STM32MP13 backup registers

Applicable for STM32MP13x lines


1 Article purpose[edit]

This article explains how the TAMP backup registers are used by STM32MPU Embedded Software on STM32MP13.

2 Overview[edit]

The STM32MP13 embeds 32 backup registers of 32 bits. A programmable border allows these backup registers to be split into a secure and a non-secure groupa.

3 Backup register usage[edit]

This paragraph explains the default usage of backup registers by the ROM code and STM32MPU Embedded Software distribution. The subsequent chapter then shows the backup register mapping used to fulfill those needs.

Warning white.png Warning
It is important to notice that the backup registers can be erased when a tamper detection occurs in TAMP internal peripheral
Info white.png Information
Backup register(s) might be used for another purpose by the application when the feature(s) listed below is/are not used by the said application

3.1 Boot counter feature[edit]

The BOOT_COUNTER is used by U-Boot to detect boot failures between its execution and before the complete Linux application initialization :

  • It is incremented by U-Boot
  • It is reset by the application

Hence if U-Boot reads a non-null value after a reset, this means that something went wrong at boot time. This information can be used to initiate entry into a fail safe mode.

Warning white.png Warning
This feature is disabled by default, since TF-A BL2 firmware update feature takes care of a boot counter management

3.2 Boot mode selection feature[edit]

The BOOT_MODE register is used to propagate boot mode information from one component to the next boot stage, on cold boot or after a reset:

  • The ROM code executes a serial boot if BOOT_MODE[7:0] is equal to 0xFF, as stated in the ROM code boot device selection strategy. In this case, the backup register is reset by the ROM code before proceeding with the serial boot mode. Other values are ignored by the ROM code.
  • TF-A gets the selected boot device from the ROM code context in SYSRAM and writes it into BOOT_MODE[15:8] for U-Boot[1].
  • U-Boot uses the BOOT_MODE register to get TF-A and Linux kernel (as explained in the next bullet) information[2] in order to select the desired boot mode (among "NORMAL", "STM32PROG", ...[1]) and build the appropriate "chosen" node in the device tree. This device tree is given to the Linux kernel for its start up, as explained in the "Runtime configuration" paragraph in Documentation/devicetree/usage-model.rst .
  • The Linux kernel can force a reboot mode by writing to the BOOT_MODE register. This writing is done via the "reboot" Linux command, that is configured via the compatible "syscon-reboot-mode" in the device tree [2].

3.3 Firmware update info feature[edit]

The FWU_INFO is used by TF-A BL2 to detect boot failures between its execution and before the complete Linux application initialization during a Secure Firmware Update.

3.4 SAES secret key feature[edit]

The SAES secret key registers can be used to own a 256 bits key that is carried to SAES internal peripheral via a buried hardware bus. This solution allows to protect the key with the tamper mechanism: these registers together with SAES memory and registers are erased as soon as a tamper event occurs.
Notice that, when this feature is used, the concerned backup registers should be set as 'secure'.
Look for 'boot hardware key' in the STM32MP13 Reference Manuals for more information about this feature.

4 Memory mapping[edit]

The table below shows the backup register mapping used by STM32MPU Embedded Software.
The TAMP backup register base address is 0x5C00A100, corresponding to TAMP_BKP0R.

TAMP register Securitya ROM / software register name Comment
TAMP_BKP31R Non-secure BOOT_COUNTER See Boot counter feature
TAMP_BKP30R Non-secure BOOT_MODE See Boot mode selection feature
TAMP_BKP29R Non-secure (Reserved for future use)
TAMP_BKP28R Non-secure (Reserved for future use)
TAMP_BKP27R Non-secure (Reserved for future use)
TAMP_BKP26R Non-secure (Reserved for future use)
TAMP_BKP25R Non-secure (Reserved for future use)
TAMP_BKP24R Non-secure (Reserved for future use)
TAMP_BKP23R Non-secure (Reserved for future use)
TAMP_BKP22R Non-secure (Reserved for future use)
TAMP_BKP21R Non-secure (Reserved for future use)
TAMP_BKP20R Non-secure (Reserved for future use)
TAMP_BKP19R Non-secure (Reserved for future use)
TAMP_BKP18R Non-secure (Reserved for future use)
TAMP_BKP17R Non-secure (Reserved for future use)
TAMP_BKP16R Non-secure (Reserved for future use)
TAMP_BKP15R Non-secure (Reserved for future use)
TAMP_BKP14R Secure Write/ Non-secure Read (Reserved for future use)
TAMP_BKP13R Secure Write/ Non-secure Read (Reserved for future use)
TAMP_BKP12R Secure Write/ Non-secure Read (Reserved for future use)
TAMP_BKP11R Secure Write/ Non-secure Read (Reserved for future use)
TAMP_BKP10R Secure Write/ Non-secure Read FWU_INFO See Firmware update info feature
TAMP_BKP9R Non-secure (Reserved for future use)
TAMP_BKP8R Non-secure (Reserved for future use)
TAMP_BKP7R Non-secure SAES secret key See SAES secret key feature
TAMP_BKP6R Non-secure
TAMP_BKP5R Non-secure
TAMP_BKP4R Non-secure
TAMP_BKP3R Non-secure
TAMP_BKP2R Non-secure
TAMP_BKP1R Non-secure
TAMP_BKP0R Non-secure

a: the security borders are configured by OP-TEE in core/arch/arm/plat-stm32mp1/main.c , so the source code has to be modified if a different border is needed. Look for "zone" keyword in the file.

5 References[edit]