STM32Trust

Overview
Resources
Featured content
Image for STM32Trust

The STM32Trust ecosystem combines knowledge, design tools, and ready-to-use original ST software to build strong cyber-protection into new IoT devices, leveraging industry best-practices. These help designers take advantage of features built into STM32 microcontrollers to ensure trust among devices, prevent unauthorized access, and resist side-channel attacks to avert data theft and code modification.

STM32Trust integrates all available cyber-protection resources including reference material and free software for the STM32 family and offers a robust multi-level strategy to enhance security.

The STM32Trust solution offers a complete toolset for code and execution protection.

Image for STM32Trust

Code protection

STM32Trust.CodeProtection includes a set of solutions to ensure owner code confidentiality and integrity programming on authentic STM32 devices.

Hardware cyber-protection features are already embedded on certain STM32 MCU models. Tamper detection, firewall code-isolation mechanisms and Arm TrustZone® technologies are also implemented to ensure the most sensitive codes benefit from extra protection.

*available in Q4 2019

X-CUBE-SBSFU

Application codes are most vulnerable when being transferred into boot memory or updated in the field.

The X-CUBE-SBSFU Secure Boot and Secure Firmware Update is a set of software reference source codes for secure firmware and upgrade of STM32 microcontroller built-in applications, adding new features and correcting potential issues. The update process is performed in a secure way to prevent unauthorized updates and access to confidential on-device data.

The X-CUBE-SBSFU shows how to set up all STM32 memory-protection mechanisms to isolate Secure Boot and Firmware Update functions from the main application.

There is also a reference implementation of ST’s secure element STSAFE, which maximizes the security level of the final application.

X-CUBE-CRYPTOLIB

This ECCN 5D002-classified software is based on STM32Cube architecture package and includes a set of crypto algorithms based on firmware implementation. Ready to use in all STM32 microcontrollers.

SFI

The Secure Firmware Installation solution, available on STM32L4 and STM32H7 microcontrollers and soon to be extended to additional STM32 platforms, provides protection when devices are being programmed for the first time.

The solution offers a complete toolset to encrypt OEM binaries with the Trusted Package Creator software, the CUBE Programmer to securely flash the STM32 and the STM32HSM to transfer OEM credentials to the programming partner.

Image for SFI

After firmware development and validation, designers can securely encrypt binary files using the Trusted Package Creator software and store all their credentials into a dedicated smart card, such as the hardware security module STM32HSM.

The STM32CubeProgrammer or SFI recommended partner programming tools can then be implemented to securely program STM32 MCUs in untrusted environments, such as manufacturing lines.

STM32CubeProgrammer

The STM32CubeProgrammer includes the STM32TrustedPackage Creator tool which allows the generation of SFI and SMI encrypted images for STM32 devices embedding SFI. It is available in both CLI and GUI modes free of charge.

The SFI format is an encryption format for firmware created by STMicroelectronics. It uses AES algorithm to transform a firmware in Elf, Hex, Bin or Srec formats into an encrypted and authenticated firmware in SFI format. An SFI firmware image is composed of a header, plus several areas. The areas are usually contiguous firmware areas. The last area is the configuration area containing the option byte values to be programmed when the SFI is complete.

STM32HSM

The STM32HSM-V1 is used to secure the programming of STM32 products to avoid product counterfeiting on contract manufacturers' premises.

FASTROM

FASTROM (Factory Advanced Service Technique Read Only Memory) MCUs are Flash devices which are pre-programmed with the customer’s code and selected options. FASTROM MCUs improve programming efficiency for large quantities (10,000+) and compared to ROM, have the advantage of shortening leadtime and allow devices to be reprogrammed.

For further information, please contact your local ST contact.

Execution protection

Devices become targets of cyberattacks when they are commercially implemented and need to be immune to these attacks. Cyber security measures need to be set up to make sure that firmware IPs are protected and that credentials and data are secured by the application and cannot be breached.

STM32Trust.ExecutionProtection is a set of STM32 functions to ensure owner code proper runtime isolation, execution and ease, and which achieves confidentiality and authenticity in the collected data. STM32 offers different architectures and isolation schemes.

*available in Q4 2019

Debug

The debug port provides access to all the device’s resources from the outside. Used for application development, it is the first vulnerability breach to be accessed by the attacker on the device. STM32 debug function shall be locked to ensure owner code confidentiality and authenticity.

Secure boot

Executed after each reset, the secure boot, as shown in the X-CUBE-SBSFU software package, checks the integrity of the STM32 platform configuration and verifies each embedded firmware signature for authentication.

MPU

The Memory Protection Unit mechanism protects different processes from each other and allows them to run independently. The resulting software isolation ensures that individual processes keep their code and data safe from each other. STM32 provides MPU solutions and is supported by several operating systems.

Dual-core architecture

Dual-core architectures allow two runtime applications to run within the same device, both isolated by the core ID.

TrustZone

TrustZone is a complete set of hardware mechanisms to ensure the proper definition and isolation of two main security application domains: one so-called trusted domain (for critical applications with their affected resources) and one non-trusted domain for the main firmware application.

Firewall

The firewall is a hardware protection peripheral which controls the bus transactions and filters accesses to three particular areas: a code area (Flash), a volatile data area (SRAM), and a non-volatile data area (Flash). It allows users to simply set the critical code execution apart from the main application firmware.

Resources

PRODUCT SPECIFICATIONS
00 Files selected for download
Description Version Size Action
DB2641
Proprietary code read-out protection (PCROP), software expansion for STM32Cube
3.0.0
139 KB
PDF
APPLICATION NOTES
Description Version Size Action
AN5056
Integration guide for the X-CUBE-SBSFU STM32Cube Expansion Package
3.0.0
3MB
PDF
AN5156
Introduction to STM32 microcontrollers security
2.0.0
3MB
PDF
AN4729
STM32L0/L4 FIREWALL overview
1.2.0
114KB
PDF
AN2606
STM32 microcontroller system memory boot mode
38.0.0
3.9MB
PDF
AN4701
Proprietary code read-out protection on microcontrollers of the STM32F4 Series
3.0
893.7KB
PDF
AN4758
Proprietary code read-out protection on microcontrollers of the STM32L4 Series
2.0
994.8 KB
PDF
AN4968
Proprietary code read out protection (PCROP) on STM32F72xxx and STM32F73xxx microcontrollers
1.0
1.1MB
PDF
AN4230
STM32 microcontrollers random number generation validation using NIST statistical test suite
2.0
517.0 KB
PDF
AN3371
Using the hardware real-time clock (RTC) in STM32 F0, F2, F3, F4 and L1 series of MCUs
5.2
418.0 KB
PDF
AN4992
Overview secure firmware install (SFI)
3.0
1.2MB
PDF
AN5054
Secure programming using STM32CubeProgrammer
2.0
2.9MB
PDF
AN4838
Managing memory protection unit (MPU) in STM32 MCUs
3.0.0
219.8 KB
PDF
AN4246
Proprietary Code Read Out Protection on STM32L1 microcontrollers
1.2.0
283.7 KB
PDF
USER MANUAL
Description Version Size Action
UM2262
Getting started with the X-CUBE-SBSFU STM32Cube Expansion Package
4.0
2.8 MB
PDF
UM2237
STM32CubeProgrammer software description
7.0
3.2 MB
PDF
UM2238
STM2 Trusted Package Creator tool software description
3.0
1.7 MB
PDF
    For customers or partners who want to develop secure programming solution based on STM32 SFI, additional technical documents are available under NDA (contact sales office)
  • AN5243 Bootloader SFI security extension for STM32H7 Series
  • AN2428 Hardware secure module (HSM) for STM32CubeProgrammer secure firmware install (SFI)
PRODUCT SPECIFICATIONS
DB2641

Proprietary code read-out protection (PCROP), software expansion for STM32Cube

APPLICATION NOTES
AN5056

Integration guide for the X-CUBE-SBSFU STM32Cube Expansion Package

AN5156

Introduction to STM32 microcontrollers security

AN4729

STM32L0/L4 FIREWALL overview

AN2606

STM32 microcontroller system memory boot mode

AN4701

Proprietary code read-out protection on microcontrollers of the STM32F4 Series

AN4758

Proprietary code read-out protection on microcontrollers of the STM32L4 Series

AN4968

Proprietary code read out protection (PCROP) on STM32F72xxx and STM32F73xxx microcontrollers

AN4230

STM32 microcontrollers random number generation validation using NIST statistical test suite

AN3371

Using the hardware real-time clock (RTC) in STM32 F0, F2, F3, F4 and L1 series of MCUs

AN4992

Overview secure firmware install (SFI)

AN5054

Secure programming using STM32CubeProgrammer

AN4838

Managing memory protection unit (MPU) in STM32 MCUs

AN4246

Proprietary Code Read Out Protection on STM32L1 microcontrollers

USER MANUAL
UM2262

Getting started with the X-CUBE-SBSFU STM32Cube Expansion Package

UM2237

STM32CubeProgrammer software description

UM2238

STM2 Trusted Package Creator tool software description

Trainings

X-CUBE-PCROP firmware Proprietary code read-out protection (PCROP) software expansion for STM32Cube (AN4701, AN4758 and AN4968)
STM32 online training about “Security & Safety Full range of STM32 training courses (STM32G4, STM32F7, STM32L4, STM32L4+, STM32G0, STM32WB, STM32H7 and STM32MP1) available on line
STM32 MOOC - Basics of security in STM32 STM32 security basics MOOC with hands-on exercises

Featured content

STM32Trust: Secure Boot, Update, and Install Under One Roof

We are launching today STM32Trust, a new initiative that focuses on all the software and hardware solutions we bring to improve the security of our devices.

Getting started with STM32H747 Discovery Kit

The STM32H747I-DISCO Discovery kit is a complete demonstration and development platform for STMicroelectronics STM32H747XIH6 microcontroller, designed to simplify user application development.

Get involved in the STM32 Community

Ask questions, share projects and collaborate with your fellow community members.

Follow us on Facebook

Be the first informed about our STM32 products and solutions and share your ideas on our dedicated Facebook page

サポート & フィードバック