1. Patchew
  2. linux
  3. [RFC 0/6] lib: Rust implementation of SPDM
  4. View patch

[RFC 2/6] drivers: pci: Change CONFIG_SPDM to a dependency

Alistair Francis posted 6 patches 1 week ago
[RFC 2/6] drivers: pci: Change CONFIG_SPDM to a dependency
Posted by Alistair Francis 1 week ago 
In preparation for adding a Rust SPDM library change SPDM to a
dependency so that the user can select which SPDM library to use at
build time.

Signed-off-by: Alistair Francis <alistair@alistair23.me>
---
 drivers/pci/Kconfig |  2 +-
 lib/Kconfig         | 30 +++++++++++++++---------------
 2 files changed, 16 insertions(+), 16 deletions(-)

diff --git a/drivers/pci/Kconfig b/drivers/pci/Kconfig
index f1c39a6477a5..690a2a38cb52 100644
--- a/drivers/pci/Kconfig
+++ b/drivers/pci/Kconfig
@@ -128,7 +128,7 @@ config PCI_CMA
 	select CRYPTO_SHA256
 	select CRYPTO_SHA512
 	select PCI_DOE
-	select SPDM
+	depends on SPDM
 	help
 	  Authenticate devices on enumeration per PCIe r6.2 sec 6.31.
 	  A PCI DOE mailbox is used as transport for DMTF SPDM based
diff --git a/lib/Kconfig b/lib/Kconfig
index 68f46e4a72a6..4db9bc8e29f8 100644
--- a/lib/Kconfig
+++ b/lib/Kconfig
@@ -739,6 +739,21 @@ config LWQ_TEST
 	help
           Run boot-time test of light-weight queuing.
 
+config SPDM
+	bool "SPDM"
+	select CRYPTO
+	select KEYS
+	select ASYMMETRIC_KEY_TYPE
+	select ASYMMETRIC_PUBLIC_KEY_SUBTYPE
+	select X509_CERTIFICATE_PARSER
+	help
+	  The Security Protocol and Data Model (SPDM) allows for device
+	  authentication, measurement, key exchange and encrypted sessions.
+
+	  Crypto algorithms negotiated with SPDM are limited to those enabled
+	  in .config.  Drivers selecting SPDM therefore need to also select
+	  any algorithms they deem mandatory.
+
 endmenu
 
 config GENERIC_IOREMAP
@@ -777,18 +792,3 @@ config POLYNOMIAL
 
 config FIRMWARE_TABLE
 	bool
-
-config SPDM
-	tristate
-	select CRYPTO
-	select KEYS
-	select ASYMMETRIC_KEY_TYPE
-	select ASYMMETRIC_PUBLIC_KEY_SUBTYPE
-	select X509_CERTIFICATE_PARSER
-	help
-	  The Security Protocol and Data Model (SPDM) allows for device
-	  authentication, measurement, key exchange and encrypted sessions.
-
-	  Crypto algorithms negotiated with SPDM are limited to those enabled
-	  in .config.  Drivers selecting SPDM therefore need to also select
-	  any algorithms they deem mandatory.
-- 
2.47.0
Re: [RFC 2/6] drivers: pci: Change CONFIG_SPDM to a dependency
Posted by Bjorn Helgaas 1 week ago 
On Fri, Nov 15, 2024 at 03:46:12PM +1000, Alistair Francis wrote:
> In preparation for adding a Rust SPDM library change SPDM to a
> dependency so that the user can select which SPDM library to use at
> build time.

Run "git log --oneline drivers/pci" and follow the existing
subject line convention.

> Signed-off-by: Alistair Francis <alistair@alistair23.me>
> ---
>  drivers/pci/Kconfig |  2 +-
>  lib/Kconfig         | 30 +++++++++++++++---------------
>  2 files changed, 16 insertions(+), 16 deletions(-)
> 
> diff --git a/drivers/pci/Kconfig b/drivers/pci/Kconfig
> index f1c39a6477a5..690a2a38cb52 100644
> --- a/drivers/pci/Kconfig
> +++ b/drivers/pci/Kconfig
> @@ -128,7 +128,7 @@ config PCI_CMA
>  	select CRYPTO_SHA256
>  	select CRYPTO_SHA512
>  	select PCI_DOE
> -	select SPDM
> +	depends on SPDM
>  	help
>  	  Authenticate devices on enumeration per PCIe r6.2 sec 6.31.
>  	  A PCI DOE mailbox is used as transport for DMTF SPDM based
> diff --git a/lib/Kconfig b/lib/Kconfig
> index 68f46e4a72a6..4db9bc8e29f8 100644
> --- a/lib/Kconfig
> +++ b/lib/Kconfig
> @@ -739,6 +739,21 @@ config LWQ_TEST
>  	help
>            Run boot-time test of light-weight queuing.
>  
> +config SPDM
> +	bool "SPDM"

If this appears in a menuconfig or similar menu, I think expanding
"SPDM" would be helpful to users.

> +	select CRYPTO
> +	select KEYS
> +	select ASYMMETRIC_KEY_TYPE
> +	select ASYMMETRIC_PUBLIC_KEY_SUBTYPE
> +	select X509_CERTIFICATE_PARSER
> +	help
> +	  The Security Protocol and Data Model (SPDM) allows for device
> +	  authentication, measurement, key exchange and encrypted sessions.
> +
> +	  Crypto algorithms negotiated with SPDM are limited to those enabled
> +	  in .config.  Drivers selecting SPDM therefore need to also select
> +	  any algorithms they deem mandatory.
> +
>  endmenu
>  
>  config GENERIC_IOREMAP
> @@ -777,18 +792,3 @@ config POLYNOMIAL
>  
>  config FIRMWARE_TABLE
>  	bool
> -
> -config SPDM
> -	tristate
> -	select CRYPTO
> -	select KEYS
> -	select ASYMMETRIC_KEY_TYPE
> -	select ASYMMETRIC_PUBLIC_KEY_SUBTYPE
> -	select X509_CERTIFICATE_PARSER
> -	help
> -	  The Security Protocol and Data Model (SPDM) allows for device
> -	  authentication, measurement, key exchange and encrypted sessions.
> -
> -	  Crypto algorithms negotiated with SPDM are limited to those enabled
> -	  in .config.  Drivers selecting SPDM therefore need to also select
> -	  any algorithms they deem mandatory.
> -- 
> 2.47.0
>
Re: [RFC 2/6] drivers: pci: Change CONFIG_SPDM to a dependency
Posted by Jonathan Cameron 6 hours ago 
> > diff --git a/lib/Kconfig b/lib/Kconfig
> > index 68f46e4a72a6..4db9bc8e29f8 100644
> > --- a/lib/Kconfig
> > +++ b/lib/Kconfig
> > @@ -739,6 +739,21 @@ config LWQ_TEST
> >  	help
> >            Run boot-time test of light-weight queuing.
> >  
> > +config SPDM
> > +	bool "SPDM"  
> 
> If this appears in a menuconfig or similar menu, I think expanding
> "SPDM" would be helpful to users.

Not sure it will!  Security Protocol and Data Model
which to me is completely useless for hinting what it is ;)

Definitely keep (SPDM) on end of expanded name as I suspect most
people can't remember the terms (I had to look it up ;)

Jonathan
Re: [RFC 2/6] drivers: pci: Change CONFIG_SPDM to a dependency
Posted by Bjorn Helgaas 5 hours ago 
On Fri, Nov 22, 2024 at 03:30:40PM +0000, Jonathan Cameron wrote:
> 
> > > diff --git a/lib/Kconfig b/lib/Kconfig
> > > index 68f46e4a72a6..4db9bc8e29f8 100644
> > > --- a/lib/Kconfig
> > > +++ b/lib/Kconfig
> > > @@ -739,6 +739,21 @@ config LWQ_TEST
> > >  	help
> > >            Run boot-time test of light-weight queuing.
> > >  
> > > +config SPDM
> > > +	bool "SPDM"  
> > 
> > If this appears in a menuconfig or similar menu, I think expanding
> > "SPDM" would be helpful to users.
> 
> Not sure it will!  Security Protocol and Data Model
> which to me is completely useless for hinting what it is ;)
> 
> Definitely keep (SPDM) on end of expanded name as I suspect most
> people can't remember the terms (I had to look it up ;)

Agree that the expansion doesn't add a whole lot, but I do think the
unadorned "SPDM" config prompt is not quite enough since this is in
the "Library routines" section and there's no useful context at all.

