Using HSM for device attestation (#11528)

* Using HSM for device attestation phase * added se05x platform specific device attestation cred file * printing long int * build fix * restyled * Revert "printing long int" This reverts commit d97b883. * Init of key after checks, Added new build arg to enable HSM for device attestation Co-authored-by: Jagadish B E <[email protected]> Co-authored-by: Jagadish-NXP <[email protected]>
project-chip · Feb 11, 2022 · a84b0c2 · a84b0c2
1 parent 1691628
commit a84b0c2
Show file tree

Hide file tree

Showing 11 changed files with 319 additions and 3 deletions.
diff --git a/examples/lighting-app/nxp/k32w/k32w0/BUILD.gn b/examples/lighting-app/nxp/k32w/k32w0/BUILD.gn
@@ -19,6 +19,8 @@ import("//build_overrides/openthread.gni")
 import("${k32w0_sdk_build_root}/k32w0_executable.gni")
 import("${k32w0_sdk_build_root}/k32w0_sdk.gni")
 
+import("${chip_root}/src/crypto/crypto.gni")
+
 assert(current_os == "freertos")
 
 k32w0_platform_dir = "${chip_root}/examples/platform/nxp/k32w/k32w0"
@@ -43,6 +45,10 @@ k32w0_sdk("sdk") {
     "${k32w0_platform_dir}/util/include",
   ]
 
+  if (chip_with_se05x == 1) {
+    include_dirs += [ "${chip_root}/examples/platform/nxp/se05x" ]
+  }
+
   defines = []
   if (is_debug) {
     defines += [ "BUILD_RELEASE=0" ]

diff --git a/examples/lighting-app/nxp/k32w/k32w0/main/AppTask.cpp b/examples/lighting-app/nxp/k32w/k32w0/main/AppTask.cpp
@@ -39,6 +39,13 @@
 #include "TimersManager.h"
 #include "app_config.h"
 
+#if CHIP_CRYPTO_HSM
+#include <crypto/hsm/CHIPCryptoPALHsm.h>
+#endif
+#ifdef ENABLE_HSM_DEVICE_ATTESTATION
+#include "DeviceAttestationSe05xCredsExample.h"
+#endif
+
 #define FACTORY_RESET_TRIGGER_TIMEOUT 6000
 #define FACTORY_RESET_CANCEL_WINDOW_TIMEOUT 3000
 #define APP_TASK_STACK_SIZE (4096)
@@ -90,7 +97,11 @@ CHIP_ERROR AppTask::Init()
     chip::Server::GetInstance().Init();
 
     // Initialize device attestation config
+#ifdef ENABLE_HSM_DEVICE_ATTESTATION
+    SetDeviceAttestationCredentialsProvider(Examples::GetExampleSe05xDACProvider());
+#else
     SetDeviceAttestationCredentialsProvider(Examples::GetExampleDACProvider());
+#endif
 
     // QR code will be used with CHIP Tool
     PrintOnboardingCodes(chip::RendezvousInformationFlags(chip::RendezvousInformationFlag::kBLE));

diff --git a/examples/platform/nxp/se05x/DeviceAttestationSe05xCredsExample.cpp b/examples/platform/nxp/se05x/DeviceAttestationSe05xCredsExample.cpp
@@ -0,0 +1,238 @@
+/*
+ *
+ *    Copyright (c) 2021 Project CHIP Authors
+ *
+ *    Licensed under the Apache License, Version 2.0 (the "License");
+ *    you may not use this file except in compliance with the License.
+ *    You may obtain a copy of the License at
+ *
+ *        http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *    Unless required by applicable law or agreed to in writing, software
+ *    distributed under the License is distributed on an "AS IS" BASIS,
+ *    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *    See the License for the specific language governing permissions and
+ *    limitations under the License.
+ */
+#include "DeviceAttestationSe05xCredsExample.h"
+
+#include <crypto/CHIPCryptoPAL.h>
+
+#include <lib/core/CHIPError.h>
+#include <lib/support/Span.h>
+
+#if CHIP_CRYPTO_HSM
+#include <crypto/hsm/CHIPCryptoPALHsm.h>
+#endif
+
+#ifdef ENABLE_HSM_DEVICE_ATTESTATION
+
+#define DEV_ATTESTATION_KEY 0xDADADADA
+
+namespace chip {
+namespace Credentials {
+namespace Examples {
+
+namespace {
+
+class ExampleSe05xDACProvider : public DeviceAttestationCredentialsProvider
+{
+public:
+    CHIP_ERROR GetCertificationDeclaration(MutableByteSpan & out_cd_buffer) override;
+    CHIP_ERROR GetFirmwareInformation(MutableByteSpan & out_firmware_info_buffer) override;
+    CHIP_ERROR GetDeviceAttestationCert(MutableByteSpan & out_dac_buffer) override;
+    CHIP_ERROR GetProductAttestationIntermediateCert(MutableByteSpan & out_pai_buffer) override;
+    CHIP_ERROR SignWithDeviceAttestationKey(const ByteSpan & digest_to_sign, MutableByteSpan & out_signature_buffer) override;
+};
+
+CHIP_ERROR ExampleSe05xDACProvider::GetDeviceAttestationCert(MutableByteSpan & out_dac_buffer)
+{
+    /*
+    credentials/test/attestation/Chip-Test-DAC-FFF1-8000-000A-Cert.pem
+    -----BEGIN CERTIFICATE-----
+    MIIB6jCCAY+gAwIBAgIIBRpp5eeAND4wCgYIKoZIzj0EAwIwRjEYMBYGA1UEAwwP
+    TWF0dGVyIFRlc3QgUEFJMRQwEgYKKwYBBAGConwCAQwERkZGMTEUMBIGCisGAQQB
+    gqJ8AgIMBDgwMDAwIBcNMjEwNjI4MTQyMzQzWhgPOTk5OTEyMzEyMzU5NTlaMEsx
+    HTAbBgNVBAMMFE1hdHRlciBUZXN0IERBQyAwMDBBMRQwEgYKKwYBBAGConwCAQwE
+    RkZGMTEUMBIGCisGAQQBgqJ8AgIMBDgwMDAwWTATBgcqhkjOPQIBBggqhkjOPQMB
+    BwNCAAR6hFivu5vNFeGa3NJm9mycL2B8dHR6NfgPN+EYEz+A8XYBEyePkfFaoPf4
+    eTIJT+aftyhoqB4ml5s2izO1VDEDo2AwXjAMBgNVHRMBAf8EAjAAMA4GA1UdDwEB
+    /wQEAwIHgDAdBgNVHQ4EFgQU1a2yuIOOyAc8R3LcfoeX/rsjs64wHwYDVR0jBBgw
+    FoAUhPUd/57M2ik1lEhSDoXxKS2j7dcwCgYIKoZIzj0EAwIDSQAwRgIhAPL+Fnlk
+    P0xbynYuijQV7VEwBvzQUtpQbWLYvVFeN70IAiEAvi20eqszdReOEkmgeSCgrG6q
+    OS8H8W2E/ctS268o19k=
+    -----END CERTIFICATE-----
+    */
+    constexpr uint8_t kDacCertificate[] = {
