From: sashiko-bot@kernel.org
To: alistair23@gmail.com
Cc: ojeda@kernel.org, linux-cxl@vger.kernel.org, linux-pci@vger.kernel.org
Subject: Re: [PATCH v2 13/21] PCI/CMA: Validate Subject Alternative Name in certificates
Date: Tue, 23 Jun 2026 05:07:16 +0000 [thread overview]
Message-ID: <20260623050716.CFCA31F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260623045406.2589547-14-alistair.francis@wdc.com>
> From: Lukas Wunner <lukas@wunner.de>
>
> PCIe r6.1 sec 6.31.3 stipulates requirements for Leaf Certificates
> presented by devices, in particular the presence of a Subject Alternative
> Name which encodes the Vendor ID, Device ID, Device Serial Number, etc.
>
> This prevents a mismatch between the device identity in Config Space and
> the certificate. A device cannot misappropriate a certificate from a
> different device without also spoofing Config Space. As a corollary,
> it cannot dupe an arbitrary driver into binding to it. Only drivers
> which bind to the device identity in the Subject Alternative Name work
> (PCIe r6.1 sec 6.31 "Implementation Note: Overview of Threat Model").
>
> The Subject Alternative Name is signed, hence constitutes a signed copy
> of a Config Space portion. It's the same concept as web certificates
> [ ... ]
> Reviewed-by: Jonathan Cameron <Jonathan.Cameron@huawei.com> # except ASN.1
> [ Changed by AF:
> - Fixup a few issues caught by Sashiko
> ]
> Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
Sashiko has reviewed this patch and found no issues. It looks great!
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260623045406.2589547-1-alistair.francis@wdc.com?part=13
next prev parent reply other threads:[~2026-06-23 5:07 UTC|newest]
Thread overview: 43+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-23 4:53 [PATCH v2 00/21] lib: Rust implementation of SPDM alistair23
2026-06-23 4:53 ` [PATCH v2 01/21] rust: transmute: add `cast_slice[_mut]` functions alistair23
2026-06-23 5:05 ` sashiko-bot
2026-06-23 4:53 ` [PATCH v2 02/21] rust: create basic untrusted data API alistair23
2026-06-23 5:09 ` sashiko-bot
2026-06-23 4:53 ` [PATCH v2 03/21] rust: validate: add `Validate` trait alistair23
2026-06-23 5:10 ` sashiko-bot
2026-06-23 4:53 ` [PATCH v2 04/21] X.509: Make certificate parser public alistair23
2026-06-23 5:03 ` sashiko-bot
2026-06-23 4:53 ` [PATCH v2 05/21] X.509: Parse Subject Alternative Name in certificates alistair23
2026-06-23 5:07 ` sashiko-bot
2026-06-23 4:53 ` [PATCH v2 06/21] X.509: Move certificate length retrieval into new helper alistair23
2026-06-23 5:02 ` sashiko-bot
2026-06-23 4:53 ` [PATCH v2 07/21] rust: add bindings for hash.h alistair23
2026-06-23 7:01 ` sashiko-bot
2026-06-23 4:53 ` [PATCH v2 08/21] rust: error: impl From<FromBytesWithNulError> for Kernel Error alistair23
2026-06-23 5:01 ` sashiko-bot
2026-06-23 4:53 ` [PATCH v2 09/21] lib: rspdm: Initial commit of Rust SPDM alistair23
2026-06-23 5:09 ` sashiko-bot
2026-06-23 4:53 ` [PATCH v2 10/21] PCI/TSM: Rename pf0 to host alistair23
2026-06-23 5:12 ` sashiko-bot
2026-06-23 4:53 ` [PATCH v2 11/21] PCI/TSM: Support connecting to PCIe CMA devices alistair23
2026-06-23 5:16 ` sashiko-bot
2026-06-23 4:53 ` [PATCH v2 12/21] PCI/CMA: Add a PCI TSM CMA driver using SPDM alistair23
2026-06-23 5:07 ` sashiko-bot
2026-06-23 4:53 ` [PATCH v2 13/21] PCI/CMA: Validate Subject Alternative Name in certificates alistair23
2026-06-23 5:07 ` sashiko-bot [this message]
2026-06-23 4:53 ` [PATCH v2 14/21] lib: rspdm: Support SPDM get_version alistair23
2026-06-23 5:10 ` sashiko-bot
2026-06-23 4:54 ` [PATCH v2 15/21] lib: rspdm: Support SPDM get_capabilities alistair23
2026-06-23 5:09 ` sashiko-bot
2026-06-23 4:54 ` [PATCH v2 16/21] lib: rspdm: Support SPDM negotiate_algorithms alistair23
2026-06-23 5:17 ` sashiko-bot
2026-06-23 4:54 ` [PATCH v2 17/21] lib: rspdm: Support SPDM get_digests alistair23
2026-06-23 5:17 ` sashiko-bot
2026-06-23 4:54 ` [PATCH v2 18/21] lib: rspdm: Support SPDM get_certificate alistair23
2026-06-23 5:20 ` sashiko-bot
2026-06-23 4:54 ` [PATCH v2 19/21] lib: rspdm: Support SPDM certificate validation alistair23
2026-06-23 5:19 ` sashiko-bot
2026-06-23 4:54 ` [PATCH v2 20/21] rust: allow extracting the buffer from a CString alistair23
2026-06-23 5:13 ` sashiko-bot
2026-06-23 4:54 ` [PATCH v2 21/21] lib: rspdm: Support SPDM challenge alistair23
2026-06-23 5:21 ` sashiko-bot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260623050716.CFCA31F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=alistair23@gmail.com \
--cc=linux-cxl@vger.kernel.org \
--cc=linux-pci@vger.kernel.org \
--cc=ojeda@kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox