manualshive.com logo in svg

ST X-CUBE-SBSFU, Руководство пользователя, Страница: 23 / 94

Поделиться
Скачать
ST X-CUBE-SBSFU Скачать руководство пользователя страница 23

UM2262 Rev 6

23/94

UM2262

Protection measures and security strategy

93

Protections against outer attacks

Outer attacks refer to attacks triggered by external tools such as debuggers or probes, 
trying to access the device. In the SBSFU application example, RDP, tamper, DAP and 
IWDG protections are used to protect product against outer attacks:

RDP

 (Read Protection): Read Protection Level 2 is mandatory to achieve the highest 

level of protection and to implement a Root of Trust:

External access via the JTAG HW interface to RAM and Flash is forbidden. This 
prevents attacks aiming to change SBSFU code and therefore mining the Root of 
Trust.

Option bytes cannot be changed. This means that other protections such as WRP 
and PCROP cannot be changed anymore.

Caution

 - RDP level 1 is not proposed for the following reasons:

1. Secure Boot / Root of Trust (single entry point and immutable code) cannot be 
ensured, because Option bytes (WRP) can be modified in RDP L1.
2. Device internal flash can be fully reprogrammed (after flash mass erase via RDP L0 
regression) with a new FW without any security.
3. Secrets in RAM memory protected by firewall can be accessed by attaching the 
debugger via the JTAG HW interface on a system reset.
In case JTAG HW interface access is not possible at customer product, and in case the 
customer uses a trusted and reliable user application code, then the above-highlighted 
risks are not valid.

Tamper

: the anti-tamper protection is used to detect physical tampering actions on the 

device and to take related counter measures. In case of tampering detection, the 
SBSFU application example forces a reboot.

DAP

 (Debug Access Port): the DAP protection consists in de-activating the DAP 

(Debug Access Port). Once de-activated, JTAG pins are no longer connected to the 
STM32 internal bus. DAP is automatically disabled with RDP Level 2.

IWDG

 (Independent Watchdog): IWDG is a free-running down-counter. Once running, 

it cannot be stopped. It must be refreshed periodically before it causes a reset. This 
mechanism allows the control of SBSFU execution duration.

Protections against inner attacks

Inner attacks refer to attacks triggered by code running in the STM32. Attacks may be due 
to either malicious firmware exploiting bugs or security breaches, or unwanted operations. 
In th SBSFU application example, WRP, firewall, PCROP, and MPU protections preserve 
the product from inner attacks:

FWALL

 (firewall): the firewall is configured to protect the code, volatile data and non-

volatile data. Protected code is accessible through a single entry point (the call gate 
mechanism is described in 

Appendix A

). Any attempt to jump and try to execute any of 

the functions included in the code section without passing through the entry point 
generates a system reset.

 

In the KMS example, keys and cryptographic services are executed inside the isolated 
environment under firewall protection.

Содержание X-CUBE-SBSFU

Страница 1: ...plete firmware image or only on a portion of the firmware image Examples are provided for single firmware image configuration in order to maximize firmware image size and for dual firmware image confi...

Страница 2: ...s and STM32L0 Series 21 5 2 STM32F4 Series STM32F7 Series and STM32L1 Series 24 5 3 STM32G0 Series STM32G4 Series and STM32H7 Series 26 5 4 STM32WB Series 30 5 5 STM32L4 Series combined with STSAFE A1...

Страница 3: ...Tera Term connection 50 8 3 1 ST LINK disable 50 8 3 2 Tera Term launch 50 8 3 3 Tera Term configuration 51 8 3 4 Welcome screen display 52 8 4 SBSFU application execution 52 8 4 1 Download request 52...

Страница 4: ...Symmetric verification and encryption scheme 73 D 4 X509 certificate based asymmetric scheme without firmware encryption 74 D 5 Secure Boot and Secure Firmware Update flow 76 Appendix E Firmware image...

Страница 5: ...M32WB Series specificities 88 H 1 Compilation process 88 H 2 Key provisioning 88 Appendix I STM32H7 Series specificities 89 I 1 JTAG connection for STM32H753 devices 89 I 2 JTAG connection for STM32H7...

Страница 6: ...comparison 17 Table 4 MPU regions in the STM32F4 Series STM32F7 Series and STM32L1 Series 26 Table 5 MPU regions in the STM32G0 Series STM32G4 Series and STM32H7 Series 28 Table 6 Error messages at b...