+        0x30, 0x82, 0x01, 0xEA, 0x30, 0x82, 0x01, 0x8F, 0xA0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x08, 0x05, 0x1A, 0x69, 0xE5, 0xE7,
+        0x80, 0x34, 0x3E, 0x30, 0x0A, 0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x04, 0x03, 0x02, 0x30, 0x46, 0x31, 0x18, 0x30,
+        0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0C, 0x0F, 0x4D, 0x61, 0x74, 0x74, 0x65, 0x72, 0x20, 0x54, 0x65, 0x73, 0x74, 0x20,
+        0x50, 0x41, 0x49, 0x31, 0x14, 0x30, 0x12, 0x06, 0x0A, 0x2B, 0x06, 0x01, 0x04, 0x01, 0x82, 0xA2, 0x7C, 0x02, 0x01, 0x0C,
+        0x04, 0x46, 0x46, 0x46, 0x31, 0x31, 0x14, 0x30, 0x12, 0x06, 0x0A, 0x2B, 0x06, 0x01, 0x04, 0x01, 0x82, 0xA2, 0x7C, 0x02,
+        0x02, 0x0C, 0x04, 0x38, 0x30, 0x30, 0x30, 0x30, 0x20, 0x17, 0x0D, 0x32, 0x31, 0x30, 0x36, 0x32, 0x38, 0x31, 0x34, 0x32,
+        0x33, 0x34, 0x33, 0x5A, 0x18, 0x0F, 0x39, 0x39, 0x39, 0x39, 0x31, 0x32, 0x33, 0x31, 0x32, 0x33, 0x35, 0x39, 0x35, 0x39,
+        0x5A, 0x30, 0x4B, 0x31, 0x1D, 0x30, 0x1B, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0C, 0x14, 0x4D, 0x61, 0x74, 0x74, 0x65, 0x72,
+        0x20, 0x54, 0x65, 0x73, 0x74, 0x20, 0x44, 0x41, 0x43, 0x20, 0x30, 0x30, 0x30, 0x41, 0x31, 0x14, 0x30, 0x12, 0x06, 0x0A,
+        0x2B, 0x06, 0x01, 0x04, 0x01, 0x82, 0xA2, 0x7C, 0x02, 0x01, 0x0C, 0x04, 0x46, 0x46, 0x46, 0x31, 0x31, 0x14, 0x30, 0x12,
+        0x06, 0x0A, 0x2B, 0x06, 0x01, 0x04, 0x01, 0x82, 0xA2, 0x7C, 0x02, 0x02, 0x0C, 0x04, 0x38, 0x30, 0x30, 0x30, 0x30, 0x59,
+        0x30, 0x13, 0x06, 0x07, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x02, 0x01, 0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x03, 0x01,
+        0x07, 0x03, 0x42, 0x00, 0x04, 0x7A, 0x84, 0x58, 0xAF, 0xBB, 0x9B, 0xCD, 0x15, 0xE1, 0x9A, 0xDC, 0xD2, 0x66, 0xF6, 0x6C,
+        0x9C, 0x2F, 0x60, 0x7C, 0x74, 0x74, 0x7A, 0x35, 0xF8, 0x0F, 0x37, 0xE1, 0x18, 0x13, 0x3F, 0x80, 0xF1, 0x76, 0x01, 0x13,
+        0x27, 0x8F, 0x91, 0xF1, 0x5A, 0xA0, 0xF7, 0xF8, 0x79, 0x32, 0x09, 0x4F, 0xE6, 0x9F, 0xB7, 0x28, 0x68, 0xA8, 0x1E, 0x26,
+        0x97, 0x9B, 0x36, 0x8B, 0x33, 0xB5, 0x54, 0x31, 0x03, 0xA3, 0x60, 0x30, 0x5E, 0x30, 0x0C, 0x06, 0x03, 0x55, 0x1D, 0x13,
+        0x01, 0x01, 0xFF, 0x04, 0x02, 0x30, 0x00, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x1D, 0x0F, 0x01, 0x01, 0xFF, 0x04, 0x04, 0x03,
+        0x02, 0x07, 0x80, 0x30, 0x1D, 0x06, 0x03, 0x55, 0x1D, 0x0E, 0x04, 0x16, 0x04, 0x14, 0xD5, 0xAD, 0xB2, 0xB8, 0x83, 0x8E,
+        0xC8, 0x07, 0x3C, 0x47, 0x72, 0xDC, 0x7E, 0x87, 0x97, 0xFE, 0xBB, 0x23, 0xB3, 0xAE, 0x30, 0x1F, 0x06, 0x03, 0x55, 0x1D,
+        0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0x84, 0xF5, 0x1D, 0xFF, 0x9E, 0xCC, 0xDA, 0x29, 0x35, 0x94, 0x48, 0x52, 0x0E,
+        0x85, 0xF1, 0x29, 0x2D, 0xA3, 0xED, 0xD7, 0x30, 0x0A, 0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x04, 0x03, 0x02, 0x03,
+        0x49, 0x00, 0x30, 0x46, 0x02, 0x21, 0x00, 0xF2, 0xFE, 0x16, 0x79, 0x64, 0x3F, 0x4C, 0x5B, 0xCA, 0x76, 0x2E, 0x8A, 0x34,
+        0x15, 0xED, 0x51, 0x30, 0x06, 0xFC, 0xD0, 0x52, 0xDA, 0x50, 0x6D, 0x62, 0xD8, 0xBD, 0x51, 0x5E, 0x37, 0xBD, 0x08, 0x02,
+        0x21, 0x00, 0xBE, 0x2D, 0xB4, 0x7A, 0xAB, 0x33, 0x75, 0x17, 0x8E, 0x12, 0x49, 0xA0, 0x79, 0x20, 0xA0, 0xAC, 0x6E, 0xAA,
+        0x39, 0x2F, 0x07, 0xF1, 0x6D, 0x84, 0xFD, 0xCB, 0x52, 0xDB, 0xAF, 0x28, 0xD7, 0xD9
+    };
+
+    return CopySpanToMutableSpan(ByteSpan{ kDacCertificate }, out_dac_buffer);
+}
+
+CHIP_ERROR ExampleSe05xDACProvider::GetProductAttestationIntermediateCert(MutableByteSpan & out_pai_buffer)
+{
+    /*
+    credentials/test/attestation/Chip-Test-PAI-FFF1-8000-Cert.pem
+    -----BEGIN CERTIFICATE-----
+    MIIBvzCCAWagAwIBAgIIfpkqTYmEBRUwCgYIKoZIzj0EAwIwHzEdMBsGA1UEAwwU
+    TWF0dGVyIFRlc3QgUEFBIEZGRjEwIBcNMjEwNjI4MTQyMzQzWhgPOTk5OTEyMzEy
+    MzU5NTlaMEYxGDAWBgNVBAMMD01hdHRlciBUZXN0IFBBSTEUMBIGCisGAQQBgqJ8
+    AgEMBEZGRjExFDASBgorBgEEAYKifAICDAQ4MDAwMFkwEwYHKoZIzj0CAQYIKoZI
+    zj0DAQcDQgAEynPORkG/CDtKM42gQxoKMjB/ZtFgV0tmEi8lBs9q03Djf2XWNHrn
+    l6GXJlBQl200rHtjezvaC1vYQ+2OXV6b8qNjMGEwDwYDVR0TAQH/BAUwAwEB/zAO
+    BgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFIT1Hf+ezNopNZRIUg6F8Skto+3XMB8G
+    A1UdIwQYMBaAFO8Y4OzUZgQ03w28kR7UUhaZZoOfMAoGCCqGSM49BAMCA0cAMEQC
+    IFlGfLWq/BpStUOJbdI73kXQgGxTpzec5xLkqAqtZ6taAiA/mv80v+8mVtOb+tF2
+    WCRrNllsMubAajV+yukQb3k0dQ==
+    -----END CERTIFICATE-----
+    */
+    constexpr uint8_t kPaiCertificate[] = {
+        0x30, 0x82, 0x01, 0xBF, 0x30, 0x82, 0x01, 0x66, 0xA0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x08, 0x7E, 0x99, 0x2A, 0x4D, 0x89,
+        0x84, 0x05, 0x15, 0x30, 0x0A, 0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x04, 0x03, 0x02, 0x30, 0x1F, 0x31, 0x1D, 0x30,
+        0x1B, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0C, 0x14, 0x4D, 0x61, 0x74, 0x74, 0x65, 0x72, 0x20, 0x54, 0x65, 0x73, 0x74, 0x20,
+        0x50, 0x41, 0x41, 0x20, 0x46, 0x46, 0x46, 0x31, 0x30, 0x20, 0x17, 0x0D, 0x32, 0x31, 0x30, 0x36, 0x32, 0x38, 0x31, 0x34,
+        0x32, 0x33, 0x34, 0x33, 0x5A, 0x18, 0x0F, 0x39, 0x39, 0x39, 0x39, 0x31, 0x32, 0x33, 0x31, 0x32, 0x33, 0x35, 0x39, 0x35,
+        0x39, 0x5A, 0x30, 0x46, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0C, 0x0F, 0x4D, 0x61, 0x74, 0x74, 0x65,
+        0x72, 0x20, 0x54, 0x65, 0x73, 0x74, 0x20, 0x50, 0x41, 0x49, 0x31, 0x14, 0x30, 0x12, 0x06, 0x0A, 0x2B, 0x06, 0x01, 0x04,
+        0x01, 0x82, 0xA2, 0x7C, 0x02, 0x01, 0x0C, 0x04, 0x46, 0x46, 0x46, 0x31, 0x31, 0x14, 0x30, 0x12, 0x06, 0x0A, 0x2B, 0x06,
+        0x01, 0x04, 0x01, 0x82, 0xA2, 0x7C, 0x02, 0x02, 0x0C, 0x04, 0x38, 0x30, 0x30, 0x30, 0x30, 0x59, 0x30, 0x13, 0x06, 0x07,
+        0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x02, 0x01, 0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x03, 0x01, 0x07, 0x03, 0x42, 0x00,
+        0x04, 0xCA, 0x73, 0xCE, 0x46, 0x41, 0xBF, 0x08, 0x3B, 0x4A, 0x33, 0x8D, 0xA0, 0x43, 0x1A, 0x0A, 0x32, 0x30, 0x7F, 0x66,
+        0xD1, 0x60, 0x57, 0x4B, 0x66, 0x12, 0x2F, 0x25, 0x06, 0xCF, 0x6A, 0xD3, 0x70, 0xE3, 0x7F, 0x65, 0xD6, 0x34, 0x7A, 0xE7,
+        0x97, 0xA1, 0x97, 0x26, 0x50, 0x50, 0x97, 0x6D, 0x34, 0xAC, 0x7B, 0x63, 0x7B, 0x3B, 0xDA, 0x0B, 0x5B, 0xD8, 0x43, 0xED,
+        0x8E, 0x5D, 0x5E, 0x9B, 0xF2, 0xA3, 0x63, 0x30, 0x61, 0x30, 0x0F, 0x06, 0x03, 0x55, 0x1D, 0x13, 0x01, 0x01, 0xFF, 0x04,
+        0x05, 0x30, 0x03, 0x01, 0x01, 0xFF, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x1D, 0x0F, 0x01, 0x01, 0xFF, 0x04, 0x04, 0x03, 0x02,
+        0x01, 0x06, 0x30, 0x1D, 0x06, 0x03, 0x55, 0x1D, 0x0E, 0x04, 0x16, 0x04, 0x14, 0x84, 0xF5, 0x1D, 0xFF, 0x9E, 0xCC, 0xDA,
+        0x29, 0x35, 0x94, 0x48, 0x52, 0x0E, 0x85, 0xF1, 0x29, 0x2D, 0xA3, 0xED, 0xD7, 0x30, 0x1F, 0x06, 0x03, 0x55, 0x1D, 0x23,
+        0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0xEF, 0x18, 0xE0, 0xEC, 0xD4, 0x66, 0x04, 0x34, 0xDF, 0x0D, 0xBC, 0x91, 0x1E, 0xD4,
+        0x52, 0x16, 0x99, 0x66, 0x83, 0x9F, 0x30, 0x0A, 0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x04, 0x03, 0x02, 0x03, 0x47,
+        0x00, 0x30, 0x44, 0x02, 0x20, 0x59, 0x46, 0x7C, 0xB5, 0xAA, 0xFC, 0x1A, 0x52, 0xB5, 0x43, 0x89, 0x6D, 0xD2, 0x3B, 0xDE,
+        0x45, 0xD0, 0x80, 0x6C, 0x53, 0xA7, 0x37, 0x9C, 0xE7, 0x12, 0xE4, 0xA8, 0x0A, 0xAD, 0x67, 0xAB, 0x5A, 0x02, 0x20, 0x3F,
+        0x9A, 0xFF, 0x34, 0xBF, 0xEF, 0x26, 0x56, 0xD3, 0x9B, 0xFA, 0xD1, 0x76, 0x58, 0x24, 0x6B, 0x36, 0x59, 0x6C, 0x32, 0xE6,
+        0xC0, 0x6A, 0x35, 0x7E, 0xCA, 0xE9, 0x10, 0x6F, 0x79, 0x34, 0x75
+    };
+
+    return CopySpanToMutableSpan(ByteSpan{ kPaiCertificate }, out_pai_buffer);
+}
+
+CHIP_ERROR ExampleSe05xDACProvider::GetCertificationDeclaration(MutableByteSpan & out_cd_buffer)
+{
+    // -> format_version = 1
+    // -> vendor_id = 0xFFF1
+    // -> product_id_array = [ 0x8000 ]
+    // -> device_type_id = 0x1234
+    // -> certificate_id = "ZIG20141ZB330001-24"
+    // -> security_level = 0
+    // -> security_information = 0
+    // -> version_number = 0x2694
+    // -> certification_type = 0
+    // -> dac_origin_vendor_id is not present
+    // -> dac_origin_product_id is not present
+    constexpr uint8_t kCertificationDeclaration[] = {
+        0x30, 0x81, 0xe8, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x02, 0xa0, 0x81, 0xda, 0x30, 0x81, 0xd7,
+        0x02, 0x01, 0x03, 0x31, 0x0d, 0x30, 0x0b, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x30, 0x45,
+        0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01, 0xa0, 0x38, 0x04, 0x36, 0x15, 0x24, 0x00, 0x01, 0x25,
