last updated: 2026-03-21 16:24:14

Security Feature Analysis

Extract and interpret STM32 security features from reference manual and security documentation PDFs.

What to Extract

Flash Protection

  • RDP (Read-out Protection): Levels 0 (no protection), 1 (debug restricted), 2 (permanent, irreversible)
  • WRP (Write Protection): Per-sector/page write protection via option bytes
  • PCROP (Proprietary Code Read-Out Protection): Execute-only regions, code cannot be read even by other firmware

Advanced Security Features (Family Dependent)

  • Firewall (L0, L4): Hardware-enforced isolation of a protected code and data segment (e.g. proprietary IP); code outside the firewalled segment cannot access it
  • TrustZone (L5, U5, H5, WBA): ARM TrustZone-M with SAU, secure/non-secure partitioning
  • Secure Boot: Verified boot chain, root of trust
  • SBSFU (Secure Boot and Secure Firmware Update): ST middleware for OTA updates

Option Bytes

  • RDP level configuration
  • WRP sector selection
  • BOR (Brown-Out Reset) level
  • nBOOT and boot source configuration
  • Watchdog configuration (hardware/software)
  • User option bytes

Where to Find This Information

Reference Manual - Flash Protection

Glob pattern: docs/reference-manual/*.pdf

  1. Read pages 1-5 (ToC) to find the "Flash" chapter (often titled "Embedded Flash memory")
  2. Within the Flash chapter, search for sections titled:
    • "Read protection" or "RDP" (RDP levels and transition rules)
    • "Write protection" or "WRP" (sector/page protection configuration)
    • "PCROP" or "Proprietary code" (if available on the family)
  3. Also find the "Option bytes" section (sometimes a separate chapter, sometimes within Flash)
    • Contains register descriptions for FLASH_OPTCR, FLASH_OPTCR1
    • Shows which bits control which protection feature

Reference Manual - Firewall/TrustZone

  1. Search ToC for "Firewall" chapter (L0/L4 families)
  2. Search ToC for "TrustZone" or "SAU" or "GTZC" (L5/U5/H5)
  3. These are separate chapters with their own register descriptions

Security Documents

Glob pattern: docs/security-docs/*.pdf

  1. Glob the folder to list available security documents
  2. Classify each document by type:
    • Security Bulletins: vulnerability disclosures and patches
    • Security Advisories: recommended security configurations
    • Security Targets: formal security evaluation documents
    • Security Guidance: best practices for secure development

Extraction Process

  1. Glob docs/reference-manual/*.pdf
  2. Read ToC (pages 1-5) to find Flash chapter and Option bytes section
  3. Read the Flash protection sections (RDP, WRP, PCROP)
  4. Read the Option bytes register descriptions
  5. Check for Firewall or TrustZone chapters
  6. Glob docs/security-docs/*.pdf for additional security documentation
  7. Compile into security feature profile
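The ToC scan in steps 1-3 above, as an added example (not part of this skill or of any ST tooling): it takes the text of the ToC pages as any PDF text extractor would return it, finds the top-level chapter whose title mentions Flash, and maps the RDP, WRP, PCROP and Option bytes sections to the page range to read. The ToC excerpt, its section numbers and page numbers are constructed for illustration and do not correspond to a real manual.

```python
"""Locate the Flash protection sections of an STM32 reference manual from its ToC text."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: a ToC excerpt in the "<section> <title> . . . <page>" layout.
# Section numbers and pages are made up and do not match any real manual.
SAMPLE_TOC = """\
2 System and memory overview . . . . . . . . . . . . . . 55
3 Embedded Flash memory interface . . . . . . . . . . . . 71
3.1 Introduction . . . . . . . . . . . . . . . . . . . . 71
3.6 Option bytes . . . . . . . . . . . . . . . . . . . . 88
3.7 Flash memory protection . . . . . . . . . . . . . . . 93
3.7.1 Read protection (RDP) . . . . . . . . . . . . . . . 93
3.7.2 Write protection (WRP) . . . . . . . . . . . . . . . 96
3.7.3 Proprietary code readout protection (PCROP) . . . . 97
3.8 FLASH registers . . . . . . . . . . . . . . . . . . . 99
4 CRC calculation unit . . . . . . . . . . . . . . . . . 105
"""

# "3.7.1 Read protection (RDP) . . . . 93" -> ("3.7.1", "Read protection (RDP)", 93)
_TOC_LINE = re.compile(r"^\s*(\d+(?:\.\d+)*)\s+(.+?)\s*(?:\.\s*){2,}(\d+)\s*$")

# The section titles the procedure above searches for, per feature
SECTION_KEYWORDS = {
    "RDP": ("read protection", "rdp"),
    "WRP": ("write protection", "wrp"),
    "PCROP": ("pcrop", "proprietary code"),
    "Option bytes": ("option byte",),
}

ToCEntry = Tuple[str, str, int]  # (section number, title, start page)


def parse_toc(text: str) -> List[ToCEntry]:
    """Turn ToC text into (section, title, page) tuples; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = _TOC_LINE.match(line)
        if m:
            entries.append((m.group(1), m.group(2).strip(), int(m.group(3))))
    return entries


def find_flash_chapter(entries: List[ToCEntry]) -> Optional[str]:
    """Return the number of the first top-level chapter whose title mentions Flash."""
    for number, title, _ in entries:
        if "." not in number and "flash" in title.lower():
            return number
    return None


def locate_security_sections(entries: List[ToCEntry], chapter: str) -> Dict[str, dict]:
    """Map each feature to its section inside `chapter`, with the page range to read.

    The end page is the start page of the following ToC entry, so a reader
    can pull exactly the pages that cover the section.
    """
    found: Dict[str, dict] = {}
    for i, (number, title, page) in enumerate(entries):
        if not number.startswith(chapter + "."):
            continue  # only sections of the Flash chapter
        lowered = title.lower()
        for feature, keywords in SECTION_KEYWORDS.items():
            if feature not in found and any(k in lowered for k in keywords):
                end = entries[i + 1][2] if i + 1 < len(entries) else page
                found[feature] = {"section": number, "title": title, "pages": (page, end)}
    return found


def security_section_map(toc_text: str) -> Dict[str, dict]:
    """Full pipeline: ToC text -> {feature: {section, title, pages}}; empty if no Flash chapter."""
    entries = parse_toc(toc_text)
    chapter = find_flash_chapter(entries)
    if chapter is None:
        return {}
    return locate_security_sections(entries, chapter)


if __name__ == "__main__":
    for feature, info in security_section_map(SAMPLE_TOC).items():
        start, end = info["pages"]
        print(f"{feature:12s} {info['section']:7s} {info['title']:45s} pages {start}-{end}")
```

Feed `security_section_map` the concatenated text of pages 1-5 and read each returned page range instead of the whole Flash chapter; a missing key (for example no PCROP entry) tells you the feature is not documented for that family, which is itself a finding for the profile.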

Key Concepts

RDP Level Transitions

  • Level 0 -> 1: Reversible (debug access restricted, Flash protected during debug)
  • Level 1 -> 0: Reversible BUT triggers mass erase of entire Flash
  • Level 1 -> 2: IRREVERSIBLE. No debug access ever. No way to reprogram via debug. Only bootloader or application can update firmware.

PCROP vs WRP

  • WRP prevents writes to protected sectors (against accidental corruption)
  • PCROP prevents reads of protected sectors (intellectual property protection). Code in PCROP regions can execute but cannot be read by DMA, debugger, or code in other sectors.

Option Bytes Programming

Option bytes are in a special Flash region. Modifying them requires:

  1. Unlock Flash (FLASH_KEYR sequence)
  2. Unlock option bytes (FLASH_OPTKEYR sequence)
  3. Modify option bytes
  4. Trigger option byte reload (OBL_LAUNCH) or system reset
  5. New option bytes take effect after reset

Output Format

## Security Profile

**RDP Level**: 0 (unprotected) / 1 (read protection) / 2 (permanent)
**WRP**: Sectors [list] write-protected
**PCROP**: [Available/Not available] - Sectors [list] if configured
**Firewall**: [Available/Not available] - [configuration if available]
**TrustZone**: [Available/Not available] - [secure/non-secure partition if available]
**Secure Boot**: [SBSFU available/custom]

**Option Bytes Register**: FLASH_OPTCR at [address]
- RDP bits: [bit positions]
- WRP bits: [bit positions]
- BOR level: [bit positions]
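An added example (not part of this skill) that ties the RDP transition rules above to the Output Format: it decodes a FLASH_OPTCR value read back from a device into the profile fields and evaluates a requested RDP change for mass erase or irreversibility. The bit layout, the 0xAA/0xCC RDP encoding and the 0x0FFFAAED reset value used in the comments are assumed to be the STM32F4xx FLASH_OPTCR ones; other families keep the same fields in differently named registers (for example FLASH_OPTR), so take the positions from the register description you extracted.

```python
"""Decode a FLASH_OPTCR value into the security profile and check RDP transitions."""
from typing import Dict

# Assumed STM32F4xx FLASH_OPTCR layout (verify against the extracted register description):
#   bit 0      OPTLOCK          bit 1       OPTSTRT
#   bits 3:2   BOR_LEV          bit 5       WDG_SW (1 = software watchdog)
#   bits 15:8  RDP              bits 27:16  nWRP (one bit per sector, 0 = write-protected)
RDP_LEVEL0 = 0xAA   # RDP byte value for level 0
RDP_LEVEL2 = 0xCC   # RDP byte value for level 2; any other value means level 1
N_WRP_SECTORS = 12  # nWRP width assumed for this layout

BOR_LEVELS = {0b00: "BOR level 3 (highest)", 0b01: "BOR level 2",
              0b10: "BOR level 1", 0b11: "BOR off"}


def rdp_level(rdp_byte: int) -> int:
    """Map the RDP option byte to a level using the 0xAA / 0xCC encoding."""
    if rdp_byte == RDP_LEVEL0:
        return 0
    if rdp_byte == RDP_LEVEL2:
        return 2
    return 1


def decode_optcr(value: int) -> Dict[str, object]:
    """Split FLASH_OPTCR into the fields the security profile reports."""
    nwrp = (value >> 16) & ((1 << N_WRP_SECTORS) - 1)
    protected = [s for s in range(N_WRP_SECTORS) if not (nwrp >> s) & 1]
    return {
        "rdp_level": rdp_level((value >> 8) & 0xFF),
        "wrp_sectors": protected,
        "bor_level": BOR_LEVELS[(value >> 2) & 0b11],
        "wdg_sw": bool((value >> 5) & 1),
        "optlock": bool(value & 1),
    }


def rdp_transition(current: int, target: int) -> Dict[str, object]:
    """Apply the RDP transition rules: reversible, mass-erase, or irreversible."""
    if current == 2:
        # Level 2 is permanent: no further option-byte change is accepted.
        return {"allowed": target == 2, "mass_erase": False, "irreversible": True}
    if current == target:
        return {"allowed": True, "mass_erase": False, "irreversible": False}
    if target == 0:
        # Regressing level 1 -> 0 erases the entire Flash.
        return {"allowed": True, "mass_erase": True, "irreversible": False}
    if target == 2:
        # Entering level 2 can never be undone.
        return {"allowed": True, "mass_erase": False, "irreversible": True}
    return {"allowed": True, "mass_erase": False, "irreversible": False}  # 0 -> 1


def security_profile(value: int) -> str:
    """Render the decoded register in the Output Format used by this skill."""
    f = decode_optcr(value)
    names = {0: "0 (unprotected)", 1: "1 (read protection)", 2: "2 (permanent)"}
    wrp = ", ".join(str(s) for s in f["wrp_sectors"]) or "none"
    return "\n".join([
        "## Security Profile",
        "",
        f"**RDP Level**: {names[f['rdp_level']]}",
        f"**WRP**: Sectors [{wrp}] write-protected",
        f"**BOR level**: {f['bor_level']}",
        f"**Watchdog**: {'software' if f['wdg_sw'] else 'hardware'}",
    ])


if __name__ == "__main__":
    # Constructed register value: RDP byte 0x55 (level 1), sectors 0 and 1
    # write-protected, BOR level 2, software watchdog, option bytes locked.
    sample = (0xFFC << 16) | (0x55 << 8) | (1 << 5) | (0b01 << 2) | 1
    print(security_profile(sample))
    print("level 1 -> 0:", rdp_transition(1, 0))
    print("level 1 -> 2:", rdp_transition(1, 2))
```

Run `rdp_transition` before any option-byte change in a provisioning script: a result with `mass_erase` set means the device's firmware is about to be wiped, and `irreversible` set means there is no recovery path through the debugger afterwards.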

Additional Resources

  • references/security-extraction-guide.md - Per-family security feature availability matrix, RDP state diagrams, option byte register layouts