diff --git a/.github/workflows/bloat_check.yaml b/.github/workflows/bloat_check.yaml index 8f04e49f961498..ef06507924cd01 100644 --- a/.github/workflows/bloat_check.yaml +++ b/.github/workflows/bloat_check.yaml @@ -33,7 +33,7 @@ jobs: runs-on: ubuntu-latest container: - image: ghcr.io/project-chip/chip-build:35 + image: ghcr.io/project-chip/chip-build:41 steps: - name: Checkout diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index e509aab995c682..1da7dd09665706 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -40,7 +40,7 @@ jobs: if: github.actor != 'restyled-io[bot]' container: - image: ghcr.io/project-chip/chip-build:35 + image: ghcr.io/project-chip/chip-build:41 volumes: - "/:/runner-root-volume" - "/tmp/log_output:/tmp/test_logs" @@ -136,7 +136,7 @@ jobs: if: github.actor != 'restyled-io[bot]' container: - image: ghcr.io/project-chip/chip-build:35 + image: ghcr.io/project-chip/chip-build:41 volumes: - "/:/runner-root-volume" - "/tmp/log_output:/tmp/test_logs" @@ -279,7 +279,7 @@ jobs: if: github.actor != 'restyled-io[bot]' container: - image: ghcr.io/project-chip/chip-build:35 + image: ghcr.io/project-chip/chip-build:41 volumes: - "/:/runner-root-volume" - "/tmp/log_output:/tmp/test_logs" @@ -340,7 +340,7 @@ jobs: if: github.actor != 'restyled-io[bot]' container: - image: ghcr.io/project-chip/chip-build:35 + image: ghcr.io/project-chip/chip-build:41 volumes: - "/:/runner-root-volume" - "/tmp/log_output:/tmp/test_logs" @@ -449,7 +449,7 @@ jobs: if: github.actor != 'restyled-io[bot]' container: - image: ghcr.io/project-chip/chip-build:35 + image: ghcr.io/project-chip/chip-build:41 volumes: - "/:/runner-root-volume" - "/tmp/log_output:/tmp/test_logs" diff --git a/.github/workflows/chef.yaml b/.github/workflows/chef.yaml index 3432fdc9a09779..c2c4a777bde7d3 100644 --- a/.github/workflows/chef.yaml +++ b/.github/workflows/chef.yaml 
@@ -33,7 +33,7 @@ jobs: if: github.actor != 'restyled-io[bot]' container: - image: ghcr.io/project-chip/chip-build:35 + image: ghcr.io/project-chip/chip-build:41 options: --user root steps: @@ -54,7 +54,7 @@ jobs: if: github.actor != 'restyled-io[bot]' container: - image: ghcr.io/project-chip/chip-build-esp32:35 + image: ghcr.io/project-chip/chip-build-esp32:41 options: --user root steps: @@ -75,7 +75,7 @@ jobs: if: github.actor != 'restyled-io[bot]' container: - image: ghcr.io/project-chip/chip-build-nrf-platform:35 + image: ghcr.io/project-chip/chip-build-nrf-platform:41 options: --user root steps: @@ -96,7 +96,7 @@ jobs: if: github.actor != 'restyled-io[bot]' container: - image: ghcr.io/project-chip/chip-build-telink:35 + image: ghcr.io/project-chip/chip-build-telink:41 options: --user root steps: diff --git a/.github/workflows/cirque.yaml b/.github/workflows/cirque.yaml index fcd49a2ab65337..919085ac77ee0f 100644 --- a/.github/workflows/cirque.yaml +++ b/.github/workflows/cirque.yaml @@ -40,7 +40,7 @@ jobs: # need to run with privilege, which isn't supported by job.XXX.contaner # https://github.com/actions/container-action/issues/2 # container: - # image: ghcr.io/project-chip/chip-build-cirque:35 + # image: ghcr.io/project-chip/chip-build-cirque:41 # volumes: # - "/tmp:/tmp" # - "/dev/pts:/dev/pts" diff --git a/.github/workflows/doxygen.yaml b/.github/workflows/doxygen.yaml index 13da9c2b4da1d6..cc93947c2c0937 100644 --- a/.github/workflows/doxygen.yaml +++ b/.github/workflows/doxygen.yaml @@ -81,7 +81,7 @@ jobs: runs-on: ubuntu-latest container: - image: ghcr.io/project-chip/chip-build-doxygen:35 + image: ghcr.io/project-chip/chip-build-doxygen:41 if: github.actor != 'restyled-io[bot]' diff --git a/.github/workflows/examples-ameba.yaml b/.github/workflows/examples-ameba.yaml index a10f4a84ac7d69..4716a44f76b1e1 100644 --- a/.github/workflows/examples-ameba.yaml +++ b/.github/workflows/examples-ameba.yaml 
@@ -36,7 +36,7 @@ jobs: if: github.actor != 'restyled-io[bot]' container: - image: ghcr.io/project-chip/chip-build-ameba:35 + image: ghcr.io/project-chip/chip-build-ameba:41 options: --user root steps: diff --git a/.github/workflows/examples-asr.yaml b/.github/workflows/examples-asr.yaml index 092f911a233642..52c63eda8fbbd0 100644 --- a/.github/workflows/examples-asr.yaml +++ b/.github/workflows/examples-asr.yaml @@ -34,7 +34,7 @@ jobs: if: github.actor != 'restyled-io[bot]' container: - image: ghcr.io/project-chip/chip-build-asr:35 + image: ghcr.io/project-chip/chip-build-asr:41 options: --user root steps: diff --git a/.github/workflows/examples-bouffalolab.yaml b/.github/workflows/examples-bouffalolab.yaml index ec90a39b26cf17..8d12696dcd8f89 100644 --- a/.github/workflows/examples-bouffalolab.yaml +++ b/.github/workflows/examples-bouffalolab.yaml @@ -35,7 +35,7 @@ jobs: if: github.actor != 'restyled-io[bot]' container: - image: ghcr.io/project-chip/chip-build-bouffalolab:35 + image: ghcr.io/project-chip/chip-build-bouffalolab:41 volumes: - "/tmp/bloat_reports:/tmp/bloat_reports" steps: diff --git a/.github/workflows/examples-cc13x2x7_26x2x7.yaml b/.github/workflows/examples-cc13x2x7_26x2x7.yaml index 3c864525707a88..e9f47467b88f7f 100644 --- a/.github/workflows/examples-cc13x2x7_26x2x7.yaml +++ b/.github/workflows/examples-cc13x2x7_26x2x7.yaml @@ -36,7 +36,7 @@ jobs: if: github.actor != 'restyled-io[bot]' container: - image: ghcr.io/project-chip/chip-build-ti:35 + image: ghcr.io/project-chip/chip-build-ti:41 volumes: - "/tmp/bloat_reports:/tmp/bloat_reports" steps: diff --git a/.github/workflows/examples-cc32xx.yaml b/.github/workflows/examples-cc32xx.yaml index 73f463b167707b..54f6025d850b85 100644 --- a/.github/workflows/examples-cc32xx.yaml +++ b/.github/workflows/examples-cc32xx.yaml 
@@ -37,7 +37,7 @@ jobs: if: github.actor != 'restyled-io[bot]' container: - image: ghcr.io/project-chip/chip-build-ti:35 + image: ghcr.io/project-chip/chip-build-ti:41 volumes: - "/tmp/bloat_reports:/tmp/bloat_reports" steps: diff --git a/.github/workflows/examples-efr32.yaml b/.github/workflows/examples-efr32.yaml index 1dae68ced0f4a7..147dc957e130da 100644 --- a/.github/workflows/examples-efr32.yaml +++ b/.github/workflows/examples-efr32.yaml @@ -38,7 +38,7 @@ jobs: if: github.actor != 'restyled-io[bot]' container: - image: ghcr.io/project-chip/chip-build-efr32:36 + image: ghcr.io/project-chip/chip-build-efr32:41 volumes: - "/tmp/bloat_reports:/tmp/bloat_reports" steps: diff --git a/.github/workflows/examples-esp32.yaml b/.github/workflows/examples-esp32.yaml index 2317da776e6a95..09d2b24d04aa47 100644 --- a/.github/workflows/examples-esp32.yaml +++ b/.github/workflows/examples-esp32.yaml @@ -34,7 +34,7 @@ jobs: if: github.actor != 'restyled-io[bot]' container: - image: ghcr.io/project-chip/chip-build-esp32:35 + image: ghcr.io/project-chip/chip-build-esp32:41 volumes: - "/tmp/bloat_reports:/tmp/bloat_reports" @@ -124,7 +124,7 @@ jobs: if: github.actor != 'restyled-io[bot]' container: - image: ghcr.io/project-chip/chip-build-esp32:35 + image: ghcr.io/project-chip/chip-build-esp32:41 volumes: - "/tmp/bloat_reports:/tmp/bloat_reports" diff --git a/.github/workflows/examples-infineon.yaml b/.github/workflows/examples-infineon.yaml index ff6f2e91a906b5..0f94ce1a2da631 100644 --- a/.github/workflows/examples-infineon.yaml +++ b/.github/workflows/examples-infineon.yaml @@ -35,7 +35,7 @@ jobs: if: github.actor != 'restyled-io[bot]' container: - image: ghcr.io/project-chip/chip-build-infineon:35 + image: ghcr.io/project-chip/chip-build-infineon:41 volumes: - "/tmp/bloat_reports:/tmp/bloat_reports" steps: diff --git a/.github/workflows/examples-linux-arm.yaml b/.github/workflows/examples-linux-arm.yaml index a346bec097fa81..562279a0d35375 100644 
--- a/.github/workflows/examples-linux-arm.yaml +++ b/.github/workflows/examples-linux-arm.yaml @@ -34,7 +34,7 @@ jobs: if: github.actor != 'restyled-io[bot]' container: - image: ghcr.io/project-chip/chip-build-crosscompile:35 + image: ghcr.io/project-chip/chip-build-crosscompile:41 volumes: - "/tmp/bloat_reports:/tmp/bloat_reports" diff --git a/.github/workflows/examples-linux-imx.yaml b/.github/workflows/examples-linux-imx.yaml index f6fee89fa966e4..843e76b9b14c41 100644 --- a/.github/workflows/examples-linux-imx.yaml +++ b/.github/workflows/examples-linux-imx.yaml @@ -34,7 +34,7 @@ jobs: if: github.actor != 'restyled-io[bot]' container: - image: ghcr.io/project-chip/chip-build-imx:35 + image: ghcr.io/project-chip/chip-build-imx:41 steps: - name: Checkout diff --git a/.github/workflows/examples-linux-standalone.yaml b/.github/workflows/examples-linux-standalone.yaml index ad1dc349163c7b..ea60e6adbcb022 100644 --- a/.github/workflows/examples-linux-standalone.yaml +++ b/.github/workflows/examples-linux-standalone.yaml @@ -34,7 +34,7 @@ jobs: if: github.actor != 'restyled-io[bot]' container: - image: ghcr.io/project-chip/chip-build:35 + image: ghcr.io/project-chip/chip-build:41 volumes: - "/tmp/bloat_reports:/tmp/bloat_reports" diff --git a/.github/workflows/examples-mbed.yaml b/.github/workflows/examples-mbed.yaml index 54d33b9f91d3c2..4b5748b4d0abe7 100644 --- a/.github/workflows/examples-mbed.yaml +++ b/.github/workflows/examples-mbed.yaml @@ -40,7 +40,7 @@ jobs: if: github.actor != 'restyled-io[bot]' container: - image: ghcr.io/project-chip/chip-build-mbed-os:35 + image: ghcr.io/project-chip/chip-build-mbed-os:41 volumes: - "/tmp/bloat_reports:/tmp/bloat_reports" diff --git a/.github/workflows/examples-mw320.yaml b/.github/workflows/examples-mw320.yaml index d0e7ce3122c06b..a16ea66c148aca 100644 --- a/.github/workflows/examples-mw320.yaml +++ b/.github/workflows/examples-mw320.yaml 
@@ -37,7 +37,7 @@ jobs: if: github.actor != 'restyled-io[bot]' container: - image: ghcr.io/project-chip/chip-build:35 + image: ghcr.io/project-chip/chip-build:41 volumes: - "/tmp/bloat_reports:/tmp/bloat_reports" steps: diff --git a/.github/workflows/examples-nrfconnect.yaml b/.github/workflows/examples-nrfconnect.yaml index 64bb5a319eafa8..eb62c69299fc85 100644 --- a/.github/workflows/examples-nrfconnect.yaml +++ b/.github/workflows/examples-nrfconnect.yaml @@ -37,7 +37,7 @@ jobs: if: github.actor != 'restyled-io[bot]' container: - image: ghcr.io/project-chip/chip-build-nrf-platform:35 + image: ghcr.io/project-chip/chip-build-nrf-platform:41 volumes: - "/tmp/bloat_reports:/tmp/bloat_reports" diff --git a/.github/workflows/examples-openiotsdk.yaml b/.github/workflows/examples-openiotsdk.yaml index 254e5688d62435..b6f69791d2270a 100644 --- a/.github/workflows/examples-openiotsdk.yaml +++ b/.github/workflows/examples-openiotsdk.yaml @@ -38,7 +38,7 @@ jobs: if: github.actor != 'restyled-io[bot]' container: - image: ghcr.io/project-chip/chip-build-openiotsdk:35 + image: ghcr.io/project-chip/chip-build-openiotsdk:41 volumes: - "/tmp/bloat_reports:/tmp/bloat_reports" options: --privileged diff --git a/.github/workflows/examples-qpg.yaml b/.github/workflows/examples-qpg.yaml index e012eb9b02d065..b0af5ab2141ef0 100644 --- a/.github/workflows/examples-qpg.yaml +++ b/.github/workflows/examples-qpg.yaml @@ -37,7 +37,7 @@ jobs: if: github.actor != 'restyled-io[bot]' container: - image: ghcr.io/project-chip/chip-build:35 + image: ghcr.io/project-chip/chip-build:41 volumes: - "/tmp/bloat_reports:/tmp/bloat_reports" steps: diff --git a/.github/workflows/examples-stm32.yaml b/.github/workflows/examples-stm32.yaml index 84442f85294d31..9a30af500112ce 100644 --- a/.github/workflows/examples-stm32.yaml +++ b/.github/workflows/examples-stm32.yaml 
@@ -38,7 +38,7 @@ jobs: if: github.actor != 'restyled-io[bot]' container: - image: ghcr.io/project-chip/chip-build:35 + image: ghcr.io/project-chip/chip-build:41 volumes: - "/tmp/bloat_reports:/tmp/bloat_reports" steps: diff --git a/.github/workflows/examples-telink.yaml b/.github/workflows/examples-telink.yaml index 9131b3969df075..285ba96aceda07 100644 --- a/.github/workflows/examples-telink.yaml +++ b/.github/workflows/examples-telink.yaml @@ -36,7 +36,7 @@ jobs: if: github.actor != 'restyled-io[bot]' container: - image: ghcr.io/project-chip/chip-build-telink:35 + image: ghcr.io/project-chip/chip-build-telink:41 volumes: - "/tmp/bloat_reports:/tmp/bloat_reports" diff --git a/.github/workflows/examples-tizen.yaml b/.github/workflows/examples-tizen.yaml index a289e159dc6318..65c15e5ea4114d 100644 --- a/.github/workflows/examples-tizen.yaml +++ b/.github/workflows/examples-tizen.yaml @@ -34,7 +34,7 @@ jobs: if: github.actor != 'restyled-io[bot]' container: - image: ghcr.io/project-chip/chip-build-tizen:35 + image: ghcr.io/project-chip/chip-build-tizen:41 options: --user root volumes: - "/tmp/bloat_reports:/tmp/bloat_reports" diff --git a/.github/workflows/examples-tv-app.yaml b/.github/workflows/examples-tv-app.yaml index fff6cbb39d1acb..c59a9292a1261b 100644 --- a/.github/workflows/examples-tv-app.yaml +++ b/.github/workflows/examples-tv-app.yaml @@ -37,7 +37,7 @@ jobs: if: github.actor != 'restyled-io[bot]' container: - image: ghcr.io/project-chip/chip-build-android:35 + image: ghcr.io/project-chip/chip-build-android:41 volumes: - "/tmp/bloat_reports:/tmp/bloat_reports" diff --git a/.github/workflows/full-android.yaml b/.github/workflows/full-android.yaml index f7a14d1f5d3d1b..b1116fa09f239b 100644 --- a/.github/workflows/full-android.yaml +++ b/.github/workflows/full-android.yaml 
@@ -36,7 +36,7 @@ jobs: if: github.actor != 'restyled-io[bot]' container: - image: ghcr.io/project-chip/chip-build-android:35 + image: ghcr.io/project-chip/chip-build-android:41 volumes: - "/tmp/log_output:/tmp/test_logs" diff --git a/.github/workflows/fuzzing-build.yaml b/.github/workflows/fuzzing-build.yaml index aedbe66ddb0ae5..f354ce369c27fd 100644 --- a/.github/workflows/fuzzing-build.yaml +++ b/.github/workflows/fuzzing-build.yaml @@ -33,7 +33,7 @@ jobs: if: github.actor != 'restyled-io[bot]' container: - image: ghcr.io/project-chip/chip-build:35 + image: ghcr.io/project-chip/chip-build:41 volumes: - "/tmp/log_output:/tmp/test_logs" diff --git a/.github/workflows/java-tests.yaml b/.github/workflows/java-tests.yaml index 8d21ca0bd4c56d..4356924024c9fe 100644 --- a/.github/workflows/java-tests.yaml +++ b/.github/workflows/java-tests.yaml @@ -40,7 +40,7 @@ jobs: runs-on: ubuntu-latest container: - image: ghcr.io/project-chip/chip-build-java:35 + image: ghcr.io/project-chip/chip-build-java:41 options: --privileged --sysctl "net.ipv6.conf.all.disable_ipv6=0 net.ipv4.conf.all.forwarding=0 net.ipv6.conf.all.forwarding=0" diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 7e6206bc6374ff..15d0d3ed1be5f7 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -29,7 +29,7 @@ jobs: if: github.actor != 'restyled-io[bot]' container: - image: ghcr.io/project-chip/chip-build:39 + image: ghcr.io/project-chip/chip-build:41 steps: - name: Checkout diff --git a/.github/workflows/minimal-build.yaml b/.github/workflows/minimal-build.yaml index 189c8db3159951..029f3d759771fc 100644 --- a/.github/workflows/minimal-build.yaml +++ b/.github/workflows/minimal-build.yaml @@ -31,7 +31,7 @@ jobs: runs-on: ubuntu-latest container: - image: ghcr.io/project-chip/chip-build-minimal:35 + image: ghcr.io/project-chip/chip-build-minimal:41 steps: - name: Checkout 
diff --git a/.github/workflows/qemu.yaml b/.github/workflows/qemu.yaml index 714b5b8782f1ae..dc356586b4dd96 100644 --- a/.github/workflows/qemu.yaml +++ b/.github/workflows/qemu.yaml @@ -38,7 +38,7 @@ jobs: if: github.actor != 'restyled-io[bot]' container: - image: ghcr.io/project-chip/chip-build-esp32-qemu:35 + image: ghcr.io/project-chip/chip-build-esp32-qemu:41 volumes: - "/tmp/log_output:/tmp/test_logs" @@ -78,7 +78,7 @@ jobs: if: github.actor != 'restyled-io[bot]' container: - image: ghcr.io/project-chip/chip-build-tizen-qemu:35 + image: ghcr.io/project-chip/chip-build-tizen-qemu:41 volumes: - "/tmp/log_output:/tmp/test_logs" diff --git a/.github/workflows/release_artifacts.yaml b/.github/workflows/release_artifacts.yaml index 78b0c34275430e..57a1ce7b325dc3 100644 --- a/.github/workflows/release_artifacts.yaml +++ b/.github/workflows/release_artifacts.yaml @@ -32,7 +32,7 @@ jobs: runs-on: ubuntu-latest container: - image: ghcr.io/project-chip/chip-build-esp32:35 + image: ghcr.io/project-chip/chip-build-esp32:41 steps: - name: Checkout @@ -64,7 +64,7 @@ jobs: runs-on: ubuntu-latest container: - image: ghcr.io/project-chip/chip-build-efr32:36 + image: ghcr.io/project-chip/chip-build-efr32:41 steps: - name: Checkout uses: actions/checkout@v4 diff --git a/.github/workflows/smoketest-android.yaml b/.github/workflows/smoketest-android.yaml index 64efaeb82ff20f..d1dd509fd5aa63 100644 --- a/.github/workflows/smoketest-android.yaml +++ b/.github/workflows/smoketest-android.yaml @@ -37,7 +37,7 @@ jobs: if: github.actor != 'restyled-io[bot]' container: - image: ghcr.io/project-chip/chip-build-android:35 + image: ghcr.io/project-chip/chip-build-android:41 volumes: - "/:/runner-root-volume" - "/tmp/log_output:/tmp/test_logs" diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml index 41138dd787360c..2907a4a89711ea 100644 --- a/.github/workflows/tests.yaml +++ b/.github/workflows/tests.yaml 
@@ -47,7 +47,7 @@ jobs: runs-on: ubuntu-latest container: - image: ghcr.io/project-chip/chip-build:35 + image: ghcr.io/project-chip/chip-build:41 options: --privileged --sysctl "net.ipv6.conf.all.disable_ipv6=0 net.ipv4.conf.all.forwarding=1 net.ipv6.conf.all.forwarding=1" @@ -437,7 +437,7 @@ jobs: runs-on: ubuntu-latest container: - image: ghcr.io/project-chip/chip-build:32 + image: ghcr.io/project-chip/chip-build:41 options: --privileged --sysctl "net.ipv6.conf.all.disable_ipv6=0 net.ipv4.conf.all.forwarding=0 net.ipv6.conf.all.forwarding=0" diff --git a/.github/workflows/unit_integration_test.yaml b/.github/workflows/unit_integration_test.yaml index be602f2ee9f142..478d347be25ab9 100644 --- a/.github/workflows/unit_integration_test.yaml +++ b/.github/workflows/unit_integration_test.yaml @@ -37,7 +37,7 @@ jobs: runs-on: ubuntu-latest container: - image: ghcr.io/project-chip/chip-build:35 + image: ghcr.io/project-chip/chip-build:41 volumes: - "/:/runner-root-volume" - "/tmp/log_output:/tmp/test_logs" diff --git a/.github/workflows/zap_regeneration.yaml b/.github/workflows/zap_regeneration.yaml index a0ab3653d5ecb1..4488e23258cd65 100644 --- a/.github/workflows/zap_regeneration.yaml +++ b/.github/workflows/zap_regeneration.yaml @@ -30,7 +30,7 @@ jobs: runs-on: ubuntu-20.04 container: - image: ghcr.io/project-chip/chip-build:35 + image: ghcr.io/project-chip/chip-build:41 defaults: run: shell: sh diff --git a/.github/workflows/zap_templates.yaml b/.github/workflows/zap_templates.yaml index cb8bff6172a119..f14b914ae7f88a 100644 --- a/.github/workflows/zap_templates.yaml +++ b/.github/workflows/zap_templates.yaml @@ -32,7 +32,7 @@ jobs: runs-on: ubuntu-20.04 container: - image: ghcr.io/project-chip/chip-build:35 + image: ghcr.io/project-chip/chip-build:41 defaults: run: shell: sh diff --git a/config/nrfconnect/.nrfconnect-recommended-revision b/config/nrfconnect/.nrfconnect-recommended-revision index 21222ceed22ae6..8a965c116821a9 100644 
--- a/config/nrfconnect/.nrfconnect-recommended-revision +++ b/config/nrfconnect/.nrfconnect-recommended-revision @@ -1 +1 @@ -v2.5.0 +v2.6.0 diff --git a/config/nrfconnect/chip-module/CMakeLists.txt b/config/nrfconnect/chip-module/CMakeLists.txt index 9b81d7cf30282e..d132d8249d76b1 100644 --- a/config/nrfconnect/chip-module/CMakeLists.txt +++ b/config/nrfconnect/chip-module/CMakeLists.txt @@ -60,13 +60,15 @@ if (CONFIG_ARM) matter_add_cflags(--specs=nosys.specs) endif() -if (CONFIG_NORDIC_SECURITY_BACKEND) +if (CONFIG_NRF_SECURITY) zephyr_include_directories($) zephyr_include_directories($) if(TARGET platform_cc3xx) zephyr_include_directories($) endif() matter_add_flags(-DMBEDTLS_CONFIG_FILE=) + matter_add_flags(-DMBEDTLS_PSA_CRYPTO_CONFIG_FILE=) + matter_add_flags(-DMBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE=) elseif(CONFIG_MBEDTLS) zephyr_include_directories($) zephyr_compile_definitions($) diff --git a/config/nrfconnect/chip-module/Kconfig b/config/nrfconnect/chip-module/Kconfig index c72080b7005409..5d03e82530c84e 100644 --- a/config/nrfconnect/chip-module/Kconfig +++ b/config/nrfconnect/chip-module/Kconfig 
@@ -286,4 +286,20 @@ config CHIP_ENABLE_READ_CLIENT This config can be disabled for device types that do not require Read Client functionality. Disabling this config can save flash and RAM space. +config CHIP_MIGRATE_OPERATIONAL_KEYS_TO_ITS + bool "Operational keys migration feature" + depends on CHIP_CRYPTO_PSA + help + Enables migration of the operational keys stored in the persistent storage to the PSA ITS secure storage. + Enable this feature while updating the firmware of in-field devices that run Mbed TLS cryptography backend + to the firmware based on PSA Crypto API. + +config CHIP_FACTORY_RESET_ON_KEY_MIGRATION_FAILURE + bool "Perform factory reset if the operational key migration failed" + default y + depends on CHIP_MIGRATE_OPERATIONAL_KEYS_TO_ITS + help + Perform factory reset of the device if the operational key for Fabric has not been migrated + properly to PSA ITS storage. + endif # CHIP diff --git a/config/nrfconnect/chip-module/Kconfig.defaults b/config/nrfconnect/chip-module/Kconfig.defaults index 8684adb2be3c52..f1c1f71e49acaf 100644 --- a/config/nrfconnect/chip-module/Kconfig.defaults +++ b/config/nrfconnect/chip-module/Kconfig.defaults @@ -20,32 +20,9 @@ if CHIP -config LOG - default y - -if LOG - -choice LOG_MODE - default LOG_MODE_MINIMAL -endchoice - -choice MATTER_LOG_LEVEL_CHOICE - default MATTER_LOG_LEVEL_DBG -endchoice - -config CHIP_APP_LOG_LEVEL - default 4 # debug - -config LOG_DEFAULT_LEVEL - default 1 # error - -config CHIP_LOG_SIZE_OPTIMIZATION - default y - -endif - -config PRINTK_SYNC - default y +# ============================================================================== +# System configuration +# ============================================================================== config ASSERT default y 
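Review bot: In config/nrfconnect/chip-module/Kconfig, the help text for `CHIP_MIGRATE_OPERATIONAL_KEYS_TO_ITS` does not say whether the key copy in ordinary persistent storage is erased after a successful migration. The help for `CHIP_FACTORY_RESET_ON_KEY_MIGRATION_FAILURE` likewise does not say what state a fabric is left in when the option is `n` and migration fails. Both decide whether an in-field update really moves the operational key out of unprotected storage, and the migration code is not in this hunk, so the behaviour cannot be confirmed from here. I would extend the help with one sentence each, for example `After a successful migration the key is removed from the persistent storage.` (if that is what the code does) and `If disabled, a fabric whose key failed to migrate is left <behaviour>.`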
@@ -62,43 +39,52 @@ config HW_STACK_PROTECTION config FPU default y -config SHELL - default y - -config SHELL_MINIMAL - default y - -# Enable getting reboot reasons information -config HWINFO - bool - default y - -config HWINFO_SHELL - bool - default n - -config PTHREAD_IPC - bool - default n - config POSIX_MAX_FDS - int default 16 -# Application stack size config MAIN_STACK_SIZE default 6144 config INIT_STACKS default y +config SYSTEM_WORKQUEUE_STACK_SIZE + default 2560 if CHIP_WIFI + +config HEAP_MEM_POOL_SIZE + default 80000 if CHIP_WIFI + +config CHIP_MALLOC_SYS_HEAP_SIZE + default 30720 if CHIP_WIFI + default 8192 if NET_L2_OPENTHREAD + +# We use sys_heap based allocators, so make sure we don't reserve unused libc heap anyway +config COMMON_LIBC_MALLOC_ARENA_SIZE + default -1 + +config NVS_LOOKUP_CACHE_SIZE + default 512 + +# ============================================================================== +# Zephyr networking configuration +# ============================================================================== + config NET_IPV6_MLD default y +config NET_IPV6_NBR_CACHE + default y if CHIP_WIFI + default n if NET_L2_OPENTHREAD + +config NET_IF_UNICAST_IPV6_ADDR_COUNT + default 6 + config NET_IF_MCAST_IPV6_ADDR_COUNT default 14 -# Network buffers +config NET_IF_IPV6_PREFIX_COUNT + default NET_IF_UNICAST_IPV6_ADDR_COUNT if CHIP_WIFI + config NET_PKT_RX_COUNT default 8 @@ -111,7 +97,12 @@ config NET_BUF_RX_COUNT config NET_BUF_TX_COUNT default 16 -# Bluetooth Low Energy configs +config NET_SOCKETS_POLL_MAX + default 6 if CHIP_WIFI + +# ============================================================================== +# Bluetooth Low Energy configuration +# ============================================================================== config BT default y 
@@ -162,99 +153,95 @@ config BT_BUF_ACL_TX_SIZE config BT_RX_STACK_SIZE default 1200 +# Increase maximum data length of PDU supported in the Controller +config BT_CTLR_DATA_LENGTH_MAX + default 251 if SOC_SERIES_NRF52X + config BT_CTLR_ECDH - bool default n config BT_CTLR_LE_ENC - bool default n config BT_DEVICE_NAME_GATT_WRITABLE - bool default n config BT_GATT_CACHING - bool default n # Disable 2M PHY due to interoperability issues. config BT_CTLR_PHY_2M default n -# Enable NFC support +config MPSL_FEM_NRF21540_RUNTIME_PA_GAIN_CONTROL + default y if MPSL_FEM + +# ============================================================================== +# NFC configuration +# ============================================================================== config CHIP_NFC_COMMISSIONING default y # Disable not needed NFC callback to save flash config NFC_THREAD_CALLBACK - bool default n +# ============================================================================== +# DFU configuration +# ============================================================================== + config CHIP_OTA_REQUESTOR default y -# All boards besides nRF7002DK use QSPI NOR external flash -if BOARD_NRF5340DK_NRF5340_CPUAPP || BOARD_NRF52840DK_NRF52840 - +# All boards except nRF7002DK use QSPI NOR external flash config CHIP_QSPI_NOR - default y - -endif # BOARD_NRF5340DK_NRF5340_CPUAPP || BOARD_NRF52840DK_NRF52840 + default y if BOARD_NRF5340DK_NRF5340_CPUAPP || BOARD_NRF52840DK_NRF52840 # nRF7002DK uses SPI NOR external flash - -if BOARD_NRF7002DK_NRF5340_CPUAPP - config CHIP_SPI_NOR - default y + default y if BOARD_NRF7002DK_NRF5340_CPUAPP -endif # BOARD_NRF7002DK_NRF5340_CPUAPP - -# Enable extended discovery -config CHIP_EXTENDED_DISCOVERY - default n +config BOOT_IMAGE_ACCESS_HOOKS + default y if SOC_SERIES_NRF53X -config NVS_LOOKUP_CACHE_SIZE - default 512 +config UPDATEABLE_IMAGE_NUMBER + default 2 if SOC_SERIES_NRF53X -# Enable OpenThread +# 
============================================================================== +# OpenThread configuration +# ============================================================================== config NET_L2_OPENTHREAD default y if !WIFI_NRF700X if NET_L2_OPENTHREAD -# Disable OpenThread shell -config OPENTHREAD_SHELL - default n - -# Disable certain parts of Zephyr IPv6 stack -config NET_IPV6_NBR_CACHE - bool - default n - # Increase the default RX stack size config IEEE802154_NRF5_RX_STACK_SIZE default 1024 config OPENTHREAD_THREAD_STACK_SIZE - default 4096 + default 6144 if PSA_CRYPTO_DRIVER_CC3XX && PSA_CRYPTO_DRIVER_OBERON + default 4096 -endif +config OPENTHREAD_DEFAULT_TX_POWER + default 20 if MPSL_FEM + default 3 if SOC_SERIES_NRF53X + default 8 if SOC_SERIES_NRF52X + +endif # NET_L2_OPENTHREAD + +# ============================================================================== +# Wi-Fi configuration +# ============================================================================== if CHIP_WIFI choice WPA_SUPP_LOG_LEVEL_CHOICE - default WPA_SUPP_LOG_LEVEL_ERR + default WPA_SUPP_LOG_LEVEL_ERR endchoice -# increase the prefixes limit to match -# maximum number of IPv6 addresses per interface -config NET_IF_IPV6_PREFIX_COUNT - default 6 - # it saves us 20kB of FLASH config WPA_SUPP_NO_DEBUG default y 
@@ -272,74 +259,73 @@ config NRF_WIFI_LOW_POWER config NRF700X_RX_NUM_BUFS default 16 -config NRF700X_TX_MAX_DATA_SIZE - default 1280 - -config NRF700X_RX_MAX_DATA_SIZE - default 1280 - config NRF700X_MAX_TX_TOKENS default 10 config NRF700X_MAX_TX_AGGREGATION default 1 -config MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG +# it saves 25kB of FLASH +config WPA_SUPP_ADVANCED_FEATURES default n -config SYSTEM_WORKQUEUE_STACK_SIZE - default 2560 +endif # CHIP_WIFI -# align these numbers to match the OpenThread config -config NET_IF_UNICAST_IPV6_ADDR_COUNT - default 6 +# ============================================================================== +# Crypto configuration +# ============================================================================== -config NET_IF_MCAST_IPV6_ADDR_COUNT - default 8 +choice OPENTHREAD_SECURITY + default OPENTHREAD_NRF_SECURITY_PSA_CHOICE if CHIP_CRYPTO_PSA + default OPENTHREAD_NRF_SECURITY_CHOICE + +endchoice -config NET_SOCKETS_POLL_MAX - default 6 +choice RNG_GENERATOR_CHOICE + default XOSHIRO_RANDOM_GENERATOR if SOC_SERIES_NRF53X +endchoice -config MBEDTLS_SSL_OUT_CONTENT_LEN - default 900 +config OBERON_BACKEND + default y -# options managed by IP4/IP6 simultaneous support -# aligned here to match OpenThread config -config NET_MAX_ROUTERS - default 1 +config MBEDTLS_ENABLE_HEAP + default y -config NET_MAX_CONN - default 4 +config MBEDTLS_HEAP_SIZE + default 8192 + +# Enable PSA Crypto dependencies for Matter -config SHELL_STACK_SIZE - default 2616 +config CHIP_CRYPTO_PSA + default y if !CHIP_WIFI -config HEAP_MEM_POOL_SIZE - default 80000 +if CHIP_CRYPTO_PSA -endif +config PSA_CRYPTO_DRIVER_CC3XX + default n -config CHIP_MALLOC_SYS_HEAP_SIZE - default 28672 if CHIP_WIFI - default 8192 if NET_L2_OPENTHREAD +config PSA_WANT_ALG_SHA_224 + default n -# Enable mbedTLS from nrf_security library +# Extend the maximum number of PSA key slots to fit Matter requirements +config MBEDTLS_PSA_KEY_SLOT_COUNT + default 64 -choice OPENTHREAD_SECURITY - default 
OPENTHREAD_NRF_SECURITY_CHOICE -endchoice +if PSA_CRYPTO_DRIVER_CC3XX && PSA_CRYPTO_DRIVER_OBERON -config PSA_CRYPTO_DRIVER_CC3XX - default n +# Do not use CC3XX hash driver when both Oberon and CC3xx are enabled. +config PSA_USE_CC3XX_HASH_DRIVER + default n -config OBERON_BACKEND - default y +endif -config MBEDTLS_ENABLE_HEAP +# Spake2+ support +config MBEDTLS_MD_C default y -config MBEDTLS_HEAP_SIZE - default 8192 +endif + +if !CHIP_CRYPTO_PSA config NRF_SECURITY_ADVANCED default y @@ -347,32 +333,46 @@ config NRF_SECURITY_ADVANCED config MBEDTLS_AES_C default y -config MBEDTLS_ECP_C - default y - -config MBEDTLS_ECP_DP_SECP256R1_ENABLED - default y - config MBEDTLS_CTR_DRBG_C default y config MBEDTLS_CIPHER_MODE_CTR default y +config MBEDTLS_SHA1_C + default y if CHIP_WIFI + config MBEDTLS_SHA256_C default y config MBEDTLS_PK_C default y +config MBEDTLS_PKCS5_C + default y + config MBEDTLS_PK_WRITE_C default y config MBEDTLS_X509_CREATE_C - default y if !CHIP_CRYPTO_PSA + default y config MBEDTLS_X509_CSR_WRITE_C - default y if !CHIP_CRYPTO_PSA + default y + +config MBEDTLS_ECP_C + default y + +config MBEDTLS_ECP_DP_SECP256R1_ENABLED + default y + +endif + +config MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG + default n if CHIP_WIFI + +config MBEDTLS_SSL_OUT_CONTENT_LEN + default 900 if CHIP_WIFI # Disable unneeded crypto operations 
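Review bot: The relocated `choice RNG_GENERATOR_CHOICE` block in the new "Crypto configuration" section sets `default XOSHIRO_RANDOM_GENERATOR if SOC_SERIES_NRF53X` with no comment. The old block, removed in the last hunk of this file, explained that it works around firmware hangs caused by direct CryptoCell calls. Under a crypto heading the bare default reads as if it selected the source of cryptographic randomness, although xoshiro is a non-cryptographic generator and, as far as I know, this Zephyr choice only covers the general-purpose `sys_rand` path. I would carry the rationale over and state the scope above the `choice`, e.g. `# Non-cryptographic sys_rand generator only; avoids direct CryptoCell calls that caused firmware hangs.` It is also worth confirming that key and nonce generation on nRF53 still goes through the CSPRNG / PSA path.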
@@ -406,17 +406,54 @@ config MBEDTLS_SSL_SRV_C config MBEDTLS_SSL_COOKIE_C default n -# Disable not used shell modules +# ============================================================================== +# Logging configuration +# ============================================================================== -config SHELL_WILDCARD - default n +config LOG + default y -config SHELL_VT100_COLORS - default n +if LOG -config SHELL_STATS +choice LOG_MODE + default LOG_MODE_MINIMAL +endchoice + +choice MATTER_LOG_LEVEL_CHOICE + default MATTER_LOG_LEVEL_DBG +endchoice + +config CHIP_APP_LOG_LEVEL + default 4 # debug + +config LOG_DEFAULT_LEVEL + default 1 # error + +config CHIP_LOG_SIZE_OPTIMIZATION + default y + +# disable synchronous printk to avoid blocking IRQs which +# may affect time sensitive components +config PRINTK_SYNC default n +endif # LOG + +# ============================================================================== +# Shell configuration +# ============================================================================== + +config SHELL + default y + +if SHELL + +config SHELL_STACK_SIZE + default 2616 if CHIP_WIFI + +config SHELL_MINIMAL + default y + config KERNEL_SHELL default n 
@@ -441,42 +478,12 @@ config CLOCK_CONTROL_NRF_SHELL config FLASH_SHELL default n -if MPSL_FEM - -config MPSL_FEM_NRF21540_RUNTIME_PA_GAIN_CONTROL - default y - -endif # MPSL_FEM - -config OPENTHREAD_DEFAULT_TX_POWER - default 20 if MPSL_FEM - default 3 if SOC_SERIES_NRF53X && !MPSL_FEM - default 8 if SOC_SERIES_NRF52X && !MPSL_FEM - -# SoC series related configuration - -if SOC_SERIES_NRF52X - -# Increase maximum data length of PDU supported in the Controller -config BT_CTLR_DATA_LENGTH_MAX - default 251 - -endif # SOC_SERIES_NRF52X - -if SOC_SERIES_NRF53X - -config BOOT_IMAGE_ACCESS_HOOKS - default y - -config UPDATEABLE_IMAGE_NUMBER - default 2 +config HWINFO_SHELL + default n -# Generate random numbers using Xoroshiro algorithm instead of direct calls -# to the cryptocell library to workaround firmware hangs. -choice RNG_GENERATOR_CHOICE - default XOROSHIRO_RANDOM_GENERATOR -endchoice +config OPENTHREAD_SHELL + default n -endif # SOC_SERIES_NRF53X +endif # SHELL -endif +endif \ No newline at end of file diff --git a/config/nrfconnect/chip-module/Kconfig.hci_rpmsg.defaults b/config/nrfconnect/chip-module/Kconfig.hci_ipc.defaults similarity index 96% rename from config/nrfconnect/chip-module/Kconfig.hci_rpmsg.defaults rename to config/nrfconnect/chip-module/Kconfig.hci_ipc.defaults index 17c7115e28b750..bede85fd2541d3 100644 --- a/config/nrfconnect/chip-module/Kconfig.hci_rpmsg.defaults +++ b/config/nrfconnect/chip-module/Kconfig.hci_ipc.defaults @@ -14,7 +14,7 @@ # limitations under the License. # -# The purpose of this file is to define new default values of settings used when building hci_rpmsg child image for Matter samples. +# The purpose of this file is to define new default values of settings used when building hci_ipc child image for Matter samples. config LOG default n 
diff --git a/config/nrfconnect/chip-module/Kconfig.hci_rpmsg.root b/config/nrfconnect/chip-module/Kconfig.hci_ipc.root similarity index 84% rename from config/nrfconnect/chip-module/Kconfig.hci_rpmsg.root rename to config/nrfconnect/chip-module/Kconfig.hci_ipc.root index 8c4f6eee49cbc2..1fe8ff85f43ee8 100644 --- a/config/nrfconnect/chip-module/Kconfig.hci_rpmsg.root +++ b/config/nrfconnect/chip-module/Kconfig.hci_ipc.root @@ -15,7 +15,7 @@ # # The purpose of this file is to create a wrapper Kconfig file that will be set as -# hci_rpmsg_KCONFIG_ROOT and processed before any other Kconfig for hci_rpmsg child image. +# hci_ipc_KCONFIG_ROOT and processed before any other Kconfig for hci_ipc child image. -rsource "Kconfig.hci_rpmsg.defaults" +rsource "Kconfig.hci_ipc.defaults" source "Kconfig.zephyr" diff --git a/examples/all-clusters-app/nrfconnect/main/AppTask.cpp b/examples/all-clusters-app/nrfconnect/main/AppTask.cpp index f8d117790fac3d..efdee7153b493c 100644 --- a/examples/all-clusters-app/nrfconnect/main/AppTask.cpp +++ b/examples/all-clusters-app/nrfconnect/main/AppTask.cpp @@ -45,6 +45,13 @@ #include "OTAUtil.h" #endif +#ifdef CONFIG_CHIP_CRYPTO_PSA +#include +#ifdef CONFIG_CHIP_MIGRATE_OPERATIONAL_KEYS_TO_ITS +#include "MigrationManager.h" +#endif +#endif + #include #include #include @@ -88,6 +95,9 @@ bool sHaveBLEConnections = false; app::Clusters::TemperatureControl::AppSupportedTemperatureLevelsDelegate sAppSupportedTemperatureLevelsDelegate; +#ifdef CONFIG_CHIP_CRYPTO_PSA +chip::Crypto::PSAOperationalKeystore sPSAOperationalKeystore{}; +#endif } // namespace namespace LedConsts { 
@@ -209,11 +219,24 @@ CHIP_ERROR AppTask::Init() static OTATestEventTriggerHandler sOtaTestEventTriggerHandler{}; VerifyOrDie(sTestEventTriggerDelegate.Init(ByteSpan(sTestEventTriggerEnableKey)) == CHIP_NO_ERROR); VerifyOrDie(sTestEventTriggerDelegate.AddHandler(&sOtaTestEventTriggerHandler) == CHIP_NO_ERROR); +#ifdef CONFIG_CHIP_CRYPTO_PSA + initParams.operationalKeystore = &sPSAOperationalKeystore; +#endif (void) initParams.InitializeStaticResourcesBeforeServerInit(); initParams.testEventTriggerDelegate = &sTestEventTriggerDelegate; ReturnErrorOnFailure(chip::Server::GetInstance().Init(initParams)); AppFabricTableDelegate::Init(); +#ifdef CONFIG_CHIP_MIGRATE_OPERATIONAL_KEYS_TO_ITS + err = MoveOperationalKeysFromKvsToIts(sLocalInitData.mServerInitParams->persistentStorageDelegate, + sLocalInitData.mServerInitParams->operationalKeystore); + if (err != CHIP_NO_ERROR) + { + LOG_ERR("MoveOperationalKeysFromKvsToIts() failed"); + return err; + } +#endif + gExampleDeviceInfoProvider.SetStorageDelegate(&Server::GetInstance().GetPersistentStorage()); chip::DeviceLayer::SetDeviceInfoProvider(&gExampleDeviceInfoProvider); diff --git a/examples/all-clusters-minimal-app/nrfconnect/main/AppTask.cpp b/examples/all-clusters-minimal-app/nrfconnect/main/AppTask.cpp index 02f0704f080a58..b3c8b951372c0f 100644 --- a/examples/all-clusters-minimal-app/nrfconnect/main/AppTask.cpp +++ b/examples/all-clusters-minimal-app/nrfconnect/main/AppTask.cpp @@ -34,6 +34,13 @@ #include "OTAUtil.h" #endif +#ifdef CONFIG_CHIP_CRYPTO_PSA +#include +#ifdef CHIP_MIGRATE_OPERATIONAL_KEYS_TO_ITS +#include "MigrationManager.h" +#endif +#endif + #include #include #include 
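Review bot: The migration call added in this hunk passes `sLocalInitData.mServerInitParams->persistentStorageDelegate` and `->operationalKeystore`, but nothing named `sLocalInitData` is declared in the visible part of `AppTask::Init()`, where the server parameters are the static `initParams`; if it is not declared elsewhere in the file, the build breaks as soon as `CONFIG_CHIP_MIGRATE_OPERATIONAL_KEYS_TO_ITS` is enabled. Pass the object that was actually given to `Server::Init()`: `err = MoveOperationalKeysFromKvsToIts(initParams.persistentStorageDelegate, initParams.operationalKeystore);`. The same call is repeated in the `AppTask::Init()` hunks of all-clusters-minimal-app, light-switch-app, lighting-app, lit-icd-app, lock-app, pump-app and window-app. Because the block is compiled only under that option, a default CI build would not catch it. The function body starts and ends outside the hunk.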
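Review bot: The inner guard in the all-clusters-minimal-app include block is `#ifdef CHIP_MIGRATE_OPERATIONAL_KEYS_TO_ITS`, without the `CONFIG_` prefix that every other app in this commit uses, while this file's `AppTask::Init()` hunk calls `MoveOperationalKeysFromKvsToIts()` under `CONFIG_CHIP_MIGRATE_OPERATIONAL_KEYS_TO_ITS`. Unless something else defines the unprefixed macro, `MigrationManager.h` is never included here and the call has no declaration. Change the line to `#ifdef CONFIG_CHIP_MIGRATE_OPERATIONAL_KEYS_TO_ITS`.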
@@ -59,6 +66,10 @@ FactoryResetLEDsWrapper<3> sFactoryResetLEDs{ { FACTORY_RESET_SIGNAL_LED, FACTOR bool sIsNetworkProvisioned = false; bool sIsNetworkEnabled = false; bool sHaveBLEConnections = false; + +#ifdef CONFIG_CHIP_CRYPTO_PSA +chip::Crypto::PSAOperationalKeystore sPSAOperationalKeystore{}; +#endif } // namespace namespace LedConsts { @@ -155,10 +166,23 @@ CHIP_ERROR AppTask::Init() #endif static chip::CommonCaseDeviceServerInitParams initParams; +#ifdef CONFIG_CHIP_CRYPTO_PSA + initParams.operationalKeystore = &sPSAOperationalKeystore; +#endif (void) initParams.InitializeStaticResourcesBeforeServerInit(); ReturnErrorOnFailure(chip::Server::GetInstance().Init(initParams)); AppFabricTableDelegate::Init(); +#ifdef CONFIG_CHIP_MIGRATE_OPERATIONAL_KEYS_TO_ITS + err = MoveOperationalKeysFromKvsToIts(sLocalInitData.mServerInitParams->persistentStorageDelegate, + sLocalInitData.mServerInitParams->operationalKeystore); + if (err != CHIP_NO_ERROR) + { + LOG_ERR("MoveOperationalKeysFromKvsToIts() failed"); + return err; + } +#endif + // We only have network commissioning on endpoint 0. emberAfEndpointEnableDisable(kNetworkCommissioningEndpointSecondary, false); ConfigurationMgr().LogDeviceConfig(); diff --git a/examples/chef/nrfconnect/main.cpp b/examples/chef/nrfconnect/main.cpp index d132252ecd87b3..c79694e2e792a7 100644 --- a/examples/chef/nrfconnect/main.cpp +++ b/examples/chef/nrfconnect/main.cpp @@ -43,6 +43,13 @@ #include "Rpc.h" #endif +#ifdef CONFIG_CHIP_CRYPTO_PSA +#include +#ifdef CONFIG_CHIP_MIGRATE_OPERATIONAL_KEYS_TO_ITS +#include "MigrationManager.h" +#endif +#endif + LOG_MODULE_REGISTER(app, CONFIG_CHIP_APP_LOG_LEVEL); using namespace chip; @@ -51,7 +58,11 @@ using namespace chip::DeviceLayer; namespace { constexpr int kExtDiscoveryTimeoutSecs = 20; -} + +#ifdef CONFIG_CHIP_CRYPTO_PSA +chip::Crypto::PSAOperationalKeystore sPSAOperationalKeystore{}; +#endif +} // namespace int main() { 
@@ -110,6 +121,9 @@ int main() // Start IM server static chip::CommonCaseDeviceServerInitParams initParams; +#ifdef CONFIG_CHIP_CRYPTO_PSA + initParams.operationalKeystore = &sPSAOperationalKeystore; +#endif (void) initParams.InitializeStaticResourcesBeforeServerInit(); err = chip::Server::GetInstance().Init(initParams); if (err != CHIP_NO_ERROR) diff --git a/examples/light-switch-app/nrfconnect/main/AppTask.cpp b/examples/light-switch-app/nrfconnect/main/AppTask.cpp index 06ac797f6a6899..fc1c947150dd95 100644 --- a/examples/light-switch-app/nrfconnect/main/AppTask.cpp +++ b/examples/light-switch-app/nrfconnect/main/AppTask.cpp @@ -46,6 +46,13 @@ #include "OTAUtil.h" #endif +#ifdef CONFIG_CHIP_CRYPTO_PSA +#include +#ifdef CONFIG_CHIP_MIGRATE_OPERATIONAL_KEYS_TO_ITS +#include "MigrationManager.h" +#endif +#endif + #include #include #include @@ -94,6 +101,10 @@ k_timer sDimmerPressKeyTimer; k_timer sDimmerTimer; chip::DeviceLayer::DeviceInfoProviderImpl gExampleDeviceInfoProvider; + +#ifdef CONFIG_CHIP_CRYPTO_PSA +chip::Crypto::PSAOperationalKeystore sPSAOperationalKeystore{}; +#endif } // namespace namespace LedConsts { 
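Review bot: This hunk switches chef to `sPSAOperationalKeystore`, and the include hunk above pulls in `MigrationManager.h`, but no call to `MoveOperationalKeysFromKvsToIts()` is added after `chip::Server::GetInstance().Init(initParams)` in the visible part of `main()`. If the rest of `main()` (outside the hunk) does not call it either, a device upgraded from a KVS-keystore build would come up with a PSA keystore that holds none of its existing operational keys. Either add the migration step after a successful `Init()`, as the other apps do, `err = MoveOperationalKeysFromKvsToIts(initParams.persistentStorageDelegate, initParams.operationalKeystore);` under `#ifdef CONFIG_CHIP_MIGRATE_OPERATIONAL_KEYS_TO_ITS`, or drop the unused include.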
@@ -220,11 +231,24 @@ CHIP_ERROR AppTask::Init() static OTATestEventTriggerHandler sOtaTestEventTriggerHandler{}; VerifyOrDie(sTestEventTriggerDelegate.Init(ByteSpan(sTestEventTriggerEnableKey)) == CHIP_NO_ERROR); VerifyOrDie(sTestEventTriggerDelegate.AddHandler(&sOtaTestEventTriggerHandler) == CHIP_NO_ERROR); +#ifdef CONFIG_CHIP_CRYPTO_PSA + initParams.operationalKeystore = &sPSAOperationalKeystore; +#endif (void) initParams.InitializeStaticResourcesBeforeServerInit(); initParams.testEventTriggerDelegate = &sTestEventTriggerDelegate; ReturnErrorOnFailure(chip::Server::GetInstance().Init(initParams)); AppFabricTableDelegate::Init(); +#ifdef CONFIG_CHIP_MIGRATE_OPERATIONAL_KEYS_TO_ITS + err = MoveOperationalKeysFromKvsToIts(sLocalInitData.mServerInitParams->persistentStorageDelegate, + sLocalInitData.mServerInitParams->operationalKeystore); + if (err != CHIP_NO_ERROR) + { + LOG_ERR("MoveOperationalKeysFromKvsToIts() failed"); + return err; + } +#endif + gExampleDeviceInfoProvider.SetStorageDelegate(&Server::GetInstance().GetPersistentStorage()); chip::DeviceLayer::SetDeviceInfoProvider(&gExampleDeviceInfoProvider); diff --git a/examples/lighting-app/nrfconnect/main/AppTask.cpp b/examples/lighting-app/nrfconnect/main/AppTask.cpp index 5eaa1b1b401524..88964d9aa1d3c8 100644 --- a/examples/lighting-app/nrfconnect/main/AppTask.cpp +++ b/examples/lighting-app/nrfconnect/main/AppTask.cpp @@ -49,6 +49,13 @@ #include "OTAUtil.h" #endif +#ifdef CONFIG_CHIP_CRYPTO_PSA +#include +#ifdef CONFIG_CHIP_MIGRATE_OPERATIONAL_KEYS_TO_ITS +#include "MigrationManager.h" +#endif +#endif + #include #include #include @@ -108,6 +115,9 @@ DeferredAttributePersistenceProvider gDeferredAttributePersister(Server::GetInst Span(&gCurrentLevelPersister, 1), System::Clock::Milliseconds32(5000)); +#ifdef CONFIG_CHIP_CRYPTO_PSA +chip::Crypto::PSAOperationalKeystore sPSAOperationalKeystore{}; +#endif } // namespace namespace LedConsts { 
@@ -248,11 +258,24 @@ CHIP_ERROR AppTask::Init() static OTATestEventTriggerHandler sOtaTestEventTriggerHandler{}; VerifyOrDie(sTestEventTriggerDelegate.Init(ByteSpan(sTestEventTriggerEnableKey)) == CHIP_NO_ERROR); VerifyOrDie(sTestEventTriggerDelegate.AddHandler(&sOtaTestEventTriggerHandler) == CHIP_NO_ERROR); +#ifdef CONFIG_CHIP_CRYPTO_PSA + initParams.operationalKeystore = &sPSAOperationalKeystore; +#endif (void) initParams.InitializeStaticResourcesBeforeServerInit(); initParams.testEventTriggerDelegate = &sTestEventTriggerDelegate; ReturnErrorOnFailure(chip::Server::GetInstance().Init(initParams)); AppFabricTableDelegate::Init(); +#ifdef CONFIG_CHIP_MIGRATE_OPERATIONAL_KEYS_TO_ITS + err = MoveOperationalKeysFromKvsToIts(sLocalInitData.mServerInitParams->persistentStorageDelegate, + sLocalInitData.mServerInitParams->operationalKeystore); + if (err != CHIP_NO_ERROR) + { + LOG_ERR("MoveOperationalKeysFromKvsToIts() failed"); + return err; + } +#endif + gExampleDeviceInfoProvider.SetStorageDelegate(&Server::GetInstance().GetPersistentStorage()); chip::DeviceLayer::SetDeviceInfoProvider(&gExampleDeviceInfoProvider); app::SetAttributePersistenceProvider(&gDeferredAttributePersister); diff --git a/examples/lit-icd-app/nrfconnect/main/AppTask.cpp b/examples/lit-icd-app/nrfconnect/main/AppTask.cpp index 50622d0c88b96e..d7d35bb53fcc04 100644 --- a/examples/lit-icd-app/nrfconnect/main/AppTask.cpp +++ b/examples/lit-icd-app/nrfconnect/main/AppTask.cpp @@ -38,6 +38,13 @@ #include "OTAUtil.h" #endif +#ifdef CONFIG_CHIP_CRYPTO_PSA +#include +#ifdef CONFIG_CHIP_MIGRATE_OPERATIONAL_KEYS_TO_ITS +#include "MigrationManager.h" +#endif +#endif + #include #include #include @@ -76,6 +83,9 @@ bool sIsNetworkProvisioned = false; bool sIsNetworkEnabled = false; bool sHaveBLEConnections = false; +#ifdef CONFIG_CHIP_CRYPTO_PSA +chip::Crypto::PSAOperationalKeystore sPSAOperationalKeystore{}; +#endif } // namespace namespace LedConsts { 
@@ -186,11 +196,24 @@ CHIP_ERROR AppTask::Init() static OTATestEventTriggerHandler sOtaTestEventTriggerHandler{}; VerifyOrDie(sTestEventTriggerDelegate.Init(ByteSpan(sTestEventTriggerEnableKey)) == CHIP_NO_ERROR); VerifyOrDie(sTestEventTriggerDelegate.AddHandler(&sOtaTestEventTriggerHandler) == CHIP_NO_ERROR); +#ifdef CONFIG_CHIP_CRYPTO_PSA + initParams.operationalKeystore = &sPSAOperationalKeystore; +#endif (void) initParams.InitializeStaticResourcesBeforeServerInit(); initParams.testEventTriggerDelegate = &sTestEventTriggerDelegate; ReturnErrorOnFailure(chip::Server::GetInstance().Init(initParams)); AppFabricTableDelegate::Init(); +#ifdef CONFIG_CHIP_MIGRATE_OPERATIONAL_KEYS_TO_ITS + err = MoveOperationalKeysFromKvsToIts(sLocalInitData.mServerInitParams->persistentStorageDelegate, + sLocalInitData.mServerInitParams->operationalKeystore); + if (err != CHIP_NO_ERROR) + { + LOG_ERR("MoveOperationalKeysFromKvsToIts() failed"); + return err; + } +#endif + gExampleDeviceInfoProvider.SetStorageDelegate(&Server::GetInstance().GetPersistentStorage()); chip::DeviceLayer::SetDeviceInfoProvider(&gExampleDeviceInfoProvider); ConfigurationMgr().LogDeviceConfig(); diff --git a/examples/lock-app/nrfconnect/main/AppTask.cpp b/examples/lock-app/nrfconnect/main/AppTask.cpp index 07a96b6d6c29b2..1025a045184aee 100644 --- a/examples/lock-app/nrfconnect/main/AppTask.cpp +++ b/examples/lock-app/nrfconnect/main/AppTask.cpp @@ -47,6 +47,13 @@ #include "OTAUtil.h" #endif +#ifdef CONFIG_CHIP_CRYPTO_PSA +#include +#ifdef CONFIG_CHIP_MIGRATE_OPERATIONAL_KEYS_TO_ITS +#include "MigrationManager.h" +#endif +#endif + #include #include #include @@ -90,6 +97,10 @@ bool sIsNetworkEnabled = false; bool sHaveBLEConnections = false; chip::DeviceLayer::DeviceInfoProviderImpl gExampleDeviceInfoProvider; + +#ifdef CONFIG_CHIP_CRYPTO_PSA +chip::Crypto::PSAOperationalKeystore sPSAOperationalKeystore{}; +#endif } // namespace namespace LedConsts { 
@@ -214,11 +225,24 @@ CHIP_ERROR AppTask::Init() static OTATestEventTriggerHandler sOtaTestEventTriggerHandler{}; VerifyOrDie(sTestEventTriggerDelegate.Init(ByteSpan(sTestEventTriggerEnableKey)) == CHIP_NO_ERROR); VerifyOrDie(sTestEventTriggerDelegate.AddHandler(&sOtaTestEventTriggerHandler) == CHIP_NO_ERROR); +#ifdef CONFIG_CHIP_CRYPTO_PSA + initParams.operationalKeystore = &sPSAOperationalKeystore; +#endif (void) initParams.InitializeStaticResourcesBeforeServerInit(); initParams.testEventTriggerDelegate = &sTestEventTriggerDelegate; ReturnErrorOnFailure(chip::Server::GetInstance().Init(initParams)); AppFabricTableDelegate::Init(); +#ifdef CONFIG_CHIP_MIGRATE_OPERATIONAL_KEYS_TO_ITS + err = MoveOperationalKeysFromKvsToIts(sLocalInitData.mServerInitParams->persistentStorageDelegate, + sLocalInitData.mServerInitParams->operationalKeystore); + if (err != CHIP_NO_ERROR) + { + LOG_ERR("MoveOperationalKeysFromKvsToIts() failed"); + return err; + } +#endif + gExampleDeviceInfoProvider.SetStorageDelegate(&Server::GetInstance().GetPersistentStorage()); chip::DeviceLayer::SetDeviceInfoProvider(&gExampleDeviceInfoProvider); ConfigurationMgr().LogDeviceConfig(); diff --git a/examples/platform/nrfconnect/util/MigrationManager.cpp b/examples/platform/nrfconnect/util/MigrationManager.cpp new file mode 100644 index 00000000000000..364120863bc7e2 --- /dev/null +++ b/examples/platform/nrfconnect/util/MigrationManager.cpp 
@@ -0,0 +1,57 @@ +/* + * Copyright (c) 2024 Project CHIP Authors + * All rights reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include "migration_manager.h" + +#include +#include + +#ifdef CONFIG_CHIP_MIGRATE_OPERATIONAL_KEYS_TO_ITS +CHIP_ERROR MoveOperationalKeysFromKvsToIts(chip::PersistentStorageDelegate * storage, chip::Crypto::OperationalKeystore * keystore) +{ + CHIP_ERROR err = CHIP_NO_ERROR; + + VerifyOrReturnError(keystore && storage, CHIP_ERROR_INVALID_ARGUMENT); + + /* Initialize the obsolete Operational Keystore*/ + chip::PersistentStorageOperationalKeystore obsoleteKeystore; + err = obsoleteKeystore.Init(storage); + VerifyOrReturnError(err == CHIP_NO_ERROR, err); + + /* Migrate all obsolete Operational Keys to PSA ITS */ + for (const chip::FabricInfo & fabric : chip::Server::GetInstance().GetFabricTable()) + { + err = keystore->MigrateOpKeypairForFabric(fabric.GetFabricIndex(), obsoleteKeystore); + if (CHIP_NO_ERROR != err) + { + break; + } + } + +#ifdef CONFIG_CHIP_FACTORY_RESET_ON_KEY_MIGRATION_FAILURE + if (CHIP_NO_ERROR != err) + { + chip::Server::GetInstance().ScheduleFactoryReset(); + /* Return a success to not block the Matter event Loop and allow to call scheduled factory + * reset. */ + err = CHIP_NO_ERROR; + } +#endif /* CONFIG_CHIP_FACTORY_RESET_ON_KEY_MIGRATION_FAILURE */ + + return err; +} +#endif /* CONFIG_CHIP_MIGRATE_OPERATIONAL_KEYS_TO_ITS */ 
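Review bot: The new source includes `"migration_manager.h"`, but the header added by this commit is `include/MigrationManager.h` and the apps include it under that name, so on a case-sensitive file system this include will not resolve; it should read `#include "MigrationManager.h"`. Separately, when `CONFIG_CHIP_FACTORY_RESET_ON_KEY_MIGRATION_FAILURE` is set the failing `err` is overwritten with `CHIP_NO_ERROR` without being reported, so a device that wipes itself leaves no trace of why. Log it before the reset is scheduled, for example `ChipLogError(DeviceLayer, "Operational key migration failed: %" CHIP_ERROR_FORMAT, err.Format());`. It would also help to state in a comment whether `MigrateOpKeypairForFabric()` removes the old key from KVS, since that is not visible here.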
diff --git a/examples/platform/nrfconnect/util/include/MigrationManager.h b/examples/platform/nrfconnect/util/include/MigrationManager.h
new file mode 100644
index 00000000000000..22b2c5de110de3
--- /dev/null
+++ b/examples/platform/nrfconnect/util/include/MigrationManager.h
@@ -0,0 +1,41 @@ +/* + * Copyright (c) 2024 Project CHIP Authors + * All rights reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#pragma once + +#include + +#ifdef CONFIG_CHIP_MIGRATE_OPERATIONAL_KEYS_TO_ITS +/** + * @brief Migrate all stored Operational Keys from the persistent storage (KVS) to secure PSA ITS. + * + * This function will schedule a factory reset automatically if the + * CONFIG_CHIP_FACTORY_RESET_ON_KEY_MIGRATION_FAILURE + * Kconfig option is set to 'y'. In this case, the function returns CHIP_NO_ERROR to not block any further + * operations until the scheduled factory reset is done. + * + * @note This function should be called just after Matter Server Init to avoid problems with further CASE + * session re-establishments. + * @param storage + * @param keystore + * @retval CHIP_NO_ERROR if all keys have been migrated properly to PSA ITS or if the error occurs, but + * the CONFIG_CHIP_FACTORY_RESET_ON_KEY_MIGRATION_FAILURE kconfig is set to 'y'. + * @retval CHIP_ERROR_INVALID_ARGUMENT when keystore or storage are not defined. + * @retval Other CHIP_ERROR codes related to internal Migration operations. + */ +CHIP_ERROR MoveOperationalKeysFromKvsToIts(chip::PersistentStorageDelegate * storage, chip::Crypto::OperationalKeystore * keystore); +#endif diff --git a/examples/pump-app/nrfconnect/main/AppTask.cpp b/examples/pump-app/nrfconnect/main/AppTask.cpp index 3a6eb9023ded0a..d5f4c6dc760e0e 100644 
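Review bot: The Doxygen block leaves `@param storage` and `@param keystore` empty, which is where a caller needs to learn which object is the source and which is the destination of the key material. Suggested text: `@param storage persistent storage (KVS) that the obsolete keystore reads the existing operational keys from` and `@param keystore PSA-backed operational keystore that receives the migrated keys`.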
--- a/examples/pump-app/nrfconnect/main/AppTask.cpp +++ b/examples/pump-app/nrfconnect/main/AppTask.cpp @@ -41,6 +41,13 @@ #include "OTAUtil.h" #endif +#ifdef CONFIG_CHIP_CRYPTO_PSA +#include +#ifdef CONFIG_CHIP_MIGRATE_OPERATIONAL_KEYS_TO_ITS +#include "MigrationManager.h" +#endif +#endif + #include #include #include @@ -77,6 +84,9 @@ bool sHaveBLEConnections = false; chip::DeviceLayer::DeviceInfoProviderImpl gExampleDeviceInfoProvider; +#ifdef CONFIG_CHIP_CRYPTO_PSA +chip::Crypto::PSAOperationalKeystore sPSAOperationalKeystore{}; +#endif } // namespace namespace LedConsts { @@ -191,11 +201,24 @@ CHIP_ERROR AppTask::Init() static OTATestEventTriggerHandler sOtaTestEventTriggerHandler{}; VerifyOrDie(sTestEventTriggerDelegate.Init(ByteSpan(sTestEventTriggerEnableKey)) == CHIP_NO_ERROR); VerifyOrDie(sTestEventTriggerDelegate.AddHandler(&sOtaTestEventTriggerHandler) == CHIP_NO_ERROR); +#ifdef CONFIG_CHIP_CRYPTO_PSA + initParams.operationalKeystore = &sPSAOperationalKeystore; +#endif (void) initParams.InitializeStaticResourcesBeforeServerInit(); initParams.testEventTriggerDelegate = &sTestEventTriggerDelegate; ReturnErrorOnFailure(chip::Server::GetInstance().Init(initParams)); AppFabricTableDelegate::Init(); +#ifdef CONFIG_CHIP_MIGRATE_OPERATIONAL_KEYS_TO_ITS + err = MoveOperationalKeysFromKvsToIts(sLocalInitData.mServerInitParams->persistentStorageDelegate, + sLocalInitData.mServerInitParams->operationalKeystore); + if (err != CHIP_NO_ERROR) + { + LOG_ERR("MoveOperationalKeysFromKvsToIts() failed"); + return err; + } +#endif + gExampleDeviceInfoProvider.SetStorageDelegate(&Server::GetInstance().GetPersistentStorage()); chip::DeviceLayer::SetDeviceInfoProvider(&gExampleDeviceInfoProvider); diff --git a/examples/window-app/nrfconnect/main/AppTask.cpp b/examples/window-app/nrfconnect/main/AppTask.cpp index 7c50aedc97e2bb..5f971b67f9f9bf 100644 --- a/examples/window-app/nrfconnect/main/AppTask.cpp +++ b/examples/window-app/nrfconnect/main/AppTask.cpp 
@@ -37,6 +37,13 @@ #include "OTAUtil.h" #endif +#ifdef CONFIG_CHIP_CRYPTO_PSA +#include +#ifdef CONFIG_CHIP_MIGRATE_OPERATIONAL_KEYS_TO_ITS +#include "MigrationManager.h" +#endif +#endif + #include #include #include @@ -72,6 +79,10 @@ chip::DeviceLayer::DeviceInfoProviderImpl gExampleDeviceInfoProvider; bool sIsNetworkProvisioned = false; bool sIsNetworkEnabled = false; bool sHaveBLEConnections = false; + +#ifdef CONFIG_CHIP_CRYPTO_PSA +chip::Crypto::PSAOperationalKeystore sPSAOperationalKeystore{}; +#endif } // namespace namespace LedConsts { @@ -193,11 +204,24 @@ CHIP_ERROR AppTask::Init() static OTATestEventTriggerHandler sOtaTestEventTriggerHandler{}; VerifyOrDie(sTestEventTriggerDelegate.Init(ByteSpan(sTestEventTriggerEnableKey)) == CHIP_NO_ERROR); VerifyOrDie(sTestEventTriggerDelegate.AddHandler(&sOtaTestEventTriggerHandler) == CHIP_NO_ERROR); +#ifdef CONFIG_CHIP_CRYPTO_PSA + initParams.operationalKeystore = &sPSAOperationalKeystore; +#endif (void) initParams.InitializeStaticResourcesBeforeServerInit(); initParams.testEventTriggerDelegate = &sTestEventTriggerDelegate; ReturnErrorOnFailure(chip::Server::GetInstance().Init(initParams)); AppFabricTableDelegate::Init(); +#ifdef CONFIG_CHIP_MIGRATE_OPERATIONAL_KEYS_TO_ITS + err = MoveOperationalKeysFromKvsToIts(sLocalInitData.mServerInitParams->persistentStorageDelegate, + sLocalInitData.mServerInitParams->operationalKeystore); + if (err != CHIP_NO_ERROR) + { + LOG_ERR("MoveOperationalKeysFromKvsToIts() failed"); + return err; + } +#endif + gExampleDeviceInfoProvider.SetStorageDelegate(&Server::GetInstance().GetPersistentStorage()); chip::DeviceLayer::SetDeviceInfoProvider(&gExampleDeviceInfoProvider); diff --git a/src/platform/Zephyr/BLEManagerImpl.cpp b/src/platform/Zephyr/BLEManagerImpl.cpp index 0b2336ea7a6cc9..54cf69dc5e50fc 100644 --- a/src/platform/Zephyr/BLEManagerImpl.cpp +++ b/src/platform/Zephyr/BLEManagerImpl.cpp 
@@ -40,11 +40,7 @@ #include #include #include -#if CHIP_DEVICE_LAYER_TARGET_NRFCONNECT -#include -#else #include -#endif #include #include diff --git a/src/platform/Zephyr/PlatformManagerImpl.cpp b/src/platform/Zephyr/PlatformManagerImpl.cpp index 59f3a0df45314b..df8a40a55d15cd 100644 --- a/src/platform/Zephyr/PlatformManagerImpl.cpp +++ b/src/platform/Zephyr/PlatformManagerImpl.cpp @@ -21,9 +21,9 @@ * for Zephyr platforms. */ -#if !defined(CONFIG_NORDIC_SECURITY_BACKEND) +#if !defined(CONFIG_NRF_SECURITY) #include // nogncheck -#endif // !defined(CONFIG_NORDIC_SECURITY_BACKEND) +#endif // !defined(CONFIG_NRF_SECURITY) #include @@ -45,7 +45,7 @@ PlatformManagerImpl PlatformManagerImpl::sInstance{ sChipThreadStack }; static k_timer sOperationalHoursSavingTimer; -#if !defined(CONFIG_NORDIC_SECURITY_BACKEND) && !defined(CONFIG_MBEDTLS_ZEPHYR_ENTROPY) +#if !defined(CONFIG_NRF_SECURITY) && !defined(CONFIG_MBEDTLS_ZEPHYR_ENTROPY) static bool sChipStackEntropySourceAdded = false; static int app_entropy_source(void * data, unsigned char * output, size_t len, size_t * olen) { @@ -72,7 +72,7 @@ static int app_entropy_source(void * data, unsigned char * output, size_t len, s return ret; } -#endif // !defined(CONFIG_NORDIC_SECURITY_BACKEND) && !defined(CONFIG_MBEDTLS_ZEPHYR_ENTROPY) +#endif // !defined(CONFIG_NRF_SECURITY) && !defined(CONFIG_MBEDTLS_ZEPHYR_ENTROPY) void PlatformManagerImpl::OperationalHoursSavingTimerEventHandler(k_timer * timer) { 
@@ -109,16 +109,16 @@ CHIP_ERROR PlatformManagerImpl::_InitChipStack(void) { CHIP_ERROR err; -#if !defined(CONFIG_NORDIC_SECURITY_BACKEND) && !defined(CONFIG_MBEDTLS_ZEPHYR_ENTROPY) +#if !defined(CONFIG_NRF_SECURITY) && !defined(CONFIG_MBEDTLS_ZEPHYR_ENTROPY) // Minimum required from source before entropy is released ( with mbedtls_entropy_func() ) (in bytes) const size_t kThreshold = 16; -#endif // !defined(CONFIG_NORDIC_SECURITY_BACKEND) && !defined(CONFIG_MBEDTLS_ZEPHYR_ENTROPY) +#endif // !defined(CONFIG_NRF_SECURITY) && !defined(CONFIG_MBEDTLS_ZEPHYR_ENTROPY) // Initialize the configuration system. err = Internal::ZephyrConfig::Init(); SuccessOrExit(err); -#if !defined(CONFIG_NORDIC_SECURITY_BACKEND) && !defined(CONFIG_MBEDTLS_ZEPHYR_ENTROPY) +#if !defined(CONFIG_NRF_SECURITY) && !defined(CONFIG_MBEDTLS_ZEPHYR_ENTROPY) if (!sChipStackEntropySourceAdded) { // Add entropy source based on Zephyr entropy driver @@ -126,7 +126,7 @@ CHIP_ERROR PlatformManagerImpl::_InitChipStack(void) SuccessOrExit(err); sChipStackEntropySourceAdded = true; } -#endif // !defined(CONFIG_NORDIC_SECURITY_BACKEND) && !defined(CONFIG_MBEDTLS_ZEPHYR_ENTROPY) +#endif // !defined(CONFIG_NRF_SECURITY) && !defined(CONFIG_MBEDTLS_ZEPHYR_ENTROPY) // Call _InitChipStack() on the generic implementation base class to finish the initialization process. err = Internal::GenericPlatformManagerImpl_Zephyr::_InitChipStack(); diff --git a/src/platform/nrfconnect/CHIPPlatformConfig.h b/src/platform/nrfconnect/CHIPPlatformConfig.h index 90af43c0a10c6b..3ece933d377996 100644 --- a/src/platform/nrfconnect/CHIPPlatformConfig.h +++ b/src/platform/nrfconnect/CHIPPlatformConfig.h 
@@ -49,6 +49,16 @@ #define CHIP_CONFIG_SHA256_CONTEXT_SIZE 208 #endif +#ifdef CONFIG_CHIP_CRYPTO_PSA +#ifndef CHIP_CONFIG_SHA256_CONTEXT_ALIGN +#define CHIP_CONFIG_SHA256_CONTEXT_ALIGN psa_hash_operation_t +#endif // CHIP_CONFIG_SHA256_CONTEXT_ALIGN +#endif // CONFIG_CHIP_CRYPTO_PSA + +#ifndef CHIP_CONFIG_CRYPTO_PSA_KEY_ID_BASE +#define CHIP_CONFIG_CRYPTO_PSA_KEY_ID_BASE 0x30000 +#endif // CHIP_CONFIG_CRYPTO_PSA_KEY_ID_BASE + // ==================== General Configuration Overrides ==================== #ifndef CHIP_CONFIG_MAX_UNSOLICITED_MESSAGE_HANDLERS diff --git a/src/platform/nrfconnect/FactoryDataParser.c b/src/platform/nrfconnect/FactoryDataParser.c index 610c78ab3e724f..3a079e6a2a1984 100644 --- a/src/platform/nrfconnect/FactoryDataParser.c +++ b/src/platform/nrfconnect/FactoryDataParser.c @@ -91,7 +91,7 @@ bool FindUserDataEntry(struct FactoryData * factoryData, const char * entry, voi return false; } - ZCBOR_STATE_D(states, MAX_FACTORY_DATA_NESTING_LEVEL - 1, factoryData->user.data, factoryData->user.len, 1); + ZCBOR_STATE_D(states, MAX_FACTORY_DATA_NESTING_LEVEL - 1, factoryData->user.data, factoryData->user.len, 1, 0); bool res = zcbor_map_start_decode(states); bool keyFound = false; @@ -124,7 +124,7 @@ bool FindUserDataEntry(struct FactoryData * factoryData, const char * entry, voi bool ParseFactoryData(uint8_t * buffer, uint16_t bufferSize, struct FactoryData * factoryData) { memset(factoryData, 0, sizeof(*factoryData)); - ZCBOR_STATE_D(states, MAX_FACTORY_DATA_NESTING_LEVEL, buffer, bufferSize, 1); + ZCBOR_STATE_D(states, MAX_FACTORY_DATA_NESTING_LEVEL, buffer, bufferSize, 1, 0); bool res = zcbor_map_start_decode(states); struct zcbor_string currentString; diff --git a/src/platform/nrfconnect/FactoryDataProvider.cpp b/src/platform/nrfconnect/FactoryDataProvider.cpp index caa1ad434f9254..11995faccd8272 100644 --- a/src/platform/nrfconnect/FactoryDataProvider.cpp +++ b/src/platform/nrfconnect/FactoryDataProvider.cpp 
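Review bot: `CHIP_CONFIG_CRYPTO_PSA_KEY_ID_BASE` is set to `0x30000` with no comment on how the value was chosen or how large a range above it the Matter stack uses. PSA key identifiers are a single namespace shared by everything in the firmware image, so an application that stores its own persistent keys needs this information to avoid colliding with Matter's operational keys. Add a comment such as `// First PSA key ID used by Matter; keep application key IDs outside the range starting here`. The new `CHIP_CONFIG_SHA256_CONTEXT_ALIGN` also names `psa_hash_operation_t` although this hunk adds no include; presumably the PSA header is in scope wherever the macro is expanded, which is worth confirming.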
@@ -157,20 +157,62 @@ CHIP_ERROR FactoryDataProvider::SignWithDeviceAttestationKey(c { Crypto::P256ECDSASignature signature; Crypto::P256Keypair keypair; + CHIP_ERROR err = CHIP_NO_ERROR; +#ifdef CONFIG_CHIP_CRYPTO_PSA + psa_key_id_t keyId = 0; +#endif - VerifyOrReturnError(outSignBuffer.size() >= signature.Capacity(), CHIP_ERROR_BUFFER_TOO_SMALL); - ReturnErrorCodeIf(!mFactoryData.dac_cert.data, CHIP_ERROR_PERSISTED_STORAGE_VALUE_NOT_FOUND); - ReturnErrorCodeIf(!mFactoryData.dac_priv_key.data, CHIP_ERROR_PERSISTED_STORAGE_VALUE_NOT_FOUND); + VerifyOrExit(outSignBuffer.size() >= signature.Capacity(), err = CHIP_ERROR_BUFFER_TOO_SMALL); + VerifyOrExit(mFactoryData.dac_cert.data, err = CHIP_ERROR_PERSISTED_STORAGE_VALUE_NOT_FOUND); + VerifyOrExit(mFactoryData.dac_priv_key.data, err = CHIP_ERROR_PERSISTED_STORAGE_VALUE_NOT_FOUND); + +#ifdef CONFIG_CHIP_CRYPTO_PSA + { + psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; + psa_reset_key_attributes(&attributes); + psa_set_key_type(&attributes, PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1)); + psa_set_key_bits(&attributes, kDACPrivateKeyLength * 8); + psa_set_key_algorithm(&attributes, PSA_ALG_ECDSA(PSA_ALG_SHA_256)); + psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_MESSAGE); + VerifyOrExit(psa_import_key(&attributes, reinterpret_cast(mFactoryData.dac_priv_key.data), kDACPrivateKeyLength, + &keyId) == PSA_SUCCESS, + err = CHIP_ERROR_INTERNAL); + + size_t outputLen = 0; + psa_status_t status = psa_sign_message(keyId, PSA_ALG_ECDSA(PSA_ALG_SHA_256), messageToSign.data(), messageToSign.size(), + signature.Bytes(), signature.Capacity(), &outputLen); + VerifyOrExit(!status, err = CHIP_ERROR_INTERNAL); + VerifyOrExit(outputLen == chip::Crypto::kP256_ECDSA_Signature_Length_Raw, err = CHIP_ERROR_INTERNAL); + err = signature.SetLength(outputLen); + VerifyOrExit(err == CHIP_NO_ERROR, ); + } +#else + { + // Extract public key from DAC cert. 
+ ByteSpan dacCertSpan{ reinterpret_cast(mFactoryData.dac_cert.data), mFactoryData.dac_cert.len }; + chip::Crypto::P256PublicKey dacPublicKey; + + err = chip::Crypto::ExtractPubkeyFromX509Cert(dacCertSpan, dacPublicKey); + VerifyOrExit(err == CHIP_NO_ERROR, ); + err = + LoadKeypairFromRaw(ByteSpan(reinterpret_cast(mFactoryData.dac_priv_key.data), mFactoryData.dac_priv_key.len), + ByteSpan(dacPublicKey.Bytes(), dacPublicKey.Length()), keypair); + VerifyOrExit(err == CHIP_NO_ERROR, ); + err = keypair.ECDSA_sign_msg(messageToSign.data(), messageToSign.size(), signature); + VerifyOrExit(err == CHIP_NO_ERROR, ); + } +#endif + +exit: - // Extract public key from DAC cert. - ByteSpan dacCertSpan{ reinterpret_cast(mFactoryData.dac_cert.data), mFactoryData.dac_cert.len }; - chip::Crypto::P256PublicKey dacPublicKey; +#ifdef CONFIG_CHIP_CRYPTO_PSA + psa_destroy_key(keyId); +#endif - ReturnErrorOnFailure(chip::Crypto::ExtractPubkeyFromX509Cert(dacCertSpan, dacPublicKey)); - ReturnErrorOnFailure( - LoadKeypairFromRaw(ByteSpan(reinterpret_cast(mFactoryData.dac_priv_key.data), mFactoryData.dac_priv_key.len), - ByteSpan(dacPublicKey.Bytes(), dacPublicKey.Length()), keypair)); - ReturnErrorOnFailure(keypair.ECDSA_sign_msg(messageToSign.data(), messageToSign.size(), signature)); + if (err != CHIP_NO_ERROR) + { + return err; + } return CopySpanToMutableSpan(ByteSpan{ signature.ConstBytes(), signature.Length() }, outSignBuffer); } diff --git a/src/platform/nrfconnect/FactoryDataProvider.h b/src/platform/nrfconnect/FactoryDataProvider.h index 15dae3ab7e3a0e..bc1ef16ee6d161 100644 --- a/src/platform/nrfconnect/FactoryDataProvider.h +++ b/src/platform/nrfconnect/FactoryDataProvider.h @@ -21,6 +21,10 @@ #include #include +#ifdef CONFIG_CHIP_CRYPTO_PSA +#include +#endif + #include #include #include diff --git a/src/platform/nrfconnect/Reboot.cpp b/src/platform/nrfconnect/Reboot.cpp index 439adebddc0ea4..6d52facf740fc3 100644 --- a/src/platform/nrfconnect/Reboot.cpp 
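Review bot: In the `CONFIG_CHIP_CRYPTO_PSA` branch, `psa_import_key` is passed the fixed `kDACPrivateKeyLength` instead of `mFactoryData.dac_priv_key.len`, and nothing in the hunk checks that the stored entry is actually that long. If the factory data holds a shorter key entry, the import reads past it, whereas the non-PSA branch passes the stored length. Unless the length is already validated where the factory data is parsed (not visible here), add `VerifyOrExit(mFactoryData.dac_priv_key.len == kDACPrivateKeyLength, err = CHIP_ERROR_INVALID_ARGUMENT);` next to the existing null checks. Minor: `VerifyOrExit(!status, ...)` after `psa_sign_message` would read better as `status == PSA_SUCCESS`, matching the import check, and the result of `psa_destroy_key` at `exit:` is dropped without a log line. The function's signature lies before the hunk.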
+++ b/src/platform/nrfconnect/Reboot.cpp @@ -42,7 +42,7 @@ SoftwareRebootReason GetSoftwareRebootReason() #else -using RetainedReason = decltype(nrf_power_gpregret_get(NRF_POWER)); +using RetainedReason = decltype(nrf_power_gpregret_get(NRF_POWER, 0)); constexpr RetainedReason EncodeReason(SoftwareRebootReason reason) { @@ -56,17 +56,17 @@ void Reboot(SoftwareRebootReason reason) { const RetainedReason retainedReason = EncodeReason(reason); - nrf_power_gpregret_set(NRF_POWER, retainedReason); + nrf_power_gpregret_set(NRF_POWER, 0, retainedReason); sys_reboot(retainedReason); } SoftwareRebootReason GetSoftwareRebootReason() { - switch (nrf_power_gpregret_get(NRF_POWER)) + switch (nrf_power_gpregret_get(NRF_POWER, 0)) { case EncodeReason(SoftwareRebootReason::kSoftwareUpdate): - nrf_power_gpregret_set(NRF_POWER, 0); + nrf_power_gpregret_set(NRF_POWER, 0, 0); return SoftwareRebootReason::kSoftwareUpdate; default: return SoftwareRebootReason::kOther;
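Review bot: The new register-index argument is written as a bare `0` in every `nrf_power_gpregret_*` call in both hunks of this file, so `nrf_power_gpregret_set(NRF_POWER, 0, 0)` now has two adjacent zeros with different meanings (which register, and the value that clears it). A named constant, for example `constexpr uint8_t kRebootReasonRegister = 0;` near `RetainedReason`, used at all four call sites, would keep them in step and make the clearing write readable. A one-line comment there should also state that this retention register is owned by the reboot-reason logic, since nothing in the hunk shows whether other components use the same register.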