Download
Share
Print this page
ST STM32 Getting Started
  1. Manuals
  2. Brands
  3. ST Manuals
  4. Computer Hardware
  5. STM32 Nucleo
  6. Getting started
ST STM32 Getting Started

ST STM32 Getting Started

Mcu's and arm trustzone development
Hide thumbs Also See for STM32:

Advertisement

Quick Links

Download this manual
AN5421
Application note
®
®
Getting started with STM32 MCU's and Arm
TrustZone
development
Introduction
This document aims to provide guidelines using the EWARM and MDKARM software tool-chains on STM32L5, STM32U3, and
STM32U5 series microcontrollers.
®
This application note provides a basis for building and debugging secure and nonsecure applications for devices based on Arm
®
Cortex
-M33 (Armv8-M architecture).
®
®
®
This document first gives an overview of the Arm
Cortex
-M33 and the TrustZone
concept.
This application note then describes the way of use EWARM and MDKARM with STM32L5, STM32U3, and STM32U5 series
®
microcontrollers when the TrustZone
is enabled through TZEN option bit.
AN5421 - Rev 6 - January 2025
www.st.com
For further information, contact your local STMicroelectronics sales office.

Advertisement

loading
Need help?

Need help?

Do you have a question about the STM32 and is the answer not in the manual?

