Introduction
The SBSFU (Secure Boot and Secure Firmware Update) solution allows the update of the STM32 microcontroller built-in
program with new firmware versions, adding new features and correcting potential issues. The update process is performed in a
secure way to prevent unauthorized updates and access to confidential on-device data.
The Secure Boot (made of Root of Trust services) is immutable code, always executed after a system reset.
In a single-core configuration, the Secure Boot checks STM32 static protections, activates STM32 runtime protections, and then
verifies the authenticity and integrity of the user application code before every execution, to make sure that invalid or malicious
code cannot be run.
In a dual-core configuration, the Secure Boot is made of two parts (one per core):
- Cortex®-M4 side: The Secure Boot checks static protections, checks the Cortex®-M0+ boot configuration, activates
Cortex®-M4 runtime protections and boots the Cortex®-M0+.
- Cortex®-M0+ side: The Secure Boot checks static protections, activates Cortex®-M0+ runtime protections, verifies the
authenticity and integrity of the user application code before every execution to make sure that invalid or malicious code
cannot be run, and then signals to both cores that the user applications are valid.
The Secure Firmware Update application receives the firmware image via a UART interface with the Ymodem protocol. The
Secure Firmware Update checks the authenticity of the image and the integrity of the code before installing it. The firmware update
can be performed on the complete firmware image, or only on a portion of it.
Examples can be configured to use asymmetric or symmetric cryptographic schemes with or without firmware encryption:
- to maximize firmware image size, for single-slot configuration
- to ensure safe image installation and enable over-the-air firmware update capability commonly used in IoT devices, for
dual-slot configuration
For a complex system with multiple firmware such as protocol stack, middleware, and user application, the firmware image
configuration can be extended up to three firmware images. In the applications detailed in this document, one firmware image is
used for the single-core configuration, while two firmware images are available for the dual-core configuration.
In the dual-core configuration, the secure key management services (KMS) provide cryptographic services to the user
application through the PKCS #11 APIs (key ID-based APIs), which are executed inside a protected and isolated environment.
User application keys are stored in the protected and isolated environment for their secure update: authenticity check, data
decryption, and data integrity check.
In the single-core configuration, the same services are offered, but they are not executed inside a protected and isolated
environment.
This application note describes how to adapt the STM32CubeWL SBSFU and to integrate it with the user application.
Note: In this document, the EWARM IDE (integrated development environment) is used as an example to provide
guidelines for project configuration. Secure Boot and Secure Firmware Update applications are referred to
as SBSFU. Boot and Firmware update (with only attack surface reduction) applications are referred to as
BFU.
The single-core single-slot BFU configuration is demonstrated in an example named BFU_1_Slot. The single-core dual-slot BFU
configuration is demonstrated in an example named BFU_2_Slots. The dual-core single-slot SBSFU configuration is demonstrated
in an example named SBSFU_1_Slot_DualCore. The dual-core dual-slot SBSFU configuration is demonstrated in an example
named SBSFU_2_Slots_DualCore.
Integration guide of SBSFU on STM32CubeWL (including KMS)
AN5544
Application note
AN5544 - Rev 2 - July 2021
For further information contact your local STMicroelectronics sales office.
www.st.com
1 General information
This document applies to the STM32CubeWL SBSFU, running on STM32WL Series Arm®-based
microcontrollers.
Note: Arm is a registered trademark of Arm Limited (or its subsidiaries) in the US and/or elsewhere.
The table below lists acronyms and terms that are relevant for a better understanding of this document.
Table 1. Acronyms and terms
Acronym or term Definition
AES Advanced encryption standard
BFU Boot and Firmware Update
DAP Debug access port
ECDSA Elliptic curve digital signature algorithm
GCM AES Galois/counter mode
GTZC Global security controller
HAL Hardware abstraction layer
HDP Hide protection
IDE Integrated development environment
KMS Key management services
MPU Memory protection unit
RDP Readout protection
SB Secure Boot
SE Secure Engine
SFU Secure Firmware Update
SBSFU Secure Boot and Secure Firmware Update
TZIC Security illegal access controller
TZSC Security controller
UART Universal asynchronous receiver/transmitter
WRP Write protection
Firmware image Binary image (executable) run by the device as a user application
Firmware header Bundle of meta-data describing the firmware image to be installed (contains firmware information and cryptographic information)
mbed-crypto mbed implementation of the cryptographic algorithms
sfb file Binary file packing the firmware header and the firmware image
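As an added illustration of the checks the Secure Firmware Update (before install) and the Secure Boot (before execution) perform on a header-plus-image container, here is a small model of an sfb-like file. This is example code, not code from STM32CubeWL or the SBSFU project: the header layout, the magic value and the key are hypothetical, and HMAC-SHA256 stands in for the page's AES-GCM symmetric scheme so that it runs with the Python standard library only.

```python
"""Hypothetical sfb-like container: firmware header packed in front of the image.

Header (NOT the real SBSFU header layout): magic, image size, SHA-256 of the
image, then an HMAC-SHA256 tag over the preceding header fields.
"""
import hashlib
import hmac
import struct

MAGIC = b"SFBX"                     # hypothetical container magic
KEY = bytes(range(32))              # constructed demo key, never use in a product
HDR_FMT = ">4sI32s32s"              # magic, fw_size, fw_sha256, hmac_tag
HDR_LEN = struct.calcsize(HDR_FMT)  # 72 bytes

def build_sfb(image: bytes, key: bytes = KEY) -> bytes:
    """Pack header + image, the way a build tool produces an .sfb file."""
    digest = hashlib.sha256(image).digest()
    signed = struct.pack(">4sI32s", MAGIC, len(image), digest)
    tag = hmac.new(key, signed, hashlib.sha256).digest()
    return signed + tag + image

def verify_sfb(blob: bytes, key: bytes = KEY) -> bytes:
    """Authenticity and integrity check run before install (SFU) or boot (SB).
    Returns the verified image; raises ValueError on any mismatch."""
    if len(blob) < HDR_LEN:
        raise ValueError("truncated header")
    magic, fw_size, fw_digest, tag = struct.unpack(HDR_FMT, blob[:HDR_LEN])
    if magic != MAGIC:
        raise ValueError("bad magic")
    # 1. Authenticity: no header field is trusted until the tag verifies.
    expected = hmac.new(key, blob[:HDR_LEN - 32], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("header authentication failed")
    image = blob[HDR_LEN:]
    # 2. Integrity: size and digest of the image must match the authenticated header.
    if len(image) != fw_size:
        raise ValueError("image size mismatch")
    if not hmac.compare_digest(hashlib.sha256(image).digest(), fw_digest):
        raise ValueError("image digest mismatch")
    return image

def install_decision(blob: bytes) -> str:
    """What the installer does with a received container: accept or reject."""
    try:
        verify_sfb(blob)
        return "accepted"
    except ValueError as exc:
        return f"rejected: {exc}"
```

A flipped bit in the image is caught by the digest check, while a modified header field fails the tag check first, so a header cannot be edited to match a tampered image without the key.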
Reference documents
User manual Getting started with STM32CubeWL for STM32WL Series (UM2643)
User manual Getting started with the SBSFU of STM32CubeWL (UM2767)
User manual STM32CubeProgrammer software description (UM2237)
STM32 Cortex-M4 MCUs and MPUs programming manual (PM0214)
Cortex-M0+ programming manual for STM32L0, STM32G0, STM32WL and STM32WB Series (PM0223)