Add SPDM 1.3 new feature:get_key_pair_info #2771
return LIBSPDM_STATUS_UNSUPPORTED_CAP; | ||
} | ||
|
||
if ((key_pair_id == 0) || (key_pair_id > SPDM_MAX_SLOT_COUNT)) { |
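Review bot: the upper bound in `(key_pair_id > SPDM_MAX_SLOT_COUNT)` measures a key pair identifier against the certificate slot limit, which is a different index space; a Responder with more key pairs than slots would have its higher IDs rejected here. Bound key_pair_id by a key pair count instead (a dedicated constant or the Responder's total), and keep the `key_pair_id == 0` rejection.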
@steven-bellock, do you agree with this check: key_pair_id > SPDM_MAX_SLOT_COUNT?
The number of KeyPairIds can be larger than the number of certificate slots. But we can run that by the SPDM Working Group to ensure that's what was intended in the specification.
@@ -503,6 +503,7 @@ libspdm_return_t libspdm_set_data(void *spdm_context, libspdm_data_type_t data_t | |||
return LIBSPDM_STATUS_INVALID_PARAMETER; |
The check at line 499 should be > LIBSPDM_MAX_KEY_PAIR_COUNT.
libspdm/library/spdm_common_lib/libspdm_com_context_data.c
Lines 494 to 506 in 504fd45
    case LIBSPDM_DATA_LOCAL_KEY_PAIR_ID:
        if (parameter->location != LIBSPDM_DATA_LOCATION_LOCAL) {
            return LIBSPDM_STATUS_INVALID_PARAMETER;
        }
        slot_id = parameter->additional_data[0];
        if (slot_id >= SPDM_MAX_SLOT_COUNT) {
            return LIBSPDM_STATUS_INVALID_PARAMETER;
        }
        if (data_size != sizeof(spdm_key_pair_id_t)) {
            return LIBSPDM_STATUS_INVALID_PARAMETER;
        }
        context->local_context.local_key_pair_id[slot_id] = *(spdm_key_pair_id_t *)data;
        break;
This set data operation is just to create an association between slot_id and key_pair_id. Do you mean we need to add a check for the data? The set data (key pair id) should be < LIBSPDM_MAX_KEY_PAIR_COUNT.
For the Requester API I'm not sure there's much value to storing the
the values returned can then be evaluated and used in |
The keypairinfo should be saved to device NVS. |
libspdm_key_pair_info_t key_pair_info[LIBSPDM_MAX_KEY_PAIR_COUNT]; | ||
|
||
/*provisioned key pair info*/ | ||
uint8_t public_key_info_rsa2048[] = {0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, |
needs to add all algorithms.
I filed https://github.com/DMTF/SPDM-WG/issues/3543. There may be more checks if the Responder's SET_KEY_PAIR_INFO_CAP == 0.
* @param spdm_context A pointer to the SPDM context. | ||
* @param key_pair_id Indicate which key pair ID's information to retrieve. | ||
* | ||
* @param total_key_pairs Indicate the total number of key pairs on the responder. |
As was clarified in https://github.com/DMTF/SPDM-WG/issues/3526#issuecomment-2233350803, total_key_pairs is fixed. As such it can be stored in the spdm_context and removed from this function.
Hi. The total_key_pair is still returned in the function. Because the key pair info is provisioned by the responder device, the key pair number should be consistent.
We'll see what @jyao1's opinion is when he gets back.
Can we design a new API named libspdm_get_total_key_pairs()? Then, we don't need the total_key_pairs parameter in this function.
> Can we design a new API named libspdm_get_total_key_pairs() ?
If it's going to be returned in a function then it should be in libspdm_read_key_pair_info. What I, and the SPDM specification, are saying is that since total_key_pairs is fixed at the beginning of the connection and cannot change then just put it in the spdm_context.
I am fine with that. We can add LIBSPDM_DATA_TOTAL_KEY_PAIRS_NUMBER data type.
Just LIBSPDM_DATA_TOTAL_KEY_PAIRS.
> Just LIBSPDM_DATA_TOTAL_KEY_PAIRS.
This will cause misunderstanding. LIBSPDM_DATA_TOTAL_KEY_PAIRS may be interpreted as total key pairs information.
Thanks. I have fixed the feedback. Please review the comparison: https://github.com/DMTF/libspdm/compare/6fc54f2033535b9f78a1bfe0faf519e5c9396ba3..6a04b803a95ec3406e09a6d13e81e1530012a14c
As was clarified in https://github.com/DMTF/SPDM-WG/issues/3543#issuecomment-2273487285 if the Responder's
needs to be removed. |
Yes. I have added the check:
And I have deleted the assoc_cert_slot_mask check in get_key_pair_info. |
doc/user_guide.md
Outdated
@@ -421,6 +421,12 @@ Refer to spdm_server_init() in [spdm_responder.c](https://github.com/DMTF/spdm-e | |||
|
|||
1.7, if PSK is required, optionally deploy PSK Hint in the call to libspdm_start_session(). | |||
|
|||
1.8, if responder can support multi key pairs, the total_key_pairs need be set. |
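Review bot: step 1.8 says "the total_key_pairs need be set" without naming how or when: it gives neither the data type to pass to libspdm_set_data() nor the capability that makes the setting mandatory, and "can support multi key pairs" is not a condition an integrator can test. Reword it as a requirement tied to the capability flag and name the data type to set.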
if Responder sets GET_KEY_PAIR_INFO_CAP then LIBSPDM_DATA_TOTAL_KEY_PAIRS must be set.
Thanks. I have fixed it.
|
||
total_key_pairs = spdm_context->local_context.total_key_pairs; | ||
key_pair_id = spdm_request->key_pair_id; | ||
if ((key_pair_id == 0) || (key_pair_id >= total_key_pairs)) { |
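Review bot: `key_pair_id >= total_key_pairs` is off by one given that the same condition rejects `key_pair_id == 0`: IDs then start at 1, so the ID equal to total_key_pairs is a valid key pair and is refused here. Use `key_pair_id > total_key_pairs`. It is also worth confirming that total_key_pairs in local_context has been set before this handler runs, since a value of 0 makes every request fail this check.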
key_pair_id > total_key_pairs
Thanks. I have fixed it.
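The two bounds debated in this review (a 0-based slot_id limited by the slot count, a 1-based key_pair_id limited by total_key_pairs), as an added example that is not code from this pull request or from libspdm. The ex_ names, the slot count of 8 and the one-byte ID type are assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Assumed for this example only; not taken from the libspdm headers. */
#define EX_MAX_SLOT_COUNT 8  /* certificate slots, indexed 0..7 */

typedef struct {
    uint8_t total_key_pairs;                     /* fixed for the connection */
    uint8_t slot_key_pair_id[EX_MAX_SLOT_COUNT]; /* 0 = no association */
} ex_context_t;

/* KeyPairID is 1-based: 0 is invalid, total_key_pairs itself is valid. */
static bool ex_key_pair_id_valid(const ex_context_t *ctx, uint8_t key_pair_id)
{
    return (key_pair_id != 0) && (key_pair_id <= ctx->total_key_pairs);
}

/* Associate a slot with a key pair, checking each index against its own
 * bound: slot_id against the slot count, the ID against the key pair total. */
static bool ex_set_slot_key_pair(ex_context_t *ctx, uint8_t slot_id,
                                 const void *data, size_t data_size)
{
    uint8_t key_pair_id;

    if ((slot_id >= EX_MAX_SLOT_COUNT) || (data_size != sizeof(uint8_t))) {
        return false;
    }
    key_pair_id = *(const uint8_t *)data;
    if (!ex_key_pair_id_valid(ctx, key_pair_id)) {
        return false;
    }
    ctx->slot_key_pair_id[slot_id] = key_pair_id;
    return true;
}

int main(void)
{
    ex_context_t ctx = { .total_key_pairs = 12 };
    uint8_t id = 12; /* more key pairs than slots; the last ID is usable */

    return ex_set_slot_key_pair(&ctx, 7, &id, sizeof(id)) ? 0 : 1;
}
```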
@@ -0,0 +1,157 @@ | |||
/** |
File should be libspdm_rsp_get_key_pair_info.c.
Thanks. I have changed the file name.
Refer the issue:DMTF#2293 Signed-off-by: Wenxing Hou <[email protected]>
Signed-off-by: Wenxing Hou <[email protected]>
Signed-off-by: Wenxing Hou <[email protected]>
Seems like the pull request is in a good place to start testing.
Refer the issue: #2293