Add SPDM over TCP support
The current SPDM daemon design facilitates the BMC in retrieving
certificates and measurement data from various MCTP-based devices via
the SPDM protocol and exposing this information externally through
redfish.
This update extends the design to enable the SPDM daemon to communicate
with other SPDM-capable devices over a TCP transport for retrieving
certificates and measurement data.
Change-Id: Ib63f7bdeba64d20d65916f029b0329e52817bf72
Signed-off-by: Manojkiran Eda <manojkiran.eda@gmail.com>
diff --git a/designs/redfish-spdm-attestation.md b/designs/redfish-spdm-attestation.md
index 6120c0c..4de7636 100644
--- a/designs/redfish-spdm-attestation.md
+++ b/designs/redfish-spdm-attestation.md
@@ -2,7 +2,7 @@
Author: Zhichuang Sun
-Other contributors: Jerome Glisse, Ed Tanous
+Other contributors: Jerome Glisse, Ed Tanous, Manojkiran Eda
Created: June 27th, 2023 Last Updated: Oct 30th, 2023
@@ -114,14 +114,24 @@
PCI-VDM, SMBus/I2C, and so on. Note,
[`libspdm` already provides transport layer protocol binding](https://github.com/DMTF/libspdm/blob/main/include/internal/libspdm_common_lib.h#L445-L446)
with message encoding/decoding support. The device send/receive function is left
-for SPDM daemon to implement If the transport layer is using standard MCTP or
-PCIe-DOE, setting up the transport layer connection could be easy. In this
-design, we only consider SPDM over standard MCTP and PCIe-DOE connection.
+for SPDM daemon to implement If the transport layer is using standard MCTP,
+PCIe-DOE, or TCP setting up the transport layer connection could be easy. In
+this design, we only consider SPDM over standard MCTP,TCP & PCIe-DOE connection.
For SPDM-over-MCTP, SPDM daemon can query the mctpd for information about MCTP
endpoint, including the endpoint id(eid) and upper layer responder, and create a
connection only for endpoint that has SPDM as its upper layer responder.
+For SPDM-over-TCP, SPDM daemon can query [entity-manager][entity-source] for
+information about remote TCP endpoints, including the `hostname / ip-address` &
+`port` details from the `SpdmTcpResponder` interface and create a connection
+either by using the reach out model (or) reach down model as stated in the [SPDM
+over TCP specification][spdm-tcp-spec]
+
+[entity-source]: https://github.com/openbmc/entity-manager
+[spdm-tcp-spec]:
+ https://www.dmtf.org/sites/default/files/standards/documents/DSP0287_1.0.0.pdf
+
For SPDM-over-PCIe-DOE, SPDM daemon need the PCIe device BDF to handle DOE
mailbox discovery. Given that not all PCIe devices support DOE support SPDM, we
cannot query about whether a DOE capable device supports SPDM. Therefore, we
@@ -155,6 +165,13 @@
measurements. For signals sent before SPDM daemon launches, SPDM daemon should
query the `mctpd` for any detected endpoints after it gets launched.
+For Network based device detection , SPDM daemon would monitor for
+`InterfacesAdded` signal provided by
+`xyz.openbmc_project.Configuration.SpdmTcpResponder` interface, which exposes
+the `Hostname` & `Port` of the remote entity. For signals sent before SPDM
+daemon launches, SPDM daemon should query the `entity-manager` for any detected
+endpoints after it gets launched.
+
Below is a high-level diagram showing the relationship between different
components.
@@ -181,11 +198,12 @@
for SPDM daemon.
1. Check transport layer protocol. For MCTP, it queries mctpd to gather all eids
that support SPDM; For PCIe-DOE, it performs DOE mailbox discovery with the
- PCIe device ID.
-2. For each endpoint, which could be MCTP or PCIe-DOE, SPDM daemon query Entity
- Manger for the matching trusted component configuration. It then creates and
- initializes the corresponding D-Bus object for `TrustedComponent` and
- `ComponentIntegrity` with device specific information.
+ PCIe device ID; For TCP, it queries entity-manager to gather the remote IP
+ address & Port.
+2. For each endpoint, which could be MCTP, PCIe-DOE or TCP, SPDM daemon query
+ Entity Manger for the matching trusted component configuration. It then
+ creates and initializes the corresponding D-Bus object for `TrustedComponent`
+ and `ComponentIntegrity` with device specific information.
3. Create the associations between the above objects and associations with other
objects, e.g., protected components, active software images;
4. Set up a connection between the BMC and each SPDM-capable device;
@@ -280,7 +298,7 @@
This change will:
- Create a SPDM daemon that can do SPDM attestation for SPDM-capable devices
- over PCIe DOE or MCTP.
+ over PCIe DOE, MCTP or TCP.
- Add `ComponentIntegrity` and `TrustedComponent` related D-Bus interfaces in
phosphor-dbus-interfaces.
- Extend existing certificate service in BMCWeb.
@@ -306,6 +324,8 @@
cases:
- Set up a transport layer connection with the device.
+- Unit tests should be implemented to ensure the infrastructure functions
+ reliably, regardless of the underlying transport mechanisms.
- SPDM connection setup, including get capabilities, negotiate algorithms.
- Get device certificates from device and create D-Bus object.
- `SPDMGetSignedMeasurements` method test.