Bootpath STM32H5 using STM32CubeMX How to Introduction
Target description
The purpose of this article is to provide the background needed to understand and execute the related "how to start".
This introduction article reviews some technical notions related to this topic; more detailed explanations are available in the two following articles:
- Introduction theoretical article: Introduction_to_Secure_boot_and_Secure_firmware_update.
- Specific STM32H5 bootpaths article: Secure_Boot_for_STM32H5
1. Introduction
- Examples using different types of bootpaths are provided in the STM32CubeFW (see for instance the following links).
- This article gives an introduction on how to define and configure a bootpath from scratch using STM32CubeMX. The related code templates for the secure and non-secure (if applicable) user applications are generated automatically.
- How to proceed practically, step by step, is explained in the article: How_to_start_with_STM32CubeMX_OEMiROT_Boot_path_on_STM32H573
- The STM32CubeMX tool provided by ST is available at the following link: STM32CubeMX installation file
The examples in the STM32CubeFW use the provided user application code.
2. The different possible bootpaths
The possible bootpaths depend on the chosen device: whether it supports embedded hardware cryptography and whether TrustZone is activated.
The article mentioned previously, Secure_Boot_for_STM32H5, gives more details about the supported bootpaths.
In summary:
- The STM32H57 supports TrustZone and hardware cryptography, so all bootpaths are possible with this device.
- The STM32H56 supports TrustZone but has no embedded hardware cryptography accelerator (without export control constraints), so the STiROT (ST immutable Root of Trust) and the secure manager are not supported.
- The STM32H503 supports neither TrustZone nor embedded hardware cryptography (without export control constraints), which limits it to a single bootpath, as explained in the Secure_Boot_for_STM32H5 article.
The bootpath is selected by programming option bytes (TZEN and UBE), as shown in the next figure.
For the STM32CubeFW examples (see the link at the beginning of this article), the chosen configuration and the related option bytes are programmed using the provisioning script provided in the STM32CubeFW.
With STM32CubeMX, the bootpath is chosen graphically. The user does not need to take care of the related option bytes, which are programmed automatically during the provisioning procedure.
2.1. STM32H57 Bootpaths
The STM32H57x devices support services available in the embedded system flash and services that can be installed. (add link to secure manager intro)
The figure below shows the possible bootpaths selected through the related user option bytes.
Advice: before manually setting option bytes or trying your own settings and solutions, it is advised to execute the proposed "how to" articles, especially the one related to Debug Authentication (DA "how to" introduction), in order to avoid locking your device or board.