From 1616028018850d788b0058d0d99be678d98301f5 Mon Sep 17 00:00:00 2001 From: Ricardo Casallas <77841255+rcasallas-silabs@users.noreply.github.com> Date: Tue, 5 Jul 2022 18:08:43 -0400 Subject: [PATCH] EFR32: DeviceAttestationCredentialsProvider implemented. (#20005) * EFR32: DeviceAttestationCredentialsProvider implemented. * EFR32: DeviceAttestationCredentialsProvider: Review comments applied. * EFR32: DeviceAttestationCredentialsProvider: Review comments applied. --- examples/chef/efr32/BUILD.gn | 5 + examples/chef/efr32/src/AppTask.cpp | 9 -- examples/chef/efr32/src/main.cpp | 16 ++++ examples/light-switch-app/efr32/BUILD.gn | 5 + .../light-switch-app/efr32/src/AppTask.cpp | 9 -- examples/light-switch-app/efr32/src/main.cpp | 16 ++++ examples/lighting-app/efr32/BUILD.gn | 5 + examples/lighting-app/efr32/src/AppTask.cpp | 9 -- examples/lighting-app/efr32/src/main.cpp | 16 ++++ examples/lock-app/efr32/BUILD.gn | 5 + examples/lock-app/efr32/src/AppTask.cpp | 9 -- examples/lock-app/efr32/src/main.cpp | 16 ++++ examples/platform/efr32/BUILD.gn | 23 +++++ .../efr32/EFR32DeviceAttestationCreds.cpp | 95 +++++++++++++++++++ .../efr32/EFR32DeviceAttestationCreds.h | 39 ++++++++ examples/platform/efr32/efr32_creds.h | 66 +++++++++++++ examples/window-app/common/src/WindowApp.cpp | 6 +- examples/window-app/efr32/BUILD.gn | 5 + examples/window-app/efr32/src/main.cpp | 13 +++ .../operational-credentials-server.cpp | 1 - .../platform/KvsPersistentStorageDelegate.h | 1 + src/lib/lib.gni | 3 + third_party/silabs/efr32_sdk.gni | 13 +++ 23 files changed, 343 insertions(+), 42 deletions(-) create mode 100644 examples/platform/efr32/EFR32DeviceAttestationCreds.cpp create mode 100644 examples/platform/efr32/EFR32DeviceAttestationCreds.h create mode 100644 examples/platform/efr32/efr32_creds.h diff --git a/examples/chef/efr32/BUILD.gn b/examples/chef/efr32/BUILD.gn index 4161916a993f49..8016d069fb4b34 100644 --- a/examples/chef/efr32/BUILD.gn +++ b/examples/chef/efr32/BUILD.gn @@ -336,6 +336,11 @@ efr32_executable("chef_app") { ] } + # Attestation Credentials + if (chip_build_platform_attestation_credentials_provider) { + deps += [ "${examples_plat_dir}:efr32-attestation-credentials" ] + } + output_dir = root_out_dir } diff --git a/examples/chef/efr32/src/AppTask.cpp b/examples/chef/efr32/src/AppTask.cpp index 15ff91d64a5fa6..b6450ba696d126 100644 --- a/examples/chef/efr32/src/AppTask.cpp +++ b/examples/chef/efr32/src/AppTask.cpp @@ -43,9 +43,6 @@ #include -#include -#include - #include #include @@ -167,7 +164,6 @@ Identify gIdentify = { } // namespace using namespace chip::TLV; -using namespace ::chip::Credentials; using namespace ::chip::DeviceLayer; AppTask AppTask::sAppTask; @@ -205,11 +201,6 @@ CHIP_ERROR AppTask::Init() sWiFiNetworkCommissioningInstance.Init(); #endif - chip::DeviceLayer::PlatformMgr().LockChipStack(); - // Initialize device attestation config - SetDeviceAttestationCredentialsProvider(Examples::GetExampleDACProvider()); - chip::DeviceLayer::PlatformMgr().UnlockChipStack(); - // Create FreeRTOS sw timer for Function Selection. sFunctionTimer = xTimerCreate("FnTmr", // Just a text name, not used by the RTOS kernel 1, // == default timer period (mS) diff --git a/examples/chef/efr32/src/main.cpp b/examples/chef/efr32/src/main.cpp index 920f51b8e5805d..1e658f4369c92d 100644 --- a/examples/chef/efr32/src/main.cpp +++ b/examples/chef/efr32/src/main.cpp @@ -25,12 +25,19 @@ #include "sl_system_kernel.h" #include #include +#include #include +#ifdef EFR32_ATTESTATION_CREDENTIALS +#include +#else +#include +#endif #define BLE_DEV_NAME "SiLabs-Chef-App" using namespace ::chip; using namespace ::chip::Inet; using namespace ::chip::DeviceLayer; +using namespace ::chip::Credentials; #define UNUSED_PARAMETER(a) (a = a) @@ -49,6 +56,15 @@ int main(void) gExampleDeviceInfoProvider.SetStorageDelegate(&Server::GetInstance().GetPersistentStorage()); chip::DeviceLayer::SetDeviceInfoProvider(&gExampleDeviceInfoProvider); + chip::DeviceLayer::PlatformMgr().LockChipStack(); + // Initialize device attestation config +#ifdef EFR32_ATTESTATION_CREDENTIALS + SetDeviceAttestationCredentialsProvider(EFR32::GetEFR32DacProvider()); +#else + SetDeviceAttestationCredentialsProvider(Examples::GetExampleDACProvider()); +#endif + chip::DeviceLayer::PlatformMgr().UnlockChipStack(); + EFR32_LOG("Starting App Task"); if (GetAppTask().StartAppTask() != CHIP_NO_ERROR) appError(CHIP_ERROR_INTERNAL); diff --git a/examples/light-switch-app/efr32/BUILD.gn b/examples/light-switch-app/efr32/BUILD.gn index 7d870ecd737eb0..98b2c3b01af5c6 100644 --- a/examples/light-switch-app/efr32/BUILD.gn +++ b/examples/light-switch-app/efr32/BUILD.gn @@ -213,6 +213,11 @@ efr32_executable("light_switch_app") { } } + # Attestation Credentials + if (chip_build_platform_attestation_credentials_provider) { + deps += [ "${examples_plat_dir}:efr32-attestation-credentials" ] + } + if (chip_enable_ota_requestor) { defines += [ "EFR32_OTA_ENABLED" ] sources += [ "${examples_plat_dir}/OTAConfig.cpp" ] diff --git a/examples/light-switch-app/efr32/src/AppTask.cpp b/examples/light-switch-app/efr32/src/AppTask.cpp index fe982497bd6245..da0e20396ba733 100644 --- a/examples/light-switch-app/efr32/src/AppTask.cpp +++ b/examples/light-switch-app/efr32/src/AppTask.cpp @@ -41,9 +41,6 @@ #include -#include -#include - #include #include @@ -158,7 +155,6 @@ Identify gIdentify = { }; } // namespace using namespace chip::TLV; -using namespace ::chip::Credentials; using namespace ::chip::DeviceLayer; AppTask AppTask::sAppTask; @@ -196,11 +192,6 @@ CHIP_ERROR AppTask::Init() sWiFiNetworkCommissioningInstance.Init(); #endif - chip::DeviceLayer::PlatformMgr().LockChipStack(); - // Initialize device attestation config - SetDeviceAttestationCredentialsProvider(Examples::GetExampleDACProvider()); - chip::DeviceLayer::PlatformMgr().UnlockChipStack(); - // Create FreeRTOS sw timer for Function Selection. sFunctionTimer = xTimerCreate("FnTmr", // Just a text name, not used by the RTOS kernel 1, // == default timer period (mS) diff --git a/examples/light-switch-app/efr32/src/main.cpp b/examples/light-switch-app/efr32/src/main.cpp index 685d223daf8eed..7aa5aef9c6305b 100644 --- a/examples/light-switch-app/efr32/src/main.cpp +++ b/examples/light-switch-app/efr32/src/main.cpp @@ -25,12 +25,19 @@ #include "sl_system_kernel.h" #include #include +#include #include +#ifdef EFR32_ATTESTATION_CREDENTIALS +#include +#else +#include +#endif #define BLE_DEV_NAME "SiLabs-Light-Switch" using namespace ::chip; using namespace ::chip::Inet; using namespace ::chip::DeviceLayer; +using namespace ::chip::Credentials; #define UNUSED_PARAMETER(a) (a = a) @@ -49,6 +56,15 @@ int main(void) gExampleDeviceInfoProvider.SetStorageDelegate(&Server::GetInstance().GetPersistentStorage()); chip::DeviceLayer::SetDeviceInfoProvider(&gExampleDeviceInfoProvider); + chip::DeviceLayer::PlatformMgr().LockChipStack(); + // Initialize device attestation config +#ifdef EFR32_ATTESTATION_CREDENTIALS + SetDeviceAttestationCredentialsProvider(EFR32::GetEFR32DacProvider()); +#else + SetDeviceAttestationCredentialsProvider(Examples::GetExampleDACProvider()); +#endif + chip::DeviceLayer::PlatformMgr().UnlockChipStack(); + EFR32_LOG("Starting App Task"); if (GetAppTask().StartAppTask() != CHIP_NO_ERROR) appError(CHIP_ERROR_INTERNAL); diff --git a/examples/lighting-app/efr32/BUILD.gn b/examples/lighting-app/efr32/BUILD.gn index 192833797494b2..56f0cf92688cf8 100644 --- a/examples/lighting-app/efr32/BUILD.gn +++ b/examples/lighting-app/efr32/BUILD.gn @@ -331,6 +331,11 @@ efr32_executable("lighting_app") { ] } + # Attestation Credentials + if (chip_build_platform_attestation_credentials_provider) { + deps += [ "${examples_plat_dir}:efr32-attestation-credentials" ] + } + output_dir = root_out_dir } diff --git a/examples/lighting-app/efr32/src/AppTask.cpp b/examples/lighting-app/efr32/src/AppTask.cpp index 7e1e8d9a811e82..3edc00dfa8855e 100644 --- a/examples/lighting-app/efr32/src/AppTask.cpp +++ b/examples/lighting-app/efr32/src/AppTask.cpp @@ -39,9 +39,6 @@ #include -#include -#include - #include #include @@ -163,7 +160,6 @@ Identify gIdentify = { } // namespace using namespace chip::TLV; -using namespace ::chip::Credentials; using namespace ::chip::DeviceLayer; AppTask AppTask::sAppTask; @@ -201,11 +197,6 @@ CHIP_ERROR AppTask::Init() sWiFiNetworkCommissioningInstance.Init(); #endif - chip::DeviceLayer::PlatformMgr().LockChipStack(); - // Initialize device attestation config - SetDeviceAttestationCredentialsProvider(Examples::GetExampleDACProvider()); - chip::DeviceLayer::PlatformMgr().UnlockChipStack(); - // Create FreeRTOS sw timer for Function Selection. sFunctionTimer = xTimerCreate("FnTmr", // Just a text name, not used by the RTOS kernel 1, // == default timer period (mS) diff --git a/examples/lighting-app/efr32/src/main.cpp b/examples/lighting-app/efr32/src/main.cpp index 54137f45c89043..79ef68cc720c88 100644 --- a/examples/lighting-app/efr32/src/main.cpp +++ b/examples/lighting-app/efr32/src/main.cpp @@ -25,12 +25,19 @@ #include "sl_system_kernel.h" #include #include +#include #include +#ifdef EFR32_ATTESTATION_CREDENTIALS +#include +#else +#include +#endif #define BLE_DEV_NAME "SiLabs-Light" using namespace ::chip; using namespace ::chip::Inet; using namespace ::chip::DeviceLayer; +using namespace ::chip::Credentials; #define UNUSED_PARAMETER(a) (a = a) @@ -49,6 +56,15 @@ int main(void) gExampleDeviceInfoProvider.SetStorageDelegate(&chip::Server::GetInstance().GetPersistentStorage()); chip::DeviceLayer::SetDeviceInfoProvider(&gExampleDeviceInfoProvider); + chip::DeviceLayer::PlatformMgr().LockChipStack(); + // Initialize device attestation config +#ifdef EFR32_ATTESTATION_CREDENTIALS + SetDeviceAttestationCredentialsProvider(EFR32::GetEFR32DacProvider()); +#else + SetDeviceAttestationCredentialsProvider(Examples::GetExampleDACProvider()); +#endif + chip::DeviceLayer::PlatformMgr().UnlockChipStack(); + EFR32_LOG("Starting App Task"); if (GetAppTask().StartAppTask() != CHIP_NO_ERROR) appError(CHIP_ERROR_INTERNAL); diff --git a/examples/lock-app/efr32/BUILD.gn b/examples/lock-app/efr32/BUILD.gn index 679ed1f46cda3d..4add2a9528504b 100644 --- a/examples/lock-app/efr32/BUILD.gn +++ b/examples/lock-app/efr32/BUILD.gn @@ -328,6 +328,11 @@ efr32_executable("lock_app") { ] } + # Attestation Credentials + if (chip_build_platform_attestation_credentials_provider) { + deps += [ "${examples_plat_dir}:efr32-attestation-credentials" ] + } + output_dir = root_out_dir } group("efr32") { diff --git a/examples/lock-app/efr32/src/AppTask.cpp b/examples/lock-app/efr32/src/AppTask.cpp index ddb8a463c6054a..ac3914476a3f1e 100644 --- a/examples/lock-app/efr32/src/AppTask.cpp +++ b/examples/lock-app/efr32/src/AppTask.cpp @@ -43,9 +43,6 @@ #include -#include -#include - #include #include @@ -173,7 +170,6 @@ Identify gIdentify = { } // namespace using namespace chip::TLV; -using namespace ::chip::Credentials; using namespace ::chip::DeviceLayer; AppTask AppTask::sAppTask; @@ -211,11 +207,6 @@ CHIP_ERROR AppTask::Init() sWiFiNetworkCommissioningInstance.Init(); #endif - chip::DeviceLayer::PlatformMgr().LockChipStack(); - // Initialize device attestation config - SetDeviceAttestationCredentialsProvider(Examples::GetExampleDACProvider()); - chip::DeviceLayer::PlatformMgr().UnlockChipStack(); - // Create FreeRTOS sw timer for Function Selection. sFunctionTimer = xTimerCreate("FnTmr", // Just a text name, not used by the RTOS kernel 1, // == default timer period (mS) diff --git a/examples/lock-app/efr32/src/main.cpp b/examples/lock-app/efr32/src/main.cpp index cbc0c3643f07ff..a8ba160e7e2915 100644 --- a/examples/lock-app/efr32/src/main.cpp +++ b/examples/lock-app/efr32/src/main.cpp @@ -25,12 +25,19 @@ #include "sl_system_kernel.h" #include #include +#include #include +#ifdef EFR32_ATTESTATION_CREDENTIALS +#include +#else +#include +#endif #define BLE_DEV_NAME "SiLabs-Door-Lock" using namespace ::chip; using namespace ::chip::Inet; using namespace ::chip::DeviceLayer; +using namespace ::chip::Credentials; #define UNUSED_PARAMETER(a) (a = a) @@ -49,6 +56,15 @@ int main(void) gExampleDeviceInfoProvider.SetStorageDelegate(&Server::GetInstance().GetPersistentStorage()); chip::DeviceLayer::SetDeviceInfoProvider(&gExampleDeviceInfoProvider); + chip::DeviceLayer::PlatformMgr().LockChipStack(); + // Initialize device attestation config +#ifdef EFR32_ATTESTATION_CREDENTIALS + SetDeviceAttestationCredentialsProvider(EFR32::GetEFR32DacProvider()); +#else + SetDeviceAttestationCredentialsProvider(Examples::GetExampleDACProvider()); +#endif + chip::DeviceLayer::PlatformMgr().UnlockChipStack(); + EFR32_LOG("Starting App Task"); if (GetAppTask().StartAppTask() != CHIP_NO_ERROR) appError(CHIP_ERROR_INTERNAL); diff --git a/examples/platform/efr32/BUILD.gn b/examples/platform/efr32/BUILD.gn index 185651c5de3a61..ba36aeff00c83b 100644 --- a/examples/platform/efr32/BUILD.gn +++ b/examples/platform/efr32/BUILD.gn @@ -64,3 +64,26 @@ source_set("efr-matter-shell") { ] } } + +config("attestation-credentials-config") { + include_dirs = [ "${chip_root}" ] + + defines = [ + # Set to 1 to enable EFR32 attestation credentials + "EFR32_ATTESTATION_CREDENTIALS", + ] +} + +source_set("efr32-attestation-credentials") { + sources = [ + "EFR32DeviceAttestationCreds.cpp", + "EFR32DeviceAttestationCreds.h", + ] + + public_deps = [ + "${chip_root}/src/credentials", + "${chip_root}/src/platform:platform_base", + ] + + public_configs = [ ":attestation-credentials-config" ] +} diff --git a/examples/platform/efr32/EFR32DeviceAttestationCreds.cpp b/examples/platform/efr32/EFR32DeviceAttestationCreds.cpp new file mode 100644 index 00000000000000..8093671b37341f --- /dev/null +++ b/examples/platform/efr32/EFR32DeviceAttestationCreds.cpp @@ -0,0 +1,95 @@ +/* + * + * Copyright (c) 2022 Project CHIP Authors + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +#include "EFR32DeviceAttestationCreds.h" +#include +#include +#include +#include + +#include "efr32_creds.h" +#include "psa/crypto.h" +#include "sl_token_api.h" + +namespace chip { +namespace Credentials { +namespace EFR32 { + +namespace { + +class DeviceAttestationCredsEFR32 : public DeviceAttestationCredentialsProvider +{ +public: + CHIP_ERROR GetCertificationDeclaration(MutableByteSpan & out_buffer) override + { + ByteSpan