From 9e84401954b6c1d3c164490d953b4b61a9446a38 Mon Sep 17 00:00:00 2001 From: Arkadiusz Balys Date: Thu, 4 Jan 2024 13:25:39 +0100 Subject: [PATCH] manifest: Update Matter revision to pull PSA changes We need a mechanism to move the DAC private key from the factory data set to PSA ITS NVM storage during the first boot of the device. This feature is available only if the CONFIG_CHIP_CRYPTO_PSA config is set to y. You can enable removing the DAC private key from the factory data partition after the migration by setting the :kconfig:option:`CONFIG_CHIP_CRYPTO_PSA_MIGRATE_DAC_PRIV_KEY` Kconfig option to ``y`` Signed-off-by: Arkadiusz Balys --- .../migration/migration_guide_2.6.rst | 10 ++++++++++ .../releases/release-notes-changelog.rst | 13 ++++++++++--- west.yml | 2 +- 3 files changed, 21 insertions(+), 4 deletions(-) diff --git a/doc/nrf/releases_and_maturity/migration/migration_guide_2.6.rst b/doc/nrf/releases_and_maturity/migration/migration_guide_2.6.rst index 82db644fff8..12747e4ee68 100644 --- a/doc/nrf/releases_and_maturity/migration/migration_guide_2.6.rst +++ b/doc/nrf/releases_and_maturity/migration/migration_guide_2.6.rst 
@@ -30,6 +30,16 @@ The following changes are mandatory to make your application work in the same wa * The ``CONFIG_CHIP_SED_ACTIVE_INTERVAL`` Kconfig option was renamed to :kconfig:option:`CONFIG_CHIP_ICD_FAST_POLLING_INTERVAL`. * The ``CONFIG_CHIP_SED_ACTIVE_THRESHOLD`` Kconfig option was renamed to :kconfig:option:`CONFIG_CHIP_ICD_ACTIVE_MODE_THRESHOLD`. +* For Matter over Thread samples, starting from this release, the cryptography backend enabled by default is PSA Crypto API instead of mbedTLS. + Be aware of the change and consider the following when migrating to |NCS| v2.6.0: + + * You can keep using mbedTLS API as the cryptography backend by disabling PSA Crypto API. + You can disable it by setting the :kconfig:option:`CONFIG_CHIP_CRYPTO_PSA` Kconfig option to ``n``. + * When the Device Attestation Certificate (DAC) private key exists in the factory data set, it can migrate to the PSA ITS secure storage. + + You can also have the DAC private key replaced by zeros in the factory data partition by setting the :kconfig:option:`CONFIG_CHIP_CRYPTO_PSA_MIGRATE_DAC_PRIV_KEY` Kconfig option to ``y``. + This functionality is experimental. + * For samples using Wi-Fi features: * A few Kconfig options related to scan operations have been removed in the current release. diff --git a/doc/nrf/releases_and_maturity/releases/release-notes-changelog.rst b/doc/nrf/releases_and_maturity/releases/release-notes-changelog.rst index cd8e17af903..9a0a6374585 100644 --- a/doc/nrf/releases_and_maturity/releases/release-notes-changelog.rst +++ b/doc/nrf/releases_and_maturity/releases/release-notes-changelog.rst 
@@ -93,9 +93,16 @@ Matter ------ * Updated the page about :ref:`ug_matter_device_low_power_configuration` with the information about Intermittently Connected Devices (ICD) configuration. -* Added a Kconfig option for disabling or enabling :ref:`ug_matter_configuring_read_client`. -* Added support for PSA Crypto API for devices that use Matter over Thread. - It is enabled by default and can be disabled by setting the :kconfig:option:`CONFIG_CHIP_CRYPTO_PSA` Kconfig option to ``n``. + +* Added: + + * A Kconfig option for disabling or enabling :ref:`ug_matter_configuring_read_client`. + * Support for PSA Crypto API for devices that use Matter over Thread. + It is enabled by default and can be disabled by setting the :kconfig:option:`CONFIG_CHIP_CRYPTO_PSA` Kconfig option to ``n``. + * Migration of the Device Attestation Certificate (DAC) private key from the factory data set to the PSA ITS secure storage. + + The DAC private key can be removed from the factory data set after the migration. + You can enable this experimental functionality by setting the :kconfig:option:`CONFIG_CHIP_CRYPTO_PSA_MIGRATE_DAC_PRIV_KEY` Kconfig option to ``y``. Matter fork +++++++++++ diff --git a/west.yml b/west.yml index fb6c91ccf47..9941f254c76 100644 --- a/west.yml +++ b/west.yml @@ -149,7 +149,7 @@ manifest: - name: matter repo-path: sdk-connectedhomeip path: modules/lib/matter - revision: 5f7a9f6a42257301c5f70b6bf78716357551d54d + revision: 50a62b4a4e48ee113eb8114e2307c9835094044d submodules: - name: nlio path: third_party/nlio/repo
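Review bot: In the migration_guide_2.6.rst hunk, the new sub-bullet "it can migrate to the PSA ITS secure storage" does not say what triggers the migration or what state the factory data is left in. The commit message says the move happens during the first boot when CONFIG_CHIP_CRYPTO_PSA is set to y, and that CONFIG_CHIP_CRYPTO_PSA_MIGRATE_DAC_PRIV_KEY enables removing the key from the factory data partition afterwards, yet the option name reads as if it gates the migration itself. Please state which option triggers the copy into PSA ITS and which one triggers the overwrite, and say whether the key remains in the factory data partition next to the ITS copy when the second option is not set. Because the first sub-bullet tells users they can go back to mbedTLS by setting CONFIG_CHIP_CRYPTO_PSA to n, the guide should also say what happens to device attestation on a device whose factory data key has already been replaced by zeros.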
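Review bot: In the release-notes-changelog.rst hunk, the last added bullet says the DAC private key "can be removed from the factory data set", while the migration guide in this same patch says it is "replaced by zeros in the factory data partition". Use one description in both places, preferably the one that matches what the firmware actually does to the partition, since readers auditing key handling will treat "removed" and "zeroed in place" differently. The phrase "this experimental functionality" is also ambiguous here: it can be read as referring to the migration or only to the removal, so name the thing that CONFIG_CHIP_CRYPTO_PSA_MIGRATE_DAC_PRIV_KEY enables directly in that sentence.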
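Review bot: In the west.yml hunk, the matter revision moves from 5f7a9f6a42257301c5f70b6bf78716357551d54d to 50a62b4a4e48ee113eb8114e2307c9835094044d, but the commit message only says it pulls "PSA changes" and does not reference the sdk-connectedhomeip change that introduces them. Please link that change in the commit message and confirm the range between the two revisions contains nothing beyond it, so that reviewers can check that CONFIG_CHIP_CRYPTO_PSA_MIGRATE_DAC_PRIV_KEY, which both documentation hunks reference through the :kconfig:option: role, exists at the new revision.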