Merge branch 'master' into issue/30754-dependabot-CI-runs-for-both-push-and-pull

Author: kliao-csa

.github/.wordlist.txt

@@ -643,6 +643,8 @@ HomePods
 hostapd
 hostname
 href
+HSM
+hsm
 HTTPS
 HW
 hwadr
@@ -965,6 +967,7 @@ objcopy
 OccupancySensing
 OctetString
 OECORE
+OID
 ol
 Onboarding
 onboardingcodes
@@ -986,6 +989,7 @@ openweave
 OperationalCredentials
 operationalDataset
 opkg
+OPTIGA
 optionMask
 optionOverride
 optionsMask
@@ -1429,6 +1433,7 @@ transitionTime
 TransportMgrBase
 TriggerEffect
 TRNG
+trustm
 TrustedRootCertificates
 tsan
 TSG

.github/workflows/darwin-tests.yaml

@@ -72,15 +72,7 @@ jobs:
 
             - name: Run macOS Darwin Framework Tool Build Debug
               working-directory: src/darwin/Framework
-              # Keep whatever Xcode settings
-              # for OTHER_CFLAGS exist by using ${inherited}.
-              #
-              # Enable -Wconversion by hand as well, because it seems to not be
-              # enabled by default in the Xcode config.
-              #
-              # Disable availability annotations, since we are not building against a system
-              # Matter.framework.
-              run: xcodebuild -target "darwin-framework-tool" -sdk macosx -configuration Debug OTHER_CFLAGS='${inherited} -Wconversion' GCC_PREPROCESSOR_DEFINITIONS='${inherited} MTR_NO_AVAILABILITY=1'
+              run: xcodebuild -target "darwin-framework-tool" -sdk macosx -configuration Debug
             - name: Delete Defaults
               run: defaults delete com.apple.dt.xctest.tool
               continue-on-error: true

.github/workflows/darwin.yaml

@@ -37,16 +37,14 @@ jobs:
         strategy:
             matrix:
                 options: # We don't need a full matrix
-                    - flavor: macos-release-availability
-                      arguments: -sdk macosx -configuration Release   WARNING_CFLAGS='${inherited} -Werror -Wconversion -Wno-unguarded-availability-new'
+                    - flavor: macos-release
+                      arguments: -sdk macosx -configuration Release
                     - flavor: ios-release
-                      arguments: -sdk iphoneos -configuration Release WARNING_CFLAGS='${inherited} -Werror -Wconversion' GCC_PREPROCESSOR_DEFINITIONS='${inherited} MTR_NO_AVAILABILITY=1'
-                    - flavor: ios-debug
-                      arguments: -sdk iphoneos -configuration Debug   WARNING_CFLAGS='${inherited} -Werror -Wconversion' GCC_PREPROCESSOR_DEFINITIONS='${inherited} MTR_NO_AVAILABILITY=1'
+                      arguments: -sdk iphoneos -configuration Release
                     - flavor: tvos-debug
-                      arguments: -sdk appletvos -configuration Debug  WARNING_CFLAGS='${inherited} -Werror -Wconversion' GCC_PREPROCESSOR_DEFINITIONS='${inherited} MTR_NO_AVAILABILITY=1'
+                      arguments: -sdk appletvos -configuration Debug
                     - flavor: watchos-debug
-                      arguments: -sdk watchos -configuration Debug    WARNING_CFLAGS='${inherited} -Werror -Wconversion' GCC_PREPROCESSOR_DEFINITIONS='${inherited} MTR_NO_AVAILABILITY=1'
+                      arguments: -sdk watchos -configuration Debug
         steps:
             - name: Checkout
               uses: actions/checkout@v4
@@ -115,7 +113,7 @@ jobs:
 
                   # Disable BLE (CHIP_IS_BLE=NO) because the app does not have the permission to use it and that may crash the CI.
                   xcodebuild test -target "Matter" -scheme "Matter Framework Tests" -sdk macosx ${{ matrix.options.arguments }} \
-                    OTHER_CFLAGS='${inherited} -Werror -Wconversion' CHIP_IS_BLE=NO GCC_PREPROCESSOR_DEFINITIONS='${inherited} MTR_NO_AVAILABILITY=1 ${{ matrix.options.defines }}' \
+                    CHIP_IS_BLE=NO GCC_PREPROCESSOR_DEFINITIONS='${inherited} ${{ matrix.options.defines }}' \
                     > >(tee /tmp/darwin/framework-tests/darwin-tests.log) 2> >(tee /tmp/darwin/framework-tests/darwin-tests-err.log >&2)
             - name: Collect crash logs
               if: failure() && !env.ACT

