Re: [PATCH 07/12] spdm: Introduce library to authenticate devices

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, 2023-10-03 at 15:39 +0100, Jonathan Cameron wrote:
> On Thu, 28 Sep 2023 19:32:37 +0200
> Lukas Wunner <lukas@xxxxxxxxx> wrote:
> 
> > From: Jonathan Cameron <Jonathan.Cameron@xxxxxxxxxx>
> > 
> > The Security Protocol and Data Model (SPDM) allows for
> > authentication,
> > measurement, key exchange and encrypted sessions with devices.
> > 
> > A commonly used term for authentication and measurement is
> > attestation.
> > 
> > SPDM was conceived by the Distributed Management Task Force (DMTF).
> > Its specification defines a request/response protocol spoken
> > between
> > host and attached devices over a variety of transports:
> > 
> >   https://www.dmtf.org/dsp/DSP0274
> > 
> > This implementation supports SPDM 1.0 through 1.3 (the latest
> > version).
> 
> I've no strong objection in allowing 1.0, but I think we do need
> to control min version accepted somehow as I'm not that keen to get
> security folk analyzing old version...

Agreed. I'm not sure we even need to support 1.0

> 
> > It is designed to be transport-agnostic as the kernel already
> > supports
> > two different SPDM-capable transports:
> > 
> > * PCIe Data Object Exchange (PCIe r6.1 sec 6.30, drivers/pci/doe.c)
> > * Management Component Transport Protocol (MCTP,
> >   Documentation/networking/mctp.rst)
> 
> The MCTP side of things is going to be interesting because mostly you
> need to jump through a bunch of hoops (address assignment, routing
> setup
> etc) before you can actually talk to a device.   That all involves
> a userspace agent.  So I'm not 100% sure how this will all turn out.
> However still makes sense to have a transport agnostic implementation
> as if nothing else it makes it easier to review as keeps us within
> one specification.

This list will probably expand in the future though

> > 
> > Use cases for SPDM include, but are not limited to:
> > 
> > * PCIe Component Measurement and Authentication (PCIe r6.1 sec
> > 6.31)
> > * Compute Express Link (CXL r3.0 sec 14.11.6)
> > * Open Compute Project (Attestation of System Components r1.0)
> >  
> > https://www.opencompute.org/documents/attestation-v1-0-20201104-pdf
> 
> Alastair, would it make sense to also call out some of the storage
> use cases you are interested in?

I don't really have anything to add at the moment. I think PCIe CMA
covers the current DOE work

Alistair




[Index of Archives]     [Kernel]     [Gnu Classpath]     [Gnu Crypto]     [DM Crypt]     [Netfilter]     [Bugtraq]
  Powered by Linux