Skip to content

Commit

Permalink
Support for Hardware Secure Module (HSM) using Infineon OPTIGA Trust M (
Browse files Browse the repository at this point in the history
#32771)

* 1)Added Crypto Function provided by Infineon HSM OPTIGA Trust M

* Fix Lint code base error and remove unnecessary comments.

* Restyled by whitespace

* Apply restyled changes.

* - Tidy up the code and the printouts.
- Updated the trustm_Open() to add init settings.

* - Clear the trustm_isOpen flag when trustm_close() is called.

* Apply restyled patch

* 1)Updated README.md

* Restyled by prettier-markdown

* 1)Tidy Up the code

---------

Co-authored-by: Ank Khandelwal <[email protected]>
Co-authored-by: Restyled.io <[email protected]>
  • Loading branch information
3 people authored Apr 4, 2024
1 parent cfe283f commit 6a7961d
Show file tree
Hide file tree
Showing 33 changed files with 4,689 additions and 9 deletions.
5 changes: 5 additions & 0 deletions .github/.wordlist.txt
Original file line number Diff line number Diff line change
Expand Up @@ -643,6 +643,8 @@ HomePods
hostapd
hostname
href
HSM
hsm
HTTPS
HW
hwadr
Expand Down Expand Up @@ -965,6 +967,7 @@ objcopy
OccupancySensing
OctetString
OECORE
OID
ol
Onboarding
onboardingcodes
Expand All @@ -986,6 +989,7 @@ openweave
OperationalCredentials
operationalDataset
opkg
OPTIGA
optionMask
optionOverride
optionsMask
Expand Down Expand Up @@ -1429,6 +1433,7 @@ transitionTime
TransportMgrBase
TriggerEffect
TRNG
trustm
TrustedRootCertificates
tsan
TSG
Expand Down
6 changes: 6 additions & 0 deletions .gitmodules
Original file line number Diff line number Diff line change
Expand Up @@ -324,3 +324,9 @@
path = third_party/infineon/psoc6/psoc6_sdk/libs/lwip-network-interface-integration
url = https://github.com/Infineon/lwip-network-interface-integration.git
platforms = infineon
[submodule "third_party/infineon/trustm/optiga-trust-m"]
path = third_party/infineon/trustm/optiga-trust-m
url = https://github.com/Infineon/optiga-trust-m.git
branch = matter_support
platforms = infineon

1 change: 1 addition & 0 deletions docs/guides/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,7 @@
- [ASR - Getting Started Guide](./asr_getting_started_guide.md)
- [Espressif (ESP32) - Getting Started Guide](./esp32/README.md)
- [Infineon PSoC6 - Software Update](./infineon_psoc6_software_update.md)
- [Infineon Trust M Provisioning](./infineon_trustm_provisioning.md)
- [Linux - Simulated Devices](./simulated_device_linux.md)
- [mbedOS - Adding a new target](./mbedos_add_new_target.md)
- [mbedOS - Commissioning](./mbedos_commissioning.md)
Expand Down
61 changes: 61 additions & 0 deletions docs/guides/infineon_trustm_provisioning.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,61 @@
# Infineon OPTIGA&trade; Trust M Provisioning for Matter

To use Infineon OPTIGA&trade; Trust M for device attestation, Provisioning for
OPTIGA&trade; Trust M with Matter test device Attestation certificate is needed.

## Hardware setup:

[Raspberry Pi 4](https://www.raspberrypi.com/products/raspberry-pi-4-model-b/)

[OPTIGA™ Trust M MTR](https://www.infineon.com/cms/en/product/evaluation-boards/trust-m-mtr-shield/)

[Shield2Go Adapter for Raspberry Pi](https://www.infineon.com/cms/en/product/evaluation-boards/s2go-adapter-rasp-pi-iot/)
or Jumping Wire

## Provisioning for OPTIGA&trade; Trust M

The
[Linux Tools for OPTIGA&trade; Trust M ](https://github.com/Infineon/linux-optiga-trust-m)
can be used to perform provisioning by following the steps mentioned below.

