Introduction to Secure boot and Secure firmware update

Revision as of 16:05, 3 May 2023 by Registered User

1. What are Secure Boot and Secure Firmware Update

Secure Boot and Secure Firmware Update ensure that only authorized software is executed on the device.
Secure Boot is the first firmware that runs after an STM32 reset. It activates the security mechanisms and verifies the authenticity and integrity of the code executed on the platform after the boot stage (the Application). Secure Boot is the foundation of device security, also known as the Root of Trust of the device.
This foundation is extended by the Secure Firmware Update functionality, which allows the Application to be updated securely.

2. The Secure boot

The Secure boot uses cryptography to verify (authentication + integrity) the Application code together with its metadata.
The Secure boot grants Application execution only if both verifications, on the code and on the metadata, succeed. Metadata can include the version, the HW configuration, boot conditions...
The Secure boot must be immutable code launched at reset. Immutability is a mandatory requirement for the Secure boot.
Immutability can be guaranteed by ROM code technology, or by any mechanism that makes code immutable. Typically, in STM32 microcontrollers, this is supported by the write protection mechanism of the flash memory.
This immutable code must be small, simple and verifiable. This minimizes the risk of a vulnerability that cannot be corrected; the complex steps are handled by the next stage.
This immutable code is executed at reset and verifies the platform configuration (boot configuration, protection mechanisms, ...). This code is the ROT (Root Of Trust).

3. Secure Firmware Update

The Secure Firmware Updatability of the Application is a key point in ensuring security, given the vulnerability risks the Application carries. If the Application exposes a security weakness, it must be possible to fix it by updating the Application within the device.
The Secure firmware update of the Application relies on cryptography to decrypt, authenticate and check the integrity of the received new Application image.
The Secure firmware update can be implemented following different strategies:
  • one slot: the new Application image overwrites the running Application within the slot. This configuration can be used when local download is allowed.
  • two slots: the Secure firmware update verifies the new Application image within the first slot (Download slot) and installs it within the second slot (Execution slot). This configuration can be used when Over The Air update is supported.
  • recovery: if no valid image remains in any slot, the Secure firmware update recovers a factory image.
  • others...
In all cases, Secure firmware update must take care of version control: it guarantees that an Application version N-1 cannot be installed after an Application version N has run.
The Application is responsible for downloading the new Application image; once the new image is received, the Application triggers a reset of the device so that Secure boot and Secure firmware update install the new Application version.
Image programming must be resistant to asynchronous power down and reset.
Image upgrade strategy
- can be based on overwriting, swapping, ....
- can apply the whole image update at one time or in sequential steps (depending on Non Volatile space)
- must consider the update of both the code and the data of images
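As an added illustration of sections 2 and 3 (not code from this page or from ST's SBSFU package), the following Python models the boot-time decision: authenticate the metadata first, refuse a version older than the last one run (anti-rollback), then check the integrity of the code. The header layout, the HMAC-SHA256 stand-in for a signature, and the key are constructed for this example only.

```python
import hashlib
import hmac
import struct

# Header layout (constructed for this example, not the STM32 SBSFU metadata format):
#   magic(4) | version(u32) | fw_size(u32) | fw_sha256(32) | tag(32)
# The tag authenticates every field before it, so version, size and hash cannot
# be edited without the key. HMAC-SHA256 stands in for the asymmetric signature
# a real Secure Boot verifies with a public key kept in immutable storage.
MAGIC = b"SFUM"
HDR_FMT = "<4sII32s32s"
HDR_LEN = struct.calcsize(HDR_FMT)  # 76 bytes
AUTH_KEY = b"constructed-demo-key-not-for-real-devices"


def build_image(version: int, firmware: bytes) -> bytes:
    """Build header + firmware the way a signing tool would at build time."""
    fw_hash = hashlib.sha256(firmware).digest()
    signed = struct.pack("<4sII32s", MAGIC, version, len(firmware), fw_hash)
    tag = hmac.new(AUTH_KEY, signed, hashlib.sha256).digest()
    return signed + tag + firmware


def verify_image(image: bytes, last_run_version: int) -> tuple[bool, str]:
    """Apply the Secure Boot checks in the order a boot stage would.

    Returns (True, "ok") or (False, reason). The metadata is authenticated
    before any field in it is trusted, then the version is compared with the
    last version that ran (anti-rollback), then the code itself is hashed.
    """
    if len(image) < HDR_LEN:
        return False, "header"
    magic, version, fw_size, fw_hash, tag = struct.unpack_from(HDR_FMT, image)
    if magic != MAGIC:
        return False, "magic"
    expected = hmac.new(AUTH_KEY, image[:HDR_LEN - 32], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return False, "authentication"
    if version < last_run_version:  # version N-1 after N is refused
        return False, "rollback"
    firmware = image[HDR_LEN:]
    if len(firmware) != fw_size:
        return False, "size"
    if not hmac.compare_digest(hashlib.sha256(firmware).digest(), fw_hash):
        return False, "integrity"
    return True, "ok"
```

Editing the version field in the header fails authentication rather than rollback, because the tag covers the metadata; flipping a byte of the code fails the integrity check while the header still verifies.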


4. STM32 Secure boot and Secure firmware update implementations

ST provides several implementations of Secure boot and Secure firmware update, according to the STM32 HW capabilities:

5. References