1. Overview
The STM32 MPUs embed a tamper detection management system.
The tamper management and configuration functions have been added to the OP-TEE secure OS to protect against external attacks when the system is running. The tamper management is also present in the TF-A BL2 because tamper events can occur when the SoC is in low-power or power-off modes.
When a tamper event occurs, the platform's secrets are erased or blocked. The automatic erase mode of all secrets can be configured for some tampers. It is enabled by default but can be turned off (see TAMP device tree configuration) if the user application needs to control erase operations. Access to the platform secrets is blocked while an erase is ongoing.
Except for STM32MP15x lines, the tampers can be configured in 2 modes:
- Confirmed mode: the secrets are erased immediately on tamper detection, including the backup registers.
- Potential mode: some of the secrets are instead locked following a tamper detection, until a software action.
On STM32MP15x lines, the secrets will be erased.
To learn more about which secrets are erased or blocked in which modes, refer to the TAMP interconnection in the TAMP chapter of the SoC reference manual.
Information: Because STMicroelectronics cannot provide generic sequences on how to handle tampers, someone wishing to use tampers is expected to customize the tamper interrupt handler sequence. The default behavior when a tamper event occurs while the system is running is a system reset. When the tamper is in confirmed mode, the appropriate secret erase sequence is also performed by the hardware, whereas in potential mode the secrets are blocked but not erased until the handler sequence is performed. The files to customize are the TF-A BL2 platform setup (for a tamper event that happens when the SoC is in retention mode) and the OP-TEE tamper driver (for runtime management).
1.1. Internal tampers
The table below represents the list of the supported internal tampers.
1.2. External tampers
External tampers can be defined on all MPUs:
The external tampers can be configured as passive (they detect a level or an edge on one pin) or as active (2 pins have to be linked together; the TAMP hardware regularly sends a random level on the OUT pin, then reads the IN pins and raises the tamper flag if the values mismatch). Note that the number of mismatches before a tamper event is raised can be configured.
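The active-mode check described above can be modeled in software to see what the configurable mismatch count changes. This is an added example, not STMicroelectronics code: the names, the xorshift32 generator standing in for the hardware random source, and the cumulative mismatch counter are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Software model only; names are hypothetical, not TAMP registers. */
enum loop_state { LOOP_INTACT, LOOP_STUCK_LOW, LOOP_ONE_GLITCH };
struct atamp {
    uint32_t prng;       /* stands in for the hardware random source */
    unsigned threshold;  /* configured number of mismatches */
    unsigned mismatches; /* mismatches counted so far (assumed cumulative) */
};

/* xorshift32 step; the low bit is the level driven on OUT. */
static unsigned next_out_level(struct atamp *t)
{
    t->prng ^= t->prng << 13;
    t->prng ^= t->prng >> 17;
    t->prng ^= t->prng << 5;
    return t->prng & 1u;
}

/* One period: drive OUT, read IN back through the loop, compare. */
static bool atamp_sample(struct atamp *t, enum loop_state s, unsigned period)
{
    unsigned out = next_out_level(t);
    unsigned in = out;                       /* intact loop echoes OUT */
    if (s == LOOP_STUCK_LOW)
        in = 0;                              /* broken loop: IN reads 0 */
    else if (s == LOOP_ONE_GLITCH && period == 0)
        in = !out;                           /* single noisy sample */
    if (in != out)
        t->mismatches++;
    return t->mismatches >= t->threshold;    /* tamper flag */
}

/* Returns the 1-based period at which the flag is raised, 0 if never. */
unsigned atamp_run(enum loop_state s, unsigned threshold, unsigned periods)
{
    struct atamp t = { .prng = 0x1234567u, .threshold = threshold };
    for (unsigned i = 0; i < periods; i++)
        if (atamp_sample(&t, s, i))
            return i + 1;
    return 0;
}

int main(void)
{
    printf("one glitch, threshold 2: %u\n", atamp_run(LOOP_ONE_GLITCH, 2, 256));
    printf("stuck low,  threshold 2: %u\n", atamp_run(LOOP_STUCK_LOW, 2, 256));
}
```

In this model a higher threshold filters out a single noisy sample, at the cost of a later detection when the loop is broken, because a stuck IN level only mismatches in the periods where OUT is driven to the opposite level.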
2. Software configuration
2.1. Default internal tampers configuration
Be aware that some of the internal tampers require other features to be functional (LSE/HSE monitoring, voltage monitoring). Refer to the TAMP chapter of the SoC reference manual to learn more on this subject.
- By default, no internal tamper is enabled. If you wish to enable one or more of them, please refer to the TAMP common property list.
2.2. Default external tampers configuration
On STMicroelectronics boards, except for STM32MP15x lines platforms, the TAMP button is supported by default to generate tamper events. This is done in the board device tree file. See: Board device tree configuration