diff --git a/.gitmodules b/.gitmodules
index 86981aa68619aa..9f69906a4909aa 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -354,3 +354,10 @@
 	url = https://github.com/paullouisageneau/libdatachannel.git
 	platforms = linux
 	recursive = true
+[submodule "third_party/libtrustymatter/repo"]
+	path = third_party/libtrustymatter/repo
+	url = https://github.com/nxp-imx/libtrustymatter
+[submodule "repo"]
+	path = third_party/imx-secure-enclave/repo
+	url = https://github.com/nxp-imx/imx-secure-enclave.git
+	branch = lf-6.12.3_1.0.0
diff --git a/examples/platform/linux/AppMain.cpp b/examples/platform/linux/AppMain.cpp
index 52fd41d79dabe8..d836300bf3ee0f 100644
--- a/examples/platform/linux/AppMain.cpp
+++ b/examples/platform/linux/AppMain.cpp
@@ -1,6 +1,7 @@
 /*
  *
  *    Copyright (c) 2021-2022 Project CHIP Authors
+ *    Copyright 2023, 2025 NXP
  *    All rights reserved.
  *
  *    Licensed under the Apache License, Version 2.0 (the "License");
@@ -126,6 +127,24 @@
 #include <platform/Linux/NetworkCommissioningDriver.h>
 #endif // CHIP_DEVICE_LAYER_TARGET_LINUX
 
+#if CHIP_ATTESTATION_TRUSTY_OS
+#include "DeviceAttestationCredsTrusty.h"
+using namespace chip::Credentials::Trusty;
+#elif CHIP_ATTESTATION_ELE
+#include "DeviceAttestationCredsEle.h"
+using namespace chip::Credentials::ele;
+#endif
+
+#if CHIP_OP_KEYSTORE_TRUSTY_OS
+#include "PersistentStorageOperationalKeystoreTrusty.h"
+using namespace chip::Trusty;
+#endif
+
+#if CHIP_OP_KEYSTORE_ELE
+#include "PersistentStorageOperationalKeystoreEle.h"
+using namespace chip::ele;
+#endif
+
 using namespace chip;
 using namespace chip::ArgParser;
 using namespace chip::Credentials;
@@ -571,6 +590,16 @@ void ChipLinuxAppMainLoop(AppMainLoopImplementation * impl)
     }
 #endif // CHIP_CONFIG_TERMS_AND_CONDITIONS_REQUIRED
 
+#if CHIP_OP_KEYSTORE_TRUSTY_OS
+    static chip::Trusty::PersistentStorageOperationalKeystoreTrusty sPersistentStorageOperationalKeystore;
+    initParams.operationalKeystore = &sPersistentStorageOperationalKeystore;
+#endif
+
+#if CHIP_OP_KEYSTORE_ELE
+    static chip::ele::PersistentStorageOperationalKeystoreEle sPersistentStorageOperationalKeystore;
+    initParams.operationalKeystore = &sPersistentStorageOperationalKeystore;
+#endif
+
 #if defined(ENABLE_CHIP_SHELL)
     Engine::Root().Init();
     Shell::RegisterCommissioneeCommands();
@@ -710,7 +739,13 @@ void ChipLinuxAppMainLoop(AppMainLoopImplementation * impl)
     PrintOnboardingCodes(LinuxDeviceOptions::GetInstance().payload);
 
     // Initialize device attestation config
+#if CHIP_ATTESTATION_TRUSTY_OS
+    SetDeviceAttestationCredentialsProvider(&TrustyDACProvider::GetTrustyDACProvider());
+#elif CHIP_ATTESTATION_ELE
+    SetDeviceAttestationCredentialsProvider(&EleDACProvider::GetEleDACProvider());
+#else
     SetDeviceAttestationCredentialsProvider(LinuxDeviceOptions::GetInstance().dacProvider);
+#endif
 
 #if CHIP_DEVICE_CONFIG_ENABLE_BOTH_COMMISSIONER_AND_COMMISSIONEE
     ChipLogProgress(AppServer, "Starting commissioner");
@@ -737,9 +772,9 @@ void ChipLinuxAppMainLoop(AppMainLoopImplementation * impl)
     signal(SIGTERM, StopSignalHandler);
     // NOLINTEND(bugprone-signal-handler)
 #else
-    struct sigaction sa                        = {};
-    sa.sa_handler                              = StopSignalHandler;
-    sa.sa_flags                                = SA_RESETHAND;
+    struct sigaction sa = {};
+    sa.sa_handler       = StopSignalHandler;
+    sa.sa_flags         = SA_RESETHAND;
     sigaction(SIGINT, &sa, nullptr);
     sigaction(SIGTERM, &sa, nullptr);
 #endif
diff --git a/examples/platform/linux/BUILD.gn b/examples/platform/linux/BUILD.gn
index a31a72ed834e15..4cab99fa5c91bd 100644
--- a/examples/platform/linux/BUILD.gn
+++ b/examples/platform/linux/BUILD.gn
@@ -1,4 +1,5 @@
 # Copyright (c) 2020 Project CHIP Authors
+# Copyright 2025 NXP
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -17,7 +18,9 @@ import("${chip_root}/examples/common/pigweed/pigweed_rpcs.gni")
 import("${chip_root}/src/app/common_flags.gni")
 import("${chip_root}/src/app/icd/icd.gni")
 import("${chip_root}/src/lib/core/core.gni")
+import("${chip_root}/src/lib/imx_ele.gni")
 import("${chip_root}/src/lib/lib.gni")
+import("${chip_root}/src/lib/trusty.gni")
 import("${chip_root}/src/tracing/tracing_args.gni")
 
 if (current_os != "nuttx") {
@@ -96,6 +99,25 @@ source_set("app-main") {
     "testing/CustomCSRResponseOperationalKeyStore.h",
   ]
 
+  if (chip_with_trusty_os == 1) {
+    sources += [
+      "DeviceAttestationCredsTrusty.cpp",
+      "DeviceAttestationCredsTrusty.h",
+      "PersistentStorageOperationalKeystoreTrusty.cpp",
+      "PersistentStorageOperationalKeystoreTrusty.h",
+    ]
+  }
+
+  if (chip_with_imx_ele == 1) {
+    sources += [
+      #TODO enable this when official tool ready
+      #     "DeviceAttestationCredsEle.cpp",
+      #     "DeviceAttestationCredsEle.h",
+      "PersistentStorageOperationalKeystoreEle.cpp",
+      "PersistentStorageOperationalKeystoreEle.h",
+    ]
+  }
+
   public_deps = [
     ":boolean-state-configuration-test-event-trigger",
     ":commissioner-main",
@@ -122,6 +144,36 @@ source_set("app-main") {
     public_deps += [ jsoncpp_root ]
   }
 
