Skip to content

moshe8931/libspdm

 
 

Repository files navigation

libspdm is a sample implementation that follows the DMTF SPDM specifications

Features

  1. Specifications

    The SPDM and secured message libraries follow :

    DSP0274 Security Protocol and Data Model (SPDM) Specification (version 1.0.1, version 1.1.2 and version 1.2.1)

    DSP0277 Secured Messages using SPDM Specification (version 1.1.0)

    MCTP and secured MCTP follow :

    DSP0275 Security Protocol and Data Model (SPDM) over MCTP Binding Specification (version 1.0.0)

    DSP0276 Secured MCTP Messages over MCTP Binding Specification (version 1.0.0)

    PCIE follows :

    PCI Express Base Specification Revision 6.0 (version 1.0)

  2. Includes libraries that can be used to construct an SPDM Requester and an SPDM Responder.

  3. Programming Context

    The core libraries in libspdm/library require only the C99 freestanding headers and so are suitable for embedded and systems programming. Any functionality beyond the freestanding headers is provided by libspdm/os_stub or by the library's integrator. All statically allocated memory in the core libraries is read-only. The core libraries do not dynamically allocate memory.

  4. Implemented Requests and Responses

    SPDM 1.0: GET_VERSION, GET_CAPABILITIES, NEGOTIATE_ALGORITHMS, GET_DIGESTS, GET_CERTIFICATE, CHALLENGE, and GET_MEASUREMENTS.

    SPDM 1.1: KEY_EXCHANGE, FINISH, PSK_EXCHANGE, PSK_FINISH, END_SESSION, HEARTBEAT, KEY_UPDATE, and ENCAPSULATED messages.

    SPDM 1.2: GET_CSR, SET_CERTIFICATE, CHUNK_SEND, and CHUNK_GET.

  5. Cryptographic Algorithm Support

    The SPDM library requires cryptolib API, including random number generation, symmetric cryptography, asymmetric cryptography, hash, and message authentication code.

    Currently supported algorithms: Hash:SHA2/SHA3/SM3, Signature:RSA-SSA/RSA-PSS/ECDSA/EdDSA/SM2-Sign, KeyExchange:FFDHE/ECDHE/SM2-KeyExchange, AEAD:AES_GCM/ChaCha20Poly1305/SM4_GCM. NOTE: NIST algorithms and Shang-Mi (SM) algorithms should not be mixed together.

    An Mbed TLS wrapper is included in cryptlib_mbedtls. NOTE: SMx and EdDSA are not supported.

    An OpenSSL wrapper is included in cryptlib_openssl. NOTE: SM2-KeyExchange and SM4_GCM are not supported.

  6. Execution Context

    Support to build an OS application for spdm_requester_emu and spdm_responder_emu to trace communication between Requester and Responder.

    Support to be included in UEFI host environment EDKII, such as edkii_spdm_requester

    Support to be included in OpenBMC. It is in planning, see SPDM Integration.

Documents

  1. Presentation

    Open Source Firmware Conference 2020 - openspdm

    Free and Open Source Developers European Meeting 2021 - openspdm

  2. Library Threat Model

    The user guide can be found at threat_model.

  3. Library Design

    The detailed design can be found at design.

  4. User Guide

    The user guide can be found at user_guide.

Prerequisites

Build Tools for Windows

  1. Compiler (Choose one)

    a) Visual Studio 2022

    b) Visual Studio 2019

    c) Visual Studio 2015

    d) LLVM (LLVM13) Download: LLVM-13.0.0-win64.exe.

    • Add LLVM in PATH environment according to installation instruction.
    • Change LLVM install path to C:/LLVM.
    • LLVM13 works good for clang and libfuzzer build. Other versions are not validated for clang build.
    • Because the libfuzzer lib path is hard coded in CMakeLists, other versions may fail for libfuzzer build.
  2. CMake (Version 3.17.2 is known to work. Newer versions may fail).

Build Tools for Linux

  1. Compiler (Choose one)

    a) GCC (above GCC5)

    b) LLVM (above LLVM10), install steps: sudo apt-get install llvm-10 then sudo apt-get install clang-10. Use llvm-ar -version and clang -v to confirm the LLVM version. If LLVM installation fails or LLVM installation version is low, you can update Linux version to fix the issue.

  2. CMake.

Cryptography Library

  1. Mbed TLS as cryptography library. Version 2.28.1.

  2. OpenSSL as cryptography library. Version 1.1.1q.

Unit Test framework

  1. cmocka. Version 1.1.5.

Build

Git Submodule

libspdm uses submodules for mbedtls, openssl, and cmocka.

To get a fully buildable repository, use git submodule update --init. If there is an update for submodules, use git submodule update.

Windows Builds

For ia32 builds, use a x86 Native Tools Command Prompt for Visual Studio... command prompt.

For x64 builds, use a x64 Native Tools Command Prompt for Visual Studio... command prompt.

General build steps: (Note the .. at the end of the cmake command).

cd libspdm
mkdir build
cd build
cmake -G"NMake Makefiles" -DARCH=<x64|ia32> -DTOOLCHAIN=<VS2022|VS2019|VS2015|CLANG> -DTARGET=<Debug|Release> -DCRYPTO=<mbedtls|openssl> ..
nmake copy_sample_key
nmake

Example CMake commands:

cmake -G"NMake Makefiles" -DARCH=x64 -DTOOLCHAIN=VS2019 -DTARGET=Debug -DCRYPTO=mbedtls ..
cmake -G"NMake Makefiles" -DARCH=x64 -DTOOLCHAIN=VS2019 -DTARGET=Release -DCRYPTO=mbedtls ..
cmake -G"NMake Makefiles" -DARCH=x64 -DTOOLCHAIN=VS2019 -DTARGET=Debug -DCRYPTO=openssl ..
cmake -G"NMake Makefiles" -DARCH=x64 -DTOOLCHAIN=VS2019 -DTARGET=Release -DCRYPTO=openssl ..

Note ia32 build is not supported for CLANG build on Windows.

CMake can also generate Visual Studio project files. For example:

cmake -G"Visual Studio 16 2019" -DARCH=x64 -DTOOLCHAIN=VS2019 -DTARGET=Release -DCRYPTO=mbedtls ..

Support openssl binary build. For example:

Note: Please install the openssl with command `nmake install` before build libspdm.
cmake -G"Visual Studio 16 2019" -DARCH=x64 -DTOOLCHAIN=VS2019 -DTARGET=Release -DCRYPTO=openssl -DENABLE_BINARY_BUILD=1 -DCOMPILED_LIBCRYPTO_PATH=<OPENSSL_PATH>/libcrypto.lib -DCOMPILED_LIBSSL_PATH=<OPENSSL_PATH>/libssl.lib ..

Linux Builds

If ia32 builds run on a 64-bit Linux machine, then install sudo apt-get install gcc-multilib.

General build steps: (Note the .. at the end of the cmake command).

cd libspdm
mkdir build
cd build
cmake -DARCH=<x64|ia32|arm|aarch64|riscv32|riscv64|arc> -DTOOLCHAIN=<GCC|CLANG> -DTARGET=<Debug|Release> -DCRYPTO=<mbedtls|openssl> ..
make copy_sample_key
make

Example CMake commands:

cmake -DARCH=ia32 -DTOOLCHAIN=GCC -DTARGET=Debug -DCRYPTO=openssl ..
cmake -DARCH=ia32 -DTOOLCHAIN=GCC -DTARGET=Release -DCRYPTO=openssl ..
cmake -DARCH=arm -DTOOLCHAIN=GCC -DTARGET=Debug -DCRYPTO=openssl ..
cmake -DARCH=x64 -DTOOLCHAIN=CLANG -DTARGET=Release -DCRYPTO=mbedtls ..

Support openssl binary build. For example:

Note: Please install the openssl with command `sudo make install` before build libspdm.
cmake -DARCH=x64 -DTOOLCHAIN=GCC -DTARGET=Release -DCRYPTO=openssl -DENABLE_BINARY_BUILD=1 -DCOMPILED_LIBCRYPTO_PATH=<OPENSSL_PATH>/libcrypto.a -DCOMPILED_LIBSSL_PATH=<OPENSSL_PATH>/libssl.a ..

Run Test

The unit test output is at libspdm/build/bin. Open one command prompt at output dir to run test_spdm_requester > NUL and test_spdm_responder > NUL.

You should see something like:

      [==========] Running 2 test(s).
      [ RUN      ] test_spdm_responder_version_case1
      [       OK ] test_spdm_responder_version_case1
      [ RUN      ] test_spdm_responder_version_case2
      [       OK ] test_spdm_responder_version_case2
      [==========] 2 test(s) run.
      [  PASSED  ] 2 test(s).
   

Note: You must use a command prompt with the current working directory at libspdm/build/bin when running unit tests or they may fail. Eg. Don't run the unit tests from libsdpm/build directory by calling "bin/test_spdm_responder > NULL"

Other Tests

libspdm also supports other tests such as code coverage, fuzzing, symbolic execution, model checker.

Refer to test for more details.

Associated Repsositories

spdm-emu implements a full SPDM Requester and a full SPDM Responder using libspdm. It can be used to test a Requester or Responder implementation, or to see how libspdm can be integrated into a Requester or Responder implementation.

spdm-dump can be used to parse pcap files that capture SPDM traffic for offline analysis.

Features not implemented yet

  1. Refer to issues for more details.

Known limitations

This package is only the sample code to show the concept of SPDM and should not be considered fit for production. Any code including the API definition is subject to change.

About

No description, website, or topics provided.

Resources

License

Security policy

Stars

Watchers

Forks

Packages

No packages published

Languages

  • C 96.5%
  • CMake 3.0%
  • Other 0.5%