Secure Storage for STM32H5

Target description

1. Introduction

A critical security feature is a dedicated memory location where secret data such as keys can be stored in a very safe way.
The STM32H5 provides up to five secure storage fuflilling this requirement, called OB Keys storages.
Every secure storage is temporaly isolated through the HDPL level.

The figure below shows the five OB Keys secure storages, one for every HDPL level (HDPL0, HDPL1, HDPL2 , HDPL3 Secure and HDPL3 Non-Secure).

2. The secure storage areas for STM32H5 (OB key area)

The secure storage areas are also called Option-Byte Key (OBKeys) areas or Secure Key Storage areas.
As mentioned in the introduction, the STM32H5 provides five secure storage areas that can be used to store key but also any sensitive or secret data.
Any of these areas is related to a specific temporal isolation level HDPL. This will be explained in the next chapter.
It can be chosen if the stored data are encrypted or not.
Note:The stored data can be encrypted only for the STM32H57x.

The five areas are described in the table below.

Notes:

• A full regression will erase all the secure storages areas except the HDPL0 secure storage that is never erased. This secure storage is an ST reserved domain.
• A partial regression (NS-Regression) will erase only the HDPL3 Non-Secure storage.
• In case of a Tamper detection the DHUKs are not usable anymore until the next reset. So if the contents of the secure storages are encrypted these contents will not be accessible anymore. But the contents of the secure storages are not erased through a Tamper event. The wanted actions related to the Tamper event needs to be done through the interrupt handler.

3. Temporal isolation

Reminder: the different boot stages of the STM32H5 are protected through temporal isolation.
see: Secure_Boot_for_STM32H5
The firmware execute in HDPL[N] has no access to a firmware that has been execute in HDPL[N-1] and earlier (HDPL[N-x]).

For the secure storage it's a similar principle, the firmware currently executed in a specific HDPL[N] has no possibility to access to the secure storage HDPL[N-x].
On the other hand this FW can access to the secure storage HDPL[N] and also to any secure storage HDPL[N+x].

The SBS (System configuration, Boot and Security) embedded in the device controls the secure storage access.
The OBK-HDPL (that can be equal or higher than HDPL of the current executed firmware) selects the secure storage area (see figure in next chapter)

4. Secure storage protection

The protection of the secure storages is insured through the access control of the flash interface.
The access is controled through:

• RHUK: Root Hardware Unique Key. It is a 256-bit non-volatile key, unique per STM32H5 device and never visible from any software.
• DHUK: Derived Harware Unique Key. It is a 256-bit key different for every secure storage (HDPL0, HDPL1....) generated from the RHUK.
• EPOCH: Monotonic counter increased at each regression. To protect from an installation of an older firmware version (anti-replay).
• HDPL: Temporal Isolation Level explained in previous chapter.

The SAES is the cryptographic hardware embedded in the STM32H5 that is side channel attack resistant.
The SAES embeds a key generator that is using the RHUK to generate the different DHUKs.
The SAES and related functionalities (e.g. DHUKs generation) are available only for the STM32H573.

The figure below shows the access control. The DHUK is based on the RHUK, the HDPL (of the current execute firmware) and the

5. xxx

The hhhh Hardware Unique Key (HUK): to get a secure storage resistant to logical, side and physical attack. 5 secure storage domains; 4 HDPL Secure + 1 NS; Incl. Flash Secure Storage H5 Native support of key storage inside FLASH interface (enabling constraint debug feature)

5 secure storage areas • HDPL0 ➔ST (never erased) • HDPL1 ➔iROT (ST-iROT or OEM-iROT) • HDPL2 ➔uROT • HDPL3 + Secure ➔Trust Zone • HDPL3 + NS ➔Non secure appli

• Data can be Wrapped with DHUK • Based on HUK + Version counter • Different for each HDPLx