Difference between revisions of "STM32H5 Security Product Lifecycle"
| Line 11: | Line 11: | ||
== Usage == |
== Usage == |
||
| − | DevPro -operation [operation_name] -if SWD -speed 4000 [parameter_name=value] -ScriptFile |
+ | DevPro -operation [operation_name] -if SWD -speed 4000 [parameter_name=value] -ScriptFile PCode_DevPro_ST_STM32H5.pex |
{| class="wikitable" |
{| class="wikitable" |
||
| Line 35: | Line 35: | ||
|- |
|- |
||
|} |
|} |
||
| + | |||
| + | |||
== Examples == |
== Examples == |
||
Checking product state: |
Checking product state: |
||
| − | DevPro -operation DbgAuthDiscover -if SWD -speed 4000 -ScriptFile |
+ | DevPro -operation DbgAuthDiscover -if SWD -speed 4000 -ScriptFile PCode_DevPro_ST_STM32H5.pex |
SEGGER Device Provisioner V7.96 |
SEGGER Device Provisioner V7.96 |
||
Compiled Mar 7 2024 16:48:58 |
Compiled Mar 7 2024 16:48:58 |
||
| Line 44: | Line 46: | ||
'q' to quit '?' for help |
'q' to quit '?' for help |
||
| − | Command line: -operation DbgAuthDiscover -if SWD -speed 4000 -ScriptFile |
+ | Command line: -operation DbgAuthDiscover -if SWD -speed 4000 -ScriptFile PCode_DevPro_ST_STM32H5.pex |
J-Link log: Found device with ID: 0x00000484 |
J-Link log: Found device with ID: 0x00000484 |
||
J-Link log: Device not provisioned |
J-Link log: Device not provisioned |
||
| Line 51: | Line 53: | ||
Changing product state to "PROVISIONING": |
Changing product state to "PROVISIONING": |
||
| − | DevPro -operation SetDeviceState -if SWD -speed 4000 -SetConfigVal "ProdState=PROVISIONING" -ScriptFile |
+ | DevPro -operation SetDeviceState -if SWD -speed 4000 -SetConfigVal "ProdState=PROVISIONING" -ScriptFile PCode_DevPro_ST_STM32H5.pex |
SEGGER Device Provisioner V7.96 |
SEGGER Device Provisioner V7.96 |
||
Compiled Mar 7 2024 16:48:58 |
Compiled Mar 7 2024 16:48:58 |
||
| Line 57: | Line 59: | ||
'q' to quit '?' for help |
'q' to quit '?' for help |
||
| − | Command line: -operation SetDeviceState -if SWD -speed 4000 -SetConfigVal ProdState=PROVISIONING -ScriptFile |
+ | Command line: -operation SetDeviceState -if SWD -speed 4000 -SetConfigVal ProdState=PROVISIONING -ScriptFile PCode_DevPro_ST_STM32H5.pex |
J-Link log: Product state successfully changed |
J-Link log: Product state successfully changed |
||
Writing OBK file for STM32H563/562/573: |
Writing OBK file for STM32H563/562/573: |
||
| − | DevPro -operation DbgAuthProvision -if SWD -speed 4000 -SetConfigVal "DataFile=C:\DA_Plain.obk" -ScriptFile |
+ | DevPro -operation DbgAuthProvision -if SWD -speed 4000 -SetConfigVal "DataFile=C:\DA_Plain.obk" -ScriptFile PCode_DevPro_ST_STM32H5.pex |
SEGGER Device Provisioner V7.96 |
SEGGER Device Provisioner V7.96 |
||
Compiled Mar 7 2024 16:48:58 |
Compiled Mar 7 2024 16:48:58 |
||
| Line 67: | Line 69: | ||
'q' to quit '?' for help |
'q' to quit '?' for help |
||
| − | Command line: -operation DbgAuthProvision -if SWD -speed 4000 -SetConfigVal DataFile=C:\DA_Plain.obk -ScriptFile |
+ | Command line: -operation DbgAuthProvision -if SWD -speed 4000 -SetConfigVal DataFile=C:\DA_Plain.obk -ScriptFile PCode_DevPro_ST_STM32H5.pex |
J-Link log: STM32H563/573/562 device found, ID: 0x00000484 |
J-Link log: STM32H563/573/562 device found, ID: 0x00000484 |
||
J-Link log: Provisioning complete |
J-Link log: Provisioning complete |
||
Writing BIN file for STM32H503: |
Writing BIN file for STM32H503: |
||
| − | DevPro -operation DbgAuthProvision -if SWD -speed 4000 -SetConfigVal "DataFile=C:\board_password.bin" -ScriptFile |
