Debug Authentication

Sysprogs forums Forums VisualGDB Debug Authentication

Log In Register Lost Password
Viewing 9 posts - 1 through 9 (of 9 total)
  • Author
    Posts
  • August 27, 2025 at 23:23 #36857
    julieninnovel
    Participant

    Hi all,

     

    I’m using an STM32H573 with the Debug Authentication enable. Is it a way to drun a partial regression or intrusive debug with key and certificate directly froc visual GDB ?

    At the moment, I’m using CubeProgrammer to enter into debug mode with intrusive debu or partial regression, and after using the debug with Visual GDB.

    But I would like to do this directly from Visual GDB, like CubeIDE can do.

     

    Thanks for your help.

    August 28, 2025 at 09:32 #36858
    support
    Keymaster

    Hi,

    VisualGDB does not interact with the debugged devices directly, and instead uses various vendor-supplied tools like OpenOCD.

    If STM32CubeIDE does it automatically, it likely has some special OpenOCD command in the script, or a command-line tool that it runs before or after debugging. You would need to find that out and make sure you can get it working with command-line tools alone.

    Based on your findings, we can then help you configure VisualGDB to launch these tools automatically.  If it’s a stand-alone tool, you can add it to VisualGDB Project Properties -> Debug Customization -> Pre/Debug steps. If it’s an OpenOCD script command, you can configure it via advanced settings on the Debug Settings page.

    August 28, 2025 at 23:39 #36859
    julieninnovel
    Participant

    Hi,

    Thanks for your answer. I’ve checked the configuration provided by CubeIDE. It’s not using Open OCD, but GDB.

    The DA is done by using JTAG common command to discover and then authenticate to the attached device with key and certificate.

    I attached to this post a screen shot of the CubeIDE configuration. I don’t know how to do this with VisualGDB using a SEGGER or ST Link debugger tool.

    Thanks

    Attachments:
    You must be logged in to view attached files.
    August 29, 2025 at 00:05 #36862
    support
    Keymaster

    Hi,

    You would need to figure out the exact command lines. You can try asking the ST support, or using tools like procmon to record the command lines. There is no other way to configure VisualGDB, unless you can find out these command lines.

    September 1, 2025 at 07:36 #36864
    julieninnovel
    Participant

    Hi,

     

    You fwill find in attached file a log done by using STM32CubeProgrammer.

    The Debug Authenticator is an ARM functionnality, not ST only. The Secure Debug Manager (SDM), which implements the PSA-ADAC (Authenticated Debug Access Control) specification and the Arm CoreSight SDC-600 Debug Channel to provide authenticated debug access.

    Thanks

    Attachments:
    You must be logged in to view attached files.
    September 2, 2025 at 08:21 #36870
    support
    Keymaster

    This looks like a log file, not a command line. Please make sure you can launch STM32CubeProgrammer to do it via command line (not GUI).

    September 5, 2025 at 01:55 #36878
    julieninnovel
    Participant

    Hi,

     

    I’m not sure to understand what is needed for you…

    I can give you all command line used manually with STM32CubeProgrammer CLI to do this, but I don’t know what is really done inside the ST LInk or JLINK debug tool.

     

    Full regression :

    1. Discover to know if the state if different from OPEN : ./STM32_Programmer_CLI.exe -c port=SWD debugauth=2
    2. Send command to do a full regression : ./STM32_Programmer_CLI.exe -c port=SWD per=a key=”E:\SecureBoot\Demo\ROT_Provisioning\DA\Keys\key_1_root.pem” cert=”E:\SecureBoot\Demo\ROT_Provisioning\DA\Certificates\cert_root.b64″ debugauth=1 -vb

     

    Partial regression :

    1. Discover to know if the state if different from OPEN or TZ-CLOSED : ./STM32_Programmer_CLI.exe -c port=SWD debugauth=2
    2. Send command to do a partial regression : ./STM32_Programmer_CLI.exe -c port=SWD per=b key=”E:\SecureBoot\Demo\ROT_Provisioning\DA\Keys\key_1_root.pem” cert=”E:\SecureBoot\Demo\ROT_Provisioning\DA\Certificates\cert_root.b64″ debugauth=1 -vb 1

     

    Intrusif debug :

    1. Discover to know if the state if CLOSED : ./STM32_Programmer_CLI.exe -c port=SWD debugauth=2
    2. Send command to inter in intrusiv debug level 3 of non secure application : ./STM32_Programmer_CLI.exe -c port=SWD per=f key=”E:\SecureBoot\Demo\ROT_Provisioning\DA\Keys\key_1_root.pem” cert=”E:\SecureBoot\Demo\ROT_Provisioning\DA\Certificates\cert_root.b64″ debugauth=1 -vb 1
    3. Do not reset the microcontroleur and do not flash it. Only attach to running embeded firmware

     

    It’s possible to do other commande with other values of per :

    a : Full regression

    b : Partial regression, to TZ-CLOSED

    c : Level 3 Intrusive Debug

    d : Level 2 Intrusive Debug

    e : Level 1 Intrusive Debug

    f : Level 3 Intrusive Non Secure Debug

    g : Level 2 Intrusive Non Secure Debug

    h : Level 1 Intrusive Non Secure Debug

     

    Thanks

    September 5, 2025 at 08:09 #36879
    support
    Keymaster

    We don’t know what is really done in ST-Link or J-Link debug tool either. All we can do is show you how to configure VisualGDB to automatically run STM32CubeProgrammer CLI before debugging.

    September 8, 2025 at 00:02 #36881
    julieninnovel
    Participant

    Hi,

    Ok it will be the first step ! I would really appreciate your help for this.

    I will try to find exactly what command are needed by ST Link or J Link debug tool in a second step.

  • Author
    Posts
Log In Register Lost Password
Viewing 9 posts - 1 through 9 (of 9 total)
  • You must be logged in to reply to this topic.