Internal flash memory content updating on an RDP protected STM32 MCU
In RDP level 1 or 2, the flash memory content can no longer be modified with an external access
(bootloader or booting from SRAM). However, modifications by an internal application are always
possible. Practical implementations of such firmware updates are SFU (secure firmware update) and IAP
(in‑application‑programming). See examples in related documents AN4657, AN5056, AN5544, and AN5447 to
learn more.
The table below summarizes the RDP protections.
Table 12. RDP protections
Area
RDP
level
Boot from user flash
memory
Debug or boot from SRAM or from bootloader
Read Write Erase Read Write Erase
Flash main memory
0
Yes Yes Yes Yes Yes Yes
1 Yes Yes Yes No No No
2 Yes Yes Yes N/A N/A N/A
System memory
0 Yes No No Yes No No
1 Yes No No No No No
2 Yes No No N/A N/A N/A
Option bytes
0 Yes Yes Yes Yes Yes Yes
1 Yes Yes Yes Yes Yes Yes
2 Yes No No N/A N/A N/A
Other protected assets
(1)
0 Yes Yes Yes Yes Yes Yes
1 Yes Yes N/A No No No
2 Yes Yes N/A N/A N/A N/A
1. Backup registers/SRAM
When to use the RDP
On a consumer product, the RDP must always be set at least at level 1. This prevents basic attacks through
the debug port or through the bootloader. However, in RDP level 1, there is a risk of service denial caused by a
flash memory mass erase, following a return to RDP level 0.
The RDP level 2 is mandatory to implement an application with higher security level (such as immutable code).
The drawback is that the RDP level 2 can prevent a device examination, for instance after a customer return.
The RDP level 0.5 is used to debug a nonsecure application, while protecting contents within secure area
boundaries from debug access. Refer to section 'Development recommendations using TrustZone®' of the
application note Arm
®
TrustZone
®
features on STM32L5 and STM32U5 series (AN5347) for more information
about this protection.
Note: The RDP is available on all STM32 device, unless succeeded by the lifecycle management product state (see
Section 6.3).
6.3
Lifecycle management–product state
The addition of RDP 0.5 into the RDP mechanism used by the STM32 enabled the necessary isolation between
secure and nonsecure development. However, the RDP does not allow going further in the user experience with
the adoption of new development and OEM manufacturing models. The RDP has been replaced by the product
state, a more refined lifecycle management system, on the STM32H5 devices as pilot project. The product state
is also an answer to the needs of customers requesting a state that is effectively an RDP2 to the outside world
and it allows them to perform a regression in the controlled environment. A similar provision was also added to
the STM32U5 series, but the product state enabled finer control over delegating the debugging rights.
AN5156
Lifecycle management–product state
AN5156 - Rev 8
page 31/56
To Next Page
Loading...
Need help?
General
