How to start with STM32CubeMX Secure Manager on STM32H57

Revision as of 15:18, 28 September 2023 by Registered User
Under construction: coming soon.

The purpose of this article is to show how the Secure Manager is integrated in the ecosystem using STM32CubeMX.


Read Secure Manager for STM32H5 before starting the practical example described below.


Figure: SM boot scheme

Prerequisites

To execute the example described below, you'll need an STM32H573I-DK discovery board:

Figure 2: STM32H573 DK MB1677

You'll also need the following tools:

  • STM32CubeMX_6.9.2 or later (see STM32CubeMX ST web page[1])
  • IAR Embedded Workbench rev 9.20.1 or later
  • STM32CubeProgrammer rev 2.14.0

Note:

  • STM32 Trusted Package Creator (TPC) is automatically installed during the STM32CubeMX installation. This TPC version is dedicated to STM32CubeMX and installed in the STM32CubeMX/utilities folder.
  • The latest STM32Cube_FW revision is installed through STM32CubeMX (see appendix).
  • If needed, set the Windows environment variable (see appendix). This is required if the H5 doesn't appear in the STM32CubeMX Access to MCU Selector.


1. Introduction

2. Prerequisites

  • Hardware
    • STM32H573 discovery board: the STM32H573 devices have all the available security features, including the HW crypto accelerator. (Note: the Secure Manager is not supported for STM32H56x devices; the HW crypto is not available.)
    • Discovery MB1677 - STM32H573 (USB-C cable not included)
Figure 1: STM32H573-DK MB1677
  • If your board has already been used for other hands-on sessions:
    • Perform a regression if the board is in a state other than OPEN (using the script provided for the last hands-on session done).
    • If the board is in OPEN state, verify that the SECBOOT_LOCK option byte is not set (use STM32CubeProgrammer).
  • Required tools
    • STM32Cube_H5_V1.1.0 with STM32Cube_H5_V1.1.1 patch, or later
    • STM32CubeProgrammer_rev2.14.0 or more recent (with STM32TrustedPackageCreator (TPC) selected at installation).
    • One of the supported IDEs:
      • EWARM (IAR): V9.20.1 and the patch EWARMv8_STM32H5xx_V1.1.0 or later to support the STM32H5 series
      • STM32CubeIDE: 1.13.0 or later
      • MDK_ARM: V5.37.0.0 and the patch Keil_STM32H5_DFP.1.0.0 or later to support the STM32H5 series
    • Tera Term / PuTTY or equivalent UART terminal emulator.

The IDE patches can be found in the STM32CubeFW_H5 Cube firmware:

Figure 2: IDE patches in STM32CubeH5 Firmware Package
  • STM32Cube Firmware
    • Download the STM32CubeFW_H5 Cube firmware
      • With STM32Cube_H5_V1.1.0 you must also download the STM32Cube_H5_V1.1.1 patch and copy all the files into V1.1.0
      • For later STM32Cube_H5_V1.1.x, when available, it is delivered as a single zip file.
    • A directory STM32H573I-DK is included in the “Projects” directory
    • If the STM32CubeProgrammer is not installed in the default folder:
      • The default folder is C:\Program Files\STMicroelectronics\STM32Cube\STM32CubeProgrammer
      • The customized installation path must be updated in the environment variable file env.bat (see the example in the figure below).
Figure 3: STM32CubeProgrammer installation path to update in env.bat file


3. Setting up the STM32CubeMX project

Launch STM32CubeMX

  1. Click on Access to MCU Selector (for this example, it's easier to enable only the necessary GPIOs, so it's advised to use the MCU selector instead of the board selector).
  2. From the Series column, select STM32H5, and select the device used in STM32H5-DK.
  3. Click Start Project.
  4. Enable TrustZone, as shown in Figure 3. (For the STiROT boot path, TrustZone needs to be enabled.)


Figure: STM32CubeMX MCU selector


Create the STM32CubeMX project:

  1. Type the name of the project (if it doesn't already exist, the related folder will be created).
  2. Choose a folder for the project (avoid a long path).
  3. Check that both the Secure Project and Nonsecure Project checkboxes are checked (they should be checked by default).
  4. Select the relevant toolchain; for this example EWARM is used.
  5. Go to File > Save Project. The project folder (if it doesn't already exist) and the STM32H5_STiROT_SLed_NSLed.ioc file will be created.


Figure: STM32CubeMX project parameters

Figure: STM32CubeMX project, non-secure

Figure: STM32CubeMX save project

4. Boot path configuration

Figure: STM32CubeMX boot path selection

Figure: STM32CubeMX boot path

Figure: STM32CubeMX boot path selection OK