Advanced Hardware Security Integration (HSM / TPM / TEE)
OP-TEE, TPM 2.0, and Secure Provisioning on STM32MP1. From Trusted Applications to PKCS#11 and secure production.
About the Course
The terms HSM, TPM, and TEE are often confused or used interchangeably — leading to incorrect architectural decisions. This training precisely defines the role of each technology in the context of the STM32MP1 platform:
| Technology | Role in STM32MP1 |
|---|---|
| TEE (OP-TEE) | Trusted Execution Environment on the main Cortex-A cores (TrustZone). High throughput for cryptographic operations, with direct access to the on-chip accelerators |
| TPM 2.0 | External, discrete chip with its own certified key storage. Attestation and protection of rarely used keys (device identity, unsealing) |
| HSM (STM32HSM) | Production tool for secure transfer of secrets to the factory (Secure Secret Provisioning, SSP) |
The training shows how to combine these technologies into a hybrid model: TPM protects device identity and boot state, OP-TEE takes over performance-demanding tasks (TLS, encryption), and HSM secures the production process.
🎯 Project Goal: “Hardware-Backed Security”
During the course, we build a complete solution combining all three pillars. Participants will:
✓ Write their own Trusted Application (TA) controlling a hardware resource inaccessible to Linux
✓ Use the CRYP accelerator for AES-GCM encryption from OP-TEE
✓ Integrate an external TPM 2.0 via SPI and configure the TCG stack in Linux
✓ Generate an SSH key in the TPM (PKCS#11): the private key never leaves the chip
✓ Configure dm-crypt with a TPM-sealed key — automatic unlocking at boot
✓ Write secrets to RPMB: secure storage that resists replay attacks
📅 Training Program
DAY 1: The TEE – OP-TEE and Trusted Applications
TrustZone on STM32MP1: How to use the “secure world” to protect keys and execute sensitive operations.
Module 1.1: STM32MP1 Security Architecture
- Comparison of STM32MP15 vs STM32MP13: cores, Crypto IP, certification
- Memory isolation (TZC-400) and peripherals (ETZPC)
- SYSRAM size limits and the OP-TEE pager
Module 1.2: OP-TEE on STM32MP1
- Architecture: OP-TEE Core + Trusted Applications
- Pseudo-TA vs User TA — differences and applications
- TA size optimization in the context of memory constraints
- Lab: OP-TEE compilation and boot log analysis
Module 1.3: Creating Trusted Applications
- TA structure and mandatory Entry Points
- GlobalPlatform TEE Internal Core API and the libutee library
- Lab: “Secure GPIO”: a TA controls a peripheral inaccessible to Linux
Module 1.4: Hardware Acceleration with OP-TEE
- Integration of cryptographic peripherals with OP-TEE
- Keys in CRYP registers — isolation from Linux space
- Lab: Encryption in TA using hardware acceleration
Module 1.5: Secure Storage and RPMB
- Problem of persistent secret storage protected from Linux
- RPMB (Replay Protected Memory Block) — mechanism and Replay Attack protection
- Alternative: REE FS (encrypted objects kept on the Linux filesystem via tee-supplicant) and the trade-off it entails: no protection against rollback by an attacker who controls that filesystem
- Lab: Writing and reading secrets via RPMB
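To make the replay-protection mechanism concrete before the lab, here is an added Python model of the RPMB authenticated write/read exchange. It is example code written for this page, not course material and not OP-TEE or eMMC driver code. Assumptions: the frame layout is reduced to the fields that matter (data, nonce, write counter, address); the 256-bit authentication key is generated at random here, whereas OP-TEE derives it from the hardware unique key and programs it into the eMMC once; the status strings stand in for the numeric RPMB result codes.

```python
"""Toy model of eMMC RPMB authenticated access: every request/response carries
an HMAC-SHA256 under a key programmed once into the eMMC, writes carry a
monotonic write counter, reads carry a host-chosen nonce. Simplified frame
layout; constructed example, not a driver."""
from __future__ import annotations
import hashlib
import hmac
import secrets
from dataclasses import dataclass

BLOCK_SIZE = 256          # RPMB data block size in bytes
NONCE_LEN = 16            # nonce field length in an RPMB frame


@dataclass
class WriteFrame:
    address: int
    write_counter: int
    data: bytes
    mac: bytes


def rpmb_mac(key: bytes, data: bytes, nonce: bytes, write_counter: int, address: int) -> bytes:
    """HMAC-SHA256 over the authenticated fields of a (simplified) RPMB frame."""
    msg = data + nonce + write_counter.to_bytes(4, "big") + address.to_bytes(2, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()


class RpmbDevice:
    """eMMC side: the key is programmed once, the write counter only ever increments."""

    def __init__(self, auth_key: bytes):
        self._key = auth_key
        self.write_counter = 0
        self._blocks: dict[int, bytes] = {}

    def read_write_counter(self) -> int:
        return self.write_counter

    def authenticated_write(self, frame: WriteFrame) -> str:
        if frame.write_counter != self.write_counter:
            return "COUNTER_FAILURE"      # stale or replayed frame: counter already moved on
        expected = rpmb_mac(self._key, frame.data, bytes(NONCE_LEN), frame.write_counter, frame.address)
        if not hmac.compare_digest(expected, frame.mac):
            return "AUTH_FAILURE"         # forged or tampered frame
        self._blocks[frame.address] = frame.data
        self.write_counter += 1           # a successful write consumes the counter value
        return "OK"

    def authenticated_read(self, address: int, nonce: bytes) -> tuple[bytes, bytes]:
        data = self._blocks.get(address, bytes(BLOCK_SIZE))
        return data, rpmb_mac(self._key, data, nonce, 0, address)


class RpmbHost:
    """Host side (on STM32MP1: OP-TEE's RPMB file system, relayed by tee-supplicant)."""

    def __init__(self, auth_key: bytes, dev: RpmbDevice):
        self._key, self._dev = auth_key, dev

    def build_write(self, address: int, data: bytes) -> WriteFrame:
        assert len(data) <= BLOCK_SIZE
        data = data.ljust(BLOCK_SIZE, b"\0")
        counter = self._dev.read_write_counter()       # "read write counter" request
        mac = rpmb_mac(self._key, data, bytes(NONCE_LEN), counter, address)
        return WriteFrame(address, counter, data, mac)

    def write(self, address: int, data: bytes) -> str:
        return self._dev.authenticated_write(self.build_write(address, data))

    def read(self, address: int) -> bytes:
        nonce = secrets.token_bytes(NONCE_LEN)           # fresh nonce defeats replayed read responses
        data, mac = self._dev.authenticated_read(address, nonce)
        if not hmac.compare_digest(mac, rpmb_mac(self._key, data, nonce, 0, address)):
            raise ValueError("RPMB read response failed authentication")
        return data.rstrip(b"\0")


def demo() -> dict:
    """Legitimate writes succeed; a captured frame replayed later and a forged frame are rejected."""
    key = secrets.token_bytes(32)                     # constructed stand-in for the provisioned key
    dev = RpmbDevice(key)
    host = RpmbHost(key, dev)
    captured = host.build_write(0x10, b"device-secret-v1")   # attacker sniffs this frame on the bus
    results = {"first_write": dev.authenticated_write(captured)}
    results["update"] = host.write(0x10, b"device-secret-v2")
    results["replay"] = dev.authenticated_write(captured)   # resending the old frame: counter mismatch
    forged = WriteFrame(0x10, dev.read_write_counter(), b"evil".ljust(BLOCK_SIZE, b"\0"), captured.mac)
    results["forged"] = dev.authenticated_write(forged)     # right counter, wrong MAC
    results["stored"] = host.read(0x10)
    return results
```

The point the model makes: an attacker who can record and replay bus traffic (or restore an old copy of a plain flash partition, which is exactly the REE FS weakness) cannot roll a secret back, because the eMMC binds every write to a counter value it will never accept twice, and cannot forge a write without the key that only OP-TEE holds.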
DAY 2: The TPM & Production – External Anchor and Secure Production
TPM 2.0 as certified key storage. PKCS#11 for applications. Secure Provisioning for the factory.
Module 2.1: TPM 2.0 Integration with STM32MP1
- Communication interfaces: SPI vs I2C — performance and applications
- Device Tree and Linux kernel configuration
- Lab: Connecting a TPM module and verifying operation
Module 2.2: TCG Stack in Linux
- Stack layers: Kernel Driver → Resource Manager → TSS (SAPI/ESAPI/FAPI)
- tpm2-tools utilities: basic operations
- Lab: Reading PCRs, creating a key in the TPM
Module 2.3: PKCS#11 and Application Integration
- Problem: applications (SSH, OpenVPN) don’t know the TSS API
- Solution: tpm2-pkcs11 as an abstraction layer
- Lab: SSH token with the key stored in the TPM
Module 2.4: TPM vs OP-TEE — When to Choose What?
- Comparison: key storage, performance, certification
- Hybrid model — TPM for identity, OP-TEE for performance
- Lab: dm-crypt with TPM-sealed key
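The dm-crypt lab rests on two TPM mechanisms: PCR extend (the boot chain records what it loaded) and sealing to a PCR policy (the TPM releases the disk key only when the live PCR reproduces the policy digest). The following Python block is an added model written for this page, not course code and not tpm2-tools. The PCR extend and TPM2_PolicyPCR digest computations follow the TPM 2.0 specification; the ModelTpm class is a stand-in for the chip (it keeps the sealed secret in a dict instead of wrapping it under the SRK), the boot-image byte strings are constructed, and using PCR 7 is a choice made for the example.

```python
"""Model of measured boot and sealing a dm-crypt key to a PCR policy.
Hashing follows TPM 2.0 Part 3 (TPM2_PCR_Extend, TPM2_PolicyPCR); the TPM
itself is a Python class. Constructed example, not production code."""
import hashlib
from typing import Optional, Sequence

TPM_CC_POLICYPCR = 0x0000017F
TPM_ALG_SHA256 = 0x000B
PCR_INITIAL = bytes(32)      # SHA-256 bank: PCRs 0-16 reset to all-zero at TPM2_Startup


def sha256(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM2_PCR_Extend: PCR_new = H(PCR_old || digest). Order-dependent and one-way."""
    return sha256(pcr, digest)


def pcr_selection(pcr_index: int) -> bytes:
    """Marshalled TPML_PCR_SELECTION selecting one PCR in the SHA-256 bank."""
    select = bytearray(3)
    select[pcr_index // 8] |= 1 << (pcr_index % 8)
    return (1).to_bytes(4, "big") + TPM_ALG_SHA256.to_bytes(2, "big") + b"\x03" + bytes(select)


def policy_pcr_digest(pcr_index: int, pcr_value: bytes) -> bytes:
    """authPolicy produced by TPM2_PolicyPCR on a fresh (trial) session:
    H(0^32 || TPM_CC_PolicyPCR || TPML_PCR_SELECTION || H(selected PCR values))."""
    return sha256(bytes(32), TPM_CC_POLICYPCR.to_bytes(4, "big"),
                  pcr_selection(pcr_index), sha256(pcr_value))


class ModelTpm:
    """Stand-in for the chip: 24 PCRs plus sealed objects gated by their authPolicy."""

    def __init__(self) -> None:
        self.pcrs = [PCR_INITIAL] * 24
        self._objects: dict = {}     # handle -> (authPolicy, secret); a real TPM wraps this under the SRK

    def extend(self, pcr_index: int, digest: bytes) -> None:
        self.pcrs[pcr_index] = pcr_extend(self.pcrs[pcr_index], digest)

    def seal(self, secret: bytes, auth_policy: bytes) -> int:
        """Analogue of tpm2_create -L policy.dat -i key.bin: the object carries the policy."""
        handle = 0x81000000 + len(self._objects)     # hypothetical persistent handle
        self._objects[handle] = (auth_policy, secret)
        return handle

    def unseal(self, handle: int, pcr_index: int) -> bytes:
        """TPM2_Unseal with a PolicyPCR session: the live PCR must reproduce the sealed policy."""
        auth_policy, secret = self._objects[handle]
        if policy_pcr_digest(pcr_index, self.pcrs[pcr_index]) != auth_policy:
            raise PermissionError("TPM_RC_POLICY_FAIL")
        return secret


def measured_boot(tpm: ModelTpm, pcr_index: int, images: Sequence[bytes]) -> None:
    """Each stage hashes the next image and extends the PCR before handing over to it."""
    for image in images:
        tpm.extend(pcr_index, sha256(image))


# Constructed stand-ins for the chain measured on STM32MP1 (TF-A, OP-TEE, U-Boot, kernel image).
GOLDEN_CHAIN = [b"tf-a-bl2 v2.8", b"optee-os 3.19", b"u-boot 2022.10", b"Image+dtb build 42"]
PCR = 7


def expected_pcr(images: Sequence[bytes], pcr_index: int = PCR) -> bytes:
    """Value the PCR will hold after booting `images`; computed offline at provisioning time."""
    ref = ModelTpm()
    measured_boot(ref, pcr_index, images)
    return ref.pcrs[pcr_index]


def boot_and_unseal(images: Sequence[bytes], luks_key: bytes) -> Optional[bytes]:
    """Seal the key against the golden chain, boot `images`, and try to unseal."""
    tpm = ModelTpm()
    handle = tpm.seal(luks_key, policy_pcr_digest(PCR, expected_pcr(GOLDEN_CHAIN)))
    measured_boot(tpm, PCR, images)
    try:
        return tpm.unseal(handle, PCR)      # what the initramfs would pass to cryptsetup
    except PermissionError:
        return None
```

Design note: the key is never compared against the PCR directly; the sealed object carries only a policy digest, and the TPM recomputes that digest from its live PCR during unseal. Swapping the kernel image, or loading the same images in a different order, changes the PCR, hence the digest, hence the unseal fails and the encrypted root stays locked. The same property is what makes a firmware update break automatic unlocking until the key is resealed against the new golden PCR values.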
Module 2.5: Secure Secret Provisioning (SSP)
- Problem: how to upload keys in an untrusted factory?
- STM32HSM-V2 and Secure Firmware Install (SFI) process
- Transition to the “Secured Closed” state: irreversibly disabling the JTAG debug port
- Demonstration: SSP process simulation
Module 2.6: Q&A and Summary
- Target architecture: TPM + OP-TEE + SSP
- Compliance with standards: IEC 62443, GDPR, Cyber Resilience Act
- Consultation on your own projects
💰 Pricing
FULL INTEGRATION (2 Days)
Intensive training covering all three pillars: OP-TEE, TPM 2.0, and Secure Provisioning.
| Scope | Full program (Day 1 + Day 2) |
| Outcome | Working TA + TPM integration + SSP knowledge |
| Price | €900 net / person |
| Min. group | 5 people |
Extended option: For teams requiring deeper immersion in OP-TEE (more TA labs) or TPM (Measured Boot, Remote Attestation) — option to extend to 3 days. Request a quote.
🏆 Why is it worth it?
| Benefit | Description |
|---|---|
| Clear distinction | HSM vs TPM vs TEE — no more confusion and wrong architectural decisions |
| Hybrid model | We show how to combine technologies, not how to choose one over another |
| STM32MP1 specific | ETZPC, TZC-400, CRYP, RPMB — not generic TrustZone considerations |
| Production | SSP and STM32HSM — knowledge essential for moving from prototype to mass production |
🛠️ Requirements
Hardware (provided):
- STM32MP157C-DK2 board (with eMMC for RPMB)
- X-LINUX-TPM module (STPM4RasPI) on SPI
- microSD card, USB Type-C cable
Software:
- Ubuntu 20.04/22.04 LTS
- OpenSTLinux SDK with OP-TEE
- tpm2-tools, tpm2-tss, tpm2-pkcs11
Participant knowledge:
- Secure Boot and Chain of Trust basics (or completed “Secure Boot & Chain of Trust” course)
- Linux basics (shell, compilation)
- Nice to have: C knowledge (for TA labs)
🎁 Hardware stays with participants after the workshop!
Want to reserve a date for your team? Contact me to arrange details. Build a device that can be trusted — in hardware.
Interested in the training?
Contact me to discuss details, customize the program for your team, or schedule a date.