project-chip · mergify · Feb 11, 2025 · Feb 7, 2025 · Feb 7, 2025 · Feb 7, 2025
diff --git a/docs/platforms/bouffalolab/getting_started.md b/docs/platforms/bouffalolab/getting_started.md
@@ -17,24 +17,34 @@ git clone --recurse-submodules https://github.com/project-chip/connectedhomeip.g
     git clone --depth=1 https://github.com/project-chip/connectedhomeip.git
     ```
 
--   check out `Bouffalo Lab` platform support repos as follows:
+-   Check out necessary submodules
+
+    Checkout `BL_IOT_SDK` for `BL602`, `BL702` and `BL702L` platform:
+
+    ```
+    ./scripts/checkout_submodules.py --shallow --recursive --platform bouffalolab
+    ```
+
+    Checkout `bouffalo_sdk` for `BL616` platform:
 
     ```
-    scripts/checkout_submodules.py --shallow --recursive --platform bouffalolab
+    ./scripts/checkout_submodules.py --shallow --recursive --platform bouffalo_sdk
     ```
 
+    > Please contact `Bouffalo Lab` for `BL616` SDK access.
+
     If you want to checkout Matter Linux example and development tools, please
     try as follows:
 
     ```
-    scripts/checkout_submodules.py --shallow --recursive --platform linux bouffalolab
+    ./scripts/checkout_submodules.py --shallow --recursive --platform linux bouffalolab
     ```
 
     Or if you want to checkout Matter Darwin example and development tools,
     please try as follows:
 
     ```
-    scripts/checkout_submodules.py --shallow --recursive --platform darwin bouffalolab
+    ./scripts/checkout_submodules.py --shallow --recursive --platform darwin bouffalolab
     ```
 
 # Setup build environment

diff --git a/docs/platforms/bouffalolab/matter_factory_data.md b/docs/platforms/bouffalolab/matter_factory_data.md
@@ -71,7 +71,7 @@ Script tool
 call `chip-cert` to generate test certificates and verify certificates.
 
