EFR32: DeviceAttestationCredentialsProvider: Review comments applied.

examples/chef/efr32/src/AppTask.cpp

@@ -43,9 +43,6 @@
 
 #include <assert.h>
 
-#include <credentials/DeviceAttestationCredsProvider.h>
-#include <credentials/examples/DeviceAttestationCredsExample.h>
-
 #include <setup_payload/QRCodeSetupPayloadGenerator.h>
 #include <setup_payload/SetupPayload.h>
 
@@ -167,7 +164,6 @@ Identify gIdentify = {
 
 } // namespace
 using namespace chip::TLV;
-using namespace ::chip::Credentials;
 using namespace ::chip::DeviceLayer;
 
 AppTask AppTask::sAppTask;
@@ -205,11 +201,6 @@ CHIP_ERROR AppTask::Init()
     sWiFiNetworkCommissioningInstance.Init();
 #endif
 
-    chip::DeviceLayer::PlatformMgr().LockChipStack();
-    // Initialize device attestation config
-    SetDeviceAttestationCredentialsProvider(Examples::GetExampleDACProvider());
-    chip::DeviceLayer::PlatformMgr().UnlockChipStack();
-
     // Create FreeRTOS sw timer for Function Selection.
     sFunctionTimer = xTimerCreate("FnTmr",          // Just a text name, not used by the RTOS kernel
                                   1,                // == default timer period (mS)

examples/chef/efr32/src/main.cpp

@@ -25,12 +25,19 @@
 #include "sl_system_kernel.h"
 #include <DeviceInfoProviderImpl.h>
 #include <app/server/Server.h>
+#include <credentials/DeviceAttestationCredsProvider.h>
 #include <matter_config.h>
+#if EFR32_ATTESTATION_CREDENTIALS
+#include <platform/EFR32/EFR32DeviceAttestationCreds.h>
+#else
+#include <credentials/examples/DeviceAttestationCredsExample.h>
+#endif
 
 #define BLE_DEV_NAME "SiLabs-Chef-App"
 using namespace ::chip;
 using namespace ::chip::Inet;
 using namespace ::chip::DeviceLayer;
+using namespace ::chip::Credentials;
 
 #define UNUSED_PARAMETER(a) (a = a)
 
@@ -49,6 +56,15 @@ int main(void)
     gExampleDeviceInfoProvider.SetStorageDelegate(&Server::GetInstance().GetPersistentStorage());
     chip::DeviceLayer::SetDeviceInfoProvider(&gExampleDeviceInfoProvider);
 
+    chip::DeviceLayer::PlatformMgr().LockChipStack();
+    // Initialize device attestation config
+#if EFR32_ATTESTATION_CREDENTIALS
+    SetDeviceAttestationCredentialsProvider(EFR32::GetEFR32DacProvider());
+#else
+    SetDeviceAttestationCredentialsProvider(Examples::GetExampleDACProvider());
+#endif
+    chip::DeviceLayer::PlatformMgr().UnlockChipStack();
+
     EFR32_LOG("Starting App Task");
     if (GetAppTask().StartAppTask() != CHIP_NO_ERROR)
         appError(CHIP_ERROR_INTERNAL);

examples/light-switch-app/efr32/src/AppTask.cpp

@@ -41,13 +41,6 @@
 
 #include <assert.h>
 
-#include <credentials/DeviceAttestationCredsProvider.h>
-#ifdef EFR32_ATTESTATION_CREDENTIALS
-#include <platform/EFR32/EFR32DeviceAttestationCreds.h>
-#else
-#include <credentials/examples/DeviceAttestationCredsExample.h>
-#endif
-
 #include <setup_payload/QRCodeSetupPayloadGenerator.h>
 #include <setup_payload/SetupPayload.h>
 
@@ -162,7 +155,6 @@ Identify gIdentify = {
 };
 } // namespace
 using namespace chip::TLV;
-using namespace ::chip::Credentials;
 using namespace ::chip::DeviceLayer;
 
 AppTask AppTask::sAppTask;
@@ -200,15 +192,6 @@ CHIP_ERROR AppTask::Init()
     sWiFiNetworkCommissioningInstance.Init();
 #endif
 
