project-chip · mergify · Jun 20, 2023 · Jun 5, 2023 · Jun 5, 2023 · Jun 7, 2023
@@ -19,17 +19,10 @@
 #include <credentials/examples/ExampleDACs.h>
 #include <credentials/examples/ExamplePAI.h>
 #include <crypto/CHIPCryptoPAL.h>
+#include <CHIPCryptoPAL_se05x.h>
 #include <lib/core/CHIPError.h>
 #include <lib/support/Span.h>
 
-#if CHIP_CRYPTO_HSM
-#include <crypto/hsm/CHIPCryptoPALHsm.h>
-#endif
-
-#ifdef ENABLE_HSM_DEVICE_ATTESTATION
-
-#include <crypto/hsm/nxp/CHIPCryptoPALHsm_SE05X_utils.h>
-
 /* Device attestation key ids */
 #define DEV_ATTESTATION_KEY_SE05X_ID 0x7D300000
 #define DEV_ATTESTATION_CERT_SE05X_ID 0x7D300001
@@ -135,17 +128,34 @@ CHIP_ERROR ExampleSe05xDACProvider::SignWithDeviceAttestationKey(const ByteSpan
                                                                  MutableByteSpan & out_signature_buffer)
 {
     Crypto::P256ECDSASignature signature;
-    Crypto::P256KeypairHSM keypair;
+    Crypto::P256Keypair keypair;
+    Crypto::P256SerializedKeypair serialized_keypair;
+    uint8_t magic_bytes[] = NXP_CRYPTO_KEY_MAGIC;
 
     ChipLogDetail(Crypto, "Sign using DA key from se05x");
 
     VerifyOrReturnError(IsSpanUsable(out_signature_buffer), CHIP_ERROR_INVALID_ARGUMENT);
     VerifyOrReturnError(IsSpanUsable(message_to_sign), CHIP_ERROR_INVALID_ARGUMENT);
     VerifyOrReturnError(out_signature_buffer.size() >= signature.Capacity(), CHIP_ERROR_BUFFER_TOO_SMALL);
 
-    keypair.SetKeyId(DEV_ATTESTATION_KEY_SE05X_ID);
-    keypair.provisioned_key = true;
-    keypair.Initialize(Crypto::ECPKeyTarget::ECDSA);
+
+    // Add public key + reference private key (ref to key inside SE)
+
+    serialized_keypair.SetLength(Crypto::kP256_PublicKey_Length + Crypto::kP256_PrivateKey_Length);
+
+    memset(serialized_keypair.Bytes(), 0, Crypto::kP256_PublicKey_Length);
+    memcpy(serialized_keypair.Bytes() + Crypto::kP256_PublicKey_Length, magic_bytes, sizeof(magic_bytes));
+    *(serialized_keypair.Bytes() + Crypto::kP256_PublicKey_Length + sizeof(magic_bytes) + 0) =
+        (DEV_ATTESTATION_KEY_SE05X_ID & 0xFF000000) >> (8 * 3);
+    *(serialized_keypair.Bytes() + Crypto::kP256_PublicKey_Length + sizeof(magic_bytes) + 1) =
+        (DEV_ATTESTATION_KEY_SE05X_ID & 0x00FF0000) >> (8 * 2);
+    *(serialized_keypair.Bytes() + Crypto::kP256_PublicKey_Length + sizeof(magic_bytes) + 2) =
+        (DEV_ATTESTATION_KEY_SE05X_ID & 0x0000FF00) >> (8 * 1);
+    *(serialized_keypair.Bytes() + Crypto::kP256_PublicKey_Length + sizeof(magic_bytes) + 3) =
+        (DEV_ATTESTATION_KEY_SE05X_ID & 0x000000FF) >> (8 * 0);
+
+    ReturnErrorOnFailure(keypair.Deserialize(serialized_keypair));
+
 
     ReturnErrorOnFailure(keypair.ECDSA_sign_msg(message_to_sign.data(), message_to_sign.size(), signature));
 
@@ -164,5 +174,3 @@ DeviceAttestationCredentialsProvider * GetExampleSe05xDACProvider()
 } // namespace Examples
 } // namespace Credentials
 } // namespace chip
-
-#endif //#ifdef ENABLE_HSM_DEVICE_ATTESTATION
@@ -14,25 +14,21 @@
  *    See the License for the specific language governing permissions and
  *    limitations under the License.
  */
+
 #include "DeviceAttestationSe05xCredsExample.h"
 
