[Infineon] CYW30739 supports using provisioned data from Optiga Trust M. (#33564)

* Update CYW30739 README files.
* Add OptigaFactoryDataProvider class to support using provisioned data
  from Optiga Trust M.
* Add UnprovisionedOptigaFactoryDataProvider class to support updating
  factory data to an unprovisioned Optiga Trust M.

Author: hsusid

examples/light-switch-app/infineon/cyw30739/README.md

@@ -18,6 +18,7 @@ An example showing the use of Matter on the Infineon CYW30739 platform.
         -   [Commissionable Data](#commissionable-data)
         -   [Device Information](#device-information)
         -   [DAC / DAC Key / PAI Certificate / Certificate Declaration](#dac--dac-key--pai-certificate--certificate-declaration)
+        -   [Use Provisioned Optiga Trust M](#use-provisioned-optiga-trust-m)
     -   [Flashing the Application](#flashing-the-application)
         -   [Enter Recovery Mode](#enter-recovery-mode)
         -   [Run Flash Script](#run-flash-script)
@@ -163,6 +164,29 @@ keys, and CD by the following arguments:
     'matter_cd="/path/to/cd.der"'
     ```
 
+### Use Provisioned Optiga Trust M
+
+For boards supported by Optiga Trust M, CYW30739 will provision factory data to
+the Optiga Trust M by default for easy development.
+
+The Optiga Trust M on a production board should come with provisioned factory
+data. To ensure its optimal use, please configure the Optiga using the following
+arguments:
+
+-   `use_provisioned_optiga`, `optiga_dac_object_id`,
+    `optiga_dac_key_object_id`, `optiga_pai_cert_object_id`
+
+    ```bash
+    $ cd ~/connectedhomeip
+    $ scripts/examples/gn_build_example.sh examples/light-switch-app/infineon/cyw30739 out/cyw30739-light-switch \
+    'optiga_dac_object_id="0xe0e0"' \
+    'optiga_dac_key_object_id="0xe0f0"' \
+    'optiga_pai_cert_object_id="0xe0e8"'
+    ```
+
+The developer must set the object IDs to corresponding values matching the
+configurations used in the Optiga provisioning procedure.
+
 ## Flashing the Application
 
 ### Enter Recovery Mode

examples/lighting-app/infineon/cyw30739/README.md

@@ -18,6 +18,7 @@ An example showing the use of Matter on the Infineon CYW30739 platform.
         -   [Commissionable Data](#commissionable-data)
         -   [Device Information](#device-information)
         -   [DAC / DAC Key / PAI Certificate / Certificate Declaration](#dac--dac-key--pai-certificate--certificate-declaration)
+        -   [Use Provisioned Optiga Trust M](#use-provisioned-optiga-trust-m)
     -   [Flashing the Application](#flashing-the-application)
         -   [Enter Recovery Mode](#enter-recovery-mode)
         -   [Run Flash Script](#run-flash-script)
@@ -163,6 +164,29 @@ keys, and CD by the following arguments:
     'matter_cd="/path/to/cd.der"'
     ```
 
+### Use Provisioned Optiga Trust M
+
+For boards supported by Optiga Trust M, CYW30739 will provision factory data to
+the Optiga Trust M by default for easy development.
+
+The Optiga Trust M on a production board should come with provisioned factory
+data. To ensure its optimal use, please configure the Optiga using the following
+arguments:
+
+-   `use_provisioned_optiga`, `optiga_dac_object_id`,
+    `optiga_dac_key_object_id`, `optiga_pai_cert_object_id`
+
+    ```bash
+    $ cd ~/connectedhomeip
+    $ scripts/examples/gn_build_example.sh examples/lighting-app/infineon/cyw30739 out/cyw30739-light \
+    'optiga_dac_object_id="0xe0e0"' \
+    'optiga_dac_key_object_id="0xe0f0"' \
+    'optiga_pai_cert_object_id="0xe0e8"'
+    ```
+
+The developer must set the object IDs to corresponding values matching the
+configurations used in the Optiga provisioning procedure.
+
 ## Flashing the Application
 
