ST Developers Conference 2016 - Mechanisms for Trusted Code Execution

1. October 4, 2016
Santa Clara Convention Center
Mission City Ballroom
Mechanisms for
Trusted Code Execution
Bob Waskiewicz

2. Recap  IoT Security

3. Root of Trust
• Root of Trust
• Whole process depends on the integrity of the first module
• First module protected by hardware: Trust Anchor
3
Hardware Loader RTOS Application
Verify
Trust
Trust Anchor

4. Application Code 4
• Application code should be written and executed in a secure manner
• Start with security coding ‘Best Practices’ including software layering
• Use of appropriate mechanisms:
• Use derived keys
• Use process partitioning as appropriate
• Chain of Trust
• At start-up, each ‘stage’ verifies the integrity and/or authenticity of the next stage
• Chaining of HASH/integrity checked
• Only if check is OK, control is transferred to the next stage, otherwise system is halted
Secure Execution

5. Secure Storage 5
• Access to data must be carefully controlled and restricted to
authorized persons, machines, and processes
• Data at rest – protected
• Encrypt as necessary; All keys, master keys, session keys used for secure
communications, passwords etc.
• Encrypt sensitive application data
• Encrypt sensitive customer personal data
• Destroy keys no longer valid.
Data at Rest

6. Communications 6
• IoT ecosystem relies on confidential and trusted communications
• Data integrity
• Encryption end to end
• Device authentication
• Using Public Key Infrastructure (PKI) solutions
Data in Motion

7. IoT Attacks
Local Versus Remote
Product Invasive
• Uncontrolled state
device
• Fault Injection
Glitch on power &
clock for code dump
Silicon Invasive
• Probing
• Reverse
Engineering
Extraction of key
Non Invasive
• Logical attacks
• Side channel
attacks
ATTACKS COST and EXPERTIZE
COMPONENT and SYSTEM SECURITY LEVEL
8

8. ARM Cortex® / STM32
Security Features

9. IoT Devices 9
Three Types of CPU Based Devices
• MPU: Microprocessors
• High-performance CPUs (>GHz) using lots of memory (non-volatile and volatile) >GB
• Large Storage
• Typically running complex file operating systems/General computing devices
• MCU: Microcontrollers
• Lower performing CPUs (~MHz) with self contained internal memories (< few MB)
• Typically running native code or RTOS
• Focused Application Devices
• Secure MCU: Secure Microcontrollers
• Sub-class of MCUs, limited peripheral set
• Design for security and contain specific hardware counter attack measures
• Use certifiable processes from inception to manufacturing
• Limited to specific security applications (SmartCard, SIM, eSE, Authentication)

10. STM32L476 MCU 10
• Processor
• 80 MHz ARM® Cortex® M4
• Memory Support
• Internal 1MB Flash
• Internal 128K SRAM
• QuadSPI
• External Memory Controller
• Connectivity
• I2C, SPI, USB
• Analog
• Control
Internal
Memory

11. Cortex®-M Cores
•
M0/M0+, M3, M4, and M7
14

12. ST Has Licensed ALL Cortex®-M Cores 12
Source: ARM

13. Cortex®-M0 / M0+ Microarchitecture 13
• Thumb-2 Technology
• Integrated configurable NVIC
• Microarchitecture
• 3-stage pipeline with branch speculation
• 1x AHB-Lite Bus Interfaces
• Configurable for ultra low power
• Deep Sleep Mode, Wakeup Interrupt Controller
• Flexible configurations for wider applicability
• Configurable Interrupt Controller
• Optional Debug and Trace
• M0, No Memory Protection Unit
• M0+, Optional Memory Protection Unit
ARMv6M Architecture

14. Cortex®-M3 Microarchitecture 14
• Thumb-2 Technology
• Integrated configurable NVIC
• Microarchitecture
• 3x AHB-Lite Bus Interfaces
• Configurable for ultra low power
• Deep Sleep Mode, Wakeup Interrupt Controller
• Flexible configurations for wider applicability
• Configurable Interrupt Controller
• Optional Debug and Trace
• Optional Memory Protection Unit
ARMv7ME Architecture

15. Cortex®-M4 Microarchitecture 15
• Thumb-2 Technology
• DSP and SIMD extensions
• Optional single precision FPU
• Integrated configurable NVIC
• Microarchitecture
• 3-stage pipeline with branch speculation
• 3x AHB-Lite Bus Interfaces
• Configurable for ultra low power
• Deep Sleep Mode, Wakeup Interrupt Controller
• Power down features for Floating Point Unit
• Flexible configurations for wider applicability
• Configurable Interrupt Controller
• Optional Debug and Trace
• Optional Memory Protection Unit
ARMv7ME Architecture

16. Cortex®-M7 Microarchitecture 16
• Thumb-2 Technology
• DSP and SIMD extensions
• Optional Double precision FPU
• Dual-issue superscalar architecture
• Microarchitecture
• 6-stage pipeline with branch speculation
• AXI-M Bus Interface with cache memory
• Configurable for ultra low power
• Deep Sleep Mode, Wakeup Interrupt Controller
• Power down features for Floating Point Unit
• Flexible configurations for wider applicability
• Configurable Interrupt Controller
• Optional Debug and Trace
• Optional Memory Protection Unit
ARMv7ME Architecture

17. Today - STM32 Portfolio 17
8 product series / 31 product linesMore than 30 product lines
398 CoreMark
120 MHz
150 DMIPS
Ultra-low-power
Mainstream
Cortex-M0
Cortex-M0+ Cortex-M3 Cortex-M4 Cortex-M7
106 CoreMark
48 MHz
38 DMIPS
245 CoreMark
72 MHz
90 DMIPS
177 CoreMark
72 MHz
61 DMIPS
608 CoreMark
180 MHz
225 DMIPS
High-performance 1082 CoreMark
216 MHz
462 DMIPS
75 CoreMark
32 MHz
26 DMIPS
93 CoreMark
32 MHz
33 DMIPS
273 CoreMark
80 MHz
100 DMIPS

18. STM32 Family vs. Security Features 18
ST
Family
Security Features
Debug
Access
Port
RESET
Register
FLASH
WRP
FLASH
Mass
ERASE
Tamper
Pins
CRC
Hardware
96-Bit
UniqueID
Crypto
Library
Support
Memory
Protection
Unit(MPU)
FLASH
RDP
TRNG
AES
Hardware
Accelerator
FLASH
PCROP
HASH
Hardware
Accelerator
Firewall
SRAM
RDP
SysClock
(MHz)
ARM
Cortex®
STM32 F1 72 M3
STM32 F3 72 M4
STM32 F0 48 M0
STM32 L1 32 M3
STM32 F2 120 M3
STM32 F4 180 M4
STM32 F7 216 M7
STM32 L0 32 M0+
STM32 L4 80 M4
*ARM
TRM
RMxxxx
AN4246
RMxxxx
AN3371
RMxxxx
UM1924
AN4838
*AN179
AN4246
AN4230
UM1924
AN4246
AN4701
AN4758
UM1924
AN4729
AN4729
Application Note# (AN)/User Manual# (UM)/Reference Manual#(RM) (www.st.com/mcu) (*infocenter.arm.com)

19. ARM Memory Protection Unit 19
Overview
Main()@ addr:
RO
Region 0
Region 3
Main Stack
MSP@ addr:
Privileged RW
PSP@addr:
Unprivileged RW
MPU example
Bootloader@ addr:
No Access
Region 1
Region 4
Process Stack
• Optional feature available on Cortex™-
M cores
• Enforce privilege rules on read / write /
execute only or no-access
• Memory areas defined by regional (8
Regions) parameters for memory
isolation
• Upon violation, core generates a hard-
fault or core “lock-up”

20. ARM Memory Protection Unit 20
Why Use an MPU ?
• Prevent processes from accessing memory that has not been allocated to them.
• Protect applications from a number of potential error such as the detection of
stack overflows
• Protect from invalid execution by RTOS tasks and protect data from corruption
• Protect system peripherals from unintended modification

21. ARM Cortex® Debug 21
• Serial Wire Debug or IEEE JTAG Debug
• Embedded break / watch capabilities for easy Flashed application debugging
• Includes a Serial Wire Viewer for low bandwidth data trace
• Includes an Embedded Trace Module for system core clock debugging
• DAP is ALIVE ALL the time  After RESET, when core enters low power mode, and when
non-core security features are enabled
• The BKPT assembly instruction will cause the core to enter Debug state
Debug Access Port (DAP)
JTAG SWD
More pins
available
for the
application

22. STM32 Firewall 22
Overview
• Creates a specific “trust area” of code with
own memory isolated from all other code
areas
• Has a single gateway interface to enter the
Firewall. Any access other than the
proscribed gateway interface results in a
system reset
• Ideal for protecting algorithmic IP separate
from the rest of the internal application, and
performing security sensitive operations (i.e.
HASHing)
• Intrusive detection into a protected area
generates a MCU reset
• Includes DMA and/or Interrupt intrusions
• Configured at Start and remains active until
the next system reset
GP-DMACortex-M
Bus Matrix
Bridge AHB/APBSRAM
NV Memory
FIREWALL
Volatile Data
Code
Data
Reset Event

23. STM32 Memory Features 23
• Readout Protection (RDP)
• Level 0: no readout protection
• Level 1: memory readout protection
• Level 2: chip readout protection
• Proprietary code Read Out Protection (PcROP)
• Specific configurable area
• 1 each per Flash sector
• Write protection (WRP)
• 1 each per Flash / SRAM* sector
Overview
Flash code is protected when
accessed through the JTAG
interface or when the Boot is
different from Flash memory
Flash code is only
executable, not readable
Flash code is protected from
unwanted write/erase operations

24. STM32 Memory Features 24
• Readout Protection Level 0 (no protection, factory default)
• All operations (R/W/Erase) are permitted on Flash memory, SRAM, and Backup Domain
• Readout Protection Level 1
• If the selected boot mode is User Flash and if no debugger access is detected (no JTAG):-
• All operations (R / W / Erase) are permitted on the Flash memory, SRAM, and Backup registers
• If the selected boot mode is not user Flash, or if a debugger access is detected (JTAG):-
• ALL operations (R / W / Erase) to Flash memory, SRAM, and Backup registers are blocked and a
hard fault interrupt is generated.
Readout Protection (RDP)

25. STM32 Memory Features 25
• Readout Protection Level 2 (JTAG fuse blown)
• All protections provided by Level 1 are active
• Boot from RAM or System memory is no longer possible (only from User Flash memory)
• The physical JTAG interface is disabled
• Factory Failure Analysis Report is limited, thus ensuring there is no factory backdoor
• If the selected boot mode is User Flash memory
• All operations (R/W/Erase) are permitted on the Flash memory, backup registers and SRAM
• Level 2 CANNOT be reversed
Readout Protection (RDP)

26. STM32 Memory Features 27
• Level 0
• Option byte mods are allowed
• Can transition to Level 1 or Level 2
• Level 1
• Option byte mods are allowed.
• Can transition to Level 0 or Level 2
• Level 0  Mass erase of user Flash, backup registers and
newer device SRAM sector
• Level 2
• Option bytes are frozen
• No transition possible
RDP Transition Scheme
Level 0
RDP = 0xAA
Level 1
RDP ≠ 0xCC
RDP ≠ 0xAA
Level 2
RDP = 0xCC
Permanent
State

27. STM32 Memory Features 28
Proprietary code Read Out Protection (PcROP)
Protect confidentiality of software
IP code whatever the RDP level
• Prevents malicious software or a
debugger from reading sensitive code
• The PCROP Flash memory area is
executable only
• R / W / Erase operations are not permitted
• Third-parties can develop and sell
specific software IPs for STM32 MCUs
• Customers may use these software
IPs for development with / in their own
application code

28. STM32 Memory Features 29
• PCROP : Prevents snooping execution, however, the results of
execution (variables, core registers) are not protected.
• PCROP : RAM not protected
• Firewall : Dynamic execution protection, (open / close)
Firewall vs. PCROP

29. STM32 Memory Features 30
• The Flash write-protected area is defined on a per sector basis via
the STM32 option bytes setting.
• In newer STM32 devices the WRP area is defined by “start” and
“end” addresses
• In the STM32L4 devices, a SRAM section is write protectable
Flash and SRAM Write Protection (WRP)

30. STM32 96-bit Unique ID 31
• Unique Device Identifier installed at the ST Factory
• Provides a reference number unique for any STM32
• It will not repeat for many years
• The Unique ID is suited for:-
• Generating a serial number via an algorithm
• Combining with cryptographic primitives to increase security before
programming STM32 Flash, key derivation.
• Used as part of device authentication during secure boot process
Features

31. STM32 Cyclical Redundancy Check 32
• Used to get a CRC code from 8,16, or 32 bit
data word
• Verify data integrity
• Generate a software code signature
• Can be used direct by core or via DMA
Overview
CRC computation
engine
Data register (Input) with buffer
Data register (Output)
AHB Bus
32-bit (read access)
32-bit (write access)
Reset/Initial value
Bit reversal (in/out)
Polynomial

32. STM32 Advanced Encryption Standard 33
• Hardware acceleration that transforms
original plaintext to unreadable ciphertext
• Supports
• Several standard operation modes and
key sizes
• Supports several standard AES chaining
modes
• Supports data swapping
• Supports DMA
• Reduces CPU time:-
• typical 100 -200 sysclk cycles
Overview
Cipher
Cipher Key
Encryption direction
Decryption direction
Plaintext Ciphertext

33. 34
STM32 Advanced Encryption Standard 42
•
Block Diagram
DMA request for
outgoing data transfer
AES Accelerator
DataIn
Dataout
Dataswapping
Dataswapping
ECB
DMA request for
incoming data transfer
GCM
CBC
GMAC
CTR
CMAC
AES chaining mode
Encryption Key derivation
AES operation mode
Decryption Key derivation +
decryptionKey: 128- 256-bit
NIST FIPS 197 compliant implementation of AES

34. 35
STM32 HASH Processor
Overview
MD5
HASH
HASH Processor
InputFIFO
Dataswapping
HMAC
Message
Digest
H0..H7
8x32bit
16x32bit
SHA-1, SHA-224
SHA-256
• Hardware acceleration that
transforms original plaintext to an
unreadable Message Digest
• Supports
• Supports several HASH standards
• Supports data swapping
• Supports DMA
• Reduces CPU time:-
• typical 50-66 sysclk cycles
Compliant with:
FIPS Pub 180-2
Secure HASH Standards (SHA-1*, SHA-224, SHA-256)
IETF RFC 1321 (MD5*)
43

35. STM32 Crypto Library 36
• STM32 Firmware Crypto Library V3.1.0
• All STM32 series supported: STM32F0, STM32F1, STM32F2, STM32F3, STM32F4,
STM32F7, STM32L0, STM32L1 and STM32L4
• All algorithms are based on firmware implementation without using any hardware
acceleration
• The STM32 Firmware Crypto Library is distributed by ST as an object code library,
accessed by the user application through an API
• The library is compiled for Cortex® M0, M0+, M3, M4, and M7 cores
Software ONLY

36. STM32 Crypto Library 37
• STM32 Hardware Acceleration Crypto Library V3.1.0
• Support all STM32 series with hardware acceleration (AES and/or HASH): STM32F2,
STM32F4, STM32F7, STM32L0, STM32L1 and STM32L4
• Support the algorithms based on firmware implementation with hardware acceleration
(Hybrid)
• The STM32 Hardware Acceleration Crypto library is distributed by ST as an object code
library, accessed by the user application through an API
• The library is compiled for Cortex® M0, M0+, M3, M4, and M7 cores
Hardware Acceleration

37. STM32 Crypto Library 38
CAVP FIPS Certified
NEW
Ecosystem
X-CUBE-CRYPTOLIB library
is ready for use in security-conscious STM32-based applications
• Helps customers prove the security of their new products
quickly and cost-effectively
• Ready for use STM32-based applications including IoT
• Removes the burden of algorithm validation
• Allows OEMs to fasten their security certification process
• Includes all the major algorithms for encryption, hashing,
message authentication, and digital signing

38. 39
• 32-bit Random Number Generator based on a noise source
• A 32-bit random number can be generated at an average frequency of AHB / xx
• Three Flags:-
• Valid random data is ready
• An abnormal sequence occurs on the seed
• A frequency error is detected when using a PLL48 RNG clock source
• One interrupt
• To indicate an error (an abnormal seed sequence or a frequency error)
Features
STM32 True Random Number Generator

39. STM32 True Random Number Generator 40
Block Diagram
RNG
RNG_CLK
Flags
Interrupt
Enable bit
RNG interrupt to NVIC
IM DRDY
LFSR
(Linear Feedback
Shift register)
Analog seed
32-bit
random data
register
Clock checker
Fault detector
CEISSEISSECS CECS
Error management

40. STM32 Reset 41
• Manages three types of reset:-
• System reset
• Power reset
• Backup domain reset
• Peripherals have individual reset control bits in the RCC_CSR register
Features
Safe and flexible reset management without external components

41. STM32 Reset 42
Source
Filter
VDD
RPU
PULSE
GENERATOR
(min 20µs)
SYSTEM RESET
NRST
WWDG RESET
IWDG RESET
Software RESET
BOR RESET
Low power management RESET
External
RESET
Firewall RESET
Option byte loading RESET
• No external components are needed due to internal filter and power monitoring

42. Anti Tamper 43
• Backup Domain Contains
• A Calendar RTC
• xx Data Bytes, Backup SRAM
• Separate 32kHz oscillator for RTC
• Tamper Detection Pins
• RESETs all RTC backup registers and
Backup SRAM
• Time stamp event
Backup Domain
Backup Domain
32KHz OSC
(LSE)
RTC
xx Register Bytes
SRAM*
RCC BDSR
reg
Wakeup
Logic
IWWDG
VBAT
VDD
power switch
RTC_TAMP2
RTC_TAMP3
Anti-tamper
switches
Tamper
detection
RTC_TAMP1
Optional
filtering
capacitors
RESET & Interrupt

43. Anti Tamper 44
• External Anti Tamper Features
• Pattern control (Timer control)
• External connection between I/O pair – pattern out / in pins
• Voltage control
• DAC output / ADC input + ADC watchdog
• Temperature anti tamper
• Use internal temperature sensor (5-10 oC accuracy)
• Under / Over-voltage tampering
• Analog WDG on BandGap voltage (supply voltage measurement)
Extend Anti Tamper

44. STM32 Secure Firmware Update Overview
AN4023

45. STM32 Boot Loader Options
Native(ICP) and IAP Methods
ROM
Boot loader
UART
USB
JTAG/SWD
FLASH
IAP
Boot loader
Application
Firmware
USB
Device
2
Bluetooth LE
Radio
3
JTAG
Programmer
1
55

46. Custom Boot Loader 47
• An alternative to ICP load mechanisms giving
additional flexibility
• Tailored to the application
• Can use non-published load methods
• Ability to use other interfaces rather than the native
load interfaces
• Must be done when using STM32 Level 2 Security
Benefits
Level 2

47. AN4023 Secure Firmware Update
• Secure Loader Installation (1st Trust Event)
• Secure Firmware Insertion (ST Factory / OEM / CM / Distributor)
• Public Key installation
• Lock down the device (Level 2)
• Provisioning (2nd Trust Event)
• Private key installation (OEM / CM / Distributor)
• Done as part of a Hardware Secure Module (HSM)
• Secure Boot
• Secure Loader
Overview
57

48. Secure Provisioning 58
Signed Firmware  One-Way Verification
Application FW
Image
FW Signature
Backroom Tools
Application
FW Image
FW SignatureFW Hash
Hash
Sign
Application Firmware Package
Application
FW Image
FW
Signature
1
2 3
4
5
IAP verifies
FW Image
w/signature
IAP
Code
Host Private Key
Host Public Key
Host Public Key

49. Secure Provisioning 50
Signed Firmware  Two-Way Verification
Backroom Tools
Application FW
Image
FW Signature
IAP
Code
Application Firmware Package
Application
FW Image
FW
Signature
1
2
3
IAP verifies
FW Image
w/signature.
Signs image
+ dev id
Device ID
Host verifies
FW + Dev ID
signature
FW+Dev ID
Signature
4
Host signs
FW image
5

Host Public Key
Host Private Key
IAP Public Key
IAP Private Key

50. STM32 Secure Boot
• Secure Boot Application
• Authenticate the STM32 device
• Enable the IWDG
• RESET Recovery Check
• Disable the ARM DAP Configuration
• Initialize the Firewall and / or MPU
• To HASH The Loader firmware
• Initialize the Flash and SRAM (zero)
• At each step a GO / NO-GO decision is made by the Boot Loader
Best Coding Practices
60

51. STM32 Secure Loader
Architecture
62

52. STM32 Secure Loader
Flow Chart
62

53. Demo

54. ST Solutions for Security in IoT
AN4023, L476 Nucleo Demo
Secure Firmware Upgrade from HSM
Use of proven code from proven source
Key provisioning chain
STM32 Secure Upgrade Demo
Secure Firmware Upgrade
Use of proven code
Key provisioning chain
Main Features
• Download and upgrade of encrypted binary
• Decryption and authenticate before Flashing
• Close control of key chain
• Use of Ymodem but can be USB or IP based
64

55. 56

56. 57