ST STM32U5 Series User Manual page 14

4.2.3 Security-relevant events (AGD_OPE.1.4C)
Once configured according to
detects any unauthorized access and any unexpected configuration:
• Erroneous values found in the option bytes of the security configuration at boot time:
– Cancel the boot sequence by resetting or blocking the platform (Integrator-defined implementation).
• Illegal access in the HDP securable memory area:
– Read returns zero.
– Write causes a bus error. The Integrator firmware can implement an error handler.
• Attempt to reprogram the security option bytes in RDP level 2:
– Status FLASH_SR.WRPERR or FLASH_SR.OPTWERR raised with a possible interrupt to a user
implementation-defined error handler.
• Closed JTAG/SWD access violation:
– The connection request is not transmitted to the access port and debug port. The request is ignored.
• Wrong OEM2 password injection for RDP level 2 to level 1 regression:
– The detection ignores the regression request and restarts in RDP level 2 at the next boot.
• Attempts to compromise RNG entropy properties by disturbing physical RNG interfaces:
– The RNG hardware raises alarms on clock and noise source defects with a possible interrupt to a
user implementation-defined error handler.
• Detection of attacks to RNG, SAES, and PKA by an attacker with physical access:
– The peripheral goes to locked mode and an internal tamper is generated (tamp_itamp9 input),
disabled by default.
4.2.4 Security measures (AGD_OPE.1.6C)
This section describes, as the user role of the Integrator, the security measures to be followed to fulfill the security
objectives for the operational environment as described in
To achieve TRUSTED_INTEGRATOR and LIFECYCLE, the following measures must be taken:
• Verify the genuineness of the TOE as described in
• Follow all guidelines described and referenced in
(AGD_PRE.1.2C).
• Follow all guidelines described in
and Section 4.2.2: Available interfaces and methods of use (AGD_OPE.1.2C and AGD_OPE.1.3C)
regarding the implementation of the nonplatform required firmware described in
• In the manufacturing phase, the Integrator must securely provision the TOE immutable data specific to the
Integrator or specific to the product as stated in the product firmware HDP securable memory area of
Section 4.2.1: User‑accessible functions and privileges
• Once the Integrator finishes the production of a final user application, they must set the MCU hardware
static protections as stated in
the user application, the final product state must be RDP2.
UM3387 - Rev 1
Section 3.2: Secure installation and preparation
Section 3.1: Secure
Section 3.2: Secure installation and preparation
Section 4.2.1: User‑accessible functions and privileges (AGD_OPE.1.1C)
Section 3.2.3: Secure
(AGD_PRE.1.2C), the platform
[ST] Section 2.1.
acceptance.
[ST]
(AGD_OPE.1.1C).
installation. To protect the complete product including
UM3387
Operational user guidance
Section 1.4.5.
page 14/22