Keyboard shortcuts

Press or to navigate between chapters

Press S or / to search in the book

Press ? to show this help

Press Esc to hide this help

SPDM

Status: Draft

SPDM OpenPRoT devices shall use SPDM to conduct all attestation operations both with downstream devices (as a requester) and upstream devices (as a responder.) Devices may choose to act as a requester, a responder, or both. All SPDM version references assume alignment with the most recently released versions of the spec (i.e. 1.2.1, 1.3.2.)

  1. OCP Attestation Spec 1.1 Alignment OpenPRoT implementations of SPDM must align with the OCP Attestation Spec 1.1, linked above. All following sections have taken this spec into account. Please refer to that specification for details on specific requirements.

  2. Baseline Version OpenPRoT sets a baseline version of SPDM 1.2.

  3. Requesters OpenPRoT devices implementing an SPDM requester will implement support for SPDM 1.2 minimum and may implement SPDM 1.3 and up. The minimum and maximum supported SPDM versions can be changed if support for other versions is not necessary.

  4. Responders OpenPRoT devices implementing an SPDM responder must implement support for SPDM 1.2 or higher. Responders may only report (via GET_VERSION) a single supported version of SPDM.

  5. Required Commands All requesters and responders shall implement the four (4) spec mandatory SPDM commands:

    • GET_VERSION

    • GET_CAPABILITIES

    • NEGOTIATE_ALGORITHMS

    • RESPOND_IF_READY

    All requesters and responders shall implement the following spec optional commands:

    • GET_DIGESTS
    • GET_CERTIFICATE
    • CHALLENGE
    • GET_MEASUREMENTS
    • GET_CSR
    • SET_CERTIFICATE
    • CHUNK_SEND
    • CHUNK_GET

    Requesters and responders may implement the following recommended spec optional commands:

    • Events
      • GET_SUPPORTED_EVENT_TYPES
      • SUBSCRIBE_EVENT_TYPES
      • SEND_EVENT
    • Encapsulated requests
      • GET_ENCAPSULATED_REQUEST
      • DELIVER_ENCAPSULATED_RESPONSE
    • GET_KEY_PAIR_INFO
    • SET_KEY_PAIR_INFO
    • KEY_UPDATE
    • KEY_EXCHANGE
    • FINISH
    • PSK_EXCHANGE
    • PSK_FINISH

    All other spec optional commands may be implemented as the integrator sees fit for their use case.

  6. Required Capabilities

    • CERT_CAP (required for GET_CERTIFICATE)
    • CHAL_CAP (required for CHALLENGE)
    • MEAS_CAP (required for GET_MEASUREMENT)
    • MEAS_FRESH_CAP

  7. Algorithms The following cryptographic algorithms are accepted for use within OpenPRoT, but may be further constrained by hardware capabilities. At a minimum OpenPRoT hardware must support:

    • TPM_ALG_ECDSA_ECC_NIST_P384
    • TPM_ALG_SHA3_384

    All others are optional and may be used if supported.

    • Asymmetric
      • TPM_ALG_RSASSA_2048
      • TPM_ALG_RSAPSS_2048
      • TPM_ALG_RSASSA_3072
      • TPM_ALG_RSAPSS_3072
      • TPM_ALG_ECDSA_ECC_NIST_P256
      • TPM_ALG_RSASSA_4096
      • TPM_ALG_RSAPSS_4096
      • TPM_ALG_ECDSA_ECC_NIST_P384
      • EdDSA ed25519
      • EdDSA ed448
      • TPM_ALG_SHA_384
    • Hash
      • TPM_ALG_SHA_256
      • TPM_ALG_SHA_384
      • TPM_ALG_SHA_512
      • TPM_ALG_SHA3_256
      • TPM_ALG_SHA3_384
      • TPM_ALG_SHA3_512
    • AEAD Cipher
      • AES-128-GCM
      • AES-256-GCM
      • CHACHA20_POLY1305

  8. Attestation Report Format Devices will support either RATS EAT (as CWT) or an SPDM evidence manifest TOC per the TCG DICE Concise Evidence for SPDM specification.

  9. Measurement block 0xF0 Devices that do not provide a Measurement Manifest shall locate RATS EAT at SPDM measurement block 0xF0