
Integrating user app with TouchGFX in SBSFU demo

PatriciaQ
Associate II

Hello!

I have a custom PCB using the STM32U5A9 microcontroller.

I've been developing my code using Cube IDE with CubeMX generated software including TouchGFX.

I need to implement secure boot and OTA. I am following the SBSFU example for the B-U585I-IOT02A board and struggling to incorporate my project in the Non-secure user application segment of that demo project. I’m also trying to go the other way around and implement the SBSFU infrastructure and files into my custom project.

First question - all I need is secure boot and OTA. Is it true that I do not need to enable TrustZone? If so, how should I modify the SBSFU build process to only include one image?

Second question - It’s been difficult to follow the SBSFU code especially the slot addresses and programming to replicate it within my custom project. The postbuild script for the SBSFU_Boot project pulls firmware size values from image_macros_preprocessed_bl2.c to populate addresses in other scripts like SBSFU_Update.sh. How is this file generated? What do I need to bring in from the SBSFU project to execute it within my custom project structure?

 

Any thoughts or recommendations would be appreciated! Thank you.

2 REPLIES
Bubbles
ST Employee

Hi @PatriciaQ,

the SBSFU example for the STM32U5 is based on ARM TF-M, so it's really dependent on the TrustZone.

You can however have some security even without enabling TrustZone, like BOOT_LOCK, RDP, and MPU. Or you can enable TrustZone and have all the memory set as secure, which will relieve you from dealing with secure-nonsecure isolation and give you the advantage of secure boot with HDP. That's what I'd probably go for in case of single application with SB and OTA capability.

Regarding the integration, what's your IDE? Is it STM32CubeIDE?

Here is a wiki page that might be helpful: Security:SBSFU by MCUboot - stm32mcu

BR,

J

mrmacklems
Associate

You don’t need TrustZone if you only want secure boot and OTA; just build a single non-secure application image with SBSFU’s bootloader. The image_macros_preprocessed_bl2.c file is generated during the bootloader build and defines firmware sizes and slot addresses for OTA scripts. To integrate SBSFU into your custom project, include the bootloader source, SBSFU headers, linker scripts, and post-build scripts, and adjust flash offsets to match your PCB memory layout.