Secure Manager PSA Firmware Update Service

Christian Keydel
Associate II

From the manual UM3254:

4.1.4 PSA firmware update service
4.1.4.1 Description
This service provides an implementation of the PSA firmware update API defined in [PSAfwuAPI]. It provides a standard and platform-agnostic interface for firmware updates.
The firmware update scheme is based on a dual slot: one active slot and one download slot. The active slot is used to execute the firmware and the download slot is used to download the new image to be installed.
The following images can be updated:
• Nonsecure application
• SMuRoT
• Secure Manager
• Secure modules (each can be updated independently)
The installation flow is as follows:
1. The nonsecure application (update agent) gets information about the installed images (such as name, installation status, version, and others).
2. It downloads the image to the secure download slot.
3. It requests the image installation. It resets the device to execute the secure boot stages (SMiRoT and SMuRoT) that perform the installation in the active slot and jumps to the nonsecure application.
4. The nonsecure application must accept the image using its specific acceptance criteria (nonsecure application dependent):
– If the acceptance criteria are met, the nonsecure application informs the firmware update service that the image is accepted.
– If the acceptance criteria are not met, the nonsecure application generates a reboot. The secure boot stages are executed and perform a rollback to the previous valid image, which was swapped in the download slot.

Two questions:

In step 4, the nonsecure application that must accept the image is already the new application that got installed into the active slot in step 3, correct?

In the last sentence, it sounds as if the SM, while doing step 3 (programming the active slot from the download slot), also copies (backs up) the old application from the active slot into the download slot ("which was swapped") so that when the new application is not accepted, the firmware update service can restore the old application from the download slot. Is this understanding correct? If not, what does the "which was swapped" mean exactly?

Thanks,

Chris

JohnyKessler
ST Employee

Hello @Christian Keydel

Yes, after the reset in step 3, the nonsecure application that boots in step 4 is the new application (let's call it ns_appli_b). The old application (ns_appli_a) is in the download slot and can be swapped if necessary.

You’ve got it right. If ns_appli_b doesn’t meet the acceptance criteria, you can cancel the process and recover ns_appli_a.

Best regards

Johny
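A small model of the dual-slot install / trial / accept / rollback flow described above, added here as an illustration; it is not ST's code and does not call the real PSA FWU API. The slot contents, the `ns_appli_a` / `ns_appli_b` image names and the `DualSlotDevice` class are constructed for the example; the secure boot stages are reduced to what they do on each reset.

```python
# Constructed model of UM3254 section 4.1.4: one active slot, one download slot.
# On every reset the "secure boot stages" either swap a requested candidate into the
# active slot (keeping the previous image in the download slot) or, if the trial
# image rebooted without being accepted, swap the previous image back.
class DualSlotDevice:
    def __init__(self, active_image):
        self.active = active_image      # image executed after boot
        self.download = None            # staging slot for the candidate image
        self.install_requested = False  # step 3: install requested, reset pending
        self.in_trial = False           # new image running but not yet accepted

    def download_image(self, image):
        """Step 2: the update agent writes the candidate into the download slot."""
        self.download = image

    def request_install(self):
        """Step 3: request installation; the swap itself happens at the next reset."""
        if self.download is None:
            raise RuntimeError("no candidate image in the download slot")
        self.install_requested = True

    def reboot(self):
        """Secure boot stages run on every reset; returns the image that boots."""
        if self.install_requested:
            # Install: candidate becomes active, the previous image is kept in the
            # download slot so it can be restored if the candidate is rejected.
            self.active, self.download = self.download, self.active
            self.install_requested = False
            self.in_trial = True
        elif self.in_trial:
            # Reboot without acceptance (step 4, criteria not met): roll back.
            self.active, self.download = self.download, self.active
            self.in_trial = False
        return self.active

    def accept(self):
        """Step 4, criteria met: the running image confirms itself; the backup is freed."""
        if not self.in_trial:
            raise RuntimeError("no image under trial")
        self.in_trial = False
        self.download = None

def run_update_cycle(accept_new_image):
    """Full flow from ns_appli_a to ns_appli_b; returns the image active at the end."""
    dev = DualSlotDevice("ns_appli_a")
    dev.download_image("ns_appli_b")
    dev.request_install()
    dev.reboot()                    # boots ns_appli_b with ns_appli_a in the download slot
    if accept_new_image:
        dev.accept()
    return dev.reboot()             # next reset: keeps ns_appli_b, or rolls back to ns_appli_a
```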

Hello @JohnyKessler,

Thanks, that is clever.

Is there any example from ST to demonstrate this? Ideally, all steps (e.g. using a USB update agent) but at least how an application does the verification in step 4?

In CubeMX I found the "TFM" series of examples for the STM32L562E-DK that also uses PSA but it is pretty old and I don't know if it still applies. Is there anything newer?

Thanks,

Chris