 Hello, in this session I will present you the SBSFU homework part and then the first hands-on that is the continuation of this first homework. So let's go. So the purpose of this homework is to prepare your environment to be ready for the workshop hands-on related to SBSFU. So we detailed the building of the SBSFU and also we will flash the NUCLEO-L476 target to check everything is working fine. So here is the environment you should have installed following the installation procedure provided. So here you have the home directory, I would say, directly on C drive, STM32 secure workshop, documentation folder where you have all the slides, and L4 directory and also directories for the following of the workshop. You have finished projects that you can look at after. You have the scripts you will see. And then the SBSFU, so let me put it in the pointer here, the SBSFU 2.4.0 structure. We have the drivers, middlewares and all the projects including all the boards supported. So here is the beginning. And we will use the NUCLEO-L476RG and we will find the SBSFU here with a user app, which is an example application. And so we have three projects, SBSFU, AC Corbin and user app. The linker command is, as it's name says, command files for linking the projects. First thing is to import the project in the cube ID. So first we will start the cube ID. I'm launching cube ID 1.4.0. Here it is. So by default you should go to this workspace but you can put it wherever you want. So I launch using this workspace. It takes a few seconds to start. Here it is. So this is the default view. We click here and there is no project at all. And the first thing to do is to open project from file system. Here it is. Directory. Then let's go to our workshop. And in L4, STM32 cube projects. L476 application to images. This is our project. So this is a two-image project. We'll see later what it means. Select the folder. So cube ID detects three projects. We need to remove this one. And that's okay. You can finish. So cube ID will import the three projects. And let's go back to the slides. So here is what we just done. And then next thing is to build the three projects. You need first to build the SC Corbin, SBSFU and user app. So start from SC Corbin. Click here. So launching the build. So it's building. Here it is. We are our first SC Corbin build. And we can check, if it is the same as expected with the size of the binary generator. So here we generated a binary SC Corbin. Then we can launch the building of SBSFU. This will take a bit more time because it is a bit bigger. So you can, while it is compiling, you can look into the directories. You have the application directory where the source code. In the core you have the main.c and usual files at HLMSP and interrupts. The whole SBSFU is here in the two directories application and target. The target contains all the files that need to be adapted when you change the target. Mainly. And the application is mostly something that doesn't change depending on the target. So you have all these files compiled and also a lot of HLMS that are compiled. You can see here. Ok. And also one important thing is the use of some files inside middleware for the interface with the secure engine here. And then once this one is finished we will build the user application. So that has also a similar structure. So let's wait for the end of this one. Ok. This is built. It took two minutes. We have 59, 578. 59, 578. We have the same build here. And then let's go back and build the user application. So user application. You have an application that goes with the main file and you will see what it is doing. It's displaying a menu that gives you access to some features. For sure you have access the ability to make an update. Let's see this later. So here we are compiling the application and we should have something with 21 the text part 21, 6, 3, 2. I pause a little. Oh no, it's finished. 21, 6, 3, 2. Ok. And then you see at the end there is something that is done automatically that is a post build which is a script that is building automatically some binary files that will be used for downloading. So let's see the next slide. So let's go to this binary files that we have just built. So I will look in the explorer. So let's go to l4. Go back to sbsfu in the projects Nucleo l476 application 2 images and 2 images user app binary. Then you see the 2 binaries that are built. The first one the concatenation of the 3 binaries we have built the secorbin, the sbsfu and the user application that is ready to be flashed on the target. The user app.sfb is the update file of the user application so it is the same file but in an update format. So before flashing what we will need for next hands on is to update the stlink. So please use the menu here help stlink upgrade it is here and you just need to click on open in update mode and see if you have if you need to upgrade. Here I will make an upgrade with the same version but it works obviously if you have an older version. So this this upgrade is needed to update the firmware of the stlink embedded on the Nucleo. So it's successful you can close it and that's it. That's just what we did with them. Now you need to open an explorer on the scripts that we use during the hands on. So I've prepared a window for that here it is. So now you have connected already your target if you have done the stlink upgrade and be careful to be sure no other board should be connected and then launch a start tera term so from the script start tera term it will automatically detect the comport you are using here I am using com 60 and nothing happens obviously there is no code executing on the target. Then launch reset L4 target script let's launch it reset So this script basically is executing RDP regression so sets the RDP level 0 and also deactivates the write protections so once this is done your board is ready to be flashed So now you could have an issue with a previous script that is using STM32Q programmer if you didn't install it in the default directory so in that case you need to update this set of.pad file to match the directory location you are using. Then download the sbsfu so use script 01 so let's download it so you see we are downloading the file that we have generated here so that is 50 558 size so this is the file we are downloading so you can, once it's done you can press here and if you let's follow the slides if you go to the terminal you have this message which is normal so this message means that you have activated RDP level 1 and you need to do a po1 reset to be able to start the board so let's do it I unplug my USB and plug it again and I should have something displayed on my screen so nothing display if I press a space I can see that something comes if I press reset I can see all the start up the reason we didn't see anything at the beginning is that USB animation was too long and the trace wasn't displayed was already finished when the animation finished so you can just press reset and also you have in the slides something you can sometimes have on the screen some strange characters in that case just reset the terminal like this so here it comes back to the good condition so here are the trace after reset so we can compare the two here we have our trace here and what are on the slides so if you have the same traces you are done with this homework so here you let's go to the hands on we have finished the homework if you have any issue you can still go to this address and you have a lot of FAQ and tip and tricks to to be able to to solve the issues you can face so let's go to the next to the next hands on which is building the sbsfu so starting from what we've just done we build we have build sbsfu and executed on target then we will check the secure boot what it is doing and we will generate version 2 of the application and update it in the target so restarting from our configuration we just finished the homework so we should be in the right condition so first to explain you what happened in the traces the first trace you have after sbsfu boot is this one where sbsfu is checking the security environment so if all the