spdm: Add support for measuring devices

Signed-off-by: Jonathan Cameron <[email protected]>
Signed-off-by: Lukas Wunner <[email protected]>

Author: l1k

Documentation/ABI/testing/sysfs-devices-spdm

@@ -157,9 +157,9 @@ Description:
 
 		Note:  To ease signature verification, the "transcript" file
 		does not contain the trailing signature.  However the signature
-		is part of the final CHALLENGE_AUTH message, so the protocol
-		dissector needs to be fed the concatenation of "transcript"
-		and "signature".
+		is part of the final CHALLENGE_AUTH or MEASUREMENT message,
+		so the protocol dissector needs to be fed the concatenation of
+		"transcript" and "signature".
 
 		Signatures are added to the log even if the kernel was unable
 		to verify them (e.g. due to a missing trusted root certificate
@@ -190,6 +190,7 @@ Description:
 		generation.  It is one of (sans quotes):
 
 		"responder-challenge_auth signing"
+		"responder-measurements signing"
 
 
 What:		/sys/devices/.../signatures/[0-9]*_requester_nonce
@@ -223,13 +224,13 @@ Contact:	Lukas Wunner <[email protected]>
 Description:
 		If you do not trust the kernel to always use a fresh nonce,
 		write 32 bytes to this file to set the requester nonce used
-		in the next SPDM authentication sequence.
+		in the next SPDM authentication or measurement sequence.
 
 		Meant for remote attestation services.  You are responsible
 		for providing a nonce with sufficient entropy.  The kernel
 		only uses the nonce once, so provide a new one every time
-		you reauthenticate the device.  If you do not provide a
-		nonce, the kernel generates a random one.
+		you reauthenticate or measure the device.  If you do not
+		provide a nonce, the kernel generates a random one.
 
 		After the nonce has been consumed, it becomes readable as
 		the newest [0-9]*_requester_nonce, which proves its usage::

Documentation/admin-guide/sysctl/spdm.rst

@@ -20,10 +20,10 @@ The log is meant for re-verification of signatures by remote attestation
 services which do not trust the kernel to have verified the signatures
 correctly or which want to apply policy constraints of their own.
 A signature is computed over the transcript (a concatenation of all
-SPDM messages exchanged with the device during an authentication
-sequence).  The transcript can be a few kBytes or up to several MBytes
-in size, hence this parameter prevents the log from consuming too much
-memory.
+SPDM messages exchanged with the device during an authentication or
+measurement sequence).  The transcript can be a few kBytes or up to
+several MBytes in size, hence this parameter prevents the log from
+consuming too much memory.
 
 The kernel always stores the most recent signature in the log even if it
 exceeds ``max_signatures_size``.  Additionally as many older signatures

lib/spdm/core.c

@@ -162,8 +162,8 @@ ssize_t spdm_exchange(struct spdm_state *spdm_state,
  * @spdm_state: SPDM session state
  *
  * Allocate a buffer to accommodate the concatenation of all SPDM messages
- * exchanged during an authentication sequence.  Used to verify the signature,
- * as it is computed over the hashed transcript.
+ * exchanged during an authentication or measurement sequence.  Used to verify
+ * the signature, as it is computed over the hashed transcript.
  *
  * Transcript size is initially one page.  It grows by additional pages as
  * needed.  Minimum size of an authentication sequence is 1k (only one slot
@@ -189,8 +189,9 @@ int spdm_alloc_transcript(struct spdm_state *spdm_state)
  *
  * @spdm_state: SPDM session state
  *
- * Free the transcript buffer after performing authentication.  Reset the
- * pointer to the current end of transcript as well as the allocation size.
+ * Free the transcript buffer after performing authentication or measurement.
+ * Reset the pointer to the current end of transcript as well as the allocation
+ * size.
  */
 void spdm_free_transcript(struct spdm_state *spdm_state)
 {

lib/spdm/req-authenticate.c

@@ -237,6 +237,7 @@ static int spdm_negotiate_algs(struct spdm_state *spdm_state)
 	*req = (struct spdm_negotiate_algs_req) {
 		.code = SPDM_NEGOTIATE_ALGS,
 		.length = cpu_to_le16(req_sz),
+		.measurement_specification = SPDM_MEAS_SPEC_DMTF,
 		.base_asym_algo = cpu_to_le32(SPDM_ASYM_ALGOS),
 		.base_hash_algo = cpu_to_le32(SPDM_HASH_ALGOS),
 	};
@@ -264,6 +265,7 @@ static int spdm_negotiate_algs(struct spdm_state *spdm_state)
 
 	spdm_state->base_asym_alg = le32_to_cpu(rsp->base_asym_sel);
 	spdm_state->base_hash_alg = le32_to_cpu(rsp->base_hash_sel);
+	spdm_state->meas_hash_alg = le32_to_cpu(rsp->measurement_hash_algo);
 
 	if ((spdm_state->base_asym_alg & SPDM_ASYM_ALGOS) == 0 ||
 	    (spdm_state->base_hash_alg & SPDM_HASH_ALGOS) == 0) {
@@ -276,7 +278,10 @@ static int spdm_negotiate_algs(struct spdm_state *spdm_state)
 	    hweight32(spdm_state->base_hash_alg) != 1 ||
 	    rsp->ext_asym_sel_count != 0 ||
 	    rsp->ext_hash_sel_count != 0 ||
-	    rsp->param1 > req->param1) {
+	    rsp->param1 > req->param1 ||
+	    (spdm_state->rsp_caps & SPDM_MEAS_CAP_MASK &&
+	     (hweight32(spdm_state->meas_hash_alg) != 1 ||
+	      rsp->measurement_specification_sel != SPDM_MEAS_SPEC_DMTF))) {
 		dev_err(spdm_state->dev, "Malformed algorithms response\n");
 		return -EPROTO;
 	}

