2022-05-03 12:48 AM
Hi,
I want to perform the SSP process as detailed at:
(I also went over the STM32_prog documents)
I am now trying to program my HSMv2 card and I don't understand which file I need to provide in "Personalization data file"
(Trusted Package Creator - HSM Tab)
There are 2 options:
I don't understand which one I need to pick.
My MPU is "STM32MP157CAB3" (Rev Z).
Is it 5000300 because of the "3" after the "CAB"?
The "5000" part I understand; I can see this value in the DFU device info.
The "200" vs "300" I don't understand.
According to the docs, I need to know the product ID of my MPU,
and they suggest using "STM32_Programmer_CLI -c port=swd -gc "certificate.bin"" to find out this value,
but this command is failing:
"an error occurred while uploading data from the virtual partition 0xF1"
Another thing I don't fully understand is the value of the "Firmware identifier" field in the HSM tab.
Is it any string I want?
The example images show "SSP_MPU"
Thanks,
Michael
2022-05-05 04:40 AM
Hi MVass.1,
I followed the same steps as you and I understand this is confusing. I've asked for changes to be made in the next release of the document, as it is taken from the UM2238 document, originally designed for STM32 MCUs.
The correct procedure to generate the certificate from the command STM32_Programmer_CLI is not correctly described for MPU, in either document AN5510 or UM2238.
To get the product ID of your MPU part, you need first to generate the tfa-ssp file from an OpenSTLinux development package, following this step:
https://wiki.st.com/stm32mpu/wiki/How_to_configure_TFA_BL2#Secure_secret_provisioning_-28SSP-29
Then, for instance using an STM32MP15-EV1, put the board in DFU mode and run a script similar to the one below:
STM32_Programmer_CLI -c port=usb1 -d tf-a-ssp-stm32mp157f-ev1-trusted.stm32 0x01 -s
STM32_Programmer_CLI -c port=usb1 -gc "MP15_CERT.bin"
USB speed : High Speed (480MBit/s)
Manuf. ID : STMicroelectronics
Product ID : DFU in HS Mode @Device ID /0x500, @Revision ID /0x0000
SN : 002C00453438511836383238
FW version : 0x0110
Board : --
Device ID : 0x0500
Device name : STM32MP1
Device type : MPU
Revision ID : --
Device CPU : Cortex-A7
Certificate File : MP15_CERT.bin
Requesting Chip Certificate...
Get Certificate done successfully
Writing data to file MP15_CERT.bin
Writing chip certificate to file MP15_CERT.bin finished successfully
Time elapsed during the getcertificate operation is: 00:00:00.011
Then, if you open MP15_CERT.bin (using xxd for instance):
$ xxd MP15_CERT.bin
00000000: 3530 3030 3230 3041 2ce9 0432 c67e bac5 5000200A,..2.~..
you see which personalisation data file to choose in Trusted Package Creator.
Regarding the Firmware ID field, this is just some personalized data, so any string of 15 characters max.
Regards,
Olivier
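As an added example (not part of the original reply and not ST tooling), this Python sketch automates the xxd check above: it reads the head of the file written by -gc and reports which of the two candidate IDs mentioned in the thread it starts with. The function names are hypothetical, the sample bytes are those of the xxd line above, and treating the leading ASCII alphanumeric run as the ID field is an assumption based on that single dump.

```python
import sys

# The two personalization-data options named in the thread.
CANDIDATE_IDS = ("5000200", "5000300")

# Constructed sample: the 16 bytes shown in the xxd line above.
SAMPLE_CERT_HEAD = bytes.fromhex("35303030323030412ce90432c67ebac5")


def leading_ascii_run(data: bytes) -> str:
    """Return the run of ASCII letters/digits at the start of data."""
    run = []
    for byte in data:
        ch = chr(byte)
        if byte < 0x80 and ch.isalnum():
            run.append(ch)
        else:
            break
    return "".join(run)


def match_product_id(data: bytes, candidates=CANDIDATE_IDS):
    """Return (matched_id, trailing_chars); raise ValueError if none match."""
    text = leading_ascii_run(data)
    if not text:
        # An empty or binary-only head means the -gc step did not produce
        # the expected file (for example, the upload error quoted above).
        raise ValueError("file is empty or does not start with ASCII text")
    for cand in candidates:
        if text.startswith(cand):
            return cand, text[len(cand):]
    raise ValueError(f"leading text {text!r} matches none of {candidates}")


def product_id_from_file(path: str):
    """Read only the head of the certificate file and match it."""
    with open(path, "rb") as fh:
        return match_product_id(fh.read(16))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(product_id_from_file(sys.argv[1]))
    else:
        print(match_product_id(SAMPLE_CERT_HEAD))
```

Run it with the path to MP15_CERT.bin as the only argument; the trailing characters after the matched ID are returned uninterpreted.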
2022-05-08 06:08 AM
Thanks @OlivierK
This method worked
(although I had to run the "-d tf-a-ssp-stm32mp157f-ev1-trusted.stm32 0x01 -s" command twice in a row for the "-gc" command to work).
Is this really the expected way to determine which file needs to be used? There must be a simpler method.
Btw,
I did this on 3 boards:
stm32mp157c-dk2
stm32mp157f-ev1
our production board (stm32mp157c rev Z)
All were 5000200, so I wonder who needs "5000300".
BR,
Michael