Support for Hardware Secure Module (HSM) using Infineon Optiga Trust M (

#28397)

* Added support for Optiga Trust M.

* * Added no warning flag when applying patch for optiga-trust-m.
* Add the optiga_lib_config_mtb.h

* 1)Updated README.md for psoc6 lock-app example

2)Added infineon_trustm_provisioning.md

* 1)Updated README.md for psoc6 lock-app

* 1)Updated README.md for psoc6 lock-app

* 1)Updated optiga-trust-m submodule

2)Updated README.md for psoc6 lock-app

* 1)Updated DeviceAttestationCredsExampleTrustM.cpp

2)Updated the argument with infineon added

* 1)Updated CHIPCryptoPALHsm_HKDF_trustm.cpp and CHIPCryptoPALHsm_HMAC_trustm.cpp

* Merging with v1.1-branch

* Resolve merge conflicts with v1.1-branch

* * Updated the copyright dates.
* Updated README.

* Removed PersistentStorage File.

* 1)Changes to enable build door-lock example with Trust M using python script
2)Fixed the bug for CHIPCryptoPALHsm_HMAC_trustm.cpp

* Restyled by whitespace

* Restyled by clang-format

* [Cherrypick] CI: Fix for v1.1-branch CI, broken due to gdbgui (#28507)

* ESP32: avoid installing gdbgui when not needed (#26542)

ESP-IDF v4.4.4 requires gdbgui only when Python before 3.11 is used (see
espressif/esp-idf@3974be7).
Avoid installing it when not needed.

Fixes: #25385

* Remove gdbgui requirement for esp32 (#28007)

* Remove gdbgui requirement for esp32

* Fix qemu

* Fix chef as well

---------

Co-authored-by: Stefan Agner <[email protected]>
Co-authored-by: Andrei Litvin <[email protected]>

* Fix CI/CD issues:
- Misspell
- restyling
- infineon build

* Resolve CI/CD Build issues for  "Build on Linux"

---------

Co-authored-by: Ank Khandelwal <[email protected]>
Co-authored-by: Restyled.io <[email protected]>
Co-authored-by: Shubham Patil <[email protected]>
Co-authored-by: Stefan Agner <[email protected]>
Co-authored-by: Andrei Litvin <[email protected]>

.github/.wordlist.txt

@@ -633,6 +633,8 @@ HomePods
 hostapd
 hostname
 href
+HSM
+hsm
 HTTPS
 HW
 hwadr
@@ -939,6 +941,7 @@ objcopy
 OccupancySensing
 OctetString
 OECORE
+OID
 ol
 Onboarding
 onboardingcodes
@@ -958,6 +961,7 @@ openweave
 OperationalCredentials
 operationalDataset
 opkg
+OPTIGA
 optionMask
 optionOverride
 optionsMask
@@ -1367,6 +1371,7 @@ transitionTime
 TransportMgrBase
 TriggerEffect
 TRNG
+trustm
 TrustedRootCertificates
 tsan
 TSG

.gitmodules

@@ -293,3 +293,7 @@
 	path = third_party/imgui/repo
 	url = https://github.com/ocornut/imgui
 	platforms = linux
+[submodule "third_party/infineon/trustm/optiga-trust-m"]
+	path = third_party/infineon/trustm/optiga-trust-m
+	url = https://github.com/Infineon/optiga-trust-m
+	platforms = infineon

docs/guides/README.md

@@ -6,6 +6,7 @@
 -   [Apple - Testing with iPhone, iPad, macOS, Apple TV, HomePod, Watch, etc](./darwin.md)
 -   [Espressif (ESP32) - Getting Started Guide](./esp32/README.md)
 -   [Infineon PSoC6 - Software Update](./infineon_psoc6_software_update.md)
+-   [Infineon Trust M Provisioning](./infineon_trustm_provisioning.md)
 -   [Linux - Simulated Devices](./simulated_device_linux.md)
 -   [mbedOS - Adding a new target](./mbedos_add_new_target.md)
 -   [mbedOS - Commissioning](./mbedos_commissioning.md)

