How to start with Secure Manager customized config on STM32H5

Revision as of 17:39, 26 April 2023 by Registered User

The goal of this article is to guide an STM32H573 user through the first steps of using the Secure Manager. To learn what the Secure Manager is and why to use it, please read the introduction to Secure Manager.

1. Installation

This section walks you through provisioning with the Secure Manager, from the Open product state on a clean STM32H57x (either a virgin device or one after a full regression) to the state where the Secure Manager is installed and the product is in TZ-Closed, ready for development of a non-secure application that makes PSA API calls.
There are several ways to install the Secure Manager, ranging from meticulously following a checklist step by step to simply executing a prepared batch. Very little is configurable in the SMAK form, only the arrangement of the non-secure application image slots.

1.1. Prerequisites

To use the Secure Manager, a compatible STM32 MCU is needed. At this moment, only the STM32H573 line supports the Secure Manager.
On the software side, the STM32CubeMX toolset is needed, complete with STM32CubeProgrammer and the Trusted Package Creator. STM32CubeMX will download the STM32H5 Cube package, which contains the HAL and examples.
There is no extra cost or licensing hurdle for the SMAK. To use the SMDK, the customer must contact ST to get qualified for signing an NDA.

1.2. SMAK Keys configuration

The first step is to transition the product state to "Provisioning" and prepare the OB and OBK contents. The Secure Manager expects to find keys in the right places of the OBK storage structure. In particular, the following keys need to be generated and provisioned:

  • SFI - secure firmware install keys must be provisioned in order to load the Secure Manager binary
  • SMAK authentication key - used to sign the installed application
  • SMAK encryption key - used to provide confidentiality for the installed user application

1.3. DA configuration

Provisioning the Debug Authentication keys and certificate is a highly recommended step. Details of the process can be found in the introduction to Debug Authentication.

2. Using the Secure Manager

Now the Secure Manager is provisioned and the STM32H573 is in the TZ-Closed state. It is possible to code and debug in the non-secure domain of the MCU using the usual development tools, for example STM32CubeIDE. The STM32Cube package for STM32H5 contains a template called SMAK_Appli. Just add functionality and download as usual.

2.1. Generating from STM32CubeMX

In STM32CubeMX, select the STM32H573xx and start a new project. A prompt is displayed asking whether TrustZone will be used. For development using the Secure Manager, select "with TrustZone enabled."
Once the '*.ioc' project is saved, go to the 'Project Manager' tab to select the bootpath settings. The Secure Manager only works with the underlying ST-iRoT and ST-uRoT selected. Configure your project in STM32CubeMX as usual, selecting the peripherals used, assigning pins and configuring the clock tree. When the project is generated, it will have the linker files prepared to fit within the memory range assigned to the application by the Secure Manager.