Message ID | 20241115054616.1226735-3-alistair@alistair23.me |
---|---|
State | New |
Headers | show |
Series | lib: Rust implementation of SPDM | expand |
On Fri, Nov 15, 2024 at 03:46:12PM +1000, Alistair Francis wrote: > In preparation for adding a Rust SPDM library change SPDM to a > dependency so that the user can select which SPDM library to use at > build time. Run "git log --oneline drivers/pci" and follow the existing subject line convention. > Signed-off-by: Alistair Francis <alistair@alistair23.me> > --- > drivers/pci/Kconfig | 2 +- > lib/Kconfig | 30 +++++++++++++++--------------- > 2 files changed, 16 insertions(+), 16 deletions(-) > > diff --git a/drivers/pci/Kconfig b/drivers/pci/Kconfig > index f1c39a6477a5..690a2a38cb52 100644 > --- a/drivers/pci/Kconfig > +++ b/drivers/pci/Kconfig > @@ -128,7 +128,7 @@ config PCI_CMA > select CRYPTO_SHA256 > select CRYPTO_SHA512 > select PCI_DOE > - select SPDM > + depends on SPDM > help > Authenticate devices on enumeration per PCIe r6.2 sec 6.31. > A PCI DOE mailbox is used as transport for DMTF SPDM based > diff --git a/lib/Kconfig b/lib/Kconfig > index 68f46e4a72a6..4db9bc8e29f8 100644 > --- a/lib/Kconfig > +++ b/lib/Kconfig > @@ -739,6 +739,21 @@ config LWQ_TEST > help > Run boot-time test of light-weight queuing. > > +config SPDM > + bool "SPDM" If this appears in a menuconfig or similar menu, I think expanding "SPDM" would be helpful to users. > + select CRYPTO > + select KEYS > + select ASYMMETRIC_KEY_TYPE > + select ASYMMETRIC_PUBLIC_KEY_SUBTYPE > + select X509_CERTIFICATE_PARSER > + help > + The Security Protocol and Data Model (SPDM) allows for device > + authentication, measurement, key exchange and encrypted sessions. > + > + Crypto algorithms negotiated with SPDM are limited to those enabled > + in .config. Drivers selecting SPDM therefore need to also select > + any algorithms they deem mandatory. > + > endmenu > > config GENERIC_IOREMAP > @@ -777,18 +792,3 @@ config POLYNOMIAL > > config FIRMWARE_TABLE > bool > - > -config SPDM > - tristate > - select CRYPTO > - select KEYS > - select ASYMMETRIC_KEY_TYPE > - select ASYMMETRIC_PUBLIC_KEY_SUBTYPE > - select X509_CERTIFICATE_PARSER > - help > - The Security Protocol and Data Model (SPDM) allows for device > - authentication, measurement, key exchange and encrypted sessions. > - > - Crypto algorithms negotiated with SPDM are limited to those enabled > - in .config. Drivers selecting SPDM therefore need to also select > - any algorithms they deem mandatory. > -- > 2.47.0 >
> > diff --git a/lib/Kconfig b/lib/Kconfig > > index 68f46e4a72a6..4db9bc8e29f8 100644 > > --- a/lib/Kconfig > > +++ b/lib/Kconfig > > @@ -739,6 +739,21 @@ config LWQ_TEST > > help > > Run boot-time test of light-weight queuing. > > > > +config SPDM > > + bool "SPDM" > > If this appears in a menuconfig or similar menu, I think expanding > "SPDM" would be helpful to users. Not sure it will! Security Protocol and Data Model which to me is completely useless for hinting what it is ;) Definitely keep (SPDM) on end of expanded name as I suspect most people can't remember the terms (I had to look it up ;) Jonathan
On Fri, Nov 22, 2024 at 4:30 PM Jonathan Cameron <Jonathan.Cameron@huawei.com> wrote: > > Not sure it will! Security Protocol and Data Model > which to me is completely useless for hinting what it is ;) > > Definitely keep (SPDM) on end of expanded name as I suspect most > people can't remember the terms (I had to look it up ;) If that is the case, then perhaps it may make sense to put it at the beginning if no one knows what the expanded form is: bool "SPDM (Security Protocol and Data Model)" However, from a quick grep, this "at the beginning" style does not seem common... Cheers, Miguel
On Fri, Nov 22, 2024 at 03:30:40PM +0000, Jonathan Cameron wrote: > > > > diff --git a/lib/Kconfig b/lib/Kconfig > > > index 68f46e4a72a6..4db9bc8e29f8 100644 > > > --- a/lib/Kconfig > > > +++ b/lib/Kconfig > > > @@ -739,6 +739,21 @@ config LWQ_TEST > > > help > > > Run boot-time test of light-weight queuing. > > > > > > +config SPDM > > > + bool "SPDM" > > > > If this appears in a menuconfig or similar menu, I think expanding > > "SPDM" would be helpful to users. > > Not sure it will! Security Protocol and Data Model > which to me is completely useless for hinting what it is ;) > > Definitely keep (SPDM) on end of expanded name as I suspect most > people can't remember the terms (I had to look it up ;) Agree that the expansion doesn't add a whole lot, but I do think the unadorned "SPDM" config prompt is not quite enough since this is in the "Library routines" section and there's no useful context at all. Maybe a hint that it's related to PCIe (although I'm not sure it's *only* PCIe?) or device authentication or even some kind of general "security" connection? I admit that you're in good company; "parman" and "objagg" have zero context and not even any help text at all. Bjorn
