Stm32trust Product Overview


STM32Trust

The STM32 security framework for protecting embedded systems

Outline

1 What is security?
2 STM32Trust framework
3 STM32Trust security functions
4 STM32Trust TEE Secure Manager
5 Security in practice
6 Security functions by product

Access useful links
See abbreviation glossary and definitions

What is security?

Security is about ensuring the C.I.A. triad:

Confidentiality
Protecting sensitive data and ensuring secrecy.

Integrity
Safeguarding data accuracy and protecting it from any modification.

Availability
Ensuring that functionality and/or data is available when it is needed.

Addressing the security challenges and gaps

[Diagram labels: Security challenges for our customers: complex, time to market, high cost; IoT security certifications & regulations. Missing link. Developers: scalability, certification, maintenance. Core security hardware and services. Multiple devices. Hardware.]

Our goal: protect customer assets

Data Connectivity
Confidentiality Regulations
Secrets Network access
Regulations Data transfer
Authenticity Confidentiality
Availability

IP System trust
Software Regulations
Data Reliability
Processes Availability
Secrets Authentication
Confidentiality

6
Threat assessment workflow
1. Identify threats according to the different types of customer assets.
2. Propose mitigation strategies via Security Functions & services.
3. Rely on recognized Security Assurance levels.

Threats exploit vulnerabilities & damage assets.

Protections mitigate vulnerabilities & therefore can mitigate threats.

[Diagram labels: Customers, Assets, Threats, Vulnerabilities, Security Functions & Services, Mitigate]

The STM32Trust framework

8
What is STM32Trust?

STM32Trust is built on key pillars to ensure security

Secure hardware Root of Trust
Software & services
Certifications & regulations

Software and services
Use our services to protect your workflow, from the development phase to deployment in the field

DEVELOPMENT VALIDATION MANUFACTURING IN THE FIELD

Guidance Software update


Certification Secure install
Examples Attestation
Pre-Evaluation Provisioning
Libraries Communication
Standards
References
Regulations
Tools
Boards

Supports Supports
Supports
STM32Cube TF-M, TF-A Secure firmware install
PSA Certification OP-TEE Secure module install
SESIP Certification Crypto libraries Secure secret provisioning
NIST SP800-90B Secure Manager Secure element support

Simplifies

10
Certifications & Regulations
End Devices & Applications

Security Security
Regulations Standards

U.S. CYBER TRUST MARK EU RED & CRA

Focuses on
IEC 62443-4 EN 303 645
Platform Security
Security Evaluation Architecture
Standard for IoT Platforms For chips, system Enables
software & device

11
Focus on RED and CRA standards

Radio Equipment Directive (RED)
Goal: increase security for radio connected devices.
• Conformity assessment with risk-based approach according to the usage and environment of the device.
• Hardware component: N/A
• IoT consumer device: self-declaration
• IoT industrial device: self-declaration

Cyber Resilience Act (CRA)
Goal: ensure more secure hardware and software products in the field
• Be capable of updating/patching products.
• Actively monitor vulnerabilities and provide updates/patches.
• Different security levels according to predefined categories.
• Hardware component: third-party evaluation
• IoT consumer device: self-declaration
• IoT industrial device: third-party evaluation

[Timeline figure, 2023 to 2027: transition and application phases for RED and for CRA; date marked: August 1, 2024]

STM32Trust Security Functions
From assets to Security Functions

STM32Trust streamlines the IoT security model with:
• A meta security framework with generic Security Functions
• The coverage of commonplace threats & vulnerabilities classes

Threats:
• Unauthorized access
• Malware & ransomware
• Denial of service (DoS)
• Man-in-the-middle (MitM)
• Physical tampering
• Data privacy & integrity

CWE vulnerabilities:
• Authentication & authorization
• Encryption & cryptography
• Network
• Physical security
• Software
• Configuration & management

STM32Trust Security Functions:
• Identification / Authentication / Attestation
• Application life cycle
• Secure manufacturing
• Software IP protection
• Silicon device life cycle
• Secure install / update
• Secure storage
• Isolation
• Abnormal situation handling
• Secure boot
• Crypto engine
• Audit / Log

Security Functions for RoT certification
Mapping Security Functions (SF) to PSA Certified and SESIP for RoT security certification

PSA certified SFs:
• Initialization
• Software isolation
• Secure storage
• Firmware update
• Secure state
• Cryptography
• Attestation
• Audit
• Debug
• Physical protection

SESIP SFs:
• Identification and attestation
• Product life cycle
• Secure communication
• Extra attacker resistance
• Cryptographic functionality
• Compliance functionality
• …

