# Infineon OPTIGA™ Trust M Provisioning for Matter

To use Infineon OPTIGA™ Trust M for device attestation, the OPTIGA™ Trust M
must be provisioned with a Matter test Device Attestation Certificate (DAC).

## Hardware setup:

[Raspberry Pi 4](https://www.raspberrypi.com/products/raspberry-pi-4-model-b/)

[OPTIGA™ Trust M MTR](https://www.infineon.com/cms/en/product/evaluation-boards/trust-m-mtr-shield/)

[Shield2Go Adapter for Raspberry Pi](https://www.infineon.com/cms/en/product/evaluation-boards/s2go-adapter-rasp-pi-iot/)
or jumper wires

## Provisioning for OPTIGA™ Trust M

The
[Linux Tools for OPTIGA™ Trust M](https://github.com/Infineon/linux-optiga-trust-m)
can be used to perform provisioning by following the steps below.

- Set up chip-tool on the Raspberry Pi 4 by following the instructions at
  [Building chip-tool on Raspberry Pi](https://github.com/project-chip/connectedhomeip/blob/master/docs/guides/BUILDING.md#installing-prerequisites-on-raspberry-pi-4)
- Clone the repo from the Infineon public GitHub

```
$ git clone --recurse-submodules https://github.com/Infineon/linux-optiga-trust-m.git
```

- Build the Linux tools for OPTIGA™ Trust M

```
$ cd linux-optiga-trust-m/
$ git checkout provider_dev
$ git submodule update -f
$ ./provider_installation_script.sh
```

- Run the script to generate a Matter test DAC for lock-app from the public key
  extracted from the Infineon pre-provisioned certificate and store it in
  0xE0E0

```
$ cd scripts/matter_provisioning/
$ ./matter_test_provisioning.sh
```

_Note:_

_Running the example `matter_test_provisioning.sh` executes the steps shown
below:_

_Step 1: Extract the public key from the Infineon pre-provisioned
certificate (0xE0E0) using the openssl command._

_Step 2: Generate a DAC test certificate from the extracted public key, signed by
the [Matter test PAI](https://github.com/project-chip/connectedhomeip/blob/v1.1-branch/credentials/development/attestation/Matter-Development-PAI-FFF1-noPID-Cert.pem)_.
Please note that production devices cannot re-use these test keys/certificates.

_Step 3: Write the DAC test certificate into OPTIGA™ Trust M certificate slot
0xE0E0._

_Step 4: Write the Matter test PAI into OPTIGA™ Trust M certificate slot 0xE0E8
and the test CD into OPTIGA™ Trust M Arbitrary OID 0xF1E0._

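What Step 1 and Step 2 amount to with plain openssl, as an added example that is not taken from `matter_test_provisioning.sh`: a certificate is issued over a public key whose private key is not available to the issuer, then checked. The chip certificate, PAI, subject names and file names are constructed stand-ins, and the certificates carry no Matter-specific fields.

```shell
#!/bin/sh
# Added example: every key, name and file below is a constructed stand-in.
# dac_over_chip_key DIR -> prints "ok" when the issued test DAC carries the
# chip certificate's public key and verifies under the stand-in PAI.
dac_over_chip_key() {
    d=$1
    newkey="-newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes"
    mkdir -p "$d" || return 1
    # Minimal config so the result does not depend on the system openssl.cnf.
    cat > "$d/min.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
EOF
    # Stand-in for the certificate read from 0xE0E0. Its private key is
    # deleted to mimic a key that never leaves the secure element.
    openssl req -x509 -config "$d/min.cnf" $newkey -keyout "$d/chip.key" \
        -out "$d/chip_cert.pem" -subj "/CN=constructed chip cert" -days 1 \
        2>/dev/null || return 1
    rm -f "$d/chip.key"
    # Stand-in for the test PAI (certificate and signing key).
    openssl req -x509 -config "$d/min.cnf" $newkey -keyout "$d/pai.key" \
        -out "$d/pai.pem" -subj "/CN=constructed test PAI" -days 1 \
        2>/dev/null || return 1
    # Step 1: extract the public key from the chip certificate.
    openssl x509 -in "$d/chip_cert.pem" -pubkey -noout \
        > "$d/chip_pub.pem" || return 1
    # Step 2: a CSR must be signed by some key, so use a throwaway one and
    # let -force_pubkey place the chip's public key in the issued DAC.
    openssl req -new -config "$d/min.cnf" $newkey -keyout "$d/tmp.key" \
        -out "$d/dac.csr" -subj "/CN=constructed test DAC" \
        2>/dev/null || return 1
    openssl x509 -req -in "$d/dac.csr" -CA "$d/pai.pem" -CAkey "$d/pai.key" \
        -set_serial 1 -days 1 -force_pubkey "$d/chip_pub.pem" \
        -out "$d/dac.pem" 2>/dev/null || return 1
    # Check: same public key as the chip, and a valid signature by the PAI.
    openssl x509 -in "$d/dac.pem" -pubkey -noout > "$d/dac_pub.pem" || return 1
    cmp -s "$d/chip_pub.pem" "$d/dac_pub.pem" \
        || { echo "key mismatch"; return 1; }
    openssl verify -CAfile "$d/pai.pem" "$d/dac.pem" >/dev/null 2>&1 \
        || { echo "chain invalid"; return 1; }
    echo ok
}
```

The same two checks (public key equality and verification under the PAI) apply to a DAC read back from the device after provisioning.
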
For certificate claiming and OPTIGA™ Trust M MTR provisioning, please refer
to our
[README for Late-stage Provisioning](https://github.com/Infineon/linux-optiga-trust-m/blob/provider_dev/scripts/matter_provisioning/README.md#certificate-claiming).