Connectivity:STM32CubeWBA BLE - OEMiROT & Secure Firmware Update

1. Introduction

1.1. OEMiROT

OEMiROT is the bootloader developed by STMicroelectronics.

This bootloader is embedded in several products, including the STM32WBA6, and is based on the MCUboot open-source library. MCUboot is a reference implementation of a secure bootloader infrastructure on MCUs, already used in various implementations, such as Zephyr, TF-M, and Mynewt.

One of the main features of a secure bootloader is the secure firmware upgrade. A basic example, included with every STM32Cube package, demonstrates how to download new firmware or data using the YModem protocol over UART transport.

Since the STM32WBA6 includes Bluetoothc Low Energy (BLE) protocol, an example has been created to show how to perform a secure update of new firmware or data over the air (SFOTA) on this device using BLE.

This example can be found here: https://github.com/stm32-hotspot/STM32WBA-OEMiROT-FOTA.

This Wiki page is dedicated to explaining how the example works.

1.2. Prerequisite

This page introduces the Secure Firmware Update Over The Air (SFOTA):

  • SFOTA relies on the OEMiROT secure bootloader, a common secure bootloader used across various STMicroelectronics parts. It is then important to understand its functionality. The following article details how to utilize the OEMiROT on the STM32WBA, and it must be reviewed before proceeding with the SFOTA project: Security:OEMiRoT OEMuRoT for STM32WBA - stm32mcu
  • OEMiROT uses the TrustZone® framework. Even if the secure part of the TrustZone is not of interest for your matter (no code/data in the secure part), TrustZone must be activated to support the OEMiROT. Here you will find resources on how to create a simple BLE project on STM32WBA5 with the TrustZone activated: STM32WBA Bluetooth® LE & TrustZone - stm32mcu

2. Using OEMiROT for Secure FOTA

2.1. Images and slots

As for every MCUBoot based bootloader, the OEMiROT uses the notion of slot and image for its internal processing.

Image/Slot
  • Image: An “image” in MCUboot, refers to a complete binary that can be loaded or executed by the microcontroller. This image can include application code or application data.
  • Slot: A “slot” in MCUboot is a unit that can contain an image (download slot or install slot)

In our example, two slots per image are used:

  • A download slot where a new image is downloaded and where mcuboot checks for updates
  • An install slot where images are installed and executed.

The full explanation of the update strategy can be found here : Security:OEMiRoT OEMuRoT for STM32WBA#OEMiRoT-2FOEMuRoT activation

2.2. SMP and MCUMGR

2.2.1. Introduction

As most of the security-related firmware manipulation (decryption, signature verification, rollback mechanism) is handled by the Secure bootloader (OEMiROT), the goal of the BLE application to make a secure firmware update is to manipulate and put the firmware to the correct download slot.

As OEMiROT, several projects are based on MCUboot. Unifying the transport layer for all ecosystems is the main goal of this project.

Zephyr ecosystem already proposes a standardized exchange layer for firmware upgrade, called MCUmgr.

As STMicroeletrconics is also present in the Zephyr ecosystem, the goal of this STM32Cube project is to unify the MCUmgr protocol between Zephyr and STM32Cube Ecosystem.

2.2.1.1. Protocol description

An open-source protocol called MCUmgr allowing to remotely manage MCU is currently embedded into the Zephyr environment.

A part of this protocol allows to manipulate the different images and slots of a remote device, to perform firmware update.

MCUmgr protocol is used on top of the SMP (Simple Managment Protocol). This protocol (which is not the same as the Bluetooth SMP layer) allows to encapsulate MCUmgr protocol to be exchanged on BLE or UART transport.

The full description of the two protocols can be found here

MCUmgr & SMP layers

2.3. STM32WBA-OEMiROT-FOTA example project

The OEMiROT FOTA project replaces the default OEMiROT project. It is located in the folder: Firmware\Projects\STM32WBA65I-DK1\Applications\ROT

The SFOTA project only supports the OEMiROT bootloader configuration and the TrustZone isolated project (Secure and NonSecure projects).

Connectivity oemirot architecture detailed without loader.png

It is composed of two different subprojects:

  • OEMiROT_Boot

OEMiROT bootloader project, responsible of handling the secure boot and secure update mechanism.

