diff --git a/examples/all-clusters-app/nrfconnect/main/AppTask.cpp b/examples/all-clusters-app/nrfconnect/main/AppTask.cpp index f8d117790fac3d..664f6982d5eddf 100644 --- a/examples/all-clusters-app/nrfconnect/main/AppTask.cpp +++ b/examples/all-clusters-app/nrfconnect/main/AppTask.cpp @@ -45,6 +45,13 @@ #include "OTAUtil.h" #endif +#ifdef CONFIG_CHIP_CRYPTO_PSA +#include +#ifdef CONFIG_CHIP_MIGRATE_OPERATIONAL_KEYS_TO_ITS +#include "MigrationManager.h" +#endif +#endif + #include #include #include @@ -88,6 +95,9 @@ bool sHaveBLEConnections = false; app::Clusters::TemperatureControl::AppSupportedTemperatureLevelsDelegate sAppSupportedTemperatureLevelsDelegate; +#ifdef CONFIG_CHIP_CRYPTO_PSA +chip::Crypto::PSAOperationalKeystore sPSAOperationalKeystore{}; +#endif } // namespace namespace LedConsts { @@ -209,14 +219,27 @@ CHIP_ERROR AppTask::Init() static OTATestEventTriggerHandler sOtaTestEventTriggerHandler{}; VerifyOrDie(sTestEventTriggerDelegate.Init(ByteSpan(sTestEventTriggerEnableKey)) == CHIP_NO_ERROR); VerifyOrDie(sTestEventTriggerDelegate.AddHandler(&sOtaTestEventTriggerHandler) == CHIP_NO_ERROR); - (void) initParams.InitializeStaticResourcesBeforeServerInit(); +#ifdef CONFIG_CHIP_CRYPTO_PSA + initParams.operationalKeystore = &sPSAOperationalKeystore; +#endif initParams.testEventTriggerDelegate = &sTestEventTriggerDelegate; + (void) initParams.InitializeStaticResourcesBeforeServerInit(); ReturnErrorOnFailure(chip::Server::GetInstance().Init(initParams)); AppFabricTableDelegate::Init(); gExampleDeviceInfoProvider.SetStorageDelegate(&Server::GetInstance().GetPersistentStorage()); chip::DeviceLayer::SetDeviceInfoProvider(&gExampleDeviceInfoProvider); +#ifdef CONFIG_CHIP_MIGRATE_OPERATIONAL_KEYS_TO_ITS + err = MoveOperationalKeysFromKvsToIts(sLocalInitData.mServerInitParams->persistentStorageDelegate, + sLocalInitData.mServerInitParams->operationalKeystore); + if (err != CHIP_NO_ERROR) + { + LOG_ERR("MoveOperationalKeysFromKvsToIts() failed"); + return err; + } +#endif + // We only have network commissioning on endpoint 0. emberAfEndpointEnableDisable(kNetworkCommissioningEndpointSecondary, false); ConfigurationMgr().LogDeviceConfig(); diff --git a/examples/all-clusters-minimal-app/nrfconnect/main/AppTask.cpp b/examples/all-clusters-minimal-app/nrfconnect/main/AppTask.cpp index 02f0704f080a58..b3c8b951372c0f 100644 --- a/examples/all-clusters-minimal-app/nrfconnect/main/AppTask.cpp +++ b/examples/all-clusters-minimal-app/nrfconnect/main/AppTask.cpp @@ -34,6 +34,13 @@ #include "OTAUtil.h" #endif +#ifdef CONFIG_CHIP_CRYPTO_PSA +#include +#ifdef CHIP_MIGRATE_OPERATIONAL_KEYS_TO_ITS +#include "MigrationManager.h" +#endif +#endif + #include #include #include @@ -59,6 +66,10 @@ FactoryResetLEDsWrapper<3> sFactoryResetLEDs{ { FACTORY_RESET_SIGNAL_LED, FACTOR bool sIsNetworkProvisioned = false; bool sIsNetworkEnabled = false; bool sHaveBLEConnections = false; + +#ifdef