STiRoT stands for ST immutable (unchangeable) Root Of Trust. The STiRoT is embedded in all STM32H7S devices.
1. Introduction
The purpose of this article is to provide the necessary background to understand and execute the related How to start with STiRoT on STM32H7S and How to start with STiRoT OEMuRoT on STM32H7S wiki articles.
This article describes STiRoT process steps developed in STM32CubeH7RS firmware provided by ST.
For more details about STiRoT please refer to STiRoT for STM32H7S .
Further information about security features and secure boot are available in the next two articles :
2. STiRoT services
The two STiRoT services that are provided are used in the How to start with STiRoT on STM32H7S.
- 1) The Secure Boot (Root of Trust services):
- It is an immutable code that runs after every system reset. It activates STM32 runtime protections and verifies the authenticity and integrity of the application code before every execution.
- Integrity: to ensure that no corrupted or maliciously modified firmware is about to run.
- Authenticity: to verify that firmware comes from a trusted and known source to prevent unauthorized entities from installing and executing code.
- Integrity: to ensure that no corrupted or maliciously modified firmware is about to run.
- It is an immutable code that runs after every system reset. It activates STM32 runtime protections and verifies the authenticity and integrity of the application code before every execution.
- 2) The Secure Firmware Update:
- It is an immutable code that detects if a new firmware image is available, checks its authenticity and verifies the integrity of the code before installing it after decryption.
3. STiRoT use cases and processes
3.1. One Boot Stage
STiRoT can be used in two configurations, one boot stage or two boot stages. A script guiding the user through these two configurations is provided in the STM32Cube_FW_H7RS. A loader code called iLoader is also available, allowing to transfer application images between different memory slots.
In the one boot stage configuration the STiRoT directly manages the user application installation and execution.
User Application installation :
- In CLOSED or LOCKED state the RSS jumps into STiRoT if the option byte IROT_SELECT is properly set.
- STiRoT requests the iLoader to load the new User Application image into internal RAM memory.
- The iLoader copies the new image from the download slot located in external flash memory to the internal RAM memory then generates a reset.
- After the reset STiRoT decrypts the new User Application image then controls its integrity and its authenticity. If successful, STiRoT request the iLoader to save the new User Application image to external flash memory.
- The iLoader copies the new image from internal RAM to the installation slot in external flash memory and then generates a reset. When copying, the user application code image is re-encrypted by MCE IP. The encryption key has been configured and locked in MCE by STiRoT.
- In CLOSED or LOCKED state the RSS jumps into STiRoT if the option byte IROT_SELECT is properly set.
Note : HDPL refers to Hardware Protection Level, which is a temporal isolation mechanism used to isolate boot assets during boot sequence. For more information please refer to the dedicated chapter Temporal Isolation.
Once the User Application has been installed STiRoT will manage its execution :
- In CLOSED or LOCKED state the RSS jumps into STiRoT if the option byte IROT_SELECT is properly set.
- STiRoT requests the iLoader to load the User Application image into internal RAM memory.
- The iLoader copies the image from the installation slot in external flash memory to the internal RAM memory then generates a reset. The image is automatically decrypted by MCE using the AES key configured and locked inside MCE by the STiRoT.
- After the reset STiRoT controls the integrity and authenticity of the image. If successful, STiRoT jumps into the User Application code.
- In CLOSED or LOCKED state the RSS jumps into STiRoT if the option byte IROT_SELECT is properly set.
3.2. Two Boot Stages
In the two boot stages configuration, the STiRoT manages an updatable boot stage (OEMuRoT) which manages the user application. The updatable boot stage can be customized to fit the customer needs.
The installation follows the same steps as for the one boot stage configuration, the iLoader loads the OEMuRoT image from the download slot into the RAM, controls its integrity and its authenticity and then copies the image into the installation slot in external memory.
After the OEMuRoT installation is done, the STiRoT will manage the execution :
- In CLOSED or LOCKED state the RSS jumps into STiRoT if the option byte IROT_SELECT is properly set.
- After executing the secure firmware update process, STiRoT requests the iLoader to load the OEMuROT image into internal RAM.
- The iLoader copies the image from the installation slot to the internal RAM.
- STiRoT controls the integrity and authenticity of the image. If successful, STiRoT executes OEMuROT in internal RAM.
- OEMuROT checks if a new user application is stored in the download slot. If any, OEMuROT decrypts it and controls its integrity and its authenticity. If successful, the image is copied in the user application installation slot. The image is re-encrypted by the MCE with OEMuROT encryption keys.
