
What will be the rough estimate to implement SBSFU complete solution on STM32H753 MCU..?? Also, can you please let me know the right point of contact to know about SBSFU solution details for STM32H753 .??

SPati.7
Associate III
 
Accepted Solutions

Hi @SPati.7​ ,

For WolfSSL, you can check with them if they provide training on this feature.

For MbedTLS, I don't have training at the moment.

I can provide you this structure to overload Mbedtls mbedtls_pk_info_t :

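static const mbedtls_pk_info_t mbedtls_stsafe_info = {
  MBEDTLS_PK_ECDSA,          /* type */
  "ECDSA-STSAFE-A110",       /* name */
  stsafea_get_bitlen,        /* get_bitlen */
  stsafea_can_do,            /* can_do */
#if defined(MBEDTLS_ECDSA_C)
  NULL,                      /* verify_func */
  stsafea_sign_wrap,         /* sign_func: signing is delegated to the STSAFE-A110 */
#if defined(MBEDTLS_ECP_RESTARTABLE)
  NULL,                      /* verify_rs_func */
  NULL,                      /* sign_rs_func */
#endif
#else /* MBEDTLS_ECDSA_C */
  NULL,                      /* verify_func */
  NULL,                      /* sign_func */
#endif /* MBEDTLS_ECDSA_C */
  NULL,                      /* decrypt_func */
  NULL,                      /* encrypt_func */
  NULL,                      /* check_pair_func */
  NULL,                      /* ctx_alloc_func */
  NULL,                      /* ctx_free_func */
#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
  NULL,                      /* rs_alloc_func */
  NULL,                      /* rs_free_func */
#endif
  NULL,                      /* debug_func */
};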

Here you have the minimal functions to implement in the STSAFE-A wrapper.

Then, to use it in a TLS context, you have to provide a private key to the SSL context. You can create the private key with the following code:

mbedtls_pk_context pk;
mbedtls_pk_init(&pk);
/* pk is a struct, not a pointer, so '.' is used to attach the STSAFE-A110 pk_info */
pk.pk_info = &mbedtls_stsafe_info;

I will try to compile everything in a wiki article, but not in the near future.

Regarding the personalization of the STSAFE-A product, you have to contact your local ST support to discuss this topic.

If you are in the EMEA region, I'm your entry point; otherwise you will need to contact your local ST support.

Best Regards,

Benjamin

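Added example, not part of the post above and not ST's or Mbed TLS's code: a sign wrapper such as `stsafea_sign_wrap` has to hand back the signature in the ASN.1 DER form (`SEQUENCE { INTEGER r, INTEGER s }`) that the Mbed TLS pk layer produces for ECDSA. The C code below does that conversion under the assumption that the secure element returns R and S as raw fixed-length big-endian values; the function names and sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Write one unsigned big-endian value as a DER INTEGER; returns bytes written, 0 on error. */
static size_t der_put_uint(const uint8_t *v, size_t n, uint8_t *out, size_t cap)
{
    if (n == 0) return 0;
    while (n > 1 && v[0] == 0) { v++; n--; }   /* DER wants the minimal encoding */
    size_t pad = (v[0] & 0x80) ? 1 : 0;        /* leading 0x00 keeps the value positive */
    size_t len = n + pad;
    if (len > 127 || cap < 2 + len) return 0;  /* short-form length only */
    out[0] = 0x02;                             /* INTEGER tag */
    out[1] = (uint8_t)len;
    if (pad) out[2] = 0x00;
    memcpy(out + 2 + pad, v, n);
    return 2 + len;
}

/* Hypothetical helper: raw R and S (n bytes each) -> SEQUENCE { INTEGER r, INTEGER s }.
   Returns 0 on success, -1 on bad input or a too-small output buffer. */
int raw_ecdsa_to_der(const uint8_t *r, const uint8_t *s, size_t n,
                     uint8_t *sig, size_t cap, size_t *sig_len)
{
    uint8_t body[2 * (2 + 1 + 48)];            /* two INTEGERs, curves up to 384 bits */
    if (n == 0 || n > 48) return -1;
    size_t rl = der_put_uint(r, n, body, sizeof body);
    if (rl == 0) return -1;
    size_t sl = der_put_uint(s, n, body + rl, sizeof body - rl);
    if (sl == 0) return -1;
    size_t total = rl + sl;                    /* at most 102, so one length byte */
    if (cap < 2 + total) return -1;
    sig[0] = 0x30;                             /* SEQUENCE tag */
    sig[1] = (uint8_t)total;
    memcpy(sig + 2, body, total);
    *sig_len = 2 + total;
    return 0;
}

int main(void)
{
    uint8_t r[32] = {0x80}, s[32] = {0x00, 0x7f};  /* constructed sample values */
    uint8_t sig[72];
    size_t len = 0;
    if (raw_ecdsa_to_der(r, s, 32, sig, sizeof sig, &len) != 0) return 1;
    printf("DER signature length: %zu\n", len);
    return 0;
}
```

The two edge cases that break TLS handshakes when missed are both covered: a high bit in the first byte needs a `0x00` prefix, and leading zero bytes must be stripped.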

18 REPLIES
Jocelyn RICARD
ST Employee

Hello @SPati.7​ ,

I'm not sure I understand your question.

The SBSFU package supports this device.

Documentation is provided on st.com at the same location as the package, that is:

https://www.st.com/en/embedded-software/x-cube-sbsfu.html

Please let me know if you need more information

Best regards

Jocelyn

Hello Jocelyn,

Thanks for your quick reply.

This is specific to the STM32H753 series of MCU. I have some specific questions related to Cyber Security implementation as mentioned below. Can you please help with these ..??

  • SBSFU solution offered by STM, is acceptable by FDA (FIPS compliant)
  • If we use Certificate, then What is Certificate Storage Mechanism?
  • Is Secure Boot implemented with Memory Protection or Cryptography ...??
  • Support for TLS1.3 (mbedTLS / WolfSSL) in terms of certificate store ...??
  • How STM share certificate details with OEM, in case of STSAFE-A110 solution …??
  • Any Software (Encryption SW) Purchase License details …??

Jocelyn RICARD
ST Employee

Hello @SPati.7​ 

  • SBSFU solution offered by STM, is acceptable by FDA (FIPS compliant)

SBSFU is using FIPS CAVP certified crypto library

https://www.st.com/resource/en/product_presentation/fips_cavp_certification.pdf

  • If we use Certificate, then What is Certificate Storage Mechanism?

Certificate is only managed on STM32L4 families taking advantage of firewall isolation mechanism.

On STM32H753, you can use the secure memory to store a certificate that will be used only for authenticating the firmware. This secure memory is locked (inaccessible) once jumping to the application.

Now, as I said we don't provide such setup on STM32H7 in SBSFU examples.

  • Is Secure Boot implemented with Memory Protection or Cryptography ...??

Yes, the SBSFU isolates the keys and cryptography operation using ARM Cortex-M7 memory protection unit (MPU) on STM32H753.

SBSFU uses a Secure Engine framework to implement this.

  • Support for TLS1.3 (mbedTLS / WolfSSL) in terms of certificate store ...??

SBSFU is 'only' a secure boot. Again, on STM32L4 we provide secure storage mechanism using firewall isolation. But on STM32H753 we don't provide such mechanism.

  • How STM share certificate details with OEM, in case of STSAFE-A110 solution …??

STSAFE is the solution for secure storage in the case of H753.

To answer your question I ask my colleague @Benjamin BARATTE​ 

  • Any Software (Encryption SW) Purchase License details …??

No purchase needed. Regarding license information please read x-cube-cryptolib user manual UM1924 available on st.com

Best regards

Jocelyn

Thank You Very Much … Jocelyn..!!

Basically we are interested in Secure Boot & Secure Firmware Update solution, I got clear understanding on how SBSFU implementation works. I see key sharing and storage as part of Secure Boot itself, it means it is using Flash as storage for the same with write protections right ..??

In case of H753, as we have secure user memory (again Flash), are we going to store keys (Public Key for SB & Symmetric Key in case of Encrypted FW) in this location ..?? or as part of SB, will keep it..??

With above SBSFU, we can implement solution without much need of separate Secure Storage as I understood.

But we have requirement for Secure Storage as well, in case of TLS based communication (Certificate Storage) and Configuration Data (Storage). Do you think only STSAFE-A110 is the solution we have along with SBSFU ..??

Or are there any other alternatives we have ..?? Because I see maximum storage is 6KB in STSAFE-A110, which is very less compared with our certificates (usually range of 1 KB to 2 KB).

Final Question, Do you have any idea on complete solution (SBSFU+TLS+SECSTORAGE) work estimate in terms of man weeks..??

Hello @Jocelyn RICARD​  Can you Please reply to my questions mentioned above ..??

Jocelyn RICARD
ST Employee

Hello @SPati.7​ ,

Let me copy your questions and answer them one by one.

Basically we are interested in Secure Boot & Secure Firmware Update solution, I got clear understanding on how SBSFU implementation works. I see key sharing and storage as part of Secure Boot itself, it means it is using Flash as storage for the same with write protections right ..??

In case of H753, as we have secure user memory (again Flash), are we going to store keys (Public Key for SB & Symmetric Key in case of Encrypted FW) in this location ..?? or as part of SB, will keep it..??

A: Yes, public key for authentication and symmetric key for FW decryption are stored together with the secure boot. All secure boot is write protected, and isolated in secure memory.

With above SBSFU, we can implement solution without much need of separate Secure Storage as I understood.

A: I don't catch your point. As I said in previous post, STM32H7 does not offer secure storage capability. Now, SBSFU keys are securely stored for sure.

But we have requirement for Secure Storage as well, in case of TLS based communication (Certificate Storage) and Configuration Data (Storage). Do you think only STSAFE-A110 is the solution we have along with SBSFU ..??

A: You can have an application implementing a secure operating system using MPU for isolation. This could be an alternative. Now we don't propose such solution.

Or are there any other alternatives we have ..?? Because I see maximum storage is 6KB in STSAFE-A110, which is very less compared with our certificates (usually range of 1 KB to 2 KB).

A: STSAFE-A110 is typically used for IOT devices. So, no storage issue for credentials. For other data, you can store them encrypted in flash, and store the associated key in the STSAFE.

Final Question, Do you have any idea on complete solution (SBSFU+TLS+SECSTORAGE) work estimate in terms of man weeks..??

A: I cannot answer this question. Now, you can have a look at the X-CUBE-AWS that implements SBSFU + AWS cloud connectivity on a STM32H755 (the dual core feature is not really used, so can be easily adapted to H753) as a starting point.

Best regards

Jocelyn

@Jocelyn RICARD​  Thanks for your time in replying to my questions.

As you said, we are planning to use STSAFE-A110 to store certificate details, for encrypted communication like TLS.

Can you please share more info on STSAFE-A110 implementation details with STM32H753 ..??

Final Question: We plan to use SBSFU solution for Secure Boot & Secure Firmware Update of H753. STSAFE-A110 & H753 combination, want to use it for TLS based communication.

Is that approach fine enough ..??

Hi @SPati.7​ 

For STM32H7, the SBSFU does not support STSAFE-A110.

Therefore you must add it in your application.

In that case, you need to integrate it in your TLS stack.

Which TLS stack did you use for your project ?

Thanks,

Best Regards,

Benjamin

Exactly @Benjamin BARATTE​  We don't want to use STSAFE-A110 with SBSFU solution.

SBSFU solution alone use it for Secure Boot. This is possible right ..??

From Application, we want to integrate STSAFE-A110 for TLS.

As of now, we are looking for WolfSSL and mbedTLS kind of stack .. Any suggestions from your side .??