HSM key store to handle AddNOC / UpdateNOC (project-chip#21667)

* draft code for hsm integration in key store

* updated crypto build file

* updated keystore hsm file

* updated keystore file

* code cleanup

* code cleanup

* restyler

* using hsm util file

* bug fixes

* removed hsm key store. Will be moved to application specific code.

* reseting pending slot

* restyler

* review comments - update

* draft code for hsm integration in key store

* updated crypto build file

* updated keystore hsm file

* updated keystore file

* code cleanup

* code cleanup

* restyler

* using hsm util file

* bug fixes

* removed hsm key store. Will be moved to application specific code.

* reseting pending slot

* restyler

* review comments - update

* review comments - updated

* declaring variable where it is used

src/credentials/FabricTable.cpp

@@ -28,9 +28,6 @@
 #include <lib/support/DefaultStorageKeyAllocator.h>
 #include <lib/support/SafeInt.h>
 #include <lib/support/ScopedBuffer.h>
-#if CHIP_CRYPTO_HSM
-#include <crypto/hsm/CHIPCryptoPALHsm.h>
-#endif
 
 namespace chip {
 using namespace Credentials;
@@ -257,11 +254,7 @@ CHIP_ERROR FabricInfo::SetOperationalKeypair(const P256Keypair * keyPair)
 
     if (mOperationalKey == nullptr)
     {
-#ifdef ENABLE_HSM_CASE_OPS_KEY
-        mOperationalKey = chip::Platform::New<P256KeypairHSM>();
-#else
         mOperationalKey = chip::Platform::New<P256Keypair>();
-#endif
     }
     VerifyOrReturnError(mOperationalKey != nullptr, CHIP_ERROR_NO_MEMORY);
     return mOperationalKey->Deserialize(serialized);

src/credentials/FabricTable.h

@@ -230,13 +230,8 @@ class DLL_EXPORT FabricInfo
 
     VendorId mVendorId                                  = VendorId::NotSpecified;
     char mFabricLabel[kFabricLabelMaxLengthInBytes + 1] = { '\0' };
-
-#ifdef ENABLE_HSM_CASE_OPS_KEY
-    mutable Crypto::P256KeypairHSM * mOperationalKey = nullptr;
-#else
-    mutable Crypto::P256Keypair * mOperationalKey = nullptr;
-#endif
-    bool mHasExternallyOwnedOperationalKey = false;
+    mutable Crypto::P256Keypair * mOperationalKey       = nullptr;
+    bool mHasExternallyOwnedOperationalKey              = false;
 
     CHIP_ERROR CommitToStorage(PersistentStorageDelegate * storage) const;
     CHIP_ERROR LoadFromStorage(PersistentStorageDelegate * storage, FabricIndex newFabricIndex, const ByteSpan & rcac,

src/crypto/BUILD.gn

@@ -167,6 +167,8 @@ static_library("crypto") {
       "hsm/nxp/CHIPCryptoPALHsm_SE05X_PBKDF.cpp",
       "hsm/nxp/CHIPCryptoPALHsm_SE05X_Spake2p.cpp",
       "hsm/nxp/CHIPCryptoPALHsm_SE05X_utils.cpp",
+      "hsm/nxp/PersistentStorageOperationalKeystoreHSM.cpp",
+      "hsm/nxp/PersistentStorageOperationalKeystoreHSM.h",
     ]
     public_deps += [ "${chip_root}/third_party/simw-top-mini:se05x" ]
     public_configs += [ "${chip_root}/third_party/simw-top-mini:se05x_config" ]

src/crypto/hsm/CHIPCryptoPALHsm.h

@@ -145,8 +145,6 @@ class P256KeypairHSM : public P256Keypair
 
     uint32_t GetKeyId(void) { return keyid; }
 
-    CHIP_ERROR CreateOperationalKey(FabricIndex fabricIdx);
-
 private:
     uint32_t keyid;
     P256PublicKeyHSM mPublicKeyHSM;

src/crypto/hsm/CHIPCryptoPALHsm_config.h

@@ -25,7 +25,7 @@
 /*
  * Enable HSM for SPAKE VERIFIER
  */
-#define ENABLE_HSM_SPAKE_VERIFIER 0
+#define ENABLE_HSM_SPAKE_VERIFIER 1
 
