ST STM32H5 Security Product Lifecycle: Difference between revisions
Jump to navigation
Jump to search
No edit summary |
|||
| Line 43: | Line 43: | ||
| Full Regression || Start a full regression of a device, erasing flash memory and setting product state to OPEN. | | Full Regression || Start a full regression of a device, erasing flash memory and setting product state to OPEN. | ||
|- | |- | ||
| To TZ Regression || Start a partial regression of a device and setting product state to TZ- | | To TZ Regression || Start a partial regression of a device and setting product state to TZ-CLOSED. | ||
|- | |- | ||
| Level 3 Intrusive Debug || Open debug interface with level 3 permissions. | | Level 3 Intrusive Debug || Open debug interface with level 3 permissions. | ||
Latest revision as of 14:41, 24 March 2025
The STM32H5 series of devices comes with enhanced device life-cycle management features. SEGGER implemented support for these features via a dedicated utility called Device Provisioner. For more information about this, please refer to the Device Provisioner article. STM32H5 Security Product Lifecycle features are implemented in the PCode_DevPro_ST_STM32H5.pex script file.
Important notes
- On STM32H503 devices one-time programmable memory is used to store provisioned data. Therefore Provisioning can be done only once.
- On STM32H563/562/573 and STM32H523/533 devices option bytes are used to store provisioned data. Provisioning must be done every time after regression.
- Setting product state to LOCKED permanently locks the device. No regression possible.
- For crypto-enabled devices: STM32H573 and STM32H533 .obk file must be generated with <DoEncryption>1</DoEncryption> option in .xml configuration file.
- For STM32H503 devices hash of a password can be generated using certutil windows tool. See additional example: Other examples.
Usage
DevPro -operation [operation_name] -if SWD -speed 4000 [parameter_name=value] -ScriptFile PCode_DevPro_ST_STM32H5.pex
| Operation | Parameters | Values | Description |
|---|---|---|---|
| DbgAuthDiscover | - | - | Show device ID and current product state. |
| SetDeviceState | ProdState | PROVISIONING | Sets product state to Provisioning. |
| PROVISIONED | Sets product state to Provisioned. | ||
| CLOSED | Sets product state to Closed. | ||
| LOCKED | Sets product state to Locked (permanently). | ||
| DbgAuthProvision | DataFile | Filename | Provision device with data in a selected file. |
| DbgAuthRegression | PASSWORD | Password | Start a full regression of a device, erasing flash memory and setting product state to OPEN. |
| DbgAuthCert | CertFile | FileName | .b64 certificate file |
| KeyFile | FileName | .pem private key | |
| Perm | Full Regression | Start a full regression of a device, erasing flash memory and setting product state to OPEN. | |
| To TZ Regression | Start a partial regression of a device and setting product state to TZ-CLOSED. | ||
| Level 3 Intrusive Debug | Open debug interface with level 3 permissions. | ||
| Level 2 Intrusive Debug | Open debug interface with level 2 permissions. | ||
| Level 1 Intrusive Debug | Open debug interface with level 1 permissions. | ||
| Level 3 Intrusive Non Secure Debug | Open debug interface for non secure operation with level 3 permissions. | ||
| Level 2 Intrusive Non Secure Debug | Open debug interface for non secure operation with level 2 permissions. | ||
| Level 1 Intrusive Non Secure Debug | Open debug interface for non secure operation with level 1 permissions. | ||
| CloseDebug | - | - | Close previously opened debug interface. |
| ReadOptionBytes | OptionName | FLASH_OPTSR | Read FLASH option status register. |
| FLASH_OPTSR2 | Read FLASH option status register 2. | ||
| FLASH_NSBOOTR | Read FLASH non-secure boot register. | ||
| FLASH_SECBOOTR | Read FLASH secure boot register. | ||
| FLASH_SECWM1R | Read FLASH security watermark for Bank 1. | ||
| FLASH_SECWM2R | Read FLASH security watermark for Bank 2. | ||
| FLASH_WRP1R | Read FLASH write sector group protection for Bank 1. | ||
| FLASH_WRP2R | Read FLASH write sector group protection for Bank 2. | ||
