1 Awareness of MCU security needs to be cultivated
The security issues facing IoT devices today differ from those of the past, so ST has stepped up its investment in security. Around 2015, ST placed its security chips and its MCU (microcontroller) platform under one large department, because by then it was clear that hackers were no longer only attacking high-security applications such as bank cards and ID cards, but had gradually moved on to consumer products. Four or five years ago, for example, smart speakers and smart video devices in smart homes were breached. Many customers gradually realised that a security risk could paralyse an entire network, and some manufacturers were even held to ransom by hackers.
Traditional MCUs already have certain security capabilities. Unfortunately, many embedded developers pay little attention to security issues, or lack the knowledge and capability to improve security. Therefore, over the past four or five years, ST has gradually cultivated this segment of the market and educated its customers.
As IoT devices become more widespread and more fragmented, nobody knows which weakest link hackers will enter through, so improving the security of the MCU itself is particularly important.
2 How does the STM32WL LoRa wireless system chip ensure security
At the end of 2020, ST launched the STM32WL LoRa wireless system-on-chip series for the mass market. Among them, the WL5 uses a dual-core design: alongside the M4 core, an M0+ core is added. The advantage is that the device can be upgraded within the same system, which is of great help to customers making security upgrades; in addition, advanced security features have been added.
Figure 1 Security and protection of STM32WL
Specifically, STM32WL is an upgrade of the traditional STM32 platform. The existing STM32 already has appropriate security protection, as shown in Figure 1: the black text describes the security facilities available on the existing STM32 product lines, such as power monitoring, flash memory protection, clock security, intrusion (tamper) monitoring and software IP protection, all of which are functions the existing STM32 supports.
On this basis, the dual-core design provides higher security features, including hardware isolation between the M4 and M0+ cores, secure boot code protection, and so on. By adding these more secure dual-core hardware versions, ST's customer base can upgrade quickly from existing platforms, and developers are led to embed security concepts into the design framework of their products early on.
For developers, the dual-core parts emphasise four key features: data encryption, secure download, firmware protection and authentication. ST selected these four main security features from its interactions with developers on product security design and development over the past ten years, and considers them the main keys to solving developers' pain points.
1) Data encryption
Data encryption is supported by the Key Management Services (KMS) system, which means that a dedicated secure domain in the chip stores keys, manages their use by the different applications in the system and handles access privileges. Traditional general-purpose MCUs had no such function.
2) Firmware IP protection
Many users in our customer base develop firmware that executes applications on the chip, and many of them are very worried that the IP in their products and firmware will be stolen or broken by hackers. Therefore, the WL5 has a secure boot (root of trust) that lets them use and protect their firmware with confidence. There are specific domains in which applications can only be executed after they have been authenticated in firmware memory.
3) Secure firmware installation and update
Over a device's operating life, more and more IoT devices will have ongoing upgrade requirements; that is, users may need to update code and firmware in the field, which is very difficult in the current environment as well as time-consuming, labour-intensive and resource-intensive. Once many devices have been deployed, it is hard to upgrade their firmware, which makes the entire ecosystem harder to maintain.
To this end, the WL5 has two features: ① embedded Secure Firmware Installation (SFI); ② Secure Boot and Secure Firmware Update (SBSFU), which builds on this to give a definable field update and can perform a secure platform upgrade. In addition to these two pieces of firmware, ST also provides reference code so that users can adopt them more quickly and implement this function more easily.
These foundations must be built on a strong security cipher and encryption module. For example, ST has a relatively strong hardware cryptographic co-processor that can add digital signatures and ensure that the existing MCU can deliver encryption functions and capabilities even with limited resources.
The most important existing customers already know about Secure Boot and Chain of Trust from doing firmware upgrades in application development. The idea of a chain of trust is not new, but it has only been implemented on MCUs for a few years. There needs to be a mechanism on the chip that forces it to perform a secure boot at the start of execution or at reset. Under the secure boot mechanism, the chip first checks by itself whether registers or peripherals on the chip have been tampered with. Having done that, the second step verifies whether the application is legitimate and allowed to run. If everything is normal, the application can then be started in a specific domain, which greatly reduces damage or errors and denies hackers the opportunity to intercept or crash the entire system. The root of trust is therefore an extremely important link in the security concept, and ST is continuously educating developers and engineers so that they improve their security thinking faster.
Thanks to ST's dual-core push, these applications, such as SFI, SBSFU and KMS, can deliver their advantages while maintaining maximum flexibility. Functions that were previously impossible or difficult, or that required high cost and skill to implement, are now more convenient and easier for developers to implement.
The following five points are very important for any IoT device: ① developers need the flexibility to implement different levels of security, because the data protected by different devices differs in sensitivity, and it makes no sense to spend a lot of money protecting data that only needs very basic security functions; ② regarding IP protection, as more and more developers implement different functions and performance in their middleware or firmware, protecting that IP becomes very important, so there needs to be a better way to protect their intellectual property. The remaining three concern upgrades related to the device's reproducibility, attackability and reliability, which are functions that future IoT devices must have. These will be refined and made easy to provide to developers.
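The boot sequence just described (authenticate the image first, only then trust its header and start it) and the field-update decision of SBSFU, as an added simplified Python model. This is not ST's SBSFU code: the image layout, the HMAC tag standing in for the hardware-backed signature check, the demo key and the anti-rollback policy are all constructed assumptions.

```python
# Added example (not ST's SBSFU code): a simplified model of the secure-boot /
# chain-of-trust check described above. The image layout, the HMAC tag standing
# in for the hardware-backed signature check, and the key are all constructed.
import hashlib
import hmac
import struct

MAGIC = b"FWIM"                   # constructed image marker
HEADER = struct.Struct("<4sII")   # magic, firmware version, payload length
TAG_LEN = 32                      # HMAC-SHA256 tag appended after the payload

# Stand-in for a key kept in the chip's secure domain (KMS); constructed value.
ROOT_KEY = hashlib.sha256(b"constructed-demo-root-key").digest()


def build_image(version, payload, key=ROOT_KEY):
    """Pack header + payload and append a tag over both (what a signing tool does)."""
    header = HEADER.pack(MAGIC, version, len(payload))
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


def verify_image(image, min_version, key=ROOT_KEY):
    """Boot-time checks, returning (ok, reason). Only parsing checks precede
    authentication; the version field is used only after the tag verifies."""
    if len(image) < HEADER.size + TAG_LEN:
        return False, "truncated image"
    header = image[:HEADER.size]
    magic, version, length = HEADER.unpack(header)
    if magic != MAGIC:
        return False, "bad magic"
    if len(image) != HEADER.size + length + TAG_LEN:
        return False, "length mismatch"
    payload = image[HEADER.size:HEADER.size + length]
    tag = image[HEADER.size + length:]
    expected = hmac.new(key, header + payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return False, "authentication failed"
    if version < min_version:                    # anti-rollback (assumed policy)
        return False, "rollback rejected"
    return True, "ok"


def accept_update(candidate, installed_version, key=ROOT_KEY):
    """Field-update decision: install only an authentic image newer than the running one."""
    ok, reason = verify_image(candidate, installed_version + 1, key)
    if not ok:
        return installed_version, reason
    return HEADER.unpack(candidate[:HEADER.size])[1], "installed"
```

A real implementation would replace the HMAC with the signature check done by the hardware crypto co-processor, so that the verification key held on the device cannot be used to forge images.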
3 Security management of MCU life cycle
Across the whole chip development process, the security life cycle covers chip design, tape-out, testing, and the test tools used after the chip is handed to developers. If the chip is attacked, it will reset, or to some extent the flash memory will be reset and all the code erased; this is what ST MCUs can handle at the moment.
In the later life cycle, the heaviest link is self-destruction. Secure chips can have this functionality, but traditional MCUs do not yet have anything similar; it is up to developers to build this into their R&D or life-cycle management.
4 There are many ways to achieve security
Since Arm TrustZone is so good, why doesn't the STM32WL LoRa wireless system chip use TrustZone?
In fact, the concept of TrustZone was first proposed by Arm; it is the idea of implementing the most basic code isolation, or security isolation, for security functions. Over the past ten years TrustZone has been adopted in different security chips. The Cortex-M cores used in STM32 general-purpose MCUs, however, do not have TrustZone. Therefore, if you want to achieve something similar to TrustZone on this Cortex-M basis, with the hardware physically isolated, another method has to be adopted: implanting the concept of TrustZone (not TrustZone itself) into the traditional general-purpose MCU through a dual-core design.
It can be seen that there are many ways to achieve security, and TrustZone is just one of them. There are also firewalls, Proprietary Code Read-Out Protection (PCROP), a single boot entry point (BootLock), user secure storage areas, and so on. The STM32 has a range of security-related hardware; combined with dual cores, and on non-dual-core parts that also have such functions, it can achieve or meet the security level the customer requires.
Responsible editor: tzh