Registered User mNo edit summary |
Registered User mNo edit summary Tag: 2017 source edit |
||
| (21 intermediate revisions by 6 users not shown) | |||
| Line 1: | Line 1: | ||
<noinclude>{{ApplicableFor | <noinclude>{{ApplicableFor | ||
|MPUs list=STM32MP13x | |MPUs list=STM32MP13x, STM32MP25x | ||
|MPUs checklist=STM32MP13x,STM32MP15x | |MPUs checklist=STM32MP13x,STM32MP15x, STM32MP25x | ||
}}</noinclude> | }}</noinclude> | ||
==Article purpose== | ==Article purpose== | ||
The purpose of this article is to: | The purpose of this article is to: | ||
* briefly introduce the SAES peripheral and its main features | * briefly introduce the SAES peripheral and its main features, | ||
* indicate the | * indicate the peripheral instances assignment at boot time and their assignment at runtime (including whether instances can be allocated to secure contexts), | ||
* list the software frameworks and drivers managing the peripheral, | |||
* explain | * explain how to configure the peripheral. | ||
==Peripheral overview== | ==Peripheral overview== | ||
The SAES peripheral provides hardware acceleration to encrypt or decrypt data using the AES<ref>https://en.wikipedia.org/wiki/Advanced_Encryption_Standard</ref> algorithms. It supports | The '''SAES''' peripheral provides hardware acceleration to encrypt or decrypt data using the AES<ref>https://en.wikipedia.org/wiki/Advanced_Encryption_Standard</ref> algorithms. It supports two key sizes (128 bits and 256 bits) and different chaining modes. It incorporates protections against differential power analysis (DPA) and the related side-channel attacks. | ||
Refer to the [[STM32MP13 resources#Reference manuals|STM32MP13 reference manuals]] for the complete list of features, and to the software frameworks and drivers, introduced below, to see which features are implemented. | |||
Refer to the [[STM32MP13 resources#Reference manuals|STM32MP13 reference manuals]] for the complete list of features, and to the software | |||
== | ==Peripheral usage== | ||
This chapter is applicable in the scope of the '''OpenSTLinux BSP''' running on the Arm<sup>®</sup> Cortex<sup>®</sup>-A processor(s), and the '''STM32CubeMPU Package''' running on the Arm<sup>®</sup> Cortex<sup>®</sup>-M processor. | |||
== | ===Boot time assignment=== | ||
=== | ====On {{MicroprocessorDevice | device=13}}==== | ||
The SAES instance is used to decrypt firmware. | The SAES instance is used to decrypt the firmware. | ||
{{#lst:STM32MP1_internal_peripherals_assignment_table_template|stm32mp1_boottime}} | |||
<section begin=stm32mp13_boottime /> | |||
| rowspan="1" | Security | |||
| rowspan="1" | [[SAES internal peripheral|SAES]] | |||
| SAES | |||
| <span title="assignable peripheral" style="font-size:21px">☐</span> | |||
| <span title="assigned peripheral" style="font-size:21px">☑</span> | |||
| | |||
| ROM code allocation is managed with the [[STM32MP13_OTP_mapping|bit 7 in OTP 9]] | |||
|- | |||
<section end=stm32mp13_boottime /> | |||
|} | |||
== | ====On {{MicroprocessorDevice | device=25}}==== | ||
=== | {{#lst:STM32MP2_internal_peripherals_assignment_table_template|stm32mp2_a35_boottime}} | ||
<section begin=stm32mp25_a35_boottime /> | |||
| rowspan="1" | Security | |||
| rowspan="1" | [[SAES internal peripheral | SAES]] | |||
| SAES | |||
| <span title="assignable peripheral" style="font-size:21px">☐</span> | |||
| <span title="assigned peripheral" style="font-size:21px">☑</span> | |||
| <span title="assignable peripheral but not supported" style="font-size:21px">⬚</span> | |||
| ROM code allocation is managed with the [[STM32MP25_OTP_mapping|bit 8 in OTP 16]] | |||
|- | |||
<section end=stm32mp25_a35_boottime /> | |||
|} | |||
===Runtime assignment=== | |||
====On {{MicroprocessorDevice | device=13}}==== | |||
=== | {{#lst:STM32MP1_internal_peripherals_assignment_table_template|stm32mp13_runtime}} | ||
{{ | <section begin=stm32mp13_runtime /> | ||
{{: | |||
< | |||
| rowspan="1" | Security | | rowspan="1" | Security | ||
| rowspan="1" | [[SAES internal peripheral|SAES]] | | rowspan="1" | [[SAES internal peripheral|SAES]] | ||
| Line 54: | Line 59: | ||
| <span title="assignable peripheral but not supported" style="font-size:21px">⬚</span> | | <span title="assignable peripheral but not supported" style="font-size:21px">⬚</span> | ||
| Assignment (single choice) | | Assignment (single choice) | ||
|- | |-<section end=stm32mp13_runtime /> | ||
</ | |} | ||
==How to | ====On {{MicroprocessorDevice | device=25}}==== | ||
{{#lst:STM32MP2_internal_peripherals_assignment_table_template|stm32mp25_runtime}} | |||
<section begin=stm32mp25_a35_runtime /> | |||
| rowspan="1" | Security | |||
| rowspan="1" | [[SAES internal peripheral | SAES]] | |||
| SAES | |||
| <span title="assignable peripheral" style="font-size:21px">☐</span><sup>OP-TEE</sup> | |||
| <span title="assignable peripheral but not supported" style="font-size:21px">⬚</span> | |||
| <span title="assignable peripheral" style="font-size:21px">☐</span> | |||
