FAQs
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

how to create a NS calibration section

SebastianD
Associate II

‎2026-03-13 5:46 AM - last edited on ‎2026-03-13 5:52 AM by

Hello together,

I search for a solution to put calibration data in a NS area.

Background Information:

  • we are using STM35H573 with STM secure manager.
  • we use an ethernet Rest API to update Application including request install and so on

Now I want to use the same Rest API to update configuration data. The BIN file shall be signed like a normal application. The behavior should be more or less the same: Restart µC, SM checks validity; app will be started,...

I have read um3254 but I do not understand the section with large profile.

I have read something about ITS, but I think this is not the solution I need. The calibration data must not be stored in the trusted area. They shall only validated bei the SM during update or startup.

 

Thanks for joining this topic.

 

Br Sebastian

 

Labels:
0 Kudos
6 REPLIES 6
Jocelyn RICARD
ST Employee

‎2026-03-13 7:22 AM

Hello Sebastian,

NS reserved area is fully controlled by your application, Secure Manager will not check anything in this area.

If you need to authenticate your calibration data, the only way is to do it with your application.

To perform such check, you may provision the public key in the ITS factory data, and then use this key to check signature of your data.

You will need to create your own signed binary using associated private key.

Best regards

Jocelyn

 

 

0 Kudos
SebastianD
Associate II

‎2026-03-13 8:26 AM

Hi Jocelyn,

So you mean that NS reserved shall be used for calibration data. Is there no possibility to have a 2nd SMAK for calibration data? And SMAK_0 (application) has access to SMAK_1 ( configuration data)? The feature of SM are needed, for example:

  • that no old version can be stored
    or
  • that the signature is checked during installation.
    or
  • If installation is gets wrong the old values are still available,.....

Br

Sebastian

0 Kudos
Jocelyn RICARD
ST Employee

‎2026-03-13 8:56 AM

Hello Sebastian,

Such data slot is provided in OEMiROT examples but is not supported by the Secure Manager.

Best regards

Jocelyn

 

 

0 Kudos
SebastianD
Associate II

‎2026-03-13 9:07 AM

Hi Jocelyn,

puuh what are no good news. In UM3254 I saw this figure 9 and thought that module active and download slot can (mis)used for the calibration data.

So the only way is,  to use the NS reserved area and perform the complete handling on application level. My test with NS reserved are that updating the app (SMAK) will not erase/overwrite the NS reserved area. Is this correct?

Br Sebastian

 

 

0 Kudos
Jocelyn RICARD
ST Employee

‎2026-03-13 10:18 AM

Hi Sebastian,

the module is only used for having specific code running in secure side to implement other secure services.

The secure Manager will never access to the NS reserved area. This means that any update of application, Secure Manager or SMuROT will not touch this area.

I understand this is not a good news for you.
One possible starting point could be to reuse what is provided with OEMiROT. I mean the capability to generate a signed data image.

Then you will have to analyse the format of generated image (described in mcuboot doc) to compute the hash and check the signature. Both operations can use Secure Manager’s crypto services.

Best regards,

Jocelyn

0 Kudos
SebastianD
Associate II

‎2026-03-19 4:41 AM

Hi Joceyln,

At the moment for me the SM-Stack is a blockbox. I have to check your proposal. This needs a little time. Hopefully I can reponse on Monday.

 

Br Sebastian

0 Kudos
Top