dac in kmu

ArekBalysNordic · ArekBalysNordic · commit aaf316dce3b4 · 2024-10-22T11:15:04.000+02:00
diff --git a/config/nrfconnect/chip-module/CMakeLists.txt b/config/nrfconnect/chip-module/CMakeLists.txt
@@ -235,6 +235,11 @@ target_compile_definitions(chip INTERFACE _POSIX_C_SOURCE=200809)
 # Make sure that kernel symbols that are only referenced by the Matter libraries are resolved.
 target_link_libraries(chip INTERFACE $<TARGET_FILE:kernel>)
 
+if(CONFIG_CHIP_CRYPTO_PSA_DAC_PRIV_KEY_KMU)
+    include(cracenpsa/cracenpsa.cmake)
+    target_link_libraries(chip INTERFACE cracen_psa_driver)
+endif()
+
 if (CONFIG_CHIP_MALLOC_SYS_HEAP_OVERRIDE)
     target_link_options(chip INTERFACE
         -Wl,--wrap=malloc
diff --git a/config/nrfconnect/chip-module/Kconfig b/config/nrfconnect/chip-module/Kconfig
@@ -365,15 +365,40 @@ config CHIP_ENABLE_READ_CLIENT
 	  Disabling this config can save flash and RAM space.
 
 config CHIP_CRYPTO_PSA_MIGRATE_DAC_PRIV_KEY
-	bool "Migrate DAC private key from factory data to PSA ITS"
+	bool "Migrate Migrate DAC private key from factory data to secure storage"
 	depends on CHIP_CRYPTO_PSA
 	depends on CHIP_FACTORY_DATA
+
+choice CHIP_CRYPTO_PSA_DAC_PRIV_KEY_MIGRATION_DEST
+	prompt "Destination for DAC private key migration"
+	default CHIP_CRYPTO_PSA_DAC_PRIV_KEY_ITS
+
+config CHIP_CRYPTO_PSA_DAC_PRIV_KEY_ITS
+	bool "Migrate DAC private key from factory data to PSA ITS"
 	help
 	  Move DAC private key from the factory data set to the PSA ITS secure storage
 	  and remove it. After the first boot of the device the DAC private key will be moved
 	  to the PSA ITS secure storage and will not be available in the factory data anymore.
 	  It will be overwritten in the factory data set by zeros.
 
+config CHIP_CRYPTO_PSA_DAC_PRIV_KEY_KMU
+	bool "Migrate DAC private key from factory data to CRACEN KMU"
+	depends on CRACEN_LIB_KMU
+	select EXPERIMENTAL
+	help
+	  Move DAC private key from the factory data set to the CRACEN Key Management Unit (KMU) secure
+	  storage and remove it. After the first boot of the device the DAC private key will be
+	  moved to the CRACEN KMU secure storage and will not be available in the factory data anymore.
+	  It will be overwritten in the factory data set by zeros.
+
+endchoice
+
+config CHIP_CRYPTO_PSA_DAC_PRIV_KEY_KMU_SLOT_ID
+	int "Destination DAC private key slot ID inside CRACEN KMU"
+	depends on CHIP_CRYPTO_PSA_DAC_PRIV_KEY_KMU
+	range 0 179 # Allow using the application usage space only
+	default 179
+
 config CHIP_PERSISTENT_SUBSCRIPTIONS
 	default n
 	# selecting experimental for this feature since there is an issue with multiple controllers.
diff --git a/src/platform/nrfconnect/FactoryDataProvider.cpp b/src/platform/nrfconnect/FactoryDataProvider.cpp
@@ -26,6 +26,11 @@
 
 #include <lib/support/logging/CHIPLogging.h>
 
+#if defined(CONFIG_CHIP_CRYPTO_PSA_DAC_PRIV_KEY_KMU)
+#include <cracen_psa.h>
+#include <cracen_psa_kmu.h>
+#endif
+
 #ifdef CONFIG_CHIP_CRYPTO_PSA
 #include <lib/support/ScopedBuffer.h>
 #include <psa/crypto.h>
@@ -139,24 +144,46 @@ CHIP_ERROR FactoryDataProvider<FlashFactoryData>::MoveDACPrivateKeyToSecureStora
         {
             ChipLogProgress(DeviceLayer, "Found DAC Private Key in factory data set. Copying to secure storage...");
 
