Table of Contents
Advertisement
Quick Links
Introduction
This application note presents the basics of security in STM32 microcontrollers.
Security in microcontrollers encompasses several aspects including protection of firmware intellectual property, protection of
private data in the device, and guarantee of a service execution.
The context of IoT has made security even more important. The huge number of connected devices makes them an attractive
target for attackers and several remote attacks have shown the vulnerabilities of device communication channels. With IoT,
the security extends the requirements for confidentiality and authentication to communication channels, which often require
encryption.
This document is intended to help the building of a secure system by applying countermeasures to different types of attack.
In the first part, after a quick overview of different types of threats, examples of typical attacks are presented to show how
attackers exploit the different vulnerabilities in an embedded system.
The subsequent sections focus on the set of hardware and software protections that defend the system from these attacks.
The last sections list all security features available in the STM32 Series, and guidelines are given to build a secure system.
Type
STM32C0 Series, STM32F0 Series, STM32F1 Series, STM32F2 Series, STM32F3 Series, STM32F4 Series,
STM32F7 Series, STM32G0 Series, STM32G4 Series, STM32H5 Series, STM32H7 Series, STM32L0 Series,
Microcontrollers
STM32L1 Series, STM32L4 Series, STM32L4+ Series, STM32L5 Series, STM32U5 Series, STM32WB Series,
STM32WL Series
AN5156 - Rev 8 - March 2023
For further information contact your local STMicroelectronics sales office.
Introduction to STM32 microcontrollers security
Table 1.
Applicable products
Product series
AN5156
Application note
www.st.com
Advertisement
Table of Contents
Subscribe to Our Youtube Channel
Related Manuals for ST STM32C0 Series
Summary of Contents for ST STM32C0 Series
- Page 1 Applicable products Type Product series STM32C0 Series, STM32F0 Series, STM32F1 Series, STM32F2 Series, STM32F3 Series, STM32F4 Series, STM32F7 Series, STM32G0 Series, STM32G4 Series, STM32H5 Series, STM32H7 Series, STM32L0 Series, Microcontrollers STM32L1 Series, STM32L4 Series, STM32L4+ Series, STM32L5 Series, STM32U5 Series, STM32WB Series,...
-
Page 2: General Information
AN5156 General information General information ® ® This document applies to STM32 Arm Cortex -core based microcontrollers. Note: Arm is a registered trademark of Arm limited (or its subsidiaries) in the US and/or elsewhere. The table below presents a nonexhaustive list of the acronyms used in this document and their definitions. Table 2. - Page 3 AN5156 General information Term Definition Power control Read only memory–system flash memory in STM32 Root of trust Read protection Root secure services Real-time clock Security attribution unit Secure boot Side channel attack SDRAM Synchronous dynamic random access memory SECDED ECC mode of operation: single error correct, double error detect Secure firmware installation Secure firmware update Simple power analysis...
- Page 4 -M3 programming manual (PM0056) ® • Cortex -M0+ programming manual for STM32L0, STM32G0, STM32WL, and STM32WB series (PM0223) Refer to the following set of user manuals and application notes (available on www.st.com) for detailed description of security features: Ref. Title Comment...