STM32Trust Security Functions:
• Identification / Authentication / Attestation
• Application life cycle
• Secure manufacturing
• Software IP protection
• Silicon device life cycle
• Secure install / update
• Secure storage
• Isolation
• Abnormal situation handling
• Secure boot
• Crypto engine
• Audit / Log

STM32Trust Security Functions explained
Security Function: Definition

Identification / Authentication / Attestation: Unique identification of a device and/or software, and ability to detect its authenticity.
Application life cycle: Defines unchangeable incremental states to securely protect application states and assets.
Secure manufacturing: Device provisioning or personalization in untrusted environment with overproduction control.
Software IP protection: Ability to protect a section or the whole software package against external or internal reading, "multitenant".
Silicon device life cycle: Control states to securely protect silicon device assets during its lifetime.
Secure install / update: Installation or update of firmware with initial integrity & authenticity checks before programming & execution.
Secure storage: Ability to securely store secrets like data or keys.
Isolation: Isolation between trusted and non-trusted parts of an application.
Abnormal situation handling: Ability to detect and to react to abnormal hardware and software situations.
Secure boot: Ability to ensure the authenticity and integrity of an embedded application.
Crypto engine: Ability to process cryptographic algorithms, as recommended by security assurance schemes.
Audit / Log: Ability to keep trace of security events in an unchangeable way.

STM32 product target certifications

PSA Certified Level 1 PSA Certified Level 1 SESIP3


MPU STM32MP15 STM32MP13

High perf PSA Certified Level 1


PSA Certified Level 1 SESIP3
MCUs STM32H7
STM32H5

Mainstream PSA Certified Level 1 PSA Certified Level 1 PSA Certified Level 1
STM32G0 STM32G4
MCUs STM32C0

Ultra-low-power PSA Certified Level 1 PSA Certified Level 1 SESIP3 PSA Certified Level 3 SESIP3

MCUs STM32L4/L4+ STM32L5 STM32U5

Wireless PSA Certified Level 3 SESIP3

MCUs STM32MP13

17
STM32Trust TEE Secure Manager
Embedded security
“If only
What are developers typically trying to achieve?

Easily protect my critical Easily protect my IP and my Easily & securely connect
data & secrets and those partner’s IP in a strong and to clouds & servers without
of my end customers effective way painful digital identities
management
Locally
During development Data protection
During Secure
communication updates
At rest
Registration
In production

In the field
Remotely Device life
cycle

19
Introducing the STM32Trust TEE Secure Manager

Secure Manager
A trusted execution environment (TEE) integrating core security services

A set of turnkey security services developed, maintained, and certified by ST

Secure Manager
First used in the STM32H5 platform
The STM32Trust TEE Secure Manager protects IP and simplifies your security journey

• ST platform ownership
• Turnkey set of security services
• Secure Manager Core to handle isolation
• Multitenant software IP protection
• Arm® PSA API compatible
• Designed for long-term-support (LTS)
• Modular secure update capable
• Optimized certification properties
• Certified and maintained by ST
• Covering the 12 security functions

[Architecture diagram labels: TrustZone®, Non-secure, Secure, Un-privileged, Privileged, Application, Real-time OS, Trusted app 1, Trusted app N, Trusted storage, Firmware update, Cryptography, Attestation, PSA API, Secure Manager Core, ST uRoT, ST iRoT, Scope of Secure Manager, Target]

Secure firmware and secret installation
Embedded secure firmware install - SFI
Manage STM32 authentication, firmware decryption and installation

ST ecosystem with encryption, HSM, and mass market programming tools
SFI embedded services provisioned by ST
Firmware cloning protection on the first installation
Protect third-party software IP via SMI

[Diagram labels, SFI approach. Customer premises: Trusted Package Creator, FW, encryption, encrypted FW, store encryption key in HSM, ST hardware secure module (HSM), physical transfer. Untrusted environment: encrypted FW transfer, HSM, authenticate target STM32, generate installation license, Secure Loader, STM32.]

[Diagram labels, SMI. Third-party premises: Trusted Package Creator, module, encrypted module, store encryption key in HSM, ST hardware secure module (HSM), physical transfer. Untrusted environment: encrypted module transfer, HSM, authenticate target STM32, generate installation license, UART / SPI / USB.]

