Libspdm
DMTF's Reference Implementation of SPDM
Features
- Specifications
  - The SPDM and secured message libraries follow:
    - DSP0274 Security Protocol and Data Model (SPDM) Specification (version 1.0.2, version 1.1.4, version 1.2.3, version 1.3.2, and version 1.4.0)
    - DSP0277 Secured Messages using SPDM Specification (version 1.0.1, version 1.1.1, version 1.2.0)
  - MCTP and secured MCTP follow:
    - DSP0275 Security Protocol and Data Model (SPDM) over MCTP Binding Specification (version 1.0.2)
    - DSP0276 Secured Messages using SPDM over MCTP Binding Specification (version 1.2.0)
  - Storage Binding follows:
    - DSP0286 Security Protocol and Data Model (SPDM) to Storage Binding Specification (version 1.0.0)
  - TCP Binding follows:
    - DSP0287 SPDM over TCP Binding Specification (version 1.0.0)
  - PCIe follows:
    - PCI Express Base Specification Revision 6.2
  - CXL follows:
    - Compute Express Link Specification Revision 3.1
- Includes libraries that can be used to construct an SPDM Requester and an SPDM Responder. Refer to the libspdm API for more information.
- Programming Context
  The core libraries in libspdm/library require only the C99 freestanding headers and so are suitable for embedded and systems programming. Any functionality beyond the freestanding headers is provided by libspdm/os_stub or by the library's Integrator. All statically allocated memory in the core libraries is read-only, and the core libraries never allocate memory dynamically. Refer to programming environment for more information.
- Implemented Requests and Responses
  - SPDM 1.0: GET_VERSION, GET_CAPABILITIES, NEGOTIATE_ALGORITHMS, GET_DIGESTS, GET_CERTIFICATE, CHALLENGE, GET_MEASUREMENTS, and VENDOR_DEFINED_REQUEST.
  - SPDM 1.1: KEY_EXCHANGE, FINISH, PSK_EXCHANGE, PSK_FINISH, END_SESSION, HEARTBEAT, KEY_UPDATE, and ENCAPSULATED messages.
  - SPDM 1.2: GET_CSR, SET_CERTIFICATE, CHUNK_SEND, and CHUNK_GET.
  - SPDM 1.3: GET_KEY_PAIR_INFO, SET_KEY_PAIR_INFO, SUBSCRIBE_EVENT_TYPE, GET_SUPPORTED_EVENT_TYPES, GET_ENDPOINT_INFO, and GET_MEASUREMENT_EXTENSION_LOG. Additional SPDM 1.3 messages will be implemented in future releases.
  - SPDM 1.4: Additional SPDM 1.4 messages will be implemented in future releases.
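The GET_VERSION/VERSION exchange that opens every SPDM connection, as an added Python example (not libspdm's own code): the wire layout follows DSP0274, the version lists of both sides are constructed sample input, and selecting the common version on major/minor only (ignoring the update and alpha nibbles) is this example's assumption. It also shows the length checks a Requester needs before trusting a Responder's entry count.

```python
import struct

SPDM_GET_VERSION = 0x84   # RequestResponseCode of the GET_VERSION request (DSP0274)
SPDM_VERSION = 0x04       # RequestResponseCode of the VERSION response
VERSION_1_0_HDR = 0x10    # GET_VERSION/VERSION always carry SPDMVersion = 1.0

def build_get_version() -> bytes:
    # SPDMVersion, RequestResponseCode, Param1, Param2
    return bytes([VERSION_1_0_HDR, SPDM_GET_VERSION, 0x00, 0x00])

def build_version_response(versions) -> bytes:
    """versions: list of (major, minor, update, alpha) nibbles the Responder supports."""
    # header (4 bytes), Reserved, VersionNumberEntryCount, then 2-byte little-endian entries
    msg = bytes([VERSION_1_0_HDR, SPDM_VERSION, 0x00, 0x00, 0x00, len(versions)])
    for major, minor, update, alpha in versions:
        entry = (major << 12) | (minor << 8) | (update << 4) | alpha
        msg += struct.pack("<H", entry)
    return msg

def parse_version_response(msg: bytes):
    """Return the Responder's entries as (major, minor, update, alpha); reject malformed input."""
    if len(msg) < 6:
        raise ValueError("VERSION response shorter than its fixed header")
    if msg[0] != VERSION_1_0_HDR or msg[1] != SPDM_VERSION:
        raise ValueError("not a VERSION response")
    count = msg[5]
    if count == 0:
        raise ValueError("VERSION response carries no version entries")
    # Never trust the count blindly: it must fit inside the received bytes.
    if len(msg) < 6 + 2 * count:
        raise ValueError("VersionNumberEntryCount exceeds message length")
    entries = []
    for i in range(count):
        (entry,) = struct.unpack_from("<H", msg, 6 + 2 * i)
        entries.append((entry >> 12, (entry >> 8) & 0xF, (entry >> 4) & 0xF, entry & 0xF))
    return entries

def negotiate_version(requester_versions, responder_msg):
    """Pick the highest major.minor both sides support; return the SPDMVersion byte
    used in all later messages (e.g. 0x12 for SPDM 1.2), or None if nothing is common."""
    responder = parse_version_response(responder_msg)
    common = ({(ma, mi) for ma, mi, _, _ in requester_versions}
              & {(ma, mi) for ma, mi, _, _ in responder})
    if not common:
        return None
    major, minor = max(common)
    return (major << 4) | minor
```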
- Cryptography Support
  The SPDM library requires a cryptolib API, including random number generation, symmetric cryptography, asymmetric cryptography, hash, and message authentication code.
  Currently supported traditional algorithms: Hash: SHA2/SHA3/SM3; Signature: RSA-SSA/RSA-PSS/ECDSA/EdDSA/SM2-Sign; KeyExchange: FFDHE/ECDHE/SM2-KeyExchange; AEAD: AES_GCM/ChaCha20Poly1305/SM4_GCM. Currently supported PQC algorithms: Signature: ML-DSA/SLH-DSA; KeyEncapsulation: ML-KEM. NOTE: NIST algorithms and Shang-Mi (SM) algorithms should not be mixed together.
  ML-DSA OID is defined in RFC9881. SLH-DSA OID is defined in RFC9909.
  The endianness is defined in crypto_endianness.
  An Mbed TLS wrapper is included in cryptlib_mbedtls. NOTE: SMx, EdDSA, ML-DSA, SLH-DSA and ML-KEM are not supported.
  An OpenSSL wrapper is included in cryptlib_openssl. NOTE: SM2-KeyExchange and SM4_GCM are not supported.
  libspdm provides support for FIPS 140-3. Refer to libspdm FIPS for more information.
  libspdm implements a raw public key format as defined in RFC7250. Refer to libspdm raw public key for more information.
- Execution Context
  - Support to build an OS application for spdm_requester_emu and spdm_responder_emu to trace communication between Requester and Responder in spdm-emu.
  - Support to build an OS application for SPDM validation in SPDM-Responder-Validator and TEE-IO validation in tee-io-validator.
  - Support to build as part of the NVIDIA Linux kernel module driver in open-gpu-kernel-modules.
  - Support to build as a backend server for QEMU.
  - Support is included in the UEFI host environment EDKII.
  - Support is included in the ARM Trusted Firmware implementation of the Realm Management Monitor, TF-RMM.
  - Support is included in wolfSSL.
  - Support is planned to be included in OpenBMC. Details of the design for exposing measurements and certificate chains of SPDM-capable devices via Redfish are described in the OpenBMC SPDM Attestation Design.
  - Support to be linked from other languages. For example, Java verifier and Rust spdm-utils.
  - Support for interoperability testing with other SPDM implementations. For example, intel-server-prot-spdm and spdm-rs.
- Supported architectures and cross-compilers, building on an X64 host platform:

| Windows System | ia32 | x64 | arm | aarch64 | riscv32 | riscv64 |
| --------------- | ---- | --- | --- | ------- | ------- | ------- |
| VS2015 | cl | cl | - | - | - | - |
| VS2019 | cl | cl | - | - | - | - |
| VS2022 | cl | cl | - | - | - | - |
| ARM_DS2022 | - | - | armclang | armclang | - | - |
| GCC | gcc | gcc | - | - | - | - |
| CLANG | clang-cl | clang-cl | - | - | - | - |

| Linux System | ia32 | x64 | arm | aarch64 | riscv32 | riscv64 | loongarch64 |
| --------------- | ---- | --- | --- | ------- | ------- | ------- | ----------- |
| GCC | gcc | gcc | - | - | - | - | - |
| CLANG | clang | clang | - | - | - | - | - |
| ARM_DS2022 | - | - | armclang | armclang | - | - | - |
| ARM_GNU | - | - | arm-none-linux-gnueabihf-gcc | aarch64-none-linux-gnu-gcc | - | - | - |
| ARM_GNU_BARE_METAL | - | - | arm-none-eabi | aarch64-none-elf | - | - | - |
| ARM_GCC | - | - | arm-linux-gnueabi-gcc | - | - | - | - |
| AARCH64_GCC | - | - | - | aarch64-linux-gnu-gcc | - | - | - |
| RISCV_GNU | - | - | - | - | riscv32-unknown-linux-gnu-gcc | riscv64-unknown-linux-gnu-gcc | - |
| RISCV64_GCC | - | - | - | - | - | riscv64-linux-gnu-gcc | - |
| RISCV_XPACK | - | - | - | - | riscv-none-elf-gcc | riscv-none-elf-gcc | - |
