[NXP] Add EL2GO factory data impl, change default rw61x factory data …

…impl (project-chip#36615) * [NXP][platform] Add EL2GO factory data implementation, update default factory data implmentation to use secure element Signed-off-by: Martin Girardot <[email protected]> * [NXP][exmples] Add EL2GO factory data implementation, update default factory data implmentation to use secure element Signed-off-by: Martin Girardot <[email protected]> * [NXP][script] Add EL2GO factory data implementation Signed-off-by: Martin Girardot <[email protected]> * [NXP][doc] Add EL2GO factory data implementation, update default factory data implmentation to use secure element Signed-off-by: Martin Girardot <[email protected]> * Restyled by whitespace * Restyled by clang-format * Restyled by gn * Restyled by prettier-markdown * Restyled by autopep8 * Restyled by isort * [NXP] fix spelling Signed-off-by: Martin Girardot <[email protected]> * [NXP][submodule] Update NXP matter support submodule Signed-off-by: Martin Girardot <[email protected]> * [NXP] Add factory data secure key storage compatiblity with actual factory data Signed-off-by: Martin Girardot <[email protected]> --------- Signed-off-by: Martin Girardot <[email protected]> Co-authored-by: Restyled.io <[email protected]>
espressif · Nov 26, 2024 · e782f53 · e782f53
1 parent 0ac52eb
commit e782f53
Show file tree

Hide file tree

Showing 13 changed files with 621 additions and 146 deletions.
diff --git a/docs/platforms/nxp/nxp_manufacturing_flow.md b/docs/platforms/nxp/nxp_manufacturing_flow.md
@@ -103,8 +103,6 @@ Here is the interpretation of the **required** parameters:
 --hw_version       -> Hardware Version as number
 --hw_version_str   -> Hardware Version as string
 --cert_declaration -> path to the Certification Declaration (der format) location
---dac_cert         -> path to the DAC (der format) location
---dac_key          -> path to the DAC key (der format) location
 --pai_cert         -> path to the PAI (der format) location
 --spake2p_path     -> path to the spake2p tool
 --out              -> name of the binary that will be used for storing all the generated data
@@ -113,6 +111,11 @@ Here is the interpretation of the **required** parameters:
 Here is the interpretation of the **optional** parameters:
 
 ```shell
+--dac_cert              -> path to the DAC certificate (der format) location
+--dac_key               -> path to the DAC key (der format) location
+--EL2GO_bin             -> path to the EdgeLock 2Go binary (bin format) location
+--EL2GO_DAC_KEY_ID      -> DAC key ID configured into EdgeLock 2Go as hex value
+--EL2GO_DAC_CERT_ID     -> DAC certificate ID configured into EdgeLock 2Go as hex value
 --dac_key_password      -> Password to decode DAC key
 --dac_key_use_sss_blob  -> Used when --dac_key contains a path to an encrypted blob, instead of the
                            actual DAC private key. The blob metadata size is 24, so the total length
@@ -182,17 +185,56 @@ Also, demo **DAC**, **PAI** and **PAA** certificates needed in case
 
 ## 6. Increased security for DAC private key
 
-### 6.1 SSS-based platforms
+### 6.1 SSS-based with EdgeLock2go support
+
+EdgeLock2go services could be used to securely provisioned DAC key/cert during
+manufacturing.
+
+Prior to the generation of the factory data binary. `EL2GO` data needs to be
+generated following `EL2GO` process.
+
+For the factory data generation following option need to be added:
+
+`--EL2GO_bin ~/secure_objects.bin` containing `EL2GO` information including
+encrypted DAC private key and certificate. `--EL2GO_DAC_KEY_ID 1234` containing
+corresponding to the ID of the DAC key chosen during `EL2GO` key generation.
+`--EL2GO_DAC_CERT_ID 4321` containing corresponding to the ID of the DAC
+certification chosen during `EL2GO` key generation.
