Feature/secure element ci (#7816)

* script for building with Secure Element * debug ==> release as it is actually built in release mode * added secure element build * Added with secure element build * added build instrctions * added lf * spacing * spacing * added se * image of se * Updated Readme * default host is host_k32w * restyled * spell corrected * Only One binary for code size analysis * extended for se * Removed the extra copy paste line * build fixes. Motivation fo this PR * restyled * Review comment updates * made it simpler * made const * labelling it correctly
project-chip · Jul 7, 2021 · d029172 · d029172
1 parent c67a9b1
commit d029172
Show file tree

Hide file tree

Showing 7 changed files with 85 additions and 18 deletions.
diff --git a/.github/workflows/examples-k32w.yaml b/.github/workflows/examples-k32w.yaml
@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-name: Build example - K32W
+name: Build example - K32W with SE051
 
 on:
     push:
@@ -65,14 +65,14 @@ jobs:
               timeout-minutes: 5
               run: scripts/examples/k32w_example.sh
                    examples/lock-app/k32w out/lock_app_debug
-            - name: Build example K32W Lighting App
-              timeout-minutes: 5
-              run: scripts/examples/k32w_example.sh
-                   examples/lighting-app/k32w out/lighting_app_debug
             - name: Build example K32W Shell App
               timeout-minutes: 5
               run: scripts/examples/k32w_example.sh
                    examples/shell/k32w out/shell_app_debug
+            - name: Build example K32W Lighting App with Secure Element
+              timeout-minutes: 5
+              run: scripts/examples/k32w_se_example.sh
+                   examples/lighting-app/k32w out/lighting_app_se_release
             - name: Binary artifact suffix
               id: outsuffix
               uses: haya14busa/action-cond@v1.0.0

diff --git a/examples/lighting-app/k32w/README.md b/examples/lighting-app/k32w/README.md
@@ -55,6 +55,22 @@ default settings by pressing a button. However, this mode does not guarantee
 that the device will be able to communicate with the CHIP controller and other
 devices.
 
+### SE051H Secure Element
+
+Deployment of this firmware configuration requires the K32W061 board setups
+using the K32W0/JN5189 module board, SE051 Expansion board and Generic Expansion
+board as shown below:
+
+![SE051H  + K32W061 DK6](../../platform/k32w/doc/images/k32w-se.jpg)
+
+The SE051H Secure Element extension may be used for best in class security and
+offloading some of the Project CHIP cryptographic operations. Depending on your
+hardware configuration, choose one of the options below (building with or
+without Secure Element). NOTE: the SE051H is a derivative of the SE051 product
+family (see http://www.nxp.com/SE051) including dedicated CHIP support in
+addition to the SE051 feature set. See the material provided separately by NXP
+for more details on SE051H.
+
 ### Bluetooth LE Advertising
 
 In this example, to commission the device onto a Project CHIP network, it must
@@ -153,18 +169,22 @@ distribution (the demo-application was compiled on Ubuntu 20.04).
     the one from the image below.
     ![MCUXpresso SDK Download](../../platform/k32w/doc/images/mcux-sdk-download.JPG)
 
--   Start building the application
+-   Start building the application either with Secure Element or without
+    -   with Secure Element
 
 ```
 user@ubuntu:~/Desktop/git/connectedhomeip$ export K32W061_SDK_ROOT=/home/user/Desktop/SDK_2.6.3_K32W061DK6/
 user@ubuntu:~/Desktop/git/connectedhomeip$ ./third_party/k32w_sdk/sdk_fixes/patch_k32w_sdk.sh
 user@ubuntu:~/Desktop/git/connectedhomeip$ source ./scripts/activate.sh
 user@ubuntu:~/Desktop/git/connectedhomeip$ cd examples/lighting-app/k32w/
-user@ubuntu:~/Desktop/git/connectedhomeip/examples/lighting-app/k32w$ gn gen out/debug --args="k32w_sdk_root=\"${K32W061_SDK_ROOT}\" chip_with_OM15082=1 chip_with_ot_cli=0 is_debug=false"
+user@ubuntu:~/Desktop/git/connectedhomeip/examples/lighting-app/k32w$ gn gen out/debug --args="k32w_sdk_root=\"${K32W061_SDK_ROOT}\" chip_with_OM15082=1 chip_with_ot_cli=0 is_debug=false chip_crypto=\"mbedtls\" chip_with_se05x=1"
 user@ubuntu:~/Desktop/git/connectedhomeip/examples/lightin-app/k32w$ ninja -C out/debug
 user@ubuntu:~/Desktop/git/connectedhomeip/examples/lighting-app/k32w$ $K32W061_SDK_ROOT/tools/imagetool/sign_images.sh out/debug/
 ```
 
