STM32H7Sx - How many 256-bit AHKs can be stored in option byte keys for a given HDPL?

Eliasvan · ‎2025-09-22

Dear,

For a given HDPL, how many 256-bit AHKs (Application Hardware Keys) can be stored in the option byte keys?
And how many of those are:

only usable by SAES?
usable by software?

The reference manual states the following:

5.2 FLASH main features:
"Up to 1 Kbyte of protected non-volatile option byte keys, readable either by software or
usable as a secret AES key through SAES peripheral (as AHK keys)"
- It is unclear whether this is for just one HDPL, or whether this is a grand total comprising all three HDPLs that support option byte key storage (HDPL0, HDPL1, HDPL2).
  Suppose it is for just one HDPL, then this would be able to store 32 (= 1 K byte * (8 bit / byte) / 256 bit) 256-bit AHKs. This seems to be a reasonable assumption since if it were for all three HDPLs, this number would have to be divisible by 3, which it is not (32/3 = ~10.667).
5.9.18 FLASH option byte key control register (FLASH_OBKCR):
"OBKSIZE[1:0]: Option byte key size
Application must use this bitfield to specify how many bits must be used for the new key.
Embedded flash ignores OBKSIZE during read of option keys because size is stored with the
key.
00: Key size is 32 bits
01: Key size is 64 bits
10: Key size is 128 bits
11: Key size is 256 bits"
"OBKINDEX[4:0]: Option byte key index
This bitfield represents the index of the option byte key in a given hide protection level.
Reading keys with index lower that 8, the value is not be available in OBKDRx registers. It is
instead sent directly to SAES peripheral. All others keys can be read using OBKDRx registers.
Up to 32 keys can be provisioned per hide protection level (0, 1 or 2), provided there is enough
space left in the flash to store them."
- The underlined text seems to suggest that 32 keys is an upper bound and that this amount would be lower if the key size is higher.
  This means the upper bound of 32 keys would correspond with the lower bound of the key size, being 32 bits. The total number of key bits per HDPL would then be 1024 bits (= 32 keys * 32 bit/key) or 128 bytes (= 1024 bit / (8 bit / byte)). Hence, only 4 256-bit keys (= 1024 bit / (256 bit / key)) would be able to be stored per HDPL, which contradicts the number 32 calculated in the assumption of section 5.2.

STackPointer64 · ‎2025-10-15

Hello @Eliasvan,

For a given HDPL, the option byte keys can store 32 256-bit AHKs in total.

Indexes 0 to 7 (8 keys): Reserved for hardware (HW) keys, which are writable only and directly injected into the SAES. These are usable only by SAES and correspond to your AHK implementation.
Indexes 8 to 31 (24 keys): Reserved for software (SW) keys, used by software.

This information is clarified in the Security Features section for STM32H7RS MCUs under OBKeys. Since the reference manual update process takes longer than wiki updates, you may check the wiki for more details. Nonetheless, I have escalated the issue to the relevant team for resolution. It is being tracked internally under ticket number 219787.

Best regards,

To improve visibility of answered topics, please click 'Accept as Solution' on the reply that resolved your issue or answered your question.

View solution in original post

Eliasvan · ‎2025-10-03

Judging from ST's example OEMiRoT and OEMuRoT code, the answer seems to be 32:

See "https://github.com/STMicroelectronics/STM32CubeH7RS/blob/46f09b6826fda675c4923e8ec781521b37f21659/Projects/STM32H7S78-DK/Applications/ROT/OEMiROT_Boot/Inc/low_level_obkeys.h#L36":

#define OBK_HDPL_256_KEY_SIZE     (0x00000020U)

#define FLASH_PROG_UNIT           (OBK_HDPL_256_KEY_SIZE) /* OBkey granularity : 32 */
#define OBK_PROG_UNIT             (FLASH_PROG_UNIT)

#define OBK_MAX_HDPL_AREA_SIZE    (0x400U) /* 32 indexes * 32 bytes */

So, @ ST, please:

Update section "5.2 FLASH main features" of the reference manual to clarify that the 1 Kbyte of protected non-volatile option byte keys are for a given HDPL (so times three to get the total amount).
Update section "5.9.18 FLASH option byte key control register (FLASH_OBKCR)" of the reference manual to remove the confusing part ", provided there is enough space left in the flash to store them" and potentially add " of max. 256 bits each" after "Up to 32 keys".

I will accept any post from ST that confirms that the reference manual will be updated accordingly as a solution.

STackPointer64 · ‎2025-10-15

Hello @Eliasvan,

For a given HDPL, the option byte keys can store 32 256-bit AHKs in total.

Indexes 0 to 7 (8 keys): Reserved for hardware (HW) keys, which are writable only and directly injected into the SAES. These are usable only by SAES and correspond to your AHK implementation.
Indexes 8 to 31 (24 keys): Reserved for software (SW) keys, used by software.

This information is clarified in the Security Features section for STM32H7RS MCUs under OBKeys. Since the reference manual update process takes longer than wiki updates, you may check the wiki for more details. Nonetheless, I have escalated the issue to the relevant team for resolution. It is being tracked internally under ticket number 219787.

Best regards,

To improve visibility of answered topics, please click 'Accept as Solution' on the reply that resolved your issue or answered your question.

STackPointer64 · ‎2025-10-21

Hello @Eliasvan,

Update: The ticket has been escalated, and the description will be clarified in the upcoming revision of the reference manual.

Best regards,

To improve visibility of answered topics, please click 'Accept as Solution' on the reply that resolved your issue or answered your question.