Updated DefaultDeviceAttestationVerifier to Verify that PAA KeyId is in the CD. #18219

emargolis · 2022-05-09T18:14:30Z

Problem

DefaultDeviceAttestationVerifier doesn't verify that PAA SKID is in the list of Authorized PAAs, which is in the Certification Declaration.

Change overview

Added this check step

Testing

existing tests

src/credentials/attestation_verifier/DefaultDeviceAttestationVerifier.cpp

src/credentials/attestation_verifier/DeviceAttestationVerifier.h

github-actions · 2022-05-09T19:02:20Z

PR #18219: Size comparison from c880e28 to 68f4278

Increases (3 builds for linux)

platform	target	config	section	`c880e28`	`68f4278`	change
linux	chip-tool	debug	(read only)	9093941	9094757	816
			.text	7301429	7302245	816
	chip-tool-no-interactive-ipv6only	arm64	(read only)	8914548	8915316	768
			.text	7019108	7019876	768
	tv-app	debug	(read only)	2852865	`2853681`	816
			.text	2451778	2452594	816

Full report (32 builds for cc13x2_26x2, cyw30739, efr32, k32w, linux, mbed, nrfconnect, p6, telink)

platform	target	config	section	`c880e28`	`68f4278`	change
cc13x2_26x2	all-clusters-app	LP_CC2652R7	(read only)	690935	690935	0
			(read/write)	161416	161416	0
			.bss	75332	75332	0
			.data	3412	3412	0
			.rodata	102983	102983	0
			.text	587468	587468	0
	lock-ftd	LP_CC2652R7	(read only)	678507	678507	0
			(read/write)	164948	164948	0
			.bss	73492	73492	0
			.data	3236	3236	0
			.rodata	94771	94771	0
			.text	583256	583256	0
	lock-mtd	LP_CC2652R7	(read only)	627259	627259	0
			(read/write)	146308	146308	0
			.bss	69212	69212	0
			.data	3236	3236	0
			.rodata	94651	94651	0
			.text	532120	532120	0
	pump-app	LP_CC2652R7	(read only)	663035	663035	0
			(read/write)	181708	181708	0
			.bss	73756	73756	0
			.data	3268	3268	0
			.rodata	80971	80971	0
			.text	581580	581580	0
	pump-controller-app	LP_CC2652R7	(read only)	655943	655943	0
			(read/write)	188600	188600	0
			.bss	73812	73812	0
			.data	3232	3232	0
			.rodata	83911	83911	0
			.text	571548	571548	0
cyw30739	light	cyw930739m2evb_01	(read/write)	627586	627586	0
			.app_xip_area	530176	530176	0
			.bss	80052	80052	0
			.data	708	708	0
			.rodata	0	0	0
			.text	0	0	0
	lock	cyw930739m2evb_01	(read/write)	626474	626474	0
			.app_xip_area	530520	530520	0
			.bss	78628	78628	0
			.data	672	672	0
			.rodata	0	0	0
			.text	0	0	0
	ota-requestor-no-progress-logging	cyw930739m2evb_01	(read/write)	575234	575234	0
			.app_xip_area	469564	469564	0
			.bss	88048	88048	0
			.data	584	584	0
			.rodata	0	0	0
			.text	112	112	0
efr32	lighting-app	BRD4161A	(read only)	910096	910096	0
			(read/write)	134520	134520	0
			.bss	132456	132456	0
			.data	2064	2064	0
			.text	910088	910088	0
		BRD4161A+rpc	(read only)	944440	944440	0
			(read/write)	151208	151208	0
			.bss	148936	148936	0
			.data	2268	2268	0
			.text	944432	944432	0
		BRD4161A+rs911x	(read only)	787676	787676	0
			(read/write)	129776	129776	0
			.bss	127708	127708	0
			.data	2068	2068	0
			.text	787668	787668	0
	lock-app	BRD4161A+wf200	(read only)	946768	946768	0
			(read/write)	124268	124268	0
			.bss	122244	122244	0
			.data	2024	2024	0
			.text	946760	946760	0
	window-app	BRD4161A	(read only)	890408	890408	0
			(read/write)	134472	134472	0
			.bss	132416	132416	0
			.data	2052	2052	0
			.text	890400	890400	0
k32w	light	k32w061+release	(read/write)	685136	685136	0
			.bss	81248	81248	0
			.data	2020	2020	0
			.text	600164	600164	0
	lock	k32w061+release	(read/write)	730468	730468	0
			.bss	81680	81680	0
			.data	1980	1980	0
			.text	645104	645104	0
linux	all-clusters-app	debug	(read only)	2740441	2740441	0
			(read/write)	174488	174488	0
			.bss	83904	83904	0
			.data	2064	2064	0
			.data.rel.ro	82392	82392	0
			.dynamic	608	608	0
			.got	4464	4464	0
			.init	27	27	0
			.init_array	1008	1008	0
			.rodata	236357	236357	0
			.text	2328882	2328882	0
