Skip to main content
Thierry Crespo
Thierry Crespo
ST Employee
September 24, 2024

New release of Secure Manager 1.2.0 for STM32H5 - overview

  • September 24, 2024
  • 5 replies
  • 3249 views

The Secure Manager for STM32H573 version 1.2.0 has recently been released.  It’s available on our Secure Manager webpage. We wanted to inform you about the importance of this new release, and to refresh how it could improve your security concerns.

Updating to version 1.2.0 is essential for users.

Version 1.2.0 will be the first version for production purposes, allowing further versions and updates not to break your system implementation. Users will therefore be able to update their applications and the Secure manager to any further version remotely.
Version 1.1.x will not be supported anymore. You can still find the Secure Manager version 1.1 certificate on SESIP website at Secure Manager & STM32H5 certification. Version1.2.0 is undergoing a full security certification. This certification is expected to be available around November 2024 period.

Improved security and additional features

Here are a few details on the changes:

  • Security improvements
  • New third-party security services support from our ST partner: ProvenRun 
  • Footprint optimizations, allowing to increase the maximum allowed application size
  • AES GCM multipart support
  • Improved debug capabilities

Additional features are described in the user manual:

Secure Manager for STM32H573xx microcontrollers - User manual

The importance of MCU and MPU security

Security within an MCU or MPU or MPU application is a complex and costly journey.

Your final product or application will soon require to prove its cyber security resilience. European laws are being put in place imposing that every digital object will require a cyber security focus. Details are available at Cyber Resilience Act: MEPs adopt plans to boost security of digital products | News | European Parliament (europa.eu).

Within this law several items will have to be covered:

  • Security by design to ensure security is a core element of each new product
  • Strong Root of Trust to ensure the origin and integrity of the firmware running on the product
  • Security updates to ensure that every device can be updated in case of security vulnerability
  • Secure communication to ensure mutual attestation of communicating devices and privacy of data transiting on the networks

Building this is made seamless and straightforward using Secure Manager 1.2.0. All functions being made available natively into a software framework that can be securely installed on STM32H573 devices.

Furthermore, Secure Manager is running in an isolated partition of the device, using the TrustZone(C) from Arm architecture. See the following architecture description

ThierryCrespo_0-1726495408330.png

In this architecture, developers do not need to write any code on security aspects, everything is covered by the framework. This includes a pre-configured TrustZone.

Let's see how Secure Manager helps you to solve your previous requirements:

  • Security by design - dedicated security service design for high security, maintained and corrected by ST in case of malicious vulnerabilities
  • Strong Root of Trust - 2-stage Root of Trust, one immutable, one updatable to allow application verification of authenticity, integrity and confidentiality
  • Security update - PSA API compliant solution, to securely & independently update your application and the secure modules (or secure apps) as well as the root of trust itself.

Verifying that your security application is robust against threats

Security assurance is indeed highly important and clearly a difficulty for developers. Developers often do not know how to implement a secure code, neither how attackers are going to break it. It takes years for them to get trained on security and reach the right expertise.

With Secure Manager we used decades of security expertise of our embedded software developers and partners to provide a solution capable to resist to multiple type of threats. Knowing trust can only come from external independent 3rd parties, it was tested and certified by external and highly skilled security laboratories. Penetration testing was done targeting a security assurance of SESIP Assurance Level 3 (SESIP3) including physical attacks.

ThierryCrespo_1-1726496946852.png

 

Do you have any questions about Secure Manager?

We encourage you to comment on this article if you have any questions or points to discuss, and we will be happy to respond.

Related links

    5 replies

    J
    JeanMarc_C
    Associate
    September 25, 2024

    Hello Thierry,

     

    Thank you for this presentation, It annouces a big job to add for the next developments !

    All the works seems to be focused on the STM32H573 for the moment, I assume it will be enlarged to other devices and generally other families ?

    Do you have any roadmap for this extension ? It is very important for us to choose the good micro as soon as possible in new developments.

     

    Best regards

     

    Jean-Marc

    Thierry Crespo
    Thierry CrespoAuthor
    ST Employee
    September 25, 2024

    Hello @JeanMarc_C 

    Indeed, we plan for further releases, on new dies of the STM32H5 family (having larger memory footprint) and later on other STM32 series. It is however a bit early for us to announce yet. 

    I believe that around Q1'2025 we will be able to provide more information.

    Thank you for your interest!

    Best regards

    Thierry

    T
    Thatseasy
    Associate III
    November 10, 2024

    @Thierry Crespo I tried to provision Secure Manager 1.2 to my DK board, and got the following error messages in the provisioning.log:

    2024-11-10 15:49:30,796 - root - DEBUG - Error: SFI command is not supported for the current device configuration using STLINK interfaces !
    2024-11-10 15:49:30,796 - root - DEBUG - Error: Cannot launch RSSe...
    2024-11-10 15:49:30,796 - root - DEBUG -
    2024-11-10 15:49:30,796 - root - DEBUG - Error: C:\Users\cbens\STM32Cube\Repository\STM32Cube_FW_H5_V1.3.0\Projects\STM32H573I-DK\ROT_Provisioning\SM\Binary\SecureManagerPackage.sfi SFI file Install Operation Failure! Please, try again.
    2024-11-10 15:49:30,796 - root - DEBUG -


    Then I booted the DK board in DFU mode, and used the programmer to program the sfi, but still failed either "could not connect to the device" if SW1=0, or the following errors if SW1 = 1 (I know according to the instructions it should not be 1.)

    17:23:44 : Erasing memory corresponding to segment 0:
    17:23:44 : Not flash Memory : No erase done
    17:23:44 : Download in Progress:
    17:23:45 : File download complete
    17:23:45 : Time elapsed during download operation: 00:00:00.111
    17:23:45 : Get RSSe status...
    17:23:46 : Error: Failed to get RSSe Status!
    17:23:46 : Error: Cannot launch RSSe...

     

    All the tools are up to date.

    Any suggestions? Someone in the forum mentioned CubeProgrammer 2.18, should I try that version, and where I can download it?

    Thank you!

    Laurids_PETERSEN
    Laurids_PETERSEN
    Community Manager
    November 12, 2024

    Hi @Thatseasy,

    Thanks for your question. In order for it to have more visibility for the community, I suggest creating a post on our STM32 security forum board. 

    Best regards,
    Laurids 

    Thierry Crespo
    Thierry CrespoAuthor
    ST Employee
    November 12, 2024

    Hello @Thatseasy,

    Indeed, technical fellows can answer you posting at STM32 MCUs Security - STMicroelectronics Community

    Please label your question with Secure Manager label, it will be processed by knowledgeable people.

    Best regards

    Thierry

      Terms & ConditionsAccessibility statement