Secure Update via USB Stick (STM23H750)

i2399 · ‎2024-09-27

Hello to all,

I was wondering if there was a way to implement a secure update via USB stick using X-CUBE-SBSFU software.
Moreover, the application software would be installed on external flash, custom bootloader immutable in internal flash.

Maybe installing the new application with my custom bootloader and then letting secure boot do all the security verifications after triggering a system reset?

Sorry if it sounds a silly question but I am quite new to this complex topic.

Thanks!

Pavel A. · ‎2024-09-27

Define secure. What does this mean for you?

i2399 · ‎2024-09-27

Hello Pavel,

in my case it means that the new image should be encrypted and decryptable with a secret key, and that I can verify that the image is not corrupted, for example with a SHA256.

Thanks for your time.

Jocelyn RICARD · ‎2024-09-27

Hello @i2399 ,

the STM32H750 is a bit specific because it contains only one 128KB flash sector.

The code is executed in place in external flash, so code confidentiality is not possible.

Also, when executing your application it is not possible to write in the same external flash. This means that application cannot download itself a new firmware and write it in the flash.

The example is provided with a loader located after the SBSFU in the same 128KB sector.

You can update this loader to have a USB host mass storage implementation that is able to read a file in the USB stick and write it to the download slot in external flash.

Then once update file is completely transfered, you can reset the chip and SBSFU will securely install the new image in the execution slot.

The SBSFU will check the integrity and authenticity of the firmware. This means computing the hash of the firmware and also checking a signature with a public key.

Best regards

Jocelyn