1)Added Crypto Function provided by Infineon HSM OPTIGA Trust M

.github/.wordlist.txt

@@ -643,6 +643,8 @@ HomePods
 hostapd
 hostname
 href
+HSM
+hsm
 HTTPS
 HW
 hwadr
@@ -965,6 +967,7 @@ objcopy
 OccupancySensing
 OctetString
 OECORE
+OID
 ol
 Onboarding
 onboardingcodes
@@ -986,6 +989,7 @@ openweave
 OperationalCredentials
 operationalDataset
 opkg
+OPTIGA
 optionMask
 optionOverride
 optionsMask
@@ -1429,6 +1433,7 @@ transitionTime
 TransportMgrBase
 TriggerEffect
 TRNG
+trustm
 TrustedRootCertificates
 tsan
 TSG

.gitmodules

@@ -324,3 +324,9 @@
 	path = third_party/infineon/psoc6/psoc6_sdk/libs/lwip-network-interface-integration
 	url = https://github.com/Infineon/lwip-network-interface-integration.git
 	platforms = infineon
+[submodule "third_party/infineon/trustm/optiga-trust-m"]
+	path = third_party/infineon/trustm/optiga-trust-m
+	url = https://github.com/Infineon/optiga-trust-m.git
+	branch = matter_support
+	platforms = infineon
+

docs/guides/README.md

@@ -7,6 +7,7 @@
 -   [ASR - Getting Started Guide](./asr_getting_started_guide.md)
 -   [Espressif (ESP32) - Getting Started Guide](./esp32/README.md)
 -   [Infineon PSoC6 - Software Update](./infineon_psoc6_software_update.md)
+-   [Infineon Trust M Provisioning](./infineon_trustm_provisioning.md)
 -   [Linux - Simulated Devices](./simulated_device_linux.md)
 -   [mbedOS - Adding a new target](./mbedos_add_new_target.md)
 -   [mbedOS - Commissioning](./mbedos_commissioning.md)

docs/guides/infineon_trustm_provisioning.md

@@ -0,0 +1,61 @@
+# Infineon OPTIGA™ Trust M Provisioning for Matter
+
+To use Infineon OPTIGA™ Trust M for device attestation, Provisioning for
+OPTIGA™ Trust M with Matter test device Attestation certificate is needed.
+
+## Hardware setup:
+
+[Raspberry Pi 4](https://www.raspberrypi.com/products/raspberry-pi-4-model-b/)
+
+[OPTIGA™ Trust M MTR](https://www.infineon.com/cms/en/product/evaluation-boards/trust-m-mtr-shield/)
+
+[Shield2Go Adapter for Raspberry Pi](https://www.infineon.com/cms/en/product/evaluation-boards/s2go-adapter-rasp-pi-iot/)
+or Jumping Wire
+
+## Provisioning for OPTIGA™ Trust M
+
+The
+[Linux Tools for OPTIGA™ Trust M ](https://github.com/Infineon/linux-optiga-trust-m)
+can be used to perform provisioning by following the steps mentioned below.
+
+-   Set up chip-tool on Raspberry Pi 4 by following the instruction listed at
+    [Building chip-tool on Raspberry Pi ](https://github.com/project-chip/connectedhomeip/blob/master/docs/guides/BUILDING.md#installing-prerequisites-on-raspberry-pi-4)
+-   Clone the repo from Infineon Public GitHub
+
+```
+ $ git clone --recurse-submodules https://github.com/Infineon/linux-optiga-trust-m.git
+```
+
+-   Build the Linux tools for OPTIGA™ Trust M
+
+```
+ $ cd linux-optiga-trust-m/
+ $ ./trustm_installation_aarch64_script.sh
+```
+
+-   Run the script to generate Matter test DAC for lock-app using the public key
+    extracted from the Infineon pre-provisioned Certificate and store it into
+    0xE0E0
+
+```
+$ cd scripts/matter_provisioning/
+$ ./matter_dac_provisioning.sh
+```
+
+_Note:_
+
+_By running this example matter_dac_provisioning.sh, the steps shown below are
+executed:_
+
+_Step1: Extract the public key from the Infineon pre-provisioned
+Certificate(0xE0E0) using openssl command._
+
+_Step2: Generate DAC test certificate using the extracted public key, Signed by
+[Matter test PAI](https://github.com/project-chip/connectedhomeip/blob/v1.1-branch/credentials/development/attestation/Matter-Development-PAI-FFF1-noPID-Cert.pem)_.
+Please note that production devices cannot re-use these test keys/certificates.
+
+_Step3: Write DAC test certificate into OPTIGA™ Trust M certificate slot
+0xE0E0_
+
+_Step4: Write Matter test PAI into OPTIGA™ Trust M certificate slot 0xE0E8
+and test CD into OPTIGA™ Trust M Arbitrary OID 0xF1E0.

