H573 Trust Zone / Secure Boot support in Zephyr MCUBoot

ekwus
Associate II

Hi

I've been trying to understand what level of support is available for the H573 security features in Zephyr RTOS with mcuboot but either can't find any information or no one replies to my comments.

I have a Zephyr sysbuild build working where mcuboot starts, validates the signed application in slot0 and proceeds to boot from slot0.

What I can't find or confirm is if the security features of the STM32H573 are being used or not. There doesn't seem to be any configuration relating to enabling or disabling the features.

Are the security features enabled in Zephyr for the H573?

I'm using the latest 4.2 version of Zephyr.

Cheers

Dave

2 REPLIES
Jocelyn RICARD
ST Employee

Hello @ekwus ,

the mcuboot adaptation available for STM32H573 that enables all the security features is the one provided in the STM32CubeH5.

In this Zephyr/mcuboot you get the image authentication mechanism but nothing specific to the device.

Best regards

Jocelyn

Hi

Thanks for replying and pointing us towards the STM32CubeH5 repo/package. I've since been able to get the OEMiROT_Boot project building and I hadn't understood until now that OEMiROT was actually mcuboot based.

So our current thinking is that we need to build the OEMiROT with STM32Cube first and then flash to the board, then build our Zephyr application (without sysbuild), sign it using imgtool and then flash that to the correct board image slot whilst ensuring that the STM32Cube built app and Zephyr built app both use the same flash partition mapping.

Would you be able to confirm if that general approach is correct? Possibly we need to take a step back at this stage and figure out what is the simplest approach to securely booting a Zephyr application on the H573 platform. For example, is there an approach where we can use STiROT and achieve the same results?

Cheers

Dave
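
Added example, not part of the thread and not ST or Zephyr code: a pre-flash check that a file produced by imgtool carries the upstream MCUboot header, a hash TLV and a signature TLV, and that it fits the slot of the partition map shared by bootloader and application. The slot size and trailer reserve are constructed placeholders, and it is an assumption that the OEMiROT image layout matches upstream MCUboot.

```python
import struct

IMAGE_MAGIC = 0x96F3B83D               # upstream MCUboot image header magic
TLV_MAGICS = {0x6908, 0x6907}          # protected / unprotected TLV info headers
HASH_TLVS = {0x10, 0x11, 0x12}         # SHA256 / SHA384 / SHA512
SIG_TLVS = {0x20, 0x22, 0x23, 0x24}    # RSA2048, ECDSA, RSA3072, ED25519


def inspect_image(blob, slot_size, trailer_reserve):
    """Parse an MCUboot image and check it against one slot of the flash map."""
    if len(blob) < 32:
        raise ValueError("shorter than the 32-byte image header")
    magic, _load, hdr_size, _prot, img_size, _flags = struct.unpack_from("<IIHHII", blob, 0)
    major, minor, rev, build = struct.unpack_from("<BBHI", blob, 20)
    if magic != IMAGE_MAGIC:
        raise ValueError("bad header magic: not an MCUboot image")
    off, types = hdr_size + img_size, []   # TLV areas start right after the payload
    while off + 4 <= len(blob):
        info_magic, area_len = struct.unpack_from("<HH", blob, off)
        if info_magic not in TLV_MAGICS:
            break                          # padding or trailer, no more TLV areas
        pos, end = off + 4, off + area_len
        if area_len < 4 or end > len(blob):
            raise ValueError("TLV area runs past end of file")
        while pos + 4 <= end:
            tlv_type, length = struct.unpack_from("<HH", blob, pos)
            types.append(tlv_type)
            pos += 4 + length
        if pos != end:
            raise ValueError("malformed TLV entry")
        off = end
    return {
        "version": f"{major}.{minor}.{rev}+{build}",
        "has_hash": any(t in HASH_TLVS for t in types),
        # Presence only: the bootloader is what verifies the signature.
        "has_signature": any(t in SIG_TLVS for t in types),
        "fits_slot": off <= slot_size - trailer_reserve,
    }


def build_sample(payload_len=1024):
    """Constructed test image: dummy payload, dummy hash and signature bytes."""
    hdr = struct.pack("<IIHHIIBBHII", IMAGE_MAGIC, 0, 32, 0, payload_len, 0, 1, 2, 3, 0, 0)
    tlvs = struct.pack("<HH", 0x10, 32) + bytes(32) + struct.pack("<HH", 0x22, 70) + bytes(70)
    return hdr + bytes(payload_len) + struct.pack("<HH", 0x6907, 4 + len(tlvs)) + tlvs
```

Run it on the signed file with the slot size taken from the same partition definition the bootloader was built with; a missing signature TLV or `fits_slot` being false means the image should not be flashed.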