FAQs
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

STMU385 - OEMiROT_Appli_TrustZone example - building as combined secure + non-secure doesn't work.

JVan .3
Associate II

‎2025-12-23 11:12 AM

I'm working with the STM32U385/375 for a project, and have started my investigation into how to convert it to a secure root of trust application by working with the OEMiROT examples.

In stock form it works well. The provisioning works, the update over the y-modem link works just fine, etc. However, I want to build a combined binary and not deal with separate non-secure and secure binaries to apply for an update.

Accordingly, I changed MCUBOOT_APP_IMAGE_NUMBER in OEMiROT_Boot/Inc/flash_layout.h from 2 to 1, like so:

#define MCUBOOT_APP_IMAGE_NUMBER 1 /* 1: S application only if FLASH_NS_PARTITION_SIZE = 0 ,
else S and NS application binaries assembled in one single image.
2: Two separated images for S and NS application binaries. */

The build works fine, the first part of the provisioning script works fine, the appropriate value is updated in appli_flash_layout.h, and the programming begins. However, it fails with this error:

=====
===== Error while executing "Programming the option bytes and flashing the images...".
===== See "ob_flash_programming.log" for details. Then try again.
=====

I looked in the log, where I see this:

"Application images programming in download slots"
Set boot address @0x1800C0
      -------------------------------------------------------------------
                       STM32CubeProgrammer v2.21.0                  
      -------------------------------------------------------------------

ST-LINK SN  : 003C003D3333511631363730
ST-LINK FW  : V3J16M7
Board       : NUCLEO-U385RG-Q
Voltage     : 3.28V
SWD freq    : 8000 KHz
Connect mode: Hot Plug
Reset mode  : Software reset
Device ID   : 0x454
Revision ID : Rev Z
Device name : STM32U3xx
Flash size  : 1 MBytes
Device type : MCU
Device CPU  : Cortex-M33
BL Version  : --
Debug in Low Power mode enabled

      -------------------------------------------------------------------
        Choose flashing speed for Cortex M33 series.(default speed=Reliable)                  
      -------------------------------------------------------------------

Error: File does not exist: oemirot_tz_app_init_sign.bin

 

I looked in the file system and I don't see that file. I don't see in the provisioning script where it ought to be generated. Any ideas what's going on here and how to fix it?

 

Labels:
0 Kudos
2 REPLIES 2
Jocelyn RICARD
ST Employee

‎2026-01-08 11:41 AM

Hello @JVan .3 ,

I made the test and confirm that is an issue.

The oemirot_tz_app_init_sign.bin is actually oemirot_tz_ns_app_init_sign.bin

So, normally if you rename manually oemirot_tz_ns_app_init_sign.bin by oemirot_tz_app_init_sign.bin it should work.

I will raise this 

Best regards

Jocelyn

0 Kudos
JVan .3
Associate II
In response to Jocelyn RICARD

‎2026-01-12 12:36 PM

I tried this, but something seems to go wrong.

Specifically, this is the output on the console:

[INF] TAMPER Activated
[INF] Flash operation: Op=0x0, Area=0x0, Address=0x0
[INF] Starting bootloader OEMiROT
[INF] Checking BL2 NV area
[INF] Checking BL2 NV area header
[INF] Checking BL2 NV Counter consistency
[INF] Consistent BL2 NV Counter 0  = 0x0
[INF] Swap type: none
[INF] Starting validation of primary slot(s)

The device never finishes validation, and hangs like this. Did you see a different result?

0 Kudos
Top