On Thu, 28 Sep 2023 19:32:39 +0200
Lukas Wunner <lukas@xxxxxxxxx> wrote:

> PCIe r6.1 sec 6.31.3 stipulates requirements for X.509 Leaf Certificates
> presented by devices, in particular the presence of a Subject Alternative
> Name extension with a name that encodes the Vendor ID, Device ID, Device
> Serial Number, etc.

Lets you do any of
* What you have here
* Reference Integrity Manifest, e.g. see Trusted Computing Group
* A pointer to a location where such a Reference Integrity Manifest can be
  obtained.

So this text feels a little strong though I'm fine with only supporting the
Subject Alternative Name bit for now. Whoever has one of the other options
can add that support :)

>
> This prevents a mismatch between the device identity in Config Space and
> the certificate. A device cannot misappropriate a certificate from a
> different device without also spoofing Config Space. As a corollary,
> it cannot dupe an arbitrary driver into binding to it. (Only those
> which bind to the device identity in the Subject Alternative Name work.)
>
> Parse the Subject Alternative Name using a small ASN.1 module and
> validate its contents. The theory of operation is explained in a code
> comment at the top of the newly added cma-x509.c.
>
> This functionality is introduced in a separate commit on top of basic
> CMA-SPDM support to split the code into digestible, reviewable chunks.
>
> The CMA OID added here is taken from the official OID Repository
> (it's not documented in the PCIe Base Spec):
> https://oid-rep.orange-labs.fr/get/2.23.147
>
> Signed-off-by: Lukas Wunner <lukas@xxxxxxxxx>

I haven't looked at asn.1 recently enough to have any confidence on a review
of that bit...

So, for everything except the asn.1
Reviewed-by: Jonathan Cameron <Jonathan.Cameron@xxxxxxxxxx>
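
The identity check that the quoted commit message describes, sketched as an added example that is not part of this mail or of the kernel patch. It assumes a simplified, constructed name layout `Vendor=xxxx:Device=xxxx:Serial=<16 hex digits>` in lowercase hex and a hypothetical `struct dev_id` holding values read from Config Space; the normative format is the one in PCIe r6.1 sec 6.31.3.

```c
#include <stdint.h>
#include <string.h>

/* Identity as read from Config Space; this field set is an assumption. */
struct dev_id { uint16_t vendor, device; uint64_t serial; };

/* Parse exactly `digits` lowercase hex characters; return 0 on success. */
static int parse_hex(const char *s, size_t digits, uint64_t *out)
{
    uint64_t v = 0;
    for (size_t i = 0; i < digits; i++) {
        char c = s[i];
        unsigned d = (c >= '0' && c <= '9') ? c - '0' :
                     (c >= 'a' && c <= 'f') ? c - 'a' + 10 : 16;
        if (d > 15)
            return -1;
        v = (v << 4) | d;
    }
    *out = v;
    return 0;
}

/*
 * Compare a length-delimited SAN name (not NUL-terminated, as it comes out
 * of the ASN.1 decoder) against the device's Config Space identity.
 * Returns 0 on match, -1 if malformed, -2 if it names a different device.
 */
int san_check(const char *san, size_t len, const struct dev_id *cfg)
{
    static const struct { const char *key; size_t digits; } f[] = {
        { "Vendor=", 4 }, { "Device=", 4 }, { "Serial=", 16 } };
    uint64_t v[3];
    size_t pos = 0;

    for (size_t i = 0; i < 3; i++) {
        size_t kl = strlen(f[i].key);
        if (i && (pos >= len || san[pos++] != ':'))
            return -1;                      /* missing field separator */
        if (len - pos < kl + f[i].digits || memcmp(san + pos, f[i].key, kl))
            return -1;                      /* truncated or wrong field order */
        if (parse_hex(san + pos + kl, f[i].digits, &v[i]))
            return -1;
        pos += kl + f[i].digits;
    }
    if (pos != len)
        return -1;                          /* trailing bytes after last field */
    if (v[0] != cfg->vendor || v[1] != cfg->device || v[2] != cfg->serial)
        return -2;                          /* certificate is for another device */
    return 0;
}
```

Keeping "malformed" and "different device" as separate return codes lets the caller log a certificate that parses cleanly but names another device differently from one that is simply broken.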