
Introduction

This document describes how to prepare STM32U585xx microcontrollers to make a secure system solution compliant with SESIP Profile for PSA Level 3 using the STM32Cube_FW_U585_Security_certification_V1.0.0 software package included in the STM32CubeU5 MCU Package.

The B-U585I-IOT02A board integrating the STM32U585AI microcontroller is used as the hardware vehicle to implement and test a non-secure application using secure services, but it does not bring any additional security mechanism.

The security guidance described in this document applies to any boards based on STM32U585xx microcontrollers.


STM32U585xx security guidance for PSA Certified™ Level 3 with SESIP Profile

UM2852 - User manual

UM2852 - Rev 1 - June 2021

For further information contact your local STMicroelectronics sales office.

www.st.com

Contents: STM32U585 Series


Page 2: ...FM application runs on STM32U585xx 32-bit microcontrollers based on the Arm Cortex-M processor. Note: Arm is a registered trademark of Arm Limited (or its subsidiaries) in the US and/or elsewhere. ...

Page 3: ...irmware update functionalities only. SESIP: Security evaluation standard for IoT platforms. SFN: Secure function; an entry function to a secure service (multiple SFN per SS are permitted). SP: Secure partition; a logical container for a single secure service. SPE: Secure processing environment (PSA term); in TF-M this means the secure domain is protected by TF-M. SPM: Secure partition manager; the TF-M component is...

Page 4: ...ision 15. UM2851: User manual, Getting started with STM32CubeU5 TF-M applications, UM2851 Revision 1. Security Target: Security Target for STM32U585 family of device compliant with SESIP profile for PSA Certified Level 3, V1.0. PSA_ST_API: PSA Storage API 1.0.0. PSA_CRYPTO_API: PSA Cryptography API 1.0.0. PSA_ATTESTATION_API: PSA Attestation API 1.0.0. IEE1149: IEEE 1149.1-2013. ADI5: Arm Debug Interface Architectu...

Page 5: ...ession Level 1 / level 0 that erases the user Flash. The software package can be obtained through the standard ST support channels. Note that it is the responsibility of the integrator to choose the correct STM32CubeU5 MCU Package version. How to accept the STM32U585xx microcontroller: by reading with STM32CubeProgrammer (for more details refer to UM2237) the DBGMCU_IDCODE register value 0x2001 6482 at th...

Page 6: ...and is changed as soon as the non-secure image code is changed (customized by the integrator at first installation, or updated through the secure update procedure). These TOE values can be obtained with this procedure: 1. Run the TFM User Application menu, then press 2 (Test TFM), then 7 (TFM Test EAT). 2. Copy the token response in Middlewares/Third_Party/trustedfirmware/tools/iat-verifier/st_tools/eat.txt. 3. Deco...

Page 7: ...s external memories. STM32CubeProgrammer also allows option programming and upload, programming content verification, and microcontroller programming automation through scripting. STM32CubeProgrammer is delivered in GUI (graphical user interface) and CLI (command line interface) versions. The STM32CubeProgrammer tool version to use for the TFM tests in the context of the security certification is v2.8.0 (v2...

Page 8: ...BOOTADD0 = 0x180080 (0x0c004000 address); NSBOOTADD0 = SECBOOTADD0; NSBOOTADD1 = SECBOOTADD0; BOOT_LOCK set; SECWM1 enabled with SECWM1_PSTRT = 0 (0x08000000 address) and SECWM1_PEND = 0x28 (0x08050000 address); HDP1 enabled with HDP1_PEND = 0xa (0x0c015fff address); WRP1A enabled with WRP1A_PSTRT = 0x1 (0x08002000 address) and WRP1A_END = 0xb (0x08016000 address), and WRP1A locked (UNLOCK_1A unchecked); SECWM2 disabled; HDP2 disabled ...

Page 9: ...e the TOE into a full IoT solution. To this end, the system integrator has access to interfaces that are unavailable for other users, as described in Section 4.2.2 Available interfaces and methods of use (AGD_OPE.1.2C and AGD_OPE.1.3C). The integrator can also change some parts outside or inside the TOE; nevertheless, some changes may impact the certified configuration of the TOE. The TOE scope evaluated c...

Page 10: ... file: #define MCUBOOT_IMAGE_NUMBER 2. Value 1: S and NS application binaries are assembled in one single image. Value 2: two separated images for S and NS application binaries. It is possible to configure the number of images to one single image, where the secure and non-secure applications are assembled, so that the boot time is reduced. The laboratory has assessed the security of both single and separate images. Howe...

Page 11: ...n TFM_SBSFU_Boot/Inc/config-boot.h file: /* HW accelerators activation in BL2 */ #define BL2_HW_ACCEL_ENABLE. The activation of the cryptography hardware accelerators for TFM secure cryptography services at run time is achieved by activating the define TFM_HW_ACCEL_ENABLE in the TFM_Appli/Inc/tfm_mbedcrypto_config.h file: /* HW accelerators activation in TFM */ #define TFM_HW_ACCEL_ENABLE. It is possible to disabl...