| FLASH_OTPBLR | Read FLASH non-secure OTP block lock. | ||
| FLASH_EDATA1R | Read FLASH data sector configuration Bank 1. | ||
| FLASH_EDATA2R | Read FLASH data sector configuration Bank 2. | ||
| FLASH_HDP1R | Read FLASH HDP Bank 1 configuration. | ||
| FLASH_HDP2R | Read FLASH HDP Bank 2 configuration. | ||
| WriteOptionBytes | OptionName | FLASH_OPTSR | Write FLASH option status register. |
| FLASH_OPTSR2 | Write FLASH option status register 2. | ||
| FLASH_NSBOOTR | Write FLASH non-secure boot register. | ||
| FLASH_SECBOOTR | Write FLASH secure boot register. | ||
| FLASH_SECWM1R | Write FLASH security watermark for Bank 1. | ||
| FLASH_SECWM2R | Write FLASH security watermark for Bank 2. | ||
| FLASH_WRP1R | Write FLASH write sector group protection for Bank 1. | ||
| FLASH_WRP2R | Write FLASH write sector group protection for Bank 2. | ||
| FLASH_OTPBLR | Write FLASH non-secure OTP block lock. | ||
| FLASH_EDATA1R | Write FLASH data sector configuration Bank 1. | ||
| FLASH_EDATA2R | Write FLASH data sector configuration Bank 2. | ||
| FLASH_HDP1R | Write FLASH HDP Bank 1 configuration. | ||
| FLASH_HDP2R | Write FLASH HDP Bank 2 configuration. | ||
| Value | 0xXXXXXXXX | 32-bit value to be written to the register specified in "OptionName" parameter. |
Examples
Checking product state
Example
DevPro -operation DbgAuthDiscover -if SWD -speed 4000 -ScriptFile PCode_DevPro_ST_STM32H5.pex
SEGGER Device Provisioner V7.96
Compiled Mar 7 2024 16:48:58
Command line: -operation DbgAuthDiscover -if SWD -speed 4000 -ScriptFile PCode_DevPro_ST_STM32H5.pex
J-Link log: Found device with ID: 0x00000484
J-Link log: Device not provisioned
J-Link log: Product state:
J-Link log: OPEN
Changing product state to "PROVISIONING"
Example
DevPro -operation SetDeviceState -if SWD -speed 4000 -SetConfigVal "ProdState=PROVISIONING" -ScriptFile PCode_DevPro_ST_STM32H5.pex
SEGGER Device Provisioner V7.96
Compiled Mar 7 2024 16:48:58
Command line: -operation SetDeviceState -if SWD -speed 4000 -SetConfigVal ProdState=PROVISIONING -ScriptFile PCode_DevPro_ST_STM32H5.pex
J-Link log: Product state successfully changed
Writing OBK file for STM32H563/562/573
Example
DevPro -operation DbgAuthProvision -if SWD -speed 4000 -SetConfigVal "DataFile=C:\DA_Plain.obk" -ScriptFile PCode_DevPro_ST_STM32H5.pex
SEGGER Device Provisioner V7.96
Compiled Mar 7 2024 16:48:58
Command line: -operation DbgAuthProvision -if SWD -speed 4000 -SetConfigVal DataFile=C:\DA_Plain.obk -ScriptFile PCode_DevPro_ST_STM32H5.pex
J-Link log: STM32H563/573/562 device found, ID: 0x00000484
J-Link log: Provisioning complete
Writing BIN file for STM32H503
Example
DevPro -operation DbgAuthProvision -if SWD -speed 4000 -SetConfigVal "DataFile=C:\board_password.bin" -ScriptFile PCode_DevPro_ST_STM32H5.pex
SEGGER Device Provisioner V7.96
Compiled Mar 7 2024 16:48:58
Command line: -operation DbgAuthProvision -if SWD -speed 4000 -SetConfigVal DataFile=C:\board_password.bin -ScriptFile PCode_DevPro_ST_STM32H5.pex
J-Link log: STM32H503 device found, ID: 0x00000474
J-Link log: Provisioning complete
Changing product state to "CLOSED"
Example
DevPro -operation SetDeviceState -if SWD -speed 4000 -SetConfigVal "ProdState=CLOSED" -ScriptFile PCode_DevPro_ST_STM32H5.pex
SEGGER Device Provisioner V7.96
Compiled Mar 7 2024 16:48:58
Command line: -operation SetDeviceState -if SWD -speed 4000 -SetConfigVal ProdState=CLOSED -ScriptFile PCode_DevPro_ST_STM32H5.pex
J-Link log: Product state successfully changed
Performing a full regression
Example
DevPro -operation DbgAuthRegression -if SWD -speed 4000 -SetConfigVal "PASSWORD=qwerty123456" -ScriptFile PCode_DevPro_ST_STM32H5.pex
SEGGER Device Provisioner V7.96
Compiled Mar 7 2024 16:48:58
Command line: -operation DbgAuthRegression -if SWD -speed 4000 -SetConfigVal PASSWORD=qwerty123456 -ScriptFile PCode_DevPro_ST_STM32H5.pex
J-Link log: Device unlocked
Performing a full regression with certificate
Example
DevPro -operation DbgAuthCert -if SWD -speed 4000 -SetConfigVal "CertFile=cert_root.b64" -SetConfigVal "KeyFile=private_key.pem" -SetConfigVal "Perm=Full Regression" -ScriptFile PCode_DevPro_ST_STM32H5.pex
SEGGER Device Provisioner V8.10h
Compiled Nov 15 2024 16:43:13
Command line: -operation DbgAuthCert -if SWD -speed 4000 -SetConfigVal CertFile=cert_root.b64 -SetConfigVal KeyFile=private_key.pem -SetConfigVal Perm=Full Regression -ScriptFile PCode_DevPro_ST_STM32H5.pex
J-Link log: Authentication successful
Reading option bytes register
Example
DevPro -operation ReadOptionBytes -SetConfigVal "OptionName=FLASH_OPTSR2" -if SWD -speed 4000 -ScriptFile PCode_DevPro_ST_STM32H5.pex
SEGGER Device Provisioner V8.12f
Compiled Feb 12 2025 13:38:31
Command line: -operation ReadOptionBytes -SetConfigVal OptionName=FLASH_OPTSR2 -if SWD -speed 4000 -ScriptFile PCode_DevPro_ST_STM32H5.pex
Firmware: J-Link V12 compiled Feb 11 2025 17:05:37
Opened script file: 'C:\Program Files\SEGGER\JLink\Script\PCode_DevPro_ST_STM32H5.pex'
J-Link log: STM32H563/573/562 device found, ID: 0x00000484
J-Link log: -----------------------------------------------------------------------------------------------
J-Link log: FLASH_OPTSR2 value: 0xC300017C
J-Link log: -----------------------------------------------------------------------------------------------
J-Link log: SRAM1_3_RST
J-Link log: Value: 0x00000001
J-Link log: |-> SRAM1 and SRAM3 not erased when a system reset occurs
J-Link log: -----------------------------------------------------------------------------------------------
J-Link log: SRAM3_ECC
J-Link log: Value: 0x00000001
J-Link log: |-> SRAM3 ECC check disabled
J-Link log: -----------------------------------------------------------------------------------------------
J-Link log: USBPD_DIS
J-Link log: Value: 0x00000001
J-Link log: |-> Disabled
J-Link log: -----------------------------------------------------------------------------------------------
J-Link log: SRAM2_RST
J-Link log: Value: 0x00000001
J-Link log: |-> SRAM2 not erased when a system reset occurs
J-Link log: -----------------------------------------------------------------------------------------------
J-Link log: BKPRAM_ECC
J-Link log: Value: 0x00000001
J-Link log: |-> BKPRAM ECC check disabled
J-Link log: -----------------------------------------------------------------------------------------------
J-Link log: SRAM2_ECC
J-Link log: Value: 0x00000001
J-Link log: |-> SRAM2 ECC check disabled
J-Link log: -----------------------------------------------------------------------------------------------
J-Link log: TZEN
J-Link log: Value: 0x000000C3
J-Link log: |-> TrustZone disabled
J-Link log: -----------------------------------------------------------------------------------------------
Writing option bytes register (enabling TrusZone)
Example
DevPro -operation WriteOptionBytes -SetConfigVal "OptionName=FLASH_OPTSR2" -SetConfigVal "Value=0xB400017C" -if SWD -speed 4000 -ScriptFile PCode_DevPro_ST_STM32H5.pex
SEGGER Device Provisioner V8.12f
Compiled Feb 12 2025 13:38:31
Command line: -operation WriteOptionBytes -SetConfigVal OptionName=FLASH_OPTSR2 -SetConfigVal Value=0xB400017C -if SWD -speed 4000 -ScriptFile PCode_DevPro_ST_STM32H5.pex
Firmware: J-Link V12 compiled Feb 11 2025 17:05:37
Opened script file: 'C:\Program Files\SEGGER\JLink\Script\PCode_DevPro_ST_STM32H5.pex'
J-Link log: STM32H563/573/562 device found, ID: 0x00000484
J-Link log: Option bytes programmed successfully
Other examples
Generating a binary file with SHA256 hash of a password string
Example
1. Create a text file with password
0123456789012345 --> password.txt
2. Generate SHA256 hash using "certutil" (on Windows)
certutil -hashfile "password.txt" SHA256
Output:
SHA256 hash of password.txt:
184aa46d813411727da0dc9e64186bb9907289b5aab4b320d26fff5ea45d8e3d
CertUtil: -hashfile command completed successfully.
3. Save Hash string to a text file
184aa46d813411727da0dc9e64186bb9907289b5aab4b320d26fff5ea45d8e3d --> hash.txt
4. Generate a binary file from the hash text file using "certutil" (on Windows)
certutil -decodehex hash.txt board_password.bin
Output:
Input Length = 64
Output Length = 32
CertUtil: -decodehex command completed successfully.