FAQs
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

STM32L476 OTP area security policy question

Go to solution
Venkatesh-8559
Associate II

‎2026-02-22 11:17 PM - last edited on ‎2026-02-22 11:26 PM by

Hello,
I am working with the STM32L476 and would like some clarification regarding the One-Time Programmable (OTP) area.
From the reference manual, I understand that STM32L4 devices provide 1 KB of user OTP memory (128 double words). I would like to better understand the following:
What exactly is stored in the OTP area?


Is the OTP region purely user-programmable, or does ST also store factory calibration or security-related data in this region?


Is OTP used internally by the MCU for enforcing Flash security mechanisms such as RDP, WRP, or PCROP, or is it strictly for user data?


How is OTP protected ?


I am trying to understand the architectural role of OTP in relation to Flash protection and secure boot mechanisms.
Thank you.

Labels:
0 Kudos
1 ACCEPTED SOLUTION

Accepted Solutions
Go to solution
mƎALLEm
ST Employee
In response to Venkatesh-8559

‎2026-02-24 3:02 AM

Hello,

Getting back to you regarding this question.

In fact the RDP1 prevents the OTP reading unless the device correctly boots from internal flash. It's not possible to read it out using debug interface. But it remains accessible to user code whatever RDP is set.

PS: which is not the case of G0 products (the thread I have referred above)

Hope that answers your question

To give better visibility on the answered topics, please click on "Accept as Solution" on the reply which solved your issue or answered your question.

View solution in original post

0 Kudos
6 REPLIES 6
Go to solution
mƎALLEm
ST Employee

‎2026-02-23 12:07 AM - edited ‎2026-02-24 3:03 AM

Hello @Venkatesh-8559 and welcome to the ST community,

The OTP area in STM32L476 is a dedicated, user-accessible section of flash for storing immutable data.
It is not used by ST for factory data. Once programmed, OTP data cannot be changed or erased, but it can be read. OTP area can't be read when RDP (Readout Protection) is activated according to the reference manual:

RDP.png

But I need to check internally if that is a typo or not! I will get you back for the right answer. (I'm referring to this thread). internal ticket for follow-up: 227713

Hope that answers your question.

To give better visibility on the answered topics, please click on "Accept as Solution" on the reply which solved your issue or answered your question.
0 Kudos
Go to solution
Venkatesh-8559
Associate II
In response to mƎALLEm

‎2026-02-23 1:23 AM

hello @mƎALLEm , OTP area can't be read when RDP (Readout Protection) is activated  is only when booting is from RAM/boot from loader/ or if a debug is detected . but if booting is from flash then we can read OTP area even if RDP is Activated right ??

Go to solution
mƎALLEm
ST Employee
In response to Venkatesh-8559

‎2026-02-23 1:45 AM - edited ‎2026-02-23 1:46 AM

Of course it could be read from the application from the flash otherwise it doesn't have sense.

But need to confirm if the table states the correct policy. I have a doubt the OPT can't be protected by RDP level 1.

I'm waiting a confirmation from an internal expert.

To give better visibility on the answered topics, please click on "Accept as Solution" on the reply which solved your issue or answered your question.
0 Kudos
Go to solution
mƎALLEm
ST Employee
In response to Venkatesh-8559

‎2026-02-24 3:02 AM

Hello,

Getting back to you regarding this question.

In fact the RDP1 prevents the OTP reading unless the device correctly boots from internal flash. It's not possible to read it out using debug interface. But it remains accessible to user code whatever RDP is set.

PS: which is not the case of G0 products (the thread I have referred above)

Hope that answers your question

To give better visibility on the answered topics, please click on "Accept as Solution" on the reply which solved your issue or answered your question.
0 Kudos
Go to solution
Venkatesh-8559
Associate II
In response to mƎALLEm

‎2026-02-24 6:44 AM

hello @mƎALLEm ,

Thank you for your clarity and one more thing, i need one more clarification on STM32 option byte programming.

When we write new values to FLASH_OPTR and other option registers:

Where are these FLASH option registers physically located?
Are they inside the FLASH peripheral ? When OPTSTRT is set, does the CPU erase/program the option byte pages, or does the FLASH controller hardware automatically erase the option byte Flash area and program it using the values in the FLASH option registers?

I want to clearly understand how the values are getting placed among Option byte Flash memory, FLASH option registers when i changed in stm32CubeProgrammer ? 

 

 

0 Kudos
Go to solution
mƎALLEm
ST Employee
In response to Venkatesh-8559

‎2026-02-24 8:39 AM - edited ‎2026-02-24 8:39 AM

Hello,

In this community: new question = new thread/post.

Thank you for your understanding.

To give better visibility on the answered topics, please click on "Accept as Solution" on the reply which solved your issue or answered your question.
0 Kudos
Top