Страница 7: ...n bytes screen 49 Figure 21 STM32CubeProgrammer erasing 49 Figure 22 Tera Term connection screen 50 Figure 23 Tera Term setup screen 51 Figure 24 SBSFU welcome screen display 52 Figure 25 SBSFU encryp...

Страница 8: ...s using openssl 86 Figure 52 Provisioning in STM32 and firmware image 87 Figure 53 Compile with Loader integration 88 Figure 54 JTAG connection capability on STM32H753 devices 89 Figure 55 JTAG connec...

Страница 9: ...is a starting point for OEMs to develop their own SBSFU as a function of their product security requirement levels The X CUBE SBSFU Secure Boot and Secure Firmware Update Expansion Package runs on STM...

Страница 10: ...d mail RDP Read protection SB Secure Boot SE Secure Engine SFU Secure Firmware Update SM State machine UART Universal asynchronous receiver transmitter UUID Universally unique identifier WRP Write pro...

Страница 11: ...for the X CUBE SBSFU STM32Cube Expansion Package AN5056 2 Introduction to STM32 microcontrollers security application note AN5156 3 STM32CubeProgrammer software description user manual UM2237 4 Authe...

Страница 12: ...ssor series such as STM32CubeL4 for the STM32L4 Series which include STM32Cube hardware abstraction layer HAL ensuring maximized portability across the STM32 portfolio STM32Cube low layer APIs ensurin...

Страница 13: ...The sample applications are delivered in dual image and single image modes of operation and can be configured in different cryptographic scheme This user manual describes the typical use of the packag...

Страница 14: ...e assurance that a certain entity is who it claims to be and confidentiality the assurance that only authorized users can read sensitive data during firmware transfer Memory protection mechanisms prev...

Страница 15: ...2 two entities are typically involved in a firmware update process Server OEM manufacturer server web service Stores the new version of device firmware Communicates with the device and sends the new...

Страница 16: ...Authenticity check aims to verify that the firmware image is coming from a trusted and known source in order to prevent unauthorized entities to install and execute code 3 4 Cryptography operations Th...

Страница 17: ...ng FW binary None the user FW is in clear format AES GCM encryption FW binary Integrity SHA256 FW header and FW binary AES GCM Tag FW header and FW binary Authentication SHA256 of the FW header is ECD...

Страница 18: ...example rooting based on token ID KMS only supports a subset of PKCS 11 APIs Object management functions creation update deletion AES encryption functions AES decryption functions Digesting functions...

Страница 19: ...UM2262 Rev 6 19 94 UM2262 Key management services 93 Figure 3 KMS functions overview For more details regarding the OASIS PKCS 11 standard refer to 5...

Страница 20: ...ist basic fault injection attacks The security strategy is based on the following concepts Ensure single entry point at reset force code execution to start with Secure Boot code Make SBSFU code and SB...

Страница 21: ...y strategy 93 Figure 5 SBSFU security IPs vs STM32 Series 2 of 2 5 1 STM32L4 Series and STM32L0 Series Figure 6 illustrates how the system the code and the data are protected in the X CUBE SBSFU appli...

Страница 22: ...Protection measures and security strategy UM2262 22 94 UM2262 Rev 6 Figure 6 STM32L4 and STM32L0 protection overview during SBSFU execution...

Страница 23: ...able user application code then the above highlighted risks are not valid Tamper the anti tamper protection is used to detect physical tampering actions on the device and to take related counter measu...

Страница 24: ...s used to make an embedded system more robust by splitting the memory map for Flash and SRAMs into regions having their own access rights In the SBSFU application example MPU is configured in order to...

Страница 25: ...o detect physical tampering actions on the device and to take related counter measures In case of tampering detection the SBSFU application example forces a reboot DAP Debug Access Port the DAP protec...

Страница 26: ...nning the SBSFU code 5 3 STM32G0 Series STM32G4 Series and STM32H7 Series Figure 8 illustrates how the system the code and the data are protected in the X CUBE SBSFU application example for the STM32G...

Страница 27: ...wall can be accessed by attaching the debugger via the JTAG HW interface on a system reset 1 In case JTAG HW interface access is not possible at customer product and in case the customer uses a truste...

Страница 28: ...not call the Secure Engine services nor access the critical data This strict access control to Secure Engine services and resources is implemented by defining specific MPU regions described in Table 5...

