In the context of symmetric or asymmetric cryptography, protecting secret keys is essential. To address this need, ST proposes a solution that ensures keys remain secret at all times and are usable only on a specific device. On STM32, two elements are required:
- The first element is a hardware coupling and chaining bridge (CCB) that isolates key manipulation within hardware cryptographic IPs.
- The second element is a Root Security Services extension (RSSe) library that allows user firmware to use the secret key without providing access to the key itself. In this document, the library is referred to as RSSe KW (RSSe for Key Wrap), and its output is referred to as the wrapped key.
A detailed description of RSSe KW is provided in AN6278.
List of applicable products:
| Type | Products |
|---|---|
| Microcontroller | STM32U385xx |
1. RSSe KW for DUA
Provisioning unique keys may be required for some use cases, such as initial attestation. This step is crucial, and guaranteeing the uniqueness and confidentiality of the keys can be costly. STMicroelectronics addresses this challenge by provisioning each applicable STM32 device with unique key pairs, called device unique authentication (DUA) keys, in secure facilities. These keys are 256-bit elliptic curve cryptographic (ECC) keys. The public key is accessible through a certificate signed by an STMicroelectronics certificate authority (CA), while the wrapped private key is accessible only through the RSSe KW.
2. RSSe KW principles overview
RSSe KW is a library implemented in STM32 microcontrollers that receive wrapped DUA keys in trusted facilities. The main goal of the RSSe KW is to provide wrapped keys usable only on one specific device. The RSSe KW prevents the sensitive keys from:
- Being accessed by any firmware or debugging access.
- Being used by another device (including another STM32).
3. DUA wrapped key usage contexts
The output of the RSSe KW includes the selected DUA key, wrapped for a specific context, and the elements required to use it. On STM32U3 devices, the specific context depends on the following:
- The security state: secure or nonsecure
- The privilege state: privileged or unprivileged
- The key usage: signature computation or scalar multiplication computation (for ECC keys)
All these elements can be selected when starting the key wrap command.
The list of allowed contexts is:
| Key wrapped | Security state | Privilege state | Key usage |
|---|---|---|---|
| DUA License Usage key | secure | privileged | signature |
| DUA License Usage key | secure | privileged | scalar multiplication |
| DUA License Usage key | nonsecure | privileged | signature |
| DUA License Usage key | nonsecure | privileged | scalar multiplication |
| DUA User key | secure | privileged | signature |
| DUA User key | secure | privileged | scalar multiplication |
| DUA User key | nonsecure | privileged | signature |
| DUA User key | nonsecure | privileged | scalar multiplication |
4. RSSe KW interface
Using Cube Programmer, the user can obtain the wrapped key with one command. The output container is stored in a binary file selected by the user.
If a custom tool is used, install the RSSe KW in STM32 RAM before receiving the KW command, as described in AN6278.