How to start with STiRoT OEMuRoT on STM32H7S
Literature
- Wiki pages:
- STiRoT STM32H7S How to intro article.
- STiRoT_for_STM32H7RS article
- STiRoT article.
- Debug Authentication for STM32H7RS article.
- UM2237 STM32CubeProgrammer software description
- UM2238 STM32 trusted package creator (TPC) tool software description
- AN5054 Secure programming using STM32CubeProgrammer
- ANxxx Getting started with STiRoT for STM32H7S MCUs
Target description
The purpose of this article is to explain, step by step, how to use the STM32CubeFW example provided by ST for STiRoT on the STM32H7S discovery board.
- Chapter1: xxxx
- Chapter2: xxxx
Based on this STM32CubeFW example, additional exercises are proposed:
- Chapter3: xxxx
- Chapter4: xxx
Introduction
Two examples are provided in the STM32Cube_FW:
- An example with a single boot stage: STiRoT
- An example with two boot stages: STiRoT - OEMuRoT
The example with two boot stages is used in this getting started.
Through this practical example you will learn:
- What STiRoT for STM32H7S is, and how to use the STM32CubeFW example that is provided.
- How to configure STiRoT and the debug authentication for this example.
- What the iLoader is and what its role is.
- How to generate an encrypted and signed image for the user application firmware.
- What the device provisioning is and how to perform the setup of the device.
- How the user application is installed.
- How to perform a debug authentication and reopen the debugger.
- How to read the installed user application firmware using STM32CubeProgrammer.
- How to attach an IDE to a running target and step through the secure user application.
- How to perform a firmware update on a closed device.
- How to perform a regression to return the board to an empty state.
Prerequisites
- Hardware
- STM32H7S discovery board: the STM32H7S devices have all the available security features, including the HW crypto accelerator (HW cryptographic acceleration is not supported on STM32H7R devices).
- Discovery board MB1736 (STM32H7S); a USB-C cable is needed.
- Required tools
- STM32Cube_FW_H7RS_V1.0.0RC3 or later
- STM32CubeProgrammer_rev0.0.7-H7RS-B01 or more recent (with trusted package creator (TPC) selected at installation).
- IAR Embedded Workbench® rev 9.20.1 or later.
- IAR Patch EWARMv9_STM32H7R-Sxx_V0.10.0 or later
- Tera Term / PuTTY or an equivalent terminal emulator.
- STM32Cube Firmware
- Download the STM32Cube_FW_H7RS firmware (it is advisable to place it close to the C:\ root to avoid long Windows paths).
- A directory STM32H7S78-DK is included in "STM32Cube_FW_H7RS\Projects".
- Open the env.bat file.
- If STM32CubeProgrammer has not been installed in the default folder (C:\Program Files\STMicroelectronics\STM32Cube\STM32CubeProgrammer), the customized installation path needs to be updated.
- Update the COM port to match your COM port number.
- Use the Windows device manager to find out your COM port number, as shown in the figure below.
- Check that the selected application path is correct: for this tutorial, ROT/STiROT_Appli must be active.
1. Example with PASSWORD configuration
1.1. STiRoT and debug authentication configuration
This chapter explains how to start with the provisioning script.
It is used to configure the STiRoT and the debug authentication.
1.1.1. Preliminary stage
- The different steps to configure and use the STiRoT are based on a script provided in the STM32CubeFW: STM32H7S78-DK\ROT_Provisioning\STiROT_OEMuROT\provisioning.bat
- The following documentation is a guide through all the steps of this script, and explains how to perform each of them.
- The figure below shows where the script is located in the STM32CubeFW.
- Launch the script provisioning.bat (double click) and keep it running during all the following steps.
- Type the product state: CLOSED (do not use LOCKED for this tutorial; that state is used only to set a final product state).
- Type the chosen debug authentication method: PASSWORD (for an explanation of certificate and password, refer to the intro article).
- iLoader
- As explained in the introduction article, an immutable loader code example is provided in the STM32Cube_FW_H7RS (see the STiRoT_STM32H7S_How_to_Intro article).
- The role of this application is to handle the transfers between internal RAM and the external flash memory.
- This application is installed in the user flash and write protected.
- The next action required by the script is to compile all the iLoader application example files.
- iLoader compilation using an IDE
- The figure below shows where the provided iLoader application example is located.
- The figure below shows the example using IAR
- Select "Project-STiROT_iLoader", then Project -> Rebuild All. The compilation should complete without any reported warning or error.
- OEMuRoT
- For the OEMuRoT boot application code (updatable Root of Trust boot), the OEMiRoT application is used.
- OEMiRoT (application used for the OEMuRoT) compilation using an IDE
- The figure below shows where the provided application example for IAR is located.
- Open the project with IAR
- Select "Project-STM32H7S78-DK_OEMiROT_Boot", then Project -> Rebuild All. The compilation should complete without any reported warning or error.
- As shown in the figure below, two binary files are created. Through the automatically launched post-build command, an encrypted and signed image is created.