Secure Storage for STM32H5

Revision as of 11:14, 1 August 2023 by Registered User

Target description

1. Introduction

A critical security feature is a dedicated memory location where secret data such as keys can be stored in a very safe way.
The STM32H5 provides up to five secure storage areas fulfilling this requirement, called OB Keys storages.
Every secure storage is temporally isolated through the HDPL level.

The figure below shows the five OB Keys secure storages, one for every HDPL level (HDPL0, HDPL1, HDPL2, HDPL3 Secure and HDPL3 Non-Secure).


Figure 1 STM32H5 OB Keys Secure Storage

2. The secure storage areas for STM32H5 (OB key area)

The secure storage areas are also called Option-Byte Key (OBKeys) areas or Secure Key Storage areas.
As mentioned in the introduction, the STM32H5 provides up to five secure storage areas that can be used to store keys, but also any other sensitive or secret data.
Each of these areas is tied to a specific temporal isolation level (HDPL). This is explained in the next chapter.

The five areas are described in the table below.

| Temporal Isolation Level | Storage size (Bytes) | Usage | Regression |
|---|---|---|---|
| HDPL0 | 255 | Reserved for ST, HDPL0 keys | Never erased |
| HDPL1 | 2047 | iRoT keys | Erased through regression |
| HDPL2 | 767 | uRoT, OS or Secure Application | Erased through regression |
| HDPL3S | 3071 | Secure Application keys | Erased through regression |
| HDPL3NS | 2031 | Non-Secure Application keys | Erased through NS-Regression |


3. Temporal isolation

An option-byte key can be accessed only if the OBK-HDPL (set in SBS) matches the HDPL associated with the storage offset (as indicated below; refer to Section 14.3.7: SBS hardware secure storage control). If this is not the case, an OBKERR error is raised.
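The access rule above and the table in section 2, as a host-side C model for checking a key-provisioning plan before it goes onto a device. This is an added example, not ST code or the STM32 HAL: all identifiers are this example's own, the five table rows are treated as five distinct selectable levels, and items are assumed to pack into an area with no per-entry overhead.

```c
#include <stddef.h>

/* The five rows of the table above; all identifiers are this example's own. */
typedef enum { HDPL0, HDPL1, HDPL2, HDPL3S, HDPL3NS, OBK_AREAS } obk_area_t;
typedef enum { OBK_OK, OBK_ERR_LEVEL, OBK_ERR_RESERVED, OBK_ERR_FULL } obk_status_t;
typedef enum { ERASE_NEVER, ERASE_REGRESSION, ERASE_NS_REGRESSION } obk_erase_t;

/* Storage size in bytes and erase behaviour, copied from the table. */
static const size_t obk_size[OBK_AREAS] = { 255, 2047, 767, 3071, 2031 };
static const obk_erase_t obk_erase[OBK_AREAS] = { ERASE_NEVER, ERASE_REGRESSION,
    ERASE_REGRESSION, ERASE_REGRESSION, ERASE_NS_REGRESSION };

typedef struct {
    obk_area_t area;      /* area the plan stores the secret in */
    obk_area_t selected;  /* level selected when the accessing code runs */
    size_t     len;       /* payload size in bytes */
} obk_item_t;

/* Constructed sample plan: two items that fit, one accessed from the wrong level. */
const obk_item_t sample_plan[] = {
    { HDPL1,  HDPL1,  64 },   /* iRoT key, accessed while HDPL1 is selected */
    { HDPL3S, HDPL3S, 32 },   /* secure application key */
    { HDPL1,  HDPL2,  32 },   /* uRoT-stage code reaching into the iRoT area */
};

/* Check one planned item and, if accepted, book its space in used[]. */
obk_status_t obk_place(size_t used[OBK_AREAS], const obk_item_t *it)
{
    if (it->selected != it->area)
        return OBK_ERR_LEVEL;     /* mismatch: the hardware raises OBKERR */
    if (it->area == HDPL0)
        return OBK_ERR_RESERVED;  /* HDPL0 is reserved for ST */
    if (it->len > obk_size[it->area] - used[it->area])
        return OBK_ERR_FULL;      /* would exceed the area's storage size */
    used[it->area] += it->len;
    return OBK_OK;
}

/* Bytes of booked data in the areas the table marks for a given erase event. */
size_t obk_bytes_lost(const size_t used[OBK_AREAS], obk_erase_t event)
{
    size_t total = 0;
    for (int a = 0; a < OBK_AREAS; a++)
        if (obk_erase[a] == event)
            total += used[a];
    return total;
}
```

Start with a zeroed `used` array and call `obk_place` once per planned item; `obk_bytes_lost` then reports how much of the plan has to be re-provisioned after a regression or an NS-regression.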

3.1. ==========

The Hardware Unique Key (HUK): to get a secure storage resistant to logical, side-channel and physical attacks.
• 5 secure storage domains: 4 HDPL Secure + 1 NS
• Incl. Flash Secure Storage
• H5 native support of key storage inside the FLASH interface (enabling constraint debug feature)

5 secure storage areas:
• HDPL0 ➔ ST (never erased)
• HDPL1 ➔ iROT (ST-iROT or OEM-iROT)
• HDPL2 ➔ uROT
• HDPL3 + Secure ➔ TrustZone
• HDPL3 + NS ➔ Non-secure application

• Data can be wrapped with DHUK
• Based on HUK + version counter
• Different for each HDPLx