On Tue, 17 Oct 2023 15:21:55 +1000 Alistair Francis <alistai...@gmail.com> wrote:
> From: Wilfred Mallawa <wilfred.mall...@wdc.com> > > Setup Data Object Exchance (DOE) as an extended capability for the NVME > controller and connect SPDM to it (CMA) to it. > > Signed-off-by: Wilfred Mallawa <wilfred.mall...@wdc.com> > Signed-off-by: Alistair Francis <alistair.fran...@wdc.com> > --- > docs/specs/index.rst | 1 + > docs/specs/spdm.rst | 114 ++++++++++++++++++++++++++++++++++++ > include/hw/pci/pci_device.h | 5 ++ > include/hw/pci/pcie_doe.h | 3 + > hw/nvme/ctrl.c | 53 +++++++++++++++++ > 5 files changed, 176 insertions(+) > create mode 100644 docs/specs/spdm.rst > > diff --git a/docs/specs/index.rst b/docs/specs/index.rst > index e58be38c41..c398541388 100644 > --- a/docs/specs/index.rst > +++ b/docs/specs/index.rst > @@ -24,3 +24,4 @@ guest hardware that is specific to QEMU. > acpi_erst > sev-guest-firmware > fw_cfg > + spdm > diff --git a/docs/specs/spdm.rst b/docs/specs/spdm.rst > new file mode 100644 > index 0000000000..dfdc3cbb4d > --- /dev/null > +++ b/docs/specs/spdm.rst > @@ -0,0 +1,114 @@ > +====================================================== > +QEMU Security Protocols and Data Models (SPDM) Support > +====================================================== > + > +SPDM enables authentication, attestation and key exchange to assist in > +providing infrastructure security enablement. It's a standard published > +by the `DMTF`_. > + > +QEMU supports connecting to a SPDM Responder implementation. This allows an > +external application to emulate the SPDM Responder logic for an SPDM device. > + > +Setting up a SPDM server > +======================== > + > +When using QEMU with SPDM devices QEMU will connect to a server which > +implements the SPDM functionality. > + > +SPDM-Utils > +---------- > + > +You can use `SPDM Utils`_ to emulate a Responder. > + > +SPDM-Utils is a Linux applications to manage, test and develop devices > +supporting DMTF Security Protocol and Data Model (SPDM). It is written in > Rust > +and utilises libspdm. > + > +To use SPDM-Utils you will need to do the followoing: Spell check needed. following > + > + 1. `Build SPDM Utils`_ > + 2. `Generate the certificates`_ > + 3. `Run it as a server`_ > + > +spdm-emu > +-------- > + > +You can use `spdm emu`_ to model the > +SPDM responder. > + > +.. code-block:: shell > + > + $ cd spdm-emu > + $ git submodule init; git submodule update --recursive > + $ mkdir build; cd build > + $ cmake -DARCH=x64 -DTOOLCHAIN=GCC -DTARGET=Debug -DCRYPTO=openssl .. > + $ make -j32 > + $ make copy_sample_key # Build certificates, required for SPDM > authentication. > + > +It is worth noting that the certificates should be in compliance with > +PCIe r6.1 sec 6.31.3. This means you will need to add the following to > +openssl.cnf > + > +.. code-block:: > + > + subjectAltName = > otherName:2.23.147;UTF8:Vendor=1b36:Device=0010:CC=010802:REV=02:SSVID=1af4:SSID=1100 > + 2.23.147 = ASN1:OID:2.23.147 > + > +and then manually regenerate some certificates with: > + > +.. code-block:: shell > + > + openssl req -nodes -newkey ec:param.pem -keyout end_responder.key -out > end_responder.req -sha384 -batch -subj "/CN=DMTF libspdm ECP384 responder > cert" For these no need to have on oneline maybe some \ ? to make it easier to read if someone looks at the rst file. > + openssl x509 -req -in end_responder.req -out end_responder.cert -CA > inter.cert -CAkey inter.key -sha384 -days 3650 -set_serial 3 -extensions > v3_end -extfile ../openssl.cnf > + openssl asn1parse -in end_responder.cert -out end_responder.cert.der > + cat ca.cert.der inter.cert.der end_responder.cert.der > > bundle_responder.certchain.der > + Otherwise this all looks good to me. Reviewed-by: Jonathan Cameron <jonathan.came...@huawei.com>
