2024-11-12 08:38 AM - edited 2024-11-12 08:53 AM
# Overview
I am looking into secure bootloader options for the STM32U5G9J-DK2 that support application updates. For now, I just wanted to run a demo that showed updating the application over UART.
Initially I thought to start with SBSFU since that is what I am familiar with, but it seems various posts here and elsewhere guide toward TFM for the Cortex-M33.
After trying both options using STM32CubeIDE 1.15.1 and STM32CubeProgrammer 2.17.0 in Windows, neither demo project seemed to work out-of-the-box and I am now unsure what to do next.
# What I Tried (SBSFU)
I initially downloaded and adjusted the U585 SBSFU example to the STM32U5G9 as described in the README:
The 5 projects compiled and appeared to load OK, but it doesn't run the external loader if holding the User Button at boot; the serial terminal prints a single message "[INF] Flash operation: Op=0x0, Area=0x0, Address=0x0" but nothing more (went silent). For a normal boot without User Button pressed, the application menu shows options to toggle an LED or exercise protection settings, which work OK but don't demonstrate updating the app like I wanted to see.
# What I Tried (TFM)
After SBSFU didn't seem to fully work, I switched to the TFM demo hoping this was more polished. It took a bit to realize the TFM demo must be downloaded as a package from the ST website and isn't on Git...but eventually I got the v1.6.0 package that had the U585 TFM example in it.
I adjusted the projects for the STM32U5G9 target, disabled TAMPER since the pins aren't valid on the U5G9 EVK, compiled the 5 projects in the prescribed order and ran the `dataimg.sh` script. Finally, I ran the regression and program script and rebooted my EVK. The bootloader printed various things but stops after printing "[ERR] Unable to find bootable image". With some additional logs added, it appears that the slot / image header is all 0xFF, which causes a failure in `Middlewares/mcuboot/loader.c : boot_validate_slot()`. Not sure why this would be.
I did notice the bootloader sets Option Byte RDP to 0xBB, but STM32CubeProgrammer shows different values:
Maybe the RDP values are just different with TrustZone enabled?
# Questions
1. Is TFM recommended for the U5G9? Or would SBSFU work just as well? The SBSFU example seems very different than other STM32 families (WB, etc).
2. Assuming TFM is recommended, what would cause the TFM bootloader to print "no bootable images" after following the README steps? Are there additional edits required for U5G9 not described in the README?
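The "header is all 0xFF" symptom from the post above can be checked on the host against a raw flash dump before stepping through `boot_validate_slot()`. This is an added example, not part of the original post or ST's package; it assumes the upstream MCUboot `struct image_header` layout and magic value, and the dump contents, slot offset and 0x400 header size are constructed for illustration.

```python
import struct

IMAGE_MAGIC = 0x96F3B83D           # ih_magic in upstream MCUboot image.h
HEADER_FMT = "<IIHHIIBBHII"         # little-endian struct image_header
HEADER_SIZE = struct.calcsize(HEADER_FMT)   # 32 bytes


def classify_slot(dump: bytes, slot_offset: int = 0) -> dict:
    """Classify the image slot that starts at slot_offset inside a flash dump."""
    hdr = dump[slot_offset:slot_offset + HEADER_SIZE]
    if len(hdr) < HEADER_SIZE:
        return {"state": "truncated"}
    if hdr == b"\xff" * HEADER_SIZE:
        # Erased flash: nothing was programmed at the address the loader reads.
        return {"state": "erased"}
    (magic, _load, hdr_size, _prot_tlv, img_size, flags,
     major, minor, rev, build, _pad) = struct.unpack(HEADER_FMT, hdr)
    if magic != IMAGE_MAGIC:
        # Data is present but is not an MCUboot image (unsigned or misplaced binary).
        return {"state": "bad_magic", "magic": hex(magic)}
    if hdr_size < HEADER_SIZE or slot_offset + hdr_size + img_size > len(dump):
        return {"state": "bad_size", "hdr_size": hdr_size, "img_size": img_size}
    return {"state": "image", "version": f"{major}.{minor}.{rev}+{build}",
            "hdr_size": hdr_size, "img_size": img_size, "flags": flags}


def constructed_image(payload: bytes, hdr_size: int = 0x400) -> bytes:
    """Build a sample header + payload for the demo (constructed, not a real image)."""
    hdr = struct.pack(HEADER_FMT, IMAGE_MAGIC, 0, hdr_size, 0,
                      len(payload), 0, 1, 0, 0, 0, 0)
    return hdr.ljust(hdr_size, b"\x00") + payload


if __name__ == "__main__":
    erased_slot = b"\xff" * 4096                   # what the post observed
    good_slot = constructed_image(b"\xaa" * 16)    # constructed sample image
    print("erased slot:", classify_slot(erased_slot))
    print("good slot:  ", classify_slot(good_slot))
```

An `erased` result at the expected slot address while the programming step reported success points at an address or layout mismatch between the build and the flashing scripts, rather than at signature validation.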
2024-11-12 10:38 AM
After taking a break, I did a more comprehensive search of the entire `TFM/` folder for the demo and found a few lingering `STM32U585AIIx` definitions, mainly in the `.cproject` files. I had removed the symbol and added a new one in the STM32CubeIDE, but I guess it didn't remove these? Anyway, I replaced the symbols manually and did a full clean + rebuild, and the demo is now booting into the application with interactive menu as described!
I wonder if the same issue applies to the SBSFU example, since the process of retargeting from STM32U585 to STM32U5G9 was very similar (edit symbol in the IDE).
I'd still like some feedback if TFM is the fully recommended project...but for now that is what I will stick with.
2024-11-13 05:58 AM
Hello @ttnickb ,
The SBSFU is just a secure boot with update capabilities for secure + non-secure applications.
The TFM embeds the same secure boot + a secure application providing secure services like secure storage and cryptography accessible through PSA API from the non-secure application.
So, it depends what you need.
The SBSFU should work out of the box if you get it from STM32CubeU5.
Best regards
Jocelyn
2024-11-14 04:00 AM
Thanks Jocelyn. I did get the SBSFU demo working also.
With adjustments to the SBSFU app, would it be possible to download a new application without rebooting into the loader (i.e. in the same way the TFM demo does it...download using YMODEM protocol from the app)? Or is that somehow prevented since SBSFU doesn't have all the same TrustZone features enabled?
2024-11-14 05:58 AM
Hello @ttnickb ,
The principle is the same. With SBSFU the TrustZone is enabled also.
The point is that the default SBSFU configuration doesn't provide a download slot (primary only configuration).
You can adapt SBSFU to your needs by changing the configuration in flash_layout.h in linker directory.
The provided example uses these configuration flags to enable related menus.
So, if you disable the MCUBOOT_PRIMARY_ONLY flag, you will get a menu in the application that allows downloading an application in the download slot using Ymodem.
Best regards
Jocelyn