Introduction to Secure boot and Secure firmware update

Revision as of 14:44, 3 May 2023 by Registered User

1. What is the Secure Boot and Secure Firmware Update

Secure Boot and Secure Firmware Update ensure that only authorized software is executed on the device.
Secure Boot is the first firmware that runs after an STM32 reset. It activates the security mechanisms and verifies the authenticity and the integrity of the code executed on the platform after the boot stage (the Application). Secure Boot is the foundation of the device security, also known as the Root of Trust of the device.
This foundation is extended by the Secure Firmware Update functionality, which allows the Application to be updated securely.

2. Secure Boot

Secure Boot uses cryptography to verify the Application code and its metadata (authentication and integrity).
Secure Boot only grants Application execution if both verifications, on the code and on the metadata, are successful. Metadata may contain version information, hardware configuration, boot conditions, and more.
Secure Boot must be immutable code launched at reset. Immutability is a mandatory requirement for Secure Boot.
ROM code technology, or any other mechanism that makes the code immutable, ensures this immutability. In STM32 microcontrollers, immutability is typically supported by the write protection mechanism of the flash memory.
The immutable code must be concise, simple and verifiable. This minimizes the risk of a vulnerability that cannot be corrected. Complex steps are handled at the following stage.
The immutable code is executed at reset. It verifies the platform configuration, such as the boot configuration and the protection mechanisms. This code is the RoT (Root of Trust).

3. Secure Firmware Update

The ability to securely update the Application is a key point in maintaining security when vulnerability risks are taken into account. If the Application on the device is affected by a security weakness, an Application update is performed in order to fix it.
The Secure Firmware Update of the Application relies on cryptography to decrypt, authenticate and check the integrity of the received new Application image.
Secure Firmware Update can be implemented following different strategies:
  • one slot: a new Application image overwrites the running Application within the slot. This configuration can be used when local download is allowed.
  • two slots: Secure Firmware Update verifies the new Application image within the first slot (Download slot) and installs it within the second slot (Execution slot). This configuration can be used when Over The Air (OTA) update is supported.
  • recovery: if no valid image remains within any slot, Secure Firmware Update recovers a factory image.
  • others...
In all cases, Secure Firmware Update must take care of version control (anti-rollback): it guarantees that an Application version N-1 cannot be installed after an Application version N has run.
The Application is responsible for downloading the new Application image; once the new image is received, the Application triggers a device reset to let Secure Boot / Secure Firmware Update install the new Application version.
Image programming must be resistant to an asynchronous power-down or reset occurring while it is in progress.
Image upgrade strategy:
- can be based on overwriting, swapping, ...
- can apply the whole image update at once or in sequential steps (depending on the available non-volatile space)
- takes into account the update of both the code and the data of the images
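The checks described in sections 2 and 3 put together as an added example (this is not ST code and not the SBSFU image format): it authenticates a constructed image header, checks code integrity against the authenticated digest, applies the N-1 rule and makes the two-slot install / boot / recover decision at reset. The header layout, the key and the use of HMAC-SHA256 in place of an asymmetric signature are assumptions made for this example.

```python
import hashlib
import hmac
import struct

# Constructed image layout (an assumption for this example, not ST's format):
# magic(4) | version(u32) | code_len(u32) | code_sha256(32) | tag(32) | code
HEADER_FMT = "<4sII32s32s"
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 76 bytes
TAG_OFFSET = HEADER_LEN - 32               # the tag covers everything before it
MAGIC = b"SFUI"
# Stand-in for the verification key held in immutable memory. A real Secure Boot
# checks an asymmetric signature (e.g. ECDSA) with a public key; HMAC-SHA256 keeps
# this example standard-library only, but the order of the checks is the same.
DEVICE_KEY = b"constructed-example-key"

def build_image(version, code, key=DEVICE_KEY):
    """Produce an image the way the trusted build environment would."""
    unsigned = struct.pack("<4sII32s", MAGIC, version, len(code),
                           hashlib.sha256(code).digest())
    return unsigned + hmac.new(key, unsigned, hashlib.sha256).digest() + code

def verify_image(image, key=DEVICE_KEY):
    """Authenticate the metadata, then check code integrity. Returns (version, reason)."""
    if len(image) < HEADER_LEN:
        return None, "image too short"
    magic, version, code_len, digest, tag = struct.unpack(HEADER_FMT, image[:HEADER_LEN])
    if magic != MAGIC:
        return None, "bad magic"
    # Authenticate the metadata before trusting any field in it (constant-time compare).
    expected = hmac.new(key, image[:TAG_OFFSET], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None, "metadata authentication failed"
    # Code integrity is bound to the authenticated metadata through the stored digest.
    code = image[HEADER_LEN:HEADER_LEN + code_len]
    if len(code) != code_len or hashlib.sha256(code).digest() != digest:
        return None, "code integrity failed"
    return version, "ok"

def select_image(download_slot, execution_slot, installed_version):
    """Two-slot decision at reset: install the new image, boot the current one, or recover."""
    new_version, _ = verify_image(download_slot)
    # Version control: a valid image is installed only if it is newer than version N.
    if new_version is not None and new_version > installed_version:
        return "install", new_version
    cur_version, _ = verify_image(execution_slot)
    if cur_version is not None:
        return "boot", cur_version       # download slot invalid, absent or a rollback
    return "recover", None               # no valid image in any slot: factory image
```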


4. STM32 Secure boot and Secure firmware update implementations

ST provides several Secure Boot and Secure Firmware Update implementations, according to the hardware capabilities of each STM32:

5. References