2021-02-02 02:09 AM
Hello,
I want to use sbsfu for STM32L562 controller with STM32Cube IDE version 1.5.
AS per primary research i am using below package and project .
I am using STM32SecuWS package.
Under that project I am using is STM32SecuWS\TFM\STM32Cube_FW_L5_V1.3.0\Projects\NUCLEO-L552ZE-Q\Applications\SBSFU.
I have gone through the document.
overview-of-secure-boot-and-secure-firmware-update-solution-on-arm-trustzone-stm32l5-series-microcontrollers-stmicroelectronics.pdf
And I want to use STM32CubeL5 SBSFU on page 10.non secure image primary slot(single slot 1 image).
1) For single slot do i required SBSFU_Loader project?
2) I only want to upload non secure image(my user application) do i need to run SBSFU\SBSFU_Appli\Secure project?
3) Postbuild.bat process remains same as x cube sbsfu right?
4) project example is with L552ZE , i have to use STM32L562 what configuration or settings i need to change in cubeIDE?
5) Example project already using mbedTLS library right?
6) getting-started-with-stm32cubel5-tfm-application-stmicroelectronics.pdf
is not useful as i required SBSFU on stm32l562 and not TFM right?
Regards,
Vrund
Solved! Go to Solution.
2021-02-03 11:47 AM
Hi Vrund,
I'm not sure the reason why you want to use STM32L5.
You can use the L5 without activating TZEN, but you loose the HDP feature in that case.
Using this chip in non secure only, you can port the SBSFU or do your own secureboot.
You have other bootloader examples available: the mcuboot provided in L5 and also the wolf secureboot.
Also, we provide some very basic secureboot to show how things work in the MOOC security part 3.
So, many possible solutions.
Best regards
Jocelyn
2021-02-02 03:17 AM
Hello Vrund,
First, there is a 1.3.1 release of the firmware already available.
Only change compared to 1.3.0 is that mcu boot related exe files used for signature operations are now digitally signed by ST avoiding issues with automatic removal.
Answers to your questions:
1) For single slot do i required SBSFU_Loader project?
A: Yes, you need a loader outside your application in this case.
2) I only want to upload non secure image(my user application) do i need to run SBSFU\SBSFU_Appli\Secure project?
A: Yes, the secure boot is checking authenticity of both secure and non secure images, and then jumps to secure.
The secure image is important to setup the security configuration of your platform.
3) Postbuild.bat process remains same as x cube sbsfu right?
A: No, in TFM we use a different implementation of SBSFU that is based on open source mcu boot.
So, scripts are different.
4) project example is with L552ZE , i have to use STM32L562 what configuration or settings i need to change in cubeIDE?
A: You need to adapt the target if you want to use HW accelerated crypto. Also, you will need to adapt the interfaces used by SBSFU: UART, LED and button.
But you can copy this from the TFM implementation on the STM32L562
5) Example project already using mbedTLS library right?
A: Yes, we don't use the ST S-CUBE-CRYPTOLIB here.
6) getting-started-with-stm32cubel5-tfm-application-stmicroelectronics.pdf
is not useful as i required SBSFU on stm32l562 and not TFM right?
A: You can have a look to the AN5447 that shows the differences between the 2.
Basically, TFM uses the same secure boot (based on mcuboot).
You can also have a look to the presentation made in the security MOOC part 6.
Best regards
Jocelyn
2021-02-03 02:06 AM
Hello Jocelyn,
I have gone through AN5447.
In my user application i don't want to access secure part of the flash.
A)For single Slot non secure user application i have to use below projects.
1) SBSFU_Boot
2) SBSFU_Secure App
3) SBSFU Non Secure App (my user app)
4) Any point in time i only want to update non secure application so SBSFU Loader non secure is required.
B) I have seen in SBSFU BOOT it uses TZEN =1 bit and RDP level 2 so it will boot from RSS flash address. is it right?
i have also seen it has used dual bank flash is it right? but why for single image slot it has used dual bank what's the advantage?
C) Rather than using SBSFU BOOT and modifying it,
it will be better if I create custom bootloader, which will check integrity and authenticity using mbed crypto library.
Configuration I am planning to use is TZEN =0 (disable), single bank, RDP level 2, WRP for protecting flash area of bootloader and HDP to store keys.
