2025-02-26 2:28 PM - edited 2025-02-26 6:56 PM
My H5 DK board is in TZ-CLOSED state (after --sfi-flash), and I am unable to put it in the "Level 1/2/3 Intrusive Debug" state no matter what combination of keys and certificates I use (including key_1_root.pem and cert_root.b64). Only Full regression works. Any suggestions? Thanks!
17:16:50 : Start Debug Authentication Sequence
17:16:50 : SDMOpen : 602 : open : SDM API v1.0
17:16:50 : SDMOpen : 603 : open : SDM Library version v1.1.0
17:16:50 : open_comms : 495 : open : Asserting target reset
17:16:50 : open_comms : 499 : open : Writing magic number
17:16:50 : open_comms : 509 : open : De-asserting target reset
17:16:50 : open_comms : 561 : open : Communication with the target established successfully
17:16:50 : discovery: target ID.......................:0x484
17:16:50 : discovery: SoC ID..........................:0x00000000_35353537_3332510A_003A002B
17:16:50 : discovery: SDA version.....................:2.4.0
17:16:50 : discovery: Vendor ID.......................:STMicroelectronics
17:16:50 : discovery: PSA lifecycle...................:ST_LIFECYCLE_TZ_CLOSED
17:16:50 : discovery: PSA auth version................:1.0
17:16:50 : discovery: ST HDPL1 status.................:0x2717
17:16:50 : discovery: ST HDPL2 status.................:0x400003bf
17:16:50 : discovery: ST HDPL3 status.................:0xffffffff
17:16:50 : discovery: Token Formats...................:0x200
17:16:50 : discovery: Certificate Formats.............:0x201
17:16:50 : discovery: cryptosystems...................:Ecdsa-P256 SHA256
17:16:50 : discovery: ST provisioning integrity status:0xeaeaeaea
17:16:50 : discovery: permission if authorized...........:Full Regression
17:16:50 : discovery: permission if authorized...........:To TZ Regression
17:16:50 : discovery: permission if authorized...........:Level 3 Intrusive Debug
17:16:50 : discovery: permission if authorized...........:Level 2 Intrusive Debug
17:16:50 : discovery: permission if authorized...........:Level 1 Intrusive Debug
17:16:50 : discovery: permission if authorized...........:Level 3 Intrusive Non Secure Debug
17:16:50 : discovery: permission if authorized...........:Level 2 Intrusive Non Secure Debug
17:16:50 : discovery: permission if authorized...........:Level 1 Intrusive Non Secure Debug
17:17:22 : Start Debug Authentication Sequence
17:17:22 : SDMOpen : 602 : open : SDM API v1.0
17:17:22 : SDMOpen : 603 : open : SDM Library version v1.1.0
17:17:22 : open_comms : 495 : open : Asserting target reset
17:17:22 : open_comms : 499 : open : Writing magic number
17:17:22 : open_comms : 509 : open : De-asserting target reset
17:17:22 : open_comms : 561 : open : Communication with the target established successfully
17:17:22 : [00%] discovery command
17:17:22 : [10%] sending discovery command
17:17:22 : [20%] receiving discovery
17:17:22 : [40%] loading credentials
17:17:22 : [50%] sending challenge request
17:17:22 : [60%] receiving challenge
17:17:22 : [70%] signing token
17:17:22 : SDMAuthenticate : 1317 : client : Found 1 certificates
17:17:22 : [80%] sending response
17:17:22 : [90%] receiving status
17:17:22 : Error: Debug Authentication Failed
2025-02-27 7:38 AM
Hello @Thatseasy
If I'm not mistaken, you are working with the Secure Manager. In this context, the DA's permissions do not allow reopening the debug for the secure domain. Even if you change the DA's permissions, they will not be taken into account.
You may observe in your traces "discovery: permission if authorized" -> It depends on the configuration.
In TZ-Closed, there is no need to reopen the debug for the nonsecure domain because it is allowed natively.
For more information about the product state in the Secure Manager context, please refer to this UM: https://www.st.com/resource/en/user_manual/um3254-secure-manager-for-stm32h573xx-microcontrollers-stmicroelectronics.pdf -> Chapter 6.3 Product state
Best regards
Johny
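A small triage helper for logs in the format posted above, added here as an example (not part of the original posts and not an ST tool): it extracts the lifecycle, the advertised permissions and the step after which authentication failed, then applies the two points made in the reply. The function name `triage`, the `secure_manager` flag and the trimmed sample log are assumptions made for this example.

```python
import re

# Constructed sample in the format of the log posted above (trimmed).
SAMPLE_LOG = """\
17:16:50 : discovery: PSA lifecycle...................:ST_LIFECYCLE_TZ_CLOSED
17:16:50 : discovery: permission if authorized...........:Full Regression
17:16:50 : discovery: permission if authorized...........:Level 1 Intrusive Debug
17:16:50 : discovery: permission if authorized...........:Level 1 Intrusive Non Secure Debug
17:17:22 : [80%] sending response
17:17:22 : [90%] receiving status
17:17:22 : Error: Debug Authentication Failed
"""

# "<time> : discovery: <key>....:<value>" and "<time> : [NN%] <step>"
DISCOVERY = re.compile(r"^\S+ : discovery: (?P<key>.+?)\.*:(?P<value>.*)$")
PROGRESS = re.compile(r"^\S+ : \[\d+%\] (?P<step>.+)$")

def triage(log_text, secure_manager=False):
    """Summarise a discovery/authentication log.

    secure_manager is supplied by the caller (assumption: the log itself
    does not say whether the Secure Manager is installed).
    """
    fields, perms, last_step, failed = {}, [], None, False
    for line in map(str.strip, log_text.splitlines()):
        if m := DISCOVERY.match(line):
            key, value = m["key"].strip(), m["value"].strip()
            if key == "permission if authorized":
                perms.append(value)
            else:
                fields[key] = value
        elif m := PROGRESS.match(line):
            last_step = m["step"]
        elif line.endswith("Error: Debug Authentication Failed"):
            failed = True
    levels = [p for p in perms if p.startswith("Level")]
    secure = [p for p in levels if "Non Secure" not in p]
    nonsecure = [p for p in levels if "Non Secure" in p]
    lifecycle = fields.get("PSA lifecycle")
    notes = []
    if secure_manager and secure:
        notes.append("secure-domain debug is advertised but, per the reply "
                     "above, not reopened by DA under the Secure Manager")
    if secure_manager and lifecycle == "ST_LIFECYCLE_TZ_CLOSED":
        notes.append("non-secure debug is allowed natively in TZ-Closed")
    return {"lifecycle": lifecycle, "secure": secure, "nonsecure": nonsecure,
            "failed_after": last_step if failed else None, "notes": notes}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG, secure_manager=True))
```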
2025-02-27 3:00 PM - edited 2025-02-27 3:34 PM
Thank you Johny for your reply. The problem was that after attaching the debugger to the running image, none of the breakpoints were hit although I am pretty sure the code was executed. It turned out that the symbol did not match, not because of the DA.