	bridge-app	debug+rpc	(read only)	1894545	1894545	0
			(read/write)	120984	120984	0
			.bss	71520	71520	0
			.data	3488	3488	0
			.data.rel.ro	40648	40648	0
			.dynamic	592	592	0
			.got	4032	4032	0
			.init	27	27	0
			.init_array	688	688	0
			.rodata	161593	161593	0
			.text	`1610098`	`1610098`	0
	chip-tool	debug	(read only)	9093941	9094757	816
			(read/write)	576944	576944	0
			.bss	22816	22816	0
			.data	1136	1136	0
			.data.rel.ro	546728	546728	0
			.dynamic	624	624	0
			.got	4952	4952	0
			.init	27	27	0
			.init_array	648	648	0
			.rodata	468693	468693	0
			.text	7301429	7302245	816
	chip-tool-no-interactive-ipv6only	arm64	(read only)	8914548	8915316	768
			(read/write)	643121	643121	0
			.bss	41105	41105	0
			.data	1192	1192	0
			.data.rel.ro	582024	582024	0
			.dynamic	560	560	0
			.got	14976	14976	0
			.init	24	24	0
			.init_array	184	184	0
			.rodata	436164	436164	0
			.text	7019108	7019876	768
	lighting-app	debug+rpc	(read only)	2328625	2328625	0
			(read/write)	151936	151936	0
			.bss	73568	73568	0
			.data	2048	2048	0
			.data.rel.ro	70568	70568	0
			.dynamic	608	608	0
			.got	4320	4320	0
			.init	27	27	0
			.init_array	792	792	0
			.rodata	185721	185721	0
			.text	1976194	1976194	0
	lock-app	debug	(read only)	2235921	2235921	0
			(read/write)	146520	146520	0
			.bss	72192	72192	0
			.data	1568	1568	0
			.data.rel.ro	67080	67080	0
			.dynamic	592	592	0
			.got	4312	4312	0
			.init	27	27	0
			.init_array	752	752	0
			.rodata	195465	195465	0
			.text	1880098	1880098	0
	ota-provider-app	debug	(read only)	2064249	2064249	0
			(read/write)	139632	139632	0
			.bss	71680	71680	0
			.data	1736	1736	0
			.data.rel.ro	60440	60440	0
			.dynamic	608	608	0
			.got	4480	4480	0
			.init	27	27	0
			.init_array	648	648	0
			.rodata	176467	176467	0
			.text	`1729890`	`1729890`	0
	ota-requestor-app	debug	(read only)	`2095425`	`2095425`	0
			(read/write)	142440	142440	0
			.bss	72320	72320	0
			.data	1992	1992	0
			.data.rel.ro	62504	62504	0
			.dynamic	592	592	0
			.got	4320	4320	0
			.init	27	27	0
			.init_array	672	672	0
			.rodata	172796	172796	0
			.text	1763250	1763250	0
	shell	debug	(read only)	2565417	2565417	0
			(read/write)	198160	198160	0
			.bss	114408	114408	0
			.data	1376	1376	0
			.data.rel.ro	76656	76656	0
			.dynamic	592	592	0
			.got	4184	4184	0
			.init	27	27	0
			.init_array	928	928	0
			.rodata	217810	217810	0
			.text	`2185506`	`2185506`	0
	thermostat-no-ble	arm64	(read only)	2368620	2368620	0
			(read/write)	175121	175121	0
			.bss	86417	86417	0
			.data	1520	1520	0
			.data.rel.ro	79376	79376	0
			.dynamic	560	560	0
			.got	4768	4768	0
			.init	24	24	0
			.init_array	376	376	0
			.rodata	146844	146844	0
			.text	1992032	1992032	0
	tv-app	debug	(read only)	2852865	`2853681`	816
			(read/write)	277248	277248	0
			.bss	189464	189464	0
			.data	4672	4672	0
			.data.rel.ro	76872	76872	0
			.dynamic	592	592	0
			.got	4696	4696	0
			.init	27	27	0
			.init_array	928	928	0
			.rodata	218411	218411	0
			.text	2451778	2452594	816
mbed	lock-app	CY8CPROTO_062_4343W+release	(read only)	6224	6224	0
			(read/write)	2420084	2420084	0
			.bss	205820	205820	0
			.data	5872	5872	0
			.text	1382684	1382684	0
nrfconnect	all-clusters-app	nrf52840dk_nrf52840	(read/write)	`1179787`	`1179787`	0
			bss	139680	139680	0
			rodata	151532	151532	0
			text	809856	809856	0
p6	all-clusters-app	default	(read/write)	2531536	2531536	0
			.bss	139328	139328	0
			.data	2808	2808	0
			.text	1489800	1489800	0
	light-app	default	(read/write)	2421592	2421592	0
			.bss	132656	132656	0
			.data	2608	2608	0
			.text	`1379856`	`1379856`	0
	lock-app	default	(read/write)	2431096	2431096	0
			.bss	132472	132472	0
			.data	2568	2568	0
			.text	`1389360`	`1389360`	0
telink	lighting-app	tlsr9518adk80d	(read/write)	806024	806024	0
			bss	72176	72176	0
			noinit	40416	40416	0
			text	572426	572426	0

