ST-HSMv2 programming - personalization data & fw id

MVass.1 · ‎2022-05-03

Hi,

I want to perform the SSP process as detailed at:

https://www.st.com/resource/en/application_note/an5510-overview-of-the-secure-secret-provisioning-ssp-on-stm32mp1-series-stmicroelectronics.pdf

(I also went over the STM32_prog documents)

I am now trying to program my HSMv2 card and I don't understand which file I need to provide in "Personalization data file"

(Trusted Package Creator - HSM Tab)

There are 2 options:

STM32MP1_5000200A_SSP_01000000_00000000.enc.bin
STM32MP1_5000300A_SSP_01000000_00000000.enc.bin

I don't understand which one I need to pick

my MPU is "STM32MP157CAB3" (Rev Z)

is it 5000300 because of the "3" after the "CAB" ?

The "5000" part I understand, I can see this value in the DFU device info

The "200" vs "300" I don't understand

According to the Docs, I need to know the product ID of my MPU

And they suggest using "STM32_Programmer_CLI –c port=swd –gc "certificate.bin"" to find out this value

but this command is failing:

"an error occurred while uploading data from the virtual partition 0xF1"

Another thing I don't quite fully understand is the value of "Firmware identifier" field in the HSM tab

Is it any string I want ?

The example images show "SSP_MPU"

Thanks,

Michael

OlivierK · ‎2022-05-05

Hi MVass.1 (Community Member)

I followed the same step as you and I understand this is confusing. I've asked to make the changes for the next release of the document as it is taken from the UM2238 document, originally designed for STM32 MCUs .

The correct procedure to generate the certificate from the command STM32_Programmer_CLI is not correctly described for MPU, in either document AN5510 or UM2238.

To get the product ID of your MPU part, you need first to generate the tfa-ssp file from an OpenSTLinux development package, following this step:

https://wiki.st.com/stm32mpu/wiki/How_to_configure_TFA_BL2#Secure_secret_provisioning_-28SSP-29

Then, for instance using a STM32MP15-EV1, put the board in DFU mode and run a similar script below:

STM32_Programmer_CLI -c port=usb1 -d tf-a-ssp-stm32mp157f-ev1-trusted.stm32 0x01 -s

STM32_Programmer_CLI -c port=usb1 -gc "MP15_CERT.bin"

SB speed : High Speed (480MBit/s)

Manuf. ID : STMicroelectronics

Product ID : DFU in HS Mode @Device ID /0x500, @Revision ID /0x0000

SN : 002C00453438511836383238

FW version : 0x0110

Board : --

Device ID : 0x0500

Device name : STM32MP1

Device type : MPU

Revision ID : --

Device CPU : Cortex-A7

Certificate File : MP15_CERT.bin

Requesting Chip Certificate...

Get Certificate done successfully

Writing data to file MP15_CERT.bin

Writing chip certificate to file MP15_CERT.bin finished successfully

Time elapsed during the getcertificate operation is: 00:00:00.011

then if you open the MP15_CERT.bin (using xxd for instance)

$ xxd MP15_CERT.bin

00000000: 3530 3030 3230 3041 2ce9 0432 c67e bac5 5000200A,..2.~..

You see which personalisation data file to choose in Trusted Package Creator.

STM32MP1_5000200A_SSP_01000000_00000000.enc.bin
STM32MP1_5000300A_SSP_01000000_00000000.enc.bin

Regarding the Firmware ID field, this is just some personalized data so any string of 15 char max.

Regards,

Olivier

In order to give better visibility on the answered topics, please click on 'Accept as Solution' on the reply which solved your issue or answered your question.

View solution in original post

OlivierK · ‎2022-05-05