2025-08-01 1:02 AM
I have followed the wiki to create my encryption keys;
https://wiki.st.com/stm32mpu/wiki/How_to_perform_Secure_Boot_from_Distribution_Package#Creating_encryption_key_for_STM32MP13--STM32MP21--STM32MP23_and_STM32MP25
Which suggest creating two keys for TF-A and FIP encryption.
But then in the same page it suggest we only load the encryption key for TF-A to OTP registers (i can not fit the FIP key into OTP anyways)
After i build my image with the following config;
SIGN_KEY = "../keys/privateKey00.pem"
SIGN_KEY_stm32mp13 = "../keys/privateKey00.pem"
EXTERNAL_KEY_CONF = "1"
SIGN_KEY_PASS = "pass pass pass pass pass pass pass pass"
SIGN_ENABLE = "1"
SIGN_TOOL = "/bin/STM32_SigningTool_CLI"
ENCRYPT_ENABLE = "1"
ENCRYPT_FSBL_KEY = "../keys/stm32mp_encryption_key.bin"
ENCRYPT_FSBL_KEY_stm32mp13 = "../keys/stm32mp_encryption_key.bin"
ENCRYPT_FIP_KEY = "../keys/stm32mp_encryption_key_256bits.bin"
ENCRYPT_FIP_KEY_stm32mp13 = "../keys/stm32mp_encryption_key_256bits.bin"
I get this error;
NOTICE: CPU: STM32MP135F Rev.Y
NOTICE: Model: EGate Rev D
NOTICE: Bootrom authentication succeeded
NOTICE: Reset reason (0x34):
NOTICE: BL2: v2.10-stm32mp1-r1.0(release):lts-v2.10.5-dirty(7c229848)
NOTICE: BL2: Built : 16:19:31, Jun 28 2024
NOTICE: TRUSTED_BOARD_BOOT support enabled
ERROR: File decryption failed (4)
ERROR: BL2: Failed to load image id 4 (-2)
Which makes sense because I assume TF-A uses the key in the OTP to decrypt the image, which would fail.
When I try to encrypt FIP using the same key as TF-A I get the following error;
| CMD> encrypt_fw \
| --key <my-key> \
| --nonce 1234567890abcdef12345678 \
| --fw-enc-status 0 \
| --in /yocto/build/tmp-glibc/work/egate_revd-oe-linux-gnueabi/fip-stm32mp/6.0/recipe-sysroot/optee/tee-header_v2-stm32mp135f-dk-custom-mx-optee.bin \
| --out /yocto/build/tmp-glibc/work/egate_revd-oe-linux-gnueabi/fip-stm32mp/6.0/recipe-sysroot/optee/tee-header_v2-stm32mp135f-dk-custom-mx-optee_Encrypted.bin
| ERROR: Unsupported key size: 32
| [TOOLS ERROR]: ENCTOOL optee header error
When I completely skip encryption and only use signed binaries I get yet another error;
NOTICE: CPU: STM32MP135F Rev.Y
NOTICE: Model: EGate Rev D
NOTICE: Bootrom authentication succeeded
NOTICE: Reset reason (0x34):
NOTICE: BL2: v2.10-stm32mp1-r1.0(release):lts-v2.10.5-dirty(7c229848)
NOTICE: BL2: Built : 16:19:31, Jun 28 2024
NOTICE: TRUSTED_BOARD_BOOT support enabled
ERROR: BL2: Failed to load image id 4 (-5)
Any suggestions?
