Associate III
July 7, 2025
Solved

How to select format type and KeySize in STM32 Trusted Package Creator?

I am following the "How to deploy SSP using a step-by-step approach". I am working on "3.1.2.2. Secret file content for STM32MP2 series". The target MPU is STM32MP257F. I have some questions as below:

1. How do I know whether to choose "Format 1" or "Format 2"?

2. I selected the binary file as FIP-EDMK, which is 256-bit but the KeySize shows 128-bit and it won't let me select 256-bit again. Is this acceptable?

 

ThinhNguyen_2-1751878929230.png

 

 

3 replies

Zakaria1
Technical Moderator
July 8, 2025

Hello @ThinhNguyen,

According to the STM32 Trusted Package Creator user manual, it states:
"Select the endianness format of the binary, Format 1, or Format 2. (Format 1 is fixed for word item)." Since you’re working with a binary, you should select Format 2.
For the second question, you need to change the Enc/Wrap option to either Encryption or Wrapping to access the KeySize option and set it to 256-bit.

Please refer to the user manual UM2238 for more details.

Best Regards,
Zakaria

In order to give better visibility on the answered topics, please click on 'Accept as Solution' on the reply which solved your issue or answered your question.
Associate III
July 8, 2025

Hi @Zakaria1 ,

I read UM2238 but didn't see much mention of when to use Format 1 and when to use Format 2. As you said, when using binary files, you should choose Format 2, so why are OEM_KEY1_ROOT and RMA_LOCK_PSWD also binary files, yet they require choosing Format 1?

ThinhNguyen_0-1751965157215.png

 

Zakaria1
Technical Moderator
July 8, 2025

Hi @ThinhNguyen,
Sorry, I misunderstood. In fact, for all word items, the format is fixed as Format 1. For binary items, there is a choice, but for specific keys, I believe the tool enforces the format to avoid selecting an incorrect one. The format refers to the endianness used for writing keys to the OTPs. Here’s an example from UM2238:

Endianness given in the specification for format: Keys are represented as a string of bytes
to be stored in consecutive OTP words. For example, a 64-bit key
(0xAABBCCDDEEFF5566) is stored in two consecutive OTP words, KEY0 and KEY1. A
key is stored in OTP words using one of the following formats:
• Format 1: KEY0 = 0xAABBCCDD, KEY1 = 0xEEFF5566
• Format 2: KEY0 = 0xDDCCBBAA, KEY1 = 0x6655FFEE

Zakaria1
Technical Moderator
July 8, 2025

Please refer to this wiki page for the STM32MP23-25 OTP mapping to determine which format to use.
STM32MP23-25 OTP mapping - stm32mpu
Here’s a screenshot from the wiki showing that OEM_KEY1_ROT and OEM_KEY2_ROT must be in Format 1:

Zakaria1_0-1751966631741.png

Associate III
July 8, 2025

Hi @Zakaria1,

I looked through it, but unfortunately it doesn't mention anything about the FIP-EDMK format. You can see the image I pasted below.

ThinhNguyen_0-1751966884832.png

Clicking the link leads me to the instructions to enable secure boot. There is no information about the FIP-EDMK format type there either.

 

Zakaria1
Best answer
Technical Moderator
July 8, 2025

Indeed, the FIP-EDMK format is not specified in the wiki. I’ll look into updating the wiki page to include the correct format.
You can find the information in U-Boot in the file:

`arch/arm/mach-stm32mp/cmd_stm32key.c`

It contains:
```c
{
	.name = "FIP-EDMK",
	.desc = "Encryption/Decryption Master Key for FIP",
	.start = 260,
	.size = 8,
},
```
The format isn’t specified, so it defaults to Format 1.
```c
static int fuse_key_value(struct udevice *dev, const struct stm32key *key, unsigned long addr, bool print)
{
	u32 word, val;
	int i, ret;
	u32 (*format)(u32) = format1;

	/* Use key_format function pointer if defined */
	if (key->key_format)
		format = key->key_format;
```

Format1 is the default value.

If the format is specified in the structure (always with Format 2), then Format 2 is used.

So, the format to use is indeed Format 1. I hope this answers all your questions. I’ll request information regarding the meaning of the Enc/Wrap option and respond in the other post.
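
The two OTP word layouts quoted from UM2238 earlier in the thread, together with the default-to-Format-1 rule described in this answer, as an added example that is not part of the original posts, of U-Boot, or of STM32 Trusted Package Creator. All function names and the integer `format` argument (0 meaning "not specified") are assumptions made for illustration; `readback_format` shows how to tell which layout a set of read-back OTP words actually matches.

```c
/* Added example: hypothetical helper names, not U-Boot or ST tool code. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Format 1: key bytes in order, first byte most significant. */
uint32_t otp_format1(const uint8_t *b)
{
    return ((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16) | ((uint32_t)b[2] << 8) | b[3];
}

/* Format 2: the same four key bytes, byte-swapped within the word. */
uint32_t otp_format2(const uint8_t *b)
{
    return ((uint32_t)b[3] << 24) | ((uint32_t)b[2] << 16) | ((uint32_t)b[1] << 8) | b[0];
}

/* Pack key into OTP words; format 0 (unspecified) = Format 1; -1 on bad input. */
int key_to_otp(const uint8_t *key, size_t len, unsigned words, int format, uint32_t *out)
{
    if (!key || !out || !words || len != (size_t)words * 4 || format < 0 || format > 2)
        return -1;
    for (unsigned i = 0; i < words; i++)
        out[i] = format == 2 ? otp_format2(key + 4 * i) : otp_format1(key + 4 * i);
    return 0;
}

/* Classify read-back words: 1 or 2 = only that format matches, 3 = both
 * match (every word is a byte palindrome), 0 = neither matches. */
int readback_format(const uint8_t *key, size_t len, const uint32_t *otp, unsigned words)
{
    int m1 = 1, m2 = 1;
    if (!key || !otp || !words || len != (size_t)words * 4)
        return 0;
    for (unsigned i = 0; i < words; i++) {
        m1 &= otp[i] == otp_format1(key + 4 * i);
        m2 &= otp[i] == otp_format2(key + 4 * i);
    }
    return m1 + 2 * m2;
}

int main(void)
{
    const uint8_t key[8] = {0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF, 0x55, 0x66}; /* UM2238 example */
    uint32_t w[2];
    for (int f = 1; f <= 2 && key_to_otp(key, sizeof key, 2, f, w) == 0; f++)
        printf("Format %d: KEY0=0x%08X KEY1=0x%08X\n", f, (unsigned)w[0], (unsigned)w[1]);
    return 0;
}
```

A result of 0 from `readback_format` means the words match neither layout, which points to a different key file or a length mismatch rather than an endianness choice.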


Zakaria1
Technical Moderator
July 9, 2025

Hi @ThinhNguyen,

Here’s the link to access the same code I sent in the previous response:
u-boot/arch/arm/mach-stm32mp/cmd_stm32key.c at v2023.10-stm32mp · STMicroelectronics/u-boot · GitHub

Best Regards,
Zakaria

Associate III
July 9, 2025

Hi @Zakaria1,

Thank you. It seems that the patch file for U-Boot in meta-st-stm32mp is outdated, but that is beyond the scope of this question.