diff --git a/components/bootloader/Kconfig.projbuild b/components/bootloader/Kconfig.projbuild
index 15f6183c4c..446e279461 100644
--- a/components/bootloader/Kconfig.projbuild
+++ b/components/bootloader/Kconfig.projbuild
@@ -755,9 +755,17 @@ menu "Security features"
                 efuse when Secure Boot is enabled. This prevents any more efuses from being read protected.
 
                 If this option is set, it will remain possible to write the EFUSE_RD_DIS efuse field after Secure
-                Boot is enabled. This may allow an attacker to read-protect the BLK2 efuse holding the public
-                key digest, causing an immediate denial of service and possibly allowing an additional fault
-                injection attack to bypass the signature protection.
+                Boot is enabled. This may allow an attacker to read-protect the BLK2 efuse (for ESP32) and
+                BLOCK4-BLOCK10 (i.e. BLOCK_KEY0-BLOCK_KEY5)(for other chips) holding the public key digest, causing an
+                immediate denial of service and possibly allowing an additional fault injection attack to
+                bypass the signature protection.
+
+                NOTE: Once a BLOCK is read-protected, the application will read all zeros from that block
+
+                NOTE: If "UART ROM download mode (Permanently disabled (recommended))" or
+                "UART ROM download mode (Permanently switch to Secure mode (recommended))" is set,
+                then it is __NOT__ possible to read/write efuses using espefuse.py utility.
+                However, efuse can be read/written from the application
 
         config SECURE_BOOT_ALLOW_UNUSED_DIGEST_SLOTS
             bool "Leave unused digest slots available (not revoke)"
diff --git a/components/bootloader_support/src/esp32c3/flash_encryption_secure_features.c b/components/bootloader_support/src/esp32c3/flash_encryption_secure_features.c
index 0bbadf286c..d00f2d9e15 100644
--- a/components/bootloader_support/src/esp32c3/flash_encryption_secure_features.c
+++ b/components/bootloader_support/src/esp32c3/flash_encryption_secure_features.c
@@ -40,5 +40,11 @@ esp_err_t esp_flash_encryption_enable_secure_features(void)
 
     esp_efuse_write_field_bit(ESP_EFUSE_DIS_LEGACY_SPI_BOOT);
 
+#if defined(CONFIG_SECURE_BOOT_V2_ENABLED) && !defined(CONFIG_SECURE_BOOT_V2_ALLOW_EFUSE_RD_DIS)
+    // This bit is set when enabling Secure Boot V2, but we can't enable it until this later point in the first boot
+    // otherwise the Flash Encryption key cannot be read protected
+    esp_efuse_write_field_bit(ESP_EFUSE_WR_DIS_RD_DIS);
+#endif
+
     return ESP_OK;
 }
diff --git a/components/bootloader_support/src/esp32c3/secure_boot_secure_features.c b/components/bootloader_support/src/esp32c3/secure_boot_secure_features.c
index 647d2fd988..30098bed32 100644
--- a/components/bootloader_support/src/esp32c3/secure_boot_secure_features.c
+++ b/components/bootloader_support/src/esp32c3/secure_boot_secure_features.c
@@ -40,5 +40,20 @@ esp_err_t esp_secure_boot_enable_secure_features(void)
 
     esp_efuse_write_field_bit(ESP_EFUSE_SECURE_BOOT_EN);
 
+#ifndef CONFIG_SECURE_BOOT_V2_ALLOW_EFUSE_RD_DIS
+    bool rd_dis_now = true;
+#ifdef CONFIG_SECURE_FLASH_ENC_ENABLED
+    /* If flash encryption is not enabled yet then don't read-disable efuses yet, do it later in the boot
+       when Flash Encryption is being enabled */
+    rd_dis_now = esp_flash_encryption_enabled();
+#endif
+    if (rd_dis_now) {
+        ESP_LOGI(TAG, "Prevent read disabling of additional efuses...");
+        esp_efuse_write_field_bit(ESP_EFUSE_WR_DIS_RD_DIS);
+    }
+#else
+    ESP_LOGW(TAG, "Allowing read disabling of additional efuses - SECURITY COMPROMISED");
+#endif
+
     return ESP_OK;
 }
diff --git a/components/bootloader_support/src/esp32s2/flash_encryption_secure_features.c b/components/bootloader_support/src/esp32s2/flash_encryption_secure_features.c
index ad5182db22..3927367c3e 100644
--- a/components/bootloader_support/src/esp32s2/flash_encryption_secure_features.c
+++ b/components/bootloader_support/src/esp32s2/flash_encryption_secure_features.c
@@ -41,5 +41,11 @@ esp_err_t esp_flash_encryption_enable_secure_features(void)
     esp_efuse_write_field_bit(ESP_EFUSE_DIS_BOOT_REMAP);
     esp_efuse_write_field_bit(ESP_EFUSE_DIS_LEGACY_SPI_BOOT);
 
+#if defined(CONFIG_SECURE_BOOT_V2_ENABLED) && !defined(CONFIG_SECURE_BOOT_V2_ALLOW_EFUSE_RD_DIS)
+    // This bit is set when enabling Secure Boot V2, but we can't enable it until this later point in the first boot
+    // otherwise the Flash Encryption key cannot be read protected
+    esp_efuse_write_field_bit(ESP_EFUSE_WR_DIS_RD_DIS);
+#endif
+
     return ESP_OK;
 }
diff --git a/components/bootloader_support/src/esp32s2/secure_boot_secure_features.c b/components/bootloader_support/src/esp32s2/secure_boot_secure_features.c
index 74197b45ab..418a932209 100644
--- a/components/bootloader_support/src/esp32s2/secure_boot_secure_features.c
+++ b/components/bootloader_support/src/esp32s2/secure_boot_secure_features.c
@@ -40,5 +40,20 @@ esp_err_t esp_secure_boot_enable_secure_features(void)
 
     esp_efuse_write_field_bit(ESP_EFUSE_SECURE_BOOT_EN);
 
+#ifndef CONFIG_SECURE_BOOT_V2_ALLOW_EFUSE_RD_DIS
+    bool rd_dis_now = true;
+#ifdef CONFIG_SECURE_FLASH_ENC_ENABLED
+    /* If flash encryption is not enabled yet then don't read-disable efuses yet, do it later in the boot
+       when Flash Encryption is being enabled */
+    rd_dis_now = esp_flash_encryption_enabled();
+#endif
+    if (rd_dis_now) {
+        ESP_LOGI(TAG, "Prevent read disabling of additional efuses...");
+        esp_efuse_write_field_bit(ESP_EFUSE_WR_DIS_RD_DIS);
+    }
+#else
+    ESP_LOGW(TAG, "Allowing read disabling of additional efuses - SECURITY COMPROMISED");
+#endif
+
     return ESP_OK;
 }