Skip to content

Commit

Permalink
[nrfconnect] Adapt nrfconnect examples to PSA Crypto API
Browse files Browse the repository at this point in the history
Enabled PSA Crypto api in all nrfconnect examples.
  • Loading branch information
ArekBalysNordic committed Mar 11, 2024
1 parent 8bf8c25 commit a072093
Show file tree
Hide file tree
Showing 7 changed files with 201 additions and 4 deletions.
25 changes: 24 additions & 1 deletion examples/all-clusters-app/nrfconnect/main/AppTask.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -45,6 +45,13 @@
#include "OTAUtil.h"
#endif

#ifdef CONFIG_CHIP_CRYPTO_PSA
#include <crypto/PSAOperationalKeystore.h>
#ifdef CONFIG_CHIP_MIGRATE_OPERATIONAL_KEYS_TO_ITS
#include "MigrationManager.h"
#endif
#endif

#include <dk_buttons_and_leds.h>
#include <zephyr/kernel.h>
#include <zephyr/logging/log.h>
Expand Down Expand Up @@ -88,6 +95,9 @@ bool sHaveBLEConnections = false;

app::Clusters::TemperatureControl::AppSupportedTemperatureLevelsDelegate sAppSupportedTemperatureLevelsDelegate;

#ifdef CONFIG_CHIP_CRYPTO_PSA
chip::Crypto::PSAOperationalKeystore sPSAOperationalKeystore{};
#endif
} // namespace

namespace LedConsts {
Expand Down Expand Up @@ -209,14 +219,27 @@ CHIP_ERROR AppTask::Init()
static OTATestEventTriggerHandler sOtaTestEventTriggerHandler{};
VerifyOrDie(sTestEventTriggerDelegate.Init(ByteSpan(sTestEventTriggerEnableKey)) == CHIP_NO_ERROR);
VerifyOrDie(sTestEventTriggerDelegate.AddHandler(&sOtaTestEventTriggerHandler) == CHIP_NO_ERROR);
(void) initParams.InitializeStaticResourcesBeforeServerInit();
#ifdef CONFIG_CHIP_CRYPTO_PSA
initParams.operationalKeystore = &sPSAOperationalKeystore;
#endif
initParams.testEventTriggerDelegate = &sTestEventTriggerDelegate;
(void) initParams.InitializeStaticResourcesBeforeServerInit();
ReturnErrorOnFailure(chip::Server::GetInstance().Init(initParams));
AppFabricTableDelegate::Init();

gExampleDeviceInfoProvider.SetStorageDelegate(&Server::GetInstance().GetPersistentStorage());
chip::DeviceLayer::SetDeviceInfoProvider(&gExampleDeviceInfoProvider);

#ifdef CONFIG_CHIP_MIGRATE_OPERATIONAL_KEYS_TO_ITS
err = MoveOperationalKeysFromKvsToIts(sLocalInitData.mServerInitParams->persistentStorageDelegate,
sLocalInitData.mServerInitParams->operationalKeystore);
if (err != CHIP_NO_ERROR)
{
LOG_ERR("MoveOperationalKeysFromKvsToIts() failed");
return err;
}
#endif

// We only have network commissioning on endpoint 0.
emberAfEndpointEnableDisable(kNetworkCommissioningEndpointSecondary, false);
ConfigurationMgr().LogDeviceConfig();
Expand Down
24 changes: 24 additions & 0 deletions examples/all-clusters-minimal-app/nrfconnect/main/AppTask.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -34,6 +34,13 @@
#include "OTAUtil.h"
#endif

#ifdef CONFIG_CHIP_CRYPTO_PSA
#include <crypto/PSAOperationalKeystore.h>
#ifdef CHIP_MIGRATE_OPERATIONAL_KEYS_TO_ITS
#include "MigrationManager.h"
#endif
#endif

