ST STM32H5 Security Product Lifecycle
Latest revision as of 12:15, 16 May 2024
The STM32H5 series of devices comes with enhanced device life-cycle management features. SEGGER implemented support for these features via a dedicated utility called Device Provisioner. For more information about this, please refer to the Device Provisioner article. STM32H5 Security Product Lifecycle features are implemented in the PCode_DevPro_ST_STM32H5.pex script file.
Important notes
- On STM32H503 devices, one-time programmable (OTP) memory is used to store provisioned data. Therefore provisioning can be done only once.
- On STM32H563/562/573 and STM32H523/533 devices, option bytes are used to store provisioned data. Provisioning must be repeated after every regression.
- Setting the product state to LOCKED permanently locks the device. No regression is possible.
- For crypto-enabled devices (STM32H573 and STM32H533), the .obk file must be generated with the <DoEncryption>1</DoEncryption> option in the .xml configuration file.
- For STM32H503 devices, the hash of a password can be generated using the certutil Windows tool. See the additional example under Other examples.
Usage
DevPro -operation [operation_name] -if SWD -speed 4000 [parameter_name=value] -ScriptFile PCode_DevPro_ST_STM32H5.pex
Operation | Parameters | Values | Description
---|---|---|---
DbgAuthDiscover | - | - | Shows device ID and current product state.
SetDeviceState | ProdState | PROVISIONING | Sets product state to Provisioning.
SetDeviceState | ProdState | PROVISIONED | Sets product state to Provisioned.
SetDeviceState | ProdState | CLOSED | Sets product state to Closed.
SetDeviceState | ProdState | LOCKED | Sets product state to Locked (permanently).
DbgAuthProvision | DataFile | Filename | Provision device with data in a selected file.
DbgAuthRegression | PASSWORD | Password | Start a full regression of a device, erasing flash memory and setting product state to OPEN.
Examples
Checking product state:
DevPro -operation DbgAuthDiscover -if SWD -speed 4000 -ScriptFile PCode_DevPro_ST_STM32H5.pex
SEGGER Device Provisioner V7.96
Compiled Mar 7 2024 16:48:58
'q' to quit '?' for help
Command line: -operation DbgAuthDiscover -if SWD -speed 4000 -ScriptFile PCode_DevPro_ST_STM32H5.pex
J-Link log: Found device with ID: 0x00000484
J-Link log: Device not provisioned
J-Link log: Product state:
J-Link log: OPEN

Changing product state to "PROVISIONING":
DevPro -operation SetDeviceState -if SWD -speed 4000 -SetConfigVal "ProdState=PROVISIONING" -ScriptFile PCode_DevPro_ST_STM32H5.pex
SEGGER Device Provisioner V7.96
Compiled Mar 7 2024 16:48:58
'q' to quit '?' for help
Command line: -operation SetDeviceState -if SWD -speed 4000 -SetConfigVal ProdState=PROVISIONING -ScriptFile PCode_DevPro_ST_STM32H5.pex
J-Link log: Product state successfully changed

Writing OBK file for STM32H563/562/573:
DevPro -operation DbgAuthProvision -if SWD -speed 4000 -SetConfigVal "DataFile=C:\DA_Plain.obk" -ScriptFile PCode_DevPro_ST_STM32H5.pex
SEGGER Device Provisioner V7.96
Compiled Mar 7 2024 16:48:58
'q' to quit '?' for help
Command line: -operation DbgAuthProvision -if SWD -speed 4000 -SetConfigVal DataFile=C:\DA_Plain.obk -ScriptFile PCode_DevPro_ST_STM32H5.pex
J-Link log: STM32H563/573/562 device found, ID: 0x00000484
J-Link log: Provisioning complete

Writing BIN file for STM32H503:
DevPro -operation DbgAuthProvision -if SWD -speed 4000 -SetConfigVal "DataFile=C:\board_password.bin" -ScriptFile PCode_DevPro_ST_STM32H5.pex
SEGGER Device Provisioner V7.96
Compiled Mar 7 2024 16:48:58
'q' to quit '?' for help
Command line: -operation DbgAuthProvision -if SWD -speed 4000 -SetConfigVal DataFile=C:\board_password.bin -ScriptFile PCode_DevPro_ST_STM32H5.pex
J-Link log: STM32H503 device found, ID: 0x00000474
J-Link log: Provisioning complete

Changing product state to "CLOSED":
DevPro -operation SetDeviceState -if SWD -speed 4000 -SetConfigVal "ProdState=CLOSED" -ScriptFile PCode_DevPro_ST_STM32H5.pex
SEGGER Device Provisioner V7.96
Compiled Mar 7 2024 16:48:58
'q' to quit '?' for help
Command line: -operation SetDeviceState -if SWD -speed 4000 -SetConfigVal ProdState=CLOSED -ScriptFile PCode_DevPro_ST_STM32H5.pex
J-Link log: Product state successfully changed

Performing a full regression:
DevPro -operation DbgAuthRegression -if SWD -speed 4000 -SetConfigVal "PASSWORD=qwerty123456" -ScriptFile PCode_DevPro_ST_STM32H5.pex
SEGGER Device Provisioner V7.96
Compiled Mar 7 2024 16:48:58
'q' to quit '?' for help
Command line: -operation DbgAuthRegression -if SWD -speed 4000 -SetConfigVal PASSWORD=qwerty123456 -ScriptFile PCode_DevPro_ST_STM32H5.pex
J-Link log: Device unlocked
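The DevPro runs above all follow the command pattern from the Usage section, and the only feedback they give is the "J-Link log:" text. The Python script below is an added example, not code from this SEGGER page or from the Device Provisioner tool: it parses that output, assembles DevPro command lines the same way the page does, and applies the page's notes as guards (ProdState=LOCKED is irreversible, so it must be confirmed explicitly; an STM32H503 stores its provisioning data in OTP, so an already provisioned one is not provisioned again). The sample output is constructed from the DbgAuthDiscover run shown above. The wording "Device provisioned" for an already provisioned device is an assumption, since the page only shows the "Device not provisioned" case, and run_devpro assumes DevPro is on the PATH.

```python
"""Helpers around the DevPro command lines shown on this page (added example, not SEGGER code)."""
import re
import subprocess

SCRIPT_FILE = "PCode_DevPro_ST_STM32H5.pex"  # script file named on the page

# Device IDs exactly as DevPro printed them in the page's examples.
DEVICE_NAMES = {
    0x00000484: "STM32H563/573/562",
    0x00000474: "STM32H503",
}
ONE_TIME_PROVISIONING = {0x00000474}  # STM32H503: provisioning data lives in OTP memory

# Constructed sample: the DbgAuthDiscover output reproduced from the page.
SAMPLE_DISCOVER_OUTPUT = """\
SEGGER Device Provisioner V7.96
Compiled Mar 7 2024 16:48:58
'q' to quit '?' for help
Command line: -operation DbgAuthDiscover -if SWD -speed 4000 -ScriptFile PCode_DevPro_ST_STM32H5.pex
J-Link log: Found device with ID: 0x00000484
J-Link log: Device not provisioned
J-Link log: Product state:
J-Link log: OPEN
"""


def build_command(operation, config=None, allow_lock=False):
    """Assemble argv for 'DevPro -operation ... -if SWD -speed 4000 [-SetConfigVal k=v] -ScriptFile ...'.

    ProdState=LOCKED is rejected unless the caller opts in, because the page notes that
    LOCKED is permanent and no regression is possible afterwards.
    """
    config = dict(config or {})
    if config.get("ProdState") == "LOCKED" and not allow_lock:
        raise ValueError("ProdState=LOCKED is irreversible; pass allow_lock=True to confirm")
    argv = ["DevPro", "-operation", operation, "-if", "SWD", "-speed", "4000"]
    for key, value in config.items():
        argv += ["-SetConfigVal", f"{key}={value}"]
    return argv + ["-ScriptFile", SCRIPT_FILE]


def parse_devpro_output(text):
    """Pull device ID, provisioning flag, product state and success marker out of the 'J-Link log:' lines."""
    info = {"device_id": None, "provisioned": None, "product_state": None, "ok": False}
    logs = [ln.split("J-Link log:", 1)[1].strip()
            for ln in text.splitlines() if "J-Link log:" in ln]
    for i, msg in enumerate(logs):
        # Matches both "Found device with ID: 0x..." and "... device found, ID: 0x..."
        m = re.search(r"ID:\s*(0x[0-9A-Fa-f]+)", msg)
        if m:
            info["device_id"] = int(m.group(1), 16)
        if msg == "Device not provisioned":
            info["provisioned"] = False
        elif msg == "Device provisioned":  # assumed wording; the page only shows the negative case
            info["provisioned"] = True
        if msg == "Product state:" and i + 1 < len(logs):
            info["product_state"] = logs[i + 1]  # state is printed on the following log line
        if msg in ("Product state successfully changed", "Provisioning complete", "Device unlocked"):
            info["ok"] = True  # success lines as printed in the page's examples
    return info


def provisioning_allowed(info):
    """Page note: an STM32H503 whose OTP already holds provisioning data cannot be provisioned again."""
    if info["device_id"] in ONE_TIME_PROVISIONING and info["provisioned"]:
        return False
    return True


def run_devpro(argv):
    """Run DevPro (assumed to be on PATH) and return its combined output; not exercised by the tests."""
    proc = subprocess.run(argv, capture_output=True, text=True)
    return proc.stdout + proc.stderr


if __name__ == "__main__":
    info = parse_devpro_output(SAMPLE_DISCOVER_OUTPUT)
    print(DEVICE_NAMES.get(info["device_id"], "unknown device"), info)
    print(" ".join(build_command("SetDeviceState", {"ProdState": "PROVISIONING"})))
```

In a production line the natural flow is: run DbgAuthDiscover, feed the output to parse_devpro_output, check provisioning_allowed before building the DbgAuthProvision command, and treat any run whose output lacks one of the success lines as a failed step rather than moving on to the next state change.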
Other examples
Generating a binary file with the SHA256 hash of a password string:
1. Create a text file with the password:
   0123456789012345 --> password.txt
2. Generate the SHA256 hash using "certutil" on Windows:
   certutil -hashfile "password.txt" SHA256
   Output:
   SHA256 hash of password.txt:
   184aa46d813411727da0dc9e64186bb9907289b5aab4b320d26fff5ea45d8e3d
   CertUtil: -hashfile command completed successfully.
3. Save the hash string to a text file:
   184aa46d813411727da0dc9e64186bb9907289b5aab4b320d26fff5ea45d8e3d --> hash.txt
4. Generate a binary file from the hash text file using "certutil" on Windows:
   certutil -decodehex hash.txt board_password.bin
   Output:
   Input Length = 64
   Output Length = 32
   CertUtil: -decodehex command completed successfully.
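The certutil steps above amount to hashing the bytes of password.txt and decoding the 64 hex characters into 32 raw bytes. The Python below is an added example, not from this page, that reproduces both steps so they can also be run on a non-Windows build host, and makes visible a detail the steps leave implicit: certutil -hashfile hashes every byte of the file, so a line ending that an editor appends after the password changes the hash, and the device then expects a different password than the one typed. The hash string printed on the page is reused only to exercise the decode step; whether it was computed over the bare 16 characters or over the characters plus a line ending is not stated on the page, so the script does not assume either.

```python
"""Reproduce the certutil hash/decodehex steps in Python (added example, not from the page)."""
import hashlib
from pathlib import Path

# Hash string exactly as printed by certutil on the page, used here to exercise the decode step.
PAGE_HASH_HEX = "184aa46d813411727da0dc9e64186bb9907289b5aab4b320d26fff5ea45d8e3d"


def sha256_hex(data: bytes) -> str:
    """Step 2 equivalent: SHA256 over the exact bytes, as 'certutil -hashfile <file> SHA256' does for a file."""
    return hashlib.sha256(data).hexdigest()


def hex_to_bin(hash_hex: str) -> bytes:
    """Step 4 equivalent of 'certutil -decodehex': 64 hex characters -> 32 raw bytes."""
    raw = bytes.fromhex("".join(hash_hex.split()))  # tolerate whitespace/newline in hash.txt
    if len(raw) != 32:
        raise ValueError(f"expected a 32-byte SHA256 digest, got {len(raw)} bytes")
    return raw


def password_file_variants(password: str) -> dict:
    """Hashes for the byte contents password.txt could have (bare, LF-terminated, CRLF-terminated).

    Each value is what certutil would report for a file with that content; they all differ,
    which is why the file must hold exactly the password bytes the device is meant to accept.
    """
    variants = {
        "bare": password.encode("ascii"),
        "lf": (password + "\n").encode("ascii"),
        "crlf": (password + "\r\n").encode("ascii"),
    }
    return {name: sha256_hex(content) for name, content in variants.items()}


def make_board_password_bin(password_txt: str, out_bin: str) -> int:
    """Full pipeline: read password.txt as bytes, hash, write the 32-byte file. Returns bytes written."""
    content = Path(password_txt).read_bytes()
    raw = hex_to_bin(sha256_hex(content))
    Path(out_bin).write_bytes(raw)
    return len(raw)


if __name__ == "__main__":
    for name, digest in password_file_variants("0123456789012345").items():
        print(f"{name:5} {digest}")
    print(len(hex_to_bin(PAGE_HASH_HEX)), "bytes decoded from the page's hash string")
```

Running the script with the page's password prints three different digests; comparing the "bare" one against what certutil reports for a given password.txt tells you whether the editor that wrote the file added a line ending.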