Is it possible to transform security on embedded systems from a burden to a blessing? It’s the question ST is trying to answer with STM32Trust, an initiative that focuses on all the software and hardware solutions we bring to improve the security of our devices. Information security, or InfoSec, can be a burden because it is such a vast domain. Hence, helping engineers means making ST tools more accessible. Indeed, taking full advantage of the security features a system offers is not always straightforward. Moreover, the need to acquire stringent certifications can increase costs and delay product launches. Developers thus need solutions to implement vital protections faster.
How It Started and How It’s Going
STM32Trust is a program that keeps growing as ST releases more software tools and products over time. Started in 2019, the initiative also helps educate developers to ensure their knowledge is up to date. As a result, ST holds training sessions, publishes papers, writes documentation, and works with partners to help teams obtain certifications. In other words, exhaustively explaining all the aspects of STM32Trust in one blog post would be futile, which is why The ST Blog decided to focus on a few core solutions to help readers better visualize how they can implement security in their system.
One of the core solutions in STM32Trust is X-CUBE-SBSFU (Secure Boot and Secure Firmware Update). Put simply, the software expansion package enables developers to implement a secure boot and offers a secure firmware update system. It is one of the prominent pillars of STM32Trust alongside our Secure Firmware Installation (SFI) process. The latter enables the upload of encrypted firmware into the microcontroller to protect against IP theft, among other things. And while SBSFU and SFI were predominant when ST launched STM32Trust, we have since added new solutions to our portfolio. For instance, Trusted Firmware-M (TF-M) helps implement a secure environment on our STM32L5 microcontrollers. Similarly, Trusted Firmware-A (TF-A) works on Cortex-A devices, such as the STM32MP1. Let us, therefore, delve into these offerings and see what they bring to STM32Trust.
STM32Trust and X-CUBE-SBSFU: Fashioning Secure Boot and Secure Firmware Update
Protecting Users From Start to Finish
Secure Boot is a program that runs at startup or reset and verifies the integrity of the boot images by checking their size or signature to detect whether anything changed. It thus protects the system from attacks that try to compromise the firmware during the boot sequence. Another type of protection is a secure firmware update. This method shields users from attacks that modify the existing system remotely. Indeed, when a server sends a partial or complete encrypted firmware image update, the embedded system transmits it via UART to the MCU, the system checks its authenticity, and only then decrypts the image before installing it.
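The verify-before-decrypt ordering described above, as an added example that is not ST's X-CUBE-SBSFU code: the image carries a constructed header (magic, version, payload length) and an HMAC-SHA256 tag, and the bootloader checks size, tag and anti-rollback version before touching the ciphertext. The HMAC-based keystream is a stand-in for the AES that a real bootloader would take from a library such as X-CUBE-CRYPTOLIB; the keys and image layout are assumptions for the demo.

```python
import hmac
import hashlib
import struct

MAGIC = b"SFU1"
HDR = struct.Struct("<4sII")           # magic, version, payload length (constructed layout)
AUTH_KEY = b"constructed-auth-key"     # in a real device: protected flash or a secure element
ENC_KEY = b"constructed-enc-key"
TAG_LEN = 32

def _keystream(key, nonce, length):
    # Counter-mode keystream built from HMAC-SHA256: a demo stand-in for AES-CTR.
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack("<I", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:length]

def build_image(version, firmware):
    # Server side: encrypt, then authenticate header + ciphertext (Encrypt-then-MAC).
    # The header is unique per release (version), so it doubles as the nonce here.
    header = HDR.pack(MAGIC, version, len(firmware))
    ct = bytes(a ^ b for a, b in zip(firmware, _keystream(ENC_KEY, header, len(firmware))))
    tag = hmac.new(AUTH_KEY, header + ct, hashlib.sha256).digest()
    return header + ct + tag

def verify_and_decrypt(image, installed_version):
    # Bootloader side: returns (version, plaintext) or raises ValueError.
    # Nothing is decrypted until size, tag and anti-rollback version have passed.
    if len(image) < HDR.size + TAG_LEN:
        raise ValueError("image too short")
    header, body, tag = image[:HDR.size], image[HDR.size:-TAG_LEN], image[-TAG_LEN:]
    magic, version, length = HDR.unpack(header)
    if magic != MAGIC or length != len(body):
        raise ValueError("bad header or size mismatch")
    expected = hmac.new(AUTH_KEY, header + body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):     # constant-time comparison
        raise ValueError("authentication failed")
    if version <= installed_version:
        raise ValueError("rollback rejected")
    pt = bytes(a ^ b for a, b in zip(body, _keystream(ENC_KEY, header, length)))
    return version, pt

def try_update(image, installed_version):
    # Convenience wrapper: (True, new_version) on success, (False, reason) on rejection.
    try:
        version, _ = verify_and_decrypt(image, installed_version)
        return True, version
    except ValueError as err:
        return False, str(err)
```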
A Much Easier Implementation
A package like X-CUBE-SBSFU allows developers to implement these features more easily. For instance, the code from X-CUBE-SBSFU that runs on our STM32L4 received a PSA Level 1 certification. Engineers can thus use it to receive the same accreditation much more quickly. Moreover, ST continues to make its source code available. As a result, developers can learn from our implementation and optimize their applications. For example, our libraries can generate binaries of approximately 60 KB, which can be a bit large for some small embedded systems. However, optimization lets developers trim the code down to the functions they actually need so it fits their MCU.
X-CUBE-SBSFU also serves other purposes as it helps teams take advantage of various STM32Trust tools. For instance, it uses our X-CUBE-CRYPTOLIB library to optimize cryptographic operations. ST recently overhauled the software package to offer a modular approach and certified code. Moreover, X-CUBE-CRYPTOLIB now segregates libraries according to the MCU to be more intuitive. X-CUBE-SBSFU also added support for the STSAFE-A110, the tamper-resistant secure element found on the STEVAL-STWINKT1B, which stores keys and certificates.
STM32Trust and TF-M or TF-A: Creating Trusted Environments
Security Through Encryption, Verification, and Isolation
Both TF-M and TF-A are reference implementations of a Trusted Execution Environment (TEE). The former works on specific Cortex-M cores, while the latter is for Cortex-A devices. As the name implies, the point is to create trust by isolating and securing various aspects of the system. For instance, TF-M and TF-A leverage secure storage and cryptographic operations to secure the boot and update processes. Hence, they offer a way to guarantee the integrity of the Secure Boot mechanism and the firmware. They also sandbox runtimes to prevent an issue from affecting the whole system, and they enable services such as key storage, attestation, and secure cryptography.
Building Trust on Cortex-M and Cortex-A Devices
Developers looking to use TF-M on a compatible STM32 microcontroller will find what they need in its software package. For instance, implementing TF-M on an STM32L5 starts with STM32CubeL5. The package has a reference implementation for significant features like secure boot, secure storage, secure isolation, and more. As a result, teams can create a mechanism similar to SFU but with standard isolation schemes. We will also continue to improve our reference implementation over time to take advantage of more features. As for TF-A, since things are obviously different for an MPU, ST created a Wiki to guide engineers. It walks users through the major notions and software tools to rapidly implement a reference environment. Developers can also use OP-TEE, an Open Portable Trusted Execution Environment that serves as a companion solution for non-secure Linux kernels.
STM32Trust and SFI: Bringing Secure Firmware Install
Protecting Intellectual Property and Preventing Theft
Secure Firmware Install is a mechanism that protects a customer’s binary from malicious activities. Very often, companies must rely on a third party to assemble their final product. The problem is that it can cause a great deal of anxiety and uncertainty. A rogue employee on the assembly line, or hackers, could steal the firmware, leading to catastrophic consequences. A secure firmware install protects against this by encrypting the firmware before shipping it to the OEM. Since decryption happens only once the code is inside the MCU, the IP remains safe, and any stolen firmware is useless. Additionally, companies can even use this technique to track the number of firmware installations and thus monitor any product theft.
A Smart Card and STM32CubeProgrammer
SFI relies primarily on two tools. Developers encrypt their firmware with the Trusted Package Creator utility available within the STM32CubeProgrammer software and place their private keys and certificates in a secure hardware module that takes the form of a smart card.
Teams then ship the encrypted binary and smart card to the EMS. Assembly lines upload the firmware and keys over UART, I²C, USB, or JTAG via STM32CubeProgrammer. The smart card then validates everything by authenticating the MCU and getting its unique key. The card also sends a private key to decrypt the binary and generates an individual license for each product. The license enables the upload system to track the precise number of installs. Finally, ST recently released a new version of its smart card that allows companies to define their target device. Previously, the model of the MCU was set up in advance. With the new version, companies load the target device themselves, which makes the system more flexible.