Debug Authentication STM32H7RS How to Introduction

This message will disappear after all relevant tasks have been resolved.
Semantic MediaWiki
There are 1 incomplete or pending task to finish installation of Semantic MediaWiki. An administrator or user with sufficient rights can complete it. This should be done before adding new data to avoid inconsistencies.

1. Debug Authentication

Debug authentication controls debug opening and regressions. It can be used during development, manufacturing and for field return analysis.

  • Features
    • the usage of a password method allows only full regression (from closed state to open state).
    • the usage of cryptography (certificates) can be used for full regressions ,debug opening and firmware download from a closed device.
  • Debug authentication principle
    • Use of JTAG dedicated access point (ap0) to communicate with the chip.
    • Secure protocol defined by ARM : ARM PSA ADAC V1.0. (Authenticated Debug Access Control)[1]
SECURITY Intro to DA for H7S.png

2. Debug Authentication for STM32H7S with password method

SECURITY Product lifecycle H7S password method.png

Provisioning with password management

  • Provisioning data is located at OBKeys-HDPL0 area.
  • Provisioning data is the HASH (SHA256) of the password.
  • STM32TrustedPackageCreator is used to generate the OBKeys files containing the HASH of the Debug authentication password adding SHA256 to ensure integrity.

Debug authentication controls

  • Full regression with the Debug authentication password.
  • Debug authentication password has to be provisioned in OBKeys to allow this regression.
SECURITY Regression TZ disabled.png

Getting started with Debug authentication

Refer to the following page for an example on getting started with Debug authentication access with password method:

How to start with OEMiRoT - Password method

How to start with STiRoT - Password method

3. Debug Authentication for STM32H7RS with certificate method

SECURITY Product lifecycle H7S certif method.png

Provisioning with certificate management

  • Provisioning data is located at OBKeys -HDPL0 area.
  • Provisioning data contain:
    • HASH (SHA256) of the root Certificate Public Key.
    • SOC_PERMISSION: 16 bits defining the permissions authorized by default.
  • STM32TrustedPackageCreator generates the OBKeys files containing the provisioning data adding SHA256 to ensure integrity.

Debug authentication controls

  • Re-enabling debug possibility.
  • Full regression
  • Firmware download (access to the secure bootloader)

To perform Debug authentication

  • The chip must be provisioned with:
    • ECC public key.
    • SOC_PERMISSION: 16 bits defining the permissions authorized by default.
  • A certificate signed by a private ECC key has to be created to be able to authenticate, and it embeds the following:
    • ECC public key.
    • PERM_MASK_CERT which describes the capabilities associated with this certificate.
SECURITY Certif DA H7S.png

Getting started with Debug authentication
Refer to the following page for an example on getting started with Debug authentication access with certificate method:

How to start with STiRoT - Certificate configuration

How to start with OEMiRoT - Certificate configuration

How to start with DA access on STM32H7RS

4. References

  1. PSA ADAC V1.0. (Authenticated Debug Access Control)


Retrieved from "https://wiki.st.com/stm32mcu/index.php?title=Security:Debug_Authentication_STM32H7RS_How_to_Introduction&oldid=55222"