2021-07-16 06:14 AM
Hi all,
In our project we have enabled the ENABLE_IMAGE_STATE_HANDLING flag and download an image via YMODEM transfer to our NUCLEO-L476RG. However, when we try to validate the image by calling SE_APP_ValidateFw(), our STM reboots and does a rollback.
All of this only happens when not defining SECBOOT_DISABLE_SECURITY_IPS in NUCLEO-L476RG/Applications/2_Images/2_Images_SBSFU/SBSFU/App/app_sfu.h (see attachment for our app_sfu.h file), i.e., when security features are enabled. However, we found out that the security feature that triggers this reset is SFU_MPU_USERAPP_ACTIVATION: when we disable this one, everything works as expected and no rollback happens (i.e., no reset).
Is this expected behavior of the SFU_MPU_USERAPP_ACTIVATION security feature? Is it incompatible with ENABLE_IMAGE_STATE_HANDLING mode/SE_APP_ValidateFw call?
Kind regards,
ac_gd
2021-07-16 01:27 PM
Thank you for posting your question. While I do not have an answer, I do have the exact same situation with my board's STM32L496 and SBSFU v2.5.0.
Per your observation, I disabled SFU_MPU_USERAPP_ACTIVATION and the problem went away.
For background info, when I run my projects with ENABLE_IMAGE_STATE_HANDLING disabled, the firmware can be updated.
2021-07-16 02:24 PM
There is a difference in MPU permissions comparing the SB / SFU vs. App regions: MPU_REGION_FULL_ACCESS vs. MPU_REGION_PRIV_RO, respectively. There is a comment regarding the app permissions and firewall; however, I do not know enough about either yet. Still learning.
For fun, I changed the App region permission to MPU_REGION_FULL_ACCESS and it boots up and the app runs now. Is this OK?
2021-07-26 11:36 PM
Hi @jrgert, thank you for your answer. I am glad that you can reproduce the problem. If you assign it full access, will the MPU protection still have any effect?
2021-08-17 12:50 AM
How did you manage to call SE_APP_ValidateFw() from within the UserApp? I am trying to run SBSFU with ENABLE_IMAGE_STATE_HANDLING, but the SE_APP_ValidateFw() function will reset the STM32L4A6 as the function is not in the expected memory boundary. Are you calling the SE_APP_ValidateFw() from the UserApp in the SBSFU code?
The failing part is in the function
    /* Secure Engine Call */
    e_ret_status = (*SE_CallGatePtr)(SE_APP_VALIDATE_FW, peSE_Status, primask_bit, SlotNumber);
and this calls the:
    SE_ErrorStatus SE_CallGate(SE_FunctionIDTypeDef eID, SE_StatusTypeDef * const peSE_Status, uint32_t PrimaskParam, ...)
    {
      SE_ErrorStatus e_ret_status;
      va_list arguments;
    #if defined(__GNUC__)
      register unsigned lr asm("lr");
      uint32_t LR = lr;
    #else
      uint32_t LR;
    #endif /* __GNUC__ */
      /* Enter the protected area */
      ENTER_PROTECTED_AREA();
      /*
       * Warning : It is mandatory to call NVIC_SystemReset() in case of error
       * instead of return(SE_ERROR) to avoid any attempt of attack by modifying
       * the call stack (LR) in order to execute code inside secure enclave
       */
      /* Check the Callgate was called only from SE Interface */
    #if defined(__ICCARM__) || defined (__CC_ARM)
      LR = __get_LR();
    #endif /* __ICCARM__ || __CC_ARM */
      IS_CALLER_SE_IF();
The IS_CALLER_SE_IF is
    #define IS_CALLER_SE_IF() \
      do{ \
        if (LR < SE_IF_REGION_ROM_START){ \
          NVIC_SystemReset();} \
        if (LR > SE_IF_REGION_ROM_END){ \
          NVIC_SystemReset();} \
      }while(0)
and obviously, if the SE_APP_ValidateFw() function is in the UserApp flash space, the second IF will trigger a reset.
So, my question is, how did you avoid this? I'm on STM32CubeIDE. Too bad STM tries its best not to provide working examples on STM32CubeIDE.
2021-08-18 06:08 AM
FBelv asked "Are you calling the SE_APP_ValidateFw() from the UserApp in the SBSFU code?"
Yes, my app code calls SE_APP_ValidateFw() per Appendix J of UM2262. The SBSFU examples do provide a test app that calls the function.
2024-01-05 10:53 AM
Hi @FBelv,
I am facing the same issue with my project. Were you able to find a solution for this?
--
Best
Praneet
2024-01-08 12:59 AM
I didn't look into that too much and gave up shortly.
ST should invest some more resources into properly maintaining SBSFU, which hasn't been updated in a long time.
2024-01-08 10:25 AM
Thanks for your response @FBelv,
It's strange that I saw this issue intermittently earlier but now I am seeing it consistently. This is a blocker for me so I hope I can find a way to fix this. I will update this thread if I figure out the root cause and solution.
--
Best
Praneet
2024-01-08 11:03 AM
Hello @kaur,
Are you using the latest version of X-CUBE-SBSFU?
Did you change the flash mapping?
In this package, the MPU configuration needs to be adapted when the flash mapping is changed. This is not done automatically...
Best regards
Jocelyn
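
The last reply says the MPU configuration has to be adapted by hand when the flash mapping changes. The following is an added example, not part of the thread and not ST's code: a host-side check that an ARMv7-M (Cortex-M4) MPU region, including its subregion disable mask, still covers a firmware slot after the slot has moved. The struct, the function names, the addresses and the mask are constructed for illustration and are not taken from the SBSFU sources or linker files.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* One ARMv7-M MPU region (Cortex-M4), as programmed through RBAR/RASR. */
typedef struct {
    uint32_t base;      /* region base address */
    uint8_t  size_log2; /* region size is 2^size_log2 bytes (RASR.SIZE + 1) */
    uint8_t  srd;       /* subregion disable mask: bit n set = eighth n disabled */
} mpu_region_t;

/* Architectural rules: size 32 B to 4 GB, base aligned to the size,
 * subregion disable only usable for regions of 256 B or more. */
bool mpu_region_is_valid(const mpu_region_t *r)
{
    if (r->size_log2 < 5 || r->size_log2 > 32) return false;
    if (r->srd != 0 && r->size_log2 < 8) return false;
    uint64_t size = 1ULL << r->size_log2;
    return ((uint64_t)r->base & (size - 1)) == 0;
}

/* True when every byte of [start, end] (inclusive) is in an enabled subregion. */
bool mpu_region_covers(const mpu_region_t *r, uint32_t start, uint32_t end)
{
    if (!mpu_region_is_valid(r) || end < start) return false;
    uint64_t size = 1ULL << r->size_log2;
    if (start < r->base || end > (uint64_t)r->base + size - 1) return false;
    if (r->size_log2 < 8) return true;          /* too small for subregions */
    uint64_t sub = size / 8;
    for (uint64_t n = (start - r->base) / sub; n <= (end - r->base) / sub; n++) {
        if (r->srd & (1u << n)) return false;
    }
    return true;
}

int main(void)
{
    /* Constructed values, not taken from the SBSFU linker files. */
    mpu_region_t app = { 0x08000000u, 20, 0x01 };  /* 1 MB, first 128 KB disabled */
    printf("original slot covered: %d\n",
           mpu_region_covers(&app, 0x08020000u, 0x0807FFFFu));
    printf("moved slot covered:    %d\n",
           mpu_region_covers(&app, 0x08010000u, 0x0806FFFFu));
    return 0;
}
```

With these constructed values the original slot lies in enabled subregions 1 to 3, while the moved slot starts inside disabled subregion 0, so the unchanged region no longer covers it.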