SBSFU overview

Revision as of 14:42, 8 December 2021 by Registered User

1. What is SBSFU

Secure Boot and Secure Firmware Update (SBSFU) is an STM32Cube-based package that shows how the various STM32 security features can be combined to build a product capable of a controlled secure boot and of updating its firmware reliably, eliminating the threat of loading unauthorized or malicious code.
The SBSFU is constantly evolving, adding support for new microcontrollers and features and fixing vulnerabilities identified in previous versions.
It is, however, not a definitive and universal solution covering every possible application need; rather, it is a proven starting point for your own development.
For most STM32 lines the SBSFU comes in two variants: single-slot for maximum image size, and dual-slot for more image-manipulation options such as over-the-air update.
The use of STM32Cube makes the code easy to port to similar STM32 devices that are not supported directly.

2. Getting started with STM32 and SBSFU

The SBSFU is no simple topic and there is no easy start. There is, however, some advice to be given.

  1. Download the latest SBSFU package from the ST website.
  • X-CUBE-SBSFU
  • The package includes all basic SBSFU solutions.
  • Some solutions (usually the more advanced ones) are available in the product-related Cube packages instead.
  2. Choose a supported board to start with.
  • Preferably a Nucleo based on a general-purpose MCU (for example G071 or G474).
  • If not sure, pick one for which both 1-slot and 2-slot examples are available.
  3. Get it working.
  • Follow the steps in the readme file of the selected project.
  • Configure the settings in app_sfu.h for lower security to start with.
  4. Familiarize yourself with the SBSFU.
  • Learn how to configure the different security settings.
  • Learn how to change the memory mapping.
  5. Use the knowledge to your benefit.

2.1. Secure Boot

The Secure Boot is immutable code that checks the device's static protections, sets the volatile protections and then makes sure that the code it hands control to (the application) is not corrupted. A boot protection such as BOOT_LOCK is used to prevent an attacker from diverting the boot from the intended starting address.
The Secure Boot is an implementation of the generic Root of Trust principle, which introduces a fixed (immutable) boot location and a chain of software components, each of which uses cryptographic means to authenticate the next component, including an integrity check.
The practical technical solution for this goal depends on the security features available in each particular series. For STM32 in particular, the following are used:

  • RDP
  • WRP
  • MPU
  • HDP
  • BOOT_LOCK

For the description of the abbreviations see here.

2.2. Secure Engine

Using the services of the Secure Engine, it is possible to externalize critical secure operations (mainly cryptographic ones) and improve overall security while avoiding the need for both the SBSFU and the application to implement cryptographic functions themselves.
Other functions may include secure manipulation of the Flash memory, holding secure state machines and key management.
The Secure Engine is a middleware used by the other software components and may be configured to offer various cryptographic algorithms, symmetric and asymmetric. It runs in an isolated enclave, as permitted by the features of the STM32 MCU used (either the firewall or the MPU). Code running inside the SE enclave is assumed to be trusted.

2.3. Secure Firmware Update

The third major component of the SBSFU is the update capability. It relies on the Secure Boot for its Root of Trust foundation and on the Secure Engine to provide the trusted cryptography and image-manipulation services.
It is expected that a new firmware image is made available and that a communication channel is established between the SBSFU-equipped device and the remote entity holding the image.

2.3.1. Communication interface

In the basic example provided within the X-CUBE-SBSFU package, the default method of firmware delivery is a USART serial interface using a subset of the YMODEM protocol. While this delivery method is still relevant, it is expected that many adopters of the SBSFU will eventually adapt it to use one of the many alternative interfaces, or even external storage, to obtain the new firmware image.
The USART is practical for demonstration purposes because every ST development board features an ST-LINK with a virtual serial port over USB, and this communication interface has very little software overhead, leaving more code space for the firmware image.
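To make the YMODEM subset concrete, here is an added example (not code from the X-CUBE-SBSFU package) of the packet framing a receiver has to validate before it writes any bytes into a firmware slot: start byte (SOH for 128-byte or STX for 1024-byte blocks), block number and its one's complement, the padded data, and a big-endian CRC-16/XMODEM. The packet layout and the CRC polynomial are the standard YMODEM ones; the slot size bound and the padding byte are constructed assumptions for the example.

```python
import struct

SOH, STX = 0x01, 0x02               # start bytes for 128- and 1024-byte data blocks
BLOCK_SIZES = {SOH: 128, STX: 1024}
CPMEOF = 0x1A                       # YMODEM pads the last block with CP/M EOF
SLOT_SIZE = 4096                    # constructed bound for the example's firmware slot


def crc16_xmodem(data: bytes) -> int:
    """CRC-16/XMODEM: polynomial 0x1021, initial value 0, no reflection."""
    crc = 0
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) & 0xFFFF if crc & 0x8000 else (crc << 1) & 0xFFFF
    return crc


def build_packet(block_no: int, payload: bytes, large: bool = False) -> bytes:
    """Sender side: frame one data block (used here only to construct test input)."""
    size = 1024 if large else 128
    if len(payload) > size:
        raise ValueError("payload does not fit the block")
    data = payload.ljust(size, bytes([CPMEOF]))
    head = bytes([STX if large else SOH, block_no & 0xFF, (255 - block_no) & 0xFF])
    return head + data + struct.pack(">H", crc16_xmodem(data))


def parse_packet(pkt: bytes, expected_block: int) -> bytes:
    """Receiver side: return the data block, or raise ValueError for anything malformed."""
    if not pkt or pkt[0] not in BLOCK_SIZES:
        raise ValueError("bad start byte")
    size = BLOCK_SIZES[pkt[0]]
    if len(pkt) != 3 + size + 2:
        raise ValueError("bad packet length")
    blk, blk_inv = pkt[1], pkt[2]
    if blk ^ blk_inv != 0xFF:
        raise ValueError("block number / complement mismatch")
    if blk != expected_block & 0xFF:
        raise ValueError("unexpected block number")
    data = pkt[3:3 + size]
    (crc,) = struct.unpack(">H", pkt[3 + size:])
    if crc != crc16_xmodem(data):
        raise ValueError("CRC mismatch")
    return data


def receive_image(packets, image_len: int) -> bytes:
    """Reassemble the data blocks (block 0 is YMODEM's file-header block, so data starts at 1)
    and refuse to exceed the slot, so a wrong declared length cannot overrun the slot."""
    if image_len > SLOT_SIZE:
        raise ValueError("declared image larger than the slot")
    image = bytearray()
    for i, pkt in enumerate(packets, start=1):
        image += parse_packet(pkt, i)
        if len(image) > SLOT_SIZE:
            raise ValueError("received more data than the slot holds")
    return bytes(image[:image_len])
```

The receiver deliberately checks framing, block sequence and CRC before it touches the slot, and bounds the total received length independently of what the sender declared; the CRC only catches transmission errors, and authenticity of the image is left to the cryptographic checks described in the next section.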

2.3.2. Cryptographic protection of firmware image

Most communication interfaces inherently guarantee neither the authenticity nor the confidentiality of the communication. In that case these protections must be provided cryptographically.
The following schemes are supported in the X-CUBE-SBSFU package:

  Feature                 | Asymmetric with AES encryption   | Asymmetric w/o encryption                 | Symmetric (AES-GCM)
  ------------------------+----------------------------------+-------------------------------------------+--------------------
  Confidentiality         | AES-CBC                          | None                                      | AES-GCM
  Integrity               | SHA256                           | SHA256                                    | AES-GCM
  Authenticity            | ECDSA signed                     | ECDSA signed                              | AES-GCM tag
  Keys needed in device   | private AES-CBC, public ECDSA    | public ECDSA (X.509 certificate option)   | private AES-GCM
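The following added example (not the package's own code, and not its header format) shows what two of the table's columns mean in practice for the verifier on the device: the "asymmetric w/o encryption" scheme, where an ECDSA signature over a small header authenticates the header and the SHA-256 digest inside that header binds the image, and the "symmetric (AES-GCM)" scheme, where one key provides confidentiality, integrity and authenticity through the GCM tag. The header layout (magic, version, length, digest), the minimum-version rule and the use of the Python `cryptography` package are assumptions of the example.

```python
import hashlib
import hmac
import os
import struct

from cryptography.exceptions import InvalidSignature, InvalidTag
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

MAGIC = b"FWIM"               # constructed magic value, not the X-CUBE-SBSFU header
HEADER_FMT = ">4sII32s"       # magic, version, image length, SHA-256 of the plaintext image


def make_header(version: int, image: bytes) -> bytes:
    return struct.pack(HEADER_FMT, MAGIC, version, len(image), hashlib.sha256(image).digest())


def parse_header(header: bytes):
    magic, version, length, digest = struct.unpack(HEADER_FMT, header)
    if magic != MAGIC:
        raise ValueError("bad header magic")
    return version, length, digest


# Column "asymmetric w/o encryption": image in clear, SHA-256 integrity, ECDSA authenticity.
def sign_image_asymmetric(priv, version: int, image: bytes):
    header = make_header(version, image)
    return header, priv.sign(header, ec.ECDSA(hashes.SHA256())), image


def verify_image_asymmetric(pub, header, sig, image, min_version: int) -> bool:
    try:
        pub.verify(sig, header, ec.ECDSA(hashes.SHA256()))   # authenticate the header first
    except InvalidSignature:
        return False
    version, length, digest = parse_header(header)           # header is now trusted
    if version < min_version or length != len(image):        # assumed anti-rollback rule
        return False
    return hmac.compare_digest(hashlib.sha256(image).digest(), digest)


# Column "symmetric (AES-GCM)": one device key; header is authenticated as associated data.
def protect_image_symmetric(key: bytes, version: int, image: bytes):
    header = make_header(version, image)
    nonce = os.urandom(12)
    return header, nonce, AESGCM(key).encrypt(nonce, image, header)   # ciphertext || 16-byte tag


def verify_image_symmetric(key, header, nonce, ct, min_version: int):
    try:
        image = AESGCM(key).decrypt(nonce, ct, header)   # tag check covers header and image
    except InvalidTag:
        return None
    version, length, _ = parse_header(header)
    if version < min_version or length != len(image):
        return None
    return image


def demo() -> dict:
    """Run both schemes on a constructed 1 KiB image, including tampering and rollback cases."""
    priv = ec.generate_private_key(ec.SECP256R1())
    pub = priv.public_key()
    image = bytes(range(256)) * 4
    header, sig, img = sign_image_asymmetric(priv, 2, image)
    key = os.urandom(16)
    h2, nonce, ct = protect_image_symmetric(key, 2, image)
    return {
        "asym_ok": verify_image_asymmetric(pub, header, sig, img, min_version=1),
        "asym_tampered": verify_image_asymmetric(pub, header, sig, img[:-1] + b"\x00", 1),
        "asym_rollback": verify_image_asymmetric(pub, header, sig, img, min_version=3),
        "sym_ok": verify_image_symmetric(key, h2, nonce, ct, 1) == image,
        "sym_tampered": verify_image_symmetric(key, h2, nonce, ct[:-1] + bytes([ct[-1] ^ 1]), 1),
    }
```

Note the ordering in the asymmetric path: the signature is checked before any field of the header is trusted, and only then is the digest used to validate the image; with AES-GCM the single `decrypt` call does both jobs because the header is passed as associated data, which is why that column lists AES-GCM for all three properties.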

3. Video related to SBSFU

SBSFU Overview - first video in the series
Playlist about STM32 security ecosystem and place of SBSFU within its context
Playlist about secure cloud connectivity using SBSFU and secure element STSAFE-A110

4. STM32 compliant with SBSFU

As of version 2.5.0, the SBSFU package includes examples for the following STM32 series:

  • STM32F4
  • STM32F7
  • STM32G0
  • STM32G4
  • STM32H7
  • STM32L0
  • STM32L1
  • STM32L4
  • STM32WL
  • STM32WB

The following series have an application called SBSFU in their respective STM32Cube packages, but it has a quite different architecture, based on TrustZone and TF-M.

  • STM32L5
  • STM32U5

5. STMicroelectronics Resources

SBSFU user manual
SBSFU integration guide
SBSFU user manual for STM32WL series
SBSFU integration guide for the STM32WL series
SBSFU on TrustZone capable STM32