STM32 header for binary files

The STM32 header is a STMicroelectronics header needed for binaries loaded by ROM code.

1. Description↑

Each binary image loaded by the ROM code needs to include a specific STM32 header added on top of the binary data. This header includes mandatory and optional information: this second one is only needed for the authentication (STM32MP1 Series) and decryption (STM32MP13x lines ) processes.

2. On STM32MP13x lines ↑

2.1. Base header↑

Name	Length	Byte Offset	Description
Magic number	32 bits	0	4 bytes in big endian: 'S', 'T', 'M', 0x32 = 0x53544D32
Image signature	512 bits	4	ECDSA signature for image authentication^{[Note 1]}
Image checksum	32 bits	68	Checksum of the payload^{[Note 2]}
Header version	32 bits	72	Header version v2.0 = 0x00020000 Byte0: reserved Byte1: major version = 0x02 Byte2: minor version = 0x00 Byte3: reserved
Image length	32 bits	76	Length of image in bytes^{[Note 3]}
Image entry Point	32 bits	80	Entry point of image
Reserved	96 bits	84	Reserved
Version number	32 bits	96	Image Version (monotonic number)^{[Note 4]}
Option flags	32 bits	100	b0=1: Authentication enabled^{[Note 5]} b1=1: Decryption enabled.^{[Note 6]} b31=1: Header padding enabled^{[Note 7]}
Header extensions length	32 bits	104	Sizes of header extensions enabled by option flags.
Padding	20 Bytes	108	Reserved padding bytes^{[Note 8]}. Must all be set to 0

↑ Signature is calculated from first byte of header version field to last byte of image given by image length field.
↑ 32-bit sum of all payload bytes accessed as 8-bit unsigned numbers, discarding any overflow bits. Used to check the downloaded image integrity when signature is not used (if b0=0 in Option flags).
↑ Length is the length of the built image, it does not include the length of the STM32 header.
↑ Image version number is an anti rollback monotonic counter. The ROM code checks that it is higher or equal to the monotonic counter stored in OTP.
↑ Enabling signature verification is mandatory on secure closed chips. Authentication parameters are stored in "Authentication header extension".
↑ When decryption is enabled, authentication is mandatory. Decryption parameters are stored in "Decryption header extension".
↑ This header padding extension is always used to have a fixed size of 512 bytes for the whole size of header + its extensions.
↑ This padding forces STM32 base header size to 128 bytes (0x80).

2.2. Authentication header extension↑

This header extension contains parameters needed for authentication.

Name	Length	Byte Offset^{[Note 1]}	Description
Extension type	32 bits	0	4 bytes in big endian: 'S', 'T', 0x00, 0x02 = 0x53540002
Extension length	32 bits	4	Number of bytes of header extension = 340
Public key index	32 bits	8	Index of the public key to be used.
Public key number	32 bits	12	Number of public keys in table = 8
ECDSA algorithm	32 bits	16	1: P-256 NIST ; 2: brainpool 256
ECDSA public key	512 bits	20	ECDSA public key to be used to verify the signature.^{[Note 2]}
Public key1 hash	256 bits	84	Hash of (Algorithm+Public key1)
...	...	...	Hashes of (Algorithm+Public key), for key2 up to key7
Public key8 hash^{[Note 3]}	256 bits	308	Hash of (Algorithm+Public key8)

↑ Offset is relative to header extension base
↑ This field is an extract of PEM public key file that only kept the ECC Point coordinates x and y in a raw binary format (RFC 5480). This field will be hashed with SHA-256 and compared to the Hash of pubKey that is stored in the entry of the public key table referenced by the public key index.
↑ The table of public key hashes will be hashed with SHA-256 by the ROM code and compared to the Hash of Public Keys Hashes Table (PKHTH) that is stored in OTP.

2.3. Decryption header extension↑

This header extension contains parameters needed for decryption.

Name	Length	Byte Offset^{[Note 1]}	Description
Extension type	32 bits	0	4 bytes in big endian: 'S', 'T', 0x00, 0x01 = 0x53540001
Extension length	32 bits	4	Number of bytes of header extension = 32
Key size	32 bits	8	Size of extension key (128 bits)^{[Note 2]}.
Derivation constant	32 bits	12	Constant used to derive decryption key from master key stored in OTP.
Plain hash	128 bits	16	128 msb bits of plain payload SHA256.

↑ Offset is relative to header extension base
↑ Key size is fixed to 128 bits

2.4. Padding header extension↑

Name	Length	Byte Offset^{[Note 1]}	Description
Extension type	32 bits	0	4 bytes in big endian: 'S', 'T', 0xFF, 0xFF = 0x5354FFFF
Extension length	32 bits	4	Number of bytes of header extension = N + 8
Padding bytes	N bytes	8	Padding bytes^{[Note 2]}.

