Pull request project-chip#1728: Adds PSA crypto support for SiWx917 SoC

Merge in WMN_TOOLS/matter from feature/MATTER-2073_adds-psa-crypto-support to RC_2.3.0-1.3

Squashed commit of the following:

commit 4824f1918311f770067fa487916ad4c895ed72a7
Author: Rohan Sahay <rohan.sahay@silabs.com>
Date:   Tue Apr 16 21:35:08 2024 +0530

    Update crypto flavor variable names in SiWx917 platform code

commit 9c2f2681c79203993e2a8ce26f24ea3d364fd018
Merge: c4ee4e0f48 aa13c6e
Author: Rohan Sahay <rohan.sahay@silabs.com>
Date:   Sun Apr 14 23:14:03 2024 +0530

    Merge remote-tracking branch 'origin/RC_2.3.0-1.3' into feature/MATTER-2073_adds-psa-crypto-support

commit c4ee4e0f48615dcc31a098619be58bd2f1a52b26
Author: Rohan Sahay <rohan.sahay@silabs.com>
Date:   Sun Apr 14 23:12:28 2024 +0530

    Update crypto flavor variable names in SiWx917 platform code

... and 15 more commits

Author: rosahay-silabs

examples/platform/silabs/provision/AttestationKeyPSA.cpp

@@ -8,6 +8,10 @@
 #include <stdio.h>
 #include <string.h>
 
+#ifdef SLI_SI91X_MCU_INTERFACE
+#include "sl_si91x_psa_wrap.h"
+#endif
+
 namespace chip {
 namespace DeviceLayer {
 namespace Silabs {
@@ -32,7 +36,6 @@ int destroyKey(uint32_t kid)
     return err;
 }
 
-
 int generateKey(uint32_t kid)
 {
     destroyKey(kid);
@@ -45,28 +48,35 @@ int generateKey(uint32_t kid)
     psa_set_key_algorithm(&attr, PSA_ALG_ECDSA(PSA_ALG_SHA_256));
     psa_set_key_usage_flags(
         &attr, PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE);
+#ifdef SLI_SI91X_MCU_INTERFACE
+    psa_set_key_lifetime(
+        &attr, PSA_KEY_LIFETIME_FROM_PERSISTENCE_AND_LOCATION(PSA_KEY_LIFETIME_PERSISTENT, PSA_KEY_VOLATILE_PERSISTENT_WRAPPED));
+#else
     psa_set_key_lifetime(
         &attr, PSA_KEY_LIFETIME_FROM_PERSISTENCE_AND_LOCATION(PSA_KEY_LIFETIME_PERSISTENT, sl_psa_get_most_secure_key_location()));
-
+#endif
     psa_key_id_t id = 0;
     psa_status_t err = psa_generate_key(&attr, &id);
     return err;
 }
 
-
 int importKey(uint32_t kid, const uint8_t * value, size_t size)
 {
     destroyKey(kid);
-
     psa_key_attributes_t attr = psa_key_attributes_init();
     psa_set_key_id(&attr, kid);
     psa_set_key_type(&attr, PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1));
     psa_set_key_bits(&attr, 256);
     psa_set_key_algorithm(&attr, PSA_ALG_ECDSA(PSA_ALG_SHA_256));
     psa_set_key_usage_flags(
         &attr, PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE);
+#ifdef SLI_SI91X_MCU_INTERFACE
+    psa_set_key_lifetime(
+        &attr, PSA_KEY_LIFETIME_FROM_PERSISTENCE_AND_LOCATION(PSA_KEY_LIFETIME_PERSISTENT, PSA_KEY_VOLATILE_PERSISTENT_WRAPPED));
+#else
     psa_set_key_lifetime(
         &attr, PSA_KEY_LIFETIME_FROM_PERSISTENCE_AND_LOCATION(PSA_KEY_LIFETIME_PERSISTENT, sl_psa_get_most_secure_key_location()));
+#endif
 
     psa_key_id_t id = 0;
     psa_status_t err = psa_import_key(&attr, value, size, &id);

examples/platform/silabs/provision/BUILD.gn

@@ -14,11 +14,11 @@
 
 import("//build_overrides/chip.gni")
 import("//build_overrides/efr32_sdk.gni")
+import("${efr32_sdk_build_root}/SiWx917_sdk.gni")
 import("${efr32_sdk_build_root}/silabs_board.gni")
 
 silabs_common_plat_dir = "${chip_root}/examples/platform/silabs"
 
-
 config("provision-config") {
   include_dirs = [ "${chip_root}" ]
 
@@ -28,19 +28,18 @@ config("provision-config") {
   }
 }
 
-
 source_set("provision-common") {
   sources = [
     "${silabs_common_plat_dir}/provision/AttestationKey.h",
     "${silabs_common_plat_dir}/provision/ProvisionChannel.h",
-    "${silabs_common_plat_dir}/provision/ProvisionEncoder.h",
     "${silabs_common_plat_dir}/provision/ProvisionEncoder.cpp",
-    "${silabs_common_plat_dir}/provision/ProvisionManager.h",
+    "${silabs_common_plat_dir}/provision/ProvisionEncoder.h",
     "${silabs_common_plat_dir}/provision/ProvisionManager.cpp",
+    "${silabs_common_plat_dir}/provision/ProvisionManager.h",
     "${silabs_common_plat_dir}/provision/ProvisionProtocol.h",
     "${silabs_common_plat_dir}/provision/ProvisionProtocolV2.cpp",
-    "${silabs_common_plat_dir}/provision/ProvisionStorage.h",
     "${silabs_common_plat_dir}/provision/ProvisionStorage.cpp",
+    "${silabs_common_plat_dir}/provision/ProvisionStorage.h",
     "${silabs_common_plat_dir}/provision/ProvisionStorageCustom.cpp",
   ]
 