+  if (chip_with_trusty_os == 1) {
+    public_deps += [ "${chip_root}/third_party/libtrustymatter" ]
+  }
+
+  if (chip_with_imx_ele == 1) {
+    public_deps +=
+        [ "${chip_root}/third_party/imx-secure-enclave:libelematter" ]
+  }
+
+  if (chip_with_trusty_os == 1) {
+    defines += [ "CHIP_ATTESTATION_TRUSTY_OS=1" ]
+  } else {
+    defines += [ "CHIP_ATTESTATION_TRUSTY_OS=0" ]
+  }
+
+  if (chip_with_trusty_os == 1) {
+    defines += [ "CHIP_OP_KEYSTORE_TRUSTY_OS=1" ]
+  } else {
+    defines += [ "CHIP_OP_KEYSTORE_TRUSTY_OS=0" ]
+  }
+
+  if (chip_with_imx_ele == 1) {
+    defines += [ "CHIP_OP_KEYSTORE_ELE=1" ]
+    #TODO enable this when official tool ready
+    #   defines += [ "CHIP_ATTESTATION_ELE=1" ]
+  } else {
+    defines += [ "CHIP_OP_KEYSTORE_ELE=0" ]
+    defines += [ "CHIP_ATTESTATION_ELE=0" ]
+  }
+
   if (chip_enable_pw_rpc) {
     defines += [ "PW_RPC_ENABLED" ]
   }
diff --git a/examples/platform/linux/DeviceAttestationCredsEle.cpp b/examples/platform/linux/DeviceAttestationCredsEle.cpp
new file mode 100644
index 00000000000000..03a0fe948b275b
--- /dev/null
+++ b/examples/platform/linux/DeviceAttestationCredsEle.cpp
@@ -0,0 +1,219 @@
+/*
+ *
+ *    Copyright (c) 2021-2022 Project CHIP Authors
+ *    Copyright 2023, 2025 NXP
+ *
+ *    Licensed under the Apache License, Version 2.0 (the "License");
+ *    you may not use this file except in compliance with the License.
+ *    You may obtain a copy of the License at
+ *
+ *        http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *    Unless required by applicable law or agreed to in writing, software
+ *    distributed under the License is distributed on an "AS IS" BASIS,
+ *    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *    See the License for the specific language governing permissions and
+ *    limitations under the License.
+ *
+ */
+#include "DeviceAttestationCredsEle.h"
+
+#include <crypto/CHIPCryptoPAL.h>
+#include <lib/core/CHIPError.h>
+#include <lib/support/Span.h>
+
+#define KEY_STORE_ID (0xBBBB)
+#define AUTHEN_NONCE (0x2222)
+#define PAI_DATA_ID 0x1111
+#define DAC_DATA_ID 0x1112
+#define CD_DATA_ID 0x1113
+#define DAC_PRIVATE_KEY_ID 0x1114
+
+namespace chip {
+namespace Credentials {
+namespace ele {
+
+EleDACProvider::EleDACProvider()
+{
+    hsm_err_t err;
+
+    // open the session
+    open_session_args_t open_session_args = { 0 };
+    open_session_args.mu_type             = HSM1;
+    err                                   = hsm_open_session(&open_session_args, &hsm_session_hdl);
+    if (err != HSM_NO_ERROR)
+    {
+        ChipLogDetail(Crypto, "ELE device attestation session open failed. ret: 0x%x\n", err);
+        return;
+    }
+    else
+    {
+        ChipLogDetail(Crypto, "ELE device attestation session open successfully.\n");
+    }
+
+    // open the keystore
+    open_svc_key_store_args_t open_svc_key_store_args = { 0 };
+    open_svc_key_store_args.key_store_identifier      = KEY_STORE_ID;
+    open_svc_key_store_args.authentication_nonce      = AUTHEN_NONCE;
+    // try to create a new keystore, if it already exist, open it
+    open_svc_key_store_args.flags = (HSM_SVC_KEY_STORE_FLAGS_CREATE | HSM_SVC_KEY_STORE_FLAGS_STRICT_OPERATION);
+    err                           = hsm_open_key_store_service(hsm_session_hdl, &open_svc_key_store_args, &key_store_hdl);
+    if (err == HSM_KEY_STORE_CONFLICT)
+    {
+        ChipLogDetail(Crypto, "device attestation keystore already existed, open it...\n");
+        open_svc_key_store_args.flags = HSM_SVC_KEY_STORE_FLAGS_LOAD;
+        err                           = hsm_open_key_store_service(hsm_session_hdl, &open_svc_key_store_args, &key_store_hdl);
+        if (err != HSM_NO_ERROR)
+        {
+            ChipLogDetail(Crypto, "device attestation keystore open failed. ret:0x%x\n", err);
+            return;
+        }
+        else
+            ChipLogDetail(Crypto, "device attestation keystore open successfully.\n");
+    }
+    else
+    {
+        ChipLogDetail(Crypto, "device attestation keystore created successfully.\n");
+    }
+}
+
+EleDACProvider::~EleDACProvider()
+{
+    hsm_err_t err;
+
+    ChipLogDetail(Crypto, "close all ELE device attestation services.\n");
+
+    err           = hsm_close_key_store_service(key_store_hdl);
+    key_store_hdl = 0;
+    ChipLogDetail(Crypto, "close device attestation key store service returns:0x%x\n", err);
+
+    err             = hsm_close_session(hsm_session_hdl);
+    hsm_session_hdl = 0;
+    ChipLogDetail(Crypto, "close ELE device attestation session returns:0x%x\n", err);
+}
+
+CHIP_ERROR EleDACProvider::GetDeviceAttestationCert(MutableByteSpan & out_dac_buffer)
+{
+    op_data_storage_args_t data_storage_args;
+    hsm_err_t err;
+
+    data_storage_args.svc_flags = 0;
+    data_storage_args.data      = out_dac_buffer.data();
+    data_storage_args.data_size = out_dac_buffer.size();
+    data_storage_args.data_id   = DAC_DATA_ID;
+    data_storage_args.flags |= HSM_OP_DATA_STORAGE_FLAGS_RETRIEVE;
+    err = hsm_data_ops(key_store_hdl, &data_storage_args);
+    if (err)
+    {
+        ChipLogDetail(Crypto, "ELE get DAC failed. ret: 0x%x\n", err);
+        return CHIP_ERROR_CERT_LOAD_FAILED;
+    }
+
+    out_dac_buffer.reduce_size(data_storage_args.exp_output_size);
+    return CHIP_NO_ERROR;
+}
+
+CHIP_ERROR EleDACProvider::GetProductAttestationIntermediateCert(MutableByteSpan & out_pai_buffer)
+{
+    op_data_storage_args_t data_storage_args;
+    hsm_err_t err;
+
+    data_storage_args.svc_flags = 0;
+    data_storage_args.data      = out_pai_buffer.data();
+    data_storage_args.data_size = out_pai_buffer.size();
+    data_storage_args.data_id   = PAI_DATA_ID;
+    data_storage_args.flags |= HSM_OP_DATA_STORAGE_FLAGS_RETRIEVE;
+    err = hsm_data_ops(key_store_hdl, &data_storage_args);
+    if (err)
+    {
+        ChipLogDetail(Crypto, "ELE get PAI failed. ret: 0x%x\n", err);
+        return CHIP_ERROR_CERT_LOAD_FAILED;
+    }
+
+    out_pai_buffer.reduce_size(data_storage_args.exp_output_size);
+    return CHIP_NO_ERROR;
+}
+
+CHIP_ERROR EleDACProvider::GetCertificationDeclaration(MutableByteSpan & out_cd_buffer)
+{
+    op_data_storage_args_t data_storage_args;
+    hsm_err_t err;
+
+    data_storage_args.svc_flags = 0;
+    data_storage_args.data      = out_cd_buffer.data();
+    data_storage_args.data_size = out_cd_buffer.size();
+    data_storage_args.data_id   = CD_DATA_ID;
+    data_storage_args.flags |= HSM_OP_DATA_STORAGE_FLAGS_RETRIEVE;
+    err = hsm_data_ops(key_store_hdl, &data_storage_args);
+    if (err)
+    {
+        ChipLogDetail(Crypto, "ELE get CD failed. ret: 0x%x\n", err);
+        return CHIP_ERROR_CERT_LOAD_FAILED;
+    }
+
+    out_cd_buffer.reduce_size(data_storage_args.exp_output_size);
+    return CHIP_NO_ERROR;
+}
+
+CHIP_ERROR EleDACProvider::GetFirmwareInformation(MutableByteSpan & out_firmware_info_buffer)
+{
+    // TODO: We need a real example FirmwareInformation to be populated.
+    out_firmware_info_buffer.reduce_size(0);
+
+    return CHIP_NO_ERROR;
+}
+
+CHIP_ERROR EleDACProvider::SignWithDeviceAttestationKey(const ByteSpan & message_to_sign, MutableByteSpan & out_signature_buffer)
+{
+    open_svc_sign_gen_args_t open_sig_gen_args;
+    op_generate_sign_args_t sig_gen_args;
+    uint8_t signature[64];
+    hsm_hdl_t sig_gen_hdl;
+    size_t out_size = 0;
+    hsm_err_t hsmret;
+
+    VerifyOrReturnError(IsSpanUsable(out_signature_buffer), CHIP_ERROR_INVALID_ARGUMENT);
+    VerifyOrReturnError(IsSpanUsable(message_to_sign), CHIP_ERROR_INVALID_ARGUMENT);
+    VerifyOrReturnError(out_signature_buffer.size() >= sizeof(signature), CHIP_ERROR_BUFFER_TOO_SMALL);
+
+    // open signature generation service
+    memset(&open_sig_gen_args, 0, sizeof(open_sig_gen_args));
+    hsmret = hsm_open_signature_generation_service(key_store_hdl, &open_sig_gen_args, &sig_gen_hdl);
+    if (hsmret != HSM_NO_ERROR)
+    {
+        ChipLogDetail(Crypto, "open signature generation service failed. ret:0x%x\n", hsmret);
+        return CHIP_ERROR_HSM;
+    }
+
+    // generate signature
+    memset(&sig_gen_args, 0, sizeof(sig_gen_args));
+    sig_gen_args.key_identifier = DAC_PRIVATE_KEY_ID;
+    sig_gen_args.scheme_id      = HSM_SIGNATURE_SCHEME_ECDSA_SHA256;
+    sig_gen_args.message        = (uint8_t *) (message_to_sign.data());
+    sig_gen_args.signature      = signature;
+    sig_gen_args.message_size   = message_to_sign.size();
+    sig_gen_args.signature_size = sizeof(signature);
+    sig_gen_args.flags          = HSM_OP_GENERATE_SIGN_FLAGS_INPUT_MESSAGE;
+    hsmret                      = hsm_generate_signature(sig_gen_hdl, &sig_gen_args);
+    hsm_close_signature_generation_service(sig_gen_hdl);
+    if (hsmret != HSM_NO_ERROR)
+    {
+        ChipLogDetail(Crypto, "generate signature failed. ret:0x%x\n", hsmret);
+        return CHIP_ERROR_HSM;
+    }
+
+    memcpy(out_signature_buffer.data(), signature, sizeof(signature));
+    out_signature_buffer.reduce_size(sizeof(signature));
+    return CHIP_NO_ERROR;
+}
+
+EleDACProvider & EleDACProvider::GetEleDACProvider()
+{
+    static EleDACProvider ele_dac_provider;
+
+    return ele_dac_provider;
+}
+
+} // namespace ele
+} // namespace Credentials
+} // namespace chip
diff --git a/examples/platform/linux/DeviceAttestationCredsEle.h b/examples/platform/linux/DeviceAttestationCredsEle.h
new file mode 100644
index 00000000000000..5d027bcbe23738
--- /dev/null
+++ b/examples/platform/linux/DeviceAttestationCredsEle.h
@@ -0,0 +1,46 @@
+/*
+ *    Copyright (c) 2021 Project CHIP Authors
+ *    Copyright 2023, 2025 NXP
+ *
+ *    Licensed under the Apache License, Version 2.0 (the "License");
+ *    you may not use this file except in compliance with the License.
+ *    You may obtain a copy of the License at
+ *
+ *        http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *    Unless required by applicable law or agreed to in writing, software
+ *    distributed under the License is distributed on an "AS IS" BASIS,
+ *    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *    See the License for the specific language governing permissions and
+ *    limitations under the License.
+ */
+#pragma once
+
+#include "hsm_api.h"
+#include <credentials/DeviceAttestationCredsProvider.h>
+
+namespace chip {
+namespace Credentials {
+namespace ele {
+
+class EleDACProvider : public DeviceAttestationCredentialsProvider
+{
+public:
+    EleDACProvider();
+    ~EleDACProvider();
+    static EleDACProvider & GetEleDACProvider();
+
+    CHIP_ERROR GetCertificationDeclaration(MutableByteSpan & out_cd_buffer) override;
+    CHIP_ERROR GetFirmwareInformation(MutableByteSpan & out_firmware_info_buffer) override;
+    CHIP_ERROR GetDeviceAttestationCert(MutableByteSpan & out_dac_buffer) override;
+    CHIP_ERROR GetProductAttestationIntermediateCert(MutableByteSpan & out_pai_buffer) override;
+    CHIP_ERROR SignWithDeviceAttestationKey(const ByteSpan & message_to_sign, MutableByteSpan & out_signature_buffer) override;
+
+private:
+    hsm_hdl_t hsm_session_hdl = 0;
+    hsm_hdl_t key_store_hdl   = 0;
+};
+
+} // namespace ele
+} // namespace Credentials
+} // namespace chip
diff --git a/examples/platform/linux/DeviceAttestationCredsTrusty.cpp b/examples/platform/linux/DeviceAttestationCredsTrusty.cpp
new file mode 100644
index 00000000000000..7667a8c745a494
--- /dev/null
+++ b/examples/platform/linux/DeviceAttestationCredsTrusty.cpp
@@ -0,0 +1,112 @@
+/*
+ *
+ *    Copyright (c) 2021-2022 Project CHIP Authors
+ *    Copyright 2023, 2025 NXP
+ *
+ *    Licensed under the Apache License, Version 2.0 (the "License");
+ *    you may not use this file except in compliance with the License.
+ *    You may obtain a copy of the License at
+ *
+ *        http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *    Unless required by applicable law or agreed to in writing, software
+ *    distributed under the License is distributed on an "AS IS" BASIS,
+ *    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *    See the License for the specific language governing permissions and
+ *    limitations under the License.
+ */
+#include "DeviceAttestationCredsTrusty.h"
+
+#include <crypto/CHIPCryptoPAL.h>
+#include <lib/core/CHIPError.h>
+#include <lib/support/Span.h>
+#include <trusty_matter.h>
+
+using namespace matter;
+
+namespace chip {
+namespace Credentials {
+namespace Trusty {
+
+CHIP_ERROR TrustyDACProvider::GetDeviceAttestationCert(MutableByteSpan & out_dac_buffer)
+{
+    size_t out_size = 0;
+    int rc;
+
+    rc = trusty_matter.ExportDACCert(out_dac_buffer.data(), out_dac_buffer.size(), out_size);
+    if (rc == 0)
+    {
+        out_dac_buffer.reduce_size(out_size);
+        return CHIP_NO_ERROR;
+    }
+    else
+        return CHIP_ERROR_CERT_LOAD_FAILED;
+}
+
+CHIP_ERROR TrustyDACProvider::GetProductAttestationIntermediateCert(MutableByteSpan & out_pai_buffer)
+{
+    size_t out_size = 0;
+    int rc;
+
+    rc = trusty_matter.ExportPAICert(out_pai_buffer.data(), out_pai_buffer.size(), out_size);
+    if (rc == 0)
+    {
+        out_pai_buffer.reduce_size(out_size);
+        return CHIP_NO_ERROR;
+    }
+    else
+        return CHIP_ERROR_CERT_LOAD_FAILED;
+}
+
+CHIP_ERROR TrustyDACProvider::GetCertificationDeclaration(MutableByteSpan & out_cd_buffer)
+{
+    size_t out_size = 0;
+    int rc;
+
+    rc = trusty_matter.ExportCDCert(out_cd_buffer.data(), out_cd_buffer.size(), out_size);
+    if (rc == 0)
+    {
+        out_cd_buffer.reduce_size(out_size);
+        return CHIP_NO_ERROR;
+    }
+    else
+        return CHIP_ERROR_CERT_LOAD_FAILED;
+}
+
+CHIP_ERROR TrustyDACProvider::GetFirmwareInformation(MutableByteSpan & out_firmware_info_buffer)
+{
+    // TODO: We need a real example FirmwareInformation to be populated.
+    out_firmware_info_buffer.reduce_size(0);
+
+    return CHIP_NO_ERROR;
+}
+
+CHIP_ERROR TrustyDACProvider::SignWithDeviceAttestationKey(const ByteSpan & message_to_sign, MutableByteSpan & out_signature_buffer)
+{
+    int rc          = 0;
+    size_t out_size = 0;
+
+    VerifyOrReturnError(IsSpanUsable(out_signature_buffer), CHIP_ERROR_INVALID_ARGUMENT);
+    VerifyOrReturnError(IsSpanUsable(message_to_sign), CHIP_ERROR_INVALID_ARGUMENT);
+
+    rc = trusty_matter.SignWithDACKey(message_to_sign.data(), message_to_sign.size(), out_signature_buffer.data(),
+                                      out_signature_buffer.size(), out_size);
+    if (rc == 0)
+    {
+        out_signature_buffer.reduce_size(out_size);
+        return CHIP_NO_ERROR;
+    }
+    else
+        return CHIP_ERROR_CERT_LOAD_FAILED;
+}
+
+TrustyDACProvider & TrustyDACProvider::GetTrustyDACProvider()
+{
+    static TrustyDACProvider trusty_dac_provider;
+
+    return trusty_dac_provider;
+}
+
+} // namespace Trusty
+} // namespace Credentials
+} // namespace chip
diff --git a/examples/platform/linux/DeviceAttestationCredsTrusty.h b/examples/platform/linux/DeviceAttestationCredsTrusty.h
new file mode 100644
index 00000000000000..a8906b7802390d
--- /dev/null
+++ b/examples/platform/linux/DeviceAttestationCredsTrusty.h
@@ -0,0 +1,45 @@
+/*
+ *    Copyright (c) 2021 Project CHIP Authors
+ *    Copyright 2023, 2025 NXP
+ *
+ *    Licensed under the Apache License, Version 2.0 (the "License");
+ *    you may not use this file except in compliance with the License.
+ *    You may obtain a copy of the License at
+ *
+ *        http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *    Unless required by applicable law or agreed to in writing, software
+ *    distributed under the License is distributed on an "AS IS" BASIS,
+ *    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *    See the License for the specific language governing permissions and
+ *    limitations under the License.
+ */
+#pragma once
+
+#include <credentials/DeviceAttestationCredsProvider.h>
+#include <trusty_matter.h>
+
+using namespace matter;
+
+namespace chip {
+namespace Credentials {
+namespace Trusty {
+
+class TrustyDACProvider : public DeviceAttestationCredentialsProvider
+{
+public:
+    static TrustyDACProvider & GetTrustyDACProvider();
+
+    CHIP_ERROR GetCertificationDeclaration(MutableByteSpan & out_cd_buffer) override;
+    CHIP_ERROR GetFirmwareInformation(MutableByteSpan & out_firmware_info_buffer) override;
+    CHIP_ERROR GetDeviceAttestationCert(MutableByteSpan & out_dac_buffer) override;
+    CHIP_ERROR GetProductAttestationIntermediateCert(MutableByteSpan & out_pai_buffer) override;
+    CHIP_ERROR SignWithDeviceAttestationKey(const ByteSpan & message_to_sign, MutableByteSpan & out_signature_buffer) override;
+
+private:
+    TrustyMatter trusty_matter;
+};
+
+} // namespace Trusty
+} // namespace Credentials
+} // namespace chip
diff --git a/examples/platform/linux/PersistentStorageOperationalKeystoreEle.cpp b/examples/platform/linux/PersistentStorageOperationalKeystoreEle.cpp
new file mode 100644
index 00000000000000..8547ad4948098f
--- /dev/null
+++ b/examples/platform/linux/PersistentStorageOperationalKeystoreEle.cpp
@@ -0,0 +1,637 @@
+/*
+ *    Copyright (c) 2022 Project CHIP Authors
+ *    Copyright 2023, 2025 NXP
+ *    All rights reserved.
+ *
+ *    Licensed under the Apache License, Version 2.0 (the "License");
+ *    you may not use this file except in compliance with the License.
+ *    You may obtain a copy of the License at
+ *
+ *        http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *    Unless required by applicable law or agreed to in writing, software
+ *    distributed under the License is distributed on an "AS IS" BASIS,
+ *    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *    See the License for the specific language governing permissions and
+ *    limitations under the License.
+ */
+
+#include <crypto/OperationalKeystore.h>
+#include <lib/core/CHIPError.h>
+#include <lib/core/CHIPPersistentStorageDelegate.h>
+#include <lib/core/DataModelTypes.h>
+#include <lib/support/CHIPMem.h>
+#include <lib/support/CodeUtils.h>
+#include <lib/support/DefaultStorageKeyAllocator.h>
+#include <lib/support/SafeInt.h>
+
+#include "PersistentStorageOperationalKeystoreEle.h"
+
+const uint8_t kTlvHeader = 2;
+
+#define KEY_STORE_ID (0xAAAA)
+#define AUTHEN_NONCE (0x1111)
+#define KEY_GROUP (1)
+#define PUBKEY_SIZE (65)
+#define KEY_GROUP_SYNC (0x1U << 7)
+
+/* Used for CSR generation */
+// Organisation info.
+#define SUBJECT_STR "CSR"
+#define ASN1_BIT_STRING 0x03
+#define ASN1_NULL 0x05
+#define ASN1_OID 0x06
+#define ASN1_SEQUENCE 0x10
+#define ASN1_SET 0x11
+#define ASN1_UTF8_STRING 0x0C
+#define ASN1_CONSTRUCTED 0x20
+#define ASN1_CONTEXT_SPECIFIC 0x80
+
+namespace chip {
+namespace ele {
+
+using namespace chip::Crypto;
+
+PersistentStorageOperationalKeystoreEle::PersistentStorageOperationalKeystoreEle()
+{
+    hsm_err_t err;
+
+    // open the session
+    open_session_args_t open_session_args = { 0 };
+    open_session_args.mu_type             = HSM1;
