FAQs
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Where to store BHK key and RHUK key in stm32u585 in order to use SBSFU or a custom secure bootloader?

Go to solution
Aurelien1
Associate III

‎2022-08-30 01:16 AM

Hi, we have to use a secure bootloader for STM32U585.

I have reading documentation about SFI and SBSFU and I am confusing.

1)   

Is there

somewhere a porting of SBSFU on this device?

We want to use a custom secure

Bootloader that only check update inside external memory and flash it if security

check is ok.

I have written all the code to do it. But I don’t know where to store my RSA KEY. I want to use both RHUK and BHK.

2)   Where is the correct location to store BHK and RHUK key fir a correct security use?

If I am correct from my SBSFU reading, KEYs are just stored inside Internal Secure Flash (0x0C000000) and RDP is used to limit access to Flash from DEBUG port (SWD/JTAG).

3)   If yes why this key are not accessible to application? Is it because Application should not be executed in secure world?

Thanks to help me

Labels:
13 REPLIES 13
Go to solution
Jocelyn RICARD
ST Employee
In response to EGuar.1

‎2023-06-12 06:03 AM

Hello @Enrico Guariento​ ,

Please create a dedicated topic when asking a question so that answer can be useful for others.

STM32HSM has 2 possible states: Open and provisioned.

As soon as you have provisioned your HSM with keys, personalization data and max number of license with the STM32TrustedPackageCreator, you cannot go back.

You can use it to generate expected number of licenses for SFI process.

Once all licenses are consumed, you can trash the HSM card. It cannot be used anymore.

Best regards

Jocelyn

0 Kudos
Go to solution
EGuar.1
Associate II
In response to Jocelyn RICARD

‎2023-06-12 06:14 AM

I make a simple example: I download 3 licenses in the SmartCard and I use them to download the SFI files into the microcontroller. Once the SmartCard is empty, can I load 3 more different licenses for a different firmware or I have to throw the smartcard and buy a new one? ThankYou very much for the answer

0 Kudos
Go to solution
Jocelyn RICARD
ST Employee
In response to Jocelyn RICARD

‎2023-06-12 07:02 AM

Hi again @Enrico Guariento​ ,

Once the maximum number of licenses have been consumed, you cannot use the HSM anymore. You need to provision a new one.

Now, if you are making tests, the license produced for a chip is always the same.

So, one way to do is to request first the license for a chip, store it on your hard drive, and then provide this license each time you want to test SFI on this same chip.

Best regards

Jocelyn

0 Kudos
Go to solution
EGuar.1
Associate II

‎2023-06-12 07:14 AM

ThankYou very much Jocelyn for Your support. You were very clear in the answer and You provided me a great help. Best Regards.

0 Kudos
Top