Moving NXP HSM integration code to platform folder (project-chip#27130)

* moved se050 integration code to platform folder. Also code cleanup of HSM class references

* updated simw build config file

* updated simw repo commit id

* removed duplicate files for example

* CHIPCryptoPALTest build fix

* removed hsm include

* build fix

* disabled k32 with se050 build

* removed k32 build with se050

* disabled k32 build with se050

* disabled k32 build with se050

* disabled k32 build with se050

* reverting the change

* removed se050 dependency from k32 gn file

* removed se050 dependency from k32 gn file

* removed chip_with_se05x option from gn file

* restyled

* restyled

* removed varargs in log messages

Author: sujaygkulkarni-nxp

.github/workflows/examples-k32w.yaml

@@ -86,7 +86,6 @@ jobs:
               run: |
                   scripts/run_in_build_env.sh "\
                       ./scripts/build/build_examples.py \
-                      --target k32w-light-no-ble-se05x \
                       --target k32w-light-crypto-platform-tokenizer \
                       --target k32w-lock-crypto-platform-tokenizer \
                       --target k32w-lock-crypto-platform-low-power-nologs \

examples/contact-sensor-app/nxp/k32w/k32w0/BUILD.gn

@@ -57,10 +57,6 @@ k32w0_sdk("sdk") {
     "${k32w0_platform_dir}/common",
   ]
 
-  if (chip_with_se05x == 1) {
-    include_dirs += [ "${chip_root}/examples/platform/nxp/se05x" ]
-  }
-
   defines = []
   if (is_debug) {
     defines += [ "BUILD_RELEASE=0" ]

examples/lighting-app/nxp/k32w/k32w0/BUILD.gn

@@ -57,10 +57,6 @@ k32w0_sdk("sdk") {
     "${k32w0_platform_dir}/common",
   ]
 
-  if (chip_with_se05x == 1) {
-    include_dirs += [ "${chip_root}/examples/platform/nxp/se05x" ]
-  }
-
   defines = []
   if (is_debug) {
     defines += [ "BUILD_RELEASE=0" ]

examples/lock-app/nxp/k32w/k32w0/BUILD.gn

@@ -57,10 +57,6 @@ k32w0_sdk("sdk") {
     "${k32w0_platform_dir}/common",
   ]
 
-  if (chip_with_se05x == 1) {
-    include_dirs += [ "${chip_root}/examples/platform/nxp/se05x" ]
-  }
-
   defines = []
   if (is_debug) {
     defines += [ "BUILD_RELEASE=0" ]
@@ -111,7 +107,6 @@ k32w0_executable("lock_app") {
     "${chip_root}/src/lib",
     "${chip_root}/src/platform:syscalls_stub",
     "${chip_root}/third_party/mbedtls:mbedtls",
-    "${chip_root}/third_party/simw-top-mini:se05x",
     "${k32w0_platform_dir}/app/support:freertos_mbedtls_utils",
   ]
 

examples/platform/nxp/se05x/DeviceAttestationSe05xCredsExample.cpp

@@ -16,20 +16,13 @@
  */
 #include "DeviceAttestationSe05xCredsExample.h"
 
+#include <CHIPCryptoPAL_se05x.h>
 #include <credentials/examples/ExampleDACs.h>
 #include <credentials/examples/ExamplePAI.h>
 #include <crypto/CHIPCryptoPAL.h>
 #include <lib/core/CHIPError.h>
 #include <lib/support/Span.h>
 