-    chip::DeviceLayer::PlatformMgr().LockChipStack();
-    // Initialize device attestation config
-#ifdef EFR32_ATTESTATION_CREDENTIALS
-    SetDeviceAttestationCredentialsProvider(EFR32::GetDACProvider());
-#else
-    SetDeviceAttestationCredentialsProvider(Examples::GetExampleDACProvider());
-#endif
-    chip::DeviceLayer::PlatformMgr().UnlockChipStack();
-
     // Create FreeRTOS sw timer for Function Selection.
     sFunctionTimer = xTimerCreate("FnTmr",          // Just a text name, not used by the RTOS kernel
                                   1,                // == default timer period (mS)

examples/light-switch-app/efr32/src/main.cpp

@@ -25,12 +25,19 @@
 #include "sl_system_kernel.h"
 #include <DeviceInfoProviderImpl.h>
 #include <app/server/Server.h>
+#include <credentials/DeviceAttestationCredsProvider.h>
 #include <matter_config.h>
+#if EFR32_ATTESTATION_CREDENTIALS
+#include <platform/EFR32/EFR32DeviceAttestationCreds.h>
+#else
+#include <credentials/examples/DeviceAttestationCredsExample.h>
+#endif
 
 #define BLE_DEV_NAME "SiLabs-Light-Switch"
 using namespace ::chip;
 using namespace ::chip::Inet;
 using namespace ::chip::DeviceLayer;
+using namespace ::chip::Credentials;
 
 #define UNUSED_PARAMETER(a) (a = a)
 
@@ -49,6 +56,15 @@ int main(void)
     gExampleDeviceInfoProvider.SetStorageDelegate(&Server::GetInstance().GetPersistentStorage());
     chip::DeviceLayer::SetDeviceInfoProvider(&gExampleDeviceInfoProvider);
 
+    chip::DeviceLayer::PlatformMgr().LockChipStack();
+    // Initialize device attestation config
+#if EFR32_ATTESTATION_CREDENTIALS
+    SetDeviceAttestationCredentialsProvider(EFR32::GetEFR32DacProvider());
+#else
+    SetDeviceAttestationCredentialsProvider(Examples::GetExampleDACProvider());
+#endif
+    chip::DeviceLayer::PlatformMgr().UnlockChipStack();
+
     EFR32_LOG("Starting App Task");
     if (GetAppTask().StartAppTask() != CHIP_NO_ERROR)
         appError(CHIP_ERROR_INTERNAL);

examples/lighting-app/efr32/src/AppTask.cpp

@@ -39,13 +39,6 @@
 
 #include <assert.h>
 
-#include <credentials/DeviceAttestationCredsProvider.h>
-#if EFR32_ATTESTATION_CREDENTIALS
-#include <platform/EFR32/EFR32DeviceAttestationCreds.h>
-#else
-#include <credentials/examples/DeviceAttestationCredsExample.h>
-#endif
-
 #include <setup_payload/QRCodeSetupPayloadGenerator.h>
 #include <setup_payload/SetupPayload.h>
 
@@ -167,7 +160,6 @@ Identify gIdentify = {
 } // namespace
 
 using namespace chip::TLV;
-using namespace ::chip::Credentials;
 using namespace ::chip::DeviceLayer;
 
 AppTask AppTask::sAppTask;
@@ -205,15 +197,6 @@ CHIP_ERROR AppTask::Init()
     sWiFiNetworkCommissioningInstance.Init();
 #endif
 
-    chip::DeviceLayer::PlatformMgr().LockChipStack();
-    // Initialize device attestation config
-#if EFR32_ATTESTATION_CREDENTIALS
-    SetDeviceAttestationCredentialsProvider(EFR32::GetDACProvider());
-#else
-    SetDeviceAttestationCredentialsProvider(Examples::GetExampleDACProvider());
-#endif
-    chip::DeviceLayer::PlatformMgr().UnlockChipStack();
-
     // Create FreeRTOS sw timer for Function Selection.
     sFunctionTimer = xTimerCreate("FnTmr",          // Just a text name, not used by the RTOS kernel
                                   1,                // == default timer period (mS)

examples/lighting-app/efr32/src/main.cpp

@@ -25,12 +25,19 @@
 #include "sl_system_kernel.h"
 #include <DeviceInfoProviderImpl.h>
 #include <app/server/Server.h>
+#include <credentials/DeviceAttestationCredsProvider.h>
 #include <matter_config.h>
+#if EFR32_ATTESTATION_CREDENTIALS
+#include <platform/EFR32/EFR32DeviceAttestationCreds.h>
+#else
+#include <credentials/examples/DeviceAttestationCredsExample.h>
+#endif
 
