SPDM Library

A Rust implementation of the Security Protocol and Data Model (SPDM) specification with static X.509 certificates.

Overview

This library provides a complete SPDM responder implementation with:

  • Full SPDM protocol processing, built on the integrated SPDM library
  • Static X.509 certificates (no dynamic generation complexity)
  • DMTF SPDM device validator compatibility
  • P-384 ECDSA cryptography with SHA-384 hashing
  • TCP socket transport for testing and validation

Features

  • SPDM versions 1.1 and 1.2 support
  • Certificate-based authentication
  • Challenge-response authentication
  • Signed measurements with attestation
  • Chunked message support for large transfers
  • Static certificate chain (419 + 453 = 872 bytes total)

Prerequisites

  • Rust (1.70 or later)
  • Cargo (comes with Rust)
  • OpenSSL (for certificate verification tests, optional)

Project Structure

spdm-lib/
├── src/
│   ├── lib.rs           # Main library
│   └── ...              # SPDM protocol implementation
├── examples/
│   ├── platform/        # Reference platform implementations
│   │   ├── certs.rs     # Static X.509 certificates (OpenSSL generated)
│   │   ├── cert_store.rs # Certificate store with ECDSA signing
│   │   ├── crypto.rs    # SHA-384 hash and system RNG
│   │   ├── socket_transport.rs # TCP transport with DMTF protocol
│   │   ├── evidence.rs  # Demo device evidence
│   │   └── mod.rs       # Platform module exports
│   ├── spdm_responder.rs # Clean SPDM responder using platform implementations
│   └── test_static_certs.rs # Certificate verification test
└── tests/               # Integration tests

Compilation

Build the Library

cargo build

Build Examples

Build the main SPDM responder:

cargo build --example spdm_responder

Build all examples:

cargo build --examples

Release Build (Optimized)

cargo build --release --example spdm_responder

Running Tests

Unit Tests

Run all library unit tests:

cargo test

Running the SPDM Responder

Basic Usage

Start the SPDM responder on default port 2323:

cargo run --example spdm_responder

With Custom Port

cargo run --example spdm_responder -- --port 8080

With Verbose Logging

cargo run --example spdm_responder -- --verbose

All Options

cargo run --example spdm_responder -- \
    --port 2323 \
    --cert device_cert.pem \
    --key device_key.pem \
    --measurements measurements.json \
    --verbose

Command Line Options

The SPDM responder supports the following command line arguments:

  • -p, --port <PORT> - TCP port to listen on (default: 2323)
  • -c, --cert <CERT_FILE> - Path to certificate file (default: device_cert.pem)
  • -k, --key <KEY_FILE> - Path to private key file (default: device_key.pem)
  • -m, --measurements <FILE> - Path to measurements file (default: measurements.json)
  • -v, --verbose - Enable verbose logging
  • -h, --help - Print help message

Testing with DMTF SPDM Device Validator

The responder is compatible with the DMTF SPDM device validator:

  1. Start the responder:

    cargo run --example spdm_responder -- --verbose
  2. In another terminal, test with nc (netcat):

    echo -ne '\x00\x00\xFF\xFE\x00\x00\x00\x03\x00\x00\x00\x00' | nc localhost 2323
  3. Or use the DMTF SPDM device validator (if available):

    spdm-device-validator --host localhost --port 2323
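The netcat probe above sends a bare 12-byte socket header with no SPDM payload. As an added example (not code from the spdm-lib project), here is a std-only Rust encoder/decoder for that header; the layout (command, transport type, payload size, each a big-endian u32) and the numeric codes `CMD_NORMAL`, `CMD_SHUTDOWN` and `TRANSPORT_TCP` follow the DMTF spdm-emu convention as I understand it and are assumptions, not facts stated on this page. The decoder caps the declared length before allocating, which is the check a responder reading untrusted TCP input wants in front of its chunked-message handling.

```rust
// Added example, not code from the spdm-lib project: encoder/decoder for the
// 12-byte socket header the README's netcat probe sends. Layout (command,
// transport type, payload size; each big-endian u32) and the numeric codes
// follow the DMTF spdm-emu convention as I understand it: assumptions here.
use std::convert::TryInto;

pub const CMD_NORMAL: u32 = 0x0001; // assumed spdm-emu "normal SPDM message"
pub const CMD_SHUTDOWN: u32 = 0xFFFE; // assumed spdm-emu shutdown request
pub const TRANSPORT_TCP: u32 = 0x0003; // assumed spdm-emu transport id for TCP
/// Cap on the declared payload length: reject it before allocating anything.
pub const MAX_PAYLOAD: usize = 64 * 1024;

#[derive(Debug, PartialEq, Eq)]
pub struct SocketFrame {
    pub command: u32,
    pub transport_type: u32,
    pub payload: Vec<u8>,
}

impl SocketFrame {
    /// Serializes header + payload exactly as the wire expects.
    pub fn encode(&self) -> Vec<u8> {
        let mut out = Vec::with_capacity(12 + self.payload.len());
        out.extend_from_slice(&self.command.to_be_bytes());
        out.extend_from_slice(&self.transport_type.to_be_bytes());
        out.extend_from_slice(&(self.payload.len() as u32).to_be_bytes());
        out.extend_from_slice(&self.payload);
        out
    }

    /// Parses one frame, returning it and the bytes consumed. Fails on a short
    /// header, a length field above MAX_PAYLOAD, or a truncated payload.
    pub fn decode(buf: &[u8]) -> Result<(Self, usize), String> {
        if buf.len() < 12 {
            return Err(format!("header needs 12 bytes, got {}", buf.len()));
        }
        let word = |i: usize| u32::from_be_bytes(buf[i..i + 4].try_into().unwrap());
        let (command, transport_type, size) = (word(0), word(4), word(8) as usize);
        if size > MAX_PAYLOAD {
            return Err(format!("declared size {} exceeds cap {}", size, MAX_PAYLOAD));
        }
        let end = 12 + size;
        if buf.len() < end {
            return Err(format!("payload truncated: need {} bytes, got {}", end, buf.len()));
        }
        let payload = buf[12..end].to_vec();
        Ok((SocketFrame { command, transport_type, payload }, end))
    }
}
```

Decoding the probe bytes from step 2 yields command 0xFFFE with transport type 3 and an empty payload, i.e. a shutdown request under the assumed convention, which is why it only confirms that the responder accepts a connection.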

Certificate Information

The responder uses static X.509 certificates generated by OpenSSL:

  • Root CA Certificate: 419 bytes (self-signed, CA:TRUE)
  • Attestation Certificate: 453 bytes (signed by root CA, CA:FALSE)
  • Combined Chain: 872 bytes (root CA + attestation certificate)
  • Cryptography: P-384 ECDSA with SHA-384
  • Validity: September 2025 - September 2026

These certificates pass OpenSSL verification:

openssl verify -CAfile root_ca.pem attestation.pem
# Output: attestation.pem: OK

Development

Adding New Examples

  1. Create a new file in examples/
  2. Add necessary dependencies to Cargo.toml if needed
  3. Build with: cargo build --example your_example

Modifying Certificates

The static certificates are in examples/platform/certs.rs. They were generated from working OpenSSL certificates and should not be modified unless you have replacement certificates that pass verification.

Debugging

Enable verbose logging to see detailed SPDM message processing:

RUST_LOG=debug cargo run --example spdm_responder -- --verbose

Troubleshooting

Build Errors

If you encounter build errors:

  1. Update Rust: rustup update
  2. Clean build: cargo clean && cargo build

Connection Issues

If the responder doesn't accept connections:

  1. Check port availability: netstat -ln | grep :2323
  2. Firewall settings: Ensure port 2323 is open
  3. Bind address: The responder binds to 0.0.0.0:2323 (all interfaces)

Certificate Issues

If certificate-related errors occur:

  1. Run certificate test: cargo run --example test_static_certs
  2. Check certificate format: Certificates are in DER format, not PEM
  3. Static certificates: The responder uses hardcoded certificates, not files

License

Licensed under the Apache-2.0 license. See LICENSE file for details.

Contributing

  1. Fork the repository
  2. Create a feature branch
  3. Make your changes
  4. Add tests if applicable
  5. Run cargo test
  6. Submit a pull request

Support

For issues and questions:

  1. Check the troubleshooting section above
  2. Run tests to verify your setup
  3. Enable verbose logging for debugging
  4. Check that certificates pass verification tests