1. Article purpose[edit source]
The purpose of this article is to explain how to perform a secure boot on an STM32MPU device with the Distribution Package.
Follow these steps to perform this use case:
- Create the signature key with the KeyGen tool (if not already done).
- Put the signature key on the STM32 MPU (if not already done).
- Compile a Distribution Package with a signed FIP.
- Sign the first-stage bootloader binaries with the signing tool.
- Create a FlashLayout file for signed binaries.
- Program and test.
- Close the device (if not already done).
You must proceed step-by-step (no rollback possible).
2. Creating signature key[edit source]
To perform the secure boot, binaries must be signed with a specific signature key.
If this signature key is already present on the STM32MPU device, go directly to Distribution Package with signed FIP.
To create the signature key, use the STM32MP KeyGen CLI Tool.
Refer to the KeyGen tool page for installation and command-line options.
The minimal command to use is:
STM32MP_KeyGen_CLI -abs <output directory> -pwd <password> -n <number of key>
With:
- <output directory> = Patch to the generated private and public key files (privateKey.pem and publicKey*.pem).
- <password> = Password of the private key. The password must contain at least four characters. The number of passwords must match the number of key pairings.
- <number of key> = Number of key pairs, one for STM32MP15 or more for other platforms.
2.1. Creating signature key for STM32MP13[edit source]
Click on "Expand", visible on the right side of the page, to view Creating signature key for STM32MP13x lines .
STM32MP13 device supports up to eight signature key pairs (public key/private key).
Example:
STM32MP_KeyGen_CLI -abs stm32mp13-key/ -pwd azerty azerty azerty azerty azerty azerty azerty azerty -n 8
------------------------------------------------------------------- STM32MP Key Generator <tool version> ------------------------------------------------------------------- Prime256v1 curve is selected. AES_256_cbc algorithm is selected for private key encryption Generating Prime256v1 keys... Private key PEM file created Public key PEM file created public key hash file created Keys packet 0 generated successfully. + public key: stm32mp13-key/publicKey00.pem + private key: stm32mp13-key/privateKey00.pem + public hash key: stm32mp13-key/publicKeyHash00.bin ------------------------------------------------------------ AES_256_cbc algorithm is selected for private key encryption Generating Prime256v1 keys... Private key PEM file created Public key PEM file created public key hash file created Keys packet 1 generated successfully. + public key: stm32mp13-key/publicKey01.pem + private key: stm32mp13-key/privateKey01.pem + public hash key: stm32mp13-key/publicKeyHash01.bin ------------------------------------------------------------ AES_256_cbc algorithm is selected for private key encryption Generating Prime256v1 keys... Private key PEM file created Public key PEM file created public key hash file created Keys packet 2 generated successfully. + public key: stm32mp13-key/publicKey02.pem + private key: stm32mp13-key/privateKey02.pem + public hash key: stm32mp13-key/publicKeyHash02.bin ------------------------------------------------------------ AES_256_cbc algorithm is selected for private key encryption Generating Prime256v1 keys... Private key PEM file created Public key PEM file created public key hash file created Keys packet 3 generated successfully. + public key: stm32mp13-key/publicKey03.pem + private key: stm32mp13-key/privateKey03.pem + public hash key: stm32mp13-key/publicKeyHash03.bin ------------------------------------------------------------ AES_256_cbc algorithm is selected for private key encryption Generating Prime256v1 keys... Private key PEM file created Public key PEM file created public key hash file created Keys packet 4 generated successfully. + public key: stm32mp13-key/publicKey04.pem + private key: stm32mp13-key/privateKey04.pem + public hash key: stm32mp13-key/publicKeyHash04.bin ------------------------------------------------------------ AES_256_cbc algorithm is selected for private key encryption Generating Prime256v1 keys... Private key PEM file created Public key PEM file created public key hash file created Keys packet 5 generated successfully. + public key: stm32mp13-key/publicKey05.pem + private key: stm32mp13-key/privateKey05.pem + public hash key: stm32mp13-key/publicKeyHash05.bin ------------------------------------------------------------ AES_256_cbc algorithm is selected for private key encryption Generating Prime256v1 keys... Private key PEM file created Public key PEM file created public key hash file created Keys packet 6 generated successfully. + public key: stm32mp13-key/publicKey06.pem + private key: stm32mp13-key/privateKey06.pem + public hash key: stm32mp13-key/publicKeyHash06.bin ------------------------------------------------------------ AES_256_cbc algorithm is selected for private key encryption Generating Prime256v1 keys... Private key PEM file created Public key PEM file created public key hash file created Keys packet 7 generated successfully. + public key: stm32mp13-key/publicKey07.pem + private key: stm32mp13-key/privateKey07.pem + public hash key: stm32mp13-key/publicKeyHash07.bin ------------------------------------------------------------ Hash of table of Hash of {algorithm + public Key} file generated successfully. + Hash Hash: stm32mp13-key/publicKeysHashHashes.bin
2.2. Creating signature key for STM32MP15[edit source]
Click on "Expand", visible on the right side of the page, to view Creating signature key for STM32MP15x lines .
