diff --git a/.github/workflows/examples-k32w.yaml b/.github/workflows/examples-k32w.yaml index b1d2e6c22dca16..c613a09a79d268 100644 --- a/.github/workflows/examples-k32w.yaml +++ b/.github/workflows/examples-k32w.yaml @@ -65,14 +65,14 @@ jobs: timeout-minutes: 5 run: scripts/examples/k32w_example.sh examples/lock-app/k32w out/lock_app_debug - - name: Build example K32W Lighting App - timeout-minutes: 5 - run: scripts/examples/k32w_example.sh - examples/lighting-app/k32w out/lighting_app_debug - name: Build example K32W Shell App timeout-minutes: 5 run: scripts/examples/k32w_example.sh examples/shell/k32w out/shell_app_debug + - name: Build example K32W Lighting App with Secure Element + timeout-minutes: 5 + run: scripts/examples/k32w_se_example.sh + examples/lighting-app/k32w out/lighting_app_se_release - name: Binary artifact suffix id: outsuffix uses: haya14busa/action-cond@v1.0.0 diff --git a/examples/lighting-app/k32w/README.md b/examples/lighting-app/k32w/README.md index 24cef64a8cda7c..afa970e733af50 100644 --- a/examples/lighting-app/k32w/README.md +++ b/examples/lighting-app/k32w/README.md @@ -55,6 +55,22 @@ default settings by pressing a button. However, this mode does not guarantee that the device will be able to communicate with the CHIP controller and other devices. +### SE051H Secure Element + +Deployment of this firmware configuration requires the K32W061 board setups +using the K32W0/JN5189 module board, SE051 Expansion board and Generic Expansion +board as shown below: + +![SE051H + K32W061 DK6](../../platform/k32w/doc/images/k32w-se.jpg) + +The SE051H Secure Element extension may be used for best in class security and +offloading some of the Project CHIP cryptographic operations. Depending on your +hardware configuration, choose one of the options below (building with or +without Secure Element). NOTE: the SE051H is a derivative of the SE051 product +family (see http://www.nxp.com/SE051) including dedicated CHIP support in +addition to the SE051 feature set. See the material provided separately by NXP +for more details on SE051H. + ### Bluetooth LE Advertising In this example, to commission the device onto a Project CHIP network, it must @@ -153,18 +169,22 @@ distribution (the demo-application was compiled on Ubuntu 20.04). the one from the image below. ![MCUXpresso SDK Download](../../platform/k32w/doc/images/mcux-sdk-download.JPG) -- Start building the application +- Start building the application either with Secure Element or without + - with Secure Element ``` user@ubuntu:~/Desktop/git/connectedhomeip$ export K32W061_SDK_ROOT=/home/user/Desktop/SDK_2.6.3_K32W061DK6/ user@ubuntu:~/Desktop/git/connectedhomeip$ ./third_party/k32w_sdk/sdk_fixes/patch_k32w_sdk.sh user@ubuntu:~/Desktop/git/connectedhomeip$ source ./scripts/activate.sh user@ubuntu:~/Desktop/git/connectedhomeip$ cd examples/lighting-app/k32w/ -user@ubuntu:~/Desktop/git/connectedhomeip/examples/lighting-app/k32w$ gn gen out/debug --args="k32w_sdk_root=\"${K32W061_SDK_ROOT}\" chip_with_OM15082=1 chip_with_ot_cli=0 is_debug=false" +user@ubuntu:~/Desktop/git/connectedhomeip/examples/lighting-app/k32w$ gn gen out/debug --args="k32w_sdk_root=\"${K32W061_SDK_ROOT}\" chip_with_OM15082=1 chip_with_ot_cli=0 is_debug=false chip_crypto=\"mbedtls\" chip_with_se05x=1" user@ubuntu:~/Desktop/git/connectedhomeip/examples/lightin-app/k32w$ ninja -C out/debug user@ubuntu:~/Desktop/git/connectedhomeip/examples/lighting-app/k32w$ $K32W061_SDK_ROOT/tools/imagetool/sign_images.sh out/debug/ ``` + - without Secure element + Exactly the same steps as above but set chip_with_se05x=0 in the gn command + Note that "patch_k32w_sdk.sh" script must be run for patching the K32W061 SDK 2.6.3. diff --git a/examples/lock-app/k32w/README.md b/examples/lock-app/k32w/README.md index 8ea3ce186c25d0..d3f526c39283d3 100644 --- a/examples/lock-app/k32w/README.md +++ b/examples/lock-app/k32w/README.md @@ -56,6 +56,22 @@ default settings by pressing a button. However, this mode does not guarantee that the device will be able to communicate with the CHIP controller and other devices. +### SE051H Secure Element + +Deployment of this firmware configuration requires the K32W061 board setups +using the K32W0/JN5189 module board, SE051 Expansion board and Generic Expansion +board as shown below: + +![SE051H + K32W061 DK6](../../platform/k32w/doc/images/k32w-se.jpg) + +The SE051H Secure Element extension may be used for best in class security and +offloading some of the Project CHIP cryptographic operations. Depending on your +hardware configuration, choose one of the options below (building with or +without Secure Element). NOTE: the SE051H is a derivative of the SE051 product +family (see http://www.nxp.com/SE051) including dedicated CHIP support in +addition to the SE051 feature set. See the material provided separately by NXP +for more details on SE051H. + ### Bluetooth LE Advertising In this example, to commission the device onto a Project CHIP network, it must @@ -156,18 +172,23 @@ distribution (the demo-application was compiled on Ubuntu 20.04). the one from the image below. ![MCUXpresso SDK Download](../../platform/k32w/doc/images/mcux-sdk-download.JPG) -- Start building the application +- Start building the application either with Secure Element or without + + - with Secure Element ``` user@ubuntu:~/Desktop/git/connectedhomeip$ export K32W061_SDK_ROOT=/home/user/Desktop/SDK_2.6.3_K32W061DK6/ user@ubuntu:~/Desktop/git/connectedhomeip$ ./third_party/k32w_sdk/sdk_fixes/patch_k32w_sdk.sh user@ubuntu:~/Desktop/git/connectedhomeip$ source ./scripts/activate.sh user@ubuntu:~/Desktop/git/connectedhomeip$ cd examples/lock-app/k32w/ -user@ubuntu:~/Desktop/git/connectedhomeip/examples/lock-app/k32w$ gn gen out/debug --args="k32w_sdk_root=\"${K32W061_SDK_ROOT}\" chip_with_OM15082=1 chip_with_ot_cli=0 is_debug=false" +user@ubuntu:~/Desktop/git/connectedhomeip/examples/lock-app/k32w$ gn gen out/debug --args="k32w_sdk_root=\"${K32W061_SDK_ROOT}\" chip_with_OM15082=1 chip_with_ot_cli=0 is_debug=false chip_crypto=\"mbedtls\" chip_with_se05x=1" user@ubuntu:~/Desktop/git/connectedhomeip/examples/lock-app/k32w$ ninja -C out/debug user@ubuntu:~/Desktop/git/connectedhomeip/examples/lock-app/k32w$ $K32W061_SDK_ROOT/tools/imagetool/sign_images.sh out/debug/ ``` + - without Secure element + Exactly the same steps as above but set chip_with_se05x=0 in the gn command + Note that "patch_k32w_sdk.sh" script must be run for