From nobody Sun Sep 28 17:03:47 2025
Delivered-To: importer@patchew.org
Authentication-Results: mx.zohomail.com;
	dkim=pass;
	spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as
 permitted sender)
  smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org;
	dmarc=pass(p=none dis=none)  header.from=gmail.com
ARC-Seal: i=1; a=rsa-sha256; t=1757392534; cv=none;
	d=zohomail.com; s=zohoarc;
	b=OFrhV4QQvRJRYtnsrV7PK47QSO4wkWzPmJxewASiTcDKM+PjAoUy3Xll5gOlQ8LSYaBcAGERFcabwhoFPdzQr0P+64H7etrRCd3Jnd8SU/7kS2eLNwYS+Q2n+lTkhNSptFho26BF+6eA764PTx39YtvBgawHLSn7P/E1bvohBQE=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com;
 s=zohoarc;
	t=1757392534;
 h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To;
	bh=M01fkta1eJg+Tq+svkiBqT7oQzN8dljIIUY5Xwa7T5M=;
	b=KkVbdCFKaZgdrZ9k0X/VV32YZc0tKw+9lQqWTRStYFYrjY3n87TGpdVQghM4po1bpTlAIWY8B1lM3DNiQlZ+PxRtWv8UNLVgK7FlfJWi8BMk4A/b9RIEBq/ePALOjjj49jPJNW0+ElLGZvfTTJT5aeWSH2ndQ4WzXRqyNbAUYig=
ARC-Authentication-Results: i=1; mx.zohomail.com;
	dkim=pass;
	spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as
 permitted sender)
  smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org;
	dmarc=pass header.from=<wilfred.opensource@gmail.com> (p=none dis=none)
Return-Path: <qemu-devel-bounces+importer=patchew.org@nongnu.org>
Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by
 mx.zohomail.com
	with SMTPS id 175739253468198.81082769766499;
 Mon, 8 Sep 2025 21:35:34 -0700 (PDT)
Received: from localhost ([::1] helo=lists1p.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.90_1)
	(envelope-from <qemu-devel-bounces@nongnu.org>)
	id 1uvq3n-0006Ie-Ql; Tue, 09 Sep 2025 00:34:27 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10])
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <wilfred.opensource@gmail.com>)
 id 1uvq3l-0006I5-ES; Tue, 09 Sep 2025 00:34:26 -0400
Received: from mail-pf1-x432.google.com ([2607:f8b0:4864:20::432])
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
 (Exim 4.90_1) (envelope-from <wilfred.opensource@gmail.com>)
 id 1uvq3d-0003FM-RR; Tue, 09 Sep 2025 00:34:24 -0400
Received: by mail-pf1-x432.google.com with SMTP id
 d2e1a72fcca58-77287fb79d3so4141339b3a.1;
 Mon, 08 Sep 2025 21:34:15 -0700 (PDT)
Received: from fedora ([159.196.5.243]) by smtp.gmail.com with ESMTPSA id
 d2e1a72fcca58-774661247cdsm606534b3a.33.2025.09.08.21.34.08
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Mon, 08 Sep 2025 21:34:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=gmail.com; s=20230601; t=1757392454; x=1757997254; darn=nongnu.org;
 h=content-transfer-encoding:mime-version:references:in-reply-to
 :message-id:date:subject:cc:to:from:from:to:cc:subject:date
 :message-id:reply-to;
 bh=M01fkta1eJg+Tq+svkiBqT7oQzN8dljIIUY5Xwa7T5M=;
 b=bcgmarUOIUfvOy9SPlOVQhsCsKRtgfNCCHToGNdzXe2tMQGdqt4m59uxuD5ovHN2Oh
 NyEDHgSeo+Q4qDbCtr1BYDRhe8MIz8rkrBovQHkzC29PGgUihHl8w0YM9UhJ5bjPZ2hY
 JQxKNPpgD/76pkTrkuRIDdo2tXflFP1ZfPdKHbGmVHlgrUGrYjVQY+hmo+/u4vYcZkvu
 ODZj9wDWuvAInlpWBEzo9xP/DZAkuJzjvIwmy3ZNE5tEFD7ZJgf/RIBiOHf1o+lOeb9P
