SFI Step-by-step on STM32 boards

Revision as of 10:58, 4 June 2024 by Registered User
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

SFI Step-by-stepClock.png75min

Target description

This tutorial shows how to use SFI for installing a simple LED Blink example.

The process goes through three steps at the original equipment manufacturer (OEM) and the Contract Manufacturer (CM) sites.

  • Development @ OEM: the application code that runs on STM32 is generated.
  • Secure Room @ OEM: code prepared during the development is encrypted and packaged to be sent for manufacturing. The Secure Room is isolated, and its resources are not visible outside of it.
  • Manufacturing @ CM: the encrypted code received by the OEM Secure Room is installed using SFI tools.


Prerequisites

Hardware

  • STM32H735-DK[1] Discovery kit with STM32H735IG MCU with Bootloader version 9.3 min
  • STM32H7B3I-DK[2] Discovery kit with STM32H7B3LI MCU with Bootloader version 9.2 min
  • NUCLEO-H753ZI[3] STM32 Nucleo-144 development board with STM32H753ZI MCU with Bootloader version 9.1 min
  • B-U585I-IOT02A[4] Discovery kit for IoT node with STM32U5 series with Bootloader version 9.2 min
  • STM32H573I-DK[5] Discovery kit with STM32H573IIK3Q MCU
  • STM32-HSM[6] SAM for Secure Firmware Installation
  • Smartcard Reader
    • Laptop built-in
    • External


  • STLINK-V3[7] modular in-circuit debugger and programmer for STM32/STM8
  • USB cable Type-A to Micro-B
  • USB cable Type-C
  • Jump wires

Software

  • STM32CubeProgrammer[8] Software programming tool for STM32 (v2.11 min)
    • Including STM32TrustedPackageCreator
  • STM32CubeMX[9] STM32Cube initialization code generator
  • STM32CubeIDE[10] Integrated Development Environment for STM32
  • X-CUBE-SFI Expansion package[11] The STM32CubeExpansion_SFI Secure Firmware Install shows how to go through SFI installation process for STM32 devices to protect OEM firmware during the CM product manufacturing stage.


Literature

  • AN4992 STM32 MCUs secure firmware install (SFI) overview
  • UM2237 STM32CubeProgrammer software description
  • UM2238 STM32 Trusted Package Creator tool software description
  • AN5054 Secure programming using STM32CubeProgrammer
  • AN2606 STM32 microcontroller system memory boot mode
  • RM0468 STM32H723/733, STM32H725/735 and STM32H730 Value line advanced Arm®-based 32-bit MCUs
  • RM0433 STM32H742, STM32H743/753 and STM32H750 Value line advanced Arm®-based 32-bit MCUs
  • RM0455 STM32H7A3/7B3 and STM32H7B0 Value line advanced Arm®-based 32-bit MCUs
  • RM0456 STM32U575/585 Arm®-based 32-bit MCUs
  • RM0481 STM32H563/H573 and STM32H562 Arm®-based 32-bit MCUs
  • UM2679 STM32H735G-DK Discovery kit
  • UM2407 STM32H7 Nucleo-144 boards (MB1364)
  • UM2839 Discovery kit for IoT node with STM32U5 Series
  • UM3143 Discovery kit with STM32H573II MCU
  • UM2448 STLINK-V3SET debugger/programmer for STM8 and STM32
  • STM32HSM-V2 Data brief HSM v2


Info white.png Information
Note that the screenshots and the examples given in this article are based on the STM32H735G-DK board and it can be tolerated with any other supported boards.


1. Environment setup

Before starting, the first step is to prepare the environment is to go through the SFI process.

Info white.png Information
For the sake of this demonstration, we are considering the same machine to act as both OEM Development, OEM Secure Room, and CM manufacturing tool. In a real scenario, these agents are most probably separated entities.
Info white.png Information
This page describes how to use SFI on STM32 boards and all screenshots and CLI commands have been token using STM32H735G-DK board. It can be easily tolerated by any other supported device and development board.