#include <dk_buttons_and_leds.h>
#include <zephyr/kernel.h>
#include <zephyr/logging/log.h>
Expand All @@ -59,6 +66,10 @@ FactoryResetLEDsWrapper<3> sFactoryResetLEDs{ { FACTORY_RESET_SIGNAL_LED, FACTOR
bool sIsNetworkProvisioned = false;
bool sIsNetworkEnabled = false;
bool sHaveBLEConnections = false;

#ifdef CONFIG_CHIP_CRYPTO_PSA
chip::Crypto::PSAOperationalKeystore sPSAOperationalKeystore{};
#endif
} // namespace

namespace LedConsts {
Expand Down Expand Up @@ -155,10 +166,23 @@ CHIP_ERROR AppTask::Init()
#endif

static chip::CommonCaseDeviceServerInitParams initParams;
#ifdef CONFIG_CHIP_CRYPTO_PSA
initParams.operationalKeystore = &sPSAOperationalKeystore;
#endif
(void) initParams.InitializeStaticResourcesBeforeServerInit();
ReturnErrorOnFailure(chip::Server::GetInstance().Init(initParams));
AppFabricTableDelegate::Init();

#ifdef CONFIG_CHIP_MIGRATE_OPERATIONAL_KEYS_TO_ITS
err = MoveOperationalKeysFromKvsToIts(sLocalInitData.mServerInitParams->persistentStorageDelegate,
sLocalInitData.mServerInitParams->operationalKeystore);
if (err != CHIP_NO_ERROR)
{
LOG_ERR("MoveOperationalKeysFromKvsToIts() failed");
return err;
}
#endif

// We only have network commissioning on endpoint 0.
emberAfEndpointEnableDisable(kNetworkCommissioningEndpointSecondary, false);
ConfigurationMgr().LogDeviceConfig();
Expand Down
16 changes: 15 additions & 1 deletion examples/chef/nrfconnect/main.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -43,6 +43,13 @@
#include "Rpc.h"
#endif

#ifdef CONFIG_CHIP_CRYPTO_PSA
#include <crypto/PSAOperationalKeystore.h>
#ifdef CONFIG_CHIP_MIGRATE_OPERATIONAL_KEYS_TO_ITS
#include "MigrationManager.h"
#endif
#endif

LOG_MODULE_REGISTER(app, CONFIG_CHIP_APP_LOG_LEVEL);

using namespace chip;
Expand All @@ -51,7 +58,11 @@ using namespace chip::DeviceLayer;

namespace {
constexpr int kExtDiscoveryTimeoutSecs = 20;
}

#ifdef CONFIG_CHIP_CRYPTO_PSA
chip::Crypto::PSAOperationalKeystore sPSAOperationalKeystore{};
#endif
} // namespace

int main()
{
Expand Down Expand Up @@ -110,6 +121,9 @@ int main()

// Start IM server
static chip::CommonCaseDeviceServerInitParams initParams;
#ifdef CONFIG_CHIP_CRYPTO_PSA
initParams.operationalKeystore = &sPSAOperationalKeystore;
#endif
(void) initParams.InitializeStaticResourcesBeforeServerInit();
err = chip::Server::GetInstance().Init(initParams);
if (err != CHIP_NO_ERROR)
Expand Down
16 changes: 15 additions & 1 deletion examples/light-switch-app/nrfconnect/main/AppTask.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -46,6 +46,13 @@
#include "OTAUtil.h"
#endif

#ifdef CONFIG_CHIP_CRYPTO_PSA
#include <crypto/PSAOperationalKeystore.h>
#ifdef CONFIG_CHIP_MIGRATE_OPERATIONAL_KEYS_TO_ITS
#include "MigrationManager.h"
#endif
#endif

#include <dk_buttons_and_leds.h>
#include <zephyr/kernel.h>
#include <zephyr/logging/log.h>
Expand Down Expand Up @@ -94,6 +101,10 @@ k_timer sDimmerPressKeyTimer;
k_timer sDimmerTimer;

chip::DeviceLayer::DeviceInfoProviderImpl gExampleDeviceInfoProvider;

