postbuild.shis called by the application project as its postbuild step. Please see the file for argument usage and the demoapp repository for usage examples.make_keys_v6m.batormake_keys_v7m.batcreates random unique AES and ECDSA keys for use by postbuild.sh. They keys must be unique to each application using this system. Keys are typically placed in the application project'sKeysdirectory. See demoapp repository for examples.
Note: use v6m only for Cortex-M0+ targets like STM32L0, F0 or G0. For all other targets use v7m variant.
The bootloader and secure firmware update security system consists of two private keys:
- AES-CBC key (encryption - confidentiality)
- ECSDA key (signing - authentication)
The prepareimage.py tool is used for generating both keys.
These keys must be unique to each project to prevent loading wrong firmware.
These keys are the means by which the stm32-secure-patching-bootloader accepts or rejects firmware for a given product.
Do not use the same keys for multiple projects/products or the stm32-secure-patching-bootloader in one product could update to firmware meant for another product.
Use the 'make_keys_v7m.bat' convenience script located in Scripts to generate the keys
automatically in the specified project Keys directory, or follow these manual steps:
Open a console window to Tools and run these commands:
python prepareimage.py keygen -k Cipher_Key_AES_CBC.bin -t aes-cbcpython prepareimage.py keygen -k Signing_PrivKey_ECC.txt -t ecdsa-p256- Add and/or commit changes to these 2 files into the project's
Keysdirectory.
Also, in Keys directory, machine.txt must exist, and must contain either V7M for a non-Cortex-M0 target,
or V6M for a Cortex-M0 target. Again, see the demoapp repository for examples on Keys directory setup.