2025-09-12 1:00 AM
Hi everyone,
I'm working on integrating the SBSFU (Secure Boot and Secure Firmware Update) into an existing project for a custom board using an STM32U585 microcontroller.
At this stage of the project, I am trying to include the SBSFU_Boot (https://github.com/STMicroelectronics/STM32CubeU5/tree/main/Projects/B-U585I-IOT02A/Applications/SBSFU) into my firmware, in order to be able to create a more secure and upgradable environment.
My goal is to successfully build and run the SBSFU_Boot bootloader from the ST example using my CMake toolchain, so it can eventually load my existing Secure/Non-Secure application.
I have successfully configured CMake to compile the SBSFU_Boot project without any errors. However, after flashing the compiled binary to the microcontroller, the device fails to boot. The bootloader doesn't seem to execute at all.
This issue appears to be related to migrating the build configuration from the provided CubeIDE project to my CMake environment, as the original example works on the ST development kit.
Could anyone who has experience with SBSFU on CMake toolchain offer some advice? Specifically, I'm looking for guidance on:
- The essential steps to replicate the CubeIDE build process for SBSFU in CMake.
- Any common pitfalls or required compiler flags for building the STM32U585 SBSFU bootloader outside of CubeIDE.
Thank you in advance for your support,
Eros
2025-09-12 1:50 AM
Hello @erosghignoni ,
I made the same adaptation for a customer some time ago.
When secure boot has finished its execution, it first closes the HDP (Hide Protection).
This is the purpose of the first line of this code:
    void LL_SECU_UpdateRunTimeProtections(void)
    {
      /* Enable HDP protection to hide sensible boot material */
      enable_hdp_protection();
      /* Set MPU to enable execution of Secure and Non Secure active slots */
      mpu_appli_cfg();
    }
After the first call, the whole flash area of mcuboot is made inaccessible... except for the code running in ".BL2_NoHdp_Area".
This is where the issue comes from: we have a linker region defined as follows in stm32u5xx_bl2.ld:
    .BL2_NoHdp_Area :
    {
        KEEP(*(.BL2_NoHdp_Data))
        KEEP(*(.BL2_NoHdp_Code))
        *mpu_armv8m_drv.o (.text* .rodata*)
        KEEP(*(.BL2_Error_Code))
        __hdp_end__ = .;
    } > FLASH_NOHDP
The issue is that CMake creates object files named like mpu_armv8m_drv.c.obj, so the line with mpu_armv8m_drv.o does not match.
Just changing it to

    *mpu_armv8m_drv* (.text* .rodata*)

will solve the issue.
Be careful: you need to launch a prebuild command to generate an output.ld file, which is the one actually used for linking.
After the change and rebuild, you can check in the map file that mpu_armv8m_drv.c related functions are put at the right location:
*(.BL2_NoHdp_Code)
.BL2_NoHdp_Code
0x0c018130 0x22c CMakeFiles/SBSFU_Boot.dir/Src/boot_hal.c.obj
0x0c018130 boot_jump_to_next_image
0x0c018156 boot_jump_to_ns_image
0x0c01817c boot_clear_bl2_ram_area
0x0c018194 boot_clean_ns_ram_area
0x0c0181dc execute_loader
0x0c018270 boot_platform_quit
.BL2_NoHdp_Code
0x0c01835c 0x318 CMakeFiles/SBSFU_Boot.dir/Src/low_level_security.c.obj
0x0c018394 LL_SECU_UpdateLoaderRunTimeProtections
0x0c018570 LL_SECU_UpdateRunTimeProtections
0x0c018650 TAMP_IRQHandler
*mpu_armv8m_drv*(.text* .rodata*)
.text.mpu_armv8m_enable
0x0c018674 0x34 CMakeFiles/SBSFU_Boot.dir/Src/mpu_armv8m_drv.c.obj
0x0c018674 mpu_armv8m_enable
.text.mpu_armv8m_check
0x0c0186a8 0x34 CMakeFiles/SBSFU_Boot.dir/Src/mpu_armv8m_drv.c.obj
0x0c0186a8 mpu_armv8m_check
.text.mpu_armv8m_region_enable
0x0c0186dc 0x5e CMakeFiles/SBSFU_Boot.dir/Src/mpu_armv8m_drv.c.obj
0x0c0186dc mpu_armv8m_region_enable
.text.mpu_armv8m_region_enable_check
0x0c01873a 0x56 CMakeFiles/SBSFU_Boot.dir/Src/mpu_armv8m_drv.c.obj
0x0c01873a mpu_armv8m_region_enable_check
With this change, your setup should work as it does with STM32CubeIDE.
Best regards
Jocelyn
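Added example (not part of the reply above and not ST's code): a Python check that the pattern in the linker script matches the object names CMake produces, and that every contribution from mpu_armv8m_drv in the map file lies inside .BL2_NoHdp_Area, below __hdp_end__. The map excerpts are constructed from the layout shown in the thread, the function names are hypothetical, and fnmatch is used as an approximation of ld's file-name wildcards.

```python
import fnmatch
import re

HEX = r"0x[0-9a-fA-F]+"
# Constructed excerpts in GNU ld map layout, modelled on the listing in the thread.
OBJ = "CMakeFiles/SBSFU_Boot.dir/Src/mpu_armv8m_drv.c.obj"
GOOD_MAP = f"""\
.BL2_NoHdp_Area
                0x0c018000      0x7d4
 *mpu_armv8m_drv*(.text* .rodata*)
 .text.mpu_armv8m_enable
                0x0c018674       0x34 {OBJ}
 .text.mpu_armv8m_check
                0x0c0186a8       0x34 {OBJ}
                0x0c0187d4                __hdp_end__ = .
"""
# Constructed failure case: driver addresses moved below the area, as when the rule does not match.
BAD_MAP = GOOD_MAP.replace("0x0c0186", "0x0c00a6")

def ld_pattern_matches(pattern, obj_path):
    """Approximate ld's input-file wildcard with fnmatch ('*' also spans '/')."""
    return fnmatch.fnmatchcase(obj_path, pattern)

def nohdp_bounds(map_text):
    """Return (start, end) of .BL2_NoHdp_Area, with end taken from __hdp_end__."""
    start = re.search(r"^\.BL2_NoHdp_Area\s+(" + HEX + r")[ \t]+" + HEX, map_text, re.M)
    end = re.search(r"(" + HEX + r")[ \t]+__hdp_end__[ \t]*=", map_text)
    if not start or not end:
        raise ValueError("NoHdp area or __hdp_end__ not found in map file")
    return int(start.group(1), 16), int(end.group(1), 16)

def misplaced(map_text, obj_glob):
    """List (address, size, object) contributions of obj_glob outside the NoHdp area."""
    lo, hi = nohdp_bounds(map_text)
    row = re.compile(r"^[ \t]*(?:\S+[ \t]+)?(" + HEX + r")[ \t]+(" + HEX +
                     r")[ \t]+(\S+\.(?:o|obj))[ \t]*$", re.M)
    bad = []
    for addr, size, obj in row.findall(map_text):
        a, s = int(addr, 16), int(size, 16)
        if ld_pattern_matches(obj_glob, obj) and s and not (lo <= a and a + s <= hi):
            bad.append((a, s, obj))
    return bad

if __name__ == "__main__":
    print("old rule matches CMake object:", ld_pattern_matches("*mpu_armv8m_drv.o", OBJ))
    for a, s, obj in misplaced(BAD_MAP, "*mpu_armv8m_drv*"):
        print(f"outside NoHdp area: {a:#010x} +{s:#x} {obj}")
```

Run against the real map file as a post-link step, a non-empty result means the MPU driver would become unreachable once HDP is closed.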
2025-09-12 6:10 AM
Hi, thank you so much for your quick response.
I tried your suggestion but I am not able to start the bootloader.
Here is the map file section (I've just disabled the tamper):
.BL2_NoHdp_Area
0x0c018000 0x7d4
*(.BL2_NoHdp_Data)
.BL2_NoHdp_Data
0x0c018000 0x130 CMakeFiles/SBSFU_Boot.dir/SBSFU_Boot/Src/low_level_security.c.obj
0x0c018000 sau_load_cfg
0x0c0180a0 region_cfg_appli_ns
0x0c01810c region_cfg_appli_s
*(.BL2_NoHdp_Code)
.BL2_NoHdp_Code
0x0c018130 0x22c CMakeFiles/SBSFU_Boot.dir/SBSFU_Boot/Src/boot_hal.c.obj
0x0c018130 boot_jump_to_next_image
0x0c018156 boot_jump_to_ns_image
0x0c01817c boot_clear_bl2_ram_area
0x0c018194 boot_clean_ns_ram_area
0x0c0181dc execute_loader
0x0c018270 boot_platform_quit
.BL2_NoHdp_Code
0x0c01835c 0x2f4 CMakeFiles/SBSFU_Boot.dir/SBSFU_Boot/Src/low_level_security.c.obj
0x0c018394 LL_SECU_UpdateLoaderRunTimeProtections
0x0c018570 LL_SECU_UpdateRunTimeProtections
*mpu_armv8m_drv*(.text* .rodata*)
.text.mpu_armv8m_enable
0x0c018650 0x34 CMakeFiles/SBSFU_Boot.dir/SBSFU_Boot/Src/mpu_armv8m_drv.c.obj
0x0c018650 mpu_armv8m_enable
.text.mpu_armv8m_check
0x0c018684 0x34 CMakeFiles/SBSFU_Boot.dir/SBSFU_Boot/Src/mpu_armv8m_drv.c.obj
0x0c018684 mpu_armv8m_check
.text.mpu_armv8m_region_enable
0x0c0186b8 0x5e CMakeFiles/SBSFU_Boot.dir/SBSFU_Boot/Src/mpu_armv8m_drv.c.obj
0x0c0186b8 mpu_armv8m_region_enable
.text.mpu_armv8m_region_enable_check
0x0c018716 0x56 CMakeFiles/SBSFU_Boot.dir/SBSFU_Boot/Src/mpu_armv8m_drv.c.obj
0x0c018716 mpu_armv8m_region_enable_check
*(.BL2_Error_Code)
.BL2_Error_Code
0x0c01876c 0x68 CMakeFiles/SBSFU_Boot.dir/SBSFU_Boot/Src/boot_hal.c.obj
0x0c01876c Error_Handler
0x0c0187d4 __hdp_end__ = .
The SECBOOTADD0 OptionByte is set at Value 0x1800c0 and Address 0x0c006000 (as suggested by the example).
Trying with the debugger, it seems that the microcontroller is stuck at instruction address 0x0c01876c (Error_Handler).
I would like to ask you if you have some suggestions or if you have some CMake file template that you can provide me.
Thank you so much for your time and best regards
Eros
2025-09-12 9:28 AM
Hello @erosghignoni ,
It looks like you didn't launch the installation scripts (regression.sh and SBSFU_Update.sh) that set up the option bytes properly. I would guess that secure watermarks are not set up correctly.
I would suggest first becoming familiar with the SBSFU through STM32CubeIDE and making it work, so that you have a working setup that you can use for comparison.
Best regards
Jocelyn