 MPU Unzoned. Puppos will protect the data array thanks to MPU, then access this data with a DMA. And this way we can work around the MPU protection. For the first step, we will start from the HL example that is delivered in the GZO Cubemix firmware package and we will experiment it and try to understand how it is configured. In the second step, we will modify and we will add a DMA memory to memory to get access to this protected data. So let's switch to STM32 Cubemix IDEA. First, I will open my project. So I will open from a file system or import it. It should be the same. Here from the directory, I will select this one. So the STM32 Cubemix firmware GZO, the current version is 1.3.0 In the project, I will use a Nucleo GZO71. We've got an example, Cortex, Cortex underscore MPU and I selected the SSC version which will be converted. Here I need to import this one. Just finish. Yes, I want the conversion to Cubemix IDEA and it was converted without problem. Let's first have a look in the RINMI.txt file. If you are not familiar with the example delivered with our Cubemix firmware, each example has a RINMI which describes exactly what you want to do. So here we want to generate the MPU memory fold access when we access to a privileged read-only array. All the information will be in the STM32 MPU.c. How to use it? We just need to compile and to run the example. First, let's compile. When I'm preparing this MOOC, in fact, I discovered that there is an error in the file delivered. The linking script is not correct. So let's see what is not okay. The main will have a defined access permission to activate, I would say, the reconfiguration of the MPU. I share it in it. System clock config, quite useful. Then we've got the MPU config and the MPU access path config. If we go to this definition, we are in the STM32 underscore MPU.c. So here would be a default configuration for our platform. So as you can see, the first region we define is a RAM region, 256 kilobyte, and it will be a read-write region. Then we configure the flash region, 1 megabyte read-write region, so without any restriction on execution. And then we configure the peripheral region, 512 megabytes read-write and execute-never region. So I would say this is the normal MPU for the platform. Now we've got the access-perm config. Here we will configure just the access for just one region. So what is this region? As you can see, it is in RAM. Here you've got the address, a resize, and we try to protect this array. So this array is defined also at the top of this file. Let's have a look. So the address of this array should be this one. And here we just talk about this read-only array section. So this section should be defined in the liquor file. And if you look in it, you will see that it's missing. Okay, so I hope it will correct it quickly in the next version. But for the moment, please check in your code if it's available or not. And if it's not, I propose to do it by ourselves now. So first we will define the region of the RAM where we are interested in. Okay, so it's a memory array origin. I put exactly the same address in the code and the length will be 64. That's enough. And then we need to define the section. So I propose to do it at the end. Just here for example. In this section, I put everything that's coming from the root section in the memory array. So exactly the same one thing that before. You should have exactly the same rolling for this one and this one. Okay, that way you are sure that the privilege read-only array is located at this address. Okay, so let's save it. Let compile it again. And let's check on our target. So now if I compile, compilation is okay. Let's stay back and see if it works. Though by default it should be okay. I haven't switched to debug. Okay, I've got an issue. Let's remove everything. Terminate and remove. And I will launch it again. Sorry about this. I will plug and plug my board. Okay, this time initialization was okay. So what I propose, step by step. Let's go in the MPU config. Here the MPU is disabled first. Then we will configure. So due to some optimization, we've got some strength jump. But finally we will execute the configuration region zero for the RAM. Then for the flash, and then we've got the peripheral region. Then we enable MPU. So here the protection is now activated. Okay, but we are still in privilege mode. We haven't switched from privilege mode to and privilege. So here we can add some region or reconfigure the MPU. So here we will define a new region. So we'll disable first. We will configure a new region that will not error the previous configuration because we have chosen another region. So the resize. So it can be read only if you are privileged. So this array could be read. So here we should not have any error. That will be the case. And here what will we do? We will uncomment this write access. And if it's failed. Okay, so here everything is okay. It's working fine. So now I propose to uncomment this write access. And let's see if it's failed. So here I just terminate and reload. It will ask me if I want to save my modification. We will compile it and debug it again. So here MPU config, I will step in this one. Let's stop just on this access. Then read only for the moment is fully empty. If I try to write what happened, I've got a hard fault. Okay, so the MPU doesn't allow the call to do a write access to this region. So I would say basically we have seen this configuration of the MPU on what happened when there is some issue. So what I propose now is to add a GME. And we will replace in this function. So it was there. What I propose is to write, we will write thanks to GME to this array. Let's see if we manage to do it. Okay, so for that we will use Cubemix to add the memory to memory GME. So I launch Cubemix and I will ask open project. So let's take directly the path. I also should be available directly here. So if I open the IOC directly in my project, I will just need to add a GME. So it would be a memory to memory one. I just add memory to memory, nothing specific by byte. I will increment the address on the both side. Perfect. I would say from the project point of view, we can do it crush. I would say what is in our Cubemix firmware. And I generate do it. Now I come back in my code. And we should see appear now the GME that have been, I would say, had it by Cubemix, modifying the main.c on the associated file needed. So here it says it have been already down by Cubemix. We've got the GME in it. We can see here really bad thing one channel. And now let's modify this. Here we will remove this. And I propose to use a GME. So what I will do, let's try to modify, I will put two data, for example. And for the value, let's see one. Okay. Now I want to do a HL GME starts. Okay. The source address would be my data array. The destination address would be the privileged one, which is protected. And I want to transfer to data. Okay. Now what is missing is the HGME name, which is in the main.c. So at the top of the main.c file here, you've got the definition. Let's copy it. And in the top of the stm32mp.c, we will just declare it as an extern, just to have access to it. So, okay. And then I've got this name. I've got to copy it again and put it there. Okay. So I think it's ready. Let's try to recompile this one and to download it. So I want to keep my modification. Okay. So I've got an issue. What is it? Oh, I think I need to do some casts. No, just warning. HL GME starts. Okay. So I need to do some casts to avoid some issues. I need 32 underscore type. I think the same for this one. Okay. Let's build this first. Better. Still not good. Oh. Okay. I am if it was addressing the structures. Sorry about this. Okay. This time it's okay. Let's step by step. And I'm interested in this function. Okay. Here we configure again our protection. Here I start my GME. I don't see any reset. And now if I look in this array, you can see that we managed to transfer the two value. So we managed to access this array, which is protected thanks to the MPU. This is due to the DMA is not impacted by this protection. The MPU really to protect the core access. So just to fix you this idea, and it's important when you're using in the context of security, that mean if we manage to inject some code that is capable to create a DMA, we can work around this mechanism. But that's not means bad mechanism. It's a really, really interesting mechanism can be used with a security OS and could be very efficient. We use it also in the SBSFU to add some level of security inside.