Getting started with STM32U0 security

This message will disappear after all relevant tasks have been resolved.

Semantic MediaWiki

There are 1 incomplete or pending task to finish installation of Semantic MediaWiki. An administrator or user with sufficient rights can complete it. This should be done before adding new data to avoid inconsistencies.

A set of practical examples and tips intended to provide an overview and to help understand the STM32U0 security solution. These examples are based on the boards, tools, and code provided by ST.
In the guides listed below, each step to follow is described in detail.
It is advised to get familiar with the available tools by using these examples before making your own steps with the STM32Cube_FW_U0.

Product Series	STM32U03x	STM32U08x
Board	NUCLEO-U031R8	NUCLEO-U083RC
OEMiRoT	N/A	Link to How To
OEMiSB	Link to How To	no dedicated example, but applicable

The STM32U0 small memory footprint is not suited for extensive secure environments. Instead, the focus is on the secure boot and simple, but hardened protection of assets. The platform security certifications are targeting SESIP3, which is a stand-out feature for such a small product.
Password protected regression is another differentiating feature of the STM32U0 series.

1 RDP regression

The important feature of the STM32U0 is the ability to lock regression from RDP1 to RDP0 using password and allow password-protected regression from RDP2 to RDP1.
Further reading:

Main RDP regression article: Using RDP regression on the STM32U0

2 OEMSB - Secure Boot

The secure boot example is a compact code showcasing the utilization of the boot lock feature and subsequent protections. The example is based on the STM32CubeMX.
The goal of the Secure Boot is to protect the application code and prevent execution of any other code on the device.

The Secure Boot for STM32U0 is an introduction article for theoretical background.
The How to start with Secure Boot for STM32U0 article is a step-by-step guide to practically get the example working.

3 OEMiRoT - Root of Trust

The customized Immutable Root of Trust (OEMiRoT) is more complex than the secure boot, as it features a loader capable of updating the application code. The loader is very basic, but can be secured with additional effort and code size expense.
It is advised to first try the general OEMiRoT wiki article to understand the term Root of Trust.

The OEMiRoT STM32U0 Introduction wiki article gives a short technical introduction to be read before executing the getting started.
The How to start with OEMiRoT on STM32U0 wiki article is a step-by-step guide to practically get the example working.