Skip to main content
jrgert
jrgert
Associate III
August 25, 2021
Solved

SBSFU user app API extension

  • August 25, 2021
  • 3 replies
  • 1469 views

My project uses SBSFU template ported to my STM32L496 board. I need to call the crypto library from the user app.

UM2262 mentions cryptographic middleware support in sections 6.2.3 and 6.2.4, but it is vague.

Are there other documents that explain better, or perhaps specific examples for calling the crypto lib from the user app?

This topic has been closed for replies.
Best answer by Jocelyn RICARD

Hello @jrgert​ 

The STM32L4 provides hardware isolation thanks to the firewall.

The Secure Engine is running inside this secure enclave.

The Secure Engine was design to enable easy extension with user defined services.

So, it is possible to add specific crypto services inside the SE.

The advantage is that you benefit from the isolation and possibly share the crypto library services if using the same.

The drawback is that services and possible keys would be frozen in the SBSFU without ability to update.

Regarding the implementation, be careful that the X-CUBE-CRYPTOLIB provided by ST (link in @Pavel A.​  post) you will get a new version 4.x that is not compatible with the one used in SBSFU that is 3.x

There is no issue if you do everything in your application.

But if you want to isolate your crypto services inside the secure engine, it would preferable to get the same version. If this is the case, please drop me a private message.

Best regards

Jocelyn

3 replies

alister
alister
Senior III
August 26, 2021

>I need to call the crypto library from the user app.

Can you explain why please?

jrgert
jrgertAuthor
Associate III
August 26, 2021

I would like to do some hashing, ciphering and/or message authentication. I thought using the library that is already linked in would be useful.

alister
alister
Senior III
August 26, 2021

The X-CUBE-CRYPTOLIB or mbedTLS linked your boot (SBSFU) project's SE are for authenticating app headers, authenticating the active app matches its header, decrypting and integrity-checking an app during install and are coupled to your secret key(s). You app would not typically use these as adding an API to reach them opens them to attack.

An exception may be a certificate, requiring similar security as your secret key(s), which you elect to place in the same bank and sector as your boot code during manufacture, and devise some callgate to get it.

The crypto library used in your app must be linked with your app, which is a separate project. If you build your boot and app projects in the same repo and wanted to use the same lib for both, certainly you could arrange its projects to do that. X-CUBE-SBSFU typically uses X-CUBE-CRYPTOLIB and Pavel A describes how to get its full library. Apps typically use mbedTLS.

Pavel A.
Pavel A.
Super User
August 26, 2021

SBSFU contains a subset of the ST crypto lib, if I remember correctly.

You can get the full library here, it has documentation and examples.

--pa

Jocelyn RICARD
Jocelyn RICARDBest answer
ST Employee
August 30, 2021

Hello @jrgert​ 

The STM32L4 provides hardware isolation thanks to the firewall.

The Secure Engine is running inside this secure enclave.

The Secure Engine was design to enable easy extension with user defined services.

So, it is possible to add specific crypto services inside the SE.

The advantage is that you benefit from the isolation and possibly share the crypto library services if using the same.

The drawback is that services and possible keys would be frozen in the SBSFU without ability to update.

Regarding the implementation, be careful that the X-CUBE-CRYPTOLIB provided by ST (link in @Pavel A.​  post) you will get a new version 4.x that is not compatible with the one used in SBSFU that is 3.x

There is no issue if you do everything in your application.

But if you want to isolate your crypto services inside the secure engine, it would preferable to get the same version. If this is the case, please drop me a private message.

Best regards

Jocelyn

Terms & ConditionsAccessibility statement