Hello and welcome to this presentation that details the TFM offer in STM32U5. Cryptography ensures integrity, authentication and confidentiality. However, the use of cryptography alone is not enough. A set of measures and a system-level strategy are needed to protect critical operations, sensitive data such as a secret key, and the execution flow in order to resist possible attacks. The Secure Boot and Secure Firmware Update, or SBSFU, solution based on Trusted Firmware for Cortex-M, or TFM, provides a modular and configurable framework whose security concepts are described hereafter. Three protected and isolated domains are created: Secure Privileged to execute PSA Immutable RoT code using its associated secrets and to use Secure Privileged STM32U5 peripherals (this domain is hidden once the execution of the Immutable PSA RoT code is complete); Secure Privileged to execute PSA Updateable RoT code using its associated secrets and to use Secure Privileged STM32U5 peripherals; and Secure Unprivileged to execute the Application Updateable RoT with its associated secrets and to use Secure Unprivileged STM32U5 peripherals. The execution surface is limited according to the application state: from product reset until the installed application is verified, only TFM-SBSFU boot code execution is allowed; once the installed application has been verified, execution of the application code, both the secure part and the non-secure part, is allowed. The STM32U5 also features protection against software and physical attacks. The TFM implementation in the STM32CubeU5 firmware is based on the Arm TFM reference implementation. This figure, a top-level view, summarizes all the TFM components described in the previous section. The STM32CubeU5 package proposes two applications: the TFM application with full TFM services, and the SBSFU application with only the secure boot and secure firmware update services of the Arm TFM.
In this figure, a Tera Term or HyperTerminal terminal is used to interface with a toolset to configure the example, run it and display the execution results. Examples and help are available in the UM2851 user manual entitled Getting Started with STM32CubeU5 TFM application. This figure details the secure functions of TFM and the hardware security IPs integrated into the STM32U5 devices to reinforce the protection mechanisms against outer and inner attacks. TFM is an open-source software framework driven by Arm Limited that provides a reference implementation of the PSA standard on the Arm Cortex-M33 processor. The PSA Immutable Root of Trust, or RoT, is an immutable secure boot and secure firmware update application executed after any reset. The PSA Updateable RoT is a secure application implementing a set of secure services isolated in the secure/privileged environment that can be called by the non-secure application at non-secure application runtime via the following PSA APIs: secure storage service, internal trusted storage service, cryptography service and initial attestation service. The Application Updateable RoT consists of third-party secure services that are isolated in the secure/unprivileged environment and that can be called by the non-secure application at non-secure application runtime. The right-hand side of the figure details the security hardware IPs involved in the various secure functions. This slide describes the mechanisms used to protect against outer attacks triggered by tools such as debuggers and probes. The Device Lifecycle feature is based on Read Protection Level 2 to achieve the highest protection level. Read Protection Level 2 with the OEM2 password capability is used to ensure that the JTAG debugger cannot access the device except to inject the OEM2 password. In RDP Level 2, when the OEM2 password is injected on the JTAG port, the RDP level is regressed to Level 1.
The OEM2 password must first have been provisioned while the RDP level is 0. The Boot Lock feature is based on the BOOT_LOCK option byte, used to fix the entry point to a memory location defined by the option byte. In the TFM application example, the boot entry point after reset is fixed to the TFM-SBSFU boot code. SRAM2 is automatically protected against intrusion once the system is configured in RDP Level 1: the SRAM2 content is erased as soon as an intrusion is detected. Moreover, the SRAM2 content can be write protected until the next reset by activating a lock bit. In the TFM application example, the system has been configured to use the protected SRAM2 to share and freeze the initial attestation information between the TFM-SBSFU boot application and the secure application. The anti-tamper protection is used to protect sensitive data from physical attacks. It is activated at the start of TFM-SBSFU boot and remains active during the TFM_Appli and TFM_Loader applications. If tampering is detected, sensitive data in SRAM2, caches and cryptographic peripherals are immediately erased and a reboot is forced. Both external active tamper pins and internal tamper events are used. Other STM32U5 peripherals could be used to protect the product against outer attacks, but the current TFM example does not use them. The debug protection consists in disabling the debug access port, or DAP. Once disabled, the JTAG pins are no longer connected to the STM32U5 internal bus. DAP is automatically disabled with RDP Level 2. The independent watchdog, or IWDG, is a free-running down counter. Once running, it cannot be stopped; it must be serviced periodically, otherwise it causes a reset. This mechanism could be used to control the TFM-SBSFU boot execution duration. Inner attacks refer to attacks triggered by code running in the STM32. They may be due either to malicious firmware exploiting bugs or security breaches, or to unwanted operations. TFM provides the following protections against inner attacks.
Arm TrustZone enables two execution environments, secure and non-secure, with a strict isolation between them. The MPU is used to make an embedded system more robust by splitting the memory map for flash and SRAMs into regions with their own privileged access permissions. The SAU assigns security attributes to address ranges. The GTZC is a firewall that checks the secure and privileged attributes of transactions targeting peripherals and memories. Write protection is used to protect trusted code from external attacks or even internal modifications such as unwanted write or erase operations on critical code or data. With hide protection (HDP), the code executed in the HDP area, with its associated data and keys, can be hidden after boot until the next system reset. Two different examples are provided in the STM32CubeU5 MCU package: the TFM application is a complete implementation of TFM, and a second application implementing only the secure boot and secure firmware update functionalities of TFM, named STM32CubeU5 SBSFU, is also available. The table indicates the main features of the secure boot and secure firmware update application. The STM32CubeU5 TFM application relies on a flash memory layout defining different regions. The flash memory layout depends on the slot mode, the number of images, the image upgrade strategy and the local loader activation. The default configuration of these features in the TFM application is the following: slot mode, primary and secondary slots; image number mode, two images; image upgrade strategy, overwrite-only mode; local loader, Y-MODEM. Each region has a specific usage. BL2 NVCNT region: to get non-volatile information about the latest installed secure and non-secure image versions. Scratch region: used by TFM-SBSFU boot to temporarily store image data during the image swap process. Integrator personalized data region: to personalize integrator-specific or STM32U5-specific TFM data. TFM-SBSFU boot binary region: to program the TFM-SBSFU boot code binary.
NV counter region: where the secure application manages the non-volatile counters used by the SST services. SST area region: where the encrypted data of the secure storage service are stored. ITS area region: where the data of the internal trusted storage service are stored in the clear. Secure image primary slot region: for programming the secure image of the active firmware. Non-secure image primary slot region: for programming the non-secure image of the active firmware. Secure image secondary slot region: for programming the secure image of the new firmware. Non-secure image secondary slot region: for programming the non-secure image of the new firmware. Non-secure local loader region: for programming the TFM loader non-secure code binary. Secure local loader region: for programming the TFM loader secure code binary. During the execution of TFM-SBSFU boot, the TFM-SBSFU boot code area is the only flash memory area that is allowed to be executed, together with the immutable local loader. This figure highlights the protection features per TFM region. The local loader and firmware download areas, as well as the non-secure application region, are marked as non-secure and privileged. The remaining part of the flash is secure and privileged. The local loader and TFM-SBSFU boot program areas, as well as the integrator personalized data area, are write protected. The local loader and the TFM-SBSFU boot are the only regions for which execution is allowed. When exiting the TFM-SBSFU boot application to the secure application, all flash memory areas dedicated to the execution of TFM-SBSFU boot are hidden, and execution is allowed in the secure and non-secure primary slot areas. Detailed protection schemes covering all execution and transition cases can be found in UM2851. The mechanisms for updating firmware images depend on the number of images, the image upgrade strategy and the configuration of the slot mode. The procedure is described here based on the default configuration.
It describes the procedure for downloading and installing new firmware in overwrite mode, with the configuration of two firmware images and the configuration of the primary and secondary slots. The loader downloads encrypted images, which are decrypted and authenticated before being programmed in the clear in the corresponding slot area. The BL2 NVCNT region stores the data used to manage firmware version information for the anti-rollback feature. Thank you for attending this presentation. You can now refer to the presentations that detail the operation of the TFM, the TFM flash memory footprint and TFM pointers.
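The update decision flow described above (overwrite-only mode, two images, primary and secondary slots, anti-rollback from the BL2 NVCNT region) as an added Python model; it is not part of this presentation or of the STM32CubeU5 package. The HMAC-based authenticate() is a stand-in for the real signature check, and the key, version numbers and image contents are constructed.

```python
import hashlib
import hmac

# Constructed key standing in for the image authentication key of TFM-SBSFU boot
# (assumption: the real boot verifies a signature; an HMAC keeps the model short).
AUTH_KEY = b"constructed-demo-key"


def _tag(image_id, version, payload):
    return hmac.new(AUTH_KEY, f"{image_id}:{version}:".encode() + payload,
                    hashlib.sha256).digest()


def make_image(image_id, version, payload):
    """Constructed image: header fields plus an authentication tag covering them."""
    return {"id": image_id, "version": version, "payload": payload,
            "tag": _tag(image_id, version, payload)}


def authenticate(image):
    """Constant-time check that header and payload were not modified."""
    expected = _tag(image["id"], image["version"], image["payload"])
    return hmac.compare_digest(expected, image["tag"])


def sbsfu_boot(flash, nv_counters):
    """One boot in overwrite-only mode with two images and primary/secondary slots.
    flash:       {"secure": {"primary": img, "secondary": img or None}, "non_secure": {...}}
    nv_counters: model of the BL2 NVCNT region, latest installed version per image
    Returns {image_id: decision}; flash and nv_counters are updated in place.
    """
    decisions = {}
    for image_id, slots in flash.items():
        candidate = slots["secondary"]
        if candidate is None:
            decisions[image_id] = "no update"
        else:
            slots["secondary"] = None  # in this model the secondary slot is consumed either way
            if candidate["id"] != image_id or not authenticate(candidate):
                decisions[image_id] = "update rejected: authentication failed"
            elif candidate["version"] < nv_counters[image_id]:
                decisions[image_id] = "update rejected: anti-rollback"
            else:
                slots["primary"] = candidate  # overwrite-only: no swap, no revert
                decisions[image_id] = f"installed v{candidate['version']}"
        # The installed image is verified again before execution is allowed,
        # and the NV counter only ever moves forward.
        primary = slots["primary"]
        if authenticate(primary) and primary["version"] >= nv_counters[image_id]:
            nv_counters[image_id] = primary["version"]
        else:
            decisions[image_id] += "; primary invalid, execution refused"
    return decisions
```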