#ifdef CONFIG_CHIP_CRYPTO_PSA
chip::Crypto::PSAOperationalKeystore sPSAOperationalKeystore{};
#endif
} // namespace

namespace LedConsts {
Expand Down Expand Up @@ -220,8 +231,11 @@ CHIP_ERROR AppTask::Init()
static OTATestEventTriggerHandler sOtaTestEventTriggerHandler{};
VerifyOrDie(sTestEventTriggerDelegate.Init(ByteSpan(sTestEventTriggerEnableKey)) == CHIP_NO_ERROR);
VerifyOrDie(sTestEventTriggerDelegate.AddHandler(&sOtaTestEventTriggerHandler) == CHIP_NO_ERROR);
(void) initParams.InitializeStaticResourcesBeforeServerInit();
initParams.testEventTriggerDelegate = &sTestEventTriggerDelegate;
#ifdef CONFIG_CHIP_CRYPTO_PSA
initParams.operationalKeystore = &sPSAOperationalKeystore;
#endif
(void) initParams.InitializeStaticResourcesBeforeServerInit();
ReturnErrorOnFailure(chip::Server::GetInstance().Init(initParams));
AppFabricTableDelegate::Init();

Expand Down
26 changes: 25 additions & 1 deletion examples/lock-app/nrfconnect/main/AppTask.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -47,6 +47,13 @@
#include "OTAUtil.h"
#endif

#ifdef CONFIG_CHIP_CRYPTO_PSA
#include <crypto/PSAOperationalKeystore.h>
#ifdef CONFIG_CHIP_MIGRATE_OPERATIONAL_KEYS_TO_ITS
#include "MigrationManager.h"
#endif
#endif

#include <dk_buttons_and_leds.h>
#include <zephyr/kernel.h>
#include <zephyr/logging/log.h>
Expand Down Expand Up @@ -90,6 +97,10 @@ bool sIsNetworkEnabled = false;
bool sHaveBLEConnections = false;

chip::DeviceLayer::DeviceInfoProviderImpl gExampleDeviceInfoProvider;

#ifdef CONFIG_CHIP_CRYPTO_PSA
chip::Crypto::PSAOperationalKeystore sPSAOperationalKeystore{};
#endif
} // namespace

namespace LedConsts {
Expand Down Expand Up @@ -214,11 +225,24 @@ CHIP_ERROR AppTask::Init()
static OTATestEventTriggerHandler sOtaTestEventTriggerHandler{};
VerifyOrDie(sTestEventTriggerDelegate.Init(ByteSpan(sTestEventTriggerEnableKey)) == CHIP_NO_ERROR);
VerifyOrDie(sTestEventTriggerDelegate.AddHandler(&sOtaTestEventTriggerHandler) == CHIP_NO_ERROR);
(void) initParams.InitializeStaticResourcesBeforeServerInit();
#ifdef CONFIG_CHIP_CRYPTO_PSA
initParams.operationalKeystore = &sPSAOperationalKeystore;
#endif
initParams.testEventTriggerDelegate = &sTestEventTriggerDelegate;
(void) initParams.InitializeStaticResourcesBeforeServerInit();
ReturnErrorOnFailure(chip::Server::GetInstance().Init(initParams));
AppFabricTableDelegate::Init();

#ifdef CONFIG_CHIP_MIGRATE_OPERATIONAL_KEYS_TO_ITS
err = MoveOperationalKeysFromKvsToIts(sLocalInitData.mServerInitParams->persistentStorageDelegate,
sLocalInitData.mServerInitParams->operationalKeystore);
if (err != CHIP_NO_ERROR)
{
LOG_ERR("MoveOperationalKeysFromKvsToIts() failed");
return err;
}
#endif

gExampleDeviceInfoProvider.SetStorageDelegate(&Server::GetInstance().GetPersistentStorage());
chip::DeviceLayer::SetDeviceInfoProvider(&gExampleDeviceInfoProvider);
ConfigurationMgr().LogDeviceConfig();
Expand Down
57 changes: 57 additions & 0 deletions examples/platform/nrfconnect/util/MigrationManager.cpp
Original file line number Diff line number Diff line change
@@ -0,0 +1,57 @@
/*
* Copyright (c) 2024 Project CHIP Authors
* All rights reserved.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/

