cancel
Showing results for 
Search instead for 
Did you mean: 

Disabling TrustZone on the STM32H5

jens-vdb
Associate II

Hi,

I have been experimenting with secure boot on the STM32H573I-DK, but I can't perform a regression anymore.

While adapting the example code (OEMiROT) to my own version, I am currently in the situation where the device is "provisioned" (0x2e), but I have lost the keys/certificates because they were accidentally overwritten during my experiments. So I can't open up the debug access port anymore. TrustZone is enabled (0xb4).

Currently with the STM32CubeProgrammer I can connect to the device in hotplug mode:

jensvdb_0-1704242998560.png

And I can read out the registers:

jensvdb_1-1704243029203.png

After doing some research for other ST platforms (the STM32U5 for example), it seems to be possible to "unprovision" the device using the STM32CubeProgrammer. However, changing both the PRODUCT_STATE and TZEN registers to 0xED and 0xC3 respectively results in an error:

jensvdb_2-1704243175357.png

Additionally, the STM32CubeProgrammer manual documents a possibility to disable TrustZone via CLI (https://www.st.com/resource/en/user_manual/um2237-stm32cubeprogrammer-software-description-stmicroelectronics.pdf:(

jensvdb_3-1704243269003.png

Alas, this method does not work as well as the command does not seem to be supported for the interface:

STM32_Programmer_CLI -c port=SWD mode=HotPlug -tzenreg

jensvdb_4-1704243361832.png

Is there any possibility to revert the product state and/or disable TrustZone on the STM32H5?

1 ACCEPTED SOLUTION

Accepted Solutions
Jocelyn RICARD
ST Employee

Hello @jens,

First, STM32H5 is different from STM32U5 and TZ regression will not work.

In fact, on STM32H5, you can simply disable TrustZone in option bytes when in OPEN state.

Here you are in iROT-PROVISIONED state. In this state you cannot use OBK provisioning for debug authentication credentials anymore.

 

According to your description you should be have a correct provisioning integrity :

JocelynRICARD_0-1704270827433.png

of directly with command line:

C:\Program Files\STMicroelectronics\STM32Cube\STM32CubeProgrammer\bin>STM32_Programmer_CLI.exe -c port=SWD debugauth=2
      -------------------------------------------------------------------
                       STM32CubeProgrammer v2.15.0
      -------------------------------------------------------------------


Start Debug Authentication Sequence

SDM 1.0.0 Init Sequence
Open SDM Lib
open_comms                    :   506 : open       : Asserting target reset

open_comms                    :   510 : open       : Writing magic number

open_comms                    :   518 : open       : De-asserting target reset

open_comms                    :   564 : open       : Communication with the target established successfully

response_packet_lock
discovery: target ID.......................:0x484
discovery: SoC ID..........................:0x280057  0x33325117  0x38363236  0x0
discovery: SDA version.....................:2.4.0
discovery: Vendor ID.......................:STMicroelectronics
discovery: PSA lifecycle...................:ST_LIFECYCLE_IROT_PROVISIONED
discovery: PSA auth version................:1.0
discovery: ST HDPL1 status.................:0xffffffff
discovery: ST HDPL2 status.................:0xffffffff
discovery: ST HDPL3 status.................:0xffffffff
discovery: Token Formats...................:0x200
discovery: Certificate Formats.............:0x201
discovery: cryptosystems...................:Ecdsa-P256 SHA256
discovery: ST provisioning integrity status:0xeaeaeaea
discovery: Available Permissions...........:(a) ==> Full Regression
discovery: Available Permissions...........:(b) ==> To TZ Regression
discovery: Available Permissions...........:(c) ==> Level 3 Intrusive Debug
discovery: Available Permissions...........:(d) ==> Level 2 Intrusive Debug
discovery: Available Permissions...........:(e) ==> Level 1 Intrusive Debug
discovery: Available Permissions...........:(f) ==> Level 3 Intrusive Non Secure Debug
discovery: Available Permissions...........:(g) ==> Level 2 Intrusive Non Secure Debug
discovery: Available Permissions...........:(h) ==> Level 1 Intrusive Non Secure Debug

Debug Authentication: Discovery Success

This discovery provides the status of the device through the Debug Authentication channel.

