3. System security

The device is designed with a comprehensive set of security features, some of which are based on the standard Arm TrustZone® technology (a) .

These features simplify the process of evaluating IoT devices against security standards. They also significantly reduce the cost and complexity of software development for OEM and third-party developers, by facilitating the reuse, improving the interoperability, and minimizing the API fragmentation.

This section explains the different security features available on the device.

3.1 Key security features

a. Available only on STM32WBA52/4/5x devices.

3.2 Secure firmware install (a)

The secure firmware install (SFI) is an immutable secure service embedded in the devices. The SFI allows secure and counted installation of OEM firmware in an untrusted production environment (such as OEM contract manufacturer).

The confidentiality of the installed images written in the internal flash memory is protected using the AES.

The SFI native service leverages the following hardware security features:

Further information can be found in AN4992 STM32 MCUs secure firmware install (SFI) overview , available on www.st.com .

3.3 Secure boot (a)

Secure boot, whose specifically designed features are described in this section, is an immutable code that is always executed after a system reset. As a root of trust, this code checks the device static protections and activates available device runtime protections, reducing the risk that invalid or malicious code runs on the platform. As root of trust, the secure boot also checks the integrity and authenticity of the next level firmware before executing it.

The actual functions of the secure boot depend on the availability of TrustZone features, and on the firmware stored in the device. However, the secure boot typically initializes the secure storage.

The device Trusted Firmware-M (TFM) application, supported by the STM32 ecosystem, provides a root of trust solution including secure boot functions.

In the devices, the secure boot benefits of hardware security features such as:

a. Available only on STM32WBA52/4/5x devices.

3.3.1 Unique boot entry and BOOT_LOCK

When TrustZone is activated (TZEN = 1) and BOOT_LOCK secure option bit is cleared, the application selects a boot entry point located either in the system flash memory (see Section 3.3.2 ), or in the secure user flash memory, at the address defined by SECBOOTADD0 option bytes.

When TrustZone is activated (TZEN = 1) and BOOT_LOCK secure option bit is set, the device unique boot entry is the unmodifiable secure address defined by SECBOOTADD0 option bytes. All these option bytes cannot be modified by the application anymore when BOOT_LOCK is set.

Note: As long as it is cleared, the BOOT_LOCK option bit can be set without any constraint. But once set, the BOOT_LOCK option bit cannot be cleared when RDP level > 0.

For more information on the boot mechanisms, refer to Section 4: Boot modes .

3.3.2 Immutable root of trust in system flash memory

The immutable root of trust code stored in the system flash memory is first used to perform SFI, allowing secure and counted installation of OEM firmware in untrusted production environment (such as OEM contract manufacturer).

The STMicroelectronics immutable code also includes secure runtime services that can be called at runtime, when a secure application sets the SYSCFG_RSSCMDR register to a non-null value, before triggering a system reset. This runtime feature is deactivated when the BOOT_LOCK secure option bit is set.

3.4 Secure firmware update (a)

The secure firmware update is a secure service that runs after a secure boot. Its actual functions depend on the availability of the TrustZone features and on the firmware stored in the device.

The device Trusted Firmware-M (TFM) application, supported by the STM32 ecosystem, allows the update of the microcontroller built-in program with new firmware versions, adding new features and correcting potential issues. The update process is performed in a secure way to prevent unauthorized updates and access to confidential on-device data.

A firmware update can be done either on a single firmware image including both secure and nonsecure parts, or on the secure (respectively nonsecure) part of the firmware image, independently.

In the devices, the secure update application leverages the same hardware security as the firmware install described in Section 3.2 .

3.5 Resource isolation using TrustZone (a)

In the devices, the hardware and software resources can be partitioned so that they exist either in the secure world or in the nonsecure world, as shown in Figure 3 .

a. Available only on STM32WBA52/4/5x devices.

Figure 3. Secure/nonsecure partitioning using TrustZone technology

Diagram illustrating secure/nonsecure partitioning using TrustZone technology. The diagram shows two worlds: Nonsecure world and Secure world. The Nonsecure world contains Applications and Privileged system services. The Secure world contains Application RoT and Root of trust services. Both worlds share Peripherals and I/Os, Memory (internal, external), and CPU time. The Secure world is initialized by an 'Init' signal. A legend indicates that white boxes represent the Nonsecure world and hatched boxes represent the Secure world.

The diagram illustrates the secure/nonsecure partitioning using TrustZone technology. It is divided into two main columns: the Nonsecure world (left) and the Secure world (right). At the top, an 'Init' signal points to the Secure world. The Nonsecure world contains 'Applications' and 'Privileged system services'. The Secure world contains 'Application RoT' and 'Root of trust services'. Both worlds share a common layer of 'Peripherals and I/Os', 'Memory (internal, external)', and 'CPU time'. A legend at the bottom left shows a white box for 'Nonsecure world' and a hatched box for 'Secure world'. The diagram is labeled 'MSV64438V1' in the bottom right corner.

Diagram illustrating secure/nonsecure partitioning using TrustZone technology. The diagram shows two worlds: Nonsecure world and Secure world. The Nonsecure world contains Applications and Privileged system services. The Secure world contains Application RoT and Root of trust services. Both worlds share Peripherals and I/Os, Memory (internal, external), and CPU time. The Secure world is initialized by an 'Init' signal. A legend indicates that white boxes represent the Nonsecure world and hatched boxes represent the Secure world.

Note: The initial partitioning of the platform is under the responsibility of the secure firmware executed after reset of the device.

Thanks to this resource isolation technology, the secure world can be used to protect critical code against intentional or unintentional tampering from the more exposed code running in the nonsecure world.

Note: The secure code is typically small and rarely modified, while nonsecure code is more exposed, and prone to firmware updates.

3.5.1 TrustZone security architecture

The Armv8-M TrustZone technology is a comprehensive hardware architecture that proposes to developers a comprehensive, holistic protection across the entire processor and system. The device TrustZone hardware features include:

Note: The TrustZone security is activated by the TZEN option bit in the FLASH_OPTR register.

3.5.2 Armv8-M security extension of Cortex-M33

The Arm security extension of the Cortex-M33 is an evolution, not a revolution. It uses the programmer model from earlier Cortex-M subfamilies like Cortex-M4. Indeed, Armv8-M is architecturally similar to Armv7-M, using the same 32-bit architecture, the same memory mapped resources protected with an MPU. Armv8-M also uses the nested vectored interrupt controller (NVIC).

The Armv8-M TrustZone implementation is composed of the following features:

For more information, refer to Cortex-M33 programming manual (PM0264).

3.5.3 Memory and peripheral allocation using IDAU/SAU

Security attributes

The Armv8-M nonsecure memory view (see Figure 4 ) is similar to Armv7-M (that can be found in Cortex-M4), with the difference that the secure memory is hidden. The secure memory view shows the flash memory, SRAM, and peripherals that are only accessible while the Cortex processor executes in Secure state.

Note: Figure 4 shows the 32-bit address space viewed by the secure code after the SAU configuration.

