OpenPRoT · FerralCoder · Sep 17, 2025 · Sep 17, 2025
diff --git a/docs/src/specification/middleware/spdm.md b/docs/src/specification/middleware/spdm.md
@@ -0,0 +1,113 @@
+# SPDM
+
+Status: Draft
+
+SPDM OpenPRoT devices shall use SPDM to conduct all attestation operations both
+with downstream devices (as a requester) and upstream devices (as a responder.)
+Devices may choose to act as a requester, a responder, or both. All SPDM version
+references assume alignment with the most recently released versions of the spec
+(i.e. 1.2.1, 1.3.2.)
+
+1.  [OCP Attestation Spec 1.1](https://github.com/google/spdm-accelerator-requirement/blob/main/OCP-Attestation-v1.1.docx.pdf)
+    Alignment OpenPRoT implementations of SPDM must align with the OCP
+    Attestation Spec 1.1, linked above. All following sections have taken this
+    spec into account. Please refer to that specification for details on
+    specific requirements.
+2.  Baseline Version OpenPRoT sets a baseline version of SPDM 1.2.
+3.  Requesters OpenPRoT devices implementing an SPDM requester will implement
+    support for SPDM 1.2 minimum and may implement SPDM 1.3 and up. The minimum
+    and maximum supported SPDM versions can be changed if support for other
+    versions is not necessary.
+4.  Responders OpenPRoT devices implementing an SPDM responder must implement
+    support for SPDM 1.2 or higher. Responders may only report (via
+    `GET_VERSION`) a single supported version of SPDM.
+5.  Required Commands All requesters and responders shall implement the four (4)
+    *spec mandatory* SPDM commands:
+
+    *   `GET_VERSION`
+
+    *   `GET_CAPABILITIES`
+
+    *   `NEGOTIATE_ALGORITHMS`
+
+    *   `RESPOND_IF_READY`
+
+    All requesters and responders shall implement the following *spec optional*
+    commands:
+
+    *   `GET_DIGESTS`
+    *   `GET_CERTIFICATE`
+    *   `CHALLENGE`
+    *   `GET_MEASUREMENTS`
+    *   `GET_CSR`
+    *   `SET_CERTIFICATE`
+    *   `CHUNK_SEND`
+    *   `CHUNK_GET`
+
+    Requesters and responders may implement the following recommended *spec
+    optional* commands:
+
+    *   Events
+        *   `GET_SUPPORTED_EVENT_TYPES`
+        *   `SUBSCRIBE_EVENT_TYPES`
+        *   `SEND_EVENT`
+    *   Encapsulated requests
+        *   `GET_ENCAPSULATED_REQUEST`
+        *   `DELIVER_ENCAPSULATED_RESPONSE`
+    *   `GET_KEY_PAIR_INFO`
+    *   `SET_KEY_PAIR_INFO`
+    *   `KEY_UPDATE`
+    *   `KEY_EXCHANGE`
+    *   `FINISH`
+    *   `PSK_EXCHANGE`
+    *   `PSK_FINISH`
+
+    All other *spec optional* commands may be implemented as the integrator sees
+    fit for their use case.
+
+6.  Required Capabilities
+
+    *   `CERT_CAP` (required for `GET_CERTIFICATE`)
+    *   `CHAL_CAP` (required for `CHALLENGE`)
+    *   `MEAS_CAP` (required for `GET_MEASUREMENT`)
+    *   `MEAS_FRESH_CAP`
+
+7.  Algorithms The following cryptographic algorithms are accepted for use
+    within OpenPRoT, but may be further constrained by hardware capabilities. At
+    a minimum OpenPRoT hardware must support:
+
+    *   `TPM_ALG_ECDSA_ECC_NIST_P384`
+    *   `TPM_ALG_SHA3_384`
+
+    All others are optional and may be used if supported.
+
+    *   Asymmetric
+        *   `TPM_ALG_RSASSA_2048`
+        *   `TPM_ALG_RSAPSS_2048`
+        *   `TPM_ALG_RSASSA_3072`
+        *   `TPM_ALG_RSAPSS_3072`
+        *   `TPM_ALG_ECDSA_ECC_NIST_P256`
+        *   `TPM_ALG_RSASSA_4096`
+        *   `TPM_ALG_RSAPSS_4096`
+        *   `TPM_ALG_ECDSA_ECC_NIST_P384`
+        *   `EdDSA ed25519`
+        *   `EdDSA ed448`
+        *   `TPM_ALG_SHA_384`
+    *   Hash
+        *   `TPM_ALG_SHA_256`
+        *   `TPM_ALG_SHA_384`
+        *   `TPM_ALG_SHA_512`
+        *   `TPM_ALG_SHA3_256`
+        *   `TPM_ALG_SHA3_384`
+        *   `TPM_ALG_SHA3_512`
+    *   AEAD Cipher
+        *   `AES-128-GCM`
+        *   `AES-256-GCM`
+        *   `CHACHA20_POLY1305`
+
+8.  Attestation Report Format Devices will support either RATS EAT (as CWT) or
+    an SPDM evidence manifest TOC per the *TCG DICE Concise Evidence for SPDM*
+    specification.
+
+9.  Measurement block 0xF0 Devices that do not provide a Measurement Manifest
+    shall locate RATS EAT at SPDM measurement block 0xF0