+    err                                   = hsm_open_session(&open_session_args, &hsm_session_hdl);
+    if (err != HSM_NO_ERROR)
+    {
+        ChipLogDetail(Crypto, "ELE session open failed. ret: 0x%x\n", err);
+        return;
+    }
+    else
+    {
+        ChipLogDetail(Crypto, "ELE session open successfully.\n");
+    }
+
+    // open the keystore
+    open_svc_key_store_args_t open_svc_key_store_args = { 0 };
+    open_svc_key_store_args.key_store_identifier      = KEY_STORE_ID;
+    open_svc_key_store_args.authentication_nonce      = AUTHEN_NONCE;
+    // try to create a new keystore, if it already exist, open it
+    open_svc_key_store_args.flags = (HSM_SVC_KEY_STORE_FLAGS_CREATE | HSM_SVC_KEY_STORE_FLAGS_STRICT_OPERATION);
+    err                           = hsm_open_key_store_service(hsm_session_hdl, &open_svc_key_store_args, &key_store_hdl);
+    if (err == HSM_KEY_STORE_CONFLICT)
+    {
+        ChipLogDetail(Crypto, "keystore already existed, open it...\n");
+        open_svc_key_store_args.flags = HSM_SVC_KEY_STORE_FLAGS_LOAD;
+        err                           = hsm_open_key_store_service(hsm_session_hdl, &open_svc_key_store_args, &key_store_hdl);
+        if (err != HSM_NO_ERROR)
+        {
+            ChipLogDetail(Crypto, "keystore open failed. ret:0x%x\n", err);
+            return;
+        }
+        else
+            ChipLogDetail(Crypto, "keystore open successfully.\n");
+    }
+    else
+    {
+        ChipLogDetail(Crypto, "keystore created successfully.\n");
+    }
+
+    // open key managerment service
+    open_svc_key_management_args_t key_mgmt_args = { 0 };
+    memset(&key_mgmt_args, 0, sizeof(key_mgmt_args));
+    err = hsm_open_key_management_service(key_store_hdl, &key_mgmt_args, &key_mgmt_hdl);
+    if (err != HSM_NO_ERROR)
+    {
+        ChipLogDetail(Crypto, "key management service open failed. ret:0x%x\n", err);
+        return;
+    }
+    else
+        ChipLogDetail(Crypto, "key management service open successfully.\n");
+}
+
+PersistentStorageOperationalKeystoreEle::~PersistentStorageOperationalKeystoreEle()
+{
+    hsm_err_t err;
+
+    ResetPendingKey(true);
+
+    ChipLogDetail(Crypto, "close all ELE services.\n");
+
+    err          = hsm_close_key_management_service(key_mgmt_hdl);
+    key_mgmt_hdl = 0;
+    ChipLogDetail(Crypto, "close key management service returns:0x%x\n", err);
+
+    err           = hsm_close_key_store_service(key_store_hdl);
+    key_store_hdl = 0;
+    ChipLogDetail(Crypto, "close key store service returns:0x%x\n", err);
+
+    err             = hsm_close_session(hsm_session_hdl);
+    hsm_session_hdl = 0;
+    ChipLogDetail(Crypto, "close ELE session returns:0x%x\n", err);
+}
+
+void PersistentStorageOperationalKeystoreEle::ResetPendingKey(bool delete_key)
+{
+    if ((mPendingFabricIndex != kUndefinedFabricIndex) && (delete_key))
+    {
+        EleDeleteKey(mPendingFabricIndex);
+    }
+    mIsExternallyOwnedKeypair = false;
+    mIsPendingKeypairActive   = false;
+    mPendingFabricIndex       = kUndefinedFabricIndex;
+}
+
+hsm_err_t PersistentStorageOperationalKeystoreEle::EleDeleteKey(uint32_t keyId)
+{
+    hsm_err_t err;
+    op_delete_key_args_t del_args;
+
+    memset(&del_args, 0, sizeof(del_args));
+    del_args.key_identifier = keyId;
+    del_args.flags          = 0;
+
+    err = hsm_delete_key(key_mgmt_hdl, &del_args);
+    if (err != HSM_NO_ERROR)
+    {
+        ChipLogDetail(Crypto, "Delete key %d failed. ret:0x%x\n", keyId, err);
+    }
+    else
+    {
+        ChipLogDetail(Crypto, "Delete key %d successfully.\n", keyId);
+    }
+
+    return err;
+}
+
+hsm_err_t PersistentStorageOperationalKeystoreEle::EleSignMessage(uint32_t keyId, const uint8_t * msg, size_t msgSize,
+                                                                  uint8_t * sig, size_t sigSize) const
+{
+    open_svc_sign_gen_args_t open_sig_gen_args;
+    op_generate_sign_args_t sig_gen_args;
+    hsm_hdl_t sig_gen_hdl;
+    hsm_err_t hsmret;
+
+    if ((msg == nullptr) || (sig == nullptr) || (sigSize == 0))
+    {
+        ChipLogDetail(Crypto, "Invalid parameters for generating signature.\n");
+        return HSM_INVALID_PARAM;
+    }
+
+    // open signature generation service
+    memset(&open_sig_gen_args, 0, sizeof(open_sig_gen_args));
+    hsmret = hsm_open_signature_generation_service(key_store_hdl, &open_sig_gen_args, &sig_gen_hdl);
+    if (hsmret != HSM_NO_ERROR)
+    {
+        ChipLogDetail(Crypto, "open signature generation service failed. ret:0x%x\n", hsmret);
+        return hsmret;
+    }
+
+    // generate signature
+    memset(&sig_gen_args, 0, sizeof(sig_gen_args));
+    sig_gen_args.key_identifier = keyId;
+    sig_gen_args.scheme_id      = HSM_SIGNATURE_SCHEME_ECDSA_SHA256;
+    sig_gen_args.message        = (uint8_t *) msg;
+    sig_gen_args.signature      = sig;
+    sig_gen_args.message_size   = msgSize;
+    sig_gen_args.signature_size = sigSize;
+    sig_gen_args.flags          = HSM_OP_GENERATE_SIGN_FLAGS_INPUT_MESSAGE;
+    hsmret                      = hsm_generate_signature(sig_gen_hdl, &sig_gen_args);
+    if (hsmret != HSM_NO_ERROR)
+    {
+        ChipLogDetail(Crypto, "generate signature failed. ret:0x%x\n", hsmret);
+        return hsmret;
+    }
+
+    // close signature generation service
+    hsmret = hsm_close_signature_generation_service(sig_gen_hdl);
+    if (hsmret != HSM_NO_ERROR)
+    {
+        ChipLogDetail(Crypto, "close signature generation service failed. ret:0x%x\n", hsmret);
+    }
+
+    return hsmret;
+}
+
+static void add_tlv(uint8_t * buf, size_t buf_index, uint8_t tag, size_t len, uint8_t * val)
+{
+    buf[buf_index++] = (uint8_t) tag;
+    buf[buf_index++] = (uint8_t) len;
+    if (len > 0 && val != NULL)
+    {
+        memcpy(&buf[buf_index], val, len);
+        buf_index = buf_index + len;
+    }
+}
+
+/*
+ * CSR format used in the below function,
+ *
+ *
+ *    (ASN1_CONSTRUCTED | ASN1_SEQUENCE) LENGTH
+ *
+ *        (ASN1_CONSTRUCTED | ASN1_SEQUENCE) LENGTH
+ *
+ *            VERSION ::=  INTEGER  {  v1(0), v2(1), v3(2)  }
+ *
+ *            (ASN1_CONSTRUCTED | ASN1_SEQUENCE) LENGTH
+ *
+ *                (ASN1_CONSTRUCTED | ASN1_SET) LENGTH
+ *
+ *                    (ASN1_CONSTRUCTED | ASN1_SEQUENCE) LENGTH
+ *
+ *                        (ASN1_OID) LENGTH VALUE(Organisation OID)
+ *
+ *                        (ASN1_UTF8_STRING) LENGTH VALUE(Subject Str == "CSR")
+ *
+ *            PUBLIC KEY {WITH HEADER. 91 Bytes}
+ *
+ *        (ASN1_CONSTRUCTED | ASN1_SEQUENCE) LENGTH
+ *
+ *            (ASN1_OID) LENGTH VALUE(ECDSA SHA256 OID)
+ *
+ *            (ASN1_NULL) 0x00
+ *
+ *        (ASN1_BIT_STRING) LENGTH VALUE(SIGNATURE)
+ *
+ */
+CHIP_ERROR PersistentStorageOperationalKeystoreEle::EleGenerateCSR(uint32_t keyId, uint8_t * csr, size_t & csrLength)
+{
+    CHIP_ERROR error = CHIP_ERROR_INTERNAL;
+    hsm_err_t hsmret = HSM_NO_ERROR;
+
+    uint8_t data_to_hash[128] = { 0 };
+    size_t data_to_hash_len   = sizeof(data_to_hash);
+    uint8_t pubKey[128]       = { 0 };
+    size_t pubKeyLen          = 0;
+    uint8_t signature[128]    = { 0 };
+    size_t signature_len      = 0x44;
+    int signature_index       = 0;
+    uint8_t signature_data[64];
+    size_t csrIndex     = 0;
+    size_t buffer_index = data_to_hash_len;
+
+    uint8_t organisation_oid[3] = { 0x55, 0x04, 0x0a };
+    // Version  ::=  INTEGER  {  v1(0), v2(1), v3(2)  }
+    uint8_t version[3]            = { 0x02, 0x01, 0x00 };
+    uint8_t signature_oid[8]      = { 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02 };
+    uint8_t nist256_header[]      = { 0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x02, 0x01,
+                                      0x06, 0x08, 0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x03, 0x01, 0x07, 0x03, 0x42, 0x00 };
+    uint8_t signature_header_t1[] = { 0x02, 0x20 };
+    uint8_t signature_header_t2[] = { 0x02, 0x21, 0x00 };
+
+    // No extensions are copied
+    buffer_index -= kTlvHeader;
+    add_tlv(data_to_hash, buffer_index, (ASN1_CONSTRUCTED | ASN1_CONTEXT_SPECIFIC), 0, NULL);
+
+    // Copy public key (with header)
+    {
+        // copy header first
+        memcpy(pubKey, nist256_header, sizeof(nist256_header));
+        pubKeyLen = pubKeyLen + sizeof(nist256_header);
+
+        // public key size is 65
+        pubKey[pubKeyLen] = 0x04;
+        pubKeyLen++;
+
+        op_pub_key_recovery_args_t args = { 0 };
+        args.key_identifier             = keyId;
+        args.out_key_size               = 64;
+        args.out_key                    = (pubKey + pubKeyLen);
+        hsmret                          = hsm_pub_key_recovery(key_store_hdl, &args);
+        VerifyOrExit(hsmret == HSM_NO_ERROR, error = CHIP_ERROR_HSM);
+        pubKeyLen += 64;
+    }
+
+    buffer_index -= pubKeyLen;
+    VerifyOrExit(buffer_index > 0, error = CHIP_ERROR_INTERNAL);
+    memcpy((void *) &data_to_hash[buffer_index], pubKey, pubKeyLen);
+
+    // Copy subject (in the current implementation only organisation name info is added) and organisation OID
+    buffer_index -= (kTlvHeader + sizeof(SUBJECT_STR) - 1);
+    VerifyOrExit(buffer_index > 0, error = CHIP_ERROR_INTERNAL);
+    add_tlv(data_to_hash, buffer_index, ASN1_UTF8_STRING, sizeof(SUBJECT_STR) - 1, (uint8_t *) SUBJECT_STR);
+
+    buffer_index -= (kTlvHeader + sizeof(organisation_oid));
+    VerifyOrExit(buffer_index > 0, error = CHIP_ERROR_INTERNAL);
+    add_tlv(data_to_hash, buffer_index, ASN1_OID, sizeof(organisation_oid), organisation_oid);
+
+    // Add length
+    buffer_index -= kTlvHeader;
+    // Subject TLV ==> 1 + 1 + len(subject)
+    // Org OID TLV ==> 1 + 1 + len(organisation_oid)
+    VerifyOrExit(buffer_index > 0, error = CHIP_ERROR_INTERNAL);
+    add_tlv(data_to_hash, buffer_index, (ASN1_CONSTRUCTED | ASN1_SEQUENCE),
+            ((2 * kTlvHeader) + (sizeof(SUBJECT_STR) - 1) + sizeof(organisation_oid)), NULL);
+
+    buffer_index -= kTlvHeader;
+    VerifyOrExit(buffer_index > 0, error = CHIP_ERROR_INTERNAL);
+    add_tlv(data_to_hash, buffer_index, (ASN1_CONSTRUCTED | ASN1_SET),
+            ((3 * kTlvHeader) + (sizeof(SUBJECT_STR) - 1) + sizeof(organisation_oid)), NULL);
+
+    buffer_index -= kTlvHeader;
+    VerifyOrExit(buffer_index > 0, error = CHIP_ERROR_INTERNAL);
+    add_tlv(data_to_hash, buffer_index, (ASN1_CONSTRUCTED | ASN1_SEQUENCE),
+            ((4 * kTlvHeader) + (sizeof(SUBJECT_STR) - 1) + sizeof(organisation_oid)), NULL);
+
+    buffer_index -= 3;
+    VerifyOrExit(buffer_index > 0, error = CHIP_ERROR_INTERNAL);
+    memcpy((void *) &data_to_hash[buffer_index], version, sizeof(version));
+
+    buffer_index -= kTlvHeader;
+    VerifyOrExit(buffer_index > 0, error = CHIP_ERROR_INTERNAL);
+    add_tlv(data_to_hash, buffer_index, (ASN1_CONSTRUCTED | ASN1_SEQUENCE), (data_to_hash_len - buffer_index - kTlvHeader), NULL);
+
+    // TLV data is created by copying from backwards. move it to start of buffer.
+    data_to_hash_len = (data_to_hash_len - buffer_index);
+    memmove(data_to_hash, (data_to_hash + buffer_index), data_to_hash_len);
+
+    hsmret = EleSignMessage(keyId, (uint8_t *) data_to_hash, data_to_hash_len, signature_data, sizeof(signature_data));
+    VerifyOrExit(hsmret == HSM_NO_ERROR, error = CHIP_ERROR_HSM);
+
+    if (signature_data[0] > 0x7F)
+    {
+        signature_len += 1;
+        memcpy(signature, signature_header_t2, sizeof(signature_header_t2));
+        signature_index += 3;
+    }
+    else
+    {
+        memcpy(signature, signature_header_t1, sizeof(signature_header_t1));
+        signature_index += 2;
+    }
+    memcpy(&signature[signature_index], signature_data, 32);
+    signature_index += 32;
+    if (signature_data[32] > 0x7F)
+    {
+        signature_len += 1;
+        memcpy(&signature[signature_index], signature_header_t2, 3);
+        signature_index += 3;
+    }
+    else
+    {
+        memcpy(&signature[signature_index], signature_header_t1, 2);
+        signature_index += 2;
+    }
+    memcpy(&signature[signature_index], &signature_data[32], 32);
+
+    VerifyOrExit((csrIndex + 3) <= csrLength, error = CHIP_ERROR_INTERNAL);
+    csr[csrIndex++] = (ASN1_CONSTRUCTED | ASN1_SEQUENCE);
+    if ((data_to_hash_len + 14 + kTlvHeader + signature_len) >= 0x80)
+        csr[csrIndex++] = 0x81;
+    csr[csrIndex++] = (uint8_t) (data_to_hash_len + sizeof(signature_oid) + (kTlvHeader * 2) + 5 + signature_len);
+
+    VerifyOrExit((csrIndex + data_to_hash_len) <= csrLength, error = CHIP_ERROR_INTERNAL);
+    memcpy((csr + csrIndex), data_to_hash, data_to_hash_len);
+    csrIndex = csrIndex + data_to_hash_len;
+
+    // ECDSA SHA256 Signature OID TLV ==> 1 + 1 + len(signature_oid) (8)
+    // ASN_NULL ==> 1 + 1
+    VerifyOrExit((csrIndex + kTlvHeader) <= csrLength, error = CHIP_ERROR_INTERNAL);
+    add_tlv(csr, csrIndex, (ASN1_CONSTRUCTED | ASN1_SEQUENCE), 0x0A, NULL);
+    csrIndex = csrIndex + kTlvHeader;
+
+    VerifyOrExit((csrIndex + sizeof(signature_oid) + kTlvHeader) <= csrLength, error = CHIP_ERROR_INTERNAL);
+    add_tlv(csr, csrIndex, ASN1_OID, sizeof(signature_oid), signature_oid);
+    csrIndex = csrIndex + kTlvHeader + sizeof(signature_oid);
+
+    // VerifyOrExit((csrIndex + kTlvHeader) <= csrLength, error = CHIP_ERROR_INTERNAL);
+    //  add_tlv(csr, csrIndex, ASN1_NULL, 0x00, NULL);
+    //  csrIndex = csrIndex + kTlvHeader;
+
+    VerifyOrExit((csrIndex + 5) <= csrLength, error = CHIP_ERROR_INTERNAL);
+    csr[csrIndex++] = ASN1_BIT_STRING;
+    csr[csrIndex++] = signature_len + 3;
+    csr[csrIndex++] = 0x00;
+    csr[csrIndex++] = (ASN1_CONSTRUCTED | ASN1_SEQUENCE);
+    csr[csrIndex++] = signature_len;
+
+    VerifyOrExit((csrIndex + signature_len) <= csrLength, error = CHIP_ERROR_INTERNAL);
+    memcpy(&csr[csrIndex], signature, signature_len);
+    csrLength = (csrIndex + signature_len);
+
+    error = CHIP_NO_ERROR;
+
+exit:
+    return error;
+}
+
+bool PersistentStorageOperationalKeystoreEle::HasOpKeypairForFabric(FabricIndex fabricIndex) const
+{
+    op_get_key_attr_args_t keyattr_args;
+    hsm_err_t err;
+
+    VerifyOrReturnError(IsValidFabricIndex(fabricIndex), false);
+    // If there was a pending keypair, then there's really a usable key
+    if (mIsPendingKeypairActive && (fabricIndex == mPendingFabricIndex))
+    {
+        return true;
+    }
+
+    // get the key attributes, it shall fail if no such key
+    memset(&keyattr_args, 0, sizeof(keyattr_args));
+    keyattr_args.key_identifier = fabricIndex;
+    err                         = hsm_get_key_attr(key_mgmt_hdl, &keyattr_args);
+    if (err != HSM_NO_ERROR)
+    {
+        ChipLogDetail(Crypto, "No keypair for fabric: %d found. ELE returns: 0x%x\n", fabricIndex, err);
+        return false;
+    }
+    else
+    {
+        ChipLogDetail(Crypto, "Found keypair for fabric: %d.\n", fabricIndex);
+        return true;
+    }
+}
+
+CHIP_ERROR PersistentStorageOperationalKeystoreEle::NewOpKeypairForFabric(FabricIndex fabricIndex,
+                                                                          MutableByteSpan & outCertificateSigningRequest)
+{
+    op_generate_key_args_t key_gen_args;
+    op_get_key_attr_args_t keyattr_args;
+    uint32_t keyId;
+    hsm_err_t hsm_err;
+    CHIP_ERROR err;
+
+    VerifyOrReturnError(IsValidFabricIndex(fabricIndex), CHIP_ERROR_INVALID_FABRIC_INDEX);
+    // If a key is pending, we cannot generate for a different fabric index until we commit or revert.
+    if ((mPendingFabricIndex != kUndefinedFabricIndex) && (fabricIndex != mPendingFabricIndex))
+    {
+        return CHIP_ERROR_INVALID_FABRIC_INDEX;
+    }
+    VerifyOrReturnError(outCertificateSigningRequest.size() >= Crypto::kMIN_CSR_Buffer_Size, CHIP_ERROR_BUFFER_TOO_SMALL);
+
+    // Replace previous pending keypair
+    ResetPendingKey(true);
+
+    // Delete the key if alrady existed
+    memset(&keyattr_args, 0, sizeof(keyattr_args));
+    keyattr_args.key_identifier = fabricIndex;
+    hsm_err                     = hsm_get_key_attr(key_mgmt_hdl, &keyattr_args);
+    if (hsm_err == HSM_NO_ERROR)
+    {
+        ChipLogDetail(Crypto, "Keypair for fabric: %d exists, delete it...\n", fabricIndex);
+        EleDeleteKey(fabricIndex);
+    }
+
+    // Generate new key
+    memset(&key_gen_args, 0, sizeof(key_gen_args));
+    keyId                       = fabricIndex;
+    key_gen_args.key_identifier = &keyId;
+    key_gen_args.key_group      = KEY_GROUP;
+    key_gen_args.key_lifetime   = HSM_SE_KEY_STORAGE_PERSISTENT;
+    key_gen_args.key_usage =
+        HSM_KEY_USAGE_SIGN_HASH | HSM_KEY_USAGE_VERIFY_HASH | HSM_KEY_USAGE_SIGN_MSG | HSM_KEY_USAGE_VERIFY_MSG;
+    key_gen_args.permitted_algo = PERMITTED_ALGO_ECDSA_SHA256;
+    // "sync" flag is not set so the key won't be committed to NVM immediately.
+    // we will commit the key in the CommitOpKeypairForFabric().
+    key_gen_args.flags         = 0;
+    key_gen_args.key_type      = HSM_KEY_TYPE_ECC_NIST;
+    key_gen_args.bit_key_sz    = HSM_KEY_SIZE_ECC_NIST_256;
+    key_gen_args.key_lifecycle = (hsm_key_lifecycle_t) 0;
+    hsm_err                    = hsm_generate_key(key_mgmt_hdl, &key_gen_args);
+    ChipLogDetail(Crypto, "Generate new keypair returns: 0x%x\n", hsm_err);
+    if (hsm_err != HSM_NO_ERROR)
+        return CHIP_ERROR_HSM;
+
+    // generate the CSR
+    size_t csrLength = outCertificateSigningRequest.size();
+    err              = EleGenerateCSR(keyId, outCertificateSigningRequest.data(), csrLength);
+    if (err != CHIP_NO_ERROR)
+    {
+        ResetPendingKey(true);
+        return err;
+    }
+
+    outCertificateSigningRequest.reduce_size(csrLength);
+    mPendingFabricIndex = fabricIndex;
+
+    return CHIP_NO_ERROR;
+}
+
+CHIP_ERROR PersistentStorageOperationalKeystoreEle::ActivateOpKeypairForFabric(FabricIndex fabricIndex,
+                                                                               const Crypto::P256PublicKey & nocPublicKey)
+{
+    uint8_t pubkey[PUBKEY_SIZE];
+    hsm_err_t hsmret = HSM_NO_ERROR;
+
+    VerifyOrReturnError(IsValidFabricIndex(fabricIndex) && (fabricIndex == mPendingFabricIndex), CHIP_ERROR_INVALID_FABRIC_INDEX);
+
+    // Validate public key being activated matches last generated pending keypair
+    // public key size is 65
+    pubkey[0] = 0x04;
+
+    op_pub_key_recovery_args_t args = { 0 };
+    args.key_identifier             = fabricIndex;
+    args.out_key_size               = 64;
+    args.out_key                    = &pubkey[1];
+    hsmret                          = hsm_pub_key_recovery(key_store_hdl, &args);
+    if (hsmret != HSM_NO_ERROR)
+    {
+        ChipLogDetail(Crypto, "recover public key failed. ret:0x%x\n", hsmret);
+        return CHIP_ERROR_HSM;
+    }
+
+    if (memcmp(pubkey, nocPublicKey.ConstBytes(), sizeof(pubkey)))
+    {
+        ChipLogDetail(Crypto, "the public key being activated doesn't match pending key.\n");
+        return CHIP_ERROR_INVALID_PUBLIC_KEY;
+    }
+
+    mIsPendingKeypairActive = true;