Maybe a hint that it's related to PCIe (although I'm not sure it's
*only* PCIe?) or device authentication or even some kind of general
"security" connection?

I admit that you're in good company; "parman" and "objagg" have zero
context and not even any help text at all.

Bjorn
Re: [RFC 2/6] drivers: pci: Change CONFIG_SPDM to a dependency
Posted by Jonathan Cameron 4 hours ago 
On Fri, 22 Nov 2024 11:23:54 -0600
Bjorn Helgaas <helgaas@kernel.org> wrote:

> On Fri, Nov 22, 2024 at 03:30:40PM +0000, Jonathan Cameron wrote:
> >   
> > > > diff --git a/lib/Kconfig b/lib/Kconfig
> > > > index 68f46e4a72a6..4db9bc8e29f8 100644
> > > > --- a/lib/Kconfig
> > > > +++ b/lib/Kconfig
> > > > @@ -739,6 +739,21 @@ config LWQ_TEST
> > > >  	help
> > > >            Run boot-time test of light-weight queuing.
> > > >  
> > > > +config SPDM
> > > > +	bool "SPDM"    
> > > 
> > > If this appears in a menuconfig or similar menu, I think expanding
> > > "SPDM" would be helpful to users.  
> > 
> > Not sure it will!  Security Protocol and Data Model
> > which to me is completely useless for hinting what it is ;)
> > 
> > Definitely keep (SPDM) on end of expanded name as I suspect most
> > people can't remember the terms (I had to look it up ;)  
> 
> Agree that the expansion doesn't add a whole lot, but I do think the
> unadorned "SPDM" config prompt is not quite enough since this is in
> the "Library routines" section and there's no useful context at all.
> 
> Maybe a hint that it's related to PCIe (although I'm not sure it's
> *only* PCIe?) or device authentication or even some kind of general
> "security" connection?

It's much broader than PCIe (I believe originated in USB before
being standardized?)

Maybe something like...

SPDM for security related message exchange (with devices)

Attempting to distill the text in the Introduction of the spec.

"The Security Protocol and Data Model (SPDM) Specification defines messages, data objects, and sequences for
performing message exchanges over a variety of transport and physical media. The description of message
exchanges includes authentication and provisioning of hardware identities, measurement for firmware identities,
session key exchange protocols to enable confidentiality with integrity-protected data communication, and other
related capabilities. The SPDM enables efficient access to low-level security capabilities and operations. Other
mechanisms, including non-DMTF-defined mechanisms, can use the SPDM"

So clear as mud ;)

J


> 
> I admit that you're in good company; "parman" and "objagg" have zero
> context and not even any help text at all.
> 
> Bjorn
Re: [RFC 2/6] drivers: pci: Change CONFIG_SPDM to a dependency
Posted by Miguel Ojeda 6 hours ago 
On Fri, Nov 22, 2024 at 4:30 PM Jonathan Cameron
<Jonathan.Cameron@huawei.com> wrote:
>
> Not sure it will!  Security Protocol and Data Model
> which to me is completely useless for hinting what it is ;)
>
> Definitely keep (SPDM) on end of expanded name as I suspect most
> people can't remember the terms (I had to look it up ;)

If that is the case, then perhaps it may make sense to put it at the
beginning if no one knows what the expanded form is:

    bool "SPDM (Security Protocol and Data Model)"

However, from a quick grep, this "at the beginning" style does not
seem common...

Cheers,
Miguel

Patchew 2.1-devel-b67e4c2

© 2016 - 2024 Red Hat, Inc.