SBSFU UserApp (appli_binary) is not merging with SBSFU_UserApp.bin file

Ikbal · ‎2022-10-08

Hello,

I am trying to flashing customized SBSFU_UserApp.bin of 1_Image application from BSFU example project on STM32H7B3I-DK.

I am getting error when the application is booting. The error is:

= [SBOOT] SECURE ENGINE INITIALIZATION SUCCESSFUL

= [SBOOT] STATE: CHECK STATUS ON RESET

INFO: A Reboot has been triggered by a Hardware reset!

= [SBOOT] STATE: CHECK NEW FIRMWARE TO DOWNLOAD

= [SBOOT] STATE: CHECK USER FW STATUS

No valid FW found in the active slots nor new FW to be installed

Waiting for the local download to start...

= [SBOOT] STATE: DOWNLOAD NEW USER FIRMWARE

File> Transfer> YMODEM> Send ...............

The reference 1_Image of STM32H7B3I-DK is working fine.

I am adding a new crypto scheme in this application. I have not change any address in the Linker_Common files. I am setting the application in development mode through app_sfu.h fie. The compilation of 3 applications, prebuild and postbuild scripts is successfully done.

I am trying to read back the flash of STM32 and I find the address 0x08010400 is empty, however the SBSFU application and my customized active image header is visible in the respective flash area.

I have added some debug log in postbuild script and it seems like the postbuild is working fine.

I am not able to understand the reason for not merging of UserApp in big binary.

Please help me to fixed this issue.

Thanks,

Ikbal

Bubbles · ‎2022-10-10

Hi @Ikbal,

you wrote that the only change you've done is the crypto scheme added? Maybe you could try to compare the map files of the apps to see the differences - there may be a need for linker file alteration after all. Or maybe try to undo some changes to see which caused the failure.

Also when you try to upload the sfb file to the device, does at least that work?

BR,

J

To give better visibility on the answered topics, please click on Accept as Solution on the reply which solved your issue or answered your question.

Ikbal · ‎2022-10-10

Hi JHOUD,

Thanks for the response. I tried to follow the process mentioned.

A) I tried to upload the sfb file and I am getting error related to header authentication. The error log is show in below:

======================================================================
=              (C) COPYRIGHT 2017 STMicroelectronics                 =
=                                                                    =
=              Secure Boot and Secure Firmware Update                =
======================================================================
 
= [SBOOT] SECURE ENGINE INITIALIZATION SUCCESSFUL
= [SBOOT] STATE: CHECK STATUS ON RESET
          INFO: A Reboot has been triggered by a Hardware reset!
= [SBOOT] STATE: CHECK NEW FIRMWARE TO DOWNLOAD
= [SBOOT] STATE: CHECK USER FW STATUS
          No valid FW found in the active slots nor new FW to be installed
          Waiting for the local download to start...
= [SBOOT] STATE: DOWNLOAD NEW USER FIRMWARE
          File> Transfer> YMODEM> Send .
        Fw header authentication error
= [SBOOT] STATE: HANDLE CRITICAL FAILURE
= [SBOOT] STATE: REBOOT STATE MACHINE
========= End of Execution ==========
 
 
= [SBOOT] RuntimeProtections: 0
= [SBOOT] System Security Check successfully passed. Starting...

As per my understanding the error is coming during header authentication check upon start of download sfb app. Please note that earlier when I tried to flash the SBSFU_UserApp.bin , the SBDFU App & the header were successfully written to the flash but the user application is not written to flash.

I have a question regarding when the header is written for the very first time. Is any header authentication performed at that time ?.

I feel that header authentication should not be performed at the very first time as the newly written SBSFU & then user application have to be tested and debugged.

.

Please confirm if my understanding is correct,.

B) I have disassembled the SBSFU_UserApp.bin using $ hexdump -C SBSFU_UserApp.bin and I am able to see the content at 0x00010400 address of the dump. But when I read back the same address directly from the flash there is nothing at that location. Its look like flashing of the SBSFU_UserApp.bin is happening partially as mentioned in A) above.

It appears that i have either missed something or done something wrong while making post-build scripts. Please let me know the likely area in post-build script where this could have happene whereby while full code is being built properly but not flashed completely.

C) The changes I have done in se_crypto_bootloader.c are for adding "new crypto" support and in the length of SE_HEADER_SIGN_LEN micro for the "new crypto" sign length.

I have compared the map files of the STM32H7B3I-DK ECC application and my application with respect to memory configuration and linker script & memory map, but there are no differences. The log is attached in the next answer.

