How to start with DA access on STM32H503

How to start with Debug authentication access on STM32H50345min

Target description

This page is a candidate for renaming (move). The requested new name is: How to start with Debug authentication access on STM32H503 product lines . The supplied reason is: Avoiding acronyms such as DA and being more precise by indicating STM32H503 are product lines . -- Registered User (-) 17:15, 14 June 2023 (CEST). Wiki maintainers: remember to update the pages that link this page before renaming (moving) it.

This tutorial details provisioning and full regression on STM32H503 product lines.

The provisioning process goes through 3 steps:

• Programming of Initial Option Bytes.
• Generating and flashing the code image.
• Provisioning of password.

The fourth step details a full regression.

Prerequisites

• Introduction to Debug Authentication for STM32H5 MCUs
• RM0492 STM32H503xx Reference Manual
• knowledge of STM32CubeProgrammer
• knowledge of JTAG / SWD interface
  

Hardware

• Nucleo MB1814 with STM32H503

Required tools

• STM32CubeProgrammer^[1] Software programming tool for STM32 (v2.13.0 min)
  • Including STM32TrustedPackageCreator
• STM32Cube_FW_H5_V1.0.0 ^[2] or upper
• IAR Embedded Workbench v9.20.1 or upper
• Tera Term or equivalent UART Terminal emulator

Literature

• Introduction to Debug Authentication for STM32H5 MCUs
• RM0492 STM32H503xx Reference Manual
• UM2237 STM32CubeProgrammer software description
• UM2238 STM32 Trusted Package Creator tool software description
• AN5054 Secure programming using STM32CubeProgrammer
• AN2606 STM32 microcontroller system memory boot mode

Environment setup

Before starting, the first step is to prepare the environment to be able to go through the Debug authentication process.

• Download the STM32CubeH5 package and install it

A directory NUCLEO-H503RB is included in the Projects directory

Warning

Place STM32CubeH5 package close to the C: root , to avoid longer paths.

Warning

If STM32CubeProgrammer has not been installed in the default folder, the customized installation paths need to be updated in the following script :NUCLEO-H503RB\ROT_Provisioning\env.bat :: ============================================================================== :: General :: ============================================================================== :: Configure tools installation path set stm32programmercli="C:\Program Files\STMicroelectronics\STM32Cube\STM32CubeProgrammer\bin\STM32_Programmer_CLI.exe" set stm32tpccli="C:\Program Files\STMicroelectronics\STM32Cube\STM32CubeProgrammer\bin\STM32TrustedPackageCreator_CLI.exe"

1. Specific behaviors of the STM32H503 product lines

The STM32H503 product lines are based on the STM32H5x3 device architecture, without any Arm^® TrustZone^®.
To make regression possible with Debug Authentication , a password must be provisioned on the STM32H503 product line.

The flash interface does not provide OBKeys --> OTP is used to provision the HASH of the password.

Warning

Once provisioned during the provisioning step, the password cannot be changed anymore. The user must remember the password.

2. Provisioning

The script NUCLEO-H503RB\ROT_Provisioning\DA\provisioning.bat does the provisioning.
This script performs the following actions :

• Setting the option bytes of the device.
• Setting a password to the board.
• Setting the final chosen product state according to user selection.

2.1. Provisioning - Step1 : Programming of Initial Option Bytes

1. Connect the board.
2. Run the provided provisioning.bat script (double click).The script proceeds with Option Bytes programming.
3. Remove all the protections.
4. Erase the user flash.

2.2. Provisioning - Step2 : Generating and flashing the code image

Once the Option Bytes are successfully programmed, the script asks to flash your application. Follow the instructions.

Warning

Do not close the provisioning script window. Do not disconnect the board.

In the example, we use the GPIO_IOToggle application located in : Projects\NUCLEO-H503RB\Examples\GPIO\GPIO_IOToggle\EWARM

Check that the STM32H5 IAR patch is installed properly. This patch is available in the Utilities\PC_Software\IDEs_Patches\EWARM folder.

• Open the Project.eww, located in the EWARM directory :Projects\NUCLEO-H503RB\Examples\GPIO\GPIO_IOToggle\EWARM
• Go to Project --> Rebuild all

• Once the project is correctly built, go to : Project --> Download --> Download active application to flash the code.

• Reset the board using the black button. The green led must blink at that stage.

2.3. Provisioning - Step3 : Provisioning the password and setting the final product state

2.3.1. Password not yet provisioned

Warning

If the password has already been provisioned, go to 3.2 - Password already provisioned On STM32H503 MCUs, the password is provisioned on OTP. Once provisioned, the password cannot be changed.

• Go back to provisioning script window and press a key to continue.
• The script asks whether the password has been already provisioned.

Before answering "No", you have the possibility to update the default password in the user_password.bin file.

User_passord.bin : where you define the password (16 bytes) that will be provisioned

Board_password.bin : HASH of user password which will be provisioned in the chip

Password.bin : output file in order to open the DA access for regression

Board_password.bin and Password.bin files will be automatically updated with the new password saved in user_password.bin during provisioning script.

You can also continue script without updating the default password . Answer “No” to continue

Warning

The password can't be updated after this step

• Follow the script and choose the product state (PROVISIONED or CLOSED )

Warning

Reminder that LOCKED is a definitive product step that can’t be changed anymore.

Make a first trial setting the product in PROVISIONED state :

--> the installed code must run and the led blink

ignore next paragraph 3.2 and jump directly to step4 : Full regression

2.3.2. Password already provisioned

Warning

if you already provisioned password jump directly to 4- Full Regression

• Go back to provisioning script window and press a key to continue procedure.
• The script asks if password is already provisioned.
  

Answer "Yes" to continue

• Follow the script and choose the product state (PROVISIONED or CLOSED)

Warning

Reminder that LOCKED is a definitive product step that can’t be changed anymore.

Make a first trial setting the product in PROVISIONED state :

--> the installed code must run and the led blink

Complete the tutorial till the end.

3. Full regression

• A full regression will erase the user stored contents.
  • Erase the user flash content
  • Set the product in open state

• If the product is in Open state, a full regression is not needed since the device is not secured and changes can be done without any authentication.
  

In case the regression script is executed, it will indicate some errors

• If the product is not in Open state, the only way to change the product state is to first do a full regression

3.1. Full regression using the provided script

The regression can be done using the provided script or using CubeProgrammer (see 4.2)

To perform a full regression

• Launch the regression.bat script located in ROT_Provisioning\DA
• If the regression has succeeded the following message should be displayed
  

Connect STM32CubeProgrammer and check that the flash content is well erased and that the option bytes and product state are at default values.

3.2. Full regression using STM32CubeProgrammer

• Disconnect the CubeProgrammer, remove/plug the USB cable
• Redo the exercise starting at step1, set the “CLOSED” state
• Select in CubeProgrammer and select “Debug Authentication”
• Click “Discover” the information window will be filled

• Enter the password.bin file

• Click Full regression and you get this successfull message box :

• Check with CubeProgrammer that the flash content is well erased and that the product state and option bytes are at default values thanks ST link SWD.

4. References