1. Article purpose[edit | edit source]
The purpose of this article is to:
- briefly introduce the TAMP peripheral and its main features,
- indicate the peripheral instances assignment at boot time and their assignment at runtime (including whether instances can be allocated to secure contexts),
- list the software frameworks and drivers managing the peripheral,
- explain how to configure the peripheral.
2. Peripheral overview[edit | edit source]
The TAMP peripheral is a secure peripheral.
The TAMP peripheral is used to prevent any attempt by an attacker to perform an unauthorized physical or electronic action against the device. It also includes the backup registers that remain powered-on when the platform is switched off.
The TAMP peripheral control the access to the backup registers.
It is important to notice that a tamper event can erase the following secrets:
- On STM32MP13x lines
- the backup registers
- the SRAM3
- the BKPSRAM internal memory
- the OTP upper fuses are forced to 0 and BSEC mode switch to OTP-INVALID.
- On STM32MP15x lines
- On STM32MP25x lines
- the backup registers
- the SRAM1
- the SAES, CRYP1/2, HASH, OTFDEC peripherals
- PKA SRAM
- the OTP upper fuses are forced to 0 and BSEC mode switch to OTP-INVALID.
- the BKPSRAM internal memory
Refer to the STM32MP13 reference manuals, STM32MP15 reference manuals or STM32MP25 reference manuals for the complete list of features, and to the software frameworks and drivers, introduced below, to see which features are implemented.
3. Peripheral usage[edit | edit source]
This chapter is applicable in the scope of the OpenSTLinux BSP running on the Arm® Cortex®-A processor(s), and the STM32CubeMPU Package running on the Arm® Cortex®-M processor.
3.1. Boot time assignment[edit | edit source]
The TAMP is used at boot time to share data between the ROM code, FSBL and SSBL: see STM32MP13 backup registers, STM32MP15 backup registers or STM32MP2 backup registers for further information.
3.1.1. On STM32MP1 series[edit | edit source]
Click on to expand or collapse the legend...
Check boxes illustrate the possible peripheral allocations supported by STM32 MPU Embedded Software:
- ☐ means that the peripheral can be assigned to the given boot time context.
- ☑ means that the peripheral is assigned by default to the given boot time context and that the peripheral is mandatory for the STM32 MPU Embedded Software distribution.
- ⬚ means that the peripheral can be assigned to the given boot time context, but this configuration is not supported in STM32 MPU Embedded Software distribution.
- ✓ is used for system peripherals that cannot be unchecked because they are hardware connected in the device.
The present chapter describes STMicroelectronics recommendations or choice of implementation. Additional possibilities might be described in STM32 MPU reference manuals.
Domain | Peripheral | Boot time allocation | Comment | |||
---|---|---|---|---|---|---|
Instance | Cortex-A7 secure (ROM code) |
Cortex-A7 secure (TF-A BL2) |
Cortex-A7 non-secure (U-Boot) | |||
Security | TAMP | TAMP | ✓ | ✓ | ✓ |
3.1.2. On STM32MP2 series[edit | edit source]
Click on to expand or collapse the legend...
- ☐ means that the peripheral can be assigned to the given boot time context.
- ☑ means that the peripheral is assigned by default to the given boot time context and that the peripheral is mandatory for the STM32 MPU Embedded Software distribution.
- ⬚ means that the peripheral can be assigned to the given boot time context, but this configuration is not supported in STM32 MPU Embedded Software distribution.
- ✓ is used for system peripherals that cannot be unchecked because they are hardware connected in the device.
The present chapter describes STMicroelectronics recommendations or choice of implementation. Additional possibilities might be described in STM32MP25 reference manuals.
Domain | Peripheral | Boot time allocation | Comment | |||
---|---|---|---|---|---|---|
Instance | Cortex-A35 secure (ROM code) |
Cortex-A35 secure (TF-A BL2) |
Cortex-A35 non-secure (U-Boot) | |||
Security | TAMP | TAMP | ☐ | ☐ | ☐ | Shareable at internal peripheral level thanks to the RIF: see the boot time allocation per feature |
The below table shows the possible boot time allocations for the features of the TAMP instance.
Feature | Boot time allocation | Comment | ||
---|---|---|---|---|
Cortex-A35 secure (ROM code) |
Cortex-A35 secure (TF-A BL2) |
Cortex-A35 non-secure (U-Boot) | ||
TAMP resource 0 | ⬚ | ⬚ | ||
TAMP resource 1 | ✓ | ⬚ | ||
TAMP resource 2 | ⬚ | ⬚ |
3.2. Runtime assignment[edit | edit source]
TAMP is seen as a system peripheral. The tamper detection and management is, after configuration, non modifiable. TAMP is configured in OP-TEE to manage tamper events.
3.2.1. On STM32MP13x lines [edit | edit source]
Click on to expand or collapse the legend...
Check boxes illustrate the possible peripheral allocations supported by STM32 MPU Embedded Software:
- ☐ means that the peripheral can be assigned to the given runtime context.
- ☑ means that the peripheral is assigned by default to the given runtime context and that the peripheral is mandatory for the STM32 MPU Embedded Software distribution.
- ⬚ means that the peripheral can be assigned to the given runtime context, but this configuration is not supported in STM32 MPU Embedded Software distribution.
