How to start with OEMiSB on STM32U0

Revision as of 19:14, 22 January 2024 by Registered User

1. Literature

  • UM2237 STM32CubeProgrammer software description

2. Target description

The purpose of this article is to explain step by step how to use the STM32CubeFW example provided by ST, for OEMiSB, using the Nucleo-STM32U083RC board.

  • How to use the script provided by ST and perform all the required steps.
  • How to install and run the user application example which is provided.

3. Introduction

A theoretical introduction article is available here.
The example solution is provided with the STM32CubeU0 package and consists of 2 parts:

  • Firmware/Projects/NUCLEO-U083RC/Application/ROT/OEMiSB_Boot
  • Firmware/Projects/NUCLEO-U083RC/Application/ROT/OEMiSB_Appli (a simple LED toggle application)

4. Prerequisites

  • Hardware
    • STM32U083 Nucleo board: the STM32U083 devices have all the available security features, including the HW crypto accelerator (the HW cryptographic acceleration is not supported for STM32U07x devices).
    • USB-C cable
  • Required tools
    • STM32Cube_FW_U0_V1.0.0 or later
    • STM32CubeProgrammer_rev2.16.0 or more recent.
    • IAR Embedded Workbench® rev 9.40.1 or later.
    • Tera Term / Putty or equivalent terminal emulator.
  • STM32Cube Firmware
    • Download the STM32Cube_FW_U0 Cube firmware (it is advisable to place it close to the root of C:\ in order to avoid long paths)
    • A directory NUCLEO-U083RC is included in "STM32Cube_FW_U0_V1.x.x\Projects"
  • Open the env.bat file in the ROT_Provisioning sub-folder:
    • 1- If STM32CubeProgrammer has not been installed in the default folder (C:\Program Files\STMicroelectronics\STM32Cube\STM32CubeProgrammer), the customized installation path needs to be updated.
    • 2- Check that the OEMiSB_Appli path is OK.

5. Example configuration

This chapter explains how to start with the provisioning script.
It is used to configure the OEMiSB and generate the binary image.

5.1. Image generation

Check that the IAR™ patch provided for STM32U0 is correctly installed and that your IAR Embedded Workbench™ version is recent enough.

The example for IAR Embedded Workbench™ consists of two parts (the STM32 secure boot and root of trust examples):

  • OEMiSB_Boot corresponds to the secure boot. It performs an integrity check of the application firmware and verifies that security settings such as WRP and HDP are in place.
  • OEMiROT_Appli is an example of an application managed by OEMiROT. It displays the menu using the Virtual COM port console.

5.2. OEMiSB project configuration and build

To ease the example generation and loading, a script is provided in the STM32Cube package. The script, called “provisioning”, is available in \Projects\NUCLEO-U083RC\ROT_Provisioning\OEMiSB.
The script runs through the following steps:
1. Configuration management

    • RDP selection
      • 0: In this case the development mode is enabled
      • 1: Production mode is enabled, and debug is possible
      • 2: Production mode is enabled, and debug is not possible
    • Data size selection

2. Image generation

    • Compilation of the boot.
    • Compilation of the application and generation of the binary file.
    • Automatic editing of the boot header files.
    • Computation of the application hash and generation of the hash area binary.

3. Provisioning

    • Remove old protections and initialize option bytes.
    • Perform mass erase.
    • Download application, boot and hash.
    • Hardening by enabling HDP and WRP.
    • Lastly, the pre-selected RDP level is programmed in the option bytes.

The scripted approach is useful to automate hash generation, which would otherwise have to be computed by hand and imported into the binary on each build. The application hash checked by the immutable secure boot is an important part of the security hardening.
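Steps 2 and 3 above automate the hash generation that the immutable boot later checks. The following Python is an added illustration of both sides of that check (it is not ST's provisioning script nor the OEMiSB boot code): the hash-area layout, its "OEMH" magic value, the length field and the choice of SHA-256 are assumptions made for this example, not the format ST's tooling uses.

```python
import hashlib
import hmac
import struct

# Constructed layout for the hash area (an assumption for this example;
# the real OEMiSB hash area format is defined by ST's provisioning script):
#   magic "OEMH" | application length, 32-bit little-endian | SHA-256 digest
HASH_AREA_MAGIC = b"OEMH"
HASH_AREA_SIZE = 4 + 4 + 32


def build_hash_area(app_image: bytes) -> bytes:
    """Tool-side step: hash the application binary and produce the hash area."""
    digest = hashlib.sha256(app_image).digest()
    return HASH_AREA_MAGIC + struct.pack("<I", len(app_image)) + digest


def verify_application(app_region: bytes, hash_area: bytes) -> bool:
    """Emulates the integrity check the immutable boot runs before jumping to
    the application. app_region is the whole application flash region as read
    back, so it may carry 0xFF erased padding after the image itself."""
    if len(hash_area) != HASH_AREA_SIZE or hash_area[:4] != HASH_AREA_MAGIC:
        return False  # corrupted or missing hash area: refuse to boot
    (length,) = struct.unpack("<I", hash_area[4:8])
    if length == 0 or length > len(app_region):
        return False  # length field does not fit the region: refuse to boot
    expected = hash_area[8:8 + 32]
    actual = hashlib.sha256(app_region[:length]).digest()
    # Constant-time comparison so the check does not leak how much of the
    # digest matched before the first mismatch.
    return hmac.compare_digest(expected, actual)


if __name__ == "__main__":
    # Constructed stand-in for OEMiSB_Appli.bin (not a real firmware image).
    app = bytes(range(256)) * 4
    region = app + b"\xff" * 64  # image followed by erased flash
    area = build_hash_area(app)
    print("genuine image accepted:", verify_application(region, area))
    tampered = bytearray(region)
    tampered[10] ^= 0x01  # single-bit change in the application code
    print("tampered image accepted:", verify_application(bytes(tampered), area))
```

The stored length is what lets the boot hash only the image and ignore the erased padding that follows it in flash, which is why regenerating the hash area on every build matters.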