Page 12: ...able more tamper detection without compromising the TOE security falls within the scope of this evaluation, but it is not the certified configuration (the Implementation ID value is changed; refer to Section 3.1 Secure acceptance). It is also possible to disable internal tamper detection. The flexibility for an integrator to disable internal tamper detection without compromising the TOE security does not fa...

Page 13: ... secure domain in the unprivileged part (isolated execution domain configured by the TOE). The integrator must use the PSA API to access the TOE and must comply with TOE rules to export those new secured services to the non-secure application. The integrator must adapt the memory layout in case the size of the secure application is bigger than the secure image primary slot size. The TOE is certified wi...

Page 14: ... inside the secure or unprivileged domain. Therefore: any input received from an IoT application (bounds checking, for example) must be validated within the Application RoT services API. The integrator must be aware of what data is sent to the IoT application and must ensure that there is no unintentional leak of sensitive information. Properly handle errors: always check a result or status code returned ...

Page 15: ...TOE secure boot procedure detects the problem and blocks the TOE secure boot procedure execution. A reset is generated, except for the case of the RDP option bytes value, for which an infinite loop is executed in the secure domain. Secure image secondary slot interface: the Secure image secondary slot is used to implement the remote firmware update functionality of the secure image by triggering the bootloader ...

Page 16: ...n Figure 3. To use the secure image secondary slot, data must be written in the correct image format in the secure Image secondary slot area, and the Magic 16 bytes must be written in the slot area end location, as described in Figure 4. Figure 3: Flash layout. Figure 4: Image format. ...

Page 17: ...ng the bootloader image upgrade process. It is a memory area where a new candidate of the non-secure image is placed by writing into it, using the non-secure application (either via a physical interface or via a wireless interface) or using the standalone external loader application via a physical interface. After any product reset, if magic 16 bytes are present at the slot area end location, the ...

Page 18: ...rface. The PSA API interfaces the secure services hosted in the secure application ROT. These API are used (called) by the Non-secure world, but can also be called by the secure application ROT secure services running in the secure domain with unprivileged rights; it provides a programmatic interface to trigger secure functionalities running in the secure domain with privileged rights. The integrator calls th...

Page 19: ...rammer CLI command: STM32_Programmer_CLI -c port=SWD mode=UR -hardRst -lockRDP2 <OEM2 password>. Parameters: OEM2 password (64 bits). Example value: OEM2 password 0xFACEB00C 0xDEADBABE. Actions: when RDP is level 2 and the OEM2 password is injected through JTAG/SWD, then RDP is changed from level 2 to level 1. Errors: RDP level remains set to level 2 in case of a wrong provided OEM2 password; RDP level remains set to lev...

Page 20: ...ls from the secure unprivileged domain is transparent (a silent fail mechanism): any read operations return 0; any write operations are ignored. Secure DMA privilege access violation on privilege memories from the secure unprivileged domain is transparent (a silent fail mechanism), so DMA can be used in the secure unprivileged domain with the current implementation of the TOE Root of Trust. Access violatio...

Page 21: ... to all protected memories (Flash, protected SRAMs and back-up registers). Protection against debugging: in RDP level 2 with OEM2 password, debug via JTAG is not possible. Nevertheless, with RDP Level 2 with OEM2 password provisioned, it is still possible to go back to RDP level 1 by injecting the OEM2 password via the JTAG interface, then to RDP level 0 (all memories erased first). Intrusion signal raised as soon we ...

Page 22: ...mutable TFM_SBSFU_Boot application, the only interfaces are the Flash memory slots where new images can be downloaded (non-secure application) and the non-secure image secondary slots. In case a new image to install is available, then the TOE verifies it and installs it. In case there is no new image to be installed, the TOE verifies the installed images from a former secure or non-secure application. If the inst...

Page 23: ...Revision history. Table 2: Document revision history. Date: 30-Jun-2021; Revision: 1; Changes: Initial release. ...

Page 24: ...4 Operational user guidance, p. 9; 4.1 User roles, p. 9; 4.2 Operational guidance for the integrator role, p. 9; 4.2.1 User accessible functions and privileges (AGD_OPE.1.1C), p. 9; 4.2.2 Available interfaces and methods of use (AGD_OPE.1.2C and AGD_OPE.1.3C), p. 14; 4.2.3 Security relevant events (AGD_OPE.1.4C), p. 20; 4.2.4 Security measures (AGD_OPE.1.6C), p. 21; 4.2.5 Modes of operation (AGD_OPE.1.5C), p. 22; Revision history, p. 23; Contents, p. 24; L...

Page 25: ...List of tables: Table 1 List of acronyms, p. 3; Table 2 Document revision history, p. 23. ...

Page 26: ...List of figures: Figure 1 Flash memory layout for certified configuration, p. 8; Figure 2 TOE scope, p. 9; Figure 3 Flash layout, p. 16; Figure 4 Image format, p. 16. ...

Page 27: ...cts, and ST assumes no liability for application assistance or the design of Purchasers' products. No license, express or implied, to any intellectual property right is granted by ST herein. Resale of ST products with provisions different from the information set forth herein shall void any warranty granted by ST for such product. ST and the ST logo are trademarks of ST. For additional information about S...