@@ -53,9 +52,7 @@ source_set("provision-common") {
   public_configs = [ ":provision-config" ]
 }
 
-
 source_set("provision-flash-only") {
-
   sources = [
     "${silabs_common_plat_dir}/provision/AttestationKeyMbed.cpp",
     "${silabs_common_plat_dir}/provision/ProvisionStorageFlash.cpp",
@@ -64,9 +61,7 @@ source_set("provision-flash-only") {
   public_deps = [ ":provision-common" ]
 }
 
-
 static_library("provision-efr32") {
-
   sources = [
     "${silabs_common_plat_dir}/provision/AttestationKeyPSA.cpp",
     "${silabs_common_plat_dir}/provision/ProvisionChannelEFR32BLE.cpp",
@@ -76,14 +71,19 @@ static_library("provision-efr32") {
   public_deps = [ ":provision-common" ]
 }
 
-
 static_library("provision-siwx917") {
-
   sources = [
-    "${silabs_common_plat_dir}/provision/AttestationKeyMbed.cpp",
     "${silabs_common_plat_dir}/provision/ProvisionChannelSi917BLE.cpp",
     "${silabs_common_plat_dir}/provision/ProvisionStorageDefault.cpp",
   ]
 
+  if (sl_si91x_crypto_flavor == "tinycrypt") {
+    sources += [ "${silabs_common_plat_dir}/provision/AttestationKeyMbed.cpp" ]
+  }
+
+  if (sl_si91x_crypto_flavor == "psa") {
+    sources += [ "${silabs_common_plat_dir}/provision/AttestationKeyPSA.cpp" ]
+  }
+
   public_deps = [ ":provision-common" ]
-}
+}

examples/platform/silabs/provision/ProvisionStorageDefault.cpp

@@ -511,7 +511,8 @@ CHIP_ERROR Storage::GetDeviceAttestationCert(MutableByteSpan & value)
     return err;
 }
 
-#ifdef SLI_SI91X_MCU_INTERFACE
+#if defined(SLI_SI91X_MCU_INTERFACE) && defined(SL_MBEDTLS_USE_TINYCRYPT)
+
 CHIP_ERROR Storage::SetDeviceAttestationKey(const ByteSpan & value)
 {
     return SilabsConfig::WriteConfigValueBin(SilabsConfig::kConfigKey_Creds_KeyId, value.data(), value.size());
@@ -545,7 +546,7 @@ CHIP_ERROR Storage::SignWithDeviceAttestationKey(const ByteSpan & message, Mutab
         return Examples::GetExampleDACProvider()->SignWithDeviceAttestationKey(message, signature);
 #else
         return CHIP_ERROR_NOT_FOUND;
-#endif
+#endif // CHIP_DEVICE_CONFIG_ENABLE_EXAMPLE_CREDENTIALS
     }
 }
 
@@ -569,7 +570,7 @@ CHIP_ERROR Storage::SignWithDeviceAttestationKey(const ByteSpan & message, Mutab
 {
     CHIP_ERROR err = CHIP_ERROR_NOT_FOUND;
     uint32_t kid = 0;
-
+  
     if (SilabsConfig::ConfigValueExists(SilabsConfig::kConfigKey_Creds_KeyId))
     {
         ReturnErrorOnFailure(SilabsConfig::ReadConfigValue(SilabsConfig::kConfigKey_Creds_KeyId, kid));
@@ -658,4 +659,4 @@ void MigrateDacProvider(void)
 
 } // namespace Silabs
 } // namespace DeviceLayer
-} // namespace chip
+} // namespace chip

src/platform/silabs/SiWx917/BUILD.gn

@@ -18,11 +18,14 @@ import("${chip_root}/src/platform/device.gni")
 
 import("${chip_root}/build/chip/buildconfig_header.gni")
 import("${chip_root}/src/crypto/crypto.gni")
+import("${chip_root}/src/platform/silabs/wifi_args.gni")
+import("${chip_root}/third_party/silabs/SiWx917_sdk.gni")
 import("${chip_root}/third_party/silabs/silabs_board.gni")
 
 silabs_platform_dir = "${chip_root}/src/platform/silabs"
 
 assert(chip_device_platform == "SiWx917")
+
 if (chip_crypto == "platform") {
   import("//build_overrides/mbedtls.gni")
 }
@@ -81,7 +84,14 @@ static_library("SiWx917") {
 
   # Add platform crypto implementation
   if (chip_crypto == "platform") {
-    sources += [ "CHIPCryptoPALTinyCrypt.cpp" ]
+    if (sl_si91x_crypto_flavor == "tinycrypt") {
+      sources += [ "CHIPCryptoPALTinyCrypt.cpp" ]
+    }
+
+    if (sl_si91x_crypto_flavor == "psa") {
+      sources += [ "${silabs_platform_dir}/efr32/CHIPCryptoPALPsaEfr32.cpp" ]
+    }
+
     public_deps += [
       "${chip_root}/src/crypto",
       "${mbedtls_root}:mbedtls",