From fba0781ceb96b2890b15be14c00e13937e33594c Mon Sep 17 00:00:00 2001 From: Ricardo Casallas Date: Mon, 14 Aug 2023 14:28:50 -0400 Subject: [PATCH] [Silabs] Attestation credentials auto-detect. --- examples/platform/silabs/SiWx917/BUILD.gn | 9 +- .../silabs/SilabsDeviceAttestationCreds.cpp | 96 ++++++++++++------- .../silabs/SilabsDeviceAttestationCreds.h | 3 - examples/platform/silabs/efr32/BUILD.gn | 9 +- examples/platform/silabs/main.cpp | 8 -- src/platform/silabs/MigrationManager.cpp | 2 - 6 files changed, 61 insertions(+), 66 deletions(-) diff --git a/examples/platform/silabs/SiWx917/BUILD.gn b/examples/platform/silabs/SiWx917/BUILD.gn index f0600f012e19e7..def26b1e5db51f 100644 --- a/examples/platform/silabs/SiWx917/BUILD.gn +++ b/examples/platform/silabs/SiWx917/BUILD.gn @@ -134,11 +134,6 @@ source_set("siwx917-matter-shell") { config("attestation-credentials-config") { include_dirs = [ "${chip_root}" ] - - defines = [ - # Set to 1 to enable SI917 attestation credentials - "SILABS_ATTESTATION_CREDENTIALS", - ] } source_set("siwx917-attestation-credentials") { @@ -294,9 +289,7 @@ source_set("siwx917-common") { } # Attestation Credentials - if (chip_build_platform_attestation_credentials_provider) { - deps += [ ":siwx917-attestation-credentials" ] - } + deps += [ ":siwx917-attestation-credentials" ] # Factory Data Provider if (use_efr32_factory_data_provider) { diff --git a/examples/platform/silabs/SilabsDeviceAttestationCreds.cpp b/examples/platform/silabs/SilabsDeviceAttestationCreds.cpp index 92248fb8b6373d..8b097db056b92c 100644 --- a/examples/platform/silabs/SilabsDeviceAttestationCreds.cpp +++ b/examples/platform/silabs/SilabsDeviceAttestationCreds.cpp @@ -20,6 +20,7 @@ #include #include #include +#include #include #include "silabs_creds.h" 
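Review bot: In the `siwx917-common` hunk the `if (chip_build_platform_attestation_credentials_provider)` guard around the dep is dropped, so that build argument no longer decides whether the attestation source set is linked; the `efr32-common` hunk in examples/platform/silabs/efr32/BUILD.gn does the same. If the argument is still declared elsewhere (not visible in this patch), setting it now has no effect here, which is easy to miss for an integrator who relied on it to select provisioned credentials at build time. I would either remove the declaration in the same commit or leave a comment at the dep, for example `# Always linked: the provider picks provisioned or example credentials at runtime.`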
@@ -28,9 +29,6 @@ using namespace chip::DeviceLayer::Internal; using chip::DeviceLayer::Internal::SilabsConfig; -extern uint8_t linker_nvm_end[]; -static uint8_t * _credentials_address = (uint8_t *) linker_nvm_end; - namespace chip { namespace Credentials { namespace Silabs { @@ -46,8 +44,17 @@ class DeviceAttestationCredsSilabs : public DeviceAttestationCredentialsProvider public: CHIP_ERROR GetCertificationDeclaration(MutableByteSpan & out_span) override { - return GetFile("GetCertificationDeclaration", SilabsConfig::kConfigKey_Creds_CD_Offset, SILABS_CREDENTIALS_CD_OFFSET, - SilabsConfig::kConfigKey_Creds_CD_Size, SILABS_CREDENTIALS_CD_SIZE, out_span); + if (SilabsConfig::ConfigValueExists(SilabsConfig::kConfigKey_Creds_Base_Addr)) + { + // Provisioned CD + return GetFile("GetCertificationDeclaration", SilabsConfig::kConfigKey_Creds_CD_Offset, SILABS_CREDENTIALS_CD_OFFSET, + SilabsConfig::kConfigKey_Creds_CD_Size, SILABS_CREDENTIALS_CD_SIZE, out_span); + } + else + { + // Example CD + return Examples::GetExampleDACProvider()->GetCertificationDeclaration(out_span); + } } CHIP_ERROR GetFirmwareInformation(MutableByteSpan & out_firmware_info_buffer) override 
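Review bot: The `else` branch of GetCertificationDeclaration hands out the example CD without leaving any trace, so a device whose `kConfigKey_Creds_Base_Addr` entry is missing (never provisioned, erased or unreadable) attests with test credentials and nothing in the log says so. A line such as `ChipLogError(DeviceLayer, "Provisioned credentials not found, using example credentials");` in that branch would make the downgrade visible. The same `ConfigValueExists(SilabsConfig::kConfigKey_Creds_Base_Addr)` test and fallback are repeated in GetDeviceAttestationCert and GetProductAttestationIntermediateCert in the next hunk; one private helper holding the check (name up to the author) would keep the accessors from drifting apart.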
@@ -59,68 +66,83 @@ class DeviceAttestationCredsSilabs : public DeviceAttestationCredentialsProvider CHIP_ERROR GetDeviceAttestationCert(MutableByteSpan & out_span) override { - return GetFile("GetDeviceAttestationCert", SilabsConfig::kConfigKey_Creds_DAC_Offset, SILABS_CREDENTIALS_DAC_OFFSET, - SilabsConfig::kConfigKey_Creds_DAC_Size, SILABS_CREDENTIALS_DAC_SIZE, out_span); + if (SilabsConfig::ConfigValueExists(SilabsConfig::kConfigKey_Creds_Base_Addr)) + { + // Provisioned DAC + return GetFile("GetDeviceAttestationCert", SilabsConfig::kConfigKey_Creds_DAC_Offset, SILABS_CREDENTIALS_DAC_OFFSET, + SilabsConfig::kConfigKey_Creds_DAC_Size, SILABS_CREDENTIALS_DAC_SIZE, out_span); + } + else + { + // Example DAC + return Examples::GetExampleDACProvider()->GetDeviceAttestationCert(out_span); + } } CHIP_ERROR GetProductAttestationIntermediateCert(MutableByteSpan & out_span) override { - return GetFile("GetProductAttestationIntermediateCert", SilabsConfig::kConfigKey_Creds_PAI_Offset, - SILABS_CREDENTIALS_PAI_OFFSET, SilabsConfig::kConfigKey_Creds_PAI_Size, SILABS_CREDENTIALS_PAI_SIZE, - out_span); + if (SilabsConfig::ConfigValueExists(SilabsConfig::kConfigKey_Creds_Base_Addr)) + { + // Provisioned PAI + return GetFile("GetProductAttestationIntermediateCert", SilabsConfig::kConfigKey_Creds_PAI_Offset, + SILABS_CREDENTIALS_PAI_OFFSET, SilabsConfig::kConfigKey_Creds_PAI_Size, SILABS_CREDENTIALS_PAI_SIZE, + out_span); + } + else + { + // Example PAI + return Examples::GetExampleDACProvider()->GetProductAttestationIntermediateCert(out_span); + } } CHIP_ERROR SignWithDeviceAttestationKey(const ByteSpan & message_to_sign, MutableByteSpan & out_span) override { - uint32_t key_id = SILABS_CREDENTIALS_DAC_KEY_ID; - uint8_t signature[64] = { 0 }; - size_t signature_size = sizeof(signature); - if (SilabsConfig::ConfigValueExists(SilabsConfig::kConfigKey_Creds_KeyId)) { + // Provisioned DAC key + uint32_t key_id = SILABS_CREDENTIALS_DAC_KEY_ID; + uint8_t signature[64] = { 0 }; + 
size_t signature_size = sizeof(signature); + ReturnErrorOnFailure(SilabsConfig::ReadConfigValue(SilabsConfig::kConfigKey_Creds_KeyId, key_id)); - } - ChipLogProgress(DeviceLayer, "SignWithDeviceAttestationKey, key:%lu", key_id); + ChipLogProgress(DeviceLayer, "SignWithDeviceAttestationKey, key:%lu", key_id); - psa_status_t err = - psa_sign_message(static_cast(key_id), PSA_ALG_ECDSA(PSA_ALG_SHA_256), message_to_sign.data(), - message_to_sign.size(), signature, signature_size, &signature_size); - VerifyOrReturnError(!err, CHIP_ERROR_INTERNAL); + psa_status_t err = + psa_sign_message(static_cast(key_id), PSA_ALG_ECDSA(PSA_ALG_SHA_256), message_to_sign.data(), + message_to_sign.size(), signature, signature_size, &signature_size); + VerifyOrReturnError(!err, CHIP_ERROR_INTERNAL); - return CopySpanToMutableSpan(ByteSpan(signature, signature_size), out_span); + return CopySpanToMutableSpan(ByteSpan(signature, signature_size), out_span); + } + else + { + // Example DAC key + return Examples::GetExampleDACProvider()->SignWithDeviceAttestationKey(message_to_sign, out_span); + } } private: CHIP_ERROR GetFile(const char * description, uint32_t offset_key, uint32_t offset_default, uint32_t size_key, uint32_t size_default, MutableByteSpan & out_span) { + uint32_t base_addr = 0; uint8_t * address = nullptr; uint32_t offset = offset_default; + uint32_t size = size_default; + + ReturnErrorOnFailure(SilabsConfig::ReadConfigValue(SilabsConfig::kConfigKey_Creds_Base_Addr, base_addr)); + address = (uint8_t *) (base_addr + offset); + + // Offset if (SilabsConfig::ConfigValueExists(offset_key)) { - // NVM-provided offset ReturnErrorOnFailure(SilabsConfig::ReadConfigValue(offset_key, offset)); } - if (SilabsConfig::ConfigValueExists(SilabsConfig::kConfigKey_Creds_Base_Addr)) - { - // NVM-provided location - uint32_t base_addr = 0; - ReturnErrorOnFailure(SilabsConfig::ReadConfigValue(SilabsConfig::kConfigKey_Creds_Base_Addr, base_addr)); - address = (uint8_t *) (base_addr + offset); - } - 
else - { - // Default location - address = _credentials_address + offset; - } - // Size - uint32_t size = size_default; if (SilabsConfig::ConfigValueExists(size_key)) { - // NVM-provided size ReturnErrorOnFailure(SilabsConfig::ReadConfigValue(size_key, size)); } diff --git a/examples/platform/silabs/SilabsDeviceAttestationCreds.h b/examples/platform/silabs/SilabsDeviceAttestationCreds.h index c4f437c20f4b44..79f8f8df042aa8 100644 --- a/examples/platform/silabs/SilabsDeviceAttestationCreds.h +++ b/examples/platform/silabs/SilabsDeviceAttestationCreds.h @@ -16,9 +16,6 @@ */ #pragma once -// The "sl_token_manager.h" include belongs to the .cpp file, but the formatter change the order -// of the headers, causing a compilation error, so the include had to be added here instead -#include "sl_token_manager.h" #include namespace chip { diff --git a/examples/platform/silabs/efr32/BUILD.gn b/examples/platform/silabs/efr32/BUILD.gn index 5bb628ad4f99e6..ba4de46d1bed1f 100644 --- a/examples/platform/silabs/efr32/BUILD.gn +++ b/examples/platform/silabs/efr32/BUILD.gn @@ -160,11 +160,6 @@ source_set("efr-matter-shell") { config("attestation-credentials-config") { include_dirs = [ "${chip_root}" ] - - defines = [ - # Set to 1 to enable EFR32 attestation credentials - "SILABS_ATTESTATION_CREDENTIALS", - ] } source_set("efr32-attestation-credentials") { @@ -329,9 +324,7 @@ source_set("efr32-common") { } # Attestation Credentials - if (chip_build_platform_attestation_credentials_provider) { - public_deps += [ ":efr32-attestation-credentials" ] - } + public_deps += [ ":efr32-attestation-credentials" ] # Factory Data Provider if (use_efr32_factory_data_provider) { diff --git a/examples/platform/silabs/main.cpp b/examples/platform/silabs/main.cpp index 03fb25b549db67..38ee004563a03b 100644 --- a/examples/platform/silabs/main.cpp +++ b/examples/platform/silabs/main.cpp 
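Review bot: In GetFile the new line `address = (uint8_t *) (base_addr + offset);` runs before the `offset_key` block, so at that point `offset` still holds `offset_default` and an offset read from config never reaches `address`. Unless `address` is recomputed in the part of GetFile below this hunk, the accessor reads the credential from the default offset; moving that assignment after the offset and size blocks fixes it. Separately, SignWithDeviceAttestationKey picks its branch on `kConfigKey_Creds_KeyId` while the three certificate accessors pick theirs on `kConfigKey_Creds_Base_Addr`, so a device with a base address but no stored key id would return the provisioned DAC and sign with the example key, a pair that cannot verify; before this change a missing key id fell back to `SILABS_CREDENTIALS_DAC_KEY_ID`. Gating the signing path on `kConfigKey_Creds_Base_Addr` and keeping the optional key-id read inside it would keep certificate and key coming from the same source. The hunk also shows no check of `base_addr`, `offset` and `size` against the credentials region before the address is used; the rest of GetFile is outside the hunk, so that may already be handled there.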
@@ -25,11 +25,7 @@ #include #include #include -#ifdef SILABS_ATTESTATION_CREDENTIALS #include -#else -#include -#endif #include @@ -56,11 +52,7 @@ int main(void) chip::DeviceLayer::PlatformMgr().LockChipStack(); // Initialize device attestation config -#ifdef SILABS_ATTESTATION_CREDENTIALS SetDeviceAttestationCredentialsProvider(Credentials::Silabs::GetSilabsDacProvider()); -#else - SetDeviceAttestationCredentialsProvider(Examples::GetExampleDACProvider()); -#endif chip::DeviceLayer::PlatformMgr().UnlockChipStack(); SILABS_LOG("Starting App Task"); diff --git a/src/platform/silabs/MigrationManager.cpp b/src/platform/silabs/MigrationManager.cpp index f8286c656025ac..f6a10958c7941b 100644 --- a/src/platform/silabs/MigrationManager.cpp +++ b/src/platform/silabs/MigrationManager.cpp @@ -38,9 +38,7 @@ typedef struct #define COUNT_OF(A) (sizeof(A) / sizeof((A)[0])) static migrationData_t migrationTable[] = { { .migrationGroup = 1, .migrationFunc = MigrateKvsMap }, -#ifdef SILABS_ATTESTATION_CREDENTIALS { .migrationGroup = 2, .migrationFunc = MigrateDacProvider }, -#endif // add any additional migration neccesary. migrationGroup should stay equal if done in the same commit or increment by 1 for // each new entry. };
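Review bot: With the `#ifdef SILABS_ATTESTATION_CREDENTIALS` switch removed around `SetDeviceAttestationCredentialsProvider(...)` in `main`, every image installs the Silabs provider, which delegates to `Examples::GetExampleDACProvider()` whenever no provisioned data is found, so a production build can no longer exclude the example credentials. A build-time option (name left to the maintainers) that makes the provider return an error such as `CHIP_ERROR_INTERNAL` instead of delegating would let release images fail closed. If that is out of scope for this commit, the comment above the call could at least state the behaviour: `// Uses provisioned credentials when present, example (test) credentials otherwise.`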