Secure Manager for STM32H5

Revision as of 15:32, 29 June 2023 by Registered User

1. Introduction


STM32H5 MCUs are equipped with numerous new security features, such as product life cycle, isolation, debug authentication, secure storage, and secure boot. Solid security skills are required to use these blocks.

STMicroelectronics offers a full solution, owned and maintained by STMicroelectronics, which is SESIP 3 and PSA certified.

PSA certification is the highest level of security certification for general purpose MCUs.


2. Secure manager overview

Secure manager is a TEE (Trusted Execution Environment) integrating core security services.


[Figure: Secure Manager global presentation]

2.1. Secure manager

The blue elements in the above image correspond to the secure manager. Secure manager is composed of one software brick, which is a binary encrypted and signed by STMicroelectronics. It is delivered by STMicroelectronics and the user does not have access to the code. Secure manager and ST iROT are available only on STM32H573 devices.

In the above image, the blue and green elements are delivered by STMicroelectronics. The yellow elements correspond to the user application. The user can call some security services, which are standards defined by Arm PSA.

  • ST iROT is the first stage bootloader. It is installed inside your device at purchase.
  • ST uROT is the second stage bootloader. The second stage bootloader can be updated.
  • Secure manager core is a secure OS, which handles the platform security services.
  • The PSA API accesses the following services:
    • Firmware update, which allows the firmware to be updated in a secure way.
    • The secure storage, to securely store data.
    • Cryptography, to encrypt or decrypt an element to check.
    • Attestation, which is defined for the IoT. It provides an identifier for the full picture of your device.


2.2. Additional modules

To add some security services, a third-party or a customer can define them and develop a secure module. Security services are highlighted in green in the above image.
This ensures confidentiality when delivering a software API. Encrypted and signed at delivery, it is installed securely.
Access to the API is ensured, while preventing access to the software.


2.3. User application

Security is handled by the secure manager, which is transparent for the user.
Secure manager is installed in the internal flash. A portion of RAM is locked by the secure manager, too.
For these reasons, when users develop their own application, the only constraint is the size of the flash memory that is available.


2.4. Certification

Secure manager and hardware are certified SESIP level 3 and PSA level 3.

Platform certification requires application and secure modules certification. Secure manager handles the isolation between the different services.

This level of certification is required to ensure that one secure service cannot access the resources of the other secure services. It is PSA API compatible, meaning that this API has not been defined by ST; it is a standard defined by Arm.

It is designed for long-term support. In case of weakness detection, STMicroelectronics delivers a new secure manager, as it can be updated using the different stage bootloaders.

It is optimized for certification. Just focus on the application certification.


2.5. Booting mechanism

The secure storage is used to store the keys that are used during the boot time to authenticate each brick of software before launch.

After the provisioning and during the installation of the secure manager, we also provision those keys in this secure storage.

First step booting

  1. At reset, execution starts in the ST iROT, which authenticates the second stage bootloader with the keys in the secure storage.
  2. Once this authentication is done, we are sure that the second stage bootloader is authentic and has not been modified by a hacker or anything else. We then jump to it, thanks to the temporal isolation.
  3. With temporal isolation, a portion of code can no longer be seen by the system. The associated keys have the same isolation level. Once we jump to another level, we remove access to the previous one and also to the associated keys.



Second step booting

  1. The second stage bootloader authenticates the secure manager. This ensures that the secure manager is authentic and has not been modified by a malicious action, such as hacking.
  2. The second stage bootloader authenticates the different modules. The keys need to be authenticated every time, as the key owners are different.
  3. The second stage bootloader authenticates the application to ensure that its integrity is guaranteed. When this step is successfully completed, the second stage bootloader jumps to the secure manager.

Third step booting

  1. The secure manager initializes the core, then jumps to the application.
  2. After these steps, we are in regular execution.
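The three boot steps above, modelled on a host as an added example (this is not ST code and not the secure manager's implementation). All names are hypothetical, the image contents and keys are constructed, and toy_tag is only a stand-in for real signature verification.

```c
#include <stddef.h>
#include <stdint.h>

enum level { IROT, UROT, SECURE_MANAGER, APPLICATION };
struct key   { enum level owner; uint32_t secret; };
struct image { uint8_t data[8]; uint32_t tag; struct key key; };
static enum level current_level = IROT;   /* only moves forward until reset */

/* Toy keyed FNV-1a tag: a stand-in for signature verification, not secure. */
static uint32_t toy_tag(uint32_t secret, const uint8_t *d, size_t n) {
    uint32_t h = 2166136261u ^ secret;
    for (size_t i = 0; i < n; i++) h = (h ^ d[i]) * 16777619u;
    return h;
}

/* Temporal isolation: a key is unreadable once execution has left its level. */
int key_read(const struct key *k, uint32_t *out) {
    if (current_level > k->owner) return -1;
    *out = k->secret; return 0;
}

static int authenticate(const struct image *img) {
    uint32_t s;
    if (key_read(&img->key, &s) != 0) return -1;
    return toy_tag(s, img->data, sizeof img->data) == img->tag ? 0 : -1;
}

/* img[0]=uROT, img[1]=secure manager, img[2]=module, img[3]=application */
enum level boot(const struct image img[4]) {
    current_level = IROT;                          /* reset */
    if (authenticate(&img[0]) != 0) return current_level;
    current_level = UROT;                          /* step 1: iROT and its key hidden */
    for (int i = 1; i < 4; i++)                    /* each image has its own key owner */
        if (authenticate(&img[i]) != 0) return current_level;
    current_level = SECURE_MANAGER;                /* step 2: uROT keys hidden */
    current_level = APPLICATION;                   /* step 3: core initialised */
    return current_level;
}

/* Constructed chain; tamper >= 0 flips one bit of img[tamper] after tagging. */
enum level demo(int tamper) {
    struct image img[4] = {
        { "uROT",   0, { IROT, 0x11111111u } }, { "SecMgr", 0, { UROT, 0x22222222u } },
        { "Module", 0, { UROT, 0x33333333u } }, { "App",    0, { UROT, 0x44444444u } } };
    for (int i = 0; i < 4; i++)
        img[i].tag = toy_tag(img[i].key.secret, img[i].data, sizeof img[i].data);
    if (tamper >= 0) img[tamper].data[0] ^= 0x01;
    return boot(img);
}
int main(void) { return demo(-1) == APPLICATION ? 0 : 1; }
```

The level returned by boot shows where the chain stopped: a modified module or application leaves execution in the second stage bootloader, and after a successful boot the iROT key can no longer be read.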

The application could call some secure API. For example, calling an API to trusted storage in order to store some data.

The secure manager uses the MPU to isolate the services that are executed. During the execution of the secure storage, it cannot access other resources. Secure manager jumps to the trusted storage, executes this API, and then goes back to the application. This is transparent for the user.


3. Links

For more details about the secure manager, refer to the article secure manager.

Secure Manager STM32H5 How to Intro introduces the following How to start article:

How to start with secure manager on H573, describing how to experiment, install, and try secure manager.