TOE specific information personalization
The integrator also has the privilege and responsibility of configuring the cryptographic keys used by the TOE to authenticate the secure image and the non-secure image, and of configuring the information (cryptographic keys and instance ID) used by the TOE to compute the token value for platform attestation. All this information must be kept confidential until it is provisioned inside the STM32U585xx chip and until the STM32U585xx IC security is fully activated. Once the STM32U585xx IC security is fully activated, the confidentiality of the product security assets is ensured by the STM32U585xx IC security protections. However, if the customer cannot rely on a trusted environment (such as trusted manufacturing) to provision the data and to activate the STM32U585xx IC security protection, then the secure firmware installation service embedded inside the STM32U585xx (refer to document AN4992) may be used. Any failure in this responsibility can result in the creation of malicious firmware, or in computing wrong information to attest the Identification of platform type and the Identification of individual platform, which violates the assumptions made in the security target. The integrator must therefore implement appropriate security measures in its environment to protect the keys involved in signing the IoT application binary and the information involved in computing the Entity attestation token.
To personalize this information, the integrator must build the Integrator Perso data binary and program it into the Integrator Perso data area as defined in Section 3.3 Secure installation. For details on how to personalize the Integrator Perso data area, refer to UM2851.
The personalization of the Integrator Perso data is within the scope of the certified configuration.
Integrator specific secure functions integration
The integrator can choose to enable the application RoT partition and add its own secure functions, specific to its product, inside the secure domain in the unprivileged part (an isolated execution domain configured by the TOE). The integrator must use the PSA API to access the TOE and must comply with the TOE rules to export these new secured services to the non-secure application. The integrator must adapt the memory layout if the size of the secure application is bigger than the secure image primary slot size.
The TOE is certified without any secured functions inside the application RoT. To obtain this configuration, the compilation option TFM_PARTITION_APP_ROT must be deactivated in the Linker\flash_layout.h file, as in the following line of that file:
/* #define TFM_PARTITION_APP_ROT */ /* comment to remove APP_ROT partition */
The flexibility for an integrator to add its secured services in the isolated secure or unprivileged domain managed by the TOE, without compromising the TOE security, falls within the scope of this evaluation, but it is not the certified configuration (the SHA256 value of the secure application changes; refer to Section 3.1 Secure acceptance).
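As an added example (not part of UM2852 or of the TF-M project code), the following Python script performs the two integrator-side checks implied above: it parses a copy of Linker\flash_layout.h to confirm that TFM_PARTITION_APP_ROT is commented out, and it computes the SHA256 of the secure application binary for comparison against the reference value of Section 3.1 Secure acceptance. The flash_layout.h excerpts, the sample image bytes and the expected hash are constructed placeholders, not values from the manual.

```python
import hashlib
import re

# Constructed excerpts standing in for Linker\flash_layout.h (placeholders, not the real file).
FLASH_LAYOUT_CERTIFIED = """
/* #define TFM_PARTITION_APP_ROT */ /* comment to remove APP_ROT partition */
#define TFM_PARTITION_PROTECTED_STORAGE
"""
FLASH_LAYOUT_MODIFIED = """
#define TFM_PARTITION_APP_ROT /* integrator enabled the application RoT */
"""


def strip_c_comments(src: str) -> str:
    """Remove /* ... */ and // comments so that commented-out defines are ignored."""
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.S)
    return re.sub(r"//[^\n]*", "", src)


def app_rot_enabled(flash_layout_src: str) -> bool:
    """True when an active (uncommented) #define TFM_PARTITION_APP_ROT is present."""
    code = strip_c_comments(flash_layout_src)
    pattern = r"^[ \t]*#[ \t]*define[ \t]+TFM_PARTITION_APP_ROT\b"
    return re.search(pattern, code, flags=re.M) is not None


def sha256_hex(data: bytes) -> str:
    """SHA256 of the secure application binary, as compared in Section 3.1."""
    return hashlib.sha256(data).hexdigest()


def check_certified_configuration(flash_layout_src: str, secure_image: bytes,
                                  expected_sha256: str) -> list:
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    if app_rot_enabled(flash_layout_src):
        findings.append("TFM_PARTITION_APP_ROT is active: not the certified configuration")
    actual = sha256_hex(secure_image)
    if actual != expected_sha256.lower():
        findings.append("secure image SHA256 mismatch: got %s" % actual)
    return findings


if __name__ == "__main__":
    # Constructed sample image; the expected value is derived here only for the demo.
    image = b"constructed secure application image"
    reference = sha256_hex(image)  # placeholder for the Section 3.1 reference value
    print(check_certified_configuration(FLASH_LAYOUT_CERTIFIED, image, reference))
    print(check_certified_configuration(FLASH_LAYOUT_MODIFIED, image, "00" * 32))
```

Read the real flash_layout.h and the built secure image from disk in place of the constructed strings; a non-empty findings list means the build is outside the certified configuration.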
Secure Storage size change
The integrator can also choose to change the size of the secure storage areas located in the TOE (the size of the protected storage area used by the Protected Storage API of the TOE, or the size of the internal trusted storage area used by the Internal Trusted Storage API). The laboratory has assessed the security of modifying the size of the secure storage area. However, to remain in the certified configuration, the integrator must not modify the secure storage size.
Non-secure application change
The integrator can also choose to replace the non-secure application with its own non-secure application, without changing the Flash memory layout defined in UM2851. The certified configuration allows the installation of any non-secure application.
Non-secure application size change
The integrator can also choose to change the size of the non-secure application, which means changing the global internal Flash or SRAM layout defined in UM2851.
The laboratory has assessed the security of modifying the non-secure image slot size. However, to remain in the certified configuration, the size of the non-secure image slots must not be modified.
UM2852
Operational guidance for the integrator role
UM2852 - Rev 1
page 13/27