On Tue, Oct 31, 2023 at 04:40:56PM -0700, Dionna Amalie Glaze wrote:
> Only read? Can user space not provide a nonce for replay protection
> here, or is that just inherent to the SPDM channel setup, and the

That's internal to SPDM, regardless whether SPDM is handled by
the TSM or OS kernel.

> These vendored certificates will only grow in size, and they're

The size of a cert chain is limited to 64 kByte by the SPDM spec.
A device may have 8 slots, each containing a cert chain.

> device-specific, so it makes sense for machines to have a local cache
> of all the provisioned certificates that get forwarded to the guest
> through the VMM. I'd like to see this kind of blob reporting as a more
> general mechanism, however, so we can get TDX-specific blobs in too
> without much fuss.

Cert chains and measurements from the interface report need to be
exposed as individual sysfs attributes for compatibility with
TEE-IO incapable devices. Blobs make zero sense here. Doubly so
if they're vendor-specific.

Thanks,

Lukas