SFI for STM32H7Rx/7Sx

1 Introduction

In this article, STM32H7RS refers to the STM32H7Rx/7Sx microcontroller product lines. The STM32H7RS MCUs supports the secure firmware install (SFI) only on their internal flash memories by means of a dedicated RSSe (secure firmware extension).

STMicroelectronics provides the SFI solution to perform the preparation and installation flows.

2 SFI for STM32H7RS

The SFI procedure on the STM32H7RS MCUs is similar to the SFI procedure applied to other platforms. The main difference is that the interaction between the host and the STM32H7RS MCU is not possible during SFI. Follow SFI Step-by-step on STM32 boards to run the SFI procedure on the STM32H7RS MCUs. SFI on external flash memory (SFIx) is not supported on STM32H7RS MCUs.

2.1 Preparation flow

2.1.1 Overview

Security SFI H7RS Preparation Flow

The purpose of this step is to:

  • Prepare the encrypted firmware image to install. This image is called the SFI image. It is composed of the OEM application and the additional components (OEM secrets and OEM option bytes).
  • Provision the OEM key within an HSM.

2.1.2 SFI image SFI image generation

Once the OEM application has been developed, the OEM must prepare and test the SFI image to be installed during manufacturing.
For that purpose, the OEM must use the STM32 Trusted Package Creator tool. This allows the correct generation of the SFI image and its testing before manufacturing.

The output of the STM32 Trusted Package Creator is the tested SFI image, ready to be installed during manufacturing. Description of the SFI image inputs

The OEM must provide the following inputs:

  • The OEM application: The OEM must provide its application binary.
  • The OEM secrets: The OEM secrets are the OEM data and the OEM keys.

During the SFI procedure, the OEM must set its secrets, paying specific attention to the following:

  • OEM option byte key (OBKey) provisioning:
    • OBKey HDPL0 must be done first; It includes debug authentication (DA) configuration.
    • Then, other OBKey can be done (optional), such as OBKey IROT.
  • OEM option bytes (OB): The OEM must set carefully the STM32H7RS product state.

The STM32H7RS flash memory configuration to install via the SFI procedure must be the same than the one used during the OEM application development. SFI image output description

The Trusted Package Creator encrypts the SFI image inputs with the OEM key and generates the SFI image.
The SFI image is then an encrypted image containing the OEM application, the OEM secrets, and the OEM option bytes.

2.1.3 OEM key provisioning

The OEM must provide its OEM key to the contract manufacturer (CM) in such a way that the OEM key cannot be read or extracted clearly by the CM. Only the STM32 can handle the OEM key.

In SFI for STM32H7RS, to provide the OEM key to the CM:

  • The OEM provisions its OEM key, using the Trusted Package Creator, in one HSM.


  • Only the STMicroelectronics STM32 microcontrollers can securely install the SFI image.
  • The authenticity, integrity, and confidentiality of the SFI image content are ensured.

When using the HSM, the number of STM32 chips to program can be counted.

2.2 Installation flow

The installation procedure is similar to the generic SFI installation procedure, which is deployed on other STM32 products supporting SFI.

Security SFI H7RS Installation Flow.png

Info white.png Information
For an overview of the SFI image programming, refer to the chapter 6 of AN4992 called "SFI image programming by OEMs or CMs".