STiRoT STM32H7S How to Intro

Revision as of 17:32, 29 January 2024 by Registered User

STiRoT stands for ST immutable (unchangeable) Root Of Trust. The STiRoT is embedded in all STM32H7S devices.

1. Introduction

The purpose of this article is to provide the background needed to understand and execute the related How to start with STiRoT on STM32H7S wiki article. It describes the STiRoT process steps implemented in the STM32CubeH7RS firmware package provided by ST.

For more information about STiRoT, please refer to STiRoT for STM32H7S.

2. STiRoT services

STiRoT provides two services; both are used in the How to start with STiRoT on STM32H7S article.

1) The Secure Boot (Root of Trust services):
It is immutable code that runs after every system reset. It activates the STM32 runtime protections and verifies the authenticity and integrity of the application code before every execution.
  • Integrity: to ensure that no corrupted or maliciously modified firmware is about to run.
  • Authenticity: to verify that the firmware comes from a trusted and known source, preventing unauthorized entities from installing and executing code.
2) The Secure Firmware Update:
It is immutable code that detects whether a new firmware image is available, checks its authenticity and verifies the integrity of the code, and installs it after decryption.

3. STiRoT use cases and processes

STiRoT can be used in two configurations:

  • One boot stage: STiRoT directly manages the user application. At reset, STiRoT first requests iLoader to load the user application from external flash to internal RAM. Then, after successful verification of the authenticity and integrity of the user application, STiRoT executes it.

(Figure: Security STiRoT 1bootstage.png, one boot stage)

  • Two boot stages: STiRoT manages an updatable boot stage (OEMuRoT), which in turn manages the user application. The updatable boot stage can be customized to fit the customer's needs.

(Figure: Security STiRoT 2bootstages.png, two boot stages)

4. STiRoT configuration preliminary stage

4.1. Product state definition

The product states define the security level of the product. Four levels are available:

  • Open:
      • Debug entirely open.
      • Bootloader available.
      • State mainly used during development.
  • Provisioning:
      • Debug access only available if DA-Config has previously been provisioned. Full-Regression and Intrusive Debug are the only allowed regressions.
      • Bootloader available.
      • Secure Firmware Install (SFI) can be initiated. It is not possible in the Closed and Locked states.
      • State set during the product provisioning; it is therefore not a selectable state.
  • Closed:
      • Debug closed, but it can still be opened through Debug Authentication.
      • State set when the product is entirely provisioned.
  • Locked:
      • Final and immutable product state.
      • Debug definitively closed, even through Debug Authentication.
      • Regression is no longer possible.
      • State used for the fully provisioned product.

The product state must be chosen according to the user application development phase and the security level needed.
In the STM32CubeH7RS firmware, the provisioning.bat script lets the user select a product state and sets it by modifying the corresponding option bytes.

4.2. Debug Authentication configuration

Debug Authentication allows the user to securely reopen the debug access or perform regressions. Two methods are available:

  • Password authentication allows only a full regression to the OPEN state.
  • Certificate authentication allows both regression and debug reopening.

For more details about the debug authentication mechanism, please refer to Debug Authentication for STM32H7RS.

4.3. iLoader compilation

STiRoT never accesses the external flash memory itself; it relies on an immutable loader installed in the user flash to handle the transfers between internal RAM and the external flash memory.

The iLoader, provided in the STM32Cube_FW_H7RS package, is an example of such an immutable loader application and includes the functions that implement the iLoader features.

5. Configuration management

5.1. STiRoT configuration

The STM32TrustedPackageCreator tool is used to generate the STiRoT configuration file (.obk) from the STiROT_Config.xml template provided in the STM32CubeH7RS software package.
The user can set several parameters:

  • The start address of the firmware area (internal RAM).
  • The size of the firmware area.
  • The start address of the firmware installation area (external flash).
  • The start address of the firmware download area (external flash).
  • The minimal product state allowed for the firmware execution.

Two keys are configurable :

  • The encryption key, used to encrypt the firmware image.
  • The authentication key, used to authenticate the firmware image.

For the STiRoT use case, the STiRoT configuration file (.obk) is encrypted and saved in the HDPL1 OBKeys area.

For the two-boot-stage use case, other parameters can be updated in the OEMuRoT boot firmware (in this use case the OEMiRoT boot application acts as the OEMuRoT). This firmware must be able to perform the authenticity and integrity checks of the user application and data images. It also configures the number of user applications and images.
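To make the checks described in sections 2 and 5.1 concrete, here is an added Python model of the Secure Boot and Secure Firmware Update decisions; it is not ST's code and does not reproduce the real STiRoT image format. HMAC-SHA256 stands in for the real authentication scheme, decryption is omitted, and the configuration values and key are constructed.

```python
import hashlib
import hmac

# Product states from section 4.1, ordered from least to most secure.
PRODUCT_STATES = ["Open", "Provisioning", "Closed", "Locked"]

# Constructed stand-ins for the STiROT_Config.xml parameters listed above
# (addresses and key are illustrative, not values from ST documentation).
CONFIG = {
    "fw_ram_start": 0x24000000,     # firmware area start (internal RAM)
    "fw_size": 0x10000,             # firmware area size
    "install_start": 0x70000000,    # firmware installation area (external flash)
    "download_start": 0x70100000,   # firmware download area (external flash)
    "min_product_state": "Closed",  # minimal product state allowed for execution
    "auth_key": b"constructed-authentication-key",
}

def build_image(code: bytes, auth_key: bytes) -> dict:
    """Assemble an image: the digest carries integrity, the tag over the
    digest carries authenticity (HMAC stands in for the real signature)."""
    digest = hashlib.sha256(code).digest()
    tag = hmac.new(auth_key, digest, hashlib.sha256).digest()
    return {"code": code, "digest": digest, "tag": tag}

def boot_decision(image: dict, device_state: str, cfg: dict = CONFIG) -> str:
    """Secure Boot model: return 'execute' or the reason the image is refused.
    Authenticity is checked before integrity so that an untrusted digest is
    never used as a reference."""
    if len(image["code"]) > cfg["fw_size"]:
        return "refused: image does not fit the firmware area"
    expected_tag = hmac.new(cfg["auth_key"], image["digest"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected_tag, image["tag"]):
        return "refused: authenticity check failed"
    if not hmac.compare_digest(hashlib.sha256(image["code"]).digest(), image["digest"]):
        return "refused: integrity check failed"
    if PRODUCT_STATES.index(device_state) < PRODUCT_STATES.index(cfg["min_product_state"]):
        return "refused: product state below the configured minimum"
    return "execute"

def secure_firmware_update(download_slot, installed, device_state, cfg=CONFIG):
    """Secure Firmware Update model: an image found in the download area
    replaces the installed one only if it passes the same checks."""
    if download_slot is None:
        return installed, "no new image"
    verdict = boot_decision(download_slot, device_state, cfg)
    if verdict != "execute":
        return installed, verdict
    return download_slot, "installed"
```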

5.2. Debug Authentication configuration

STM32TrustedPackageCreator also generates the Debug Authentication configuration file (.obk) from a template provided in the STM32CubeH7RS software package. This file defines the conditions under which the debug access of a protected device can be reopened.

For more details about debug authentication mechanisms, please refer to Debug authentication for STM32H7RS MCUs.

6. Images generation

STM32CubeH7RS FW package delivers Boot firmware and User firmware projects for OEMiRoT use case in Applications\ROT folder.

During this step the STiRoT_Appli firmware is compiled, and the image of the user application is generated automatically (STM32TrustedPackageCreator is called in a post-build script). For the two-boot-stage use case, the OEMiRoT firmware (used as the OEMuRoT firmware) is also compiled and its image is generated automatically in the same way.

7. Provisioning

During this step the script automatically provisions the option bytes and flashes the images generated in the previous step. The product state is then set to the selected one.

8. Regression

A regression can be performed through the graphical interface of STM32CubeProgrammer or through the regression script provided in the STM32CubeH7RS software package.

9. How to start with STM32H7S and STiRoT

For getting-started examples of STiRoT, you can refer to the following pages: