Date: Tue, 3 Oct 2023 16:04:55 +0100
From: Jonathan Cameron
To: Lukas Wunner
CC: Bjorn Helgaas, David Howells, David Woodhouse, Herbert Xu, "David S. Miller", Alex Williamson, David Box, Dan Williams, Dave Jiang, "Li, Ming", Zhi Wang, Alistair Francis, Wilfred Mallawa, Alexey Kardashevskiy, Tom Lendacky, Sean Christopherson, Alexander Graf
Subject: Re: [PATCH 09/12] PCI/CMA: Validate Subject Alternative Name in certificates
Message-ID: <20231003160455.00001a4f@Huawei.com>
Organization: Huawei Technologies Research and Development (UK) Ltd.
X-Mailing-List: linux-coco@lists.linux.dev

On Thu, 28 Sep 2023 19:32:39 +0200 Lukas Wunner wrote:

> PCIe r6.1 sec 6.31.3 stipulates requirements for X.509 Leaf Certificates
> presented by devices, in particular the presence of a Subject Alternative
> Name extension with a name that encodes the Vendor ID, Device ID, Device
> Serial Number, etc.

Lets you do any of:
* What you have here
* Reference Integrity Manifest, e.g. see Trusted Computing Group
* A pointer to a location where such a Reference Integrity Manifest can be obtained.

So this text feels a little strong, though I'm fine with only supporting the Subject Alternative Name bit for now. Whoever has one of the other options can add that support :)

> This prevents a mismatch between the device identity in Config Space and
> the certificate. A device cannot misappropriate a certificate from a
> different device without also spoofing Config Space. As a corollary,
> it cannot dupe an arbitrary driver into binding to it. (Only those
> which bind to the device identity in the Subject Alternative Name work.)
>
> Parse the Subject Alternative Name using a small ASN.1 module and
> validate its contents. The theory of operation is explained in a code
> comment at the top of the newly added cma-x509.c.
>
> This functionality is introduced in a separate commit on top of basic
> CMA-SPDM support to split the code into digestible, reviewable chunks.
>
> The CMA OID added here is taken from the official OID Repository
> (it's not documented in the PCIe Base Spec):
> https://oid-rep.orange-labs.fr/get/2.23.147
>
> Signed-off-by: Lukas Wunner

I haven't looked at ASN.1 recently enough to have any confidence on a review of that bit...

So, for everything except the ASN.1

Reviewed-by: Jonathan Cameron