
STM32 Trusted Package Creator ignoring Security Counter

Christian Keydel
Associate III

Using the STM32TRUSTEE-SM framework, the non-secure application is built by the project.py script, which in turn calls

STM32TrustedPackageCreator_CLI.exe -pb SM_Code_Image_bin.xml

to generate the application .bin file in MCUboot format.

The xml file has

	<Param>
		<Name>Security Counter</Name>
		<Value>auto</Value>
		<Type>Data</Type>
		<Command>-s</Command>
		<Hidden>1</Hidden>
		<Default>auto</Default>
	</Param>

It is my understanding that with this setting, an incrementing counter should be placed in the image header's ih_ver.iv_build_num field. But this field stays 0 no matter what I put under <Value>, auto or a direct number.

There is a command "-s" which according to the documentation would be passed on to the imgtool executable, which, however, is described as this

[Screenshot: documentation entry for the -s parameter]

and therefore would have nothing to do with any counter.

Could anybody shed some light on it, please? I am using the latest version 2.20.0 of CubeProgrammer/TPC.

Accepted Solution
Christian Keydel
Associate III

Answering my own question, I looked into the imgtool further and here is what I found:

The "Slot" reference for the -s parameter in the documentation is wrong. "-s auto" uses a 32-bit value in the format 0xAABBCCCC with AA=major, BB=minor and CCCC=revision, and these values come straight from the -v parameter, which comes from "Version" in the XML file.

These values therefore go into two places in the generated .bin file: 1. the header (version info) and 2. the TLV, as the IMAGE_TLV_SEC_CNT entry in the protected area (security counter).

The ih_ver.iv_build_num field in the header has nothing to do with it but it can be set to any 32-bit value (purely informational) by using the major.minor.revision+build format for "Version" in the XML, e.g.

1.0.3+123456
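
Added example, not part of the original post and not ST's or imgtool's own code: a Python check that reads ih_ver from an MCUboot image header and the IMAGE_TLV_SEC_CNT entry from the protected TLV area, so the counter can be compared with the 0xAABBCCCC value derived from "Version". It assumes the upstream MCUboot layout (32-byte little-endian image_header, protected TLV area with magic 0x6908 right after the payload, 16-bit TLV type and length, IMAGE_TLV_SEC_CNT = 0x50); the function names and the sample image are constructed for illustration.

```python
import re
import struct

IMAGE_MAGIC = 0x96F3B83D          # ih_magic in upstream MCUboot (assumed layout)
PROT_TLV_INFO_MAGIC = 0x6908      # IMAGE_TLV_PROT_INFO_MAGIC
IMAGE_TLV_SEC_CNT = 0x50
HDR = struct.Struct("<IIHHIIBBHII")  # image_header, 32 bytes; ih_ver = B,B,H,I

def parse_version(text):
    """Split 'major.minor.revision[+build]' and range-check each field."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:\+(\d+))?", text)
    if not m:
        raise ValueError(f"bad version string: {text!r}")
    major, minor, rev, build = (int(g or 0) for g in m.groups())
    if major > 0xFF or minor > 0xFF or rev > 0xFFFF or build > 0xFFFFFFFF:
        raise ValueError("version field out of range")
    return major, minor, rev, build

def auto_security_counter(text):
    """0xAABBCCCC value that '-s auto' derives from the version."""
    major, minor, rev, _build = parse_version(text)
    return (major << 24) | (minor << 16) | rev

def inspect_image(blob):
    """Return ((major, minor, rev, build), security counter or None)."""
    (magic, _load, hdr_size, prot_size, img_size, _flags,
     major, minor, rev, build, _pad) = HDR.unpack_from(blob, 0)
    if magic != IMAGE_MAGIC:
        raise ValueError("not an MCUboot image")
    sec_cnt, off = None, hdr_size + img_size   # protected TLVs follow payload
    if prot_size:
        tlv_magic, total = struct.unpack_from("<HH", blob, off)
        if tlv_magic != PROT_TLV_INFO_MAGIC or total != prot_size:
            raise ValueError("malformed protected TLV area")
        end, off = off + total, off + 4
        while off + 4 <= end:
            tlv_type, tlv_len = struct.unpack_from("<HH", blob, off)
            if tlv_type == IMAGE_TLV_SEC_CNT and tlv_len == 4:
                sec_cnt = struct.unpack_from("<I", blob, off + 4)[0]
            off += 4 + tlv_len
    return (major, minor, rev, build), sec_cnt

def build_sample(text, payload=b"\xAA" * 16):
    """Constructed, unsigned test image: header + payload + SEC_CNT TLV."""
    major, minor, rev, build = parse_version(text)
    tlv = struct.pack("<HHI", IMAGE_TLV_SEC_CNT, 4, auto_security_counter(text))
    prot = struct.pack("<HH", PROT_TLV_INFO_MAGIC, 4 + len(tlv)) + tlv
    return HDR.pack(IMAGE_MAGIC, 0, HDR.size, len(prot), len(payload), 0,
                    major, minor, rev, build, 0) + payload + prot
```

For a generated .bin, pass the file's bytes to inspect_image() and compare the returned counter with auto_security_counter() of the XML "Version" string; a result of None means the image carries no security counter in its protected area.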

 