Страница 29: ...UM2262 Rev 6 29 94 UM2262 Protection measures and security strategy 93 Figure 9 STM32G0 STM32G4 and STM32H7 protection overview during user application execution...

Страница 30: ...UM2262 30 94 UM2262 Rev 6 5 4 STM32WB Series Figure 10 illustrates how the system the code and the data are protected in the X CUBE SBSFU application example for the STM32WB Series Figure 10 STM32WB p...

Страница 31: ...In case of tampering detection the SBSFU application example forces a reboot DAP Debug Access Port the DAP protection consists in de activating the DAP Debug Access Port Once de activated JTAG pins ar...

Страница 32: ...d to authorize also the execution of user application code 5 5 STM32L4 Series combined with STSAFE A100 Figure 10 illustrates how the system the code and the data are protected in the X CUBE SBSFU app...

Страница 33: ...omer product and in case the customer uses a trusted and reliable user application code then the above highlighted risks are not valid Tamper the anti tamper protection is used to detect physical tamp...

Страница 34: ...n leaving the SBSFU application the MPU configuration is updated to authorize also the execution of user application code STSAFE A Secure Element protections The STSAFE A100 is a highly secure solutio...

Страница 35: ...f the middleware in order to provide a protected environment managing all critical data and operations such as secure key storage cryptographic operations and others Integration of secure key manageme...

Страница 36: ...B L475E IOT01A board The STSAFE A100 feature is available on the STM32L4 Series with example provided on the B L475E IOT01A board 6 2 Architecture This section describes the software components of the...

Страница 37: ...registers that are not protected mbed TLS cryptographic services delivered as open source code Similarly as for X CUBE CRYPTOLIB symmetric and asymmetric key approaches AES GCM AES CBC ECDSA as well a...

Страница 38: ...set of APIs to access all the STSAFE A100 device features from STM32 microcontrollers It integrates both low level communication drivers to interface with the STSAFE A100 hardware and a higher level...

Страница 39: ...ication dual image variant only Secures FW upgrade Authentication and integrity check FW decryption FW installation Anti rollback mechanisms to avoid re installation of previous firmware version Suppo...

Страница 40: ...ting information about the current firmware image Provides examples using KMS exported services through a standard PKCS 11 interface AES GCM CBC encryption decryption RSA signature verification key pr...

Страница 41: ...UM2262 Rev 6 41 94 UM2262 Package description 93 6 3 Folder structure A top level view of the folder structure is shown in Figure 13 and Figure 14 Figure 13 Project folder structure 1 of 2...

Страница 42: ...tions and parameters are described 6 5 Application compilation process with IAR toolchain Figure 15 outlines the steps needed in order to build the application and to demonstrate Secure Boot and Secur...

Страница 43: ...n example It generates The user application binary file that is uploaded to the device using the Secure Firmware Update process UserApp sfb A binary file concatenating the SBSFU binary the user applic...

Страница 44: ...amming STM32 microcontrollers ST LINK utility STM32 ST LINK Utility STSW LINK004 is a full featured software interface for programming STM32 microcontrollers It provides an easy to use and efficient e...

Страница 45: ...on tool The X CUBE SBSFU Expansion Package for STM32Cube is delivered with the prepareimage tool handling the cryptographic keys and firmware image preparation The prepareimage tool is delivered in tw...

Страница 46: ...wnload SBSFU application 2 SBSFU is running download UserApp A 3 UserApp A is installed 4 UserApp A is running download UserApp B 5 UserApp B is installed then running The UserApp A and UserApp B bina...

Страница 47: ...ion is disabled on all Flash pages PCROP protection is disabled a BFB2 bit disabled Chip is erased b Option bytes setting can differ from one STM32 Series to another as illustrated in Figure 18 Figure...

Страница 48: ...62 Rev 6 Option bytes setting is verified by means of the STM32CubeProgrammer through the following four steps 1 Connection Menu Target Connect with Under reset mode selected refer to Figure 19 Figure...

Страница 49: ...grammer Option bytes screen is specific to the STM32 microcontroller series 3 Erase chip Menu Target Erase Chip Figure 21 STM32CubeProgrammer erasing 4 Disconnect Menu Target Disconnect 8 2 Applicatio...