 ### Enter Recovery Mode

examples/lock-app/infineon/cyw30739/README.md

@@ -18,6 +18,7 @@ An example showing the use of Matter on the Infineon CYW30739 platform.
         -   [Commissionable Data](#commissionable-data)
         -   [Device Information](#device-information)
         -   [DAC / DAC Key / PAI Certificate / Certificate Declaration](#dac--dac-key--pai-certificate--certificate-declaration)
+        -   [Use Provisioned Optiga Trust M](#use-provisioned-optiga-trust-m)
     -   [Flashing the Application](#flashing-the-application)
         -   [Enter Recovery Mode](#enter-recovery-mode)
         -   [Run Flash Script](#run-flash-script)
@@ -163,6 +164,29 @@ keys, and CD by the following arguments:
     'matter_cd="/path/to/cd.der"'
     ```
 
+### Use Provisioned Optiga Trust M
+
+For boards supported by Optiga Trust M, CYW30739 will provision factory data to
+the Optiga Trust M by default for easy development.
+
+The Optiga Trust M on a production board should come with provisioned factory
+data. To ensure its optimal use, please configure the Optiga using the following
+arguments:
+
+-   `use_provisioned_optiga`, `optiga_dac_object_id`,
+    `optiga_dac_key_object_id`, `optiga_pai_cert_object_id`
+
+    ```bash
+    $ cd ~/connectedhomeip
+    $ scripts/examples/gn_build_example.sh examples/lock-app/infineon/cyw30739 out/cyw30739-lock \
+    'optiga_dac_object_id="0xe0e0"' \
+    'optiga_dac_key_object_id="0xe0f0"' \
+    'optiga_pai_cert_object_id="0xe0e8"'
+    ```
+
+The developer must set the object IDs to corresponding values matching the
+configurations used in the Optiga provisioning procedure.
+
 ## Flashing the Application
 
 ### Enter Recovery Mode

examples/platform/infineon/cyw30739/matter_config.cpp

@@ -44,14 +44,21 @@
 #include <lib/support/CHIPPlatformMemory.h>
 #include <mbedtls/platform.h>
 #include <platform/DeviceInstanceInfoProvider.h>
-#include <platform/Infineon/CYW30739/FactoryDataProvider.h>
 #include <platform/KeyValueStoreManager.h>
 #include <protocols/secure_channel/PASESession.h>
-#ifdef BOARD_ENABLE_OPTIGA
-#include "wiced_optiga.h"
-#endif
 #include <wiced_rtos.h>
 
+#ifdef BOARD_USE_OPTIGA
+#include "wiced_optiga.h"
+#ifdef USE_PROVISIONED_OPTIGA
+#include <platform/Infineon/CYW30739/OptigaFactoryDataProvider.h>
+#else /* !USE_PROVISIONED_OPTIGA */
+#include <platform/Infineon/CYW30739/UnprovisionedOptigaFactoryDataProvider.h>
+#endif /* USE_PROVISIONED_OPTIGA */
+#else  /* !BOARD_USE_OPTIGA */
+#include <platform/Infineon/CYW30739/FactoryDataProvider.h>
+#endif /* BOARD_USE_OPTIGA */
+
 using namespace ::chip;
 using namespace ::chip::Inet;
 using namespace ::chip::Credentials;
@@ -60,7 +67,15 @@ using namespace ::chip::Shell;
 using namespace ::chip::app;
 
 static DeviceInfoProviderImpl sExampleDeviceInfoProvider;
+#ifdef BOARD_USE_OPTIGA
+#ifdef USE_PROVISIONED_OPTIGA
+static OptigaFactoryDataProvider sFactoryDataProvider;
+#else  /* !USE_PROVISIONED_OPTIGA */
+static UnprovisionedOptigaFactoryDataProvider sFactoryDataProvider;
+#endif /* USE_PROVISIONED_OPTIGA */
+#else  /* !BOARD_USE_OPTIGA */
 static FactoryDataProvider sFactoryDataProvider;
+#endif /* BOARD_USE_OPTIGA */
 
