Last edited 3 years ago

STM32MP15 Tamper configuration

1 Overview

The STM32 MPU embeds tamper detection management. Tamper management and configuration have been added into the secure OS to configure and detect events.

STM32MP15 offers 5 internal and 3 external tampers.

Internal tampers are:

  • RTC voltage domain monitoring
  • LSE monitoring
  • HSE monitoring
  • RTC calendar overflow
  • Monotonic counter overflow

External tampers can be configured to be passive or active.

When a tamper event is detected, the backup registers are cleared and the Backup SRAM is read-protected and not accessible until the next reset.

Automatic erase mode can be configured for external tampers. It is enabled by default but can be turned off when the user application controls the erase itself.

2 Software configuration

Warning
The tamper driver only exists in the Trusted Firmware-A, not yet in OP-TEE.

Internal tampers and external tampers have to be configured into:

This second part is statically defined and must be customized depending on the application needs. The file contains two static tables, one for internal tampers, another for external ones.

2.1 Internal tampers

Here is the structure that registers an internal tamper.

struct stm32_tamp_int {
	int id;
	void (*func)(int id);
};

The internal tamper structure contains:

  • an ID (linked to the existing SoC internal tamper)
  • a function that is called when the tamper event is detected. This function can be customized; the default one just prints the tamper ID and resets the SoC.

A static list of tampers is automatically registered during the main security loop.

static struct stm32_tamp_int int_tamp[PLAT_MAX_TAMP_INT] = {
	{
		.id = ITAMP1,
		.func = stm32mp1_tamper_action,
	},
...
};

By default, only internal tampers 1, 2, 3 and 4 are enabled.

2.2 External tampers

Here is the structure that registers external tampers.

struct stm32_tamp_ext {
	int id;
	uint8_t mode;
	uint8_t erase;
	uint8_t evt_mask;
	void (*func)(int id);
};

The external tamper structure contains:

  • an ID: linked to the SoC external tamper
  • a mode (depending on the filter count parameter explained later in this article):
    • TAMP_TRIG_OFF: Low trigger for passive tamper or input rising edge
    • TAMP_TRIG_ON: High trigger for passive tamper or input falling edge
    • TAMP_ACTIVE: Active tamper selected
  • an erase mode: for backup registers and Backup SRAM
    • TAMP_NOERASE: no automatic erase
    • TAMP_ERASE: automatic erase
  • an event mask:
    • TAMP_NO_EVT_MASK: The tamper event must be cleared by software
    • TAMP_EVT_MASK: When the event is detected, the tamper is masked and internally cleared. No erase is performed.
  • a function pointer: function that will be called when the tamper is detected

Here is a configuration example with two external tampers enabled:

static struct stm32_tamp_ext ext_tamp[PLAT_MAX_TAMP_EXT] = {
	{
		.id = EXT_TAMP1,                      // External tamper 1
		.mode = TAMP_TRIG_ON,                 // Tamper trigger event
		.erase = TAMP_NOERASE,                // Not erasing the backup registers
		.evt_mask = TAMP_NO_EVT_MASK,         // Mask is not set
		.func = NULL,                         // No function
	},
	{
		.id = EXT_TAMP2,                      // External tamper 2
		.mode = TAMP_ACTIVE,                  // Active tamper selected
		.erase = TAMP_NOERASE,                // Not erasing the backup registers and Backup SRAM
		.evt_mask = TAMP_NO_EVT_MASK,         // Mask is not set
		.func = NULL,                         // No function
	},
	TAMP_UNUSED,
};
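
The field descriptions above imply two combinations worth catching when reviewing an external tamper table: an entry that neither erases nor calls a function, and TAMP_ERASE combined with TAMP_EVT_MASK, where no erase is performed. The check below is an added example, not Trusted Firmware-A code; the enum values, lint_ext_tamper, the LINT_* flags and on_tamper are hypothetical (the real constants come from stm32_tamp.h), and treating a NULL func without erase as a finding is a review policy assumed here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Placeholder values (assumption): the real ones come from stm32_tamp.h. */
enum { EXT_TAMP1 = 1, EXT_TAMP2, EXT_TAMP3 };
enum { TAMP_TRIG_OFF, TAMP_TRIG_ON, TAMP_ACTIVE };
enum { TAMP_NOERASE, TAMP_ERASE };
enum { TAMP_NO_EVT_MASK, TAMP_EVT_MASK };

struct stm32_tamp_ext {		/* fields as listed on this page */
	int id;
	uint8_t mode;
	uint8_t erase;
	uint8_t evt_mask;
	void (*func)(int id);
};

#define LINT_NO_RESPONSE	0x1u	/* nothing erased and no callback */
#define LINT_MASKED_ERASE	0x2u	/* erase requested, but a masked event erases nothing */

/* Hypothetical review helper: returns LINT_* flags for one table entry. */
unsigned int lint_ext_tamper(const struct stm32_tamp_ext *t)
{
	/* Per the page, TAMP_EVT_MASK clears the event without any erase. */
	int erases = (t->erase == TAMP_ERASE && t->evt_mask == TAMP_NO_EVT_MASK);
	unsigned int flags = 0;
	if (t->erase == TAMP_ERASE && t->evt_mask == TAMP_EVT_MASK)
		flags |= LINT_MASKED_ERASE;
	if (!erases && t->func == NULL)
		flags |= LINT_NO_RESPONSE;
	return flags;
}

static void on_tamper(int id) { printf("tamper %d\n", id); }	/* stand-in handler */

/* Constructed sample table: entries 0-1 mirror the page's example. */
const struct stm32_tamp_ext sample[] = {
	{ EXT_TAMP1, TAMP_TRIG_ON, TAMP_NOERASE, TAMP_NO_EVT_MASK, NULL },
	{ EXT_TAMP2, TAMP_ACTIVE,  TAMP_NOERASE, TAMP_NO_EVT_MASK, NULL },
	{ EXT_TAMP3, TAMP_TRIG_ON, TAMP_ERASE,   TAMP_EVT_MASK,    on_tamper },
	{ EXT_TAMP1, TAMP_TRIG_ON, TAMP_ERASE,   TAMP_NO_EVT_MASK, on_tamper },
};

int main(void)
{
	for (size_t i = 0; i < sizeof(sample) / sizeof(sample[0]); i++)
		printf("entry %zu: flags 0x%x\n", i, lint_ext_tamper(&sample[i]));
	return 0;
}
```
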

External tampers require configuring the filtering mode (for passive tampers) or the active mode selection. The configuration is made in the same secure OS main security configuration file, inside the init_sec_peripherals function.

The filter_conf and active_conf values must be configured based on the values defined in stm32_tamp.h.

Here is an example of filtering configuration for a passive tamper with pull-up disabled, 2 RTC cycles for precharge, 1 count event for detection (level detection), and sampling frequency set to 16384 Hz.

	uint32_t filter_conf = TAMP_FLTCR(TAMP_FILTER_PULL_UP_DISABLE,
					  TAMP_FILTER_DURATION_2_CYCLES,
					  TAMP_FILTER_COUNT_1,
					  TAMP_FILTER_SAMPLING_16384);

Here is an example of filtering configuration for an active tamper.
Based on the external tamper declaration above, tamper 2 is the only one defined as active.
The following configuration (for all active tampers) defines:

  • global active filtering is enabled
  • tamper compared to defined tamp_out selection
  • output charge period is set to 2 x CK_ATPRE
  • prescaler clock defined to RTCCLK/2
  • tamp_out selection 2 is set to external tamper 1 output.

	uint32_t active_conf = TAMP_ACT(TAMP_ACTIVE_FILTER_ON,
					TAMP_ACTIVE_ATO_TAMPOUTSEL,
					TAMP_ACTIVE_APER_1_OUTPUT,
					TAMP_ACTIVE_CKSEL_DIV_2,
					TAMP_ACTIVE_ATOSEL_OUT2_(0));