option bytes are correctly set especially and then it's starting initializing the secure engine and then check the status after reset where you can display the errors that you had previously we will see how it works then check new firmware to download this is the first check using the local loader of the sbsfu to check if there is a download request and then check user firmware status that is checking if there is something in the active slot and if there is something in the download slot here nothing in the download slot but something in active slot it is checking the firmware signature of this active slot so we will see during this workshop how this firmware signature is actually done and once the signature is checked the user can execute the user firmware so at this point the sbsfu has made a complete check of the application that will be launched we are sure that the application is genuine and was not corrupted that's the purpose of the secure boot then we have our application that displays some menus interactive menus so this is the quick view on the traces so test protection menu let's play with this menu so I am coming back to our console and press 2 and we have this menu where we check the protection so the firewall is the enclave that protects the secure engine so here we try to directly access to the firewall from the user application so I press 2 what happens the access is detected here basically a reset is performed and then the sbsfu is restarting and can check there was a firewall reset so you can add your own action if you detect for example a firewall reset now there is just the action is only to display a trace but you can do whatever you want and then we restart so test another protection for example the independent watchdog I press 6 so what happens is I am trying a wide loop and waiting that the watchdog is just triggering so here after some time watchdog is triggered and it is detected as a watchdog so this is what you can do with this next menu test se user code se means secure engine this menu allows the calling an API in the secure engine so the secure engine provides a secure API and sbsfu provides just one example of API so just try it press 3 and then we are in a configuration where we have only one active slot so press 1 for active slot 1 and then we have we get 2 information coming from the secure engine the active firmware version and the active firmware size next slide so here is just what we have displayed sorry so a note about active slots active slots is where active user firmware is located by opposition with download slots where the new version of the firmware is downloaded so you have active and download with the latest sbsfu 2.4 we have now 3 possible active slots and 3 possible download slots but we can have a configuration with 3 active slots and only one download slot so the download slot will be able to download one update for one of the 3 active slots so the download slot must be at least the maximum size of the 3 active slots and the main purpose of introducing this sbsfu active slot is the support of multiple core chips and other independent firmware so sbsfu in a nutshell we have seen rapidly the sbsfu directory structure how to build it in the adequate order we have seen the 2 files that are generated one is the big file including all the binaries and the second one which is just the update the sbsfu and the application then are loaded at the same time on the target with this big file we have seen that sbsfu is activating the secure protection we didn't activate them we have seen that rdp level 1 was set automatically this was done by sbsfu also you have seen by the choices that it is checking the user application authenticity and that it is launching the application after this check also you have seen what the default user application we provide that is doing some protection check call to secure engine api and also the first one that we didn't address yet the update let's see how this update is working so this is done by the first menu so this update is managed inside the application the menu is inside the application and the the code to transfer the update is inside the application so we use the why modem protocol to transfer this to be able to have a protocol that make sure that the transfer is going well this protocol enables writing each chunk of the new firmware in the download slot and at the end of the application once it has downloaded the whole update it should reset the chip to activate the sbsfu and then sbsfu will detect the new firmware and will install it so let's see how it works we have the tera term that is managing the why modem protocol or sbsfu slot slot 1 active and slot 1 update so this application contains a loader a loader is just something that is able to communicate here and able to flash the content of what it received so it transfer the firmware that we generated userapp.sfb once it transfer it resets to give back the hand to the secure boot so after reset the sbsfu is executed sbsfu is checking detecting a new firmware and once is detecting the new firmware it is checking this new firmware using authentication and it installs the new firmware once it has been authenticated by swapping the two slots and once the swap is done a new authentication is done to make sure everything is was done correctly let's do it and prepare the update image so just to be sure that we have updated image we will change something in the code so go in the main.c in the application and change userapp.id to be so I will launch here go to user and main.c in main.c here I find userapp.id at line 51 and replace it by b control s to save the file and the second thing to do is to change the user the version of the firmware so to change it here click on userapp right click properties and c++ build here settings and build steps you click here and at the end you see one and one the first one is meaning slot one so active slot one version one so we will change to version 2 oops then rebuild this new version so we will go a bit here and you will see that it will launch a post build with version 2 here here it is so post build is generating version 2 and so now our version 2 we can download it so if we come back to what so here you can see that it was not finished so just here we have the new files that were just generated so let's do the update so first come back to the console so I come back to the top menu and press one so first what it is doing it is erasing the download download area so the download slot one and waiting for data through why modem protocol to do this you just need to access to file transfer why modem send so this is a protocol supported by tera term you press send it will open automatically normally in the good directory let's check it here we have windows secure l4 cube project application to image and so on so we are in the good directory just select sfb and it will transfer the user it's quite fast it's 22k bytes so here what's happening is that it has detected a new firmware in slot download one and it is image preparation consists in decrypting the firmware in slot one swapping come back swapping the two images once the swap has been done it is resetting and there is no more download it is detecting the new firmware and verifying and then we have our user application we can check using the menu test user code with still slot one and we have our version 2 that we just put so this is what are in the following slides select the update download and then we have the full update done and our user app B version 2 in conclusion as you could see the first build is very simple and even the first update is straight forward sbsfu is a secure bootloader that checks integrity, authenticity of the application that's its main purpose also for the update the sbsfu is checking the integrity and authenticity at each update step to make it really secure and also we could see that we use a why modem protocol for transferring but this is providing provided as an example just if you want to use something else you just need to adapt the transfer protocol so that's it for this first hands on thank you