6 STM32 security features
This section presents all the STM32 features that can be gathered to meet the different security concepts
presented in previous sections, and to achieve a high level of security.
6.1 Overview of security features
6.1.1 Static and dynamic protections
A distinction can be made depending on whether protection features are static or dynamic:
• Static protections refer to features that are set with option bytes. Their configuration is retained at power
off.
Static protections are RDP (or product state), PCROP, WRP, BOR, OTP, and secure hide protection (when
available).
• Dynamic (or run time) protections do not retain their status at reset. They have to be configured at each
boot (for example during Secure boot (SB) ).
Dynamic protections provided by STM32 include MPU, tamper detection, and firewall.
Other dynamic protections are related to both security and safety. An abnormal environment behavior may
be accidental (safety) or intentional, in order to carry out an attack. These protections include clock and
power monitoring systems, memory integrity bits, and independent watchdog (IWDG).
6.1.2 Security features by STM32 devices
Table 9. Security features for STM32C0, STM32F0/1/2/3/4, STM32G0/4 devices
Feature STM32C0 STM32F0 STM32F1 STM32F2 STM32F3 STM32F4 STM32G0 STM32G4
Cortex core Cortex‑M0+ Cortex‑M0 Cortex‑M3 Cortex‑M3 Cortex‑M4 Cortex‑M4 Cortex‑M0+ Cortex‑M4
RDP
additional
protection
Bad OBL
recovery
Backup
registers
2 level RDP
only
Backup
SRAM
Backup
registers
Backup
SRAM
Backup
registers
Backup
registers,
CCMSRAM
Flash WRP
By area with
2‑Kbyte
granularity,
two areas
available
By sectors
(4 Kbytes)
By pages (4 K
or 8 Kbytes)
By sectors
(16 K, 64 K,
or
128 Kbytes)
By sectors
(4 Kbytes)
By sectors
(16 K, 64 K,
or
128 Kbytes)
By area with
2‑Kbyte
granularity,
two areas
available
By page (2 K
or 4 Kbytes)
SRAM WRP No No No No No No No
CCM SRAM,
with 1‑Kbyte
granularity
PCROP
By area with
256‑byte
granularity,
one area per
bank
No No No No By sectors
By area with
512‑byte
granularity,
two areas
available
By area with
64‑ or 128‑bit
granularity, up
to two areas
HDP
Yes
(securable
memory area)
No No No No No Yes (securable memory area)
Firewall No No No No No No No No
MPU Yes No
Yes
(1)
Yes
Yes
(2)
Yes Yes Yes
OTP 1 Kbyte No No Yes Yes 512 bytes 1 Kbyte 1 Kbyte
UBE
(3)
Yes (boot lock
feature)
No No No No No
Yes (boot lock
feature)
Yes
Internal
tamper
detection
No No No No No No Yes Yes
Hardware
crypto
No No No AES, HASH No AES, HASH AES
AN5156
STM32 security features
AN5156 - Rev 8
page 27/56
To Next Page
Loading...
Need help?
General