STM32MP15 device supports only one signature key pair (public key/private key).
Example:
STM32MP_KeyGen_CLI -abs stm32mp15-key/ -pwd azerty -n 1
------------------------------------------------------------------- STM32MP Key Generator <tool version> ------------------------------------------------------------------- Prime256v1 curve is selected. AES_256_cbc algorithm is selected for private key encryption Generating Prime256v1 keys... Private key PEM file created Public key PEM file created public key hash file created Keys packet 0 generated successfully. + public key: stm32mp15-key/publicKey00.pem + private key: stm32mp15-key/privateKey00.pem + public hash key: stm32mp15-key/publicKeyHash00.bin ------------------------------------------------------------ Hash of table of Hash of {algorithm + public Key} file generated successfully. + Hash Hash: stm32mp15-key/publicKeysHashHashes.bin
2.3. Creating signature key for STM32MP25[edit source]
Click on "Expand", visible on the right side of the page, to view Creating signature key for STM32MP25x lines .
STM32MP25 device supports up to eight signature key pairs (public key/private key).
Example:
STM32MP_KeyGen_CLI -abs stm32mp25-key/ -pwd azerty azerty azerty azerty azerty azerty azerty azerty -n 8
------------------------------------------------------------------- STM32MP Key Generator <tool version> ------------------------------------------------------------------- Prime256v1 curve is selected. AES_256_cbc algorithm is selected for private key encryption Generating Prime256v1 keys... Private key PEM file created Public key PEM file created public key hash file created Keys packet 0 generated successfully. + public key: stm32mp25-key/publicKey00.pem + private key: stm32mp25-key/privateKey00.pem + public hash key: stm32mp25-key/publicKeyHash00.bin ------------------------------------------------------------ AES_256_cbc algorithm is selected for private key encryption Generating Prime256v1 keys... Private key PEM file created Public key PEM file created public key hash file created Keys packet 1 generated successfully. + public key: stm32mp25-key/publicKey01.pem + private key: stm32mp25-key/privateKey01.pem + public hash key: stm32mp25-key/publicKeyHash01.bin ------------------------------------------------------------ AES_256_cbc algorithm is selected for private key encryption Generating Prime256v1 keys... Private key PEM file created Public key PEM file created public key hash file created Keys packet 2 generated successfully. + public key: stm32mp25-key/publicKey02.pem + private key: stm32mp25-key/privateKey02.pem + public hash key: stm32mp25-key/publicKeyHash02.bin ------------------------------------------------------------ AES_256_cbc algorithm is selected for private key encryption Generating Prime256v1 keys... Private key PEM file created Public key PEM file created public key hash file created Keys packet 3 generated successfully. + public key: stm32mp25-key/publicKey03.pem + private key: stm32mp25-key/privateKey03.pem + public hash key: stm32mp25-key/publicKeyHash03.bin ------------------------------------------------------------ AES_256_cbc algorithm is selected for private key encryption Generating Prime256v1 keys... Private key PEM file created Public key PEM file created public key hash file created Keys packet 4 generated successfully. + public key: stm32mp25-key/publicKey04.pem + private key: stm32mp25-key/privateKey04.pem + public hash key: stm32mp25-key/publicKeyHash04.bin ------------------------------------------------------------ AES_256_cbc algorithm is selected for private key encryption Generating Prime256v1 keys... Private key PEM file created Public key PEM file created public key hash file created Keys packet 5 generated successfully. + public key: stm32mp25-key/publicKey05.pem + private key: stm32mp25-key/privateKey05.pem + public hash key: stm32mp25-key/publicKeyHash05.bin ------------------------------------------------------------ AES_256_cbc algorithm is selected for private key encryption Generating Prime256v1 keys... Private key PEM file created Public key PEM file created public key hash file created Keys packet 6 generated successfully. + public key: stm32mp25-key/publicKey06.pem + private key: stm32mp25-key/privateKey06.pem + public hash key: stm32mp25-key/publicKeyHash06.bin ------------------------------------------------------------ AES_256_cbc algorithm is selected for private key encryption Generating Prime256v1 keys... Private key PEM file created Public key PEM file created public key hash file created Keys packet 7 generated successfully. + public key: stm32mp25-key/publicKey07.pem + private key: stm32mp25-key/privateKey07.pem + public hash key: stm32mp25-key/publicKeyHash07.bin ------------------------------------------------------------ Hash of table of Hash of {algorithm + public Key} file generated successfully. + Hash Hash: stm32mp25-key/publicKeysHashHashes.bin
3. Creating encryption key[edit source]
3.1. Creating encryption key for STM32MP13 and STM32MP25[edit source]
Click on "Expand", visible on the right side of the page, to view Creating encryption key for STM32MP13x lines and STM32MP25x lines .
To perform secure boot with encrypted binaries, you must have binaries encrypted with a specific encryption key.
If this signature key is already present on the STM32MPU device, go directly to Distribution Package with signed FIP.
To create an encryption key, you must generate a random key of 16 bytes and another random key of 32 bytes.
On Linux with STM32MP_KeyGen_CLI:
STM32MP_KeyGen_CLI -rand 16 stm32mp_encryption_key.bin STM32MP_KeyGen_CLI -rand 32 stm32mp_encryption_key_256bits.bin
On Windows with STM32MP_KeyGen_CLI:
STM32MP_KeyGen_CLI.exe -rand 16 stm32mp_encryption_key.bin STM32MP_KeyGen_CLI.exe -rand 32 stm32mp_encryption_key_256bits.bin
4. Putting signature key on STM32 MPU[edit source]
Information |
For demonstration and test purposes, the signature key can be put on the STM32MP device with a simple U-Boot command on the development board. For production purposes, it must be set in the production step, as described in Secure Secret Provisioning (SSP) overview. |
4.1. Putting hash key on device for STM32MP13 and STM32MP25[edit source]
Click on "Expand", visible on the right side of the page, to view Putting hash key on device for STM32MP13x lines and STM32MP25x lines .
To manually put the public key hash (PKH) on the STM32MPU device with a U-Boot stm32key command:
- Put the Public Key Hash file (publicKeysHashHashes.bin), generated as described in the previous section, on the bootfs partition.
- Boot the board and stop on the U-Boot console.
- Load public key hash in DDR.
For example, the hash key file is located on the eighth partition of the SD card:
load mmc 0:8 0xc0000000 publicKeysHashHashes.bin
- Register public key hash.
stm32key fuse 0xc0000000
For more information, refer to How to use U-Boot stm32key command.
4.2. Putting the hash key on the device for STM32MP15[edit source]
Click on "Expand", visible on the right side of the page, to view Putting hash key on device for STM32MP15x lines .
To manually put the public key hash (PKH) on the STM32MP device with a U-Boot stm32key command:
- Put the Public Key Hash file (publicKeyhash.bin), generated as described in the previous section, on the bootfs partition.
- Boot the board and stop it on the U-Boot console.
- Load the public key hash in DDR.
For example, the hash key file is located on the eighth partition of the SD card:
load mmc 0:8 0xc0000000 publicKeyhash.bin
- Register public key hash.
stm32key fuse 0xc0000000
For more information, refer to How to use U-Boot stm32key command.
5. Putting encryption key on STM32 MPU[edit source]
Information |
For demonstration and test purposes, the encryption key can be put on the STM32MPU device with a simple U-Boot command on the development board. For production purposes, it must be set in the production step. |
5.1. Putting an encryption key on the device for STM32MP13 and STM32MP25[edit source]
Click on "Expand", visible on the right side of the page, to view Putting an encryption key on the device for STM32MP13x lines and STM32MP25x lines .
To manually put the key on the STM32MPU device with a U-Boot stm32key command:
- Put the encryption key file (stm32mp_encryption_key.bin), generated as demonstrated in the previous section, on the bootfs partition.
- Boot the board and stop it on the U-Boot console.
- Load a hash public key in DDR.
For example, the hash key file is located on the eighth partition of the SD card:
load mmc 0:8 0xc0000000 stm32mp13_encryption_key.bin
- Select the EDMK key (How to use U-Boot stm32key command|):
stm32key select EDMK
- Register the encryption key:
stm32key fuse 0xc0000000
- Verify that the key is registered:
stm32key read
For more information, refer to How to use U-Boot stm32key command.
6. Distribution Package with signed FIP[edit source]
6.1. Prerequisites[edit source]
- Signature key (public key(s), private key(s), hash key file, and password).
- STM32MPU Distribution Package.
6.2. Generate Distribution Package with signed binaries[edit source]
Information |
With this step only FIP binaries are signed. |
- Source the environment of the Distribution Package.
source layers/meta-st/scripts/envsetup.sh
Select your DISTRO and your machine.
- Indicate where to find the signature key (in this example, the signature key is located in the key directory on the meta-st-stm32mp layer).