| <span title="assignable peripheral but not supported" style="font-size:21px">⬚</span> | |||
| | |||
| | |||
|- | |||
<section end=stm32mp25_a35_runtime /> | |||
|} | |||
==Software frameworks and drivers== | |||
Below are listed the software frameworks and drivers managing the SAES peripheral for the embedded software components listed in the above tables. | |||
* '''Linux<sup>®</sup>''': [[Crypto_API_overview|crypto framework]] | |||
* '''OP-TEE''': [[STM32 MPU OP-TEE_overview|SAES driver]] and {{CodeSource | OP-TEE_OS | core/include/crypto/crypto.h | Cryptographic Provider API (CP API)}} | |||
* '''TF-A BL2''': [[TF-A_overview|SAES driver]] | |||
==How to assign and configure the peripheral== | |||
The peripheral assignment can be done via the [[STM32CubeMX]] graphical tool (and manually completed if needed).<br /> | |||
This tool also helps to configure the peripheral: | |||
* partial device trees (pin control and clock tree) generation for the OpenSTLinux software components, | |||
* HAL initialization code generation for the STM32CubeMPU Package. | |||
The configuration is applied by the firmware running in the context in which the peripheral is assigned. | |||
==References== | ==References== | ||
| Line 64: | Line 96: | ||
<noinclude> | <noinclude> | ||
[[Category:Security peripherals|SAES internal peripheral]] | |||
{{ArticleBasedOnModel| Internal peripheral article model}} | {{ArticleBasedOnModel| Internal peripheral article model}} | ||
{{PublicationRequestId | 24122 | 2022-07-27 | }} | |||
</noinclude> | </noinclude> | ||
Latest revision as of 16:12, 25 July 2024
1. Article purpose
The purpose of this article is to:
- briefly introduce the SAES peripheral and its main features,
- indicate the peripheral instances assignment at boot time and their assignment at runtime (including whether instances can be allocated to secure contexts),
- list the software frameworks and drivers managing the peripheral,
- explain how to configure the peripheral.
2. Peripheral overview
The SAES peripheral provides hardware acceleration to encrypt or decrypt data using the AES[1] algorithms. It supports two key sizes (128 bits and 256 bits) and different chaining modes. It incorporates protections against differential power analysis (DPA) and the related side-channel attacks.
Refer to the STM32MP13 reference manuals for the complete list of features, and to the software frameworks and drivers, introduced below, to see which features are implemented.
3. Peripheral usage
This chapter is applicable in the scope of the OpenSTLinux BSP running on the Arm® Cortex®-A processor(s), and the STM32CubeMPU Package running on the Arm® Cortex®-M processor.
3.1. Boot time assignment
3.1.1. On STM32MP13x lines 
The SAES instance is used to decrypt the firmware.
Click on 
to expand or collapse the legend...
| Domain | Peripheral | Boot time allocation | Comment
| |||
|---|---|---|---|---|---|---|
| Instance | Cortex-A7 secure (ROM code) |
Cortex-A7 secure (TF-A BL2) |
Cortex-A7 non-secure (U-Boot) | |||
| Security | SAES | SAES | ☐ | ☑ | ROM code allocation is managed with the bit 7 in OTP 9 | |
3.1.2. On STM32MP25x lines
Click on to expand or collapse the legend...
| Domain | Peripheral | Boot time allocation | Comment
| |||
|---|---|---|---|---|---|---|
| Instance | Cortex-A35 secure (ROM code) |
Cortex-A35 secure (TF-A BL2) |
Cortex-A35 non-secure (U-Boot) | |||
| Security | SAES | SAES | ☐ | ☑ | ⬚ | ROM code allocation is managed with the bit 8 in OTP 16 |
3.2. Runtime assignment
3.2.1. On STM32MP13x lines
Click on to expand or collapse the legend...
| Domain | Peripheral | Runtime allocation | Comment
| ||
|---|---|---|---|---|---|
| Instance | Cortex-A7 secure (OP-TEE) |
Cortex-A7 non-secure (Linux) | |||
| Security | SAES | SAES | ☐ | ⬚ | Assignment (single choice) |
3.2.2. On STM32MP25x lines
Click on to expand or collapse the legend...
| Domain | Peripheral | Runtime allocation | Comment
| |||||
|---|---|---|---|---|---|---|---|---|
| Instance | Cortex-A35 secure (OP-TEE / TF-A BL31) |
Cortex-A35 non-secure (Linux) |
Cortex-M33 secure (TF-M) |
Cortex-M33 non-secure (STM32Cube) |
Cortex-M0+ (STM32Cube) | |||
| Security | SAES | SAES | ☐OP-TEE | ⬚ | ☐ | ⬚ | ||
4. Software frameworks and drivers
Below are listed the software frameworks and drivers managing the SAES peripheral for the embedded software components listed in the above tables.
- Linux®: crypto framework
- OP-TEE: SAES driver and Cryptographic Provider API (CP API)
- TF-A BL2: SAES driver
5. How to assign and configure the peripheral
The peripheral assignment can be done via the STM32CubeMX graphical tool (and manually completed if needed).
This tool also helps to configure the peripheral:
- partial device trees (pin control and clock tree) generation for the OpenSTLinux software components,
- HAL initialization code generation for the STM32CubeMPU Package.
The configuration is applied by the firmware running in the context in which the peripheral is assigned.
6. References