Secure Boot STM32H5 How to Introduction

Revision as of 16:49, 18 April 2023 by Registered User (Created page with "<big><big><big>''Bootpath STM32H5 using STM32CubeMX How to Introduction''</big></big></big> <br> <big><big>'''Target description'''</big></big><br> The purpose of this arti...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
This message will disappear after all relevant tasks have been resolved.
Semantic MediaWiki
There are 1 incomplete or pending task to finish installation of Semantic MediaWiki. An administrator or user with sufficient rights can complete it. This should be done before adding new data to avoid inconsistencies.

Bootpath STM32H5 using STM32CubeMX How to Introduction


Target description

The purpose of this article is to provide the background needed to understand and execute the related "how to start".
This introduction article reviews some technical notions related to this topic, more detailed explanations are available in the two following articles:



1. Introduction

  • This article gives an introduction on how to define and configure a bootpath starting from scratch using STM32CubeMX. The related code templates for secure and non-secure (if applicable) user applications are automatically generated.

The examples in the STM32CubeFW are using the provided user application codes.


2. The different possible bootpaths

The possible bootpaths are depending on the chosen device, if it supports the embedded hardware cryptography and if Trust Zone is activated or not.
The article mentioned previously gives more details about the supported bootpaths Secure_Boot_for_STM32H5.
In summary:

  • The STM32H57 is supporting TrustZone and hardware cryptography, so all bootpathes are possible with this device
  • The STM32H56 is supporting TrustZone but not an emebdded hardware cryptography accelerator (without export control constraints), so the STiROT (ST immutable Root of Trust) and the secure manager are not supported.
  • The STM32H503 is not supporting TrustZone and not supporting embedded hardware cryptography (without export control constraints), limiting to a single bootpath as explained in the Secure_Boot_for_STM32H5 article

The bootpath is selected through option bytes programming (TZEN and UBE), as show in next figure.
For the STM32CubeFW examples (see link at the beginning of this article), the chosen configuration and related option bytes are programmed by using the provisioning script provided in the STM32CubeFW
With STM32CubeMx, the bootpath is chosen graphically. The user does not need to take care of the related option byte that will be automatically programmed during the provisioning procedure.

2.1. STM32H57 Bootpaths

The STM32H57x devices support services available in the embedded system flash and services that can be installed. (add link to secure manager intro)
The figure below shows the possible bootpaths selected through the related user option bytes.
Advise: before setting manually some option bytes or trying your own settings and solutions, it is advised to execute the proposed "how to", specially the one related to the Debug Authentication: DA "how to" introduction, in order to avoid locking your device or board.

File:Bootpath1.png
Figure 1 STM32H57 possible bootpaths
Retrieved from "https://wiki.st.com/stm32mcu/index.php?title=Security:Secure_Boot_STM32H5_How_to_Introduction&oldid=33040"