1. Overview[edit source]
The STM32 MPUs embed a tamper detection management system.
The tamper management and configuration functions have been added to the OP-TEE secure OS to protect against external attacks when the system is running. The tamper management is also present in the TF-A BL2 because tamper events can occur when the SoC is in low-power or power-off modes.
When a tamper event occurs, the platform's secrets are erased or blocked. The automatic erase mode of all secrets can be configured for some tampers. It is enabled by default but can be turned off (see TAMP device tree configuration) if the user application needs to control erase operations. The platform secrets access is blocked when erase is on-going.
Except for STM32MP15x lines 
, the tampers can be configured in 2 modes:
- Confirmed mode: immediate erase of secrets on tamper detection, including backup registers erase
- Potential mode: Some of the secrets are instead locked following a tamper detection until a software action.
On STM32MP15x lines , the secrets will be erased.
To learn more about which secrets are erased or blocked in which modes, refer to the TAMP interconnection in the TAMP chapter of the SoC reference manual.
1.1. Internal tampers[edit source]
The table below represents the list of the supported internal tampers.
| STM32MP13x lines
|
STM32MP15x lines
|
STM32MP25x lines
| |
|---|---|---|---|
| Backup voltage domain monitoring | ✓ | ✓ | ✓ |
| Temperature monitoring | ✓ | ✓ | ✓ |
| LSE monitoring | ✓ | ✓ | ✓ |
| HSE monitoring | ✓ | ✓ | ✓ |
| RTC calendar overflow | ✓ | ✓ | ✓ |
| Monotonic counter (1) overflow | ✓ | ✓ | ✓ |
| JTAG/SWD access | ✓ | ✓ | ✓ |
| Cryptographic IPs fault (SAES or CRYP or PKA or TRNG) | ✓ | ✓ | |
| Monotonic counter 2 overflow | ✓ | ✓ | |
| IWDG reset when tamper flag is set | ✓ | IWDG1/2/5✓ | |
| ADC2 analog watchdog monitoring 1 | ✓ | ||
| ADC2 analog watchdog monitoring 2 | ✓ | ||
| ADC2 analog watchdog monitoring 3 | ✓ | ||
| VDDCORE monitoring under/over voltage | ✓ | ||
| LPSRAM1 CRC fail (same signal as IWDG5 reset) | ✓ |
1.2. External tampers[edit source]
External tampers can be defined on all MPUs:
- 3 on STM32MP15x lines
- 8 on STM32MP13x lines
- 8 on STM32MP25x lines
The external tampers can be configured as passive (they detect a level or an edge on one pin) or as active (2 pins have to be linked together, and the TAMP hardware regularly sends a random level on the OUT pin, then reads IN pins and raises the tamper flag if the values mismatch). Note that the number of mismatch before a tamper event is raised can be configured.
2. Software configuration[edit source]
The tamper driver only exists in OP-TEE.
Tampers have to be configured via the device tree.
2.1. Default internal tampers configuration[edit source]
Be aware that some of the internal tampers require other feature to be functional(LSE/HSE monitoring, voltage monitoring). Refer to the TAMP chapter of the SoC reference manual to learn more on this subject.
For STM32MP13x lines :
- By default, there is no internal tamper enabled. If you wish to enable one or more of them, please refer to the TAMP common property list
For STM32MP15x lines :
- By default, there is no internal tamper enabled. If you wish to enable one or more of them, please refer to the TAMP common property list
For STM32MP25x lines :
- By default, there is no internal tamper enabled. If you wish to enable one or more of them, please refer to the TAMP common property list