August 2018 AN5056 Rev 2 1/27
AN5056
Application note
Integration guide for the X-CUBE-SBSFU
STM32Cube Expansion Package
Introduction
The Secure Boot and Secure Firmware Update (SBSFU) solution allows the update of the
STM32 microcontroller built-in program with new firmware versions, adding new features
and correcting potential issues. The update process is performed in a secure way to prevent
unauthorized updates and access to confidential on-device data such as secret code and
the firmware encryption key.
In addition, Secure Boot (Root of Trust services) checks and activates the STM32 security
mechanisms, and verifies the authenticity and integrity of user application code before every
execution to ensure that invalid or malicious code cannot be run.
The X-CUBE-SBSFU user manual (UM2262) explains how to get started with
X-CUBE-SBSFU and details SBSFU functionalities.
This application note describes how to adapt X-CUBE-SBSFU and integrate it with the
user’s application. It answers questions such as:
- How to port X-CUBE-SBSFU onto another board?
- How to tune the X-CUBE-SBSFU configuration to fit the user’s needs?
- How to generate a new firmware encryption key?
- How to debug X-CUBE-SBSFU?
- How to adapt the user’s application?
Note: Throughout this application note, the IAR™ EWARM IDE is used as an example to provide
guidelines for project configuration.
Throughout this document, Secure Boot and Secure Firmware Update applications are
referred to as SBSFU.
www.st.com
Contents
1 General information
2 Related documents
3 Porting X-CUBE-SBSFU onto another board
3.1 Hardware adaptation
3.2 Memory mapping definition
3.2.1 SBSFU region definition parameters
3.2.2 Firmware image slot definition parameters
3.2.3 Project specific linker files
4 SBSFU configuration
4.1 Features to be configured
4.2 Cryptographic scheme selection
4.3 Security configuration
4.4 Development or production mode configuration
5 Generating a new firmware encryption key
6 Tips for debugging
6.1 Compiler optimizations level
6.2 Memory mapping adaptation
6.3 Debugging SECoreBin
7 Adapting the user application
7.1 Application running in Slot #0
7.2 Use of the Flash memory to store user data
7.3 Adding an SBSFU compliant firmware download procedure in the user application
7.4 Implementing a new cryptographic scheme for SBSFU
8 Revision history