ST X-CUBE-SBSFU STM32Cube Integration Manual
Introduction
The X-CUBE-SBSFU Secure Boot and Secure Firmware Update solution allows the update of the
STM32 microcontroller built-in program with new firmware versions, adding new features and
correcting potential issues. The update process is performed in a secure way to prevent unauthorized
updates and access to confidential on-device data.
The Secure Boot (Root of Trust services) is an immutable code, always executed after a system reset.
It checks STM32 static protections, activates STM32 runtime protections, and then verifies the
authenticity and integrity of user application code before every execution to make sure that invalid or
malicious code cannot be run.
The Secure Firmware Update application receives the firmware image via a UART interface with the
Ymodem protocol. It checks the authenticity and the integrity of the code before installing it. The
firmware update is done on the complete firmware image, or only on a portion of the firmware image.
Examples can be configured to use asymmetric or symmetric cryptographic schemes with or without
firmware encryption. They are provided:
• for single-slot configuration to maximize firmware image size
• for dual-slot configuration to ensure safe image installation and enable over-the-air firmware
update capability commonly used in IoT devices.
For a complex system with multiple firmware such as protocol stack, middleware, and user application,
the firmware image configuration can be extended up to three firmware images.
The secure key management services provide cryptographic services to the user application through
the PKCS #11 APIs (KEY ID-based APIs) that are executed inside a protected and isolated
environment. User application keys are stored in the protected and isolated environment for their
secured update: authenticity check, data decryption, and data integrity check.
STSAFE-A110 is a tamper-resistant secure element (Hardware Common Criteria EAL5+ certified)
used to host X509 certificates and keys and perform verifications used for firmware image
authentication during Secure Boot and Secure Firmware Update procedures.
The X-CUBE-SBSFU user manual (UM2262) explains how to get started with
X-CUBE-SBSFU and details SBSFU functionalities. This application note describes how to adapt
X-CUBE-SBSFU and integrate it with the user's application. It answers such questions as:
• How to port X-CUBE-SBSFU onto another board?
• How to tune the X-CUBE-SBSFU configuration to fit the user's needs?
• How to generate a new firmware encryption key?
• How to debug X-CUBE-SBSFU?
• How to adapt SBSFU?
• How to adapt the user's application?
Note:
Throughout this application note, the IAR Embedded Workbench® IDE is used as an example to
provide guidelines for project configuration. Secure Boot and Secure Firmware Update applications
are referred to as SBSFU.
Note:
The single-slot configuration is demonstrated in examples named 1_Image.
The dual-slot configuration is demonstrated in examples named 2_Images.
AN5056 Rev 8, Application note: Integration guide for the X-CUBE-SBSFU STM32Cube Expansion Package, December 2021, www.st.com

Summary of Contents for ST X-CUBE-SBSFU STM32Cube

  • Page 2: Table of Contents
    General information ......... 6; Related documents ...
  • Page 3
    Implementing a new cryptographic scheme for SBSFU .... 34; Optimizing memory mapping ........ 36; How to activate interruption management inside the firewall isolated environment ...
  • Page 4: List of tables
    Table 1. List of acronyms ............ 6; Table 2. ...
  • Page 5: List of figures
    Figure 1. SBSFU project structure ........... 9; Figure 2. ...
  • Page 6: General information
    Table 1 and Table 2 present the definitions of acronyms and terms that are relevant for a better understanding of this document. Table 1. List of acronyms (Acronym / Description): Advanced encryption standard; Debug access port; ECDSA, Elliptic curve digital signature algorithm; AES Galois/counter mode; Hardware abstraction layer...
  • Page 7
    The X-CUBE-SBSFU Secure Boot and Secure Firmware Update Expansion Package runs on STM32 32-bit microcontrollers based on the Arm® Cortex®-M processor. (a) Arm is a registered trademark of Arm Limited (or its subsidiaries) in the US and/or elsewhere.
  • Page 8: Related documents
    User manual: Getting started with STM32CubeF7 MCU Package for STM32F7 Series (UM1891). User manual: Getting started with STM32CubeG0 for STM32G0 Series (UM2303). 10. User manual: Getting started with the X-CUBE-SBSFU STM32Cube Expansion Package (UM2262). 11. User manual: Development guidelines for STM32Cube Expansion Packages (UM2285). 12. ...
