Image encryption
The TOE is certified with image encryption capability enabled and with the use of encrypted firmware images.
With the image encryption capability enabled, the firmware image can be provided either in clear format or in
AES-CTR-128 encrypted format; the encrypted format ensures the confidentiality of the image data. The flexibility
for an integrator to use a clear image without compromising the TOE security does not fall within the scope of this
evaluation, and it is not the certified configuration. The image encryption capability is enabled by defining
MCUBOOT_ENC_IMAGES in the TFM_SBSFU_Boot\Inc\mcuboot_config\mcuboot_config.h file.
#define MCUBOOT_ENC_IMAGES /* Defined: Image encryption enabled. */
It is possible to disable image encryption support to reduce the memory footprint of the TFM_SBSFU_Boot
application. The flexibility for an integrator to disable the image encryption support without compromising the TOE
security does not fall within the scope of this evaluation, and it is not the certified configuration.
Anti-tamper
The TOE is certified with the internal tamper detection configuration. In this configuration, the anti-tamper
protection monitors the backup domain voltage threshold and faults in the cryptographic IPs (SAES, AES, PKA or
TRNG). This configuration is achieved by setting the define TFM_TAMPER_ENABLE to INTERNAL_TAMPER_ONLY in
the TFM_SBSFU_Boot\Inc\boot_hal_cfg.h file.
#define NO_TAMPER (0) /*!< No tamper activated */
#define INTERNAL_TAMPER_ONLY (1) /*!< Only Internal tamper activated */
#define ALL_TAMPER (2) /*!< Internal and External tamper activated */
#define TFM_TAMPER_ENABLE INTERNAL_TAMPER_ONLY /*!< TAMPER configuration flag */
It is possible to enable more tamper detection sources (external tamper detection in addition to the internal one,
or additional internal tamper sources).
The flexibility for an integrator to enable more tamper detection without compromising the TOE security falls within
the scope of this evaluation, but it is not the certified configuration (Implementation ID value is changed, refer to
Section 3.1 Secure acceptance).
It is also possible to disable internal tamper detection. The flexibility for an integrator to disable internal tamper
detection without compromising the TOE security does not fall within the scope of this evaluation, and it is not the
certified configuration.
Standalone external loader capability
The TOE is certified with the standalone external loader capability enabled. In this configuration, when no valid
image is installed in the primary slot and no new valid image candidate is present in the secondary slot, or when
the user button is pressed during reset on the B-U585I-IOT02A board (GPIO port C, pin 13 state set), the TOE hides
the security assets before jumping to the non-secure standalone external loader application. The standalone
external loader then allows a new firmware image to be downloaded.
This configuration is achieved by defining MCUBOOT_EXT_LOADER in the Linker\flash_layout.h file.
#define MCUBOOT_EXT_LOADER /* Defined: Add external local loader application. To enter it, press the user button at reset. Undefined: No external local loader application. */
The integrator can change the external loader implementation, for example by using a communication channel
other than UART or a protocol other than YModem. The laboratory has assessed the security of using, and of not
using, the standalone loader application. Even though the standalone loader application is outside the TOE and has
very limited permissions (immutable trusted code located in the non-secure domain), the integrator has to use the
standalone loader application without any modification in order to stay in the certified configuration. If the
integrator nevertheless wishes to replace the standalone loader with his own loader, he will have to integrate that
code into his own certification scheme.
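The three configuration knobs above (image encryption, anti-tamper mode, standalone external loader) each come with a statement of whether a deviation stays within the evaluation scope. The following C translation unit is an added example, not code from UM2852 or from the TF-M/STM32 project: it mirrors those knobs with stand-in macros (the real values come from mcuboot_config.h, boot_hal_cfg.h and flash_layout.h), refuses to build a non-certified configuration when a hypothetical REQUIRE_CERTIFIED_CONFIG flag is set, and classifies a build as certified, in scope but not certified, or out of scope according to the rules stated in this section. The build_config_t fields and the classification function are assumptions introduced for the example.

```c
/*
 * Added example (not from UM2852 or the TF-M/STM32 project): audit of a
 * TFM_SBSFU_Boot build against the certified configuration.
 */
#include <stdbool.h>
#include <stdio.h>

/* Stand-ins for the project's own headers so this file compiles alone.
 * In a real build these come from mcuboot_config.h, boot_hal_cfg.h and
 * flash_layout.h and must NOT be redefined here. */
#ifndef NO_TAMPER
#define NO_TAMPER            (0) /* No tamper activated */
#define INTERNAL_TAMPER_ONLY (1) /* Only internal tamper activated */
#define ALL_TAMPER           (2) /* Internal and external tamper activated */
#endif
#ifndef TFM_TAMPER_ENABLE
#define TFM_TAMPER_ENABLE INTERNAL_TAMPER_ONLY
#endif
#ifndef MCUBOOT_ENC_IMAGES
#define MCUBOOT_ENC_IMAGES
#endif
#ifndef MCUBOOT_EXT_LOADER
#define MCUBOOT_EXT_LOADER
#endif

/* Build-time guard (hypothetical -DREQUIRE_CERTIFIED_CONFIG flag): stop the
 * build if any knob differs from the certified configuration. */
#ifdef REQUIRE_CERTIFIED_CONFIG
#  ifndef MCUBOOT_ENC_IMAGES
#    error "certified configuration requires MCUBOOT_ENC_IMAGES"
#  endif
#  if TFM_TAMPER_ENABLE != INTERNAL_TAMPER_ONLY
#    error "certified configuration requires TFM_TAMPER_ENABLE == INTERNAL_TAMPER_ONLY"
#  endif
#  ifndef MCUBOOT_EXT_LOADER
#    error "certified configuration requires MCUBOOT_EXT_LOADER"
#  endif
#endif

typedef struct {
    bool image_encryption;    /* MCUBOOT_ENC_IMAGES defined */
    int  tamper_mode;         /* value of TFM_TAMPER_ENABLE */
    bool ext_loader;          /* MCUBOOT_EXT_LOADER defined */
    bool ext_loader_modified; /* integrator replaced the stock loader */
} build_config_t;

typedef enum {
    CONFIG_CERTIFIED,              /* exactly the evaluated configuration */
    CONFIG_IN_SCOPE_NOT_CERTIFIED, /* assessed by the laboratory; Implementation ID changes */
    CONFIG_OUT_OF_SCOPE            /* not covered by this evaluation */
} config_status_t;

/* Rules taken from the guidance: disabling image encryption or internal
 * tamper detection leaves the evaluation scope, as does replacing the
 * loader (integrator's own certification scheme); adding tamper sources or
 * not using the stock loader was assessed but is not the certified setup. */
config_status_t classify_config(const build_config_t *c)
{
    if (!c->image_encryption || c->tamper_mode == NO_TAMPER || c->ext_loader_modified)
        return CONFIG_OUT_OF_SCOPE;
    if (c->tamper_mode == INTERNAL_TAMPER_ONLY && c->ext_loader)
        return CONFIG_CERTIFIED;
    return CONFIG_IN_SCOPE_NOT_CERTIFIED;
}

/* The configuration this translation unit was actually compiled with. */
build_config_t current_build_config(void)
{
    build_config_t c;
#ifdef MCUBOOT_ENC_IMAGES
    c.image_encryption = true;
#else
    c.image_encryption = false;
#endif
    c.tamper_mode = TFM_TAMPER_ENABLE;
#ifdef MCUBOOT_EXT_LOADER
    c.ext_loader = true;
#else
    c.ext_loader = false;
#endif
    c.ext_loader_modified = false; /* stock loader assumed unless the integrator says otherwise */
    return c;
}

const char *config_status_name(config_status_t s)
{
    switch (s) {
    case CONFIG_CERTIFIED:              return "certified";
    case CONFIG_IN_SCOPE_NOT_CERTIFIED: return "in scope, not certified";
    default:                            return "out of scope";
    }
}

int main(void)
{
    build_config_t c = current_build_config();
    printf("build configuration: %s\n", config_status_name(classify_config(&c)));
    return 0;
}
```

Compiled with the stand-in defaults the program reports the certified configuration; an integrator who enables ALL_TAMPER gets "in scope, not certified" and must expect a different Implementation ID at secure acceptance, while a build without MCUBOOT_ENC_IMAGES is reported as out of scope.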
UM2852
Operational guidance for the integrator role
UM2852 - Rev 1
page 12/27