Skip to content

Commit

Permalink
[Silabs] Attestation credentials auto-detect.
Browse files Browse the repository at this point in the history
  • Loading branch information
rcasallas-silabs committed Aug 17, 2023
1 parent e1f0ffd commit d62524c
Show file tree
Hide file tree
Showing 6 changed files with 61 additions and 66 deletions.
9 changes: 1 addition & 8 deletions examples/platform/silabs/SiWx917/BUILD.gn
Original file line number Diff line number Diff line change
Expand Up @@ -134,11 +134,6 @@ source_set("siwx917-matter-shell") {

config("attestation-credentials-config") {
include_dirs = [ "${chip_root}" ]

defines = [
# Set to 1 to enable SI917 attestation credentials
"SILABS_ATTESTATION_CREDENTIALS",
]
}

source_set("siwx917-attestation-credentials") {
Expand Down Expand Up @@ -294,9 +289,7 @@ source_set("siwx917-common") {
}

# Attestation Credentials
if (chip_build_platform_attestation_credentials_provider) {
deps += [ ":siwx917-attestation-credentials" ]
}
deps += [ ":siwx917-attestation-credentials" ]

# Factory Data Provider
if (use_efr32_factory_data_provider) {
Expand Down
96 changes: 59 additions & 37 deletions examples/platform/silabs/SilabsDeviceAttestationCreds.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,7 @@
#include <lib/support/CodeUtils.h>
#include <lib/support/Span.h>
#include <platform/silabs/SilabsConfig.h>
#include <credentials/examples/DeviceAttestationCredsExample.h>
#include <psa/crypto.h>

#include "silabs_creds.h"
Expand All @@ -28,9 +29,6 @@ using namespace chip::DeviceLayer::Internal;

using chip::DeviceLayer::Internal::SilabsConfig;

extern uint8_t linker_nvm_end[];
static uint8_t * _credentials_address = (uint8_t *) linker_nvm_end;

namespace chip {
namespace Credentials {
namespace Silabs {
Expand All @@ -46,8 +44,17 @@ class DeviceAttestationCredsSilabs : public DeviceAttestationCredentialsProvider
public:
CHIP_ERROR GetCertificationDeclaration(MutableByteSpan & out_span) override
{
return GetFile("GetCertificationDeclaration", SilabsConfig::kConfigKey_Creds_CD_Offset, SILABS_CREDENTIALS_CD_OFFSET,
SilabsConfig::kConfigKey_Creds_CD_Size, SILABS_CREDENTIALS_CD_SIZE, out_span);
if (SilabsConfig::ConfigValueExists(SilabsConfig::kConfigKey_Creds_Base_Addr))
{
// Provisioned CD
return GetFile("GetCertificationDeclaration", SilabsConfig::kConfigKey_Creds_CD_Offset, SILABS_CREDENTIALS_CD_OFFSET,
SilabsConfig::kConfigKey_Creds_CD_Size, SILABS_CREDENTIALS_CD_SIZE, out_span);
}
else
{
// Example CD
return Examples::GetExampleDACProvider()->GetCertificationDeclaration(out_span);
}
}

CHIP_ERROR GetFirmwareInformation(MutableByteSpan & out_firmware_info_buffer) override
Expand All @@ -59,68 +66,83 @@ class DeviceAttestationCredsSilabs : public DeviceAttestationCredentialsProvider

CHIP_ERROR GetDeviceAttestationCert(MutableByteSpan & out_span) override
{
return GetFile("GetDeviceAttestationCert", SilabsConfig::kConfigKey_Creds_DAC_Offset, SILABS_CREDENTIALS_DAC_OFFSET,
SilabsConfig::kConfigKey_Creds_DAC_Size, SILABS_CREDENTIALS_DAC_SIZE, out_span);
if (SilabsConfig::ConfigValueExists(SilabsConfig::kConfigKey_Creds_Base_Addr))
{
// Provisioned DAC
return GetFile("GetDeviceAttestationCert", SilabsConfig::kConfigKey_Creds_DAC_Offset, SILABS_CREDENTIALS_DAC_OFFSET,
SilabsConfig::kConfigKey_Creds_DAC_Size, SILABS_CREDENTIALS_DAC_SIZE, out_span);
}
else
{
// Example DAC
return Examples::GetExampleDACProvider()->GetDeviceAttestationCert(out_span);
}
}