Please suggest what else I can check to solve the problem.

Thanks & Best Regards,

Ikbal

Ikbal · ‎2022-10-10

Hi,

I am attaching the same logs below:

Memory Configuration
 
Name             Origin             Length             Attributes
SE_Entry_Secure_ROM_Region 0x0000000008000400 0x0000000000000200 xr
SE_Key_region_ROM 0x0000000008000600 0x0000000000000300 xr
SE_Startup_region_ROM 0x0000000008000900 0x0000000000000100 xr
SE_ROM_region    0x0000000008000a00 0x0000000000005600 xr
SE_IF_region_ROM 0x0000000008006000 0x0000000000000900 xr
SB_HDP_ROM_region 0x0000000008006900 0x0000000000000100 xr
SB_ROM_region    0x0000000008006a00 0x0000000000009600 xr
SE_RAM_region    0x0000000020000400 0x0000000000000c00 xrw
SB_HDP_Code_RAM_region 0x0000000020001000 0x0000000000000100 xrw
SB_RAM_region    0x0000000020001100 0x000000000001ef00 xrw
*default*        0x0000000000000000 0xffffffffffffffff
 
Linker script and memory map
                0x0000000000000000                _Min_Heap_Size = 0x0
                0x0000000000000000                _Min_Stack_Size = 0x0
                0x0000000008010000                __ICFEDIT_SLOT_Active_1_start__ = 0x8010000
                0x00000000081fffff                __ICFEDIT_SLOT_Active_1_end__ = 0x81fffff
                0x0000000008010000                __ICFEDIT_SLOT_Active_1_header__ = __ICFEDIT_SLOT_Active_1_start__
                0x0000000000000000                __ICFEDIT_SLOT_Active_2_header__ = 0x0
                0x0000000000000000                __ICFEDIT_SLOT_Active_2_start__ = 0x0
                0x0000000000000000                __ICFEDIT_SLOT_Active_2_end__ = 0x0
                0x0000000000000000                __ICFEDIT_SLOT_Active_3_header__ = 0x0
                0x0000000000000000                __ICFEDIT_SLOT_Active_3_start__ = 0x0
                0x0000000000000000                __ICFEDIT_SLOT_Active_3_end__ = 0x0
                0x0000000000000400                VECTOR_SIZE = 0x400
                0x0000000008000400                __ICFEDIT_SE_Code_region_ROM_start__ = (0x8000000 + VECTOR_SIZE)
                0x0000000008000400                __ICFEDIT_SE_CallGate_region_ROM_start__ = __ICFEDIT_SE_Code_region_ROM_start__
                0x00000000080005ff                __ICFEDIT_SE_CallGate_region_ROM_end__ = (__ICFEDIT_SE_Code_region_ROM_start__ + 0x1ff)
                0x0000000008000600                __ICFEDIT_SE_Key_region_ROM_start__ = (__ICFEDIT_SE_CallGate_region_ROM_end__ + 0x1)
                0x00000000080008ff                __ICFEDIT_SE_Key_region_ROM_end__ = (__ICFEDIT_SE_Key_region_ROM_start__ + 0x2ff)
                0x0000000008000900                __ICFEDIT_SE_Startup_region_ROM_start__ = (__ICFEDIT_SE_Key_region_ROM_end__ + 0x1)
                0x0000000008000a00                __ICFEDIT_SE_Code_nokey_region_ROM_start__ = (__ICFEDIT_SE_Startup_region_ROM_start__ + 0x100)
                0x0000000008005fff                __ICFEDIT_SE_Code_region_ROM_end__ = 0x8005fff
