From: Lukas Wunner <lukas@wunner.de>
To: Alistair Francis <alistair23@gmail.com>
Cc: wilfred.mallawa@wdc.com, Jonathan.Cameron@Huawei.com,
jiewen.yao@intel.com, qemu-devel@nongnu.org, kbusch@kernel.org,
its@irrelevant.dk, mst@redhat.com, marcel.apfelbaum@gmail.com,
hchkuo@avery-design.com.tw, cbrowy@avery-design.com,
qemu-block@nongnu.org,
Alistair Francis <alistair.francis@wdc.com>
Subject: Re: [PATCH 3/3] hw/nvme: Add SPDM over DOE support
Date: Mon, 2 Oct 2023 10:47:53 +0200
Message-ID: <20231002084753.GA23546@wunner.de>
In-Reply-To: <20230915112723.2033330-3-alistair.francis@wdc.com>
On Fri, Sep 15, 2023 at 09:27:23PM +1000, Alistair Francis wrote:
> --- /dev/null
> +++ b/docs/specs/spdm.rst
> @@ -0,0 +1,56 @@
> +======================================================
> +QEMU Security Protocols and Data Models (SPDM) Support
> +======================================================
> +
> +SPDM enables authentication, attestation and key exchange to assist in
> +providing infrastructure security enablement. It's a standard published
> +by the DMTF https://www.dmtf.org/standards/SPDM.
> +
> +Setting up a SPDM server
[...]
> + $ cd spdm-emu
> + $ git submodule init; git submodule update --recursive
> + $ mkdir build; cd build
> + $ cmake -DARCH=x64 -DTOOLCHAIN=GCC -DTARGET=Debug -DCRYPTO=openssl ..
> + $ make -j32
> + $ make copy_sample_key # Build certificates, required for SPDM authentication.
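Review bot: the build steps in this hunk hardcode `make -j32` and a Debug cmake target (`-DTARGET=Debug`), which readers will copy verbatim; suggest `make -j$(nproc)` and stating whether a Release build of spdm-emu also works. The `make copy_sample_key` line should also say that these are libspdm's sample test keys and certificates for the emulator, not credentials to be trusted for any real device, and where the generated certificate files end up so later sections can reference the path.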
Might be worth pointing out that certificates need to have a
Subject Alternative Name in compliance with PCIe r6.1 sec 6.31.3,
what to add to openssl.cnf to get one, e.g. ...
subjectAltName = otherName:2.23.147;UTF8:Vendor=1b36:Device=0010:CC=010802:REV=02:SSVID=1af4:SSID=1100
2.23.147 = ASN1:OID:2.23.147
... and how to regenerate certificates after modifying openssl.cnf, e.g. ...
$ openssl req -nodes -newkey ec:param.pem -keyout end_responder.key -out end_responder.req -sha384 -batch -subj "/CN=DMTF libspdm ECP384 responder cert"
$ openssl x509 -req -in end_responder.req -out end_responder.cert -CA inter.cert -CAkey inter.key -sha384 -days 3650 -set_serial 3 -extensions v3_end -extfile ../openssl.cnf
$ openssl asn1parse -in end_responder.cert -out end_responder.cert.der
$ cat ca.cert.der inter.cert.der end_responder.cert.der > bundle_responder.certchain.der
Or preferably modify upstream libspdm to automate this process and
make it less cumbersome and error-prone.
> +static bool pcie_doe_spdm_rsp(DOECap *doe_cap)
> +{
> + void *req = pcie_doe_get_write_mbox_ptr(doe_cap);
> + uint32_t req_len = pcie_doe_get_obj_len(req) * 4;
> + void *rsp = doe_cap->read_mbox;
> + uint32_t rsp_len = SPDM_SOCKET_MAX_MESSAGE_BUFFER_SIZE;
> + uint32_t recvd;
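Review bot: `req_len` is computed as `pcie_doe_get_obj_len(req) * 4`, i.e. from a length field the guest wrote into the DOE write mailbox, and nothing in this hunk bounds it against the write mailbox size or `SPDM_SOCKET_MAX_MESSAGE_BUFFER_SIZE` before the request is forwarded; an oversized value should be rejected (DOE error/abort) rather than passed through. Likewise `rsp_len` is set to `SPDM_SOCKET_MAX_MESSAGE_BUFFER_SIZE` while `rsp` points at `doe_cap->read_mbox`; please confirm `read_mbox` is at least that large, or pass its actual size, so a maximal response from the SPDM socket cannot overrun it.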
Might be worth mentioning somewhere that this only implements the
responder role.
CPUs are coming to market which contain a Trusted Security Module.
Some of those TSMs are capable of the SPDM requester role. Should
qemu ever have the need to emulate a CPU containing a TSM, it may
become necessary to add SPDM requester support.
Thanks,
Lukas
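Added example, not part of this thread or of the QEMU/libspdm code: a standard-library-only encoder and checker for the otherName Subject Alternative Name that the openssl.cnf line above produces, using the PCI IDs from that line as constructed sample input. It assumes the caller has already pulled the single otherName GeneralName out of the leaf certificate's SAN extension; the requester-side check compares every field against the IDs the device's config space actually reports.

```python
import re

# OID 2.23.147 (id-DMTF-device-info) in DER: 2*40+23 = 0x67, 147 = 0x81 0x13.
DMTF_DEVICE_INFO_OID = bytes([0x67, 0x81, 0x13])
# Field layout of the UTF8String, matching the openssl.cnf subjectAltName line.
_FIELD_RE = re.compile(
    r"^Vendor=([0-9a-f]{4}):Device=([0-9a-f]{4}):CC=([0-9a-f]{6}):"
    r"REV=([0-9a-f]{2}):SSVID=([0-9a-f]{4}):SSID=([0-9a-f]{4})$", re.I)

def _tlv(tag, body):
    # Short-form DER length suffices: the whole device-info GeneralName is < 128 bytes.
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body

def encode_device_info_san(vendor, device, cc, rev, ssvid, ssid):
    """Build the [0] otherName GeneralName that openssl emits for the subjectAltName line."""
    text = (f"Vendor={vendor:04x}:Device={device:04x}:CC={cc:06x}:"
            f"REV={rev:02x}:SSVID={ssvid:04x}:SSID={ssid:04x}")
    # OtherName ::= SEQUENCE { type-id OBJECT IDENTIFIER, value [0] EXPLICIT UTF8String }
    other_name = _tlv(0x06, DMTF_DEVICE_INFO_OID) + _tlv(0xA0, _tlv(0x0C, text.encode()))
    return _tlv(0xA0, other_name)  # GeneralName CHOICE [0] otherName (constructed)

def _read_tlv(buf, pos):
    tag, length = buf[pos], buf[pos + 1]
    if length & 0x80:
        raise ValueError("unexpected long-form DER length")
    return tag, buf[pos + 2:pos + 2 + length], pos + 2 + length

def parse_device_info_san(der):
    """Decode one otherName GeneralName; raise on anything that is not the 2.23.147 shape."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0xA0 or end != len(der):
        raise ValueError("expected a single [0] otherName GeneralName")
    oid_tag, oid, pos = _read_tlv(body, 0)
    if oid_tag != 0x06 or oid != DMTF_DEVICE_INFO_OID:
        raise ValueError("otherName type-id is not 2.23.147")
    val_tag, val, _ = _read_tlv(body, pos)
    if val_tag != 0xA0:
        raise ValueError("otherName value must be [0] EXPLICIT")
    str_tag, text, _ = _read_tlv(val, 0)
    if str_tag != 0x0C:
        raise ValueError("device info must be a UTF8String")
    m = _FIELD_RE.match(text.decode("utf-8"))
    if not m:
        raise ValueError(f"malformed device info string: {text!r}")
    return dict(zip(("vendor", "device", "cc", "rev", "ssvid", "ssid"),
                    (int(v, 16) for v in m.groups())))

def san_matches_config_space(der, config_ids):
    """Requester-side check: every cert field must equal the device's own config-space IDs."""
    return parse_device_info_san(der) == config_ids
```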