Pr test

.gitmodules

@@ -354,3 +354,10 @@
 	url = https://github.com/paullouisageneau/libdatachannel.git
 	platforms = linux
 	recursive = true
+[submodule "third_party/libtrustymatter/repo"]
+	path = third_party/libtrustymatter/repo
+	url = https://github.com/nxp-imx/libtrustymatter
+[submodule "repo"]
+	path = third_party/imx-secure-enclave/repo
+	url = https://github.com/nxp-imx/imx-secure-enclave.git
+	branch = lf-6.12.3_1.0.0

examples/platform/linux/AppMain.cpp

@@ -126,6 +126,21 @@
 #include <platform/Linux/NetworkCommissioningDriver.h>
 #endif // CHIP_DEVICE_LAYER_TARGET_LINUX
 
+#if CHIP_ATTESTATION_TRUSTY_OS
+#include "DeviceAttestationCreds.h"
+using namespace chip::Credentials::Trusty;
+#endif
+
+#if CHIP_OP_KEYSTORE_TRUSTY_OS
+#include "PersistentStorageOperationalKeystoreTrusty.h"
+using namespace chip::Trusty;
+#endif
+
+#if CHIP_OP_KEYSTORE_ELE
+#include "PersistentStorageOperationalKeystoreEle.h"
+using namespace chip::ele;
+#endif
+
 using namespace chip;
 using namespace chip::ArgParser;
 using namespace chip::Credentials;
@@ -571,6 +586,16 @@ void ChipLinuxAppMainLoop(AppMainLoopImplementation * impl)
     }
 #endif // CHIP_CONFIG_TERMS_AND_CONDITIONS_REQUIRED
 
+#if CHIP_OP_KEYSTORE_TRUSTY_OS
+    static chip::Trusty::PersistentStorageOperationalKeystoreTrusty sPersistentStorageOperationalKeystore;
+    initParams.operationalKeystore = &sPersistentStorageOperationalKeystore;
+#endif
+
+#if CHIP_OP_KEYSTORE_ELE
+    static chip::ele::PersistentStorageOperationalKeystoreEle sPersistentStorageOperationalKeystore;
+    initParams.operationalKeystore = &sPersistentStorageOperationalKeystore;
+#endif
+
 #if defined(ENABLE_CHIP_SHELL)
     Engine::Root().Init();
     Shell::RegisterCommissioneeCommands();
@@ -710,7 +735,11 @@ void ChipLinuxAppMainLoop(AppMainLoopImplementation * impl)
     PrintOnboardingCodes(LinuxDeviceOptions::GetInstance().payload);
 
     // Initialize device attestation config
+#if CHIP_ATTESTATION_TRUSTY_OS
+    SetDeviceAttestationCredentialsProvider(&TrustyDACProvider::GetTrustyDACProvider());
+#else
     SetDeviceAttestationCredentialsProvider(LinuxDeviceOptions::GetInstance().dacProvider);
+#endif
 
 #if CHIP_DEVICE_CONFIG_ENABLE_BOTH_COMMISSIONER_AND_COMMISSIONEE
     ChipLogProgress(AppServer, "Starting commissioner");
@@ -737,9 +766,9 @@ void ChipLinuxAppMainLoop(AppMainLoopImplementation * impl)
     signal(SIGTERM, StopSignalHandler);
     // NOLINTEND(bugprone-signal-handler)
 #else
-    struct sigaction sa                        = {};
-    sa.sa_handler                              = StopSignalHandler;
-    sa.sa_flags                                = SA_RESETHAND;
+    struct sigaction sa = {};
+    sa.sa_handler       = StopSignalHandler;
+    sa.sa_flags         = SA_RESETHAND;
     sigaction(SIGINT, &sa, nullptr);
     sigaction(SIGTERM, &sa, nullptr);
 #endif

examples/platform/linux/BUILD.gn

@@ -17,7 +17,9 @@ import("${chip_root}/examples/common/pigweed/pigweed_rpcs.gni")
 import("${chip_root}/src/app/common_flags.gni")
 import("${chip_root}/src/app/icd/icd.gni")
 import("${chip_root}/src/lib/core/core.gni")
+import("${chip_root}/src/lib/imx_ele.gni")
 import("${chip_root}/src/lib/lib.gni")
+import("${chip_root}/src/lib/trusty.gni")
 import("${chip_root}/src/tracing/tracing_args.gni")
 
 if (current_os != "nuttx") {
@@ -96,6 +98,22 @@ source_set("app-main") {
     "testing/CustomCSRResponseOperationalKeyStore.h",
   ]
 
