2025-01-29 12:11 AM
Hi,
Our product proposal to a client has at the root of its security an STM32H533 running our OEM Bootloader and Secure Application only. The Product State will be either Closed or Locked (as yet undecided) and we will be storing encryption keys used to verify the integrity of other parts of the whole system in the OBKey area with HUK encryption enabled.
The client has a very competent security team who will be attempting to break our security measures to highlight any vulnerabilities. Before we've delivered any hardware to them, they've already started some research. They are not familiar/experienced with STM32 micro-controllers. They discovered an article where the researchers have been able to reliably corrupt the value returned when the RDP level is checked during a debug session on an STM32Lxx micro-controller. This attack allows requests to read memory from the device with RDP level 1 active.
The article contains the rather frustrating conclusion that "...the STM32 series of microcontrollers must be seen as insecure...".
We are aware that the STM32H533 does not contain the same RDP security system; instead, it uses the Product State, which does not even allow an unauthenticated debug connection once the Product State is Provisioned or above.
Having said that, we don't know what the behind-the-scenes mechanisms are that prevent the debug connection; it seems feasible to us that the Product State has to be accessed by the micro-controller at some point and that a similar voltage glitching attack might be able to corrupt the value in a manner beneficial to an attacker.
What can we tell our client - other than "the read-back protection is more advanced" - to convince them that the STM32H533 is not vulnerable to voltage glitching attacks?
Best regards,
Michael Waites
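An added example, not code from the original post and not ST's own implementation: it shows the software-side pattern an OEM bootloader can use when it acts on a security state (an RDP level, a Product State, or a key-usage flag), so that a single corrupted read of the kind the glitching paper describes cannot by itself turn "locked" into "open". The magic constants, the `read_state_sample` stand-in for a hardware read, and the sample read sequences are all constructed for the example; it says nothing about how the STM32H533 silicon itself checks the Product State.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not code from the original post or from ST.
 * Pattern:
 *   - the "open" state is a wide magic word, not a 0/1 flag;
 *   - the "locked" magic is its bitwise complement, so the two differ in all 32 bits;
 *   - the value is read several times and every read must match;
 *   - anything else (0, all-ones, partial match) is treated as locked.
 * The magic values and the sample arrays below are constructed for this example. */

#define STATE_OPEN_MAGIC   0x5A3CC3A5u
#define STATE_LOCKED_MAGIC 0xA5C33C5Au   /* == ~STATE_OPEN_MAGIC */

/* Number of set bits; used to show how far apart the two encodings are. */
unsigned popcount32(uint32_t v)
{
    unsigned c = 0;
    for (; v; v >>= 1) c += v & 1u;
    return c;
}

/* Hamming distance between the two state encodings (32 for the values above). */
unsigned state_hamming_distance(void)
{
    return popcount32(STATE_OPEN_MAGIC ^ STATE_LOCKED_MAGIC);
}

/* Stand-in for repeated hardware reads of a state register or option byte.
 * Here the reads come from a constructed array so corrupted samples can be
 * injected deterministically. */
static uint32_t read_state_sample(const uint32_t *samples, size_t i)
{
    return samples[i];
}

/* Returns true only if all n reads equal STATE_OPEN_MAGIC.
 * XOR differences are OR-accumulated instead of early-exiting, so the decision
 * depends on every read and the loop shape does not change with the data.
 * A second, independently computed pass guards against a single skipped compare.
 * The default result is "not allowed". */
bool debug_allowed(const uint32_t *samples, size_t n)
{
    if (n == 0) return false;

    uint32_t diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= read_state_sample(samples, i) ^ STATE_OPEN_MAGIC;

    uint32_t diff2 = 0;
    for (size_t i = n; i-- > 0; )
        diff2 |= read_state_sample(samples, i) ^ STATE_OPEN_MAGIC;

    return (diff == 0) && (diff2 == 0);
}

/* Constructed read sequences for the demonstration. */
const uint32_t SAMPLES_OPEN[3]       = { STATE_OPEN_MAGIC, STATE_OPEN_MAGIC, STATE_OPEN_MAGIC };
const uint32_t SAMPLES_LOCKED[3]     = { STATE_LOCKED_MAGIC, STATE_LOCKED_MAGIC, STATE_LOCKED_MAGIC };
const uint32_t SAMPLES_ONE_GLITCH[3] = { STATE_OPEN_MAGIC, 0x00000000u, STATE_OPEN_MAGIC };
const uint32_t SAMPLES_ALL_ONES[3]   = { 0xFFFFFFFFu, 0xFFFFFFFFu, 0xFFFFFFFFu };

int main(void)
{
    printf("hamming distance open/locked: %u\n", state_hamming_distance());
    printf("all open     -> %d\n", debug_allowed(SAMPLES_OPEN, 3));
    printf("all locked   -> %d\n", debug_allowed(SAMPLES_LOCKED, 3));
    printf("one glitched -> %d\n", debug_allowed(SAMPLES_ONE_GLITCH, 3));
    printf("all ones     -> %d\n", debug_allowed(SAMPLES_ALL_ONES, 3));
    return 0;
}
```

The point of the pattern is that the values a fault is most likely to produce (all-zero, all-one, or one flipped bit) are far from the single encoding that unlocks anything, and that no single comparison or read is decisive on its own; it complements, rather than replaces, the hardware-level protection the certification covers.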
2025-01-29 02:12 AM
Hello @MichaelWaites ,
The STM32H533 is in the same family as the STM32H573, which is certified SESIP Level 3 and PSA Level 3, including board-level attack resistance.
You can check certificates here for SESIP-2300042-01 and here for PSA Certified
There is no specific certification for the STM32H533 because it is a derivative of the STM32H573 and provides the same level of protection.
Best regards
Jocelyn