cd_span(kCertificationDeclaration); + return CopySpanToMutableSpan(cd_span, out_buffer); + } + + CHIP_ERROR GetFirmwareInformation(MutableByteSpan & out_firmware_info_buffer) override + { + // TODO: We need a real example FirmwareInformation to be populated. + out_firmware_info_buffer.reduce_size(0); + return CHIP_NO_ERROR; + } + + CHIP_ERROR GetDeviceAttestationCert(MutableByteSpan & out_buffer) override + { + uint8_t cert_buf[MFG_MATTER_DAC_SIZE]; + ByteSpan cert_span(cert_buf); + + int err = sl_token_get_data(CREATOR_MFG_MATTER_DAC, 0, cert_buf, sizeof(cert_buf)); + VerifyOrReturnError(!err, CHIP_ERROR_INTERNAL); + ChipLogByteSpan(DeviceLayer, cert_span); + return CopySpanToMutableSpan(cert_span, out_buffer); + } + + CHIP_ERROR GetProductAttestationIntermediateCert(MutableByteSpan & out_pai_buffer) override + { + uint8_t cert_buf[MFG_MATTER_PAI_SIZE]; + ByteSpan cert_span(cert_buf); + + int err = sl_token_get_data(CREATOR_MFG_MATTER_PAI, 0, cert_buf, sizeof(cert_buf)); + VerifyOrReturnError(!err, CHIP_ERROR_INTERNAL); + ChipLogByteSpan(DeviceLayer, cert_span); + return CopySpanToMutableSpan(cert_span, out_pai_buffer); + } + + CHIP_ERROR SignWithDeviceAttestationKey(const ByteSpan & digest_to_sign, MutableByteSpan & out_buffer) override + { + psa_key_id_t key_id = MFG_MATTER_DAC_KEY_ID; + uint8_t signature[64] = { 0 }; + size_t signature_size = sizeof(signature); + + psa_status_t err = psa_sign_hash(key_id, PSA_ALG_ECDSA(PSA_ALG_SHA_256), digest_to_sign.data(), digest_to_sign.size(), + signature, signature_size, &signature_size); + VerifyOrReturnError(!err, CHIP_ERROR_INTERNAL); + + return CopySpanToMutableSpan(ByteSpan(signature, signature_size), out_buffer); + } +}; + +} // namespace + +DeviceAttestationCredentialsProvider * GetEFR32DacProvider() +{ + static DeviceAttestationCredsEFR32 dac_provider; + return &dac_provider; +} + +} // namespace EFR32 +} // namespace Credentials +} // namespace chip diff --git a/examples/platform/efr32/EFR32DeviceAttestationCreds.h b/examples/platform/efr32/EFR32DeviceAttestationCreds.h new file mode 100644 index 00000000000000..3dbc48a01b0872 --- /dev/null +++ b/examples/platform/efr32/EFR32DeviceAttestationCreds.h @@ -0,0 +1,39 @@ +/* + * + * Copyright (c) 2022 Project CHIP Authors + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +#pragma once + +// The "sl_token_manager.h" include belongs to the .cpp file, but the formatter change the order +// of the headers, causing a compilation error, so the include had to be added here instead +#include "sl_token_manager.h" +#include + +namespace chip { +namespace Credentials { +namespace EFR32 { + +/** + * @brief Get implementation of a sample DAC provider to validate device + * attestation procedure. + * + * @returns a singleton DeviceAttestationCredentialsProvider that relies on no + * storage abstractions. + */ +DeviceAttestationCredentialsProvider * GetEFR32DacProvider(); + +} // namespace EFR32 +} // namespace Credentials +} // namespace chip diff --git a/examples/platform/efr32/efr32_creds.h b/examples/platform/efr32/efr32_creds.h new file mode 100644 index 00000000000000..52514adec3969f --- /dev/null +++ b/examples/platform/efr32/efr32_creds.h @@ -0,0 +1,66 @@ +/** + * This is a boilerplat header to define the EFR32 authentication credentials. + * Applications must provide their own version of this header, and include: + * - The content of the CSA-provided Certification Declaration + * - The location and size of the PAI, and DAC + * - The key ID of the key-pair associated with the DAC + * + * These credentials MUST be provided if the build