Last edited 2 months ago

STM32MP2 backup registers

Applicable for STM32MP25x lines


1. Article purpose[edit | edit source]

This article explains how the TAMP backup registers are used by STM32MPU Embedded Software on STM32MP25.

2. Overview[edit | edit source]

The STM32MP25 embeds 128 backup registers of 32 bits. A programmable border allows these backup registers to be split into a secure and a nonsecure groupa.

3. Backup register usage[edit | edit source]

This paragraph explains the default usage of backup registers by the ROM code and STM32MPU Embedded Software distribution. The subsequent chapter then shows the backup register mapping used to fulfill those needs.

Warning white.png Warning
It is important to notice that the backup registers can be erased when a tamper detection occurs in TAMP internal peripheral
Info white.png Information
Backup register(s) might be used for another purpose by the application when the feature(s) listed below is/are not used by the said application

3.1. Boot mode selection feature[edit | edit source]

The BOOT_MODE register is used to propagate boot mode information from one component to the next boot stage, on cold boot or after a reset:

  • The ROM code executes a serial boot if BOOT_MODE[7:0] is equal to 0xFF, as stated in the ROM code boot device selection strategy. In this case, the backup register is reset by the ROM code before proceeding with the serial boot mode. Other values are ignored by the ROM code.
  • TF-A gets the selected boot device from the ROM code context in SYSRAM and writes it into BOOT_MODE[15:8] for U-Boot[1]. The boot interface type is written into BOOT_MODE[15:12], and the instance used is written into BOOT_MODE[11:8]. TF-A also writes other information in this register. The partition that was used to boot is written into BOOT_MODE[19:16], and the BL2 authentication status from ROM code into BOOT_MODE[23:20].

3.2. Firmware update info feature[edit | edit source]

The FWU_INFO is used by TF-A BL2 to detect boot failures between its execution and before the complete Linux application initialization during a Secure Firmware Update.

3.3. SAES secret key feature[edit | edit source]

The SAES secret key registers can be used to own a 256 bits key that is carried to SAES internal peripheral via a buried hardware bus. This solution allows the key to be protected by the tamper mechanism: these registers together with SAES memory and registers are erased as soon as a tamper event occurs.
Notice that, when this feature is used, the concerned backup registers should be set as 'secure'.
Look for 'boot hardware key' in the STM32MP25 Reference Manuals for more information about this feature.

3.4. Cortex-M coprocessor resource table[edit | edit source]

The CortexM Resource table address and Resource table size registers are used to provide information on the resource table present in the Cortex-M firmware. This information is written by the boot stage in charge of Cortex-M load and start, and then read and initialized by the Linux to instantiate the inter-processor communication. Notice that the registers are duplicated to support the Cortex-A master boot mode (registers written by U-boot) and the Cortex-M master boot mode (registers written by the Cortex-M non secure FW itself).

4. Memory mapping[edit | edit source]

The table below shows the backup register mapping used by STM32MPU Embedded Software.
The TAMP backup register base address is 0x46010100, corresponding to TAMP_BKP0R.

By default, the openSTLinux set a fixed configuration for tamp resources identification:

  • R0 = Main processor (Cortex-A35 or Cortex-M33 depending on boot mode selection)
  • R1 = Cortex-A35 processor
  • R2 = Cortex-M33 processor

The table shows the read/write accesses to the registers but doesn't show the read only accesses. Refer to STM32MP25 Reference Manuals for more details on the read only access.

The different area listed in the table below are all programmable thanks to the device tree configuration.