↑ Offset is relative to header extension base
↑ N shall be calculated by signing tool so that the size of whole header plus its extension is equal to 512 bytes

3. On STM32MP15x lines ↑

Name	Length	Byte Offset	Description
Magic number	32 bits	0	4 bytes in big endian: 'S', 'T', 'M', 0x32 = 0x53544D32
Image signature	512 bits	4	ECDSA signature for image authentication^{[Note 1]}
Image checksum	32 bits	68	Checksum of the payload^{[Note 2]}
Header version	32 bits	72	Header version v1.0 = 0x00010000 Byte0: reserved Byte1:major version = 0x01 Byte2: minor version = 0x00 Byte3: reserved
Image length	32 bits	76	Length of image in bytes^{[Note 3]}
Image entry Point	32 bits	80	Entry point of image
Reserved1	32 bits	84	Reserved
Load address	32 bits	88	Load address of image^{[Note 4]}
Reserved2	32 bits	92	Reserved
Version number	32 bits	96	Image Version (monotonic number)^{[Note 5]}
Option flags	32 bits	100	b0=1: no signature verification^{[Note 6]}
ECDSA algorithm	32 bits	104	1: P-256 NIST ; 2: brainpool 256
ECDSA public key	512 bits	108	ECDSA public key to be used to verify the signature.^{[Note 7]}
Padding	83 Bytes	172	Reserved padding bytes^{[Note 8]}. Must all be set to 0.
Binary type	1 Byte	255	Used to check the binary type 0x10-0x1F: FSBL 0x30: Copro

↑ Signature is calculated from first byte of header version field to last byte of image given by image length field.
↑ 32-bit sum of all payload bytes accessed as 8-bit unsigned numbers, discarding any overflow bits. Used to check the downloaded image integrity when signature is not used (if b0=1 in Option flags).
↑ Length is the length of the built image, it does not include the length of the STM32 header.
↑ This field is not used by ROM code.
↑ Image version number is an anti rollback monotonic counter. The ROM code checks that it is higher or equal to the monotonic counter stored in OTP.
↑ Enabling signature verification is mandatory on secure closed chips.
↑ This field is an extract of PEM public key file that only kept the ECC Point coordinates x and y in a raw binary format (RFC 5480). This field will be hashed with SHA-256 and compared to the Hash of pubKey that is stored in OTP.
↑ This padding forces STM32 header size to 256 bytes (0x100).

[1] Signature is calculated from first byte of header version field to last byte of image given by image length field.

[2] 32-bit sum of all payload bytes accessed as 8-bit unsigned numbers, discarding any overflow bits. Used to check the downloaded image integrity when signature is not used (if b0=0 in Option flags).

[3] Length is the length of the built image, it does not include the length of the STM32 header.

[4] Image version number is an anti rollback monotonic counter. The ROM code checks that it is higher or equal to the monotonic counter stored in OTP.

[5] Enabling signature verification is mandatory on secure closed chips. Authentication parameters are stored in "Authentication header extension".

[6] When decryption is enabled, authentication is mandatory. Decryption parameters are stored in "Decryption header extension".

[7] This header padding extension is always used to have a fixed size of 512 bytes for the whole size of header + its extensions.

[8] This padding forces STM32 base header size to 128 bytes (0x80).

[9] Offset is relative to header extension base

[10] This field is an extract of PEM public key file that only kept the ECC Point coordinates x and y in a raw binary format (RFC 5480). This field will be hashed with SHA-256 and compared to the Hash of pubKey that is stored in the entry of the public key table referenced by the public key index.

[11] The table of public key hashes will be hashed with SHA-256 by the ROM code and compared to the Hash of Public Keys Hashes Table (PKHTH) that is stored in OTP.

[12] Offset is relative to header extension base

[13] Key size is fixed to 128 bits

[14] Offset is relative to header extension base

[15] N shall be calculated by signing tool so that the size of whole header plus its extension is equal to 512 bytes

[16] Signature is calculated from first byte of header version field to last byte of image given by image length field.

[17] 32-bit sum of all payload bytes accessed as 8-bit unsigned numbers, discarding any overflow bits. Used to check the downloaded image integrity when signature is not used (if b0=1 in Option flags).

[18] Length is the length of the built image, it does not include the length of the STM32 header.

[19] This field is not used by ROM code.

[20] Image version number is an anti rollback monotonic counter. The ROM code checks that it is higher or equal to the monotonic counter stored in OTP.

[21] Enabling signature verification is mandatory on secure closed chips.

[22] This field is an extract of PEM public key file that only kept the ECC Point coordinates x and y in a raw binary format (RFC 5480). This field will be hashed with SHA-256 and compared to the Hash of pubKey that is stored in OTP.

[23] This padding forces STM32 header size to 256 bytes (0x100).

[Note 1]

[Note 2]

[Note 3]

[Note 4]

[Note 5]

[Note 6]

[Note 7]

[Note 8]

[Note 1]

[Note 2]

[Note 3]

[Note 1]

[Note 2]

[Note 1]

[Note 2]

[Note 1]

[Note 2]

[Note 3]

[Note 4]

[Note 5]

[Note 6]

[Note 7]

[Note 8]