+
+    return CHIP_NO_ERROR;
+}
+
+CHIP_ERROR PersistentStorageOperationalKeystoreEle::CommitOpKeypairForFabric(FabricIndex fabricIndex)
+{
+    hsm_err_t hsmret = HSM_NO_ERROR;
+    VerifyOrReturnError(IsValidFabricIndex(fabricIndex) && (fabricIndex == mPendingFabricIndex), CHIP_ERROR_INVALID_FABRIC_INDEX);
+    VerifyOrReturnError(mIsPendingKeypairActive == true, CHIP_ERROR_INCORRECT_STATE);
+
+    // Try to store persistent key. On failure, leave everything pending as-is
+    op_manage_key_group_args_t keygroup_args;
+    memset(&keygroup_args, 0, sizeof(keygroup_args));
+    keygroup_args.key_group = KEY_GROUP;
+    keygroup_args.flags     = KEY_GROUP_SYNC;
+    hsmret                  = hsm_manage_key_group(key_mgmt_hdl, &keygroup_args);
+    if (hsmret != HSM_NO_ERROR)
+    {
+        ChipLogDetail(Crypto, "commit key failed. ret: 0x%x\n", hsmret);
+        ReturnErrorOnFailure(CHIP_ERROR_INTERNAL);
+    }
+    else
+    {
+        ChipLogDetail(Crypto, "commit key successfully.\n");
+    }
+
+    // If we got here, we succeeded and can reset the pending key: next `SignWithOpKeypair` will use the stored key.
+    ResetPendingKey(false);
+    return CHIP_NO_ERROR;
+}
+
+CHIP_ERROR PersistentStorageOperationalKeystoreEle::RemoveOpKeypairForFabric(FabricIndex fabricIndex)
+{
+    hsm_err_t hsmret = HSM_NO_ERROR;
+    op_get_key_attr_args_t keyattr_args;
+
+    VerifyOrReturnError(IsValidFabricIndex(fabricIndex), CHIP_ERROR_INVALID_FABRIC_INDEX);
+
+    // Remove pending state if matching
+    if ((fabricIndex == mPendingFabricIndex))
+    {
+        ResetPendingKey(true);
+        return CHIP_NO_ERROR;
+    }
+
+    // get the key attributes, it shall fail if no such key.
+    memset(&keyattr_args, 0, sizeof(keyattr_args));
+    keyattr_args.key_identifier = fabricIndex;
+    hsmret                      = hsm_get_key_attr(key_mgmt_hdl, &keyattr_args);
+    if (hsmret != HSM_NO_ERROR)
+    {
+        ChipLogDetail(Crypto, "No keypair for fabric: %d found. No need to delete\n", fabricIndex);
+        return CHIP_NO_ERROR;
+    }
+    else
+    {
+        hsmret = EleDeleteKey(fabricIndex);
+        if (hsmret != HSM_NO_ERROR)
+            return CHIP_ERROR_HSM;
+    }
+
+    return CHIP_NO_ERROR;
+}
+
+void PersistentStorageOperationalKeystoreEle::RevertPendingKeypair()
+{
+    // Just reset the pending key, it hasn't been stored into secure storage.
+    ResetPendingKey(true);
+}
+
+CHIP_ERROR PersistentStorageOperationalKeystoreEle::SignWithOpKeypair(FabricIndex fabricIndex, const ByteSpan & message,
+                                                                      Crypto::P256ECDSASignature & outSignature) const
+{
+    uint8_t sig[kP256_ECDSA_Signature_Length_Raw];
+    hsm_err_t hsmret = HSM_NO_ERROR;
+
+    VerifyOrReturnError(IsValidFabricIndex(fabricIndex), CHIP_ERROR_INVALID_FABRIC_INDEX);
+
+    hsmret = EleSignMessage(fabricIndex, message.data(), message.size(), sig, kP256_ECDSA_Signature_Length_Raw);
+    VerifyOrReturnError(hsmret == HSM_NO_ERROR, CHIP_ERROR_INTERNAL);
+    VerifyOrReturnError(outSignature.SetLength(kP256_ECDSA_Signature_Length_Raw) == CHIP_NO_ERROR, CHIP_ERROR_INTERNAL);
+    memcpy(outSignature.Bytes(), sig, kP256_ECDSA_Signature_Length_Raw);
+
+    return CHIP_NO_ERROR;
+}
+
+Crypto::P256Keypair * PersistentStorageOperationalKeystoreEle::AllocateEphemeralKeypairForCASE()
+{
+    return Platform::New<Crypto::P256Keypair>();
+}
+
+void PersistentStorageOperationalKeystoreEle::ReleaseEphemeralKeypair(Crypto::P256Keypair * keypair)
+{
+    Platform::Delete<Crypto::P256Keypair>(keypair);
+}
+
+} // namespace ele
+} // namespace chip
diff --git a/examples/platform/linux/PersistentStorageOperationalKeystoreEle.h b/examples/platform/linux/PersistentStorageOperationalKeystoreEle.h
new file mode 100644
index 00000000000000..1a74ab2760415c
--- /dev/null
+++ b/examples/platform/linux/PersistentStorageOperationalKeystoreEle.h
@@ -0,0 +1,81 @@
+/*
+ *    Copyright (c) 2022 Project CHIP Authors
+ *    All rights reserved.
+ *
+ *    Licensed under the Apache License, Version 2.0 (the "License");
+ *    you may not use this file except in compliance with the License.
+ *    You may obtain a copy of the License at
+ *
+ *        http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *    Unless required by applicable law or agreed to in writing, software
+ *    distributed under the License is distributed on an "AS IS" BASIS,
+ *    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *    See the License for the specific language governing permissions and
+ *    limitations under the License.
+ *
+ *    Copyright 2023 NXP
+ */
+
+#pragma once
+
+#include <crypto/OperationalKeystore.h>
+#include <lib/core/CHIPError.h>
+#include <lib/support/CHIPMem.h>
+#include <lib/support/CodeUtils.h>
+
+#include "hsm_api.h"
+
+namespace chip {
+namespace ele {
+
+/**
+ * @brief OperationalKeystore implementation making use of ELE secure storage
+ *        to load/store keypairs.
+ *
+ */
+class PersistentStorageOperationalKeystoreEle : public Crypto::OperationalKeystore
+{
+public:
+    PersistentStorageOperationalKeystoreEle();
+    ~PersistentStorageOperationalKeystoreEle();
+
+    // Non-copyable
+    PersistentStorageOperationalKeystoreEle(PersistentStorageOperationalKeystoreEle const &) = delete;
+    void operator=(PersistentStorageOperationalKeystoreEle const &)                          = delete;
+
+    bool HasPendingOpKeypair() const override { return (mPendingFabricIndex != kUndefinedFabricIndex); }
+
+    bool HasOpKeypairForFabric(FabricIndex fabricIndex) const override;
+    CHIP_ERROR NewOpKeypairForFabric(FabricIndex fabricIndex, MutableByteSpan & outCertificateSigningRequest) override;
+    CHIP_ERROR ActivateOpKeypairForFabric(FabricIndex fabricIndex, const Crypto::P256PublicKey & nocPublicKey) override;
+    CHIP_ERROR CommitOpKeypairForFabric(FabricIndex fabricIndex) override;
+    CHIP_ERROR RemoveOpKeypairForFabric(FabricIndex fabricIndex) override;
+    void RevertPendingKeypair() override;
+    CHIP_ERROR SignWithOpKeypair(FabricIndex fabricIndex, const ByteSpan & message,
+                                 Crypto::P256ECDSASignature & outSignature) const override;
+
+    Crypto::P256Keypair * AllocateEphemeralKeypairForCASE() override;
+    void ReleaseEphemeralKeypair(Crypto::P256Keypair * keypair) override;
+
+protected:
+    FabricIndex mPendingFabricIndex = kUndefinedFabricIndex;
+    bool mIsPendingKeypairActive    = false;
+
+    // If overridding NewOpKeypairForFabric method in a subclass, set this to true in
+    // `NewOpKeypairForFabric` if the mPendingKeypair should not be deleted when no longer in use.
+    bool mIsExternallyOwnedKeypair = false;
+
+private:
+    void ResetPendingKey(bool delete_key);
+    hsm_err_t EleDeleteKey(uint32_t keyId);
+    CHIP_ERROR EleGenerateCSR(uint32_t keyId, uint8_t * csr, size_t & csrLength);
+    hsm_err_t EleSignMessage(uint32_t keyId, const uint8_t * msg, size_t msgSize, uint8_t * sig, size_t sigSize) const;
+
+    hsm_hdl_t hsm_session_hdl = 0;
+    hsm_hdl_t key_store_hdl   = 0;
+    hsm_hdl_t key_mgmt_hdl    = 0;
+};
+
+} // namespace ele
+} // namespace chip
diff --git a/examples/platform/linux/PersistentStorageOperationalKeystoreTrusty.cpp b/examples/platform/linux/PersistentStorageOperationalKeystoreTrusty.cpp
new file mode 100644
index 00000000000000..00f937c17d5349
--- /dev/null
+++ b/examples/platform/linux/PersistentStorageOperationalKeystoreTrusty.cpp
@@ -0,0 +1,176 @@
+/*
+ *    Copyright (c) 2022 Project CHIP Authors
+ *    All rights reserved.
+ *
+ *    Licensed under the Apache License, Version 2.0 (the "License");
+ *    you may not use this file except in compliance with the License.
+ *    You may obtain a copy of the License at
+ *
+ *        http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *    Unless required by applicable law or agreed to in writing, software
+ *    distributed under the License is distributed on an "AS IS" BASIS,
+ *    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *    See the License for the specific language governing permissions and
+ *    limitations under the License.
+ *
+ *    Copyright 2023 NXP
+ */
+
+#include <crypto/OperationalKeystore.h>
+#include <lib/core/CHIPError.h>
+#include <lib/core/CHIPPersistentStorageDelegate.h>
+#include <lib/core/DataModelTypes.h>
+#include <lib/support/CHIPMem.h>
+#include <lib/support/CodeUtils.h>
+#include <lib/support/DefaultStorageKeyAllocator.h>
+#include <lib/support/SafeInt.h>
+
+#include "PersistentStorageOperationalKeystoreTrusty.h"
+
+using namespace matter;
+
+namespace chip {
+namespace Trusty {
+
+using namespace chip::Crypto;
+
+bool PersistentStorageOperationalKeystoreTrusty::HasOpKeypairForFabric(FabricIndex fabricIndex) const
+{
+    VerifyOrReturnError(IsValidFabricIndex(fabricIndex), false);
+
+    // If there was a pending keypair, then there's really a usable key
+    if (mIsPendingKeypairActive && (fabricIndex == mPendingFabricIndex) && (mPendingKeypair != nullptr))
+    {
+        return true;
+    }
+
+    return trusty_matter.HasOpKeypairForFabric(fabricIndex);
+}
+
+CHIP_ERROR PersistentStorageOperationalKeystoreTrusty::NewOpKeypairForFabric(FabricIndex fabricIndex,
+                                                                             MutableByteSpan & outCertificateSigningRequest)
+{
+    VerifyOrReturnError(IsValidFabricIndex(fabricIndex), CHIP_ERROR_INVALID_FABRIC_INDEX);
+    // If a key is pending, we cannot generate for a different fabric index until we commit or revert.
+    if ((mPendingFabricIndex != kUndefinedFabricIndex) && (fabricIndex != mPendingFabricIndex))
+    {
+        return CHIP_ERROR_INVALID_FABRIC_INDEX;
+    }
+    VerifyOrReturnError(outCertificateSigningRequest.size() >= Crypto::kMIN_CSR_Buffer_Size, CHIP_ERROR_BUFFER_TOO_SMALL);
+
+    // Replace previous pending keypair, if any was previously allocated
+    ResetPendingKey();
+
+    mPendingKeypair = Platform::New<Crypto::P256Keypair>();
+    VerifyOrReturnError(mPendingKeypair != nullptr, CHIP_ERROR_NO_MEMORY);
+
+    mPendingKeypair->fabricIndex = fabricIndex;
+    mPendingKeypair->Initialize(Crypto::ECPKeyTarget::ECDSA);
+    size_t csrLength = outCertificateSigningRequest.size();
+    CHIP_ERROR err   = mPendingKeypair->NewCertificateSigningRequest(outCertificateSigningRequest.data(), csrLength);
+    if (err != CHIP_NO_ERROR)
+    {
+        ResetPendingKey();
+        return err;
+    }
+
+    outCertificateSigningRequest.reduce_size(csrLength);
+    mPendingFabricIndex = fabricIndex;
+
+    return CHIP_NO_ERROR;
+}
+
+CHIP_ERROR PersistentStorageOperationalKeystoreTrusty::ActivateOpKeypairForFabric(FabricIndex fabricIndex,
+                                                                                  const Crypto::P256PublicKey & nocPublicKey)
+{
+    VerifyOrReturnError(mPendingKeypair != nullptr, CHIP_ERROR_INVALID_FABRIC_INDEX);
+    VerifyOrReturnError(IsValidFabricIndex(fabricIndex) && (fabricIndex == mPendingFabricIndex), CHIP_ERROR_INVALID_FABRIC_INDEX);
+
+    // Validate public key being activated matches last generated pending keypair
+    VerifyOrReturnError(mPendingKeypair->Pubkey().Matches(nocPublicKey), CHIP_ERROR_INVALID_PUBLIC_KEY);
+
+    mIsPendingKeypairActive = true;
+
+    return CHIP_NO_ERROR;
+}
+
+CHIP_ERROR PersistentStorageOperationalKeystoreTrusty::CommitOpKeypairForFabric(FabricIndex fabricIndex)
+{
+    int rc = 0;
+    VerifyOrReturnError(mPendingKeypair != nullptr, CHIP_ERROR_INVALID_FABRIC_INDEX);
+    VerifyOrReturnError(IsValidFabricIndex(fabricIndex) && (fabricIndex == mPendingFabricIndex), CHIP_ERROR_INVALID_FABRIC_INDEX);
+    VerifyOrReturnError(mIsPendingKeypairActive == true, CHIP_ERROR_INCORRECT_STATE);
+
+    // Try to store persistent key. On failure, leave everything pending as-is
+    rc = trusty_matter.CommitOpKeypairForFabric(mPendingKeypair->p256_handler, fabricIndex);
+    if (rc != MATTER_ERROR_OK)
+        ReturnErrorOnFailure(CHIP_ERROR_INTERNAL);
+
+    // If we got here, we succeeded and can reset the pending key: next `SignWithOpKeypair` will use the stored key.
+    ResetPendingKey();
+    return CHIP_NO_ERROR;
+}
+
+CHIP_ERROR PersistentStorageOperationalKeystoreTrusty::RemoveOpKeypairForFabric(FabricIndex fabricIndex)
+{
+    int rc = 0;
+    VerifyOrReturnError(IsValidFabricIndex(fabricIndex), CHIP_ERROR_INVALID_FABRIC_INDEX);
+
+    // Remove pending state if matching
+    if ((mPendingKeypair != nullptr) && (fabricIndex == mPendingFabricIndex))
+    {
+        RevertPendingKeypair();
+    }
+
+    rc = trusty_matter.RemoveOpKeypairForFabric(fabricIndex);
+    if (rc != MATTER_ERROR_OK)
+        return CHIP_ERROR_INVALID_FABRIC_INDEX;
+
+    return CHIP_NO_ERROR;
+}
+
+void PersistentStorageOperationalKeystoreTrusty::RevertPendingKeypair()
+{
+    // Just reset the pending key, it hasn't been stored into secure storage.
+    ResetPendingKey();
+}
+
+CHIP_ERROR PersistentStorageOperationalKeystoreTrusty::SignWithOpKeypair(FabricIndex fabricIndex, const ByteSpan & message,
+                                                                         Crypto::P256ECDSASignature & outSignature) const
+{
+    int rc          = 0;
+    size_t sig_size = 0;
+    uint8_t sig[kP256_ECDSA_Signature_Length_Raw];
+
+    VerifyOrReturnError(IsValidFabricIndex(fabricIndex), CHIP_ERROR_INVALID_FABRIC_INDEX);
+
+    if (mIsPendingKeypairActive && (fabricIndex == mPendingFabricIndex))
+    {
+        VerifyOrReturnError(mPendingKeypair != nullptr, CHIP_ERROR_INTERNAL);
+        // We have an override key: sign with it!
+        return mPendingKeypair->ECDSA_sign_msg(message.data(), message.size(), outSignature);
+    }
+
+    rc = trusty_matter.SignWithStoredOpKey(fabricIndex, message.data(), message.size(), sig, sig_size);
+    if (rc != MATTER_ERROR_OK)
+        return CHIP_ERROR_INTERNAL;
+
+    VerifyOrReturnError(sig_size == kP256_ECDSA_Signature_Length_Raw, CHIP_ERROR_INTERNAL);
+    VerifyOrReturnError(outSignature.SetLength(sig_size) == CHIP_NO_ERROR, CHIP_ERROR_INTERNAL);
+    memcpy(outSignature.Bytes(), sig, sig_size);
+    return CHIP_NO_ERROR;
+}
+
+Crypto::P256Keypair * PersistentStorageOperationalKeystoreTrusty::AllocateEphemeralKeypairForCASE()
+{
+    return Platform::New<Crypto::P256Keypair>();
+}
+
+void PersistentStorageOperationalKeystoreTrusty::ReleaseEphemeralKeypair(Crypto::P256Keypair * keypair)
+{
+    Platform::Delete<Crypto::P256Keypair>(keypair);
+}
+
+} // namespace Trusty
+} // namespace chip
diff --git a/examples/platform/linux/PersistentStorageOperationalKeystoreTrusty.h b/examples/platform/linux/PersistentStorageOperationalKeystoreTrusty.h
new file mode 100644
index 00000000000000..04ff0f8ba709f0
--- /dev/null
+++ b/examples/platform/linux/PersistentStorageOperationalKeystoreTrusty.h
@@ -0,0 +1,93 @@
+/*
+ *    Copyright (c) 2022 Project CHIP Authors
+ *    All rights reserved.
+ *
+ *    Licensed under the Apache License, Version 2.0 (the "License");
+ *    you may not use this file except in compliance with the License.
+ *    You may obtain a copy of the License at
+ *
+ *        http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *    Unless required by applicable law or agreed to in writing, software
+ *    distributed under the License is distributed on an "AS IS" BASIS,
+ *    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *    See the License for the specific language governing permissions and
+ *    limitations under the License.
+ *
+ *    Copyright 2023 NXP
+ */
+
+#pragma once
+
+#include <crypto/OperationalKeystore.h>
+#include <lib/core/CHIPError.h>
+#include <lib/support/CHIPMem.h>
+#include <lib/support/CodeUtils.h>
+
+#include <trusty_matter.h>
+
+using namespace matter;
+
+namespace chip {
+namespace Trusty {
+
+/**
+ * @brief OperationalKeystore implementation making use of Trusty secure storage
+ *        to load/store keypairs.
+ *
+ */
+class PersistentStorageOperationalKeystoreTrusty : public Crypto::OperationalKeystore
+{
+public:
+    PersistentStorageOperationalKeystoreTrusty() = default;
+    virtual ~PersistentStorageOperationalKeystoreTrusty() { Finish(); }
+
+    // Non-copyable
+    PersistentStorageOperationalKeystoreTrusty(PersistentStorageOperationalKeystoreTrusty const &) = delete;
+    void operator=(PersistentStorageOperationalKeystoreTrusty const &)                             = delete;
+
+    /**
+     * @brief Finalize the keystore, so that subsequent operations fail
+     */
+    void Finish() { ResetPendingKey(); }
+
+    bool HasPendingOpKeypair() const override { return (mPendingKeypair != nullptr); }
+
+    bool HasOpKeypairForFabric(FabricIndex fabricIndex) const override;
+    CHIP_ERROR NewOpKeypairForFabric(FabricIndex fabricIndex, MutableByteSpan & outCertificateSigningRequest) override;
+    CHIP_ERROR ActivateOpKeypairForFabric(FabricIndex fabricIndex, const Crypto::P256PublicKey & nocPublicKey) override;
+    CHIP_ERROR CommitOpKeypairForFabric(FabricIndex fabricIndex) override;
+    CHIP_ERROR RemoveOpKeypairForFabric(FabricIndex fabricIndex) override;
+    void RevertPendingKeypair() override;
+    CHIP_ERROR SignWithOpKeypair(FabricIndex fabricIndex, const ByteSpan & message,
+                                 Crypto::P256ECDSASignature & outSignature) const override;
+    Crypto::P256Keypair * AllocateEphemeralKeypairForCASE() override;
+    void ReleaseEphemeralKeypair(Crypto::P256Keypair * keypair) override;
+
+protected:
+    void ResetPendingKey()
+    {
+        if (!mIsExternallyOwnedKeypair && (mPendingKeypair != nullptr))
+        {
+            Platform::Delete(mPendingKeypair);
+        }
+        mPendingKeypair           = nullptr;
+        mIsExternallyOwnedKeypair = false;
+        mIsPendingKeypairActive   = false;
+        mPendingFabricIndex       = kUndefinedFabricIndex;
+    }
+
+    FabricIndex mPendingFabricIndex       = kUndefinedFabricIndex;
+    Crypto::P256Keypair * mPendingKeypair = nullptr;
+    bool mIsPendingKeypairActive          = false;
+
+    // If overridding NewOpKeypairForFabric method in a subclass, set this to true in
+    // `NewOpKeypairForFabric` if the mPendingKeypair should not be deleted when no longer in use.
+    bool mIsExternallyOwnedKeypair = false;
+
+private:
+    mutable TrustyMatter trusty_matter;
+};
+
+} // namespace Trusty
+} // namespace chip
diff --git a/scripts/examples/imxlinux_example.sh b/scripts/examples/imxlinux_example.sh
old mode 100755
new mode 100644
index 36ad7923d8c706..055ec996e7a331
--- a/scripts/examples/imxlinux_example.sh
+++ b/scripts/examples/imxlinux_example.sh
@@ -1,7 +1,7 @@
-#!/usr/bin/env bash
-
+#!/bin/bash
 #
 #    Copyright (c) 2022 Project CHIP Authors
+#    Copyright 2023, 2025 NXP
 #
 #    Licensed under the Apache License, Version 2.0 (the "License");
 #    you may not use this file except in compliance with the License.
@@ -18,11 +18,73 @@
 