Embedded secure secret provisioning - SSP
Manage STM32 authentication, license generation and secure key transfer

The SSP process prevents the OEM secrets from:
• Being accessed by the contract manufacturer
• Being extracted or disclosed
• Being over produced

ST ecosystem with encryption, HSM, and programming tools
Protect secret customer keys

[Diagram labels. Customer premises: SSP firmware, sign, signed FW, generate customer keys, encrypted SSP image, store encryption key in HSM, ST hardware secure module (HSM), STM32Cube Trusted Package Creator. Untrusted environment: encrypted SSP image, STM32Cube Programmer, authenticate target STM32, generate installation license, STM32 MPU.]

Security in practice
Customer example (1/6)
focus on secure manufacturing

Asset: Product
Bob is at the head of a company designing toys.
He would like to avoid the counterfeiting of his company-branded toys.

What Bob needs to achieve:
• Firmware protection during production
• Production management at manufacturer (no over- or under-production)
• Protection against the programming of other devices during production
• Firmware protection in the field

Required Security Functions (IP protection):
• Secure manufacturing
• Software IP protection
• Secure install / update
• Silicon device life cycle

Customer example (2/6)
focus on isolation and IP protection

Asset: IP
Jon owns a company that sells firmware.
The firmware package features additional options that can be enabled by the user.

What Jon needs to achieve:
• Firmware protection
• Ensure that the firmware package is isolated from customer firmware
• Ensure independent firmware updates
• Set application in a macrostate while ensuring it cannot be altered

Required Security Functions (IP protection):
• Software IP protection
• Code isolation
• Secure Install/Update
• Application life cycle

Customer example (3/6)
focus on secure maintenance & update

Asset: Product trustability
Mark's company sells costly equipment.
He plans to offer remote maintenance and updates.
He wants to ensure that the remote updates are only performed on the equipment sold by his company and that only his firmware pack runs on the devices.

What Mark wants to achieve:
• Ensure only his equipment benefits from remote updates
• Access to information on product state
• Ensure that the firmware update is carried out in a secure way
• Firmware authentication and integrity

Required Security Functions (Secure connectivity, System integrity):
• Identification/Authentication/Attestation
• Secure Install/Update
• Secure boot
• Memory protections

Customer example (4/6)
focus on data management

Asset: Company data
Oliver sells devices that report sensitive data to servers.
Oliver needs to make sure the data cannot be exposed outside of his company.

What Oliver wants to achieve:
• Ensure the data transmitted is not exposed
• Secrecy in data encryption keys
• Ensure data is sent from authenticated devices
• Ensure data is sent to authenticated servers

Required Security Functions (Data, Secure connectivity):
• Crypto engine
• Secure storage
• Identification/Authentication/Attestation

Customer example (5/6)
focus on remote access & control

Asset: Device integrity
Rose controls her device fleet remotely.
She wants to make sure her devices have not been hacked and have full control over the devices at any time.

What Rose wants to achieve:
• Unique identity for each device
• Device authentication
• Attest device access rights
• Secure device communication
• Ensure that identities and access rights cannot be hacked, even at the manufacturing stage

Required Security Functions (Secure connectivity, Data storage):
• Identification/Authentication/Attestation
• Crypto engine
• Secure storage and secure manufacturing (secure personalization)

Customer example (6/6)
focus on data protection

Asset: Data
Jack collects and stores user data in his devices.
Jack's devices and large-scale systems need to comply with regulations (such as GDPR).

What Jack wants to achieve:
• Platform integrity
• Integrity of user data
• Secure storage of user data

Required Security Functions (System integrity, Secure connectivity, Secure storage):
• Secure boot
• Abnormal situation handling
• Crypto engine
• Identification/Authentication/Attestation
• Secure storage

Security Functions and services
in STM32 products
The STM32 portfolio

Five product categories

Wireless Ultra-low-power Mainstream High-performance Embedded


MCU MCU MCU MCU MPU
Short- and long-range connectivity 32-bit general-purpose microcontrollers: from 75 to 3,224 CoreMark score 32- and 64-bit microprocessors

Enabling edge AI solutions Scalable security


MPU portfolio 33
MCU portfolio
Mainstream products with security functions
STM32Fx: STM32F0, STM32F1*, STM32F2**
STM32Trust Security Functions | Security Features: Hardware | Software | Services
Identification / Authentication / Attestation | Unique ID | - | -
Application life cycle | OTP** | -
Secure manufacturing | - | - | -
Software IP protection | MPU**, WRP | - | -
Silicon device life cycle | WRP | - | CubeProgrammer
Secure install / update | - | - | -
Secure storage | - | - | -
Isolation | - | - | -
Abnormal situation handling | Tamper, RTC | -
Secure boot | - | - | -
Crypto engine | - | - | -
Audit / Log | - | - | -

