ST STM32U5 Series User Manual page 15

To achieve UNIQUE_ID and KEY_MANAGEMENT, the following measures must be taken:
• The Integrator must protect the integrity of the Immutable Root of Trust of the nonplatform required
firmware
area for each device.
• The persons responsible for the application of the procedures described in
procedures, and the persons involved in the delivery and protection of the product must have the required
skills and must be aware of the security issues.
• In the case that any part of the preparative procedures of the platform or a party other than the Integrator
integrates any part of the preparative procedures of the integrated platform, the Integrator must guarantee
sufficient guidance is provided to this party.
• The Integrator can define any type of immutable data unique per product that might allow product
identification after its field deployment. It is recommended that the Integrator puts in place a data
management process, possibly based on a database solution, ensuring new unique data generation.
• The Integrator must protect the integrity of all the data protected in the HDP securable memory area until
they are provisioned and properly protected inside the platform of each device. Moreover, the Integrator
must protect the confidentiality of the secret data that are stored in the HDP securable memory area.
• Once immutable data of the nonplatform required firmware are generated for a new product, the Integrator
must program them in the defined format at the correct location corresponding to the securable memory
area and must protect them as described in
• The Integrator must protect the integrity and confidentiality of the cryptographic secret keys encapsulated
in the root parameters as defined in
4.2.5 Modes of operation (AGD_OPE.1.5C)
This section identifies all possible modes of operation of the platform (including operation following failure or
operational error), their consequences, and implications for maintaining secure operation.
Normal boot mode
After reset, the platform is forced to boot into the nonplatform required secure firmware. The security
configuration, dictated by
other alternative boot modes.
Regression mode
The Integrator owning the OEM2KEY to unlock RDP2 injects this value over the JTAG interface while maintaining
the platform under reset, as explained in the OEM2 RDP lock mechanism subsection of
Section 7.6.2. If the OEM2KEY value is wrong, the regression request aborts, and any access to the flash
memory is blocked until the next power-on-reset.
UM3387 - Rev 1
([ST] Section 1.4.5) until it is programmed and properly protected inside the securable memory
Section
Section 3.2: Secure installation and preparation
Section 3.2.3: Secure installation.
4.2.1.
(AGD_PRE.1.2C), unauthorizes all the
UM3387
Operational user guidance
Section 3: TOE preparative
[RM_U5] or [RM_WBA5]
page 15/22