-
Page 5: Overview
AN5156 Overview Overview Security purpose Why protection is needed Security in microcontrollers means protecting embedded firmware, data, and the system functionality. The need for data protection is greatest in the case of cryptographic keys or personal data. The firmware code is also an important asset. If an attacker gains access to the binary, they can reverse-engineer the program in an attempt to find further vulnerabilities, bypass licensing and software restrictions. -
Page 6: Table 3. Assets To Be Protected
AN5156 Security purpose What must be protected Security cannot be limited to a certain target or asset. It is difficult to protect data if the code binary is exposed. Both the attacks and the protection mechanisms often do not make difference. However it is still useful to summarize the assets and risks. -
Page 7: Attack Types
AN5156 Attack types Attack types This section presents the different types of attack that a microcontroller may have to face, from the most basic ones to very sophisticated and expensive ones. The last part presents typical examples of attacks targeting an IoT system. -
Page 8: Software Attacks
AN5156 Software attacks The table below gives an overview of the cost and techniques used for each type of attack. Table 4. Attacks types and costs Attacks Software Hardware non–invasive Hardware invasive types Scope Remote or local Local board and device level Local device level Software bugs Debug port... -
Page 9: Hardware Attacks
AN5156 Hardware attacks Malware injection There are various methods to inject a piece of code inside the system. The size of the malware depends on the target but may be very small (few tens of bytes). To be executed, the malware must be injected in the device memory (RAM or flash memory). -
Page 10: Non-Invasive Attacks
If a highest protection level is required, consider pairing a secure element with the general-purpose microcontroller. Secure elements are dedicated microcontrollers certified as per the latest security standards with specific hardware. Refer to ST secure microcontrollers web page. 3.3.1 Non-invasive attacks Non-invasive, or board-level attacks try to bypass the protection without physical damage (device kept functional). -
Page 11: Silicon Invasive Attacks
Several ST microcontrollers dedicated to security offer robustness against such kind of treatments. These are not part of the STM32 family and are out of scope of this document. Refer to ST secure hardware platforms (www.st.com/en/secure-mcus.html). -
Page 12: Iot System Attack Examples
AN5156 IoT system attack examples Reading the data When using the electron microscope, the data, represented by an electric charge, becomes visible. It is possible to read the whole device memory. Micro probing and internal fault injection Micro probing consists in interacting with the device at metal layer level. Thin electrodes are used to establish an electrical contact directly with the surface of the device so that the attacker can observe, manipulate, and interfere with it while the device is running. -
Page 13: List Of Attack Targets
AN5156 List of attack targets List of attack targets The following sections list the possible attack targets. Initial provisioning The cryptographic data for root of trust for the chain of security must be injected to the SoC in a controlled trusted way. - Page 14 AN5156 List of attack targets Communication interfaces Serial interfaces (such as SPI, I2C or USART) are used either by the bootloader or by applications to exchange data and/or commands with the device. The interception of a communication allows an attacker to use the interface as a device entry point.
- Page 15 AN5156 List of attack targets SRAM The SRAM is the device running memory. It embeds runtime buffers and variables (such as stack or heap) and can embed firmware and keys. While in the non-volatile memory, the secrets may be stored as encrypted, when loaded to the SRAM, they need to be present in plain view to be used.
-
Page 16: Device Protections
AN5156 Device protections Device protections Security protections described in this section are controlled by hardware mechanisms. They are set either by configuring the device through option bytes, or dynamically by hardware component settings: • Memory protection: main security feature, used to protect code and data from internal (software) and external attacks •... -
Page 17: Dual-Core Architecture
AN5156 Dual-core architecture Secure modes are orthogonal to the existing modes, Thread and Handler. Thus, there can be a Thread or Handler mode in each secure mode (see the figure below). Figure 3. Armv8-M TrustZone® execution modes Arm TrustZone system security Armv8-M Armv6-M/Armv7-M Secure... -
