Secure Boot and Secure Firmware Update (SBSFU) UM2262
16/94 UM2262 Rev 6
Firmware update runs through the following steps:
1. If a firmware update is needed, a new encrypted firmware image is created and stored
in the server.
2. The new encrypted firmware image is sent to the device deployed in the field through
an untrusted channel.
3. The new image is downloaded, checked and installed.
Firmware update can be done on the complete firmware image, or only on a portion of the
firmware image (only for dual-image configuration).
Firmware update is vulnerable to the threats presented in Section 3.1: Product security
introduction: cryptography is used to ensure confidentiality, integrity and authentication.
Confidentiality is implemented so as to protect the firmware image, which may be a key
asset for the manufacturer. The firmware image sent over the untrusted channel is
encrypted so that only devices having access to the encryption key can decrypt the firmware
package.
Integrity is verified so as to be sure that the received image is not corrupted.
Authenticity check aims to verify that the firmware image is coming from a trusted and
known source, in order to prevent unauthorized entities to install and execute code.
3.4 Cryptography operations
The X-CUBE-SBSFU STM32Cube Expansion Package is delivered with four cryptographic
schemes using both asymmetric and symmetric cryptography.
The default cryptographic scheme demonstrates ECDSA asymmetric cryptography for
firmware verification and AES-CBC symmetric cryptography for firmware decryption.
Thanks to asymmetric cryptography, the firmware verification can be performed with public-
key operations so that no secret information is required in the device.
The alternative cryptographic schemes provided in the X-CUBE-SBSFU Expansion
Package are:
• ECDSA asymmetric cryptography for firmware verification with AES-CBC or AES-CTR
symmetric cryptography for firmware encryption
• ECDSA asymmetric cryptography for firmware verification without firmware encryption
• X509 certificate-based ECDSA asymmetric cryptography for firmware verification
without firmware encryption
• AES-GCM symmetric cryptography for both firmware verification and encryption.
Table 3 presents the various security features associated with each of the cryptographic
schemes.
To Next Page
Loading...
Need help?
General
