Showing results for 
Search instead for 
Did you mean: 

Port KMS to STM32H7A3

Associate II

Hi experts,

I need to implement the storage of a security key (upgradable) on STM32H7A3. After reading the example code of KMS under project B-L475E-IOT01A in x-cube-sbsfu, and a few posts in the forum (KSM support on STMH7  and 2-images-kms-port-to-stm32f756zgtxx ), I have the following questions:

  1. Can a mcu without firewall, e.g. H7A3, still uses KMS? After comparing the SBSFU code between B-L475E-IOT01A  and STM32H7B3I-DK, there are a lot of differences which means major adaptation needs to be done?
  2. If I use MPU + PCROP level 1 to protect the flash sector which contains the key, how can the key being upgraded?
Jocelyn RICARD
ST Employee

Hello @JQiao.1 ,

The main difference with STM32L4 is that you don't have isolation (like firewall) on STM32H7. So, MPU is used, and Secure Engine runs in privileged mode whereas rest of the SBSFU code runs in non privileged mode.

Now, when jumping to application you are back to privileged mode. So, if you want to keep this isolation you need to manage privileged / non privileged area which is not trivial I guess.

Now, the Secure Engine framework is the same. You need to add services in the list and implement them. To my knowledge you are the first one who explores this path, so I have no specific advise to give you.


Regarding PCROP, you must obviously disable it as it is no more used. Please read the SBSFU  getting started UM2262 on this topic : you will see the firmware authentication key is inside a leaf certificate.

On the overall porting process, you will need to have really deep understanding of the mechanisms involved, and most of information is only in the code. 

Best regards