SFI for STM32H7RS

Revision as of 18:40, 26 February 2024 by Registered User (→Introduction)

1. Introduction

Hereafter, STM32H7R/S refers to STM32H7Rx/7Sx lines. The STM32H7R/S supports Secure Firmware Install thanks to a dedicated RSSe (Secure firmware extension).

STMicroelectronics provides the SFI solution to perform the preparation and installation flows.

2. SFI for STM32H7RS

The SFI procedure on the STM32H7RS is similar to the SFI procedure applied on other platforms. The main difference is that no interaction between the host and the STM32H7RS is possible during SFI. Follow "SFI Step-by-step on STM32 boards" to run the SFI procedure on the STM32H7RS. SFI on external flash (SFIx) is not supported on the STM32H7RS.

2.1. Preparation flow

2.1.1. Overview
The purpose of this step is to:

  • prepare the encrypted firmware image to install, called the SFI image. It is composed of the OEM application and the additional components (OEM secrets and OEM option bytes).
  • provision the OEM key within an HSM.

2.1.2. SFI image

2.1.2.1. SFI image generation

Once the OEM application has been developed, the OEM must prepare and test the SFI image to be installed during manufacturing.
For that purpose, the OEM must use the STM32 Trusted Package Creator tool, which generates the SFI image correctly and lets the OEM test it before manufacturing.

The output of the STM32 Trusted Package Creator is the tested SFI image, ready to be installed during manufacturing.

2.1.2.2. Description of the SFI image inputs

The OEM must provide the following inputs, described below:

  • the OEM application: The OEM must provide its application binary.
  • the OEM secrets: The OEM secrets are the OEM data and the OEM keys.

During the SFI procedure, the OEM must set its secrets, paying specific attention to the following:

  • OEM Option Byte Key (OBKey) provisioning: the HDPL0 OBKey must be provisioned first, as it includes the Debug Authentication (DA) configuration; the other OBKeys (optional), for example the IROT OBKey, follow.
  • OEM Option Bytes (OB): the OEM must set the STM32H7RS product state carefully.

The STM32H7RS Flash memory configuration installed via the SFI procedure must be the same as the one used during the OEM application development.

2.1.2.3. SFI image output description

The Trusted Package Creator encrypts the SFI image inputs with the OEM key, and generates the SFI image.
The SFI image is then an encrypted image containing the OEM application, the OEM secrets and the OEM option bytes.

2.1.3. OEM key provisioning

The OEM must provide its OEM key to the Contract Manufacturer (CM) in such a way that the CM cannot read or extract the OEM key in the clear. Only the STM32 can handle the OEM key.

In SFI for STM32H7RS, to provide the OEM key to the CM:

  • The OEM provisions its OEM key, using the Trusted Package Creator, in one HSM.

Then:

  • Only STMicroelectronics STM32 microcontrollers can securely install the SFI image.
  • Authenticity, integrity, and confidentiality of the SFI image content are ensured.

When the HSM is used, the number of STM32 chips programmed can be counted.

2.2. Installation flow

The installation procedure is similar to the generic SFI installation procedure, deployed on other STM32 products supporting SFI.

Figure: Security SFI H7RS installation flow

Information: Refer to AN4992 §6 "SFI image programming by OEMs or CMs" for an overview of the SFI image programming.

3. References