CHIP_ERROR GetProductAttestationIntermediateCert(MutableByteSpan & out_span) override
{
return GetFile("GetProductAttestationIntermediateCert", SilabsConfig::kConfigKey_Creds_PAI_Offset,
SILABS_CREDENTIALS_PAI_OFFSET, SilabsConfig::kConfigKey_Creds_PAI_Size, SILABS_CREDENTIALS_PAI_SIZE,
out_span);
if (SilabsConfig::ConfigValueExists(SilabsConfig::kConfigKey_Creds_Base_Addr))
{
// Provisioned PAI
return GetFile("GetProductAttestationIntermediateCert", SilabsConfig::kConfigKey_Creds_PAI_Offset,
SILABS_CREDENTIALS_PAI_OFFSET, SilabsConfig::kConfigKey_Creds_PAI_Size, SILABS_CREDENTIALS_PAI_SIZE,
out_span);
}
else
{
// Example PAI
return Examples::GetExampleDACProvider()->GetProductAttestationIntermediateCert(out_span);
}
}

CHIP_ERROR SignWithDeviceAttestationKey(const ByteSpan & message_to_sign, MutableByteSpan & out_span) override
{
uint32_t key_id = SILABS_CREDENTIALS_DAC_KEY_ID;
uint8_t signature[64] = { 0 };
size_t signature_size = sizeof(signature);

if (SilabsConfig::ConfigValueExists(SilabsConfig::kConfigKey_Creds_KeyId))
{
// Provisioned DAC key
uint32_t key_id = SILABS_CREDENTIALS_DAC_KEY_ID;
uint8_t signature[64] = { 0 };
size_t signature_size = sizeof(signature);

ReturnErrorOnFailure(SilabsConfig::ReadConfigValue(SilabsConfig::kConfigKey_Creds_KeyId, key_id));
}

ChipLogProgress(DeviceLayer, "SignWithDeviceAttestationKey, key:%lu", key_id);
ChipLogProgress(DeviceLayer, "SignWithDeviceAttestationKey, key:%lu", key_id);

psa_status_t err =
psa_sign_message(static_cast<psa_key_id_t>(key_id), PSA_ALG_ECDSA(PSA_ALG_SHA_256), message_to_sign.data(),
message_to_sign.size(), signature, signature_size, &signature_size);
VerifyOrReturnError(!err, CHIP_ERROR_INTERNAL);
psa_status_t err =
psa_sign_message(static_cast<psa_key_id_t>(key_id), PSA_ALG_ECDSA(PSA_ALG_SHA_256), message_to_sign.data(),
message_to_sign.size(), signature, signature_size, &signature_size);
VerifyOrReturnError(!err, CHIP_ERROR_INTERNAL);

return CopySpanToMutableSpan(ByteSpan(signature, signature_size), out_span);
return CopySpanToMutableSpan(ByteSpan(signature, signature_size), out_span);
}
else
{
// Example DAC key
return Examples::GetExampleDACProvider()->SignWithDeviceAttestationKey(message_to_sign, out_span);
}
}

private:
CHIP_ERROR GetFile(const char * description, uint32_t offset_key, uint32_t offset_default, uint32_t size_key,
uint32_t size_default, MutableByteSpan & out_span)
{
uint32_t base_addr = 0;
uint8_t * address = nullptr;
uint32_t offset = offset_default;
uint32_t size = size_default;

ReturnErrorOnFailure(SilabsConfig::ReadConfigValue(SilabsConfig::kConfigKey_Creds_Base_Addr, base_addr));
address = (uint8_t *) (base_addr + offset);

