Revert "[nxp fromtree] [NXP][rw61x][k32w1] Rework reference apps (project-chip#35172)"

This reverts commit 2237612.

Signed-off-by: marius-alex-tache <marius.tache@nxp.com>

Author: marius-alex-tache

.github/workflows/examples-nxp.yaml

@@ -150,7 +150,7 @@ jobs:
         if: github.actor != 'restyled-io[bot]'
 
         container:
-            image: ghcr.io/project-chip/chip-build-nxp:74
+            image: ghcr.io/project-chip/chip-build-rw61x:66
             volumes:
                 - "/tmp/bloat_reports:/tmp/bloat_reports"
         steps:

docs/guides/nxp/nxp_manufacturing_flow.md

@@ -251,58 +251,24 @@ adding the following gn argument `chip_use_plain_dac_key=true`.
 
 Supported platforms:
 
--   RW61X
-
-there are three implementations for factory data protection
-
--   whole factory data protection with AES encryption ( chip_with_factory_data=1
-    chip_enable_secure_whole_factory_data=true )
-    `examples/platform/nxp/rt/rw61x/factory_data/source/AppFactoryDataExample.cpp`\
-    `src/platform/nxp/rt/rw61x/FactoryDataProviderEncImpl.cpp`
-
--   only dac private key protection ( chip_with_factory_data=1
-    chip_enable_secure_dac_private_key_storage=true )  
-    `examples/platform/nxp/rt/rw61x/factory_data/source/AppFactoryDataExample.cpp`
-    \
-    `src/platform/nxp/rt/rw61x/FactoryDataProviderImpl.cpp`
-
--   whole factory data protection with hard-coded AES key (
-    chip_with_factory_data=1 )
-    `examples/platform/nxp/common/factory_data/source/AppFactoryDataDefaultImpl.cpp`
-    \
-    `src/platform/nxp/common/factory_data/FactoryDataProviderFwkImpl.cpp`
-
-for the first one, the whole factory data is encrypted by an AES-256 key, the
-AES key can be passed through serial link when in factory production mode, and
-will be provisioned into Edge Lock, and the returned AES Key blob (wrapped key)
-can be stored in the end of factory data region in TLV format. for the
-decryption process, the blob is retrieved and provisioned into Edge Lock and the
-whole factory data can be decrypted using the returned key index in Edge Lock.
-Compared with only dac private key protection solution, this solution can avoid
-tampering with the original factory data.
-
-the factory data should be encrypted by an AES-256 key using "--aes256_key"
-option in "generate.py" script file.
-
-it will check whether there is AES key blob in factory data region when in each
-initialization, if not, the default AES key is converted and the result is
-stored into flash, it run only once.
-
-for the second one, it only protect the dac private key inside the factory data,
-the dac private key is retrieved and provisioned into Edge Lock, the returned
-key blob replace the previous dac private key, and also update the overall size
-and hash, and re-write the factory data. when device is doing matter
-commissioning, the blob is retrieved and provisioned into Edge Lock and the
-signing can be done using the returned key index in Edge Lock.
-
-the factory data should be plain text for the first programming. it will check
-whether there is dac private key blob (base on the size of blob, should be 48)
-in factory data when in each initialization, if not, the dac private key is
-converted and the result is stored into flash, it run only once.
-
-for the third one, it is a little similar to the first one, the whole factory
-data is encrypted by an AES key, but there are two differences:
-
--   the AES key is hard-coded and not provisioned into Edge Lock
--   the factory data should be encrypted by AES-128 key using "--aes128_key"
-    option in "generate.py" script file.
+-   RW61X - `src/plaftorm/nxp/rt/rw61x/FactoryDataProviderImpl.h`
+
+For platforms that have a secure subsystem (`SE50`), the DAC private key can be
+converted to an encrypted blob. This blob will overwrite the DAC private key in
+factory data and will be imported in the `SE50` before to sign, by the factory
+data provider instance.
+
+The conversion process shall happen at manufacturing time and should be run one
+time only:
+
+-   Write factory data binary.
+-   Build the application with
+    `chip_with_factory_data=1 chip_convert_dac_private_key=1` set.
+-   Write the application to the board and let it run.
+
+After the conversion process:
+
+-   Make sure the application is built with `chip_with_factory_data=1`, but
+    without `chip_convert_dac_private_key` arg, since conversion already
+    happened.
+-   Write the application to the board.