Add the following lines to local.conf (in the build directory):
6.2.1. Generate Distribution Package with signed binaries for STM32MP13[edit source]
Click on "Expand", visible on the right side of the page, to view Generate Distribution Package with signed binaries for STM32MP13.
echo 'SIGN_KEY = "key/stm32mp13/privateKey00.pem" ' >> conf/local.conf echo 'SIGN_KEY_stm32mp13 = "key/stm32mp13/privateKey00.pem" ' >> conf/local.conf echo 'EXTERNAL_KEY_CONF = "1" ' >> conf/local.conf echo 'SIGN_KEY_PASS = "<passwords of signature key>" ' >> conf/local.conf echo 'SIGN_ENABLE = "1" ' >> conf/local.conf echo 'SIGN_TOOL = "<path to STM32MP_SigningTool tools>" ' >> conf/local.conf
Information |
If there are eight key pairs, you need to declare eight passwords:
SIGN_KEY_PASS = "azerty azerty azerty azerty azerty azerty azerty azerty" |
6.2.2. Generate Distribution Package with signed binaries for STM32MP15[edit source]
Click on "Expand", visible on the right side of the page, to view Generate Distribution Package with signed binaries for STM32MP15.
echo 'SIGN_KEY_stm32mp15 = "key/stm32mp15/privateKey.pem" ' >> conf/local.conf echo 'EXTERNAL_KEY_CONF = "1" ' >> conf/local.conf echo 'SIGN_KEY_PASS = "<password of signature key>" ' >> conf/local.conf echo 'SIGN_ENABLE = "1" ' >> conf/local.conf echo 'SIGN_KEY = "key/stm32mp15/privateKey.pem" ' >> conf/local.conf echo 'SIGN_TOOL = "<path to STM32MP_SigningTool tools>" ' >> conf/local.conf
6.2.3. Generate Distribution Package with signed binaries for STM32MP25[edit source]
Click on "Expand", visible on the right side of the page, to view Generate Distribution Package with signed binaries for STM32MP25.
echo 'SIGN_KEY = "key/stm32mp25/privateKey00.pem" ' >> conf/local.conf echo 'SIGN_KEY_stm32mp25 = "key/stm32mp25/privateKey00.pem" ' >> conf/local.conf echo 'EXTERNAL_KEY_CONF = "1" ' >> conf/local.conf echo 'SIGN_KEY_PASS = "<passwords of signature key>" ' >> conf/local.conf echo 'SIGN_ENABLE = "1" ' >> conf/local.conf echo 'SIGN_TOOL = "<path to STM32MP_SigningTool tools>" ' >> conf/local.conf
Information |
If there are eight key pairs, you need to declare eight passwords:
SIGN_KEY_PASS = "azerty azerty azerty azerty azerty azerty azerty azerty" |
- Compile the binaries:
bitbake st-image-weston
The FIP file, signed and ready to be programmed on the board, can be found in tmp-glibc/deploy/images/<machine name>/fip/.
6.3. Generate a Distribution Package with encrypted partition binaries[edit source]
6.3.1. Generate a Distribution Package with encrypted partition binaries for STM32MP13[edit source]
Click on "Expand", visible on the right side of the page, to view Generate a Distribution Package with encrypted partition binaries for STM32MP13.
To enable secure boot with encryption support, add DECRYPTION_SUPPORT=aes_gcm to ENCRYPT_BLx to specify the encrypted binary.
Request encryption support on BL2 TF-A binaries:
echo 'ENCRYPT_ENABLE = "1" ' >> conf/local.conf echo 'ENCRYPT_FSBL_KEY = "key/stm32mp13/stm32mp13_encryption_key.bin" ' >> conf/local.conf echo 'ENCRYPT_FIP_KEY = "stm32mp13_encryption_key_256bits.txt" ' >> conf/local.conf
6.3.2. Generate a Distribution Package with encrypted partition binaries for STM32MP25[edit source]
Click on "Expand", visible on the right side of the page, to view Generate a Distribution Package with encrypted partition binaries for STM32MP25x lines .
To enable secure boot with encryption support, add DECRYPTION_SUPPORT=aes_gcm to ENCRYPT_BLx to specify the encrypted binary.
Request encryption support on BL2 TF-A binaries:
echo 'ENCRYPT_ENABLE = "1" ' >> conf/local.conf echo 'ENCRYPT_FSBL_KEY = "key/stm32mp25/stm32mp25_encryption_key.bin" ' >> conf/local.conf echo 'ENCRYPT_FIP_KEY = "stm32mp25_encryption_key_256bits.txt" ' >> conf/local.conf
7. Signing first-stage bootloader binaries[edit source]
If the first-stage bootloader binaries (TF-A BL2) are generated unsigned, they must be signed manually using STM32MP_SigningTool_CLI.
For installation and command-line options, see Signing tool.
Information |
If you need to populate the FSBL binary with STM32CubeProgrammer, you also need to sign the serial boot TF-A BL2 loaded in memory. |
These tools are used to sign a binary with an STM32 header, with the minimal options to sign the FSBL binary:
STM32MP_SigningTool_CLI -pubk <public key> -prvk <private key> -pwd <password> -t fsbl -of <Option_Flags> -bin FSBL binary not signed>.stm32 -o <FSBL binary signed>.stm32
with:
- <public key> = The path of the public key file generated by KeyGen: publicKey.pem.
