How to start with Secure Manager customized config on STM32H5

Revision as of 14:22, 3 July 2023 by Registered User

The objective of this article is to guide STM32H573 users through the first steps of using the secure manager. For further details on what the secure manager is and why to use it, refer to the article Introduction to secure manager.


1. Installation

This section details provisioning with the secure manager, from the open product state on an STM32H57x with factory settings or after a full regression, to a state where the secure manager is installed and the product is in TZ-Closed. When the product is in the TZ-Closed state, it is ready for nonsecure application development using API calls.


There are several ways to install the secure manager, from a step-by-step meticulous checklist to a simple batch execution. Only the arrangement of the nonsecure application image slots is configurable in the SMAK form.


1.1. Prerequisites

  • To use the secure manager, a compatible STM32 MCU is needed. Only the STM32H573 line currently supports the secure manager.
  • On the software side, the STM32CubeMX toolset is needed, complete with STM32CubeProgrammer and the Trusted Package Creator. STM32CubeMX downloads the STM32CubeH5 Package, which contains the HAL and the examples.
  • There is no extra cost or licensing hurdle for the SMAK. To use SMDK, contact STMicroelectronics and get qualified to sign an NDA.


2. Batch installation

An automated installation using a prepared script is available for the STM32H573I-DK Discovery kit in the STM32CubeH5 Package.


2.1. Environment configuration

A batch file called env.bat is by default placed at the following location:

C:\Users\***\STM32Cube\Repository\STM32Cube_FW_H5_V1.0.1\Projects\STM32H573I-DK\ROT_Provisioning

This batch file needs to be edited. To continue with the installation, both the addresses and the communication virtual port number must be edited.

The env.bat contents

2.2. SMAK Keys configuration

The keys are in the SMAK/Keys subfolder. The easiest way to modify the keys is to open the STM32 Trusted Package Creator tool:

  • Select H5 in the leftmost pane, and then the OBkeys tab.
  • Open the key configuration file and regenerate the keys as needed:
    • SMAK authentication key is used for the signed installed application.
    • SMAK encryption key is used to provide confidentiality on the installed user application.
The SMAK keys screen

2.3. Memory configuration

The memory layout and partitioning are also configurable.
Basic settings are easily accessible by opening another xml file in the STM32 Trusted Package Creator tool:

Screen of the memory layout settings

2.4. Debug authentication (DA) configuration

Provisioning the debug authentication (DA) keys and certificate is strongly recommended.
The article introduction to Debug Authentication details the process.
When modifying the default settings, consider the need to actually debug the NS application in the TZ-Closed state. Removing the debug certificate would block such development.

2.5. Installation process

In the basic scenario, all that is required is to execute the provisioning.bat and follow the instructions on the screen. The process requires you to manipulate the SW1 switch on the DK board to complete the provisioning correctly.
The batch file works in two steps. In step 1, it prepares the SFI package, consisting of:

  • Keys configuration
  • Layout configuration
  • DA configuration

All these are prepared in the STM32 Trusted Package Creator.
The previously updated environment configuration is used now to communicate with the STM32H573I-DK board and to upload the SFI package.
Make sure to follow the instructions to manipulate the SW1, to assert the correct state on the BOOT0 pin. Secure manager is installed when finished.

3. Using the secure manager

Now the secure manager is provisioned and the STM32H573 is in the TZ-Closed state. It is possible to code and debug in the nonsecure domain of the MCU using the usual development tools, for example STM32CubeIDE. The STM32Cube package for STM32H5 contains a template called SMAK_Appli. Just add functionality and download using, for example, STM32CubeProgrammer.

3.1. Development of the user application

The SMAK_Appli template is by default available at the following path:

C:\Users\***\STM32Cube\Repository\STM32Cube_FW_H5_V1.0.1\Projects\STM32H573I-DK\Templates\ROT\SMAK_Appli\

The project is packed with batch files that automate the necessary post-build actions and the binary download using the STM32CubeProgrammer CLI.
One difference compared to bare-metal development is that you need to manually place a breakpoint in your main function to commence the debug session. The debug authentication session is valid while the debugger stays connected to the target.

3.2. The template application

The template application contains a user interface. This user interface works with a terminal application on the host PC and showcases the PSA functionality that the secure manager provides to the user application.

Application terminal screen

As an initial step in the development loop, the application can be modified in a way that it is visible on the terminal screen. For example, in the main.c edit:

const uint8_t UserAppId = 'A';

to

const uint8_t UserAppId = 'B';

and rebuild the application normally. The postbuild script produces an encrypted binary.
When running the template application, use the terminal to enter '4' to select Firmware update and then '3' to select Download nonsecure app.
Send the encrypted binary using YMODEM from your terminal software. Once that is done and the test has passed, select '2' for Installation Application.
Results are immediate. Unless you select the option Validation nonsecure app, the application is reverted to the previous version on the next reboot. This default behavior of the two-slot system is implemented so that a reset acts as a panic button in case the newly downloaded firmware is not working properly.
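The install, validate and revert behavior described above can be modeled as a small state machine. This is an added example, not code from the STM32CubeH5 Package or the secure manager; the slots_t structure and the model_* functions are hypothetical names, and the slot bookkeeping is a simplifying assumption.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model (assumption): one running image, one image kept for
 * rollback and one download area. Not the secure manager's real layout. */
typedef struct {
    uint8_t active;     /* UserAppId of the image that runs */
    uint8_t previous;   /* image kept for rollback, 0 if none */
    uint8_t downloaded; /* image received over YMODEM, 0 if none */
    bool    validated;  /* set by "Validation nonsecure app" */
} slots_t;

void model_init(slots_t *s, uint8_t id) { *s = (slots_t){ id, 0, 0, true }; }

/* Menu entry "Download nonsecure app". */
void model_download(slots_t *s, uint8_t id) { s->downloaded = id; }

/* Menu entry "Installation Application": the new image runs at once,
 * but only on trial until it is validated. */
bool model_install(slots_t *s) {
    if (s->downloaded == 0) return false;   /* nothing to install */
    s->previous = s->active;
    s->active = s->downloaded;
    s->downloaded = 0;
    s->validated = false;
    return true;
}

/* Menu entry "Validation nonsecure app": makes the new image permanent. */
void model_validate(slots_t *s) { s->validated = true; s->previous = 0; }

/* Reboot: an image that was never validated is reverted. */
uint8_t model_reset(slots_t *s) {
    if (!s->validated && s->previous != 0) {
        s->active = s->previous;
        s->previous = 0;
        s->validated = true;
    }
    return s->active;
}

int main(void) {
    slots_t s;
    model_init(&s, 'A');
    model_download(&s, 'B'); model_install(&s);
    printf("after install: %c\n", s.active);
    printf("reset without validation: %c\n", model_reset(&s));
    model_download(&s, 'B'); model_install(&s); model_validate(&s);
    printf("reset after validation: %c\n", model_reset(&s));
    return 0;
}
```

In this model, validating only after the new firmware has passed its own checks is what keeps the reset usable as the panic button.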

4. Generating from STM32CubeMX

The secure manager can also be configured using the STM32CubeMX visual tool, along with other components of the secure boot. For further details, refer to the following article: How to start with STM32CubeMX and Secure Manager on STM32H573