 HQgApcOqy6IAF1g2oCUcjLfZBJKYTw90MMq5G95pv4ewZzcDLrA+IJ/lUjeCXCg1oqdd
 P4RQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20230601; t=1757392454; x=1757997254;
 h=content-transfer-encoding:mime-version:references:in-reply-to
 :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc
 :subject:date:message-id:reply-to;
 bh=M01fkta1eJg+Tq+svkiBqT7oQzN8dljIIUY5Xwa7T5M=;
 b=u904TVX9sojvoo/BneipxZ6Odn6hfip5Dfg4vSlK5eOpFYQ8wUdPlPKOq6LJeOWRme
 hanp5wqyxHcQP6aD8TIKzC6XEB59KmCdQs2sp9Vlqy+M1j5pm2O1ABuESEEJfKzEctOj
 PGSYRIu2mFdxcS63+Ej7fcBGFemlucXI/sDEao7mJuFBOmP1UvAKHvDTSN1GljnSK/wM
 RmTNGdMl4R68wKx8viwHQE2Auie9YMt9V3espIoM+9b1tiOqnhXhvx7mzcs+L7oqyr+b
 zPCn74JadA6LU5HU5lkeu7FPIJJKCYwxEsL8hrNH+uz40lMBLIJ2br27gjBaZiOGQmYR
 qT8A==
X-Forwarded-Encrypted: i=1;
 AJvYcCVUwE4dcJa7HnZjoEVDUVnQfFD69ADW430GMMtKvB7un2GLYgKrxdBv9zMoLNgnLa5nBS41RU8hezOm@nongnu.org
X-Gm-Message-State: AOJu0YzyrP5yDi7Pgq+MnUTzxVP1+WYPnSp7TPUyt6zfCDy2FQ+SO1HJ
 E9hbs66HS/c1aH0mIOckJ3YbXHnq5JiVrvn22LpwwTzAx16SMJnPNqEK
X-Gm-Gg: ASbGncu3TSSm3ANNrX2SupYVImtMwvMB6txAM2T4tHwMHnHQ0AbYtzEGtJOyltQrzH9
 Zg//qyDHmv2F3OAQXN0+Pzuu9wOP4cUq7JR6SBnRyx5Nms+Y32Du+DtjSMhsd7HcPzXztsr3zol
 BSx0tKtmTeAhGzjNP4ZhdyIIJavBZbP81tMfdsm4LWphoVjh6+Kk6iiqtKe9DjF+49BnBByomIX
 be5yQdkx5D4hU+1iAPb+vGAbnIQsHgtPo0KqYj9BY6lkxTBxlMX+bkKPTBIyhHtMafGiWabn+g/
 Yt6cwugilnbGwNHvgr0NsKNZ5Lr05/IfDBOH9rZD5UVHswWrJPkcmjlWe9MhmKdbhrM8Ia+1e0z
 oF3nm2gw7Wr+8bSvRrDctqmOlhjeRlts=
X-Google-Smtp-Source: 
 AGHT+IEnNU+wQJjrfJwaWzYAC3W9Rmn9znz+q5+im3YnDD7KQNimGq6P2HntIxVoqdMk2rkurkuu4w==
X-Received: by 2002:a05:6a21:6d9e:b0:253:2fae:5287 with SMTP id
 adf61e73a8af0-2533e18d170mr14072990637.26.1757392453938;
 Mon, 08 Sep 2025 21:34:13 -0700 (PDT)
From: Wilfred Mallawa <wilfred.opensource@gmail.com>
To: Alistair Francis <alistair.francis@wdc.com>,
 Keith Busch <kbusch@kernel.org>, Klaus Jensen <its@irrelevant.dk>,
 Jesper Devantier <foss@defmacro.it>, Stefan Hajnoczi <stefanha@redhat.com>,
 Fam Zheng <fam@euphon.net>,
 =?UTF-8?q?Philippe=20Mathieu-Daud=C3=A9?= <philmd@linaro.org>,
 Kevin Wolf <kwolf@redhat.com>, Hanna Reitz <hreitz@redhat.com>,
 "Michael S . Tsirkin" <mst@redhat.com>,
 Marcel Apfelbaum <marcel.apfelbaum@gmail.com>
Cc: qemu-devel@nongnu.org, qemu-block@nongnu.org,
 Jonathan Cameron <jonathan.cameron@huawei.com>,
 Wilfred Mallawa <wilfred.mallawa@wdc.com>
Subject: [PATCH v5 3/5] hw/nvme: add NVMe Admin Security SPDM support
Date: Tue,  9 Sep 2025 14:32:58 +1000
Message-ID: <20250909043259.93140-5-wilfred.opensource@gmail.com>
X-Mailer: git-send-email 2.51.0
In-Reply-To: <20250909043259.93140-2-wilfred.opensource@gmail.com>
References: <20250909043259.93140-2-wilfred.opensource@gmail.com>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17
 as permitted sender) client-ip=209.51.188.17;
 envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org;
 helo=lists.gnu.org;
Received-SPF: pass client-ip=2607:f8b0:4864:20::432;
 envelope-from=wilfred.opensource@gmail.com; helo=mail-pf1-x432.google.com
X-Spam_score_int: -20
X-Spam_score: -2.1
X-Spam_bar: --
