diff --git a/components/bootloader_support/src/esp32s2/flash_encrypt.c b/components/bootloader_support/src/esp32s2/flash_encrypt.c
index a99f0ee146..797a495517 100644
--- a/components/bootloader_support/src/esp32s2/flash_encrypt.c
+++ b/components/bootloader_support/src/esp32s2/flash_encrypt.c
@@ -188,31 +188,28 @@ static esp_err_t initialise_flash_encryption(void)
 
 #ifndef CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_ENC
     ESP_LOGI(TAG, "Disable UART bootloader encryption...");
-    const uint8_t dis_manual_encrypt = 1;
-    esp_efuse_write_field_blob(ESP_EFUSE_DIS_DOWNLOAD_MANUAL_ENCRYPT, &dis_manual_encrypt, 1);
+    esp_efuse_write_field_cnt(ESP_EFUSE_DIS_DOWNLOAD_MANUAL_ENCRYPT, 1);
 #else
     ESP_LOGW(TAG, "Not disabling UART bootloader encryption");
 #endif
 
 #ifndef CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_CACHE
     ESP_LOGI(TAG, "Disable UART bootloader cache...");
-    const uint8_t dis_download_caches = 1;
-    esp_efuse_write_field_blob(ESP_EFUSE_DIS_DOWNLOAD_DCACHE, &dis_download_caches, 1);
-    esp_efuse_write_field_blob(ESP_EFUSE_DIS_DOWNLOAD_ICACHE, &dis_download_caches, 1);
+    esp_efuse_write_field_cnt(ESP_EFUSE_DIS_DOWNLOAD_DCACHE, 1);
+    esp_efuse_write_field_cnt(ESP_EFUSE_DIS_DOWNLOAD_ICACHE, 1);
 #else
     ESP_LOGW(TAG, "Not disabling UART bootloader cache - SECURITY COMPROMISED");
 #endif
 
 #ifndef CONFIG_SECURE_BOOT_ALLOW_JTAG
     ESP_LOGI(TAG, "Disable JTAG...");
-    const uint8_t dis_jtag = 1;
-    esp_efuse_write_field_blob(ESP_EFUSE_HARD_DIS_JTAG, &dis_jtag, 1);
+    esp_efuse_write_field_cnt(ESP_EFUSE_HARD_DIS_JTAG, 1);
 #else
     ESP_LOGW(TAG, "Not disabling JTAG - SECURITY COMPROMISED");
 #endif
 
-    const uint8_t dis_boot_remap = 1;
-    esp_efuse_write_field_blob(ESP_EFUSE_DIS_BOOT_REMAP, &dis_boot_remap, 1);
+    esp_efuse_write_field_bit(ESP_EFUSE_DIS_BOOT_REMAP);
+    esp_efuse_write_field_bit(ESP_EFUSE_DIS_LEGACY_SPI_BOOT);
 
     esp_err_t err = esp_efuse_batch_write_commit();
 
diff --git a/components/bootloader_support/src/esp32s2/secure_boot.c b/components/bootloader_support/src/esp32s2/secure_boot.c
index 47e55dde42..4deb5d1728 100644
--- a/components/bootloader_support/src/esp32s2/secure_boot.c
+++ b/components/bootloader_support/src/esp32s2/secure_boot.c
@@ -34,12 +34,20 @@ esp_err_t esp_secure_boot_permanently_enable(void)
         return r;
     }
 
-    ets_efuse_clear_program_registers();
-    REG_SET_BIT(EFUSE_PGM_DATA3_REG, EFUSE_SECURE_BOOT_EN);
-    ets_efuse_program(ETS_EFUSE_BLOCK0);
+    esp_efuse_batch_write_begin(); /* Batch all efuse writes at the end of this function */
 
-    assert(ets_efuse_secure_boot_enabled());
-    ESP_LOGI(TAG, "Secure boot permanently enabled");
+    esp_efuse_write_field_bit(ESP_EFUSE_SECURE_BOOT_EN);
+    esp_efuse_write_field_bit(ESP_EFUSE_DIS_BOOT_REMAP);
+    esp_efuse_write_field_bit(ESP_EFUSE_DIS_LEGACY_SPI_BOOT);
+
+    // TODO: also disable JTAG here, etc
+
+    esp_err_t err = esp_efuse_batch_write_commit();
+
+    if (err == ESP_OK) {
+        assert(ets_efuse_secure_boot_enabled());
+        ESP_LOGI(TAG, "Secure boot permanently enabled");
+    }
 
     return ESP_OK;
 }