+  if (chip_with_trusty_os == 1) {
+    sources += [
+      "DeviceAttestationCreds.cpp",
+      "DeviceAttestationCreds.h",
+      "PersistentStorageOperationalKeystoreTrusty.cpp",
+      "PersistentStorageOperationalKeystoreTrusty.h",
+    ]
+  }
+
+  if (chip_with_imx_ele == 1) {
+    sources += [
+      "PersistentStorageOperationalKeystoreEle.cpp",
+      "PersistentStorageOperationalKeystoreEle.h",
+    ]
+  }
+
   public_deps = [
     ":boolean-state-configuration-test-event-trigger",
     ":commissioner-main",
@@ -122,6 +140,33 @@ source_set("app-main") {
     public_deps += [ jsoncpp_root ]
   }
 
+  if (chip_with_trusty_os == 1) {
+    public_deps += [ "${chip_root}/third_party/libtrustymatter" ]
+  }
+
+  if (chip_with_imx_ele == 1) {
+    public_deps +=
+        [ "${chip_root}/third_party/imx-secure-enclave:libelematter" ]
+  }
+
+  if (chip_with_trusty_os == 1) {
+    defines += [ "CHIP_ATTESTATION_TRUSTY_OS=1" ]
+  } else {
+    defines += [ "CHIP_ATTESTATION_TRUSTY_OS=0" ]
+  }
+
+  if (chip_with_trusty_os == 1) {
+    defines += [ "CHIP_OP_KEYSTORE_TRUSTY_OS=1" ]
+  } else {
+    defines += [ "CHIP_OP_KEYSTORE_TRUSTY_OS=0" ]
+  }
+
+  if (chip_with_imx_ele == 1) {
+    defines += [ "CHIP_OP_KEYSTORE_ELE=1" ]
+  } else {
+    defines += [ "CHIP_OP_KEYSTORE_ELE=0" ]
+  }
+
   if (chip_enable_pw_rpc) {
     defines += [ "PW_RPC_ENABLED" ]
   }