+
+Reference factory data generation command:
+
+```shell
+python3 ./scripts/tools/nxp/factory_data_generator/generate.py -i 10000 -s UXKLzwHdN3DZZLBaL2iVGhQi/OoQwIwJRQV4rpEalbA= -p ${passcode} -d ${discriminator} --vid "0x$VID" --pid "0x$PID" --vendor_name "NXP Semiconductors" --product_name "Thermostat" --serial_num "12345678" --date "$DATE" --hw_version 1 --hw_version_str "1.0" --cert_declaration $FACTORY_DATA_DEST/Chip-Test-CD-$VID-$PID.der --EL2GO_bin ~/secure_objects.bin --EL2GO_DAC_KEY_ID 1234 --EL2GO_DAC_CERT_ID 4321 --pai_cert $FACTORY_DATA_DEST/Chip-PAI-NXP-$VID-$PID-Cert.der --spake2p_path ./out/spake2p --unique_id "00112233445566778899aabbccddeeff" --out $FACTORY_DATA_DEST/factory_data.bin
+```
+
+Supported platforms:
+
+-   `rw61x`
+
+In addition to the GN flag `nxp_use_factory_data=true`, a Matter application
+needs to be built with `nxp_enable_secure_EL2GO_factory_data=true` to allow
+loading of EdgeLock2go data to the secure element.
+
+In this mode EdgeLock2go keys will always remain encrypted and only usable by
+the `SSS`. In this case, all operations that requires DAC private access will be
+transferred to the `SSS`.
+
+### 6.2 SSS-based without EdgeLock2go support for DAC private key secure storage
 
 Supported platforms:
 
 -   `k32w1`
 -   `mcxw71`
+-   `rw61x`
 
 For platforms that have a secure subsystem (`SSS`), the DAC private key can be
 converted to an encrypted blob. This blob will overwrite the DAC private key in
-factory data and will be imported in the `SSS` at initialization, by the factory
-data provider instance.
+factory data and will be imported in the `SSS` by the factory data provider
+instance.
+
+In this architecture, outside of the manufacturing flow, the DAC private will
+always remain usable only by the `SSS`. In this case, all operations that
+requires DAC private access will be transferred to the `SSS`.
 
 The application will check at initialization whether the DAC private key has
 been converted or not and convert it if needed. However, the conversion process
@@ -226,64 +268,5 @@ Please note that `--dac_key` now points to a binary file that contains the
 encrypted blob.
 
 The user can use the DAC private in plain text instead of using the `SSS` by
-adding the following gn argument `chip_use_plain_dac_key=true`.
-
-### 6.2 RW61X
-
-Supported platforms:
-
--   RW61X
-
-there are three implementations for factory data protection
-
--   whole factory data protection with AES encryption (
-    nxp_use_factory_data=true nxp_enable_secure_whole_factory_data=true )
-    `examples/platform/nxp/rt/rw61x/factory_data/source/AppFactoryDataExample.cpp`\
-    `src/platform/nxp/rt/rw61x/FactoryDataProviderEncImpl.cpp`
-
--   only dac private key protection ( nxp_use_factory_data=true
-    nxp_enable_secure_dac_private_key_storage=true )
-    `examples/platform/nxp/rt/rw61x/factory_data/source/AppFactoryDataExample.cpp`
-    \
-    `src/platform/nxp/rt/rw61x/FactoryDataProviderImpl.cpp`
-
--   whole factory data protection with hard-coded AES key (
-    nxp_use_factory_data=true )
-    `examples/platform/nxp/common/factory_data/source/AppFactoryDataDefaultImpl.cpp`
-    \
-    `src/platform/nxp/common/factory_data/FactoryDataProviderFwkImpl.cpp`
-
-for the first one, the whole factory data is encrypted by an AES-256 key, the
-AES key can be passed through serial link when in factory production mode, and
-will be provisioned into Edge Lock, and the returned AES Key blob (wrapped key)
-can be stored in the end of factory data region in TLV format. for the
-decryption process, the blob is retrieved and provisioned into Edge Lock and the
-whole factory data can be decrypted using the returned key index in Edge Lock.
-Compared with only dac private key protection solution, this solution can avoid
-tampering with the original factory data.
-
-the factory data should be encrypted by an AES-256 key using "--aes256_key"
-option in "generate.py" script file.
-
-it will check whether there is AES key blob in factory data region when in each
-initialization, if not, the default AES key is converted and the result is
-stored into flash, it run only once.
-
-for the second one, it only protect the dac private key inside the factory data,
-the dac private key is retrieved and provisioned into Edge Lock, the returned
-key blob replace the previous dac private key, and also update the overall size
-and hash, and re-write the factory data. when device is doing matter
-commissioning, the blob is retrieved and provisioned into Edge Lock and the
-signing can be done using the returned key index in Edge Lock.
