TL;DR:
On STM32G0B1 with SBSFU + SECoreBin, I want to design a secure crypto/key enclave for the user APP.
Enclave should be WRP/PCROP/MPU protected.
Only accessible via SVC/gateway from the unprivileged APP.
Should remain updateable through SBSFU (included in .sfb).
Is this approach feasible, and what is the recommended way to implement it?
Hello,
I am designing a product based on the STM32G0B1KEU6 MCU. I have integrated my project into SBSFU to harden security as much as possible.
Currently, secure boot and secure update are protected by design (RDP, WRP and PCROP for flash, MPU for RAM). I tried to access SECoreBin crypto services from the user application but that results in a HardFault (SBSFU is configured to forbid this, by design).
My question: what is the most secure approach to provide crypto operations and key storage to the user application itself?
Can I mimic a kind of “custom SECoreBin” dedicated to AES/ECC operations and key management for the APP?
Conceptually, my idea is:
------------------------
SECoreBin + SBSFU
- WRP: enabled
- PCROP: enabled
- MPU: privileged RAM protected
- Privileged only (no API to APP)
------------------------
Custom Enclave (Crypto Services)
- WRP: enabled (code immutable for APP)
- PCROP: enabled (APP can’t read code/data from flash)
- MPU: enclave RAM region protected (APP can’t touch)
- Privileged access only via SVC/gateway
------------------------
Application (unprivileged)
- Runs with nPRIV=1
- Can only call enclave through SVC/gateway
- Cannot read/patch SBSFU or enclave code
- Cannot access enclave RAM
------------------------
In addition:
Would this “custom enclave” be updateable through SBSFU in the same way as the application image (e.g. included inside the .sfb package)?
Or is there a better recommended way to structure such a service?
Thank you in advance,
Gorka
