ST STM32MP13 Series User Manual

Security guidance for SESIP level 3 certification

UM2885
User manual
STM32MP13xx security guidance for SESIP level 3 certification
Introduction
This document describes how to prepare an STM32MP13xx microprocessor to make a secure system solution compliant with SESIP level 3.
The security guidance described in this document applies to any board based on the devices listed in the table below, for die revision Y.
Table 1. Applicable products
Reference | Products
STM32MP13xx | STM32MP131C, STM32MP131F, STM32MP133C, STM32MP133F, STM32MP135C, STM32MP135F
UM2885 - Rev 2 - January 2023
www.st.com
For further information contact your local STMicroelectronics sales office.

Summary of Contents for ST STM32MP13 Series

  • Page 2: General Information

    General information
    This document applies to STM32MP13xx Arm®-based MPUs. Note: Arm is a registered trademark of Arm Limited (or its subsidiaries) in the US and/or elsewhere.
    Table 2. Specific acronyms (columns: Acronym, Description): Boot hardware key, Global partition table, Hardware‑unique key, Microprocessor...
  • Page 3: Reference Documents

    Reference documents
      • Reference manual: STM32MP13xx Reference Manual (RM0475) - revision 0.5
      • Application note: Overview of the secure secret provisioning (SSP) on STM32MP1 Series (AN5510) - revision 1
      • User manual: STM32CubeProgrammer software description (UM2237) - revision 18
      •...
  • Page 4: TOE Preparative Procedures

    Secure acceptance is the process in which the user securely receives the TOE and verifies its genuineness. The TOE is distributed as an STM32 MPU device, with a software package that can be obtained from www.st.com. Refer to the cover page for the applicable devices.
    How to accept an STM32MP13xx MPU device
    When the device is in the OTP‑SECURE Open default state, TOE genuineness can be verified using a debugger,...
  • Page 5: Secure Installation And Preparation Of The Operational Environment (AGD_PRE.1.2C)

    Secure installation and preparation of the operational environment (AGD_PRE.1.2C)
      • Alternatively, use the STM32CubeProgrammer graphical user interface (GUI) as follows:
        – On the right, select USB (not STLINK, set by default) in the connection picklist and click on the refresh button.
  • Page 6: Figure 2. STM32MP135F-DK Discovery Kit Connections

    Hardware setup
    STM32MP135F-DK Discovery kit board is used as described below. Connect the USB Micro-B to Type-A cable between your laptop and the ST-LINK/V2-1 port of the board. Connect the power supply using the USB Type-C® connector (power 5V-3A).
  • Page 7: Secure Installation

    Debug when the protections are disabled
    Software setup
    STMicroelectronics provides OpenSTLinux binary packages ("starter" packages) that can run directly on ST boards mounted with the TOE. Each starter package contains a set of complete, configured images to boot a non‑secure platform. OpenSTLinux is based on the Trusted Firmware-A (TF-A) reference implementation, which can be found at https://trustedfirmware-a.readthedocs.io.
  • Page 8

    The user also needs to create a 128-bit secret to store in OTP words 92 to 95 of the TOE. The user also creates a 32-bit derivation constant to be stored in the encrypted FSBL extension header. With this information, the STM32 key generator tool can compute a 128-bit encryption key that is used to encrypt the FSBL image using AES CBC chaining mode.
  • Page 9

    Step E: Image programming
    Once the image is signed, it can be programmed into the flash memory on the target board with the STM32CubeProgrammer tool. Supported flash memory and its associated flash memory mapping are described in Available interfaces and methods of use (AGD_OPE.1.2C and AGD_OPE.1.3C).
  • Page 10: Figure 4. Authenticated STM32 Header (With Extensions) With Binary Files

    Each binary image (signed or not) loaded by the ROM code needs to include a specific STM32 header added on top of the binary data. This header includes two extension headers: one for FSBL authentication, and one for FSBL decryption.
  • Page 11: Operational User Guidance

    Operational user guidance
    User role
    The user role integrator, also called original equipment manufacturer (OEM), is the most relevant for this TOE. Indeed, the integrator is the one to:
      • Receive the TOE,
      • Perform the preparative procedures as described in TOE preparative procedures,
      •...
  • Page 12: Figure 5. Active-Key Monotonic Counter In OTP Word 22

