How to deploy SSP using a step-by-step approach

---

1. Article purpose↑

This article explains, step by step, how to run the SSP process from the OEM secret generation till the chip provisioning. The SSP overview is explained here.

This example uses the STM32CubeProgrammer (STM32CubeProg) and its associated tools to manage the complete SSP.

2. OEM secret management↑

The aim of SSP is to protect OEM secrets. It includes multiple secrets:

• Secrets to be provisioned in OTP
• OEM authentication keys for Secure Boot
• OEM secrets encryption key

For STM32MP2 series it also includes:

• Backup registers
• Backup SRAM

2.1. Key generation↑

2.1.1. Authentication keys↑

The initial keys to generate for STM32 MPUs are the authentication keys. This is the root of trust of the STM32 MPU secure boot.
The PKHTH (on STM32MP13xC/F lines ) or PKH (on STM32MP15xC/F lines ) is automatically installed during the SSP process in the dedicated OTP.
On STM32MP2 series, the PKHTH must be provided by the user in the secret file to generate a valid payload.

To generate the keys, you can use the KeyGen_tool:

• On STM32MP13xC/F lines  or STM32MP25xC/F lines :

Example to generate eight ECC key pairs (Prime256v1) using AES_256_cbc encryption:

STM32_KeyGen_CLI -abs /home/user/KeyFolder/ -pwd testkey1 testkey2 testkey3 testkey4 testkey5 testkey6 testkey7 testkey8 -n 8

• On STM32MP15xC/F lines :

Example to generate one ECC key pair (Prime256v1) using AES_256_cbc encryption:

STM32_KeyGen_CLI -abs /home/user/KeyFolder/ -pwd testkey

2.1.2. Encryption key↑

The SSP process uses a symmetric encryption to protect the OEM secrets exchanged with the chip. This encryption/decryption uses an AES encryption scheme using:

• a 128-bit symmetric key
• a 128-bit nonce value

Both values are provisioned in a HSM, and then securely sent to a ST verified chip using a secured transfer flow.
The two values can be directly generated with the STM32 Trusted Package Creator available in STM32CubeProgrammer , which also further manages the secret file encryption with the given key:

Another solution is to prepare both keys using the KeyGen_tool (till version 2.12.0) with the command:

STM32_KeyGen_CLI -rand 16 enc_key.bin
STM32_KeyGen_CLI -rand 16 nonce.bin

2.2. Payload file↑

The payload file is a binary containing all the data the OEM will be provisioning during the SSP procedure. A payload file must at least include the section of data for the OTP: the secret file.

On STM32MP2 series, the payload file can also include several sections to provision data in battery backed memories such as TAMP backup registers and BKPSRAM.

On STM32MP2 series, the RSSe SSP firmware supports secret data encryption and key wrapping. Both of these operations can be done either for the CID1 (Cortex^®-A35) or CID2 (Cortex^®-M33) and can use the keys: DHUK, BHK or DHUK_xor_BHK (for more details on the keys see SAES chapter in reference manual).

The following table lists the supported algorithms for both operations

2.2.1. Secret file creation↑

STM32 Trusted Package Creator provides an interface to generate the secret file. After selecting the targeted STM32MPU, the OEM client can import binary. Here is an example after selecting "STM32MP25":

2.2.1.1. Secret file content for STM32MP1 series↑

On STM32MP1 series, the secret file includes:

• the RMA password (OTP56)
• all OTPs from 59 to 95 on STM32MP1 series, named Free for user.

The secret file size must be (1 + 95 - 59 + 1) * 4 bytes = 152 bytes.

2.2.1.2. Secret file content fo STM32MP2 series↑

On STM32MP2 series, the secret file must include:

• The Root of trust the PKHTH which is the public key hash table hash file (32 bytes) generated by KeyGen_tool.
• the RMA ^[1] passwords

2.2.2. Backup memory file creation↑

The provisioning of backed memory regions is only supported on STM32MP2 series. The STM32 Trusted Package Creator integrates an interface to create the backup memory file: backup-out.bin
The data and offset must be aligned on 32bits. The base address of the file is registered during the creation of the payload. The backup file list can be saved to a json file to be imported later.
The following screenshot shows how to create two backup sections to provision the BHK (Backup1) and then write in BKPR12 to BKPR15 a 256bits key wrapped with the BHK (Backup2).

2.2.2.1. BHK provisioning↑

To provision the BHK with the SSP procedure, the user must add a backup memory region with offset 0 in the backup registers (base address is 0x46010100). The region must be locked to enable the hardware to access the BHK.

The BHK is represented as a string of 32 bytes. For example to provision the key from the NIST AES ECB 256b test 0:

FE E8 38 9F ... EF 94 4B E0

The binary given as the input of STM32 Trusted Package Creator must invert the bytes of the key. The first byte of the NIST key (0xFE) must be the last byte of the file:

E0 4B 94 EF ... 9F 38 E8 FE

2.2.3. Payload creation↑

The STM32 Trusted Package Creator is used to encrypt and prepare the payload file used for provisioning.
All the previous generated keys and files must be properly selected in the STM32 Trusted Package Creator interface to generate the final encrypted file (.ssp).

