Secure Storage for STM32H5

Revision as of 17:28, 4 August 2023 by Registered User

Target description

1. Introduction

A critical security feature is a dedicated memory location where secret data such as keys can be stored in a very safe way.
The STM32H5 provides up to five secure storage areas fulfilling this requirement, called OB Keys storages.
Every secure storage area is temporally isolated through the HDPL level.

The figure below shows the five OB Keys secure storages, one for every HDPL level (HDPL0, HDPL1, HDPL2, HDPL3 Secure and HDPL3 Non-Secure).


Figure 1 STM32H5 OB Keys Secure Storage

2. The secure storage areas for STM32H5 (OB key area)

The secure storage areas are also called Option-Byte Key (OBKeys) areas or Secure Key Storage areas.
As mentioned in the introduction, the STM32H5 provides five secure storage areas that can be used to store keys as well as any other sensitive or secret data.
Each of these areas is tied to a specific temporal isolation level (HDPL). This is explained in the next chapter.
The stored data can optionally be encrypted.
Note: The stored data can be encrypted only for the STM32H57x.

The five areas are described in the table below.

| Temporal isolation level | Storage size (bytes) | Usage | Regression |
| --- | --- | --- | --- |
| HDPL0 | 255 | Reserved for ST, HDPL0 keys | Never erased |
| HDPL1 | 2047 | iRoT keys | Erased through regression |
| HDPL2 | 767 | uRoT, OS or Secure Application | Erased through regression |
| HDPL3S | 3071 | Secure Application keys | Erased through regression |
| HDPL3NS | 2031 | Non-Secure Application keys | Erased through NS-Regression |

Notes:

  • A full regression erases all the secure storage areas except the HDPL0 secure storage, which is never erased. This secure storage is an ST reserved domain.
  • A partial regression (NS-Regression) erases only the HDPL3 Non-Secure storage.
  • In case of a tamper detection, the DHUKs are no longer usable until the next reset. If the contents of the secure storages are encrypted, these contents are therefore no longer accessible. However, the contents of the secure storages are not erased by a tamper event. Any desired actions in response to the tamper event need to be implemented in the interrupt handler.

3. Temporal isolation

Reminder: the different boot stages of the STM32H5 are protected through temporal isolation.
see: Secure_Boot_for_STM32H5
Firmware executing in HDPL[N] has no access to firmware that was executed in HDPL[N-1] or earlier (HDPL[N-x]).

The secure storage follows a similar principle: firmware currently executing in a specific HDPL[N] cannot access the secure storage HDPL[N-x].
On the other hand, this firmware can access the secure storage HDPL[N] and also any secure storage HDPL[N+x].

The SBS (System configuration, Boot and Security) embedded in the device controls the secure storage access (see RM0481).
The OBK-HDPL (which can be equal to or higher than the HDPL of the currently executing firmware) selects the secure storage area.
The access control also takes into account whether the executing firmware is secure or non-secure (see figure in next chapter).

4. Secure storage protection

The protection of the secure storages is ensured through the access control of the flash interface.
The access is controlled through:

  • RHUK: Root Hardware Unique Key. It is a 256-bit non-volatile key, unique per STM32H5 device and never visible to any software.
  • DHUK: Derived Hardware Unique Key. A 256-bit key, different for every secure storage (HDPL0, HDPL1...), generated by the SAES based on the RHUK.
  • EPOCH: Monotonic counter incremented at each regression. It protects against the installation of an older firmware/data version (anti-replay).
  • HDPL: Temporal Isolation Level explained in previous chapter.

The SAES is the cryptographic hardware embedded in the STM32H5. It is resistant to side-channel attacks and embeds the key generator that provides the different DHUKs.

  • Note: the SAES and related functionalities are only available for the STM32H573.

The figure below gives an overview of the access control.
The SBS (see previous chapter) controls the OBK-HDPL but also the EPOCH selection.
There are two EPOCH counters: one for the Secure application and one for Non-Secure application.

  • NEXTHDPL[1:0] of the SBS register SBS_NEXTHDPLCR is used to select an OBK-HDPL higher than the HDPL of the currently executing firmware.
  • EPOCH_SEL[1:0] of the SBS register SBS_EPOCHSELCR is used to select between the EPOCH counter for the Secure or the Non-Secure application (see RM0481).
Figure 2 Data encryption using SAES/DHUK

In summary:

  • Cloning protection is ensured through the RHUK, which is unique for every device and ensures that all the derived keys and encrypted data are valid only for a specific device.
  • Replay protection is ensured through the EPOCH counter, which ensures that previously encrypted data cannot be reused: new DHUKs are generated after a regression. The data related to the Secure and Non-Secure applications is protected through two different EPOCH counters.
  • Temporal isolation is ensured through the SBS in order to forbid access to any secure storage HDPLx lower than the HDPLx of the currently executing code.
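
The three properties in this summary can be exercised in a host-side Python model, added here as an example and not taken from ST code or the reference manual. `H5Model`, `AREAS` and `attempt` are hypothetical names; HMAC-SHA256 and a SHAKE-256 keystream stand in for the SAES key generator and cipher, and the mapping of areas to EPOCH counters and of regression types to counter increments is an assumption.

```python
import hashlib
import hmac

AREAS = {"HDPL1": 1, "HDPL2": 2, "HDPL3S": 3, "HDPL3NS": 3}  # HDPL0 is ST-reserved

class H5Model:
    """Host-side model only. Assumption: HMAC-SHA256 stands in for the SAES."""
    def __init__(self, rhuk):
        self._rhuk = rhuk               # stands in for the RHUK (constructed value)
        self.hdpl = 1                   # model level 0..3, not the register encoding
        self.epoch = {"S": 0, "NS": 0}  # the two EPOCH counters

    def regression(self, ns_only=False):  # assumption: NS-regression bumps NS only
        self.epoch["NS"] += 1
        self.epoch["S"] += 0 if ns_only else 1

    def dhuk(self, area):
        if AREAS[area] < self.hdpl:     # temporal isolation: lower areas are closed
            raise PermissionError(f"{area} storage closed at HDPL{self.hdpl}")
        world = "NS" if area.endswith("NS") else "S"   # assumed EPOCH selection
        label = f"{area}|{self.epoch[world]}".encode()
        return hmac.new(self._rhuk, label, hashlib.sha256).digest()

    def _crypt(self, area, body):       # XOR keystream, a stand-in for SAES encryption
        key = self.dhuk(area)
        stream = hashlib.shake_256(key).digest(len(body))
        return key, bytes(a ^ b for a, b in zip(body, stream))

    def wrap(self, area, data):
        key, body = self._crypt(area, data)
        return hmac.new(key, body, hashlib.sha256).digest() + body

    def unwrap(self, area, blob):
        key, data = self._crypt(area, blob[32:])
        tag = hmac.new(key, blob[32:], hashlib.sha256).digest()
        if not hmac.compare_digest(tag, blob[:32]):
            raise ValueError("blob was not wrapped under this DHUK")
        return data

def attempt(fn, *args):
    try:
        return fn(*args)
    except (PermissionError, ValueError) as exc:
        return type(exc).__name__       # which rule refused the access

if __name__ == "__main__":
    dev, clone = H5Model(b"\x11" * 32), H5Model(b"\x22" * 32)  # constructed RHUKs
    blob = dev.wrap("HDPL2", b"uRoT key")   # HDPL1 code may use HDPL2 storage
    print(attempt(dev.unwrap, "HDPL2", blob), attempt(clone.unwrap, "HDPL2", blob))
```

In the model, a blob copied to a device with a different RHUK, or kept across a full regression, fails the tag check, while raising `hdpl` above the area's level closes the area before any key is derived.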


5. xxx