How to integrate SBSFU in STM32U585 series

HirenThumar2702 · ‎2023-06-13

Hello support team,

Have a Nice day.

I am working on STM32U585ZIT6 Controller and investigating SBSFU for firmware upgrading.

I list our specifications for a custom bootloader below.

Enable TrustZone
Enable Dual bank
Run time firmware write in the second bank
After successfully doing it swap bank

I do not find specific this series SBSFU related document

Can you provide me integration document for STM32U5 Series?

https://www.st.com/resource/en/application_note/an5056-integration-guide-for-the-xcubesbsfu-stm32cube-expansion-package-stmicroelectronics.pdf

Thanks

Hiren R. Thumar

Frantz LEFRERE · ‎2023-06-13

Hello Hiren,

X-SBSFU package doesn't support the Cortex M33 based STM32 ( STM32L5/U5/H5)

For those one ST decided to go with MCU Boot.

The code example is deliver in the Cube

STM32Cube_FW_U5_V1.2.0\Projects\B-U585I-IOT02A\Applications\SBSFU

I let you check the associated readme.htlm

Best regards,

Frantz

View solution in original post

Jocelyn RICARD · ‎2023-06-13

Hello Hiren,

the only secure boot solution we provide on STM32U5 is based on MCUBoot.

This is something different from X-CUBE-SBSFU package.

We provide the integration of MCUBoot that is open source secure boot in the STM32CubeU5.

You can find it here;

STM32Cube_FW_U5_V1.2.0\Projects\B-U585I-IOT02A\Applications\SBSFU\

This solution does not fulfill your dual bank requirement. The update is managed in similar way as on X-CUBE-SBSFU by copying or swaping firmware from download slot to active slot.

Besides the information provided with the SBSFU project in the STM32CubeU5, you can refer to 2 documents:

AN5447: Overview of Secure Boot and Secure Firmware Update solution on Arm® TrustZone® STM32 microcontrollers

UM2851: Getting started with STM32CubeU5 TFM application that provides many details on the secure boot solution (apart from TFM)

Best regards

Jocelyn

View solution in original post

Jocelyn RICARD · ‎2023-06-23

Hello @HirenThumar2702,

The SBSFU project will fulfil your requirement.

The TFM example provides also a secure boot (based on the same MCUboot as SBSFU example) but instead of providing a simple secure application as example, provides the TFM porting on STM32U5. It provides secure services such as crypto and secure storage.

Best regards

Jocelyn

View solution in original post

Frantz LEFRERE · ‎2023-06-13

Hello Hiren,

X-SBSFU package doesn't support the Cortex M33 based STM32 ( STM32L5/U5/H5)

For those one ST decided to go with MCU Boot.

The code example is deliver in the Cube

STM32Cube_FW_U5_V1.2.0\Projects\B-U585I-IOT02A\Applications\SBSFU

I let you check the associated readme.htlm

Best regards,

Frantz

Jocelyn RICARD · ‎2023-06-13

Hello Hiren,

the only secure boot solution we provide on STM32U5 is based on MCUBoot.

This is something different from X-CUBE-SBSFU package.

We provide the integration of MCUBoot that is open source secure boot in the STM32CubeU5.

You can find it here;

STM32Cube_FW_U5_V1.2.0\Projects\B-U585I-IOT02A\Applications\SBSFU\

This solution does not fulfill your dual bank requirement. The update is managed in similar way as on X-CUBE-SBSFU by copying or swaping firmware from download slot to active slot.

Besides the information provided with the SBSFU project in the STM32CubeU5, you can refer to 2 documents:

AN5447: Overview of Secure Boot and Secure Firmware Update solution on Arm® TrustZone® STM32 microcontrollers

UM2851: Getting started with STM32CubeU5 TFM application that provides many details on the secure boot solution (apart from TFM)

Best regards

Jocelyn

HirenThumar2702 · ‎2023-06-19

Hello Jocelyn,

Thanks for your replay,

I have checked repo of stm32u5 "en.stm32cubeu5-v1-2-0"

it has an SBSFU example so can I use this example?

Below we mention my project requirement

1. Firmware should upgrade through URAT port(Through TERATERM or any serial loader) and support secure boot features like sign image upgrade.

so can you give guidance on which is better SBSFU or TFM for the STM32U585ZIT6 controller?

Jocelyn RICARD · ‎2023-06-23

Hello @HirenThumar2702,

The SBSFU project will fulfil your requirement.

The TFM example provides also a secure boot (based on the same MCUboot as SBSFU example) but instead of providing a simple secure application as example, provides the TFM porting on STM32U5. It provides secure services such as crypto and secure storage.

Best regards

Jocelyn

HirenThumar2702 · ‎2023-08-22

Hello Jocelyn,

Have a nice day.

I am working on B-U585I-IOT02A development kit and i tried merge our application with SBSFU_Boot and SBSFU_Loader

I've included the steps I take to integrate my own application below.

1. Create Project Name: Application[Enable TrustZone]
2. Change .ld file of secure and non secure project[output.ld - added prebuild file in secure and non secure project properties]
3. Change linker path in secure and non secure project properties
4. Added Postbuild.sh in own application repo
5. Update NS address in secure-> main.c "#define VTOR_TABLE_NS_START_ADDR NS_CODE_START"
6. Added postbuild.sh path in secure and non secure project properties
7. Successful compile code
8. Generate sign with encrypted .bin file in Binary folder
9. Go to local bootloader with reset
10. Upload encrypted sign .bin through SBSFU_Loader
11. Reset trigger
12.We are getting log in SBSFU_Boot

LOG:

[INF] signature OK
[INF] Bootloader chainload address offset: 0x1a000
[INF] Jumping to the first image slot

After this Log it is not run our application

i attached my project in this thread so please provide a suggestion for resolving the issue

Thanks

Hiren R. Thumar

HirenThumar2702 · ‎2023-08-27

Greetings, Jocelyn RICHIRD.

Enjoy your day,

I can integrate my own software (written in Bear metal code) with SBSFU_Boot.

When I developed my own bear metal program with enable ThreadX os and attempted to integrate with SBSU at that time, I encountered various compilation errors, which I've listed below.

"c:\st\stm32cubeide_1.6.1\stm32cubeide\plugins\com.st.stm32cube.ide.mcu.externaltools.gnu-tools-for-stm32.10.3-2021.10.win32_1.0.200.202301161003\tools\arm-none-eabi\bin\ld.exe: ./Application/User/tx_initialize_low_level.o: in function `__tx_DBGHandler':
(.text+0x68): undefined reference to `g_pfnVectors'"

Can you provide me any advice on how to handle this?

Thanks

Hiren R. Thumar

+91 9426570128

Lanceglot · ‎2024-02-09

Hi, Jocelyn

I am trying to understand how works the example of SBSFU for STM32U5 (that one STM32Cube_FW_U5_V1.2.0\Projects\B-U585I-IOT02A\Applications\SBSFU). Could you answer, how generates files ns_data.bin and s_data.bin, those will be signed and encrypted in a script named dataimg.sh. I don't see from where occurs those files and what they sense.

Best regards
Lancelot

Jocelyn RICARD · ‎2024-02-09

Hello Lancelot,

These files are simple binary files with dummy content.

The point here is to provide data files that can be updated using the same mechanism as the firmware update; meaning using encryption and authentication.

Best regards

Jocelyn

Lanceglot · ‎2024-02-12

Jocelyn,
Thank you for your answer!

Do you have any document with notes about the correct way for porting the SBSFU example for STM32U5 from the Trust Zone application to a solution without Trust Zone use for application code? Or some example?

Best regards

Lancelot