cancel
Showing results for 
Search instead for 
Did you mean: 

Does SBSFU support user app to execute from both Bank 1 and Bank 2?

SL61
Associate II

I am using STM32L4A6VG with 1 MB flash and my application is about 600+KB. I want to update the user app from an external flash and need some guide to modify SBSFU.

After reading these 2 examples (STM32CubeExpansion_SBSFU_V2.4.0\Projects\B-L475E-IOT01A\Applications\2_Images_ExtFlash and STM32CubeExpansion_SBSFU_V2.4.0\Projects\32L496GDISCOVERY\Applications\2_Images), I can update user image from my external flash with RDP and WRP on. Here is my configuration of memory mapping. I know this configuration violates FWALL and MPU settings (like active image header should be in FWALL NVDATA) so I comment the sanity check of FWALL and turn off FWALL protection.

/* Header does not start at the beginning of the sector to ensure the overlap constraint between 
   firewall NVDATA section and firewall CODE section. 
   This constraint is relevant only for products with dual bank and firewall isolation */
__ICFEDIT_SLOT_Active_1_start__  = 0x08012000;
__ICFEDIT_SLOT_Active_1_end__    = 0x080F1FFF;
__ICFEDIT_SLOT_Active_1_header__ = __ICFEDIT_SLOT_Active_1_start__;
 
/* Dwl slot #1 (896 kbytes) */
__ICFEDIT_SLOT_Dwl_1_start__     = 0x90000000;
__ICFEDIT_SLOT_Dwl_1_end__       = 0x900DFFFF;

The question is how I can modify the linker script to let SBSFU run with all security features on. The user app is larger than the size of one bank so I have to split the image and use both Bank 1 and Bank 2 to execute. How can I let SBSFU know the correct boundary of my image?

1 ACCEPTED SOLUTION

Accepted Solutions

Hi Sean,

Everything is possible but here you will need to dig into the SBSFU to perform modifications and it will not be easy for sure!

My first proposal was to remove this firewall overlapping part and put directly active image after the SBSFU.

For reminder, this firewall part is here because of the ability of the chip to swap banks. So, firewall areas should be at same offset in each bank to avoid possibility of secret leak when swapping banks.

To perform such secret extraction hack would need to be able to inject code in RAM and execute it. If you set RAM as non executable it will be more complex to achieve for instance.

Now, if you want to be on the safe side, and keep the exclusion mechanism, you have 2 possibilities:

1- You change SBSFU so that it is able to manage this exclusion part. Active image would start just after the SBSFU, header would be kept where it is, protected by firewall, and active image would continue until end of flash. This has several impacts: SBSFU, firmware build and tools.

2- use the multislot capability. You create an active image #2 that is managed "independantly" from active image #1. In that case, impact would be mainly in the way you build your firmware. You would need to split it it 2 binaries like one exe and one library for instance. You have an example of such multi slot setup in 2_Images_ExtFlash of B-L475E-IOT01A board.

Best regards

Jocelyn

View solution in original post

6 REPLIES 6
Jocelyn RICARD
ST Employee

Hello,

In your case, you cannot implement easily the firewall protection over dual bank.

I mean this would be too complex to reserve an area inside your application in bank 2 to protect against bank swap.

So, you reduce a little bit the robustness. Now, such attack would be very complex to perform anyway.

Best regards

Jocelyn

Hi Jocelyn,

Thanks for your reply.

Just would like to make it clear​ and try to catch your point. Based on your suggestion, I come up with two ideas to deal with such scenario. One is to use RDP and WRP only with external flash. The other one is to use another MCU with larger internal flash, like STM32F4 series. More expensive but I can use all SBSFU features. Am I right?

Best,

Sean

Hi Sean,

Well this is not what I meant :)

You can still active the firewall which provides a good hardware isolation between secure engine and the rest of the code.

The STM32F4 does not implement such mechanism.

If you really want to change chip, L4+ series like STM32L4R or S have 2MB flash and still implement the firewall hw.

Best regards

Jocelyn

SL61
Associate II

Hi Jocelyn,

Thanks for clarify STM32F4 is not capable for that. Haven't done read in detail with SBSFU of F4 series:grinning_face_with_sweat: . I am looking at L4+ series and see if it can minimize the effort of migrating.

As for firewall protection, I am still confused about how to use it with external flash. Basically I want to split the active image in Bank 1 and Bank 2 since it is too big. When running SBSFU, it can check if a valid image is in external flash and program it into internal flash.

0693W000007ZQ2VQAW.png

  • For application image, I can modify linker file so codes can be split into two parts. This part should be OK.
  • For SBSFU, I find SBSFU will calculate the boundary based on mapping_fwimg.ld. But I am not sure if I can let SBSFU know the boundary of application image by modifying it like below. Seems I need to add extra variables to let SBSFU know the active image has two parts, which is complicated to modify these codes.
__ICFEDIT_SLOT_Active_1_header__ = 0x08089000;
__ICFEDIT_SLOT_Active_1_part1_start__  = 0x08012000;
__ICFEDIT_SLOT_Active_1_part1_end__    = 0x0807FFFF;
__ICFEDIT_SLOT_Active_1_part2_start__  = 0x0808A000;
__ICFEDIT_SLOT_Active_1_part2_end__    = 0x080F1FFF;

​Thanks for your time.

Best,

Sean

Hi Sean,

Everything is possible but here you will need to dig into the SBSFU to perform modifications and it will not be easy for sure!

My first proposal was to remove this firewall overlapping part and put directly active image after the SBSFU.

For reminder, this firewall part is here because of the ability of the chip to swap banks. So, firewall areas should be at same offset in each bank to avoid possibility of secret leak when swapping banks.

To perform such secret extraction hack would need to be able to inject code in RAM and execute it. If you set RAM as non executable it will be more complex to achieve for instance.

Now, if you want to be on the safe side, and keep the exclusion mechanism, you have 2 possibilities:

1- You change SBSFU so that it is able to manage this exclusion part. Active image would start just after the SBSFU, header would be kept where it is, protected by firewall, and active image would continue until end of flash. This has several impacts: SBSFU, firmware build and tools.

2- use the multislot capability. You create an active image #2 that is managed "independantly" from active image #1. In that case, impact would be mainly in the way you build your firmware. You would need to split it it 2 binaries like one exe and one library for instance. You have an example of such multi slot setup in 2_Images_ExtFlash of B-L475E-IOT01A board.

Best regards

Jocelyn

SL61
Associate II

Hi Jocelyn,

Thanks for your detailed answer. I think it is enough for me to choose which way to go.

Best,

Sean​