Add SPDM 1.4 requester/responder build profiles #3621
948c46d to 7bec0d7
Introduce LIBSPDM_SPDM14_BUILD_PROFILE selection in CMake and add dedicated requester/responder profile headers. Add fail-fast macro checks for profile consistency and PQC capability dependencies (ML-KEM, ML-DSA, SLH-DSA).

Signed-off-by: Cezary Zwolak <cezary.zwolak@intel.com>
7bec0d7 to 7a4f216
Please clarify the problem statement. Why is this needed?
Thanks for the feedback. Today, requester/responder role selection and PQC capability combinations can lead to invalid macro sets that are only discovered later (integration/CI/runtime). So the value is:
| #ifndef SPDM_LIB_CONFIG_PROFILE_REQUESTER_H | ||
| #define SPDM_LIB_CONFIG_PROFILE_REQUESTER_H | ||
|
|
||
| #define LIBSPDM_SPDM14_BUILD_PROFILE_ID LIBSPDM_SPDM14_BUILD_PROFILE_REQUESTER |
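Review bot: LIBSPDM_SPDM14_BUILD_PROFILE_ID on the last line is defined in terms of LIBSPDM_SPDM14_BUILD_PROFILE_REQUESTER, which none of the visible lines define or include. If this header can be reached before that constant exists, a later `#if LIBSPDM_SPDM14_BUILD_PROFILE_ID == ...` comparison treats the unknown identifier as 0 and can select a profile without any diagnostic. Consider an `#ifndef LIBSPDM_SPDM14_BUILD_PROFILE_REQUESTER` / `#error` guard above the define, or including the header that defines the profile constants from here.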
I am not sure why we need SPDM14 here.
What about SPDM10, SPDM11, SPDM12, SPDM13, and future SPDM15?
Do we want to add for each specific version?
| #endif | ||
|
|
||
| #if (LIBSPDM_ML_KEM_SUPPORT) && !(LIBSPDM_ENABLE_CAPABILITY_KEY_EX_CAP) | ||
| #error ML-KEM support requires KEY_EX_CAP capability. |
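Review bot: The `#if` on LIBSPDM_ML_KEM_SUPPORT and LIBSPDM_ENABLE_CAPABILITY_KEY_EX_CAP tests both macros by value, so it depends on include order: inside `#if` an undefined macro evaluates to 0, which means an undefined LIBSPDM_ML_KEM_SUPPORT skips the check and an undefined LIBSPDM_ENABLE_CAPABILITY_KEY_EX_CAP raises the error even if the capability is set to 1 later. Either add `#ifndef` / `#error` guards for both macros ahead of this check or document that the check header must be included only after all defaults are applied.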
Why only check KEM? DHE also needs KEY_EX.
| #if ((LIBSPDM_ML_DSA_SUPPORT) || (LIBSPDM_SLH_DSA_SUPPORT)) && \ | ||
| !((LIBSPDM_ENABLE_CAPABILITY_CERT_CAP) || (LIBSPDM_ENABLE_CAPABILITY_CHAL_CAP) || \ | ||
| (LIBSPDM_ENABLE_CAPABILITY_KEY_EX_CAP) || (LIBSPDM_ENABLE_CAPABILITY_MUT_AUTH_CAP)) | ||
| #error ML-DSA/SLH-DSA support requires CERT_CAP, CHAL_CAP, KEY_EX_CAP, or MUT_AUTH_CAP. |
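Review bot: The `#error` text on the last line names the capabilities only by short name and does not say which of ML-DSA or SLH-DSA triggered it, while the condition tests LIBSPDM_ML_DSA_SUPPORT, LIBSPDM_SLH_DSA_SUPPORT and four LIBSPDM_ENABLE_CAPABILITY_* macros. Someone hitting this in a build log has to map the message back to macro names by hand. Suggest one check per algorithm macro and a message that spells out the full macro names to set.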
Same question. RSA/ECDSA/EdDSA/... also need a similar check.
I notice this PR includes 2 features: 1) add consistency check, 2) add PROFILE_ID. I think those are 2 different features. I suggest we split into 2 different PRs.
| #define LIBSPDM_SEND_GET_CERTIFICATE_SUPPORT 1 | ||
| #define LIBSPDM_SEND_CHALLENGE_SUPPORT 1 | ||
| #define LIBSPDM_EVENT_RECIPIENT_SUPPORT 1 | ||
| #define LIBSPDM_SEND_GET_ENDPOINT_INFO_SUPPORT 1 |
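Review bot: All four `#define` lines set their feature switch unconditionally, with no `#ifndef` guard or preceding `#undef`. If the integrator's own configuration or a -D flag already defines one of them, for example LIBSPDM_SEND_GET_CERTIFICATE_SUPPORT, with a different value, the compiler diagnoses a macro redefinition and it is unclear which value was intended to win. Decide the precedence and encode it, either by wrapping each define in `#ifndef` or by raising `#error` when a conflicting value is already present.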
I do not understand why those should be in profile.
| #define LIBSPDM_SEND_GET_CERTIFICATE_SUPPORT 1 | ||
| #define LIBSPDM_SEND_CHALLENGE_SUPPORT 1 | ||
| #define LIBSPDM_EVENT_RECIPIENT_SUPPORT 0 | ||
| #define LIBSPDM_SEND_GET_ENDPOINT_INFO_SUPPORT 0 |
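Review bot: LIBSPDM_EVENT_RECIPIENT_SUPPORT and LIBSPDM_SEND_GET_ENDPOINT_INFO_SUPPORT are set to 0 in the last two lines, where the earlier hunk sets both to 1, and nothing in the visible lines says why this profile turns them off. Add a short comment stating the reason for each disabled feature, so that a reader can tell a deliberate restriction from a copy error.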
I do not understand why this is a must.
@jyao1 I think I see your point. Let's close this PR and related task. I will try to introduce 1.4 as 1.1-1.3 was before without additional profiles, checks. Just pure support, OK?
I will try to introduce 1.4 as 1.1-1.3 was before, without additional build profiles, checks.
Summary
Why needed: SPDM 1.4 + PQC can currently produce role/capability macro combinations that are detected as invalid only later (integration/CI/runtime). Build profiles (both/requester/responder) plus compile-time fail-fast checks make configuration deterministic, reject invalid combinations immediately at build time, and keep backward compatibility because both remains the default.
Introduce SPDM 1.4 build-profile selection for requester/responder focused builds in libspdm while preserving backward-compatible default behavior.
Changes
- LIBSPDM_SPDM14_BUILD_PROFILE CMake option with values: both (default), requester, responder.
- include/library/spdm_lib_config_profile_requester.h
- include/library/spdm_lib_config_profile_responder.h
- include/library/spdm_lib_config.h.
- include/internal/libspdm_macro_check.h for:
Validation
Scope notes
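The two dependency rules quoted in the diff above (ML-KEM needs KEY_EX_CAP; ML-DSA/SLH-DSA need one of CERT_CAP, CHAL_CAP, KEY_EX_CAP or MUT_AUTH_CAP), written out as an added example that is not code from this PR or from libspdm. All EX_* names and sample values are constructed; the `defined()` guard and the run-time mirror `ex_check` are additions for illustration, so that rejected combinations can be exercised in a test, which a single successful compile cannot do.

```c
/* Constructed sample settings; a real build takes these from its config header. */
#define EX_ML_KEM_SUPPORT 1
#define EX_ML_DSA_SUPPORT 1
#define EX_SLH_DSA_SUPPORT 0
#define EX_CAP_KEY_EX 1
#define EX_CAP_CERT 0
#define EX_CAP_CHAL 0
#define EX_CAP_MUT_AUTH 0

/* Inside #if an undefined macro silently evaluates to 0, so insist on definitions. */
#if !defined(EX_ML_KEM_SUPPORT) || !defined(EX_ML_DSA_SUPPORT) || \
    !defined(EX_SLH_DSA_SUPPORT) || !defined(EX_CAP_KEY_EX)
#error "EX_* configuration macros must be defined before the consistency checks"
#endif
/* Compile-time form of the two rules: an invalid set stops the build here. */
#if (EX_ML_KEM_SUPPORT) && !(EX_CAP_KEY_EX)
#error "EX_ML_KEM_SUPPORT requires EX_CAP_KEY_EX"
#endif
#if ((EX_ML_DSA_SUPPORT) || (EX_SLH_DSA_SUPPORT)) && \
    !((EX_CAP_CERT) || (EX_CAP_CHAL) || (EX_CAP_KEY_EX) || (EX_CAP_MUT_AUTH))
#error "EX_ML_DSA_SUPPORT/EX_SLH_DSA_SUPPORT require EX_CAP_CERT, _CHAL, _KEY_EX or _MUT_AUTH"
#endif

enum { EX_OK = 0, EX_ERR_KEM_NEEDS_KEY_EX = 1, EX_ERR_DSA_NEEDS_CAP = 2 };
struct ex_config { int ml_kem, ml_dsa, slh_dsa, key_ex, cert, chal, mut_auth; };

/* Run-time mirror of the same rules, so tests can exercise rejected combinations. */
static int ex_check(const struct ex_config *c)
{
    int err = EX_OK;
    if (c->ml_kem && !c->key_ex)
        err |= EX_ERR_KEM_NEEDS_KEY_EX;
    if ((c->ml_dsa || c->slh_dsa) && !(c->cert || c->chal || c->key_ex || c->mut_auth))
        err |= EX_ERR_DSA_NEEDS_CAP;
    return err;
}

/* The configuration this translation unit was actually built with. */
static struct ex_config ex_built_config(void)
{
    struct ex_config c = { EX_ML_KEM_SUPPORT, EX_ML_DSA_SUPPORT, EX_SLH_DSA_SUPPORT,
                           EX_CAP_KEY_EX, EX_CAP_CERT, EX_CAP_CHAL, EX_CAP_MUT_AUTH };
    return c;
}

int main(void)
{
    struct ex_config built = ex_built_config();
    return ex_check(&built); /* exit status 0 for a valid configuration */
}
```

Setting EX_CAP_KEY_EX to 0 in the sample settings makes the first rule fire and the file stops compiling at the matching `#error`.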