1.1. Install xcube-sfi Expansion Package

Clock.png5min

  • Download xcube-sfi[11]
  • Register on www.st.com web site if necessary
  • Unzip the downloaded file


xcube-sfi is now installed on your computer.


1.2. Install STM32CubeProgrammer and STM32TrustedPackageCreator

Clock.png5min

STM32CubeProgrammer (STM32CubeProg) is an all-in-one multi-OS software tool for programming STM32 products. STM32CubeProgrammer provides an easy-to-use and efficient environment for reading, writing, and verifying device memory through both the debug interface (JTAG and SWD) and the bootloader interface (UART, USB DFU, I2C, SPI, and CAN).

Info white.png Information
Note that for STM32H7 MCUs only JTAG/SWD, UART, USB DFU, and SPI interfaces are supported.

STM32TrustedPackageCreator is part of the STM32CubeProgrammer toolset and allows the generation of secure firmware and modules to be used for STM32 secure programming solutions.

  1. Download the latest version of STM32CubeProg[8]
Security Download STM32CubePROG.png


  1. Unzip the downloaded file and launch the SetupSTM32CubeProgrammer-xxx.exe corresponding to your OS, and follow the instructions.

Make sure to select STM32TrustedPackageCreator add-on during the installation of STM32CubeProgrammer

Security TrustedPackageCreator.png

STM32CubeProgrammer and STM32TrustedPackageCreator are now installed on your computer.

Warning white.png Warning
Make sure to have the folder including 'STM32_Programmer_CLI.exe' and 'STM32TrustedPackageCreator_CLI.exe' in your PATH.
  • Typical path in Windows: C:\Program Files\STMicroelectronics\STM32Cube\STM32CubeProgrammer\bin
  • If you installed it in another location, update scripts in the XCUBE-SFI package
  • Advise: right click on the STM32TrustedPackageCreator.exe file in this path and select "Pin to taskbar" to have a quick access to the tool

1.3. Install STM32CubeMX

Clock.png 10min
STM32CubeMX is a graphical tool that allows an easy configuration of STM32 microcontrollers and the generation of the corresponding initialization C code through a step-by-step process.
Refer to the STM32CubeMX install on the Step1 Tools installation
STM32CubeMX is now installed on your computer.

1.4. Install STM32CubeIDE

Clock.png 10min

STM32CubeIDE is an Integrated Development Environment for STM32

Refer to the STM32CubeIDE install on the article: Step1 Tools installation

2. Development @ OEM: Firmware creation

The first step of the process is to create a demo LED Blink application for the dedicated board.

You can use an example from the STM32Cube firmware package. To use this option, you can refer to the example made on B-U585I-IOT02A described in this section: U585 example.
You can also choose to use the example project developed in xcube-sfi or create a new project. These two options are described below.

2.1. Create New Project Blinking LED with STM32CubeMX and HAL

You can find a detailed step-by-step for Nucleo-L476RG in the Step2 Blink LED article - the process is similar. The binary file generated by the project build is named OEM_Dev.bin.

2.2. Code example in X-CUBE-SFI

Clock.png10min

xcube-sfi already proposes an application binary for:

  • STM32H735G-DK
  • STM32H7B3I-DK
  • NUCLEO-H753ZI
  • B-U585I-IOT02A
  • STM32H573I-DK

In the package X-CUBE-SFI you can find the application in OEM_Dev: Path: X-Cube-SFI_V1.1.0\Projects\<Board_Name>\Applications\SFI\OEM_Dev.

Choose the toolchain you want to use (EWARM, MDK-ARM, or STM32CubeIDE) and compile the code. This page explains how to compile the code with the STM32CubeIDE toolchain:

  • Open folder "STM32CubeIDE", then double click on the .cproject.
  • Select a directory as a workspace and launch the IDE.
  • Once the workspace is successfully imported, select Project > Build Project. This generates the binary file saved as OEM_Dev.bin to use in the next paragraphs.

