[SE05x] Logic to track signature calls for attestation is removed (pr…

…oject-chip#23207)

* added readme for se05x example

* changed device attestation - Logic to track attestation calls removed

* updated simw build files

* reverting changes

* reverting changes

* using chip_device_platform

* updated simw package repo

* restyler-diff

* restyler-diff

* updated simw-repo submodule

* updated device attestation provider to handle TLV errors

* removed extra semicolon
restyler

* updated comments in DAC provider

* making only TAG3 optional

* spell check

* updated comments

* Update examples/platform/nxp/se05x/DeviceAttestationSe05xCredsExample_v2.cpp

Co-authored-by: Boris Zbarsky <bzbarsky@apple.com>

* restyle-diff

Co-authored-by: Boris Zbarsky <bzbarsky@apple.com>

examples/platform/nxp/se05x/DeviceAttestationSe05xCredsExample_v2.cpp

@@ -37,23 +37,27 @@
 /* Device attestation key ids */
 #define DEV_ATTESTATION_KEY_SE05X_ID 0x7D300000
 #define DEV_ATTESTATION_CERT_SE05X_ID 0x7D300001
+#define CERT_DECLARATION_DATA_SE05X_ID 0x7D300002
 
 /* Device attestation key ids (Used with internal sign) */
-#define CD_DEV_ATTESTATION_KEY_SE05X_ID 0x7D300002
-#define NOCSR_DEV_ATTESTATION_KEY_SE05X_ID 0x7D300004
-
-/* Device attestation data ids (for Cert decl) */
-#define CD_CERT_DECLARATION_DATA_SE05X_ID 0x7D300009
-#define CD_ATTEST_NONCE_DATA_SE05X_ID 0x7D30000C
-#define CD_TIME_STAMP_LEN_SE05X_ID 0x7D30000E
-#define CD_TIME_STAMP_DATA_SE05X_ID 0x7D30000F
-#define CD_ATTEST_CHALLENGE_SE05X_ID 0x7D300011
-
-/* Device attestation data ids (for CSR) */
-#define NOCSR_CSR_LEN_SE05X_ID 0x7D300014
-#define NOCSR_CSR_DATA_SE05X_ID 0x7D300015
-#define NOCSR_CSR_NONCE_DATA_SE05X_ID 0x7D300018
-#define NOCSR_ATTEST_CHALLENGE_SE05X_ID 0x7D30001A
+#define DEV_ATTESTATION_KEY_SE05X_ID_IS 0x7D300003
+#define DEV_ATTESTATION_KEY_SE05X_ID_IS_TBS 0x7D300004
+
+#define TAG1_ID 0x7D300005
+#define TAG1_LEN_ID 0x7D300006
+#define TAG1_VALUE_ID 0x7D300007
+#define TAG2_ID 0x7D300008
+#define TAG2_LEN_ID 0x7D300009
+#define TAG2_VALUE_ID 0x7D30000A
+#define TAG3_ID 0x7D30000B
+#define TAG3_LEN_ID 0x7D30000C
+#define TAG3_VALUE_ID 0x7D30000D
+#define ATTEST_CHALLENGE_ID 0x7D30000E
+
+#define START_CONTAINER_SE05X_ID 0x7D30000F
+#define END_CONTAINER_SE05X_ID 0x7D300010
+
+#define NO_OF_DEV_ATTEST_MSG_TAGS_TO_PARSE 3 /* Starting with TAG1 */
 
 extern CHIP_ERROR se05xGetCertificate(uint32_t keyId, uint8_t * buf, size_t * buflen);
 extern CHIP_ERROR se05xSetCertificate(uint32_t keyId, const uint8_t * buf, size_t buflen);
@@ -66,6 +70,11 @@ namespace Examples {
 
