[Realtek] Support trustzone (project-chip#41534)

* [Realtek] add CONFIG_DAC_KEY_ENC

* [Realtek] Improve code maintainability

* [Realtek] Add cg dac vendor

* [Realtek] Restyle files

* [Realtek] Modify according to bot

* [Realtek] Modify according by bot

* [Realtek] modify according to bot

* [Realtek] Fix some error

* [Realtek] Fix some error

* [Realtek] Fix some error

* [Realtek] Modify return value

* [Realtek] Support RTK trustzone

* [Realtek] Restyle files

* [Realtek] modify according bot

* [Realtek] Optimize code

* [Realtek] Fix bug

* [Realtek] Fix some bug

* [Realtek] Restyle files

Author: pankore

src/platform/realtek/BEE/BUILD.gn

@@ -95,6 +95,7 @@ static_library("BEE") {
       "CG/CGSecureDACVendorProvider.cpp",
       "CG/CGSecureDACVendorProvider.h",
     ]
+    defines = [ "CONFIG_USE_CG_SECURE_DAC_VENDOR=1" ]
   }
 }
 

src/platform/realtek/BEE/PlatformManagerImpl.h

@@ -95,7 +95,11 @@ inline PlatformManagerImpl & PlatformMgrImpl(void)
 inline void PlatformManagerImpl::_RunEventLoop(void)
 {
 #if defined(FEATURE_TRUSTZONE_ENABLE) && (FEATURE_TRUSTZONE_ENABLE == 1)
+#if CONFIG_USE_CG_SECURE_DAC_VENDOR
     constexpr size_t kPlatformManagerSecureContextSize = 2 * 1024;
+#else // RTK Encrypt DAC
+    constexpr size_t kPlatformManagerSecureContextSize = 8 * 1024;
+#endif
     os_alloc_secure_ctx(kPlatformManagerSecureContextSize);
 #endif
     Internal::GenericPlatformManagerImpl_FreeRTOS<PlatformManagerImpl>::_RunEventLoop();

src/platform/realtek/BEE/RTK/RTKDACVendorProvider.cpp

@@ -187,6 +187,32 @@ CHIP_ERROR RTKDACVendorProvider::GetProductAttestationIntermediateCert(MutableBy
     return CHIP_NO_ERROR;
 }
 
+#if FEATURE_TRUSTZONE_ENABLE && CONFIG_DAC_KEY_ENC
+CHIP_ERROR RTKDACVendorProvider::ImportDACKey()
+{
+    VerifyOrReturnError(pFactoryData->dac.dac_cert.value, CHIP_ERROR_PERSISTED_STORAGE_VALUE_NOT_FOUND);
+    VerifyOrReturnError(pFactoryData->dac.dac_key.value, CHIP_ERROR_PERSISTED_STORAGE_VALUE_NOT_FOUND);
+    ByteSpan dacCertSpan{ pFactoryData->dac.dac_cert.value, pFactoryData->dac.dac_cert.len };
+    chip::Crypto::P256PublicKey dacPublicKey;
+    ReturnErrorOnFailure(chip::Crypto::ExtractPubkeyFromX509Cert(dacCertSpan, dacPublicKey));
+
+    DAC_IMPORT_PARAM key_param       = {};
+    key_param.encrypted_priv_key     = pFactoryData->dac.dac_key.value;
+    key_param.encrypted_priv_key_len = pFactoryData->dac.dac_key.len;
+    key_param.public_key             = dacPublicKey.Bytes();
+    key_param.public_key_len         = dacPublicKey.Length();
+
+    secure_app_function_call(SECURE_APP_FUNCTION_DAC_KEY_IMPORT, &key_param);
+    if (key_param.ret)
+    {
+        ChipLogError(DeviceLayer, "secure_app_function_call DAC key import %d", key_param.ret);
+        return CHIP_ERROR_INTERNAL;
+    }
+
+    return CHIP_NO_ERROR;
+}
+#endif
+
 CHIP_ERROR RTKDACVendorProvider::SignWithDeviceAttestationKey(const ByteSpan & messageToSign, MutableByteSpan & outSignBuffer)
 {
     CHIP_ERROR err = CHIP_NO_ERROR;
@@ -199,8 +225,32 @@ CHIP_ERROR RTKDACVendorProvider::SignWithDeviceAttestationKey(const ByteSpan & m
 
