-
Notifications
You must be signed in to change notification settings - Fork 2.1k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Support for Hardware Secure Module (HSM) using Infineon OPTIGA Trust M (
#32771) * 1)Added Crypto Function provided by Infineon HSM OPTIGA Trust M * Fix Lint code base error and remove unnecessary comments. * Restyled by whitespace * Apply restyled changes. * - Tidy up the code and the printouts. - Updated the trustm_Open() to add init settings. * - Clear the trustm_isOpen flag when trustm_close() is called. * Apply restyled patch * 1)Updated README.md * Restyled by prettier-markdown * 1)Tidy Up the code --------- Co-authored-by: Ank Khandelwal <[email protected]> Co-authored-by: Restyled.io <[email protected]>
- Loading branch information
1 parent
cfe283f
commit 6a7961d
Showing
33 changed files
with
4,689 additions
and
9 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,61 @@ | ||
# Infineon OPTIGA™ Trust M Provisioning for Matter | ||
|
||
To use Infineon OPTIGA™ Trust M for device attestation, Provisioning for | ||
OPTIGA™ Trust M with Matter test device Attestation certificate is needed. | ||
|
||
## Hardware setup: | ||
|
||
[Raspberry Pi 4](https://www.raspberrypi.com/products/raspberry-pi-4-model-b/) | ||
|
||
[OPTIGA™ Trust M MTR](https://www.infineon.com/cms/en/product/evaluation-boards/trust-m-mtr-shield/) | ||
|
||
[Shield2Go Adapter for Raspberry Pi](https://www.infineon.com/cms/en/product/evaluation-boards/s2go-adapter-rasp-pi-iot/) | ||
or Jumping Wire | ||
|
||
## Provisioning for OPTIGA™ Trust M | ||
|
||
The | ||
[Linux Tools for OPTIGA™ Trust M ](https://github.com/Infineon/linux-optiga-trust-m) | ||
can be used to perform provisioning by following the steps mentioned below. | ||
|
||
- Set up chip-tool on Raspberry Pi 4 by following the instruction listed at | ||
[Building chip-tool on Raspberry Pi ](https://github.com/project-chip/connectedhomeip/blob/master/docs/guides/BUILDING.md#installing-prerequisites-on-raspberry-pi-4) | ||
- Clone the repo from Infineon Public GitHub | ||
|
||
``` | ||
$ git clone --recurse-submodules https://github.com/Infineon/linux-optiga-trust-m.git | ||
``` | ||
|
||
- Build the Linux tools for OPTIGA™ Trust M | ||
|
||
``` | ||
$ cd linux-optiga-trust-m/ | ||
$ ./trustm_installation_aarch64_script.sh | ||
``` | ||
|
||
- Run the script to generate Matter test DAC for lock-app using the public key | ||
extracted from the Infineon pre-provisioned Certificate and store it into | ||
0xE0E0 | ||
|
||
``` | ||
$ cd scripts/matter_provisioning/ | ||
$ ./matter_dac_provisioning.sh | ||
``` | ||
|
||
_Note:_ | ||
|
||
_By running this example matter_dac_provisioning.sh, the steps shown below are | ||
executed:_ | ||
|
||
_Step1: Extract the public key from the Infineon pre-provisioned | ||
Certificate(0xE0E0) using openssl command._ | ||
|
||
_Step2: Generate DAC test certificate using the extracted public key, Signed by | ||
[Matter test PAI](https://github.com/project-chip/connectedhomeip/blob/v1.1-branch/credentials/development/attestation/Matter-Development-PAI-FFF1-noPID-Cert.pem)_. | ||
Please note that production devices cannot re-use these test keys/certificates. | ||
|
||
_Step3: Write DAC test certificate into OPTIGA™ Trust M certificate slot | ||
0xE0E0_ | ||
|
||
\_Step4: Write Matter test PAI into OPTIGA™ Trust M certificate slot | ||
