Associate II
June 19, 2024
Solved

Enabling RDP when TrustZone is active


Hi,

I am conducting tests with the HSM and SFI. I have tried the use case of attempting to install an SFI with an HSM that uses other keys. Obviously, I couldn't do it, but now I cannot connect the microcontroller in "normal" mode. If I connect it in "Hot plug" mode and try to change the RDP, it shows the following message:
Enabling RDP when TrustZone is active!
If no valid secure code booting and calling non-secure code, it may prevent disabling TrustZone And RDP.

And if I click OK, it shows the following message:
Your device may be lost FOREVER

What should I do to fix this error so that I can reconnect the microcontroller to the STM32CubeProgrammer?

Best regards,

1 reply

Aziz BRIGUI
Best answer
Technical Moderator
June 20, 2024

Hello @mikel-m,

Welcome to ST Community :) !

The message you're seeing is a warning, not an error. It is displayed because in many configurations you can lose your device if you set RDP when TrustZone is active.

What I advise is to check section 9 in AN5347.

Basically, to make sure not to lose your chip, the following conditions should be met: 

- nSWBOOT0 option byte is checked (BOOT0 taken from PH3/BOOT0 pin)
- NSBOOTADD1 option byte is configured to 0x17F200 value at 0x0BF9 0000 address (RSS address).
- BOOT_LOCK option byte is unchecked (boot based on the pad/option bit configuration).

 

Hope this helps,

Aziz

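The three conditions in the answer above can be checked mechanically before any RDP change. The following is an added example, not part of the original thread or of ST's tooling. It assumes the option bytes are available as text lines of the form `NAME : 0xVALUE`, that "checked" means 1 and "unchecked" means 0, and that an NSBOOTADD1 value holds address bits [31:7], which is consistent with the two numbers quoted in the answer (0x17F200 and 0x0BF9 0000).

```python
import re

# Conditions listed in the answer above. Mapping "checked" to 1 and
# "unchecked" to 0 is an assumption of this example.
REQUIRED = {"nSWBOOT0": 1, "NSBOOTADD1": 0x17F200, "BOOT_LOCK": 0}
RSS_ADDRESS = 0x0BF90000  # "RSS address" quoted in the answer


def boot_address(field_value):
    """Address selected by an NSBOOTADDx value (assumed: field holds address bits [31:7])."""
    return field_value << 7


def parse_option_bytes(dump):
    """Parse 'NAME : 0xVALUE' lines (assumed dump format) into a dict."""
    found = {}
    for m in re.finditer(r"^\s*(\w+)\s*:\s*(0x[0-9A-Fa-f]+)", dump, re.MULTILINE):
        found[m.group(1)] = int(m.group(2), 16)
    return found


def rdp_preflight(dump):
    """Return a list of problems; an empty list means all three conditions hold."""
    ob = parse_option_bytes(dump)
    problems = []
    for name, want in REQUIRED.items():
        if name not in ob:
            problems.append(f"{name}: not found in dump")
        elif ob[name] != want:
            problems.append(f"{name}: is {ob[name]:#x}, expected {want:#x}")
    return problems


# Constructed sample dumps, not captured from a real device.
SAFE = """
nSWBOOT0   : 0x1
NSBOOTADD1 : 0x17F200
BOOT_LOCK  : 0x0
"""
RISKY = """
nSWBOOT0   : 0x0
NSBOOTADD1 : 0x100000
BOOT_LOCK  : 0x1
"""

if __name__ == "__main__":
    assert boot_address(REQUIRED["NSBOOTADD1"]) == RSS_ADDRESS
    for label, dump in (("SAFE", SAFE), ("RISKY", RISKY)):
        print(label, rdp_preflight(dump) or "all three conditions met")
```

A missing field is reported as a problem rather than treated as a pass, so an incomplete dump never reads as safe.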