docs/guides/infineon_trustm_provisioning.md

@@ -0,0 +1,61 @@
+# Infineon OPTIGA™ Trust M Provisioning for Matter
+
+To use Infineon OPTIGA™ Trust M for device attestation, Provisioning for
+OPTIGA™ Trust M with Matter test device Attestation certificate is needed.
+
+## Hardware setup:
+
+[Raspberry Pi 4](https://www.raspberrypi.com/products/raspberry-pi-4-model-b/)
+
+[OPTIGA™ Trust M S2GO](https://www.infineon.com/cms/en/product/evaluation-boards/s2go-security-optiga-m/)
+
+[Shield2Go Adapter for Raspberry Pi](https://www.infineon.com/cms/en/product/evaluation-boards/s2go-adapter-rasp-pi-iot/)
+or Jumping Wire
+
+## Provisioning for OPTIGA™ Trust M
+
+The
+[Linux Tools for OPTIGA™ Trust M ](https://github.com/Infineon/linux-optiga-trust-m)
+can be used to perform provisioning by following the steps mentioned below.
+
+-   Set up chip-tool on Raspberry Pi 4 by following the instruction listed at
+    [Building chip-tool on Raspberry Pi ](https://github.com/project-chip/connectedhomeip/blob/master/docs/guides/BUILDING.md#installing-prerequisites-on-raspberry-pi-4)
+-   Clone the repo from Infineon Public GitHub
+
+```
+ $ git clone --recurse-submodules https://github.com/Infineon/linux-optiga-trust-m.git
+```
+
+-   Build the Linux tools for OPTIGA™ Trust M
+
+```
+ $ cd linux-optiga-trust-m/
+ $ ./trustm_installation_aarch64_script.sh
+```
+
+-   Run the script to generate Matter test DAC for lock-app using the public key
+    extracted from the Infineon pre-provisioned Certificate and store it into
+    0xe0e3
+
+```
+$ cd scripts/matter_provisioning/
+$ ./matter_dac_provisioning.sh
+```
+
+_Note:_
+
+_By running this example matter_dac_provisioning.sh, the steps shown below are
+executed:_
+
+_Step1: Extract the public key from the Infineon pre-provisioned
+Certificate(0xe0e0) using openssl command._
+
+_Step2: Generate DAC test certificate using the extracted public key, Signed by
+[Matter test PAI](https://github.com/project-chip/connectedhomeip/blob/v1.1-branch/credentials/development/attestation/Matter-Development-PAI-FFF1-noPID-Cert.pem)_.
+Please note that production devices cannot re-use these test keys/certificates.
+
+_Step3: Write DAC test certificate into OPTIGA™ Trust M certificate slot
+0xe0e3_
+
+_Step4: Write Matter test PAI into OPTIGA™ Trust M certificate slot 0xe0e8
+and test CD into OPTIGA™ Trust M Arbitrary OID 0xf1e0._

examples/lock-app/infineon/psoc6/BUILD.gn

@@ -15,9 +15,10 @@
 import("//build_overrides/build.gni")
 import("//build_overrides/chip.gni")
 import("//build_overrides/psoc6.gni")
-
 import("${build_root}/config/defaults.gni")
+import("${chip_root}/src/crypto/crypto.gni")
 import("${chip_root}/src/platform/device.gni")
+import("${chip_root}/third_party/infineon/trustm/trustm_config.gni")
 import("${psoc6_sdk_build_root}/psoc6_executable.gni")
 import("${psoc6_sdk_build_root}/psoc6_sdk.gni")
 
@@ -109,6 +110,7 @@ psoc6_executable("lock_app") {
     "${chip_root}/examples/providers:device_info_provider",
     "${chip_root}/src/lib",
     "${chip_root}/src/setup_payload",
+    "${chip_root}/third_party/infineon/trustm:optiga-trust-m",
   ]
 
   include_dirs += [
@@ -117,6 +119,14 @@ psoc6_executable("lock_app") {
     "${psoc6_project_dir}/include",
   ]
 
+  if (chip_enable_infineon_trustm) {
+    include_dirs += [ "${chip_root}/third_party/infineon/trustm" ]
+  }
+
+  if (chip_enable_infineon_trustm_da) {
+    include_dirs += [ "${chip_root}/examples/platform/infineon/trustm" ]
+  }
+
   sources = [
     "${examples_plat_dir}/LEDWidget.cpp",
     "${examples_plat_dir}/init_psoc6Platform.cpp",

examples/lock-app/infineon/psoc6/README.md

@@ -14,6 +14,8 @@ An example showing the use of Matter on the Infineon CY8CKIT-062S2-43012 board.
             -   [Notes](#notes)
         -   [Cluster control](#cluster-control)
         -   [Factory Reset](#factory-reset)
+    -   [Building with OPTIGA™ Trust M as HSM](#build-trustm-hsm)
+        -   [OPTIGA™ Trust M Provisioning](#provisioning-trustm)
     -   [OTA Software Update](#ota-software-update)
 
 <hr>
@@ -55,6 +57,10 @@ will then join the network.
           $ cd ~/connectedhomeip
           $ rm -rf out/
 
+_To build with Infineon Hardware Security Module-OPTIGA™ Trust M for Device
+attestation and other security use cases, please refer to the
+[Building with OPTIGA™ Trust M as HSM](#build-trustm-hsm) for more instructions_
+
 ## Flashing the Application
 
 -   Put CY8CKIT-062S2-43012 board on KitProg3 CMSIS-DAP Mode by pressing the
@@ -128,10 +134,71 @@ commands. These power cycle the BlueTooth hardware and disable BR/EDR mode.
     on the board. All the data configured on the device during the initial
     commissioning will be deleted and device will be ready for commissioning
     again.
-
 -   Pressing the button again within 5 seconds will cancel the factory reset of
     the board.
 
