Registered User mNo edit summary Tag: 2017 source edit |
Registered User m (image sizing) Tag: 2017 source edit |
||
| (2 intermediate revisions by one other user not shown) | |||
| Line 28: | Line 28: | ||
** STM32U083 Nucleo board <br> | ** STM32U083 Nucleo board <br> | ||
** USB-C cable | ** USB-C cable | ||
[[File:NucleoU083.png| | [[File:NucleoU083.png|350x350px|frameless|center|Nucleo-U083]] | ||
*'''Required tools''' | *'''Required tools''' | ||
| Line 45: | Line 45: | ||
= Example configuration = | == Example configuration == | ||
This chapter explains how to start with the provisioning script. <br> | This chapter explains how to start with the provisioning script. <br> | ||
It is used to configure the OEMiRoT and generate the signed application image. <br> | It is used to configure the OEMiRoT and generate the signed application image. <br> | ||
==Preliminary stage== | ===Preliminary stage=== | ||
The different steps to configure and use the OEMiRoT are based on a script provided in the STM32CubeFW: <br> | The different steps to configure and use the OEMiRoT are based on a script provided in the STM32CubeFW: <br> | ||
'''Projects\NUCLEO-U08RC\ROT_Provisioning\OEMiROT\provisioning.bat''' | '''Projects\NUCLEO-U08RC\ROT_Provisioning\OEMiROT\provisioning.bat''' | ||
| Line 59: | Line 59: | ||
Launch the script '''provisioning.bat''' (double click) and keep it running during all the following steps: | Launch the script '''provisioning.bat''' (double click) and keep it running during all the following steps: | ||
:*Select the RDP level. Don't use level 2 unless you are certain about the OEM2 password correctly set in prior. See [[Security:RDP_for_STM32U0| Using RDP regression on the STM32U0]] for more information. Select 0 to start. See [[Security:RDP_for_STM32U0|RDP for STM32U0]] before trying other values. | :*Select the RDP level. Don't use level 2 unless you are certain about the OEM2 password correctly set in prior. See [[Security:RDP_for_STM32U0| Using RDP regression on the STM32U0]] for more information. Select 0 to start. See [[Security:RDP_for_STM32U0|RDP for STM32U0]] before trying other values. | ||
[[File:Security_u0-provisioning1.png| | [[File:Security_u0-provisioning1.png|600px|frameless|center|provisioning batch execution - RDP phase]] | ||
== Image generation== | === Image generation=== | ||
Check that the STM32U0 IAR™ patch provided is correctly installed, and check that the IAR Embedded Workbench™ version is recent enough. | Check that the STM32U0 IAR™ patch provided is correctly installed, and check that the IAR Embedded Workbench™ version is recent enough. | ||
| Line 73: | Line 73: | ||
Build each of them when asked by the provisioning batch. | Build each of them when asked by the provisioning batch. | ||
[[File:Security_u0-provisioning-image.png| | [[File:Security_u0-provisioning-image.png|900px|frameless|center|Continuation of the provisioning batch execution]] | ||
===OEMiROT_Boot project configuration=== | ====OEMiROT_Boot project configuration==== | ||
The step 2 of the script is the generation of the firmware images. | The step 2 of the script is the generation of the firmware images. | ||
| Line 85: | Line 85: | ||
This example is configured by default for one application image and a data image. | This example is configured by default for one application image and a data image. | ||
Default parameters are localed in the file '''flash_layout.h''' as shown in figure below: | Default parameters are localed in the file '''flash_layout.h''' as shown in figure below: | ||
[[File:Security_flash layout.png| | [[File:Security_flash layout.png|900px|frameless|center|The flash layout file settings screenshot]] | ||
{{Info|During the OEMiROT_Boot execution, if the number of images is wrong, Bootloader is launched to load new code and/or data images.<br>}} | {{Info|During the OEMiROT_Boot execution, if the number of images is wrong, Bootloader is launched to load new code and/or data images.<br>}} | ||
===OEMiROT_Boot project compilation=== | ====OEMiROT_Boot project compilation==== | ||
*Open '''Project -> Option -> General Options'''. The device and the CPU core should be automatically recognized: | *Open '''Project -> Option -> General Options'''. The device and the CPU core should be automatically recognized: | ||
| Line 96: | Line 96: | ||
The following binary is created in '''Projects\NUCLEO-U08RC\Applications\ROT\OEMiROT_Boot\Binary\OEMiROT_Boot.bin'''. | The following binary is created in '''Projects\NUCLEO-U08RC\Applications\ROT\OEMiROT_Boot\Binary\OEMiROT_Boot.bin'''. | ||
===OEMiROT_Appli project compilation=== | ====OEMiROT_Appli project compilation==== | ||
The provisioning batch passes the changes made to the flash memory layout file to the application configuration. It is necessary to rebuild them as well. | The provisioning batch passes the changes made to the flash memory layout file to the application configuration. It is necessary to rebuild them as well. | ||
