create simple non secure only project for STM32N6570-DK on CubeMX

ramkumarkoppu · ‎2025-03-28

How to create simple non secure only project for STM32N6570-DK on CubeMX to use on board peripherals. by default it creates project with the FBL, secure, non-secure for this device.

ramkumarkoppu · ‎2025-04-02

Understood...this is your SoC boot flow is architectured, I will have to modify my development flow as per this then, thank you.

View solution in original post

RomainR. · ‎2025-03-29

Hi @ramkumarkoppu

The STM32N6 is always in secure mode after reset and this is due to internal BootROM.
In your application, you have to choose a context run-time execution which always include a FSBL and LRUN contexts. All binaries FSBL and secure or non secure application must be signed to be correctly executed by the BootROM. Then, each contexts can be copied by BootROM from external memory, SDMMC or eMMC into SRAM, or can be executed direclty in these all external memories.

The application in LRUN context is always start in secure application which in charge of configure the peripheral, GPIO, memory of N6 to be allowed in non-secure application (refer to Isolation LRUN example)

Refer to following resources.

UM3249 in section 5.1.4 Running the Isolation_LRUN (Load&Run) template project and 5.3 Developing a custom application.
This excellent Knowledge Article: https://community.st.com/t5/stm32-mcus/stm32n6-boot-rom-explained/ta-p/763648
UM3234 How to proceed with boot ROM on STM32N6 MCUs.

Let me know if it helps?
Best regards,

Romain,

To give better visibility on the answered topics, please click on Accept as Solution on the reply which solved your issue or answered your question.

ramkumarkoppu · ‎2025-03-29

Hi @RomainR., Thanks for the info. What I am trying to do achieve is to put the STM32N6570-DK in the DEV mode with secure boot disabled so that BootROM can run the non secure application binary directly from QSPI flash available on this board if it is capable of XIP. For the initial development I would like to use minimal and simple setup as possible. My board is shipped with this BOOT configuration

So, can you guide me if my development setup as described above is possible with this board and CubeMX, if it is yes, how to do it please?

Note: I was using another vendor Cortex-M33 based hardware where this setup was possible to run the non secure app from the QSPI flash with XIP in the DEV and non secure mode.

ramkumarkoppu · ‎2025-04-02

Hi,

Is there any update on this issue please?

RomainR. · ‎2025-04-02

Hello @ramkumarkoppu

As explained in my previous comment, you will not be able to execute a non-secure binary from the BootROM.

At the STM32N6 Life-Cycle level, all shipped STM32N6 are in a Closed-Unlocked state.

Look at the following KB: In section 4. Supported life cycle:
https://community.st.com/t5/stm32-mcus/stm32n6-boot-rom-explained/ta-p/763648

Moreover, the OTP18 fuse is by default already secure_boot=0. So In Dev_BOOT or in Flash Boot (XiP) your execution context will systematically be:

BootROM jumps into a signed FSBL binary (which will always be secure)
Secure FSBL jumps into a signed secure application that will configure the RIF to authorize peripherals in non-secure mode.
The secure application jumps into the non-secure binary that uses the previously authorized peripherals.

There is another example in STM32Cube_FW_N6_V1.1.0\Projects\NUCLEO-N657X0-Q\Examples\RIF\RIF_Peripheral
This time the FSBL (Secure) directly configures the RIF and jumps into a non-secure application (here the RIF authorizes the SPI)

BR

Romain,

To give better visibility on the answered topics, please click on Accept as Solution on the reply which solved your issue or answered your question.

ramkumarkoppu · ‎2025-04-02

Understood...this is your SoC boot flow is architectured, I will have to modify my development flow as per this then, thank you.