lib/spdm/req-sysfs.c

@@ -231,8 +231,9 @@ static unsigned int spdm_max_log_sz = SZ_16M; /* per device */
  * @req_nonce: sysfs attribute of requester nonce (located within transcript).
  * @rsp_nonce: sysfs attribute of responder nonce (located within transcript).
  * @transcript: sysfs attribute of transcript (concatenation of all SPDM
- *	messages exchanged during an authentication sequence) sans trailing
- *	signature (to simplify signature verification by user space).
+ *	messages exchanged during an authentication or measurement sequence)
+ *	sans trailing signature (to simplify signature verification by user
+ *	space).
  * @combined_prefix: sysfs attribute of combined_spdm_prefix
  *	(SPDM 1.2.0 margin no 806, needed to verify signature).
  * @spdm_context: sysfs attribute of spdm_context
@@ -405,9 +406,9 @@ static void spdm_shrink_log(struct spdm_state *spdm_state)
  * @req_nonce_off: Requester nonce offset within the transcript
  * @rsp_nonce_off: Responder nonce offset within the transcript
  *
- * Allocate and populate a struct spdm_log_entry upon device authentication.
- * Publish it in sysfs if the device has already been registered through
- * device_add().
+ * Allocate and populate a struct spdm_log_entry upon device authentication or
+ * measurement.  Publish it in sysfs if the device has already been registered
+ * through device_add().
  */
 void spdm_create_log_entry(struct spdm_state *spdm_state,
 			   const char *spdm_context, u8 slot,
@@ -519,10 +520,11 @@ void spdm_create_log_entry(struct spdm_state *spdm_state,
  * @spdm_state: SPDM session state
  *
  * sysfs attributes representing received SPDM signatures are not static,
- * but created dynamically upon authentication.  If a device was authenticated
- * before it became visible in sysfs, the attributes could not be created.
- * This function retroactively creates those attributes in sysfs after the
- * device has become visible through device_add().
+ * but created dynamically upon authentication or measurement.  If a device
+ * was authenticated or measured before it became visible in sysfs, the
+ * attributes could not be created.  This function retroactively creates
+ * those attributes in sysfs after the device has become visible through
+ * device_add().
  */
 void spdm_publish_log(struct spdm_state *spdm_state)
 {

lib/spdm/spdm.h

@@ -103,6 +103,19 @@
 #define SPDM_HASH_SHA3_512		BIT(5)		/* 1.0 */
 #define SPDM_HASH_SM3_256		BIT(6)		/* 1.2 */
 
+/* SPDM measurement specifications (SPDM 1.0.0 sec 4.10.1.3) */
+#define SPDM_MEAS_SPEC_DMTF		BIT(0)		/* 1.0 */
+
+/* SPDM measurement hash algorithms (SPDM 1.0.0 table 14) */
+#define SPDM_MEAS_HASH_RAW		BIT(0)		/* 1.0 */
+#define SPDM_MEAS_HASH_SHA_256		BIT(1)		/* 1.0 */
+#define SPDM_MEAS_HASH_SHA_384		BIT(2)		/* 1.0 */
+#define SPDM_MEAS_HASH_SHA_512		BIT(3)		/* 1.0 */
+#define SPDM_MEAS_HASH_SHA3_256		BIT(4)		/* 1.0 */
+#define SPDM_MEAS_HASH_SHA3_384		BIT(5)		/* 1.0 */
+#define SPDM_MEAS_HASH_SHA3_512		BIT(6)		/* 1.0 */
+#define SPDM_MEAS_HASH_SM3_257		BIT(7)		/* 1.2 */
+
 #if IS_ENABLED(CONFIG_CRYPTO_RSA)
 #define SPDM_ASYM_RSA			SPDM_ASYM_RSASSA_2048 |		\
 					SPDM_ASYM_RSASSA_3072 |		\
@@ -433,10 +446,12 @@ struct spdm_error_rsp {
  * @rsp_caps: Cached capabilities of responder.
  *	Received during GET_CAPABILITIES exchange.
  * @base_asym_alg: Asymmetric key algorithm for signature verification of
- *	CHALLENGE_AUTH messages.
+ *	CHALLENGE_AUTH and MEASUREMENTS messages.
  *	Selected by responder during NEGOTIATE_ALGORITHMS exchange.
  * @base_hash_alg: Hash algorithm for signature verification of
- *	CHALLENGE_AUTH messages.
+ *	CHALLENGE_AUTH and MEASUREMENTS messages.
+ *	Selected by responder during NEGOTIATE_ALGORITHMS exchange.
+ * @meas_hash_alg: Hash algorithm for measurement blocks.
  *	Selected by responder during NEGOTIATE_ALGORITHMS exchange.
  * @supported_slots: Bitmask of responder's supported certificate slots.
  *	Received during GET_DIGESTS exchange (from SPDM 1.3).
@@ -462,8 +477,8 @@ struct spdm_error_rsp {
  *	responder's certificate chain.
  * @validate: Function to validate additional leaf certificate requirements.
  * @transcript: Concatenation of all SPDM messages exchanged during an
- *	authentication sequence.  Used to verify the signature, as it is
- *	computed over the hashed transcript.
+ *	authentication or measurement sequence.  Used to verify the signature,
+ *	as it is computed over the hashed transcript.
  * @transcript_end: Pointer into the @transcript buffer.  Marks the current
  *	end of transcript.  If another message is transmitted, it is appended
  *	at this position.
@@ -495,6 +510,7 @@ struct spdm_state {
 	u32 rsp_caps;
 	u32 base_asym_alg;
 	u32 base_hash_alg;
+	u32 meas_hash_alg;
 	unsigned long supported_slots;
 	unsigned long provisioned_slots;