How to Sign/Sign & Encrypt FIP Binary manually?

ThinhNguyen · ‎2025-07-10

I am working on STM32MP257F. I read the Artical "How to perform Secure Boot from Distribution Package". It doesn't seem to mention Sign or Sign & Encrypt FIP Binary manually. In my case it is necessary to Sign/Sign & Encrypted FIP binary manually and do it outside of Yocto. This is done only with 1 specific person and does not expose the private key.

Please give me an example to Sign/Sign & Encrypt FIP binary manually using STM32_SigningTool_CLI.

Thanks.

Jean-Christophe_TROTIN · ‎2025-07-11

Hi @ThinhNguyen,

I could suggest that you have a look at the following documents (if not already done):

https://wiki.st.com/stm32mpu/wiki/Signing_tool STM32 MPU wiki article (the example 5 might be interesting for you).
https://www.st.com/resource/en/user_manual/dm00595234-stm32mp1-series-signing-tool-software-description-stmicroelectronics.pdf user manual (STM32 signing tool software description); there are examples in the chapter 2.2.

Hope this information helps.

Regards,

JC.

In order to give better visibility on the answered topics, please click on 'Accept as Solution' on the reply which solved your issue or answered your question.

ThinhNguyen · ‎2025-07-15

Hi @Jean-Christophe_TROTIN

I sent time to read the documents but it does not mention about sign FIP binary image. I found a script create_st_fip_binary.sh in meta-st-stm32mp

The command to generate an Encrypted & Sign FIP image is as below:

create_st_fip_binary.sh --use-bl31 --encrypt /mnt/HDD_2TB/stm32mp25-encryptionkey/stm32mp_encryption_key_fip.bin --sign --signature-key /mnt/HDD_2TB/stm32mp25-signaturekey/privateKey00.pem --signature-key-pass aizelk --use-ddr --search-secondary-config default:optee --search-configuration optee-emmc --search-devicetree stm32mp257f-dk --search-soc-name stm32mp25 --output /mnt/SSD_240GB/fip

# export FIP_DEPLOYDIR_ROOT before running the command.

I successfully generated FIP image. Then I programmed the image to eMMC of STM32MP257F-DK for testing. It was not working. Here is the log:

NOTICE: CPU: STM32MP257FAK Rev.Y
NOTICE: Model: STMicroelectronics STM32MP257F-DK Discovery Board
NOTICE: Board: MB1605 Var1.0 Rev.C-01
NOTICE: Reset reason: Power-on reset (por_rstn) (0x2035)
NOTICE: BL2: v2.10-stm32mp2-r1.0(release):lts-v2.10.5-dirty(7c229848)
NOTICE: BL2: Built : 16:19:31, Jun 28 2024
NOTICE: TRUSTED_BOARD_BOOT support enabled
ERROR: BL2: Failed to load image id 3 (-27)

Any suggestions?