FAQs
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Authentication key provisioning in STM32H5

TetrasLyre
Associate II

‎2025-03-25 8:29 AM

Hi,

I come to you about the key provisioning process for the iROT in the STM32H5.

Using TrustedPackageCreator, the keys provided in the file STiROT_Config.xml for the Secure Boot (field <Authentication key>) are both the private and public keys of the .pem file. However, only the public key is needed, and will be embedded in the device.

 

This method of provisioning is limiting for us for two reasons:

- on the one hand, it doesn't allow to subcontract the provisioning task, as we don't want to give the private key to the subcontractor

- secondly, the private key may be generated by an HSM and cannot leave the vault.

 

So, is there a way to provision only the public key at this stage?

 

Best regards,

Christine

 

Labels:
0 Kudos
7 REPLIES 7
Jocelyn RICARD
ST Employee

‎2025-03-25 11:37 AM

Hello @TetrasLyre ,

For the generation of obk file, you can fix this by changing the xml file like this:

	<File>
		<Name>Authentication key</Name>
		<Value>./../Keys/STiRoT_Authentication_pub.pem</Value>
		<Align>4</Align>
		<KeyType>ecdsa-p256</KeyType>
		<Type></Type>
		<Default>.\..\Keys\STiRoT_Authentication.pem</Default>
		<Tooltip>Select the key used to authenticate firmware and data images. When this key is regenerated, both frmware and data images must be processed with Imgtool</Tooltip>
	</File>

Basically you provide the public pem and remove the "Public" in type field.

The public key will be used.

Best regards

Jocelyn

 

0 Kudos
TetrasLyre
Associate II
In response to Jocelyn RICARD

‎2025-03-26 2:32 AM

Hi Jocelyn,

Thank you for your reply.

In the following, we need to embed the command of TrustedPackageCreator_CLI that forms and signs (and encrypts) the firmware in the HSM, to enable the digital signature with the secured private key in the enclave of the HSM. Factually, the private key cannot leave the HSM. 
Is the source code of the command of TrustedPackageCreator_CLI available in open source?

Best regards,

0 Kudos
Jocelyn RICARD
ST Employee

‎2025-03-26 3:29 AM

Hello @TetrasLyre ,

I was expecting this point :)

The TrustedPackageCreator is a kind of frontend that understands xml inputs and transforms it into imgtool commands for signing and encrypting the firmware.

In this setup, imgtool is provided as binary in STM32CubeProgrammer in Utilities directory.

You can see the call to imgtool from TrustedPackageCreator in 

~/STMicroelectronics/STM32CubeProgrammer/imgtool-command.log

The latest source version I know is in STM32CubeU5 version 1.5.0 but I don't know if it is compatible with STiROT images. I have to check this.

Best regards

Jocelyn

0 Kudos
benjacam
Associate II

‎2025-11-06 8:47 AM

Hello @TetrasLyre and @Jocelyn RICARD ,

May I ask if there was any further progress with this question? Like TetrasLyre, I would like to be able to sign my non-secure application using a HSM to avoid a possibility of leaking the private key. Is there any information on how that can be done please?

Best regards,

Ben

0 Kudos
Jocelyn RICARD
ST Employee

‎2025-11-11 7:03 AM

Hello @benjacam ,

The python code used for signing is available here in scripts directory

You can modify it to provide the hash to sign to your HSM.

Best regards

Jocelyn

 

0 Kudos
benjacam
Associate II
In response to Jocelyn RICARD

‎2025-11-12 3:12 AM - edited ‎2025-11-12 3:12 AM

Thanks Jocelyn,

JFYI, I found the imgtool command log file here: ~/.STM32CubeProgrammer/imgtool-command.log.

This is what is contained:

/home/x/STMicroelectronics/STM32Cube/STM32CubeProgrammer/bin/Utilities/Linux/imgtool sign -k /home/x/prj/build/mcu/sensor/x_cube_sec_m_h5/Projects/STM32H573I-DK/ROT_Provisioning/SM/Images/./../Config/../Keys/SM_Authentication.pem -E /home/x/prj/build/mcu/sensor/x_cube_sec_m_h5/Projects/STM32H573I-DK/ROT_Provisioning/SM/Images/./../Config/../Keys/SM_Encryption_pub.pem --public-key-format full -e little --pad -S 0x96000 -H 0x400 --pad-header --max-sectors 17 -v 1.0.0 -s auto --align 16 --boot-record NSPE --rom-fixed 0x805E000 -x 0x80F4000 --confirm /home/x/prj/build/mcu/sensor/x_cube_sec_m_h5/Projects/STM32H573I-DK/ROT_Provisioning/SM/Images/./../../../../../../prj_mcu_sensor.bin /home/x/prj/build/mcu/sensor/x_cube_sec_m_h5/Projects/STM32H573I-DK/ROT_Provisioning/SM/Images/./../Binary/Profile_Large/appli_enc_sign.hex

I understand you are suggesting I write a program that _replaces_ imgtool at this path and performs the signing step on the HSM. This should technically be possible, with appropriate shebang'ing.

Looking further, imgtool originates from mcuboot

There appears to be a "tfm" branch which has some support for PKCS#11

https://github.com/mcu-tools/mcuboot/tree/tfm/scripts/imgtool/keys

 

0 Kudos
Jocelyn RICARD
ST Employee

‎2025-11-12 10:13 AM

Hello @benjacam ,

You have the python source code and the kind of command you need to use.

Then instead of using STM32TrustedPackageCreator to sign your firmware you use your modified version of the imgtool using your HSM for the signature step. 

I cannot tell more, as I have never tested it.

Best regards

Jocelyn

0 Kudos
Top