manualshive.com logo in svg

ST X-CUBE-SBSFU, User Manual, Page: 34 / 94

Share
Download
ST X-CUBE-SBSFU User Manual Download Page 34

Protection measures and security strategy

UM2262

34/94

UM2262 Rev 6

PCROP 

(proprietary code readout protection): a section of Flash is defined as execute-

only applying PCROP protection on it: it is not possible to access this section in reading 
nor writing. Being an execute-only area, a key is protected with PCROP only if it is 
"embedded" in a piece of code: executing this code moves the key to a specific pointer 
in RAM. Placed behind the firewall, its execution is not possible from outside.

WRP

 (write protection): write protection is used to protect trusted code from external 

attacks or even internal modifications such as unwanted writings/erase operations on 
critical code/data. 

MPU

 (memory protection unit): the MPU is used to make an embedded system more 

robust by splitting the memory map for Flash and SRAMs into regions having their own 
access rights. In the SBSFU application example, MPU is configured in order to ensure 
that no other code is executed from any memories during SBSFU code execution. 
When leaving the SBSFU application, the MPU configuration is updated to authorize 
also the execution of user application code.

STSAFE-A Secure Element protections

The STSAFE-A100 is a highly secure solution with a secure operating system running on 
the latest generation of secure microcontrollers:

Security features

: The chip is CC EAL5+ AVA_VAN5 Common Criteria certified and 

provides the following protections.

Active shield

Monitoring of environmental parameters

Protection mechanism against faults

Unique serial number on each die

Protection against side-channel attacks

Secure operating system

: STSAFE-A100 runs a secure operating system offering 

protection against logical and physical attacks.

Secure channel and device binding

: STSAFE-A100 allows a secure channel to be 

set up with the STM32 in order to prevent eavesdropping of sensitive information on 
the I²C line and to ensure pairing of a specific STM32 with a specific STSAFE-A100 (to 
prevent cloning).

The secure channel is based on symmetric cryptography: two AES 128-bit keys (the so-
called host pairing keys) are used to implement services such as command authorization, 
command data encryption, response data encryption and response authentication.

Summary of Contents for X-CUBE-SBSFU

Page 1: ...plete firmware image or only on a portion of the firmware image Examples are provided for single firmware image configuration in order to maximize firmware image size and for dual firmware image confi...

Page 2: ...s and STM32L0 Series 21 5 2 STM32F4 Series STM32F7 Series and STM32L1 Series 24 5 3 STM32G0 Series STM32G4 Series and STM32H7 Series 26 5 4 STM32WB Series 30 5 5 STM32L4 Series combined with STSAFE A1...

Page 3: ...Tera Term connection 50 8 3 1 ST LINK disable 50 8 3 2 Tera Term launch 50 8 3 3 Tera Term configuration 51 8 3 4 Welcome screen display 52 8 4 SBSFU application execution 52 8 4 1 Download request 52...

Page 4: ...Symmetric verification and encryption scheme 73 D 4 X509 certificate based asymmetric scheme without firmware encryption 74 D 5 Secure Boot and Secure Firmware Update flow 76 Appendix E Firmware image...

Page 5: ...M32WB Series specificities 88 H 1 Compilation process 88 H 2 Key provisioning 88 Appendix I STM32H7 Series specificities 89 I 1 JTAG connection for STM32H753 devices 89 I 2 JTAG connection for STM32H7...

Page 6: ...comparison 17 Table 4 MPU regions in the STM32F4 Series STM32F7 Series and STM32L1 Series 26 Table 5 MPU regions in the STM32G0 Series STM32G4 Series and STM32H7 Series 28 Table 6 Error messages at b...

Page 7: ...n bytes screen 49 Figure 21 STM32CubeProgrammer erasing 49 Figure 22 Tera Term connection screen 50 Figure 23 Tera Term setup screen 51 Figure 24 SBSFU welcome screen display 52 Figure 25 SBSFU encryp...

Page 8: ...s using openssl 86 Figure 52 Provisioning in STM32 and firmware image 87 Figure 53 Compile with Loader integration 88 Figure 54 JTAG connection capability on STM32H753 devices 89 Figure 55 JTAG connec...

