PEmicro Blog

STMicroelectronics: STM32H7RS Product Lifecycle Management and Provisioning Debug Authentication OBKeys

Sep 02, 2025

PEmicro's development tools and production programmers now support Debug Authentication provisioning with a password configuration for STMicroelectronics' STM32H7S3, STM32H7S7, STM32H7R3, and STM32H7R7 products. 

Prerequisites:

  • PROGACMP v9.86+ or Cyclone Firmware 11.xx+
  • STM32Cube_FW_H7RS_V1.0.0 or later
  • STM32 Trusted Package Creator v2.19.0 or later

Overview:

The STM32H7R/S implements a device life cycle state machine, supporting 4 states and two debug authentication mechanisms[1]. The product life cycle flow is depicted in the following diagram from the reference manual:




How to Generate Provisioning Data for Debug Authentication Password:

When provisioning the STM32H7RS, a .OBK file is used to store the provisioning data. These instructions show how to generate the .OBK file for debug authentication with any desired password. First, open the STM32 Trusted Package Creator and navigate to the “Security” page.


Select the “OBKey” tab if it is not selected by default. Our tools only work with regression through password debug authentication, so the OBKey (.OBK) file needs to be configured accordingly. The selected XML file determines the configuration, so “DA_ConfigWithPassword.xml” should be used. The XML file can be found in the directory [.../Projects/STM32H7S78-DK/ROT_Provisioning/DA/Config] of the FW package. If using an STM32H7Rx, the .xml file needs to be modified to disable encryption. Open the XML in an editor and modify: 0.

Provide a password in the text input field and modify the output path and/or filename if needed. Lastly, generate the .OBK file by selecting the “Generate OBKey” button. The password will be saved as ASCII in a .bin file.


How to Provision Debug Authentication Password to STM32H7RS device in PROGACMP

Once the application has been programmed in the open state, the next step is to set the product state to provisioning. 

  1. Choose Module (CM) and load the STM32H7Sx_8KB_OBKeys.arp algorithm.
  2. Select the user command SP Set Provision State.

The algorithm will be reloaded and the device will be set to the provisioning product state. The next step is to provision the OBKeys data for debug authentication. This is done through programming the .OBK file configured for debug authentication with password. 

  1. Queue the generated .OBK file with the configured password and program (PM).
  2. Run the verify command to ensure the .OBK was successfully loaded into the buffer.
  3. Select the user command DP Data Provisioning which will provision the data from the buffer into the HDPL0 OBKeys for debug authentication.

Once the algorithm is reloaded, the device has been provisioned, and is ready to be closed. The last step:

  1. Select the user command SC Set Closed State to set the product state to closed.

After running this user command, the device will attempt to reload but will fail to reconnect. In the closed state, the device can only be reconnected with a full regression through debug authentication. Follow the steps below to perform a full regression with debug authentication.


How to do Full Regression Debug Authentication for the STM32H7RS in PROGACMP

After setting the device to closed, the only way to reconnect is to fully regress with debug authentication. In PROGACMP, this is done through the connection manager and configuring the settings for the target device. 

  1. Reopen PROGACMP to bring up the connection manager and select the target STM32H7RS device.
  2. Select the “Security Settings” and enable the checkbox for “Allow Regression”.
  3. In the password text field, enter the password used for the .OBK data that was provisioned on the target device previously.
  4. Select “OK” to confirm the password and enable the “Mass erase upon connection to target” checkbox.
  5. Lastly, configure the rest of the connection settings (interface and port) to connect to the target and select Connect (reset).


The device should be fully regressed and able to reconnect to PROGACMP in the Open product state.


How to Provision Debug Authentication Password to STM32H7RS device in Stand-alone

When provisioning the debug authentication password with stand-alone programming, the same procedure as in PROGACMP applies. Instead of running each step one at a time, all of the provisioning steps are queued in the programming sequence in the image creation utility. With the Cyclone Image Creation Utility open, select the targeted STM32H7RS device.

The first programming sequence commands should program the main flash with the application data. Once the application is programmed and verified, the provisioning steps can be added by selecting CM ;Choose Algorithm and loading the OBKeys algorithm. The following sequence of commands corresponds to the same commands run in PROGACMP:
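Because a stand-alone image runs every step unattended, a mistake in the order (for example closing the device before the password is provisioned) is only discovered once the part no longer reconnects. The following Python pre-flight check is an added example, not part of the original post or of PEmicro's tooling; it models a sequence as (mnemonic, argument) pairs, uses "VERIFY" as a stand-in for the verify command, and all file names other than the OBKeys algorithm are constructed placeholders.

```python
# Added example: lint a stand-alone programming sequence against the order
# of the PROGACMP steps. CM, PM, SP, DP and SC are the mnemonics named in the
# post; "VERIFY" is a stand-in, since the post does not name the verify mnemonic.
OBK_ALGO = "STM32H7Sx_8KB_OBKeys.arp"   # algorithm named in the post
USER_CMDS = {"SP", "DP", "SC"}           # user commands named in the post

def lint_sequence(steps):
    """Return findings for a list of (mnemonic, argument) steps.
    Assumption: PM's argument is the file queued for that programming step."""
    findings = []
    algo, state = None, "open"
    programmed = verified = provisioned = False
    for n, (cmd, arg) in enumerate(steps, 1):
        if state == "closed":
            findings.append(f"step {n}: {cmd} follows SC; a closed device will not reconnect")
        elif cmd == "CM":
            algo = arg
        elif cmd in USER_CMDS and algo != OBK_ALGO:
            findings.append(f"step {n}: {cmd} issued without {OBK_ALGO} loaded")
        elif cmd == "SP":
            state = "provisioning"
        elif cmd == "PM" and (arg or "").lower().endswith(".obk"):
            if state != "provisioning":
                findings.append(f"step {n}: .OBK programmed before SP")
            programmed, verified = True, False
        elif cmd == "VERIFY":
            verified = programmed      # only counts once the .OBK is in the buffer
        elif cmd == "DP":
            if programmed and verified:
                provisioned = True
            else:
                findings.append(f"step {n}: DP without a programmed and verified .OBK")
        elif cmd == "SC":
            if not provisioned:
                findings.append(f"step {n}: SC before DP; no password provisioned for regression")
            state = "closed"
    return findings

# Constructed sample sequences; file names other than OBK_ALGO are placeholders.
GOOD = [("CM", "main_flash_placeholder.arp"), ("PM", "app.s19"), ("VERIFY", None),
        ("CM", OBK_ALGO), ("SP", None), ("PM", "da_password.obk"),
        ("VERIFY", None), ("DP", None), ("SC", None)]
BAD = [("CM", OBK_ALGO), ("PM", "da_password.obk"), ("SP", None),
       ("SC", None), ("PM", "app.s19")]

if __name__ == "__main__":
    print(lint_sequence(GOOD))
    for finding in lint_sequence(BAD):
        print(finding)
```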



How to do Full Regression Debug Authentication for the STM32H7RS in Stand-Alone:

In stand-alone programming, the debug authentication is handled when first connecting to the target, similarly to PROGACMP. In the image creation utility, the debug authentication is configured through the Power and Communication tab. To enable full regression debug authentication, the “Mass erase upon connection to target” and “Allow Regression” checkboxes need to be selected. In the password text field, enter the password used for the OBKey provisioned on the device previously. 

The debug authentication and regression are handled upon first entry, so any steps in the programming sequence will be done after regression.

