EFR32: DeviceAttestationCredentialsProvider implemented.

examples/platform/efr32/efr32_certs.h

@@ -0,0 +1,15 @@
+#ifndef MATTER_MFG_TOKENS_EFR32
+#define MATTER_MFG_TOKENS_EFR32
+
+#define EFR32_CERTS_DAC_ID PSA_KEY_ID_USER_MIN + 1
+
+#define CREATOR_MFG_MATTER_CD (USERDATA_TOKENS | 0x200)  //   4 bytes 0x226
+#define CREATOR_MFG_MATTER_PAI (USERDATA_TOKENS | 0x444) //   4 bytes
+#define CREATOR_MFG_MATTER_DAC (USERDATA_TOKENS | 0x614) //   4 bytes
+
+#define MFG_MATTER_CD_SIZE 541
+#define MFG_MATTER_PAI_SIZE 463
+#define MFG_MATTER_DAC_SIZE 492
+#define MFG_MATTER_DAC_KEY_ID PSA_KEY_ID_USER_MIN + 1
+
+#endif // MATTER_MFG_TOKENS_EFR32

src/app/clusters/operational-credentials-server/operational-credentials-server.cpp

@@ -41,7 +41,6 @@
 #include <credentials/DeviceAttestationCredsProvider.h>
 #include <credentials/FabricTable.h>
 #include <credentials/GroupDataProvider.h>
-#include <credentials/examples/DeviceAttestationCredsExample.h>
 #include <lib/core/CHIPSafeCasts.h>
 #include <lib/core/PeerId.h>
 #include <lib/support/CodeUtils.h>

src/credentials/BUILD.gn

@@ -47,16 +47,21 @@ static_library("credentials") {
     "attestation_verifier/DeviceAttestationDelegate.h",
     "attestation_verifier/DeviceAttestationVerifier.cpp",
     "attestation_verifier/DeviceAttestationVerifier.h",
-    "examples/DeviceAttestationCredsExample.cpp",
-    "examples/DeviceAttestationCredsExample.h",
-    "examples/ExampleDACs.cpp",
-    "examples/ExampleDACs.h",
-    "examples/ExamplePAI.cpp",
-    "examples/ExamplePAI.h",
     "examples/LastKnownGoodTimeCertificateValidityPolicyExample.h",
     "examples/StrictCertificateValidityPolicyExample.h",
   ]
 
+  if (!chip_device_attestation_credentials) {
+    sources += [
+      "examples/DeviceAttestationCredsExample.cpp",
+      "examples/DeviceAttestationCredsExample.h",
+      "examples/ExampleDACs.cpp",
+      "examples/ExampleDACs.h",
+      "examples/ExamplePAI.cpp",
+      "examples/ExamplePAI.h",
+    ]
+  }
+
   # TODO: These tests files should be removed after the DeviceAttestationCredsExample implementation
   # is changed to generate it's own credentials instead of using Test credentials.
   # For mbed and nrfconnect test builds, which are bilding monolithic test library these files are not needed.

src/include/platform/KvsPersistentStorageDelegate.h

@@ -22,6 +22,7 @@
 #include <lib/core/CHIPError.h>
 #include <lib/core/CHIPPersistentStorageDelegate.h>
 #include <lib/support/CodeUtils.h>
+#include <lib/support/SafeInt.h>
 #include <platform/KeyValueStoreManager.h>
 
 namespace chip {

src/platform/EFR32/BUILD.gn

@@ -56,6 +56,10 @@ static_library("EFR32") {
     "gatt_db.h",
   ]
 
