This project provides a Rust language implementation of SPDM, IDE_KM and TDISP. These protocols are used to facilitate direct device assignment for Trusted Execution Environment I/O (TEE-I/O) in Confidential Computing.

There are a number of use cases that benefit from including devices and accelerators in the trust boundary of a Confidential Virtual Machine (CVM). In machine learning, for example, these protocols can be used to build a trusted connection between a GPU’s TEE and a CVM to accelerate performance.

DMTF DSP0274 Security Protocol and Data Model (SPDM) Specification (version 1.2.2)

DMTF DSP0277 Secured Messages using SPDM Specification (version 1.1.1)

PCIe Base Specification Version 6.0.1, 6.1

PCIe DOE 1.0 ECN in PCIe 6.0, DOE 1.1 ECN in PCIe 6.1.

PCIe CMA 1.0 ECN in PCIe 6.0, CMA 1.1 ECN in PCIe TBD.

PCIe IDE ECN in PCIe 6.0.

PCIe TDISP ECN in PCIe 6.1.

SPDM 1.0: GET_VERSION, GET_CAPABILITIES, NEGOTIATE_ALGORITHMS, GET_DIGESTS, GET_CERTIFICATE, CHALLENGE, and GET_MEASUREMENTS.

SPDM 1.1: KEY_EXCHANGE, FINISH, PSK_EXCHANGE, PSK_FINISH, END_SESSION, HEARTBEAT, KEY_UPDATE messages.

SPDM 1.2: Support 1.0/1.1 messages and new format. New SPDM 1.2 messages are not supported yet.

SPDM 1.3: Not support yet.

IDE_KM 1.0 in PCIe 6.0/6.1.

TDISP 1.0 in PCIe 6.1.

Requester: ENCRYPT_CAP, MAC_CAP, KEY_EX_CAP, PSK_CAP, HBEAT_CAP, KEY_UPD_CAP, HANDSHAKE_IN_THE_CLEAR_CAP.

Responder: CERT_CAP, CHAL_CAP, MEAS_CAP_NO_SIG, MEAS_CAP_SIG, MEAS_FRESH_CAP, ENCRYPT_CAP, MAC_CAP, KEY_EX_CAP, PSK_CAP_WITHOUT_CONTEXT, PSK_CAP_WITH_CONTEXT, HBEAT_CAP, KEY_UPD_CAP, HANDSHAKE_IN_THE_CLEAR_CAP.

It depends on crypto wrapper. Current support algorithms:

• Hash: SHA2(256/384/512)
• Signature: RSA-SSA(2048/3072/4096) / RSA-PSS(2048/3072/4096) / ECDSA (P256/P384)
• KeyExchange: ECDHE(P256/P384)
• AEAD: AES_GCM(128/256) / ChaCha20Poly1305

All documents are put at doc folder.

git clone https://github.com/intel/rust-spdm.git
git submodule update --init --recursive

Then patch the ring/webpki.

sh_script/pre-build.sh

1. Install RUST

Please use nightly-2023-08-28.

2. Install NASM

Please make sure nasm can be found in PATH.

3. Install LLVM

Please make sure clang can be found in PATH.

4. Install Perl

   1. This is for crate ring
   2. This is for windows

Please make sure perl can be found in PATH.

Unset env (CC and AR):

export CC=
export AR=

Set the following environment variables:

export AR_x86_64_unknown_none=llvm-ar
export CC_x86_64_unknown_none=clang

Enter linux shell or mingw shell (e.g. git bash) in windows.

cargo clippy
cargo fmt
cargo build

pushd spdmlib
cargo build -Z build-std=core,alloc,compiler_builtins --target x86_64-unknown-none --release --no-default-features --features="spdm-ring"

Open one command windows and run:

cargo run -p spdm-responder-emu --no-default-features --features "spdm-ring,hashed-transcript-data"

Open another command windows and run:

cargo run -p spdm-requester-emu --no-default-features --features "spdm-ring,hashed-transcript-data"

The following list shows the supported combinations for both spdm-requester-emu and spdm-responder-emu

For example, run the emulator with spdm-ring enabled and without hashed-transcript-data enabled.
Open one command windows and run:

cargo run -p spdm-responder-emu --no-default-features --features "spdm-ring"

run the emulator with spdm-mbedtls enabled and with hashed-transcript-data enabled.
Open another command windows and run:

cargo run -p spdm-requester-emu --no-default-features --features "spdm-mbedtls,hashed-transcript-data"

NOTE: In order to run the emu without hashed-transcript-data, please change max_cert_chain_data_size in spdmlib/etc/config.json from 4096 to 3500.

Open one command windows in workspace and run:

git clone https://github.com/DMTF/spdm-emu.git
cd spdm-emu
git submodule update --init --recursive
mkdir build
cd build
cmake -G"NMake Makefiles" -DARCH=<x64|ia32> -DTOOLCHAIN=<toolchain> -DTARGET=<Debug|Release> -DCRYPTO=<mbedtls|openssl> ..
nmake copy_sample_key
nmake

Test rust-spdm as requester:

1. run libspdm in spdm-emu as responder:

cd bin
spdm_responder_emu.exe --trans PCI_DOE

2. run rust-spdm-emu as requester:

cargo run -p spdm-requester-emu --no-default-features --features "spdm-ring,hashed-transcript-data"

Test rust-spdm as responder:

1. run rust-spdm-emu as Test rust-spdm as responder:

cargo run -p spdm-responder-emu --no-default-features --features "spdm-ring,hashed-transcript-data"

2. run libspdm in spdm-emu as requester:

cd bin
spdm_requester_emu.exe --trans PCI_DOE --exe_conn DIGEST,CERT,CHAL,MEAS --exe_session KEY_EX,PSK,KEY_UPDATE,HEARTBEAT,MEAS,DIGEST,CERT

Setting up enough stack before running tests

export RUST_MIN_STACK=10485760

Test with hashed-transcript-data:

cargo test --no-default-features --features "spdmlib/std,spdmlib/spdm-ring,spdmlib/hashed-transcript-data" -- --test-threads=1

Test without hashed-transcript-data:

cargo test --no-default-features --features "spdmlib/std,spdmlib/spdm-ring" -- --test-threads=1

To run a specific test, use cargo test <test_func_name>

To run test with println!() message, use cargo test -- --nocapture

This package is only the sample code to show the concept. It does not have a full validation such as robustness functional test and fuzzing test. It does not meet the production quality yet. Any codes including the API definition, the libary and the drivers are subject to change.