Mainstream products with security functions
STM32Cx: STM32C0
STM32Trust Security Functions | Security Features: Hardware | Software | Services
Identification / Authentication / Attestation | Unique ID | - | -
Application life cycle | - | -
Secure manufacturing | - | - | -
Software IP protection | MPU, WRP | -
Silicon device life cycle | WRP | - | CubeProgrammer
Secure install / update | - | - | -
Secure storage | - | - | -
Isolation | MPU | - | -
Abnormal situation handling | Tamper, RTC | -
Secure boot | - | - | -
Crypto engine | - | - | -
Audit / Log | - | - | -

Mainstream products with security functions
STM32Gx: STM32G0, STM32G4
STM32Trust Security Functions | Security Features: Hardware | Software | Services
Identification / Authentication / Attestation | Unique ID | - | STSAFE support
Application life cycle | OTP | - | -
Secure manufacturing | - | - | -
Software IP protection | RDP, MPU, PCROP | - | -
Silicon device life cycle | HDP, WRP, RDP, PCROP | - | CubeProgrammer
Secure install / update | HDP, WRP, RDP, UBE | X-CUBE-SBSFU | CubeProgrammer
Secure storage | HDP | - | -
Isolation | HDP, MPU | - | -
Abnormal situation handling | Tamper, RTC, GPIO lock, CSS, ECC, Temp. sensor, PVD, WD, BR | - | -
Secure boot | HDP, WRP, RDP, UBE, MPU | X-CUBE-SBSFU | CubeProgrammer
Crypto engine | HASH, AES, TRNG | X-CUBE-CRYPTOLIB | -
Audit / Log | - | - | -

Ultra-low-power products with security functions
STM32Lx: STM32L0, STM32L4, STM32L5
STM32Trust Security Functions | Security Features: Hardware | Software | Services
Identification / Authentication / Attestation | Unique ID | -
Application life cycle | OTP | -
Secure manufacturing | - | - | -
Software IP protection | RDP, Firewall, PCROP, MPU | -
Silicon device life cycle | PCROP | - | CubeProgrammer
Secure install / update | RDP, MPU | X-CUBE-SBSFU | CubeProgrammer
Secure storage | Firewall | -
Isolation | Firewall, MPU, PCROP | -
Abnormal situation handling | Tamper, RTC, GPIO lock, CSS, ECC, Temp. sensor, PVD, WDT, Backup registers | -
Secure boot | RDP, WRP | X-CUBE-SBSFU | CubeProgrammer
Crypto engine | AES, HASH, TRNG | X-CUBE-CRYPTOLIB | -
Audit / Log | - | -

Ultra-low-power products with security functions
STM32Lx: STM32L0, STM32L4, STM32L5
STM32Trust Security Functions | Security Features: Hardware | Software | Services
Identification / Authentication / Attestation | Unique ID | -
Application life cycle | OTP | -
Secure manufacturing | RSS | SFI | -
Software IP protection | RDP, Firewall, PCROP, MPU | -
Silicon device life cycle | PCROP, RDP, WRP | - | CubeProgrammer
Secure install / update | RDP, MPU | X-CUBE-SBSFU | CubeProgrammer
Secure storage | Firewall | X-CUBE-SBSFU | -
Isolation | Firewall, MPU, PCROP | - | -
Abnormal situation handling | Tamper, RTC, GPIO lock, CSS, ECC, Temp. sensor, PVD, WD, BR | -
Secure boot | RDP, WRP, MPU | X-CUBE-SBSFU | CubeProgrammer
Crypto engine | AES, HASH, TRNG | X-CUBE-CRYPTOLIB, DPA resistance* (FIPS-140) | -
Audit / Log | - | -

Ultra-low-power products with security functions
STM32Lx: STM32L0, STM32L4, STM32L5
STM32Trust Security Functions | Security Features: Hardware | Software | Services
Identification / Authentication / Attestation | Unique ID, Certificate | TF-M | -
Application life cycle | OTP | -
Secure manufacturing | RSS | Secure firmware install | -
Software IP protection | RDP, Firewall, PCROP, MPU | TF-M | -
Silicon device life cycle | RDP, WRP, HDP | - | CubeProgrammer
Secure install / update | RDP, MPU, UBE, TrustZone® | TF-M_SBSFU boot | CubeProgrammer
Secure storage | AES Key storage, OTFDEC, HDP | TF-M | -
Isolation | Firewall, MPU, PCROP | TF-M | -
Abnormal situation handling | Tamper, RTC, GPIO lock, CSS, ECC, Temp. sensor, PVD, WD, BR | -
Secure boot | RDP, WRP, MPU, UBE, HDP | TF-M_SBSFU boot | CubeProgrammer
Crypto engine | AES, HASH, PKA, OTFDEC, TRNG | X-CUBE-CRYPTOLIB, TF-M | -
Audit / Log | GTZC (global TrustZone® controller) | TF-M | -