+  if (chip_device_attestation_credentials) {
+    sources += [ "DeviceAttestationCredsImpl.cpp" ]
+  }
+
   if (chip_enable_ota_requestor) {
     sources += [
       "OTAImageProcessorImpl.cpp",

src/platform/EFR32/DeviceAttestationCredsImpl.cpp

@@ -0,0 +1,104 @@
+/*
+ *
+ *    Copyright (c) 2021 Project CHIP Authors
+ *
+ *    Licensed under the Apache License, Version 2.0 (the "License");
+ *    you may not use this file except in compliance with the License.
+ *    You may obtain a copy of the License at
+ *
+ *        http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *    Unless required by applicable law or agreed to in writing, software
+ *    distributed under the License is distributed on an "AS IS" BASIS,
+ *    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *    See the License for the specific language governing permissions and
+ *    limitations under the License.
+ */
+#include <credentials/examples/DeviceAttestationCredsExample.h>
+#include <crypto/CHIPCryptoPAL.h>
+#include <lib/core/CHIPError.h>
+#include <lib/support/CodeUtils.h>
+#include <lib/support/Span.h>
+
+#include "efr32_certs.h"
+#include "psa/crypto.h"
+#include "sl_token_api.h"
+#include "sl_token_manager.h"
+
+namespace chip {
+namespace Credentials {
+namespace Examples {
+
+namespace {
+
+class DeviceAttestationCredsImpl : public DeviceAttestationCredentialsProvider
+{
+public:
+    CHIP_ERROR GetCertificationDeclaration(MutableByteSpan & out_buffer) override
+    {
+        uint8_t cd_buf[MFG_MATTER_CD_SIZE];
+        ByteSpan cd_span(cd_buf);
+
+        int err = sl_token_get_data(CREATOR_MFG_MATTER_CD, 0, cd_buf, sizeof(cd_buf));
+        ChipLogProgress(DeviceLayer, "~ GetCertificationDeclaration-1.2, size:%u, err:%d\r\n", sizeof(cd_buf), err);
+        VerifyOrReturnError(!err, CHIP_ERROR_INTERNAL);
+        ChipLogByteSpan(DeviceLayer, cd_span);
+        return CopySpanToMutableSpan(cd_span, out_buffer);
+    }
+
+    CHIP_ERROR GetFirmwareInformation(MutableByteSpan & out_firmware_info_buffer) override
+    {
+        // TODO: We need a real example FirmwareInformation to be populated.
+        out_firmware_info_buffer.reduce_size(0);
+        return CHIP_NO_ERROR;
+    }
+
+    CHIP_ERROR GetDeviceAttestationCert(MutableByteSpan & out_buffer) override
+    {
+        uint8_t cert_buf[MFG_MATTER_DAC_SIZE];
+        ByteSpan cert_span(cert_buf);
+
+        int err = sl_token_get_data(CREATOR_MFG_MATTER_DAC, 0, cert_buf, sizeof(cert_buf));
+        ChipLogProgress(DeviceLayer, "~ GetDeviceAttestationCert, size:%u, err:%d\r\n", sizeof(cert_buf), err);
+        VerifyOrReturnError(!err, CHIP_ERROR_INTERNAL);
+        ChipLogByteSpan(DeviceLayer, cert_span);
+        return CopySpanToMutableSpan(cert_span, out_buffer);
+    }
+
+    CHIP_ERROR GetProductAttestationIntermediateCert(MutableByteSpan & out_pai_buffer) override
+    {
+        uint8_t cert_buf[MFG_MATTER_PAI_SIZE];
+        ByteSpan cert_span(cert_buf);
+
+        int err = sl_token_get_data(CREATOR_MFG_MATTER_PAI, 0, cert_buf, sizeof(cert_buf));
+        ChipLogProgress(DeviceLayer, "~ GetProductAttestationIntermediateCert, size:%u, err:%d\r\n", sizeof(cert_buf), err);
+        VerifyOrReturnError(!err, CHIP_ERROR_INTERNAL);
+        ChipLogByteSpan(DeviceLayer, cert_span);
+        return CopySpanToMutableSpan(cert_span, out_pai_buffer);
+    }
+
+    CHIP_ERROR SignWithDeviceAttestationKey(const ByteSpan & digest_to_sign, MutableByteSpan & out_buffer) override
+    {
+        psa_key_id_t key_id                                  = MFG_MATTER_DAC_KEY_ID;
+        uint8_t signature[chip::Crypto::kSHA256_Hash_Length] = { 0 };
+        size_t signature_size                                = sizeof(signature);
+
+        psa_status_t err = psa_sign_hash(key_id, PSA_ALG_ECDSA(PSA_ALG_SHA_256), digest_to_sign.data(), digest_to_sign.size(),
+                                         signature, signature_size, &signature_size);
+        VerifyOrReturnError(!err, CHIP_ERROR_INTERNAL);
+
+        return CopySpanToMutableSpan(ByteSpan(signature, signature_size), out_buffer);
+    }
+};
+
+} // namespace
+
+DeviceAttestationCredentialsProvider * GetExampleDACProvider()
+{
+    static DeviceAttestationCredsImpl dac_provider;
+    return &dac_provider;
+}
+
+} // namespace Examples
+} // namespace Credentials
+} // namespace chip

