Clarification on Secure Boot Flow with PCROP Protection for STM32H723

guo qiang
Senior

I am implementing a secure boot process on the STM32H723. My application has three firmware components with the following memory layout:
1. BOOT: Located in internal Flash.
2. OS: Located in internal Flash.
3. USER: Located in external SDRAM.

The required boot and runtime behavior is:
1. Upon power-on, the BOOT code must read and perform a full verification (e.g., checksum, hash) of the entire OS image from internal Flash.
2. After verification, the BOOT jumps to the OS.
3. The OS provides a runtime environment for the USER application. The OS and USER application need to interact bidirectionally (e.g., call each other's functions).

Core Security Requirement:
The USER application (running in SDRAM) must be prevented from reading the code of both the BOOT and the OS from internal Flash. The OS code should be executable but not readable.

Question / Request for Clarification:
The PCROP (Proprietary Code Read Protection) feature seems designed for "execute-only" protection. However, a conflict exists in my use case:
• The BOOT needs read access to the OS area for verification.

• The USER must be denied read access to the same area.

What is the recommended method?


Reference: STM32H723 Reference Manual RM0433, Section 4.3 (Flash Protection).


I cannot use the MPU in combination with user mode (privilege separation) for this protection, as it would involve frequent SVC (supervisor call) system calls for OS-USER interaction, introducing unacceptable performance overhead.
