How to start with OEMiSB on STM32U0

Revision as of 16:38, 24 January 2024 by Registered User

1. Literature

  • UM2237 STM32CubeProgrammer software description

2. Target description

The purpose of this article is to explain step by step how to use the STM32CubeFW example provided by ST, for OEMiSB, using the Nucleo-STM32U083RC board.

  • How to use the script provided by ST and perform all the required steps.
  • How to install and run the user application example which is provided.

3. Introduction

A theoretical introduction article is available here.
The example solution is provided with the STM32CubeU0 package and consists of 2 parts:

  • Firmware/Projects/NUCLEO-U083RC/Application/ROT/OEMiSB_Boot
  • Firmware/Projects/NUCLEO-U083RC/Application/ROT/OEMiSB_Appli (a simple Toggle LED application.)

4. Prerequisites

  • Hardware
    • STM32U083 Nucleo board: the STM32U083 devices have all the available security features, including the HW crypto accelerator (the HW cryptographic acceleration is not supported for STM32U07x devices).
    • USB-C cable
  • Required tools
    • STM32Cube_FW_U0_V1.0.0 or later
    • STM32CubeProgrammer_rev2.16.0 or more recent.
    • IAR Embedded Workbench® rev 9.40.1 or later.
    • Tera Term / Putty or equivalent terminal emulator.
  • STM32Cube Firmware
    • Download the STM32Cube_FW_U0 Cube firmware (it is advised to place it close to the C: root in order to avoid long paths)
    • A directory NUCLEO-U083RC is included in "STM32Cube_FW_U0_V1.x.x\Projects"
  • Open the env.bat file in the ROT_Provisioning sub-folder:
    • 1- If STM32CubeProgrammer has not been installed in the default folder (C:\Program Files\STMicroelectronics\STM32Cube\STM32CubeProgrammer), update the path in env.bat to the customized installation path.
    • 2- Check that the OEMiSB_Appli path is OK.

5. Example configuration

This chapter explains how to start with the provisioning script.
It is used to configure the OEMiSB and generate the binary image.

5.1. Image generation

Check that the STM32U0 patch provided for IAR™ is correctly installed and that your IAR Embedded Workbench™ version is recent enough.

The example for IAR Embedded Workbench™ consists of two parts, the STM32 secure boot and root of trust examples:

  • OEMiSB_Boot corresponds to the Secure Boot. It performs an integrity check of the project firmware and verifies that the security settings such as WRP and HDP are in place.
  • OEMiSB_Appli is an example of an application protected by OEMiSB. It displays the menu using the Virtual COM port console.

5.2. OEMiSB project configuration and build

To ease the example generation and loading, a script is provided in the STM32Cube package. The script called “provisioning” is available in \Projects\NUCLEO-U083RC\ROT_Provisioning\OEMiSB.
The script executes the following steps:
1. Configuration management

2. Image generation

  • Modifying header files automatically.
  • Compilation of the boot.
  • Compilation of the application and generating binary file.
  • Computing application hash and generating hash area binary.

3. Provisioning

  • Remove old protections and initialize option bytes.
  • Perform mass erase.
  • Download application, boot and hash.
  • Hardening by enabling HDP and WRP.
  • Lastly the pre-selected RDP level is programmed in the OB.

The scripted approach is useful to automate the hash generation, which would otherwise have to be computed and imported into the binary manually on each build. The application hash checked by the immutable secure boot is an important part of securing the device: an application image whose hash does not match the stored hash area is not executed.
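To make the "computing application hash and generating hash area binary" step and its counterpart in OEMiSB_Boot concrete, the following added example (not ST's provisioning script nor OEMiSB code) models both sides on the host: a build-side function packs the digest of the application binary into a small hash-area blob, and a boot-side function recomputes the digest over the image and refuses a tampered one. SHA-256 and the hash-area layout (magic, length, digest) are assumptions made here for illustration; the page does not specify the algorithm or the layout used by OEMiSB.

```python
"""Added example modelling the OEMiSB hash-area generation and the boot-time
integrity check. SHA-256 and the blob layout are assumptions, not ST's format."""
import hashlib
import hmac
import struct

HASH_AREA_MAGIC = b"HASH"  # constructed marker, not an ST-defined value
DIGEST_LEN = hashlib.sha256().digest_size


def generate_hash_area(app_image: bytes) -> bytes:
    """Build-side step: digest the application binary and pack it as
    magic | image length (little-endian u32) | SHA-256 digest."""
    digest = hashlib.sha256(app_image).digest()
    return HASH_AREA_MAGIC + struct.pack("<I", len(app_image)) + digest


def parse_hash_area(hash_area: bytes):
    """Return (image_length, digest); raise ValueError on a malformed blob."""
    expected_len = len(HASH_AREA_MAGIC) + 4 + DIGEST_LEN
    if len(hash_area) != expected_len or hash_area[:4] != HASH_AREA_MAGIC:
        raise ValueError("malformed hash area")
    (length,) = struct.unpack("<I", hash_area[4:8])
    return length, hash_area[8:]


def secure_boot_check(app_image: bytes, hash_area: bytes) -> bool:
    """Boot-side step: recompute the digest over exactly the length recorded
    in the hash area and compare it in constant time. Any parse error,
    truncated image or digest mismatch means the application is not run."""
    try:
        length, expected = parse_hash_area(hash_area)
    except ValueError:
        return False
    if length > len(app_image):
        return False
    actual = hashlib.sha256(app_image[:length]).digest()
    return hmac.compare_digest(actual, expected)


def demo():
    """Run the build step, then the boot check on the genuine image and on a
    copy with one byte flipped. Returns (genuine_ok, tampered_ok)."""
    # Constructed stand-in for OEMiSB_Appli.bin: a fake initial SP followed by
    # repeated 'b .' Thumb instructions. Not real firmware.
    app = bytes.fromhex("00800020") + b"\xfe\xe7" * 100
    hash_area = generate_hash_area(app)
    genuine_ok = secure_boot_check(app, hash_area)
    tampered = bytearray(app)
    tampered[10] ^= 0x01  # a single patched byte must be detected
    tampered_ok = secure_boot_check(bytes(tampered), hash_area)
    return genuine_ok, tampered_ok


if __name__ == "__main__":
    print(demo())  # → (True, False)
```

The two functions are deliberately kept apart to mirror the real split: the hash area is produced once on the host by the provisioning flow, while the check runs at every reset inside the immutable boot region that HDP and WRP protect from modification.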

5.3. OEMiRoT application execution

  • Close the script
  • Launch the Teraterm (or equivalent)
  • File => New connection
  • The COM port number should be the same as indicated by your Windows device manager
  • Setup => Serial port -> update to 115200 (and see the figure below for other configurations) -> New Setting
[Figure: teraterm config.png - Tera Term serial port configuration]
  • Press the reset button (black button of the discovery board)
  • The OEMiRoT application is executed (figure below)
Information: If you have the terminal already running when the provisioning script finishes, you can directly observe the initial execution log. There is no need to hit the reset button then.