libspdm: Support specifyig certificate model

Signed-off-by: Alistair Francis <[email protected]>
westerndigitalcorporation · Jul 15, 2024 · 6978819 · 6978819
1 parent 3ab6b28
commit 6978819
Show file tree

Hide file tree

Showing 3 changed files with 73 additions and 13 deletions.
diff --git a/src/libspdm/responder.rs b/src/libspdm/responder.rs
@@ -15,6 +15,12 @@ use std::io::{BufRead, BufReader};
 #[cfg(not(feature = "no_std"))]
 use std::path::Path;
 
+#[derive(Debug, Copy, Clone, PartialEq)]
+pub enum CertModel {
+    Alias,
+    Device,
+}
+
 /// # Summary
 ///
 /// Setup the capabilities of the responder. This matches the minimum required
@@ -46,6 +52,7 @@ pub fn setup_capabilities(
     spdm_ver: Option<u8>,
     asym_algo: u32,
     hash_algo: u32,
+    cert_mode: CertModel,
     heartbeat_period: u8,
 ) -> Result<(), ()> {
     assert!(slot_id < 8);
@@ -59,13 +66,17 @@ pub fn setup_capabilities(
             | SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_CHAL_CAP
             | SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_MEAS_CAP_SIG
             | SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_MAC_CAP
-            | SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_ALIAS_CERT_CAP
             | SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_CSR_CAP
             | SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_SET_CERT_CAP
             | SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_CERT_INSTALL_RESET_CAP
             | SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_CHUNK_CAP
             | SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_HBEAT_CAP
             | SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_KEY_UPD_CAP;
+
+        if cert_mode == CertModel::Alias {
+            data |= SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_ALIAS_CERT_CAP;
+        }
+
         let data_ptr = &mut data as *mut _ as *mut c_void;
         libspdm_set_data(
             context,
@@ -237,30 +248,46 @@ pub fn setup_capabilities(
             return Err(());
         }
 
-        let buffer;
+        let (cert_chain_buffer, cert_chain_size);
         #[cfg(feature = "no_std")]
         {
             assert!(slot_id == 0);
-            buffer = include_bytes!("../../certs/alias/slot0/bundle_responder.certchain.der");
+            if cert_mode == CertModel::Alias {
+                let buffer =
+                    include_bytes!("../../certs/alias/slot0/bundle_responder.certchain.der");
+                (cert_chain_buffer, cert_chain_size) =
+                    get_local_certchain(buffer, asym_algo, hash_algo, false);
+            } else {
+                let buffer = include_bytes!(
+                    "../../certs/device/slot0/bundle_responder.certchain.der"
+                )(cert_chain_buffer, cert_chain_size) =
+                    get_local_certchain(buffer, asym_algo, hash_algo, false);
+            }
         }
         #[cfg(not(feature = "no_std"))]
-        let mut reader;
-        #[cfg(not(feature = "no_std"))]
         {
-            let file_path = format!("certs/alias/slot{}/bundle_responder.certchain.der", slot_id);
+            let file_path = if cert_mode == CertModel::Alias {
+                format!("certs/alias/slot{}/bundle_responder.certchain.der", slot_id)
+            } else {
+                format!(
+                    "certs/device/slot{}/bundle_responder.certchain.der",
+                    slot_id
+                )
+            };
             let path = Path::new(&file_path);
 
             let file = match OpenOptions::new().read(true).write(false).open(path) {
                 Err(why) => panic!("couldn't open {}: {}", path.display(), why),
                 Ok(file) => file,
             };
 
-            reader = BufReader::new(file);
-            buffer = reader.fill_buf().unwrap();
+            let mut reader = BufReader::new(file);
+            let buffer = reader.fill_buf().unwrap();
+
+            (cert_chain_buffer, cert_chain_size) =
+                get_local_certchain(buffer, asym_algo, hash_algo, false);
         }
 
-        let (cert_chain_buffer, cert_chain_size) =
-            get_local_certchain(buffer, asym_algo, hash_algo, false);
         if LibspdmReturnStatus::libspdm_status_is_error(libspdm_set_data(
             context,
             libspdm_data_type_t_LIBSPDM_DATA_LOCAL_PUBLIC_CERT_CHAIN,

diff --git a/src/libspdm/spdm.rs b/src/libspdm/spdm.rs
@@ -1155,6 +1155,8 @@ pub unsafe extern "C" fn libspdm_write_certificate_to_nvm(
     }
     #[cfg(not(feature = "no_std"))]
     {
+        // TODO: We have no way to know if this is an alias or device
+        // certificate.
         let dir_name = format!("certs/alias/slot{}", slot_id);
         let file_name = format!("{}/immutable.der", dir_name);
         let path = Path::new(&file_name);

diff --git a/src/main.rs b/src/main.rs
@@ -15,7 +15,7 @@ use std::path::Path;
 #[macro_use]
 extern crate log;
 use env_logger::Env;
-use libspdm::{responder, spdm};
+use libspdm::{responder, responder::CertModel, spdm};
 
 pub static SOCKET_PATH: &str = "SPDM-Utils-loopback-socket";
 
@@ -181,6 +181,14 @@ enum Commands {
         /// These are communicated through the `GET_VERSION / VERSION` messages.
         #[arg(long, default_value = "1.3")]
         spdm_ver: Option<String>,
+
+        /// The SPDM certificate model to use. See `Figure 1 — SPDM certificate chain models`
+        /// in SPDM (DSP0274) version 1.3 for details.
+        /// Supports:
+        ///     - device: DeviceCert Model
+        ///     - alias: AliasCert Model (the default)
+        #[arg(long, default_value = "alias")]
+        certificate_model: String,
     },
     Tests,
 }
@@ -389,10 +397,31 @@ fn main() -> Result<(), ()> {
             request::prepare_request(cntx_ptr, code, cert_slot_id, cert_path, &mut session_info)
                 .unwrap();
         }
-        Commands::Response { spdm_ver } => {
+        Commands::Response {
+            spdm_ver,
+            certificate_model,
+        } => {
             let mut num_provisioned_slots = 0;
+
+            let model = if certificate_model == "alias" {
+                CertModel::Alias
+            } else if certificate_model == "device" {
+                CertModel::Device
+            } else {
+                panic!("Unsupported certificate model");
+            };
+
             for slot_id in 1..8 {
-                let file_name = format!("certs/alias/slot{}/immutable.der", slot_id);
+                let file_name = if certificate_model == "alias" {
+                    format!("certs/alias/slot{}/immutable.der", slot_id)
+                } else if certificate_model == "device" {
+                    format!(
+                        "certs/device/slot{}/bundle_responder.certchain.der",
+                        slot_id
+                    )
+                } else {
+                    panic!("Unsupported certificate model");
+                };
                 let path = Path::new(&file_name);
 
                 if OpenOptions::new()
@@ -407,6 +436,7 @@ fn main() -> Result<(), ()> {
                         None,
                         SPDM_ALGORITHMS_BASE_ASYM_ALGO_TPM_ALG_ECDSA_ECC_NIST_P384,
                         SPDM_ALGORITHMS_BASE_HASH_ALGO_TPM_ALG_SHA_384,
+                        model,
                         1,
                     )
                     .unwrap();
@@ -427,6 +457,7 @@ fn main() -> Result<(), ()> {
                 ver,
                 SPDM_ALGORITHMS_BASE_ASYM_ALGO_TPM_ALG_ECDSA_ECC_NIST_P384,
                 SPDM_ALGORITHMS_BASE_HASH_ALGO_TPM_ALG_SHA_384,
+                model,
                 1,
             )
             .unwrap();