 /*
  * Enable HSM for SPAKE PROVER
@@ -58,8 +58,6 @@
 
 #if ((CHIP_CRYPTO_HSM) && (ENABLE_HSM_GENERATE_EC_KEY))
 #define ENABLE_HSM_EC_KEY
-#define ENABLE_HSM_CASE_EPHEMERAL_KEY
-//#define ENABLE_HSM_CASE_OPS_KEY
 //#define ENABLE_HSM_ECDSA_VERIFY
 #endif
 

src/crypto/hsm/nxp/CHIPCryptoPALHsm_SE05X_P256.cpp

@@ -693,19 +693,6 @@ CHIP_ERROR P256KeypairHSM::NewCertificateSigningRequest(uint8_t * csr, size_t &
     return error;
 }
 
-CHIP_ERROR P256KeypairHSM::CreateOperationalKey(FabricIndex fabricIdx)
-{
-    (void) fabricIdx;
-    // TBD - Map fabric index to operational keys
-    SetKeyId(kKeyId_operational_key_keyid);
-    if (Initialize() == CHIP_NO_ERROR)
-    {
-        provisioned_key = true;
-        return CHIP_NO_ERROR;
-    }
-    return CHIP_ERROR_INTERNAL;
-}
-
 } // namespace Crypto
 } // namespace chip
 

src/crypto/hsm/nxp/CHIPCryptoPALHsm_SE05X_Spake2p.cpp

@@ -27,13 +27,13 @@
 #if ((ENABLE_HSM_SPAKE_VERIFIER) || (ENABLE_HSM_SPAKE_PROVER))
 
 #if ENABLE_HSM_SPAKE_VERIFIER
-const uint32_t w0in_id_v = 0x2347;
-const uint32_t Lin_id_v  = 0x2348;
+const uint32_t w0in_id_v = 0x7D200001;
+const uint32_t Lin_id_v  = 0x7D200002;
 #endif
 
 #if ENABLE_HSM_SPAKE_PROVER
-const uint32_t w0in_id_p = 0x2349;
-const uint32_t w1in_id_p = 0x2350;
+const uint32_t w0in_id_p = 0x7D200003;
+const uint32_t w1in_id_p = 0x7D200004;
 #endif
 
 void Spake2p_Finish_HSM(hsm_pake_context_t * phsm_pake_context)
@@ -71,7 +71,7 @@ CHIP_ERROR create_init_crypto_obj(chip::Crypto::CHIP_SPAKE2P_ROLE role, hsm_pake
     uint8_t create_crypto_obj = 1;
 #endif
 
-    ChipLogProgress(Crypto, "Using Object Id --> %d \n", spakeObjectId);
+    ChipLogProgress(Crypto, "SE05x: Using Object Id --> %d", spakeObjectId);
 
     if (spakeObjectId != 0)
     {
@@ -124,7 +124,7 @@ CHIP_ERROR Spake2p_ComputeRoundOne_HSM(hsm_pake_context_t * phsm_pake_context, c
 {
     SE05x_CryptoObjectID_t spakeObjectId = phsm_pake_context->spake_objId;
 
-    ChipLogProgress(Crypto, "Using HSM for spake2p ComputeRoundOne \n");
+    ChipLogProgress(Crypto, "SE05x: Using HSM for spake2p ComputeRoundOne");
 
