Secure Secret Provisioning (SSP)

Revision as of 14:45, 30 September 2022 by Registered User

1. Article purpose

To meet new market security requirements and protect customers against leakage of their IP, STMicroelectronics introduces a security feature, secure secret provisioning (SSP), which allows OEM secrets to be programmed into the STM32 MPU one-time programmable (OTP) area in a secure way (with confidentiality, authentication and integrity checks). The STM32MP1 Series supports protection mechanisms that protect critical operations (such as cryptography algorithms) and critical data (such as secret keys) against unexpected access.
This wiki gives an overview of the STM32MP1 Series SSP solution with its associated tools ecosystem.

2. SSP overview

The SSP is a secure system mechanism implemented in STM32 microprocessors that allows secured and counted installation of OEM secrets in an untrusted production environment (such as the OEM contract manufacturer).
The SSP process prevents the OEM secrets from:

  • being accessed by the contract manufacturer.
  • being extracted or disclosed.

SSP schema high level

Following the SFI strategy, the SSP processing relies on a hardware security module (HSM) to manage chip authentication and a dedicated encrypted communication channel for exchanging data with the STM32 chip. This chip authentication makes it possible to count the number of provisioned devices. The HSM is connected to the programming tool that uploads the encrypted data to the chip.


3. SSP embedded software implementation

The SSP implementation relies on two embedded software parts:

3.1. ROM Code SSP implementation

The ROM code has complete access to chip data. During the SSP process, it is in charge of:

  • Generating the chip certificate.
  • Downloading the TF-A SSP Firmware from the programmer.
  • Decrypting the secret data.
  • Authenticating the TF-A SSP Firmware.

3.2. TF-A SSP Firmware

The TF-A SSP Firmware is a specific firmware that extends the communication with the programmer and is in charge of specific SSP commands:

  • Initialize the SSP processing.
  • Send the ROM code prepared certificate to the programmer to allow chip authentication.
  • Receive the secret data from the programmer and store it in a dedicated section for the ROM code.
  • Burn all the decrypted secrets and set the chip state to CLOSE.

The TF-A SSP requires a dedicated board configuration.

4. External SSP tools

5. SSP detail steps

The SSP process requires three dedicated steps:

  • Enter provisioning mode: The chip is in the Secure Open state by default; this step moves the device to a provisioning state.
  • Upload the secrets: This step downloads all the data required to provision the chip.
  • Provisioning: This final step burns the secrets in fuses and closes the chip.

All these steps will be described below.
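The following is an added model, not ST code and not part of the original article, of the two properties described above: the HSM counts a device only after authenticating it, and a chip moves one way through Secure Open, provisioning and closed. The class and function names, the state labels, the quota and the use of an HMAC tag in place of the real chip certificate are all assumptions made for illustration.

```python
import hashlib
import hmac


def cert_for(ca_key: bytes, chip_id: bytes) -> bytes:
    # Assumption: an HMAC tag stands in for the real chip certificate.
    return hmac.new(ca_key, chip_id, hashlib.sha256).digest()


class Hsm:
    """HSM role: authenticate each chip, then count it against a quota."""

    def __init__(self, ca_key: bytes, quota: int):
        self._ca_key = ca_key
        self.remaining = quota  # devices the OEM allows to be provisioned

    def authorize(self, chip_id: bytes, cert: bytes) -> bool:
        if not hmac.compare_digest(cert_for(self._ca_key, chip_id), cert):
            return False  # unauthenticated chip: quota is not consumed
        if self.remaining == 0:
            return False  # quota exhausted: no more secrets are released
        self.remaining -= 1
        return True


class Chip:
    """Device side: Secure Open -> provisioning -> closed, one way only."""

    def __init__(self, chip_id: bytes, cert: bytes):
        self.chip_id, self.cert = chip_id, cert
        self.state, self.otp = "SECURE_OPEN", None

    def enter_provisioning(self) -> None:
        if self.state != "SECURE_OPEN":
            raise RuntimeError("chip is not in Secure Open state")
        self.state = "PROVISIONING"

    def burn_and_close(self, secret: bytes) -> None:
        if self.state != "PROVISIONING":
            raise RuntimeError("chip is not in provisioning state")
        self.otp, self.state = secret, "CLOSED"


def provision(hsm: Hsm, chip: Chip, secret: bytes) -> str:
    # Encryption of the secret between HSM and chip is left out of this model.
    chip.enter_provisioning()
    if hsm.authorize(chip.chip_id, chip.cert):
        chip.burn_and_close(secret)
    return chip.state
```

A chip that fails authentication or arrives after the quota is used up stays in the provisioning state with nothing burned, and a closed chip cannot re-enter the flow.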