 // NOTE! This key is for test/certification only and should not be available in production devices!
 uint8_t sTestEventTriggerEnableKey[chip::TestEventTriggerDelegate::kEnableKeyLength] = { 0x00, 0x11, 0x22, 0x33, 0x44, 0x55,
@@ -135,7 +150,7 @@ void CYW30739MatterConfig::InitBoard(void)
 #ifdef BOARD_ENABLE_DISPLAY
     GUI_Init();
 #endif
-#ifdef BOARD_ENABLE_OPTIGA
+#ifdef BOARD_USE_OPTIGA
     wiced_optiga_init();
 #endif
 }
@@ -186,6 +201,8 @@ void CYW30739MatterConfig::InitApp(void)
     LogAppInit();
     ConfigurationMgr().LogDeviceConfig();
 
+    sFactoryDataProvider.Init();
+
     // Print QR Code URL
     PrintOnboardingCodes(chip::RendezvousInformationFlag(chip::RendezvousInformationFlag::kBLE));
     /* Start CHIP datamodel server */

examples/thermostat/infineon/cyw30739/README.md

@@ -18,6 +18,7 @@ An example showing the use of Matter on the Infineon CYW30739 platform.
         -   [Commissionable Data](#commissionable-data)
         -   [Device Information](#device-information)
         -   [DAC / DAC Key / PAI Certificate / Certificate Declaration](#dac--dac-key--pai-certificate--certificate-declaration)
+        -   [Use Provisioned Optiga Trust M](#use-provisioned-optiga-trust-m)
     -   [Flashing the Application](#flashing-the-application)
         -   [Enter Recovery Mode](#enter-recovery-mode)
         -   [Run Flash Script](#run-flash-script)
@@ -163,6 +164,29 @@ keys, and CD by the following arguments:
     'matter_cd="/path/to/cd.der"'
     ```
 
+### Use Provisioned Optiga Trust M
+
+For boards supported by Optiga Trust M, CYW30739 will provision factory data to
+the Optiga Trust M by default for easy development.
+
+The Optiga Trust M on a production board should come with provisioned factory
+data. To ensure its optimal use, please configure the Optiga using the following
+arguments:
+
+-   `use_provisioned_optiga`, `optiga_dac_object_id`,
+    `optiga_dac_key_object_id`, `optiga_pai_cert_object_id`
+
+    ```bash
+    $ cd ~/connectedhomeip
+    $ scripts/examples/gn_build_example.sh examples/thermostat/infineon/cyw30739 out/cyw30739-thermostat \
+    'optiga_dac_object_id="0xe0e0"' \
+    'optiga_dac_key_object_id="0xe0f0"' \
+    'optiga_pai_cert_object_id="0xe0e8"'
+    ```
+
+The developer must set the object IDs to corresponding values matching the
+configurations used in the Optiga provisioning procedure.
+
 ## Flashing the Application
 
 ### Enter Recovery Mode

scripts/setup/requirements.infineon.txt

@@ -1 +1,2 @@
 leb128
+zcbor

src/platform/Infineon/CYW30739/BUILD.gn

@@ -34,8 +34,6 @@ static_library("CYW30739") {
     "ConfigurationManagerImpl.h",
     "ConnectivityManagerImpl.cpp",
     "ConnectivityManagerImpl.h",
-    "FactoryDataProvider.cpp",
-    "FactoryDataProvider.h",
     "InetPlatformConfig.h",
     "KeyValueStoreManagerImpl.cpp",
     "KeyValueStoreManagerImpl.h",
@@ -57,6 +55,8 @@ static_library("CYW30739") {
     "EventFlags.h",
     "FactoryDataProvider.h",
     "OTAImageProcessorImpl.h",
+    "OptigaFactoryDataProvider.h",
+    "UnprovisionedOptigaFactoryDataProvider.h",
     "cycfg_gatt_db.h",
   ]
 

