Skip to content

Fix STM32H5 update #617

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
dgarske merged 9 commits into from
Oct 29, 2025
Merged

Fix STM32H5 update #617

Show file tree
Hide file tree
Changes from 5 commits
Commits
Show all changes
9 commits
Select commit Hold shift + click to select a range
58baba2
Fix STM32H5 update
mattia-moffa Oct 23, 2025
fdcd7be
Don't use hardcoded value; add comment
mattia-moffa Oct 23, 2025
70f12a2
Update docs
mattia-moffa Oct 24, 2025
fd2c81a
Fix H5 erase bug
mattia-moffa Oct 24, 2025
e0e9217
Fix some issues with documentation for STM32H5 and include steps to t…
dgarske Oct 24, 2025
177358e
Update H5 app to use new NSC API
mattia-moffa Oct 28, 2025
1813463
Fix non-trustzone configs
mattia-moffa Oct 28, 2025
ea9484f
Add docs for NSC APIs and update H5 option bytes
mattia-moffa Oct 29, 2025
70d25f4
Fix docs link
mattia-moffa Oct 29, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 5 additions & 5 deletions docs/STM32-TZ.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -192,7 +192,7 @@ OPTION BYTES BANK: 2

Boot Configuration:

NSBOOTADD : 0x80400 (0x8040000)
NSBOOTADD : 0x80600 (0x8060000)
NSBOOT_LOCK : 0xC3 (The SWAP_BANK and NSBOOTADD can still be modified following their individual rules.)
SECBOOT_LOCK : 0xC3 (The BOOT_UBE, SWAP_BANK and SECBOOTADD can still be modified following their individual rules.)
SECBOOTADD : 0xC0000 (0xC000000)
Expand All @@ -201,7 +201,7 @@ OPTION BYTES BANK: 3
Bank1 - Flash watermark area definition:

SECWM1_STRT : 0x0 (0x8000000)
SECWM1_END : 0x1F (0x803E000)
SECWM1_END : 0x2F (0x805e000)

Write sector group protection 1:

Expand All @@ -210,8 +210,8 @@ OPTION BYTES BANK: 4

Bank2 - Flash watermark area definition:

SECWM2_STRT : 0x0 (0x08100000)
SECWM2_END : 0x1F (0x0813e000)
SECWM2_STRT : 0x2F (0x0815e000)
SECWM2_END : 0x0 (0x08100000)

Write sector group protection 2:

Expand Down Expand Up @@ -251,7 +251,7 @@ OPTION BYTES BANK: 9

```
STM32_Programmer_CLI -c port=swd -d wolfboot.bin 0x0C000000
STM32_Programmer_CLI -c port=swd -d test-app/image_v1_signed.bin 0x08040000
STM32_Programmer_CLI -c port=swd -d test-app/image_v1_signed.bin 0x08060000
```

- After rebooting, the LED on the board should turn on sequentially:
Expand Down
37 changes: 25 additions & 12 deletions docs/Targets.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -175,10 +175,10 @@ The example configuration for this scenario is available in [/config/examples/st
- User Option Bytes requirement (with STM32CubeProgrammer tool - see below for instructions)

```
TZEN = 1 System with TrustZone-M enabled
DBANK = 1 Dual bank mode
SECWM1_PSTRT=0x0 SECWM1_PEND=0x7F All 128 pages of internal Flash Bank1 set as secure
SECWM2_PSTRT=0x1 SECWM2_PEND=0x0 No page of internal Flash Bank2 set as secure, hence Bank2 non-secure
TZEN = 1 System with TrustZone-M enabled
DBANK = 1 Dual bank mode
SECWM1_STRT=0x0 SECWM1_END=0x7F All 128 pages of internal Flash Bank1 set as secure
SECWM2_STRT=0x1 SECWM2_END=0x0 No page of internal Flash Bank2 set as secure, hence Bank2 non-secure
```

- NOTE: STM32CubeProgrammer V2.3.0 is required (v2.4.0 has a known bug for STM32L5)
Expand All @@ -189,7 +189,7 @@ SECWM2_PSTRT=0x1 SECWM2_PEND=0x0 No page of internal Flash Bank2 set as secur
2. `make`
3. Prepare board with option bytes configuration reported above
- `STM32_Programmer_CLI -c port=swd mode=hotplug -ob TZEN=1 DBANK=1`
- `STM32_Programmer_CLI -c port=swd mode=hotplug -ob SECWM1_PSTRT=0x0 SECWM1_PEND=0x7F SECWM2_PSTRT=0x1 SECWM2_PEND=0x0`
- `STM32_Programmer_CLI -c port=swd mode=hotplug -ob SECWM1_STRT=0x0 SECWM1_END=0x7F SECWM2_STRT=0x1 SECWM2_END=0x0`
4. flash wolfBoot.bin to 0x0c00 0000
- `STM32_Programmer_CLI -c port=swd -d ./wolfboot.bin 0x0C000000`
5. flash .\test-app\image_v1_signed.bin to 0x0804 0000
Expand Down Expand Up @@ -316,10 +316,10 @@ SRAM memories into two parts:
- User Option Bytes requirement (with STM32CubeProgrammer tool - see below for instructions)

```
TZEN = 1 System with TrustZone-M enabled
DBANK = 1 Dual bank mode
SECWM1_PSTRT=0x0 SECWM1_PEND=0x7F All 128 pages of internal Flash Bank1 set as secure
SECWM2_PSTRT=0x1 SECWM2_PEND=0x0 No page of internal Flash Bank2 set as secure, hence Bank2 non-secure
TZEN = 1 System with TrustZone-M enabled
DBANK = 1 Dual bank mode
SECWM1_STRT=0x0 SECWM1_END=0x7F All 128 pages of internal Flash Bank1 set as secure
SECWM2_STRT=0x1 SECWM2_END=0x0 No page of internal Flash Bank2 set as secure, hence Bank2 non-secure
```