Figure 4. Sharing memory map between CPU in secure and nonsecure state

Figure 4: Sharing memory map between CPU in secure and nonsecure state. The diagram shows two memory views: Nonsecure and Secure. The Nonsecure view shows System region, System control and debug, External peripherals, External memories, Periph-NS, hidden (SRAM-NS), hidden (Flash-NS), and hidden (Flash-S). The Secure view shows hidden (MPU-NS*, SCB-NS*, SysTick-NS*), DEBUG, hidden (SAU), MPU-NS, MPU-S, SCB-NS, SCB-S, NVIC, SysTick-NS, SysTick-S, and ITM / DWT / FBP. A callout box details the Secure view components.
Nonsecure memory viewSecure memory viewNonsecure memory viewSecure memory view
0xFFFF FFFFSystem regionhiddenMPU-NS*
0xF000 0000System control and debugSCB-NS*
0xE000 0000External peripheralsSysTick-NS*
0xA000 0000External memoriesDEBUG
0x6000 0000Periph-NShiddenSAU
0x4000 0000hiddenMPU-NSMPU-S
0x2000 0000hiddenSCB-NSSCB-S
0x0000 0000hiddenNVIC
SysTick-NSSysTick-S
ITM / DWT / FBP

(*) Aliased addresses

MSv64440V1

Figure 4: Sharing memory map between CPU in secure and nonsecure state. The diagram shows two memory views: Nonsecure and Secure. The Nonsecure view shows System region, System control and debug, External peripherals, External memories, Periph-NS, hidden (SRAM-NS), hidden (Flash-NS), and hidden (Flash-S). The Secure view shows hidden (MPU-NS*, SCB-NS*, SysTick-NS*), DEBUG, hidden (SAU), MPU-NS, MPU-S, SCB-NS, SCB-S, NVIC, SysTick-NS, SysTick-S, and ITM / DWT / FBP. A callout box details the Secure view components.

Note: The devices have no support for external memories and external peripherals.

The Cortex processor state (and associated rights) depends on the security attribute assigned to the memory region where it is executed:

To manage transitions to the secure world, developers must create nonsecure callable (NSC) regions that contain valid entry points to the secure libraries. The first instruction in these entry points must be the new secure gate (SG) instruction, used by the nonsecure code to call a secure function (see Figure 5).

Figure 5. Secure world transition and memory partitioning

Diagram illustrating secure world transition and memory partitioning. It shows Nonsecure memory containing a Nonsecure application, and Secure memory containing a Nonsecure callable region with a Secure entry point and a Secure library. Arrows show the flow: call from Nonsecure application to Secure entry point, return from Secure entry point to Nonsecure application, call/branch from Secure entry point to Secure library, and return from Secure library to Nonsecure application.

The diagram illustrates the memory architecture and execution flow for secure world transitions. On the left, a box labeled 'Nonsecure memory' contains a 'Nonsecure application'. On the right, a box labeled 'Secure memory' contains a 'Nonsecure callable' region, which in turn contains a 'Secure entry point', and a 'Secure library'. Arrows indicate the flow of execution: a 'call' arrow from the 'Nonsecure application' to the 'Secure entry point', a 'return' arrow from the 'Secure entry point' back to the 'Nonsecure application', a 'call / branch' arrow from the 'Secure entry point' to the 'Secure library', and a 'return' arrow from the 'Secure library' back to the 'Nonsecure application'. The identifier 'MSV64441V1' is visible in the bottom right corner of the diagram.

Diagram illustrating secure world transition and memory partitioning. It shows Nonsecure memory containing a Nonsecure application, and Secure memory containing a Nonsecure callable region with a Secure entry point and a Secure library. Arrows show the flow: call from Nonsecure application to Secure entry point, return from Secure entry point to Nonsecure application, call/branch from Secure entry point to Secure library, and return from Secure library to Nonsecure application.

Programming security attributes

In Cortex-M33, the static implementation-defined attribution unit (IDAU) works with the programmable security attribution unit (SAU) to assign a specific security attribute (S, NS, or NSC) to a specific address, as shown in Table 6.

Table 6. Configuring security attributes with IDAU and SAU

IDAU security attributionSAU security attribution (1)Final security attribution
NonsecureSecureSecure
Secure-NSCSecure-NSC
NonsecureNonsecure
Secure-NSCSecureSecure
NonsecureSecure-NSC

1. Defined regions are aligned to 32-byte boundaries.

The SAU can be configured by the Cortex-M33 only in the secure-privileged state. When the TrustZone is enabled, the SAU defaults all addresses as secure (S). A secure boot application can then program the SAU to create NSC or NS regions, as shown in Table 6 .

Note: The SAU/IDAU settings are applicable only to the Cortex-M33. The other masters (like DMA) are not affected by these policies.

3.5.4 Memory and peripheral allocation using GTZC

Global TrustZone framework architecture

On top of the Armv8-M TrustZone security extension in Cortex-M33, the devices embed complementary security features that reinforce, in a flexible way, the isolation between the secure and the nonsecure worlds. Unlike the SAU/IDAU, the GTZC can protect legacy memories and peripherals against nonsecure transactions coming from other masters than the Cortex-M33.

Figure 6. Global TrustZone framework and TrustZone awareness

Diagram of Global TrustZone framework and TrustZone awareness architecture.

The diagram illustrates the Global TrustZone framework and TrustZone awareness within a device boundary. At the top, a CPU (containing SAU+IDAU and MPU) and a DMA are connected to a central pink-shaded area representing the Global TrustZone framework. To the right of this framework are Flash memory and SRAM. Below the framework is a horizontal blue bar representing the Global TrustZone framework bus. Four Peripherals are connected to this bus: three are standard Peripherals, and one is a TrustZone-aware peripheral (indicated by a cross-hatch pattern). Below the bus, two I/O blocks are shown, each connected to a vertical blue bar representing another part of the Global TrustZone framework. A legend at the bottom indicates that the solid blue color represents the Global TrustZone framework and the cross-hatch pattern represents TrustZone-aware peripherals.

Diagram of Global TrustZone framework and TrustZone awareness architecture.

Securing peripherals with TZSC

When the TrustZone security is active, a peripheral is either securable through the TZSC block in GTZC, or is natively TrustZone-aware, as shown in the previous figure:

TrustZone-aware AHB masters like Cortex-M33 or DMAs, drive a secure signal in the AHB interconnect, according to their security mode, independently from the TZSC.

Note: Like with TrustZone, a peripheral can be made privileged-only with TZSC (see Section 3.6.3 ). In this case, if this peripheral is master on the interconnect, it automatically issues privileged transactions.

Securing memories with MPCBB

The MPCBB blocks in GTZC provide the capability to configure the security and privilege of embedded SRAM blocks, as defined in Table 7 .

Table 7. MPCBBx resources

MemoryMPC resource
SRAM1GTZC1_MPCBB1
SRAM2GTZC1_MPCBB2
2.4 GHz RADIO RXTXRAMGTZC1_MPCBB6

For more information, refer to Section 5: Global TrustZone controller (GTZC) .

Applying GTZC configurations

The TZSC and MPCBB blocks can be used in one of the following ways:

When the dynamic option is selected and the configuration is not locked:

Securing peripherals with TZSC

The TZSC block in GTZC provides the capability to manage the security and the privilege for all securable peripherals. The list of these peripherals can be found in Section 5: Global TrustZone controller (GTZC) .

Note: When the TrustZone is deactivated, the resource isolation hardware GTZC can still be used to isolate peripherals to privileged code only (see Section 3.6.3 ).

When the TrustZone is activated, peripherals are set as nonsecure and unprivileged after reset.

TrustZone-aware peripherals

The devices include the following TrustZone-aware peripherals:

Illegal accesses to those peripherals are monitored through the TZIC registers, as described in Section 5: Global TrustZone controller (GTZC) . For more details, refer to Section 3.5.5 .

