How to start with certificate linked to SOC class and ID on STM32H5

Revision as of 15:56, 12 February 2024 by Registered User



Target description

The generation of a root certificate and a certificate chain and how to use it to open the debugger through a debug authentication are explained in the two following articles:

The purpose of this article is to explain how to generate a certificate and a certificate chain valid only for one specific MCU product and for one specific sample.


Introduction

It is advised to first read the following article: Debug Authentication STM32H5 How to Introduction.
Also read the chapter about the root certificate and the certificate chain included in one of the "How to start" articles mentioned previously.


Prerequisites

To try out the certificate and certificate chain that will be generated, a provisioned board with application code installed and running is needed.
It is advised to use one of the two following examples based on the STM32Cube Firmware.
Execute chapter 1 to chapter 4.



1. Unhide the required fields in STM32 Trusted Package Creator

  • To link a certificate or certificate chain to a specific product, the ID called the SOC class (in accordance with the ARM PSA ADAC specification) needs to be specified.
  • To link a certificate or certificate chain to a specific sample die, the ID called the SOC ID (in accordance with the ARM PSA ADAC specification) needs to be specified.

By default, the fields used to specify these IDs are not available in STM32 Trusted Package Creator.
The modifications shown below are needed in the STM32_CertifGen_DB_0x484.xml file.
This file is located in the STM32CubeProgrammer directory: STM32CubeProgrammer\bin\TPC_CertifGen_Data_Base.


Figure 1 Unhide SOC Class SOC ID in TPC
  • Change: <Hidden>1</Hidden>
  • Into: <Hidden>0</Hidden> (lines 57 and 62 in the above figure example)

The next chapter shows how these fields become visible in STM32 Trusted Package Creator.
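The edit above can be scripted so that only the intended `<Hidden>` flags change, any other hidden field stays hidden, and a backup of the database file is kept. This is an added example, not code from ST or from the original article; the sample XML is constructed (only the `<Hidden>` tag comes from the article), and the line numbers must be read from your own copy of the file, since 57 and 62 are those of the figure example.

```python
import re
import shutil
from pathlib import Path

# Constructed sample: only <Hidden> comes from the article, other tags are hypothetical.
SAMPLE = """<Fields>
  <Field><Name>SOC Class</Name>
    <Hidden>1</Hidden></Field>
  <Field><Name>SOC ID</Name>
    <Hidden>1</Hidden></Field>
  <Field><Name>Unrelated field</Name>
    <Hidden>1</Hidden></Field>
</Fields>
"""

HIDDEN_ON = re.compile(r"<Hidden>\s*1\s*</Hidden>")

def hidden_lines(text):
    """Return the 1-based numbers of lines that carry <Hidden>1</Hidden>."""
    return [n for n, line in enumerate(text.splitlines(), 1)
            if HIDDEN_ON.search(line)]

def unhide(text, line_numbers):
    """Set <Hidden> to 0 on the given lines only; refuse if a line is not a set flag."""
    lines = text.splitlines(keepends=True)
    for n in line_numbers:
        if not 1 <= n <= len(lines) or not HIDDEN_ON.search(lines[n - 1]):
            raise ValueError(f"line {n} does not contain <Hidden>1</Hidden>")
    for n in line_numbers:
        lines[n - 1] = HIDDEN_ON.sub("<Hidden>0</Hidden>", lines[n - 1], count=1)
    return "".join(lines)

def unhide_file(path, line_numbers):
    """Apply unhide() to a file in place, keeping a one-time .bak copy beside it."""
    path = Path(path)
    backup = path.with_name(path.name + ".bak")
    if not backup.exists():
        shutil.copy2(path, backup)
    # Bytes in, bytes out, so the file's original line endings are preserved.
    text = path.read_bytes().decode("utf-8")
    path.write_bytes(unhide(text, line_numbers).encode("utf-8"))
    return backup

if __name__ == "__main__":
    print("hidden flags on lines:", hidden_lines(SAMPLE))
    print(unhide(SAMPLE, [3, 5]))
```

Run `hidden_lines` on the real file first and compare the reported lines with the SOC Class and SOC ID entries before passing them to `unhide_file`.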
