From: Lukas Wunner <lukas@wunner.de>
To: Alistair Francis <alistair23@gmail.com>
Cc: wilfred.mallawa@wdc.com, Jonathan.Cameron@Huawei.com,
jiewen.yao@intel.com, qemu-devel@nongnu.org, kbusch@kernel.org,
its@irrelevant.dk, mst@redhat.com, marcel.apfelbaum@gmail.com,
hchkuo@avery-design.com.tw, cbrowy@avery-design.com,
qemu-block@nongnu.org,
Alistair Francis <alistair.francis@wdc.com>
Subject: Re: [PATCH 3/3] hw/nvme: Add SPDM over DOE support
Date: Mon, 2 Oct 2023 10:47:53 +0200
Message-ID: <20231002084753.GA23546@wunner.de>
In-Reply-To: <20230915112723.2033330-3-alistair.francis@wdc.com>
On Fri, Sep 15, 2023 at 09:27:23PM +1000, Alistair Francis wrote:
> --- /dev/null
> +++ b/docs/specs/spdm.rst
> @@ -0,0 +1,56 @@
> +======================================================
> +QEMU Security Protocols and Data Models (SPDM) Support
> +======================================================
> +
> +SPDM enables authentication, attestation and key exchange to assist in
> +providing infrastructure security enablement. It's a standard published
> +by the DMTF https://www.dmtf.org/standards/SPDM.
> +
> +Setting up a SPDM server
[...]
> + $ cd spdm-emu
> + $ git submodule init; git submodule update --recursive
> + $ mkdir build; cd build
> + $ cmake -DARCH=x64 -DTOOLCHAIN=GCC -DTARGET=Debug -DCRYPTO=openssl ..
> + $ make -j32
> + $ make copy_sample_key # Build certificates, required for SPDM authentication.
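Review bot: the introductory paragraph ("SPDM enables authentication, attestation and key exchange to assist in providing infrastructure security enablement") describes the standard but not what this series adds; suggest stating that the emulated NVMe device exposes SPDM over a PCIe DOE mailbox and relies on the external spdm-emu server the following steps build (via the socket backend from patch 2/3). Also, `make copy_sample_key` installs libspdm's sample certificates and keys, so the document should say plainly that these are test-only credentials.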
Might be worth pointing out that certificates need to have a
Subject Alternative Name in compliance with PCIe r6.1 sec 6.31.3,
what to add to openssl.cnf to get one, e.g. ...
subjectAltName = otherName:2.23.147;UTF8:Vendor=1b36:Device=0010:CC=010802:REV=02:SSVID=1af4:SSID=1100
2.23.147 = ASN1:OID:2.23.147
... and how to regenerate certificates after modifying openssl.cnf, e.g. ...
$ openssl req -nodes -newkey ec:param.pem -keyout end_responder.key -out end_responder.req -sha384 -batch -subj "/CN=DMTF libspdm ECP384 responder cert"
$ openssl x509 -req -in end_responder.req -out end_responder.cert -CA inter.cert -CAkey inter.key -sha384 -days 3650 -set_serial 3 -extensions v3_end -extfile ../openssl.cnf
$ openssl asn1parse -in end_responder.cert -out end_responder.cert.der
$ cat ca.cert.der inter.cert.der end_responder.cert.der > bundle_responder.certchain.der
Or preferably modify upstream libspdm to automate this process,
making it less cumbersome and error-prone.
> +static bool pcie_doe_spdm_rsp(DOECap *doe_cap)
> +{
> + void *req = pcie_doe_get_write_mbox_ptr(doe_cap);
> + uint32_t req_len = pcie_doe_get_obj_len(req) * 4;
> + void *rsp = doe_cap->read_mbox;
> + uint32_t rsp_len = SPDM_SOCKET_MAX_MESSAGE_BUFFER_SIZE;
> + uint32_t recvd;
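Review bot: `req_len` is taken from the length field of the guest-written DOE object (`pcie_doe_get_obj_len(req) * 4`) and `rsp_len` is fixed at `SPDM_SOCKET_MAX_MESSAGE_BUFFER_SIZE` while `rsp` points at `doe_cap->read_mbox`; the hunk shown neither bounds `req_len` against the write mailbox size nor shows that `read_mbox` can hold `SPDM_SOCKET_MAX_MESSAGE_BUFFER_SIZE` bytes, so please make sure both limits are enforced (here or in the callee) before the buffers are handed to the socket backend, and document the expectation in a comment above the function.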
Might be worth mentioning somewhere that this only implements the
responder role.
CPUs are coming to market which contain a Trusted Security Module.
Some of those TSMs are capable of the SPDM requester role. Should
qemu ever have the need to emulate a CPU containing a TSM, it may
become necessary to add SPDM requester support.
Thanks,
Lukas
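As an added example (not part of this message, the patch or libspdm), the following Python checks whether a certificate's SubjectAltName value carries the PCIe r6.1 sec 6.31.3 otherName (type-id 2.23.147) with the field layout used in the openssl.cnf line above; the DER input is a constructed sample of the SAN that line would produce, and the field regex assumes exactly that layout.

```python
import re

PCIE_DEVICE_ID_OID = "2.23.147"  # otherName type-id from PCIe r6.1 sec 6.31.3
# Assumed field layout, taken from the openssl.cnf line quoted in the review.
FIELD_RE = re.compile(r"^Vendor=([0-9a-fA-F]{4}):Device=([0-9a-fA-F]{4}):CC="
                      r"([0-9a-fA-F]{6}):REV=([0-9a-fA-F]{2}):SSVID=([0-9a-fA-F]{4})"
                      r":SSID=([0-9a-fA-F]{4})$")

def der_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER TLV at pos (short/long length)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                         # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_oid(value):
    """Decode OID content octets to dotted form (67 81 13 -> 2.23.147)."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def pcie_identity_from_san(san_der):
    """Return the 2.23.147 otherName fields of a SubjectAltName value, else None."""
    tag, names, _ = der_tlv(san_der)
    if tag != 0x30:                           # GeneralNames is a SEQUENCE
        return None
    pos = 0
    while pos < len(names):
        tag, gn, pos = der_tlv(names, pos)
        if tag != 0xA0:                       # [0] IMPLICIT OtherName
            continue
        t, oid, p = der_tlv(gn)
        if t != 0x06 or der_oid(oid) != PCIE_DEVICE_ID_OID:
            continue
        t, explicit, _ = der_tlv(gn, p)       # value is [0] EXPLICIT ANY
        t2, utf8, _ = der_tlv(explicit)
        if t != 0xA0 or t2 != 0x0C:           # must wrap a UTF8String
            return None
        m = FIELD_RE.match(utf8.decode("utf-8", "replace"))
        return dict(zip(("vendor", "device", "cc", "rev", "ssvid", "ssid"), m.groups())) if m else None
    return None

def tlv(tag, body):                           # short-form DER builder (< 128 bytes)
    return bytes([tag, len(body)]) + body

# Constructed sample: the SAN that the review's openssl.cnf line would produce.
SAMPLE_ID = b"Vendor=1b36:Device=0010:CC=010802:REV=02:SSVID=1af4:SSID=1100"
SAMPLE_SAN = tlv(0x30, tlv(0xA0, tlv(0x06, bytes([0x67, 0x81, 0x13]))
                           + tlv(0xA0, tlv(0x0C, SAMPLE_ID))))
```

To run it against a real certificate, extract the SubjectAltName extension value (the OCTET STRING contents) with any DER library and pass those bytes to `pcie_identity_from_san`.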