Debug authentication for STM32H7Rx/7Sx

Revision as of 16:41, 15 March 2024 by Registered User
This message will disappear after all relevant tasks have been resolved.
Semantic MediaWiki
There are 1 incomplete or pending task to finish installation of Semantic MediaWiki. An administrator or user with sufficient rights can complete it. This should be done before adding new data to avoid inconsistencies.

1. Introduction

In this article, STM32H7RS refers to the STM32H7Rx/7Sx microcontroller product lines.

This article gives an overview about debug authentication applied to STM32H7RS MCUs.

A detailed description of debug authentication is provided in AN6008

If you want to learn more about debug authentication specific usage for each STM32H7RS device and you want to practice, refer to How to start with DA access on STM32H7RS

List of applicable products:

Type Products
Microcontroller STM32H7Rxx, STM32H7Sxx

2. Debug authentication setup overview

Here is an overview of the debug authentication setup : DA setup

Refer to AN6008 for more details about debug authentication setup.

Refer to PSA ADAC V1.0. (Authenticated Debug Access Control) for more details about SDM and SDA.

3. Debug authentication services

The debug authentication allows to securely:

  • Re-open the debug access
  • Perform full regression to product states OPEN
  • Force download (get access to ST BootLoader)

The debug authentication services are usable:

  • During development
  • For field return analysis

Two Authentication methods are available :

  • use a password. Only a full regression to the OPEN state is possible.
  • use a certificate chain. Regression and debug opening are possible.

When using certificates, the authorized actions are defined through masks.

Refer to AN6008 for more details about debug authentication certificates, actions and masks usage.

The debug authentication protocol uses the JTAG dedicated access point (ap0) to communicate with the chip.
The protocol is defined by Arm®: ARM PSA ADAC V1.0. (Authenticated Debug Access Control PSA ADAC V1.0. (Authenticated Debug Access Control)

Refer to AN6008 for more details on the debug authentication protocol.

4. Debug Authentication provisioning

The debug authentication provisioning consists in storing the password hash or hash of the key related to the root certificate inside the chip.
These data are stored in OBKey on STM32H7RS series devices.

Refer to AN6008 for more details on the debug authentication provisioning.


Retrieved from "https://wiki.st.com/stm32mcu/index.php?title=Security:Debug_Authentication_for_STM32H7RS&oldid=51747"