[Darwin][AttestationVerifier] Expose a mechanism to customise cd signing keys and use it in darwin #22338

vivien-apple · 2022-09-01T13:07:47Z

Problem

This PR implements some parts of "Certificate Declaration verification need to consume real signing keys (aka #21802)" by exposing a virtual method AttestationTrustStore::GetCertificationDeclarationCert and updating the code so it uses this method if it is implemented or returns the default test certificate otherwise.

In this PR this method is only implemented for the darwin controller, but it could be easily extended to the ArrayAttestationTrustStore and the FileAttestationTrustStore.

Change overview

Add a virtual method AttestationTrustStore::GetCertificationDeclarationCert and makes it return CHIP_ERROR_NOT_IMPLEMENTED for some of the implementations.
Override AttestationTrustStore::GetCertificationDeclarationCert in the darwin implementation

Testing

It has been tested by manually toying with startup params in the darwin-framework-tool command line tool.
For example here is the diff for using the default test keys

diff --git a/examples/darwin-framework-tool/commands/common/CHIPCommandBridge.mm b/examples/darwin-framework-tool/commands/common/CHIPCommandBridge.mm
index 40d265b3e17..a450789eaf3 100644
--- a/examples/darwin-framework-tool/commands/common/CHIPCommandBridge.mm
+++ b/examples/darwin-framework-tool/commands/common/CHIPCommandBridge.mm
@@ -77,6 +77,57 @@
     params.startServer = YES;
     params.otaProviderDelegate = mOTADelegate;
 
+    uint8_t paaCert[] = { 0x30, 0x82, 0x01, 0xbd, 0x30, 0x82, 0x01, 0x64, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x08, 0x4e, 0xa8,
+        0xe8, 0x31, 0x82, 0xd4, 0x1c, 0x1c, 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x30, 0x30,
+        0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x0f, 0x4d, 0x61, 0x74, 0x74, 0x65, 0x72, 0x20, 0x54, 0x65,
+        0x73, 0x74, 0x20, 0x50, 0x41, 0x41, 0x31, 0x24, 0x30, 0x12, 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0xa2, 0x7c,
+        0x02, 0x01, 0x0c, 0x04, 0x46, 0x46, 0x46, 0x31, 0x30, 0x20, 0x17, 0x0d, 0x32, 0x31, 0x30, 0x36, 0x32, 0x38, 0x31, 0x34,
+        0x32, 0x33, 0x34, 0x33, 0x5a, 0x18, 0x0f, 0x39, 0x39, 0x39, 0x39, 0x31, 0x32, 0x33, 0x31, 0x32, 0x33, 0x35, 0x39, 0x35,
+        0x39, 0x5a, 0x30, 0x30, 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x0f, 0x4d, 0x61, 0x74, 0x74, 0x65,
+        0x72, 0x20, 0x54, 0x65, 0x73, 0x74, 0x20, 0x50, 0x41, 0x41, 0x31, 0x14, 0x30, 0x12, 0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04,
+        0x01, 0x82, 0xa2, 0x7c, 0x02, 0x01, 0x0c, 0x04, 0x46, 0x46, 0x46, 0x31, 0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86,
+        0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, 0x03, 0x42, 0x00, 0x04, 0xb6,
+        0xcb, 0x63, 0x72, 0x88, 0x7f, 0x29, 0x28, 0xf5, 0xba, 0xc8, 0x1a, 0xa9, 0xd9, 0x3a, 0xe2, 0x43, 0x1c, 0xad, 0xa9, 0xd7,
+        0x9e, 0x24, 0x2f, 0x65, 0x17, 0x7e, 0xf9, 0xce, 0xd9, 0x32, 0xa2, 0x8e, 0xcd, 0x03, 0xba, 0xaf, 0x6a, 0x8f, 0xca, 0x18,
+        0x4a, 0x1a, 0x50, 0x35, 0x42, 0x96, 0x0d, 0x45, 0x3f, 0x30, 0x3f, 0x1f, 0x19, 0x42, 0x1d, 0x75, 0x1e, 0x8f, 0x8f, 0x1a,
+        0x9a, 0x9b, 0x75, 0xa3, 0x66, 0x30, 0x64, 0x30, 0x12, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x08, 0x30,
+        0x06, 0x01, 0x01, 0xff, 0x02, 0x01, 0x01, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x01, 0x01, 0xff, 0x04, 0x04, 0x03,
+        0x02, 0x01, 0x06, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x6a, 0xfd, 0x22, 0x77, 0x1f, 0x51,
+        0x1f, 0xec, 0xbf, 0x16, 0x41, 0x97, 0x67, 0x10, 0xdc, 0xdc, 0x31, 0xa1, 0x71, 0x7e, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d,
+        0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0x6a, 0xfd, 0x22, 0x77, 0x1f, 0x51, 0x1f, 0xec, 0xbf, 0x16, 0x41, 0x97, 0x67,
+        0x10, 0xdc, 0xdc, 0x31, 0xa1, 0x71, 0x7e, 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x03,
+        0x47, 0x00, 0x30, 0x44, 0x02, 0x20, 0x50, 0xaa, 0x80, 0x02, 0xf4, 0xd9, 0x32, 0xa9, 0xa0, 0x05, 0x38, 0xf6, 0x53, 0x68,
+        0xad, 0x0f, 0xff, 0xc8, 0xef, 0xbb, 0xc9, 0xbe, 0xb7, 0xda, 0x56, 0x98, 0x35, 0xcf, 0x9a, 0xa7, 0x51, 0x0e, 0x02, 0x20,
+        0x23, 0xba, 0xc8, 0xfe, 0x0f, 0x23, 0xe7, 0x54, 0x45, 0xb6, 0x53, 0x39, 0x08, 0x1a, 0x47, 0x99, 0x49, 0x29, 0xc7, 0x2a,
+        0xaf, 0x0a, 0x15, 0x48, 0xd4, 0x0d, 0x03, 0x4d, 0x51, 0x4b, 0x25, 0xde };
+
+    uint8_t cdCert[] = { 0x30, 0x82, 0x01, 0xb3, 0x30, 0x82, 0x01, 0x5a, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x08, 0x45, 0xda, 0xf3,
+        0x9d, 0xe4, 0x7a, 0xa0, 0x8f, 0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x30, 0x2b, 0x31,
+        0x29, 0x30, 0x27, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x20, 0x4d, 0x61, 0x74, 0x74, 0x65, 0x72, 0x20, 0x54, 0x65, 0x73,
+        0x74, 0x20, 0x43, 0x44, 0x20, 0x53, 0x69, 0x67, 0x6e, 0x69, 0x6e, 0x67, 0x20, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69,
+        0x74, 0x79, 0x30, 0x20, 0x17, 0x0d, 0x32, 0x31, 0x30, 0x36, 0x32, 0x38, 0x31, 0x34, 0x32, 0x33, 0x34, 0x33, 0x5a, 0x18,
+        0x0f, 0x39, 0x39, 0x39, 0x39, 0x31, 0x32, 0x33, 0x31, 0x32, 0x33, 0x35, 0x39, 0x35, 0x39, 0x5a, 0x30, 0x2b, 0x31, 0x29,
+        0x30, 0x27, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x20, 0x4d, 0x61, 0x74, 0x74, 0x65, 0x72, 0x20, 0x54, 0x65, 0x73, 0x74,
+        0x20, 0x43, 0x44, 0x20, 0x53, 0x69, 0x67, 0x6e, 0x69, 0x6e, 0x67, 0x20, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74,
+        0x79, 0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce,
+        0x3d, 0x03, 0x01, 0x07, 0x03, 0x42, 0x00, 0x04, 0x3c, 0x39, 0x89, 0x22, 0x45, 0x2b, 0x55, 0xca, 0xf3, 0x89, 0xc2, 0x5b,
+        0xd1, 0xbc, 0xa4, 0x65, 0x69, 0x52, 0xcc, 0xb9, 0x0e, 0x88, 0x69, 0x24, 0x9a, 0xd8, 0x47, 0x46, 0x53, 0x01, 0x4c, 0xbf,
+        0x95, 0xd6, 0x87, 0x96, 0x5e, 0x03, 0x6b, 0x52, 0x1c, 0x51, 0x03, 0x7e, 0x6b, 0x8c, 0xed, 0xef, 0xca, 0x1e, 0xb4, 0x40,
+        0x46, 0x69, 0x4f, 0xa0, 0x88, 0x82, 0xee, 0xd6, 0x51, 0x9d, 0xec, 0xba, 0xa3, 0x66, 0x30, 0x64, 0x30, 0x12, 0x06, 0x03,
+        0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x08, 0x30, 0x06, 0x01, 0x01, 0xff, 0x02, 0x01, 0x01, 0x30, 0x0e, 0x06, 0x03,
+        0x55, 0x1d, 0x0f, 0x01, 0x01, 0xff, 0x04, 0x04, 0x03, 0x02, 0x01, 0x06, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04,
+        0x16, 0x04, 0x14, 0x62, 0xfa, 0x82, 0x33, 0x59, 0xac, 0xfa, 0xa9, 0x96, 0x3e, 0x1c, 0xfa, 0x14, 0x0a, 0xdd, 0xf5, 0x04,
+        0xf3, 0x71, 0x60, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0x62, 0xfa, 0x82, 0x33,
+        0x59, 0xac, 0xfa, 0xa9, 0x96, 0x3e, 0x1c, 0xfa, 0x14, 0x0a, 0xdd, 0xf5, 0x04, 0xf3, 0x71, 0x60, 0x30, 0x0a, 0x06, 0x08,
+        0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x03, 0x47, 0x00, 0x30, 0x44, 0x02, 0x20, 0x2c, 0x54, 0x5c, 0xe4, 0xe4,
+        0x57, 0xd8, 0xa6, 0xf0, 0xd9, 0xd9, 0xbb, 0xeb, 0xd6, 0xec, 0xe1, 0xdd, 0xfe, 0x7f, 0x8c, 0x6d, 0x9a, 0x6c, 0xf3, 0x75,
+        0x32, 0x1f, 0xc6, 0xfa, 0xc7, 0x13, 0x84, 0x02, 0x20, 0x54, 0x07, 0x78, 0xe8, 0x74, 0x39, 0x72, 0x52, 0x7e, 0xed, 0xeb,
+        0xaf, 0x58, 0x68, 0x62, 0x20, 0xb5, 0x40, 0x78, 0xf2, 0xcd, 0x4e, 0x62, 0xa7, 0x6a, 0xe7, 0xcb, 0xb9, 0x2f, 0xf5, 0x4c,
+        0x8b };
+
+    params.paaCerts = @[ [NSData dataWithBytes:&paaCert length:sizeof(paaCert)] ];
+    params.cdCerts = @[ [NSData dataWithBytes:&cdCert length:sizeof(cdCert)] ];
+
     if ([factory startup:params] == NO) {
         ChipLogError(chipTool, "Controller factory startup failed");
         return CHIP_ERROR_INTERNAL;

src/credentials/attestation_verifier/FileAttestationTrustStore.h

tcarmelveilleux

The CD trust store changes cause a model which forces using files to provide the official CDs in the default implementation. This is confusing and also overloads usage of AttestationTrustStore for 2 separate usages that are semantically different.

Provided proposed changes in vivien-apple#7 that enable the required CD files support while not overloading existing interfaces

…thod to allow controllers passing in some CD certs

…tionTrustStore::GetCertificationDeclarationCert

…initialize the test ArrayTrustStore store with the test CD cert

…ts for certification declaration verification

…if desired

- Remove CD stuff from FileAttestationTrustStore - Refactor FileAttestationTrustStore to allow loading of any X.509 cert directory - Add a command line to chip-tool to disallow test keys (`only-allow-trusted-cd-keys`) - Add plumbing to enable CD keys lookup properly without mixing-up with PAA semantics - Add official CD verifying key and official SDK CD test key in the default CD trust store as-is

github-actions · 2022-09-06T18:06:55Z

PR #22338: Size comparison from e535710 to a9e5662

Increases above 0.2%:

platform	target	config	section	`e535710`	`a9e5662`	change	% change
linux	chip-tool	debug	.bss	25272	26072	800	3.2
	chip-tool-ipv6only	arm64	.bss	33313	33937	624	1.9
	tv-app	debug	.bss	167352	168152	800	0.5
	tv-casting-app	debug	(read/write)	160536	160888	352	0.2
			.bss	51352	52120	768	1.5

Increases (8 builds for bl602, cc13x2_26x2, linux, nrfconnect, qpg)

platform	target	config	section	`e535710`	`a9e5662`	change	% change
bl602	lighting-app	bl602	.text	1065684	`1065686`	2	0.0
cc13x2_26x2	pump-controller-app	LP_CC2652R7	(read only)	669723	669731	8	0.0
			.text	583616	583624	8	0.0
linux	chip-tool	debug	(read only)	10945849	10953873	8024	0.1
			(read/write)	657352	657736	384	0.1
			.bss	25272	26072	800	3.2
			.data.rel.ro	622288	622456	168	0.0
			.rodata	569301	570261	960	0.2
			.text	8855732	8862388	6656	0.1
	chip-tool-ipv6only	arm64	(read only)	10320484	10327244	6760	0.1
			(read/write)	705185	705601	416	0.1
			.bss	33313	33937	624	1.9
			.data.rel.ro	649784	649976	192	0.0
			.got	13840	13864	24	0.2
			.rodata	499252	499900	648	0.1
			.text	8168820	`8174324`	5504	0.1
	tv-app	debug	(read only)	`3192969`	`3196033`	3064	0.1
			(read/write)	258040	258392	352	0.1
			.bss	167352	168152	800	0.5
			.data.rel.ro	79368	79520	152	0.2
			.rodata	260328	260552	224	0.1
			.text	2742610	2745090	2480	0.1
	tv-casting-app	debug	(read only)	5511313	5516025	4712	0.1
			(read/write)	160536	160888	352	0.2
			.bss	51352	52120	768	1.5
			.data.rel.ro	100304	100488	184	0.2
			.rodata	345393	345937	544	0.2
			.text	4894018	4897778	3760	0.1
nrfconnect	all-clusters-minimal-app	nrf52840dk_nrf52840	text	803460	803464	4	0.0
qpg	lighting-app	qpg6105+debug	(read/write)	1129156	1129164	8	0.0
			.text	576252	576260	8	0.0

Decreases (13 builds for bl602, cc13x2_26x2, k32w, linux, nrfconnect, psoc6, telink)

platform	target	config	section	`e535710`	`a9e5662`	change	% change
bl602	lighting-app	bl602+rpc	.text	1097032	`1097030`	-2	-0.0
cc13x2_26x2	pump-controller-app	LP_CC2652R7	(read/write)	172812	172804	-8	-0.0
k32w	lock	k32w0+release	(read/write)	705216	705200	-16	-0.0
			.text	629252	629236	-16	-0.0
linux	chip-tool	debug	.data	3266	2690	-576	-17.6
	chip-tool-ipv6only	arm64	.data	3280	2856	-424	-12.9
	tv-app	debug	.data	4752	4144	-608	-12.8
	tv-casting-app	debug	.data	2432	1824	-608	-25.0
nrfconnect	all-clusters-app	nrf52840dk_nrf52840	text	815072	815068	-4	-0.0
psoc6	all-clusters	cy8ckit_062s2_43012	.debug_info	26715430	26715429	-1	-0.0
	light	cy8ckit_062s2_43012	.debug_info	21914335	21914334	-1	-0.0
	lock	cy8ckit_062s2_43012	.debug_info	22294083	22294082	-1	-0.0
telink	light-switch-app	tlsr9518adk80d	(read/write)	809096	809088	-8	-0.0
			text	571518	571514	-4	-0.0
	lighting-app	tlsr9518adk80d	text	589642	589640	-2	-0.0

Full report (45 builds for bl602, cc13x2_26x2, cyw30739, efr32, esp32, k32w, linux, mbed, nrfconnect, psoc6, qpg, telink)

