[bouffalo lab] update scripts and documents to support more options t… (
project-chip#37454)

* [bouffalo lab] update scripts and documents to support more options to generate and download test mfd

* Restyled by prettier-markdown

* Restyled by autopep8

* Restyled by isort

* Restyled by prettier-markdown

---------

Co-authored-by: Restyled.io <commits@restyled.io>
wy-hh and restyled-commits authored Feb 11, 2025
1 parent 63f9782 commit cb137f0
Showing 5 changed files with 264 additions and 71 deletions.
18 changes: 14 additions & 4 deletions docs/platforms/bouffalolab/getting_started.md
Expand Up @@ -17,24 +17,34 @@ git clone --recurse-submodules https://github.com/project-chip/connectedhomeip.g
git clone --depth=1 https://github.com/project-chip/connectedhomeip.git
```
- check out `Bouffalo Lab` platform support repos as follows:
- Check out necessary submodules
Checkout `BL_IOT_SDK` for `BL602`, `BL702` and `BL702L` platform:
```
./scripts/checkout_submodules.py --shallow --recursive --platform bouffalolab
```
Checkout `bouffalo_sdk` for `BL616` platform:
```
scripts/checkout_submodules.py --shallow --recursive --platform bouffalolab
./scripts/checkout_submodules.py --shallow --recursive --platform bouffalo_sdk
```
> Please contact `Bouffalo Lab` for `BL616` SDK access.
If you want to checkout Matter Linux example and development tools, please
try as follows:
```
scripts/checkout_submodules.py --shallow --recursive --platform linux bouffalolab
./scripts/checkout_submodules.py --shallow --recursive --platform linux bouffalolab
```
Or if you want to checkout Matter Darwin example and development tools,
please try as follows:
```
scripts/checkout_submodules.py --shallow --recursive --platform darwin bouffalolab
./scripts/checkout_submodules.py --shallow --recursive --platform darwin bouffalolab
```
# Setup build environment
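Review bot: The Linux and Darwin commands at the end of this hunk still pass only `bouffalolab` next to `linux`/`darwin`, so a BL616 developer who copies them never fetches `bouffalo_sdk`. Add a sentence saying to use `bouffalo_sdk` in place of (or in addition to) `bouffalolab` for BL616, and word the two new lead-ins as "Check out" to match the "Check out necessary submodules" bullet above them.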
140 changes: 116 additions & 24 deletions docs/platforms/bouffalolab/matter_factory_data.md
Expand Up @@ -71,7 +71,7 @@ Script tool
call `chip-cert` to generate test certificates and verify certificates.

Please run below command to compile `chip-cert` tool under `connnectedhomeip`
repo.
repo for Linux platform.

```shell
./scripts/build/build_examples.py --target linux-x64-chip-cert build
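Review bot: The context line directly above the changed one still spells the repo name `connnectedhomeip` with three n's; since this hunk rewraps that sentence, correct it to `connectedhomeip` in the same change.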
Expand Down Expand Up @@ -111,24 +111,47 @@ repo.

Please reference to `--help` for more detail.

## Generate with default test certificates
## Generate with default configuration

- Run following command to generate all plain text factory data
- Default setting uses the following parameters

- PAI certification:
[test PAI certification](../../../credentials/test/attestation/Chip-Test-PAI-FFF1-8000-Key.pem)

- Vendor ID for DAC: 0xFFF1; Vendor ID for CD: 0x130d

- Product ID for DAC: 0x8000, Product ID for CD: 0x1001

* Run following command to generate all plain text factory data

Please create output folder first. Here takes `out/test-cert` as example.

```shell
./scripts/tools/bouffalolab/generate_factory_data.py --output out/test-cert
```

- Run following command to generate factory data which encrypt private of
- Check DAC certificate. Here takes `out_130d_1001_106_dac_cert.pem` as
generated test certificate.

```shell
openssl x509 -noout -text -in out/test-cert/out_130d_1001_106_dac_cert.pem
```

- Check Certification Declare. Here takes `out_130d_1001_cd.der` as
generated test certificate.

```shell
./out/linux-x64-chip-cert/chip-cert print-cd out/test-cert/out_130d_1001_cd.der
```

* Run following command to generate factory data which encrypt private of
device attestation data

```shell
./scripts/tools/bouffalolab/generate_factory_data.py --output out/test-cert --key <hex string of 16 bytes>
```

> An example of hex string of 16 bytes: 12345678123456781234567812345678
> An example of hex string of 16 bytes: 12345678123456781234567812345678.

After command executes successfully, the output folder will has files as below:
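Review bot: The new defaults list gives the DAC a vendor ID of 0xFFF1 and a product ID of 0x8000, yet the DAC file used in the check step is `out_130d_1001_106_dac_cert.pem`, which carries the CD IDs. State which IDs and which trailing number the output file names are built from, so readers can locate their own file rather than copying `106`. The step also asks the reader to create the output folder first without showing the command, "Certification Declare" should read "Certification Declaration", and "encrypt private of device attestation data" is missing the word "key".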

Expand All @@ -153,20 +176,26 @@ After command executes successfully, the output folder will has files as below:
Self-defined PAA/PAI certificates may use in development and test scenario. But,
user should know it has limit to work with real ecosystem.

- Export environment variables in terminal for easy operations
- Export environment variables in terminal for certificates generation

```
export TEST_CERT_VENDOR_ID=130D # Vendor ID hex string
export TEST_CERT_CN=BFLB # Common Name
export TEST_CERT_VENDOR_ID=130D # Vendor ID hex string
export TEST_CERT_PRODUCT_ID=1001 # Product ID hex string
export TEST_CERT_CN=BFLB # Common Name
```

- Generate PAA certificate and key to `out/cert` folder.

```shell
mkdir out/test-cert
./out/linux-x64-chip-cert/chip-cert gen-att-cert --type a --subject-cn "${TEST_CERT_CN} PAA 01" --valid-from "2020-10-15 14:23:43" --lifetime 7305 --out-key out/test-cert/Chip-PAA-Key-${TEST_CERT_VENDOR_ID}.pem --out out/test-cert/Chip-PAA-Cert-${TEST_CERT_VENDOR_ID}.pem --subject-vid ${TEST_CERT_VENDOR_ID}
```

- Check PAA certificate

```shell
openssl x509 -noout -text -in out/test-cert/Chip-PAA-Cert-${TEST_CERT_VENDOR_ID}.pem
```

- Convert PAA PEM format file to PAA DER format file

```shell
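Review bot: The bullet "Generate PAA certificate and key to `out/cert` folder" does not match the commands under it, which all write to `out/test-cert`; change the bullet to `out/test-cert`. `mkdir out/test-cert` fails if the reader already created that folder in the default-configuration section, so `mkdir -p` is safer, and the fence of the `export` block lacks the `shell` tag the other blocks use.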
Expand All @@ -182,14 +211,84 @@ user should know it has limit to work with real ecosystem.
./out/linux-x64-chip-cert/chip-cert gen-att-cert --type i --subject-cn "${TEST_CERT_CN} PAI 01" --subject-vid ${TEST_CERT_VENDOR_ID} --valid-from "2020-10-15 14:23:43" --lifetime 7305 --ca-key out/test-cert/Chip-PAA-Key-${TEST_CERT_VENDOR_ID}.pem --ca-cert out/test-cert/Chip-PAA-Cert-${TEST_CERT_VENDOR_ID}.pem --out-key out/test-cert/Chip-PAI-Key-${TEST_CERT_VENDOR_ID}.pem --out out/test-cert/Chip-PAI-Cert-${TEST_CERT_VENDOR_ID}.pem
```

- Generate `MFD` in plain text data
- Check PAI certificate

```shell
./scripts/tools/bouffalolab/generate_factory_data.py --output out/test-cert --paa_cert out/test-cert/Chip-PAA-Cert-${TEST_CERT_VENDOR_ID}.pem --paa_key out/test-cert/Chip-PAA-Key-${TEST_CERT_VENDOR_ID}.pem --pai_cert out/test-cert/Chip-PAI-Cert-${TEST_CERT_VENDOR_ID}.pem --pai_key out/test-cert/Chip-PAI-Key-${TEST_CERT_VENDOR_ID}.pem
```
```shell
openssl x509 -noout -text -in out/test-cert/Chip-PAI-Cert-${TEST_CERT_VENDOR_ID}.pem
```

> Appending `--key <hex string of 16 bytes>` option to enable encrypt
> private key of attestation device data.
- Generate `MFD` in plain text data with same VID/PID in DAC and CD

- Use same environment variables `TEST_CERT_VENDOR_ID` and
`TEST_CERT_PRODUCT_ID` for CD.

```shell
./scripts/tools/bouffalolab/generate_factory_data.py --output out/test-cert --paa_cert out/test-cert/Chip-PAA-Cert-${TEST_CERT_VENDOR_ID}.pem --paa_key out/test-cert/Chip-PAA-Key-${TEST_CERT_VENDOR_ID}.pem --pai_cert out/test-cert/Chip-PAI-Cert-${TEST_CERT_VENDOR_ID}.pem --pai_key out/test-cert/Chip-PAI-Key-${TEST_CERT_VENDOR_ID}.pem --dac_pid 0x${TEST_CERT_PRODUCT_ID} --vendor_id 0x${TEST_CERT_VENDOR_ID} --product_id 0x${TEST_CERT_PRODUCT_ID}
```

> Appending `--key <hex string of 16 bytes>` option to enable encrypt
> private key of attestation device data.

- Check DAC certificate. Here takes `out_130d_1001_1349_dac_cert.pem` as
generated test certification.

```shell
openssl x509 -noout -text -in out/test-cert/out_130d_1001_1349_dac_cert.pem
```

- Check PAA/PAI/DAC certificate chain.

```shell
./out/linux-x64-chip-cert/chip-cert validate-att-cert --dac out/test-cert/out_130d_1001_1349_dac_cert.pem --pai out/test-cert/Chip-PAI-Cert-${TEST_CERT_VENDOR_ID}.pem --paa out/test-cert/Chip-PAA-Cert-${TEST_CERT_VENDOR_ID}.pem
```

- Check Certification Declare. Here takes `out_130d_1001_cd.der` as
generated test certification.

```shell
./out/linux-x64-chip-cert/chip-cert print-cd out/test-cert/out_130d_1001_cd.der
```

- Generate `MFD` in plain text data with different VID/PID in DAC and CD

- Export vendor ID and product ID for CD

```shell
export TEST_CD_VENDOR_ID=730D # Vendor ID hex string
export TEST_CD_PRODUCT_ID=7001 # Product ID hex string
```

- Run script to generate DAC/CD and `MFD`.

```shell
./scripts/tools/bouffalolab/generate_factory_data.py --output out/test-cert --paa_cert out/test-cert/Chip-PAA-Cert-${TEST_CERT_VENDOR_ID}.pem --paa_key out/test-cert/Chip-PAA-Key-${TEST_CERT_VENDOR_ID}.pem --pai_cert out/test-cert/Chip-PAI-Cert-${TEST_CERT_VENDOR_ID}.pem --pai_key out/test-cert/Chip-PAI-Key-${TEST_CERT_VENDOR_ID}.pem --dac_pid 0x${TEST_CERT_PRODUCT_ID} --vendor_id 0x${TEST_CD_VENDOR_ID} --product_id 0x${TEST_CD_PRODUCT_ID}
```

> Appending `--key <hex string of 16 bytes>` option to enable encrypt
> private key of attestation device data.
>
> Please use --`vendor_name` and `--product_name` to change vendor name
> and product name.

- Check DAC certificate. Here takes `out_130d_1001_1349_dac_cert.pem` as
generated test certification.

```shell
openssl x509 -noout -text -in out/test-cert/out_130d_1001_1349_dac_cert.pem
```

- Check PAA/PAI/DAC certificate chain.

```shell
./out/linux-x64-chip-cert/chip-cert validate-att-cert --dac out/test-cert/out_130d_1001_1349_dac_cert.pem --pai out/test-cert/Chip-PAI-Cert-${TEST_CERT_VENDOR_ID}.pem --paa out/test-cert/Chip-PAA-Cert-${TEST_CERT_VENDOR_ID}.pem
```

- Check Certification Declare. Here takes `out_730D_7001_cd.der` as
generated test certification.

```shell
./out/linux-x64-chip-cert/chip-cert print-cd out/test-cert/out_130d_1001_cd.der
```

## Generate with self-defined DAC certificate and key
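Review bot: In the "different VID/PID" steps, the last check says the generated CD is `out_730D_7001_cd.der` but the command prints `out/test-cert/out_130d_1001_cd.der`, so it shows the CD left over from the previous section or fails on a clean folder. Point the command at the 730D/7001 file, using the letter case the script actually writes. The DAC file name in that sub-section is also still `out_130d_1001_1349_dac_cert.pem`; confirm that is the name produced when the CD IDs differ. In the note just above, the `vendor_name` option is written with its leading `--` outside the backticks.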

Expand All @@ -200,14 +299,14 @@ user should know it has limit to work with real ecosystem.

```
export TEST_CERT_VENDOR_ID=130D # Vendor ID hex string
export TEST_CERT_PRODUCT_ID=1001 # Vendor ID hex string
export TEST_CERT_PRODUCT_ID=1001 # Product ID hex string
export TEST_CERT_CN=BFLB # Common Name
```

- Generate DAC certificate and key

```shell
out/linux-x64-chip-cert/chip-cert gen-att-cert --type d --subject-cn "${TEST_CERT_CN} PAI 01" --subject-vid ${TEST_CERT_VENDOR_ID} --subject-pid ${TEST_CERT_VENDOR_ID} --valid-from "2020-10-16 14:23:43" --lifetime 5946 --ca-key out/test-cert/Chip-PAI-Key-${TEST_CERT_VENDOR_ID}.pem --ca-cert out/test-cert/Chip-PAI-Cert-${TEST_CERT_VENDOR_ID}.pem --out-key out/test-cert/Chip-DAC-Key-${TEST_CERT_VENDOR_ID}-${TEST_CERT_PRODUCT_ID}.pem --out out/test-cert/Chip-DAC-Cert-${TEST_CERT_VENDOR_ID}-${TEST_CERT_PRODUCT_ID}.pem
out/linux-x64-chip-cert/chip-cert gen-att-cert --type d --subject-cn "${TEST_CERT_CN} PAI 01" --subject-vid ${TEST_CERT_VENDOR_ID} --subject-pid ${TEST_CERT_PRODUCT_ID} --valid-from "2020-10-16 14:23:43" --lifetime 5946 --ca-key out/test-cert/Chip-PAI-Key-${TEST_CERT_VENDOR_ID}.pem --ca-cert out/test-cert/Chip-PAI-Cert-${TEST_CERT_VENDOR_ID}.pem --out-key out/test-cert/Chip-DAC-Key-${TEST_CERT_VENDOR_ID}-${TEST_CERT_PRODUCT_ID}.pem --out out/test-cert/Chip-DAC-Cert-${TEST_CERT_VENDOR_ID}-${TEST_CERT_PRODUCT_ID}.pem
```

> **Note**, `--valid-from` and `--lifetime` should be in `--valid-from` and
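Review bot: The DAC command now passes the right `--subject-pid`, but it still uses `--subject-cn "${TEST_CERT_CN} PAI 01"` together with `--type d`, so the generated DAC carries a PAI common name. Change the subject to a DAC name, for example "${TEST_CERT_CN} DAC 01".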
Expand Down Expand Up @@ -238,12 +337,5 @@ key.
> If `MFD` file has cipher text data, please append
> `--key <hex string of 16 bytes>` option to program to this key to efuse.

- Limits on BL IOT SDK

If developer would like to program `MFD` with all plain text data, option
`--key <hex string of 16 bytes>` needs pass to script, otherwise, flash tool
will raise an error. And SoC BL602, BL702 and BL702L use BL IOT SDK for
Matter Application.

Please free contact to `Bouffalo Lab` for DAC provider service and higher
security solution, such as SoC inside certificate requesting.
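Review bot: With the "Limits on BL IOT SDK" paragraph removed, this page no longer says how a plain-text `MFD` is programmed; add one sentence stating that `--key` is now needed only when the `MFD` file holds cipher text data. While these lines are open, "option to program to this key to efuse" and "Please free contact to" need rewording ("to program this key to efuse", "Please feel free to contact").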
120 changes: 95 additions & 25 deletions scripts/flashing/bouffalolab_firmware_utils.py
Expand Up @@ -446,41 +446,111 @@ def exe_gen_ota_image_cmd(flashtool_exe):
new_name = os.path.join(self.work_dir, "ota_images", fw_name + ota_img_name[len("FW_OTA"):])
os.system("mv {} {}".format(img, new_name))

def exe_prog_cmd(flashtool_exe, mfd_addr):
def construct_prog_confg():

iot_cfg = {
"param": {
"interface_type": "uart",
"comport_uart": self.args["port"],
"speed_uart": self.args["baudrate"],
"speed_jlink": "1000",
"chip_xtal": self.args["xtal"],
"ota": "",
"version": "",
"aes_key": "",
"aes_iv": "",
"addr": "0x0",
"publickey": "",
"privatekey": ""
},
"check_box": {
"fw_download": True,
"mfg_download": False,
"media_download": False,
"romfs_download": False,
"psm_download": False,
"key_download": False,
"data_download": False,
"factory_download": True if self.args["dts"] else False,
"mfd_download": True if self.args["mfd"] else False,
"boot2_download": True if self.args["boot2"] else False,
"ckb_erase_all": "True" if self.args["erase"] else "False",
"partition_download": True if self.args["pt"] else False,
"encrypt": False,
"sign": False,
"single_download": False,
"auto_efuse_verify": False
},
"input_path": {
"fw_bin_input": self.args['firmware'],
"mfg_bin_input": "",
"media_bin_input": "",
"romfs_dir_input": "",
"psm_bin_input": "",
"key_bin_input": "",
"data_bin_input": "",
"factory_bin_input": self.args["dts"],
"mfd_bin_input": self.args["mfd"],
"boot2_bin_input": self.args["boot2"],
"img_bin_input": "",
"pt_table_bin_input": self.args["pt"],
"publickey": "",
"privatekey": ""
}
}

conf_toml = os.path.splitext(self.args['firmware'])[0] + "_config.toml"

with open(conf_toml, "w", encoding="utf-8") as f:
toml.dump(iot_cfg, f)

return conf_toml

def exe_prog_cmd(flashtool_exe, mfd_addr, flashtool_path):

if not self.args["port"]:
return

if self.args["mfd"] and not mfd_addr:
raise Exception("No MFD partition found in partition table.")

prog_cmd = [
flashtool_exe,
"--port", self.args["port"],
"--baudrate", self.args["baudrate"],
"--chipname", self.args["chipname"],
"--firmware", self.args["firmware"],
"--dts", self.args["dts"],
"--pt", self.args["pt"],
]
if self.args["mfd"] and not self.args["key"]:
conf_toml = construct_prog_confg()

if self.args["boot2"]:
prog_cmd += ["--boot2", self.args["boot2"]]
prog_cmd = [
flashtool_exe,
"--chipname", self.args["chipname"],
"--config", conf_toml,
]

if self.args["sk"]:
prog_cmd += ["--sk", self.args["sk"]]
else:
prog_cmd = [
flashtool_exe,
"--port", self.args["port"],
"--baudrate", self.args["baudrate"],
"--chipname", self.args["chipname"],
"--firmware", self.args["firmware"],
"--dts", self.args["dts"],
"--pt", self.args["pt"],
]

if mfd_addr and self.args["mfd_str"]:
if self.args["key"] and not self.args["iv"]:
logging.warning("mfd file has no iv, do NOT program mfd key.")
else:
prog_cmd += ["--dac_key", self.args["key"]]
prog_cmd += ["--dac_iv", self.args["iv"]]
prog_cmd += ["--dac_addr", hex(mfd_addr)]
prog_cmd += ["--dac_value", self.args["mfd_str"]]
if self.args["boot2"]:
prog_cmd += ["--boot2", self.args["boot2"]]

if self.args["sk"]:
prog_cmd += ["--sk", self.args["sk"]]

if mfd_addr and self.args["mfd_str"]:
if self.args["key"] and not self.args["iv"]:
logging.warning("mfd file has no iv, do NOT program mfd key.")
else:
prog_cmd += ["--dac_key", self.args["key"]]
prog_cmd += ["--dac_iv", self.args["iv"]]
prog_cmd += ["--dac_addr", hex(mfd_addr)]
prog_cmd += ["--dac_value", self.args["mfd_str"]]

if self.option.erase:
prog_cmd += ["--erase"]
if self.option.erase:
prog_cmd += ["--erase"]

logging.info("firmware programming: {}".format(" ".join(prog_cmd)))
process = subprocess.Popen(prog_cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
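Review bot: The new `if self.args["mfd"] and not self.args["key"]` branch builds `prog_cmd` from `--chipname` and `--config` only, so `self.args["sk"]` is silently dropped on that path while the `else` branch still forwards `--sk`; either carry it into the config or raise when both are given. `flashtool_path` is added to the `exe_prog_cmd` signature but is not used in the lines shown. The erase flag is read from `self.args["erase"]` and written as the strings "True"/"False" in `ckb_erase_all`, while every other `check_box` entry is a boolean and the `else` branch reads `self.option.erase`; use one source for the flag and confirm the type the flash tool expects. `construct_prog_confg` is missing an "i", the `True if x else False` entries can be `bool(x)`, and the hunk does not show an `import toml` for the `toml.dump` call.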
Expand All @@ -500,7 +570,7 @@ def exe_prog_cmd(flashtool_exe, mfd_addr):
os.chdir(self.work_dir)

exe_gen_ota_image_cmd(flashtool_exe)
exe_prog_cmd(flashtool_exe, mfd_addr)
exe_prog_cmd(flashtool_exe, mfd_addr, flashtool_path)

def bouffalo_sdk_prog(self):
