
Commit 9479649

[Realtek] Support trustzone (project-chip#41534)
* [Realtek] add CONFIG_DAC_KEY_ENC * [Realtek] Improve code maintainability * [Realtek] Add cg dac vendor * [Realtek] Restyle files * [Realtek] Modify according to bot * [Realtek] Modify according by bot * [Realtek] modify according to bot * [Realtek] Fix some error * [Realtek] Fix some error * [Realtek] Fix some error * [Realtek] Modify return value * [Realtek] Support RTK trustzone * [Realtek] Restyle files * [Realtek] modify according bot * [Realtek] Optimize code * [Realtek] Fix bug * [Realtek] Fix some bug * [Realtek] Restyle files
1 parent 1b0ab7e commit 9479649


5 files changed

+65
-4
lines changed


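--- a/src/platform/realtek/BEE/BUILD.gn
+++ b/src/platform/realtek/BEE/BUILD.gn
@@ -95,6 +95,7 @@ static_library("BEE") {
 "CG/CGSecureDACVendorProvider.cpp",
 "CG/CGSecureDACVendorProvider.h",
 ]
+defines = [ "CONFIG_USE_CG_SECURE_DAC_VENDOR=1" ]
 }
 }
 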
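--- a/src/platform/realtek/BEE/PlatformManagerImpl.h
+++ b/src/platform/realtek/BEE/PlatformManagerImpl.h
@@ -95,7 +95,11 @@ inline PlatformManagerImpl & PlatformMgrImpl(void)
 inline void PlatformManagerImpl::_RunEventLoop(void)
 {
 #if defined(FEATURE_TRUSTZONE_ENABLE) && (FEATURE_TRUSTZONE_ENABLE == 1)
+#if CONFIG_USE_CG_SECURE_DAC_VENDOR
 constexpr size_t kPlatformManagerSecureContextSize = 2 * 1024;
+#else // RTK Encrypt DAC
+constexpr size_t kPlatformManagerSecureContextSize = 8 * 1024;
+#endif
 os_alloc_secure_ctx(kPlatformManagerSecureContextSize);
 #endif
 Internal::GenericPlatformManagerImpl_FreeRTOS<PlatformManagerImpl>::_RunEventLoop();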
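Review bot: `#if CONFIG_USE_CG_SECURE_DAC_VENDOR` in this inline header function depends on a macro that BUILD.gn sets only through the `defines` of `static_library("BEE")`, and GN target-level `defines` are not propagated to dependents. Any translation unit outside that target that includes PlatformManagerImpl.h would see the macro undefined, silently take the `#else` branch, and compile `_RunEventLoop` with an 8 KB secure context while the library's own sources use 2 KB, giving one inline function two different bodies. If the header is included from other targets, publishing the define through a config the platform target exposes would keep the two in step. The result of `os_alloc_secure_ctx` is also unchecked on the context line, which matters more now that the request can be 8 KB. `_RunEventLoop`'s body continues outside the hunk.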

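--- a/src/platform/realtek/BEE/RTK/RTKDACVendorProvider.cpp
+++ b/src/platform/realtek/BEE/RTK/RTKDACVendorProvider.cpp
@@ -187,6 +187,32 @@ CHIP_ERROR RTKDACVendorProvider::GetProductAttestationIntermediateCert(MutableBy
 return CHIP_NO_ERROR;
 }
 
+#if FEATURE_TRUSTZONE_ENABLE && CONFIG_DAC_KEY_ENC
+CHIP_ERROR RTKDACVendorProvider::ImportDACKey()
+{
+VerifyOrReturnError(pFactoryData->dac.dac_cert.value, CHIP_ERROR_PERSISTED_STORAGE_VALUE_NOT_FOUND);
+VerifyOrReturnError(pFactoryData->dac.dac_key.value, CHIP_ERROR_PERSISTED_STORAGE_VALUE_NOT_FOUND);
+ByteSpan dacCertSpan{ pFactoryData->dac.dac_cert.value, pFactoryData->dac.dac_cert.len };
+chip::Crypto::P256PublicKey dacPublicKey;
+ReturnErrorOnFailure(chip::Crypto::ExtractPubkeyFromX509Cert(dacCertSpan, dacPublicKey));
+
+DAC_IMPORT_PARAM key_param = {};
+key_param.encrypted_priv_key = pFactoryData->dac.dac_key.value;
+key_param.encrypted_priv_key_len = pFactoryData->dac.dac_key.len;
+key_param.public_key = dacPublicKey.Bytes();
+key_param.public_key_len = dacPublicKey.Length();
+
+secure_app_function_call(SECURE_APP_FUNCTION_DAC_KEY_IMPORT, &key_param);
+if (key_param.ret)
+{
+ChipLogError(DeviceLayer, "secure_app_function_call DAC key import %d", key_param.ret);
+return CHIP_ERROR_INTERNAL;
+}
+
+return CHIP_NO_ERROR;
+}
+#endif
+
 CHIP_ERROR RTKDACVendorProvider::SignWithDeviceAttestationKey(const ByteSpan & messageToSign, MutableByteSpan & outSignBuffer)
 {
 CHIP_ERROR err = CHIP_NO_ERROR;
@@ -199,8 +225,32 @@ CHIP_ERROR RTKDACVendorProvider::SignWithDeviceAttestationKey(const ByteSpan & m
 
 #if CONFIG_FACTORY_DATA
 #if FEATURE_TRUSTZONE_ENABLE && CONFIG_DAC_KEY_ENC
-ChipLogError(DeviceLayer, "TrustZone build: Device attestation is NOT implemented. Attestation will fail.");
-ReturnErrorOnFailure(CHIP_ERROR_NOT_IMPLEMENTED);
+if (!mDACKeyImported)
+{
+ReturnErrorOnFailure(ImportDACKey());
+mDACKeyImported = true;
+}
+
+uint8_t sig_tmp_buf[Crypto::kP256_ECDSA_Signature_Length_Raw] = {};
+DAC_SIGN_PARAM param = {};
+param.msg = messageToSign.data();
+param.msg_len = messageToSign.size();
+param.sig = sig_tmp_buf;
+param.p_sig_len = sizeof(sig_tmp_buf);
+
+secure_app_function_call(SECURE_APP_FUNCTION_DAC_KEY_SIGN, &param);
+if (param.ret)
+{
+ChipLogError(DeviceLayer, "secure_app_function_call DAC key sign %d", param.ret);
+return CHIP_ERROR_INTERNAL;
+}
+if (param.sig_len == 0 || param.sig_len > sizeof(sig_tmp_buf))
+{
+ChipLogError(DeviceLayer, "Signature length out of bounds: %d", param.sig_len);
+return CHIP_ERROR_INTERNAL;
+}
+
+return CopySpanToMutableSpan(ByteSpan{ sig_tmp_buf, static_cast<size_t>(param.sig_len) }, outSignBuffer);
 #else
 VerifyOrReturnError(pFactoryData->dac.dac_cert.value, CHIP_ERROR_PERSISTED_STORAGE_VALUE_NOT_FOUND);
 VerifyOrReturnError(pFactoryData->dac.dac_key.value, CHIP_ERROR_PERSISTED_STORAGE_VALUE_NOT_FOUND);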
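Review bot: In `ImportDACKey` the only success signal is `key_param.ret`, which `DAC_IMPORT_PARAM key_param = {}` has already zeroed, so a `secure_app_function_call` that returns without writing the struct cannot be told apart from a successful import, and `mDACKeyImported` is then latched to true. The sign path in the second hunk follows the same pattern but is backstopped by the `param.sig_len == 0` check; the import has no such net. Presetting a failure value before the call, e.g. `key_param.ret = -1;` (assuming `ret` is a signed status, as the `%d` log suggests), and also checking any status `secure_app_function_call` itself returns, would make the failure case explicit. `ImportDACKey` also checks only the `value` pointers, so rejecting `dac_cert.len == 0` and `dac_key.len == 0` before the blob crosses into the secure world would be a cheap extra guard. `SignWithDeviceAttestationKey` starts and ends outside the second hunk.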

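--- a/src/platform/realtek/BEE/RTK/RTKDACVendorProvider.h
+++ b/src/platform/realtek/BEE/RTK/RTKDACVendorProvider.h
@@ -22,7 +22,9 @@
 #include <platform/CommissionableDataProvider.h>
 #include <platform/DeviceInstanceInfoProvider.h>
 #include <platform/realtek/BEE/FactoryDataProvider.h>
-
+#if FEATURE_TRUSTZONE_ENABLE && CONFIG_DAC_KEY_ENC
+#include "rtk/include/nsc_veneer_customize.h"
+#endif
 namespace chip {
 namespace DeviceLayer {
 
@@ -40,6 +42,10 @@ class RTKDACVendorProvider : public chip::Credentials::DeviceAttestationCredenti
 
 private:
 const FactoryData * pFactoryData;
+bool mDACKeyImported = false;
+#if FEATURE_TRUSTZONE_ENABLE && CONFIG_DAC_KEY_ENC
+CHIP_ERROR ImportDACKey();
+#endif
 };
 
 } // namespace DeviceLayer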
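Review bot: `bool mDACKeyImported = false;` is declared outside the `#if FEATURE_TRUSTZONE_ENABLE && CONFIG_DAC_KEY_ENC` guard that wraps `ImportDACKey()`, so builds without the encrypted-DAC path carry a member nothing reads. Moving it inside the guard keeps the flag next to its only user, and a comment such as `// Set once the secure world has accepted the encrypted DAC key; never reset.` would record the lifetime the .cpp relies on. The veneer header `rtk/include/nsc_veneer_customize.h` is pulled into this class header in the first hunk although only the .cpp appears to use its types; including it from the .cpp instead would keep the secure-call interface out of every includer. The class definition starts outside the hunk.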

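--- a/src/platform/realtek/BEE/ThreadStackManagerImpl.cpp
+++ b/src/platform/realtek/BEE/ThreadStackManagerImpl.cpp
@@ -42,7 +42,7 @@
 
 namespace {
 #if defined(FEATURE_TRUSTZONE_ENABLE) && (FEATURE_TRUSTZONE_ENABLE == 1)
-constexpr size_t kThreadManagerSecureContextSize = 5 * 1024;
+constexpr size_t kThreadManagerSecureContextSize = 1024;
 static void AllocateThreadTaskSecureContext()
 {
 os_alloc_secure_ctx(kThreadManagerSecureContextSize);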
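Review bot: `kThreadManagerSecureContextSize` drops from `5 * 1024` to `1024` with no comment recording why 1 KB of secure stack is enough for the Thread task. If anything on that task reaches a secure-world call that needs a deeper stack, the shortfall would surface as a secure-side fault at run time rather than at build time; for comparison, the platform task's context is sized at 8 KB for the RTK encrypted-DAC path in PlatformManagerImpl.h. A comment next to the constant stating which secure calls the Thread task makes and their measured stack need, plus a check on the result of `os_alloc_secure_ctx`, would make the assumption reviewable. `AllocateThreadTaskSecureContext` continues outside the hunk.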
