A set of practical trainings is proposed to get an overview and to understand the STM32H5 security solutions.
These trainings are based on the boards, tools and code examples provided by ST.
This article gives an overview of these proposed trainings.
For the examples listed below, each step to be done is described in detail.
It is advised to start with these examples before making your own trials or using other security-related examples available in the STM32Cube_FW_H5.
In this article you will access the following security features of the STM32H5:
Security functions embedded on: | ![]() | ![]() | ![]() |
---|---|---|---|
Secure boot and firmware update | YES | YES | YES |
SBSFU legacy | YES | NO | NO |
SBSFU by mcuboot | NO | YES | YES |
STiROT | NO | YES | YES |
Isolation | YES | YES | YES |
HDP | YES | YES | YES |
TF-M | NO | YES | YES |
Secure manager | NO | NO | YES |
IP protection | YES | YES | YES |
Secure provisioning | YES | YES | YES |
Initial attestation | YES | YES | YES |
SMAK | NO | NO | YES |
SMDK | NO | NO | YES |
Cryptography | YES | YES | YES |
ST crypto lib | YES | YES | YES |
Crypto libraries | YES | YES | YES |
Crypto lib usage | YES | YES | YES |
Silicon device life cycle | YES | YES | YES |
Legacy RDP | NO | NO | NO |
Secure manufacturing | YES | YES | YES |
SFI | YES | YES | YES |
SFIx | YES | YES | YES |
Provisioning | YES | YES | YES |
Secure storage | NO | YES | YES |
Attestation | YES | YES | YES |
1. Secure Boot
STM32CubeMX can be used to set the desired bootpath and to generate the related firmware frame.
- The Secure_Boot_for_STM32H5 wiki article explains the possible bootpaths for the different STM32H5 series.
- The How_to_intro_Secure_boot_for_STM32H5 wiki article gives a short technical introduction to be read before executing the getting started.
- The How_to_start_with_STM32CubeMX_OEMiROT_Boot_path_on_STM32H573 wiki article explains step by step how to proceed.
- Prerequisites for How to start with STM32CubeMX OEMiROT Boot path on STM32H573
  - STM32H573I-DK Discovery kit
  - STM32CubeMX: STM32CubeMX link for installation
2. Debug Authentication
It is key to understand well how to set the Debug Authentication, in order to define the desired rights to reopen the debugger once it has been closed.
- It is strongly advised to read the Debug_Authentication_for_STM32H5_MCUs wiki article.
- The Debug_Authentication_STM32H5_How_to_Introduction wiki article summarizes all the technical know-how to be read before executing the getting started.
- Two getting-started examples dedicated to Debug Authentication (DA) are proposed; they use the GPIO_IOToggle of the STM32CubeFW as the user application firmware.
- Two further getting-started examples address Debug Authentication and include a step-by-step section showing the principle of the certificate chain and how to use it. However, the related step-by-step procedure must be executed starting from the beginning.
- Part of the STiROT how to start: How_to_start_with_ST-iROT_on_STM32H573#Debug_Authentication
- Part of the OEMiROT how to start: How_to_start_with_OEM-iROT_on_STM32H573_%E2%80%93_TrustZone_enabled#OEMiROT_Step_by_step-_Debug_Authentication
3. OEMiROT
4. STiROT
5. Secure Manager