platform	target	config	section	`e535710`	`a9e5662`	change	% change
bl602	lighting-app	bl602	(read/write)	`1410254`	`1410254`	0	0.0
			.bss	121585	121585	0	0.0
			.data	9816	9816	0	0.0
			.text	1065684	`1065686`	2	0.0
		bl602+rpc	(read/write)	1455450	1455450	0	0.0
			.bss	129017	129017	0	0.0
			.data	10200	10200	0	0.0
			.text	1097032	`1097030`	-2	-0.0
cc13x2_26x2	all-clusters-app	LP_CC2652R7	(read only)	675359	675359	0	0.0
			(read/write)	176048	176048	0	0.0
			.bss	74300	74300	0	0.0
			.data	3380	3380	0	0.0
			.rodata	89215	89215	0	0.0
			.text	585832	585832	0	0.0
	all-clusters-minimal-app	LP_CC2652R7	(read only)	640071	640071	0	0.0
			(read/write)	157868	157868	0	0.0
			.bss	73572	73572	0	0.0
			.data	3380	3380	0	0.0
			.rodata	78367	78367	0	0.0
			.text	561384	561384	0	0.0
	lock-ftd	LP_CC2652R7	(read only)	676419	676419	0	0.0
			(read/write)	165300	165300	0	0.0
			.bss	71500	71500	0	0.0
			.data	3304	3304	0	0.0
			.rodata	77067	77067	0	0.0
			.text	598872	598872	0	0.0
	lock-mtd	LP_CC2652R7	(read only)	659379	659379	0	0.0
			(read/write)	178028	178028	0	0.0
			.bss	67188	67188	0	0.0
			.data	3304	3304	0	0.0
			.rodata	102323	102323	0	0.0
			.text	556576	556576	0	0.0
	pump-app	LP_CC2652R7	(read only)	685247	685247	0	0.0
			(read/write)	157176	157176	0	0.0
			.bss	71436	71436	0	0.0
			.data	3296	3296	0	0.0
			.rodata	90079	90079	0	0.0
			.text	594684	594684	0	0.0
	pump-controller-app	LP_CC2652R7	(read only)	669723	669731	8	0.0
			(read/write)	172812	172804	-8	-0.0
			.bss	71548	71548	0	0.0
			.data	3292	3292	0	0.0
			.rodata	85627	85627	0	0.0
			.text	583616	583624	8	0.0
	shell	LP_CC2652R7	(read only)	666010	666010	0	0.0
			(read/write)	180916	180916	0	0.0
			.bss	76620	76620	0	0.0
			.data	3376	3376	0	0.0
			.rodata	85770	85770	0	0.0
			.text	579924	579924	0	0.0
cyw30739	light	cyw930739m2evb_01	(read/write)	586882	586882	0	0.0
			.app_xip_area	463540	463540	0	0.0
			.bss	65776	65776	0	0.0
			.data	744	744	0	0.0
			.rodata	0	0	0	0.0
			.text	112	112	0	0.0
	lock	cyw930739m2evb_01	(read/write)	592634	592634	0	0.0
			.app_xip_area	464508	464508	0	0.0
			.bss	70560	70560	0	0.0
			.data	748	748	0	0.0
			.rodata	0	0	0	0.0
			.text	112	112	0	0.0
	ota-requestor-no-progress-logging	cyw930739m2evb_01	(read/write)	599810	599810	0	0.0
			.app_xip_area	477188	477188	0	0.0
			.bss	65088	65088	0	0.0
			.data	716	716	0	0.0
			.rodata	0	0	0	0.0
			.text	112	112	0	0.0
efr32	lighting-app	BRD4161A	(read/write)	1108544	1108544	0	0.0
			.bss	136332	136332	0	0.0
			.data	2072	2072	0	0.0
			.text	970120	970120	0	0.0
		BRD4161A+rpc	(read/write)	972188	972188	0	0.0
			.bss	150844	150844	0	0.0
			.data	2252	2252	0	0.0
			.text	819072	819072	0	0.0
		BRD4161A+rs911x	(read/write)	1002048	1002048	0	0.0
			.bss	169168	169168	0	0.0
			.data	2064	2064	0	0.0
			.text	830796	830796	0	0.0
	lock-app	BRD4161A+wf200	(read/write)	1150116	1150116	0	0.0
			.bss	152248	152248	0	0.0
			.data	2072	2072	0	0.0
			.text	995776	995776	0	0.0
	window-app	BRD4161A	(read/write)	1099784	1099784	0	0.0
			.bss	137772	137772	0	0.0
			.data	2096	2096	0	0.0
			.text	959896	959896	0	0.0
esp32	all-clusters-app	c3devkit	(read only)	1033856	1033856	0	0.0
			(read/write)	1493494	1493494	0	0.0
			.dram0.bss	71120	71120	0	0.0
			.dram0.data	13696	13696	0	0.0
			.flash.rodata	218008	218008	0	0.0
			.flash.text	1033856	1033856	0	0.0
			.iram0.text	65204	65204	0	0.0
		m5stack	(read only)	1086195	1086195	0	0.0
			(read/write)	490772	490772	0	0.0
			.dram0.bss	76640	76640	0	0.0
			.dram0.data	34152	34152	0	0.0
			.flash.rodata	247312	247312	0	0.0
			.flash.text	1080811	1080811	0	0.0
			.iram0.text	123939	123939	0	0.0
k32w	light	k32w0+release	(read/write)	648204	648204	0	0.0
			.bss	70712	70712	0	0.0
			.data	2068	2068	0	0.0
			.text	572696	572696	0	0.0
	lock	k32w0+release	(read/write)	705216	705200	-16	-0.0
			.bss	71160	71160	0	0.0
			.data	2076	2076	0	0.0
			.text	629252	629236	-16	-0.0
linux	all-clusters-app	debug	(read only)	3046409	3046409	0	0.0
			(read/write)	156064	156064	0	0.0
			.bss	61824	61824	0	0.0
			.data	2096	2096	0	0.0
			.data.rel.ro	85768	85768	0	0.0
			.dynamic	608	608	0	0.0
			.got	4568	4568	0	0.0
			.init	27	27	0	0.0
			.init_array	1176	1176	0	0.0
			.rodata	275659	275659	0	0.0
			.text	2591314	2591314	0	0.0
	all-clusters-minimal-app	debug	(read only)	2882273	2882273	0	0.0
			(read/write)	147664	147664	0	0.0
			.bss	61056	61056	0	0.0
			.data	2064	2064	0	0.0
			.data.rel.ro	78264	78264	0	0.0
			.dynamic	608	608	0	0.0
			.got	4488	4488	0	0.0
			.init	27	27	0	0.0
			.init_array	1160	1160	0	0.0
			.rodata	275883	275883	0	0.0
			.text	2429730	2429730	0	0.0
	bridge-app	debug+rpc	(read only)	2379977	2379977	0	0.0
			(read/write)	127752	127752	0	0.0
			.bss	50656	50656	0	0.0
			.data	3600	3600	0	0.0
			.data.rel.ro	67640	67640	0	0.0
			.dynamic	608	608	0	0.0
			.got	4392	4392	0	0.0
			.init	27	27	0	0.0
			.init_array	832	832	0	0.0
			.rodata	204488	204488	0	0.0
			.text	`2012578`	`2012578`	0	0.0
	chip-tool	debug	(read only)	10945849	10953873	8024	0.1
			(read/write)	657352	657736	384	0.1
			.bss	25272	26072	800	3.2
			.data	3266	2690	-576	-17.6
			.data.rel.ro	622288	622456	168	0.0
			.dynamic	608	608	0	0.0
			.got	5096	5096	0	0.0
			.init	27	27	0	0.0
			.init_array	776	776	0	0.0
			.rodata	569301	570261	960	0.2
			.text	8855732	8862388	6656	0.1
	chip-tool-ipv6only	arm64	(read only)	10320484	10327244	6760	0.1
			(read/write)	705185	705601	416	0.1
			.bss	33313	33937	624	1.9
			.data	3280	2856	-424	-12.9
			.data.rel.ro	649784	649976	192	0.0
			.dynamic	560	560	0	0.0
			.got	13840	13864	24	0.2
			.init	24	24	0	0.0
			.init_array	200	200	0	0.0
			.rodata	499252	499900	648	0.1
			.text	8168820	`8174324`	5504	0.1
	lighting-app	debug+rpc	(read only)	2605401	2605401	0	0.0
			(read/write)	130536	130536	0	0.0
			.bss	49792	49792	0	0.0
			.data	2096	2096	0	0.0
			.data.rel.ro	72680	72680	0	0.0
			.dynamic	608	608	0	0.0
			.got	4392	4392	0	0.0
			.init	27	27	0	0.0
			.init_array	928	928	0	0.0
			.rodata	221328	221328	0	0.0
			.text	2212882	2212882	0	0.0
	lock-app	debug	(read only)	2588385	2588385	0	0.0
			(read/write)	125712	125712	0	0.0
			.bss	48288	48288	0	0.0
			.data	1712	1712	0	0.0
			.data.rel.ro	69688	69688	0	0.0
			.dynamic	608	608	0	0.0
			.got	4464	4464	0	0.0
			.init	27	27	0	0.0
			.init_array	904	904	0	0.0
			.rodata	238320	238320	0	0.0
			.text	2183122	2183122	0	0.0
	ota-provider-app	debug	(read only)	2365657	2365657	0	0.0
			(read/write)	119144	119144	0	0.0
			.bss	47808	47808	0	0.0
			.data	1936	1936	0	0.0
			.data.rel.ro	63512	63512	0	0.0
			.dynamic	608	608	0	0.0
			.got	4488	4488	0	0.0
			.init	27	27	0	0.0
			.init_array	768	768	0	0.0
			.rodata	210328	210328	0	0.0
			.text	1991570	1991570	0	0.0
