AN4246 Application note

Similar documents
SPC5-FLASHER. Flash management tool for SPC56xx family. Description. Features

AN3354 Application note

Single LNB supply and control IC DiSEqC 1.X compliant with EXTM based on the LNBH29 in a QFN16 (4x4) Description

UM1676 User manual. Getting started with.net Micro Framework on the STM32F429 Discovery kit. Introduction

AN3155 Application note

UM1790 User manual. Getting started with STM32L053 discovery kit software development tools. Introduction

AN3332 Application note

UM1727 User manual. Getting started with STM32 Nucleo board software development tools. Introduction

UM1680 User manual. Getting started with STM32F429 Discovery software development tools. Introduction

SPC5-CRYP-LIB. SPC5 Software Cryptography Library. Description. Features. SHA-512 Random engine based on DRBG-AES-128

M24LRxx/CR95HF application software installation guide

STEVAL-IEG001V2. Smart real-time vehicle tracking system. Features

EN: This Datasheet is presented by the m anufacturer. Please v isit our website for pricing and availability at ore.hu.

LM337. Three-terminal adjustable negative voltage regulators. Features. Description

UM1613 User manual. 16-pin smartcard interface ST8034P demonstration board. Introduction

AN4108 Application note

Description. Table 1. Device summary. Order code Temperature range Package Packaging Marking

Table 1. Absolute maximum ratings (T amb = 25 C) Symbol Parameter Value Unit. ISO C = 330 pf, R = 330 Ω : Contact discharge Air discharge

STTH1R04-Y. Automotive ultrafast recovery diode. Features. Description

DDSL01. Secondary protection for DSL lines. Features. Description

EVL185W-LEDTV. 185 W power supply with PFC and standby supply for LED TV based on the L6564, L6599A and Viper27L. Features.

AN2557 Application note

AN3998 Application note

TN0023 Technical note

Description. Table 1. Device summary

BD241A BD241C. NPN power transistors. Features. Applications. Description. NPN transistors. Audio, general purpose switching and amplifier transistors

AN2604 Application note

AN3990 Application note

AN2389 Application note

UA741. General-purpose single operational amplifier. Features. Applications. Description. N DIP8 (plastic package)

TDA W CAR RADIO AUDIO AMPLIFIER

How To Write To An Eeprom Memory On A Flash Memory On An Iphone Or Ipro Memory On Microsoft Flash Memory (Eeprom) On A Microsoft Microsoft Powerbook (Ai) 2.2.2

BD238. Low voltage PNP power transistor. Features. Applications. Description. Low saturation voltage PNP transistor

UM0985 User manual. Developing your STM32VLDISCOVERY application using the IAR Embedded Workbench software. Introduction

2STBN15D100. Low voltage NPN power Darlington transistor. Features. Application. Description

Description. Table 1. Device summary. Order codes. TO-220 (single gauge) TO-220 (double gauge) D²PAK (tape and reel) TO-220FP

AN2680 Application note

ST19NP18-TPM-I2C. Trusted Platform Module (TPM) with I²C Interface. Features

ST High voltage fast-switching NPN power transistor. Features. Applications. Description

Getting started with DfuSe USB device firmware upgrade STMicroelectronics extension

Description SO-8. series. Furthermore, in the 8-pin configuration Very low-dropout voltage (0.2 V typ.)

BD135 - BD136 BD139 - BD140

AN2824 Application note

AN1819 APPLICATION NOTE Bad Block Management in Single Level Cell NAND Flash Memories

AN3265 Application note

AN4156 Application note

AN3270 Application note

AN3353 Application note

ULN2801A, ULN2802A, ULN2803A, ULN2804A

ETP01-xx21. Protection for Ethernet lines. Features. Description. Applications. Benefits. Complies with the following standards

ESDLIN1524BJ. Transil, transient voltage surge suppressor diode for ESD protection. Features. Description SOD323

AN4368 Application note

Description. IO and RF AGC. ASIC controller and power management. Carrier recovery loop. GPIO switch matrix. Lock indicator and monitoring DVBS2 FEC

