Introduction to Manufacturing for STM32H5

This message will disappear after all relevant tasks have been resolved.

Semantic MediaWiki

There are 1 incomplete or pending task to finish installation of Semantic MediaWiki. An administrator or user with sufficient rights can complete it. This should be done before adding new data to avoid inconsistencies.

Coming soon

1. Introduction to Manufacturing for STM32H5

Outsourcing of product manufacturing enables original equipment manufacturers (OEMs) to reduce their direct costs and concentrate on high-added-value activities, such as research and development, sales, and marketing. However, contract manufacturing puts the OEM's proprietary assets at risk, and since the contract manufacturer (CM) manipulates the OEM's intellectual property (IP), it might appear or be appropriated by other customers.
To meet the new market security requests and protect customers against any leakage of their IPs, STMicroelectronics introduces new security concepts and tools, permitting programming of OEM firmware into STM32 MCU internal Flash memory or external non-volatile memories in a secure way (with confidentiality, authentication and integrity checks). STM32 H5 Series devices support protection mechanisms that protect critical operations (such as cryptography algorithms) and critical data (such as secret keys) against unauthorized access.

2. Secure Manager

The Secure Manager is an STMicroelectronics trusted execution environment security framework that is compliant with Arm^® Platform Security Architecture (PSA) specifications for Cortex^®-M (Armv8-M).

The Secure Manager is aiming at simplifying the security development cycle of embedded applications by providing ready to use security services developed according to best practices.

It is linked to our STM32Cube ecosystem and made easy to be installed within our selected STM32 devices.

In addition to Secure Manager, STM32H5 MCUs are also equipped with new security features, such as Product life cycle, Isolation, Debug authentication, Secure Storage and Secure Boot.

Using these features on stand-alone basis requires solid security skills. However, STMicroelectronics offers a full solution owned and maintained by STMicroelectronics: Secure Manager. This solution provides a full set of security features targeting SESIP and PSA Level 3 certification. Secure Manager aims at simplifying the security development cycle of embedded applications, by providing ready-to-use security services developed following best practices.
Easy to install on STM32 products, Secure Manager offers a ready-to-use, high-performance and certified solution, supporting Secure Boot, root of trust, cryptography, internal trusted storage, initial attestation, as well as firmware update functions defined by the Arm^® PSA specifications.

For more general information about the Secure Manager please refer to the dedicated chapter.

In order to manage the Product life cycle, Secure Manager is delivered with a complete ecosystem composed of the following:

Secure Manager access kit (SMAK): The SMAK is used to develop nonsecure applications using the Secure Manager services.
Secure Module development kit (SMDK): The SMDK is used to develop secure modules and associated APIs to access these modules from nonsecure (NS) applications.

For more information on developing nonsecure applications using the Secure Manager services, refer to SMAK for STM32H5 article.
For more information about Secure Manager manufacturing, refer to SMAK for STM32H5 article.
For more information on developing secure modules, refer to SMDK for STM32H5 article.

3. SFI

The secure firmware install (SFI) solution provides security when programming devices in a non-trusted facility owned by a Contract Manufacturer (CM). SFI addresses the two main issues at a non-trusted facility:

OEM application confidentiality against CM during STM32 programming.
Avoid CM overproduction of OEM devices.

Without SFI, the OEM sends uncoded firmware to the CM. So, the application code is open to attacks or copies. The OEM must trust the CM, hoping that its application code is not stolen or tampered with and that the CM does not over-produce parts.
SFI offers a complete example with the STM32 Trusted Package Creator software package to encrypt the OEM application (including code and data), the STM32CubeProgrammer to flash the STM32 securely, and the STM32-HSM to transfer OEM credentials to the programming partner (CM).
For more general information about the secure firmware install please refer to the SFI dedicated chapter.

The STM32H5 series provide a security framework with a trusted execution environment: the Secure Manager. It simplifies the security development cycle of embedded applications, by providing ready-to-use security services that are developed following recommended industry standards.
The OEM can choose to develop its application using the Secure Manager or not.

These two procedures are described within the SFI for STM32H5 dedicated article.

4. SFIx

5. SSFI

6. Provisioning

A device deployed in the field operates in an untrusted environment and it is therefore subject to threats and attacks. To mitigate the risk of attack, the goal is to allow only authentic firmware to run on the device. Allowing the update of firmware images to fix bugs, or introducing new features or countermeasures, is commonplace for connected devices, but it is prone to attacks if not executed in a secure way.

To address these issues, STMicroelectronics developed the STiRoT which stands for ST immutable (unchangeable) Root Of Trust and acts as a first boot stage. This is a ROM code targeting a SESIP level 3 certified implementation.

STiRoT provides two services:

The Secure Boot (root of trust services) is an immutable code, which is always executed after a system reset. It activates runtime protections and then, it verifies the authenticity and integrity of the application code and data before every execution.
The Secure Firmware Update application is an immutable code that detects that a new application code or data image is available. It checks its authenticity, then checks the integrity of the new image before installing it after decryption.

Cryptography is used to ensure confidentiality, integrity, and authentication.

Confidentiality is implemented to protect the firmware image, which may be a key asset for the manufacturer. The firmware image sent over the untrusted channel is encrypted so that only the devices having access to the encryption key can decrypt the firmware package.
Integrity is verified to check that the received image is not corrupted.
Authenticity checks verify that the firmware image is coming from a trusted and known source, in order to prevent unauthorized entities to install and execute code.

For more general information about the STiRoT please refer to the dedicated chapter and for more information focused on the STM32H5 series please refer to the STiRoT for STM32H5 article.