From: Jonathan Cameron
Subject: Re: [PATCH v2 3/3] hw/nvme: Add SPDM over DOE support
Date: Tue, 17 Oct 2023 11:18:10 +0100
On Tue, 17 Oct 2023 15:21:55 +1000
Alistair Francis <alistair23@gmail.com> wrote:
> From: Wilfred Mallawa <wilfred.mallawa@wdc.com>
>
> Set up Data Object Exchange (DOE) as an extended capability for the NVME
> controller and connect SPDM (CMA) to it.
>
> Signed-off-by: Wilfred Mallawa <wilfred.mallawa@wdc.com>
> Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
> ---
> docs/specs/index.rst | 1 +
> docs/specs/spdm.rst | 114 ++++++++++++++++++++++++++++++++++++
> include/hw/pci/pci_device.h | 5 ++
> include/hw/pci/pcie_doe.h | 3 +
> hw/nvme/ctrl.c | 53 +++++++++++++++++
> 5 files changed, 176 insertions(+)
> create mode 100644 docs/specs/spdm.rst
>
> diff --git a/docs/specs/index.rst b/docs/specs/index.rst
> index e58be38c41..c398541388 100644
> --- a/docs/specs/index.rst
> +++ b/docs/specs/index.rst
> @@ -24,3 +24,4 @@ guest hardware that is specific to QEMU.
> acpi_erst
> sev-guest-firmware
> fw_cfg
> + spdm
> diff --git a/docs/specs/spdm.rst b/docs/specs/spdm.rst
> new file mode 100644
> index 0000000000..dfdc3cbb4d
> --- /dev/null
> +++ b/docs/specs/spdm.rst
> @@ -0,0 +1,114 @@
> +======================================================
> +QEMU Security Protocols and Data Models (SPDM) Support
> +======================================================
> +
> +SPDM enables authentication, attestation and key exchange to assist in
> +providing infrastructure security enablement. It's a standard published
> +by the `DMTF`_.
> +
> +QEMU supports connecting to a SPDM Responder implementation. This allows an
> +external application to emulate the SPDM Responder logic for an SPDM device.
> +
> +Setting up a SPDM server
> +========================
> +
> +When using QEMU with SPDM devices QEMU will connect to a server which
> +implements the SPDM functionality.
> +
> +SPDM-Utils
> +----------
> +
> +You can use `SPDM Utils`_ to emulate a Responder.
> +
> +SPDM-Utils is a Linux applications to manage, test and develop devices
> +supporting DMTF Security Protocol and Data Model (SPDM). It is written in
> Rust
> +and utilises libspdm.
> +
> +To use SPDM-Utils you will need to do the followoing:
Spell check needed. following
> +
> + 1. `Build SPDM Utils`_
> + 2. `Generate the certificates`_
> + 3. `Run it as a server`_
> +
> +spdm-emu
> +--------
> +
> +You can use `spdm emu`_ to model the
> +SPDM responder.
> +
> +.. code-block:: shell
> +
> + $ cd spdm-emu
> + $ git submodule init; git submodule update --recursive
> + $ mkdir build; cd build
> + $ cmake -DARCH=x64 -DTOOLCHAIN=GCC -DTARGET=Debug -DCRYPTO=openssl ..
> + $ make -j32
> + $ make copy_sample_key # Build certificates, required for SPDM
> authentication.
> +
> +It is worth noting that the certificates should be in compliance with
> +PCIe r6.1 sec 6.31.3. This means you will need to add the following to
> +openssl.cnf
> +
> +.. code-block::
> +
> + subjectAltName =
> otherName:2.23.147;UTF8:Vendor=1b36:Device=0010:CC=010802:REV=02:SSVID=1af4:SSID=1100
> + 2.23.147 = ASN1:OID:2.23.147
> +
> +and then manually regenerate some certificates with:
> +
> +.. code-block:: shell
> +
> + openssl req -nodes -newkey ec:param.pem -keyout end_responder.key -out
> end_responder.req -sha384 -batch -subj "/CN=DMTF libspdm ECP384 responder
> cert"
For these there is no need to have them on one line; maybe some \ ?
That would make it easier to read if someone looks at the rst file.
> + openssl x509 -req -in end_responder.req -out end_responder.cert -CA
> inter.cert -CAkey inter.key -sha384 -days 3650 -set_serial 3 -extensions
> v3_end -extfile ../openssl.cnf
> + openssl asn1parse -in end_responder.cert -out end_responder.cert.der
> + cat ca.cert.der inter.cert.der end_responder.cert.der >
> bundle_responder.certchain.der
> +
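Review bot: the otherName values in the openssl.cnf snippet (Vendor=1b36:Device=0010:CC=010802:REV=02:SSVID=1af4:SSID=1100) are given as a fixed string, but the text right above it says the certificate must comply with PCIe r6.1 sec 6.31.3, which ties the leaf certificate to the identity of the device the requester sees; the doc should say that these are the emulated NVMe controller's vendor ID, device ID, class code, revision and subsystem IDs, and that anyone emulating a device with different IDs has to regenerate the leaf certificate and the bundle to match, or the requester-side check fails. Smaller points in the same hunk: "SPDM-Utils is a Linux applications" should be "application", "a SPDM server" and "a SPDM Responder" read better as "an SPDM ...", "make -j32" is one machine's core count (make -j$(nproc) is more portable), and the openssl commands only work from the spdm-emu build directory (note the "../openssl.cnf" path and the pre-existing param.pem, inter.cert and inter.key they rely on), which is worth stating before the command list.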
Otherwise this all looks good to me.
Reviewed-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
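The certificate procedure quoted in the patch, carried through end to end as an added example (this is not code from the patch, QEMU, libspdm or spdm-emu): it builds a root, an intermediate and a responder leaf whose SAN carries the PCIe otherName (OID 2.23.147), concatenates the three into the back-to-back DER bundle that the spdm-emu responder loads, and then checks the properties a requester cares about. The device identity string is the one quoted in the patch; the CN strings, file layout, config section names and the choice of P-384 are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the QEMU patch, libspdm or spdm-emu: build a
# three-level ECDSA P-384 responder chain whose leaf carries the PCIe r6.1
# sec 6.31.3 otherName SAN (OID 2.23.147), emit the concatenated-DER bundle,
# and check the result. The device IDs are the QEMU NVMe values quoted in
# the patch; CN strings, file names and section names are assumptions.
set -e

DEVICE_ID="Vendor=1b36:Device=0010:CC=010802:REV=02:SSVID=1af4:SSID=1100"

# Minimal openssl.cnf: one extension section per chain level. The leaf
# section (v3_end) carries the device identity as an otherName SAN.
write_cnf() {
    cat > openssl.cnf <<EOF
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ v3_inter ]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[ v3_end ]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
subjectAltName = otherName:2.23.147;UTF8:$DEVICE_ID
EOF
}

# Generate root -> intermediate -> responder leaf inside directory $1.
build_chain() (
    cd "$1" || exit 1
    write_cnf || exit 1
    openssl ecparam -name secp384r1 -out param.pem || exit 1
    # Self-signed root CA.
    openssl req -x509 -nodes -newkey ec:param.pem -keyout ca.key -out ca.cert \
        -sha384 -days 3650 -batch -subj "/CN=Example SPDM root CA" \
        -config openssl.cnf -extensions v3_ca || exit 1
    # Intermediate CA signed by the root.
    openssl req -nodes -newkey ec:param.pem -keyout inter.key -out inter.req \
        -sha384 -batch -subj "/CN=Example SPDM intermediate CA" \
        -config openssl.cnf || exit 1
    openssl x509 -req -in inter.req -out inter.cert -CA ca.cert -CAkey ca.key \
        -sha384 -days 3650 -set_serial 2 -extensions v3_inter \
        -extfile openssl.cnf || exit 1
    # Responder leaf signed by the intermediate, carrying the device SAN.
    openssl req -nodes -newkey ec:param.pem -keyout end_responder.key \
        -out end_responder.req -sha384 -batch \
        -subj "/CN=Example ECP384 responder cert" -config openssl.cnf || exit 1
    openssl x509 -req -in end_responder.req -out end_responder.cert \
        -CA inter.cert -CAkey inter.key -sha384 -days 3650 -set_serial 3 \
        -extensions v3_end -extfile openssl.cnf || exit 1
    # The responder loads the chain as back-to-back DER certs, root first.
    for c in ca inter end_responder; do
        openssl x509 -in "$c.cert" -outform DER -out "$c.cert.der" || exit 1
    done
    cat ca.cert.der inter.cert.der end_responder.cert.der \
        > bundle_responder.certchain.der || exit 1
)

# Checks a requester-side verifier cares about, run on directory $1.
check_chain() (
    cd "$1" || exit 1
    # 1. The leaf validates up to the root through the intermediate.
    openssl verify -CAfile ca.cert -untrusted inter.cert end_responder.cert \
        >/dev/null || exit 1
    # 2. The leaf really carries OID 2.23.147 (DER bytes 06 03 67 81 13) ...
    od -An -v -tx1 end_responder.cert.der | tr -d ' \n' \
        | grep -q 0603678113 || exit 1
    # 3. ... with the device identity stored verbatim as a UTF8String.
    grep -a -F -q "$DEVICE_ID" end_responder.cert.der || exit 1
    # 4. The bundle is exactly the three DER certificates, nothing else.
    total=0
    for c in ca inter end_responder; do
        total=$(( total + $(wc -c < "$c.cert.der") ))
    done
    [ "$(wc -c < bundle_responder.certchain.der | tr -d ' ')" -eq "$total" ] \
        || exit 1
)

# Build and check a fresh chain; prints the directory holding the bundle.
demo() {
    dir=$(mktemp -d) || return 1
    build_chain "$dir" >/dev/null || return 1
    check_chain "$dir" || return 1
    echo "$dir"
}

demo
```

Run it as `sh build_chain.sh`; it prints the temporary directory containing bundle_responder.certchain.der. If the emulated device's IDs differ from the QEMU NVMe defaults, change DEVICE_ID and rebuild, since the leaf (and therefore the bundle) must match the device the requester sees. The hex and grep checks on the raw DER are deliberately version-independent: older OpenSSL releases print an unknown otherName only as "<unsupported>" in `openssl x509 -text`, so checking the encoded bytes is the reliable way to confirm the SAN went in.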