Secure Manager for STM32H5

1. Introduction

In addition to Secure Manager, STM32H5 MCUs are also equipped with new security features, such as Product life cycle, Isolation, Debug authentication, Secure Storage and Secure Boot.

Using these features on a stand-alone basis requires solid security skills. As an alternative, STMicroelectronics offers Secure Manager, a full solution that it owns and maintains. This solution provides a full set of security features targeting SESIP and PSA Level 3 certification.

This article describes Secure Manager for STM32H5. For information on the generic Secure Manager solution, refer to the Secure Manager article.

2. Secure Manager overview

Secure Manager is an STMicroelectronics trusted execution environment security framework that is compliant with Arm® Platform Security Architecture (PSA) specifications for Cortex®-M (Armv8-M).

Secure Manager aims to simplify the security development cycle of embedded applications by providing ready-to-use security services developed following best practices.

Easy to install on STM32 products, Secure Manager offers a ready-to-use, high-performance solution that targets certification. It supports Secure Boot, root of trust, cryptography, internal trusted storage, and initial attestation, as well as firmware update functions defined by the Arm® PSA specifications.

The Secure Manager features are the following:

  • Arm PSA standard and API compliance
  • Arm PSA services
    • Secure Boot
    • Cryptography
    • Internal trusted storage
    • Initial attestation
    • Firmware update
  • Multiple-tenant software IP protection
    • Sandboxed secure services (PSA isolation level 3)
  • Security certification target
    • PSA Certification L3
    • GlobalPlatform SESIP3

3. Secure Manager ecosystem

In order to manage the Product life cycle, Secure Manager is delivered with a complete ecosystem composed of the following:

  • Secure Manager access kit (SMAK): The SMAK is used to develop nonsecure applications using the Secure Manager services.
  • Secure Module development kit (SMDK): The SMDK is used to develop secure modules and associated APIs to access these modules from nonsecure (NS) applications.

4. Further information

For more information on developing nonsecure applications using the Secure Manager services, refer to the SMAK for STM32H5 article.
For more information about Secure Manager manufacturing, refer to the SMAK for STM32H5 article.
For more information on developing secure modules, refer to the SMDK for STM32H5 article.
