RDP Level
In its certified configuration, the platform is deployed in RDP level 2.
Note that the RDP value in FLASH_OPTR indicates the protection level of the product, as explained in Section 3.10.1 of [RM_U5] or [RM_WBA5]:
• RDP Level 0 if RDP[7:0] = 0xAA
• RDP Level 2 if RDP[7:0] = 0xCC
• RDP Level 1 if RDP[7:0] is neither 0xAA nor 0xCC
Note: The existing feature of regression to RDP Level 0 based on OEM1KEY is out of the scope of the TOE.
HDP securable memory area
The platform is certified with the HDP securable memory enabled. The Integrator must link the immutable Root of Trust of the product firmware inside the securable memory area and configure the associated option bytes as follows:
• For the STM32U5 series:
 – HDP1EN = 1
 – HDP1_PEND: index of the last page of the HDP1 securable memory area
• For the STM32WBA5 series:
 – HDPEN = 1
 – HDP_PEND: index of the last page of the HDP securable memory area
Additionally, for the U5 (resp. WBA5) series, the product firmware must activate the hidden protection just before jumping out of the securable memory area by setting the HDP1_ACCDIS bit (resp. HDP_ACCDIS bit) in the FLASH_SECHDPCR register. Refer to Section 3.6.1 in [RM_U5] or [RM_WBA5] for more details on HDP.
Boot configuration
In its certified configuration, the platform starts by executing code from the secure address defined by the SECBOOTADD0 option byte, because the BOOT_LOCK option byte is set. This address must be in a secure, write-protected, and HDP-protected area, as described in Section 3.2.3.
Fault injection attacks countermeasures
To meet the target of platform resistance against physical attackers, the Integrator must implement the following software countermeasures within its application when performing sensitive operations (including cryptographic ones):
• Redundancy:
 – For example:
  ◦ Perform the sensitive operation twice and verify that the results are equal.
  ◦ Implement the inverse of the cryptographic operation, as described in the following section on hardware cryptographic accelerators.
 – In case of verification error:
  ◦ Make sure that the results are erased or cannot be accessed by the user.
  ◦ Implement a security response, for example, a platform reset.
• Random timing jitter:
 – For example, apply a random loop (using the RNG peripheral) before executing a sensitive operation.
• Execution control flow:
 – For example:
  ◦ Use a finite state machine in which transitions are verified to be legitimate.
  ◦ Use a scattered known computation with a verified result at the end.
 – In case of control flow error:
  ◦ Implement a security response, for example, a platform reset.
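The following is an added example, not code from UM3387 or from ST, showing how the checks above fit together in the immutable Root of Trust just before it leaves the HDP securable area: the RDP level is decoded from RDP[7:0] of FLASH_OPTR exactly as the page states, the HDP enable is checked, a sensitive comparison is run twice with random jitter and a control-flow counter, HDP1_ACCDIS is set and read back before the jump, and every failure ends in a security response. The register struct (`flash_regs_t`), the bit position assumed for HDP1_ACCDIS, the `platform_t` hooks, and the `demo_boot` harness with its constructed 32-byte digests are all hypothetical stand-ins so the code runs on a host; on the real part the hooks wrap the RNG peripheral and a system reset, and the register accesses target the real option bytes.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Non-trivial status patterns: a single flipped bit cannot turn FAIL into OK. */
#define SEC_OK   0x5AA5C33Cu
#define SEC_FAIL 0xA55A3CC3u

/* Simulated registers (hypothetical struct, NOT the real memory map). Only the
 * meaning of RDP[7:0] in FLASH_OPTR is taken from the page. */
typedef struct {
    uint32_t optr;      /* FLASH_OPTR: RDP[7:0] */
    bool     hdp1en;    /* HDP1EN option bit, modelled as a flag */
    uint32_t hdp1_pend; /* HDP1_PEND: index of last page of the HDP1 area */
    uint32_t sechdpcr;  /* FLASH_SECHDPCR */
} flash_regs_t;
#define HDP1_ACCDIS (1u << 0)   /* assumed bit position, check [RM_U5] */

/* Platform hooks: on hardware they wrap the RNG peripheral and a reset. */
typedef struct {
    uint32_t (*rng_next)(void);
    void     (*security_response)(void);
} platform_t;

enum rdp_level { RDP_LEVEL_0 = 0, RDP_LEVEL_1 = 1, RDP_LEVEL_2 = 2 };

/* RDP decoding rule from the page: 0xAA -> L0, 0xCC -> L2, anything else -> L1. */
enum rdp_level rdp_level_from_optr(uint32_t optr) {
    uint8_t rdp = (uint8_t)(optr & 0xFFu);
    if (rdp == 0xAAu) return RDP_LEVEL_0;
    if (rdp == 0xCCu) return RDP_LEVEL_2;
    return RDP_LEVEL_1;
}

/* Random timing jitter: a loop of random length before a sensitive step. */
static void random_delay(const platform_t *p) {
    volatile uint32_t sink = 0;
    for (uint32_t n = p->rng_next() & 0x3FFu; n != 0; n--) sink += n;
    (void)sink;
}

/* Constant-time comparison returning the OK/FAIL patterns, never 0/1. */
static uint32_t ct_equal(const uint8_t *a, const uint8_t *b, size_t len) {
    uint8_t diff = 0;
    for (size_t i = 0; i < len; i++) diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0 ? SEC_OK : SEC_FAIL;
}

/* Redundancy + scattered control-flow counter: the compare runs twice with
 * jitter, both runs must agree and the counter must reach CF_STEPS. */
#define CF_STEPS 4u
uint32_t verify_digest(const platform_t *p, const uint8_t *computed,
                       const uint8_t *expected, size_t len) {
    volatile uint32_t cf = 0;
    random_delay(p);                                   cf++;
    uint32_t r1 = ct_equal(computed, expected, len);   cf++;
    random_delay(p);                                   cf++;
    uint32_t r2 = ct_equal(expected, computed, len);   cf++;
    if (r1 != SEC_OK || r2 != SEC_OK || r1 != r2 || cf != CF_STEPS) {
        p->security_response();   /* e.g. platform reset */
        return SEC_FAIL;
    }
    return SEC_OK;
}

/* Root-of-Trust exit: returns only if something failed (simulation aside). */
uint32_t rot_exit_to_application(const platform_t *p, flash_regs_t *regs,
                                 const uint8_t *digest, const uint8_t *expected,
                                 size_t len, void (*app_entry)(void)) {
    /* Certified configuration is RDP level 2; evaluated twice with jitter. */
    if (rdp_level_from_optr(regs->optr) != RDP_LEVEL_2) { p->security_response(); return SEC_FAIL; }
    random_delay(p);
    if (rdp_level_from_optr(regs->optr) != RDP_LEVEL_2) { p->security_response(); return SEC_FAIL; }
    /* The RoT must be inside an enabled HDP1 area. */
    if (!regs->hdp1en || regs->hdp1_pend == 0u)        { p->security_response(); return SEC_FAIL; }
    if (verify_digest(p, digest, expected, len) != SEC_OK) return SEC_FAIL;
    /* Hide the securable area BEFORE jumping out, and read back the write
     * so a glitched store is not silently accepted. */
    regs->sechdpcr |= HDP1_ACCDIS;
    if ((regs->sechdpcr & HDP1_ACCDIS) == 0u)         { p->security_response(); return SEC_FAIL; }
    app_entry();
    return SEC_OK;
}

/* Host-side harness with constructed inputs (hypothetical, for demonstration). */
uint32_t g_resets = 0, g_app_entered = 0, g_lcg = 12345u;
static uint32_t demo_rng(void) { g_lcg = g_lcg * 1103515245u + 12345u; return g_lcg; }
static void demo_reset(void)   { g_resets++; }
static void demo_app(void)     { g_app_entered++; }

uint32_t demo_boot(uint8_t rdp_byte, bool hdp1en, bool digest_matches) {
    uint8_t expected[32], computed[32];
    for (int i = 0; i < 32; i++) expected[i] = computed[i] = (uint8_t)(0x10 + i);
    if (!digest_matches) computed[17] ^= 0x80;          /* corrupt one byte */
    platform_t p = { demo_rng, demo_reset };
    flash_regs_t regs = { 0xFFFFFF00u | rdp_byte, hdp1en, 0x1Fu, 0u };
    return rot_exit_to_application(&p, &regs, computed, expected, 32, demo_app);
}

int main(void) { return demo_boot(0xCC, true, true) == SEC_OK ? 0 : 1; }
```

`demo_boot(0xCC, true, true)` takes the full path and enters the application with HDP1_ACCDIS set; any other RDP byte, a disabled HDP area, or a digest mismatch never reaches `app_entry` and triggers the security response instead. On the target, replace `demo_rng` and `demo_reset` with the RNG peripheral read and a system reset, and keep the read-back of FLASH_SECHDPCR, since a single skipped store is exactly what a voltage or EM glitch produces.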
UM3387 - Rev 1