+    -   without Secure element
+        Exactly the same steps as above but set chip_with_se05x=0 in the gn command
+
 Note that "patch_k32w_sdk.sh" script must be run for patching the K32W061 SDK
 2.6.3.
 

diff --git a/examples/lock-app/k32w/README.md b/examples/lock-app/k32w/README.md
@@ -56,6 +56,22 @@ default settings by pressing a button. However, this mode does not guarantee
 that the device will be able to communicate with the CHIP controller and other
 devices.
 
+### SE051H Secure Element
+
+Deployment of this firmware configuration requires the K32W061 board setups
+using the K32W0/JN5189 module board, SE051 Expansion board and Generic Expansion
+board as shown below:
+
+![SE051H  + K32W061 DK6](../../platform/k32w/doc/images/k32w-se.jpg)
+
+The SE051H Secure Element extension may be used for best in class security and
+offloading some of the Project CHIP cryptographic operations. Depending on your
+hardware configuration, choose one of the options below (building with or
+without Secure Element). NOTE: the SE051H is a derivative of the SE051 product
+family (see http://www.nxp.com/SE051) including dedicated CHIP support in
+addition to the SE051 feature set. See the material provided separately by NXP
+for more details on SE051H.
+
 ### Bluetooth LE Advertising
 
 In this example, to commission the device onto a Project CHIP network, it must
@@ -156,18 +172,23 @@ distribution (the demo-application was compiled on Ubuntu 20.04).
     the one from the image below.
     ![MCUXpresso SDK Download](../../platform/k32w/doc/images/mcux-sdk-download.JPG)
 
--   Start building the application
+-   Start building the application either with Secure Element or without
+
+    -   with Secure Element
 
 ```
 user@ubuntu:~/Desktop/git/connectedhomeip$ export K32W061_SDK_ROOT=/home/user/Desktop/SDK_2.6.3_K32W061DK6/
 user@ubuntu:~/Desktop/git/connectedhomeip$ ./third_party/k32w_sdk/sdk_fixes/patch_k32w_sdk.sh
 user@ubuntu:~/Desktop/git/connectedhomeip$ source ./scripts/activate.sh
 user@ubuntu:~/Desktop/git/connectedhomeip$ cd examples/lock-app/k32w/
-user@ubuntu:~/Desktop/git/connectedhomeip/examples/lock-app/k32w$ gn gen out/debug --args="k32w_sdk_root=\"${K32W061_SDK_ROOT}\" chip_with_OM15082=1 chip_with_ot_cli=0 is_debug=false"
+user@ubuntu:~/Desktop/git/connectedhomeip/examples/lock-app/k32w$ gn gen out/debug --args="k32w_sdk_root=\"${K32W061_SDK_ROOT}\" chip_with_OM15082=1 chip_with_ot_cli=0 is_debug=false chip_crypto=\"mbedtls\" chip_with_se05x=1"
 user@ubuntu:~/Desktop/git/connectedhomeip/examples/lock-app/k32w$ ninja -C out/debug
 user@ubuntu:~/Desktop/git/connectedhomeip/examples/lock-app/k32w$ $K32W061_SDK_ROOT/tools/imagetool/sign_images.sh out/debug/
 ```
 
+    -   without Secure element
+        Exactly the same steps as above but set chip_with_se05x=0 in the gn command
+
 Note that "patch_k32w_sdk.sh" script must be run for patching the K32W061 SDK
 2.6.3.
 

