What will be the rough estimate to implement SBSFU complete solution on STM32H753 MCU..?? Also, can you please let me know the right point of contact to know about SBSFU solution details for STM32H753 .??

Hello @SPati.7​ 

• SBSFU solution offered by STM, is acceptable by FDA (FIPS complaint)

SBSFU is using FIPS CAVP certified crypto library

https://www.st.com/resource/en/product_presentation/fips_cavp_certification.pdf

• If we use Certificate, then What is Certificate Storage Mechanism?

Certificate is only managed on STM32L4 families taking advantage of firewall isolation mechanism.

On STM32H753, you can use the secure memory to store a certificate that will be used only for authenticating the firmware. This secure memory is locked (unaccessible) once jumping on application.

Now, as I said we don't provide such setup on STM32H7 in SBSFU examples.

• Is Secure Boot implemented with Memory Protection or Cryptography ...??

Yes, the SBSFU isolates the keys and cryptography operation using ARM Cortex-M7 memory protection unit (MPU) on STM32H753.

SBSFU uses a Secure Engine framework to implement this.

• Support for TLS1.3 (mbedTLS / WolfSSL) in terms of certificate store ...??

SBSFU is 'only' a secure boot. Again, on STM32L4 we provide secure storage mechanism using firewall isolation. But on STM32H753 we don't provide such mechanism.

• How STM share certificate details with OEM, in case of STSAFE-A110 solution …??

STSAFE is the solution for secure storage in case H753.

To answer your question I ask my colleague @Benjamin BARATTE​ 

• Any Software (Encryption SW) Purchase License details …??

No purchase needed. Regarding license information please read x-cube-cryptolib user manual UM1924 available on st.com

Best regards

Jocelyn

Hello @SPati.7​ ,

Let me copy your questions and answer them one by one.

Basically we are interested in Secure Boot & Secure Firmware Update solution, i got clear understanding on how SBSFU implementation works. I see key sharing and storage as part of Secure Boot it self, it means it is using Flash as storage for the same with write protections right ..??

In case of H753, as we have secure user memory (again Flash), are we going to store keys (Public Key for SB & Symmetric Key in case of Encrypted FW) in this location ..?? or as part of SB, will keep it..??

A: Yes, public key for authentication and symmetric key for FW decryption are stored together with the secure boot. All secure boot is write protected, and isolated in secure memory.

with above SBSFU, we can implement solution without much need of separate Secure Storage as i understood.

A: I don't catch your point. As I said in previous post, STM32H7 does not offer secure storage capability. Now, SBSFU keys are securely stored for sure.

But we have requirement for Secure Storage as well, in case of TLS based communication (Certificate Storage) and Configuration Data (Storage). Do you think only STSAFE-A110 is the solution we have along with SBSFU ..??

A: You can have an application implementing a secure operating system using MPU for isolation. This could be an alternative. Now we don't propose such solution.

or is there any other alternatives we have ..?? Bcoz i see maximum storage is 6KB in STSAFE-A110, which is very less compared with our certificates( usually range of 1 KB to 2 KB).

A: STSAFE-A110 is typically used for IOT devices. So, no storage issue for credentials. For other data, you can store them encrypted in flash, and store the associated key in the STSAFE.

Final Question, Do you have any idea on complete solution (SBSFU+TLS+SECSTORAGE) work estimate in terms of man weeks..??

A: I cannot answer this question. Now, you can have a look to the X-CUBE-AWS that implements SBSFU + AWS cloud connectivity on a STM32H755 (the dual core feature is not really used, so can be easily adapted to H753) as a starting point.

Best regards

Jocelyn