examples/lock-app/infineon/psoc6/BUILD.gn

@@ -15,9 +15,11 @@
 import("//build_overrides/build.gni")
 import("//build_overrides/chip.gni")
 import("//build_overrides/psoc6.gni")
-
 import("${build_root}/config/defaults.gni")
+import("${chip_root}/src/crypto/crypto.gni")
+import("${chip_root}/src/platform/Infineon/crypto/infineon_crypto.gni")
 import("${chip_root}/src/platform/device.gni")
+import("${chip_root}/third_party/infineon/trustm/trustm_config.gni")
 import("${psoc6_sdk_build_root}/psoc6_executable.gni")
 import("${psoc6_sdk_build_root}/psoc6_sdk.gni")
 
@@ -117,6 +119,19 @@ psoc6_executable("lock_app") {
     "${psoc6_project_dir}/include",
   ]
 
+  if (chip_crypto == "platform") {
+    include_dirs += [ "${chip_root}/third_party/infineon/trustm" ]
+    include_dirs += [ "${chip_root}/examples/platform/infineon/trustm" ]
+    include_dirs += [ "${chip_root}/src/platform/Infineon/crypto/trustm" ]
+
+    defines = [ "ENABLE_DEVICE_ATTESTATION=1" ]
+
+    public_deps += [
+      "${chip_root}/src/platform/Infineon/crypto/${infineon_crypto_impl}:infineon_crypto_lib",
+      "${chip_root}/third_party/infineon/trustm:optiga-trust-m",
+    ]
+  }
+
   sources = [
     "${examples_plat_dir}/LEDWidget.cpp",
     "${examples_plat_dir}/init_psoc6Platform.cpp",

examples/lock-app/infineon/psoc6/README.md

@@ -14,6 +14,8 @@ An example showing the use of Matter on the Infineon CY8CKIT-062S2-43012 board.
             -   [Notes](#notes)
         -   [Cluster control](#cluster-control)
         -   [Factory Reset](#factory-reset)
+    -   [Building with OPTIGA™ Trust M as HSM](#build-trustm-hsm)
+        -   [OPTIGA™ Trust M Provisioning](#provisioning-trustm)
     -   [OTA Software Update](#ota-software-update)
 
 <hr>
@@ -55,6 +57,10 @@ will then join the network.
           $ cd ~/connectedhomeip
           $ rm -rf out/
 
+_To build with Infineon Hardware Security Module-OPTIGA™ Trust M for Device
+attestation and other security use cases, please refer to the
+[Building with OPTIGA™ Trust M as HSM](#build-trustm-hsm) for more instructions_
+
 ## Flashing the Application
 
 -   Put CY8CKIT-062S2-43012 board on KitProg3 CMSIS-DAP Mode by pressing the
@@ -128,10 +134,52 @@ commands. These power cycle the BlueTooth hardware and disable BR/EDR mode.
     on the board. All the data configured on the device during the initial
     commissioning will be deleted and device will be ready for commissioning
     again.
-
 -   Pressing the button again within 5 seconds will cancel the factory reset of
     the board.
 
+## <a name="build-trustm-hsm"></a>
+
+## Building with OPTIGA™ Trust M as HSM
+
+Infineon Hardware Security Module-OPTIGA™ Trust M is a high-end security
+solution that provides an anchor of trust for connecting IoT devices to the
+cloud, giving every IoT device its own unique identity.
+
+-   Supported hardware setup:
+    [CY8CKIT-062S2-43012](https://www.cypress.com/CY8CKIT-062S2-43012)
+
+    [OPTIGA™ Trust M MTR](https://www.infineon.com/cms/en/product/evaluation-boards/trust-m-mtr-shield/)
+
+    [OPTIGA™ Trust Adapter](https://www.infineon.com/cms/en/product/evaluation-boards/optiga-trust-adapter/)
+
+-   Building
+
+    Follow the steps to build with OPTIGA™ Trust M for device attestation use case:
+
+    ```
+      $ source scripts/activate.sh
+      $ scripts/build/build_examples.py --no-log-timestamps --target 'infineon-psoc6-lock-trustm' build
+    ```
+-   To delete generated executable, libraries and object files use:
+
+        $ cd ~/connectedhomeip
+        $ rm -rf out/
+
+-   Proceed to OPTIGA™ Trust M Provisioning section to complete the credential
+    storage into HSM.
+
+### <a name="provisioning-trustm"></a>
+
+### OPTIGA™ Trust M Provisioning
+
+For the description of OPTIGA™ Trust M Provisioning with test DAC generation and
+PAI and CD storage, please refer to
+[Infineon OPTIGA™ Trust M Provisioning](../../../../docs/guides/infineon_trustm_provisioning.md)
+
+After completing OPTIGA™ Trust M Provisioning, proceed to
+[Flashing the Application](#flashing-the-application) section to continue with
+subsequent steps.
+
 ## OTA Software Update
 
