FAQs
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

How to validate an image with security features enabled?

ac_gd
Associate II

‎2021-07-16 06:14 AM

Hi all,

In our project we have enabled the ENABLE_IMAGE_STATE_HANDLING flag and download an image via YMODEM transfer to our NUCLEO-L476RG. However, when we try to validate the image by calling SE_APP_ValidateFw(), our STM reboots and does a rollback.

All of this only happens when not defining SECBOOT_DISABLE_SECURITY_IPS in NUCLEO-L476RG/Applications/2_Images/2_Images_SBSFU/SBSFU/App/app_sfu.h (see attachment for our app_sfu.h file) So when security features are enabled. However, we found out that the security feature that triggers this reset is SFU_MPU_USERAPP_ACTIVATION: when we disable this one, everything works as expected and no rollback happens (i.e., no reset).

Is this expected behavior of the SFU_MPU_USERAPP_ACTIVATION security feature? Is it incompatible with ENABLE_IMAGE_STATE_HANDLING mode/SE_APP_ValidateFw call?

Kind regards,

ac_gd

Labels:
Preview file
12 KB
0 Kudos
14 REPLIES 14
jrgert
Associate III

‎2021-07-16 01:27 PM

Thank you for posting your question. While I do not have an answer, I do have the exact same situation with my board's STM32L496 and SBSFU v2.5.0.

Per your observation, I disabled SFU_MPU_USERAPP_ACTIVATION and the problem went away.

For background info, when I run my projects with ENABLE_IMAGE_STATE_HANDLING disabled, the firmware can be updated.

0 Kudos
jrgert
Associate III

‎2021-07-16 02:24 PM

There is a difference in MPU permissions comparing the SB / SFU vs. App regions. MPU_REGION_FULL_ACCESS vs. MPU_REGION_PRIV_RO respectively. There is a comment regarding the app permissions and firewall, however I do not know enough about either yet. Still learning.

For fun, I changed the App region permission to MPU_REGION_FULL_ACCESS and it boots up and the app runs now. Is this OK?

0 Kudos
ac_gd
Associate II

‎2021-07-26 11:36 PM

Hi @jrgert​, thank you for your answer. I am glad that you can reproduce the problem. If you assign it full access, will the MPU protection still have any effect?

0 Kudos
FBelv
Associate II

‎2021-08-17 12:50 AM

How did you manage to call SE_APP_ValidateFw() from within the UserApp? I am trying to run SBSFU with ENABLE_IMAGE_STATE_HANDLING, but the SE_APP_ValidateFw() function will reset the STM32L4A6 as the function is not in the expected memory boundary. Are you calling the SE_APP_ValidateFw() from the UserApp in the SBSFU code?

The failing part is in the function

/*Secure Engine Call*/
 
e_ret_status = (*SE_CallGatePtr)(SE_APP_VALIDATE_FW, peSE_Status, primask_bit, SlotNumber);

and this calls the:

SE_ErrorStatus SE_CallGate(SE_FunctionIDTypeDef eID, SE_StatusTypeDef * const peSE_Status, uint32_t PrimaskParam, ...)
{
  SE_ErrorStatus e_ret_status;
  va_list arguments;
#if defined(__GNUC__)
  register unsigned lr asm("lr");
  uint32_t LR = lr;
#else
  uint32_t LR;
#endif /* __GNUC__ */
 
  /* Enter the protected area */
  ENTER_PROTECTED_AREA();
 
  /*
   * Warning : It is mandatory to call NVIC_SystemReset() in case of error
   * instead of return(SE_ERROR) to avoid any attempt of attack by modifying
   * the call stack (LR) in order to execute code inside secure enclave
   */
 
  /* Check the Callgate was called only from SE Interface */
#if defined(__ICCARM__) || defined (__CC_ARM)
  LR = __get_LR();
#endif /* __ICCARM__ || __CC_ARM */
 
  IS_CALLER_SE_IF();

the IS_CALLER_SE_IF is 

#define IS_CALLER_SE_IF() \
  do{ \
    if (LR< SE_IF_REGION_ROM_START){\
      NVIC_SystemReset();}\
    if (LR> SE_IF_REGION_ROM_END){\
      NVIC_SystemReset();}\
  }while(0)

and obviously, if the SE_APP_ValidateFw() function is in the UserApp flash space, the second IF will trigger a reset.

So, my question is, how did you avoid this? I'm on STM32CubeIde. Too bad STM tries its best not to provide working examples on STM32CubeIde.

0 Kudos
jrgert
Associate III
In response to FBelv

‎2021-08-18 06:08 AM

FBelv asked "Are you calling the SE_APP_ValidateFw() from the UserApp in the SBSFU code?"

Yes, my app code calls SE_APP_ValidateFw() per Appendix J of UM2262. The SBSFU examples do provide a test app that calls the function.

0 Kudos
kaur
Associate III
In response to FBelv

‎2024-01-05 10:53 AM

Hi @FBelv ,

I am facing the same issue with my project. Were you able to find a solution for this?

 

--

Best

Praneet

0 Kudos
FBelv
Associate II
In response to kaur

‎2024-01-08 12:59 AM

I didn't look into that too much and gave up shortly.

ST should invest some more resources into properly maintaining SBSFU which hasn't been updated since a long time.

 

0 Kudos
kaur
Associate III
In response to FBelv

‎2024-01-08 10:25 AM

Thanks for your response @FBelv ,

Its strange that I saw this issue intermittently earlier but now I am seeing it consistently. This is a blocker for me so I hope I can find a way to fix this. I will update this thread if I figure out the root cause and solution.

 

--

Best

Praneet

0 Kudos
Jocelyn RICARD
ST Employee

‎2024-01-08 11:03 AM

Hello @kaur ,

Are you using latest version of X-CUBE-SBSFU ?

Did you change the flash mapping ?

In this package, the MPU configuration needs to be adapted when flash mapping is changed. this is not done automatically ...

Best regards

Jocelyn

0 Kudos
Top