src/platform/device.gni

@@ -23,6 +23,9 @@ declare_args() {
 
   # Substitute fake platform when building with chip_device_platform=auto.
   chip_fake_platform = false
+
+  # Use actual device attestation credentials
+  chip_device_attestation_credentials = false
 }
 
 if (chip_device_platform == "auto") {

third_party/silabs/efr32_sdk.gni

@@ -103,6 +103,13 @@ template("efr32_sdk") {
       "${efr32_sdk_root}/platform/service/sleeptimer/config",
       "${efr32_sdk_root}/platform/service/system/inc",
       "${efr32_sdk_root}/platform/service/udelay/inc",
+      "${efr32_sdk_root}/platform/service/legacy_hal/inc",
+      "${efr32_sdk_root}/platform/service/token_manager/config",
+      "${efr32_sdk_root}/platform/service/token_manager/inc",
+      "${efr32_sdk_root}/platform/service/token_manager/test",
+      "${efr32_sdk_root}/platform/service/token_manager/test/include",
+      "${efr32_sdk_root}/platform/service/token_manager/test/stack/config",
+      "${efr32_sdk_root}/platform/service/token_manager/test/stack/include",
       "${efr32_sdk_root}/platform/middleware/glib",
       "${efr32_sdk_root}/platform/middleware/glib/glib",
       "${efr32_sdk_root}/platform/middleware/glib/dmd",
@@ -153,6 +160,8 @@ template("efr32_sdk") {
       "MBEDTLS_THREADING_ALT=1",
       "SL_THREADING_ALT=1",
       "SL_COMPONENT_CATALOG_PRESENT",
+      "PLATFORM_HEADER=\"platform-header.h\"",
+      "USE_NVM3=1",
 
       #"__STACK_SIZE=0",
     ]
@@ -346,6 +355,7 @@ template("efr32_sdk") {
       "${efr32_sdk_root}/platform/radio/rail_lib/plugin/rail_util_pti/sl_rail_util_pti.c",
       "${efr32_sdk_root}/platform/service/device_init/src/sl_device_init_nvic.c",
       "${efr32_sdk_root}/platform/service/hfxo_manager/src/sl_hfxo_manager.c",
+      "${efr32_sdk_root}/platform/service/legacy_hal/src/token_legacy.c",
       "${efr32_sdk_root}/platform/service/mpu/src/sl_mpu.c",
       "${efr32_sdk_root}/platform/service/power_manager/src/sl_power_manager.c",
       "${efr32_sdk_root}/platform/service/power_manager/src/sl_power_manager_debug.c",
@@ -357,6 +367,9 @@ template("efr32_sdk") {
       "${efr32_sdk_root}/platform/service/system/src/sl_system_init.c",
       "${efr32_sdk_root}/platform/service/system/src/sl_system_kernel.c",
       "${efr32_sdk_root}/platform/service/system/src/sl_system_process_action.c",
+      "${efr32_sdk_root}/platform/service/token_manager/src/sl_token_def.c",
+      "${efr32_sdk_root}/platform/service/token_manager/src/sl_token_manager.c",
+      "${efr32_sdk_root}/platform/service/token_manager/src/sl_token_manufacturing.c",
       "${efr32_sdk_root}/platform/service/udelay/src/sl_udelay.c",
       "${efr32_sdk_root}/platform/service/udelay/src/sl_udelay_armv6m_gcc.S",
       "${efr32_sdk_root}/protocol/bluetooth/src/sl_bt_mbedtls_context.c",