Illegal access controller with TZIC

The TZIC block in GTZC gathers all illegal access events originated from sources protected by GTZC or TrustZone-aware peripherals, generating a global secure interrupt towards the NVIC.

TZIC is available only when the system is TrustZone enabled (TZEN = 1). All accesses to TZIC registers must be secured and privileged.

For each illegal event source, a status flag and a clear bit exist. Each illegal event can be masked, not generating an interrupt towards the NVIC.

Note: By default, all events are masked.

3.5.5 Managing security in TrustZone-aware peripherals

Embedded flash memory

When the TrustZone security is enabled through option bytes (TZEN = 1), the whole flash memory is secure after reset and the following protections, shown in Figure 7 , are available to the application:

Note: All areas are aligned on the flash memory page granularity.

The flash memory area can be configured as secure while it is tagged as nonsecure in Cortex-M33 IDAU/SAU. In this case, nonsecure accesses by the CPU to the flash memory are denied.

Erase or program operations can be available to secure (resp. nonsecure) code only for secure (resp. nonsecure) pages or memory. A flash memory is considered secure if at least one page is secure.

Figure 7. Flash memory TrustZone protections

Diagram illustrating Flash memory TrustZone protections. It compares 'TrustZone disabled' and 'TrustZone enabled' states for User flash memory and Read-only system Flash memory. In the 'TrustZone disabled' state, User flash memory is all nonsecure, and Read-only system Flash memory contains Bootloader and Hidden areas. In the 'TrustZone enabled' state, User flash memory is divided into alternating Nonsecure and Secure pages, with the bottom section being Flash memory-S(*) and Flash memory-S(*) (HDP). Read-only system Flash memory contains Bootloader-NS and RSS(*) (HDP). Arrows indicate the Boot address in both states.

The diagram shows the memory layout for User flash memory and Read-only system Flash memory when TrustZone is disabled versus when it is enabled.

(*): nonvolatile security configuration

MSv64451V1

Diagram illustrating Flash memory TrustZone protections. It compares 'TrustZone disabled' and 'TrustZone enabled' states for User flash memory and Read-only system Flash memory. In the 'TrustZone disabled' state, User flash memory is all nonsecure, and Read-only system Flash memory contains Bootloader and Hidden areas. In the 'TrustZone enabled' state, User flash memory is divided into alternating Nonsecure and Secure pages, with the bottom section being Flash memory-S(*) and Flash memory-S(*) (HDP). Read-only system Flash memory contains Bootloader-NS and RSS(*) (HDP). Arrows indicate the Boot address in both states.

As shown above, when TrustZone is activated (TZEN = 1), the application code can use the HDP area that is part of the flash watermark-based secure area. When the application sets the HDP_ACCDIS bit, data read, write, and instruction fetch on this HDP area are denied until the next system reset.

For example, the software code in the secure flash HDP area can be executed only once, with any further access to this area denied until the next system reset. Additionally, any flash memory page belonging to an active HDP area cannot be erased anymore.

When the TrustZone is deactivated (TZEN = 0), the volatile/non-volatile secure area features are deactivated and all secure registers are RAZ/WI.

See Section 7: Embedded flash memory (FLASH) for more details.

Direct memory access controller (GPDMA)

When a DMA channel x is defined as secure (SECx = 1 in GPDMA_SECCFGR), the source and destination transfers can be independently set as secure or nonsecure by a secure application using SSEC and DSEC bits in GPDMA_CxTR1. Table 8 summarizes the security options available in each DMA channel.

Table 8. DMA channel use (security) (1)
Destination typeSecure DMA channel x (SECx = 1)Nonsecure DMA channel y (SECy = 0)
Secure sourceNonsecure sourceSecure sourceNonsecure source
Secure destinationOKOK (2)Transfer blocked
Nonsecure destinationOK (3)OK (4)Transfer blockedOK
  1. 1. When a transfer is blocked, it completes, but the corresponding writes are ignored, and reads return zeros. Also an illegal access event to TZIC is automatically triggered by the memory/peripheral used as source or destination.
  2. 2. If the source is a memory, the transfer is possible only if SSEC = 0, otherwise the transfer is blocked.
  3. 3. If the destination is a memory, the transfer is possible only if DSEC = 0, otherwise the transfer is blocked.
  4. 4. The memory-to-memory transfer is possible only if SSEC = 0 and DSEC = 0, otherwise it is blocked.

When a channel is configured as secure:

Note: DMA secure channels are not available when TrustZone is deactivated.

When a channel is configured as nonsecure in linked-list mode, the loading of the next linked-list data structure from memory is performed with nonsecure transfers. See Section 17: General purpose direct memory access controller (GPDMA) for more details.

Power control (PWR)

When the TrustZone security is activated (TZEN = 1), the selected PWR registers can be secured through PWR_SECCFGR, protecting the following PWR features:

Other PWR configuration bits become secure:

See Section 11: Power control (PWR) for details.

Secure clock and reset (RCC)

When the TrustZone security is activated (TZEN = 1) and security is enabled in the RCC, the bits controlling the peripheral clocks and resets become TrustZone-aware:

When a peripheral is defined as secure, its related clock, reset, and clock source selection in the RCC, become secure and in some case the selection of clock source during low-power modes as well.

Note: Refer to Table 3 and Table 4 for the list of securable and TrustZone-aware peripherals.

Additionally, the following configurations can be made secure-only using RCC_SECCFGR:

See Section 12: Reset and clock control (RCC) for details.

Real time clock (RTC)

Like all TrustZone-aware peripherals, a nonsecure read/write access to a secured RTC register is RAZ/WI. It also generates an illegal access event that triggers a secure illegal access interrupt if the RTC illegal access event is enabled in the TZIC.

After a Backup domain power-on reset, all RTC registers can be read or written in both secure and nonsecure modes. The secure boot code can then change its security setup, making registers Alarm A, alarm B, wake-up timer and timestamp secure or not, using RTC_SECCFGR.

When the SEC bit is set in secure-only RTC_SECCFGR:

When SEC is cleared in secure-only RTC_SECCFGR, it is still possible to restrict access in secure mode to some RTC registers by setting dedicated control bits: INITSEC, CALSEC, TSSEC, WUTSEC, ALRASEC, and ALRBSEC.

Note: The RTC security configuration is not affected by an NRST pin reset.

See Section 36: Real-time clock (RTC) for more details.

Tamper and backup registers (TAMP)

Like all TrustZone-aware peripherals, a nonsecure read/write access to a secured TAMP register is RAZ/WI. It also generates an illegal access event that triggers a secure illegal access interrupt if the TAMP illegal access event is enabled in the TZIC.

After a Backup domain power-on reset, all TAMP registers can be read or written in both secure and nonsecure modes. The secure boot code can change its security setup, making some registers secure or not as needed, using TAMP_SECCFGR register.

When TAMPSEC is set in TAMP_SECCFGR:

The application can also:

Note: The TAMP security configuration is not affected by an NRST reset.

See Section 37: Tamper and backup registers (TAMP) for more details.

General-purpose I/Os (GPIO)

When the TrustZone security is activated (TZEN = 1), each I/O pin of the GPIO port can be individually configured as secure through the GPIOx_SECCFGR registers. Only a secure application can write to GPIOx_SECCFGR registers. After boot, each I/O pin of GPIO is set as secure.

