How to start with STM32CubeMX OEMiRoT Boot path on STM32H563

Revision as of 15:32, 16 June 2023 by Registered User (→‎GPIO configuration)


Target description

This article explains, step by step, how to generate a boot path using STM32CubeMX.
The example below shows how to configure and provision an OEMiRoT boot path, with initial code generation for a secure and a non-secure user application.
Read the Secure Boot STM32H5 How to Introduction article before starting the practical example described below.

More technical details you may need to understand this getting started are available in the following articles:

This how-to uses boot path number 1 in the figure below.

Figure 1 STM32H5 Bootpath CubeMx examples

Prerequisites

To execute the example described below, you need:

  • NUCLEO board: NUCLEO-H563ZI
  • The following tools:
    • STM32CubeMx_6.9.0 or later (for installation, see appendix)
    • IAR Embedded Workbench rev 9.20.1 or later

Note:

  • STM32 Trusted Package Creator (TPC) is automatically installed during the STM32CubeMX installation. There is a TPC version dedicated to STM32CubeMX and installed in the STM32CubeMX/utilities folder.
  • The latest STM32Cube_FW revision is installed through STM32CubeMX (see appendix)
  • If needed, set the Windows environment variable (see appendix). This is required if the H5 does not appear in the “Access to MCU Selector” of STM32CubeMX.

1. Setting the STM32CubeMX project

Launch STM32CubeMX

  • 1) Click on Access to MCU selector (for this example it is easier to enable only the needed GPIOs, so the MCU selector is advised instead of the board selector).
  • 2) Select the STM32H5 series and select the device used on the NUCLEO-H563ZI
  • 3) Click Start Project
  • 4) Enable TrustZone: as shown in Figure 1, the OEMiRoT boot path requires TrustZone (TZ) to be enabled.


Set the STM32CubeMX project:

  • 1) Type the name of the project (the related folder will be created)
  • 2) Choose the folder for this project (avoid a long path)
  • 3) Tick both the Secure and Non-secure projects
  • 4) Select the toolchain; for this example EWARM is used
  • 5) File -> Save Project: the project folder (if it does not already exist) and the STM32H563_OEMiROT.ioc file are created

2. GPIO configuration

For this example, three GPIOs need to be configured for the discovery board:

  • PF4 for the blue LED used in the secure user application code
  • PC13 for the blue user button used in the secure user application code
  • PB0 for the green LED used in the non-secure user application code


In STM32CubeMX, select the Pinout & Configuration window.

To configure the GPIO for the blue LED, proceed as follows:

  • Left-click on PF4 and select GPIO_Output: a push-pull output, as needed to drive an LED, is configured
  • Right-click on PF4 and select Cortex-M33 secure. This GPIO is then assigned to the secure user application code

To configure the blue user button, proceed as follows:

  • Left-click on PC13 and select GPIO_Input
  • Right-click on PC13 and select Cortex-M33 secure. This GPIO is then assigned to the secure user application code

To configure the GPIO for the green LED, proceed as follows:

  • Left-click on PB0 and select GPIO_Output: a push-pull output, as needed to drive an LED, is configured
  • Right-click on PB0 and select Cortex-M33 non-secure. This GPIO is then assigned to the non-secure user application code
  • Select GPIO: the summary of the settings is displayed as shown in the figure below
Figure 15 GPIO setting summary
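
What the secure / non-secure pin assignment above means at run time, as an added example (not part of the original article and not STM32CubeMX-generated code): a host-side C model in which each port has a 16-bit secure mask, modelled on the GPIOx_SECCFGR register, and a non-secure write to a secure pin is ignored. All type and function names are hypothetical, and the all-secure reset state is an assumption of the model; on the target, the STM32H5 HAL sets this attribute with HAL_GPIO_ConfigPinAttributes and GPIO_PIN_SEC / GPIO_PIN_NSEC.

```c
#include <stdint.h>
#include <stdio.h>

/* Host-side model, not HAL code: one 16-bit secure mask per port,
   bit n set = pin n is secure. All names here are hypothetical. */
enum { PORT_B, PORT_C, PORT_F, PORT_COUNT };
typedef enum { PIN_NSEC = 0, PIN_SEC = 1 } pin_attr_t;
typedef struct { uint16_t sec_mask; uint16_t out; } gpio_model_t;
static gpio_model_t ports[PORT_COUNT];

/* Assumed reset state with TrustZone enabled: every pin starts out secure. */
void gpio_model_reset(void) {
    for (int p = 0; p < PORT_COUNT; p++) { ports[p].sec_mask = 0xFFFF; ports[p].out = 0; }
}

/* Only secure code may change a pin's attribute; returns 0 on success, -1 if refused. */
int gpio_set_attr(int port, unsigned pin, pin_attr_t attr, int caller_secure) {
    if (!caller_secure || port < 0 || port >= PORT_COUNT || pin > 15) return -1;
    uint16_t bit = (uint16_t)(1u << pin);
    if (attr == PIN_SEC) ports[port].sec_mask |= bit;
    else ports[port].sec_mask &= (uint16_t)~bit;
    return 0;
}

/* Drive an output pin; a non-secure write to a secure pin is silently ignored.
   Returns 1 if the write took effect, 0 if it was ignored. */
int gpio_write(int port, unsigned pin, int level, int caller_secure) {
    if (port < 0 || port >= PORT_COUNT || pin > 15) return 0;
    uint16_t bit = (uint16_t)(1u << pin);
    if (!caller_secure && (ports[port].sec_mask & bit)) return 0;
    if (level) ports[port].out |= bit; else ports[port].out &= (uint16_t)~bit;
    return 1;
}

/* The partition chosen in this article, applied by secure code after reset. */
void apply_article_partition(void) {
    gpio_model_reset();
    gpio_set_attr(PORT_F, 4, PIN_SEC, 1);   /* PF4: blue LED, secure application */
    gpio_set_attr(PORT_C, 13, PIN_SEC, 1);  /* PC13: user button, secure application */
    gpio_set_attr(PORT_B, 0, PIN_NSEC, 1);  /* PB0: green LED, non-secure application */
}

int main(void) {
    gpio_model_reset();
    printf("before partition, NS write to PB0 applied: %d\n", gpio_write(PORT_B, 0, 1, 0));
    apply_article_partition();
    printf("after partition,  NS write to PB0 applied: %d\n", gpio_write(PORT_B, 0, 1, 0));
    printf("after partition,  NS write to PF4 applied: %d\n", gpio_write(PORT_F, 4, 1, 0));
    return 0;
}
```

In this model, a green LED that never lights from the non-secure application corresponds to PB0 having been left secure, which is the case the "Cortex-M33 non-secure" assignment in the pinout view avoids.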

3. Appendix

3.1. STM32CubeFW installation

The STM32CubeFW needs to be installed through STM32CubeMX.

  • Step 1: the repository folder has to be defined:
    • In STM32CubeMX: Help menu -> Updater Settings
    • Browse to the repository folder you have chosen for the STM32CubeFW


Figure 26 STM32CubeFW repository setting
  • Step 2: STM32CubeFW installation
    • In STM32CubeMX: Select Install/Remove
    • In the description frame: select STM32H5
    • Select the CubeFW package to install
    • If you have the STM32CubeFWH5 zip file locally, it can be installed by dragging and dropping this file into the description window

Note: only official STM32CubeFW releases can be installed by STM32CubeMX.

Figurex STM32CubeFW installation