
How to include the non-secure app in the sfi file when --sfi-gen, and set product-state to Closed after --sfi-flash?

Thatseasy
Associate III

Using MX, I created an app utilizing Secure Manager 1.2 on STM32H573. After running 'provisioning.py --sfi-gen', the generated sfi image does not include the non-secure app image; after 'provisioning.py --sfi-flash', the product-state is set to TZ-CLOSED, and the non-secure app image can be loaded using 'project.py download', and the product-state can be changed to Closed manually using CubeProgrammer. I'd like to simplify it to a single step by calling 'provisioning.py --sfi-gen --sfi-flash -a', which will not only provision the secure manager, but also program the non-secure image and set the product-state to Closed. Is it possible?

Accepted Solutions
Jocelyn RICARD
ST Employee

Hello @Thatseasy ,

Yes, this is possible:

1) Change the application in the configuration file.

The tools use config/sm.ini to specify what is in the image.

You can find:

"ns_app" : "../Binary/JSON/ns_app_default.json"

So, either you create another json file or you change this default json to point to the encrypted signed hex binary of your application.

2) In this same sm.ini file you can find ob = Option_Bytes.csv

This is where you need to set up the final state of the device.

In Option bytes, you can see that product state is 0xC6, meaning TZ-CLOSED.

You can change this file either with a text editor or with STM32TrustedPackageCreator, using the option bytes file editor (SFI Option bytes tab).

You can change id to 0x72, meaning CLOSED.

Besides, you can also change the SM configuration (SM_Config_Other.xml) minimal product state to force it to CLOSED.

Best regards

Jocelyn

 
