Lifecycle Management–Product State; Table 12. RDP Protections - ST STM32C0 Series Application Note


Internal flash memory content updating on an RDP protected STM32 MCU
In RDP level 1 or 2, the flash memory content can no longer be modified with an external access
(bootloader or booting from SRAM). However, modifications by an internal application are always
possible. Practical implementations of such firmware updates are SFU (secure firmware update) and IAP
(in‑application‑programming). See examples in related documents AN4657, AN5056, AN5544, and AN5447 to
learn more.
The table below summarizes the RDP protections.
Table 12. RDP protections

| Area | RDP level | Boot from user flash memory: Read | Boot from user flash memory: Write | Boot from user flash memory: Erase | Debug or boot from SRAM or from bootloader: Read | Debug or boot from SRAM or from bootloader: Write | Debug or boot from SRAM or from bootloader: Erase |
|---|---|---|---|---|---|---|---|
| Flash main memory | 0 | Yes | Yes | Yes | Yes | Yes | Yes |
| Flash main memory | 1 | Yes | Yes | Yes | No | No | No |
| Flash main memory | 2 | Yes | Yes | Yes | N/A | N/A | N/A |
| System memory | 0 | Yes | No | No | Yes | No | No |
| System memory | 1 | Yes | No | No | No | No | No |
| System memory | 2 | Yes | No | No | N/A | N/A | N/A |
| Option bytes | 0 | Yes | Yes | Yes | Yes | Yes | Yes |
| Option bytes | 1 | Yes | Yes | Yes | Yes | Yes | Yes |
| Option bytes | 2 | Yes | No | No | N/A | N/A | N/A |
| Other protected assets (1) | 0 | Yes | Yes | Yes | Yes | Yes | Yes |
| Other protected assets (1) | 1 | Yes | Yes | N/A | No | No | No |
| Other protected assets (1) | 2 | Yes | Yes | N/A | N/A | N/A | N/A |

1. Backup registers/SRAM

When to use the RDP
On a consumer product, the RDP must always be set at least at level 1. This prevents basic attacks through
the debug port or through the bootloader. However, in RDP level 1, there is a risk of denial of service caused by a
flash memory mass erase, following a return to RDP level 0.
The RDP level 2 is mandatory to implement an application with a higher security level (such as immutable code).
The drawback is that the RDP level 2 can prevent a device examination, for instance after a customer return.
The RDP level 0.5 is used to debug a nonsecure application, while protecting contents within secure area
boundaries from debug access. Refer to section 'Development recommendations using TrustZone®' of the
application note Arm® TrustZone® features on STM32L5 and STM32U5 series (AN5347) for more information
about this protection.
Note:
The RDP is available on all STM32 devices, unless superseded by the lifecycle management product state (see
Section 6.3).
6.3 Lifecycle management–product state
The addition of RDP 0.5 into the RDP mechanism used by the STM32 enabled the necessary isolation between
secure and nonsecure development. However, the RDP does not allow going further in the user experience with
the adoption of new development and OEM manufacturing models. The RDP has been replaced by the product
state, a more refined lifecycle management system, on the STM32H5 devices as a pilot project. The product state
is also an answer to the needs of customers requesting a state that is effectively an RDP2 to the outside world
and that allows them to perform a regression in a controlled environment. A similar provision was also added to
the STM32U5 series, but the product state enabled finer control over delegating the debugging rights.
AN5156 - Rev 8
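The RDP level guidance under "When to use the RDP" above can be turned into a production-line or boot-time check. The following C code is an added example, not code from AN5156 or from ST: it decodes an RDP option byte into a level and audits it against a product policy. The byte encodings (0xAA, 0xCC, 0x55) are taken from ST reference manuals in general and must be confirmed for the exact part; all function, type and flag names are hypothetical, and the caller is assumed to have already extracted the RDP byte from the option bytes.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* RDP option-byte encodings as given in ST reference manuals (assumption:
 * confirm for the exact part): 0xAA = level 0, 0xCC = level 2,
 * 0x55 = level 0.5 only when TrustZone is enabled, anything else = level 1. */
typedef enum { RDP_L0, RDP_L0_5, RDP_L1, RDP_L2 } rdp_level_t;

rdp_level_t rdp_decode(uint8_t rdp_byte, bool tz_enabled)
{
    if (rdp_byte == 0xAAu) return RDP_L0;
    if (rdp_byte == 0xCCu) return RDP_L2;
    if (rdp_byte == 0x55u && tz_enabled) return RDP_L0_5;
    return RDP_L1; /* every other value, including a corrupted byte */
}

/* Audit findings (hypothetical flag names), one bit per point from the text. */
#define RDP_ERR_BELOW_L1   (1u << 0) /* consumer product not at level 1 or 2 */
#define RDP_ERR_NOT_L2     (1u << 1) /* immutable code required, not level 2 */
#define RDP_WARN_ERASE_DOS (1u << 2) /* level 1: regression to 0 mass-erases */
#define RDP_WARN_NO_EXAM   (1u << 3) /* level 2: no examination of returns   */

typedef struct { bool consumer_product; bool needs_immutable_code; } rdp_policy_t;

unsigned rdp_audit(rdp_level_t level, const rdp_policy_t *policy)
{
    unsigned findings = 0;
    if (policy->consumer_product && level != RDP_L1 && level != RDP_L2)
        findings |= RDP_ERR_BELOW_L1;
    if (policy->needs_immutable_code && level != RDP_L2)
        findings |= RDP_ERR_NOT_L2;
    if (level == RDP_L1) findings |= RDP_WARN_ERASE_DOS;
    if (level == RDP_L2) findings |= RDP_WARN_NO_EXAM;
    return findings;
}

int main(void)
{
    /* Constructed sample bytes, not read from a real device. */
    const uint8_t samples[] = { 0xAA, 0x55, 0xBB, 0xCC, 0x00 };
    const rdp_policy_t policy = { .consumer_product = true, .needs_immutable_code = false };
    for (size_t i = 0; i < sizeof samples; i++)
        printf("RDP=0x%02X findings=0x%X\n", (unsigned)samples[i],
               rdp_audit(rdp_decode(samples[i], false), &policy));
    return 0;
}
```

Note that the same byte 0x55 decodes to level 1 on a part without TrustZone enabled and to level 0.5 on one with it, so the audit must know which kind of device it is looking at.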