Modes Of Operation (Agd_Ope.1.5C) - ST STM32U585 Series User Manual

• The integrator must protect the integrity of the immutable part of the TOE (TFM_SBSFU_Boot application)
until it is programmed and well protected inside the TOE of each device.
• The persons responsible for the application of the procedures described in
procedures, and the persons involved in the delivery and protection of the product must have the required
skills and must be aware of the security issues.
• In the case that any part of the preparative procedures of the TOE or any part of the preparative procedures
of the integrated IoT solution is executed by a party other than the integrator, the integrator must guarantee
that sufficient guidance is provided to this party.
To achieve TOE_PERSONALIZATION, the following measures must be taken:
• As described in section
and privileges
private key). It is recommended that the integrator puts in place a system (a database for instance) ensuring
new unique data generation. HUK is hidden in hardware and is unique per chip, there is no need for the
integrator to provision it.
• The integrator must protect the integrity of all the TOE personalization data until they are provisioned and
well protected inside the TOE of each device. Moreover, the integrator must protect the confidentiality of the
private cryptographic keys that are included in the TOE personalization data.
• Once TOE immutable data are generated for a new product, the integrator must program them in the
right format at the location and must protect them (write protection and security protection) as described in
Section 3.3 Secure
4.2.5

Modes of operation (AGD_OPE.1.5C)

The TOE operates after product reset by executing the TOE immutable TFM_SBSFU_Boot application, the only
interfaces are the Flash memory slots where new images can be downloaded (non‑secure application and the
‑ secure image secondary slots). In case a new image to install is available then TOE verifies it and installs
non
it. In case there is no new image to be installed, TOE verifies the installed images from a former secure or
non‑secure application. If the installed images are valid then the TOE immutable TFM_SBSFU_Boot application
starts the secure application of the TOE. Once the secure application is correctly initialized, the secure application
starts the non-secure application. The non-secure application uses the PSA APIs exported by the TOE to securely
enter the TOE to execute secure services.
In case there are no valid images, which means a valid secure image or a valid non-secure image installed and
no new images in the secure image secondary slot or the non
TOE jumps to the standalone external loader application. This standalone external loader application can be used
to download new images in the non
In case STM32U585xx option bytes values are not correctly configured to ensure the TOE security, the TOE
secure boot procedure after reset detects the problem blocks the TOE secure boot procedure execution and
generates a reset. To unlock the product, STM32U585xx option bytes must be programmed to the expected
configuration in case the RDP Level is still 0. They must be completely re-programmed (after doing an RDP
regression to level 1 by injecting OEM2 password, then RDP regression to level 0, that fully erases the
STM32U585xx Flash memories) in case RDP Level is 2 for the TOE, follow the preparation procedure as
described in Section 3.3 Secure
In case TOE detects any violation, as described in
TOE generates a reset.
UM2852 - Rev 1
TOE specific information personalization
(AGD_OPE.1.1C), some TOE immutable data are unique per product (EAT public key, EAT
installation.
‑ secure image secondary slot or the secure image secondary slot.
installation.
Operational guidance for the integrator role
of Section 4.2.1 User‑accessible functions
‑ secure image secondary slot to be installed, the
Section 4.2.3 Security-relevant events
UM2852
Section 3 Preparative
(AGD_OPE.1.4C), the
page 22/27