STM32 H753 flow for setting Secure mode / secure user area/ Enable RSS
‎2023-10-14 11:17 PM
Good day!
I am working with the STM32H753 product. I am trying to understand the sequences and state machines for RSS activation. The reference manual (RM0433) does not provide enough information to grasp the full picture. Additionally, there are no examples for setting up and activating RSS.
- Could you please provide the most detailed description for the correct setup of the secure user memory?
- I would also appreciate a comprehensive guide on the description and configuration of the Secure access mode
- Specifically, I'm unsure about the sequence of steps: should I configure the secure user area first or should I activate the secure mode EN bit first? The documentation doesn't make this clear.
Could you please provide guidance on the correct sequence of these operations?
I would appreciate any assistance or additional resources you could provide on this topic.
Thank you in advance.
Labels: STM32 Security
Accepted Solutions
‎2023-10-19 11:01 AM
Hello @Mishme,
The X-CUBE-SBSFU package provides an example implementation of secure boot for many STM32 devices.
There you will find projects based on STM32H753 with the code used to enable the secure user memory.
You can look for the SFU_LL_SECU_SetProtectionSecUser function, for instance.
Best regards
Jocelyn
‎2023-10-18 6:51 AM
Hi @Mishme,
This should ease your way into the existing documentation:
STM32H7-Security-Root Security Services (RSS)
but unfortunately I have found no helpful examples yet.
BR,
J
‎2023-10-19 2:17 AM
Hi, I believe this is what you seek
BR,
J
‎2023-10-23 12:59 AM
Hi!
Thanks. Yes, this is what I was looking for: an example of RSS configuration and activation.
I analyzed the source code. Correct me if I misunderstood the sequence of actions.
1) First, it is necessary to activate the Security bit mode through the Option Bytes - HAL_FLASHEx_OBProgram(...).
2) Then, use the RSS API to set the secure user memory area: SFU_LL_RSS->resetAndInitializeSecureAreas(1, aSecureAreas);
Do you possibly know of a project with source code that is solely dedicated to the activation of RSS? With all possible argument checks, guard conditions, and error handlers.
I want to understand the entire state machine of the controller's behavior because incorrect arguments in the secure user memory will lead to a complete lock-up of the controller, even without activating RDP2.
Best regards,
Mikhail
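The guard conditions asked about in the post above can be checked in plain C before anything is committed to the device. The following is an added example, not code from X-CUBE-SBSFU or from ST: the descriptor type, the error codes, and the bank base, bank size and 256-byte granularity constants are assumptions to confirm against RM0433, and requiring the calling code to sit inside the requested area is a policy chosen for this example.

```c
#include <stdint.h>

/* Assumed values for illustration; confirm against RM0433 for your part. */
#define BANK1_BASE  0x08000000u  /* assumed start of flash bank 1 */
#define BANK1_SIZE  0x00100000u  /* assumed bank size (1 MB) */
#define SEC_GRANULE 0x100u       /* assumed secure-area granularity (256 bytes) */

typedef enum {
    SEC_OK = 0,
    SEC_ERR_SECURITY_BIT_OFF,  /* step 1 of the sequence not done yet */
    SEC_ERR_ZERO_SIZE,
    SEC_ERR_UNALIGNED,
    SEC_ERR_OUT_OF_BANK,
    SEC_ERR_CALLER_OUTSIDE     /* code requesting the area is not inside it */
} sec_check_t;

/* Hypothetical request descriptor, not ST's RSS structure. */
typedef struct {
    uint32_t start;  /* first byte of the requested secure area */
    uint32_t size;   /* size in bytes */
} sec_area_req_t;

/* Validate a request before the RSS call; return the first failed guard. */
sec_check_t sec_area_check(const sec_area_req_t *r, int security_bit_set,
                           uint32_t caller_addr)
{
    if (!security_bit_set)
        return SEC_ERR_SECURITY_BIT_OFF;
    if (r->size == 0u)
        return SEC_ERR_ZERO_SIZE;
    if ((r->start % SEC_GRANULE) != 0u || (r->size % SEC_GRANULE) != 0u)
        return SEC_ERR_UNALIGNED;
    if (r->start < BANK1_BASE)
        return SEC_ERR_OUT_OF_BANK;

    /* Compare offsets so that start + size can never wrap around. */
    uint32_t off = r->start - BANK1_BASE;
    if (off >= BANK1_SIZE || r->size > BANK1_SIZE - off)
        return SEC_ERR_OUT_OF_BANK;

    /* Policy of this example: the requesting code must end up inside the area. */
    if (caller_addr < r->start || caller_addr - r->start >= r->size)
        return SEC_ERR_CALLER_OUTSIDE;

    return SEC_OK;
}
```

On target, a check like this would run after reading back the option bytes and before the RSS call, with any result other than SEC_OK aborting the setup.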
‎2023-10-24 10:25 AM
Hello Mishme,
Here is a small project dedicated to testing H7 secure memory (STM32H753_SecureMem_ExampleV1.1.7z).
I provide it as is. It is supposed to be used on the Nucleo-H753ZI.
I updated it with the latest version of CubeMX/CubeIDE/CubeFW.
It is composed of 2 projects.
1- A bootloader that uses UART VCP to provide a menu and give necessary information about option bytes.
2- A user application that can be downloaded thanks to ymodem into the second 128KB flash sector. The purpose of this user application is to allow performing regression if the one from the bootloader does not work.
You should be able to progressively experiment with the setup.
For instance, you can see that when security + secure memory is activated, you cannot connect with JTAG by default even in RDP Level 0. You will see you can re-enable JTAG through the code.
To be able to remove the secure memory you must perform a regression.
For this you first need to set RDP1 (a power on reset will probably be necessary).
Then launch the regression command.
After launching the regression, you must wait for around 10 seconds because a mass erase is automatically triggered. If you interrupt this sequence with a reset, your board will be bricked because the code will be removed but not the secure memory.
I hope this will help.
Best regards
Jocelyn
‎2024-08-12 12:01 PM
@Jocelyn RICARD does this mean you CANNOT set/remove the secure memory regions in cubeprogrammer?
thanks
