espressif: automate build system for flash enc

Modifies Kconfig and build tools to support flash encryption and E-Fuse burning when flash encryption is enabled. Signed-off-by: Filipe Cavalcanti <filipe.cavalcanti@espressif.com>
2026-05-26 18:56:10 +08:00 · 2025-10-21 11:41:46 -03:00
parent 8f42a6f6d7
commit 49d6177c68
8 changed files with 489 additions and 36 deletions
@@ -299,6 +299,44 @@ choice ESPRESSIF_SECURE_FLASH_ENCRYPTION_MODE

 endchoice

+config ESPRESSIF_SECURE_FLASH_ENC_USE_HOST_KEY
+	bool "Require user provided encryption key for flash encryption"
+	default y
+	---help---
+		This option enables the requirement of a host generated flash encryption key.
+
+		If not selected, a random key will be generated by the bootloader on first boot.
+		In this case, the user will not have access to the key and will be unable to reuse it.
+
+if ESPRESSIF_SECURE_FLASH_ENC_USE_HOST_KEY
+
+config ESPRESSIF_SECURE_FLASH_ENC_HOST_KEY_NAME
+	string "Path to flash encryption key"
+	default "flash_enc_key.bin"
+	---help---
+		Path to the key file used to encrypt the flash.
+
+		This key is in a binary format and is generated by espsecure application.
+
+		Path is evaluated relative to the NuttX root directory.
+
+		You can generate a new signing key by running the following command:
+		$ espsecure.py generate_flash_encryption_key <key_name>
+
+endif # ESPRESSIF_SECURE_FLASH_ENC_USE_HOST_KEY
+
+config ESPRESSIF_SECURE_FLASH_ENC_FLASH_DEVICE_ENCRYPTED
+	bool "Device is already encrypted"
+	default n
+	depends on ESPRESSIF_SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT
+	depends on !ESPRESSIF_EFUSE_VIRTUAL
+	---help---
+		Append --encrypt to esptool.py write_flash command.
+
+		This option is useful when the device already has a flash encryption key,
+		and the user wants to simply flash a new firmware to it, using the key already present.
+		It requires that the DEVELOPMENT mode is set. It is not possible to reflash in RELEASE mode.
+
 endif # ESPRESSIF_SECURE_FLASH_ENC_ENABLED

 endmenu # Bootloader and Image Configuration
@@ -458,6 +458,45 @@ choice ESPRESSIF_SECURE_FLASH_ENCRYPTION_MODE

 endchoice

+config ESPRESSIF_SECURE_FLASH_ENC_USE_HOST_KEY
+	bool "Require user provided encryption key for flash encryption"
+	default y
+	---help---
+		This option enables the requirement of a host generated flash encryption key.
+
+		If not selected, a random key will be generated by the bootloader on first boot.
+		In this case, the user will not have access to the key and will be unable to reuse it.
+
+if ESPRESSIF_SECURE_FLASH_ENC_USE_HOST_KEY
+
+config ESPRESSIF_SECURE_FLASH_ENC_HOST_KEY_NAME
+	string "Path to flash encryption key"
+	default "flash_enc_key.bin"
+	---help---
+		Path to the key file used to encrypt the flash.
+
+		This key is in a binary format and is generated by espsecure application.
+
+		Path is evaluated relative to the NuttX root directory.
+
+		You can generate a new signing key by running the following command:
+		$ espsecure.py generate_flash_encryption_key <key_name>
+
+endif # ESPRESSIF_SECURE_FLASH_ENC_USE_HOST_KEY
+
+config ESPRESSIF_SECURE_FLASH_ENC_FLASH_DEVICE_ENCRYPTED
+	bool "Device is already encrypted"
+	default n
+	depends on ESPRESSIF_SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT
+	depends on !ESPRESSIF_EFUSE_VIRTUAL
+	---help---
+		Append --encrypt to esptool.py write_flash command.
+
+		This option is useful when the device already has a flash encryption key,
+		and the user wants to simply flash a new firmware to it, using the key already present.
+		If requires that the DEVELOPMENT mode is set, it is not possible to reflash
+		in RELEASE mode.
+
 endif # ESPRESSIF_SECURE_FLASH_ENC_ENABLED

 endmenu # Bootloader and Image Configuration
@@ -140,6 +140,45 @@ choice ESP32_SECURE_FLASH_ENCRYPTION_MODE

 endchoice

+config ESP32_SECURE_FLASH_ENC_USE_HOST_KEY
+	bool "Require user provided encryption key for flash encryption"
+	default y
+	---help---
+		This option enables the requirement of a host generated flash encryption key.
+
+		If not selected, a random key will be generated by the bootloader on first boot.
+		In this case, the user will not have access to the key and will be unable to reuse it.
+
+if ESP32_SECURE_FLASH_ENC_USE_HOST_KEY
+
+config ESP32_SECURE_FLASH_ENC_HOST_KEY_NAME
+	string "Path to flash encryption key"
+	default "flash_enc_key.bin"
+	---help---
+		Path to the key file used to encrypt the flash.
+
+		This key is in a binary format and is generated by espsecure application.
+
+		Path is evaluated relative to the NuttX root directory.
+
+		You can generate a new signing key by running the following command:
+		$ espsecure.py generate_flash_encryption_key <key_name>
+
+endif # ESP32_SECURE_FLASH_ENC_USE_HOST_KEY
+
+config ESP32_SECURE_FLASH_ENC_FLASH_DEVICE_ENCRYPTED
+	bool "Device is already encrypted"
+	default n
+	depends on ESP32_SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT
+	depends on !ESPRESSIF_EFUSE_VIRTUAL
+	---help---
+		Append --encrypt to esptool.py write_flash command.
+
+		This option is useful when the device already has a flash encryption key,
+		and the user wants to simply flash a new firmware to it, using the key already present.
+		If requires that the DEVELOPMENT mode is set, it is not possible to reflash
+		in RELEASE mode.
+
 endif # ESP32_SECURE_FLASH_ENC_ENABLED