 set -e
 set -x
-if [ "$#" != 2 && "$#" != 3 ]; then
-    exit -1
+helpFunction() {
+    cat <<EOF
+Usage: $0 -s|--src <src folder> -o|--out <out folder> [-d|--debug] [-n|--no-init] [-t|--trusty] [-m|--imx_ele]
+    -s, --src       Source folder
+    -o, --out       Output folder
+    -d, --debug     Debug build (optional)
+    -n, --no-init   No init mode (optional)
+    -t, --trusty    Build with Trusty OS backed security enhancement (optional)
+    -m, --imx_ele   Build with IMX ELE (EdgeLock Enclave) based security enhancement (optional)
+EOF
+    exit 1
+}
+
+trusty=0
+imx_ele=0
+imx_ele_path="third_party/imx-secure-enclave/repo/"
+release_build=true
+PARSED_OPTIONS="$(getopt -o s:o:tdmn --long src:,out:,trusty,imx_ele,debug,no-init -- "$@")"
+if [ $? -ne 0 ]; then
+    helpFunction
+fi
+eval set -- "$PARSED_OPTIONS"
+while true; do
+    case "$1" in
+        -s | --src)
+            src="$2"
+            shift 2
+            ;;
+        -o | --out)
+            out="$2"
+            shift 2
+            ;;
+        -t | --trusty)
+            trusty=1
+            shift
+            ;;
+        -m | --imx_ele)
+            imx_ele=1
+            shift
+            ;;
+        -d | --debug)
+            release_build=false
+            shift
+            ;;
+        -n | --no-init)
+            no_init=1
+            shift
+            ;;
+        --)
+            shift
+            break
+            ;;
+        *)
+            echo "Invalid option: $1" >&2
+            exit 1
+            ;;
+    esac
+done
+
+if [ -z "$src" ] || [ -z "$out" ]; then
+    echo "Some or all of the required -s|--src and -o|--out parameters are empty."
+    helpFunction
 fi
 
-source "$(dirname "$0")/../../scripts/activate.sh"
+if [ "$no_init" != 1 ]; then
+    source "$(dirname "$0")/../../scripts/activate.sh"
+fi
 
 if [ "$IMX_SDK_ROOT" = "" -o ! -d "$IMX_SDK_ROOT" ]; then
     echo "the Yocto SDK path is not specified with the shell env IMX_SDK_ROOT or an invalid path is specified"
@@ -100,13 +162,19 @@ if [ -z "$target_cpu" -o -z "$cross_compile" ]; then
     exit 1
 fi
 
-release_build=true
-if [ "$3" = "debug" ]; then
-    release_build=false
+if [ "$imx_ele" -ne 0 ]; then
+    if [ -f "$imx_ele_path/Makefile" ]; then
+        make -C "third_party/imx-secure-enclave/repo" "install_version"
+    else
+        echo "Makefile does not exist in $imx_ele_path."
+        exit 1
+    fi
 fi
 
 PLATFORM_CFLAGS='-DCHIP_DEVICE_CONFIG_WIFI_STATION_IF_NAME=\"mlan0\"", "-DCHIP_DEVICE_CONFIG_LINUX_DHCPC_CMD=\"udhcpc -b -i %s \"'
-gn gen --check --fail-on-unused-args --root="$1" "$2" --args="target_os=\"linux\" target_cpu=\"$target_cpu\" arm_arch=\"$arm_arch\"
+gn gen --check --fail-on-unused-args --root="$src" "$out" --args="target_os=\"linux\" target_cpu=\"$target_cpu\" arm_arch=\"$arm_arch\"
+chip_with_trusty_os=$trusty
+chip_with_imx_ele=$imx_ele
 treat_warnings_as_errors=false
 import(\"//build_overrides/build.gni\")
 sysroot=\"$sdk_target_sysroot\"
@@ -117,4 +185,4 @@ target_cxx=\"$IMX_SDK_ROOT/sysroots/x86_64-pokysdk-linux/usr/bin/$cross_compile/
 target_ar=\"$IMX_SDK_ROOT/sysroots/x86_64-pokysdk-linux/usr/bin/$cross_compile/$cross_compile-ar\"
 $(if [ "$release_build" = "true" ]; then echo "is_debug=false"; else echo "optimize_debug=true"; fi)"
 
-ninja -C "$2"
+ninja -C "$out"
diff --git a/src/crypto/BUILD.gn b/src/crypto/BUILD.gn
index 746126873e5b58..29dc2ae7289ca7 100644
--- a/src/crypto/BUILD.gn
+++ b/src/crypto/BUILD.gn
@@ -1,4 +1,5 @@
 # Copyright (c) 2020 Project CHIP Authors
+# Copyright 2025 NXP
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -20,6 +21,9 @@ import("${chip_root}/build/chip/buildconfig_header.gni")
 
 import("crypto.gni")
 