When an I/O pin is configured as secure, its corresponding configuration bits for alternate function (AF), mode selection (MODE), and I/O data are RAZ/WI in case of nonsecure access.

When digital alternate function is used (input/output mode), to protect the data transiting from/to the I/O managed by a secure peripheral, the devices add a secure alternate function gate on the path between the peripheral and its allocated I/Os:

The TrustZone-aware logic around GPIO ports, used as alternate function, is summarized in Table 9 .

Table 9. Secure alternate function between peripherals and allocated I/Os

Security configurationAlternate function logicComment
PeripheralAllocated I/O pinInputOutput
SecureSecureI/O dataPeripheral data-
NonsecureOut of reset configuration
SecureNonsecure00-
NonsecureI/O dataPeripheral data

When an analog function with an analog switch is used, the connection to the peripherals listed in Table 10 , is blocked by hardware when the peripheral is nonsecure and the I/O is secure.

Table 10. Nonsecure peripheral functions not connected to secure I/Os

PeripheralAnalog function (1)InputOutputHow to set the peripheral or the function as secure
ADC4ADC4_INy (y = 1 to 10)X-Set ADC4SEC in GTZC1_TZSC
COMPx (2) (x = 1, 2)COMPx_INM1
COMPx_INP1		Set COMPSEC in GTZC1_TZSC
  1. 1. Used to find the I/O corresponding to the signal/function on the package (refer to the product datasheet).
  2. 2. Available only on STM32WBA54/55xx devices.

Table 11 summarizes the list of peripheral functions that do not have any hardware protection linked to TrustZone. The listed signals (input and/or outputs) are not blocked when the I/O is set as secure and the associated peripheral function is nonsecure.

For example, when a secure application sets an I/O port pin as secure to be used as LPTIM2_OUT, if the RTC_OUTx is nonsecure, it can be programmed to output data to the I/O port pin, potentially causing malfunction to the secure application.

Similarly, when a secure application sets an I/O port pin as secure to be used as USART1_TX, if TAMP_INx is nonsecure, it can be programmed to capture the USART input traffic.

It is important that, for each case described in Table 11 , the secure application decides if a potential effect on data integrity or confidentiality is critical or not. For example, if the USART situation described above is not acceptable (data transiting on secure USART is confidential), the application must configure the TAMP as secure, even if it does not use it.

Note: How to make a peripheral secure is summarized in the right column of Table 11 .

Table 11. Nonsecure peripheral functions that can be connected to secure I/Os

PeripheralSignal (1)InputOutputHow to set the peripheral or the function as secure
TAMPTAMP_INx (x = 1 to 6)X-Set TAMPSEC in TAMP_SECCFGR
TAMP_OUTx (x = 1 to 6)-X
RTCRTC_OUTx (x = 1, 2)-XSet SEC in RTC_SECCFGR
RTC_TSX-Set TSSEC in RTC_SECCFGR
PWRWKUPx (x = 1 to 8)X-Set WUPxSEC in PWR_SECCFGR
RCCLSCO-XSet LSESEC in RCC_SECCFGR
EXTIEXTIx (x = 0 to 15)X-Set SECx bit in EXTI_SECCFGR
  1. 1. To find the I/O corresponding to the signal/function on the package refer to the product datasheet.

Refer to Section 14: General-purpose I/Os (GPIO) for more details.

Extended interrupts and event controller (EXTI)

When the TrustZone security is activated (TZEN = 1), the EXTI is able to protect event register bits from being modified by nonsecure accesses. The protection can individually be activated per input event via the register bits in EXTI_SECCFGR1. When an input event is configured as secure, only a secure application can change the configuration (including security if applicable), change the masking or clear the status of this input event.

The security configuration in EXTI_SECCFGR1 can be globally locked after reset in EXTI_LOCKR.

See Section 19: Extended interrupts and event controller (EXTI) for more details.

System configuration controller (SYSCFG)

Like all TrustZone-aware peripherals, when the TrustZone security is activated (TZEN = 1), a nonsecure read/write access to a secured SYSCFG register is RAZ/WI. Such access also generates an illegal access event that triggers a secure illegal access interrupt if the SYSCFG illegal access event is not masked in the TZIC.

See Section 15: System configuration controller (SYSCFG) for more details.

Hardware semaphore (HSEM)

Like all TrustZone-aware peripherals, when the TrustZone security is activated (TZEN = 1), a nonsecure read/write access to a secured HSEM register is RAZ/WI. Such access also generates an illegal access event that triggers a secure illegal access interrupt if the HSEM illegal access event is not masked in the TZIC.

See Section 13: Hardware semaphore (HSEM) for more details.

Microcontroller debug unit (DBGMCU)

The MCU debug component (DBGMCU) helps the debugger, providing support for:

The DBGMCU is a TrustZone-aware peripheral, managing accesses to its control registers as described in Table 12 .

Table 12. TrustZone-aware DBGMCU accesses management

Debug profilePeripheral status (1)DBG_xx_STOP control bits
Write accessRead access
Nonsecure invasive
(SPIDEN = 0)		NSYes (S (2) or NS)Yes (S or NS)
SNone (S or NS)
Secure invasive
(SPIDEN = 1)		NSYes (S or NS)
SYes (S only)

1. As reported by the GTZC or the TrustZone-aware peripheral feature.

2. Secure access from debugger is converted to nonsecure access in the device.

Refer to Section 45.13: Microcontroller debug unit (DBGMCU) for more details.

3.5.6 Activating TrustZone security

The TrustZone is deactivated by default in the device. It can be activated by setting the TZEN user option bit in FLASH_OPTR when in RDP Level 0. Once TZEN has changed from 0 to 1, the default security state, after reset, is always the following:

Note: Refer to Table 3 and Table 4 for the list of securable and TrustZone-aware peripherals.

3.5.7 Deactivating TrustZone security

Once activated, TrustZone it can be deactivated only during an RDP regression to Level 0.

Note: Such RDP regression triggers the erase of embedded memories (flash memory, SRAM1, SRAM2, PKA SRAM and TAMP backup registers), and the reset of all peripherals, including all crypto engines.

Note: Before launching an RDP regression, the software must invalidate the ICACHE and wait for the BUSYF bit to get cleared.

After the TrustZone deactivation, most of the features mentioned in Section 3.5 are no longer available:

Note: When the TrustZone is deactivated, the resource isolation using privilege stays available (see Section 3.6.3 for details).

3.6 Isolation of other resources (a)

These are hardware mechanisms offering an additional level of isolation on top of the TrustZone technology.

3.6.1 Temporal isolation using secure hide protection (HDP)

When the TrustZone security is enabled (TZEN = 1), the embedded flash memory allows an HDP area in the watermarked-secure area (8-Kbyte page granularity) to be defined. The code executed in this HDP area (with its related data and keys) can be hidden after boot until the next system reset. The hide protection principle is shown in Figure 8.

