FAQs
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

is RDP LEVEL 1  Enough?

Go to solution
Natali
Associate III

‎2024-12-17 08:32 AM

hi

please only ST Employee answer this question

i use  this code for enable RDP LEVEL 1  for STM32H743 and STM32F407

Can this code alone protect the program in the flash from any type of attack to read the program in the microcontroller?
Will it be possible to read the program through the bootloader or the program in the sram?

FLASH_OBProgramInitTypeDef OBInit;

OBInit.OptionType = OPTIONBYTE_RDP;
OBInit.RDPLevel = OB_RDP_LEVEL_1;

HAL_FLASH_OB_Unlock();
HAL_FLASH_Unlock();

HAL_FLASHEx_OBProgram(&OBInit);

HAL_FLASH_OB_Launch();
HAL_FLASH_OB_Lock();

HAL_FLASH_Lock();

 

Labels:
0 Kudos
1 ACCEPTED SOLUTION

Accepted Solutions
Go to solution
Jocelyn RICARD
ST Employee

‎2024-12-18 02:04 AM

Hello @Natali ,

When you enable RDP Level 1 the content of the flash is protected from reading from bootloader and from JTAG connection.

You can still attach to the target with JTAG and read the content of the RAM. So, if the firmware copies code in RAM this can be read with JTAG.

Best regards

Jocelyn

 

View solution in original post

3 REPLIES 3
Go to solution
Jocelyn RICARD
ST Employee

‎2024-12-18 02:04 AM

Hello @Natali ,

When you enable RDP Level 1 the content of the flash is protected from reading from bootloader and from JTAG connection.

You can still attach to the target with JTAG and read the content of the RAM. So, if the firmware copies code in RAM this can be read with JTAG.

Best regards

Jocelyn

 

Go to solution
Natali
Associate III
In response to Jocelyn RICARD

‎2024-12-18 02:22 AM

many thanks

Chatgpt suggests that the SWD interface be disabled as well. Is this necessary? If so, how should the SWD interface be disabled? Can the SWD interface be re-enabled after it is disabled?

0 Kudos
Go to solution
Jocelyn RICARD
ST Employee

‎2024-12-18 02:47 AM

Hello @Natali ,

In RDP Level 1, you can disable the SWD interface by changing the configuration of associated GPIOs in your code. Set SWDIO  and SWDCLK IO as input for instance.

This prevents the JTAG or SWD HOTPLUG connection while you are running code. But you can still connect under reset. This prevents from checking the content of peripheral registers for instance.

Other way is to switch to RDP Level 2. In that case, you disable completely SWD and cannot go back.

Depending on level of security you need, this level 2, associated with a secure boot and secure loader will greatly increase the security level of your device, with the ability to securely update it (using firmware authentication)

You can have a look to AN5156 that provides lots of useful information.

Best regards

Jocelyn

Top