Versions Compared

Old Version 4

changes.mady.by.user Adam Czajkowski

Saved on

compared with

New Version Current

changes.mady.by.user Łukasz Surdej

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Table of Contents

I. Upgrade the SE Firmware version on the target MCU

  1. Verify access to device and check current SE firmware version.

...

  1. Run Auto Program by pressing AUTO PROG. (F8) button in main window. This will load SE firmware to device flash, reset device and run the firmware. Firmware will by updated automatically after a few seconds.

  2. Verify Access to device to check if SE firmware was successfully updated. Check SE FW ver. text output shown below to verify.

...

II. Flash Bootloader Firmware and Application Firmware

This step will require setup using Simplicity Studio, described below:

Generate bootloader image and application image using Simplicity Studio

  1. Create and build bootloader project (ex. Bluetooth Apploader OTA DFU).

  2. Create application project.

  3. Add to application project Bootloader Application Interface (to include app_properties.c with ApplicationProperties_t struct).

...

  1. Build application project.

Generate keys using FlashPro/GangPro-ARM software

Command key and Sign key - ECDSA-P256-SHA256 key pairs.

...

  1. New keys will be generated and saved in Security Store folder.

  2. After keys generation disable key loading (uncheck Enable Load) and press OK.

Sign bootloader and application images with private sign key using Simplicity Commander

  1. Generate GBL key in text file.

...

Code Block
languagepowershell
commander convert bootloader-apploader_BG24B220MG21B010.hex --aeskey gbl_key.txt --outfile bootloader-apploader_BG24B220_aes.hex

...

Code Block
languagepowershell
commander convert bootloader-apploader_BG24B220MG21B010_aes.hex --secureboot --keyfile sign_key.pem --verify sign_pubkey.pem --outfile bootloader-apploader_BG24B220MG21B010_signed.hex
commander convert bt_soc_blinky_BG24B220MG21B010.hex --secureboot --keyfile sign_key.pem --verify sign_pubkey.pem --outfile bt_soc_blinky_BG24B220MG21B010_signed.hex

  1. Check images.

Simplicity Commander:

Code Block
languagepowershell
commander util appinfo bootloader-apploader_BG24B220MG21B010_signed.hex
commander util appinfo bt_soc_blinky_BG24B220MG21B010_signed.hex

Load images to device using FlashPro/GangPro-ARM software

  1. Before loading images to device clear device memory. Select form menu Setup → Memory Options.

  2. In Memory Erase section select All Memory and click OK.

...

  1. Open code file with signed bootloader image (bootloader-apploader_BG24B220MG21B010_signed.hex).

...

  1. Next append code file with signed application image (bt_soc_blinky_BG24B220MG21B010_signed.hex). Leave Memory protection unchecked and perform Auto program.

...

  1. Bootloader and application image are loaded to flash.

...

Load images to device using FlashPro/GangPro-ARM software - option with external flash connected via SPI

It is recommended to program an external flash before the main flash

...

in case of any bootloader issues.

  1. In main window click Add/Edit external flash (EF) button to configure connected EF.

...

  1. Configure the type of connected EF, the communication interface, and the address space. Then click OK.

...

  1. Select form menu Setup → Memory Options. In Memory Options window select Address Range: External Flash only and click OK.

...

  1. Open code file for external flash. Leave Memory protection unchecked and perform Auto program.

...

  1. External flash should be programmed.

...

  1. Now load bootloader and application images to internal flash. Select form menu Setup → Memory Options. In Memory Options window select Address Range: Flash memory only and click OK.

...

  1. Open code file with signed bootloader image and append code file with signed application image.

...

  1. Next Perform Auto program. Bootloader and application images should be loaded into internal flash.

...

III. Provision Key, Enable Secure Boot and Enable Debug Lock using FlashPro/GangPro-ARM

  1. Select menu Setup → Secure Engine (SE).

  2. In the bottom left corner click Read from device to check security state. The figure below presents the state of a new device (not previously provisioned).

...

  1. Open configuration file (*.json) from Security Store and set suitable values. In the following file Secure boot is enabled - only signed firmware will be executed.

...

  1. At this stage leave debug port open and device erase enable in case of any errors (eqeg. firmware boot error)

...

  1. Click OK to save configuration

  2. Secure Engine configuration will be applied after checking “Enable” in Memory Protection section of main window and clicking “Lock Device”. This will program OTP (load keys and boot & tamper configuration).

...

  1. Note: this options are one time programmable - once programmed can not be changed!

...

  1. Check device status after configuration. Secure boot should be enabled and boot status should have the value 0x00000020 (OK )

...

  1. At the end of programming cycle device can be locked. Go to Secure Engine (SE) dialog, disable Device Erase and lock debug port (Debug Lock and Secure Debug Lock enable). Specify also Debug Restrictions for a TrustZone aware application. This configuration is irreversible and allows debug port to be unlocked with Debug unlock token only.

...

  1. Loading debug unlock tokens and token generation can be enabled in “Debug unlock token“ section.

...

  1. After locking the debug port, this port can be unlocked by checking Unlock device by token in Secure Debug unlock section. In this section debug unlock token and access certificate generation parameters can also be specified.

...

  1. As OTP was already programmed, disable keys and OTP configuration loading and click OK to save configuration.

...

  1. In main window clicking Lock Device to load configuration to device and generate Debug Unlock Token.

...

  1. This step ends production programming.

Note

If Unlock device by token loading is enabled, the application will try to unlock debug port using Debug Unlock Token after an unsuccessful attempt to connect to the device. The token should be located in the following path: SecurityStore\device_(SerialNumber)\challenge_(challenge)\ .

Providing private keys and enabling “Generate missing Tokens” Token form private keys” will automatically generate token when connecting to the device and use this token to unlock debug port.

...

If both private keys (command and sign) are not available, token can be generated from access certificate by checking Generate Token form Access certificate. The access certificate should be located in the following path: SecurityStore\device_(SerialNumber)\

Useful links

Elprotronic ST Microelectronics programmer’s page

...