BZW50. Transil, transient voltage surge suppressor (TVS) Features. Description

TDA2004R W stereo amplifier for car radio. Features. Description

AN3110 Application note

AN4128 Application note

DSL01-xxxSC5. Secondary protection for DSL lines. Features. Description. Applications. Benefits. Complies with the following standards

LM135-LM235-LM335. Precision temperature sensors. Features. Description

ULN2001, ULN2002 ULN2003, ULN2004

STTH2R06. High efficiency ultrafast diode. Features. Description

AN3359 Application note

AN2866 Application note

STTH110. High voltage ultrafast rectifier. Description. Features

AN2146 APPLICATION NOTE

MC34063AB, MC34063AC, MC34063EB, MC34063EC

LM134-LM234-LM334. Three terminal adjustable current sources. Features. Description

AN886 APPLICATION NOTE

Order code Temperature range Package Packaging

AN3252 Application note

MC Low noise quad operational amplifier. Features. Description

TN0072 Technical note

AN2703 Application note

STP60NF06FP. N-channel 60V Ω - 30A TO-220FP STripFET II Power MOSFET. General features. Description. Internal schematic diagram.

STDP2600. Advanced HDMI to DisplayPort (dual mode) converter. Features. Applications

L78MxxAB L78MxxAC. Precision 500 ma regulators. Features. Description

STP60NF06. N-channel 60V Ω - 60A TO-220 STripFET II Power MOSFET. General features. Description. Internal schematic diagram.

L6234. Three phase motor driver. Features. Description

STN3NF06L. N-channel 60 V, 0.07 Ω, 4 A, SOT-223 STripFET II Power MOSFET. Features. Application. Description

P6KE. Transil, transient voltage surge suppressor (TVS) Features. Description. Complies with the following standards

Obsolete Product(s) - Obsolete Product(s)

Hello and welcome to this presentation of the STM32L4 Firewall. It covers the main features of this system IP used to secure sensitive code and data.

Figure 1. STM32F429 Discovery board: STM32F429I-DISCO

AN2760 Application note

UM0462 User manual. STM32 and STM8 Flash loader demonstrator. Introduction

AN3969 Application note

VN5R003H-E. 3 mω reverse battery protection switch. Features. Description. Application

STDP2690. Advanced DisplayPort to DisplayPort (dual mode) converter. Features. Applications

AN974 APPLICATION NOTE

UM1075 User manual. ST-LINK/V2 in-circuit debugger/programmer for STM8 and STM32. Introduction

AN820 APPLICATION NOTE INPUT/OUTPUT PROTECTION FOR AUTOMOTIVE COMPUTER

STP55NF06L STB55NF06L - STB55NF06L-1

AN3327 Application note

BTW N. 50 A 1200 V non insulated SCR thyristor. Description. Features. Applications

AN3211 Application note

AN4427 Application note

AN2328 Application note

AN4571 Application note

Description. Table 1. Device summary. Order code Temperature range Package Packing Marking

AN438 APPLICATION NOTE SAFETY PRECAUTIONS FOR DEVELOPMENT TOOL TRIAC + MICROCONTROLLER

Transcription:

Application note Proprietary Code Read Out Protection on STM32L1 microcontrollers Introduction The protection of the intellectual property of embedded code has become a high importance issue concerning the microcontrollers. In order to provide this protection, STM32 microcontrollers have different means of protecting Flash code against copy and reverse engineering. This application note describes the generic STM32 family Flash protection features. The focus is on the Proprietary Code Read Out Protection (PCROP) which is embedded in medium-density plus STM32L151xC, STM32L152xC, STM32L162xC and STM32L100xC microcontrollers. Table 1 lists the microcontrollers concerned by this application note. Table 1. Applicable products Type Microcontrollers Applicable products STM32L1 (STM32L151xC, STM32L152xC, STM32L162xC and STM32L100xC) April 2013 DocID024207 Rev 1 1/11 www.st.com