    Operational guidance for the integrator role
    Table columns: Name, Length (in bits), Byte offset, Description.
    Number of public keys in the table N, byte offset 0x8C: Number of public keys in the table (N=8)
    ECDSA algorithm, byte offset 0x90: 1: P-256 NIST, 2: Brainpool 256
    Authentication Public key hash table, to check the hash table starting at ECDSA public key...
  • Page 13: Table 5. STM32 Header Information For FSBL Encryption

    Refer to the boot_api_context_t structure in https://github.com/STMicroelectronics/arm-trusted-firmware/blob/v2.4-stm32mp/plat/st/stm32mp1/include/boot_api.h for details.
    Number of images in external flash memory
    The integrator can configure the TOE to use one or two copies of the FSBL in the external flash memory. In the case of using two copies, FSBL1 and FSBL2, the ROM code tries to load and launch the first copy and in case of failure, it then tries to load the second copy.
  • Page 14

    The integrator can change the TOE serial boot management or remove the serial boot functionality. Both options are in the scope of the certified configuration. Refer to Secure installation and preparation of the operational environment (AGD_PRE.1.2C) for details.
  • Page 15: Figure 6. Key Management Principle

    Figure 6. Key management principle
  • Page 16

    Note: Any keys encrypted by DHUK or BHK are not usable when a tamper event occurs. Crypto peripherals critical to secure ROM code are made secure only. Refer to TrustZone® and MMU isolation usage in this section for details.
  • Page 17

    For example, when cryptographic drivers execute in the secure mode of the Cortex‑A7, it is recommended that the integrator verifies that the peripherals and the memory used by those drivers are read/write secure only. More specifically, the following hardware features must be used:
      •...
  • Page 18: Available Interfaces And Methods Of Use (AGD_OPE.1.2C And AGD_OPE.1.3C)

    Those methods are described in the tamper and backup registers (TAMP) section of the RM0475 reference manual and summarized in the following table.
    Note: When activated, only a reset of the backup domain can deactivate the tamper protections.
    Table 7.
  • Page 19

    Method of use:
      • Power on the product as defined in RM0475.
      • Reset the device as defined in RM0475.
      • Device executes the ROM code.
      • ROM executes the authenticated code of the integrator when the TOE is in its certified configuration. This code uses SAES and PKA peripherals freely after the RNG peripheral is properly configured and clocked (in RCC).
  • Page 20

    Parameters:
      • Sticky read‑lock: Integrator can use the BSEC_SRLOCKx register to prevent reloading of selected shadow registers until the next system reset.
      • Sticky write‑lock: Integrator can use the BSEC_SWLOCKx register to lock the write to the selected shadow register until the next system reset.
  • Page 21: Figure 7. Tamper-Protected Physical Chip Interfaces

    Figure 7. Tamper‑protected physical chip interfaces
  • Page 22

    Actions:
      • When the integrator activates a tamper input event linked to a physical chip interface, it must decide if it is the source of a potential tamper (ITAMPxNOER=1 in TAMP_CR3) or the source of a confirmed tamper (ITAMPxNOER=0 in TAMP_CR3).
  • Page 23: Figure 8. Quad-SPI NOR Flash Memory Layout Without GPT

    Figure 8. Quad-SPI NOR flash memory layout without GPT
    Note: It is possible to use NOR flash memory either in single or dual mode. In dual‑mode, two NOR flash memories are connected to the two ports of the NOR interface and the two memories are used in interlaced mode.
    Parallel NAND (via FMC) and serial NAND (via Quad-SPI) layouts contain n copies of FSBL in the first valid blocks.
  • Page 24: Figure 10. eMMC Flash Memory Layout

    Figure 10. eMMC flash memory layout
    On the SD/MMC interface, the SD card layout contains versions of FSBL. The ROM code first looks for a GPT. If it finds one, it locates two FSBLs by looking for the first two GPT entries whose names begin with 'fsbl'. If it cannot find a GPT, the ROM code looks for FSBL1 at offset LBA34 and FSBL2 at offset LBA546.
  • Page 25: Table 8. Boot Device Selection Via The Boot Pins And OTP (Flash Memory)

