Hi,
During the actual production of our stm32mp157c products we do intend to use the HSM flow.
But for now I am simply trying to test the SSP flow with some debug (development) keys and without access to an HSM.
I went over:
https://www.st.com/resource/en/application_note/an5510-overview-of-the-secure-secret-provisioning-ssp-on-stm32mp1-series-stmicroelectronics.pdf
and
https://www.st.com/resource/en/user_manual/dm00403513-stm32-trusted-package-creator-tool-software-description-stmicroelectronics.pdf
but unfortunately there is not much information regarding the STM32_Programmer_CLI.exe "-ssp" command with "hsm" flag equal to "0" (HSM not used)
only:
"<license_path|slot=slotID>: path to the license file (if hsm=0)
reader slot ID if HSM is used (if hsm=1)"
I don't quite understand exactly what "license file" I need to provide the command.
And also, if HSM is not used, how will the ST MPU decrypt the data file (OTP keys) ? I am assuming it is somehow related to this license file ? because in the HSM flow, the HSM knows the AES decryption key and passes it to the ST MPU.
I do see a "License" tab in the latest version "STM32 Trusted Package Creator" but there is no documentation for this option in the tool's documentation I linked above.
If this Tab is the remaining peace that I am missing, then I do need some help understanding the input it requires.
I guess that "FW key file" & "Nonce file" are the AES-128-GCM values used in the "SSP" tab ?
what is "Image version" ?
what is "Public key file" ? is this the ECDSA OEM key used for the secure boot flow ?
Thanks,
Michael
