Development Or Production Mode Configuration - ST X-CUBE-SBSFU STM32Cube Integration Manual

AN5056

4.4 Development or production mode configuration

The first step before any code modification is often to configure the SBSFU project in development mode to enable IDE debugging facilities and add SBSFU debug traces:
1. Deactivate all security protections: SFU_xxx_PROTECT_ENABLE
2. Deactivate SFU_FINAL_SECURE_LOCK_ENABLE
3. Activate SFU_FWIMG_BLOCK_ON_ABNORMAL_ERRORS_MODE
4. Activate SECBOOT_OB_DEV_MODE
5. Optionally, activate the verbose mode: SFU_VERBOSE_DEBUG_MODE. For details about the impact on mapping, refer to Section 6.2: Memory mapping adaptation.

At the end of the development phase, the SBSFU project must be configured in production mode for the final release:
1. Activate all required security protections: SFU_xxx_PROTECT_ENABLE
2. Deactivate verbose mode: SFU_VERBOSE_DEBUG_MODE
3. Deactivate SFU_FWIMG_BLOCK_ON_ABNORMAL_ERRORS_MODE
4. Deactivate SECBOOT_OB_DEV_MODE
5. Activate SFU_FINAL_SECURE_LOCK_ENABLE to configure the RDP level 2. On STM32H7 Series, the secure user memory is also configured when SFU_FINAL_SECURE_LOCK_ENABLE is enabled.
6. Deactivate SFU_DEBUG_MODE to remove all prints of SBSFU that can be valuable information for an attacker.

Read Protection Level 2 is mandatory to achieve the highest level of protection and to implement a Root of Trust. It is the user's responsibility to activate it in the final SW to be programmed during the product manufacturing stage.

In production mode, the Secure Boot checks the Option Byte values (RDP, WRP, PCROP, Secure user memory) and blocks execution in case a wrong configuration is detected. Depending on the platform, a few other Option Bytes must be configured such as:
- BFB2 disabled for STM32L4 Series and STM32L0 Series devices with dual-bank Flash
- nDBANK enabled for STM32F7 Series
- nBFB2 enabled for STM32L1 Series
- BOOT_LOCK enabled for STM32G0 Series and STM32G4 Series
- DBANK disabled on STM32G4 Series and B-L4S5I-IOT01A board

Caution: Option Bytes must be configured to the production mode values using STM32CubeProgrammer (STM32CubeProg), just after programming the software during the production stage. If this is not done, the device remains unsecured. Refer to [13] for the way to use STM32CubeProgrammer.

AN5056 Rev 8 - SBSFU configuration
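The production-mode checklist above can be enforced as a release gate before the final image is built. The Python script below is an added example, not part of AN5056 or the X-CUBE-SBSFU package. It assumes the switches are plain #define lines in a configuration header that are turned off by commenting them out (no #if guards around them); the sample header is constructed.

```python
import re

# Production-mode rules taken from the checklist above.
MUST_BE_OFF = {"SFU_VERBOSE_DEBUG_MODE", "SFU_FWIMG_BLOCK_ON_ABNORMAL_ERRORS_MODE",
               "SECBOOT_OB_DEV_MODE", "SFU_DEBUG_MODE"}
MUST_BE_ON = {"SFU_FINAL_SECURE_LOCK_ENABLE"}
PROTECT = re.compile(r"SFU_\w+_PROTECT_ENABLE")
DEFINE = re.compile(r"^\s*#\s*define\s+(\w+)", re.M)   # define at line start
MENTION = re.compile(r"#\s*define\s+(\w+)")            # define anywhere


def strip_comments(text):
    """Drop /* ... */ and // comments so commented-out defines do not count."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"//[^\n]*", "", text)


def audit(header_text):
    """Return (errors, review) for a production release of this header."""
    active = set(DEFINE.findall(strip_comments(header_text)))
    mentioned = set(MENTION.findall(header_text))
    errors = sorted(f"{n} must be deactivated" for n in MUST_BE_OFF & active)
    errors += sorted(f"{n} must be activated" for n in MUST_BE_ON - active)
    # A protection present only as a commented-out #define is disabled: list it
    # so a reviewer confirms it is not one of the required protections.
    review = sorted(n for n in mentioned - active if PROTECT.fullmatch(n))
    return errors, review


# Constructed sample: a header still partly in development mode.
SAMPLE = """\
#define SFU_WRP_PROTECT_ENABLE
/* #define SFU_RDP_PROTECT_ENABLE */
// #define SFU_FINAL_SECURE_LOCK_ENABLE
#define SFU_DEBUG_MODE
/*#define SFU_VERBOSE_DEBUG_MODE*/
#define SECBOOT_OB_DEV_MODE
"""

if __name__ == "__main__":
    errors, review = audit(SAMPLE)
    for e in errors:
        print("ERROR:", e)
    for n in review:
        print("REVIEW: disabled protection", n)
    raise SystemExit(1 if errors else 0)
```

This covers only the compile-time switches. The Option Byte values are set separately with STM32CubeProgrammer, as the caution above states.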
