Is VBAT needed for secure boot ?

Question

Hello,In the wiki I have found these lines:5.3 Non-volatile counters↑Each certificate embeds a non-volatile counter value that is checked to control anti-rollback mechanism.There are two non-volatile counters: - Trusted non-volatile counter - Non trusted volatile counterOn STM32MP1, TAMP monotonic counter is used to store the backup value, which requires backup battery to maintain the content. It is mandatory to align the same value between trusted and non-trusted value as only one counter is used as reference.Source: https://wiki.st.com/stm32mpu/wiki/TF-A_BL2_Trusted_Board_Boot#Non-volatile_countersI'm afraid, we are implementing secure boot, but we are not planning to use a battery. VBAT won't be maintained when the board is off. And so content won't be maintained.Instead, we connected VBAT to 3V3 and we added a 100nF decoupling capacitor.What is the impact on the secure boot? Would it be working in that case, even if TAMP is not powered?Thanks,Best regards,Charles

PatrickF · Accepted Answer

Hi @Community member​ explanation has already been given directly to you by local support, but for the benefit of community, I write below the answer with few additional information:Without VBAT on the platform, the anti-rollback mechanism is not usable. The TAMP_COUNT is always reset to 0 so older release can be used for booting. It does not prevent secure booting, this will be not an issue.Note that if needed, the anti-rollback could be enforced by using custom lower OTPs (e.g. 1 bit fused for each major version) and associated TF-A custom management or any suitable mechanism to fit your security.Regards.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded