How to start with certificate linked to SOC class and ID on STM32H5

This message will disappear after all relevant tasks have been resolved.

Semantic MediaWiki

There are 1 incomplete or pending task to finish installation of Semantic MediaWiki. An administrator or user with sufficient rights can complete it. This should be done before adding new data to avoid inconsistencies.

How to start with certificate linked to SOC class and ID on STM32H5

Target description

The generation of a root certificate and a certificate chain and how to use it to open the debugger through a debug authentication are explained in the two following articles:

The purpose of this article is to explain how to generate a certificate and a certificate chain valid only for one specific MCU product and for one specific sample.

Introduction

It is advised to read the following article: Debug Authentication STM32H5 How to Introduction.
Read the chapter about the root certificate and the certificate chain included in one of the "How to start" mentioned previously.

Prerequisites

To try out the certificate and certificate chain that will be generated, a provisioned board is needed with an installed running application code.
It is advised to use one of the two following examples based on the STM32Cube Firmware.
Execute chapter 1 to chapter 4

1. Unhide of the required field in STM32 Trusted Package Creator

To link a certificate or certificate chain to a specific product, the ID called the SOC class (in accordance with to the ARM PSA ADAC specification) needs to be specified.
To link a certificate or certificate chain to a specific sample die, the ID called the SOC ID (in accordance with to the ARM PSA ADAC specification) needs to be specified.

By default, the field to specify these ID are not available in STM32 Trusted Package Creator.
A modification of the certificate generation xml file is needed.
This file is located in STM32CubeProgrammer directory: STM32CubeProgrammer\bin\TPC_CertifGen_Data_Base.
The ID of the product is indicated in the Reference Manual or can be find out using STM32CubeProgrammer as indicated in the next chapter.
For this example, this ID called SOC Class (or also target ID) is 0x484 (STM32H57/6)
The STM32_CertifGen_DB_0x484.xml file needs to be update according to the following description

Figure 1 Unhide SOC Class SOC ID in TPC

Change: <Hidden>1</Hidden>
Into: <Hidden>0</Hidden> (line 57 and 62 in the above figure example)

With these modifications the related fields will be visible in STM32 Trusted Package Creator.

2. STM32CubeProgrammer Discover to read SOC Class and SOC ID

Open STM32CubeProgrammer, see figure below.

1. Click on the Shield
2. Click on Discover
3. According to the prerequisites, an application code is installed and the device has been set in Closed state
4. From the Log window the SOC ID value can be copied, the SOC Class (target ID) value is also indicated.

Figure 2 Use the Discover to read the SOC ID and the SOC Class

The next chapter shows how these two values are used with STM32 Trusted Package Creator to generate certificates.

3. Generation of Root certificate and certificate chain linked to SOC ID and SOC Class

With the modification explained previously, done for the STM32_CertifGen_DB_0x484.xml file, STM32 Trusted Package Creator is displaying the SOC Class and SOC ID fields as shown in the next sections.

3.1. Root certificate generation

Open STM32TrustedPackageCreator
1. Click on the Shield
2. Select "Debug Authentication - Certificate Generation"
3. Select the STM32H56/573
4. Select "ROOT" to generate the root certificate
5. Enter the path for the root private and public keys of the "How to start" (see prerequisite)
6. For the SOC class and SOC ID:
- It is possible to link the complete certificate chain to the SOC Class and SOC ID, but it is also possible to link only the leaf certificate to these IDs.
- Untick "Scope-limiting unconstrains".
- If "0" is entered in the fields the root certificate will not be linked to the SOC Class or to the SOC ID.
- See the figure 4 to enter the SOC Class and SOC ID.
7. Set the wanted permission mask
8. Select the Certificate directory of the CubeFW example and chose the name for the root certificate.

Figure 3 Root certificate generation

Enter the SOC Class and SOC ID
To link the certificate to the SOC Class and / or to the SOC ID, it has to be entered as shown in the following picture.

The SOC Class needs to be entered manually, with the following format 0X8404 (for ID 0x484) (solution to improve this point is under investigation).
The SOC ID (also called target ID) can be cut and paste from the STM32CubeProgrammer log window, as indicated in figure 2.

Figure 4 Enter the SOC ID and the SOC Class