2025-03-25 8:29 AM
Hi,
I come to you about the key provisioning process for the iROT in the STM32H5.
Using TrustedPackageCreator, the keys provided in the file STiROT_Config.xml for the Secure Boot (field <Authentication key>) are both the private and public keys of the .pem file. However, only the public key is needed, and will be embedded in the device.
This method of provisioning is limiting for us for two reasons:
- on the one hand, it doesn't allow us to subcontract the provisioning task, as we don't want to give the private key to the subcontractor
- secondly, the private key may be generated by an HSM and cannot leave the vault.
So, is there a way to provision only the public key at this stage?
Best regards,
Christine
2025-03-25 11:37 AM
Hello @TetrasLyre ,
For the generation of the obk file, you can fix this by changing the xml file like this:
<File>
  <Name>Authentication key</Name>
  <Value>./../Keys/STiRoT_Authentication_pub.pem</Value>
  <Align>4</Align>
  <KeyType>ecdsa-p256</KeyType>
  <Type></Type>
  <Default>.\..\Keys\STiRoT_Authentication.pem</Default>
  <Tooltip>Select the key used to authenticate firmware and data images. When this key is regenerated, both frmware and data images must be processed with Imgtool</Tooltip>
</File>
Basically, you provide the public pem and remove the "Public" in the type field.
The public key will be used.
Best regards
Jocelyn
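A check that can run before the configuration and key files are handed to a provisioning subcontractor, as an added example that is not part of the original reply or of ST's tools: it reads each `ecdsa-p256` `<File>` entry and confirms the referenced PEM holds only a P-256 public key. The function names, the `read_file` callback and the sample PEM contents are assumptions made for illustration.

```python
import base64, binascii, re
import xml.etree.ElementTree as ET

# DER header of a SubjectPublicKeyInfo holding an uncompressed P-256 point
# (id-ecPublicKey + prime256v1); the 65 bytes 0x04||X||Y follow it.
P256_SPKI_PREFIX = bytes.fromhex("3059301306072a8648ce3d020106082a8648ce3d030107034200")
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def classify_pem(text):
    """Return 'private', 'public-p256' or 'unknown' for the PEM text."""
    blocks = PEM_BLOCK.findall(text)
    if any("PRIVATE KEY" in label for label, _ in blocks):
        return "private"  # any private block makes the file unfit for hand-off
    for label, body in blocks:
        if label != "PUBLIC KEY":
            continue
        try:
            der = base64.b64decode("".join(body.split()))
        except binascii.Error:
            continue
        if len(der) == 91 and der.startswith(P256_SPKI_PREFIX) and der[26] == 0x04:
            return "public-p256"
    return "unknown"

def audit_config(xml_text, read_file):
    """Map each ecdsa-p256 <File> name to (path, verdict); read_file(path) -> str."""
    findings = {}
    for entry in ET.fromstring(xml_text).iter("File"):
        if entry.findtext("KeyType") != "ecdsa-p256":
            continue
        path = (entry.findtext("Value") or "").strip()
        findings[entry.findtext("Name")] = (path, classify_pem(read_file(path)))
    return findings

def _pem(label, der):  # helper to build the constructed samples below
    body = base64.encodebytes(der).decode()
    return f"-----BEGIN {label}-----\n{body}-----END {label}-----\n"

# Constructed inputs: placeholder bytes, not real key material.
SAMPLE_PUB = _pem("PUBLIC KEY", P256_SPKI_PREFIX + b"\x04" + bytes(range(64)))
SAMPLE_PRIV = _pem("EC PRIVATE KEY", bytes(32))
SAMPLE_XML = """<File><Name>Authentication key</Name>
<Value>./../Keys/STiRoT_Authentication_pub.pem</Value>
<KeyType>ecdsa-p256</KeyType><Type></Type></File>"""

if __name__ == "__main__":
    files = {"./../Keys/STiRoT_Authentication_pub.pem": SAMPLE_PUB}
    print(audit_config(SAMPLE_XML, files.__getitem__))
```

Any verdict other than `public-p256` for the authentication key means the file should not leave the key owner's environment as is.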
2025-03-26 2:32 AM
Hi Jocelyn,
Thank you for your reply.
In the following, we need to embed the command of TrustedPackageCreator_CLI that forms and signs (and encrypts) the firmware in the HSM, to enable the digital signature with the secured private key in the enclave of the HSM. Factually, the private key cannot leave the HSM.
Is the source code of the command of TrustedPackageCreator_CLI available in open source?
Best regards,
2025-03-26 3:29 AM
Hello @TetrasLyre ,
I was expecting this point :)
The TrustedPackageCreator is a kind of frontend that understands xml inputs and transforms them into imgtool commands for signing and encrypting the firmware.
In this setup, imgtool is provided as a binary in STM32CubeProgrammer, in the Utilities directory.
You can see the call to imgtool from TrustedPackageCreator in
~/STMicroelectronics/STM32CubeProgrammer/imgtool-command.log
The latest source version I know of is in STM32CubeU5 version 1.5.0, but I don't know if it is compatible with STiROT images. I have to check this.
Best regards
Jocelyn