Introduction to Secure boot and Secure firmware update

Revision as of 06:45, 28 March 2023 by Registered User (→ The Secure boot)

1. What is the Secure boot and Secure firmware update

Secure boot and Secure firmware update ensure that only authorized software can be executed on the device.
Secure boot is the first firmware running after an STM32 reset. It activates the security mechanisms and verifies the authenticity and integrity of the code executed on the platform right after this boot stage (the Application). Secure boot is the foundation of the device security; it is also known as the Root of Trust of the device.
This foundation is extended with the Secure firmware update functionality, which securely updates the Application.

2. The Secure boot

Secure boot uses cryptography to verify (authentication + integrity) the Application code together with its metadata.
Secure boot only grants Application execution if those verifications of its code and metadata succeed. Metadata can include the version, HW configuration, boot conditions, and so on.
Secure boot must be an immutable code launched at reset. Immutability is a mandatory requirement for Secure boot.
Immutability can be guaranteed thanks to ROMCode technology, or any mechanism that makes code immutable. Typically, in STM32 microcontrollers this is supported by the write protection mechanism of the flash memory.
This immutable code must be small, simple and verifiable. This minimizes the risk of a vulnerability that cannot be corrected. The complex steps are handled by the next stage.
This immutable code is executed at reset and verifies the platform configuration (boot configuration, protection mechanisms, ...). This code is the ROT (Root Of Trust).


3. Secure Firmware update

Being able to update the Application is a key point for security, given the risk that it contains vulnerabilities. If the Application exposes a security weakness, it must be possible to fix it by updating the Application on the device.
The Secure firmware update of the Application relies on cryptography to decrypt and authenticate the received new Application image.


The Secure firmware update can be implemented following different strategies:
  • one slot: a new Application image overwrites the running Application within the slot.
  • two slots: the Secure firmware update verifies the new Application image within the first slot (Download slot) and installs it within the second slot (Execution slot).
  • recovery: if no valid image remains within any slot, the Secure firmware update recovers a factory image.
  • others...

In all cases, the Secure firmware update must take care of version control: it guarantees that an Application version N-1 can't be installed after an Application version N has run.
The Application is responsible for downloading the new Application image; once the new image is received, the Application triggers a device reset so that Secure boot / Secure firmware update installs the new Application version.
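The following is an added example, not code from this page or from ST's SBSFU/STiROT implementations. It models the boot-stage checks of section 2 (authentication + integrity over the image and its metadata, then the HW-configuration and version checks) and the two-slot policy with version control from section 3. The image layout, the key, the HW-configuration value and the function names are all assumptions, and an HMAC-SHA256 tag stands in for the asymmetric signature a real Root of Trust would verify.

```python
import hashlib
import hmac
import struct

# Constructed example, not ST's SBSFU or STiROT code. Assumed image layout:
# magic(4) | version(4) | hw_config(4) | payload_len(4) | payload | 32-byte tag,
# with the tag computed over header + payload.
HEADER_FMT = "<4sIII"
HEADER_LEN = struct.calcsize(HEADER_FMT)
MAGIC = b"SFU1"
# Stand-in for the verification key held in the immutable boot code. A real Root
# of Trust checks an asymmetric signature (e.g. ECDSA) with an embedded public
# key; HMAC-SHA256 plays that role here so the example runs offline.
BOOT_KEY = b"constructed-example-key"
EXPECTED_HW_CONFIG = 0x0001

def build_image(version, payload, hw_config=EXPECTED_HW_CONFIG, key=BOOT_KEY):
    """Producer side: prepend metadata, append the tag over header + payload."""
    header = struct.pack(HEADER_FMT, MAGIC, version, hw_config, len(payload))
    return header + payload + hmac.new(key, header + payload, hashlib.sha256).digest()

def verify_image(image, current_version, key=BOOT_KEY, hw_config=EXPECTED_HW_CONFIG):
    """Authentication + integrity, then metadata: hw config and anti-rollback
    (version must not be below current_version). Returns (ok, reason, version)."""
    if len(image) < HEADER_LEN + 32:
        return False, "image too short", None
    header = image[:HEADER_LEN]
    magic, version, cfg, length = struct.unpack(HEADER_FMT, header)
    if magic != MAGIC or length != len(image) - HEADER_LEN - 32:
        return False, "bad header", None
    payload, tag = image[HEADER_LEN:HEADER_LEN + length], image[HEADER_LEN + length:]
    # The tag covers the header too, so version/hw_config cannot be edited alone.
    expected = hmac.new(key, header + payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return False, "authentication failed", None
    if cfg != hw_config:
        return False, "hw configuration mismatch", version
    if version < current_version:
        return False, "rollback refused", version
    return True, "ok", version

def select_image(download, execution, current_version):
    """Two-slot policy: install and run the Download slot image only if it verifies
    and is newer than a valid Execution image; else run the Execution image; if
    neither verifies, fall back to recovery (factory image)."""
    ok_dl, _, v_dl = verify_image(download, current_version)
    ok_ex, _, v_ex = verify_image(execution, current_version)
    if ok_dl and (not ok_ex or v_dl > v_ex):
        return "install_download"
    return "execute" if ok_ex else "recover"
```

Because the tag is computed over the header as well as the payload, an attempt to raise the version field of an old image fails the authentication step rather than the version check.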


4. STM32 Secure boot and Secure firmware update implementations

ST provides several Secure boot / Secure firmware update implementations, according to the STM32 HW capabilities:

  • SBSFU by mcuboot: implementation that relies on the mcuboot open-source solution.
  • STiROT: SESIP-certified implementation.


5. References