2022-03-11 02:34 AM
Normally the bootloader is the first thing programmed into the MCU by the manufacturer. The bootloader contains a way to update the firmware of the device from the (encrypted) firmware file, which is openly passed to the customer. Hence the bootloader is considered to be the most secret thing to take care of.
But what to do if there is no way to go physically to the place where the newly manufactured devices are located and physically program the bootloader? Is there any way to remotely program the bootloader in a secured way, so that the people having the devices could not steal or sniff it? Are there any ready solutions to this problem?
The MCU related is STM32F427.
2022-03-11 07:01 AM
Yes, see https://www.st.com/en/embedded-software/x-cube-sbsfu.html
2022-03-11 08:16 AM
Depends on who you trust.
You could send pre-programmed and secure chips to your PCBA / contract manufacturer. This could be full, or partial, and then have your loader decrypt/program parts, or have a comms link to a secure site that could also sign against Unique ID, so you could track/lock per IC.
Distributors classically offer programming ICs as a value-add service.
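A sketch of the "sign against Unique ID" idea above, added here as an illustration and not taken from the post or from any ST tool. It assumes HMAC-SHA256 with a per-device key that was programmed into the chip at the trusted site; the post names no algorithm, and `ProvisioningSite`, `loader_accepts` and `demo` are hypothetical names.

```python
import hashlib
import hmac

UID_LEN = 12  # STM32 unique device ID is 96 bits


class ProvisioningSite:
    """Hypothetical secure-site service: issues one UID-bound token per IC."""

    def __init__(self, master_key, allowed_uids):
        self._master = master_key
        self._allowed = set(allowed_uids)
        self.issued = {}  # uid -> image digest, kept as the tracking record

    def device_key(self, uid):
        # Key diversification: each IC gets its own key, so extracting one
        # device's key does not expose the master key or other devices.
        return hmac.new(self._master, b"dev-key" + uid, hashlib.sha256).digest()

    def authorize(self, uid, image):
        if len(uid) != UID_LEN or uid not in self._allowed:
            raise PermissionError("unknown UID")
        if uid in self.issued:
            raise PermissionError("UID already provisioned")
        digest = hashlib.sha256(image).digest()
        self.issued[uid] = digest
        return hmac.new(self.device_key(uid), uid + digest, hashlib.sha256).digest()


def loader_accepts(dev_key, own_uid, image, token):
    """Check the pre-programmed loader would run before flashing the image."""
    digest = hashlib.sha256(image).digest()
    expected = hmac.new(dev_key, own_uid + digest, hashlib.sha256).digest()
    return hmac.compare_digest(expected, token)


def demo():
    # Constructed sample values, not real keys or device IDs.
    uid_a, uid_b = bytes(range(12)), bytes(range(12, 24))
    site = ProvisioningSite(b"\x11" * 32, {uid_a, uid_b})
    image = b"constructed firmware image"
    token = site.authorize(uid_a, image)
    return {
        "own_device": loader_accepts(site.device_key(uid_a), uid_a, image, token),
        "cloned_to_other_ic": loader_accepts(site.device_key(uid_b), uid_b, image, token),
        "tampered_image": loader_accepts(site.device_key(uid_a), uid_a, image + b"!", token),
    }
```

The token only verifies on the IC whose UID and diversified key it was issued for, and the site's `issued` record is what lets the owner track or refuse units.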
2022-03-11 12:08 PM
Thank you, I have checked it, but this seems to be a bootloader, which is able to securely update the firmware. The question here is a bit different: how to program the bootloader itself securely?
2022-03-11 12:26 PM
Well, I agree with you, programming the MCUs seems to be the most rational solution here, but sometimes it is not possible and we need to work completely remotely and allow the final customer to program the bootloader and firmware.
Today I found the following post: https://www.segger.com/products/debug-probes/j-link/tools/j-link-remote-server/. It explains a tunnel mode that allows connecting to a programmer over the internet; however, it does not explain how secure it is, meaning whether the owner of the PC/laptop with the programmer inserted can sniff the bootloader code.
I assume that there should be some solution for this field as MCUs are used in billions of devices worldwide. There should be some approach to make it work. If not - then this is an open field to make a new startup! =)
2022-03-11 01:25 PM
2022-03-12 03:41 AM
OK, I was thinking of making 2 bootloaders, where the start bootloader (given to the customer) will enable loading the encrypted main bootloader (which is able to load the firmware).
However, all of this also seems to be not secure, because once you know the start bootloader you can disassemble it and see how it decrypts the main bootloader, and after that you can see how the main bootloader decrypts the firmware...
Maybe you have some idea?
2022-03-12 09:18 AM
@Evgeniy Vasyliev ST definitely supports what you want.
But only on newer STM32 series and using the CubeProgrammer software.
Please read about "secure manufacturing" here: https://www.st.com/content/st_com/en/ecosystems/stm32trust.html
STM32F4 is very old. Not sure it supports the first-time secure install scenario.
If you figure out how to do secure 1st time install on old MCUs then sure, make a startup ;)