Questions and answers

Related Manuals for ST STM32

Summary of Contents for ST STM32

  • Page 1 AN5421 Application note ® ® Getting started with STM32 MCU's and Arm TrustZone development Introduction This document aims to provide guidelines using the EWARM and MDKARM software tool-chains on STM32L5, STM32U3, and STM32U5 series microcontrollers. ® This application note provides a basis for building and debugging secure and nonsecure applications for devices based on Arm ®...
  • Page 2 AN5421 General information General information ® ® This document applies to the STM32L5, STM32U3, and STM32U5 series single-core Arm Cortex -M33 based ® ® microcontrollers with Arm TrustZone Note: Arm and TrustZone are registered trademarks of Arm Limited (or its subsidiaries) in the US and/or elsewhere. Reference documents ®...
  • Page 3 AN5421 Arm® Cortex®-M33 core overview ® ® Cortex -M33 core overview ® ® ® The Arm Cortex -M33 is the first full-feature implementation of Armv8-M with TrustZone secure technology and digital signal processing functionality. The processor supports a large number of flexible configuration options to facilitate the deployment of a wide range of applications, and offers a dedicated co-processor interface for ®...
  • Page 4 AN5421 TrustZone® concept of the Armv8-M ® TrustZone concept of the Armv8-M ® ® The Cortex -M33 processor with TrustZone has two security states (see Figure 1) and a number of associated features: • secure state • nonsecure state • four stacks and four stack pointer registers •...
  • Page 5 AN5421 SAU / IDAU - TrustZone® concept ® SAU / IDAU - TrustZone concept ® ® TrustZone security is activated by the TZEN option bit in the FLASH_OPTR register. When the TrustZone enabled, the security attribution unit (SAU) and implementation defined attribution unit (IDAU) define the access permissions based on secure and nonsecure states.
  • Page 6 AN5421 Debugging modes Debugging modes Invasive debug Invasive debug is defined as a debug process where the user controls and observes the processor activity. Most debug features are considered as invasive debug as they enable the user to halt the processor and modify its state.
  • Page 7 AN5421 Debug access Debug access Secure debug access Secure debug access offers full visibility on all instruction execution, across all memory regions, and device peripherals. It allows the tracing and debugging of the secure and the nonsecure software running on the target. Debugging of secure firmware is only available in this mode.
  • Page 8 AN5421 Flash memory protection Flash memory protection ® Readout protection level when TrustZone is disabled There are three readout protection levels as listed below: • Level 0: all read/program/erase operations to and from the user Flash memory are allowed. • Level 1: the Flash memory content is protected against debugger and potential malicious code stored in RAM.
  • Page 9 AN5421 Flash memory protection ® RDP level transition scheme when TrustZone is enabled The RDP level transition scheme when TZEN is set is illustrated in Figure ® Figure 3. RDP level transition scheme when TrustZone is disabled (TZEN = 1) Write Write RDP /= 0XAA, 0x55 And 0xCC...
  • Page 10 Before starting, the option bytes must be set using the STM32CubeProgrammer as detailed in the project readme.txt . This tool is available for download from www.st.com and illustrated in Figure Figure 4.
  • Page 11 AN5421 Using MDK-ARM for Cortex®-M33 with Trust Zone ® Using MDK-ARM for Cortex -M33 with Trust Zone ® ® ® The latest version of MDK-ARM (Keil ) is available for download from the official Arm Keil web site. MDK-ARM ® (Keil ) is installed by default in the "C:\Keil"...
  • Page 12 AN5421 Using MDK-ARM for Cortex®-M33 with Trust Zone 3. Select the correct device by opening the configuration window and selecting: Project / Options for Target / Device then select the device from the list (see Figure Figure 7. Device selection AN5421 - Rev 6 page 12/49...
  • Page 13 AN5421 Using MDK-ARM for Cortex®-M33 with Trust Zone 4. From Project / Options for Target / Target / Code Generation section, select the "Software Model" as "Secure". Ensure the right memory area is selected. See Figure – Secure Boot address : Flash at 0x0C000000 : secure Flash –...
  • Page 14 AN5421 Using MDK-ARM for Cortex®-M33 with Trust Zone 5. Ensure that the secure nonsecure callable functions (NSC) object file “secure_nsclib.o” is defined in Project / Options for Target / Linker under Misc Controls section. Use the [--import_cmse_lib_out ..\lib\nsclib_Secure.o] command to create the output library: nsclib_Secure.o.
  • Page 15 AN5421 Using MDK-ARM for Cortex®-M33 with Trust Zone Figure 10. Scatter file sample 6. Select "ST-LINK Deb ugger" as the debugger from: Project / Options for Target / Debug. See Figure Figure 11. Target options debug If "ST-LINK Debugger" does not appear in the list: a.
