Latest revision as of 10:50, 27 November 2020
1. Overview
The STM32 MPUs embed tamper detection management. Tamper management and configuration have been added to the secure OS to select and detect events.
STM32MP15 microprocessors offer 5 internal tampers and 3 external tampers.
The internal tampers are the following:
- RTC voltage domain monitoring
- LSE monitoring
- HSE monitoring
- RTC calendar overflow
- Monotonic counter overflow
External tampers can be configured to be passive or active.
On a tamper event detection, the backup registers are cleared and the Backup SRAM is read-protected and cannot be accessed until the next reset.
The automatic erase mode can be configured for external tampers. It is enabled by default but can be turned off if the user application needs to control erase operations.
2. Software configuration
Warning: The tamper driver only exists in the Trusted Firmware-A. It is not yet available in OP-TEE.
Internal and external tampers have to be configured in:
- TAMP device tree configuration
- Secure OS main security configuration file (plat/st/stm32mp1/sp_min/sp_min_setup.c in TF-A).
This second part is statically defined and must be customized depending on the application needs. The file contains two static tables, one for internal tampers, another for external ones.
2.1. Internal tampers
The structure below registers an internal tamper:

    struct stm32_tamp_int {
        int id;
        void (*func)(int id);
    };

The internal tamper structure contains:
- an ID, linked to the existing SoC internal tamper
- a function that is called when a tamper event is detected. This function can be customized. By default, it just prints the tamper ID and resets the SoC.
A static list of tampers is automatically registered during the main security loop.

    static struct stm32_tamp_int int_tamp[PLAT_MAX_TAMP_INT] = {
        {
            .id = ITAMP1,
            .func = stm32mp1_tamper_action,
        },
        ...
    };

By default, only internal tampers 1, 2, 3 and 4 are enabled.
2.2. External tampers
The structure below registers an external tamper:

    struct stm32_tamp_ext {
        int id;
        uint8_t mode;
        uint8_t erase;
        uint8_t evt_mask;
        void (*func)(int id);
    };

The external tamper structure contains:
- an ID, linked to the SoC external tamper
- a mode that depends on the filter count parameter (described below in this article):
  - TAMP_TRIG_OFF: Low trigger for passive tamper or input rising edge
  - TAMP_TRIG_ON: High trigger for passive tamper or input falling edge
  - TAMP_ACTIVE: Active tamper selected
- an erase mode, for backup registers and Backup SRAM:
  - TAMP_NOERASE: no automatic erase
  - TAMP_ERASE: automatic erase
- an event mask:
  - TAMP_NO_EVT_MASK: The tamper event must be cleared by software
  - TAMP_EVT_MASK: When the event is detected, the tamper is masked and internally cleared. No erase is performed.
- a function pointer: the function that is called when the tamper is detected
Below is a configuration example that enables two external tampers:

    static struct stm32_tamp_ext ext_tamp[PLAT_MAX_TAMP_EXT] = {
        {
            .id = EXT_TAMP1,               // External tamper 1
            .mode = TAMP_TRIG_ON,          // Tamper trigger event
            .erase = TAMP_NOERASE,         // Backup registers are not erased
            .evt_mask = TAMP_NO_EVT_MASK,  // Mask is not set
            .func = NULL,                  // No function
        },
        {
            .id = EXT_TAMP2,               // External tamper 2
            .mode = TAMP_ACTIVE,           // Active tamper selected
            .erase = TAMP_NOERASE,         // Backup registers and backup SRAM are not erased
            .evt_mask = TAMP_NO_EVT_MASK,  // Mask is not set
            .func = NULL,                  // No function
        },
        TAMP_UNUSED,
    };

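A review check for the external tamper table, added here as an example (it is not TF-A code and not part of the original article): it flags entries where neither automatic erase nor a callback is configured, and entries that request TAMP_ERASE while TAMP_EVT_MASK is set. The enum values, the LINT_* bits, lint_ext_tamp and on_tamper are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Stand-ins so the check builds off-target. Names are from the page; the
 * numeric values are placeholders, not those of stm32_tamp.h. */
enum { TAMP_TRIG_OFF, TAMP_TRIG_ON, TAMP_ACTIVE };  /* .mode */
enum { TAMP_NOERASE, TAMP_ERASE };                  /* .erase */
enum { TAMP_NO_EVT_MASK, TAMP_EVT_MASK };           /* .evt_mask */
enum { EXT_TAMP1 = 1, EXT_TAMP2, EXT_TAMP3 };       /* .id */

struct stm32_tamp_ext {
    int id;
    uint8_t mode;
    uint8_t erase;
    uint8_t evt_mask;
    void (*func)(int id);
};

/* Hypothetical finding bits (not part of TF-A). */
#define LINT_NO_REACTION   0x1U  /* no automatic erase and no callback */
#define LINT_MASKED_ERASE  0x2U  /* TAMP_ERASE requested but event is masked */

/* Review a table of n declared external tampers; returns OR of findings. */
unsigned int lint_ext_tamp(const struct stm32_tamp_ext *t, size_t n)
{
    unsigned int findings = 0U;

    for (size_t i = 0; i < n; i++) {
        /* Nothing in the table reacts to this tamper event. */
        if (t[i].erase == TAMP_NOERASE && t[i].func == NULL)
            findings |= LINT_NO_REACTION;
        /* Per the page, a masked event is cleared internally without erase. */
        if (t[i].evt_mask == TAMP_EVT_MASK && t[i].erase == TAMP_ERASE)
            findings |= LINT_MASKED_ERASE;
    }
    return findings;
}

/* Constructed callback and tables: the page's example, then a stricter one. */
static void on_tamper(int id) { (void)id; /* platform reaction goes here */ }

const struct stm32_tamp_ext page_example[] = {
    { EXT_TAMP1, TAMP_TRIG_ON, TAMP_NOERASE, TAMP_NO_EVT_MASK, NULL },
    { EXT_TAMP2, TAMP_ACTIVE,  TAMP_NOERASE, TAMP_NO_EVT_MASK, NULL },
};
const struct stm32_tamp_ext stricter[] = {
    { EXT_TAMP1, TAMP_TRIG_ON, TAMP_ERASE, TAMP_NO_EVT_MASK, on_tamper },
    { EXT_TAMP2, TAMP_ACTIVE,  TAMP_ERASE, TAMP_NO_EVT_MASK, on_tamper },
};
```

A LINT_NO_REACTION finding is a prompt to confirm that the application really handles erase itself, which is the case the article gives for turning automatic erase off.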
External tampers require the filtering mode (for passive tampers) or the active mode selection to be configured. The configuration is performed in the same secure OS main security configuration file (plat/st/stm32mp1/sp_min/sp_min_setup.c in TF-A), inside the init_sec_peripherals function.
The filter_conf and active_conf values must be configured according to the values defined in stm32_tamp.h (include/drivers/st/stm32_tamp.h in TF-A).
Below is an example of a filtering configuration for a passive tamper with pull-up disabled, 2 RTC cycles for precharge, 1 count event for detection (level detection), and a sampling frequency set to 16,384 Hz:

    uint32_t filter_conf = TAMP_FLTCR(TAMP_FILTER_PULL_UP_DISABLE,
                                      TAMP_FILTER_DURATION_2_CYCLES,
                                      TAMP_FILTER_COUNT_1,
                                      TAMP_FILTER_SAMPLING_16384);

Below is an example of an active tamper filtering configuration.
Based on the external tamper declaration above, tamper 2 is the only one defined as active.
The configuration (for all active tampers) is the following:
- global active filtering enabled
- tamper compared to the defined tamp_out selection
- output charge period set to 2 x CK_ATPRE * prescaler clock period, with the clock configured to RTCCLK/2
- tamp_out selection 2 set to external tamper 1 output

    uint32_t active_conf = TAMP_ACT(TAMP_ACTIVE_FILTER_ON,
                                    TAMP_ACTIVE_ATO_TAMPOUTSEL,
                                    TAMP_ACTIVE_APER_1_OUTPUT,
                                    TAMP_ACTIVE_CKSEL_DIV_2,
                                    TAMP_ACTIVE_ATOSEL_OUT2_(0));