 menu "Potentially insecure options"
@@ -145,6 +145,45 @@ choice ESP32S2_SECURE_FLASH_ENCRYPTION_MODE

 endchoice

+config ESP32S2_SECURE_FLASH_ENC_USE_HOST_KEY
+	bool "Require user provided encryption key for flash encryption"
+	default y
+	---help---
+		This option enables the requirement of a host generated flash encryption key.
+
+		If not selected, a random key will be generated by the bootloader on first boot.
+		In this case, the user will not have access to the key and will be unable to reuse it.
+
+if ESP32S2_SECURE_FLASH_ENC_USE_HOST_KEY
+
+config ESP32S2_SECURE_FLASH_ENC_HOST_KEY_NAME
+	string "Path to flash encryption key"
+	default "flash_enc_key.bin"
+	---help---
+		Path to the key file used to encrypt the flash.
+
+		This key is in a binary format and is generated by espsecure application.
+
+		Path is evaluated relative to the NuttX root directory.
+
+		You can generate a new signing key by running the following command:
+		$ espsecure.py generate_flash_encryption_key <key_name>
+
+endif # ESP32S2_SECURE_FLASH_ENC_USE_HOST_KEY
+
+config ESP32S2_SECURE_FLASH_ENC_FLASH_DEVICE_ENCRYPTED
+	bool "Device is already encrypted"
+	default n
+	depends on ESP32S2_SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT
+	depends on !ESPRESSIF_EFUSE_VIRTUAL
+	---help---
+		Append --encrypt to esptool.py write_flash command.
+
+		This option is useful when the device already has a flash encryption key,
+		and the user wants to simply flash a new firmware to it, using the key already present.
+		If requires that the DEVELOPMENT mode is set, it is not possible to reflash
+		in RELEASE mode.
+
 endif # ESP32S2_SECURE_FLASH_ENC_ENABLED

 menu "Potentially insecure options"
@@ -58,6 +58,10 @@ else
 	ESPTOOL_WRITEFLASH_OPTS := -fs $(FLASH_SIZE) -fm dio -ff $(FLASH_FREQ)
 endif

+ifeq ($(CONFIG_ESP32_SECURE_FLASH_ENC_FLASH_DEVICE_ENCRYPTED),y)
+	ESPTOOL_WRITEFLASH_OPTS += --encrypt
+endif
+
 ifneq ($(CONFIG_ESP32_SECURE_BOOT)$(CONFIG_ESP32_SECURE_FLASH_ENC_ENABLED),)
 	ESPTOOL_RESET_OPTS += --after no_reset
 endif
@@ -94,7 +98,7 @@ ifdef ESPTOOL_BINDIR

 		FLASH_BL         := $(BL_OFFSET) $(BOOTLOADER)

-		ifneq ($(CONFIG_ESP32_SECURE_BOOT)$(CONFIG_ESP32_SECURE_FLASH_ENC_ENABLED),)
+		ifneq ($(CONFIG_ESP32_SECURE_BOOT),)
 			ESPTOOL_BINS :=
 		else
 			ESPTOOL_BINS := $(FLASH_BL)
@@ -124,7 +128,13 @@ else ifeq ($(CONFIG_ESP32_APP_FORMAT_MCUBOOT),y)
 		APP_IMAGE  := nuttx.bin
 	endif

-	FLASH_APP      := $(APP_OFFSET) $(APP_IMAGE)
+	FLASH_APP := $(APP_OFFSET) $(APP_IMAGE)
+
+	ifeq ($(CONFIG_ESP32_SECURE_FLASH_ENC_ENABLED),y)
+		ifeq ($(CONFIG_ESPRESSIF_SPIFLASH),y)
+			ENC_APP := $(CONFIG_ESP32_STORAGE_MTD_OFFSET) enc_mtd.bin
+		endif
+	endif

 	ifeq ($(CONFIG_ESP32_SECURE_FLASH_ENC_ENABLED),y)
 		IMGTOOL_ALIGN_ARGS := --align 32 --max-align 32
@@ -144,7 +154,7 @@ else
 	ESPTOOL_BINDIR := .
 endif

-ESPTOOL_BINS += $(FLASH_APP)
+ESPTOOL_BINS += $(FLASH_APP) $(ENC_APP)

 ifeq ($(CONFIG_BUILD_PROTECTED),y)
 	ESPTOOL_BINS += $(CONFIG_ESP32_USER_IMAGE_OFFSET) nuttx_user.bin
@@ -157,6 +167,68 @@ YELLOW = \033[1;33m
 BOLD   = \033[1m
 RST    = \033[0m

