How to start with certificate linked to SOC class and ID on STM32H5

Revision as of 11:35, 13 February 2024 by Registered User



Target description

The generation of a root certificate and a certificate chain and how to use it to open the debugger through a debug authentication are explained in the two following articles:

The purpose of this article is to explain how to generate a certificate and a certificate chain valid only for one specific MCU product and for one specific sample.


Introduction

It is advised to read the following article: Debug Authentication STM32H5 How to Introduction.
Read the chapter about the root certificate and the certificate chain included in one of the "How to start" mentioned previously.


Prerequisites

To try out the generated certificate and certificate chain, a provisioned board with installed, running application code is needed.
It is advised to use one of the two following examples based on the STM32Cube Firmware.
Execute chapter 1 to chapter 4.



1. Unhide the required fields in STM32 Trusted Package Creator

  • To link a certificate or certificate chain to a specific product, the ID called the SOC class (in accordance with the ARM PSA ADAC specification) needs to be specified.
  • To link a certificate or certificate chain to a specific sample die, the ID called the SOC ID (in accordance with the ARM PSA ADAC specification) needs to be specified.

By default, the fields used to specify these IDs are not available in STM32 Trusted Package Creator.
The modifications shown below are needed in the STM32_CertifGen_DB_0x484.xml file.
This file is located in the STM32CubeProgrammer directory: STM32CubeProgrammer\bin\TPC_CertifGen_Data_Base.


Figure 1 Unhide SOC Class SOC ID in TPC
  • Change: <Hidden>1</Hidden>
  • Into: <Hidden>0</Hidden> (lines 57 and 62 in the above figure example)

With these modifications the related fields will be visible in STM32 Trusted Package Creator.

2. STM32CubeProgrammer Discover to read SOC Class and SOC ID

Open STM32CubeProgrammer, see figure below.

  • 1. Click on the Shield
  • 2. Click on Discover
  • 3. According to the prerequisites, an application code is installed and the device has been set in Closed state
  • 4. The SOC ID value can be copied from the Log window; the SOC Class (target ID) value is also indicated there.


Figure 2 Use the Discover to read the SOC ID and the SOC Class

The next chapter shows how these two values are used with STM32 Trusted Package Creator to generate certificates.

3. Generation of Root certificate and certificate chain linked to SOC ID and SOC Class

With the modification made to the STM32_CertifGen_DB_0x484.xml file, STM32 Trusted Package Creator displays the SOC Class and SOC ID fields as shown below:
