Integrating user app with TouchGFX in SBSFU demo

PatriciaQ · ‎2025-10-29

Hello!

I have a custom PCB using the STM32U5A9 microcontroller.

I've been developing my code using Cube IDE with CubeMX generated software including TouchGFX.

I need to implement secure boot and OTA. I am following the SBSFU example for the B-U585I-IOT02A board and struggling to incorporate my project in the Non-secure user application segment of that demo project. I’m also trying to go the other way around and implement the SBSFU infrastructure and files into my custom project.

First question - all I need is secure boot and OTA is it true that I do not need to enable the Trust Zone? If so, how should I modify the SBSFU build process to only include one image?

Second question - It’s been difficult to follow the SBSFU code especially the slot addresses and programming to replicate it within my custom project. The postbuild script for the SBSFU_Boot project pulls firmware size values from image_macros_preprocessed_bl2.c to populate addresses in other scripts like SBSFU_Update.sh. How is this file generated? What do I need to bring in from the SBSFU project to execute it within my custom project structure?

Any thoughts or recommendations would be appreciated! Thank you.

Bubbles · ‎2025-10-30

Hi @PatriciaQ,

the SBSFU example for the STM32U5 is based on ARM TF-M, so it's really dependent on the TrustZone.

You can however have some security even without enabling TrustZone, like BOOT_LOCK, RDP, and MPU. Or you can enable TrustZone and have all the memory set as secure, which will relieve you from dealing with secure-nonsecure isolation and give you the advantage of secure boot with HDP. That's what I'd probably go for in case of single application with SB and OTA capability.

Regarding the integration, what's you IDE? Is it STM32CubeIDE?

Here is a wiki page that might be helpful: Security:SBSFU by MCUboot - stm32mcu

BR,

J

To give better visibility on the answered topics, please click on Accept as Solution on the reply which solved your issue or answered your question.

mrmacklems · ‎2025-11-14

You don’t need TrustZone if you only want secure boot and OTA; just build a single non-secure application image with SBSFU’s bootloader. The image_macros_preprocessed_bl2.c file is generated during the bootloader build and defines firmware sizes and slot addresses for OTA scripts. To integrate SBSFU into your custom project, include the bootloader source, SBSFU headers, linker scripts, and post-build scripts, and adjust flash offsets to match your PCB memory layout.

JoeMck · ‎2025-11-20

I am attempting to do something very similar. I've been down the path of trying to integrate the SBSFU example into my TouchGFX project, in STM32CubeIDE, only to run into project structure/hierarchy/linking/referencing issues. I've then tried to integrate my TouchGFX project into the SBSFU example, only to run into similar issues. It seems like there could/should be a better way to combine projects.

mrmacklems · ‎2025-12-28

This is a common issue because both SBSFU and TouchGFX assume ownership of the project’s startup, linker script, memory layout, and build structure, so merging two generated projects almost always causes conflicts; the most reliable approach is to use the SBSFU example as the base project and integrate TouchGFX into it as a module rather than trying to merge projects, letting SBSFU control the boot flow, flash layout, and security boundaries while manually adding TouchGFX sources, initialization, and memory regions in a way that respects the secure/non-secure split, since STM does not currently provide a clean, official workflow to combine them automatically.