2.2.3.1. On STM32MP1 series↑

On STM32MP15x lines , the OEM Public Key must be registered in the interface.
On STM32MP13x lines , the OEM Root Public Key Hashes Table Hash must be registered in the interface.

2.2.3.2. On STM32MP2 series↑

On STM32MP2 series, the OEM Root Public Key Hashes Table Hash and RMA password are already included in the secret file. Hence, the user does not need to register them on this interface.
The user can also add backup memory files. The supported base addresses are:

• 0x46010100 and 0x56010100 for TAMP backup registers.
• 0x42000000 and 0x52000000 for BKPSRAM.

2.3. HSM provisioning↑

The HSMv2^[2] must be provisioned with the OEM associated SSP file.

The STM32 Trusted Package Creator has a dedicated SSP HSM provisioning interface to select:

• the encryption key used to encrypt the SSP secret file
• the nonce used to encrypt the SSP secret file
• the personalization data file (used to identify the chip):
  • STM32MP1 for STM32MP1 series
    • 5010100D file for STM32MP13xC/F lines  rev.Y
    • 5000200A file for STM32MP15xC/F lines  rev.B & rev.Z
  • STM32MP2 for STM32MP2 series
    • 5050200E file for STM32MP23xC/F lines  and STM32MP25xC/F lines  rev.Y

• the maximum number of images to program, which depends also on the HSMv2 used.

3. SSP Firmware management↑

On STM32MPUs, a specific firmware is used to:

• exchange SSP communication with the host,
• burn the OTP in fuses,
• provision battery backed memory (only on STM32MP2 series)

3.1. SSP Firmware for STM32MP1 series↑

On STM32MP1 series, the SSP Firmware is a specific TF-A BL2 that is delivered with each ecosystem version and must be updated regarding the user's board.
It only includes a limited part of the TF-A BL2 scope:

• only serial boot support
• dedicated SSP feature set

The main TF-A firmware is ready for all targets except the board device tree. It must be customized in the same way as for TF-A BL2.

3.1.1. Build TF-A BL2 SSP↑

Because it uses the same firmware, the way of building and configuring the firmware is described in the How_to_configure_TF-A_BL2 page.

The specific part is the following one:

• dedicated flag to enable the SSP part: STM32MP_SSP
• no TRUSTED_BOARD_BOOT enabled to limit the BL2 binary size

Example:

• Command line for the UART mode on STM32MP13xC/F lines  using STM32MP135x-DK Discovery kit :

make ARM_ARCH_MAJOR=7 ARCH=aarch32 PLAT=stm32mp1 STM32MP_UART_PROGRAMMER=1 \
      STM32MP13=1 STM32MP_SSP=1 DTB_FILE_NAME=stm32mp135f-dk.dtb

• Command line for the USB mode on STM32MP15xC/F lines  using STM32MP157x-EV1 Evaluation board :

make ARM_ARCH_MAJOR=7 ARCH=aarch32 PLAT=stm32mp1 STM32MP_USB_PROGRAMMER=1 \
      STM32MP15=1 STM32MP_SSP=1 DTB_FILE_NAME=stm32mp157c-ev1.dtb

3.1.2. Signing TF-A BL2 SSP↑

This TF-A BL2 SSP firmware MUST be signed with the OEM authentication key generated at step 1.

The authentication is made by the ROM code using the OEM public key given by the HSM during the process.

This is made in the same way as TF-A BL2 using the Signing_tool.
Example:

 STM32_SigningTool_CLI -bin tfa-ssp.stm32 -pubk OEMpublicKey.pem –prvk OEMprivateKey.pem –pwd testkey

3.2. SSP Firmware for STM32MP2 series↑

On STM32MP2 series, STMicroelectronics provides a dedicated ST firmware that is signed and encrypted by ST^[3]. This firmware is generic and does not need to be customized by the OEM to be compatible with the design of his board. The SSP firmware for STM32MP2 series must be imported in STM32CubeProgrammer.

4. Production processing↑

At that stage, the following parts are available:

• SSP encrypted secret file
• provisioned HSMv2
• SSP firmware

All that material must be given to the untrusted production to start the SSP process.

4.1. Test case using STM32CubeProgrammer_Cli↑

For an evaluation purpose, STM32CubeProgrammer can be used to test the SSP processing chain.

On the host, the STM32CubeProgrammer must be installed. HSM is plugged into the host smartcard reader. The board is connected, its chip is virgin. The serial boot mode is selected and the power is ON.

The following command can be used for a USB SSP provisioning:

  STM32_Programmer_CLI -c port=USB1 -ssp <ssp_file_path> <ssp-fw-path> hsm=1 slot=1

5. SSP: Final state↑

At that stage, the device is provisioned with all the OEM secrets:

• OEM PKH or PKHTH
• OTP secrets
• battery backed memory

The chip is now in the secure close state, the secure boot is mandatory.
Enabling secure boot is the final step to use the chip.

The SSP process cannot be restarted anymore.

6. References↑