- <private key> = The path of the private key files generated by KeyGen: privateKey*.pem; one for STM32MP15 and eight for STM32MP13/STM32MP25.
- <password> = Password used by KeyGen to protect the key files. The number of passwords must match the number of key pairs.
- <Option_Flags> = The -of option is required only for STM32MP13, with a 0x0000 0001 value.
7.1. Signing first-stage bootloader binaries for STM32MP13[edit source]
Click on "Expand", visible on the right side of the page, to view Signing first stage bootloader binaries for STM32MP13x lines .
For SD card:
STM32MP_SigningTool_CLI -pubk <path to meta-st-stm32mp>key/stm32mp13/publicKey*.pem -prvk <path to meta-st-stm32mp>key/stm32mp13/privateKey00.pem -pwd <list of passwords> -t fsbl -of 0x00000001 -bin arm-trusted-firmware/tf-a-<board name>-sdcard.stm32 -o arm-trusted-firmware/tf-a-<board name>-sdcard_Signed.stm32
For EMMC:
STM32MP_SigningTool_CLI -pubk <path to meta-st-stm32mp>key/stm32mp13/publicKey*.pem -prvk <path to meta-st-stm32mp>key/stm32mp13/privateKey00.pem -pwd <list of passwords> -t fsbl -of 0x00000001 -bin arm-trusted-firmware/tf-a-<board name>-emmc.stm32 -o arm-trusted-firmware/tf-a-<board name>-emmc_Signed.stm32
For NAND:
STM32MP_SigningTool_CLI -pubk <path to meta-st-stm32mp>key/stm32mp13/publicKey*.pem -prvk <path to meta-st-stm32mp>key/stm32mp13/privateKey00.pem -pwd <list of passwords> -t fsbl -of 0x00000001 -bin arm-trusted-firmware/tf-a-<board name>-nand.stm32 -o arm-trusted-firmware/tf-a-<board name>-nand_Signed.stm32
For NOR:
STM32MP_SigningTool_CLI -pubk <path to meta-st-stm32mp>key/stm32mp13/publicKey*.pem -prvk <path to meta-st-stm32mp>key/stm32mp13/privateKey00.pem -pwd <list of passwords> -t fsbl -of 0x00000001 -bin arm-trusted-firmware/tf-a-<board name>-nor.stm32 -o arm-trusted-firmware/tf-a-<board name>-nor_Signed.stm32
For USB (used with STM32CubeProgrammer):
STM32MP_SigningTool_CLI -pubk <path to meta-st-stm32mp>key/stm32mp13/publicKey*.pem -prvk <path to meta-st-stm32mp>key/stm32mp13/privateKey00.pem -pwd <password> -t fsbl -of 0x00000001 -bin arm-trusted-firmware/tf-a-<board name>-usb.stm32 -o arm-trusted-firmware/tf-a-<board name>-usb_Signed.stm32
For UART (used with STM32CubeProgrammer):
STM32MP_SigningTool_CLI -pubk <path to meta-st-stm32mp>key/stm32mp13/publicKey*.pem -prvk <path to meta-st-stm32mp>key/stm32mp13/privateKey00.pem -pwd <list of passwords> -t fsbl -of 0x00000001 -bin arm-trusted-firmware/tf-a-<board name>-uart.stm32 -o arm-trusted-firmware/tf-a-<board name>-uart_Signed.stm32
7.2. Signing first stage bootloader binaries for STM32MP15[edit source]
Click on "Expand", visible on the right side of the page, to view Signing first stage bootloader binaries for STM32MP15x lines .
