1. Debug Authentication
Debug authentication controls debug opening and regressions. It can be used during development, manufacturing and for field return analysis.
- Features
- the usage of a password method allows only full regression (from closed state to open state).
- the usage of cryptography (certificates) can be used for full regressions ,debug opening and firmware download from a closed device.
- Debug authentication principle
- Use of JTAG dedicated access point (ap0) to communicate with the chip.
- Secure protocol defined by ARM : ARM PSA ADAC V1.0. (Authenticated Debug Access Control)[1]
2. Debug Authentication for STM32H7S with password method
Provisioning with password management
- Provisioning data is located at OBKeys-HDPL0 area.
- Provisioning data is the HASH (SHA256) of the password.
- STM32TrustedPackageCreator is used to generate the OBKeys files containing the HASH of the Debug authentication password adding SHA256 to ensure integrity.
Debug authentication controls
- Full regression with the Debug authentication password.
- Debug authentication password has to be provisioned in OBKeys to allow this regression.
Getting started with Debug authentication
Refer to the following page for an example on getting started with Debug authentication access with password method:
How to start with OEMiRoT - Password method
How to start with STiRoT - Password method
3. Debug Authentication for STM32H7RS with certificate method
Provisioning with certificate management
- Provisioning data is located at OBKeys -HDPL0 area.
- Provisioning data contain:
- HASH (SHA256) of the root Certificate Public Key.
- SOC_PERMISSION: 16 bits defining the permissions authorized by default.
- STM32TrustedPackageCreator generates the OBKeys files containing the provisioning data adding SHA256 to ensure integrity.
Debug authentication controls
- Re-enabling debug possibility.
- Full regression
- Firmware download (access to the secure bootloader)
To perform Debug authentication
- The chip must be provisioned with:
- ECC public key.
- SOC_PERMISSION: 16 bits defining the permissions authorized by default.
- A certificate signed by a private ECC key has to be created to be able to authenticate, and it embeds the following:
- ECC public key.
- PERM_MASK_CERT which describes the capabilities associated with this certificate.
Getting started with Debug authentication
Refer to the following page for an example on getting started with Debug authentication access with certificate method:
How to start with STiRoT - Certificate configuration
How to start with OEMiRoT - Certificate configuration
How to start with DA access on STM32H7RS
4. References