FAQs
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Issue Integrating FreeRTOS with Secure Manager on STM32H5

Go to solution
Musa2
Associate II

‎2025-02-13 6:48 AM

Hello,

I am new to the STM32 development environment and real-time programming. I have the STM32H573I-DK development board and have followed the workshop provided by ST, available on the wiki:

https://wiki.stmicroelectronics.cn/stm32mcu/wiki/Security:How_to_start_with_STM32CubeMX_Secure_Manager_on_STM32H57

I am using STM32Cube_H5_V1.4.0. However, the default RTC clock configuration does not work. During RTC initialization, I am forced to configure it with the LSE source, otherwise, the program gets stuck when executing the SystemClock_Config() function.

rtc.png

After this modification, the program eventually works, and timestamps are correctly displayed on the serial terminal. However, I need to integrate FreeRTOS into the non-secure part of my application. When I add the X-CUBE-FREERTOS package (version 1.3.0), generate, and compile the project, I encounter the following errors:

Freertos_error.png

 

 

Secure_manager/Middlewares/Third_Party/FreeRTOS/Source/portable/GCC/ARM_CM33/non_secure/port.c:1047: undefined reference to `SecureContext_LoadContext'
Secure_manager/Middlewares/Third_Party/FreeRTOS/Source/portable/GCC/ARM_CM33/non_secure/port.c:1058: undefined reference to `SecureContext_FreeContext'
/Secure_manager/Middlewares/Third_Party/FreeRTOS/Source/portable/GCC/ARM_CM33/non_secure/port.c:1067: undefined reference to `SecureInit_DePrioritizeNSExceptions'
Secure_manager/Middlewares/Third_Party/FreeRTOS/Source/portable/GCC/ARM_CM33/non_secure/port.c:1070: undefined reference to `SecureContext_Init'
Secure_manager/Middlewares/Third_Party/FreeRTOS/Source/portable/GCC/ARM_CM33/non_secure/portasm.c:423: undefined reference to `SecureContext_SaveContext'
Secure_manager/Middlewares/Third_Party/FreeRTOS/Source/portable/GCC/ARM_CM33/non_secure/portasm.c:423: undefined reference to `SecureContext_LoadContext'

 

 

I have checked this response on the ST community:

https://community.st.com/t5/stm32cubemx-mcus/facing-issue-in-project-creation-through-stm32cube-ide/td-p/54415, but it does not apply to my case since this is not a fully secure application. Only the Secure Manager is used.

Here are the software versions I am using:

  • STM32CubeIDE : 1.17.0
  • STM32CubeMX : 6.13.0
  • STM32CubeProgrammer : 2.18.0
  • X-CUBE-FREERTOS : 1.3.0
  • STM32Cube_H5 : 1.4.0

My question is: How can I use the Secure Manager with a non-secure FreeRTOS application?

Additional note: When I remove the FreeRTOS package and attempt to debug, I frequently encounter a debugging-related error every other time :

erreor.png

Thank you in advance for your help.

 

 

Labels:
Secure_manager.ioc
169 KB
376 KB
0 Kudos
1 ACCEPTED SOLUTION

Accepted Solutions
Go to solution
Jocelyn RICARD
ST Employee

‎2025-03-06 9:38 AM

Hello @Musa2 ,

I'm sorry for late answer, I just missed your post, and was very busy recently (I'm still)

First, one important information is that new CubeMX 6.14 does not support Secure Manager boot path anymore.

This decision was taken because of too complex maintenance.

Following this decision, I made a simple test using a simple CubeMX project, and it work fine.

I share here the different steps I used. This is just to unblock. I requested an official update of wiki to have a clean way to do it.

Here you just need to create a CubeMX project selecting no TrustZone. The non secure application don't need to know anything about secure part, just being able to call the PSA API.

This should make things even simpler than with the old CuibeMX with SM boot path.

here are the steps:

1) Create CubeMX project setting peripherals needed
2) Set heap size = 0x2000 and stack size=0x1000 in mx project configuration to fit with size in SMAKg
3) Generate the project at same level as SMAK_Appli
4) Edit Drivers/CMSIS/system_stm32h5xx.c and comment the code that sets SCB->VTOR
5) Add prebuild and postbuild : Same as SMAK_Appli project in build steps
    a)Prebuild: python ../../project.py prebuild --compiler CubeIDE_Debug
    b)Postbuild: python ../../project.py postbuild
6) Postbuild output: Convert to binary
7) copy project.py and project.ini from SMAK_Appli in root dir of project
8) Update project.ini with right project name (here SMAppli_MX)
9) Copy Images directory with 2 xml files from SMAK_Appli
10) Create Binary directory (necessary for imgtool)
11) Reuse linker script from SMAK_Appli (just copy in place of the one generated by CubeMX
12) The prebuild requires presence of inc\fwu.h but can be commented in project.py (this is to update number of modules used)

As you can see I didn't integrate PSA API. I thing this will need manual addition of source files + adding the include path. But didn't do it yet. I join a zip file with the generated project.

