The stm32mp-sign-tool is a lightweight open-source alternative to STM32_SigningTool_CLI that does not require the full STM32CubeProgrammer installation and its dependencies.

It is a utility for signing and verifying firmware images for STM32MP MPUs. It uses ECDSA (Elliptic Curve Digital Signature Algorithm) to ensure the integrity and authenticity of the firmware used in the secure boot process.
Disclaimer: This tool is developed entirely from the public specification of the STM32 header format. It does not use reverse engineering or incorporate any proprietary code. Additionally, it does not implement all the functionalities of the official ST tools. Use this utility with care, as it is not affiliated with nor endorsed by STMicroelectronics.
- Sign and verify firmware images with ECDSA (NIST P-256 or Brainpool 256).
- Support for HSM tokens (PKCS#11).
- Currently supports only the STM32MP15x MPU firmware image header.
- C++ compiler
- CMake
- OpenSSL library
- Optional: PKCS#11 libraries and tools for HSM signing
```
sudo apt-get update
sudo apt-get install -y openssl libssl-dev python3 softhsm2 opensc libengine-pkcs11-openssl
```

```
cmake .
make
ctest -V
sudo make install
```
Generate an ECDSA key:

```
openssl ecparam -name prime256v1 -genkey -out <private_key.pem>
```

Sign a firmware image using the following command:

```
stm32mp-sign-tool -k <private_key_file> -i <image.stm32> -o <image.stm32.signed>
```
Generate an ECDSA key on the HSM token:

```
pkcs11-tool --pin <pin> --module <Module Path> --keypairgen --key-type EC:prime256v1 --id <KeyID> --label <KeyLabel>
```

Sign a firmware image using the PKCS#11 URI of the key:

```
stm32mp-sign-tool -v -k "pkcs11:object=<KeyLabel>" -p <pin> -i <image.stm32> -o <image.stm32.signed>
```
```
stm32mp-sign-tool -v -k <private_key_file> -h <hash output>
```

or

```
stm32mp-sign-tool -v -k "pkcs11:object=<KeyLabel>" -p <pin> -h <hash output>
```
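To show what the tool actually signs, here is an added example (not part of this project) that parses an STM32MP15x image header, checks the payload checksum and reports the fields a verifier cares about: the raw signature, the embedded public key, the curve selector, the option flag that disables signature verification, and the region the ECDSA signature covers. The field offsets follow ST's public header description as I understand it (header of 256 bytes, signature at 0x04, checksum at 0x44, signed region from 0x48 to the end of the image); treat them as an assumption to check against the ST wiki, and the sample image is constructed, unsigned data.

```python
import struct

HEADER_LEN = 0x100          # assumed: STM32 header v1.0 is 256 bytes
MAGIC = b"STM\x32"          # 'S','T','M',0x32 ("STM2" when read as ASCII)
SIGNED_REGION_START = 0x48  # assumed: signature covers header_version .. end of image
ECDSA_ALGOS = {1: "NIST P-256", 2: "Brainpool P-256"}

def checksum(payload: bytes) -> int:
    """32-bit sum of all payload bytes; this is what the checksum field at 0x44 stores."""
    return sum(payload) & 0xFFFFFFFF

def parse_stm32_image(image: bytes) -> dict:
    """Parse the header (offsets assumed from ST's public description) and run the
    checks a verifier performs before it even gets to the ECDSA signature."""
    if len(image) < HEADER_LEN or image[:4] != MAGIC:
        raise ValueError("not an STM32 image (bad magic or truncated)")
    sig = image[0x04:0x44]                       # raw ECDSA signature r||s, 64 bytes
    (stored_csum, _hdr_ver, img_len, entry, _r1, load, _r2,
     version, flags, algo) = struct.unpack_from("<10I", image, 0x44)
    pubkey = image[0x6C:0xAC]                    # raw uncompressed X||Y, 64 bytes
    payload = image[HEADER_LEN:HEADER_LEN + img_len]
    if len(payload) != img_len:
        raise ValueError("image_length exceeds file size")
    return {
        "signature": sig, "public_key": pubkey,
        "ecdsa_algorithm": ECDSA_ALGOS.get(algo, f"unknown({algo})"),
        "image_length": img_len, "entry_point": entry, "load_address": load,
        "version": version,
        "checksum_ok": checksum(payload) == stored_csum,
        # assumed: option_flags bit 0 set tells the boot ROM to skip signature checks,
        # so a production image must have it clear
        "signature_required": not (flags & 1),
        "signed_region": image[SIGNED_REGION_START:HEADER_LEN + img_len],
    }

def build_test_image(payload: bytes, flags: int = 0, algo: int = 1) -> bytes:
    """Constructed sample image for demonstration: signature and key fields left zero,
    addresses are placeholders, checksum and length filled in correctly."""
    hdr = bytearray(HEADER_LEN)
    hdr[:4] = MAGIC
    struct.pack_into("<10I", hdr, 0x44, checksum(payload), 0x00010000, len(payload),
                     0xC0100000, 0, 0xC0100000, 0, 1, flags, algo)
    return bytes(hdr) + payload
```

The `signed_region` bytes are what you would hash and verify against the raw r||s signature with the embedded public key; a checksum mismatch or a set "no verification" flag on a release image is worth flagging before that step.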
This project is licensed under the terms of the GNU General Public License v3 (GPLv3). You are free to use, modify, and distribute this software under the conditions outlined in the GPLv3 license.
For more information about the GPLv3 license, refer to the LICENSE file in this repository or visit GNU's official page.
By submitting a pull request to this repository, you agree to the following terms:

- You certify that your contribution is your original work or that you have the necessary rights to submit it.
- You grant the project maintainers a perpetual, worldwide, non-exclusive, royalty-free, irrevocable license to:
  - Use, modify, sublicense, and distribute your contribution under the terms of the GPLv3.
  - Use, modify, sublicense, and distribute your contribution under alternative licenses, including commercial licenses.
- You understand that you retain the copyright to your contribution but agree that it may be relicensed under these terms.