Ultra-low-power products with security functions
STM32Ux: STM32U5
STM32Trust Security Functions | Security Features: Hardware | Software | Services
Identification / Authentication / Attestation | Unique ID, device certificate | TF-M | STSAFE support
Application life cycle | OTP | TF-M | -
Secure manufacturing | RSS | STM32HSM-V1 | XCUBE-SFI
Software IP protection | RDP, MPU | TF-M | XCUBE-SFI
Silicon device life cycle | RDP, WRP, HDP | - | CubeProgrammer
Secure install / update | TrustZone®, HDP, MPU, UBE, RDP | X-CUBE-SBSFU, TFM_SBSFU Boot | CubeProgrammer
Secure storage | TrustZone®, AES Key, OTFDEC, HDP | TF-M | -
Isolation | MPU, HDP, TrustZone® | TF-M | -
Abnormal situation handling | Tamper, RTC, GPIO lock, CSS, ECC, Temp. sensor, PVD, WD, BR | - | -
Secure boot | TrustZone®, RDP, WRP, MPU, UBE, HDP | X-CUBE-SBSFU, TFM_SBSFU Boot | CubeProgrammer
Crypto engine | TRNG, HASH, OTFDEC, AES, PKA(1) | X-CUBE-CRYPTOLIB, TF-M | -
Audit / Log | GTZC | TF-M | -
Note: Certificate includes physical protections.

High performance products with security functions
STM32Fx: STM32F3, STM32F4, STM32F7
STM32Trust Security Functions | Security Features: Hardware | Software | Services
Identification / Authentication / Attestation | Unique ID | - | -
Application life cycle | - | - | -
Secure manufacturing | - | -
Software IP protection | - | -
Silicon device life cycle | - | - | -
Secure install / update | - | - | -
Secure storage | - | - | -
Isolation | - | - | -
Abnormal situation handling | - | - | -
Secure boot | - | - | -
Crypto engine | - | - | -
Audit / Log | - | - | -

High performance products with security functions
STM32Fx: STM32F3, STM32F4, STM32F7
STM32Trust Security Functions | Security Features: Hardware | Software | Services
Identification / Authentication / Attestation | Unique ID | - | STSAFE support
Application life cycle | OTP | - | -
Secure manufacturing | - | -
Software IP protection | RDP, MPU, PCROP | -
Silicon device life cycle | WRP, RDP, PCROP | - | CubeProgrammer
Secure install / update | HDP, WRP, RDP, UBE | X-CUBE-SBSFU | CubeProgrammer (digest, signature)
Secure storage | HDP, OTFDEC | - | -
Isolation | MPU, PCROP | - | -
Abnormal situation handling | Tamper, RTC, GPIO locking, ECC, CSS, Temp. sensor, watchdogs, PVD | - | -
Secure boot | RDP, WRP, MPU | X-CUBE-SBSFU | CubeProgrammer (digest, signature)
Crypto engine | AES, HASH, TRNG | X-CUBE-CRYPTOLIB, PCL(1) | -
Audit / Log | - | - | -
Notes: (1) side channel; PCL: Protected Crypto Library



High performance products with security functions
STM32Fx: STM32F3, STM32F4, STM32F7
STM32Trust Security Functions | Security Features: Hardware | Software | Services
Identification / Authentication / Attestation | Unique ID | - | STSAFE support
Application life cycle | OTP | - | -
Secure manufacturing | - | - | -
Software IP protection | RDP, MPU | -
Silicon device life cycle | WRP, RDP | - | CubeProgrammer
Secure install / update | HDP, WRP, RDP, UBE | X-CUBE-SBSFU | CubeProgrammer (digest, signature)
Secure storage | HDP, OTFDEC | - | -
Isolation | MPU | - | -
Abnormal situation handling | Tamper, RTC, GPIO locking, ECC, CSS, Temp. sensor, Watchdogs, PVD | - | -
Secure boot | RDP, WRP, MPU | X-CUBE-SBSFU | CubeProgrammer (digest, signature)
Crypto engine | AES, HASH, TRNG | X-CUBE-CRYPTOLIB, PCL(1) | -
Audit / Log | - | - | -
Notes: (1) side channel; PCL: Protected Crypto Library