2025-08-01 4:46 AM - edited 2025-08-01 5:18 AM
My tf-a binary dump;
STM32_SigningTool_CLI -dump build/tmp-glibc/deploy/images/egate-revd/arm-trusted-firmware/tf-a-stm32mp135f-dk-custom-mx-optee-programmer-usb_Signed.stm32
-------------------------------------------------------------------
STM32 Signing Tool v2.19.0
-------------------------------------------------------------------
Header description:
Magic: 0x53544d32
Signature: 04 17 61 e8 bf d6 13 9d 33 cf 94 ac ac 66 9d 68 b6 05 5b 48 c9 5e 01 34 0c f2 a9 2b de 4d 03 ef
27 a0 e2 18 9d 53 f2 82 96 df f6 78 5b eb 07 de 43 4a fa 5f 85 2e 4c 35 83 d8 be 72 62 49 ff b5
Checksum: 0x7da8d7
Header version: 0x20000
Size: 0x179e0
Load address: 0x2ffe0000
Entry point: 0x2ffe5000
Image version: 0x0
Extension: 0x80000001
ECDSA : 256
Authentication header detected:
Type: 0x53540002
Size: 0x154
Key index: 0x0
Key number: 0x8
ECDSA Algo: 0x1
ECDSA pub key: 45 c4 98 50 f7 4b f5 33 67 c1 bf 52 dc 2a 28 f0 2e 89 07 6a b2 8e 24 1f df 8f 75 48 80 da 1e f5
21 64 26 d8 53 d6 ac b1 f7 38 b0 d5 e3 2d a2 b7 2a 18 16 96 ab 72 4d 2a 17 87 25 aa 62 32 08 fa
Key 0: 0c 83 ca 35 5e 04 f8 5f 91 36 a6 54 7d 26 4b 44 f7 07 b3 3c a7 e8 e7 d9 58 bd fc 50 be 55 a6 f2
Key 1: 39 74 65 5e 76 e5 0b a5 6a 02 60 c2 3b e7 61 d6 bd c8 17 42 89 cf 56 19 c2 32 0f 18 a6 70 c3 bc
Key 2: be 0b 2f ff ef 9b 31 11 71 a1 97 ef 8a 72 3c 0f 91 60 56 ee 04 07 ba 3c 34 42 b2 9c 70 38 96 8c
Key 3: 27 db 2a 44 1b b2 af c2 7d 59 c7 38 da 9a 66 d3 80 9c be 99 97 63 f5 13 6c 98 a9 e3 49 60 89 17
Key 4: de 58 04 6f 77 15 54 2f 19 9d a2 13 c2 f5 9c 31 4f be 15 cd 51 a8 14 c1 81 aa 61 6b b6 e4 85 d9
Key 5: e6 61 12 23 10 a6 72 d4 9a fa 93 cf c4 57 14 d1 be f1 0f 9e f0 bc 45 89 19 27 53 d3 f6 0a 55 5c
Key 6: 0b 87 c6 72 fb 14 da f3 2c ea 8f 44 5c 1d 37 86 c1 61 7f 4b e7 29 26 7f 8e 51 dd 6a 6b 75 d1 1a
Key 7: fd 61 59 63 b5 d7 b6 ba 59 13 ce 83 91 bc d2 fe 2b 48 62 eb 5a df 5f 00 48 73 b3 0c 1e 15 a2 76
Pad header detected:
Type: 0x5354ffff
Size: 0x2c
Padding values: 02 1c f2 fa 14 a0 d0 03 1e 93 9e 7a dc 78 78 88 a2 23 1b 0f d8 37 54 d8 21 6e 0b db d6 0c 69
01 79 61 ab ad
and fip info;
build/tmp-glibc/sysroots-components/x86_64/tf-a-tools-native/usr/bin/fiptool info build/tmp-glibc/deploy/images/egate-revd/fip/fip-stm32mp135f-dk-custom-mx-optee-emmc_Signed.bin
Secure Payload BL32 (Trusted OS): offset=0x240, size=0x1C, cmdline="--tos-fw"
Secure Payload BL32 Extra1 (Trusted OS Extra1): offset=0x25C, size=0x8BFE0, cmdline="--tos-fw-extra1"
Non-Trusted Firmware BL33: offset=0x8C23C, size=0x115BC8, cmdline="--nt-fw"
FW_CONFIG: offset=0x1A1E04, size=0x236, cmdline="--fw-config"
HW_CONFIG: offset=0x1A203A, size=0xC530, cmdline="--hw-config"
Trusted key certificate: offset=0x1AE56A, size=0x283, cmdline="--trusted-key-cert"
Trusted OS Firmware key certificate: offset=0x1AE7ED, size=0x22B, cmdline="--tos-fw-key-cert"
Non-Trusted Firmware key certificate: offset=0x1AEA18, size=0x22E, cmdline="--nt-fw-key-cert"
Trusted Boot Firmware BL2 certificate: offset=0x1AEC46, size=0x2C9, cmdline="--tb-fw-cert"
Trusted OS Firmware content certificate: offset=0x1AEF0F, size=0x2E2, cmdline="--tos-fw-cert"
Non-Trusted Firmware content certificate: offset=0x1AF1F1, size=0x255, cmdline="--nt-fw-cert"
STM32MP CONFIG CERT: offset=0x1AF446, size=0x286, cmdline="--stm32mp-cfg-cert"