docs/guides/nxp/nxp_mcxw71_ota_guide.md

@@ -1,4 +1,4 @@
-# NXP `MCXW71/K32W1` OTA guide
+# NXP MCXW71/K32W1 OTA guide
 
 ### Convert `srec` into `sb3` file
 
@@ -49,12 +49,11 @@ an `.sb3` file:
 ```
 
 A note regarding OTA image header version (`-vn` option). An application binary
-has its own software version (given by
-`CHIP_DEVICE_CONFIG_DEVICE_SOFTWARE_VERSION`, which can be overwritten). In
-order to have a correct OTA process, the OTA header version should be the same
-as the binary embedded software version. A user can set a custom software
-version in the gn build args by setting `nxp_software_version` to the wanted
-version.
+has its own software version (given by `CHIP_DEVICE_CONFIG_DEVICE_SOFTWARE_VERSION`,
+which can be overwritten). In order to have a correct OTA process, the OTA header
+version should be the same as the binary embedded software version. A user can set
+a custom software version in the gn build args by setting `nxp_software_version`
+to the wanted version.
 
 ### OTA factory data
 
@@ -99,9 +98,9 @@ using CSA official instructions from
 proposed. Also, CSA official instructions document point to the OS/Docker images
 that should be used on the RPis. For compatibility reasons, we recommand
 compiling chip-tool and OTA Provider applications with the same commit id that
-was used for compiling the reference application. Also, please note that there
-is a single controller (chip-tool) running on Computer #1 which is used for
-commissioning both the device and the OTA Provider Application. If needed,
+was used for compiling the reference application. Also, please note that
+there is a single controller (chip-tool) running on Computer #1 which is used
+for commissioning both the device and the OTA Provider Application. If needed,
 [these instructions](https://itsfoss.com/connect-wifi-terminal-ubuntu/) could be
 used for connecting the RPis to WiFi.
 
@@ -152,9 +151,8 @@ user@computer1:~/connectedhomeip$ : ./out/chip-tool-app/chip-tool otasoftwareupd
     execute `ot-ctl server disable` followed by `ot-ctl server enable`. After
     this step, the commissioning process of the device can start;
 -   Due to some MDNS issues, the commissioning of the OTA Provider Application
-    may fail. Please make sure that the SRP cache is disabled
-    (`ot-ctl srp server disable`) on the openthread border router while
-    commissioning the OTA Provider Application;
+    may fail. Please make sure that the SRP cache is disabled (`ot-ctl srp server disable`)
+    on the openthread border router while commissioning the OTA Provider Application;
 -   No other Docker image should be running (e.g.: Docker image needed by Test
     Harness) except the OTBR one. A docker image can be killed using the
     command:

docs/guides/nxp/nxp_rw61x_ota_software_update.md

@@ -48,9 +48,10 @@ MCUBoot is an open-source secure bootloader used by RW61x to apply the
 self-upgrade. For more details, please refer to the
 [MCUBoot documentation](https://github.com/mcu-tools/mcuboot/blob/main/docs/design.md).
 
-For RW61x platform, the bootloader is configured to use the flash remapping
-mechanism by default, in order to perform the image upgrade. This is achieved by
-using the `MCUBoot DIRECT-XIP` upgrade mode.
+In our use case, the bootloader runs the application residing in the primary
+partition. In order to run the OTA update image, the bootloader will swap the
+content of the primary and the secondary partitions. This type of upgrade is
+called swap-move and is the default upgrade configured by MCUBoot.
 
 ## OTA Software Update process for RW61x example application
 
@@ -85,42 +86,47 @@ J-Link > exec EnableEraseAllFlashBanks
 J-Link > erase 0x8000000, 0x88a0000
 ```
 
