STM32H753 SFI Error: Invalid state after SFI install

theHolgi · ‎2025-11-11

Device details

MPU: STM32H753AII6

Connection:
Probe: J-Link V11.00 / SW version V7.98c

STM toolset: STM32 Cube Programmer / Trusted Package Creator v2.20.0

SFI programming fails with error:
Error: SECURITY State Fail
Error: Invalid state after SFI install !
Error: RSS internal system error or License is invalid !

I also tried against the STM32H757I-EVAL board, which has a compatible CPU, with the same result.

-----

HSM provisioning

For Personalization Data I chose the group with the H753 in it, and from the 4 options in dropdown list the combination of "SFI" and Device ID "45002001" which is how the STM32H753 identifies.

SFI creation

For the simplified example, there is only one section of code starting from default address 0x08000000.
Settings for RAM size and continuation token are default, and seem to make sense.

Option bytes are, except for RDP level = 0xBB (level 1), identical to the defaults after mass erase.

SFI creation

SFI flashing

Complete log:

15:25:42 : STM32CubeProgrammer API v2.20.0 | Linux-64Bits 
15:25:57 : UR connection mode is defined with the HWrst reset mode
15:25:57 : UR connection mode is defined with the SWrst reset mode
15:26:05 : UR connection mode is defined with the HWrst reset mode
15:26:05 : UR connection mode is defined with the SWrst reset mode
15:26:05 : 51022075
15:26:05 : Device=Cortex-M7
15:26:05 : Device ID   : 0x450
15:26:05 : Voltage     : 3,30V
15:26:06 : UPLOADING OPTION BYTES DATA ...
15:26:06 :   Bank          : 0x00
15:26:06 :   Address       : 0x5200201c
15:26:06 :   Size          : 308 Bytes
15:26:06 : UPLOADING ...
15:26:06 :   Size          : 1024 Bytes
15:26:06 :   Address       : 0x8000000
15:26:06 : Read progress:
15:26:06 : Data read successfully
15:26:06 : Time elapsed during the read operation is: 00:00:00.004
15:26:24 : SFI parsing file started ...
15:26:24 : SFI header information    : 
15:26:24 :     SFI protocol version        : 2
15:26:24 :     SFI total number of areas   : 5
15:26:24 :     SFI image version           : 0
15:26:24 : SFI Areas information     : 
15:26:24 : Parsing Area 1/5    : 
15:26:24 :     Area type                   : F
15:26:24 :     Area size                   : 122816
15:26:24 :     Area destination address    : 0x8000000
15:26:24 : Parsing Area 2/5    : 
15:26:24 :     Area type                   : P
15:26:24 :     Area size                   : 32
15:26:24 :     Area destination address    : 0x81FF000
15:26:24 : Parsing Area 3/5    : 
15:26:24 :     Area type                   : R
15:26:24 :     Area size                   : 32
15:26:24 :     Area destination address    : 0x81FF000
15:26:24 : Parsing Area 4/5    : 
15:26:24 :     Area type                   : F
15:26:24 :     Area size                   : 59776
15:26:24 :     Area destination address    : 0x801DFC0
15:26:24 : Parsing Area 5/5    : 
15:26:24 :     Area type                   : C
15:26:24 :     Area size                   : 36
15:26:24 :     Area destination address    : 0x0
15:26:24 : Parsed File SUCCESS
15:26:39 : getProductID command execution finished
15:26:42 : Requesting Chip Certificate from device ...
15:26:42 : Get Certificate done successfully
15:26:42 : requesting license for the current STM32 device
15:26:42 : Init Communication ... 
15:26:42 : P11 lib initialization Success!
15:26:42 : Opening session with slot ID 1... 
15:26:42 : Succeed to Open session with reader slot ID 1 
15:26:43 : Succeed to generate license for the current STM32 device
15:26:43 : Closing session with reader slot ID 1... 
15:26:43 : Session closed with reader slot ID 1 
15:26:43 : Closing communication with HSM... 
15:26:43 : Communication closed with HSM 
15:26:43 : Succeed to get License for Firmware from HSM slot ID 1
15:26:43 : Starting Firmware Install operation...
15:26:43 : Activating security...
15:26:43 : Warning: Option Byte: SECURITY, value: 0x1, was not modified.
15:26:43 : Warning: Option Bytes are unchanged, Data won't be downloaded
15:26:43 : Time elapsed during option Bytes configuration: 00:00:00.002
15:26:43 : Activating security Success
15:26:43 : Setting write mode to SFI
15:26:43 : Warning: Option Byte: BCM7, value: 0x1, was not modified.
15:26:43 : Warning: Option Byte: SECURITY, value: 0x1, was not modified.
15:26:43 : Warning: Option Byte: ST_RAM_SIZE, value: 0x3, was not modified.
15:26:43 : Warning: Option Bytes are unchanged, Data won't be downloaded
15:26:43 : Time elapsed during option Bytes configuration: 00:00:00.002
15:26:43 : Succeed to set write mode for SFI
