How to start with STM32CubeMX STiRoT Boot path on STM32H57S

Target description

The purpose of this article is to provide step-by-step instructions on how to configure a boot path.
The example below demonstrates how to configure and provision a boot path for an STiRoT (ST immutable Root of Trust) and generate an application code using CubeMx.
The initially generated code is modified to blink the green led embedded on the board.

Read Secure Boot STM32H7RS How to Introduction before starting the practical example described below.

For more technical details which may be useful to know before getting started, check out the following articles:

• Security features on STM32H7RS
• STiRoT for STM32H7S

The figure below shows the possible bootpaths for the STM32H7RS.
The STiRoT is only supported for the STM32H7S, since it requires the Cryp hardware accelerator not supported on the STM32H7R.

The example described in this article uses the boot path indicated in bellows figure.

Prerequisites
To execute the example described below, you need an STM32H57S-DK discovery board:

Figure 2 STM32H7S DK MB1736

You'll also need the following tools:

• STM32CubeMX_6.11.0 or later
• IAR Embedded Workbench rev 9.20.1 or later
• STM32CubeProgrammer rev 2.16.0

Note:

• STM32 Trusted Package Creator (TPC) is automatically installed during the STM32CubeMX installation. This TPC version is dedicated to STM32CubeMX and installed in the STM32CubeMX/utilities folder.
• The latest STM32Cube_FW revision is installed through STM32CubeMX (see appendix).

1. Setting up the STM32CubeMX project

Launch STM32CubeMX

1. Click on Access to MCU Selector (for this example, it's easier to enable only the necessary single GPIO, so it's advised to use the MCU selector instead of the board selector).
2. From the Series column, select STM32H7
3. Select the device used in STM32H7S78-DK.
4. Click start project.
5. For the Memory Protection Unit, select No

Create the STM32CubeMX project:

1. Select Project Manager tab.
2. Type the name of the project.
3. Choose a folder for the project (avoid a long path). If it doesn't already exist, the related folder will be created.
4. Tick Appli Project
5. Select the relevant toolchain; for this example EWARM is used.
6. The correct MCU reference should be already filler in.
7. The Firmware Package Name and Version should be correct if the latest STM32CubeFW has been installed (see prerequisites)
8. The Firmware Relative Patch should indicate the path to your STM32CubeRepository
9. Select File > Save Project.
10. The project folder (if it doesn't already exist) and the H7S_STiRoT_blinking_LED.ioc file are created.

2. GPIO configuration

For the proposed example a single GPIO is defined in order to blink the green LED available in the Discovery kit

• PO1 is controlling the green LED (see MB1736 schematic)
• In STM32CubeMX, select the Pinout & Configuration window

• Click on PO1 and select GPIO_Output. This will configure a push pull output that is needed to drive a LED.

• Click on System Core and select GPIO. A summary of the newly configured setting is displayed as shown in the figure below:

3. STiRoT boot path and Debug Authentication configurations

To configure the bootpath indicated in figure 1, proceed as following:

1. Click on Boot Path and Debug Authentication.
2. In case the STM32CubeProgrammer is not installed at the default installation path. Click Browse, select the path and STM32_Programmer_CLI.exe
3. Tick Generate DA Folder, select Configure, the debug authentication windows is open (see figure below)
   1. The path to the Debug Authentication xml file is indicated
   2. A new DA root key can be generated. If a new key is generated, don't loose it since it is required for debug opening and regression(for trials, it is advised to keep the default key)
   3. The permission mask can modified by clicking on the dark blue fields. By default, the debug opening for all HDP isolation levels is allowed and the full regression. For this step by step, just keep all the fields selected.
   4. Click Generate OBkey

4. Click Select in the Boot path selection.

4.1 Tick ST immutable Root of Trust, to select an STiRoT boot path.

4.2 Click Next.

4.3 Tick Application, according figure 1, this example is without an OEMuRoT.

4.4 Click Finish

• To generate the initial code follow the step of the figure below

1. Tick Enable Linker File Update.
2. Tick Sign Binary (the signed and encrypted binary will be automatically generated during the compilation through the IDE (postbuild).
3. Click Generate Code

• Click on Open Project
• In the main.c, add the following code to toggle the PO1 pin for the green LED.

  HAL_GPIO_TogglePin(GPIOO,GPIO_PIN_1);
  HAL_Delay(200); 
  

• Compile the code using the IDE (Project > Rebuild all).
• Note that at the end of the compilation a Post-build command is launched. It will generate the encrypted and signed user application code image (see figure below)

4. Device provisioning

4.1. Device provisioning introduction

During the provisioning step (for more details see STiRoT STM32H7S How to Intro article)

• The option bytes are configured.
  
• The encrypted and signed binary file is uploaded to the external flash memory (encrypted in AES with STiRoT key)
• The image in the download slot is decrypted and stored re-encrypted in the external flash memory installation slot (encrypted in AES with MCE key)
• The device is set in Closed state.

• Note: all the data transfer between internal RAM and external flash is managed by the provided iLoader code. This firmware is the first installed in clear in the flash embedded in the device.

A provisioning script is guiding the user during the provisioning steps.

4.2. Env.bat file update

The figure below shows where the env.bat file is located in the generated project environment.

• Edit this file with a text editor, as shown in figure below
• Don't modify the path to STM32 Trusted Package Creator included in STM32CubeMX!
• The correct COM_port needs also to be updated. The COM port can for instance be found out using the windows device manager. (COM9 for the example of figure below)

4.3. Board provisioning, firmware installation and product state setting

The board provisioning is performed using the provided script.
This script is available in the project structure created previously using STM32CubeMx.

All the steps to be followed are indicated by the script.

• Connect your board using the USB cable (USB STLink connector).
• Double-click on the provisioning.bat file shown in figure above.

Step 0:

• The final product state is chosen. (! don't chose LOCKED since this is a definitive product state that disable the debugger and can't be changed anymore.
• The debug authentication method is chosen. For this tutorial, chose CERTIFICATE.

Once the device is in CLOSED state, the Password method is allowing to perform a full regression, using the defined password.

Once the device is in CLOSED state, the Certificate method is allowing using a key to perform the operations allowed by the certificate. (see in next sections)

• The next step is to compile the iloader

5. Appendix