 namespace {
 
+// Note: The example DAC provider class is only for demonstration purpose.
+// Modification to SignWithDeviceAttestationKey member will be required in case there is a change in device attestation sign
+// message (other TLVs are added). In the current implementation of SignWithDeviceAttestationKey only TLV1, TLV2 and TLV3 are
+// expected in the sign message.
+
 class ExampleSe05xDACProviderv2 : public DeviceAttestationCredentialsProvider
 {
 public:
@@ -150,7 +159,7 @@ CHIP_ERROR ExampleSe05xDACProviderv2::GetCertificationDeclaration(MutableByteSpa
 #else
     size_t buflen = out_cd_buffer.size();
     ChipLogDetail(Crypto, "Get certificate declaration from se05x");
-    ReturnErrorOnFailure(se05xGetCertificate(CD_CERT_DECLARATION_DATA_SE05X_ID, out_cd_buffer.data(), &buflen));
+    ReturnErrorOnFailure(se05xGetCertificate(CERT_DECLARATION_DATA_SE05X_ID, out_cd_buffer.data(), &buflen));
     out_cd_buffer.reduce_size(buflen);
     return CHIP_NO_ERROR;
 #endif
@@ -167,7 +176,9 @@ CHIP_ERROR ExampleSe05xDACProviderv2::GetFirmwareInformation(MutableByteSpan & o
 CHIP_ERROR ExampleSe05xDACProviderv2::SignWithDeviceAttestationKey(const ByteSpan & message_to_sign,
                                                                    MutableByteSpan & out_signature_buffer)
 {
-    CHIP_ERROR err = CHIP_NO_ERROR;
+    CHIP_ERROR err                                                   = CHIP_NO_ERROR;
+    uint8_t signature_se05x[Crypto::kMax_ECDSA_Signature_Length_Der] = { 0 };
+    size_t signature_se05x_len                                       = sizeof(signature_se05x);
     VerifyOrReturnError(IsSpanUsable(out_signature_buffer), CHIP_ERROR_INVALID_ARGUMENT);
     VerifyOrReturnError(IsSpanUsable(message_to_sign), CHIP_ERROR_INVALID_ARGUMENT);
 
@@ -178,108 +189,81 @@ CHIP_ERROR ExampleSe05xDACProviderv2::SignWithDeviceAttestationKey(const ByteSpa
 
     msg_reader.Init(message_to_sign);
 
-    /* To be removed. Use common key id to sign message */
-    static bool sign_cert_decl_attest = 1;
+    uint16_t taglen = 0;
+    ByteSpan tagvalue;
+    uint8_t tempBuf[2] = {
+        0,
+    };
+
+    tempBuf[0] = (uint8_t) TLV::TLVElementType::Structure;
+    SuccessOrExit(se05xSetCertificate(START_CONTAINER_SE05X_ID, tempBuf, 1));
 
-    if (sign_cert_decl_attest)
+    for (int i = 1; i <= NO_OF_DEV_ATTEST_MSG_TAGS_TO_PARSE; i++)
     {
-        /* Check if certificate declaration tag is present and Skip certificate declaration tag */
-        ReturnErrorOnFailure(TLV::Utilities::Find(msg_reader, TLV::ContextTag(1), tagReader));
-
-        ReturnErrorOnFailure(TLV::Utilities::Find(msg_reader, TLV::ContextTag(2), tagReader));
-        uint8_t attlen = tagReader.GetLength();
-        VerifyOrReturnError(attlen > 0, CHIP_ERROR_INVALID_TLV_TAG);
-        /* Get attestation nonce */
-        ByteSpan attest_nonce;
-        ReturnErrorOnFailure(tagReader.Get(attest_nonce));
-        /* Set attestation nonce */
-        VerifyOrReturnError(CHIP_NO_ERROR ==
-                                se05xSetCertificate(CD_ATTEST_NONCE_DATA_SE05X_ID, attest_nonce.data(), attest_nonce.size()),
-                            CHIP_ERROR_INTERNAL);
-
-        ReturnErrorOnFailure(TLV::Utilities::Find(msg_reader, TLV::ContextTag(3), tagReader));
-        uint8_t tslen = tagReader.GetLength();
-        if (tslen > 0)
+        CHIP_ERROR tlverr = CHIP_NO_ERROR;
+        tlverr            = TLV::Utilities::Find(msg_reader, TLV::ContextTag(i), tagReader);
+        if ((i == 3) && (tlverr == CHIP_ERROR_TLV_TAG_NOT_FOUND))
         {
-            ByteSpan time_stamp;
-            ReturnErrorOnFailure(tagReader.Get(time_stamp));
-            /* Set time stamp data */
-            VerifyOrReturnError(CHIP_NO_ERROR ==
-                                    se05xSetCertificate(CD_TIME_STAMP_DATA_SE05X_ID, time_stamp.data(), time_stamp.size()),
-                                CHIP_ERROR_INTERNAL);
+            continue;
         }
-        /* Set time stamp length */
-        VerifyOrReturnError(CHIP_NO_ERROR == se05xSetCertificate(CD_TIME_STAMP_LEN_SE05X_ID, &tslen, 1), CHIP_ERROR_INTERNAL);
+        SuccessOrExit(tlverr);
+
+        // Transient binary object ids starting from location 0x7D300005 (TAG1_ID) to 0x7D30000D (TAG3_VALUE_ID)
+        // are used to store the TLV contents.
+        // Binary object id are calculated using the loop iterator in the below code.
 
-        if ((tagReader.GetRemainingLength() + 1 /* End container */) >= 16)
+        taglen     = tagReader.GetLength();
+        tempBuf[0] = tagReader.GetControlByte();
+        tempBuf[1] = i;
+        SuccessOrExit(se05xSetCertificate(TAG1_ID + (3 /* tag + length + value ids */ * (i - 1)), tempBuf, 2));
+        if (taglen > 256)
         {
-            /* Set attestation challenge */
-            VerifyOrReturnError(CHIP_NO_ERROR ==
-                                    se05xSetCertificate(CD_ATTEST_CHALLENGE_SE05X_ID, (message_to_sign.end() - 16), 16),
-                                CHIP_ERROR_INTERNAL);
+            tempBuf[0] = taglen & 0xFF;
+            tempBuf[1] = (taglen >> 8) & 0xFF;
+            SuccessOrExit(se05xSetCertificate(TAG1_LEN_ID + (3 * (i - 1)), tempBuf, 2));
         }
-    }
-    else
-    {
-        ReturnErrorOnFailure(TLV::Utilities::Find(msg_reader, TLV::ContextTag(1), tagReader));
-        uint8_t csrlen = tagReader.GetLength();
-        VerifyOrReturnError(csrlen > 0, CHIP_ERROR_INVALID_TLV_TAG);
-        ByteSpan csr_data;
-        /* Get nocsr */
-        ReturnErrorOnFailure(tagReader.Get(csr_data));
-        /* Set nocsr length */
-        VerifyOrReturnError(CHIP_NO_ERROR == se05xSetCertificate(NOCSR_CSR_LEN_SE05X_ID, &csrlen, 1), CHIP_ERROR_INTERNAL);
-        /* Set nocsr data */
-        se05x_delete_key(NOCSR_CSR_DATA_SE05X_ID);
-        VerifyOrReturnError(CHIP_NO_ERROR == se05xSetCertificate(NOCSR_CSR_DATA_SE05X_ID, csr_data.data(), csr_data.size()),
-                            CHIP_ERROR_INTERNAL);
-
-        ReturnErrorOnFailure(TLV::Utilities::Find(msg_reader, TLV::ContextTag(2), tagReader));
-        uint8_t noncelen = tagReader.GetLength();
-        VerifyOrReturnError(noncelen > 0, CHIP_ERROR_INVALID_TLV_TAG);
-        /* Get nocsr nonce */
-        ByteSpan nocsr_nonce;
-        ReturnErrorOnFailure(tagReader.Get(nocsr_nonce));
-        /* Set nocsr nonce data */
-        VerifyOrReturnError(CHIP_NO_ERROR ==
-                                se05xSetCertificate(NOCSR_CSR_NONCE_DATA_SE05X_ID, nocsr_nonce.data(), nocsr_nonce.size()),
-                            CHIP_ERROR_INTERNAL);
-
-        if ((tagReader.GetRemainingLength() + 1 /* End container */) >= 16)
+        else
         {
-            /* Set attestation challenge */
-            VerifyOrReturnError(CHIP_NO_ERROR ==
-                                    se05xSetCertificate(NOCSR_ATTEST_CHALLENGE_SE05X_ID, (message_to_sign.end() - 16), 16),
-                                CHIP_ERROR_INTERNAL);
+            tempBuf[0] = taglen;
+            SuccessOrExit(se05xSetCertificate(TAG1_LEN_ID + (3 * (i - 1)), tempBuf, 1));
+        }
+        if (taglen > 0)
+        {
+            SuccessOrExit(tagReader.Get(tagvalue));
+            SuccessOrExit(se05xSetCertificate(TAG1_VALUE_ID + (3 * (i - 1)), tagvalue.data(), taglen));
         }
     }
 