Страница 50: ...s a a Power cycle the board after flashing SBSFU unplug plug the USB cable b The SBSFU application starts and configures the security mechanisms in development mode In product mode security mechanisms...

Страница 51: ...etup menus Figure 22 illustrates the General setup and Serial port setup menus Figure 23 Tera Term setup screen A configuration is saved using Menu Setup Save Setup Caution After each plug unplug of t...

Страница 52: ...no download request the application checks the status of the user firmware Since the board was erased no firmware is available The application cannot jump to firmware and goes back to check if there i...

Страница 53: ...lected the Ymodem transfer starts Transfer progress is reported as shown in Figure 26 Figure 26 SBSFU encrypted firmware transfer in progress The progress gauge stalls for a short time at the beginnin...

Страница 54: ...d firmware transfer The system status that is printed as shown in Figure 27 consequently provides the following information There is no firmware to download The firmware is detected as encrypted The u...

Страница 55: ...strated in Figure 28 and further described from Section 8 5 1 to Section 8 5 3 Figure 28 User application execution 8 5 1 Download a new firmware image The download of a new firmware image is performe...

Страница 56: ...Step by step execution UM2262 56 94 UM2262 Rev 6 Figure 29 Encrypted firmware download via user application...

Страница 57: ...r trying to access the PCROP region protecting the keys WRP test 4 Causes an error trying to erase write protected code IWDG test 5 Causes a reset simulating a deadlock by not refreshing the watchdog...

Страница 58: ...g the status of the user firmware This error is reached when the Flash state does not allow determining the firmware status generic error Decrypt user FW error Not used in the current example code Thi...

Страница 59: ...not be reached as a signature issue would be captured at decrypt stage reporting Decrypt failure Incorrect binary format not encrypted Error encountered during an installation procedure the binary pr...

Страница 60: ...ine initialization function Secure Encryption functions with OEM key Secure read write access to firmware image Information Secure service to lock some functions in Secure Engine Note Functionalities...

Страница 61: ...res to have multiple functions protected by the firewall and called from unprotected code outside it e g encrypt and decrypt functions a way to select which of the internal functions to execute is nee...

Страница 62: ...ernal ReadKey function that moves the keys into the protected section of SRAM1 and then use them in the cryptographic operations Figure 32 Secure Engine call gate mechanism A 1 2 SE interface Code pro...

Страница 63: ...ns if not locked via the Secure Engine lock service in a secure way using the services provided by SE A 2 MPU based Secure Engine Isolation A 2 1 Principle The MPU based Secure Engine isolation relies...

Страница 64: ...ction A 1 2 SE interface keeping in mind that MPU protection replaces the Firewall protection It abstracts the request to get the privileged level of software execution this request consists in trigge...

Страница 65: ...aces the Firewall protection the constraints for the placement of the call gate code are only the MPU region constraints the call gate must be located in the privileged code region When the Secure Eng...

Страница 66: ...code can program these peripherals For instance in the X CUBE SBSFU example for 32F413HDISCOVERY an MPU region covers the DMA registers to make sure it is not possible to program these peripherals in...

Страница 67: ...rding to the maximum possible partial image Swap region This is a Flash area used to swap the content of Slot 0 and Slot 1 Nevertheless this area is not a buffer used for each and every swap of Flash...

Страница 68: ...Dual image handling UM2262 68 94 UM2262 Rev 6 Figure 37 Internal user Flash mapping example of the NUCLEO L476RG with 512 byte headers...

Страница 69: ...Figure 38 shows how to find information such as slot size and SBSFU code size in the NUCLEO L476RG example To start the application SBSFU initializes the SP register with the user application stack p...

Страница 70: ...ge the local download procedure is the only way to update the active user code C 1 Elements and roles Slot 0 This slot contains the active firmware firmware header firmware This is the user applicatio...

Страница 71: ...ic scheme selected with the SECBOOT_CRYPTO_SCHEME compiler switch Table 8 Cryptographic scheme list SECBOOT_CRYPTO_SCHEME value Authentication Confidentiality Integrity SECBOOT_ECCDSA_WITH_AES128_CBC_...

Страница 72: ...ric encryption schemes These schemes SECBOOT_ECCDSA_WITH_AES128_CBC_SHA256 SECBOOT_ECCDSA_WITH_AES128_CTR_SHA256 SECBOOT_ECCDSA_WITHOUT_ENCRYPT_SHA256 are implemented for firmware decryption and verif...

