From b8c125a8cc168e16a3fbdb6c454c9c4e57a4a61b Mon Sep 17 00:00:00 2001
From: Ricardo Casallas
Date: Thu, 30 Jun 2022 09:12:47 -0400
Subject: [PATCH] EFR32: DeviceAttestationCredentialsProvider implemented.
---
 examples/platform/efr32/efr32_certs.h | 15 +++
 .../operational-credentials-server.cpp | 1 -
 src/credentials/BUILD.gn | 17 ++-
 .../platform/KvsPersistentStorageDelegate.h | 1 +
 src/platform/EFR32/BUILD.gn | 4 +
 .../EFR32/DeviceAttestationCredsImpl.cpp | 104 ++++++++++++++++++
 src/platform/device.gni | 3 +
 third_party/silabs/efr32_sdk.gni | 13 +++
 8 files changed, 151 insertions(+), 7 deletions(-)
 create mode 100644 examples/platform/efr32/efr32_certs.h
 create mode 100644 src/platform/EFR32/DeviceAttestationCredsImpl.cpp
diff --git a/examples/platform/efr32/efr32_certs.h b/examples/platform/efr32/efr32_certs.h
new file mode 100644
index 00000000000000..35a77a89599d0a
--- /dev/null
+++ b/examples/platform/efr32/efr32_certs.h
@@ -0,0 +1,15 @@
+#ifndef MATTER_MFG_TOKENS_EFR32
+#define MATTER_MFG_TOKENS_EFR32
+
+#define EFR32_CERTS_DAC_ID PSA_KEY_ID_USER_MIN + 1
+
+#define CREATOR_MFG_MATTER_CD (USERDATA_TOKENS | 0x200) // 4 bytes 0x226
+#define CREATOR_MFG_MATTER_PAI (USERDATA_TOKENS | 0x444) // 4 bytes
+#define CREATOR_MFG_MATTER_DAC (USERDATA_TOKENS | 0x614) // 4 bytes
+
+#define MFG_MATTER_CD_SIZE 541
+#define MFG_MATTER_PAI_SIZE 463
+#define MFG_MATTER_DAC_SIZE 492
+#define MFG_MATTER_DAC_KEY_ID PSA_KEY_ID_USER_MIN + 1
+
+#endif // MATTER_MFG_TOKENS_EFR32
diff --git a/src/app/clusters/operational-credentials-server/operational-credentials-server.cpp b/src/app/clusters/operational-credentials-server/operational-credentials-server.cpp
index 20c5be2e8052f7..3127a3f75b0c08 100644
--- a/src/app/clusters/operational-credentials-server/operational-credentials-server.cpp
+++ b/src/app/clusters/operational-credentials-server/operational-credentials-server.cpp
@@ -41,7 +41,6 @@
 #include
 #include
 #include
-#include
 #include
 #include
 #include
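Review bot: `EFR32_CERTS_DAC_ID` and `MFG_MATTER_DAC_KEY_ID` in efr32_certs.h expand to the unparenthesized expression `PSA_KEY_ID_USER_MIN + 1`, so a use next to a cast or a higher-precedence operator binds to only part of it; define them as `#define MFG_MATTER_DAC_KEY_ID (PSA_KEY_ID_USER_MIN + 1)`. Both macros name the same key slot and only `MFG_MATTER_DAC_KEY_ID` is used by the provider added in this patch, so keeping one of them avoids the two drifting apart. The `// 4 bytes` comments on the `CREATOR_MFG_MATTER_*` tokens do not match the 541/463/492-byte sizes defined right below them. I would replace them with a short comment saying what each token stores and that the `*_SIZE` values must equal the length of the provisioned blob.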
diff --git a/src/credentials/BUILD.gn b/src/credentials/BUILD.gn index ad809326b892d2..875cc378350584 100644 --- a/src/credentials/BUILD.gn +++ b/src/credentials/BUILD.gn @@ -47,16 +47,21 @@ static_library("credentials") { "attestation_verifier/DeviceAttestationDelegate.h", "attestation_verifier/DeviceAttestationVerifier.cpp", "attestation_verifier/DeviceAttestationVerifier.h", - "examples/DeviceAttestationCredsExample.cpp", - "examples/DeviceAttestationCredsExample.h", - "examples/ExampleDACs.cpp", - "examples/ExampleDACs.h", - "examples/ExamplePAI.cpp", - "examples/ExamplePAI.h", "examples/LastKnownGoodTimeCertificateValidityPolicyExample.h", "examples/StrictCertificateValidityPolicyExample.h", ] + if (!chip_device_attestation_credentials) { + sources += [ + "examples/DeviceAttestationCredsExample.cpp", + "examples/DeviceAttestationCredsExample.h", + "examples/ExampleDACs.cpp", + "examples/ExampleDACs.h", + "examples/ExamplePAI.cpp", + "examples/ExamplePAI.h", + ] + } + # TODO: These tests files should be removed after the DeviceAttestationCredsExample implementation # is changed to generate it's own credentials instead of using Test credentials. # For mbed and nrfconnect test builds, which are bilding monolithic test library these files are not needed. diff --git a/src/include/platform/KvsPersistentStorageDelegate.h b/src/include/platform/KvsPersistentStorageDelegate.h index 42ca6f481e6b4c..0348e92bf2c08d 100644 --- a/src/include/platform/KvsPersistentStorageDelegate.h +++ b/src/include/platform/KvsPersistentStorageDelegate.h @@ -22,6 +22,7 @@ #include #include #include +#include #include namespace chip { diff --git a/src/platform/EFR32/BUILD.gn b/src/platform/EFR32/BUILD.gn index a50db957df5e48..860fa8e905d4bc 100644 --- a/src/platform/EFR32/BUILD.gn +++ b/src/platform/EFR32/BUILD.gn 
@@ -56,6 +56,10 @@ static_library("EFR32") {
 "gatt_db.h",
 ]
 
+ if (chip_device_attestation_credentials) {
+ sources += [ "DeviceAttestationCredsImpl.cpp" ]
+ }
+
 if (chip_enable_ota_requestor) {
 sources += [
 "OTAImageProcessorImpl.cpp",
diff --git a/src/platform/EFR32/DeviceAttestationCredsImpl.cpp b/src/platform/EFR32/DeviceAttestationCredsImpl.cpp
new file mode 100644
index 00000000000000..54d26ba359731e
--- /dev/null
+++ b/src/platform/EFR32/DeviceAttestationCredsImpl.cpp
@@ -0,0 +1,104 @@
+/*
+ *
+ * Copyright (c) 2021 Project CHIP Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#include
+#include
+#include
+#include
+#include
+
+#include "efr32_certs.h"
+#include "psa/crypto.h"
+#include "sl_token_api.h"
+#include "sl_token_manager.h"
+
+namespace chip {
+namespace Credentials {
+namespace Examples {
+
+namespace {
+
+class DeviceAttestationCredsImpl : public DeviceAttestationCredentialsProvider
+{
+public:
+ CHIP_ERROR GetCertificationDeclaration(MutableByteSpan & out_buffer) override
+ {
+ uint8_t cd_buf[MFG_MATTER_CD_SIZE];
+ ByteSpan cd_span(cd_buf);
+
+ int err = sl_token_get_data(CREATOR_MFG_MATTER_CD, 0, cd_buf, sizeof(cd_buf));
+ ChipLogProgress(DeviceLayer, "~ GetCertificationDeclaration-1.2, size:%u, err:%d\r\n", sizeof(cd_buf), err);
+ VerifyOrReturnError(!err, CHIP_ERROR_INTERNAL);
+ ChipLogByteSpan(DeviceLayer, cd_span);
+ return CopySpanToMutableSpan(cd_span, out_buffer);
+ }
+
+ CHIP_ERROR GetFirmwareInformation(MutableByteSpan & out_firmware_info_buffer) override
+ {
+ // TODO: We need a real example FirmwareInformation to be populated.
+ out_firmware_info_buffer.reduce_size(0);
+ return CHIP_NO_ERROR;
+ }
+
+ CHIP_ERROR GetDeviceAttestationCert(MutableByteSpan & out_buffer) override
+ {
+ uint8_t cert_buf[MFG_MATTER_DAC_SIZE];
+ ByteSpan cert_span(cert_buf);
+
+ int err = sl_token_get_data(CREATOR_MFG_MATTER_DAC, 0, cert_buf, sizeof(cert_buf));
+ ChipLogProgress(DeviceLayer, "~ GetDeviceAttestationCert, size:%u, err:%d\r\n", sizeof(cert_buf), err);
+ VerifyOrReturnError(!err, CHIP_ERROR_INTERNAL);
+ ChipLogByteSpan(DeviceLayer, cert_span);
+ return CopySpanToMutableSpan(cert_span, out_buffer);
+ }
+
+ CHIP_ERROR GetProductAttestationIntermediateCert(MutableByteSpan & out_pai_buffer) override
+ {
+ uint8_t cert_buf[MFG_MATTER_PAI_SIZE];
+ ByteSpan cert_span(cert_buf);
+
+ int err = sl_token_get_data(CREATOR_MFG_MATTER_PAI, 0, cert_buf, sizeof(cert_buf));
+ ChipLogProgress(DeviceLayer, "~ GetProductAttestationIntermediateCert, size:%u, err:%d\r\n", sizeof(cert_buf), err);
+ VerifyOrReturnError(!err, CHIP_ERROR_INTERNAL);
+ ChipLogByteSpan(DeviceLayer, cert_span);
+ return CopySpanToMutableSpan(cert_span, out_pai_buffer);
+ }
+
+ CHIP_ERROR SignWithDeviceAttestationKey(const ByteSpan & digest_to_sign, MutableByteSpan & out_buffer) override
+ {
+ psa_key_id_t key_id = MFG_MATTER_DAC_KEY_ID;
+ uint8_t signature[chip::Crypto::kSHA256_Hash_Length] = { 0 };
+ size_t signature_size = sizeof(signature);
+
+ psa_status_t err = psa_sign_hash(key_id, PSA_ALG_ECDSA(PSA_ALG_SHA_256), digest_to_sign.data(), digest_to_sign.size(),
+ signature, signature_size, &signature_size);
+ VerifyOrReturnError(!err, CHIP_ERROR_INTERNAL);
+
+ return CopySpanToMutableSpan(ByteSpan(signature, signature_size), out_buffer);
+ }
+};
+
+} // namespace
+
+DeviceAttestationCredentialsProvider * GetExampleDACProvider()
+{
+ static DeviceAttestationCredsImpl dac_provider;
+ return &dac_provider;
+}
+
+} // namespace Examples
+} // namespace Credentials
+} // namespace chip
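Review bot: In `SignWithDeviceAttestationKey` the output buffer is sized with `chip::Crypto::kSHA256_Hash_Length`, which is the length of the digest being signed, not of the signature. For the P-256 key Matter attestation uses, a raw ECDSA signature is r||s, twice that size, so `psa_sign_hash` has no room for its result and the call would be expected to fail, surfacing only as `CHIP_ERROR_INTERNAL`. Size the buffer for the signature, `uint8_t signature[chip::Crypto::kP256_ECDSA_Signature_Length_Raw] = { 0 };`, and log the `psa_status_t` before mapping it so a missing key can be told apart from a buffer error. The three certificate getters also return the whole fixed-size buffer (`MFG_MATTER_DAC_SIZE` and friends) instead of the stored credential's real length, which is only correct if every provisioned DER blob is exactly that long; a comment stating that assumption, or a length read from the token, would make it checkable. The provider for real credentials is still exported as `Examples::GetExampleDACProvider()`, which deserves a comment explaining that the name is kept only so existing callers link.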
diff --git a/src/platform/device.gni b/src/platform/device.gni index 9af7d49c0d3141..f8328cdfa567f1 100755 --- a/src/platform/device.gni +++ b/src/platform/device.gni @@ -23,6 +23,9 @@ declare_args() { # Substitute fake platform when building with chip_device_platform=auto. chip_fake_platform = false + + # Use actual device attestation credentials + chip_device_attestation_credentials = false } if (chip_device_platform == "auto") { diff --git a/third_party/silabs/efr32_sdk.gni b/third_party/silabs/efr32_sdk.gni index 6e2ec20615d7ed..a40cda2108c7b3 100644 --- a/third_party/silabs/efr32_sdk.gni +++ b/third_party/silabs/efr32_sdk.gni @@ -103,6 +103,13 @@ template("efr32_sdk") { "${efr32_sdk_root}/platform/service/sleeptimer/config", "${efr32_sdk_root}/platform/service/system/inc", "${efr32_sdk_root}/platform/service/udelay/inc", + "${efr32_sdk_root}/platform/service/legacy_hal/inc", + "${efr32_sdk_root}/platform/service/token_manager/config", + "${efr32_sdk_root}/platform/service/token_manager/inc", + "${efr32_sdk_root}/platform/service/token_manager/test", + "${efr32_sdk_root}/platform/service/token_manager/test/include", + "${efr32_sdk_root}/platform/service/token_manager/test/stack/config", + "${efr32_sdk_root}/platform/service/token_manager/test/stack/include", "${efr32_sdk_root}/platform/middleware/glib", "${efr32_sdk_root}/platform/middleware/glib/glib", "${efr32_sdk_root}/platform/middleware/glib/dmd", @@ -153,6 +160,8 @@ template("efr32_sdk") { "MBEDTLS_THREADING_ALT=1", "SL_THREADING_ALT=1", "SL_COMPONENT_CATALOG_PRESENT", + "PLATFORM_HEADER=\"platform-header.h\"", + "USE_NVM3=1", #"__STACK_SIZE=0", ] 
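Review bot: The comment on `chip_device_attestation_credentials` in device.gni does not say what the flag changes in the build. Going by the other hunks of this patch, setting it drops the example DAC/PAI sources from `src/credentials` and relies on the platform to supply the provider, which only EFR32 does here, so on another platform it would presumably end in a link failure. I would spell that out, for example `# Build the platform's DeviceAttestationCredentialsProvider instead of the example test credentials.` followed by `# Requires a platform implementation (EFR32 only in this change).`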
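Review bot: The include-path additions in the `@@ -103,6 +103,13 @@` hunk of efr32_sdk.gni put four `token_manager/test/...` directories on the include path of every EFR32 target, and the next hunk defines `PLATFORM_HEADER` and `USE_NVM3=1` unconditionally. Headers taken from an SDK test tree can shadow production headers of the same name, and none of these entries depend on `chip_device_attestation_credentials`, so builds that keep the example credentials are changed as well. If the token manager really needs something from `test/`, a comment naming the header and the reason would let the next SDK bump be reviewed. Otherwise I would drop those paths, or gate the token-manager entries on the flag if it is visible in this file.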
@@ -346,6 +355,7 @@ template("efr32_sdk") {
 "${efr32_sdk_root}/platform/radio/rail_lib/plugin/rail_util_pti/sl_rail_util_pti.c",
 "${efr32_sdk_root}/platform/service/device_init/src/sl_device_init_nvic.c",
 "${efr32_sdk_root}/platform/service/hfxo_manager/src/sl_hfxo_manager.c",
+ "${efr32_sdk_root}/platform/service/legacy_hal/src/token_legacy.c",
 "${efr32_sdk_root}/platform/service/mpu/src/sl_mpu.c",
 "${efr32_sdk_root}/platform/service/power_manager/src/sl_power_manager.c",
 "${efr32_sdk_root}/platform/service/power_manager/src/sl_power_manager_debug.c",
@@ -357,6 +367,9 @@ template("efr32_sdk") {
 "${efr32_sdk_root}/platform/service/system/src/sl_system_init.c",
 "${efr32_sdk_root}/platform/service/system/src/sl_system_kernel.c",
 "${efr32_sdk_root}/platform/service/system/src/sl_system_process_action.c",
+ "${efr32_sdk_root}/platform/service/token_manager/src/sl_token_def.c",
+ "${efr32_sdk_root}/platform/service/token_manager/src/sl_token_manager.c",
+ "${efr32_sdk_root}/platform/service/token_manager/src/sl_token_manufacturing.c",
 "${efr32_sdk_root}/platform/service/udelay/src/sl_udelay.c",
 "${efr32_sdk_root}/platform/service/udelay/src/sl_udelay_armv6m_gcc.S",
 "${efr32_sdk_root}/protocol/bluetooth/src/sl_bt_mbedtls_context.c",