On Tue, Jul 09, 2024 at 10:45:27AM +1000, Alexey Kardashevskiy wrote: > On 8/7/24 22:54, Lukas Wunner wrote: > > The short answer is, it's a bug in libspdm and the issue should > > go away once you update libspdm to version 3.1.0 or newer. > > Easier to hack lib/spdm/req-authenticate.c just to see how far I can get > with my device, now it is "Malformed certificate at slot 0 offset 0". In that case all (up to 8) certificate chains should have been retrieved and are available for examination in the certificates/ directory in sysfs (below the PCI device's directory). You can use ordinary openssl tooling to examine the certificates and see what's wrong with them, see the ABI documentation in patch [12/18] for examples: https://lore.kernel.org/all/e42905e3e5f1d5be39355e833fefc349acb0b03c.1719771133.git.lukas@xxxxxxxxx/ The "Malformed certificate at slot 0 offset 0" message means that the first certificate in the chain in slot 0 does not comply with requirements set forth in the SPDM spec. (E.g. Basic Constraints CA value shall be false for leaf cert, true for intermediate and root certs per SPDM 1.3.0 table 42.) The expectation is that vendors will test their devices and fix issues like this, so that end users never see those messages. The error message is emitted by spdm_validate_cert_chain(). The implementation calls that to identify a certificate chain which is considered valid by the kernel. The first one found is used for challenge-response authentication. If none is found valid, the kernel will try to perform challenge-response authentication with the first *provisioned* slot, regardless of its validity. That is done to expose a signature in sysfs about which user space can make up its own mind, see patch [17/18]: https://lore.kernel.org/all/dff8bcb091a3123e1c7c685f8149595e39bbdb8f.1719771133.git.lukas@xxxxxxxxx/ So despite the error message you should see a signature with full SPDM transcript and other ancillary data in the signatures/ directory in sysfs. Not sure yet whether that feature (exposing a signature despite cert chains' invalidity from the kernel POV) makes sense. We can also discuss adding ABI which allows user space to force challenge-response with a specific slot, or to declare a specific slot valid. Thanks, Lukas
