Secure Boot & Chain of Trust (Foundation) STM32MP2

About the Course

This is an intensive, hands-on training for embedded engineers and cybersecurity specialists who face the challenge of securing IoT products based on the STM32MP2 platform.

In the era of ubiquitous connected devices, firmware layer security has stopped being optional — it has become fundamental. Most courses discuss Secure Boot theoretically. We will guide you through the entire device hardening procedure, including irreversible OTP fuse burning.

You will understand from the inside how BootROM verifies each element of the chain of trust:

• TF-A BL2 — First Stage Boot Loader (FSBL), DDR configuration
• BL31 (Secure Monitor) — runtime services in Secure World
• BL32 (OP-TEE) — Trusted Execution Environment
• BL33 (U-Boot) — main bootloader
• Linux Kernel — operating system

🎯 Project Goal: “The Fusing Ceremony”

During the course, we don’t discuss slides. We lock a real device. Participants will independently:

✓ Generate their own Public Key Infrastructure (PKI) using ECDSA P-256 elliptic curve cryptography

✓ Digitally sign bootloader images (TF-A) and verify their headers in a hex editor

✓ Configure Encrypted Boot using EDMK — a new STM32MP2 capability

✓ Conduct the “Fusing Ceremony” — permanent writing of the public key hash to the device’s OTP memory

✓ Close the device lifecycle and test failure scenarios, including intentional “bricking” of the board

✓ Build a Trusted Application (TA) running in the OP-TEE secure world

📅 Training Program

DAY 1: The Foundation – Trust Architecture and Exploration

Understanding the hardware security fundamentals. From BootROM to OTP.

Module 1.1: Cryptography in Embedded Systems

• Symmetric vs asymmetric cryptography: When to use what?
• Hash functions (SHA-256) and digital signatures (ECDSA)
• Why ECC, not RSA? Efficiency vs security in embedded

Module 1.2: STM32MP2 Security Architecture

• Role of BootROM as the immutable Root of Trust
• Boot Flavors: Cortex-A35 vs Cortex-M33 as Trusted Domain — when to choose which?
• BSEC3 controller and OTP memory map — authentication and encryption key layout
• Resource Isolation Framework (RIF/RIFSC) — resource isolation between execution contexts
• The “shadow registers” mechanism — how to test before permanent writing?

Module 1.3: Lab – Factory State Analysis (“Open”)

• Environment setup: STM32MP257F-DK, SDK, STM32CubeProgrammer
• First boot and stopping at U-Boot
• Practical exercise: stm32key read command — we see a “clean slate”

DAY 2: The Ceremony – Root of Trust Implementation

The heart of the Secure Boot procedure. Key generation, signing, and the point of no return.

Module 2.1: Key Infrastructure Generation (PKI)

• STM32MP_KeyGen_CLI tool: Creating ECC P-256 key pair
• File anatomy: privateKey.pem (crown jewels), publicKey.pem, publicKeyhash.bin (32 bytes for OTP)
• Key security: Why do we use HSM in production?

Module 2.2: Firmware Signing and Encryption

• STM32MP_SigningTool_CLI: Signing TF-A image
• STM32 header analysis (.stm32): Magic bytes ‘S’,‘T’,‘M’,0x32
• Option flags: authentication (b0) and encryption (b1) — new in STM32MP2
• Encrypted Boot with EDMK (Encryption/Decryption Master Key) — firmware IP protection
• Lab: Comparing files before/after signing (hexdump, vbindiff)

Module 2.3: OTP Provisioning – Point of No Return

• “Check twice, burn once” strategy
• Provisioning authentication and encryption keys (EDMK) via stm32key
• Requirements: OP-TEE with CFG_STM32_BSEC_WRITE
• ⚠️ Irreversible command: stm32key fuse -y — The Fusing Ceremony
• Post-write verification: The device now has an identity!

DAY 3: The Lockdown – Closure and Production

Transition from prototype to secured product. Automation and TEE.

Module 3.1: Device Lifecycle Closure

• Device Life Cycle states in STM32MP2: Unsecured → Secured_Unlocked → Under_Provisioning → Secured_Locked → RMA
• Differences vs STM32MP1 (OPEN → CLOSED → RMA) — mental model migration
• ⚠️ Preparation: Signed (and optionally encrypted) image MUST be on the card before closure!
• stm32key close command — Secure Boot enforcement
• Lab: Intentional “bricking” and recovery procedure

Module 3.2: Automation in Yocto (OpenSTLinux)

• meta-st layer configuration: TRUSTED_BOARD_BOOT, TF_A_SIGN_ENABLE, ROT_KEY
• Image rebuild: bitbake st-image-weston with certificates
• FIP image analysis

Module 3.3: OP-TEE and TF-M – Trusted Execution Environment

• Why do we secure the system? Secure World vs Normal World isolation
• OP-TEE (A35 as Trusted Domain) vs TF-M (M33 as Trusted Domain, PSA Certified)
• Lab: “Hello World” Trusted Application — secret safe from Linux
• SYSRAM limitations in MP25x: How to write lean TAs?

Module 3.4: Q&A and Summary

• Authenticated Boot vs Encrypted Boot — when to encrypt firmware?
• EDMK and intellectual property protection in the supply chain
• Lifecycle management in mass production (SSP)
• Consultation on participants’ own projects

💰 Pricing and Participation Models

I offer a flexible model, tailored to skill level and needs.

Option A: FUNDAMENTALS (2 Days)

Ideal for those who want to understand security architecture and go through the basic Secure Boot procedure, without diving into production automation.

Option B: FULL LOCKDOWN (3 Days) ⭐ Recommended

Complete training including device closure, Yocto automation, and introduction to OP-TEE. Essential for teams preparing for mass production of secured IoT devices.

Promotion: By choosing the 3-day package upfront, you save €100 compared to adding the 3rd day separately (3rd day add-on price is €400).

Small teams: For teams smaller than 4 people - rates are negotiated individually.

🏆 Why is it worth it?

🛠️ Hardware Requirements

Each participant receives:

• STM32MP257F-DK board (Discovery Kit)
• 16GB microSD card (class 10)
• USB Type-C cable

Required software: Ubuntu 22.04/24.04 LTS, STM32CubeProgrammer, OpenSTLinux SDK.

🎁 Hardware stays with participants after the workshop!

Want to reserve a date for your team? Contact me to arrange details and availability. Secure your devices before someone else does.