Secure firmware update at secure zone with SBSFU

Istillaga
Senior

Hello,

I am programming with the STM32U575ZIT6 microcontroller, and I am trying to update the firmware in the secure zone. However, when I try to update the firmware in the secure zone, the function ret_arm=LOADER_FLASH_DEV_NAME.EraseSector(sector_address) in FW_UPDATE_DownloadNewFirmware(&fw_image_dwl_area) returns a value less than 0, which causes the update to fail. Performing the update in the non-secure zone works without any issues. I suspect the problem might be that LOADER_FLASH_DEV_NAME does not work properly in the secure zone, or that the firmware image area cannot be read correctly in the secure zone. Is there anything specific that needs to be enabled or configured for the secure firmware update to work?

Jocelyn RICARD
ST Employee

Hello @Istillaga ,

If you are in a single-slot configuration, you need to use the secure part of the loader to be able to write in the secure area. If you use the example provided, you will see that in such a case the non-secure loader will call a service of the secure loader.

Best regards

Jocelyn

Hello @Jocelyn RICARD,

I suppose you are referring to this part of the code in the loader:

#if defined(MCUBOOT_PRIMARY_ONLY)
    if (sector_address < NS_IMAGE_PRIMARY_PARTITION_OFFSET)
    {
        ret_arm = SECURE_Flash_EraseSector(sector_address);
    }
    else
    {
        ret_arm = LOADER_FLASH_DEV_NAME.EraseSector(sector_address);
    }
#else
    ret_arm = LOADER_FLASH_DEV_NAME.EraseSector(sector_address);
#endif

Where SECURE_Flash_EraseSector is defined as:

CMSE_NS_ENTRY int32_t SECURE_Flash_EraseSector(uint32_t addr)
{
    return LOADER_FLASH_DEV_NAME.EraseSector(addr);
}

As you can see, the same function is used in both cases. So I don't know what I should change.

However, I am not trying to implement this in the loader project. I am trying to update the application firmware in the secure application project using the firmware configurations with the overwrite method and using both the primary and secondary image slots.
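
A host-side model of the single-slot dispatch discussed above, added here as an example and not taken from ST's loader: the same driver call succeeds on secure sectors only when it is reached through the secure entry, which in this sketch also bounds-checks the address it receives from the non-secure side. All offsets, the sector size, S_IMAGE_PRIMARY_PARTITION_OFFSET, DRV_OK/DRV_ERROR, the mock driver and loader_erase are assumptions made for the model.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed layout: only the macro name NS_IMAGE_PRIMARY_PARTITION_OFFSET comes
 * from the thread; every value and the S_ macro are assumptions for this model. */
#define SECTOR_SIZE                       0x2000u
#define S_IMAGE_PRIMARY_PARTITION_OFFSET  0x20000u
#define NS_IMAGE_PRIMARY_PARTITION_OFFSET 0x40000u
#define DRV_OK     0
#define DRV_ERROR (-1)
#define CMSE_NS_ENTRY /* empty on the host; marks a non-secure callable entry on target */

static int secure_world; /* 1 while the model runs "secure" code */

/* Mock flash driver: sectors below the non-secure image need the secure side. */
static int32_t mock_erase_sector(uint32_t addr)
{
    if (addr < NS_IMAGE_PRIMARY_PARTITION_OFFSET && !secure_world)
        return DRV_ERROR;
    return DRV_OK;
}

/* Secure service: take only sector-aligned addresses inside the secure image. */
CMSE_NS_ENTRY int32_t SECURE_Flash_EraseSector(uint32_t addr)
{
    int32_t ret;
    if (addr % SECTOR_SIZE != 0u || addr < S_IMAGE_PRIMARY_PARTITION_OFFSET ||
        addr >= NS_IMAGE_PRIMARY_PARTITION_OFFSET)
        return DRV_ERROR;
    secure_world = 1;
    ret = mock_erase_sector(addr);
    secure_world = 0;
    return ret;
}

/* Non-secure loader side: the MCUBOOT_PRIMARY_ONLY dispatch quoted in the post. */
int32_t loader_erase(uint32_t sector_address)
{
    if (sector_address < NS_IMAGE_PRIMARY_PARTITION_OFFSET)
        return SECURE_Flash_EraseSector(sector_address);
    return mock_erase_sector(sector_address);
}

int main(void)
{
    printf("secure sector via gateway: %d\n", (int)loader_erase(0x22000u));
    printf("secure sector, direct NS call: %d\n", (int)mock_erase_sector(0x22000u));
    printf("address below secure image: %d\n", (int)loader_erase(0x0u));
    return 0;
}
```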

 

Hello @Istillaga,

If you have a 2-slot configuration, I mean MCUBOOT_PRIMARY_ONLY is commented out, you will see the menu in the user example to update from the application.

In that case, both secure and non-secure download slots are non-secure and can be written by the non-secure application.

Best regards

Jocelyn

Hello @Jocelyn RICARD,

So you cannot modify the two slots to be written by the secure application? If it were possible to write via the secure application, what would need to be modified?