High performance products with security functions
STM32Hx: STM32H5, STM32H7
STM32Trust Security Functions | Security Features: Hardware | Software | Services
Identification / Authentication / Attestation | DHUK, X509 certificates, Device certificate, EAT (Secure Manager / TF-M) | STSAFE support
Application life cycle | OTP | Secure Manager, TF-M
Secure manufacturing | iRoT (RSS) | SFI, SSFI (SM) | XCUBE-SFI
Software IP protection | Product states, HDPL, MPU, WRP, TZ | Secure Manager, TF-M | XCUBE-SFI
Silicon device life cycle | Product states, HDPL, WRP | - | CubeProgrammer
Secure install / update | TrustZone®, UBE, Bootlock, STiRoT, HDPL, WRP, Product State | uRoT/MCUBoot | CubeProgrammer
Secure storage | HDPL, OTFDEC, HUK, SAES, TrustZone® | ITS (SM/TF-M) | -
Isolation | HDPL, TZ, MPU, Product State | Secure Manager, TF-M | -
Abnormal situation handling | Tamper, RTC, GPIO lock, CSS, ECC, Temp. sensor, PVD, WD, BR | Tamper (SM) | -
Secure boot | TrustZone®, UBE, Bootlock, STiRoT, HDPL, WRP, Prod. State | iRoT/uRoT/MCUBoot | CubeProgrammer
Crypto engine | TRNG, Hash (SHA1/2), OTFDEC, SAES(1), AES, PKA(1) | Mbed™, NetxDuo, X-CUBE-CRYPTOLIB, Secure Manager, TF-M | -
Audit / Log | - | Secure Manager, TF-M | -
Note: Certificate includes physical protections.

High performance products with security functions
STM32Hx: STM32H5, STM32H7
STM32Trust Security Functions | Security Features: Hardware | Software | Services
Identification / Authentication / Attestation | Unique ID, device certificate | - | STSAFE support
Application life cycle | OTP | - | -
Secure manufacturing | RSS | SFI | XCUBE-SFI, FastROM
Software IP protection | RDP, MPU, PCROP | SFI | XCUBE-SFI
Silicon device life cycle | HDP, WRP, RDP, PCROP | - | CubeProgrammer
Secure install / update | HDP, WRP, RDP, UBE | X-CUBE-SBSFU | CubeProgrammer (digest, signature)
Secure storage | HDP, OTFDEC | - | -
Isolation | MPU, HDP, PCROP | - | -
Abnormal situation handling | Tamper, RTC, GPIO lock, CSS, ECC, Temp. sensor, PVD, WD, BR | - | -
Secure boot | HDP, WRP, RDP, UBE | X-CUBE-SBSFU | CubeProgrammer (digest, signature)
Crypto engine | HASH (SHA1, MD5), AES, DES/TDES, OTFDEC, TRNG | X-CUBE-CRYPTOLIB, PCL(1) | -
Audit / Log | - | - | -
Notes: (1) side channel; PCL: Protected Crypto Library



Wireless products with security functions
STM32Wx: STM32WB, STM32WBA, STM32WL5
STM32Trust Security Functions | Security Features: Hardware | Software | Services
Identification / Authentication / Attestation | Unique ID, Certificate | - | -
Application life cycle | OTP | - | -
Secure manufacturing | - | - | -
Software IP protection | RDP, MPU | - | -
Silicon device life cycle | RDP, WRP | - | CubeProgrammer
Secure install / update | RDP, MPU, FUS on CM0 | X-CUBE-SBSFU on Cortex® M4 | CubeProgrammer
Secure storage | CKS | - | -
Isolation | MPU | - | -
Abnormal situation handling | Tamper, RTC, GPIO lock, CSS, ECC, Temp. sensor, PVD, WD, BR | - | -
Secure boot | RDP, WRP, MPU, FUS on CM0 | X-CUBE-SBSFU on Cortex® M4 | CubeProgrammer
Crypto engine | AES, HASH, PKA, TRNG | X-CUBE-CRYPTOLIB | -
Audit / Log | - | - | -

