Merge branch 'espressif:release/v5.4' into release/v5.4

Author: Jason2866

.github/workflows/docker.yml

@@ -21,7 +21,7 @@ jobs:
     # Disable the job in forks
     if: ${{ github.repository_owner == 'espressif' }}
 
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04-X64-large
     steps:
       # Depending on the branch/tag, set CLONE_BRANCH_OR_TAG variable (used in the Dockerfile
       # as a build arg) and TAG_NAME (used when tagging the image).

.gitlab/ci/common.yml

@@ -40,7 +40,7 @@ variables:
   GIT_FETCH_EXTRA_FLAGS: "--no-recurse-submodules --prune --prune-tags"
   # we're using .cache folder for caches
   GIT_CLEAN_FLAGS: -ffdx -e .cache/
-  LATEST_GIT_TAG: v5.4.2
+  LATEST_GIT_TAG: v5.4.3
 
   SUBMODULE_FETCH_TOOL: "tools/ci/ci_fetch_submodule.py"
   # by default we will fetch all submodules

.gitmodules

@@ -51,6 +51,7 @@
 	url = ../../DaveGamble/cJSON.git
 	sbom-version = 1.7.19
 	sbom-cpe = cpe:2.3:a:cjson_project:cjson:{}:*:*:*:*:*:*:*
+	sbom-cpe = cpe:2.3:a:davegamble:cjson:{}:*:*:*:*:*:*:*
 	sbom-supplier = Person: Dave Gamble
 	sbom-url = https://github.com/DaveGamble/cJSON
 	sbom-description = Ultralightweight JSON parser in ANSI C

components/bootloader/Kconfig.projbuild

@@ -1136,8 +1136,9 @@ menu "Security features"
 
     config SECURE_FLASH_PSEUDO_ROUND_FUNC
         bool "Permanently enable XTS-AES's pseudo rounds function"
-        default y
-        depends on SECURE_FLASH_ENCRYPTION_MODE_RELEASE && SOC_FLASH_ENCRYPTION_XTS_AES_SUPPORT_PSEUDO_ROUND
+        default y if SECURE_FLASH_ENCRYPTION_MODE_RELEASE
+        default n
+        depends on SECURE_FLASH_ENC_ENABLED && SOC_FLASH_ENCRYPTION_XTS_AES_SUPPORT_PSEUDO_ROUND
         help
             If set (default), the bootloader will permanently enable the XTS-AES peripheral's pseudo rounds function.
             Note: Enabling this config would burn an efuse.

components/bootloader_support/include/esp_flash_encrypt.h

@@ -215,6 +215,10 @@ bool esp_flash_encryption_cfg_verify_release_mode(void);
  * It burns:
  *  - "disable encrypt in dl mode"
  *  - set FLASH_CRYPT_CNT efuse to max
+ *
+ * In case of the targets that support the XTS-AES peripheral's pseudo rounds function,
+ * this API would configure the pseudo rounds level efuse bit to level low if the efuse bit
+ * is not set already.
  */
 void esp_flash_encryption_set_release_mode(void);
 

components/bootloader_support/src/esp32h2/flash_encryption_secure_features.c

@@ -36,7 +36,7 @@ esp_err_t esp_flash_encryption_enable_secure_features(void)
 
     esp_efuse_write_field_bit(ESP_EFUSE_DIS_DIRECT_BOOT);
 
-#if defined(CONFIG_SECURE_FLASH_ENCRYPTION_MODE_RELEASE) && defined(SOC_FLASH_ENCRYPTION_XTS_AES_SUPPORT_PSEUDO_ROUND)
+#if CONFIG_SECURE_FLASH_PSEUDO_ROUND_FUNC
     if (spi_flash_encrypt_ll_is_pseudo_rounds_function_supported()) {
         ESP_LOGI(TAG, "Enable XTS-AES pseudo rounds function...");
         uint8_t xts_pseudo_level = CONFIG_SECURE_FLASH_PSEUDO_ROUND_FUNC_STRENGTH;

components/bootloader_support/src/flash_encrypt.c

@@ -212,8 +212,13 @@ void esp_flash_encryption_set_release_mode(void)
 
 #ifdef SOC_FLASH_ENCRYPTION_XTS_AES_SUPPORT_PSEUDO_ROUND
     if (spi_flash_encrypt_ll_is_pseudo_rounds_function_supported()) {
-        uint8_t xts_pseudo_level = ESP_XTS_AES_PSEUDO_ROUNDS_LOW;
-        esp_efuse_write_field_blob(ESP_EFUSE_XTS_DPA_PSEUDO_LEVEL, &xts_pseudo_level, ESP_EFUSE_XTS_DPA_PSEUDO_LEVEL[0]->bit_count);
+        uint8_t xts_pseudo_level = 0;
+        esp_efuse_read_field_blob(ESP_EFUSE_XTS_DPA_PSEUDO_LEVEL, &xts_pseudo_level, ESP_EFUSE_XTS_DPA_PSEUDO_LEVEL[0]->bit_count);
+
+        if (xts_pseudo_level == ESP_XTS_AES_PSEUDO_ROUNDS_DISABLE) {
+            xts_pseudo_level = ESP_XTS_AES_PSEUDO_ROUNDS_LOW;
+            esp_efuse_write_field_blob(ESP_EFUSE_XTS_DPA_PSEUDO_LEVEL, &xts_pseudo_level, ESP_EFUSE_XTS_DPA_PSEUDO_LEVEL[0]->bit_count);
+        }
     }
 #endif
 

components/bt/controller/esp32/bt.c

@@ -1972,6 +1972,7 @@ esp_err_t esp_bt_controller_disable(void)
 #endif
 
     esp_phy_disable(PHY_MODEM_BT);
+    s_time_phy_rf_just_enabled = 0;
     btdm_controller_status = ESP_BT_CONTROLLER_STATUS_INITED;
     esp_unregister_shutdown_handler(bt_shutdown);
 

components/esp-tls/esp_tls.h

@@ -396,10 +396,12 @@ esp_tls_t *esp_tls_conn_http_new(const char *url, const esp_tls_cfg_t *cfg) __at
  * @param[in]  hostname  Hostname of the host.
  * @param[in]  hostlen   Length of hostname.
  * @param[in]  port      Port number of the host.
- * @param[in]  cfg       TLS configuration as esp_tls_cfg_t. If you wish to open
- *                       non-TLS connection, keep this NULL. For TLS connection,
- *                       a pass pointer to esp_tls_cfg_t. At a minimum, this
- *                       structure should be zero-initialized.
+ * @param[in]  cfg       TLS configuration as esp_tls_cfg_t. For a TLS
+ *                       connection, pass a pointer to a esp_tls_cfg_t. For a
+ *                       plain TCP connection, pass a pointer to a
+ *                       esp_tls_cfg_t with is_plain_tcp set to true. At a
+ *                       minimum, this pointer should be not NULL and the
+ *                       structure should be zero-initialized
  * @param[in]  tls       Pointer to esp-tls as esp-tls handle.
  *
  * @return

components/esp-tls/esp_tls_mbedtls.c

@@ -239,7 +239,7 @@ int esp_mbedtls_handshake(esp_tls_t *tls, const esp_tls_cfg_t *cfg)
             ret = esp_mbedtls_dynamic_set_rx_buf_static(&tls->ssl);
             if (ret != 0) {
                 ESP_LOGE(TAG, "esp_mbedtls_dynamic_set_rx_buf_static returned -0x%04X", -ret);
-                return ret;
+                return -1;
             }
         }
 #endif