Edge-Connected Microcontroller Security (A study of STM32H573 platform)

SIOTLAB/EdgeConnectedMCUSec

Overview

With a wide range of applications and the rise of cyberattacks, securing MCUs has become imperative; however, ensuring MCU performance is also crucial given how interconnected today’s systems are. This project examines the security and performance of next-generation microcontroller units (MCUs) leveraging new security solutions for IoT edge applications. By benchmarking these MCUs against key performance metrics, their viability will be assessed to facilitate the widespread adoption of this new firmware.

This project utilizes the STM32 toolchain and Nordic Semiconductor PPK II along with the nRF software. See the slides for more information.

Navigation

To navigate to the source code, choose a project (e.g., UnoI2C) and select the Core directory for non-secure projects, or the Secure directory and then the Core directory for secure projects. Within Core there should be an Src folder, which contains the code used in the selected application.

How-To Guide

Developing Purely Secure/Non-Secure Applications

Adapted from: https://wiki.st.com/stm32mcu/wiki/Security:How_to_start_with_STM32CubeMX_STiRoT_Boot_path_on_STM32H57

STM32CubeMX

  1. Click on Access to MCU Selector and select our device, the STM32H573I-DK, from the Series column
  2. Create the project and enable TrustZone
  3. Specify project name and path
    1. Select Secure or Non-secure project based on the use case (if both apply, select both)
    2. Toolchain as STM32Cube IDE
  4. Go to File > Save Project

Once the project has been created…

  1. In Pinout and Configuration, click on pins for use case > GPIO_Output
    1. Use Pin Reserve to choose whether the pin is reserved for Secure or Non-Secure (Cortex-M33 Secure vs. Cortex-M33 non-secure)
    2. Optional but recommended: Enter a user label for pins
    3. Note: Consult external documentation to know which LEDs to use
  2. For pin reservation for I2C and others
    1. For I2C, make sure SCL is PB6 and SDA is PB7
    2. LEDs
      1. LED1 is PI9
      2. LED2 is PI8
      3. LED3 is PF1
      4. LED4 is PF4
      5. See layout page 12 for more details
    3. Don't forget to reserve pins if needed
    4. Enter user labels for reserved pins for easy identification in the generated code
    5. Refer to the Hardware Layout Page 3 for pin layouts
  3. System Core shows which pins are configured for which function
  4. In Boot Path and Debug Authentication > Select > STiRoT > Secure Application
    1. Click on Finish and OK on the popup
    2. Note: This does not need to be done for purely NS
  5. Select Edit Config Files (Opens the TPC)

In the TPC…

  1. Select/deselect “is the firmware full secure” based on use case
    1. If both secure and nonsecure, make sure enough resources are allocated to both
  2. Generate OBKey
    1. Note: If you define your own code, you need to change the sizes and default settings to match your code size and regenerate OBKeys (our mistake before lol)
  3. Close TPC

Back in the Project Manager tab…

  1. In Boot Path and Debug Authentication > Configure
    1. Note: key may need to be regenerated but USUALLY NOT, otherwise VERY IMPORTANT to not lose the key!! (ok for this example to leave as is)
  2. Opens TPC again, then Generate OBKey
  3. Close TPC
  4. In Project Manager > Signature make sure Sign Binaries is selected
  5. Generate Code > Yes
  6. Then click “Open Project” on the popup

STM32 CubeIDE

  1. Project opened in the IDE
  2. Insert modified code into secure/non-secure main based on use case
  3. Compile code, Project > Rebuild All
    1. Note: Secure code needs to be compiled BEFORE nonsecure code!

For device provisioning…

  1. Connect the board to computer through USB_STLink connector
  2. Go to File Explorer to project path
  3. Under project name > ROT_provisioning > STiRoT > provisioning.bat
  4. Follow instructions of script up until Step 3
  5. In Step 3 > set device state (usually CLOSED)

Code should be executing on board now!

To perform a regression (to be able to modify the running application and flash again)…

Note: The board can also be fully erased, like a factory reset, in CubeProgrammer

Go to STM32CubeProgrammer

  1. Make sure the board is connected via ST-LINK
    1. If not found:
      1. Go to menu bar → Parallels Icon → Devices → USB/Bluetooth → Select STLINKV3
  2. Select the DA tab on the left (shield icon, last tab in top section)
  3. Click Discover
  4. Select "Full Regression" from the list below
    1. This only shows if the lifecycle is CLOSED
  5. Select Execute
    1. A success message should appear
  6. Don't forget to disconnect ST-LINK (it connects automatically on success)

Cloning Project from GitHub

  1. Find .project file in File Explorer and double click to open in STM32 IDE
  2. Build project
    1. If Secure -> in STiRoT, ROT provisioning find provisioning.bat and show in Explorer > double click to run
  3. Optional: FOR TROUBLESHOOTING
    1. May have paths messed up…
      1. In that case, open IOC file and update paths for firmware, regenerate code
      2. Will have to update the main.c files
      3. Then rebuild project
    2. Don’t forget to install python as well (from command line type python > ENTER, install from Microsoft store)
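
A preflight check for the provisioning step, written as an added example that is not part of this repository: it looks for the failure modes listed above (missing provisioning script, Python not installed, non-secure code built before secure code) before provisioning.bat is run. The `NonSecure` directory name, the `.bin`/`.elf` suffixes and the timestamp heuristic for build order are assumptions.

```python
import shutil
import sys
from pathlib import Path

# Paths relative to the project root. The provisioning script path and the
# Secure directory come from this README; "NonSecure" is an assumed name.
PROVISIONING_SCRIPT = Path("ROT_provisioning") / "STiRoT" / "provisioning.bat"
SECURE_DIR = Path("Secure")
NONSECURE_DIR = Path("NonSecure")  # assumption
ARTIFACT_SUFFIXES = (".bin", ".elf")  # assumption about build outputs


def newest_artifact(build_dir):
    """Return the newest build artifact mtime under build_dir, or None."""
    if not build_dir.is_dir():
        return None
    times = [p.stat().st_mtime for p in build_dir.rglob("*")
             if p.is_file() and p.suffix in ARTIFACT_SUFFIXES]
    return max(times, default=None)


def preflight(project_root, python_lookup=shutil.which):
    """Return a list of problems to fix before running provisioning.bat."""
    root = Path(project_root)
    problems = []
    if not (root / PROVISIONING_SCRIPT).is_file():
        problems.append("provisioning.bat not found: update the firmware "
                        "paths in the IOC file and regenerate code")
    if python_lookup("python") is None:
        problems.append("python is not on PATH: install it first")
    secure = newest_artifact(root / SECURE_DIR)
    nonsecure = newest_artifact(root / NONSECURE_DIR)
    if secure is None:
        problems.append("no secure build artifact: run Project > Rebuild All")
    elif nonsecure is not None and nonsecure < secure:
        # Heuristic: the non-secure image predates the last secure build.
        problems.append("non-secure build is older than the secure build: "
                        "rebuild non-secure after secure")
    return problems


if __name__ == "__main__":
    found = preflight(sys.argv[1] if len(sys.argv) > 1 else ".")
    for problem in found:
        print("FIX:", problem)
    sys.exit(1 if found else 0)
```

Run it with the project root as the only argument; an exit status of 0 means none of the checked problems were found.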

Creating a non-secure application with default Secure Manager

https://wiki.st.com/stm32mcu/wiki/Security:How_to_start_with_Secure_Manager_default_configuration_on_STM32H5
