Secure firmware install (SFI) is a security mechanism implemented in STM32 microcontrollers that allows secure and counted installation of OEM firmware in an untrusted production environment, such as an OEM contract manufacturer. The SFI process prevents the OEM firmware code from:
- Being accessed by the contract manufacturer
- Being extracted
- Being disclosed
A detailed description of SFI is provided in AN4992.
List of applicable products:
| Type | Products |
|---|---|
| Microcontroller | STM32U375xx, STM32U385xx, STM32U3B5xx, STM32U3C5xx |
1. Introduction
The STM32U3 microcontrollers support secure firmware install (SFI) on internal flash memory only, by means of a dedicated RSSe (root secure services extension) delivered in the X-CUBE-RSSe STM32Cube Expansion Package.
The SFI procedure on STM32U3 microcontrollers is similar to the SFI procedure applied to other platforms. To run the SFI procedure on STM32U3 microcontrollers, follow the instructions in SFI step-by-step on STM32 boards.
2. Preparation flow
Once the OEM application has been developed, the OEM must prepare and test the SFI image to be installed during manufacturing.
For that purpose, the OEM must use the STM32 Trusted Package Creator tool.
The purpose of this step is to:
- Prepare the encrypted firmware image for installation. This image is called the SFI image. The SFI image consists of the OEM application and additional components, including OEM secrets and OEM option bytes.
- Provision the OEM key that is used to encrypt the firmware image within a hardware security module (HSM).
2.1. SFI image generation
The OEM must provide the following inputs:
- The OEM application: The OEM must provide its application binary.
- The OEM secrets: The OEM secrets are the OEM data and the OEM keys.
- The OEM option bytes configuration
The Trusted Package Creator encrypts the SFI image inputs with the OEM key and generates the SFI image.
The SFI image is an encrypted file that contains the OEM application, OEM secrets, and OEM option bytes.
2.2. OEM key provisioning
The OEM must provide the OEM key to the contract manufacturer (CM) in a way that prevents the CM from reading or extracting it: only the STM32 device itself can process the OEM key. In the SFI solution, the OEM provisions the OEM key into a hardware security module (HSM) using the Trusted Package Creator, and the CM receives the HSM rather than the key. As a result:
- Only the STMicroelectronics STM32 microcontrollers can securely install the SFI image.
- The authenticity, integrity, and confidentiality of the SFI image content are ensured.
Because the HSM keeps an installation counter, the number of STM32 devices programmed with the SFI image can be counted and limited to what the OEM provisioned.
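The preparation and installation flow above (encrypted SFI image, OEM key held in a counted HSM, CM host that never sees the key) is modelled below as an added example. It is not ST's SFI image format, Trusted Package Creator output, or RSSe code: the cipher (HMAC-SHA256 keystream with encrypt-then-MAC), the image layout, the `ModelHSM`/`ModelDevice` classes and the sample inputs are all constructed here for illustration, and the secure channel between the real HSM and the STM32 RSSe is not modelled. What it shows is the security claims the text makes: the CM host handles only ciphertext, a tampered image is rejected before anything is written, and the HSM refuses to serve more devices than its counter allows.

```python
"""Illustrative model of SFI image preparation and counted installation.

Added example, not ST code. The cipher, image layout and classes are
assumptions made for illustration only (stdlib, runs offline).
"""
import hashlib
import hmac
import struct

MAGIC = b"SFI-MODEL"   # constructed header, not the real SFI format
NONCE_LEN = 16
TAG_LEN = 32


def _subkey(oem_key: bytes, label: bytes) -> bytes:
    """Derive separate encryption and MAC keys from the OEM key."""
    return hmac.new(oem_key, label, hashlib.sha256).digest()


def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """PRF in counter mode (HMAC-SHA256) used as a toy stream cipher."""
    stream = bytearray()
    block = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + struct.pack(">I", block), hashlib.sha256).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def build_sfi_image(oem_key: bytes, application: bytes, secrets: bytes,
                    option_bytes: bytes, nonce: bytes) -> bytes:
    """Modelled Trusted Package Creator step: encrypt the three inputs with
    the OEM key and append a MAC (encrypt-then-MAC) so the device can check
    authenticity and integrity before installing anything."""
    payload = b"".join(struct.pack(">I", len(p)) + p
                       for p in (application, secrets, option_bytes))
    body = MAGIC + nonce + _xor_stream(_subkey(oem_key, b"enc"), nonce, payload)
    return body + hmac.new(_subkey(oem_key, b"mac"), body, hashlib.sha256).digest()


class ModelHSM:
    """Holds the OEM key. The CM host can only ask it to release the key to a
    device; it cannot read the key. Each release decrements the counter."""

    def __init__(self, oem_key: bytes, max_installs: int):
        self._key = oem_key
        self.remaining = max_installs

    def release_key_to_device(self, device: "ModelDevice") -> None:
        if self.remaining == 0:
            raise PermissionError("HSM installation counter exhausted")
        self.remaining -= 1
        device._accept_key(self._key)   # real SFI: secure HSM-to-RSSe channel, not modelled


class ModelDevice:
    """Stands in for the STM32 RSSe: verifies, decrypts and installs."""

    def __init__(self):
        self._key = None
        self.flash = None

    def _accept_key(self, key: bytes) -> None:
        self._key = key

    def install(self, image: bytes) -> dict:
        if self._key is None:
            raise PermissionError("no OEM key released for this device")
        body, tag = image[:-TAG_LEN], image[-TAG_LEN:]
        expected = hmac.new(_subkey(self._key, b"mac"), body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag) or not body.startswith(MAGIC):
            raise ValueError("SFI image authentication failed")
        nonce = body[len(MAGIC):len(MAGIC) + NONCE_LEN]
        payload = _xor_stream(_subkey(self._key, b"enc"), nonce, body[len(MAGIC) + NONCE_LEN:])
        parts, off = [], 0
        for _ in range(3):
            (n,) = struct.unpack(">I", payload[off:off + 4])
            parts.append(payload[off + 4:off + 4 + n])
            off += 4 + n
        self.flash = {"application": parts[0], "secrets": parts[1], "option_bytes": parts[2]}
        self._key = None   # key is used for this install only
        return self.flash


def run_manufacturing(image: bytes, hsm: ModelHSM, devices: list) -> list:
    """The CM's programming loop: it forwards the ciphertext image and asks the
    HSM for each device; it never holds the key or the plaintext."""
    results = []
    for dev in devices:
        try:
            hsm.release_key_to_device(dev)
            dev.install(image)
            results.append("installed")
        except PermissionError:
            results.append("refused")      # counter exhausted
        except ValueError:
            results.append("rejected")     # tampered or wrong-key image
    return results


def demo() -> dict:
    """Constructed sample run: 3 devices against a 2-install HSM, plus a bit-flipped image."""
    oem_key = hashlib.sha256(b"constructed OEM key").digest()
    app = b"\x00\x10\x00\x20\x09\x01\x00\x08" + b"sample application code"
    image = build_sfi_image(oem_key, app, b"device keys", b"RDP=1", bytes(range(NONCE_LEN)))
    devices = [ModelDevice() for _ in range(3)]
    results = run_manufacturing(image, ModelHSM(oem_key, max_installs=2), devices)
    tampered = image[:-40] + bytes([image[-40] ^ 0x01]) + image[-39:]
    tamper = run_manufacturing(tampered, ModelHSM(oem_key, max_installs=1), [ModelDevice()])
    return {"results": results, "tamper": tamper,
            "plaintext_visible_to_cm": app in image,
            "installed_app": devices[0].flash["application"]}
```

The point of the `run_manufacturing` loop is that the only objects the CM host touches are the ciphertext image and opaque HSM and device handles; reading the key or the plaintext would require breaking the HSM or the device, which is exactly the boundary SFI relies on.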
3. Installation flow
The installation procedure is similar to the generic SFI installation procedure, which is deployed on other STM32 products supporting SFI.