
How to validate an image with security features enabled?

ac_gd
Associate II

Hi all,

In our project we have enabled the ENABLE_IMAGE_STATE_HANDLING flag and download an image via YMODEM transfer to our NUCLEO-L476RG. However, when we try to validate the image by calling SE_APP_ValidateFw(), our STM reboots and does a rollback.

All of this only happens when not defining SECBOOT_DISABLE_SECURITY_IPS in NUCLEO-L476RG/Applications/2_Images/2_Images_SBSFU/SBSFU/App/app_sfu.h (see attachment for our app_sfu.h file), so when security features are enabled. However, we found out that the security feature that triggers this reset is SFU_MPU_USERAPP_ACTIVATION: when we disable this one, everything works as expected and no rollback happens (i.e., no reset).

Is this expected behavior of the SFU_MPU_USERAPP_ACTIVATION security feature? Is it incompatible with ENABLE_IMAGE_STATE_HANDLING mode/SE_APP_ValidateFw call?

Kind regards,

ac_gd

15 REPLIES 15

Hi @Jocelyn RICARD  ,

Thank you for your response. Yes, I am using the latest SBSFU version 2.6.2.

In my configuration, I have commented all security IPs except SFU_IWDG_PROTECT_ENABLE and ENABLE_IMAGE_STATE_HANDLING (app_sfu.h attached for reference).

I have implemented same functionality as userapp to call SE_APP_GetActiveFwState in my app when SFU_MPU_PROTECT_ENABLE is not enabled.

I am using the 2_Images project from P-NUCLEO-WB55.Nucleo and I have expanded the active and download slots to 344K and the MPU configuration in sfu_low_level_security.h (file attached).

However, I am still seeing the issue outlined above when SE_APP_GetActiveFwState() is called. Here is how I have split the memory in my linker file.

/* swap (8 kbytes) */
__ICFEDIT_SWAP_start__ = 0x08016000;
__ICFEDIT_SWAP_size__ = 0x2000;
__ICFEDIT_SWAP_end__ = 0x8017fff;

/* Active slot #1 (352 kbytes) */
__ICFEDIT_SLOT_Size_1__ = 0x56000;
__ICFEDIT_SLOT_Active_1_start__ = 0x8018000;
__ICFEDIT_SLOT_Active_1_end__ = 0x806dfff;
__ICFEDIT_SLOT_Active_1_header__ = __ICFEDIT_SLOT_Active_1_start__;

 /* Dwl slot #1 (352 kbytes) */
__ICFEDIT_SLOT_Dwl_1_start__ = 0x806e000;
__ICFEDIT_SLOT_Dwl_1_end__ = 0x80c3fff;

 

--

Best

Praneet

Jocelyn RICARD
ST Employee

Hello,

First, I have double checked the Image state handling feature of the SBSFU 6.2.0 on STM32WB55 and it works fine on the default project.

I also changed the mapping as you did, and adapted MPU configuration accordingly in

Projects\P-NUCLEO-WB55.Nucleo\Applications\2_Images\2_Images_SBSFU\SBSFU\Target\sfu_low_level_security.h

 

#define APP_PROTECT_MPU_AREA_2_ACTIVE_SLOT_START  0x08040000U
#define APP_PROTECT_MPU_AREA_2_ACTIVE_SLOT_SIZE   MPU_REGION_SIZE_256KB
#define APP_PROTECT_MPU_AREA_2_ACTIVE_SLOT_PERM   MPU_REGION_FULL_ACCESS
#define APP_PROTECT_MPU_AREA_2_ACTIVE_SLOT_EXEC   MPU_INSTRUCTION_ACCESS_ENABLE
#define APP_PROTECT_MPU_AREA_2_ACTIVE_SLOT_SREG   0xC0U 

All works fine: check active firmware version, update and image validation.

Best regards

Jocelyn
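An added example, not part of the thread or of the SBSFU sources: a small host-side C check that computes how many bytes of a flash slot an Armv7-M MPU region actually covers, given that the region base must be size-aligned and each set bit of the sub-region disable mask switches off one eighth of the region. The struct and function names are hypothetical; the values in main() are the region defines from the reply above and the slot addresses from the linker excerpt earlier in the thread, and pairing them is an assumption.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical host-side model of one Armv7-M MPU region. */
typedef struct {
    uint32_t base; /* region start, must be aligned to size */
    uint32_t size; /* region size in bytes, power of two    */
    uint8_t  srd;  /* bit n set => sub-region n disabled    */
} mpu_region_t;

/* Size must be a power of two (>= 256 B for sub-regions) and base aligned to it. */
bool mpu_region_valid(const mpu_region_t *r)
{
    return r->size >= 256u && (r->size & (r->size - 1u)) == 0u
        && (r->base & (r->size - 1u)) == 0u;
}

/* Bytes of the inclusive range [start, end] that fall in enabled sub-regions. */
uint32_t mpu_region_covered(const mpu_region_t *r, uint32_t start, uint32_t end)
{
    uint32_t covered = 0u, sub = r->size / 8u;
    if (!mpu_region_valid(r)) return 0u;
    for (uint32_t i = 0u; i < 8u; i++) {
        if ((r->srd >> i) & 1u) continue;          /* sub-region disabled */
        uint32_t lo = r->base + i * sub, hi = lo + sub - 1u;
        if (lo < start) lo = start;                /* clip to the slot    */
        if (hi > end) hi = end;
        if (lo <= hi) covered += hi - lo + 1u;
    }
    return covered;
}

int main(void)
{
    /* APP_PROTECT_MPU_AREA_2_ACTIVE_SLOT_*: 256 KB at 0x08040000, SREG 0xC0 */
    const mpu_region_t area2 = { 0x08040000u, 0x40000u, 0xC0u };
    /* Slot bounds as posted in the linker excerpt. */
    const uint32_t act_lo = 0x08018000u, act_hi = 0x0806dfffu;
    const uint32_t dwl_lo = 0x0806e000u, dwl_hi = 0x080c3fffu;

    printf("area 2 valid:        %d\n", mpu_region_valid(&area2));
    printf("active slot covered: 0x%X of 0x%X bytes\n",
           (unsigned)mpu_region_covered(&area2, act_lo, act_hi),
           (unsigned)(act_hi - act_lo + 1u));
    printf("dwl slot covered:    0x%X bytes\n",
           (unsigned)mpu_region_covered(&area2, dwl_lo, dwl_hi));
    return 0;
}
```

Whatever part of the active slot this region does not cover has to come from the other active-slot MPU area, which is not shown in the thread.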

Hi Jocelyn, 

Thanks for trying it out with SBSFU userapp.

I still see this issue with custom app, could it be that some peripherals being used by both userapp and SBSFU are causing the issue?

Hello @kaur ,

Well I don't know.

Only way to go further is to use the debugger and see what happens.

Best regards

Jocelyn

gpguy
Associate

Thank you for posting your question. I have this question too and am looking for a solution.

kaur
Associate III

Hi @gpguy ,

Is there anything different in your scenario which is leading to this issue?