Tamper configuration

Applicable for STM32MP13x lines, STM32MP15x lines

1 Overview

The STM32 MPUs embed a tamper detection management system.

The tamper management and configuration functions have been added to the secure OS to select and detect events to protect against external attacks.

On a tamper event, secrets are erased or blocked.

The backup registers and backup SRAM (configurable on STM32MP13x lines) are considered as secrets.

On STM32MP13x lines, the security level has been increased and the following peripherals have been added to the secret list:

The automatic erase mode can be configured for any tamper (internal and external). It is enabled by default but can be turned off (NOERASE) if the user application needs to control erase operations. If it is disabled, the backup registers, SRAM3, and RHUK (root hardware unique key) in BSEC are locked (neither read nor write is possible until the event is acknowledged), while the SAES and HASH peripherals and the PKA SRAM are always erased.

1.1 Internal tampers

The list below gives the supported internal tampers on STM32MP13x lines and STM32MP15x lines:

  • Backup voltage domain monitoring
  • Temperature monitoring
  • LSE monitoring
  • HSE monitoring
  • RTC calendar overflow
  • Monotonic counter (1) overflow
  • JTAG/SWD access
  • Cryptographic IPs fault (SAES or CRYP or PKA or TRNG)
  • Monotonic counter 2 overflow
  • IWDG reset when tamper flag is set
  • ADC2 analog watchdog monitoring 1
  • ADC2 analog watchdog monitoring 2
  • ADC2 analog watchdog monitoring 3

1.2 External tampers

3 external tampers on STM32MP15x lines and 8 on STM32MP13x lines can be defined.

The external tampers can be configured as passive (they detect a level or an edge on one pin) or as active (2 pins have to be linked together; the TAMP hardware regularly drives a random level on the OUT pin, then reads the IN pin and raises the tamper flag if the values mismatch). Note that the number of mismatches required before a tamper event is raised can be configured.

2 Software configuration

The tamper driver only exists in OP-TEE.

External tampers have to be configured in the device tree.

Internal and external tampers have to be activated in the main configuration file.

The device tree enables the TAMP IP and configures the external tamper (active, passive, level, and so on).

The main.c activates the desired TAMPER_ID, in ERASE or NOERASE mode, and defines the callback to run in case of an event. An external TAMPER can be activated only if the corresponding TAMPER_ID is enabled in the device tree.

Example:

/* Callback run by the tamper driver when internal tamper 1 fires */
static uint32_t int_tamp1_callback(int id)
{
	MSG("Backup domain voltage threshold monitoring tamper event occurs");
	/* ... */
	/* specific application event management */
	/* ... */

	/* Acknowledge the event and let the driver reset the board */
	return TAMP_CB_ACK_AND_RESET;
}

/* Activate internal tamper 1 in ERASE mode with the callback above */
stm32_tamp_activate(INT_TAMP1, TAMP_ERASE, int_tamp1_callback);

The value returned by the callback defines whether the driver acknowledges the event and resets the board. If the event is configured as NOERASE, the callback may check:

  • in case of a true positive: erase the secrets manually (with stm32_tamp_erase_secret()) and return TAMP_CB_ACK_AND_RESET
  • in case of a false positive: return TAMP_CB_ACK (this unlocks the secret IPs).
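Worked example of both callback outcomes (ERASE mode, and NOERASE mode with a true-positive and a false-positive branch). It is added here and is not code from the page or from the OP-TEE tamper driver: the TAMP_CB_* values, the tamper ids, the erase test double and the "second event" confirmation policy are constructed stand-ins for the driver symbols named above.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed stand-ins for the driver symbols named on the page; the real
 * values come from the secure OS tamper driver headers. */
#define INT_TAMP1 1             /* backup domain voltage monitoring */
#define EXT_TAMP2 102           /* hypothetical id for the DK tamper button */
#define TAMP_CB_ACK           1 /* acknowledge only: unlocks the secret IPs */
#define TAMP_CB_ACK_AND_RESET 3 /* acknowledge and let the driver reset */

static bool secrets_erased;  /* set by the erase test double below */
static unsigned ext2_events; /* EXT_TAMP2 events seen since last confirmation */

/* Test double for stm32_tamp_erase_secret(): the real one wipes the backup
 * registers and backup SRAM; here it only records that a wipe was requested. */
static void stm32_tamp_erase_secret(void)
{
	secrets_erased = true;
}

/* Callback for a tamper activated in NOERASE mode. Constructed policy for
 * this example: an internal tamper is always a true positive; the external
 * button tamper is treated as a true positive only on its second event. */
static uint32_t noerase_tamp_callback(int id)
{
	bool true_positive = true;

	if (id == EXT_TAMP2) {
		ext2_events++;
		true_positive = (ext2_events >= 2);
	}

	if (true_positive) {
		/* NOERASE: the hardware locked the secrets but did not wipe
		 * them, so the application erases them explicitly */
		stm32_tamp_erase_secret();
		ext2_events = 0;
		return TAMP_CB_ACK_AND_RESET;
	}

	/* False positive: acknowledge so the locked secret IPs are released */
	return TAMP_CB_ACK;
}

/* Callback for a tamper activated in ERASE mode: the secrets were already
 * erased automatically, so the application only acknowledges and resets. */
static uint32_t erase_tamp_callback(int id)
{
	(void)id;
	return TAMP_CB_ACK_AND_RESET;
}
```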

The main.c configures the access permissions of the TAMP registers (privileged mode, secure mode) and specifies whether the backup SRAM is included in the secret IPs list.

2.1 Default internal tampers configuration

For STM32MP13x lines:

  • By default, only internal tampers 1, 2, 3, 4, 7, 12 and 13 are enabled, configured as ERASE, and the callback resets the board.

For STM32MP15x lines:

  • By default, only internal tampers 1, 2, 3 and 4 are enabled, configured as ERASE, and the callback resets the board.

2.2 External tampers

On the STM32MP135F-DK, a tamper button is connected to the external tamper 2. It is enabled by default in the device tree. Pressing the TAMP button raises the EXT_TAMP2 event, erases all secrets and resets the board.