CONFIG_CHIP_CRYPTO_PSA +chip::Crypto::PSAOperationalKeystore sPSAOperationalKeystore{}; +#endif } // namespace namespace LedConsts { @@ -155,10 +166,23 @@ CHIP_ERROR AppTask::Init() #endif static chip::CommonCaseDeviceServerInitParams initParams; +#ifdef CONFIG_CHIP_CRYPTO_PSA + initParams.operationalKeystore = &sPSAOperationalKeystore; +#endif (void) initParams.InitializeStaticResourcesBeforeServerInit(); ReturnErrorOnFailure(chip::Server::GetInstance().Init(initParams)); AppFabricTableDelegate::Init(); +#ifdef CONFIG_CHIP_MIGRATE_OPERATIONAL_KEYS_TO_ITS + err = MoveOperationalKeysFromKvsToIts(sLocalInitData.mServerInitParams->persistentStorageDelegate, + sLocalInitData.mServerInitParams->operationalKeystore); + if (err != CHIP_NO_ERROR) + { + LOG_ERR("MoveOperationalKeysFromKvsToIts() failed"); + return err; + } +#endif + // We only have network commissioning on endpoint 0. emberAfEndpointEnableDisable(kNetworkCommissioningEndpointSecondary, false); ConfigurationMgr().LogDeviceConfig(); diff --git a/examples/chef/nrfconnect/main.cpp b/examples/chef/nrfconnect/main.cpp index d132252ecd87b3..c79694e2e792a7 100644 --- a/examples/chef/nrfconnect/main.cpp +++ b/examples/chef/nrfconnect/main.cpp @@ -43,6 +43,13 @@ #include "Rpc.h" #endif +#ifdef CONFIG_CHIP_CRYPTO_PSA +#include +#ifdef CONFIG_CHIP_MIGRATE_OPERATIONAL_KEYS_TO_ITS +#include "MigrationManager.h" +#endif +#endif + LOG_MODULE_REGISTER(app, CONFIG_CHIP_APP_LOG_LEVEL); using namespace chip; @@ -51,7 +58,11 @@ using namespace chip::DeviceLayer; namespace { constexpr int kExtDiscoveryTimeoutSecs = 20; -} + +#ifdef CONFIG_CHIP_CRYPTO_PSA +chip::Crypto::PSAOperationalKeystore sPSAOperationalKeystore{}; +#endif +} // namespace int main() { @@ -110,6 +121,9 @@ int main() // Start IM server static chip::CommonCaseDeviceServerInitParams initParams; +#ifdef CONFIG_CHIP_CRYPTO_PSA + initParams.operationalKeystore = &sPSAOperationalKeystore; +#endif (void) initParams.InitializeStaticResourcesBeforeServerInit(); err = chip::Server::GetInstance().Init(initParams); if (err != CHIP_NO_ERROR) diff --git a/examples/light-switch-app/nrfconnect/main/AppTask.cpp b/examples/light-switch-app/nrfconnect/main/AppTask.cpp index 06ac797f6a6899..77f6d59d8055eb 100644 --- a/examples/light-switch-app/nrfconnect/main/AppTask.cpp +++ b/examples/light-switch-app/nrfconnect/main/AppTask.cpp @@ -46,6 +46,13 @@ #include "OTAUtil.h" #endif +#ifdef CONFIG_CHIP_CRYPTO_PSA +#include +#ifdef CONFIG_CHIP_MIGRATE_OPERATIONAL_KEYS_TO_ITS +#include "MigrationManager.h" +#endif +#endif + #include #include #include @@ -94,6 +101,10 @@ k_timer sDimmerPressKeyTimer; k_timer sDimmerTimer; chip::DeviceLayer::DeviceInfoProviderImpl gExampleDeviceInfoProvider; + +#ifdef CONFIG_CHIP_CRYPTO_PSA +chip::Crypto::PSAOperationalKeystore sPSAOperationalKeystore{}; +#endif } // namespace namespace LedConsts { @@ -220,8 +231,11 @@ CHIP_ERROR AppTask::Init() static OTATestEventTriggerHandler