# Infineon OPTIGA™ Trust M Provisioning for Matter

To use Infineon OPTIGA™ Trust M for device attestation, the OPTIGA™ Trust M
must first be provisioned with a Matter test Device Attestation Certificate
(DAC).

## Hardware setup:

[Raspberry Pi 4](https://www.raspberrypi.com/products/raspberry-pi-4-model-b/)

[OPTIGA Trust M MTR](https://www.infineon.com/cms/en/product/evaluation-boards/trust-m-mtr-shield/)

[Shield2Go Adapter for Raspberry Pi](https://www.infineon.com/cms/en/product/evaluation-boards/s2go-adapter-rasp-pi-iot/)
or jumper wires

## Provisioning for OPTIGA™ Trust M

The
[Linux Tools for OPTIGA™ Trust M](https://github.com/Infineon/linux-optiga-trust-m)
can be used to perform provisioning by following the steps below.

- Set up chip-tool on the Raspberry Pi 4 by following the instructions at
  [Building chip-tool on Raspberry Pi](https://github.com/project-chip/connectedhomeip/blob/master/docs/guides/BUILDING.md#installing-prerequisites-on-raspberry-pi-4)
- Clone the repository from Infineon's public GitHub

```
$ git clone --recurse-submodules https://github.com/Infineon/linux-optiga-trust-m.git
```

- Build the Linux tools for OPTIGA™ Trust M

```
$ cd linux-optiga-trust-m/
$ git checkout provider_dev
$ git submodule update -f
$ ./provider_installation_script.sh
```

- Run the script to generate a Matter test DAC for lock-app using the public key
  extracted from the Infineon pre-provisioned certificate and store it in
  0xE0E0

```
$ cd scripts/matter_provisioning/
$ ./matter_test_provisioning.sh
```

_Note:_

_Running the example script `matter_test_provisioning.sh` executes the steps
shown below:_

_Step1: Extract the public key from the Infineon pre-provisioned
certificate (0xE0E0) using an openssl command._

_Step2: Generate the DAC test certificate using the extracted public key, signed by
[Matter test PAI](https://github.com/project-chip/connectedhomeip/blob/v1.1-branch/credentials/development/attestation/Matter-Development-PAI-FFF1-noPID-Cert.pem)_.
Please note that production devices cannot re-use these test keys/certificates.

_Step3: Write the DAC test certificate into OPTIGA™ Trust M certificate slot
0xE0E0._

_Step4: Write the Matter test PAI into OPTIGA™ Trust M certificate slot 0xE0E8
and the test CD into OPTIGA™ Trust M Arbitrary OID 0xF1E0._
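
A check worth running between Step2 and Step3, shown as an added example that is not part of `matter_test_provisioning.sh` or the Infineon tools: it repeats Step1 and Step2 with plain openssl and confirms that the issued certificate carries the extracted public key and chains to its issuer. The chip certificate and the PAI are constructed stand-ins generated on the spot, and all file and function names are assumptions.

```shell
#!/bin/sh
# Added example. chip.pem and pai.pem are constructed stand-ins for the
# pre-provisioned certificate in 0xE0E0 and for the Matter test PAI.
set -e
WORK=$(mktemp -d)
# Minimal openssl config so the stand-in issuer is marked as a CA.
printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=v3_ca' \
    'prompt=no' '[dn]' 'CN=placeholder' '[v3_ca]' \
    'basicConstraints=critical,CA:TRUE' > "$WORK/c.cnf"

# Create a P-256 key and self-signed certificate: $1 = file stem, $2 = CN.
selfsigned() {
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -config "$WORK/c.cnf" -subj "/CN=$2" -days 1 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# Step1: extract the public key from certificate $1 into file $2.
extract_pubkey() {
    openssl x509 -in "$1" -pubkey -noout > "$2"
}

# Step2: issue a certificate for public key $1 into $2, signed by the issuer.
# The host does not hold the private key for $1, so the CSR is signed with a
# throwaway key and -force_pubkey swaps in the extracted public key.
issue_dac() {
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -config "$WORK/c.cnf" -subj "/CN=constructed test DAC" \
        -keyout "$WORK/tmp.key" -out "$WORK/dac.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/dac.csr" -force_pubkey "$1" \
        -CA "$WORK/pai.pem" -CAkey "$WORK/pai.key" -set_serial 1 -days 1 \
        -out "$2" 2>/dev/null
}

# Pre-write check: certificate $1 must carry the public key in $2 and must
# chain to the issuer; either failure means it should not go into the slot.
dac_ok() {
    [ "$(openssl x509 -in "$1" -pubkey -noout)" = "$(cat "$2")" ] &&
        openssl verify -CAfile "$WORK/pai.pem" "$1" >/dev/null 2>&1
}

selfsigned chip "constructed chip certificate"
selfsigned pai "constructed PAI"
extract_pubkey "$WORK/chip.pem" "$WORK/chip_pub.pem"
issue_dac "$WORK/chip_pub.pem" "$WORK/dac.pem"
if dac_ok "$WORK/dac.pem" "$WORK/chip_pub.pem"; then
    echo "DAC carries the chip key and chains to the issuer"
fi
```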

For certificate claiming and OPTIGA™ Trust M MTR provisioning, please refer
to our
[README for Late-stage Provisioning](https://github.com/Infineon/linux-optiga-trust-m/blob/provider_dev/scripts/matter_provisioning/README.md#certificate-claiming)