-#if CHIP_CRYPTO_HSM
-#include <crypto/hsm/CHIPCryptoPALHsm.h>
-#endif
-
-#ifdef ENABLE_HSM_DEVICE_ATTESTATION
-
-#include <crypto/hsm/nxp/CHIPCryptoPALHsm_SE05X_utils.h>
-
 /* Device attestation key ids */
 #define DEV_ATTESTATION_KEY_SE05X_ID 0x7D300000
 #define DEV_ATTESTATION_CERT_SE05X_ID 0x7D300001
@@ -135,17 +128,32 @@ CHIP_ERROR ExampleSe05xDACProvider::SignWithDeviceAttestationKey(const ByteSpan
                                                                  MutableByteSpan & out_signature_buffer)
 {
     Crypto::P256ECDSASignature signature;
-    Crypto::P256KeypairHSM keypair;
+    Crypto::P256Keypair keypair;
+    Crypto::P256SerializedKeypair serialized_keypair;
+    uint8_t magic_bytes[] = NXP_CRYPTO_KEY_MAGIC;
 
     ChipLogDetail(Crypto, "Sign using DA key from se05x");
 
     VerifyOrReturnError(IsSpanUsable(out_signature_buffer), CHIP_ERROR_INVALID_ARGUMENT);
     VerifyOrReturnError(IsSpanUsable(message_to_sign), CHIP_ERROR_INVALID_ARGUMENT);
     VerifyOrReturnError(out_signature_buffer.size() >= signature.Capacity(), CHIP_ERROR_BUFFER_TOO_SMALL);
 
-    keypair.SetKeyId(DEV_ATTESTATION_KEY_SE05X_ID);
-    keypair.provisioned_key = true;
-    keypair.Initialize(Crypto::ECPKeyTarget::ECDSA);
+    // Add public key + reference private key (ref to key inside SE)
+
+    serialized_keypair.SetLength(Crypto::kP256_PublicKey_Length + Crypto::kP256_PrivateKey_Length);
+
+    memset(serialized_keypair.Bytes(), 0, Crypto::kP256_PublicKey_Length);
+    memcpy(serialized_keypair.Bytes() + Crypto::kP256_PublicKey_Length, magic_bytes, sizeof(magic_bytes));
+    *(serialized_keypair.Bytes() + Crypto::kP256_PublicKey_Length + sizeof(magic_bytes) + 0) =
+        (DEV_ATTESTATION_KEY_SE05X_ID & 0xFF000000) >> (8 * 3);
+    *(serialized_keypair.Bytes() + Crypto::kP256_PublicKey_Length + sizeof(magic_bytes) + 1) =
+        (DEV_ATTESTATION_KEY_SE05X_ID & 0x00FF0000) >> (8 * 2);
+    *(serialized_keypair.Bytes() + Crypto::kP256_PublicKey_Length + sizeof(magic_bytes) + 2) =
+        (DEV_ATTESTATION_KEY_SE05X_ID & 0x0000FF00) >> (8 * 1);
+    *(serialized_keypair.Bytes() + Crypto::kP256_PublicKey_Length + sizeof(magic_bytes) + 3) =
+        (DEV_ATTESTATION_KEY_SE05X_ID & 0x000000FF) >> (8 * 0);
+
+    ReturnErrorOnFailure(keypair.Deserialize(serialized_keypair));
 
     ReturnErrorOnFailure(keypair.ECDSA_sign_msg(message_to_sign.data(), message_to_sign.size(), signature));
 
@@ -164,5 +172,3 @@ DeviceAttestationCredentialsProvider * GetExampleSe05xDACProvider()
 } // namespace Examples
 } // namespace Credentials
 } // namespace chip
-
-#endif //#ifdef ENABLE_HSM_DEVICE_ATTESTATION

examples/platform/nxp/se05x/DeviceAttestationSe05xCredsExample_v2.cpp

@@ -14,26 +14,20 @@
  *    See the License for the specific language governing permissions and
  *    limitations under the License.
  */
+
 #include "DeviceAttestationSe05xCredsExample.h"
 