+import("${chip_root}/src/lib/imx_ele.gni")
+import("${chip_root}/src/lib/trusty.gni")
+
 if (chip_crypto == "") {
   if (current_os == "android" || current_os == "freertos" ||
       current_os == "zephyr" || current_os == "mbed" || current_os == "webos" ||
@@ -74,6 +78,12 @@ buildconfig_header("crypto_buildconfig") {
     "CHIP_CRYPTO_BORINGSSL=${chip_crypto_boringssl}",
     "CHIP_CRYPTO_PLATFORM=${chip_crypto_platform}",
   ]
+
+  if (chip_with_trusty_os == 1) {
+    defines += [ "CHIP_CRYPTO_TRUSTY_OS=1" ]
+  } else {
+    defines += [ "CHIP_CRYPTO_TRUSTY_OS=0" ]
+  }
 }
 
 source_set("public_headers") {
@@ -92,6 +102,10 @@ source_set("public_headers") {
     "${chip_root}/src/lib/support",
     "${nlassert_root}:nlassert",
   ]
+
+  if (chip_with_trusty_os == 1) {
+    public_deps += [ "${chip_root}/third_party/libtrustymatter" ]
+  }
 }
 
 if (chip_crypto == "openssl") {
diff --git a/src/crypto/CHIPCryptoPAL.h b/src/crypto/CHIPCryptoPAL.h
index 8d6c8ba6feb21f..c69bc12594de8d 100644
--- a/src/crypto/CHIPCryptoPAL.h
+++ b/src/crypto/CHIPCryptoPAL.h
@@ -1,6 +1,7 @@
 /*
  *
  *    Copyright (c) 2020-2023 Project CHIP Authors
+ *    Copyright 2025 NXP
  *
  *    Licensed under the Apache License, Version 2.0 (the "License");
  *    you may not use this file except in compliance with the License.
@@ -588,6 +589,11 @@ class P256Keypair : public P256KeypairBase
     /** Release resources associated with this key pair */
     void Clear();
 
+#if CHIP_CRYPTO_TRUSTY_OS
+    uint64_t p256_handler = 0;
+    uint8_t fabricIndex   = 0;
+#endif
+
 protected:
     P256PublicKey mPublicKey;
     mutable P256KeypairContext mKeypair;
diff --git a/src/crypto/CHIPCryptoPALOpenSSL.cpp b/src/crypto/CHIPCryptoPALOpenSSL.cpp
index 9f2592a12aee0c..6fe04fa9408e8d 100644
--- a/src/crypto/CHIPCryptoPALOpenSSL.cpp
+++ b/src/crypto/CHIPCryptoPALOpenSSL.cpp
@@ -1,6 +1,7 @@
 /*
  *
  *    Copyright (c) 2020-2023 Project CHIP Authors
+ *    Copyright 2025 NXP
  *
  *    Licensed under the Apache License, Version 2.0 (the "License");
  *    you may not use this file except in compliance with the License.
@@ -55,9 +56,18 @@
 
 #include <string.h>
 
+#if CHIP_CRYPTO_TRUSTY_OS
+#include <trusty_matter.h>
+using namespace matter;
+#endif
+
 namespace chip {
 namespace Crypto {
 
+#if CHIP_CRYPTO_TRUSTY_OS
+TrustyMatter trusty_matter;
+#endif
+
 // BoringSSL is designed to implement the same interface as OpenSSL in most
 // cases. However, it removes some APIs that can allow very weak configuration.
 // (Example: CCM ciphers with low tag lengths.) In order to support Matter,
@@ -744,6 +754,43 @@ static inline const EC_KEY * to_const_EC_KEY(const P256KeypairContext * context)
     return *SafePointerCast<const EC_KEY * const *>(context);
 }
 
+#if CHIP_CRYPTO_TRUSTY_OS
+CHIP_ERROR P256Keypair::ECDSA_sign_msg(const uint8_t * msg, const size_t msg_length, P256ECDSASignature & out_signature) const
+{
+    CHIP_ERROR error = CHIP_NO_ERROR;
+    size_t sig_size  = 0;
+    int rc           = 0;
+
+    VerifyOrReturnError((msg != nullptr) && (msg_length > 0), CHIP_ERROR_INVALID_ARGUMENT);
+
+    uint8_t digest[kSHA256_Hash_Length];
+    uint8_t sig[kP256_ECDSA_Signature_Length_Raw];
+    memset(&digest[0], 0, sizeof(digest));
+    memset(&sig[0], 0, sizeof(sig));
+
+    ReturnErrorOnFailure(Hash_SHA256(msg, msg_length, &digest[0]));
+
+    ERR_clear_error();
+
+    static_assert(P256ECDSASignature::Capacity() >= kP256_ECDSA_Signature_Length_Raw, "P256ECDSASignature must be large enough");
+    VerifyOrExit(mInitialized, error = CHIP_ERROR_UNINITIALIZED);
+
+    rc = trusty_matter.P256KeypairECSignMsg(p256_handler, digest, kSHA256_Hash_Length, sig, sig_size);
+    VerifyOrExit(rc == MATTER_ERROR_OK, error = CHIP_ERROR_INTERNAL);
+    VerifyOrExit(sig_size == kP256_ECDSA_Signature_Length_Raw, error = CHIP_ERROR_INTERNAL);
+
+    VerifyOrExit(out_signature.SetLength(kP256_ECDSA_Signature_Length_Raw) == CHIP_NO_ERROR, error = CHIP_ERROR_INTERNAL);
+    memcpy(out_signature.Bytes() + 0u, sig, sig_size);
+
+exit:
+    if (error != CHIP_NO_ERROR)
+    {
+        _logSSLError();
+    }
+
+    return error;
+}
+#else
 CHIP_ERROR P256Keypair::ECDSA_sign_msg(const uint8_t * msg, const size_t msg_length, P256ECDSASignature & out_signature) const
 {
     CHIP_ERROR error = CHIP_NO_ERROR;
@@ -799,6 +846,7 @@ CHIP_ERROR P256Keypair::ECDSA_sign_msg(const uint8_t * msg, const size_t msg_len
 
     return error;
 }
+#endif
 
 CHIP_ERROR P256PublicKey::ECDSA_validate_msg_signature(const uint8_t * msg, const size_t msg_length,
                                                        const P256ECDSASignature & signature) const
@@ -968,6 +1016,25 @@ static CHIP_ERROR _create_evp_key_from_binary_p256_key(const P256PublicKey & key
     return error;
 }
 
+#if CHIP_CRYPTO_TRUSTY_OS
+CHIP_ERROR P256Keypair::ECDH_derive_secret(const P256PublicKey & remote_public_key, P256ECDHDerivedSecret & out_secret) const
+{
+    ERR_clear_error();
+    CHIP_ERROR error      = CHIP_NO_ERROR;
+    int result            = -1;
+    size_t out_buf_length = 0;
+
+    result = trusty_matter.P256KeypairECDH_derive_secret(p256_handler, Uint8::to_const_uchar(remote_public_key),
+                                                         remote_public_key.Length(), out_secret.Bytes(), out_buf_length);
+    VerifyOrExit(result == MATTER_ERROR_OK, error = CHIP_ERROR_INTERNAL);
+    VerifyOrExit((out_buf_length > 0), error = CHIP_ERROR_INTERNAL);
+    SuccessOrExit(error = out_secret.SetLength(out_buf_length));
+
+exit:
+    _logSSLError();
+    return error;
+}
+#else
 CHIP_ERROR P256Keypair::ECDH_derive_secret(const P256PublicKey & remote_public_key, P256ECDHDerivedSecret & out_secret) const
 {
     ERR_clear_error();
@@ -1035,6 +1102,7 @@ CHIP_ERROR P256Keypair::ECDH_derive_secret(const P256PublicKey & remote_public_k
     _logSSLError();
     return error;
 }
+#endif
 
 void ClearSecretData(uint8_t * buf, size_t len)
 {
@@ -1082,6 +1150,101 @@ static CHIP_ERROR P256PublicKeyFromECKey(EC_KEY * ec_key, P256PublicKey & pubkey
     return error;
 }
 
+#if CHIP_CRYPTO_TRUSTY_OS
+CHIP_ERROR P256Keypair::Initialize(ECPKeyTarget key_target)
+{
+    ERR_clear_error();
+    CHIP_ERROR error = CHIP_NO_ERROR;
+    uint8_t public_key[kP256_PublicKey_Length];
+    int rc = 0;
+
+    rc = trusty_matter.P256KeypairInitialize(p256_handler, fabricIndex, public_key);
+    VerifyOrExit(rc == MATTER_ERROR_OK, error = CHIP_ERROR_INTERNAL);
+
+    memcpy(Uint8::to_uchar(mPublicKey), public_key, kP256_PublicKey_Length);
+
+    mInitialized = true;
+
+exit:
+    _logSSLError();
+    return error;
+}
+
+CHIP_ERROR P256Keypair::Serialize(P256SerializedKeypair & output) const
+{
+    CHIP_ERROR error = CHIP_NO_ERROR;
+    uint8_t privkey[kP256_PrivateKey_Length];
+    int rc = 0;
+
+    rc = trusty_matter.P256KeypairSerialize(p256_handler, privkey);
+    VerifyOrExit(rc == MATTER_ERROR_OK, error = CHIP_ERROR_INTERNAL);
+
+    {
+        size_t len = output.Length() == 0 ? output.Capacity() : output.Length();
+        Encoding::BufferWriter bbuf(output.Bytes(), len);
+        bbuf.Put(mPublicKey, mPublicKey.Length());
+        bbuf.Put(privkey, sizeof(privkey));
+        VerifyOrExit(bbuf.Fit(), error = CHIP_ERROR_NO_MEMORY);
+        output.SetLength(bbuf.Needed());
+    }
+
+exit:
+    ClearSecretData(privkey, sizeof(privkey));
+    _logSSLError();
+    return error;
+}
+
+CHIP_ERROR P256Keypair::Deserialize(P256SerializedKeypair & input)
+{
+    CHIP_ERROR error = CHIP_NO_ERROR;
+    Encoding::BufferWriter bbuf(mPublicKey, mPublicKey.Length());
+    int rc = 0;
+
+    uint8_t * pubkey  = input.Bytes();
+    uint8_t * privkey = input.Bytes() + mPublicKey.Length();
+
+    VerifyOrExit(input.Length() == mPublicKey.Length() + kP256_PrivateKey_Length, error = CHIP_ERROR_INVALID_ARGUMENT);
+    bbuf.Put(input.ConstBytes(), mPublicKey.Length());
+    VerifyOrExit(bbuf.Fit(), error = CHIP_ERROR_NO_MEMORY);
+
+    rc = trusty_matter.P256KeypairDeserialize(p256_handler, pubkey, mPublicKey.Length(), privkey, kP256_PrivateKey_Length);
+    VerifyOrExit(rc == MATTER_ERROR_OK, error = CHIP_ERROR_INTERNAL);
+
+    mInitialized = true;
+
+exit:
+    _logSSLError();
+    return error;
+}
+
+void P256Keypair::Clear()
+{
+    mInitialized = false;
+    p256_handler = 0;
+}
+
+P256Keypair::~P256Keypair()
+{
+    trusty_matter.P256KeypairDestory(p256_handler);
+    Clear();
+}
+
+CHIP_ERROR P256Keypair::NewCertificateSigningRequest(uint8_t * out_csr, size_t & csr_length) const
+{
+    ERR_clear_error();
+    CHIP_ERROR error = CHIP_NO_ERROR;
+    int rc           = 0;
+
+    VerifyOrExit(mInitialized, error = CHIP_ERROR_UNINITIALIZED);
+
+    rc = trusty_matter.P256KeypairNewCSR(p256_handler, out_csr, csr_length);
+    VerifyOrExit(rc == MATTER_ERROR_OK, error = CHIP_ERROR_INTERNAL);
+
+exit:
+    _logSSLError();
+    return error;
+}
+#else
 CHIP_ERROR P256Keypair::Initialize(ECPKeyTarget key_target)
 {
     ERR_clear_error();
@@ -1314,6 +1477,7 @@ CHIP_ERROR P256Keypair::NewCertificateSigningRequest(uint8_t * out_csr, size_t &
     _logSSLError();
     return error;
 }
+#endif
 