 Please run below command to compile `chip-cert` tool under `connnectedhomeip`
-repo.
+repo for Linux platform.
 
 ```shell
 ./scripts/build/build_examples.py --target linux-x64-chip-cert build
@@ -111,24 +111,47 @@ repo.
 
 Please reference to `--help` for more detail.
 
-## Generate with default test certificates
+## Generate with default configuration
 
--   Run following command to generate all plain text factory data
+-   Default setting uses the following parameters
+
+    -   PAI certification:
+        [test PAI certification](../../../credentials/test/attestation/Chip-Test-PAI-FFF1-8000-Key.pem)
+
+    -   Vendor ID for DAC: 0xFFF1; Vendor ID for CD: 0x130d
+
+    -   Product ID for DAC: 0x8000, Product ID for CD: 0x1001
+
+*   Run following command to generate all plain text factory data
 
     Please create output folder first. Here takes `out/test-cert` as example.
 
     ```shell
     ./scripts/tools/bouffalolab/generate_factory_data.py --output out/test-cert
     ```
 
--   Run following command to generate factory data which encrypt private of
+    -   Check DAC certificate. Here takes `out_130d_1001_106_dac_cert.pem` as
+        generated test certificate.
+
+        ```shell
+        openssl x509 -noout -text -in out/test-cert/out_130d_1001_106_dac_cert.pem
+        ```
+
+    -   Check Certification Declare. Here takes `out_130d_1001_cd.der` as
+        generated test certificate.
+
+        ```shell
+        ./out/linux-x64-chip-cert/chip-cert print-cd out/test-cert/out_130d_1001_cd.der
+        ```
+
+*   Run following command to generate factory data which encrypt private of
     device attestation data
 
     ```shell
     ./scripts/tools/bouffalolab/generate_factory_data.py --output out/test-cert --key <hex string of 16 bytes>
     ```
 
-    > An example of hex string of 16 bytes: 12345678123456781234567812345678
+    > An example of hex string of 16 bytes: 12345678123456781234567812345678.
 
 After command executes successfully, the output folder will has files as below:
 
@@ -153,20 +176,26 @@ After command executes successfully, the output folder will has files as below:
 Self-defined PAA/PAI certificates may use in development and test scenario. But,
 user should know it has limit to work with real ecosystem.
 
--   Export environment variables in terminal for easy operations
+-   Export environment variables in terminal for certificates generation
 
     ```
-    export TEST_CERT_VENDOR_ID=130D # Vendor ID hex string
-    export TEST_CERT_CN=BFLB        # Common Name
+    export TEST_CERT_VENDOR_ID=130D   # Vendor ID hex string
+    export TEST_CERT_PRODUCT_ID=1001  # Product ID hex string
+    export TEST_CERT_CN=BFLB          # Common Name
     ```
 
 -   Generate PAA certificate and key to `out/cert` folder.
 
     ```shell
-    mkdir out/test-cert
     ./out/linux-x64-chip-cert/chip-cert gen-att-cert --type a --subject-cn "${TEST_CERT_CN} PAA 01" --valid-from "2020-10-15 14:23:43" --lifetime 7305 --out-key out/test-cert/Chip-PAA-Key-${TEST_CERT_VENDOR_ID}.pem --out out/test-cert/Chip-PAA-Cert-${TEST_CERT_VENDOR_ID}.pem --subject-vid ${TEST_CERT_VENDOR_ID}
     ```
 
+    -   Check PAA certificate
+
+        ```shell
+        openssl x509 -noout -text -in out/test-cert/Chip-PAA-Cert-${TEST_CERT_VENDOR_ID}.pem
+        ```
+
 -   Convert PAA PEM format file to PAA DER format file
 
     ```shell
@@ -182,14 +211,84 @@ user should know it has limit to work with real ecosystem.
     ./out/linux-x64-chip-cert/chip-cert gen-att-cert --type i --subject-cn "${TEST_CERT_CN} PAI 01" --subject-vid ${TEST_CERT_VENDOR_ID} --valid-from "2020-10-15 14:23:43" --lifetime 7305 --ca-key out/test-cert/Chip-PAA-Key-${TEST_CERT_VENDOR_ID}.pem --ca-cert out/test-cert/Chip-PAA-Cert-${TEST_CERT_VENDOR_ID}.pem --out-key out/test-cert/Chip-PAI-Key-${TEST_CERT_VENDOR_ID}.pem --out out/test-cert/Chip-PAI-Cert-${TEST_CERT_VENDOR_ID}.pem
     ```
 
--   Generate `MFD` in plain text data
+    -   Check PAI certificate
 
