Hello @martinhaefner9,
I confirm that today, with STM32H573 you cannot provision the Debug Authentication through the firmware when TrustZone is disabled.
The reason behind is that DA is encrypted in secure state when you use the provisioning process through programmer.
As your code runs with TZ disabled in non secure state, the derived key generated by DHUK is not the same.
This issue is fixed on more recent STM32H533. It will also be fixed on STM32H573 but on next cut but it is not planned yet.
Here are the possible solutions I can think of:
1) Use the "standard" provisioning process provided by programmer. This provisioning is now supported by many third party programmers. This would be the less impacting for your firmware but depends on actual support by your programming tool.
2) Enable TrustZone. In this case, you will need to make adaptations to your firmware. Either you leave all your firmware on secure side or Secure + non secure
- In case of one secure application, every peripheral you are using should be allocated to secure
- In case of Secure + non secure you will have to manage the provisioning in the secure application and jump to the non secure application that is your firmware.
I think the first solution : full secure is the easiest way to go. With such solution, the DA encryption by the firmware will work because it will use same DHUK as the one used when launching regression.
3) Use STM32H563: This chip does not use encryption, so no issue. But I guess you are using STM32H573 for its hardware cryptography capabilities
4) Use STM32H533: Here it depends if your firmware first inside 512 KB flash which I guess again is unlikely.
Best regards
Jocelyn