+# Flash encryption procedure
+
+define FLASH_ENC
+	$(Q) echo -e "$(YELLOW)Flash Encryption is enabled!$(RST)";
+
+	$(Q) if [ "$(CONFIG_ESPRESSIF_EFUSE_VIRTUAL)" = "y" ]; then \
+		echo -e "$(YELLOW)WARN: Virtual E-Fuses are enabled! E-Fuses will not be burned. $(RST)"; \
+	fi
+
+	$(Q) if [ "$(CONFIG_ESP32_SECURE_FLASH_ENC_USE_HOST_KEY)" = "y" ]; then \
+		if [ ! -f "$(CONFIG_ESP32_SECURE_FLASH_ENC_HOST_KEY_NAME)" ]; then \
+			echo -e "$(RED)FLASH ENCRYPTION error: Key file '$(CONFIG_ESP32_SECURE_FLASH_ENC_HOST_KEY_NAME)' not found.$(RST)"; \
+			echo -e "$(YELLOW)Generate the encryption key using: espsecure.py generate_flash_encryption_key <key_name.bin>$(RST)"; \
+			echo -e "$(YELLOW)Refer to the documentation on flash encryption before proceeding.$(RST)"; \
+			exit 1; \
+		fi; \
+	fi
+
+	$(Q) if [ "$(CONFIG_ESPRESSIF_SPIFLASH)" = "y" ]; then \
+		echo "Applying encryption to user MTD partition on flash."; \
+		if [ ! -f "$(CONFIG_ESP32_SECURE_FLASH_ENC_HOST_KEY_NAME)" ]; then \
+			echo -e "$(RED)Flash encryption key is required for user MTD partition encryption. Key file: '$(CONFIG_ESP32_SECURE_FLASH_ENC_HOST_KEY_NAME)'$(RST)"; \
+			echo -e "$(RED)Make sure CONFIG_ESP32_SECURE_FLASH_ENC_HOST_KEY_NAME is set or disable SPI Flash.$(RST)"; \
+			exit 1; \
+		fi; \
+		size_int=$$(( $(CONFIG_ESP32_STORAGE_MTD_SIZE) )); \
+		echo -e "Encrypting user MTD partition offset: $(CONFIG_ESP32_STORAGE_MTD_OFFSET), size: $(CONFIG_ESP32_STORAGE_MTD_SIZE) ($$size_int)"; \
+		dd if=/dev/zero ibs=1 count=$$size_int | LC_ALL=C tr "\000" "\377" > blank_mtd.bin; \
+        espsecure.py encrypt_flash_data --keyfile $(CONFIG_ESP32_SECURE_FLASH_ENC_HOST_KEY_NAME) --address 0 --output enc_mtd.bin blank_mtd.bin; \
+		rm blank_mtd.bin; \
+	fi
+
+endef
+
+# BURN_EFUSES -- Burn the flash encryption key E-Fuses if: not already burned, not virtual, not device already encrypted
+
+define BURN_EFUSES
+	$(Q) if [ "$(CONFIG_ESP32_SECURE_FLASH_ENC_FLASH_DEVICE_ENCRYPTED)" = "y" ]; then \
+		echo -e "$(YELLOW)WARN: Device is already encrypted. Skipping flash encryption key burning. $(RST)"; \
+	elif [ "$(CONFIG_ESPRESSIF_EFUSE_VIRTUAL)" = "y" ]; then \
+		echo -e "$(YELLOW)WARN: Virtual E-Fuses are enabled! Skipping flash encryption key burning. $(RST)"; \
+	else \
+		if [ "$(CONFIG_ESP32_SECURE_FLASH_ENC_USE_HOST_KEY)" = "y" ]; then \
+			echo -e "$(YELLOW)Proceeding will burn the flash encryption key E-Fuses using: $(CONFIG_ESP32_SECURE_FLASH_ENC_HOST_KEY_NAME).$(RST)"; \
+		else \
+			echo -e "$(YELLOW)Proceeding will burn a *randomly generated* flash encryption key (NOT user-provided).$(RST)"; \
+		fi; \
+		echo -e "$(YELLOW)This operation is NOT REVERSIBLE! Make sure to have read the documentation.$(RST)"; \
+		efuse_summary=$$(espefuse.py --port $(ESPTOOL_PORT) summary | grep -A 1 BLOCK1); \
+		if echo "$$efuse_summary" | grep -q '?? ??'; then \
+			echo -e "$(YELLOW)Encryption key already burned. Skipping...$(RST)"; \
+		else \
+			echo -e "$(YELLOW)Burning flash encryption key...$(RST)"; \
+			if [ -z "$(NOCHECK)" ] ; then \
+				espefuse.py --port $(ESPTOOL_PORT) burn_key flash_encryption $(CONFIG_ESP32_SECURE_FLASH_ENC_HOST_KEY_NAME); \
+			else \
+				espefuse.py --do-not-confirm --port $(ESPTOOL_PORT) burn_key flash_encryption $(CONFIG_ESP32_SECURE_FLASH_ENC_HOST_KEY_NAME); \
+			fi; \
+		fi; \
+	fi
+endef
+
 # Functions for printing help messages

 define HELP_SIGN_APP
@@ -167,14 +239,6 @@ define HELP_SIGN_APP
 	$(Q) echo ""
 endef

-define HELP_FLASH_BOOTLOADER
-	$(Q) echo ""
-	$(Q) echo "$(YELLOW)Security features enabled, so bootloader not flashed automatically.$(RST)"
-	$(Q) echo "Use the following command to flash the bootloader:"
-	$(Q) echo "    esptool.py $(ESPTOOL_OPTS) write_flash $(ESPTOOL_WRITEFLASH_OPTS) $(FLASH_BL)"
-	$(Q) echo ""
-endef
-
 # MERGEBIN -- Merge raw binary files into a single file

 define MERGEBIN
@@ -290,6 +354,7 @@ endif
 define POSTBUILD
 	$(call MKIMAGE)
 	$(if $(CONFIG_ESPRESSIF_BOOTLOADER_MCUBOOT),$(call MAKE_VIRTUAL_EFUSE_BIN))
+	$(if $(CONFIG_ESP32_SECURE_FLASH_ENC_ENABLED),$(call FLASH_ENC))
 	$(if $(CONFIG_ESP32_MERGE_BINS),$(call MERGEBIN))
 endef

@@ -306,8 +371,7 @@ define FLASH
 		exit 1; \
 	fi

+	$(if $(CONFIG_ESP32_SECURE_FLASH_ENC_ENABLED),$(call BURN_EFUSES))
 	$(eval ESPTOOL_OPTS := -c esp32 -p $(ESPTOOL_PORT) -b $(ESPTOOL_BAUD) $(ESPTOOL_RESET_OPTS))
 	esptool.py $(ESPTOOL_OPTS) write_flash $(ESPTOOL_WRITEFLASH_OPTS) $(ESPTOOL_BINS)
-
-	$(if $(CONFIG_ESP32_SECURE_BOOT)$(CONFIG_ESP32_SECURE_FLASH_ENC_ENABLED),$(call HELP_FLASH_BOOTLOADER))
 endef
@@ -58,6 +58,10 @@ else
 	ESPTOOL_WRITEFLASH_OPTS := -fs $(FLASH_SIZE) -fm dio -ff $(FLASH_FREQ)
 endif