X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,
 DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001,
 RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001,
 SPF_PASS=-0.001 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-BeenThere: qemu-devel@nongnu.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
 <mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <https://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
 <mailto:qemu-devel-request@nongnu.org?subject=subscribe>
Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org
Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org
X-ZohoMail-DKIM: pass (identity @gmail.com)
X-ZM-MESSAGEID: 1757392536132116600
Content-Type: text/plain; charset="utf-8"

From: Wilfred Mallawa <wilfred.mallawa@wdc.com>

Adds the NVMe Admin Security Send/Receive command support with support
for DMTFs SPDM. The transport binding for SPDM is defined in the
DMTF DSP0286.

Signed-off-by: Wilfred Mallawa <wilfred.mallawa@wdc.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Jonathan Cameron <jonathan.cameron@huawei.com>
---
 hw/nvme/ctrl.c               | 212 ++++++++++++++++++++++++++++++++++-
 hw/nvme/nvme.h               |   5 +
 include/block/nvme.h         |  15 +++
 include/system/spdm-socket.h |   2 +
 4 files changed, 233 insertions(+), 1 deletion(-)

diff --git a/hw/nvme/ctrl.c b/hw/nvme/ctrl.c
index f5ee6bf260..ad52e8f569 100644
--- a/hw/nvme/ctrl.c
+++ b/hw/nvme/ctrl.c
@@ -282,6 +282,8 @@ static const uint32_t nvme_cse_acs_default[256] =3D {
     [NVME_ADM_CMD_FORMAT_NVM]       =3D NVME_CMD_EFF_CSUPP | NVME_CMD_EFF_=
LBCC,
     [NVME_ADM_CMD_DIRECTIVE_RECV]   =3D NVME_CMD_EFF_CSUPP,
     [NVME_ADM_CMD_DIRECTIVE_SEND]   =3D NVME_CMD_EFF_CSUPP,
+    [NVME_ADM_CMD_SECURITY_SEND]    =3D NVME_CMD_EFF_CSUPP,
+    [NVME_ADM_CMD_SECURITY_RECV]    =3D NVME_CMD_EFF_CSUPP,
 };
=20
 static const uint32_t nvme_cse_iocs_nvm_default[256] =3D {
@@ -7282,6 +7284,207 @@ static uint16_t nvme_dbbuf_config(NvmeCtrl *n, cons=
t NvmeRequest *req)
     return NVME_SUCCESS;
 }
=20
+static uint16_t nvme_sec_prot_spdm_send(NvmeCtrl *n, NvmeRequest *req)
+{
+    StorageSpdmTransportHeader hdr =3D {0};
+    g_autofree uint8_t *sec_buf =3D NULL;
+    uint32_t transfer_len =3D le32_to_cpu(req->cmd.cdw11);
+    uint32_t transport_transfer_len =3D transfer_len;
+    uint32_t dw10 =3D le32_to_cpu(req->cmd.cdw10);
+    uint32_t recvd;
+    uint16_t nvme_cmd_status, ret;
+    uint8_t secp =3D extract32(dw10, 24, 8);
+    uint16_t spsp =3D extract32(dw10, 8, 16);
+    bool spdm_res;
+
+    if (transport_transfer_len > UINT32_MAX - sizeof(hdr)) {
+        return NVME_INVALID_FIELD | NVME_DNR;
+    }
+
+    transport_transfer_len +=3D sizeof(hdr);
+    if (transport_transfer_len > SPDM_SOCKET_MAX_MESSAGE_BUFFER_SIZE) {
+        return NVME_INVALID_FIELD | NVME_DNR;
+    }
+
+    ret =3D nvme_check_mdts(n, transport_transfer_len);
+    if (ret !=3D NVME_SUCCESS) {
+        return ret;
+    }
+
+    /* Generate the NVMe transport header */
+    hdr.security_protocol =3D secp;