If you have the ST provisioning integrity status value equal to 0xeaeaeaea this means that debug authentication is provisioned.

Now, if you have overwritten the keys, it may have been done using the TrustedPackageCreator by regenerating the key using "Regenerate" button. In that case, the old key is saved in a .bak file containing also the date and time in the file name.

The only thing you need it the root private key you used when provisioning the device.

Also, if this is the default one provided in the package there is no issue.

If you generated your own private key, provisioned the device with associated public key and completely lost this private key, you will not be able to recover in any way. This is the purpose of the debug authentication to be able to authenticate ...

 

Best regards

Jocelyn

View solution in original post

1 REPLY 1
Jocelyn RICARD
ST Employee

Hello @jens,

First, STM32H5 is different from STM32U5 and TZ regression will not work.

In fact, on STM32H5, you can simply disable TrustZone in option bytes when in OPEN state.

Here you are in iROT-PROVISIONED state. In this state you cannot use OBK provisioning for debug authentication credentials anymore.

 

According to your description you should be have a correct provisioning integrity :

JocelynRICARD_0-1704270827433.png

of directly with command line:

C:\Program Files\STMicroelectronics\STM32Cube\STM32CubeProgrammer\bin>STM32_Programmer_CLI.exe -c port=SWD debugauth=2
      -------------------------------------------------------------------
                       STM32CubeProgrammer v2.15.0
      -------------------------------------------------------------------


Start Debug Authentication Sequence

SDM 1.0.0 Init Sequence
Open SDM Lib
open_comms                    :   506 : open       : Asserting target reset

open_comms                    :   510 : open       : Writing magic number

open_comms                    :   518 : open       : De-asserting target reset

open_comms                    :   564 : open       : Communication with the target established successfully

response_packet_lock
discovery: target ID.......................:0x484
discovery: SoC ID..........................:0x280057  0x33325117  0x38363236  0x0
discovery: SDA version.....................:2.4.0
discovery: Vendor ID.......................:STMicroelectronics
discovery: PSA lifecycle...................:ST_LIFECYCLE_IROT_PROVISIONED
discovery: PSA auth version................:1.0
discovery: ST HDPL1 status.................:0xffffffff
discovery: ST HDPL2 status.................:0xffffffff
discovery: ST HDPL3 status.................:0xffffffff
discovery: Token Formats...................:0x200
discovery: Certificate Formats.............:0x201
discovery: cryptosystems...................:Ecdsa-P256 SHA256
discovery: ST provisioning integrity status:0xeaeaeaea
discovery: Available Permissions...........:(a) ==> Full Regression
discovery: Available Permissions...........:(b) ==> To TZ Regression
discovery: Available Permissions...........:(c) ==> Level 3 Intrusive Debug
discovery: Available Permissions...........:(d) ==> Level 2 Intrusive Debug
discovery: Available Permissions...........:(e) ==> Level 1 Intrusive Debug
discovery: Available Permissions...........:(f) ==> Level 3 Intrusive Non Secure Debug
discovery: Available Permissions...........:(g) ==> Level 2 Intrusive Non Secure Debug
discovery: Available Permissions...........:(h) ==> Level 1 Intrusive Non Secure Debug

Debug Authentication: Discovery Success

This discovery provides the status of the device through the Debug Authentication channel.

If you have the ST provisioning integrity status value equal to 0xeaeaeaea this means that debug authentication is provisioned.

Now, if you have overwritten the keys, it may have been done using the TrustedPackageCreator by regenerating the key using "Regenerate" button. In that case, the old key is saved in a .bak file containing also the date and time in the file name.

The only thing you need it the root private key you used when provisioning the device.

Also, if this is the default one provided in the package there is no issue.

If you generated your own private key, provisioned the device with associated public key and completely lost this private key, you will not be able to recover in any way. This is the purpose of the debug authentication to be able to authenticate ...

 

Best regards

Jocelyn