 #define BLE_DEV_NAME "SiLabs-Light"
 using namespace ::chip;
 using namespace ::chip::Inet;
 using namespace ::chip::DeviceLayer;
+using namespace ::chip::Credentials;
 
 #define UNUSED_PARAMETER(a) (a = a)
 
@@ -49,6 +56,15 @@ int main(void)
     gExampleDeviceInfoProvider.SetStorageDelegate(&chip::Server::GetInstance().GetPersistentStorage());
     chip::DeviceLayer::SetDeviceInfoProvider(&gExampleDeviceInfoProvider);
 
+    chip::DeviceLayer::PlatformMgr().LockChipStack();
+    // Initialize device attestation config
+#if EFR32_ATTESTATION_CREDENTIALS
+    SetDeviceAttestationCredentialsProvider(EFR32::GetEFR32DacProvider());
+#else
+    SetDeviceAttestationCredentialsProvider(Examples::GetExampleDACProvider());
+#endif
+    chip::DeviceLayer::PlatformMgr().UnlockChipStack();
+
     EFR32_LOG("Starting App Task");
     if (GetAppTask().StartAppTask() != CHIP_NO_ERROR)
         appError(CHIP_ERROR_INTERNAL);

examples/lock-app/efr32/src/AppTask.cpp

@@ -43,13 +43,6 @@
 
 #include <assert.h>
 
-#include <credentials/DeviceAttestationCredsProvider.h>
-#ifdef EFR32_ATTESTATION_CREDENTIALS
-#include <platform/EFR32/EFR32DeviceAttestationCreds.h>
-#else
-#include <credentials/examples/DeviceAttestationCredsExample.h>
-#endif
-
 #include <setup_payload/QRCodeSetupPayloadGenerator.h>
 #include <setup_payload/SetupPayload.h>
 
@@ -176,7 +169,6 @@ Identify gIdentify = {
 } // namespace
 
 using namespace chip::TLV;
-using namespace ::chip::Credentials;
 using namespace ::chip::DeviceLayer;
 
 AppTask AppTask::sAppTask;
@@ -214,15 +206,6 @@ CHIP_ERROR AppTask::Init()
     sWiFiNetworkCommissioningInstance.Init();
 #endif
 
-    chip::DeviceLayer::PlatformMgr().LockChipStack();
-    // Initialize device attestation config
-#ifdef EFR32_ATTESTATION_CREDENTIALS
-    SetDeviceAttestationCredentialsProvider(EFR32::GetDACProvider());
-#else
-    SetDeviceAttestationCredentialsProvider(Examples::GetExampleDACProvider());
-#endif
-    chip::DeviceLayer::PlatformMgr().UnlockChipStack();
-
     // Create FreeRTOS sw timer for Function Selection.
     sFunctionTimer = xTimerCreate("FnTmr",          // Just a text name, not used by the RTOS kernel
                                   1,                // == default timer period (mS)

examples/lock-app/efr32/src/main.cpp

@@ -25,12 +25,19 @@
 #include "sl_system_kernel.h"
 #include <DeviceInfoProviderImpl.h>
 #include <app/server/Server.h>
+#include <credentials/DeviceAttestationCredsProvider.h>
 #include <matter_config.h>
+#if EFR32_ATTESTATION_CREDENTIALS
+#include <platform/EFR32/EFR32DeviceAttestationCreds.h>
+#else
+#include <credentials/examples/DeviceAttestationCredsExample.h>
+#endif
 
 #define BLE_DEV_NAME "SiLabs-Door-Lock"
 using namespace ::chip;
 using namespace ::chip::Inet;
 using namespace ::chip::DeviceLayer;
+using namespace ::chip::Credentials;
 
 #define UNUSED_PARAMETER(a) (a = a)
 
@@ -49,6 +56,15 @@ int main(void)
     gExampleDeviceInfoProvider.SetStorageDelegate(&Server::GetInstance().GetPersistentStorage());
     chip::DeviceLayer::SetDeviceInfoProvider(&gExampleDeviceInfoProvider);
 