-
-the factory data should be plain text for the first programming. it will check
-whether there is dac private key blob (base on the size of blob, should be 48)
-in factory data when in each initialization, if not, the dac private key is
-converted and the result is stored into flash, it run only once.
-
-for the third one, it is a little similar to the first one, the whole factory
-data is encrypted by an AES key, but there are two differences:
-
--   the AES key is hard-coded and not provisioned into Edge Lock
--   the factory data should be encrypted by AES-128 key using "--aes128_key"
-    option in "generate.py" script file.
+adding the following gn argument `chip_use_plain_dac_key=true` (not supported on
+rw61x).
diff --git a/examples/all-clusters-app/nxp/rt/rw61x/BUILD.gn b/examples/all-clusters-app/nxp/rt/rw61x/BUILD.gn
@@ -1,5 +1,5 @@
 # Copyright (c) 2021 Project CHIP Authors
-# Copyright 2023 NXP
+# Copyright 2023-2024 NXP
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -55,15 +55,6 @@ app_common_folder = "all-clusters-app/all-clusters-common"
 rt_sdk("sdk") {
   defines = []
 
-  # To be moved, temporary mbedtls config fix to build app with factory data
-  if (nxp_enable_secure_dac_private_key_storage ||
-      nxp_enable_secure_whole_factory_data) {
-    defines += [
-      "MBEDTLS_NIST_KW_C",
-      "MBEDTLS_PSA_CRYPTO_CLIENT",
-    ]
-  }
-
   cflags = []
   public_deps = []
   public_configs = []
@@ -141,8 +132,8 @@ rt_executable("all_cluster_app") {
     "../../common/main/main.cpp",
   ]
 
-  if (nxp_enable_secure_dac_private_key_storage ||
-      nxp_enable_secure_whole_factory_data) {
+  if (nxp_enable_secure_whole_factory_data ||
+      nxp_enable_secure_EL2GO_factory_data) {
     sources += [ "${chip_root}/examples/platform/nxp/${nxp_platform}/factory_data/source/AppFactoryDataExample.cpp" ]
     if (nxp_enable_secure_whole_factory_data) {
       defines += [ "ENABLE_SECURE_WHOLE_FACTORY_DATA" ]

diff --git a/examples/laundry-washer-app/nxp/rt/rw61x/BUILD.gn b/examples/laundry-washer-app/nxp/rt/rw61x/BUILD.gn
@@ -56,15 +56,6 @@ app_common_folder = "laundry-washer-app/nxp/zap"
 rt_sdk("sdk") {
   defines = []
 
-  # To be moved, temporary mbedtls config fix to build app with factory data
-  if (nxp_enable_secure_dac_private_key_storage ||
-      nxp_enable_secure_whole_factory_data) {
-    defines += [
-      "MBEDTLS_NIST_KW_C",
-      "MBEDTLS_PSA_CRYPTO_CLIENT",
-    ]
-  }
-
   cflags = []
   public_deps = []
   public_configs = []
@@ -142,8 +133,8 @@ rt_executable("laundry-washer") {
     "../../common/main/main.cpp",
   ]
 
-  if (nxp_enable_secure_dac_private_key_storage ||
-      nxp_enable_secure_whole_factory_data) {
+  if (nxp_enable_secure_whole_factory_data ||
+      nxp_enable_secure_EL2GO_factory_data) {
     sources += [ "${chip_root}/examples/platform/nxp/${nxp_platform}/factory_data/source/AppFactoryDataExample.cpp" ]
     if (nxp_enable_secure_whole_factory_data) {
       defines += [ "ENABLE_SECURE_WHOLE_FACTORY_DATA" ]

diff --git a/examples/thermostat/nxp/rt/rw61x/BUILD.gn b/examples/thermostat/nxp/rt/rw61x/BUILD.gn
@@ -1,5 +1,5 @@
 # Copyright (c) 2021 Project CHIP Authors
-# Copyright 2023 NXP
+# Copyright 2023-2024 NXP
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -58,15 +58,6 @@ app_common_folder = "thermostat/nxp/zap"
