Associate III
October 13, 2023
Solved

SBSFU | SFU_MPU_PROTECT_ENABLE | Pros & Cons


Hello all,
I have a question about additional MPU protection provided by enabling SFU_MPU_PROTECT_ENABLE.
What are the main benefits of that?
How much "protection value" do we miss if it's disabled?

 


 

5 replies

Bubbles
ST Employee
October 18, 2023

Hi @Jakub Standarski,

this is not easy to quantify. What particular product do you have in mind? In some products the MPU is probably the most important part. In others, where there is for example HDP, it's a little less important. I understand it's difficult to get it right, especially if you manipulated linker settings.

There are several MPU regions used, each for a different purpose. If there's one region you struggle with, you can identify the incorrect setting by disabling various regions and observing the effect.

BR,

J

Associate III
October 23, 2023

I was rather wondering whether, with all other security features turned on, the MPU is also an important chunk of that protection mechanism.

As far as I understand, by using additional MPU protection, we can force usage of peripherals' buses in privileged mode (which is not the case by default) or protect access to some kind of vulnerable data.
Does additional MPU protection add anything else than that?

Jocelyn RICARD
Best answer
ST Employee
October 23, 2023

Hello Jakub,

MPU protection is an internal isolation but also allows cache configurability as well as some address range configuration for read, write and execute capabilities.

If you disable MPU, you lose all of these.

Regarding security, the MPU adds a layer to be passed by an attacker.

For instance, if an attacker manages to perform a stack overflow on one interface, setting the stack as non-executable reduces the possibilities of such an attack. Also, disabling access to secure boot code containing keys prevents directly reading such keys.

Best regards

Jocelyn
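
An added illustration (not part of the original thread, and not SBSFU code) of the two protections named in the answer above, a non-executable stack region and a no-access region over key material, expressed as ARMv7-M `MPU_RASR` values. The Cortex-M3/M4/M7 register layout, the addresses and sizes, and the function names are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>

/* MPU_RASR bit fields, ARMv7-M layout (Cortex-M3/M4/M7 assumed). */
#define RASR_ENABLE  (1u << 0)
#define RASR_SIZE(n) ((uint32_t)(n) << 1)   /* region spans 2^(n+1) bytes */
#define RASR_C       (1u << 17)             /* cacheable */
#define RASR_S       (1u << 18)             /* shareable */
#define RASR_AP(ap)  ((uint32_t)(ap) << 24)
#define RASR_XN      (1u << 28)             /* execute never */

enum { AP_NONE = 0, AP_PRIV_RW = 1, AP_FULL = 3, AP_PRIV_RO = 5 };

/* Hypothetical helper: build RASR for a region, rejecting layouts the MPU
 * cannot express (size not a power of two >= 32, base not size-aligned).
 * Memory attributes are fixed to C|S here to keep the example short. */
int mpu_region_rasr(uint32_t base, uint32_t size, unsigned ap, int xn,
                    uint32_t *rasr)
{
    unsigned n = 0;
    if (size < 32u || (size & (size - 1u)) != 0u) return -1;
    if ((base & (size - 1u)) != 0u) return -1;
    while ((1u << n) < size) n++;           /* n = log2(size) */
    *rasr = RASR_AP(ap & 7u) | RASR_C | RASR_S | RASR_SIZE(n - 1u)
          | RASR_ENABLE | (xn ? RASR_XN : 0u);
    return 0;
}

/* Audit check: can code be fetched from a region with these attributes?
 * A fetch needs XN clear and a read permission (AP other than no access). */
int rasr_allows_exec(uint32_t rasr)
{
    unsigned ap = (rasr >> 24) & 7u;
    return (rasr & RASR_XN) == 0u && ap != AP_NONE;
}

int main(void)
{
    uint32_t stack, keys;
    /* Constructed sample layout: 128 KB SRAM, 4 KB key area in flash. */
    if (mpu_region_rasr(0x20000000u, 0x20000u, AP_FULL, 1, &stack) == 0)
        printf("stack RASR 0x%08X exec=%d\n", (unsigned)stack,
               rasr_allows_exec(stack));
    if (mpu_region_rasr(0x08001000u, 0x1000u, AP_NONE, 1, &keys) == 0)
        printf("keys  RASR 0x%08X exec=%d\n", (unsigned)keys,
               rasr_allows_exec(keys));
    return 0;
}
```

A region whose base is not aligned to its size, or whose size is not a power of two, is rejected instead of being silently truncated by the hardware.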

 

Associate III
October 23, 2023

That's what I needed, thanks!

Associate II
November 8, 2023

Hi @Jakub Standarski, are you able to get MPU working? I still get "Hard fault" if I enable it, and all the rest of the security mechanisms work fine. Any insights are much appreciated.

Jocelyn RICARD
ST Employee
March 6, 2024

Hello Jakub,

Hardfault is usually quite easy to debug. You have a first view with the hardfault analyser, and then you can go back to the root cause.

One other thing you can do first is to put a breakpoint on the reset handler of your application, and then go step by step. After a few iterations you should understand what the cause is.

Best regards

Jocelyn

Associate III
March 6, 2024

Yeah, usually that's true. But we've narrowed down the issue to the SysTick function, which halts counting. Right after jumping to that function, HardFault is triggered.

Jocelyn RICARD
ST Employee
March 6, 2024

I remember an issue related to SysTick in old SBSFU versions. But in the latest one it is suspended.

One thing I would check in your case is the value of VTOR, to check if it points to the right interrupt vector location.