Review a secret file content for STM32MP2 series to enable secure boot

ThinhNguyen
Associate III

My goal is to create an SSP payload and write it to the OTP of the STM32MP257F chip. The OS running on my KIT is based on OpenSTLinux.

To get the SSP Payload, a Secret file is required. I just need secure boot.

I refer to the following sources:

The contents of my Secret file will include the components as shown below. (JSON file attached)

[Image: ThinhNguyen_0-1752114013070.png]

Is a secret file with such components enough for secure boot? And please advise if there are any invalid options in the Secret list.

Accepted Solutions
ThomasB
ST Employee

Hello @ThinhNguyen,

On MP2x A35TD these four elements are sufficient.

Keep in mind that the first two elements (OEM_KEY1_ROT and RMA_LOCK_PSWD) are mandatory. The two others are optional, depending on what you want to achieve:

  • OEM_FIP_EDMK is used to decrypt the FIP binaries (OP-TEE, U-Boot). If you do not encrypt your FIP, it is not required.
  • OEM_KEY1_EDMK is used to decrypt the FSBL (TF-A). If you do not encrypt the FSBL, it is not required.

 

Best regards,

Thomas