-    ```shell
-    ./scripts/tools/bouffalolab/generate_factory_data.py --output out/test-cert --paa_cert out/test-cert/Chip-PAA-Cert-${TEST_CERT_VENDOR_ID}.pem --paa_key out/test-cert/Chip-PAA-Key-${TEST_CERT_VENDOR_ID}.pem --pai_cert out/test-cert/Chip-PAI-Cert-${TEST_CERT_VENDOR_ID}.pem --pai_key out/test-cert/Chip-PAI-Key-${TEST_CERT_VENDOR_ID}.pem
-    ```
+        ```shell
+        openssl x509 -noout -text -in out/test-cert/Chip-PAI-Cert-${TEST_CERT_VENDOR_ID}.pem
+        ```
 
-    > Appending `--key <hex string of 16 bytes>` option to enable encrypt
-    > private key of attestation device data.
+-   Generate `MFD` in plain text data with same VID/PID in DAC and CD
+
+    -   Use same environment variables `TEST_CERT_VENDOR_ID` and
+        `TEST_CERT_PRODUCT_ID` for CD.
+
+        ```shell
+        ./scripts/tools/bouffalolab/generate_factory_data.py --output out/test-cert --paa_cert out/test-cert/Chip-PAA-Cert-${TEST_CERT_VENDOR_ID}.pem --paa_key out/test-cert/Chip-PAA-Key-${TEST_CERT_VENDOR_ID}.pem --pai_cert out/test-cert/Chip-PAI-Cert-${TEST_CERT_VENDOR_ID}.pem --pai_key out/test-cert/Chip-PAI-Key-${TEST_CERT_VENDOR_ID}.pem --dac_pid 0x${TEST_CERT_PRODUCT_ID} --vendor_id 0x${TEST_CERT_VENDOR_ID} --product_id 0x${TEST_CERT_PRODUCT_ID}
+        ```
+
+        > Appending `--key <hex string of 16 bytes>` option to enable encrypt
+        > private key of attestation device data.
+
+    -   Check DAC certificate. Here takes `out_130d_1001_1349_dac_cert.pem` as
+        generated test certification.
+
+        ```shell
+        openssl x509 -noout -text -in out/test-cert/out_130d_1001_1349_dac_cert.pem
+        ```
+
+    -   Check PAA/PAI/DAC certificate chain.
+
+        ```shell
+        ./out/linux-x64-chip-cert/chip-cert validate-att-cert --dac out/test-cert/out_130d_1001_1349_dac_cert.pem --pai out/test-cert/Chip-PAI-Cert-${TEST_CERT_VENDOR_ID}.pem --paa out/test-cert/Chip-PAA-Cert-${TEST_CERT_VENDOR_ID}.pem
+        ```
+
+    -   Check Certification Declare. Here takes `out_130d_1001_cd.der` as
+        generated test certification.
+
+        ```shell
+        ./out/linux-x64-chip-cert/chip-cert print-cd out/test-cert/out_130d_1001_cd.der
+        ```
+
+-   Generate `MFD` in plain text data with different VID/PID in DAC and CD
+
+    -   Export vendor ID and product ID for CD
+
+        ```shell
+        export TEST_CD_VENDOR_ID=730D   # Vendor ID hex string
+        export TEST_CD_PRODUCT_ID=7001  # Product ID hex string
+        ```
+
+    -   Run script to generate DAC/CD and `MFD`.
+
+        ```shell
+        ./scripts/tools/bouffalolab/generate_factory_data.py --output out/test-cert --paa_cert out/test-cert/Chip-PAA-Cert-${TEST_CERT_VENDOR_ID}.pem --paa_key out/test-cert/Chip-PAA-Key-${TEST_CERT_VENDOR_ID}.pem --pai_cert out/test-cert/Chip-PAI-Cert-${TEST_CERT_VENDOR_ID}.pem --pai_key out/test-cert/Chip-PAI-Key-${TEST_CERT_VENDOR_ID}.pem --dac_pid 0x${TEST_CERT_PRODUCT_ID} --vendor_id 0x${TEST_CD_VENDOR_ID} --product_id 0x${TEST_CD_PRODUCT_ID}
+        ```
+
+        > Appending `--key <hex string of 16 bytes>` option to enable encrypt
+        > private key of attestation device data.
+        >
+        > Please use --`vendor_name` and `--product_name` to change vendor name
+        > and product name.
+
+    -   Check DAC certificate. Here takes `out_130d_1001_1349_dac_cert.pem` as
+        generated test certification.
+
+        ```shell
+        openssl x509 -noout -text -in out/test-cert/out_130d_1001_1349_dac_cert.pem
+        ```
+
+    -   Check PAA/PAI/DAC certificate chain.
+
+        ```shell
+        ./out/linux-x64-chip-cert/chip-cert validate-att-cert --dac out/test-cert/out_130d_1001_1349_dac_cert.pem --pai out/test-cert/Chip-PAI-Cert-${TEST_CERT_VENDOR_ID}.pem --paa out/test-cert/Chip-PAA-Cert-${TEST_CERT_VENDOR_ID}.pem
+        ```
+
+    -   Check Certification Declare. Here takes `out_730D_7001_cd.der` as
+        generated test certification.
+
+        ```shell
+        ./out/linux-x64-chip-cert/chip-cert print-cd out/test-cert/out_130d_1001_cd.der
+        ```
 
 ## Generate with self-defined DAC certificate and key
 
@@ -200,14 +299,14 @@ user should know it has limit to work with real ecosystem.
 
