<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
  <meta charset="utf-8" />
  <meta name="generator" content="pandoc" />
  <meta name="viewport" content="width=device-width, initial-scale=1.0, user-scalable=yes" />
  <title>Release Notes for STM32 Key Management Services</title>
  <style>
      code{white-space: pre-wrap;}
      span.smallcaps{font-variant: small-caps;}
      span.underline{text-decoration: underline;}
      div.column{display: inline-block; vertical-align: top; width: 50%;}
  </style>
  <link rel="stylesheet" href="_htmresc/mini-st_2020.css" />
  <!--[if lt IE 9]>
    <script src="//cdnjs.cloudflare.com/ajax/libs/html5shiv/3.7.3/html5shiv-printshiv.min.js"></script>
  <![endif]-->
  <link rel="icon" type="image/x-icon" href="_htmresc/favicon.png" />
</head>
<body>
<div class="row">
<div class="col-sm-12 col-lg-4">
<center>
<h1 id="release-notes-for-stm32-key-management-services">Release Notes for <strong>STM32 Key Management Services</strong></h1>
<p>Copyright © 2019 STMicroelectronics<br />
</p>
<a href="https://www.st.com" class="logo"><img src="_htmresc/st_logo_2020.png" alt="ST logo" /></a>
</center>
<h1 id="purpose">Purpose</h1>
<p>Key Management Services (KMS) provides cryptographic services through <a href="http://docs.oasis-open.org/pkcs11/pkcs11-base/v2.40/os/pkcs11-base-v2.40-errata01-os-complete.html%3E">the standard PKCS#11 APIs (developed by OASIS)</a> allowing to abstract the key value to the caller (using object ID and not directly the key value). KMS can be executed inside a protected/isolated environment in order to ensure that key value can’t be accessed by an unauthorized code running outside the protected/isolated environment.</p>
<p><br />
The figure below shows the overall KMS architecture.</p>
<figure>
<img src="_htmresc/KMS.png" alt="" /><figcaption>KMS overview</figcaption>
</figure>
<p>KMS manages 3 types of keys:<br />
</p>
<ul>
<li>Static embedded keys :<br />

<ul>
<li>Predefined keys embedded within the code that can’t be modified<br />
</li>
<li>Unmutable keys<br />
</li>
</ul></li>
<li>Updatable keys with static ID :<br />

<ul>
<li>Keys IDs are predefined in the system<br />
</li>
<li>Key(s) can be injected or updated in a NVM storage via a secure procedure using Static Embedded Keys(authenticity check, data integrity check and data decryption)<br />
</li>
<li>Key can’t be deleted<br />
</li>
<li>Provisionnable keys<br />
</li>
</ul></li>
<li>Updatable keys with dynamic ID :<br />

<ul>
<li>Keys IDs are defined when keys are created using KMS services<br />
</li>
<li>Key value can be updated using KMS services<br />
</li>
<li>Key can be deleted<br />
</li>
<li>Runtime keys<br />
</li>
</ul></li>
</ul>
<p>KMS supports this subset of PKCS#11 APIs:<br />
</p>
<ul>
<li>Object management functions: creation / update / deletion / search<br />
</li>
<li>AES Encrypt &amp; Decrypt functions<br />
</li>
<li>SHA Digest functions<br />
</li>
<li>RSA Sign / Verify functions<br />
</li>
<li>ECDSA Verify functions<br />
</li>
<li>ECC key pair generation<br />
</li>
<li>ECDH key derivation<br />
</li>
</ul>
<p><br />
For more details, refer to <a href="https://www.st.com/st-web-ui/static/active/en/resource/technical/document/user_manual/DM00414687.pdf">UM2262</a> : Getting started with X-CUBE-SBSFU expansion package, Chapter 4.</p>
</div>
<div class="col-sm-12 col-lg-8">
<h1 id="update-history">Update History</h1>
<div class="collapse">
