Getting started with STM32H5 security


The practical examples listed below give an overview of the STM32H5 security solutions and help in understanding them.
These practical examples are based on the boards, tools and code examples provided by ST.
For the examples listed below, each step to be followed is described in detail.
It is advised to start with these examples before running your own trials or using the other security-related examples available in the STM32Cube_H5.

| Product series | STM32H503 | STM32H533 | STM32H563 | STM32H573 | Prerequisite | Introduction article |
|---|---|---|---|---|---|---|
| Development boards | NUCLEO H503RB (MB1814) | NUCLEO H533RE | NUCLEO H563ZI (MB1404) | DISCOVERY H573II (MB1677) | - | - |
| Embedded flash size | 128k | 512k | 2M | 2M | - | - |
| Debug Authentication | | | | | | |
| Debug Authentication TZ disabled example | Link to How To | - | Link to How To | Link to How To | STM32CubeH5 | Link |
| Debug Authentication TZ enabled example | NA | - | Link to How To | Link to How To | STM32CubeH5 | Link |
| Certificates linked to SOC ID and Class | NA | - | - | Link to How To | STM32CubeH5 | Link |
| Immutable Root of Trust (iRoT) | | | | | | |
| STiRoT example | NA | - | NA | Link to How To | STM32CubeH5 | Link |
| OEMiRoT TZ disabled example | Link to How To | - | - | - | STM32CubeH5 | Link |
| OEMiRoT TZ enabled example | NA | Link to How To | Link to How To | Link to How To | STM32CubeH5 | Link |
| STM32CubeMX STiRoT example | NA | - | NA | Link to How To | STM32CubeMx_V6.9.0 or later | Link |
| STM32CubeMX OEMiRoT example | - | - | Link to How To | Link to How To | STM32CubeMx_V6.9.0 or later | Link |
| Secure Manager | | | | | | |
| Secure Manager on STM32H573 (default configuration) | NA | NA | NA | Link to How To | STM32CubeH5_V1.1.1 or later; X-CUBE-SEC-M-H5_v1.0.0 or later | Link |
| Secure Manager on STM32H573 (customized configuration) | NA | NA | NA | Link to How To | STM32CubeH5_V1.1.1 or later; X-CUBE-SEC-M-H5_v1.0.0 or later | Link |
| STM32CubeMX Secure Manager example | NA | NA | NA | Link to How To | STM32CubeMx_V6.9.0 or later | Link |
  • Note:
    • TZ: TrustZone
    • NA: Not Applicable
    • - : supported, but no dedicated wiki article example is available

1. Secure Boot

The secure boot and its related root of trust are implicitly used in all the proposed "How to start" step-by-step examples.
A boot path can be defined from scratch, and a related firmware frame is generated using STM32CubeMX.
The example on this topic is based on STM32CubeMX.

2. Debug Authentication

It is key to understand how to configure Debug Authentication (DA) in order to define the appropriate rights to reopen the debugger once it has been closed.

3. OEMiRoT

An OEM can develop its own customized immutable root of trust (OEMiRoT).
It is advised to read the Secure Boot for STM32H5 wiki article to understand the different possible roots of trust.

4. STiRoT

An immutable root of trust defined by ST (STiRoT) is included natively in the STM32H57x series.
It is embedded firmware stored in the system flash that cannot be modified.
It is advised to read the Secure Boot for STM32H5 wiki article to understand the different possible roots of trust.

5. Secure Manager

ST provides a solution, called the Secure Manager, that enhances the security offer and is easy to install and use.
It provides a secure boot, an updatable root of trust, PSA secure services available at run time of the application, and secure module management.
The Secure Manager is only supported for the STM32H573xx product line.

