1. Overview[edit source]
The STM32 MPUs embed tamper detection management. Tamper management and configuration have been added to the secure OS to select and detect events.
STM32MP15 microprocessors offer 5 internal tampers and 3 external tampers.
The internal tampers are the following:
- RTC voltage domain monitoring
- LSE monitoring
- HSE monitoring
- RTC calendar overflow
- Monotonic counter overflow
External tampers can be configured to be passive or active.
On a tamper event detection, the backup registers are cleared and the Backup SRAM is read-protected and cannot be accessed until the next reset.
The Automatic erase mode can be configured for external tampers. It is enabled by default but can be turned off if the user application needs to control erase operations.
2. Software configuration[edit source]
The tamper driver only exists in the Trusted Firmware-A or in OP-TEE Internal and external tampers have to be configured in:
- TAMP device tree configuration
- Secure OS main
- TF-A: security configuration file
- OP-TEE security configuration file .
This second part is statically defined and must be customized depending on the application needs.
2.1. Internal tampers[edit source]
For TF-A and OP-TEE an internal tamper can be enable with a call to stm32_tamp_configure_internal() With this parameters:
- an ID, linked to the existing SoC internal tamper
- the mode, a bitfiled defining the tamper mod (should be at least TAMP_ENABLE)
- a function that is called when this tamper event is detected. This function can be customized. By default, it just prints the tamper ID and resets the SoC.
By default, only internal tampers 1, 2, 3 and 4 are enabled.
2.2. External tampers[edit source]
For TF-A and OP-TEE an external tamper can be enable with a call to stm32_tamp_configure_external()
With this parameters:
- an ID, linked to the SoC external tamper
- the mode that may depend on the configure_passive and configure_active (described below in this article):
- TAMP_TRIG_OFF: Low trigger for passive tamper or input rising edge
- TAMP_TRIG_ON: High trigger for passive tamper or input falling edge
- TAMP_ACTIVE: Active tamper selected
- TAMP_NOERASE: no automatic erase
- TAMP_ERASE: automatic erase
- TAMP_NO_EVT_MASK: The tamper event must be cleared by software
- TAMP_EVT_MASK: When the event is detected, the tamper is masked and internally cleared. No erase is performed.
- the output pin connected to input pin (linked with selected ext tamp id)
- a function pointer: function that is called when the tamper is detected
External tampers require to configure the filtering mode (for passive tamper) or active mode selection. The configuration is performed in the same secure OS main security configuration file or security configuration file .
Filter_conf and active_conf must be configured respectively with a call to stm32_configure_passive(mode) and stm32_configure_active(mode) fonction.
- for passive filter, the mode in a bitfield of TAMP_FILTER_* values.
- for active filter, the mode in a bitfield of TAMP_ACTIVE_* values.
Then all this configuration (each tamper individual configuration, passive configuration and active configuration) will be taken into account only when the stm32_tamp_set_config() function is call.