patching the K32W061 SDK 2.6.3. diff --git a/examples/platform/k32w/doc/images/k32w-se.jpg b/examples/platform/k32w/doc/images/k32w-se.jpg new file mode 100644 index 00000000000000..691bffd8d39504 Binary files /dev/null and b/examples/platform/k32w/doc/images/k32w-se.jpg differ diff --git a/scripts/examples/k32w_se_example.sh b/scripts/examples/k32w_se_example.sh new file mode 100755 index 00000000000000..df933c89854471 --- /dev/null +++ b/scripts/examples/k32w_se_example.sh @@ -0,0 +1,31 @@ +#!/usr/bin/env bash + +# +# Copyright (c) 2021 Project CHIP Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +set -e + +# Build script for K32W examples GitHub workflow. + +source "$(dirname "$0")/../../scripts/activate.sh" + +set -x +env + +"$(dirname "$0")"/../../third_party/k32w_sdk/sdk_fixes/patch_k32w_sdk.sh + +gn gen --check --fail-on-unused-args --root="$1" "$2" --args="k32w_sdk_root=\"$K32W061_SDK_ROOT\" is_debug=false chip_crypto=\"mbedtls\" chip_with_se05x=1" +ninja -C "$2" diff --git a/src/crypto/hsm/nxp/CHIPCryptoPALHsm_SE05X_Spake2p.cpp b/src/crypto/hsm/nxp/CHIPCryptoPALHsm_SE05X_Spake2p.cpp index fd09be13d387c3..02996423f0e83f 100644 --- a/src/crypto/hsm/nxp/CHIPCryptoPALHsm_SE05X_Spake2p.cpp +++ b/src/crypto/hsm/nxp/CHIPCryptoPALHsm_SE05X_Spake2p.cpp @@ -159,11 +159,7 @@ CHIP_ERROR Spake2p_ComputeRoundOne_HSM(hsm_pake_context_t * phsm_pake_context, c if (role == chip::Crypto::CHIP_SPAKE2P_ROLE::VERIFIER) { - if (pab == NULL) - { - /* Need X/Y value to verify abort condition */ - goto exit; - } + VerifyOrReturnError(pab != NULL, CHIP_ERROR_INVALID_ARGUMENT); } #if SSS_HAVE_SE05X_VER_GTE_16_03 @@ -487,7 +483,7 @@ CHIP_ERROR Spake2pHSM_P256_SHA256_HKDF_HMAC::ComputeRoundTwo(const uint8_t * in, uint8_t pKeyKe[16] = { 0, }; - constexpr size_t pkeyKeLen = sizeof(pKeyKe); + size_t pkeyKeLen = sizeof(pKeyKe); const CHIP_ERROR error = Spake2p_ComputeRoundTwo_HSM(&hsm_pake_context, role, in, in_len, out, out_len, pKeyKe, &pkeyKeLen); if (CHIP_NO_ERROR == error) @@ -500,7 +496,7 @@ CHIP_ERROR Spake2pHSM_P256_SHA256_HKDF_HMAC::ComputeRoundTwo(const uint8_t * in, CHIP_ERROR Spake2pHSM_P256_SHA256_HKDF_HMAC::KeyConfirm(const uint8_t * in, size_t in_len) { - VerifyOrExit(state == CHIP_SPAKE2P_STATE::R2, error = CHIP_ERROR_INTERNAL); + VerifyOrReturnError(state == CHIP_SPAKE2P_STATE::R2, CHIP_ERROR_INTERNAL); #if !ENABLE_HSM_SPAKE_VERIFIER const bool sw_rollback_verifier = (role == chip::Crypto::CHIP_SPAKE2P_ROLE::VERIFIER); @@ -518,8 +514,8 @@ CHIP_ERROR Spake2pHSM_P256_SHA256_HKDF_HMAC::KeyConfirm(const uint8_t * in, size { return Spake2p::KeyConfirm(in, in_len); } - - const CHIP_ERROR error = Spake2p_KeyConfirm_HSM(&hsm_pake_context, role, in, in_len); + CHIP_ERROR error = CHIP_ERROR_INTERNAL; + error = Spake2p_KeyConfirm_HSM(&hsm_pake_context, role, in, in_len); if (CHIP_NO_ERROR == error) { state = CHIP_SPAKE2P_STATE::KC; diff --git a/third_party/simw-top-mini/simw_config.gni b/third_party/simw-top-mini/simw_config.gni index 874b571c23aca5..4f46c788353204 100644 --- a/third_party/simw-top-mini/simw_config.gni +++ b/third_party/simw-top-mini/simw_config.gni @@ -16,5 +16,5 @@ declare_args() { # possible values host_k32w, host_linux - host = "host_linux" + host = "host_k32w" }