+ifeq ($(CONFIG_ESP32S2_SECURE_FLASH_ENC_FLASH_DEVICE_ENCRYPTED),y)
+	ESPTOOL_WRITEFLASH_OPTS += --encrypt
+endif
+
 ifneq ($(CONFIG_ESP32S2_SECURE_BOOT)$(CONFIG_ESP32S2_SECURE_FLASH_ENC_ENABLED),)
 	ESPTOOL_RESET_OPTS += --after no_reset
 endif
@@ -86,7 +90,7 @@ ifdef ESPTOOL_BINDIR

 		FLASH_BL         := $(BL_OFFSET) $(BOOTLOADER)

-		ifneq ($(CONFIG_ESP32S2_SECURE_BOOT)$(CONFIG_ESP32S2_SECURE_FLASH_ENC_ENABLED),)
+		ifneq ($(CONFIG_ESP32S2_SECURE_BOOT),)
 			ESPTOOL_BINS :=
 		else
 			ESPTOOL_BINS := $(FLASH_BL)
@@ -114,6 +118,12 @@ ifeq ($(CONFIG_ESP32S2_APP_FORMAT_MCUBOOT),y)

 	FLASH_APP      := $(APP_OFFSET) $(APP_IMAGE)

+	ifeq ($(CONFIG_ESP32S2_SECURE_FLASH_ENC_ENABLED),y)
+		ifeq ($(CONFIG_ESPRESSIF_SPIFLASH),y)
+			ENC_APP := $(CONFIG_ESPRESSIF_STORAGE_MTD_OFFSET) enc_mtd.bin
+		endif
+	endif
+
 	ifeq ($(CONFIG_ESP32S2_SECURE_FLASH_ENC_ENABLED),y)
 		IMGTOOL_ALIGN_ARGS := --align 32 --max-align 32
 	else
@@ -132,7 +142,7 @@ else
 	ESPTOOL_BINDIR := .
 endif

-ESPTOOL_BINS += $(FLASH_APP)
+ESPTOOL_BINS += $(FLASH_APP) $(ENC_APP)

 # Commands for colored and formatted output

@@ -151,12 +161,73 @@ define HELP_SIGN_APP
 	$(Q) echo ""
 endef

-define HELP_FLASH_BOOTLOADER
-	$(Q) echo ""
-	$(Q) echo "$(YELLOW)Security features enabled, so bootloader not flashed automatically.$(RST)"
-	$(Q) echo "Use the following command to flash the bootloader:"
-	$(Q) echo "    esptool.py $(ESPTOOL_OPTS) write_flash $(ESPTOOL_WRITEFLASH_OPTS) $(FLASH_BL)"
-	$(Q) echo ""
+# Commands for colored and formatted output
+
+RED    = \033[1;31m
+YELLOW = \033[1;33m
+BOLD   = \033[1m
+RST    = \033[0m
+
+# Flash encryption procedure
+
+define FLASH_ENC
+	$(Q) echo -e "$(YELLOW)Flash Encryption is enabled!$(RST)";
+
+	$(Q) if [ "$(CONFIG_ESPRESSIF_EFUSE_VIRTUAL)" = "y" ]; then \
+		echo -e "$(YELLOW)WARN: Virtual E-Fuses are enabled! E-Fuses will not be burned. $(RST)"; \
+	fi
+
+	$(Q) if [ "$(CONFIG_ESP32S2_SECURE_FLASH_ENC_USE_HOST_KEY)" = "y" ]; then \
+		if [ ! -f "$(CONFIG_ESP32S2_SECURE_FLASH_ENC_HOST_KEY_NAME)" ]; then \
+			echo -e "$(RED)FLASH ENCRYPTION error: Key file '$(CONFIG_ESP32S2_SECURE_FLASH_ENC_HOST_KEY_NAME)' not found.$(RST)"; \
+			echo -e "$(YELLOW)Generate the encryption key using: espsecure.py generate_flash_encryption_key <key_name.bin>$(RST)"; \
+			echo -e "$(YELLOW)Refer to the documentation on flash encryption before proceeding.$(RST)"; \
+			exit 1; \
+		fi; \
+	fi
+
+	$(Q) if [ "$(CONFIG_ESPRESSIF_SPIFLASH)" = "y" ]; then \
+		echo "Applying encryption to user MTD partition on flash."; \
+		if [ ! -f "$(CONFIG_ESP32S2_SECURE_FLASH_ENC_HOST_KEY_NAME)" ]; then \
+			echo -e "$(RED)Flash encryption key is required for user MTD partition encryption. Key file: '$(CONFIG_ESP32S2_SECURE_FLASH_ENC_HOST_KEY_NAME)'$(RST)"; \
+			echo -e "$(RED)Make sure CONFIG_ESP32S2_SECURE_FLASH_ENC_HOST_KEY_NAME is set or disable SPI Flash.$(RST)"; \
+			exit 1; \
+		fi; \
+		size_int=$$(( $(CONFIG_ESPRESSIF_STORAGE_MTD_SIZE) )); \
+		echo -e "Encrypting user MTD partition offset: $(CONFIG_ESPRESSIF_STORAGE_MTD_OFFSET), size: $(CONFIG_ESPRESSIF_STORAGE_MTD_SIZE) ($$size_int)"; \
+		dd if=/dev/zero ibs=1 count=$$size_int | LC_ALL=C tr "\000" "\377" > blank_mtd.bin; \
+        espsecure.py encrypt_flash_data --aes_xts --keyfile $(CONFIG_ESP32S2_SECURE_FLASH_ENC_HOST_KEY_NAME) --address 0 --output enc_mtd.bin blank_mtd.bin; \
+		rm blank_mtd.bin; \
+	fi
+
+endef
+
+# BURN_EFUSES -- Burn the flash encryption key E-Fuses if: not already burned, not virtual, not device already encrypted
+
+define BURN_EFUSES
+	$(Q) if [ "$(CONFIG_ESP32S2_SECURE_FLASH_ENC_FLASH_DEVICE_ENCRYPTED)" = "y" ]; then \
+		echo -e "$(YELLOW)WARN: Device is already encrypted. Skipping flash encryption key burning. $(RST)"; \
+	elif [ "$(CONFIG_ESPRESSIF_EFUSE_VIRTUAL)" = "y" ]; then \
+		echo -e "$(YELLOW)WARN: Virtual E-Fuses are enabled! Skipping flash encryption key burning. $(RST)"; \
+	else \
+		if [ "$(CONFIG_ESP32S2_SECURE_FLASH_ENC_USE_HOST_KEY)" = "y" ]; then \
+			echo -e "$(YELLOW)Proceeding will burn the flash encryption key E-Fuses using: $(CONFIG_ESP32S2_SECURE_FLASH_ENC_HOST_KEY_NAME).$(RST)"; \
+		else \
+			echo -e "$(YELLOW)Proceeding will burn a *randomly generated* flash encryption key (NOT user-provided).$(RST)"; \
+		fi; \
+		echo -e "$(YELLOW)This operation is NOT REVERSIBLE! Make sure to have read the documentation.$(RST)"; \
+		efuse_summary=$$(espefuse.py --port $(ESPTOOL_PORT) summary | grep -A 1 BLOCK1); \
+		if echo "$$efuse_summary" | grep -q '?? ??'; then \
+			echo -e "$(YELLOW)Encryption key already burned. Skipping...$(RST)"; \
+		else \
+			echo -e "$(YELLOW)Burning flash encryption key...$(RST)"; \
+			if [ -z "$(NOCHECK)" ] ; then \
+				espefuse.py --port $(ESPTOOL_PORT) burn_key BLOCK_KEY0 $(CONFIG_ESP32S2_SECURE_FLASH_ENC_HOST_KEY_NAME) XTS_AES_128_KEY; \
+			else \
+				espefuse.py --do-not-confirm --port $(ESPTOOL_PORT) burn_key BLOCK_KEY0 $(CONFIG_ESP32S2_SECURE_FLASH_ENC_HOST_KEY_NAME) XTS_AES_128_KEY; \
+			fi; \
+		fi; \
+	fi
 endef

