Introduction to Manufacturing for STM32H5

This message will disappear after all relevant tasks have been resolved.

Semantic MediaWiki

There are 1 incomplete or pending task to finish installation of Semantic MediaWiki. An administrator or user with sufficient rights can complete it. This should be done before adding new data to avoid inconsistencies.

Coming soon

1. Introduction to Manufacturing for STM32H5

During the product development process, the original equipment manufacturers (OEMs) can subcontract the manufacturing to an OEM contract manufacturing (OEM CM) who will also manage the programming tools or refers to a third party programmer. The manufacturing therefore takes place in a untrusted environment putting proprietary assets at risk, and since the OEM CM manipulates the OEM's intellectual property (IP), it might appear or be appropriated by other customers.

To meet the new market security requests and protect customers against any leakage of their IPs, STMicroelectronics introduces new security concepts and tools, permitting programming of OEM firmware into STM32 MCU internal Flash memory or external non-volatile memories in a secure way (with confidentiality, authentication and integrity checks).

On the other hand a product manufactured in a trusted environment can still be vulnerable on the field. To increase robustness against attacks, STM32H5 Series offers solutions enabling firmware authentication and secure firmware updates using cryptography and memory protection mechanisms, allowing the protection of critical operations and data against unauthorized access.

2. Trusted Manufacturing

2.1. STiRoT

A device deployed in the field operates in an untrusted environment and it is therefore subject to threats and attacks. To mitigate the risk of attack, the goal is to allow only authentic firmware to run on the device. Allowing the update of firmware images to fix bugs, or introducing new features or countermeasures, is commonplace for connected devices, but it is prone to attacks if not executed in a secure way.

To address these issues, STMicroelectronics developed the STiRoT which stands for ST immutable (unchangeable) Root Of Trust and acts as a first boot stage. This is a ROM code targeting a SESIP level 3 certified implementation. STiRoT provides two services:

The Secure Boot (root of trust services) is an immutable code, which is always executed after a system reset. It activates runtime protections and then, it verifies the authenticity and integrity of the application code and data before every execution.
The Secure Firmware Update application is an immutable code that detects that a new application code or data image is available. It checks its authenticity, then checks the integrity of the new image before installing it after decryption.

The STiRoT activation is done by configuring the related option byte and defining the STiRoT configuration. STiRoT is activated in two different use case :

One boot stage: The STiROT manages directly the user application.
Two boot stages: The STiROT manages an updatable boot stage (uROT) located in the user flash memory which manages the user application. The updatable boot stage can be customized to fit customer needs.

The STiRoT configuration provides the possibility to define the number of manages images (firmware images only, or firmware and data images), the location of the images, and the cryptographic keys. Once the configuration is done an image is generated and the device can be programmed with the option bytes, the OBKeys and the generated image.

For more general information about the STiRoT please refer to the dedicated chapter and for more information focused on the STM32H5 series please refer to the STiRoT for STM32H5 article.

2.2. OEMiRoT

Instead of using the Root of Trust provided by STMicroelectronics, the STM32H5 series allows the OEM to develop and use their own Root of Trust solution.

OEMiRoT which stands for OEM immutable (unchangeable) Root of Trust is an example based on the MCUboot open-source software (refer to mcuboot) provided with STM32CubeH5. The OEMiRoT can be modified by the OEM to be tailored to their own application.

The given example also features the Secure Boot and the Secure Firmware Update as for the STiRoT. An OEM updatable RoT (OEMuRoT) can be generated from the OEMiRoT to act as a second boot stage after STiRoT.

For more information about the OEMiRoT for STM32H5 please refer to the dedicated chapter.

3. Untrusted Manufacturing

3.1. SFI

The secure firmware install (SFI) solution provides security when programming devices in a non-trusted facility owned by a Contract Manufacturer (CM). SFI addresses the two main issues at a non-trusted facility:

OEM application confidentiality against CM during STM32 programming.
Avoid CM overproduction of OEM devices.

Without SFI, the STM32 is programmed with clear code and data. So, the application code is open to attacks or copies. The OEM must trust the CM, hoping that its application code is not stolen or tampered with and that the CM does not over-produce parts.
SFI offers a complete solution with the STM32 Trusted Package Creator software package to encrypt the OEM application (including code and data), the STM32CubeProgrammer to flash the STM32 securely, and the STM32-HSM to transfer OEM credentials to the programming partner (CM).
For more general information about the secure firmware install please refer to the SFI dedicated chapter.

The STM32H5 series provide a security framework with a trusted execution environment: the Secure Manager. It simplifies the security development cycle of embedded applications, by providing ready-to-use security services that are developed following recommended industry standards.
The OEM can choose to develop its application using the Secure Manager or not.

These two procedures are described within the SFI for STM32H5 dedicated article.

3.2. SFIx

SFIx extends the SFI solution to support external memories connected to the STM32 device. SFIx uses the same tools as the regular SFI.

For more general information about the SFIx please refer to the dedicated chapter.

3.3. Secure Manager

The Secure Manager is an STMicroelectronics trusted execution environment security framework that is compliant with Arm^® Platform Security Architecture (PSA) specifications for Cortex^®-M (Armv8-M).

Secure Manager is an easy-to-use proprietary implementation of the PSA API, which is specifically optimized for STM35H5 MCUs. Easy to install on STM32 products, Secure Manager provides a way to manage the entire security ecosystem on the STM32 device.

During the manufacturing flow, the OEM gets the encrypted image of the Secure Manager from STMicroelectronics and prepares its encrypted firmware image containing its nonsecure application image, its secure module images, the OEM secrets.
The OEM can configure the Secure Manager during the installation phase or after, defining parameters such as the non-secure application installation key, the number of modules, and the ITS storage size.
The Secure Manager and the firmware can then be securely installed by the OEM, using keys defined during the process.

The following figure describes the Secure Manager manufacturing preparation and installation flow.

For more general information about the Secure Manager please refer to the dedicated chapter.

The Secure Manager is delivered with a complete ecosystem in order to manage the product life cycle. This ecosystem is composed of :

The Secure Manager access kit (SMAK): used to develop nonsecure applications using the Secure Manager services.
The Secure Module development kit (SMDK): used to develop secure modules and associated APIs to access these modules from nonsecure applications.

For more information on developing nonsecure applications using the Secure Manager services, refer to SMAK for STM32H5 article.
For more information about Secure Manager manufacturing, refer to SMAK for STM32H5 article.
For more information on developing secure modules, refer to SMDK for STM32H5 article.