sOtaTestEventTriggerHandler{}; VerifyOrDie(sTestEventTriggerDelegate.Init(ByteSpan(sTestEventTriggerEnableKey)) == CHIP_NO_ERROR); VerifyOrDie(sTestEventTriggerDelegate.AddHandler(&sOtaTestEventTriggerHandler) == CHIP_NO_ERROR); - (void) initParams.InitializeStaticResourcesBeforeServerInit(); initParams.testEventTriggerDelegate = &sTestEventTriggerDelegate; +#ifdef CONFIG_CHIP_CRYPTO_PSA + initParams.operationalKeystore = &sPSAOperationalKeystore; +#endif + (void) initParams.InitializeStaticResourcesBeforeServerInit(); ReturnErrorOnFailure(chip::Server::GetInstance().Init(initParams)); AppFabricTableDelegate::Init(); diff --git a/examples/lock-app/nrfconnect/main/AppTask.cpp b/examples/lock-app/nrfconnect/main/AppTask.cpp index 07a96b6d6c29b2..04e2be63f3fd84 100644 --- a/examples/lock-app/nrfconnect/main/AppTask.cpp +++ b/examples/lock-app/nrfconnect/main/AppTask.cpp @@ -47,6 +47,13 @@ #include "OTAUtil.h" #endif +#ifdef CONFIG_CHIP_CRYPTO_PSA +#include +#ifdef CONFIG_CHIP_MIGRATE_OPERATIONAL_KEYS_TO_ITS +#include "MigrationManager.h" +#endif +#endif + #include #include #include @@ -90,6 +97,10 @@ bool sIsNetworkEnabled = false; bool sHaveBLEConnections = false; chip::DeviceLayer::DeviceInfoProviderImpl gExampleDeviceInfoProvider; + +#ifdef CONFIG_CHIP_CRYPTO_PSA +chip::Crypto::PSAOperationalKeystore sPSAOperationalKeystore{}; +#endif } // namespace namespace LedConsts { @@ -214,11 +225,24 @@ CHIP_ERROR AppTask::Init() static OTATestEventTriggerHandler sOtaTestEventTriggerHandler{}; VerifyOrDie(sTestEventTriggerDelegate.Init(ByteSpan(sTestEventTriggerEnableKey)) == CHIP_NO_ERROR); VerifyOrDie(sTestEventTriggerDelegate.AddHandler(&sOtaTestEventTriggerHandler) == CHIP_NO_ERROR); - (void) initParams.InitializeStaticResourcesBeforeServerInit(); +#ifdef CONFIG_CHIP_CRYPTO_PSA + initParams.operationalKeystore = &sPSAOperationalKeystore; +#endif initParams.testEventTriggerDelegate = &sTestEventTriggerDelegate; + (void) initParams.InitializeStaticResourcesBeforeServerInit(); ReturnErrorOnFailure(chip::Server::GetInstance().Init(initParams)); AppFabricTableDelegate::Init(); +#ifdef CONFIG_CHIP_MIGRATE_OPERATIONAL_KEYS_TO_ITS + err = MoveOperationalKeysFromKvsToIts(sLocalInitData.mServerInitParams->persistentStorageDelegate, + sLocalInitData.mServerInitParams->operationalKeystore); + if (err != CHIP_NO_ERROR) + { + LOG_ERR("MoveOperationalKeysFromKvsToIts() failed"); + return err; + } +#endif + gExampleDeviceInfoProvider.SetStorageDelegate(&Server::GetInstance().GetPersistentStorage()); chip::DeviceLayer::SetDeviceInfoProvider(&gExampleDeviceInfoProvider); ConfigurationMgr().LogDeviceConfig(); diff --git a/examples/platform/nrfconnect/util/MigrationManager.cpp b/examples/platform/nrfconnect/util/MigrationManager.cpp new file mode 100644 index 00000000000000..364120863bc7e2 --- /dev/null +++ b/examples/platform/nrfconnect/util/MigrationManager.cpp @@ -0,0 +1,57 @@ +/* + * Copyright (c) 