
How to perform Secure Boot from Distribution Package

Applicable for STM32MP13x lines, STM32MP15x lines, STM32MP21x lines, STM32MP23x lines, STM32MP25x lines

1. Article purpose

The purpose of this article is to explain how to perform a secure boot on an STM32 MPU device with the Distribution Package.

To do so, the steps described in the chapters below must be followed:

Important
You must proceed step by step; no rollback is possible.
  • Create the signature and encryption keys with the KeyGen tool (if not already done).
  • Fuse the signature/encryption keys on the STM32 MPU (if not already done).
  • Compile the Distribution Package with signed binaries.
  • Sign the first-stage bootloader binaries with the Signing tool.
  • Create a FlashLayout file for the signed binaries.
  • Flash the STM32 MPU with the generated FlashLayout file.
  • Check the keys.
  • Close the device (if not already done).
Important
Make sure to save, on your PC, the signature and encryption keys generated according to the way of working defined in this article and fused on the STM32 MPU device.

Once the signature materials are fused in the STM32 MPU device, no changes are possible.

2. Prerequisites

Install the STM32CubeProgrammer with the KeyGen tool and Signing tool.

3. Set up signature and encryption keys

3.1. Create signature keys

To perform the secure boot, binaries must be signed/verified with a specific signature key.

If this signature key is already present on the STM32 MPU device, go directly to the Update the Distribution Package with signed binaries chapter.

To create the signature key, use the STM32MP KeyGen CLI Tool.
Refer to the KeyGen tool page for installation and command-line options.

The minimal command to use is:

STM32_KeyGen_CLI -abs <output directory> -pwd <password> -n <number of key>

With:

  • <output directory> = path to the generated files: private and public key files (privateKey*.pem and publicKey*.pem), hash files (publicKeyHash*.bin) and the hash-of-hashes file (publicKeysHashHashes.bin).
  • <password> = passwords of the private keys. Each password must contain at least four characters. The number of passwords must match the number of key pairs.
  • <number of key> = number of key pairs: one for STM32MP15 or eight for the other platforms.
Information
With such a command, key pairs (public and private signature keys) are created.

With each pair, the hash of the public key ("public hash key" binary) is created.
For all pairs, the hash of all public keys hashes ("public hash hash key" binary) is also generated.

To build your signed image correctly, you need to store the private and public keys in the same folder.

Important
It is mandatory to keep (e.g. by saving on your local PC) the password associated with the signature key and the generated files (publicKey*.pem and privateKey*.pem). They are requested later when a binary must be signed.

The procedure is described below; select the one corresponding to the STM32 MPU used.

3.1.1. For STM32MP13x lines

If you want to sign one of the software components listed in the table below, you need to create its signature key.

The Signature keys are used to sign and verify corresponding components. Several components can be signed/verified by the same key, as shown in table below.

Binary   Component   Signed   Signature key name
FSBL     TF-A        Yes      PKHTH
FIP      OP-TEE      Yes      PKHTH
FIP      U-BOOT      Yes      PKHTH

STM32MP13x lines devices support up to eight signature key pairs (public key/private key).

Example:

STM32_KeyGen_CLI -abs stm32mp13-key/ -pwd password1 password2 password3 password4 password5 password6 password7 password8 -n 8
       -------------------------------------------------------------------
                       STM32MP Key Generator <tool version>                              
       -------------------------------------------------------------------

 Prime256v1 curve is selected. 
 AES_256_cbc algorithm is selected for private key encryption
 Generating Prime256v1 keys... 
 Private key PEM file created 
 Public key PEM file created 
 public key hash file created 
 Keys packet 0 generated successfully.
 + public key:       stm32mp13-key/publicKey00.pem
 + private key:      stm32mp13-key/privateKey00.pem
 + public hash key:  stm32mp13-key/publicKeyHash00.bin
 ------------------------------------------------------------
 AES_256_cbc algorithm is selected for private key encryption
 Generating Prime256v1 keys... 
 Private key PEM file created 
 Public key PEM file created 
 public key hash file created 
 Keys packet 1 generated successfully.
 + public key:       stm32mp13-key/publicKey01.pem
 + private key:      stm32mp13-key/privateKey01.pem
 + public hash key:  stm32mp13-key/publicKeyHash01.bin
 ------------------------------------------------------------
 AES_256_cbc algorithm is selected for private key encryption
 Generating Prime256v1 keys... 
 Private key PEM file created 
 Public key PEM file created 
 public key hash file created 
 Keys packet 2 generated successfully.
 + public key:       stm32mp13-key/publicKey02.pem
 + private key:      stm32mp13-key/privateKey02.pem
 + public hash key:  stm32mp13-key/publicKeyHash02.bin
 ------------------------------------------------------------
 AES_256_cbc algorithm is selected for private key encryption
 Generating Prime256v1 keys... 
 Private key PEM file created 
 Public key PEM file created 
 public key hash file created 
 Keys packet 3 generated successfully.
 + public key:       stm32mp13-key/publicKey03.pem
 + private key:      stm32mp13-key/privateKey03.pem
 + public hash key:  stm32mp13-key/publicKeyHash03.bin
 ------------------------------------------------------------
 AES_256_cbc algorithm is selected for private key encryption
 Generating Prime256v1 keys... 
 Private key PEM file created 
 Public key PEM file created 
 public key hash file created 
 Keys packet 4 generated successfully.
 + public key:       stm32mp13-key/publicKey04.pem
 + private key:      stm32mp13-key/privateKey04.pem
 + public hash key:  stm32mp13-key/publicKeyHash04.bin
 ------------------------------------------------------------
 AES_256_cbc algorithm is selected for private key encryption
 Generating Prime256v1 keys... 
 Private key PEM file created 
 Public key PEM file created 
 public key hash file created 
 Keys packet 5 generated successfully.
 + public key:       stm32mp13-key/publicKey05.pem
 + private key:      stm32mp13-key/privateKey05.pem
 + public hash key:  stm32mp13-key/publicKeyHash05.bin
 ------------------------------------------------------------
 AES_256_cbc algorithm is selected for private key encryption
 Generating Prime256v1 keys... 
 Private key PEM file created 
 Public key PEM file created 
 public key hash file created 
 Keys packet 6 generated successfully.
 + public key:       stm32mp13-key/publicKey06.pem
 + private key:      stm32mp13-key/privateKey06.pem
 + public hash key:  stm32mp13-key/publicKeyHash06.bin
 ------------------------------------------------------------
 AES_256_cbc algorithm is selected for private key encryption
 Generating Prime256v1 keys... 
 Private key PEM file created 
 Public key PEM file created 
 public key hash file created 
 Keys packet 7 generated successfully.
 + public key:       stm32mp13-key/publicKey07.pem
 + private key:      stm32mp13-key/privateKey07.pem
 + public hash key:  stm32mp13-key/publicKeyHash07.bin
 ------------------------------------------------------------
 Hash of table of Hash of {algorithm + public Key} file generated successfully.
 + Hash Hash:  stm32mp13-key/publicKeysHashHashes.bin


Information
It is recommended to rename the generated files to match their key usage:

For PKHTH:

  • a7_PKHTH_privateKey0X.pem
  • a7_PKHTH_publicKey0X.pem
  • a7_PKHTH_publicKeyHash0X.bin
  • a7_PKHTH_publicKeysHashHashes.bin

where X: 0 to 7

3.1.2. For STM32MP15x lines

If you want to sign one of components given in table below, you need to create its signature key.

The signature keys are used to sign and verify the corresponding components. Several components can be signed/verified by the same key, as shown in the table below.

Binary   Component   Signed   Signature key name
FSBL     TF-A        Yes      PKH
FIP      OP-TEE      Yes      PKH
FIP      U-BOOT      Yes      PKH

STM32MP15 device supports only one signature key pair (public key/private key).

Example:

STM32_KeyGen_CLI -abs stm32mp15-key/ -pwd pass1 -n 1
       -------------------------------------------------------------------
                       STM32MP Key Generator <tool version>                   
       -------------------------------------------------------------------

 Prime256v1 curve is selected. 
 AES_256_cbc algorithm is selected for private key encryption
 Generating Prime256v1 keys... 
 Private key PEM file created 
 Public key PEM file created 
 public key hash file created 
 Keys packet 0 generated successfully.
 + public key:       stm32mp15-key/publicKey00.pem
 + private key:      stm32mp15-key/privateKey00.pem
 + public hash key:  stm32mp15-key/publicKeyHash00.bin
 ------------------------------------------------------------
 Hash of table of Hash of {algorithm + public Key} file generated successfully.
 + Hash Hash:  stm32mp15-key/publicKeysHashHashes.bin
Information
It is recommended to rename the generated files to match their key usage:

For PKH:

  • a7_PKH_privateKey00.pem
  • a7_PKH_publicKey00.pem
  • a7_PKH_publicKeyHash00.bin
  • a7_PKH_publicKeysHashHashes.bin

3.1.3. For STM32MP2 series

If you want to sign one of components given in table below, you need to create its signature key.

The signature keys are used to sign and verify the corresponding components. Several components can be signed/verified by the same key, as shown in the table below.

STM32MP21/STM32MP23/STM32MP25 signature key names (the M33-TD flavor column applies only for ecosystem release ≥ v6.2.0):

Binary                          Component                                              A35-TD flavor        M33-TD flavor
FSBL M (Arm® Cortex®-M33)       TF-M MCUBOOT                                           Not applicable       Yes, OEM-KEY1
M33DDR (Arm® Cortex®-M33)       TF-M DDR firmware                                      Not applicable       Yes, FSBLM-DDR-FW-PKH
M33FW (Arm® Cortex®-M33)        TF-M Secure + M33 firmware nonsecure                   Not applicable       Yes, FSBLM-M33-FW-PKH
FSBL A (Arm® Cortex®-A35)       TF-A                                                   Yes, OEM-KEY1        Yes, OEM-KEY1
FIP (Arm® Cortex®-A35)          TF-A (bl31 + fwconfig)                                 Yes, OEM-KEY1        Yes, OEM-KEY1
FIP (Arm® Cortex®-A35)          DDR firmware                                           Yes, OEM-KEY1        Not applicable
FIP (Arm® Cortex®-A35)          OP-TEE                                                 Yes, OEM-KEY1        Yes, OEM-KEY1
FIP (Arm® Cortex®-A35)          U-BOOT                                                 Yes, OEM-KEY1        Yes, OEM-KEY1
Cortex-M coprocessor firmware   Cortex-M33 coprocessor firmware (ecosystem ≥ v6.2.0)   Yes, RPROC-FW-PKH    Not applicable

The chapters below describe the different ways to create the keys listed in the table above, depending on the type of key. If you want to sign one of the components given in the table above, you must create the associated key.

3.1.3.1. Create signature keys for both TD flavors (A35-TD or M33-TD) (OEM-KEY1 for Cortex-A35)

STM32MP21, STM32MP23 and STM32MP25 devices support up to eight signature key pairs (public key/private key).

Example for STM32MP2X (where stm32mp2X can be stm32mp21, stm32mp23 or stm32mp25):

STM32_KeyGen_CLI -abs stm32mp2X-key/ -pwd password1 password2 password3 password4 password5 password6 password7 password8 -n 8
       -------------------------------------------------------------------
                       STM32MP Key Generator <tool version>                              
       -------------------------------------------------------------------

 Prime256v1 curve is selected. 
 AES_256_cbc algorithm is selected for private key encryption
 Generating Prime256v1 keys... 
 Private key PEM file created 
 Public key PEM file created 
 public key hash file created 
 Keys packet 0 generated successfully.
 + public key:       stm32mp2X-key/publicKey00.pem
 + private key:      stm32mp2X-key/privateKey00.pem
 + public hash key:  stm32mp2X-key/publicKeyHash00.bin
 ------------------------------------------------------------
 AES_256_cbc algorithm is selected for private key encryption
 Generating Prime256v1 keys... 
 Private key PEM file created 
 Public key PEM file created 
 public key hash file created 
 Keys packet 1 generated successfully.
 + public key:       stm32mp2X-key/publicKey01.pem
 + private key:      stm32mp2X-key/privateKey01.pem
 + public hash key:  stm32mp2X-key/publicKeyHash01.bin
 ------------------------------------------------------------
 AES_256_cbc algorithm is selected for private key encryption
 Generating Prime256v1 keys... 
 Private key PEM file created 
 Public key PEM file created 
 public key hash file created 
 Keys packet 2 generated successfully.
 + public key:       stm32mp2X-key/publicKey02.pem
 + private key:      stm32mp2X-key/privateKey02.pem
 + public hash key:  stm32mp2X-key/publicKeyHash02.bin
 ------------------------------------------------------------
 AES_256_cbc algorithm is selected for private key encryption
 Generating Prime256v1 keys... 
 Private key PEM file created 
 Public key PEM file created 
 public key hash file created 
 Keys packet 3 generated successfully.
 + public key:       stm32mp2X-key/publicKey03.pem
 + private key:      stm32mp2X-key/privateKey03.pem
 + public hash key:  stm32mp2X-key/publicKeyHash03.bin
 ------------------------------------------------------------
 AES_256_cbc algorithm is selected for private key encryption
 Generating Prime256v1 keys... 
 Private key PEM file created 
 Public key PEM file created 
 public key hash file created 
 Keys packet 4 generated successfully.
 + public key:       stm32mp2X-key/publicKey04.pem
 + private key:      stm32mp2X-key/privateKey04.pem
 + public hash key:  stm32mp2X-key/publicKeyHash04.bin
 ------------------------------------------------------------
 AES_256_cbc algorithm is selected for private key encryption
 Generating Prime256v1 keys... 
 Private key PEM file created 
 Public key PEM file created 
 public key hash file created 
 Keys packet 5 generated successfully.
 + public key:       stm32mp2X-key/publicKey05.pem
 + private key:      stm32mp2X-key/privateKey05.pem
 + public hash key:  stm32mp2X-key/publicKeyHash05.bin
 ------------------------------------------------------------
 AES_256_cbc algorithm is selected for private key encryption
 Generating Prime256v1 keys... 
 Private key PEM file created 
 Public key PEM file created 
 public key hash file created 
 Keys packet 6 generated successfully.
 + public key:       stm32mp2X-key/publicKey06.pem
 + private key:      stm32mp2X-key/privateKey06.pem
 + public hash key:  stm32mp2X-key/publicKeyHash06.bin
 ------------------------------------------------------------
 AES_256_cbc algorithm is selected for private key encryption
 Generating Prime256v1 keys... 
 Private key PEM file created 
 Public key PEM file created 
 public key hash file created 
 Keys packet 7 generated successfully.
 + public key:       stm32mp2X-key/publicKey07.pem
 + private key:      stm32mp2X-key/privateKey07.pem
 + public hash key:  stm32mp2X-key/publicKeyHash07.bin
 ------------------------------------------------------------
 Hash of table of Hash of {algorithm + public Key} file generated successfully.
 + Hash Hash:  stm32mp2X-key/publicKeysHashHashes.bin

Information
It is recommended to rename the generated files to match their key usage:

For OEM-KEY1:

  • a35_OEM-KEY1_privateKey0X.pem
  • a35_OEM-KEY1_publicKey0X.pem
  • a35_OEM-KEY1_publicKeyHash0X.bin
  • a35_OEM-KEY1_publicKeysHashHashes.bin

where X: 0 to 7

3.1.3.2. Create signature keys for A35-TD flavor only
3.1.3.2.1. Create signature keys for Cortex-M33 (RPROC-FW-PKH)

Since ecosystem release v6.2.0, signature keys can also be created for the Cortex-M (running as a remote processor, in A35-TD flavor).

See ECC keys chapter from How to protect the Cortex-M coprocessor firmware page for more information.

STM32MP21, STM32MP23 and STM32MP25 devices support one signature key pair (public key/private key) for this key.
Example, creating the key pair:

STM32_KeyGen_CLI -abs stm32mp2-rproc-key/ -pwd password1
       -------------------------------------------------------------------
                       STM32MP Key Generator <tool version>                              
       -------------------------------------------------------------------

 Prime256v1 curve is selected. 
 AES_256_cbc algorithm is selected for private key encryption
 Generating Prime256v1 keys... 
 Private key PEM file created 
 Public key PEM file created 
 public key hash file created 
 Keys generated successfully.
 + public key:       stm32mp2-rproc-key/publicKey.pem
 + private key:      stm32mp2-rproc-key/privateKey.pem
 + public hash key:  stm32mp2-rproc-key/publicKeyhash.bin

Information
It is recommended to rename the generated files to match their key usage:

For RPROC-FW-PKH:

  • m33_RPROC-FW-PKH_ecc_publicKey.pem
  • m33_RPROC-FW-PKH_ecc_privateKey.pem

Extract the public key in DER format and compute the new hash based on it:

 openssl ec -pubin -in stm32mp2-rproc-key/m33_RPROC-FW-PKH_ecc_publicKey.pem -outform DER -pubout -out stm32mp2-rproc-key/m33_RPROC-FW-PKH_ecc_publicKey.der
 tail -c +28 stm32mp2-rproc-key/m33_RPROC-FW-PKH_ecc_publicKey.der > stm32mp2-rproc-key/m33_RPROC-FW-PKH_ecc_publicKey_der.bin
 openssl dgst -sha256 -binary stm32mp2-rproc-key/m33_RPROC-FW-PKH_ecc_publicKey_der.bin > stm32mp2-rproc-key/m33_RPROC-FW-PKH_ecc_publicKey_der_hash.bin
3.1.3.3. Signature keys created for M33-TD flavor only

Since ecosystem release v6.2.0, signature keys can also be created for the Cortex-M in M33-TD flavor.

3.1.3.3.1. Asymmetric signature keys created for Cortex-M33 (FSBLM-DDR-FW-PKH and FSBLM-M33-FW-PKH)

To create an asymmetric key for the M33-TD flavor, you must use the ST KeyGen tool.

STM32MP21, STM32MP23 and STM32MP25 devices support one signature key pair (public key/private key) for each of those keys.

 STM32_KeyGen_CLI -abs stm32mp2-cm33-key/ -pwd password1
       -------------------------------------------------------------------
                       STM32 Key Generator <tool version>                              
       -------------------------------------------------------------------

  Prime256v1 curve is selected. 
 AES_256_cbc algorithm is selected for private key encryption
 Generating Prime256v1 keys... 
 Private key PEM file created 
 Public key PEM file created 
 public key hash file created 
 Keys generated successfully.
 + public key:       stm32mp2-cm33-key/publicKey.pem
 + private key:      stm32mp2-cm33-key/privateKey.pem
 + public hash key:  stm32mp2-cm33-key/publicKeyhash.bin
Information
The hash generated by the ST KeyGen tool is not usable for the M33-TD flavor; you must create a new hash from the public key.

Extract the public key in DER format:

 openssl ec -pubin -in stm32mp2-cm33-key/publicKey.pem -pubout -outform DER -out stm32mp2-cm33-key/publicKey.der

Hash the DER-encoded key and store the result in a hash file:

 openssl dgst -sha256 -binary stm32mp2-cm33-key/publicKey.der > stm32mp2-cm33-key/hash.bin
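As an added example (not from this page or from ST's tools), the following standard-library Python script recomputes both hashes described above from a PEM or DER public key: the RPROC-FW-PKH hash over the raw X||Y coordinates (the bytes the `tail -c +28` pipeline keeps) and the FSBLM-*-FW-PKH hash over the whole DER key, by walking the DER structure instead of assuming a fixed prefix. The embedded sample key is a constructed value (the P-256 generator point), not a real provisioning key, and all helper names are this example's own.

```python
"""Recompute the Cortex-M33 public-key hashes the page derives with openssl.

Added example, not part of the STM32 wiki page or of ST's KeyGen tool.
The sample key below is constructed: it is the P-256 generator point G,
not a real provisioning key.
"""
import base64
import hashlib

# Constructed sample: P-256 generator point G as an uncompressed point.
SAMPLE_X = bytes.fromhex("6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296")
SAMPLE_Y = bytes.fromhex("4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5")

# DER SubjectPublicKeyInfo header for an id-ecPublicKey / prime256v1 key,
# exactly what `openssl ec -pubout -outform DER` emits ahead of the point.
P256_SPKI_HEADER = bytes.fromhex(
    "3059"                    # SEQUENCE, 89 bytes
    "3013"                    #   SEQUENCE (AlgorithmIdentifier), 19 bytes
    "06072a8648ce3d0201"      #     OID id-ecPublicKey
    "06082a8648ce3d030107"    #     OID prime256v1
    "034200"                  #   BIT STRING, 66 bytes, 0 unused bits
)
SAMPLE_DER = P256_SPKI_HEADER + b"\x04" + SAMPLE_X + SAMPLE_Y
SAMPLE_PEM = ("-----BEGIN PUBLIC KEY-----\n"
              + base64.b64encode(SAMPLE_DER).decode()
              + "\n-----END PUBLIC KEY-----\n")


def pem_to_der(pem_text: str) -> bytes:
    """Strip the PEM armour of a PUBLIC KEY block and base64-decode the body."""
    body = []
    for line in pem_text.splitlines():
        line = line.strip()
        if line and not line.startswith("-----"):
            body.append(line)
    return base64.b64decode("".join(body))


def _der_tlv(buf: bytes, pos: int):
    """Decode one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def raw_point_from_spki(der: bytes) -> bytes:
    """Walk the SubjectPublicKeyInfo and return the 64-byte X||Y coordinates.

    This is what `tail -c +28` extracts on the page, but found by parsing the
    structure rather than assuming a 27-byte prefix, so a malformed or
    non-P-256 key is rejected instead of being silently hashed.
    """
    tag, spki, _ = _der_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, alg, pos = _der_tlv(spki, 0)          # AlgorithmIdentifier
    if tag != 0x30 or alg != P256_SPKI_HEADER[4:23]:
        raise ValueError("not an id-ecPublicKey/prime256v1 key")
    tag, bits, _ = _der_tlv(spki, pos)         # BIT STRING holding the point
    if tag != 0x03 or bits[0] != 0x00:
        raise ValueError("unexpected BIT STRING encoding")
    point = bits[1:]
    if len(point) != 65 or point[0] != 0x04:
        raise ValueError("expected a 65-byte uncompressed point")
    return point[1:]


def is_valid_spki(der: bytes) -> bool:
    """True when der parses as a prime256v1 SPKI with an uncompressed point."""
    try:
        raw_point_from_spki(der)
        return True
    except (ValueError, IndexError):
        return False


def rproc_fw_pkh(der: bytes) -> bytes:
    """RPROC-FW-PKH style hash (A35-TD): SHA-256 over the raw X||Y only."""
    return hashlib.sha256(raw_point_from_spki(der)).digest()


def fsblm_pkh(der: bytes) -> bytes:
    """FSBLM-*-FW-PKH style hash (M33-TD): SHA-256 over the whole DER SPKI."""
    raw_point_from_spki(der)  # validate the structure before hashing it
    return hashlib.sha256(der).digest()


def matches_hash_file(der: bytes, hash_file_bytes: bytes, flavor: str) -> bool:
    """Check a previously generated *_hash.bin against the recomputed value."""
    expected = rproc_fw_pkh(der) if flavor == "A35-TD" else fsblm_pkh(der)
    return len(hash_file_bytes) == 32 and hash_file_bytes == expected


if __name__ == "__main__":
    print("RPROC-FW-PKH :", rproc_fw_pkh(SAMPLE_DER).hex())
    print("FSBLM-FW-PKH :", fsblm_pkh(SAMPLE_DER).hex())
```

Feeding the bytes of a generated *_hash.bin to matches_hash_file confirms it was derived from the intended public key before the hash is fused.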
Information
The key files can be renamed to match their key usage:

For FSBLM-DDR-FW-PKH:

  • m33_FSBLM-DDR-FW-PKH_privateKey.pem
  • m33_FSBLM-DDR-FW-PKH_publicKey.pem
  • m33_FSBLM-DDR-FW-PKH_hash.bin

For FSBLM-M33-FW-PKH:

  • m33_FSBLM-M33-FW-PKH_privateKey.pem
  • m33_FSBLM-M33-FW-PKH_publicKey.pem
  • m33_FSBLM-M33-FW-PKH_hash.bin
3.1.3.3.2. TF-M Initial Attestation Key

TF-M requires a key for Initial Attestation[1]. By default it requires asymmetric keys.

However, you can choose to use a symmetric key[2]. This is the default implementation made by ST.

To create this symmetric key, you must generate a random key of 32 bytes.

STM32_KeyGen_CLI -rand 32 m33_TFM-IAK_key_256bits.bin


3.2. Fuse signature keys on STM32 MPU

Information
For demonstration and test purposes, the signature materials can be fused manually on the STM32 MPU device using a simple U-Boot command on the development board.

For production purposes, it must be set in the production phase, as described in Secure Secret Provisioning (SSP) overview.

Before fusing the keys, they must have been created; for their creation, follow the instructions given in the #Create signature keys chapter.

Correspondence between signature keys and binary files for STM32MP1 series:

Platform    Signature key name   Binary file
STM32MP13   PKHTH                a7_PKHTH_publicKeysHashHashes.bin
STM32MP15   PKH                  a7_PKH_publicKeysHashHashes.bin

Correspondence between signature keys and binary files for STM32MP2 series:

Flavor (STM32MP21, STM32MP23 and STM32MP25)   Signature key name   Binary file
A35-TD flavor                                 OEM-KEY1             a35_OEM-KEY1_publicKeysHashHashes.bin
A35-TD flavor                                 RPROC-FW-PKH         m33_RPROC-FW-PKH_ecc_publicKey_der_hash.bin
M33-TD flavor                                 OEM-KEY1             a35_OEM-KEY1_publicKeysHashHashes.bin
M33-TD flavor                                 FSBLM-DDR-FW-PKH     m33_FSBLM-DDR-FW-PKH_hash.bin
M33-TD flavor                                 FSBLM-M33-FW-PKH     m33_FSBLM-M33-FW-PKH_hash.bin
M33-TD flavor                                 TFM-IAK              m33_TFM-IAK_key_256bits.bin

To manually fuse the public key hash file (*publicKeysHash*.bin), generated as described in the #Create signature keys chapter, put the file in the bootfs partition (recommended one) and use a U-Boot stm32key command:

  • Boot the board and stop on the U-Boot console.
  • List the available keys and select the one to fuse (key names are given in the two correspondence tables above):
stm32key list
stm32key select <key name>
  • Load the public key hash in DDR. In this example, the hash file is located in the bootfs partition of the SD card:
load mmc 0#bootfs ${loadaddr} <binary name>
  • Verify the key:
stm32key read ${loadaddr}
Important
Verify the keys before confirming the "fuse" operation; it is an irreversible operation!
  • Fuse the public key hash:
stm32key fuse ${loadaddr}
  • Verify the key in OTP:
stm32key read
Warning
<key name> and <binary name> must be replaced by the values given in the correspondence tables above.

For complete information on the fuse procedure, refer to How to use U-Boot stm32key command.

3.3. Create encryption keys

Only STM32MP13x lines and STM32MP2 series support the encryption of binaries. To perform secure boot with encrypted binaries, you must encrypt the binaries with a specific encryption key.
The encryption keys are then also used to decrypt a component/firmware.

If this encryption key is already present on the STM32 MPU device, go directly to Update Distribution Package with signed binaries chapter.

To create an encryption key, you must generate a random key of 16 bytes and another random key of 32 bytes.

STM32_KeyGen_CLI -rand 16 stm32mp_encryption_key_128bits.bin
STM32_KeyGen_CLI -rand 32 stm32mp_encryption_key_256bits.bin

3.3.1. For STM32MP13x lines

If you want to encrypt one of the software components listed in the table below, you need to create its encryption key.

The encryption keys are used to encrypt and decrypt corresponding components. Several components can be encrypted/decrypted by the same key, as shown in table below.

STM32MP13 binary   Component   Encrypted   Encryption key name
FSBL               TF-A        Yes         EDMK
FIP                OP-TEE      Yes         EDMK
FIP                U-BOOT      No          Not enabled in software

For STM32MP13x lines, the EDMK key is used for both FSBL encryption (128-bit key) and FIP encryption (256-bit key):

  • "a7_EDMK_key_128bits.bin" can be generated with the KeyGen tool (128-bit random key).
  • "stm32mp13_a7_EDMK_encryption_key_256bits.txt" can be generated with the example below:
hexdump -e '/1 "%02x"' a7_EDMK_key_128bits.bin > stm32mp13_a7_EDMK_encryption_key_256bits.txt
hexdump -e '/1 "%02x"' a7_EDMK_key_128bits.bin >> stm32mp13_a7_EDMK_encryption_key_256bits.txt
printf "\n" >> stm32mp13_a7_EDMK_encryption_key_256bits.txt

In this case, the FIP encryption key is the EDMK key concatenated with itself, giving a 256-bit encryption key.

Information
It is recommended to rename the generated files (stm32mp_encryption_key_128bits.bin and stm32mp13_a7_EDMK_encryption_key_256bits.txt) to match their key usage:

For EDMK:

  • a7_EDMK_key_128bits.bin
  • stm32mp13_a7_EDMK_encryption_key_256bits.txt

3.3.2. For STM32MP2 series

If you want to encrypt one of the software components listed in the table below, you need to create its encryption key.

The encryption keys are used to encrypt and decrypt corresponding components. Several components can be encrypted/decrypted by the same key, as shown in table below.

STM32MP21/STM32MP23/STM32MP25 encryption key names (the M33-TD flavor column applies only for ecosystem release ≥ v6.2.0):

Binary                          Component                                              A35-TD flavor                                                 M33-TD flavor
FSBL M (Arm® Cortex®-M33)       TF-M MCUBOOT                                           Not applicable                                                No, not enabled in software
M33DDR (Arm® Cortex®-M33)       TF-M DDR firmware                                      Not applicable                                                No, not enabled in software
M33FW (Arm® Cortex®-M33)        TF-M Secure + M33 firmware nonsecure                   Not applicable                                                No, not enabled in software
FSBL A (Arm® Cortex®-A35)       TF-A                                                   Yes, EDMK1-128b (STM32MP21) or EDMK1 (STM32MP23/STM32MP25)   Yes, EDMK1-128b (STM32MP21) or EDMK1 (STM32MP23/STM32MP25)
FIP (Arm® Cortex®-A35)          TF-A (bl31 + fwconfig)                                 Yes, FIP-EDMK                                                 Yes, FIP-EDMK
FIP (Arm® Cortex®-A35)          DDR firmware                                           No, not enabled in software                                   Not applicable
FIP (Arm® Cortex®-A35)          OP-TEE                                                 Yes, FIP-EDMK                                                 Yes, FIP-EDMK
FIP (Arm® Cortex®-A35)          U-BOOT                                                 No, not enabled in software                                   No, not enabled in software
Cortex-M coprocessor firmware   Cortex-M33 coprocessor firmware (ecosystem ≥ v6.2.0)   Yes, RPROC-FW-ENC-KEY                                         Not applicable
Information
It is recommended to rename the generated files (stm32mp_encryption_key_128bits.bin and stm32mp_encryption_key_256bits.bin) to match their key usage:

For EDMK1-128b:

  • a35_EDMK1-128b_key_128bits.bin

For EDMK1:

  • a35_EDMK1_key_128bits.bin

For FIP-EDMK:

  • a35_FIP-EDMK_key_256bits.bin

For RPROC-FW-ENC-KEY:

  • m33_RPROC-FW-ENC-KEY_key_256bits.bin

3.4. Fuse encryption key on STM32 MPU

Information
For demonstration and test purposes, the encryption materials can be fused manually on the STM32 MPU device using a simple U-Boot command on the development board.

For production purposes, it must be set in the production phase, as described in Secure Secret Provisioning (SSP) overview.

Before fusing the keys, they must have been created; for their creation, follow the instructions given in the #Create encryption keys chapter.

Fuse an encryption key on the device for STM32MP13x lines or STM32MP2 series.

Correspondence between platform and key/signature file for


Correspondence between encryption keys and binary files for STM32MP13x lines:

Platform    Encryption key name   Binary file
STM32MP13   EDMK                  a7_EDMK_key_128bits.bin

Correspondence between encryption keys and binary files for STM32MP2 series:

Platform              Encryption key name                          Binary file
STM32MP21             EDMK1-128b                                   EDMK1-128b_key_128bits.bin
STM32MP21             FIP-EDMK                                     FIP-EDMK_key_256bits.bin
STM32MP21             RPROC-FW-ENC-KEY (for A35-TD flavor only)    m33-RPROC-FW-ENC-KEY_key_256bits.bin
STM32MP23/STM32MP25   EDMK1                                        EDMK1_key_128bits.bin
STM32MP23/STM32MP25   FIP-EDMK                                     FIP-EDMK_key_256bits.bin
STM32MP23/STM32MP25   RPROC-FW-ENC-KEY (for A35-TD flavor only)    m33-RPROC-FW-ENC-KEY_key_256bits.bin

To manually fuse the encryption key file (stm32mp_encryption_key.bin), generated as described in the #Create encryption keys chapter, put the file in the bootfs partition (recommended one) and use a U-Boot stm32key command:

  • Boot the board and stop on the U-Boot console.
  • List the available keys and select the one to fuse (key names are given in the correspondence tables above):
stm32key list
stm32key select <key name>
  • Load the encryption key in DDR. In this example, the key file is located in the bootfs partition of the SD card:
load mmc 0#bootfs ${loadaddr} <binary name>
  • Verify that the key is registered:
stm32key read
Important
Verify the keys before confirming the "fuse" operation; it is an irreversible operation!
  • Fuse the encryption key:
stm32key fuse ${loadaddr}
  • Verify the key in OTP:
stm32key read
Warning
<key name> and <binary name> must be replaced by the values given in the correspondence tables above.

For complete information on the fuse procedure, refer to How to use U-Boot stm32key command.

4. Update the Distribution Package with signed binaries

4.1. Prerequisites

Signature and encryption keys must have been created and the associated materials fused in the board. If not, go back to the #Set up signature and encryption keys chapter.

List of signature/encryption keys, mandatory or optional, for STM32MP1 series:

Platform    Requirement   Signature keys   Encryption keys
STM32MP13   Mandatory     PKHTH            EDMK
STM32MP13   Optional      -                -
STM32MP15   Mandatory     PKH              -
STM32MP15   Optional      -                -

List of signature/encryption keys, mandatory or optional, to fuse on the board for STM32MP2 series:

Platform    Flavor          Requirement   Signature keys                                           Encryption keys
STM32MP21   A35-TD flavor   Mandatory     OEM-KEY1                                                 EDMK1-128b, FIP-EDMK
STM32MP21   A35-TD flavor   Optional      RPROC-FW-PKH                                             RPROC-FW-ENC-KEY
STM32MP21   M33-TD flavor   Mandatory     OEM-KEY1, FSBLM-DDR-FW-PKH, FSBLM-M33-FW-PKH, TFM-IAK    EDMK1-128b, FIP-EDMK
STM32MP23   A35-TD flavor   Mandatory     OEM-KEY1                                                 EDMK1, FIP-EDMK
STM32MP23   A35-TD flavor   Optional      RPROC-FW-PKH                                             RPROC-FW-ENC-KEY
STM32MP23   M33-TD flavor   Mandatory     OEM-KEY1, FSBLM-DDR-FW-PKH, FSBLM-M33-FW-PKH, TFM-IAK    EDMK1, FIP-EDMK
STM32MP25   A35-TD flavor   Mandatory     OEM-KEY1                                                 EDMK1, FIP-EDMK
STM32MP25   A35-TD flavor   Optional      RPROC-FW-PKH                                             RPROC-FW-ENC-KEY
STM32MP25   M33-TD flavor   Mandatory     OEM-KEY1, FSBLM-DDR-FW-PKH, FSBLM-M33-FW-PKH, TFM-IAK    EDMK1, FIP-EDMK


Set up the build environment of the Distribution Package:

source layers/meta-st/scripts/envsetup.sh

  • Select your DISTRO and your machine.

4.2. Configure a Distribution Package with signed or signed / encrypted partition binaries

Information
Only two modes are supported: signed binaries or signed and encrypted binaries .

The Distribution Package is configured for signed or signed/encrypted binaries by adding the lines given in the chapters below to the local.conf file in the build directory, then generating your image. In the chapters below, select the part corresponding to your case.

4.2.1. For STM32MP1 series

Generate a Distribution Package with signed or signed / encrypted configurations for STM32MP13x lines.

First, you must enable the secure boot with signature support:

echo 'SIGN_HEADER_VERSION = "2" '  >> conf/local.conf
echo 'EXTERNAL_KEY_CONF = "1" ' >> conf/local.conf 
echo 'SIGN_KEY = "key/stm32mp13/a7_PKHTH_privateKey00.pem" ' >> conf/local.conf
echo 'SIGN_KEY_PUB = "<list of public keys (a7_PKHTH_publicKey*.pem)>"  ' >> conf/local.conf
echo 'SIGN_KEY_PASS = "<passwords of signature key>" ' >> conf/local.conf
echo 'SIGN_ENABLE = "1" ' >> conf/local.conf 
echo 'SIGN_TOOL = "<path to STM32_SigningTool tools>" '  >> conf/local.conf
Information
If there are eight key pairs, you need to declare eight passwords:
 SIGN_KEY_PASS = "password0 password1 password2 password3 password4 password5 password6 password7"

Then, if desired, you can enable secure boot with encryption support:

echo 'ENCRYPT_FSBL_KEY = "key/stm32mp13/a7_EDMK_key_128bits.bin" ' >> conf/local.conf
echo 'ENCRYPT_FIP_KEY = "key/stm32mp13/stm32mp13_a7_EDMK_encryption_key_256bits.txt" ' >> conf/local.conf
echo 'ENCRYPT_ENABLE = "1" ' >> conf/local.conf

Generate a Distribution Package with signed configuration for STM32MP15x lines.

You can enable the secure boot with signature support:

echo 'SIGN_HEADER_VERSION = "1" '  >> conf/local.conf
echo 'EXTERNAL_KEY_CONF = "1" ' >> conf/local.conf 
echo 'SIGN_KEY = "key/stm32mp15/a7_PKH_privateKey00.pem" ' >> conf/local.conf
echo 'SIGN_KEY_PUB = "key/stm32mp15/a7_PKH_publicKey00.pem"  ' >> conf/local.conf
echo 'SIGN_KEY_PASS = "<passwords of signature key>" ' >> conf/local.conf
echo 'SIGN_ENABLE = "1" ' >> conf/local.conf 
echo 'SIGN_TOOL = "<path to STM32_SigningTool tools>" '  >> conf/local.conf

Encryption is not supported on STM32MP15x lines.

4.2.2. For STM32MP2 series with A35-TD flavor

Generate a Distribution Package with signed or signed / encrypted configuration for STM32MP21x lines with A35-TD flavor.

First, you must enable the secure boot with signature support:

echo 'SIGN_HEADER_VERSION = "2.3" '  >> conf/local.conf
echo 'EXTERNAL_KEY_CONF = "1" ' >> conf/local.conf 
echo 'SIGN_KEY = "key/stm32mp21/a35_OEM-KEY1_privateKey00.pem" ' >> conf/local.conf
echo 'SIGN_KEY_PUB = "<list of public keys (a35_OEM-KEY1_publicKey*.pem)>" ' >> conf/local.conf
echo 'SIGN_KEY_PASS = "<passwords of signature key>" ' >> conf/local.conf
echo 'SIGN_ENABLE = "1" ' >> conf/local.conf 
echo 'SIGN_TOOL = "<path to STM32_SigningTool tools>" '  >> conf/local.conf
Information
If there are eight key pairs, you need to declare eight passwords:
SIGN_KEY_PASS = "password0 password1 password2 password3 password4 password5 password6 password7"

To sign the binaries used on the Cortex-M33 coprocessor:

echo 'SIGN_COPRO_ENABLE = "1" ' >> conf/local.conf
echo 'SIGN_COPRO_ECC_INFOKEY = "key/stm32mp21/m33_RPROC-FW-PKH_ecc_publicKey.der" ' >> conf/local.conf
echo 'SIGN_COPRO_ECC_PRIVKEY = "key/stm32mp21/m33_RPROC-FW-PKH_ecc_privateKey.pem" ' >> conf/local.conf
echo 'SIGN_COPRO_ECC_PASS = "<password of remote processor signature key>" ' >> conf/local.conf

To deactivate it, do not provide the SIGN_COPRO_ECC settings and set SIGN_COPRO_DEFAULT instead (the software signature key provided by OP-TEE is then used):

echo 'SIGN_COPRO_DEFAULT = "1" ' >> conf/local.conf

Then, if desired, you can enable secure boot with encryption support:

echo 'ENCRYPT_ENABLE = "1" ' >> conf/local.conf
echo 'ENCRYPT_FSBL_KEY = "key/stm32mp21/a35_EDMK1-128b_key_128bits.bin" ' >> conf/local.conf
echo 'ENCRYPT_FIP_KEY = "key/stm32mp21/a35_FIP-EDMK_key_256bits.bin" ' >> conf/local.conf

To encrypt the binaries used on the Cortex-M33 coprocessor:

echo 'ENCRYPT_COPRO_ENABLE = "1" ' >> conf/local.conf
echo 'ENCRYPT_COPRO_KEY = "key/stm32mp21/m33_RPROC-FW-ENC-KEY_key_256bits.bin" ' >> conf/local.conf

Generate the Distribution Package with signed or signed/encrypted configuration for STM32MP23x lines with A35-TD flavor.

First, you must enable the secure boot with signature support:

echo 'SIGN_HEADER_VERSION = "2.2" '  >> conf/local.conf
echo 'EXTERNAL_KEY_CONF = "1" ' >> conf/local.conf 
echo 'SIGN_KEY = "key/stm32mp23/a35_OEM-KEY1_privateKey00.pem" ' >> conf/local.conf
echo 'SIGN_KEY_PUB = "<list of public keys (a35_OEM-KEY1_publicKey*.pem)>" ' >> conf/local.conf
echo 'SIGN_KEY_PASS = "<passwords of signature key>" ' >> conf/local.conf
echo 'SIGN_ENABLE = "1" ' >> conf/local.conf 
echo 'SIGN_TOOL = "<path to STM32_SigningTool tools>" '  >> conf/local.conf
Information
If there are eight key pairs, you need to declare eight passwords:
SIGN_KEY_PASS = "password0 password1 password2 password3 password4 password5 password6 password7"

To sign the binaries used on the Cortex-M33 coprocessor:

echo 'SIGN_COPRO_ENABLE = "1" ' >> conf/local.conf
echo 'SIGN_COPRO_ECC_INFOKEY = "key/stm32mp23/m33_RPROC-FW-PKH_ecc_publicKey.der" ' >> conf/local.conf
echo 'SIGN_COPRO_ECC_PRIVKEY = "key/stm32mp23/m33_RPROC-FW-PKH_ecc_privateKey.pem" ' >> conf/local.conf
echo 'SIGN_COPRO_ECC_PASS = "<password of remote processor signature key>" ' >> conf/local.conf

To deactivate it, do not provide the SIGN_COPRO_ECC settings and set SIGN_COPRO_DEFAULT instead (the software signature key provided by OP-TEE is then used):

echo 'SIGN_COPRO_DEFAULT = "1" ' >> conf/local.conf

Then, if desired, you can enable secure boot with encryption support:

echo 'ENCRYPT_ENABLE = "1" ' >> conf/local.conf
echo 'ENCRYPT_FSBL_KEY = "key/stm32mp23/a35_EDMK1_key_128bits.bin" ' >> conf/local.conf
echo 'ENCRYPT_FIP_KEY = "key/stm32mp23/a35_FIP-EDMK_key_256bits.bin" ' >> conf/local.conf

To encrypt the binaries used on the Cortex-M33 coprocessor:

echo 'ENCRYPT_COPRO_ENABLE = "1" ' >> conf/local.conf
echo 'ENCRYPT_COPRO_KEY = "key/stm32mp23/m33_RPROC-FW-ENC-KEY_key_256bits.bin" ' >> conf/local.conf

Generate the Distribution Package with signed or signed/encrypted configuration for STM32MP25x lines with A35-TD flavor.

First, you must enable the secure boot with signature support:

echo 'SIGN_HEADER_VERSION = "2.2" '  >> conf/local.conf
echo 'EXTERNAL_KEY_CONF = "1" ' >> conf/local.conf 
echo 'SIGN_KEY = "key/stm32mp25/a35_OEM-KEY1_privateKey00.pem" ' >> conf/local.conf
echo 'SIGN_KEY_PUB = "<list of public keys (a35_OEM-KEY1_publicKey*.pem)>" ' >> conf/local.conf
echo 'SIGN_KEY_PASS = "<passwords of signature key>" ' >> conf/local.conf
echo 'SIGN_ENABLE = "1" ' >> conf/local.conf 
echo 'SIGN_TOOL = "<path to STM32_SigningTool tools>" '  >> conf/local.conf
Information
If there are eight key pairs, you need to declare eight passwords:
SIGN_KEY_PASS = "password0 password1 password2 password3 password4 password5 password6 password7"

To sign the binaries used on the Cortex-M33 coprocessor:

echo 'SIGN_COPRO_ENABLE = "1" ' >> conf/local.conf
echo 'SIGN_COPRO_ECC_INFOKEY = "key/stm32mp25/m33_RPROC-FW-PKH_ecc_publicKey.der" ' >> conf/local.conf
echo 'SIGN_COPRO_ECC_PRIVKEY = "key/stm32mp25/m33_RPROC-FW-PKH_ecc_privateKey.pem" ' >> conf/local.conf
echo 'SIGN_COPRO_ECC_PASS = "<password of remote processor signature key>" ' >> conf/local.conf

To deactivate it, do not provide the SIGN_COPRO_ECC settings and set SIGN_COPRO_DEFAULT instead (the software signature key provided by OP-TEE is then used):

echo 'SIGN_COPRO_DEFAULT = "1" ' >> conf/local.conf

Then, if desired, you can enable secure boot with encryption support:

echo 'ENCRYPT_ENABLE = "1" ' >> conf/local.conf
echo 'ENCRYPT_FSBL_KEY = "key/stm32mp25/a35_EDMK1_key_128bits.bin" ' >> conf/local.conf
echo 'ENCRYPT_FIP_KEY = "key/stm32mp25/a35_FIP-EDMK_key_256bits.bin" ' >> conf/local.conf

To encrypt the binaries used on the Cortex-M33 coprocessor:

echo 'ENCRYPT_COPRO_ENABLE = "1" ' >> conf/local.conf
echo 'ENCRYPT_COPRO_KEY = "key/stm32mp25/m33_RPROC-FW-ENC-KEY_key_256bits.bin" ' >> conf/local.conf
4.2.3. For STM32MP2 series with M33-TD flavor

Generate the Distribution Package with signed or signed/encrypted configuration for STM32MP21x lines with M33-TD flavor.

First, you must enable the secure boot with signature support:

echo 'SIGN_HEADER_VERSION = "2.3" '  >> conf/local.conf
echo 'EXTERNAL_KEY_CONF = "1" ' >> conf/local.conf 
echo 'SIGN_KEY = "key/stm32mp21/a35_OEM-KEY1_privateKey00.pem" ' >> conf/local.conf
echo 'SIGN_KEY_PUB = "<list of public keys (a35_OEM-KEY1_publicKey*.pem)>" ' >> conf/local.conf
echo 'SIGN_KEY_PASS = "<passwords of signature key>" ' >> conf/local.conf
echo 'SIGN_ENABLE = "1" ' >> conf/local.conf 
echo 'SIGN_TOOL = "<path to STM32_SigningTool tools>" '  >> conf/local.conf
Information
If there are eight key pairs, you need to declare eight passwords:
SIGN_KEY_PASS = "password0 password1 password2 password3 password4 password5 password6 password7"

Then declare the keys that sign the Cortex-M33 first-stage firmware images, the DDR firmware (FSBLM-DDR-FW-PKH) and the M33 firmware (FSBLM-M33-FW-PKH):

echo 'SIGN_M33DDR_KEY = "key/stm32mp21/m33_FSBLM-DDR-FW-PKH_privateKey.pem" ' >> conf/local.conf
echo 'SIGN_M33DDR_KEY_PASS = "root" ' >> conf/local.conf
echo 'SIGN_M33FW_KEY = "key/stm32mp21/m33_FSBLM-M33-FW-PKH_privateKey.pem" ' >> conf/local.conf
echo 'SIGN_M33FW_KEY_PASS = "root" ' >> conf/local.conf
Information
For the moment, only the use of the same FSBL keys, OEM-KEY1 and EDMK1, is supported for the two cores.

Then, if desired, you can enable secure boot with encryption support:

echo 'ENCRYPT_ENABLE = "1" ' >> conf/local.conf
echo 'ENCRYPT_FSBL_KEY = "key/stm32mp21/a35_EDMK1-128b_key_128bits.bin" ' >> conf/local.conf
echo 'ENCRYPT_FIP_KEY = "key/stm32mp21/a35_FIP-EDMK_key_256bits.bin" ' >> conf/local.conf

To encrypt the binaries used on the coprocessor:

echo 'ENCRYPT_COPRO_ENABLE = "1" ' >> conf/local.conf
echo 'ENCRYPT_COPRO_KEY = "key/stm32mp21/m33_RPROC-FW-ENC-KEY_key_256bits.bin" ' >> conf/local.conf
Information
For the moment, only the use of the same FSBL key, EDMK1-128b, is supported for the two cores.

Generate the Distribution Package with signed or signed/encrypted configuration for STM32MP23x lines with M33-TD flavor.

First, you must enable the secure boot with signature support:

echo 'SIGN_HEADER_VERSION = "2.2" '  >> conf/local.conf
echo 'EXTERNAL_KEY_CONF = "1" ' >> conf/local.conf 
echo 'SIGN_KEY = "key/stm32mp23/a35_OEM-KEY1_privateKey00.pem" ' >> conf/local.conf
echo 'SIGN_KEY_PUB = "<list of public keys (a35_OEM-KEY1_publicKey*.pem)>" ' >> conf/local.conf
echo 'SIGN_KEY_PASS = "<passwords of signature key>" ' >> conf/local.conf
echo 'SIGN_ENABLE = "1" ' >> conf/local.conf 
echo 'SIGN_TOOL = "<path to STM32_SigningTool tools>" '  >> conf/local.conf
Information
If there are eight key pairs, you need to declare eight passwords:
SIGN_KEY_PASS = "password0 password1 password2 password3 password4 password5 password6 password7"

Then declare the keys that sign the Cortex-M33 first-stage firmware images, the DDR firmware (FSBLM-DDR-FW-PKH) and the M33 firmware (FSBLM-M33-FW-PKH):

echo 'SIGN_M33DDR_KEY = "key/stm32mp23/m33_FSBLM-DDR-FW-PKH_privateKey.pem" ' >> conf/local.conf
echo 'SIGN_M33DDR_KEY_PASS = "root" ' >> conf/local.conf
echo 'SIGN_M33FW_KEY = "key/stm32mp23/m33_FSBLM-M33-FW-PKH_privateKey.pem" ' >> conf/local.conf
echo 'SIGN_M33FW_KEY_PASS = "root" ' >> conf/local.conf
Information
For the moment, only the use of the same FSBL keys, OEM-KEY1 and EDMK1, is supported for the two cores.

Then, if desired, you can enable secure boot with encryption support:

echo 'ENCRYPT_ENABLE = "1" ' >> conf/local.conf
echo 'ENCRYPT_FSBL_KEY = "key/stm32mp23/a35_EDMK1_key_128bits.bin" ' >> conf/local.conf
echo 'ENCRYPT_FIP_KEY = "key/stm32mp23/a35_FIP-EDMK_key_256bits.bin" ' >> conf/local.conf

To encrypt the binaries used on the coprocessor:

echo 'ENCRYPT_COPRO_ENABLE = "1" ' >> conf/local.conf
echo 'ENCRYPT_COPRO_KEY = "key/stm32mp23/m33_RPROC-FW-ENC-KEY_key_256bits.bin" ' >> conf/local.conf
Information
For the moment, only the use of the same FSBL key, EDMK1, is supported for the two cores.

Generate the Distribution Package with signed or signed/encrypted configuration for STM32MP25x lines with M33-TD flavor.

First, you must enable the secure boot with signature support:

echo 'SIGN_HEADER_VERSION = "2.2" '  >> conf/local.conf
echo 'EXTERNAL_KEY_CONF = "1" ' >> conf/local.conf 
echo 'SIGN_KEY = "key/stm32mp25/a35_OEM-KEY1_privateKey00.pem" ' >> conf/local.conf
echo 'SIGN_KEY_PUB = "<list of public keys (a35_OEM-KEY1_publicKey*.pem)>" ' >> conf/local.conf
echo 'SIGN_KEY_PASS = "<passwords of signature key>" ' >> conf/local.conf
echo 'SIGN_ENABLE = "1" ' >> conf/local.conf 
echo 'SIGN_TOOL = "<path to STM32_SigningTool tools>" '  >> conf/local.conf
Information
If there are eight key pairs, you need to declare eight passwords:
SIGN_KEY_PASS = "password0 password1 password2 password3 password4 password5 password6 password7"

Then declare the keys that sign the Cortex-M33 first-stage firmware images, the DDR firmware (FSBLM-DDR-FW-PKH) and the M33 firmware (FSBLM-M33-FW-PKH):

echo 'SIGN_M33DDR_KEY = "key/stm32mp25/m33_FSBLM-DDR-FW-PKH_privateKey.pem" ' >> conf/local.conf
echo 'SIGN_M33DDR_KEY_PASS = "root" ' >> conf/local.conf
echo 'SIGN_M33FW_KEY = "key/stm32mp25/m33_FSBLM-M33-FW-PKH_privateKey.pem" ' >> conf/local.conf
echo 'SIGN_M33FW_KEY_PASS = "root" ' >> conf/local.conf
Information
For the moment, only the use of the same FSBL keys, OEM-KEY1 and EDMK1, is supported for the two cores.

Then, if desired, you can enable secure boot with encryption support:

echo 'ENCRYPT_ENABLE = "1" ' >> conf/local.conf
echo 'ENCRYPT_FSBL_KEY = "key/stm32mp25/a35_EDMK1_key_128bits.bin" ' >> conf/local.conf
echo 'ENCRYPT_FIP_KEY = "key/stm32mp25/a35_FIP-EDMK_key_256bits.bin" ' >> conf/local.conf

To encrypt the binaries used on the coprocessor:

echo 'ENCRYPT_COPRO_ENABLE = "1" ' >> conf/local.conf
echo 'ENCRYPT_COPRO_KEY = "key/stm32mp25/m33_RPROC-FW-ENC-KEY_key_256bits.bin" ' >> conf/local.conf
Information
For the moment, only the use of the same FSBL key, EDMK1, is supported for the two cores.
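As an added check that is not part of the wiki page or of the OpenSTLinux build: a POSIX shell helper (hypothetical names sb_list_pubkeys, sb_count, sb_check_passwords and sb_emit_local_conf) that collects the publicKey*.pem files of a key prefix, refuses to write the signature settings unless SIGN_KEY_PASS carries one password per key pair, as the Information boxes above require, and only then appends them to conf/local.conf. The eight key files it operates on are empty placeholders constructed in a scratch directory.

```shell
#!/bin/sh
# Added example, not part of the ST wiki page. Hypothetical helper names:
# sb_list_pubkeys, sb_count, sb_check_passwords, sb_emit_local_conf.
# The check mirrors the Information box above: SIGN_KEY_PASS must carry one
# password per key pair, in the same order as the publicKey*.pem files.

# Print the public key files for a key prefix, space separated, in glob order
# (e.g. key/stm32mp21/a35_OEM-KEY1 -> key/stm32mp21/a35_OEM-KEY1_publicKey00.pem ...).
# Returns 1 when no such file exists (the unmatched glob is left literally in $1).
sb_list_pubkeys() {
    prefix="$1"
    set -- "${prefix}"_publicKey*.pem
    [ -e "$1" ] || return 1
    echo "$*"
}

# Number of words in the arguments (call it on an unquoted list).
sb_count() { echo "$#"; }

# Return 0 when the password list has exactly one entry per public key file.
sb_check_passwords() {
    pubkeys="$1"
    passwords="$2"
    nkeys=$(sb_count $pubkeys)
    npass=$(sb_count $passwords)
    if [ "$nkeys" -eq 0 ]; then
        echo "error: no public key file given" >&2
        return 1
    fi
    if [ "$nkeys" -ne "$npass" ]; then
        echo "error: $nkeys key pair(s) but $npass password(s) in SIGN_KEY_PASS" >&2
        return 1
    fi
    return 0
}

# Append the signature settings to local.conf, but only once the key/password
# counts agree. Arguments: local.conf path, SIGN_HEADER_VERSION, key prefix,
# SIGN_KEY_PASS value, SIGN_TOOL path.
sb_emit_local_conf() {
    conf="$1"; hdr="$2"; prefix="$3"; passwords="$4"; tool="$5"
    pubkeys=$(sb_list_pubkeys "$prefix") || {
        echo "error: no ${prefix}_publicKey*.pem found" >&2
        return 1
    }
    sb_check_passwords "$pubkeys" "$passwords" || return 1
    mkdir -p "$(dirname "$conf")" || return 1
    {
        echo "SIGN_HEADER_VERSION = \"$hdr\""
        echo "EXTERNAL_KEY_CONF = \"1\""
        echo "SIGN_KEY = \"${prefix}_privateKey00.pem\""
        echo "SIGN_KEY_PUB = \"$pubkeys\""
        echo "SIGN_KEY_PASS = \"$passwords\""
        echo "SIGN_ENABLE = \"1\""
        echo "SIGN_TOOL = \"$tool\""
    } >> "$conf"
}

# Constructed sample: eight empty placeholder files named like the KeyGen output
# for STM32MP21x lines, in a scratch directory that is removed on exit.
SB_DEMO_DIR=$(mktemp -d) || exit 1
trap 'rm -rf "$SB_DEMO_DIR"' EXIT
mkdir -p "$SB_DEMO_DIR/key/stm32mp21"
for i in 0 1 2 3 4 5 6 7; do
    : > "$SB_DEMO_DIR/key/stm32mp21/a35_OEM-KEY1_publicKey0$i.pem"
done
cd "$SB_DEMO_DIR" || exit 1

# Eight key pairs but a single password: rejected, nothing is written.
if sb_emit_local_conf conf/local.conf "2.3" key/stm32mp21/a35_OEM-KEY1 \
        "password0" "<path to STM32_SigningTool tools>"; then
    echo "unexpected: mismatched password count accepted"
fi

# One password per key pair: the settings are appended to conf/local.conf.
sb_emit_local_conf conf/local.conf "2.3" key/stm32mp21/a35_OEM-KEY1 \
    "password0 password1 password2 password3 password4 password5 password6 password7" \
    "<path to STM32_SigningTool tools>" && cat conf/local.conf
```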

4.3. Generate the Distribution Package

Build the image to obtain the signed, or signed and encrypted, partition binaries:

bitbake st-image-weston

The signed, or signed and encrypted, binaries ready to be programmed on the board can be found in:

  • tmp-glibc/deploy/images/<machine name>/arm-trusted-firmware
  • tmp-glibc/deploy/images/<machine name>/fip
  • tmp-glibc/deploy/images/<machine name>/arm-trusted-firmware-m (specific to STM32MP2 series with M33-TD flavor)
  • tmp-glibc/deploy/images/<machine name>/arm-trusted-firmware-m/bl2 (specific to STM32MP2 series with M33-TD flavor)
  • tmp-glibc/deploy/images/<machine name>/m33-firmware (specific to STM32MP2 series with M33-TD flavor)

5. FlashLayout file content

Example for FlashLayout_sdcard_stm32mp157f-dk2-optee_Signed.tsv with signature enabled:

#Opt	Id	Name	Type	IP	Offset	Binary
-	0x01	fsbl-boot	Binary	none	0x0	arm-trusted-firmware/tf-a-stm32mp157f-dk2-usb_Signed.stm32
-	0x03	fip-boot	FIP	none	0x0	fip/fip-stm32mp157f-dk2-optee_Signed.bin
P	0x04	fsbl1	Binary	mmc0	0x00004400	arm-trusted-firmware/tf-a-stm32mp157f-dk2-sdcard_Signed.stm32
P	0x05	fsbl2	Binary	mmc0	0x00044400	arm-trusted-firmware/tf-a-stm32mp157f-dk2-sdcard_Signed.stm32
P	0x06	metadata1	Binary	mmc0	0x00084400	arm-trusted-firmware/metadata.bin
P	0x07	metadata2	Binary	mmc0	0x000C4400	arm-trusted-firmware/metadata.bin
P	0x08	fip-a	FIP	mmc0	0x00104400	fip/fip-stm32mp157f-dk2-optee_Signed.bin
PED	0x09	fip-b	FIP	mmc0	0x00504400	none
PED	0x0A	u-boot-env	Binary	mmc0	0x00904400	none
P	0x10	bootfs	System	mmc0	0x00984400	st-image-bootfs-openstlinux-weston-stm32mp1.ext4
P	0x11	vendorfs	FileSystem	mmc0	0x04984400	st-image-vendorfs-openstlinux-weston-stm32mp1.ext4
P	0x12	rootfs	FileSystem	mmc0	0x05984400	st-image-weston-openstlinux-weston-stm32mp1.ext4
P	0x13	userfs	FileSystem	mmc0	0x33984400	st-image-userfs-openstlinux-weston-stm32mp1.ext4

Example for FlashLayout_sdcard_stm32mp157f-dk2-optee_Encrypted_Signed.tsv with signature and encryption enabled:

#Opt	Id	Name	Type	IP	Offset	Binary
-	0x01	fsbl-boot	Binary	none	0x0	arm-trusted-firmware/tf-a-stm32mp157f-dk2-usb_Encrypted_Signed.stm32
-	0x03	fip-boot	FIP	none	0x0	fip/fip-stm32mp157f-dk2-optee_Encrypted_Signed.bin
P	0x04	fsbl1	Binary	mmc0	0x00004400	arm-trusted-firmware/tf-a-stm32mp157f-dk2-sdcard_Encrypted_Signed.stm32
P	0x05	fsbl2	Binary	mmc0	0x00044400	arm-trusted-firmware/tf-a-stm32mp157f-dk2-sdcard_Encrypted_Signed.stm32
P	0x06	metadata1	Binary	mmc0	0x00084400	arm-trusted-firmware/metadata.bin
P	0x07	metadata2	Binary	mmc0	0x000C4400	arm-trusted-firmware/metadata.bin
P	0x08	fip-a	FIP	mmc0	0x00104400	fip/fip-stm32mp157f-dk2-optee_Encrypted_Signed.bin
PED	0x09	fip-b	FIP	mmc0	0x00504400	none
PED	0x0A	u-boot-env	Binary	mmc0	0x00904400	none
P	0x10	bootfs	System	mmc0	0x00984400	st-image-bootfs-openstlinux-weston-stm32mp1.ext4
P	0x11	vendorfs	FileSystem	mmc0	0x04984400	st-image-vendorfs-openstlinux-weston-stm32mp1.ext4
P	0x12	rootfs	FileSystem	mmc0	0x05984400	st-image-weston-openstlinux-weston-stm32mp1.ext4
P	0x13	userfs	FileSystem	mmc0	0x33984400	st-image-userfs-openstlinux-weston-stm32mp1.ext4
Information
When the FlashLayout file is generated with signature, or with signature and encryption, enabled, its file name is extended with a suffix:
  • SIGN_ENABLE activated: _Signed
  • SIGN_ENABLE and ENCRYPT_ENABLE activated: _Encrypted_Signed
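As an added check that is not part of the wiki page or of STM32CubeProgrammer: a POSIX shell helper (hypothetical names fl_expected_suffix, fl_check and fl_row) that maps SIGN_ENABLE / ENCRYPT_ENABLE to the _Signed / _Encrypted_Signed pattern described above and verifies that every fsbl*/fip* entry of a FlashLayout TSV references a binary carrying that pattern, so that an unsigned or signed-only image is not programmed onto a device that expects signed and encrypted images. The two FlashLayout files it inspects are constructed inline from a few of the STM32MP157F-DK2 rows shown above.

```shell
#!/bin/sh
# Added example, not part of the ST wiki page. Hypothetical helper names:
# fl_expected_suffix, fl_check, fl_row. It checks that the boot images named in
# a FlashLayout TSV carry the file-name pattern matching the local.conf switches
# (see the Information box above), so that an unsigned or signed-only image is
# not programmed onto a device that expects signed and encrypted images.

# Map SIGN_ENABLE / ENCRYPT_ENABLE to the pattern the build appends to the
# fsbl and fip file names. Only the two documented combinations are mapped;
# anything else yields an empty suffix (plain, unsigned images).
fl_expected_suffix() {
    if [ "$1" = "1" ] && [ "$2" = "1" ]; then
        echo "_Encrypted_Signed"
    elif [ "$1" = "1" ]; then
        echo "_Signed"
    else
        echo ""
    fi
}

# Return 0 when every fsbl*/fip* row whose Binary is not "none" references a
# file whose name (without extension) ends with the expected suffix and does
# not carry another _Signed/_Encrypted marker before it. Offending rows are
# printed on stderr and the function returns 1.
fl_check() {
    tsv="$1"; sfx="$2"
    bad=$(awk -F'\t' -v sfx="$sfx" '
        /^#/ || NF < 7 { next }              # header, comments, short rows
        $3 !~ /^(fsbl|fip)/ { next }         # metadata, u-boot-env, rootfs...
        $7 == "none" { next }                # empty slot, e.g. fip-b
        {
            bin = $7
            gsub(/[ \r]+$/, "", bin)         # tolerate trailing blanks
            sub(/\.[^.\/]*$/, "", bin)       # drop .stm32 / .bin
            n = length(bin) - length(sfx)
            tail = (n >= 0) ? substr(bin, n + 1) : ""
            rest = (n >= 0) ? substr(bin, 1, n) : bin
            if (tail != sfx || rest ~ /_(Encrypted|Signed)$/)
                print $3 ": " $7
        }' "$tsv")
    if [ -n "$bad" ]; then
        printf '%s: rows not matching suffix "%s":\n%s\n' "$tsv" "$sfx" "$bad" >&2
        return 1
    fi
    return 0
}

# Write one tab-separated FlashLayout row (Opt Id Name Type IP Offset Binary).
fl_row() { printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\n' "$@"; }

# Constructed sample layouts (subsets of the STM32MP157F-DK2 examples above),
# written to scratch files that are removed on exit.
FL_GOOD=$(mktemp) || exit 1
FL_BAD=$(mktemp) || exit 1
trap 'rm -f "$FL_GOOD" "$FL_BAD"' EXIT
{
    printf '#Opt\tId\tName\tType\tIP\tOffset\tBinary\n'
    fl_row - 0x01 fsbl-boot Binary none 0x0 arm-trusted-firmware/tf-a-stm32mp157f-dk2-usb_Encrypted_Signed.stm32
    fl_row - 0x03 fip-boot FIP none 0x0 fip/fip-stm32mp157f-dk2-optee_Encrypted_Signed.bin
    fl_row P 0x04 fsbl1 Binary mmc0 0x00004400 arm-trusted-firmware/tf-a-stm32mp157f-dk2-sdcard_Encrypted_Signed.stm32
    fl_row P 0x06 metadata1 Binary mmc0 0x00084400 arm-trusted-firmware/metadata.bin
    fl_row P 0x08 fip-a FIP mmc0 0x00104400 fip/fip-stm32mp157f-dk2-optee_Encrypted_Signed.bin
    fl_row PED 0x09 fip-b FIP mmc0 0x00504400 none
} > "$FL_GOOD"
# Same kind of layout, but fip-a points at the plain, unsigned FIP.
{
    printf '#Opt\tId\tName\tType\tIP\tOffset\tBinary\n'
    fl_row P 0x04 fsbl1 Binary mmc0 0x00004400 arm-trusted-firmware/tf-a-stm32mp157f-dk2-sdcard_Encrypted_Signed.stm32
    fl_row P 0x08 fip-a FIP mmc0 0x00104400 fip/fip-stm32mp157f-dk2-optee.bin
} > "$FL_BAD"

# local.conf had SIGN_ENABLE = "1" and ENCRYPT_ENABLE = "1".
SFX=$(fl_expected_suffix 1 1)
fl_check "$FL_GOOD" "$SFX" && echo "good layout: every boot image is $SFX"
fl_check "$FL_BAD" "$SFX" || echo "bad layout rejected"
```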

6. Load the generated FlashLayout file in board

Use the previously created FlashLayout file with the signed binaries to program the right binaries on the board.

Refer to the STM32CubeProgrammer#How_to_flash_with_STM32CubeProgrammer article and follow the instructions related to your ST board.

7. Check the set up

At board boot time, check the two levels of the secure boot: the ROM code secure boot validation and the TF-A BL2 trusted board boot validation.

8. Close the device

Information
For demonstration and test purposes, the STM32MP device can be closed with a simple U-Boot command on the development board. For production purposes, it must be done at the production step, as described in AN5510: Overview of the secure secret provisioning (SSP) on STM32MP1 series.

For more information, refer to How to secure STM32 MPU.

Warning
Make sure to only close the device if the previous authentication test succeeded, otherwise the chip is bricked and becomes unusable.

In U-Boot console:

 stm32key close

For more information, see How to use U-Boot stm32key command.

Closing the device is irreversible: from then on, only signed images can be used.

Warning
This must not be done on STM32MP13, STM32MP15, STM32MP21, STM32MP23 or STM32MP25 part numbers without secure boot enabled; otherwise the chip is bricked and becomes unusable.

9. Summary

9.1. For STM32MP1 series

Generate a Distribution Package with signed and signed/encrypted configurations for STM32MP13x lines.

STM32MP13x lines

Signature keys

Initial configuration to add in the local.conf file, only before the first declared signature key:

SIGN_HEADER_VERSION = "2"
EXTERNAL_KEY_CONF = "1"
SIGN_ENABLE = "1"
SIGN_TOOL = "<path to STM32_SigningTool tools>"

Signature key: PKHTH
  • File to upload on board: key/stm32mp13/a7_PKHTH_publicKeysHashHashes.bin
  • Key files:
    key/stm32mp13/a7_PKHTH_publicKeysHashHashes.bin
    key/stm32mp13/a7_PKHTH_privateKey0X.pem
    key/stm32mp13/a7_PKHTH_publicKey0X.pem
    key/stm32mp13/a7_PKHTH_publicKeyHash0X.pem
    where X: 0 to 7
  • Configuration to add in the local.conf file, after the previous configuration:
    SIGN_KEY = "key/stm32mp13/a7_PKHTH_privateKey00.pem"
    SIGN_KEY_PUB = " \
    key/stm32mp13/a7_PKHTH_publicKey00.pem \
    ... \
    key/stm32mp13/a7_PKHTH_publicKey07.pem \
    "
    SIGN_KEY_PASS = "<passwords of signature key>"

Encryption keys

Initial configuration to add in the local.conf file, after the signature keys configuration and only before the first declared encryption key:

ENCRYPT_ENABLE = "1"

Encryption key: EDMK
  • File to upload on board: key/stm32mp13/a7_EDMK_key_128bits.bin
  • Key files:
    key/stm32mp13/a7_EDMK_key_128bits.bin
  • Configuration to add in the local.conf file, after the previous configuration:
    ENCRYPT_FSBL_KEY = "key/stm32mp13/a7_EDMK_key_128bits.bin"
    ENCRYPT_FIP_KEY = "key/stm32mp13/stm32mp13_a7_EDMK_encryption_key_256bits.txt"

Generate a Distribution Package with signed configuration for STM32MP15x lines (encryption is not supported on STM32MP15x lines).

STM32MP15x lines

Signature keys

Initial configuration to add in the local.conf file, only before the first declared signature key:

SIGN_HEADER_VERSION = "1"
EXTERNAL_KEY_CONF = "1"
SIGN_ENABLE = "1"
SIGN_TOOL = "<path to STM32_SigningTool tools>"

Signature key: PKH
  • File to upload on board: key/stm32mp15/a7_PKH_publicKeysHashHashes.bin
  • Key files:
    key/stm32mp15/a7_PKH_publicKeysHashHashes.bin
    key/stm32mp15/a7_PKH_privateKey0X.pem
    key/stm32mp15/a7_PKH_publicKey0X.pem
    key/stm32mp15/a7_PKH_publicKeyHash0X.pem
    where X: 0 to 7
  • Configuration to add in the local.conf file, after the previous configuration:
    SIGN_KEY = "key/stm32mp15/a7_PKH_privateKey00.pem"
    SIGN_KEY_PUB = "key/stm32mp15/a7_PKH_publicKey00.pem"
    SIGN_KEY_PASS = "<passwords of signature key>"

9.2. For STM32MP2 series with A35-TD flavor

Generate a Distribution Package with signed and signed/encrypted configurations for STM32MP21x lines with A35-TD flavor.

STM32MP21x lines

Signature keys

Initial configuration to add in the local.conf file, only before the first declared signature key:

SIGN_HEADER_VERSION = "2.3"
EXTERNAL_KEY_CONF = "1"
SIGN_ENABLE = "1"
SIGN_TOOL = "<path to STM32_SigningTool tools>"

Signature key: OEM-KEY1
  • File to upload on board: key/stm32mp21/a35_OEM-KEY1_publicKeysHashHashes.bin
  • Key files:
    key/stm32mp21/a35_OEM-KEY1_publicKeysHashHashes.bin
    key/stm32mp21/a35_OEM-KEY1_privateKey0X.pem
    key/stm32mp21/a35_OEM-KEY1_publicKey0X.pem
    key/stm32mp21/a35_OEM-KEY1_publicKeyHash0X.pem
    where X: 0 to 7
  • Configuration to add in the local.conf file, after the previous configuration:
    SIGN_KEY = "key/stm32mp21/a35_OEM-KEY1_privateKey00.pem"
    SIGN_KEY_PUB = " \
    key/stm32mp21/a35_OEM-KEY1_publicKey00.pem \
    ... \
    key/stm32mp21/a35_OEM-KEY1_publicKey07.pem \
    "
    SIGN_KEY_PASS = "<passwords of signature key>"

Signature key: RPROC-FW-PKH
  • File to upload on board: key/stm32mp21/m33_RPROC-FW-PKH_ecc_publicKey_der_hash.bin
  • Key files:
    key/stm32mp21/m33_RPROC-FW-PKH_ecc_publicKey_der_hash.bin
    key/stm32mp21/m33_RPROC-FW-PKH_ecc_privateKey.pem
    key/stm32mp21/m33_RPROC-FW-PKH_ecc_publicKey.pem
  • Configuration to add in the local.conf file, after the previous configuration:
    SIGN_COPRO_ECC_INFOKEY = "key/stm32mp21/m33_RPROC-FW-PKH_ecc_publicKey.der"
    SIGN_COPRO_ECC_PRIVKEY = "key/stm32mp21/m33_RPROC-FW-PKH_ecc_privateKey.pem"
    SIGN_COPRO_ECC_PASS = "<password of remote processor signature key>"

Encryption keys

Initial configuration to add in the local.conf file, after the signature keys configuration and only before the first declared encryption key:

ENCRYPT_ENABLE = "1"

Encryption key: EDMK1-128b
  • File to upload on board: key/stm32mp21/a35_EDMK1-128b_key_128bits.bin
  • Key files:
    key/stm32mp21/a35_EDMK1-128b_key_128bits.bin
  • Configuration to add in the local.conf file, after the previous configuration:
    ENCRYPT_FSBL_KEY = "key/stm32mp21/a35_EDMK1-128b_key_128bits.bin"

Encryption key: FIP-EDMK
  • File to upload on board: key/stm32mp21/a35_FIP-EDMK_key_256bits.bin
  • Key files:
    key/stm32mp21/a35_FIP-EDMK_key_256bits.bin
  • Configuration to add in the local.conf file, after the previous configuration:
    ENCRYPT_FIP_KEY = "key/stm32mp21/a35_FIP-EDMK_key_256bits.bin"

Encryption key: RPROC-FW-ENC-KEY
  • File to upload on board: key/stm32mp21/m33_RPROC-FW-ENC-KEY_key_256bits.bin
  • Key files:
    key/stm32mp21/m33_RPROC-FW-ENC-KEY_key_256bits.bin
  • Configuration to add in the local.conf file, after the previous configuration:
    ENCRYPT_COPRO_KEY = "key/stm32mp21/m33_RPROC-FW-ENC-KEY_key_256bits.bin"

Generate a Distribution Package with signed and signed/encrypted configurations for STM32MP23x lines with A35-TD flavor.

STM32MP23x lines

Signature keys

Initial configuration to add in the local.conf file, only before the first declared signature key:

SIGN_HEADER_VERSION = "2.2"
EXTERNAL_KEY_CONF = "1"
SIGN_ENABLE = "1"
SIGN_TOOL = "<path to STM32_SigningTool tools>"

Signature key: OEM-KEY1
  • File to upload on board: key/stm32mp23/a35_OEM-KEY1_publicKeysHashHashes.bin
  • Key files:
    key/stm32mp23/a35_OEM-KEY1_publicKeysHashHashes.bin
    key/stm32mp23/a35_OEM-KEY1_privateKey0X.pem
    key/stm32mp23/a35_OEM-KEY1_publicKey0X.pem
    key/stm32mp23/a35_OEM-KEY1_publicKeyHash0X.pem
    where X: 0 to 7
  • Configuration to add in the local.conf file, after the previous configuration:
    SIGN_KEY = "key/stm32mp23/a35_OEM-KEY1_privateKey00.pem"
    SIGN_KEY_PUB = " \
    key/stm32mp23/a35_OEM-KEY1_publicKey00.pem \
    ... \
    key/stm32mp23/a35_OEM-KEY1_publicKey07.pem \
    "
    SIGN_KEY_PASS = "<passwords of signature key>"

Signature key: RPROC-FW-PKH
  • File to upload on board: key/stm32mp23/m33_RPROC-FW-PKH_ecc_publicKey_der_hash.bin
  • Key files:
    key/stm32mp23/m33_RPROC-FW-PKH_ecc_publicKey_der_hash.bin
    key/stm32mp23/m33_RPROC-FW-PKH_ecc_privateKey.pem
    key/stm32mp23/m33_RPROC-FW-PKH_ecc_publicKey.pem
  • Configuration to add in the local.conf file, after the previous configuration:
    SIGN_COPRO_ECC_INFOKEY = "key/stm32mp23/m33_RPROC-FW-PKH_ecc_publicKey.der"
    SIGN_COPRO_ECC_PRIVKEY = "key/stm32mp23/m33_RPROC-FW-PKH_ecc_privateKey.pem"
    SIGN_COPRO_ECC_PASS = "<password of remote processor signature key>"

Encryption keys

Initial configuration to add in the local.conf file, after the signature keys configuration and only before the first declared encryption key:

ENCRYPT_ENABLE = "1"

Encryption key: EDMK1
  • File to upload on board: key/stm32mp23/a35_EDMK1_key_128bits.bin
  • Key files:
    key/stm32mp23/a35_EDMK1_key_128bits.bin
  • Configuration to add in the local.conf file, after the previous configuration:
    ENCRYPT_FSBL_KEY = "key/stm32mp23/a35_EDMK1_key_128bits.bin"

Encryption key: FIP-EDMK
  • File to upload on board: key/stm32mp23/a35_FIP-EDMK_key_256bits.bin
  • Key files:
    key/stm32mp23/a35_FIP-EDMK_key_256bits.bin
  • Configuration to add in the local.conf file, after the previous configuration:
    ENCRYPT_FIP_KEY = "key/stm32mp23/a35_FIP-EDMK_key_256bits.bin"

Encryption key: RPROC-FW-ENC-KEY
  • File to upload on board: key/stm32mp23/m33_RPROC-FW-ENC-KEY_key_256bits.bin
  • Key files:
    key/stm32mp23/m33_RPROC-FW-ENC-KEY_key_256bits.bin
  • Configuration to add in the local.conf file, after the previous configuration:
    ENCRYPT_COPRO_ENABLE = "1"
    ENCRYPT_COPRO_KEY = "key/stm32mp23/m33_RPROC-FW-ENC-KEY_key_256bits.bin"

Generate a Distribution Package with signed and signed/encrypted configurations for STM32MP25x lines with A35-TD flavor.

STM32MP25x lines

Signature keys

Initial configuration to add in the local.conf file, only before the first declared signature key:

SIGN_HEADER_VERSION = "2.2"
EXTERNAL_KEY_CONF = "1"
SIGN_ENABLE = "1"
SIGN_TOOL = "<path to STM32_SigningTool tools>"

Signature key: OEM-KEY1
  • File to upload on board: key/stm32mp25/a35_OEM-KEY1_publicKeysHashHashes.bin
  • Key files:
    key/stm32mp25/a35_OEM-KEY1_publicKeysHashHashes.bin
    key/stm32mp25/a35_OEM-KEY1_privateKey0X.pem
    key/stm32mp25/a35_OEM-KEY1_publicKey0X.pem
    key/stm32mp25/a35_OEM-KEY1_publicKeyHash0X.pem
    where X: 0 to 7
  • Configuration to add in the local.conf file, after the previous configuration:
    SIGN_KEY = "key/stm32mp25/a35_OEM-KEY1_privateKey00.pem"
    SIGN_KEY_PUB = " \
    key/stm32mp25/a35_OEM-KEY1_publicKey00.pem \
    ... \
    key/stm32mp25/a35_OEM-KEY1_publicKey07.pem \
    "
    SIGN_KEY_PASS = "<passwords of signature key>"

Signature key: RPROC-FW-PKH
  • File to upload on board: key/stm32mp25/m33_RPROC-FW-PKH_ecc_publicKey_der_hash.bin
  • Key files:
    key/stm32mp25/m33_RPROC-FW-PKH_ecc_publicKey_der_hash.bin
    key/stm32mp25/m33_RPROC-FW-PKH_ecc_privateKey.pem
    key/stm32mp25/m33_RPROC-FW-PKH_ecc_publicKey.pem
  • Configuration to add in the local.conf file, after the previous configuration:
    SIGN_COPRO_ECC_INFOKEY = "key/stm32mp25/m33_RPROC-FW-PKH_ecc_publicKey.der"
    SIGN_COPRO_ECC_PRIVKEY = "key/stm32mp25/m33_RPROC-FW-PKH_ecc_privateKey.pem"
    SIGN_COPRO_ECC_PASS = "<password of remote processor signature key>"

Encryption keys

Initial configuration to add in the local.conf file, after the signature keys configuration and only before the first declared encryption key:

ENCRYPT_ENABLE = "1"

Encryption key: EDMK1
  • File to upload on board: key/stm32mp25/a35_EDMK1_key_128bits.bin
  • Key files:
    key/stm32mp25/a35_EDMK1_key_128bits.bin
  • Configuration to add in the local.conf file, after the previous configuration:
    ENCRYPT_FSBL_KEY = "key/stm32mp25/a35_EDMK1_key_128bits.bin"

Encryption key: FIP-EDMK
  • File to upload on board: key/stm32mp25/a35_FIP-EDMK_key_256bits.bin
  • Key files:
    key/stm32mp25/a35_FIP-EDMK_key_256bits.bin
  • Configuration to add in the local.conf file, after the previous configuration:
    ENCRYPT_FIP_KEY = "key/stm32mp25/a35_FIP-EDMK_key_256bits.bin"

Encryption key: RPROC-FW-ENC-KEY
  • File to upload on board: key/stm32mp25/m33_RPROC-FW-ENC-KEY_key_256bits.bin
  • Key files:
    key/stm32mp25/m33_RPROC-FW-ENC-KEY_key_256bits.bin
  • Configuration to add in the local.conf file, after the previous configuration:
    ENCRYPT_COPRO_ENABLE = "1"
    ENCRYPT_COPRO_KEY = "key/stm32mp25/m33_RPROC-FW-ENC-KEY_key_256bits.bin"

9.3. For STM32MP2 series with M33-TD flavor

Generate a Distribution Package with signed or signed/encrypted configurations for STM32MP21x lines with M33-TD flavor.

STM32MP21x lines

Signature keys

Initial configuration to add in the local.conf file, only before the first declared signature key:

SIGN_HEADER_VERSION = "2.3"
EXTERNAL_KEY_CONF = "1"
SIGN_ENABLE = "1"
SIGN_TOOL = "<path to STM32_SigningTool tools>"

Signature key: OEM-KEY1
  • File to upload on board: key/stm32mp21/a35_OEM-KEY1_publicKeysHashHashes.bin
  • Key files:
    key/stm32mp21/a35_OEM-KEY1_publicKeysHashHashes.bin
    key/stm32mp21/a35_OEM-KEY1_privateKey0X.pem
    key/stm32mp21/a35_OEM-KEY1_publicKey0X.pem
    key/stm32mp21/a35_OEM-KEY1_publicKeyHash0X.pem
    where X: 0 to 7
  • Configuration to add in the local.conf file, after the previous configuration:
    SIGN_KEY = "key/stm32mp21/a35_OEM-KEY1_privateKey00.pem"
    SIGN_KEY_PUB = " \
    key/stm32mp21/a35_OEM-KEY1_publicKey00.pem \
    ... \
    key/stm32mp21/a35_OEM-KEY1_publicKey07.pem \
    "
    SIGN_KEY_PASS = "<passwords of signature key>"

Signature key: FSBLM-DDR-FW-PKH
  • File to upload on board: key/stm32mp21/m33_FSBLM-DDR-FW-PKH_hash.bin
  • Key files:
    key/stm32mp21/m33_FSBLM-DDR-FW-PKH_hash.bin
    key/stm32mp21/m33_FSBLM-DDR-FW-PKH_privateKey.pem
    key/stm32mp21/m33_FSBLM-DDR-FW-PKH_publicKey.pem
    key/stm32mp21/m33_FSBLM-DDR-FW-PKH_publicKey.der
  • Configuration to add in the local.conf file, after the previous configuration:
    SIGN_M33DDR_KEY = "key/stm32mp21/m33_FSBLM-DDR-FW-PKH_privateKey.pem"
    SIGN_M33DDR_KEY_PASS = "<password of FSBLM M33 DDR key>"

Signature key: FSBLM-M33-FW-PKH
  • File to upload on board: key/stm32mp21/m33_FSBLM-M33-FW-PKH_hash.bin
  • Key files:
    key/stm32mp21/m33_FSBLM-M33-FW-PKH_hash.bin
    key/stm32mp21/m33_FSBLM-M33-FW-PKH_privateKey.pem
    key/stm32mp21/m33_FSBLM-M33-FW-PKH_publicKey.pem
    key/stm32mp21/m33_FSBLM-M33-FW-PKH_publicKey.der
  • Configuration to add in the local.conf file, after the previous configuration:
    SIGN_M33FW_KEY = "key/stm32mp21/m33_FSBLM-M33-FW-PKH_privateKey.pem"
    SIGN_M33FW_KEY_PASS = "<password of FSBLM M33 FW key>"

Encryption keys

Initial configuration to add in the local.conf file, after the signature keys configuration and only before the first declared encryption key:

ENCRYPT_ENABLE = "1"

Encryption key: EDMK1-128b
  • File to upload on board: key/stm32mp21/a35_EDMK1-128b_key_128bits.bin
  • Key files:
    key/stm32mp21/a35_EDMK1-128b_key_128bits.bin
  • Configuration to add in the local.conf file, after the previous configuration:
    ENCRYPT_FSBL_KEY = "key/stm32mp21/a35_EDMK1-128b_key_128bits.bin"

Encryption key: FIP-EDMK
  • File to upload on board: key/stm32mp21/a35_FIP-EDMK_key_256bits.bin
  • Key files:
    key/stm32mp21/a35_FIP-EDMK_key_256bits.bin
  • Configuration to add in the local.conf file, after the previous configuration:
    ENCRYPT_FIP_KEY = "key/stm32mp21/a35_FIP-EDMK_key_256bits.bin"

Generate a Distribution Package with signed or signed/encrypted configurations for STM32MP23x lines with M33-TD flavor.

STM32MP23x lines

Signature keys

Initial configuration to add in the local.conf file, only before the first declared signature key:

SIGN_HEADER_VERSION = "2.2"
EXTERNAL_KEY_CONF = "1"
SIGN_ENABLE = "1"
SIGN_TOOL = "<path to STM32_SigningTool tools>"

Signature key: OEM-KEY1
  • File to upload on board: key/stm32mp23/a35_OEM-KEY1_publicKeysHashHashes.bin
  • Key files:
    key/stm32mp23/a35_OEM-KEY1_publicKeysHashHashes.bin
    key/stm32mp23/a35_OEM-KEY1_privateKey0X.pem
    key/stm32mp23/a35_OEM-KEY1_publicKey0X.pem
    key/stm32mp23/a35_OEM-KEY1_publicKeyHash0X.pem
    where X: 0 to 7
  • Configuration to add in the local.conf file, after the previous configuration:
    SIGN_KEY = "key/stm32mp23/a35_OEM-KEY1_privateKey00.pem"
    SIGN_KEY_PUB = " \
    key/stm32mp23/a35_OEM-KEY1_publicKey00.pem \
    ... \
    key/stm32mp23/a35_OEM-KEY1_publicKey07.pem \
    "
    SIGN_KEY_PASS = "<passwords of signature key>"

Signature key: FSBLM-DDR-FW-PKH
  • File to upload on board: key/stm32mp23/m33_FSBLM-DDR-FW-PKH_hash.bin
  • Key files:
    key/stm32mp23/m33_FSBLM-DDR-FW-PKH_hash.bin
    key/stm32mp23/m33_FSBLM-DDR-FW-PKH_privateKey.pem
    key/stm32mp23/m33_FSBLM-DDR-FW-PKH_publicKey.pem
    key/stm32mp23/m33_FSBLM-DDR-FW-PKH_publicKey.der
  • Configuration to add in the local.conf file, after the previous configuration:
    SIGN_M33DDR_KEY = "key/stm32mp23/m33_FSBLM-DDR-FW-PKH_privateKey.pem"
    SIGN_M33DDR_KEY_PASS = "<password of FSBLM M33 DDR key>"

Signature key: FSBLM-M33-FW-PKH
  • File to upload on board: key/stm32mp23/m33_FSBLM-M33-FW-PKH_hash.bin
  • Key files:
    key/stm32mp23/m33_FSBLM-M33-FW-PKH_hash.bin
    key/stm32mp23/m33_FSBLM-M33-FW-PKH_privateKey.pem
    key/stm32mp23/m33_FSBLM-M33-FW-PKH_publicKey.pem
    key/stm32mp23/m33_FSBLM-M33-FW-PKH_publicKey.der
  • Configuration to add in the local.conf file, after the previous configuration:
    SIGN_M33FW_KEY = "key/stm32mp23/m33_FSBLM-M33-FW-PKH_privateKey.pem"
    SIGN_M33FW_KEY_PASS = "<password of FSBLM M33 FW key>"

Encryption keys

Initial configuration to add in the local.conf file, after the signature keys configuration and only before the first declared encryption key:

ENCRYPT_ENABLE = "1"

Encryption key: EDMK1
  • File to upload on board: key/stm32mp23/a35_EDMK1_key_128bits.bin
  • Key files:
    key/stm32mp23/a35_EDMK1_key_128bits.bin
  • Configuration to add in the local.conf file, after the previous configuration:
    ENCRYPT_FSBL_KEY = "key/stm32mp23/a35_EDMK1_key_128bits.bin"

Encryption key: FIP-EDMK
  • File to upload on board: key/stm32mp23/a35_FIP-EDMK_key_256bits.bin
  • Key files:
    key/stm32mp23/a35_FIP-EDMK_key_256bits.bin
  • Configuration to add in the local.conf file, after the previous configuration:
    ENCRYPT_FIP_KEY = "key/stm32mp23/a35_FIP-EDMK_key_256bits.bin"

Generate a Distribution Package with signed or signed/encrypted configurations for STM32MP25x lines with M33-TD flavor.

STM32MP25x lines

Signature keys

Signature keys initial configuration to add in local.conf file, and only before the first declared signature key:

SIGN_HEADER_VERSION = "2.2"

EXTERNAL_KEY_CONF = "1"
SIGN_ENABLE = "1"

SIGN_TOOL = "<path to STM32_SigningTool tools>"

Signature key: OEM-KEY1
  File to upload on the board: key/stm32mp25/a35_OEM-KEY1_publicKeysHashHashes.bin
  Key files:
    key/stm32mp25/a35_OEM-KEY1_publicKeysHashHashes.bin
    key/stm32mp25/a35_OEM-KEY1_privateKey0X.pem
    key/stm32mp25/a35_OEM-KEY1_publicKey0X.pem
    key/stm32mp25/a35_OEM-KEY1_publicKeyHash0X.pem
    where X: 0 to 7
  Configuration to add in local.conf file, after the previous configuration:
    SIGN_KEY = "key/stm32mp25/a35_OEM-KEY1_privateKey00.pem"
    SIGN_KEY_PUB = " \
    key/stm32mp25/a35_OEM-KEY1_publicKey00.pem \
    ... \
    key/stm32mp25/a35_OEM-KEY1_publicKey07.pem \
    "
    SIGN_KEY_PASS = "<passwords of signature key>"

Signature key: FSBLM-DDR-FW-PKH
  File to upload on the board: key/stm32mp25/m33_FSBLM-DDR-FW-PKH_hash.bin
  Key files:
    key/stm32mp25/m33_FSBLM-DDR-FW-PKH_hash.bin
    key/stm32mp25/m33_FSBLM-DDR-FW-PKH_privateKey.pem
    key/stm32mp25/m33_FSBLM-DDR-FW-PKH_publicKey.pem
    key/stm32mp25/m33_FSBLM-DDR-FW-PKH_publicKey.der
  Configuration to add in local.conf file, after the previous configuration:
    SIGN_M33DDR_KEY = "key/stm32mp25/m33_FSBLM-DDR-FW-PKH_privateKey.pem"
    SIGN_M33DDR_KEY_PASS = "<password of FSBLM M33 DDR key>"

Signature key: FSBLM-M33-FW-PKH
  File to upload on the board: key/stm32mp25/m33_FSBLM-M33-FW-PKH_hash.bin
  Key files:
    key/stm32mp25/m33_FSBLM-M33-FW-PKH_hash.bin
    key/stm32mp25/m33_FSBLM-M33-FW-PKH_privateKey.pem
    key/stm32mp25/m33_FSBLM-M33-FW-PKH_publicKey.pem
    key/stm32mp25/m33_FSBLM-M33-FW-PKH_publicKey.der
  Configuration to add in local.conf file, after the previous configuration:
    SIGN_M33FW_KEY = "key/stm32mp25/m33_FSBLM-M33-FW-PKH_privateKey.pem"
    SIGN_M33FW_KEY_PASS = "<password of FSBLM M33 FW key>"

Encryption keys

Encryption keys initial configuration to add in local.conf file, after the configuration previously added for the signature keys, and only before the first declared encryption key:

ENCRYPT_ENABLE = "1"

Encryption key: EDMK1
  File to upload on the board: key/stm32mp25/a35_EDMK1_key_128bits.bin
  Key files: key/stm32mp25/a35_EDMK1_key_128bits.bin
  Configuration to add in local.conf file, after the previous configuration:
    ENCRYPT_FSBL_KEY = "key/stm32mp25/a35_EDMK1_key_128bits.bin"

Encryption key: FIP-EDMK
  File to upload on the board: key/stm32mp25/a35_FIP-EDMK_key_256bits.bin
  Key files: key/stm32mp25/a35_FIP-EDMK_key_256bits.bin
  Configuration to add in local.conf file, after the previous configuration:
    ENCRYPT_FIP_KEY = "key/stm32mp25/a35_FIP-EDMK_key_256bits.bin"
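The local.conf settings listed above for the STM32MP23x and STM32MP25x lines reference private signing keys, symmetric encryption keys and their passwords by path, and a mistake there (a wrong path, a password placeholder left in place, or a key file readable by every user of the build host) is only noticed late in the build, if at all. The script below is an added example and is not code from the STM32 wiki or the OpenSTLinux project: it parses the BitBake-style assignments, including the backslash-continued SIGN_KEY_PUB list, and checks that SIGN_ENABLE and ENCRYPT_ENABLE are set, that every referenced key file exists under the build's key directory, that SIGN_KEY_PUB lists the eight public keys (publicKey00 to publicKey07) shown above, that no password is still a <placeholder>, and that private and symmetric key files are not world-readable. The function names (conf_value, not_world_readable, check_key_conf, make_sample_tree), the sample values "/path/to/STM32_SigningTool" and "example-passphrase", and the throw-away key tree with dummy file contents are all constructed for this example.

```shell
#!/bin/sh
# Added example (not from the STM32 wiki or the OpenSTLinux project):
# pre-build sanity check of the signing/encryption settings in local.conf.
# Function names, checks and the sample key tree are constructed here.

# Print the value of VAR from a BitBake-style conf file, joining
# backslash-continued lines so that multi-line values like SIGN_KEY_PUB work.
conf_value() {
    awk -v var="$2" '
        { buf = buf $0 }
        /\\$/ { sub(/\\$/, " ", buf); next }    # value continues on next line
        {
            if (match(buf, "^[ \t]*" var "[ \t]*=[ \t]*\"")) {
                val = substr(buf, RLENGTH + 1)
                sub(/"[ \t]*$/, "", val)
                print val
                exit
            }
            buf = ""
        }' "$1"
}

# Succeed only when "other" users have no read permission on the file.
not_world_readable() {
    [ "$(ls -ld "$1" | cut -c8)" != "r" ]
}

# Check one local.conf against the directory holding the key/ tree.
# Prints every problem found; returns 0 only when there is none.
check_key_conf() {
    conf="$1"; keydir="$2"; rc=0
    for flag in SIGN_ENABLE ENCRYPT_ENABLE; do
        [ "$(conf_value "$conf" "$flag")" = "1" ] || { echo "$flag is not \"1\""; rc=1; }
    done
    # secrets: private signing keys and symmetric encryption keys
    for var in SIGN_KEY SIGN_M33DDR_KEY SIGN_M33FW_KEY ENCRYPT_FSBL_KEY ENCRYPT_FIP_KEY; do
        f=$(conf_value "$conf" "$var")
        if [ -z "$f" ]; then echo "$var is not set"; rc=1; continue; fi
        if [ ! -f "$keydir/$f" ]; then echo "$var: $f missing under $keydir"; rc=1; continue; fi
        not_world_readable "$keydir/$f" || { echo "$var: $f is world-readable"; rc=1; }
    done
    # passwords must have replaced the <placeholders> from the documentation
    for var in SIGN_KEY_PASS SIGN_M33DDR_KEY_PASS SIGN_M33FW_KEY_PASS; do
        case "$(conf_value "$conf" "$var")" in
            ""|\<*\>) echo "$var is empty or still a placeholder"; rc=1 ;;
        esac
    done
    # the OEM public-key list: all eight files (publicKey00 .. publicKey07) present
    n=0
    for p in $(conf_value "$conf" SIGN_KEY_PUB); do
        n=$((n + 1))
        [ -f "$keydir/$p" ] || { echo "SIGN_KEY_PUB: $p missing"; rc=1; }
    done
    [ "$n" -eq 8 ] || { echo "SIGN_KEY_PUB lists $n public keys, expected 8"; rc=1; }
    return "$rc"
}

# Create a throw-away key tree plus local.conf following the STM32MP25x
# layout (dummy file contents, not real keys) and print its root directory.
make_sample_tree() {
    root=$(mktemp -d)
    d="$root/key/stm32mp25"
    mkdir -p "$d"
    for i in 0 1 2 3 4 5 6 7; do echo dummy > "$d/a35_OEM-KEY1_publicKey0$i.pem"; done
    for f in a35_OEM-KEY1_privateKey00.pem m33_FSBLM-DDR-FW-PKH_privateKey.pem \
             m33_FSBLM-M33-FW-PKH_privateKey.pem a35_EDMK1_key_128bits.bin \
             a35_FIP-EDMK_key_256bits.bin; do
        echo dummy > "$d/$f"
        chmod 600 "$d/$f"           # secrets: owner read/write only
    done
    {
        cat <<'EOF'
SIGN_HEADER_VERSION = "2.2"
EXTERNAL_KEY_CONF = "1"
SIGN_ENABLE = "1"
SIGN_TOOL = "/path/to/STM32_SigningTool"
SIGN_KEY = "key/stm32mp25/a35_OEM-KEY1_privateKey00.pem"
SIGN_KEY_PUB = " \
EOF
        for i in 0 1 2 3 4 5 6 7; do printf '%s \\\n' "key/stm32mp25/a35_OEM-KEY1_publicKey0$i.pem"; done
        cat <<'EOF'
"
SIGN_KEY_PASS = "example-passphrase"
SIGN_M33DDR_KEY = "key/stm32mp25/m33_FSBLM-DDR-FW-PKH_privateKey.pem"
SIGN_M33DDR_KEY_PASS = "example-passphrase"
SIGN_M33FW_KEY = "key/stm32mp25/m33_FSBLM-M33-FW-PKH_privateKey.pem"
SIGN_M33FW_KEY_PASS = "example-passphrase"
ENCRYPT_ENABLE = "1"
ENCRYPT_FSBL_KEY = "key/stm32mp25/a35_EDMK1_key_128bits.bin"
ENCRYPT_FIP_KEY = "key/stm32mp25/a35_FIP-EDMK_key_256bits.bin"
EOF
    } > "$root/local.conf"
    echo "$root"
}
```

Run it against a real build with `check_key_conf conf/local.conf <build directory>` from the directory that contains the key/ tree before launching bitbake; for the STM32MP23x layout only the key/stm32mp23 paths differ. The world-readable test is deliberately limited to the private and symmetric key files, since the public keys and hash files are meant to be distributed.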

10. References[edit | edit source]