
SBSFU with Trust Zone on U575STM32 ?

Nicholas Parker
Associate III

Hello,

I'm looking for some advice on how to progress, beginning from a fairly novice position, with a secure bootloader. I'm beginning a project where at least a secure update process (where the existing application does the update) is desired. Ideally I'd have encrypted and signed application updates being delivered to my target application and put away in flash, then reset the MCU and have a bootloader validate / process the update.

I've found Zephyr and had a small play with MCUBoot -- it seems pretty cool, though I also found that some combinations of options created interesting build failures that were confusing. I've just stumbled across the SBSFU project - which appears to utilise some of MCUBoot, but I'm having a slow time making sense of it, with its half a dozen projects and plethora of source files.

If there is not an STM project that can be configured and directly used on the U575 -- I'm hoping there is at least an overview / walk through of this project somewhere (potentially with diagrams) explaining what role each project has and how it works, how to port it (what's needed), how to build it etc? And maybe a walk through of producing an update and deploying it.

It's not clear to me if this project can be used on a non-crypto MCU as the example appears to be for the 585 and it looked like HW crypto was involved.

Kind regards, Nick

7 REPLIES
Nicholas Parker
Associate III

On the subject of trying to build SBSFU projects, and while I still don't know how to use the files that get built yet... I seem to have a couple of issues with building. I'd like to understand the correct solution for this:

(I know I can uncheck the option in project/Miscellaneous, but I don't understand why the GCC that ships with Cube IDE doesn't seem to support the '-fcyclomatic-complexity' option that's configured in the CubeU5 projects -- am I overlooking something? Have I installed something incorrectly?)

 

arm-none-eabi-gcc: error: unrecognized command-line option '-fcyclomatic-complexity

make[1]: *** [Middlewares/mcuboot/subdir.mk:73: Middlewares/mcuboot/bl2_main.o] Error 1

make[1]: *** Waiting for unfinished jobs....

make[1]: *** [Middlewares/mcuboot/subdir.mk:75: Middlewares/mcuboot/bootutil_misc.o] Error 1

arm-none-eabi-gcc: error: unrecognized command-line option '-fcyclomatic-complexity'

 

 

So if I run 'where arm-none-eabi-gcc' I get this -- it seems correct?
C:\ST\STM32CubeIDE_2.0.0\STM32CubeIDE\plugins\com.st.stm32cube.ide.mcu.externaltools.gnu-tools-for-stm32.13.3.rel1.win32_1.0.100.202509120712\tools\bin\arm-none-eabi-gcc.exe

If I turn the cyclomatic complexity option off -- files compile nicely... but things fall over again at the post build step.

 

18424 160 3224 21808 5530 SBSFU_Loader_NonSecure.elf

"../../postbuild.sh" "." "nonsecure"

HOST OS : Windows detected

C:/__nick/ST/STM32CubeU5/Projects/B-U585I-IOT02A/Applications/SBSFU/SBSFU_Loader/STM32CubeIDE/NonSecure/Release

HOST OS : Windows detected

Usage: imgtool.exe ass [OPTIONS] INFILE OUTFILE

Try 'imgtool.exe ass -h' for help.

 

Error: Invalid value for '-o' / '--optional-size': -i is not a valid integer. prefixed with 0b/0B, 0o/0O, or 0x/0X as necessary.

postbuild.sh failed

 

Nicholas Parker
Associate III

 

For the Loader project: is there a list of changes required to build this for a non HW acceleration STM32U5XX device? It seems I'd need to (I think) at a minimum

  • turn off HW crypto via a #define (#undef BL2_HW_ACCEL_ENABLE)
  • edit some lines in low_level_com.c to suit the UART / USART I'd like to use
  • edit the -D option to use 'STM32U575xx' not DSTM32U585xx
  • Is there anything else aside from setting up the flash partitioning / options?

I'm also having an issue that 'SaesClockSelection' is not defined in stm32u575xx_hal_msp.c

Should there be some kind of include guard around this to suit the U575 device?

 

 

 

 

Jocelyn RICARD
ST Employee

Hello @Nicholas Parker ,

I used the latest STM32U5Cube_FW_U5 version 1.8.0 example in Projects\B-U585I-IOT02A\Applications\SBSFU_Nucleo\SBSFU_Appli\Binary\

Used the latest STM32CubeIDE V2.0.0

Changed files:

config-boot.h : commented line 34: //#define BL2_HW_ACCEL_ENABLE

boot_hal_cfg.h : commented protections WRP and HDP and selected NO_TAMPER to ease debugger usage

I also added the speed=fast option in SBSFU_UPDATE.sh to download faster (lines 33 and 34)

Then I launched the following scripts and connected a terminal emulator to check the traces

regression.sh

SBSFU_UPDATE.sh

Everything is working as expected.

Didn't change anything else.

The UART setting does not need to be changed between Nucleo U575 and DK U585.

To be cleaner you would need to change the define STM32U585xx and also the startup files, but that's not mandatory as long as you keep using only U575 peripherals.

Also, LED mapping is different but that's a detail.

Best regards

Jocelyn

 

Nicholas Parker
Associate III

Hi @Jocelyn RICARD, thanks for getting back to me with advice. I have WSL2 installed and I installed the STM32Cube and can now run "bash regression.sh" in the Windows CLI

(I also used the usbipd command to 'attach' (share) the Nucleo board USB device on the Windows side so WSL can access the USB and hence the Nucleo board)

However, I get this error :-

Error: Wrong command -ob secwm1_pstrt= secwm1_pend=0 wrp1a_pstrt= wrp1a_pend=0 wrp1b_pstrt= wrp1b_pend=0: Unknown command or command missed some parameters, please refer to the help to see the supported commands.
regression script failed, press a key
C:\__nick\SBSFU\SBSFU_Boot\STM32CubeIDE>bash regression.sh


Can you please let me know your build steps? In between modding the files and running the regression shell script?

Are you just right clicking each project and selecting build in the order from the README.md? Is there a better way to build everything?

Thanks very much for your time.

Nick.

 

EDIT: Was also stuck for quite a bit with another issue which I eventually figured out -- I needed to replace ~/ with $HOME in the env.sh script and that resolved a path issue for imgtool. For some reason the 'stm32programmercli_path' still has a tilde, but it doesn't seem to matter. Also need to be careful as editing a .sh file in STMCube on the Windows side was adding \r to modified lines... had to fix those with dos2unix.
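Added example, not part of the original post or of ST's scripts: a small POSIX shell lint that flags the two problems described in the EDIT above, namely lines ending in \r and values that begin with a quoted "~/" (the shell only expands a tilde when it is unquoted). The sample file contents, variable names and paths are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the SBSFU package): lint a helper script such as
# env.sh before running it.
#   crlf          line ends in \r (file saved with Windows line endings)
#   quoted-tilde  value begins with a quoted "~/", which the shell never expands

CR=$(printf '\r')

# lint_script FILE: prints "FILE:LINE:KIND" per finding; non-zero status if any.
lint_script() (
    file=$1; n=0; found=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in
            *"$CR") echo "$file:$n:crlf"; found=1 ;;
        esac
        # Drop leading whitespace so indented comments are recognised.
        body=${line#"${line%%[![:space:]]*}"}
        case $body in
            \#*) ;;    # comment line: ignore
            *=\"\~/*|*=\'\~/*) echo "$file:$n:quoted-tilde"; found=1 ;;
        esac
    done < "$file"
    [ "$found" -eq 0 ]
)

# Constructed sample; variable names and paths are hypothetical.
make_sample() {
    f=$(mktemp)
    printf '%s\n' '#!/bin/bash' \
        '# was: imgtool_dir="~/tools/imgtool"' \
        'imgtool_dir="~/tools/imgtool"' \
        'imgtool_ok="$HOME/tools/imgtool"' > "$f"
    printf 'speed=fast\r\n' >> "$f"    # line saved with CRLF
    echo "$f"
}

sample=$(make_sample)
lint_script "$sample" || echo "fix the findings above before running the script"
rm -f "$sample"
```

Running it over each .sh file after editing on the Windows side shows which lines need dos2unix or a $HOME substitution.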

 

Jocelyn RICARD
ST Employee

Hi @Nicholas Parker ,

Yes, I just followed the same steps as the readme for building, then launched the 2 scripts.

Your issue looks more like an environment issue with the usage of WSL2. I'm not familiar with this, so it is difficult to help you there. Isn't it possible to just build in Windows, at least to check if the example works fine on your board?

Best regards

Jocelyn

Nicholas Parker
Associate III

Hi @Jocelyn RICARD ,

Am I understanding you correctly? I am building in Windows using the STM32CubeIDE.

It is something in the regression.sh that is failing for my setup.

How are you running the Linux bash scripts - I assume I need either a virtual machine like WSL / VirtualBox or native Linux. Is there another way in the CubeIDE?

Nick

Jocelyn RICARD
ST Employee

Hi @Nicholas Parker ,

Sorry for the late answer. STM32CubeIDE does not need any Linux environment on the PC.

You can use either the STM32CubeIDE embedded bash or install Git Bash.

Embedded bash can be found in plugins\com.st.stm32cube.ide.mcu.externaltools.make.win32_*

Best regards

Jocelyn