Is VBAT needed for secure boot?

CharlesBlanchard
Associate III

Hello,

In the wiki I have found these lines:

5.3 Non-volatile counters

Each certificate embeds a non-volatile counter value that is checked to control anti-rollback mechanism.

There are two non-volatile counters:
- Trusted non-volatile counter
- Non trusted volatile counter

On STM32MP1, TAMP monotonic counter is used to store the backup value, which requires backup battery to maintain the content. It is mandatory to align the same value between trusted and non-trusted value as only one counter is used as reference.

Source: https://wiki.st.com/stm32mpu/wiki/TF-A_BL2_Trusted_Board_Boot#Non-volatile_counters

I'm afraid we are implementing secure boot, but we are not planning to use a battery. VBAT won't be maintained when the board is off, and so the content won't be maintained.

Instead, we connected VBAT to 3V3 and we added a 100nF decoupling capacitor.

What is the impact on the secure boot? Would it be working in that case, even if TAMP is not powered?

Thanks,

Best regards,

Charles

1 ACCEPTED SOLUTION

PatrickF
ST Employee

Hi @Community member

An explanation has already been given directly to you by local support, but for the benefit of the community, I write the answer below with some additional information:

Without VBAT on the platform, the anti-rollback mechanism is not usable. The TAMP_COUNT is always reset to 0, so an older release can be used for booting.

It does not prevent secure booting; this will not be an issue.

Note that if needed, the anti-rollback could be enforced by using custom lower OTPs (e.g. 1 bit fused for each major version) and associated TF-A custom management or any suitable mechanism to fit your security.

Regards.

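The fuse-per-version idea from the accepted answer, as an added example that is not part of the original post and is not ST's or TF-A's code: a one-bit-per-version counter in simulated OTP, compared with a simulated TAMP_COUNT that returns to 0 when VBAT is lost. The OTP word count, all function names and the two simulation variables are assumptions; a real port would read and program fuses through the platform's OTP driver.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define OTP_WORDS 2u /* assumption: two spare lower OTP words, 64 versions */
static uint32_t otp_sim[OTP_WORDS]; /* simulated fuses (constructed) */
static unsigned tamp_sim;           /* simulated TAMP_COUNT, lost when VBAT drops */

/* Counter value = number of blown fuses (one bit per version). */
unsigned otp_ctr_get(void)
{
    unsigned n = 0;
    for (unsigned w = 0; w < OTP_WORDS; w++)
        for (uint32_t v = otp_sim[w]; v != 0; v &= v - 1)
            n++;
    return n;
}

/* Blow fuses 0..target-1. Fuses only go 0 -> 1, so the value can never drop. */
int otp_ctr_set(unsigned target)
{
    if (target > OTP_WORDS * 32u || target < otp_ctr_get())
        return -1;
    for (unsigned i = 0; i < target; i++)
        otp_sim[i / 32u] |= UINT32_C(1) << (i % 32u);
    return 0;
}

unsigned tamp_ctr_get(void) { return tamp_sim; }
int tamp_ctr_set(unsigned target) { tamp_sim = target; return 0; }
void power_cycle_without_vbat(void) { tamp_sim = 0; } /* fuses untouched */

/* Anti-rollback check: refuse a certificate counter below the stored value,
 * and raise the stored value when a newer image is accepted. */
bool boot_allowed(unsigned cert_ctr, unsigned (*get)(void), int (*set)(unsigned))
{
    unsigned stored = get();
    if (cert_ctr < stored)
        return false;
    return cert_ctr == stored || set(cert_ctr) == 0;
}

int main(void)
{
    boot_allowed(3, tamp_ctr_get, tamp_ctr_set); /* release 3 boots once */
    boot_allowed(3, otp_ctr_get, otp_ctr_set);
    power_cycle_without_vbat();
    printf("release 2 after power loss: TAMP %d, OTP %d\n", boot_allowed(2, tamp_ctr_get, tamp_ctr_set), boot_allowed(2, otp_ctr_get, otp_ctr_set));
    return 0;
}
```

In TF-A, the counter read and update hooks that such custom management would sit behind are the platform's `plat_get_nv_ctr()` and `plat_set_nv_ctr()`.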
