FAQs
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

X-CUBE-SBSFU: Can you use non-secure boot? Also, can you update firmware using USART DFU?

Go to solution
PKryg.1
Associate II

‎2022-01-12 10:22 PM

Hello everyone,

I have pretty uncommon question. I'm working on STM32WB with SBSFU, and I'm wondering, if it's possible to use non-secure boot with it? As far as I'm concerned, secure boot is enabled by default, but many security features can be disable using flags.

Also, another question: All the provided examples are using USART YMODEM to transfer data. I know, that it really doesn't matter what kind of protocol you use as long as image is placed in a correct place in the memory, but I wonder if I can use DFU feature to update firmware and still use SBSFU. I think it should be possible.

Thank you in advance.

Labels:
0 Kudos
1 ACCEPTED SOLUTION

Accepted Solutions
Go to solution
Fred
ST Employee

‎2022-01-13 12:19 AM

Hi,

regarding your first point: SBSFU as a secure bootloader implements two things

(A) check and set-up the STM32 security infrastructure => this you can disable thanks to compiler switches in app_sfu.h.

You can enable SECBOOT_DISABLE_SECURITY_IPS to disable all IPs at once.

This means you won't have code isolation any more for instance.

(B) check the authenticity and integrity of the application before booting it.

This means using crypto services to check the firmware image you have programmed.

This cannot be disabled by compiler switches.

If you want to boot the firmware "blindly" (no check) then you can have a loot at sfu_boot.c to see how the bootloader does that. If you want to disable it then you have to bypass the checks.

Regarding your second point : at boot-up, SBSFU checks the content of the download slot to see if a new firmware image must be installed. You can use any method of your choice to populate this slot. As long as you write the ".sfb" correctly in this slot, it will be detected by SBSFU at boot stage and it will be installed.

Hope this helps.

View solution in original post

0 Kudos
2 REPLIES 2
Go to solution
Fred
ST Employee

‎2022-01-13 12:19 AM

Hi,

regarding your first point: SBSFU as a secure bootloader implements two things

(A) check and set-up the STM32 security infrastructure => this you can disable thanks to compiler switches in app_sfu.h.

You can enable SECBOOT_DISABLE_SECURITY_IPS to disable all IPs at once.

This means you won't have code isolation any more for instance.

(B) check the authenticity and integrity of the application before booting it.

This means using crypto services to check the firmware image you have programmed.

This cannot be disabled by compiler switches.

If you want to boot the firmware "blindly" (no check) then you can have a loot at sfu_boot.c to see how the bootloader does that. If you want to disable it then you have to bypass the checks.

Regarding your second point : at boot-up, SBSFU checks the content of the download slot to see if a new firmware image must be installed. You can use any method of your choice to populate this slot. As long as you write the ".sfb" correctly in this slot, it will be detected by SBSFU at boot stage and it will be installed.

Hope this helps.

0 Kudos
Go to solution
PKryg.1
Associate II

‎2022-01-13 07:20 AM

Yes! This is exactly the answer I was looking for. Thank you :).

0 Kudos
Top