FAQs
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

SBSFU integration with STM32 L496ZG

jijomathew
Associate II

‎2024-09-18 11:44 PM

I am integrating SBSFU with the STM32L496ZG microcontroller and have created a new project. I attempted to generate the SFB file using a customized post-build script from the L476 Simple App example. Although I modified the script paths for my project, the SFB file is not being generated.

The command prompt shows:
Encrypt debug\SBSFU. bin into .\\Binary\\\SBSFU. SFU using AES key from Secure  Engine binary

An error message is generated:
Exception: AES CBC encryption requires the Firmware Image size to be a multiple of the AES block size (16 bytes)

Could you please provide guidance on how to resolve this issue?

Labels:
0 Kudos
10 REPLIES 10
STea
ST Employee

‎2024-09-19 04:04 AM

Hello @jijomathew ,

 

The postbuild script will normally take into account the image preparation padding ... 

so, make sure you follow the flow of execution preparation and requirements described in Getting started with the X-CUBE-SBSFU STM32Cube Expansion Package - User manual

you can also find a detail how to in the STM32 security ecosystem - STMicroelectronics
All the martials and associated slides can be found in MOOC - Security Part6 - STM32 security ecosystem, from theory to practice - Google Drive
you will find presentation detailing the solution and how the images will be generated with a specific crypto scheme.

Regards

In order to give better visibility on the answered topics, please click on Accept as Solution on the reply which solved your issue or answered your question.
Preview file
396 KB
Preview file
592 KB
Preview file
814 KB
0 Kudos
jijomathew
Associate II
In response to STea

‎2024-09-19 05:03 AM

Followed the steps and successfully implemented for Nucleo L476RG Dev board, But still confused about replicating the same for L496ZG microcontroller, one main doubt i has  by customizing the postbuild script and running are we able to generate sfb file for my custom application.

0 Kudos
STea
ST Employee
In response to jijomathew

‎2024-09-19 06:23 AM

Hello @jijomathew ,

this is possible to do with the postbuild script which uses the batch or Python variant of pepareimage.py
the details on mods and custom usage of this script can be found in (Middlewares\ST\STM32_Secure_Engine\Utilities\KeysAndImages\readme.txt).
see the following section and follow the steps to make your binary 16 bit aligned 

Example for partial update :
----------------------------

[0] Generate partial image
python prepareimage.py  diff -1 UserApp_v1.bin -2 UserApp_v2.bin UserApp_partial.bin -a 16 --poffset UserApp_partial.offset
(-a 16: align partial binary on 16 bytes. Partial binary size will also be aligned on 16 bytes)

[1] Generate the keys - OPTION
python prepareimage.py keygen -k AES_CBC.bin -t aes-cbc
=> for aes_cbc , "AES_CBC"  must be in file name else key is not created, this
is used to discriminate AES_GCM key versus AES_CBC key
python prepareimage.py  keygen  -k ECCKEY.txt -t ecdsa-p256

This step is not mandatory but if you do so, please make sure:
* to copy the content of  ECCKEY.txt in SECoreBin\Binary
* to use AES_CBC.bin instead of OEM_KEY_COMPANY1_key.bin
Then the prebuild operations (SE_CoreBin) must be performed.

[2] Encrypt the complete image
python prepareimage.py  enc -k AES_CBC.bin -i iv.bin UserApp_v2.bin UserApp_v2.sfu

[3] Encrypt the partial image
python prepareimage.py  enc -k AES_CBC.bin -i iv.bin UserApp_partial.bin UserApp_partial.sfu

[4] Generate the clear complete FW tag (SHA256 of the clear FW)
python prepareimage.py sha256  UserApp_v2.bin  UserApp_v2.sign

[5] Generate the clear partial FW tag (SHA256 of the clear FW)
python prepareimage.py sha256  UserApp_partial.bin  UserApp_partial.sign

[6] Generate the .sfb FW metadata (header) and encrypted partial binary
python prepareimage.py  pack -k ECCKEY.txt -r 28 -p 1 -v 2 -i iv.bin -f UserApp_v2.sfu -t UserApp_v2.sign --pfw UserApp_partial.sfu --ptag UserApp_partial.sign --poffset UserApp_partial.offset UserApp_partial.sfb
(Please note the use of -r 28 to have a FW header length of 192 bytes. This is needed to match the FLASH constraint.)

 Regards

In order to give better visibility on the answered topics, please click on Accept as Solution on the reply which solved your issue or answered your question.
0 Kudos
STea
ST Employee
In response to STea

‎2024-09-26 04:00 AM

Hello @jijomathew ,

did you manage to get this working?
Regards

In order to give better visibility on the answered topics, please click on Accept as Solution on the reply which solved your issue or answered your question.
0 Kudos
jijomathew
Associate II
In response to STea

‎2024-10-01 04:51 AM

Hello sorry for the delay,

in your tutorial video, there is a single script called post-build script which converts binary files to SBSFU. I have customized the same script to convert my application to SBSFU, will attach the post-build script in a text file which i have edited   with the appropriate project  directory  while running this edited script I got the following error ,Encrypt debug\SBSFU.bin into .\\Binary\\\SBSFU.sfu using AES key from SecureEngine binary. By this way can i integrate SBSFU ? if i am wrong please correct and please tell the steps to be followed for integrating SBSFU with a custom application.

Preview file
7 KB
0 Kudos
jijomathew
Associate II
In response to STea

‎2024-10-01 05:08 AM

hello ,

Still, I am stuck I need help

0 Kudos
Jocelyn RICARD
ST Employee
In response to jijomathew

‎2024-10-01 06:48 AM

Hello @jijomathew ,

The issue you describe in your initial post is probably due to the fact you didn't reuse the linker file that was provided.

In this linker file you have a specific section that ensure the generated binary is aligned on 16 bytes.

You should have something like this in your linker file (last FLASH section)

/* Extra ROM section (last one) to make sure the binary size is a multiple of the AES block size (16 bytes) and L4 flash writing unit (8 bytes)*/
.align16 :
{
. = . + 1; /* _edata=. is aligned on 8 bytes so could be aligned on 16 bytes: add 1 byte gap */
. = ALIGN(16) - 1; /* increment the location counter until next 16 bytes aligned address (-1 byte) */
BYTE(0); /* allocate 1 byte (value is 0) to be a multiple of 16 bytes */
} > FLASH

Best regards

Jocelyn

0 Kudos
jijomathew
Associate II
In response to Jocelyn RICARD

‎2024-10-16 02:43 AM

Hello 

@Jocelyn RICARD 

@STea 

I have built the project and got the following files in my binary folder how I  can upload the SFB  file, I am using a custom PCB where I normally upload the code using an ST link. Using a cube programmer is it possible?Screenshot 2024-10-16 150510.png

0 Kudos
Jocelyn RICARD
ST Employee
In response to jijomathew

‎2024-10-16 08:40 AM

Hello @jijomathew ,

First it is not normal to see the .sign, .sfu and .sfuh files. They are temporary files that should be deleted at end of signing script.

In development only, if you removed all protections, it should be possible to download the .sfb file as binary in the download slot. After reset, the SBSFU should install the new application.

Now, I have never tried this on my side :)

The normal way to do, when you want to check the update is to download the .sfb file using a loader.

Best regards

Jocelyn

 

 

0 Kudos
Top