15:26:43 : Starting SFI part 1
15:26:43 : Writing license to address 0x24020800
15:26:43 : Writing Img header to address 0x24021000
15:26:43 : Writing areas and areas wrapper...
15:26:43 : RSS process started...
15:26:53 : RSS command execution OK
15:26:53 : RSS complete Value = 0xCC000007
15:26:53 : Reconnecting...
15:26:54 : Device=Cortex-M7
15:26:54 : Device ID   : 0x450
15:26:54 : Reconnected !
15:26:54 : Error: SECURITY State Fail
15:26:54 : Error: Invalid state after SFI install !
15:26:54 : Error: RSS internal system error or License is invalid !
15:26:54 : Aborting...
15:26:55 : Time elapsed during option Bytes configuration: 00:00:00.335
15:27:00 : Time elapsed during option Bytes configuration: 00:00:05.146
15:27:00 : Waiting 8s for end of regression...
15:27:00 : Display OB after Abort for sanity check
15:27:00 : OPTION BYTES BANK: 0
15:27:00 :    Read Out Protection:
15:27:00 :      RDP          : 0xAA (Level 0, no protection) 
15:27:00 :    BOR Level:
15:27:00 :      BOR_LEV      : 0x3 (reset level is set to VBOR3) 
15:27:00 :    User Configuration:
15:27:00 :      IWDG1_SW     : 0x1 (Independent watchdog is controlled by software) 
15:27:00 :      NRST_STOP_D1 : 0x1 (STOP mode on Domain 1 is entering without reset) 
15:27:00 :      NRST_STBY_D1 : 0x1 (STANDBY mode on Domain 1 is entering without reset) 
15:27:00 :      FZ_IWDG_STOP : 0x1 (Independent watchdog is running in STOP mode) 
15:27:00 :      FZ_IWDG_SDBY : 0x1 (Independent watchdog is running in STANDBY mode) 
15:27:00 :      SECURITY     : 0x1 (Security feature enabled) 
15:27:00 :      BCM7         : 0x1 (CM7 boot enabled) 
15:27:00 :      NRST_STOP_D2 : 0x1 (STOP mode on Domain 2 is entering without reset) 
15:27:00 :      NRST_STBY_D2 : 0x1 (STANDBY mode on Domain 2 is entering without reset) 
15:27:00 :      SWAP_BANK    : 0x0 (after boot loading, no swap for user sectors) 
15:27:00 :      IO_HSLV      : 0x0 (Product working in the full voltage range, I/O speed optimization at low-voltage disabled) 
15:27:00 :    Boot address Option Bytes:
15:27:00 :      BOOT_CM7_ADD0: 0x800  (0x8000000) 
15:27:00 :      BOOT_CM7_ADD1: 0x1FF0  (0x1FF00000) 
15:27:00 :    PCROP Protection:
15:27:00 :      PROT_AREA_START1: 0xFF  (0x800FF00) 
15:27:00 :      PROT_AREA_END1: 0x0  (0x80000FF) 
15:27:00 :      DMEP1        : 0x0 (Flash Bank 1 PCROP zone is kept when RDP level regression (change from level 1 to 0) occurs) 
15:27:00 :      PROT_AREA_START2: 0xFF  (0x810FF00) 
15:27:00 :      PROT_AREA_END2: 0x0  (0x81000FF) 
15:27:00 :      DMEP2        : 0x0 (Flash Bank 2 PCROP zone is kept when RDP level regression (change from level 1 to 0) occurs) 
15:27:00 :    Secure Protection:
15:27:00 :      SEC_AREA_START1: 0xFF  (0x800FF00) 
15:27:00 :      SEC_AREA_END1: 0x0  (0x80000FF) 
15:27:00 :      DMES1        : 0x0 (Flash Bank 1 secure area is kept when RDP level regression (change from level 1 to 0) occurs) 
15:27:00 :      SEC_AREA_START2: 0xFF  (0x810FF00) 
15:27:00 :      SEC_AREA_END2: 0x0  (0x81000FF) 
15:27:00 :      DMES2        : 0x0 (Flash Bank 2 secure area is kept when RDP level regression (change from level 1 to 0) occurs) 
15:27:00 :    DTCM RAM Protection:
15:27:00 :      ST_RAM_SIZE  : 0x3 (16 KB) 
15:27:00 :    Write Protection:
15:27:00 :      nWRP0        : 0x1 (Write protection not active on this sector) 
15:27:00 :      nWRP1        : 0x1 (Write protection not active on this sector) 
15:27:00 :      nWRP2        : 0x1 (Write protection not active on this sector) 
15:27:00 :      nWRP3        : 0x1 (Write protection not active on this sector) 
15:27:00 :      nWRP4        : 0x1 (Write protection not active on this sector) 
15:27:00 :      nWRP5        : 0x1 (Write protection not active on this sector) 
15:27:00 :      nWRP6        : 0x1 (Write protection not active on this sector) 
15:27:00 :      nWRP7        : 0x1 (Write protection not active on this sector) 
15:27:00 :      nWRP8        : 0x1 (Write protection not active on this sector) 
15:27:00 :      nWRP9        : 0x1 (Write protection not active on this sector) 
15:27:00 :      nWRP10       : 0x1 (Write protection not active on this sector) 
15:27:00 :      nWRP11       : 0x1 (Write protection not active on this sector) 
15:27:00 :      nWRP12       : 0x1 (Write protection not active on this sector) 
15:27:00 :      nWRP13       : 0x1 (Write protection not active on this sector) 
15:27:00 :      nWRP14       : 0x1 (Write protection not active on this sector) 
15:27:00 :      nWRP15       : 0x1 (Write protection not active on this sector) 
15:27:00 : Abort SUCCESS
15:27:00 : Disconnected from device.

Jocelyn RICARD · ‎2025-11-11

Hello @theHolgi ,

The Segger driver attached to STM32CubeProgrammer does not have the capability to handle SFI properly as far as I know.

You can use either STLink or Segger Programmer.

Best regards

Jocelyn

theHolgi · ‎2025-11-13

Hello @Jocelyn RICARD ,

thanks for your answer, but I cannot confirm; I tried with STLink-v3 now and get almost the same log. The only difference in direct comparison is that the RSS complete Value changed from 0xCC000007 to 0x80.

(See log attached)

STM Programmer v2.19 also bears the exact same result.

theHolgi · ‎2025-11-13

Since AN5052, in its latest version as of 10-Mar-2025, still says in chapter 3 "the tool [STM32CubeProgrammer, referring to SFI programming] is currently available only in CLI mode" – although the GUI absolutely not makes an unavailable impression –, I also tried in CLI mode.

The error message is there:

$ STM32_Programmer_CLI -c port=SWD reset=SWrst -sfi out.sfi hsm=1 slot=1

      -------------------------------------------------------------------
                        STM32CubeProgrammer v2.20.0                  
      -------------------------------------------------------------------

ST-LINK SN : 003300163232511639353236
ST-LINK FW : V3J10M3
Board : STLINK-V3MINIE
Voltage : 3,30V
SWD freq : 8000 KHz
Connect mode: Normal
Reset mode : Software reset
Device ID : 0x450
Revision ID : Rev V
Device name : STM32H7xx
Flash size : 2 MBytes
Device type : MCU
Device CPU : Cortex-M7
BL Version : 0x90

Error: SFI with hash is not supported on this device, please disable hash while generating SFI image

