 Hello and welcome to this presentation of the STM32L4 Firewall. It covers the main features of this system IP used to secure sensitive code and data. Here is an overview of the firewall's implementation and its benefits for customer applications. The firewall protects the access to sensitive code and data located in the flash memory or SRAM1 segments from external processes. Any attack detected by the firewall causes the MCU to reset if the firewall is enabled. The firewall monitors each access from the AHB masters to the flash memory or SRAM1 AHB slaves, then depending on the firewall configuration allows the access to the memory segment or resets the MCU if not allowed. Having part of the code and data monitored by the firewall allows users to protect their IP, meaning a third party's intellectual property of embedded software can be protected against code dumping along with any sensitive data stored in SRAM1. Each memory segment protected by the firewall is configured independently with a start address and the associated length of the segment. The three definable memory segments are the code segment, the volatile data segment, and the non-volatile data segment. The firewall is based on a call gate mechanism used to open the access to these protected segments. The call gate function is the single entry point able to open the firewall and enable access to the protected segments. To ensure sensitive, volatile data is erased before returning back to non-protected user code, the call gate mechanism specifies the exact exit point when jumping back from the protected code segment. The goal is to detect any non-expected code branches and to react by resetting the MCU. To guarantee a minimum level of protection, once the firewall is enabled, it remains active until the next MCU system reset. The firewall is based on three states to ensure a dynamic protection of the secure segments. The idle state is the default state when the firewall is not enabled. In this state, the AHB memory bus is not monitored. When enabled, the firewall enters closed state and all access to the protected segments is prohibited. The correct call gate entry sequence by non-protected executing code switches the firewall to the open state. The protected code can now be executed and access to non-volatile and volatile data segments is allowed. As soon as an instruction fetch is executed, jumping back to the non-protected code area, the firewall switches back to closed state. Once closed, all access to the secure areas except for the call gate mechanism are killed by an MCU reset. The firewall's call gate function architecture offers the best solution for building a secure entry and exit point to the protected memory areas. The call gate function is located in the protected code segment at a mandatory fixed address corresponding to the code segment start address plus four, scatter file for keel, pragma setup for IAR. The FPA bit has to be cleared immediately in the call gate in order to stop any intrusion that exits the protected code in a non-protected user area when not expected. Before leaving the protected code area in execution, it is recommended to clean and clear the context or variables data and the CPU registers before requesting the exit sequence and jumping back to the non-protected instruction. The type of access to the protected segments depends on the firewall state. When it is closed, any access to the protected area generates a system reset. When the firewall is open, some access is possible. In the code segment, flash memory, read operations and instruction fetches are allowed. In the non-volatile data segment, flash memory, read and write operations are allowed. In the volatile data segment SRAM-1, read, write and execute operations are allowed if the SRAM-1 segment is declared as shared or executable. When the firewall is disabled or closed, there is no protection. Specific constraints must be respected when enabling the firewall. Interrupts must be disabled from the call gate entry sequence until the firewall switches back to the closed state. If an interrupt service routine or ISR occurs, the firewall generates a reset. All DMA access to and from the protected segments is not allowed and is rejected by the firewall system reset. The application benefits are mainly to detect an intrusion faster during the protected code execution and to offer a very high level of protection against code dumping using the DMA. Complimenting the firewall protection, it is required to set the PC Rop or proprietary code readout protection for the protected code segment in the flash memory. Setting the PC Rop stops any code from being dumped by the debugger during the development phase by external attacks or from an IAP attack. The PC Rop protection mechanism on the STM32L4 is improved over the previous STM32F2, F4 and L1 microcontrollers. STM32L4 microcontrollers make it possible to define start and end regions and there is an option byte which allows a mass erase operation but keeps the PC Rop segment protected. In production, ST recommends setting the STM32 readout protection or RDP to level 2 which disables the JTAG link to the MCU. Setting the RDP to level 2 secures the MCU against any external attacks to the protected segments. ST also recommends enabling write protection on the reset vector and the firewall configuration to prevent any unwanted write operations to the protected areas. In addition to this training, you can refer to the STM32L4 system memory protection training for more information.