Secure area for nucleo h755

smnhff · ‎2024-03-26

Hello,

I would like to setup a secure area on the h755 board. My setup is as follows:

I have a secure app that runs permanently on the m7, and on the m4, there is a non-secure app running.

I want to configure all but the last sector of the m7 as secure.

I followed this example, and it seems to work, until I want to flash the secure area configuration (start 0x000, end 0xffe). Then the cube programmer starts loading forever, until I reconnect the board or go to some other tab.

What am I missing?

CMYL · ‎2024-04-01

Hi @smnhff

In RM0399, It is recommended to align the secure-only area size with flash sector granularity in order to
avoid access right issues. In your case, the last section is partially secure.

• SEC_AREA_START2[11:0] = 0x000
• SEC_AREA_END2[11:0] = 0xffe

The secure-only area size defined above is equal to:
[(SEC_AREA_END - SEC_AREA_START) + 1] x 256 = 4095 x 256 bytes = 0xF FF00

0x080F FF00 > 0x080E 0000 (last sector start address)

In your case you need to set as follows in order to avoid overlapping of last sector:

• SEC_AREA_START2[11:0] = 0x000
• SEC_AREA_END2[11:0] = (0xE00-1) = DFF

Best regards,

Younes

smnhff · ‎2024-04-02

Thank you very much for your reply. Now while checking again, I came across another uncertainty from my side: I want to use the m7 core as some sort of hardware security module. As such, I would like to not exit from the secure area to provide continuous access to secure functions.

Is it possible to do this without locking the device? To my understanding, the note mentioned above states that on the reference board, this will lock the system as a debugger cannot access the m7 domain while running in the secure area, and as a consequence I cannot reflash the board. However, the h755 also has an m4. Does this change anything? Do I still lock the device when I do this?

If this does not work, how would I implement this concept instead?

Best regards