In that case I don't need to use SBSFU loader, bootloader size will be reduced and Remove secure and non secure application usage.
And I can easily manage public-private key as per my PKI infrastructure. rather depending on prebuild and Postbuild scripts.
is it sounds good.?
Regards,
Vrund
2021-02-03 11:47 AM
Hi Vrund,
I'm not sure the reason why you want to use STM32L5.
You can use the L5 without activating TZEN, but you loose the HDP feature in that case.
Using this chip in non secure only, you can port the SBSFU or do your own secureboot.
You have other bootloader examples available: the mcuboot provided in L5 and also the wolf secureboot.
Also, we provide some very basic secureboot to show how things work in the MOOC security part 3.
So, many possible solutions.
Best regards
Jocelyn
2021-02-03 10:15 PM
Hello Jocelyn,
MOOC security part 3.
have gone through the doc and video.
OK.
Using this chip in non secure only
BDW by porting SBSFU, you mean to say porting the code STM32CubeExpansion_SBSFU_V2.4.0\Projects\STM32F413H-Discovery\Applications to STM32L562
correct?
You have other bootloader examples available: the mcuboot provided in L5
Under which folder?
Regards,
Vrund
2021-02-04 01:23 AM
Hi Vrund,
yes for the porting this is what I meant.
Reason is that you already know how X-CUBE-SBSFU is working.
The mcuboot is actually the secure boot used in the STM32L5 CubeFW implementation.
If you open projects:
STM32Cube_FW_L5_V1.3.1\Projects\STM32L562E-DK\Applications\TFM\TFM_SBSFU_Boot\
or
STM32Cube_FW_L5_V1.3.1\Projects\NUCLEO-L552ZE-Q\Applications\SBSFU\SBSFU_Boot\
You will see the secureboot implementation is based on files located in
STM32Cube_FW_L5_V1.3.1\Middlewares\Third_Party\mcuboot\
Best regards
Jocelyn
2021-02-04 01:29 AM
Hello Jocelyn,
I have to change my ide.
Now i am using STM32cube IDE verson 1.5.
Project i am using is
STM32F413H-Discovery\Applications\1_Image\1_Image_SECoreBin\SW4STM32\STM32F413H_DISCOVERY_1_Image_SECoreBin
but it does not get build in IDE.
It shows error as below.
**** Build of configuration Debug for project STM32F413H_DISCOVERY_1_Image_SECoreBin ****
Nothing to build for project STM32F413H_DISCOVERY_1_Image_SECoreBin
Similar error shown for below project.
STM32CubeExpansion_SBSFU_V2.4.0\Projects\STM32F413H-Discovery\Applications\1_Image\1_Image_SBSFU\SW4STM32\STM32F413H_DISCOVERY_1_Image_SBSFU
Regards,
Vrund
2021-02-04 05:25 AM
Hi Vrund,
Please import project in STM32CubeIDE at "1_Image" level.
This will work directly.
Best regards
Jocelyn
2021-02-05 02:16 AM
no i did not work.
Have gone through below link.
https://www.openstm32.org/forumthread5650
but even there stuck with dependency issue.
