2025-04-24 6:04 AM
Hello,
I have successfully executed the default OEMiROT and Application projects in STM32CubeH5\Projects\NUCLEO-H563ZI\ on our prototype board based on STM32H563 1MB variant. Slight adaptations were needed for which I got plenty of support in this thread: Solved: STM32CubeProgrammer Default DA Configuration, TZ E... - STMicroelectronics Community
I would now like the OEMiROT to "skip" Secure application image altogether and directly boot into Non-Secure application image (We have developed our FW entirely in Non-Secure domain and would like to continue with it, with Secure Boot achieved through OEMiROT).
Naturally, I started with modifying "flash_layout.h" in OEMiROT_Boot project. Our flash layout configuration in "flash_layout.h" looks like this currently after changes:
...
/* Flash layout configuration : begin ****************************************/
/* #define MCUBOOT_OVERWRITE_ONLY */     /* Defined: the FW installation uses overwrite method.
                                            UnDefined: The FW installation uses swap mode. */
/* #define MCUBOOT_EXT_LOADER */         /* Defined: Use system bootloader (in system flash).
                                            To enter it, press user button at reset.
                                            Undefined: Do not use system bootloader. */
#define MCUBOOT_APP_IMAGE_NUMBER 1       /* 1: S and NS application binaries are assembled in one single image.
                                            2: Two separated images for S and NS application binaries. */
#define MCUBOOT_S_DATA_IMAGE_NUMBER 0    /* 1: S data image for S application.
                                            0: No S data image. */
#define MCUBOOT_NS_DATA_IMAGE_NUMBER 0   /* 1: NS data image for NS application.
                                            0: No NS data image. */
#define DEVICE_1M_FLASH_ENABLE           /* Defined: the project is for 1M FLASH device
                                            Undefined: the project is for 2M FLASH device */
/* Flash layout configuration : end ******************************************/
...
/* BL2 partitions size */
#define FLASH_S_PARTITION_SIZE (0x00000) /* 0 KB for S partition */
When I see the changes (git diff) made throughout "STM32CubeH5\Projects\NUCLEO-H563ZI\Applications\ROT" and "STM32CubeH5\Projects\NUCLEO-H563ZI\ROT_Provisioning", after compiling the OEMiROT_Boot project, I observe that:
I anyway went ahead and ran "provisioning.bat". The OEMiROT reported no errors on Serial output and claims to jump to the expected NS application start address but I don't see the NS application running as intended (a simple blinky that was placed instead of user menu code in the example project).
In summary, I believe it's not entirely straightforward to compile the "OEMiROT_Boot" project and have all the scripts (provisioning, ob_flash_programming, etc.) just have the Non-Secure application image as the ONLY image to boot into.
Where do I get started? How do I achieve this? @Jocelyn RICARD, your help again would be really appreciated!