You can open the main.c file in the Project Explorer and see that the main function is used to Blink LED in an infinite loop.
Example on STM32H735G-DK:

/* Infinity loop */
/* USER CODE BEGIN WHILE */
while (1)
{
  /* USER CODE END WHILE */

  /* USER CODE BEGIN 3 */
  HAL_GPIO_TogglePin(USER_LED1_GPIO_Port, USER_LED1_Pin);
  /* Insert delay 100 ms */
  HAL_Delay(100);
  HAL_GPIO_TogglePin(USER_LED2_GPIO_Port, USER_LED2_Pin);
  /* Insert delay 100 ms */
  HAL_Delay(100);
}
/* USER CODE END 3 */

You can now close STM32CubeIDE toolchain.
Open X-CUBE-SFI package and in folder OEM_Dev\STM32CubeIDE, launch the TransferBinToSecureRoom.bat Script needed to:

  • Create the OEM_SecureRoom/Binary folder
  • Copy the binary file OEM_Dev.bin generated by the compilation in this folder.


Info white.png Information
In this paragraph, we use the STM32CubeIDE toolchain but the process is the same for EWARM and MDK-ARM toolchains

3. Secure Room @ OEM: SFI package generation and HSM provisioning

In the Secure Room, the following two steps are performed:

  • SFI package generation: the code prepared during the development is encrypted and packaged to be sent for manufacturing.
  • HSM provisioning: the HSM is provisioned with the keys used for encryption and with the max license counter.
Warning white.png Warning
The assumption is that the Secure Room is isolated and its resources are not accessible from the outside world.


3.1. SFI package generation

Clock.png15min

Info white.png Information
For SFI package creation you can use STM32 Trusted Package Creator CLI (command line interface) or GUI (graphical user interface). These two options are described below

In this step, the application binary file and the option byte configuration are encrypted in an SFI package.

The following inputs are needed:

  • Application binary file (OEM_Dev.bin created in the previous step) and download address in FLASH.
  • AES Key
  • Nonce
  • Option bytes

3.1.1. Inputs preparation

3.1.1.1. Firmware binary files and download address

The OEM binary file previously generated is designed to be executed from a specific address in FLASH.
The SFI process ensures that the binary is downloaded at the address specified as an input parameter.

  • For this example we use: 0x08000000.
Info white.png Information
In this page, we use dummy values, the OEM can create its keys with arbitrary values
3.1.1.2. Encryption key file

The first step is to create secret keys and the nonce to be used by STM32TrustedPackageCreator to encrypt the firmware image in the SFI package and to be programmed in the STM32-HSM.

  1. Create a new text file
  2. Paste the following text
  3. AES_KEY_TEST_001
    
    The corresponding hex values are: 41 45 53 5F 4B 45 59 5F 54 45 53 54 5F 30 30 31
  4. Save it as aeskey.bin
Warning white.png Warning
The OEM is responsible for keeping this key SECRET - the confidentiality of the solution relies on this.
Warning white.png Warning
You can also use the aeskey.bin file example in the xcube-sfi package folder "Keys": X-Cube-SFI_V1.1.0\Projects\<Board_Name>\Applications\SFI\OEM_SecureRoom\Keys
3.1.1.3. AES nonce file
  1. Create a new text file
  2. Paste the following text
  3. NONCE_TEST01
    
    The corresponding hex values are: 4E 4F 4E 43 45 5F 54 45 53 54 30 31
  4. Save it as nonce.bin
Warning white.png Warning
You can also use the nonce.bin file example in the xcube-sfi package, folder "Keys": X-Cube-SFI_V1.1.0\Projects\<Board_Name>\Applications\SFI\OEM_SecureRoom\Keys
3.1.1.4. Option bytes file

Together with installing the application binary, the SFI process can be used to specify the OB values to be configured at the end of the installation process.
In the path C:\Program Files\STMicroelectronics\STM32Cube\STM32CubeProgrammer\bin\SFI_OB_CSV_FILES you can find OB files for each supported MCU.

