Is there any possible way of appending or adding keys to SBSFU after the build steps?

MdFayaz
Associate III

The key which signs and encrypts the userApp is compiled along with the SBSFU and generated as a complete binary with keys by using STM32CubeIDE.

Is there any way to change this key after the build process of SBSFU?

8 REPLIES
Bubbles
ST Employee

Hi @MdFayaz,

What particular SBSFU are you using? Some include a key manager (I believe the one for STM32L4 does), but most do not.

In any case you can implement this option; the difficulty is mainly to provide the key with adequate protection. This is easier when the key is an integral part of the binary.

BR,

J

To give better visibility on the answered topics, please click on Accept as Solution on the reply which solved your issue or answered your question.

MdFayaz
Associate III

Hi @JHOUD, I use STM32F769I-DISCO.

How would I replace the key in the binary with another key without the help of STM32CubeIDE?

So that I will be able to change the keys even after the post-build of the SBSFU binary.

Hi @MdFayaz,

With this particular example, there's no key manager and no possibility to modify the keys ex-post. You can modify the example to allow installation of keys, but mind that this feature was not part of the original example precisely because it's going to decrease the overall security.

You can either try to implement something and accept the compromised security, or try to re-evaluate the choice of the MCU. STM32H5 would be a safe choice I believe, maybe STM32H7 or STM32U5, depending on your exact requirements.

You can also consider the external secure element line STSAFE A110.

BR,

J


MdFayaz
Associate III

Thanks @JHOUD for the information.

MdFayaz
Associate III

Hi @JHOUD, can you share the steps or a link (reference) to modify that example to allow the installation of keys even after post-build?

My required flow:

  1. Build the SBSFU and User App.
  2. Decide the crypto scheme and key to be used.
  3. Replace the keys in SBSFU.
  4. Sign and encrypt the User App.
  5. Then flash them to the board.

Hi @MdFayaz,

If even the crypto scheme should be flexible, that's quite a big modification. I don't have an example for that. Good luck!

BR,

J


MdFayaz
Associate III

Thanks @JHOUD. If I keep the crypto scheme fixed, will the modification be simple?

Hi all, I found a way to replace the key after the build process of SBSFU. I used the Python script (prepareimage.py) to convert the key into assembler language (se_key.s), then cross-compiled that file with arm-none-eabi-gcc, and then wrote some part of the output file (se_key.o) over the SBSFU.elf file, and it worked for me.

Is there any option to replace this cross-compilation process with any other process/tool like openssl?