Wireless products with security functions
STM32Wx: STM32WB, STM32WBA, STM32WL5
STM32Trust Security Functions | Security Features: Hardware | Software | Services
Identification / Authentication / Attestation | Unique ID, Certificate | TF-M | -
Application life cycle | OTP | -
Secure manufacturing | RSS | Secure Firmware install | -
Software IP protection | RDP, Firewall, PCROP, MPU | TF-M | -
Silicon device life cycle | RDP, WRP, HDP | - | CubeProgrammer
Secure install / update | RDP, MPU, TrustZone® | TF-M_SBSFU Boot | CubeProgrammer
Secure storage | AES Key storage, HDP | TF-M | -
Isolation | Firewall, MPU, PCROP | TF-M | -
Abnormal situation handling | Tamper, RTC, GPIO lock, CSS, ECC, Temp. sensor, PVD, WD, BR | -
Secure boot | TrustZone®, Bootlock, RDP, WRP, MPU, HDP | TF-M_SBSFU Boot | CubeProgrammer
Crypto engine | AES, HASH, PKA, TRNG | X-CUBE-CRYPTOLIB | -
Audit / Log | GTZC (global TrustZone® controller) | TF-M | -
Note: Certificate includes physical protections.

Wireless products with security functions
STM32Wx: STM32WB, STM32WBA, STM32WL5
STM32Trust Security Functions | Security Features: Hardware | Software | Services
Identification / Authentication / Attestation | Unique ID, Certificate | - | -
Application life cycle | OTP | -
Secure manufacturing | RSS | Secure Firmware install | -
Software IP protection | RDP, PCROP, MPU | - | -
Silicon device life cycle | RDP, WRP | - | CubeProgrammer
Secure install / update | RDP, MPU | X-CUBE-SBSFU | CubeProgrammer
Secure storage | AES Key storage | - | -
Isolation | MPU, PCROP | - | -
Abnormal situation handling | Tamper, RTC, GPIO lock, CSS, ECC, Temp. sensor, PVD, WD, BR | -
Secure boot | Bootlock, RDP, WRP, MPU | X-CUBE-SBSFU | CubeProgrammer
Crypto engine | AES, HASH, PKA, TRNG | X-CUBE-CRYPTOLIB | -
Audit / Log | - | - | -

MPU products with security functions
STM32MPx: STM32MP157, STM32MP135
STM32Trust Security Functions | Security Features: Hardware | Software | Services
Identification / Authentication / Attestation | Unique ID | TF-M, TF-A, OP-TEE | STSAFE support
Application life cycle | OTP, RDP | -
Secure manufacturing | SSP, HSM | SSP, secure boot ROM | SSP, STM32Trusted package creator
Software IP protection | RDP, MPU | - | -
Silicon device life cycle | RDP, WRP | - | CubeProgrammer
Secure install / update | FSBL, MPU | X-CUBE-SBSFU | CubeProgrammer
Secure storage | AES, DES, TRNG | - | -
Isolation | MPU, TrustZone® | OP-TEE | -
Abnormal situation handling | RDP, Tamper, RTC, GPIO, CSS, ECC, Temp. sensor, PVD | - | -
Secure boot | RDP, MPU | X-CUBE-SBSFU | CubeProgrammer
Crypto engine | AES, HASH, PKA, TRNG | X-CUBE-CRYPTOLIB | -
Audit / Log | RTC, Tamper | TF-M | -
Note: Certificate includes physical protections.

Enhancing STM32 security assurance
levels with STSECURE
The building blocks of security
MCU / MPU with
Crypto engine Computer firmware MCU + Secure element
embedded security

• Basic crypto services • Pure software countermeasures Broad MCU portfolio Trusted components
embedded in dedicated ICs against remote software attacks • Tamper resistance (Hardware & SoC)
• Countermeasures against remote
mainly
software and board level attacks • Common Criteria, GSMA, TCG certifications
• Self-evaluated solution • Proven against all attacks (remote software,
• STM32Trust Security framework
board level and silicon level attacks)
• Arm® TrustZone®
• SESIP & PSA certifications Life cycle Security Centric devices
• Secure programming services • Secure development methodology
• Secure personalization & key provisioning
• Secure supply chain
• Certified Common Criteria sites

Main STM32 MCU / MPU Secure


companion chip

52
Where to find help
Documentation and useful links

• STM32Trust webpage

• STM32TrustTEE-SM webpage

• Wiki security

• Online trainings

• ST Community specific tags

54
Get support from ST authorized partners

Security expertise - Reduce your project time and cost

Security Hardware &


Manufacture Certification Useful life
requirements software design

Development Tools
Embedded software
Consultancy
Engineering services Evaluations Cloud solutions
Training Personalization
Hardware modules Assessment Device management
Technology Programming
Secure element & Consulting PKI life cycle
TPM solutions
Middleware / OS

