STM32CubeMX user interface |
UM1718 |
|
|
4.16Boot path
STM32CubeMX introduces the possibility to configure the boot path for the STM32H5 series.
Figure 133. Boot path configuration ecosystem
STM32CubeH5 |
|
STM32CubeMX |
|
Booth path |
|
Project STM32H5 creation |
|
configuration files |
|
• Boot path selection |
|
|
|
and configuration |
|
|
|
• Linker files update |
|
|
|
|
|
|
|
• Post-build command |
|
|
|
update |
|
|
|
• Code generation |
|
|
|
• Provisioning |
|
|
|
|
|
IDE
Code compilation
Post-build command execution for code encryption via TPC
STM32CubeProgrammer
TPC
Configuration file editing
Code |
Download on |
|
|
|
target |
|
|
Target |
|
encryption |
|
|
||
(provisioning) |
|
|
|
|
|
|
|
|
|
DT56289
Note: |
STM32H56x and STM32H503 do not support cryptographic hardware accelerator (a feature |
|
needed for the ST-iROT and ST-uROT), therefore the full spectrum of boot paths is not |
|
available for these MCUs. |
|
For details about boot path and its usage, read the wiki page available on www.st.com, and |
|
the guide located under the Utilities folder of the STM32Cube firmware package. |
|
This section details, through examples, how to configure a boot path and generate the |
|
associated code. It includes compilation, encryption, and provisioning. |
4.16.1 Available boot paths
The following tables give an overview of the different boot paths supported by STM32CubeMX, depending upon the device.
Table 18. Boot paths without TrustZone (TZEN = 0)
MCU |
Application |
OEM-iRoT |
OEM-iRoT→ uRoT |
ST-iRoT |
ST-iRoT → uRoT |
→ Application |
→ Application |
→ Application |
→ Application |
||
|
|
|
|
|
|
STM32H56x |
√ |
- |
- |
- |
- |
|
|
|
|
|
|
STM32H57x |
√ |
- |
- |
- |
- |
|
|
|
|
|
|
STM32H503x |
√ |
- |
- |
- |
- |
|
|
|
|
|
|
166/453 |
UM1718 Rev 41 |
UM1718 |
|
|
|
STM32CubeMX user interface |
||
|
|
|
|
|
|
|
|
Table 19. Boot paths with TrustZone (TZEN = 1)(1) |
|
||||
|
S/NS |
OEM-iRoT → |
OEM-iRoT → |
ST-iRoT → |
ST-iRoT→ ST-uRoT |
|
MCU |
→ Secure manager |
|||||
application |
S/NS application |
uRoT application |
S application |
|||
|
|
|
|
|
→ NS application |
|
STM32H56x |
√ |
√ |
- |
- |
- |
|
|
|
|
|
|
|
|
STM32H57x |
√ |
√ |
√ |
√ |
√ |
|
|
|
|
|
|
|
|
1. S: secure, NS: non-secure.
The following figures indicate the boot paths that STM32CubeMX can configure, and the entry points after reset.
The related user option bytes are configured automatically (through Trusted Package Creator installed with CubeMX), and programmed during the provisioning stage.
Figure 134. Boot paths for STM32H57x devices
User option bytes |
|
|
|
|
|
= 1 |
= ST-iRoT |
|
|
NS application |
|
ST-iRoT |
ST-uRoT |
|
|
||
TZEN |
UBE |
|
|
||
|
|
|
|
ST-SecureOS |
|
|
= OEM-iRoT |
|
Optional |
NS application |
DT56285V2 |
|
|
|
|||
|
OEM-iRoT |
OEM-uRoT |
|
||
|
|
|
|||
|
|
|
|
S application |
|
|
|
|
|
|
Figure 135. Boot paths for STM32H56x devices
User option byte
|
= 1 |
NS application |
|
TZEN |
OEM-uRoT |
||
OEM-iRoT |
|||
|
|
S application |
DT56286V2
Figure 136. Application boot paths (legacy and ST-iRoT projects)
flash |
|
Legacy |
67 L5R7 6HFXUH XVHU DSSOLFDWLRQ |
||||
|
|
|
|
|
|
|
|
|
NS-user application |
|
|
|
S-user application |
|
|
User |
|
|
|
|
|
||
Reset |
|
|
|
|
|||
flash |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Bootloader |
|
|
|
Bootloader |
|
|
|
|
|
|
|
|
||
|
|
|
|
|
|
|
|
System |
|
Debug authentication |
|
|
|
Debug authentication |
|
|
|
|
|
|
|
|
|
|
ST-iRoT (secure boot) |
|
|
|
ST-iRoT (secure boot) |
|
|
|
|
|
|
Reset |
|
|
|
|
|
ST SFI/RSS |
ST SFI/RSS |
|
|||
|
|
|
|
|
|
||
DT56291
UM1718 Rev 41 |
167/453 |
STM32CubeMX user interface |
UM1718 |
|
|
Figure 137. Application boot paths (OEM-iRoT and Secure manager projects)
2(0 L5R7 6HFXUH 1RQ VHFXUH |
67 L5R7 67 X5R7 |
user application |
6HFXUH PDQDJHU |
|
Non-secure user application |
User flash
Reset
NS-user application
S-user application
OEM-iRoT(*)
NS-user application
Module S2
Module S1
Secure manager(*)
ST-uRoT
flash |
|
|
|
|
|
Bootloader |
|
|
|
Bootloader |
|
|
|
|
|
||
|
|
|
|
|
|
System |
Debug authentication |
|
|
|
Debug authentication |
|
|
|
|
|
|
ST-iRoT (secure boot) |
|
|
|
ST-iRoT (secure boot) |
|
|
|
|
Reset |
|
|
|
ST SFI/RSS |
ST SFI/RSS |
|||
|
|
|
|
||
(*) Not generated by STM32CubeMX
DT56290
Figure 138. Application boot path (ST-iRoT and OEM-uRoT assembled)
System flash User flash
67 L5R7 2(0 X5R7Project execution (Assembled)
TLV MCU boot
GPIO toggle NS
GPIO toggle S
Header MCU boot
TLV MCU boot
OEM-uRoT
Header MCU boot
Bootloader
Debug authentication
ST-iRoT (secure boot)
Reset
ST SFI/RSS
DT56421V1
168/453 |
UM1718 Rev 41 |
UM1718 |
STM32CubeMX user interface |
|
|
Figure 139. Application boot path: (ST-iRoT and OEM-uRoT Secure/Non-Secure project)
67 L5R7 2(0 X5R7Secure/Non-secure user application
NS-user application
S-user application
OEM-uRoT |
Not generated by STM32CubeMX |
|
|
Bootloader
Debug authentication
ST-iRoT (secure boot)
Reset
ST SFI/RSS
Figure 140. Application boot path:
(ST-iRoT and Secure/Non-Secure user application assembled)
67 L5R7 6HFXUH 1RQ 6HFXUH XVHU application (assembled as single image)
flash |
|
|
|
|
|
|
NS-User application |
|
|
User |
|
|
Single image |
|
|
|
|
||
|
|
|
(Secure and Non-Secure) |
|
|
|
|
S-User application |
|
|
|
|
|
|
flash |
|
|
|
|
|
|
|
|
|
|
|
Bootloader |
|
|
|
|
|
|
|
|
|
|
|
|
System |
|
|
Debug authentication |
|
|
|
|
|
|
|
|
ST-iRoT (secure boot) |
|
|
|
Reset |
|
|
|
|
ST SFI/RSS |
|
||
|
|
|
|
|
DT56422V1
DT56423V1
UM1718 Rev 41 |
169/453 |