Zone RIF Zonea TAMP register ROM / software register name Comment
Zone3 Read/Write Non-secure Zone3-RIF2 TAMP_BKP127R
TAMP_BKP126R
TAMP_BKP125R
TAMP_BKP124R
TAMP_BKP123R
TAMP_BKP122R CortexM Resource table size Cortex-M resource table address
TAMP_BKP121R CortexM Resource table address Cortex-M resource table size
TAMP_BKP120R BOOT_MODE Boot mode for CM33 non secure
Zone3-RIF0 TAMP_BKP119R
TAMP_BKP118R
TAMP_BKP117R
TAMP_BKP116R
TAMP_BKP115R
TAMP_BKP114R
TAMP_BKP113R
TAMP_BKP112R
TAMP_BKP111R
TAMP_BKP110R
TAMP_BKP109R
TAMP_BKP108R
Zone3-RIF1 TAMP_BKP107R
TAMP_BKP106R
TAMP_BKP105R
TAMP_BKP104R
TAMP_BKP103R
TAMP_BKP102R
TAMP_BKP101R
TAMP_BKP100R
TAMP_BKP99R
TAMP_BKP98R CM_rsc_tab_addr Cortex-M resource table address
TAMP_BKP97R CM_rsc_tab_size Cortex-M resource table size
TAMP_BKP96R BOOT_MODE See Boot mode selection feature
Zone2 Read Non-secure/Write secure Zone2-RIF2 TAMP_BKP95R Cortex_M_state CM33 power state
TAMP_BKP94R
TAMP_BKP93R
TAMP_BKP92R
TAMP_BKP91R
TAMP_BKP90R
TAMP_BKP89R
TAMP_BKP88R
TAMP_BKP87R
TAMP_BKP86R
TAMP_BKP85R
TAMP_BKP84R
TAMP_BKP83R
TAMP_BKP82R
TAMP_BKP81R
TAMP_BKP80R
TAMP_BKP79R
TAMP_BKP78R
TAMP_BKP77R
TAMP_BKP76R
TAMP_BKP75R
TAMP_BKP74R
TAMP_BKP73R
TAMP_BKP72R
Zone2-RIF1 TAMP_BKP71R Cortex_A_state CA35 power state
TAMP_BKP70R
TAMP_BKP69R
TAMP_BKP68R
TAMP_BKP67R
TAMP_BKP66R
TAMP_BKP65R
TAMP_BKP64R
TAMP_BKP63R
TAMP_BKP62R
TAMP_BKP61R
TAMP_BKP60R
TAMP_BKP59R
TAMP_BKP58R
TAMP_BKP57R
TAMP_BKP56R
TAMP_BKP55R
TAMP_BKP54R
TAMP_BKP53R
TAMP_BKP52R
TAMP_BKP51R
TAMP_BKP50R
TAMP_BKP49R
TAMP_BKP48R FWU_INFO See Firmware update info feature
Zone1 Read/Write secure Zone1-RIF2 TAMP_BKP47R
TAMP_BKP46R
TAMP_BKP45R
TAMP_BKP44R
TAMP_BKP43R
TAMP_BKP42R
TAMP_BKP41R
TAMP_BKP40R
TAMP_BKP39R
TAMP_BKP38R
TAMP_BKP37R
TAMP_BKP36R
TAMP_BKP35R
TAMP_BKP34R
TAMP_BKP33R
TAMP_BKP32R
TAMP_BKP31R PLAT_NV_COUNTER_BL2_3
TAMP_BKP30R PLAT_NV_COUNTER_BL2_2
TAMP_BKP29R PLAT_NV_COUNTER_BL2_1
TAMP_BKP28R PLAT_NV_COUNTER_BL2_0
TAMP_BKP27R PLAT_NV_COUNTER_PS_2
TAMP_BKP26R PLAT_NV_COUNTER_PS_1
TAMP_BKP25R PLAT_NV_COUNTER_PS_0
TAMP_BKP24R Init value TF-M NV Counter region
Zone1-RIF1 TAMP_BKP23R
TAMP_BKP22R
TAMP_BKP21R
TAMP_BKP20R
TAMP_BKP19R
TAMP_BKP18R
TAMP_BKP17R
TAMP_BKP16R
TAMP_BKP15R
TAMP_BKP14R
TAMP_BKP13R
TAMP_BKP12R
TAMP_BKP11R LOWPOWER_EP_ADDR Entry point address for low power mode exit (STOP2)
TAMP_BKP10R ROM_CORE1_HOLDING_PEN_ADDR Core1 branch address for second core boot (32bit only / Reserved otherwise)
TAMP_BKP9R ROM_CORE1_HOLDING_PEN_MAGIC Core1 Magic (0xCA7FACE1) (32bit only/ Reserved otherwise)
TAMP_BKP8R
TAMP_BKP7R Can be used as 'SAES secret key' and the registers should be set secure in that case Propagated to SAES by the hardware KEYBUS
TAMP_BKP6R
TAMP_BKP5R
TAMP_BKP4R
TAMP_BKP3R
TAMP_BKP2R
TAMP_BKP1R
TAMP_BKP0R


a
: the security borders are configured by the Secure OS (look for st,backup-zones in TAMP configuration), so the OP-TEE device tree has to be modified if different borders are needed.


5. References[edit | edit source]