…in the Certification Declaration.

github-actions · 2022-05-09T20:27:08Z

PR #18219: Size comparison from afb7ccb to f622684

Increases (3 builds for linux)

platform	target	config	section	`afb7ccb`	`f622684`	change
linux	chip-tool	debug	(read only)	9104757	9105653	896
			.text	`7309237`	7310133	896
	chip-tool-no-interactive-ipv6only	arm64	(read only)	`8924476`	8925404	928
			.text	7026468	7027396	928
	tv-app	debug	(read only)	2852865	`2853761`	896
			.text	2451778	2452674	896

Full report (34 builds for cc13x2_26x2, cyw30739, efr32, esp32, k32w, linux, mbed, nrfconnect, p6, telink)

platform	target	config	section	`afb7ccb`	`f622684`	change
cc13x2_26x2	all-clusters-app	LP_CC2652R7	(read only)	690935	690935	0
			(read/write)	161416	161416	0
			.bss	75332	75332	0
			.data	3412	3412	0
			.rodata	102983	102983	0
			.text	587468	587468	0
	lock-ftd	LP_CC2652R7	(read only)	678507	678507	0
			(read/write)	164948	164948	0
			.bss	73492	73492	0
			.data	3236	3236	0
			.rodata	94771	94771	0
			.text	583256	583256	0
	lock-mtd	LP_CC2652R7	(read only)	627259	627259	0
			(read/write)	146308	146308	0
			.bss	69212	69212	0
			.data	3236	3236	0
			.rodata	94651	94651	0
			.text	532120	532120	0
	pump-app	LP_CC2652R7	(read only)	663035	663035	0
			(read/write)	181708	181708	0
			.bss	73756	73756	0
			.data	3268	3268	0
			.rodata	80971	80971	0
			.text	581580	581580	0
	pump-controller-app	LP_CC2652R7	(read only)	655943	655943	0
			(read/write)	188600	188600	0
			.bss	73812	73812	0
			.data	3232	3232	0
			.rodata	83911	83911	0
			.text	571548	571548	0
cyw30739	light	cyw930739m2evb_01	(read/write)	627586	627586	0
			.app_xip_area	530176	530176	0
			.bss	80052	80052	0
			.data	708	708	0
			.rodata	0	0	0
			.text	0	0	0
	lock	cyw930739m2evb_01	(read/write)	626474	626474	0
			.app_xip_area	530520	530520	0
			.bss	78628	78628	0
			.data	672	672	0
			.rodata	0	0	0
			.text	0	0	0
	ota-requestor-no-progress-logging	cyw930739m2evb_01	(read/write)	575234	575234	0
			.app_xip_area	469564	469564	0
			.bss	88048	88048	0
			.data	584	584	0
			.rodata	0	0	0
			.text	112	112	0
efr32	lighting-app	BRD4161A	(read only)	910096	910096	0
			(read/write)	134520	134520	0
			.bss	132456	132456	0
			.data	2064	2064	0
			.text	910088	910088	0
		BRD4161A+rpc	(read only)	944440	944440	0
			(read/write)	151208	151208	0
			.bss	148936	148936	0
			.data	2268	2268	0
			.text	944432	944432	0
		BRD4161A+rs911x	(read only)	787676	787676	0
			(read/write)	129776	129776	0
			.bss	127708	127708	0
			.data	2068	2068	0
			.text	787668	787668	0
	lock-app	BRD4161A+wf200	(read only)	946768	946768	0
			(read/write)	124268	124268	0
			.bss	122244	122244	0
			.data	2024	2024	0
			.text	946760	946760	0
	window-app	BRD4161A	(read only)	890408	890408	0
			(read/write)	134472	134472	0
			.bss	132416	132416	0
			.data	2052	2052	0
			.text	890400	890400	0
esp32	all-clusters-app	c3devkit	(read only)	1001090	1001090	0
			(read/write)	`1475658`	`1475658`	0
			.dram0.bss	68464	68464	0
			.dram0.data	14444	14444	0
			.flash.rodata	208304	208304	0
			.flash.text	1001090	1001090	0
			.iram0.text	62020	62020	0
		m5stack	(read only)	1056031	1056031	0
			(read/write)	478088	478088	0
			.dram0.bss	73984	73984	0
			.dram0.data	34184	34184	0
			.flash.rodata	238084	238084	0
			.flash.text	1050647	1050647	0
			.iram0.text	123107	123107	0
k32w	light	k32w061+release	(read/write)	685136	685136	0
			.bss	81248	81248	0
			.data	2020	2020	0
			.text	600164	600164	0
	lock	k32w061+release	(read/write)	730468	730468	0
			.bss	81680	81680	0
			.data	1980	1980	0
			.text	645104	645104	0
linux	all-clusters-app	debug	(read only)	2740441	2740441	0
			(read/write)	174488	174488	0
			.bss	83904	83904	0
			.data	2064	2064	0
			.data.rel.ro	82392	82392	0
			.dynamic	608	608	0
			.got	4464	4464	0
			.init	27	27	0
			.init_array	1008	1008	0
			.rodata	236357	236357	0
			.text	2328882	2328882	0