 For the description of Software Update process with infineon PSoC6 example

examples/lock-app/infineon/psoc6/args.gni

@@ -15,7 +15,10 @@
 import("//build_overrides/chip.gni")
 import("//build_overrides/pigweed.gni")
 import("${chip_root}/config/standalone/args.gni")
+import("${chip_root}/src/crypto/crypto.gni")
 import("${chip_root}/src/platform/Infineon/PSOC6/args.gni")
 
 psoc6_target_project =
     get_label_info(":lock_app_sdk_sources", "label_no_toolchain")
+
+import("${chip_root}/src/platform/Infineon/crypto/trustm/args.gni")

examples/lock-app/infineon/psoc6/src/AppTask.cpp

@@ -45,6 +45,10 @@
 #include <app/clusters/door-lock-server/door-lock-server.h>
 #include <app/clusters/identify-server/identify-server.h>
 
+#if ENABLE_DEVICE_ATTESTATION
+#include <DeviceAttestationCredsExampleTrustM.h>
+#endif
+
 /* OTA related includes */
 #if CHIP_DEVICE_CONFIG_ENABLE_OTA_REQUESTOR
 #include <app/clusters/ota-requestor/BDXDownloader.h>
@@ -157,7 +161,12 @@ static void InitServer(intptr_t context)
     chip::DeviceLayer::SetDeviceInfoProvider(&gExampleDeviceInfoProvider);
 
     // Initialize device attestation config
+#if ENABLE_DEVICE_ATTESTATION
+    SetDeviceAttestationCredentialsProvider(Examples::GetExampleTrustMDACProvider());
+#else
     SetDeviceAttestationCredentialsProvider(Examples::GetExampleDACProvider());
+#endif
+
 #if CHIP_DEVICE_CONFIG_ENABLE_OTA_REQUESTOR
     GetAppTask().InitOTARequestor();
 #endif

scripts/build/build/targets.py

@@ -409,6 +409,7 @@ def BuildInfineonTarget():
     # modifiers
     target.AppendModifier('ota', enable_ota_requestor=True)
     target.AppendModifier('updateimage', update_image=True)
+    target.AppendModifier('trustm', enable_trustm=True)
 
     return target
 

scripts/build/builders/infineon.py

@@ -80,7 +80,8 @@ def __init__(self,
                  app: InfineonApp = InfineonApp.LOCK,
                  board: InfineonBoard = InfineonBoard.PSOC6BOARD,
                  enable_ota_requestor: bool = False,
-                 update_image: bool = False):
+                 update_image: bool = False,
+                 enable_trustm: bool = False): 
         super(InfineonBuilder, self).__init__(
             root=app.BuildRoot(root),
             runner=runner)
@@ -92,7 +93,10 @@ def __init__(self,
             self.extra_gn_options.append('chip_enable_ota_requestor=true')
         if update_image:
             self.extra_gn_options.append('build_update_image=true')
-
+        if enable_trustm:
+            self.extra_gn_options.append('chip_crypto=\"platform\"')
+        if enable_trustm is False:
+            self.extra_gn_options.append('chip_crypto=\"mbedtls\"')
     def GnBuildArgs(self):
         return self.extra_gn_options
 