To create your own OB file, you can use STM32 Trusted Package Creator:

  • Open STM32 Trusted Package Creator
  • In the SFI OB tab, select the MCU used
  • The right panel displays the OB values as saved in the file you generate. Select a path to save the OB file that is generated in the "Generate OB .csv file".

Example on STM32H735G-DK: You can refer to option bytes file generation in this article where the STM32H2x/H3x microcontroller is selected: STM32H2x/H3x option bytes file generation.

Info white.png Information
For more details on OB register values, you can refer to:

RM0468 for STM32H723/733, STM32H725/735 and STM32H730 Value line microcontrollers.

RM0456 for STM32U575/585 microcontrollers.

RM0433 for STM32H7x3 microcontroller.

RM0456 for STM32U575/585 microcontrollers.

Info white.png Information
You can also use the ob.csv file in the xcube-sfi package, folder "OptionBytes": X-Cube-SFI_V1.1.0\Projects\<Board_Name>\Applications\SFI\OEM_SecureRoom\OptionBytes
3.1.1.5. Image version

The Image version parameter is used to inform which firmware version is installed.

3.1.1.6. Generate Hash

The generated hash is a checkbox used for the integrity check of the firmware and option bytes. This option is only supported on U5 and H7 series.

3.1.1.7. Available ram size

When selecting the dedicated microcontroller on STM32TrustedPackagecreator the Available RAM Size will be selected automatically.

For STM32H7 Series MCUs, the ram size value is 0x1E000.

RAM Size on TPC.png
3.1.1.8. Continuation token address

Select the address where the continuation token is going to be stored.
The continuation token address must be an address available in Flash.
This field is only relevant for STM32H75xxI/STM32H7B3xI/STM32H733xx/STM32H735xx products, depending on firmware mapping, 0x80FF000 can be used as a nominal value for H7 examples.

3.1.1.9. Output SFI file

Output SFI file is the file to be created with sfi extension.

3.1.2. SFI package generation using STM32 Trusted Package Creator CLI (command line interface)

3.1.2.1. Command launched from STM32CubeProgrammer\bin folder

You can use this command line to generate sfi package:

Info white.png Information
Command line below must be launched from the path: C:\Program Files\STMicroelectronics\STM32Cube\STM32CubeProgrammer\bin.
Files called in the command line must also be saved in this folder.
The mentioned ram size, device identity and token address values are the ones used for STM32H7xx, so when you change your target you must use the dedicated values for your target.
 STM32TrustedPackageCreator_CLI.exe -sfi -fir OEM_Dev.bin 0x08000000 -k aeskey.bin -n nonce.bin -ob ob.csv -v 1 --ramsize 0x1E000 -devid 0x450 --token 0x80FF000 -hash 1 -o OEM_Dev.sfi
3.1.2.2. Command launched from another folder ( xcube-sfi example)

xcube-sfi package gives an example of a script used to generate the output file from another directory.
In Folder "Scripts" in X-Cube-SFI_V1.1.0\Projects\<Board_Name>\Applications\SFI\OEM_SecureRoom\Scripts, you can open the script "GenerateSFI_OEM_Dev.bat" with Notepad for example. Script description:

  • STM32TrustedPackageCreator executable Path is defined in "TOOLDIR":
SET TOOLDIR=c:\Program Files\STMicroelectronics\STM32Cube\STM32CubeProgrammer\bin
SET TOOL=%TOOLDIR%\STM32TrustedPackageCreator_CLI.exe
  • Files previously created are set as "KEY", "NONCE" and "OPTBYTE" parameters:
SET SECURE_ROOM=..\..\OEM_SecureRoom
SET KEYDIR=%SECURE_ROOM%\Keys
SET KEY=%KEYDIR%\aeskey.bin
SET NONCE=%KEYDIR%\nonce.bin