Contents AN4246 Contents 1 Flash code protection........................................ 3 1.1 Global Read Out Protection (RDP).............................. 3 1.2 Write Protection............................................. 5 1.3 Proprietary Code Read Out Protection............................ 5 2 Examples.................................................. 7 2.1 Secure Firmware Update (SFU) bootloader protection............... 7 2.2 Preloaded third-party IP code................................... 7 3 Conclusion................................................. 8 4 Reference documents........................................ 9 5 Revision history........................................... 10 2/11 DocID024207 Rev 1

Flash code protection 1 Flash code protection The STM32 microcontroller family is provided with the following code protection features: 1. Global Read-out Protection (RDP) 2. Write protection 3. Proprietary Code Read Out Protection (PCROP) These features are meant to protect the intellectual property of the embedded firmware code, which represents an increasing interest for complex embedded systems. 1.1 Global Read Out Protection (RDP) The global Read Out Protection allows the embedded firmware code (preloaded in the Flash memory) to protect against reverse engineering, dumping using debug tools or other means of intrusive attack. This protection is set by the user after the binary code is loaded to the embedded Flash memory. Table 2 describes the 3 user-defined protection levels. Table 2. RDP Protection Level Levels Description Level 0 Level 1 Level 2 No protection (default) Flash memory is protected against reading by debugging or code dumping by the RAM loaded code All debug features are disabled Once the user code is loaded in the Flash memory of the product, it can be protected against code dumping.this is possible by activating either Level 1 or Level 2 protection, otherwise by RDP option byte programming, following the rules described in Figure 1. DocID024207 Rev 1 3/11

Flash code protection AN4246 Figure 1. RDP Levels RDP /= AAh & /= CCh Others options modified Write options including RDP = CCh Level 1 RDP /= AAh RDP /= CCh default Write optionsincluding RDP /= CCh & /= AAh Write options including RDP = AAh Level 2 RDP = CCh Options write (RDP level increase) includes - Options erase - New options program Write options including RDP = CCh Level 0 RDP = AAh RDP = AAh Others option(s) modified Options write (RDP level decrease) includes - Mass erase - Options erase - New options program Options write (RDP level identical) includes - Options erase - New options program ai16045 Note: Both protection levels (1 and 2) have the same abilities to protect the Flash memory. Its content cannot be read by Serial Wire or JTAG Debug access, bootloader system software or by loading any other SW to the volatile RAM memory. The main difference between the two protection levels is the volatile data (RAM content) protection which only exists on Level 2. When RDP protection is set to Level 1, debug tools still can be connected and access all the volatile resources of the MCU (RAM and registers). These tools are used to check the part and/or system, by loading some test code to the RAM. Also, Level 1 protection allows to recover a programmed part by erasing the entire Flash content. This is done by re-programming the RDP option byte from Level 1 to Level 0 (see Figure 1). On the other hand, Level 2 protection is irreversible (fuse). Once the RDP is set to Level 2, the RDP option byte and all the other option bytes are frozen and can non longer be modified. However, the user Flash content, with the exception of all the write-protected sectors (see Section 1.2: Write Protection), still can be updated under the control of the user code itself. An IAP (In Application Programming) bootloader code can be implemented in order to allow a firmware update of some sectors. In order to ensure the protection of previously programmed user code, the bootloader protocol can be a user specified (implementing the relevant protection against attacks, dumping and/or malicious code update). Some examples of Secure Bootloader implementation using the embedded AES accelerator available on STM32 are described in application note AN4023 - STM32 secure firmware upgrade. For additional details on Read Protection, refer to the microcontroller reference manuals. 4/11 DocID024207 Rev 1