On Fri, 22 Nov 2024 11:23:54 -0600 Bjorn Helgaas <helgaas@kernel.org> wrote: > On Fri, Nov 22, 2024 at 03:30:40PM +0000, Jonathan Cameron wrote: > > > > > > diff --git a/lib/Kconfig b/lib/Kconfig > > > > index 68f46e4a72a6..4db9bc8e29f8 100644 > > > > --- a/lib/Kconfig > > > > +++ b/lib/Kconfig > > > > @@ -739,6 +739,21 @@ config LWQ_TEST > > > > help > > > > Run boot-time test of light-weight queuing. > > > > > > > > +config SPDM > > > > + bool "SPDM" > > > > > > If this appears in a menuconfig or similar menu, I think expanding > > > "SPDM" would be helpful to users. > > > > Not sure it will! Security Protocol and Data Model > > which to me is completely useless for hinting what it is ;) > > > > Definitely keep (SPDM) on end of expanded name as I suspect most > > people can't remember the terms (I had to look it up ;) > > Agree that the expansion doesn't add a whole lot, but I do think the > unadorned "SPDM" config prompt is not quite enough since this is in > the "Library routines" section and there's no useful context at all. > > Maybe a hint that it's related to PCIe (although I'm not sure it's > *only* PCIe?) or device authentication or even some kind of general > "security" connection? It's much broader than PCIe (I believe originated in USB before being standardized?) Maybe something like... SPDM for security related message exchange (with devices) Attempting to distill the text in the Introduction of the spec. "The Security Protocol and Data Model (SPDM) Specification defines messages, data objects, and sequences for performing message exchanges over a variety of transport and physical media. The description of message exchanges includes authentication and provisioning of hardware identities, measurement for firmware identities, session key exchange protocols to enable confidentiality with integrity-protected data communication, and other related capabilities. The SPDM enables efficient access to low-level security capabilities and operations. Other mechanisms, including non-DMTF-defined mechanisms, can use the SPDM" So clear as mud ;) J > > I admit that you're in good company; "parman" and "objagg" have zero > context and not even any help text at all. > > Bjorn
diff --git a/drivers/pci/Kconfig b/drivers/pci/Kconfig index f1c39a6477a5..690a2a38cb52 100644 --- a/drivers/pci/Kconfig +++ b/drivers/pci/Kconfig @@ -128,7 +128,7 @@ config PCI_CMA select CRYPTO_SHA256 select CRYPTO_SHA512 select PCI_DOE - select SPDM + depends on SPDM help Authenticate devices on enumeration per PCIe r6.2 sec 6.31. A PCI DOE mailbox is used as transport for DMTF SPDM based diff --git a/lib/Kconfig b/lib/Kconfig index 68f46e4a72a6..4db9bc8e29f8 100644 --- a/lib/Kconfig +++ b/lib/Kconfig @@ -739,6 +739,21 @@ config LWQ_TEST help Run boot-time test of light-weight queuing. +config SPDM + bool "SPDM" + select CRYPTO + select KEYS + select ASYMMETRIC_KEY_TYPE + select ASYMMETRIC_PUBLIC_KEY_SUBTYPE + select X509_CERTIFICATE_PARSER + help + The Security Protocol and Data Model (SPDM) allows for device + authentication, measurement, key exchange and encrypted sessions. + + Crypto algorithms negotiated with SPDM are limited to those enabled + in .config. Drivers selecting SPDM therefore need to also select + any algorithms they deem mandatory. + endmenu config GENERIC_IOREMAP @@ -777,18 +792,3 @@ config POLYNOMIAL config FIRMWARE_TABLE bool - -config SPDM - tristate - select CRYPTO - select KEYS - select ASYMMETRIC_KEY_TYPE - select ASYMMETRIC_PUBLIC_KEY_SUBTYPE - select X509_CERTIFICATE_PARSER - help - The Security Protocol and Data Model (SPDM) allows for device - authentication, measurement, key exchange and encrypted sessions. - - Crypto algorithms negotiated with SPDM are limited to those enabled - in .config. Drivers selecting SPDM therefore need to also select - any algorithms they deem mandatory.
In preparation for adding a Rust SPDM library change SPDM to a dependency so that the user can select which SPDM library to use at build time. Signed-off-by: Alistair Francis <alistair@alistair23.me> --- drivers/pci/Kconfig | 2 +- lib/Kconfig | 30 +++++++++++++++--------------- 2 files changed, 16 insertions(+), 16 deletions(-)