 # MERGEBIN -- Merge raw binary files into a single file
@@ -251,6 +322,7 @@ endif
 define POSTBUILD
 	$(call MKIMAGE)
 	$(if $(CONFIG_ESPRESSIF_BOOTLOADER_MCUBOOT),$(call MAKE_VIRTUAL_EFUSE_BIN))
+	$(if $(CONFIG_ESP32S2_SECURE_FLASH_ENC_ENABLED),$(call FLASH_ENC))
 	$(if $(CONFIG_ESP32S2_MERGE_BINS),$(call MERGEBIN))
 endef

@@ -266,8 +338,8 @@ define FLASH
 		echo "USAGE: make flash ESPTOOL_PORT=<port> [ ESPTOOL_BAUD=<baud> ] [ ESPTOOL_BINDIR=<dir> ]"; \
 		exit 1; \
 	fi
+
+	$(if $(CONFIG_ESP32S2_SECURE_FLASH_ENC_ENABLED),$(call BURN_EFUSES))
 	$(eval ESPTOOL_OPTS := -c esp32s2 -p $(ESPTOOL_PORT) -b $(ESPTOOL_BAUD) $(ESPTOOL_RESET_OPTS) $(if $(CONFIG_ESP32S2_ESPTOOLPY_NO_STUB),--no-stub))
 	esptool.py $(ESPTOOL_OPTS) write_flash $(ESPTOOL_WRITEFLASH_OPTS) $(ESPTOOL_BINS)
-
-	$(if $(CONFIG_ESP32S2_SECURE_BOOT)$(CONFIG_ESP32S2_SECURE_FLASH_ENC_ENABLED),$(call HELP_FLASH_BOOTLOADER))
 endef
@@ -107,11 +107,19 @@ else ifeq ($(CONFIG_ESP32S3_APP_FORMAT_MCUBOOT),y)

 	APP_IMAGE      := nuttx.bin
 	FLASH_APP      := $(APP_OFFSET) $(APP_IMAGE)
-ifeq ($(CONFIG_ESPRESSIF_SECURE_FLASH_ENC_ENABLED),y)
-	IMGTOOL_ALIGN_ARGS := --align 32 --max-align 32
-else
- 	IMGTOOL_ALIGN_ARGS := --align 4
-endif
+
+	ifeq ($(CONFIG_ESPRESSIF_SECURE_FLASH_ENC_ENABLED),y)
+		ifeq ($(CONFIG_ESPRESSIF_SPIFLASH),y)
+			ENC_APP := $(CONFIG_ESP32S3_STORAGE_MTD_OFFSET) enc_mtd.bin
+		endif
+	endif
+
+	ifeq ($(CONFIG_ESPRESSIF_SECURE_FLASH_ENC_ENABLED),y)
+		IMGTOOL_ALIGN_ARGS := --align 32 --max-align 32
+	else
+		IMGTOOL_ALIGN_ARGS := --align 4
+	endif
+
 	IMGTOOL_SIGN_ARGS  := --pad $(VERIFIED) $(IMGTOOL_ALIGN_ARGS) -v 0 -s auto \
 		-H $(CONFIG_ESP32S3_APP_MCUBOOT_HEADER_SIZE) --pad-header \
 		-S $(CONFIG_ESP32S3_OTA_SLOT_SIZE)
@@ -124,7 +132,7 @@ else
 	ESPTOOL_BINDIR := .
 endif

