Secure Boot STM32H5 How to Introduction

STM32H5 boot path using the STM32CubeMX "How to Introduction"

Target description

The purpose of this article is to provide the background knowledge needed to understand and execute the related "How to start".
This introduction article reviews some technical notions related to this topic. More detailed explanations are available in the two following articles:

1. Introduction

A boot path selection interface was added to the STM32CubeMX to help the customers select the boot configuration adapted to their needs.
The configuration is done through the following main choices. See possible boot paths in below section and in the Secure Boot for STM32H5 article:

  • Is a runtime isolation needed?: TrustZone® activation or not (possible on STM32H56 and STM32H57).
  • If runtime isolation is needed:
    • Secure Manager or
    • Immutable Root of Trust (iROT) with secure user application (TFM, Trusted Firmware) and optional nonsecure user application.
  • If no runtime isolation is needed:
    • Root of Trust (iROT, uROT) needed or not?

Examples are provided in the STM32CubeFW using different types of boot paths. See for instance the following links:

The STM32CubeFW examples are using the provided script, configuration files, and user application codes.
The STM32CubeMX examples are using implicitly similar configuration files, but the appropriate boot path is chosen graphically through the tool and the initial codes are generated.
With STM32CubeMX, you can generate your own project in an easy to use and straightforward way.

  • This article gives an introduction on how to define and configure a boot path starting from scratch using STM32CubeMX, and how the initial related codes (secure and nonsecure) are generated.
    • The STM32CubeMX tool provided by ST is available at the following link: STM32CubeMX installation file.
    • How to proceed practically step by step is explained in the different "How To" articles of the table below.
Product Serie STM32H503 STM32H563 STM32H573 Prerequisite Introduction article Path Nr Figure 2
Ecosystem Nucleo MB1814-H503RB Nucleo MB1404-H563ZI Discovery STM32H573I-DK - - -
STM32CubeMX OEMiROT example on STM32H573 - - Link to How To STM32CubeMx_V6.9.0 or later Link 1
STM32CubeMX OEMiROT example on STM32H563 - Link to How To - STM32CubeMx_V6.9.0 or later Link 1
STM32CubeMX STiRoT example on STM32H573 - - Link to How To STM32CubeMx_V6.9.0 or later Link 2
STM32CubeMX secure manager example - - Link to How To STM32CubeMx_V6.9.0 or later Link 3

2. The different possible boot paths

The possible boot paths depend on the chosen device, if it supports the embedded hardware cryptography, and if TrustZone® is activated or not.
STiRoT and implicitly the secure manager are only available on devices supporting the full hardware cryptography.

The article mentioned previously gives more details about the supported boot paths Secure Boot for STM32H5.
In summary:

  • The STM32H57 is supporting TrustZone® and full hardware cryptography, so all boot paths are possible with this device.
  • The STM32H56 is supporting TrustZone® but limited hardware cryptography (hash + PKA verif). The STiRoT (ST immutable Root of Trust), and the secure manager are not supported.
  • The STM32H503 is not supporting TrustZone®, and has limited hardware cryptography (hash) limiting to a single boot path as explained in the Secure Boot for STM32H5 article.


  • The STM32H56x does not support the full PKA (Public Key Accelerator), but only the embedded Verification Algorithm (DSA and ECDSA signature verification, see RM0481).
  • The STM32H56x and STM32H50x are not under export control regulation since these products have limited embedded hardware cryptography.

The boot path is selected through option bytes programming (TZEN and UBE) as show in the next figure.
When the boot path is selected through STM32CubeMX, the related option bytes are programmed during the provisioning procedure.
This procedure is done automatically. The user does not need to take care of which option byte needs to be programmed.

2.1. STM32H5 boot paths

The figure below shows the possible boot paths selected through the related user option bytes.
Advice: Before setting manually some option bytes or trying your own settings and solutions, it is advised to execute the proposed "How to", specially the one related to the debug authentication: DA "How to" introduction in order to avoid locking your device or board.

Figure 1 STM32H5 possible boot paths

All the boot paths of the above figure are supported by STM32CubeMX.

2.2. STM32H5 boot paths examples using STM32CubeMX

The table in the introduction section gives the link to the documented examples proposed for a boot path setting using STM32CubeMX. The figure below shows the related boot path:

Figure 2 STM32H5 boot path STM32CubeMX examples

Note: according to previous explanations:

  • The boot path one is supported by STM32H56x and STM32H57x (need TrustZone® activation).
  • The boot paths two and three are only supported by STM32H57x (need full hardware cryptography).