
STiROT Provisioning with STM32TrustedPackageCreator for Zephyr RTOS on NUCLEO-H533RE – Encrypted Image Not Executing

elby0
Associate II

Hello STM32 Community,

I’ve successfully built a Zephyr RTOS blinky application for the NUCLEO-H533RE board. Flashing the zephyr.hex using west flash or STM32CubeProgrammer works perfectly — the LED blinks and the serial terminal prints the expected status messages.

To enhance security, I’m now trying to encrypt and sign the firmware using STM32TrustedPackageCreator and provision the board using STiROT. I followed the STM32CubeH5 GitHub examples and used the STiROT_Code_Init_Image.xml file, modifying it to point to my zephyr.bin. Provisioning was successful, and the board state was set to PROVISIONED.

However, after flashing the generated zephyr_enc_sign.hex, the board does not blink, and the serial terminal remains silent — indicating the firmware is not executing.

Here’s what I’ve done:

  • Used STiROT/Image/STiROT_Code_Init_Image.xml and modified paths to point to zephyr.bin.
  • Generated the encrypted and signed image using STM32TrustedPackageCreator.
  • Successfully provisioned the board and set its final state to PROVISIONED.
  • During the process, I noticed this message:

Programming the option bytes and flashing the images... 
Successful optional bytes programming and image flashing.

And finally the following message:

=====
===== The board is correctly configured.
===== Power off/on the board to start the application.
=====

Questions:

  1. What is the difference between STiROT_Code_Image.xml and STiROT_Code_Init_Image.xml in the context of STM32TrustedPackageCreator?
  2. Is there a specific configuration or memory mapping required for Zephyr-based applications to work with STiROT?
  3. Are there known limitations or adjustments needed when using Zephyr RTOS with STiROT provisioning?
  4. How can I verify whether the firmware is being validated and executed by STiROT?
  5. How can I validate that the board is validated with STiROT? I am not able to connect to the board using STM32CubeProgrammer unless I perform a regression. Does that mean the board was provisioned?

3 REPLIES

Jocelyn RICARD
ST Employee

Hello @elby0 ,

When using STiROT in such case you need to set it up to have secure and non secure application.

Zephyr application is a non secure application. So, you can use the TrustZone example, keep the secure application as it is and replace the non secure by your zephyr binary.

Now, this will not be 100% transparent as you need to assign all resources to non secure: GPIO, interrupts, RAMs ...

Also, your Zephyr application has to be moved to its assigned slot, which does not start at the beginning of flash.

The *init* generates a signed image that is already "installed". This means you just need to flash it at the right location; the STiROT will consider it already installed.

Regarding memory mapping, this is the purpose of the secure application to set it up. You will always need a part of the memory that stays secure, even if very small.

I never used Zephyr so cannot tell if there are any limitation. Only "limitations" I can see are related to the secure/non secure partitioning that make things more complex to setup.

You can verify STiROT status by launching a discovery procedure of Debug Authentication. This is described in STiROT application note.

You can reopen the debug using debug authentication. Just open HDPL2 secure and you should have access to all the flash content.

Best regards

Jocelyn
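
An added example, not part of the thread or of ST's tooling: one way to check that an unsigned zephyr.bin was linked for its assigned slot rather than the start of flash, by reading the first two Cortex-M vector-table words. The slot and RAM ranges are constructed placeholders, and the script assumes the vector table sits at offset 0 of the binary.

```python
import struct

# Constructed placeholder ranges for illustration; take the real slot and RAM
# ranges from your own STiROT / secure-application configuration.
SLOT_BASE, SLOT_SIZE = 0x08020000, 0x00020000
RAM_BASE, RAM_SIZE = 0x20000000, 0x00040000


def check_vector_table(image, slot_base, slot_size, ram_base, ram_size):
    """Return a list of problems found in the first two vector-table words.

    Assumes the Cortex-M vector table sits at offset 0 of the unsigned
    binary: word 0 is the initial stack pointer, word 1 the reset vector.
    """
    if len(image) < 8:
        return ["image is shorter than two vector-table words"]
    initial_sp, reset = struct.unpack_from("<II", image, 0)
    problems = []
    # A full-descending stack may start exactly at the top of RAM.
    if not (ram_base < initial_sp <= ram_base + ram_size):
        problems.append(f"initial SP 0x{initial_sp:08X} is outside RAM")
    # Cortex-M executes Thumb only, so bit 0 of the reset vector must be set.
    if not reset & 1:
        problems.append(f"reset vector 0x{reset:08X} lacks the Thumb bit")
    entry = reset & 0xFFFFFFFE
    if not (slot_base <= entry < slot_base + slot_size):
        problems.append(
            f"reset handler 0x{entry:08X} is outside slot "
            f"0x{slot_base:08X}-0x{slot_base + slot_size - 1:08X}"
        )
    return problems


def make_sample(link_base):
    """Build a constructed 8-byte vector-table stub linked at link_base."""
    return struct.pack("<II", RAM_BASE + RAM_SIZE, (link_base + 0x400) | 1)


if __name__ == "__main__":
    for name, base in (("linked at flash start", 0x08000000),
                       ("linked at slot base", SLOT_BASE)):
        result = check_vector_table(make_sample(base), SLOT_BASE, SLOT_SIZE,
                                    RAM_BASE, RAM_SIZE)
        print(name, "->", result or "OK")
```

To run it on a real build, pass the bytes of the unsigned zephyr.bin and the slot range from your own configuration instead of the constructed stub.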

 

Hi @Jocelyn RICARD ,

Thanks for your response, much appreciated!

Yes, I am heading in the same direction. I have a sample Secure and NS application working with STiROT however this was generated using CubeMX. 

I am now working on squeezing in my Zephyr application as NS and bringing the whole project within the STiROT Provision.

One more interesting thing I found is that CubeMX has an option to generate a Secure / NS project with a CMake build, and Zephyr uses CMake as well.

So, I am playing around with this to try to get something working.

I will keep you posted on this and if I crack this one: I will provide the solution for the community.

 

Regards,

Elby

tk50
Associate

Hello, I am interested in your solution too.

We are planning to use the following setup:

STiROT -> MCUboot (secure) -> Zephyr App (non-secure)