SET OPTION_BYTES_DIR=%SECURE_ROOM%\OptionBytes
SET OPTBYTE=%OPTION_BYTES_DIR%\ob.csv
  • Firmware binary and address are defined as "BINARY", and "BINARY_BASE_ADD".
SET APP_INPUT_DIR=%SECURE_ROOM%\Binary
SET BINARY=%APP_INPUT_DIR%\OEM_Dev.bin
SET BINARY_BASE_ADD=0x08000000


  • Image version is marked "1", Output sfi file is created in "OUT_BIN" path as "OUT_FILE" (OEM_Dev.sfi):
SET OUT_BIN=..\Binary
SET OUT_FILE=%OUT_BIN%\OEM_Dev.sfi

SET VERSION=1
  • At least we can launch the command line calling all previously defined parameters:
"%TOOL%" -sfi -fir %BINARY% %BINARY_BASE_ADD% -k %KEY% -n %NONCE% -ob %OPTBYTE% -v %VERSION% --ramsize 0x1E000 -devid 0x450 --token 0x80FF000 -hash 1 -o %OUT_FILE%


Once launched the succeed message displays:

Security sfiGenerationsuccess.png

Output file with sfi extension is now generated, and you can transfer this file in the binary folder to be used in the last step launching "TransferSFIToCM.bat" script placed in this directory: X-Cube-SFI_V1.1.0\Projects\<Board_Name>\Applications\SFI\OEM_SecureRoom\Scripts.

Info white.png Information
xcube-sfi package uses command line interface to generate SFI package. If you want to use this CLI, you can manage a script with your folder directories. If you prefer using GUI (graphical user interface) follow next paragraph.

3.1.3. SFI package generation using STM32 Trusted Package Creator GUI (graphical user interface)

In the SFI panel of STM32TrustedPackageCreator you have to enter the parameters described in Inputs preparation
In the following screenshot the used example is on STM32H735G-DK, and the same method will be used with other supported boards.

TPC SFIcaptureLeft.png

Once all parameters are browsed through you can click on the "Generate SFI" button.


The right panel displays the size of the package generated, and the address to install in flash memory.

Security SFI panel right.png

3.2. HSM programming

Clock.png10min

The programming step consists of the provisioning to the HSM of the following parameters:

  • AES Key
  • Nonce
  • Personalization data
  • ID
  • License counter
Info white.png Information
For HSM programming you can use STM32 Trusted Package Creator CLI (command line interface) or GUI (graphical user interface). These two options are described below

3.2.1. Preparation

AES key and nonce have been generated in the previous step. In this section, we aim to focus on the remaining parameters.

3.2.2. HSM programming with STM32 Trusted Package Creator - CLI (command line interface)

  • Personalization data

The first step for HSM programming is to retrieve the personalization data for the smartcard: with this step, the specific STM32-HSM allows the installation of SFI images to a specific STM32 family of products. This allows the OEM to add additional control on the STM32 parts that are manufactured by the CM.

To perform this operation the user first needs to know the product ID of the device.

  1. Connect your board with the micro-USB cable through the USB ST-LINK connector
  2. Retrieve the STM32 device certificate
    STM32_Programmer_CLI.exe -c port=SWD mode=HOTPLUG -gc certificate.bin
    
    certif cubepg.png

  3. Browse now to the folder C:\Program Files\STMicroelectronics\STM32Cube\STM32CubeProgrammer\bin\PersoPackages and look for the binary file with the corresponding name: device name followed by the product ID.
    - In the STM32H735G-DK example the parameter for the command is:
    c:\Program Files\STMicroelectronics\STM32Cube\STM32CubeProgrammer\bin\PersoPackages\STM32H73x_4830100C_SFI._01000000_00000000.enc.bin
    
  • ID

The ID is a tag name for the HSM card (that is, for the secret key) that could be useful to the CM when multiple cards are used in manufacturing.

  • For the STM32H735G-DK example we use: h735_4830100C.
  • License counter

The license counter is the max number of devices that can be programmed with this HSM.

