We are launching today STM32Trust, a new initiative that focuses on all the software and hardware solutions we bring to improve the security of our devices. Because information security, or InfoSec, is such a vast domain, we wanted to design a unique program that would more easily help engineers benefit from all the ST tools at their disposal. Security is a recurring topic on this blog because as IoT gets the unfortunate nickname of “Internet of Threats,” finding the right solution and using the proper tool may not be obvious. Additionally, taking advantage of all the features that a system offers is not always evident, and as the need arises to obtain an increasing number of certifications, developers have a harder time implementing vital protections.
STM32Trust is an energetic program that will grow with more packages and products over time, thus serving as an excellent hub for engineers looking to learn more and stay up to date. To celebrate the launch of this program, we’re announcing a new update to our X-CUBE-SBSFU. The 2.2.0 version now supports the STM32WB, our first wireless microcontroller with an embedded Bluetooth LE 5.0 and 802.15.4 stack, and the new STM32H7 that houses our first dual-core architecture for MCU. X-CUBE-SBSFU is an expansion package that enables developers to implement a secure boot and offer a secure firmware update system. It is one of the prominent pillars of STM32Trust alongside our Secure Firmware Installation (SFI) process which enables the upload of encrypted firmware into the microcontroller. Let’s, therefore, delve into these two offerings and see what they bring to STM32Trust.
X-CUBE-SBSFU: Bringing Secure Boot and Secure Firmware Update to STM32Trust
Secure Boot is a program that runs at startup or reset to verify the integrity of the boot files by checking their size or signature, among other things. It protects the system from attacks that want to compromise the firmware during the boot sequence. On the other hand, a secure firmware update shields users from attacks that try to modify the existing system remotely. When a server sends the partial or complete encrypted firmware image that serves as an update, the embedded system transmits it via UART to the MCU, and the system checks its authenticity, then decrypts it and installs it. Moreover, the code from X-CUBE-SBSFU that runs on our STM32L4 received a PSA Level 1 certification. Developers will thus be able to receive the same certification much more quickly, shortening their time to market.
A package like X-CUBE-SBSFU often has multiple purposes. As seen above, it can serve as a tool to implement powerful mechanisms that will secure the boot and firmware update processes. Because we make our source code available, the solution also serves as an object lesson to developers looking to implement some of these features. Furthermore, although our libraries can generate 60 KB binaries approximately, which can be a bit large for some small embedded systems, they can customize the source code to trim it and only use the relevant functions, thus testifying to the flexibility of our solution. Finally, the package helps developers take advantage of our other STM32Trust tools. For instance, it uses our X-CUBE-CRYPTOLIB library to optimize cryptographic operations, and version 2.2.0 supports STSAFE-A100, a tamper-resistant secure element that stores various keys and certificates.
SFI: Bringing Secure Firmware Install to STM32Trust
Secure Firmware Install is a mechanism that protects a customer’s binary from malicious intentions. Very often, companies must rely on a third party to assemble their final product. However, it can often cause a great deal of anxiety and uncertainty. A rogue employee on the assembly line or hackers targeting the OEM’s servers could easily steal the firmware, and the fallout from the IP theft could be catastrophic. A secure-firmware-install protects against it by encrypting the firmware before shipping it to the assembly line and decrypting it only inside the MCU. Any stolen firmware is thus useless, and companies can even use this technique to keep track of the number of installations. As a result, if hackers manage to grab some MCUs before they leave the assembly line, the customer will know it right away and will be able to take actions.
Developers encrypt their firmware with the Trusted Package Creator tool available within our STM32CubeProgrammer utility and place their firmware secure credentials in a hardware module that takes the form of a smart card. They can then ship the encrypted binary and smart card to the OEM. The assembly line will upload the firmware and keys over UART, I<sup>2</sup>C, USB, or JTAG by also using STM32CubeProgrammer. The smart card contains a complex system that authenticates the MCU and gets a unique key from that component before sending the firmware secure credentials necessary to decrypt the binary into the MCU and generate an individual license for each STM32 component. This license enables the upload system to keep track of the precise number of installs, allowing companies to quickly see if the firmware is on components that are now missing.