  • Page 16 AN5421 Using MDK-ARM for Cortex®-M33 with Trust Zone 7. From "Debug" settings tab, ensure the debugger is connected as illustrated in Figure Figure 12. Debug configuration From the "Flash Download" tab, select the correct Flash-loader (see Figure 13): – "Download Function": sets the Flash operations. –...
  • Page 17 AN5421 Using MDK-ARM for Cortex®-M33 with Trust Zone Figure 13. Flash-loader settings Nonsecure project settings 1. Set project_ns as active project (see Figure 14). Figure 14. Project_ns nonsecure project selection AN5421 - Rev 6 page 17/49...
  • Page 18 AN5421 Using MDK-ARM for Cortex®-M33 with Trust Zone 2. Select the correct device by opening the configuration window: Select Project / Options for Target (see Figure 15). Figure 15. Device selection AN5421 - Rev 6 page 18/49...
  • Page 19 AN5421 Using MDK-ARM for Cortex®-M33 with Trust Zone 3. Ensure the right memory area is selected from Project / Options for Target / Target: – Boot address 0: Flash at 0x08040000: nonsecure flash – Boot address 1: SRAM at 0x20018000: nonsecure SRAM The software model must be set in nonsecure mode (see Figure 16).
  • Page 20 AN5421 Using MDK-ARM for Cortex®-M33 with Trust Zone 4. Add the import library from the secure project: this file is automatically included at link time in the nonsecure project. It allows the nonsecure part to call functions from the secure part (see Figure 17).
  • Page 21 AN5421 Using MDK-ARM for Cortex®-M33 with Trust Zone 5. Select "ST-LINK debugger" from Project / Options for Target / Debug (see Figure 19). Figure 19. Debug settings 6. From Debug settings / Flash Download window (see Figure 20) select: –...
  • Page 22 AN5421 Using MDK-ARM for Cortex®-M33 with Trust Zone 9.2.1 Building a project It is now possible to build both projects at the same time. From Project / Batch Setup (see Figure 21 Figure 22) or from the icon available from the menu bar go to the batch setup menu and select both projects. Note: The secure project must be built first in order to create the import library for the nonsecure project.
  • Page 23 Before downloading the projects, a connection to the STM32L562E-DK Discovery board must be made as follows: 1. Connect the ST-LINKV3 programming and debugging tool on the Discovery board by plugging the USB cable to the board CN17 (ST-LINK USB connector). LD3 illuminates in red when the ST-LINKV3 is connected as...
  • Page 24 AN5421 Using MDK-ARM for Cortex®-M33 with Trust Zone 3. Start a debug session by clicking the “Download and Debug” button in the toolbar illustrated in Figure Figure 26. Download and debug button Note: The system always boots in secure code (main.c) at first and the secure application then launches the nonsecure application as illustrated in below.
  • Page 25 AN5421 Using MDK-ARM for Cortex®-M33 with Trust Zone Figure 28. Code switch to nonsecure code status ® The secure status is provided from the status bar at the bottom of Keil interface as illustrated in Figure Figure 29. CPU status AN5421 - Rev 6 page 25/49...
  • Page 26 AN5421 Using EWARM for Cortex M33 with TrustZone® ® Using EWARM for Cortex M33 with TrustZone ® The latest version of IAR Embedded Workbench for Arm (EWARM) is available to download from the official web site of IAR System. This part uses EWARM v8.40.1 and STM32L562-DK disco board. 10.1 Secure project settings To configure a secure project, the first step is to open "Multi-projects"...
  • Page 27 AN5421 Using EWARM for Cortex M33 with TrustZone® 2. Set project_s-STM32L562E-DK_Templates_TrustZone as active project as illustrated in Figure Figure 31. Setting the project to active status AN5421 - Rev 6 page 27/49...
  • Page 28 AN5421 Using EWARM for Cortex M33 with TrustZone® 3. Open the configuration window by selecting Project-s / Options / General Options and select the correct device from "Processor variant" section. From "TrustZone" section, ensure that the mode selected is "Secure" and "TrustZone" checkbox is checked as shown in Figure Figure 32.
  • Page 29 AN5421 Using EWARM for Cortex M33 with TrustZone® 4. From Project-s / Options / Linker / Config "Linker configuration file editor" section (see Figure 33): a. Click Edit to display the linker configuration file editor. b. Check the linker configuration file to make sure that the application has been linked to the right address: ◦...
  • Page 30 AN5421 Using EWARM for Cortex M33 with TrustZone® 5. Open the debugger tab from: Project / Options / Debugger. From setup section, select ST-LINK as a debugger in the driver field (see Figure 34). Figure 34. Project debugger setup AN5421 - Rev 6...
  • Page 31 AN5421 Using EWARM for Cortex M33 with TrustZone® 6. From the "Download" tab, ensure that "Use flash loader" is checked (see Figure 35). Figure 35. FlashLoader selection AN5421 - Rev 6 page 31/49...
