Hello Zoey,
this is important question indeed as SBSFU embedded the keys used to authenticate current firmware and decrypt the updates.
The usual way to perform secure firmware programming during factory is to use dedicated tools like flasher secure provided by Segger.
Principle is to flash the chip in a kind of secure box connected to a secure server through ethernet. The firmware is then transmitted through a secure channel to the secure box.
ST also provides the SFI solution (Secure Firmware Install). This solution is today only applicable to STM32H753 and STM32L465CEU6F (Specific part number for L4)
It will also be available in the coming STM32L5. You can find documentation about this on st.com.
The necessary tools to be able to use SFI are STM32CubeProgrammer, a PC with a smartcard interface, a Smartcard format HSM (Hardware Security Module) sold by ST, and a STLink or USB to communicate with the chip to program.
With SFI, you provide only an encrypted firmware to the manufacturer and the decryption is done inside the chip itself.
The decryption key is encrypted in the HSM with the public key of the chip transmitted to chip through the the STM32CubeProgrammer and decrypted in the chip thanks to its private key.
Best regards
Jocelyn
