2025-10-06 4:43 AM
Hi
I've been trying to understand what level of support is available for the H573 security features in Zephyr RTOS with mcuboot but either can't find any information or no one replies to my comments.
I have a Zephyr sysbuild build working where mcuboot starts, validates the signed application in slot0 and proceeds to boot from slot0.
What I can't find or confirm is if the security features of the STM32H573 are being used or not. There doesn't seem to be any configuration relating to enabling or disabling the features.
Are the security features enabled in Zephyr for the H573?
I'm using the latest 4.2 version of Zephyr.
Cheers
Dave
2025-10-08 2:12 PM
Hello @ekwus ,
the mcuboot adaptation available for STM32H573 that enables all the security features is the one provided in the STM32CubeH5.
In this Zephyr/mcuboot you get the image authentication mechanism but nothing specific to the device.
Best regards
Jocelyn
2025-10-14 3:52 AM
Hi
Thanks for replying and pointing us towards the STM32CubeH5 repo/package. I've since been able to get the OEMiROT_Boot project building and I hadn't understood until now that OEMiROT was actually mcuboot based.
So our current thinking is that we need to build the OEMiROT with STM32Cube first and then flash to the board, then build our Zephyr application (without sysbuild), sign it using imgtool and then flash that to the correct board image slot whilst ensuring that the STM32Cube built app and the Zephyr built app both use the same flash partition mapping.
Would you be able to confirm if that general approach is correct? Possibly we need to take a step back at this stage and figure out what is the simplest approach to securely booting a Zephyr application on the H573 platform. For example is there an approach where we can use STiROT and achieve the same results?
Cheers
Dave
2026-04-28 9:20 AM
Hello, I'm currently facing the same issues as Dave regarding the correct procedure for developing and managing a secure project with OEMiRoT + Zephyr. I have defined the device tree for both applications (s and ns) but I'm unsure about how to manage the OEMiRoT application. Should I migrate it to Zephyr from the Cube examples or is there a Zephyr sample I could use as a starting point (I have not found one yet)?
Sorry if some of my observations are wrong. Hope I can get some clarification.
Kind regards, Alex.
2026-04-29 6:47 AM
Hello,
there is currently no specific integration between Zephyr and OEMiROT, nor STiROT.
Some studies are ongoing to find a solution but this is only at an early stage.
A simple solution could be to have the Zephyr application running as a secure application.
So, OEMiROT or STiROT set up to run only a secure application.
You need to adapt the linker file of Zephyr to be able to run at the right location and use either TrustedPackageCreator or directly Imgtool to sign the binary.
Best regards
Jocelyn
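
Added example, not part of the thread and not ST or Zephyr code: a pre-flash check for the imgtool-signed Zephyr binary discussed above, which parses the MCUboot image header and TLV area, recomputes the hash, confirms a signature TLV is present and checks the result fits the slot. It assumes a SHA-256 hash TLV; the slot size, header size and sample image are constructed values, and the signature is only detected, not verified against a key.

```python
import hashlib
import struct

IMAGE_MAGIC = 0x96F3B83D                  # MCUboot image header magic
TLV_INFO, TLV_PROT_INFO = 0x6907, 0x6908  # unprotected / protected TLV area magics
TLV_SHA256 = 0x10
SIG_TLVS = {0x20: "RSA2048", 0x22: "ECDSA", 0x23: "RSA3072", 0x24: "ED25519"}

def inspect_image(blob, slot_size):
    """Check a signed image's header, hash TLV and size; raise ValueError on failure."""
    if len(blob) < 32:
        raise ValueError("too short for an image header")
    magic, load_addr, hdr_size, prot_size, img_size = struct.unpack_from("<IIHHI", blob, 0)
    if magic != IMAGE_MAGIC:
        raise ValueError("no MCUboot header: binary was not signed with imgtool")
    off = hdr_size + img_size
    hashed_end = off + prot_size          # hash covers header + image + protected TLVs
    tlvs = {}
    while True:                           # optional protected area, then unprotected area
        if off + 4 > len(blob):
            raise ValueError("truncated TLV area")
        area_magic, total = struct.unpack_from("<HH", blob, off)
        if area_magic not in (TLV_INFO, TLV_PROT_INFO) or total < 4 or off + total > len(blob):
            raise ValueError("bad TLV info header")
        pos, off = off + 4, off + total
        while pos + 4 <= off:
            tlv_type, tlv_len = struct.unpack_from("<HH", blob, pos)
            tlvs[tlv_type] = blob[pos + 4:pos + 4 + tlv_len]
            pos += 4 + tlv_len
        if area_magic == TLV_INFO:
            break
    if tlvs.get(TLV_SHA256) != hashlib.sha256(blob[:hashed_end]).digest():
        raise ValueError("SHA-256 TLV does not match image contents")
    sigs = sorted(SIG_TLVS[t] for t in tlvs if t in SIG_TLVS)
    if not sigs:
        raise ValueError("no signature TLV present")
    if off > slot_size:                   # trailer space is extra and not modelled here
        raise ValueError("image plus TLVs exceed slot size")
    return {"hdr_size": hdr_size, "img_size": img_size, "signatures": sigs, "end": off}

def build_sample(payload=b"\xAA" * 64, hdr_size=0x400):
    """Constructed sample: header + payload + SHA-256 TLV + dummy 64-byte ECDSA TLV."""
    hdr = struct.pack("<IIHHI", IMAGE_MAGIC, 0, hdr_size, 0, len(payload)).ljust(hdr_size, b"\0")
    body = hdr + payload
    tlv = struct.pack("<HH", TLV_SHA256, 32) + hashlib.sha256(body).digest()
    tlv += struct.pack("<HH", 0x22, 64) + bytes(64)
    return body + struct.pack("<HH", TLV_INFO, 4 + len(tlv)) + tlv
```

Run `inspect_image(open(path, "rb").read(), slot_size)` on the signed file with the slot size taken from the flash layout shared by the bootloader and the application.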