2024 Project CHIP Authors + * All rights reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include "migration_manager.h" + +#include +#include + +#ifdef CONFIG_CHIP_MIGRATE_OPERATIONAL_KEYS_TO_ITS +CHIP_ERROR MoveOperationalKeysFromKvsToIts(chip::PersistentStorageDelegate * storage, chip::Crypto::OperationalKeystore * keystore) +{ + CHIP_ERROR err = CHIP_NO_ERROR; + + VerifyOrReturnError(keystore && storage, CHIP_ERROR_INVALID_ARGUMENT); + + /* Initialize the obsolete Operational Keystore*/ + chip::PersistentStorageOperationalKeystore obsoleteKeystore; + err = obsoleteKeystore.Init(storage); + VerifyOrReturnError(err == CHIP_NO_ERROR, err); + + /* Migrate all obsolete Operational Keys to PSA ITS */ + for (const chip::FabricInfo & fabric : chip::Server::GetInstance().GetFabricTable()) + { + err = keystore->MigrateOpKeypairForFabric(fabric.GetFabricIndex(), obsoleteKeystore); + if (CHIP_NO_ERROR != err) + { + break; + } + } + +#ifdef CONFIG_CHIP_FACTORY_RESET_ON_KEY_MIGRATION_FAILURE + if (CHIP_NO_ERROR != err) + { + chip::Server::GetInstance().ScheduleFactoryReset(); + /* Return a success to not block the Matter event Loop and allow to call scheduled factory + * reset. */ + err = CHIP_NO_ERROR; + } +#endif /* CONFIG_CHIP_FACTORY_RESET_ON_KEY_MIGRATION_FAILURE */ + + return err; +} +#endif /* CONFIG_CHIP_MIGRATE_OPERATIONAL_KEYS_TO_ITS */ diff --git a/examples/platform/nrfconnect/util/include/MigrationManager.h b/examples/platform/nrfconnect/util/include/MigrationManager.h new file mode 100644 index 00000000000000..22b2c5de110de3 --- /dev/null +++ b/examples/platform/nrfconnect/util/include/MigrationManager.h @@ -0,0 +1,41 @@ +/* + * Copyright (c) 2024 Project CHIP Authors + * All rights reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#pragma once + +#include + +#ifdef CONFIG_CHIP_MIGRATE_OPERATIONAL_KEYS_TO_ITS +/** + * @brief Migrate all stored Operational Keys from the persistent storage (KVS) to secure PSA ITS. + * + * This function will schedule a factory reset automatically if the + * CONFIG_CHIP_FACTORY_RESET_ON_KEY_MIGRATION_FAILURE + * Kconfig option is set to 'y'. In this case, the function returns CHIP_NO_ERROR to not block any further + * operations until the scheduled factory reset is done. + * + * @note This function should be called just after Matter Server Init to avoid problems with further CASE + * session re-establishments. + * @param storage + * @param keystore + * @retval CHIP_NO_ERROR if all keys have been migrated properly to PSA ITS or if the error occurs, but + * the CONFIG_CHIP_FACTORY_RESET_ON_KEY_MIGRATION_FAILURE kconfig is set to 'y'. + * @retval CHIP_ERROR_INVALID_ARGUMENT when keystore or storage are not defined. + * @retval Other CHIP_ERROR codes related to internal Migration operations. + */ +CHIP_ERROR MoveOperationalKeysFromKvsToIts(chip::PersistentStorageDelegate * storage, chip::Crypto::OperationalKeystore * keystore); +#endif