 

Regarding FreeRTOS integration, you should also be fine because you are in a non secure environement, so CubeMX will not try to provide the Secure call required in such case.

Now, you need to be aware that SM PSA API are not reentrant (same as for TFM). So, only one call to PSA API should be done at a time.

 

Best regards

Jocelyn

 

View solution in original post

SMAppli_MX.zip
4 REPLIES 4
Go to solution
Jocelyn RICARD
ST Employee

‎2025-03-06 9:38 AM

Hello @Musa2 ,

I'm sorry for late answer, I just missed your post, and was very busy recently (I'm still)

First, one important information is that new CubeMX 6.14 does not support Secure Manager boot path anymore.

This decision was taken because of too complex maintenance.

Following this decision, I made a simple test using a simple CubeMX project, and it work fine.

I share here the different steps I used. This is just to unblock. I requested an official update of wiki to have a clean way to do it.

Here you just need to create a CubeMX project selecting no TrustZone. The non secure application don't need to know anything about secure part, just being able to call the PSA API.

This should make things even simpler than with the old CuibeMX with SM boot path.

here are the steps:

1) Create CubeMX project setting peripherals needed
2) Set heap size = 0x2000 and stack size=0x1000 in mx project configuration to fit with size in SMAKg
3) Generate the project at same level as SMAK_Appli
4) Edit Drivers/CMSIS/system_stm32h5xx.c and comment the code that sets SCB->VTOR
5) Add prebuild and postbuild : Same as SMAK_Appli project in build steps
    a)Prebuild: python ../../project.py prebuild --compiler CubeIDE_Debug
    b)Postbuild: python ../../project.py postbuild
6) Postbuild output: Convert to binary
7) copy project.py and project.ini from SMAK_Appli in root dir of project
8) Update project.ini with right project name (here SMAppli_MX)
9) Copy Images directory with 2 xml files from SMAK_Appli
10) Create Binary directory (necessary for imgtool)
11) Reuse linker script from SMAK_Appli (just copy in place of the one generated by CubeMX
12) The prebuild requires presence of inc\fwu.h but can be commented in project.py (this is to update number of modules used)

As you can see I didn't integrate PSA API. I thing this will need manual addition of source files + adding the include path. But didn't do it yet. I join a zip file with the generated project.

 

Regarding FreeRTOS integration, you should also be fine because you are in a non secure environement, so CubeMX will not try to provide the Secure call required in such case.

Now, you need to be aware that SM PSA API are not reentrant (same as for TFM). So, only one call to PSA API should be done at a time.

 

Best regards

Jocelyn

 

SMAppli_MX.zip
Go to solution
Musa2
Associate II

‎2025-03-10 8:20 AM

 

Hello @Jocelyn RICARD ,

Thank you very much for your clear response. The procedure you described indeed works correctly. I created a project following your steps and added the source and include files for the PSA SM API. However, I am encountering the following error:

 

 

STM32Cube/Repository/STM32Cube_FW_H5_V1.4.0/Middlewares/ST/secure_manager_api/interface/src/tfm_crypto_secure_api.c:25:10: fatal error: tfm_veneers.h: No such file or directory

 

I have added the source files as in the SMAK_Appli example, as well as the include files :

 

Musa2_3-1741619811840.png

 

 

Musa2_0-1741619763823.png

I think that TFM_PSA_API is not defined in my project, but I don't know where to declare it.


Are there any other specific files required for using the PSA API?

Thank you in advance for your help.

0 Kudos
Go to solution
Jocelyn RICARD
ST Employee

‎2025-03-10 2:43 PM

Hello @Musa2 ,

thank you for your feedback. Good to hear it is working fine.

For PSA API integration, the reference is the SMAK project :

STM32Cube_FW_H5_V1.4.0\Projects\STM32H573I-DK\Applications\ROT\SMAK_Appli\

You can see in this project the include directories  (in C/C++ Build/Settings/Tools settings/MCU GCC Compiler/Include Path)

../../../../../../../Middlewares/ST/secure_manager_api/ipc/nonsecure/inc
../../../../../../../Middlewares/ST/secure_manager_api/interface/inc

And also the global definition of TFM_PSA_API in "preprocessor"

Best regards

Jocelyn

Go to solution
Musa2
Associate II
In response to Jocelyn RICARD

‎2025-03-11 5:17 AM

Hello Jocelyn,

Thank you very much for your response. Everything is working correctly now.

Best regards,

0 Kudos
Top