     ```
     export TEST_CERT_VENDOR_ID=130D  # Vendor ID hex string
-    export TEST_CERT_PRODUCT_ID=1001 # Vendor ID hex string
+    export TEST_CERT_PRODUCT_ID=1001 # Product ID hex string
     export TEST_CERT_CN=BFLB         # Common Name
     ```
 
 -   Generate DAC certificate and key
 
     ```shell
-    out/linux-x64-chip-cert/chip-cert gen-att-cert --type d --subject-cn "${TEST_CERT_CN} PAI 01" --subject-vid ${TEST_CERT_VENDOR_ID} --subject-pid ${TEST_CERT_VENDOR_ID} --valid-from "2020-10-16 14:23:43" --lifetime 5946 --ca-key out/test-cert/Chip-PAI-Key-${TEST_CERT_VENDOR_ID}.pem --ca-cert out/test-cert/Chip-PAI-Cert-${TEST_CERT_VENDOR_ID}.pem --out-key out/test-cert/Chip-DAC-Key-${TEST_CERT_VENDOR_ID}-${TEST_CERT_PRODUCT_ID}.pem --out out/test-cert/Chip-DAC-Cert-${TEST_CERT_VENDOR_ID}-${TEST_CERT_PRODUCT_ID}.pem
+    out/linux-x64-chip-cert/chip-cert gen-att-cert --type d --subject-cn "${TEST_CERT_CN} PAI 01" --subject-vid ${TEST_CERT_VENDOR_ID} --subject-pid ${TEST_CERT_PRODUCT_ID} --valid-from "2020-10-16 14:23:43" --lifetime 5946 --ca-key out/test-cert/Chip-PAI-Key-${TEST_CERT_VENDOR_ID}.pem --ca-cert out/test-cert/Chip-PAI-Cert-${TEST_CERT_VENDOR_ID}.pem --out-key out/test-cert/Chip-DAC-Key-${TEST_CERT_VENDOR_ID}-${TEST_CERT_PRODUCT_ID}.pem --out out/test-cert/Chip-DAC-Cert-${TEST_CERT_VENDOR_ID}-${TEST_CERT_PRODUCT_ID}.pem
     ```
 
     > **Note**, `--valid-from` and `--lifetime` should be in `--valid-from` and
@@ -238,12 +337,5 @@ key.
 > If `MFD` file has cipher text data, please append
 > `--key <hex string of 16 bytes>` option to program to this key to efuse.
 
--   Limits on BL IOT SDK
-
-    If developer would like to program `MFD` with all plain text data, option
-    `--key <hex string of 16 bytes>` needs pass to script, otherwise, flash tool
-    will raise an error. And SoC BL602, BL702 and BL702L use BL IOT SDK for
-    Matter Application.
-
 Please free contact to `Bouffalo Lab` for DAC provider service and higher
 security solution, such as SoC inside certificate requesting.
diff --git a/scripts/flashing/bouffalolab_firmware_utils.py b/scripts/flashing/bouffalolab_firmware_utils.py
@@ -446,41 +446,111 @@ def exe_gen_ota_image_cmd(flashtool_exe):
                 new_name = os.path.join(self.work_dir, "ota_images", fw_name + ota_img_name[len("FW_OTA"):])
                 os.system("mv {} {}".format(img, new_name))
 
-        def exe_prog_cmd(flashtool_exe, mfd_addr):
+        def construct_prog_confg():
+
+            iot_cfg = {
+                "param": {
+                    "interface_type": "uart",
+                    "comport_uart": self.args["port"],
+                    "speed_uart": self.args["baudrate"],
+                    "speed_jlink": "1000",
+                    "chip_xtal": self.args["xtal"],
+                    "ota": "",
+                    "version": "",
+                    "aes_key": "",
+                    "aes_iv": "",
+                    "addr": "0x0",
+                    "publickey": "",
+                    "privatekey": ""
+                },
+                "check_box": {
+                    "fw_download": True,
+                    "mfg_download": False,
+                    "media_download": False,
+                    "romfs_download": False,
+                    "psm_download": False,
+                    "key_download": False,
+                    "data_download": False,
+                    "factory_download": True if self.args["dts"] else False,
+                    "mfd_download": True if self.args["mfd"] else False,
+                    "boot2_download": True if self.args["boot2"] else False,
+                    "ckb_erase_all": "True" if self.args["erase"] else "False",
+                    "partition_download": True if self.args["pt"] else False,
+                    "encrypt": False,
+                    "sign": False,
+                    "single_download": False,
+                    "auto_efuse_verify": False
+                },
+                "input_path": {
+                    "fw_bin_input": self.args['firmware'],
+                    "mfg_bin_input": "",
+                    "media_bin_input": "",