+    hdr.security_protocol_specific =3D cpu_to_le16(spsp);
+    hdr.length =3D cpu_to_le32(transfer_len);
+
+    sec_buf =3D g_try_malloc0(transport_transfer_len);
+    if (!sec_buf) {
+        return NVME_INTERNAL_DEV_ERROR;
+    }
+
+    /* Attach the transport header */
+    memcpy(sec_buf, &hdr, sizeof(hdr));
+    ret =3D nvme_h2c(n, sec_buf + sizeof(hdr), transfer_len, req);
+    if (ret) {
+        return ret;
+    }
+
+    spdm_res =3D spdm_socket_send(n->spdm_socket, SPDM_SOCKET_STORAGE_CMD_=
IF_SEND,
+                                SPDM_SOCKET_TRANSPORT_TYPE_NVME, sec_buf,
+                                transport_transfer_len);
+    if (!spdm_res) {
+        return NVME_DATA_TRAS_ERROR | NVME_DNR;
+    }
+
+    /* The responder shall ack with message status */
+    recvd =3D spdm_socket_receive(n->spdm_socket, SPDM_SOCKET_TRANSPORT_TY=
PE_NVME,
+                                &nvme_cmd_status,
+                                SPDM_SOCKET_MAX_MSG_STATUS_LEN);
+
+    nvme_cmd_status =3D be16_to_cpu(nvme_cmd_status);
+
+    if (recvd < SPDM_SOCKET_MAX_MSG_STATUS_LEN) {
+        return NVME_DATA_TRAS_ERROR | NVME_DNR;
+    }
+
+    return nvme_cmd_status;
+}
+
+/* From host to controller */
+static uint16_t nvme_security_send(NvmeCtrl *n, NvmeRequest *req)
+{
+    uint32_t dw10 =3D le32_to_cpu(req->cmd.cdw10);
+    uint8_t secp =3D extract32(dw10, 24, 8);
+
+    switch (secp) {
+    case NVME_SEC_PROT_DMTF_SPDM:
+        if (n->spdm_socket < 0) {
+            return NVME_INVALID_FIELD | NVME_DNR;
+        }
+        return nvme_sec_prot_spdm_send(n, req);
+    default:
+        /* Unsupported Security Protocol Type */
+        return NVME_INVALID_FIELD | NVME_DNR;
+    }
+
+    return NVME_INVALID_FIELD | NVME_DNR;
+}
+
+static uint16_t nvme_sec_prot_spdm_receive(NvmeCtrl *n, NvmeRequest *req)
+{
+    StorageSpdmTransportHeader hdr;
+    g_autofree uint8_t *rsp_spdm_buf =3D NULL;
+    uint32_t dw10 =3D le32_to_cpu(req->cmd.cdw10);
+    uint32_t alloc_len =3D le32_to_cpu(req->cmd.cdw11);
+    uint32_t recvd, spdm_res;
+    uint16_t nvme_cmd_status, ret;
+    uint8_t secp =3D extract32(dw10, 24, 8);
+    uint8_t spsp =3D extract32(dw10, 8, 16);
+    if (!alloc_len) {
+        return NVME_INVALID_FIELD | NVME_DNR;
+    }
+
+    /* Generate the NVMe transport header */
+    hdr =3D (StorageSpdmTransportHeader) {
+        .security_protocol =3D secp,
+        .security_protocol_specific =3D cpu_to_le16(spsp),
+        .length =3D cpu_to_le32(alloc_len),
+    };
+
+    /* Forward if_recv to the SPDM Server with SPSP0 */
+    spdm_res =3D spdm_socket_send(n->spdm_socket, SPDM_SOCKET_STORAGE_CMD_=
IF_RECV,
+                                SPDM_SOCKET_TRANSPORT_TYPE_NVME,
+                                &hdr, sizeof(hdr));
+    if (!spdm_res) {
+        return NVME_DATA_TRAS_ERROR | NVME_DNR;
+    }
+
+    /* The responder shall ack with message status */
+    recvd =3D spdm_socket_receive(n->spdm_socket, SPDM_SOCKET_TRANSPORT_TY=
PE_NVME,
+                                &nvme_cmd_status,