+#include <CHIPCryptoPAL_se05x.h>
 #include <credentials/examples/ExampleDACs.h>
 #include <credentials/examples/ExamplePAI.h>
 #include <crypto/CHIPCryptoPAL.h>
 #include <lib/core/CHIPError.h>
 #include <lib/core/TLV.h>
 #include <lib/core/TLVTags.h>
 #include <lib/core/TLVTypes.h>
-#include <lib/core/TLVUtilities.hpp>
+#include <lib/core/TLVUtilities.h>
 #include <lib/support/Span.h>
 
-#if CHIP_CRYPTO_HSM
-#include <crypto/hsm/CHIPCryptoPALHsm.h>
-#endif
-
-#ifdef ENABLE_HSM_DEVICE_ATTESTATION
-
-#include <crypto/hsm/nxp/CHIPCryptoPALHsm_SE05X_utils.h>
-
 /* Device attestation key ids */
 #define DEV_ATTESTATION_KEY_SE05X_ID 0x7D300000
 #define DEV_ATTESTATION_CERT_SE05X_ID 0x7D300001
@@ -279,5 +273,3 @@ DeviceAttestationCredentialsProvider * GetExampleSe05xDACProviderv2()
 } // namespace Examples
 } // namespace Credentials
 } // namespace chip
-
-#endif // #ifdef ENABLE_HSM_DEVICE_ATTESTATION

examples/platform/nxp/se05x/linux/AppMain.cpp

@@ -77,12 +77,8 @@
 #include "AppMain.h"
 #include "CommissionableInit.h"
 
-#if CHIP_CRYPTO_HSM
 #include "DeviceAttestationSe05xCredsExample.h"
-#include "se05x_t4t_utils.h"
-#include <crypto/hsm/CHIPCryptoPALHsm.h>
-#include <crypto/hsm/nxp/PersistentStorageOperationalKeystoreHSM.h>
-#endif
+#include <CHIPCryptoPALHsm_se05x_config.h>
 
 using namespace chip;
 using namespace chip::ArgParser;
@@ -289,95 +285,10 @@ int ChipLinuxAppInit(int argc, char * const argv[], OptionSet * customOptions)
     return 0;
 }
 
