FAQs
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Review a secret file content for STM32MP2 series to enable secure boot

Go to solution
ThinhNguyen
Associate III

‎2025-07-09 7:30 PM

My goal is to create a SSP payload and write it to the OTP of the STM32MP257F chip. The OS running on my KIT is based on OpenSTLinux.

To get the SSP Payload, a Secret file is required. I just need secure boot.

I refer to the following sources:

The contents of my Secret file will include the components as shown below. (Json file attached)

ThinhNguyen_0-1752114013070.png

Is a secret file with such components enough for secure boot? And please advise if there are any invalid options in the Secret list

Preview file
10 KB
0 Kudos
1 ACCEPTED SOLUTION

Accepted Solutions
Go to solution
ThomasB
ST Employee

‎2025-08-11 2:08 AM

Hello @ThinhNguyen,

On MP2x A35TD these four elements are sufficient.

Keep in mind that the first two elements (OEM_KEY1_ROT and RMA_LOCK_PSWD) are mandatory. The two others are optional, depending on what you want to achieve :

  • OEM_FIP_EDMK is used to decrypt the FIP binaries (OP-TEE, U-Boot). If you do not encrypt your FIP, it is not required.
  • OEM_KEY1_EDMK is used to decrypt the FSBL (TF-A). If you do not encrypt the FSBL, it is not required.

 

Best regards,

Thomas


In order to give better visibility on the answered topics, please click on 'Accept as Solution' on the reply which solved your issue or answered your question.

View solution in original post

1 REPLY 1
Go to solution
ThomasB
ST Employee

‎2025-08-11 2:08 AM

Hello @ThinhNguyen,

On MP2x A35TD these four elements are sufficient.

Keep in mind that the first two elements (OEM_KEY1_ROT and RMA_LOCK_PSWD) are mandatory. The two others are optional, depending on what you want to achieve :

  • OEM_FIP_EDMK is used to decrypt the FIP binaries (OP-TEE, U-Boot). If you do not encrypt your FIP, it is not required.
  • OEM_KEY1_EDMK is used to decrypt the FSBL (TF-A). If you do not encrypt the FSBL, it is not required.

 

Best regards,

Thomas


In order to give better visibility on the answered topics, please click on 'Accept as Solution' on the reply which solved your issue or answered your question.
Top