-ESPTOOL_BINS += $(FLASH_APP)
+ESPTOOL_BINS += $(FLASH_APP) $(ENC_APP)

 ifeq ($(CONFIG_BUILD_PROTECTED),y)
 	# Check the operating system
@@ -138,6 +146,75 @@ ifeq ($(CONFIG_BUILD_PROTECTED),y)
 	endif
 endif

+# Commands for colored and formatted output
+
+RED    = \033[1;31m
+YELLOW = \033[1;33m
+BOLD   = \033[1m
+RST    = \033[0m
+
+# Flash encryption procedure
+
+define FLASH_ENC
+	$(Q) echo -e "$(YELLOW)Flash Encryption is enabled!$(RST)";
+
+	$(Q) if [ "$(CONFIG_ESPRESSIF_EFUSE_VIRTUAL)" = "y" ]; then \
+		echo -e "$(YELLOW)WARN: Virtual E-Fuses are enabled! E-Fuses will not be burned. $(RST)"; \
+	fi
+
+	$(Q) if [ "$(CONFIG_ESPRESSIF_SECURE_FLASH_ENC_USE_HOST_KEY)" = "y" ]; then \
+		if [ ! -f "$(CONFIG_ESPRESSIF_SECURE_FLASH_ENC_HOST_KEY_NAME)" ]; then \
+			echo -e "$(RED)FLASH ENCRYPTION error: Key file '$(CONFIG_ESPRESSIF_SECURE_FLASH_ENC_HOST_KEY_NAME)' not found.$(RST)"; \
+			echo -e "$(YELLOW)Generate the encryption key using: espsecure.py generate_flash_encryption_key <key_name.bin>$(RST)"; \
+			echo -e "$(YELLOW)Refer to the documentation on flash encryption before proceeding.$(RST)"; \
+			exit 1; \
+		fi; \
+	fi
+
+	$(Q) if [ "$(CONFIG_ESPRESSIF_SPIFLASH)" = "y" ]; then \
+		echo "Applying encryption to user MTD partition on flash."; \
+		if [ ! -f "$(CONFIG_ESPRESSIF_SECURE_FLASH_ENC_HOST_KEY_NAME)" ]; then \
+			echo -e "$(RED)Flash encryption key is required for user MTD partition encryption. Key file: '$(CONFIG_ESPRESSIF_SECURE_FLASH_ENC_HOST_KEY_NAME)'$(RST)"; \
+			echo -e "$(RED)Make sure CONFIG_ESPRESSIF_SECURE_FLASH_ENC_HOST_KEY_NAME is set or disable SPI Flash.$(RST)"; \
+			exit 1; \
+		fi; \
+		size_int=$$(( $(CONFIG_ESP32S3_STORAGE_MTD_SIZE) )); \
+		echo -e "Encrypting user MTD partition offset: $(CONFIG_ESP32S3_STORAGE_MTD_OFFSET), size: $(CONFIG_ESP32S3_STORAGE_MTD_SIZE) ($$size_int)"; \
+		dd if=/dev/zero ibs=1 count=$$size_int | LC_ALL=C tr "\000" "\377" > blank_mtd.bin; \
+        espsecure.py encrypt_flash_data --aes_xts --keyfile $(CONFIG_ESPRESSIF_SECURE_FLASH_ENC_HOST_KEY_NAME) --address 0 --output enc_mtd.bin blank_mtd.bin; \
+		rm blank_mtd.bin; \
+	fi
+
+endef
+
+# BURN_EFUSES -- Burn the flash encryption key E-Fuses if: not already burned, not virtual, not device already encrypted
+
+define BURN_EFUSES
+	$(Q) if [ "$(CONFIG_ESPRESSIF_SECURE_FLASH_ENC_FLASH_DEVICE_ENCRYPTED)" = "y" ]; then \
+		echo -e "$(YELLOW)WARN: Device is already encrypted. Skipping flash encryption key burning. $(RST)"; \
+	elif [ "$(CONFIG_ESPRESSIF_EFUSE_VIRTUAL)" = "y" ]; then \
+		echo -e "$(YELLOW)WARN: Virtual E-Fuses are enabled! Skipping flash encryption key burning. $(RST)"; \
+	else \
+		if [ "$(CONFIG_ESPRESSIF_SECURE_FLASH_ENC_USE_HOST_KEY)" = "y" ]; then \
+			echo -e "$(YELLOW)Proceeding will burn the flash encryption key E-Fuses using: $(CONFIG_ESPRESSIF_SECURE_FLASH_ENC_HOST_KEY_NAME).$(RST)"; \
+		else \
+			echo -e "$(YELLOW)Proceeding will burn a *randomly generated* flash encryption key (NOT user-provided).$(RST)"; \
+		fi; \
+		echo -e "$(YELLOW)This operation is NOT REVERSIBLE! Make sure to have read the documentation.$(RST)"; \
+		efuse_summary=$$(espefuse.py --port $(ESPTOOL_PORT) summary | grep -A 1 BLOCK1); \
+		if echo "$$efuse_summary" | grep -q '?? ??'; then \
+			echo -e "$(YELLOW)Encryption key already burned. Skipping...$(RST)"; \
+		else \
+			echo -e "$(YELLOW)Burning flash encryption key...$(RST)"; \
+			if [ -z "$(NOCHECK)" ] ; then \
+				espefuse.py --port $(ESPTOOL_PORT) burn_key BLOCK_KEY0 $(CONFIG_ESPRESSIF_SECURE_FLASH_ENC_HOST_KEY_NAME) XTS_AES_128_KEY; \
+			else \
+				espefuse.py --do-not-confirm --port $(ESPTOOL_PORT) burn_key BLOCK_KEY0 $(CONFIG_ESPRESSIF_SECURE_FLASH_ENC_HOST_KEY_NAME) XTS_AES_128_KEY; \
+			fi; \
+		fi; \
+	fi
+endef
+
 # MERGEBIN -- Merge raw binary files into a single file