Страница 73: ...handling 93 D 3 Symmetric verification and encryption scheme This scheme SECBOOT_AES128_GCM_AES128_GCM_AES128_GCM is implemented for firmware decryption and verification as illustrated in Figure 40 F...

Страница 74: ...e 41 Figure 41 X509 asymmetric verification The X509 certificate based asymmetric scheme makes use of a chain of X509 certificates to deliver the public key used to verify the firmware header signatur...

Страница 75: ...use the public key contained in the leaf certificate the certificate chain is first verified by the SBSFU code to ensure that the delivered firmware signing public key is authentic Once the certificat...

Страница 76: ...6 D 5 Secure Boot and Secure Firmware Update flow Figure 43 and Figure 44 indicate how the cryptographic operations asymmetric cryptographic scheme with FW encryption are integrated in the SBSFU exec...

Страница 77: ...UM2262 Rev 6 77 94 UM2262 Cryptographic schemes handling 93 Figure 44 SBSFU single image boot flows...

Страница 78: ...to Appendix F and Appendix G for KMS and STSAFE A specificities E 1 Tool location The Python scripts as well as the Windows executable are located in the Secure Engine component in folder Middlewares...

Страница 79: ...er and FW image are already correctly installed It is not needed to use the SBSFU application for installing the UserApp For STM32 devices with OTFDEC support and external Flash two separate binary fi...

Страница 80: ...partial image contains only the binary portion of the new firmware image to install versus the active firmware image Partial image usage presents various benefits Smaller firmware image to download r...

Страница 81: ...age and only the object ID is returned to the application An updatable key with static ID can be updated in the NVM storage via a secure update procedure using static embedded root keys authenticity c...

Страница 82: ...red in a section under PCROP protection but inside the KMS code running in the secure enclave as shown in Figure 47 During SECoreBin compilation stage prebuild bat updates SBSFU static embedded keys i...

Страница 83: ...orage F 3 UserApp menu A specific menu is added providing examples using KMS services exported services through a standard PKCS 11 interface AES GCM CBC encryption decryption RSA signature verificatio...

Страница 84: ...used to encrypt I2 C communication between STM32 and STSAFE A100 in order to establish a secure communication channel To combine an STSAFE A100 with an STM32 for an SBSFU application cryptographic sch...

Страница 85: ...t STSAFE A100 Pairing keys must be provisioned inside the STSAFE A100 to be able to communicate securely with an STM32 component Root CA Cert and OEM CA Cert must be provisioned inside the STSAFE A100...

Страница 86: ...CC key pair and certificate signed by the RootCA GEN_SBSFU_SAMPLE_INTER2_CA_ECC_NIST_P256 bat generates Second Intermediate CA OEM Divisional CA ECC key pair and certificate signed by the OEM CA GEN_S...

Страница 87: ...U Expansion Package is used refer to Appendix E Firmware image preparation tool for more details IDE pre build script is used to insert pairing keys inside the SBSFU code IDE post build script is used...

Страница 88: ...the air download capability Bluetooth Low Energy protocol for STM32WB Series Figure 53 outlines the additional step 0 in order to compile then integrate the Loader into SBSFU during the compilation pr...

Страница 89: ...FU application execution To mitigate this risk the switch SFU_SECURE_USER_PROTECT_ENABLE is enabled only after the development phase with the activation of the SFU_FINAL_SECURE_LOCK_ENABLE switch Figu...

Страница 90: ...memory size than what it is available in internal Flash memory OTFDEC write only key registers are configured by Secure Engine protected enclave before starting user application as illustrated in Figu...

Страница 91: ...security as other STM32 microcontrollers the header of Slot 0 must not be accessible during user application execution For this reason the header of Slot 0 is stored into the internal Flash in order t...

Страница 92: ...ingle image mode Extended support of the STM32L4 Series Updated all chapters Updated Appendix A Secure Engine protected environment and Appendix B Dual image handling Added Appendix C Single image han...

Страница 93: ...cities Removed Appendix SBSFU application state machine 4 Feb 2020 6 Added AES CTR encryption of external Flash for the microcontrollers supporting OTFDEC processing Added I 2 JTAG connection for STM3...

Страница 94: ...lection and use of ST products and ST assumes no liability for application assistance or the design of Purchasers products No license express or implied to any intellectual property right is granted b...

Отзывы:

Нет отзывов