- Set up chip-tool on Raspberry Pi 4 by following the instruction listed at
[Building chip-tool on Raspberry Pi ](https://github.com/project-chip/connectedhomeip/blob/master/docs/guides/BUILDING.md#installing-prerequisites-on-raspberry-pi-4)
- Clone the repo from Infineon Public GitHub

```
$ git clone --recurse-submodules https://github.com/Infineon/linux-optiga-trust-m.git
```

- Build the Linux tools for OPTIGA&trade; Trust M

```
$ cd linux-optiga-trust-m/
$ ./trustm_installation_aarch64_script.sh
```

- Run the script to generate Matter test DAC for lock-app using the public key
extracted from the Infineon pre-provisioned Certificate and store it into
0xE0E0

```
$ cd scripts/matter_provisioning/
$ ./matter_dac_provisioning.sh
```

_Note:_

_By running this example matter_dac_provisioning.sh, the steps shown below are
executed:_

_Step1: Extract the public key from the Infineon pre-provisioned
Certificate(0xE0E0) using openssl command._

_Step2: Generate DAC test certificate using the extracted public key, Signed by
[Matter test PAI](https://github.com/project-chip/connectedhomeip/blob/v1.1-branch/credentials/development/attestation/Matter-Development-PAI-FFF1-noPID-Cert.pem)_.
Please note that production devices cannot re-use these test keys/certificates.

_Step3: Write DAC test certificate into OPTIGA&trade; Trust M certificate slot
0xE0E0_

\_Step4: Write Matter test PAI into OPTIGA&trade; Trust M certificate slot
0xE0E8 and test CD into OPTIGA&trade; Trust M Arbitrary OID 0xF1E0.
17 changes: 16 additions & 1 deletion examples/lock-app/infineon/psoc6/BUILD.gn
Original file line number Diff line number Diff line change
Expand Up @@ -15,9 +15,11 @@
import("//build_overrides/build.gni")
import("//build_overrides/chip.gni")
import("//build_overrides/psoc6.gni")

import("${build_root}/config/defaults.gni")
import("${chip_root}/src/crypto/crypto.gni")
import("${chip_root}/src/platform/Infineon/crypto/infineon_crypto.gni")
import("${chip_root}/src/platform/device.gni")
import("${chip_root}/third_party/infineon/trustm/trustm_config.gni")
import("${psoc6_sdk_build_root}/psoc6_executable.gni")
import("${psoc6_sdk_build_root}/psoc6_sdk.gni")

Expand Down Expand Up @@ -117,6 +119,19 @@ psoc6_executable("lock_app") {
"${psoc6_project_dir}/include",
]

if (chip_crypto == "platform") {
include_dirs += [ "${chip_root}/third_party/infineon/trustm" ]
include_dirs += [ "${chip_root}/examples/platform/infineon/trustm" ]
include_dirs += [ "${chip_root}/src/platform/Infineon/crypto/trustm" ]

defines = [ "ENABLE_DEVICE_ATTESTATION=1" ]

public_deps += [
"${chip_root}/src/platform/Infineon/crypto/${infineon_crypto_impl}:infineon_crypto_lib",
"${chip_root}/third_party/infineon/trustm:optiga-trust-m",
]
}

sources = [
"${examples_plat_dir}/LEDWidget.cpp",
"${examples_plat_dir}/init_psoc6Platform.cpp",
Expand Down
49 changes: 48 additions & 1 deletion examples/lock-app/infineon/psoc6/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,8 @@ An example showing the use of Matter on the Infineon CY8CKIT-062S2-43012 board.
- [Notes](#notes)
- [Cluster control](#cluster-control)
- [Factory Reset](#factory-reset)
- [Building with Optiga Trust M as HSM](#building-with-optiga-trust-m-as-hsm)
- [Optiga Trust M Provisioning](#optiga-trust-m-provisioning)
- [OTA Software Update](#ota-software-update)

<hr>
Expand Down Expand Up @@ -55,6 +57,11 @@ will then join the network.
$ cd ~/connectedhomeip
$ rm -rf out/

_To build with Infineon Hardware Security Module-OPTIGA™ Trust M for Device
attestation and other security use cases, please refer to the
[Building with OPTIGA™ Trust M as HSM](#building-with-optiga-trust-m-as-hsm) for
more instructions_

## Flashing the Application

- Put CY8CKIT-062S2-43012 board on KitProg3 CMSIS-DAP Mode by pressing the
Expand Down Expand Up @@ -128,10 +135,50 @@ commands. These power cycle the BlueTooth hardware and disable BR/EDR mode.
on the board. All the data configured on the device during the initial
commissioning will be deleted and device will be ready for commissioning
again.

- Pressing the button again within 5 seconds will cancel the factory reset of
the board.

## Building with Optiga Trust M as HSM

Infineon Hardware Security Module-OPTIGA™ Trust M is a high-end security
solution that provides an anchor of trust for connecting IoT devices to the
cloud, giving every IoT device its own unique identity.

