FAQs
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

SBSFU user app API extension

Go to solution
jrgert
Associate III

‎2021-08-25 09:27 AM

My project uses SBSFU template ported to my STM32L496 board. I need to call the crypto library from the user app.

UM2262 mentions cryptographic middleware support in sections 6.2.3 and 6.2.4, but it is vague.

Are there other documents that explain better, or perhaps specific examples for calling the crypto lib from the user app?

Labels:
0 Kudos
1 ACCEPTED SOLUTION

Accepted Solutions
Go to solution
Jocelyn RICARD
ST Employee

‎2021-08-30 09:49 AM

Hello @jrgert​ 

The STM32L4 provides hardware isolation thanks to the firewall.

The Secure Engine is running inside this secure enclave.

The Secure Engine was design to enable easy extension with user defined services.

So, it is possible to add specific crypto services inside the SE.

The advantage is that you benefit from the isolation and possibly share the crypto library services if using the same.

The drawback is that services and possible keys would be frozen in the SBSFU without ability to update.

Regarding the implementation, be careful that the X-CUBE-CRYPTOLIB provided by ST (link in @Pavel A.​  post) you will get a new version 4.x that is not compatible with the one used in SBSFU that is 3.x

There is no issue if you do everything in your application.

But if you want to isolate your crypto services inside the secure engine, it would preferable to get the same version. If this is the case, please drop me a private message.

Best regards

Jocelyn

View solution in original post

0 Kudos
6 REPLIES 6
Go to solution
alister
Lead

‎2021-08-26 01:02 AM

>I need to call the crypto library from the user app.

Can you explain why please?

0 Kudos
Go to solution
Pavel A.
Evangelist III

‎2021-08-26 02:52 AM

SBSFU contains a subset of the ST crypto lib, if I remember correctly.

You can get the full library here, it has documentation and examples.

--pa

0 Kudos
Go to solution
jrgert
Associate III
In response to alister

‎2021-08-26 05:32 AM

I would like to do some hashing, ciphering and/or message authentication. I thought using the library that is already linked in would be useful.

0 Kudos
Go to solution
alister
Lead
In response to jrgert

‎2021-08-26 02:33 PM

The X-CUBE-CRYPTOLIB or mbedTLS linked your boot (SBSFU) project's SE are for authenticating app headers, authenticating the active app matches its header, decrypting and integrity-checking an app during install and are coupled to your secret key(s). You app would not typically use these as adding an API to reach them opens them to attack.

An exception may be a certificate, requiring similar security as your secret key(s), which you elect to place in the same bank and sector as your boot code during manufacture, and devise some callgate to get it.

The crypto library used in your app must be linked with your app, which is a separate project. If you build your boot and app projects in the same repo and wanted to use the same lib for both, certainly you could arrange its projects to do that. X-CUBE-SBSFU typically uses X-CUBE-CRYPTOLIB and Pavel A describes how to get its full library. Apps typically use mbedTLS.

0 Kudos
Go to solution
jrgert
Associate III
In response to jrgert

‎2021-08-27 06:28 AM

Understood. Thank you.

0 Kudos
Go to solution
Jocelyn RICARD
ST Employee

‎2021-08-30 09:49 AM

Hello @jrgert​ 

The STM32L4 provides hardware isolation thanks to the firewall.

The Secure Engine is running inside this secure enclave.

The Secure Engine was design to enable easy extension with user defined services.

So, it is possible to add specific crypto services inside the SE.

The advantage is that you benefit from the isolation and possibly share the crypto library services if using the same.

The drawback is that services and possible keys would be frozen in the SBSFU without ability to update.

Regarding the implementation, be careful that the X-CUBE-CRYPTOLIB provided by ST (link in @Pavel A.​  post) you will get a new version 4.x that is not compatible with the one used in SBSFU that is 3.x

There is no issue if you do everything in your application.

But if you want to isolate your crypto services inside the secure engine, it would preferable to get the same version. If this is the case, please drop me a private message.

Best regards

Jocelyn

0 Kudos
Top