Stm32 Memory Protections; Software Isolation; Debug Port And Other Interface Protection - ST STM32C0 Series Application Note

4.4.5

STM32 memory protections

Several STM32 features are available to cover the various cases considered. They are listed in the table below
with their respective scope, and described in
Feature
RDP
Firewall
MPU
PCROP (1)
(2)
WRP
HDP
TrustZone®
1. Support of this feature in Armv6-M products is limited as constant data cannot be stored in NVM.
2. Write protection can be unset when RDP level ≠ 2.
3. The SRAM is protected by a secure area only at secure code execution. It must be cleaned before leaving the secure area.
4.5

Software isolation

The software isolation refers to a runtime mechanism protecting different processes from each other (interprocess
protection). These processes can be executed sequentially or concurrently (for example tasks of operating
system). The software isolation in the SRAM ensures that respective stack and working data of each process
cannot be accessed by the other processes. This interprocess protection can be extended to the code in the flash
memory and nonvolatile data as well.
Goals of the software isolation:
• Prevent a process to spy the execution of another sensitive process.
• Protect a process execution against a stack corruption due to memory leaks or overflow (incorrect memory
management implementation).
This memory protection can be achieved through different mechanisms listed in the table below, and detailed
in Section 6 STM32 security features
Protection
MPU
Firewall
Secure hide protection
Dual core
TrustZone®/Security attribute
1. The attribute protection is only for CPU access and is not taken into account for other bus master (such as DMA).
2. Reading the CPUID indicates which CPU is currently executing code. An example can be found in the
HAL_GetCurrentCPUID function.
4.6

Debug port and other interface protection

The debug ports provide access to the internal resources (core, memories, and registers) and must be disabled
in the final device. It is the most basic external attack that is easily avoided by deactivating JTAG (or SWD) ports
by a secure and immutable firmware (refer to
disabling the functionality (JTAG fuse in RDP2).
AN5156 - Rev 8
Section 6 STM32 security
Table 6. Scope of STM32 embedded memory protection features
External attack Internal attack
protection
Yes
No
No
Yes Yes (read/write)
Yes
Yes
Yes
.
Table 7. Software isolation mechanism
Type
Dynamic
Static
Static
Static
Static and dynamic
Section 5.3.1 Secure boot (SB)
features.
Flash memory
protection
No Yes
Yes Yes
Yes Yes
Yes
Yes Yes
Yes Yes
Yes Yes
Isolation
(1)
By privilege attribute
By bus address hardware control
Process preemption at reset
By core ID (2)
By secure attribute propagated from the core to all resources
), or preferably by permanently
AN5156
Software isolation
SRAM
Yes
Yes
Yes
No
No
Yes (for execution) (3)
Yes
page 21/56