1. What is debug authentication ?
The user leverages on the debug authentication security feature to either:
- Perform secure regression testing on the OPEN or TZ-CLOSED product states, erasing user data in user flash memory, SRAM and OBKeys.
- Safely re-open debug access on the STM32.
Debug authentication can be used when the STM32 is in product state PROVISIONNING up to product state CLOSED.
Debug authentication only grants its services when user enters a legitimate user password or a certificate authentication.
The STM32 life cycle management drives the STM32 debug authentication method, password or certificate. Refer to the life-cycle management section of the appropriate STM32 reference manual on how to implement the debug authentication security feature.
The user sends a password or certificicate to the STM32 via a limited debug access port that does not grant access to STM32 hardware resources such as the CPU registers, memory, peripheral registers, and so on. When a debug access on a closed device is opened, a new debug access port is also opened, granting access to the STM32 hardware resources.
Refer to the following items for more information:
- New product state
- STM32 ARM TrustZone enablement or not.
1.1. Password
In order to access the debug authentication feature, the host sends the debug authentication password to the STM32. When the STM32 receives the password, it verifies that it corresponds to the one that is provisioned.
1.2. Certificate
When the user access the debug authentication feature (regression or debug re-opening), he sends first a certificate and a debug authentication action request to the STM32. When the STM32 receives the certificate, it verifies that:
- Certificate fits the one that is provisioned.
- The authorized actions sent with the certificate match the ones provisioned.
- The action request matches the authorized action list carried by the certificate.
The STM32 starts the challenge-response procedure (Step 2 and Step 3): the STM32 verifies that the host owns the debug authentication private key before performing the requested action (regression or debug re-opening).
The certificate carries the requested action.
The next figure illustrates how the STM32 blocks the debug authentication action request when authorized actions in certificate do not match the provisioned authorized actions.
The figure below illustrates how the STM32 blocks the debug authentication action request because the action request does not fit with certificate authorized actions.
The figure below illustrates that the certificate authorized actions fits the provisioned authorized action and the action request fits the certificate authorized actions, then STM32 grants debug authentication action request.
2. Provisioning
Before configuring the STM32 in a product in a more secured state below PROVISIONING (this is PROVISONED, TZ-CLOSED or CLOSED) , user must provision either:
- The hash of the certificate public key and authorized actions. The authorized actions are a combination of regression, partial regression and debug re-opening.
or
- The hash of the password.
3. Regression
3.1. Full regression
Debug authentication erases the whole of the user flash memory, SRAM and OBKEys1. Full regression erases the debug authentication provisioned data, which is the certificate and authorized actions, hence the user must provision debug authentication data once again. After full regression, the STM32 is in the OPEN product state.
Note1: When the STM32 supports OBKeys.
3.2. Partial regression
Debug authentication erases non-secure user flash memory, non-secure SRAM and non-secure OBKEys1. After partial regression, the STM32 is in the TZ-CLOSED product state.
Note that the STM32 that does not support TrustZone or when TrustZone is not enabled does not support partial regression.
Note1: When the STM32 supports OBKeys.
4. Debug Re-opening
Only debug authentication by certificate supports debug re-opening. After debug re-opening, the user can debug the STM32. Debug re-opening does not change the STM32 product state. Debug re-opening is temporary, power off the STM32 disables debug re-opening and debug is closed again.