2024-09-18 11:44 PM
I am integrating SBSFU with the STM32L496ZG microcontroller and have created a new project. I attempted to generate the SFB file using a customized post-build script from the L476 Simple App example. Although I modified the script paths for my project, the SFB file is not being generated.
The command prompt shows:
Encrypt debug\SBSFU. bin into .\\Binary\\\SBSFU. SFU using AES key from Secure Engine binary
An error message is generated:
Exception: AES CBC encryption requires the Firmware Image size to be a multiple of the AES block size (16 bytes)
Could you please provide guidance on how to resolve this issue?
2024-09-19 04:04 AM
Hello @jijomathew ,
The postbuild script will normally take into account the image preparation padding ...
so, make sure you follow the flow of execution preparation and requirements described in Getting started with the X-CUBE-SBSFU STM32Cube Expansion Package - User manual
you can also find a detail how to in the STM32 security ecosystem - STMicroelectronics
All the martials and associated slides can be found in MOOC - Security Part6 - STM32 security ecosystem, from theory to practice - Google Drive
you will find presentation detailing the solution and how the images will be generated with a specific crypto scheme.
Regards
2024-09-19 05:03 AM
Followed the steps and successfully implemented for Nucleo L476RG Dev board, But still confused about replicating the same for L496ZG microcontroller, one main doubt i has by customizing the postbuild script and running are we able to generate sfb file for my custom application.
2024-09-19 06:23 AM
Hello @jijomathew ,
this is possible to do with the postbuild script which uses the batch or Python variant of pepareimage.py
the details on mods and custom usage of this script can be found in (Middlewares\ST\STM32_Secure_Engine\Utilities\KeysAndImages\readme.txt).
see the following section and follow the steps to make your binary 16 bit aligned
Example for partial update :
----------------------------
[0] Generate partial image
python prepareimage.py diff -1 UserApp_v1.bin -2 UserApp_v2.bin UserApp_partial.bin -a 16 --poffset UserApp_partial.offset
(-a 16: align partial binary on 16 bytes. Partial binary size will also be aligned on 16 bytes)
[1] Generate the keys - OPTION
python prepareimage.py keygen -k AES_CBC.bin -t aes-cbc
=> for aes_cbc , "AES_CBC" must be in file name else key is not created, this
is used to discriminate AES_GCM key versus AES_CBC key
python prepareimage.py keygen -k ECCKEY.txt -t ecdsa-p256
This step is not mandatory but if you do so, please make sure:
* to copy the content of ECCKEY.txt in SECoreBin\Binary
* to use AES_CBC.bin instead of OEM_KEY_COMPANY1_key.bin
Then the prebuild operations (SE_CoreBin) must be performed.
[2] Encrypt the complete image
python prepareimage.py enc -k AES_CBC.bin -i iv.bin UserApp_v2.bin UserApp_v2.sfu
[3] Encrypt the partial image
python prepareimage.py enc -k AES_CBC.bin -i iv.bin UserApp_partial.bin UserApp_partial.sfu
[4] Generate the clear complete FW tag (SHA256 of the clear FW)
python prepareimage.py sha256 UserApp_v2.bin UserApp_v2.sign
[5] Generate the clear partial FW tag (SHA256 of the clear FW)
python prepareimage.py sha256 UserApp_partial.bin UserApp_partial.sign
[6] Generate the .sfb FW metadata (header) and encrypted partial binary
python prepareimage.py pack -k ECCKEY.txt -r 28 -p 1 -v 2 -i iv.bin -f UserApp_v2.sfu -t UserApp_v2.sign --pfw UserApp_partial.sfu --ptag UserApp_partial.sign --poffset UserApp_partial.offset UserApp_partial.sfb
(Please note the use of -r 28 to have a FW header length of 192 bytes. This is needed to match the FLASH constraint.)
Regards
2024-09-26 04:00 AM
Hello @jijomathew ,
did you manage to get this working?
Regards
2024-10-01 04:51 AM
Hello sorry for the delay,
in your tutorial video, there is a single script called post-build script which converts binary files to SBSFU. I have customized the same script to convert my application to SBSFU, will attach the post-build script in a text file which i have edited with the appropriate project directory while running this edited script I got the following error ,Encrypt debug\SBSFU.bin into .\\Binary\\\SBSFU.sfu using AES key from SecureEngine binary. By this way can i integrate SBSFU ? if i am wrong please correct and please tell the steps to be followed for integrating SBSFU with a custom application.
2024-10-01 05:08 AM
hello ,
Still, I am stuck I need help
2024-10-01 06:48 AM
Hello @jijomathew ,
The issue you describe in your initial post is probably due to the fact you didn't reuse the linker file that was provided.
In this linker file you have a specific section that ensure the generated binary is aligned on 16 bytes.
You should have something like this in your linker file (last FLASH section)
/* Extra ROM section (last one) to make sure the binary size is a multiple of the AES block size (16 bytes) and L4 flash writing unit (8 bytes)*/
.align16 :
{
. = . + 1; /* _edata=. is aligned on 8 bytes so could be aligned on 16 bytes: add 1 byte gap */
. = ALIGN(16) - 1; /* increment the location counter until next 16 bytes aligned address (-1 byte) */
BYTE(0); /* allocate 1 byte (value is 0) to be a multiple of 16 bytes */
} > FLASH
Best regards
Jocelyn