+                                SPDM_SOCKET_MAX_MSG_STATUS_LEN);
+    if (recvd < SPDM_SOCKET_MAX_MSG_STATUS_LEN) {
+        return NVME_DATA_TRAS_ERROR | NVME_DNR;
+    }
+
+    nvme_cmd_status =3D be16_to_cpu(nvme_cmd_status);
+    /* An error here implies the prior if_recv from requester was spurious=
 */
+    if (nvme_cmd_status !=3D NVME_SUCCESS) {
+        return nvme_cmd_status;
+    }
+
+    /* Clear to start receiving data from the server */
+    rsp_spdm_buf =3D g_try_malloc0(alloc_len);
+    if (!rsp_spdm_buf) {
+        return NVME_INTERNAL_DEV_ERROR;
+    }
+
+    recvd =3D spdm_socket_receive(n->spdm_socket,
+                                SPDM_SOCKET_TRANSPORT_TYPE_NVME,
+                                rsp_spdm_buf, alloc_len);
+    if (!recvd) {
+        return NVME_DATA_TRAS_ERROR | NVME_DNR;
+    }
+
+    ret =3D nvme_c2h(n, rsp_spdm_buf, MIN(recvd, alloc_len), req);
+    if (ret) {
+        return ret;
+    }
+
+    return NVME_SUCCESS;
+}
+
+static uint16_t nvme_get_sec_prot_info(NvmeCtrl *n, NvmeRequest *req)
+{
+    uint32_t alloc_len =3D le32_to_cpu(req->cmd.cdw11);
+    uint8_t resp[10] =3D {
+        /* Support Security Protol List Length */
+        [6] =3D 0, /* MSB */
+        [7] =3D 2, /* LSB */
+        /* Support Security Protocol List */
+        [8] =3D SFSC_SECURITY_PROT_INFO,
+        [9] =3D 0,
+    };
+
+    if (n->spdm_socket >=3D 0) {
+        resp[9] =3D NVME_SEC_PROT_DMTF_SPDM;
+    }
+
+    if (alloc_len < 10) {
+        return NVME_INVALID_FIELD | NVME_DNR;
+    }
+
+    return nvme_c2h(n, resp, sizeof(resp), req);
+}
+
+/* From controller to host */
+static uint16_t nvme_security_receive(NvmeCtrl *n, NvmeRequest *req)
+{
+    uint32_t dw10 =3D le32_to_cpu(req->cmd.cdw10);
+    uint16_t spsp =3D extract32(dw10, 8, 16);
+    uint8_t secp =3D extract32(dw10, 24, 8);
+
+    switch (secp) {
+    case SFSC_SECURITY_PROT_INFO:
+        switch (spsp) {
+        case 0:
+            /* Supported security protocol list */
+            return nvme_get_sec_prot_info(n, req);
+        case 1:
+            /* Certificate data */
+            /* fallthrough */
+        default:
+            return NVME_INVALID_FIELD | NVME_DNR;
+        }
+    case NVME_SEC_PROT_DMTF_SPDM:
+        if (n->spdm_socket < 0) {
+            return NVME_INVALID_FIELD | NVME_DNR;
+        }
+        return nvme_sec_prot_spdm_receive(n, req);
+    default:
+        return NVME_INVALID_FIELD | NVME_DNR;
+    }
+}
+
 static uint16_t nvme_directive_send(NvmeCtrl *n, NvmeRequest *req)
 {
     return NVME_INVALID_FIELD | NVME_DNR;
@@ -7389,6 +7592,10 @@ static uint16_t nvme_admin_cmd(NvmeCtrl *n, NvmeRequ=
est *req)
         return nvme_directive_send(n, req);
     case NVME_ADM_CMD_DIRECTIVE_RECV:
         return nvme_directive_receive(n, req);
+    case NVME_ADM_CMD_SECURITY_SEND:
+        return nvme_security_send(n, req);
+    case NVME_ADM_CMD_SECURITY_RECV:
+        return nvme_security_receive(n, req);
     default:
         g_assert_not_reached();
