How code in internal flash of STM32U5 can be protected from copying, if it is stored decrypted?

VTver.1 · ‎2023-05-08

Flash writing procedure has just finished. The next step, anyone can assume, is verification, that code has been written correctly, which involves reading the flashed memory. At this stage, if I trace the API calls, which Cube tool does to perform flash reading. Does this mean I can copy the firmware without having vendor keys? Please point me at which step I'm wrong.

VTver.1 · ‎2023-05-10

Thank you, @gbm , quoting your answer, " Normally, during factory programing, the memory is written, then verified, THEN PROTECTED.", can I conclude that during verification the memory is NOT protected, and all my concerns about the security of this step are reasonable? I haven't found anything refuting my concerns in this discussion thread.

Pavel A. · ‎2023-05-10

Have you seen https://wiki.st.com/stm32mcu/wiki/Security:SFI ?

VTver.1 · ‎2023-05-11

Thank you @Pavel A. My question refers exactly regarding the SFI procedure, described in the link you shared with me. The user needs to know the answer, if the device was flashed correctly or not. (This is quite obvious) Then, how the verification of the internal flash, being written with decrypted code is performed? The link you provided, and other documents I have searched, don't contain information about this step and it's security. It would be really helpful, if you could provide more details on this step.

Pavel A. · ‎2023-05-11

@JHOUD @Jocelyn RICARD @Aime could you help here, please?

Jocelyn RICARD · ‎2023-05-11

Hello @VTver.1 ,

From your first question, I understand you are flashing a firmware in clear. So, no need to read it back from device because you already have it on the PC.

Now, regarding SFI, this addresses the installation of a firmware in an untrusted environment.

This requires specific tools and a HSM as described in the Wiki.

The firmware installation is actually done by the chip itself.

It receives the encrypted firmware from the programmer, decrypts it, write it to flash and then finally check is was properly written. When the whole firmware is flashed, the programmer sends the last block that contains the encrypted option bytes to setup. This is usually the last command send, after that, the device is closed and ready to go.

I hope it answers your question

Best regards

Jocelyn

Pavel A. · ‎2023-05-11

@Jocelyn RICARD What if [in untrusted environment] this last command is blocked so the firmware remains open to read out?

Bubbles · ‎2023-05-11

Hi @Jocelyn RICARD ,

I think the SFI uses the RSS secure bootloader, so the part is already RDP2 when the loading starts. But maybe we should stop this discussion. the security team already warned me against sharing more than what's in the AN4992 without NDA with the counterpart.

BR,

J

To give better visibility on the answered topics, please click on Accept as Solution on the reply which solved your issue or answered your question.

Jocelyn RICARD · ‎2023-05-11

Hello Pavel,

The SFI can only run with minimum security level enabled (RDP 0.5 on U5), with a boot forced on RSS.

If the SFI process is interrupted, by a reset for instance, at next boot, SFI process is still enabled and interruption is detected. Everything is then erased.

Best regards

Jocelyn

VTver.1 · ‎2023-05-11

We are ready to sign NDA ASAP to get all the detailed information. May be we shall switch to emails regarding this problem, so that I can involve management of CNOGA Medical. Please involve Israeli representative also, if this is appropriate.

Pavel A. · ‎2023-05-11

Thank you for the explanation, Jocelyn