	bridge-app	debug+rpc	(read only)	1894545	1894545	0
			(read/write)	120984	120984	0
			.bss	71520	71520	0
			.data	3488	3488	0
			.data.rel.ro	40648	40648	0
			.dynamic	592	592	0
			.got	4032	4032	0
			.init	27	27	0
			.init_array	688	688	0
			.rodata	161593	161593	0
			.text	`1610098`	`1610098`	0
	chip-tool	debug	(read only)	9104757	9105653	896
			(read/write)	576944	576944	0
			.bss	22816	22816	0
			.data	1136	1136	0
			.data.rel.ro	546728	546728	0
			.dynamic	624	624	0
			.got	4952	4952	0
			.init	27	27	0
			.init_array	648	648	0
			.rodata	471701	471701	0
			.text	`7309237`	7310133	896
	chip-tool-no-interactive-ipv6only	arm64	(read only)	`8924476`	8925404	928
			(read/write)	643089	643089	0
			.bss	41105	41105	0
			.data	1192	1192	0
			.data.rel.ro	582000	582000	0
			.dynamic	560	560	0
			.got	14976	14976	0
			.init	24	24	0
			.init_array	184	184	0
			.rodata	438748	438748	0
			.text	7026468	7027396	928
	lighting-app	debug+rpc	(read only)	2328625	2328625	0
			(read/write)	151936	151936	0
			.bss	73568	73568	0
			.data	2048	2048	0
			.data.rel.ro	70568	70568	0
			.dynamic	608	608	0
			.got	4320	4320	0
			.init	27	27	0
			.init_array	792	792	0
			.rodata	185721	185721	0
			.text	1976194	1976194	0
	lock-app	debug	(read only)	2235921	2235921	0
			(read/write)	146520	146520	0
			.bss	72192	72192	0
			.data	1568	1568	0
			.data.rel.ro	67080	67080	0
			.dynamic	592	592	0
			.got	4312	4312	0
			.init	27	27	0
			.init_array	752	752	0
			.rodata	195465	195465	0
			.text	1880098	1880098	0
	ota-provider-app	debug	(read only)	2064249	2064249	0
			(read/write)	139632	139632	0
			.bss	71680	71680	0
			.data	1736	1736	0
			.data.rel.ro	60440	60440	0
			.dynamic	608	608	0
			.got	4480	4480	0
			.init	27	27	0
			.init_array	648	648	0
			.rodata	176467	176467	0
			.text	`1729890`	`1729890`	0
	ota-requestor-app	debug	(read only)	`2095425`	`2095425`	0
			(read/write)	142440	142440	0
			.bss	72320	72320	0
			.data	1992	1992	0
			.data.rel.ro	62504	62504	0
			.dynamic	592	592	0
			.got	4320	4320	0
			.init	27	27	0
			.init_array	672	672	0
			.rodata	172796	172796	0
			.text	1763250	1763250	0
	shell	debug	(read only)	2565417	2565417	0
			(read/write)	198160	198160	0
			.bss	114408	114408	0
			.data	1376	1376	0
			.data.rel.ro	76656	76656	0
			.dynamic	592	592	0
			.got	4184	4184	0
			.init	27	27	0
			.init_array	928	928	0
			.rodata	217810	217810	0
			.text	`2185506`	`2185506`	0
	thermostat-no-ble	arm64	(read only)	2368620	2368620	0
			(read/write)	175121	175121	0
			.bss	86417	86417	0
			.data	1520	1520	0
			.data.rel.ro	79376	79376	0
			.dynamic	560	560	0
			.got	4768	4768	0
			.init	24	24	0
			.init_array	376	376	0
			.rodata	146844	146844	0
			.text	1992032	1992032	0
	tv-app	debug	(read only)	2852865	`2853761`	896
			(read/write)	277248	277248	0
			.bss	189464	189464	0
			.data	4672	4672	0
			.data.rel.ro	76872	76872	0
			.dynamic	592	592	0
			.got	4696	4696	0
			.init	27	27	0
			.init_array	928	928	0
			.rodata	218411	218411	0
			.text	2451778	2452674	896
mbed	lock-app	CY8CPROTO_062_4343W+release	(read only)	6224	6224	0
			(read/write)	2420084	2420084	0
			.bss	205820	205820	0
			.data	5872	5872	0
			.text	1382684	1382684	0
nrfconnect	all-clusters-app	nrf52840dk_nrf52840	(read/write)	`1179787`	`1179787`	0
			bss	139680	139680	0
			rodata	151532	151532	0
			text	809856	809856	0
p6	all-clusters-app	default	(read/write)	2531536	2531536	0
			.bss	139328	139328	0
			.data	2808	2808	0
			.text	1489800	1489800	0
	light-app	default	(read/write)	2421592	2421592	0
			.bss	132656	132656	0
			.data	2608	2608	0
			.text	`1379856`	`1379856`	0
	lock-app	default	(read/write)	2431096	2431096	0
			.bss	132472	132472	0
			.data	2568	2568	0
			.text	`1389360`	`1389360`	0
telink	lighting-app	tlsr9518adk80d	(read/write)	806024	806024	0
			bss	72176	72176	0
			noinit	40416	40416	0
			text	572426	572426	0