     }
@@ -8459,6 +8666,8 @@ static void nvme_init_state(NvmeCtrl *n)
         sctrl->vfn =3D cpu_to_le16(i + 1);
     }
=20
+    n->spdm_socket =3D -1;
+
     cap->cntlid =3D cpu_to_le16(n->cntlid);
     cap->crt =3D NVME_CRT_VQ | NVME_CRT_VI;
=20
@@ -8824,7 +9033,8 @@ static void nvme_init_ctrl(NvmeCtrl *n, PCIDevice *pc=
i_dev)
     id->mdts =3D n->params.mdts;
     id->ver =3D cpu_to_le32(NVME_SPEC_VER);
=20
-    oacs =3D NVME_OACS_NMS | NVME_OACS_FORMAT | NVME_OACS_DIRECTIVES;
+    oacs =3D NVME_OACS_NMS | NVME_OACS_FORMAT | NVME_OACS_DIRECTIVES |
+           NVME_OACS_SECURITY;
=20
     if (n->params.dbcs) {
         oacs |=3D NVME_OACS_DBCS;
diff --git a/hw/nvme/nvme.h b/hw/nvme/nvme.h
index b5c9378ea4..67ed562e00 100644
--- a/hw/nvme/nvme.h
+++ b/hw/nvme/nvme.h
@@ -461,6 +461,8 @@ static inline const char *nvme_adm_opc_str(uint8_t opc)
     case NVME_ADM_CMD_DIRECTIVE_RECV:   return "NVME_ADM_CMD_DIRECTIVE_REC=
V";
     case NVME_ADM_CMD_DBBUF_CONFIG:     return "NVME_ADM_CMD_DBBUF_CONFIG";
     case NVME_ADM_CMD_FORMAT_NVM:       return "NVME_ADM_CMD_FORMAT_NVM";
+    case NVME_ADM_CMD_SECURITY_SEND:    return "NVME_ADM_CMD_SECURITY_SEND=
";
+    case NVME_ADM_CMD_SECURITY_RECV:    return "NVME_ADM_CMD_SECURITY_RECV=
";
     default:                            return "NVME_ADM_CMD_UNKNOWN";
     }
 }
@@ -648,6 +650,9 @@ typedef struct NvmeCtrl {
     } next_pri_ctrl_cap;    /* These override pri_ctrl_cap after reset */
     uint32_t    dn; /* Disable Normal */
     NvmeAtomic  atomic;
+
+    /* Socket mapping to SPDM over NVMe Security In/Out commands */
+    int spdm_socket;
 } NvmeCtrl;
=20
 typedef enum NvmeResetType {
diff --git a/include/block/nvme.h b/include/block/nvme.h
index 358e516e38..9fa2ecaf28 100644
--- a/include/block/nvme.h
+++ b/include/block/nvme.h
@@ -1779,6 +1779,21 @@ enum NvmeDirectiveOperations {
     NVME_DIRECTIVE_RETURN_PARAMS =3D 0x1,
 };
=20
+typedef enum SfscSecurityProtocol {
+    SFSC_SECURITY_PROT_INFO =3D 0x00,
+} SfscSecurityProtocol;
+
+typedef enum NvmeSecurityProtocols {
+    NVME_SEC_PROT_DMTF_SPDM    =3D 0xE8,
+} NvmeSecurityProtocols;
+
+typedef enum SpdmOperationCodes {
+    SPDM_STORAGE_DISCOVERY      =3D 0x1, /* Mandatory */
+    SPDM_STORAGE_PENDING_INFO   =3D 0x2, /* Optional */
+    SPDM_STORAGE_MSG            =3D 0x5, /* Mandatory */
+    SPDM_STORAGE_SEC_MSG        =3D 0x6, /* Optional */
+} SpdmOperationCodes;
+
 typedef struct QEMU_PACKED NvmeFdpConfsHdr {
     uint16_t num_confs;
     uint8_t  version;
diff --git a/include/system/spdm-socket.h b/include/system/spdm-socket.h
index c5f9f3611c..3d27cc366f 100644
--- a/include/system/spdm-socket.h
+++ b/include/system/spdm-socket.h
@@ -112,7 +112,9 @@ typedef struct {
=20
 #define SPDM_SOCKET_TRANSPORT_TYPE_MCTP           0x01
 #define SPDM_SOCKET_TRANSPORT_TYPE_PCI_DOE        0x02
+#define SPDM_SOCKET_TRANSPORT_TYPE_NVME           0x04
=20
 #define SPDM_SOCKET_MAX_MESSAGE_BUFFER_SIZE       0x1200
+#define SPDM_SOCKET_MAX_MSG_STATUS_LEN            0x02
=20
 #endif
--=20
2.51.0