+        0x01, 0xf1, 0xff, 0x36, 0x02, 0x05, 0x00, 0x80, 0x18, 0x25, 0x03, 0x34, 0x12, 0x2c, 0x04, 0x13, 0x5a, 0x49, 0x47, 0x32,
+        0x30, 0x31, 0x34, 0x31, 0x5a, 0x42, 0x33, 0x33, 0x30, 0x30, 0x30, 0x31, 0x2d, 0x32, 0x34, 0x24, 0x05, 0x00, 0x24, 0x06,
+        0x00, 0x25, 0x07, 0x94, 0x26, 0x24, 0x08, 0x00, 0x18, 0x31, 0x7c, 0x30, 0x7a, 0x02, 0x01, 0x03, 0x80, 0x14, 0x62, 0xfa,
+        0x82, 0x33, 0x59, 0xac, 0xfa, 0xa9, 0x96, 0x3e, 0x1c, 0xfa, 0x14, 0x0a, 0xdd, 0xf5, 0x04, 0xf3, 0x71, 0x60, 0x30, 0x0b,
+        0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d,
+        0x04, 0x03, 0x02, 0x04, 0x46, 0x30, 0x44, 0x02, 0x20, 0x43, 0xa6, 0x3f, 0x2b, 0x94, 0x3d, 0xf3, 0x3c, 0x38, 0xb3, 0xe0,
+        0x2f, 0xca, 0xa7, 0x5f, 0xe3, 0x53, 0x2a, 0xeb, 0xbf, 0x5e, 0x63, 0xf5, 0xbb, 0xdb, 0xc0, 0xb1, 0xf0, 0x1d, 0x3c, 0x4f,
+        0x60, 0x02, 0x20, 0x4c, 0x1a, 0xbf, 0x5f, 0x18, 0x07, 0xb8, 0x18, 0x94, 0xb1, 0x57, 0x6c, 0x47, 0xe4, 0x72, 0x4e, 0x4d,
+        0x96, 0x6c, 0x61, 0x2e, 0xd3, 0xfa, 0x25, 0xc1, 0x18, 0xc3, 0xf2, 0xb3, 0xf9, 0x03, 0x69
+    };
+
+    return CopySpanToMutableSpan(ByteSpan{ kCertificationDeclaration }, out_cd_buffer);
+}
+
+CHIP_ERROR ExampleSe05xDACProvider::GetFirmwareInformation(MutableByteSpan & out_firmware_info_buffer)
+{
+    // TODO: We need a real example FirmwareInformation to be populated.
+    out_firmware_info_buffer.reduce_size(0);
+
+    return CHIP_NO_ERROR;
+}
+
+CHIP_ERROR ExampleSe05xDACProvider::SignWithDeviceAttestationKey(const ByteSpan & digest_to_sign,
+                                                                 MutableByteSpan & out_signature_buffer)
+{
+
+    /*
+     credentials/test/attestation/Chip-Test-DAC-FFF1-8000-000A-Key.pem
+     -----BEGIN EC PRIVATE KEY-----
+     MHcCAQEEIAXGw6hNxgXMPMgFgAmwGzKc9gzxWXDGqQ6tquLeSWSeoAoGCCqGSM49
+     AwEHoUQDQgAEeoRYr7ubzRXhmtzSZvZsnC9gfHR0ejX4DzfhGBM/gPF2ARMnj5Hx
+     WqD3+HkyCU/mn7coaKgeJpebNosztVQxAw==
+     -----END EC PRIVATE KEY-----
+    */
+
+#if 0
+    constexpr uint8_t dac_private_key[] = { 0x05, 0xc6, 0xc3, 0xa8, 0x4d, 0xc6, 0x05, 0xcc, 0x3c, 0xc8, 0x05,
+                                            0x80, 0x09, 0xb0, 0x1b, 0x32, 0x9c, 0xf6, 0x0c, 0xf1, 0x59, 0x70,
+                                            0xc6, 0xa9, 0x0e, 0xad, 0xaa, 0xe2, 0xde, 0x49, 0x64, 0x9e };
+
+    // In a non-exemplary implementation, the public key is not needed here. It is used here merely because
+    // Crypto::P256Keypair is only (currently) constructable from raw keys if both private/public keys are present.
+    constexpr uint8_t dac_public_key[] = { 0x04, 0x7a, 0x84, 0x58, 0xaf, 0xbb, 0x9b, 0xcd, 0x15, 0xe1, 0x9a, 0xdc, 0xd2,
+                                           0x66, 0xf6, 0x6c, 0x9c, 0x2f, 0x60, 0x7c, 0x74, 0x74, 0x7a, 0x35, 0xf8, 0x0f,