For SD card:
STM32MP_SigningTool_CLI -pubk <path to meta-st-stm32mp>key/stm32mp15/publicKey.pem -prvk <path to meta-st-stm32mp>key/stm32mp15/privateKey.pem -pwd <password> -t fsbl -bin arm-trusted-firmware/tf-a-<board name>-sdcard.stm32 -o arm-trusted-firmware/tf-a-<board name>-sdcard_Signed.stm32
For EMMC:
STM32MP_SigningTool_CLI -pubk <path to meta-st-stm32mp>key/stm32mp15/publicKey.pem -prvk <path to meta-st-stm32mp>key/stm32mp15/privateKey.pem -pwd <password> -t fsbl -bin arm-trusted-firmware/tf-a-<board name>-emmc.stm32 -o arm-trusted-firmware/tf-a-<board name>-emmc_Signed.stm32
For NAND:
STM32MP_SigningTool_CLI -pubk <path to meta-st-stm32mp>key/stm32mp15/publicKey.pem -prvk <path to meta-st-stm32mp>key/stm32mp15/privateKey.pem -pwd <password> -t fsbl -bin arm-trusted-firmware/tf-a-<board name>-nand.stm32 -o arm-trusted-firmware/tf-a-<board name>-nand_Signed.stm32
For NOR:
STM32MP_SigningTool_CLI -pubk <path to meta-st-stm32mp>key/stm32mp15/publicKey.pem -prvk <path to meta-st-stm32mp>key/stm32mp15/privateKey.pem -pwd <password> -t fsbl -bin arm-trusted-firmware/tf-a-<board name>-nor.stm32 -o arm-trusted-firmware/tf-a-<board name>-nor_Signed.stm32
For USB (used with STM32CubeProgrammer):
STM32MP_SigningTool_CLI -pubk <path to meta-st-stm32mp>key/stm32mp15/publicKey.pem -prvk <path to meta-st-stm32mp>key/stm32mp15/privateKey.pem -pwd <password> -t fsbl -bin arm-trusted-firmware/tf-a-<board name>-usb.stm32 -o arm-trusted-firmware/tf-a-<board name>-usb_Signed.stm32
For UART (used with STM32CubeProgrammer):
STM32MP_SigningTool_CLI -pubk <path to meta-st-stm32mp>key/stm32mp15/publicKey.pem -prvk <path to meta-st-stm32mp>key/stm32mp15/privateKey.pem -pwd <password> -t fsbl -bin arm-trusted-firmware/tf-a-<board name>-uart.stm32 -o arm-trusted-firmware/tf-a-<board name>-uart_Signed.stm32
7.3. Signing first stage bootloader binaries for STM32MP25[edit source]
Click on "Expand", visible on the right side of the page, to view Signing first stage bootloader binaries for STM32MP25x lines .
For SD card:
STM32MP_SigningTool_CLI -pubk <path to meta-st-stm32mp>key/stm32mp25/publicKey*.pem -prvk <path to meta-st-stm32mp>key/stm32mp25/privateKey00.pem -pwd <list of passwords> -t fsbl -of 0x00000001 --header-version 2.2 -bin arm-trusted-firmware/tf-a-<board name>-sdcard.stm32 -o arm-trusted-firmware/tf-a-<board name>-sdcard_Signed.stm32
For EMMC:
STM32MP_SigningTool_CLI -pubk <path to meta-st-stm32mp>key/stm32mp25/publicKey*.pem -prvk <path to meta-st-stm32mp>key/stm32mp25/privateKey00.pem -pwd <list of passwords> -t fsbl -of 0x00000001 --header-version 2.2 -bin arm-trusted-firmware/tf-a-<board name>-emmc.stm32 -o arm-trusted-firmware/tf-a-<board name>-emmc_Signed.stm32
For NAND:
STM32MP_SigningTool_CLI -pubk <path to meta-st-stm32mp>key/stm32mp25/publicKey*.pem -prvk <path to meta-st-stm32mp>key/stm32mp25/privateKey00.pem -pwd <list of passwords> -t fsbl -of 0x00000001 --header-version 2.2 -bin arm-trusted-firmware/tf-a-<board name>-nand.stm32 -o arm-trusted-firmware/tf-a-<board name>-nand_Signed.stm32
For NOR:
STM32MP_SigningTool_CLI -pubk <path to meta-st-stm32mp>key/stm32mp25/publicKey*.pem -prvk <path to meta-st-stm32mp>key/stm32mp25/privateKey00.pem -pwd <list of passwords> -t fsbl -of 0x00000001 --header-version 2.2 -bin arm-trusted-firmware/tf-a-<board name>-nor.stm32 -o arm-trusted-firmware/tf-a-<board name>-nor_Signed.stm32
For USB (used with STM32CubeProgrammer):
STM32MP_SigningTool_CLI -pubk <path to meta-st-stm32mp>key/stm32mp25/publicKey*.pem -prvk <path to meta-st-stm32mp>key/stm32mp25/privateKey00.pem -pwd <list of passwords> -t fsbl -of 0x00000001 --header-version 2.2 -bin arm-trusted-firmware/tf-a-<board name>-usb.stm32 -o arm-trusted-firmware/tf-a-<board name>-usb_Signed.stm32
For UART (used with STM32CubeProgrammer):
STM32MP_SigningTool_CLI -pubk <path to meta-st-stm32mp>key/stm32mp25/publicKey*.pem -prvk <path to meta-st-stm32mp>key/stm32mp25/privateKey00.pem -pwd <list of passwords> -t fsbl -of 0x00000001 --header-version 2.2 -bin arm-trusted-firmware/tf-a-<board name>-uart.stm32 -o arm-trusted-firmware/tf-a-<board name>-uart_Signed.stm32
8. Encrypt first stage bootloader binaries[edit source]
8.1. Encrypt first stage bootloader binaries for STM32MP13[edit source]
Click on "Expand", visible on the right side of the page, to view Encrypt first stage bootloader binaries for STM32MP13.
