Associate III
November 12, 2024
Solved

Failed to provision Secure Manager 1.2

  • November 12, 2024
  • 6 replies
  • 2231 views

I tried to provision Secure Manager 1.2 to my DK board, and got the following error messages in the provisioning.log:

2024-11-10 15:49:30,796 - root - DEBUG - Error: SFI command is not supported for the current device configuration using STLINK interfaces !
2024-11-10 15:49:30,796 - root - DEBUG - Error: Cannot launch RSSe...
2024-11-10 15:49:30,796 - root - DEBUG -
2024-11-10 15:49:30,796 - root - DEBUG - Error: C:\Users\cbens\STM32Cube\Repository\STM32Cube_FW_H5_V1.3.0\Projects\STM32H573I-DK\ROT_Provisioning\SM\Binary\SecureManagerPackage.sfi SFI file Install Operation Failure! Please, try again.
2024-11-10 15:49:30,796 - root - DEBUG -


Then I booted the DK board in DFU mode and used the programmer 2.17 to program the sfi, but it still failed: either "could not connect to the device" if SW1=0, or the following errors if SW1 = 1 (I know that according to the instructions it should not be 1).

17:23:44 : Erasing memory corresponding to segment 0:
17:23:44 : Not flash Memory : No erase done
17:23:44 : Download in Progress:
17:23:45 : File download complete
17:23:45 : Time elapsed during download operation: 00:00:00.111
17:23:45 : Get RSSe status...
17:23:46 : Error: Failed to get RSSe Status!
17:23:46 : Error: Cannot launch RSSe...

 

All the tools are up to date.

Any suggestions? Someone in the forum mentioned CubeProgrammer 2.18. Should I try that version, and where can I download it?

Thank you!

6 replies

ThatseasyAuthor
Associate III
November 12, 2024

Could something be wrong with my device driver setup? In the device manager, I see "ST-Link Debug" is active and "STM32 ST-LINK/V3" is not, but even when I temporarily uninstalled "ST-Link Debug", "STM32 ST-LINK/V3" was still not active, and "ST-Link Debug" always comes back.

Thatseasy_0-1731442899757.png

 

Jocelyn RICARD
ST Employee
November 13, 2024

Hello @Thatseasy ,

When I connect my STM32H574I-DK I get ST-Link Debug and if I connect the other USB connector I get this DFU in FS Mode. So, STM32 ST-Link/V3 should appear when you are in STLink upgrade mode.

The tools are working correctly as far as I know.

At least the command:

python provisioning.py --sfi-gen --sfi-flash -a

is working without issue.

Best regards

Jocelyn

 

ThatseasyAuthor
Associate III
November 13, 2024

Thank you @Jocelyn RICARD for your reply.

What does "2024-11-10 15:49:30,796 - root - DEBUG - Error: SFI command is not supported for the current device configuration using STLINK interfaces !" exactly mean?  My board is STM32H573I-DK, and CubeProgrammer version is 2.17.  

Jocelyn RICARD
ST Employee
November 13, 2024

Hello @Thatseasy ,

I don't know how to get such an error. Maybe some option bytes are not set up well.

Is your device in open state?

Is your DK board recent?

Here are the option bytes I have after my board's regression.

"c:\Program Files\STMicroelectronics\STM32Cube\STM32CubeProgrammer\bin\STM32_Programmer_CLI.exe" -c port=SWD mode=UR -ob displ
 -------------------------------------------------------------------
 STM32CubeProgrammer v2.17.0
 -------------------------------------------------------------------

ST-LINK SN : 004D00483232511639353236
ST-LINK FW : V3J15M6
Board : STM32H573I-DK
Voltage : 3.28V
Warning: Connection to AP 0 requested and failed, Connection established with AP 1

SWD freq : 8000 KHz
Connect mode: Under Reset
Reset mode : Hardware reset
Device ID : 0x484
Revision ID : --
Device name : STM32H56x/573
Flash size : 2 MBytes
Device type : MCU
Device CPU : Cortex-M33
BL Version : 0xE4
SFSP Version: v2.5.0
Debug in Low Power mode enabled


UPLOADING OPTION BYTES DATA ...

 Bank : 0x00
 Address : 0x40022050
 Size : 112 Bytes

██████████████████████████████████████████████████ 100%

 Bank : 0x01
 Address : 0x40022070
 Size : 16 Bytes

██████████████████████████████████████████████████ 100%

 Bank : 0x02
 Address : 0x40022080
 Size : 16 Bytes

██████████████████████████████████████████████████ 100%

 Bank : 0x03
 Address : 0x400220e0
 Size : 16 Bytes

██████████████████████████████████████████████████ 100%

 Bank : 0x04
 Address : 0x400221e0
 Size : 16 Bytes

██████████████████████████████████████████████████ 100%

 Bank : 0x05
 Address : 0x40022090
 Size : 8 Bytes

██████████████████████████████████████████████████ 100%

 Bank : 0x06
 Address : 0x400220f0
 Size : 8 Bytes

██████████████████████████████████████████████████ 100%

 Bank : 0x07
 Address : 0x400221f0
 Size : 8 Bytes

██████████████████████████████████████████████████ 100%

 Bank : 0x08
 Address : 0x400220f8
 Size : 8 Bytes

██████████████████████████████████████████████████ 100%

 Bank : 0x09
 Address : 0x400221f8
 Size : 8 Bytes

██████████████████████████████████████████████████ 100%


OPTION BYTES BANK: 0

 Product state:

 PRODUCT_STATE: 0xED (Open)

 BOR Level:

 BOR_LEV : 0x0 (BOR Level 1, the threshold level is low (around 2.1 V))
 BORH_EN : 0x0 (0x0)

 User Configuration:

 IO_VDD_HSLV : 0x0 (0x0)
 IO_VDDIO2_HSLV: 0x0 (0x0)
 IWDG_STOP : 0x1 (0x1)
 IWDG_STDBY : 0x1 (0x1)
 BOOT_UBE : 0xC3 (ST-iRoT (system flash) selected)
 SWAP_BANK : 0x0 (0x0)
 IWDG_SW : 0x1 (0x1)
 NRST_STOP : 0x1 (0x1)
 NRST_STDBY : 0x1 (0x1)
OPTION BYTES BANK: 1

 User Configuration 2:

 TZEN : 0xC3 (Trust zone disabled)
 SRAM2_ECC : 0x0 (SRAM2 ECC check enabled )
 SRAM3_ECC : 0x1 (SRAM3 ECC check disabled)
 BKPRAM_ECC : 0x1 (BKPRAM ECC check disabled)
 SRAM2_RST : 0x0 (SRAM2 erase when system reset)
 SRAM1_3_RST : 0x1 (SRAM1 and SRAM3 not erased when a system reset occurs)
OPTION BYTES BANK: 2

 Boot Configuration:

 NSBOOTADD : 0x80000 (0x8000000)
 NSBOOT_LOCK : 0xC3 (The SWAP_BANK and NSBOOTADD can still be modified following their individual rules.)
 SECBOOT_LOCK : 0x0 (Unknown Value)
 SECBOOTADD : 0x0 (0x0)
OPTION BYTES BANK: 3

 Bank1 - Flash watermark area definition:

 SECWM1_STRT : 0x7 (0x800E000)
 SECWM1_END : 0x0 (0x8000000)

 Write sector group protection 1:

 WRPSGn1 : 0xFFFFFFFF (0x8000000)
OPTION BYTES BANK: 4

 Bank2 - Flash watermark area definition:

 SECWM2_STRT : 0x7 (0x810E000)
 SECWM2_END : 0x0 (0x8100000)

 Write sector group protection 2:

 WRPSGn2 : 0xFFFFFFFF (0x8000000)
OPTION BYTES BANK: 5

 OTP write protection:

 LOCKBL : 0x0 (0x0)
OPTION BYTES BANK: 6

 Flash data bank 1 sectors:

 EDATA1_EN : 0x0 (No Flash high-cycle data area)
 EDATA1_STRT : 0x0 (0x0)
OPTION BYTES BANK: 7

 Flash data bank 2 sectors:

 EDATA2_EN : 0x0 (No Flash high-cycle data area)
 EDATA2_STRT : 0x0 (0x0)
OPTION BYTES BANK: 8

 Flash HDP bank 1:

 HDP1_STRT : 0x7F (0xFE000)
 HDP1_END : 0x0 (0x0)
OPTION BYTES BANK: 9

 Flash HDP bank 2:

 HDP2_STRT : 0x7F (0xFE000)
 HDP2_END : 0x0 (0x0)

Could you check if you have something similar?

Best regards

Jocelyn

ThatseasyAuthor
Associate III
November 13, 2024

Thank you @Jocelyn RICARD. I compared the outputs, and it appears all the option bytes are the same; only the boards have some differences (left is mine, and right is yours).

Thatseasy_2-1731517488745.png

 

 

 

Jocelyn RICARD
Best answer
ST Employee
November 13, 2024

Hello @Thatseasy ,

OK so the issue is the board. SFSP 0.1.1 which is the version of the system flash secure part is very old and will not work.

To get Secure Manager to work you have to get a new DK board.

Best regards

Jocelyn
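
The side-by-side comparison that located the problem in this exchange can be scripted. The following is an added example, not code from the thread or from ST: it parses two `STM32_Programmer_CLI ... -ob displ` dumps and reports only the fields that differ. The reference sample is abbreviated from the output quoted above; the failing sample is constructed, and its `v0.1.1` formatting is an assumption.

```python
import re

# "KEY : VALUE" lines; headings such as "Product state:" have no value and are skipped.
LINE = re.compile(r"^\s*([A-Za-z][\w\- ]*?)\s*:\s*(\S.*?)\s*$")
# Fields that legitimately differ between probes or repeat per upload bank.
VOLATILE = {"ST-LINK SN", "ST-LINK FW", "Voltage", "Bank", "Address",
            "Size", "Warning", "OPTION BYTES BANK"}

# Constructed sample: abbreviated from the known-good dump quoted in the thread.
REFERENCE = """\
ST-LINK SN : 004D00483232511639353236
Board : STM32H573I-DK
Device ID : 0x484
BL Version : 0xE4
SFSP Version: v2.5.0
 Product state:
 PRODUCT_STATE: 0xED (Open)
 BOOT_UBE : 0xC3 (ST-iRoT (system flash) selected)
 TZEN : 0xC3 (Trust zone disabled)
"""
# Constructed sample: same dump with the SFSP version reported for the failing board.
FAILING = REFERENCE.replace("v2.5.0", "v0.1.1")

def parse_dump(text):
    """Return {field: value} for every comparable line of a CLI dump."""
    fields = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m and m.group(1) not in VOLATILE:
            fields[m.group(1)] = m.group(2)
    return fields

def diff_dumps(ref, mine):
    """Return {field: (reference value, my value)} for fields that differ."""
    keys = sorted(set(ref) | set(mine))
    return {k: (ref.get(k), mine.get(k)) for k in keys if ref.get(k) != mine.get(k)}

def version_tuple(v):
    """'v2.5.0' -> (2, 5, 0), so versions compare numerically."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

if __name__ == "__main__":
    ref, mine = parse_dump(REFERENCE), parse_dump(FAILING)
    for field, (want, got) in diff_dumps(ref, mine).items():
        print(f"{field}: reference={want} board={got}")
    if version_tuple(mine["SFSP Version"]) < version_tuple(ref["SFSP Version"]):
        print("SFSP is older than the known-good reference board")
```
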

Visitor II
January 30, 2025

Hi Jocelyn,

I have a similar issue on the new H5-DK board with SM installation. I followed the online instructions (Security:How to start with Secure Manager default configuration on STM32H5 - stm32mcu) step by step, but it failed at the SFI secure installation at Step 2: Installation.

ChangeToH5_0-1738270455614.png

The provisioning.log file is also attached; the log file says it failed at launching RSSe.

What can I try to get this DK board working?

Any help is appreciated.

Jocelyn RICARD
ST Employee
January 31, 2025

Hello @ChangeToH5 ,

The issue comes from the version of RSSe that you are using:

C:\github\STM32Cube_FW_H5_V1.4.0\Projects\STM32H573I-DK\ROT_Provisioning\SM\Binary\RSSe\H5\enc_signed_RSSe_SFI_STM32H5_2M_v2.0.1.0.bin

 

Version should be 

STM32Cube_FW_H5_V1.4.0\Projects\STM32H573I-DK\ROT_Provisioning\SM\Binary\enc_signed_RSSe_SFI_H5-2M_v3.0.0.0.bin

Could you please download SEC-M H5 v1.2.1 and check again?

Also, you may update STM32CubeProgrammer from v1.17 to V2.18, but it shouldn't be an issue.

Best regards

Jocelyn

 

Visitor II
January 31, 2025

Thank you @Jocelyn RICARD for the response.

Initially I did have X-Cube-SEC-M-H5_V1.2.1 by following "How to start with Secure Manager (customized configuration) on STM32H5", which recommends X-Cube-SEC-M-H5_V1.2.1. I tried it without changing any configuration, but the installation was unsuccessful. So I realized I should do "How to start with Secure Manager default configuration on STM32H5" first, which recommends X-Cube-SEC-M-H5_V1.2.0; that's why I changed to use enc_signed_RSSe_SFI_STM32H5_2M_v2.0.1.0.bin instead of enc_signed_RSSe_SFI_H5-2M_v3.0.0.0.bin.

Could it possibly have been messed up by changing RSSe versions when it failed at the installation step of "How to start with Secure Manager (customized configuration) on STM32H5"?

FYI: later yesterday, I did a full chip erase with the STM32CubeProgrammer 2.17.0 tool; then, without any settings change, I was able to run "python provisioning.py --sfi-flash -a" successfully. Do you know why? (Just curious what could possibly be the reasons that fixed my issue.)

ChangeToH5_0-1738340472480.png

I was also able to reopen the device by running "python provisioning.py --regression -a".

ChangeToH5_1-1738340573546.png

Thanks again.

 

 

Jocelyn RICARD
ST Employee
January 31, 2025

Hello @ChangeToH5 ,

Yes, the wiki was not updated for the latest version of Secure Manager, unfortunately.

Besides, they recommend using programmer V2.18, which does not include RSSe anymore. RSSe is now provided through a separate package.

I'm not sure what happened on your side. Maybe you have flashed the older Secure Manager.

In any case, with X-Cube-SEC-M-H5_V1.2.1 you should use this enc_signed_RSSe_SFI_H5-2M_v3.0.0.0.bin.

Best regards

Jocelyn

Visitor II
January 31, 2025

@Jocelyn RICARD,

Thanks for clarifying the Secure Manager Package version. I'll find time to give X-Cube-SEC-M-H5_V1.2.1 a try.

Have a great weekend!