  • Page 32 AN5421 Using EWARM for Cortex M33 with TrustZone® 7. The secure project must specify the nonsecure project output file as an extra image that must be loaded by the debugger. To do this, use: Project / Options / Debugger / Images and check the "Download extra image" check box (see Figure 36).
  • Page 33 Hardware reset: the probe toggles the nSRST/nRESET line on the JTAG connector to reset the device. This reset usually resets the peripheral units also. ◦ Connect during reset: ST-LINK connects to the target while keeping Reset active. Reset is pulled low and remains low while connecting to the target. –...
  • Page 34 AN5421 Using EWARM for Cortex M33 with TrustZone® 10.2 Nonsecure project settings Set project_s-STM32L562E-DK_Templates_TrustZone as active project 1. Open the configuration window by selecting Project-s / Options/ General Options. In the "Target" tab, select the correct device from processor variant section (see Figure 38).
  • Page 35 AN5421 Using EWARM for Cortex M33 with TrustZone® 2. From Project-s / Options / Linker / Linker configuration file section (see Figure 39): – Click edit to display the linker configuration file editor. – Check the linker configuration file to make sure that the application has been linked to the right address: ◦...
  • Page 36 AN5421 Using EWARM for Cortex M33 with TrustZone® 3. From Project-s / Options / Linker in the "Library" (see Figure 40). Add the imported library from the secure project. This file is automatically included at link time in the nonsecure project. It allows the nonsecure part to call functions of the secure part. Figure 40.
  • Page 37 AN5421 Using EWARM for Cortex M33 with TrustZone® 10.3 Build projects Both projects are ready to be built. 1. Select Project / Batch Build or the icon available from the menu bar (see Figure 41). Figure 41. Project batch build AN5421 - Rev 6 page 37/49...
  • Page 38 AN5421 Using EWARM for Cortex M33 with TrustZone® 2. Add the two configurations to be built at the same time (see Figure 42). Note: The secure project must be built first in order to create the import library for the nonsecure project. In order to build the secure project before the nonsecure one, it must be first in the build order as illustrated below.
  • Page 39 1. Before downloading the project, connect to the STM32L562E-DK Discovery board as follows (see Figure 43): – Connect the ST-LINKV3 programming and debugging tool to the Discovery board by plugging the USB cable to the CN17 ST-LINK USB connector of the board. – LD3 illuminates in red when the ST-LINKV3 is connected.
  • Page 40 AN5421 Using EWARM for Cortex M33 with TrustZone® 2. Select the Project_ns project as active project then load the nonsecure binary code. Start a debug session by clicking the download and debug button in the toolbar to program the flash memory and start debugging (see Figure 44).
  • Page 41 AN5421 Using EWARM for Cortex M33 with TrustZone® 4. The secure status is provided from secure register under CPU registers (see Figure 46). Figure 46. Secure register location 0 = nonsecure 1 = secure AN5421 - Rev 6 page 41/49...
  • Page 42 AN5421 Using EWARM for Cortex M33 with TrustZone® 10.5 Connection issue to STM32L552ZE-Q when RDP is set to 0.5 The EWARM is able to connect to the device and debug the nonsecure application. To connect to the STM32L552ZE-Q, proceed as follows: 1.
  • Page 43 AN5421 Using EWARM for Cortex M33 with TrustZone® 4. Change the Reset mode to software reset: Project options / ST-LINK in the "Setup" tab select "Software" from the "Reset" field as illustrated in Figure Figure 49. Reset mode selection AN5421 - Rev 6...
  • Page 44 AN5421 Using EWARM for Cortex M33 with TrustZone® 5. Connect to the device in Hot-plug mode from: Project / Attach to the Running Target (see Figure 50). Figure 50. Attach to running target option Note: IDEs do not support the nonsecure flash reprogramming in RDP level 0.5, only STM32Cubeprogrammer allows AN5421 - Rev 6 page 44/49...
  • Page 45 Using CubeIDE for Cortex®-M33 with TrustZone® ® ® Using CubeIDE for Cortex -M33 with TrustZone This part is explained in the Getting started with STM32 development in CubeIDE (AN5394), which is available on www.st.com AN5421 - Rev 6 page 45/49...
  • Page 46 AN5421 Revision history Table 1. Document revision history Date Version Changes 21-Feb-2020 Initial release. 01-Aug-2022 Updated Figure 42. Project batch build order Updated: 15-May-2023 • Product series to include STM32U5 series • Section 1: General information Updated: 12-Sep-2023 • Title •...
  • Page 47 AN5421 Contents Contents General information ............. . . 2 ®...
  • Page 48 AN5421 List of figures List of figures Figure 1. Security state in Armv8-M ............4 ®...
  • Page 49 ST’s terms and conditions of sale in place at the time of order acknowledgment. Purchasers are solely responsible for the choice, selection, and use of ST products and ST assumes no liability for application assistance or the design of purchasers’...

This manual is also suitable for:

Stm32l5Stm32u3Stm32u5