STM32 MPU ROM code secure boot

Warning

Work in progess

1. Purpose[edit source]

Secure boot is a key feature to guarantee a secure platform.

STM32MP1 boot sequence supports a trusted boot chain that ensures that the loaded images are authenticated and checked in integrity before being used.

Warning

The secure boot feature availability is indicated in the security field of the chip part number.

2. Authentication processing[edit source]

2.1. Full view[edit source]

STM32 MPU provides authentication processing with ECDSA ^[1] verification algorithm, based on ECC ^[2]. ECDSA offers better result than RSA with a smaller key. STM32 MPU relies on a 256 bits ECDSA key.

The figure above shows the steps implied in secure boot:

1. Keys generation
2. Keys registration
3. Image signing & encryption
4. Image authentication
5. Image decryption

The EDCSA verification follows the process below:

The BSEC OTP used by secure boot are:

• the OTP WORD 24 to 31 for PKH
• the OTP WORD0 to close the device

2.2. Keys generation[edit source]

First step is to generate necessary keys with STM32 KeyGen tool.

2.2.1. STM32MP13x lines [edit source]

The STM32 KeyGen tool generates 8 ECC pair of keys that will be used to sign the images.

The STM32 KeyGen tool tool also generates a file containing the hash of the 8 public key hashes (PKHTH) that will be used to authenticate the public key on the target.

2.2.2. STM32MP15x lines [edit source]

The STM32 KeyGen tool generates one ECC pair of keys that will be used to sign the images.

The STM32 KeyGen tool tool also generates a third file containing the public key hash (PKH) that will be used to authenticate the public key on the target.

2.3. Keys registration[edit source]

2.4. Image signing[edit source]

Two algorithms are supported for ECDSA calculation:

• P-256 NIST
• Brainpool 256

The algorithm selection is done via the signed binary header, as shown in STM32 header (subchapter in this same article).

2.5. Image authentication[edit source]

2.6. Image encryption[edit source]

2.7. Image decryption[edit source]

3. Operating on STM32MP13x lines [edit source]

4. Operating on STM32MP15x lines [edit source]

5. U-Boot command stm32key[edit source]

OpenSTLinux embeds a stm32key tool that can be called from U-Boot command line interface to manage these OTP.

  help stm32key
 stm32key read [<addr>] : Read the hash stored at addr in memory or in OTP
 stm32key fuse [-y] <addr> : Fuse hash stored at addr in OTP
 stm32key close [-y] : Close the device, the hash stored in OTP

The optional option -y is used to skip the confirmation message.

Nota: the support of close is available in ecosystem release ≥ v3.1.0

In this article, this stm32key tool is used to illustrate and experiment the steps needed to activate the secure boot, but these OTP can also be updated directly by customer application or with Secure Secret Provisioning (SSP).

6. Authentication steps[edit source]

The expected sequence to test the secure boot on the device is

• Key generation

• Key registration: update and lock PKH in OTP (stm32key fuse)

• Perform image authentication and check that the ROM code accepted them.

• Close the device, only signed binary will be accepted (stm32key close)

6.1. Key generation[edit source]

First step is to generate the ECC pair of keys with STM32 KeyGen tool. This is the key pair that will be used to sign the images.
The tool also generates a third file containing the public key hash (PKH) that will be used to authenticate the public key on the target.

6.2. Key registration[edit source]

Warning

Make sure that a device with Secure boot enabled is used: this is mentioned in the part number, otherwise the device will become permanently unusable.

6.2.1. Load hash public key[edit source]

PKH file (publicKeyhash.bin) must be available in DDR before proceeding.

For example loaded from a filesystem partition on a storage device, like bootfs (partition 4) on SD card (mmc0):

  load mmc 0:4 0xc0000000 publicKeyhash.bin
 32 bytes read in 50 ms (0 Bytes/s)

6.2.2. Register hash public key[edit source]

First step to enable the authentication is to burn the OTP WORD 24 to 31 in BSEC with the corresponding public key hash (PKH, output file from STM32 KeyGen).

Make sure that a trusted image was programmed on your board, because below operation will not be possible with optee boot.

You can verify this PKH available in DDR:

  stm32key read 0xc0000000                                       Read loaded key from DDR to confirm it is valid (without writing it in OTP)
 OTP value 24: 12345678
 OTP value 25: 12345678
 OTP value 26: 12345678
 OTP value 27: 12345678
 OTP value 28: 12345678
 OTP value 29: 12345678
 OTP value 30: 12345678
 OTP value 31: 12345678

Warning

If hash key is ok, the key in OTP can be fused

  stm32key fuse 0xc0000000                                    Write and lock the key in OTP

The device now contains the hash to authenticate images. To read back the OTP, you can use NVMEM framework or the command stm32key:

  stm32key read                                                   Read the key in OTP

6.3. Image signing[edit source]

In a second step, FSBL binary must be signed. STM32 Signing tool allows to fill the STM32 binary header that is parsed by the embedded software to authenticate each binary.

6.3.1. STM32 Header[edit source]

STM32 header for binary files

For STM32MP15x lines :

• the monotonic counter is stored in OTP 4
• the Public Key Hash is stored in OTP WORD 24 to 31

6.4. Image programming[edit source]

Once the image is signed, it can be programmed into the flash on the target board with STM32CubeProgrammer.

6.5. PKH check[edit source]

Before really starting the authentication process, the ROM code compares the hash of the public key carried in the STM32 header with the one that was provisioned in OTP.

6.6. Authentication[edit source]

6.6.1. ROM code authentication[edit source]

Using a signed binary, the ROM code authenticates and starts the FSBL.

At boot time on board, you must see the following line in TF-A trace:

NOTICE:  CPU: STM32MP157CAA Rev.?
NOTICE:  Model: STMicroelectronics STM32MP157C eval daughter on eval mother
NOTICE:  Board: MB1263 Var1.0 Rev.C-01
NOTICE:  Bootrom authentication succeeded
INFO:    Reset reason (0x15):
INFO:      Power-on Reset (rst_por)
INFO:    PMIC version = 0x10

On closed device, if the authentication fails, the ROM code enters into a serial boot loop indicated by the blinking Error LED (cf ROM code common debug and error cases).

The ROM code provides secure services to the FSBL for image authentication with the same ECC pair of keys, so there is no need to support ECDSA algorithm in FSBL.

6.7. Closing the device[edit source]

Notice that this last step is not shown in the diagram above.

Without any other modification, the device is able to perform image authentication but non authenticated images can still be used and executed: the device is still opened, let's see this as a kind of test mode to check that the PKH is properly set.

As soon as the authentication process is confirmed, the device can be closed and the user is forced to use signed images.

OTP WORD0 bit 6 is the OTP bit that closes the device. Burning this bit will lock authentication processing and force authentication from the Boot ROM. Non signed binaries will not be supported anymore on the target.

To program this bit, the STM32CubeProgrammer or U-Boot command line interface can be used.

Here is how to proceed with U-Boot:

  stm32key close

or if stm32key close is not supported, you can write bit 6 = 0x40 in OTP 0:

  fuse prog 0 0x0 0x40

Warning

This must not be done on STM32MP15 part numbers without Secure boot enabled, otherwise the chip will be bricked and could not be used anymore

7. References[edit source]