    Table 8. Boot device selection via the boot pins and OTP (Flash memory)
    Columns: BOOT pins; TAMP_REG[20] (force serial); OTP word 3 (primary boot source); OTP word 3 (secondary boot source); Boot source #1; Boot source #2 if #1 fails; Boot source if...
  • Page 26: Table 11. Parallel NAND AFmux Default Configurations

      • NAND configurations.
        – For serial NANDs, the AFmux default setting is the same as for serial NOR. Refer to Table
        – For parallel NANDs, the AFmux default configurations, which are overwritten by OTP values defined by OTP words 5 to 7, are described in Table
    Table 11.
  • Page 27

    As part of the TOE configuration, the integrator can permanently disable flash memory interfaces by burning the relevant fuses of OTP word 3, as described in the parameters above. Disabling all the flash memory interfaces is not part of the certified TOE configuration.
  • Page 28: Figure 12. ROM Boot Source Selection

    Table 14. Boot device selection via the boot pins and OTP (serial)
    Columns: BOOT pins; TAMP_REG[20] (force serial); OTP word 3 (primary boot source); OTP word 3 (secondary boot source); Boot source #1; Boot source #2 if #1 fails; Boot source if #2 fails...
  • Page 29: Security-Relevant Events (AGD_OPE.1.4C)

    Method of use:
      • The method to provision and lock the RMA password, when the device is OTP‑SECURE Open, is described in Section 3.2.2 Secure installation. Alternatively, the method described in AN5510 can be used.
  • Page 30: Modes Of Operation (AGD_OPE.1.5C)

    To achieve the above TRUSTED_INTEGRATOR and TOE_PREPARATION security objectives, the following measures must be taken.
      • The integrator must verify the genuineness of the TOE as described in Secure Acceptance.
      • The integrator must follow all the guidelines described in User‑accessible functions and privileges (AGD_OPE.1.1C), Available interfaces and methods of use (AGD_OPE.1.2C and AGD_OPE.1.3C)
  • Page 31: Technical Annexes

    Technical annexes
    Boot from parallel and serial NANDs
    Supported parallel NANDs
    The ROM code supports parallel NAND with the following parameters.
    Table 16. Parallel NAND support by ROM code
    Columns: Block size (Kbytes), Page size (Kbytes), Data width, ECC (bits and code)
    Data width: 8, 16
    ECC (bits and code): 4 (bch), 8 (bch), 1 (hamming)...
  • Page 32: How To Update OTP With U-Boot

    How to update OTP with U-Boot
    Table columns: Parameter table offset, Description, Needed for parallel NAND, Needed for serial NAND
    [85:84]: Number of spare bytes per page
    [95:92]: Number of pages per block
    [99:96]: Number of blocks per unit
    Number of ECC bits correctability
    Note: Serial NAND memories are not ONFI compliant but most of them are ONFI compatible.
  • Page 33

      Word 0x00000008: 00000000 82004000 00000000 00000000
      Word 0x0000000c: 7d04f0db 00470022 33385115 34383330
      Word 0x00000010: 22986562 27010551 7a470140 06cc1608
      Word 0x00000014: 5e560054 00000000 00000000 401a300c
      Word 0x00000018: ffffffff ffffffff ffffffff ffffffff
      Word 0x0000001c: ffffffff ffffffff ffffffff ffffffff
    When all the 96 OTPs are available (secure open device):
      Board $>...
  • Page 34: Revision History

    Revision history
    Table 19. Document revision history (columns: Date, Revision, Changes)
    29-Nov-2022: Initial release.
    25-Jan-2023: Second release.
  • Page 35: Table Of Contents

    Contents: General information; Reference documents
  • Page 36: List Of Figures

    List of figures: Figure 1. STM32MP13xx acceptance using STM32CubeProgrammer; Figure 2.
  • Page 37: List Of Tables

    List of tables: Table 1. Applicable products; Table 2.
  • Page 38

    ST’s terms and conditions of sale in place at the time of order acknowledgment. Purchasers are solely responsible for the choice, selection, and use of ST products and ST assumes no liability for application assistance or the design of purchasers’...
