On Thu, Oct 05, 2023 at 04:04:47PM +0200, Lukas Wunner wrote: > On Tue, Oct 03, 2023 at 04:04:55PM +0100, Jonathan Cameron wrote: > > On Thu, 28 Sep 2023 19:32:39 +0200 Lukas Wunner <lukas@xxxxxxxxx> wrote: > > > PCIe r6.1 sec 6.31.3 stipulates requirements for X.509 Leaf Certificates The PCIe spec does not contain "X.509", so I assume this is sort of a transitive requirement from SPDM. > > > presented by devices, in particular the presence of a Subject Alternative > > > Name extension with a name that encodes the Vendor ID, Device ID, Device > > > Serial Number, etc. > > > > Lets you do any of > > * What you have here > > * Reference Integrity Manifest, e.g. see Trusted Computing Group > > * A pointer to a location where such a Reference Integrity Manifest can be > > obtained. > > > > So this text feels a little strong though I'm fine with only support the > > Subject Alternative Name bit for now. Whoever has one of the other options > > can add that support :) > > I intend to amend the commit message as follows. If anyone believes > this is inaccurate, please let me know: > > Side note: Instead of a Subject Alternative Name, Leaf Certificates may > include "a Reference Integrity Manifest, e.g., see Trusted Computing > Group" or "a pointer to a location where such a Reference Integrity > Manifest can be obtained" (PCIe r6.1 sec 6.31.3). > > A Reference Integrity Manifest contains "golden" measurements which can > be compared to actual measurements retrieved from a device. It serves a > different purpose than the Subject Alternative Name, hence it is unclear > why the spec says only either of them is necessary. It is also unclear > how a Reference Integrity Manifest shall be encoded into a certificate. > > Ignore the Reference Integrity Manifest requirement until this confusion > is resolved by a spec update. Thanks for this; I was about to comment the same. Bjorn