
Why is the SBSFU code size not reduced by selecting the AES-GCM symmetric cryptographic scheme?

EEdwa.1
Associate II

Hi,

According to the document "AN5056-Integration guide for the X-CUBE-SBSFU STM32Cube Expansion Package", Table 3. SBSFU code size reduction,

in project "NUCLEO-G071RB", I built "1_Image_SECoreBin" after modifying SECBOOT_CRYPTO_SCHEME from "SECBOOT_ECCDSA_WITH_AES128_CBC_SHA256" to "SECBOOT_AES128_GCM_AES128_GCM_AES128_GCM", and found that the "SECoreBin.bin" size was reduced by about 9 Kbytes.

But when I clean and build "1_Image_SBSFU", the "SBSFU.bin" size does not change.

Why is the "SBSFU.bin" size not reduced?

Thanks.

1 ACCEPTED SOLUTION
Jocelyn RICARD
ST Employee

Hello,

The reason is that the size reduction is visible in the secure engine (SECoreBin).

This binary is inserted in the SBSFU.

To obtain the reduction of the SBSFU you need to update the mapping file located in Linker_Common, that is mapping_sbsfu.* (extension depending on the IDE you use).

In this file you will need to reduce the size used by the secure engine.

In the case of the GCC ld file, for instance, you need to reduce the value of __ICFEDIT_SE_Code_region_ROM_end__

You can take the STM32G031 mapping as an example, as it is actually using symmetric crypto.

Best regards

Jocelyn

Thank you for the information.

I have reduced the value of __ICFEDIT_SE_Code_region_ROM_end__ and rebuilt.

The "SBSFU.bin" size is also reduced.

But after loading the "SBSFU.bin" onto the board, the USART prints the message below repeatedly:

= [SBOOT] System Security Check successfully passed. Starting...

======================================================================

=       (C) COPYRIGHT 2017 STMicroelectronics         =

=                                  =

=       Secure Boot and Secure Firmware Update        =

======================================================================

Should I also reduce the values of __ICFEDIT_SB_region_ROM_end__ and __ICFEDIT_region_SLOT_0_start__ in mapping_fwimg.ld?

I have tried to reduce the values of __ICFEDIT_SB_region_ROM_end__ and __ICFEDIT_region_SLOT_0_start__ in mapping_fwimg.ld.

But after loading the "SBSFU.bin" onto the board, the USART still prints the message infinitely.

Could you give me some suggestions?

Thanks.

Hello,

When changing the mapping you also need to adapt the MPU configuration to adapt the regions.

The MPU setup has some constraints. Basically you have to create regions that are a power of 2 in size, and can be divided into 8 subregions.

Also, if you reduce the SECoreBin size, it impacts the secure memory setting.

In order to progress, I would suggest deactivating all protections so that you can go step by step.

Best regards

Jocelyn
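
The MPU constraint mentioned in the reply above, as an added example that is not part of the thread and is not ST's SBSFU code: a C helper that checks whether an address range from a mapping file can be covered exactly by one power-of-two MPU region with 8 subregions, and computes the subregion disable mask. It assumes the Arm Cortex-M MPU rules (region base aligned to region size, 256 bytes minimum for subregions); `mpu_fit`, `mpu_fit_t` and all addresses are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* One MPU region: power-of-two size, base aligned to size, 8 subregions. */
typedef struct {
    uint32_t base;  /* region base address */
    uint32_t size;  /* region size in bytes */
    uint8_t  srd;   /* subregion disable mask, bit i set = subregion i off */
} mpu_fit_t;

/* Fit [start, end] (end inclusive, like the *_end__ linker symbols) into the
 * smallest single region whose enabled subregions cover it exactly.
 * Returns 0 on success, -1 if no such region exists (up to 2 GB). */
int mpu_fit(uint32_t start, uint32_t end, mpu_fit_t *out)
{
    if (out == NULL || end < start)
        return -1;
    uint64_t len = (uint64_t)end - start + 1;

    /* 256 bytes is the smallest region that supports subregions. */
    for (uint64_t size = 256; size <= 0x80000000ull; size <<= 1) {
        uint64_t sub  = size / 8;
        uint64_t base = start & ~(size - 1);
        if (len > size || (uint64_t)end >= base + size)
            continue;               /* too small, or range straddles it */
        if ((start - base) % sub != 0 || len % sub != 0)
            continue;               /* edges not on subregion boundaries */
        unsigned first = (unsigned)((start - base) / sub);
        unsigned count = (unsigned)(len / sub);
        uint8_t enabled = (uint8_t)(((1u << count) - 1u) << first);
        out->base = (uint32_t)base;
        out->size = (uint32_t)size;
        out->srd  = (uint8_t)~enabled;
        return 0;
    }
    return -1;
}

int main(void)
{
    mpu_fit_t r;  /* constructed addresses, not taken from any mapping file */
    if (mpu_fit(0x08000800u, 0x08002FFFu, &r) == 0)
        printf("base=0x%08lx size=%lu SRD=0x%02x\n",
               (unsigned long)r.base, (unsigned long)r.size, r.srd);
    return 0;
}
```

A return value of -1 means the new end address does not fall on a subregion boundary, so the linker symbol has to move to the next boundary before the MPU region can match it.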

Hi Jocelyn,

Thank you for all your assistance.

I will try to deactivate all protections.

I have #define SECBOOT_DISABLE_SECURITY_IPS in app_sfu.h.

How do I modify the option bytes to disable protection from STM32CubeProgrammer?

Thanks.