- ✓ is used for system peripherals that cannot be unchecked because they are hardware connected in the device.
Refer to How to assign an internal peripheral to an execution context for more information on how to assign peripherals manually or via STM32CubeMX.
The present chapter describes STMicroelectronics recommendations or choice of implementation. Additional possibilities might be described in STM32MP13 reference manuals.
Domain | Peripheral | Runtime allocation | Comment | ||
---|---|---|---|---|---|
Instance | Cortex-A7 secure (OP-TEE) |
Cortex-A7 non-secure (Linux) | |||
Security | TAMP | TAMP | ☐ | ☐ |
3.2.2. On STM32MP15x lines [edit | edit source]
Click on to expand or collapse the legend...
Check boxes illustrate the possible peripheral allocations supported by STM32 MPU Embedded Software:
- ☐ means that the peripheral can be assigned to the given runtime context.
- ☑ means that the peripheral is assigned by default to the given runtime context and that the peripheral is mandatory for the STM32 MPU Embedded Software distribution.
- ⬚ means that the peripheral can be assigned to the given runtime context, but this configuration is not supported in STM32 MPU Embedded Software distribution.
- ✓ is used for system peripherals that cannot be unchecked because they are hardware connected in the device.
Refer to How to assign an internal peripheral to an execution context for more information on how to assign peripherals manually or via STM32CubeMX.
The present chapter describes STMicroelectronics recommendations or choice of implementation. Additional possiblities might be described in STM32MP15 reference manuals.
Domain | Peripheral | Runtime allocation | Comment | |||
---|---|---|---|---|---|---|
Instance | Cortex-A7 secure (OP-TEE) |
Cortex-A7 non-secure (Linux) |
Cortex-M4 (STM32Cube) | |||
Security | TAMP | TAMP | ☐ | ☐ | ☐ |
3.2.3. On STM32MP25x lines [edit | edit source]
Click on to expand or collapse the legend...
Check boxes illustrate the possible peripheral allocations supported by STM32 MPU Embedded Software:
- ☐ means that the peripheral can be assigned to the given runtime context.
- ☑ means that the peripheral is assigned by default to the given runtime context and that the peripheral is mandatory for the STM32 MPU Embedded Software distribution.
- ⬚ means that the peripheral can be assigned to the given runtime context, but this configuration is not supported in STM32 MPU Embedded Software distribution.
- ✓ is used for system peripherals that cannot be unchecked because they are hardware connected in the device.
The present chapter describes STMicroelectronics recommendations or choice of implementation. Additional possibilities might be described in STM32MP25 reference manuals.
Domain | Peripheral | Runtime allocation | Comment | |||||
---|---|---|---|---|---|---|---|---|
Instance | Cortex-A35 secure (OP-TEE / TF-A BL31) |
Cortex-A35 non-secure (Linux) |
Cortex-M33 secure (TF-M) |
Cortex-M33 non-secure (STM32Cube) |
Cortex-M0+ (STM32Cube) | |||
Security | TAMP | TAMP | ✓OP-TEE | ⬚ | ⬚ | ⬚ | Shareable at internal peripheral level thanks to the RIF: see the runtime allocation per feature |
The below table shows the possible runtime allocations for the features of the TAMP instance.
Feature | Runtime allocation | Comment | ||||
---|---|---|---|---|---|---|
Cortex-A35 secure (OP-TEE / TF-A BL31) |
Cortex-A35 non-secure (Linux) |
Cortex-M33 secure (TF-M) |
Cortex-M33 non-secure (STM32Cube) |
Cortex-M0+ (STM32Cube) | ||
TAMP resource 0 | ☐OP-TEE | ⬚ | ☐ | ☐ | ☐ | |
TAMP resource 1 | ✓OP-TEE ✓TF-A BL31 |
⬚ | ⬚ | ⬚ | ||
TAMP resource 2 | ⬚OP-TEE | ⬚ | ✓ | ⬚ |
4. Software frameworks and drivers[edit | edit source]
Below are listed the software frameworks and drivers managing the TAMP peripheral for the embedded software components listed in the above tables.
- Linux®:
- syscon driver (drivers/mfd/syscon.c ) based on binding syscon.yaml
- NVMEM framework for TAMP Backup Register access (using TAMP Backup Register Driver ).
For details on Backup register usage see How to use TAMP Backup Registers
- OP-TEE: TAMP driver and header file of TAMP OP-TEE driver + TAMP NVRAM driver using NVMEM API
- TF-A BL2: TF-A backup register access
- U-Boot: U-Boot backup register access using NVMEM API
5. How to assign and configure the peripheral[edit | edit source]
The peripheral assignment can be done via the STM32CubeMX graphical tool (and manually completed if needed).
This tool also helps to configure the peripheral:
- partial device trees (pin control and clock tree) generation for the OpenSTLinux software components,
- HAL initialization code generation for the STM32CubeMPU Package.
The configuration is applied by the firmware running in the context in which the peripheral is assigned.
For the Linux kernel configuration, sysconf part, please refer to TAMP device tree configuration.
For the secure configuration, please refer to TAMP device tree configuration and Tamper configuration.
6. References[edit | edit source]