Replace SBSFU Uart local loader for USB. Crypto in Secure Engine is failing.

MBuen.1
Senior

Hey guys,

I need to replace UART with USB in my SBSFU local loader. I managed to create the USB comm in SBSFU quite easily, using the UART structure provided in the SBSFU examples. My problem is that when I receive the firmware header, my code gets stuck on the following part in the Secure Engine:

  int32_t status;
  PKA_ECDSAVerifInTypeDef ECDSA_verif = {0};
  const uint8_t *pSign_r;
  const uint8_t *pSign_s;
  /* Firmware metadata to be authenticated and reference MAC */
  const uint8_t *pPayload;    /* Metadata payload */
  int32_t payloadSize;        /* Metadata length to be considered for hash */
  uint8_t *pSign;             /* Reference MAC (ECDSA-signed SHA256 of the FW metadata) */
  const uint8_t *pPub_x;
  const uint8_t *pPub_y;
  /* buffer for sha256 computing */
  uint8_t MessageDigest[CRL_SHA256_SIZE];
  int32_t MessageDigestLength = 0;

  /* the key to be used for crypto operations (as this is a pointer to m_aSE_FirmwareKey or m_aSE_PubKey it can be a
     local variable, the pointed data is protected) */
  uint8_t *pKey;

This is inside SE_CRYPTO_Authenticate_Metadata in the Secure Engine (I configured my debugger with both the SBSFU and SE .elf files, so that I could debug both codes). Code goes until line number two of the code snippet above; after that I see with the debugger that the code keeps looping in this part of the startup file:

Reset_Handler:
    Infinite_Loop:
    b Infinite_Loop
    .size Reset_Handler, .-Reset_Handler

This is the call stack up to the infinite loop:

Thread #1 [main] 1 [core: 0] (Suspended : Breakpoint)	
	SE_CRYPTO_Authenticate_Metadata() at se_crypto_bootloader.c:1.064 0x8000bcc	
	SE_CallGateService() at se_callgate.c:841 0x80023ac	
	SE_CallGate() at se_callgate.c:311 0x80002b8	
	SE_VerifyHeaderSignature() at se_interface_bootloader.c:701 0x8003bb8	
	SFU_LOADER_VerifyFwHeader() at sfu_loader.c:942 0x8005342	
	SFU_COM_USB_DataPktRxCpltCallback() at sfu_loader.c:733 0x80055e2	
	SFU_COM_USB_Receive() at sfu_com_loader.c:358 0x8004b4c	
	SFU_LOADER_DownloadNewUserFw() at sfu_loader.c:135 0x8005516	
	SFU_BOOT_SM_DownloadNewUserFw() at sfu_boot.c:748 0x80043b2	
	SFU_BOOT_SM_Run() at sfu_boot.c:416 0x80047a4	
	<...more frames...>	

I feel this could be something related to my RAM partitioning. Here's how my mapping_sbsfu.ld looks:

/* SE Code region */
VECTOR_SIZE = 0x200;
__ICFEDIT_SE_Code_region_ROM_start__       = 0x08000000 + VECTOR_SIZE;
__ICFEDIT_SE_CallGate_region_ROM_start__   = __ICFEDIT_SE_Code_region_ROM_start__;  /* No need to do +4 as we have dummy bytes in SE_CoreBin .ld file */
__ICFEDIT_SE_CallGate_region_ROM_end__     = __ICFEDIT_SE_Code_region_ROM_start__ + 0x1FF;
 
/* SE key region */
__ICFEDIT_SE_Key_region_ROM_start__        = __ICFEDIT_SE_CallGate_region_ROM_end__ + 0x1;
__ICFEDIT_SE_Key_region_ROM_end__          = __ICFEDIT_SE_Key_region_ROM_start__ + 0xFF;
 
/* SE Startup */
__ICFEDIT_SE_Startup_region_ROM_start__    = __ICFEDIT_SE_Key_region_ROM_end__ + 0x1;
__ICFEDIT_SE_Code_nokey_region_ROM_start__ = __ICFEDIT_SE_Startup_region_ROM_start__ + 0x100;
__ICFEDIT_SE_Code_region_ROM_end__         = __ICFEDIT_SE_Startup_region_ROM_start__ + 0x31FF;
 
/* SE IF ROM */
__ICFEDIT_SE_IF_region_ROM_start__         = __ICFEDIT_SE_Code_region_ROM_end__ + 1;
__ICFEDIT_SE_IF_region_ROM_end__           = __ICFEDIT_SE_IF_region_ROM_start__ + 0x5FF;
 
/* SBSFU Code region */
/* As posted, this line had no "+ 0x1", so SB_ROM_region started on the last byte of SE_IF_region_ROM
   (every other region here starts at the previous end + 1) */
__ICFEDIT_SB_region_ROM_start__            = __ICFEDIT_SE_IF_region_ROM_end__ + 0x1;
__ICFEDIT_SB_region_ROM_end__              = 0x0801FFFF;
 
/* LOADER code region : 20 kBytes area aligned on 4kBytes address, MPU protection constraints */
__ICFEDIT_LOADER_region_ROM_start__        = __ICFEDIT_SB_region_ROM_end__ + 0x1;
__ICFEDIT_LOADER_region_ROM_end__          = 0x0802FFFF;
 
SE_Entry_Secure_ROM_Region_Length = __ICFEDIT_SE_CallGate_region_ROM_end__ - __ICFEDIT_SE_CallGate_region_ROM_start__ + 1;
SE_Key_region_ROM_Length          = __ICFEDIT_SE_Key_region_ROM_end__ - __ICFEDIT_SE_Key_region_ROM_start__ + 1;
SE_Startup_region_ROM_Length      = __ICFEDIT_SE_Code_nokey_region_ROM_start__ - __ICFEDIT_SE_Startup_region_ROM_start__ ;
SE_ROM_region_Length              = __ICFEDIT_SE_Code_region_ROM_end__ - __ICFEDIT_SE_Code_nokey_region_ROM_start__ + 1;
SE_IF_region_ROM_Length           = __ICFEDIT_SE_IF_region_ROM_end__ - __ICFEDIT_SE_IF_region_ROM_start__ + 1;
SB_ROM_region_Length              = __ICFEDIT_SB_region_ROM_end__ - __ICFEDIT_SB_region_ROM_start__ + 1;
LOADER_ROM_region_Length          = __ICFEDIT_LOADER_region_ROM_end__ - __ICFEDIT_LOADER_region_ROM_start__ + 1;
 
/* RAM section */
/* SE stack is placed 1st in RAM, stack overflow does not write on other RAM area */
__ICFEDIT_SE_region_RAM_start__     = 0x20000000;
__ICFEDIT_SE_region_RAM_stack_top__ = 0x20000400;
__ICFEDIT_SE_region_RAM_end__       = 0x20000FFF;
 
/* LOADER communication region when bypass mode activated */
__ICFEDIT_LOADER_COM_region_RAM_start__ = __ICFEDIT_SE_region_RAM_end__ + 1;
__ICFEDIT_LOADER_COM_region_RAM_end__   = __ICFEDIT_LOADER_COM_region_RAM_start__ + 0x0F;
 
/* LOADER RAM1 region */
__ICFEDIT_LOADER_region_RAM_start__ = __ICFEDIT_LOADER_COM_region_RAM_end__ + 1;
__ICFEDIT_LOADER_region_RAM_end__   = 0x2002FFFF;
 
/* SBSFU RAM1 region (starts at the same address as the LOADER RAM1 region) */
__ICFEDIT_SB_region_RAM_start__     = __ICFEDIT_LOADER_COM_region_RAM_end__ + 1;
__ICFEDIT_SB_region_RAM_end__       = 0x2004FFFF;   /* NOTE: extends past RAM_SHARED (ORIGIN 0x20030000, 10K), so the two regions overlap */
 
SE_RAM_region_Length = __ICFEDIT_SE_region_RAM_end__ - __ICFEDIT_SE_region_RAM_stack_top__ + 1;
LOADER_RAM_region_Length = __ICFEDIT_LOADER_region_RAM_end__ - __ICFEDIT_LOADER_region_RAM_start__ + 1;
SB_RAM_region_Length = __ICFEDIT_SB_region_RAM_end__ - __ICFEDIT_SB_region_RAM_start__ + 1;
 
MEMORY
{
 SE_Entry_Secure_ROM_Region (rx)     : ORIGIN = __ICFEDIT_SE_CallGate_region_ROM_start__, LENGTH = SE_Entry_Secure_ROM_Region_Length
 SE_Key_region_ROM (rx)              : ORIGIN = __ICFEDIT_SE_Key_region_ROM_start__, LENGTH = SE_Key_region_ROM_Length
 SE_Startup_region_ROM (rx)          : ORIGIN = __ICFEDIT_SE_Startup_region_ROM_start__, LENGTH = SE_Startup_region_ROM_Length
 SE_ROM_region (rx)                  : ORIGIN = __ICFEDIT_SE_Code_nokey_region_ROM_start__, LENGTH = SE_ROM_region_Length
 SE_IF_region_ROM (rx)               : ORIGIN = __ICFEDIT_SE_IF_region_ROM_start__, LENGTH = SE_IF_region_ROM_Length
 SB_ROM_region (rx)                  : ORIGIN = __ICFEDIT_SB_region_ROM_start__, LENGTH = SB_ROM_region_Length
 LOADER_ROM_region (rx)              : ORIGIN = __ICFEDIT_LOADER_region_ROM_start__, LENGTH = LOADER_ROM_region_Length
 SE_RAM_region (xrw)               : ORIGIN = __ICFEDIT_SE_region_RAM_stack_top__, LENGTH = SE_RAM_region_Length
 LOADER_RAM_region (xrw)           : ORIGIN = __ICFEDIT_LOADER_region_RAM_start__, LENGTH = LOADER_RAM_region_Length
 SB_RAM_region (xrw)               : ORIGIN = __ICFEDIT_SB_region_RAM_start__, LENGTH = SB_RAM_region_Length
 RAM_SHARED (rw)                     : ORIGIN = 0x20030000, LENGTH = 10K
}

I changed __ICFEDIT_SB_region_RAM_end__ to 0x2004FFFF to see if it would solve anything, but the behaviour stayed the same.

I also had to alter the SB ROM length, since I'm now using USB and the code is bigger.

Hope anyone can help me.

Thanks in advance,

Matheus

MBuen.1
Senior

Yeah mate.. I know that, and I've been doing it for, idk, the past three weeks and I'm still stuck. I just want a hint that could help me.

Hello Matheus,

Oops, so it was indeed you who provided the screen capture :)

Well, I've never done such a USB adaptation, so it is a bit difficult to guess what your issue is.

I don't see right now any link between USB and PKA.

My first check after replacing the loader would be to dump the content of the flash that was updated with the loader and check if this is exactly what I expect.

Also, with debugging you should obtain the exact line in se_crypto_bootloader.c where you are stuck. In the information you shared I can see this information.

Best regards

Jocelyn

Think what could be wrong and devise a test to see if it is.

A contender is the question from several days ago of whether your SE is loaded at the address it was linked at. Open its binary in a hex editor and compare with flash.

You will need any decent protections disabled to do that.

Or check the SBSFU and SE map files to confirm nothing in their links collides, and read memory, either in the debugger or in STM32CubeProgrammer, to confirm what's there matches their binaries. Convert the ELFs to binary if you've only got ELFs.

Step into the fault with the debugger. Compare the code you're stepping with the list file.

Add an SE call that does nothing and test that it works.
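One way to do the map-file collision check suggested above, as an added example that is not from this thread or from ST's SBSFU sources: a pairwise overlap test over every address region the posted mapping_sbsfu.ld defines. The bounds in the table were computed by hand from the script as originally posted (SB_ROM starting at the SE_IF end without "+ 0x1", SB RAM ending at 0x2004FFFF); the two symbol-only ranges (SE stack, LOADER_COM) are included even though they are not MEMORY regions. Nothing else is assumed.

```c
/* Added example (not from the thread or from ST's SBSFU sources): pairwise
 * overlap check over the address regions of the mapping_sbsfu.ld posted above.
 * Bounds are computed by hand from the script as originally posted. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <inttypes.h>

typedef struct {
    const char *name;
    uint32_t start;   /* first byte */
    uint32_t end;     /* last byte, inclusive */
} Region;

/* Two inclusive ranges collide iff each one starts no later than the other ends. */
int regions_overlap(const Region *a, const Region *b)
{
    return a->start <= b->end && b->start <= a->end;
}

/* Reports every colliding pair (unless quiet) and returns how many there are. */
size_t find_overlaps(const Region *r, size_t n, int quiet)
{
    size_t count = 0;
    for (size_t i = 0; i < n; i++) {
        for (size_t j = i + 1; j < n; j++) {
            if (regions_overlap(&r[i], &r[j])) {
                if (!quiet) {
                    printf("COLLISION: %-26s [%08" PRIx32 "-%08" PRIx32 "]  vs  %-26s [%08" PRIx32 "-%08" PRIx32 "]\n",
                           r[i].name, r[i].start, r[i].end, r[j].name, r[j].start, r[j].end);
                }
                count++;
            }
        }
    }
    return count;
}

/* Regions of the posted script.  ROM first, then RAM.  Values derived by hand:
 * e.g. SE_Code_region_ROM_end = SE_Startup_start + 0x31FF = 0x080036FF. */
static const Region kPostedRegions[] = {
    { "SE_Entry_Secure_ROM_Region", 0x08000200u, 0x080003FFu },
    { "SE_Key_region_ROM",          0x08000400u, 0x080004FFu },
    { "SE_Startup_region_ROM",      0x08000500u, 0x080005FFu },
    { "SE_ROM_region",              0x08000600u, 0x080036FFu },
    { "SE_IF_region_ROM",           0x08003700u, 0x08003CFFu },
    { "SB_ROM_region",              0x08003CFFu, 0x0801FFFFu }, /* posted start lacks "+ 0x1" */
    { "LOADER_ROM_region",          0x08020000u, 0x0802FFFFu },
    { "SE stack (symbols only)",    0x20000000u, 0x200003FFu },
    { "SE_RAM_region",              0x20000400u, 0x20000FFFu },
    { "LOADER_COM (symbols only)",  0x20001000u, 0x2000100Fu },
    { "LOADER_RAM_region",          0x20001010u, 0x2002FFFFu },
    { "SB_RAM_region",              0x20001010u, 0x2004FFFFu }, /* posted end 0x2004FFFF */
    { "RAM_SHARED",                 0x20030000u, 0x200327FFu }, /* ORIGIN 0x20030000, LENGTH 10K */
};

/* Convenience entry point over the posted layout. */
size_t check_posted_layout(int quiet)
{
    return find_overlaps(kPostedRegions, sizeof kPostedRegions / sizeof kPostedRegions[0], quiet);
}

int main(void)
{
    size_t n = check_posted_layout(0);
    printf("%zu colliding pair(s)\n", n);
    return n ? 1 : 0;
}
```

Run against the posted values this reports three pairs. LOADER_RAM_region/SB_RAM_region collide because the script starts both at LOADER_COM end + 1; that is only harmless if the loader and SBSFU never execute at the same time. The other two (SB_ROM_region starting on the last byte of SE_IF_region_ROM, and SB_RAM_region reaching into RAM_SHARED) are real layout errors. The same table should be filled in again from the SE_CoreBin linker script and map file, since this checks only the SBSFU side.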

Hey @Jocelyn RICARD​ ,

I'm trying a different approach now. I'm using a standalone USB loader instead of a USB local loader inside SBSFU.

It was much easier to implement. Download and install were quite easy to get working. I'm stuck right now at the launch of the active image.

I'm getting a hard fault right after p_jump_to_function() is called.

  /* Initialize address of user application to jump into:
     the reset vector is the second word of the vector table, which sits at slot start + SFU_IMG_IMAGE_OFFSET */
  jump_address = *(__IO uint32_t *)((SlotStartAdd[SlotNumber] + SFU_IMG_IMAGE_OFFSET + 4));
  p_jump_to_function = (Function_Pointer) jump_address;

  /* Initialize user application's Stack Pointer (first word of the vector table) */
  __set_MSP(*(__IO uint32_t *)(SlotStartAdd[SlotNumber] + SFU_IMG_IMAGE_OFFSET));

  if (SFU_SUCCESS == e_ret_status)
  {
    /* JUMP into User App */
    p_jump_to_function();
  }

  /* The point below should NOT be reached */
  return (e_ret_status);

I was debugging it and I found out something really strange. The jump address appears to be way off from what it should be. My active slot is configured at position 0x08022000, but the jump_address variable stores a value around 0x08018ED0, far from where it should boot.

Hello Mbuen,

The jump address corresponds to the reset vector stored at application address + 4 (jump_address).

So, if SlotStartAdd is correct, this means the application stored at this address was not linked to run at that address.

So, you need to check the consistency between the slots and the application linker.

Best regards

Jocelyn
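The check behind this diagnosis, as an added example that is not part of the thread or of ST's SBSFU code: before jumping, read the two vector-table words at slot start + SFU_IMG_IMAGE_OFFSET and reject an image whose initial SP is not in RAM or whose reset vector is not a Thumb address inside the slot. The constructed images, the slot size (0x1E000), the header offset (0x200) and the RAM range (0x20000000 to 0x20050000, 320 KB) are assumptions for illustration; the slot address 0x08022000 and the bogus reset vector 0x08018ED0 are the values reported above.

```c
/* Added example (not ST's SBSFU code): sanity-check the initial SP and reset
 * vector of an image before jumping to it, to catch an application that was
 * linked for a different address than the slot it was written to. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

enum { VEC_OK = 0, VEC_BAD_SP = 1, VEC_BAD_PC = 2 };

typedef struct {
    uint32_t slot_start;    /* flash address of the active slot, e.g. 0x08022000 in the thread */
    uint32_t slot_size;     /* slot length in bytes (assumed) */
    uint32_t image_offset;  /* SFU_IMG_IMAGE_OFFSET: header bytes in front of the vector table (assumed 0x200) */
    uint32_t ram_start;     /* lowest RAM address */
    uint32_t ram_limit;     /* one past the highest RAM address */
} SlotLayout;

/* Cortex-M vector tables are little-endian; parse explicitly so the check also runs on a host. */
static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void put_le32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* slot_bytes is the slot content (a flash pointer on target, a buffer on host).
 * Returns VEC_OK or the first failing check; *sp and *pc receive the two words read. */
int check_image_vectors(const uint8_t *slot_bytes, const SlotLayout *l, uint32_t *sp, uint32_t *pc)
{
    const uint32_t vt_addr  = l->slot_start + l->image_offset;   /* where the vector table lives in flash */
    const uint32_t slot_end = l->slot_start + l->slot_size - 1;

    *sp = le32(slot_bytes + l->image_offset);       /* word 0: initial MSP */
    *pc = le32(slot_bytes + l->image_offset + 4);   /* word 1: Reset_Handler */

    /* Initial stack pointer must point into RAM (top-of-RAM is allowed) and be 8-byte aligned. */
    if (*sp <= l->ram_start || *sp > l->ram_limit || (*sp & 7u) != 0)
        return VEC_BAD_SP;
    /* Reset handler must be a Thumb address (bit 0 set) inside this image, i.e. between the
       vector table and the end of the slot.  0x08018ED0 from the thread fails both conditions
       for a slot at 0x08022000: it is an even address and lies below the slot. */
    if ((*pc & 1u) == 0 || *pc < vt_addr || *pc > slot_end)
        return VEC_BAD_PC;
    return VEC_OK;
}

/* Host-side helper: build a constructed slot image (erased flash + header area + two vector words). */
void make_test_slot(uint8_t *buf, size_t len, uint32_t offset, uint32_t sp, uint32_t pc)
{
    memset(buf, 0xFF, len);
    put_le32(buf + offset, sp);
    put_le32(buf + offset + 4, pc);
}

int main(void)
{
    static uint8_t img[0x400];
    const SlotLayout l = { 0x08022000u, 0x1E000u, 0x200u, 0x20000000u, 0x20050000u };
    const uint32_t cases[][2] = {
        { 0x20050000u, 0x080222C5u },   /* linked for the slot: OK */
        { 0x20050000u, 0x08018ED0u },   /* value seen in the thread: linked for another address */
        { 0x08000000u, 0x080222C5u },   /* stack pointer in flash: garbage header */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        uint32_t sp, pc;
        make_test_slot(img, sizeof img, l.image_offset, cases[i][0], cases[i][1]);
        int r = check_image_vectors(img, &l, &sp, &pc);
        printf("sp=%08x pc=%08x -> %s\n", (unsigned)sp, (unsigned)pc,
               r == VEC_OK ? "OK" : r == VEC_BAD_SP ? "bad SP" : "bad reset vector");
    }
    return 0;
}
```

On the target the posted jump sequence follows a VEC_OK result unchanged (__set_MSP(sp), then call pc as a function pointer). The check is a consistency test for the slot and the application's linker script, not a security control: SBSFU's signature verification of the header and firmware still has to run before any jump, and the actual fix for the mismatch is to link the application at slot start + SFU_IMG_IMAGE_OFFSET.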

Hey @Jocelyn RICARD​ ,

You were right, the linker file of my app was mismatching the links configured in my SBSFU project. When I matched everything, my firmware update went smoothly!!

Thank you very much for all your help; after 3 weeks of hard work and a lot of trial and error, I managed to accomplish this task!!

Regards,

Matheus Bueno

klang.1
Associate II

I am trying to use the USB port too, on an STM32L496ZGT. USB virtual port Tx/Rx are working fine when debugged separately.

But it always fails at __IS_SFU_RESERVED();

main() --> SFU_BOOT_RunSecureBootService() --> SE_Startup(void)

-->  __IS_SFU_RESERVED();

I compared the map file; not much difference from the one with UART in the 2_images example.

Need help!

Thanks,

Kevin