Other serial interfaces can also be used. If the bootloader is available, the device content can be accessed
through I2C, SPI, USART, or USB‑DFU. If the interface is open during the runtime, the application transfer
protocol must limit its access capabilities (such as operation mode or address access range).
Associated STM32 features:
• read protection (RDP)
• disable of unused ports
• bootloader access forbidden (configured by RDP in STM32 devices)
4.7
Boot protection
The boot protection secures the very first software instructions in a system. If an attacker succeeds in modifying
the device boot address, he/she can execute his/her own code, to bypass initial dynamic protections configuration
or to access unsecured bootloader applications that give access to the device memory.
A microcontroller usually allows the boot configuration in order to choose between starting at user application,
at bootloader application, or at the SRAM located firmware. The boot protection relies on a single entry point to
a trusted code that can be the user application, or a secure service area if available (RSS).
Associated STM32 features:
• read protection (RDP)
• unique boot entry
• secure hide protection (HDP)
• TrustZone
4.8 System monitoring
The monitoring of the device power supply and environment can be set to avoid malfunction and to take
corresponding countermeasures. Some mechanisms, like tamper detection, are dedicated to security. Other
mechanisms are primarily used for safety reason but can serve security as well. For example, the detection of a
power down or external clock disconnection can be unintentional (safety) but can also reveal an attack (security).
Tamper detection is used to detect system/board level intrusions. The opening of a consumer product enclosure
can be detected on an MCU pin and trigger appropriate actions. Internal tamper sensors are capable of detecting
irregular voltage, temperature, or other parameters.
Clock security system is used to protect against external oscillator failures. If a failure is detected on the
external clock, the microcontroller switches to the internal clock in order to safely execute. The interrupt signal
allows the firmware to react to the clock failure event.
Power supply and voltage level can be monitored to detect abnormally-low voltage level. Below a certain voltage
value, the normal behavior cannot be guaranteed and it may be the sign of a fault injection attack.
Device temperature can be measured with an internal sensor. The information is feedbacked to the device
through an internal ADC channel. A monitoring application can take appropriate actions according to the
temperature range. Increased temperature may be part of a fault injection attack scheme.
Associated STM32 features:
• tamper protection (with RTC component)
• clock security system
• power supply supervision
• temperature sensor
AN5156
Boot protection
AN5156 - Rev 8
page 22/56
To Next Page
Loading...
Need help?
General
