This guide covers hardware and software methods for encrypting and decrypting firmware in microcontrollers (STM32, PIC, AVR, ESP32, etc.), including security best practices and attack mitigation.

1. Why Encrypt MCU Firmware?

2. Hardware-Based Encryption
A. Built-in MCU Security Features

STM32 Read Protection (RDP)

• Level 0: No protection (default)
• Level 1: Flash read disabled (JTAG/SWD locked)
• Level 2: Irreversible bricking if tampered

How to enable:

c
// In STM32CubeIDE (or via ST-Link CLI)
HAL_FLASH_OB_Unlock();
FLASH_OBProgramInitTypeDef OB_Config;
OB_Config.OptionType = OPTIONBYTE_RDP;
OB_Config.RDPLevel = OB_RDP_LEVEL_1;
HAL_FLASHEx_OBProgram(&OB_Config);
HAL_FLASH_OB_Lock();

B. External Secure Elements

Example: AES-128 Encryption with ATECC608A

c
uint8_t plaintext[16] = "Hello MCU!";
uint8_t key[16] = {0x2B, 0x7E, 0x15, ... }; // AES-128 key
uint8_t ciphertext[16];

ATECC608A_Encrypt(key, plaintext, ciphertext); // Uses I2C

3. Software-Based Encryption
A. Symmetric Encryption (AES)
Best for real-time decryption in resource-constrained MCUs.

STM32 Hardware AES (CRYP peripheral)

c
// STM32Cube HAL Example
AES_HandleTypeDef haes;
haes.Init.DataType = AES_DATATYPE_8B;
haes.Init.KeySize = AES_KEYSIZE_128;
HAL_CRYP_Init(&haes);

uint8_t key[16] = "..."; // 128-bit key
uint8_t plaintext[16] = "Encrypt this!";
uint8_t ciphertext[16];

HAL_CRYP_AESECB_Encrypt(&haes, plaintext, 16, ciphertext, HAL_MAX_DELAY);

B. Asymmetric Encryption (RSA/ECC)
Used for secure boot and key exchange.

• RSA-2048: Slow (~1 sec on Cortex-M4)
• ECC P-256: Faster than RSA

Example: ECDSA Signature Verification

c
// Using MbedTLS on STM32
mbedtls_ecdsa_context ctx;
mbedtls_ecdsa_init(&ctx);
mbedtls_ecp_group_load(&ctx.grp, MBEDTLS_ECP_DP_SECP256R1);

mbedtls_ecdsa_verify(&ctx.grp, hash, sig, &ctx.Q);

4. Firmware Decryption Methods (Attack Vectors)
A. Side-Channel Attacks

B. Fault Injection

• Clock Glitching → Reset MCU during secure boot
• Laser Fault Injection → Bypass password checks

Mitigation:

• Enable Tamper Protection (STM32 RDP Level 2)
• Use Secure Bootloaders

C. JTAG/SWD Exploitation

• Disable Debug Ports (STM32 RDP=1)
• Use Secure Firmware Updates (Signed DFU)

5. Secure Boot Implementation
A. STM32 Secure Boot (TrustZone)

1. Enable TrustZone in STM32CubeMX

2. Sign Firmware with ECDSA

bash
openssl ecparam -genkey -name prime256v1 -noout -out priv.key
openssl dgst -sha256 -sign priv.key firmware.bin > firmware.sig

3. Verify Signature in Bootloader

B. ESP32 Secure Boot

bash
# Enable Secure Boot in ESP-IDF
idf.py secure-boot enable
idf.py flash

6. Best Practices

1. Never Store Keys in Flash → Use OTP (One-Time Programmable) memory
2. Use Randomized Nonces → Prevent replay attacks
3. Secure Firmware Updates → Encrypted + Signed OTA
4. Disable Unused Peripherals → Reduce attack surface

7. Tools for MCU Security Testing

Conclusion

Next Steps:

• Try STM32 TrustZone for secure/non-secure partitions
• Implement AES-256 + Secure Boot on ESP32
• Test your MCU with ChipWhisperer