Port KMS to STM32H7A3

JQiao.1 · ‎2024-03-18

Hi experts,

I need to implement the storage of a security key (upgradable) on STM32H7A3. After reading the example code of KMS under project B-L475E-IOT01A in x-cube-sbsfu, and a few posts in the forum (KSM support on STMH7 and 2-images-kms-port-to-stm32f756zgtxx ), I have the following questions:

Can a mcu without firewall, e.g. H7A3, still uses KMS? After comparing the SBSFU code between B-L475E-IOT01A and STM32H7B3I-DK, there are a lot of differences which means major adaptation needs to be done?
If I use MPU + PCROP level 1 to protect the flash sector which contains the key, how can the key being upgraded?

Jocelyn RICARD · ‎2024-03-19

Hello @JQiao.1 ,

The main difference with STM32L4 is that you don't have isolation (like firewall) on STM32H7. So, MPU is used, and Secure Engine runs in privileged mode whereas rest of the SBSFU code runs in non privileged mode.

Now, when jumping to application you are back to privileged mode. So, if you want to keep this isolation you need to manage privileged / non privileged area which is not trivial I guess.

Now, the Secure Engine framework is the same. You need to add services in the list and implement them. To my knowledge you are the first one who explores this path, so I have no specific advise to give you.

Regarding PCROP, you must obviously disable it as it is no more used. Please read the SBSFU getting started UM2262 on this topic : you will see the firmware authentication key is inside a leaf certificate.

On the overall porting process, you will need to have really deep understanding of the mechanisms involved, and most of information is only in the code.

Best regards

Jocelyn