  • For this example, we use: 300.
Info white.png Information
Each time an SFI process is launched the license counter is decremented even if an error occurs during the process
Info white.png Information
Note that the max value of the counter depends on the specific STM32-HSM you are using - you can refer to the documentation for additional information: STM32HSM-V2)
  • Provisioning
Warning white.png Warning
The HSM can be programmed only once, and this operation is irreversible.

The HSM must be in OEM STATE. If the HSM is already programmed and there is a new attempt to reprogram it, an error message is displayed to indicate that the operation failed and the HSM is locked.


Now that we have defined the parameters, we can proceed with the provisioning of the STM32-HSM.

  1. Plug the HSM into the smart card reader
  2. We can get the state of the HSM with the command:
    Info white.png Information
    Command line below must be launched from the path: C:\Program Files\STMicroelectronics\STM32Cube\STM32CubeProgrammer\bin
    STM32TrustedPackageCreator_CLI.exe -hsm -i 1 -info
    
    Security SFI cmd HSM get info OEM STATE.png

  3. Provision the HSM:
    Info white.png Information
    Command line below must be launched from the path: C:\Program Files\STMicroelectronics\STM32Cube\STM32CubeProgrammer\bin. aeskey.bin and nonce.bin must also be saved in this folder.
    Info white.png Information
    You can also use the script example in XCUBE-SFI, path: X-Cube-SFI_V1.1.0\Projects\<Board_Name>\Applications\SFI\OEM_SecureRoom\Scripts\ Program_Hsm.bat to program the HSM


    In this example, we use STM32H735G-DK files and parameter values:

     STM32TrustedPackageCreator_CLI.exe -hsm -i 1 -k aeskey.bin -n nonce.bin -id "h735_4830100C" -mc 300 -pd 'c:\Program Files\STMicroelectronics\STM32Cube\STM32CubeProgrammer\bin\PersoPackages\STM32H73x_4830100C_SFI._01000000_00000000.enc.bin'
    
    Security SFI cmd HSM perso.png

Warning white.png Warning
At this step, the HSM is programmed and in OPERATIONAL_STATE.

You can get the state of the HSM with the command:

Info white.png Information
Command line below must be launched from the path: C:\Program Files\STMicroelectronics\STM32Cube\STM32CubeProgrammer\bin
STM32TrustedPackageCreator_CLI.exe -hsm -i 1 -info
Security SFI cmd HSM get info after programming.png


The HSM is ready to be shipped to the CM together with the OEM_Dev.bin package created before.

3.2.3. HSM programming using STM32 Trusted Package Creator - GUI (graphical user interface)

Open the tool STM32 Trusted Package Creator.
If the shortcut has not been created on your Desktop during STM32CubeProgrammer installation, you can open it from:
C:\Program Files\STMicroelectronics\STM32Cube\STM32CubeProgrammer\bin

TPC HSM.png
  • Firmware identifier

The ID is a tag name for the HSM card (that is, for the secret key) that could be useful to the CM when multiple cards are used in manufacturing. You can use a significant name for your board and its certificate like in this example: h735_4830100C.

  • Encryption key file

Enter the AES Key file previously generated.

  • Nonce file

Enter the nonce generated in the previous step.

  • Personalization data file

You have to select the MCU used: in this example, the selected MCU is STM32H73.
Press Open, and select the PersoPackages folder.
In this folder you can find the file to use: in this example the used file is STM32H72x_H73x_4830100C_SFI._01000000_00000000.enc.bin

150


  • Maximum number of images to program.

The maximum number of devices that can be programmed with HSM (which depends on the used HSM). For this example, we use: 300

Info white.png Information
Each time an SFI process is launched the license counter is decremented even if an error occurs during the process
Info white.png Information
Note that the maximum value of the counter depends on the specific STM32-HSM you are using - you can refer to the documentation for additional information: STM32HSM-V2 )
  • Provisioning

Now that we have defined the parameters, we can proceed with the provisioning of the STM32-HSM.

