Showing results for 
Search instead for 
Did you mean: 


Associate III

Hi Team,

I hope this email finds you well. I am reaching out to inquire about documentation similar to UM2262 but specific to the STM32H5 microcontroller.

We are currently working on a project that involves firmware encryption, decryption, and update processes for the STM32H5 series. To ensure the smooth execution of our project, we are seeking comprehensive documentation that outlines the procedures and best practices for implementing these processes effectively.

Could you kindly provide us with any relevant documentation or resources that detail the firmware encryption, decryption, and update processes specifically tailored to the STM32H5 microcontroller?

Your assistance in this matter would be greatly appreciated, as it will significantly contribute to the success of our project.

Thanks & Regards,



Jocelyn RICARD
ST Employee

Hello @Hitesh_Aratek ,

All documentation on STM32H5 OEMiROT is available on wiki in security part here

It does not address what you are requestion because it is based on open source mcuboot which documentation is available here

Best regards


@Jocelyn RICARD 

What modifications are necessary to use OEMiROT with external flash (e.g. SPI connected) ?
I know this works in Zephyr easily with Nordic devices, but I've never tried it on STM32 devices. Unfortunately I don't have Zephyr on the current project, it's developed in STM32CubeIDE and FreeRTOS.

Jocelyn RICARD
ST Employee

Hello @mjurjevic ,

today there is no implementation available to address external flash.

What you need to do is

1) Create the external flash driver

2) link this driver to the slots you put in external flash. This is done in flash_map.c (STM32Cube_FW_H5_V1.2.0\Middlewares\Third_Party\mcuboot\bl2\src\flash_map.c)

For reference, you can look at the implementation made on the STM32L5 available either in the STM32CubeL5 or on Github here

Best regards



Associate II

@Jocelyn RICARD 
Is secure code and data image required in this setup? Also what is the purpose of "data" images?

I'm looking at possible boot paths for STM32H56x on wiki:
So if I understand correctly, if TZ=0, I don't need to have secure image (code and data)?

To summarize, I can go forward with OEMiROT bootloader and primary non secure image slot in internal flash and secondary non-secure image slot on external flash?

Hello @mjurjevic ,

data images are optional. It is a way to provision securely secure and/or non secure data.

If TZ=0, you don't have secure/non secure isolation. But the OEMiROT was made to work with TZ=1.

There are currently no secure boot example with TZ=0.

You can use external flash if you provide the FLASH driver to address this flash to OEMiROT.

Best regards