Hello and welcome to this presentation of the OTFDEC (on-the-fly decryption engine) which is included in STM32L562 microcontrollers. The original purpose of the OTFDEC is to protect the confidentiality of read-only firmware libraries stored in external SPI NOR flash devices. The OTFDEC performs on-the-fly decryption using OctoSPI memory-mapped read operations. Any read access size, down to the byte, is supported. The OTFDEC is located between the Memory Protection Controller Watermark, or MPCWM1, which is the part of the GTZC in charge of defining non-secure areas in the external memory, and the OctoSPI1 that controls the access to an external serial flash. The Advanced Encryption Standard, AES, with a 128-bit key in counter mode is implemented to achieve the lowest possible latency. As a consequence, each time the content of one encrypted region is changed, the entire region must be re-encrypted with a different cryptographic context, key or initialization vector. Up to four independent regions can be defined, each with their own 128-bit key and initialization vector information. A locking mechanism prevents any further reconfiguration of region parameters.

The purpose of the OTFDEC peripheral is to protect the user code and data that are stored in the external serial flash memory. If the image is stored unencrypted, it is easy to read it, either by desoldering the flash device and resoldering it on another board, or by spying on the traffic on the SPI bus using a logic analyzer or an oscilloscope. Consequently, the image stored in the flash memory should be encrypted, then decrypted on the fly during runtime reads. The latency caused by the decryption should be minimized. The OTFDEC has been designed to tackle these objectives. The OTFDEC is a new IP implemented in the STM32L562, able to decrypt with low latency code and data stored within an external flash. It also supports an encryption mode. The encryption process must follow the sequence described in the reference manual.
When encryption mode is selected, on-the-fly flash decryption for all regions is deactivated. Since the decryption is done internally by the microcontroller, the data transferred over the OctoSPI bus is encrypted. This is a countermeasure against flash unsoldering and bus spying. The OTFDEC is a companion IP of the OctoSPI peripheral. It intercepts any data read or write and instruction fetch that targets the external flash. Decryption is transparent to the Cortex-M33 core: the data and instructions that the processor receives have been decrypted in hardware by the OTFDEC.

The OTFDEC protects the confidentiality of external read-only code and read-only data-plus-code areas. They are decrypted on the fly. Four independent and non-overlapping encrypted regions can be defined. The AES 128-bit cipher in counter mode is used to achieve the lowest possible latency. The minimum access granularity is 8 bits. Each region is defined by a 128-bit secret key and its public 8-bit CRC. The initialization vector of each region is built by the OTFDEC using 64-bit application information and a 16-bit library version. The user can define this information as the public diversification data. The OTFDEC has a unique AHB slave interface used to access the control and status registers and also to transfer the data to encrypt and decrypt.

For each region, the operating mode has to be selected. If the region contains both code and data, the MODE field of the region configuration register has to be set to the binary value 10. The standard AES encryption algorithm is used, hence the encryption process can be embedded in code generation tools or in application firmware for runtime encryption. If the region only contains instructions, the MODE field of the region configuration register can be set to the binary value 11. In this case, an additional layer of protection is added on top of the standard AES encryption algorithm, hence the encryption process cannot be embedded in software tools.
The OTFDEC must be used to perform the encryption. The configuration of each region can be independently locked to prevent any further modification. Both the 128-bit key and the configuration parameters can be locked. All key registers are write-only and are automatically erased in case of an intrusion detected by tampers, a readout protection regression or a MODE field change. The OTFDEC is a TrustZone-aware peripheral. All writes to its registers must be secure when security is activated in the product, that is when TZEN equals 1. When the PRIV bit is set in OTFDEC_PRIVCFGR, only privileged accesses are granted when accessing most OTFDEC registers.

The principle of the OTFDEC is to analyse all AHB read transfers on the associated AHB bus. If the read request is within one of the four regions programmed in the OTFDEC, the control logic triggers a keystream computation based on the AES algorithm in counter mode. The keystream is then used to decrypt on the fly the data present in the read transfer from the OctoSPI AHB master, holding the AHB HREADYOUT signal of this master low while the keystream information is being computed; this takes up to 11 cycles. Any access outside the enabled OTFDEC regions belongs to a non-encrypted region. As the OTFDEC is used in conjunction with the OctoSPI, it is mandatory to access the flash memory using the memory-mapped mode of the flash controller. In the region configuration register, the MODE bits define the OTFDEC operating mode, standard or enhanced encryption. The OTFDEC can also be used to encrypt data using either the standard AES algorithm or the enhanced encryption algorithm. A tamper detection, an RDP regression or a MODE bits change automatically erases the keys. The OTFDEC can assert an interrupt to the NVIC for three possible causes: security error, key error, and execute-only or execute-while-encryption error. Each of these causes has a dedicated flag and interrupt enable bit. The cipher data is stored in RAM.
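The counter-mode behaviour described above (a keystream that depends only on the region's key, its public diversification data and the address being read, which is what allows byte-granular random reads, and which is also why a modified region must be re-encrypted under a new context) can be reproduced in software. The following Go program is an added example written for this page; it is not ST's code and not the OTFDEC hardware algorithm. In particular, the counter layout it uses (nonce, then version, then block index) and the region addresses and key are constructed assumptions for illustration only; the real initialization vector construction is specified in the reference manual.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

// Region models one encrypted region in the style of the OTFDEC: a 128-bit key,
// the public diversification data (64-bit nonce and 16-bit version) and the
// address range it covers. Everything outside the range is a non-encrypted region.
type Region struct {
	Key     [16]byte
	Nonce   uint64
	Version uint16
	Start   uint32 // inclusive
	End     uint32 // inclusive
}

const blockSize = 16

// Contains reports whether addr lies inside the region.
func (r Region) Contains(addr uint32) bool { return addr >= r.Start && addr <= r.End }

// counterBlock builds the 128-bit counter for the 16-byte block holding addr.
// ASSUMED layout: nonce || version || zero pad || block index. Only the
// block-aligned address enters the counter, so the keystream for any byte is a
// pure function of (key, nonce, version, address): no chaining, no latency
// beyond one AES block, and any read size at any offset is possible.
func (r Region) counterBlock(addr uint32) [16]byte {
	var ctr [16]byte
	binary.BigEndian.PutUint64(ctr[0:8], r.Nonce)
	binary.BigEndian.PutUint16(ctr[8:10], r.Version)
	binary.BigEndian.PutUint32(ctr[12:16], (addr-r.Start)/blockSize)
	return ctr
}

// Xor applies the region keystream to buf, which is assumed to start at addr.
// In counter mode encryption and decryption are the same XOR; bytes outside the
// region pass through untouched, like a non-encrypted region in the hardware.
func (r Region) Xor(addr uint32, buf []byte) []byte {
	blk, err := aes.NewCipher(r.Key[:])
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(buf))
	for i, b := range buf {
		a := addr + uint32(i)
		if !r.Contains(a) {
			out[i] = b
			continue
		}
		out[i] = b ^ keystreamByte(blk, r, a)
	}
	return out
}

// keystreamByte computes the keystream block for the address and picks the byte
// within it (equivalent to what the hardware does per read transfer).
func keystreamByte(blk cipher.Block, r Region, addr uint32) byte {
	ctr := r.counterBlock(addr)
	var ks [16]byte
	blk.Encrypt(ks[:], ctr[:])
	return ks[(addr-r.Start)%blockSize]
}

// demoRegion returns a constructed region with a fixed, non-secret key.
func demoRegion(version uint16) Region {
	var key [16]byte
	for i := range key {
		key[i] = byte(0x10 + i) // constructed illustrative key, never a real one
	}
	return Region{Key: key, Nonce: 0x0123456789ABCDEF, Version: version,
		Start: 0x90000000, End: 0x9000FFFF}
}

// RandomAccessMatches encrypts a constructed 48-byte image at the region base,
// then decrypts a 7-byte slice starting mid-block, as a memory-mapped read would.
func RandomAccessMatches() bool {
	r := demoRegion(1)
	plain := []byte("constructed firmware library image bytes 0123456")
	enc := r.Xor(r.Start, plain)
	off := uint32(13)
	got := r.Xor(r.Start+off, enc[off:off+7])
	return bytes.Equal(got, plain[off:off+7])
}

// SameContextLeaks shows why a changed region must be re-encrypted under a new
// context: with the same key, nonce and version, the XOR of old and new
// ciphertext equals the XOR of old and new plaintext, so the update leaks.
func SameContextLeaks() bool {
	r := demoRegion(1)
	oldP, newP := []byte("version one of the library code."), []byte("version two of the library code.")
	return bytes.Equal(xorBytes(r.Xor(r.Start, oldP), r.Xor(r.Start, newP)), xorBytes(oldP, newP))
}

// BumpedVersionHides repeats the experiment with the 16-bit version changed for
// the new image: the ciphertext XOR no longer equals the plaintext XOR.
func BumpedVersionHides() bool {
	oldR, newR := demoRegion(1), demoRegion(2)
	oldP, newP := []byte("version one of the library code."), []byte("version two of the library code.")
	return !bytes.Equal(xorBytes(oldR.Xor(oldR.Start, oldP), newR.Xor(newR.Start, newP)), xorBytes(oldP, newP))
}

func xorBytes(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

func main() {
	fmt.Println("random access decrypts correctly:", RandomAccessMatches())
	fmt.Println("same context leaks plaintext XOR:", SameContextLeaks())
	fmt.Println("new version hides it:          ", BumpedVersionHides())
}
```

The three checks correspond to three statements in the narration: byte-granular reads work because each keystream byte is addressable independently; re-using a key and initialization vector on modified content is unsafe; and changing the public 16-bit version (or the key or nonce) before re-encrypting removes that relation.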
This slide describes the sequence used to encrypt the contents of a memory buffer. It has to be implemented in secure code when TrustZone is enabled. The user firmware is responsible for external flash programming. The user firmware is in charge of the following initializations during the boot sequence: loading the keys into the OTFDEC key registers for each OTFDEC region; loading the nonce, version, start address and end address information for each OTFDEC region; setting the REGEN bits; and locking the OTFDEC configuration above, which is recommended. Then on-the-fly decryption is ready. The user firmware must be secure if security is activated on the product, that is when TZEN equals 1.

Secure Firmware Install, or SFI, is a global solution for the STM32L5 series of microcontrollers, allowing secure and counted installation of OEM firmware in an untrusted production environment, such as an OEM contract manufacturer. OEM firmware protected by SFI can be stored in the device's embedded flash, or encrypted in an external flash connected via OctoSPI. When the external flash memory is targeted by SFI, the OEM firmware code must be encrypted with an external firmware and data AES key. This key can be common to all devices; in this case, tools can perform the encryption if the OTFDEC mode equals 10. Or it can be unique per device; in this case, the firmware is encrypted inside the device, which is mandatory if the OTFDEC mode equals 11. Encryption on-chip using the OTFDEC is illustrated on the following slide. For more information, please refer to application note AN4992 on secure firmware install solutions.

This slide represents the sequence where the STM32 secure bootloader handles both internal firmware installation and external firmware installation with a global external flash memory AES key and the help of an external flash memory loader. The numbered steps are represented on the schematic.
First step: create an SFI image using STM32 Trusted Package Creator, or TPC, with the internal firmware and data (including the external flash memory drivers), the external firmware and data AES key, and the external firmware and data. Second step: perform the internal flash memory programming as described in the STM32L5 RSS training. Third step: perform the external firmware and data AES key programming in the OTFDEC peripheral. As an alternative to what is drawn on the slide, this key can be managed locally on the device, not globally in the flashing tools. Fourth step: perform the external flash memory chunk encryption. Fifth step: perform the external flash memory programming by the user's firmware. Afterwards, during each secure boot, the secure internal firmware first writes the AES firmware and data keys into the OTFDEC key registers, then activates the OTFDEC region tied to those keys. At this point, the CPU can seamlessly read or fetch data or code from the external flash memory once the OctoSPI driver has been initialized.

The OTFDEC is a TrustZone-aware peripheral. When TrustZone is disabled, only the privileged attribute is relevant. By setting the PRIV bit in the privileged configuration register, OTFDEC_PRIVCFGR, unprivileged reads return zero and unprivileged writes are ignored. When TrustZone is enabled, non-secure write accesses to OTFDEC registers are discarded. Consequently, when TrustZone is enabled, OTFDEC regions can only be programmed by secure applications. The privileged attribute can also be set when TrustZone is enabled.

The OTFDEC has three interrupt sources. The security error is raised when an attempt to read the key registers is detected, when an attempt to write the keys is made while the key lock bit is set, or when an attempt to reconfigure a region is made while the configuration lock bit is set. When enhanced encryption is selected, that is when MODE equals 11, the execute-only error is raised when a read access to an execute-only region is attempted.
When encryption mode is selected, that is when ENC equals 1, the execute-while-encryption error is raised when code is fetched from any protected region. The key error is raised when a read request is attempted to a region whose key registers are null or not properly programmed, that is when KEYCRC equals zero. A key error can happen due to an incorrect key register writing sequence. It can also occur in case of an intrusion detected by tampers, a readout protection regression or a MODE field change.

The OTFDEC is active in Run, Sleep, Low-power run and Low-power sleep modes. An OTFDEC interrupt can cause the device to exit Sleep or Low-power sleep mode. In Stop 0, Stop 1 or Stop 2 mode, the OTFDEC is frozen and its register contents are maintained. In Standby or Shutdown mode, the OTFDEC is powered down and it must be reinitialized afterwards.

The OTFDEC module has relationships with the following other modules: the Global TrustZone Controller, the OctoSPI interface, the Nested Vectored Interrupt Controller, memory protection, and Root Security Services with SFI information. For more details on SFI, please refer to application note AN4992, an overview of secure firmware install.