Hello and welcome to this presentation of the OTFDEC, the on-the-fly decryption engine included in STM32L562 microcontrollers. The original purpose of OTFDEC is to protect the confidentiality of read-only firmware libraries stored in external SPI NOR flash devices. The OTFDEC performs on-the-fly decryption of OctoSPI memory-mapped read operations; any read access size, down to a single byte, is supported. The OTFDEC sits between the memory peripheral controller watermark, MPCWM1, which is the part of the GTZC (global TrustZone controller) in charge of defining the non-secure areas of the external memory, and OctoSPI1, which controls the access to the external serial flash. The Advanced Encryption Standard with a 128-bit key (AES-128) in counter mode is used to achieve the lowest possible latency: in counter mode the keystream depends only on the key, the initialization vector and the address, not on the data, so decryption of a read is a single XOR once the keystream is available. The price of counter mode is that a keystream must never be applied to two different contents. As a consequence, each time the content of an encrypted region is changed, the entire region must be re-encrypted with a different cryptographic context, that is a new key or a new initialization vector. Up to four independent regions can be defined, each with its own 128-bit key and initialization vector information. A lock mechanism prevents any further reconfiguration of the region parameters. The purpose of the OTFDEC peripheral is to protect the user code and data stored in the external serial flash memory. If the image is stored unencrypted it is easy to read, either by desoldering the flash device and resoldering it on another board, or by spying on the SPI bus traffic with a logic analyzer or an oscilloscope. Consequently the image stored in the flash memory should be encrypted, and decrypted on the fly during runtime reads, while the latency added by the decryption is kept to a minimum. The OTFDEC has been designed to meet these objectives. It is a new IP implemented in the STM32L562, able to decrypt code and data stored in an external flash with low latency. It also supports an encryption mode; the encryption process must follow the sequence described in the reference manual.
When encryption mode is selected, on-the-fly decryption is deactivated for all regions. Since the decryption is done internally by the microcontroller, the data transferred over the OctoSPI bus stays encrypted; this is the countermeasure against flash desoldering and bus spying. The OTFDEC is a companion IP of the OctoSPI peripheral. It intercepts any data read or write and any instruction fetch that targets the external flash. Decryption is transparent to the Cortex-M33 core: the data and instructions the processor receives have already been decrypted in hardware by the OTFDEC. The OTFDEC protects the confidentiality of external read-only code and of read-only data plus code areas, which are decrypted on the fly. Four independent and non-overlapping encrypted regions can be defined. The AES 128-bit cipher in counter mode is used to achieve the lowest possible latency, and the minimum access granularity is 8 bits. Each region is defined by a 128-bit secret key and its public 8-bit key CRC. The initialization vector of each region is built by the OTFDEC from a 64-bit application-defined nonce and a 16-bit library version; the user chooses this information, which is public diversification data, not a secret. The OTFDEC has a single AHB slave interface, used both to access the control and status registers and to transfer the data to encrypt or decrypt. For each region, the operating mode has to be selected. If the region contains both code and data, the MODE field of the region configuration register has to be set to the binary value 10. The standard AES algorithm is then used, hence the encryption process can be embedded in code generation tools or in application firmware for runtime encryption. If the region only contains instructions, the MODE field of the region configuration register can be set to the binary value 11. In this case an additional layer of protection is added on top of the standard AES algorithm, hence the encryption process cannot be reproduced by software tools: the OTFDEC itself must be used to perform the encryption.
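The standard mode (MODE = 10) just described is plain AES-128 in counter mode with an address-dependent counter, which is why a build tool can produce the encrypted image off-chip, why a read of any size decrypts without touching its neighbours, and why the slide before insisted that a changed region be re-encrypted under a fresh context. The Go program below is an added example written for this page, not ST code and not the device's algorithm. It models one region (key, nonce, version, address range), encrypts a constructed image as a host tool would, performs an unaligned 5-byte memory-mapped read, and then shows what an attacker with two flash dumps learns when the same key, nonce and version are reused on changed content, and that bumping the version removes the leak. The counter-block layout (nonce, version, zero padding, block address) is an assumption made for the model: the device derives its IV from the same three inputs, but its exact bit placement is not reproduced here, so this output is not interchangeable with hardware ciphertext.

```go
// Added example, not ST code: host-side model of OTFDEC standard mode (MODE = 10),
// AES-128 in counter mode with an address-dependent counter block (layout assumed).
package main

import (
	"crypto/aes"
	"encoding/binary"
	"fmt"
)

// Region models one of the four OTFDEC regions.
type Region struct {
	Key     [16]byte // 128-bit secret key (write-only on the device)
	Nonce   uint64   // 64-bit public diversification data
	Version uint16   // 16-bit public library version
	Start   uint32   // first byte address in the OctoSPI memory-mapped window
	End     uint32   // last byte address (inclusive)
}

// counterBlock is the AES input for the 16-byte block containing addr.
// ASSUMPTION of this model: nonce(8) || version(2) || zero(2) || block address(4).
func (r *Region) counterBlock(addr uint32) (cb [16]byte) {
	binary.BigEndian.PutUint64(cb[0:8], r.Nonce)
	binary.BigEndian.PutUint16(cb[8:10], r.Version)
	binary.BigEndian.PutUint32(cb[12:16], addr&^0xF)
	return cb
}

// Transform XORs the bytes located at addr with the region keystream. In counter
// mode the same routine encrypts (build tool) and decrypts (hardware, per read), and
// any range down to one byte is handled on its own: one AES block per 16 bytes, no padding.
func (r *Region) Transform(addr uint32, data []byte) ([]byte, error) {
	if addr < r.Start || uint64(addr)+uint64(len(data)) > uint64(r.End)+1 {
		return nil, fmt.Errorf("access 0x%08x+%d outside region", addr, len(data))
	}
	block, err := aes.NewCipher(r.Key[:])
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(data))
	var ks [16]byte
	for i := range data {
		a := addr + uint32(i)
		if i == 0 || a&0xF == 0 { // entering a new 16-byte block: one AES op
			cb := r.counterBlock(a)
			block.Encrypt(ks[:], cb[:])
		}
		out[i] = data[i] ^ ks[a&0xF]
	}
	return out, nil
}

// Read models a memory-mapped read of n bytes at addr; flash[0] sits at r.Start.
func (r *Region) Read(flash []byte, addr uint32, n int) ([]byte, error) {
	off := int(addr - r.Start)
	if addr < r.Start || off+n > len(flash) {
		return nil, fmt.Errorf("read 0x%08x+%d beyond flash dump", addr, n)
	}
	return r.Transform(addr, flash[off:off+n])
}

// XorBytes is all an attacker needs: two equal-length dumps made under the same key,
// nonce and version satisfy c1 XOR c2 == p1 XOR p2, exposing the change without the key.
func XorBytes(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range out {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// sampleRegion is constructed test data: not a real key, nonce or address map.
func sampleRegion() Region {
	r := Region{Nonce: 0x0123456789ABCDEF, Version: 1, Start: 0x90000000, End: 0x90000FFF}
	for i := range r.Key {
		r.Key[i] = byte(i)
	}
	return r
}

func main() {
	r := sampleRegion()
	p1 := make([]byte, 256) // constructed plaintext image, not real firmware
	for i := range p1 {
		p1[i] = byte(0xA5 ^ i)
	}
	c1, _ := r.Transform(r.Start, p1)   // build tool encrypts the image
	got, _ := r.Read(c1, r.Start+37, 5) // unaligned 5-byte read issued by the core
	fmt.Printf("read 0x%08x: %x (plain %x)\n", r.Start+37, got, p1[37:42])
	p2 := append([]byte(nil), p1...)
	copy(p2[40:], "PATCH") // content changed, same key/nonce/version reused
	c2, _ := r.Transform(r.Start, p2)
	fmt.Printf("c1^c2 = %x, p1^p2 = %x\n", XorBytes(c1, c2)[40:45], XorBytes(p1, p2)[40:45])
	r.Version++ // new context: whole region re-encrypted, the leak is gone
	c3, _ := r.Transform(r.Start, p2)
	fmt.Printf("c1^c3 = %x\n", XorBytes(c1, c3)[40:45])
}
```

The model deliberately has no notion of mode 11: the enhanced layer is hardware-only, which is exactly why the text says an image for such a region cannot be prepared by tools and must be produced by the OTFDEC on the device.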
The configuration of each region can be independently locked to prevent any further modification: both the 128-bit key and the configuration parameters can be locked. All key registers are write-only and are automatically erased when an intrusion is detected by tamper detection, on readout protection (RDP) regression, or on a change of the MODE field. OTFDEC is a TrustZone-aware peripheral. When security is activated in the product (TZEN = 1), all writes to its registers must be secure. When the PRIV bit is set in OTFDEC_PRIVCFGR, only privileged accesses are granted to most OTFDEC registers. The principle of OTFDEC is to analyze all AHB read transfers on the associated AHB bus. If the read request falls within one of the four regions programmed in OTFDEC, the control logic triggers a keystream computation based on the AES algorithm in counter mode. The keystream is then used to decrypt on the fly the data present in the read transfer from the OctoSPI AHB master, tying low the HREADYOUT signal of this master while the keystream is being computed. This takes up to 11 cycles. Any access outside the enabled OTFDEC regions is treated as a non-encrypted region and passes through unchanged. As OTFDEC is used in conjunction with OctoSPI, it is mandatory to access the flash memory through the memory-mapped mode of the flash controller. In the region configuration register, the MODE bits select the OTFDEC operating mode, standard or enhanced encryption. The OTFDEC can also be used to encrypt data, using either the standard AES algorithm or the enhanced encryption algorithm. A tamper detection, an RDP regression or a change of the MODE bits automatically erases the keys. The OTFDEC can assert an interrupt to the NVIC for three possible causes: security error, key error, and execute-only or execute-while-encryption error. Each of these causes has a dedicated flag and interrupt enable bit. This slide describes the sequence used to encrypt the contents of a memory buffer; the resulting cipher data is stored in RAM.
It has to be implemented in secure code when TrustZone is enabled. The user firmware is responsible for external flash programming, and it is in charge of the following initializations during the boot sequence: loading the keys into the OTFDEC key registers of each OTFDEC region; loading the nonce, version, start address and end address information of each region; setting the REGEN bit of each region; and locking the OTFDEC configuration above, which is recommended. Then on-the-fly decryption is ready. The user firmware must be secure if security is activated on the product (TZEN = 1). Secure firmware install, or SFI, is a global solution for the STM32L5 series of microcontrollers, allowing secure and counted installation of OEM firmware in an untrusted production environment such as an OEM contract manufacturer. OEM firmware protected by SFI can be stored in the device's embedded flash, or encrypted in an external flash connected via OctoSPI. When external flash memory is targeted by SFI, the OEM firmware code must be encrypted with an external firmware and data AES key. This key can be common to all devices, in which case tools can perform the encryption if the OTFDEC mode is binary 10; or unique per device, in which case the firmware is encrypted inside the device, which is mandatory if the OTFDEC mode is binary 11. Encryption on chip using OTFDEC is illustrated on the following slide. For more information, please refer to application note AN4992 on secure firmware install solutions. This slide represents the sequence where the STM32 secure bootloader handles both internal firmware installation and external firmware installation, with a global external flash memory AES key and the help of an external flash memory loader. The numbered steps are shown on the schematic. First step: create an SFI image using STM32 Trusted Package Creator (TPC) with the internal firmware and data, including the external flash memory drivers, the external firmware and data AES key, and the external firmware and data.
Second step: perform internal flash memory programming as described in the STM32L5 RSS training. Third step: program the external firmware and data AES key into the OTFDEC peripheral. As an alternative to what is drawn on the slide, this key can be managed locally on the device rather than globally in the flashing tools. Fourth step: perform external flash memory chunk encryption. Fifth step: perform external flash memory programming with the user's firmware. Afterwards, during each secure boot, the secure internal firmware first copies the AES firmware and data keys into the write-only OTFDEC key registers, then activates the OTFDEC region tied to those keys. At this point the CPU can seamlessly read or fetch data or code from the external flash memory, once the OctoSPI driver has been initialized. The OTFDEC is a TrustZone-aware peripheral. When TrustZone is disabled, only the privilege attribute is relevant: by setting the PRIV bit in the privilege configuration register, OTFDEC_PRIVCFGR, unprivileged reads return zero and unprivileged writes are ignored. When TrustZone is enabled, non-secure write accesses to OTFDEC registers are discarded; consequently, OTFDEC regions can only be programmed by secure applications. The privilege attribute can also be set when TrustZone is enabled. The OTFDEC has three interrupt sources. The security error is raised when an attempt to read the key registers is detected, when an attempt is made to write the keys while the key lock bit is set, or when an attempt is made to reconfigure a region while the configuration lock bit is set. When enhanced encryption is selected (MODE = 11), the execute-only error is raised when a data read access to an execute-only region is attempted. When encryption mode is selected (ENC = 1), the execute-while-encryption error is raised when code is fetched from any protected region.
The key error is raised when a read request targets a region whose key registers are null or not properly programmed, that is when the key CRC equals zero. A key error can result from an incorrect key register write sequence. It can also occur when the keys have been erased by a tamper detection, a readout protection regression or a MODE field change. The OTFDEC is active in Run, Sleep, Low-power run and Low-power sleep modes. An OTFDEC interrupt can cause the device to exit Sleep or Low-power sleep mode. In Stop 0, Stop 1 or Stop 2 mode, the OTFDEC is frozen and its register content is maintained. In Standby or Shutdown mode, the OTFDEC is powered down and must be reinitialized afterwards. The OTFDEC module interacts with the following other modules: the global TrustZone controller (GTZC), the OctoSPI interface, the nested vectored interrupt controller (NVIC), the memory protection, and the root security services (RSS) with the SFI information. For more details on SFI, please refer to application note AN4992, overview of secure firmware install.