STM32MP157C: Security Overview
The STM32MP157C Discovery Kit 2 is a Microcontroller designed and produced by ST Microelectronics. The discovery kit serves primarily development and educational purposes. The regular version's primary areas of application are smart home control, real-time applications, embedded neural networks and edge computing. The STM32MP157C employs ARM TrustZone technology to ensure isolation between applications and divides operating systems and applications into secure and non-secure categories. This Microcontroller has Secure Boot and Secure Firmware Upgrade capabilities. Support for operating systems not approved by ST is nearly non-existent, with only limited portability for RIOT-OS and Zephyr.
Main features include:
- Dual Processor Architecture (Cortex-A7 and Cortex-M4)
- Dedicated GPU
- OpenSTLinux Distribution pre-installed
- Android operating system also available
- 800x480 px Touch Display
- Employs ARM TrustZone technology for security
Below is an abbreviated overview of the technical data for the STM32MP157C:
- ARM Cortex-A7 32-bit Dual-Core @ 640 MHz
- ARM Cortex-M4 32-bit @ 209 MHz
- External DDR memory up to 1 GB possible
- Internal memory: 708 KB SRAM, 256 KB AXI SYSRAM, 384 KB AHB SRAM and 64 KB AHB SRAM in backup domain
- Reset/Power Management
- 1.71 V to 3.6 V I/Os supply (5 V-tolerant I/Os)
- Internal temperature sensors
- Low-power modes (sleep, stop and standby)
- DDR memory retention in standby
- Low power consumption (down to 2 microampere in standby)
- Clock management (internal and external oscillators)
- General Purpose Input/Output (GPIO)
- 176 I/O ports with interrupt capability possible
- 8 secure I/Os, 3 tamper pins, 1 active tamper pin
- 3 DMA controllers
- 37 communication peripherals (6x I2C, 8x UART/USART, 6x SPI, 4x SAI, HDMI, 3x SDMMC, 4x USB-A, Gigabit Ethernet, camera interface)
- 6 analog peripherals (2x ADC, 2x DAC, temperature sensor, digital filter for sigma delta modulator)
- 29 timers and 3 watchdogs possible
- Secure Boot, TrustZone peripherals and active tamper detection
- Cortex-M4 resource isolation
- Hardware acceleration (AES, SHA, HMAC, CRC)
Areas of Application
- Smart Home Control: Access point and remote control for various smart home appliances including real-time applications with audio/video streams, like video doorbells or alarm systems.
- Embedded Neural Networks: The Cortex-A7 main processor has native support for TensorFlow Lite on Linux systems to support Embedded Neural Networks. The STM32Cube.AI is pre-configured on the co-processor Cortex-M4 and can handle machine learning tasks in an Embedded System.
- Edge Computing: The STM32MP157C has better processing power than most Microcontrollers used in Embedded Systems and is comparable in power to a Raspberry Pi (Generation 2). This is why it can be used in edge computing scenarios where data must be processed near the Embedded Systems that collect the data.
ARM TrustZone technology provides the means to isolate security-critical components of a Microcontroller. This is also called a Trusted Execution Environment (TEE). TrustZone separates applications by level of trust into a Normal World, which is non-secure or less secure, and a Secure World, in which only trusted applications and secure operating systems are allowed.
- Normal World runs a general purpose OS (Linux/Android) and non-secure applications
- Secure World runs a secure OS like OP-TEE OS (Open Portable Trusted Execution Environment) or FreeRTOS and trusted applications
The STM32MP157C also includes a TrustZone protection controller (ETZPC) to secure internal memory and peripherals and a TrustZone address space controller (TZC) to secure external DDR memory.
Hardware Acceleration for Cryptography, Hashing and CRC
The cryptographic and hash processors (CRYPT1, CRYPT2, HASH1 and HASH2) support the following algorithms:
- DES/TDES (up to 192-bit keys)
- AES in ECB, CBC, GCM, CCM and CTR modes (up to 256-bit keys)
- SHA-1, SHA224 and SHA256 (secure hash algorithms)
STM32MP157C also has two dedicated units for cyclic redundancy checks (CRC1, CRC2).
The STM32MP1 can use secure boot, which has to be enabled manually and requires an ECC public key to be supplied. The boot chain itself includes two bootloaders, which are needed to ensure isolation between the Secure World and the Normal World under TrustZone.
- The ROM code starts the processor in secure mode. It authenticates the first-stage bootloader and offers authentication services to it.
- The first-stage bootloader (FSBL) is executed from the internal memory and uses TF-A (Trusted Firmware-A). The FSBL loads the second-stage bootloader and switches to it.
- The Second stage bootloader (SSBL) uses U-Boot, the Universal Boot Loader, which is a commonly used open-source bootloader in Embedded Systems.
- The co-processor firmware can be started at the SSBL level by U-Boot or later by Linux.
Secure Firmware Updates
Secure Firmware Updates use TF-A (Trusted Firmware-A) Firmware Image Packages (FIP)
- FIP include updates for U-Boot and OP-TEE
- TF-A itself is never updated during this process
- Older versions of the FIP are kept in backup
If the new firmware fails to run after a predefined number of attempts, the last working FIP is loaded instead.
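As an added example (constructed here, not TF-A's or U-Boot's own update code), the following Go model shows the fallback rule just described: a newly staged FIP gets a predefined number of trial boots, and if it has not been confirmed good by then, or its image no longer matches the digest recorded when it was written, the last working FIP is restored. FipSlot, FipBootState, MaxAttempts and the per-boot counting are hypothetical; the real boot chain keeps this state in its own way.

```go
package main

import (
	"crypto/sha256"
	"errors"
)

// FipSlot is a constructed model of one stored Firmware Image Package
// (U-Boot plus OP-TEE). Digest is recorded when the slot is written so a
// corrupted package is detected before it is booted.
type FipSlot struct {
	Label  string
	Image  []byte
	Digest [32]byte
}

func NewFipSlot(label string, image []byte) FipSlot {
	return FipSlot{Label: label, Image: image, Digest: sha256.Sum256(image)}
}

// FipBootState is what the FSBL would keep across resets: the active
// package, the last known-good package and the trial-boot counter.
type FipBootState struct {
	Active, Backup FipSlot
	Attempts       int // boots of Active not yet confirmed good
	MaxAttempts    int // predefined number of attempts before fallback
}

// Stage installs a new FIP; the package that was active becomes the backup.
func (s *FipBootState) Stage(newFip FipSlot) {
	s.Backup, s.Active, s.Attempts = s.Active, newFip, 0
}

// Select returns the package to load on this boot. Active gets at most
// MaxAttempts trial boots (counted here, before it runs); once they are used
// up, or if its image no longer matches its digest, the backup is restored.
func (s *FipBootState) Select() (FipSlot, error) {
	if s.Attempts < s.MaxAttempts && sha256.Sum256(s.Active.Image) == s.Active.Digest {
		s.Attempts++
		return s.Active, nil
	}
	if sha256.Sum256(s.Backup.Image) != s.Backup.Digest {
		return FipSlot{}, errors.New("no bootable FIP: backup is corrupt too")
	}
	s.Active, s.Attempts = s.Backup, 0 // revert to the last working FIP
	return s.Active, nil
}

// Confirm is called by firmware that came up correctly; it resets the counter.
func (s *FipBootState) Confirm() { s.Attempts = 0 }
```

Counting the attempt before the package runs, rather than after, is what makes a firmware that hangs or resets still consume an attempt.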
Additional Security Features
- Tamper Pins
- Detect tampering with the device (by voltage edge detection)
- Can trigger emptying of backup registers and generate an RTC timestamp
- True (Hardware) Random Number Generators (RNG1, RNG2)
- RNG1 can be configured to be Secure World-use only
Usage of other (secure) Embedded Operating Systems
Official operating system support is restricted to OpenSTLinux and Android for the STM32MP1 family of Microcontrollers. Other operating systems will encounter issues with missing drivers. The Cortex-A7 can be used bare-metal with some effort, as can be seen here, but this is only relevant for specialized tasks like real-time audio processing. The Cortex-M4 co-processor can be used to run other operating systems either in engineering mode or by executing them directly from OpenSTLinux via the remoteproc framework. Even then most operating systems are severely limited in their capabilities.
| OS | Level of Support |
|---|---|
| RIOT-OS | GPIO functionality is supported; one UART and one 32-bit timer are supported as well |
| Zephyr | Similar to RIOT-OS, with more functioning features, which include NVIC, I2C and SPI |
| FreeRTOS | No support, but FreeRTOS can be used officially as middleware in the STM32MP1 development stack |
| Mbed OS | No support for the board |
| Contiki-NG | No support for the board |
| Apache MyNewt | No information on the support status could be found |