SBSFU with two active and two download slots

sute · ‎2023-05-24

Hi,

I have an application using STM32H7B3, SBSFU and TouchGFX. We are running out of flash space so we want to place TouchGFX images to external flash. I understand that to achieve this, we need two SBSFU active and download slots. The first active slot and download slot are for application code, and they need to be placed in the internal flash with read protection. Images don't need read protection, so the second active slot and download slot can be used for them in the external flash.

I am wondering can this be achieved with SBSFU and are there any examples? There is the 2_Images_ExtFlash example for B-L475E-IOT01A, but it has both download slots placed in the external flash which we cannot do since the active firmware slot would be swapped there and it has no read protection. Although, I am a bit confused since the example has no SWAP area so how does it even work?

Thanks!

Jocelyn RICARD · ‎2023-05-24

Hello @MS.12utela

you should be able to have this working rapidly.

You first need to update the external flash driver in SBSFU (sfu_low_level_flash_ext.c )and possibly in your application if it in charge of downloading the update.

You need to create the slots in the mapping file in linker_common (mapping_fwimg.ld if you use STM32CubeIDE)

You will need to put the headers of the 2 active slots just after the SBSFU so they can be protected.

About the swap area, it depends on the swap configuration.

You can disable the swap by defining SFU_NO_SWAP

In that case, no swap area is needed and update is done by simply erasing old firmware by new one.

Best regards

Jocelyn

View solution in original post

Jocelyn RICARD · ‎2023-05-24

Hello @MS.12utela

you should be able to have this working rapidly.

You first need to update the external flash driver in SBSFU (sfu_low_level_flash_ext.c )and possibly in your application if it in charge of downloading the update.

You need to create the slots in the mapping file in linker_common (mapping_fwimg.ld if you use STM32CubeIDE)

You will need to put the headers of the 2 active slots just after the SBSFU so they can be protected.

About the swap area, it depends on the swap configuration.

You can disable the swap by defining SFU_NO_SWAP

In that case, no swap area is needed and update is done by simply erasing old firmware by new one.

Best regards

Jocelyn

sute · ‎2023-05-25

Thank you!

Fred · ‎2023-05-30

Hi,

be careful that the idea is also that the slots stored in external FLASH are encrypted:

Fred · ‎2023-05-30

Which gives when running your application:

sute · ‎2023-05-30

Hi,

Thanks for the reply. This is interesting and I think I may have misunderstood something then, as I remember reading that the external flash is not encrypted (can't remember where though). If this is the case then what if I have one active slot in the internal flash for which there is a corresponding download slot in the external flash. Is the data in the external flash always encrypted?

Fred · ‎2023-05-30

Maybe you found some information here:

https://www.st.com/resource/en/user_manual/um2262-getting-started-with-the-xcubesbsfu-stm32cube-expansion-package-stmicroelectronics.pdf

I would recommend section I.2

Fred · ‎2023-05-30

I think one of the diagrams is wrong as it indicates a non-encrypted firmware image.

This was not the design principle but I need to check the implementation.

I would trust the Figure 63.

Fred · ‎2023-05-30

Ok, it is encrypted:

/**

* @brief This function configure the flash in memory mapped mode to be able to execute code

* @param none

* @retval SFU_ErrorStatus SFU_SUCCESS if successful, SFU_ERROR otherwise.

*/

SFU_ErrorStatus SFU_LL_FLASH_EXT_Config_Exe(uint32_t SlotNumber)

{

SFU_ErrorStatus e_ret_status = SFU_ERROR;

SE_StatusTypeDef e_se_status = SE_KO;

SE_FwRawHeaderTypeDef FwImageHeader;

/* ensure previous operation is finished (erase/write) : GetStatus()

such verification is done (inside BSP driver) at the beginning of erase or write operation but

not for read operation ==> in order to maximise BSP driver execution timing efficiency */

while (BSP_OSPI_NOR_GetStatus(0U) != BSP_ERROR_NONE)

{

HAL_Delay(1);

}

/* Enable memory map mode */

if (BSP_OSPI_NOR_EnableMemoryMappedMode(0) == BSP_ERROR_NONE)

{

e_ret_status = SFU_SUCCESS;

}

/* Read firmware header : Nonce will be used for OTFDEC initialisation */

if (SFU_LL_FLASH_Read((uint8_t *)&FwImageHeader, (uint8_t *) SlotHeaderAdd[SlotNumber],

sizeof(FwImageHeader)) != SFU_SUCCESS)

{

e_ret_status = SFU_ERROR;

}

/* Initialisation of "On The Fly DECryption" for external flash */

if ((e_ret_status == SFU_SUCCESS) && (SE_ExtFlash_Decrypt_Init(&e_se_status, &FwImageHeader) == SE_SUCCESS))

{

e_ret_status = SFU_SUCCESS;

}

else

{

e_ret_status = SFU_ERROR;

}

return e_ret_status;

}

sute · ‎2023-05-31

Thanks a lot! This starts to look promising although it is still a bit unclear if I want to run the scenario where I have one active slot in the internal flash which is not encrypted and one download slot in the external flash. When the slots are swapped, will the unencrypted active slot be encrypted during the swap to the download slot?

Or is the idea that when On-The-Fly Decryption is activated, the active slot is encrypted even when placed in the internal flash? Will this affect performance?