// Offset
if (SilabsConfig::ConfigValueExists(offset_key))
{
// NVM-provided offset
ReturnErrorOnFailure(SilabsConfig::ReadConfigValue(offset_key, offset));
}

if (SilabsConfig::ConfigValueExists(SilabsConfig::kConfigKey_Creds_Base_Addr))
{
// NVM-provided location
uint32_t base_addr = 0;
ReturnErrorOnFailure(SilabsConfig::ReadConfigValue(SilabsConfig::kConfigKey_Creds_Base_Addr, base_addr));
address = (uint8_t *) (base_addr + offset);
}
else
{
// Default location
address = _credentials_address + offset;
}

// Size
uint32_t size = size_default;
if (SilabsConfig::ConfigValueExists(size_key))
{
// NVM-provided size
ReturnErrorOnFailure(SilabsConfig::ReadConfigValue(size_key, size));
}

Expand Down
3 changes: 0 additions & 3 deletions examples/platform/silabs/SilabsDeviceAttestationCreds.h
Original file line number Diff line number Diff line change
Expand Up @@ -16,9 +16,6 @@
*/
#pragma once

// The "sl_token_manager.h" include belongs to the .cpp file, but the formatter change the order
// of the headers, causing a compilation error, so the include had to be added here instead
#include "sl_token_manager.h"
#include <credentials/DeviceAttestationCredsProvider.h>

namespace chip {
Expand Down
9 changes: 1 addition & 8 deletions examples/platform/silabs/efr32/BUILD.gn
Original file line number Diff line number Diff line change
Expand Up @@ -160,11 +160,6 @@ source_set("efr-matter-shell") {

config("attestation-credentials-config") {
include_dirs = [ "${chip_root}" ]

defines = [
# Set to 1 to enable EFR32 attestation credentials
"SILABS_ATTESTATION_CREDENTIALS",
]
}

source_set("efr32-attestation-credentials") {
Expand Down Expand Up @@ -329,9 +324,7 @@ source_set("efr32-common") {
}

# Attestation Credentials
if (chip_build_platform_attestation_credentials_provider) {
public_deps += [ ":efr32-attestation-credentials" ]
}
public_deps += [ ":efr32-attestation-credentials" ]

# Factory Data Provider
if (use_efr32_factory_data_provider) {
Expand Down
8 changes: 0 additions & 8 deletions examples/platform/silabs/main.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -25,11 +25,7 @@
#include <MatterConfig.h>
#include <app/server/Server.h>
#include <credentials/DeviceAttestationCredsProvider.h>
#ifdef SILABS_ATTESTATION_CREDENTIALS
#include <examples/platform/silabs/SilabsDeviceAttestationCreds.h>
#else
#include <credentials/examples/DeviceAttestationCredsExample.h>
#endif

#include <platform/silabs/platformAbstraction/SilabsPlatform.h>

Expand All @@ -56,11 +52,7 @@ int main(void)

chip::DeviceLayer::PlatformMgr().LockChipStack();
// Initialize device attestation config
#ifdef SILABS_ATTESTATION_CREDENTIALS
SetDeviceAttestationCredentialsProvider(Credentials::Silabs::GetSilabsDacProvider());
#else
SetDeviceAttestationCredentialsProvider(Examples::GetExampleDACProvider());
#endif
chip::DeviceLayer::PlatformMgr().UnlockChipStack();

SILABS_LOG("Starting App Task");
Expand Down
2 changes: 0 additions & 2 deletions src/platform/silabs/MigrationManager.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -38,9 +38,7 @@ typedef struct
#define COUNT_OF(A) (sizeof(A) / sizeof((A)[0]))
static migrationData_t migrationTable[] = {
{ .migrationGroup = 1, .migrationFunc = MigrateKvsMap },
#ifdef SILABS_ATTESTATION_CREDENTIALS
{ .migrationGroup = 2, .migrationFunc = MigrateDacProvider },
#endif
// add any additional migration neccesary. migrationGroup should stay equal if done in the same commit or increment by 1 for
// each new entry.
};
Expand Down

0 comments on commit d62524c

Please sign in to comment.