2025-07-07 2:08 AM
I am following the "How to deploy SSP using a step-by-step approach". I am working on "3.1.2.2. Secret file content for STM32MP2 series". The target MPU is STM32MP257F. I have some questions as below:
1. How do I know whether to choose "Format 1" or "Format 2"?
2. I selected the binary file as FIP-EDMK, which is 256-bit but the KeySize shows 128-bit and it won't let me select 256-bit again. Is this acceptable?
2025-07-08 1:47 AM
Hello @ThinhNguyen,
According to the STM32 Trusted Package Creator user manual, it states:
"Select the endianness format of the binary, Format 1, or Format 2. (Format 1 is fixed for word item)." Since you’re working with a binary, you should select Format 2.
For the second question, you need to change the Enc/Wrap option to either Encryption or Wrapping to access the KeySize option and set it to 256-bit.
Please refer to the user manual UM2238 for more details.
Best Regards,
Zakaria
2025-07-08 2:03 AM
Hi @Zakaria1 ,
I read UM2238 but didn't see much mention of when to use Format 1 and when to use Format 2. As you said, when using binary files, you should choose Format 2, so why do OEM_KEY1_ROOT and RMA_LOCK_PSWD, which are also binary files, require choosing Format 1?
2025-07-08 2:11 AM
Hi @ThinhNguyen,
Sorry, I misunderstood. In fact, for all word items, the format is fixed as Format 1. For binary items, there is a choice, but for specific keys, I believe the tool enforces the format to avoid selecting an incorrect one. The format refers to the endianness used for writing keys to the OTPs. Here’s an example from UM2238:
Endianness given in the specification for format: Keys are represented as a string of bytes to be stored in consecutive OTP words. For example, a 64-bit key (0xAABBCCDDEEFF5566) is stored in two consecutive OTP words, KEY0 and KEY1. A key is stored in OTP words using one of the following formats:
• Format 1: KEY0 = 0xAABBCCDD, KEY1 = 0xEEFF5566
• Format 2: KEY0 = 0xDDCCBBAA, KEY1 = 0x6655FFEE
2025-07-08 2:22 AM
Hi @Zakaria1,
Thanks for clarifying. You are right. However, the problem is that I do not have the information to know whether the FIP-EDMK (32 random bytes) uses Format 1 or Format 2. I think this format is pre-defined so that the ROM code can read and understand the value in the OTP. ROM code is a blind spot for me. Can you provide relevant information to help me determine the format of the FIP-EDMK?
2025-07-08 2:24 AM
Please refer to this wiki page for the STM32MP23-25 OTP mapping to determine which format to use.
STM32MP23-25 OTP mapping - stm32mpu
Here’s a screenshot from the wiki showing that OEM_KEY1_ROT and OEM_KEY2_ROT must be in Format 1:
2025-07-08 2:30 AM
Hi @Zakaria1,
I looked through it, but unfortunately it doesn't mention anything about the FIP-EDMK format. You can see the image I pasted below.
Clicking the link led me to the instructions to enable secure boot. There is no information about the FIP-EDMK format type there either.
2025-07-08 3:09 AM
Indeed, the FIP-EDMK format is not specified in the wiki. I’ll look into updating the wiki page to include the correct format.
You can find the information in U-Boot in the file:
`arch/arm/mach-stm32mp/cmd_stm32key.c`
It contains:
```c
{
	.name = "FIP-EDMK",
	.desc = "Encryption/Decryption Master Key for FIP",
	.start = 260,
	.size = 8,
},
```
The format isn’t specified, so it defaults to Format 1.
```c
static int fuse_key_value(struct udevice *dev, const struct stm32key *key,
			  unsigned long addr, bool print)
{
	u32 word, val;
	int i, ret;
	u32 (*format)(u32) = format1;

	/* Use key_format function pointer if defined */
	if (key->key_format)
		format = key->key_format;
```
Format1 is the default value.
If the format is specified in the structure (always with Format 2), then Format 2 is used.
So, the format to use is indeed Format 1. I hope this answers all your questions. I’ll request information regarding the meaning of the Enc/Wrap option and respond in the other post.
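The two formats from the UM2238 excerpt, applied to a key file the size of FIP-EDMK, as an added example that is not part of the original thread or of U-Boot. The names `key_to_otp_words`, `word_format1` and `word_format2` are hypothetical, and the 32-byte input is a constructed test pattern; the OTP start word 260 and size of 8 words come from the table entry quoted above.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

enum otp_format { OTP_FORMAT1 = 1, OTP_FORMAT2 = 2 };

/* Format 1: key bytes AA BB CC DD are stored as the word 0xAABBCCDD. */
static uint32_t word_format1(const uint8_t *b)
{
    return ((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16) |
           ((uint32_t)b[2] << 8) | (uint32_t)b[3];
}

/* Format 2: the same bytes are stored byte-swapped, as 0xDDCCBBAA. */
static uint32_t word_format2(const uint8_t *b)
{
    return ((uint32_t)b[3] << 24) | ((uint32_t)b[2] << 16) |
           ((uint32_t)b[1] << 8) | (uint32_t)b[0];
}

/* Compute the values for nwords consecutive OTP words without writing any fuse.
 * Returns 0 on success, -1 on a bad format or a key length that does not fill
 * exactly nwords words (for example a 16-byte file for an 8-word slot). */
int key_to_otp_words(const uint8_t *key, size_t key_len, size_t nwords,
                     enum otp_format fmt, uint32_t *out)
{
    if (!key || !out || key_len != nwords * 4 ||
        (fmt != OTP_FORMAT1 && fmt != OTP_FORMAT2))
        return -1;
    for (size_t i = 0; i < nwords; i++)
        out[i] = (fmt == OTP_FORMAT1) ? word_format1(key + 4 * i)
                                      : word_format2(key + 4 * i);
    return 0;
}

int main(void)
{
    uint8_t key[32];   /* constructed test pattern 00 01 02 ..., NOT a real key */
    uint32_t otp[8];   /* FIP-EDMK: .size = 8 words */

    for (size_t i = 0; i < sizeof(key); i++)
        key[i] = (uint8_t)i;
    if (key_to_otp_words(key, sizeof(key), 8, OTP_FORMAT1, otp))
        return 1;
    for (int i = 0; i < 8; i++)   /* FIP-EDMK: .start = 260 */
        printf("OTP %d : %08x\n", 260 + i, otp[i]);
    return 0;
}
```

Because OTP words are locked after fusing, comparing this preview against the tool's output before provisioning catches a wrong format choice while it is still reversible.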
2025-07-08 3:12 AM
Hi @Zakaria1,
It answered my question. Thanks!
2025-07-08 7:36 PM
Hi @Zakaria1,
I opened the cmd_stm32key.c file to read more, but I found it very different from the code you quoted. Here is the code I have.
```c
static int fuse_key_value(struct udevice *dev, const struct stm32key *key, u32 addr, bool print)
{
	u32 word, val;
	int i, ret;

	for (i = 0, word = key->start; i < key->size; i++, word++, addr += 4) {
		val = __be32_to_cpu(*(u32 *)(long)addr);
		if (print)
			printf("Fuse %s OTP %i : %08x\n", key->name, word, val);

		ret = misc_write(dev, STM32_BSEC_OTP(word), &val, 4);
		if (ret != 4) {
			log_err("Fuse %s OTP %i failed\n", key->name, word);
			return ret;
		}
		/* on success, lock the OTP for the key */
		val = BSEC_LOCK_PERM;
		ret = misc_write(dev, STM32_BSEC_LOCK(word), &val, 4);
		if (ret != 4) {
			log_err("Lock %s OTP %i failed\n", key->name, word);
			return ret;
		}
	}

	return 0;
}
```
To make sure I didn't make a mistake I also checked the latest uboot patch file here: https://raw.githubusercontent.com/STMicroelectronics/meta-st-stm32mp/refs/heads/walnascar/recipes-bsp/u-boot/u-boot-stm32mp/0001-v2023.10-stm32mp-r1.2.patch
It also does not contain the code you quoted.
I would like to ask where I can find the code you quoted to read more about how they work.