 #if CONFIG_FACTORY_DATA
 #if FEATURE_TRUSTZONE_ENABLE && CONFIG_DAC_KEY_ENC
-    ChipLogError(DeviceLayer, "TrustZone build: Device attestation is NOT implemented. Attestation will fail.");
-    ReturnErrorOnFailure(CHIP_ERROR_NOT_IMPLEMENTED);
+    if (!mDACKeyImported)
+    {
+        ReturnErrorOnFailure(ImportDACKey());
+        mDACKeyImported = true;
+    }
+
+    uint8_t sig_tmp_buf[Crypto::kP256_ECDSA_Signature_Length_Raw] = {};
+    DAC_SIGN_PARAM param                                          = {};
+    param.msg                                                     = messageToSign.data();
+    param.msg_len                                                 = messageToSign.size();
+    param.sig                                                     = sig_tmp_buf;
+    param.p_sig_len                                               = sizeof(sig_tmp_buf);
+
+    secure_app_function_call(SECURE_APP_FUNCTION_DAC_KEY_SIGN, &param);
+    if (param.ret)
+    {
+        ChipLogError(DeviceLayer, "secure_app_function_call DAC key sign %d", param.ret);
+        return CHIP_ERROR_INTERNAL;
+    }
+    if (param.sig_len == 0 || param.sig_len > sizeof(sig_tmp_buf))
+    {
+        ChipLogError(DeviceLayer, "Signature length out of bounds: %d", param.sig_len);
+        return CHIP_ERROR_INTERNAL;
+    }
+
+    return CopySpanToMutableSpan(ByteSpan{ sig_tmp_buf, static_cast<size_t>(param.sig_len) }, outSignBuffer);
 #else
     VerifyOrReturnError(pFactoryData->dac.dac_cert.value, CHIP_ERROR_PERSISTED_STORAGE_VALUE_NOT_FOUND);
     VerifyOrReturnError(pFactoryData->dac.dac_key.value, CHIP_ERROR_PERSISTED_STORAGE_VALUE_NOT_FOUND);

src/platform/realtek/BEE/RTK/RTKDACVendorProvider.h

@@ -22,7 +22,9 @@
 #include <platform/CommissionableDataProvider.h>
 #include <platform/DeviceInstanceInfoProvider.h>
 #include <platform/realtek/BEE/FactoryDataProvider.h>
-
+#if FEATURE_TRUSTZONE_ENABLE && CONFIG_DAC_KEY_ENC
+#include "rtk/include/nsc_veneer_customize.h"
+#endif
 namespace chip {
 namespace DeviceLayer {
 
@@ -40,6 +42,10 @@ class RTKDACVendorProvider : public chip::Credentials::DeviceAttestationCredenti
 
 private:
     const FactoryData * pFactoryData;
+    bool mDACKeyImported = false;
+#if FEATURE_TRUSTZONE_ENABLE && CONFIG_DAC_KEY_ENC
+    CHIP_ERROR ImportDACKey();
+#endif
 };
 
 } // namespace DeviceLayer

src/platform/realtek/BEE/ThreadStackManagerImpl.cpp

@@ -42,7 +42,7 @@
 
 namespace {
 #if defined(FEATURE_TRUSTZONE_ENABLE) && (FEATURE_TRUSTZONE_ENABLE == 1)
-constexpr size_t kThreadManagerSecureContextSize = 5 * 1024;
+constexpr size_t kThreadManagerSecureContextSize = 1024;
 static void AllocateThreadTaskSecureContext()
 {
     os_alloc_secure_ctx(kThreadManagerSecureContextSize);