Secure Manager for STM32H5

Revision as of 17:01, 28 June 2023 by Registered User

1. Introduction

STM32H5 MCUs are provided with numerous new security features, such as product lifecycle, isolation, debug authentication, secure storage, and secure boot.

With good security skills, all these blocks can be used. However, a full solution owned and maintained by STMicroelectronics is also available. This solution is SESIP 3 and PSA certified.

PSA certification is the highest level of security certification for general purpose MCUs.


2. Secure Manager overview

Secure Manager is a Trusted Execution Environment (TEE) integrating core security services.


[Figure: Secure Manager global presentation]

2.1. Secure Manager

The blue elements in the above image correspond to Secure Manager. Secure Manager is composed of one software brick, which is a binary encrypted and signed by STMicroelectronics. It is delivered by STMicroelectronics and the user does not have access to the code. Secure Manager and ST iROT are only available on STM32H573 devices.

In the above image, blue and green elements are delivered by STMicroelectronics. The yellow elements correspond to the user application. The user application can call security services through the PSA API, a standard defined by ARM.

  • ST iROT is the first stage bootloader. It is installed inside your device at purchase.
  • ST uROT is the second stage bootloader. The second stage bootloader can be updated.
  • Secure Manager Core is a secure OS which handles the platform security services.
  • The PSA API accesses the following services:
    • Firmware update, to update the firmware in a secure way.
    • Secure storage, to securely store data.
    • Cryptography, to encrypt, decrypt, or check an element.
    • Attestation, which is defined for the IoT. It provides an identifier for the full picture of your device.


2.2. Additional modules

To add security services, a third party or a customer can define them and develop a secure module. These security services are highlighted in green in the above image.
This ensures confidentiality when delivering a software API. The secure module is encrypted and signed at delivery, and is installed securely.
Access to the API is ensured, while access to the software itself is prevented.


2.3. User application

Security is handled by the Secure Manager and is transparent for the user.
Secure Manager is installed in the internal flash. A portion of RAM is also locked by the Secure Manager.
For these reasons, when users develop their own application, the only constraint is the size of the flash that is available.


2.4. Certification

Secure Manager and hardware are certified SESIP level 3 and PSA level 3.

Platform certification requires application and secure module(s) certification. Secure Manager handles the isolation between the different services.

This level of certification is required to ensure that one secure service cannot access the resources of the other secure services. Secure Manager is PSA API compatible: this API has not been defined by ST, it is a standard defined by ARM.

It is designed for long term support. If a weakness is detected, STMicroelectronics delivers a new Secure Manager, as it can be updated using the different stage bootloaders.

It is optimized for certification: the user only has to focus on the application certification.


2.5. Booting mechanism

The secure storage holds the keys that are used at boot time to authenticate each brick of software before it is launched.

These keys are provisioned in the secure storage after the provisioning and during the installation of the Secure Manager.

  • First step booting

At reset, execution starts in the ST iROT, which authenticates the second stage bootloader with the keys in the secure storage.

Once this authentication is done, we are sure that the second stage bootloader is authentic and has not been modified by a hacker or by anything else, and we jump to it thanks to the temporal isolation.

Temporal isolation ensures that a portion of code can no longer be seen by the system. The associated keys have the same isolation level. Once we jump to another level, we remove access to the previous one and also to the associated keys.

  • Second step booting

The second stage bootloader authenticates the Secure Manager to ensure that it is authentic and has not been modified by a hacker or by anything else. Then it authenticates the different modules, each time with different keys because the key owners are different. Then it authenticates the application to guarantee its integrity. If everything is OK, it jumps to the Secure Manager.

  • Third step booting

The Secure Manager initializes the core by itself, and then jumps to the application. After that, we are in “normal execution”:

The application can call secure APIs, for example an API of the trusted storage in order to store some data.

The Secure Manager uses the MPU to isolate the services that are executed: during its execution, the secure storage cannot access the resources of another service. The Secure Manager jumps to the trusted storage, executes this API, and then goes back to the application. All this is transparent for the user.
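
The authenticate-then-jump sequence and the temporal isolation described above, modelled as an added host-side C example (not ST code). The isolation levels, key values, image strings and `toy_tag` (a non-cryptographic stand-in for the real signature verification) are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
/* Toy keyed tag (FNV-1a seeded with the key): a stand-in for the real
 * signature check, NOT cryptographically secure. */
uint32_t toy_tag(uint32_t key, const char *img) {
    uint32_t h = 2166136261u ^ key;
    for (; *img; ++img) h = (h ^ (uint8_t)*img) * 16777619u;
    return h;
}

enum { LVL_IROT, LVL_UROT, LVL_RUNTIME };   /* hypothetical isolation levels */
int current_level = LVL_IROT;
/* Constructed secure-storage content: each key carries the level of its stage. */
struct key_slot { int level; uint32_t key; };
const struct key_slot store[] = {
    { LVL_IROT, 0x11111111u },   /* 0: authenticates the second stage bootloader */
    { LVL_UROT, 0x22222222u },   /* 1: Secure Manager */
    { LVL_UROT, 0x33333333u },   /* 2: module, different owner */
    { LVL_UROT, 0x44444444u },   /* 3: application, different owner */
};

/* Temporal isolation: keys of a level already left are no longer readable. */
int read_key(size_t slot, uint32_t *out) {
    if (store[slot].level < current_level) return -1;
    *out = store[slot].key;
    return 0;
}

struct image { size_t slot; const char *data; uint32_t tag; };
int authenticate(const struct image *im) {
    uint32_t k;
    return read_key(im->slot, &k) == 0 && toy_tag(k, im->data) == im->tag;
}

/* Returns 0 when every brick is authentic, else the 1-based failing step. */
int boot(const struct image *urot, const struct image *rest, size_t n) {
    current_level = LVL_IROT;                      /* reset: ST iROT runs */
    if (!authenticate(urot)) return 1;
    current_level = LVL_UROT;                      /* jump: iROT key now hidden */
    for (size_t i = 0; i < n; i++)                 /* Secure Manager, modules, app */
        if (!authenticate(&rest[i])) return 2 + (int)i;
    current_level = LVL_RUNTIME;                   /* jump to the Secure Manager */
    return 0;
}
int main(void) {   /* constructed images: bootloader, then one application */
    struct image u = { 0, "uROT v1", toy_tag(store[0].key, "uROT v1") };
    struct image a = { 3, "app v1", toy_tag(store[3].key, "app v1") };
    return boot(&u, &a, 1);
}
```

A non-zero return identifies the brick that failed authentication; the boot stops there and nothing after it is launched.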

3. Links

For more details about Secure Manager, refer to the article Secure Manager.

Secure Manager STM32H5 How to Intro introduces the following How to start article:

How to start with Secure Manager on H573, which describes how to experiment with, install, and try Secure Manager.