Infineon OPTIGA™ Trust M Provisioning for Matter#

To use Infineon OPTIGA™ Trust M for device attestation, Provisioning for OPTIGA™ Trust M with Matter test device Attestation certificate is needed.

Hardware setup:#

Raspberry Pi 4

OPTIGA™ Trust M MTR

Shield2Go Adapter for Raspberry Pi or Jumping Wire

Provisioning for OPTIGA™ Trust M#

The Linux Tools for OPTIGA™ Trust M can be used to perform provisioning by following the steps mentioned below.

 $ git clone --recurse-submodules https://github.com/Infineon/linux-optiga-trust-m.git
  • Build the Linux tools for OPTIGA™ Trust M

 $ cd linux-optiga-trust-m/
 $ git checkout provider_dev
 $ git submodule update -f
 $ ./provider_installation_script.sh
  • Run the script to generate Matter test DAC for lock-app using the public key extracted from the Infineon pre-provisioned Certificate and store it into 0xE0E0

$ cd scripts/matter_provisioning/
$ ./matter_test_provisioning.sh

Note:

By running this example matter_test_provisioning.sh, the steps shown below are executed:

Step1: Extract the public key from the Infineon pre-provisioned Certificate(0xE0E0) using openssl command.

Step2: Generate DAC test certificate using the extracted public key, Signed by Matter test PAI. Please note that production devices cannot re-use these test keys/certificates.

Step3: Write DAC test certificate into OPTIGA™ Trust M certificate slot 0xE0E0.

Step4: Write Matter test PAI into OPTIGA™ Trust M certificate slot 0xE0E8 and test CD into OPTIGA™ Trust M Arbitrary OID 0xF1E0.

For certificate claim and OPTIGA™ Trust M MTR provisioning, please refer to our README for Late-stage Provisioning