Page 9: ...is a starting point for OEMs to develop their own SBSFU as a function of their product security requirement levels The X CUBE SBSFU Secure Boot and Secure Firmware Update Expansion Package runs on STM...

Page 10: ...d mail RDP Read protection SB Secure Boot SE Secure Engine SFU Secure Firmware Update SM State machine UART Universal asynchronous receiver transmitter UUID Universally unique identifier WRP Write pro...

Page 11: ...for the X CUBE SBSFU STM32Cube Expansion Package AN5056 2 Introduction to STM32 microcontrollers security application note AN5156 3 STM32CubeProgrammer software description user manual UM2237 4 Authe...

Page 12: ...ssor series such as STM32CubeL4 for the STM32L4 Series which include STM32Cube hardware abstraction layer HAL ensuring maximized portability across the STM32 portfolio STM32Cube low layer APIs ensurin...

Page 13: ...The sample applications are delivered in dual image and single image modes of operation and can be configured in different cryptographic scheme This user manual describes the typical use of the packag...

Page 14: ...e assurance that a certain entity is who it claims to be and confidentiality the assurance that only authorized users can read sensitive data during firmware transfer Memory protection mechanisms prev...

Page 15: ...2 two entities are typically involved in a firmware update process Server OEM manufacturer server web service Stores the new version of device firmware Communicates with the device and sends the new...

Page 16: ...Authenticity check aims to verify that the firmware image is coming from a trusted and known source in order to prevent unauthorized entities to install and execute code 3 4 Cryptography operations Th...

Page 17: ...ng FW binary None the user FW is in clear format AES GCM encryption FW binary Integrity SHA256 FW header and FW binary AES GCM Tag FW header and FW binary Authentication SHA256 of the FW header is ECD...

Page 18: ...example rooting based on token ID KMS only supports a subset of PKCS 11 APIs Object management functions creation update deletion AES encryption functions AES decryption functions Digesting functions...

Page 19: ...UM2262 Rev 6 19 94 UM2262 Key management services 93 Figure 3 KMS functions overview For more details regarding the OASIS PKCS 11 standard refer to 5...

Page 20: ...ist basic fault injection attacks The security strategy is based on the following concepts Ensure single entry point at reset force code execution to start with Secure Boot code Make SBSFU code and SB...

Page 21: ...y strategy 93 Figure 5 SBSFU security IPs vs STM32 Series 2 of 2 5 1 STM32L4 Series and STM32L0 Series Figure 6 illustrates how the system the code and the data are protected in the X CUBE SBSFU appli...

Page 22: ...Protection measures and security strategy UM2262 22 94 UM2262 Rev 6 Figure 6 STM32L4 and STM32L0 protection overview during SBSFU execution...

Page 23: ...able user application code then the above highlighted risks are not valid Tamper the anti tamper protection is used to detect physical tampering actions on the device and to take related counter measu...

Page 24: ...s used to make an embedded system more robust by splitting the memory map for Flash and SRAMs into regions having their own access rights In the SBSFU application example MPU is configured in order to...

Page 25: ...o detect physical tampering actions on the device and to take related counter measures In case of tampering detection the SBSFU application example forces a reboot DAP Debug Access Port the DAP protec...

Page 26: ...nning the SBSFU code 5 3 STM32G0 Series STM32G4 Series and STM32H7 Series Figure 8 illustrates how the system the code and the data are protected in the X CUBE SBSFU application example for the STM32G...

Page 27: ...wall can be accessed by attaching the debugger via the JTAG HW interface on a system reset 1 In case JTAG HW interface access is not possible at customer product and in case the customer uses a truste...

Page 28: ...not call the Secure Engine services nor access the critical data This strict access control to Secure Engine services and resources is implemented by defining specific MPU regions described in Table 5...

Page 29: ...UM2262 Rev 6 29 94 UM2262 Protection measures and security strategy 93 Figure 9 STM32G0 STM32G4 and STM32H7 protection overview during user application execution...

Page 30: ...UM2262 30 94 UM2262 Rev 6 5 4 STM32WB Series Figure 10 illustrates how the system the code and the data are protected in the X CUBE SBSFU application example for the STM32WB Series Figure 10 STM32WB p...

Page 31: ...In case of tampering detection the SBSFU application example forces a reboot DAP Debug Access Port the DAP protection consists in de activating the DAP Debug Access Port Once de activated JTAG pins ar...

Page 32: ...d to authorize also the execution of user application code 5 5 STM32L4 Series combined with STSAFE A100 Figure 10 illustrates how the system the code and the data are protected in the X CUBE SBSFU app...

Page 33: ...omer product and in case the customer uses a trusted and reliable user application code then the above highlighted risks are not valid Tamper the anti tamper protection is used to detect physical tamp...

Page 34: ...n leaving the SBSFU application the MPU configuration is updated to authorize also the execution of user application code STSAFE A Secure Element protections The STSAFE A100 is a highly secure solutio...

Page 35: ...f the middleware in order to provide a protected environment managing all critical data and operations such as secure key storage cryptographic operations and others Integration of secure key manageme...

Page 36: ...B L475E IOT01A board The STSAFE A100 feature is available on the STM32L4 Series with example provided on the B L475E IOT01A board 6 2 Architecture This section describes the software components of the...

Page 37: ...registers that are not protected mbed TLS cryptographic services delivered as open source code Similarly as for X CUBE CRYPTOLIB symmetric and asymmetric key approaches AES GCM AES CBC ECDSA as well a...

Page 38: ...set of APIs to access all the STSAFE A100 device features from STM32 microcontrollers It integrates both low level communication drivers to interface with the STSAFE A100 hardware and a higher level...

Page 39: ...ication dual image variant only Secures FW upgrade Authentication and integrity check FW decryption FW installation Anti rollback mechanisms to avoid re installation of previous firmware version Suppo...

Page 40: ...ting information about the current firmware image Provides examples using KMS exported services through a standard PKCS 11 interface AES GCM CBC encryption decryption RSA signature verification key pr...

Page 41: ...UM2262 Rev 6 41 94 UM2262 Package description 93 6 3 Folder structure A top level view of the folder structure is shown in Figure 13 and Figure 14 Figure 13 Project folder structure 1 of 2...

Page 42: ...tions and parameters are described 6 5 Application compilation process with IAR toolchain Figure 15 outlines the steps needed in order to build the application and to demonstrate Secure Boot and Secur...

Page 43: ...n example It generates The user application binary file that is uploaded to the device using the Secure Firmware Update process UserApp sfb A binary file concatenating the SBSFU binary the user applic...

Page 44: ...amming STM32 microcontrollers ST LINK utility STM32 ST LINK Utility STSW LINK004 is a full featured software interface for programming STM32 microcontrollers It provides an easy to use and efficient e...

Page 45: ...on tool The X CUBE SBSFU Expansion Package for STM32Cube is delivered with the prepareimage tool handling the cryptographic keys and firmware image preparation The prepareimage tool is delivered in tw...

Page 46: ...wnload SBSFU application 2 SBSFU is running download UserApp A 3 UserApp A is installed 4 UserApp A is running download UserApp B 5 UserApp B is installed then running The UserApp A and UserApp B bina...

Page 47: ...ion is disabled on all Flash pages PCROP protection is disabled a BFB2 bit disabled Chip is erased b Option bytes setting can differ from one STM32 Series to another as illustrated in Figure 18 Figure...

Page 48: ...62 Rev 6 Option bytes setting is verified by means of the STM32CubeProgrammer through the following four steps 1 Connection Menu Target Connect with Under reset mode selected refer to Figure 19 Figure...

Page 49: ...grammer Option bytes screen is specific to the STM32 microcontroller series 3 Erase chip Menu Target Erase Chip Figure 21 STM32CubeProgrammer erasing 4 Disconnect Menu Target Disconnect 8 2 Applicatio...

Page 50: ...s a a Power cycle the board after flashing SBSFU unplug plug the USB cable b The SBSFU application starts and configures the security mechanisms in development mode In product mode security mechanisms...

Page 51: ...etup menus Figure 22 illustrates the General setup and Serial port setup menus Figure 23 Tera Term setup screen A configuration is saved using Menu Setup Save Setup Caution After each plug unplug of t...

Page 52: ...no download request the application checks the status of the user firmware Since the board was erased no firmware is available The application cannot jump to firmware and goes back to check if there i...

Page 53: ...lected the Ymodem transfer starts Transfer progress is reported as shown in Figure 26 Figure 26 SBSFU encrypted firmware transfer in progress The progress gauge stalls for a short time at the beginnin...

Page 54: ...d firmware transfer The system status that is printed as shown in Figure 27 consequently provides the following information There is no firmware to download The firmware is detected as encrypted The u...

Page 55: ...strated in Figure 28 and further described from Section 8 5 1 to Section 8 5 3 Figure 28 User application execution 8 5 1 Download a new firmware image The download of a new firmware image is performe...

Page 56: ...Step by step execution UM2262 56 94 UM2262 Rev 6 Figure 29 Encrypted firmware download via user application...

Page 57: ...r trying to access the PCROP region protecting the keys WRP test 4 Causes an error trying to erase write protected code IWDG test 5 Causes a reset simulating a deadlock by not refreshing the watchdog...

Page 58: ...g the status of the user firmware This error is reached when the Flash state does not allow determining the firmware status generic error Decrypt user FW error Not used in the current example code Thi...

Page 59: ...not be reached as a signature issue would be captured at decrypt stage reporting Decrypt failure Incorrect binary format not encrypted Error encountered during an installation procedure the binary pr...

Page 60: ...ine initialization function Secure Encryption functions with OEM key Secure read write access to firmware image Information Secure service to lock some functions in Secure Engine Note Functionalities...

Page 61: ...res to have multiple functions protected by the firewall and called from unprotected code outside it e g encrypt and decrypt functions a way to select which of the internal functions to execute is nee...

Page 62: ...ernal ReadKey function that moves the keys into the protected section of SRAM1 and then use them in the cryptographic operations Figure 32 Secure Engine call gate mechanism A 1 2 SE interface Code pro...

Page 63: ...ns if not locked via the Secure Engine lock service in a secure way using the services provided by SE A 2 MPU based Secure Engine Isolation A 2 1 Principle The MPU based Secure Engine isolation relies...

Page 64: ...ction A 1 2 SE interface keeping in mind that MPU protection replaces the Firewall protection It abstracts the request to get the privileged level of software execution this request consists in trigge...

Page 65: ...aces the Firewall protection the constraints for the placement of the call gate code are only the MPU region constraints the call gate must be located in the privileged code region When the Secure Eng...

Page 66: ...code can program these peripherals For instance in the X CUBE SBSFU example for 32F413HDISCOVERY an MPU region covers the DMA registers to make sure it is not possible to program these peripherals in...

Page 67: ...rding to the maximum possible partial image Swap region This is a Flash area used to swap the content of Slot 0 and Slot 1 Nevertheless this area is not a buffer used for each and every swap of Flash...

Page 68: ...Dual image handling UM2262 68 94 UM2262 Rev 6 Figure 37 Internal user Flash mapping example of the NUCLEO L476RG with 512 byte headers...

Page 69: ...Figure 38 shows how to find information such as slot size and SBSFU code size in the NUCLEO L476RG example To start the application SBSFU initializes the SP register with the user application stack p...

Page 70: ...ge the local download procedure is the only way to update the active user code C 1 Elements and roles Slot 0 This slot contains the active firmware firmware header firmware This is the user applicatio...

Page 71: ...ic scheme selected with the SECBOOT_CRYPTO_SCHEME compiler switch Table 8 Cryptographic scheme list SECBOOT_CRYPTO_SCHEME value Authentication Confidentiality Integrity SECBOOT_ECCDSA_WITH_AES128_CBC_...

Page 72: ...ric encryption schemes These schemes SECBOOT_ECCDSA_WITH_AES128_CBC_SHA256 SECBOOT_ECCDSA_WITH_AES128_CTR_SHA256 SECBOOT_ECCDSA_WITHOUT_ENCRYPT_SHA256 are implemented for firmware decryption and verif...

Page 73: ...handling 93 D 3 Symmetric verification and encryption scheme This scheme SECBOOT_AES128_GCM_AES128_GCM_AES128_GCM is implemented for firmware decryption and verification as illustrated in Figure 40 F...