-#ifdef ENABLE_HSM_EC_KEY
-
-struct CommonCaseDeviceServerInitParams_Se05x : public CommonCaseDeviceServerInitParams
-{
-    CHIP_ERROR InitializeStaticResourcesBeforeServerInit()
-    {
-        static chip::KvsPersistentStorageDelegate sKvsPersistenStorageDelegate;
-        static chip::PersistentStorageOperationalKeystoreHSM sPersistentStorageOperationalKeystore;
-        static chip::Credentials::PersistentStorageOpCertStore sPersistentStorageOpCertStore;
-        static chip::Credentials::GroupDataProviderImpl sGroupDataProvider;
-        static Credentials::IgnoreCertificateValidityPeriodPolicy sDefaultCertValidityPolicy;
-        static chip::Crypto::DefaultSessionKeystore sSessionKeystore;
-
-#if CHIP_CONFIG_ENABLE_SESSION_RESUMPTION
-        static chip::SimpleSessionResumptionStorage sSessionResumptionStorage;
-#endif
-        static chip::app::DefaultAclStorage sAclStorage;
-
-        // KVS-based persistent storage delegate injection
-        if (persistentStorageDelegate == nullptr)
-        {
-            chip::DeviceLayer::PersistedStorage::KeyValueStoreManager & kvsManager =
-                DeviceLayer::PersistedStorage::KeyValueStoreMgr();
-            ReturnErrorOnFailure(sKvsPersistenStorageDelegate.Init(&kvsManager));
-            this->persistentStorageDelegate = &sKvsPersistenStorageDelegate;
-        }
-
-        // PersistentStorageDelegate "software-based" operational key access injection
-        if (this->operationalKeystore == nullptr)
-        {
-            // WARNING: PersistentStorageOperationalKeystore::Finish() is never called. It's fine for
-            //          for examples and for now.
-            ReturnErrorOnFailure(sPersistentStorageOperationalKeystore.Init(this->persistentStorageDelegate));
-            this->operationalKeystore = &sPersistentStorageOperationalKeystore;
-        }
-
-        // OpCertStore can be injected but default to persistent storage default
-        // for simplicity of the examples.
-        if (this->opCertStore == nullptr)
-        {
-            // WARNING: PersistentStorageOpCertStore::Finish() is never called. It's fine for
-            //          for examples and for now, since all storage is immediate for that impl.
-            ReturnErrorOnFailure(sPersistentStorageOpCertStore.Init(this->persistentStorageDelegate));
-            this->opCertStore = &sPersistentStorageOpCertStore;
-        }
-
-        // Session Keystore injection
-        this->sessionKeystore = &sSessionKeystore;
-
-        // Group Data provider injection
-        sGroupDataProvider.SetStorageDelegate(this->persistentStorageDelegate);
-        sGroupDataProvider.SetSessionKeystore(this->sessionKeystore);
-        ReturnErrorOnFailure(sGroupDataProvider.Init());
-        this->groupDataProvider = &sGroupDataProvider;
-
-#if CHIP_CONFIG_ENABLE_SESSION_RESUMPTION
-        ReturnErrorOnFailure(sSessionResumptionStorage.Init(this->persistentStorageDelegate));
-        this->sessionResumptionStorage = &sSessionResumptionStorage;
-#else
-        this->sessionResumptionStorage = nullptr;
-#endif
-
-        // Inject access control delegate
-        this->accessDelegate = Access::Examples::GetAccessControlDelegate();
-
-        // Inject ACL storage. (Don't initialize it.)
-        this->aclStorage = &sAclStorage;
-
-        // Inject certificate validation policy compatible with non-wall-clock-time-synced
-        // embedded systems.
-        this->certificateValidityPolicy = &sDefaultCertValidityPolicy;
-
-        return CHIP_NO_ERROR;
-    }
-};
-
-#endif
-
 void ChipLinuxAppMainLoop(AppMainLoopImplementation * impl)
 {
-#ifdef ENABLE_HSM_EC_KEY
-    static CommonCaseDeviceServerInitParams_Se05x initParams;
-#else
     static chip::CommonCaseDeviceServerInitParams initParams;
-#endif
 
-#if CHIP_CRYPTO_HSM
-    VerifyOrDie(se05x_enable_contactless_interface() == 0);
-#endif
     VerifyOrDie(initParams.InitializeStaticResourcesBeforeServerInit() == CHIP_NO_ERROR);
 
 #if defined(ENABLE_CHIP_SHELL)
@@ -423,7 +334,7 @@ void ChipLinuxAppMainLoop(AppMainLoopImplementation * impl)
     PrintOnboardingCodes(LinuxDeviceOptions::GetInstance().payload);
 
     // Initialize device attestation config
-#ifdef ENABLE_HSM_DEVICE_ATTESTATION
+#if ENABLE_SE05X_DEVICE_ATTESTATION
     SetDeviceAttestationCredentialsProvider(Examples::GetExampleSe05xDACProvider());
 #else
     SetDeviceAttestationCredentialsProvider(LinuxDeviceOptions::GetInstance().dacProvider);

examples/platform/nxp/se05x/linux/BUILD.gn

@@ -59,6 +59,7 @@ source_set("app-main") {
   include_dirs = [
     "${chip_root}/examples/platform/linux",
     "${chip_root}/examples/platform/nxp/se05x",
+    "${chip_root}/src/platform/nxp/crypto/se05x",
   ]
 
   defines = []

examples/shell/nxp/k32w/k32w0/BUILD.gn

@@ -69,7 +69,6 @@ k32w0_executable("shell_app") {
     "${chip_root}/examples/shell/shell_common:shell_common",
     "${chip_root}/src/platform:syscalls_stub",
     "${chip_root}/third_party/mbedtls:mbedtls",
-    "${chip_root}/third_party/simw-top-mini:se05x",
     "${k32w0_platform_dir}/app/support:freertos_mbedtls_utils",
   ]
 

examples/thermostat/nxp/linux-se05x/BUILD.gn

@@ -14,19 +14,35 @@
 
 import("//build_overrides/build.gni")
 import("//build_overrides/chip.gni")
+import("${chip_root}/src/platform/nxp/crypto/nxp_crypto.gni")
 