--   MCUBoot application can be built with SDK installed, using instructions
-
-    below.
-
--   Retrieve the mcuboot directory with :
+-   Using MCUXPresso, import the `mcuboot_opensource` demo example from the SDK
+    previously downloaded. The example can be found under the `ota_examples`
+    folder.
+    ![mcuboot_demo](../../../examples/platform/nxp/rt/rw61x/doc/images/mcuboot_demo.PNG)
+-   Before building the demo example, it should be specified that the
+    application to be run by the bootloader is monolithic. As a result, only one
+    image will be upgraded by the bootloader. This can be done by defining
+    `MONOLITHIC_APP` as 1 in the settings of the `mcuboot_opensource` project :
 
 ```
-user@ubuntu: cd ~/Desktop/connectedhomeip/third_party/nxp/nxp_matter_support/github_sdk/common_sdk/repo/examples/<rw612 board>/ota_examples/mcuboot_opensource/armgcc
+Right click on the Project -> Properties -> C/C++ Build -> Settings -> Tool Settings -> MCU C Compiler -> Preprocessor -> Add "MONOLITHIC_APP=1" in the Defined Symbols
 ```
 
-`<rw612 board>`: Supported rw612 boards are: `rdrw612bga` or `frdmrw612`
+![rw610_mcuboot_monolithic](../../../examples/platform/nxp/rt/rw61x/doc/images/mcuboot_monolithic_app.PNG)
 
--   Build the mcuboot application :
+-   Build the demo example project.
 
 ```
-user@ubuntu: chmod +x build_flash_release.sh
-user@ubuntu: export ARMGCC_DIR=/opt/gcc-arm-none-eabi-10.3-2021.10   # with ARMGCC_DIR referencing the compiler path
-user@ubuntu: ./build_flash_release.sh
+Right click on the Project -> Build Project
 ```
 
--   Program the generated binary to the target board.
+-   Program the demo example to the target board.
 
 ```
-J-Link > loadbin ~/Desktop/connectedhomeip/third_party/nxp/nxp_matter_support/github_sdk/common_sdk/repo/examples/<rw612 board>/ota_examples/mcuboot_opensource/armgcc/flash_release/mcuboot_opensource.elf
+Right click on the Project -> Debug -> As->SEGGER JLink probes -> OK -> Select elf file
 ```
 
--   If it runs successfully, the following logs will be displayed on the
-    terminal :
+Note : The mcuboot binary is loaded in flash at address 0x8000000.
+
+-   To run the flashed demo, either press the reset button of the device or use
+    the debugger IDE of MCUXpresso. If it runs successfully, the following logs
+    will be displayed on the terminal :
 
 ```
 hello sbl.
-Disabling flash remapping function
-Bootloader Version 2.0.0
-Image 0 Primary slot: Image not found
-Image 0 Secondary slot: Image not found
-No slot to load for image 0
+Bootloader Version 1.9.0
+Primary image: magic=unset, swap_type=0x1, copy_done=0x3, image_ok=0x3
+Secondary image: magic=unset, swap_type=0x1, copy_done=0x3, image_ok=0x3
+Boot source: none
+Swap type: none
+erasing trailer; fa_id=2
 Unable to find bootable image
 ```
 
@@ -129,7 +135,7 @@ partitions to be the size of 4.4 MB. If the size is to be changed, the partition
 addresses should be modified in the flash_partitioning.h accordingly. For more
 information about the flash partitioning with mcuboot, please refer to the
 dedicated readme.txt located in
-"`<matter_repo_root>/third_party/nxp/nxp_matter_support/github_sdk/common_sdk/repo/examples/<rw612 board>/ota_examples/mcuboot_opensource/`".
+"`SDK_RW612/boards/rdrw612bga/ota_examples/mcuboot_opensource/`".
 
