secure boot - RSA4096 - stm32u5

Hello @paulgoulpie ,

You can use the imgtool provided in mcuboot github with same version.

There is no specific addition made by ST here.

Best regards

Jocelyn

Hello @Jocelyn RICARD 

Thank you for your feedback.

However I cannot interchange the imgtool version of github and the imgtool version of ST (provided by /STMicroelectronics/STM32Cube/STM32CubeProgrammer/bin//Utilities/Linux/imgtool)

I will detail the tests carried out for you

Getting imgtool from github and version testing:

git clone https://github.com/mcu-tools/mcuboot.git
cd mcuboot
git checkout v1.7.2
./scripts/imgtool.py version
1.7.2

Modification of the env.sh file for referencing the imgtool version of github:

imgtool="/home/${USER}/Dev/mcuboot/scripts/imgtool.py"

Test launching the postbuild.sh script (from the SBSFU_Appli/STM32CubeIDE/NonSecure/Release folder)

"../../postbuild.sh" "." "1.0.0+0" "nonsecure"
/home/${USER}/Dev/sbsfu/SBSFU_Appli/STM32CubeIDE/NonSecure/Release
assemble image
Usage: imgtool.py [OPTIONS] COMMAND [ARGS]...
Try 'imgtool.py -h' for help.

Error: No such command 'ass'.
postbuild.sh failed

It seems that the ass option is not integrated in the imgtool version of github:

/home/${USER}/Dev/mcuboot/scripts/imgtool.py -h
Usage: imgtool.py [OPTIONS] COMMAND [ARGS]...

Options:
-h, --help Show this message and exit.

Commands:
create Create a signed or unsigned image
getpriv Dump private key from keypair
getpub Dump public key from keypair
keygen Generate pub/private keypair
sign Create a signed or unsigned image
verify Check that signed image can be verified by given key
version Print imgtool version information

On the other hand, the imgtool version of ST seems to integrate it:

/home/${USER}/STMicroelectronics/STM32Cube/STM32CubeProgrammer/bin//Utilities/Linux/imgtool -h
Usage: imgtool [OPTIONS] COMMAND [ARGS]...

Options:
-h, --help Show this message and exit.

Commands:
ass Assemble and padd 1 or 2 binaries
clean clean an ST file
create Create a signed or unsigned image
flash modify bash /batch variable value with layout file content
getpriv Dump private key from keypair
getprivbin Dump private key from keypair, in binary format
getpub Dump public key from keypair
getpubbin Dump public key in binary format
keygen Generate pub/private keypair
resign resign a licence image file
sign Create a signed or unsigned image
version Print imgtool version information

Similar test by restoring the use of the imgtool version of ST.
Modification of the env.sh file for referencing the imgtool version of ST:

imgtool="/home/${USER}/STMicroelectronics/STM32Cube/STM32CubeProgrammer/bin//Utilities/Linux/imgtool"

Test launching the postbuild.sh script (from the SBSFU_Appli/STM32CubeIDE/NonSecure/Release folder

"../../postbuild.sh" "." "1.0.0+0" "nonsecure"
/home/${USER}/Dev/sbsfu/SBSFU_Appli/STM32CubeIDE/NonSecure/Release
assemble image
signing
encrypting

However, I can try to use the ST version for the assemble image step and use the github version for the signing step.
In this case, I also note a discrepancy.
If below the commands generated by postbuild.sh used for the signing step:

/home/${USER}/STMicroelectronics/STM32Cube/STM32CubeProgrammer/bin//Utilities/Linux/imgtool sign -k /home/${USER}/Dev/sbsfu/SBSFU_Boot/Src/root-rsa-2048.pem -S 1335296 -e little -H 0x400 --pad-header -s auto --align 16 --primary-only --overwrite-only -v 1.0.0+0 --confirm --pad /home/${USER}/Dev/sbsfu/SBSFU_Appli/STM32CubeIDE/../Binary/sbsfu_app.bin /home/${USER}/Dev/sbsfu/SBSFU_Appli/STM32CubeIDE/../Binary/sbsfu_app_init.bin
/home/${USER}/STMicroelectronics/STM32Cube/STM32CubeProgrammer/bin//Utilities/Linux/imgtool sign -k /home/${USER}/Dev/sbsfu/SBSFU_Boot/Src/root-rsa-2048.pem -S 1335296 -e little -H 0x400 --pad-header -s auto --align 16 --primary-only --overwrite-only -v 1.0.0+0 /home/${USER}/Dev/sbsfu/SBSFU_Appli/STM32CubeIDE/../Binary/sbsfu_app.bin /home/${USER}/Dev/sbsfu/SBSFU_Appli/STM32CubeIDE/../Binary/sbsfu_app_sign.bin
/home/${USER}/STMicroelectronics/STM32Cube/STM32CubeProgrammer/bin//Utilities/Linux/imgtool sign -k /home/${USER}/Dev/sbsfu/SBSFU_Boot/Src/root-rsa-2048.pem -E /home/${USER}/Dev/sbsfu/SBSFU_Boot/Src/enc-rsa2048-pub.pem -S 1335296 -e little -H 0x400 --pad-header -s auto --align 16 --primary-only --overwrite-only -v 1.0.0+0 /home/${USER}/Dev/sbsfu/SBSFU_Appli/STM32CubeIDE/../Binary/sbsfu_app.bin /home/${USER}/Dev/sbsfu/SBSFU_Appli/STM32CubeIDE/../Binary/sbsfu_app_enc_sign.bin

These run without problems.

If I try to run with the github version, here are the results:

/home/${USER}/Dev/mcuboot/scripts/imgtool.py sign -k /home/${USER}/Dev/sbsfu/SBSFU_Boot/Src/root-rsa-2048.pem -S 1335296 -e little -H 0x400 --pad-header -s auto --align 16 --primary-only --overwrite-only -v 1.0.0+0 --confirm --pad /home/${USER}/Dev/sbsfu/SBSFU_Appli/STM32CubeIDE/../Binary/sbsfu_app.bin /home/${USER}/Dev/sbsfu/SBSFU_Appli/STM32CubeIDE/../Binary/sbsfu_app_init.bin
Usage: imgtool.py sign [OPTIONS] INFILE OUTFILE
Try 'imgtool.py sign -h' for help.

Error: No such option: --primary-only Did you mean --overwrite-only?

/home/${USER}/Dev/mcuboot/scripts/imgtool.py sign -k /home/${USER}/Dev/sbsfu/SBSFU_Boot/Src/root-rsa-2048.pem -S 1335296 -e little -H 0x400 --pad-header -s auto --align 16 --primary-only --overwrite-only -v 1.0.0+0 /home/${USER}/Dev/sbsfu/SBSFU_Appli/STM32CubeIDE/../Binary/sbsfu_app.bin /home/${USER}/Dev/sbsfu/SBSFU_Appli/STM32CubeIDE/../Binary/sbsfu_app_sign.bin
Usage: imgtool.py sign [OPTIONS] INFILE OUTFILE
Try 'imgtool.py sign -h' for help.

Error: No such option: --primary-only Did you mean --overwrite-only?

/home/${USER}/Dev/mcuboot/scripts/imgtool.py sign -k /home/${USER}/Dev/sbsfu/SBSFU_Boot/Src/root-rsa-2048.pem -E /home/${USER}/Dev/sbsfu/SBSFU_Boot/Src/enc-rsa2048-pub.pem -S 1335296 -e little -H 0x400 --pad-header -s auto --align 16 --primary-only --overwrite-only -v 1.0.0+0 /home/${USER}/Dev/sbsfu/SBSFU_Appli/STM32CubeIDE/../Binary/sbsfu_app.bin /home/${USER}/Dev/sbsfu/SBSFU_Appli/STM32CubeIDE/../Binary/sbsfu_app_enc_sign.bin
Usage: imgtool.py sign [OPTIONS] INFILE OUTFILE
Try 'imgtool.py sign -h' for help.

Error: No such option: --primary-only Did you mean --overwrite-only?

For additional information, here is a comparison of the options available for the sign stage.
Version github:

/home/${USER}/Dev/mcuboot/scripts/imgtool.py sign -h
Usage: imgtool.py sign [OPTIONS] INFILE OUTFILE

Create a signed or unsigned image

INFILE and OUTFILE are parsed as Intel HEX if the params have .hex
extension, otherwise binary format is used

Options:
-k, --key filename
--public-key-format [hash|full]
In what format to add the public key to the
image manifest: full key or hash of the key.
--align [1|2|4|8] [required]
-v, --version TEXT [required]
-s, --security-counter TEXT Specify the value of security counter. Use
the `auto` keyword to automatically generate
it from the image version.
-d, --dependencies TEXT Add dependence on another image, format:
"(<image_ID>,<image_version>), ... "
--pad-sig Add 0-2 bytes of padding to ECDSA signature
(for mcuboot <1.5)
-H, --header-size INTEGER [required]
--pad-header Add --header-size zeroed bytes at the
beginning of the image
-S, --slot-size INTEGER Size of the slot. If the slots have
different sizes, use the size of the
secondary slot. [required]
--pad Pad image to --slot-size bytes, adding
trailer magic
--confirm When padding the image, mark it as confirmed
(implies --pad)
-M, --max-sectors INTEGER When padding allow for this amount of
sectors (defaults to 128)
--boot-record sw_type Create CBOR encoded boot record TLV. The
sw_type represents the role of the software
component (e.g. CoFM for coprocessor
firmware). [max. 12 characters]
--overwrite-only Use overwrite-only instead of swap upgrades
-e, --endian [little|big] Select little or big endian
-E, --encrypt filename Encrypt image using the provided public key.
(Not supported in direct-xip or ram-load
mode.)
--save-enctlv When upgrading, save encrypted key TLVs
instead of plain keys. Enable when
BOOT_SWAP_SAVE_ENCTLV config option was set.
-F, --rom-fixed INTEGER Set flash address the image is built for.
-L, --load-addr INTEGER Load address for image when it should run
from RAM.
-x, --hex-addr INTEGER Adjust address in hex output file.
-R, --erased-val [0|0xff] The value that is read back from erased
flash.
--custom-tlv [tag] [value] Custom TLV that will be placed into
protected area. Add "0x" prefix if the value
should be interpreted as an integer,
otherwise it will be interpreted as a
string. Specify the option multiple times to
add multiple TLVs.
-h, --help Show this message and exit

Version ST:

/home/${USER}/STMicroelectronics/STM32Cube/STM32CubeProgrammer/bin//Utilities/Linux/imgtool sign -h
Usage: imgtool sign [OPTIONS] INFILE OUTFILE

Create a signed or unsigned image

INFILE and OUTFILE are parsed as Intel HEX if the params have .hex
extension, otherwise binary format is used