15:42:35 **** Build of configuration Debug for project STM32F413H_DISCOVERY_1_Image_SECoreBin ****
make all
Building file: D:/Vrund/STM32CubeExpansion_SBSFU_V2.4.0/Middlewares/ST/STM32_Secure_Engine/Core/se_bootinfo.c
Invoking: MCU GCC Compiler
D:\Vrund\STM32CubeExpansion_SBSFU_V2.4.0\Projects\STM32F413H-Discovery\Applications\1_Image\1_Image_SECoreBin\SW4STM32\STM32F413H_DISCOVERY_1_Image_SECoreBin\Debug
arm-none-eabi-gcc -mcpu=cortex-m4 -mthumb -mfloat-abi=softfp -mfpu=fpv4-sp-d16 -DSTM32F413xx -DUSE_HAL_DRIVER -DUSE_STM32F413H_DISCOVERY -I"D:/Vrund/STM32CubeExpansion_SBSFU_V2.4.0/Projects/STM32F413H-Discovery/Applications/1_Image/1_Image_SECoreBin/Inc" -I"D:/Vrund/STM32CubeExpansion_SBSFU_V2.4.0/Drivers/CMSIS/Device/ST/STM32F4xx/Include" -I"D:/Vrund/STM32CubeExpansion_SBSFU_V2.4.0/Drivers/CMSIS/Include" -I"D:/Vrund/STM32CubeExpansion_SBSFU_V2.4.0/Drivers/STM32F4xx_HAL_Driver/Inc" -I"D:/Vrund/STM32CubeExpansion_SBSFU_V2.4.0/Drivers/BSP/STM32F413H-Discovery" -I"D:/Vrund/STM32CubeExpansion_SBSFU_V2.4.0/Drivers/BSP/Components/Common" -I"D:/Vrund/STM32CubeExpansion_SBSFU_V2.4.0/Utilities/Fonts" -I"D:/Vrund/STM32CubeExpansion_SBSFU_V2.4.0/Middlewares/ST/STM32_Cryptographic/Fw_Crypto/STM32F4/Inc" -I"D:/Vrund/STM32CubeExpansion_SBSFU_V2.4.0/Middlewares/ST/STM32_Secure_Engine/Core" -I"D:/Vrund/STM32CubeExpansion_SBSFU_V2.4.0/Middlewares/ST/STM32_Secure_Engine/Key" -I"D:/Vrund/STM32CubeExpansion_SBSFU_V2.4.0/Projects/STM32F413H-Discovery/Applications/1_Image/1_Image_SBSFU/SBSFU/App" -I"D:/Vrund/STM32CubeExpansion_SBSFU_V2.4.0/Projects/STM32F413H-Discovery/Applications/1_Image/1_Image_SBSFU/SBSFU/Target" -I"D:/Vrund/STM32CubeExpansion_SBSFU_V2.4.0/Projects/STM32F413H-Discovery/Applications/1_Image/Linker_Common/SW4STM32" -Os -g3 -Wall -fmessage-length=0 -Wno-strict-aliasing -ffunction-sections -c -fmessage-length=0 -MMD -MP -MF"Middlewares/STM32_Secure_Engine/se_bootinfo.d" -MT"Middlewares/STM32_Secure_Engine/se_bootinfo.o" -o "Middlewares/STM32_Secure_Engine/se_bootinfo.o" "D:/Vrund/STM32CubeExpansion_SBSFU_V2.4.0/Middlewares/ST/STM32_Secure_Engine/Core/se_bootinfo.c"
In file included from D:/Vrund/STM32CubeExpansion_SBSFU_V2.4.0/Middlewares/ST/STM32_Secure_Engine/Core/se_def.h:29:0,
from D:/Vrund/STM32CubeExpansion_SBSFU_V2.4.0/Middlewares/ST/STM32_Secure_Engine/Core/se_bootinfo.h:29,
from D:/Vrund/STM32CubeExpansion_SBSFU_V2.4.0/Middlewares/ST/STM32_Secure_Engine/Core/se_bootinfo.c:22:
c:\users\20033229\.eclipse\com.st.stm32cube.ide.mcu.rcp.product_1.5.1_1734239050_win32_win32_x86_64\plugins\fr.ac6.mcu.externaltools.arm-none.win32_1.17.0.201812190825\tools\compiler\lib\gcc\arm-none-eabi\7.3.1\include\stdint.h:9:16: fatal error: stdint.h: No such file or directory
# include_next <stdint.h>
^~~~~~~~~~
compilation terminated.
make: *** [Middlewares/STM32_Secure_Engine/se_bootinfo.o] Error 1
Middlewares/STM32_Secure_Engine/subdir.mk:43: recipe for target 'Middlewares/STM32_Secure_Engine/se_bootinfo.o' failed
"make all" terminated with exit code 2. Build might be incomplete.
Regards,
Vrund
2021-02-05 10:06 AM
Hello Vrund,
I'm afraid you have an issue with STM32CubeIDE installation because I can see reference to ac6. STM32CubeIDE is not using any ac6 plugin.
This error line "c:\users\20033229\.eclipse\com.st.stm32cube.ide.mcu.rcp.product_1.5.1_1734239050_win32_win32_x86_64\plugins\fr.ac6.mcu.externaltools.arm-none.win32_1.17.0.201812190825\tools\compiler\lib\gcc\arm-none-eabi\7.3.1\include\stdint.h"
is really strange.
Maybe you should make a clean install of STM32CubeIDE. Not sure...
Best regards
Jocelyn