1. Introduction
This article gives an overview about debug authentication applied to STM32H5 MCUs.
A detailed description of debug authentication is provided in AN6008.
If you want to learn more about debug authentication specific usage for each STM32H5 device and you want to practice, refer to Debug Authentication STM32H5 How to Introduction.
List of applicable products:
Type | Products |
---|---|
Microcontroller | STM32H573xx, STM32H563xx, STM32H562xx, STM32H533xx, STM32H523xx, STM32H503xx |
2. Debut authentication services
The debug authentication allows to securely:
- Reopen the debug access.
- Perform regression to product states OPEN (full regression) or TZ-CLOSED (partial regression).
The debug authentication services are usable:
- During development.
- For field return analysis.
Here is an overview of the debug authentication setup:
Two authentication methods are available:
- When TrustZone® is disabled, the authentication method used by the protocol requires a password. Only a full regression to the OPEN state is possible.
- When TrustZone® is enabled, the authentication method used by the protocol requires a certificate chain. Regression and debug opening are possible. In this case, the possible actions are:
- A partial regression (to TZ-CLOSED state).
- A full regression (to OPEN state).
- A debug reopening.
When using certificates, the authorized actions are defined through masks.
Refer to AN6008 for more details about debug authentication certificates, actions, and masks usage.
The debug authentication protocol uses the JTAG dedicated access point (ap0) to communicate with the chip.
The protocol is defined by Arm®: ARM PSA ADAC V1.0. (Authenticated Debug Access Control)
Refer to AN6008 for more details on the debug authentication protocol.
3. Debug authentication provisioning
The debug authentication provisioning consists in storing the password hash or hash of the key related to the root certificate inside the chip.
According to the STM32H5 series devices, these data are stored in OBKey or in OTP.
- STM32H523/533/562/563/573 has OBKey areas used to store keys/passwords.
- STM32H503 devices do not have an OBKey area and use an OTP (one-time programming) area to store the password hash. That means that the provisioned password hash cannot be changed anymore once provisioned.
Refer to AN6008 for more details on the debug authentication provisioning.