diff --git a/examples/platform/k32w/doc/images/k32w-se.jpg b/examples/platform/k32w/doc/images/k32w-se.jpg
diff --git a/scripts/examples/k32w_se_example.sh b/scripts/examples/k32w_se_example.sh
@@ -0,0 +1,31 @@
+#!/usr/bin/env bash
+
+#
+#    Copyright (c) 2021 Project CHIP Authors
+#
+#    Licensed under the Apache License, Version 2.0 (the "License");
+#    you may not use this file except in compliance with the License.
+#    You may obtain a copy of the License at
+#
+#        http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS,
+#    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#    See the License for the specific language governing permissions and
+#    limitations under the License.
+#
+
+set -e
+
+# Build script for K32W examples GitHub workflow.
+
+source "$(dirname "$0")/../../scripts/activate.sh"
+
+set -x
+env
+
+"$(dirname "$0")"/../../third_party/k32w_sdk/sdk_fixes/patch_k32w_sdk.sh
+
+gn gen --check --fail-on-unused-args --root="$1" "$2" --args="k32w_sdk_root=\"$K32W061_SDK_ROOT\" is_debug=false chip_crypto=\"mbedtls\" chip_with_se05x=1"
+ninja -C "$2"
diff --git a/src/crypto/hsm/nxp/CHIPCryptoPALHsm_SE05X_Spake2p.cpp b/src/crypto/hsm/nxp/CHIPCryptoPALHsm_SE05X_Spake2p.cpp
@@ -159,11 +159,7 @@ CHIP_ERROR Spake2p_ComputeRoundOne_HSM(hsm_pake_context_t * phsm_pake_context, c
 
     if (role == chip::Crypto::CHIP_SPAKE2P_ROLE::VERIFIER)
     {
-        if (pab == NULL)
-        {
-            /* Need X/Y value to verify abort condition */
-            goto exit;
-        }
+        VerifyOrReturnError(pab != NULL, CHIP_ERROR_INVALID_ARGUMENT);
     }
 
 #if SSS_HAVE_SE05X_VER_GTE_16_03
@@ -487,7 +483,7 @@ CHIP_ERROR Spake2pHSM_P256_SHA256_HKDF_HMAC::ComputeRoundTwo(const uint8_t * in,
     uint8_t pKeyKe[16] = {
         0,
     };
-    constexpr size_t pkeyKeLen = sizeof(pKeyKe);
+    size_t pkeyKeLen = sizeof(pKeyKe);
 
     const CHIP_ERROR error = Spake2p_ComputeRoundTwo_HSM(&hsm_pake_context, role, in, in_len, out, out_len, pKeyKe, &pkeyKeLen);
     if (CHIP_NO_ERROR == error)
@@ -500,7 +496,7 @@ CHIP_ERROR Spake2pHSM_P256_SHA256_HKDF_HMAC::ComputeRoundTwo(const uint8_t * in,
 
 CHIP_ERROR Spake2pHSM_P256_SHA256_HKDF_HMAC::KeyConfirm(const uint8_t * in, size_t in_len)
 {
-    VerifyOrExit(state == CHIP_SPAKE2P_STATE::R2, error = CHIP_ERROR_INTERNAL);
+    VerifyOrReturnError(state == CHIP_SPAKE2P_STATE::R2, CHIP_ERROR_INTERNAL);
 
 #if !ENABLE_HSM_SPAKE_VERIFIER
     const bool sw_rollback_verifier = (role == chip::Crypto::CHIP_SPAKE2P_ROLE::VERIFIER);
@@ -518,7 +514,6 @@ CHIP_ERROR Spake2pHSM_P256_SHA256_HKDF_HMAC::KeyConfirm(const uint8_t * in, size
     {
         return Spake2p::KeyConfirm(in, in_len);
     }
-
     const CHIP_ERROR error = Spake2p_KeyConfirm_HSM(&hsm_pake_context, role, in, in_len);
     if (CHIP_NO_ERROR == error)
     {

diff --git a/third_party/simw-top-mini/simw_config.gni b/third_party/simw-top-mini/simw_config.gni
@@ -16,5 +16,5 @@
 
 declare_args() {
   # possible values host_k32w, host_linux
-  host = "host_linux"
+  host = "host_k32w"
 }