+                    "romfs_dir_input": "",
+                    "psm_bin_input": "",
+                    "key_bin_input": "",
+                    "data_bin_input": "",
+                    "factory_bin_input": self.args["dts"],
+                    "mfd_bin_input": self.args["mfd"],
+                    "boot2_bin_input": self.args["boot2"],
+                    "img_bin_input": "",
+                    "pt_table_bin_input": self.args["pt"],
+                    "publickey": "",
+                    "privatekey": ""
+                }
+            }
+
+            conf_toml = os.path.splitext(self.args['firmware'])[0] + "_config.toml"
+
+            with open(conf_toml, "w", encoding="utf-8") as f:
+                toml.dump(iot_cfg, f)
+
+            return conf_toml
+
+        def exe_prog_cmd(flashtool_exe, mfd_addr, flashtool_path):
 
             if not self.args["port"]:
                 return
 
             if self.args["mfd"] and not mfd_addr:
                 raise Exception("No MFD partition found in partition table.")
 
-            prog_cmd = [
-                flashtool_exe,
-                "--port", self.args["port"],
-                "--baudrate", self.args["baudrate"],
-                "--chipname", self.args["chipname"],
-                "--firmware", self.args["firmware"],
-                "--dts", self.args["dts"],
-                "--pt", self.args["pt"],
-            ]
+            if self.args["mfd"] and not self.args["key"]:
+                conf_toml = construct_prog_confg()
 
-            if self.args["boot2"]:
-                prog_cmd += ["--boot2", self.args["boot2"]]
+                prog_cmd = [
+                    flashtool_exe,
+                    "--chipname", self.args["chipname"],
+                    "--config", conf_toml,
+                ]
 
-            if self.args["sk"]:
-                prog_cmd += ["--sk", self.args["sk"]]
+            else:
+                prog_cmd = [
+                    flashtool_exe,
+                    "--port", self.args["port"],
+                    "--baudrate", self.args["baudrate"],
+                    "--chipname", self.args["chipname"],
+                    "--firmware", self.args["firmware"],
+                    "--dts", self.args["dts"],
+                    "--pt", self.args["pt"],
+                ]
 
-            if mfd_addr and self.args["mfd_str"]:
-                if self.args["key"] and not self.args["iv"]:
-                    logging.warning("mfd file has no iv, do NOT program mfd key.")
-                else:
-                    prog_cmd += ["--dac_key", self.args["key"]]
-                    prog_cmd += ["--dac_iv", self.args["iv"]]
-                    prog_cmd += ["--dac_addr", hex(mfd_addr)]
-                    prog_cmd += ["--dac_value", self.args["mfd_str"]]
+                if self.args["boot2"]:
+                    prog_cmd += ["--boot2", self.args["boot2"]]
+
+                if self.args["sk"]:
+                    prog_cmd += ["--sk", self.args["sk"]]
+
+                if mfd_addr and self.args["mfd_str"]:
+                    if self.args["key"] and not self.args["iv"]:
+                        logging.warning("mfd file has no iv, do NOT program mfd key.")
+                    else:
+                        prog_cmd += ["--dac_key", self.args["key"]]
+                        prog_cmd += ["--dac_iv", self.args["iv"]]
+                        prog_cmd += ["--dac_addr", hex(mfd_addr)]
+                        prog_cmd += ["--dac_value", self.args["mfd_str"]]
 
-            if self.option.erase:
-                prog_cmd += ["--erase"]
+                if self.option.erase:
+                    prog_cmd += ["--erase"]
 
             logging.info("firmware programming: {}".format(" ".join(prog_cmd)))
             process = subprocess.Popen(prog_cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
@@ -500,7 +570,7 @@ def exe_prog_cmd(flashtool_exe, mfd_addr):
         os.chdir(self.work_dir)
 
         exe_gen_ota_image_cmd(flashtool_exe)
-        exe_prog_cmd(flashtool_exe, mfd_addr)
+        exe_prog_cmd(flashtool_exe, mfd_addr, flashtool_path)
 
     def bouffalo_sdk_prog(self):