2025-07-10 1:55 AM
I am working on STM32MP257F. I read the article "How to perform Secure Boot from Distribution Package". It doesn't seem to mention how to sign, or sign & encrypt, the FIP binary manually. In my case it is necessary to sign, or sign & encrypt, the FIP binary manually and to do it outside of Yocto. This is done by only 1 specific person and does not expose the private key.
Please give me an example of how to sign, or sign & encrypt, the FIP binary manually using STM32_SigningTool_CLI.
Thanks.
2025-07-11 5:22 AM
Hi @ThinhNguyen,
I could suggest that you have a look at the following documents (if not already done):
Hope this information helps.
Regards,
JC.
2025-07-15 3:14 AM
I spent time reading the documents, but they do not mention signing the FIP binary image. I found a script, create_st_fip_binary.sh, in meta-st-stm32mp.
The command to generate an encrypted & signed FIP image is as below:
create_st_fip_binary.sh --use-bl31 --encrypt /mnt/HDD_2TB/stm32mp25-encryptionkey/stm32mp_encryption_key_fip.bin --sign --signature-key /mnt/HDD_2TB/stm32mp25-signaturekey/privateKey00.pem --signature-key-pass aizelk --use-ddr --search-secondary-config default:optee --search-configuration optee-emmc --search-devicetree stm32mp257f-dk --search-soc-name stm32mp25 --output /mnt/SSD_240GB/fip
# export FIP_DEPLOYDIR_ROOT before running the command.
I successfully generated the FIP image. Then I programmed the image to the eMMC of the STM32MP257F-DK for testing. It was not working. Here is the log:
NOTICE: CPU: STM32MP257FAK Rev.Y
NOTICE: Model: STMicroelectronics STM32MP257F-DK Discovery Board
NOTICE: Board: MB1605 Var1.0 Rev.C-01
NOTICE: Reset reason: Power-on reset (por_rstn) (0x2035)
NOTICE: BL2: v2.10-stm32mp2-r1.0(release):lts-v2.10.5-dirty(7c229848)
NOTICE: BL2: Built : 16:19:31, Jun 28 2024
NOTICE: TRUSTED_BOARD_BOOT support enabled
ERROR: BL2: Failed to load image id 3 (-27)
Any suggestions?