STM32MP15 Tamper configuration

This message will disappear after all relevant tasks have been resolved.

Semantic MediaWiki

There are 1 incomplete or pending task to finish installation of Semantic MediaWiki. An administrator or user with sufficient rights can complete it. This should be done before adding new data to avoid inconsistencies.

1 Overview[edit source]

The STM32 MPUs embed tamper detection management. Tamper management and configuration have been added to the secure OS to select and detect events.

STM32MP15 microprocessors offer 5 internal tampers and 3 external tampers.

The internal tampers are the following:

RTC voltage domain monitoring
LSE monitoring
HSE monitoring
RTC calendar overflow
Monotonic counter overflow

External tampers can be configured to be passive or active.

On a tamper event detection, the backup registers are cleared and the Backup SRAM is read-protected and cannot be accessed until the next reset.

The Automatic erase mode can be configured for external tampers. It is enabled by default but can be turned off if the user application needs to control erase operations.

2 Software configuration[edit source]

The tamper driver only exists in the Trusted Firmware-A or in OP-TEE Internal and external tampers have to be configured in:

TAMP device tree configuration
Secure OS main
- TF-A: security configuration file
- OP-TEE security configuration file .

This second part is statically defined and must be customized depending on the application needs.

2.1 Internal tampers[edit source]

For TF-A and OP-TEE an internal tamper can be enable with a call to stm32_tamp_configure_internal() With this parameters:

an ID, linked to the existing SoC internal tamper
the mode, a bitfiled defining the tamper mod (should be at least TAMP_ENABLE)
a function that is called when this tamper event is detected. This function can be customized. By default, it just prints the tamper ID and resets the SoC.

By default, only internal tampers 1, 2, 3 and 4 are enabled.

2.2 External tampers[edit source]

Warning

When an external tamper is enabled, the associated PIN is compulsorily attached to the tamper (whatever the previous GPIO config). There is also some priority on the settings inside RTC/TAMP. See Reference Manual RTC section "GPIOs controlled by the RTC and TAMP".

For TF-A and OP-TEE an external tamper can be enable with a call to stm32_tamp_configure_external()

With this parameters:

an ID, linked to the SoC external tamper
the mode that may depend on the configure_passive and configure_active (described below in this article):
- TAMP_TRIG_OFF: Low trigger for passive tamper or input rising edge
- TAMP_TRIG_ON: High trigger for passive tamper or input falling edge
- TAMP_ACTIVE: Active tamper selected
- TAMP_NOERASE: no automatic erase
- TAMP_ERASE: automatic erase
- TAMP_NO_EVT_MASK: The tamper event must be cleared by software
- TAMP_EVT_MASK: When the event is detected, the tamper is masked and internally cleared. No erase is performed.
the output pin connected to input pin (linked with selected ext tamp id)
a function pointer: function that is called when the tamper is detected

External tampers require to configure the filtering mode (for passive tamper) or active mode selection. The configuration is performed in the same secure OS main security configuration file or security configuration file .

Filter_conf and active_conf must be configured respectively with a call to stm32_configure_passive(mode) and stm32_configure_active(mode) fonction.

for passive filter, the mode in a bitfield of TAMP_FILTER_* values.
for active filter, the mode in a bitfield of TAMP_ACTIVE_* values.

Then all this configuration (each tamper individual configuration, passive configuration and active configuration) will be taken into account only when the stm32_tamp_set_config() function is call.