SFI Process

Hitesh_Aratek
Associate III

Hi Team,

I am using the STM32H573I-DK board.
Can I get any document or explanation of how SFI is processed and which keys are involved in encryption and authentication?
I already referred to AN4992 and the wiki pages, but the process is not so clear.

CMYL
ST Employee

Hi @Hitesh_Aratek 

Question 1: SFI Process

See also:

  • AN5054: How to perform secure programming using STM32CubeProgrammer. This is a practical step-by-step process.
  • UM2338: User manual, STM32 Trusted Package Creator tool software description

The SFI process involves several steps to ensure secure firmware installation. This process includes generating encrypted firmware, provisioning the HSM card, and using the STM32CubeProgrammer to perform the SFI process.

  1. Generating Encrypted Firmware

  • Tools Required: STM32 Trusted Package Creator (STPC)
  • Files Needed:
    • OEM firmware
    • .csv file containing option bytes configuration
    • 128-bit AES encryption key
    • 96-bit nonce
    • Random key area file (optional)
    • OBKey files for device configuration (optional)

  The first step is to encrypt the user OEM firmware using the STM32 Trusted Package Creator tool. This involves including the necessary files in the STPC tool (for a practical step-by-step guide, see AN5054, pages 110-115).

  2. HSM Card Provisioning

  • Tools Required: STM32 Trusted Package Creator (STPC)
  • Files Needed: HSMv2 smartcard

  Provision the HSM card via the STPC tool. This step ensures that the HSM card is ready for secure firmware installation (AN5054).

  3. Perform SFI Process

  • Tools Required: STM32CubeProgrammer
  • Files Needed:
    • Encrypted firmware
    • HSM card (if required)
    • STMicroelectronics global license file

  Use the STM32CubeProgrammer to perform the SFI process. This involves programming the encrypted firmware onto the STM32H573I-DK board.

Question 2: The Keys Involved in Encryption and Authentication are as follows:

  1. 128-bit AES Encryption Key
    • Used to encrypt the OEM firmware.
    • Ensures that the firmware is securely encrypted before installation.
  2. 96-bit Nonce
    • A unique number used once to ensure the encryption process is secure.
    • Prevents replay attacks by ensuring that each encryption operation is unique.
  3. Random Key Area File (Optional)
    • Provides additional randomness to the encryption process.
    • Enhances the security of the encrypted firmware.
  4. OBKey Files (Optional)
    • Used for device configuration.
    • Ensures that the device is configured correctly for secure firmware installation.
  5. STMicroelectronics Global License File
    • Required for the SFI process.
    • Ensures that the firmware installation is authorized and secure.

Hope this is helpful.

Best Regards,
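
A pre-flight check for the key and nonce inputs listed in the reply above, as an added example that is not part of the original posts or ST's tooling. It assumes the 128-bit key and 96-bit nonce are stored as raw binary files (the file names and the ledger are hypothetical), verifies their lengths, and records each pair so the same nonce is never packaged twice under one key.

```python
import hashlib
import hmac
import json
import secrets
import tempfile
from pathlib import Path

KEY_LEN = 16    # 128-bit AES encryption key
NONCE_LEN = 12  # 96-bit nonce

def check_material(key: bytes, nonce: bytes) -> list:
    """Return a list of length problems (empty if the sizes are right)."""
    problems = []
    if len(key) != KEY_LEN:
        problems.append(f"key is {len(key)} bytes, expected {KEY_LEN}")
    if len(nonce) != NONCE_LEN:
        problems.append(f"nonce is {len(nonce)} bytes, expected {NONCE_LEN}")
    return problems

def preflight(key_path: Path, nonce_path: Path, ledger: Path) -> list:
    """Check the files, then record the pair; a reused pair is reported."""
    key, nonce = key_path.read_bytes(), nonce_path.read_bytes()
    problems = check_material(key, nonce)
    if problems:
        return problems
    seen = set(json.loads(ledger.read_text())) if ledger.exists() else set()
    # HMAC keyed with the AES key: the ledger never holds key material.
    tag = hmac.new(key, nonce, hashlib.sha256).hexdigest()
    if tag in seen:
        return ["nonce already used with this key for an earlier package"]
    ledger.write_text(json.dumps(sorted(seen | {tag})))
    return []

def demo() -> dict:
    """Run the check on constructed sample files (hypothetical names)."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        key, nonce, short = d / "key.bin", d / "nonce.bin", d / "short.bin"
        key.write_bytes(secrets.token_bytes(KEY_LEN))
        nonce.write_bytes(secrets.token_bytes(NONCE_LEN))
        short.write_bytes(secrets.token_bytes(8))  # deliberately too short
        ledger = d / "sfi_nonce_ledger.json"
        return {"first": preflight(key, nonce, ledger),
                "reused": preflight(key, nonce, ledger),
                "short": preflight(key, short, ledger)}

if __name__ == "__main__":
    print(demo())
```

Run the check before handing the files to the packaging step; a non-empty result means the key or nonce file should be regenerated.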

Hitesh_Aratek
Associate III

@CMYL 
Thanks for the info. Can we have any document/presentation material for the communication between RSS and RSSe Lib protocol for secure SFI communication?

CMYL
ST Employee

 

Hi @Hitesh_Aratek 

Please find below 2 User manuals (with or without SM) and a wiki:

- UM3125: STM32H573xx security guidance for SESIP 3 Certification - User manual

- UM3238: STM32H573xx STM32TRUSTEE-SM security guidance for SESIP 3 Certification - User manual

- Wiki page: Security:Secure Storage for STM32H5 - stm32mcu

- STM32StepByStep:SFI Step-by-step on STM32 boards - stm32mcu

 

Best Regards