Page 74: ...e 41 Figure 41 X509 asymmetric verification The X509 certificate based asymmetric scheme makes use of a chain of X509 certificates to deliver the public key used to verify the firmware header signatur...

Page 75: ...use the public key contained in the leaf certificate the certificate chain is first verified by the SBSFU code to ensure that the delivered firmware signing public key is authentic Once the certificat...

Page 76: ...6 D 5 Secure Boot and Secure Firmware Update flow Figure 43 and Figure 44 indicate how the cryptographic operations asymmetric cryptographic scheme with FW encryption are integrated in the SBSFU exec...

Page 77: ...UM2262 Rev 6 77 94 UM2262 Cryptographic schemes handling 93 Figure 44 SBSFU single image boot flows...

Page 78: ...to Appendix F and Appendix G for KMS and STSAFE A specificities E 1 Tool location The Python scripts as well as the Windows executable are located in the Secure Engine component in folder Middlewares...

Page 79: ...er and FW image are already correctly installed It is not needed to use the SBSFU application for installing the UserApp For STM32 devices with OTFDEC support and external Flash two separate binary fi...

Page 80: ...partial image contains only the binary portion of the new firmware image to install versus the active firmware image Partial image usage presents various benefits Smaller firmware image to download r...

Page 81: ...age and only the object ID is returned to the application An updatable key with static ID can be updated in the NVM storage via a secure update procedure using static embedded root keys authenticity c...

Page 82: ...red in a section under PCROP protection but inside the KMS code running in the secure enclave as shown in Figure 47 During SECoreBin compilation stage prebuild bat updates SBSFU static embedded keys i...

Page 83: ...orage F 3 UserApp menu A specific menu is added providing examples using KMS services exported services through a standard PKCS 11 interface AES GCM CBC encryption decryption RSA signature verificatio...

Page 84: ...used to encrypt I2 C communication between STM32 and STSAFE A100 in order to establish a secure communication channel To combine an STSAFE A100 with an STM32 for an SBSFU application cryptographic sch...

Page 85: ...t STSAFE A100 Pairing keys must be provisioned inside the STSAFE A100 to be able to communicate securely with an STM32 component Root CA Cert and OEM CA Cert must be provisioned inside the STSAFE A100...

Page 86: ...CC key pair and certificate signed by the RootCA GEN_SBSFU_SAMPLE_INTER2_CA_ECC_NIST_P256 bat generates Second Intermediate CA OEM Divisional CA ECC key pair and certificate signed by the OEM CA GEN_S...

Page 87: ...U Expansion Package is used refer to Appendix E Firmware image preparation tool for more details IDE pre build script is used to insert pairing keys inside the SBSFU code IDE post build script is used...

Page 88: ...the air download capability Bluetooth Low Energy protocol for STM32WB Series Figure 53 outlines the additional step 0 in order to compile then integrate the Loader into SBSFU during the compilation pr...

Page 89: ...FU application execution To mitigate this risk the switch SFU_SECURE_USER_PROTECT_ENABLE is enabled only after the development phase with the activation of the SFU_FINAL_SECURE_LOCK_ENABLE switch Figu...

Page 90: ...memory size than what it is available in internal Flash memory OTFDEC write only key registers are configured by Secure Engine protected enclave before starting user application as illustrated in Figu...

Page 91: ...security as other STM32 microcontrollers the header of Slot 0 must not be accessible during user application execution For this reason the header of Slot 0 is stored into the internal Flash in order t...

Page 92: ...ingle image mode Extended support of the STM32L4 Series Updated all chapters Updated Appendix A Secure Engine protected environment and Appendix B Dual image handling Added Appendix C Single image han...

Page 93: ...cities Removed Appendix SBSFU application state machine 4 Feb 2020 6 Added AES CTR encryption of external Flash for the microcontrollers supporting OTFDEC processing Added I 2 JTAG connection for STM3...

Page 94: ...lection and use of ST products and ST assumes no liability for application assistance or the design of Purchasers products No license express or implied to any intellectual property right is granted b...

Reviews:

No comments