 define MERGEBIN
@@ -157,7 +234,7 @@ define MERGEBIN
 			$(ESPTOOL_FLASH_OPTS)                                                \
 		)                                                                        \
 	)
-	esptool.py -c esp32s3 merge_bin --output nuttx.merged.bin $(ESPTOOL_MERGEBIN_OPTS) $(ESPTOOL_BINS)
+	esptool.py -c esp32s3 merge_bin $(ESPTOOL_MERGEBIN_OPTS) --output nuttx.merged.bin $(ESPTOOL_BINS)
 	$(Q) echo nuttx.merged.bin >> nuttx.manifest
 	$(Q) echo "Generated: nuttx.merged.bin"
 endef
@@ -220,6 +297,7 @@ endif
 define POSTBUILD
 	$(call MKIMAGE)
 	$(if $(CONFIG_ESPRESSIF_BOOTLOADER_MCUBOOT),$(call MAKE_VIRTUAL_EFUSE_BIN))
+	$(if $(CONFIG_ESPRESSIF_SECURE_FLASH_ENC_ENABLED),$(call FLASH_ENC))
 	$(if $(CONFIG_ESP32S3_MERGE_BINS),$(call MERGEBIN))
 endef

@@ -235,6 +313,7 @@ define FLASH
 		echo "USAGE: make flash ESPTOOL_PORT=<port> [ ESPTOOL_BAUD=<baud> ] [ ESPTOOL_BINDIR=<dir> ]"; \
 		exit 1; \
 	fi
+	$(if $(CONFIG_ESPRESSIF_SECURE_FLASH_ENC_ENABLED),$(call BURN_EFUSES))
 	$(eval ESPTOOL_OPTS := -c esp32s3 -p $(ESPTOOL_PORT) -b $(ESPTOOL_BAUD) $(if $(CONFIG_ESP32S3_ESPTOOLPY_NO_STUB),--no-stub))
 	esptool.py $(ESPTOOL_OPTS) write_flash $(ESPTOOL_WRITEFLASH_OPTS) $(ESPTOOL_BINS)
 endef
@@ -68,6 +68,10 @@ else
 	ESPTOOL_WRITEFLASH_OPTS := -fs $(FLASH_SIZE) -fm dio -ff $(FLASH_FREQ)
 endif

+ifeq ($(CONFIG_ESPRESSIF_SECURE_FLASH_ENC_FLASH_DEVICE_ENCRYPTED),y)
+	ESPTOOL_WRITEFLASH_OPTS += --encrypt
+endif
+
 # Configure the variables according to build environment

 ESPTOOL_MIN_VERSION := 4.8.0
@@ -101,11 +105,19 @@ ifeq ($(CONFIG_ESPRESSIF_BOOTLOADER_MCUBOOT),y)

 	APP_IMAGE      := nuttx.bin
 	FLASH_APP      := $(APP_OFFSET) $(APP_IMAGE)
-ifeq ($(CONFIG_ESPRESSIF_SECURE_FLASH_ENC_ENABLED),y)
-	IMGTOOL_ALIGN_ARGS := --align 32 --max-align 32
-else
-	IMGTOOL_ALIGN_ARGS := --align 4
-endif
+
+	ifeq ($(CONFIG_ESPRESSIF_SECURE_FLASH_ENC_ENABLED),y)
+		ifeq ($(CONFIG_ESPRESSIF_SPIFLASH),y)
+			ENC_APP := $(CONFIG_ESPRESSIF_STORAGE_MTD_OFFSET) enc_mtd.bin
+		endif
+	endif
+
+	ifeq ($(CONFIG_ESPRESSIF_SECURE_FLASH_ENC_ENABLED),y)
+		IMGTOOL_ALIGN_ARGS := --align 32 --max-align 32
+	else
+		IMGTOOL_ALIGN_ARGS := --align 4
+	endif
+
 	IMGTOOL_SIGN_ARGS  := --pad $(VERIFIED) $(IMGTOOL_ALIGN_ARGS) -v $(CONFIG_ESPRESSIF_MCUBOOT_SIGN_IMAGE_VERSION) -s auto \
 		-H $(CONFIG_ESPRESSIF_APP_MCUBOOT_HEADER_SIZE) --pad-header \
 		-S $(CONFIG_ESPRESSIF_OTA_SLOT_SIZE)
@@ -116,7 +128,76 @@ else ifeq ($(CONFIG_ESPRESSIF_SIMPLE_BOOT),y)
 	ESPTOOL_BINDIR := .
 endif