Now I am stuck on this message.
AN4992 chapter 4.2.1 mentions a "Hash" with the comment "option must be enabled on all STM32 devices supporting SFI", and a screenshot of an obviously older version of TPC where this was selectable (in v2.20, the checkbox doesn't exist).
In the TPC CLI, it exists as an option to Continuation Token, but no matter if I set it to 0 or 1, my results are the same.
my SFI creation commandline:

STM32TrustedPackageCreator_CLI -sfi -devid 0x450 -rs 0x1E000 -ct 0x081FF000 0 -v 0 -k FW_AES_key.bin -n FW_nonce.bin -ob SFI_Default.csv -fir just_bootloader.bin 0x08000000 -o just_bootloader.sfi

Update:
My experience with trying to flash it on the STM32H757I-EVAL is the same (the Eval-Board probe also identifies as an STLink-v3).
I updated the probe's firmware to V3J15M7 and that also doesn't change anything.

I found the undocumented command line parameter

-hash 1

being used here; using it with either 0 or 1 also doesn't make a change.

theHolgi · ‎2025-11-17

Now trying with older STM Tools versions.

STM32CubeProgrammer v2.10 supports the -hash option, but the programmer says:

Error: SFI Programming on STM32H7xx is not supported with v2.10.0, Please use v2.9.0

Sure, why not.

STM32CubeProgrammer v2.9.0 loads the SFI file, but then fails communicating:

-------------------------------------------------------------------
STM32CubeProgrammer v2.9.0
-------------------------------------------------------------------

ST-LINK SN : 003300163232511639353236
ST-LINK FW : V3J15M7
Board : STLINK-V3MINIE
Voltage : 3,29V
SWD freq : 8000 KHz
Connect mode: Normal
Reset mode : Software reset
Device ID : 0x450
Revision ID : Rev V
...
SFI File Information :
SFI file path : sfi_cube9.sfi
SFI HSM slot ID : 1
SFI header information :
SFI protocol version : 1
SFI total number of areas : 5
SFI image version : 0
SFI Areas information :
...
Requesting Chip Certificate from device ...
Get Certificate done successfully
requesting license for the current STM32 device
Init Communication ...
ldm_LoadModule(): loading module "./libstp11_SAM.so" ...
ldm_LoadModule: FAILURE loading library "./libstp11_SAM.so": 0x00000000 ...
Unable to load ./libstp11_SAM.so module
Error: P11 lib initialization Failure : Error code : UNKNOWN ERROR
Error: failed to init communication with plugged HSM with slot ID 1
Closing session with reader slot ID 1...
Error: failed to Open session with reader solt ID 1 : Error code : CKR_SESSION_HANDLE_INVALID
Closing communication with HSM...
Error: Closing communication with HSM Failure : Error code : CKR_CRYPTOKI_NOT_INITIALIZED
Error: Could not proceed, HSM getting License Operation Failure! Please verify the counter otherwise, try again
Error: sfi_cube10_hash.sfi SFI file Install Operation Failure! Please, try again.

OK, I have a completely crazy idea: Use STMCubeProg v2.19 (which can use the HSM, but faild to build valid SFI packages) to program the SFI package created with v2.9 (which can create packages, but not use the HSM).

$ ~/toolz/STM32CubeProg19/bin/STM32_Programmer_CLI -c port=SWD reset=SWrst -sfi sfi_cube9.sfi hsm=1 slot=1
      -------------------------------------------------------------------
                        STM32CubeProgrammer v2.19.0                  
      -------------------------------------------------------------------
...
Succeed to get License for Firmware from HSM slot ID 1

Starting Firmware Install operation...


Activating security...
Warning: Option Byte: SECURITY, value: 0x1, was not modified.
Warning: Option Bytes are unchanged, Data won't be downloaded
Time elapsed during option Bytes configuration: 00:00:00.002
Activating security Success
Setting write mode to SFI
Warning: Option Byte: BCM7, value: 0x1, was not modified.
Warning: Option Byte: SECURITY, value: 0x1, was not modified.
Warning: Option Byte: ST_RAM_SIZE, value: 0x3, was not modified.
Warning: Option Bytes are unchanged, Data won't be downloaded
Time elapsed during option Bytes configuration: 00:00:00.002
Succeed to set write mode for SFI

Starting SFI part 1

Writing license to address 0x24020800
Writing Img header to address 0x24021000
Writing areas and areas wrapper...
RSS process started...

