Associate III
May 27, 2024
Solved

OPTSR_PRG flash register not updating after enabling secure user memory


Hello everyone,

I am trying to enable the secure user memory on the STM32H743 using the X-CUBE-SBSFU project and have the following problem:
After activating the security bit, the value of the OPTSR_PRG flash register does not change, so the security bit is not set and therefore I cannot configure the secure user memory.

I use the function SFU_LL_SECU_SetProtectionSecUser from the sfu_low_level_security.c file for the configuration, and before calling the function I also called HAL_FLASH_Unlock() and HAL_FLASH_OB_Unlock().

Does anyone know what could be the problem?

 

 

/**
  * @brief  Apply Secure User Memory protection.
  * @param  psFlashOptionBytes: pointer to the Option Bytes structure.
  * @param  pbIsProtectionToBeApplied: Output parameter to be set as "TRUE" if
  *         this OptByte has to be modified and immediately reloaded.
  * @retval SFU_ErrorStatus SFU_SUCCESS if successful, SFU_ERROR otherwise.
  */
SFU_ErrorStatus SFU_LL_SECU_SetProtectionSecUser(FLASH_OBProgramInitTypeDef *psFlashOptionBytes,
                                                 SFU_BoolTypeDef *pbIsProtectionToBeApplied)
{
  SFU_ErrorStatus e_ret_status = SFU_ERROR;
  SFU_LL_RSS_SecureArea_t aSecureAreas[SFU_LL_RSS_NB_SECURE_AREAS];

  /* Check if Secure User Memory is already configured */
  if (SFU_LL_SECU_CheckProtectionSecUser(psFlashOptionBytes) == SFU_SUCCESS)
  {
    e_ret_status = SFU_SUCCESS;
  }
  else
  {
    /* Apply the proper configuration if we are in development mode */
#if defined(SECBOOT_OB_DEV_MODE)
    /* Set the security bit if needed */
    /* ------------------------------ */
    if ((psFlashOptionBytes->USERConfig & FLASH_OPTSR_SECURITY) == RESET)
    {
      psFlashOptionBytes->Banks = FLASH_BANK_1;
      psFlashOptionBytes->OptionType = OPTIONBYTE_USER;
      psFlashOptionBytes->USERType = OB_USER_SECURITY;
      psFlashOptionBytes->USERConfig = OB_SECURITY_ENABLE;

      if (HAL_FLASHEx_OBProgram(psFlashOptionBytes) == HAL_OK)
      {
        TRACE("\r\n\t Security bit set.");
        /*
         * We need to reload the OBs before configuring the secure user memory area,
         * otherwise the configuration is skipped because Secure Mode is not entered at reset (not booting in RSS).
         *
         * Note: updating pbIsProtectionToBeApplied and e_ret_status would be useless here.
         */
        HAL_FLASH_OB_Launch();
      }
      else
      {
#if defined(SFU_VERBOSE_DEBUG_MODE)
        TRACE("\r\n\t Cannot set the security bit - ERROR");
#endif /* SFU_VERBOSE_DEBUG_MODE */
        return (SFU_ERROR);
      }
    }
    /* else only the secure user memory area needs to be set */

    /* Set the secure user memory area */
    /* ------------------------------- */
    aSecureAreas[0].sizeInBytes = SFU_SEC_USER_MEM_SIZE;
    aSecureAreas[0].startAddress = SFU_SEC_USER_MEM_START_FROM_OB;
    aSecureAreas[0].removeDuringBankErase = 1U;
    /* Only 1 secure area is used */
    aSecureAreas[1].sizeInBytes = 0U;
    aSecureAreas[1].startAddress = 0U;
    aSecureAreas[1].removeDuringBankErase = 1U;

    TRACE("\r\n= [SBOOT] SecArea.size: %d SecArea.addr:%x - RESET", aSecureAreas[0].sizeInBytes,
          aSecureAreas[0].startAddress);

    /* no need to set pbIsProtectionToBeApplied and e_ret_status because the next function triggers a RESET */
    SFU_LL_RSS->resetAndInitializeSecureAreas(1, aSecureAreas);

#else
    TRACE("\r\n= [SBOOT] System Security Configuration failed: Secure User Memory is incorrect. STOP!");
    SFU_EXCPT_Security_Error();
#endif /* SECBOOT_OB_DEV_MODE */
  }

  return e_ret_status;
}

 


@Jocelyn RICARD, @Fred 


2 replies

aco990 (Author)
Associate III
May 27, 2024

And after calling HAL_FLASH_OB_Launch(), the SECURITY bit in OPTSR_PRG is not set.


 

Jocelyn RICARD (Best answer)
ST Employee
May 28, 2024

Hello @aco990 ,

The STM32H743 does not support the secure memory, only the STM32H753 does.

The example provided in SBSFU is for the NUCLEO-H753ZI.

The difference between the 2 chips is only related to security: secure memory and crypto accelerator.

Best regards

Jocelyn

 

aco990 (Author)
Associate III
May 28, 2024

Yes, thank you @Jocelyn RICARD for replying! I also saw it yesterday in the datasheet that it doesn't support it.
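
A read-back check for the symptom in this thread, as an added example that is not part of the original posts or of X-CUBE-SBSFU: it requests the SECURITY bit, reads OPTSR_PRG back, and reports a dropped write instead of continuing to the option-byte launch. The names `request_security_bit`, `optsr_io_t` and `run_model` and the host register model are hypothetical, and bit position 21 is an assumption to be replaced by the device header's FLASH_OPTSR_SECURITY mask.

```c
#include <stdint.h>

/* Assumption: SECURITY is bit 21 of FLASH_OPTSR_PRG; on target, use the
   FLASH_OPTSR_SECURITY mask from the device header instead. */
#define OPTSR_SECURITY_BIT ((uint32_t)1u << 21)

typedef enum { SEC_ALREADY_SET, SEC_LATCHED, SEC_NOT_LATCHED } sec_status_t;

/* Register access is injected so the check also runs on a host. On target the
   hooks would read and write FLASH->OPTSR_PRG after the option-byte unlock. */
typedef struct {
    uint32_t (*read_prg)(void *ctx);
    void (*write_prg)(void *ctx, uint32_t value);
    void *ctx;
} optsr_io_t;

/* Request the SECURITY bit and read OPTSR_PRG back before any option-byte
   launch. SEC_NOT_LATCHED means the write was dropped: stop, do not reset. */
sec_status_t request_security_bit(const optsr_io_t *io)
{
    uint32_t before = io->read_prg(io->ctx);
    if (before & OPTSR_SECURITY_BIT) {
        return SEC_ALREADY_SET;
    }
    io->write_prg(io->ctx, before | OPTSR_SECURITY_BIT);
    uint32_t after = io->read_prg(io->ctx);
    return (after & OPTSR_SECURITY_BIT) ? SEC_LATCHED : SEC_NOT_LATCHED;
}

/* Constructed host model: a register that stores only its implemented bits. */
typedef struct { uint32_t prg; uint32_t implemented; } fake_optsr_t;

static uint32_t fake_read(void *ctx) { return ((fake_optsr_t *)ctx)->prg; }
static void fake_write(void *ctx, uint32_t v)
{
    fake_optsr_t *f = ctx;
    f->prg = v & f->implemented;
}

/* Run the check on a model with or without the SECURITY bit implemented. */
sec_status_t run_model(uint32_t initial, int security_implemented)
{
    fake_optsr_t reg = { initial, security_implemented ? 0xFFFFFFFFu : ~OPTSR_SECURITY_BIT };
    optsr_io_t io = { fake_read, fake_write, &reg };
    return request_security_bit(&io);
}

int main(void) { return run_model(0u, 0) == SEC_NOT_LATCHED ? 0 : 1; }
```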