-ESPTOOL_BINS += $(FLASH_APP)
+ESPTOOL_BINS += $(FLASH_APP) $(ENC_APP)
+
+# Commands for colored and formatted output
+
+RED    = \033[1;31m
+YELLOW = \033[1;33m
+BOLD   = \033[1m
+RST    = \033[0m
+
+# Flash encryption procedure
+
+define FLASH_ENC
+	$(Q) echo -e "$(YELLOW)Flash Encryption is enabled!$(RST)";
+
+	$(Q) if [ "$(CONFIG_ESPRESSIF_EFUSE_VIRTUAL)" = "y" ]; then \
+		echo -e "$(YELLOW)WARN: Virtual E-Fuses are enabled! E-Fuses will not be burned. $(RST)"; \
+	fi
+
+	$(Q) if [ "$(CONFIG_ESPRESSIF_SECURE_FLASH_ENC_USE_HOST_KEY)" = "y" ]; then \
+		if [ ! -f "$(CONFIG_ESPRESSIF_SECURE_FLASH_ENC_HOST_KEY_NAME)" ]; then \
+			echo -e "$(RED)FLASH ENCRYPTION error: Key file '$(CONFIG_ESPRESSIF_SECURE_FLASH_ENC_HOST_KEY_NAME)' not found.$(RST)"; \
+			echo -e "$(YELLOW)Generate the encryption key using: espsecure.py generate_flash_encryption_key <key_name.bin>$(RST)"; \
+			echo -e "$(YELLOW)Refer to the documentation on flash encryption before proceeding.$(RST)"; \
+			exit 1; \
+		fi; \
+	fi
+
+	$(Q) if [ "$(CONFIG_ESPRESSIF_SPIFLASH)" = "y" ]; then \
+		echo "Applying encryption to user MTD partition on flash."; \
+		if [ ! -f "$(CONFIG_ESPRESSIF_SECURE_FLASH_ENC_HOST_KEY_NAME)" ]; then \
+			echo -e "$(RED)Flash encryption key is required for user MTD partition encryption. Key file: '$(CONFIG_ESPRESSIF_SECURE_FLASH_ENC_HOST_KEY_NAME)'$(RST)"; \
+			echo -e "$(RED)Make sure CONFIG_ESPRESSIF_SECURE_FLASH_ENC_HOST_KEY_NAME is set or disable SPI Flash.$(RST)"; \
+			exit 1; \
+		fi; \
+		size_int=$$(( $(CONFIG_ESPRESSIF_STORAGE_MTD_SIZE) )); \
+		echo -e "Encrypting user MTD partition offset: $(CONFIG_ESPRESSIF_STORAGE_MTD_OFFSET), size: $(CONFIG_ESPRESSIF_STORAGE_MTD_SIZE) ($$size_int)"; \
+		dd if=/dev/zero ibs=1 count=$$size_int | LC_ALL=C tr "\000" "\377" > blank_mtd.bin; \
+        espsecure.py encrypt_flash_data --aes_xts --keyfile $(CONFIG_ESPRESSIF_SECURE_FLASH_ENC_HOST_KEY_NAME) --address 0 --output enc_mtd.bin blank_mtd.bin; \
+		rm blank_mtd.bin; \
+	fi
+
+endef
+
+# BURN_EFUSES -- Burn the flash encryption key E-Fuses if: not already burned, not virtual, not device already encrypted
+
+define BURN_EFUSES
+	$(Q) if [ "$(CONFIG_ESPRESSIF_SECURE_FLASH_ENC_FLASH_DEVICE_ENCRYPTED)" = "y" ]; then \
+		echo -e "$(YELLOW)WARN: Device is already encrypted. Skipping flash encryption key burning. $(RST)"; \
+	elif [ "$(CONFIG_ESPRESSIF_EFUSE_VIRTUAL)" = "y" ]; then \
+		echo -e "$(YELLOW)WARN: Virtual E-Fuses are enabled! Skipping flash encryption key burning. $(RST)"; \
+	else \
+		if [ "$(CONFIG_ESPRESSIF_SECURE_FLASH_ENC_USE_HOST_KEY)" = "y" ]; then \
+			echo -e "$(YELLOW)Proceeding will burn the flash encryption key E-Fuses using: $(CONFIG_ESPRESSIF_SECURE_FLASH_ENC_HOST_KEY_NAME).$(RST)"; \
+		else \
+			echo -e "$(YELLOW)Proceeding will burn a *randomly generated* flash encryption key (NOT user-provided).$(RST)"; \
+		fi; \
+		echo -e "$(YELLOW)This operation is NOT REVERSIBLE! Make sure to have read the documentation.$(RST)"; \
+		efuse_summary=$$(espefuse.py --port $(ESPTOOL_PORT) summary | grep -A 1 BLOCK1); \
+		if echo "$$efuse_summary" | grep -q '?? ??'; then \
+			echo -e "$(YELLOW)Encryption key already burned. Skipping...$(RST)"; \
+		else \
+			echo -e "$(YELLOW)Burning flash encryption key...$(RST)"; \
+			if [ -z "$(NOCHECK)" ] ; then \
+				espefuse.py --port $(ESPTOOL_PORT) burn_key BLOCK_KEY0 $(CONFIG_ESPRESSIF_SECURE_FLASH_ENC_HOST_KEY_NAME) XTS_AES_128_KEY; \
+			else \
+				espefuse.py --do-not-confirm --port $(ESPTOOL_PORT) burn_key BLOCK_KEY0 $(CONFIG_ESPRESSIF_SECURE_FLASH_ENC_HOST_KEY_NAME) XTS_AES_128_KEY; \
+			fi; \
+		fi; \
+	fi
+endef

 # MERGEBIN -- Merge raw binary files into a single file

@@ -172,6 +253,7 @@ endif
 define POSTBUILD
 	$(call MKIMAGE)
 	$(if $(CONFIG_ESPRESSIF_BOOTLOADER_MCUBOOT),$(call MAKE_VIRTUAL_EFUSE_BIN))
+	$(if $(CONFIG_ESPRESSIF_SECURE_FLASH_ENC_ENABLED),$(call FLASH_ENC))
 	$(if $(CONFIG_ESPRESSIF_MERGE_BINS),$(call MERGEBIN))
 endef

@@ -188,6 +270,7 @@ define FLASH
 		exit 1; \
 	fi

+	$(if $(CONFIG_ESPRESSIF_SECURE_FLASH_ENC_ENABLED),$(call BURN_EFUSES))
 	$(eval ESPTOOL_OPTS := -c $(CHIP_SERIES) -p $(ESPTOOL_PORT) -b $(ESPTOOL_BAUD) $(if $(CONFIG_ESPRESSIF_ESPTOOLPY_NO_STUB),--no-stub))
 	$(eval WRITEFLASH_OPTS := $(if $(CONFIG_ESPRESSIF_MERGE_BINS),$(ESPTOOL_WRITEFLASH_OPTS) 0x0 nuttx.merged.bin,$(ESPTOOL_WRITEFLASH_OPTS) $(ESPTOOL_BINS)))
 	esptool.py $(ESPTOOL_OPTS) write_flash $(WRITEFLASH_OPTS)