 CHIP_ERROR VerifyCertificateSigningRequest(const uint8_t * csr, size_t csr_length, P256PublicKey & pubkey)
 {
diff --git a/src/lib/imx_ele.gni b/src/lib/imx_ele.gni
new file mode 100644
index 00000000000000..35963045eaae6e
--- /dev/null
+++ b/src/lib/imx_ele.gni
@@ -0,0 +1,17 @@
+# Copyright (c) 2023 Project CHIP Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+declare_args() {
+  chip_with_imx_ele = 0
+}
diff --git a/src/lib/trusty.gni b/src/lib/trusty.gni
new file mode 100644
index 00000000000000..f13c9bffe351fd
--- /dev/null
+++ b/src/lib/trusty.gni
@@ -0,0 +1,17 @@
+# Copyright (c) 2023 Project CHIP Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+declare_args() {
+  chip_with_trusty_os = 0
+}
diff --git a/third_party/imx-secure-enclave/BUILD.gn b/third_party/imx-secure-enclave/BUILD.gn
new file mode 100644
index 00000000000000..7ca2da17563a4a
--- /dev/null
+++ b/third_party/imx-secure-enclave/BUILD.gn
@@ -0,0 +1,184 @@
+# Copyright (c) 2023 Project CHIP Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import("//build_overrides/chip.gni")
+
+declare_args() {
+  NOT_SUPPORTED = 0
+  ROM = 1
+  FMW = 2
+
+  MAJOR_VER = 1
+  MINOR_VER = 0
+
+  PLAT_PATH = "src/plat/ele"
+  PLAT_COMMON_PATH = "src/common"
+}
+
+config("libele_config") {
+  defines = [
+    "DEBUG=0",
+    "LIB_MAJOR_VERSION=${MAJOR_VER}",
+    "LIB_MINOR_VERSION=${MINOR_VER}",
+
+    "CONFIG_PLAT_ELE=1",
+    "PLAT_ELE_FEAT_NOT_SUPPORTED=0",
+    "PSA_COMPLIANT=1",
+    "SECONDARY_API_SUPPORTED=1",
+
+    "MT_SAB_SIGN_GEN=${FMW}",
+    "MT_SAB_VERIFY_SIGN=${FMW}",
+    "MT_SAB_KEY_GENERATE=${FMW}",
+    "MT_SAB_MANAGE_KEY_GROUP=${FMW}",
+    "MT_SAB_IMPORT_KEY=${FMW}",
+    "MT_SAB_DELETE_KEY=${FMW}",
+    "MT_SAB_GET_KEY_ATTR=${FMW}",
+    "MT_SAB_HASH_GEN=${FMW}",
+    "MT_SAB_CIPHER=${FMW}",
+    "MT_SAB_SESSION=${FMW}",
+    "MT_SAB_KEY_STORE=${FMW}",
+    "MT_SAB_KEY_STORE_REPROV_EN=${FMW}",
+    "MT_SAB_KEY_MANAGEMENT=${FMW}",
+    "MT_SAB_MAC=${FMW}",
+    "MT_SAB_RNG=${FMW}",
+    "MT_SAB_KEY_RECOVERY=${FMW}",
+    "MT_SAB_GET_INFO=${FMW}",
+    "MT_SAB_AUTH_ENC=${FMW}",
+    "MT_SAB_AUTH_ENC_NEW=${FMW}",
+    "MT_SAB_DATA_STORAGE=${FMW}",
+    "MT_SAB_DATA_STORAGE_DELETE=${FMW}",
+    "MT_SAB_DEBUG_DUMP=${ROM}",
+    "MT_SAB_DEV_ATTEST=${ROM}",
+    "MT_SAB_DEV_GETINFO=${ROM}",
+    "MT_SAB_LC_UPDATE=${ROM}",
+    "MT_SAB_STORAGE_MASTER_IMPORT=${FMW}",
+    "MT_SAB_STORAGE_MASTER_EXPORT_REQ=${FMW}",
+    "MT_SAB_STORAGE_EXPORT_FINISH_REQ=${FMW}",
+    "MT_SAB_STORAGE_CHUNK_GET_REQ=${FMW}",
+    "MT_SAB_STORAGE_CHUNK_GET_DONE_REQ=${FMW}",
+    "MT_SAB_STORAGE_CHUNK_EXPORT_REQ=${FMW}",
+    "MT_SAB_STORAGE_OPEN=${FMW}",
+    "MT_SAB_STORAGE_CLOSE=${FMW}",
+    "MT_SAB_STORAGE_KEY_DB_REQ=${FMW}",
+    "MT_SAB_ENC_DATA_STORAGE=${FMW}",
+
+    "HSM_SIGN_GEN=1",
+    "HSM_VERIFY_SIGN=1",
+    "HSM_KEY_GENERATE=1",
+    "HSM_MANAGE_KEY_GROUP=1",
+    "HSM_IMPORT_KEY=1",
+    "HSM_DELETE_KEY=1",
+    "HSM_GET_KEY_ATTR=1",
+    "HSM_HASH_GEN=1",
+    "HSM_CIPHER=1",
+    "HSM_SESSION=1",
+    "HSM_KEY_STORE=1",
+    "HSM_KEY_MANAGEMENT=1",
+    "HSM_MAC=1",
+    "HSM_RNG=1",
+    "HSM_KEY_RECOVERY=1",
+    "HSM_GET_INFO=1",
+    "HSM_AUTH_ENC=1",
+    "HSM_DATA_STORAGE=1",
+    "HSM_DEBUG_DUMP=1",
+    "HSM_DEV_ATTEST=1",
+    "HSM_DEV_GETINFO=1",
+    "HSM_LC_UPDATE=1",
+    "HSM_ENC_DATA_STORAGE=1",
+  ]
+
+  include_dirs = [
+    "repo/src/plat/ele/include",
+    "repo/src/common/include",
+    "repo/src/common/sab_msg/include",
+    "repo/include",
+    "repo/include/common",
+    "repo/include/hsm",
+    "repo/include/she",
+  ]
+}
+
+source_set("libelematter") {
+  sources = [
+    "repo/${PLAT_COMMON_PATH}/hsm_api/hsm_auth_enc.c",
+    "repo/${PLAT_COMMON_PATH}/hsm_api/hsm_cipher.c",
+    "repo/${PLAT_COMMON_PATH}/hsm_api/hsm_data_storage.c",
+    "repo/${PLAT_COMMON_PATH}/hsm_api/hsm_debug_dump.c",
+    "repo/${PLAT_COMMON_PATH}/hsm_api/hsm_delete_key.c",
+    "repo/${PLAT_COMMON_PATH}/hsm_api/hsm_dev_attest.c",
+    "repo/${PLAT_COMMON_PATH}/hsm_api/hsm_dev_getinfo.c",
+    "repo/${PLAT_COMMON_PATH}/hsm_api/hsm_get_info.c",
+    "repo/${PLAT_COMMON_PATH}/hsm_api/hsm_get_key_attr.c",
+    "repo/${PLAT_COMMON_PATH}/hsm_api/hsm_handle.c",
+    "repo/${PLAT_COMMON_PATH}/hsm_api/hsm_hash.c",
+    "repo/${PLAT_COMMON_PATH}/hsm_api/hsm_importkey.c",
+    "repo/${PLAT_COMMON_PATH}/hsm_api/hsm_key_generate.c",
+    "repo/${PLAT_COMMON_PATH}/hsm_api/hsm_key_management.c",
+    "repo/${PLAT_COMMON_PATH}/hsm_api/hsm_key_recovery.c",
+    "repo/${PLAT_COMMON_PATH}/hsm_api/hsm_key_store.c",
+    "repo/${PLAT_COMMON_PATH}/hsm_api/hsm_lc_update.c",
+    "repo/${PLAT_COMMON_PATH}/hsm_api/hsm_mac.c",
+    "repo/${PLAT_COMMON_PATH}/hsm_api/hsm_manage_key_group.c",
+    "repo/${PLAT_COMMON_PATH}/hsm_api/hsm_rng.c",
+    "repo/${PLAT_COMMON_PATH}/hsm_api/hsm_session.c",
+    "repo/${PLAT_COMMON_PATH}/hsm_api/hsm_sign_gen.c",
+    "repo/${PLAT_COMMON_PATH}/hsm_api/hsm_utils.c",
+    "repo/${PLAT_COMMON_PATH}/hsm_api/hsm_verify_sign.c",
+    "repo/${PLAT_COMMON_PATH}/hsm_lib.c",
+    "repo/${PLAT_COMMON_PATH}/sab_common_err.c",
+    "repo/${PLAT_COMMON_PATH}/sab_messaging.c",
+    "repo/${PLAT_COMMON_PATH}/sab_msg/sab_auth_enc.c",
+    "repo/${PLAT_COMMON_PATH}/sab_msg/sab_cipher.c",
+    "repo/${PLAT_COMMON_PATH}/sab_msg/sab_data_storage.c",
+    "repo/${PLAT_COMMON_PATH}/sab_msg/sab_debug_dump.c",
+    "repo/${PLAT_COMMON_PATH}/sab_msg/sab_delete_key.c",
+    "repo/${PLAT_COMMON_PATH}/sab_msg/sab_dev_attest.c",
+    "repo/${PLAT_COMMON_PATH}/sab_msg/sab_dev_getinfo.c",
+    "repo/${PLAT_COMMON_PATH}/sab_msg/sab_get_info.c",
+    "repo/${PLAT_COMMON_PATH}/sab_msg/sab_get_key_attr.c",
+    "repo/${PLAT_COMMON_PATH}/sab_msg/sab_hash.c",
+    "repo/${PLAT_COMMON_PATH}/sab_msg/sab_import_key.c",
+    "repo/${PLAT_COMMON_PATH}/sab_msg/sab_init_proc_msg.c",
+    "repo/${PLAT_COMMON_PATH}/sab_msg/sab_key_generate.c",
+    "repo/${PLAT_COMMON_PATH}/sab_msg/sab_key_management.c",
+    "repo/${PLAT_COMMON_PATH}/sab_msg/sab_key_recovery.c",
+    "repo/${PLAT_COMMON_PATH}/sab_msg/sab_key_store.c",
+    "repo/${PLAT_COMMON_PATH}/sab_msg/sab_lc_update.c",
+    "repo/${PLAT_COMMON_PATH}/sab_msg/sab_mac.c",
+    "repo/${PLAT_COMMON_PATH}/sab_msg/sab_manage_key_group.c",
+    "repo/${PLAT_COMMON_PATH}/sab_msg/sab_process_msg.c",
+    "repo/${PLAT_COMMON_PATH}/sab_msg/sab_rng.c",
+    "repo/${PLAT_COMMON_PATH}/sab_msg/sab_session.c",
+    "repo/${PLAT_COMMON_PATH}/sab_msg/sab_sign_gen.c",
+    "repo/${PLAT_COMMON_PATH}/sab_msg/sab_storage_chunk_export.c",
+    "repo/${PLAT_COMMON_PATH}/sab_msg/sab_storage_close.c",
+    "repo/${PLAT_COMMON_PATH}/sab_msg/sab_storage_export_finish.c",
+    "repo/${PLAT_COMMON_PATH}/sab_msg/sab_storage_get_chunk.c",
+    "repo/${PLAT_COMMON_PATH}/sab_msg/sab_storage_get_chunk_done.c",
+    "repo/${PLAT_COMMON_PATH}/sab_msg/sab_storage_key_db.c",
+    "repo/${PLAT_COMMON_PATH}/sab_msg/sab_storage_master_export.c",
+    "repo/${PLAT_COMMON_PATH}/sab_msg/sab_storage_master_import.c",
+    "repo/${PLAT_COMMON_PATH}/sab_msg/sab_storage_open.c",
+    "repo/${PLAT_COMMON_PATH}/sab_msg/sab_verify_sign.c",
+    "repo/${PLAT_COMMON_PATH}/se_global_info.c",
+    "repo/${PLAT_PATH}/ele_os_abs_linux.c",
+    "repo/${PLAT_PATH}/ele_utils.c",
+    "repo/${PLAT_PATH}/plat_err.c",
+  ]
+
+  cflags = [ "-Wno-implicit-fallthrough -O1 -Werror -Wformat -fPIC" ]
+  cflags_cc = [ "-std=c++17" ]
+
+  public_configs = [ ":libele_config" ]
+}
diff --git a/third_party/imx-secure-enclave/repo b/third_party/imx-secure-enclave/repo
new file mode 160000
index 00000000000000..1b8582de2f6d18
--- /dev/null
+++ b/third_party/imx-secure-enclave/repo
@@ -0,0 +1 @@
+Subproject commit 1b8582de2f6d18ee05ecac23f4ce6abeb104cff5
diff --git a/third_party/libtrustymatter/BUILD.gn b/third_party/libtrustymatter/BUILD.gn
new file mode 100644
index 00000000000000..f172f1251a8581
--- /dev/null
+++ b/third_party/libtrustymatter/BUILD.gn
@@ -0,0 +1,48 @@
+# Copyright (c) 2023 Project CHIP Authors
+# Copyright 2025 NXP
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import("//build_overrides/chip.gni")
+
+config("libtrustymatter_config") {
+  include_dirs = [
+    "repo/matter_client/include",
+    "repo/libtrusty/include",
+  ]
+}
+
+source_set("libtrustymatter") {
+  sources = [
+    "repo/libtrusty/include/trusty/ipc.h",
+    "repo/libtrusty/include/trusty/tipc.h",
+    "repo/libtrusty/trusty.c",
+    "repo/matter_client/include/UniquePtr.h",
+    "repo/matter_client/include/matter_defs.h",
+    "repo/matter_client/include/matter_ipc.h",
+    "repo/matter_client/include/matter_messages.h",
+    "repo/matter_client/include/mem.h",
+    "repo/matter_client/include/serializable.h",
+    "repo/matter_client/include/trusty_matter.h",
+    "repo/matter_client/include/trusty_matter_ipc.h",
+    "repo/matter_client/matter_messages.cpp",
+    "repo/matter_client/serializable.cpp",
+    "repo/matter_client/trusty_matter.cpp",
+    "repo/matter_client/trusty_matter_ipc.cpp",
+  ]
+
+  cflags = [ "-Wno-implicit-fallthrough" ]
+  cflags_cc = [ "-std=c++17" ]
+
+  public_configs = [ ":libtrustymatter_config" ]
+}
diff --git a/third_party/libtrustymatter/repo b/third_party/libtrustymatter/repo
new file mode 160000
index 00000000000000..2be9d3c10c4ba9
--- /dev/null
+++ b/third_party/libtrustymatter/repo
@@ -0,0 +1 @@
+Subproject commit 2be9d3c10c4ba947d09e300ca03d0cb69df65143