examples/platform/linux/DeviceAttestationCreds.cpp

@@ -0,0 +1,113 @@
+/*
+ *
+ *    Copyright (c) 2021-2022 Project CHIP Authors
+ *
+ *    Licensed under the Apache License, Version 2.0 (the "License");
+ *    you may not use this file except in compliance with the License.
+ *    You may obtain a copy of the License at
+ *
+ *        http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *    Unless required by applicable law or agreed to in writing, software
+ *    distributed under the License is distributed on an "AS IS" BASIS,
+ *    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *    See the License for the specific language governing permissions and
+ *    limitations under the License.
+ *
+ *    Copyright 2023 NXP
+ */
+#include "DeviceAttestationCreds.h"
+
+#include <crypto/CHIPCryptoPAL.h>
+#include <lib/core/CHIPError.h>
+#include <lib/support/Span.h>
+#include <trusty_matter.h>
+
+using namespace matter;
+
+namespace chip {
+namespace Credentials {
+namespace Trusty {
+
+CHIP_ERROR TrustyDACProvider::GetDeviceAttestationCert(MutableByteSpan & out_dac_buffer)
+{
+    size_t out_size = 0;
+    int rc;
+
+    rc = trusty_matter.ExportDACCert(out_dac_buffer.data(), out_dac_buffer.size(), out_size);
+    if (rc == 0)
+    {
+        out_dac_buffer.reduce_size(out_size);
+        return CHIP_NO_ERROR;
+    }
+    else
+        return CHIP_ERROR_CERT_LOAD_FAILED;
+}
+
+CHIP_ERROR TrustyDACProvider::GetProductAttestationIntermediateCert(MutableByteSpan & out_pai_buffer)
+{
+    size_t out_size = 0;
+    int rc;
+
+    rc = trusty_matter.ExportPAICert(out_pai_buffer.data(), out_pai_buffer.size(), out_size);
+    if (rc == 0)
+    {
+        out_pai_buffer.reduce_size(out_size);
+        return CHIP_NO_ERROR;
+    }
+    else
+        return CHIP_ERROR_CERT_LOAD_FAILED;
+}
+
+CHIP_ERROR TrustyDACProvider::GetCertificationDeclaration(MutableByteSpan & out_cd_buffer)
+{
+    size_t out_size = 0;
+    int rc;
+
+    rc = trusty_matter.ExportCDCert(out_cd_buffer.data(), out_cd_buffer.size(), out_size);
+    if (rc == 0)
+    {
+        out_cd_buffer.reduce_size(out_size);
+        return CHIP_NO_ERROR;
+    }
+    else
+        return CHIP_ERROR_CERT_LOAD_FAILED;
+}
+
+CHIP_ERROR TrustyDACProvider::GetFirmwareInformation(MutableByteSpan & out_firmware_info_buffer)
+{
+    // TODO: We need a real example FirmwareInformation to be populated.
+    out_firmware_info_buffer.reduce_size(0);
+
+    return CHIP_NO_ERROR;
+}
+
+CHIP_ERROR TrustyDACProvider::SignWithDeviceAttestationKey(const ByteSpan & message_to_sign, MutableByteSpan & out_signature_buffer)
+{
+    int rc          = 0;
+    size_t out_size = 0;
+
+    VerifyOrReturnError(IsSpanUsable(out_signature_buffer), CHIP_ERROR_INVALID_ARGUMENT);
+    VerifyOrReturnError(IsSpanUsable(message_to_sign), CHIP_ERROR_INVALID_ARGUMENT);
+
+    rc = trusty_matter.SignWithDACKey(message_to_sign.data(), message_to_sign.size(), out_signature_buffer.data(),
+                                      out_signature_buffer.size(), out_size);
+    if (rc == 0)
+    {
+        out_signature_buffer.reduce_size(out_size);
+        return CHIP_NO_ERROR;
+    }
+    else
+        return CHIP_ERROR_CERT_LOAD_FAILED;
+}
+
+TrustyDACProvider & TrustyDACProvider::GetTrustyDACProvider()
+{
+    static TrustyDACProvider trusty_dac_provider;
+
+    return trusty_dac_provider;
+}
+
+} // namespace Trusty
+} // namespace Credentials
+} // namespace chip

examples/platform/linux/DeviceAttestationCreds.h

@@ -0,0 +1,46 @@
+/*
+ *    Copyright 2023 NXP
+ *
+ *    Copyright (c) 2021 Project CHIP Authors
+ *
+ *    Licensed under the Apache License, Version 2.0 (the "License");
+ *    you may not use this file except in compliance with the License.
+ *    You may obtain a copy of the License at
+ *
+ *        http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *    Unless required by applicable law or agreed to in writing, software
+ *    distributed under the License is distributed on an "AS IS" BASIS,
+ *    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *    See the License for the specific language governing permissions and
+ *    limitations under the License.
+ */
+#pragma once
+
+#include <credentials/DeviceAttestationCredsProvider.h>
+#include <trusty_matter.h>
+
+using namespace matter;
+
+namespace chip {
+namespace Credentials {
+namespace Trusty {
+
+class TrustyDACProvider : public DeviceAttestationCredentialsProvider
+{
+public:
+    static TrustyDACProvider & GetTrustyDACProvider();
+
+    CHIP_ERROR GetCertificationDeclaration(MutableByteSpan & out_cd_buffer) override;
+    CHIP_ERROR GetFirmwareInformation(MutableByteSpan & out_firmware_info_buffer) override;
+    CHIP_ERROR GetDeviceAttestationCert(MutableByteSpan & out_dac_buffer) override;
+    CHIP_ERROR GetProductAttestationIntermediateCert(MutableByteSpan & out_pai_buffer) override;
+    CHIP_ERROR SignWithDeviceAttestationKey(const ByteSpan & message_to_sign, MutableByteSpan & out_signature_buffer) override;
+
+private:
+    TrustyMatter trusty_matter;
+};
+
+} // namespace Trusty
+} // namespace Credentials
+} // namespace chip