secure secret provisioning (SSP) without HSM question

Question

Hi,During the actual production of our stm32mp157c products we do intend to use the HSM flow.But for now I am simply trying to test the SSP flow with some debug (development) keys and without access to an HSM.I went over:https://www.st.com/resource/en/application_note/an5510-overview-of-the-secure-secret-provisioning-ssp-on-stm32mp1-series-stmicroelectronics.pdfandhttps://www.st.com/resource/en/user_manual/dm00403513-stm32-trusted-package-creator-tool-software-description-stmicroelectronics.pdfbut unfortunately there is not much information regarding the STM32_Programmer_CLI.exe "-ssp" command with "hsm" flag equal to "0" (HSM not used)only:"<license_path|slot=slotID>: path to the license file (if hsm=0)reader slot ID if HSM is used (if hsm=1)"I don't quite understand exactly what "license file" I need to provide the command.And also, if HSM is not used, how will the ST MPU decrypt the data file (OTP keys) ? I am assuming it is somehow related to this license file ? because in the HSM flow, the HSM knows the AES decryption key and passes it to the ST MPU.I do see a "License" tab in the latest version "STM32 Trusted Package Creator" but there is no documentation for this option in the tool's documentation I linked above.If this Tab is the remaining peace that I am missing, then I do need some help understanding the input it requires.I guess that "FW key file" & "Nonce file" are the AES-128-GCM values used in the "SSP" tab ?what is "Image version" ? what is "Public key file" ? is this the ECDSA OEM key used for the secure boot flow ?Thanks,Michael

OlivierK · Accepted Answer

Hi MVass.1 (Community Member)The information you are looking for is in the STM32CubeProgramer UserManual (UM2237)https://www.st.com/resource/en/user_manual/dm00403500-stm32cubeprogrammer-software-description-stmicroelectronics.pdfto extract the license file from the HSM card, you can use -hsmgetlicense "path/licenseMP.bin"-hsmgetlicense Description: Gets a license for the current chip if counter is not null Syntax: -hsmgetlicense [slot=] [protocol=] : File path into which the recieved license will be stored [slot=] :Slot ID of the smart card reader Default value: slot=1 (the PC integrated SC reader) []: Protocol type to be used: static/live Only static protocol is supported so far Default value: static Then to use the extracted license file in the ssp command with hsm=0--ssp sspfile.ssp tf-ssp.stm32 hsm=0 "path/licenseMP.bin"To understand the SSP process within STM32CubeProgrammer, you need the AN5054, chapt12 is dedicated to the STM32MP1:Secure programming using STM32CubeProgrammer - Application noteRegards,OlivierIn order to give better visibility on the answered topics, please click on 'Select as Best' on the reply which solved your issue or answered your question. See also 'Best Answers'

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded