Introduction
This document describes how to get started with the STM32CubeU5 TFM (trusted firmware for Arm® Cortex®‑M) application, delivered as part of the STM32CubeU5 MCU Package.
The STM32CubeU5 TFM application provides a root of trust solution, including Secure Boot and Secure Firmware Update functionalities. This solution is used before executing the application. It provides a set of secure services that are isolated from the nonsecure application, but can be used by the nonsecure application at runtime. The STM32CubeU5 TFM application is based on the open-source TF‑M reference implementation, ported onto STM32U5 series microcontrollers (referred to as STM32U5 in this document). This brings the benefit of STM32U5 hardware security features such as:
• Arm® Cortex®‑M33 TrustZone® and memory protection unit (MPU)
• TrustZone®-aware peripherals
• Memory protections (HDP, WRP)
• Enhanced life-cycle scheme (RDP)
Additionally, security can be augmented with the addition of a secure element, the STSAFE-A110 (referred to as STSAFE in this document).
The secure services are implemented as upgradeable code that provides a set of services available at runtime for the nonsecure application. It also manages critical assets isolated from the nonsecure application. The nonsecure application cannot directly access any of the critical assets, but can call secure services that use the critical assets:
• Secure Boot (root of trust services) is a piece of immutable code that is always executed after a system reset. It checks the STM32U5 static protections, activates the STM32U5 runtime protections, and then verifies the authenticity and integrity of the installed firmware before every execution. This ensures that invalid or malicious code cannot be run.
• The Secure Firmware Update application is a piece of immutable code. It detects that a new firmware image is available, then checks the authenticity and the integrity of the code before installing it. The firmware update can be done on a single firmware image, including both the secure and nonsecure parts of the firmware image. Alternatively, it can be done on the secure part of the firmware image, on the nonsecure part of the firmware image, or on both independently. The firmware update can also be done either in overwrite mode or in swap mode. Firmware can be received in clear or encrypted form.
The secure services are upgradeable code implementing a set of services that manage critical assets isolated from the nonsecure application. This means that the nonsecure application cannot directly access any of the critical assets, but can only use secure services that use the critical assets:
• Crypto: secure cryptographic services, based on opaque key APIs
• Protected storage: protects data confidentiality/authenticity/integrity
• Internal trusted storage: protects data confidentiality/authenticity/integrity in internal flash memory (the most secure storage space for microcontrollers)
• Attestation: proves product identity via an entity attestation token
The TFM application presented in this document is a complete implementation of [TF-M]. A second application implementing only the Secure Boot and Secure Firmware Update functionalities of [TF-M], named STM32CubeU5 SBSFU, is also available in the STM32CubeU5 MCU Package. For further information on the SBSFU application, refer to [AN5447].
The first sections of this document (sections 4 to 6) present the open-source TF‑M part (v1.3.0). The last sections of this document (sections 7 to 12) present TF‑M ported onto the STM32U5 microcontroller and integrated in the STM32CubeU5 MCU Package. STM32CubeU5 TFM application and SBSFU application examples are provided for the B-U585I-IOT02A board.
Refer to [TF-M] for more information about the open-source TF‑M reference implementation.
UM2851 - Rev 4 - October 2023
For further information contact your local STMicroelectronics sales office.
UM2851
User manual
Getting started with STM32CubeU5 TFM application
www.st.com