To make secure firmware installations (SFI) truly ubiquitous in production environments, SEGGER, an ST Authorized Partner, is launching STM32-SFI Flasher Commander. The free command line interface (CLI) talks to the SEGGER Flasher PRO, PRO XL, and Compact probes to make SFI possible. Put simply, the CLI receives encrypted firmware and sends it to the SEGGER probes responsible for flashing it. They then transfer the image, which will be decrypted inside the STM32 microcontroller. Since there are already many SEGGER Flasher probes in numerous production environments and the new Flasher Commander is free, a whole lot of assembly lines just became SFI-capable without any additional investments.
Table of Contents
The survival of the securest
2023: A security odyssey
2023 was a critical year for ST when it comes to security. We released Secure Manager, an STM32Trust turnkey solution that implements major features at the system level to facilitate developments on the STM32H5. Our latest MCU series offers the latest safeguards, such as an immutable root of trust (iRoT) and an updatable root of trust (uRoT). The STM32H5 security features provide greater flexibility and ensure that devices are immune to more attacks while simplifying developments. As the EU Cyber Resilience Act and the IoT Cybersecurity Improvement Act in the USA require new safeguards to protect users, security in IoT is no longer a luxury but a necessity.
Production wide shut
While ST works on microcontrollers and development tools, we don’t operate the production facilities that our customers use to manufacture their products. Hence, while we create secure solutions, our partners must find ways to implement them on assembly lines. The challenge is that infrastructures vary widely in scale and processes. There are also regional considerations to take into account and existing installations. Realistically, ST can’t ask a manufacturer to invest in massive equipment that will only work with our devices simply to support SFI. As of today, some partners have adopted our solutions, but we also know that some don’t wish to invest the time or money to support the security feature.
The lack of support for Secure Firmware Installation is challenging for developers because many rely upon our SFI to protect their IPs and products. In essence, SFI is a mechanism that encrypts firmware and decrypts it inside an STM32 microcontroller so no one can steal proprietary code or remove a device from the assembly line without anyone noticing it. Developers encrypt their code using an ST hardware secure module (STM32HSM), thus making it unreadable. They also define where to install the image and on how many devices. Then, once on the production line, a system loads the encrypted firmware. The STM32 MCU checks that it is supposed to receive that firmware and gets the decryption key from the STM32HSM.
Simply put, the STM32’s SFI offers end-to-end encryption, preventing anyone from accessing a clear version of the firmware. To ensure the transmission of the protected firmware to the production line, engineers must use a tool to send the encrypted code to the system flashing the ST device. Developers can use ST tools in a prototyping environment, such as STLINK-V3. The challenge is that our probes and systems are not designed for production facilities that must run uninterrupted and deal with large volumes. This is why we have members of the ST Partner Program who created tools meant for production environments. However, until now, there was a missing link preventing the use of STM32 SFI on SEGGER probes.
Instead of leaving customers to their own devices, ST worked with its Partner Program to offer solutions to bridge the gap between the lab and the production line and work with a non-ST probe. That’s how the STM32-SFI Flasher Commander was born. In a nutshell, SEGGER ported our Root Secure Services extension (RSSe) library into their ecosystem, among other things. The RSSe matches the flasher with the target STM32 MCU to upload the proper bootloader, enabling the device to decrypt the firmware internally. The CLI also has SFI validation tools and other mechanisms that developers know from STM32CubeProgrammer but that now work with SEGGER’s Flasher probes.
Save (the) Bill
All production lines currently using Flasher probes now support the secure installation of encrypted firmware onto compatible STM32s. And since SEGGER is present on numerous sites worldwide, it made the ST technology ubiquitous. Additionally, to make STM32 SFI even more accessible, SEGGER is offering a little demo firmware to showcase how developers can test the technology during prototyping. The company even provides a caching feature so engineers can reuse the same license on the same device during testing instead of burning through multiple licenses and then buying new ones. They are also inaugurating the ability to connect multiple Flasher probes onto one computer and run STM32-SFI Flasher Commander in parallel.
Once upon a time in Productronica
SEGGER will present its new STM32-SFI Flasher Commander at the Productronica conference in Germany from November 14 to 17 (Booth A1.174). Attendees will thus have the opportunity to see it in action and ask questions. With the launch of STM32-SFI Flasher Commander, the ST Authorized Partner now supports our latest STM32 SFI, opening the door to far greater adoption of a critical security solution like SFI everywhere.