+                                           0x37, 0xe1, 0x18, 0x13, 0x3f, 0x80, 0xf1, 0x76, 0x01, 0x13, 0x27, 0x8f, 0x91,
+                                           0xf1, 0x5a, 0xa0, 0xf7, 0xf8, 0x79, 0x32, 0x09, 0x4f, 0xe6, 0x9f, 0xb7, 0x28,
+                                           0x68, 0xa8, 0x1e, 0x26, 0x97, 0x9b, 0x36, 0x8b, 0x33, 0xb5, 0x54, 0x31, 0x03 };
+#endif
+
+    Crypto::P256ECDSASignature signature;
+    Crypto::P256KeypairHSM keypair;
+
+    VerifyOrReturnError(IsSpanUsable(out_signature_buffer), CHIP_ERROR_INVALID_ARGUMENT);
+    VerifyOrReturnError(IsSpanUsable(digest_to_sign), CHIP_ERROR_INVALID_ARGUMENT);
+    VerifyOrReturnError(out_signature_buffer.size() >= signature.Capacity(), CHIP_ERROR_BUFFER_TOO_SMALL);
+
+    keypair.SetKeyId(DEV_ATTESTATION_KEY);
+    keypair.provisioned_key = true;
+    keypair.Initialize();
+
+    ReturnErrorOnFailure(keypair.ECDSA_sign_hash(digest_to_sign.data(), digest_to_sign.size(), signature));
+
+    return CopySpanToMutableSpan(ByteSpan{ signature.ConstBytes(), signature.Length() }, out_signature_buffer);
+}
+
+} // namespace
+
+DeviceAttestationCredentialsProvider * GetExampleSe05xDACProvider()
+{
+    static ExampleSe05xDACProvider example_dac_provider;
+
+    return &example_dac_provider;
+}
+
+} // namespace Examples
+} // namespace Credentials
+} // namespace chip
+
+#endif //#ifdef ENABLE_HSM_DEVICE_ATTESTATION
diff --git a/examples/platform/nxp/se05x/DeviceAttestationSe05xCredsExample.h b/examples/platform/nxp/se05x/DeviceAttestationSe05xCredsExample.h
@@ -0,0 +1,36 @@
+/*
+ *
+ *    Copyright (c) 2021 Project CHIP Authors
+ *
+ *    Licensed under the Apache License, Version 2.0 (the "License");
+ *    you may not use this file except in compliance with the License.
+ *    You may obtain a copy of the License at
+ *
+ *        http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *    Unless required by applicable law or agreed to in writing, software
+ *    distributed under the License is distributed on an "AS IS" BASIS,
+ *    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *    See the License for the specific language governing permissions and
+ *    limitations under the License.
+ */
+#pragma once
+
+#include <credentials/DeviceAttestationCredsProvider.h>
+
+namespace chip {
+namespace Credentials {
+namespace Examples {
+
+/**
+ * @brief Get implementation of a sample DAC provider to validate device
+ *        attestation procedure.
+ *
+ * @returns a singleton DeviceAttestationCredentialsProvider that relies on no
+ *          storage abstractions.
+ */
+DeviceAttestationCredentialsProvider * GetExampleSe05xDACProvider();
+
+} // namespace Examples
+} // namespace Credentials
+} // namespace chip
diff --git a/src/credentials/BUILD.gn b/src/credentials/BUILD.gn
@@ -14,6 +14,7 @@
 
