xj_it (Associate)
June 19, 2024
Question

stm32u5 Secure boot with RSS(root-secure-service) as starting point?


Hi,

I am trying to write a bootloader that implements secure boot on STM32U545 or 585. Now I work on the SBSFU Example from ST on the discovery board b-u585i-iot02a as a starting point.

Questions:

  1. Can I use a bootloader based on the SBSFU_Boot from STM32U5 as the unique boot entry point, configured as write-protected, to achieve the aim of secure boot?
  2. If the bootloader should be updatable in the field, which method can be used?
    1. Possibility: boot from RSS with DFU. But I need access to USB on the hardware, right?
    2. Are there other ways than using USB?


Thanks in advance.


Jocelyn RICARD
ST Employee
June 19, 2024

Hello @xj_it ,

The secure boot must be the unique entry point. Otherwise it is no longer a secure boot!

If you provide a way to update the secure boot, it is also no longer a secure boot.

The only solution to have an updatable secure boot is to have 2 stages:

The first stage is a simple, non-updatable secure boot that authenticates a second stage.

The second stage is the updatable secure boot that authenticates the application.

There is no example of a two-stage bootloader on STM32U5.

An example exists on the more recent STM32H5, but it is not easily portable to STM32U5 because it uses different security mechanisms.

Best regards

Jocelyn
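The two-stage chain described in this reply, as an added host-side model in Go (not ST's SBSFU code): it assumes a constructed image format with an Ed25519 signature and a version counter, and a hypothetical convention that the stage 2 payload starts with the public key used to verify the application. The point it shows is that only the root public key lives in the immutable first stage; everything after it can be replaced, but only by images that the key above it has signed.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"fmt"
)

// Image is a constructed model of a signed firmware image (not the SBSFU format).
type Image struct {
	Version uint32 // monotonic counter used for anti-rollback
	Payload []byte
	Sig     []byte // Ed25519 signature over version || payload
}

// signedMessage binds the version to the payload so neither can be swapped alone.
func signedMessage(version uint32, payload []byte) []byte {
	msg := make([]byte, 4, 4+len(payload))
	binary.LittleEndian.PutUint32(msg, version)
	return append(msg, payload...)
}

// SignImage is the build-side step: the holder of the private key signs an image.
func SignImage(priv ed25519.PrivateKey, version uint32, payload []byte) Image {
	return Image{version, payload, ed25519.Sign(priv, signedMessage(version, payload))}
}

// VerifyImage is what each stage does to the next: check the signature with the
// public key the stage embeds, then refuse anything older than minVersion.
func VerifyImage(pub ed25519.PublicKey, img Image, minVersion uint32) error {
	if !ed25519.Verify(pub, signedMessage(img.Version, img.Payload), img.Sig) {
		return fmt.Errorf("signature check failed")
	}
	if img.Version < minVersion {
		return fmt.Errorf("version %d below anti-rollback floor %d", img.Version, minVersion)
	}
	return nil
}

// BootChain models the two stages: the immutable stage 1 verifies stage 2 with the
// root key; stage 2 then verifies the application with the key carried at the start
// of its own (already authenticated) payload. Rotating the application key therefore
// only needs a new stage 2 signed by the root key, which itself never changes.
func BootChain(rootPub ed25519.PublicKey, stage2, app Image, minVersion uint32) error {
	if err := VerifyImage(rootPub, stage2, minVersion); err != nil {
		return fmt.Errorf("stage 1 rejected stage 2: %w", err)
	}
	if len(stage2.Payload) < ed25519.PublicKeySize {
		return fmt.Errorf("stage 2 image carries no application key")
	}
	appPub := ed25519.PublicKey(stage2.Payload[:ed25519.PublicKeySize])
	if err := VerifyImage(appPub, app, minVersion); err != nil {
		return fmt.Errorf("stage 2 rejected application: %w", err)
	}
	return nil
}
```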

 

xj_it (Author)
Associate
June 20, 2024

Hello @Jocelyn RICARD ,

thanks for the quick reply!

 

About the two-stage bootloader:

1) If a device is delivered with secure boot (including HDP, RDP, and write protection), is it still possible to reprogram the flash memory using the ROM bootloader, which resides in the system memory, through an interface other than ST-LINK (SWD)?

 

2) Can RSS be the first stage bootloader (STiRoT)?

    In another post about this topic, you mentioned:

        "RSS is not involved in checking integrity of the firmware once it has been installed.
        This means STM32U5 does not provide a ROMed secure boot (as it is done on STM32H573 for instance)"

    ---> So, what would happen if the RSS is set as the unique boot entry in the option bytes, while the second bootloader and firmware images already exist? Will the system still boot from RSS and then proceed to the custom bootloader?

 

3) Another question regarding flash size. If I use SBSFU as bootloader with two slots (primary and secondary slot) on a processor with 512 KB, will there be issues regarding insufficient space? Section 8.3 "Memory Layout" of the document found here
https://www.st.com/resource/en/user_manual/um2851-getting-started-with-stm32cubeu5-tfm-application-stmicroelectronics.pdf

says that 512-Kbyte flash memory devices do not support this configuration with TF-M.
However, would this configuration be feasible with SBSFU?

 

Thanks in advance!

BR, X

Jocelyn RICARD
ST Employee
June 20, 2024

Hello @xj_it ,

About the two-stage bootloader:

1) If a device is delivered with secure boot (including HDP, RDP, and write protection), is it still possible to reprogram the flash memory using the ROM bootloader, which resides in the system memory, through an interface other than ST-LINK (SWD)?

No, this is not possible on STM32U5. The system bootloader cannot be used when the device is closed using either RDP1 or RDP2.

 


2) Can RSS be the first stage bootloader (STiRoT)?

    In another post about this topic, you mentioned:

        "RSS is not involved in checking integrity of the firmware once it has been installed.
        This means STM32U5 does not provide a ROMed secure boot (as it is done on STM32H573 for instance)"

    ---> So, what would happen if the RSS is set as the unique boot entry in the option bytes, while the second bootloader and firmware images already exist? Will the system still boot from RSS and then proceed to the custom bootloader?

RSS on STM32U5 is not a secure boot. Unique boot entry can only address user flash.

 

3) Another question regarding flash size. If I use SBSFU as bootloader with two slots (primary and secondary slot) on a processor with 512 KB, will there be issues regarding insufficient space? Section 8.3 "Memory Layout" of the document found here
https://www.st.com/resource/en/user_manual/um2851-getting-started-with-stm32cubeu5-tfm-application-stmicroelectronics.pdf

says that 512-Kbyte flash memory devices do not support this configuration with TF-M.
However, would this configuration be feasible with SBSFU?

Yes, you have enough space. SBSFU takes less than 100 KB all included.

If you use an STM32U535 for instance, the flash layout of the SBSFU is automatically adapted.

 

Best regards

Jocelyn