Options:
-ma, --magic-val INTEGER fix magic value in hex output file.
-u, --urot TEXT
-p, --profile [1|2|3|4|5|6|7] Fix Secure Manager Profile : 1 (small) | 2
(medium) | 4 (large)
-C, --core TEXT
-l, --licence [0|1] Fix Licence : 0 (global licence) 1(chip
licence)
-c, --clear Output is not Encrypted, So that it can be
written in primary slot
-k, --key filename optional key for signature if key not
present TLV signature is not present.
--public-key-format [hash|full]
In what format to add the public key to the
image manifest: full key or hash of the key.
--align [1|2|4|8|16] [required]
-v, --version TEXT [required]
-s, --security-counter TEXT Specify the value of security counter. Use
the `auto` keyword to automatically generate
it from the image version.
-d, --dependencies TEXT Add dependence on another image, format:
"(<image_ID>,<image_version>), ... "
--no-pad-tlv disable tlv padding (in case of magic in
0x73ab1024)
--pad-sig create uncompress ECDSA signature (for
mcuboot <1.5 and for STuRoT and
SecureManager Image)
-P, --primary-only when encrypted image hash and signature are
computed with header without encrypted flag
-o, --otfdec INTEGER
-H, --header-size INTEGER [required]
--pad-header Add --header-size zeroed bytes at the
beginning of the image
-S, --slot-size INTEGER Size of the slot. If the slots have
different sizes, use the size of the
secondary slot. [required]
--pad Pad image to --slot-size bytes, adding
trailer magic
--confirm When padding the image, mark it as confirmed
(implies --pad)
-M, --max-sectors INTEGER When padding allow for this amount of
sectors (defaults to 128)
--boot-record sw_type Create CBOR encoded boot record TLV. The
sw_type represents the role of the software
component (e.g. CoFM for coprocessor
firmware). [max. 12 characters]
--overwrite-only Use overwrite-only instead of swap upgrades
-e, --endian [little|big] Select little or big endian
-E, --encrypt filename Encrypt image using the provided public key.
(Not supported in direct-xip or ram-load
mode.)
--save-enctlv When upgrading, save encrypted key TLVs
instead of plain keys. Enable when
BOOT_SWAP_SAVE_ENCTLV config option was set.
-F, --rom-fixed INTEGER Set flash address the image is built for.
-L, --load-addr INTEGER Load address for image when it should run
from RAM.
-x, --hex-addr INTEGER Adjust address in hex output file.
-R, --erased-val [0|0xff] The value that is read back from erased
flash.
--custom-tlv [tag] [value] Custom TLV that will be placed into
protected area. Add "0x" prefix if the value
should be interpreted as an integer,
otherwise it will be interpreted as a
string. Specify the option multiple times to
add multiple TLVs.
-h, --help Show this message and exit.

diff:

diff -u --color /tmp/git /tmp/st
--- /tmp/git 2025-03-19 12:44:09.504940283 +0100
+++ /tmp/st 2025-03-19 12:44:44.201041295 +0100
@@ -1,4 +1,4 @@
-Usage: imgtool.py sign [OPTIONS] INFILE OUTFILE
+Usage: imgtool sign [OPTIONS] INFILE OUTFILE

Create a signed or unsigned image

@@ -6,19 +6,35 @@
extension, otherwise binary format is used

Options:
- -k, --key filename
+ -ma, --magic-val INTEGER fix magic value in hex output file.
+ -u, --urot TEXT
+ -p, --profile [1|2|3|4|5|6|7] Fix Secure Manager Profile : 1 (small) | 2
+ (medium) | 4 (large)
+ -C, --core TEXT
+ -l, --licence [0|1] Fix Licence : 0 (global licence) 1(chip
+ licence)
+ -c, --clear Output is not Encrypted, So that it can be
+ written in primary slot
+ -k, --key filename optional key for signature if key not
+ present TLV signature is not present.
--public-key-format [hash|full]
In what format to add the public key to the
image manifest: full key or hash of the key.
- --align [1|2|4|8] [required]
+ --align [1|2|4|8|16] [required]
-v, --version TEXT [required]
-s, --security-counter TEXT Specify the value of security counter. Use
the `auto` keyword to automatically generate
it from the image version.
-d, --dependencies TEXT Add dependence on another image, format:
"(<image_ID>,<image_version>), ... "
- --pad-sig Add 0-2 bytes of padding to ECDSA signature
- (for mcuboot <1.5)
+ --no-pad-tlv disable tlv padding (in case of magic in
+ 0x73ab1024)
+ --pad-sig create uncompress ECDSA signature (for
+ mcuboot <1.5 and for STuRoT and
+ SecureManager Image)
+ -P, --primary-only when encrypted image hash and signature are
+ computed with header without encrypted flag
+ -o, --otfdec INTEGER
-H, --header-size INTEGER [required]
--pad-header Add --header-size zeroed bytes at the
beginning of the image

All of these tests lead me to the conclusion that there are differences between the ST version and the github version.
Can you confirm these things for me and tell me how to proceed?

Thanking you,

Kind regards,

Paul Goulpié

Hello @paulgoulpie ,

I'm sorry I didn't check first.

In fact the imgtool was provided in previous releases of STM32CubeU5.

You can download version 1.5.0 and python scripts are there in Middelwares\Third_Party\mcuboot\scripts

I don't know why this was actually removed.

Best regards

Jocelyn

Hello @paulgoulpie ,

Thank you for the PR !

Best regards

Jocelyn