FAQs
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Understanding SSP provisioning step by step ?

Go to solution
A.M.
Associate III

‎2025-03-17 3:44 AM

Hello,

I am trying to understand this document:

https://wiki.stmicroelectronics.cn/stm32mpu/wiki/How_to_deploy_SSP_using_a_step-by-step_approach

Generally speaking, I miss some context between the "SSP is nice to protect your firmware through HSM" and the how-to with many acronyms and missing explanations.

I spend a couple of days reading related documentation and still feel very lost.

"2.2 Payload file"
I understand this step as the creation of a file with all the secrets in it, including HSM and RMA keys/password.
What are the meaning of RSSe, DHUK, BHK or DHUK_xor_BHK acronyms?

** Question 1**  What are RSSe, DHUK, BHK ?

2.2.1:
My page looks very different. This section is not helpful.

2.2.1.2:
I believe this is the public key generated in step 2.1.1.
What is the RMA password? I understand that this password allows to protect RMA mode, but how is it created? should I provide a file with a random 16 character password? or is this an AES key? Is it one of the private keys generated in step 2.1.1 or 2.1.2?

**Question 2** How to create the file for the RMA password?

2.2.2 backup file memory creation:
What is this? Is nice to know how to do it, but it would be better to understand first it meaning and goal.
Need for some concepts here.

**Question 3** What is a "backup file memory creation"?

2.2.3 payload creation
I though that we already did that in the Secrets Gen (step 2.2.1).

**Question 4** What is the difference between the secrets file and the payload file?








Labels:
0 Kudos
1 ACCEPTED SOLUTION

Accepted Solutions
Go to solution
Febus
ST Employee

‎2025-03-18 9:14 AM

Hello,

I will try to help you with that topic.

Before answering your questions, I want to mention the AN5510 document, which provides more information on the process.
With the many acronyms involved, it can be hard to follow, but the Glossary page on the STM32MPU website can help you with all the new acronyms.

 

Question 1: What are RSSe, DHUK, BHK? 
RSSe stands for RSS extension firmware (Root Secure Services).
DHUK stands for derived hardware unique key. (source)
RHUK stands for root hardware unique key.
BHK stands for boot hardware key.

 

Question 2: How to create the file for the RMA password?
You can find more information about this part in section 5.1 of the AN5510 document and also AN5827

Question 3: What is a "backup file memory creation"?
You can use the STM32 Trusted Package Creator tool software described in the UM2238 User Manual. This manual provides a clearer explanation than I could give.

Question 4: What is the difference between the secrets file and the payload file?
Secrets file: This is the file you want to use, and it will be encrypted.
Payload file: This is what you will give to third parties.

Febus_0-1742314384466.png

 

For further details, refer to the respective documents and tools mentioned above.
If you need help, let me know

Febus

 

View solution in original post

1 REPLY 1
Go to solution
Febus
ST Employee

‎2025-03-18 9:14 AM

Hello,

I will try to help you with that topic.

Before answering your questions, I want to mention the AN5510 document, which provides more information on the process.
With the many acronyms involved, it can be hard to follow, but the Glossary page on the STM32MPU website can help you with all the new acronyms.

 

Question 1: What are RSSe, DHUK, BHK? 
RSSe stands for RSS extension firmware (Root Secure Services).
DHUK stands for derived hardware unique key. (source)
RHUK stands for root hardware unique key.
BHK stands for boot hardware key.

 

Question 2: How to create the file for the RMA password?
You can find more information about this part in section 5.1 of the AN5510 document and also AN5827

Question 3: What is a "backup file memory creation"?
You can use the STM32 Trusted Package Creator tool software described in the UM2238 User Manual. This manual provides a clearer explanation than I could give.

Question 4: What is the difference between the secrets file and the payload file?
Secrets file: This is the file you want to use, and it will be encrypted.
Payload file: This is what you will give to third parties.

Febus_0-1742314384466.png

 

For further details, refer to the respective documents and tools mentioned above.
If you need help, let me know

Febus

 

Top