From 53fc1c27eda6134d8148a0ca7342a54fad268fc0 Mon Sep 17 00:00:00 2001 From: Wenxing Hou Date: Mon, 19 Feb 2024 22:27:33 +0800 Subject: [PATCH] MdePkg: Add SPDM1.2 support. Signed-off-by: Wenxing Hou --- MdePkg/Include/IndustryStandard/Spdm.h | 613 ++++++++++++++++++++++--- 1 file changed, 549 insertions(+), 64 deletions(-) diff --git a/MdePkg/Include/IndustryStandard/Spdm.h b/MdePkg/Include/IndustryStandard/Spdm.h index f32432f3235..b7323900573 100644 --- a/MdePkg/Include/IndustryStandard/Spdm.h +++ b/MdePkg/Include/IndustryStandard/Spdm.h @@ -12,6 +12,10 @@ SPDX-License-Identifier: BSD-2-Clause-Patent #pragma pack(1) +#define SPDM_MAX_SLOT_COUNT 8 +#define SPDM_MAX_OPAQUE_DATA_SIZE 1024 +#define SPDM_NONCE_SIZE 32 +#define SPDM_RANDOM_DATA_SIZE 32 /// /// SPDM response code (1.0) /// @@ -37,6 +41,13 @@ SPDX-License-Identifier: BSD-2-Clause-Patent #define SPDM_ENCAPSULATED_RESPONSE_ACK 0x6B #define SPDM_END_SESSION_ACK 0x6C /// +/// SPDM response code (1.2) +/// +#define SPDM_CSR 0x6D +#define SPDM_SET_CERTIFICATE_RSP 0x6E +#define SPDM_CHUNK_SEND_ACK 0x05 +#define SPDM_CHUNK_RESPONSE 0x06 +/// /// SPDM request code (1.0) /// #define SPDM_GET_DIGESTS 0x81 @@ -60,6 +71,13 @@ SPDX-License-Identifier: BSD-2-Clause-Patent #define SPDM_GET_ENCAPSULATED_REQUEST 0xEA #define SPDM_DELIVER_ENCAPSULATED_RESPONSE 0xEB #define SPDM_END_SESSION 0xEC +/// +/// SPDM request code (1.2) +/// +#define SPDM_GET_CSR 0xED +#define SPDM_SET_CERTIFICATE 0xEE +#define SPDM_CHUNK_SEND 0x85 +#define SPDM_CHUNK_GET 0x86 /// /// SPDM message header @@ -73,6 +91,7 @@ typedef struct { #define SPDM_MESSAGE_VERSION_10 0x10 #define SPDM_MESSAGE_VERSION_11 0x11 +#define SPDM_MESSAGE_VERSION_12 0x12 #define SPDM_MESSAGE_VERSION SPDM_MESSAGE_VERSION_10 /// 
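Review bot: The four size constants added right after `#pragma pack(1)` in the `@@ -12,6 +12,10 @@` hunk have no `///` header, unlike every other group in this file. Nothing says which wire fields they bound. Length fields such as `OpaqueDataLength` in `SPDM_GET_CSR_REQUEST` are UINT16, so a reader cannot tell from the header that values above `SPDM_MAX_OPAQUE_DATA_SIZE` are presumably meant to be rejected. A short header such as `/// Upper bounds used when validating slot ids, opaque data lengths, nonces and random data.` would make the intent explicit.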
@@ -99,13 +118,17 @@ typedef struct { /// /// SPDM VERSION structure /// -typedef struct { - UINT16 Alpha : 4; - UINT16 UpdateVersionNumber : 4; - UINT16 MinorVersion : 4; - UINT16 MajorVersion : 4; -} SPDM_VERSION_NUMBER; +/// bit[15:12] major_version +/// bit[11:8] minor_version +/// bit[7:4] update_version_number +/// bit[3:0] alpha +typedef UINT16 SPDM_VERSION_NUMBER; +#define SPDM_VERSION_NUMBER_SHIFT_BIT 8 +#define SPDM_VERSION_1_2_SIGNING_PREFIX_CONTEXT "dmtf-spdm-v1.2.*" +#define SPDM_VERSION_1_2_SIGNING_PREFIX_CONTEXT_SIZE \ + (sizeof(SPDM_VERSION_1_2_SIGNING_PREFIX_CONTEXT) - 1) +#define SPDM_VERSION_1_2_SIGNING_CONTEXT_SIZE 100 /// /// SPDM GET_CAPABILITIES request /// @@ -114,25 +137,33 @@ typedef struct { // Param1 == RSVD // Param2 == RSVD // Below field is added in 1.1. - UINT8 Reserved; - UINT8 CTExponent; - UINT16 Reserved2; - UINT32 Flags; + UINT8 Reserved; + UINT8 CTExponent; + UINT16 Reserved2; + UINT32 Flags; + //Below field is added in 1.2. + UINT32 DataTransferSize; + UINT32 MaxSpdmMsgSize; } SPDM_GET_CAPABILITIES_REQUEST; /// /// SPDM GET_CAPABILITIES response /// typedef struct { - SPDM_MESSAGE_HEADER Header; + SPDM_MESSAGE_HEADER Header; // Param1 == RSVD // Param2 == RSVD - UINT8 Reserved; - UINT8 CTExponent; - UINT16 Reserved2; - UINT32 Flags; + UINT8 Reserved; + UINT8 CTExponent; + UINT16 Reserved2; + UINT32 Flags; + // Below field is added in 1.2. + UINT32 DataTransferSize; + UINT32 MaxSpdmMsgSize; } SPDM_CAPABILITIES_RESPONSE; +#define SPDM_MIN_DATA_TRANSFER_SIZE_VERSION_12 42 + /// /// SPDM GET_CAPABILITIES request Flags (1.1) /// 
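Review bot: `SPDM_GET_CAPABILITIES_REQUEST` and `SPDM_CAPABILITIES_RESPONSE` now end with two fields that exist only in 1.2 messages, so `sizeof` of either structure no longer matches a 1.0 or 1.1 message on the wire. Code that sizes, copies or length-checks a received message with `sizeof` will either reject valid 1.1 traffic or read `DataTransferSize`/`MaxSpdmMsgSize` past the end of a shorter message. I would extend the field comment to say so, for example `// Below fields are added in 1.2 and are present only in 1.2+ messages; do not use sizeof() of this structure for 1.0/1.1 messages.` The same applies to `AckRequestId`/`Reserved[3]` added to `SPDM_ENCAPSULATED_RESPONSE_ACK_RESPONSE` in the `@@ -807,7 +1107,10 @@` hunk. The request structure's opening lines lie outside this hunk.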
@@ -149,7 +180,27 @@ typedef struct { #define SPDM_GET_CAPABILITIES_REQUEST_FLAGS_KEY_UPD_CAP BIT14 #define SPDM_GET_CAPABILITIES_REQUEST_FLAGS_HANDSHAKE_IN_THE_CLEAR_CAP BIT15 #define SPDM_GET_CAPABILITIES_REQUEST_FLAGS_PUB_KEY_ID_CAP BIT16 - +#define SPDM_GET_CAPABILITIES_REQUEST_FLAGS_11_MASK (\ + SPDM_GET_CAPABILITIES_REQUEST_FLAGS_CERT_CAP | \ + SPDM_GET_CAPABILITIES_REQUEST_FLAGS_CHAL_CAP | \ + SPDM_GET_CAPABILITIES_REQUEST_FLAGS_ENCRYPT_CAP | \ + SPDM_GET_CAPABILITIES_REQUEST_FLAGS_MAC_CAP | \ + SPDM_GET_CAPABILITIES_REQUEST_FLAGS_MUT_AUTH_CAP | \ + SPDM_GET_CAPABILITIES_REQUEST_FLAGS_KEY_EX_CAP | \ + SPDM_GET_CAPABILITIES_REQUEST_FLAGS_PSK_CAP | \ + SPDM_GET_CAPABILITIES_REQUEST_FLAGS_ENCAP_CAP | \ + SPDM_GET_CAPABILITIES_REQUEST_FLAGS_HBEAT_CAP | \ + SPDM_GET_CAPABILITIES_REQUEST_FLAGS_KEY_UPD_CAP | \ + SPDM_GET_CAPABILITIES_REQUEST_FLAGS_HANDSHAKE_IN_THE_CLEAR_CAP | \ + SPDM_GET_CAPABILITIES_REQUEST_FLAGS_PUB_KEY_ID_CAP) + +/// +/// SPDM GET_CAPABILITIES request Flags (1.2) +/// +#define SPDM_GET_CAPABILITIES_REQUEST_FLAGS_CHUNK_CAP BIT17 +#define SPDM_GET_CAPABILITIES_REQUEST_FLAGS_12_MASK (\ + SPDM_GET_CAPABILITIES_REQUEST_FLAGS_11_MASK | \ + SPDM_GET_CAPABILITIES_REQUEST_FLAGS_CHUNK_CAP) /// /// SPDM GET_CAPABILITIES response Flags (1.0) /// @@ -160,6 +211,12 @@ typedef struct { #define SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_MEAS_CAP_NO_SIG BIT3 #define SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_MEAS_CAP_SIG BIT4 #define SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_MEAS_FRESH_CAP BIT5 +#define SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_10_MASK (\ + SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_CACHE_CAP | \ + SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_CERT_CAP | \ + SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_CHAL_CAP | \ + SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_MEAS_CAP | \ + SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_MEAS_FRESH_CAP) /// /// SPDM GET_CAPABILITIES response Flags (1.1) /// 
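Review bot: The new `SPDM_GET_CAPABILITIES_REQUEST_FLAGS_11_MASK`, `..._REQUEST_FLAGS_12_MASK` and `SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_10_MASK` macros carry no comment saying what they are for. If each is the set of defined (non-reserved) Flags bits for that version, say so, e.g. `/// All Flags bits defined for a 1.1 Requester; any other bit is reserved.`, so a caller knows to mask received Flags before acting on them. `SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_MEAS_CAP`, used in the 1.0 response mask, is defined outside this hunk, so confirm it covers both `MEAS_CAP_NO_SIG` and `MEAS_CAP_SIG`.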
@@ -175,29 +232,70 @@ typedef struct { #define SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_KEY_UPD_CAP BIT14 #define SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_HANDSHAKE_IN_THE_CLEAR_CAP BIT15 #define SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_PUB_KEY_ID_CAP BIT16 - +#define SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_11_MASK (\ + SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_10_MASK | \ + SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_ENCRYPT_CAP | \ + SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_MAC_CAP | \ + SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_MUT_AUTH_CAP | \ + SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_KEY_EX_CAP | \ + SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_PSK_CAP | \ + SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_ENCAP_CAP | \ + SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_HBEAT_CAP | \ + SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_KEY_UPD_CAP | \ + SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_HANDSHAKE_IN_THE_CLEAR_CAP | \ + SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_PUB_KEY_ID_CAP) +/// +/// SPDM GET_CAPABILITIES response Flags (1.2) +/// +#define SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_CHUNK_CAP BIT17 +#define SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_ALIAS_CERT_CAP BIT18 + +/// +/// SPDM GET_CAPABILITIES response Flags (1.2.1) +/// +#define SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_SET_CERT_CAP BIT19 +#define SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_CSR_CAP BIT20 +#define SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_CERT_INSTALL_RESET_CAP BIT21 +#define SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_12_MASK (\ + SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_11_MASK | \ + SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_CHUNK_CAP | \ + SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_ALIAS_CERT_CAP | \ + SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_SET_CERT_CAP | \ + SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_CSR_CAP | \ + SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_CERT_INSTALL_RESET_CAP) /// /// SPDM NEGOTIATE_ALGORITHMS request /// typedef struct { - SPDM_MESSAGE_HEADER Header; - // Param1 == Number of Algorithms Structure Tables + SPDM_MESSAGE_HEADER Header; + // Param1 == Number of Algorithms Structure Tables // Param2 == RSVD - 
UINT16 Length; - UINT8 MeasurementSpecification; - UINT8 Reserved; - UINT32 BaseAsymAlgo; - UINT32 BaseHashAlgo; - UINT8 Reserved2[12]; - UINT8 ExtAsymCount; - UINT8 ExtHashCount; - UINT16 Reserved3; -//SPDM_EXTENDED_ALGORITHM ExtAsym[ExtAsymCount]; -//SPDM_EXTENDED_ALGORITHM ExtHash[ExtHashCount]; + UINT16 Length; + UINT8 MeasurementSpecification; + + // OtherParamsSupport is added in 1.2. + // BIT[0:3]=opaque_data_format support + // BIT[4:7]=Reserved + UINT8 OtherParamsSupport; + UINT32 BaseAsymAlgo; + UINT32 BaseHashAlgo; + UINT8 Reserved2[12]; + UINT8 ExtAsymCount; + UINT8 ExtHashCount; + UINT16 Reserved3; + // SPDM_EXTENDED_ALGORITHM ExtAsym[ExtAsymCount]; + // SPDM_EXTENDED_ALGORITHM ExtHash[ExtHashCount]; // Below field is added in 1.1. -//SPDM_NEGOTIATE_ALGORITHMS_STRUCT_TABLE AlgStruct[Param1]; + // SPDM_NEGOTIATE_ALGORITHMS_STRUCT_TABLE AlgStruct[Param1]; } SPDM_NEGOTIATE_ALGORITHMS_REQUEST; +#define SPDM_NEGOTIATE_ALGORITHMS_REQUEST_MAX_LENGTH_VERSION_10 BIT6 +#define SPDM_NEGOTIATE_ALGORITHMS_REQUEST_MAX_LENGTH_VERSION_11 BIT7 +#define SPDM_NEGOTIATE_ALGORITHMS_REQUEST_MAX_LENGTH_VERSION_12 BIT7 +#define SPDM_NEGOTIATE_ALGORITHMS_REQUEST_MAX_EXT_ALG_COUNT_VERSION_10 BIT3 +#define SPDM_NEGOTIATE_ALGORITHMS_REQUEST_MAX_EXT_ALG_COUNT_VERSION_11 (BIT4 | BIT2) +#define SPDM_NEGOTIATE_ALGORITHMS_REQUEST_MAX_EXT_ALG_COUNT_VERSION_12 (BIT4 | BIT2) + typedef struct { UINT8 AlgType; UINT8 AlgCount; // BIT[0:3]=ExtAlgCount, BIT[4:7]=FixedAlgByteCount @@ -210,6 +308,8 @@ typedef struct { UINT8 FixedAlgByteCount:4; } SPDM_NEGOTIATE_ALGORITHMS_STRUCT_TABLE_ALG_COUNT; +#define SPDM_NEGOTIATE_ALGORITHMS_MAX_NUM_STRUCT_TABLE_ALG 4 + #define SPDM_NEGOTIATE_ALGORITHMS_STRUCT_TABLE_ALG_TYPE_DHE 2 #define SPDM_NEGOTIATE_ALGORITHMS_STRUCT_TABLE_ALG_TYPE_AEAD 3 #define SPDM_NEGOTIATE_ALGORITHMS_STRUCT_TABLE_ALG_TYPE_REQ_BASE_ASYM_ALG 4 
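Review bot: `SPDM_NEGOTIATE_ALGORITHMS_REQUEST_MAX_LENGTH_VERSION_*` and `..._MAX_EXT_ALG_COUNT_VERSION_*` are numeric limits but are spelled with bit macros, so a reader has to decode `(BIT4 | BIT2)` to get 20 and `BIT6` to get 64. These look like the bounds a parser checks `Length` and the extended-algorithm counts against, where a misread value matters. I would write them as plain numbers, e.g. `#define SPDM_NEGOTIATE_ALGORITHMS_REQUEST_MAX_EXT_ALG_COUNT_VERSION_11 20`, with a one-line comment naming the field each one limits. In the same hunk `Reserved` is renamed to `OtherParamsSupport`, which breaks any existing user of the old field name.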
@@ -234,6 +334,13 @@ typedef struct { #define SPDM_ALGORITHMS_BASE_ASYM_ALGO_TPM_ALG_ECDSA_ECC_NIST_P384 BIT7 #define SPDM_ALGORITHMS_BASE_ASYM_ALGO_TPM_ALG_ECDSA_ECC_NIST_P521 BIT8 +/// +/// SPDM NEGOTIATE_ALGORITHMS request base_asym_algo/REQ_BASE_ASYM_ALG (1.2) +/// +#define SPDM_ALGORITHMS_BASE_ASYM_ALGO_TPM_ALG_SM2_ECC_SM2_P256 BIT9 +#define SPDM_ALGORITHMS_BASE_ASYM_ALGO_EDDSA_ED25519 BIT10 +#define SPDM_ALGORITHMS_BASE_ASYM_ALGO_EDDSA_ED448 BIT11 + /// /// SPDM NEGOTIATE_ALGORITHMS request BaseHashAlgo /// @@ -244,6 +351,11 @@ typedef struct { #define SPDM_ALGORITHMS_BASE_HASH_ALGO_TPM_ALG_SHA3_384 BIT4 #define SPDM_ALGORITHMS_BASE_HASH_ALGO_TPM_ALG_SHA3_512 BIT5 +/// +/// SPDM NEGOTIATE_ALGORITHMS request base_hash_algo (1.2) +/// +#define SPDM_ALGORITHMS_BASE_HASH_ALGO_TPM_ALG_SM3_256 BIT6 + /// /// SPDM NEGOTIATE_ALGORITHMS request DHE /// @@ -254,6 +366,11 @@ typedef struct { #define SPDM_ALGORITHMS_DHE_NAMED_GROUP_SECP_384_R1 BIT4 #define SPDM_ALGORITHMS_DHE_NAMED_GROUP_SECP_521_R1 BIT5 +/// +/// SPDM NEGOTIATE_ALGORITHMS request DHE (1.2) +/// +#define SPDM_ALGORITHMS_DHE_NAMED_GROUP_SM2_P256 BIT6 + /// /// SPDM NEGOTIATE_ALGORITHMS request AEAD /// @@ -261,6 +378,10 @@ typedef struct { #define SPDM_ALGORITHMS_AEAD_CIPHER_SUITE_AES_256_GCM BIT1 #define SPDM_ALGORITHMS_AEAD_CIPHER_SUITE_CHACHA20_POLY1305 BIT2 +/// +/// SPDM NEGOTIATE_ALGORITHMS request AEAD (1.2) +/// +#define SPDM_ALGORITHMS_AEAD_CIPHER_SUITE_AEAD_SM4_GCM BIT3 /// /// SPDM NEGOTIATE_ALGORITHMS request KEY_SCHEDULE /// 
@@ -270,23 +391,27 @@ typedef struct { /// SPDM NEGOTIATE_ALGORITHMS response /// typedef struct { - SPDM_MESSAGE_HEADER Header; + SPDM_MESSAGE_HEADER Header; // Param1 == Number of Algorithms Structure Tables // Param2 == RSVD - UINT16 Length; - UINT8 MeasurementSpecificationSel; - UINT8 Reserved; - UINT32 MeasurementHashAlgo; - UINT32 BaseAsymSel; - UINT32 BaseHashSel; - UINT8 Reserved2[12]; - UINT8 ExtAsymSelCount; - UINT8 ExtHashSelCount; - UINT16 Reserved3; -//SPDM_EXTENDED_ALGORITHM ExtAsymSel[ExtAsymSelCount]; -//SPDM_EXTENDED_ALGORITHM ExtHashSel[ExtHashSelCount]; + UINT16 Length; + UINT8 MeasurementSpecificationSel; + + // OtherParamsSelection is added in 1.2. + // BIT[0:3]=opaque_data_format select, + // BIT[4:7]=Reserved + UINT8 OtherParamsSelection; + UINT32 MeasurementHashAlgo; + UINT32 BaseAsymSel; + UINT32 BaseHashSel; + UINT8 Reserved2[12]; + UINT8 ExtAsymSelCount; + UINT8 ExtHashSelCount; + UINT16 Reserved3; + // SPDM_EXTENDED_ALGORITHM ExtAsymSel[ExtAsymSelCount]; + // SPDM_EXTENDED_ALGORITHM ExtHashSel[ExtHashSelCount]; // Below field is added in 1.1. -//SPDM_NEGOTIATE_ALGORITHMS_STRUCT_TABLE AlgStruct[Param1]; + // SPDM_NEGOTIATE_ALGORITHMS_STRUCT_TABLE AlgStruct[Param1]; } SPDM_ALGORITHMS_RESPONSE; /// 
@@ -300,6 +425,28 @@ typedef struct { #define SPDM_ALGORITHMS_MEASUREMENT_HASH_ALGO_TPM_ALG_SHA3_384 BIT5 #define SPDM_ALGORITHMS_MEASUREMENT_HASH_ALGO_TPM_ALG_SHA3_512 BIT6 +/// +/// SPDM NEGOTIATE_ALGORITHMS response measurement_hash_algo (1.2) +/// +#define SPDM_ALGORITHMS_MEASUREMENT_HASH_ALGO_TPM_ALG_SM3_256 BIT7 + +/// +/// SPDM Opaque Data Format (1.2) +/// +#define SPDM_ALGORITHMS_OPAQUE_DATA_FORMAT_NONE 0x0 +#define SPDM_ALGORITHMS_OPAQUE_DATA_FORMAT_0 0x1 +#define SPDM_ALGORITHMS_OPAQUE_DATA_FORMAT_1 0x2 +#define SPDM_ALGORITHMS_OPAQUE_DATA_FORMAT_MASK 0xF + +/// +/// SPDM Opaque Data Format 1 (1.2) +/// +typedef struct { + UINT8 TotalElements; + UINT8 Reserved[3]; + // opaque_element_table_t opaque_list[]; +} SPDM_GENERAL_OPAQUE_DATA_TABLE_HEADER; + /// /// SPDM extended algorithm /// @@ -352,6 +499,7 @@ typedef struct { UINT16 Length; } SPDM_GET_CERTIFICATE_REQUEST; +#define SPDM_GET_CERTIFICATE_REQUEST_SLOT_ID_MASK 0xF /// /// SPDM GET_CERTIFICATE response /// @@ -364,6 +512,8 @@ typedef struct { //UINT8 CertChain[PortionLength]; } SPDM_CERTIFICATE_RESPONSE; +#define SPDM_CERTIFICATE_RESPONSE_SLOT_ID_MASK 0xF + typedef struct { // // Total length of the certificate chain, in bytes, @@ -385,6 +535,10 @@ typedef struct { //UINT8 Certificates[Length - 4 - HashSize]; } SPDM_CERT_CHAIN; +/// +/// Maximum size, in bytes, of a certificate chain. +/// +#define SPDM_MAX_CERTIFICATE_CHAIN_SIZE 65535 /// /// SPDM CHALLENGE request /// @@ -395,13 +549,6 @@ typedef struct { UINT8 Nonce[32]; } SPDM_CHALLENGE_REQUEST; -/// -/// SPDM CHALLENGE request HashType -/// -#define SPDM_CHALLENGE_REQUEST_NO_MEASUREMENT_SUMMARY_HASH 0 -#define SPDM_CHALLENGE_REQUEST_TCB_COMPONENT_MEASUREMENT_HASH 1 -#define SPDM_CHALLENGE_REQUEST_ALL_MEASUREMENTS_HASH 0xFF - /// /// SPDM CHALLENGE response /// 
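Review bot: `SPDM_GET_CERTIFICATE_REQUEST_SLOT_ID_MASK 0xF` (and `SPDM_CERTIFICATE_RESPONSE_SLOT_ID_MASK` in the next hunk) yields values 0 to 15, while this patch defines `SPDM_MAX_SLOT_COUNT` as 8. A caller that masks the parameter and uses the result to index a per-slot array needs a separate range check, and the header gives no hint of that. I would add a comment on the mask, e.g. `// Masked value can exceed SPDM_MAX_SLOT_COUNT - 1; range-check before using it as an index.` The same applies to the `..._SLOT_ID_MASK` macros added for CHALLENGE_AUTH, GET_MEASUREMENTS, MEASUREMENTS and SET_CERTIFICATE in later hunks.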
@@ -417,13 +564,38 @@ typedef struct { //UINT8 Signature[KeySize]; } SPDM_CHALLENGE_AUTH_RESPONSE; +/// +/// SPDM generic request measurement summary HashType +/// +#define SPDM_REQUEST_NO_MEASUREMENT_SUMMARY_HASH 0 +#define SPDM_REQUEST_TCB_COMPONENT_MEASUREMENT_HASH 1 +#define SPDM_REQUEST_ALL_MEASUREMENTS_HASH 0xFF + +/// +/// SPDM CHALLENGE request measurement summary HashType +/// +#define SPDM_CHALLENGE_REQUEST_NO_MEASUREMENT_SUMMARY_HASH SPDM_REQUEST_NO_MEASUREMENT_SUMMARY_HASH +#define SPDM_CHALLENGE_REQUEST_TCB_COMPONENT_MEASUREMENT_HASH \ + SPDM_REQUEST_TCB_COMPONENT_MEASUREMENT_HASH +#define SPDM_CHALLENGE_REQUEST_ALL_MEASUREMENTS_HASH SPDM_REQUEST_ALL_MEASUREMENTS_HASH + +#define SPDM_CHALLENGE_AUTH_RESPONSE_ATTRIBUTE_SLOT_ID_MASK 0xF + typedef struct { UINT8 SlotNum:4; UINT8 Reserved:3; UINT8 BasicMutAuthReq:1; } SPDM_CHALLENGE_AUTH_RESPONSE_ATTRIBUTE; -#define SPDM_CHALLENGE_AUTH_RESPONSE_ATTRIBUTE_BASIC_MUT_AUTH_REQ BIT7 +/// +/// Deprecated in SPDM 1.2 +/// +#define SPDM_CHALLENGE_AUTH_RESPONSE_ATTRIBUTE_BASIC_MUT_AUTH_REQ BIT7 + +#define SPDM_CHALLENGE_AUTH_SIGN_CONTEXT "responder-challenge_auth signing" +#define SPDM_CHALLENGE_AUTH_SIGN_CONTEXT_SIZE (sizeof(SPDM_CHALLENGE_AUTH_SIGN_CONTEXT) - 1) +#define SPDM_MUT_CHALLENGE_AUTH_SIGN_CONTEXT "requester-challenge_auth signing" +#define SPDM_MUT_CHALLENGE_AUTH_SIGN_CONTEXT_SIZE (sizeof(SPDM_MUT_CHALLENGE_AUTH_SIGN_CONTEXT) - 1) /// /// SPDM GET_MEASUREMENTS request 
@@ -442,17 +614,24 @@ typedef struct { UINT8 Reserved:4; } SPDM_GET_MEASUREMENTS_REQUEST_SLOT_ID_PARAMETER; +#define SPDM_GET_MEASUREMENTS_REQUEST_SLOT_ID_MASK 0xF + /// /// SPDM GET_MEASUREMENTS request Attributes /// -#define SPDM_GET_MEASUREMENTS_REQUEST_ATTRIBUTES_GENERATE_SIGNATURE BIT0 +#define SPDM_GET_MEASUREMENTS_REQUEST_ATTRIBUTES_GENERATE_SIGNATURE BIT0 +#define SPDM_GET_MEASUREMENTS_REQUEST_ATTRIBUTES_RAW_BIT_STREAM_REQUESTED BIT1 +#define SPDM_GET_MEASUREMENTS_REQUEST_ATTRIBUTES_NEW_MEASUREMENT_REQUESTED BIT2 /// /// SPDM GET_MEASUREMENTS request MeasurementOperation /// #define SPDM_GET_MEASUREMENTS_REQUEST_MEASUREMENT_OPERATION_TOTAL_NUMBER_OF_MEASUREMENTS 0 -//SPDM_GET_MEASUREMENTS_REQUEST_MEASUREMENT_OPERATION_INDEX -#define SPDM_GET_MEASUREMENTS_REQUEST_MEASUREMENT_OPERATION_ALL_MEASUREMENTS 0xFF + +/// +/// SPDM_GET_MEASUREMENTS_REQUEST_MEASUREMENT_OPERATION_INDEX +/// +#define SPDM_GET_MEASUREMENTS_REQUEST_MEASUREMENT_OPERATION_ALL_MEASUREMENTS 0xFF /// /// SPDM MEASUREMENTS block common header 
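Review bot: Turning the old placeholder `//SPDM_GET_MEASUREMENTS_REQUEST_MEASUREMENT_OPERATION_INDEX` into a `///` block directly above `SPDM_GET_MEASUREMENTS_REQUEST_MEASUREMENT_OPERATION_ALL_MEASUREMENTS` makes it read as the documentation of the 0xFF value. The placeholder appears to stand for the values between the two defines, which select a single measurement by index rather than naming a constant. I would keep it as an ordinary comment that says so, e.g. `// Values between TOTAL_NUMBER_OF_MEASUREMENTS and ALL_MEASUREMENTS are a measurement index.`, and give `ALL_MEASUREMENTS` its own description.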
@@ -494,9 +673,46 @@ typedef struct { #define SPDM_MEASUREMENT_BLOCK_MEASUREMENT_TYPE_HARDWARE_CONFIGURATION 2 #define SPDM_MEASUREMENT_BLOCK_MEASUREMENT_TYPE_FIRMWARE_CONFIGURATION 3 #define SPDM_MEASUREMENT_BLOCK_MEASUREMENT_TYPE_MEASUREMENT_MANIFEST 4 +#define SPDM_MEASUREMENT_BLOCK_MEASUREMENT_TYPE_DEVICE_MODE 5 +#define SPDM_MEASUREMENT_BLOCK_MEASUREMENT_TYPE_VERSION 6 +#define SPDM_MEASUREMENT_BLOCK_MEASUREMENT_TYPE_SECURE_VERSION_NUMBER 7 #define SPDM_MEASUREMENT_BLOCK_MEASUREMENT_TYPE_MASK 0x7 #define SPDM_MEASUREMENT_BLOCK_MEASUREMENT_TYPE_RAW_BIT_STREAM BIT7 +/// +/// SPDM MEASUREMENTS block index +/// +#define SPDM_MEASUREMENT_BLOCK_MEASUREMENT_INDEX_MEASUREMENT_MANIFEST 0xFD +#define SPDM_MEASUREMENT_BLOCK_MEASUREMENT_INDEX_DEVICE_MODE 0xFE + +/// +/// SPDM MEASUREMENTS device mode +/// +typedef struct { + UINT32 OperationalModeCapabilities; + UINT32 OperationalModeState; + UINT32 DeviceModeCapabilities; + UINT32 DeviceModeState; +} SPDM_MEASUREMENT_DEVICE_MODE; + +#define SPDM_MEASUREMENT_DEVICE_OPERATION_MODE_MANUFACTURING_MODE BIT0 +#define SPDM_MEASUREMENT_DEVICE_OPERATION_MODE_VALIDATION_MODE BIT1 +#define SPDM_MEASUREMENT_DEVICE_OPERATION_MODE_NORMAL_MODE BIT2 +#define SPDM_MEASUREMENT_DEVICE_OPERATION_MODE_RECOVERY_MODE BIT3 +#define SPDM_MEASUREMENT_DEVICE_OPERATION_MODE_RMA_MODE BIT4 +#define SPDM_MEASUREMENT_DEVICE_OPERATION_MODE_DECOMMISSIONED_MODE BIT5 + +#define SPDM_MEASUREMENT_DEVICE_MODE_NON_INVASIVE_DEBUG_MODE_IS_ACTIVE BIT0 +#define SPDM_MEASUREMENT_DEVICE_MODE_INVASIVE_DEBUG_MODE_IS_ACTIVE BIT1 +#define SPDM_MEASUREMENT_DEVICE_MODE_NON_INVASIVE_DEBUG_MODE_HAS_BEEN_ACTIVE BIT2 +#define SPDM_MEASUREMENT_DEVICE_MODE_INVASIVE_DEBUG_MODE_HAS_BEEN_ACTIVE BIT3 +#define SPDM_MEASUREMENT_DEVICE_MODE_INVASIVE_DEBUG_MODE_HAS_BEEN_ACTIVE_AFTER_MFG BIT4 + +/// +/// SPDM MEASUREMENTS SVN +/// +typedef UINT64 SPDM_MEASUREMENTS_SECURE_VERSION_NUMBER; + /// /// SPDM GET_MEASUREMENTS response /// 
@@ -513,6 +729,21 @@ typedef struct { //UINT8 Signature[KeySize]; } SPDM_MEASUREMENTS_RESPONSE; +#define SPDM_MEASUREMENTS_RESPONSE_SLOT_ID_MASK 0xF + +/// +/// SPDM MEASUREMENTS content changed +/// +#define SPDM_MEASUREMENTS_RESPONSE_CONTENT_CHANGE_MASK 0x30 +#define SPDM_MEASUREMENTS_RESPONSE_CONTENT_CHANGE_NO_DETECTION 0x00 +#define SPDM_MEASUREMENTS_RESPONSE_CONTENT_CHANGE_DETECTED 0x10 +#define SPDM_MEASUREMENTS_RESPONSE_CONTENT_NO_CHANGE_DETECTED 0x20 + +#define SPDM_MEASUREMENTS_SIGN_CONTEXT "responder-measurements signing" +#define SPDM_MEASUREMENTS_SIGN_CONTEXT_SIZE (sizeof(SPDM_MEASUREMENTS_SIGN_CONTEXT) - 1) + +#define SPDM_MEL_SPECIFICATION_DMTF BIT0 + /// /// SPDM ERROR response /// @@ -523,6 +754,8 @@ typedef struct { // UINT8 ExtendedErrorData[]; } SPDM_ERROR_RESPONSE; +#define SPDM_EXTENDED_ERROR_DATA_MAX_SIZE 32 + /// /// SPDM error code /// @@ -531,19 +764,27 @@ typedef struct { #define SPDM_ERROR_CODE_UNEXPECTED_REQUEST 0x04 #define SPDM_ERROR_CODE_UNSPECIFIED 0x05 #define SPDM_ERROR_CODE_UNSUPPORTED_REQUEST 0x07 -#define SPDM_ERROR_CODE_MAJOR_VERSION_MISMATCH 0x41 +#define SPDM_ERROR_CODE_VERSION_MISMATCH 0x41 #define SPDM_ERROR_CODE_RESPONSE_NOT_READY 0x42 #define SPDM_ERROR_CODE_REQUEST_RESYNCH 0x43 #define SPDM_ERROR_CODE_VENDOR_DEFINED 0xFF /// /// SPDM error code (1.1) /// -#define SPDM_ERROR_CODE_INVALID_SESSION 0x02 #define SPDM_ERROR_CODE_DECRYPT_ERROR 0x06 #define SPDM_ERROR_CODE_REQUEST_IN_FLIGHT 0x08 #define SPDM_ERROR_CODE_INVALID_RESPONSE_CODE 0x09 #define SPDM_ERROR_CODE_SESSION_LIMIT_EXCEEDED 0x0A +/// +/// SPDM error code (1.2) +/// +#define SPDM_ERROR_CODE_SESSION_REQUIRED 0x0B +#define SPDM_ERROR_CODE_RESET_REQUIRED 0x0C +#define SPDM_ERROR_CODE_RESPONSE_TOO_LARGE 0x0D +#define SPDM_ERROR_CODE_REQUEST_TOO_LARGE 0x0E +#define SPDM_ERROR_CODE_LARGE_RESPONSE 0x0F +#define SPDM_ERROR_CODE_MESSAGE_LOST 0x10 /// /// SPDM ResponseNotReady extended data /// 
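Review bot: The `@@ -531,19 +764,27 @@` hunk renames `SPDM_ERROR_CODE_MAJOR_VERSION_MISMATCH` to `SPDM_ERROR_CODE_VERSION_MISMATCH` and drops `SPDM_ERROR_CODE_INVALID_SESSION`, removing two public names from a shared industry-standard header with no compatibility alias. Any consumer that still refers to either name stops compiling, and the commit message does not mention the removal. If the rename is intended, keeping `#define SPDM_ERROR_CODE_MAJOR_VERSION_MISMATCH SPDM_ERROR_CODE_VERSION_MISMATCH` under a deprecation comment would make the transition explicit, as this patch already does for `SPDM_CHALLENGE_AUTH_RESPONSE_ATTRIBUTE_BASIC_MUT_AUTH_REQ`. Separately, `SPDM_MEASUREMENTS_RESPONSE_CONTENT_NO_CHANGE_DETECTED` breaks the `CONTENT_CHANGE_` prefix used by the other three values in its group.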
@@ -561,6 +802,22 @@ typedef struct { SPDM_ERROR_DATA_RESPONSE_NOT_READY ExtendErrorData; } SPDM_ERROR_RESPONSE_DATA_RESPONSE_NOT_READY; +/// +/// SPDM LargeResponse extended data +/// +typedef struct { + UINT8 Handle; +} SPDM_ERROR_DATA_LARGE_RESPONSE; + +typedef struct { + SPDM_MESSAGE_HEADER Header; + + // param1 == Error Code + // param2 == Error data + // + SPDM_ERROR_DATA_LARGE_RESPONSE ExtendErrorData; +} SPDM_ERROR_RESPONSE_LARGE_RESPONSE; + /// /// SPDM RESPONSE_IF_READY request /// @@ -570,6 +827,18 @@ typedef struct { // Param2 == Token } SPDM_RESPONSE_IF_READY_REQUEST; +/// +/// Maximum size of a vendor defined message data length +/// limited by the length field size which is 2 bytes +/// +#define SPDM_MAX_VENDOR_DEFINED_DATA_LEN 65535 + +/// +/// Maximum size of a vendor defined vendor id length +/// limited by the length field size which is 1 byte +/// +#define SPDM_MAX_VENDOR_ID_LENGTH 255 + /// /// SPDM VENDOR_DEFINED request /// @@ -618,11 +887,18 @@ typedef struct { } SPDM_KEY_EXCHANGE_REQUEST; /// -/// SPDM KEY_EXCHANGE request HashType +/// SPDM KEY_EXCHANGE request session_policy /// -#define SPDM_KEY_EXCHANGE_REQUEST_NO_MEASUREMENT_SUMMARY_HASH 0 -#define SPDM_KEY_EXCHANGE_REQUEST_TCB_COMPONENT_MEASUREMENT_HASH 1 -#define SPDM_KEY_EXCHANGE_REQUEST_ALL_MEASUREMENTS_HASH 0xFF +#define SPDM_KEY_EXCHANGE_REQUEST_SESSION_POLICY_TERMINATION_POLICY_RUNTIME_UPDATE BIT0 + +/// +/// SPDM KEY_EXCHANGE request measurement summary HashType +/// +#define SPDM_KEY_EXCHANGE_REQUEST_NO_MEASUREMENT_SUMMARY_HASH \ + SPDM_REQUEST_NO_MEASUREMENT_SUMMARY_HASH +#define SPDM_KEY_EXCHANGE_REQUEST_TCB_COMPONENT_MEASUREMENT_HASH \ + SPDM_REQUEST_TCB_COMPONENT_MEASUREMENT_HASH +#define SPDM_KEY_EXCHANGE_REQUEST_ALL_MEASUREMENTS_HASH SPDM_REQUEST_ALL_MEASUREMENTS_HASH /// /// SPDM KEY_EXCHANGE response 
@@ -650,6 +926,18 @@ typedef struct { #define SPDM_KEY_EXCHANGE_RESPONSE_MUT_AUTH_REQUESTED_WITH_ENCAP_REQUEST BIT1 #define SPDM_KEY_EXCHANGE_RESPONSE_MUT_AUTH_REQUESTED_WITH_GET_DIGESTS BIT2 +#define SPDM_KEY_EXCHANGE_RESPONSE_SIGN_CONTEXT "responder-key_exchange_rsp signing" +#define SPDM_KEY_EXCHANGE_RESPONSE_SIGN_CONTEXT_SIZE \ + (sizeof(SPDM_KEY_EXCHANGE_RESPONSE_SIGN_CONTEXT) - 1) + +#define SPDM_VERSION_1_2_KEY_EXCHANGE_REQUESTER_CONTEXT "Requester-KEP-dmtf-spdm-v1.2" +#define SPDM_VERSION_1_2_KEY_EXCHANGE_REQUESTER_CONTEXT_SIZE \ + (sizeof(SPDM_VERSION_1_2_KEY_EXCHANGE_REQUESTER_CONTEXT) - 1) + +#define SPDM_VERSION_1_2_KEY_EXCHANGE_RESPONDER_CONTEXT "Responder-KEP-dmtf-spdm-v1.2" +#define SPDM_VERSION_1_2_KEY_EXCHANGE_RESPONDER_CONTEXT_SIZE \ + (sizeof(SPDM_VERSION_1_2_KEY_EXCHANGE_RESPONDER_CONTEXT) - 1) + /// /// SPDM FINISH request /// @@ -676,13 +964,16 @@ typedef struct { //UINT8 ResponderVerifyData[H]; } SPDM_FINISH_RESPONSE; +#define SPDM_FINISH_SIGN_CONTEXT "requester-finish signing" +#define SPDM_FINISH_SIGN_CONTEXT_SIZE (sizeof(SPDM_FINISH_SIGN_CONTEXT) - 1) + /// /// SPDM PSK_EXCHANGE request /// typedef struct { SPDM_MESSAGE_HEADER Header; // Param1 == HashType - // Param2 == RSVD + // Param2 == RSVD/session_policy (1.2) UINT16 ReqSessionID; UINT16 PSKHintLength; UINT16 RequesterContextLength; @@ -692,6 +983,15 @@ typedef struct { //UINT8 OpaqueData[OpaqueLength]; } SPDM_PSK_EXCHANGE_REQUEST; +/// +/// SPDM PSK_EXCHANGE request measurement summary HashType +/// +#define SPDM_PSK_EXCHANGE_REQUEST_NO_MEASUREMENT_SUMMARY_HASH \ + SPDM_REQUEST_NO_MEASUREMENT_SUMMARY_HASH +#define SPDM_PSK_EXCHANGE_REQUEST_TCB_COMPONENT_MEASUREMENT_HASH \ + SPDM_REQUEST_TCB_COMPONENT_MEASUREMENT_HASH +#define SPDM_PSK_EXCHANGE_REQUEST_ALL_MEASUREMENTS_HASH SPDM_REQUEST_ALL_MEASUREMENTS_HASH + /// /// SPDM PSK_EXCHANGE response /// 
@@ -807,7 +1107,10 @@ typedef struct { SPDM_MESSAGE_HEADER Header; // Param1 == RequestID // Param2 == PayloadType -//UINT8 EncapsulatedRequest[]; + // below 4 bytes are added in 1.2. + UINT8 AckRequestId; + UINT8 Reserved[3]; + // UINT8 EncapsulatedRequest[]; } SPDM_ENCAPSULATED_RESPONSE_ACK_RESPONSE; /// 
@@ -840,6 +1143,188 @@ typedef struct { // Param2 == RSVD } SPDM_END_SESSION_RESPONSE; +// +// Below command is defined in SPDM 1.2 +// + +/// +/// SPDM SET_CERTIFICATE request +/// +typedef struct { + SPDM_MESSAGE_HEADER Header; + + // param1 == BIT[0:3]=slot_id, BIT[4:7]=RSVD + // param2 == RSVD + // param1 and param2 are updated in 1.3 + // param1 == Request attributes, BIT[0:3]=slot_id, BIT[4:6]=SetCertModel, BIT[7]=Erase + // param2 == KeyPairID + // void * CertChain +} SPDM_SET_CERTIFICATE_REQUEST; + +#define SPDM_SET_CERTIFICATE_REQUEST_SLOT_ID_MASK 0xF + +/// +/// SPDM SET_CERTIFICATE request Attributes +/// +#define SPDM_SET_CERTIFICATE_REQUEST_ATTRIBUTES_CERT_MODEL_MASK 0x70 +#define SPDM_SET_CERTIFICATE_REQUEST_ATTRIBUTES_CERT_MODEL_OFFSET 4 +#define SPDM_SET_CERTIFICATE_REQUEST_ATTRIBUTES_ERASE 0x80 + +/// +/// SPDM SET_CERTIFICATE_RSP response +/// +typedef struct { + SPDM_MESSAGE_HEADER Header; + + // param1 == BIT[0:3]=slot_id, BIT[4:7]=RSVD + // param2 == RSVD +} SPDM_SET_CERTIFICATE_RESPONSE; + +#define SPDM_SET_CERTIFICATE_RESPONSE_SLOT_ID_MASK 0xF + +/// +/// SPDM GET_CSR request +/// +typedef struct { + SPDM_MESSAGE_HEADER Header; + UINT16 RequesterInfoLength; + UINT16 OpaqueDataLength; + + // UINT8 RequesterInfo[RequesterInfoLength]; + // UINT8 OpaqueData[OpaqueDataLength]; +} SPDM_GET_CSR_REQUEST; + +/// +/// SPDM GET_CSR request Attributes +/// +#define SPDM_GET_CSR_REQUEST_ATTRIBUTES_CERT_MODEL_MASK 0x07 +#define SPDM_GET_CSR_REQUEST_ATTRIBUTES_CSR_TRACKING_TAG_MASK 0x38 +#define SPDM_GET_CSR_REQUEST_ATTRIBUTES_CSR_TRACKING_TAG_OFFSET 3 +#define SPDM_GET_CSR_REQUEST_ATTRIBUTES_OVERWRITE 0x80 +#define SPDM_GET_CSR_REQUEST_ATTRIBUTES_MAX_CSR_CERT_MODEL 4 + +/// +/// Maximum size, in bytes, of a CSR. 
+/// +#define SPDM_MAX_CSR_SIZE 65535 + +/// +/// SPDM CSR response +/// +typedef struct { + SPDM_MESSAGE_HEADER Header; + + // param1 == RSVD + // param2 == RSVD + UINT16 CsrLength; + UINT16 Reserved; +} SPDM_CSR_RESPONSE; + +/// +/// SPDM CHUNK_SEND request +/// +typedef struct { + SPDM_MESSAGE_HEADER Header; + + // param1 - Request Attributes + // param2 - Handle + UINT16 ChunkSeqNo; + UINT16 Reserved; + UINT32 ChunkSize; + + // UINT32 LargeMessageSize; + // UINT8 SpdmChunk[ChunkSize]; +} SPDM_CHUNK_SEND_REQUEST; + +#define SPDM_CHUNK_SEND_REQUEST_ATTRIBUTE_LAST_CHUNK (1 << 0) + +/// +/// SPDM CHUNK_SEND_ACK response +/// +typedef struct { + SPDM_MESSAGE_HEADER Header; + + // param1 - Response Attributes + // param2 - Handle + UINT16 ChunkSeqNo; + // UINT8 response_to_large_request[variable] +} SPDM_CHUNK_SEND_ACK_RESPONSE; + +#define SPDM_CHUNK_SEND_ACK_RESPONSE_ATTRIBUTE_EARLY_ERROR_DETECTED (1 << 0) + +/// +/// SPDM CHUNK_GET request +/// +typedef struct { + SPDM_MESSAGE_HEADER Header; + + // param1 - Reserved + // param2 - Handle + UINT16 ChunkSeqNo; +} SPDM_CHUNK_GET_REQUEST; + +/// +/// SPDM CHUNK_RESPONSE response +/// +typedef struct { + SPDM_MESSAGE_HEADER Header; + + // param1 - Response Attributes + // param2 - Handle + UINT16 ChunkSeqNo; + UINT16 Reserved; + UINT32 ChunkSize; + + // UINT32 LargeMessageSize; + // UINT8 SpdmChunk[ChunkSize]; +} SPDM_CHUNK_RESPONSE_RESPONSE; + +#define SPDM_CHUNK_GET_RESPONSE_ATTRIBUTE_LAST_CHUNK (1 << 0) #pragma pack() +#define SPDM_VERSION_1_1_BIN_CONCAT_LABEL "spdm1.1 " +#define SPDM_VERSION_1_2_BIN_CONCAT_LABEL "spdm1.2 " +#define SPDM_BIN_STR_0_LABEL "derived" +#define SPDM_BIN_STR_1_LABEL "req hs data" +#define SPDM_BIN_STR_2_LABEL "rsp hs data" +#define SPDM_BIN_STR_3_LABEL "req app data" +#define SPDM_BIN_STR_4_LABEL "rsp app data" +#define SPDM_BIN_STR_5_LABEL "key" +#define SPDM_BIN_STR_6_LABEL "iv" +#define SPDM_BIN_STR_7_LABEL "finished" +#define SPDM_BIN_STR_8_LABEL "exp master" +#define 
SPDM_BIN_STR_9_LABEL "traffic upd" + +/// +/// The maximum amount of time in microseconds the Responder has to provide a response +/// to requests that do not require cryptographic processing. +/// +#define SPDM_ST1_VALUE_US 100000 + +/// +/// id-DMTF 1.3.6.1.4.1.412 +/// +#define SPDM_OID_DMTF \ + {0x2B, 0x06, 0x01, 0x04, 0x01, 0x83, 0x1C } +// id-DMTF-spdm, { id-DMTF 274 }, 1.3.6.1.4.1.412.274 +#define SPDM_OID_DMTF_SPDM \ + {0x06, 0x01, 0x04, 0x01, 0x83, 0x1C, 0x82, 0x12 } +// id-DMTF-device-info, { id-DMTF-spdm 1 }, 1.3.6.1.4.1.412.274.1 +#define SPDM_OID_DMTF_DEVICE_INFO \ + {0x2B, 0x06, 0x01, 0x04, 0x01, 0x83, 0x1C, 0x82, 0x12, 0x01 } +// id-DMTF-hardware-identity, { id-DMTF-spdm 2 }, 1.3.6.1.4.1.412.274.2 +#define SPDM_OID_DMTF_HARDWARE_IDENTITY \ + {0x2B, 0x06, 0x01, 0x04, 0x01, 0x83, 0x1C, 0x82, 0x12, 0x02 } +// id-DMTF-eku-responder-auth, { id-DMTF-spdm 3 }, 1.3.6.1.4.1.412.274.3 +#define SPDM_OID_DMTF_EKU_RESPONDER_AUTH \ + {0x2B, 0x06, 0x01, 0x04, 0x01, 0x83, 0x1C, 0x82, 0x12, 0x03 } +// id-DMTF-eku-requester-auth, { id-DMTF-spdm 4 }, 1.3.6.1.4.1.412.274.4 +#define SPDM_OID_DMTF_EKU_REQUESTER_AUTH \ + {0x2B, 0x06, 0x01, 0x04, 0x01, 0x83, 0x1C, 0x82, 0x12, 0x04 } +// id-DMTF-mutable-certificate, { id-DMTF-spdm 5 }, 1.3.6.1.4.1.412.274.5 +#define SPDM_OID_DMTF_MUTABLE_CERTIFICATE \ + {0x2B, 0x06, 0x01, 0x04, 0x01, 0x83, 0x1C, 0x82, 0x12, 0x05 } +// id-DMTF-SPDM-extension, { id-DMTF-spdm 6 }, 1.3.6.1.4.1.412.274.6 +#define SPDM_OID_DMTF_SPDM_EXTENSION \ + {0x2B, 0x06, 0x01, 0x04, 0x01, 0x83, 0x1C, 0x82, 0x12, 0x06 } #endif
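Review bot: `SPDM_OID_DMTF_SPDM` is defined as `{0x06, 0x01, 0x04, 0x01, 0x83, 0x1C, 0x82, 0x12 }`, which lacks the leading `0x2B` that every sibling OID in this block starts with and that the comment's `1.3.6.1.4.1.412.274` requires. As written the bytes do not encode the id-DMTF-spdm arc, so a comparison against an OID taken from a certificate would not match as intended. The line should read `{0x2B, 0x06, 0x01, 0x04, 0x01, 0x83, 0x1C, 0x82, 0x12 }`. Separately, the `(1 << 0)` chunk attribute macros in this hunk differ from the `BITn` style used in the rest of the file.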