- Supported hardware setup:
[CY8CKIT-062S2-43012](https://www.cypress.com/CY8CKIT-062S2-43012)

[OPTIGA™ Trust M MTR](https://www.infineon.com/cms/en/product/evaluation-boards/trust-m-mtr-shield/)

[OPTIGA™ Trust Adapter](https://www.infineon.com/cms/en/product/evaluation-boards/optiga-trust-adapter/)

- Building:

Follow the steps to build with OPTIGA™ Trust M for device attestation use
case:

```
$ source scripts/activate.sh
$ scripts/build/build_examples.py --no-log-timestamps --target 'infineon-psoc6-lock-trustm' build
```
- To delete generated executable, libraries and object files use:
$ cd ~/connectedhomeip
$ rm -rf out/
- Proceed to OPTIGA™ Trust M Provisioning section to complete the credential
storage into HSM.
### Optiga Trust M Provisioning
For the description of OPTIGA™ Trust M Provisioning with test DAC generation and
PAI and CD storage, please refer to
[Infineon OPTIGA™ Trust M Provisioning](../../../../docs/guides/infineon_trustm_provisioning.md)
After completing OPTIGA™ Trust M Provisioning, proceed to
[Flashing the Application](#flashing-the-application) section to continue with
subsequent steps.
## OTA Software Update
For the description of Software Update process with infineon PSoC6 example
Expand Down
3 changes: 3 additions & 0 deletions examples/lock-app/infineon/psoc6/args.gni
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,10 @@
import("//build_overrides/chip.gni")
import("//build_overrides/pigweed.gni")
import("${chip_root}/config/standalone/args.gni")
import("${chip_root}/src/crypto/crypto.gni")
import("${chip_root}/src/platform/Infineon/PSOC6/args.gni")

psoc6_target_project =
get_label_info(":lock_app_sdk_sources", "label_no_toolchain")

import("${chip_root}/src/platform/Infineon/crypto/trustm/args.gni")
9 changes: 9 additions & 0 deletions examples/lock-app/infineon/psoc6/src/AppTask.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -45,6 +45,10 @@
#include <app/clusters/door-lock-server/door-lock-server.h>
#include <app/clusters/identify-server/identify-server.h>

#if ENABLE_DEVICE_ATTESTATION
#include <DeviceAttestationCredsExampleTrustM.h>
#endif

/* OTA related includes */
#if CHIP_DEVICE_CONFIG_ENABLE_OTA_REQUESTOR
#include <app/clusters/ota-requestor/BDXDownloader.h>
Expand Down Expand Up @@ -157,7 +161,12 @@ static void InitServer(intptr_t context)
chip::DeviceLayer::SetDeviceInfoProvider(&gExampleDeviceInfoProvider);

// Initialize device attestation config
#if ENABLE_DEVICE_ATTESTATION
SetDeviceAttestationCredentialsProvider(Examples::GetExampleTrustMDACProvider());
#else
SetDeviceAttestationCredentialsProvider(Examples::GetExampleDACProvider());
#endif

#if CHIP_DEVICE_CONFIG_ENABLE_OTA_REQUESTOR
GetAppTask().InitOTARequestor();
#endif
Expand Down
1 change: 1 addition & 0 deletions scripts/build/build/targets.py
Original file line number Diff line number Diff line change
Expand Up @@ -409,6 +409,7 @@ def BuildInfineonTarget():
# modifiers
target.AppendModifier('ota', enable_ota_requestor=True)
target.AppendModifier('updateimage', update_image=True)
target.AppendModifier('trustm', enable_trustm=True)

return target

Expand Down
7 changes: 6 additions & 1 deletion scripts/build/builders/infineon.py
Original file line number Diff line number Diff line change
Expand Up @@ -80,7 +80,8 @@ def __init__(self,
app: InfineonApp = InfineonApp.LOCK,
board: InfineonBoard = InfineonBoard.PSOC6BOARD,
enable_ota_requestor: bool = False,
update_image: bool = False):
update_image: bool = False,
enable_trustm: bool = False):
super(InfineonBuilder, self).__init__(
root=app.BuildRoot(root),
runner=runner)
Expand All @@ -92,6 +93,10 @@ def __init__(self,
self.extra_gn_options.append('chip_enable_ota_requestor=true')
if update_image:
self.extra_gn_options.append('build_update_image=true')
if enable_trustm:
self.extra_gn_options.append('chip_crypto=\"platform\"')
if enable_trustm is False:
self.extra_gn_options.append('chip_crypto=\"mbedtls\"')

def GnBuildArgs(self):
return self.extra_gn_options
Expand Down
2 changes: 1 addition & 1 deletion scripts/build/testdata/all_targets_linux_x64.txt
Original file line number Diff line number Diff line change
Expand Up @@ -13,7 +13,7 @@ linux-fake-tests[-mbedtls][-boringssl][-asan][-tsan][-ubsan][-libfuzzer][-ossfuz
linux-{x64,arm64}-{rpc-console,all-clusters,all-clusters-minimal,chip-tool,thermostat,java-matter-controller,kotlin-matter-controller,minmdns,light,lock,shell,ota-provider,ota-requestor,simulated-app1,simulated-app2,python-bindings,tv-app,tv-casting-app,bridge,tests,chip-cert,address-resolve-tool,contact-sensor,dishwasher,microwave-oven,refrigerator,rvc,air-purifier,lit-icd,air-quality-sensor,network-manager,energy-management}[-nodeps][-nlfaultinject][-platform-mdns][-minmdns-verbose][-libnl][-same-event-loop][-no-interactive][-ipv6only][-no-ble][-no-wifi][-no-thread][-mbedtls][-boringssl][-asan][-tsan][-ubsan][-libfuzzer][-ossfuzz][-coverage][-dmalloc][-clang][-test][-rpc][-with-ui][-evse-test-event]
linux-x64-efr32-test-runner[-clang]
imx-{chip-tool,lighting-app,thermostat,all-clusters-app,all-clusters-minimal-app,ota-provider-app}[-release]
infineon-psoc6-{lock,light,all-clusters,all-clusters-minimal}[-ota][-updateimage]
infineon-psoc6-{lock,light,all-clusters,all-clusters-minimal}[-ota][-updateimage][-trustm]
rw61x-{all-clusters-app,thermostat,laundry-washer}[-ota][-wifi][-thread][-factory-data][-matter-shell]
nxp-{k32w0,k32w1}-{lighting,contact-sensor}[-factory][-low-power][-lit][-fro32k][-smu2][-dac-conversion][-rotating-id][-sw-v2]
mbed-cy8cproto_062_4343w-{lock,light,all-clusters,all-clusters-minimal,pigweed,ota-requestor,shell}[-release][-develop][-debug]
Expand Down
20 changes: 20 additions & 0 deletions src/platform/Infineon/crypto/infineon_crypto.gni
Original file line number Diff line number Diff line change
@@ -0,0 +1,20 @@
# Copyright (c) 2024 Project CHIP Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

declare_args() {
infineon_crypto_impl = ""
infineon_crypto_root = ""
}
assert(infineon_crypto_impl != "", "infineon_crypto_impl should be defined")
assert(infineon_crypto_root != "", "infineon_crypto_root should be defined")
64 changes: 64 additions & 0 deletions src/platform/Infineon/crypto/trustm/BUILD.gn
Original file line number Diff line number Diff line change
@@ -0,0 +1,64 @@
# Copyright (c) 2024 Project CHIP Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

import("//build_overrides/chip.gni")
import("//build_overrides/nlassert.gni")
import("${chip_root}/build/chip/buildconfig_header.gni")
import("${chip_root}/src/crypto/crypto.gni")
import("${chip_root}/src/platform/Infineon/crypto/trustm/args.gni")

if (chip_crypto == "platform") {
import("//build_overrides/mbedtls.gni")
}

source_set("public_headers") {
sources = []

public_deps = [
"${chip_root}/src/crypto",
"${chip_root}/src/lib/asn1",
"${chip_root}/src/lib/core",
"${chip_root}/src/lib/support",
"${nlassert_root}:nlassert",
]
}

static_library("infineon_crypto_lib") {
sources = [
"CHIPCryptoPALHost.cpp",
"CHIPCryptoPALHsm_HKDF_trustm.cpp",
"CHIPCryptoPALHsm_HMAC_trustm.cpp",
"CHIPCryptoPALHsm_P256_trustm.cpp",
"CHIPCryptoPALHsm_rng_trustm.cpp",
"CHIPCryptoPALHsm_utils_trustm.cpp",
"CHIPCryptoPAL_HostFallBack.cpp",
"DeviceAttestationCredsExampleTrustM.cpp",
]

public_deps = [ ":public_headers" ]
public_configs = []
public_deps += [ "${chip_root}/third_party/infineon/trustm:optiga-trust-m" ]
public_configs += [ "${chip_root}/third_party/infineon/trustm:trustm_config" ]
deps = [ "${chip_root}/${infineon_crypto_root}:optiga-trust-m" ]
external_mbedtls = current_os == "zephyr"

if (!external_mbedtls) {
public_deps += [ "${mbedtls_root}:mbedtls" ]
}
include_dirs = [
".",
"${chip_root}/src/crypto",
"${chip_root}/src/platform/Infineon/crypto/trustm",
]
}
Loading

0 comments on commit 6a7961d

Please sign in to comment.