ST STM32U5 Series User Manual page 8

4 Operational user guidance
4.1 User roles
The Integrator's user role is the only role involved in the preparative TOE procedure. The Integrator is responsible
for:
• Receiving the TOE,
• Performing the preparative procedures as described in
• And integrating the TOE into a final product.
The Integrator has full access to the TOE security features, as the MCU devices of the STM32U5 or STM32WBA5
series are delivered in RDP0 state without any features activated for NVM protection. The Integrator also has full
access to the tools to program the TOE.
4.2 Operational guidance for the Integrator roles
4.2.1 User‑accessible functions and privileges (AGD_OPE.1.1C)
The main task of the Integrator is to integrate the TOE into a final product. To this end, the system Integrator can
access interfaces unavailable to other users, as described in
use (AGD_OPE.1.2C and
configure the TOE to make it functional in the final secure state. The Integrator can change parts outside the TOE
without compromising the security of the TOE as shown in
PSA RoT
scope
Follow the procedures described in
secure configuration. The secure configuration of the TOE might be impacted when changing some parts of the
TOE but also when changing some parts located outside the TOE scope. This section describes the changes that
the Integrator can make and highlights what is covered in the evaluation scope and what might impact the secure
configuration of the TOE.
Product firmware
The Integrator must first load the product firmware before setting up the security configuration of the final product.
The Integrator must split the product firmware into two separate areas:
• Securable memory area that includes an HDP area in which the Integrator can locate its protected assets.
This area might contain, for example, a first-stage secure boot code with root parameters composed of
private and immutable personalization data or cryptographic elements depending on the Integrator's
product security requirements.
• A non-HDP memory area where the Integrator can locate the next boot stages plus the application
firmware.
Recommended security protection programming is described in
UM3387 - Rev 1
AGD_OPE.1.3C). The Integrator cannot change any parts inside the TOE but must
Figure 2. TOE perimeter
Updatable Platform
bootloader
Root of Trust
Immutable Platform
Boot code
Root of Trust
Security
Isolation
lifecycle
hardware
This [ST] evaluation scope
Section 3.1: Secure acceptance
TOE preparative procedures,
Section 4.2.2: Available interfaces and methods of
Figure 2.
SPE partition
Main
management
Trusted
subsystem(s)
Cryptographic
RNG
operation
to check if the TOE is acceptable for the
Section 3.2.3.
UM3387
Operational user guidance
page 8/22