 ### Generating and flashing the signed application image
 
@@ -156,15 +162,15 @@ arm-none-eabi-objcopy -R .flash_config -R .NVM -O binary chip-rw61x-all-cluster-
 
 To sign the image and wrap the raw binary of the application with the header and
 trailer, "`imgtool`" is provided in the SDK and can be found in
-"`<matter_repo_root>/third_party/nxp/nxp_matter_support/github_sdk/common_sdk/repo/middleware/mcuboot_opensource/scripts/`".
+"`/middleware/mcuboot_opensource/scripts/`".
 
 The following commands can be run (make sure to replace the /path/to/file/binary
 with the adequate files):
 
 ```
-user@ubuntu: cd ~/Desktop/<matter_repo_root>/third_party/nxp/nxp_matter_support/github_sdk/common_sdk/repo/middleware/mcuboot_opensource/scripts/
+user@ubuntu: cd ~/Desktop/SDK_RW612/middleware/mcuboot_opensource/scripts
 
-user@ubuntu: python3 imgtool.py sign --key ~/Desktop/<matter_repo_root>/third_party/nxp/nxp_matter_support/github_sdk/common_sdk/repo/examples/<rw612 board>/ota_examples/mcuboot_opensource/keys/sign-rsa2048-priv.pem --align 4 --header-size 0x1000 --pad-header --pad --confirm --slot-size 0x440000 --max-sectors 1088 --version "1.0" ~/Desktop/connectedhomeip/examples/all-clusters-app/nxp/rt/rw61x/out/debug/chip-rw61x-all-cluster-example.bin ~/Desktop/connectedhomeip/examples/all-clusters-app/nxp/rt/rw61x/out/debug/chip-rw61x-all-cluster-example_SIGNED.bin
+user@ubuntu: python3 imgtool.py sign --key ~/Desktop/SDK_RW612/boards/rdrw612bga/ota_examples/mcuboot_opensource/keys/sign-rsa2048-priv.pem --align 4 --header-size 0x1000 --pad-header --slot-size 0x440000 --max-sectors 1088 --version "1.0" ~/Desktop/connectedhomeip/examples/all-clusters-app/nxp/rt/rw61x/out/debug/chip-rw61x-all-cluster-example.bin ~/Desktop/connectedhomeip/examples/all-clusters-app/nxp/rt/rw61x/out/debug/chip-rw61x-all-cluster-example_SIGNED.bin
 ```
 