#include "migration_manager.h"

#include <crypto/OperationalKeystore.h>
#include <crypto/PersistentStorageOperationalKeystore.h>

#ifdef CONFIG_CHIP_MIGRATE_OPERATIONAL_KEYS_TO_ITS
CHIP_ERROR MoveOperationalKeysFromKvsToIts(chip::PersistentStorageDelegate * storage, chip::Crypto::OperationalKeystore * keystore)
{
CHIP_ERROR err = CHIP_NO_ERROR;

VerifyOrReturnError(keystore && storage, CHIP_ERROR_INVALID_ARGUMENT);

/* Initialize the obsolete Operational Keystore*/
chip::PersistentStorageOperationalKeystore obsoleteKeystore;
err = obsoleteKeystore.Init(storage);
VerifyOrReturnError(err == CHIP_NO_ERROR, err);

/* Migrate all obsolete Operational Keys to PSA ITS */
for (const chip::FabricInfo & fabric : chip::Server::GetInstance().GetFabricTable())
{
err = keystore->MigrateOpKeypairForFabric(fabric.GetFabricIndex(), obsoleteKeystore);
if (CHIP_NO_ERROR != err)
{
break;
}
}

#ifdef CONFIG_CHIP_FACTORY_RESET_ON_KEY_MIGRATION_FAILURE
if (CHIP_NO_ERROR != err)
{
chip::Server::GetInstance().ScheduleFactoryReset();
/* Return a success to not block the Matter event Loop and allow to call scheduled factory
* reset. */
err = CHIP_NO_ERROR;
}
#endif /* CONFIG_CHIP_FACTORY_RESET_ON_KEY_MIGRATION_FAILURE */

return err;
}
#endif /* CONFIG_CHIP_MIGRATE_OPERATIONAL_KEYS_TO_ITS */
41 changes: 41 additions & 0 deletions examples/platform/nrfconnect/util/include/MigrationManager.h
Original file line number Diff line number Diff line change
@@ -0,0 +1,41 @@
/*
* Copyright (c) 2024 Project CHIP Authors
* All rights reserved.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/

#pragma once

#include <app/server/Server.h>

#ifdef CONFIG_CHIP_MIGRATE_OPERATIONAL_KEYS_TO_ITS
/**
* @brief Migrate all stored Operational Keys from the persistent storage (KVS) to secure PSA ITS.
*
* This function will schedule a factory reset automatically if the
* CONFIG_CHIP_FACTORY_RESET_ON_KEY_MIGRATION_FAILURE
* Kconfig option is set to 'y'. In this case, the function returns CHIP_NO_ERROR to not block any further
* operations until the scheduled factory reset is done.
*
* @note This function should be called just after Matter Server Init to avoid problems with further CASE
* session re-establishments.
* @param storage
* @param keystore
* @retval CHIP_NO_ERROR if all keys have been migrated properly to PSA ITS or if the error occurs, but
* the CONFIG_CHIP_FACTORY_RESET_ON_KEY_MIGRATION_FAILURE kconfig is set to 'y'.
* @retval CHIP_ERROR_INVALID_ARGUMENT when keystore or storage are not defined.
* @retval Other CHIP_ERROR codes related to internal Migration operations.
*/
CHIP_ERROR MoveOperationalKeysFromKvsToIts(chip::PersistentStorageDelegate * storage, chip::Crypto::OperationalKeystore * keystore);
#endif

0 comments on commit a072093

Please sign in to comment.