STiROT Provisioning with STM32TrustedPackageCreator for Zephyr RTOS on NUCLEO-H533RE – Encrypted Image Not Executing

Question

Hello STM32 Community,I’ve successfully built a Zephyr RTOS blinky application for the NUCLEO-H533RE board. Flashing the zephyr.hex using west flash or STM32CubeProgrammer works perfectly — the LED blinks and the serial terminal prints the expected status messages.To enhance security, I’m now trying to encrypt and sign the firmware using STM32TrustedPackageCreator and provision the board using STiROT. I followed the STM32CubeH5 GitHub examples and used the STiROT_Code_Init_Image.xml file, modifying it to point to my zephyr.bin. Provisioning was successful, and the board state was set to PROVISIONED.However, after flashing the generated zephyr_enc_sign.hex, the board does not blink, and the serial terminal remains silent — indicating the firmware is not executing.Here’s what I’ve done:Used STiROT/Image/STiROT_Code_Init_Image.xml and modified paths to point to zephyr.bin.Generated the encrypted and signed image using STM32TrustedPackageCreator.Successfully provisioned the board and set its final state to PROVISIONED.During the process, I noticed this message: Programming the option bytes and flashing the images... 
Successful optional bytes programming and image flashing. And finally the following message:=====
===== The board is correctly configured.
===== Power off/on the board to start the application.
=====Questions:What is the difference between STiROT_Code_Image.xml and STiROT_Code_Init_Image.xml in the context of STM32TrustedPackageCreator?Is there a specific configuration or memory mapping required for Zephyr-based applications to work with STiROT?Are there known limitations or adjustments needed when using Zephyr RTOS with STiROT provisioning?How can I verify whether the firmware is being validated and executed by STiROT?How can I validate that the board is validated with STiROT? I am not able to connect to the board using STM32CubeProgrammer unless I perform a regression. Does that mean the board was provisioned?

Jocelyn RICARD · Answer

Hello @elby0 ,When using STiROT in such case you need to set it up to have secure and non secure application.Zephyr application is a non secure application. So, you can use the TrustZone example, keep the secure application as it is and replace the non secure by your zephyr binary.Now, this will not be 100% transparent as you need to assign all resources to non secure: GPIO, interrupts, RAMs ...Also your zephyr application has to be moved to its asisgned slot that does not start at beginning fo flash. The *init* generates a signed image that is already "installed". This means you just need to flash it at the right location, the STiROT will considered it already installed.Regarding memory mapping, this is the purpose of the secure application to set it up. You will alway need a part of the memory that stays secure, even if very small.I never used Zephyr so cannot tell if there are any limitation. Only "limitations" I can see are related to the secure/non secure partitioning that make things more complex to setup.You can verify STiROT status by launching a discovery procedure of Debug Authentication. This is described in STiROT application note.You can reopen the debug using debug authentication. Just open HDPL2 secure and you should have access to all the flash content.Best regardsJocelyn

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded