How to validate an image with security features enabled?

ac_gd
Associate II

Hi all,

In our project we have enabled the ENABLE_IMAGE_STATE_HANDLING flag and download an image via YMODEM transfer to our NUCLEO-L476RG. However, when we try to validate the image by calling SE_APP_ValidateFw(), our STM reboots and does a rollback.

All of this only happens when not defining SECBOOT_DISABLE_SECURITY_IPS in NUCLEO-L476RG/Applications/2_Images/2_Images_SBSFU/SBSFU/App/app_sfu.h (see attachment for our app_sfu.h file), so when security features are enabled. However, we found out that the security feature that triggers this reset is SFU_MPU_USERAPP_ACTIVATION: when we disable this one, everything works as expected and no rollback happens (i.e., no reset).

Is this expected behavior of the SFU_MPU_USERAPP_ACTIVATION security feature? Is it incompatible with ENABLE_IMAGE_STATE_HANDLING mode/SE_APP_ValidateFw call?

Kind regards,

ac_gd

14 REPLIES
jrgert
Associate III

Thank you for posting your question. While I do not have an answer, I do have the exact same situation with my board's STM32L496 and SBSFU v2.5.0.

Per your observation, I disabled SFU_MPU_USERAPP_ACTIVATION and the problem went away.

For background info, when I run my projects with ENABLE_IMAGE_STATE_HANDLING disabled, the firmware can be updated.

jrgert
Associate III

There is a difference in MPU permissions comparing the SB / SFU vs. App regions. MPU_REGION_FULL_ACCESS vs. MPU_REGION_PRIV_RO respectively. There is a comment regarding the app permissions and firewall, however I do not know enough about either yet. Still learning.

For fun, I changed the App region permission to MPU_REGION_FULL_ACCESS and it boots up and the app runs now. Is this OK?

ac_gd
Associate II

Hi @jrgert, thank you for your answer. I am glad that you can reproduce the problem. If you assign it full access, will the MPU protection still have any effect?

FBelv
Associate II

How did you manage to call SE_APP_ValidateFw() from within the UserApp? I am trying to run SBSFU with ENABLE_IMAGE_STATE_HANDLING, but the SE_APP_ValidateFw() function will reset the STM32L4A6 as the function is not in the expected memory boundary. Are you calling the SE_APP_ValidateFw() from the UserApp in the SBSFU code?

The failing part is in the function

/* Secure Engine Call */
e_ret_status = (*SE_CallGatePtr)(SE_APP_VALIDATE_FW, peSE_Status, primask_bit, SlotNumber);

and this calls the:

SE_ErrorStatus SE_CallGate(SE_FunctionIDTypeDef eID, SE_StatusTypeDef * const peSE_Status, uint32_t PrimaskParam, ...)
{
  SE_ErrorStatus e_ret_status;
  va_list arguments;
#if defined(__GNUC__)
  register unsigned lr asm("lr");
  uint32_t LR = lr;
#else
  uint32_t LR;
#endif /* __GNUC__ */
 
  /* Enter the protected area */
  ENTER_PROTECTED_AREA();
 
  /*
   * Warning : It is mandatory to call NVIC_SystemReset() in case of error
   * instead of return(SE_ERROR) to avoid any attempt of attack by modifying
   * the call stack (LR) in order to execute code inside secure enclave
   */
 
  /* Check the Callgate was called only from SE Interface */
#if defined(__ICCARM__) || defined (__CC_ARM)
  LR = __get_LR();
#endif /* __ICCARM__ || __CC_ARM */
 
  IS_CALLER_SE_IF();

the IS_CALLER_SE_IF is

#define IS_CALLER_SE_IF() \
  do { \
    if (LR < SE_IF_REGION_ROM_START) { \
      NVIC_SystemReset(); } \
    if (LR > SE_IF_REGION_ROM_END) { \
      NVIC_SystemReset(); } \
  } while (0)

and obviously, if the SE_APP_ValidateFw() function is in the UserApp flash space, the second IF will trigger a reset.

So, my question is, how did you avoid this? I'm on STM32CubeIde. Too bad STM tries its best not to provide working examples on STM32CubeIde.
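As an added illustration (not SBSFU code, and not from any poster in this thread) of the check FBelv quotes: the two comparisons of IS_CALLER_SE_IF() as a host-testable function, plus a model of where LR ends up when the SE_APP_ValidateFw() wrapper is linked into user-app flash instead of the SE interface region. All addresses are constructed for the example and are not the real STM32L4 flash mapping.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed region bounds (example values, not the real STM32L476 mapping):
 * the SE interface code lives in [SE_IF_START, SE_IF_END]; the user application
 * sits in a separate flash slot above the SBSFU/SE areas. */
#define SE_IF_REGION_ROM_START 0x08003000u
#define SE_IF_REGION_ROM_END   0x080033FFu
#define USERAPP_REGION_START   0x08020000u

typedef enum { CALLER_OK = 0, CALLER_REJECTED_RESET = 1 } caller_verdict_t;

/* Pure-function form of the IS_CALLER_SE_IF() logic: the same two comparisons
 * (LR < START, LR > END), so both bounds are inclusive. It returns a verdict
 * instead of calling NVIC_SystemReset(), which is what lets the rule be run on
 * a host; on target the reset is deliberate (see the comment in SE_CallGate). */
caller_verdict_t se_callgate_check_caller(uint32_t lr)
{
    if (lr < SE_IF_REGION_ROM_START) return CALLER_REJECTED_RESET;
    if (lr > SE_IF_REGION_ROM_END)   return CALLER_REJECTED_RESET;
    return CALLER_OK;
}

/* Model of the scenario in the thread: SE_APP_ValidateFw() is a thin wrapper
 * whose BL into the call gate leaves LR = (address after the BL) | 1 (Thumb
 * bit). If the linker placed that wrapper in user-app flash, LR lies outside
 * the SE interface window and the gate resets the device. The +4 assumes a
 * 32-bit BL encoding; the wrapper address is whatever the linker chose. */
caller_verdict_t simulate_validate_fw_call(uint32_t wrapper_bl_addr)
{
    uint32_t lr = (wrapper_bl_addr + 4u) | 1u;
    return se_callgate_check_caller(lr);
}

int main(void)
{
    /* Wrapper correctly placed in the SE interface region. */
    printf("SE IF wrapper  : %s\n",
           simulate_validate_fw_call(0x08003100u) ? "RESET" : "ok");
    /* Wrapper accidentally linked into user-app flash (FBelv's failure). */
    printf("UserApp wrapper: %s\n",
           simulate_validate_fw_call(USERAPP_REGION_START + 0x100u) ? "RESET" : "ok");
    return 0;
}
```

Running the simulation with a wrapper address from the user-app slot reproduces the reset path the second comparison takes, which is the symptom the post above describes; checking the map file for where SE_APP_ValidateFw() actually landed is the corresponding diagnostic on target.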

FBelv asked "Are you calling the SE_APP_ValidateFw() from the UserApp in the SBSFU code?"

Yes, my app code calls SE_APP_ValidateFw() per Appendix J of UM2262. The SBSFU examples do provide a test app that calls the function.

kaur
Associate III

Hi @FBelv ,

I am facing the same issue with my project. Were you able to find a solution for this?


--

Best

Praneet

FBelv
Associate II

I didn't look into that too much and gave up shortly.

ST should invest some more resources into properly maintaining SBSFU which hasn't been updated since a long time.


kaur
Associate III

Thanks for your response @FBelv ,

It's strange that I saw this issue intermittently earlier but now I am seeing it consistently. This is a blocker for me so I hope I can find a way to fix this. I will update this thread if I figure out the root cause and solution.


--

Best

Praneet

Jocelyn RICARD
ST Employee

Hello @kaur ,

Are you using the latest version of X-CUBE-SBSFU?

Did you change the flash mapping?

In this package, the MPU configuration needs to be adapted when the flash mapping is changed. This is not done automatically ...

Best regards

Jocelyn