.gitmodules

@@ -324,3 +324,9 @@
 	path = third_party/infineon/psoc6/psoc6_sdk/libs/lwip-network-interface-integration
 	url = https://github.com/Infineon/lwip-network-interface-integration.git
 	platforms = infineon
+[submodule "third_party/infineon/trustm/optiga-trust-m"]
+	path = third_party/infineon/trustm/optiga-trust-m
+	url = https://github.com/Infineon/optiga-trust-m.git
+	branch = matter_support
+	platforms = infineon
+

build/chip/chip_test_suite.gni

@@ -39,7 +39,6 @@ assert(chip_build_tests)
 #
 #   public_deps = [
 #     "${chip_root}/src/lib/foo",         # add dependencies here
-#     "${nlunit_test_root}:nlunit-test",
 #   ]
 # }
 #
@@ -57,7 +56,6 @@ assert(chip_build_tests)
 #
 #   public_deps = [
 #     "${chip_root}/src/lib/foo",         # add dependencies here
-#     "${nlunit_test_root}:nlunit-test",
 #   ]
 #
 #   tests = [
@@ -94,6 +92,8 @@ template("chip_test_suite") {
       public_deps = []
     }
 
+    deps = [ dir_pw_unit_test ]
+
     if (current_os != "zephyr" && current_os != "mbed") {
       # Depend on stdio logging, and have it take precedence over the default platform backend
       public_deps += [ "${chip_root}/src/platform/logging:force_stdio" ]
@@ -106,6 +106,11 @@ template("chip_test_suite") {
       foreach(_test, invoker.test_sources) {
         _test_name = string_replace(_test, ".cpp", "")
 
+        _test_output_dir = "${root_out_dir}/tests"
+        if (defined(invoker.output_dir)) {
+          _test_output_dir = invoker.output_dir
+        }
+
         pw_test(_test_name) {
           forward_variables_from(invoker,
                                  [
@@ -116,13 +121,19 @@ template("chip_test_suite") {
                                  ])
           public_deps += [ ":${_suite_name}.lib" ]
           sources = [ _test ]
+          output_dir = _test_output_dir
         }
         tests += [ _test_name ]
       }
     }
 
     if (defined(invoker.tests)) {
       foreach(_test, invoker.tests) {
+        _test_output_dir = "${root_out_dir}/tests"
+        if (defined(invoker.output_dir)) {
+          _test_output_dir = invoker.output_dir
+        }
+
         pw_test(_test) {
           forward_variables_from(invoker,
                                  [
@@ -137,6 +148,7 @@ template("chip_test_suite") {
             "${_test}.cpp",
             "${_test}Driver.cpp",
           ]
+          output_dir = _test_output_dir
         }
         tests += [ _test ]
       }
@@ -164,7 +176,7 @@ template("chip_test_suite") {
   }
 }
 
-# TODO: remove this once transition away from nlunit-test is completed
+# TODO [PW_MIGRATION]: remove this once transition away from nlunit-test is completed
 template("chip_test_suite_using_nltest") {
   _suite_name = target_name
 

config/nrfconnect/chip-module/CMakeLists.txt

@@ -140,6 +140,8 @@ matter_add_gn_arg_bool  ("chip_system_config_provide_statistics"  CONFIG_CHIP_ST
 matter_add_gn_arg_bool  ("chip_enable_icd_server"                 CONFIG_CHIP_ENABLE_ICD_SUPPORT)
 matter_add_gn_arg_bool  ("chip_enable_factory_data"               CONFIG_CHIP_FACTORY_DATA)
 matter_add_gn_arg_bool  ("chip_enable_read_client"                CONFIG_CHIP_ENABLE_READ_CLIENT)
+matter_add_gn_arg_bool  ("chip_mdns_minimal"                      CONFIG_WIFI_NRF700X)
+matter_add_gn_arg_bool  ("chip_mdns_platform"                     CONFIG_NET_L2_OPENTHREAD)
 
 if (CONFIG_CHIP_ENABLE_ICD_SUPPORT)
     matter_add_gn_arg_bool  ("chip_enable_icd_lit"                       CONFIG_CHIP_ICD_LIT_SUPPORT)
@@ -157,10 +159,10 @@ if (CONFIG_CHIP_ROTATING_DEVICE_ID)
     matter_add_gn_arg_bool("chip_enable_additional_data_advertising" TRUE)
 endif()
 
