Failed to provision Secure Manager 1.2

Thatseasy
Associate III

I tried to provision Secure Manager 1.2 to my DK board, and got the following error messages in the provisioning.log:

2024-11-10 15:49:30,796 - root - DEBUG - Error: SFI command is not supported for the current device configuration using STLINK interfaces !
2024-11-10 15:49:30,796 - root - DEBUG - Error: Cannot launch RSSe...
2024-11-10 15:49:30,796 - root - DEBUG -
2024-11-10 15:49:30,796 - root - DEBUG - Error: C:\Users\cbens\STM32Cube\Repository\STM32Cube_FW_H5_V1.3.0\Projects\STM32H573I-DK\ROT_Provisioning\SM\Binary\SecureManagerPackage.sfi SFI file Install Operation Failure! Please, try again.
2024-11-10 15:49:30,796 - root - DEBUG -


Then I booted the DK board in DFU mode, and used the programmer 2.17 to program the sfi, but it still failed, either with "could not connect to the device" if SW1=0, or with the following errors if SW1 = 1 (I know according to the instructions it should not be 1).

17:23:44 : Erasing memory corresponding to segment 0:
17:23:44 : Not flash Memory : No erase done
17:23:44 : Download in Progress:
17:23:45 : File download complete
17:23:45 : Time elapsed during download operation: 00:00:00.111
17:23:45 : Get RSSe status...
17:23:46 : Error: Failed to get RSSe Status!
17:23:46 : Error: Cannot launch RSSe...

 

All the tools are up to date.

Any suggestions? Someone in the forum mentioned CubeProgrammer 2.18. Should I try that version, and where can I download it?

Thank you!

1 ACCEPTED SOLUTION

Jocelyn RICARD
ST Employee

Hello @Thatseasy ,

OK, so the issue is the board. SFSP 0.1.1, which is the version of the system flash secure part, is very old and will not work.

To get Secure Manager to work you have to get a new DK board.

Best regards

Jocelyn


9 REPLIES
Thatseasy
Associate III

Could something be wrong with my device driver setup? In the device manager, I see "ST-Link Debug" is active, the "STM32 ST-LINK/V3" is not, but even if I temporarily uninstalled "ST-Link Debug", "STM32 ST-LINK/V3" was still not active; and "ST-Link Debug" always comes back.

Thatseasy_0-1731442899757.png

 

Hello @Thatseasy ,

When I connect my STM32H574I-DK I get ST-Link Debug and if I connect the other USB connector I get this DFU in FS Mode. So, STM32 ST-Link/V3 should appear when you are in STLink upgrade mode.

The tools are working correctly as far as I know.

At least the command:

python provisioning.py --sfi-gen --sfi-flash -a

is working without issue.

Best regards

Jocelyn

 

Thank you @Jocelyn RICARD for your reply.

What does "2024-11-10 15:49:30,796 - root - DEBUG - Error: SFI command is not supported for the current device configuration using STLINK interfaces !" exactly mean?  My board is STM32H573I-DK, and CubeProgrammer version is 2.17.  

Jocelyn RICARD
ST Employee

Hello @Thatseasy ,

I don't know how to get such an error. Maybe some option bytes are not set up correctly.

Is your device in open state?

Is your DK board recent?

Here are the option bytes I have after my board's regression.

"c:\Program Files\STMicroelectronics\STM32Cube\STM32CubeProgrammer\bin\STM32_Programmer_CLI.exe" -c port=SWD mode=UR -ob displ
      -------------------------------------------------------------------
                       STM32CubeProgrammer v2.17.0
      -------------------------------------------------------------------

ST-LINK SN  : 004D00483232511639353236
ST-LINK FW  : V3J15M6
Board       : STM32H573I-DK
Voltage     : 3.28V
Warning:  Connection to AP 0 requested and failed, Connection established with AP 1

SWD freq    : 8000 KHz
Connect mode: Under Reset
Reset mode  : Hardware reset
Device ID   : 0x484
Revision ID : --
Device name : STM32H56x/573
Flash size  : 2 MBytes
Device type : MCU
Device CPU  : Cortex-M33
BL Version  : 0xE4
SFSP Version: v2.5.0
Debug in Low Power mode enabled


UPLOADING OPTION BYTES DATA ...

  Bank          : 0x00
  Address       : 0x40022050
  Size          : 112 Bytes

██████████████████████████████████████████████████ 100%

  Bank          : 0x01
  Address       : 0x40022070
  Size          : 16 Bytes

██████████████████████████████████████████████████ 100%

  Bank          : 0x02
  Address       : 0x40022080
  Size          : 16 Bytes

██████████████████████████████████████████████████ 100%

  Bank          : 0x03
  Address       : 0x400220e0
  Size          : 16 Bytes

██████████████████████████████████████████████████ 100%

  Bank          : 0x04
  Address       : 0x400221e0
  Size          : 16 Bytes

██████████████████████████████████████████████████ 100%

  Bank          : 0x05
  Address       : 0x40022090
  Size          : 8 Bytes

██████████████████████████████████████████████████ 100%

  Bank          : 0x06
  Address       : 0x400220f0
  Size          : 8 Bytes

██████████████████████████████████████████████████ 100%

  Bank          : 0x07
  Address       : 0x400221f0
  Size          : 8 Bytes

██████████████████████████████████████████████████ 100%

  Bank          : 0x08
  Address       : 0x400220f8
  Size          : 8 Bytes

██████████████████████████████████████████████████ 100%

  Bank          : 0x09
  Address       : 0x400221f8
  Size          : 8 Bytes

██████████████████████████████████████████████████ 100%


OPTION BYTES BANK: 0

   Product state:

     PRODUCT_STATE: 0xED (Open)

   BOR Level:

     BOR_LEV      : 0x0 (BOR Level 1, the threshold level is low (around 2.1 V))
     BORH_EN      : 0x0  (0x0)

   User Configuration:

     IO_VDD_HSLV  : 0x0  (0x0)
     IO_VDDIO2_HSLV: 0x0  (0x0)
     IWDG_STOP    : 0x1  (0x1)
     IWDG_STDBY   : 0x1  (0x1)
     BOOT_UBE     : 0xC3 (ST-iRoT (system flash) selected)
     SWAP_BANK    : 0x0  (0x0)
     IWDG_SW      : 0x1  (0x1)
     NRST_STOP    : 0x1  (0x1)
     NRST_STDBY   : 0x1  (0x1)
OPTION BYTES BANK: 1

   User Configuration 2:

     TZEN         : 0xC3 (Trust zone disabled)
     SRAM2_ECC    : 0x0 (SRAM2 ECC check enabled )
     SRAM3_ECC    : 0x1 (SRAM3 ECC check disabled)
     BKPRAM_ECC   : 0x1 (BKPRAM ECC check disabled)
     SRAM2_RST    : 0x0 (SRAM2 erase when system reset)
     SRAM1_3_RST  : 0x1 (SRAM1 and SRAM3 not erased when a system reset occurs)
OPTION BYTES BANK: 2

   Boot Configuration:

     NSBOOTADD    : 0x80000  (0x8000000)
     NSBOOT_LOCK  : 0xC3 (The SWAP_BANK and NSBOOTADD can still be modified following their individual rules.)
     SECBOOT_LOCK : 0x0 (Unknown Value)
     SECBOOTADD   : 0x0  (0x0)
OPTION BYTES BANK: 3

   Bank1 - Flash watermark area definition:

     SECWM1_STRT  : 0x7  (0x800E000)
     SECWM1_END   : 0x0  (0x8000000)

   Write sector group protection 1:

     WRPSGn1      : 0xFFFFFFFF  (0x8000000)
OPTION BYTES BANK: 4

   Bank2 - Flash watermark area definition:

     SECWM2_STRT  : 0x7  (0x810E000)
     SECWM2_END   : 0x0  (0x8100000)

   Write sector group protection 2:

     WRPSGn2      : 0xFFFFFFFF  (0x8000000)
OPTION BYTES BANK: 5

   OTP write protection:

     LOCKBL       : 0x0  (0x0)
OPTION BYTES BANK: 6

   Flash data bank 1 sectors:

     EDATA1_EN    : 0x0 (No Flash high-cycle data area)
     EDATA1_STRT  : 0x0  (0x0)
OPTION BYTES BANK: 7

   Flash data bank 2 sectors:

     EDATA2_EN    : 0x0 (No Flash high-cycle data area)
     EDATA2_STRT  : 0x0  (0x0)
OPTION BYTES BANK: 8

   Flash HDP bank 1:

     HDP1_STRT    : 0x7F  (0xFE000)
     HDP1_END     : 0x0  (0x0)
OPTION BYTES BANK: 9

   Flash HDP bank 2:

     HDP2_STRT    : 0x7F  (0xFE000)
     HDP2_END     : 0x0  (0x0)

Could you check if you have something similar?

Best regards

Jocelyn

Thank you @Jocelyn RICARD. I compared the outputs; it appears all the option bytes are the same, only the boards have some differences (left is mine, and right is yours).

Thatseasy_2-1731517488745.png
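The side-by-side comparison described in this post can also be run on the text of two `-ob displ` outputs, so that a mismatch such as the SFSP version shows up directly. The Python below is an added example, not part of the thread or of ST's tooling; the function names are hypothetical and both sample dumps are constructed (the reference values are copied from the output quoted above, the second dump differs only in the SFSP version).

```python
import re

FIELD = re.compile(r"^\s*([A-Za-z][\w /-]*?)\s*:\s*(\S.*?)\s*$")
BANK = re.compile(r"^\s*OPTION BYTES BANK:\s*(\d+)")
# Probe-specific and transfer-progress fields differ between any two boards.
IGNORE = {"Bank", "Address", "Size", "Warning", "ST-LINK SN", "ST-LINK FW", "Voltage"}

# Constructed, abbreviated dumps. REFERENCE copies values from the output in the
# thread; BOARD is hypothetical and differs only in the SFSP version.
REFERENCE = """\
Board       : STM32H573I-DK
Device ID   : 0x484
BL Version  : 0xE4
SFSP Version: v2.5.0
OPTION BYTES BANK: 0
   Product state:
     PRODUCT_STATE: 0xED (Open)
     BOOT_UBE     : 0xC3 (ST-iRoT (system flash) selected)
OPTION BYTES BANK: 1
     TZEN         : 0xC3 (Trust zone disabled)
"""
BOARD = REFERENCE.replace("v2.5.0", "v0.1.1")

def parse_dump(text):
    """Return {field: value}; option bytes are keyed as 'OB<bank>.<name>'."""
    fields, bank = {}, None
    for line in text.splitlines():
        m = BANK.match(line)
        if m:                      # start of a new option-byte bank
            bank = m.group(1)
            continue
        m = FIELD.match(line)
        # Skip headings, ignored fields and the echoed Windows command line.
        if not m or m.group(1) in IGNORE or ":\\" in line:
            continue
        key = m.group(1) if bank is None else f"OB{bank}.{m.group(1)}"
        fields[key] = m.group(2)
    return fields

def diff_dumps(reference, board):
    """List (field, reference_value, board_value) for every mismatch."""
    ref, dut = parse_dump(reference), parse_dump(board)
    return [(k, ref.get(k), dut.get(k))
            for k in sorted(ref.keys() | dut.keys()) if ref.get(k) != dut.get(k)]

if __name__ == "__main__":
    for name, want, got in diff_dumps(REFERENCE, BOARD):
        print(f"{name}: reference={want!r} board={got!r}")
```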

 

 

 

ChangeToH5
Associate

Hi Jocelyn,

I have a similar issue on the new H5-DK board with SM installation. I followed the online instructions (Security:How to start with Secure Manager default configuration on STM32H5 - stm32mcu) step by step, but it failed at the SFI secure installation at Step 2: Installation.

ChangeToH5_0-1738270455614.png

The provisioning.log file is also attached; the log file says it failed to launch RSSe.

What can I try to get this DK board working?

Any help is appreciated.

Jocelyn RICARD
ST Employee

Hello @ChangeToH5 ,

The issue comes from the version of RSSe that you are using:

C:\github\STM32Cube_FW_H5_V1.4.0\Projects\STM32H573I-DK\ROT_Provisioning\SM\Binary\RSSe\H5\enc_signed_RSSe_SFI_STM32H5_2M_v2.0.1.0.bin

 

Version should be 

STM32Cube_FW_H5_V1.4.0\Projects\STM32H573I-DK\ROT_Provisioning\SM\Binary\enc_signed_RSSe_SFI_H5-2M_v3.0.0.0.bin

Could you please download SEC-M H5 v1.2.1 and check again?

Also, you may update STM32CubeProgrammer from v1.17 to V2.18, but that shouldn't be an issue.

Best regards

Jocelyn

 

Thank you @Jocelyn RICARD for the response.

Initially I did have X-Cube-SEC-M-H5_V1.2.1 by following "How to start with Secure Manager (customized configuration) on STM32H5", which recommends X-Cube-SEC-M-H5_V1.2.1. I tried it without changing any configuration, but the installation was unsuccessful. So I realized I should do "How to start with Secure Manager default configuration on STM32H5" first, which recommends X-Cube-SEC-M-H5_V1.2.0; that's why I changed to use enc_signed_RSSe_SFI_STM32H5_2M_v2.0.1.0.bin instead of enc_signed_RSSe_SFI_H5-2M_v3.0.0.0.bin.

Could it possibly have been messed up by changing RSSe versions when it failed at the installation step of "How to start with Secure Manager (customized configuration) on STM32H5"?

FYI: later yesterday, I did a full chip erase with the STM32CubeProgrammer 2.17.0 tool; then, without any settings change, I was able to run "python provisioning.py --sfi-flash -a" successfully. Do you know why? (Just curious what could possibly be the reasons that fixed my issue.)

ChangeToH5_0-1738340472480.png

I was also able to reopen the device by running "python provisioning.py --regression -a".

ChangeToH5_1-1738340573546.png

Thanks again.