Commit 1139862

shubhamdp authored and pull[bot] committed
[ESP32] Documentation guides for using secure cert with ECDSA peripheral (#27456)
* [ESP32] Documentation guides for using secure cert with ECDSA peripheral
* Added efuse to .wordlist
1 parent f973200 commit 1139862

3 files changed

+87
-61
lines changed

.github/.wordlist.txt

+1
@@ -478,6 +478,7 @@ EEE
478478
eef
479479
ef
480480
EFR
481+
efuse
481482
eg
482483
EjQ
483484
elftools

docs/guides/esp32/secure_cert_partition.md

+84-59
@@ -2,29 +2,29 @@
22

33
## 1.1 ESP Secure Cert Partition
44

5-
- When a device is pre-provisioned, the PKI credentials are generated for the
6-
device and stored in a partition named esp_secure_cert.
7-
- In the Matter Pre-Provisioning service, the Matter DAC certificate is
8-
pre-flashed in esp_secure_cert partition.
9-
- The ESP32SecureCertDACProvider reads the PKI credentials from
10-
esp_secure_cert_partition.
11-
- The DAC,PAI and private key are read from the esp_secure_cert_partition, but
12-
the certificate declaration is read from the factory data partition.
13-
Therefore, we need to also generate a factory partition besides
14-
esp_secure_cert_partition.
15-
- The esp_secure_cert partition can be generated on host with help of
16-
configure_esp_secure_cert.py utility.
17-
- The use of esp_secure_cert_partition is demonstrated in lighting-app.
5+
- When a device is pre-provisioned, PKI credentials are generated for the
6+
device and stored in esp_secure_cert partition.
7+
- In the Matter Pre-Provisioning service, the Matter attestation information
8+
is pre-flashed into the esp_secure_cert partition.
9+
- The ESP32SecureCertDACProvider reads the attestation information from the
10+
esp_secure_cert partition.
11+
- The DAC and PAI are read from the esp_secure_cert partition, while the
12+
certification declaration is read from the factory partition.
13+
- The usage of the esp_secure_cert partition is demonstrated in the
14+
lighting-app.
15+
16+
- During the development phase, the esp_secure_cert partition can be generated
17+
on the host with the help of the configure_esp_secure_cert.py utility.
18+
- The steps below demonstrate how to generate certificates and the respective
19+
partitions to be used during the development phase.
1820

1921
## 1.2 Prerequisites:
2022

2123
To generate the esp_secure_cert_partition and the factory_data_partition, we
22-
need the DAC and PAI certificate as well as the private key(DAC key) in .der
23-
format. The factory_data_provider in addition requires the certificate
24-
declaration in .der format. The generation of the required certificates and keys
25-
is mentioned in the steps given below.
24+
need the DER encoded DAC, PAI certificate, DAC private key, and certification
25+
declaration.
2626

27-
### 1.2.1 Build certification generation tool:
27+
### 1.2.1 Build chip-cert:
2828

2929
Run the commands below:
3030

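Review bot: The rewritten bullet at new line 11 says only that the DAC and PAI are read from the esp_secure_cert partition, so the guide no longer states where the DAC private key is stored; the removed bullet listed the private key alongside the DAC and PAI. Since this change introduces a flow where the key is burned into an efuse block, add a sentence saying where the private key lives in each case (with and without the ECDSA peripheral). The unchanged prerequisites paragraph at line 23 also still writes esp_secure_cert_partition and factory_data_partition while the new bullets use "esp_secure_cert partition" and "factory partition"; pick one spelling.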
@@ -41,19 +41,27 @@ At /path/to/connectedhomeip/out/host run the below commands.
4141
### 1.2.2 Generating Certification Declaration
4242

4343
```
44-
./chip-cert gen-cd -K ../../credentials/test/certification-declaration/Chip-Test-CD-Signing-Key.pem -C ../../credentials/test/certification-declaration/Chip-Test-CD-Signing-Cert.pem -O esp_dac_fff1_8000.der -f 1 -V 0xfff1 -p 0x8000 -d 0x0016 -c "CSA00000SWC00000-01" -l 0 -i 0 -n 1 -t 0
44+
./chip-cert gen-cd -K ../../credentials/test/certification-declaration/Chip-Test-CD-Signing-Key.pem \
45+
-C ../../credentials/test/certification-declaration/Chip-Test-CD-Signing-Cert.pem \
46+
-O esp_dac_fff1_8000.der -f 1 \
47+
-V 0xfff1 -p 0x8000 -d 0x0016 -c "CSA00000SWC00000-01" -l 0 -i 0 -n 1 -t 0
4548
```
4649

4750
### 1.2.3 Generating PAI
4851

4952
```
50-
./chip-cert gen-att-cert -t i -c "ESP TEST PAI" -V 0xfff1 -P 0x8000 -C ../../credentials/development/attestation/Chip-Development-PAA-Cert.pem -K ../../credentials/development/attestation/Chip-Development-PAA-Key.pem -o Esp-Development-PAI-Cert.pem -O Esp-Development-PAI-Key.pem -l 4294967295
53+
./chip-cert gen-att-cert -t i -c "ESP TEST PAI" -V 0xfff1 -P 0x8000 \
54+
-C ../../credentials/development/attestation/Chip-Development-PAA-Cert.pem \
55+
-K ../../credentials/development/attestation/Chip-Development-PAA-Key.pem \
56+
-o Esp-Development-PAI-Cert.pem -O Esp-Development-PAI-Key.pem -l 4294967295
5157
```
5258

5359
### 1.2.4 Generating DAC
5460

5561
```
56-
./chip-cert gen-att-cert -t d -c "ESP TEST DAC 01" -V 0xfff1 -P 0x8000 -C Esp-Development-PAI-Cert.pem -K Esp-Development-PAI-Key.pem -o Esp-Development-DAC-01.pem -O Esp-Development-DAC-Key-01.pem -l 4294967295
62+
./chip-cert gen-att-cert -t d -c "ESP TEST DAC 01" -V 0xfff1 -P 0x8000 \
63+
-C Esp-Development-PAI-Cert.pem -K Esp-Development-PAI-Key.pem \
64+
-o Esp-Development-DAC-01.pem -O Esp-Development-DAC-Key-01.pem -l 4294967295
5765
```
5866

5967
### 1.2.5 Change format for the certificates and key (.pem to .der format)
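Review bot: The gen-cd command at new lines 44-47 still writes the certification declaration to esp_dac_fff1_8000.der, a name that reads as a DAC; because this commit now passes that file as --cd in section 1.4, consider renaming it (for example esp_cd_fff1_8000.der) in both places. It would also help to state next to these commands that the Chip-Test CD signing key and the Chip-Development PAA key are test credentials, so the resulting CD, PAI and DAC are suitable for development only.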
@@ -67,30 +75,58 @@ openssl ec -in Esp-Development-DAC-Key-01.pem -out Esp-Development-DAC-Key-01.de
6775
- Convert DAC and PAI cert from .pem to .der format
6876

6977
```
70-
openssl x509 -in Esp-Development-DAC-01.pem -out Esp-Development-DAC-01.der-inform pem -outform der
78+
openssl x509 -in Esp-Development-DAC-01.pem -out Esp-Development-DAC-01.der -inform pem -outform der
7179
openssl x509 -in Esp-Development-PAI-Cert.pem -out Esp-Development-PAI-Cert.der -inform pem -outform der
7280
```
7381

7482
The certificates in the steps 1.2 will be generated at
7583
/path/to/connectedhomeip/out/host.For steps 1.3 and 1.4 go to
76-
connectedhomeip/scripts/tools , set IDF_PATH.
84+
connectedhomeip/scripts/tools, and set IDF_PATH.
7785

7886
## 1.3 Generating esp_secure_cert_partition
7987

8088
To generate the esp_secure_cert_partition install esp-secure-cert-tool using
89+
below command. Please use the tool with version >= 1.0.1
8190

8291
```
8392
pip install esp-secure-cert-tool
8493
```
8594

86-
Example command to generate a esp_secure_cert_partition
95+
Please use esp-secure-cert-tool with version >= esp-secure-cert-too
96+
97+
Espressif have SoCs with and without ECDSA peripheral, so there is a bit
98+
different flow for both. Currently only ESP32H2 has the ECDSA Peripheral.
99+
100+
### 1.3.2 For SoCs without ECDSA Peripheral (Except ESP32H2)
101+
102+
The following command generates the secure cert partition and flashes it to the
103+
connected device. Additionally, it preserves the generated partition on the
104+
host, allowing it to be flashed later if the entire flash is erased.
87105

88106
```
89-
configure_esp_secure_cert.py --private-key path/to/dac-key \
90-
--device-cert path/to/dac-cert \
91-
--ca-cert path/to/pai-cert \
92-
--target_chip esp32c3 \
93-
--port /dev/ttyUSB0 -- skip_flash
107+
configure_esp_secure_cert.py --private-key Esp-Development-DAC-Key-01.der \
108+
--device-cert Esp-Development-DAC-01.der \
109+
--ca-cert Esp-Development-PAI-Cert.der \
110+
--target_chip esp32c3 \
111+
--keep_ds_data_on_host \
112+
--port /dev/ttyUSB0
113+
```
114+
115+
### 1.3.1 For SoCs with ECDSA Peripheral (ESP32H2)
116+
117+
The following command generates the secure cert partition, flashes it onto the
118+
connected device, burns the efuse block with the private key, and preserves the
119+
generated partition on the host for future use in case of a complete flash
120+
erase.
121+
122+
```
123+
configure_esp_secure_cert.py --private-key Esp-Development-DAC-Key-01.der \
124+
--priv_key_algo ECDSA 256 --efuse_key_id 2 --configure_ds \
125+
--device-cert Esp-Development-DAC-01.der \
126+
--ca-cert Esp-Development-PAI-Cert.der \
127+
--target_chip esp32h2 \
128+
--keep_ds_data_on_host \
129+
--port /dev/ttyUSB0
94130
```
95131

96132
Refer
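Review bot: Added line 95 ends mid-word ("version >= esp-secure-cert-too") and repeats the requirement already given at line 89 ("version >= 1.0.1"); drop line 95, and consider making the install command enforce the minimum, for example pip install "esp-secure-cert-tool>=1.0.1". The new headings are out of order, with 1.3.2 at line 100 before 1.3.1 at line 115, and "(Except ESP32H2)" would read better as "(all except ESP32H2)". The ESP32H2 command burns the private key into an efuse block (--efuse_key_id 2), which cannot be undone, so the text should say so before the command and tell readers to confirm the key block and the connected device first.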
@@ -103,13 +139,10 @@ Example command to generate a factory_data_partition
103139

104140
```
105141
./generate_esp32_chip_factory_bin.py -d 3434 -p 99663300 \
106-
--product-name ESP-lighting-app --product-id 0x8000 \
107-
--vendor-name Test-vendor --vendor-id 0xFFF1 \
108-
--hw-ver 1 --hw-ver-str DevKit \
109-
--dac-cert path/to/dac-cert \
110-
--dac-key path/to/dac-key \
111-
--pai-cert path/to/pai-cert \
112-
--cd path/to/certificate-declaration
142+
--product-name ESP-lighting-app --product-id 0x8000 \
143+
--vendor-name Test-vendor --vendor-id 0xFFF1 \
144+
--hw-ver 1 --hw-ver-str DevKit \
145+
--cd esp_dac_fff1_8000.der
113146
```
114147

115148
Refer
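Review bot: The new --cd esp_dac_fff1_8000.der argument at line 145 is a bare file name, but the guide says the files from section 1.2 are generated in /path/to/connectedhomeip/out/host and that steps 1.3 and 1.4 are run from connectedhomeip/scripts/tools, so the path will not resolve as written; use a path relative to scripts/tools or tell readers to copy the file there. The same applies to the .der arguments in the section 1.3 commands. A sentence stating that the factory partition no longer carries the DAC, DAC key and PAI (the removed --dac-cert, --dac-key and --pai-cert arguments) would also help readers who followed the earlier version of the guide.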
@@ -118,6 +151,8 @@ to generate a factory_data_partition.
118151

119152
## 1.5 Build the firmware with below configuration options
120153

154+
- For SoCs without ECDSA Peripheral (Except ESP32H2)
155+
121156
```
122157
# Disable the DS Peripheral support
123158
CONFIG_ESP_SECURE_CERT_DS_PERIPHERAL=n
@@ -129,6 +164,19 @@ CONFIG_ENABLE_ESP32_DEVICE_INSTANCE_INFO_PROVIDER=y
129164
CONFIG_CHIP_FACTORY_NAMESPACE_PARTITION_LABEL="fctry"
130165
```
131166

167+
- For SoCs with ECDSA Peripheral (ESP32H2)
168+
169+
```
170+
# Enable the DS Peripheral support
171+
CONFIG_ESP_SECURE_CERT_DS_PERIPHERAL=y
172+
# Use DAC Provider implementation which reads attestation data from secure cert partition
173+
CONFIG_SEC_CERT_DAC_PROVIDER=y
174+
# Enable some options which reads CD and other basic info from the factory partition
175+
CONFIG_ENABLE_ESP32_FACTORY_DATA_PROVIDER=y
176+
CONFIG_ENABLE_ESP32_DEVICE_INSTANCE_INFO_PROVIDER=y
177+
CONFIG_CHIP_FACTORY_NAMESPACE_PARTITION_LABEL="fctry"
178+
```
179+
132180
In order to use the esp_secure_cert_partition, in addition to enabling the above
133181
config options, you should also have the esp_secure_cert_partition and factory
134182
partition in your app. For reference, refer to partitions.csv file of
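Review bot: The comment at line 170, "Enable the DS Peripheral support", sits under a bullet about the ECDSA peripheral, and nothing in the guide says how CONFIG_ESP_SECURE_CERT_DS_PERIPHERAL relates to the ECDSA peripheral or to the key burned into efuse; add a sentence explaining that. The new block also repeats options that the visible lines of the first block set as well (CONFIG_ENABLE_ESP32_DEVICE_INSTANCE_INFO_PROVIDER, CONFIG_CHIP_FACTORY_NAMESPACE_PARTITION_LABEL); listing the shared options once and showing only the differing line per SoC family would keep the two from drifting apart. Minor: "some options which reads" should be "options which read".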
@@ -158,26 +206,3 @@ esptool.py -p (PORT) write_flash 0xd000 path/to/secure_cert_partition.bin
158206
```
159207
esptool.py -p (PORT) write_flash 0x3E0000 path/to/factory_partition.bin
160208
```
161-
162-
### Monitor
163-
164-
```
165-
idf.py monitor
166-
```
167-
168-
Please flash the above mentioned partitions by looking into the addresses in
169-
partitions.csv.The above commands are for example purpose.
170-
171-
## 1.6 Test commissioning using chip-tool
172-
173-
Run the following command from host to commission the device.
174-
175-
```
176-
./chip-tool pairing ble-wifi 1234 my_SSID my_PASSPHRASE my_PASSCODE my_DISCRIMINATOR --paa-trust-store-path /path/to/PAA-Certificates/
177-
```
178-
179-
For example:
180-
181-
```
182-
./chip-tool pairing ble-wifi 0x7283 my_SSID my_PASSPHRASE 99663300 3434 --paa-trust-store-path /path/to/connectedhomeip/credentials/development/attestation/
183-
```
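Review bot: Removing old lines 168-169 drops the only statement that the write_flash offsets (0xd000 and 0x3E0000) are examples and must be taken from partitions.csv; keep that sentence, since writing a partition image to the wrong offset overwrites whatever is stored there. The hunk also removes section 1.6, so the guide no longer ends with a commissioning run against the PAA trust store that confirms the device attests with the provisioned DAC; if that step now lives in another guide, link to it here.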

docs/guides/esp32/setup_idf_chip.md

+2-2
@@ -40,11 +40,11 @@ step.
4040
```
4141
4242
- For ESP32C6 & ESP32H2, please use commit
43-
[47852846d3](https://github.com/espressif/esp-idf/tree/47852846d3).
43+
[ea5e0ff](https://github.com/espressif/esp-idf/tree/ea5e0ff).
4444
4545
```
4646
$ cd esp-idf
47-
$ git checkout 47852846d3
47+
$ git checkout ea5e0ff
4848
$ git submodule update --init
4949
$ ./install.sh
5050
```
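Review bot: The new pin at lines 43 and 47 uses a 7-character abbreviated hash (ea5e0ff) where the old one used 10 characters; for a toolchain pin, give the full 40-character commit hash or a release tag so the checkout cannot become ambiguous as the esp-idf history grows. The bullet could also say why this particular commit is needed for ESP32C6 and ESP32H2.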