Warning white.png Warning
The HSM can be programmed only once and this operation is irreversible.

The HSM must be in OEM STATE. If the HSM is already programmed and there is a new attempt to reprogram it, an error message is displayed to indicate that the operation failed and the HSM is locked.

  1. Plug the HSM into the smart card reader
  2. Provision the HSM:
    Select Program HSM and you have to answer "Yes" to these warning messages before locking your HSM:
    warning1 HSM.png
    warning2 HSM.png
    warning3 HSM.png

    After this step, the HSM is programmed and in OPERATIONAL_STATE.

    The HSM is ready to be shipped to the CM together with the OEM_Dev.sfi package created before.

    4. Manufacturing @ CM: Secure Firmware Installation

    Clock.png10min

    In this step, the CM receives from the OEM the HSM card provisioned with the secret key and initialized with a max counter of licenses, and the .sfi package to be installed (including the firmware and option bytes configuration in encrypted format).

    The SFI process could be performed through a regular JTAG/SWD interface or the system bootloader interface (you can refer to AN2606 for details on the supported interface for each microcontroller).

    The following section cover SWD and other interfaces.

    Info white.png Information
    The Option Bytes regression step configures the OB to their default state ( this operation may not be needed if the CM runs the SFI process on a virgin part).


    Info white.png Information
    All Command lines below must be launched from the path: C:\Program Files\STMicroelectronics\STM32Cube\STM32CubeProgrammer\bin.


    4.1. SWD interface

    4.1.1. Hardware connection

    Plug a micro USB cable into the ST-LINK connector and make sure that STLK JP is ON.

    4.1.2. Option bytes regression

    The following steps configure the device to regress the option bytes configuration to a default state. You can launch the existing option bytes regression file on the following path: X-Cube-SFI_V1.1.0\Projects\<Board_Name>\Applications\SFI\CM\Scripts\PrepareTarget_SWD.bat

    The following example is for STM32H735G-DK OB regression:

    STM32_Programmer_CLI.exe -c port=SWD mode=HOTPLUG -ob RDP=0xAA nWRP0=1 nWRP1=1 nWRP2=1 nWRP3=1 nWRP4=1 nWRP5=1 nWRP6=1 nWRP7=1 BOOT_CM7_ADD0=0x0800 BOOT_CM7_ADD1=0x1FF0 SECURITY=0 -e all -ob displ
    

    After this step, the device is ready for the SFI process.

    4.1.3. Firmware install using STM32CubeProgrammer - CLI (command line interface)

    This command starts the SFI process and proceeds with the installation.

    Warning white.png Warning
    The HSM has to be plugged into the smart card reader during this operation
    STM32_Programmer_CLI.exe -vb 1 -c port=SWD mode=HOTPLUG -sfi OEM_Dev.sfi hsm=1 slot=1
    
    Info white.png Information
    You can also use the script placed in C:\X-Cube-SFI_V1.1.0\Projects\<Board_Name>\Applications\SFI\CM\Scripts:
    • PrepareTarget_SWD.bat to prepare target to SFI process
    • FlashSFI_SWD_OEM_Dev.bat to start the SFI process and proceed with the installation
    Info white.png Information
    You can refer to AN5054 for details on HSM and slot parameters.
    log sfi.png


    After this step, the device is programmed with the OEM application code.

    4.1.4. Firmware install using STM32CubeProgrammer - GUI (graphical user interface)

    To be able to start the SFI process and proceed to the installation with GUI:

    • Open the STM32CubeProgrammer tool
    • Connect the board with STM32CubeProgrammer using port SWD port and HOTPLUG mode
    • Press the Secure programming Icon then SFI/SFIx as mentioned in the screenshot below
    • Plug the HSM in the smart card reader (you can see the HSM status when pressing Refrech button)
    • Choose the Using License from HSM.
    • Select the sfi binary path
    • Press Start SFI/SFIx button

    After the SFI Installation is finished the board will be disconnected to STM32CubeProgrammer.

