Skip to main content
J
jijomathew
Associate III
September 19, 2024
Question

SBSFU integration with STM32 L496ZG

  • September 19, 2024
  • 1 reply
  • 3726 views

I am integrating SBSFU with the STM32L496ZG microcontroller and have created a new project. I attempted to generate the SFB file using a customized post-build script from the L476 Simple App example. Although I modified the script paths for my project, the SFB file is not being generated.

The command prompt shows:
Encrypt debug\SBSFU. bin into .\\Binary\\\SBSFU. SFU using AES key from Secure  Engine binary

An error message is generated:
Exception: AES CBC encryption requires the Firmware Image size to be a multiple of the AES block size (16 bytes)

Could you please provide guidance on how to resolve this issue?

1 reply

S
STea
ST Employee
September 19, 2024

Hello @jijomathew ,

 

The postbuild script will normally take into account the image preparation padding ... 

so, make sure you follow the flow of execution preparation and requirements described in Getting started with the X-CUBE-SBSFU STM32Cube Expansion Package - User manual

you can also find a detail how to in the STM32 security ecosystem - STMicroelectronics
All the martials and associated slides can be found in MOOC - Security Part6 - STM32 security ecosystem, from theory to practice - Google Drive
you will find presentation detailing the solution and how the images will be generated with a specific crypto scheme.

Regards

J
jijomathewAuthor
Associate III
September 19, 2024

Followed the steps and successfully implemented for Nucleo L476RG Dev board, But still confused about replicating the same for L496ZG microcontroller, one main doubt i has  by customizing the postbuild script and running are we able to generate sfb file for my custom application.

S
STea
ST Employee
September 19, 2024

Hello @jijomathew ,

this is possible to do with the postbuild script which uses the batch or Python variant of pepareimage.py
the details on mods and custom usage of this script can be found in (Middlewares\ST\STM32_Secure_Engine\Utilities\KeysAndImages\readme.txt).
see the following section and follow the steps to make your binary 16 bit aligned 

Example for partial update :
----------------------------

[0] Generate partial image
python prepareimage.py diff -1 UserApp_v1.bin -2 UserApp_v2.bin UserApp_partial.bin -a 16 --poffset UserApp_partial.offset
(-a 16: align partial binary on 16 bytes. Partial binary size will also be aligned on 16 bytes)

[1] Generate the keys - OPTION
python prepareimage.py keygen -k AES_CBC.bin -t aes-cbc
=> for aes_cbc , "AES_CBC" must be in file name else key is not created, this
is used to discriminate AES_GCM key versus AES_CBC key
python prepareimage.py keygen -k ECCKEY.txt -t ecdsa-p256

This step is not mandatory but if you do so, please make sure:
* to copy the content of ECCKEY.txt in SECoreBin\Binary
* to use AES_CBC.bin instead of OEM_KEY_COMPANY1_key.bin
Then the prebuild operations (SE_CoreBin) must be performed.

[2] Encrypt the complete image
python prepareimage.py enc -k AES_CBC.bin -i iv.bin UserApp_v2.bin UserApp_v2.sfu

[3] Encrypt the partial image
python prepareimage.py enc -k AES_CBC.bin -i iv.bin UserApp_partial.bin UserApp_partial.sfu

[4] Generate the clear complete FW tag (SHA256 of the clear FW)
python prepareimage.py sha256 UserApp_v2.bin UserApp_v2.sign

[5] Generate the clear partial FW tag (SHA256 of the clear FW)
python prepareimage.py sha256 UserApp_partial.bin UserApp_partial.sign

[6] Generate the .sfb FW metadata (header) and encrypted partial binary
python prepareimage.py pack -k ECCKEY.txt -r 28 -p 1 -v 2 -i iv.bin -f UserApp_v2.sfu -t UserApp_v2.sign --pfw UserApp_partial.sfu --ptag UserApp_partial.sign --poffset UserApp_partial.offset UserApp_partial.sfb
(Please note the use of -r 28 to have a FW header length of 192 bytes. This is needed to match the FLASH constraint.)

 Regards

Terms & ConditionsAccessibility statement