src/platform/Infineon/CYW30739/CYW30739Config.h

@@ -72,25 +72,33 @@ class CYW30739Config
     static constexpr Key kConfigKey_PAICert               = CYW30739ConfigKey(kChipFactory_KeyBase, 0x22);
     static constexpr Key kConfigKey_CertDeclaration       = CYW30739ConfigKey(kChipFactory_KeyBase, 0x23);
     // CHIP Config Keys
-    static constexpr Key kConfigKey_ServiceConfig      = CYW30739ConfigKey(kChipConfig_KeyBase, 0x00);
-    static constexpr Key kConfigKey_PairedAccountId    = CYW30739ConfigKey(kChipConfig_KeyBase, 0x01);
-    static constexpr Key kConfigKey_ServiceId          = CYW30739ConfigKey(kChipConfig_KeyBase, 0x02);
-    static constexpr Key kConfigKey_LastUsedEpochKeyId = CYW30739ConfigKey(kChipConfig_KeyBase, 0x03);
-    static constexpr Key kConfigKey_FailSafeArmed      = CYW30739ConfigKey(kChipConfig_KeyBase, 0x04);
-    static constexpr Key kConfigKey_GroupKey           = CYW30739ConfigKey(kChipConfig_KeyBase, 0x05);
-    static constexpr Key kConfigKey_RegulatoryLocation = CYW30739ConfigKey(kChipConfig_KeyBase, 0x07);
-    static constexpr Key kConfigKey_CountryCode        = CYW30739ConfigKey(kChipConfig_KeyBase, 0x08);
-    static constexpr Key kConfigKey_RebootCount        = CYW30739ConfigKey(kChipConfig_KeyBase, 0x09);
-    static constexpr Key kConfigKey_UniqueId           = CYW30739ConfigKey(kChipConfig_KeyBase, 0x0a);
-    static constexpr Key kConfigKey_LockUser           = CYW30739ConfigKey(kChipConfig_KeyBase, 0x0b);
-    static constexpr Key kConfigKey_Credential         = CYW30739ConfigKey(kChipConfig_KeyBase, 0x0c);
-    static constexpr Key kConfigKey_LockUserName       = CYW30739ConfigKey(kChipConfig_KeyBase, 0x0d);
-    static constexpr Key kConfigKey_CredentialData     = CYW30739ConfigKey(kChipConfig_KeyBase, 0x0e);
-    static constexpr Key kConfigKey_UserCredentials    = CYW30739ConfigKey(kChipConfig_KeyBase, 0x0f);
-    static constexpr Key kConfigKey_WeekDaySchedules   = CYW30739ConfigKey(kChipConfig_KeyBase, 0x10);
-    static constexpr Key kConfigKey_YearDaySchedules   = CYW30739ConfigKey(kChipConfig_KeyBase, 0x11);
-    static constexpr Key kConfigKey_HolidaySchedules   = CYW30739ConfigKey(kChipConfig_KeyBase, 0x12);
-    static constexpr Key kConfigKey_BootReason         = CYW30739ConfigKey(kChipConfig_KeyBase, 0x13);
+    static constexpr Key kConfigKey_ServiceConfig              = CYW30739ConfigKey(kChipConfig_KeyBase, 0x00);
+    static constexpr Key kConfigKey_PairedAccountId            = CYW30739ConfigKey(kChipConfig_KeyBase, 0x01);
+    static constexpr Key kConfigKey_ServiceId                  = CYW30739ConfigKey(kChipConfig_KeyBase, 0x02);
+    static constexpr Key kConfigKey_LastUsedEpochKeyId         = CYW30739ConfigKey(kChipConfig_KeyBase, 0x03);
+    static constexpr Key kConfigKey_FailSafeArmed              = CYW30739ConfigKey(kChipConfig_KeyBase, 0x04);
+    static constexpr Key kConfigKey_GroupKey                   = CYW30739ConfigKey(kChipConfig_KeyBase, 0x05);
+    static constexpr Key kConfigKey_RegulatoryLocation         = CYW30739ConfigKey(kChipConfig_KeyBase, 0x07);
