Revision as of 11:41, 20 February 2023 by Registered User

1. Product security overview

A device deployed in the field operates in an untrusted environment and is therefore subject to threats and attacks. To mitigate the risk of attack, the goal is to allow only authentic firmware to run on the device. Updating firmware images to fix bugs, or to introduce new features or countermeasures, is commonplace for connected devices, but the update is prone to attacks if it is not executed in a secure way.

The consequences can be damaging: firmware cloning, malicious software download, or device corruption. Security solutions must be designed to protect sensitive data (potentially even the firmware itself) and critical operations.

Typical countermeasures are based on cryptography (with an associated key) and on memory protections:

  • Cryptography ensures integrity (the assurance that data has not been corrupted), authentication (the assurance that a certain entity is what it claims to be) and confidentiality (the assurance that only authorized users can read sensitive data) during firmware transfer.
  • Memory protection mechanisms prevent external attacks (for example by accessing the device physically through JTAG) and internal attacks from other embedded non-secure processes.

2. STiROT: ST immutable Root Of Trust

This software component provides 2 services:

  • The Secure Boot (root of trust services) is immutable code, always executed after a system reset (1), that activates the STM32 runtime protections and then verifies the authenticity and integrity of the application (2) code before every execution (3).
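
The verify-before-execute step described above, as an added example that is not STiROT code: the image layout, `build_image`, `verify_image`, `boot` and the demo key are hypothetical, and HMAC-SHA256 stands in for the signature check so the sketch runs on the Python standard library alone. It separates the two properties named in section 1: the keyed tag gives authenticity, the digest gives integrity.

```python
import hashlib
import hmac
import struct

# Hypothetical image layout, constructed for this example (not the STiROT format):
#   magic(4) | payload_len(4, little-endian) | sha256(payload)(32) | tag(32) | payload
HEADER = struct.Struct("<4sI32s32s")
MAGIC = b"FWIM"
# Constructed demo key. HMAC-SHA256 stands in for the signature check so the
# example needs nothing outside the standard library.
DEMO_KEY = bytes(range(32))


def build_image(payload: bytes, key: bytes = DEMO_KEY) -> bytes:
    """Signing side: hash the payload, then authenticate the header fields."""
    digest = hashlib.sha256(payload).digest()
    signed = MAGIC + struct.pack("<I", len(payload)) + digest
    tag = hmac.new(key, signed, hashlib.sha256).digest()
    return HEADER.pack(MAGIC, len(payload), digest, tag) + payload


def verify_image(image: bytes, key: bytes = DEMO_KEY) -> str:
    """Boot side: return "ok" or the reason the image must not be executed."""
    if len(image) < HEADER.size:
        return "truncated header"
    magic, length, digest, tag = HEADER.unpack_from(image)
    if magic != MAGIC:
        return "bad magic"
    payload = image[HEADER.size:]
    if len(payload) != length:
        return "length mismatch"
    # Authenticity first: the header must come from a holder of the key.
    signed = magic + struct.pack("<I", length) + digest
    expected = hmac.new(key, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return "authentication failed"
    # Integrity: the payload must match the digest the header vouches for.
    if not hmac.compare_digest(hashlib.sha256(payload).digest(), digest):
        return "integrity failed"
    return "ok"


def boot(image: bytes) -> bool:
    """Hand over control only when verification succeeds (run at every reset)."""
    return verify_image(image) == "ok"
```

An image rebuilt with a different key carries a correct digest yet is still rejected, which is why a hash alone does not establish that firmware is authentic.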

3. References