i2399
Associate III
September 27, 2024
Solved

Secure Update via USB Stick (STM32H750) SBSFU / QSPI


Hello to all,

I was wondering if there was a way to implement a secure update via USB stick using X-CUBE-SBSFU software.
Moreover, the application software would be installed on external flash, with a custom immutable bootloader in internal flash.

Maybe installing the new application with my custom bootloader and then letting secure boot do all the security verifications after triggering a system reset?

Sorry if it sounds like a silly question, but I am quite new to this complex topic.

Thanks!

2 replies

Pavel A.
Super User
September 27, 2024

Define secure. What does this mean for you?


i2399 (Author)
Associate III
September 27, 2024

Hello Pavel,

in my case it means that the new image should be encrypted and decryptable with a secret key, and that I can verify that the image is not corrupted, for example with a SHA256.

Thanks for your time.

Jocelyn RICARD (Best answer)
ST Employee
September 27, 2024

Hello @i2399 ,

the STM32H750 is a bit specific because it contains only one 128KB flash sector.

The code is executed in place in external flash, so code confidentiality is not possible.

Also, when executing your application it is not possible to write in the same external flash. This means that the application cannot itself download a new firmware and write it to the flash.

The example is provided with a loader located after the SBSFU in the same 128KB sector.

You can update this loader to have a USB host mass storage implementation that is able to read a file on the USB stick and write it to the download slot in external flash.

Then once the update file is completely transferred, you can reset the chip and SBSFU will securely install the new image in the execution slot.

The SBSFU will check the integrity and authenticity of the firmware. This means computing the hash of the firmware and also checking a signature with a public key.

Best regards

Jocelyn
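
The staging step described in the answer above, as an added example that is not part of the original thread and not ST's code: a loader routine that copies an update file chunk by chunk into a download slot, refuses images that would overflow the slot, and wipes the slot on any incomplete transfer so that a reset is only triggered for a complete copy. All names and sizes (`stage_update`, `mem_file`, `SLOT_SIZE`, `CHUNK_SIZE`) are assumptions; external flash and the USB file are simulated in RAM.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* All names and sizes are hypothetical, not taken from X-CUBE-SBSFU. */
#define SLOT_SIZE  4096u  /* download slot size (constructed value) */
#define CHUNK_SIZE 512u   /* bytes per read from the file on the stick */

static uint8_t download_slot[SLOT_SIZE]; /* RAM stand-in for external flash */
typedef enum { STAGE_OK, STAGE_EMPTY, STAGE_TOO_BIG, STAGE_READ_ERR } stage_status;

/* File source: returns bytes read, 0 at end of file, negative on error. */
typedef int (*read_fn)(void *ctx, uint8_t *buf, size_t max);

/* Constructed in-memory "file"; fail_at != 0 simulates a pulled stick. */
typedef struct { const uint8_t *data; size_t len, pos, fail_at; } mem_file;

static int mem_read(void *ctx, uint8_t *buf, size_t max) {
    mem_file *f = ctx;
    if (f->fail_at && f->pos >= f->fail_at) return -1;
    size_t n = f->len - f->pos;
    if (n > max) n = max;
    memcpy(buf, f->data + f->pos, n);
    f->pos += n;
    return (int)n;
}

static stage_status abort_stage(stage_status why) {
    memset(download_slot, 0xFF, SLOT_SIZE); /* leave no partial image behind */
    return why;
}

/* Copy the update file into the download slot. The loader does not judge
 * the image; it only guarantees a complete, bounded copy. Reset only on
 * STAGE_OK, so that verification happens in the secure boot stage. */
stage_status stage_update(read_fn rd, void *ctx, size_t *staged) {
    uint8_t chunk[CHUNK_SIZE];
    size_t off = 0;
    int n;
    memset(download_slot, 0xFF, SLOT_SIZE);             /* erase first */
    while ((n = rd(ctx, chunk, sizeof chunk)) > 0) {
        if ((size_t)n > SLOT_SIZE - off)                /* would overflow slot */
            return abort_stage(STAGE_TOO_BIG);
        memcpy(download_slot + off, chunk, (size_t)n);  /* program */
        off += (size_t)n;
    }
    if (n < 0) return abort_stage(STAGE_READ_ERR);
    if (off == 0) return abort_stage(STAGE_EMPTY);
    *staged = off;
    return STAGE_OK;
}
```

On real hardware the `memset` and `memcpy` calls would be replaced by the external flash driver's erase and program operations, and `read_fn` by the USB host file read.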


i2399 (Author)
Associate III
September 27, 2024

Jocelyn,

I think this is what I was looking for.

Thank you and have a great weekend!

Ivan