-executable("thermostat-se05x-app") {
-  sources = [ "${chip_root}/examples/thermostat/linux/main.cpp" ]
-
+executable("thermostat-app") {
+  sources = [
+    "../../linux/include/low-power/LowPowerManager.cpp",
+    "../../linux/include/low-power/LowPowerManager.h",
+    "../../linux/main.cpp",
+  ]
   include_dirs = [ "${chip_root}/examples/platform/linux" ]
 
   deps = [
-    "${chip_root}/examples/platform/nxp/se05x/linux:app-main",
+    "${chip_root}/examples/platform/nxp/${nxp_crypto_impl}/linux:app-main",
     "${chip_root}/examples/thermostat/thermostat-common",
     "${chip_root}/src/lib",
   ]
 
   cflags = [ "-Wconversion" ]
 
   output_dir = root_out_dir
+
+  deps += [
+    "${chip_root}/src/platform/nxp/crypto/${nxp_crypto_impl}:nxp_crypto_lib",
+  ]
+}
+
+group("linux") {
+  deps = [ ":thermostat-app" ]
+}
+
+group("default") {
+  deps = [ ":linux" ]
 }

examples/thermostat/nxp/linux-se05x/args.gni

@@ -13,5 +13,8 @@
 # limitations under the License.
 
 import("//build_overrides/chip.gni")
+
 import("${chip_root}/config/standalone/args.gni")
-chip_with_se05x = 1
+
+# Include to define nxp_crypto_impl
+import("${chip_root}/src/platform/nxp/crypto/se05x/args.gni")

src/crypto/BUILD.gn

@@ -55,14 +55,6 @@ buildconfig_header("crypto_buildconfig") {
     "CHIP_CRYPTO_BORINGSSL=${chip_crypto_boringssl}",
     "CHIP_CRYPTO_PLATFORM=${chip_crypto_platform}",
   ]
-
-  if (chip_with_se05x == 1) {
-    defines += [ "CHIP_CRYPTO_HSM=1" ]
-    defines += [ "CHIP_CRYPTO_HSM_NXP=1" ]
-  } else {
-    defines += [ "CHIP_CRYPTO_HSM=0" ]
-    defines += [ "CHIP_CRYPTO_HSM_NXP=0" ]
-  }
 }
 
 source_set("public_headers") {
@@ -177,19 +169,4 @@ static_library("crypto") {
   } else {
     assert(false, "Invalid CHIP crypto")
   }
-
-  if (chip_with_se05x == 1) {
-    sources += [
-      "hsm/nxp/CHIPCryptoPALHsm_SE05X_HKDF.cpp",
-      "hsm/nxp/CHIPCryptoPALHsm_SE05X_HMAC.cpp",
-      "hsm/nxp/CHIPCryptoPALHsm_SE05X_P256.cpp",
-      "hsm/nxp/CHIPCryptoPALHsm_SE05X_PBKDF.cpp",
-      "hsm/nxp/CHIPCryptoPALHsm_SE05X_Spake2p.cpp",
-      "hsm/nxp/CHIPCryptoPALHsm_SE05X_utils.cpp",
-      "hsm/nxp/PersistentStorageOperationalKeystoreHSM.cpp",
-      "hsm/nxp/PersistentStorageOperationalKeystoreHSM.h",
-    ]
-    public_deps += [ "${chip_root}/third_party/simw-top-mini:se05x" ]
-    public_configs += [ "${chip_root}/third_party/simw-top-mini:se05x_config" ]
-  }
 }