From f8f4c37552a7b60f50a258454bd363901d230f17 Mon Sep 17 00:00:00 2001 From: Ricardo Casallas Date: Thu, 30 Jun 2022 09:12:47 -0400 Subject: [PATCH 1/4] EFR32: DeviceAttestationCredentialsProvider implemented. --- examples/platform/efr32/efr32_certs.h | 15 +++ .../operational-credentials-server.cpp | 1 - src/credentials/BUILD.gn | 17 ++- .../platform/KvsPersistentStorageDelegate.h | 1 + src/platform/EFR32/BUILD.gn | 4 + .../EFR32/DeviceAttestationCredsImpl.cpp | 104 ++++++++++++++++++ src/platform/device.gni | 3 + third_party/silabs/efr32_sdk.gni | 13 +++ 8 files changed, 151 insertions(+), 7 deletions(-) create mode 100644 examples/platform/efr32/efr32_certs.h create mode 100644 src/platform/EFR32/DeviceAttestationCredsImpl.cpp diff --git a/examples/platform/efr32/efr32_certs.h b/examples/platform/efr32/efr32_certs.h new file mode 100644 index 00000000000000..35a77a89599d0a --- /dev/null +++ b/examples/platform/efr32/efr32_certs.h @@ -0,0 +1,15 @@ +#ifndef MATTER_MFG_TOKENS_EFR32 +#define MATTER_MFG_TOKENS_EFR32 + +#define EFR32_CERTS_DAC_ID PSA_KEY_ID_USER_MIN + 1 + +#define CREATOR_MFG_MATTER_CD (USERDATA_TOKENS | 0x200) // 4 bytes 0x226 +#define CREATOR_MFG_MATTER_PAI (USERDATA_TOKENS | 0x444) // 4 bytes +#define CREATOR_MFG_MATTER_DAC (USERDATA_TOKENS | 0x614) // 4 bytes + +#define MFG_MATTER_CD_SIZE 541 +#define MFG_MATTER_PAI_SIZE 463 +#define MFG_MATTER_DAC_SIZE 492 +#define MFG_MATTER_DAC_KEY_ID PSA_KEY_ID_USER_MIN + 1 + +#endif // MATTER_MFG_TOKENS_EFR32 diff --git a/src/app/clusters/operational-credentials-server/operational-credentials-server.cpp b/src/app/clusters/operational-credentials-server/operational-credentials-server.cpp index 20c5be2e8052f7..3127a3f75b0c08 100644 --- a/src/app/clusters/operational-credentials-server/operational-credentials-server.cpp +++ b/src/app/clusters/operational-credentials-server/operational-credentials-server.cpp @@ -41,7 +41,6 @@ #include #include #include -#include #include #include #include 
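Review bot: In the new efr32_certs.h, `EFR32_CERTS_DAC_ID` and `MFG_MATTER_DAC_KEY_ID` both expand to the unparenthesized expression `PSA_KEY_ID_USER_MIN + 1`, so a use next to a higher-precedence operator or a cast binds to the wrong operand. This value selects the key the device attests with, so define it once as `#define MFG_MATTER_DAC_KEY_ID (PSA_KEY_ID_USER_MIN + 1)` and drop the duplicate name. The same unparenthesized definition is carried into efr32_creds.h in patch 2/4. The header also has no license banner, unlike the .cpp added in the same commit.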
diff --git a/src/credentials/BUILD.gn b/src/credentials/BUILD.gn index ad809326b892d2..875cc378350584 100644 --- a/src/credentials/BUILD.gn +++ b/src/credentials/BUILD.gn @@ -47,16 +47,21 @@ static_library("credentials") { "attestation_verifier/DeviceAttestationDelegate.h", "attestation_verifier/DeviceAttestationVerifier.cpp", "attestation_verifier/DeviceAttestationVerifier.h", - "examples/DeviceAttestationCredsExample.cpp", - "examples/DeviceAttestationCredsExample.h", - "examples/ExampleDACs.cpp", - "examples/ExampleDACs.h", - "examples/ExamplePAI.cpp", - "examples/ExamplePAI.h", "examples/LastKnownGoodTimeCertificateValidityPolicyExample.h", "examples/StrictCertificateValidityPolicyExample.h", ] + if (!chip_device_attestation_credentials) { + sources += [ + "examples/DeviceAttestationCredsExample.cpp", + "examples/DeviceAttestationCredsExample.h", + "examples/ExampleDACs.cpp", + "examples/ExampleDACs.h", + "examples/ExamplePAI.cpp", + "examples/ExamplePAI.h", + ] + } + # TODO: These tests files should be removed after the DeviceAttestationCredsExample implementation # is changed to generate it's own credentials instead of using Test credentials. # For mbed and nrfconnect test builds, which are bilding monolithic test library these files are not needed. diff --git a/src/include/platform/KvsPersistentStorageDelegate.h b/src/include/platform/KvsPersistentStorageDelegate.h index 42ca6f481e6b4c..0348e92bf2c08d 100644 --- a/src/include/platform/KvsPersistentStorageDelegate.h +++ b/src/include/platform/KvsPersistentStorageDelegate.h @@ -22,6 +22,7 @@ #include #include #include +#include #include namespace chip { diff --git a/src/platform/EFR32/BUILD.gn b/src/platform/EFR32/BUILD.gn index a50db957df5e48..860fa8e905d4bc 100644 --- a/src/platform/EFR32/BUILD.gn +++ b/src/platform/EFR32/BUILD.gn 
@@ -56,6 +56,10 @@ static_library("EFR32") { "gatt_db.h", ] + if (chip_device_attestation_credentials) { + sources += [ "DeviceAttestationCredsImpl.cpp" ] + } + if (chip_enable_ota_requestor) { sources += [ "OTAImageProcessorImpl.cpp", diff --git a/src/platform/EFR32/DeviceAttestationCredsImpl.cpp b/src/platform/EFR32/DeviceAttestationCredsImpl.cpp new file mode 100644 index 00000000000000..54d26ba359731e --- /dev/null +++ b/src/platform/EFR32/DeviceAttestationCredsImpl.cpp 
@@ -0,0 +1,104 @@ +/* + * + * Copyright (c) 2021 Project CHIP Authors + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +#include +#include +#include +#include +#include + +#include "efr32_certs.h" +#include "psa/crypto.h" +#include "sl_token_api.h" +#include "sl_token_manager.h" + +namespace chip { +namespace Credentials { +namespace Examples { + +namespace { + +class DeviceAttestationCredsImpl : public DeviceAttestationCredentialsProvider +{ +public: + CHIP_ERROR GetCertificationDeclaration(MutableByteSpan & out_buffer) override + { + uint8_t cd_buf[MFG_MATTER_CD_SIZE]; + ByteSpan cd_span(cd_buf); + + int err = sl_token_get_data(CREATOR_MFG_MATTER_CD, 0, cd_buf, sizeof(cd_buf)); + ChipLogProgress(DeviceLayer, "~ GetCertificationDeclaration-1.2, size:%u, err:%d\r\n", sizeof(cd_buf), err); + VerifyOrReturnError(!err, CHIP_ERROR_INTERNAL); + ChipLogByteSpan(DeviceLayer, cd_span); + return CopySpanToMutableSpan(cd_span, out_buffer); + } + + CHIP_ERROR GetFirmwareInformation(MutableByteSpan & out_firmware_info_buffer) override + { + // TODO: We need a real example FirmwareInformation to be populated. 
+ out_firmware_info_buffer.reduce_size(0); + return CHIP_NO_ERROR; + } + + CHIP_ERROR GetDeviceAttestationCert(MutableByteSpan & out_buffer) override + { + uint8_t cert_buf[MFG_MATTER_DAC_SIZE]; + ByteSpan cert_span(cert_buf); + + int err = sl_token_get_data(CREATOR_MFG_MATTER_DAC, 0, cert_buf, sizeof(cert_buf)); + ChipLogProgress(DeviceLayer, "~ GetDeviceAttestationCert, size:%u, err:%d\r\n", sizeof(cert_buf), err); + VerifyOrReturnError(!err, CHIP_ERROR_INTERNAL); + ChipLogByteSpan(DeviceLayer, cert_span); + return CopySpanToMutableSpan(cert_span, out_buffer); + } + + CHIP_ERROR GetProductAttestationIntermediateCert(MutableByteSpan & out_pai_buffer) override + { + uint8_t cert_buf[MFG_MATTER_PAI_SIZE]; + ByteSpan cert_span(cert_buf); + + int err = sl_token_get_data(CREATOR_MFG_MATTER_PAI, 0, cert_buf, sizeof(cert_buf)); + ChipLogProgress(DeviceLayer, "~ GetProductAttestationIntermediateCert, size:%u, err:%d\r\n", sizeof(cert_buf), err); + VerifyOrReturnError(!err, CHIP_ERROR_INTERNAL); + ChipLogByteSpan(DeviceLayer, cert_span); + return CopySpanToMutableSpan(cert_span, out_pai_buffer); + } + + CHIP_ERROR SignWithDeviceAttestationKey(const ByteSpan & digest_to_sign, MutableByteSpan & out_buffer) override + { + psa_key_id_t key_id = MFG_MATTER_DAC_KEY_ID; + uint8_t signature[chip::Crypto::kSHA256_Hash_Length] = { 0 }; + size_t signature_size = sizeof(signature); + + psa_status_t err = psa_sign_hash(key_id, PSA_ALG_ECDSA(PSA_ALG_SHA_256), digest_to_sign.data(), digest_to_sign.size(), + signature, signature_size, &signature_size); + VerifyOrReturnError(!err, CHIP_ERROR_INTERNAL); + + return CopySpanToMutableSpan(ByteSpan(signature, signature_size), out_buffer); + } +}; + +} // namespace + +DeviceAttestationCredentialsProvider * GetExampleDACProvider() +{ + static DeviceAttestationCredsImpl dac_provider; + return &dac_provider; +} + +} // namespace Examples +} // namespace Credentials +} // namespace chip 
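Review bot: `SignWithDeviceAttestationKey` sizes its output buffer with `chip::Crypto::kSHA256_Hash_Length`, which is the digest length, not the signature length. For a P-256 key (assumed here for the DAC key), `psa_sign_hash` with `PSA_ALG_ECDSA` produces a raw r||s signature of twice that size, so the call would presumably return a buffer-too-small status and every attestation request would end in CHIP_ERROR_INTERNAL. Size the buffer for the signature instead: `uint8_t signature[chip::Crypto::kP256_ECDSA_Signature_Length_Raw] = { 0 };`. The PSA status is also discarded by `VerifyOrReturnError(!err, CHIP_ERROR_INTERNAL)`; logging `err` before returning would make a missing or mis-provisioned key diagnosable.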
diff --git a/src/platform/device.gni b/src/platform/device.gni index 9af7d49c0d3141..6880e85efdb1f6 100755 --- a/src/platform/device.gni +++ b/src/platform/device.gni @@ -23,6 +23,9 @@ declare_args() { # Substitute fake platform when building with chip_device_platform=auto. chip_fake_platform = false + + # Set to true to use actual device attestation credentials + chip_device_attestation_credentials = false } if (chip_device_platform == "auto") { diff --git a/third_party/silabs/efr32_sdk.gni b/third_party/silabs/efr32_sdk.gni index 6e2ec20615d7ed..a40cda2108c7b3 100644 --- a/third_party/silabs/efr32_sdk.gni +++ b/third_party/silabs/efr32_sdk.gni @@ -103,6 +103,13 @@ template("efr32_sdk") { "${efr32_sdk_root}/platform/service/sleeptimer/config", "${efr32_sdk_root}/platform/service/system/inc", "${efr32_sdk_root}/platform/service/udelay/inc", + "${efr32_sdk_root}/platform/service/legacy_hal/inc", + "${efr32_sdk_root}/platform/service/token_manager/config", + "${efr32_sdk_root}/platform/service/token_manager/inc", + "${efr32_sdk_root}/platform/service/token_manager/test", + "${efr32_sdk_root}/platform/service/token_manager/test/include", + "${efr32_sdk_root}/platform/service/token_manager/test/stack/config", + "${efr32_sdk_root}/platform/service/token_manager/test/stack/include", "${efr32_sdk_root}/platform/middleware/glib", "${efr32_sdk_root}/platform/middleware/glib/glib", "${efr32_sdk_root}/platform/middleware/glib/dmd", @@ -153,6 +160,8 @@ template("efr32_sdk") { "MBEDTLS_THREADING_ALT=1", "SL_THREADING_ALT=1", "SL_COMPONENT_CATALOG_PRESENT", + "PLATFORM_HEADER=\"platform-header.h\"", + "USE_NVM3=1", #"__STACK_SIZE=0", ] 
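Review bot: The first efr32_sdk.gni hunk adds four directories under `token_manager/test` to the include path of every EFR32 build, which puts SDK test headers in scope for production firmware. If they are only needed to resolve the `PLATFORM_HEADER` define added in the next hunk (an inference, since the hunk does not say), state that above the entries, e.g. `# token_manager/test/*: only for platform-header.h (PLATFORM_HEADER)`. In that case the list should be limited to the one directory that holds that header.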
@@ -346,6 +355,7 @@ template("efr32_sdk") { "${efr32_sdk_root}/platform/radio/rail_lib/plugin/rail_util_pti/sl_rail_util_pti.c", "${efr32_sdk_root}/platform/service/device_init/src/sl_device_init_nvic.c", "${efr32_sdk_root}/platform/service/hfxo_manager/src/sl_hfxo_manager.c", + "${efr32_sdk_root}/platform/service/legacy_hal/src/token_legacy.c", "${efr32_sdk_root}/platform/service/mpu/src/sl_mpu.c", "${efr32_sdk_root}/platform/service/power_manager/src/sl_power_manager.c", "${efr32_sdk_root}/platform/service/power_manager/src/sl_power_manager_debug.c", @@ -357,6 +367,9 @@ template("efr32_sdk") { "${efr32_sdk_root}/platform/service/system/src/sl_system_init.c", "${efr32_sdk_root}/platform/service/system/src/sl_system_kernel.c", "${efr32_sdk_root}/platform/service/system/src/sl_system_process_action.c", + "${efr32_sdk_root}/platform/service/token_manager/src/sl_token_def.c", + "${efr32_sdk_root}/platform/service/token_manager/src/sl_token_manager.c", + "${efr32_sdk_root}/platform/service/token_manager/src/sl_token_manufacturing.c", "${efr32_sdk_root}/platform/service/udelay/src/sl_udelay.c", "${efr32_sdk_root}/platform/service/udelay/src/sl_udelay_armv6m_gcc.S", "${efr32_sdk_root}/protocol/bluetooth/src/sl_bt_mbedtls_context.c", From 76863b3cef49564884cf8eed0606522e87d8f035 Mon Sep 17 00:00:00 2001 
From: Ricardo Casallas Date: Thu, 30 Jun 2022 13:19:03 -0400 Subject: [PATCH 2/4] EFR32: DeviceAttestationCredentialsProvider: Review comments applied. --- .../light-switch-app/efr32/src/AppTask.cpp | 8 +++ examples/lighting-app/efr32/src/AppTask.cpp | 8 +++ examples/lock-app/efr32/src/AppTask.cpp | 8 +++ examples/platform/efr32/BUILD.gn | 5 ++ examples/platform/efr32/efr32_certs.h | 15 ----- examples/platform/efr32/efr32_creds.h | 57 +++++++++++++++++++ examples/window-app/common/src/WindowApp.cpp | 8 +++ src/credentials/BUILD.gn | 17 ++---- src/platform/EFR32/BUILD.gn | 7 +-- ...pl.cpp => EFR32DeviceAttestationCreds.cpp} | 25 +++----- .../EFR32/EFR32DeviceAttestationCreds.h | 39 +++++++++++++ src/platform/device.gni | 3 - 12 files changed, 150 insertions(+), 50 deletions(-) delete mode 100644 examples/platform/efr32/efr32_certs.h create mode 100644 examples/platform/efr32/efr32_creds.h rename src/platform/EFR32/{DeviceAttestationCredsImpl.cpp => EFR32DeviceAttestationCreds.cpp} (75%) create mode 100644 src/platform/EFR32/EFR32DeviceAttestationCreds.h diff --git a/examples/light-switch-app/efr32/src/AppTask.cpp b/examples/light-switch-app/efr32/src/AppTask.cpp index fe982497bd6245..d92124af297648 100644 --- a/examples/light-switch-app/efr32/src/AppTask.cpp +++ b/examples/light-switch-app/efr32/src/AppTask.cpp @@ -42,7 +42,11 @@ #include #include +#ifdef EFR32_ATTESTATION_CREDENTIALS +#include +#else #include +#endif #include #include @@ -198,7 +202,11 @@ CHIP_ERROR AppTask::Init() chip::DeviceLayer::PlatformMgr().LockChipStack(); // Initialize device attestation config +#ifdef EFR32_ATTESTATION_CREDENTIALS + SetDeviceAttestationCredentialsProvider(EFR32::GetDACProvider()); +#else SetDeviceAttestationCredentialsProvider(Examples::GetExampleDACProvider()); +#endif chip::DeviceLayer::PlatformMgr().UnlockChipStack(); // Create FreeRTOS sw timer for Function Selection. 
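Review bot: The `#ifdef EFR32_ATTESTATION_CREDENTIALS` guards added to light-switch-app's AppTask.cpp are true even when the feature is switched off, because this same commit defines the macro as `EFR32_ATTESTATION_CREDENTIALS=0` in examples/platform/efr32/BUILD.gn. This app therefore always installs `EFR32::GetDACProvider()` and reads the DAC and PAI from manufacturing tokens, which on an unprovisioned board presumably makes attestation fail instead of falling back to the example credentials. Use the value test that lighting-app already uses, `#if EFR32_ATTESTATION_CREDENTIALS`, in both hunks here and in the matching hunks of lock-app/efr32/src/AppTask.cpp and window-app/common/src/WindowApp.cpp.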
diff --git a/examples/lighting-app/efr32/src/AppTask.cpp b/examples/lighting-app/efr32/src/AppTask.cpp index 7e1e8d9a811e82..4e43169e4a1a2c 100644 --- a/examples/lighting-app/efr32/src/AppTask.cpp +++ b/examples/lighting-app/efr32/src/AppTask.cpp @@ -40,7 +40,11 @@ #include #include +#if EFR32_ATTESTATION_CREDENTIALS +#include +#else #include +#endif #include #include @@ -203,7 +207,11 @@ CHIP_ERROR AppTask::Init() chip::DeviceLayer::PlatformMgr().LockChipStack(); // Initialize device attestation config +#if EFR32_ATTESTATION_CREDENTIALS + SetDeviceAttestationCredentialsProvider(EFR32::GetDACProvider()); +#else SetDeviceAttestationCredentialsProvider(Examples::GetExampleDACProvider()); +#endif chip::DeviceLayer::PlatformMgr().UnlockChipStack(); // Create FreeRTOS sw timer for Function Selection. diff --git a/examples/lock-app/efr32/src/AppTask.cpp b/examples/lock-app/efr32/src/AppTask.cpp index d3cc7e9a6f17d6..c835b26bdbc036 100644 --- a/examples/lock-app/efr32/src/AppTask.cpp +++ b/examples/lock-app/efr32/src/AppTask.cpp @@ -44,7 +44,11 @@ #include #include +#ifdef EFR32_ATTESTATION_CREDENTIALS +#include +#else #include +#endif #include #include @@ -212,7 +216,11 @@ CHIP_ERROR AppTask::Init() chip::DeviceLayer::PlatformMgr().LockChipStack(); // Initialize device attestation config +#ifdef EFR32_ATTESTATION_CREDENTIALS + SetDeviceAttestationCredentialsProvider(EFR32::GetDACProvider()); +#else SetDeviceAttestationCredentialsProvider(Examples::GetExampleDACProvider()); +#endif chip::DeviceLayer::PlatformMgr().UnlockChipStack(); // Create FreeRTOS sw timer for Function Selection. diff --git a/examples/platform/efr32/BUILD.gn b/examples/platform/efr32/BUILD.gn index 185651c5de3a61..7b981b118798d7 100644 --- a/examples/platform/efr32/BUILD.gn +++ b/examples/platform/efr32/BUILD.gn 
@@ -37,6 +37,11 @@ config("chip_examples_project_config") { "-Wl,--wrap=_free_r", "-Wl,--wrap=_calloc_r", ] + + defines = [ + # Set to 1 to enable EFR32 attestation credentials + "EFR32_ATTESTATION_CREDENTIALS=0", + ] } source_set("openthread_core_config_efr32_chip_examples") { diff --git a/examples/platform/efr32/efr32_certs.h b/examples/platform/efr32/efr32_certs.h deleted file mode 100644 index 35a77a89599d0a..00000000000000 --- a/examples/platform/efr32/efr32_certs.h +++ /dev/null @@ -1,15 +0,0 @@ -#ifndef MATTER_MFG_TOKENS_EFR32 -#define MATTER_MFG_TOKENS_EFR32 - -#define EFR32_CERTS_DAC_ID PSA_KEY_ID_USER_MIN + 1 - -#define CREATOR_MFG_MATTER_CD (USERDATA_TOKENS | 0x200) // 4 bytes 0x226 -#define CREATOR_MFG_MATTER_PAI (USERDATA_TOKENS | 0x444) // 4 bytes -#define CREATOR_MFG_MATTER_DAC (USERDATA_TOKENS | 0x614) // 4 bytes - -#define MFG_MATTER_CD_SIZE 541 -#define MFG_MATTER_PAI_SIZE 463 -#define MFG_MATTER_DAC_SIZE 492 -#define MFG_MATTER_DAC_KEY_ID PSA_KEY_ID_USER_MIN + 1 - -#endif // MATTER_MFG_TOKENS_EFR32 diff --git a/examples/platform/efr32/efr32_creds.h b/examples/platform/efr32/efr32_creds.h new file mode 100644 index 00000000000000..3ce14016918ad3 --- /dev/null +++ b/examples/platform/efr32/efr32_creds.h 
@@ -0,0 +1,57 @@ +#ifndef MATTER_DEVICE_CREDENTIALS_EFR32 +#define MATTER_DEVICE_CREDENTIALS_EFR32 + +//-> format_version = 1 +//-> vendor_id = 0xFFF1 +//-> product_id_array = [ 0x8000, 0x8001, 0x8002, 0x8003, 0x8004, 0x8005, 0x8006, 0x8007, 0x8008, 0x8009, 0x800A, 0x800B, +// 0x800C, 0x800D, 0x800E, 0x800F, 0x8010, 0x8011, 0x8012, 0x8013, 0x8014, 0x8015, 0x8016, 0x8017, 0x8018, 0x8019, 0x801A, +// 0x801B, 0x801C, 0x801D, 0x801E, 0x801F, 0x8020, 0x8021, 0x8022, 0x8023, 0x8024, 0x8025, 0x8026, 0x8027, 0x8028, 0x8029, +// 0x802A, 0x802B, 0x802C, 0x802D, 0x802E, 0x802F, 0x8030, 0x8031, 0x8032, 0x8033, 0x8034, 0x8035, 0x8036, 0x8037, 0x8038, +// 0x8039, 0x803A, 0x803B, 0x803C, 0x803D, 0x803E, 0x803F, 0x8040, 0x8041, 0x8042, 0x8043, 0x8044, 0x8045, 0x8046, 0x8047, +// 0x8048, 0x8049, 0x804A, 0x804B, 0x804C, 0x804D, 0x804E, 0x804F, 0x8050, 0x8051, 0x8052, 0x8053, 0x8054, 0x8055, 0x8056, +// 0x8057, 0x8058, 0x8059, 0x805A, 0x805B, 0x805C, 0x805D, 0x805E, 0x805F, 0x8060, 0x8061, 0x8062, 0x8063 ] +//-> device_type_id = 0x0016 +//-> certificate_id = "ZIG20142ZB330003-24" +//-> security_level = 0 +//-> security_information = 0 +//-> version_number = 0x2694 +//-> certification_type = 0 +//-> dac_origin_vendor_id is not present +//-> dac_origin_product_id is not present +const uint8_t kCertificationDeclaration[541] = { + 0x30, 0x82, 0x02, 0x19, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x02, 0xa0, 0x82, 0x02, 0x0a, 0x30, 0x82, + 0x02, 0x06, 0x02, 0x01, 0x03, 0x31, 0x0d, 0x30, 0x0b, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x30, + 0x82, 0x01, 0x71, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01, 0xa0, 0x82, 0x01, 0x62, 0x04, 0x82, 0x01, + 0x5e, 0x15, 0x24, 0x00, 0x01, 0x25, 0x01, 0xf1, 0xff, 0x36, 0x02, 0x05, 0x00, 0x80, 0x05, 0x01, 0x80, 0x05, 0x02, 0x80, 0x05, + 0x03, 0x80, 0x05, 0x04, 0x80, 0x05, 0x05, 0x80, 0x05, 0x06, 0x80, 0x05, 0x07, 0x80, 0x05, 0x08, 0x80, 0x05, 0x09, 0x80, 0x05, + 0x0a, 0x80, 0x05, 0x0b, 0x80, 
0x05, 0x0c, 0x80, 0x05, 0x0d, 0x80, 0x05, 0x0e, 0x80, 0x05, 0x0f, 0x80, 0x05, 0x10, 0x80, 0x05, + 0x11, 0x80, 0x05, 0x12, 0x80, 0x05, 0x13, 0x80, 0x05, 0x14, 0x80, 0x05, 0x15, 0x80, 0x05, 0x16, 0x80, 0x05, 0x17, 0x80, 0x05, + 0x18, 0x80, 0x05, 0x19, 0x80, 0x05, 0x1a, 0x80, 0x05, 0x1b, 0x80, 0x05, 0x1c, 0x80, 0x05, 0x1d, 0x80, 0x05, 0x1e, 0x80, 0x05, + 0x1f, 0x80, 0x05, 0x20, 0x80, 0x05, 0x21, 0x80, 0x05, 0x22, 0x80, 0x05, 0x23, 0x80, 0x05, 0x24, 0x80, 0x05, 0x25, 0x80, 0x05, + 0x26, 0x80, 0x05, 0x27, 0x80, 0x05, 0x28, 0x80, 0x05, 0x29, 0x80, 0x05, 0x2a, 0x80, 0x05, 0x2b, 0x80, 0x05, 0x2c, 0x80, 0x05, + 0x2d, 0x80, 0x05, 0x2e, 0x80, 0x05, 0x2f, 0x80, 0x05, 0x30, 0x80, 0x05, 0x31, 0x80, 0x05, 0x32, 0x80, 0x05, 0x33, 0x80, 0x05, + 0x34, 0x80, 0x05, 0x35, 0x80, 0x05, 0x36, 0x80, 0x05, 0x37, 0x80, 0x05, 0x38, 0x80, 0x05, 0x39, 0x80, 0x05, 0x3a, 0x80, 0x05, + 0x3b, 0x80, 0x05, 0x3c, 0x80, 0x05, 0x3d, 0x80, 0x05, 0x3e, 0x80, 0x05, 0x3f, 0x80, 0x05, 0x40, 0x80, 0x05, 0x41, 0x80, 0x05, + 0x42, 0x80, 0x05, 0x43, 0x80, 0x05, 0x44, 0x80, 0x05, 0x45, 0x80, 0x05, 0x46, 0x80, 0x05, 0x47, 0x80, 0x05, 0x48, 0x80, 0x05, + 0x49, 0x80, 0x05, 0x4a, 0x80, 0x05, 0x4b, 0x80, 0x05, 0x4c, 0x80, 0x05, 0x4d, 0x80, 0x05, 0x4e, 0x80, 0x05, 0x4f, 0x80, 0x05, + 0x50, 0x80, 0x05, 0x51, 0x80, 0x05, 0x52, 0x80, 0x05, 0x53, 0x80, 0x05, 0x54, 0x80, 0x05, 0x55, 0x80, 0x05, 0x56, 0x80, 0x05, + 0x57, 0x80, 0x05, 0x58, 0x80, 0x05, 0x59, 0x80, 0x05, 0x5a, 0x80, 0x05, 0x5b, 0x80, 0x05, 0x5c, 0x80, 0x05, 0x5d, 0x80, 0x05, + 0x5e, 0x80, 0x05, 0x5f, 0x80, 0x05, 0x60, 0x80, 0x05, 0x61, 0x80, 0x05, 0x62, 0x80, 0x05, 0x63, 0x80, 0x18, 0x24, 0x03, 0x16, + 0x2c, 0x04, 0x13, 0x5a, 0x49, 0x47, 0x32, 0x30, 0x31, 0x34, 0x32, 0x5a, 0x42, 0x33, 0x33, 0x30, 0x30, 0x30, 0x33, 0x2d, 0x32, + 0x34, 0x24, 0x05, 0x00, 0x24, 0x06, 0x00, 0x25, 0x07, 0x94, 0x26, 0x24, 0x08, 0x00, 0x18, 0x31, 0x7d, 0x30, 0x7b, 0x02, 0x01, + 0x03, 0x80, 0x14, 0x62, 0xfa, 0x82, 0x33, 0x59, 0xac, 0xfa, 0xa9, 0x96, 0x3e, 0x1c, 0xfa, 0x14, 0x0a, 0xdd, 
0xf5, 0x04, 0xf3, + 0x71, 0x60, 0x30, 0x0b, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, + 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x04, 0x47, 0x30, 0x45, 0x02, 0x20, 0x24, 0xe5, 0xd1, 0xf4, 0x7a, 0x7d, 0x7b, 0x0d, 0x20, + 0x6a, 0x26, 0xef, 0x69, 0x9b, 0x7c, 0x97, 0x57, 0xb7, 0x2d, 0x46, 0x90, 0x89, 0xde, 0x31, 0x92, 0xe6, 0x78, 0xc7, 0x45, 0xe7, + 0xf6, 0x0c, 0x02, 0x21, 0x00, 0xf8, 0xaa, 0x2f, 0xa7, 0x11, 0xfc, 0xb7, 0x9b, 0x97, 0xe3, 0x97, 0xce, 0xda, 0x66, 0x7b, 0xae, + 0x46, 0x4e, 0x2b, 0xd3, 0xff, 0xdf, 0xc3, 0xcc, 0xed, 0x7a, 0xa8, 0xca, 0x5f, 0x4c, 0x1a, 0x7c +}; + +#define CREATOR_MFG_MATTER_PAI (USERDATA_TOKENS | 0x400) // 4 bytes +#define CREATOR_MFG_MATTER_DAC (USERDATA_TOKENS | 0x600) // 4 bytes + +#define MFG_MATTER_PAI_SIZE 463 +#define MFG_MATTER_DAC_SIZE 492 +#define MFG_MATTER_DAC_KEY_ID PSA_KEY_ID_USER_MIN + 1 + +#endif // MATTER_DEVICE_CREDENTIALS_EFR32 diff --git a/examples/window-app/common/src/WindowApp.cpp b/examples/window-app/common/src/WindowApp.cpp index 4c846ecf6a8c05..c8e6429fb88c3d 100644 --- a/examples/window-app/common/src/WindowApp.cpp +++ b/examples/window-app/common/src/WindowApp.cpp @@ -22,7 +22,11 @@ #include #include #include +#ifdef EFR32_ATTESTATION_CREDENTIALS +#include +#else #include +#endif #include #include @@ -113,7 +117,11 @@ WindowApp::Cover * WindowApp::GetCover(chip::EndpointId endpoint) CHIP_ERROR WindowApp::Init() { // Initialize device attestation config +#ifdef EFR32_ATTESTATION_CREDENTIALS + SetDeviceAttestationCredentialsProvider(EFR32::GetDACProvider()); +#else SetDeviceAttestationCredentialsProvider(Examples::GetExampleDACProvider()); +#endif ConfigurationMgr().LogDeviceConfig(); diff --git a/src/credentials/BUILD.gn b/src/credentials/BUILD.gn index 875cc378350584..ad809326b892d2 100644 --- a/src/credentials/BUILD.gn +++ b/src/credentials/BUILD.gn 
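Review bot: The `kCertificationDeclaration` array added in efr32_creds.h is, by its own header comment, a test declaration (`vendor_id = 0xFFF1`, `certification_type = 0`), yet `GetCertificationDeclaration` returns it whenever the EFR32 provider is selected, alongside a DAC and PAI read from the device. A product build that turns `EFR32_ATTESTATION_CREDENTIALS` on would still present a development CD. Mark that at the definition, e.g. `// TEST ONLY: development CD for test vendor 0xFFF1; replace with the product's CD before shipping`. As added here the header also uses `uint8_t` without including a header that declares it.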
@@ -47,21 +47,16 @@ static_library("credentials") { "attestation_verifier/DeviceAttestationDelegate.h", "attestation_verifier/DeviceAttestationVerifier.cpp", "attestation_verifier/DeviceAttestationVerifier.h", + "examples/DeviceAttestationCredsExample.cpp", + "examples/DeviceAttestationCredsExample.h", + "examples/ExampleDACs.cpp", + "examples/ExampleDACs.h", + "examples/ExamplePAI.cpp", + "examples/ExamplePAI.h", "examples/LastKnownGoodTimeCertificateValidityPolicyExample.h", "examples/StrictCertificateValidityPolicyExample.h", ] - if (!chip_device_attestation_credentials) { - sources += [ - "examples/DeviceAttestationCredsExample.cpp", - "examples/DeviceAttestationCredsExample.h", - "examples/ExampleDACs.cpp", - "examples/ExampleDACs.h", - "examples/ExamplePAI.cpp", - "examples/ExamplePAI.h", - ] - } - # TODO: These tests files should be removed after the DeviceAttestationCredsExample implementation # is changed to generate it's own credentials instead of using Test credentials. # For mbed and nrfconnect test builds, which are bilding monolithic test library these files are not needed. diff --git a/src/platform/EFR32/BUILD.gn b/src/platform/EFR32/BUILD.gn index 860fa8e905d4bc..814d9b835ca17d 100644 --- a/src/platform/EFR32/BUILD.gn +++ b/src/platform/EFR32/BUILD.gn @@ -25,6 +25,7 @@ if (chip_enable_openthread) { static_library("EFR32") { sources = [ + "${chip_root}/src/credentials/DeviceAttestationCredsProvider.h", "../FreeRTOS/SystemTimeSupport.cpp", "../SingletonConfigurationManager.cpp", "BLEManagerImpl.cpp", @@ -43,6 +44,8 @@ static_library("EFR32") { "DiagnosticDataProviderImpl.h", "EFR32Config.cpp", "EFR32Config.h", + "EFR32DeviceAttestationCreds.cpp", + "EFR32DeviceAttestationCreds.h", "InetPlatformConfig.h", "KeyValueStoreManagerImpl.cpp", "KeyValueStoreManagerImpl.h", 
@@ -56,10 +59,6 @@ static_library("EFR32") { "gatt_db.h", ] - if (chip_device_attestation_credentials) { - sources += [ "DeviceAttestationCredsImpl.cpp" ] - } - if (chip_enable_ota_requestor) { sources += [ "OTAImageProcessorImpl.cpp", diff --git a/src/platform/EFR32/DeviceAttestationCredsImpl.cpp b/src/platform/EFR32/EFR32DeviceAttestationCreds.cpp similarity index 75% rename from src/platform/EFR32/DeviceAttestationCredsImpl.cpp rename to src/platform/EFR32/EFR32DeviceAttestationCreds.cpp index 54d26ba359731e..678099d1c54410 100644 --- a/src/platform/EFR32/DeviceAttestationCredsImpl.cpp +++ b/src/platform/EFR32/EFR32DeviceAttestationCreds.cpp @@ -14,35 +14,28 @@ * See the License for the specific language governing permissions and * limitations under the License. */ -#include +#include "EFR32DeviceAttestationCreds.h" #include #include #include #include -#include "efr32_certs.h" +#include "efr32_creds.h" #include "psa/crypto.h" #include "sl_token_api.h" -#include "sl_token_manager.h" namespace chip { namespace Credentials { -namespace Examples { +namespace EFR32 { namespace { -class DeviceAttestationCredsImpl : public DeviceAttestationCredentialsProvider +class DeviceAttestationCredsEFR32 : public DeviceAttestationCredentialsProvider { public: CHIP_ERROR GetCertificationDeclaration(MutableByteSpan & out_buffer) override { - uint8_t cd_buf[MFG_MATTER_CD_SIZE]; - ByteSpan cd_span(cd_buf); - - int err = sl_token_get_data(CREATOR_MFG_MATTER_CD, 0, cd_buf, sizeof(cd_buf)); - ChipLogProgress(DeviceLayer, "~ GetCertificationDeclaration-1.2, size:%u, err:%d\r\n", sizeof(cd_buf), err); - VerifyOrReturnError(!err, CHIP_ERROR_INTERNAL); - ChipLogByteSpan(DeviceLayer, cd_span); + ByteSpan cd_span(kCertificationDeclaration); return CopySpanToMutableSpan(cd_span, out_buffer); } 
@@ -59,7 +52,6 @@ class DeviceAttestationCredsImpl : public DeviceAttestationCredentialsProvider ByteSpan cert_span(cert_buf); int err = sl_token_get_data(CREATOR_MFG_MATTER_DAC, 0, cert_buf, sizeof(cert_buf)); - ChipLogProgress(DeviceLayer, "~ GetDeviceAttestationCert, size:%u, err:%d\r\n", sizeof(cert_buf), err); VerifyOrReturnError(!err, CHIP_ERROR_INTERNAL); ChipLogByteSpan(DeviceLayer, cert_span); return CopySpanToMutableSpan(cert_span, out_buffer); @@ -71,7 +63,6 @@ class DeviceAttestationCredsImpl : public DeviceAttestationCredentialsProvider ByteSpan cert_span(cert_buf); int err = sl_token_get_data(CREATOR_MFG_MATTER_PAI, 0, cert_buf, sizeof(cert_buf)); - ChipLogProgress(DeviceLayer, "~ GetProductAttestationIntermediateCert, size:%u, err:%d\r\n", sizeof(cert_buf), err); VerifyOrReturnError(!err, CHIP_ERROR_INTERNAL); ChipLogByteSpan(DeviceLayer, cert_span); return CopySpanToMutableSpan(cert_span, out_pai_buffer); @@ -93,12 +84,12 @@ class DeviceAttestationCredsImpl : public DeviceAttestationCredentialsProvider } // namespace -DeviceAttestationCredentialsProvider * GetExampleDACProvider() +DeviceAttestationCredentialsProvider * GetDACProvider() { - static DeviceAttestationCredsImpl dac_provider; + static DeviceAttestationCredsEFR32 dac_provider; return &dac_provider; } -} // namespace Examples +} // namespace EFR32 } // namespace Credentials } // namespace chip diff --git a/src/platform/EFR32/EFR32DeviceAttestationCreds.h b/src/platform/EFR32/EFR32DeviceAttestationCreds.h new file mode 100644 index 00000000000000..923b8d45f68471 --- /dev/null +++ b/src/platform/EFR32/EFR32DeviceAttestationCreds.h 
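Review bot: `GetDeviceAttestationCert` and `GetProductAttestationIntermediateCert` always return the whole fixed-size token buffer (`MFG_MATTER_DAC_SIZE`, `MFG_MATTER_PAI_SIZE`), so the certificate handed out is only well-formed when the provisioned DER is exactly 492 or 463 bytes long. A certificate of any other length would either not fit the token or be returned with trailing bytes, which a verifier is likely to reject. Store the length with the data (or derive it from the DER header) and build the span from it, `ByteSpan cert_span(cert_buf, cert_len);`, where `cert_len` is that provisioned length. The `ChipLogByteSpan` of the full certificate on every request could also be dropped, as the `ChipLogProgress` lines were. Both function bodies begin outside these hunks.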
@@ -0,0 +1,39 @@ +/* + * + * Copyright (c) 2022 Project CHIP Authors + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +#pragma once + +// The "sl_token_manager.h" include belongs to the .cpp file, but the formatter change the order +// of the headers, causing a compilation error, so the include had to be added here instead +#include "sl_token_manager.h" +#include + +namespace chip { +namespace Credentials { +namespace EFR32 { + +/** + * @brief Get implementation of a sample DAC provider to validate device + * attestation procedure. + * + * @returns a singleton DeviceAttestationCredentialsProvider that relies on no + * storage abstractions. + */ +DeviceAttestationCredentialsProvider * GetDACProvider(); + +} // namespace EFR32 +} // namespace Credentials +} // namespace chip diff --git a/src/platform/device.gni b/src/platform/device.gni index 6880e85efdb1f6..9af7d49c0d3141 100755 --- a/src/platform/device.gni +++ b/src/platform/device.gni @@ -23,9 +23,6 @@ declare_args() { # Substitute fake platform when building with chip_device_platform=auto. chip_fake_platform = false - - # Set to true to use actual device attestation credentials - chip_device_attestation_credentials = false } if (chip_device_platform == "auto") { From 9ae8cb10db3193b6abbd3a6def931dc686518bb4 Mon Sep 17 00:00:00 2001 
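Review bot: The doc comment on `GetDACProvider()` was carried over from the example provider and no longer describes this one. It calls it a "sample DAC provider" that "relies on no storage abstractions", while the implementation in this commit reads the DAC and PAI through `sl_token_get_data` and signs with a PSA key id. Reword it, e.g. `@brief Get the EFR32 DAC provider, which reads the DAC and PAI from manufacturing tokens and signs with the PSA-held DAC key.` Including `sl_token_manager.h` in this header only to defeat include sorting exposes an SDK header to every includer; keeping it in the .cpp between `// clang-format off` and `// clang-format on` would avoid that.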
From: Ricardo Casallas Date: Thu, 30 Jun 2022 15:17:17 -0400 Subject: [PATCH 3/4] EFR32: DeviceAttestationCredentialsProvider: Review comments applied. --- examples/chef/efr32/BUILD.gn | 7 +++++++ examples/chef/efr32/src/AppTask.cpp | 9 -------- examples/chef/efr32/src/main.cpp | 16 ++++++++++++++ examples/light-switch-app/efr32/BUILD.gn | 7 +++++++ .../light-switch-app/efr32/src/AppTask.cpp | 17 --------------- examples/light-switch-app/efr32/src/main.cpp | 16 ++++++++++++++ examples/lighting-app/efr32/BUILD.gn | 7 +++++++ examples/lighting-app/efr32/src/AppTask.cpp | 17 --------------- examples/lighting-app/efr32/src/main.cpp | 16 ++++++++++++++ examples/lock-app/efr32/BUILD.gn | 7 +++++++ examples/lock-app/efr32/src/AppTask.cpp | 17 --------------- examples/lock-app/efr32/src/main.cpp | 16 ++++++++++++++ examples/platform/efr32/BUILD.gn | 21 ++++++++++++++----- .../efr32}/EFR32DeviceAttestationCreds.cpp | 8 +++---- .../efr32}/EFR32DeviceAttestationCreds.h | 2 +- examples/platform/efr32/efr32_creds.h | 15 ++++++++++--- examples/window-app/efr32/BUILD.gn | 7 +++++++ src/lib/lib.gni | 3 +++ src/platform/EFR32/BUILD.gn | 3 --- 19 files changed, 135 insertions(+), 76 deletions(-) rename {src/platform/EFR32 => examples/platform/efr32}/EFR32DeviceAttestationCreds.cpp (91%) rename {src/platform/EFR32 => examples/platform/efr32}/EFR32DeviceAttestationCreds.h (95%) diff --git a/examples/chef/efr32/BUILD.gn b/examples/chef/efr32/BUILD.gn index 4161916a993f49..ac399e9f46297d 100644 --- a/examples/chef/efr32/BUILD.gn +++ b/examples/chef/efr32/BUILD.gn @@ -336,6 +336,13 @@ efr32_executable("chef_app") { ] } + # Attestation Credentials + if (chip_build_device_attestation_credentials) { + deps += [ + "${examples_plat_dir}:efr32-attestation-credentials", + ] + } + output_dir = root_out_dir } diff --git a/examples/chef/efr32/src/AppTask.cpp b/examples/chef/efr32/src/AppTask.cpp index 15ff91d64a5fa6..b6450ba696d126 100644 --- a/examples/chef/efr32/src/AppTask.cpp 
+++ b/examples/chef/efr32/src/AppTask.cpp @@ -43,9 +43,6 @@ #include -#include -#include - #include #include @@ -167,7 +164,6 @@ Identify gIdentify = { } // namespace using namespace chip::TLV; -using namespace ::chip::Credentials; using namespace ::chip::DeviceLayer; AppTask AppTask::sAppTask; @@ -205,11 +201,6 @@ CHIP_ERROR AppTask::Init() sWiFiNetworkCommissioningInstance.Init(); #endif - chip::DeviceLayer::PlatformMgr().LockChipStack(); - // Initialize device attestation config - SetDeviceAttestationCredentialsProvider(Examples::GetExampleDACProvider()); - chip::DeviceLayer::PlatformMgr().UnlockChipStack(); - // Create FreeRTOS sw timer for Function Selection. sFunctionTimer = xTimerCreate("FnTmr", // Just a text name, not used by the RTOS kernel 1, // == default timer period (mS) diff --git a/examples/chef/efr32/src/main.cpp b/examples/chef/efr32/src/main.cpp index 920f51b8e5805d..3f2cc598599b4e 100644 --- a/examples/chef/efr32/src/main.cpp +++ b/examples/chef/efr32/src/main.cpp @@ -25,12 +25,19 @@ #include "sl_system_kernel.h" #include #include +#include #include +#if EFR32_ATTESTATION_CREDENTIALS +#include +#else +#include +#endif #define BLE_DEV_NAME "SiLabs-Chef-App" using namespace ::chip; using namespace ::chip::Inet; using namespace ::chip::DeviceLayer; +using namespace ::chip::Credentials; #define UNUSED_PARAMETER(a) (a = a) 
@@ -49,6 +56,15 @@ int main(void) gExampleDeviceInfoProvider.SetStorageDelegate(&Server::GetInstance().GetPersistentStorage()); chip::DeviceLayer::SetDeviceInfoProvider(&gExampleDeviceInfoProvider); + chip::DeviceLayer::PlatformMgr().LockChipStack(); + // Initialize device attestation config +#if EFR32_ATTESTATION_CREDENTIALS + SetDeviceAttestationCredentialsProvider(EFR32::GetEFR32DacProvider()); +#else + SetDeviceAttestationCredentialsProvider(Examples::GetExampleDACProvider()); +#endif + chip::DeviceLayer::PlatformMgr().UnlockChipStack(); + EFR32_LOG("Starting App Task"); if (GetAppTask().StartAppTask() != CHIP_NO_ERROR) appError(CHIP_ERROR_INTERNAL); diff --git a/examples/light-switch-app/efr32/BUILD.gn b/examples/light-switch-app/efr32/BUILD.gn index 7d870ecd737eb0..3514a6a2329c45 100644 --- a/examples/light-switch-app/efr32/BUILD.gn +++ b/examples/light-switch-app/efr32/BUILD.gn @@ -323,6 +323,13 @@ efr32_executable("light_switch_app") { ] } + # Attestation Credentials + if (chip_build_device_attestation_credentials) { + deps += [ + "${examples_plat_dir}:efr32-attestation-credentials", + ] + } + output_dir = root_out_dir } diff --git a/examples/light-switch-app/efr32/src/AppTask.cpp b/examples/light-switch-app/efr32/src/AppTask.cpp index d92124af297648..da0e20396ba733 100644 --- a/examples/light-switch-app/efr32/src/AppTask.cpp +++ b/examples/light-switch-app/efr32/src/AppTask.cpp @@ -41,13 +41,6 @@ #include -#include -#ifdef EFR32_ATTESTATION_CREDENTIALS -#include -#else -#include -#endif - #include #include @@ -162,7 +155,6 @@ Identify gIdentify = { }; } // namespace using namespace chip::TLV; -using namespace ::chip::Credentials; using namespace ::chip::DeviceLayer; AppTask AppTask::sAppTask; 
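Review bot: The `#else` branch added to `main()` installs `Examples::GetExampleDACProvider()` with no run-time trace, so an image built without `EFR32_ATTESTATION_CREDENTIALS` presents the example attestation credentials and nothing in its log says so. A log line in that branch would make the selection visible on the console, for example `EFR32_LOG("Device attestation: using example DAC provider");`, placed outside the `LockChipStack()`/`UnlockChipStack()` pair. The same block is added in the light-switch-app, lighting-app and lock-app `main.cpp` hunks, so the line belongs in each of them, or the block could move into one shared helper. The body of `main()` starts outside the hunk.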
@@ -200,15 +192,6 @@ CHIP_ERROR AppTask::Init() sWiFiNetworkCommissioningInstance.Init(); #endif - chip::DeviceLayer::PlatformMgr().LockChipStack(); - // Initialize device attestation config -#ifdef EFR32_ATTESTATION_CREDENTIALS - SetDeviceAttestationCredentialsProvider(EFR32::GetDACProvider()); -#else - SetDeviceAttestationCredentialsProvider(Examples::GetExampleDACProvider()); -#endif - chip::DeviceLayer::PlatformMgr().UnlockChipStack(); - // Create FreeRTOS sw timer for Function Selection. sFunctionTimer = xTimerCreate("FnTmr", // Just a text name, not used by the RTOS kernel 1, // == default timer period (mS) diff --git a/examples/light-switch-app/efr32/src/main.cpp b/examples/light-switch-app/efr32/src/main.cpp index 685d223daf8eed..12e9d085b953ef 100644 --- a/examples/light-switch-app/efr32/src/main.cpp +++ b/examples/light-switch-app/efr32/src/main.cpp @@ -25,12 +25,19 @@ #include "sl_system_kernel.h" #include #include +#include #include +#if EFR32_ATTESTATION_CREDENTIALS +#include +#else +#include +#endif #define BLE_DEV_NAME "SiLabs-Light-Switch" using namespace ::chip; using namespace ::chip::Inet; using namespace ::chip::DeviceLayer; +using namespace ::chip::Credentials; #define UNUSED_PARAMETER(a) (a = a) @@ -49,6 +56,15 @@ int main(void) gExampleDeviceInfoProvider.SetStorageDelegate(&Server::GetInstance().GetPersistentStorage()); chip::DeviceLayer::SetDeviceInfoProvider(&gExampleDeviceInfoProvider); + chip::DeviceLayer::PlatformMgr().LockChipStack(); + // Initialize device attestation config +#if EFR32_ATTESTATION_CREDENTIALS + SetDeviceAttestationCredentialsProvider(EFR32::GetEFR32DacProvider()); +#else + SetDeviceAttestationCredentialsProvider(Examples::GetExampleDACProvider()); +#endif + chip::DeviceLayer::PlatformMgr().UnlockChipStack(); + EFR32_LOG("Starting App Task"); if (GetAppTask().StartAppTask() != CHIP_NO_ERROR) appError(CHIP_ERROR_INTERNAL); 
diff --git a/examples/lighting-app/efr32/BUILD.gn b/examples/lighting-app/efr32/BUILD.gn index 192833797494b2..dcc4f37a91522e 100644 --- a/examples/lighting-app/efr32/BUILD.gn +++ b/examples/lighting-app/efr32/BUILD.gn @@ -331,6 +331,13 @@ efr32_executable("lighting_app") { ] } + # Attestation Credentials + if (chip_build_device_attestation_credentials) { + deps += [ + "${examples_plat_dir}:efr32-attestation-credentials", + ] + } + output_dir = root_out_dir } diff --git a/examples/lighting-app/efr32/src/AppTask.cpp b/examples/lighting-app/efr32/src/AppTask.cpp index 4e43169e4a1a2c..3edc00dfa8855e 100644 --- a/examples/lighting-app/efr32/src/AppTask.cpp +++ b/examples/lighting-app/efr32/src/AppTask.cpp @@ -39,13 +39,6 @@ #include -#include -#if EFR32_ATTESTATION_CREDENTIALS -#include -#else -#include -#endif - #include #include @@ -167,7 +160,6 @@ Identify gIdentify = { } // namespace using namespace chip::TLV; -using namespace ::chip::Credentials; using namespace ::chip::DeviceLayer; AppTask AppTask::sAppTask; @@ -205,15 +197,6 @@ CHIP_ERROR AppTask::Init() sWiFiNetworkCommissioningInstance.Init(); #endif - chip::DeviceLayer::PlatformMgr().LockChipStack(); - // Initialize device attestation config -#if EFR32_ATTESTATION_CREDENTIALS - SetDeviceAttestationCredentialsProvider(EFR32::GetDACProvider()); -#else - SetDeviceAttestationCredentialsProvider(Examples::GetExampleDACProvider()); -#endif - chip::DeviceLayer::PlatformMgr().UnlockChipStack(); - // Create FreeRTOS sw timer for Function Selection. sFunctionTimer = xTimerCreate("FnTmr", // Just a text name, not used by the RTOS kernel 1, // == default timer period (mS) diff --git a/examples/lighting-app/efr32/src/main.cpp b/examples/lighting-app/efr32/src/main.cpp index 54137f45c89043..1484e6e18a4290 100644 --- a/examples/lighting-app/efr32/src/main.cpp +++ b/examples/lighting-app/efr32/src/main.cpp 
@@ -25,12 +25,19 @@ #include "sl_system_kernel.h" #include #include +#include #include +#if EFR32_ATTESTATION_CREDENTIALS +#include +#else +#include +#endif #define BLE_DEV_NAME "SiLabs-Light" using namespace ::chip; using namespace ::chip::Inet; using namespace ::chip::DeviceLayer; +using namespace ::chip::Credentials; #define UNUSED_PARAMETER(a) (a = a) @@ -49,6 +56,15 @@ int main(void) gExampleDeviceInfoProvider.SetStorageDelegate(&chip::Server::GetInstance().GetPersistentStorage()); chip::DeviceLayer::SetDeviceInfoProvider(&gExampleDeviceInfoProvider); + chip::DeviceLayer::PlatformMgr().LockChipStack(); + // Initialize device attestation config +#if EFR32_ATTESTATION_CREDENTIALS + SetDeviceAttestationCredentialsProvider(EFR32::GetEFR32DacProvider()); +#else + SetDeviceAttestationCredentialsProvider(Examples::GetExampleDACProvider()); +#endif + chip::DeviceLayer::PlatformMgr().UnlockChipStack(); + EFR32_LOG("Starting App Task"); if (GetAppTask().StartAppTask() != CHIP_NO_ERROR) appError(CHIP_ERROR_INTERNAL); diff --git a/examples/lock-app/efr32/BUILD.gn b/examples/lock-app/efr32/BUILD.gn index 679ed1f46cda3d..68b3ea1852f13c 100644 --- a/examples/lock-app/efr32/BUILD.gn +++ b/examples/lock-app/efr32/BUILD.gn @@ -328,6 +328,13 @@ efr32_executable("lock_app") { ] } + # Attestation Credentials + if (chip_build_device_attestation_credentials) { + deps += [ + "${examples_plat_dir}:efr32-attestation-credentials", + ] + } + output_dir = root_out_dir } group("efr32") { diff --git a/examples/lock-app/efr32/src/AppTask.cpp b/examples/lock-app/efr32/src/AppTask.cpp index c835b26bdbc036..d87601c361fd74 100644 --- a/examples/lock-app/efr32/src/AppTask.cpp +++ b/examples/lock-app/efr32/src/AppTask.cpp @@ -43,13 +43,6 @@ #include -#include -#ifdef EFR32_ATTESTATION_CREDENTIALS -#include -#else -#include -#endif - #include #include 
@@ -176,7 +169,6 @@ Identify gIdentify = { } // namespace using namespace chip::TLV; -using namespace ::chip::Credentials; using namespace ::chip::DeviceLayer; AppTask AppTask::sAppTask; @@ -214,15 +206,6 @@ CHIP_ERROR AppTask::Init() sWiFiNetworkCommissioningInstance.Init(); #endif - chip::DeviceLayer::PlatformMgr().LockChipStack(); - // Initialize device attestation config -#ifdef EFR32_ATTESTATION_CREDENTIALS - SetDeviceAttestationCredentialsProvider(EFR32::GetDACProvider()); -#else - SetDeviceAttestationCredentialsProvider(Examples::GetExampleDACProvider()); -#endif - chip::DeviceLayer::PlatformMgr().UnlockChipStack(); - // Create FreeRTOS sw timer for Function Selection. sFunctionTimer = xTimerCreate("FnTmr", // Just a text name, not used by the RTOS kernel 1, // == default timer period (mS) diff --git a/examples/lock-app/efr32/src/main.cpp b/examples/lock-app/efr32/src/main.cpp index cbc0c3643f07ff..444910bf16856e 100644 --- a/examples/lock-app/efr32/src/main.cpp +++ b/examples/lock-app/efr32/src/main.cpp @@ -25,12 +25,19 @@ #include "sl_system_kernel.h" #include #include +#include #include +#if EFR32_ATTESTATION_CREDENTIALS +#include +#else +#include +#endif #define BLE_DEV_NAME "SiLabs-Door-Lock" using namespace ::chip; using namespace ::chip::Inet; using namespace ::chip::DeviceLayer; +using namespace ::chip::Credentials; #define UNUSED_PARAMETER(a) (a = a) 
@@ -49,6 +56,15 @@ int main(void) gExampleDeviceInfoProvider.SetStorageDelegate(&Server::GetInstance().GetPersistentStorage()); chip::DeviceLayer::SetDeviceInfoProvider(&gExampleDeviceInfoProvider); + chip::DeviceLayer::PlatformMgr().LockChipStack(); + // Initialize device attestation config +#if EFR32_ATTESTATION_CREDENTIALS + SetDeviceAttestationCredentialsProvider(EFR32::GetEFR32DacProvider()); +#else + SetDeviceAttestationCredentialsProvider(Examples::GetExampleDACProvider()); +#endif + chip::DeviceLayer::PlatformMgr().UnlockChipStack(); + EFR32_LOG("Starting App Task"); if (GetAppTask().StartAppTask() != CHIP_NO_ERROR) appError(CHIP_ERROR_INTERNAL); diff --git a/examples/platform/efr32/BUILD.gn b/examples/platform/efr32/BUILD.gn index 7b981b118798d7..2b941225e3557d 100644 --- a/examples/platform/efr32/BUILD.gn +++ b/examples/platform/efr32/BUILD.gn @@ -37,11 +37,6 @@ config("chip_examples_project_config") { "-Wl,--wrap=_free_r", "-Wl,--wrap=_calloc_r", ] - - defines = [ - # Set to 1 to enable EFR32 attestation credentials - "EFR32_ATTESTATION_CREDENTIALS=0", - ] } source_set("openthread_core_config_efr32_chip_examples") { @@ -69,3 +64,19 @@ source_set("efr-matter-shell") { ] } } + +source_set("efr32-attestation-credentials") { + + public_deps = [ + "${chip_root}/src/credentials", + "${chip_root}/src/platform:platform_base", + ] + defines = [ + # Set to 1 to enable EFR32 attestation credentials + "EFR32_ATTESTATION_CREDENTIALS=1", + ] + sources = [ + "EFR32DeviceAttestationCreds.cpp", + "EFR32DeviceAttestationCreds.h", + ] +} \ No newline at end of file diff --git a/src/platform/EFR32/EFR32DeviceAttestationCreds.cpp b/examples/platform/efr32/EFR32DeviceAttestationCreds.cpp similarity index 91% rename from src/platform/EFR32/EFR32DeviceAttestationCreds.cpp rename to examples/platform/efr32/EFR32DeviceAttestationCreds.cpp index 678099d1c54410..3ef57746e8341b 100644 --- a/src/platform/EFR32/EFR32DeviceAttestationCreds.cpp 
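Review bot: The `defines` list inside `source_set("efr32-attestation-credentials")` applies only to that target's own sources, so `EFR32_ATTESTATION_CREDENTIALS=1` does not reach the application `main.cpp` files that test it with `#if`. This commit also removes the `EFR32_ATTESTATION_CREDENTIALS=0` entry from `chip_examples_project_config`, so those files would see the macro as undefined and take the `#else` branch, selecting the example DAC provider even when `chip_build_device_attestation_credentials` is true, unless the macro is set somewhere outside this diff. Moving the define into a `config` that the source set exports through `public_configs` gives the target and its dependents the same value, and the target-local `defines` list then becomes redundant.

```gn
config("efr32-attestation-credentials-config") {
  defines = [ "EFR32_ATTESTATION_CREDENTIALS=1" ]
}

source_set("efr32-attestation-credentials") {
  public_configs = [ ":efr32-attestation-credentials-config" ]
  # … unchanged: public_deps, sources …
}
```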
+++ b/examples/platform/efr32/EFR32DeviceAttestationCreds.cpp @@ -70,9 +70,9 @@ class DeviceAttestationCredsEFR32 : public DeviceAttestationCredentialsProvider CHIP_ERROR SignWithDeviceAttestationKey(const ByteSpan & digest_to_sign, MutableByteSpan & out_buffer) override { - psa_key_id_t key_id = MFG_MATTER_DAC_KEY_ID; - uint8_t signature[chip::Crypto::kSHA256_Hash_Length] = { 0 }; - size_t signature_size = sizeof(signature); + psa_key_id_t key_id = MFG_MATTER_DAC_KEY_ID; + uint8_t signature[64] = { 0 }; + size_t signature_size = sizeof(signature); psa_status_t err = psa_sign_hash(key_id, PSA_ALG_ECDSA(PSA_ALG_SHA_256), digest_to_sign.data(), digest_to_sign.size(), signature, signature_size, &signature_size); @@ -84,7 +84,7 @@ class DeviceAttestationCredsEFR32 : public DeviceAttestationCredentialsProvider } // namespace -DeviceAttestationCredentialsProvider * GetDACProvider() +DeviceAttestationCredentialsProvider * GetEFR32DacProvider() { static DeviceAttestationCredsEFR32 dac_provider; return &dac_provider; diff --git a/src/platform/EFR32/EFR32DeviceAttestationCreds.h b/examples/platform/efr32/EFR32DeviceAttestationCreds.h similarity index 95% rename from src/platform/EFR32/EFR32DeviceAttestationCreds.h rename to examples/platform/efr32/EFR32DeviceAttestationCreds.h index 923b8d45f68471..3dbc48a01b0872 100644 --- a/src/platform/EFR32/EFR32DeviceAttestationCreds.h +++ b/examples/platform/efr32/EFR32DeviceAttestationCreds.h @@ -32,7 +32,7 @@ namespace EFR32 { * @returns a singleton DeviceAttestationCredentialsProvider that relies on no * storage abstractions. */ -DeviceAttestationCredentialsProvider * GetDACProvider(); +DeviceAttestationCredentialsProvider * GetEFR32DacProvider(); } // namespace EFR32 } // namespace Credentials diff --git a/examples/platform/efr32/efr32_creds.h b/examples/platform/efr32/efr32_creds.h index 3ce14016918ad3..52514adec3969f 100644 --- a/examples/platform/efr32/efr32_creds.h +++ b/examples/platform/efr32/efr32_creds.h 
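Review bot: The new `uint8_t signature[64]` in `SignWithDeviceAttestationKey` corrects the undersized buffer but hard-codes the raw P-256 ECDSA signature length as a bare number. Naming the size keeps the buffer tied to the algorithm passed to `psa_sign_hash`: `uint8_t signature[chip::Crypto::kP256_ECDSA_Signature_Length_Raw] = { 0 };`. The rest of the function lies outside the hunk; if it does not already do so, it should check `err` and compare `signature_size` with `out_buffer.size()` before copying the signature out.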
@@ -1,5 +1,14 @@ -#ifndef MATTER_DEVICE_CREDENTIALS_EFR32 -#define MATTER_DEVICE_CREDENTIALS_EFR32 +/** + * This is a boilerplat header to define the EFR32 authentication credentials. + * Applications must provide their own version of this header, and include: + * - The content of the CSA-provided Certification Declaration + * - The location and size of the PAI, and DAC + * - The key ID of the key-pair associated with the DAC + * + * These credentials MUST be provided if the build variable "chip_build_device_attestation_credentials" is set to true. + */ +#ifndef EFR32_EXAMPLE_DEVICE_CREDENTIALS +#define EFR32_EXAMPLE_DEVICE_CREDENTIALS //-> format_version = 1 //-> vendor_id = 0xFFF1 @@ -54,4 +63,4 @@ const uint8_t kCertificationDeclaration[541] = { #define MFG_MATTER_DAC_SIZE 492 #define MFG_MATTER_DAC_KEY_ID PSA_KEY_ID_USER_MIN + 1 -#endif // MATTER_DEVICE_CREDENTIALS_EFR32 +#endif // EFR32_EXAMPLE_DEVICE_CREDENTIALS diff --git a/examples/window-app/efr32/BUILD.gn b/examples/window-app/efr32/BUILD.gn index d829fa9d15116b..ff3e96d6ee41b0 100644 --- a/examples/window-app/efr32/BUILD.gn +++ b/examples/window-app/efr32/BUILD.gn @@ -278,6 +278,13 @@ efr32_executable("window_app") { "-Wl,SILABS_WIFI=1", ] } + + # Attestation Credentials + if (chip_build_device_attestation_credentials) { + deps += [ + "${examples_plat_dir}:efr32-attestation-credentials", + ] + } } group("efr32") { diff --git a/src/lib/lib.gni b/src/lib/lib.gni index c78be22c2d9196..8150042ef4a4e7 100644 --- a/src/lib/lib.gni +++ b/src/lib/lib.gni @@ -20,4 +20,7 @@ declare_args() { # a Commissioner or Administrator that employs different or more complex # logic, this should be set to false. chip_build_default_attestation_verifier = true + + # Set to true to enable device-specific attestation credentials + chip_build_device_attestation_credentials = true } diff --git a/src/platform/EFR32/BUILD.gn b/src/platform/EFR32/BUILD.gn index 814d9b835ca17d..a50db957df5e48 100644 --- a/src/platform/EFR32/BUILD.gn 
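Review bot: The header comment added at the top of `efr32_creds.h` calls the contents "authentication credentials" and misspells "boilerplate", while the file holds device attestation material (Certification Declaration, PAI and DAC location, DAC key ID); the first line would read better as `This is a boilerplate header to define the EFR32 device attestation credentials.` The comment could also say that the values shipped here are examples (the context line `//-> vendor_id = 0xFFF1` suggests a test vendor ID), so that a product build replaces the file instead of inheriting it. In the second hunk `MFG_MATTER_DAC_KEY_ID` expands to `PSA_KEY_ID_USER_MIN + 1` without parentheses; `(PSA_KEY_ID_USER_MIN + 1)` is safer if the macro is ever used inside a larger expression.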
+++ b/src/platform/EFR32/BUILD.gn @@ -25,7 +25,6 @@ if (chip_enable_openthread) { static_library("EFR32") { sources = [ - "${chip_root}/src/credentials/DeviceAttestationCredsProvider.h", "../FreeRTOS/SystemTimeSupport.cpp", "../SingletonConfigurationManager.cpp", "BLEManagerImpl.cpp", @@ -44,8 +43,6 @@ static_library("EFR32") { "DiagnosticDataProviderImpl.h", "EFR32Config.cpp", "EFR32Config.h", - "EFR32DeviceAttestationCreds.cpp", - "EFR32DeviceAttestationCreds.h", "InetPlatformConfig.h", "KeyValueStoreManagerImpl.cpp", "KeyValueStoreManagerImpl.h", From 85da2fb38b6a597f504da4f30454d17a9209968e Mon Sep 17 00:00:00 2001 From: "Restyled.io" Date: Thu, 30 Jun 2022 19:50:24 +0000 Subject: [PATCH 4/4] Restyled by gn --- examples/chef/efr32/BUILD.gn | 4 +--- examples/light-switch-app/efr32/BUILD.gn | 4 +--- examples/lighting-app/efr32/BUILD.gn | 4 +--- examples/lock-app/efr32/BUILD.gn | 4 +--- examples/platform/efr32/BUILD.gn | 27 ++++++++++++------------ examples/window-app/efr32/BUILD.gn | 4 +--- 6 files changed, 18 insertions(+), 29 deletions(-) diff --git a/examples/chef/efr32/BUILD.gn b/examples/chef/efr32/BUILD.gn index ac399e9f46297d..9509cde10de3ec 100644 --- a/examples/chef/efr32/BUILD.gn +++ b/examples/chef/efr32/BUILD.gn @@ -338,9 +338,7 @@ efr32_executable("chef_app") { # Attestation Credentials if (chip_build_device_attestation_credentials) { - deps += [ - "${examples_plat_dir}:efr32-attestation-credentials", - ] + deps += [ "${examples_plat_dir}:efr32-attestation-credentials" ] } output_dir = root_out_dir diff --git a/examples/light-switch-app/efr32/BUILD.gn b/examples/light-switch-app/efr32/BUILD.gn index 3514a6a2329c45..e1ded1d429698b 100644 --- a/examples/light-switch-app/efr32/BUILD.gn +++ b/examples/light-switch-app/efr32/BUILD.gn 
@@ -325,9 +325,7 @@ efr32_executable("light_switch_app") { # Attestation Credentials if (chip_build_device_attestation_credentials) { - deps += [ - "${examples_plat_dir}:efr32-attestation-credentials", - ] + deps += [ "${examples_plat_dir}:efr32-attestation-credentials" ] } output_dir = root_out_dir diff --git a/examples/lighting-app/efr32/BUILD.gn b/examples/lighting-app/efr32/BUILD.gn index dcc4f37a91522e..60ca29f04a408d 100644 --- a/examples/lighting-app/efr32/BUILD.gn +++ b/examples/lighting-app/efr32/BUILD.gn @@ -333,9 +333,7 @@ efr32_executable("lighting_app") { # Attestation Credentials if (chip_build_device_attestation_credentials) { - deps += [ - "${examples_plat_dir}:efr32-attestation-credentials", - ] + deps += [ "${examples_plat_dir}:efr32-attestation-credentials" ] } output_dir = root_out_dir diff --git a/examples/lock-app/efr32/BUILD.gn b/examples/lock-app/efr32/BUILD.gn index 68b3ea1852f13c..163f1a944fe696 100644 --- a/examples/lock-app/efr32/BUILD.gn +++ b/examples/lock-app/efr32/BUILD.gn @@ -330,9 +330,7 @@ efr32_executable("lock_app") { # Attestation Credentials if (chip_build_device_attestation_credentials) { - deps += [ - "${examples_plat_dir}:efr32-attestation-credentials", - ] + deps += [ "${examples_plat_dir}:efr32-attestation-credentials" ] } output_dir = root_out_dir diff --git a/examples/platform/efr32/BUILD.gn b/examples/platform/efr32/BUILD.gn index 2b941225e3557d..cefa2c94599d8a 100644 --- a/examples/platform/efr32/BUILD.gn +++ b/examples/platform/efr32/BUILD.gn 
@@ -66,17 +66,16 @@ source_set("efr-matter-shell") { } source_set("efr32-attestation-credentials") { - - public_deps = [ - "${chip_root}/src/credentials", - "${chip_root}/src/platform:platform_base", - ] - defines = [ - # Set to 1 to enable EFR32 attestation credentials - "EFR32_ATTESTATION_CREDENTIALS=1", - ] - sources = [ - "EFR32DeviceAttestationCreds.cpp", - "EFR32DeviceAttestationCreds.h", - ] -} \ No newline at end of file + public_deps = [ + "${chip_root}/src/credentials", + "${chip_root}/src/platform:platform_base", + ] + defines = [ + # Set to 1 to enable EFR32 attestation credentials + "EFR32_ATTESTATION_CREDENTIALS=1", + ] + sources = [ + "EFR32DeviceAttestationCreds.cpp", + "EFR32DeviceAttestationCreds.h", + ] +} diff --git a/examples/window-app/efr32/BUILD.gn b/examples/window-app/efr32/BUILD.gn index ff3e96d6ee41b0..802eeeb30f3960 100644 --- a/examples/window-app/efr32/BUILD.gn +++ b/examples/window-app/efr32/BUILD.gn @@ -281,9 +281,7 @@ efr32_executable("window_app") { # Attestation Credentials if (chip_build_device_attestation_credentials) { - deps += [ - "${examples_plat_dir}:efr32-attestation-credentials", - ] + deps += [ "${examples_plat_dir}:efr32-attestation-credentials" ] } }