How to start with certificate linked to SOC class and ID on STM32H5

Revision as of 11:40, 12 February 2024 by Registered User



Target description

The generation of a root certificate and a certificate chain and how to use it to open the debugger through a debug authentication are explained in the two following articles:

The purpose of this article is to explain how to generate a certificate and a certificate chain valid only for one specific MCU product and for one specific sample.


Introduction

It is advised to read the following article: Debug Authentication STM32H5 How to Introduction.
Read the chapter about the root certificate and the certificate chain included in one of the "How to start" articles mentioned previously.


Prerequisites

To try out the certificate and certificate chain that will be generated, a provisioned board with application code installed and running is needed. It is advised to use one of the two following examples based on the STM32Cube Firmware.


  • Hardware
    • STM32H573 discovery board: the STM32H573 devices have all the available security features, including the HW crypto accelerator. (Note that for the STM32H56x devices, the HW crypto is not available)
    • Discovery MB1677 - STM32H573 (a USB-C cable is needed)


  • Required tools
    • STM32Cube_FW_H5_V1.0.0 or later
    • STM32CubeProgrammer_rev2.13.0 or more recent (with trusted package creator (TPC) selected at installation).
    • IAR Embedded Workbench® rev 9.20.1 or later.
    • Tera Term / Putty or equivalent terminal emulator.


  • STM32Cube Firmware
    • Download the STM32CubeFW_H5 Cube firmware (place it as close as possible to the C: root, to avoid long Windows paths)
    • A directory STM32H573I-DK is included in the “Projects” directory
    • If the STM32CubeProgrammer has not been installed in the default folder: C:\Program Files\STMicroelectronics\STM32Cube\STM32CubeProgrammer, the customized installation path needs to be updated in the environment variable: env.bat


  • Check that the selected application path is correct, as shown in the figure below: for the following tutorial, the STiRoT fully secured example is described => The STiROT_Appli must be active.


Literature


Step by step instructions

  • The different stages to configure and use the STiRoT are based on a script provided in the STM32CubeFW (provisioning.bat).
  • The following documentation is a guide through all the steps of this script, and explains how to perform each of them.

