My goal is to create a SSP payload and write it to the OTP of the STM32MP257F chip. The OS running on my KIT is based on OpenSTLinux.To get the SSP Payload, a Secret file is required. I just need secure boot.I refer to the following sources:How to perform Secure Boot from Distribution Package How to deploy SSP using a step-by-step approachWhat is the meaning of Enc/Wrap when create a secret package?How to select format type and KeySize in STM32 Trusted Package Creator?The contents of my Secret file will include the components as shown below. (Json file attached)Is a secret file with such components enough for secure boot? And please advise if there are any invalid options in the Secret list

Hello @ThinhNguyen,On MP2x A35TD these four elements are sufficient.Keep in mind that the first two elements (OEM_KEY1_ROT and RMA_LOCK_PSWD) are mandatory. The two others are optional, depending on what you want to achieve :OEM_FIP_EDMK is used to decrypt the FIP binaries (OP-TEE, U-Boot). If you do not encrypt your FIP, it is not required.OEM_KEY1_EDMK is used to decrypt the FSBL (TF-A). If you do not encrypt the FSBL, it is not required. Best regards,Thomas

T

ThinhNguyen

Associate III

Solved

Review a secret file content for STM32MP2 series to enable secure boot

Forum|Forum|10 months ago
July 10, 2025
1 reply
521 views

My goal is to create a SSP payload and write it to the OTP of the STM32MP257F chip. The OS running on my KIT is based on OpenSTLinux.

To get the SSP Payload, a Secret file is required. I just need secure boot.

I refer to the following sources:

The contents of my Secret file will include the components as shown below. (Json file attached)

Is a secret file with such components enough for secure boot? And please advise if there are any invalid options in the Secret list

Secrets-out-json.txt

Best answer by ThomasB

Hello @ThinhNguyen,

On MP2x A35TD these four elements are sufficient.

Keep in mind that the first two elements (OEM_KEY1_ROT and RMA_LOCK_PSWD) are mandatory. The two others are optional, depending on what you want to achieve :

OEM_FIP_EDMK is used to decrypt the FIP binaries (OP-TEE, U-Boot). If you do not encrypt your FIP, it is not required.
OEM_KEY1_EDMK is used to decrypt the FSBL (TF-A). If you do not encrypt the FSBL, it is not required.

Best regards,

Thomas

T

ThomasBBest answer

Technical Moderator

Hello @ThinhNguyen,

On MP2x A35TD these four elements are sufficient.

Keep in mind that the first two elements (OEM_KEY1_ROT and RMA_LOCK_PSWD) are mandatory. The two others are optional, depending on what you want to achieve :

OEM_FIP_EDMK is used to decrypt the FIP binaries (OP-TEE, U-Boot). If you do not encrypt your FIP, it is not required.
OEM_KEY1_EDMK is used to decrypt the FSBL (TF-A). If you do not encrypt the FSBL, it is not required.

Best regards,

Thomas

In order to give better visibility on the answered topics, please click on 'Accept as Solution' on the reply which solved your issue or answered your question.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded