1. What is Secure Boot and Secure Firmware Update
The Secure Boot and Secure Firmware Update solution ensures that only authorized software is executed on a device.
After a STM32 reset, Secure Boot is the first firmware that is run on the device. It activates the security mechanisms, and verifies the authenticity and the integrity of the code executed on the platform after the boot stage (Application).
Secure Boot is the foundation of the device security, also known as the Root of Trust (RoT) of the device. This foundation is extended by the Secure Firmware Update functionality, which allows the Application to be updated securely.
2. Secure Boot
Secure Boot uses cryptography to verify (authentication and integrity) the Application code and its metadata.
Secure Boot only grants Application execution if the verifications on both the code and the metadata are successful. Metadata may contain version information, hardware configuration, boot conditions, and more.
Secure Boot must be immutable code launched at reset. Immutability is a mandatory requirement for Secure Boot:
- Immutability is ensured by ROM code, or by any other mechanism that makes the code immutable. In STM32 microcontrollers, immutability is typically supported by the write-protection mechanism of the flash memory.
- The immutable code must be concise, simple and verifiable. Since immutable code cannot be patched in the field, this minimizes the risk of vulnerabilities that cannot be corrected; complex steps are handled at a later stage. The immutable code is the RoT executed at reset: it verifies the platform configuration, such as the boot configuration and the protection mechanisms.
3. Secure Firmware Update
Secure Firmware Updatability of the Application is a key point for maintaining security in the face of vulnerability risks. If the Application on the device is affected by a security weakness, an Application update is performed to fix it.
The Secure Firmware Update of the Application relies on cryptography to decrypt, authenticate and check the integrity of the newly received Application image.
The Secure Firmware Update can be implemented by following different strategies:
- One slot: the new Application image overwrites the running Application within the slot. This configuration can be used when local downloading is allowed.
- Two slots: Secure Firmware Update verifies the new Application image within the first slot (Download slot) and installs it within the second slot (Execution slot). This configuration can be used if Over-The-Air (OTA) updates are supported.
- Recovery: if no valid image remains within any slot, Secure Firmware Update recovers a factory image.
- Other strategies may also be used.
Regardless of the selected strategy, Secure Firmware Update must handle version control (anti-rollback): it ensures that a previous version of the Application (Application version N-1) cannot be installed after the current Application version (Application version N) has run.
The Application is responsible for downloading the new Application image. Once the new image is received, the Application triggers a device reset so that Secure Boot runs, and Secure Firmware Update installs the new Application version.
Image programming must be resistant to asynchronous power-down and reset. The image upgrade strategy can:
- be based on overwriting, swapping, or any other mechanism;
- apply the whole image update at once, or in sequential steps (depending on the available non-volatile space);
- cover both the code update and the image data.
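A minimal model of the reset-time decision described in sections 2 and 3 (verification of code and metadata, two-slot installation, anti-rollback and recovery), added here as an illustration and not code from ST's SBSFU packages. The header layout, the `ROT_KEY` HMAC standing in for asymmetric signature verification, and the `installed_version` counter are assumptions of this example.

```python
import hashlib
import hmac
import struct

# Constructed header layout for this demo (not the SBSFU or mcuboot format):
# magic(4) | version(4) | code size(4) | SHA-256 of code(32) | auth tag(32)
HEADER = struct.Struct("<4sII32s32s")
META_LEN = HEADER.size - 32          # bytes covered by the auth tag
MAGIC = b"SFUM"
# Stand-in for the verification key kept in the immutable boot code;
# a real implementation verifies an asymmetric signature, not an HMAC.
ROT_KEY = b"constructed-demo-key"


def build_image(version: int, code: bytes) -> bytes:
    """Pack code with authenticated metadata (role of the image-preparation tool)."""
    meta = struct.pack("<4sII32s", MAGIC, version, len(code), hashlib.sha256(code).digest())
    tag = hmac.new(ROT_KEY, meta, "sha256").digest()
    return meta + tag + code


def verify_image(image: bytes):
    """Authenticate the metadata, then check code integrity; (version, code) or None."""
    if len(image) < HEADER.size:
        return None
    magic, version, size, digest, tag = HEADER.unpack_from(image)
    expected = hmac.new(ROT_KEY, image[:META_LEN], "sha256").digest()
    if magic != MAGIC or not hmac.compare_digest(expected, tag):
        return None                                  # metadata not authentic
    code = image[HEADER.size:HEADER.size + size]
    if len(code) != size or hashlib.sha256(code).digest() != digest:
        return None                                  # code altered or truncated
    return version, code


def secure_boot(exec_slot: bytes, download_slot: bytes, installed_version: int):
    """Two-slot decision at reset: 'install', 'execute' or 'recover'.
    installed_version models the anti-rollback counter in protected
    non-volatile memory (an assumption of this demo)."""
    new = verify_image(download_slot)
    if new is not None and new[0] > installed_version:
        return "install", new[0]      # SFU copies the Download slot to the Execution slot
    current = verify_image(exec_slot)
    if current is not None:
        return "execute", current[0]  # rollback or bad download: keep running version N
    return "recover", None            # no valid image in any slot: restore the factory image
```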
4. STM32 Secure Boot and Secure Firmware Update implementations
ST offers several implementations of Secure Boot and Secure Firmware Update, according to the STM32 hardware capabilities:
- SBSFU legacy
- SBSFU by mcuboot: implementation relying on the mcuboot open-source solution.
- STiRoT: SESIP-certified implementation.
5. References