menu "ESP Security Specific"

    menu "Crypto DPA Protection"
        depends on SOC_CRYPTO_DPA_PROTECTION_SUPPORTED
        config ESP_CRYPTO_DPA_PROTECTION_AT_STARTUP
            bool "Enable crypto DPA protection at startup"
            default y
            help
                This config controls the DPA (Differential Power Analysis) protection
                knob for the crypto peripherals. DPA protection dynamically adjusts
                clock frequency of the crypto peripheral. DPA protection helps to make it
                difficult to perform SCA attacks on the crypto peripherals. However,
                there is also associated performance impact based on the security level
                set. Please refer to the TRM for more details.

        choice ESP_CRYPTO_DPA_PROTECTION_LEVEL
            prompt "DPA protection level"
            depends on ESP_CRYPTO_DPA_PROTECTION_AT_STARTUP
            default ESP_CRYPTO_DPA_PROTECTION_LEVEL_LOW
            help
                Configure the DPA protection security level

            config ESP_CRYPTO_DPA_PROTECTION_LEVEL_LOW
                bool "Security level low"

            config ESP_CRYPTO_DPA_PROTECTION_LEVEL_MEDIUM
                bool "Security level medium"

            config ESP_CRYPTO_DPA_PROTECTION_LEVEL_HIGH
                bool "Security level high"
        endchoice

        config ESP_CRYPTO_DPA_PROTECTION_LEVEL
            int
            default 1 if ESP_CRYPTO_DPA_PROTECTION_LEVEL_LOW
            default 2 if ESP_CRYPTO_DPA_PROTECTION_LEVEL_MEDIUM
            default 3 if ESP_CRYPTO_DPA_PROTECTION_LEVEL_HIGH
    endmenu

    config ESP_CRYPTO_FORCE_ECC_CONSTANT_TIME_POINT_MUL
        bool "Forcefully enable ECC constant time point multiplication operations"
        depends on SOC_ECC_CONSTANT_TIME_POINT_MUL
        default n
        help
            If enabled, the app startup code will burn the ECC_FORCE_CONST_TIME efuse bit to force the
            ECC peripheral to always perform constant time point multiplication operations,
            irrespective of the ECC_MULT_SECURITY_MODE status bit that is present in the ECC_MULT_CONF_REG
            register. By default, ESP-IDF configures the ECC peripheral to perform constant time point
            multiplication operations, so enabling this config would provide security enhancement only in
            the cases when trusted boot is not enabled and the attacker tries carrying out non-constant
            time point multiplication operations by changing the default ESP-IDF configurations.
            Performing constant time operations protect the ECC multiplication operations from timing attacks.

            For targets that support Secure Boot using ECDSA-P384, the write-protection bit of the efuse
            bit could be shared by multiple other efuse bits and can be programmed by the application when
            Secure Boot is enabled.
            Thus, you could select CONFIG_SECURE_BOOT_SKIP_WRITE_PROTECTION_SCA, in case you would like
            to skip the write-protection of the efuse bit.

    config ESP_ECDSA_ENABLE_P192_CURVE
        bool "Enable ECDSA 192-curve operations"
        depends on SOC_ECDSA_P192_CURVE_DEFAULT_DISABLED
        default n
        help
            By default, only the 256-bit curve operations are allowed. If this configuration is enabled,
            it will set the eFuse to allow ECDSA operations using both the 192-bit and 256-bit curves.

endmenu