- OEMuROT controls the integrity and the authenticity of the user application from the installation slot. If successful, OEMuROT executes it from external flash memory. The user application can also be executed from external RAM memory.
- In CLOSED or LOCKED state the RSS jumps into STiRoT if the option byte IROT_SELECT is properly set.
4. STiRoT configuration preliminary stage
4.1. Product state definition
The product states define the security level of the product. Four levels are available :
- Open:
- Debug entirely open.
- Bootloader available.
- State mainly used during development.
- Provisioning:
- Debug access only available if DA-Config is previously provisioned. Full-Regression and Intrusive Debug are the only allowed regressions.
- Bootloader available.
- Secure Firmware Install (SFI) can be initiated. It is not possible in Closed and Locked states.
- State defined during the product provisioning and is therefore not a selectable state.
- Closed:
- Debug closed but can be still opened through Debug Authentication.
- State defined when the product is entirely provisioned.
- Locked:
- Final and immutable product state.
- Debug definitively closed even through Debug Authentication.
- Regression is not possible anymore.
- State used for the fully provisioned product.
For the two provided examples, the device will be first in Open state, then in Provisioning during the script execution. Once the images are installed, the script will Close or Lock the device according to the user's choice.
Be careful when using the Locked state, it is permanent and irreversible.
The product state must be chosen depending on the user application development phase and the security level needed.
In the STM32CubeH7RS firmware the script provisioning.bat allows the user to select a product state and sets it by modifying the right option bytes.
4.2. Debug Authentication configuration
The Debug Authentication allows the user to securely re-open the debug access or perform regressions from Closed state only.
Two methods are available to use the Debug Authentication :
- Password authentication allows only full regression to OPEN state.
- Certificate authentication allows regression and debug opening.
For more details about debug authentication mechanism please refer to Debug Authentication for STM32H7RS.
4.3. iLoader compilation
The STiRoT never accesses the external flash memory and relies on an immutable loader installed in the user flash to handle the transfers between internal RAM and the external flash memory.
The iLoader is an example of an immutable loader application code provided in the STM32Cube_FW_H7RS including functions to manage the iLoader features.
5. Configuration management
5.1. STiRoT configuration
STM32TrustedPackageCreator tool is used to generate the STiRoT configuration file (.obk) based on the template STiROT_Config.xml provided in STM32CubeH7RS software package.
Multiple parameters can be set by the user :
- The start address of the firmware area (internal RAM).
- The size of the firmware area.
- The start address of the firmware installation area (external flash).
- The start address of the firmware download area (external flash).
- The minimal product state allowed for the firmware execution.
Two keys are configurable :
- The encryption key allows to encrypt the firmware image.
- The authentication key allows to authenticate the firmware image.
For STiRoT use case STiRoT configuration file (.obk) is encrypted and saved in HDPL1 OBkeys.
For the two boot stage use case, other parameters can be updated in the OEMuRoT boot firmware (in this use case the OEMiRoT boot application will act as the OEMuRoT). This firmware must be able to perform the authenticity and integrity checks of the user application and data images. It also configures the number of user applications and images.
5.2. Debug Authentication configuration
STM32TrustedPackageCreator also generates the Debug Authentication configuration file (.obk) based on template provided in STM32CubeH7RS software package. This file configures the conditions to reopen a protected device and the debugger.
For more details about debug authentication mechanisms, please refer to Debug Authentication for STM32H7RS MCUs.
6. Images generation
STM32CubeH7RS FW package delivers Boot firmware and User firmware projects for OEMiRoT use case in Applications\ROT folder.
During this step the firmware STiRoT_Appli is compiled and image generation of the user application is automatically done (STM32TrustedPackageCreator is called in a postbuild script). For the two boot stage use case, the OEMiRoT firmware (used as the OEMuRoT firmware) will also be compiled and image generation of the user application is automatically done.
7. Provisioning
During this step the script will automatically provision the option bytes and flash the images generated in the previous step. The product state is then set to the selected one.
8. Regression
A regression from Closed state can be performed through the graphic interface of the STM32CubeProgrammer or through the regression script provided in the STM32CubeH7RS software package.
9. How to start with STM32H7S and STiRoT
For getting started examples of STiRoT you can refer to the following pages :
- For one boot stage : How to start with STiRoT on STM32H7S.
- For two boot stages : How to start with STiRoT OEMuRoT on STM32H7S.