- NOTE: STM32CubeProgrammer V2.8.0 or newer is required
Expand All @@ -330,7 +330,7 @@ SECWM2_PSTRT=0x1 SECWM2_PEND=0x0 No page of internal Flash Bank2 set as secur
2. `make TZEN=1`
3. Prepare board with option bytes configuration reported above
- `STM32_Programmer_CLI -c port=swd mode=hotplug -ob TZEN=1 DBANK=1`
- `STM32_Programmer_CLI -c port=swd mode=hotplug -ob SECWM1_PSTRT=0x0 SECWM1_PEND=0x7F SECWM2_PSTRT=0x1 SECWM2_PEND=0x0`
- `STM32_Programmer_CLI -c port=swd mode=hotplug -ob SECWM1_STRT=0x0 SECWM1_END=0x7F SECWM2_STRT=0x1 SECWM2_END=0x0`
4. flash wolfBoot.bin to 0x0c000000
- `STM32_Programmer_CLI -c port=swd -d ./wolfboot.bin 0x0C000000`
5. flash .\test-app\image_v1_signed.bin to 0x08010000
Expand Down Expand Up @@ -915,7 +915,7 @@ The example configuration for this scenario is available in [/config/examples/st
`STM32_Programmer_CLI -c port=swd -ob TZEN=0xB4`

- set the option bytes to enable flash secure protection of first 384KB and remainder as non-secure:
`STM32_Programmer_CLI -c port=swd -ob SECWM1_PSTRT=0x0 SECWM1_PEND=0x2F SECWM2_PSTRT=0x2F SECWM2_PEND=0x0`
`STM32_Programmer_CLI -c port=swd -ob SECWM1_STRT=0x0 SECWM1_END=0x2F SECWM2_STRT=0x2F SECWM2_END=0x0`

- flash the wolfboot image to the secure partition:
`STM32_Programmer_CLI -c port=swd -d wolfboot.bin 0x0C000000`
Expand All @@ -925,6 +925,19 @@ The example configuration for this scenario is available in [/config/examples/st

For a full list of all the option bytes tested with this configuration, refer to [STM32-TZ.md](/docs/STM32-TZ.md).

You can use the "update" command and XMODEM to send a newly signed update (see docs/flash-OTP.md) or use the steps below using the STM32_Programmer:

```sh
IMAGE_HEADER_SIZE=1024 tools/keytools/sign --ecc256 test-app/image.bin wolfboot_signing_private_key.der 2
echo -n "pBOOT" > trigger_magic.bin
./tools/bin-assemble/bin-assemble \
update.bin \
0x0 test-app/image_v2_signed.bin \
0x9FFFB trigger_magic.bin
STM32_Programmer_CLI -c port=swd -d update.bin 0x08100000
```


### Scenario 2: TrustZone Enabled, wolfCrypt as secure engine for NS applications

This is similar to Scenario 1, but also includes wolfCrypt in secure mode, and
Expand Down Expand Up @@ -975,7 +988,7 @@ To initiate an update, sign a new version of the app and upload the v3 to the up
on the second bank:

```sh
tools/keytools/sign --ecc256 test-app/image.bin wolfboot_signing_private_key.der 3
IMAGE_HEADER_SIZE=1024 tools/keytools/sign --ecc256 test-app/image.bin wolfboot_signing_private_key.der 3
Comment thread
dgarske marked this conversation as resolved.
STM32_Programmer_CLI -c port=swd -d test-app/image_v3_signed.bin 0x08160000
```

Expand Down
14 changes: 10 additions & 4 deletions hal/stm32_tz.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -96,19 +96,21 @@ void hal_tz_claim_nonsecure_area(uint32_t address, int len)
uint32_t reg;
uint32_t end = address + len;
uint32_t start_address = address;
uint32_t start_page_n;
uint32_t bank = 0;
int pos;

if (!is_range_nonsecure(address, len))
return;

if (address < FLASH_BANK2_BASE) {
page_n = (address - ARCH_FLASH_OFFSET) / FLASH_PAGE_SIZE;
start_page_n = (address - ARCH_FLASH_OFFSET) / FLASH_PAGE_SIZE;
bank = 0;
} else {
page_n = (address - FLASH_BANK2_BASE) / FLASH_PAGE_SIZE;
start_page_n = (address - FLASH_BANK2_BASE) / FLASH_PAGE_SIZE;
bank = 1;
}
page_n = start_page_n;
#ifdef TARGET_stm32h5
/* Take into account current swap configuration */
if ((FLASH_OPTSR_CUR & FLASH_OPTSR_SWAP_BANK) >> 31)
Expand All @@ -129,13 +131,14 @@ void hal_tz_claim_nonsecure_area(uint32_t address, int len)
page_n++;
}
address = start_address;
page_n = start_page_n;
while (address < end) {
/* Erase claimed non-secure page, in secure mode */
#ifndef TARGET_stm32h5
reg = FLASH_CR & (~((FLASH_CR_PNB_MASK << FLASH_CR_PNB_SHIFT) | FLASH_CR_PER | FLASH_CR_BKER | FLASH_CR_PG | FLASH_CR_MER1 | FLASH_CR_MER2));
FLASH_CR = reg | ((page_n << FLASH_CR_PNB_SHIFT) | FLASH_CR_PER);
#else
reg = FLASH_CR & (~((FLASH_CR_PNB_MASK << FLASH_CR_PNB_SHIFT) | FLASH_CR_SER | FLASH_CR_BER | FLASH_CR_PG | FLASH_CR_MER));
reg = FLASH_CR & (~((FLASH_CR_PNB_MASK << FLASH_CR_PNB_SHIFT) | FLASH_CR_SER | FLASH_CR_BER | FLASH_CR_PG | FLASH_CR_MER | FLASH_CR_BKSEL));
FLASH_CR = reg | ((page_n << FLASH_CR_PNB_SHIFT) | FLASH_CR_SER | (bank << 31));
#endif

Expand All @@ -162,8 +165,11 @@ void hal_tz_release_nonsecure_area(void)
{
#ifndef DUALBANK_SWAP
int i;
for (i = 0; i < FLASH_SECBB_NREGS; i++)
/* Set all banks as non-secure */
for (i = 0; i < FLASH_SECBB_NREGS; i++) {
FLASH_SECBB1[i] = 0;
Comment thread
dgarske marked this conversation as resolved.
FLASH_SECBB2[i] = 0;
}
#else
uint32_t addr;
int bank_swp = 0;
Expand Down
37 changes: 25 additions & 12 deletions hal/stm32h5.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -33,17 +33,20 @@

#if TZ_SECURE()

/* This function assumes that the boot and the update
* partitions are at the same address in the two banks,
* regardless if DUALBANK_SWAP is active or not.
*/
static int is_flash_nonsecure(uint32_t address)
{
#ifndef DUALBANK_SWAP
if (address >= WOLFBOOT_PARTITION_BOOT_ADDRESS) {
return 1;
}
return 0;
#else
uint32_t in_bank_offset = (address & 0x000FFFFF);
if (in_bank_offset >= (WOLFBOOT_PARTITION_BOOT_ADDRESS - FLASHMEM_ADDRESS_SPACE)) {
return 1;
}
return 0;
#endif
}
#endif

Expand Down Expand Up @@ -189,6 +192,7 @@ void RAMFUNCTION hal_flash_opt_lock(void)

int RAMFUNCTION hal_flash_erase(uint32_t address, int len)
{
uint32_t start_address;
uint32_t end_address;
uint32_t p;

Expand All @@ -199,8 +203,17 @@ int RAMFUNCTION hal_flash_erase(uint32_t address, int len)
if (address < 0x08000000)
return -1;

end_address = address + len - 1;
for (p = address; p < end_address; p += FLASH_PAGE_SIZE) {
#if TZ_SECURE()
start_address = address | FLASH_SECURE_MMAP_BASE;
if (is_flash_nonsecure(address)) {
hal_tz_claim_nonsecure_area(address, len);
}
#else
start_address = address;
#endif

end_address = start_address + len - 1;
for (p = start_address; p < end_address; p += FLASH_PAGE_SIZE) {
uint32_t reg;
uint32_t base;
uint32_t bnksel = 0;
Expand All @@ -211,12 +224,6 @@ int RAMFUNCTION hal_flash_erase(uint32_t address, int len)
base = FLASH_BANK2_BASE;
bnksel = 1;
}
#if TZ_SECURE()
/* When in secure mode, skip erasing non-secure pages: will be erased upon claim */
if (is_flash_nonsecure(address)) {
return 0;
}
#endif
/* Check for swapped banks to invert bnksel */
if ((FLASH_OPTSR_CUR & FLASH_OPTSR_SWAP_BANK) >> 31)
bnksel = !bnksel;
Expand All @@ -228,6 +235,12 @@ int RAMFUNCTION hal_flash_erase(uint32_t address, int len)
}
/* If the erase operation is completed, disable the associated bits */
FLASH_CR &= ~FLASH_CR_SER ;

#if TZ_SECURE()
if (is_flash_nonsecure(address)) {
hal_tz_release_nonsecure_area();
}
#endif
return 0;
}

Expand Down