The new Arm Cortex-M33 micro-controllers include Arm TrustZone, which provides a root of trust for the software and enables the use of a Trusted Firmware. Arm TrustZone and Trusted Firmware facilitate the implementation of a Secure Boot and Secure Firmware Update thanks to the separation between secure and non-secure zones. Let’s dig into what kind of security management can be achieved with Trusted Firmware and Arm TrustZone.
Why use a secure boot and secure firmware update
Smart devices are used all over the world, outside of trusted environments, where they are subject to attack from malicious persons who want to steal data or modify the software to take control of them.
The attack vector is usually a vulnerability in the device’s software. Such vulnerabilities represent many threats to smart devices that could be mitigated by updating the software to fix them when they are discovered. The difficulty is that the software update operation itself can be vulnerable, allowing a malicious person to install malicious software on the smart device. Thus, the software update mechanism must be protected as well, using a Secure Boot and Secure Firmware Update which ensure that only authorized software runs on the device.
Existing secure boots
STMicroelectronics is one of the producers of micro-controllers with Arm TrustZone. The company also provides development kits, libraries and integrated development tools that allow a quick start.
STMicroelectronics provides two ways of implementing a Secure Boot and Secure Firmware Update depending on which micro-controller is used [AN5447]:
- Micro-controllers that embed the Arm TrustZone technology (thus the ones embedding a Cortex-M33) can use the TF-M (Trusted Firmware for Cortex-M) solution. This solution is based on the open source Trusted Firmware for Cortex-M reference implementation. The TF-M is a hybrid software-hardware solution based on the Arm TrustZone technology. Further details follow in the next chapter.
- Micro-controllers that do not embed the Arm TrustZone technology (thus the ones not embedding a Cortex-M33) must use the X-CUBE-SBSFU solution. This solution is based on the proprietary X-CUBE-SBSFU STM32Cube Expansion Package and is out of the scope of this article.
The Trusted Firmware’s website presents this project as
Trusted Firmware-M (TF-M) implements the Secure Processing Environment (SPE) for Armv8-M, Armv8.1-M architectures (e.g. the Cortex-M33, Cortex-M23, Cortex-M55 processors) or dual-core platforms. It is the platform security architecture reference implementation aligning with PSA Certified guidelines, enabling chips, Real Time Operating Systems and devices to become PSA Certified.
For the rest of the article, the acronym TF-M refers to the implementation of the Trusted Firmware middleware made by STMicroelectronics for its STM32-Cortex-M33-based micro-controllers, currently the STM32L5 and STM32U5 Series. The STM32Cube MCU Packages of these Series contain the TF-M implementation (see STM32CubeL5 and STM32CubeU5).
TF-M implements the Secure Processing Environment for, among others, Cortex-M33 architectures and is aligned with the PSA Certified guidelines. PSA stands for Platform Security Architecture which is a framework for securing devices. TF-M contains several software/hardware zones isolated from each other. Each zone has its own purpose and collaborates with others to achieve the goal of having a trusted firmware.
Privileged/unprivileged and secure/non-secure software zones
The PSA immutable Root of Trust is the unique entry point after a reset. It is located in the immutable privileged zone and is based on the open source software MCUBoot [AN5447, §3]. It acts as the Secure Boot and Secure Firmware Update entity and is depicted in dark blue in Figure 1.
The PSA updatable Root of Trust contains secure services which manage critical assets, such as hardware cryptography acceleration, secure storage, internal trusted storage and attestation services. It is located in the updatable privileged zone and can thus access any assets of the system. It is depicted in light blue in Figure 1 [UM2671, Introduction].
The application updatable Root of Trust is the user software of the secure area. It is located in the secure unprivileged zone. This piece of software can access any assets of the system except the ones of the privileged area. It is depicted in green in Figure 1.
The PSA immutable Root of Trust, PSA updatable Root of Trust and application updatable Root of Trust are located in the secure part of the Arm TrustZone. Both the secure privileged and user secure unprivileged applications are packaged into the so-called secure application and can be updated using the Secure Firmware Update. The PSA immutable Root of Trust cannot be updated.
The non-secure application contains the user non-secure application and the PSA API used to call the user secure application. It is depicted in grey in Figure 1. To benefit from the secure assets of TF-M, the non-secure application calls, through the PSA API, the application updatable RoT, which then calls the PSA updatable RoT, which in turn can access the secure assets.
TFM vs SBSFU
TF-M is a solution based on software and hardware. Thus, the target must have the required hardware to run the corresponding software. As some parts of TF-M require hardware features that are available only on some micro-controllers, two types of applications are implemented in TF-M. Which application the developer can use therefore depends on the hardware capabilities:
- SBSFU consists only of the Secure Boot and Secure Firmware Update application (PSA immutable RoT, dark blue zone in Figure 1) [AN5447, §6].
- TFM (without dash) consists of the Secure Boot and Secure Firmware Update application (PSA immutable RoT, dark blue zone in Figure 1) and of TF-M secure services (PSA updatable RoT, light blue zone in Figure 1) [AN5447, §7].
In addition, both of them contain a user application which consists of the application updatable RoT and of the non-secure application, the former being located in the secure part of the Arm TrustZone and the latter being located in the non-secure part of the Arm TrustZone.
The STM32L562 Series and STM32U585 Series provide hardware cryptography features in addition to the Arm TrustZone technology, while the STM32L552 Series and STM32U575 Series only provide the TrustZone technology. As TFM requires these extended cryptography hardware features, it can only run on the STM32L562 or STM32U585. SBSFU must be used on the STM32L552 or STM32U575.
Secure Boot and Secure Firmware Update
MCUboot is a bootloader that is used as the secure boot and secure firmware updater. It is the PSA immutable RoT entity. It is built to run from flash memory and from a fixed location.
MCUboot supports encrypting/decrypting images on-the-fly while upgrading. This allows the transmission and storage of encrypted images. Furthermore, MCUboot can swap images. During the upgrade of the application, MCUboot decrypts on-the-fly the new image stored in external flash memory to write it into main memory, and encrypts on-the-fly the old one to write it into external flash memory.
Finally, MCUboot provides necessary tools to encrypt and sign images.
The secure services, accessible from the PSA updatable RoT, are [UM2671, §6]:
- Secure Storage service (SST). The service relies on hardware isolation of the flash memory to protect its flash area from non-secure access. Data is protected by an AES-GCM-based AEAD encryption policy.
- Internal Trusted Storage service (ITS). Similar to SST, the service relies on hardware to isolate the data from the non-secure domain. However, it does not implement any encryption policy.
- Cryptography service. The service provides an implementation of the PSA crypto API and is based on mbed-crypto.
- Initial Attestation service. This service allows the application to prove the device identity during an authentication process.
Of course, this little summary is only the tip of the iceberg. Many hardware services are used as protection measures to offer an optimal security strategy. Future blog posts presenting the implementation of secure and non-secure applications will describe these services in more detail.
On the legal side, ordering the STM32L562E-DK in Switzerland is regulated under the EU General Export Authorisations (EU GEA), as this product is classified as dual-use due to its hardware crypto features. In short, dual-use products can be used for both civil and military purposes. Therefore, their import and export are controlled to prevent such products from being used to develop, make or use (parts of) NBC weapons, or to arm countries that are considered threats to world security. A bit of paperwork is thus mandatory to certify that the product will not be used in such conditions.