FAQs
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

SBSFU STM32U585 series with CMake toolchain

erosghignoni
Visitor

‎2025-09-12 1:00 AM

Hi everyone, 

I'm working on integrating the SBSFU (Secure Boot and Secure Firmware Update) into an existing project for a custom board using an STM32U585 microcontroller.

At this stage of the project, I am trying to include the SBSFU_Boot (https://github.com/STMicroelectronics/STM32CubeU5/tree/main/Projects/B-U585I-IOT02A/Applications/SBSFU) to my firmware, in order to be able to create a more secure and upgradable environment. 

My goal is to successfully build and run the SBSFU_Boot bootloader from the ST example using my CMake toolchain, so it can eventually load my existing Secure/Non-Secure application.

I have successfully configured CMake to compile the SBSFU_Boot project without any errors. However, after flashing the compiled binary to the microcontroller, the device fails to boot. The bootloader doesn't seem to execute at all.

This issue appears to be related to migrating the build configuration from the provided CubeIDE project to my CMake environment, as the original example works on the ST development kit.

Could anyone who has experience with SBSFU on CMake toolchain offer some advice? Specifically, I'm looking for guidance on:

  • The essential steps to replicate the CubeIDE build process for SBSFU in CMake.

  • Any common pitfalls or required compiler flags for building the STM32U585 SBSFU bootloader outside of CubeIDE.

Thank you in advance for your support,
Eros

Labels:
0 Kudos
1 REPLY 1
Jocelyn RICARD
ST Employee

‎2025-09-12 1:50 AM

Hello @erosghignoni ,

I made the same adaptation for a customer some time ago.

When secure boot has finished its execution, it first closes the HDP (Hide Protection)

This is the purpose of first line of this code

void LL_SECU_UpdateRunTimeProtections(void)
{
  /* Enable HDP protection to hide sensible boot material */
  enable_hdp_protection();
 
  /* Set MPU to enable execution of Secure and Non Secure active slots */
  mpu_appli_cfg();
}

After the first call, the whole flash area of mcuboot is made inaccessible... except for the code running in ".BL2_NoHdp_Area"

This is where the issue comes from: We have a linker region defined like following in stm32u5xx_bl2.ld

.BL2_NoHdp_Area :
    {
        KEEP(*(.BL2_NoHdp_Data))
        KEEP(*(.BL2_NoHdp_Code))
        *mpu_armv8m_drv.o (.text* .rodata*)
        KEEP(*(.BL2_Error_Code))
        __hdp_end__ = .;
    } > FLASH_NOHDP

 

Issue is that cmake is creating object files like mpu_armv8m_drv.c.obj

So, the line with mpu_armv8m_drv.o does not match.

Just changing it with

*mpu_armv8m_drv* (.text* .rodata*)

Will solve the issue.

 

Be careful that you need to launch a prebuild command to generate a output.ld file that is the one actually used for linking.

 

After the change and rebuild, you can check in the map file that mpu_armv8m_drv.c related functions are put at the right location:

 *(.BL2_NoHdp_Code)
 .BL2_NoHdp_Code
                0x0c018130      0x22c CMakeFiles/SBSFU_Boot.dir/Src/boot_hal.c.obj
                0x0c018130                boot_jump_to_next_image
                0x0c018156                boot_jump_to_ns_image
                0x0c01817c                boot_clear_bl2_ram_area
                0x0c018194                boot_clean_ns_ram_area
                0x0c0181dc                execute_loader
                0x0c018270                boot_platform_quit
 .BL2_NoHdp_Code
                0x0c01835c      0x318 CMakeFiles/SBSFU_Boot.dir/Src/low_level_security.c.obj
                0x0c018394                LL_SECU_UpdateLoaderRunTimeProtections
                0x0c018570                LL_SECU_UpdateRunTimeProtections
                0x0c018650                TAMP_IRQHandler
 *mpu_armv8m_drv*(.text* .rodata*)
 .text.mpu_armv8m_enable
                0x0c018674       0x34 CMakeFiles/SBSFU_Boot.dir/Src/mpu_armv8m_drv.c.obj
                0x0c018674                mpu_armv8m_enable
 .text.mpu_armv8m_check
                0x0c0186a8       0x34 CMakeFiles/SBSFU_Boot.dir/Src/mpu_armv8m_drv.c.obj
                0x0c0186a8                mpu_armv8m_check
 .text.mpu_armv8m_region_enable
                0x0c0186dc       0x5e CMakeFiles/SBSFU_Boot.dir/Src/mpu_armv8m_drv.c.obj
                0x0c0186dc                mpu_armv8m_region_enable
 .text.mpu_armv8m_region_enable_check
                0x0c01873a       0x56 CMakeFiles/SBSFU_Boot.dir/Src/mpu_armv8m_drv.c.obj
                0x0c01873a                mpu_armv8m_region_enable_check

With this change your setup should work like with STM32CubeIDE

Best regards

Jocelyn

0 Kudos
Top