*Open the Project.eww located in the EWARM directory: | *Open the Project.eww located in the EWARM directory: | ||
| Line 108: | Line 108: | ||
Don’t close the EWARM project. | Don’t close the EWARM project. | ||
===OEMiROT_Loader project compilation=== | ====OEMiROT_Loader project compilation==== | ||
The provisioning batch passes the changes made to the flash memory layout file to the loader configuration. It is necessary to rebuild them as well. | The provisioning batch passes the changes made to the flash memory layout file to the loader configuration. It is necessary to rebuild them as well. | ||
*Open the Project.eww located in the EWARM directory: | *Open the Project.eww located in the EWARM directory: | ||
| Line 120: | Line 120: | ||
Don’t close the EWARM project. | Don’t close the EWARM project. | ||
==Board programming== | ===Board programming=== | ||
In the next steps the script will automatically perform: | In the next steps the script will automatically perform: | ||
| Line 128: | Line 128: | ||
*Setting the final state of the product. | *Setting the final state of the product. | ||
[[File:Security_u0-provisioning3.png| | [[File:Security_u0-provisioning3.png|900px|frameless|none|Programming the device in provisioning batch]] | ||
* If all the steps have been executed successfully, a confirmation is displayed as shown in the figure above. | * If all the steps have been executed successfully, a confirmation is displayed as shown in the figure above. | ||
==OEMiRoT application execution== | ===OEMiRoT application execution=== | ||
*Close the script. | *Close the script. | ||
| Line 145: | Line 145: | ||
*The OEMiRoT application is executed (see the figure below). | *The OEMiRoT application is executed (see the figure below). | ||
[[File:Security_u0-irotApp.png| | [[File:Security_u0-irotApp.png|900px|frameless|center|Screenshot of the terminal window]] | ||
{{Info|If the terminal is already running when the provisioning script finishes, it is possible to directly access the initial execution log. There is no need for reset.<br>}} | {{Info|If the terminal is already running when the provisioning script finishes, it is possible to directly access the initial execution log. There is no need for reset.<br>}} | ||
=== Using the loader === | ==== Using the loader ==== | ||
From the application menu, select option 2, "New Firmware Image".<br> | From the application menu, select option 2, "New Firmware Image".<br> | ||
The application expects to receive an encrypted and signed binary generated here:<br> | The application expects to receive an encrypted and signed binary generated here:<br> | ||
Latest revision as of 12:16, 27 March 2025
Literature
- UM2237 STM32CubeProgrammer software description
Target description
The purpose of this article is to explain step by step how to use the STM32CubeFW example provided by ST, for OEMiRoT, using the Nucleo-STM32U083RC board:
- How to use the script provided by ST and perform all the required steps.
- How to install and run the user application example which is provided.
Based on this STM32CubeFW example, additional exercises are proposed:
- To perform a firmware upgrade using the loader
Introduction
- Start by reading the OEMiRoT STM32U0 Introduction article.
One example of OEMiRoT is provided in the STM32Cube_FW_U0 that is used in this "getting started".
Through this practical example you will learn:
- What OEMiRoT is and how to use the STM32CubeFW example which is provided.
- How to configure the OEMiRoT.
- How to generate an encrypted and signed image for the user application firmware and user data.
- What the device provisioning is and how to perform the setup of the device.
- How the user application is installed.
- How to execute the example user application.
- How to update the application using the loader.
Prerequisites
- Hardware
- STM32U083 Nucleo board
- USB-C cable
- STM32U083 Nucleo board
- Required tools
- STM32Cube_FW_U0_V1.0.0 or later
- STM32CubeProgrammer_rev2.16.0 or later
- IAR Embedded Workbench® rev 9.20.4 or later
- Tera Term / Putty or equivalent terminal emulator
- STM32Cube Firmware
- Download the STM32Cube_FW_U0 Cube firmware (avoid long paths in the location).
- A directory NUCLEO-U083RC is included in "STM32Cube_FW_U0_V1.x.x\Projects".
- Open the env.bat file in the ROT_Provisioning sub-folder.
- 1- If the STM32CubeProgrammer has not been installed in the default folder
C:\Program Files\STMicroelectronics\STM32Cube\STM32CubeProgrammer, the customized installation path needs to be updated.
- 2- Check that the OEMiRoT_Appli path is correct.
1. Example configuration
This chapter explains how to start with the provisioning script.
It is used to configure the OEMiRoT and generate the signed application image.
