From 7a5b7c51da9a84d50c2aa21e7aee762f83e8647a Mon Sep 17 00:00:00 2001 From: Ricardo Casallas Date: Thu, 30 Jun 2022 15:17:17 -0400 Subject: [PATCH] EFR32: DeviceAttestationCredentialsProvider: Review comments applied. --- examples/chef/efr32/src/AppTask.cpp | 9 --------- examples/chef/efr32/src/main.cpp | 16 ++++++++++++++++ examples/light-switch-app/efr32/src/AppTask.cpp | 17 ----------------- examples/light-switch-app/efr32/src/main.cpp | 16 ++++++++++++++++ examples/lighting-app/efr32/src/AppTask.cpp | 17 ----------------- examples/lighting-app/efr32/src/main.cpp | 16 ++++++++++++++++ examples/lock-app/efr32/src/AppTask.cpp | 17 ----------------- examples/lock-app/efr32/src/main.cpp | 16 ++++++++++++++++ examples/platform/efr32/BUILD.gn | 10 ++++++---- examples/platform/efr32/efr32_creds.h | 15 ++++++++++++--- src/lib/lib.gni | 3 +++ .../EFR32/EFR32DeviceAttestationCreds.cpp | 8 ++++---- .../EFR32/EFR32DeviceAttestationCreds.h | 2 +- 13 files changed, 90 insertions(+), 72 deletions(-) diff --git a/examples/chef/efr32/src/AppTask.cpp b/examples/chef/efr32/src/AppTask.cpp index 15ff91d64a5fa6..b6450ba696d126 100644 --- a/examples/chef/efr32/src/AppTask.cpp +++ b/examples/chef/efr32/src/AppTask.cpp @@ -43,9 +43,6 @@ #include -#include -#include - #include #include @@ -167,7 +164,6 @@ Identify gIdentify = { } // namespace using namespace chip::TLV; -using namespace ::chip::Credentials; using namespace ::chip::DeviceLayer; AppTask AppTask::sAppTask; @@ -205,11 +201,6 @@ CHIP_ERROR AppTask::Init() sWiFiNetworkCommissioningInstance.Init(); #endif - chip::DeviceLayer::PlatformMgr().LockChipStack(); - // Initialize device attestation config - SetDeviceAttestationCredentialsProvider(Examples::GetExampleDACProvider()); - chip::DeviceLayer::PlatformMgr().UnlockChipStack(); - // Create FreeRTOS sw timer for Function Selection. sFunctionTimer = xTimerCreate("FnTmr", // Just a text name, not used by the RTOS kernel 1, // == default timer period (mS) diff --git a/examples/chef/efr32/src/main.cpp b/examples/chef/efr32/src/main.cpp index 920f51b8e5805d..3f2cc598599b4e 100644 --- a/examples/chef/efr32/src/main.cpp +++ b/examples/chef/efr32/src/main.cpp @@ -25,12 +25,19 @@ #include "sl_system_kernel.h" #include #include +#include #include +#if EFR32_ATTESTATION_CREDENTIALS +#include +#else +#include +#endif #define BLE_DEV_NAME "SiLabs-Chef-App" using namespace ::chip; using namespace ::chip::Inet; using namespace ::chip::DeviceLayer; +using namespace ::chip::Credentials; #define UNUSED_PARAMETER(a) (a = a) @@ -49,6 +56,15 @@ int main(void) gExampleDeviceInfoProvider.SetStorageDelegate(&Server::GetInstance().GetPersistentStorage()); chip::DeviceLayer::SetDeviceInfoProvider(&gExampleDeviceInfoProvider); + chip::DeviceLayer::PlatformMgr().LockChipStack(); + // Initialize device attestation config +#if EFR32_ATTESTATION_CREDENTIALS + SetDeviceAttestationCredentialsProvider(EFR32::GetEFR32DacProvider()); +#else + SetDeviceAttestationCredentialsProvider(Examples::GetExampleDACProvider()); +#endif + chip::DeviceLayer::PlatformMgr().UnlockChipStack(); + EFR32_LOG("Starting App Task"); if (GetAppTask().StartAppTask() != CHIP_NO_ERROR) appError(CHIP_ERROR_INTERNAL); diff --git a/examples/light-switch-app/efr32/src/AppTask.cpp b/examples/light-switch-app/efr32/src/AppTask.cpp index d92124af297648..da0e20396ba733 100644 --- a/examples/light-switch-app/efr32/src/AppTask.cpp +++ b/examples/light-switch-app/efr32/src/AppTask.cpp @@ -41,13 +41,6 @@ #include -#include -#ifdef EFR32_ATTESTATION_CREDENTIALS -#include -#else -#include -#endif - #include #include @@ -162,7 +155,6 @@ Identify gIdentify = { }; } // namespace using namespace chip::TLV; -using namespace ::chip::Credentials; using namespace ::chip::DeviceLayer; AppTask AppTask::sAppTask; @@ -200,15 +192,6 @@ CHIP_ERROR AppTask::Init() sWiFiNetworkCommissioningInstance.Init(); #endif - chip::DeviceLayer::PlatformMgr().LockChipStack(); - // Initialize device attestation config -#ifdef EFR32_ATTESTATION_CREDENTIALS - SetDeviceAttestationCredentialsProvider(EFR32::GetDACProvider()); -#else - SetDeviceAttestationCredentialsProvider(Examples::GetExampleDACProvider()); -#endif - chip::DeviceLayer::PlatformMgr().UnlockChipStack(); - // Create FreeRTOS sw timer for Function Selection. sFunctionTimer = xTimerCreate("FnTmr", // Just a text name, not used by the RTOS kernel 1, // == default timer period (mS) diff --git a/examples/light-switch-app/efr32/src/main.cpp b/examples/light-switch-app/efr32/src/main.cpp index 685d223daf8eed..12e9d085b953ef 100644 --- a/examples/light-switch-app/efr32/src/main.cpp +++ b/examples/light-switch-app/efr32/src/main.cpp @@ -25,12 +25,19 @@ #include "sl_system_kernel.h" #include #include +#include #include +#if EFR32_ATTESTATION_CREDENTIALS +#include +#else +#include +#endif #define BLE_DEV_NAME "SiLabs-Light-Switch" using namespace ::chip; using namespace ::chip::Inet; using namespace ::chip::DeviceLayer; +using namespace ::chip::Credentials; #define UNUSED_PARAMETER(a) (a = a) @@ -49,6 +56,15 @@ int main(void) gExampleDeviceInfoProvider.SetStorageDelegate(&Server::GetInstance().GetPersistentStorage()); chip::DeviceLayer::SetDeviceInfoProvider(&gExampleDeviceInfoProvider); + chip::DeviceLayer::PlatformMgr().LockChipStack(); + // Initialize device attestation config +#if EFR32_ATTESTATION_CREDENTIALS + SetDeviceAttestationCredentialsProvider(EFR32::GetEFR32DacProvider()); +#else + SetDeviceAttestationCredentialsProvider(Examples::GetExampleDACProvider()); +#endif + chip::DeviceLayer::PlatformMgr().UnlockChipStack(); + EFR32_LOG("Starting App Task"); if (GetAppTask().StartAppTask() != CHIP_NO_ERROR) appError(CHIP_ERROR_INTERNAL); diff --git a/examples/lighting-app/efr32/src/AppTask.cpp b/examples/lighting-app/efr32/src/AppTask.cpp index 4e43169e4a1a2c..3edc00dfa8855e 100644 --- a/examples/lighting-app/efr32/src/AppTask.cpp +++ b/examples/lighting-app/efr32/src/AppTask.cpp @@ -39,13 +39,6 @@ #include -#include -#if EFR32_ATTESTATION_CREDENTIALS -#include -#else -#include -#endif - #include #include @@ -167,7 +160,6 @@ Identify gIdentify = { } // namespace using namespace chip::TLV; -using namespace ::chip::Credentials; using namespace ::chip::DeviceLayer; AppTask AppTask::sAppTask; @@ -205,15 +197,6 @@ CHIP_ERROR AppTask::Init() sWiFiNetworkCommissioningInstance.Init(); #endif - chip::DeviceLayer::PlatformMgr().LockChipStack(); - // Initialize device attestation config -#if EFR32_ATTESTATION_CREDENTIALS - SetDeviceAttestationCredentialsProvider(EFR32::GetDACProvider()); -#else - SetDeviceAttestationCredentialsProvider(Examples::GetExampleDACProvider()); -#endif - chip::DeviceLayer::PlatformMgr().UnlockChipStack(); - // Create FreeRTOS sw timer for Function Selection. sFunctionTimer = xTimerCreate("FnTmr", // Just a text name, not used by the RTOS kernel 1, // == default timer period (mS) diff --git a/examples/lighting-app/efr32/src/main.cpp b/examples/lighting-app/efr32/src/main.cpp index 54137f45c89043..1484e6e18a4290 100644 --- a/examples/lighting-app/efr32/src/main.cpp +++ b/examples/lighting-app/efr32/src/main.cpp @@ -25,12 +25,19 @@ #include "sl_system_kernel.h" #include #include +#include #include +#if EFR32_ATTESTATION_CREDENTIALS +#include +#else +#include +#endif #define BLE_DEV_NAME "SiLabs-Light" using