  • OEMiROT_Appli_TrustZone

This is the user application, which will be booted. This application contains the BLE application and the SMP and MCUmgr layer to update the different images using the BLE protocol.

  • Data images

Data images are located in the folderFirmware\Projects\STM32WBA65I-DK1\ROT_Provisioning\OEMiROT\Binary:

  • ns_data.bin: nonsecure data
  • s_data.bin: secure data

The encrypted and signed versions are created when the provisioning script is launched.

By default, in our example, there are three updatable applicative images:

  • A secure code image for the secure code project. This image configures the global security attribution and boots the nonsecure image. This is the Secure project of the OEMiROT_Appli_TrustZone
  • A nonsecure image for the nonsecure code. This image runs the main application with the BLE and firmware upgrade facilities. This is the NonSecure project of the OEMiROT_Appli_TrustZone
  • A NonSecure data image, displayed at the beginning of the boot of the NonSecure image. The only purpose of this image is to demonstrate the update of a data image. The first byte of the image is its revision version. This is the ns_data.bin binary

All these images use a dual slot configuration with overwriting mechanisms (the new images to download are pushed to secondary slot).

Upon reboot, mcuboot installs the secondary slot to the primary slot by overwriting it.

2.3.1. Setup and compilation

The full information on how to setup your environment is described in Security:OEMiRoT OEMuRoT for STM32WBA#Provisioning process.

2.3.1.1. Environment setup

The scripts allowing to customize the projects to your environment are env.sh and env.bat in the folder Projects/STM32WBA65I-DK1/ROT_Provisioning/.

If your environment is not the default one (that is, you use several versions of STtools, or you have not installed it to the standard path), you must edit these files to match your desired environment.

2.3.1.2. Bootloader configuration setup

The bootloader overall behavior is done in the OEMiROT_Boot project:

  • Security behavior: RDP level, MPU, HDP, WRP configuration, ...
  • Memory layout behavior: use of external flash memory, number of slots, number of images, ...

At the end of the compilation of the OEMiROT_Boot project, post-build scripts are executed to reflect this behavior to the OEMiROT_Appli_TrustZone project.

To keep a consistent environment, every modification of the OEMiROT_Boot project must be followed by a full recompilation of the different projects.

2.3.1.2.1. Security setup

The bootloader uses of STM32WBA6 security features. It can be enable/disabled in the following file:

Projects/STM32WBA65I-DK1/Applications/ROT/OEMiROT_Boot/Inc/boot_hal_cfg.h.

The following options can be modified:

  • Icache
  • WRP protection
  • HDP protection
  • SRAM2 erase at reset
  • Tampering
  • Option byte locking
  • MPU
  • RDP
2.3.1.2.2. Memory layout setup

The overall bootloader and application configuration can be made with the file

Projects/STM32WBA65I-DK1/Applications/ROT/OEMiROT_Boot/Inc/flash_layout.h

In this file several options can be chosen:

  • Overwrite-only configuration
  • Use of an external flash memory
  • Number of applicative images
  • Number of secure and nonsecure data slots
  • Size of the different slots
2.3.1.3. Compilation

Once the previously mentioned options have been chosen, the compilation of the different project can be done

1. Compile the OEMiROT_Boot project.

This step must be done first, because post-build script of the OEMiROT_Boot project populates the rest of the script and project with the right values corresponding to the chosen configuration

2. Compile the OEMiROT_Appli_TrustZone project

2.3.1.4. Image signature and encryption

The encryption and signature is done automatically by post-build script. This script is launched after the OEMiROT_Appli_TrustZone compilation is done.

The resulting files are present in the OEMiROT_Appli_TrustZone/Binary folder with _enc and/or _sign suffixes, depending upon the OEMiROT security options

2.3.2. Flash

The flashing is done with several scripts in the folder Projects/STM32WBA65I-DK1/ROT_Provisioning/OEMiROT. If you have compiled with STM32CubeIDE, use the .sh file extension, if the projects have been compiled with IAR or Keil, use the .bat extension.

