How to start with Debug authentication (DA) access on STM32H503
Target description
This tutorial describes provisioning and full regression on STM32H503 product lines.
The provisioning process goes through 3 steps:
- Programming of initial option bytes.
- Generating and flashing the code image.
- Provisioning of password.
The fourth step provides details on full regression.
Prerequisites
- Introduction to Debug Authentication for STM32H5 MCUs
- RM0492 STM32H503xx Reference Manual
- Knowledge of STM32CubeProgrammer (STM32CubeProg)
- Knowledge of the JTAG / SWD debug interface
Hardware
- Nucleo MB1814 with STM32H503
Required tools
- STM32CubeProgrammer[1]: software programming tool for STM32 (v2.13.0 minimum), including STM32TrustedPackageCreator
- STM32Cube_FW_H5_V1.0.0 [2] or higher version
- IAR Embedded Workbench© v9.20.1 or higher version
- Tera Term or equivalent UART Terminal emulator
Literature
- Introduction to Debug Authentication for STM32H5 MCUs
- RM0492 STM32H503xx Reference Manual
- UM2237 STM32CubeProgrammer software description
- UM2238 STM32 Trusted Package Creator tool software description
- AN5054 Secure programming using STM32CubeProgrammer
- AN2606 STM32 microcontroller system memory boot mode
Environment setup
The environment used in the Debug authentication process must be prepared beforehand.
- Download the STM32CubeH5 package and install it.
- A directory NUCLEO-H503RB is included in the Projects directory.
1. STM32H503 specific behavior
The STM32H503 product lines are based on the STM32H5x3 device architecture, without any Arm® TrustZone®.
To make regression possible with Debug Authentication, a password must be provisioned on the STM32H503 product line.
Because the flash memory interface of STM32H503 does not provide OBKeys, the HASH of the password is provisioned in OTP instead.
2. Provisioning
The script NUCLEO-H503RB\ROT_Provisioning\DA\provisioning.bat does the provisioning.
This script performs the following actions:
- Setting the option bytes of the device.
- Setting a password to the board.
- Setting the final chosen product state according to user selection.
2.1. Provisioning - Step 1: Programming of initial option bytes
- Connect the board.
- Run the provided provisioning.bat script (double click). The script proceeds with the programming of the option bytes.
- Remove all the protections.
- Erase the user flash memory.
2.2. Provisioning - Step 2: Generating and flashing the code image
Once the option bytes are successfully programmed, the script asks to flash your application. Follow the instructions.
In the example, we use the GPIO_IOToggle application located in: Projects\NUCLEO-H503RB\Examples\GPIO\GPIO_IOToggle\EWARM
Make sure that the STM32H5 IAR patch is installed properly. This patch is available in the Utilities\PC_Software\IDEs_Patches\EWARM folder.
- Open Project.eww, located in the EWARM directory: Projects\NUCLEO-H503RB\Examples\GPIO\GPIO_IOToggle\EWARM
- Go to Project > Rebuild all
- Once the project is correctly built, go to: Project > Download > Download active application to flash the code.
- Reset the board using the black button. The green LED must blink at that stage.
2.3. Provisioning - Step 3: Provisioning the password and setting the final product state
2.3.1. Password not yet provisioned
- Go back to the provisioning script window and press a key to continue.
- The script asks whether the password was already provisioned.
Before answering "No", you have the possibility to update the default password in the user_password.bin file.
user_password.bin: the password (16 bytes) that will be provisioned is defined here.
board_password.bin: HASH of the user password, which will be provisioned in the chip.
password.bin: output file opening the DA access for regression.
board_password.bin and password.bin are automatically updated with the new password saved in user_password.bin when the provisioning script is run.
The script can still be run even if the default password is not updated. Answer "No" to continue.
- Follow the script and choose the product state: PROVISIONED or CLOSED.
Make a first trial setting the product in PROVISIONED state:
The installed code must run, and the LED blinks.
Skip the next paragraph (2.3.2) and go to section 3: Full regression.
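The three password files above are related but easy to get out of step: user_password.bin holds the 16-byte secret, board_password.bin holds its hash, and a stale hash would leave the device provisioned with a value that no longer matches the password.bin you later present for regression. The following helper is an added example, not part of this page or of the STM32CubeH5 package: it generates a fresh random password, writes the user_password.bin / board_password.bin pair, and checks an existing pair for consistency before provisioning.bat is run. The page only says "HASH"; the choice of SHA-256 is an assumption of this example, so compare its board_password.bin with the one the script generates before relying on it. password.bin is produced by the script and is not regenerated here.

```python
"""Added example (not part of the ST wiki page or the STM32CubeH5 package):
prepare and sanity-check the user_password.bin / board_password.bin pair
used by provisioning.bat.

Assumptions, labelled as such:
  - the password is exactly 16 bytes, as the page states;
  - board_password.bin holds a SHA-256 digest of the password (the page only
    says "HASH"; SHA-256 is an assumption of this example);
  - password.bin is produced by the provisioning script and is not
    regenerated here.
"""
import hashlib
import secrets
from pathlib import Path

PASSWORD_LEN = 16  # bytes, as stated on the page


def generate_user_password() -> bytes:
    """Create a fresh random 16-byte password to replace the shipped default."""
    return secrets.token_bytes(PASSWORD_LEN)


def hash_password(password: bytes) -> bytes:
    """Digest stored in board_password.bin (SHA-256 assumed, see module docstring)."""
    if len(password) != PASSWORD_LEN:
        raise ValueError(f"password must be {PASSWORD_LEN} bytes, got {len(password)}")
    return hashlib.sha256(password).digest()


def write_password_files(directory: Path, password: bytes) -> None:
    """Write user_password.bin and the matching board_password.bin."""
    (directory / "user_password.bin").write_bytes(password)
    (directory / "board_password.bin").write_bytes(hash_password(password))


def check_password_files(directory: Path) -> list[str]:
    """Return a list of problems; an empty list means the pair is consistent.

    Run this before provisioning: a password of the wrong length, or a
    board_password.bin left over from an earlier password, would provision a
    hash in OTP that the password you keep cannot open.
    """
    problems: list[str] = []
    user = directory / "user_password.bin"
    board = directory / "board_password.bin"
    if not user.exists():
        return ["user_password.bin is missing"]
    pw = user.read_bytes()
    if len(pw) != PASSWORD_LEN:
        problems.append(f"user_password.bin is {len(pw)} bytes, expected {PASSWORD_LEN}")
        return problems
    if not board.exists():
        problems.append("board_password.bin is missing (run provisioning.bat to generate it)")
    elif board.read_bytes() != hash_password(pw):
        problems.append("board_password.bin does not match the hash of user_password.bin")
    return problems


if __name__ == "__main__":
    # Stand-alone demonstration in a temporary directory; point `d` at
    # NUCLEO-H503RB\ROT_Provisioning\DA to use it on the real files.
    import tempfile

    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        write_password_files(d, generate_user_password())
        print("problems:", check_password_files(d))
```

Keep the generated user_password.bin somewhere safe: once the product is set to PROVISIONED or CLOSED, the password.bin derived from it is the only way to open DA access for a regression.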
2.3.2. Password already provisioned
- Go back to the provisioning script window. Press a key to continue.
- The script asks whether the password was already provisioned. Answer "Yes" to continue.
- Follow the script and choose the product state: PROVISIONED or CLOSED.
As a test, set the product to PROVISIONED state:
The installed code must run, and the LED blinks.
Follow this tutorial until the end.
3. Full regression
A full regression erases the user stored content and sets the product to open state. This can be done by following these steps:
- Erase the user flash memory content.
- Set the product to open state.
If the product is already in open state, a full regression is not needed, since the device is not secured and changes can be made without any authentication. In this case, running the regression script reports errors.
If the product is not in open state, the product state can only be changed with a full regression.
3.1. Full regression using the provided script
The regression can be done using the provided script, or using STM32CubeProgrammer (see 3.2).
For a full regression, follow these steps:
- Launch the regression.bat script located in ROT_Provisioning\DA
- If the regression is successful, the following message is displayed:
Connect STM32CubeProgrammer to check that the flash memory content is properly erased, and that the option bytes and product state are at default values.
3.2. Full regression using STM32CubeProgrammer
- Disconnect STM32CubeProgrammer, then unplug and replug the USB cable.
- Redo the exercise from Step 1, this time choosing the "CLOSED" product state.
- In STM32CubeProgrammer, select "Debug Authentication".
- Click "Discover". The information window is filled.
- Provide the password.bin file.
- Click Full regression. When performed successfully, the following message is displayed:
- Check with STM32CubeProgrammer, over the ST-LINK SWD connection, that the flash memory content is successfully erased and that the product state and option bytes are at default values.