 #include <credentials/examples/ExampleDACs.h>
 #include <credentials/examples/ExamplePAI.h>
 #include <crypto/CHIPCryptoPAL.h>
+#include <CHIPCryptoPAL_se05x.h>
+#include <lib/core/CHIPError.h>
+#include <lib/support/Span.h>
 #include <lib/core/CHIPError.h>
 #include <lib/core/TLV.h>
 #include <lib/core/TLVTags.h>
 #include <lib/core/TLVTypes.h>
-#include <lib/core/TLVUtilities.hpp>
 #include <lib/support/Span.h>
-
-#if CHIP_CRYPTO_HSM
-#include <crypto/hsm/CHIPCryptoPALHsm.h>
-#endif
-
-#ifdef ENABLE_HSM_DEVICE_ATTESTATION
-
-#include <crypto/hsm/nxp/CHIPCryptoPALHsm_SE05X_utils.h>
+#include <lib/core/TLVUtilities.h>
 
 /* Device attestation key ids */
 #define DEV_ATTESTATION_KEY_SE05X_ID 0x7D300000
@@ -279,5 +275,3 @@ DeviceAttestationCredentialsProvider * GetExampleSe05xDACProviderv2()
 } // namespace Examples
 } // namespace Credentials
 } // namespace chip
-
-#endif // #ifdef ENABLE_HSM_DEVICE_ATTESTATION
@@ -77,12 +77,8 @@
 #include "AppMain.h"
 #include "CommissionableInit.h"
 
-#if CHIP_CRYPTO_HSM
+#include <CHIPCryptoPALHsm_se05x_config.h>
 #include "DeviceAttestationSe05xCredsExample.h"
-#include "se05x_t4t_utils.h"
-#include <crypto/hsm/CHIPCryptoPALHsm.h>
-#include <crypto/hsm/nxp/PersistentStorageOperationalKeystoreHSM.h>
-#endif
 
 using namespace chip;
 using namespace chip::ArgParser;
@@ -289,95 +285,10 @@ int ChipLinuxAppInit(int argc, char * const argv[], OptionSet * customOptions)
     return 0;
 }
 
-#ifdef ENABLE_HSM_EC_KEY
-
-struct CommonCaseDeviceServerInitParams_Se05x : public CommonCaseDeviceServerInitParams
-{
-    CHIP_ERROR InitializeStaticResourcesBeforeServerInit()
-    {
-        static chip::KvsPersistentStorageDelegate sKvsPersistenStorageDelegate;
-        static chip::PersistentStorageOperationalKeystoreHSM sPersistentStorageOperationalKeystore;
-        static chip::Credentials::PersistentStorageOpCertStore sPersistentStorageOpCertStore;
-        static chip::Credentials::GroupDataProviderImpl sGroupDataProvider;
-        static Credentials::IgnoreCertificateValidityPeriodPolicy sDefaultCertValidityPolicy;
-        static chip::Crypto::DefaultSessionKeystore sSessionKeystore;
-
-#if CHIP_CONFIG_ENABLE_SESSION_RESUMPTION
-        static chip::SimpleSessionResumptionStorage sSessionResumptionStorage;
-#endif
-        static chip::app::DefaultAclStorage sAclStorage;
-
-        // KVS-based persistent storage delegate injection
-        if (persistentStorageDelegate == nullptr)
-        {
-            chip::DeviceLayer::PersistedStorage::KeyValueStoreManager & kvsManager =
-                DeviceLayer::PersistedStorage::KeyValueStoreMgr();
-            ReturnErrorOnFailure(sKvsPersistenStorageDelegate.Init(&kvsManager));
-            this->persistentStorageDelegate = &sKvsPersistenStorageDelegate;
-        }
-
-        // PersistentStorageDelegate "software-based" operational key access injection
-        if (this->operationalKeystore == nullptr)
-        {
-            // WARNING: PersistentStorageOperationalKeystore::Finish() is never called. It's fine for
-            //          for examples and for now.
-            ReturnErrorOnFailure(sPersistentStorageOperationalKeystore.Init(this->persistentStorageDelegate));
-            this->operationalKeystore = &sPersistentStorageOperationalKeystore;
-        }
-
-        // OpCertStore can be injected but default to persistent storage default
-        // for simplicity of the examples.
-        if (this->opCertStore == nullptr)
-        {
-            // WARNING: PersistentStorageOpCertStore::Finish() is never called. It's fine for
-            //          for examples and for now, since all storage is immediate for that impl.
-            ReturnErrorOnFailure(sPersistentStorageOpCertStore.Init(this->persistentStorageDelegate));
-            this->opCertStore = &sPersistentStorageOpCertStore;
-        }
-
-        // Session Keystore injection
-        this->sessionKeystore = &sSessionKeystore;
-
-        // Group Data provider injection
-        sGroupDataProvider.SetStorageDelegate(this->persistentStorageDelegate);
-        sGroupDataProvider.SetSessionKeystore(this->sessionKeystore);
-        ReturnErrorOnFailure(sGroupDataProvider.Init());
-        this->groupDataProvider = &sGroupDataProvider;
-
-#if CHIP_CONFIG_ENABLE_SESSION_RESUMPTION
-        ReturnErrorOnFailure(sSessionResumptionStorage.Init(this->persistentStorageDelegate));
-        this->sessionResumptionStorage = &sSessionResumptionStorage;
-#else
-        this->sessionResumptionStorage = nullptr;
-#endif
-
-        // Inject access control delegate
-        this->accessDelegate = Access::Examples::GetAccessControlDelegate();
-
-        // Inject ACL storage. (Don't initialize it.)
-        this->aclStorage = &sAclStorage;
-
-        // Inject certificate validation policy compatible with non-wall-clock-time-synced
-        // embedded systems.
-        this->certificateValidityPolicy = &sDefaultCertValidityPolicy;
-
-        return CHIP_NO_ERROR;
-    }
-};
-
-#endif
-
 void ChipLinuxAppMainLoop(AppMainLoopImplementation * impl)
 {
-#ifdef ENABLE_HSM_EC_KEY
-    static CommonCaseDeviceServerInitParams_Se05x initParams;
-#else
     static chip::CommonCaseDeviceServerInitParams initParams;
-#endif
 