                0x0000000008006000                __ICFEDIT_SE_IF_region_ROM_start__ = 0x8006000
                0x00000000080068ff                __ICFEDIT_SE_IF_region_ROM_end__ = (__ICFEDIT_SE_IF_region_ROM_start__ + 0x8ff)
                0x0000000008006900                __ICFEDIT_SB_HDP_region_ROM_start__ = (__ICFEDIT_SE_IF_region_ROM_end__ + 0x1)
                0x00000000080069ff                __ICFEDIT_SB_HDP_region_ROM_end__ = (__ICFEDIT_SB_HDP_region_ROM_start__ + 0xff)
                0x0000000008006a00                __ICFEDIT_SB_region_ROM_start__ = (__ICFEDIT_SB_HDP_region_ROM_end__ + 0x1)
                0x000000000800ffff                __ICFEDIT_SB_region_ROM_end__ = 0x800ffff
                0x0000000000000200                SE_Entry_Secure_ROM_Region_Length = ((__ICFEDIT_SE_CallGate_region_ROM_end__ - __ICFEDIT_SE_CallGate_region_ROM_start__) + 0x1)
                0x0000000000000300                SE_Key_region_ROM_Length = ((__ICFEDIT_SE_Key_region_ROM_end__ - __ICFEDIT_SE_Key_region_ROM_start__) + 0x1)
                0x0000000000000100                SE_Startup_region_ROM_Length = (__ICFEDIT_SE_Code_nokey_region_ROM_start__ - __ICFEDIT_SE_Startup_region_ROM_start__)
                0x0000000000005600                SE_ROM_region_Length = ((__ICFEDIT_SE_Code_region_ROM_end__ - __ICFEDIT_SE_Code_nokey_region_ROM_start__) + 0x1)
                0x0000000000000900                SE_IF_region_ROM_Length = ((__ICFEDIT_SE_IF_region_ROM_end__ - __ICFEDIT_SE_IF_region_ROM_start__) + 0x1)
                0x0000000000000100                SB_HDP_ROM_region_Length = ((__ICFEDIT_SB_HDP_region_ROM_end__ - __ICFEDIT_SB_HDP_region_ROM_start__) + 0x1)
                0x0000000000009600                SB_ROM_region_Length = ((__ICFEDIT_SB_region_ROM_end__ - __ICFEDIT_SB_region_ROM_start__) + 0x1)
                0x0000000020000000                __ICFEDIT_SE_region_RAM_start__ = 0x20000000
                0x0000000020000400                __ICFEDIT_SE_region_RAM_stack_top__ = 0x20000400
                0x0000000020000fff                __ICFEDIT_SE_region_RAM_end__ = 0x20000fff
                0x0000000020001000                __ICFEDIT_SB_HDP_Code_region_RAM_start__ = (__ICFEDIT_SE_region_RAM_end__ + 0x1)
                0x00000000200010ff                __ICFEDIT_SB_HDP_Code_region_RAM_end__ = (__ICFEDIT_SB_HDP_Code_region_RAM_start__ + 0xff)
                0x0000000020001100                __ICFEDIT_SB_region_RAM_start__ = (__ICFEDIT_SB_HDP_Code_region_RAM_end__ + 0x1)
                0x000000002001ffff                __ICFEDIT_SB_region_RAM_end__ = 0x2001ffff
                0x0000000000000c00                SE_RAM_region_Length = ((__ICFEDIT_SE_region_RAM_end__ - __ICFEDIT_SE_region_RAM_stack_top__) + 0x1)
                0x0000000000000100                SB_HDP_CODE_RAM_region_Length = ((__ICFEDIT_SB_HDP_Code_region_RAM_end__ - __ICFEDIT_SB_HDP_Code_region_RAM_start__) + 0x1)
                0x000000000001ef00                SB_RAM_region_Length = ((__ICFEDIT_SB_region_RAM_end__ - __ICFEDIT_SB_region_RAM_start__) + 0x1)