variable "chip_build_device_attestation_credentials" is set to true. + */ +#ifndef EFR32_EXAMPLE_DEVICE_CREDENTIALS +#define EFR32_EXAMPLE_DEVICE_CREDENTIALS + +//-> format_version = 1 +//-> vendor_id = 0xFFF1 +//-> product_id_array = [ 0x8000, 0x8001, 0x8002, 0x8003, 0x8004, 0x8005, 0x8006, 0x8007, 0x8008, 0x8009, 0x800A, 0x800B, +// 0x800C, 0x800D, 0x800E, 0x800F, 0x8010, 0x8011, 0x8012, 0x8013, 0x8014, 0x8015, 0x8016, 0x8017, 0x8018, 0x8019, 0x801A, +// 0x801B, 0x801C, 0x801D, 0x801E, 0x801F, 0x8020, 0x8021, 0x8022, 0x8023, 0x8024, 0x8025, 0x8026, 0x8027, 0x8028, 0x8029, +// 0x802A, 0x802B, 0x802C, 0x802D, 0x802E, 0x802F, 0x8030, 0x8031, 0x8032, 0x8033, 0x8034, 0x8035, 0x8036, 0x8037, 0x8038, +// 0x8039, 0x803A, 0x803B, 0x803C, 0x803D, 0x803E, 0x803F, 0x8040, 0x8041, 0x8042, 0x8043, 0x8044, 0x8045, 0x8046, 0x8047, +// 0x8048, 0x8049, 0x804A, 0x804B, 0x804C, 0x804D, 0x804E, 0x804F, 0x8050, 0x8051, 0x8052, 0x8053, 0x8054, 0x8055, 0x8056, +// 0x8057, 0x8058, 0x8059, 0x805A, 0x805B, 0x805C, 0x805D, 0x805E, 0x805F, 0x8060, 0x8061, 0x8062, 0x8063 ] +//-> device_type_id = 0x0016 +//-> certificate_id = "ZIG20142ZB330003-24" +//-> security_level = 0 +//-> security_information = 0 +//-> version_number = 0x2694 +//-> certification_type = 0 +//-> dac_origin_vendor_id is not present +//-> dac_origin_product_id is not present +const uint8_t kCertificationDeclaration[541] = { + 0x30, 0x82, 0x02, 0x19, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x02, 0xa0, 0x82, 0x02, 0x0a, 0x30, 0x82, + 0x02, 0x06, 0x02, 0x01, 0x03, 0x31, 0x0d, 0x30, 0x0b, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x30, + 0x82, 0x01, 0x71, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01, 0xa0, 0x82, 0x01, 0x62, 0x04, 0x82, 0x01, + 0x5e, 0x15, 0x24, 0x00, 0x01, 0x25, 0x01, 0xf1, 0xff, 0x36, 0x02, 0x05, 0x00, 0x80, 0x05, 0x01, 0x80, 0x05, 0x02, 0x80, 0x05, + 0x03, 0x80, 0x05, 0x04, 0x80, 0x05, 0x05, 0x80, 0x05, 0x06, 0x80, 0x05, 0x07, 0x80, 0x05, 0x08, 0x80, 0x05, 0x09, 0x80, 0x05, + 0x0a, 0x80, 0x05, 0x0b, 0x80, 0x05, 0x0c, 0x80, 0x05, 0x0d, 0x80, 0x05, 0x0e, 0x80, 0x05, 0x0f, 0x80, 0x05, 0x10, 0x80, 0x05, + 0x11, 0x80, 0x05, 0x12, 0x80, 0x05, 0x13, 0x80, 0x05, 0x14, 0x80, 0x05, 0x15, 0x80, 0x05, 0x16, 0x80, 0x05, 0x17, 0x80, 0x05, + 0x18, 0x80, 0x05, 0x19, 0x80, 0x05, 0x1a, 0x80, 0x05, 0x1b, 0x80, 0x05, 0x1c, 0x80, 0x05, 0x1d, 0x80, 0x05, 0x1e, 0x80, 0x05, + 0x1f, 0x80, 0x05, 0x20, 0x80, 0x05, 0x21, 0x80, 0x05, 0x22, 0x80, 0x05, 0x23, 0x80, 0x05, 0x24, 0x80, 0x05, 0x25, 0x80, 0x05, + 0x26, 0x80, 0x05, 0x27, 0x80, 0x05, 0x28, 0x80, 0x05, 0x29, 0x80, 0x05, 0x2a, 0x80, 0x05, 0x2b, 0x80, 0x05, 0x2c, 0x80, 0x05, + 0x2d, 0x80, 0x05, 0x2e, 0x80, 0x05, 0x2f, 0x80, 0x05, 0x30, 0x80, 0x05, 0x31, 0x80, 0x05, 0x32, 0x80, 0x05, 0x33, 0x80, 0x05, + 0x34, 0x80, 0x05, 0x35, 0x80, 0x05, 0x36, 0x80, 0x05, 0x37, 0x80, 0x05, 0x38, 0x80, 0x05, 0x39, 0x80, 0x05, 0x3a, 0x80, 0x05, + 0x3b, 0x80, 0x05, 0x3c, 0x80, 0x05, 0x3d, 0x80, 0x05, 0x3e, 0x80, 0x05, 0x3f, 0x80, 0x05, 0x40, 0x80, 0x05, 0x41, 0x80, 0x05, + 0x42, 0x80, 0x05, 0x43, 0x80, 0x05, 0x44, 0x80, 0x05, 0x45, 0x80, 0x05, 0x46, 0x80, 0x05, 0x47, 0x80, 0x05, 0x48, 0x80, 0x05, + 0x49, 0x80, 0x05, 0x4a, 0x80, 0x05, 0x4b, 0x80, 0x05, 0x4c, 0x80, 0x05, 0x4d, 0x80, 0x05, 0x4e, 0x80, 0x05, 0x4f, 0x80, 0x05, + 0x50, 0x80, 0x05, 0x51, 0x80, 0x05, 0x52, 0x80, 0x05, 0x53, 0x80, 0x05, 0x54, 0x80, 0x05, 0x55, 0x80, 0x05, 0x56, 0x80, 0x05, + 0x57, 0x80, 0x05, 0x58, 0x80, 0x05, 0x59, 0x80, 0x05, 0x5a, 0x80, 0x05, 0x5b, 0x80, 0x05, 0x5c, 0x80, 0x05, 0x5d, 0x80, 0x05, + 0x5e, 0x80, 0x05, 0x5f, 0x80, 0x05, 0x60, 0x80, 0x05, 0x61, 