-#if CHIP_CRYPTO_HSM
-    VerifyOrDie(se05x_enable_contactless_interface() == 0);
-#endif
     VerifyOrDie(initParams.InitializeStaticResourcesBeforeServerInit() == CHIP_NO_ERROR);
 
 #if defined(ENABLE_CHIP_SHELL)
@@ -423,7 +334,7 @@ void ChipLinuxAppMainLoop(AppMainLoopImplementation * impl)
     PrintOnboardingCodes(LinuxDeviceOptions::GetInstance().payload);
 
     // Initialize device attestation config
-#ifdef ENABLE_HSM_DEVICE_ATTESTATION
+#if ENABLE_SE05X_DEVICE_ATTESTATION
     SetDeviceAttestationCredentialsProvider(Examples::GetExampleSe05xDACProvider());
 #else
     SetDeviceAttestationCredentialsProvider(LinuxDeviceOptions::GetInstance().dacProvider);

@@ -59,6 +59,7 @@ source_set("app-main") {
   include_dirs = [
     "${chip_root}/examples/platform/linux",
     "${chip_root}/examples/platform/nxp/se05x",
+    "${chip_root}/src/platform/nxp/crypto/se05x",
   ]
 
   defines = []

@@ -14,19 +14,35 @@
 
 import("//build_overrides/build.gni")
 import("//build_overrides/chip.gni")
+import("${chip_root}/src/platform/nxp/crypto/nxp_crypto.gni")
 
-executable("thermostat-se05x-app") {
-  sources = [ "${chip_root}/examples/thermostat/linux/main.cpp" ]
-
+executable("thermostat-app") {
+  sources = [
+    "../../linux/main.cpp",
+    "../../linux/include/low-power/LowPowerManager.cpp",
+    "../../linux/include/low-power/LowPowerManager.h",
+  ]
   include_dirs = [ "${chip_root}/examples/platform/linux" ]
 
   deps = [
-    "${chip_root}/examples/platform/nxp/se05x/linux:app-main",
+    "${chip_root}/examples/platform/nxp/${nxp_crypto_impl}/linux:app-main",
     "${chip_root}/examples/thermostat/thermostat-common",
     "${chip_root}/src/lib",
   ]
 
   cflags = [ "-Wconversion" ]
 
   output_dir = root_out_dir
+
+  deps += [
+    "${chip_root}/src/platform/nxp/crypto/${nxp_crypto_impl}:nxp_crypto_lib"
+  ]
+}
+
+group("linux") {
+  deps = [ ":thermostat-app" ]
+}
+
+group("default") {
+  deps = [ ":linux" ]
 }
@@ -13,5 +13,8 @@
 # limitations under the License.
 
