Secure Manager for STM32H5

Revision as of 09:48, 5 July 2023 by Registered User
This message will disappear after all relevant tasks have been resolved.
Semantic MediaWiki
There are 1 incomplete or pending task to finish installation of Semantic MediaWiki. An administrator or user with sufficient rights can complete it. This should be done before adding new data to avoid inconsistencies.

1. Introduction

STM32H5 MCUs are equipped with numerous, new security features, such as product life cycle, isolation, Debug authentication, Secure storage, and Secure Boot. Solid security skills are required to individually use these blocks.

STMicroelectronics offers a full solution, owned and maintained by STMicroelectronics, which is SESIP 3 and PSA certified.

PSA certification is the highest level of security certification for general purpose MCUs.


2. Secure manager overview

Secure Manager is a TEE (Trusted Execution Environment) integrating core security services.


SECURITY Secure Manager Global presentation.png


  • The blue elements in the above image correspond to the Secure Manager.
  • The blue and green elements in the above image are delivered by STMicroelectronics.
  • The yellow elements correspond to the user application. The user can call some security services, which are standards defined by the PSA Arm®.


2.1. Secure Manager

Secure Manager is a software component, which is a binary file encrypted, signed and delivered by STMicroelectronics. The user does not have access to the code.


ST iROT is the first stage bootloader. It is installed inside your device at purchase.
Both Secure Manager and ST iROT are only available on STM32H573 devices.

ST uROT is the second stage bootloader. The second stage bootloader can be updated.

Secure Manager Core is a secure OS, which handles the platform security services.

The PSA API accesses the following services:

  • Firmware update, allowing to update firmware in a secure way.
  • Secure storage, to securely store data.
  • Cryptography, to encrypt or decrypt an element to check.
  • Attestation, which is defined for the iOT. It allows to have an identifier to the full picture of your device.


2.2. Additional modules

Third-parties or customers can add security services by defining them and developing a secure module. Security services are highlighted in green in the above image.

  • Confidentiality is ensured when delivering a software API: Encrypted and signed at delivery, the software API is installed securely.
  • After installation, access to the API is guaranteed, while preventing access to the software.


2.3. User application

The Secure Manager handles security, being transparent for the user. It is installed on the internal flash memory. The Secure Manager also locks a portion of the RAM.
When users develop their own application, the size of the available flash memory is the only constraint to consider.


2.4. Certification

Secure Manager and hardware are certified SESIP level 3 and PSA level 3.

Platform certification requires the certification of application and secure modules. The Secure Manager handles the isolation between the different services.

This level of certification is required to ensure that one secure service cannot access the resources of another secure service.

The Secure Manager is PSA API compatible, meaning that this API has not been defined by ST: It is a standard defined by Arm®.

The Secure Manager is designed for long-term support. In case of weakness detection, STMicroelectronics delivers a new Secure Manager, as it can be updated using the different stage bootloaders.

The Secure Manager is optimized for certification, allowing you to just focus on the application certification.


2.5. Booting mechanism

The secure storage is used to store the keys that are used during boot time to authenticate each software component before launch.

After the provisioning and during the installation of the Secure Manager, we also provision those keys in the secure storage.


First step booting


  1. At reset, the ST iROT authenticates a second stage bootloader, with the keys in the secure storage.
  2. When the second stage bootloader is authenticated, we are certain that no malicious modifications have been made. Temporal isolation allows to go to the next level.
  3. With temporal isolation, a portion of code can no longer be seen by the system. The associated keys have the same isolation level. When another level is reached, access to the previous level is removed, as well as the associated keys.


Second step booting

  1. The second stage bootloader authenticates the Secure Manager. This ensures that authenticity is not modified by a malicious action, such as hacking.
  2. The second stage bootloader authenticates the different modules. The keys need to be authenticated every time as keys owner are different.
  3. The second stage bootloader authenticates the application to ensure the integrity is guaranteed. When this step is successfully completed, the second stage bootloader jumps to the Secure Manager.

Third step booting

  1. The Secure Manager initializes the core, then jumps to the application.
  2. After these steps, we are in regular execution.

The application could call some secure API. For example, calling an API to trusted storage in order to store some data.

The Secure Manager uses the MPU to isolate the services that will be executed. During the execution of the secure storage, it cannot access other resources. Secure Manager jumps to the Trusted storage and executes this API and then goes back to the application. This is transparent for the user.


3. Links

For further details on the Secure Manager, refer to the following articles:

Secure Manager.

Secure Manager STM32H5 How to Intro

How to start with Secure Manager on STM32H573


Retrieved from "https://wiki.st.com/stm32mcu/index.php?title=Security:Secure_Manager_for_STM32H5&oldid=36030"