0xE0E8 and test CD into OPTIGA™ Trust M Arbitrary OID 0xF1E0. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,20 @@ | ||
# Copyright (c) 2024 Project CHIP Authors | ||
# | ||
# Licensed under the Apache License, Version 2.0 (the "License"); | ||
# you may not use this file except in compliance with the License. | ||
# You may obtain a copy of the License at | ||
# | ||
# http://www.apache.org/licenses/LICENSE-2.0 | ||
# | ||
# Unless required by applicable law or agreed to in writing, software | ||
# distributed under the License is distributed on an "AS IS" BASIS, | ||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
# See the License for the specific language governing permissions and | ||
# limitations under the License. | ||
|
||
declare_args() { | ||
infineon_crypto_impl = "" | ||
infineon_crypto_root = "" | ||
} | ||
assert(infineon_crypto_impl != "", "infineon_crypto_impl should be defined") | ||
assert(infineon_crypto_root != "", "infineon_crypto_root should be defined") |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,64 @@ | ||
# Copyright (c) 2024 Project CHIP Authors | ||
# | ||
# Licensed under the Apache License, Version 2.0 (the "License"); | ||
# you may not use this file except in compliance with the License. | ||
# You may obtain a copy of the License at | ||
# | ||
# http://www.apache.org/licenses/LICENSE-2.0 | ||
# | ||
# Unless required by applicable law or agreed to in writing, software | ||
# distributed under the License is distributed on an "AS IS" BASIS, | ||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
# See the License for the specific language governing permissions and | ||
# limitations under the License. | ||
|
||
import("//build_overrides/chip.gni") | ||
import("//build_overrides/nlassert.gni") | ||
import("${chip_root}/build/chip/buildconfig_header.gni") | ||
import("${chip_root}/src/crypto/crypto.gni") | ||
import("${chip_root}/src/platform/Infineon/crypto/trustm/args.gni") | ||
|
||
if (chip_crypto == "platform") { | ||
import("//build_overrides/mbedtls.gni") | ||
} | ||
|
||
source_set("public_headers") { | ||
sources = [] | ||
|
||
public_deps = [ | ||
"${chip_root}/src/crypto", | ||
"${chip_root}/src/lib/asn1", | ||
"${chip_root}/src/lib/core", | ||
"${chip_root}/src/lib/support", | ||
"${nlassert_root}:nlassert", | ||
] | ||
} | ||
|
||
static_library("infineon_crypto_lib") { | ||
sources = [ | ||
"CHIPCryptoPALHost.cpp", | ||
"CHIPCryptoPALHsm_HKDF_trustm.cpp", | ||
"CHIPCryptoPALHsm_HMAC_trustm.cpp", | ||
"CHIPCryptoPALHsm_P256_trustm.cpp", | ||
"CHIPCryptoPALHsm_rng_trustm.cpp", | ||
"CHIPCryptoPALHsm_utils_trustm.cpp", | ||
"CHIPCryptoPAL_HostFallBack.cpp", | ||
"DeviceAttestationCredsExampleTrustM.cpp", | ||
] | ||
|
||
public_deps = [ ":public_headers" ] | ||
public_configs = [] | ||
public_deps += [ "${chip_root}/third_party/infineon/trustm:optiga-trust-m" ] | ||
public_configs += [ "${chip_root}/third_party/infineon/trustm:trustm_config" ] | ||
deps = [ "${chip_root}/${infineon_crypto_root}:optiga-trust-m" ] | ||
external_mbedtls = current_os == "zephyr" | ||
|
||
if (!external_mbedtls) { | ||
public_deps += [ "${mbedtls_root}:mbedtls" ] | ||
} | ||
include_dirs = [ | ||
".", | ||
"${chip_root}/src/crypto", | ||
"${chip_root}/src/platform/Infineon/crypto/trustm", | ||
] | ||
} |
Oops, something went wrong.