<input type="checkbox" id="collapse-section11" checked aria-hidden="true"> <label for="collapse-section11" aria-hidden="true"><strong>v1.1.9 / 20-June-2022</strong></label>
<div>
<h2 id="main-changes">Main Changes</h2>
<ul>
<li><p>New features in this release are :</p>
<ul>
<li><p>Secure counters<br />
</p></li>
<li><p>Give possibility to encrypt the blob objects in NVM<br />
</p></li>
</ul></li>
<li><p>CHM documentation updated<br />
</p></li>
</ul>
<h2 id="known-limitations">Known Limitations</h2>
<ul>
<li>None</li>
</ul>
<h2 id="backward-compatibility">Backward Compatibility</h2>
<p>Compatibility with v1.1.8</p>
</div>
</div>
<div class="collapse">
<input type="checkbox" id="collapse-section10" aria-hidden="true"> <label for="collapse-section10" aria-hidden="true"><strong>v1.1.8 / 10-December-2021</strong></label>
<div>
<h2 id="main-changes-1">Main Changes</h2>
<ul>
<li>Update LICENSE file for Key Management Services middleware (Software license agreement description)</li>
</ul>
<h2 id="known-limitations-1">Known Limitations</h2>
<ul>
<li>None</li>
</ul>
<h2 id="backward-compatibility-1">Backward Compatibility</h2>
<p>Compatibility with v1.1.7</p>
</div>
</div>
<div class="collapse">
<input type="checkbox" id="collapse-section9" aria-hidden="true"> <label for="collapse-section9" aria-hidden="true"><strong>v1.1.7 / 25-June-2021</strong></label>
<div>
<h2 id="main-changes-2">Main Changes</h2>
<ul>
<li>Create LICENSE file for Key Management Services middleware (Software license agreement description)</li>
</ul>
<h2 id="known-limitations-2">Known Limitations</h2>
<ul>
<li>None</li>
</ul>
<h2 id="backward-compatibility-2">Backward Compatibility</h2>
<p>Compatibility with v1.1.6</p>
</div>
</div>
<div class="collapse">
<input type="checkbox" id="collapse-section8" aria-hidden="true"> <label for="collapse-section8" aria-hidden="true"><strong>v1.1.6 / 20-May-2021</strong></label>
<div>
<h2 id="main-changes-3">Main Changes</h2>
<ul>
<li><p>Give possibility to derivate keys in RAM instead of NVM</p></li>
<li><p>Locked objects are no more accessible by searches</p></li>
</ul>
<h2 id="known-limitations-3">Known Limitations</h2>
<ul>
<li>None</li>
</ul>
<h2 id="backward-compatibility-3">Backward Compatibility</h2>
<p>Break of compatibility with v1.1.5</p>
</div>
</div>
<div class="collapse">
<input type="checkbox" id="collapse-section7" aria-hidden="true"> <label for="collapse-section7" aria-hidden="true"><strong>v1.1.5 / 4-September-2020</strong></label>
<div>
<h2 id="main-changes-4">Main Changes</h2>
<ul>
<li>Minor fix for build issues</li>
</ul>
<h2 id="known-limitations-4">Known Limitations</h2>
<ul>
<li>None</li>
</ul>
<h2 id="backward-compatibility-4">Backward Compatibility</h2>
<ul>
<li>Fully compatible with previous version</li>
</ul>
</div>
</div>
<div class="collapse">
<input type="checkbox" id="collapse-section6" aria-hidden="true"> <label for="collapse-section6" aria-hidden="true"><strong>v1.1.4 / 24-July-2020</strong></label>
<div>
<h2 id="main-changes-5">Main Changes</h2>
<ul>
<li>CHM documentation updated<br />
</li>
</ul>
<h2 id="known-limitations-5">Known Limitations</h2>
<ul>
<li>None</li>
</ul>
<h2 id="backward-compatibility-5">Backward Compatibility</h2>
<ul>
<li>Fully compatible with previous version</li>
</ul>
</div>
</div>
<div class="collapse">
<input type="checkbox" id="collapse-section5" aria-hidden="true"> <label for="collapse-section5" aria-hidden="true"><strong>v1.1.3 / 2-July-2020</strong></label>
<div>
<h2 id="main-changes-6">Main Changes</h2>
<ul>
<li>Warnings issues fixes<br />
</li>
</ul>
<h2 id="known-limitations-6">Known Limitations</h2>
