Product state for STM32H5

1. Introduction

It is advised to start by reading the New product state article.
From the development phase until the maintenance phase a product can be configured under many product states ( also called lifecycle states).
The lifecycle controls the access to code and data.

This article lists in which product states a STM32H5 can be configured.

2. Product states

2.1. Product state : Open

• This state is mainly used during the development phase since the device is fully open.
  
• Debug is fully open.
  
• The Trust Zone can be disabled or enabled (not available for STM32H503 devices).
  
• Bootloader is usable.
  

2.2. Product state : Provisioning

• This state is used during the provisioning.
  
• The debug is only available when executing a nonsecure user application.
  

• The Trust-Zone can be disabled or enabled (not available for STM32H503 devices).
  
• Bootloader is usable.
  
• Secure Firmware install can be launched in this state (not anymore possible in the following states).
  

2.3. Product state : Provisioned

• In this state, the OEMiRoT or STiRoT code and datas are provisioned.
  
• Debug is available only when executing a nonsecure user application.
  

• Debug Authentication can be launched : Debug access for secure applications can be available by launching the Debug Authentication (see Debug Authentication setting).
  
• The OEMiRoT or STiRoT can launch the bootloader if the verification of the code located in the next isolation level is failing (authentication, integrity, or missing code)
  

2.4. Product state : TZ-Closed

• This product state is not available for STM32H503 devices.
• The TZ-Closed state corresponds to an intermediate state of the product. All the secure firmware is installed, the non secure application can be developed, or loaded in a second instance.
• The [STiRoT or OEMiRoT]+ uRoT (optional) + Secure user application code and data are provisioned.
• uRoT(optional) can launch the bootloader if the verification of the code located in the next isolation level is failing (authentication, integrity, or missing code).
  
• The debug is only available when executing a nonsecure user application.
  
• Debug Authentication can be launched : Debug access for secure applications can be available by launching the Debug Authentication.
• From this state, the non secure application can be updated using the firmware update mechanism, or directly programmed through the flash loader (embedded in the IDE).

2.5. Product state : Closed

• This state occurs with the fully provisioned product.
  
• Debug Authentication is allowed : The debug is fully closed but can be opened by launching the Debug Authentication (see Debug Authentication setting).

2.6. Product state : Locked

• This state is used with the fully provisioned product without any more changes.
  
• Locked is a final unchangeable product state. No method can modify the embedded firmware and product configuration.
  
• The debug is definitively closed and cannot be reopened through debug authentication.
  
• No regression is possible anymore
  

3. Lifecycle

The figure below shows the product states of the product during along the lifecycle phases :

• Development phase, offering full debug capabilities to the developer.
• Provisioning phase, the main asset areas are protected (no longer accessible)
• Final phase, the product is in the field.
• Maintenance phase, including field return management.
  

4. References

• RM0481 STM32H5x3/562 reference manual