	ota-requestor-app	debug	(read only)	2530969	2530969	0	0.0
			(read/write)	127552	127552	0	0.0
			.bss	50368	50368	0	0.0
			.data	2304	2304	0	0.0
			.data.rel.ro	68920	68920	0	0.0
			.dynamic	608	608	0	0.0
			.got	4480	4480	0	0.0
			.init	27	27	0	0.0
			.init_array	856	856	0	0.0
			.rodata	217120	217120	0	0.0
			.text	2140946	2140946	0	0.0
	shell	debug	(read only)	2614713	2614713	0	0.0
			(read/write)	142184	142184	0	0.0
			.bss	57704	57704	0	0.0
			.data	1264	1264	0	0.0
			.data.rel.ro	77376	77376	0	0.0
			.dynamic	608	608	0	0.0
			.got	4136	4136	0	0.0
			.init	27	27	0	0.0
			.init_array	1048	1048	0	0.0
			.rodata	235762	235762	0	0.0
			.text	2220242	2220242	0	0.0
	thermostat-no-ble	arm64	(read only)	2364132	2364132	0	0.0
			(read/write)	141857	141857	0	0.0
			.bss	55233	55233	0	0.0
			.data	1680	1680	0	0.0
			.data.rel.ro	76112	76112	0	0.0
			.dynamic	560	560	0	0.0
			.got	5056	5056	0	0.0
			.init	24	24	0	0.0
			.init_array	416	416	0	0.0
			.rodata	141324	141324	0	0.0
			.text	1984768	1984768	0	0.0
	tv-app	debug	(read only)	`3192969`	`3196033`	3064	0.1
			(read/write)	258040	258392	352	0.1
			.bss	167352	168152	800	0.5
			.data	4752	4144	-608	-12.8
			.data.rel.ro	79368	79520	152	0.2
			.dynamic	608	608	0	0.0
			.got	4856	4856	0	0.0
			.init	27	27	0	0.0
			.init_array	1080	1080	0	0.0
			.rodata	260328	260552	224	0.1
			.text	2742610	2745090	2480	0.1
	tv-casting-app	debug	(read only)	5511313	5516025	4712	0.1
			(read/write)	160536	160888	352	0.2
			.bss	51352	52120	768	1.5
			.data	2432	1824	-608	-25.0
			.data.rel.ro	100304	100488	184	0.2
			.dynamic	608	608	0	0.0
			.got	4776	4776	0	0.0
			.init	27	27	0	0.0
			.init_array	1048	1048	0	0.0
			.rodata	345393	345937	544	0.2
			.text	4894018	4897778	3760	0.1
mbed	lock-app	CY8CPROTO_062_4343W+release	(read only)	6224	6224	0	0.0
			(read/write)	`2455032`	`2455032`	0	0.0
			.bss	215044	215044	0	0.0
			.data	5872	5872	0	0.0
			.text	1417676	1417676	0	0.0
nrfconnect	all-clusters-app	nrf52840dk_nrf52840	(read/write)	1181199	1181199	0	0.0
			bss	143641	143641	0	0.0
			rodata	143552	143552	0	0.0
			text	815072	815068	-4	-0.0
	all-clusters-minimal-app	nrf52840dk_nrf52840	(read/write)	1160395	1160395	0	0.0
			bss	142868	142868	0	0.0
			rodata	135140	135140	0	0.0
			text	803460	803464	4	0.0
psoc6	all-clusters	cy8ckit_062s2_43012	(read only)	841960	841960	0	0.0
			(read/write)	1742548	1742548	0	0.0
			.ARM.attributes	46	46	0	0.0
			.ARM.exidx	8	8	0	0.0
			.bss	188720	188720	0	0.0
			.comment	204	204	0	0.0
			.copy.table	24	24	0	0.0
			.cy_m0p_image	6216	6216	0	0.0
			.cy_sharedmem	8	8	0	0.0
			.data	2664	2664	0	0.0
			.debug_abbrev	1221471	1221471	0	0.0
			.debug_aranges	111728	111728	0	0.0
			.debug_frame	372964	372964	0	0.0
			.debug_info	26715430	26715429	-1	-0.0
			.debug_line	3657437	3657437	0	0.0
			.debug_loc	3573305	3573305	0	0.0
			.debug_ranges	338440	338440	0	0.0
			.debug_str	3427396	3427396	0	0.0
			.heap	841960	841960	0	0.0
			.noinit	148	148	0	0.0
			.ramVectors	736	736	0	0.0
			.shstrtab	288	288	0	0.0
			.stab	156	156	0	0.0
			.stabstr	335	335	0	0.0
			.stack_dummy	4096	4096	0	0.0
			.strtab	570587	570587	0	0.0
			.symtab	421456	421456	0	0.0
			.text	1542776	1542776	0	0.0
			.zero.table	8	8	0	0.0
			text	0	0	0	0.0
	all-clusters-minimal	cy8ckit_062s2_43012	(read only)	842696	842696	0	0.0
			(read/write)	1685748	1685748	0	0.0
			.ARM.attributes	46	46	0	0.0
			.ARM.exidx	8	8	0	0.0
			.bss	187984	187984	0	0.0
			.comment	204	204	0	0.0
			.copy.table	24	24	0	0.0
			.cy_m0p_image	6216	6216	0	0.0
			.cy_sharedmem	8	8	0	0.0
			.data	2664	2664	0	0.0
			.debug_abbrev	1213310	1213310	0	0.0
			.debug_aranges	111200	111200	0	0.0
			.debug_frame	376044	376044	0	0.0
			.debug_info	26452052	26452052	0	0.0
			.debug_line	3677953	3677953	0	0.0
			.debug_loc	3560942	3560942	0	0.0
			.debug_ranges	337056	337056	0	0.0
			.debug_str	3416401	3416401	0	0.0
			.heap	842696	842696	0	0.0
			.noinit	148	148	0	0.0
			.ramVectors	736	736	0	0.0
			.shstrtab	288	288	0	0.0
			.stab	156	156	0	0.0
			.stabstr	335	335	0	0.0
			.stack_dummy	4096	4096	0	0.0
			.strtab	535061	535061	0	0.0
			.symtab	408048	408048	0	0.0
			.text	1486712	1486712	0	0.0
			.zero.table	0	0	0	0.0
				8	8	0	0.0
	light	cy8ckit_062s2_43012	(read only)	850928	850928	0	0.0
			(read/write)	1603020	1603020	0	0.0
			.ARM.attributes	46	46	0	0.0
			.ARM.exidx	8	8	0	0.0
			.bss	179960	179960	0	0.0
			.comment	204	204	0	0.0
			.copy.table	24	24	0	0.0
			.cy_m0p_image	6216	6216	0	0.0
			.cy_sharedmem	8	8	0	0.0
			.data	2456	2456	0	0.0
			.debug_abbrev	`1048129`	`1048129`	0	0.0
			.debug_aranges	103376	103376	0	0.0
			.debug_frame	346312	346312	0	0.0
			.debug_info	21914335	21914334	-1	-0.0
			.debug_line	3248418	3248418	0	0.0
			.debug_loc	3259284	3259284	0	0.0
			.debug_ranges	302528	302528	0	0.0
			.debug_str	3221667	3221667	0	0.0
			.heap	850928	850928	0	0.0
			.noinit	148	148	0	0.0
			.ramVectors	736	736	0	0.0
			.shstrtab	288	288	0	0.0
			.stab	156	156	0	0.0
			.stabstr	335	335	0	0.0
			.stack_dummy	4096	4096	0	0.0
			.strtab	468360	468360	0	0.0
			.symtab	375136	375136	0	0.0
			.text	1412216	1412216	0	0.0
			.zero.table	0	0	0	0.0
				8	8	0	0.0
	lock	cy8ckit_062s2_43012	(read only)	845896	845896	0	0.0
			(read/write)	1640708	1640708	0	0.0
			.ARM.attributes	46	46	0	0.0
			.ARM.exidx	8	8	0	0.0
			.bss	184976	184976	0	0.0
			.comment	204	204	0	0.0
			.copy.table	24	24	0	0.0
			.cy_m0p_image	6216	6216	0	0.0
			.cy_sharedmem	8	8	0	0.0
			.data	2472	2472	0	0.0
			.debug_abbrev	1055564	1055564	0	0.0
			.debug_aranges	104048	104048	0	0.0
			.debug_frame	349140	349140	0	0.0
			.debug_info	22294083	22294082	-1	-0.0
			.debug_line	`3257239`	`3257239`	0	0.0
			.debug_loc	3299137	3299137	0	0.0
			.debug_ranges	305872	305872	0	0.0
			.debug_str	3249088	3249088	0	0.0
			.heap	845896	845896	0	0.0
			.noinit	148	148	0	0.0
			.ramVectors	736	736	0	0.0
			.shstrtab	288	288	0	0.0
			.stab	156	156	0	0.0
			.stabstr	335	335	0	0.0
			.stack_dummy	4096	4096	0	0.0
			.strtab	474563	474563	0	0.0
			.symtab	378320	378320	0	0.0
			.text	1444872	1444872	0	0.0
			.zero.table	0	0	0	0.0
				8	8	0	0.0
qpg	lighting-app	qpg6105+debug	(read/write)	1129156	1129164	8	0.0
			.bss	106112	106112	0	0.0
			.data	1028	1028	0	0.0
			.text	576252	576260	8	0.0
	lock-app	qpg6105+debug	(read/write)	1100176	1100176	0	0.0
			.bss	102344	102344	0	0.0
			.data	1032	1032	0	0.0
			.text	547276	547276	0	0.0
telink	light-switch-app	tlsr9518adk80d	(read/write)	809096	809088	-8	-0.0
			bss	71344	71344	0	0.0
			noinit	43488	43488	0	0.0
			text	571518	571514	-4	-0.0
	lighting-app	tlsr9518adk80d	(read/write)	831004	831004	0	0.0
			bss	72200	72200	0	0.0
			noinit	43488	43488	0	0.0
			text	589642	589640	-2	-0.0

src/credentials/attestation_verifier/DefaultDeviceAttestationVerifier.h

github-actions · 2022-09-06T20:35:46Z

PR #22338: Size comparison from e535710 to 62f8c70

Increases above 0.2%:

platform	target	config	section	`e535710`	`62f8c70`	change	% change
linux	chip-tool	debug	.bss	25272	26072	800	3.2
	chip-tool-ipv6only	arm64	.bss	33313	33937	624	1.9
	tv-app	debug	.bss	167352	168152	800	0.5
	tv-casting-app	debug	(read/write)	160536	160888	352	0.2
			.bss	51352	52120	768	1.5

Increases (10 builds for cc13x2_26x2, esp32, linux, nrfconnect, psoc6, qpg)

platform	target	config	section	`e535710`	`62f8c70`	change	% change
cc13x2_26x2	pump-controller-app	LP_CC2652R7	(read only)	669723	669731	8	0.0
			.text	583616	583624	8	0.0
esp32	all-clusters-app	c3devkit	(read only)	1033856	1033858	2	0.0
			.flash.text	1033856	1033858	2	0.0
linux	chip-tool	debug	(read only)	10945849	10953873	8024	0.1
			(read/write)	657352	657736	384	0.1
			.bss	25272	26072	800	3.2
			.data.rel.ro	622288	622456	168	0.0
			.rodata	569301	570261	960	0.2
			.text	8855732	8862388	6656	0.1
	chip-tool-ipv6only	arm64	(read only)	10320484	10327244	6760	0.1
			(read/write)	705185	705601	416	0.1
			.bss	33313	33937	624	1.9
			.data.rel.ro	649784	649976	192	0.0
			.got	13840	13864	24	0.2
			.rodata	499252	499900	648	0.1
			.text	8168820	`8174324`	5504	0.1
	tv-app	debug	(read only)	`3192969`	`3196033`	3064	0.1
			(read/write)	258040	258392	352	0.1
			.bss	167352	168152	800	0.5
			.data.rel.ro	79368	79520	152	0.2
			.rodata	260328	260552	224	0.1
			.text	2742610	2745090	2480	0.1
	tv-casting-app	debug	(read only)	5511313	5516025	4712	0.1
			(read/write)	160536	160888	352	0.2
			.bss	51352	52120	768	1.5
			.data.rel.ro	100304	100488	184	0.2
			.rodata	345393	345937	544	0.2
			.text	4894018	4897778	3760	0.1
nrfconnect	all-clusters-minimal-app	nrf52840dk_nrf52840	text	803460	803464	4	0.0
psoc6	all-clusters-minimal	cy8ckit_062s2_43012	.debug_info	26452052	26452054	2	0.0
	light	cy8ckit_062s2_43012	.debug_info	21914335	21914336	1	0.0
qpg	lighting-app	qpg6105+debug	(read/write)	1129156	1129164	8	0.0
			.text	576252	576260	8	0.0

Decreases (10 builds for cc13x2_26x2, k32w, linux, psoc6, qpg, telink)

platform	target	config	section	`e535710`	`62f8c70`	change	% change
cc13x2_26x2	pump-controller-app	LP_CC2652R7	(read/write)	172812	172804	-8	-0.0
k32w	lock	k32w0+release	(read/write)	705216	705200	-16	-0.0
			.text	629252	629236	-16	-0.0
linux	chip-tool	debug	.data	3266	2690	-576	-17.6
	chip-tool-ipv6only	arm64	.data	3280	2856	-424	-12.9
	tv-app	debug	.data	4752	4144	-608	-12.8
	tv-casting-app	debug	.data	2432	1824	-608	-25.0
psoc6	lock	cy8ckit_062s2_43012	.debug_info	22294083	22294081	-2	-0.0
qpg	lock-app	qpg6105+debug	(read/write)	1100176	`1100168`	-8	-0.0
			.text	547276	547268	-8	-0.0
telink	light-switch-app	tlsr9518adk80d	(read/write)	809096	809088	-8	-0.0
			text	571518	571516	-2	-0.0
	lighting-app	tlsr9518adk80d	text	589642	589638	-4	-0.0

Full report (45 builds for bl602, cc13x2_26x2, cyw30739, efr32, esp32, k32w, linux, mbed, nrfconnect, psoc6, qpg, telink)