 import("//build_overrides/chip.gni")
 import("//build_overrides/nlassert.gni")
+import("${chip_root}/src/crypto/crypto.gni")
 
 static_library("credentials") {
   output_name = "libCredentials"
@@ -43,6 +44,10 @@ static_library("credentials") {
     "examples/GroupDataProviderExample.cpp",
   ]
 
+  if (chip_with_se05x == 1) {
+    sources += [ "${chip_root}/examples/platform/nxp/se05x/DeviceAttestationSe05xCredsExample.cpp" ]
+  }
+
   cflags = [ "-Wconversion" ]
 
   public_deps = [

diff --git a/src/credentials/FabricTable.cpp b/src/credentials/FabricTable.cpp
@@ -162,6 +162,10 @@ CHIP_ERROR FabricInfo::LoadFromStorage(FabricStorage * storage)
     }
     VerifyOrExit(mOperationalKey != nullptr, err = CHIP_ERROR_NO_MEMORY);
     SuccessOrExit(err = mOperationalKey->Deserialize(info->mOperationalKey));
+#ifdef ENABLE_HSM_CASE_OPS_KEY
+    // Set provisioned_key = true , so that key is not deleted from HSM.
+    mOperationalKey->provisioned_key = true;
+#endif
 
     ChipLogProgress(Inet, "Loading certs from storage");
     SuccessOrExit(err = SetRootCert(ByteSpan(info->mRootCert, rootCertLen)));

diff --git a/src/credentials/FabricTable.h b/src/credentials/FabricTable.h
@@ -163,6 +163,10 @@ class DLL_EXPORT FabricInfo
             mOperationalKey = chip::Platform::New<Crypto::P256Keypair>();
 #endif
             mOperationalKey->Initialize();
+#ifdef ENABLE_HSM_CASE_OPS_KEY
+            // Set provisioned_key = true , so that key is not deleted from HSM.
+            mOperationalKey->provisioned_key = true;
+#endif
         }
         return mOperationalKey;
     }

diff --git a/src/crypto/BUILD.gn b/src/crypto/BUILD.gn
@@ -40,6 +40,10 @@ buildconfig_header("crypto_buildconfig") {
     defines += [ "CHIP_CRYPTO_HSM=0" ]
     defines += [ "CHIP_CRYPTO_HSM_NXP=0" ]
   }
+
+  if (chip_with_se05x_da == 1) {
+    defines += [ "ENABLE_HSM_DEVICE_ATTESTATION=1" ]
+  }
 }
 
 if (chip_crypto == "openssl") {

diff --git a/src/crypto/crypto.gni b/src/crypto/crypto.gni
@@ -16,6 +16,7 @@ declare_args() {
   # Crypto implementation: mbedtls, openssl.
   chip_crypto = ""
   chip_with_se05x = 0
+  chip_with_se05x_da = 0
 }
 
 if (chip_crypto == "") {