RDP for STM32U0

Revision as of 10:17, 13 March 2024 by Registered User (RDP level management)


1. RDP level management

The STM32U0 silicon device life cycle is based on the RDP mechanism implemented for the FLASH interface.


| RDP protection level | Debug | Comments |
|---|---|---|
| Level 0: Device open | Allowed | Boot address can be either user flash, bootloader in system memory or embedded SRAM depending on boot mode configuration. Any security configuration including OEM1 and OEM2 keys can be provisioned in flash user options. |
| Level 1: Device memories protected | Limited | Boot address can be either user flash, bootloader in system memory or embedded SRAM depending on boot mode configuration. Debug access to user FLASH memory, embedded SRAM and backup registers is not allowed. Any security configuration including OEM1 and OEM2 keys can be provisioned in flash user options. |
| Level 2: Device closed | None | Boot address must target the user flash memory. Flash user options are read-only, hence RDP level 2 cannot be changed, unless the OEM2 unlocking key is activated. |


The level transitions are illustrated in the figure below:

[Figure: STM32U0 RDP level management (MSv72611V1.png)]
  • 0 to 1: write any value other than 0xCC or 0xAA in the RDP register
  • 0 or 1 to 2: write 0xCC in the RDP register
  • 2 to 1: inject the OEM2KEY value through the debug interface under reset. This operation is relevant only if the OEM2 password lock activation has been previously done.
  • 1 to 0:
    • if OEM1 password lock activation done: inject the OEM1KEY value through the debug interface under reset
    • if OEM1 password lock activation not done: write 0xAA in the RDP register
Warning
As specified in <link to RM>, Section 3.5.6, the debug capabilities of the device are stopped if BOOT_LOCK is set in association with RDP level 1.

Debug reactivation must therefore be inserted in the boot sequence to restore the debug capabilities and make the regression from level 1 to level 0 possible.
Refer to the example code in system_stm32u0xx.c from the STM32U0 firmware package OEMiSB:

/* Software addition added to keep Debug enabled after Boot_Lock activation and RDP=1  */
#ifdef ENABLE_DBG_SWEN
  /* BOOT_LOCK set and RDP byte neither 0xCC (level 2) nor 0xAA (level 0), i.e. RDP level 1 */
  if (((FLASH->SECR & FLASH_SECR_BOOT_LOCK) == FLASH_SECR_BOOT_LOCK)
      && (((FLASH->OPTR & FLASH_OPTR_RDP) != 0xCCU)
          && ((FLASH->OPTR & FLASH_OPTR_RDP) != 0xAAU)))
  {
    FLASH->ACR |= FLASH_ACR_DBG_SWEN;  /* Debug access software enabled so the chip is not
                                          locked when RDP=1 and Boot_Lock=1                 */
  }
#endif /* ENABLE_DBG_SWEN */

2. RDP Password Regression

Regression allows reopening the product by returning to RDP level 0.

A full flash user memory mass erase is applied prior to the reopening.

The devices support both permanent RDP Level 2 and password-based RDP Level 2 regression to Level 1.

This Level 2 regression does not erase the application code, and it does not change the RDP Level 1 protections in place.

| OEM2LOCK \ OEM1LOCK | 0 | 1 |
|---|---|---|
| 0 | RDP 1 to 0 always granted; RDP 2 to 1 never granted | RDP 1 to 0 needs OEM1KEY unlock sequence; RDP 2 to 1 never granted |
| 1 | RDP 1 to 0 always granted; RDP 2 to 1 needs OEM2KEY unlock sequence | RDP 1 to 0 needs OEM1KEY unlock sequence; RDP 2 to 1 needs OEM2KEY unlock sequence |
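The transition list in section 1 and the OEM2LOCK/OEM1LOCK table above together define a small state machine; the following host-side checker, written here as an added example and not taken from the STM32U0 firmware package, encodes those rules so that an option-byte configuration can be reviewed before it is burned into a device (a level 2 device without the OEM2 lock, for instance, can never be reopened). Function names, the result codes and the sample values are this example's own; the rule that BOOT_LOCK at level 1 blocks host-driven regression unless the boot code sets DBG_SWEN follows the warning in section 1.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
/* RDP byte encodings from the page: 0xAA selects level 0, 0xCC level 2, anything else level 1. */
#define RDP_LEVEL0_VALUE 0xAAU
#define RDP_LEVEL2_VALUE 0xCCU

/* Outcome of a requested downgrade, following the OEM2LOCK/OEM1LOCK regression table. */
typedef enum {
    REG_GRANTED,        /* a plain RDP register write is enough */
    REG_NEEDS_OEM1KEY,  /* OEM1KEY must be injected through the debug interface under reset */
    REG_NEEDS_OEM2KEY,  /* OEM2KEY must be injected through the debug interface under reset */
    REG_DEBUG_LOCKED,   /* BOOT_LOCK with level 1 and no DBG_SWEN: debug port is off */
    REG_NEVER           /* no supported path, e.g. level 2 without the OEM2 lock */
} regression_t;

int rdp_level(uint8_t rdp)
{
    if (rdp == RDP_LEVEL0_VALUE) return 0;
    if (rdp == RDP_LEVEL2_VALUE) return 2;
    return 1;
}

/* Hypothetical checker: what does it take to go from the level encoded by `rdp` down to `to`?
   Any 1->0 regression is preceded by a full user flash mass erase; 2->1 erases nothing. */
regression_t rdp_regression(uint8_t rdp, bool oem1lock, bool oem2lock,
                            bool boot_lock, bool dbg_swen, int to)
{
    int from = rdp_level(rdp);
    if (from == 2 && to == 1)
        return oem2lock ? REG_NEEDS_OEM2KEY : REG_NEVER;
    if (from == 1 && to == 0) {
        /* Host-side regression needs the debug port, which BOOT_LOCK stops at level 1 unless DBG_SWEN is set. */
        if (boot_lock && !dbg_swen) return REG_DEBUG_LOCKED;
        return oem1lock ? REG_NEEDS_OEM1KEY : REG_GRANTED;
    }
    return REG_NEVER;  /* only the two single-step downgrades in the table exist */
}

/* True when the option bytes describe a device that can never be reopened again. */
bool rdp_is_permanent(uint8_t rdp, bool oem2lock)
{
    return rdp_level(rdp) == 2 && !oem2lock;
}

int main(void)
{   /* Constructed option-byte candidates, checked before they are burned into a device. */
    printf("permanent=%d code=%d\n", rdp_is_permanent(0xCC, false),
           rdp_regression(0x5A, false, false, true, false, 0));
    return 0;
}
```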