ST67W611M Security Overview


1. Overview presentation

Protecting the ST67W611M from unauthorized access and tampering is important for maintaining the platform's reliability and safety. This document describes the key security goals for firmware and the methods used to achieve them.

1.1. Security goals and mechanisms

Primary goal: The primary security goal is to ensure that only authenticated firmware runs on the ST67W611M. This is achieved through digital signatures and a Public Key Infrastructure (PKI) that verify the authenticity of the firmware. Firmware confidentiality is not protected: the binaries are provided in clear (unencrypted) form.

Secondary goal: The secondary goal is to support anti-rollback mechanisms, which prevent the installation of older, potentially vulnerable firmware versions.

1.2. Firmware structure

Two modes are provided, each with a header containing a digital signature and versioning information:

  1. Mission mode:
    • Bootloader binary:
      • Authenticated by the ROM code during the initial boot process
      • Includes versioning information to ensure that only the latest version is used, preventing rollback to an older version
    • Mission profile binary:
      • A Wi-Fi® & Bluetooth® LE binary used for operational tasks
      • Authenticated by the bootloader to ensure its integrity and authenticity before execution
  2. Manufacturing mode:
    • Bootloader binary (same as above):
      • Authenticated by the ROM code during the initial boot process
      • Includes versioning information to ensure that only the latest version is used, preventing rollback to an older version
    • MFG firmware binary:
      • Used for test and production configuration
      • Authenticated by the bootloader to ensure its integrity and authenticity before execution

Additionally, the bootloader performs a versioning check on the firmware to ensure that only the latest version is installed, further supporting the anti-rollback mechanism.

1.3. Implementation

In Wi-Fi ICs, the root of trust is established through the combination of ROM and One-Time Programmable (OTP) memory.

  • ROM: This is a Read-Only Memory that contains the primary bootloader and is immutable after manufacturing. It initializes the hardware and performs the initial security checks.
  • OTP Memory: This nonvolatile memory can be programmed only once and is used to store cryptographic keys and other security-critical information. The root of trust is the foundation on which all authentication is based: authentication is asymmetric and relies on the public key and versioning information stored in OTP.
Information: The manufacturing (mfg) binary and the Wi-Fi mission profile binary must carry the same version. If one of them advanced the version to a higher value, the anti-rollback check would then prevent the other binary from executing.
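To make the boot-time checks and the shared-version constraint concrete, here is an added Go model; it is not ST's code, and the image layout, the Ed25519 algorithm and the names OTP, BuildImage, Authenticate and Install are assumptions chosen for illustration, not the ST67W611M's real header format or interfaces. It shows the bootloader verifying the signature against the public key held in OTP before comparing the image version with the OTP anti-rollback counter, and why two binaries sharing one counter must carry the same version.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// OTP models the root of trust: public key plus anti-rollback counter, written once.
type OTP struct {
	PubKey ed25519.PublicKey
	MinVer uint32
}

// Image = 4-byte LE version | payload | Ed25519 signature over both (constructed layout, not ST's).
func BuildImage(priv ed25519.PrivateKey, ver uint32, payload []byte) []byte {
	buf := make([]byte, 4)
	binary.LittleEndian.PutUint32(buf, ver)
	buf = append(buf, payload...)
	return append(buf, ed25519.Sign(priv, buf)...)
}

// Authenticate performs the bootloader's checks in order: signature first, then version.
func Authenticate(otp *OTP, img []byte) (uint32, error) {
	if n := len(img) - ed25519.SignatureSize; n < 4 || !ed25519.Verify(otp.PubKey, img[:n], img[n:]) {
		return 0, errors.New("signature invalid or image malformed: image rejected")
	}
	ver := binary.LittleEndian.Uint32(img[:4])
	if ver < otp.MinVer {
		return 0, fmt.Errorf("rollback rejected: version %d < OTP minimum %d", ver, otp.MinVer)
	}
	return ver, nil
}

// Install accepts an image and advances the shared counter when the image is newer.
func Install(otp *OTP, img []byte) error {
	ver, err := Authenticate(otp, img)
	if err == nil && ver > otp.MinVer {
		otp.MinVer = ver // in hardware this is a one-way OTP write
	}
	return err
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed key pair for the demo
	otp := &OTP{PubKey: pub, MinVer: 3}
	fmt.Println(Install(otp, BuildImage(priv, 4, []byte("mfg firmware"))))    // accepted, counter -> 4
	fmt.Println(Install(otp, BuildImage(priv, 3, []byte("mission profile")))) // rollback rejected
}
```

Running it shows the failure mode the note describes: once the mfg image at version 4 has bumped the counter, the still-valid mission profile at version 3 can no longer boot.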

1.3.1. Tooling

For more information on the tools used to extract the security configuration (including software version and key revocation), update the firmware in flash, and select between the manufacturing and mission profiles for the Network Coprocessor, see the wiki page Connectivity:Wi-Fi MCU Hardware Setup.