A set of practical trainings is proposed to get an overview and to understand the STM32H5 security solutions.
These trainings are based on the boards, tools and code examples provided by ST.
This article gives an overview of these proposed trainings.
For the examples listed below, each step to be done is described in detail.
It is advised to start with these examples before making your own trials or using other security related examples available in the STM32Cube_FW_H5.
In this article you will access the following security features of the STM32H5
| Security functions embedded on: |  |
 |
|
|---|---|---|---|
| Secure boot and firmware update | YES | YES | YES |
| SBSFU legacy | YES | NO | NO |
| SBSFU by mcuboot | NO | YES | YES |
| STiROT | NO | YES | YES |
| Isolation | YES | YES | YES |
| HDP | YES | YES | YES |
| TF-M | NO | YES | YES |
| Secure manager | NO | NO | YES |
| IP protection | YES | YES | YES |
| Secure provisioning | YES | YES | YES |
| Initial attesation | YES | YES | YES |
| SMAK | NO | NO | YES |
| SMDK | NO | NO | YES |
| Cryptography | YES | YES | YES |
| ST crypto lib | YES | YES | YES |
| Crypto libraries | YES | YES | YES |
| Crypto lib usage | YES | YES | YES |
| Silicon device life cycle | YES | YES | YES |
| Legacy RDP | NO | NO | NO |
| Secure manufacturing | YES | YES | YES |
| SFI | YES | YES | YES |
| SFIx | YES | YES | YES |
| Provisioning | YES | YES | YES |
| Secure storage | NO | YES | YES |
| Attestation | YES | YES | YES |
1. Secure Boot
The Secure Boot and related Root of Trust is implicitly used in all the proposed " How to start" step by step examples.
But a bootpath can be defined from scratch and a related firmware frame generated using the STM32CubeMx.
The proposed example on this topic is based on STM32CubeMx
- The Secure_Boot_for_STM32H5 wiki article explains the possible bootpaths for the different STM32H5 series.
- The How_to_intro_Secure_boot_for_STM32H5 wiki article gives a short technical introduction to be read before executing the getting started.
- The How_to_start_with_STM32CubeMX_OEMiROT_Boot_path_on_STM32H573 wiki article explains step by step how to proceed.
2. Debug Authentication
It is key to well understand how to set the Debug Authentication in order to define the wanted rights to reopen the debugger once closed.
- It is strongly advised to read Debug_Authentication_for_STM32H5_MCUs wiki article.
- The Debug_Authentication_STM32H5_How_to_Introduction wiki article summarizes all the technical know-how to be read before executing the getting started.
- Two getting started dedicated to the DA are proposed, using for the user application firmware the GPIO_IOToggle of the STM32CubeFW.
- Two further getting started examples address the Debug Authentication including a step-by-step section showing the principle of the certificate chain and how to use it. But it needs to execute the related step-by-step starting from the beginning.
- Part of the STiROT how to start: How_to_start_with_ST-iROT_on_STM32H573#Debug_Authentication
- Part of the OEMiROT how to start: How_to_start_with_OEM-iROT_on_STM32H573_%E2%80%93_TrustZone_enabled#OEMiROT_Step_by_step-_Debug_Authentication
3. OEMiROT
An Immutable Root of Trust firmware can be developed by an OEM.
It is advised to read the Secure_Boot_for_STM32H5 wiki article to understand the different possible Root of Trust.
The proposed examples are based on the STM32CubeFW.
- The OEMiROT_STM32H5_How_to_Introduction wiki article gives a short technical introduction to be read before executing the getting started.
- Two getting started dedicated to the OEMiROT are proposed
4. STiROT
5. Secure Manager
rrrr