1. What is debug authentication ?
Debug authentication is process used to disable the security fetures on the STM32 in secure way. The user leverages on the debug authentication security feature to either:
- Perform regression testing on the OPEN or TZ-CLOSED product states in a secured way, erasing user data in user flash, SRAM and OBKeys.
- Re-open debug access on the STM32 in a secured way.
Debug authentication is only used when the STM32 is no longer in OPEN product state.
Debug authentication only grants its services to a legitimate user password or certificate authentication.
The STM32 life cycle management drives the STM32 debug authentication method, password or certificate. Refer to the life-cycle management section of the appropriate STM32 reference manual on how to implement the debug authentication security feature.
The user sends a password or certificicates to STM32 via a limited debug access port that does not grant access to STM32 hardware resources such as the CPU registers, memory, peripheral registers, and so on. When a debug access is re-opened, a new debug access port is also opened, granting access to the STM32 hardware resources.
Debug Authentication is closely related to:
- STM32 Product State Life cycle
- STM32 ARM TrustZone enablement or not.
1.1. Password
In order to trigger the debug authentication feature, the host sends the debug authentication password to the STM32. When the STM32 recieves the password, it verifies that it corresponds to the one that is provisioned.
1.2. Certificate
When user triggers Debug Authentication feature (Regression or Debug Re-opening), he sends first a Certificate and a Debug Authentication Action Request to the STM32. On Certificate reception (Step 1), STM32 verifies that:
- Certificate fits the one provisioned.
- The Authorized Actions sent with the Certificate fit the ones provisioned.
- The Action Request fits with Authorized Action list carried by the Certificate.
STM32 starts challenge-response procedure (Step 2 and Step 3): STM32 verifies that Host owns the Debug Authentication Private Key before performing the requested action (regression or Debug re-opening).
The Certificate carries the requested action.
In the scheme below STM32 blocks Debug Authentication Action Request because Authorized Actions within Certificate do not map Provisioned Authorized Actions.
In the scheme below STM32 blocks Debug Authentication Action Request because Action Request does not fit with Certificate Authorized Actions.
In the scheme below, Certificate Authorized Actions fit Provisioned Authorized Action and Action Request fits Certificate Authorized Actions, then STM32 grants Debug Authentication Action Request.
2. Provisioning
Before configuring STM32 in a product state below PROVISIONING (i.e. PROVISONED, TZ-CLOSED or CLOSED) , user must provision either:
- The hash of the Certificate Public Key and Authorized Actions. Authorized actions are a combination of Regression, Partial Regression and Debug re-opening.
or
- The hash of the Password.
3. Regression
3.1. Full regression
Debug Authentication erases full user Flash, SRAM and OBKEys1. Full regression erases Debug Authentication Provisioned data, i.e. Certificate and Authorized Actions, hence user must provision again Debug Authentication data. After Full regression STM32 is in product state OPEN.
Note1: When STM32 supports OBKeys.
3.2. Partial regression
Debug Authentication erases non-secure user Flash, non-secure SRAM and non-secure OBKEys1. After partial regression STM32 is in product state TZ-CLOSED.
Please note that STM32 not supporting TrustZone or not enabling TrustZone do not support Partial regression.
Note1: When STM32 supports OBKeys.
4. Debug Re-opening
Only Debug Authentication by Certificate supports Debug Re-opening. After Debug Re-opening user can debug STM32. Debug Re-opening does not change STM32 product state. Debug Re-opening is temporary, power off the STM32 disables Debug Re-opening and Debug is closed again.
