STM32H5 Security Product Lifecycle
Revision as of 16:12, 8 March 2024 by Artjom.Kister
STM32H5 Security Product Lifecycle features are implemented in the PCode_DevPro_ST_STM32H5.pex script file.
Important notes
- On STM32H503 devices, one-time programmable memory is used to store the provisioned data. Therefore provisioning can be done only once.
- On STM32H563/562/573 devices, option bytes are used to store the provisioned data. Provisioning must be repeated after every regression.
- Setting the product state to LOCKED permanently locks the device. No regression is possible afterwards.
- For crypto-enabled STM32H573 devices, the .obk file must be generated with the <DoEncryption>1</DoEncryption> option in the .xml configuration file.
- For STM32H503 devices, the hash of a password can be generated using the Windows certutil tool; see the additional example under Other examples.
Usage
DevPro -operation [operation_name] -if SWD -speed 4000 -SetConfigVal "[parameter_name=value]" -ScriptFile "C:\Program Files\SEGGER\JLink\Script\PCode_DevPro_ST_STM32H5.pex"
Operation | Parameters | Values | Description |
---|---|---|---|
DbgAuthDiscover | - | - | Shows device ID and current product state. |
SetDeviceState | ProdState | PROVISIONING | Sets product state to Provisioning. |
SetDeviceState | ProdState | PROVISIONED | Sets product state to Provisioned. |
SetDeviceState | ProdState | CLOSED | Sets product state to Closed. |
SetDeviceState | ProdState | LOCKED | Sets product state to Locked (permanently). |
DbgAuthProvision | DataFile | Filename | Provision device with data in a selected file. |
DbgAuthRegression | PASSWORD | Password | Start a full regression of a device, erasing flash memory and setting product state to OPEN. |
Examples
Checking product state:
DevPro -operation DbgAuthDiscover -if SWD -speed 4000 -ScriptFile "C:\Program Files\SEGGER\JLink\Script\PCode_DevPro_ST_STM32H5.pex"
SEGGER Device Provisioner V7.96
Compiled Mar 7 2024 16:48:58
'q' to quit '?' for help
Command line: -operation DbgAuthDiscover -if SWD -speed 4000 -ScriptFile "C:\Program Files\SEGGER\JLink\Script\PCode_DevPro_ST_STM32H5.pex"
J-Link log: Found device with ID: 0x00000484
J-Link log: Device not provisioned
J-Link log: Product state:
J-Link log: OPEN
Changing product state to "PROVISIONING":
DevPro -operation SetDeviceState -if SWD -speed 4000 -SetConfigVal "ProdState=PROVISIONING" -ScriptFile "C:\Program Files\SEGGER\JLink\Script\PCode_DevPro_ST_STM32H5.pex"
SEGGER Device Provisioner V7.96
Compiled Mar 7 2024 16:48:58
'q' to quit '?' for help
Command line: -operation SetDeviceState -if SWD -speed 4000 -SetConfigVal ProdState=PROVISIONING -ScriptFile C:\Program Files\SEGGER\JLink\Script\PCode_DevPro_ST_STM32H5.pex
J-Link log: Product state successfully changed
Writing OBK file for STM32H563/562/573:
DevPro -operation DbgAuthProvision -if SWD -speed 4000 -SetConfigVal "DataFile=C:\DA_Plain.obk" -ScriptFile "C:\Program Files\SEGGER\JLink\Script\PCode_DevPro_ST_STM32H5.pex"
SEGGER Device Provisioner V7.96
Compiled Mar 7 2024 16:48:58
'q' to quit '?' for help
Command line: -operation DbgAuthProvision -if SWD -speed 4000 -SetConfigVal DataFile=C:\DA_Plain.obk -ScriptFile C:\Program Files\SEGGER\JLink\Script\PCode_DevPro_ST_STM32H5.pex
J-Link log: STM32H563/573/562 device found, ID: 0x00000484
J-Link log: Provisioning complete
Writing BIN file for STM32H503:
DevPro -operation DbgAuthProvision -if SWD -speed 4000 -SetConfigVal "DataFile=C:\board_password.bin" -ScriptFile "C:\Program Files\SEGGER\JLink\Script\PCode_DevPro_ST_STM32H5.pex"
SEGGER Device Provisioner V7.96
Compiled Mar 7 2024 16:48:58
'q' to quit '?' for help
Command line: -operation DbgAuthProvision -if SWD -speed 4000 -SetConfigVal DataFile=C:\board_password.bin -ScriptFile C:\Program Files\SEGGER\JLink\Script\PCode_DevPro_ST_STM32H5.pex
J-Link log: STM32H503 device found, ID: 0x00000474
J-Link log: Provisioning complete
Changing product state to "CLOSED":
DevPro -operation SetDeviceState -if SWD -speed 4000 -SetConfigVal "ProdState=CLOSED" -ScriptFile "C:\Program Files\SEGGER\JLink\Script\PCode_DevPro_ST_STM32H5.pex"
SEGGER Device Provisioner V7.96
Compiled Mar 7 2024 16:48:58
'q' to quit '?' for help
Command line: -operation SetDeviceState -if SWD -speed 4000 -SetConfigVal ProdState=CLOSED -ScriptFile C:\Program Files\SEGGER\JLink\Script\PCode_DevPro_ST_STM32H5.pex
J-Link log: Product state successfully changed
Performing a full regression:
DevPro -operation DbgAuthRegression -if SWD -speed 4000 -SetConfigVal "PASSWORD=qwerty123456" -ScriptFile "C:\Program Files\SEGGER\JLink\Script\PCode_DevPro_ST_STM32H5.pex"
SEGGER Device Provisioner V7.96
Compiled Mar 7 2024 16:48:58
'q' to quit '?' for help
Command line: -operation DbgAuthRegression -if SWD -speed 4000 -SetConfigVal PASSWORD=qwerty123456 -ScriptFile C:\Program Files\SEGGER\JLink\Script\PCode_DevPro_ST_STM32H5.pex
J-Link log: Device unlocked
Other examples
Generating a binary file with SHA256 hash of a password string:
1. Create a text file containing the password
0123456789012345 --> password.txt
2. Generate the SHA256 hash using "certutil" on Windows
certutil -hashfile "password.txt" SHA256
Output:
SHA256 hash of password.txt: 184aa46d813411727da0dc9e64186bb9907289b5aab4b320d26fff5ea45d8e3d
CertUtil: -hashfile command completed successfully.
3. Save the hash string to a text file
184aa46d813411727da0dc9e64186bb9907289b5aab4b320d26fff5ea45d8e3d --> hash.txt
4. Generate a binary file from the hash text file using "certutil" on Windows
certutil -decodehex hash.txt board_password.bin
Output:
Input Length = 64
Output Length = 32
CertUtil: -decodehex command completed successfully.
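The four certutil steps above, reproduced as an added Python example (not code from the SEGGER wiki page or from the DevPro tool): it hashes the password bytes directly, parses the certutil -hashfile output line in the format shown above, and converts the hex digest into the 32-byte file that the DbgAuthProvision DataFile parameter takes. The function names and the sample input are this example's own assumptions.

```python
"""Build the STM32H503 password-hash file (board_password.bin) without certutil."""
import hashlib
import re
from pathlib import Path
# Constructed sample: the wiki's 16-character password and its certutil output line.
SAMPLE_PASSWORD = "0123456789012345"
SAMPLE_CERTUTIL_OUTPUT = (
    "SHA256 hash of password.txt: "
    "184aa46d813411727da0dc9e64186bb9907289b5aab4b320d26fff5ea45d8e3d\n"
    "CertUtil: -hashfile command completed successfully.\n"
)

def password_file_is_clean(data: bytes) -> bool:
    """Step 1 check: only the password bytes. A UTF-8 BOM or an editor's
    trailing CR/LF would make certutil hash different bytes."""
    return not (data.startswith(b"\xef\xbb\xbf") or data.endswith((b"\n", b"\r")))

def password_to_digest(password: str) -> bytes:
    """Step 2 equivalent: SHA-256 over the exact password bytes (32 bytes)."""
    return hashlib.sha256(password.encode("utf-8")).digest()

def parse_certutil_hashfile_output(text: str) -> str:
    """Step 3 helper: the 64 hex digits from 'certutil -hashfile ... SHA256' output
    as shown above (space-separated byte pairs from older certutil are accepted too)."""
    for line in text.splitlines():
        if "hash of" not in line or ":" not in line:
            continue
        digits = ""
        for token in line.split(":", 1)[1].split():
            if not re.fullmatch(r"[0-9a-fA-F]+", token):
                break
            digits += token
            if len(digits) >= 64:
                return digits[:64].lower()
    raise ValueError("no SHA256 digest found in certutil output")

def hex_to_bin(hex_text: str) -> bytes:
    """Step 4 equivalent of 'certutil -decodehex': whitespace ignored,
    anything but exactly 64 hex digits rejected."""
    compact = "".join(hex_text.split())
    if len(compact) != 64:
        raise ValueError(f"expected 64 hex digits, got {len(compact)}")
    return bytes.fromhex(compact)

def write_board_password_bin(path: Path, password: str) -> int:
    """Write the 32-byte file the DbgAuthProvision DataFile parameter expects."""
    digest = password_to_digest(password)
    path.write_bytes(digest)
    return len(digest)
```

The password_file_is_clean check matters because certutil hashes whatever bytes the editor saved, so a trailing CR/LF in password.txt produces the hash of a different string than the password later passed to DbgAuthRegression.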