
Is firmware encryption supported on STM32H753VI?

SPati.7
Associate III

As per our firmware encryption needs, we need to have an OTFDEC module and external flash, where we can store the encrypted firmware on external flash and, on every reset of the MCU, decrypt it on the fly with the help of the OTFDEC module and load it into RAM. From there it can execute.

But here in the SBSFU examples for STM32H753ZI, we see the SECBOOT_ECCDSA_WITH_AES128_CBC_SHA256 crypto scheme, where it is encrypting the firmware as well. Is it available in production mode of STM32H753VI as well?

If it is, then how is it possible without OTFDEC and external flash?

3 REPLIES

You can decrypt data from Internal Flash into RAM

Jocelyn RICARD
ST Employee

Hello @SPati.7,

First, STM32H753 does not include OTFDEC. Only STM32H735 supports this feature.

Regarding encryption, SBSFU only manages decryption of newly downloaded firmware.

When you use external flash for the download slot, only NO_SWAP mode should be used so that the newly downloaded firmware is decrypted and installed in the active slot.

In case of interruption, by a reset for instance, SBSFU will continue the installation on the next startup.

Best regards

Jocelyn

Fred
ST Employee

As explained by Jocelyn, what we provide as an example is based on OTFDEC and external FLASH.

See UM2262, section I.2: "External Flash on STM32H7B3 devices".

Besides, with OTFDEC, we use AES-128 in counter mode (CTR).

It seems that your need would be to keep the active firmware encrypted even in internal FLASH?

We do not provide anything for this.

I guess an approach could be to execute from RAM, so decrypt from FLASH and place the firmware in RAM, but we have not investigated this at all.