From 5710c5aca8fcb172977e8aefa0d126cfcf464895 Mon Sep 17 00:00:00 2001 From: Ricardo Casallas <77841255+rcasallas-silabs@users.noreply.github.com> Date: Mon, 27 Mar 2023 07:56:10 -0400 Subject: [PATCH] Silabs CPMS support added. (#25824) * Silabs CPMS support added. * SilabsDeviceAttestationCreds: Code review. --- .../silabs/SilabsDeviceAttestationCreds.cpp | 88 +++++++++++++++---- examples/platform/silabs/silabs_creds.h | 28 +++--- src/platform/silabs/SilabsConfig.h | 10 ++- 3 files changed, 92 insertions(+), 34 deletions(-) diff --git a/examples/platform/silabs/SilabsDeviceAttestationCreds.cpp b/examples/platform/silabs/SilabsDeviceAttestationCreds.cpp index 2b405196b31059..01f54cc36506c8 100644 --- a/examples/platform/silabs/SilabsDeviceAttestationCreds.cpp +++ b/examples/platform/silabs/SilabsDeviceAttestationCreds.cpp @@ -19,11 +19,15 @@ #include #include #include +#include +#include -#include "psa/crypto.h" #include "silabs_creds.h" -extern uint8_t __attestation_credentials_base[]; +using namespace chip::DeviceLayer::Internal; + +extern uint8_t linker_nvm_end[]; +static uint8_t * _credentials_address = (uint8_t *) linker_nvm_end; namespace chip { namespace Credentials { @@ -33,12 +37,28 @@ namespace { class DeviceAttestationCredsSilabs : public DeviceAttestationCredentialsProvider { + // Miss-aligned certificates is a common error, and printing the first few bytes is + // useful to verify proper alignment. Eight bytes is enough for this purpose. + static constexpr size_t kDebugLength = 8; public: - CHIP_ERROR GetCertificationDeclaration(MutableByteSpan & out_buffer) override + CHIP_ERROR GetCertificationDeclaration(MutableByteSpan & out_span) override { - ByteSpan cd_span(((uint8_t *) __attestation_credentials_base) + SILABS_CREDENTIALS_CD_OFFSET, SILABS_CREDENTIALS_CD_SIZE); - return CopySpanToMutableSpan(cd_span, out_buffer); + uint32_t offset = SILABS_CREDENTIALS_CD_OFFSET; + uint32_t size = SILABS_CREDENTIALS_CD_SIZE; + + if (SilabsConfig::ConfigValueExists(SilabsConfig::kConfigKey_Creds_CD_Offset) && + SilabsConfig::ConfigValueExists(SilabsConfig::kConfigKey_Creds_CD_Size)) + { + ReturnErrorOnFailure(SilabsConfig::ReadConfigValue(SilabsConfig::kConfigKey_Creds_CD_Offset, offset)); + ReturnErrorOnFailure(SilabsConfig::ReadConfigValue(SilabsConfig::kConfigKey_Creds_CD_Size, size)); + } + + uint8_t * address = _credentials_address + offset; + ByteSpan cd_span(address, size); + ChipLogProgress(DeviceLayer, "GetCertificationDeclaration, addr:%p, size:%lu", address, size); + ChipLogByteSpan(DeviceLayer, ByteSpan(cd_span.data(), kDebugLength > cd_span.size() ? cd_span.size() : kDebugLength)); + return CopySpanToMutableSpan(cd_span, out_span); } CHIP_ERROR GetFirmwareInformation(MutableByteSpan & out_firmware_info_buffer) override @@ -48,31 +68,63 @@ class DeviceAttestationCredsSilabs : public DeviceAttestationCredentialsProvider return CHIP_NO_ERROR; } - CHIP_ERROR GetDeviceAttestationCert(MutableByteSpan & out_buffer) override + CHIP_ERROR GetDeviceAttestationCert(MutableByteSpan & out_span) override { - ByteSpan cert_span(((uint8_t *) __attestation_credentials_base) + SILABS_CREDENTIALS_DAC_OFFSET, - SILABS_CREDENTIALS_DAC_SIZE); - return