  • img_config.{bat, sh}: holds the current project configuration, not to be executed
  • ob_flash_programming.{bat, sh} : allows to flash boot, applicative project, along the right option bytes.
  • provisioning.{bat, sh}: allows to set-up the board to be ready for an OEMiROT project
  • regression.{bat, sh} : allows to set-up the board to be programmed with new files

During the development process, to flash new firmware, the script regression.{bat, sh} must be launched to configure the board to accept a new firmware.

When flashing the project, the provisioning.{bat, sh} must be launched.

2.3.3. Step by step illustration

The following steps are illustrated with STM32CubeIDE compiler and .sh scripts, but they can be performed with IAR or Keil compiler and using .bat scripts.

2.3.3.1. Step 1 - Customize your environment

If your STM32CubeProgrammer path is the default one, this step is not needed.

Customize your environment, open the env.bat and/or the env.sh files, and modify, if needed, the path to your tools binary. Connectivity step1 customize env.png

2.3.3.2. Step 2 - Import projects on STM32CubeIDE

Open STM32CubeIDE and import the three projects

Connectivity step 2 import project 1.png

Connectivity step 2 import project 2 without local loader.png

Connectivity step 2 import project 3 without local loader.png

2.3.3.3. Step 4 - Build the projects

As explained previously, in the different project, OEMiROT_Boot must be built first, as it configurates the other projects.

In each TrustZone project (OEMiROT_Appli_TrustZone), the secure project must be built first. By default, there is a dependency between nonsecure and secure projects. Building a nonsecure project launches a secure project build first.

Connectivity step 2 import project 4 without local loader.png

2.3.4. Step 5 - Modify the data slot

If the data slots are activated in your project, you can modify them in the following folder: Projects/STM32WBA65I-DK1/ROT_Provisioning/OEMiROT/Binary.

Connectivity step3 customize data.png

2.3.5. Step 6 - Flash the board

This is the final step, it allows you to:

  • Encrypt and sign the data slot
  • Flash the mcuboot "root key"
  • Flash the different projets

As explained previously, the first step is to execute the regression script to prepare the board to be flashed. The second step is to execute the provisioning script.

Warning white.png Warning
If you are still in development, do not use a RDP level higher than the RDP 0 as you could permanently brick your board
  1. Launch the ./regression.sh script (.bat if using IAR or Keil), and follow the instructions
  2. Launch the ./provisionning.sh script (.bat if using IAR or Keil), and follow the instructions

2.4. Client

There are several clients implementing the SMP and MCUmgr protocol over the Bluetooth LE:

These tools can be used to update the Cube and Zephyr applications.

2.4.1. Secure FOTA

This section describes how to perform a Secure FOTA using the STM32WebBluetooth Application. These steps are similar for every client.

Connect using BLE to the target

Target connection
Connectivity fota step connect.png


Once connected, you can open the SMP protocol panel.

SMP protocol panel
Connectivity fota step connect smp.png


Once connected, you can retrieve the list of all images and the corresponding slot on the target

All the slots are selectable by clicking on them before performing an operation (erase, test, confirm, upload)

Image list
Connectivity fota step image list.png


The number of images and slots depends upon your overall configuration.

On a Zephyr application, empty secondaries slots are not displayed. On a STM32Cube application, empty secondaries slots are displayed with default values (hexadecimal 0xFF).

A prerequisite to download to the secondary slot is to have it erased. If the secondary slot is not erased, you can do so by clicking the "erase" button.

You can then select the targeted image to download to and the file to upload.

Upload new image
Connectivity fota step upload.png


Once the image has been uploaded, you can see that the secondary slot is no longer empty.

Secondary slot
Connectivity fota step dualslot.png


To install this image at the next boot, it must be flagged as a "test" image. To perform this action, select the corresponding hash to flag, and click the "test" button.

Test slot
Connectivity fota step test.png


You can now reset the board, by physically pushing the reset button or using the "Reset" button on the graphical interface. Once rebooted, you can reconnect, and see that the two slots have been swapped.

If you are not in MCUBOOT_OVERRIDE mode

For safety reason, if the new image is not confirmed, the old image is swapped back at the next boot. To confirm the installation, you must select the right hash and confirm it by pressing the "Confirm" button

Confirm slot
Connectivity fota step confirm.png