6.5.3 Memory and peripheral protections
The SAU defines the transaction security attribute, and the bus infrastructure propagates this attribute towards
the targets. The targets (memories and peripherals) are protected by hardware mechanisms that filter the access
depending on the secure and privileged attributes.
There are two types of peripherals in the TrustZone® system architecture:
• TrustZone-aware peripherals: connected directly to the AHB or APB bus, with a specific TrustZone®
behavior such as a subset of secure registers. The access filtering control is included in these peripherals
• Securable peripherals: protected by an AHB/APB firewall gate controlled by the GTZC to define
security properties
TrustZone-aware peripherals are the ones with a bus master role (DMAs), the GTZC, the flash memory
controller, and other peripherals with a fundamental role within the system (PWR, RTC, system configuration).
The remaining system peripherals are securable.
The GTZC defines the access state of securable peripherals, embedded SRAM, and external memories:
• Peripherals can be set as secure or nonsecure (exclusively), and privileged or unprivileged, using the TZSC.
• Embedded SRAM is protected by blocks of 256 bytes through the MPCBB.
• External memories are protected by regions (watermark: start and length). The number of protected
regions depends on the memory types (NAND, NOR, or OCTOSPI).
• Illegal access events lead to secure interrupts generated by TZIC.
Note: The flash memory security attribute is defined through secure watermark option bytes, and/or flash memory
interface block-based registers.
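As an added example (not code from AN5156 or any ST library), the following C helper models the block-based SRAM protection described above: one bit per 256-byte block, and a range is accepted only when it is block-aligned and inside the SRAM, so that no block ends up partially shared between the secure and nonsecure worlds. The word layout (32 blocks per 32-bit word), the `mpcbb_map_t` structure and the function names are assumptions, not the device register map.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed model of a block-based SRAM controller: one bit per
 * 256-byte block (the granularity stated above), 32 blocks per 32-bit
 * word. Word layout and names are assumptions, not the STM32 registers. */
#define MPCBB_BLOCK_SIZE      256u
#define MPCBB_BLOCKS_PER_WORD 32u
#define MPCBB_MAX_WORDS       8u   /* 8 * 32 * 256 B = 64 KB modelled */

typedef struct {
    uint32_t sram_base;                 /* first address covered */
    uint32_t sram_size;                 /* bytes covered, <= 64 KB here */
    uint32_t secure[MPCBB_MAX_WORDS];   /* bit set => block is secure */
} mpcbb_map_t;

/* Mark [start, start + len) as secure. The range must be 256-byte aligned
 * and lie inside the SRAM; otherwise nothing is changed and false is
 * returned. Rounding silently would either leave secure data in a block
 * still readable by the nonsecure world, or take nonsecure memory away. */
bool mpcbb_set_secure(mpcbb_map_t *m, uint32_t start, uint32_t len)
{
    const uint32_t capacity = MPCBB_MAX_WORDS * MPCBB_BLOCKS_PER_WORD * MPCBB_BLOCK_SIZE;
    if (len == 0u || m->sram_size > capacity)
        return false;
    if ((start % MPCBB_BLOCK_SIZE) != 0u || (len % MPCBB_BLOCK_SIZE) != 0u)
        return false;
    if (start < m->sram_base)
        return false;
    uint32_t off = start - m->sram_base;
    if (off >= m->sram_size || len > m->sram_size - off)   /* no wrap-around */
        return false;

    uint32_t first = off / MPCBB_BLOCK_SIZE;
    uint32_t count = len / MPCBB_BLOCK_SIZE;
    for (uint32_t b = first; b < first + count; b++)
        m->secure[b / MPCBB_BLOCKS_PER_WORD] |= 1u << (b % MPCBB_BLOCKS_PER_WORD);
    return true;
}

/* Security attribute a transaction to addr would see (true = secure).
 * Addresses outside the modelled SRAM are reported as nonsecure. */
bool mpcbb_is_secure(const mpcbb_map_t *m, uint32_t addr)
{
    if (addr < m->sram_base || addr - m->sram_base >= m->sram_size)
        return false;
    uint32_t b = (addr - m->sram_base) / MPCBB_BLOCK_SIZE;
    return (m->secure[b / MPCBB_BLOCKS_PER_WORD] >> (b % MPCBB_BLOCKS_PER_WORD)) & 1u;
}
```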
6.6 Flash memory write protection (WRP)
The write protection feature is used to protect the content of the specified memory area against erase or update.
For flash memory technology, an update must be considered as filling with zeros.
For instance, the write protection can be set on a page or a sector of a flash memory to prevent its alteration
during a firmware or data update. It can also be set by default on the unused memory area to prevent
any malware injection. Its granularity is linked to the page or sector size.
When to use the WRP
This protection must be used in particular when write operations are foreseen within the application, which is
the case if data storage or code update operations are expected. The WRP prevents wrong accesses due to
unsafe functions causing unexpected overflows.
Note: The WRP is available on all STM32 devices.
6.7 Execute-only firmware (PCROP)
Part of the STM32 flash memory can be configured with an 'execute-only' attribute. The firmware stored in such
configured area can only be fetched by the CPU instruction bus. Any attempt to read or write this area is
forbidden. The protection applies against both internal (firmware) accesses as well as external (debug port)
accesses. In an STM32 device, this feature is named proprietary code readout protection (PCROP).
The PCROP is a static protection set by option bytes. The number of protected areas and their granularity
depends on the STM32 device (see Section 6.1, Section 6.1, and Section 6.1). When the PCROP is in use, care
must be taken to compile the firmware with the execute-only attribute (refer to user compiler options). Refer to
the document [3] for more details.
In particular, the ARMv6-M instruction set has difficulty working with this constraint. The compiler must be set not
to place constants and literal pools within the program, otherwise even the code execution can eventually trigger
the protection.
When to use the PCROP
The PCROP is used to protect third-party firmware (intellectual property), as well as the most sensitive parts of
the user firmware.
Note: The PCROP is available on all STM32 devices listed in Table 1, except on TrustZone-enabled devices, where it
is superseded by another protection mechanism.
AN5156
Flash memory write protection (WRP)
AN5156 - Rev 8
page 34/56