-if (CONFIG_NET_L2_OPENTHREAD)
-    matter_add_gn_arg_string("chip_mdns" "platform")
-elseif(CONFIG_WIFI_NRF700X)
+if(CONFIG_WIFI_NRF700X)
     matter_add_gn_arg_string("chip_mdns" "minimal")
+elseif (CONFIG_NET_L2_OPENTHREAD)
+    matter_add_gn_arg_string("chip_mdns" "platform")
 else()
     matter_add_gn_arg_string("chip_mdns" "none")
 endif()

docs/guides/README.md

@@ -7,6 +7,7 @@
 -   [ASR - Getting Started Guide](./asr_getting_started_guide.md)
 -   [Espressif (ESP32) - Getting Started Guide](./esp32/README.md)
 -   [Infineon PSoC6 - Software Update](./infineon_psoc6_software_update.md)
+-   [Infineon Trust M Provisioning](./infineon_trustm_provisioning.md)
 -   [Linux - Simulated Devices](./simulated_device_linux.md)
 -   [mbedOS - Adding a new target](./mbedos_add_new_target.md)
 -   [mbedOS - Commissioning](./mbedos_commissioning.md)

docs/guides/infineon_trustm_provisioning.md

@@ -0,0 +1,61 @@
+# Infineon OPTIGA™ Trust M Provisioning for Matter
+
+To use Infineon OPTIGA™ Trust M for device attestation, Provisioning for
+OPTIGA™ Trust M with Matter test device Attestation certificate is needed.
+
+## Hardware setup:
+
+[Raspberry Pi 4](https://www.raspberrypi.com/products/raspberry-pi-4-model-b/)
+
+[OPTIGA™ Trust M MTR](https://www.infineon.com/cms/en/product/evaluation-boards/trust-m-mtr-shield/)
+
+[Shield2Go Adapter for Raspberry Pi](https://www.infineon.com/cms/en/product/evaluation-boards/s2go-adapter-rasp-pi-iot/)
+or Jumping Wire
+
+## Provisioning for OPTIGA™ Trust M
+
+The
+[Linux Tools for OPTIGA™ Trust M ](https://github.com/Infineon/linux-optiga-trust-m)
+can be used to perform provisioning by following the steps mentioned below.
+
+-   Set up chip-tool on Raspberry Pi 4 by following the instruction listed at
+    [Building chip-tool on Raspberry Pi ](https://github.com/project-chip/connectedhomeip/blob/master/docs/guides/BUILDING.md#installing-prerequisites-on-raspberry-pi-4)
+-   Clone the repo from Infineon Public GitHub
+
+```
+ $ git clone --recurse-submodules https://github.com/Infineon/linux-optiga-trust-m.git
+```
+
+-   Build the Linux tools for OPTIGA™ Trust M
+
+```
+ $ cd linux-optiga-trust-m/
+ $ ./trustm_installation_aarch64_script.sh
+```
+
+-   Run the script to generate Matter test DAC for lock-app using the public key
+    extracted from the Infineon pre-provisioned Certificate and store it into
+    0xE0E0
+
+```
+$ cd scripts/matter_provisioning/
+$ ./matter_dac_provisioning.sh
+```
+
+_Note:_
+
+_By running this example matter_dac_provisioning.sh, the steps shown below are
+executed:_
+
+_Step1: Extract the public key from the Infineon pre-provisioned
+Certificate(0xE0E0) using openssl command._
+
+_Step2: Generate DAC test certificate using the extracted public key, Signed by
+[Matter test PAI](https://github.com/project-chip/connectedhomeip/blob/v1.1-branch/credentials/development/attestation/Matter-Development-PAI-FFF1-noPID-Cert.pem)_.
+Please note that production devices cannot re-use these test keys/certificates.
+
+_Step3: Write DAC test certificate into OPTIGA™ Trust M certificate slot
+0xE0E0_
+
+\_Step4: Write Matter test PAI into OPTIGA™ Trust M certificate slot
+0xE0E8 and test CD into OPTIGA™ Trust M Arbitrary OID 0xF1E0.

examples/all-clusters-app/esp32/main/Kconfig.projbuild

@@ -59,6 +59,10 @@ menu "Demo"
             depends on IDF_TARGET_ESP32H2
     endchoice
 