CopySpanToMutableSpan(cert_span, out_buffer); + uint32_t offset = SILABS_CREDENTIALS_DAC_OFFSET; + uint32_t size = SILABS_CREDENTIALS_DAC_SIZE; + + if (SilabsConfig::ConfigValueExists(SilabsConfig::kConfigKey_Creds_DAC_Offset) && + SilabsConfig::ConfigValueExists(SilabsConfig::kConfigKey_Creds_DAC_Size)) + { + ReturnErrorOnFailure(SilabsConfig::ReadConfigValue(SilabsConfig::kConfigKey_Creds_DAC_Offset, offset)); + ReturnErrorOnFailure(SilabsConfig::ReadConfigValue(SilabsConfig::kConfigKey_Creds_DAC_Size, size)); + } + + uint8_t * address = _credentials_address + offset; + ByteSpan cert_span(address, size); + ChipLogProgress(DeviceLayer, "GetDeviceAttestationCert, addr:%p, size:%lu", address, size); + ChipLogByteSpan(DeviceLayer, ByteSpan(cert_span.data(), kDebugLength > cert_span.size() ? cert_span.size() : kDebugLength)); + return CopySpanToMutableSpan(cert_span, out_span); } - CHIP_ERROR GetProductAttestationIntermediateCert(MutableByteSpan & out_pai_buffer) override + CHIP_ERROR GetProductAttestationIntermediateCert(MutableByteSpan & out_span) override { - ByteSpan cert_span(((uint8_t *) __attestation_credentials_base) + SILABS_CREDENTIALS_PAI_OFFSET, - SILABS_CREDENTIALS_PAI_SIZE); - return CopySpanToMutableSpan(cert_span, out_pai_buffer); + uint32_t offset = SILABS_CREDENTIALS_PAI_OFFSET; + uint32_t size = SILABS_CREDENTIALS_PAI_SIZE; + + if (SilabsConfig::ConfigValueExists(SilabsConfig::kConfigKey_Creds_PAI_Offset) && + SilabsConfig::ConfigValueExists(SilabsConfig::kConfigKey_Creds_PAI_Size)) + { + ReturnErrorOnFailure(SilabsConfig::ReadConfigValue(SilabsConfig::kConfigKey_Creds_PAI_Offset, offset)); + ReturnErrorOnFailure(SilabsConfig::ReadConfigValue(SilabsConfig::kConfigKey_Creds_PAI_Size, size)); + } + + uint8_t * address = _credentials_address + offset; + ByteSpan cert_span(address, size); + ChipLogProgress(DeviceLayer, "GetProductAttestationIntermediateCert, addr:%p, size:%lu", address, size); + ChipLogByteSpan(DeviceLayer, ByteSpan(cert_span.data(), kDebugLength > cert_span.size() ? cert_span.size() : kDebugLength)); + return CopySpanToMutableSpan(cert_span, out_span); } - CHIP_ERROR SignWithDeviceAttestationKey(const ByteSpan & message_to_sign, MutableByteSpan & out_buffer) override + CHIP_ERROR SignWithDeviceAttestationKey(const ByteSpan & message_to_sign, MutableByteSpan & out_span) override { - psa_key_id_t key_id = SILABS_CREDENTIALS_DAC_KEY_ID; + uint32_t key_id = SILABS_CREDENTIALS_DAC_KEY_ID; uint8_t signature[64] = { 0 }; size_t signature_size = sizeof(signature); - psa_status_t err = psa_sign_message(key_id, PSA_ALG_ECDSA(PSA_ALG_SHA_256), message_to_sign.data(), message_to_sign.size(), - signature, signature_size, &signature_size); + if (SilabsConfig::ConfigValueExists(SilabsConfig::kConfigKey_Creds_KeyId)) + { + ReturnErrorOnFailure(SilabsConfig::ReadConfigValue(SilabsConfig::kConfigKey_Creds_KeyId, key_id)); + } + + ChipLogProgress(DeviceLayer, "SignWithDeviceAttestationKey, key:%lu", key_id); + + psa_status_t err = + psa_sign_message(static_cast(key_id), PSA_ALG_ECDSA(PSA_ALG_SHA_256), message_to_sign.data(), + message_to_sign.size(), signature, signature_size, &signature_size); VerifyOrReturnError(!err, CHIP_ERROR_INTERNAL); - return