Figure 8. Flash memory secure HDP area

Figure 8: Flash memory secure HDP area diagram. The diagram shows two vertical columns representing flash memory. The left column has three sections: 'User applications' at the top, 'Secure Flash memory applications' in the middle, and 'Secure boot code and data (HDP)' at the bottom. A vertical double-headed arrow on the left of the middle and bottom sections is labeled 'Secure area'. An arrow labeled '1) Execute after reset' points to the bottom section. The right column also has three sections: 'User applications' at the top, 'Secure Flash memory applications' in the middle, and 'Hidden' at the bottom. The 'Hidden' section has a red circle with a diagonal line through it. An arrow labeled '2) Jump to secure code and hide area' points from the 'Secure Flash memory applications' section to the 'Hidden' section. The text 'MSV64452V2' is in the bottom right corner.
Figure 8: Flash memory secure HDP area diagram. The diagram shows two vertical columns representing flash memory. The left column has three sections: 'User applications' at the top, 'Secure Flash memory applications' in the middle, and 'Secure boot code and data (HDP)' at the bottom. A vertical double-headed arrow on the left of the middle and bottom sections is labeled 'Secure area'. An arrow labeled '1) Execute after reset' points to the bottom section. The right column also has three sections: 'User applications' at the top, 'Secure Flash memory applications' in the middle, and 'Hidden' at the bottom. The 'Hidden' section has a red circle with a diagonal line through it. An arrow labeled '2) Jump to secure code and hide area' points from the 'Secure Flash memory applications' section to the 'Hidden' section. The text 'MSV64452V2' is in the bottom right corner.

When the HDPEN and HDP_ACCDIS bits are set, data read, write, and instruction fetch on the area defined by SECWM_PSTRT and HDP_PEND option bytes are denied until the next device reset.

Note: Mass erase aborts when it contains a write-protected area (WRP or HDP area).

The HDP area can be resized by a secure application if the area is not hidden and if RDP Level \( \neq \) 2.

3.6.2 RSSLIB functions

The RSS provides runtime services thanks to RSS library. As other microcontroller peripherals features and mapping, the RSS library functions are exposed to user within the CMSIS device header file provided by the STM32Cube firmware package. Please refer to UM3131 to get more details regarding STM32Cube firmware package. RSS library functions are named RSSLIB functions hereafter.

The user firmware calls RSSLIB functions using RSSLIB_PFUNC C defined macro, that points to a location within nonsecure system memory. Hence prior calling RSSLIB functions, the secure user firmware must define a nonsecure region above this location within SAU of the Cortex ® -M33. This nonsecure region starts from

a. Available only on STM32WBA52/4/5xx devices.

RSSLIB_SYS_FLASH_NS_PFUNC_START up to RSSLIB_SYS_FLASH_NS_PFUNC_END. These last addresses are provided within the CMSIS device header file. The user can set this nonsecure region either by using the CMSIS system partition header file or by implementing its own code for SAU setup. The CMSIS system partition header file is part of the STM32Cube firmware package.

RSSLIB functions are split between non-secure callable and secure callable function.

The RSS library functions are described within sections hereafter.

CloseExitHDP

Bootloader ID:

CloseExitHDP1 function

Secure attribute:

Secure callable function.

Prototype:

uint32_t CloseExitHDP(uint32_t HdpArea, uint32_t VectorTableAddr)

Arguments:

Description:

The user calls CloseExitHDP to close flash HDP secure memory area and jump to the reset handler embedded within the vector table which address is passed as input parameter.

CloseExitHDP sets the SP provided by the passed vector table, however it is up to the caller to first set the new vector table. Then it clears all general-purpose.

A Cortex®-M33 registers (r0, r1, ...) before jumping to new vector table reset handler. On successful execution, the function does not return and does not push LR onto the stack.

In case of failure (bad input parameter value), this function returns RSSLIB_ERROR.

Refer to section Section 7.5.3: Secure hide protection (HDP) to get more details on flash memory HDP protection.

3.6.3 Resource isolation using Cortex privileged mode

In parallel to the TrustZone isolation described in Section 3.5 , the hardware and software resources can be partitioned so that they are restricted to software running in Cortex privileged mode.

Thanks to this hardware isolation technology, available even if TrustZone is deactivated (TZEN = 0), critical code or data can be protected against intentional or unintentional tampering from the more exposed unprivileged code.

Memory and peripheral privileged allocation using MPU

The Cortex-M33 MPU divides the unified memory into eight regions, each aligned to a multiple of 32 bytes. Each memory regions can be programmed to generate faults when accessed inappropriately by unprivileged software.

Memory and peripheral privileged allocation using GTZC

For the Cortex-M33 master, to complement the coarse isolation provided by the MPU, the GTZC reinforces, in a flexible way, the isolation between privileged and unprivileged tasks, for peripherals and selected memories.

In the devices, a peripheral is either securable privileged-only through GTZC, or is natively privileged-aware:

The list of securable peripherals can be found in Table 3 .

The GTZC provides the capability to configure the privilege level of embedded SRAM blocks, programming the MPCBB resources defined in Section 3.5.4 .

Managing security in privileged-aware peripherals

TrustZone-aware peripherals also implement privileged-only access mode. The privileged protection is valid even if TZEN = 0:

By default all embedded flash registers can be read or programmed in both privileged and unprivileged modes.

When secure privileged bit SPRIV is set in FLASH_PRIVCFGGR, reading and writing the flash secure registers are possible only in privileged mode. Write access to this bit is ignored if TrustZone is deactivated (TZEN = 0).

When nonsecure privileged bit NSPRIV is set in FLASH_PRIVCFGGR, reading and writing the flash nonsecure registers are possible only in privileged mode.

Regarding privileged protection of the embedded flash memory, the devices offer the following features:

Note: Switching a page from privileged to unprivileged does not erase the content of the page. When applicable, an erase or program operation is always available to privileged code, and to unprivileged code only for unprivileged pages or memory.

When a DMA channel x is defined as privileged (PRIVx = 1 in GPDMA_PRIVCFGGR), special rules apply when accessing privileged/unprivileged source or destination (see Table 13 ).

Table 13. DMA channel use (privilege)

DestinationPrivileged DMA channel x (PRIVx = 1)Unprivileged DMA channel y (PRIVy = 0)
Privileged sourceUnprivileged sourcePrivileged sourceUnprivileged source
PrivilegedOKTransfer blocked (1)
UnprivilegedOKTransfer blockedOK

1. When a transfer is blocked, the transfer completes but the corresponding writes are ignored, and reads return 0s.

See Section 17: General purpose direct memory access controller (GPDMA) for more details.

By default, after a reset, all PWR registers but PWR_PRIVCFGGR, can be read or written in both privileged and unprivileged modes.

When secure privileged bit SPRIV is set in PWR_PRIVCFGGR, reading and writing the PWR securable registers are possible only in privileged mode. Write access to this bit is ignored if TrustZone is disabled (TZEN = 0).

When nonsecure privileged bit NSPRIV is set in PWR_PRIVCFGGR, reading and writing the PWR nonsecure registers are possible only in privileged mode.

See Section 11: Power control (PWR) for details.

By default, after a reset, all RCC registers but RCC_PRIVCFGGR can be read or written in both privileged and unprivileged modes.

When secure privileged bit SPRIV is set in RCC_PRIVCFGGR, reading and writing the RCC securable bits are possible only in privileged mode. Write access to this bit is ignored if TrustZone is disabled (TZEN = 0).

When the nonsecure privileged bit NSPRIV is set in RCC_PRIVCFGGR, reading and writing the RCC nonsecure bits are possible only in privileged mode.

See Section 12: Reset and clock control (RCC) for details.

By default after a Backup domain reset, all RTC registers but RTC_PRIVCFGR, can be read or written in both privileged and unprivileged modes.

When PRIV bit is set in privileged-only RTC_PRIVCFGR:

All the other RTC registers can be read only in privileged mode.

