Skip to main content
T
TetrasLyre
Associate II
March 25, 2025
Question

Authentication key provisioning in STM32H5

  • March 25, 2025
  • 5 replies
  • 633 views

Hi,

I come to you about the key provisioning process for the iROT in the STM32H5.

Using TrustedPackageCreator, the keys provided in the file STiROT_Config.xml for the Secure Boot (field <Authentication key>) are both the private and public keys of the .pem file. However, only the public key is needed, and will be embedded in the device.

 

This method of provisioning is limiting for us for two reasons:

- on the one hand, it doesn't allow to subcontract the provisioning task, as we don't want to give the private key to the subcontractor

- secondly, the private key may be generated by an HSM and cannot leave the vault.

 

So, is there a way to provision only the public key at this stage?

 

Best regards,

Christine

 

5 replies

Jocelyn RICARD
Jocelyn RICARD
ST Employee
March 25, 2025

Hello @TetrasLyre ,

For the generation of obk file, you can fix this by changing the xml file like this:

	<File>
		<Name>Authentication key</Name>
		<Value>./../Keys/STiRoT_Authentication_pub.pem</Value>
		<Align>4</Align>
		<KeyType>ecdsa-p256</KeyType>
		<Type></Type>
		<Default>.\..\Keys\STiRoT_Authentication.pem</Default>
		<Tooltip>Select the key used to authenticate firmware and data images. When this key is regenerated, both frmware and data images must be processed with Imgtool</Tooltip>
	</File>

Basically you provide the public pem and remove the "Public" in type field.

The public key will be used.

Best regards

Jocelyn

 

T
TetrasLyreAuthor
Associate II
March 26, 2025

Hi Jocelyn,

Thank you for your reply.

In the following, we need to embed the command of TrustedPackageCreator_CLI that forms and signs (and encrypts) the firmware in the HSM, to enable the digital signature with the secured private key in the enclave of the HSM. Factually, the private key cannot leave the HSM. 
Is the source code of the command of TrustedPackageCreator_CLI available in open source?

Best regards,

Jocelyn RICARD
Jocelyn RICARD
ST Employee
March 26, 2025

Hello @TetrasLyre ,

I was expecting this point :)

The TrustedPackageCreator is a kind of frontend that understands xml inputs and transforms it into imgtool commands for signing and encrypting the firmware.

In this setup, imgtool is provided as binary in STM32CubeProgrammer in Utilities directory.

You can see the call to imgtool from TrustedPackageCreator in 

~/STMicroelectronics/STM32CubeProgrammer/imgtool-command.log

The latest source version I know is in STM32CubeU5 version 1.5.0 but I don't know if it is compatible with STiROT images. I have to check this.

Best regards

Jocelyn

B
benjacam
Associate II
November 6, 2025

Hello @TetrasLyre and @Jocelyn RICARD ,

May I ask if there was any further progress with this question? Like TetrasLyre, I would like to be able to sign my non-secure application using a HSM to avoid a possibility of leaking the private key. Is there any information on how that can be done please?

Best regards,

Ben

Jocelyn RICARD
Jocelyn RICARD
ST Employee
November 11, 2025

Hello @benjacam ,

The python code used for signing is available here in scripts directory

You can modify it to provide the hash to sign to your HSM.

Best regards

Jocelyn

 

B
benjacam
Associate II
November 12, 2025

Thanks Jocelyn,

JFYI, I found the imgtool command log file here: ~/.STM32CubeProgrammer/imgtool-command.log.

This is what is contained:

/home/x/STMicroelectronics/STM32Cube/STM32CubeProgrammer/bin/Utilities/Linux/imgtool sign -k /home/x/prj/build/mcu/sensor/x_cube_sec_m_h5/Projects/STM32H573I-DK/ROT_Provisioning/SM/Images/./../Config/../Keys/SM_Authentication.pem -E /home/x/prj/build/mcu/sensor/x_cube_sec_m_h5/Projects/STM32H573I-DK/ROT_Provisioning/SM/Images/./../Config/../Keys/SM_Encryption_pub.pem --public-key-format full -e little --pad -S 0x96000 -H 0x400 --pad-header --max-sectors 17 -v 1.0.0 -s auto --align 16 --boot-record NSPE --rom-fixed 0x805E000 -x 0x80F4000 --confirm /home/x/prj/build/mcu/sensor/x_cube_sec_m_h5/Projects/STM32H573I-DK/ROT_Provisioning/SM/Images/./../../../../../../prj_mcu_sensor.bin /home/x/prj/build/mcu/sensor/x_cube_sec_m_h5/Projects/STM32H573I-DK/ROT_Provisioning/SM/Images/./../Binary/Profile_Large/appli_enc_sign.hex

I understand you are suggesting I write a program that _replaces_ imgtool at this path and performs the signing step on the HSM. This should technically be possible, with appropriate shebang'ing.

Looking further, imgtool originates from mcuboot

There appears to be a "tfm" branch which has some support for PKCS#11

https://github.com/mcu-tools/mcuboot/tree/tfm/scripts/imgtool/keys

 

Jocelyn RICARD
Jocelyn RICARD
ST Employee
November 12, 2025

Hello @benjacam ,

You have the python source code and the kind of command you need to use.

Then instead of using STM32TrustedPackageCreator to sign your firmware you use your modified version of the imgtool using your HSM for the signature step. 

I cannot tell more, as I have never tested it.

Best regards

Jocelyn

Terms & ConditionsAccessibility statement