Coming soon |
1. What is SFIX
OEM product can embed external Flash additionally to STM32 internal Flash.
The SFIX solution provides security when programming STM32 devices and external Flash in a non-trusted facility owned by a Contract Manufacturer (CM).
The SFIX solution is the same solution than the SFI solution, it also allows the external Flash programming.
2. External flash memory programming principle
The OEM external flash content must be encrypted to ensure the OEM data confidentiality.
External flash crypto is handled by the OTFDEC peripheral. This peripheral can encrypt and decrypt on-the-fly external firmware and data stored in external flash memory connected to STM32 microcontrollers through the OCTOSPI interface. The OTFDEC can handle up to 4 regions of external flash memory, each one with its own dedicated Key. The OTFDEC uses standard AES CTR 128-bit algorithm for encryption and decryption operations. Refer to the OTFDEC section of the STM32 microcontroller reference manual to get more insight.
The STM32 receives encrypted external firmware and data, decrypts them with the SFI OEM key, and re-encrypts them with an external flash memory AES key common to all devices to be programmed or with a unique external flash memory AES key per device.
Modify the following picture by adding external flash
NOTE: The SFIX cannot handle internal flash memory in a first sequence and external in a separate independent one: when SFIX handles external firmware, it must first handle internal firmware that in turn enable the decryption at runtime of the external firmware.
The internal flash firmware must enable the read/fetch of data/code within the external flash memory, using the OTFDEC and the OCTOSPI peripherals.
3. External flash memory encryption with global key
Modify the following picture by adding external flash and key coming from user
4. External flash memory encryption with chip unique key
5. References