platform	target	config	section	`e535710`	`62f8c70`	change	% change
bl602	lighting-app	bl602	(read/write)	`1410254`	`1410254`	0	0.0
			.bss	121585	121585	0	0.0
			.data	9816	9816	0	0.0
			.text	1065684	1065684	0	0.0
		bl602+rpc	(read/write)	1455450	1455450	0	0.0
			.bss	129017	129017	0	0.0
			.data	10200	10200	0	0.0
			.text	1097032	1097032	0	0.0
cc13x2_26x2	all-clusters-app	LP_CC2652R7	(read only)	675359	675359	0	0.0
			(read/write)	176048	176048	0	0.0
			.bss	74300	74300	0	0.0
			.data	3380	3380	0	0.0
			.rodata	89215	89215	0	0.0
			.text	585832	585832	0	0.0
	all-clusters-minimal-app	LP_CC2652R7	(read only)	640071	640071	0	0.0
			(read/write)	157868	157868	0	0.0
			.bss	73572	73572	0	0.0
			.data	3380	3380	0	0.0
			.rodata	78367	78367	0	0.0
			.text	561384	561384	0	0.0
	lock-ftd	LP_CC2652R7	(read only)	676419	676419	0	0.0
			(read/write)	165300	165300	0	0.0
			.bss	71500	71500	0	0.0
			.data	3304	3304	0	0.0
			.rodata	77067	77067	0	0.0
			.text	598872	598872	0	0.0
	lock-mtd	LP_CC2652R7	(read only)	659379	659379	0	0.0
			(read/write)	178028	178028	0	0.0
			.bss	67188	67188	0	0.0
			.data	3304	3304	0	0.0
			.rodata	102323	102323	0	0.0
			.text	556576	556576	0	0.0
	pump-app	LP_CC2652R7	(read only)	685247	685247	0	0.0
			(read/write)	157176	157176	0	0.0
			.bss	71436	71436	0	0.0
			.data	3296	3296	0	0.0
			.rodata	90079	90079	0	0.0
			.text	594684	594684	0	0.0
	pump-controller-app	LP_CC2652R7	(read only)	669723	669731	8	0.0
			(read/write)	172812	172804	-8	-0.0
			.bss	71548	71548	0	0.0
			.data	3292	3292	0	0.0
			.rodata	85627	85627	0	0.0
			.text	583616	583624	8	0.0
	shell	LP_CC2652R7	(read only)	666010	666010	0	0.0
			(read/write)	180916	180916	0	0.0
			.bss	76620	76620	0	0.0
			.data	3376	3376	0	0.0
			.rodata	85770	85770	0	0.0
			.text	579924	579924	0	0.0
cyw30739	light	cyw930739m2evb_01	(read/write)	586882	586882	0	0.0
			.app_xip_area	463540	463540	0	0.0
			.bss	65776	65776	0	0.0
			.data	744	744	0	0.0
			.rodata	0	0	0	0.0
			.text	112	112	0	0.0
	lock	cyw930739m2evb_01	(read/write)	592634	592634	0	0.0
			.app_xip_area	464508	464508	0	0.0
			.bss	70560	70560	0	0.0
			.data	748	748	0	0.0
			.rodata	0	0	0	0.0
			.text	112	112	0	0.0
	ota-requestor-no-progress-logging	cyw930739m2evb_01	(read/write)	599810	599810	0	0.0
			.app_xip_area	477188	477188	0	0.0
			.bss	65088	65088	0	0.0
			.data	716	716	0	0.0
			.rodata	0	0	0	0.0
			.text	112	112	0	0.0
efr32	lighting-app	BRD4161A	(read/write)	1108544	1108544	0	0.0
			.bss	136332	136332	0	0.0
			.data	2072	2072	0	0.0
			.text	970120	970120	0	0.0
		BRD4161A+rpc	(read/write)	972188	972188	0	0.0
			.bss	150844	150844	0	0.0
			.data	2252	2252	0	0.0
			.text	819072	819072	0	0.0
		BRD4161A+rs911x	(read/write)	1002048	1002048	0	0.0
			.bss	169168	169168	0	0.0
			.data	2064	2064	0	0.0
			.text	830796	830796	0	0.0
	lock-app	BRD4161A+wf200	(read/write)	1150116	1150116	0	0.0
			.bss	152248	152248	0	0.0
			.data	2072	2072	0	0.0
			.text	995776	995776	0	0.0
	window-app	BRD4161A	(read/write)	1099784	1099784	0	0.0
			.bss	137772	137772	0	0.0
			.data	2096	2096	0	0.0
			.text	959896	959896	0	0.0
esp32	all-clusters-app	c3devkit	(read only)	1033856	1033858	2	0.0
			(read/write)	1493494	1493494	0	0.0
			.dram0.bss	71120	71120	0	0.0
			.dram0.data	13696	13696	0	0.0
			.flash.rodata	218008	218008	0	0.0
			.flash.text	1033856	1033858	2	0.0
			.iram0.text	65204	65204	0	0.0
		m5stack	(read only)	1086195	1086195	0	0.0
			(read/write)	490772	490772	0	0.0
			.dram0.bss	76640	76640	0	0.0
			.dram0.data	34152	34152	0	0.0
			.flash.rodata	247312	247312	0	0.0
			.flash.text	1080811	1080811	0	0.0
			.iram0.text	123939	123939	0	0.0
k32w	light	k32w0+release	(read/write)	648204	648204	0	0.0
			.bss	70712	70712	0	0.0
			.data	2068	2068	0	0.0
			.text	572696	572696	0	0.0
	lock	k32w0+release	(read/write)	705216	705200	-16	-0.0
			.bss	71160	71160	0	0.0
			.data	2076	2076	0	0.0
			.text	629252	629236	-16	-0.0
linux	all-clusters-app	debug	(read only)	3046409	3046409	0	0.0
			(read/write)	156064	156064	0	0.0
			.bss	61824	61824	0	0.0
			.data	2096	2096	0	0.0
			.data.rel.ro	85768	85768	0	0.0
			.dynamic	608	608	0	0.0
			.got	4568	4568	0	0.0
			.init	27	27	0	0.0
			.init_array	1176	1176	0	0.0
			.rodata	275659	275659	0	0.0
			.text	2591314	2591314	0	0.0
	all-clusters-minimal-app	debug	(read only)	2882273	2882273	0	0.0
			(read/write)	147664	147664	0	0.0
			.bss	61056	61056	0	0.0
			.data	2064	2064	0	0.0
			.data.rel.ro	78264	78264	0	0.0
			.dynamic	608	608	0	0.0
			.got	4488	4488	0	0.0
			.init	27	27	0	0.0
			.init_array	1160	1160	0	0.0
			.rodata	275883	275883	0	0.0
			.text	2429730	2429730	0	0.0
	bridge-app	debug+rpc	(read only)	2379977	2379977	0	0.0
			(read/write)	127752	127752	0	0.0
			.bss	50656	50656	0	0.0
			.data	3600	3600	0	0.0
			.data.rel.ro	67640	67640	0	0.0
			.dynamic	608	608	0	0.0
			.got	4392	4392	0	0.0
			.init	27	27	0	0.0
			.init_array	832	832	0	0.0
			.rodata	204488	204488	0	0.0
			.text	`2012578`	`2012578`	0	0.0
	chip-tool	debug	(read only)	10945849	10953873	8024	0.1
			(read/write)	657352	657736	384	0.1
			.bss	25272	26072	800	3.2
			.data	3266	2690	-576	-17.6
			.data.rel.ro	622288	622456	168	0.0
			.dynamic	608	608	0	0.0
			.got	5096	5096	0	0.0
			.init	27	27	0	0.0
			.init_array	776	776	0	0.0
			.rodata	569301	570261	960	0.2
			.text	8855732	8862388	6656	0.1
	chip-tool-ipv6only	arm64	(read only)	10320484	10327244	6760	0.1
			(read/write)	705185	705601	416	0.1
			.bss	33313	33937	624	1.9
			.data	3280	2856	-424	-12.9
			.data.rel.ro	649784	649976	192	0.0
			.dynamic	560	560	0	0.0
			.got	13840	13864	24	0.2
			.init	24	24	0	0.0
			.init_array	200	200	0	0.0
			.rodata	499252	499900	648	0.1
			.text	8168820	`8174324`	5504	0.1
	lighting-app	debug+rpc	(read only)	2605401	2605401	0	0.0
			(read/write)	130536	130536	0	0.0
			.bss	49792	49792	0	0.0
			.data	2096	2096	0	0.0
			.data.rel.ro	72680	72680	0	0.0
			.dynamic	608	608	0	0.0
			.got	4392	4392	0	0.0
			.init	27	27	0	0.0
			.init_array	928	928	0	0.0
			.rodata	221328	221328	0	0.0
			.text	2212882	2212882	0	0.0
	lock-app	debug	(read only)	2588385	2588385	0	0.0
			(read/write)	125712	125712	0	0.0
			.bss	48288	48288	0	0.0
			.data	1712	1712	0	0.0
			.data.rel.ro	69688	69688	0	0.0
			.dynamic	608	608	0	0.0
			.got	4464	4464	0	0.0
			.init	27	27	0	0.0
			.init_array	904	904	0	0.0
			.rodata	238320	238320	0	0.0
			.text	2183122	2183122	0	0.0
	ota-provider-app	debug	(read only)	2365657	2365657	0	0.0
			(read/write)	119144	119144	0	0.0
			.bss	47808	47808	0	0.0
			.data	1936	1936	0	0.0
			.data.rel.ro	63512	63512	0	0.0
			.dynamic	608	608	0	0.0
			.got	4488	4488	0	0.0
			.init	27	27	0	0.0
			.init_array	768	768	0	0.0
			.rodata	210328	210328	0	0.0
			.text	1991570	1991570	0	0.0
	ota-requestor-app	debug	(read only)	2530969	2530969	0	0.0
			(read/write)	127552	127552	0	0.0
			.bss	50368	50368	0	0.0
			.data	2304	2304	0	0.0
			.data.rel.ro	68920	68920	0	0.0
			.dynamic	608	608	0	0.0
			.got	4480	4480	0	0.0
			.init	27	27	0	0.0
			.init_array	856	856	0	0.0
			.rodata	217120	217120	0	0.0
			.text	2140946	2140946	0	0.0
	shell	debug	(read only)	2614713	2614713	0	0.0
			(read/write)	142184	142184	0	0.0
			.bss	57704	57704	0	0.0
			.data	1264	1264	0	0.0
			.data.rel.ro	77376	77376	0	0.0
			.dynamic	608	608	0	0.0
			.got	4136	4136	0	0.0
			.init	27	27	0	0.0
			.init_array	1048	1048	0	0.0
			.rodata	235762	235762	0	0.0
			.text	2220242	2220242	0	0.0
	thermostat-no-ble	arm64	(read only)	2364132	2364132	0	0.0
			(read/write)	141857	141857	0	0.0
			.bss	55233	55233	0	0.0
			.data	1680	1680	0	0.0
			.data.rel.ro	76112	76112	0	0.0
			.dynamic	560	560	0	0.0
			.got	5056	5056	0	0.0
			.init	24	24	0	0.0
			.init_array	416	416	0	0.0
			.rodata	141324	141324	0	0.0
			.text	1984768	1984768	0	0.0
	tv-app	debug	(read only)	`3192969`	`3196033`	3064	0.1
			(read/write)	258040	258392	352	0.1
			.bss	167352	168152	800	0.5
			.data	4752	4144	-608	-12.8
			.data.rel.ro	79368	79520	152	0.2
			.dynamic	608	608	0	0.0
			.got	4856	4856	0	0.0
			.init	27	27	0	0.0
			.init_array	1080	1080	0	0.0
			.rodata	260328	260552	224	0.1
			.text	2742610	2745090	2480	0.1
	tv-casting-app	debug	(read only)	5511313	5516025	4712	0.1
			(read/write)	160536	160888	352	0.2
			.bss	51352	52120	768	1.5
			.data	2432	1824	-608	-25.0
			.data.rel.ro	100304	100488	184	0.2
			.dynamic	608	608	0	0.0
			.got	4776	4776	0	0.0
			.init	27	27	0	0.0
			.init_array	1048	1048	0	0.0
			.rodata	345393	345937	544	0.2
			.text	4894018	4897778	3760	0.1
mbed	lock-app	CY8CPROTO_062_4343W+release	(read only)	6224	6224	0	0.0
			(read/write)	`2455032`	`2455032`	0	0.0
			.bss	215044	215044	0	0.0
			.data	5872	5872	0	0.0
			.text	1417676	1417676	0	0.0
nrfconnect	all-clusters-app	nrf52840dk_nrf52840	(read/write)	1181199	1181199	0	0.0
			bss	143641	143641	0	0.0
			rodata	143552	143552	0	0.0
			text	815072	815072	0	0.0
	all-clusters-minimal-app	nrf52840dk_nrf52840	(read/write)	1160395	1160395	0	0.0
			bss	142868	142868	0	0.0
			rodata	135140	135140	0	0.0
			text	803460	803464	4	0.0
psoc6	all-clusters	cy8ckit_062s2_43012	(read only)	841960	841960	0	0.0
			(read/write)	1742548	1742548	0	0.0
			.ARM.attributes	46	46	0	0.0
			.ARM.exidx	8	8	0	0.0
			.bss	188720	188720	0	0.0
			.comment	204	204	0	0.0
			.copy.table	24	24	0	0.0
			.cy_m0p_image	6216	6216	0	0.0
			.cy_sharedmem	8	8	0	0.0
			.data	2664	2664	0	0.0
			.debug_abbrev	1221471	1221471	0	0.0
			.debug_aranges	111728	111728	0	0.0
			.debug_frame	372964	372964	0	0.0
			.debug_info	26715430	26715430	0	0.0
			.debug_line	3657437	3657437	0	0.0
			.debug_loc	3573305	3573305	0	0.0
			.debug_ranges	338440	338440	0	0.0
			.debug_str	3427396	3427396	0	0.0
			.heap	841960	841960	0	0.0
			.noinit	148	148	0	0.0
			.ramVectors	736	736	0	0.0
			.shstrtab	288	288	0	0.0
			.stab	156	156	0	0.0
			.stabstr	335	335	0	0.0
			.stack_dummy	4096	4096	0	0.0
			.strtab	570587	570587	0	0.0
			.symtab	421456	421456	0	0.0
			.text	1542776	1542776	0	0.0
			.zero.table	8	8	0	0.0
			text	0	0	0	0.0
	all-clusters-minimal	cy8ckit_062s2_43012	(read only)	842696	842696	0	0.0
			(read/write)	1685748	1685748	0	0.0
			.ARM.attributes	46	46	0	0.0
			.ARM.exidx	8	8	0	0.0
			.bss	187984	187984	0	0.0
			.comment	204	204	0	0.0
			.copy.table	24	24	0	0.0
			.cy_m0p_image	6216	6216	0	0.0
			.cy_sharedmem	8	8	0	0.0
			.data	2664	2664	0	0.0
			.debug_abbrev	1213310	1213310	0	0.0
			.debug_aranges	111200	111200	0	0.0
			.debug_frame	376044	376044	0	0.0
			.debug_info	26452052	26452054	2	0.0
			.debug_line	3677953	3677953	0	0.0
			.debug_loc	3560942	3560942	0	0.0
			.debug_ranges	337056	337056	0	0.0
			.debug_str	3416401	3416401	0	0.0
			.heap	842696	842696	0	0.0
			.noinit	148	148	0	0.0
			.ramVectors	736	736	0	0.0
			.shstrtab	288	288	0	0.0
			.stab	156	156	0	0.0
			.stabstr	335	335	0	0.0
			.stack_dummy	4096	4096	0	0.0
			.strtab	535061	535061	0	0.0
			.symtab	408048	408048	0	0.0
			.text	1486712	1486712	0	0.0
			.zero.table	0	0	0	0.0
				8	8	0	0.0
	light	cy8ckit_062s2_43012	(read only)	850928	850928	0	0.0
			(read/write)	1603020	1603020	0	0.0
			.ARM.attributes	46	46	0	0.0
			.ARM.exidx	8	8	0	0.0
			.bss	179960	179960	0	0.0
			.comment	204	204	0	0.0
			.copy.table	24	24	0	0.0
			.cy_m0p_image	6216	6216	0	0.0
			.cy_sharedmem	8	8	0	0.0
			.data	2456	2456	0	0.0
			.debug_abbrev	`1048129`	`1048129`	0	0.0
			.debug_aranges	103376	103376	0	0.0
			.debug_frame	346312	346312	0	0.0
			.debug_info	21914335	21914336	1	0.0
			.debug_line	3248418	3248418	0	0.0
			.debug_loc	3259284	3259284	0	0.0
			.debug_ranges	302528	302528	0	0.0
			.debug_str	3221667	3221667	0	0.0
			.heap	850928	850928	0	0.0
			.noinit	148	148	0	0.0
			.ramVectors	736	736	0	0.0
			.shstrtab	288	288	0	0.0
			.stab	156	156	0	0.0
			.stabstr	335	335	0	0.0
			.stack_dummy	4096	4096	0	0.0
			.strtab	468360	468360	0	0.0
			.symtab	375136	375136	0	0.0
			.text	1412216	1412216	0	0.0
			.zero.table	0	0	0	0.0
				8	8	0	0.0
	lock	cy8ckit_062s2_43012	(read only)	845896	845896	0	0.0
			(read/write)	1640708	1640708	0	0.0
			.ARM.attributes	46	46	0	0.0
			.ARM.exidx	8	8	0	0.0
			.bss	184976	184976	0	0.0
			.comment	204	204	0	0.0
			.copy.table	24	24	0	0.0
			.cy_m0p_image	6216	6216	0	0.0
			.cy_sharedmem	8	8	0	0.0
			.data	2472	2472	0	0.0
			.debug_abbrev	1055564	1055564	0	0.0
			.debug_aranges	104048	104048	0	0.0
			.debug_frame	349140	349140	0	0.0
			.debug_info	22294083	22294081	-2	-0.0
			.debug_line	`3257239`	`3257239`	0	0.0
			.debug_loc	3299137	3299137	0	0.0
			.debug_ranges	305872	305872	0	0.0
			.debug_str	3249088	3249088	0	0.0
			.heap	845896	845896	0	0.0
			.noinit	148	148	0	0.0
			.ramVectors	736	736	0	0.0
			.shstrtab	288	288	0	0.0
			.stab	156	156	0	0.0
			.stabstr	335	335	0	0.0
			.stack_dummy	4096	4096	0	0.0
			.strtab	474563	474563	0	0.0
			.symtab	378320	378320	0	0.0
			.text	1444872	1444872	0	0.0
			.zero.table	0	0	0	0.0
				8	8	0	0.0
qpg	lighting-app	qpg6105+debug	(read/write)	1129156	1129164	8	0.0
			.bss	106112	106112	0	0.0
			.data	1028	1028	0	0.0
			.text	576252	576260	8	0.0
	lock-app	qpg6105+debug	(read/write)	1100176	`1100168`	-8	-0.0
			.bss	102344	102344	0	0.0
			.data	1032	1032	0	0.0
			.text	547276	547268	-8	-0.0
telink	light-switch-app	tlsr9518adk80d	(read/write)	809096	809088	-8	-0.0
			bss	71344	71344	0	0.0
			noinit	43488	43488	0	0.0
			text	571518	571516	-2	-0.0
	lighting-app	tlsr9518adk80d	(read/write)	831004	831004	0	0.0
			bss	72200	72200	0	0.0
			noinit	43488	43488	0	0.0
			text	589642	589638	-4	-0.0