+    static constexpr Key kConfigKey_CountryCode                = CYW30739ConfigKey(kChipConfig_KeyBase, 0x08);
+    static constexpr Key kConfigKey_RebootCount                = CYW30739ConfigKey(kChipConfig_KeyBase, 0x09);
+    static constexpr Key kConfigKey_UniqueId                   = CYW30739ConfigKey(kChipConfig_KeyBase, 0x0a);
+    static constexpr Key kConfigKey_LockUser                   = CYW30739ConfigKey(kChipConfig_KeyBase, 0x0b);
+    static constexpr Key kConfigKey_Credential                 = CYW30739ConfigKey(kChipConfig_KeyBase, 0x0c);
+    static constexpr Key kConfigKey_LockUserName               = CYW30739ConfigKey(kChipConfig_KeyBase, 0x0d);
+    static constexpr Key kConfigKey_CredentialData             = CYW30739ConfigKey(kChipConfig_KeyBase, 0x0e);
+    static constexpr Key kConfigKey_UserCredentials            = CYW30739ConfigKey(kChipConfig_KeyBase, 0x0f);
+    static constexpr Key kConfigKey_WeekDaySchedules           = CYW30739ConfigKey(kChipConfig_KeyBase, 0x10);
+    static constexpr Key kConfigKey_YearDaySchedules           = CYW30739ConfigKey(kChipConfig_KeyBase, 0x11);
+    static constexpr Key kConfigKey_HolidaySchedules           = CYW30739ConfigKey(kChipConfig_KeyBase, 0x12);
+    static constexpr Key kConfigKey_BootReason                 = CYW30739ConfigKey(kChipConfig_KeyBase, 0x13);
+    static constexpr Key kConfigKey_ProvisioningDAC            = CYW30739ConfigKey(kChipConfig_KeyBase, 0xe0);
+    static constexpr Key kConfigKey_ProvisioningPAICert        = CYW30739ConfigKey(kChipConfig_KeyBase, 0xe1);
+    static constexpr Key kConfigKey_ProvisioningSecret         = CYW30739ConfigKey(kChipConfig_KeyBase, 0xe2);
+    static constexpr Key kConfigKey_ProvisioningSecretMetaData = CYW30739ConfigKey(kChipConfig_KeyBase, 0xe3);
+    static constexpr Key kConfigKey_ProvisioningDACMetaData    = CYW30739ConfigKey(kChipConfig_KeyBase, 0xe4);
+    static constexpr Key kConfigKey_ProvisioningDACKeyMetaData = CYW30739ConfigKey(kChipConfig_KeyBase, 0xe5);
+    static constexpr Key kConfigKey_ProvisioningManifest       = CYW30739ConfigKey(kChipConfig_KeyBase, 0xe6);
+    static constexpr Key kConfigKey_ProvisioningFragment       = CYW30739ConfigKey(kChipConfig_KeyBase, 0xe7);
 
     // Set key id limits for each group.
     static constexpr Key kMinConfigKey_ChipFactory = CYW30739ConfigKey(kChipFactory_KeyBase, 0x00);

src/platform/Infineon/CYW30739/FactoryDataProvider.cpp

@@ -25,6 +25,11 @@ namespace DeviceLayer {
 
 using namespace chip::DeviceLayer::Internal;
 
+CHIP_ERROR FactoryDataProvider::Init()
+{
+    return CHIP_NO_ERROR;
+}
+
 /*
  * Members functions that implement the CommissionableDataProvider
  */

src/platform/Infineon/CYW30739/FactoryDataProvider.h

@@ -30,6 +30,8 @@ class FactoryDataProvider : public CommissionableDataProvider,
                             public DeviceInstanceInfoProvider
 {
 public:
+    CHIP_ERROR Init();
+
     // ===== Members functions that implement the CommissionableDataProvider
     CHIP_ERROR GetSetupDiscriminator(uint16_t & setupDiscriminator);
     CHIP_ERROR SetSetupDiscriminator(uint16_t setupDiscriminator);