0x80, 0x05, 0x62, 0x80, 0x05, 0x63, 0x80, 0x18, 0x24, 0x03, 0x16, + 0x2c, 0x04, 0x13, 0x5a, 0x49, 0x47, 0x32, 0x30, 0x31, 0x34, 0x32, 0x5a, 0x42, 0x33, 0x33, 0x30, 0x30, 0x30, 0x33, 0x2d, 0x32, + 0x34, 0x24, 0x05, 0x00, 0x24, 0x06, 0x00, 0x25, 0x07, 0x94, 0x26, 0x24, 0x08, 0x00, 0x18, 0x31, 0x7d, 0x30, 0x7b, 0x02, 0x01, + 0x03, 0x80, 0x14, 0x62, 0xfa, 0x82, 0x33, 0x59, 0xac, 0xfa, 0xa9, 0x96, 0x3e, 0x1c, 0xfa, 0x14, 0x0a, 0xdd, 0xf5, 0x04, 0xf3, + 0x71, 0x60, 0x30, 0x0b, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, + 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x04, 0x47, 0x30, 0x45, 0x02, 0x20, 0x24, 0xe5, 0xd1, 0xf4, 0x7a, 0x7d, 0x7b, 0x0d, 0x20, + 0x6a, 0x26, 0xef, 0x69, 0x9b, 0x7c, 0x97, 0x57, 0xb7, 0x2d, 0x46, 0x90, 0x89, 0xde, 0x31, 0x92, 0xe6, 0x78, 0xc7, 0x45, 0xe7, + 0xf6, 0x0c, 0x02, 0x21, 0x00, 0xf8, 0xaa, 0x2f, 0xa7, 0x11, 0xfc, 0xb7, 0x9b, 0x97, 0xe3, 0x97, 0xce, 0xda, 0x66, 0x7b, 0xae, + 0x46, 0x4e, 0x2b, 0xd3, 0xff, 0xdf, 0xc3, 0xcc, 0xed, 0x7a, 0xa8, 0xca, 0x5f, 0x4c, 0x1a, 0x7c +}; + +#define CREATOR_MFG_MATTER_PAI (USERDATA_TOKENS | 0x400) // 4 bytes +#define CREATOR_MFG_MATTER_DAC (USERDATA_TOKENS | 0x600) // 4 bytes + +#define MFG_MATTER_PAI_SIZE 463 +#define MFG_MATTER_DAC_SIZE 492 +#define MFG_MATTER_DAC_KEY_ID PSA_KEY_ID_USER_MIN + 1 + +#endif // EFR32_EXAMPLE_DEVICE_CREDENTIALS diff --git a/examples/window-app/common/src/WindowApp.cpp b/examples/window-app/common/src/WindowApp.cpp index 4c846ecf6a8c05..a15abd5f9dbcff 100644 --- a/examples/window-app/common/src/WindowApp.cpp +++ b/examples/window-app/common/src/WindowApp.cpp @@ -21,8 +21,7 @@ #include #include #include -#include -#include + #include #include @@ -112,9 +111,6 @@ WindowApp::Cover * WindowApp::GetCover(chip::EndpointId endpoint) CHIP_ERROR WindowApp::Init() { - // Initialize device attestation config - SetDeviceAttestationCredentialsProvider(Examples::GetExampleDACProvider()); - ConfigurationMgr().LogDeviceConfig(); // Timers diff --git a/examples/window-app/efr32/BUILD.gn b/examples/window-app/efr32/BUILD.gn index d829fa9d15116b..c526f50cbf9204 100644 --- a/examples/window-app/efr32/BUILD.gn +++ b/examples/window-app/efr32/BUILD.gn @@ -278,6 +278,11 @@ efr32_executable("window_app") { "-Wl,SILABS_WIFI=1", ] } + + # Attestation Credentials + if (chip_build_platform_attestation_credentials_provider) { + deps += [ "${examples_plat_dir}:efr32-attestation-credentials" ] + } } group("efr32") { diff --git a/examples/window-app/efr32/src/main.cpp b/examples/window-app/efr32/src/main.cpp index eef12ddf99371d..41cc1bac8f4e87 100644 --- a/examples/window-app/efr32/src/main.cpp +++ b/examples/window-app/efr32/src/main.cpp @@ -25,10 +25,17 @@ #include "sl_system_kernel.h" #include #include +#include #include +#ifdef EFR32_ATTESTATION_CREDENTIALS +#include +#else +#include +#endif #define BLE_DEV_NAME "Silabs-Window" using namespace ::chip::DeviceLayer; +using namespace ::chip::Credentials; #define UNUSED_PARAMETER(a) (a = a) @@ -54,6 +61,12 @@ int main(void) EFR32_LOG("Starting App"); chip::DeviceLayer::PlatformMgr().LockChipStack(); err = app.Init(); + // Initialize device attestation config +#ifdef EFR32_ATTESTATION_CREDENTIALS + SetDeviceAttestationCredentialsProvider(EFR32::GetEFR32DacProvider()); +#else + SetDeviceAttestationCredentialsProvider(Examples::GetExampleDACProvider()); +#endif chip::DeviceLayer::PlatformMgr().UnlockChipStack(); if (err != CHIP_NO_ERROR) diff --git a/src/app/clusters/operational-credentials-server/operational-credentials-server.cpp b/src/app/clusters/operational-credentials-server/operational-credentials-server.cpp