 import("//build_overrides/chip.gni")
+
 import("${chip_root}/config/standalone/args.gni")
-chip_with_se05x = 1
+
+# Include to define nxp_crypto_impl
+import("${chip_root}/src/platform/nxp/crypto/se05x/args.gni")
diff --git a/src/crypto/BUILD.gn b/src/crypto/BUILD.gn
@@ -55,14 +55,6 @@ buildconfig_header("crypto_buildconfig") {
     "CHIP_CRYPTO_BORINGSSL=${chip_crypto_boringssl}",
     "CHIP_CRYPTO_PLATFORM=${chip_crypto_platform}",
   ]
-
-  if (chip_with_se05x == 1) {
-    defines += [ "CHIP_CRYPTO_HSM=1" ]
-    defines += [ "CHIP_CRYPTO_HSM_NXP=1" ]
-  } else {
-    defines += [ "CHIP_CRYPTO_HSM=0" ]
-    defines += [ "CHIP_CRYPTO_HSM_NXP=0" ]
-  }
 }
 
 source_set("public_headers") {
@@ -177,19 +169,4 @@ static_library("crypto") {
   } else {
     assert(false, "Invalid CHIP crypto")
   }
-
-  if (chip_with_se05x == 1) {
-    sources += [
-      "hsm/nxp/CHIPCryptoPALHsm_SE05X_HKDF.cpp",
-      "hsm/nxp/CHIPCryptoPALHsm_SE05X_HMAC.cpp",
-      "hsm/nxp/CHIPCryptoPALHsm_SE05X_P256.cpp",
-      "hsm/nxp/CHIPCryptoPALHsm_SE05X_PBKDF.cpp",
-      "hsm/nxp/CHIPCryptoPALHsm_SE05X_Spake2p.cpp",
-      "hsm/nxp/CHIPCryptoPALHsm_SE05X_utils.cpp",
-      "hsm/nxp/PersistentStorageOperationalKeystoreHSM.cpp",
-      "hsm/nxp/PersistentStorageOperationalKeystoreHSM.h",
-    ]
-    public_deps += [ "${chip_root}/third_party/simw-top-mini:se05x" ]
-    public_configs += [ "${chip_root}/third_party/simw-top-mini:se05x_config" ]
-  }
 }
diff --git a/src/crypto/CHIPCryptoPAL.cpp b/src/crypto/CHIPCryptoPAL.cpp
@@ -197,11 +197,7 @@ CHIP_ERROR ConvertIntegerRawToDerInternal(const ByteSpan & raw_integer, MutableB
 namespace chip {
 namespace Crypto {
 
-#ifdef ENABLE_HSM_HKDF
-using HKDF_sha_crypto = HKDF_shaHSM;
-#else
 using HKDF_sha_crypto = HKDF_sha;
-#endif
 
 CHIP_ERROR Spake2p::InternalHash(const uint8_t * in, size_t in_len)
 {
@@ -549,11 +545,7 @@ CHIP_ERROR Spake2pVerifier::Generate(uint32_t pbkdf2IterCount, const ByteSpan &
     size_t len;
 
     // Create local Spake2+ object for w0 and L computations.
-#ifdef ENABLE_HSM_SPAKE
-    Spake2pHSM_P256_SHA256_HKDF_HMAC spake2p;
-#else
     Spake2p_P256_SHA256_HKDF_HMAC spake2p;
-#endif
     uint8_t context[kSHA256_Hash_Length] = { 0 };
     SuccessOrExit(err = spake2p.Init(context, sizeof(context)));
 
@@ -575,11 +567,7 @@ CHIP_ERROR Spake2pVerifier::Generate(uint32_t pbkdf2IterCount, const ByteSpan &
 CHIP_ERROR Spake2pVerifier::ComputeWS(uint32_t pbkdf2IterCount, const ByteSpan & salt, uint32_t setupPin, uint8_t * ws,
                                       uint32_t ws_len)
 {
-#ifdef ENABLE_HSM_PBKDF2
-    PBKDF2_sha256HSM pbkdf2;
-#else
     PBKDF2_sha256 pbkdf2;
-#endif
     uint8_t littleEndianSetupPINCode[sizeof(uint32_t)];
     Encoding::LittleEndian::Put32(littleEndianSetupPINCode, setupPin);
 

diff --git a/src/crypto/RawKeySessionKeystore.cpp b/src/crypto/RawKeySessionKeystore.cpp
@@ -22,11 +22,7 @@
 namespace chip {
 namespace Crypto {
 
-#ifdef ENABLE_HSM_HKDF
-using HKDF_sha_crypto = HKDF_shaHSM;
-#else
 using HKDF_sha_crypto = HKDF_sha;
-#endif
 
 CHIP_ERROR RawKeySessionKeystore::CreateKey(const Aes128KeyByteArray & keyMaterial, Aes128KeyHandle & key)
 {