Skip to main content
H
h_adi
Visitor II
June 3, 2024
Solved

Firmware with SBSFU bootloader with SFI at manufacturing

  • June 3, 2024
  • 1 reply
  • 1237 views

Hi,

I am doing feasibility on SBSFU bootloader on STM32H753ZI. Currently in our firmware we are planning to have a custom bootloader based on SBSFU for secure boot and update. But I came across SFI feature from ST to ensure protection at the manufacturing end.
1. Is it possible to use SFI package if we are using SBSFU as bootloader? Because I found SFI uses RSS bootloader(system bootloader) whereas SBSU is loaded from flash.
2. Is it mandatory to have an external flash if we want to use SFI, Can it work with just internal flash?
I am relatively new to this area. Kindly provide support.  

Best answer by STea

Hello @h_adi,
The Secure Firmware Installation solution, available on STM32L4, STM32H5, STM32H7, STM32L5, STM32U5, STM32WBA, and STM32WL microcontrollers, provides protection when devices are being programmed for the first time.so it has no links with the SBSFU which provides runtime Secuity at boot and update.
where the Secure Boot ensures the integrity and authenticity of the application firmware that runs inside a device.
Secure Firmware Update allows you to authenticate and verify the integrity of the required field updates.

two implementation schemes

  • X-CUBE-SBSFU, implementing the SBSFU mechanisms: easily set up all STM32 memory-protection mechanisms to isolate Secure Boot and Firmware Update functions from the main application. A reference implementation of ST's secure element, STSAFE, which maximizes the security level of the final application, is included. STM32L4 implementation also offers secure storage.
  • TFM_SBSFU, implementing the same mechanisms on devices loaded with TF-M (Trusted Firmware-M), and delivered with STM32Cube packages.

More on this could be found in this STM32Trust - STMicroelectronics and you can also check this Wiki pages to get a better understanding of this tow solutions:
-Security:SFI - stm32mcu

-Security:Introduction to Secure boot and Secure firmware update - stm32mcu

Regards

 

 

1 reply

S
STeaBest answer
ST Employee
June 5, 2024

Hello @h_adi,
The Secure Firmware Installation solution, available on STM32L4, STM32H5, STM32H7, STM32L5, STM32U5, STM32WBA, and STM32WL microcontrollers, provides protection when devices are being programmed for the first time.so it has no links with the SBSFU which provides runtime Secuity at boot and update.
where the Secure Boot ensures the integrity and authenticity of the application firmware that runs inside a device.
Secure Firmware Update allows you to authenticate and verify the integrity of the required field updates.

two implementation schemes

  • X-CUBE-SBSFU, implementing the SBSFU mechanisms: easily set up all STM32 memory-protection mechanisms to isolate Secure Boot and Firmware Update functions from the main application. A reference implementation of ST's secure element, STSAFE, which maximizes the security level of the final application, is included. STM32L4 implementation also offers secure storage.
  • TFM_SBSFU, implementing the same mechanisms on devices loaded with TF-M (Trusted Firmware-M), and delivered with STM32Cube packages.

More on this could be found in this STM32Trust - STMicroelectronics and you can also check this Wiki pages to get a better understanding of this tow solutions:
-Security:SFI - stm32mcu

-Security:Introduction to Secure boot and Secure firmware update - stm32mcu

Regards

 

 

Terms & ConditionsAccessibility statement