How to migrate a project from X-CUBE-SEC-M-H5 v1.1.2 to v1.2.0 or later on STM32H5

1. Secure Manager installation

To update your environment and provision the latest Secure Manager, proceed as explained in the following wiki How to start with Secure Manager default configuration on STM32H5.

Warning white.png Warning
Follow thoroughly the Python® part.

Once this is done, you have:

  • STM32CubeH5 v1.3.0 in /path/to/CubeH5_v1.3.0
  • X-CUBE-SEC-M-H5 v1.2.0 applied on top of STM32CubeH5
  • Secure Manager running on your target

2. Project preparation

To work with the new ecosystem, you must setup a few things for your project.

Info white.png Information
If your project was embedded in your previous install of STM32CubeH5 v1.2.0 (for instance in Project/STM32H573I-DK/Application/ROT/MyCustomProject), copy it in your new STM32CubeH5 directory.

2.1. Getting the Python® file

Copy and paste project.py and project.ini from Project/STM32H573I-DK/Templates/ROT/SMAK_Appli to your project directory:

Security project file to copy.png

You must now update the project.ini.

project.ini source project.ini updated Description
[sm]
path=./../../../ROT_Provisioning/SM/
[sm]
path=/relative_path/to/cubeH5_v1.3.0/Project/STM32H573I-DK/ROT_Provisioning/SM/
Relative path from project.ini to SM directory
[binary_download]
image_xml = ./Images/SM_Code_Image.xml
output = ./Binary/appli_enc_sign.hex



[binary_download]
image_xml = ./Images/SM_Code_Image.xml
output = ./Binary/appli_enc_sign.hex
Info white.png Information
Path and filename can be customized, but Images and Binary were used in the previous version.
Relative path from project.ini to the image xml and the output binary used to program the target
[binary_ota]
image_xml = ./Images/SM_Code_Image_bin.xml
output = ./Binary/appli_enc_sign.bin



[binary_ota]
image_xml = ./Images/SM_Code_Image_bin.xml
output = ./Binary/appli_enc_sign.bin
Info white.png Information
Path and filename can be customized, but Images and Binary were used in the previous version.
Relative path from project.ini to the image xml and the output binary used for OTA update
[iar]
linker = ./EWARM/stm32h573xx_flash.icf
output = ./EWARM/STM32H573I-DK_SMAK_Appli_Templates/Exe/appli.bin
 
[keil]
linker = ./MDK-ARM/stm32h5xx_app.sct
output = ./MDK-ARM/STM32H573I-DK_SMAK_Appli/Exe/Project.hex
 
[cubeide_debug]
linker = ./STM32CubeIDE/STM32H573IIKXQ_FLASH.ld
output = ./STM32CubeIDE/Debug/STM32H573I-DK_SMAK_Appli_Templates.bin
 
[cubeide_release]
linker = ./STM32CubeIDE/STM32H573IIKXQ_FLASH.ld
output = ./STM32CubeIDE/Release/STM32H573I-DK_SMAK_Appli_Templates.bin
[iar]
linker = ./EWARM/stm32h573xx_flash.icf
output = ./EWARM/MyProject/Exe/nonsecure_app.bin
Info white.png Information
You can use free text in the section name ([iar]) and keep the relevant IDE.

If you have multiple build configurations, you can add multiple sections like [iar_release] and [iar_debug]. It automatically handles the linker script update based on the linker file extension.




Relative path from project.ini to the linker file and the output binary out of compilation

2.2. Updating prebuild and postbuild

Update in your project settings so your prebuild/postbuild call those functions:

  • prebuild

python ../project.py prebuild --compiler {compiler}

  • postbuild

python ../project.py postbuild

For example, using IAR, with the [iar] configuration:

Security iar prebuild postbuild.png

Info white.png Information
To see how it works for other compilers, check the Projects/STM32H573I-DK/Templates/ROT/SMAK_Appli IDE project as an example.

2.3. Updating clock configuration

Last but not least, there are new requirements regarding clock configuration; Ensure that:

  • HSI48 and LSI are not configured in your SystemClockInit(), for example:
Before After
/* Use HSE in bypass mode and activate PLL with HSE as source. Enable HSI48. */
RCC_OscInitStruct.OscillatorType = RCC_OSCILLATORTYPE_HSE|RCC_OSCILLATORTYPE_HSI48;
RCC_OscInitStruct.HSI48State = RCC_HSI48_ON;
RCC_OscInitStruct.HSEState = RCC_HSE_BYPASS_DIGITAL;
RCC_OscInitStruct.PLL.PLLState = RCC_PLL_ON;
RCC_OscInitStruct.PLL.PLLSource = RCC_PLL1_SOURCE_HSE;
/* Use HSE in bypass mode and activate PLL with HSE as source.*/
 RCC_OscInitStruct.OscillatorType = RCC_OSCILLATORTYPE_HSE;
 RCC_OscInitStruct.HSEState = RCC_HSE_BYPASS_DIGITAL;
 RCC_OscInitStruct.PLL.PLLState = RCC_PLL_ON;
 RCC_OscInitStruct.PLL.PLLSource = RCC_PLL1_SOURCE_HSE;
  • LPTIM6 is not used by your nonsecure application as it is now privatized by the Secure Manager

3. Building and testing your application

Now you are ready to test.

3.1. Building your application

You can build your application:

	Project - STM32H573I-DK_SMAK_Appli			
	Reading project nodes...			
				
	Cleaning... 59 files.			
	Pre-build command			
	2024-07-15 14:39:35,253 - INFO - Running prebuild ...			
	2024-07-15 14:39:43,772 - INFO - Linker files updated successfully			
	2024-07-15 14:39:45,817 - INFO - XML images and key updated successfully			
    ....
    Post-build command			
	2024-07-15 14:40:11,642 - INFO - Postbuild successful			
				
	Total number of errors: 0			
	Total number of warnings: 0			
				
	Build succeeded

3.2. Downloading your application

As explained in How to start with Secure Manager (customized configuration) on STM32H5, you must now use: python project.py download It then downloads [binary_download].binary from project.ini to your target.

Security download project success.png

You application is running, built, and downloaded with the new ecosystem.