For SD card:
STM32MP_SigningTool_CLI -pubk <path to meta-st-stm32mp>key/stm32mp13/publicKey*.pem -prvk <path to meta-st-stm32mp>key/stm32mp13/privateKey00.pem -pwd <list of passwords> --enc-key <path to meta-st-stm32mp>key/stm32mp13/stm32mp13_encryption_key.bin -t fsbl --enc-dc 0x0E5F2025 --image-version 0 -of 0x80000003 -bin arm-trusted-firmware/tf-a-<board name>-sdcard.stm32 -o arm-trusted-firmware/tf-a-<board name>-sdcard_Encrypted.stm32
For EMMC:
STM32MP_SigningTool_CLI -pubk <path to meta-st-stm32mp>key/stm32mp13/publicKey*.pem -prvk <path to meta-st-stm32mp>key/stm32mp13/privateKey00.pem -pwd <list of passwords> --enc-key <path to meta-st-stm32mp>key/stm32mp13/stm32mp13_encryption_key.bin -t fsbl --enc-dc 0x0E5F2025 --image-version 0 -of 0x80000003 -bin arm-trusted-firmware/tf-a-<board name>-emmc.stm32 -o arm-trusted-firmware/tf-a-<board name>-emmc_Encrypted.stm32
For NAND:
STM32MP_SigningTool_CLI -pubk <path to meta-st-stm32mp>key/stm32mp13/publicKey*.pem -prvk <path to meta-st-stm32mp>key/stm32mp13/privateKey00.pem -pwd <list of passwords> --enc-key <path to meta-st-stm32mp>key/stm32mp13/stm32mp13_encryption_key.bin -t fsbl --enc-dc 0x0E5F2025 --image-version 0 -of 0x80000003 -bin arm-trusted-firmware/tf-a-<board name>-nand.stm32 -o arm-trusted-firmware/tf-a-<board name>-nand_Encrypted.stm32
For NOR:
STM32MP_SigningTool_CLI -pubk <path to meta-st-stm32mp>key/stm32mp13/publicKey*.pem -prvk <path to meta-st-stm32mp>key/stm32mp13/privateKey00.pem -pwd <list of passwords> --enc-key <path to meta-st-stm32mp>key/stm32mp13/stm32mp13_encryption_key.bin -t fsbl --enc-dc 0x0E5F2025 --image-version 0 -of 0x80000003 -bin arm-trusted-firmware/tf-a-<board name>-nor.stm32 -o arm-trusted-firmware/tf-a-<board name>-nor_Encrypted.stm32
8.2. Encrypt first stage bootloader binaries for STM32MP25[edit source]
Click on "Expand", visible on the right side of the page, to view Encrypt first stage bootloader binaries for STM32MP25.
For SD card:
STM32MP_SigningTool_CLI -pubk <path to meta-st-stm32mp>key/stm32mp25/publicKey*.pem -prvk <path to meta-st-stm32mp>key/stm32mp25/privateKey00.pem -pwd <list of passwords> --enc-key <path to meta-st-stm32mp>key/stm32mp25/stm32mp25_encryption_key.bin -t fsbl --enc-dc 0x25205f0e --image-version 0 -of 0x10000003 -bin arm-trusted-firmware/tf-a-<board name>-sdcard.stm32 -o arm-trusted-firmware/tf-a-<board name>-sdcard_Encrypted.stm32
For EMMC:
STM32MP_SigningTool_CLI -pubk <path to meta-st-stm32mp>key/stm32mp25/publicKey*.pem -prvk <path to meta-st-stm32mp>key/stm32mp25/privateKey00.pem -pwd <list of passwords> --enc-key <path to meta-st-stm32mp>key/stm32mp25/stm32mp25_encryption_key.bin -t fsbl --enc-dc 0x25205f0e --image-version 0 -of 0x10000003 -bin arm-trusted-firmware/tf-a-<board name>-emmc.stm32 -o arm-trusted-firmware/tf-a-<board name>-emmc_Encrypted.stm32
For NAND:
STM32MP_SigningTool_CLI -pubk <path to meta-st-stm32mp>key/stm32mp25/publicKey*.pem -prvk <path to meta-st-stm32mp>key/stm32mp25/privateKey00.pem -pwd <list of passwords> --enc-key <path to meta-st-stm32mp>key/stm32mp25/stm32mp25_encryption_key.bin -t fsbl --enc-dc 0x25205f0e --image-version 0 -of 0x10000003 -bin arm-trusted-firmware/tf-a-<board name>-nand.stm32 -o arm-trusted-firmware/tf-a-<board name>-nand_Encrypted.stm32
For NOR:
STM32MP_SigningTool_CLI -pubk <path to meta-st-stm32mp>key/stm32mp25/publicKey*.pem -prvk <path to meta-st-stm32mp>key/stm32mp25/privateKey00.pem -pwd <list of passwords> --enc-key <path to meta-st-stm32mp>key/stm32mp25/stm32mp25_encryption_key.bin -t fsbl --enc-dc 0x25205f0e --image-version 0 -of 0x10000003 -bin arm-trusted-firmware/tf-a-<board name>-nor.stm32 -o arm-trusted-firmware/tf-a-<board name>-nor_Encrypted.stm32