Page 18: Memory Protections
. Internal Cannot be updated (erase/written). System flash ROM part of the flash memory. Embeds device . NVM memory bootloader and other ST services. A part may also be unreadable. . ROM Internal protections: . Internal User flash memory Flash memory for user application •... -
Page 19: System Flash Memory
In STM32 MCUs, the system memory is a read-only part (ROM) of the embedded flash memory. It is dedicated to the ST bootloader. Some devices include additional secure services (RSS) in this area. This part cannot be modified to guarantee its authenticity and integrity. The bootloader is readable since it does not contain any sensitive algorithm. -
Page 20: External Flash Memories
AN5156 Memory protections Code execution The part of the firmware that requires faster performances can be downloaded from the user or the external flash memory, and executed from the SRAM. Another reason to execute code from the SRAM is when using encrypted external flash memory on devices without on-the-fly decryption: the code is decrypted inside the SRAM before its execution. -
Page 21: Stm32 Memory Protections
AN5156 Software isolation 4.4.5 STM32 memory protections Several STM32 features are available to cover the various cases considered. They are listed in the table below with their respective scope, and described in Section 6 STM32 security features. Table 6. Scope of STM32 embedded memory protection features External attack Internal attack Feature... -
Page 22: Boot Protection
AN5156 Boot protection Other serial interfaces can also be used. If the bootloader is available, the device content can be accessed through I2C, SPI, USART, or USB‑DFU. If the interface is open during the runtime, the application transfer protocol must limit its access capabilities (such as operation mode or address access range). Associated STM32 features: •... -
Page 23: Secure Applications
Note: • The document provides an implementation example of SB and SFU (www.st.com/en/product/ ‑ cube ‑ sbsfu). • The user manual 'Getting started with STM32CubeL5 TF-M application' (UM2671) describes an example of TF-M implementation with the STM32L5 Series MCU. -
Page 24: Secure Firmware Update (Sfu)
AN5156 STMicroelectronics proprietary SBSFU solution SB main functionalities: • Check the STM32 security configuration and set up runtime protections. • Assert the integrity and authenticity of the user application images that are executed (see the figure below). Figure 6. Secure boot FSM Reset Check device security configuration (option bytes) Secure boot... -
Page 25: Configurations
5.3.3 Configurations The ST proprietary SBSFU is very configurable. The most important configuration option is the choice to use a single or dual image handling of application code. Each has a separate example. Single image leaves more space for application code. Two or more images add some advanced features to the image handling. -
Page 26: Product Certifications
AN5156 Product certifications Table 8. Basic feature differences of TrustZone-based secure software Feature SBSFU for TrustZone® TF-M RoT services Immutable RoT Immutable RoT + updatable RoT Cryptographic key management Static keys only Key storage hierarchy with HUK root key Secure storage Absent Internal and external NV counter... -
Page 27: Stm32 Security Features
AN5156 STM32 security features STM32 security features This section presents all the STM32 features that can be gathered to meet the different security concepts presented in previous sections, and to achieve a high level of security. Overview of security features 6.1.1 Static and dynamic protections A distinction can be made depending on whether protection features are static or dynamic:... -
Page 28: Table 10. Security Features For Stm32L0/1/4/4+, Stm32Wb, Stm32Wl Devices
AN5156 Overview of security features Feature STM32C0 STM32F0 STM32F1 STM32F2 STM32F3 STM32F4 STM32G0 STM32G4 SP800‑90‑A SP800‑90‑A SBSFU TF-M 1. Only XL density devices feature the MPU. 2. MPU is not universally supported in STM32F3 series. Refer to the product datasheet to confirm availability. 3. -
Page 29: Readout Protection (Rdp)
AN5156 Readout protection (RDP) Table 11. Security features for STM32L5, STM32U5, STM32H503/5, STM32H72x/73/74x/75, STM32H7Ax/7Bx, STM32F7 devices STM32 STM32 STM32 STM32 Feature STM32L5 STM32U5 STM32H5 STM32F7 H503 H72x/73 H74x/75 H7Ax/7Bx Cortex core Cortex‑M33 Cortex‑M7 RDP four RDP four Backup Backup Backup levels, levels, SRAM,... -
Page 30: Figure 8. Example Of Rdp Protections (Stm32L4 Series)
AN5156 Readout protection (RDP) Depending on the STM32 device, additional protections are available, including: • backup registers for real-time clock (RTC) • backup SRAM • Nonvolatile memories Figure 8. Example of RDP protections (STM32L4 series) Debug port FLASH FLASH FLASH SRAM1 SRAM SRAM... -
