Infineon OPTIGA™ Trust M Provisioning for Matter

To use Infineon OPTIGA™ Trust M for device attestation, Provisioning for OPTIGA™ Trust M with Matter test device Attestation certificate is needed.

Hardware setup:

Raspberry Pi 4

OPTIGA™ Trust M MTR

Shield2Go Adapter for Raspberry Pi or Jumping Wire

Provisioning for OPTIGA™ Trust M

The Linux Tools for OPTIGA™ Trust M can be used to perform provisioning by following the steps mentioned below.

• Set up chip-tool on Raspberry Pi 4 by following the instruction listed at Building chip-tool on Raspberry Pi
• Clone the repo from Infineon Public GitHub

 $ git clone --recurse-submodules https://github.com/Infineon/linux-optiga-trust-m.git

• Build the Linux tools for OPTIGA™ Trust M

 $ cd linux-optiga-trust-m/
 $ ./trustm_installation_aarch64_script.sh

• Run the script to generate Matter test DAC for lock-app using the public key extracted from the Infineon pre-provisioned Certificate and store it into 0xE0E0

$ cd scripts/matter_provisioning/
$ ./matter_dac_provisioning.sh

Note:

By running this example matter_dac_provisioning.sh, the steps shown below are executed:

Step1: Extract the public key from the Infineon pre-provisioned Certificate(0xE0E0) using openssl command.

Step2: Generate DAC test certificate using the extracted public key, Signed by Matter test PAI. Please note that production devices cannot re-use these test keys/certificates.

Step3: Write DAC test certificate into OPTIGA™ Trust M certificate slot 0xE0E0

_Step4: Write Matter test PAI into OPTIGA™ Trust M certificate slot 0xE0E8 and test CD into OPTIGA™ Trust M Arbitrary OID 0xF1E0.