When the PRIV bit is cleared in privileged-only RTC_PRIVCFGR register, it is still possible to restrict access to privileged mode to some RTC registers by setting dedicated control bits: INITPRIV, CALPRIV, TSPRIV, WUTPRIV, ALRAPRV, or ALRBPRIV.

See Section 36: Real-time clock (RTC) for details.

By default after a Backup domain reset, all TAMP registers but TAMP_PRIVCFGR can be read or written in both privileged and unprivileged modes.

When PRIV bit is set in privileged-only TAMP_PRIVCFGR:

The application can also:

All GPIO registers can be read and written by privileged and unprivileged accesses, whatever the security state (secure or nonsecure).

The EXTI peripheral can protect event register bits from being modified by unprivileged accesses. The protection is individually activated per input event via the register bits in the privileged-only EXTI_PRIVCFGR1 register. When an input event is configured as privileged, only a privileged application can change the configuration (including security if applicable), change the masking or clear the status of this input event.

The security configuration in EXTI_PRIVCFG1 can be globally locked after reset in EXTI_LOCKR.

See Section 19: Extended interrupts and event controller (EXTI) for more details.

All SYSCFG registers can be read and written in both privileged and unprivileged modes, except:

See Section 15: System configuration controller (SYSCFG) for more details.

3.7 Secure execution

Through a mix of special software and hardware features, the devices ensure the correct operation of their functions against abnormal situations caused by programmer errors, software attacks through network access, or local attempt for tampering code execution.

This section describes the hardware features specifically designed for secure execution.

3.7.1 Memory protection unit (MPU)

The Cortex-M33 includes a memory protection unit (MPU) that can restrict the read and write accesses to memory regions (including regions mapped to peripherals), based the Cortex-M33 operating mode (privileged, unprivileged), and the data/instruction fetch.

The memory map and the programming of the nonsecure and secure MPUs split memory into regions (up to eight per MPU). Secure MPU is available only when TrustZone is activated (a) .

3.7.2 Embedded flash memory write protection

The embedded flash memory write protection (WRP) prevents illegal or unwanted write/erase to special sections of the embedded flash memory user area (system area is permanently write protected).

Write protected areas are defined through option bytes, writing the start and end addresses: two write-protected areas can be defined, with page size granularity.

WRP areas can be modified through option byte changes unless the corresponding FLASH_WRPA/BR has its UNLOCK option bit cleared (meaning ROM emulation). UNLOCK can be set only when regressing from RDP Level 1 to Level 0.

Note: Mass erase aborts when it contains a write-protected area (WRP or HDP area).

a. Available only on STM32WBA52/4/5xx devices.

3.7.3 Tamper detection and response

Principle

The devices include active protection of critical security assets attacks, with the following features:

See Section 37: Tamper and backup registers (TAMP) for more details.

Tamper detection sources

The devices support six active input/output pins, allowing three independent active-tamper meshes, or up to five meshes if the same output pin is shared by several input pins (for a total of six active-tamper I/Os).

The active pins when clocked by the LSE are functional in all system operating modes (Run, Sleep, Stop, and Standby).

Detection time is programmable, and a digital filtering is available (tamper triggered after two false comparisons in four consecutive comparison samples).

Note: Timestamps are automatically generated when a tamper event occurs.

The internal tamper sources are listed in Table 14 .

Table 14. Internal tamper sources in TAMP

Tamper inputTamper source
itamp3LSE clock security monitoring
itamp5RTC calendar overflow (rtc_calovf)
itamp6JTAG/SWD access when RDP > 0
itamp7, 12, 13Voltage monitoring ( \( V_{CORE} \) , \( V_{SENSE} \) ) through ADC4 analog watchdog, functional down to Stop 1 mode
itamp8TAMP monotonic counter overflow
itamp9Fault generation for cryptographic peripherals (SAES, PKA, AES, RNG)
itamp11IWDG timeout and potential tamper (IWDG reset when at least one enabled tamper flag is set)

Response to tamperers

Each source of tamper in the device can be configured to trigger the following events:

Read/write accesses by software to all these secrets can be blocked, by setting the BKBLOCK bit in TAMP_CR2. The device secrets access is possible only when BKBLOCK is cleared, and no tamper flag is set for any enabled tamper source.

Device secrets erase is also triggered by setting the BKERASE bit in TAMP_CR2.

Software filtering mechanism

Each tamper source can be configured not to launch an immediate erase, by setting the corresponding TAMPxPOM bit in TAMP_CR2 (for external tamper pin) or ITAMPxPOM bit in TAMP_CR3 (for internal tamper).

In such a situation, when the tamper flag is raised, access to below secrets is blocked until all tamper flags are cleared:

Once the application, notified by the tamper event, analyzes the situation, there are two possible cases:

Note: If the tamper software fails to react to such a tamper flag, an IWDG reset triggers automatically the erase of secrets.

Tamper detection and low-power modes

Table 15. Effect of low-power modes on TAMP
ModeDescription
SleepNo effect on tamper detection features.
TAMP interrupts cause the device to exit the Sleep mode.
StopNo effect on tamper detection features, except for level detection with filtering and active tamper modes that remain active only when the clock source is LSE or LSI.
Tamper events cause the device to exit the Stop mode.
StandbyNo effect on tamper detection features, except for level detection with filtering and active tamper modes which remain active only when the clock source is LSE or LSI.
Tamper events cause the device to exit the Standby mode.

3.8 Secure storage (a)

A critical feature of any security system is how long term keys are stored, protected, and provisioned. Such keys are typically used to load a boot image, or to handle critical user data.

Figure 9 shows how key management service application can use the AES engine, for example to compute decryption keys. A nonvolatile key can be stored in the embedded secure HDP area (see Section 3.6.1 ), while volatile keys can be stored in registers in the TrustZone-aware TAMP. Figure 9 also shows keys that are managed only by hardware (like DHUK). More information on those hardware keys can be found in Section 3.8.1 .

a. Available only on STM32WBA52/4/5xx devices.

Figure 9. Key management principle

Figure 9. Key management principle diagram showing the flow of keys from embedded non-volatile storage through hardware key derivation to derived hardware unique keys, which are then used by AES with DPA and AES without DPA engines. The diagram also shows connections to embedded volatile storage (tamper resistant) and embedded non-volatile storage.

The diagram illustrates the key management principle. It shows the flow of keys from various sources through different AES engines. A legend indicates that solid arrows represent hardware transfer of key, and dashed arrows represent software transfer of key.

Figure 9. Key management principle diagram showing the flow of keys from embedded non-volatile storage through hardware key derivation to derived hardware unique keys, which are then used by AES with DPA and AES without DPA engines. The diagram also shows connections to embedded volatile storage (tamper resistant) and embedded non-volatile storage.

Details on tamper protection is found in Section 3.7.3 , while TAMP TrustZone features are briefly described in Section 3.5.5 .

3.8.1 Hardware secret key management

As shown in the previous figure, the devices propose a better protection for application keys, using hardware secret keys. These AES keys can be made usable to the application, without exposing them in clear-text (unencrypted). Such keys also become immediately unusable in case of tamper.

There are three different sources of hardware secret keys:

  1. 1. DHUK: derived key based on a 256-bit nonvolatile device unique secret in flash memory. The generation of this key takes into account the TrustZone state and key use state (KMOD).
  2. 2. BHK: 256-bit application key stored in tamper-resistant volatile storage in TAMP. This key is written at boot time, then read/write locked to application until the next reset.
  3. 3. XORK: result of an XOR of BHK and DHUK

Those keys can be used:

3.9 Unique ID

The devices store a 96-bit ID that is unique to each device (see Section 46.1.2: DESIG 96-bit unique device ID register 1 (DESIG_UIDR1) ).

Application services can use this unique identity key to identify the product in the cloud network, or to make it difficult for counterfeit devices or clones to inject untrusted data into the network.

Alternatively, the 256-bit device unique key (DHUK) can be used (see Section 3.8.1 ).

3.10 Crypto engines

The devices implement state-of-the-art cryptographic algorithms featuring key sizes and computing protection as recommended by national security agencies such as NIST for the U.S.A, BSI for Germany or ANSSI for France. Those algorithms are used to support privacy, authentication, integrity, entropy, and identity attestation.

The crypto engine embedded in STM32 reduces weaknesses on the implementation of critical cryptographic functions, preventing, for example, the use of weak cryptographic algorithms and key sizes. They also enable lower processing times and lower power consumption when performing cryptographic operations, offloading those computations from Cortex-M33. This is especially true for asymmetric cryptography.

For product certification purposes, ST can provide certified device information on how these security functions are implemented and validated.

For more information on crypto engine processing times, refer to their respective sections in the reference manual.

3.10.1 Crypto engines features

Table 16 lists the accelerated cryptographic operations available in the devices. Two AES accelerators are available (both can be reserved to secure application only).

Note: Additional operations can be added using firmware.

The PKA can accelerate asymmetric crypto operations (like key pair generation, ECC scalar multiplication, point on curve check). See Section 28: Public key accelerator (PKA) for more details.

Table 16. Accelerated cryptographic operations

OperationsAlgorithmSpecificationKey length (in bit)Modes
Get entropyRNGNIST SP800-90B (1)N/ASoftware and hardware (2) modes running in parallel
Encryption, decryptionAESFIPS PUB 197
NIST SP800-38A		128, 256ECB, CBC, CTR
Authenticated encryption or decryptionNIST SP800-38C
NIST SP800-38D		GCM, CCM
Cipher-based message authentication codeNIST SP800-38DGMAC
Table 16. Accelerated cryptographic operations (continued)
OperationsAlgorithmSpecificationKey length (in bit)Modes
ChecksumMD5IETF RFC 1321N/ADigest 128-bit
SHA-1FIPS PUB 180-4Digest 160-bit
Cryptographic hashSHA2-224FIPS PUB 180-4Digest 224-bit
SHA2-256Digest 256-bit
Keyed-hashing for message authenticationHMACFIPS PUB 198-1
IETF RFC 2104		Short, long
(>64 bytes)		-
Encryption/decryption
key-pair generation (3)		RSAIETF RFC 8017
NIST SP800-56B		Up to 4160RSAES-OAEP
Signature (3) with hashing
Signature verification		RSAIETF RFC 8017
FIPS PUB 186-4		Up to 4160PKCS1-v1_5, PSS
ECDSAANSI X9.62
IETF RFC 7027
FIPS PUB 186-4		Up to 640Table 241: Family of supported curves for ECC operations
Key agreementECDHANSI X9.42
  1. 1. Certifiable using STMicroelectronics reviewed documents.
  2. 2. Random numbers distribution to SAES and PKA using a dedicated hardware bus.
  3. 3. Private key cryptography protected against side-channel and timing attacks.

Note: Binary curves, Edwards curves and Curve25519 are not supported by the PKA.

3.10.2 Secure AES coprocessor (SAES) (a)

The devices provide an additional on-chip hardware AES encryption and decryption engine, implementing counter-measures and mitigations against power and electromagnetic side-channel attacks.

Due to these counter-measures the SAES is slower than the AES, to provide best-in-class side-channel protections.

As shown in Section 3.8 , the SAES can be used for extra-secure on-chip storage for sensitive information. It can also be made secure-only.

For more information, refer to Section 26: Secure AES coprocessor (SAES) .

3.11 Product life cycle

A typical IoT device life cycle is summarized in Figure 10 . For each step, the devices propose secure life cycle management mechanisms embedded in the hardware.

a. Available only on STM32WBA52/4/5xx devices.

Figure 10. Device life-cycle security

Figure 10. Device life-cycle security diagram showing the flow from Virgin device to Decommissioned product, split into User states and Vendor states.

The diagram illustrates the device life-cycle security flow, divided into two columns by a vertical dashed line: 'User states' on the left and 'Vendor states' on the right.

MSv64454V1

Figure 10. Device life-cycle security diagram showing the flow from Virgin device to Decommissioned product, split into User states and Vendor states.

More details on the various phases and associated transitions, found either at the vendor or end-user premises, are summarized in Table 17 .

Table 17. Main product life-cycle transitions

TransitionsDescription
Device manufacturingSTMicroelectronics creates new STM32 devices, always checking for manufacturing defects. During this process STM32 is provisioned with ROM firmware, secure firmware install (SFI) unique key pair, and a public ID.
Vendor manufacturingOne (or more) vendor is responsible for the platform assembly, initialization, and provisioning before delivery to the end user. This end user can use the final product (“productionization” transition) or use the platform for software development (“user provisioning” transition).
ProductionizationThe end user gets a product ready for use. All security functions of the platform are enabled, the debugging/testing features are restricted/disabled, and unique boot entry to immutable code is enforced.
User provisioningPlatform vendor prepares an individual platform for development, not to be connected to a production cloud network.
Field return or decommissioningThose are one-way transitions, with devices kept in user premises or returned to the manufacturer. In both cases, all data including user data are destroyed, therefore the devices lose the ability to operate securely (like connecting to a managed IoT network).

The features described hereafter contribute to secure the device life cycle.

3.11.1 Life-cycle management with readout protection (RDP)

The readout protection mechanism (full hardware feature) controls the access to the devices debug, test and provisioned secrets, as summarized in Table 18 .

Table 18. Typical product life-cycle phases

RDP protection levelDebugComments
0Device openSecure (1) and nonsecureBoot address must target a secure area when TrustZone is enabled (secure SRAM, secure flash memory, RSS in system flash memory).
Both OEM1 and OEM2 unlocking keys can be provisioned in the User options.
0.5 (2)Device partially closed (closed secure)Nonsecure onlyBoot address must target a secure area when TrustZone is enabled (secure user or system flash memory). Boot on SRAM is not permitted.
Access to nonsecure flash memory is allowed when debug is connected.
Both OEM1 and OEM2 unlocking keys can be provisioned in the User options.
1Device memories protectedNonsecure only (conditioned)Boot address must target the secure user flash memory.
Accesses to nonsecure flash memory, SRAM2, and backup registers are not allowed when debug is connected.
Both OEM1 and OEM2 unlocking keys can be provisioned in the User options.
2Device closedNone (JTAG fuse)Boot address must target the user flash memory (secure if TZEN = 1).
Option bytes are read-only, hence RDP level 2 cannot be changed, unless OEM2 unlocking key is activated (see Table 19 ).

1. Debug is not available when executing RSS code.

2. Only applicable when TrustZone security is activated in the product (STM32WBA52/4/5xx devices only).

Note: OEM1KEY option byte can be modified when OEM1LOCK = 0 (RDP = 0.5 or 1 only).
OEM2KEY option byte can be modified when OEM2LOCK = 0 (RDP = 1 only).

The supported transitions, summarized in Figure 11 , can be requested (when available) through the debug interface or via the system bootloader.

Figure 11. RDP level transition scheme

Figure 11. RDP level transition scheme diagram showing two scenarios: TrustZone disabled and TrustZone enabled. TrustZone disabled shows transitions between RDP Level 0, 1, and 2. TrustZone enabled shows transitions between RDP Level 0, 0.5, 1, and 2, with specific conditions for each transition.

The diagram illustrates the RDP level transition scheme, divided into two main sections: TrustZone disabled and TrustZone enabled.

TrustZone disabled:

TrustZone enabled:

Figure 11. RDP level transition scheme diagram showing two scenarios: TrustZone disabled and TrustZone enabled. TrustZone disabled shows transitions between RDP Level 0, 1, and 2. TrustZone enabled shows transitions between RDP Level 0, 0.5, 1, and 2, with specific conditions for each transition.

The user flash memory is automatically erased, either partially or in totality, during an RDP regression from level 1. Those regressions can be conditioned to dedicated 64-bit password keys, if provisioned by the OEM (see next subsection). During the regression from RDP Level 1 to RDP Level 0.5, only nonsecure embedded flash memory is erased, keeping functional, for example, the secure boot and the secure firmware update. In all regressions from RDP Level 1 the OTP area in the flash memory is kept, and targeted device secrets are erased. No secrets must be stored in the OTP as they are nonsecure. The same secrets are erased, as those erased as response to tamper, defined in Section 3.7.3 .

Note: Enabling TrustZone using option byte TZEN is possible only when RDP level is 0.

For more details on RDP, refer to Section 7: Embedded flash memory (FLASH) .

RDP regression and erase

When regressing RDP to level 0.5 or level 0, the SRAM1, SRAM2, PKA SRAM memories and TAMP backup registers are erased.

Note: Before launching an RDP regression, the software must invalidate the ICACHE and wait for the BUSYF bit to get cleared.

RDP unlocking sequences

The use of the two OEM password keys described in Figure 11 is described hereafter.

Note: The devices support both permanent RDP Level 2 (legacy mode) or password-based RDP Level 2 regression to Level 1. This Level 2 regression does not erase the application code, and it does not change the RDP Level 1 protections in place.

Details on the password-based regression can be found in Table 19 .

Table 19. OEM key RDP unlocking methods

OEM1 password optionsOEM2 password options
OEM1 LOCKInitial RDP levelRDP regressionOEM2 LOCKInitial RDP levelRDP regression
11Regression to Level 0 possible only through OEM1 unlock sequence (see below)11Regression to Level 0.5 possible only through OEM2 unlock sequence A (see below)
2Automatic regression to Level 1 triggered upon successful OEM2 unlock sequence B (see below)
0Regression to Level 0 always granted01Regression to Level 0.5 always granted
2Regression to Level 1 never granted. RDP level 2 remains a permanent state.

Note: Unlocking the device with a password is possible only once per power cycle.

Shifting the password key through JTAG/SWD corresponds to writing two 32-bit key words, AUTH_KEY[31:0], then AUTH_KEY[63:32], in DBGMCU_DBG_AUTH_HOST register.

JTAG 32-bit device specific ID

Unless the JTAG port is deactivated (OEM2LOCK = 0 and RDP Level = 2), a 32-bit device specific quantity can always be read through the JTAG port. This information is stored in DBGMCU_DBG_AUTH_DEVICE.

The OEM can use this 32-bit information to derive the expected OEM password keys to unlock this specific device.

Most of the time, the user threat model focuses mainly on software attacks. In this case, it may be sufficient to keep the RDP Level 1 as device protection.

For a more aggressive threat model, where the user fears physical attacks on the STM32 device, it is recommended to optimize the level of security by setting the RDP Level 2.

The recommended settings are detailed below:

As described in the previous section, the customer can decide to allow any RDP Level 2 part to regress to RDP Level 1, provided the OEM2 key has been successfully provisioned, and OEM2LOCK option bit is set.

3.12 Access controlled debug

The device restricts access to embedded debug features, to guarantee the confidentiality of customer assets against unauthorized usage of debug and trace features.

3.12.1 Debug protection with readout protection (RDP)

As described in Section 3.11.1 , the hardware RDP mechanism automatically controls the accesses to the device debug and test. The protection of these debug features are defined in Table 20 . Possible password-based regressions are described in Section 3.11.1 .

Table 20. Debug protection with RDP

RDP protection levelDebug features protection
0Device openAny debug (1)
0.5 (2)Device partially closedSecure debug is no longer available.
1Device memories protectedNonsecure debug can no longer debug code and data stored in the embedded flash memory, SRAM2, and backup registers.
2Device closedJTAG is physically deactivated, unless it is kept operational only for password key injection (OEM2LOCK = 1). See Section 3.11.1 .

1. Including ST engineering test modes, used for field returns.

2. Only applicable when TrustZone security is activated in the product (STM32WBA52/4/5xx devices only).

a. Available only on STM32WBA52/4/5xx devices.

3.13 Software intellectual property protection and collaborative development

Thanks to software intellectual property protection and collaborative model, the devices allow the design of solutions integrating innovative third-party libraries.

Collaborative development is summarized Figure 12 . Starting from a personalized device sold by STMicroelectronics, a vendor A can integrate a portion of hardware and software on a platform A, which can then be used by a vendor B, who does the same before deploying a final product to the end users.

Note: Each platform vendor can provision individual platforms for development not to be connected to a production cloud network (“Development Platform X”).

Figure 12. Collaborative development principle

Figure 12: Collaborative development principle diagram

The diagram illustrates the collaborative development principle. It is divided into two vertical sections by a dashed line: 'User states' on the left and 'Vendor states' on the right. The process starts in the Vendor states with an 'STM32 personalized device'. This leads to 'Vendor A manufacturing', which produces 'Platform A'. 'Platform A' is then 'Integrated' with a 'Platform part'. 'Platform A' is also 'User provisioning' to a 'Development platform B' in the User states. From 'Platform A', the process goes to 'Vendor B manufacturing', which produces 'Platform B'. 'Platform B' is 'Integrated' with another 'Platform part' and is also 'User provisioning' to another 'Development platform B' in the User states. 'Platform B' leads to 'Productization', which results in a 'Deployed product' in the User states. Finally, 'Decommissioning' of the 'Deployed product' leads to a 'Decommissioned product' in the User states. The diagram is labeled 'MSv64455V1' in the bottom right corner.

Figure 12: Collaborative development principle diagram

The features described hereafter contribute to securing the software intellectual property within such a collaborative development.

3.13.1 Software intellectual property protection with RDP

As described in Section 3.11.1 , the hardware RDP mechanism automatically controls the accesses to secrets provisioned in the device. The protection of these secrets is defined in Table 21 .

Table 21. Software intellectual property protection with RDP
RDP protection levelSecrets protection
Level 0Device openNo special protections.
Level 0.5 (1)Device partially closedAll peripherals and memories mapped as secure during secure boot cannot be dumped, debugged or traced
Level 1Device memories protectedData and code stored in embedded flash memory, SRAM2 and backup registers are no more accessible via debugger.
Level 2Device closedAll data and code stored in the device cannot be dumped, debugged or traced.

1. Only applicable when TrustZone ® security is activated in the product (STM32WBA52/4/5xx devices only).

3.13.2 Other software intellectual property protections

The device additional protections to software intellectual property are: