4.4.5 STM32 memory protections
Several STM32 features are available to cover the various cases considered. They are listed in the table below
with their respective scope, and described in Section 6 STM32 security features.
Table 6. Scope of STM32 embedded memory protection features
Feature
External attack
protection
Internal attack
protection
Flash memory SRAM
RDP Yes No Yes Yes
Firewall No Yes Yes Yes
MPU No Yes Yes Yes
PCROP
(1)
Yes Yes (read/write) Yes No
WRP
(2)
Yes Yes Yes No
HDP Yes Yes Yes
Yes (for execution)
(3)
TrustZone® Yes Yes Yes Yes
1. Support of this feature in Armv6-M products is limited as constant data cannot be stored in NVM.
2. Write protection can be unset when RDP level ≠ 2.
3. The SRAM is protected by a secure area only at secure code execution. It must be cleaned before leaving the secure area.
4.5 Software isolation
The software isolation refers to a runtime mechanism protecting different processes from each other (interprocess
protection). These processes can be executed sequentially or concurrently (for example tasks of operating
system). The software isolation in the SRAM ensures that respective stack and working data of each process
cannot be accessed by the other processes. This interprocess protection can be extended to the code in the flash
memory and nonvolatile data as well.
Goals of the software isolation:
• Prevent a process to spy the execution of another sensitive process.
• Protect a process execution against a stack corruption due to memory leaks or overflow (incorrect memory
management implementation).
This memory protection can be achieved through different mechanisms listed in the table below, and detailed
in Section 6 STM32 security features .
Table 7. Software isolation mechanism
Protection
Type Isolation
MPU Dynamic
By privilege attribute
(1)
Firewall Static By bus address hardware control
Secure hide protection Static Process preemption at reset
Dual core Static
By core ID
(2)
TrustZone®/Security attribute Static and dynamic By secure attribute propagated from the core to all resources
1. The attribute protection is only for CPU access and is not taken into account for other bus master (such as DMA).
2. Reading the CPUID indicates which CPU is currently executing code. An example can be found in the
HAL_GetCurrentCPUID function.
4.6
Debug port and other interface protection
The debug ports provide access to the internal resources (core, memories, and registers) and must be disabled
in the final device. It is the most basic external attack that is easily avoided by deactivating JTAG (or SWD) ports
by a secure and immutable firmware (refer to Section 5.3.1 Secure boot (SB) ), or preferably by permanently
disabling the functionality (JTAG fuse in RDP2).
AN5156
Software isolation
AN5156 - Rev 8
page 21/56
To Next Page
Loading...
Need help?
General
