### STM32L5 MCU series

Excellence in ultra-low-power with more security









## First STM32 Based on Cortex-M33

#### STM32L5 is the answer

More security with TrustZone and the ST security implementation

- **HW** to resist logical and board-level attacks
- Lower power consumption
  - STM32 ultra-low-power technology
- Integration, size, performance
  - More performance, larger memory sizes and a wide portfolio









## STM32L5 block diagram

- Up to 110 MHz, 165 DMIPS
- 512 KB Flash / 256 KB SRAM
- Security: TrustZone, Arm v8-M
- ART accelerator: 8 KB instruction cache, for internal and external memories
- 1x OctoSPI







# Extend the Battery Life Time

- STM32L5 reuses the STM32L4/L4+ technology, achieving best-in-class power consumption
- STM32L5 integrates an optional SMPS (DC/DC buck voltage regulator) which can be enabled/disabled on the fly to optimize energy consumption.
- Proven by EEMBC test results:









# Ultra-low-power Modes

#### Best power consumption numbers with full flexibility

| Mode | Current consumption | Wake-up time | Wake-up sources |
|------|---------------------|--------------|-----------------|
| $V_{BAT}$ | 3 nA / 225 nA\* | - | Tamper detection: 3 I/Os, RTC |
| Shutdown | 33 nA / 300 nA\* | 250 µs | Reset pin, 5 I/Os, RTC |
| **Standby** | 110 nA / 385 nA\* | 14 µs | + BOR, IWDG |
| Standby + 64-Kbyte RAM | 190 nA / 465 nA\* | 14 µs | + BOR, IWDG |
| Stop 2 (full retention: 256-Kbyte RAM) | 3.3 µA / 3.6 µA\* | 5 µs | + all I/Os, PVD, COMPs, I2C, LPUART, LPTIM |
| Sleep | 38 µA/MHz | 6 cycles | Any interrupt or event |
| Run (up to 110 MHz) | Down to 60 µA/MHz | - | - |



### More Performance

#### Better responsiveness of the application

- New Arm® Cortex®-M33 performance: +20% versus Cortex-M4
  - 1.5 DMIPS/MHz, 3.88 CoreMark/MHz
  - 165 DMIPS, 427 CoreMark at 110 MHz
- New ST ART Accelerator™: working both on internal and external Flash
  - 8 Kbytes of instruction cache







## Series/Packages/Pinout





### STM32L5 series

Series features: Cortex-M33 (DSP + FPU) at 110 MHz, ICACHE, USART, SPI, I<sup>2</sup>C, 16- and 32-bit timers, SAI + audio PLL, SHA, TRNG, PKA, on-the-fly decryption, 2x 12-bit DAC, temperature sensor, low voltage 1.71 V to 3.6 V, VBAT mode, unique ID, capacitive touch sensing.

| Product line | FLASH (KB) | RAM (KB) | Memory I/F | 2x Op-Amp | 2x Comp. | 4ch / 2x Sigma Delta interface | 12-bit ADC 5 Msps, 16-bit HW oversampling | USB 2.0 Device XTAL-less | CAN-FD | AES 128/256-bit | PKA | OTFDEC |
|--------------|------------|----------|------------|-----------|----------|--------------------------------|-------------------------------------------|--------------------------|--------|-----------------|-----|--------|
| STM32L552: USB Device & CAN-FD | 512 to 256 | 256 | SDMMC, FSMC, Octo SPI | • | • | • | 2 | • | • | | | |
| STM32L562: USB Device & CAN-FD & AES, PKA, OTFDEC | 512 to 256 | 256 | SDMMC, FSMC, Octo SPI | • | • | • | 2 | • | • | • | • | • |






#### STM32L5 TrustZone Isolations

#### Up to 5 security domains – PSA isolation level 3

- Un-trusted area with code isolation: RTOS & applications
- Trusted area with code isolation: Secure OS and services
- Trusted privileged immutable area: Customer RoT / Secure Boot code





## STM32L5 TrustZone Implementation

#### High granularity of isolation

- Each GPIO, DMA channel, part of memory, etc. can be assigned to one domain
- Fine-granularity adjustment of memory size and peripherals for each domain
- Full hardware isolation of each domain



# A Full Set of Security Resources STM32L5

- Public key (PKA) acceleration: ECC, RSA
- Active and static tamper detection
- AES acceleration up to 256-bit
- On-the-fly decryption
- Hash up to SHA-256
- **TRNG**





# A Full Set of Security Resources STM32L5

- TrustZone
- **Unique Boot Entry**
- HDP (Hide Protect)
- Memory protection unit (MPU)
- OTP memory
- **Unique ID**





# Security Certification Compliant STM32L5

- Industrial Security Level Capable
- Arm **PSA** security Level 1 Certified
- Arm **PSA** security Level 2 Ready





#### STM32L5 TrustZone architecture





## TrustZone Security architecture

- The security architecture is based on Arm® TrustZone® with the Armv8-M Main Extension
- When TrustZone is enabled, the SAU (security attribution unit) and the IDAU (implementation defined attribution unit) define the access permissions based on the secure and non-secure state.
  - IDAU: it provides a first memory partition with non-secure or non-secure callable attributes. The IDAU memory map partition is not configurable and is fixed by the hardware implementation.
  - SAU: up to eight configurable SAU regions are available for security attribution.
  - The security state is selected first from the IDAU security attribute, then combined with the SAU security attribution.
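To make the IDAU/SAU combination concrete, here is a host-side C model (an added example, not ST or Arm code) of the attribution a Cortex-M33 applies: a fixed IDAU partition returning NS or NSC, up to eight SAU regions, and the rule that the more secure of the two results wins. The IDAU ranges, SAU regions and probe addresses are constructed assumptions, not the device's actual partition.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Host-side model of ARMv8-M security attribution as the slides describe it:
 * a fixed IDAU partition (NS or NSC), up to eight SAU regions, and the
 * combination of both. Constructed example, not ST or Arm code. */
typedef enum { ATTR_NS = 0, ATTR_NSC = 1, ATTR_S = 2 } sec_attr_t; /* ordered: NS < NSC < S */

typedef struct { uint32_t base, limit; bool nsc, enable; } sau_region_t;
typedef struct { bool enable, allns; sau_region_t r[8]; } sau_t;

static const char *attr_name(sec_attr_t a)
{
    return a == ATTR_S ? "Secure" : a == ATTR_NSC ? "Non-secure callable" : "Non-secure";
}

/* IDAU model (assumption for this example, not taken from the slides): the
 * secure aliases 0x0C..., 0x3..., 0x5... are marked NSC-capable by hardware;
 * everything else is non-secure. The real partition is in the reference manual. */
sec_attr_t idau_lookup(uint32_t addr)
{
    if ((addr >= 0x0C000000u && addr <= 0x0FFFFFFFu) ||
        (addr >= 0x30000000u && addr <= 0x3FFFFFFFu) ||
        (addr >= 0x50000000u && addr <= 0x5FFFFFFFu))
        return ATTR_NSC;
    return ATTR_NS;
}

/* SAU: an address inside one enabled region is NS (or NSC if the region's NSC
 * bit is set); an address matched by two regions is Secure; an address outside
 * every region is Secure. With the SAU disabled, ALLNS decides for all memory. */
sec_attr_t sau_lookup(const sau_t *sau, uint32_t addr)
{
    if (!sau->enable) return sau->allns ? ATTR_NS : ATTR_S;
    int hits = 0;
    sec_attr_t res = ATTR_S;
    for (int i = 0; i < 8; i++) {
        const sau_region_t *reg = &sau->r[i];
        if (reg->enable && addr >= reg->base && addr <= reg->limit) {
            hits++;
            res = reg->nsc ? ATTR_NSC : ATTR_NS;
        }
    }
    return hits == 1 ? res : ATTR_S;
}

/* Final attribute: the more secure of the IDAU and SAU results wins. */
sec_attr_t combined_attr(const sau_t *sau, uint32_t addr)
{
    sec_attr_t s = sau_lookup(sau, addr), i = idau_lookup(addr);
    return s > i ? s : i;
}

/* Constructed SAU configuration: NS application flash, an NSC veneer page in the
 * secure flash alias, NS peripherals. NS SRAM is deliberately left uncovered. */
static const sau_t demo_sau = { true, false, {
    { 0x08040000u, 0x0807FFFFu, false, true },  /* region 0: NS flash */
    { 0x0C03E000u, 0x0C03FFFFu, true,  true },  /* region 1: NSC veneers */
    { 0x40000000u, 0x4FFFFFFFu, false, true },  /* region 2: NS peripherals */
} };

sec_attr_t demo_attr(uint32_t addr) { return combined_attr(&demo_sau, addr); }

int main(void)
{
    const uint32_t probes[] = { 0x08040000u, 0x0C000100u, 0x0C03E010u, 0x20000000u, 0x40021000u };
    for (size_t k = 0; k < sizeof probes / sizeof probes[0]; k++)
        printf("0x%08X -> IDAU %-19s SAU %-19s => %s\n", (unsigned)probes[k],
               attr_name(idau_lookup(probes[k])), attr_name(sau_lookup(&demo_sau, probes[k])),
               attr_name(demo_attr(probes[k])));
    return 0;
}
```

The 0x20000000 probe shows the common misconfiguration: SRAM at the non-secure alias that no SAU region covers comes out Secure, so non-secure code touching it faults.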





### Additional states in ARMv8-M











#### Arm v8-M TrustZone access rules



## General picture







# TrustZone peripheral classification (1/2)

- When TrustZone security is active, a peripheral is either Securable or TrustZone-aware
- Securable peripheral:
  - the peripheral is protected by an AHB/APB firewall gate controlled by the TZSC controller, which defines its security properties.
- TrustZone-aware peripheral:
  - the peripheral is connected directly to the AHB or APB bus and implements a specific TrustZone behavior, such as a subset of its registers being secure.





# TrustZone peripheral classification (2/2)

List of TrustZone-aware peripherals

| Bus  | Peripherals                                                              |
|------|--------------------------------------------------------------------------|
| AHB1 | MPCBBx, MPCWMx, TZIC, TZSC, EXTI, Flash memory, RCC, DMAMUX, DMA2, DMA1  |
| AHB2 | GPIOA to GPIOH, OTFDEC                                                   |
| APB1 | PWR, RTC                                                                 |
| APB2 | SYSCFG                                                                   |

The remaining peripherals are Securable.



## STM32L5 System Architecture



# STM32L562xx/52xx System Architecture

#### 32-bit multilayer AHB bus matrix, 6 Masters, 7 Slaves



- ICACHE is an 8 KB instruction cache on the C-AHB code bus of the Cortex®-M33, improving performance when fetching instructions (or data) from internal or external memories
- Remapping logic allows any internal or external memory range to be cached.
- MPCBBx: memory protection controller, block based
- MPCWMx: memory protection controller, watermark

# GTZC TZSC / MPC-BB / TZIC





### GTZC in ARMv8-M subsystem block diagram





Securable memories


### GTZC - MPCBB - TZ aware







### Embedded FLASH





## Flash memory: Features

- Up to 512 Kbytes: 128 pages
  - Single bank: page size = 4 Kbytes
  - Dual bank: page size = 2 Kbytes
- 512 bytes OTP (one-time programmable)
- Flash memory read operations with two data width modes:
  - Single bank mode (DBANK=0): read access of 128 bits
  - Dual bank mode (DBANK=1): read access of 64 bits
- TrustZone security support
  - The flash security area is defined by watermark user options or by the block-based configuration registers





## Flash memory: TrustZone Security

- Secure watermark-based area by option bytes
  - Single Bank: 2 secure watermarked areas
  - Dual Bank: 1 secure watermarked area per bank
- Secure or non-secure block-based areas.
  - Any page can be configured as secure /non secure
- Erase/program in secure and non-secure mode
  - Non-secure and Secure register
- Secure and non-secure interrupts





# STM32L5 FLASH I/F





#### FLASH features overview

- Up to 512 KB with dual bank (RWW)
- **Memory Organization** 
  - dual bank
  - main memory: up to 512 KB (128 x 2 KB pages per bank)
  - system memory: 32 KB (16 x 2 KB pages)
- 2 write protection areas per bank (n x 2 KB)
- TrustZone support
  - 1 secure area per bank including:
    - 1 secure PcROP area
    - 1 secure HDP area
  - Block-based security attribute (volatile)
- Bank swapping
- ECC support (SECDED)
  - 8 bits per 64-bit double word

# Secure areas (WM) - non-volatile settings (option bytes)

- Secure watermark area
  - Start and end addresses defined in secure option bytes
- Secure PcROP area
  - Start address defined in secure option bytes
  - End address same as the secure area end
- Secure hide protection (HDP) area
  - Start address same as the secure area start
  - End address defined in secure option bytes

All area definitions are aligned on a whole number of pages





# Write protection areas - non volatile settings (option bytes)

#### 2 independent WRP areas

- Start and end addresses defined in option bytes
- Always aligned on a whole number of pages
- The write protection attribute is orthogonal to the other settings (Secure / HDP / PcROP)





### Block-based security attribute – volatile settings

- Any 2 KB flash page (block) can be set as secure/non-secure thanks to dedicated secure registers in the flash interface (SECBBXA/Bn)
- At reset all SECBBXA/Bn registers are cleared (non-secure)
- Setting a page as secure which already belongs to the secure watermark area has no effect





#### PCROP

#### PcROP properties

- Only secure fetch/execute access permitted
- The PCROP area is activated by setting the PCROPEN option bit
- PCROP size and PCROPEN can only be modified while the HDP1\_ACCDIS register bit is reset

#### Benefits

- FW IP protection
- Mutual protection of secure FW IPs

#### Constraints

- Specific compilation option required (no literal pool / execute only)
- Small impact on code size and performance





## Hide Protection area (aka sticky)

#### Secure HDP memory properties

- Enables isolation of secure boot code and data (secrets) from (secure) application code
- The HDP area is activated by setting the HDPEN option bit
- HDP size and HDPEN can only be modified while the HDP1\_ACCDIS register bit is reset
- Once HDP1\_ACCDIS is set, no more operations are permitted on the HDP zone (size change, read, write, erase)
  - Any page belonging to the HDP area can therefore only be erased by the HDP code itself.
- How it works:
  1. The system boots and executes the HDP area (sensitive code)
  2. It calls the HDP exit function (immutable, in the RSS lib), which disables/hides the secure HDP area until the next reset
  3. The exit function branches to the (secure) application code
  4. The (secure) FW can no longer access the hidden HDP area
- Benefits
  - Easy and efficient boot code/secrets isolation
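The following C model ties together the secure watermark, PcROP, HDP and WRP option-byte areas, the volatile block-based attribute and the HDP1_ACCDIS hide step from the preceding flash slides. It is an added example, not ST code: it works in page indices, and its struct names, page layout and bit packing are constructed assumptions rather than the real option-byte encodings or register layouts.

```c
#include <stdbool.h>
#include <stdint.h>

/* Host-side model of the STM32L5 flash protection areas on these slides:
 * secure watermark, PcROP, HDP, WRP (page-aligned option bytes), the volatile
 * block-based attribute, and the HDP1_ACCDIS "sticky" hide. Constructed
 * example, not ST code: page indices replace the real option-byte encodings. */
#define PAGES_PER_BANK 128u   /* 128 x 2 KB pages per bank */

typedef struct {
    uint32_t sec_start, sec_end;         /* secure watermark area (pages, inclusive) */
    uint32_t pcrop_start; bool pcrop_en; /* PcROP: start page; end = secure area end */
    uint32_t hdp_end;     bool hdp_en;   /* HDP: end page; start = secure area start */
    uint32_t wrp_start[2], wrp_end[2];   /* two independent write-protection areas */
    bool     wrp_en[2];
} bank_option_bytes_t;

typedef struct {
    uint32_t secbb[PAGES_PER_BANK / 32]; /* block-based bits, one per page, cleared at reset */
    bool     hdp_accdis;                 /* HDP1_ACCDIS: once set, HDP hidden until reset */
} bank_volatile_t;

typedef struct { bool secure, pcrop, hdp, hidden, wrp; } page_attr_t;

static bool in_range(uint32_t p, uint32_t lo, uint32_t hi) { return lo <= p && p <= hi; }

/* Volatile block-based attribute. Returns false when the request has no
 * effect: an invalid page, or a page already secure by the watermark. */
bool secbb_set(const bank_option_bytes_t *ob, bank_volatile_t *v, uint32_t page, bool secure)
{
    if (page >= PAGES_PER_BANK || in_range(page, ob->sec_start, ob->sec_end)) return false;
    uint32_t mask = 1u << (page % 32);
    if (secure) v->secbb[page / 32] |= mask; else v->secbb[page / 32] &= ~mask;
    return true;
}

page_attr_t flash_page_attr(const bank_option_bytes_t *ob, const bank_volatile_t *v, uint32_t page)
{
    page_attr_t a = { false, false, false, false, false };
    bool wm = in_range(page, ob->sec_start, ob->sec_end);
    bool bb = (v->secbb[page / 32] >> (page % 32)) & 1u;
    a.secure = wm || bb;
    a.pcrop  = wm && ob->pcrop_en && in_range(page, ob->pcrop_start, ob->sec_end);
    a.hdp    = wm && ob->hdp_en && in_range(page, ob->sec_start, ob->hdp_end);
    a.hidden = a.hdp && v->hdp_accdis;   /* no size change, read, write or erase until reset */
    for (int i = 0; i < 2; i++)          /* WRP is orthogonal to the security attributes */
        if (ob->wrp_en[i] && in_range(page, ob->wrp_start[i], ob->wrp_end[i])) a.wrp = true;
    return a;
}

/* Constructed bank layout: secure watermark pages 0-31, HDP pages 0-7 (boot
 * code and secrets), PcROP pages 24-31 (execute-only IP), WRP area 0 on pages 0-3. */
static const bank_option_bytes_t demo_ob = { 0, 31, 24, true, 7, true, {0, 0}, {3, 0}, {true, false} };

/* Packs a page's attributes as bits: secure=1, pcrop=2, hdp=4, hidden=8, wrp=16.
 * Scenario: after reset, code makes page 40 secure via the block-based
 * register, then (optionally) the HDP exit function sets HDP1_ACCDIS. */
unsigned demo_attr_bits(uint32_t page, bool after_hdp_exit)
{
    bank_volatile_t v = { {0}, false };          /* reset state */
    secbb_set(&demo_ob, &v, 40, true);
    v.hdp_accdis = after_hdp_exit;
    page_attr_t a = flash_page_attr(&demo_ob, &v, page);
    return a.secure | a.pcrop << 1 | a.hdp << 2 | a.hidden << 3 | a.wrp << 4;
}

/* True if a block-based "secure" request on `page` changes anything from reset state. */
bool demo_secbb_effective(uint32_t page)
{
    bank_volatile_t v = { {0}, false };
    return secbb_set(&demo_ob, &v, page, true);
}
```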



## RSS – Root Security Services



### RSS

- SYSTEM FLASH (aka information block)
  - Immutable (=ROM)
  - Root Security Services
    - A) RSS\_boot (sticky property, HDP-like)
      - Unique entry point
      - Provides a set of security services available at reset (SFI / SMI / ...)
    - B) RSS lib
      - Multiple entry points (trusted ST APIs)
      - Provides a set of security services callable by user code
  - Boot loader
    - Unique entry point
    - Classic bootloader functions
  - Provisioning
    - Pair of <u>chip</u> public/private keys
    - Certificate (genuine STM32) + UID




# STM32L5 Device Life Cycle (RDP)





## TZEN = 0

Legacy mode





### TZEN = 1

Trustzone enabled mode

Additional RDP level





Note: RDP regression can only be done by debug interface or by system bootloader


## RDP level summary TZEN=1

| Protection level | Properties | Comments |
|------------------|------------|----------|
| Level 0 | Device open | No debug restriction (secure and non-secure)<br>Boot address must target a secure area<br>Boot on secure SRAM, FLASH, SYSTEM FLASH (RSS) possible |
| Level 0.5 | Device partially closed, no secure debug | Non-secure debug only<br>NS-Flash access allowed (with debug connection)<br>Boot address must target secure user flash<br>Boot on SRAM not permitted |
| Level 1 | Device memories protected, no secure debug, FLASH + SRAM2 + backup registers protected | Non-secure debug only<br>Flash access <u>not allowed</u> (with debug connection)<br>Boot address must target secure user flash |
| Level 2 | Closed device (no JTAG), no option byte change | No debug (JTAG fuse)<br>Boot address in secure user flash |



## Protection of a first 3<sup>rd</sup> party vendor from a final one







## Encryption / Decryption / Authentication








#### The STM32L5 embeds:

- True random number generator
- 96-bit unique ID
- Encryption hardware accelerator: AES (128/256-bit key)
- HASH processor, fully compliant with the secure hash algorithms (SHA-1, SHA-224, SHA-256), the MD5 hash algorithm and HMAC
- Public key accelerator (PKA): acceleration for RSA, Diffie-Hellman and ECC (elliptic curve cryptography)
- OTFDEC (on-the-fly decryption engine)





### **AES HW accelerator**

- 128-bit data block processing
- Support for cipher key lengths of 128 bits and 256 bits
- Multiple chaining modes are supported
  - ECB, CBC, CTR, GCM, GMAC, CCM
- The AES accelerator is a 32-bit AHB peripheral. It supports DMA single transfers for incoming and outgoing data
- 51 or 75 clock cycles latency in ECB mode for processing one 128-bit block of data with a 128-bit or 256-bit key, respectively



## **AES** processing latency

Table 205. Processing latency (in clock cycles) for ECB, CBC and CTR

| Key size | Mode of operation      | Algorithm     | Input phase + FSM set | Computation phase | Output phase | Total |
|----------|------------------------|---------------|-----------------------|-------------------|--------------|-------|
| 128-bit  | Mode 1: Encryption     | ECB, CBC, CTR | 9                     | 38                | 4            | 51    |
| 128-bit  | Mode 2: Key derivation | -             | -                     | 59                | -            | 59    |
| 128-bit  | Mode 3: Decryption     | ECB, CBC, CTR | 9                     | 38                | 4            | 51    |
| 256-bit  | Mode 1: Encryption     | ECB, CBC, CTR | 13                    | 58                | 4            | 75    |
| 256-bit  | Mode 2: Key derivation | -             | -                     | 82                | -            | 82    |
| 256-bit  | Mode 3: Decryption     | ECB, CBC, CTR | 13                    | 58                | 4            | 75    |

#### Table 206. Processing latency for GCM and CCM (in clock cycles)

| Key size | Mode of operation                       | Algorithm | Init phase | Header phase | Payload phase | Tag phase |
|----------|-----------------------------------------|-----------|------------|--------------|---------------|-----------|
| 128-bit  | Mode 1: Encryption / Mode 3: Decryption | GCM       | 64         | 35           | 51            | 59        |
| 128-bit  | Mode 1: Encryption / Mode 3: Decryption | CCM       | 63         | 55           | 114           | 58        |
| 256-bit  | Mode 1: Encryption / Mode 3: Decryption | GCM       | 88         | 35           | 75            | 75        |
| 256-bit  | Mode 1: Encryption / Mode 3: Decryption | CCM       | 87         | 79           | 162           | 82        |



## Hash processor

- Fully compliant with the secure hash algorithms
  - SHA-1 and SHA-2 family
  - MD5
  - HMAC
- Fast computation of SHA-1, SHA-224, SHA-256, and MD5

| Mode of operation | FIFO load <sup>(1)</sup> | Computation phase | Total |
|-------------------|--------------------------|-------------------|-------|
| MD5               | 16                       | 50                | 66    |
| SHA-1             | 16                       | 66                | 82    |
| SHA-224           | 16                       | 50                | 66    |
| SHA-256           | 16                       | 50                | 66    |



## Public key accelerator (PKA)

- Acceleration of RSA, DH and ECC over GF(p) operations, based on the Montgomery method for fast modular multiplications.
  - RSA modular exponentiation
  - RSA Chinese Remainder Theorem (CRT) exponentiation
  - ECC scalar multiplication, point on curve check
  - ECDSA signature generation and verification
- Capability to handle operands up to 3136 bits for RSA/DH and 640 bits for ECC.
- Arithmetic and modular operations such as addition, subtraction, multiplication, modular reduction, modular inversion, comparison, and Montgomery multiplication.
- Built-in Montgomery domain inward and outward transformations.



## PKA computation times

Table 241. Modular exponentiation with Montgomery parameters computation

| Exponent length (in bits) | Operand length 1024 bits | Operand length 2048 bits | Operand length 3072 bits |
|---------------------------|--------------------------|--------------------------|--------------------------|
| 3                         | 152000                   | 407000                   | 864000                   |
| 17                        | 163000                   | 448000                   | 955000                   |
| 2<sup>16</sup> + 1        | 208000                   | 611000                   | 1308000                  |
| 1024                      | 5832000                  | -                        | -                        |
| 2048                      | -                        | 41917000                 | -                        |
| 3072                      | -                        | -                        | 137477000                |

Table 242. Montgomery parameters average computation times

| Operand length (in bits) | 1024  | 2048   | 3072   |
|--------------------------|-------|--------|--------|
| Time                     | 59768 | 233073 | 552321 |



## PKA computation times

#### Table 244. ECC scalar multiplication times with Montgomery parameters<sup>(1)</sup>

| Modulus length (in bits) | 160    | 192     | 256     | 320     | 384     | 512      | 521      |
|--------------------------|--------|---------|---------|---------|---------|----------|----------|
| Time                     | 817000 | 1250000 | 2462000 | 4254000 | 6821000 | 14445000 | 16580000 |

#### Table 245. ECDSA signature average computation time

| Modulus length (in bits) | 160    | 192     | 256     | 320     | 384     | 512      | 521      |
|--------------------------|--------|---------|---------|---------|---------|----------|----------|
| Time                     | 880000 | 1332000 | 2645000 | 4508000 | 7298000 | 15309000 | 17770000 |

#### Table 246. ECDSA verification average computation times

| Modulus length (in bits) | 160     | 192     | 256     | 320     | 384      | 512      | 521      |
|--------------------------|---------|---------|---------|---------|----------|----------|----------|
| Time                     | 1750000 | 2675000 | 5249000 | 9063000 | 14559000 | 30673000 | 35794000 |





## On-the-fly decryption engine (OTFDEC)

- The embedded OTFDEC decrypts in real time the AES-encrypted content stored in the external OctoSPI memories used in memory-mapped mode
- 2 modes:
  - Standard AES
  - **Enhanced**









## **DMA**



- 2 x DMA with 2 x 8 channels
- Privileged/unprivileged mode
  - Support of privileged/unprivileged DMA transfers independently at channel level
- TrustZone security
  - Support of secure/non-secure DMA transfers, independently at channel level and, within a channel, independently for the source and destination addresses
  - TrustZone-aware AHB slave port, protecting any secure register from non-secure software access
- DMAMUX is TrustZone-aware like the DMA
- 2 interrupt entries
  - DMAMUX1\_IRQHandler\_S (secure)
  - DMAMUX1\_IRQHandler (non-secure/legacy)









## **EXTI**



- All EXTI features of STM32L4
- TrustZone security support
  - Each EXTI event can be configured as secure
    - The associated input event configuration and control bits can only be modified and read by a secure access
    - A non-secure write access is discarded and a read returns 0 (RAZ/WI)
- Privileged/unprivileged mode selection
  - Each EXTI event can be configured as privileged
    - The associated input event configuration and control bits can only be modified and read by a privileged access
    - An unprivileged write access is discarded and a read returns 0 (RAZ/WI)





## **GPIO**



- All GPIO features of STM32L4
- TrustZone security support
  - Each I/O pin of a GPIO port can be individually configured as secure/non-secure
  - After reset, all I/Os of the GPIO ports are secure
- Secure I/O pin
  - Alternate function (AFI, AFO), mode selection configuration and I/O data are protected against non-secure access
  - Input data are not redirected to another peripheral
  - Output data are not replaced by another peripheral
  - Secure I/O data cannot be redirected to a non-secure I/O, whether the I/O is configured as alternate function or through peripherals such as analog, USB, RTC or wakeup pins
  - Non-secure I/O data cannot be redirected to a secure peripheral



## GPIO Privileged/Unprivileged mode

- All GPIO registers can be read and written by privileged and unprivileged accesses, whatever the security state (secure or non-secure)





## Power Controller (PWR)



## PWR: TrustZone Security

- Independent security bits to secure PWR functionalities:
  - Low-power mode
  - Wake-up (WKUP) pins
  - Voltage detection and monitoring
  - VBAT mode
- Additional PWR configuration bits are secure:
  - If the system clock selection is secure in the RCC:
    - the voltage scaling (VOS) configuration in PWR is secure
  - If a GPIO is configured as secure:
    - its corresponding bit in PWR for pull-up/pull-down configuration in Standby mode is secure
  - If the RTC is secure:
    - the backup domain write protection DBP bit <u>in PWR</u> is secure
  - If the UCPD is secure:
    - the UCPD\_DBDIS and UCPD\_SDBY bits in PWR are secure

## PWR Privilege mode

- Privileged/unprivileged mode
  - All PWR register configuration can be set in privileged mode
    - All PWR registers can be read and written by privileged access only, except the PWR\_SR1, PWR\_SR2 and PWR\_SECFGR registers.
    - Unprivileged access to a privileged PWR register is discarded (RAZ/WI).
    - If TrustZone is enabled, the PRIV bit is secure.





## RTC/TAMP

#### Up to 8 external tampers (active or not)

#### Up to 16 internal tampers

- ITAMP2: temperature monitoring
- ITAMP3: LSE monitoring (CSS)
- ITAMP4: reserved
- ITAMP5: RTC calendar overflow
- ITAMP6, ITAMP7
- ITAMP8: monotonic counter overflow
- up to ITAMP16: reserved for future evolution

A tamper event erases the backup registers and the backup SRAM







### RTC / TAMP

- RTC TrustZone support
  - Either the RTC is fully securable
  - or RTC init, calibration, alarm A, alarm B, wakeup timer and timestamp have individual secure or non-secure configuration
- TAMP/backup registers TrustZone support
  - Tamper secure or non-secure configuration
  - Backup registers configuration in 3 configurable-size areas:
    - 1 read/write secure area
    - 1 write secure/read non-secure area
    - 1 read/write non-secure area
- 2 interrupt entries for RTC (alarm/wake-up timer)
  - RTC\_IRQHandler\_S (secure), gated by the security state of the RTC
  - RTC\_IRQHandler (non-secure/legacy)
- 2 interrupt entries for tamper
  - TAMP\_IRQHandler\_S (secure), gated by the security state of the RTC
  - TAMP\_IRQHandler (non-secure/legacy)

## Releasing Your Creativity





