STM32H562 reading OBK in nonsecure application with TrustZone enabled

PieterG
Associate III

I am having trouble getting OBK data reading to work on the STM32H562 / H563 (which do not support secure storage because they lack hardware crypto support).

My plan is to store keys in the OBK area, (encrypted with some storage key of my own) and use HDPL to make sure the application cannot access the bootloader keys.

I am not really using the TrustZone, but I need to enable it in order to get HDPL support.

So my secure application is very small: it configures nonsecure access for GPIOs, most of the flash (apart from the area where the secure application resides), and all IRQs, then it jumps to my nonsecure bootloader.

When I have TrustZone disabled, I can write and read OBK data like expected.

As soon as I enable TrustZone, I can no longer read OBK data in my nonsecure bootloader or application, instead I'm reading all zeros.

The HDP level matches the area I'm trying to read.

But to be sure I'm trying to read all HDP areas, just in case I'm in an unexpected level.


I expect that OBK writing will not work from nonsecure context, because the FLASH_NSOBKCFGR register is only available when TZ_STATE = 0xC3.

But shouldn't OBK reading work?

Perhaps I am overlooking how to configure OBK to be used from nonsecure context?
I did not find any settings to do so.

Accepted solution
Jocelyn RICARD
ST Employee

Hello @PieterG ,

First, if you need encryption of your secure storage, why not use the STM32H573?

Besides, you don't need TrustZone to be enabled to use HDP levels (or I missed something).

Now, if you enable TrustZone, OBKeys are no longer accessible from non-secure (even the OBK HDPL3 non-secure zone).

To access OBKeys you have to create dedicated secure services.

Best regards

Jocelyn



Thank you for your response Jocelyn.


We cannot use the STM32H573 in this product because of its considerably higher BOM price.

TrustZone is probably not required to have HDP level OBK protection, but it is for flash sector HDP protection:

[attached screenshot: PieterG_0-1732558369255.png]

I would prefer not to have to enable TrustZone, but we really need to be able to hide a piece of (bootloader config) flash from the application. That's why we are using this setup with a minimal secure application.


So unfortunately, I understand that having TrustZone enabled means we cannot access the OBK anymore. I'll consider the following options:

- No longer enable TrustZone; instead hide the bootloader config flash page by encrypting it with a key in OBK area HDPL1, so the application has no way to read it (though it can still erase, modify or otherwise corrupt it)

- Provide OBK data through a secure service
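A sketch of the second option, a secure service that hands an OBK key to the non-secure bootloader, added here as an example; it is not code from this thread or from ST. The OBK slot base, the slot layout and the HDP level at which the slot is readable are assumptions the reader must take from the STM32H5 reference manual; the Armv8-M path uses the CMSE intrinsics, and a host build with a constructed OBK image and constructed non-secure SRAM window is provided so the pointer check can be exercised off-target.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define OBK_KEY_SIZE  32u   /* one 256-bit key per exported slot (assumption) */
#define OBK_KEY_SLOTS 4u    /* slots the service is willing to hand out (assumption) */

enum { OBK_OK = 0, OBK_ERR_SLOT = -1, OBK_ERR_PTR = -2 };

#if defined(__ARM_FEATURE_CMSE) && (__ARM_FEATURE_CMSE & 2)
#include <arm_cmse.h>
#define NSC_ENTRY __attribute__((cmse_nonsecure_entry))
/* Placeholder: pass -DOBK_SLOT_BASE=<OBK area readable at the current HDPL, from the RM>. */
#else
#define NSC_ENTRY
/* Host build: constructed OBK image plus a constructed non-secure SRAM window. */
static const uint8_t obk_image[OBK_KEY_SLOTS * OBK_KEY_SIZE] =
    { [0] = 0xA5, [31] = 0x5A, [32] = 0x01, [63] = 0x02 };
#define OBK_SLOT_BASE obk_image
uint8_t ns_sram[256];                  /* stands in for non-secure SRAM */
uint8_t secure_scratch[OBK_KEY_SIZE];  /* stands in for secure-only RAM */
#endif

/* True only if [p, p+len) lies entirely in non-secure, writable memory. */
static int caller_may_write(uint8_t *p, size_t len)
{
#if defined(__ARM_FEATURE_CMSE) && (__ARM_FEATURE_CMSE & 2)
    /* SAU/IDAU and MPU check; NULL means some part of the range is secure. */
    return cmse_check_address_range(p, len, CMSE_NONSECURE | CMSE_MPU_READWRITE) != NULL;
#else
    uintptr_t lo = (uintptr_t)ns_sram, hi = lo + sizeof ns_sram, q = (uintptr_t)p;
    return len <= hi - lo && q >= lo && q <= hi - len;
#endif
}

/* Non-secure-callable service: copy key `slot` into a buffer the caller owns. */
NSC_ENTRY int obk_read_key(uint32_t slot, uint8_t *dst, size_t len)
{
    if (slot >= OBK_KEY_SLOTS || len != OBK_KEY_SIZE)
        return OBK_ERR_SLOT;
    if (dst == NULL || !caller_may_write(dst, len))
        return OBK_ERR_PTR;  /* never let NS code steer a secure write into secure memory */
    memcpy(dst, OBK_SLOT_BASE + (size_t)slot * OBK_KEY_SIZE, OBK_KEY_SIZE);
    return OBK_OK;
}
```

The pointer check is the part that matters: without it, the non-secure caller could pass a secure address and have the secure side overwrite its own RAM on the caller's behalf.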