Method of use:
• Reset the STM32U585xx as defined in RM0456.
• Set the GPIO port C pin 13 (Press the user button on the B-U585I-IOT02A development board) when the
TFM_SBSFU_Boot application is starting to execute.
Parameters:
• None
Actions:
• After having checked the static protections and configured the dynamic protections, the TOE starts
standalone external loader.
• The standalone external loader application allows the user to download a new firmware image.
Errors:
• The standalone local loader execution is failing in the case of corrupted Flash content where the loader
application is located.
4.2.3 Security-relevant events (AGD_OPE.1.4C)
Once configured, TOE detects any unauthorized access and any unexpected configuration as described
hereafter:
• Secure peripheral access violation from any non-secure domain masters (CPU or other masters) is detected
and generates a reset.
• Secure Memories access violation from non-secure domain generates a reset: non‑secure domain (CPU or
other Masters) accessing secure memories (Flash or SRAM) without going through the secure domain entry
point, which means calling the secure callable functions exported to the non-secure domain.
• Secure memory or peripheral access privilege violation resets the product: secure unprivileged domain
(CPU) accessing Secure privilege domain (memory or peripheral) without going through privilege domain
entry point, which means calling the SVC call function.
• Secure DMA privilege access violation:
– Secure DMA privilege access violation on privilege peripherals from the secure unprivileged domain is
transparent (a silent‑fail mechanism):
◦ Any read operations return 0
◦ Any write operations are ignored
– Secure DMA privilege access violation on privilege memories from the secure unprivileged domain is
transparent (a silent‑fail mechanism), so DMA can be used in the secure unprivileged domain with the
current implementation of the TOE.
• Root of Trust Access violation during application execution: Once Root of Trust (immutable
TFM_SBSFU_Boot application managing the secure boot and secure firmware update functions) execution
is finished, it is no more possible to access this area:
– Any access violation from Non-Secure generates a reset as there is no secure callable entry point
exported to enter this secure region.
– Any access violation from Secure privilege or unprivileged domains has no effects:
◦ Any read operations return 0
◦ Any write operations are ignored
◦ Any execution operations are ignored (0X00 Amrv8 operation corresponding to a NOP)
• Images authenticity or integrity violation: in case of corrupted image authenticity or integrity (one of the
images or the 2 images), it is detected during the TOE secure boot procedure launched after any product
reset and the TOE does not start to execute the corrupted images but starts to execute the non‑secure
immutable standalone external loader in a non‑secure area. Using this standalone external loader, new valid
image(s) can be downloaded in the image(s) secondary slots. Once downloaded, these new images are
verified and installed. In case images are corrupted during the application execution, then the problem is
detected at the next product reset.
UM2852
Operational guidance for the integrator role
UM2852 - Rev 1
page 20/27
To Next Page
Need help?
General