+## <a name="build-trustm-hsm"></a>
+
+## Building with OPTIGA™ Trust M as HSM
+
+Infineon Hardware Security Module-OPTIGA™ Trust M is a high-end security
+solution that provides an anchor of trust for connecting IoT devices to the
+cloud, giving every IoT device its own unique identity.
+
+For different security use cases, please set the flags in
+CHIPCryptoPALHsm*config.h which is located at */src/crypto/hsm/\_
+
+For device attestation please enable the flag ENABLE*HSM_DEVICE_ATTESTATION in
+CHIPCryptoPALHsm_config.h which is located at */src/crypto/hsm/\_
+
+-   Supported hardware setup:
+    [CY8CKIT-062S2-43012](https://www.cypress.com/CY8CKIT-062S2-43012)
+
+    [OPTIGA™ Trust M S2GO](https://www.infineon.com/cms/en/product/evaluation-boards/s2go-security-optiga-m/)
+
+    [MY IOT ADAPTER](https://www.infineon.com/cms/en/product/evaluation-boards/my-iot-adapter/)
+
+-   Building
+
+    Follow the steps to build:
+
+    ```
+      $ cd examples/lock-app/infineon/psoc6
+      $ source third_party/conenctedhomeip/scripts/activate.sh
+      $ export PSOC6_BOARD=CY8CKIT-062S2-43012
+    ```
+
+    Note: export PSOC6_BOARD=CY8CKIT-062S2-43012 is used to set up the
+    development platform and environment to use CY8CKIT-062S2-43012 board for
+    code compilation.
+
+    To enable OPTIGA™ Trust M for device attestation use case:
+
+    ```
+      $ gn gen out/debug --args="chip_enable_infineon_trustm=true chip_enable_infineon_trustm_da=true"
+      $ ninja -C out/debug
+    ```
+
+-   To delete generated executable, libraries and object files use:
+
+        $ cd examples/lock-app/infineon/psoc6
+        $ rm -rf out/
+
+-   Proceed to OPTIGA™ Trust M Provisioning section to complete the credential
+    storage into HSM.
+
+### <a name="provisioning-trustm"></a>
+
+### OPTIGA™ Trust M Provisioning
+
+For the description of OPTIGA™ Trust M Provisioning with test DAC generation and
+PAI and CD storage, please refer to
+[Infineon OPTIGA™ Trust M Provisioning](../../../../docs/guides/infineon_trustm_provisioning.md)
+
+After completing OPTIGA™ Trust M Provisioning, proceed to
+[Flashing the Application](#flashing-the-application) section to continue with
+subsequent steps.
+
 ## OTA Software Update
 
 For the description of Software Update process with infineon PSoC6 example

examples/lock-app/infineon/psoc6/args.gni

@@ -19,3 +19,5 @@ import("${chip_root}/src/platform/Infineon/PSOC6/args.gni")
 
 psoc6_target_project =
     get_label_info(":lock_app_sdk_sources", "label_no_toolchain")
+chip_enable_infineon_trustm = false
+chip_enable_infineon_trustm_da = false

examples/lock-app/infineon/psoc6/src/AppTask.cpp

@@ -45,6 +45,14 @@
 #include <app/clusters/door-lock-server/door-lock-server.h>
 #include <app/clusters/identify-server/identify-server.h>
 
+#if CHIP_CRYPTO_HSM
+#include <crypto/hsm/CHIPCryptoPALHsm.h>
+#endif
+
+#ifdef ENABLE_HSM_DEVICE_ATTESTATION
+#include "DeviceAttestationCredsExampleTrustM.h"
+#endif
+
 /* OTA related includes */
 #if CHIP_DEVICE_CONFIG_ENABLE_OTA_REQUESTOR
 #include <app/clusters/ota-requestor/BDXDownloader.h>
@@ -155,7 +163,12 @@ static void InitServer(intptr_t context)
     chip::DeviceLayer::SetDeviceInfoProvider(&gExampleDeviceInfoProvider);
 
     // Initialize device attestation config
+#ifdef ENABLE_HSM_DEVICE_ATTESTATION
+    SetDeviceAttestationCredentialsProvider(Examples::GetExampleTrustMDACProvider());
+#else
     SetDeviceAttestationCredentialsProvider(Examples::GetExampleDACProvider());
+#endif
+
 #if CHIP_DEVICE_CONFIG_ENABLE_OTA_REQUESTOR
     GetAppTask().InitOTARequestor();
 #endif