Ikbal · ‎2022-10-10

Hi,

Some differences were also there and log is given below.

 .text.SE_CRYPTO_Authenticate_Metadata
 
        0x0000000008000bf0    0xf0 ./Application/User/se_crypto_bootloader.o
 
        0x0000000008000bf0        SE_CRYPTO_Authenticate_Metadata
 
 .text.__NVIC_SystemReset
 
        0x0000000008000ce0    0x24 ./Application/User/se_low_level.o
 
 .text.SE_LL_GetSector
 
        0x0000000008000d04    0x34 ./Application/User/se_low_level.o
 
 .text.SE_LL_CRC_Config
 
        0x0000000008000d38    0x38 ./Application/User/se_low_level.o
 
        0x0000000008000d38        SE_LL_CRC_Config
 
 .text.SE_LL_FLASH_Erase
 
        0x0000000008000d70    0xb0 ./Application/User/se_low_level.o
 
        0x0000000008000d70        SE_LL_FLASH_Erase
 
 .text.SE_LL_FLASH_Write
 
        0x0000000008000e20    0x54 ./Application/User/se_low_level.o
 
        0x0000000008000e20        SE_LL_FLASH_Write
 
 .text.SE_LL_FLASH_Read
 
        0x0000000008000e74    0x58 ./Application/User/se_low_level.o
 
        0x0000000008000e74        SE_LL_FLASH_Read
 
 .text.SE_LL_Buffer_in_ram
 
        0x0000000008000ecc    0x30 ./Application/User/se_low_level.o
 
        0x0000000008000ecc        SE_LL_Buffer_in_ram
 
 .text.SE_LL_Buffer_in_SBSFU_ram
 
        0x0000000008000efc    0x30 ./Application/User/se_low_level.o
 
        0x0000000008000efc        SE_LL_Buffer_in_SBSFU_ram
 
 .text.SE_LL_Buffer_part_of_SE_ram
 
        0x0000000008000f2c    0x38 ./Application/User/se_low_level.o
 
        0x0000000008000f2c        SE_LL_Buffer_part_of_SE_ram
 
 .text.SE_LL_CORE_Cleanup
 
        0x0000000008000f64    0x4 ./Application/User/se_low_level.o
 
        0x0000000008000f64        SE_LL_CORE_Cleanup
 
 .text.SE_LL_Lock_Keys
 
        0x0000000008000f68    0x8 ./Application/User/se_low_level.o
 
        0x0000000008000f68        SE_LL_Lock_Keys
 
 .text.HAL_CRC_MspInit
 
        0x0000000008000f70    0x2 ./Drivers/STM32H7xx_HAL_Driver/stm32h7xx_hal_crc.o
 
        0x0000000008000f70        HAL_CRC_MspInit
 
 *fill*     0x0000000008000f72    0x2 
 
 .text.HAL_CRC_Init
 
        0x0000000008000f74    0x74 ./Drivers/STM32H7xx_HAL_Driver/stm32h7xx_hal_crc.o
 
        0x0000000008000f74        HAL_CRC_Init
 
 .text.HAL_CRCEx_Polynomial_Set
 
        0x0000000008000fe8    0x48 ./Drivers/STM32H7xx_HAL_Driver/stm32h7xx_hal_crc_ex.o
 
        0x0000000008000fe8        HAL_CRCEx_Polynomial_Set
 
 .text.HAL_FLASH_Unlock
 
        0x0000000008001030    0x4c ./Drivers/STM32H7xx_HAL_Driver/stm32h7xx_hal_flash.o
 
        0x0000000008001030        HAL_FLASH_Unlock
 
 .text.HAL_FLASH_Lock
 
        0x000000000800107c    0x30 ./Drivers/STM32H7xx_HAL_Driver/stm32h7xx_hal_flash.o
 
        0x000000000800107c        HAL_FLASH_Lock
 
 .text.FLASH_WaitForLastOperation
 
        0x00000000080010ac    0xc0 ./Drivers/STM32H7xx_HAL_Driver/stm32h7xx_hal_flash.o
 
        0x00000000080010ac        FLASH_WaitForLastOperation
 
 .text.HAL_FLASH_Program
 
        0x000000000800116c    0xec ./Drivers/STM32H7xx_HAL_Driver/stm32h7xx_hal_flash.o
 
        0x000000000800116c        HAL_FLASH_Program
 
 .text.FLASH_MassErase.constprop.0
 
        0x0000000008001258    0x3c ./Drivers/STM32H7xx_HAL_Driver/stm32h7xx_hal_flash_ex.o
 
 .text.FLASH_Erase_Sector
 
        0x0000000008001294    0x44 ./Drivers/STM32H7xx_HAL_Driver/stm32h7xx_hal_flash_ex.o
 
        0x0000000008001294        FLASH_Erase_Sector
 
 .text.HAL_FLASHEx_Erase
 
        0x00000000080012d8   0x120 ./Drivers/STM32H7xx_HAL_Driver/stm32h7xx_hal_flash_ex.o
 
        0x00000000080012d8        HAL_FLASHEx_Erase
 
 .text.__NVIC_SystemReset
 
        0x00000000080013f8    0x24 ./Middlewares/STM32_Secure_Engine/se_callgate.o
 
 .text.SE_CallGateService
 
        0x000000000800141c   0x4d0 ./Middlewares/STM32_Secure_Engine/se_callgate.o
 
        0x000000000800141c        SE_CallGateService
 
 .text.SE_IMG_Write
 
        0x00000000080018ec    0x2c ./Middlewares/STM32_Secure_Engine/se_fwimg.o
 
        0x00000000080018ec        SE_IMG_Write
 
 .text.SE_IMG_Read
 
        0x0000000008001918    0x2c ./Middlewares/STM32_Secure_Engine/se_fwimg.o
 
        0x0000000008001918        SE_IMG_Read
 
 .text.SE_IMG_Erase
 
        0x0000000008001944    0x30 ./Middlewares/STM32_Secure_Engine/se_fwimg.o
 
        0x0000000008001944        SE_IMG_Erase
 
 .text.SE_APPLI_GetActiveFwInfo
 
        0x0000000008001974    0x40 ./Middlewares/STM32_Secure_Engine/se_user_application.o
 
