DDRMCE internal peripheral

Revision as of 17:12, 31 August 2021 by Registered User (→‎Features)

1. Article purpose

The purpose of this article is to:

  • briefly introduce the MCE peripheral and its main features
  • indicate the level of security supported by this hardware block
  • explain how to configure the MCE peripheral.

2. Peripheral overview

The MCE (Memory Cipher Engine) peripheral defines, in a given address space, one region with a specific security setup (encryption). It also supports multiple key sizes and chaining modes.

2.1. Features

Refer to the STM32MP13 reference manuals for the complete list of features, and to the software components introduced below to see which features are actually implemented.
The MCE 128-bit master key is generated by the RNG[1] and provisioned during boot processing, in order to use the AES[2] block ciphering feature. It must be fully saved in Backup RAM for low-power sequences.

2.2. Security support

MCE is a secure peripheral (under ETZPC control).

3. Peripheral usage and associated software

3.1. Boot time

The MCE can be configured at boot time to set up the region.

3.2. Runtime

3.2.1. Overview

All system bus traffic going through an encrypted region is managed on the fly by the MCE, which automatically decrypts reads and encrypts writes if authorized.

3.2.2. Software frameworks

Internal peripherals software table template

| RAM/Security | MCE | Memory mapping | Memory mapping | | |

3.2.3. Peripheral configuration

The MCE device tree configuration is generated via the STM32CubeMX tool, according to the region characteristics (address, length, type). This configuration is applied during boot time by the FSBL (see Boot chain overview): TF-A.

3.2.4. Peripheral assignment

Internal peripherals assignment table template

| RAM/Security | MCE | MCE | | | | |

4. How to go further

Not applicable.

5. References