Flash code protection 1.2 Write Protection The Write protection, applied by a Flash area (sector), protects the content of the specified sectors against code update or erase. One option bit is used to activate the write protection for each Flash sector. When the Write protection is set for sector i (option bit nwrpi = 0), this sector cannot be erased or programmed. Table 3 shows the sector Write protection depending on the RDP Level. Levels Table 3. Write Protection Description Level 0 or 1 The other option bytes still can be modified. (1) Level 2 All the option bytes are definitively frozen. (2) 1. The sector Write protection is very important for safety functions. If they are programmed in the write protected sectors, these functions are fully protected against accidental erase or update. 2. A write protected sector cannot be erased or modified, either intentionally or not. Note: Under these conditions, the integrity of the embedded firmware written in these sectors is guaranteed against any modification. 1.3 Proprietary Code Read Out Protection The Proprietary Code Read Out Protection (PCROP) is an alternative protection which is applied also by sector, allowing the protection of specific code (intellectual property) against attacks. The PCROP implements 2 main features on the microcontroller code protection and the code management. Table 4 compares both PCROP features to the RDP protection method. Table 4. Protection against attacks Type of Protection External attacks Internal attacks (such as Trojan horse type) Comparison Similar to the protection offered by RDP (but which can be restricted to a specific Flash area) Possible use of some unsecured third party code in an application, while still preserving the privacy of some parts of the code This protection is based on an execute-only mechanism. The Flash code area can only be reached by the STM32 CPU (as an instruction code), while all other accesses (DMA, debug and CPU data read) are strictly prohibited. While protecting the executable code against reading, a side effect generated by this execute-only mechanism makes the protected code itself (executed from this area) unable to access the associated data values stored in the same area (e.g. literal pool). In order to avoid the need of data accesses in this area (specially for literal pool accesses), a specific command line option must be chosen in the ARM/Keil compiler: (armcc --no_literal_pools --max_string_in_code = 0). DocID024207 Rev 1 5/11

Flash code protection AN4246 This command line option translates the literal pool operations with alternative instructions. These instructions build the register values without any data read access. It is mainly needed for loading registers with variable addresses. As an alternative method is less efficient, this option translates these operations in a slightly less effective code. However, the loss of performance is limited (below 5%), which is acceptable for the protected parts of the code. The PCROP sector is selected by using the same option bytes as the Write protection. As a result, these 2 options are exclusive each other. However, the sectors protected against reading (PCROP) are also protected against writing/erasing. Therefore, the PCROP may be considered as a superset of the sector write protection. In order to activate the PCROP (change the function of the nwrp option bits), the SPRMOD option bit must be activated. This operation is irreversible. Also in PCROP mode, a sector which was set to be read-protected cannot be reset to the unprotected state. As a result, new sectors may be added to the read protected area (when RDP is set to Level 0 or 1), but the protected ones cannot be unprotected, either erased or modified. Depending on the RDP level, there is a possible workaround for recovering a protected chip. If the STM32 is in RDP Level 1 and the RDP option byte is set to Level 0, the user s Flash area will be totally erased. This is the only case where the SPRMOD and nwrp bits may be reset and all the protected sectors may be unprotected. However, as this operation is always associated to the global erase of the user Flash area, the code protection is not affected. When the RDP is set to Level 2, all the option bytes are frozen and can no longer be modified. As a result, the protected sectors never can be erased or modified, so the protection becomes permanent. 6/11 DocID024207 Rev 1

Examples 2 Examples 2.1 Secure Firmware Update (SFU) bootloader protection A secure firmware update bootloader (as described in AN4023) can be included. It allows programming a third party code in the STM32 Flash memory, without compromising the secure bootloader mechanism and/or keys. 2.2 Preloaded third-party IP code The third-party code which contains critical intellectual property code can be preloaded (e.g. through a fast ROM procedure) in the STM32 Flash memory and protected against reading by activating the PCROP mechanism. Then, the STM32 microcontrollers including the protected code can be used/programmed by the end user, without affecting the protected code. DocID024207 Rev 1 7/11

Conclusion AN4246 3 Conclusion STM32 microcontrollers are provided with various Flash protection mechanisms to fulfill the different needs of the intellectual property protection. These range from a single user global code protection to a finer grain code protection where multiple IP firmware can coexist in the STM32 microcontroller memory. This solution allows the application to operate in potentially unsafe environments without compromising code protection or integrity. 8/11 DocID024207 Rev 1

