Getting started with STM32H5 security

A set of practical examples is proposed to get an overview and to understand the STM32H5 security solutions.
These practical examples are based on the boards, tools and code examples provided by ST.
For the examples listed below, each step to be followed is described in detail.
It is advised to start with these examples before making your own trials or using other security related examples available in the STM32Cube_H5.

Product Series					Prerequisite	Introduction article
Development Boards	NUCLEO H503RB (MB1814)	NUCLEO H533RE	NUCLEO H563ZI(MB1404)	DISCOVERY H573II(MB1677)	-	-
Embedded flash size	128k	512k	2M		-	-
Debug Authentication
Debug Authentication TZ disabled example	Link to How To	-	Link to How To	Link to How To	STM32CubeH5	Link
Debug Authentication TZ enabled example	NA	-	Link to How To	Link to How To	STM32CubeH5	Link
Certificates linked to SOC ID and Class	NA	-	-	Link to How To	STM32CubeH5	Link
Immutable Root of Trust (iRoT)
STiRoT example	NA	-	NA	Link to How To	STM32CubeH5	Link
OEMiRoT TZ disabled example	Link to How To	-	-	-	STM32CubeH5	Link
OEMiRoT TZ enabled example	NA	Link to How To	Link to How To	Link to How To	STM32CubeH5	Link
STM32CubeMX STiRoT example	NA	-	NA	Link to How To	STM32CubeMx_V6.9.0 or later	Link
STM32CubeMX OEMiRoT example	-	-	Link to How To	Link to How To	STM32CubeMx_V6.9.0 or later	Link
Secure Manager
Secure Manager on STM32H573 (default configuration)	NA	NA	NA	Link to How To	STM32CubeH5_V1.1.1 or later; X-CUBE-SEC-M-H5_v1.0.0 or later	Link
Secure Manager on STM32H573 (customized configuration)	NA	NA	NA	Link to How To	STM32CubeH5_V1.1.1 or later; X-CUBE-SEC-M-H5_v1.0.0 or later	Link
STM32CubeMX Secure Manager example	NA	NA	NA	Link to How To	STM32CubeMx_V6.9.0 or later	Link

• Note:
  
  • TZ: Trust Zone
  • NA: Not Applicable
  • - : supported but no dedicated wiki article example available

1 Secure Boot

The secure boot and related root of trust is implicitly used in all the proposed " How to start" step by step examples.
A bootpath can be defined from scratch and a related firmware frame is generated using the STM32CubeMx.
The example on this topic is based on the STM32CubeMx.

• The Secure Boot for STM32H5 wiki article explains the possible bootpaths for the different STM32H5 series.
  
• The Secure Boot STM32H5 How to Introduction wiki article gives a short technical introduction to be read before executing the getting started.
  

2 Debug Authentication

It is key to well understand how to set the Debug Authentication (DA) in order to define the appropriate rights to reopen the debugger once closed.

• It is strongly advised to read the Debug Authentication for STM32H5 wiki article.
  
• The Debug Authentication STM32H5 How to Introduction wiki article summarizes all the technical know-how to be read before executing the getting started.
• Two getting started dedicated to the DA are proposed, using for the user application firmware the GPIO_IOToggle of the STM32CubeH5.
  • How to start with DA access on STM32H503
  • How to start with DA access on STM32H573 and H563-TrustZone disabled
• Two further getting started examples address the Debug Authentication, including a step-by-step section showing the principle of the certificate chain, and how to use it. But it needs to execute the related step-by-step starting from the beginning.
  • Part of the STiRoT how to start: How to start with STiRoT on STM32H573
  • Part of the OEMiRoT how to start: How to start with OEMiRoT on STM32H573 and 563
• It is possible to link a certificate or certificate chain to the SOC Class (product family ID) and / or SOC ID (unique device ID)
  • The generated certificate or certificate chain will be valid only for this product or even for a specific sample.
  • The How to start with certificate linked to SOC class and ID on STM32H5 article explains how to proceed
  • The example is provided for STM32H573/STM32H563 but is applicable for all STM32H5 except STM32H503 where only the debug authentication through password is supported.

3 OEMiRoT

An OEM can develop its own customized Immutable Root Of Trust (OEMiRoT).
It is advised to read the Secure Boot for STM32H5 wiki article to understand the different possible Root of Trust.

• The OEMiRoT STM32H5 How to Introduction wiki article gives a short technical introduction to be read before executing the getting started.
  
• Two getting started dedicated to the OEMiRoT based on the STM32CubeH5 are proposed:
  • How to start with OEMiRoT on STM32H503
  • How to start with OEMiRoT on STM32H573 and 563

4 STiRoT

An immutable root of trust defined by ST is included natively for the STM32H57x series.
It is an embedded firmware stored in the system flash and that cannot be modified.
It is advised to read the Secure Boot for STM32H5 wiki article to understand the different possible Root of Trust.

• The STiRoT STM32H5 How to intro wiki article gives a short technical introduction to be read before executing the getting started.
  
• The How to start with STiRoT on STM32H573 article provides an example based on the STM32CubeH5.

5 Secure Manager

ST provides a solution enhancing the security offer and this solution is easy to install and to use.
This solution is called the Secure Manager. It provides a secure boot, updatable root of trust, PSA secure services available at run time of the application, and a secure module management.
The secure manager is only supported for the STM32H573xx product line.

• The Secure Manager wiki article gives technical explanations.
• The Secure Manager STM32H5 How to Intro wiki article is an introduction for the "step by step".
• The How to start with Secure Manager (default configuration) on STM32H5 wiki article describes, step by step, how to install and use the Secure Manager. It is advised to start first with this simple example.
• The How to start with Secure Manager (customized configuration) on STM32H5 wiki article describes, step by step, how to modify the default configuration and customize the Secure Manager (SMAK).