1.1. Preliminary stage
The different steps to configure and use the OEMiRoT are based on a script provided in the STM32CubeFW:
Projects\NUCLEO-U08RC\ROT_Provisioning\OEMiROT\provisioning.bat
The following documentation is a guide through all the steps of this script, and explains how to perform each of them.
The figure below shows where the script is located in the STM32CubeFW.
Launch the script provisioning.bat (double click) and keep it running during all the following steps:
- Select the RDP level. Don't use level 2 unless you are certain about the OEM2 password correctly set in prior. See Using RDP regression on the STM32U0 for more information. Select 0 to start. See RDP for STM32U0 before trying other values.
1.2. Image generation
Check that the STM32U0 IAR™ patch provided is correctly installed, and check that the IAR Embedded Workbench™ version is recent enough.
The example for IAR Embedded Workbench™ consists of three parts:
- OEMiROT_Boot corresponds to the Secure Boot.
It performs authenticity and integrity checks of the project firmware and data images. It also verifies the security settings such as WRP and HDP are in place.
- OEMiROT_Appli is an example of application managed by OEMiROT.
It displays the menu using the Virtual COM port console.
- OEMiROT_Loader is responsible for loading the application part update.
Build each of them when asked by the provisioning batch.
1.2.1. OEMiROT_Boot project configuration
The step 2 of the script is the generation of the firmware images.
- Open the Project.eww located in the EWARM directory: Projects\NUCLEO-U08RC\Applications\ROT\OEMiROT_Boot\EWARM
Number of code images and data images is defined in the
flash_layout.h file in the ./Projects\NUCLEO-U08RC\Applications\ROT\OEMiROT_Boot\Inc folder.
This example is configured by default for one application image and a data image. Default parameters are localed in the file flash_layout.h as shown in figure below:
1.2.2. OEMiROT_Boot project compilation
- Open Project -> Option -> General Options. The device and the CPU core should be automatically recognized:
If the device is not recognized, check that the STM32U0 IAR™ patch provided is correctly installed, and check that the IAR Embedded Workbench™ version is recent enough.
- Perform: Project -> Rebuild all (don’t upload the code, only perform a compilation)
The following binary is created in Projects\NUCLEO-U08RC\Applications\ROT\OEMiROT_Boot\Binary\OEMiROT_Boot.bin.
1.2.3. OEMiROT_Appli project compilation
The provisioning batch passes the changes made to the flash memory layout file to the application configuration. It is necessary to rebuild them as well.
- Open the Project.eww located in the EWARM directory:
Projects\NUCLEO-U08RC\Applications\ROT\OEMiROT_Appli\EWARM
- Open Project -> Option -> General Options
The device and CPU core should be automatically recognized.
- Perform: Project -> Rebuild all (don’t upload the code, only perform a compilation)
The following image is created: Projects\NUCLEO-U08RC\Applications\ROT\OEMiROT_Appli\Binary\rot_app_enc_sign.bin Don’t close the EWARM project.
1.2.4. OEMiROT_Loader project compilation
The provisioning batch passes the changes made to the flash memory layout file to the loader configuration. It is necessary to rebuild them as well.
- Open the Project.eww located in the EWARM directory:
Projects\NUCLEO-U08RC\Applications\ROT\OEMiROT_Loader\EWARM
- Open Project -> Option -> General Options
The device and CPU core should be automatically recognized.
- Perform: Project -> Rebuild all (don’t upload the code, only perform a compilation).
The following image is created: Projects\NUCLEO-U08RC\Applications\ROT\OEMiROT_Loader\Binary\OEMiROT_Loader.bin. Don’t close the EWARM project.
1.3. Board programming
In the next steps the script will automatically perform:
- The provisioning of the option byte.
- Flashing the previously generated image in the download area.
- Performing the needed reset to install the code.
- Setting the final state of the product.
- If all the steps have been executed successfully, a confirmation is displayed as shown in the figure above.
1.4. OEMiRoT application execution
- Close the script.
- Launch the Teraterm (or equivalent):
- File -> New connection
- The COM port number should be the same as indicated by your Windows device manager.
- Setup -> Serial port -> update to 115200 -> New Setting (see the figure below for other configurations)
- Press the reset button (black button of the discovery board).
- The OEMiRoT application is executed (see the figure below).
1.4.1. Using the loader
From the application menu, select option 2, "New Firmware Image".
The application expects to receive an encrypted and signed binary generated here:
Projects\NUCLEO-U08RC\Applications\ROT\OEMiROT_Appli\Binary\rot_app_enc_sign.bin
Try to change the UserAppId value in the application to get immediate confirmation of successful update. Rebuild the application and the postbuild batch should generate a new binary.
Use the terminal to select option 2 from the application menu again. As the application is waiting, select YMODEM send and the new application file.
The loader applies the new application on next reboot.