+#if defined(CONFIG_CHIP_CRYPTO_PSA_DAC_PRIV_KEY_ITS)
             // Remove the key if any exists and can be corrupted.
             psa_destroy_key(mDACPrivKeyId);
+#endif
 
             psa_reset_key_attributes(&attributes);
             psa_set_key_type(&attributes, PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1));
             psa_set_key_bits(&attributes, kDACPrivateKeyLength * 8);
             psa_set_key_algorithm(&attributes, PSA_ALG_ECDSA(PSA_ALG_SHA_256));
+            psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_MESSAGE);
 #ifdef CONFIG_CHIP_CRYPTO_PSA_MIGRATE_DAC_PRIV_KEY
+#if defined(CONFIG_CHIP_CRYPTO_PSA_DAC_PRIV_KEY_ITS)
             psa_set_key_lifetime(&attributes, PSA_KEY_LIFETIME_PERSISTENT);
             psa_set_key_id(&attributes, mDACPrivKeyId);
+            VerifyOrReturnError(psa_import_key(&attributes, reinterpret_cast<uint8_t *>(mFactoryData.dac_priv_key.data),
+                                               kDACPrivateKeyLength, &mDACPrivKeyId) == PSA_SUCCESS,
+                                CHIP_ERROR_INTERNAL);
+#elif defined(CONFIG_CHIP_CRYPTO_PSA_DAC_PRIV_KEY_KMU)
+            size_t key_bits;
+            uint8_t opaque_buffer[2];
+            size_t outlen;
+
+            psa_set_key_lifetime(
+                &attributes,
+                PSA_KEY_LIFETIME_FROM_PERSISTENCE_AND_LOCATION(PSA_KEY_PERSISTENCE_DEFAULT, PSA_KEY_LOCATION_CRACEN_KMU));
+            psa_set_key_id(&attributes,
+                           PSA_KEY_HANDLE_FROM_CRACEN_KMU_SLOT(CRACEN_KMU_KEY_USAGE_SCHEME_RAW,
+                                                               CONFIG_CHIP_CRYPTO_PSA_DAC_PRIV_KEY_KMU_SLOT_ID));
+            VerifyOrReturnError(cracen_import_key(&attributes, reinterpret_cast<uint8_t *>(mFactoryData.dac_priv_key.data),
+                                                  kDACPrivateKeyLength, opaque_buffer, sizeof(opaque_buffer), &outlen,
+                                                  &key_bits) == PSA_SUCCESS,
+                                CHIP_ERROR_INTERNAL);
+
+#endif
 #else
             psa_set_key_lifetime(&attributes, PSA_KEY_LIFETIME_VOLATILE);
-#endif
-            psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_MESSAGE);
-
             VerifyOrReturnError(psa_import_key(&attributes, reinterpret_cast<uint8_t *>(mFactoryData.dac_priv_key.data),
                                                kDACPrivateKeyLength, &mDACPrivKeyId) == PSA_SUCCESS,
                                 CHIP_ERROR_INTERNAL);
+#endif // CONFIG_CHIP_CRYPTO_PSA_MIGRATE_DAC_PRIV_KEY
         }
 
 #ifdef CONFIG_CHIP_CRYPTO_PSA_MIGRATE_DAC_PRIV_KEY
@@ -275,8 +302,14 @@ CHIP_ERROR FactoryDataProvider<FlashFactoryData>::SignWithDeviceAttestationKey(c
 
 #ifdef CONFIG_CHIP_CRYPTO_PSA
     size_t outputLen = 0;
+#if defined(CONFIG_CHIP_CRYPTO_PSA_DAC_PRIV_KEY_ITS)
+    psa_key_id_t keyId = mDACPrivKeyId;
+#elif defined(CONFIG_CHIP_CRYPTO_PSA_DAC_PRIV_KEY_KMU)
+    psa_key_id_t keyId = static_cast<psa_key_id_t>(
+        PSA_KEY_HANDLE_FROM_CRACEN_KMU_SLOT(CRACEN_KMU_KEY_USAGE_SCHEME_RAW, CONFIG_CHIP_CRYPTO_PSA_DAC_PRIV_KEY_KMU_SLOT_ID));
+#endif
 
-    psa_status_t err = psa_sign_message(mDACPrivKeyId, PSA_ALG_ECDSA(PSA_ALG_SHA_256), messageToSign.data(), messageToSign.size(),
+    psa_status_t err = psa_sign_message(keyId, PSA_ALG_ECDSA(PSA_ALG_SHA_256), messageToSign.data(), messageToSign.size(),
                                         signature.Bytes(), signature.Capacity(), &outputLen);
 
     VerifyOrReturnError(!err, CHIP_ERROR_INTERNAL);