9. Create FlashLayout file for signed binaries[edit source]
To populate the correct binaries on the board, you need to create a FlashLayout file with the signed binaries:
- FSBL = tf-a-*_Signed.stm32
- FIP = fip-*.bin
Example for FlashLayout_sdcard_stm32mp157f-dk2-optee.tsv:
#Opt Id Name Type IP Offset Binary - 0x01 fsbl-boot Binary none 0x0 arm-trusted-firmware/tf-a-stm32mp157f-dk2-usb.stm32 - 0x03 fip-boot FIP none 0x0 fip/fip-stm32mp157f-dk2-optee.bin P 0x04 fsbl1 Binary mmc0 0x00004400 arm-trusted-firmware/tf-a-stm32mp157f-dk2-sdcard.stm32 P 0x05 fsbl2 Binary mmc0 0x00044400 arm-trusted-firmware/tf-a-stm32mp157f-dk2-sdcard.stm32 P 0x06 metadata1 Binary mmc0 0x00084400 arm-trusted-firmware/metadata.bin P 0x07 metadata2 Binary mmc0 0x000C4400 arm-trusted-firmware/metadata.bin P 0x08 fip-a FIP mmc0 0x00104400 fip/fip-stm32mp157f-dk2-optee.bin PED 0x09 fip-b FIP mmc0 0x00504400 none PED 0x0A u-boot-env Binary mmc0 0x00904400 none P 0x10 bootfs System mmc0 0x00984400 st-image-bootfs-openstlinux-weston-stm32mp1.ext4 P 0x11 vendorfs FileSystem mmc0 0x04984400 st-image-vendorfs-openstlinux-weston-stm32mp1.ext4 P 0x12 rootfs FileSystem mmc0 0x05984400 st-image-weston-openstlinux-weston-stm32mp1.ext4 P 0x13 userfs FileSystem mmc0 0x33984400 st-image-userfs-openstlinux-weston-stm32mp1.ext4
Update the fsbl1-boot, fip-boot, fsbl1, fsbl2 and fip partitions.
Result:
#Opt Id Name Type IP Offset Binary - 0x01 fsbl-boot Binary none 0x0 arm-trusted-firmware/tf-a-stm32mp157f-dk2-usb_Signed.stm32 - 0x03 fip-boot FIP none 0x0 fip/fip-stm32mp157f-dk2-optee_Signed.bin P 0x04 fsbl1 Binary mmc0 0x00004400 arm-trusted-firmware/tf-a-stm32mp157f-dk2- sdcard_Signed.stm32 P 0x05 fsbl2 Binary mmc0 0x00044400 arm-trusted-firmware/tf-a-stm32mp157f-dk2- sdcard_Signed.stm32 P 0x06 metadata1 Binary mmc0 0x00084400 arm-trusted-firmware/metadata.bin P 0x07 metadata2 Binary mmc0 0x000C4400 arm-trusted-firmware/metadata.bin P 0x08 fip-a FIP mmc0 0x00104400 fip/fip-stm32mp157f-dk2-optee_Signed.bin PED 0x09 fip-b FIP mmc0 0x00504400 none PED 0x0A u-boot-env Binary mmc0 0x00904400 none P 0x10 bootfs System mmc0 0x00984400 st-image-bootfs-openstlinux-weston-stm32mp1.ext4 P 0x11 vendorfs FileSystem mmc0 0x04984400 st-image-vendorfs-openstlinux-weston-stm32mp1.ext4 P 0x12 rootfs FileSystem mmc0 0x05984400 st-image-weston-openstlinux-weston-stm32mp1.ext4 P 0x13 userfs FileSystem mmc0 0x33984400 st-image-userfs-openstlinux-weston-stm32mp1.ext4
10. Program and test[edit source]
Use the previously created FlashLayout file with the signed binaries to populate the correct binaries on the board.
At board boot time, check the two levels of the secure boot: the ROM code secure boot validation and the TF-A BL2 trusted board boot validation.
11. Close the device[edit source]
Information |
For demonstration and test purposes, the STM32MP device can be closed with a simple U-Boot command on the development board. For production purposes, it must be set in production step as described in AN5510: Overview of the secure secret provisioning (SSP) on STM32MP1 series. |
For more information, refer to How to secure STM32 MPU.
In U-Boot console:
stm32key close
For more information, see the How to use U-Boot stm32key command.
As soon as the device is closed, the operation is irreversible; the user is forced to only use signed images.
12. References[edit source]