Bootpath STM32H5 using STM32CubeMX How to Introduction
Target description
The purpose of this article is to provide the background needed to understand and execute the related "how to start".
This introductory article reviews some technical notions related to this topic. More detailed explanations are available in the following two articles:
- Theoretical introduction article: Introduction to Secure boot and Secure firmware update.
- Specific STM32H5 bootpaths article: Secure Boot for STM32H5.
1. Introduction
A boot path selection interface has been added to STM32CubeMX to help customers select the boot configuration adapted to their needs.
The configuration is done through three main choices (see the possible boot paths in the Secure_Boot_for_STM32H5 article):
- Is run time isolation needed? -> TrustZone activation or not (possible on STM32H56 and STM32H57)
- If run time isolation is needed:
- S
- If no run time isolation is needed:
- Examples are provided in the STM32CubeFW using different types of bootpaths (see for instance the following links).
The STM32CubeFW examples use the provided script, configuration files and user application code.
The STM32CubeMX examples implicitly use similar configuration files, but the desired bootpath is chosen graphically through the tool and the initial code is generated.
With STM32CubeMX you can generate your own project in an easy-to-use and straightforward way.
- This article gives an introduction on how to define and configure a bootpath starting from scratch using STM32CubeMX, and how the initial related code (secure and non-secure) is generated.
- The STM32CubeMX tool provided by ST is available at the following link: STM32CubeMX installation file
- How to proceed in practice, step by step, is explained in the different How To articles listed in the table below.
Product series | STM32H503 | STM32H563 | STM32H573 | Prerequisite | Introduction article | Path number (Figure 2) |
---|---|---|---|---|---|---|
Ecosystem | Nucleo MB1814-H503RB | Nucleo MB1404-H563ZI | Discovery STM32H573I-DK | | | |
STM32CubeMX OEMiROT example on STM32H573 | | | Link to How To | STM32CubeMx_V6.9.0 or later | Link | 1 |
STM32CubeMX OEMiROT example on STM32H563 | | Link to How To | | STM32CubeMx_V6.9.0 or later | Link | 1 |
STM32CubeMX STiROT example on STM32H573 | | | Link to How To | STM32CubeMx_V6.9.0 or later | Link | 2 |
STM32CubeMX Secure Manager example | | | Link to How To | STM32CubeMx_V6.9.0 or later | Link | 3 |
2. The different possible bootpaths
The possible bootpaths depend on the chosen device: whether it supports embedded hardware cryptography and whether TrustZone is activated or not.
The Secure Boot for STM32H5 article mentioned previously gives more details about the supported bootpaths.
In summary:
- The STM32H57 supports TrustZone and hardware cryptography, so all bootpaths are possible with this device.
- The STM32H56 supports TrustZone but not an embedded hardware cryptography accelerator (without export control constraints), so the STiROT (ST immutable Root of Trust) and the Secure Manager are not supported.
- The STM32H503 supports neither TrustZone nor embedded hardware cryptography (without export control constraints), which limits it to a single bootpath, as explained in the Secure Boot for STM32H5 article.
The bootpath is selected through option bytes programming (TZEN and UBE), as shown in the next figure.
When the bootpath is selected through STM32CubeMX, the related option bytes are programmed during the provisioning procedure.
This procedure is done automatically, and the user doesn't need to take care of which option bytes need to be programmed.
2.1. STM32H57 Bootpaths
The STM32H57x devices support services available in the embedded system flash and services that can be installed.
For installable services, refer to the Secure Manager wiki article.
The figure below shows the possible bootpaths selected through the related user option bytes.
Advice: before manually setting option bytes or trying your own settings and solutions, it is advised to execute the proposed "how to", especially the one related to the Debug Authentication (DA "how to" introduction), in order to avoid locking your device or board.
All the bootpaths of the above figure are supported by STM32CubeMX.
2.2. STM32H57 Bootpaths examples using STM32CubeMX
The table in the introduction section gives the links to the documented examples proposed for a bootpath setting using STM32CubeMX. The figure below shows the related bootpath: