Re: [PATCH 07/12] spdm: Introduce library to authenticate devices

On 10/12/23 12:26, Alistair Francis wrote:
> On Tue, 2023-10-03 at 15:39 +0100, Jonathan Cameron wrote:
>> On Thu, 28 Sep 2023 19:32:37 +0200
>> Lukas Wunner <lukas@xxxxxxxxx> wrote:
>>
>>> From: Jonathan Cameron <Jonathan.Cameron@xxxxxxxxxx>
>>>
>>> The Security Protocol and Data Model (SPDM) allows for authentication,
>>> measurement, key exchange and encrypted sessions with devices.
>>>
>>> A commonly used term for authentication and measurement is attestation.
>>>
>>> SPDM was conceived by the Distributed Management Task Force (DMTF).
>>> Its specification defines a request/response protocol spoken between
>>> host and attached devices over a variety of transports:
>>>
>>>   https://www.dmtf.org/dsp/DSP0274
>>>
>>> This implementation supports SPDM 1.0 through 1.3 (the latest version).
>>
>> I've no strong objection in allowing 1.0, but I think we do need
>> to control min version accepted somehow as I'm not that keen to get
>> security folk analyzing old version...
> 
> Agreed. I'm not sure we even need to support 1.0
> 
>>
>>> It is designed to be transport-agnostic as the kernel already supports
>>> two different SPDM-capable transports:
>>>
>>> * PCIe Data Object Exchange (PCIe r6.1 sec 6.30, drivers/pci/doe.c)
>>> * Management Component Transport Protocol (MCTP,
>>>   Documentation/networking/mctp.rst)
>>
>> The MCTP side of things is going to be interesting because mostly you
>> need to jump through a bunch of hoops (address assignment, routing setup
>> etc) before you can actually talk to a device.   That all involves
>> a userspace agent.  So I'm not 100% sure how this will all turn out.
>> However still makes sense to have a transport agnostic implementation
>> as if nothing else it makes it easier to review as keeps us within
>> one specification.
> 
> This list will probably expand in the future though
> 
>>>
>>> Use cases for SPDM include, but are not limited to:
>>>
>>> * PCIe Component Measurement and Authentication (PCIe r6.1 sec 6.31)
>>> * Compute Express Link (CXL r3.0 sec 14.11.6)
>>> * Open Compute Project (Attestation of System Components r1.0)
>>>   https://www.opencompute.org/documents/attestation-v1-0-20201104-pdf
>>
>> Alistair, would it make sense to also call out some of the storage
>> use cases you are interested in?
> 
> I don't really have anything to add at the moment. I think PCIe CMA
> covers the current DOE work

Specifications for SPDM encapsulation in SCSI and ATA commands (SECURITY
PROTOCOL IN/OUT and TRUSTED SEND/RECEIVE) are being worked on now but that is
still in early phases of definition. So that support can come later. I suspect
the API may need some modification to accommodate that use case, but we need
a more complete specification first to clearly see what is needed (if anything at
all).


-- 
Damien Le Moal
Western Digital Research



