ST - STM32Trust Product Overview

STM32Trust security ecosystem for STM32


Agenda

1 STM32Trust Overview
2 Security Assurance
3 Enhancing STM32 Security assurance with STSECURE
4 Real-world examples
5 Security functions & offer
6 Focus on SFI and SBSFU
7 Security functions by product
What does security mean for us?

Security is protecting Customer Assets

(Diagram: Customer Assets and their Protection requirements)

• Assets guarantee our customers' revenues
• Customers value their assets
• ST needs to provide the means to help our customers secure these assets
Security is a threat mitigation model

Threats exploit Vulnerabilities and damage Assets.

Protections mitigate Vulnerabilities and therefore might mitigate Threats.

(Diagram: Customer Assets, Threats and Vulnerabilities; Security functions mitigate them)

Identify Assets, Threats and Vulnerabilities to define Protections and Countermeasures mitigating them to an acceptable level.
What is STM32Trust?

A security framework proposal:

1 Identify threats according to customer asset categories
2 Propose mitigations via Security Functions & Services
3 Rely on recognized Security Assurance levels

To help customers protect their assets and reach the required Security Assurance levels.
Our goal: protect our customers' assets

Data: Confidentiality, Secrets, Regulations, Authenticity
Connectivity: Regulations, Network access, Data transfer, Confidentiality, Availability
IP: Software, Data, Processes, Secrets
System trust: Regulations, Reliability, Availability, Authentication, Confidentiality
From assets to security functions

STM32Trust simplifies the mitigation model analysis with:
• Pre-analyzed threats and vulnerabilities
• Mitigation with ready-to-use Security Functions & Services

(Diagram: Assets (Data, Connectivity, IP, System trust) → Threats and Vulnerabilities → STM32Trust Security Functions)

STM32Trust Security Functions:
• Identification / Authentication / Attestation
• Application Life Cycle
• Secure Manufacturing
• Software IP Protection
• Silicon Device Life Cycle
• Secure Install / Update
• Secure Storage
• Isolation
• Abnormal Situations Handling
• Secure Boot
• Crypto Engine
• Audit / Log
From device to application security assurance level

• STM32Trust focuses on 2 de-facto product certification schemes:
  Security Evaluation Standard for IoT Platforms (SESIP): published by Global Platform for IoT devices
  Platform Security Assurance by ARM® (PSA): focusing on protecting IoT devices
• Aligned to multiple national & application security standards (EN 303 645, IEC 62443)
• Fitting most customers' application Security Assurance requirements
Security assurance & certifications
Product certification status

Certifications available now

ARM PSA levels:
• Level 1 (Self Assessment)
• Level 2 (White box – Time Limited)
• Level 3 (Physical attack)
ARM PSA Level 1: STM32L4, STM32L5
ARM PSA Level 2: STM32L5 (TF-M)
ARM PSA API Compliant: STM32L5 (TF-M)

SESIP levels:
• Level 1 (Self Assessment)
• Level 2 (Black box)
• Level 3 (White box – Time Limited)
• Level 4 (White box)
• Level 5 (Smartcard-like EAL4+)
SESIP Level 1: STM32L4 (SBSFU), STM32L5 (TF-M)
SESIP Level 3: STM32L4 (SBSFU)

CC EAL5+: STSAFE-A110, STSAFE-TPM, ST4SIM
FIPS-140-2: STSAFE-TPM
TCG: STSAFE-TPM
GSMA: ST4SIM

Evaluations available now

PCI POS (Point of Sale application): STM32L4

• Certification documents and links available at www.st.com/stm32trust
• Evaluation material is not public
Enhancing STM32 security assurance with STSECURE

Security gradation:

Crypto engine
• Basic crypto services embedded in dedicated ICs

Computer firmware
• Pure software countermeasures, mainly against remote software attacks
• Self-evaluated solution

MCU / MPU with embedded security (main STM32 MCU / MPU)
• Broad MCU portfolio
• Countermeasures against remote software and board level attacks
• STM32Trust Security framework
• MPU with ARM TrustZone
• SESIP & PSA Certifications
• Secure Programming services

MCU + Secure element (secure companion chip)
• Trusted components (Hardware & SoC)
• Tamper resistance
• Common Criteria, GSMA, TCG certifications
• Proven against all attacks (remote software, board level and silicon level attacks)
• Lifecycle Security Centric devices
• Secure development methodology
• Secure personalization & key provisioning
• Secure supply chain
• Certified Common Criteria sites
A large range of certified STM32 companion secure elements

• Storage & Authentication
• Communication
• Platform integrity

STSAFE / ST4SIM: www.st.com/STSAFE, www.st.com/ST4SIM
Security assurance & certifications

Product Security Assurance*: STM32 MCUs & MPUs; STSAFE Secure Element (EAL5+)
Bridge for Application Assurance level
Application Security Assurance: IEC 62443
* product certifications depend on each product

• Security Evaluation Standard for IoT Platforms (SESIP): published by Global Platform to align protection profiles to multiple security assurance schemes
• Platform Security Assurance (PSA) by ARM©: focusing on protecting IoT devices
• Common Criteria EAL5+: enhances security with the highest hardware resistance, based on companion secure elements
Real-world examples
Customer example (1/6): focus on secure manufacturing
My asset is my product.

Bob is the CEO of a company designing toys. He needs to be protected against counterfeiting and device cloning.

What Bob needs to achieve:
• No firmware stolen during production
• No over-production by the manufacturer
• No means to program other devices
• No firmware stolen in the field

The Security Functions needed by Bob (IP Protection):
• Secure Manufacturing
• Software IP Protection
• Secure Install / Update
• Silicon Device Lifecycle
Customer example (2/6): focus on isolation and IP protection
My asset is my IP.

Jon owns a company selling firmware. His firmware is of the highest value, as his revenue comes from royalties. It features user-enabled application options.

What Jon wants to achieve:
• Protect his firmware
• Isolate his firmware from the customer's one
• Ensure independent firmware updates
• Set the application macro-state in a way which cannot be altered

The Security Functions needed by Jon (IP Protection):
• Software IP Protection
• Code Isolation
• Secure Install/Update
• Application Lifecycle
Customer example (3/6): focus on secure maintenance & update
My asset is product trust.

Mark's company sells costly equipment. He wants to offer remote maintenance and updates. He wants to only update his equipment and would like to make sure only his firmware runs on his devices.

What Mark wants to achieve:
• Ensure he connects to his equipment
• Ensure the connection is reliable
• Ensure the update is handled with integrity and authenticity
• Authenticity and integrity of the firmware running on devices

The Security Functions needed by Mark:
Secure Connectivity:
• Identification/Authentication/Attestation
• Secure Install/Update
System integrity:
• Secure Boot
• Memory protections
Customer example (4/6): focus on data management
My asset is my data.

Oliver sells devices that report sensitive data to servers. Oliver needs to make sure the data cannot be exposed outside of his company.

What Oliver wants to achieve:
• Ensure transmitted data is not exposed
• Ensure the secrecy of the data encryption keys
• Ensure data is sent from authenticated devices
• Ensure data is sent to authenticated servers

The Security Functions needed by Oliver:
Data:
• Crypto Engine
• Secure Storage
Secure Connectivity:
• Identification/Authentication/Attestation
Customer example (5/6): focus on remote access & control
My asset is device trust.

Rose controls her device fleet remotely. She wants to be sure no malicious devices are part of the fleet and would like to have full control over the devices. Ensuring device access control at any time is key.

What Rose wants to achieve:
• Every device shows a unique identity
• Be able to authenticate the device
• Be able to attest the device access rights
• Secure device communication
• Ensure that identities and access right secrets cannot be leaked, even at the manufacturing stage

The Security Functions needed by Rose:
Secure Connectivity:
• Identification/Authentication/Attestation
• Crypto Engine
Data Storage:
• Secure Storage and Secure Manufacturing (Secure Personalization)
Customer example (6/6): focus on data protection
My asset is my data.

Jack sells IoT devices that need to collect user data to run. Jack's devices and large-scale systems need to be in line with regulations (such as GDPR) to be able to promote & sell devices.

What Jack wants to achieve and the Security Functions needed by Jack:
• Ensure platform integrity (System integrity): Secure Boot; Abnormal Situations Handling
• Ensure user data integrity (Secure Connectivity): Crypto Engine; Identification/Authentication/Attestation
• Ensure user data is stored securely (Secure Storage): Secure Storage
Security functions and ST offer
From assets to security functions

STM32Trust simplifies the mitigation model analysis with:
• Pre-analyzed threats and vulnerabilities
• Mitigation with ready-to-use Security Functions & Services

Assets: Data, Connectivity, IP, System trust

Threats: Data confidentiality, Data integrity, Denial of Service, Impersonation, Software integrity, Malware Intrusion, Software copy, License fraud, Cloning

Vulnerabilities: Device identity, Software & Updates, Debug access, Secret storage, Lifecycle, Open Communication, Monitoring, Shared memories, Untrusted environment

STM32Trust Security Functions:
• Identification / Authentication / Attestation
• Application Life Cycle
• Secure Manufacturing
• Software IP Protection
• Silicon Device Life Cycle
• Secure Install / Update
• Secure Storage
• Isolation
• Abnormal Situations Handling
• Secure Boot
• Crypto Engine
• Audit / Log
The 12 security functions
• STM32Trust brings 12 Security Functions to align with Customer Use Cases and Security Assurance
• STM32Trust brings material (Documentation, Software, Tools…) to cover those 12 Security Functions
• The Security Functions embed support for companion STSAFE secure elements

• Application Life Cycle
• Secure Manufacturing
• Software IP Protection
• Silicon Device Life Cycle
• Identification / Authentication / Attestation
• Audit / Log
• Secure Boot
• Secure Install / Update
• Secure Storage
• Isolation
• Abnormal Situations Handling
• Crypto Engine

www.st.com/STM32Trust
The 12 security functions: definitions

1- Secure Boot: Ensure device application authenticity and integrity
2- Secure Install / Update: Secure Firmware Installation & Update; Integrity & Authenticity checks; License management
3- Secure Storage: Ability to securely store secrets like data or keys
4- Isolation: Isolation between trusted and non-trusted parts of an application
5- Abnormal Situations Handling: Ability to detect and react to abnormal hardware and software situations
6- Crypto engine: Cryptographic libraries supported by hardware
7- Audit / Log: Keep trace of security events in an unchangeable way
8- Identification / Authentication / Attestation: Unique identification of a device and/or software, and ability to detect its authenticity
9- Silicon Device Lifecycle: Control states to securely protect silicon device assets through its lifetime
10- Software IP Protection: Ability to protect a section or the whole software against illegal access. Can be multi-tenant
11- Secure Manufacturing: Device provisioning or personalization in an untrusted environment with overproduction control
12- Application Lifecycle: Protect application lifecycle states and assets
1. Secure boot

STM32 Firmware / Tool Part Number: Benefit for Security Function [STM32 Series]
• X-CUBE-SBSFU: Example code implementing both a Secure Boot and a Secure Firmware Update mechanism [F4/F7/WB/G0/G4/H7/L0/L4]
• TFM_SBSFU Boot (Part of STM32CubeL5): Example code implementing both a Secure Boot and a Secure Firmware Update mechanism [L5]
• TF-A (Part of OpenSTLinux): First stage secure bootloader configuring the STM32MP platform [MP1]

STM32 Silicon Feature: Benefit for Security Function [STM32 Series]
• RDP (Read Protection): Prevents a debugger from reading the secure boot [F4/F7/WB/G0/G4/H7/L0/L4/L5]
• WRP (Write Protection): Prevents an application from altering the secure boot firmware [F4/F7/WB/G0/G4/H7/L0/L4/L5]
• MPU (Memory Protection Unit): Ensures privileged access to some portion of the application – task isolation [F4/F7/WB/G0/G4/H7/L0/L4/L5]
• MMU (Memory Management Unit): Ensures privileged access to some portion of the application – task isolation [MP1]
• UBE (Unique Boot Entry): Ensures the silicon always boots at the secure boot location [G0/G4/L5]
• HDP (Hide Protect): Temporal isolation ensuring the secure boot is not seen after first execution [H7/G0/G4/L5]
• Secure Boot ROM code: Root of trust for loading the first bootloader on STM32MP [MP1]

STSAFE Feature: Benefit for Security Function
• X509 certificate: Allows firmware attestation
• One-way counter (decrement): Supports version control and anti-rollback using STSAFE-A
• TPM Root of Trust: Ensures STM32 software integrity [MP1]
2. Secure install / update

STM32 Firmware / Tool Part Number: Benefit for Security Function [STM32 Series]
• X-CUBE-SBSFU: Example code implementing both a Secure Boot and a Secure Firmware Update mechanism [F4/F7/WB/G0/G4/H7/L0/L4]
• TFM_SBSFU Boot (Part of STM32CubeL5): Example code implementing both a Secure Boot and a Secure Firmware Update mechanism [L5]
• OP-TEE (Part of OpenSTLinux): Trusted Execution Environment for STM32MP, embedding trusted application installation/update [MP1]

STM32 Silicon Feature: Benefit for Security Function [STM32 Series]
• RDP (Read Protection): Prevents a debugger from reading the secure install/update [F4/F7/WB/G0/G4/H7/L0/L4/L5]
• MPU (Memory Protection Unit): Ensures privileged access to secure install/update [F4/F7/WB/G0/G4/H7/L0/L4/L5]
• MMU (Memory Management Unit): Ensures privileged access to secure install/update [MP1]
• UBE (Unique Boot Entry): Ensures the silicon always boots at the secure install/update location [G0/G4/L5]
• HDP (Hide Protect): Temporal isolation blocking access to the secure install/update code after execution [H7/G0/G4/L5]
• TrustZone: Runtime isolation technology allowing 2 distinct worlds, secure and non-secure [L5/MP1]
• Secure FSBL (First Stage Boot Loader): Secure boot loader, loaded and authenticated by the secure boot ROM code [MP1]

STSAFE Feature: Benefit for Security Function
• X509 certificate: Allows firmware attestation
• One-way counter (decrement): Supports version control and anti-rollback using STSAFE-A
• TPM Root of Trust: Ensures STM32 software integrity
3. Secure storage

STM32 Firmware / Tool Part Number: Benefit for Security Function [STM32 Series]
• X-CUBE-SBSFU: Example code implementing both a Secure Boot and a Secure Firmware Update mechanism. A specific version for STM32L4 includes a Key Management service, i.e. Secure Key Storage [L4]
• TFM (Part of STM32CubeL5): Trusted Execution Environment over Cortex-M, featuring a Secure Storage service [L5]
• OP-TEE (Part of OpenSTLinux): Trusted Execution Environment for STM32MP, featuring a Secure Storage service [MP1]

STM32 Silicon Feature: Benefit for Security Function [STM32 Series]
• TrustZone: A complete set of hardware mechanisms to isolate two main security application domains: one trusted (ensuring the Secure Storage) and one non-trusted [L5/MP1]
• Firewall: Simple isolation in two domains for RAM and flash. Permits isolating the Secure Storage firmware from the application [L0/L4]
• AES Key Storage: Write-only key registers in the AES engine [L5]
• OTFDEC (On The Fly Decryption): Decryption of encrypted content stored on external flash [L5/H7]
• HDP (Hide Protect): Temporal isolation ensuring keys stored there are no longer accessible [H7/G0/G4/L5]

STSAFE Feature: Benefit for Security Function
• Key Storage: Secured storage in the secure element, in STSAFE-A and TPM
• Data packet encryption/decryption: Packets of data can be AES encrypted/decrypted with secret keys using STSAFE-A
4. Isolation

STM32 Firmware / Tool Part Number: Benefit for Security Function [STM32 Series]
• TF-M (Part of STM32CubeL5): Trusted Execution Environment over Cortex-M, adding further software handling for sandboxing application portions [L5]
• OP-TEE (Part of OpenSTLinux): Trusted Execution Environment for STM32MP, adding further software handling for sandboxing application portions [MP1]

STM32 Silicon Feature: Benefit for Security Function [STM32 Series]
• MMU (Memory Management Unit): Ensures privileged access to some portion of the application – task isolation [MP1]
• MPU (Memory Protection Unit): Ensures privileged access to some portion of the application – task isolation [F4/F7/WB/G0/G4/H7/L0/L4/L5]
• HDP (Hide Protect): Temporal isolation ensuring a portion of code is not R/W after first execution [H7/G0/G4/L5]
• TrustZone: Runtime isolation technology allowing 2 distinct worlds, secure and non-secure [L5/MP1]
• Firewall: Simple isolation in two domains for RAM and flash. Isolates a portion of an application from the rest of the code [L0/L4]
• PcRoP (Proprietary code Read out Protection): Ability to set some flash sectors as execute-only, thus preventing other sectors from reading them [F4/L0/L4/H7/G0/G4]
• TZC (Trust Zone Controller): Ability to isolate, in particular, the Cortex-A cores from the Cortex-M one [MP1]

STSAFE Feature: Benefit for Security Function
• Crypto Services: Crypto services isolated from the STM32
5. Abnormal situations handling

STM32 Silicon Feature: Benefit for Security Function [STM32 Series]
• Anti tamper / Active tamper / Backup registers: Protect against a wide range of physical attacks on the HW system outside the MCU. Erases backup register information when a tamper is detected [F4/F7/WB/G0/G4/H7/L0/L4/L5/MP1]
• RTC (Alarm timestamp): Timestamp on tamper events, or internal events [F4/F7/WB/G0/G4/H7/L0/L4/L5/MP1]
• GPIO Locking: Lock of selected GPIO; impossible to unlock until the next reset. Ability to lock communication channels after tamper detection [F4/F7/WB/G0/G4/H7/L0/L4/L5/MP1]
• CSS (Clock Security System): Internal clock available for secured program execution independently from the external source clock [F4/F7/WB/G0/G4/H7/L0/L4/L5/MP1]
• ECC (Error Correction Code): Robust memory integrity. Hardened protection against fault injection attacks thanks to error detection [F4/F7/WB/G0/G4/H7/L0/L4/L5/MP1]
• Temperature Sensor: Checks if the device is operating in the expected temperature range. Hardened protection against temperature attacks [F4/F7/WB/G0/G4/H7/L0/L4/L5/MP1]
• Watchdogs: Independent watchdog and window watchdog for software timing control [F4/F7/WB/G0/G4/H7/L0/L4/L5/MP1]
• PVD (Power Voltage Monitoring): Monitors changes on power [F4/F7/WB/G0/G4/H7/L0/L4/L5/MP1]
6. Crypto engine

STM32 Firmware / Tool Part Number: Benefit for Security Function [STM32 Series]
• X-CUBE-CRYPTOLIB: This ECCN 5D002-classified software is based on the STM32Cube architecture package and includes a set of crypto algorithms based on a firmware implementation (symmetric, asymmetric, hash…) [All, except MP1]
• DPA Resistant Crypto Library* (FIPS-140): DPA resistant version of the cryptographic library. Available on specific part numbers after on-demand adaptation [L4*]
• TF-M (Part of STM32CubeL5): Trusted Execution Environment over Cortex-M, featuring crypto algorithms [L5]

STM32 Silicon Feature: Benefit for Security Function [STM32 Series]
• Symmetric Hardware Crypto Accelerators: Implement a given algorithm in hardware, like AES for instance [F4/F7/WB/G0/G4/H7/L0/L4/L5/MP1]
• HASH: Hash algorithms implemented by hardware, like SHA [F4/F7/WB/G0/G4/H7/L0/L4/L5/MP1]
• PKA (Public Key Accelerator): Asymmetric (public key) algorithms implemented by hardware, for RSA/ECC/DH [WB/L5]
• OTFDEC (On The Fly Decryption): Decryption of an encrypted image on external flash [L5/H7]
• RNG (Random Number Generator): True RNG done entirely by hardware [F4/F7/WB/G0/G4/H7/L0/L4/L5/MP1]

STSAFE Feature: Benefit for Security Function
• ECDH key pair generation and shared secret generation: Assists the device in establishing TLS secure connections
• RNG (Random Number Generator): True certified RNG done entirely by hardware
• Data packet encryption: AES encryption/decryption using hardware secret keys by the STSAFE-A

*: Contact your nearest sales office


7. Audit / log

STM32 Firmware / Tool Part Number: Benefit for Security Function [STM32 Series]
• TF-M (Part of STM32CubeL5): Trusted Execution Environment over Cortex-M, featuring Audit/Log [L5]
• The customer can implement his own software to handle this Security Function [All]

STM32 Silicon Feature: Benefit for Security Function [STM32 Series]
• GTZC (Global TrustZone Controller): Illegal access tracking and internal log/action [L5]
8. Identification / authentication / attestation

STM32 Firmware / Tool Part Number: Benefit for Security Function [STM32 Series]
• TF-M (Part of STM32CubeL5): Trusted Execution Environment over Cortex-M, featuring Attestation [L5]

STSAFE Service: Benefit for Security Function
• STSAFE-A pre-personalization (MOQ 5K): Pre-loading of the customer secret in STSAFE-A at the ST secure manufacturing site

STM32 Silicon Feature: Benefit for Security Function [STM32 Series]
• Device 96-bit Unique ID: Enables product traceability. Can be used for security key diversification [F4/F7/WB/G0/G4/H7/L0/L4/L5/MP1]
• Certificate (unique per chip): Enables authentication of a genuine STM32 [H7/WB/L5/MP1]
• SSP (Secure Secret Provisioning): Secure provisioning of OTP secret values [MP1]

STSAFE Feature: Benefit for Security Function
• Device 7-Byte Unique ID: Enables product traceability
• ECDSA signature/verification based authentication: Allows device identity verification
• X509 certificate: Allows attesting device access rights
9. Silicon device lifecycle

STM32 Firmware / Tool Part Number: Benefit for Security Function [STM32 Series]
• STM32CubeProgrammer: Software tool able to control the RDP cycle [All]

STM32 Silicon Feature: Benefit for Security Function [STM32 Series]
• BSEC & BootRom: Device life cycle managed through OTP and BSEC [MP1]
• RDP (Read Protection): Ability to gradually choose the accessible/modifiable features (like the ability to debug, or to access Flash content) depending on the RDP level [F4/F7/WB/G0/G4/H7/L0/L4/L5]
• WRP (Write Protection): A flash sector is no longer writeable once it is write protected and RDP2 is set [F4/F7/WB/G0/G4/H7/L0/L4/L5]
• HDP (Hide Protect): Temporal isolation [H7/G0/G4/L5]
• PcRoP (Proprietary code Read out Protection): Ability to set some flash sectors as execute-only [F4/L0/L4/H7/G0/G4]
10. Software IP protection

STM32 Firmware / Tool Part Number: Benefit for Security Function [STM32 Series]
• TF-M (Part of STM32CubeL5): Trusted Execution Environment over Cortex-M, adding further software handling for sandboxing application portions [L5]
• OP-TEE (Part of OpenSTLinux): Trusted Execution Environment for STM32MP, adding further software handling for sandboxing application portions [MP1]

STM32 Silicon Feature: Benefit for Security Function [STM32 Series]
• RDP (Read Protection): Prevents the reading of software stored in flash [F4/F7/WB/G0/G4/H7/L0/L4/L5]
• TrustZone: A complete set of hardware mechanisms to isolate two main security application domains: one trusted and one non-trusted. A software IP can be put in the trusted area, becoming non-accessible from the non-trusted one [L5/MP1]
• Firewall: Simple isolation in two domains for RAM and flash. Permits protecting a software IP [L0/L4]
• PcRoP (Proprietary code Read out Protection): Ability to set some flash sectors as execute-only [F4/L0/L4/H7/G0/G4]
• MMU (Memory Management Unit): Ensures privileged access to some portion of the application – task isolation [MP1]
• MPU (Memory Protection Unit): Ensures privileged access to some portion of the application – task isolation [F4/F7/WB/G0/G4/H7/L0/L4/L5]
11. Secure manufacturing

STM32 Firmware / Tool Part Number: Benefit for Security Function [STM32 Series]
• STM32HSM-V1 and V2: Hardware security module (HSM) used to secure the programming of STM32 products, and to avoid product counterfeiting at contract manufacturers' premises [STM32 series with SFI or SSP]
• STM32CubeProgrammer: Software tool able to program an HSM with the encryption key and the counter of permitted programming occurrences [NA]
• FastROM Programming Services: Pre-loading of the customer software in the STM32, done by ST manufacturing [All, except MP1]

STM32 Silicon Feature: Benefit for Security Function [STM32 Series]
• RSS with SFI (Root Security Services with Secure Firmware Install): Built-in service callable at reset, ensuring installation of an OEM firmware and option bytes with authenticity, integrity and confidentiality, assurance of programming a genuine STM32, and possibly a limited overall quantity of programmed STM32 [H7/L4/L5]
• Secure Boot with SSP (Secure Secret Provisioning): Built-in service callable at reset, ensuring secure provisioning of OEM credentials. Controllability of the overall quantity of STM32MP1 provisioned [MP1]

STSAFE Service: Benefit for Security Function
• STSAFE-A pre-personalization (MOQ 5K): Pre-loading of the customer secret in STSAFE-A at the ST secure manufacturing site

*: Special part numbers on demand. Contact your nearest sales office


12. Application lifecycle

STM32 Firmware / Tool Part Number: Benefit for Security Function [STM32 Series]
• TF-M (Part of STM32CubeL5): Trusted Execution Environment over Cortex-M, featuring a Secure Storage service. The Application LifeCycle state can be stored within such a mechanism [L5]
• The customer can implement his own software to handle this Security Function [All]

STM32 Silicon Feature: Benefit for Security Function [STM32 Series]
• OTP (One Time Programmable) Memory: OTP zones where application credentials or the life cycle state can be stored [F4/F7/WB/G0/G4/H7/L0/L4/L5/MP1]
Focus on secure firmware installation & secure boot

Focus: embedded secure firmware install - SFI
Manage STM32 authentication, firmware decryption and installation

SFI approach (ST ecosystem with encryption, HSM and programming tools; SFI embedded services provisioned by ST ➔ Mass Market):

Customer premises:
• The FW is encrypted with the Trusted Package Creator (Encrypted FW)
• The encryption key is stored in the ST Hardware Secure Module (HSM)
• Physical transfer of the Encrypted FW and of the HSM to the 3rd party premises

3rd party premises (untrusted environment):
• The HSM authenticates the target STM32 and generates the installation license
• Encrypted FW transfer to the STM32

Secure Loader (STM32): SFI embedded services decrypt and install the firmware

SMI (protects 3rd party Software IP; firmware cloning protection on the first installation):
• The Module is encrypted with the Trusted Package Creator (Encrypted Module); the encryption key is stored in the ST Hardware Secure Module (HSM)
• Physical transfer of the Encrypted Module and of the HSM to the 3rd party premises
• The HSM authenticates the target STM32 and generates the installation license
• Encrypted Module transfer via UART / SPI / USB
Focus: secure boot & secure FW update - SBSFU

Reference library source code for In-Application Programming

Demonstrates SW modules for:
• Secure Boot
• Secure Engine for crypto and keys
• Firmware Update image management

Ensures authentication and secure programming of in-the-field products

Reference implementation of the STM32 hardware memory protections
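The decision sequence a secure boot such as SBSFU performs before jumping to an application image, as an added illustrative model (not X-CUBE-SBSFU or STSAFE code): an integrity check of the image, then anti-rollback enforced through a decrement-only counter of the kind the STSAFE one-way counter rows describe. The header layout, the initial counter value and the FNV-1a digest standing in for the real signature check are assumptions of this example.

```c
/* Illustrative model of a secure boot decision with anti-rollback.
 * Not ST code: header layout, counter start value and the FNV-1a digest
 * (a stand-in for the real signature/hash check) are assumptions. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define COUNTER_START 1000u   /* assumed starting value of the one-way counter */

/* Model of a one-way counter: it can only move down, never up or back to start. */
typedef struct { uint32_t value; } one_way_counter_t;

static bool counter_decrement(one_way_counter_t *c, uint32_t n) {
    if (n == 0 || n > c->value) return false;   /* no-op and underflow refused */
    c->value -= n;
    return true;
}

/* The lowest firmware version still allowed to boot is derived from how far
 * the counter has been burned down, so the floor can only ever rise. */
static uint32_t version_floor(const one_way_counter_t *c) {
    return COUNTER_START - c->value;
}

/* Constructed image header. A real SBSFU header carries a signature; here a
 * 64-bit FNV-1a digest over (version, size, payload) stands in for it. */
typedef struct {
    uint32_t version;
    uint32_t size;
    uint64_t digest;
} fw_header_t;

static uint64_t fnv1a(const uint8_t *p, size_t n, uint64_t h) {
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 0x100000001b3ULL; }
    return h;
}

static uint64_t image_digest(const fw_header_t *h, const uint8_t *payload) {
    uint64_t d = 0xcbf29ce484222325ULL;
    d = fnv1a((const uint8_t *)&h->version, sizeof h->version, d);
    d = fnv1a((const uint8_t *)&h->size, sizeof h->size, d);
    return fnv1a(payload, h->size, d);
}

static fw_header_t make_image(uint32_t version, const uint8_t *payload, uint32_t size) {
    fw_header_t h = { version, size, 0 };
    h.digest = image_digest(&h, payload);
    return h;
}

typedef enum { BOOT_OK, BOOT_BAD_INTEGRITY, BOOT_ROLLBACK } boot_result_t;

/* Integrity first, then anti-rollback. Accepting a newer version burns the
 * counter, so every older image is refused from then on, even if intact.
 * An exhausted counter simply leaves the floor where it is. */
static boot_result_t secure_boot_check(one_way_counter_t *c, const fw_header_t *h,
                                       const uint8_t *payload) {
    if (image_digest(h, payload) != h->digest) return BOOT_BAD_INTEGRITY;
    uint32_t floor = version_floor(c);
    if (h->version < floor) return BOOT_ROLLBACK;
    if (h->version > floor) (void)counter_decrement(c, h->version - floor);
    return BOOT_OK;
}

/* Scenario on constructed images: v2 accepted, then v1 (rollback) and a
 * tampered v3 refused. Returns the number of expectations that held (5). */
static int demo_scenario(void) {
    one_way_counter_t ctr = { COUNTER_START };
    const uint8_t payload[] = "constructed application payload";
    int ok = 0;
    fw_header_t v2 = make_image(2, payload, sizeof payload);
    fw_header_t v1 = make_image(1, payload, sizeof payload);
    fw_header_t v3 = make_image(3, payload, sizeof payload);
    v3.digest ^= 1;                                   /* simulate a corrupted image */
    ok += secure_boot_check(&ctr, &v2, payload) == BOOT_OK;
    ok += version_floor(&ctr) == 2;
    ok += secure_boot_check(&ctr, &v1, payload) == BOOT_ROLLBACK;
    ok += secure_boot_check(&ctr, &v3, payload) == BOOT_BAD_INTEGRITY;
    ok += !counter_decrement(&ctr, 0) && ctr.value == COUNTER_START - 2;
    return ok;
}

int main(void) {
    printf("%d of 5 secure boot expectations held\n", demo_scenario());
    return 0;
}
```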
Security functions by product

Columns: STM32F4/F7/L1/WB/G0/G4/H7/L0/L4 (Silicon, Firmware) | STM32MP1 (Silicon, Firmware) | STM32L5 with TrustZone (Silicon, Firmware) | + STSAFE-A/TPM (Silicon)

• Secure Boot: √, SBSFU | √, TF-A | √, TFM_SBSFU | √
• Secure Install/Update: √ (WB), SBSFU | √, OPTEE | √, TFM_SBSFU | √
• Secure Storage: (L0/L4/H7/G0/G4), SBSFU KMS (L4) | √, OPTEE | √, TF-M SPE | √
• Isolation: √ | √, OPTEE | √, TFM | √
• Abnormal situations handling: √ | √ | √ |
• Crypto Engine: √, Crypto Libraries | √, OPTEE / Crypto Libraries | √, TF-M | √
• Audit/Log: | | √, TF-M |
• ID/Auth/Attestation: √ | √ | √, TF-M Attestation | √
• Silicon Device LifeCycle: √ | √ | √ |
• Software IP Protection: √ | √, OPTEE | √, TF-M |
• Secure Manufacturing: SFI (H7/L4) with STM32HSM | SSP with STM32HSM | SFI with STM32HSM | √
• Application LifeCycle: √ | √ | √ | √

Legend: firmware to be developed by the user / reference firmware proposed by ST
Takeaways

STM32Trust security ecosystem: the one-stop-shop solution to implement security
• First solution on the market certified PSA Level 2
• First solution on the market certified SESIP Level 3

12 core security functions to address customer security needs, implemented on STM32 and STSAFE: Isolation, Secure Boot, Secure Storage, Crypto Engine, Identification/Authentication, Secure Manufacturing, and more

Strong certification:
• STM32L5+TFM: PSA Level 2
• STM32L4+SBSFU: SESIP Level 3
• STSAFE: EAL5+

PSA = Platform Security Architecture, by ARM
SESIP = Security Evaluation Standard for IoT Platforms, by Global Platform
Thank you

Latest information available at www.st.com/stm32trust

© STMicroelectronics - All rights reserved.


ST logo is a trademark or a registered trademark of STMicroelectronics International NV or its affiliates in the EU and/or other countries.
For additional information about ST trademarks, please refer to www.st.com/trademarks.
All other product or service names are the property of their respective owners.
