HSM preparation process

The HSM (hardware secure modules) is a license generation tool necessary during the SFI programming procedure.

1. Preparing necessary files:

  1. Preparation of the keys (AES128Key.bin and Nonce.bin), these files can by generated by STM32 Trusted Package Creator tool, they must be the same as when they were used during SFI binary file generation.

  2. Select Correct personalization data file from STM32CubeProgrammer install folder.

2. How to pick correct personalization data file:

To choose the right personalization data file we need to know the first digits from the chip certificate for the MCU family which we want to program. You can read the chip certificate using the GangFlasher-ST:

  1. Open window “STM32 Trusted Programming setup”(Setup ->SSP/SFI)

  2. Check “SFI Enable” box

  3. Select the target from which you want to read the certificate

  4. Click Read button and select folder where want to save certificate

  5. Open file in notepad - first eight digits in the certificate are the same as the correct personalization data file prefix (this will be useful in the steps below).


    4820200B ¶‚ĹŽî"C,ˆ×Vš\ˆżĽĚ*ű2ÎłčÇÔC#PFW˜QŇłÁ–P׈ŁśH

Example certificate from STM32U5 MCU. Note the 4820200B digits.

3. HSM generation

To validate the HSM programming request, the user has to:

  • Set firmware identifier, used to identifies the correct HSM

  • Select files prepared in the first step

  • Select “Personalization data file” which can be found in the STM32CubeProgrammer tool install folder.
    Note the “Personalization data file” STM32U5_4820200B… prefix, the STM32U5 indicates the family, whereas the identification digits can be read from the target MCU.

STMicroelectronics application notes and user manuals:

[1] UM2238 - STM32 Trusted Package Creator tool software description