How to start with SFI on STM32H5 with Secure Manager

Revision as of 13:08, 27 July 2023 by Registered User (→‎Environment setup)

under construction

1. Environment setup

1.1. HW

To set up the hardware environment, STM32H573_DK MB1677 board shall be connected to a personal computer via a USB cable. This connection with the PC allows the user:

  • Programming the STM32TRUSTEE SM package in the board.
  • Interacting with the board via a UART console
  • Debugging Integrator’s non-secure application when STM32TRUSTEE Integrator’s configuration enables it.

The boot pin shall be forced to User Flash via the switch SW1.

Board setup.jpg

1.2. SW

  • CubeFW
  • XCube security

1.3. Tools

  • CubePrg

1.4. Working directory

2. Development @ OEM: Firmware creation

3. Secure Room @ OEM: SFI package generation and HSM provisioning

3.1. Package structure overview

copy windows directories tree

3.2. SFI package generation

3.2.1. Inputs preparation Key IV OEM FW OEM OBK DA

from C:\STM32CubeFirmware_Installation_path\Firmware\Projects\STM32H573I-DK\ROT_Provisioning\DA\Config\DA_Config.xml SMAK getting started: slide 50 HDPL1_for_STiRoT

from C:\STM32CubeFirmware_Installation_path\Firmware\Projects\STM32H573I-DK\ROT_Provisioning\SM\Config\SM_Config_Others.xml SMAK getting started: slide 49 HDPL2_for_3NS_Config

from C:\STM32CubeFirmware_Installation_path\Firmware\Projects\STM32H573I-DK\ROT_Provisioning\SM\Config\SM_Config_General.xml SMAK getting started: slide 46 HDPL2_for_3NS

from C:\STM32CubeFirmware_Installation_path\Firmware\Projects\STM32H573I-DK\ROT_Provisioning\SM\Config\SM_Config_Keys.xml generate obk %stm32tpccli% -pb %projectdir%ST\SM_ST_Settings_1.xml %stm32tpccli% -obk %projectdir%ST\SM_ST_Settings_2.xml SMAK getting started: slide 48 Modules OB output

Output SFI file is the file to be created with sfi extension.

3.2.2. SFI package generation using STM32 Trusted Package Creator CLI (command line interface)

3.2.3. SFI package generation using STM32 Trusted Package Creator GUI (graphical user interface)

3.3. HSM programming


To program the HSM, you can follow the same steps described in this section of the SFI article using the STM32H573_DK MB1677 board: HSM programming.

After programming the HSM, it is now ready to be shipped to the CM together with the xxx.sfi package created before.

4. Manufacturing @ CM: Secure Firmware Installation

No categories assignedEdit