Skip to end of banner
Go to start of banner

STM32 MCUs secure firmware install (SFI)

Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 6 Next »

STM32 SFI is a solution for secure manufacturing in production environments that guarantees the authenticity, integrity, and confidentiality of the firmware. It is available on select STM32L4, and most STM32L5, STM32U5, STM32H5 and STM32H7 microcontrollers.

Instructions

The procedure consists of two main steps:

  1. Preparation of files and Hardware Secure Module (HSM) using the source code and the toolkit provided by STMicroelectronics. Two elements are necessary to perform an SFI sequence using FlashPro-ARM/GangPro-ARM

  2. Programming of the target’s flash memory and option bytes using FlashPro-ARM/GangPro-ARM using the files prepared in the first step.

1. Preparing necessary files:

  1. Preparation of the keys (AES128Key.bin and Nonce.bin)

  2. Preparation of Option Bytes Config file (OptionBytesSetting.csv)

  3. Preparation of firmware files (firmware.bin, .hex, .srec, etc.)

  4. Preparation of an encrypted firmware binary file (*.sfi) using STM32TrustedPackageCreator (SFI tab) or STM32TrustedPackageCreator_CLI (-sfi option), keys, option bytes config file and input firmware are necessary in this step.

  5. Programming HSM modules with a limited number of licenses using STM32TrustedPackageCreator (HSM tab) or STM32TrustedPackageCreator_CLI (-hsm option), keys (AES128Key.bin and Nonce.bin) are necessary in this step and they must be the same as for firmware encryption.

2. Programming flash memory and option bytes using FlashPro-ARM/GangPro-ARM on Windows

  1. Open FlashPro-ARM/GangPro-ARM

  2. Open Setup → SFI Setup Tab

    1. Set HSM card index(by default 1)

    2. Check “Enable” box

    3. Use “Browse” button and pick *.sfi file, generated by STM32TrustedPackageCreator

    4. Check “Set log file path” box - only if want save in file used licenses from HSM module

    5. Use “Browse” button and set place where save log file with licenses

    6. Press “Ok” button to save SFI setup

image-20240529-093037.png

  1. Press “AUTO PROG.”(or “WRITE FLASH”) button to execute secure firmware install operation

  2. Check output logs after AutoProgram

image-20240529-092442.png

Communication initialization.........	 OK
 OSC=48.15 MHz, Sys.CLK=48.15 MHz
Erasing memory ...............................	 done
Secure firmware install procedure start...	 OK
Communication initialization...................	 OK
Reading MCU decriptor.........................	 OK
Option bytes setup.................................	 OK
Certificate analyze.................................	 OK
Request HSM license............................	 OK
Firmware install......................................	 OK
RSS version = 1.4.0..............................	 OK
RSSe version = 2.3.0............................	 OK
Install license.........................................	 OK
Processing Image Header.....................	 OK
SFI programming....................................	 OK
Warning: Could not verify security state after last chunk programming
 -------- D O N E --- ( run time =  10.7 sec.)

STMicroelectronics application notes and user manuals:

[1] AN5054 - Secure programming using STM32CubeProgrammer

[2] AN4992- STM32 MCUs secure firmware install (SFI) overview

[3] AN5156 - Introduction to STM32 microcontrollers security

[4] UM2238 - STM32 Trusted Package Creator tool software description

  • No labels