Modes Of Operation (Agd_Ope.1.5C) - ST STM32CubeL5 User Manual

TFM security guidance for SESIP profile for Arm PSA Level 2 chip

UM2745 - Rev 1
Operational guidance for the role integrator

TOE specific information personalization

In order to achieve TOE_PERSONALIZATION, the following measures shall be taken:

As described in Section 4.2.1 User-accessible functions and privileges (AGD_OPE.1.1C), some TOE immutable data are unique per product (EAT public key, EAT private key and HUK). It is recommended that the integrator put in place a system (a database, for instance) ensuring new unique data generation.

The integrator shall protect the integrity of all the TOE personalization data until they are provisioned and well protected inside the TOE of each device. Moreover, the integrator shall protect the confidentiality of the private cryptographic keys that are included in the TOE personalization data.

Once TOE immutable data are generated for a new product, the integrator shall program them in the right format at the location and shall protect them (write protection and security protection) as described in Section 3.3.3 SW programing into STM32L5 chip internal Flash memory.

4.2.5 Modes of operation (AGD_OPE.1.5C)

The TOE operates after product reset by executing the TOE immutable TFM_SBSFU application. The only interfaces are the Flash memory slots where new images can be downloaded (the Secure Image secondary slot and the Non-Secure Image secondary slot). If a new image to install is available, the TOE verifies it and installs it. If there is no new image to be installed, the TOE verifies the installed images (the secure application and the non-secure application). If the installed images are valid, the TOE immutable TFM_SBSFU application starts the secure application of the TOE. Once the secure application is correctly initialized, it starts the non-secure application. The non-secure application uses the PSA APIs exported by the TOE to securely enter the TOE in order to execute secure services.

If there are no valid images installed (i.e. a valid secure image and a valid non-secure image) and no new images to be installed in the Secure Image secondary slot and/or the Non-Secure Image secondary slot, the TOE is blocked in an infinite loop in the secure domain. The only way to unblock the product is to do an RDP regression (which erases all Flash memory content) if the TOE is configured in RDP Level 1, and then to reconfigure it with valid images.

If the STM32L5 Option Bytes values are not correctly configured to ensure the TOE security, the TOE secure boot procedure after reset detects the problem and blocks its own execution. To unlock the product, the STM32L5 Option Bytes shall be completely re-programmed (after doing an RDP regression that fully erases the STM32L5 Flash memories, in case the RDP Level 1 configuration is used for the TOE), following the preparation procedure described in Section 3.3 Secure installation.

If the TOE detects any violation, as described in Section 4.2.3 Security-relevant events (AGD_OPE.1.4C), the TOE either generates a reset or runs an infinite loop, blocking the product until the next product reset.
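
The personalization guidance above recommends a system, such as a database, that ensures each product receives new unique data and that the data stay intact until provisioned. One way to build such a registry is shown here as an added example, not code from UM2745 or ST: the table layout, function names, serial numbers and the 32-byte HUK length are assumptions, and key generation itself is out of scope.

```python
import hashlib
import hmac
import sqlite3

HUK_LEN = 32  # assumption: 256-bit HUK; use the length your TOE build defines


def open_registry(path=":memory:"):
    """Open the registry; UNIQUE constraints reject any reused value."""
    db = sqlite3.connect(path)
    db.execute(
        "CREATE TABLE IF NOT EXISTS device ("
        " serial TEXT PRIMARY KEY,"
        " huk_fp TEXT NOT NULL UNIQUE,"
        " eat_pub_fp TEXT NOT NULL UNIQUE,"
        " record_sha256 TEXT NOT NULL)"
    )
    return db


def fingerprint(label, data):
    # Labelled SHA-256: the registry stores fingerprints, never the secrets.
    return hashlib.sha256(label + b"\x00" + data).hexdigest()


def record_digest(huk, eat_pub, eat_priv):
    # Hash of fixed-length fingerprints, so field boundaries are unambiguous.
    parts = (fingerprint(b"huk", huk), fingerprint(b"eat-pub", eat_pub),
             fingerprint(b"eat-priv", eat_priv))
    return hashlib.sha256("".join(parts).encode()).hexdigest()


def register(db, serial, huk, eat_pub, eat_priv):
    """Record one device's data; return False if any value was used before."""
    if len(huk) != HUK_LEN:
        raise ValueError("unexpected HUK length")
    row = (serial, fingerprint(b"huk", huk), fingerprint(b"eat-pub", eat_pub),
           record_digest(huk, eat_pub, eat_priv))
    try:
        with db:  # commits on success, rolls back on error
            db.execute("INSERT INTO device VALUES (?, ?, ?, ?)", row)
    except sqlite3.IntegrityError:
        return False
    return True


def intact(db, serial, huk, eat_pub, eat_priv):
    """Just before programming: does the data still match what was registered?"""
    row = db.execute(
        "SELECT record_sha256 FROM device WHERE serial = ?", (serial,)
    ).fetchone()
    expected = record_digest(huk, eat_pub, eat_priv)
    return row is not None and hmac.compare_digest(row[0], expected)
```

The digest check only detects changes to the key material, so the registry file itself needs its own integrity and access protection. The private key and HUK still need confidential storage outside this database.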
