Overview ¶
This package is the STM32 Flexible Crypto Framework (STFCF) middleware provided by STMicroelectronics.
Description ¶
The STM32 Flexible Crypto Framework (STFCF) provides easy access to the cryptographic capabilities offered by STMicroelectronics. It enables experimentation with multiple cryptographic engines and exposes services through the Platform Security Architecture (PSA) Application Programming Interface (API).
The framework supports several cryptographic engines, selectable by configuration:
Hardware acceleration with HAL API (“Mbed TLS Alt HAL”): Using hardware accelerators for cryptographic operations.
STCryptoLib (“Mbed TLS Alt STCryptoLib”): Using software-based cryptographic solutions.
Mbed TLS: Direct implementation of Mbed TLS.
PSA driver Key Wrap Engine (“KWE”): Wrapping, unwrapping, sharing, or generating keys.
Third-party alternatives (“Mbed TLS custom alternative”): Custom configurations combining different cryptographic solutions.
STFCF overall architecture ¶
Below is the STM32 Flexible Crypto Framework architecture:
STFCF architecture ¶
Folder Structure ¶
The following tree describes a simplified view of the main folders and files in the STFCF middleware:
STFCF Folder Structure ¶
The KWE directory contains the Key Wrap Engine (KWE) implementation. It is divided into core/ for core KWE functionality and interface/ for interface definitions related to KWE.
The STFCF middleware folder structure enables modular and flexible integration of multiple cryptographic implementations by providing a common switching interface. This interface separates the hardware abstraction layer (HAL) implementations from the software-optimized STCryptoLib implementations into dedicated header and source files. This separation allows seamless selection and mixing of alternatives per algorithm. Configuration templates and KWE-specific modules support easy customization and extension.
In the HAL implementation, certain algorithms have two types of implementation files, for example aes_aes_hal.c and cryp_aes_hal.c (similarly for CCM and GCM). The choice between CRYP and AES depends on the STM32 MCU used on the board.
The templates folder contains various configuration template files used to customize and generate the middleware configuration.
Main Features ¶
The STFCF middleware integrates multiple cryptographic solutions into a single, cohesive framework. It supports a wide range of STM32 cores and offers extensive configurability to adapt to different use cases.
User Guidance: The framework serves as a helper to guide users in their cryptographic choices, offering a unified interface for various cryptographic implementations.
Promotion of Hardware Alternatives: By leveraging the PSA API, the framework promotes the use of STMicroelectronics’ hardware alternatives, ensuring consistent and optimized performance across different implementations.
The main backbone of the STFCF middleware is the Mbed TLS middleware. The STFCF relies on several external dependencies to provide comprehensive cryptographic services. These dependencies include third-party cryptographic libraries like STCryptoLib or HAL.
Mbed TLS Alt HAL Capabilities: The framework supports Mbed TLS with alternative implementations using HAL (Hardware Abstraction Layer). This enables the use of hardware accelerators for cryptographic operations, enhancing performance and security.
Mbed TLS Alt STCryptoLib Capabilities: The framework also supports Mbed TLS with alternative implementations using STCryptoLib. This provides software-based cryptographic solutions optimized for STM32 microcontrollers.
Key Wrap Engine: The Key Wrap Engine (KWE) is a PSA alternative, implemented as a PSA driver based on the CCB peripheral, to wrap, unwrap, share, and generate keys. Application code should never handle the keys directly.
Note
The PSA Cryptography API is a standard by ARM. See the Platform Security Architecture.
See Also ¶
More information about the STM32 ecosystem can be found in the STM32 MCU Developer Zone.