scripts/build/testdata/all_targets_linux_x64.txt

@@ -13,7 +13,7 @@ linux-fake-tests[-mbedtls][-boringssl][-asan][-tsan][-ubsan][-libfuzzer][-ossfuz
 linux-{x64,arm64}-{rpc-console,all-clusters,all-clusters-minimal,chip-tool,thermostat,java-matter-controller,kotlin-matter-controller,minmdns,light,lock,shell,ota-provider,ota-requestor,simulated-app1,simulated-app2,python-bindings,tv-app,tv-casting-app,bridge,tests,chip-cert,address-resolve-tool,contact-sensor,dishwasher,microwave-oven,refrigerator,rvc,air-purifier,lit-icd,air-quality-sensor,network-manager,energy-management}[-nodeps][-nlfaultinject][-platform-mdns][-minmdns-verbose][-libnl][-same-event-loop][-no-interactive][-ipv6only][-no-ble][-no-wifi][-no-thread][-mbedtls][-boringssl][-asan][-tsan][-ubsan][-libfuzzer][-ossfuzz][-coverage][-dmalloc][-clang][-test][-rpc][-with-ui][-evse-test-event]
 linux-x64-efr32-test-runner[-clang]
 imx-{chip-tool,lighting-app,thermostat,all-clusters-app,all-clusters-minimal-app,ota-provider-app}[-release]
-infineon-psoc6-{lock,light,all-clusters,all-clusters-minimal}[-ota][-updateimage]
+infineon-psoc6-{lock,light,all-clusters,all-clusters-minimal}[-ota][-updateimage][-trustm]
 rw61x-{all-clusters-app,thermostat,laundry-washer}[-ota][-wifi][-thread][-factory-data][-matter-shell]
 nxp-{k32w0,k32w1}-{lighting,contact-sensor}[-factory][-low-power][-lit][-fro32k][-smu2][-dac-conversion][-rotating-id][-sw-v2]
 mbed-cy8cproto_062_4343w-{lock,light,all-clusters,all-clusters-minimal,pigweed,ota-requestor,shell}[-release][-develop][-debug]

src/crypto/crypto.gni

@@ -16,7 +16,7 @@ declare_args() {
   # Crypto implementation: mbedtls, openssl, boringssl, platform.
   chip_crypto = ""
   chip_with_se05x = 0
-
+  
   # Compile mbedtls externally. Only used if chip_crypto == "mbedtls"
   chip_external_mbedtls = false
 }

src/platform/Infineon/crypto/infineon_crypto.gni

@@ -0,0 +1,20 @@
+# Copyright (c) 2024 Project CHIP Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+declare_args() {
+  infineon_crypto_impl = ""
+  infineon_crypto_root = ""
+}
+assert(infineon_crypto_impl != "", "infineon_crypto_impl should be defined")
+assert(infineon_crypto_root != "", "infineon_crypto_root should be defined")

src/platform/Infineon/crypto/trustm/BUILD.gn

@@ -0,0 +1,68 @@
+# Copyright (c) 2024 Project CHIP Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import("//build_overrides/chip.gni")
+import("//build_overrides/nlassert.gni")
+import("${chip_root}/build/chip/buildconfig_header.gni")
+import("${chip_root}/src/crypto/crypto.gni")
+import("${chip_root}/src/platform/Infineon/crypto/trustm/args.gni")
+
+if (chip_crypto == "platform") {
+  import("//build_overrides/mbedtls.gni")
+}
+
+source_set("public_headers") {
+  sources = [
+  ]
+
+  public_deps = [
+    "${chip_root}/src/lib/asn1",
+    "${chip_root}/src/lib/core",
+    "${chip_root}/src/lib/support",
+    "${nlassert_root}:nlassert",
+    "${chip_root}/src/crypto",
+
+  ]
+}
+
+static_library("infineon_crypto_lib") {
+  sources = [
+    "CHIPCryptoPAL_HostFallBack.cpp",
+    "CHIPCryptoPALHost.cpp",
+    "CHIPCryptoPALHsm_HKDF_trustm.cpp",
+    "CHIPCryptoPALHsm_HMAC_trustm.cpp",
+    "CHIPCryptoPALHsm_P256_trustm.cpp",
+    "CHIPCryptoPALHsm_rng_trustm.cpp",
+    "CHIPCryptoPALHsm_utils_trustm.cpp",
+    "DeviceAttestationCredsExampleTrustM.cpp",
+  ]
+
+  public_deps = [ ":public_headers" ]
+  public_configs = []
+  public_deps += [ "${chip_root}/third_party/infineon/trustm:optiga-trust-m" ]
+  public_configs +=
+    [ "${chip_root}/third_party/infineon/trustm:trustm_config" ]
+  deps = [ "${chip_root}/${infineon_crypto_root}:optiga-trust-m" ]
+  external_mbedtls = current_os == "zephyr"
+
+  if (!external_mbedtls) {
+    public_deps += [ "${mbedtls_root}:mbedtls" ]
+  }
+  include_dirs = [
+    ".",
+    "${chip_root}/src/crypto",
+    "${chip_root}/src/platform/Infineon/crypto/trustm",
+  ]
+
+}