Changingtec Security Support

Secure APP

The Secure App is a set of secure functions executed in the TrustZone. It covers certificate management and cryptographic operations.

Secure App Function

The functions provided by the secure app are listed below.

| Name | Description |
| --- | --- |
| SECURE_APP_FUNCTION_INIT_MODULE | Initialize secure module |
| SECURE_APP_FUNCTION_RELEASE_MODULE | Release secure module |
| SECURE_APP_FUNCTION_GET_DAC | Get certificate signed by PAI |
| SECURE_APP_FUNCTION_GET_PAI_CERT | Get certificate signed by PAA |
| SECURE_APP_FUNCTION_SIGN_WITH_DACKEY | Sign with the DAC private key |

Enable Secure App Support

The default configuration of the Matter platform code does not enable the Secure App. Users can enable it by setting ENABLE_CG_SECURE_DAC_VENDOR to ON in the preset chosen in ./subsys/matter/CMakePresets.json.

Preparing Secure APP

To enable TrustZone on the Matter platform, a secure app must be provided. The following steps explain how to compile the secure app.

Open the command prompt and navigate to the matter directory.

$ cd ./subsys/matter

Go to the compilation directory of the single bank secure app.

$ cd thirdparty/cg/app_s_cg/proj/gcc

Start the build.

$ make

After a successful compilation, the application bin file app_s_MP_sdk_0.0.0.0_xxxx.bin will be generated in the directory ./subsys/matter/thirdparty/cg/app_s_cg/proj/gcc/build/bin.

Preparing Non-Secure APP

Enter the compilation directory of the non-secure app.

$ cd ./subsys/matter/samples

Start the build.

$ ./build.py rtl8777g lighting --preset secure

After a successful build, the application bin file matter-cli-ftd_bank0_MP_dev_xxxx.bin will be generated in the ./subsys/matter/samples/build/bank0/bin directory.

User Data

User data is a set of secure parameters from the manufacturing process. It includes certificates, the firmware version and cryptographic keys.

Content of User data

The components of the user data and their sizes are listed below.

| Name | Size (Bytes) | Description |
| --- | --- | --- |
| PAI Certificate | 600 | A certificate signed by PAA |
| DAC Certificate | 600 | A certificate signed by PAI |
| DAC key | 32 | Private key of the DAC (or encrypted, in case of a data breach on the production line) |

Format of User Data

The user data is saved as a bin file (userdata_MP_0.0.0.0_xxxx.bin) that can be downloaded into the region starting at a defined address. It is encrypted with a cryptographic key.

Enable User Data Support

The default configuration of the Matter platform code does not enable the customer User Data. Users can enable it by setting ENABLE_CG_SECURE_DAC_VENDOR to ON in the preset chosen in ./subsys/matter/CMakePresets.json.

User Data Generation

This section describes how to use the tool that generates user data from DAC packages.

Supported Platforms

| Platform | Architecture |
| --- | --- |
| Windows | ☒ x64 |
| Linux | ☒ x64 |

Usage

Before use, you must first configure the RealtekTeeGenBinTool.cfg file.

  • batchSize : maximum number of DAC folders to process

  • privateKeyPath : absolute path of private key PEM file

  • dacFolderPath : absolute path of the working folder containing the PAI cert and the DAC folders

  • headerPrependToolPath : absolute path of prepend_header tool

  • headerPrependToolArgs : arguments for prepend_header tool

  • md5ToolPath : absolute path of md5 tool

Example of DAC working folder structure

└── DAC-1316-1A25-A0001_enc
   ├── DAC-1316-1A25-A0001-00000279
      ├── DAC-1316-1A25-Cert-A0001-00000279.der
      ├── DAC-1316-1A25-Cert-A0001-00000279.pem
      ├── DAC-1316-1A25-Key-A0001-00000279.pem.enc
      └── DAC-1316-1A25-PrivateKey-A0001-00000279.der.enc
   ├── DAC-1316-1A25-A0001-00000280
      ├── DAC-1316-1A25-Cert-A0001-00000280.der
      ├── DAC-1316-1A25-Cert-A0001-00000280.pem
      ├── DAC-1316-1A25-Key-A0001-00000280.pem.enc
      └── DAC-1316-1A25-PrivateKey-A0001-00000280.der.enc
   ├── DAC-1316-1A25-A0001-00000281
      ├── DAC-1316-1A25-Cert-A0001-00000281.der
      ├── DAC-1316-1A25-Cert-A0001-00000281.pem
      ├── DAC-1316-1A25-Key-A0001-00000281.pem.enc
      └── DAC-1316-1A25-PrivateKey-A0001-00000281.der.enc
   ├── Pankore-Test-PAA-novid-Cert.der
   ├── Pankore-Test-PAA-novid-Cert.pem
   ├── Test-PAI-1316-1A25-Cert.der
   └── Test-PAI-1316-1A25-Cert.pem

Then, generate the bin file using the following command:

$ RealtekTeeGenBinTool ./RealtekTeeGenBinTool.cfg

After a successful generation, the user data bin file userdata_MP_0.0.0.0_xxxx.bin will be generated in the directory ./subsys/matter/thirdparty/cg/realtekteegentool/bin/DAC-1316-1A25-A0001_enc/output.
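Before RealtekTeeGenBinTool is run, the DAC working folder can be checked for missing files, key files left without the .enc suffix, and certificates larger than the 600-byte entries listed under Content of User Data. The script below is an added example, not part of the vendor tool: the file-name pattern is inferred from the example tree above, check_dac_folder, expected_files and build_sample are hypothetical helper names, and it assumes the 600-byte limit applies to the DER file.

```python
import re
import tempfile
from pathlib import Path

CERT_SLOT = 600  # bytes per certificate entry in the user data table
# Folder-name pattern inferred from the example tree (assumption, not a vendor spec).
DAC_DIR = re.compile(r"^(DAC-\w{4}-\w{4})-(\w+-\d{8})$")

def expected_files(prefix, suffix):
    return {f"{prefix}-Cert-{suffix}.der", f"{prefix}-Cert-{suffix}.pem",
            f"{prefix}-Key-{suffix}.pem.enc", f"{prefix}-PrivateKey-{suffix}.der.enc"}

def check_dac_folder(work):
    """Return a list of problems in a DAC working folder; empty means it passed.
    A key file that lost its .enc suffix shows up as missing plus unexpected."""
    problems = []
    pai = list(work.glob("*PAI*Cert.der"))
    if len(pai) != 1:
        problems.append(f"expected one PAI DER cert, found {len(pai)}")
    # Assumption: each 600-byte entry holds the DER encoding of the certificate.
    too_big = [p for p in pai if p.stat().st_size > CERT_SLOT]
    for d in sorted(p for p in work.iterdir() if p.is_dir()):
        m = DAC_DIR.match(d.name)
        if not m:
            problems.append(f"{d.name}: unexpected folder name")
            continue
        expected = expected_files(*m.groups())
        present = {f.name for f in d.iterdir()}
        problems += [f"{d.name}: missing {n}" for n in sorted(expected - present)]
        problems += [f"{d.name}: unexpected {n}" for n in sorted(present - expected)]
        der = d / f"{m.group(1)}-Cert-{m.group(2)}.der"
        if der.exists() and der.stat().st_size > CERT_SLOT:
            too_big.append(der)
    problems += [f"{p.name}: larger than {CERT_SLOT} bytes" for p in too_big]
    return problems

def build_sample(root, serial="00000279", cert_size=480, plain_key=False):
    """Constructed sample tree filled with dummy bytes (not real certs or keys)."""
    work = root / "DAC-1316-1A25-A0001_enc"
    d = work / f"DAC-1316-1A25-A0001-{serial}"
    d.mkdir(parents=True)
    (work / "Test-PAI-1316-1A25-Cert.der").write_bytes(b"\x30" * 450)
    for name in expected_files("DAC-1316-1A25", f"A0001-{serial}"):
        if plain_key and name.endswith(".pem.enc"):
            name = name[:-4]  # simulate a key left unencrypted
        size = cert_size if name.endswith(f"Cert-A0001-{serial}.der") else 64
        (d / name).write_bytes(b"\x30" * size)
    return work

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(check_dac_folder(build_sample(Path(tmp), cert_size=700, plain_key=True)))
```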