<ul>
<li>None</li>
</ul>
<h2 id="backward-compatibility-6">Backward Compatibility</h2>
<ul>
<li>Fully compatible with previous version</li>
</ul>
</div>
</div>
<div class="collapse">
<input type="checkbox" id="collapse-section4" aria-hidden="true"> <label for="collapse-section4" aria-hidden="true"><strong>v1.1.2 / 1-July-2020</strong></label>
<div>
<h2 id="main-changes-7">Main Changes</h2>
<ul>
<li><p>Configuration switch placement review<br />
</p></li>
<li><p>Warnings and spelling issues fixes<br />
</p></li>
</ul>
<h2 id="known-limitations-7">Known Limitations</h2>
<ul>
<li>None</li>
</ul>
<h2 id="backward-compatibility-7">Backward Compatibility</h2>
<ul>
<li>Fully compatible with previous version</li>
</ul>
</div>
</div>
<div class="collapse">
<input type="checkbox" id="collapse-section3" aria-hidden="true"> <label for="collapse-section3" aria-hidden="true"><strong>v1.1.1 / 12-June-2020</strong></label>
<div>
<h2 id="main-changes-8">Main Changes</h2>
<ul>
<li><p>C_STM_ImportBlob update to specify blob download area<br />
</p></li>
<li><p>Allow multiple C_Initialize and C_Finalize imbricated calls<br />
</p></li>
</ul>
<h2 id="known-limitations-8">Known Limitations</h2>
<ul>
<li>None</li>
</ul>
<h2 id="backward-compatibility-8">Backward Compatibility</h2>
<ul>
<li>Break of compatibility with V1.1.0 (New parameter C_STM_ImportBlob)</li>
</ul>
</div>
</div>
<div class="collapse">
<input type="checkbox" id="collapse-section2" aria-hidden="true"> <label for="collapse-section2" aria-hidden="true"><strong>v1.1.0 / 11-May-2020</strong></label>
<div>
<h2 id="main-changes-9">Main Changes</h2>
<ul>
<li><p>New features and improvements introduced in this release are :</p>
<ul>
<li><p>Object search<br />
</p></li>
<li><p>ECC key pair generation<br />
</p></li>
<li><p>ECDH key derivation<br />
</p></li>
<li><p>Memory management improved (introduction of different allocators)<br />
</p></li>
<li><p>Lock keys and services vendor APIs<br />
</p></li>
<li><p>iKMS/niKMS folders replaces tKMS one<br />
</p>
<ul>
<li>Use iKMS when caller is isolated from KMS by a secure enclave<br />
</li>
<li>Use niKMS when caller is not isolated from KMS by a secure enclave<br />
</li>
</ul></li>
<li><p>MPU isolation support in iKMS<br />
</p></li>
<li><p>kms_config.h redesign (better scalability and config build time check)<br />
</p></li>
</ul></li>
<li><p>Bug fixes</p>
<ul>
<li>AES CMAC moved to Sign/Verify services<br />
</li>
<li>Secure enforcement when using KMS in a secure enclave<br />
</li>
<li>PKCS#11 compliance (returned value, parameters handling…)<br />
</li>
</ul></li>
</ul>
<h2 id="known-limitations-9">Known Limitations</h2>
<ul>
<li>None</li>
</ul>
<h2 id="backward-compatibility-9">Backward Compatibility</h2>
<ul>
<li>Break of compatibility with V1.0.0</li>
</ul>
</div>
</div>
<div class="collapse">
<input type="checkbox" id="collapse-section1" aria-hidden="true"> <label for="collapse-section1" aria-hidden="true"><strong>v1.0.0 / 13-July-2019</strong></label>
<div>
<h2 id="main-changes-10">Main Changes</h2>
<h3 id="first-official-release">First official release</h3>
<p>Official delivery of Key Management Services for STM32 series, compliant with PKCS#11 APIs from OASIS.</p>
<h2 id="known-limitations-10">Known Limitations</h2>
<p>None</p>
</div>
</div>
</div>
</div>
<footer class="sticky">
For complete documentation on <strong>Security framework for STM32 series</strong>, visit: <a href="https://www.st.com/stm32trust">STM32Trust</a>
</footer>
</body>
</html>