Page 31: Lifecycle Management-Product State
AN5156 Lifecycle management–product state Internal flash memory content updating on an RDP protected STM32 MCU In RDP level 1 or 2, the flash memory content can no longer be modified with an external access (bootloader or booting from SRAM). However, modifications by an internal application are always possible. -
Page 32: One-Time Programmable (Otp)
AN5156 One-time programmable (OTP) The new lifecycle management defines a set of permitted states, and the possible transition between them, just as in the case of the RDP, but there are more states defined for the following: • Provision with immutable root of trust code. •... -
Page 33: Core State
AN5156 TrustZone® Figure 9. TrustZone® implementation at system level Armv8-M Cortex-M33 AHB master SAU/MPU AHB5 MPCBB AHB peripherals Secure watermarks and GTZC block based MPCWM AHB/APB Flash bridge memory Internal External peripheral SRAM memory TrustZone specific implementation 6.5.1 Core state The core state depends on the region of the current running code. -
Page 34: Memory And Peripheral Protections
AN5156 Flash memory write protection (WRP) 6.5.3 Memory and peripheral protections The SAU defines the transaction security attribute, and the bus infrastructure propagates this attribute towards the targets. The targets (memories and peripherals) are protected by hardware mechanisms that filter the access depending on the secure and privileged attributes. -
Page 35: Secure Hide Protection (Hdp)
AN5156 Secure hide protection (HDP) Secure hide protection (HDP) Some STM32 devices support the HDP memory concept. The HDP, named secure hide protection on STM32L5 devices, is also known as secure user memory on STM32H7 devices, or securable memory on STM32G0 devices. -
Page 36: Figure 11. Firewall Fsm
AN5156 Firewall Call gate mechanism The firewall is opened by calling a 'call-gate' mechanism: a single entry point that must be used to open the gate, and to execute the code protected by the firewall. If the protected code is accessed without passing through the call gate mechanism, then a system reset is generated. -
Page 37: Memory Protection Unit (Mpu)
AN5156 Memory protection unit (MPU) When to use the firewall The firewall protects both code and data. The protected code can always be called as long as a call gate mechanism is respected. Note: A firewall is available on STM32L0 and STM32L4 devices only. Refer to the application note AN4730 for more details. -
Page 38: Customer Key Storage (Cks)
AN5156 Customer key storage (CKS) Secure process isolation strategy At reset, the privileged mode is the default one for any process. The SB application is then executed in privileged mode. The idea is to isolate secure processes (such as SB, OS kernel, key manager, or SFU) from unsecured or untrusted processes (user applications). -
Page 39: Antitamper (Tamp)/Backup Registers (Bkp)
AN5156 Antitamper (TAMP)/backup registers (BKP) 6.12 Antitamper (TAMP)/backup registers (BKP) The antitamper is a system level protection, used to detect physical tampering attempts on the system. An external tamper event is detected by a level transition on dedicated device pins. Internal tamper sensors can check voltage, temperature, or clock. -
Page 40: Independent Watchdog (Iwdg)
CryptoLib software library The STM32 X-CUBE-CRYPTOLIB software library runs on all STM32 devices. It is available for free download at www.st.com/en/product/x-cube-cryptolib. The version V4 is available with full firmware implementation, compiled for Cortex‑M0, Cortex‑M0+, Cortex‑M3, Cortex‑M33, Cortex‑M4, and Cortex‑M7. AN5156 - Rev 8... -
Page 41: On-The-Fly Decryption Engine (Otfdec)
AN5156 On-the-fly decryption engine (OTFDEC) The X-CUBE-CRYPTOLIB supports the following algorithms: • DES, 3DES with ECB and CBC • AES with ECB, CBC, OFB, CCM, GCM, CMAC, KEY wrap, XTS • Hash functions: MD5, SHA-1, SHA-224, SHA-256, SHA-384, SHA-512 • Other: ARC4, ChaCha20, Poly1305, Chacha20-Poly1305 •... -
Page 42: Guidelines
AN5156 Guidelines Guidelines Secure systems can take advantage of many security supporting hardware feature. Some are useful for any system, and need little change in the application code to be activated and fully functional. It is the case of the RDP feature, that prevents basic access to the flash memory by disabling the debug port. - Page 43 • Use or implement secure communication stacks relying on cryptography for confidentiality and authentication (such as TLS for Ethernet). 4.2 Use the ST AES/DES/SHA cryptographic functions with STM32 devices. • Use only official software implementation by ST with STM32 X-CUBE-CRYPTOLIB.
