
Flashing an encrypted Firmware

j_filipe
Associate III

Greetings, 
I am using an STM32U585 MCU and I wrote custom code that implements the DFU protocol. I could successfully flash a firmware through a .bin file, set the Option Bytes, set RDP level 1 and go back to RDP level 0.
What I want to do is to be able to flash an encrypted firmware into the board using my method. So obviously, I can't do it through the STM32CubeProgrammer or STM32TrustedPackageCreator since I don't want to depend on any ST HSM smartcard, so I guess I can't do it the SFI way. Is there any other way to encrypt a firmware file, then upload it to the board and have the board itself be capable of decrypting the firmware and running it?
BTW, I am using the B-U585I-IOT02A board to run the tests.
Thank you! 

4 REPLIES
Pavel A.
Super User

Of course you can prepare an encrypted image file without using the SFI and ST hardware security modules. Use whatever you like. Your program will then decrypt the file and self-update. The question is how you're going to provide the STM32 with the key for decryption and the authentication info (certificate?).

 

But like, make a custom bootloader to make the decryption? 

Yes, a custom bootloader.
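The reply above leaves the image format open. As an added example (not code from this thread, ST or OpenBootloader), this Go sketch packs a firmware with AES-256-GCM on the host and models the checks a custom bootloader would make before accepting it. The container layout, the `FWE1` magic and the names `Pack` and `Unpack` are assumptions made for the illustration, and it uses `AppendUint32` from Go 1.19 or later.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)
const hdrLen, tagLen, magic = 24, 16, "FWE1" // header: magic(4) version(4) length(4) nonce(12)

func newGCM(key []byte) (cipher.AEAD, error) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(blk)
}

// Pack is the host side. The nonce must be unique per image under a given key.
func Pack(key, nonce, fw []byte, version uint32) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil || len(nonce) != 12 {
		return nil, fmt.Errorf("bad key or nonce")
	}
	hdr := binary.LittleEndian.AppendUint32([]byte(magic), version)
	hdr = binary.LittleEndian.AppendUint32(hdr, uint32(len(fw)))
	hdr = append(hdr, nonce...)
	return append(hdr, gcm.Seal(nil, nonce, fw, hdr)...), nil // header is bound in as AAD
}

// Unpack models the bootloader: plaintext is returned only if the GCM tag verifies.
func Unpack(key, img []byte, minVersion uint32) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil || len(img) < hdrLen+tagLen || string(img[:4]) != magic {
		return nil, fmt.Errorf("bad key or container")
	}
	hdr, body := img[:hdrLen], img[hdrLen:]
	ver, n := binary.LittleEndian.Uint32(hdr[4:]), binary.LittleEndian.Uint32(hdr[8:])
	if ver < minVersion || int(n) != len(body)-tagLen {
		return nil, fmt.Errorf("rollback or length mismatch")
	}
	return gcm.Open(nil, hdr[12:], body, hdr)
}

func main() {
	key := make([]byte, 32) // constructed all-zero demo key and nonce
	img, _ := Pack(key, make([]byte, 12), []byte("constructed firmware"), 2)
	img[hdrLen] ^= 1 // flip one ciphertext bit: Unpack must now refuse the image
	fmt.Println(Unpack(key, img, 1))
}
```

The device has to hold the same key for this to work, which is the provisioning question raised in the reply; a symmetric tag also only proves the image came from someone who has that key.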

j_filipe
Associate III

Okay. 
Is using the OpenBootloader project as a starting point a good option? If I want to use the USB interface, what would be the next step?