By default, the example application is configured to use generic test certificates and provisioning data embedded with the application code. It is possible for a final stage application to generate its own manufacturing data:
Generate new certificates
PAI_VID and PAI_PID variables must be changed accordingly inside generate_cert.sh script
generate_cert.sh script needs as input parameter the path to chip-cert tool (compile it from ./src/tools/chip-cert). The output of the script is: the DAC, PAI and PAA certificates. The DAC and PAI certificates will be written in a special section of the internal flash, while the PAA will be used on the chip-tool side as trust anchor. Please note that for real production manufacturing the “production PAA” is trusted via the DCL rather than thorough PAA certificate generated along with DAC and PAI. The PAI cert may also have a different lifecycle.
user@ubuntu:~/Desktop/git/connectedhomeip$ ./examples/platform/nxp/k32w/k32w0/scripts/generate_cert.sh ./src/tools/chip-cert/out/chip-cert
Generate new provisioning data and convert all the data to a binary:
user@ubuntu:~/Desktop/git/connectedhomeip$ python3 ./scripts/tools/nxp/generate_nxp_chip_factory_bin.py -i 10000 -s ABCDEFGHIJKLMNOPQRSXYZ -p 14014 -d 1000 --dac_cert /home/ubuntu/manufacturing/Chip-DAC-NXP-Cert.der --dac_key /home/ubuntu/manufacturing/Chip-DAC-NXP-Key.der --pai_cert /home/ubuntu/manufacturing/Chip-PAI-NXP-Cert.der --spake2p_path ./src/tools/spake2p/out/spake2p --out out.bin
Here is the interpretation of the parameters:
-i -> SPAKE2+ iteration -s -> SPAKE2+ salt -p -> SPAKE2+ passcode - d -> discriminator --dac_cert -> path to the DAC (der format) location --dac_key -> path to the DAC key (der format) location --pai_cert -> path to the PAI (der format) location --spake2p_path -> path to the spake2p tool (compile it from ./src/tools/spake2p) --out -> name of the binary that will be used for storing all the generated data
Write out.bin to the internal flash at location 0x9D200:
DK6Programmer.exe -Y -V2 -s <COM_PORT> -P 1000000 -Y -p FLASH@0x9D200="out.bin"
Generate a new CD (certification declaration):
Inside gen-test-cds.sh, the parameters vids, pid0, device_type_id must be changed accordingly. Use Chip-Test-CD-Signing-* key and certificate already available in ./credentials/test/certification-declaration/ which acts as CSA Certificate. This CSA certificate is also hard-coded as Trust Anchor in the current chip-tool version. To use this certificate and avoid generating a new one, lines 69-70 must be commented in the gen-test-cds.sh script (the ones that are generating a new CD signing authority).
user@ubuntu:~/Desktop/git/connectedhomeip$ ./credentials/test/gen-test-cds.sh ./src/tools/chip-cert/out/chip-cert
Set the correct VID/PID and CD in the examples/$APP_NAME/nxp/k32w/k32w0/ChipProjectConfig.h file VID and PID values should correspond to the ones used for DAC. CD bytes should be the ones obtained at the step above:
user@ubuntu:~/manufacturing hexdump -ve '1/1 "0x%.2x, "' Chip-Test-CD-1037-A220.der
Use chip_with_factory_data=1 gn compilation argument
This is needed in order to load the data from the special flash section. Build and flash the application.
Run chip-tool with a new PAA:
./chip-tool pairing ble-thread 2 hex: $hex_value 14014 1000 --paa-trust-store-path /home/ubuntu/certs/paa
Here is the interpretation of the parameters:
--paa-trust-store-path -> path to the generated PAA (der format)
paa-trust-store-path must contain only the PAA certificate. Avoid placing other certificates in the same location as this may confuse chip-tool.
PAA certificate can be copied to the chip-tool machine using SCP for example.
This is needed for testing self-generated DACs, but likely not required for “true production” with production PAI issued DACs.
Useful information/Known issues
Implementation of manufacturing data provisioning has been validated using test certificates generated by OpenSSL 1.1.1l. Also, demo DAC, PAI and PAA certificates needed in case _chip_with_factory_data=1_ is used can be found in examples/platform/nxp/k32w/k32w0/scripts/demo_generated_certs. dut1/dut2 folders contains different DACs/Private Keys and can be used for testing topologies with 2 DUTS. out_dut1.bin/out2_dut2.bin contains the corresponding DACs/PAIs generated using generate_nxp_chip_factory_bin.py script. The discriminator is 14014 and the passcode is 1000. These demo certificates are working with the CDs installed in CHIPProjectConfig.h.