1. What is SFI?

The secure firmware install (SFI) solution provides security when programming devices in a non-trusted facility owned by a Contract Manufacturer (CM).

Info white.png Information
For detailed STM32 reference supporting SFI, refer to applicable products in AN4992 STM32 MCUs secure firmware install (SFI) overview

SFI addresses the two main issues at a non-trusted facility:

  • OEM application confidentiality against CM during STM32 programming.
  • Avoid CM overproduction of OEM devices.

The graph below shows a typical manufacturing process where an OEM develops an application and requires programming this application in the STM32 during manufacturing. The manufacturing process is the responsibility of the CM, which purchases STM32 primary parts from ST through either sales or distribution channels.

Without SFI, the OEM sends uncoded firmware to the CM. So, the application code is open to attacks or copies. The OEM must trust the CM, hoping that its application code is not stolen or tampered with and that the CM does not over-produce parts.

Security Manufacturing problem.png

SFI offers a complete example with the STM32 Trusted Package Creator software package to encrypt the OEM application (including code and data), the STM32CubeProgrammer to flash the STM32 securely, and the STM32-HSM[1] to transfer OEM credentials to the programming partner (CM).

Security SFI ManageSTM32authentication.png

Below is the description of the SFI manufacturing scheme:

  • The OEM creates and manages his secret encryption key (the firmware key as indicated in the figure below).
  • The OEM encrypts its application and Option bytes configuration with the firmware key. It is the SFI OEM application image (the Encrypted file in the figure below).
  • The OEM programs the firmware key within an HSM and locks it. After that step, the firmware key cannot be read or extracted clearly from the HSM. Only STM32 can handle the firmware key from the HSM.
  • The OEM sends the HSM and the SFI OEM application image to the CM facility.
  • The CM securely installs the OEM application using SFI tools (including HSM):
    • STM32 securely extracts the firmware key from the HSM. HSM verifies the firmware key extraction request number.
    • STM32 securely decrypts and programs the OEM application within the internal flash.
    • OEM application is never disclosed outside STM32. The SFI process guarantees the OEM application confidentiality against CM.

OEM uses the STM32 Trusted Package Creator software to:

  • Encrypt the OEM application (meaning binary files)
  • Store its credentials (firmware key and part counter) into STM32-HSM [1].

CM uses the STM32CubeProgrammer (or any other SFI-recommended partner programming tools) to securely program STM32 MCUs in untrusted environments.

Security SFIgraph2.png

2. SFI security features

The SFI security features are the following:

  • Only STMicroelectronics STM32 microcontrollers can install the protected firmware.
  • The number of STM32 chips to program are counted by the STM32-HSM[1].
  • Authenticity, integrity, and confidentiality of the OEM application and option bytes.
  • STM32 user Flash and external memory:
    • User flash: STM32 programs user Flash with decrypted application and option bytes.
    • External memory: if applicable (according to STM32 family), the STM32 receives encrypted OEM external application targeting external memory, STM32 decrypts it, and re-encrypts it with either a device unique or a global key before programming in external memory.

3. Getting started with STM32 and SFI

You can refer to the following pages for step-by-step examples of SFI.

4. References