Certificates And Certificate Chains; Permission Masks; Figure 6. Debug Authentication Using A Root Certificate - ST STM32H5 Series Getting Started

5.4.2

Certificates and certificate chains

There are three types of certificates:
• Root certificate
• Intermediate certificate
• Leaf certificate
Example of usage: a manufacturer (root level) subcontracts some services to other entities (intermediate level).
These subcontractors also subcontract some of their services to other entities (leaf level).
A certificate chain can be composed of:
• A root certificate only
• A root certificate + a leaf certificate
• A root certificate + Nx intermediate certificates + a leaf certificate
Certificates and certificate chain are created by using STM32 Trusted Package Creator.
5.4.3

Permission masks

Each certificate brings additional limitations to the authorized actions through a permission mask.
When using the certificate method, the requested action is applied only if the accumulation of the different masks
of the chain authorizes this action.
Several masks are involved in the permission accumulation:
• The product mask, which is hardcoded in the device (all supported actions are authorized).
• The permission mask, which is defined in HDPL1 OBK during the provisioning sequence (refer to
Section 4.1.4
• The certificate mask defined in each certificate of the certificate chain.
• The token mask defined in the token to trigger an action.
Example of a forbidden action
In this example, the token mask is used to request a debug opening from HDPL1 S/NS but the permission mask
defined in the leaf certificate forbids the debug opening from HDPL1.
So finally, the requested action is rejected.
In the example described in
AN6008 - Rev 1
Figure 6. Debug authentication using a root certificate
for permission mask details).
Figure 7, the certificate chain contains a root certificate and a leaf certificate.
STM32H5 debug authentication protocol description
AN6008
page 14/25