FAQs
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

My objective is secure boot.

jk.1
Associate II

‎2023-03-07 03:06 AM

I want to secure my code. I enabled tzen. Now i able to boot from RSS and i able to set RDP level 1 and i did regression successfully to RDP level 0. This is enough for secure boot?. I am new to embedded so, if i am wrong correct me

0 Kudos
3 REPLIES 3
HREMA.1
Associate II

‎2023-03-07 05:44 AM

Hello @jk.1​   and welcome to ST Community

Regardless of the target you are working with, you can try our out of the box solution from the cube SBSFU(secure boot secure firmware update ) package.

Also, have a look at TFM lab experiment SBSFU .

hope you find this helpful! 

Hichem

0 Kudos
jk.1
Associate II
In response to HREMA.1

‎2023-03-07 08:24 AM

I am deal with stm32L562ve. I can understand how secure boot works and SFI process but struggling in implementation. I can boot from RSS and set RPD Level 1 and regression to level 0 possible
RSS provides run times services am I right?..
( private key, public key, hash value in meta data to digest) . How to generate these key and where it is located?.....
0 Kudos
HREMA.1
Associate II

‎2023-03-09 03:17 AM

hello again @jk.1​ 

indeed RSS provides runtime services and it is immutable .

for more information about this topic and the SFI and secure boot refer to RM0456 sections 3.1,3.3,3.5 and AN4992 . the RSS services are described in the section 6.6 of RM0438 .

the key generation can be done by various tools like openSSL or python scripts using the cryptographic library .If you are basing your project on the TFM package or an other project in the STM32CubeL5 package. You can modify the keys by following this instructions:

-The default asymmetric key (RSA or ECDSA) is taken from Middlewares/Third_Party/trustedfirmware/bl2/ext/mcuboot/keys.c  and is embedded in the provisioned data area in the secure boot and secure firmware update binary.

- The AES-CTR key is encrypted (RSA-OAEP or ECIES-P256) and provided in the firmware image itself. The default asymmetric key (RSA or ECDSA) used to encrypt the AES-CTR key is distinct from the signature key, but also taken from Middlewares/Third_Party/trustedfirmware/bl2/ext/mcuboot/keys.c.

After generating the keys by one of the tools mentioned above you can modify them in the keys.c file.

A full guide for the implementation of TFM can be found in the UM2671 sections 9 and 10.

I hope this answers your requests .

Hichem.

0 Kudos
Top