Generate PKI credentials for ESP32 matter devices and storing them in esp_secure_cert partition
#Generate the certs and keys and flash into factory data
git checkout 4cc18bb24fc7b0a95104846fdf746cbba7cebaf2 # this adds support for factory data CD API
source script/bootstrap.sh
#Create the PKI certs and keys
Export your custom VID/PID as environment variables to decrease chances of clerical error when editing your command arguments:
export VID=hexVendorId
export PID=hexProductId
#echo ${VID} FFAA
#echo ${PID} FFA1
#Change format for the certificates and key (.pem to .der format).
#Convert DAC key from .pem to .der format.
openssl ec -in credentials/test/attestation/"test-DAC-${VID}-${PID}-key".pem -out credentials/test/attestation/"test-DAC-${VID}-${PID}-key".der -inform pem -outform der
#Convert DAC and PAI cert from .pem to .der format
openssl x509 -in credentials/test/attestation/"test-DAC-${VID}-${PID}-cert".pem -out credentials/test/attestation/"test-DAC-${VID}-${PID}-cert".der -inform pem -outform der
openssl x509 -in credentials/test/attestation/"test-PAI-${VID}-cert".pem -out credentials/test/attestation/"test-PAI-${VID}-cert".der -inform pem -outform der
#Flash the secure partition
The following command generates the secure cert partition and flashes it to the connected device. Additionally, it preserves the generated partition on the host, allowing it to be flashed later if the entire flash is erased.
configure_esp_secure_cert.py --private-key credentials/test/attestation/"test-DAC-${VID}-${PID}-key".der \
--device-cert credentials/test/attestation/"test-DAC-${VID}-${PID}-cert".der \
--ca-cert credentials/test/attestation/"test-PAI-${VID}-cert".der \
--target_chip esp32 \
--keep_ds_data_on_host \
--port /dev/ttyUSB0 \
--priv_key_algo ECDSA 256
# Generate the Factory Data Partition
# Example command to generate a factory_data_partition
python3 -m pip install bitarray # somehow missing from
cd connectedhomeip
#check that the command works
python3 scripts/tools/generate_esp32_chip_factory_bin.py -h
cd ~/Projects/certs
#Generate the esp32_chip_factory_bin
python3 ../connectedhomeip/scripts/tools/generate_esp32_chip_factory_bin.py \
-d 3434 -p 99663300 \
--product-name ESP-lighting-app --product-id 0xFFA1 \
--vendor-name Test-vendor --vendor-id 0xFFAA \
--hw-ver 1 --hw-ver-str DevKit \
--cd ../connectedhomeip/credentials/test/certification-declaration/Chip-Test-CD-FFAA-FFA1.der
#Set up idf target
cd connectedhomeip/examples/lighting-app/esp32
idf.py set-target esp32
#Change the ESP32 image using ESP IDF menuconfig - Configuration Options
# Disable the DS Peripheral support
CONFIG_ESP_SECURE_CERT_DS_PERIPHERAL=n
# Use DAC Provider implementation which reads attestation data from secure cert partition
CONFIG_SEC_CERT_DAC_PROVIDER=y
# Enable the options which read the CD and other basic info from the factory partition
CONFIG_ENABLE_ESP32_FACTORY_DATA_PROVIDER=y
CONFIG_ENABLE_ESP32_DEVICE_INSTANCE_INFO_PROVIDER=y
CONFIG_CHIP_FACTORY_NAMESPACE_PARTITION_LABEL="fctry"
#check that the settings have been set in the menuconfig
idf.py menuconfig
Enable config option CONFIG_SEC_CERT_DAC_PROVIDER to use the Secure Cert DAC provider
[Component config → CHIP Device Layer → Commissioning options → Use Secure Cert DAC Provider]
Enable config option CONFIG_ENABLE_ESP32_FACTORY_DATA_PROVIDER to use ESP32 specific implementation of CommissionableDataProvider and DeviceAttestationCredentialsProvider.
[Component config → CHIP Device Layer → Commissioning options → Use ESP32 Factory Data Provider]
By default, the factory data provider implementation reads the Certification Declaration (CD) from the 'chip-factory' NVS namespace. Enable CONFIG_ENABLE_SET_CERT_DECLARATION_API option to enable an API which lets you set the CD from the application and the configured CD will be used for subsequent CD reads.
[Component config -> CHIP Device Layer -> Commissioning options -> Enable Set CD API]
Enable config option CONFIG_ENABLE_ESP32_DEVICE_INSTANCE_INFO_PROVIDER to use ESP32 specific implementation of DeviceInstanceInfoProvider.
[Component config → CHIP Device Layer → Commissioning options → Use ESP32 Device Instance Info Provider]
The ESP32 implementation reads factory data from an NVS partition, so the chip-factory data must be flashed into the configured NVS partition. The factory partition label can be configured using the CONFIG_CHIP_FACTORY_NAMESPACE_PARTITION_LABEL option; the default is "nvs". Change it to "fctry".
[Component config -> CHIP Device Layer -> Matter Manufacturing Options -> chip-factory namespace partition label]
#Then build and flash
idf.py build
idf.py -p /dev/ttyUSB0 erase-flash
idf.py -p /dev/ttyUSB0 flash
# Flash the secure cert and factory partitions
Flash esp_secure_cert and factory partition binaries
The esp_secure_cert partition binary contains device attestation information and the factory partition binary contains Matter manufacturing specific data.
Flash esp_secure_cert partition binary
esptool.py -p /dev/ttyUSB0 write_flash 0xd000 ~/Projects/certs/esp_secure_cert_data/esp_secure_cert.bin
Flash factory partition binary
esptool.py -p /dev/ttyUSB0 write_flash 0x3E0000 path/to/factory_partition.bin
#Then monitor the esp32
idf.py -p /dev/ttyUSB0 monitor
#Now try to pair the device using the chip-tool
cd connectedhomeip
rm -rf /tmp/chip*
./out/chip-tool pairing ble-wifi 1 <SSID> <PASSWORD> 99663300 3434
#check that pairing worked by reading basic information
./out/chip-tool basicinformation read vendor-name 1 0