namespace ::chip; using namespace ::chip::Inet; using namespace ::chip::DeviceLayer; +using namespace ::chip::Credentials; #define UNUSED_PARAMETER(a) (a = a) @@ -49,6 +56,15 @@ int main(void) gExampleDeviceInfoProvider.SetStorageDelegate(&chip::Server::GetInstance().GetPersistentStorage()); chip::DeviceLayer::SetDeviceInfoProvider(&gExampleDeviceInfoProvider); + chip::DeviceLayer::PlatformMgr().LockChipStack(); + // Initialize device attestation config +#if EFR32_ATTESTATION_CREDENTIALS + SetDeviceAttestationCredentialsProvider(EFR32::GetEFR32DacProvider()); +#else + SetDeviceAttestationCredentialsProvider(Examples::GetExampleDACProvider()); +#endif + chip::DeviceLayer::PlatformMgr().UnlockChipStack(); + EFR32_LOG("Starting App Task"); if (GetAppTask().StartAppTask() != CHIP_NO_ERROR) appError(CHIP_ERROR_INTERNAL); diff --git a/examples/lock-app/efr32/src/AppTask.cpp b/examples/lock-app/efr32/src/AppTask.cpp index c835b26bdbc036..d87601c361fd74 100644 --- a/examples/lock-app/efr32/src/AppTask.cpp +++ b/examples/lock-app/efr32/src/AppTask.cpp @@ -43,13 +43,6 @@ #include -#include -#ifdef EFR32_ATTESTATION_CREDENTIALS -#include -#else -#include -#endif - #include #include @@ -176,7 +169,6 @@ Identify gIdentify = { } // namespace using namespace chip::TLV; -using namespace ::chip::Credentials; using namespace ::chip::DeviceLayer; AppTask AppTask::sAppTask; @@ -214,15 +206,6 @@ CHIP_ERROR AppTask::Init() sWiFiNetworkCommissioningInstance.Init(); #endif - chip::DeviceLayer::PlatformMgr().LockChipStack(); - // Initialize device attestation config -#ifdef EFR32_ATTESTATION_CREDENTIALS - SetDeviceAttestationCredentialsProvider(EFR32::GetDACProvider()); -#else - SetDeviceAttestationCredentialsProvider(Examples::GetExampleDACProvider()); -#endif - chip::DeviceLayer::PlatformMgr().UnlockChipStack(); - // Create FreeRTOS sw timer for Function Selection. sFunctionTimer = xTimerCreate("FnTmr", // Just a text name, not used by the RTOS kernel 1, // == default timer period (mS) diff --git a/examples/lock-app/efr32/src/main.cpp b/examples/lock-app/efr32/src/main.cpp index cbc0c3643f07ff..444910bf16856e 100644 --- a/examples/lock-app/efr32/src/main.cpp +++ b/examples/lock-app/efr32/src/main.cpp @@ -25,12 +25,19 @@ #include "sl_system_kernel.h" #include #include +#include #include +#if EFR32_ATTESTATION_CREDENTIALS +#include +#else +#include +#endif #define BLE_DEV_NAME "SiLabs-Door-Lock" using namespace ::chip; using namespace ::chip::Inet; using namespace ::chip::DeviceLayer; +using namespace ::chip::Credentials; #define UNUSED_PARAMETER(a) (a = a) @@ -49,6 +56,15 @@ int main(void) gExampleDeviceInfoProvider.SetStorageDelegate(&Server::GetInstance().GetPersistentStorage()); chip::DeviceLayer::SetDeviceInfoProvider(&gExampleDeviceInfoProvider); + chip::DeviceLayer::PlatformMgr().LockChipStack(); + // Initialize device attestation config +#if EFR32_ATTESTATION_CREDENTIALS + SetDeviceAttestationCredentialsProvider(EFR32::GetEFR32DacProvider()); +#else + SetDeviceAttestationCredentialsProvider(Examples::GetExampleDACProvider()); +#endif + chip::DeviceLayer::PlatformMgr().UnlockChipStack(); + EFR32_LOG("Starting App Task"); if (GetAppTask().StartAppTask() != CHIP_NO_ERROR) appError(CHIP_ERROR_INTERNAL); diff --git a/examples/platform/efr32/BUILD.gn b/examples/platform/efr32/BUILD.gn index 7b981b118798d7..dc11cd24df4149 100644 --- a/examples/platform/efr32/BUILD.gn +++ b/examples/platform/efr32/BUILD.gn @@ -38,10 +38,12 @@ config("chip_examples_project_config") { "-Wl,--wrap=_calloc_r", ] - defines = [ - # Set to 1 to enable EFR32 attestation credentials - "EFR32_ATTESTATION_CREDENTIALS=0", - ] + if (chip_build_device_attestation_credentials) { + defines = [ + # Set to 1 to enable EFR32 attestation credentials + "EFR32_ATTESTATION_CREDENTIALS=1", + ] + } } source_set("openthread_core_config_efr32_chip_examples") { diff --git a/examples/platform/efr32/efr32_creds.h b/examples/platform/efr32/efr32_creds.h index 3ce14016918ad3..52514adec3969f 100644 --- a/examples/platform/efr32/efr32_creds.h +++ b/examples/platform/efr32/efr32_creds.h @@ -1,5 +1,14 @@ -#ifndef MATTER_DEVICE_CREDENTIALS_EFR32 -#define MATTER_DEVICE_CREDENTIALS_EFR32 +/** + * This is a boilerplat header to define the EFR32 authentication credentials. + * Applications must provide their own version of this header, and include: + * - The content of the CSA-provided Certification Declaration + * - The location and size of the PAI, and DAC + * - The key ID of the key-pair associated with the DAC + * + * These credentials MUST be provided if the build variable "chip_build_device_attestation_credentials" is set to true. + */ +#ifndef EFR32_EXAMPLE_DEVICE_CREDENTIALS +#define EFR32_EXAMPLE_DEVICE_CREDENTIALS //-> format_version = 1 //-> vendor_id = 0xFFF1 @@ -54,4 +63,4 @@ const uint8_t kCertificationDeclaration[541] = { #define MFG_MATTER_DAC_SIZE 492 #define MFG_MATTER_DAC_KEY_ID PSA_KEY_ID_USER_MIN + 1 -#endif // MATTER_DEVICE_CREDENTIALS_EFR32 +#endif // EFR32_EXAMPLE_DEVICE_CREDENTIALS diff --git a/src/lib/lib.gni b/src/lib/lib.gni index c78be22c2d9196..fd93ece8540262 100644 --- a/src/lib/lib.gni +++ b/src/lib/lib.gni @@ -20,4 +20,7 @@ declare_args() { # a Commissioner or Administrator that employs different or more complex # logic, this should be set to false. chip_build_default_attestation_verifier = true + + # Set to true to enable device-specific attestation credentials + chip_build_device_attestation_credentials = false } diff --git a/src/platform/EFR32/EFR32DeviceAttestationCreds.cpp b/src/platform/EFR32/EFR32DeviceAttestationCreds.cpp index 678099d1c54410..3ef57746e8341b 100644 --- a/src/platform/EFR32/EFR32DeviceAttestationCreds.cpp +++ b/src/platform/EFR32/EFR32DeviceAttestationCreds.cpp @@ -70,9 +70,9 @@ class DeviceAttestationCredsEFR32 : public DeviceAttestationCredentialsProvider CHIP_ERROR SignWithDeviceAttestationKey(const ByteSpan & digest_to_sign, MutableByteSpan & out_buffer) override { - psa_key_id_t key_id = MFG_MATTER_DAC_KEY_ID; - uint8_t signature[chip::Crypto::kSHA256_Hash_Length] = { 0 }; - size_t signature_size = sizeof(signature); + psa_key_id_t key_id = MFG_MATTER_DAC_KEY_ID; + uint8_t signature[64] = { 0 }; + size_t signature_size = sizeof(signature); psa_status_t err = psa_sign_hash(key_id, PSA_ALG_ECDSA(PSA_ALG_SHA_256), digest_to_sign.data(), digest_to_sign.size(), signature, signature_size, &signature_size); @@ -84,7 +84,7 @@ class DeviceAttestationCredsEFR32 : public DeviceAttestationCredentialsProvider } // namespace -DeviceAttestationCredentialsProvider * GetDACProvider() +DeviceAttestationCredentialsProvider * GetEFR32DacProvider() { static DeviceAttestationCredsEFR32 dac_provider; return &dac_provider; diff --git a/src/platform/EFR32/EFR32DeviceAttestationCreds.h b/src/platform/EFR32/EFR32DeviceAttestationCreds.h index 923b8d45f68471..3dbc48a01b0872 100644 --- a/src/platform/EFR32/EFR32DeviceAttestationCreds.h +++ b/src/platform/EFR32/EFR32DeviceAttestationCreds.h @@ -32,7 +32,7 @@ namespace EFR32 { * @returns a singleton DeviceAttestationCredentialsProvider that relies on no * storage abstractions. */ -DeviceAttestationCredentialsProvider * GetDACProvider(); +DeviceAttestationCredentialsProvider * GetEFR32DacProvider(); } // namespace EFR32 } // namespace Credentials