Skip to main content
S
SafeDev
Associate III
December 20, 2023
Solved

SBSFU --> MCU Boot with STM32U585 without Trustzone

  • December 20, 2023
  • 2 replies
  • 2437 views

Hi all,

we would implement SBSFU (Secure Boot and Secure Firmware Update) on STM32U585.

Our goals are:

  1. application do not use TrustZone feature (TZ_EN = 0)
  2. we want to avoid access to MCU on field (Device protection, for exapmle RDP = 1)
    1. question: if on field MCU is protected with RDP = 1 or 2 or whatever how could a firmware update take place? we need a regression before firmware update?
  3. at start up "mcu boot" check the security/integrity of application firmware: is that right?
  4. we want to upload the new firmware via USB connection: we think we should develop our custom bootloader. Correct?
  5. in our understading we will develop 2 projects (one project for application + bootloader and one project for mcu boot)
    1. how we could "join" the two binaries into a single one? is it possible?
  • A possible scenario for our could be that one:
    • user connects to our device via USB.
    • user want to update the firmware: then from the application we start our custom bootloader.
    • bootloader copy new firmware into a dedicate "update zone" into internal flash
    • when copy is finished MCU is resetted
    • at new startup “mcu boot” should detect a new firmware image into “Update Zone” and check its security/integrity
    • if the new firmware image is good then "mcu boot" will copy it into a dedicate "applicative zone" into internal flash
    • when the copy has finisched the MCU is resetted and at next start the new firmware image should start.

Is this scenario feasible?

Sorry for all these questions but we are newby about this argument. We read lots of documents but most of them refers to projects with Trust Zone active (at the moment we are working SBSFU examples of STM32U585 package).

Thank you in advance

Best regards

This topic has been closed for replies.
Best answer by Jocelyn RICARD

Hello @SafeDev ,

application do not use TrustZone feature (TZ_EN = 0)
=> When you enable TrustZone you benefit from the temporal isolation of the secure boot and keys.
This means that when running application, all secure boot area is masked. You can sill adapt the secure boot with TrustZone disabled but you can also develop your application in secure only, so that you don't have to deal with TZ.

we want to avoid access to MCU on field (Device protection, for exapmle RDP = 1)
question: if on field MCU is protected with RDP = 1 or 2 or whatever how could a firmware update take place? we need a regression before firmware update?
=> The Read protection protects from JTAG read access. No impact on your application. The update is managed internally

at start up "mcu boot" check the security/integrity of application firmware: is that right?
=> Yes, this is the purpose of the secure boot

we want to upload the new firmware via USB connection: we think we should develop our custom bootloader. Correct?
=> Yes, you need to develop the USB device part that will be able to connect to USB host, receive the update file and write it to flash.

in our understading we will develop 2 projects (one project for application + bootloader and one project for mcu boot)
=> Yes you will have 2 different applications / projects 
- Secure boot which is SBSFU
- Main application embedding the USB loader

how we could "join" the two binaries into a single one? is it possible?
=> The SBSFU example provided in STM32U5 does not provide such capability but you can develop your own tool to do that.

A possible scenario for our could be that one:
user connects to our device via USB.
user want to update the firmware: then from the application we start our custom bootloader.
bootloader copy new firmware into a dedicate "update zone" into internal flash
when copy is finished MCU is resetted
at new startup “mcu boot” should detect a new firmware image into “Update Zone” and check its security/integrity
if the new firmware image is good then "mcu boot" will copy it into a dedicate "applicative zone" into internal flash
when the copy has finisched the MCU is resetted and at next start the new firmware image should start.
Is this scenario feasible?
=> You described exactly how the MCU boot / SBSFU works !

Best regards

Jocelyn

2 replies

Jocelyn RICARD
Jocelyn RICARDBest answer
ST Employee
December 20, 2023

Hello @SafeDev ,

application do not use TrustZone feature (TZ_EN = 0)
=> When you enable TrustZone you benefit from the temporal isolation of the secure boot and keys.
This means that when running application, all secure boot area is masked. You can sill adapt the secure boot with TrustZone disabled but you can also develop your application in secure only, so that you don't have to deal with TZ.

we want to avoid access to MCU on field (Device protection, for exapmle RDP = 1)
question: if on field MCU is protected with RDP = 1 or 2 or whatever how could a firmware update take place? we need a regression before firmware update?
=> The Read protection protects from JTAG read access. No impact on your application. The update is managed internally

at start up "mcu boot" check the security/integrity of application firmware: is that right?
=> Yes, this is the purpose of the secure boot

we want to upload the new firmware via USB connection: we think we should develop our custom bootloader. Correct?
=> Yes, you need to develop the USB device part that will be able to connect to USB host, receive the update file and write it to flash.

in our understading we will develop 2 projects (one project for application + bootloader and one project for mcu boot)
=> Yes you will have 2 different applications / projects 
- Secure boot which is SBSFU
- Main application embedding the USB loader

how we could "join" the two binaries into a single one? is it possible?
=> The SBSFU example provided in STM32U5 does not provide such capability but you can develop your own tool to do that.

A possible scenario for our could be that one:
user connects to our device via USB.
user want to update the firmware: then from the application we start our custom bootloader.
bootloader copy new firmware into a dedicate "update zone" into internal flash
when copy is finished MCU is resetted
at new startup “mcu boot” should detect a new firmware image into “Update Zone” and check its security/integrity
if the new firmware image is good then "mcu boot" will copy it into a dedicate "applicative zone" into internal flash
when the copy has finisched the MCU is resetted and at next start the new firmware image should start.
Is this scenario feasible?
=> You described exactly how the MCU boot / SBSFU works !

Best regards

Jocelyn

S
SemSem
Associate
March 14, 2024

Please I need your help,

 

I have STM32U5 MCU and the TrusZone is disabled. Is it possible to have secure boot or not. If yes, please can you explain to me how I can achieve this. Thanks a lot

Jocelyn RICARD
Jocelyn RICARD
ST Employee
March 14, 2024

Hello @SemSem ,

As explained above we don't provide such secure boot.

Here are the solutions you have

1- You adapt the provided example but it may be challenging and you would lose important protection features

2- You enable TrustZone and create a secure only application

3- You enable TrustZone, create a secure application that will make everythnig non secure and develop you non secure application as if no TZ was enabled.

I shared somewhere in the forum an example of this secure application.

Best regards

Jocelyn

 

Terms & ConditionsAccessibility statement