RSS command execution OK
RSS complete Value = 0x80
Reconnecting...
ST-LINK SN  : 003300163232511639353236
ST-LINK FW  : V3J15M7
Board       : STLINK-V3MINIE
Voltage     : 3,37V
Error: Unable to get core ID
Error: No STM32 target found! If your product embeds Debug Authentication, please perform a discovery using Debug Authentication
...retrying...
ST-LINK SN  : 003300163232511639353236
ST-LINK FW  : V3J15M7
Board       : STLINK-V3MINIE
Voltage     : 3,31V
Error: Unable to get core ID
Error: No STM32 target found! If your product embeds Debug Authentication, please perform a discovery using Debug Authentication
...retrying...
ST-LINK SN  : 003300163232511639353236
ST-LINK FW  : V3J15M7
Board       : STLINK-V3MINIE
Voltage     : 3,35V
SWD freq    : 8000 KHz
Connect mode: Normal
Reset mode  : Software reset
Device ID   : 0x450
Revision ID : Rev V
Reconnected !


SECURITY State Success

Starting SFI part 2

Writing license to address 0x24020800
Writing Img header to address 0x24021000
Writing areas and areas wrapper...
all areas processed
RSS process started...

RSS command execution OK
Cheking security state after SFI...
Reconnecting...
ST-LINK SN  : 003300163232511639353236
ST-LINK FW  : V3J15M7
Board       : STLINK-V3MINIE
Voltage     : 3,36V
Error: Unable to get core ID
Error: No STM32 target found! If your product embeds Debug Authentication, please perform a discovery using Debug Authentication
...retrying...
ST-LINK SN  : 003300163232511639353236
ST-LINK FW  : V3J15M7
Board       : STLINK-V3MINIE
Voltage     : 3,35V
Error: Unable to get core ID
Error: No STM32 target found! If your product embeds Debug Authentication, please perform a discovery using Debug Authentication
...retrying...
ST-LINK SN  : 003300163232511639353236
ST-LINK FW  : V3J15M7
Board       : STLINK-V3MINIE
Voltage     : 3,32V
Error: Unable to get core ID
Error: No STM32 target found! If your product embeds Debug Authentication, please perform a discovery using Debug Authentication
...retrying...
ST-LINK SN  : 003300163232511639353236
ST-LINK FW  : V3J15M7
Board       : STLINK-V3MINIE
Voltage     : 3,30V
Error: Unable to get core ID
Error: No STM32 target found! If your product embeds Debug Authentication, please perform a discovery using Debug Authentication
...retrying...
ST-LINK SN  : 003300163232511639353236
ST-LINK FW  : V3J15M7
Board       : STLINK-V3MINIE
Voltage     : 3,37V
Error: Unable to get core ID
Error: No STM32 target found! If your product embeds Debug Authentication, please perform a discovery using Debug Authentication
...retrying...
ST-LINK SN  : 003300163232511639353236
ST-LINK FW  : V3J15M7
Board       : STLINK-V3MINIE
Voltage     : 3,35V
Error: Unable to get core ID
Error: No STM32 target found! If your product embeds Debug Authentication, please perform a discovery using Debug Authentication
Error: failed to reconnect after reset !
SFI Process Finished!
SFI file sfi_cube9.sfi Install Operation Success

@Jocelyn RICARD
Which combination do you recommend I should try next?

theHolgi · ‎2025-11-24

One more update:

Step by Step guide says tools version v2.11 min is required. Since that version is not available to download, the next one is v2.13.0.
This gives the same results as 2.9, i.e. it has library loading error communicating with the HSM.

Also the SFI package created with version v2.13 works no better with later tool versions. It starts the process, but then cannot get the Core ID when resetting (doesn't matter if "reset=SWrst" or "reset=HWrst")

Latest-greatest v2.21.0 released just now behaves the same as v2.20 (cannot use SFI packages created by itself, cannot get core ID when flashing package created with v2.13)