 rt_sdk("sdk") {
   defines = []
 
-  # To be moved, temporary mbedtls config fix to build app with factory data
-  if (nxp_enable_secure_dac_private_key_storage ||
-      nxp_enable_secure_whole_factory_data) {
-    defines += [
-      "MBEDTLS_NIST_KW_C",
-      "MBEDTLS_PSA_CRYPTO_CLIENT",
-    ]
-  }
-
   cflags = []
   public_deps = []
   public_configs = []
@@ -165,8 +156,8 @@ rt_executable("thermostat") {
     ]
   }
 
-  if (nxp_enable_secure_dac_private_key_storage ||
-      nxp_enable_secure_whole_factory_data) {
+  if (nxp_enable_secure_whole_factory_data ||
+      nxp_enable_secure_EL2GO_factory_data) {
     sources += [ "${chip_root}/examples/platform/nxp/${nxp_platform}/factory_data/source/AppFactoryDataExample.cpp" ]
     if (nxp_enable_secure_whole_factory_data) {
       defines += [ "ENABLE_SECURE_WHOLE_FACTORY_DATA" ]

diff --git a/scripts/tools/nxp/factory_data_generator/custom.py b/scripts/tools/nxp/factory_data_generator/custom.py
@@ -337,3 +337,30 @@ def encode(self):
 
     def max_length(self):
         return 64
+
+
+class El2GoObject(FileArgument):
+
+    def __init__(self, arg):
+        super().__init__(arg)
+
+    def key(self):
+        return 24
+
+
+class El2GoDacKeyID(IntArgument):
+
+    def __init__(self, arg):
+        super().__init__(arg)
+
+    def key(self):
+        return 25
+
+
+class El2GoDacCertID(IntArgument):
+
+    def __init__(self, arg):
+        super().__init__(arg)
+
+    def key(self):
+        return 26
diff --git a/scripts/tools/nxp/factory_data_generator/generate.py b/scripts/tools/nxp/factory_data_generator/generate.py
@@ -23,10 +23,10 @@
 import sys
 
 from crc import Calculator, Crc16
-from custom import (CertDeclaration, DacCert, DacPKey, Discriminator, HardwareVersion, HardwareVersionStr, IterationCount,
-                    ManufacturingDate, PaiCert, PartNumber, ProductFinish, ProductId, ProductLabel, ProductName,
-                    ProductPrimaryColor, ProductURL, Salt, SerialNum, SetupPasscode, StrArgument, UniqueId, VendorId, VendorName,
-                    Verifier)
+from custom import (CertDeclaration, DacCert, DacPKey, Discriminator, El2GoDacCertID, El2GoDacKeyID, El2GoObject, HardwareVersion,
+                    HardwareVersionStr, IterationCount, ManufacturingDate, PaiCert, PartNumber, ProductFinish, ProductId,
+                    ProductLabel, ProductName, ProductPrimaryColor, ProductURL, Salt, SerialNum, SetupPasscode, StrArgument,
+                    UniqueId, VendorId, VendorName, Verifier)
 from default import InputArgument
 
 # Global variable for hash ID
@@ -75,13 +75,24 @@ def __init__(self, args):
         self.spake2p = Spake2p()
         if self.args.spake2p_verifier is None:
             self.spake2p.generate(self.args)
-        self.args.dac_key.generate_private_key(self.args.dac_key_password, self.args.dac_key_use_sss_blob)
+        if self.args.dac_key:
+            self.args.dac_key.generate_private_key(self.args.dac_key_password, self.args.dac_key_use_sss_blob)
 
     def _validate_args(self):
-        if self.args.dac_key_password is None:
+        if self.args.dac_key_password is None and self.args.EL2GO_bin is None:
             logging.warning(
                 "DAC Key password not provided. It means DAC Key is not protected."