     VerifyOrReturnError(out != nullptr, CHIP_ERROR_INVALID_ARGUMENT);
     VerifyOrReturnError(out_len != nullptr, CHIP_ERROR_INVALID_ARGUMENT);
@@ -156,7 +156,7 @@ CHIP_ERROR Spake2p_ComputeRoundTwo_HSM(hsm_pake_context_t * phsm_pake_context, c
     VerifyOrReturnError(pKeyKe != nullptr, CHIP_ERROR_INVALID_ARGUMENT);
     VerifyOrReturnError(pkeyKeLen != nullptr, CHIP_ERROR_INVALID_ARGUMENT);
 
-    ChipLogProgress(Crypto, "Using HSM for spake2p ComputeRoundTwo \n");
+    ChipLogProgress(Crypto, "SE05x: Using HSM for spake2p ComputeRoundTwo");
 
     const uint8_t * const pab = (role == chip::Crypto::CHIP_SPAKE2P_ROLE::VERIFIER) ? NULL : in;
     const size_t pab_len      = (role == chip::Crypto::CHIP_SPAKE2P_ROLE::VERIFIER) ? 0 : in_len;
@@ -178,7 +178,7 @@ CHIP_ERROR Spake2p_KeyConfirm_HSM(hsm_pake_context_t * phsm_pake_context, chip::
     VerifyOrReturnError(in != nullptr, CHIP_ERROR_INVALID_ARGUMENT);
     VerifyOrReturnError(gex_sss_chip_ctx.ks.session != NULL, CHIP_ERROR_INTERNAL);
 
-    ChipLogProgress(Crypto, "Using HSM for spake2p KeyConfirm \n");
+    ChipLogProgress(Crypto, "SE05x: Using HSM for spake2p KeyConfirm");
 
     uint8_t presult                            = 0;
     const SE05x_CryptoObjectID_t spakeObjectId = phsm_pake_context->spake_objId;
@@ -251,7 +251,7 @@ CHIP_ERROR Spake2pHSM_P256_SHA256_HKDF_HMAC::BeginVerifier(const uint8_t * my_id
         VerifyOrReturnError(peer_identity != nullptr, CHIP_ERROR_INVALID_ARGUMENT);
     }
 
-    ChipLogProgress(Crypto, "HSM - BeginVerifier \n");
+    ChipLogProgress(Crypto, "SE05x: HSM - BeginVerifier");
 
     ReturnErrorOnFailure(FELoad(w0in, w0in_len, w0));
     ReturnErrorOnFailure(FEWrite(w0, w0in_mod, w0in_mod_len));
@@ -309,7 +309,7 @@ CHIP_ERROR Spake2pHSM_P256_SHA256_HKDF_HMAC::BeginProver(const uint8_t * my_iden
 
     VerifyOrReturnError(state == CHIP_SPAKE2P_STATE::INIT, CHIP_ERROR_INTERNAL);
 
-    ChipLogProgress(Crypto, "HSM - BeginProver \n");
+    ChipLogProgress(Crypto, "SE05x: HSM - BeginProver");
 
     ReturnErrorOnFailure(FELoad(w0in, w0in_len, w0));
     ReturnErrorOnFailure(FEWrite(w0, w0in_mod, w0in_mod_len));

src/crypto/hsm/nxp/CHIPCryptoPALHsm_SE05X_utils.h

@@ -42,11 +42,11 @@ extern ex_sss_boot_ctx_t gex_sss_chip_ctx;
 enum keyid_values
 {
     kKeyId_NotInitialized           = 0,
-    kKeyId_pbkdf2_sha256_hmac_keyid = 0xBCBCBCBC,
+    kKeyId_pbkdf2_sha256_hmac_keyid = 0x7D000000,
     kKeyId_hkdf_sha256_hmac_keyid,
     kKeyId_hmac_sha256_keyid,
     kKeyId_sha256_ecc_pub_keyid,
-    kKeyId_operational_key_keyid,
+    kKeyId_case_ephemeral_keyid,
 };
 
 // Enable the below macro to make spake HSM imlementation reentrant.