- When a device is pre-provisioned, the PKI credentials are generated for the device and stored in a partition named esp_secure_cert.
- In the Matter Pre-Provisioning service, the Matter DAC certificate is pre-flashed in esp_secure_cert partition.
- The ESP32SecureCertDACProvider reads the PKI credentials from esp_secure_cert_partition.
- The DAC,PAI and private key are read from the esp_secure_cert_partition, but the certificate declaration is read from the factory data partition. Therefore, we need to also generate a factory partition besides esp_secure_cert_partition.
- The esp_secure_cert partition can be generated on host with help of configure_esp_secure_cert.py utility.
- The use of esp_secure_cert_partition is demonstrated in lighting-app.
To generate the esp_secure_cert_partition and the factory_data_partition, we need the DAC and PAI certificate as well as the private key(DAC key) in .der format. The factory_data_provider in addition requires the certificate declaration in .der format. The generation of the required certificates and keys is mentioned in the steps given below.
Run the commands below:
cd path/to/connectedhomeip
source scripts/activate.sh
gn gen out/host
ninja -C out/host chip-cert
cd out/host
At /path/to/connectedhomeip/out/host run the below commands.
./chip-cert gen-cd -K ../../credentials/test/certification-declaration/Chip-Test-CD-Signing-Key.pem -C ../../credentials/test/certification-declaration/Chip-Test-CD-Signing-Cert.pem -O esp_dac_fff1_8000.der -f 1 -V 0xfff1 -p 0x8000 -d 0x0016 -c "CSA00000SWC00000-01" -l 0 -i 0 -n 1 -t 0
./chip-cert gen-att-cert -t i -c "ESP TEST PAI" -V 0xfff1 -P 0x8000 -C ../../credentials/development/attestation/Chip-Development-PAA-Cert.pem -K ../../credentials/development/attestation/Chip-Development-PAA-Key.pem -o Esp-Development-PAI-Cert.pem -O Esp-Development-PAI-Key.pem -l 4294967295
./chip-cert gen-att-cert -t d -c "ESP TEST DAC 01" -V 0xfff1 -P 0x8000 -C Esp-Development-PAI-Cert.pem -K Esp-Development-PAI-Key.pem -o Esp-Development-DAC-01.pem -O Esp-Development-DAC-Key-01.pem -l 4294967295
- Convert DAC key from .pem to .der format.
openssl ec -in Esp-Development-DAC-Key-01.pem -out Esp-Development-DAC-Key-01.der -inform pem -outform der
- Convert DAC and PAI cert from .pem to .der format
openssl x509 -in Esp-Development-DAC-01.pem -out Esp-Development-DAC-01.der-inform pem -outform der
openssl x509 -in Esp-Development-PAI-Cert.pem -out Esp-Development-PAI-Cert.der -inform pem -outform der
The certificates in the steps 1.2 will be generated at /path/to/connectedhomeip/out/host.For steps 1.3 and 1.4 go to connectedhomeip/scripts/tools , set IDF_PATH.
To generate the esp_secure_cert_partition install esp-secure-cert-tool using
pip install esp-secure-cert-tool
Example command to generate a esp_secure_cert_partition
configure_esp_secure_cert.py --private-key path/to/dac-key \
--device-cert path/to/dac-cert \
--ca-cert path/to/pai-cert \
--target_chip esp32c3 \
--port /dev/ttyUSB0 -- skip_flash
Refer https://github.com/espressif/esp_secure_cert_mgr/tree/main/tools#generate-esp_secure_cert-partition for more help.
Example command to generate a factory_data_partition
./generate_esp32_chip_factory_bin.py -d 3434 -p 99663300 \
--product-name ESP-lighting-app --product-id 0x8000 \
--vendor-name Test-vendor --vendor-id 0xFFF1 \
--hw-ver 1 --hw-ver-str DevKit \
--dac-cert path/to/dac-cert \
--dac-key path/to/dac-key \
--pai-cert path/to/pai-cert \
--cd path/to/certificate-declaration
Refer https://github.com/project-chip/connectedhomeip/blob/master/docs/guides/esp32/factory_data.md#generate-nvs-binary-image to generate a factory_data_partition.
# Disable the DS Peripheral support
CONFIG_ESP_SECURE_CERT_DS_PERIPHERAL=n
# Use DAC Provider implementation which reads attestation data from secure cert partition
CONFIG_SEC_CERT_DAC_PROVIDER=y
# Enable some options which reads CD and other basic info from the factory partition
CONFIG_ENABLE_ESP32_FACTORY_DATA_PROVIDER=y
CONFIG_ENABLE_ESP32_DEVICE_INSTANCE_INFO_PROVIDER=y
CONFIG_CHIP_FACTORY_NAMESPACE_PARTITION_LABEL="fctry"
In order to use the esp_secure_cert_partition, in addition to enabling the above config options, you should also have the esp_secure_cert_partition and factory partition in your app. For reference, refer to partitions.csv file of lighting-app.
idf.py -p (PORT) build flash
The esp_secure_cert partition binary contains device attestation information
and the factory partition binary contains Matter manufacturing specific data.
- Flash
esp_secure_certpartition binary
esptool.py -p (PORT) write_flash 0xd000 path/to/secure_cert_partition.bin
- Flash factory partition binary
esptool.py -p (PORT) write_flash 0x3E0000 path/to/factory_partition.bin
idf.py monitor
Please flash the above mentioned partitions by looking into the addresses in partitions.csv.The above commands are for example purpose.
Run the following command from host to commission the device.
./chip-tool pairing ble-wifi 1234 my_SSID my_PASSPHRASE my_PASSCODE my_DISCRIMINATOR --paa-trust-store-path /path/to/PAA-Certificates/
For example:
./chip-tool pairing ble-wifi 0x7283 my_SSID my_PASSPHRASE 99663300 3434 --paa-trust-store-path /path/to/connectedhomeip/credentials/development/attestation/