Question about the STM32 dual-bank boot mechanism for software updates and Level 2 read-out protection
Dual-bank boot is a robust way to do field firmware updates on STM32 devices, and the concern about Level 2 read-out protection (RDP) is the right one to raise: RDP level 2 freezes the option bytes, and the hardware bank switch lives in the option bytes. Breaking this down:
Is Dual-Bank Boot Suitable for Field Updates?
Yes. It is one of the more reliable approaches to in-field firmware updates on STM32, and dual-bank Flash is available on the larger members of several families (for example STM32F4, F7, H7 and L4; check the reference manual for the specific part, since bank size and the name of the bank-selection option bit differ between families). Why it makes sense:
- No downtime during the download: the active firmware keeps running from Bank 1 while the new image is written to, and validated in, Bank 2 (ST numbers the two banks 1 and 2).
- Fail-safe rollback: if the new image is corrupted or fails validation, the device simply keeps booting from the original bank instead of being bricked. Validate the image on every boot, not only once after the download, so that an image which programmed correctly but crashes at startup can be rolled back as well.
- Simplified update flow: dual-bank parts select the boot bank through a single option bit (BFB2 on STM32F4/L4, SWAP_BANK on STM32H7, for instance), so the bank switch needs no custom relocation logic. A small bootloader that validates the image (a CRC at minimum, a signature check if unauthorised firmware is a concern) and then performs the switch is still recommended.
Can You Switch Banks With Level 2 Read Protection Enabled?
Short answer: no, not through the option bytes. The critical detail:
RDP level 2 is the highest read-protection level on STM32 Flash. Once it is set, the debug port (JTAG/SWD) is permanently disabled, booting from SRAM or from the system bootloader is blocked, and the option bytes are frozen: neither user code nor any external tool can modify them again. Because the boot-bank selection (BFB2 / SWAP_BANK) is an option bit, the hardware bank swap can never be changed after level 2 is set. Two further points are easy to get wrong:
- Level 2 is irreversible on the classic families (F0/F1/F2/F3/F4/F7/L0/L1/L4/G0/G4/H7). A mass erase does not bring the device back to level 0; only level 1 can be regressed to level 0, and that regression is what triggers the mass erase. A few recent families add an OEM-key (password) regression mechanism; on the classic families there is no way back.
- Level 2 does not stop the application from programming or erasing Flash. Code running from Flash can still write the other bank, so field updates remain possible; what is lost is the option-byte bank swap, not the ability to update.
Key Details About STM32 RDP Levels
To clarify the differences and help you choose the right level for production:
- RDP Level 0: no read protection. Flash can be read through the debug interface (JTAG/SWD) and from any boot mode. Fine for development, never for production.
- RDP Level 1: Flash becomes inaccessible whenever a debugger is connected or the device boots from SRAM or the system bootloader, which prevents firmware dumping through the debug port. Code running from Flash can read, program and erase Flash, and the option bytes (including the boot-bank selection) can still be modified. This is the usual choice for production devices that rely on the hardware bank swap. The caveat: anyone with debug access can regress level 1 to level 0, which mass-erases the Flash and then allows arbitrary code to be loaded, so level 1 protects the confidentiality of the image but does not stop an attacker from repurposing the device.
- RDP Level 2: the debug port is disabled permanently, boot from SRAM and system memory is disabled, and the option bytes are frozen; the setting cannot be regressed. User code keeps full read and write access to Flash, so in-field updates are still possible, but only through a bootloader that performs the image selection itself rather than through the option-byte bank swap. Choose it when you need firmware confidentiality and tamper resistance for the device lifetime and can accept that the debug port and the option bytes are gone for good.
Final Recommendation
If you want the hardware bank swap (changing BFB2 / SWAP_BANK from the running firmware), stay at RDP level 1 in production; dual-bank boot then works as described and you can switch banks as needed, with the caveat above that level 1 can be regressed through the debug port. If the product needs level 2, keep a small bootloader at the start of Bank 1 that never changes, treat the rest of Bank 1 and all of Bank 2 as two application slots, and have the bootloader validate both slots and jump to the best one on every boot. That design needs no option-byte change, so it works at any RDP level, and it is also the natural place for image authentication (a signature check, not just a CRC).
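As an added example (not part of the original answer and not ST's code): the software-side bank selection a bootloader performs when the option-byte bank swap is unavailable, as it is under RDP level 2. The image header format, the "IMG1" magic, the bank sizes and the assumption that the vector table follows the header are illustrative choices, not ST's format. The header check and CRC-32 are plain C and run on a host; the final hand-off to the chosen image is Cortex-M specific and is compiled only on that target.

```c
/* Software bank selection for a dual-image STM32 layout (added example).
 * Assumed layout: each bank starts with img_header_t, followed by the
 * application's vector table and code. The CRC covers the payload only. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define IMG_MAGIC      0x494D4731u     /* "IMG1", an assumed marker */
#define BANK_COUNT     2
#define MAX_IMAGE_SIZE (512u * 1024u)  /* assumed bank size */

typedef struct {
    uint32_t magic;
    uint32_t version;   /* monotonically increasing build number */
    uint32_t size;      /* payload bytes following the header */
    uint32_t crc;       /* CRC-32 (IEEE 802.3, same as zlib crc32) of the payload */
} img_header_t;

/* Bitwise reflected CRC-32, polynomial 0xEDB88320, init and final xor 0xFFFFFFFF. */
uint32_t crc32_ieee(const uint8_t *data, size_t len)
{
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= data[i];
        for (int b = 0; b < 8; b++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return crc ^ 0xFFFFFFFFu;
}

/* What the build pipeline does: write header + payload into a bank buffer.
 * Returns 1 on success, 0 if the payload does not fit the bank. */
int build_image(uint8_t *bank, size_t bank_len, uint32_t version,
                const uint8_t *payload, size_t n)
{
    if (n == 0 || n > MAX_IMAGE_SIZE || bank_len < sizeof(img_header_t) + n) return 0;
    img_header_t h = { IMG_MAGIC, version, (uint32_t)n, crc32_ieee(payload, n) };
    memcpy(bank, &h, sizeof h);
    memcpy(bank + sizeof h, payload, n);
    return 1;
}

/* 1 if the bank holds a structurally sane image whose payload CRC matches.
 * Every size check runs before the CRC so a garbage header cannot drive
 * the CRC loop past the end of the bank. */
int image_is_valid(const uint8_t *bank, size_t bank_len)
{
    img_header_t h;
    if (bank_len < sizeof h) return 0;
    memcpy(&h, bank, sizeof h);        /* copy out: avoids unaligned access */
    if (h.magic != IMG_MAGIC) return 0;
    if (h.size == 0 || h.size > MAX_IMAGE_SIZE) return 0;
    if (h.size > bank_len - sizeof h) return 0;
    return crc32_ieee(bank + sizeof h, h.size) == h.crc;
}

/* Pick the bank to boot: the valid image with the highest version.
 * Returns -1 when neither bank is valid; the bootloader must then stay in
 * recovery mode instead of jumping into garbage. */
int select_boot_bank(const uint8_t *const banks[BANK_COUNT], const size_t lens[BANK_COUNT])
{
    int best = -1;
    uint32_t best_ver = 0;
    for (int i = 0; i < BANK_COUNT; i++) {
        if (!image_is_valid(banks[i], lens[i])) continue;
        img_header_t h;
        memcpy(&h, banks[i], sizeof h);
        if (best < 0 || h.version > best_ver) { best = i; best_ver = h.version; }
    }
    return best;
}

#if defined(__ARM_ARCH_PROFILE) && __ARM_ARCH_PROFILE == 'M'
/* Cortex-M hand-off: vector table assumed to start right after the header.
 * VTOR needs an aligned table (128 bytes minimum, 512 on parts with many
 * IRQs), so place the header so that the table lands on that boundary. */
#define SCB_VTOR (*(volatile uint32_t *)0xE000ED08u)
static void __attribute__((noreturn)) jump_to_image(uint32_t base)
{
    uint32_t vt = base + sizeof(img_header_t);
    uint32_t sp = *(volatile uint32_t *)vt;         /* initial MSP */
    uint32_t pc = *(volatile uint32_t *)(vt + 4);   /* reset handler */
    __asm volatile("cpsid i");
    SCB_VTOR = vt;
    __asm volatile("msr msp, %0" :: "r"(sp));
    ((void (*)(void))pc)();
    for (;;) {}
}
#endif

int main(void)
{
    static uint8_t bank1[64], bank2[64];   /* constructed stand-ins for the two Flash banks */
    const uint8_t old_fw[] = "app build 41", new_fw[] = "app build 42";
    build_image(bank1, sizeof bank1, 41, old_fw, sizeof old_fw);
    build_image(bank2, sizeof bank2, 42, new_fw, sizeof new_fw);
    bank2[sizeof(img_header_t) + 3] ^= 0x01;   /* simulate a bit flip in the new image */
    const uint8_t *banks[BANK_COUNT] = { bank1, bank2 };
    size_t lens[BANK_COUNT] = { sizeof bank1, sizeof bank2 };
    int sel = select_boot_bank(banks, lens);
    printf("boot bank: %d\n", sel);           /* 0: the damaged build 42 is rejected */
#if defined(__ARM_ARCH_PROFILE) && __ARM_ARCH_PROFILE == 'M'
    if (sel >= 0) jump_to_image((uint32_t)(uintptr_t)banks[sel]);
#endif
    return sel < 0 ? 1 : 0;
}
```

On a real part the two bank buffers are the Flash bank base addresses and the header is written last by the update routine, so a download interrupted by a power loss leaves a bank with a stale or missing header that fails validation. Replacing the CRC with a signature check in `image_is_valid` is what makes the scheme robust against someone programming their own image into the spare bank.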
The question is from Stack Exchange, asked by Guillaume Petitjean.