How to start with certificate linked to SOC class and ID on STM32H5

Revision as of 19:25, 8 February 2024 by Registered User
This message will disappear after all relevant tasks have been resolved.
Semantic MediaWiki
There are 1 incomplete or pending task to finish installation of Semantic MediaWiki. An administrator or user with sufficient rights can complete it. This should be done before adding new data to avoid inconsistencies.

How to start with certificate linked to SOC class and ID on STM32H5


Target description

The generation of a root certificate and a certificate chain and how to use it to open the debugger through a debug authentication are explained in the two following articles:

The purpose of this article is to explain how to generate a certificate and a certificate chain valid for one

The purpose of this article is to explain step by step how to use the STM32CubeFW example provided by ST, for STiRoT, using the STM32H57 discovery board.


The purpose of this article is to explain step by step how to use the STM32CubeFW example provided by ST, for STiRoT, using the STM32H57 discovery board.

  • How to use the script provided by ST and perform all the required steps.
  • How to install and run the user application example which is provided.
  • How to perform a regression to retrieve an empty board with initial settings.

Based on this STM32CubeFW example, additional exercises are proposed

  • To generate a certificate chain.
  • To reopen the debugger for product states other than OPEN
  • To attach an IDE
  • To perform a firmware upgrade using the bootloader


Introduction

Two examples are provided in the STM32Cube_FW:
One example with a secure and non secure application code, and one example with a fully secured application code (Both examples without uRoT).
The fully secured application code example is used in this "getting started".

Through this practical example you will learn:

  • What STiRoT is and how to use the STM32CubeFW example which is provided.
  • How to configure the STiRoT and the debug authentication for this example.
  • How to generate an encrypted and signed image for the user application firmware and user data.
  • What the device provisioning is and how to perform the setup of the device.
  • How the user application and user data are installed.
  • How to perform a debug authentication and reopen the debugger.
  • How to read the installed user application firmware using the STM32CubeProgrammer
  • How to attach an IDE on a running target and execute step by step, the secure user application
  • How to perform a regression to retrieve an empty board
  • The principle of certificate chain.


Prerequisites

  • Hardware
    • STM32H573 discovery board: the STM32H573 devices have all the available security features, including the HW crypto accelerator. (Note that for the STM32H56x devices, the HW crypto is not available)
    • Discovery MB1677- STM32H573 (need USBC cable)


  • Required tools
    • STM32Cube_FW_H5_V1.0.0 or later
    • STM32CubeProgrammer_rev2.13.0 or more recent (with trusted package creator (TPC) selected at installation).
    • IAR Embedded Workbench® rev 9.20.1 or later.
    • Tera Term / Putty or equivalent terminal emulator.
Info white.png Information
The TPC installed together with CubeProgrammer in the bin folder located in default STM32CubeProgrammer path : C:\Program Files\STMicroelectronics\STM32Cube\STM32CubeProgrammer\bin You can pin this tool to the taskbar to simplify the "STiRoT Getting started" process :
Security PinToTask.png


  • STM32Cube Firmware
    • Download the STM32CubeFW_H5 Cube firmware (Place it as close as possible to the C: root, to avoid long windows path)
    • A directory STM32H573I-DK is included in the “Projects” directory
    • If the STM32CubeProgrammer has not been installed in the default folder:C:\Program Files\STMicroelectronics\STM32Cube\STM32CubeProgrammer, the customized installation path needs to be updated in the environment variable: env.bat
    • Check that the selected application path is correct: for the following tutorial the STiRoT fully secured example is described => The STiROT_Appli must be active.


  • Check that the selected application path is correct, as shown in the figure below: for the following tutorial, the STiRoT fully secured example is described => The STiROT_Appli must be active.


Literature


Step by step instructions

  • The different stages to configure and use the STiRoT are based on a script provided in the STM32CubeFW (provisioning.bat)
  • The following documentation is a guide through all the steps of this script, and explains how to perform each of them.


Retrieved from "https://wiki.st.com/stm32mcu/index.php?title=Security:How_to_start_with_certificate_linked_to_SOC_class_and_ID_on_STM32H5&oldid=49063"
No categories assignedEdit