
Secure Boot / Secure Firmware Update and X509 Cert Hierarchies

RKher.1
Associate III

Is there a way to support X.509 certs for Secure Boot and Secure Firmware Authentication (SBSFU) features on STM32 MCUs? All the examples I've seen on this use bare public keys rather than certificates. Thanks!

4 REPLIES
Bubbles
ST Employee

Hi @RKher.1,

generally the MCU is capable of storing, reading, parsing and using the certificate and it shouldn't be a big problem to add this functionality, provided that the signature algorithm used in the certificate is supported.

The SBSFU as provided is kept simple and using the certificate was perceived as an unnecessary complexity. At least in the context of firmware authentication. Once other IoT functionality is involved, it starts to make more sense. But the SBSFU did not involve IoT scenarios from the start.

So you are welcome to extend your SBSFU-based project with certificates, but AFAIK it's not planned to be added to the base package, there are other priorities.

BR,

J

To give better visibility on the answered topics, please click on Accept as Solution on the reply which solved your issue or answered your question.
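The reply above makes certificate support conditional on the certificate's signature algorithm being one the bootloader can verify. As an added example (not code from this thread or from ST's SBSFU package), the C routine below reads the outer `signatureAlgorithm` OID of a DER-encoded certificate with bounds checks and accepts only ecdsa-with-SHA256. The function names, the choice of ecdsa-with-SHA256 as the single supported algorithm, and the two sample byte strings (constructed skeletons, not real certificates) are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Read one DER TLV header at *p (bounded by end). On success *p points at the
   value and *len holds its length. Returns 0 on success, -1 on malformed input. */
static int der_next(const uint8_t **p, const uint8_t *end, uint8_t tag, size_t *len)
{
    if (end - *p < 2 || **p != tag) return -1;
    size_t n = (*p)[1];
    *p += 2;
    if (n & 0x80) {                      /* long form: next 1..2 bytes hold the length */
        size_t cnt = n & 0x7f;
        if (cnt == 0 || cnt > 2 || (size_t)(end - *p) < cnt) return -1;
        for (n = 0; cnt > 0; cnt--) n = (n << 8) | *(*p)++;
    }
    if ((size_t)(end - *p) < n) return -1;   /* value must fit in the buffer */
    *len = n;
    return 0;
}

/* OID 1.2.840.10045.4.3.2 (ecdsa-with-SHA256); assumed to be the only supported one. */
static const uint8_t OID_ECDSA_SHA256[] = {0x2A,0x86,0x48,0xCE,0x3D,0x04,0x03,0x02};

/* Constructed samples: Certificate { tbs placeholder, signatureAlgorithm, BIT STRING }. */
static const uint8_t SAMPLE_ECDSA[] = {0x30,0x15, 0x30,0x03,0x02,0x01,0x00,
    0x30,0x0A,0x06,0x08,0x2A,0x86,0x48,0xCE,0x3D,0x04,0x03,0x02, 0x03,0x02,0x00,0x00};
static const uint8_t SAMPLE_RSA[] = {0x30,0x18, 0x30,0x03,0x02,0x01,0x00, 0x30,0x0D,0x06,0x09,
    0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0B,0x05,0x00, 0x03,0x02,0x00,0x00};

/* Returns 1 if the outer signatureAlgorithm is supported, 0 if not, -1 if malformed. */
int cert_sig_alg_supported(const uint8_t *der, size_t der_len)
{
    const uint8_t *p = der, *end = der + der_len;
    size_t len;
    if (der_next(&p, end, 0x30, &len) < 0) return -1;      /* Certificate */
    end = p + len;
    if (der_next(&p, end, 0x30, &len) < 0) return -1;      /* tbsCertificate */
    p += len;                                              /* skip its contents */
    if (der_next(&p, end, 0x30, &len) < 0) return -1;      /* signatureAlgorithm */
    if (der_next(&p, p + len, 0x06, &len) < 0) return -1;  /* algorithm OID */
    return len == sizeof OID_ECDSA_SHA256 && memcmp(p, OID_ECDSA_SHA256, len) == 0;
}

int main(void)
{
    return !(cert_sig_alg_supported(SAMPLE_ECDSA, sizeof SAMPLE_ECDSA) == 1 &&
             cert_sig_alg_supported(SAMPLE_RSA, sizeof SAMPLE_RSA) == 0);
}
```

This is only the algorithm gate: a full verifier would also compare this field with the `signature` field inside `tbsCertificate` and then verify the signature itself against the issuer's key.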

RKher.1
Associate III

@JHOUD Thanks for the clarification! It does not seem like CryptoLib v.4.0.0 has X.509 functionality for parsing and verifying certificates. Can you confirm this? If so, is there a recommended library for supporting this, e.g. MbedTLS?

Hi, yes, mbedTLS was already successfully integrated with SBSFU on several projects. Actually even including X.509, but only while using an external secure element for secure storage of keys and certificates (B-L4S5I-IOT01A + STSAFE-A110). Maybe that's where you should focus. Check out AN5056 for further details.

J


RKher.1
Associate III

@JHOUD Thanks for the clarification. I'll check out the application note that you reference in your response.