diff --git a/.github/.wordlist.txt b/.github/.wordlist.txt index 722e7804bc327c..7c117d5f65634f 100644 --- a/.github/.wordlist.txt +++ b/.github/.wordlist.txt @@ -879,6 +879,7 @@ MoveWithOnOff MPSL MRP MTD +MTR MTU Multiband Multicast diff --git a/docs/guides/infineon_psoc6_trustm_software_update.md b/docs/guides/infineon_psoc6_trustm_software_update.md new file mode 100644 index 00000000000000..63a97f6fc11fd6 --- /dev/null +++ b/docs/guides/infineon_psoc6_trustm_software_update.md 
@@ -0,0 +1,88 @@ +# Matter Software Update with Infineon PSoC6 and OPTIGA™ Trust M example applications + +The Over The Air (OTA) Software Update functionality can be added to any of the +Infineon PSoC6 example applications by passing the +`chip_enable_ota_requestor=true` option to the build script. + +## Running the OTA Download scenario + +- An OTA Provider is a node that can respond to the OTA Requestors' queries + about available software updates and share the update packages with them. An + OTA Requestor is any node that needs to be updated and can communicate with + the OTA Provider to fetch applicable software updates. In the procedure + described below, the OTA Provider will be a Linux application and the + example running on the Infineon PSoC6 board will work as the OTA Requestor. + +- On a Linux or Darwin platform build the chip-tool and the ota-provider-app + as follows: + + This step can be ignored if Test Harness(Raspberry Pi) is used as OTA + Provider. + + ``` + scripts/examples/gn_build_example.sh examples/chip-tool out/ + scripts/examples/gn_build_example.sh examples/ota-provider-app/linux out/debug chip_config_network_layer_ble=false + ``` + +- Build the PSoC6 OTA Requestor application with OPTIGA™ Trust M from the + connectedhomeip root dir: + + ``` + $ scripts/build/build_examples.py --enable-flashbundle --target infineon-psoc6-lock-trustm-ota build + $ third_party/infineon/psoc6/psoc6_sdk/ota/ota_base_build.sh out/infineon-psoc6-lock-trustm-ota chip-psoc6-lock-example + ``` + + Note: In order for the Provider to successfully serve the image to a device + during the OTA Software Update process the softwareVersion parameter in the + Provider config file must be greater than the + CHIP_DEVICE_CONFIG_DEVICE_SOFTWARE_VERSION parameter set in the + application's CHIPProjectConfig.h file. 
+ +* Build the PSoC6 OTA Update application with OPTIGA™ Trust M from the + connectedhomeip root dir and create OTA file + + ``` + $ scripts/build/build_examples.py --enable-flashbundle --no-log-timestamps --target infineon-psoc6-lock-trustm-ota-updateimage build + $ third_party/infineon/psoc6/psoc6_sdk/ota/ota_update_build.sh out/infineon-psoc6-lock-trustm-ota-updateimage chip-psoc6-lock-example + ``` + +* Additionally a pre-compiled bootloader must be flashed to the board using + [Cypress Programmer](https://softwaretools.infineon.com/tools/com.ifx.tb.tool.cypressprogrammer). + This image can be found at: + + $ ./third_party/infineon/psoc6/psoc6_sdk/ota/matter-psoc6-mcuboot-bootloader.hex + +* In a terminal start the Provider app passing to it the path to the Matter + OTA file created in the previous step:(output of ota_update_build step) + + ``` + rm -r /tmp/chip_* + ./chip-ota-provider-app --discriminator 3840 --passcode 20202021 -f ../chip-psoc6-lock-example.ota + ``` + +* In a separate terminal run the chip-tool commands to provision the Provider: + + ``` + ./chip-tool pairing onnetwork-long 1 20202021 3840 + ./chip-tool accesscontrol write acl '[{"fabricIndex": 1, "privilege": 5, "authMode": 2, "subjects": [112233], "targets": null}, {"fabricIndex": 1, "privilege": 3, "authMode": 2, "subjects": null, "targets": null}]' 1 0 + ``` + + Note: If the application device had been previously commissioned press USER + Button2 to factory-reset the device. + +* In the chip-tool terminal enter: + + ``` + ./chip-tool pairing ble-wifi 2 20202021 3840 + ``` + +* Once the commissioning process completes enter: + + ``` + ./chip-tool otasoftwareupdaterequestor announce-ota-provider 1 0 0 0 2 0 + ``` + +* The application device will connect to the Provider and start the image + download. Status of the transfer can be monitored in the OTA Provider + terminal. Once the image is downloaded the device will reboot into the + downloaded image. 
diff --git a/docs/guides/infineon_trustm_provisioning.md b/docs/guides/infineon_trustm_provisioning.md index fdb9bfe8d6c676..04baaa088dbb55 100644 --- a/docs/guides/infineon_trustm_provisioning.md +++ b/docs/guides/infineon_trustm_provisioning.md @@ -7,7 +7,7 @@ OPTIGA™ Trust M with Matter test device Attestation certificate is needed. [Raspberry Pi 4](https://www.raspberrypi.com/products/raspberry-pi-4-model-b/) -[OPTIGA™ Trust M S2GO](https://www.infineon.com/cms/en/product/evaluation-boards/s2go-security-optiga-m/) +[OPTIGA™ Trust M MTR](https://www.infineon.com/cms/en/product/evaluation-boards/trust-m-mtr-shield/) [Shield2Go Adapter for Raspberry Pi](https://www.infineon.com/cms/en/product/evaluation-boards/s2go-adapter-rasp-pi-iot/) or Jumping Wire 
@@ -30,32 +30,38 @@ can be used to perform provisioning by following the steps mentioned below. ``` $ cd linux-optiga-trust-m/ - $ ./trustm_installation_aarch64_script.sh + $ git checkout provider_dev + $ git submodule update -f + $ ./provider_installation_script.sh ``` - Run the script to generate Matter test DAC for lock-app using the public key extracted from the Infineon pre-provisioned Certificate and store it into - 0xe0e3 + 0xE0E0 ``` $ cd scripts/matter_provisioning/ -$ ./matter_dac_provisioning.sh +$ ./matter_test_provisioning.sh ``` _Note:_ -_By running this example matter_dac_provisioning.sh, the steps shown below are +_By running this example matter_test_provisioning.sh, the steps shown below are executed:_ _Step1: Extract the public key from the Infineon pre-provisioned -Certificate(0xe0e0) using openssl command._ +Certificate(0xE0E0) using openssl command._ _Step2: Generate DAC test certificate using the extracted public key, Signed by [Matter test PAI](https://github.com/project-chip/connectedhomeip/blob/v1.1-branch/credentials/development/attestation/Matter-Development-PAI-FFF1-noPID-Cert.pem)_. Please note that production devices cannot re-use these test keys/certificates. _Step3: Write DAC test certificate into OPTIGA™ Trust M certificate slot -0xe0e3_ +0xE0E0._ -_Step4: Write Matter test PAI into OPTIGA™ Trust M certificate slot 0xe0e8 -and test CD into OPTIGA™ Trust M Arbitrary OID 0xf1e0._ +_Step4: Write Matter test PAI into OPTIGA™ Trust M certificate slot 0xE0E8 +and test CD into OPTIGA™ Trust M Arbitrary OID 0xF1E0._ + +For certificate claim and OPTIGA™ Trust M MTR provisioning, please refer +to our +[README for Late-stage Provisioning](https://github.com/Infineon/linux-optiga-trust-m/blob/provider_dev/scripts/matter_provisioning/README.md#certificate-claiming) 
diff --git a/examples/platform/infineon/trustm/DeviceAttestationCredsExampleTrustM.cpp b/examples/platform/infineon/trustm/DeviceAttestationCredsExampleTrustM.cpp index 454fbe9f89fdf5..e2ef8331cee31f 100644 --- a/examples/platform/infineon/trustm/DeviceAttestationCredsExampleTrustM.cpp +++ b/examples/platform/infineon/trustm/DeviceAttestationCredsExampleTrustM.cpp @@ -32,7 +32,7 @@ /* Device attestation key ids for Trust M */ #define DEV_ATTESTATION_KEY_ID 0xE0F0 -#define DEV_ATTESTATION_CERT_ID 0xE0E3 +#define DEV_ATTESTATION_CERT_ID 0xE0E0 #define PAI_CERT_ID 0xE0E8 #define CERT_DECLARATION_ID 0xF1E0
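Review bot: In docs/guides/infineon_psoc6_trustm_software_update.md, the Provider start step runs `rm -r /tmp/chip_*` with no explanation, and without `-f` the command returns an error when nothing matches the glob. Say in the step what state is being cleared and why, and use `rm -rf /tmp/chip_*` so a first run does not fail. In the same file, the `accesscontrol write acl` command carries a second entry with `"privilege": 3` and `"subjects": null`; add a sentence on what each of the two entries grants and to whom, so a reader can decide whether to narrow `subjects` outside a test setup. The list also switches from `-` to `*` markers after the third item, only some command blocks carry a `$` prompt, and the bootloader path is indented rather than fenced; pick one style throughout.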
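Review bot: In docs/guides/infineon_trustm_provisioning.md (hunk at -7,7), the hardware list now links the OPTIGA™ Trust M MTR shield, but the following line still lists the Shield2Go Adapter for Raspberry Pi. Confirm that the MTR shield mounts on that adapter, or update the adapter and wiring line so the list describes one consistent setup.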
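Review bot: In docs/guides/infineon_trustm_provisioning.md (hunk at -30,32), Step3 now writes the test DAC into 0xE0E0, the same slot Step1 reads the Infineon pre-provisioned certificate from, so as documented the script replaces that certificate. State this explicitly next to Step3 and tell the reader to export the original certificate first if it is needed later. Also, `git checkout provider_dev` and the README link both follow a branch rather than a fixed revision; pinning to a tag or commit would keep the script names used here (`provider_installation_script.sh`, `matter_test_provisioning.sh`) from drifting away from the guide.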
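Review bot: In examples/platform/infineon/trustm/DeviceAttestationCredsExampleTrustM.cpp, changing `DEV_ATTESTATION_CERT_ID` from 0xE0E3 to 0xE0E0 means a board provisioned with the earlier guide (test DAC stored in 0xE0E3) will now have 0xE0E0 read as its DAC, and the earlier guide describes that slot as holding the Infineon pre-provisioned certificate. Note in the commit message or the provisioning guide that existing boards must be re-provisioned with `matter_test_provisioning.sh` before using this build. The comment above the defines says "key ids" although three of the four values are certificate or data object ids; consider rewording it.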