Signing tool

1 Purpose

STM32MP Signing Tool is a key tool for guaranteeing a secure platform: it signs binary images using ECC keys generated by the KeyGen tool. The signed binary images are used during the STM32MP15 secure boot sequence, which supports a trusted boot chain; the signature allows the authenticity and integrity of the loaded images to be checked.

2 STM32MP Signing Tool overview

The STM32MP Signing Tool software generates a signed binary file from:

  • Binary image file: contains the binary data to be programmed for the STM32MP1 Series device.
  • Public key file: contains the generated ECC public key in PEM format (generated with the KeyGen tool).
  • Private key file: contains the encrypted ECC private key in PEM format (generated with the KeyGen tool).

If the image entry is an .stm32 file that already contains header and info, it is also possible to generate a signed binary file from the given .stm32 file with the batch file mode. In that case, the parameters Entry point of image, Load address of image, and Image version are not mandatory.

[Figure: Signing tool usage block diagram]

3 STM32MP Signing Tool install

This section describes the requirements and procedure to use the STM32MP Signing Tool software.

3.1 Linux install

The STM32MP Signing Tool is tested on Ubuntu 14.04 and 16.04 32-bit and 64-bit and should work on any distribution.

To install the STM32MP Signing Tool, STM32CubeProgrammer must be installed.

To run the STM32MP Signing Tool, launch ./STM32MP_SigningTool_CLI.

3.2 Windows install

To install the STM32MP Signing Tool, STM32CubeProgrammer must be installed.

To run it, launch the executable STM32MP_SigningTool_CLI.exe.

4 Command line options

Available options are:

  • --binary-image -bin
    Description: binary image file path
    Syntax: -bin <File_Path>
  • --public-key -pubk
    Description: public key file path
    Syntax: -pubk <File_Path>
  • --private-key -prvk
    Description: private key file path
    Syntax: -prvk <File_Path>
  • --password -pwd
    Description: password of the private key
    Syntax: -pwd <Password>
  • --load-address -la
    Description: load address of image
    Syntax: -la <Load_Address>
  • --entry-point -ep
    Description: image entry point
    Syntax: -ep <Entry_Point>
  • --image-version -iv
    Description: image version, default is 0
    Syntax: -iv <Version>
  • --algorithm -a
    Description: algorithm to use: 1 (P-256 NIST) or 2 (Brainpool 256); 1 (P-256 NIST) is the default
    Syntax: -a <AlgoNbr>
  • --option-flags -of
    Description: option flags of image, default is 0
    Syntax: -of <Option_Flags>
  • --output -o
    Description: output file path
    Syntax: -o <Output_File_Path>
  • --silent -s
    Description: silent mode, no prompt messages
    Syntax: -s
  • --binary-type -type
    Description: identify binary file
    Syntax: --binary-type <type>

5 STM32MP Signing Tool usage examples

This section presents some examples of how to use the STM32MP Signing Tool software.

5.1 Example 1:

./STM32MP_SigningTool_CLI -bin /home/User/BinaryFile.bin -pubk /home/user/publicKey.pem -prvk /home/user/privateKey.pem -iv 5 -pwd azerty -la 0x20000000 -ep 0x08000000

The default algorithm is selected (prime256v1) and the option flags value is 0 (default value). The signed output binary file (BinaryFile_Signed.bin) is created in the folder /home/user/.

5.2 Example 2:

./STM32MP_SigningTool_CLI -bin /home/User/Folder1/BinaryFile.bin -pubk /home/user/publicKey.pem -prvk /home/user/privateKey.pem -iv 5 -pwd azerty -s -la 0x20000000 -ep 0x08000000 -a 2 -o /home/user/Folder2/Folder3/signedFile.bin

The BrainpoolP256t1 algorithm is selected in this example.

5.3 Example 3:

./STM32MP_SigningTool_CLI -bin /home/User/Folder1/BinaryFile.stm32 -pubk /home/user/publicKey.pem -prvk /home/user/privateKey.pem -pwd azerty -o /home/user/Folder2/Folder3/signedFile.bin

If the image entry is an .stm32 file that already contains header and info, the only mandatory options are: public key, private key and password.
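The rules stated in the options list and the three examples above can be checked before the tool is called. The wrapper below is an added example, not part of ST's tooling: sign_image, is_hex and SIGNTOOL are hypothetical names, and it assumes addresses are written in 0x hex notation as in the examples and that the KeyGen private key is a standard encrypted PEM file.

```shell
#!/bin/sh
# Added example, not ST code. sign_image, is_hex and SIGNTOOL are hypothetical names.
# usage: sign_image IMAGE PUBKEY PRVKEY OUTPUT [ALGO [LOAD_ADDR ENTRY_POINT [VERSION]]]
SIGNTOOL=${SIGNTOOL:-./STM32MP_SigningTool_CLI}

is_hex() {  # true for 0x followed by at least one hex digit
    case $1 in
        0x|0x*[!0-9A-Fa-f]*) return 1 ;;
        0x*) return 0 ;;
        *) return 1 ;;
    esac
}

sign_image() {
    img=$1 pubk=$2 prvk=$3 out=$4 algo=${5:-1} la=${6:-} ep=${7:-} iv=${8:-0}
    for f in "$img" "$pubk" "$prvk"; do
        [ -r "$f" ] || { echo "cannot read: $f" >&2; return 1; }
    done
    # Assumption: the KeyGen private key uses a standard encrypted PEM form,
    # which carries the word ENCRYPTED in its header lines.
    grep -q ENCRYPTED "$prvk" || { echo "private key not encrypted" >&2; return 1; }
    case $algo in
        1|2) ;;  # 1 = P-256 NIST (default), 2 = Brainpool 256
        *) echo "algorithm must be 1 or 2" >&2; return 1 ;;
    esac
    set -- -bin "$img" -pubk "$pubk" -prvk "$prvk" -a "$algo" -o "$out" -s
    case $img in
        *.stm32) ;;  # header already present: -la, -ep, -iv are not mandatory
        *)
            is_hex "$la" && is_hex "$ep" ||
                { echo "load address and entry point must be hex" >&2; return 1; }
            set -- "$@" -la "$la" -ep "$ep" -iv "$iv" ;;
    esac
    # Read the password without echo so it is never stored in a script or in
    # shell history. It is still handed over with -pwd, so it stays visible in
    # the process list while the tool runs.
    if [ -t 0 ]; then stty -echo; fi
    printf 'Private key password: ' >&2
    IFS= read -r pw; rc=$?
    if [ -t 0 ]; then stty echo; echo >&2; fi
    [ "$rc" -eq 0 ] || return 1
    "$SIGNTOOL" "$@" -pwd "$pw"
}
```

Where the process-list exposure of -pwd is not acceptable, the standalone mode described in section 6 prompts for the password instead.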


6 Standalone mode

When executing the STM32MP Signing Tool in standalone mode, an absolute path must be entered first, then the password must be entered twice for confirmation.
After specifying one of the two algorithms, enter the image version, image entry point, image load address, and finally the option flags value.
Pressing Enter selects the output file path proposed by default; if desired, a different output file path can be specified.