+ | DevPro -operation DbgAuthProvision -if SWD -speed 4000 -SetConfigVal "DataFile=C:\board_password.bin" -ScriptFile PCode_DevPro_ST_STM32H5.pex |
SEGGER Device Provisioner V7.96 |
SEGGER Device Provisioner V7.96 |
||
Compiled Mar 7 2024 16:48:58 |
Compiled Mar 7 2024 16:48:58 |
||
| Line 78: | Line 80: | ||
'q' to quit '?' for help |
'q' to quit '?' for help |
||
| − | Command line: -operation DbgAuthProvision -if SWD -speed 4000 -SetConfigVal DataFile=C:\board_password.bin -ScriptFile |
+ | Command line: -operation DbgAuthProvision -if SWD -speed 4000 -SetConfigVal DataFile=C:\board_password.bin -ScriptFile PCode_DevPro_ST_STM32H5.pex |
J-Link log: STM32H503 device found, ID: 0x00000474 |
J-Link log: STM32H503 device found, ID: 0x00000474 |
||
J-Link log: Provisioning complete |
J-Link log: Provisioning complete |
||
Changing product state to "CLOSED": |
Changing product state to "CLOSED": |
||
| − | DevPro -operation SetDeviceState -if SWD -speed 4000 -SetConfigVal "ProdState=CLOSED" -ScriptFile |
+ | DevPro -operation SetDeviceState -if SWD -speed 4000 -SetConfigVal "ProdState=CLOSED" -ScriptFile PCode_DevPro_ST_STM32H5.pex |
SEGGER Device Provisioner V7.96 |
SEGGER Device Provisioner V7.96 |
||
Compiled Mar 7 2024 16:48:58 |
Compiled Mar 7 2024 16:48:58 |
||
| Line 89: | Line 91: | ||
'q' to quit '?' for help |
'q' to quit '?' for help |
||
| − | Command line: -operation SetDeviceState -if SWD -speed 4000 -SetConfigVal ProdState=CLOSED -ScriptFile |
+ | Command line: -operation SetDeviceState -if SWD -speed 4000 -SetConfigVal ProdState=CLOSED -ScriptFile PCode_DevPro_ST_STM32H5.pex |
J-Link log: Product state successfully changed |
J-Link log: Product state successfully changed |
||
Performing a full regression: |
Performing a full regression: |
||
| − | DevPro -operation DbgAuthRegression -if SWD -speed 4000 -SetConfigVal "PASSWORD=qwerty123456" -ScriptFile |
+ | DevPro -operation DbgAuthRegression -if SWD -speed 4000 -SetConfigVal "PASSWORD=qwerty123456" -ScriptFile PCode_DevPro_ST_STM32H5.pex |
SEGGER Device Provisioner V7.96 |
SEGGER Device Provisioner V7.96 |
||
Compiled Mar 7 2024 16:48:58 |
Compiled Mar 7 2024 16:48:58 |
||
| Line 99: | Line 101: | ||
'q' to quit '?' for help |
'q' to quit '?' for help |
||
| − | Command line: -operation DbgAuthRegression -if SWD -speed 4000 -SetConfigVal PASSWORD=qwerty123456 -ScriptFile |
+ | Command line: -operation DbgAuthRegression -if SWD -speed 4000 -SetConfigVal PASSWORD=qwerty123456 -ScriptFile PCode_DevPro_ST_STM32H5.pex |
J-Link log: Device unlocked |
J-Link log: Device unlocked |
||
Latest revision as of 12:02, 14 March 2024
STM32H5 Security Product Lifecycle features are implemented in the PCode_DevPro_ST_STM32H5.pex script file.
Important notes
- On STM32H503 devices one-time programmable memory is used to store provisioned data. Therefore Provisioning can be done only once.
- On STM32H563/562/573 devices option bytes are used to store provisioned data. Provisioning must be done every time after regression.
- Setting product state to LOCKED permanently locks the device. No regression possible.
- For crypto-enabled devices STM32H573 .obk file must be generated with <DoEncryption>1</DoEncryption> option in .xml configuration file.
- For STM32H503 devices hash of a password can be generated using certutil windows tool. See additional example: Other examples.
Usage
DevPro -operation [operation_name] -if SWD -speed 4000 [parameter_name=value] -ScriptFile PCode_DevPro_ST_STM32H5.pex
| Operation | Parameters | Values | Description |
|---|---|---|---|
| DbgAuthDiscover | - | - | Shows device ID and current product state. |
| SetDeviceState | ProdState | PROVISIONING | Sets product state to Provisioning. |
| PROVISIONED | Sets product state to Provisioned. | ||
| CLOSED | Sets product state to Closed. | ||
| LOCKED | Sets product state to Locked (permanently). | ||
| DbgAuthProvision | DataFile | Filename | Provision device with data in a selected file. |
| DbgAuthRegression | PASSWORD | Password | Start a full regression of a device, erasing flash memory and setting product state to OPEN. |
Examples
Checking product state:
DevPro -operation DbgAuthDiscover -if SWD -speed 4000 -ScriptFile PCode_DevPro_ST_STM32H5.pex SEGGER Device Provisioner V7.96 Compiled Mar 7 2024 16:48:58 'q' to quit '?' for help Command line: -operation DbgAuthDiscover -if SWD -speed 4000 -ScriptFile PCode_DevPro_ST_STM32H5.pex J-Link log: Found device with ID: 0x00000484 J-Link log: Device not provisioned J-Link log: Product state: J-Link log: OPEN
Changing product state to "PROVISIONING":
DevPro -operation SetDeviceState -if SWD -speed 4000 -SetConfigVal "ProdState=PROVISIONING" -ScriptFile PCode_DevPro_ST_STM32H5.pex SEGGER Device Provisioner V7.96 Compiled Mar 7 2024 16:48:58 'q' to quit '?' for help Command line: -operation SetDeviceState -if SWD -speed 4000 -SetConfigVal ProdState=PROVISIONING -ScriptFile PCode_DevPro_ST_STM32H5.pex J-Link log: Product state successfully changed
Writing OBK file for STM32H563/562/573:
DevPro -operation DbgAuthProvision -if SWD -speed 4000 -SetConfigVal "DataFile=C:\DA_Plain.obk" -ScriptFile PCode_DevPro_ST_STM32H5.pex SEGGER Device Provisioner V7.96 Compiled Mar 7 2024 16:48:58 'q' to quit '?' for help Command line: -operation DbgAuthProvision -if SWD -speed 4000 -SetConfigVal DataFile=C:\DA_Plain.obk -ScriptFile PCode_DevPro_ST_STM32H5.pex J-Link log: STM32H563/573/562 device found, ID: 0x00000484 J-Link log: Provisioning complete
Writing BIN file for STM32H503:
DevPro -operation DbgAuthProvision -if SWD -speed 4000 -SetConfigVal "DataFile=C:\board_password.bin" -ScriptFile PCode_DevPro_ST_STM32H5.pex SEGGER Device Provisioner V7.96 Compiled Mar 7 2024 16:48:58 'q' to quit '?' for help Command line: -operation DbgAuthProvision -if SWD -speed 4000 -SetConfigVal DataFile=C:\board_password.bin -ScriptFile PCode_DevPro_ST_STM32H5.pex J-Link log: STM32H503 device found, ID: 0x00000474 J-Link log: Provisioning complete
Changing product state to "CLOSED":
DevPro -operation SetDeviceState -if SWD -speed 4000 -SetConfigVal "ProdState=CLOSED" -ScriptFile PCode_DevPro_ST_STM32H5.pex SEGGER Device Provisioner V7.96 Compiled Mar 7 2024 16:48:58 'q' to quit '?' for help Command line: -operation SetDeviceState -if SWD -speed 4000 -SetConfigVal ProdState=CLOSED -ScriptFile PCode_DevPro_ST_STM32H5.pex J-Link log: Product state successfully changed
Performing a full regression:
DevPro -operation DbgAuthRegression -if SWD -speed 4000 -SetConfigVal "PASSWORD=qwerty123456" -ScriptFile PCode_DevPro_ST_STM32H5.pex SEGGER Device Provisioner V7.96 Compiled Mar 7 2024 16:48:58 'q' to quit '?' for help Command line: -operation DbgAuthRegression -if SWD -speed 4000 -SetConfigVal PASSWORD=qwerty123456 -ScriptFile PCode_DevPro_ST_STM32H5.pex J-Link log: Device unlocked
Other examples
Generating a binary file with SHA256 hash of a password string:
1. Create a text file with password
0123456789012345 --> password.txt
2. Generate SHA256 hash using "certutil" on Windows<
certutil -hashfile "password.txt" SHA256
Output:
SHA256 hash of password.txt: 184aa46d813411727da0dc9e64186bb9907289b5aab4b320d26fff5ea45d8e3d CertUtil: -hashfile command completed successfully.
3. Save Hash string to a text file
184aa46d813411727da0dc9e64186bb9907289b5aab4b320d26fff5ea45d8e3d --> hash.txt
4. Generate a binary file from the hash text file using "certutil" on Windows
certutil -decodehex hash.txt board_password.bin
Output:
Input Length = 64 Output Length = 32 CertUtil: -decodehex command completed successfully.
