
Isolation in STM32 microcontrollers: STM32U5 and STM32H5 similarities and differences

STea
ST Employee

Summary

Protecting the firmware is a paramount concern in the design and deployment of embedded systems. STM32 microcontrollers, which are integral to countless applications, employ various mechanisms to safeguard against unauthorized access and tampering. In this article, we delve into the differences between the solutions offered on the STM32H5 series and the STM32U5 series, highlighting the nuances of hide protection (HDP) and readout protection (RDP).

Introduction

The RDP and HDP features are pivotal to the STM32Trust ecosystem, enhancing the security framework that encompasses the entire life cycle of STM32 devices. RDP plays a crucial role in ensuring the integrity and authenticity of firmware during secure boot and update processes, while also protecting software IP against unauthorized access. HDP contributes significantly to the isolation aspect, creating a barrier between trusted and nontrusted application segments, securing sensitive data storage, and also ensuring integrity and authenticity in the STM32H5 series. Together, these features underpin robust security measures such as secure manufacturing and device and application life cycle management. This reinforces STM32Trust's commitment to safeguarding applications against a wide array of security threats.

1. STM32U5 Series: product life cycle

RDP is a long-standing security feature in STM32 microcontrollers, providing several levels of protection.

When activated, it forbids any external access to the flash content, so it impacts mainly the debuggability of the MCU. 

In the STM32U5 series, the RDP feature is more evolved than in older series: it introduces keyed regression, which makes it more practical to use. With the introduction of TrustZone®, there is an additional transition level called RDP L0.5. The following sections explain the access permissions of each level and the possible transitions for the STM32U5 series.

1.1 Product state transition:

The STM32U5 defines product states based on RDP levels to ease the transition.

1.1.1 Without TrustZone® 

RDP Level 0

  • Open access: Full accessibility for development, testing, and debugging.

RDP Level 1

  • Flash protection: External access to the flash memory content is blocked.
  • Debug accessibility: RAM and CPU remain accessible via the debug port.
  • User flash updates: Allows flash content updates through user code execution.
  • Reversibility: The protection can be removed by triggering a mass erase.

RDP Level 2

  • Enhanced security: Disables the JTAG port to prevent debugging and external access.
  • User flash updates: Permits flash updates via user code.
  • Irreversibility: This protection level is permanent and can only be reversed with OEMKey2.

1.1.2 With TrustZone®

When TrustZone® is enabled, an additional level makes it possible to restrict access to the secure world while keeping the non-secure world accessible. This allows a product to be developed by different manufacturing contributors while ensuring a secure, non-accessible root.

RDP Level 0.5

RDP Level 0.5 applies to STM32 microcontrollers with TrustZone® enabled, securing the trusted domain while keeping the non-trusted domain accessible. This intermediate security state is reversible through a mass erase.

1.2 Product regression: RDP keyed regression 

The RDP mechanism offers keyed regression and reopening of the product through the provisioned OEM1 and OEM2 keys, which gives a level of flexibility during development while ensuring the security of the firmware and sensitive data.

The RDP mechanism is specific to the microcontroller's flash memory and does not extend to a system-on-chip (SoC) level. It offers a binary choice between unprotected (level 0) and protected states (level 1 and level 2), with the highest level being irreversible (unless keyed regression is used when the OEM2 key is provisioned), thus hindering certain post-deployment activities such as failure analysis.

2. Hide Protection (HDP) on STM32U5:

The embedded flash memory provides a feature to define a hidden zone that can be established within each bank's watermarked-secure area, with a granularity of 8-Kbyte sectors. This HDP zone can contain code, associated data, and keys, which can be concealed from access after the system boots up and remain hidden until the system is reset. The concept of this hide protection mechanism is illustrated in the figure below from RM0456.

Figure: Flash memory secure HDP area

2.1 Transition control 

When the HDPxEN and HDPx_ACCDIS bits (x = 1, 2) are set, data read, write, and instruction fetch on the area defined by the SECWMx_PSTRT and HDPx_PEND option bytes are denied until the next device reset.

Bank erase aborts when it contains a write-protected area (WRP or HDP area).
The HDP area can be resized by a secure application if the area is not hidden, and if RDP level ≠ 2.
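
The rules of section 2.1 as a small C model, added here as an illustration; it is not ST code and does not touch hardware registers. The struct and function names, the bank start address 0x0C000000, the page values, and the rule that an end page below the start page defines no area are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define HDP_PAGE_SIZE 0x2000u /* 8-Kbyte granularity stated in the article */
typedef enum { RDP_L0, RDP_L0_5, RDP_L1, RDP_L2 } rdp_level_t;

/* Hypothetical snapshot of the settings of one bank (x = 1 or 2). */
typedef struct {
    uint32_t bank_base;   /* assumption: address of page 0 of bank x */
    uint32_t secwm_pstrt; /* SECWMx_PSTRT: first page of the HDP area */
    uint32_t hdp_pend;    /* HDPx_PEND: last page of the HDP area */
    bool hdpen;           /* HDPxEN */
    bool accdis;          /* HDPx_ACCDIS: stays set until device reset */
    bool has_wrp;         /* bank also holds a WRP area */
} hdp_bank_t;

/* Assumption: an end page below the start page defines no HDP area. */
static bool hdp_defined(const hdp_bank_t *b) {
    return b->hdpen && b->hdp_pend >= b->secwm_pstrt;
}
static bool hdp_hidden(const hdp_bank_t *b) { return hdp_defined(b) && b->accdis; }

/* Read, write and instruction fetch are denied inside a hidden area. */
bool hdp_access_denied(const hdp_bank_t *b, uint32_t addr) {
    uint32_t first = b->bank_base + b->secwm_pstrt * HDP_PAGE_SIZE;
    uint32_t end = b->bank_base + (b->hdp_pend + 1u) * HDP_PAGE_SIZE;
    return hdp_hidden(b) && addr >= first && addr < end;
}

/* Bank erase aborts when the bank contains a WRP or HDP area. */
bool bank_erase_aborts(const hdp_bank_t *b) { return b->has_wrp || hdp_defined(b); }

/* Resize needs a secure caller, a non-hidden area and RDP level != 2. */
bool hdp_resize_allowed(const hdp_bank_t *b, bool secure, rdp_level_t rdp) {
    return secure && !hdp_hidden(b) && rdp != RDP_L2;
}

/* In this model, a device reset is what makes a hidden area visible again. */
void device_reset(hdp_bank_t *b) { b->accdis = false; }

int main(void) {
    /* Constructed values: pages 0..3 of a bank assumed to start at 0x0C000000. */
    hdp_bank_t b = { 0x0C000000u, 0, 3, true, true, false };
    printf("0x0C007FFF denied=%d 0x0C008000 denied=%d resize=%d\n",
           hdp_access_denied(&b, 0x0C007FFFu), hdp_access_denied(&b, 0x0C008000u),
           hdp_resize_allowed(&b, true, RDP_L1));
    return 0;
}
```

A model like this is useful for checking a planned option-byte layout on the host before programming a device, for example to confirm that boot-time keys fall inside the hidden pages and that application code does not.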

3. STM32H5 Series: Product life cycle mechanism

The STM32H5 series departs from the RDP mechanism in favor of a product life cycle approach to ensure the debuggability of the system according to the product state, which includes the following:

3.1 Product State Transitions 

Product state transitions can be divided into two cases depending on the availability of the TrustZone® isolation feature on the microcontroller. With TrustZone®, a dedicated state is added. This is explained in detail below.

3.1.1 Without TrustZone® 

  • Open State: The default state for development activities.
  • Provisioning: A new step where configuration is embedded into the device, including a password hash.
  • iROT-Provisioned: A state for when a secure boot is implemented.
  • Closed: Secures the flash content, with exit requiring password authentication.
  • Locked: A permanent state with no exit option, ensuring the highest level of security.

Figure: STM32H56x

3.1.2 With TrustZone®

  • Open State: The default state for development activities.
  • Provisioning: A new step where configuration is embedded into the device, including a password hash.
  • iROT-Provisioned: A state for when a secure boot is implemented.
  • TZ-Closed: A state where the trusted domain is secured, but the non-trusted domain is still accessible for programming, erase, and debugging.
  • Closed: Secures the flash content, with exit requiring password authentication.
  • Locked: A permanent state with no exit option, ensuring the highest level of security.

 

Figure: STM32H57x

3.2 Product regression: Debug authentication

Password presentation: Allows the customer to present a password via JTAG/SWD to return to the open state.

This new mechanism provides a nuanced and secure method for managing the device's security throughout its life cycle. The ability to lock and unlock states as needed is a key improvement over the legacy RDP feature of older families, in which mishandling the option bytes can lead to a dead-locked chip.

4. Hide Protection (HDP) on STM32H5: What's new?

In the STM32H5 series, HDP is extended with more defined levels, ensuring that the different boot stages are isolated from each other. The hardware and software resources used to boot can be isolated. This is called temporal isolation.

4.1 HDP features

The HDP approach and implementation on the STM32H5 series is different from the HDP feature found in the STM32U5 series. Here are the main features of HDP on the H5 series:

4.1.1 Granular control

  • Sector-level protection: HDP allows defining protected areas with sector granularity, offering precise control over which memory segments are secured.
  • Independent memory segments: Protection can be applied to areas independently of secure watermark areas, enabling a more customized security layout.

4.1.2 Enhanced security levels

Unlike RDP's binary approach, HDP offers three levels, each corresponding to different stages of the secure boot process and user accessibility.

  • Level 1: Reserved for the initial secure boot stage, not user-accessible.
  • Level 2: Utilized by subsequent secure boot stages, such as the updatable Root of Trust.
  • Level 3: The final security state, post-secure boot, locking down the firmware.

The STM32H5 series features five secure storage areas, alternatively known as option-byte Key (OBKeys) areas or secure key storage zones. These areas are versatile, suitable for housing not only keys but also any confidential data. Each area corresponds to a distinct level of temporal isolation, denoted as HDPL. Users have the option to encrypt the data stored within these areas, although this feature is exclusive to the STM32H533 and STM32H573 models. For the STM32H523 and STM32H56x models, encryption details are provided in a specific chapter on secure storage for non-crypto parts.

Below is an overview of the secure storage areas and their attributes:

  • HDPL0 (256 bytes): Permanently allocated to STMicroelectronics and never erased.
  • HDPL1 (2048 bytes): Designated for initial Root of Trust (iRoT) keys, erasable through regression.
  • HDPL2 (768 bytes): For secondary Root of Trust (uRoT), Operating System (OS), or secure applications, also erasable through regression.
  • HDPL3S (3072 bytes): Reserved for secure application keys, subject to erasure via regression.
  • HDPL3NS (2032 bytes): Allocated for non-secure application keys, erasable through non-secure regression (NS-Regression).

It is important to note that a full regression process erases all secure storage areas except for HDPL0, which is exclusively reserved by STMicroelectronics and remains intact. A partial regression, or NS-Regression, only erases the non-secure storage at HDPL3NS. Furthermore, in the event of tamper detection, the Device Hardware Unique Keys (DHUKs) become inoperative until the next reset. If the secure storages' contents are encrypted, they will be inaccessible after a tamper event, although not erased. The appropriate response to a tamper event should be executed via the interrupt handler.

4.1.3 Dynamic configuration

  • Monotonic counter: Prevents downgrading of protection levels without a proper system reset, ensuring a one-way progression towards increased security.
  • Volatile settings: Some HDP settings are volatile and must be reconfigured upon each boot, offering temporary protection adjustments as needed.

4.1.4 Transition control

  • Callable functions: Accessible parts of the system flash memory contain functions that facilitate transitions between HDP levels.
  • Register thresholds: A register value defines the threshold between HDPL2 and the final HDPL3, which is volatile and offers dual protection against unauthorized changes.

 

4.2 HDP based secure boot

The temporal isolation provided by the HDP feature is the pillar of the boot mechanism on the STM32H5 series. Each HDP level can be associated with one of the boot stages, as depicted in the figure below.

Conclusion

The STM32U5 and STM32H5 series showcase the evolution of security through the integration of RDP and HDP, tailored to support the product life cycle. The STM32U5 series combines RDP with HDP to offer a robust, dual-layer protection throughout the product's life cycle. Meanwhile, the STM32H5 series introduces a product state-driven HDP mechanism, enhancing flexibility and control over firmware security. These developments reflect a commitment to providing advanced security solutions that cater to the dynamic needs of product development and deployment.

Related links

Reference manual: STM32H503 line Arm®-based 32-bit MCUs

Reference manual: STM32H523/33xx, STM32H562/63xx, and STM32H573xx Arm®-based 32-bit MCUs

Reference manual: STM32U5 Series Arm®-based 32-bit MCUs

ST Wiki: Secure boot for STM32H5

Online training: STM32H5 

Online training: STM32U5

 

Last update: 2024-05-23 03:14 AM