Registered User mNo edit summary Tag: 2017 source edit |
Registered User mNo edit summary Tag: 2017 source edit |
||
| (3 intermediate revisions by 3 users not shown) | |||
| Line 3: | Line 3: | ||
|MPUs checklist=STM32MP13x, STM32MP15x, STM32MP25x | |MPUs checklist=STM32MP13x, STM32MP15x, STM32MP25x | ||
}}</noinclude> | }}</noinclude> | ||
== Overview == | == Overview == | ||
The STM32 MPUs embed a tamper detection management system. | The STM32 MPUs embed a tamper detection management system. | ||
| Line 11: | Line 12: | ||
The automatic erase mode of all secrets can be configured for some tampers. It is enabled by default but can be turned off (see [[TAMP device tree configuration]]) if the user application needs to control erase operations. The platform secrets access is blocked when erase is on-going. | The automatic erase mode of all secrets can be configured for some tampers. It is enabled by default but can be turned off (see [[TAMP device tree configuration]]) if the user application needs to control erase operations. The platform secrets access is blocked when erase is on-going. | ||
Except for {{MicroprocessorDevice | device=15}}, the tampers can be configured in | Except for {{MicroprocessorDevice | device=15}}, the tampers can be configured in two modes: | ||
* Confirmed mode: immediate erase of secrets on tamper detection, including backup registers erase | * Confirmed mode: immediate erase of secrets on tamper detection, including backup registers erase | ||
* Potential mode: | * Potential mode: some of the secrets are instead locked following a tamper detection until a software action. | ||
On {{MicroprocessorDevice | device=15}}, the secrets will be erased. | On {{MicroprocessorDevice | device=15}}, the secrets will be erased. | ||
| Line 23: | Line 24: | ||
=== Internal tampers === | === Internal tampers === | ||
The table below represents the list of the supported internal tampers. | The table below represents the list of the supported internal tampers. | ||
<!-- There is no JTAG internal tamper on the STM32MP15 series please untick the corresponding box below --> | |||
{| class="st-table" width="60%" valign="top" | {| class="st-table" width="60%" valign="top" | ||
|- | |- | ||
| Line 63: | Line 64: | ||
! scope="row" | JTAG/SWD access | ! scope="row" | JTAG/SWD access | ||
| <span title="internal tamper available" style="font-size:21px">✓</span> | | <span title="internal tamper available" style="font-size:21px">✓</span> | ||
| | | | ||
| <span title="internal tamper available" style="font-size:21px">✓</span> | | <span title="internal tamper available" style="font-size:21px">✓</span> | ||
|- | |- | ||
| Line 113: | Line 114: | ||
* 8 on {{MicroprocessorDevice | device=25}} | * 8 on {{MicroprocessorDevice | device=25}} | ||
The external tampers can be configured as passive (they detect a level or an edge on one pin) or as active ( | The external tampers can be configured as passive (they detect a level or an edge on one pin) or as active (two pins have to be linked together, and the TAMP hardware regularly sends a random level on the OUT pin, then reads IN pins and raises the tamper flag if the values mismatch). Note that the number of mismatches raised before a tamper event can be configured. | ||
== Software configuration == | == Software configuration == | ||
=== Default internal tampers configuration === | === Default internal tampers configuration === | ||
Be aware that some of the internal tampers require other feature to be functional(LSE/HSE monitoring, voltage monitoring). Refer to the TAMP chapter of the [[STM32 MPU resources#Reference manuals|SoC reference manual]] to learn more on this subject. | Be aware that some of the internal tampers require other feature to be functional (LSE/HSE monitoring, voltage monitoring). Refer to the TAMP chapter of the [[STM32 MPU resources#Reference manuals|SoC reference manual]] to learn more on this subject. | ||
{{Warning | Because it monitors the LSE oscillator used for the retention domain, a LSE monitoring internal tamper event must be followed by either a reset of the backup domain or a custom sequence. For the latter, please modify the code in {{CodeSource | TF-A | plat/st/stm32mp1/bl2_plat_setup.c | TF-A BL2 platform setup}} and {{CodeSource | OP-TEE_OS | core/drivers/stm32_tamp.c | OP-TEE tamper driver}} }} | {{Warning | Because it monitors the LSE oscillator used for the retention domain, a LSE monitoring internal tamper event must be followed by either a reset of the backup domain or a custom sequence. For the latter, please modify the code in {{CodeSource | TF-A | plat/st/stm32mp1/bl2_plat_setup.c | TF-A BL2 platform setup}} and {{CodeSource | OP-TEE_OS | core/drivers/stm32_tamp.c | OP-TEE tamper driver}} .}} | ||
For {{MicroprocessorDevice | device=13}}: | For {{MicroprocessorDevice | device=13}}: | ||
* By default, there is no internal tamper enabled. | * By default, there is no internal tamper enabled. To enable one or more of them, refer to the [[TAMP device tree configuration#Common TAMP node append |TAMP common property list]] | ||
For {{MicroprocessorDevice | device=15}}: | For {{MicroprocessorDevice | device=15}}: | ||
* By default, there is no internal tamper enabled. | * By default, there is no internal tamper enabled. To enable one or more of them, refer to the[[TAMP device tree configuration#Common TAMP node append | TAMP common property list]] | ||
For {{MicroprocessorDevice | device=25}}: | For {{MicroprocessorDevice | device=25}}: | ||
* By default, there is no internal tamper enabled. | * By default, there is no internal tamper enabled. To enable one or more of them, refer to the [[TAMP device tree configuration#Common TAMP node append |TAMP common property list]] | ||
=== Default external tampers configuration === | === Default external tampers configuration === | ||
For STMicroelectronics boards and except for {{MicroprocessorDevice | device=15}} platforms, the TAMP button is default supported to generate tamper events. This is done in the board device tree file. See: [[TAMP device tree configuration#DT configuration (board level) | Board device tree configuration]] | For STMicroelectronics boards and except for {{MicroprocessorDevice | device=15}} platforms, the TAMP button is default supported to generate tamper events. This is done in the board device tree file. See:[[TAMP device tree configuration#DT configuration (board level) | Board device tree configuration]] | ||
<noinclude> | <noinclude> | ||
[[Category:Abnormal situation handling|How to trace and debug]] | [[Category:Abnormal situation handling|How to trace and debug]] | ||
{{PublicationRequestId | 33573 | 2025-01-10 | }} | {{PublicationRequestId | 33573 | 2025-01-10| }} | ||
</noinclude> | </noinclude> | ||
Latest revision as of 15:33, 1 April 2025
1. Overview[edit | edit source]
The STM32 MPUs embed a tamper detection management system.
