Debug Authentication for STM32H5

Revision as of 13:35, 18 June 2024 by Registered User

1. Introduction

This article gives an overview about Debug Authentication applied to STM32H5 MCUs.

A detailed description of Debug Authentication is provided in AN6008

If you want to learn more about Debug Authentication specific usage for each STM32H5 device and you want to practice, refer to Debug Authentication STM32H5 How to Introduction

List of applicable products:

Type Products
Microcontroller STM32H573xx, STM32H563xx, STM32H562xx, STM32H533xx, STM32H523xx, STM32H503xx

2. Debut Authentication Services

The debug authentication allows to securely:

  • Re-open the debug access
  • Perform regression to product states OPEN (full regression) or TZ-CLOSED (partial regression)

The debug authentication services are usable:

  • During development
  • For field return analysis

Here is an overview of the debug authentication setup : DA setup

Two Authentication methods are available :

  • When TrustZone® is disabled, the authentication method used by the protocol requires a password. Only a full regression to the OPEN state is possible.
  • When TrustZone® is enabled, the authentication method used by the protocol requires certificate chain. Regression and debug opening are possible. In this case, the possible actions are :
    • a partial regression (to TZ-CLOSED state)
    • a full regression (to OPEN state)
    • a debug re-opening

When using certificates, the authorized actions are defined through masks.

Refer to AN6008 for more details about Debug Authentication certificates, actions and masks usage.

The Debug Authentication protocol uses the JTAG dedicated access point (ap0) to communicate with the chip.
The protocol is defined by Arm®: ARM PSA ADAC V1.0. (Authenticated Debug Access Control PSA ADAC V1.0. (Authenticated Debug Access Control)

Refer to AN6008 for more details on the Debug Authentication protocol.

3. Debug Authentication provisioning

The debug authentication provisioning consists in storing the password hash or hash of the key related to the root certificate inside the chip.
According to the STM32H5 series devices, these data are stored in OBKey or in OTP.

  • STM32H523/533/562/563/573 has OBKey areas used to store keys/ passwords.
  • STM32H503 devices don't have an OBKey area and use OTP (one-time programming) area to store the password hash. That means that provisioned password hash cannot be changed anymore once provisioned.

Refer to AN6008 for more details on the Debug Authentication provisioning.