index 20c5be2e8052f7..3127a3f75b0c08 100644 --- a/src/app/clusters/operational-credentials-server/operational-credentials-server.cpp +++ b/src/app/clusters/operational-credentials-server/operational-credentials-server.cpp @@ -41,7 +41,6 @@ #include #include #include -#include #include #include #include diff --git a/src/include/platform/KvsPersistentStorageDelegate.h b/src/include/platform/KvsPersistentStorageDelegate.h index 42ca6f481e6b4c..0348e92bf2c08d 100644 --- a/src/include/platform/KvsPersistentStorageDelegate.h +++ b/src/include/platform/KvsPersistentStorageDelegate.h @@ -22,6 +22,7 @@ #include #include #include +#include #include namespace chip { diff --git a/src/lib/lib.gni b/src/lib/lib.gni index c78be22c2d9196..213592c274939f 100644 --- a/src/lib/lib.gni +++ b/src/lib/lib.gni @@ -20,4 +20,7 @@ declare_args() { # a Commissioner or Administrator that employs different or more complex # logic, this should be set to false. chip_build_default_attestation_verifier = true + + # Set to true to enable device-specific attestation credentials + chip_build_platform_attestation_credentials_provider = false } diff --git a/third_party/silabs/efr32_sdk.gni b/third_party/silabs/efr32_sdk.gni index 6e2ec20615d7ed..a40cda2108c7b3 100644 --- a/third_party/silabs/efr32_sdk.gni +++ b/third_party/silabs/efr32_sdk.gni @@ -103,6 +103,13 @@ template("efr32_sdk") { "${efr32_sdk_root}/platform/service/sleeptimer/config", "${efr32_sdk_root}/platform/service/system/inc", "${efr32_sdk_root}/platform/service/udelay/inc", + "${efr32_sdk_root}/platform/service/legacy_hal/inc", + "${efr32_sdk_root}/platform/service/token_manager/config", + "${efr32_sdk_root}/platform/service/token_manager/inc", + "${efr32_sdk_root}/platform/service/token_manager/test", + "${efr32_sdk_root}/platform/service/token_manager/test/include", + "${efr32_sdk_root}/platform/service/token_manager/test/stack/config", + "${efr32_sdk_root}/platform/service/token_manager/test/stack/include", "${efr32_sdk_root}/platform/middleware/glib", "${efr32_sdk_root}/platform/middleware/glib/glib", "${efr32_sdk_root}/platform/middleware/glib/dmd", @@ -153,6 +160,8 @@ template("efr32_sdk") { "MBEDTLS_THREADING_ALT=1", "SL_THREADING_ALT=1", "SL_COMPONENT_CATALOG_PRESENT", + "PLATFORM_HEADER=\"platform-header.h\"", + "USE_NVM3=1", #"__STACK_SIZE=0", ] @@ -346,6 +355,7 @@ template("efr32_sdk") { "${efr32_sdk_root}/platform/radio/rail_lib/plugin/rail_util_pti/sl_rail_util_pti.c", "${efr32_sdk_root}/platform/service/device_init/src/sl_device_init_nvic.c", "${efr32_sdk_root}/platform/service/hfxo_manager/src/sl_hfxo_manager.c", + "${efr32_sdk_root}/platform/service/legacy_hal/src/token_legacy.c", "${efr32_sdk_root}/platform/service/mpu/src/sl_mpu.c", "${efr32_sdk_root}/platform/service/power_manager/src/sl_power_manager.c", "${efr32_sdk_root}/platform/service/power_manager/src/sl_power_manager_debug.c", @@ -357,6 +367,9 @@ template("efr32_sdk") { "${efr32_sdk_root}/platform/service/system/src/sl_system_init.c", "${efr32_sdk_root}/platform/service/system/src/sl_system_kernel.c", "${efr32_sdk_root}/platform/service/system/src/sl_system_process_action.c", + "${efr32_sdk_root}/platform/service/token_manager/src/sl_token_def.c", + "${efr32_sdk_root}/platform/service/token_manager/src/sl_token_manager.c", + "${efr32_sdk_root}/platform/service/token_manager/src/sl_token_manufacturing.c", "${efr32_sdk_root}/platform/service/udelay/src/sl_udelay.c", "${efr32_sdk_root}/platform/service/udelay/src/sl_udelay_armv6m_gcc.S", "${efr32_sdk_root}/protocol/bluetooth/src/sl_bt_mbedtls_context.c",