The new lifecycle management defines a set of permitted states, and the possible transitions between them, just
as in the case of the RDP, but there are more states defined for the following:
• Provision with immutable root of trust code.
• Clear separation of nonsecure and secure environment.
• Use certificates for controlled regression.
• Use certificates for temporary debug sessions.
For applications that do not need these new options, there are still product states corresponding to the original
RDP values.
The main available product states are:
• Open: roughly equivalent to RDP 0
• Provisioning: marks an ongoing installation of iRoT
• iRoT-provisioned: roughly comparable to RDP 0.5
• TZ-closed: state in which debugging of nonsecure code is permitted
• Closed: more secure equivalent of RDP1, where the regression is possible only with a valid certificate
• Locked: final state with no possibility of further transition (like RDP2)
6.4 One-time programmable (OTP)
The OTP is a dedicated, isolated area in the flash memory, which can only be written to or locked, preventing
any further modification. It is usually a smaller area compared to the size of the user flash memory.
This feature is very useful for lifecycle management, provisioning, personalization, or configuration. Once the OTP
is written, there is no method of erasing data without physically damaging the device. No restriction is implicitly
put on reading written data.
Note: The OTP is available on most STM32 devices (refer to Section 2 Overview for more details).
6.5 TrustZone®
This section describes the main features of the TrustZone® architecture. For further information, refer to the
application note Arm® TrustZone® features on STM32L5 and STM32U5 series (AN5347), and to the device
reference manual.
The Armv8-M TrustZone® architecture defines two domains at system level: secure and nonsecure. The full
memory-map space is split into secure and nonsecure areas. This includes all memory types (flash memory,
SRAM, and external memories), as well as all peripherals that can be shared (with specific context for each
domain) or dedicated to one domain or the other.
At system level, the isolation between secure and nonsecure domains relies on the following hardware
mechanisms (see Figure 9):
• specific core architecture (Armv8-M Cortex-M33) with a dual execution domain for secure and nonsecure domains, and an implementation defined attribution unit (IDAU) to assert address range security status
• secure attribution unit (SAU) is used to refine settings of the IDAU
• bus infrastructure that propagates the secure and privilege attributes of any transaction (AHB5)
• dedicated hardware blocks managing the split between the two domains (GTZC to define security attribute for internal SRAMs and external FSMC/OCTOSPI memories, and peripherals)
AN5156 - Rev 8
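The following is an added example, not code from AN5156 or from ST: a host-side C model of how the IDAU and SAU results for an address combine into one security attribute, with the stricter of the two winning. The IDAU rule (address bit 28 selects the nonsecure-callable alias), the `resolve_attr` helper, and the region map are constructed assumptions; the values for a real device come from its reference manual.

```c
#include <stddef.h>
#include <stdint.h>

/* Ordered by strictness so that "stricter wins" is a simple max(). */
typedef enum { ATTR_NS = 0, ATTR_NSC = 1, ATTR_S = 2 } sec_attr_t;

/* One SAU region (SAU_RBAR/SAU_RLAR): inclusive limit, NSC flag, enable bit. */
typedef struct { uint32_t base, limit; int nsc, enable; } sau_region_t;

/* Constructed IDAU rule (assumption): address bit 28 set => NSC, else NS. */
static sec_attr_t idau_lookup(uint32_t addr) {
    return (addr & 0x10000000u) ? ATTR_NSC : ATTR_NS;
}

/* SAU view of an address. */
static sec_attr_t sau_lookup(const sau_region_t *r, size_t n, int enabled,
                             int allns, uint32_t addr) {
    if (!enabled)                      /* SAU off: SAU_CTRL.ALLNS decides */
        return allns ? ATTR_NS : ATTR_S;
    int hits = 0;
    sec_attr_t attr = ATTR_S;
    for (size_t i = 0; i < n; i++) {
        if (r[i].enable && addr >= r[i].base && addr <= r[i].limit) {
            hits++;
            attr = r[i].nsc ? ATTR_NSC : ATTR_NS;
        }
    }
    /* No match means Secure; overlapping regions also resolve to Secure. */
    return hits == 1 ? attr : ATTR_S;
}

/* Final attribute: the stricter of the IDAU and SAU results. */
sec_attr_t resolve_attr(const sau_region_t *r, size_t n, int enabled,
                        int allns, uint32_t addr) {
    sec_attr_t i = idau_lookup(addr);
    sec_attr_t s = sau_lookup(r, n, enabled, allns, addr);
    return i > s ? i : s;
}

/* Constructed sample map, not taken from any reference manual. */
const sau_region_t demo_map[] = {
    { 0x08040000u, 0x0807FFFFu, 0, 1 },  /* nonsecure flash */
    { 0x1003E000u, 0x1003FFFFu, 1, 1 },  /* NSC veneer window */
    { 0x20018000u, 0x2003FFFFu, 0, 1 },  /* nonsecure SRAM */
    { 0x30000000u, 0x3000FFFFu, 0, 1 },  /* SAU says NS, IDAU says NSC */
};
const size_t demo_map_len = sizeof demo_map / sizeof demo_map[0];
```

With the SAU enabled, any address that no region covers resolves to secure, so a forgotten region fails closed rather than exposing memory to the nonsecure domain.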