CopySpanToMutableSpan(ByteSpan(signature, signature_size), out_buffer); + return CopySpanToMutableSpan(ByteSpan(signature, signature_size), out_span); } }; diff --git a/examples/platform/silabs/silabs_creds.h b/examples/platform/silabs/silabs_creds.h index f4808c61e7589c..792c7b2238afaa 100644 --- a/examples/platform/silabs/silabs_creds.h +++ b/examples/platform/silabs/silabs_creds.h @@ -10,32 +10,32 @@ #ifndef SILABS_DEVICE_CREDENTIALS #define SILABS_DEVICE_CREDENTIALS -#ifndef SILABS_CREDENTIALS_CD_OFFSET -#define SILABS_CREDENTIALS_CD_OFFSET 0x0000 +#ifndef SILABS_CREDENTIALS_DAC_KEY_ID +#define SILABS_CREDENTIALS_DAC_KEY_ID 0x0002 #endif -#ifndef SILABS_CREDENTIALS_CD_SIZE -#define SILABS_CREDENTIALS_CD_SIZE 541 +#ifndef SILABS_CREDENTIALS_DAC_OFFSET +#define SILABS_CREDENTIALS_DAC_OFFSET 0x0000 #endif -#ifndef SILABS_CREDENTIALS_PAI_OFFSET -#define SILABS_CREDENTIALS_PAI_OFFSET 0x400 +#ifndef SILABS_CREDENTIALS_DAC_SIZE +#define SILABS_CREDENTIALS_DAC_SIZE 0 #endif -#ifndef SILABS_CREDENTIALS_PAI_SIZE -#define SILABS_CREDENTIALS_PAI_SIZE 463 +#ifndef SILABS_CREDENTIALS_PAI_OFFSET +#define SILABS_CREDENTIALS_PAI_OFFSET 0x0200 #endif -#ifndef SILABS_CREDENTIALS_DAC_OFFSET -#define SILABS_CREDENTIALS_DAC_OFFSET 0x600 +#ifndef SILABS_CREDENTIALS_PAI_SIZE +#define SILABS_CREDENTIALS_PAI_SIZE 0 #endif -#ifndef SILABS_CREDENTIALS_DAC_SIZE -#define SILABS_CREDENTIALS_DAC_SIZE 492 +#ifndef SILABS_CREDENTIALS_CD_OFFSET +#define SILABS_CREDENTIALS_CD_OFFSET 0x0400 #endif -#ifndef SILABS_CREDENTIALS_DAC_KEY_ID -#define SILABS_CREDENTIALS_DAC_KEY_ID PSA_KEY_ID_USER_MIN + 1 +#ifndef SILABS_CREDENTIALS_CD_SIZE +#define SILABS_CREDENTIALS_CD_SIZE 0 #endif #endif // SILABS_DEVICE_CREDENTIALS diff --git a/src/platform/silabs/SilabsConfig.h b/src/platform/silabs/SilabsConfig.h index cee73df868a7aa..a7aa0312aa9845 100644 --- a/src/platform/silabs/SilabsConfig.h +++ b/src/platform/silabs/SilabsConfig.h @@ -26,8 +26,6 @@ #include -#include - #include "nvm3.h" #include "nvm3_hal_flash.h" @@ -137,6 +135,14 @@ class SilabsConfig static constexpr Key kConfigKey_YearDaySchedules = SilabsConfigKey(kMatterConfig_KeyBase, 0x16); static constexpr Key kConfigKey_HolidaySchedules = SilabsConfigKey(kMatterConfig_KeyBase, 0x17); static constexpr Key kConfigKey_OpKeyMap = SilabsConfigKey(kMatterConfig_KeyBase, 0x20); + static constexpr Key kConfigKey_Creds_KeyId = SilabsConfigKey(kMatterConfig_KeyBase, 0x21); + static constexpr Key kConfigKey_Creds_Base_Addr = SilabsConfigKey(kMatterConfig_KeyBase, 0x22); + static constexpr Key kConfigKey_Creds_DAC_Offset = SilabsConfigKey(kMatterConfig_KeyBase, 0x23); + static constexpr Key kConfigKey_Creds_DAC_Size = SilabsConfigKey(kMatterConfig_KeyBase, 0x24); + static constexpr Key kConfigKey_Creds_PAI_Offset = SilabsConfigKey(kMatterConfig_KeyBase, 0x25); + static constexpr Key kConfigKey_Creds_PAI_Size = SilabsConfigKey(kMatterConfig_KeyBase, 0x26); + static constexpr Key kConfigKey_Creds_CD_Offset = SilabsConfigKey(kMatterConfig_KeyBase, 0x27); + static constexpr Key kConfigKey_Creds_CD_Size = SilabsConfigKey(kMatterConfig_KeyBase, 0x28); static constexpr Key kConfigKey_GroupKeyMax = SilabsConfigKey(kMatterConfig_KeyBase, 0x1E); // Allows 16 Group Keys to be created.