-    uint8_t signature_se05x[Crypto::kMax_ECDSA_Signature_Length_Der] = { 0 };
-    size_t signature_se05x_len                                       = sizeof(signature_se05x);
+    tempBuf[0] = (uint8_t) TLV::TLVElementType::EndOfContainer;
+    SuccessOrExit(se05xSetCertificate(END_CONTAINER_SE05X_ID, tempBuf, 1));
 
-    if (sign_cert_decl_attest)
-    {
-        err = se05xPerformInternalSign(CD_DEV_ATTESTATION_KEY_SE05X_ID, signature_se05x, &signature_se05x_len);
-        se05x_delete_key(CD_ATTEST_NONCE_DATA_SE05X_ID);
-        se05x_delete_key(CD_TIME_STAMP_LEN_SE05X_ID);
-        se05x_delete_key(CD_TIME_STAMP_DATA_SE05X_ID);
-        se05x_delete_key(CD_ATTEST_CHALLENGE_SE05X_ID);
-        sign_cert_decl_attest = 0;
-    }
-    else
+    if ((tagReader.GetRemainingLength() + 1 /* End container */) >= 16)
     {
-        err = se05xPerformInternalSign(NOCSR_DEV_ATTESTATION_KEY_SE05X_ID, signature_se05x, &signature_se05x_len);
-        se05x_delete_key(NOCSR_CSR_LEN_SE05X_ID);
-        se05x_delete_key(NOCSR_CSR_DATA_SE05X_ID);
-        se05x_delete_key(NOCSR_CSR_NONCE_DATA_SE05X_ID);
-        se05x_delete_key(NOCSR_ATTEST_CHALLENGE_SE05X_ID);
-        sign_cert_decl_attest = 1;
+        /* Set attestation challenge */
+        SuccessOrExit(se05xSetCertificate(ATTEST_CHALLENGE_ID, (message_to_sign.end() - 16), 16));
     }
 
-    ReturnErrorOnFailure(err);
-
-    return chip::Crypto::EcdsaAsn1SignatureToRaw(chip::Crypto::kP256_FE_Length, ByteSpan{ signature_se05x, signature_se05x_len },
-                                                 out_signature_buffer);
+    SuccessOrExit(se05xPerformInternalSign(DEV_ATTESTATION_KEY_SE05X_ID_IS, signature_se05x, &signature_se05x_len));
+
+    err = chip::Crypto::EcdsaAsn1SignatureToRaw(chip::Crypto::kP256_FE_Length, ByteSpan{ signature_se05x, signature_se05x_len },
+                                                out_signature_buffer);
+
+exit:
+    // Delete existing objects if any
+    se05x_delete_key(START_CONTAINER_SE05X_ID);
+    se05x_delete_key(TAG1_ID);
+    se05x_delete_key(TAG1_LEN_ID);
+    se05x_delete_key(TAG1_VALUE_ID);
+    se05x_delete_key(TAG2_ID);
+    se05x_delete_key(TAG2_LEN_ID);
+    se05x_delete_key(TAG2_VALUE_ID);
+    se05x_delete_key(TAG3_ID);
+    se05x_delete_key(TAG3_LEN_ID);
+    se05x_delete_key(TAG3_VALUE_ID);
+    se05x_delete_key(END_CONTAINER_SE05X_ID);
+    se05x_delete_key(ATTEST_CHALLENGE_ID);
+
+    return err;
 }
 
 } // namespace

examples/platform/nxp/se05x/linux/AppMain.cpp

@@ -78,6 +78,7 @@
 
 #if CHIP_CRYPTO_HSM
 #include "DeviceAttestationSe05xCredsExample.h"
+#include "se05x_t4t_utils.h"
 #include <crypto/hsm/CHIPCryptoPALHsm.h>
 #include <crypto/hsm/nxp/PersistentStorageOperationalKeystoreHSM.h>
 #endif
@@ -367,6 +368,10 @@ void ChipLinuxAppMainLoop()
 #else
     static chip::CommonCaseDeviceServerInitParams initParams;
 #endif
+
+#if CHIP_CRYPTO_HSM
+    VerifyOrDie(se05x_enable_contactless_interface() == 0);
+#endif
     VerifyOrDie(initParams.InitializeStaticResourcesBeforeServerInit() == CHIP_NO_ERROR);
 