 Notes :
@@ -176,7 +182,7 @@ Notes :
     adjusted accordingly.
 -   In this example, the image is signed with the private key provided by the
     SDK as an example
-    (`<matter_repo_root>/third_party/nxp/nxp_matter_support/github_sdk/common_sdk/repo/examples/<rw612 board>/ota_examples/mcuboot_opensource/keys/sign-rsa2048-priv.pem`),
+    (`SDK_RW612/boards/rdrw612bga/ota_examples/mcuboot_opensource/keys/sign-rsa2048-priv.pem`),
     MCUBoot is built with its corresponding public key which would be used to
     verify the integrity of the image. It is possible to generate a new pair of
     keys using the following commands. This procedure should be done prior to
@@ -195,7 +201,7 @@ user@ubuntu: python3 imgtool.py getpub -k priv_key.pem
 ```
 
 -   The extracted public key can then be copied to the
-    `<matter_repo_root>/third_party/nxp/nxp_matter_support/github_sdk/common_sdk/repo/examples/<rw612 board>/ota_examples/mcuboot_opensource/keys/sign-rsa2048-pub.c`,
+    `SDK_RW612/boards/rdrw612bga/ota_examples/mcuboot_opensource/keys/sign-rsa2048-pub.c`,
     given as a value to the rsa_pub_key[] array.
 
 The resulting output is the signed binary of the application version "1.0".
@@ -215,12 +221,11 @@ application and run it.
 To generate the OTA update image the same procedure can be followed from the
 [Generating and flashing the signed application image](#generating-and-flashing-the-signed-application-image)
 sub-section, replacing the "--version "1.0"" argument with "--version "2.0""
-(recent version of the update), without arguments "--pad" "--confirm" when
-running `imgtool` script during OTA Update Image generation.
+(recent version of the update).
 
 Note : When building the update image, the build arguments
-nxp_software_version=2 nxp_software_version_string=\"2.0\" can be added to the
-gn gen command in order to specify the upgraded version.
+`nxp_software_version=2 nxp_sofware_version_string=\"2.0\"` can be added to the
+`gn gen` command in order to specify the upgraded version.
 
 When the signed binary of the update is generated, the file should be converted
 into OTA format. To do so, the ota_image_tool is provided in the repo and can be

examples/all-clusters-app/nxp/rt/rw61x/BUILD.gn

@@ -57,8 +57,7 @@ rt_sdk("sdk") {
   defines = []
 
   # To be moved, temporary mbedtls config fix to build app with factory data
-  if (chip_enable_secure_dac_private_key_storage ||
-      chip_enable_secure_whole_factory_data) {
+  if (chip_enable_secure_dac_private_key_storage == 1) {
     defines += [
       "MBEDTLS_NIST_KW_C",
       "MBEDTLS_PSA_CRYPTO_CLIENT",
@@ -75,18 +74,10 @@ rt_sdk("sdk") {
   include_dirs += [ "${example_platform_dir}/board/" ]
   sources += [ "${example_platform_dir}/board/pin_mux.c" ]
   sources += [ "${example_platform_dir}/board/hardware_init.c" ]
+  sources += [ "${example_platform_dir}/board/clock_config.c" ]
+  sources += [ "${example_platform_dir}/board/board.c" ]
   sources += [ "${example_platform_dir}/board/peripherals.c" ]
 
-  if (board_version == "frdm") {
-    include_dirs += [ "${example_platform_dir}/board/frdmrw612/" ]
-    sources += [ "${example_platform_dir}/board/frdmrw612/clock_config.c" ]
-    sources += [ "${example_platform_dir}/board/frdmrw612/board.c" ]
-  } else {
-    include_dirs += [ "${example_platform_dir}/board/rdrw612bga/" ]
-    sources += [ "${example_platform_dir}/board/rdrw612bga/clock_config.c" ]
-    sources += [ "${example_platform_dir}/board/rdrw612bga/board.c" ]
-  }
-
   # Indicate the path to CHIPProjectConfig.h
   include_dirs += [ "include/config" ]
 
@@ -98,7 +89,7 @@ rt_sdk("sdk") {
 
   # For matter with BR feature, increase FreeRTOS heap size
   if (chip_enable_wifi && chip_enable_openthread) {
-    defines += [ "configTOTAL_HEAP_SIZE=(size_t)(170 * 1024)" ]
+    defines += [ "configTOTAL_HEAP_SIZE=(size_t)(160 * 1024)" ]
   }
 
   defines += [
@@ -142,12 +133,10 @@ rt_executable("all_cluster_app") {
     "../../common/main/main.cpp",
   ]
 
-  if (chip_enable_secure_dac_private_key_storage ||
-      chip_enable_secure_whole_factory_data) {
-    sources += [ "${chip_root}/examples/platform/nxp/${nxp_platform}/factory_data/source/AppFactoryDataExample.cpp" ]
-    if (chip_enable_secure_whole_factory_data) {
-      defines += [ "ENABLE_SECURE_WHOLE_FACTORY_DATA" ]
-    }
+  if (chip_enable_secure_dac_private_key_storage == 1) {
+    sources += [
+      "${example_platform_dir}/factory_data/source/AppFactoryDataExample.cpp",
+    ]
   } else {
     sources += [
       "${common_example_dir}/factory_data/source/AppFactoryDataDefaultImpl.cpp",