-
Page 44: Conclusion
AN5156 Conclusion Conclusion No system can be made secure by simply enabling security features in the hardware. Security must be rooted in the architecture of the complete solution. The threats must be identified, the countermeasures correctly designed and implemented in synergy with other security features. -
Page 45: Appendix A Cryptography - Main Concepts
AN5156 Cryptography - Main concepts Appendix A Cryptography - Main concepts Integrity, authentication, and confidentiality The objectives of cryptography are threefold: • Confidentiality: protection of sensitive data against unauthorized read accesses • Authentication: guarantee of the message sender identity • Integrity: detection of any message corruption during transmission To meet these objectives, all secure data flows rely on more or less complex combinations of the below algorithms:... -
Page 46: Public Key Algorithms (Pka)
AN5156 Public key algorithms (PKA) Public key algorithms (PKA) This class of algorithms is based on a pair of keys. One key, the private one, is never exchanged with any remote system, while the other key, the public one, can be shared with any party. The relationship between both keys is asymmetric (asymmetric cryptography): •... -
Page 47: Hash Algorithms
AN5156 Hash algorithms Hash algorithms Hash algorithms guarantee the message integrity. They generate a unique fixed-length bitstream from a message called the digest. Any difference in the input message produces a totally different digest. The digest cannot be reversed to retrieve the input message. Hashing can be used independently from message encryption. -
Page 48: Figure 20. Signature Generation With Public Key Algorithm
AN5156 MAC or signature and certificate Figure 20. Signature generation with public key algorithm HASH Message John Doe1 HASH Digest John Doe2 Private Public Signature Signature Signature Certificate A certificate is related to public key algorithms. It authenticates the public key in an asymmetric transfer. It is used to counteract usurpation by an attacker that substitutes the right public key by his own key. -
Page 49: Revision History
AN5156 Revision history Table 16. Document revision history Date Version Changes 17-Oct-2018 Initial release. Updated: • Table 1. Applicable products • Section 1 General information • Table 11. Security features for STM32H7, STM32G0, STM32G4 and STM32WB Series 25-Feb-2019 • Figure 9. Example of RDP protections (STM32L4 Series) •... -
Page 50: Table 5. Memory Types And Associated Protection
Random number generation and Communication eavesdrop in Section 3.5 List of attack targets • New Section 4.1 Configuration protection 13-Jan-2023 • Introduction of Section 5.2 ST proprietary SBSFU solution • New Section 5.2.3 Configurations • Section 5.3 Arm TF-M solution •... - Page 51 AN5156 Date Version Changes • Section 6.18 Cryptography • Section 7 Guidelines • Section 8 Conclusion Added: • Section 5.1 Secure firmware install (SFI) AN5156 - Rev 8 page 51/56...
-
Page 52: Table Of Contents
AN5156 Contents Contents General information ............. . . 2 Overview . - Page 53 AN5156 Contents STM32 security features ............27 Overview of security features .
- Page 54 AN5156 List of tables List of tables Table 1. Applicable products ..............1 Table 2.
- Page 55 AN5156 List of figures List of figures Figure 1. Corrupted connected device threat ............5 Figure 2.
- Page 56 ST’s terms and conditions of sale in place at the time of order acknowledgment. Purchasers are solely responsible for the choice, selection, and use of ST products and ST assumes no liability for application assistance or the design of purchasers’...
Need help?
Do you have a question about the STM32C0 Series and is the answer not in the manual?
Questions and answers