    SFI With CP GUI.png
    Info white.png Information
    You can also use the sfi binary provided with the SFI/SFIx firmware placed in C:\X-Cube-SFI_V1.1.0\Projects\<Board_Name>\Applications\SFI\CM\Binary:
    • OEM_Dev.sfi to prepare target to SFI process
    Info white.png Information
    You can refer to AN5054 for details on HSM and slot parameters.

    The following Log display in STM32CubeProgrammer:

    SFI Installation LogCapture.png

    After this step, the device is programmed with the OEM application code.

    4.2. Other supported interfaces

    To connect through BL interfaces like USB/UART/SPI, you can use the following cmd to connect the device:

    • USB:
    STM32_Programmer_CLI.exe -c port=USB1
    
    • UART:

    For UART, you must check the detected COM port either by connecting through the STM32CubeProgrammer or check the detected port in Device Manager on your computer. Then you can put your preferred baud rate value. In this case, the UART COM port is COM18 and the baud rate value is 115200.

    STM32_Programmer_CLI.exe -c port=COM18 br=115200
    
    • SPI:

    When choosing SPI as your connection interface, you can put as follows with choosing your preferred baud rate value:

    STM32_Programmer_CLI.exe -c port=SPI br=6000
    
    Info white.png Information
    For more details, you can find an example using all the mentioned interfaces where the detailed connection and tests are explained in the readme file: X-Cube-SFI_V1.1.0\Projects\NUCLEO-H753ZI\Applications\SFI.

    4.2.1. Hardware connection

    To test the SFI through a different interface, you must:

    • Check that the needed interface is supported by the bootloader: AN2606
    • Check the connectors and pins are available on the board to be able to realize the connection
    • Plug a micro-USB cable into the ST-LINK connector and make sure that STLK JP is ON
    • Switch the boot switcher to boot1 (SYS MEM) or connect boot1 pins if any (it depends on the used board), to enable the system bootloader at boot.
    • Reset the board.

    4.2.2. Option bytes regression

    The following steps configure the device to regress the option bytes configuration to a default state. You can launch the existing option bytes regression file on the following path: X-Cube-SFI_V1.1.0\Projects\<Board_Name>\Applications\SFI\CM\Scripts\PrepareTarget_<Interface>.bat.

    The following example is for STM32H735G-DK OB regression using the USB interface:

    STM32_Programmer_CLI.exe -c port=USB1 -ob RDP=0xAA nWRP0=1 nWRP1=1 nWRP2=1 nWRP3=1 nWRP4=1 nWRP5=1 nWRP6=1 nWRP7=1 BOOT_CM7_ADD0=0x0800 BOOT_CM7_ADD1=0x1FF0 SECURITY=0 -e all -ob displ
    

    After this step, the device is ready for the SFI process.

    4.2.3. Firmware install

    This command starts the SFI process and proceeds with the installation using the USB interface.

    Warning white.png Warning
    The HSM has to be plugged into the smart card reader during this operation
    STM32_Programmer_CLI.exe -vb 1 -c port=USB1 -sfi OEM_Dev.sfi hsm=1 slot=1
    


    Info white.png Information
    You can also use the script placed in C:\X-Cube-SFI_V1.1.0\Projects\<Board_Name>\Applications\SFI\CM\Scripts:
    • PrepareTarget_<Interface>.bat to prepare target to SFI process
    • FlashSFI_<Interface>_OEM_Dev.bat to start the SFI process and proceed with the installation

    Where the <Interface> could be SWD/SPI/UART/USB.

    Info white.png Information
    You can refer to AN5054 for details on HSM and slot parameters.

    After this step, the device is programmed with the OEM application code.

    To check that the SFI is successfully installed: make sure that the boot is in position 0 (FLASH) then reset the Board.

    5. Performance tests

    Some performance tests performed on the STM32H735G-DK board are mentioned in this SFI Step-by-step on STM32H735 Discovery Kit article.


    6. References