emargolis · 2022-09-07T01:23:08Z

src/credentials/attestation_verifier/DefaultDeviceAttestationVerifier.cpp

@@ -166,6 +165,9 @@ void DefaultDACVerifier::VerifyAttestationInformation(const DeviceAttestationVer
    VerifyOrExit(info.attestationElementsBuffer.size() <= kMaxResponseLength,
                 attestationError = AttestationVerificationResult::kInvalidArgument);

+    // Ensure PAI is present


If you are adding this check here for PAI then it also makes sense to add it for DAC and PAA. Regardless, the ExtractVIDPIDFromX509Cert() calls below should return errors in this case.

emargolis · 2022-09-07T02:01:25Z

src/credentials/attestation_verifier/DefaultDeviceAttestationVerifier.cpp

+
+CHIP_ERROR CsaCdKeysTrustStore::AddTrustedKey(const ByteSpan & derCertBytes)
+{
+    // TODO: Verify cert against CD root of trust (i.e. verify signatures). To do so,


Interesting that we do the check here but not in the AddTrustedKey(const ByteSpan & kid, const Crypto::P256PublicKey & pubKey) method above. Is that a loophole to bypass security?

emargolis · 2022-09-07T02:08:12Z

src/credentials/attestation_verifier/DeviceAttestationVerifier.h

+     * @returns CHIP_NO_ERROR on success, CHIP_INVALID_ARGUMENT if `kid` or `pubKey` arguments
+     *          are not usable, CHIP_ERROR_KEY_NOT_FOUND if no key is found that matches `kid`.
+     */
+    virtual CHIP_ERROR LookupVerifyingKey(const ByteSpan & kid, Crypto::P256PublicKey & outPubKey) const = 0;


Suggested change

virtual CHIP_ERROR LookupVerifyingKey(const ByteSpan & kid, Crypto::P256PublicKey & outPubKey) const = 0;

virtual CHIP_ERROR LookupCdVerifyingKey(const ByteSpan & kid, Crypto::P256PublicKey & outPubKey) const = 0;

Otherwise, it is not very clear if the method is looking for the CD Signing Cert or CD Root of Trust.

emargolis · 2022-09-07T02:26:07Z

src/credentials/attestation_verifier/DefaultDeviceAttestationVerifier.cpp

+    return CHIP_NO_ERROR;
+}
+
+CHIP_ERROR CsaCdKeysTrustStore::AddTrustedKey(const ByteSpan & derCertBytes)


Suggested change

CHIP_ERROR CsaCdKeysTrustStore::AddTrustedKey(const ByteSpan & derCertBytes)

CHIP_ERROR CsaCdKeysTrustStore::AddCdSigningKey(const ByteSpan & derCertBytes)

Was thinking that it is clearer. Also, terms CdSigningKey and CdVerifyingKey are synonyms - maybe stick with only one of them.

emargolis · 2022-09-07T02:32:22Z

src/credentials/attestation_verifier/DefaultDeviceAttestationVerifier.cpp

+}
+
+CHIP_ERROR CsaCdKeysTrustStore::AddTrustedKey(const ByteSpan & derCertBytes)
+{


Where CD root of trust is stored? Is it one of the certificates in the PAA Trust Store?

…ing keys and use it in darwin (project-chip#22338) * Add AttestationTrustStore::GetCertificationDeclarationCert virtual method to allow controllers passing in some CD certs * Add cdCerts member to MTRControllerFactoryparams and override AttestationTrustStore::GetCertificationDeclarationCert * Implement ArrayTrustStore::GetCertificationDeclarationSigningKey and initialize the test ArrayTrustStore store with the test CD cert * Update the FileAttestationTrustStore to read a directory with der certs for certification declaration verification * Add credentials/development/cd-certs/ and update chip-tool to use it if desired * Update API to match conversation - Remove CD stuff from FileAttestationTrustStore - Refactor FileAttestationTrustStore to allow loading of any X.509 cert directory - Add a command line to chip-tool to disallow test keys (`only-allow-trusted-cd-keys`) - Add plumbing to enable CD keys lookup properly without mixing-up with PAA semantics - Add official CD verifying key and official SDK CD test key in the default CD trust store as-is * Update src/darwin to take into account the proposed changes * Add unit test for `CsaCdKeysTrustStore` Co-authored-by: Tennessee Carmel-Veilleux <tennessee.carmelveilleux@gmail.com>

…ntation (#23239) * Add missing pthread header (#22833) * [build] Fix #21255 - allow circular initialization of SimpleStateMachine test. (#22461) * [build] Fix #21255 - allow circular initialization of SimpleStateMachine test. * [build] Add comment per review feedback. * [Darwin][AttestationVerifier] Expose a mechanism to customise cd signing keys and use it in darwin (#22338) * Add AttestationTrustStore::GetCertificationDeclarationCert virtual method to allow controllers passing in some CD certs * Add cdCerts member to MTRControllerFactoryparams and override AttestationTrustStore::GetCertificationDeclarationCert * Implement ArrayTrustStore::GetCertificationDeclarationSigningKey and initialize the test ArrayTrustStore store with the test CD cert * Update the FileAttestationTrustStore to read a directory with der certs for certification declaration verification * Add credentials/development/cd-certs/ and update chip-tool to use it if desired * Update API to match conversation - Remove CD stuff from FileAttestationTrustStore - Refactor FileAttestationTrustStore to allow loading of any X.509 cert directory - Add a command line to chip-tool to disallow test keys (`only-allow-trusted-cd-keys`) - Add plumbing to enable CD keys lookup properly without mixing-up with PAA semantics - Add official CD verifying key and official SDK CD test key in the default CD trust store as-is * Update src/darwin to take into account the proposed changes * Add unit test for `CsaCdKeysTrustStore` Co-authored-by: Tennessee Carmel-Veilleux <tennessee.carmelveilleux@gmail.com> * [Attestation] Updated to Use CD Signed by a Valid CSA Cert (#22685) * Updated CSA Official CD Signing Certificates (#23027) * restyled. * Remove fixed versioning for git in cirque (#23257) Co-authored-by: Gene Harvey <gene.harvey@smartthings.com> Co-authored-by: Martin Turon <mturon@google.com> Co-authored-by: Vivien Nicolas <vnicolas@apple.com> Co-authored-by: Tennessee Carmel-Veilleux <tennessee.carmelveilleux@gmail.com> Co-authored-by: Andrei Litvin <andy314@gmail.com>

vivien-apple self-assigned this Sep 1, 2022

github-actions bot added the darwin label Sep 1, 2022

vivien-apple requested a review from andy31415 September 2, 2022 09:59

vivien-apple force-pushed the Darwin_ExposeAMechanismToCustomizeCDSigningKeys branch from 10de793 to e10cc58 Compare September 2, 2022 10:12

bzbarsky-apple approved these changes Sep 2, 2022

View reviewed changes

src/credentials/attestation_verifier/FileAttestationTrustStore.h Outdated Show resolved Hide resolved

vivien-apple force-pushed the Darwin_ExposeAMechanismToCustomizeCDSigningKeys branch from e10cc58 to 6f8c4b1 Compare September 5, 2022 07:48

tcarmelveilleux requested changes Sep 6, 2022

View reviewed changes

vivien-apple and others added 7 commits September 6, 2022 17:37

Add AttestationTrustStore::GetCertificationDeclarationCert virtual me…

29c01ee

…thod to allow controllers passing in some CD certs

Add cdCerts member to MTRControllerFactoryparams and override Attesta…

88fdd34

…tionTrustStore::GetCertificationDeclarationCert

Implement ArrayTrustStore::GetCertificationDeclarationSigningKey and …

edc8b20

…initialize the test ArrayTrustStore store with the test CD cert

Update the FileAttestationTrustStore to read a directory with der cer…

d91f683

…ts for certification declaration verification

Add credentials/development/cd-certs/ and update chip-tool to use it …

587f9b9

…if desired

Update src/darwin to take into account the proposed changes

a9e5662

vivien-apple force-pushed the Darwin_ExposeAMechanismToCustomizeCDSigningKeys branch from 6f8c4b1 to a9e5662 Compare September 6, 2022 17:43

github-actions bot added core lib labels Sep 6, 2022

Add unit test for CsaCdKeysTrustStore

51d87e3

tcarmelveilleux reviewed Sep 6, 2022

View reviewed changes

src/credentials/attestation_verifier/DefaultDeviceAttestationVerifier.h Show resolved Hide resolved

tcarmelveilleux approved these changes Sep 6, 2022

View reviewed changes

pullapprove bot added review - approved and removed review - pending labels Sep 6, 2022

Merge pull request #8 from tcarmelveilleux/add-cd-store-unit-test

62f8c70

woody-apple mentioned this pull request Sep 7, 2022

We have to implement in Linux chip-tool as well #22439

Closed

woody-apple merged commit e06d1bc into project-chip:master Sep 7, 2022

emargolis reviewed Sep 7, 2022

View reviewed changes

emargolis mentioned this pull request Oct 17, 2022

[SVE2] Cherry Pick Matter Official CDs and CD Trusted Storage Implementation #23239

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Darwin][AttestationVerifier] Expose a mechanism to customise cd signing keys and use it in darwin #22338

[Darwin][AttestationVerifier] Expose a mechanism to customise cd signing keys and use it in darwin #22338

vivien-apple commented Sep 1, 2022

tcarmelveilleux left a comment

github-actions bot commented Sep 6, 2022 •

edited

Loading

github-actions bot commented Sep 6, 2022 •

edited

Loading

emargolis Sep 7, 2022

emargolis Sep 7, 2022

emargolis Sep 7, 2022

emargolis Sep 7, 2022

emargolis Sep 7, 2022

	virtual CHIP_ERROR LookupVerifyingKey(const ByteSpan & kid, Crypto::P256PublicKey & outPubKey) const = 0;
	virtual CHIP_ERROR LookupCdVerifyingKey(const ByteSpan & kid, Crypto::P256PublicKey & outPubKey) const = 0;

	CHIP_ERROR CsaCdKeysTrustStore::AddTrustedKey(const ByteSpan & derCertBytes)
	CHIP_ERROR CsaCdKeysTrustStore::AddCdSigningKey(const ByteSpan & derCertBytes)

[Darwin][AttestationVerifier] Expose a mechanism to customise cd signing keys and use it in darwin #22338

[Darwin][AttestationVerifier] Expose a mechanism to customise cd signing keys and use it in darwin #22338

Conversation

vivien-apple commented Sep 1, 2022

Problem

Change overview

Testing

tcarmelveilleux left a comment

Choose a reason for hiding this comment

github-actions bot commented Sep 6, 2022 • edited Loading

github-actions bot commented Sep 6, 2022 • edited Loading

emargolis Sep 7, 2022

Choose a reason for hiding this comment

emargolis Sep 7, 2022

Choose a reason for hiding this comment

emargolis Sep 7, 2022

Choose a reason for hiding this comment

emargolis Sep 7, 2022

Choose a reason for hiding this comment

emargolis Sep 7, 2022

Choose a reason for hiding this comment

github-actions bot commented Sep 6, 2022 •

edited

Loading

github-actions bot commented Sep 6, 2022 •

edited

Loading