        0x0000000008001974        SE_APPLI_GetActiveFwInfo
 
 .text.SE_SetSystemCoreClock
 
        0x00000000080019b4    0xc ./Middlewares/STM32_Secure_Engine/se_utils.o
 
        0x00000000080019b4        SE_SetSystemCoreClock
 
 .text.HAL_GetTick
 
        0x00000000080019c0    0x40 ./Middlewares/STM32_Secure_Engine/se_utils.o
 
        0x00000000080019c0        HAL_GetTick
 
 .text.SHA256Transform
 
        0x0000000008001a00   0x278 ../../../../../../../Middlewares/ST/STM32_Cryptographic/Fw_Crypto/STM32H7A3/Lib\STM32CryptographicV3.1.3_CM7_GCC.a(crypto.o)
 
 .text.SHA256Update
 
        0x0000000008001c78    0x8e ../../../../../../../Middlewares/ST/STM32_Cryptographic/Fw_Crypto/STM32H7A3/Lib\STM32CryptographicV3.1.3_CM7_GCC.a(crypto.o)
 
        0x0000000008001c78        SHA256Update
 
 .text.SHA256_Append
 
        0x0000000008001d06    0x26 ../../../../../../../Middlewares/ST/STM32_Cryptographic/Fw_Crypto/STM32H7A3/Lib\STM32CryptographicV3.1.3_CM7_GCC.a(crypto.o)
 
        0x0000000008001d06        SHA256_Append
 
 .text.SHA256Init
 
        0x0000000008001d2c    0x50 ../../../../../../../Middlewares/ST/STM32_Cryptographic/Fw_Crypto/STM32H7A3/Lib\STM32CryptographicV3.1.3_CM7_GCC.a(crypto.o)

There were differences prior during compile time which are due to different crypto schemes.

Bubbles · ‎2022-10-11

Hi @Ikbal,

there is no obvious problem in the memory mapping, I see.

I still don't know what's the change you did in the cryptography scheme.

Where did you configure the change? in app_sfu.h ? There you can try also disabling some checks and protections for debug purposes.

I should probably also highlight the existence of AN5056 and UM2262 where you may find some tips regarding the cryptography scheme swap in the project.

BR,

J

To give better visibility on the answered topics, please click on Accept as Solution on the reply which solved your issue or answered your question.

Ikbal · ‎2022-10-11

Dear JHOUD,

Thank you for the update.

I tried to add RSA signing and verification in place of ECDSA. I followed the AN5056 section 7.1 for adding new crypto scheme but with following modifications:.

I have not add a new scheme in the se_crypto_config.h file. I used the same SECBOOT_ECCDSA_WITHOUT_ENCRYPT_SHA256 scheme name and I have made changes in the se_crypto_bootloader.c with RSA API's and other required variables in place of ECDSA API's. As per my understanding the crypto scheme name is checking in many source and header files. If I add a new scheme name I need to add in all those places. This is the reason I am using this method.
I used the same harder structure that SECBOOT_ECCDSA_WITHOUT_ENCRYPT_SHA256 is used. The changes I have done in SE_HEADER_SIGN_LEN with 256 for RSA sign length.

Please let me know if I can live without scheme name as detailed above as it would lots of changes. If name change is a must, please let me know the reason for such change,

Further, in app_sfu.h, I have disables all the protection by enabling SECBOOT_DISABLE_SECURITY_IPS.

Thanks & Best Regards,

Ikbal

Ikbal · ‎2022-10-11

Dear JHOUD,

I able to find the reason of the error. The error is because of Header signature verification failure in slot SLOT_ACTIVE_1.

Now, I want to debug my changes in se_crypto_bootloader.c file of SECoreBin project. I tried to add TRACE same a SBSFU app and printf API's for adding debug messages but I am getting compile time error.

I am using STM32Cube IDE and compiling the applications as per the order maintain in the readme of the STM32H7B3I-DK 1_Image demo project.

I want to know, what is the proper debug mechanism for SECoreBin application? How can I enable debug mode of this application?

Thanks & Best Regards,

Ikbal