+    config CHIP_PROJECT_CONFIG
+        string "CHIP Project Configuration file"
+        default "main/include/CHIPProjectConfig.h"
+
     choice
       prompt "Rendezvous Mode"
       default RENDEZVOUS_MODE_BLE if BT_ENABLED

examples/all-clusters-app/esp32/main/include/CHIPProjectConfig.h

@@ -0,0 +1,38 @@
+/*
+ *
+ *    Copyright (c) 2023 Project CHIP Authors
+ *    All rights reserved.
+ *
+ *    Licensed under the Apache License, Version 2.0 (the "License");
+ *    you may not use this file except in compliance with the License.
+ *    You may obtain a copy of the License at
+ *
+ *        http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *    Unless required by applicable law or agreed to in writing, software
+ *    distributed under the License is distributed on an "AS IS" BASIS,
+ *    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *    See the License for the specific language governing permissions and
+ *    limitations under the License.
+ */
+
+/**
+ *    @file
+ *          Example project configuration file for CHIP.
+ *
+ *          This is a place to put application or project-specific overrides
+ *          to the default configuration values for general CHIP features.
+ *
+ */
+
+#pragma once
+
+/**
+ * @def CONFIG_BUILD_FOR_HOST_UNIT_TEST
+ *
+ * @brief Defines whether we're currently building for unit testing, which enables a set of features
+ *        that are only utilized in those tests. This flag should not be enabled on devices. If you have a test
+ *        that uses this flag, either appropriately conditionalize the entire test on this flag, or to exclude
+ *        the compliation of that test source file entirely.
+ */
+#define CONFIG_BUILD_FOR_HOST_UNIT_TEST 1

examples/all-clusters-minimal-app/esp32/main/Kconfig.projbuild

@@ -48,6 +48,10 @@ menu "Demo"
             depends on IDF_TARGET_ESP32C2
     endchoice
 
+    config CHIP_PROJECT_CONFIG
+        string "CHIP Project Configuration file"
+        default "main/include/CHIPProjectConfig.h"
+
     choice
       prompt "Rendezvous Mode"
       default RENDEZVOUS_MODE_BLE if BT_ENABLED

examples/all-clusters-minimal-app/esp32/main/include/CHIPProjectConfig.h

@@ -0,0 +1,38 @@
+/*
+ *
+ *    Copyright (c) 2023 Project CHIP Authors
+ *    All rights reserved.
+ *
+ *    Licensed under the Apache License, Version 2.0 (the "License");
+ *    you may not use this file except in compliance with the License.
+ *    You may obtain a copy of the License at
+ *
+ *        http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *    Unless required by applicable law or agreed to in writing, software
+ *    distributed under the License is distributed on an "AS IS" BASIS,
+ *    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *    See the License for the specific language governing permissions and
+ *    limitations under the License.
+ */
+
+/**
+ *    @file
+ *          Example project configuration file for CHIP.
+ *
+ *          This is a place to put application or project-specific overrides
+ *          to the default configuration values for general CHIP features.
+ *
+ */
+
+#pragma once
+
+/**
+ * @def CONFIG_BUILD_FOR_HOST_UNIT_TEST
+ *
+ * @brief Defines whether we're currently building for unit testing, which enables a set of features
+ *        that are only utilized in those tests. This flag should not be enabled on devices. If you have a test
+ *        that uses this flag, either appropriately conditionalize the entire test on this flag, or to exclude
+ *        the compliation of that test source file entirely.
+ */
+#define CONFIG_BUILD_FOR_HOST_UNIT_TEST 1

examples/lock-app/infineon/psoc6/BUILD.gn

@@ -15,9 +15,11 @@
 import("//build_overrides/build.gni")
 import("//build_overrides/chip.gni")
 import("//build_overrides/psoc6.gni")
-
 import("${build_root}/config/defaults.gni")
+import("${chip_root}/src/crypto/crypto.gni")
+import("${chip_root}/src/platform/Infineon/crypto/infineon_crypto.gni")
 import("${chip_root}/src/platform/device.gni")
+import("${chip_root}/third_party/infineon/trustm/trustm_config.gni")
 import("${psoc6_sdk_build_root}/psoc6_executable.gni")
 import("${psoc6_sdk_build_root}/psoc6_sdk.gni")
 
@@ -117,6 +119,19 @@ psoc6_executable("lock_app") {
     "${psoc6_project_dir}/include",
   ]
 
+  if (chip_crypto == "platform") {
+    include_dirs += [ "${chip_root}/third_party/infineon/trustm" ]
+    include_dirs += [ "${chip_root}/examples/platform/infineon/trustm" ]
+    include_dirs += [ "${chip_root}/src/platform/Infineon/crypto/trustm" ]
+
+    defines = [ "ENABLE_DEVICE_ATTESTATION=1" ]
+
+    public_deps += [
+      "${chip_root}/src/platform/Infineon/crypto/${infineon_crypto_impl}:infineon_crypto_lib",
+      "${chip_root}/third_party/infineon/trustm:optiga-trust-m",
+    ]
+  }
+
   sources = [
     "${examples_plat_dir}/LEDWidget.cpp",
     "${examples_plat_dir}/init_psoc6Platform.cpp",