 #if defined(ENABLE_CHIP_SHELL)

examples/thermostat/nxp/linux-se05x/README.md

@@ -0,0 +1,4 @@
+To cross-compile this example on x64 host and run on **NXP i.MX 8M Mini**
+**EVK**, see the associated
+[README document](../../../../../docs/guides/nxp_imx8m_linux_examples.md) for
+details.

examples/thermostat/nxp/linux-se05x/args.gni

@@ -15,4 +15,3 @@
 import("//build_overrides/chip.gni")
 import("${chip_root}/config/standalone/args.gni")
 chip_with_se05x = 1
-host = "host_linux"

third_party/simw-top-mini/BUILD.gn

@@ -13,6 +13,7 @@
 # limitations under the License.
 
 import("//build_overrides/chip.gni")
+import("${chip_root}/src/platform/device.gni")
 import("${chip_root}/third_party/simw-top-mini/simw_config.gni")
 
 config("se05x_config") {
@@ -26,14 +27,18 @@ config("se05x_config") {
 
   #defines += ["FLOW_VERBOSE"]
 
-  if (host == "host_k32w") {
+  if (chip_device_platform == "k32w0") {
     defines += [
       "AX_EMBEDDED",
       "LPC_K32W",
       "SDK_OS_FREE_RTOS=1",
     ]
   }
 
+  if (chip_rpi_se05x_t4t_demo == 1) {
+    defines += [ "CHIP_RPI_SE05X_T4T_DEMO" ]
+  }
+
   include_dirs = [
     "${chip_root}/third_party/simw-top-mini/repo",
     "${chip_root}/third_party/simw-top-mini/repo/sss/inc",
@@ -49,7 +54,7 @@ config("se05x_config") {
     "${chip_root}/third_party/simw-top-mini/repo/hostlib/hostLib/platform/inc",
     "${chip_root}/third_party/simw-top-mini/repo/hostlib/hostLib/libCommon/smCom",
   ]
-  if (host == "host_k32w") {
+  if (chip_device_platform == "k32w0") {
     include_dirs += [
       "${chip_root}/third_party/simw-top-mini/repo/demos/ksdk/common/boards/DK6/wireless_examples/chip",
       "${chip_root}/third_party/simw-top-mini/repo/demos/ksdk/common/freertos/boards/DK6",
@@ -66,6 +71,7 @@ source_set("se05x") {
     "${chip_root}/third_party/simw-top-mini/repo/hostlib/hostLib/libCommon/infra/sm_printf.c",
     "${chip_root}/third_party/simw-top-mini/repo/hostlib/hostLib/libCommon/log/nxLog.c",
     "${chip_root}/third_party/simw-top-mini/repo/hostlib/hostLib/libCommon/smCom/smCom.c",
+    "${chip_root}/third_party/simw-top-mini/repo/hostlib/hostLib/platform/generic/se05x_t4t_utils.cpp",
     "${chip_root}/third_party/simw-top-mini/repo/hostlib/hostLib/platform/rsp/se05x_reset.c",
     "${chip_root}/third_party/simw-top-mini/repo/hostlib/hostLib/se05x/src/se05x_ECC_curves.c",
     "${chip_root}/third_party/simw-top-mini/repo/hostlib/hostLib/se05x/src/se05x_mw.c",
@@ -93,12 +99,12 @@ source_set("se05x") {
     "${chip_root}/third_party/simw-top-mini/repo/hostlib/hostLib/libCommon/smCom/smComT1oI2C.c",
   ]
 
-  if (host == "host_k32w") {
+  if (chip_device_platform == "k32w0") {
     sources += [
       "${chip_root}/third_party/simw-top-mini/repo/hostlib/hostLib/platform/ksdk/i2c_dk6.c",
       "${chip_root}/third_party/simw-top-mini/repo/hostlib/hostLib/platform/ksdk/timer_kinetis_freertos.c",
     ]
-  } else if (host == "host_linux") {
+  } else if (chip_device_platform == "linux") {
     sources += [
       "${chip_root}/third_party/simw-top-mini/repo/hostlib/hostLib/platform/generic/sm_timer.c",
       "${chip_root}/third_party/simw-top-mini/repo/hostlib/hostLib/platform/linux/i2c_a7.c",

third_party/simw-top-mini/simw_config.gni

@@ -15,6 +15,5 @@
 # Configuration file
 
 declare_args() {
-  # possible values host_k32w, host_linux
-  host = "host_k32w"
+  chip_rpi_se05x_t4t_demo = 0
 }