Reference documents 4 Reference documents Programming manual (PM0062), STMicroelectronics Reference manual (RM0038), STMicroelectronics DocID024207 Rev 1 9/11

Revision history AN4246 5 Revision history Table 5. Document revision history Date Revision Changes 03-Apr-2013 1 Initial release. 10/11 DocID024207 Rev 1

Please Read Carefully: Information in this document is provided solely in connection with ST products. STMicroelectronics NV and its subsidiaries ( ST ) reserve the right to make changes, corrections, modifications or improvements, to this document, and the products and services described herein at any time, without notice. All ST products are sold pursuant to ST s terms and conditions of sale. Purchasers are solely responsible for the choice, selection and use of the ST products and services described herein, and ST assumes no liability whatsoever relating to the choice, selection or use of the ST products and services described herein. No license, express or implied, by estoppel or otherwise, to any intellectual property rights is granted under this document. If any part of this document refers to any third party products or services it shall not be deemed a license grant by ST for the use of such third party products or services, or any intellectual property contained therein or considered as a warranty covering the use in any manner whatsoever of such third party products or services or any intellectual property contained therein. UNLESS OTHERWISE SET FORTH IN ST S TERMS AND CONDITIONS OF SALE ST DISCLAIMS ANY EXPRESS OR IMPLIED WARRANTY WITH RESPECT TO THE USE AND/OR SALE OF ST PRODUCTS INCLUDING WITHOUT LIMITATION IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE (AND THEIR EQUIVALENTS UNDER THE LAWS OF ANY JURISDICTION), OR INFRINGEMENT OF ANY PATENT, COPYRIGHT OR OTHER INTELLECTUAL PROPERTY RIGHT. ST PRODUCTS ARE NOT AUTHORIZED FOR USE IN WEAPONS. NOR ARE ST PRODUCTS DESIGNED OR AUTHORIZED FOR USE IN: (A) SAFETY CRITICAL APPLICATIONS SUCH AS LIFE SUPPORTING, ACTIVE IMPLANTED DEVICES OR SYSTEMS WITH PRODUCT FUNCTIONAL SAFETY REQUIREMENTS; (B) AERONAUTIC APPLICATIONS; (C) AUTOMOTIVE APPLICATIONS OR ENVIRONMENTS, AND/OR (D) AEROSPACE APPLICATIONS OR ENVIRONMENTS. WHERE ST PRODUCTS ARE NOT DESIGNED FOR SUCH USE, THE PURCHASER SHALL USE PRODUCTS AT PURCHASER S SOLE RISK, EVEN IF ST HAS BEEN INFORMED IN WRITING OF SUCH USAGE, UNLESS A PRODUCT IS EXPRESSLY DESIGNATED BY ST AS BEING INTENDED FOR AUTOMOTIVE, AUTOMOTIVE SAFETY OR MEDICAL INDUSTRY DOMAINS ACCORDING TO ST PRODUCT DESIGN SPECIFICATIONS. PRODUCTS FORMALLY ESCC, QML OR JAN QUALIFIED ARE DEEMED SUITABLE FOR USE IN AEROSPACE BY THE CORRESPONDING GOVERNMENTAL AGENCY. Resale of ST products with provisions different from the statements and/or technical features set forth in this document shall immediately void any warranty granted by ST for the ST product or service described herein and shall not create or extend in any manner whatsoever, any liability of ST. ST and the ST logo are trademarks or registered trademarks of ST in various countries. Information in this document supersedes and replaces all information previously supplied. The ST logo is a registered trademark of STMicroelectronics. All other names are the property of their respective owners. 2013 STMicroelectronics - All rights reserved STMicroelectronics group of companies Australia - Belgium - Brazil - Canada - China - Czech Republic - Finland - France - Germany - Hong Kong - India - Israel - Italy - Japan - Malaysia - Malta - Morocco - Philippines - Singapore - Spain - Sweden - Switzerland - United Kingdom - United States of America www.st.com DocID024207 Rev 1 11/11

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information