The tamper management and configuration functions have been added to the OP-TEE secure OS to protect against external attacks when the system is running. The tamper management is also present in the TF-A BL2 because tamper events can occur when the SoC is in low-power or power-off modes.
When a tamper event occurs, the platform's secrets are erased or blocked. The automatic erase mode of all secrets can be configured for some tampers. It is enabled by default but can be turned off (see TAMP device tree configuration) if the user application needs to control erase operations. The platform secrets access is blocked when erase is on-going.
Except for STM32MP15x lines 
, the tampers can be configured in two modes:
- Confirmed mode: immediate erase of secrets on tamper detection, including backup registers erase
- Potential mode: some of the secrets are instead locked following a tamper detection until a software action.
On STM32MP15x lines , the secrets will be erased.
To learn more about which secrets are erased or blocked in which modes, refer to the TAMP interconnection in the TAMP chapter of the SoC reference manual.
 Information
|
| Because STMicroelectronics cannot provide generic sequences on how to handle tampers, someone wishing to use tampers is expected to customize the tampers interrupt handler sequence. The default behavior when a tamper event occurs is a system reset when running. When the tamper is in confirmed mode, the appropriate secret erase sequence is also performed by the hardware. Whereas in potential mode, the secrets are blocked but not erased until the handler sequence is performed. The files to custom are TF-A BL2 platform setup (when a tamper event happens when the SoC is in retention mode) and OP-TEE tamper driver for runtime management |
1.1. Internal tampers[edit | edit source]
The table below represents the list of the supported internal tampers.
| STM32MP13x lines
|
STM32MP15x lines
|
STM32MP25x lines
| |
|---|---|---|---|
| Backup voltage domain monitoring | ✓ | ✓ | ✓ |
| Temperature monitoring | ✓ | ✓ | ✓ |
| LSE monitoring | ✓ | ✓ | ✓ |
| HSE monitoring | ✓ | ✓ | ✓ |
| RTC calendar overflow | ✓ | ✓ | ✓ |
| Monotonic counter (1) overflow | ✓ | ✓ | ✓ |
| JTAG/SWD access | ✓ | ✓ | |
| Cryptographic IPs fault (SAES or CRYP or PKA or TRNG) | ✓ | ✓ | |
| Monotonic counter 2 overflow | ✓ | ✓ | |
| IWDG reset when tamper flag is set | ✓ | IWDG1/2/5✓ | |
| ADC2 analog watchdog monitoring 1 | ✓ | ||
| ADC2 analog watchdog monitoring 2 | ✓ | ||
| ADC2 analog watchdog monitoring 3 | ✓ | ||
| VDDCORE monitoring under/over voltage | ✓ | ||
| LPSRAM1 CRC fail (same signal as IWDG5 reset) | ✓ |
1.2. External tampers[edit | edit source]
External tampers can be defined on all MPUs:
- 3 on STM32MP15x lines
- 8 on STM32MP13x lines
- 8 on STM32MP25x lines
The external tampers can be configured as passive (they detect a level or an edge on one pin) or as active (two pins have to be linked together, and the TAMP hardware regularly sends a random level on the OUT pin, then reads IN pins and raises the tamper flag if the values mismatch). Note that the number of mismatches raised before a tamper event can be configured.
2. Software configuration[edit | edit source]
2.1. Default internal tampers configuration[edit | edit source]
Be aware that some of the internal tampers require other feature to be functional (LSE/HSE monitoring, voltage monitoring). Refer to the TAMP chapter of the SoC reference manual to learn more on this subject.
For STM32MP13x lines :
- By default, there is no internal tamper enabled. To enable one or more of them, refer to the TAMP common property list
For STM32MP15x lines :
- By default, there is no internal tamper enabled. To enable one or more of them, refer to the TAMP common property list
For STM32MP25x lines :
- By default, there is no internal tamper enabled. To enable one or more of them, refer to the TAMP common property list
2.2. Default external tampers configuration[edit | edit source]
For STMicroelectronics boards and except for STM32MP15x lines platforms, the TAMP button is default supported to generate tamper events. This is done in the board device tree file. See: Board device tree configuration