Target description
The purpose of this article is to explain step by step how to use the Secure Manager provided in the STM32Cube_FW-H5, using the STM32H573 discovery board.
This how to start is using the default configuration provided in the STM32Cube_FW_H5.
If you want to modify the default configuration, please refer to the How to start with Secure Manager customized config on STM32H5 article.
But it is strongly advised to start with this practical example before starting to customize your solution.
Especially if you want to regenerate some keys, you need to understand the implications and store these keys preciously.
1. Introduction
- Start by reading the Secure Manager STM32H5 How to Intro article.
- For technical background, please refer to the Secure Manager for STM32H5 article.
2. Prerequisites
- Hardware
- STM32H573 discovery board: the STM32H573 devices have all the available security features, including the HW crypto accelerator. (Note: the Secure Manager is not supported for STM32H56x devices, the HW crypto is not available)
- Discovery MB1677- STM32H573 (need USB-C cable)
- STM32H573 discovery board: the STM32H573 devices have all the available security features, including the HW crypto accelerator. (Note: the Secure Manager is not supported for STM32H56x devices, the HW crypto is not available)
- Required tools
- STM32Cube_H5_V1.1.0 with Le STM32Cube_H5_V1.1.1 patch, or later
- STM32CubeProgrammer_rev2.14.0 or more recent (with STM32TrustedPackageCreator (TPC) selected at installation).
- One of the supported IDE:
- EWARM (IAR) rev 9.20.1
- MDK_ARM (IAR) rev 5.37
- STM32CubeIDE (IAR) rev 1.13.0
- Tera Term / Putty or equivalent UART terminal emulator.
- STM32Cube Firmware
- Download the STM32CubeFW_H5 Cube firmware
- With STM32Cube_H5_V1.1.0 you need to download also the STM32Cube_H5_V1.1.1 patch and copy all files into V1.1.0
- For later STM32Cube_H5_V1.1.x, when available, it is delivered as a single zip file.
- A directory STM32H573I-DK is included in the “Projects” directory
- If the STM32CubeProgrammer has not been installed in the default folder:
- C:\Program Files\STMicroelectronics\STM32Cube\STM32CubeProgrammer.
- The customized installation path needs to be updated in the environment variable: env.bat (see the example in the figure below).
- Download the STM32CubeFW_H5 Cube firmware
3. Step by step instructions
- On the STM32H573-DK, check that the switch (SW1) is set to 0 to boot from user flash
- Connect the STM32H573-DK using the USB-C cable
- Execute the provisioning_auto.bat script
Note:
In the figure above two scripts are shown:
- The provisioning_auto.bat to install the default configuration (used in this article).
- The provisioning.bat to customize the configuration (used in the How to start with Secure Manager customized config on STM32H5 article
3.1. Script (provisioning_auto.bat) step 1
The step 1 of the script generates automatically all the needed files used for the device confguration.
Using the default configuration and keys, the script is executed straightforward till step 2.
The step 1 of the script is generating automatically all the files needed for the Secure Manager configuration.
As mentioned above, for more details about customized configuration, please refer to How to start with Secure Manager customized config on STM32H5 article.
Note:
The figure above shows the Debug Authentication (DA) configuration. For all trials it is advised to use the default keys provided by ST. In case new keys are generated and the device is set in another state than open, it will not be possible to reopen the debugger and to make a regression in case these new keys are lost.
3.2. Script (provisioning_auto.bat) step 2
After completion of step 1, follow the indications of the script as shown in the figure below.
The step 2 of the script installs the Secure Manager and a nonsecure default application.
After installation you should see:
- The message that the board is correctly confirmed
- On the discovery board the led1, led2, led3 and led4 should blink (default installed code by the script)
Note in case of issue:
- Check the provisioning.log file (in directory: \Projects\STM32H573I-DK\ROT_Provisioning\SM).
- Peform a regression (see chapter below) and restart at the beginning of this article.
4. Default installed code execution
As mentioned above, after the script execution completion, you should see the four led blinking corresponding to the default installed application code.
- Start Tera Term or another terminal emulator (see figure below)
- Select -> Serial -> select your COM port
- Setup -> Serial port -> set Speed to 115200 baudrate, Data to 8 bit and Stop bit to 1bit -> New setting
- Press the reset button of the discovery board (B2 black button)
- The default installed code makes four led blinking and outputs the information shown in the terminal (see figure below): the memory configuration, the Secure Manager version and the version of the installed ST Updatable Root of Trust.
(for more details about uRoT please refer to the Secure Boot for STM32H5 article).
- Close the terminal window
- Start STM32CubeProgrammer and try to connect, see the figure below
You can observe:
- The Option Byte readout shows that the script has set the device in TZ-Closed. This leaves the nonsecure application open for debug. For more details about product states, refer to the New product state article
- The user flash at 0x08000000 is not accessible since it's a secure zone where the Secure Manager is installed.
- The user flash at 0x0806E400 is accessible and is the location of the nonsecure default installed application.
Notes:
- Don't modify the Option Bytes (regressions are not allowed, Closed state seting is allowed but don't do it for this tutorial since it will close the debug access for the nonsecure application).
- !! Important reminder: the Locked state closes definitively your device. So it's a final state adding a further protection level, but the device can't be changed or debugger reopened anymore by any method.
5. Develop your own application
As described above, the device has been set in TZ-Closed by the installation script. This means that the device is still open for nonsecure application development.
An example of application that you can modify is included in the STM32Cube_H5. It is provided for the three supported IDE (EWARM, MDK-ARM and STM32CubeIDE).
- Open the application located at : STM32Cube_FW_H5_Vx.x.x\Projects\STM32H573I-DK\Applications\ROT\SMAK_Appli\
- The following example is shown using IAR (EWARM) project, you can use the other supported IDE (MDK-ARM, STM32CubeIDE) in the same way.
- You can make your own modifications to this code.
- To upload the code to the device, simply select: download and debug as shown in figure below (for IAR)
- Close the IDE and connect your terminal emulator according the setting described in chapter Default installed code execution
- Press the reset button of the discovery board (B2 black button).
- The window shown below is displayed. The menu of the different services (API) of the Secure Manager are indicated (for more details refer to How to start with Secure Manager customized config on STM32H5
- Since the device is in TZ-Closed, it is open for nonsecure application development, a modification of the application running on the device is straightforward:
- Open the IDE, make your modifications and reload the modified application. For IAR select Make&Restart (see figure below)
- Press the reset button of the discovery board (B2 black button) and the new application code is executed.
6. Regression
Perfoming a full regression is reinitialization (back to virgin state) the device, erasing the user flash and the Secure Storage.
For more explanations see Secure Manager STM32H5 How to Intro article.
The easiest way to make a regression is to use the provided script shown in the figure below.
- Just double click and the script will automatically perform the regression
- When the regression is completed the script will display the message below
