libspdm is a sample implementation that follows the DMTF SPDM specification
-
Specification
The SPDM and secured message follow :
DSP0274 Security Protocol and Data Model (SPDM) Specification (version 1.0.0 and version 1.1.0)
DSP0277 Secured Messages using SPDM Specification (version 1.0.0b)
The MCTP and secured MCTP follow :
DSP0275 Security Protocol and Data Model (SPDM) over MCTP Binding Specification (version 1.0.0)
DSP0276 Secured MCTP Messages over MCTP Binding Specification (version 1.0.0a)
The PCI DOE / IDE follow :
PCI Data Object Exchange (DOE) ECN
PCI Component Measurement and Authentication (CMA) ECN
PCI Integrity and Data Encryption (IDE) ECN
-
Both SPDM requester and SPDM responder.
-
Programming Context:
No heap is required in the SPDM lib. No writable global variable is required in the SPDM lib.
-
Implemented command and response:
SPDM 1.0: GET_VERSION, GET_CAPABILITY, NEGOTIATE_ALGORITHM, GET_DIGEST, GET_CERTIFICATE, CHALLENGE, GET_MEASUREMENT.
SPDM 1.1: KEY_EXCHANGE, FINISH, PSK_EXCHANGE, PSK_FINISH, END_SESSION, HEARTBEAT, KEY_UPDATE, ENCAPSULATED message
-
Cryptographic algorithm support:
The SPDM lib requires cryptolib API, including random number, symmetric crypto, asymmetric crypto, hash and message authentication code etc.
Current support algorithm: SHA-2, RSA-SSA/ECDSA, FFDHE/ECDHE, AES_GCM/ChaCha20Poly1305, HMAC.
An mbedtls wrapper is included in cryptlib_mbedtls.
An openssl wrapper is included in cryptlib_openssl.
-
Execution context:
Support to build an OS application for spdm_requester_emu and SpdmResponder_emu to trace the communication.
Support to be included in UEFI host environment EDKII, such as edkii_spdm_requester
Support to be included in OpenBMC. It is in planning, see SPDM Integration.
-
Presentation
Open Source Firmware Conference 2020 - openspdm
Free and Open Source Developers European Meeting 2021 - openspdm
-
openspdm library threat model:
The user guide can be found at threat_model
-
openspdm library design:
The detailed design can be found at design
-
openspdm user guide:
The user guide can be found at user_guide
-
Visual Studio (VS2015 or VS2019)
-
GCC (above GCC5)
-
LLVM (LLVM9)
Download and install LLVM9. Ensure LLVM9 executable directory is in PATH environment variable.
- cmocka. Version 1.1.5.
libspdm uses submodules for mbedtls, openssl and cmocka.
To get a full buildable repo, please use git submodule update --init
.
If there is an update for submodules, please use git submodule update
.
Use x86 command prompt for ARCH=ia32 and x64 command prompt for ARCH=x64. (TOOLCHAIN=VS2019|VS2015|CLANG)
cd libspdm
mkdir build
cd build
cmake -G"NMake Makefiles" -DARCH=<x64|ia32> -DTOOLCHAIN=<toolchain> -DTARGET=<Debug|Release> -DCRYPTO=<mbedtls|openssl> ..
nmake copy_sample_key
nmake
(TOOLCHAIN=GCC|CLANG)
cd libspdm
mkdir build
cd build
cmake -DARCH=<x64|ia32|arm|aarch64|riscv32|riscv64|arc> -DTOOLCHAIN=<toolchain> -DTARGET=<Debug|Release> -DCRYPTO=<mbedtls|openssl> ..
make copy_sample_key
make
Run unit_test
The UnitTest output is at libspdm/build/bin.
Open one command prompt at output dir to run test_spdm_requester > NUL
and test_spdm_responder > NUL
.
You may see something like:
[==========] Running 2 test(s). [ RUN ] test_spdm_responder_version_case1 [ OK ] test_spdm_responder_version_case1 [ RUN ] test_spdm_responder_version_case2 [ OK ] test_spdm_responder_version_case2 [==========] 2 test(s) run. [ PASSED ] 2 test(s).
Run spdm_emu
The spdm_emu output is at spdm_emu/build/bin.
Open one command prompt at output dir to run spdm_responder_emu
and another command prompt to run spdm_requester_emu
.
Please refer to spdm_emu for detail.
spdm_dump tool
The tool output is at spdm_dump/build/bin. It can be used to parse the pcap file for offline analysis.
Please refer to spdm_dump for detail.
openspdm also supports other test such as code coverage, fuzzing, symbolic execution, model checker.
Please refer to test for detail.
- Please refer to issues for detail
This package is only the sample code to show the concept. It does not have a full validation such as robustness functional test and fuzzing test. It does not meet the production quality yet. Any codes including the API definition, the libary and the drivers are subject to change.