1. Overview
The STM32 MPUs embed tamper detection management system.
The tamper management and configuration functions have been added to the secure OS to select and detect events to protect against external attacks.
On a tamper event, secrets are erased or blocked.
The backup registers and backup SRAM (configurable on STM32MP13x lines 
) are considered as secrets.
On STM32MP13x lines , the security level has been increased and the following preripheral have been added to the secret list:
The automatic erase mode can be configured for any tampers (internal and external). It is enabled by default but can be turned off (NOERASE) if the user application needs to control erase operations. If disabled the backup registers, SRAM3, and RHUK (root hardware unique key) in BSEC are locked (no read nor write are possible until event acknowledged), and SAES, HASH peripherals and PKA SRAM are always erased.
1.1. Internal tampers
The table below represents the list of the supported internal tampers.
| STM32MP13x lines
|
STM32MP15x lines
| |
|---|---|---|
| Backup voltage domain monitoring | ✓ | ✓ |
| Temperature monitoring | ✓ | ✓ |
| LSE monitoring | ✓ | ✓ |
| HSE monitoring | ✓ | ✓ |
| RTC calendar overflow | ✓ | ✓ |
| Monotonic counter (1) overflow | ✓ | ✓ |
| JTAG/SWD access | ✓ | |
| Cryptographic IPs fault (SAES or CRYP or PKA or TRNG) | ✓ | |
| Monotonic counter 2 overflow | ✓ | |
| IWDG reset when tamper flag is set | ✓ | |
| ADC2 analog watchdog monitoring 1 | ✓ | |
| ADC2 analog watchdog monitoring 2 | ✓ | |
| ADC2 analog watchdog monitoring 3 | ✓ |
1.2. External tampers
3 external tampers on STM32MP15x lines and 8 on STM32MP13x lines can be defined.
The external tampers can be configured as passive (they detect a level or an edge on one pin) or as active (2 pins have to be linked together, and the TAMP hardware regularly sends a random level on the OUT pin, then reads IN pins and raises the tamper flag if the values mismatch). Note that the number of mismatch before a tamper event is raised can be configured.
2. Software configuration
The tamper driver only exists in OP-TEE.
External tampers have to be configured in device tree.
Internal and external tampers have to be activated in main configuration file .
The device tree enables the TAMP IP and configures the external tamper (active, passive, level, and so on).
The main.c activates the desired TAMPER_ID, in ERASE or NOERASE mode and defines which is the callback in case of an event. An external TAMPER can be activated only if the corresponding TAMPER_ID is enabled in the device tree.
Example :
static uint32_t int_tamp1_callback(int id) {
MSG("Backup domain voltage threshold monitoring tamper event occurs");
/* ... */
/* specific application event management */
/* ... */
return TAMP_CB_ACK_AND_RESET;
}
stm32_tamp_activate(INT_TAMP1, TAMP_ERASE, tamp1_callback);
The value returned by the callback defines if the driver acknowledges the event, and resets the board. If the event is configured as NOERASE, the callback may check:
- in case of true positive: erase manually secret (with stm32_tamp_erase_secret()) and returns TAMP_CB_ACK_AND_RESET
- in case of false positive: returns TAMP_CB_ACK (it unlocks the secret IPs).
The main.c configures the permission access of the TAMP register (privileged mode, secure mode), and it shows if the backup SRAM is included in the secret IPs list.
2.1. Default internal tampers configuration
For STM32MP13x lines :
- By default, only internal tampers 1, 2, 3 , 4, 7, 12 and 13 are enabled, configured as ERASE, and the callback resets the board.
For STM32MP15x lines :
- By default, only internal tampers 1, 2, 3 , 4 are enabled, configure as ERASE, and the callback will reset the board.
2.2. External tampers
On the STM32MP135F-DK 
, a tamper button is connected to the external tamper 2. It is default enable in the device tree. Pressing the TAMP button raises the EXT_TAMP2 event, erases all secrets and resets the board.