  • Page 9: Porting X-CUBE-SBSFU onto another board
    X-CUBE-SBSFU supplements the STM32Cube™ software technology, making portability across different STM32 microcontrollers easy. It comes with a set of examples implemented on given STM32 boards that are useful starting points to port X-CUBE-SBSFU onto another STM32 board.
  • Page 10: Memory mapping definition
    As already highlighted in the X-CUBE-SBSFU user manual (refer to [10]), a key aspect is the placement of all elements inside the Flash memory of the device: • Secure Engine: protected environment to manage all critical data and operations. • ...
  • Page 11: Figure 3. Linker file architecture
    The linker file definitions shared between the three projects (SECoreBin, SBSFU, UserApp) are grouped in the Linker_Common folder as presented in Figure. • mapping_fwimg.icf: contains firmware image definitions such as active slots, download slots, and swap area. • ...
  • Page 12: Figure 4. Mapping constraints with MPU isolation (NUCLEO-G071RB example)
    Another typical use case is the MPU configuration of the active-slot region to authorize user application execution. Figure 5 shows how to respect the MPU constraints on NUCLEO-L073RZ.
  • Page 13: SBSFU region definition parameters
    3.2.1 SBSFU region definition parameters. Figure 6 presents the parameters in file mapping_sbsfu.icf that are used for the configuration of the SBSFU regions. Figure 6. SBSFU regions (NUCLEO-L476RG mapping_sbsfu.icf)
  • Page 14: Firmware image slot definition parameters
    3.2.2 Firmware image slot definition parameters. Figure 7 presents the parameters in file mapping_fwimg.icf that are used for the configuration of the image regions. Figure 7. Firmware image slot definitions (NUCLEO-L476RG mapping_fwimg.icf). Compliance with SBSFU constraints requires that the following conditions are met: • ...
  • Page 15: Figure 8. Firewall configuration constraint on dual bank products
    Figure 8. Firewall configuration constraint on dual bank products. Figure 9. Firewall configuration after bank swap. For the STM32G0 Series, STM32G4 Series, and STM32H7 Series, one constraint exists: the header of the active slot must be mapped just after the SBSFU code to be protected by the secured memory.
  • Page 16: Project-specific linker files
    Note: For series with MPU-based isolation or firewall-based isolation, the MPU constraint on the active-slot configuration must be verified as illustrated in Figure. 3.2.3 Project-specific linker files: SECoreBin places critical code and data such as secrets, as illustrated in Figure. Figure 10. ...
  • Page 17: Multiple image configuration
    UserApp must be configured to run in the active slot (Slot active start address with SFU_IMG_IMAGE_OFFSET) as illustrated in Figure 12, where SFU_IMG_IMAGE_OFFSET is 512 bytes for the STM32L4 Series. Figure 12. UserApp specific linker file (NUCLEO-L476RG example). 1. ...
  • Page 18: Dual-core adaptation
    Figure 13. Multiple image configuration. Dual-core adaptation: For the STM32H7 Series dual-core products, it is mandatory to disable the CM4 boot while the SBSFU is running (on CM7). Thus, once the authentication and the integrity of all firmware images are verified by the SBSFU, the user application starting on CM7 can trigger the boot of CM4.
  • Page 19: Figure 14. STM32H7 Series dual-core adaptation
    Figure 14. STM32H7 Series dual-core adaptation. Slots configuration may be adapted to manage two firmware images, one dedicated to CM7 and the other one dedicated to CM4. Refer to 3.2.4 Multiple image configuration for more details.
  • Page 20: SBSFU configuration
    Download slot, as well as backup slot, is mapped in an external Flash memory. A specific installation process without swap (SFU_NO_SWAP) is selected to ensure confidentiality by keeping both slots always encrypted. More details are provided in Appendix H of the user manual Getting started with the X-CUBE-SBSFU STM32Cube Expansion Package (UM2262).
  • Page 21: Cryptographic scheme selection
    The configuration possibilities go beyond these options through compilation switches: • Local loader can be removed to reduce the memory footprint (dual slots only). • Verbose switch can be activated to make debugging easier. • Debug mode can be disabled (no more printf on the terminal during SBSFU execution) to reduce the memory footprint.
  • Page 22: Security configuration
    Figure 16. Switching the cryptographic scheme. Note: For the B-L4S5I-IOT01A STSAFE and KMS variants, the SECBOOT_X509_ECDSA_WITHOUT_ENCRYPT_SHA256 cryptographic scheme is selected. For the external Flash memory variant with on-the-fly decryption (OTFDEC), the SECBOOT_ECCDSA_WITH_AES128_CTR_SHA256 cryptographic scheme is selected. Security configuration: The SBSFU example is delivered with an STM32 security protection configuration allowing the protection of secrets against both outer and inner attacks.
  • Page 23: Figure 17. STM32L4 Series and STM32L0 Series security configuration (app_sfu.h)
    Figure 17. STM32L4 Series and STM32L0 Series security configuration (app_sfu.h):
      /*!< Disable all security IPs at once when activated */
      #define SECBOOT_DISABLE_SECURITY_IPS
      #if !defined(SECBOOT_DISABLE_SECURITY_IPS)
      # define SFU_WRP_PROTECT_ENABLE
      # define SFU_RDP_PROTECT_ENABLE
      # define SFU_PCROP_PROTECT_ENABLE
      # define SFU_FWALL_PROTECT_ENABLE
      # define SFU_TAMPER_PROTECT_ENABLE
      # define SFU_DAP_PROTECT_ENABLE
      ...
  • Page 24: Figure 19. STM32G0 Series, STM32G4 Series, and STM32H7 Series
    Figure 19 shows the various security configuration solutions available in file app_sfu.h for the STM32WB Series. Figure 19. STM32G0 Series, STM32G4 Series, and STM32H7 Series security configuration (app_sfu.h). Figure 20 shows the various security configuration solutions available in file app_sfu.h for the STM32WB Series.
  • Page 25: Development or production mode configuration
    The first step before any code modification is often to configure the SBSFU project in development mode to enable IDE debugging facilities and add SBSFU debug traces: deactivate all security protections (SFU_xxx_PROTECT_ENABLE); deactivate SFU_FINAL_SECURE_LOCK_ENABLE; activate SFU_FWIMG_BLOCK_ON_ABNORMAL_ERRORS_MODE; activate SECBOOT_OB_DEV_MODE...
  • Page 26: Figure 21. Option Bytes management
    Figure 21 shows how Option Bytes are managed at SBSFU startup. Figure 21. Option Bytes management
  • Page 27: Generating a cryptographic key
    Generating a new firmware AES encryption key: Key generation and firmware encryption are performed automatically during the compilation process with the prebuild.bat and postbuild.bat scripts (refer to [10] for a detailed description of the build process).
  • Page 28: STM32WB Series specificities
    ...Boot0) after pin header soldering and another jumper selects ‘USB MCU’ on JP2. A USB cable is connected to the USB_USER interface. The power is ON (unplug/plug the USB cable connected to ST-LINK). Then, the function Key provisioning of the Firmware Upgrade Services panel is allowed as...
  • Page 29: KMS specificities
    Figure 24. Key provisioning. KMS specificities: With KMS middleware integration, SBSFU keys are no longer stored in a section under PCROP protection. They are stored inside the KMS code as static embedded keys. Figure 25 shows an example of the firmware encryption key modification of active slot #1. The same applies for active slot #2 or #3: change the key value in file OEM_KEY_COMPANY1_keys_AES_xxx.bin...
  • Page 30: STSAFE-A110 specificities
    Figure 25. KMS specificities. STSAFE-A110 specificities: As explained in Appendix G of UM2262, STM32 and STSAFE-A110 must be provisioned with pairing keys and X509 certificates. The STSAFE-A110 provisioning process is described in STSAFE_Provisioning/readme.txt. Figure 26 shows an example of pairing-key provisioning: STSAFE-A110 provisioning with default pairing keys; update STSAFE_PAIRING_keys.bin accordingly...
  • Page 31: Tips for debugging
    Compiler optimization level: Projects are delivered with the highest level of compiler optimizations turned on for size aspects. Such optimizations can make debugging complex. Changing the compiler optimization level possibly impacts memory mapping. Figure 27. ...
  • Page 32: Debugging SECoreBin
    Figure 28. Memory mapping adaptations. The impact of memory mapping adaptation on security peripheral configurations must be checked even though it is automatically computed. For example, check the WRP configuration using STM32CubeProgrammer (STM32CubeProg) as shown in Figure. Figure 29. ...
  • Page 33: Figure 30. Debugging inside SECoreBin
    Figure 30. Debugging inside SECoreBin
  • Page 34: Adapting SBSFU
    Implementing a new cryptographic scheme for SBSFU: X-CUBE-SBSFU comes with some predefined cryptographic schemes (refer to Section 4.2: Cryptographic scheme selection on page 21). It is also possible to extend the package with the user's cryptographic scheme. To implement a new cryptographic scheme for SBSFU, follow the steps illustrated in Figure 31 and described below.
  • Page 35
    Updating the tools running on the host side to prepare the keys and the firmware image: Step 5: update the preparation tools to support the new cryptographic scheme: prepareimage.py, translate_key.py, and keys.py. Step 6: update the IDE integration to generate the appropriate keys and firmware image.
  • Page 36: Optimizing memory mapping
    Several options exist to reduce the SBSFU code size to maximize the size of the user application slot. Some of these options are summarized in Table 3. Table 3. SBSFU code-size reduction (Option / Description / Consequence / Gain): Download a new firmware image from the ... Slot size is doubled...
  • Page 37: Figure 32. Example of memory mapping optimization on NUCLEO-G071RB – 2 images
    Figure 32. Example of memory mapping optimization on NUCLEO-G071RB – 2 images. In the folder NUCLEO-G031K8\Applications\1_Image, another example of memory optimization is provided for the NUCLEO-G031K8, where 32 Kbytes are allocated to the user application among the 64 Kbytes available on this board.
  • Page 38: How to activate interruption management inside the firewall isolated environment
    Interruption management inside the firewall isolated environment can be activated when low latency on interruption handling is required. Examples are provided in the 2_Images_OSC variant for 32L496GDISCOVERY and B-L475E-IOT01A boards. Figure 33 shows the different steps required to activate this option: Add IT_MANAGEMENT as preprocessor directive in SECoreBin and SBSFU IDE...
  • Page 39: How to improve boot time
    To resist a basic fault injection attack, some critical actions are duplicated, which impacts the time to start the user application. If such protections are not needed, for example if there is no physical access to the device, these counter-measures can be removed as shown in Figure. Figure 34. ...
  • Page 40: Adapting the user application
    How to make an application SBSFU compatible: First of all, the mapping of the user application must be modified to allow the application to run in active slot #1. In a multiple image configuration the same applies for active slot #2 or ...
  • Page 41: Figure 36. User application binary file length
    For user application encryption, the user application binary file length must be a multiple of 16 bytes. Figure 36 shows how to update the linker file to verify this constraint. Figure 36. User application binary file length. Finally, as done in the UserApp example, the IDE configuration must be updated to: generate a UserApp.bin file; include the search path for linker common files...
  • Page 42
    As explained in the user manual UM2262, some additional constraints depend on the STM32 series: • STM32F4 Series, STM32F7 Series, and STM32L1 Series: MPU-based Secure Engine isolation relies fully on the fact that a privileged level of software execution is required to access the Secure Engine services.
  • Page 43: Use of Flash memory to store user data
    The storage of user data in Flash pages or sectors is possible with some restrictions: • Out of the SBSFU code area • Not in the image slots • ...
  • Page 44: Changing the firmware download function in the user application
    This possibility is available only in the dual-slot mode of operation. A sample code based on the YMODEM protocol over UART is available in the X-CUBE-SBSFU UserApp project.
  • Page 45: How to change the firmware version
    The firmware version is part of the firmware header generated with the postbuild.bat script. In the following example, the version is 5. Figure 40. Firmware version change. Caution: The firmware with version SFU_FW_VERSION_INIT_NUM (app_sfu.h) is the only one allowed for installation when the header of the installed image is not valid.
  • Page 46: Figure 41. Validation menu
    Figure 41. Validation menu. Caution: This feature can be activated only on a dual-slot configuration example with the swap installation process selected.
  • Page 47: Revision history
    Table 4. Document revision history (Date / Revision / Changes): 20-Dec-2017: Initial release. 31-Aug-2018: Document structure and content entirely updated: – Refocused on the integration topics presented in Introduction – Adapted to the asymmetric and symmetric cryptography schemes – ...
  • Page 48
    Table 4. Document revision history (continued): Added OTFDEC information in Section 4.1: Features to be configured and Section 4.2: Cryptographic scheme selection (added one note). Updated Section 3.2.2: Firmware image slot definition parameters. Added Figure 8: Firewall configuration constraint on dual bank products and Figure 9: Firewall configuration after bank...
  • Page 49
    ...ST products and/or to this document at any time without notice. Purchasers should obtain the latest relevant information on ST products before placing orders. ST products are sold pursuant to ST’s terms and conditions of sale in place at the time of order acknowledgment.