1. Article purpose
This article describes the procedure for flashing Android cryptographic keys into OTP memory with the U-Boot stm32key tool.
The OSTL stm32key tool has been updated for Android in order to flash the "RPMB key" and the "Trusty Device Master key". The tool is embedded in the U-Boot programmer firmware.
2. Prerequisites
STM32CubeProgrammer must be installed.
The keys "Trusty device master key" and "RPMB authentication key" have been created and stored in the default folder <your android folder>/device/stm/stm32mp2/security/keys.
3. Flash the U-Boot programmer firmware
STM32_Programmer_CLI -c port=usb1 -w <your android folder>/device/stm/stm32mp2/layout/programmer/FlashLayout_emmc_cm33tdcid_rpmb.tsv
4. Fuse the OTPs
It is recommended to use the serial console on the Arm®-Cortex®-A35 to check command execution (see the How to open several serial consoles page for more information). Then enter the U-Boot shell by pressing a key on your host keyboard as soon as prompted.
In the U-Boot shell, execute the command:
fastboot usb 0
4.1. The Trusty Device Master key
Select the key slot to be fused (Trusty device master key):
fastboot oem run:'stm32key select TRUSTY-DV-MK'
Load the key on the device (default address: 0x84000000):
fastboot stage <your android folder>/device/stm/stm32mp2/security/keys/your_trusty_dv_k.bin
Verify the key value before fusing by comparing the output of the two commands:
fastboot oem run:'stm32key read 0x84000000'
hexdump -C <your android folder>/device/stm/stm32mp2/security/keys/your_trusty_dv_k.bin
Start fusing (not reversible):
fastboot oem run:'stm32key fuse 0x84000000'
4.2. The RPMB authentication key
Regarding the RPMB authentication key, the key flashed in OTP must be identical to the one flashed in the eMMC key slot.
You can use the rpmb_provision script, which allows you to flash the OTP and the eMMC key slot simultaneously.
rpmb_provision
If the eMMC is already fused with a key, you can execute the following commands to flash the OTP:
Select the key slot to be fused (RPMB):
fastboot oem run:'stm32key select RPMB-KEY'
Load the key on the device (default address: 0x84000000):
fastboot stage <your android folder>/device/stm/stm32mp2/security/keys/your_rpmbkey.bin
Verify the key value before fusing by comparing the output of the two commands:
fastboot oem run:'stm32key read 0x84000000'
hexdump -C <your android folder>/device/stm/stm32mp2/security/keys/your_rpmbkey.bin
Start fusing (not reversible):
fastboot oem run:'stm32key fuse 0x84000000'
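Because the fuse step in sections 4.1 and 4.2 is irreversible, it is worth gating it behind a sanity check of the key file and a readback comparison. The script below is an added example written for this page; it is not part of the original article or of the ST tooling. It wraps the same fastboot/stm32key command sequence shown above in a function, checks the key file length and content first, prints the device readback next to the local hexdump for manual comparison, and only runs the fuse when CONFIRM_FUSE=yes is set. The function names, the CONFIRM_FUSE variable and the expected key lengths passed by the caller are assumptions; the 32-byte RPMB key length comes from the eMMC specification, while the Trusty device master key length is left to the caller.

```shell
#!/bin/sh
# Added example (not from the original page): pre-fuse checks around the
# stm32key select / stage / read / fuse sequence described in section 4.
set -u

# RPMB authentication keys are 32 bytes (HMAC-SHA256 key, eMMC spec).
RPMB_KEY_LEN=32

# check_key_file FILE EXPECTED_LEN
# Returns 0 when FILE exists, is exactly EXPECTED_LEN bytes long and is not
# an all-0x00 or all-0xFF pattern (a blank image, not real key material).
check_key_file() {
    file=$1
    expected=$2
    [ -f "$file" ] || { echo "missing key file: $file" >&2; return 1; }
    size=$(wc -c < "$file" | tr -d ' ')
    if [ "$size" -ne "$expected" ]; then
        echo "bad size $size (expected $expected): $file" >&2
        return 1
    fi
    # Canonical lowercase hex of the file, no offsets or spacing.
    hex=$(od -An -v -tx1 "$file" | tr -d ' \n')
    case "$hex" in
        *[!0]*) ;;   # contains something other than '0': not all zero
        *) echo "key file is all 0x00: $file" >&2; return 1 ;;
    esac
    case "$hex" in
        *[!f]*) ;;   # contains something other than 'f': not all 0xFF
        *) echo "key file is all 0xFF: $file" >&2; return 1 ;;
    esac
    return 0
}

# fuse_key SLOT KEYFILE EXPECTED_LEN [ADDR]
# SLOT is TRUSTY-DV-MK or RPMB-KEY as in the page; ADDR defaults to the
# load address used above. Stops before the irreversible fuse unless
# CONFIRM_FUSE=yes (assumed environment variable) is set.
fuse_key() {
    slot=$1
    file=$2
    len=$3
    addr=${4:-0x84000000}
    check_key_file "$file" "$len" || return 1
    fastboot oem run:"stm32key select $slot" || return 1
    fastboot stage "$file" || return 1
    echo "--- device readback (stm32key read) ---"
    fastboot oem run:"stm32key read $addr" || return 1
    echo "--- local key file (hexdump -C) ---"
    hexdump -C "$file"
    if [ "${CONFIRM_FUSE:-no}" != "yes" ]; then
        echo "compare the two dumps; re-run with CONFIRM_FUSE=yes to fuse (not reversible)" >&2
        return 2
    fi
    fastboot oem run:"stm32key fuse $addr"
}

# Example invocation for the RPMB key (path is the page's placeholder):
# fuse_key RPMB-KEY "<your android folder>/device/stm/stm32mp2/security/keys/your_rpmbkey.bin" "$RPMB_KEY_LEN"
```

The first run prints both dumps and exits with status 2 without touching the OTP; once the readback matches the local file, the same command with CONFIRM_FUSE=yes performs the fuse. Keep using the serial console on the Cortex-A35 alongside this script, as the page recommends, to see the U-Boot side of each command.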