pullapprove bot requested review from sagar-apple, saurabhst, selissia, tcarmelveilleux, tecimovic, turon, vijs, vivien-apple, wbschiller, woody-apple, xylophone21 and yufengwangca May 9, 2022 18:14

pullapprove bot added the review - pending label May 9, 2022

tcarmelveilleux reviewed May 9, 2022

View reviewed changes

src/credentials/attestation_verifier/DefaultDeviceAttestationVerifier.cpp Outdated Show resolved Hide resolved

tcarmelveilleux reviewed May 9, 2022

View reviewed changes

src/credentials/attestation_verifier/DeviceAttestationVerifier.h Outdated Show resolved Hide resolved

Updated DefaultDeviceAttestationVerifier to Verify that PAA KeyId is …

f622684

…in the Certification Declaration.

emargolis force-pushed the emargolis/feature/authorized-paa-to-default-att-verifier branch from 68f4278 to f622684 Compare May 9, 2022 19:49

tcarmelveilleux approved these changes May 9, 2022

View reviewed changes

emargolis mentioned this pull request May 9, 2022

Add Support for AuthorizedPAAList elements to the Certification Declaration APIs #18061

Closed

msandstedt approved these changes May 10, 2022

View reviewed changes

pullapprove bot added review - approved and removed review - pending labels May 10, 2022

bzbarsky-apple approved these changes May 11, 2022

View reviewed changes

bzbarsky-apple merged commit b351579 into project-chip:master May 11, 2022

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Updated DefaultDeviceAttestationVerifier to Verify that PAA KeyId is in the CD. #18219

Updated DefaultDeviceAttestationVerifier to Verify that PAA KeyId is in the CD. #18219

emargolis commented May 9, 2022

github-actions bot commented May 9, 2022 •

edited

Loading

github-actions bot commented May 9, 2022 •

edited

Loading

Updated DefaultDeviceAttestationVerifier to Verify that PAA KeyId is in the CD. #18219

Updated DefaultDeviceAttestationVerifier to Verify that PAA KeyId is in the CD. #18219

Conversation

emargolis commented May 9, 2022

Problem

Change overview

Testing

github-actions bot commented May 9, 2022 • edited Loading

github-actions bot commented May 9, 2022 • edited Loading

github-actions bot commented May 9, 2022 •

edited

Loading

github-actions bot commented May 9, 2022 •

edited

Loading