AN5511. STM32WL5x SFI tools, bootloader and RSS interface. Application note. Introduction


Introduction

This application note describes the interface between:

• on host side, STMicroelectronics tools (such as the STM32 Trusted Package Creator, part of the STM32CubeProgrammer)

• on STM32WL5x microcontroller side, bootloader and RSSE (root security services extension)

for the SFI (secure firmware install) process.


1 General information

This document applies to STM32WL5x Arm®-based MCUs.

Note: Arm is a registered trademark of Arm Limited (or its subsidiaries) in the US and/or elsewhere.

Table 1. Acronyms

Acronym   Description
AES       Advanced encryption standard
API       Application programming interface
BL        Bootloader
HSM       Hardware security module
IPCC      Inter-processor communication controller
JTAG      Joint test access group
OEM       Original equipment manufacturer
RDP       Readout protection
RSS       Root security services
RSSE      RSS extension
RSSFS     Root security services first stage
RSSLIB    Root security services library
SFI       Secure firmware install
SS        Security services


2 SFI process overview

The SFI process consists of programming firmware into the STM32 in a way that keeps this firmware secret: it cannot be extracted during its transmission between the host and the STM32.

By using the SFI process, the OEMs can delegate the STM32 device programming to a subcontractor without disclosing their firmware (including associated secrets and valuable assets).

Note: This section provides only a summary of the SFI process. The full SFI process is described in the application note Overview secure firmware install (SFI) (AN4992).

The main participants to the SFI process are listed below:

• The OEM develops and generates the OEM firmware (and its AES secret key). Refer to the user manual STM32 Trusted Package Creator tool software description (UM2238) to get the full description and decomposition of an SFI binary (also named SFI image).

• On the host side:

– The STM32 Trusted Package Creator encrypts the OEM firmware into SFI binaries and OEM option bytes, using the AES secret key.

– The STM32CubeProgrammer parses and sends SFI binaries and SFI commands to the STM32.

• On the STM32 side:

– The bootloader or JTAG receives the SFI commands and forwards them to the RSSE.

– RSS, RSSLIB and RSSE provide secure services (SS) to the bootloader and program the OEM firmware within the STM32 user Flash memory.

Figure 1. SFI process overview (figure; labels shown: OEM firmware development side with the STM32 Trusted Package Creator, the OEM firmware and option bytes data files, the AES secret key and the SFI image (encrypted); OEM contract manufacturing side with the STM32CubeProgrammer, the secure bootloader of the STM32 SFI device hardware, the SFI image (encrypted) firmware and option bytes, the STM32 chip certificate (public key), the STM32 chip private key, the license (encrypted AES secret key) and the security module HSM smartcard; numbered exchanges 1 to 8)

The secure bootloader is a standard ST bootloader with additional security features. During the SFI process, the secure bootloader never allows any other code to access the user Flash memory or SRAM.

In order to keep the OEM firmware secret, the OEM generates an AES secret key that is encrypted and encapsulated within a license. This license is specific and tied to a single chip. The HSM (hardware security module) builds the license from the chip certificate that it gets back from the STM32 MCU.

The host programming tool provides this license to the STM32 prior to the user Flash memory programming.


In order to achieve the process mentioned above, the STM32 Trusted Package Creator tool builds the SFI binaries from the following:

• OEM firmware

• OEM option bytes configuration

• OEM firmware key

• OEM nonce (IV)


3 SFI cryptography overview

The figure below gives an overview of the cryptography scheme for the SFI process on the STM32WL5x.

Figure 2. Cryptography scheme for SFI process on STM32WL5x (figure; three columns of crypto operations, OEM / OEM license server-HSM / STM32. Operations shown: generate 128-bit random, AES GCM encryption, AES GCM decryption, ECIES encryption, ECIES decryption, generate NIST P256 ECC key pair, ECDSA verification. Assets shown: FW key, encrypted FW key, ProvPrivK, ProvPubK, ChipPubKi, ChipPubKi + certificate, ChipPrivKi, ST public key, FW, SFI image. Legend: no sensitive asset / secret asset, data path / key path)

3.1 Chip certificate verification

The STM32WL5x devices use ECDSA over the NIST P-256 curve (with an ST public key) for the chip certificate verification.

3.2 License encryption/decryption

A license is dedicated to a single chip and to its chip certificate. This license embeds the encrypted firmware key that RSSE uses to decrypt the SFI image.

The cryptographic schemes used by the STM32WL5x devices for license and encrypted firmware key are the following:

• ECIES with NIST P-256 curve


3.3 Image header authentication

The SFI binary starts with the image header, which is further described in Section 6.1.3 RSSE_SFI_ProcessImageHeader. See the user manual STM32 Trusted Package Creator tool software description (UM2238) for more details.

The STM32WL5x devices use the following cryptographic schemes for this image header authentication:

• AES128-GCM

• firmware IV (96 bits) and firmware key (128 bits), carried in the encrypted license payload (see Table 9. RSSE_SFI_FWKey_t description)

3.4 Image areas encryption/decryption/authentication

The SFI binary concatenates several structures named areas, described in Section 6.1.4 RSSE_SFI_ProcessArea.

The STM32WL5x devices use the following cryptographic schemes for the areas encryption, decryption and authentication:

• AES128-GCM

• the same firmware key as the one used for the image header

• firmware IV + area index


4 STM32 Trusted Package Creator output binaries

The following figure shows the STM32 Trusted Package Creator processing at the beginning of the SFI process.

Figure 3. STM32 Trusted Package Creator processing overview (figure; labels shown: OEM firmware + option bytes in cleartext enter the STM32 Trusted Package Creator, which applies ENC and MAC and outputs the encrypted SFI image file)

After processing the inputs, the Trusted Package Creator must output the following binaries:

• image header (refer to Table 10)

• several areas that must fit the SRAM1 size constraints

The maximum size of each area is given by the field rsse_param_max_size detailed in Section 5.1. The format of the areas is described by Table 11.


5 SFI bootloader/STM32CubeProgrammer interface

5.1 STM32 descriptor in STM32WL5x

The STM32WL5x system Flash memory embeds an STM32 descriptor that provides the host with information about the MCU and about the way the host can communicate with the RSS. The tables below give an overview; each field is detailed in the next sections.

Table 2. stm32_descriptor_t

Field name             Field type             Description
Version                uint32_t               Descriptor version
CertificateAddr        uint32_t               Address of the chip certificate
AvailableRamStartAddr  uint32_t               Start address of the available SRAM for host
AvailableRamEndAddr    uint32_t               End address of the available SRAM for host
RSSELoadAddr           uint32_t               Address where to find the upload RSSE address
RSSEMaxSize            uint32_t               Maximum size of an RSSE
RSSEParamAddr          uint32_t               Address where to find the input parameter address for the API call
RSSEParamMaxSize       uint32_t               Maximum size of an RSSE parameter
RSSEResultAddr         uint32_t               Address where to find the output parameter address for the API call
Reserved               uint32_t[7]            Reserved
RSSLIBAPITable         STM32xx_Descriptor_t   RSSLIB API table within the RSSLIB system Flash area

Table 3. RSSLIB_STM32xxApiTable_t

Field name                 Field type                     Description
RSSLIB_RSSECall            RSSLIB_RSSECall_t              Gateway to call RSSE API
RSSLIB_Call                RSSLIB_Call_t                  Gateway to call RSSLIB API
RSSLIB_GetRSSVersion       RSSLIB_GetRSSVersion_t         Gateway to get RSS version
RSSLIB_GetCertificate      RSSLIB_GetCertificate_t        Gateway to get certificate
RSSLIB_GetCertificateSize  RSSLIB_GetCertificateSize_t    Gateway to get certificate size
RSSLIB_SEC_CloseExitHDP    RSSLIB_SEC_CloseExitHDP_t      Gateway to close HDP

RSSLIB API function types

The function types in C for RSSLIB APIs that are relevant for SFI are the following:

• typedef RSSLIB_RSSStatus_t (*RSSLIB_RSSECall_t)(RSSLIB_RSSECmd_t *pRSSECmd);

• typedef RSSLIB_RSSStatus_t (*RSSLIB_Call_t)(RSSLIB_RSSCmd_t *pRSSECmd);
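Host-side decoding of the descriptor of Table 2 and Table 3, with the sanity checks a programming tool should run before it loads an RSSE or sends areas (Section 4 says each area must fit rsse_param_max_size). This is an added example, not ST tool code; it assumes every descriptor field is a little-endian uint32_t and that the API table holds six function pointers, and the descriptor values are constructed.

```python
import struct

# Assumed layout: all stm32_descriptor_t fields (Table 2) are little-endian uint32_t,
# Reserved is uint32_t[7], and the RSSLIB API table (Table 3) is six function pointers.
DESCRIPTOR_FIELDS = (
    "Version", "CertificateAddr", "AvailableRamStartAddr", "AvailableRamEndAddr",
    "RSSELoadAddr", "RSSEMaxSize", "RSSEParamAddr", "RSSEParamMaxSize", "RSSEResultAddr",
)
API_TABLE_FIELDS = (
    "RSSLIB_RSSECall", "RSSLIB_Call", "RSSLIB_GetRSSVersion",
    "RSSLIB_GetCertificate", "RSSLIB_GetCertificateSize", "RSSLIB_SEC_CloseExitHDP",
)
DESCRIPTOR_FMT = "<" + "I" * (len(DESCRIPTOR_FIELDS) + 7 + len(API_TABLE_FIELDS))
DESCRIPTOR_SIZE = struct.calcsize(DESCRIPTOR_FMT)   # 22 words = 88 bytes


def parse_descriptor(blob: bytes) -> dict:
    """Decode stm32_descriptor_t as read back with the bootloader ReadMemory command."""
    if len(blob) < DESCRIPTOR_SIZE:
        raise ValueError(f"descriptor needs {DESCRIPTOR_SIZE} bytes, got {len(blob)}")
    words = struct.unpack(DESCRIPTOR_FMT, blob[:DESCRIPTOR_SIZE])
    desc = dict(zip(DESCRIPTOR_FIELDS, words[:9]))
    desc["Reserved"] = words[9:16]
    desc["RSSLIBAPITable"] = dict(zip(API_TABLE_FIELDS, words[16:]))
    return desc


def check_host_mapping(desc: dict, rsse_size: int, max_area_size: int) -> list:
    """Problems a host tool should refuse to proceed on before starting the SFI sequence."""
    problems = []
    start, end = desc["AvailableRamStartAddr"], desc["AvailableRamEndAddr"]
    if start >= end:
        problems.append("available SRAM range is empty")
    # The RSSE image and both parameter pointers must live in the SRAM window the MCU offers.
    for name in ("RSSELoadAddr", "RSSEParamAddr", "RSSEResultAddr"):
        if not start <= desc[name] <= end:
            problems.append(f"{name} 0x{desc[name]:08X} lies outside available SRAM")
    if rsse_size > desc["RSSEMaxSize"]:
        problems.append(f"RSSE binary ({rsse_size} bytes) exceeds RSSEMaxSize")
    # Section 4: every SFI area must fit rsse_param_max_size.
    if max_area_size > desc["RSSEParamMaxSize"]:
        problems.append(f"largest SFI area ({max_area_size} bytes) exceeds RSSEParamMaxSize")
    for name, addr in desc["RSSLIBAPITable"].items():
        if addr in (0, 0xFFFFFFFF):
            problems.append(f"API table entry {name} is not populated")
    return problems


def sample_descriptor() -> bytes:
    """Constructed descriptor (hypothetical values): SRAM window 0x20002000..0x20007EFF."""
    values = [1, 0x1FFF7800, 0x20002000, 0x20007EFF,
              0x20002000, 0x5000, 0x20002004, 0x1000, 0x20002008]
    values += [0] * 7                                     # Reserved
    values += [0x1FFF6001 + 0x10 * i for i in range(6)]   # hypothetical Thumb function pointers
    return struct.pack(DESCRIPTOR_FMT, *values)


if __name__ == "__main__":
    d = parse_descriptor(sample_descriptor())
    print({k: hex(v) for k, v in d.items() if isinstance(v, int)})
    print(check_host_mapping(d, rsse_size=0x4800, max_area_size=0x800))   # []
    print(check_host_mapping(d, rsse_size=0x6000, max_area_size=0x2000))  # two problems
```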


5.2 Legacy SFI commands

The table below lists the legacy commands used by the bootloader during the SFI process.

Table 4. Bootloader legacy commands set used for SFI

OpCode: 0x11
Command: ReadMemory
Description: The bootloader legacy returns data read from the specified memory address.
Inputs: • Number of bytes to read • Memory address
Outputs: • Memory data • Checksum

OpCode: 0x31
Command: WriteMemory
Description: The bootloader legacy writes the received data to the specified memory address.
Inputs: • Number of bytes to read • Memory address • Data to write
Outputs: None

For a complete description of these commands, refer to the following application notes:

STM32 microcontroller system memory boot mode (AN2606)

USART protocol used in the STM32 bootloader (AN3155)

SPI protocol used in the STM32 bootloader (AN4286)

5.3 RSS API call: SpecialRead command

The bootloader legacy calls the RSS APIs, whether RSSE or RSSLIB APIs, by means of the SpecialRead command detailed below.

Table 5. SpecialRead command

OpCode: 0x50
Command: SpecialRead
Description: The bootloader legacy returns a packet of data read. If the bootloader legacy is not able to read from the memory, or if any error occurs, the packet size is 0.
Inputs: The host must send:
• the special command opcode 0x5y, then wait for an acknowledge;
• the command opcode 0xXXXX, then wait for an acknowledge. If no address is needed, the address packet size can be set to 0.
Outputs: The bootloader legacy returns a command status packet and an acknowledge value. The bootloader returns this acknowledge regardless of the errors that occurred, as the error code is in the command status packet.


5.3.1 SpecialRead command description

The figures below provide the diagram of a SpecialRead command that the host sends to the bootloader, and the diagram of the host return from SpecialRead command.

Figure 4. SpecialRead command diagram (figure; data received from host, each packet answered by ACK or NACK: the special CMD opcode 0x50 followed by its XOR; the CMD opcode as 0xMSB + 0xLSB; then the size of the data to be read on 2 bytes (0xMSB + 0xLSB), the data bytes 0xXX + 0xXX + ... and a closing 0xMSB + 0xLSB; field widths shown: Special CMD OpCode, CMD Size 2, Address 126; followed by the data sent to host)

Figure 5. Host returns from SpecialRead command diagram (figure; data sent to host: ACK; Data Size on 2 bytes (0xMSB + 0xLSB); Data 0xXX + 0xXX + ...; Size on 2 bytes; CMD status made of State (0x0 or 0x1) and Error (0xXX 0xXX))

5.3.2 SpecialRead command applied to RSS API

The SFI programming tool (running on the host) calls the RSS APIs through the bootloader SpecialRead command, set with a specific opcode that identifies RSSE or RSSLIB as the command receiver. The figure below highlights an RSSE API call, with the CMD opcode set to 0x0080. The bootloader sets the opcode value to 0x0081 when it sends the SpecialRead command to RSSLIB instead of RSSE.

Figure 6. BL RSSE API call (figure; data received from host: special CMD opcode 0x50 = SpecialRead OpCode with its XOR, ACK or NACK; CMD opcode on 2 bytes = 0x0080 = RSSe cmd, ACK or NACK; Size 2 = 0x0004 followed by the RSSe command ID on 4 bytes, whose LSB carries the command ID, ACK or NACK; followed by the data sent to host)


The figure below illustrates the diagram of the host return from an RSSE API call.

Figure 7. Host return from an RSSE API call (figure; data sent to host: ACK; Size on 2 bytes = 0x0004; Data = RSSe_service_error_value on 4 bytes; Size on 2 bytes = 0x0001; CMD status = RSSE_service_status, OK or KO (0 or 1))

The 16 LSBs (least significant bits) of RSSE_service_error come from the RSSE. The 16 MSBs (most significant bits) come from the RSSLIB gateway RSSE_ServiceCall.

Note: If RSSE_service_status = OK, then the first Size field is 0 and the Data field is empty.

Dynamic example

The figure below illustrates a host/flashing tool calling an RSSE API.

Figure 8. Host basic RSSE service call (message sequence chart between Host, Bootloader, RSSLIB, RSSE and SRAM1):

1. Host -> Bootloader: WriteMem SRAM1 RSSe API input parameters
2. Bootloader -> SRAM1: WriteMem SRAM1 RSSe API input parameters
3. Host -> Bootloader: SpecialRead(RSSE_OPCODE, RSSE_SFI_CMD_ID)
4. Bootloader -> RSSLIB: RSSLIB_RSSeCall(RSSE_SFI_CMD_ID)
5. RSSLIB -> RSSE: RSSe_ServiceCall(RSSE_SFI_CMD_ID)
6. RSSE: Read RSSe API input parameter
7. RSSE: RSSe API processing
8. RSSE -> SRAM1: Write service output param at stm32xx_descriptor->rsse_result_addr
9. RSSE -> RSSLIB: return RSSE_SFI_SUCCESS
10. RSSLIB -> Bootloader: return RSSE_SFI_SUCCESS
11. Bootloader -> Host: SpecialRead DATA
12. Host -> Bootloader: ReadMem at STM32xx_descriptor.rsse_result_addr
13. Bootloader -> SRAM1: Read DATA at STM32xx_descriptor.rsse_result_addr
14. Bootloader -> Host: ReadMem DATA


As seen above, the bootloader does not directly call the RSSE but uses instead the RSSLIB_RSSeCall function as a gateway between the bootloader and the RSSE. RSSLIB uses the same mechanism through a different gateway to route the SpecialRead command to the RSSLIB API.

Figure 9. Host basic RSSLIB service call (message sequence chart between Host, Bootloader, RSSLIB and SRAM1):

1. Host -> Bootloader: WriteMem SRAM1 RSSLIB API input parameters
2. Bootloader -> SRAM1: WriteMem SRAM1 RSSLIB API input parameters
3. Host -> Bootloader: SpecialRead(RSSLIB_OPCODE, RSSLIB_CMD_ID)
4. Bootloader -> RSSLIB: RSSLIB_Call(RSSLIB_CMD_ID)
5. RSSLIB: RSSLIB API processing
6. RSSLIB -> SRAM1: Write service output param at stm32xx_descriptor->rsse_result_addr
7. RSSLIB -> Bootloader: return RSSLIB_RSS_SUCCESS
8. Bootloader -> Host: SpecialRead DATA
9. Host -> Bootloader: ReadMem at STM32xx_descriptor.rsse_result_addr
10. Bootloader -> SRAM1: Read DATA at STM32xx_descriptor.rsse_result_addr
11. Bootloader -> Host: ReadMem DATA

The call of RSSLIB_RSSECall is either successful, with a return value set to RSSE_SFI_SUCCESS, or unsuccessful, with a return value other than RSSE_SFI_SUCCESS.

5.3.3 RSS API input parameters

Before calling an RSS API, the host must store the following within the STM32WL5x SRAM, at the address notified by STM32_descriptor->rsse_param_address field:

• The host writes the address where it plans to store the RSS API input parameters. Those parameters are always described by a single C structure packed within a single contiguous buffer. The bootloader provides this address to the RSS API in order to pass the input parameter location.

• The host stores the RSS API input parameters by means of the bootloader WriteMemory command.

Note: Input parameters are consumed by the RSS API that uses them. Hence the host can reuse the same address to store new input parameters between two RSS API calls.

5.3.4 RSS API output parameters

After receiving the SpecialRead data that provides the status of the previously called RSS API, the host sends a basic Read command to the bootloader in order to get the output parameter.

The host must read at the address given by STM32_descriptor->rsse_result_addr.
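Host-side framing of the SpecialRead exchange of Sections 5.3.1 to 5.3.4 (Figures 4 to 7). This is an added example, not STM32CubeProgrammer code; it assumes each packet ends with the XOR of its bytes as in other bootloader packets, that sizes and the 4-byte error value are sent MSB first, that the data packet is at most 126 bytes (the "Address 126" width of Figure 4), and uses the 0x79/0x1F acknowledge values of AN3155. The response bytes are constructed.

```python
ACK, NACK = 0x79, 0x1F                         # bootloader acknowledge values (AN3155)
SPECIAL_READ = 0x50                            # Table 5
RSSE_OPCODE, RSSLIB_OPCODE = 0x0080, 0x0081    # Section 5.3.2: command receiver selector


def _checksum(packet: bytes) -> int:
    # Assumption: like the other bootloader packets, each packet carries the XOR of its bytes.
    x = 0
    for b in packet:
        x ^= b
    return x


def build_special_read(cmd_opcode: int, payload: bytes) -> list:
    """Host-to-bootloader packets of one SpecialRead command, in send order.
    The host waits for an ACK after every packet (Figure 4)."""
    if len(payload) > 126:                      # assumed limit, from "Address 126" in Figure 4
        raise ValueError("payload longer than one SpecialRead data packet")
    opcode = cmd_opcode.to_bytes(2, "big")      # 0xMSB + 0xLSB
    size_and_data = len(payload).to_bytes(2, "big") + payload
    return [
        bytes([SPECIAL_READ, SPECIAL_READ ^ 0xFF]),   # 0x50 + XOR complement
        opcode + bytes([_checksum(opcode)]),
        size_and_data + bytes([_checksum(size_and_data)]),
    ]


def build_rsse_call(cmd_id: int) -> list:
    """SpecialRead carrying an RSSE command ID: size 0x0004, ID in the LSB (Figure 6)."""
    return build_special_read(RSSE_OPCODE, cmd_id.to_bytes(4, "big"))


def parse_special_read_return(buf: bytes) -> dict:
    """Decode 'ACK, size, data, size, command status' (Figure 5)."""
    if not buf or buf[0] != ACK:
        raise ValueError("SpecialRead was not acknowledged")
    pos = 1
    data_len = int.from_bytes(buf[pos:pos + 2], "big")
    pos += 2
    data = buf[pos:pos + data_len]
    pos += data_len
    status_len = int.from_bytes(buf[pos:pos + 2], "big")
    pos += 2
    status = buf[pos:pos + status_len]
    if len(data) != data_len or len(status) != status_len:
        raise ValueError("truncated SpecialRead return")
    return {"data": data, "status": status}


def decode_rsse_service_result(ret: dict) -> dict:
    """Apply the Figure 7 rules: status byte 0 = OK (then no data), 1 = KO with a 4-byte
    RSSE_service_error whose 16 LSBs come from RSSE and 16 MSBs from the RSSLIB gateway."""
    if len(ret["status"]) != 1:
        raise ValueError("RSSE service status must be one byte")
    if ret["status"][0] == 0:
        if ret["data"]:
            raise ValueError("OK status must carry no data (note under Figure 7)")
        return {"ok": True, "rsse_error": 0, "gateway_error": 0}
    if len(ret["data"]) != 4:
        raise ValueError("KO status must carry a 4-byte RSSE_service_error")
    err = int.from_bytes(ret["data"], "big")    # byte order assumed
    return {"ok": False, "rsse_error": err & 0xFFFF, "gateway_error": err >> 16}


if __name__ == "__main__":
    for pkt in build_rsse_call(0x03):           # RSSE_SFI_PROCESS_AREA_CMD_ID
        print(pkt.hex())
    # Constructed return: KO, error 0x00020007 (gateway part 0x0002, RSSE part 0x0007)
    ko = bytes([ACK, 0x00, 0x04, 0x00, 0x02, 0x00, 0x07, 0x00, 0x01, 0x01])
    print(decode_rsse_service_result(parse_special_read_return(ko)))
```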


6 Static description

For each API, a command ID identifies the called RSS API. This ID is the one mentioned as RSSE_SFI_CMD_ID in Figure 8. Host basic RSSE service call.

6.1 RSSE SFI APIs

RSSE SFI APIs are only callable through the RSSLIB_RSSE_Call RSSLIB API. To select a specific RSSE API service, the user provides the command ID tied to that API, which is mentioned within each API description.

RSSE SFI API call examples, either by bootloader or by JTAG, are given in Section 7 Dynamic description.

6.1.1 RSSE_SFI_GetVersion

• Command ID: RSSE_SFI_GET_VERSION_CMD_ID = 0x05

• Service description: RSSE writes the RSSE SFI version at the address pointed by STM32_descriptor->rsse_result_addr.

• Input parameter: None

• Output parameter: RSSE_SFI_Version_t

• Return value: RSSE_SFI_SUCCESS, RSSE_SFI_ERROR

Table 6. RSSE_SFI_Version_t description

Field   Type      Comment
Patch   uint8_t   Bug fix
Minor   uint8_t   Backward compatible changes: public API deprecated, new API functions, improvements
Major   uint8_t   Backward incompatible changes: public API modification
Unused  uint8_t   Reserved

6.1.2 RSSE_SFI_ProcessLicense

• Command ID: RSSE_SFI_PROCESS_LICENSE_CMD_ID = 0x01

• Service description: This service sets SFI license. RSSE unwraps firmware key and uses it to decrypt SFI areas.

• Input parameter: RSSE_SFI_License_t

• Output parameter: None

• Return value: RSSE_SFI_SUCCESS, RSSE_SFI_ERROR

Table 7. RSSE_SFI_License_t description

Field       Type                      Comment
Header      RSSe_SFI_LicenseHeader_t  SFI licence header, contains the ECIES public key
WrappedKey  RSSe_SFI_FWKey_t          Encrypted firmware key
Tag         uint8_t[16]               Integrity tag of header and wrapped key


Table 8. RSSE_SFI_LicenseHeader_t description

Field                    Type         Comment
Type                     uint32_t     Either "SFI" for SFI license
SessionID                uint32_t     Unused for static licenses. Must correspond to chip session ID for live licenses. Unused on STM32WL5x devices.
Version                  uint32_t     License protocol version
SecExtensionsMinVersion  uint32_t     Minimal version of upgradable security extensions. Unused on STM32WL5x devices.
Rfu                      uint8_t[8]   -
ProviderPublicKey        uint8_t[64]  Public key for ECIES algorithm

Table 9. RSSE_SFI_FWKey_t description

Field  Type         Comment
Iv     uint32_t[4]  Base initialization vector to be used with key
Value  uint8_t[16]  Key value

6.1.3 RSSE_SFI_ProcessImageHeader

• Command ID: RSSE_SFI_PROCESS_IMAGE_HEADER_CMD_ID = 0x02

• Service description: This service provides the image header to RSSE SFI.

• Input parameter: RSSE_SFI_ImageHeader_t

• Output parameter: None

• Return value: RSSE_SFI_SUCCESS, RSSE_SFI_ERROR

Table 10. RSSE_SFI_ImageHeader_t description

Field             Type         Comment
magic             uint8_t[8]   "SFIMAGIC" to recognize a valid SFI image header
protocolversion   uint16_t     Identify version of SFI protocol
totalAreasNumber  uint16_t     Total number of areas in image
tag               uint8_t[16]  Cryptographic tag to ensure authenticity of previous parameters

6.1.4 RSSE_SFI_ProcessArea

• Command ID: RSSE_SFI_PROCESS_AREA_CMD_ID = 0x03

• Service description: RSSE SFI processes the SFI area given in input. RSSE SFI decrypts the area using firmware key, then RSSE SFI performs different processing according to area type given within the area header substructure.

• Input parameter: RSSE_SFI_Area_t

• Output parameter: None

• Return value: RSSE_SFI_SUCCESS, RSSE_SFI_ERROR

Table 11. RSSE_SFI_Area_t description

Field   Type                   Comment
Header  RSSe_SFI_AreaHeader_t  Header of the area
Data    uint8_t[…]             Area payload, described by a substructure that is specific to the header type value


Table 12. RSSE_SFI_AreaHeader_t description

Field             Type         Comment
Type              uint8_t      Type of area:
                               • F for firmware area
                               • P for pause area(1)
                               • R for resume area
                               • C for configuration area
Version           uint8_t      Firmware version
Index             uint16_t     Area index: 1 for the first area, up to TotalAreasNumber for the last one
Size              uint32_t     Area size (in bytes)
Dest              uint32_t     Address where to program the area in Flash memory (unused for configuration area)
TotalAreasNumber  uint16_t     It matches the value in the image header.
Version           uint8_t[16]  Integrity tag covering previous parameters and area data

1. For compatibility only with other STM32 platforms.


Area types

• F for firmware area

When the type within the area header is F, RSSE handles the area as a firmware area. RSSE SFI programs the area payload within the user Flash memory at the destination address notified within the dest field of the area header.

• P for pause area

When the type within the area header is P, RSSE only returns, with the return value set to the constant meaning a successful execution.

• R for resume area

When the type within the area header is R, RSSE only returns, with the return value set to the constant meaning a successful execution.

• C for configuration area

When the type within the area header is C, RSSE handles the area as a configuration area. Such area is always the latest transmitted to RSSE SFI during SFI process. A configuration area only contains option bytes that RSSE SFI programs on the STM32 device. The area payload (data field) within the area buffer of type RSS_SFI_Area_t, is described in the table below.

Table 13. stm32wl5_OB_Config_t

Field      Type
OPTR       uint32_t
PCROP1ASR  uint32_t
PCROP1AER  uint32_t
WRP1AR     uint32_t
PCROP1BSR  uint32_t
PCROP1BER  uint32_t
IPCCBR     uint32_t
SFR        uint32_t
SRRVR      uint32_t

Each option byte is 32-bit long. The size of the area must be 48 bytes. Refer to the product reference manual to get option byte definition.
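A walker over the SFI image layout of Tables 10 to 13 that checks the structural rules stated in Sections 6.1.3, 6.1.4 and 3.4 (magic, area index sequence, TotalAreasNumber consistency, the 48-byte configuration area, the per-area IV). This is an added example, not ST's RSSE or Trusted Package Creator code: the byte packing is assumed (little-endian, no padding, with the 16-byte integrity tag of Table 12 named tag here), the IV derivation treats the 96-bit IV as a big-endian integer, the GCM tags are not verified (that needs the firmware key), and the sample image is constructed.

```python
import struct

MAGIC = b"SFIMAGIC"
HEADER_FMT = "<8sHH16s"           # magic, protocolversion, totalAreasNumber, tag (Table 10)
AREA_HDR_FMT = "<BBHIIH16s"       # type, version, index, size, dest, totalAreasNumber, tag (Table 12)
HEADER_SIZE = struct.calcsize(HEADER_FMT)       # 28 bytes under the assumed packing
AREA_HDR_SIZE = struct.calcsize(AREA_HDR_FMT)   # 30 bytes under the assumed packing
OB_CONFIG_SIZE = 48                             # configuration area payload (Table 13 text)
AREA_TYPES = b"FPRC"


def walk_sfi_image(image: bytes) -> list:
    """Return [(type, index, size, dest), ...] for every area, or raise ValueError on the
    first structural rule the image breaks. Cryptographic tags are not checked here."""
    if len(image) < HEADER_SIZE:
        raise ValueError("image shorter than the image header")
    magic, _proto, total, _tag = struct.unpack_from(HEADER_FMT, image, 0)
    if magic != MAGIC:
        raise ValueError("bad image header magic")
    if total == 0:
        raise ValueError("image declares no area")
    areas, pos = [], HEADER_SIZE
    for expected_index in range(1, total + 1):
        if len(image) < pos + AREA_HDR_SIZE:
            raise ValueError(f"area {expected_index}: header truncated")
        atype, _ver, index, size, dest, hdr_total, _tag = struct.unpack_from(AREA_HDR_FMT, image, pos)
        pos += AREA_HDR_SIZE
        if atype not in AREA_TYPES:
            raise ValueError(f"area {expected_index}: unknown type 0x{atype:02X}")
        if index != expected_index:                  # indexes run 1..TotalAreasNumber
            raise ValueError(f"area {expected_index}: index field is {index}")
        if hdr_total != total:                       # must match the image header
            raise ValueError(f"area {index}: TotalAreasNumber {hdr_total} != header {total}")
        if len(image) < pos + size:
            raise ValueError(f"area {index}: payload truncated")
        if atype == ord("C") and size != OB_CONFIG_SIZE:
            raise ValueError(f"area {index}: configuration area must be {OB_CONFIG_SIZE} bytes")
        areas.append((chr(atype), index, size, dest))
        pos += size
    if areas[-1][0] != "C":                          # Section 7.1: last area is the C area
        raise ValueError("last area must be a configuration (C) area")
    if pos != len(image):
        raise ValueError(f"{len(image) - pos} trailing bytes after the last area")
    return areas


def is_valid_sfi_image(image: bytes) -> bool:
    try:
        walk_sfi_image(image)
        return True
    except ValueError:
        return False


def area_iv(firmware_iv: bytes, index: int) -> bytes:
    """Per-area GCM nonce of Section 3.4: firmware IV + area index (96-bit big-endian add assumed)."""
    if len(firmware_iv) != 12:
        raise ValueError("firmware IV must be 96 bits")
    return ((int.from_bytes(firmware_iv, "big") + index) % (1 << 96)).to_bytes(12, "big")


def build_sample_image() -> bytes:
    """Constructed two-area image (one F area, one C area); tags are placeholders, not real GCM tags."""
    fw = bytes(range(16))
    ob = b"\x00" * OB_CONFIG_SIZE
    hdr = struct.pack(HEADER_FMT, MAGIC, 1, 2, b"\x11" * 16)
    a1 = struct.pack(AREA_HDR_FMT, ord("F"), 1, 1, len(fw), 0x08000000, 2, b"\x22" * 16) + fw
    a2 = struct.pack(AREA_HDR_FMT, ord("C"), 1, 2, len(ob), 0, 2, b"\x33" * 16) + ob
    return hdr + a1 + a2


if __name__ == "__main__":
    print(walk_sfi_image(build_sample_image()))          # [('F', 1, 16, 134217728), ('C', 2, 48, 0)]
    print(is_valid_sfi_image(build_sample_image()[:-1]))  # False: C area payload truncated
```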


6.1.5 RSSE_SFI_GetState

• Command ID: RSSE_SFI_GET_STATE_CMD_ID = 0x04

• Service description: RSSE writes the SFI state at STM32_descriptor->rsse_result_addr

• Input parameter: None

• Output parameter: uint32_t; the SFI state is described by the table below.

• Return value: RSSE_SFI_SUCCESS, RSSE_SFI_ERROR

Table 14. RSSE SFI state

Constant                  Constant value (C hexadecimal notation)
RSSE_SFI_NOT_INITIALISED  0x0U
RSSE_SFI_INITIALISED      0x1U
RSSE_SFI_LICENSE_OK       0x2U
RSSE_SFI_IMAGE_HEADER_OK  0x3U
RSSE_SFI_AREA_KO          0x4U
RSSE_SFI_AREA_KO          0x5U

6.1.6 RSSE_SFI_GetStatus

• Command ID: RSSE_SFI_GET_STATUS_CMD_ID = 0x06

• Service description: RSSE writes the SFI status at STM32_descriptor->rsse_result_addr

• Input parameter: None

• Output parameter: uint32_t; the SFI status is described by the table below.

• Return value: RSSE_SFI_SUCCESS, RSSE_SFI_ERROR

Table 15. RSSE SFI status

Constant          Constant value (C hexadecimal notation)
RSSE_SFI_ERROR    0xEAEAEAEA
RSSE_SFI_SUCCESS  0xF5F5F5F5


6.2 RSSLIB APIs

6.2.1 RSSLIB_GetRssVersion

• Command ID: RSSLIB_GET_RSS_VERSION_CMD_ID = 0x01

• Service description: RSSLIB writes the RSS version at the address pointed by STM32_descriptor->rsse_result_addr

• Input parameter: None

• Output parameter: None

• Return value: RSSE_SFI_SUCCESS, RSSE_SFI_ERROR

Table 16. RSS_Version_t description

Field   Type      Comment
Patch   uint8_t   Bug fix
Minor   uint8_t   Backward compatible changes: public API deprecated, new API functions, improvements
Major   uint8_t   Backward incompatible changes: public API modification
Unused  uint8_t   Reserved

6.2.2 RSSLIB_GetCertificateSize

• Command ID: RSSLIB_GET_CERTIFICATE_SIZE_CMD_ID = 0x02

• Service description: RSSLIB writes the certificate size at the address pointed by STM32_descriptor->rsse_result_addr

• Input parameter: None

• Output parameter: None

• Return value: Certificate size

Table 17. Certificate size

Field            Type      Comment
CertificateSize  uint32_t  Certificate size

6.2.3 RSSLIB_GetCertificate

• Command ID: RSSLIB_GET_CERTIFICATE_CMD_ID = 0x03

• Service description: RSSLIB writes the certificate address at the address pointed by STM32_descriptor->rsse_result_addr

• Input parameter: None

• Output parameter: None

• Return value: RSSLIB_Certificate_t address

Table 18. RSSLIB_Certificate_t

Field          Type
ProductId      uint8_t[8]
ChipPublicKey  uint8_t[64]
Signature
Padding        uint8_t[114]
Crc            uint8_t[2]


7 Dynamic description

The host can perform the SFI process using one of the following interfaces with STM32WL5x devices:

• an interface supported by the bootloader (such as UART, SPI or I2C; refer to Section 7.1 SFI procedure over bootloader)

• a JTAG interface (refer to Section 7.2 SFI procedure over JTAG)

Whatever the interface, RSSE SFI process activity is depicted by the diagram below.

Figure 10. RSSE SFI process activity diagram (figure: Start -> Step 0: Descriptor analysis -> Step 1: Get certificate size -> Step 2: Get certificate -> Step 3: RSSE SFI installation -> Step 4: Get RSSE version -> Step 5: Process license -> Step 6: Process image header -> Step 7: Process area -> Last area? No: back to Step 7; Yes: End)


7.1 SFI procedure over bootloader

A descriptor in system Flash memory defines which SRAM can be used by the STM32CubeProgrammer. Based on this descriptor, the STM32CubeProgrammer defines the mapping it uses to control RSSE (RSSE input and output parameters). A mapping example is described in the figure below.

Figure 11. STM32_Descriptor analysis for SFI by bootloader (figure; descriptor values shown: Stm32xx_descriptor_AvailableRamStartAddr = 0x2000 2000, Stm32xx_descriptor_AvailableRamEndAddr = 0x2000 7EFF, Stm32xx_descriptor_RSSELoadAddr = 0x2000 2000, Stm32xx_descriptor_ParamAddr = 0x2000 2004, Stm32xx_descriptor_ResultAddr = 0x2000 2008; available SRAM contents between Available_ram_start_addr and Available_ram_end_addr: @0x2000 2000 : 0x2000 2020, @0x2000 2004 : 0x2000 2020, @0x2000 2008 : 0x2000 2014, @0x2000 2014 : Result, @0x2000 2020 : RSSE, @0x2000 2020 : Param, @0x2000 7EFF : 0xXXXX XXXX)

The sequence to apply to execute SFI is indicated below:

1. Pre-conditions (see Figure 12)

To execute the SFI, samples need to be programmed with the default OB (from ST production). For development purposes, it can be useful to have commands that configure the default option bytes.

2. Step 0: Descriptor analysis (see Figure 13)

3. Step 1: Get certificate size (see Figure 14)

4. Step 2: Get certificate (see Figure 15)

5. Step 3: RSSE installation (see Figure 16 to Figure 18)

The host must install RSSE SFI within the STM32 device.

6. Step 4: Get version (see Figure 19)

7. Step 5: Process license (see Figure 20)

The license provides the encrypted firmware key to RSSE SFI, that uses its chip private key to handle the license.

8. Step 6: Process image header (see Figure 21)

The image header provides to RSSE SFI the number of areas to program. It also provides the SFI protocol version.

9. Step 7: Process area F (firmware) (see Figure 22 and Figure 23)

In this step, the host provides areas to the STM32 that RSSE SFI must program. RSSE SFI performs different processing according to the area type:

– On reception of P and R areas, RSSE SFI does not perform any internal Flash memory programming, but only checks area index and returns the value meaning a successful processing.

– On reception of F areas, RSSE SFI programs the internal Flash memory, whereas for C areas it programs the internal Flash option-byte registers.

The host performs this step several times, until the number of areas sent reaches the one mentioned within the image header. The last area must be of configuration type C.
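A host-side driver for steps 1 to 7 of the sequence above, run against a constructed model of the ordering that Figure 10 imposes (license, then image header, then areas 1..N) and of the "verify previous command is OK" state read after each RSSE service. This is an added example, not STM32CubeProgrammer or RSSE code; the FakeRsse class is a hypothetical stand-in for the device (step 0 and step 3 are not RSS API calls and are left out), and the command IDs, opcodes and status constants are the ones given in Sections 5.3.2, 6.1 and 6.2.

```python
RSSE_SFI_SUCCESS, RSSE_SFI_ERROR = 0xF5F5F5F5, 0xEAEAEAEA   # Table 15
RSSE_OPCODE, RSSLIB_OPCODE = 0x0080, 0x0081                 # Section 5.3.2
# RSSE SFI command IDs (Section 6.1) and RSSLIB command IDs (Section 6.2)
PROCESS_LICENSE, PROCESS_IMAGE_HEADER, PROCESS_AREA = 0x01, 0x02, 0x03
GET_STATE, GET_VERSION = 0x04, 0x05
RSSLIB_GET_CERT_SIZE, RSSLIB_GET_CERT = 0x02, 0x03
# RSSE SFI states used by the model (Table 14)
RSSE_SFI_INITIALISED, RSSE_SFI_LICENSE_OK, RSSE_SFI_IMAGE_HEADER_OK = 0x1, 0x2, 0x3


class FakeRsse:
    """Constructed model of the command ordering of Figure 10; it stands in for the
    device and is not ST's RSSE implementation."""

    def __init__(self):
        self.state = RSSE_SFI_INITIALISED   # RSSE installed and started (step 3 done)
        self.total_areas = 0
        self.next_index = 1
        self.calls = []

    def call(self, opcode, cmd_id, param=None):
        self.calls.append((opcode, cmd_id))
        if opcode == RSSLIB_OPCODE:
            return RSSE_SFI_SUCCESS           # certificate reads change no RSSE state
        if opcode != RSSE_OPCODE:
            return RSSE_SFI_ERROR
        if cmd_id in (GET_STATE, GET_VERSION):
            return RSSE_SFI_SUCCESS           # queries are accepted in any state
        if cmd_id == PROCESS_LICENSE and self.state == RSSE_SFI_INITIALISED:
            self.state = RSSE_SFI_LICENSE_OK
        elif cmd_id == PROCESS_IMAGE_HEADER and self.state == RSSE_SFI_LICENSE_OK:
            self.state, self.total_areas = RSSE_SFI_IMAGE_HEADER_OK, param
        elif (cmd_id == PROCESS_AREA and self.state == RSSE_SFI_IMAGE_HEADER_OK
              and param[1] == self.next_index <= self.total_areas and param[0] in "FPRC"):
            self.next_index += 1              # F programs Flash, C option bytes, P/R nothing
        else:
            return RSSE_SFI_ERROR             # out-of-order command or bad area index
        return RSSE_SFI_SUCCESS


def run_sfi_sequence(dev, areas):
    """Drive steps 1 to 7 of Section 7.1 on `dev`; `areas` is [(type, index), ...].
    Returns 'done', or the name of the step that failed."""
    if not areas or areas[-1][0] != "C":
        return "image rejected: last area must be a configuration (C) area"
    steps = [("step 1: get certificate size", RSSLIB_OPCODE, RSSLIB_GET_CERT_SIZE, None),
             ("step 2: get certificate", RSSLIB_OPCODE, RSSLIB_GET_CERT, None),
             ("step 4: get RSSE version", RSSE_OPCODE, GET_VERSION, None),
             ("step 5: process license", RSSE_OPCODE, PROCESS_LICENSE, None),
             ("step 6: process image header", RSSE_OPCODE, PROCESS_IMAGE_HEADER, len(areas))]
    steps += [(f"step 7: process area {i} ({t})", RSSE_OPCODE, PROCESS_AREA, (t, i))
              for t, i in areas]
    for name, opcode, cmd_id, param in steps:
        if dev.call(opcode, cmd_id, param) != RSSE_SFI_SUCCESS:
            return name
        # "Verify previous command is OK" (Figures 20 to 22): read the state after each RSSE service
        if opcode == RSSE_OPCODE and dev.call(RSSE_OPCODE, GET_STATE) != RSSE_SFI_SUCCESS:
            return name + " (state check)"
    return "done"


if __name__ == "__main__":
    print(run_sfi_sequence(FakeRsse(), [("F", 1), ("C", 2)]))   # done
    print(run_sfi_sequence(FakeRsse(), [("F", 1), ("F", 2)]))   # image rejected ...
    print(run_sfi_sequence(FakeRsse(), [("F", 1), ("C", 3)]))   # step 7: process area 3 (C)
```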

7.1.1 MSCs over bootloader

Figure 12. BL - Pre-conditions (message sequence chart; participants: Hardware, STM32CubeProgrammer, User, Bootloader, RSSFS, RSSLIB, RSSE, Registers, System Flash, SRAM2, IPCC, HSM. Sequence: Power OFF/ON; the User runs STM32_Programmer_CLI.exe -c port=swd sn=XXXX, mode=HOTPLUG -dsecurity, which disables security through JTAG_WriteReg(...); Power OFF/ON; the User runs STM32_Programmer_CLI.exe -c port=swd sn=XXXX, mode=HOTPLUG -setdefaultob, which sets the default option bytes through JTAG_WriteReg(...))

Note: Pre-conditions (development only). To do in case samples have security enabled or option bytes not set to default values.

Figure 13. BL - Step 0 - Descriptor analysis (message sequence chart; participants: Hardware, STM32CubeProgrammer, User, Bootloader, RSSFS, RSSE, RSSLIB, Registers, SRAM1, System Flash, IPCC, HSM; CM4 execution and optional CM0+ execution lanes. Preconditions: first hardware boot at OEM CM (after ST production); the hardware BOOT pin is set to boot in user Flash; as the Flash is empty, the system boots in bootloader mode; default option bytes (RDP L0, no security). Sequence: Power ON; the User runs STM32_Programmer.exe -sfi protocol=static « C:\file.sfi » « C:License.bin » -rsse « C:RSSe.bin » to program an SFI file in Flash memory, the SFI file containing a binary composed of an SFI header, a firmware area F and a configuration area C (option bytes); write option bytes to boot in RSS mode and do a reset: WriteMemory(nSWBOOT0=0, nBOOT0=0, nBOOT1=1), Write(nSWBOOT0=0, nBOOT0=1, nBOOT1=0), Write(OB_Start), Write(OB_Launch = Reset); bootloader reboot; ReadMemory(@Descriptor, Descriptor Size), Read(Descriptor), Descriptor returned: read the descriptor to get RSS/bootloader information (such as the RSSE SFI address))

Figure 14. BL - Step 1 - Get certificate size (message sequence chart, CM4 execution; participants: Hardware, STM32CubeProgrammer, User, Bootloader, RSSLIB, IPCC, RSSE, RSSFS, SRAM1, System Flash, Registers, HSM. Sequence: STM32CubeProgrammer -> Bootloader: SpecialRead(RSSL, RSSL_SFI_GET_CERTIFICATE_SIZE_CMD_ID); Bootloader -> RSSLIB: RSSLIB_Call(RSSL_SFI_GET_CERTIFICATE_SIZE_CMD_ID); RSSLIB: RSSLIB_GetCertificateSize(); RSSLIB status RSSLIB_SUCCESS returned; SpecialRead DATA; ReadMemory(@descriptor.RSSE_result_addr) to read the certificate size; CertificateSize returned)

Figure 15. BL - Step 2 - Get certificate (message sequence chart, CM4 execution; same participants as Figure 14. Sequence: SpecialRead(RSSL, RSSL_GET_CERTIFICATE_CMD_ID); RSSLIB_Call(RSSL_SFI_GET_CERTIFICATE_CMD_ID); RSSLIB_GetCertificate() returning @Certificate; RSSLIB status RSSE_SFI_SUCCESS; SpecialRead DATA; ReadMemory(@descriptor.RSSE_result_addr) returning @Certificate; ReadMemory DATA to read the certificate)

Figure 16. BL - Step 3 - RSSE installation: Set RSSE input/output param addresses. Load RSSE (message sequence chart, CM4 execution; participants: Hardware, STM32CubeProgrammer, User, Bootloader, RSSLIB, IPCC, RSSE, RSSFS, SRAM1, System Flash, Registers, HSM. Sequence: load @input_param in RAM: WriteMemory(@param_addr) at descriptor->RSSE_param_addr, Write(@RSSE SFI), WriteMemory ACK; load @output_param in RAM: WriteMemory(@output_param) at descriptor->RSSE_result_addr, Write(@RSSE SFI), WriteMemory ACK; load @RSSE SFI in RAM: WriteMemory(@RSSE SFI) at descriptor->RSSE_load_addr, Write(@RSSE SFI), WriteMemory ACK; load RSSE SFI in RAM: WriteMemory(RSSE SFI) at @RSSE_SFI, Write(RSSE SFI), WriteMemory ACK. The parameter address writes are optional if done before each RSSLIB/RSSE command call)

Figure 17. BL - Step 3 - RSSE installation: Install RSSE (message sequence chart, CM4 execution then CM0+ execution; participants: Hardware, STM32CubeProgrammer, User, Bootloader, RSSFS, RSSE, RSSLIB, Registers, SRAM2, System Flash, IPCC, HSM. Sequence: write option bytes to boot in RSS mode (RSS installs RSSE and does a reset): WriteMemory(nSWBOOT0=0, nBOOT0=1, nBOOT1=0), Write(nSWBOOT0=0, nBOOT0=1, nBOOT1=0), Write(OB_Start), Write(OB_Launch = Reset); RSS reboot; reboot)

Figure 18. BL - Step 3 - RSSE installation: Start RSSE (message sequence chart, CM4 execution then CM0+ execution; participants: Hardware, STM32CubeProgrammer, User, Bootloader, RSSFS, RSSLIB, RSSE, Registers, SRAM2, System Flash, IPCC, HSM. Sequence: bootloader reboot; start RSSE: SpecialRead(RSSLIB, START_RSSE), RSSLIB_StartRSSE(RxCallback), wait for RSSE ready thanks to RxCallback(), RSSLIB_SUCCESS, SpecialRead DATA; read RSSE state: SpecialRead(RSSE, RSSE_SFI_GET_STATE_CMD_ID), RSSLIB_RSSECall(RSSE_SFI_GET_STATE_CMD_ID), RSS_GetState(), RSSE status RSSE_SFI_SUCCESS, SpecialRead DATA, ReadMemory(@descriptor.RSSE_result_addr), ReadMemory DATA returning State; verify state is OK; resume)

Figure 19. BL - Step 4 - Get version (message sequence chart, CM4 execution and CM0+ execution; participants: Hardware, STM32CubeProgrammer, User, Bootloader, RSSFS, RSSLIB, RSSE, Registers, System Flash, SRAM2, IPCC, HSM. Sequence: RSSE waits for a command from the host; get version: SpecialRead(RSSE, RSSE_SFI_GET_VERSION_CMD_ID), RSSLIB_RSSECall(RSSE_SFI_GET_VERSION_CMD_ID), RSSE_GetVersion(), RSSE status RSSE_SFI_SUCCESS, SpecialRead DATA; read RSSE version: ReadMemory(@descriptor.RSSE_result_addr), ReadMemory DATA returning RSSE Version)

Figure 20. BL - Step 5 - Process license. Message sequence chart (CM4 execution: Hardware, STM32CubeProgrammer, Bootloader, RSSFS; CM0+ execution: RSSE; also User, HSM, RSSLIB, IPCC, registers, system Flash, SRAM2). The host obtains the license from the HSM (Get License(Certificate), Compute License) and writes it to the device: Write(License) at @Licence and Write(@License) at @descriptor->RSSE_param_addr, each acknowledged by WriteMemory ACK. It then sends SpecialRead(RSSE, RSSE_PROCESS_LICENCE); the bootloader calls RSSLIB_RSSECall(RSSE_SFI_PROCESS_LICENCE_CMD_ID), RSSE checks in SRAM which RSS command (CmdId) to call, runs RSSE_ProcessLicense(*License) and returns RSSE_SFI_SUCCESS. The host verifies that the previous command is OK with SpecialRead(RSSE, RSSE_SFI_GET_STATE) (RSSLIB_RSSECall(RSSE_SFI_GET_STATE_CMD_ID), RSSE_GetState()) and reads the state with ReadMemory(@descriptor.RSSE_result_addr).


Figure 21. BL - Step 6 - Process image header. Message sequence chart (CM4 execution: Hardware, STM32CubeProgrammer, Bootloader, RSSFS; CM0+ execution: RSSE; also User, HSM, RSSLIB, IPCC, registers, system Flash, SRAM1). The host writes the image header (SFI magic, number of areas): Write(ImageHeader) at @ImageHeader and Write(@ImageHeader) at @descriptor->RSSE_param_addr, each acknowledged by WriteMemory ACK. It then sends SpecialRead(RSSE, RSSE_SFI_PROCESS_IMAGE_HEADER_CMD_ID); the bootloader calls RSSLIB_RSSECall(RSSE_SFI_PROCESS_IMAGE_HEADER_CMD_ID), RSSE checks in SRAM which RSS command (CmdId) to call, runs RSSE_ProcessImageHeader() and returns RSSE_SFI_SUCCESS. The host verifies that the previous command is OK with SpecialRead(RSSE, RSSE_SFI_GET_STATE) (RSSLIB_RSSECall(RSSE_SFI_GET_STATE_CMD_ID), RSSE_GetState()) and reads the state with ReadMemory(@descriptor.RSSE_result_addr).


Figure 22. BL - Step 7 - Process area F (firmware). Message sequence chart (CM4 execution: Hardware, STM32CubeProgrammer, Bootloader, RSSFS; CM0+ execution: RSSE; also User, HSM, RSSLIB, IPCC, registers, system Flash, SRAM1). The host writes the area in chunks: WriteMemory(Image i, chunk0) at @Area, then WriteMemory(Image i, ...) up to chunkN (loop up to the last chunk of the « F » area), then Write(@Area) at @descriptor->RSSE_param_addr, each acknowledged by WriteMemory ACK. It then sends SpecialRead(RSSE, RSSE_SFI_PROCESS_AREA_CMD_ID); the bootloader calls RSSLIB_RSSECall(RSSE_SFI_PROCESS_AREA_CMD_ID), RSSE checks in SRAM which RSS command (CmdId) to call, runs RSSE_ProcessArea() and returns RSSE_SFI_SUCCESS. The host verifies that the previous command is OK with SpecialRead(RSSE, RSSE_SFI_GET_STATE) (RSSLIB_RSSECall(RSSE_SFI_GET_STATE_CMD_ID), RSSE_GetState()) and reads the state with ReadMemory(@descriptor.RSSE_result_addr).


Figure 23. BL - Step 7 - Process area C (configuration/option bytes). Message sequence chart (CM4 execution: Hardware, STM32CubeProgrammer, Bootloader, RSSFS; CM0+ execution: RSSE; also User, HSM, registers, system Flash, user application Flash, SRAM1, IPCC). The host writes the « C » area in chunks: WriteMemory(Image i, chunk0) at @Area, then WriteMemory(Image i, ...) up to chunkN, then Write(@Area) at @descriptor->RSSE_param_addr, each acknowledged by WriteMemory ACK. It then sends SpecialRead(RSSE, RSSE_SFI_PROCESS_AREA_CMD_ID); the bootloader calls RSSLIB_RSSECall(RSSE_SFI_PROCESS_AREA_CMD_ID), RSSE checks in SRAM which RSS command (CmdId) to call and runs RSSE_ProcessArea(), which writes the option bytes (Write(OB)) and calls OB_Launch(); RSSE_SFI_SUCCESS is returned and the device reboots into the user application (User App Reboot).


7.2 SFI procedure over JTAG

The procedure is the same as SFI over bootloader. The only difference is that the JTAG interface is used instead of the bootloader interface.

The sequence to apply to execute SFI is indicated below:

1. Pre-conditions (see Figure 24)

To execute the SFI, samples must be programmed with the default OB (from ST production). For development purposes, it can be useful to have commands that configure the default option bytes.

2. Step 0: Descriptor analysis (see Figure 25)

3. Step 1: Get certificate size (see Figure 26)

4. Step 2: Get certificate (see Figure 27)

5. Step 3: RSSE installation (see Figure 28 to Figure 30)

The host must install RSSE SFI within the STM32 device.

6. Step 4: Get version (see Figure 31)

7. Step 5: Process license (see Figure 32)

The license provides the encrypted firmware key to RSSE SFI, which uses its chip private key to handle the license.

8. Step 6: Process image header (see Figure 33)

The image header provides RSSE SFI with the number of areas to program. It also provides the SFI protocol version.

9. Step 7: Process area F (firmware) (see Figure 34 and Figure 35)

In this step, the host provides the STM32 with the areas that RSSE SFI must program. RSSE SFI performs different processing according to the area type:

– On reception of P and R areas, RSSE SFI does not perform any internal Flash memory programming; it only checks the area index and returns the value meaning a successful processing.

– On reception of F areas, RSSE SFI programs the internal Flash memory, whereas on reception of the C area it programs the internal Flash option-byte registers.

The host performs this step several times, until the area number matches the one mentioned within the image header. The last area must be of configuration C type.
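As an added example (not ST's code and not part of this note), the following Python model applies the area-processing rules of steps 6 and 7 above: the image header fixes the number of areas, every area (P and R included) is index-checked, only F areas are programmed into Flash memory, only the C area programs the option bytes, and the C area must be the last one. The SFI magic value, the area layout and the error names are assumptions made for the example.

```python
# Added example, not ST code: model of the RSSE SFI image-header and
# area-processing rules of steps 6 and 7. The area layout, the SFI magic
# value and the error names are constructed; see section 6 for the real ones.
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional


class AreaType(Enum):
    F = "F"  # firmware: programmed into internal Flash memory
    C = "C"  # configuration: programmed into option-byte registers, must be last
    P = "P"  # index check only, no Flash programming
    R = "R"  # index check only, no Flash programming


class Status(Enum):
    SUCCESS = "RSSE_SFI_SUCCESS"
    BAD_HEADER = "BAD_IMAGE_HEADER"     # constructed error names
    BAD_INDEX = "BAD_AREA_INDEX"
    BAD_SEQUENCE = "BAD_AREA_SEQUENCE"


SFI_MAGIC = b"SFI\x00"  # constructed placeholder, not the real magic value


@dataclass
class ImageHeader:
    magic: bytes
    protocol_version: int
    nb_areas: int


@dataclass
class Area:
    index: int
    kind: AreaType
    dest: int       # Flash address for F areas, ignored for the other types
    payload: bytes  # already decrypted/authenticated in this model


@dataclass
class RsseSfiModel:
    """Device-side state: the checks RSSE SFI makes before programming."""
    nb_areas: Optional[int] = None
    next_index: int = 0
    flash: Dict[int, bytes] = field(default_factory=dict)
    option_bytes: Optional[bytes] = None
    finished: bool = False

    def process_image_header(self, hdr: ImageHeader) -> Status:
        if hdr.magic != SFI_MAGIC or hdr.nb_areas < 1:
            return Status.BAD_HEADER
        self.nb_areas, self.next_index, self.finished = hdr.nb_areas, 0, False
        return Status.SUCCESS

    def process_area(self, area: Area) -> Status:
        if self.nb_areas is None or self.finished:
            return Status.BAD_SEQUENCE  # header first; nothing after the C area
        if area.index != self.next_index:
            return Status.BAD_INDEX     # every type, P and R included, is index-checked
        is_last = area.index == self.nb_areas - 1
        if is_last != (area.kind is AreaType.C):
            return Status.BAD_SEQUENCE  # the C area closes the image, and only it
        if area.kind is AreaType.C:
            self.option_bytes = area.payload  # then OB_Launch() reboots the device
            self.finished = True
        elif area.kind is AreaType.F:
            self.flash[area.dest] = area.payload
        self.next_index += 1            # P and R areas: index check only
        return Status.SUCCESS
```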

7.2.1 MSCs over JTAG


Figure 24. JTAG - Pre-conditions. Message sequence chart (CM4 execution: Hardware, STM32CubeProgrammer, JTAG, RSSFS, RSSE; also User, HSM, RSSLIB, IPCC, registers, system Flash, SRAM2). The user first disables security with STM32_Programmer_CLI.exe -c port=swd sn=XXXX mode=HOTPLUG -dsecurity (JTAG_WriteReg(...)), then powers the device off and on; then sets the default OB with STM32_Programmer_CLI.exe -c port=swd sn=XXXX mode=HOTPLUG -setdefaultob (JTAG_WriteReg(...)) and powers the device off and on again.


Figure 25. JTAG - Step 0 - Descriptor analysis. Message sequence chart (CM4 execution: Hardware, STM32CubeProgrammer, JTAG, RSSFS; CM0+ execution: RSSE; also User, HSM, RSSLIB, IPCC, registers, system Flash, SRAM1). Optional preconditions: first hardware boot at the OEM (after ST production) with the default OB (RDP L0, no security); the hardware boot pin is set to boot in user Flash and, as the Flash is empty, the device boots in BL mode. After power on, the user runs STM32_Programmer.exe -sfi protocol=static « C:\file.sfi » « C:License.bin » -rsse « C:RSSe.bin » to program an SFI file in Flash memory (the SFI file contains a binary composed of an SFI header, a firmware area F and a configuration area C with option bytes). The host writes the OB to boot in RSS mode and resets: JTAG_WriteReg on nSWBOOT0, nBOOT0 and nBOOT1, Write(OB_Start), Write(OB_Launch = Reset). After the BL reboot, it reads the descriptor with JTAG_ReadMemory(@Descriptor, Descriptor Size) to get RSS/BL information (RSSE SFI address…).


Figure 26. JTAG - Step 1 - Get certificate size. Message sequence chart (CM4 execution: Hardware, STM32CubeProgrammer, JTAG, RSSFS, RSSE; also User, HSM, RSSLIB, IPCC, SRAM1, system Flash, registers). The host builds the payload and calls RSSLIB through the debug port: JTAG_WriteReg(SP, @stack_pointer = 0x2000 xxxx), JTAG_WriteReg(MSP, @stack_pointer = 0x2000 xxxx), JTAG_WriteMem(@RSSPayload, GetCertificateSizePayload), JTAG_WriteReg(R0, @RSSPayload), JTAG_WriteReg(LR, @return), JTAG_WriteReg(PC, stm32_descriptor->rsslib_api_table.RSSLIB_Call), JTAG_Run(). RSSLIB_Call(RSSL_SFI_GET_CERTIFICATE_SIZE_CMD_ID) runs RSSLIB_GetCertificateSize(), writes the result (Write(@CertificateSize)) and returns RSSLIB_SUCCESS. The host reads the RSSLIB status with JTAG_ReadReg(R0) and the certificate size with JTAG_ReadMemory(@descriptor.RSSE_result_addr). The SP/MSP setup is optional for each function call and is not shown in the next diagrams for better readability.


Figure 27. JTAG - Step 2 - Get certificate. Message sequence chart (CM4 execution: Hardware, STM32CubeProgrammer, JTAG, RSSFS, RSSE; also User, HSM, RSSLIB, IPCC, SRAM1, system Flash, registers). The host builds the payload and calls RSSLIB as in Figure 26: JTAG_WriteMem(@RSSPayload, payload), JTAG_WriteReg(R0, @RSSPayload), JTAG_WriteReg(LR, @return), JTAG_WriteReg(PC, stm32_descriptor->rsslib_api_table.RSSLIB_Call), JTAG_Run(). RSSLIB_Call(RSSL_SFI_GET_CERTIFICATE_CMD_ID) writes the certificate (Write(@Certificate)) and returns RSSLIB_SUCCESS. The host reads the RSSLIB status with JTAG_ReadReg(R0), reads @Certificate with JTAG_ReadMemory(@descriptor.RSSE_result_addr), then reads the certificate itself with JTAG_ReadMemory(@Certificate).


Figure 28. JTAG - Step 3 - RSSE installation: Set RSSE input/output param addresses. Load RSSE. Message sequence chart (CM4 execution: Hardware, STM32CubeProgrammer, JTAG, RSSFS, RSSE; also User, HSM, RSSLIB, IPCC, SRAM1, system Flash, registers). The host loads @param_addr in RAM with JTAG_WriteMemory(@param_addr) at descriptor->RSSE_param_addr (Write(@param_addr)), loads @output_param in RAM with JTAG_WriteMemory(@output_param) at descriptor->RSSE_result_addr (Write(@output_param)), loads RSSE SFI in RAM with JTAG_WriteMemory(RSSE SFI) at @RSSE_SFI (Write(RSSE SFI)), and loads @RSSE SFI in RAM with JTAG_WriteMemory(@RSSE SFI) at descriptor->RSSE_load_addr (Write(@RSSE SFI)). Setting the parameter addresses here is optional if it is done before each RSSE command call.


Figure 29. JTAG - Step 3 - RSSE installation: Install RSSE. Message sequence chart (CM4 execution: Hardware, STM32CubeProgrammer, JTAG, RSSFS; CM0+ execution: RSSE; also User, HSM, RSSLIB, IPCC, registers, system Flash, SRAM2). The host writes the option bytes to boot in RSS mode: JTAG_WriteMemory(nSWBOOT0=0, nBOOT0=1, nBOOT1=0) (Write(nSWBOOT0=0, nBOOT0=1, nBOOT1=0)), Write(OB_Start), Write(OB_Launch = Reset). The device reboots in RSS, RSS installs RSSE and resets again (Reboot).


Figure 30. JTAG - Step 3 - RSSE installation: Start RSSE. Message sequence chart (CM4 execution: Hardware, STM32CubeProgrammer, JTAG, RSSFS; CM0+ execution: RSSE; also User, HSM, RSSLIB, IPCC, registers, system Flash, SRAM1). After the BL reboot, the host calls StartRSSE(): JTAG_WriteReg(R0, @RSSPayload), JTAG_WriteReg(LR, @return), JTAG_WriteReg(PC, stm32_descriptor->rsslib_api_table.RSSLIB_StartRSSE), JTAG_Run() (RSSLIB_StartRSSE() has no payload); RSSLIB_StartRSSE() waits for RSSE to be ready through IPCC and returns RSSLIB_SUCCESS, which the host reads with JTAG_ReadReg(R0). The host then runs the RSSE_SFI_GET_STATE_CMD_ID sequence: build the GetState payload, JTAG_WriteMem(@RSSPayload, GetStatePayload), JTAG_WriteReg(R0, @RSSPayload), JTAG_WriteReg(LR, @return), JTAG_WriteReg(PC, stm32_descriptor->rsslib_api_table.RSSLIB_RSSECall), JTAG_Run(); RSSLIB_RSSECall(RSSE_SFI_GET_STATE_CMD_ID) runs RSS_GetState() on RSSE, which returns RSSE_SFI_SUCCESS; the host reads the RSSLIB status with JTAG_ReadReg(R0), reads the RSSE state with JTAG_ReadMemory(@descriptor.RSSE_result_addr) and resumes.


Figure 31. JTAG - Step 4 - Get version. Message sequence chart (CM4 execution: Hardware, STM32CubeProgrammer, JTAG, RSSFS; CM0+ execution: RSSE; also User, HSM, RSSLIB, IPCC, SRAM1, system Flash, registers). The host builds the GetVersion payload and calls RSSECall(): JTAG_WriteMem(@RSSPayload, GetVersionPayload), JTAG_WriteReg(R0, @RSSPayload), JTAG_WriteReg(LR, @return), JTAG_WriteReg(PC, stm32_descriptor->rsslib_api_table.RSSLIB_RSSECall), JTAG_Run(). RSSLIB_RSSECall(RSSE_SFI_GET_VERSION_CMD_ID) runs RSSE_GetVersion() on RSSE, which returns RSSE_SFI_SUCCESS. The host reads the RSSLIB status with JTAG_ReadReg(R0) and the RSSE version with JTAG_ReadMemory(@descriptor.RSSE_result_addr).


Figure 32. JTAG - Step 5 - Process license. Message sequence chart (CM4 execution: Hardware, STM32CubeProgrammer, JTAG, RSSFS; CM0+ execution: RSSE; also User, HSM, RSSLIB, IPCC, registers, system Flash, SRAM2). The host obtains the license from the HSM (Get License(Certificate), Compute license), writes it with JTAG_WriteMemory(Licence) at @Licence (Write(License)) and JTAG_WriteMemory(@Licence) at @descriptor->RSSE_param_addr (Write(@License)), then builds the ProcessLicense payload and calls RSSECall: JTAG_WriteMem(@RSSPayload, ProcessLicensePayload), JTAG_WriteReg(R0, @RSSPayload), JTAG_WriteReg(LR, @return), JTAG_WriteReg(PC, stm32_descriptor->rsslib_api_table.RSSLIB_RSSECall), JTAG_Run(). RSSLIB_RSSECall(RSSE_SFI_PROCESS_LICENCE_CMD_ID) makes RSSE check in SRAM which RSS command (CmdId) to call and run RSSE_ProcessLicense(*License), which returns RSSE_SFI_SUCCESS. The host reads the RSSLIB status with JTAG_ReadReg(R0) and runs the RSSE_SFI_GET_STATE_CMD_ID sequence to read the RSSE status.


Figure 33. JTAG - Step 6 - Process image header. Message sequence chart (CM4 execution: Hardware, STM32CubeProgrammer, JTAG, RSSFS; CM0+ execution: RSSE; also User, HSM, RSSLIB, IPCC, registers, system Flash, SRAM2). The host writes the image header (SFI magic, number of areas) with JTAG_WriteMemory(ImageHeader) at @ImageHeader (Write(ImageHeader)) and JTAG_WriteMemory(@ImageHeader) at @descriptor->RSSE_param_addr (Write(@ImageHeader)), then builds the image header payload and calls RSSECall: JTAG_WriteMem(@RSSPayload, ProcessImageHeaderPayload), JTAG_WriteReg(R0, @RSSPayload), JTAG_WriteReg(LR, @return), JTAG_WriteReg(PC, stm32_descriptor->rsslib_api_table.RSSLIB_RSSECall), JTAG_Run(). RSSLIB_RSSECall(RSSE_SFI_PROCESS_IMAGE_HEADER_CMD_ID) makes RSSE check in SRAM which RSS command (CmdId) to call and run RSSE_ProcessImageHeader(), which returns RSSE_SFI_SUCCESS. The host reads the RSSLIB status with JTAG_ReadReg(R0) and runs the RSSE_SFI_GET_STATE_CMD_ID sequence to read the RSSE status.


Figure 34. JTAG - Step 7 - Process area F (firmware). Message sequence chart (CM4 execution: Hardware, STM32CubeProgrammer, JTAG, RSSFS; CM0+ execution: RSSE; also User, HSM, RSSLIB, IPCC, registers, system Flash, SRAM2). The host writes the area in chunks: JTAG_WriteMemory(Image i, chunk0) at @Area (Write(chunk0)), then JTAG_WriteMemory(Image i, ...) up to chunkN (loop up to the last chunk of area F), then JTAG_WriteMemory(@Area) at @descriptor->RSSE_param_addr (Write(@Area)). It then builds the process area payload and calls RSSECall: JTAG_WriteMem(@RSSPayload, ProcessAreaPayload), JTAG_WriteReg(R0, @RSSPayload), JTAG_WriteReg(LR, @return), JTAG_WriteReg(PC, stm32_descriptor->rsslib_api_table.RSSLIB_RSSECall), JTAG_Run(). RSSLIB_RSSECall(RSSE_SFI_PROCESS_AREA_CMD_ID) makes RSSE check in SRAM which RSS command (CmdId) to call and run RSSE_ProcessArea(), which returns RSSE_SFI_SUCCESS. The host reads the RSSLIB status with JTAG_ReadReg(R0) and runs the RSSE_SFI_GET_STATE_CMD_ID sequence to read the RSSE status.


Figure 35. JTAG - Step 7 - Process area C (configuration/option byte). Message sequence chart (CM4 execution: Hardware, STM32CubeProgrammer, JTAG, RSSFS; CM0+ execution: RSSE; also User, HSM, RSSLIB, IPCC, registers, system Flash, user application Flash, SRAM2). The host writes the « C » area in chunks: JTAG_WriteMemory(Image i, chunk0) at @Area (Write(chunk0)), then JTAG_WriteMemory(Image i, ...) up to chunkN, then JTAG_WriteMemory(@Area) at @descriptor->RSSE_param_addr (Write(@Area)). It then builds the process area payload and calls RSSECall: JTAG_WriteMem(@RSSPayload, ProcessAreaPayload), JTAG_WriteReg(R0, @RSSPayload), JTAG_WriteReg(LR, @return), JTAG_WriteReg(PC, stm32_descriptor->rsslib_api_table.RSSLIB_RSSECall), JTAG_Run(). RSSLIB_RSSECall(RSSE_SFI_PROCESS_AREA_CMD_ID) makes RSSE check in SRAM which RSS command (CmdId) to call and run RSSE_ProcessArea(), which writes the option bytes (Write(OB)), calls OB_Launch() and returns RSSE_SFI_SUCCESS. The host reads the RSSE status with JTAG_ReadReg(R0); the device reboots into the user application (User App Reboot).


8 Specific cases

SFI option bytes (OB) programming: OB configured to disable security and security debug

The SFI procedure is used to program a secure application. Normally, at the end of the SFI procedure, the OB programming (C area) is done with security enabled (FSD = 0).

Nevertheless, if the OB programming (C area) is done with security disabled (FSD = 1), the setting CPU2 debug disabled (DDS = 1) cannot be used at the same time. Disabling the security during the OB programming also performs a regression on DDS (DDS = 0).

The procedure to disable security and security debug using the SFI procedure includes the two following steps:

1. The SFI procedure must be used to disable security with the C area (FSD = 1).

2. The classical OB programming is used to disable CPU2 debug (DDS = 1).


Revision history

Table 19. Document revision history

Date Version Changes


Contents

1 General information . . . 2
2 SFI process overview . . . 3
3 SFI cryptography overview . . . 5
3.1 Chip certificate verification . . . 5
3.2 License encryption/decryption . . . 5
3.3 Image header authentication . . . 6
3.4 Image areas encryption/decryption/authentication . . . 6
4 STM32 Trusted Package Creator output binaries . . . 7
5 SFI bootloader/STM32CubeProgrammer interface . . . 8
5.1 STM32 descriptor in STM32WL5x . . . 8
5.2 Legacy SFI commands . . . 9
5.3 RSS API call: SpecialRead command . . . 9
5.3.1 SpecialRead command description . . . 10
5.3.2 SpecialRead command applied to RSS API . . . 10
5.3.3 RSS API input parameters . . . 12
5.3.4 RSS API output parameters . . . 12
6 Static description . . . 13
6.1 RSSE SFI APIs . . . 13
6.1.1 RSSE_SFI_GetVersion . . . 13
6.1.2 RSSE_SFI_ProcessLicense . . . 13
6.1.3 RSSE_SFI_ProcessImageHeader . . . 14
6.1.4 RSSE_SFI_ProcessArea . . . 14
6.1.5 RSSE_SFI_GetState . . . 17
6.1.6 RSSE_SFI_GetStatus . . . 17
6.2 RSSLIB APIs . . . 18
6.2.1 RSSLIB_GetRssVersion . . . 18
6.2.2 RSSLIB_GetCertificateSize . . . 18


7.1 SFI procedure over bootloader . . . 20
7.1.1 MSCs over bootloader . . . 21
7.2 SFI procedure over JTAG . . . 34
7.2.1 MSCs over JTAG . . . 34
8 Specific cases . . . 47
Revision history . . . 48
Contents . . . 49
List of tables . . . 51
List of figures . . . 52


List of tables

Table 1. Acronyms . . . 2

Table 2. stm32_descriptor_t. . . 8

Table 3. RSSLIB_STM32xxApiTable_t . . . 8

Table 4. Bootloader legacy commands set used for SFI . . . 9

Table 5. SpecialRead command. . . 9

Table 6. RSSE_SFI_Version_t description . . . 13

Table 7. RSSE_SFI_License_t description. . . 13

Table 8. RSSE_SFI_LicenseHeader_t description . . . 14

Table 9. RSSE_SFI_FWKey_t description . . . 14

Table 10. RSSE_SFI_ImageHeader_t description . . . 14

Table 11. RSSE_SFI_Area_t description. . . 14

Table 12. RSSE_SFI_AreaHeader_t description . . . 15

Table 13. stm32wl5_OB_Config_t . . . 16

Table 14. RSSE SFI state . . . 17

Table 15. RSSE SFI status . . . 17

Table 16. RSS_Version_t description . . . 18

Table 17. Certificate size. . . 18

Table 18. RSSLIB_Certificate_t . . . 18

Table 19. Document revision history . . . 48


List of figures

Figure 1. SFI process overview . . . 3

Figure 2. Cryptography scheme for SFI process on STM32WL5x . . . 5

Figure 3. STM32 Trusted Package Creator processing overview . . . 7

Figure 4. SpecialRead command diagram . . . 10

Figure 5. Host returns from SpecialRead command diagram . . . 10

Figure 6. BL RSSE API call . . . 10

Figure 7. Host return from an RSSE API call . . . 11

Figure 8. Host basic RSSE service call . . . 11

Figure 9. Host basic RSSLIB service call . . . 12

Figure 10. RSSE SFI process activity diagram . . . 19

Figure 11. STM32_Descriptor analysis for SFI by bootloader . . . 20

Figure 12. BL - Pre-conditions . . . 22

Figure 13. BL - Step 0 - Descriptor analysis . . . 23

Figure 14. BL - Step 1 - Get certificate size . . . 24

Figure 15. BL - Step 2 - Get certificate . . . 25

Figure 16. BL - Step 3 - RSSE installation: Set RSSE input/output param addresses. Load RSSE . . . 26

Figure 17. BL - Step 3 - RSSE installation: Install RSSE . . . 27

Figure 18. BL - Step 3 - RSSE installation: Start RSSE . . . 28

Figure 19. BL - Step 4 - Get version . . . 29

Figure 20. BL - Step 5 - Process license . . . 30

Figure 21. BL - Step 6 - Process image header . . . 31

Figure 22. BL - Step 7 - Process area F (firmware) . . . 32

Figure 23. BL - Step 7 - Process area C (configuration/option bytes). . . 33

Figure 24. JTAG - Pre-conditions . . . 35

Figure 25. JTAG - Step 0 - Descriptor analysis . . . 36

Figure 26. JTAG - Step 1 - Get certificate size . . . 37

Figure 27. JTAG - Step 2 - Get certificate . . . 38

Figure 28. JTAG - Step 3 - RSSE installation: Set RSSE input/output param addresses. Load RSSE . . . 39

Figure 29. JTAG - Step 3 - RSSE installation: Install RSSE . . . 40

Figure 30. JTAG - Step 3 - RSSE installation: Start RSSE . . . 41

Figure 31. JTAG - Step 4 - Get version . . . 42

Figure 32. JTAG - Step 5 - Process license . . . 43

Figure 33. JTAG - Step 6 - Process image header . . . 44

Figure 34. JTAG - Step 7 - Process area F (firmware) . . . 45

Figure 35. JTAG - Step 7 - Process area C (configuration/option byte) . . . 46


IMPORTANT NOTICE – PLEASE READ CAREFULLY

STMicroelectronics NV and its subsidiaries (“ST”) reserve the right to make changes, corrections, enhancements, modifications, and improvements to ST products and/or to this document at any time without notice. Purchasers should obtain the latest relevant information on ST products before placing orders. ST products are sold pursuant to ST’s terms and conditions of sale in place at the time of order acknowledgement.

Purchasers are solely responsible for the choice, selection, and use of ST products and ST assumes no liability for application assistance or the design of Purchasers’ products.

No license, express or implied, to any intellectual property right is granted by ST herein.

Resale of ST products with provisions different from the information set forth herein shall void any warranty granted by ST for such product.

ST and the ST logo are trademarks of ST. For additional information about ST trademarks, please refer to www.st.com/trademarks. All other product or service names are the property of their respective owners.

Information in this document supersedes and replaces information previously supplied in any prior versions of this document. © 2020 STMicroelectronics – All rights reserved

