2008-06-09 03:43 AM
Protection, Is my code in Flash really secure?
#stm322011-05-17 03:29 AM
Protection, Is my code in Flash really secure?
I want my code in Flash to be secure from downloading by anybody else. After reading the documentation on STM32… Cortex I still have some doubts. I hope I am not right – I hope the ways bellow to steal the code are actually not possible but …. I prefer to be sure than only guess. Possible (?) ways of attack: 1. Intruder loads code (via System Boot Loader) into the beginning of RAM and after Reset the ST32 boots from this RAM. He is getting control over the processor and his procedure is easily copying my precious code from flash to ram and next via USART, SPI…. 2. Similar to above but this intruder’s code is setting DMA to transfer data from the secure (?) Flash region via USART or SPI. Next he just waits for my secure bytes at this door opened … 3. Similar to above (p.2) but he sets this DMA transfer with debugger… ? And according to above (assuming the Flash is secured with RDP set): 4. Is a subroutine in Flash able to read and transfer data from Flash? Even with RDP set – important when I have arrays of coefficient within the Flash. 5. On the other hand - when this subroutine is in RAM. It will be dangerous for my code if subroutine in RAM could read code from Flash (because of p.1). 6. How St32 distinguish whether DMA settings are safe against Flash code protection or not? 7. Is there any way to totally disable the debugger? Totally or till the nearest Mass Erase ? 8. How about attack via “TMC Tap�? Generally – the protection policy of ST32 Cortex is not quite clear to me. And how about you – friends? I have no Kit just to try, as I am at the decision which microcontroller to choose for my product line. Thank you very much for any help and response.2011-05-17 03:29 AM
> Generally – the protection policy of ST32 Cortex is not quite clear to me. And how about you – friends?
it's not at all clear to me either. I was deferring this issue until later. since my project is quite complex, new revisions and models of the STM32 will surely come out before I need to mass produce, and I expect the protections to be debugged and to evolve. I also expect a document from ST focusing on security since the model seems complex and involves many subsystems. (maybe part of this info is already available from ARM.) I would prefer the protection to be simple and lumped in some clear and small functionality as this reduces the chance of circumvention. on the other hand, the more complex the model the more likely an exploit will be found. regrettably the bootloader can't be disabled, so your device will go out with that code there. I think the bootloader only allows a mass erase when protection is on, or so I think ST's doc said, but ST won't release the source code for the loader. of course I find this extremely annoying: security by obscurity. I know of some people that go to extremes with other processors: they tie all pins to ground and feed 10V into a pin busting the bonding wire of the encapsulation, and who knows what else. for the STM32 at most you'd have to bust USART1 RX and the JTAG clock. whether the chip would survive such a treatment and in what condition is anybody's guess, and so is the level of protection achieved. in short, while I remain in my current state of ignorance and until ST publishes a clarifying document I consider the STM32 unsafe. and I might add that when the time comes to make a decision I won't simply trust that ST has done its homework.2011-05-17 03:29 AM
Quote:
On 09-04-2008 at 16:14, Anonymous wrote: Protection, Is my code in Flash really secure? no, the stm32 is not a secure microcontroller (at least not in the class of secureAVR or Maxim secure microcontrollers with encrypted program and data memory)Quote:
I want my code in Flash to be secure from downloading by anybody else. that is like asking I don't want my car stolen, it can't be achieved in the absolute sense you need to determine first what level of security you want, that is all a manufacturer can provide (and guarantee)2011-05-17 03:29 AM
From my reading of the Boot Mode document AN2606:
When the RDP (read protection) option is active, the only command that is allowed is the ''Permanent Readout Unprotect'' command (which erases all of the Flash). So while the protection is enabled, it should not be possible to download programs to RAM and run them (as Renon suggested). That sounds pretty safe to me. Although, I'm not sure how the JTAG is disabled (is there a JTAG fuse somewhere). Hopefully an expert from ST can reassure us.2011-05-17 03:29 AM
Just attended a STM seminar.
And I asked if it was possible to read out flash from a RAM Bootloader when Readout protection was enabled. I was told that it was not possible to Read flash from code executing in RAM when the Readout protection was active. I still wonder if you can create a small block of code and write it to an empty flash page and then call that code from your RamBootloader.. and make it read out the rest of the flash contents.. Or even clear a page and read out the rest of the code. Granted you will destroy some of the code, but it could help you figure out how to get the access without destroying code. As I don't need this degree of security - I have not examined the varius attack possibilities closer. /Henrik2011-05-17 03:29 AM
> I was told that it was not possible to Read flash from code executing in RAM when the Readout protection was active.
yeah but how is this implemented? we need to know more. what if the code in ram sets up DMA transfers? there's no need to keep the implementation secret unless it's broken. ST just published the errata, I guess they just need more time.2011-05-17 03:29 AM
Hi all,
When Read-out protection is active, The flash content is secure. All read accesses through RAM, TMC, DMA or bootloader are not granted in this case, only a read-out un-protection or mass erase can be performed there. Cheers, STOne-32.2011-05-17 03:29 AM
hi STOne,
I haven't studied this yet, but I think I remember you could load code into RAM on a read-out protected device somehow. (was it through JTAG?) 1) you say DMA access to flash is blocked in a read-out protected device. how is this implemented? if both RAM and flash can program the DMA controller, how are DMA accesses to flash selectively blocked when originated by code in RAM? 2) say you have a read-out protected device in which some pages of the flash are write-protected and others are not. is there a way (via JTAG or loaded program in RAM or whatever) to reprogram some of the non-write-protected pages without erasing all of the flash first? > When Read-out protection is active, The flash content is secure. I'm sure that's true, but I think ST has to acknowledge that some of us, the original poster included, will need to understand and review the security model before we commit our IP to it.2011-05-17 03:29 AM
Hi Lanchon,hholms,greg_stm,obtronix, renon,
Is the PM0042 not enought clear on this protection point ? Cheers, STOne-32. [ This message was edited by: STOne-32 on 01-05-2008 19:21 ]