+    chip::DeviceLayer::PlatformMgr().LockChipStack();
+    // Initialize device attestation config
+#if EFR32_ATTESTATION_CREDENTIALS
+    SetDeviceAttestationCredentialsProvider(EFR32::GetEFR32DacProvider());
+#else
+    SetDeviceAttestationCredentialsProvider(Examples::GetExampleDACProvider());
+#endif
+    chip::DeviceLayer::PlatformMgr().UnlockChipStack();
+
     EFR32_LOG("Starting App Task");
     if (GetAppTask().StartAppTask() != CHIP_NO_ERROR)
         appError(CHIP_ERROR_INTERNAL);

examples/platform/efr32/BUILD.gn

@@ -38,10 +38,12 @@ config("chip_examples_project_config") {
     "-Wl,--wrap=_calloc_r",
   ]
 
-  defines = [
-    # Set to 1 to enable EFR32 attestation credentials
-    "EFR32_ATTESTATION_CREDENTIALS=0",
-  ]
+  if (chip_build_device_attestation_credentials) {
+    defines = [
+      # Set to 1 to enable EFR32 attestation credentials
+      "EFR32_ATTESTATION_CREDENTIALS=1",
+    ]
+  }
 }
 
 source_set("openthread_core_config_efr32_chip_examples") {

examples/platform/efr32/efr32_creds.h

@@ -1,5 +1,14 @@
-#ifndef MATTER_DEVICE_CREDENTIALS_EFR32
-#define MATTER_DEVICE_CREDENTIALS_EFR32
+/**
+ * This is a boilerplat header to define the EFR32 authentication credentials.
+ * Applications must provide their own version of this header, and include:
+ *  - The content of the CSA-provided Certification Declaration
+ *  - The location and size of the PAI, and DAC
+ *  - The key ID of the key-pair associated with the DAC
+ *
+ *  These credentials MUST be provided if the build variable "chip_build_device_attestation_credentials" is set to true.
+ */
+#ifndef EFR32_EXAMPLE_DEVICE_CREDENTIALS
+#define EFR32_EXAMPLE_DEVICE_CREDENTIALS
 
 //-> format_version = 1
 //-> vendor_id = 0xFFF1
@@ -54,4 +63,4 @@ const uint8_t kCertificationDeclaration[541] = {
 #define MFG_MATTER_DAC_SIZE 492
 #define MFG_MATTER_DAC_KEY_ID PSA_KEY_ID_USER_MIN + 1
 
-#endif // MATTER_DEVICE_CREDENTIALS_EFR32
+#endif // EFR32_EXAMPLE_DEVICE_CREDENTIALS

src/lib/lib.gni

@@ -20,4 +20,7 @@ declare_args() {
   # a Commissioner or Administrator that employs different or more complex
   # logic, this should be set to false.
   chip_build_default_attestation_verifier = true
+
+  # Set to true to enable device-specific attestation credentials
+  chip_build_device_attestation_credentials = false
 }

src/platform/EFR32/EFR32DeviceAttestationCreds.cpp

@@ -70,9 +70,9 @@ class DeviceAttestationCredsEFR32 : public DeviceAttestationCredentialsProvider
 
     CHIP_ERROR SignWithDeviceAttestationKey(const ByteSpan & digest_to_sign, MutableByteSpan & out_buffer) override
     {
-        psa_key_id_t key_id                                  = MFG_MATTER_DAC_KEY_ID;
-        uint8_t signature[chip::Crypto::kSHA256_Hash_Length] = { 0 };
-        size_t signature_size                                = sizeof(signature);
+        psa_key_id_t key_id   = MFG_MATTER_DAC_KEY_ID;
+        uint8_t signature[64] = { 0 };
+        size_t signature_size = sizeof(signature);
 
         psa_status_t err = psa_sign_hash(key_id, PSA_ALG_ECDSA(PSA_ALG_SHA_256), digest_to_sign.data(), digest_to_sign.size(),
                                          signature, signature_size, &signature_size);
@@ -84,7 +84,7 @@ class DeviceAttestationCredsEFR32 : public DeviceAttestationCredentialsProvider
 
 } // namespace
 
-DeviceAttestationCredentialsProvider * GetDACProvider()
+DeviceAttestationCredentialsProvider * GetEFR32DacProvider()
 {
     static DeviceAttestationCredsEFR32 dac_provider;
     return &dac_provider;

src/platform/EFR32/EFR32DeviceAttestationCreds.h

@@ -32,7 +32,7 @@ namespace EFR32 {
  * @returns a singleton DeviceAttestationCredentialsProvider that relies on no
  *          storage abstractions.
  */
-DeviceAttestationCredentialsProvider * GetDACProvider();
+DeviceAttestationCredentialsProvider * GetEFR32DacProvider();
 
 } // namespace EFR32
 } // namespace Credentials