ST-HSMv2 programming - personalization data & fw id

Question

Hi,I want to perform the SSP process as detailed at:https://www.st.com/resource/en/application_note/an5510-overview-of-the-secure-secret-provisioning-ssp-on-stm32mp1-series-stmicroelectronics.pdf(I also went over the STM32_prog documents)I am now trying to program my HSMv2 card and I don't understand which file I need to provide in "Personalization data file"(Trusted Package Creator - HSM Tab)There are 2 options:STM32MP1_5000200A_SSP_01000000_00000000.enc.binSTM32MP1_5000300A_SSP_01000000_00000000.enc.binI don't understand which one I need to pickmy MPU is "STM32MP157CAB3" (Rev Z)is it 5000300 because of the "3" after the "CAB" ?The "5000" part I understand, I can see this value in the DFU device infoThe "200" vs "300" I don't understandAccording to the Docs, I need to know the product ID of my MPUAnd they suggest using "STM32_Programmer_CLI –c port=swd –gc "certificate.bin"" to find out this valuebut this command is failing:"an error occurred while uploading data from the virtual partition 0xF1"Another thing I don't quite fully understand is the value of "Firmware identifier" field in the HSM tabIs it any string I want ?The example images show "SSP_MPU"Thanks,Michael

OlivierK · Accepted Answer

Hi MVass.1 (Community Member)

I followed the same step as you and I understand this is confusing. I've asked to make the changes for the next release of the document as it is taken from the UM2238 document, originally designed for STM32 MCUs .

The correct procedure to generate the certificate from the command STM32_Programmer_CLI is not correctly described for MPU, in either document AN5510 or UM2238.

To get the product ID of your MPU part, you need first to generate the tfa-ssp file from an OpenSTLinux development package, following this step:

https://wiki.st.com/stm32mpu/wiki/How_to_configure_TFA_BL2#Secure_secret_provisioning_-28SSP-29

Then, for instance using a STM32MP15-EV1, put the board in DFU mode and run a similar script below:

STM32_Programmer_CLI -c port=usb1 -d tf-a-ssp-stm32mp157f-ev1-trusted.stm32 0x01 -s

STM32_Programmer_CLI -c port=usb1 -gc "MP15_CERT.bin"

SB speed : High Speed (480MBit/s)

Manuf. ID : STMicroelectronics

Product ID : DFU in HS Mode @Device ID /0x500, @Revision ID /0x0000

SN : 002C00453438511836383238

FW version : 0x0110

Board : --

Device ID : 0x0500

Device name : STM32MP1

Device type : MPU

Revision ID : --

Device CPU : Cortex-A7

Certificate File : MP15_CERT.bin

Requesting Chip Certificate...

Get Certificate done successfully

Writing data to file MP15_CERT.bin

Writing chip certificate to file MP15_CERT.bin finished successfully

Time elapsed during the getcertificate operation is: 00:00:00.011

then if you open the MP15_CERT.bin (using xxd for instance)

$ xxd MP15_CERT.bin

00000000: 3530 3030 3230 3041 2ce9 0432 c67e bac5 5000200A,..2.~..

You see which personalisation data file to choose in Trusted Package Creator.

STM32MP1_5000200A_SSP_01000000_00000000.enc.bin
STM32MP1_5000300A_SSP_01000000_00000000.enc.bin

Regarding the Firmware ID field, this is just some personalized data so any string of 15 char max.

Regards,

Olivier

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded