Using HSM for device attestation (project-chip#11528)

* Using HSM for device attestation phase * added se05x platform specific device attestation cred file * printing long int * build fix * restyled * Revert "printing long int" This reverts commit d97b883. * Init of key after checks, Added new build arg to enable HSM for device attestation Co-authored-by: Jagadish B E <[email protected]> Co-authored-by: Jagadish-NXP <[email protected]> Signed-off-by: Doru Gucea <[email protected]>
doru91 · Dec 20, 2021 · 8a2ec14 · 8a2ec14
1 parent 76fc424
commit 8a2ec14
Show file tree

Hide file tree

Showing 9 changed files with 46 additions and 3 deletions.
diff --git a/examples/lighting-app/nxp/k32w/k32w0/BUILD.gn b/examples/lighting-app/nxp/k32w/k32w0/BUILD.gn
@@ -19,6 +19,8 @@ import("//build_overrides/openthread.gni")
 import("${k32w0_sdk_build_root}/k32w0_executable.gni")
 import("${k32w0_sdk_build_root}/k32w0_sdk.gni")
 
+import("${chip_root}/src/crypto/crypto.gni")
+
 assert(current_os == "freertos")
 
 k32w0_platform_dir = "${chip_root}/examples/platform/nxp/k32w/k32w0"
@@ -43,6 +45,10 @@ k32w0_sdk("sdk") {
     "${k32w0_platform_dir}/util/include",
   ]
 
+  if (chip_with_se05x == 1) {
+    include_dirs += [ "${chip_root}/examples/platform/nxp/se05x" ]
+  }
+
   defines = []
   if (is_debug) {
     defines += [ "BUILD_RELEASE=0" ]

diff --git a/examples/lighting-app/nxp/k32w/k32w0/main/AppTask.cpp b/examples/lighting-app/nxp/k32w/k32w0/main/AppTask.cpp
@@ -39,6 +39,13 @@
 #include "TimersManager.h"
 #include "app_config.h"
 
+#if CHIP_CRYPTO_HSM
+#include <crypto/hsm/CHIPCryptoPALHsm.h>
+#endif
+#ifdef ENABLE_HSM_DEVICE_ATTESTATION
+#include "DeviceAttestationSe05xCredsExample.h"
+#endif
+
 #define FACTORY_RESET_TRIGGER_TIMEOUT 6000
 #define FACTORY_RESET_CANCEL_WINDOW_TIMEOUT 3000
 #define APP_TASK_STACK_SIZE (4096)
@@ -90,7 +97,11 @@ CHIP_ERROR AppTask::Init()
     chip::Server::GetInstance().Init();
 
     // Initialize device attestation config
+#ifdef ENABLE_HSM_DEVICE_ATTESTATION
+    SetDeviceAttestationCredentialsProvider(Examples::GetExampleSe05xDACProvider());
+#else
     SetDeviceAttestationCredentialsProvider(Examples::GetExampleDACProvider());
+#endif
 
     // QR code will be used with CHIP Tool
     PrintOnboardingCodes(chip::RendezvousInformationFlags(chip::RendezvousInformationFlag::kBLE));

diff --git a/src/credentials/BUILD.gn b/src/credentials/BUILD.gn
@@ -14,6 +14,7 @@
 
 import("//build_overrides/chip.gni")
 import("//build_overrides/nlassert.gni")
+import("${chip_root}/src/crypto/crypto.gni")
 
 static_library("credentials") {
   output_name = "libCredentials"
@@ -38,6 +39,10 @@ static_library("credentials") {
     "examples/DeviceAttestationVerifierExample.cpp",
     "examples/DeviceAttestationVerifierExample.h",
   ]
+
+   if (chip_with_se05x == 1) {
+     sources += [ "${chip_root}/examples/platform/nxp/se05x/DeviceAttestationSe05xCredsExample.cpp" ]
+   }
 
   cflags = [ "-Wconversion" ]
 

diff --git a/src/crypto/BUILD.gn b/src/crypto/BUILD.gn
@@ -40,6 +40,10 @@ buildconfig_header("crypto_buildconfig") {
     defines += [ "CHIP_CRYPTO_HSM=0" ]
     defines += [ "CHIP_CRYPTO_HSM_NXP=0" ]
   }
+
+  if (chip_with_se05x_da == 1) {
+    defines += [ "ENABLE_HSM_DEVICE_ATTESTATION=1" ]
+  }
 }
 
 if (chip_crypto == "openssl") {

diff --git a/src/crypto/crypto.gni b/src/crypto/crypto.gni
@@ -16,6 +16,7 @@ declare_args() {
   # Crypto implementation: mbedtls, openssl.
   chip_crypto = ""
   chip_with_se05x = 0
+  chip_with_se05x_da = 0
 }
 
 if (chip_crypto == "") {

diff --git a/src/crypto/hsm/CHIPCryptoPALHsm.h b/src/crypto/hsm/CHIPCryptoPALHsm.h
@@ -89,6 +89,16 @@ class P256PublicKeyHSM : public P256PublicKey
     operator uint8_t *() override { return bytes; }
     operator const uint8_t *() const override { return bytes; }
 
+    const uint8_t * ConstBytes() const override { return &bytes[0]; }
+    uint8_t * Bytes() override { return &bytes[0]; }
+    bool IsUncompressed() const override
+    {
+        constexpr uint8_t kUncompressedPointMarker = 0x04;
+        // SEC1 definition of an uncompressed point is (0x04 || X || Y) where X and Y are
+        // raw zero-padded big-endian large integers of the group size.
+        return (Length() == ((kP256_FE_Length * 2) + 1)) && (ConstBytes()[0] == kUncompressedPointMarker);
+    }
+
     void SetPublicKeyId(uint32_t id) { PublicKeyid = id; }
 
     CHIP_ERROR ECDSA_validate_msg_signature(const uint8_t * msg, size_t msg_length,

diff --git a/src/protocols/secure_channel/CASESession.cpp b/src/protocols/secure_channel/CASESession.cpp
@@ -339,9 +339,6 @@ CHIP_ERROR CASESession::SendSigma1()
     uint8_t destinationIdentifier[kSHA256_Hash_Length] = { 0 };
 
     // Generate an ephemeral keypair
-#ifdef ENABLE_HSM_CASE_EPHEMERAL_KEY
-    mEphemeralKey.SetKeyId(CASE_EPHEMERAL_KEY);
-#endif
     ReturnErrorOnFailure(mEphemeralKey.Initialize());
 
     // Fill in the random value

diff --git a/src/transport/FabricTable.cpp b/src/transport/FabricTable.cpp
@@ -161,6 +161,11 @@ CHIP_ERROR FabricInfo::LoadFromStorage(FabricStorage * storage)
     }
     VerifyOrExit(mOperationalKey != nullptr, err = CHIP_ERROR_NO_MEMORY);
     SuccessOrExit(err = mOperationalKey->Deserialize(info->mOperationalKey));
+#ifdef ENABLE_HSM_CASE_OPS_KEY
+    // Set provisioned_key = true , so that key is not deleted from HSM.
+    mOperationalKey->provisioned_key = true;
+#endif
+
 
     ChipLogProgress(Inet, "Loading certs from storage");
     SuccessOrExit(err = SetRootCert(ByteSpan(info->mRootCert, rootCertLen)));

diff --git a/src/transport/FabricTable.h b/src/transport/FabricTable.h
@@ -156,6 +156,10 @@ class DLL_EXPORT FabricInfo
             mOperationalKey = chip::Platform::New<Crypto::P256Keypair>();
 #endif
             mOperationalKey->Initialize();
+#ifdef ENABLE_HSM_CASE_OPS_KEY
+            // Set provisioned_key = true , so that key is not deleted from HSM.
+            mOperationalKey->provisioned_key = true;
+#endif
         }
         return mOperationalKey;
     }