55
Abbreviation glossary and definitions
Glossary: Benefit and explanation

AES Key storage: Write-only key registers in AES engine.
Antitamper / active tamper / backup registers: Protect against a wide range of physical attacks on a hardware system outside the MCU. Erases backup registers information when tamper is detected.
BSEC & boot ROM: Device life cycle managed through OTP and BSEC.
Certificate (unique per chip): Enables authentication of a genuine STM32.
CSS (clock security system): Internal clock available for secured program execution independently from external source clock.
Device 96-bit unique ID: Enables product traceability. Can be used for security key diversification.
DPA Resistant Crypto Library* (FIPS-140): DPA resistant version of Cryptographic library. Available on specific part numbers after on-demand adaptation.
ECC (error correction code): Robust memory integrity. Hardened protection against fault injection attacks thanks to error detection.
FastROM Programming services: Pre-loading of customer software in STM32 done by ST manufacturing.
Firewall: Simple isolation in two domains for RAM and flash. Allows software IP to be protected.
GPIO locking: Lock of selected GPIO. Impossible to unlock until next reset. Ability to lock communication channels after tamper detection.
GTZC (global TrustZone® controller): Illegal access tracking and internal log/action.
HASH: Hash algorithms implemented by hardware, like SHA.
HDP (hide protect): Temporal isolation ensuring secure boot is not seen after first execution.

MMU (memory management unit): Ensures privileged access to some portion of application–task isolations.
OP-TEE (Part of OpenSTLinux): Trusted Execution Environment for STM32MP, featuring Secure storage service.
OP-TEE (Part of OpenSTLinux): Trusted Execution Environment for STM32MP, adding further software handling for application portions sandboxing.
OTFDEC (on the fly decryption): Decryption of encrypted image on external flash.
OTFDEC (on the fly decryption): Decryption of encrypted content stored on external flash.
OTP (one time programmable) memory: OTP zones where application credentials or life cycle states can be stored.
PCROP (proprietary code readout protection): Ability to set some flash sectors as execute-only, thus preventing other sectors from reading them.
PKA (public key accelerator): Asymmetric algorithms (public key), implemented by hardware, for RSA/ECC/DH.
PVD (power voltage monitoring): Monitors power changes.
RDP (Read protection): Prevents a debugger from reading the secure boot.
RNG (random number generator): True RNG done entirely by hardware.
RSS with SFI (root security services with secure firmware install): Built-in service callable at reset, ensuring installation of an OEM firmware and option bytes, with authenticity, integrity, confidentiality, assurance to program a genuine STM32, and possibly limited overall quantity of programmed STM32.
RTC (alarm timestamp): Timestamp on tamper events, or internal events.

Secure boot ROM code: Root of trust for loading first bootloader on STM32MP.
Secure boot with SSP (secure secret provisioning): Built-in service callable at reset, ensuring secure provisioning of OEM credentials. Controllability of overall quantity of STM32MP1 provisioned.
Secure FSBL (First Stage bootloader): Secure bootloader, loaded and authenticated by secure boot ROM code.
SSP (secure secret provisioning): Secure provisioning of OTP secret values.
STM32CubeProgrammer: Software tool able to control the RDP cycle.
Symmetric hardware crypto accelerators: Implements a given algorithm by hardware implementation, like AES for instance.
Temperature sensor: Checks if the device is operating in the expected temperature range. Hardened protection against temperature attacks.
TF-A (part of OpenSTLinux): First-stage secure bootloader configuring STM32MP platform.
TFM_SBSFU boot (part of STM32CubeL5): Example code implementing both a secure boot and a secure firmware update mechanism.
TrustZone®: Runtime isolation technology allowing 2 distinct worlds, secure and nonsecure. It is a complete set of hardware mechanisms to isolate two main security application domains: one trusted (ensuring secure storage) and one nontrusted.
TZC (TrustZone® controller): Ability to isolate Cortex-A cores from Cortex-M one.
UBE (unique boot entry): Ensures the silicon always boots at the secure boot location.
Watchdogs: Independent watchdog and window watchdog for software timing control.
WRP (write protection): Prevents an application from altering the secure boot firmware.
X-CUBE-CRYPTOLIB: This ECCN 5D002-classified software is based on STM32Cube architecture package and includes a set of crypto algorithms based on firmware implementation (symmetric, asymmetric, hash…).
X-CUBE-SBSFU: Code example implementing both a secure boot and a secure firmware update mechanism.

Find out more at www.st.com/stm32trust

© STMicroelectronics - All rights reserved.


ST logo is a trademark or a registered trademark of STMicroelectronics International NV or its affiliates in the EU and/or other countries.
For additional information about ST trademarks, please refer to www.st.com/trademarks.
All other product or service names are the property of their respective owners.