             )
+        if self.args.dac_key and self.args.EL2GO_bin:
+            logging.error("Could not provide two DAC Key provisionning method at the same time")
+
+        if (not self.args.dac_key or not self.args.dac_cert) and not self.args.EL2GO_bin:
+            logging.error("Need to provide a DAC provisionner")
+            raise Exception("Could not generate factory data")
+
+        if self.args.EL2GO_bin and (not self.args.EL2GO_DAC_CERT_ID or not self.args.EL2GO_DAC_KEY_ID):
+            logging.error("Need to provide EdgeLock 2Go DAC IDs")
+            raise Exception("Could not generate factory data")
 
         str_args = [obj for key, obj in vars(self.args).items() if isinstance(obj, StrArgument)]
         for str_arg in str_args:
@@ -210,17 +221,23 @@ def main():
                           help="[str] Hardware version as string")
     required.add_argument("--cert_declaration", required=True, type=CertDeclaration,
                           help="[path] Path to Certification Declaration in DER format")
-    required.add_argument("--dac_cert", required=True, type=DacCert,
-                          help="[path] Path to DAC certificate in DER format")
-    required.add_argument("--dac_key", required=True, type=DacPKey,
-                          help="[path] Path to DAC key in DER format")
     required.add_argument("--pai_cert", required=True, type=PaiCert,
                           help="[path] Path to PAI certificate in DER format")
     required.add_argument("--spake2p_path", required=True, type=str,
                           help="[path] Path to spake2p tool")
     required.add_argument("--out", required=True, type=str,
                           help="[path] Path to output binary")
 
+    optional.add_argument("--dac_cert", type=DacCert,
+                          help="[path] Path to DAC certificate in DER format")
+    optional.add_argument("--dac_key", type=DacPKey,
+                          help="[path] Path to DAC key in DER format")
+    optional.add_argument("--EL2GO_bin", type=El2GoObject,
+                          help="[path] Path to EL2GO secure objects binary")
+    optional.add_argument("--EL2GO_DAC_KEY_ID", type=El2GoDacKeyID,
+                          help="[hex] EL2GO DAC key ID")
+    optional.add_argument("--EL2GO_DAC_CERT_ID", type=El2GoDacCertID,
+                          help="[hex] EL2GO DAC certificate ID")
     optional.add_argument("--dac_key_password", type=str,
                           help="[path] Password to decode DAC Key if available")
     optional.add_argument("--dac_key_use_sss_blob", action='store_true',

diff --git a/src/platform/nxp/common/factory_data/FactoryDataProvider.h b/src/platform/nxp/common/factory_data/FactoryDataProvider.h
@@ -1,7 +1,7 @@
 /*
  *
  *    Copyright (c) 2023 Project CHIP Authors
- *    Copyright 2023 NXP
+ *    Copyright 2023-2024 NXP
  *
  *    Licensed under the Apache License, Version 2.0 (the "License");
  *    you may not use this file except in compliance with the License.
@@ -26,6 +26,21 @@
 namespace chip {
 namespace DeviceLayer {
 
+#define CHIP_FACTORY_DATA_ERROR(e)                                                                                                 \
+    ChipError(ChipError::Range::kLastRange, ((uint8_t) ChipError::Range::kLastRange << 2) | e, __FILE__, __LINE__)
+
+#define CHIP_FACTORY_DATA_SHA_CHECK CHIP_FACTORY_DATA_ERROR(0x01)
+#define CHIP_FACTORY_DATA_HEADER_READ CHIP_FACTORY_DATA_ERROR(0x02)
+#define CHIP_FACTORY_DATA_HASH_ID CHIP_FACTORY_DATA_ERROR(0x03)
+#define CHIP_FACTORY_DATA_PDM_RESTORE CHIP_FACTORY_DATA_ERROR(0x04)
+#define CHIP_FACTORY_DATA_NULL CHIP_FACTORY_DATA_ERROR(0x05)
+#define CHIP_FACTORY_DATA_FLASH_ERASE CHIP_FACTORY_DATA_ERROR(0x06)
+#define CHIP_FACTORY_DATA_FLASH_PROGRAM CHIP_FACTORY_DATA_ERROR(0x07)
+#define CHIP_FACTORY_DATA_INTERNAL_FLASH_READ CHIP_FACTORY_DATA_ERROR(0x08)
+#define CHIP_FACTORY_DATA_PDM_SAVE_RECORD CHIP_FACTORY_DATA_ERROR(0x09)
+#define CHIP_FACTORY_DATA_PDM_READ_RECORD CHIP_FACTORY_DATA_ERROR(0x0A)
+#define CHIP_FACTORY_DATA_RESTORE_MECHANISM CHIP_FACTORY_DATA_ERROR(0x0B)
+
 class FactoryDataProviderImpl;
 
 /**
@@ -72,6 +87,10 @@ class FactoryDataProvider : public chip::Credentials::DeviceAttestationCredentia
         kProductLabel,
         kProductFinish,
         kProductPrimaryColor,
+        kEl2GoBlob,
+        kEl2GoDacKeyId,
+        kEl2GoDacCertId,
+
         kMaxId
     };