Sync Set_certificate to 1.3 for erase cert feature

Wenxing-hou · Wenxing-hou · commit 2962233cee6c · 2023-11-15T09:34:37.000+08:00
Fix the issue: #2292 Only add the erase new 1.3 feature for set_certificate. Signed-off-by: Wenxing Hou <wenxing.hou@intel.com>
diff --git a/include/hal/library/responder/setcertlib.h b/include/hal/library/responder/setcertlib.h
@@ -38,6 +38,17 @@ extern bool libspdm_write_certificate_to_nvm(uint8_t slot_id, const void * cert_
                                              size_t cert_chain_size,
                                              uint32_t base_hash_algo, uint32_t base_asym_algo);
 
+/**
+ * Erase a certificate chain in non-volatile memory.
+ *
+ *
+ * @param[in]  slot_id          The number of slot for the certificate chain.
+ *
+ * @retval true   The certificate chain was successfully erased to non-volatile memory.
+ * @retval false  Unable to erase certificate chain to non-volatile memory.
+ **/
+extern bool libspdm_erase_nvm_certificate(uint8_t slot_id);
+
 #endif /* LIBSPDM_ENABLE_CAPABILITY_SET_CERT_CAP */
 
 #endif /* RESPONDER_SETCERTLIB_H */
diff --git a/include/industry_standard/spdm.h b/include/industry_standard/spdm.h
@@ -439,7 +439,9 @@ typedef struct {
     uint16_t length;
 } spdm_get_certificate_request_t;
 
-#define SPDM_GET_CERTIFICATE_REQUEST_SLOT_ID_MASK 0xF
+#define SPDM_GET_CERTIFICATE_REQUEST_SLOT_ID_MASK        0xF
+#define SPDM_SET_CERTIFICATE_REQUEST_SETCERTMODEL_MASK   0x70
+#define SPDM_SET_CERTIFICATE_REQUEST_ERASE_MASK          0x80
 
 /* SPDM GET_CERTIFICATE response */
 typedef struct {
@@ -669,6 +671,9 @@ typedef struct {
 #define SPDM_ERROR_CODE_LARGE_RESPONSE 0x0F
 #define SPDM_ERROR_CODE_MESSAGE_LOST 0x10
 
+/* SPDM error code (1.3) */
+#define SPDM_ERROR_CODE_OPERATION_FAILED 0x44
+
 /* SPDM ResponseNotReady extended data */
 typedef struct {
     uint8_t rd_exponent;
@@ -959,6 +964,9 @@ typedef struct {
     spdm_message_header_t header;
     /* param1 == BIT[0:3]=slot_id, BIT[4:7]=RSVD
      * param2 == RSVD
+     * param1 and param2 are updated in 1.3
+     * param1 == Request attributes, BIT[0:3]=slot_id, BIT[4:6]=SetCertModel, BIT[7]=Erase
+     * param2 == KeyPairID
      * void * cert_chain*/
 } spdm_set_certificate_request_t;
 
diff --git a/include/library/spdm_requester_lib.h b/include/library/spdm_requester_lib.h
@@ -705,6 +705,22 @@ libspdm_return_t libspdm_set_certificate(void *spdm_context,
                                          const uint32_t *session_id, uint8_t slot_id,
                                          void *cert_chain, size_t cert_chain_size);
 
+/**
+ * This function try to send SET_CERTIFICATE
+ * to erase certificate from the device.
+ *
+ * @param  context          A pointer to the SPDM context.
+ * @param  session_id       Indicates if it is a secured message protected via SPDM session.
+ *                          If session_id is NULL, it is a normal message.
+ *                          If session_id is NOT NULL, it is a secured message.
+ * @param  slot_id          The number of slot for the certificate chain.
+ *
+ * @retval RETURN_SUCCESS               The erase certificate measurement is got successfully.
+ * @retval RETURN_DEVICE_ERROR          A device error occurs when communicates with the device.
+ * @retval RETURN_SECURITY_VIOLATION    Any verification fails.
+ **/
+libspdm_return_t libspdm_set_certificate_erase(void *spdm_context,
+                                               const uint32_t *session_id, uint8_t slot_id);
 #endif /* LIBSPDM_ENABLE_CAPABILITY_SET_CERT_CAP */
 
 #if LIBSPDM_ENABLE_MSG_LOG
diff --git a/library/spdm_requester_lib/libspdm_req_set_certificate.c b/library/spdm_requester_lib/libspdm_req_set_certificate.c
@@ -19,14 +19,16 @@
  * @param  cert_chain                   The pointer for the certificate chain to set.
  *                                      The cert chain is a full SPDM certificate chain, including Length and Root Cert Hash.
  * @param  cert_chain_size              The size of the certificate chain to set.
+ * @param  erase_cert                   If ture, erase the slot_id cert chain.
  *
  * @retval RETURN_SUCCESS               The measurement is got successfully.
  * @retval RETURN_DEVICE_ERROR          A device error occurs when communicates with the device.
  * @retval RETURN_SECURITY_VIOLATION    Any verification fails.
  **/
 static libspdm_return_t libspdm_try_set_certificate(libspdm_context_t *spdm_context,
                                                     const uint32_t *session_id, uint8_t slot_id,
-                                                    void *cert_chain, size_t cert_chain_size)
+                                                    void *cert_chain, size_t cert_chain_size,
+                                                    bool erase_cert)
 {
     libspdm_return_t status;
     spdm_set_certificate_request_t *spdm_request;
@@ -48,8 +50,10 @@ static libspdm_return_t libspdm_try_set_certificate(libspdm_context_t *spdm_cont
 
     LIBSPDM_ASSERT(slot_id < SPDM_MAX_SLOT_COUNT);
 
-    if ((cert_chain == NULL) || (cert_chain_size == 0)) {
-        return LIBSPDM_STATUS_INVALID_PARAMETER;
+    if (libspdm_get_connection_version (spdm_context) < SPDM_MESSAGE_VERSION_13) {
+        if ((cert_chain == NULL) || (cert_chain_size == 0)) {
+            return LIBSPDM_STATUS_INVALID_PARAMETER;
+        }
     }
 
     if (spdm_context->connection_info.connection_state <
@@ -87,11 +91,24 @@ static libspdm_return_t libspdm_try_set_certificate(libspdm_context_t *spdm_cont
     spdm_request->header.param1 = slot_id;
     spdm_request->header.param2 = 0;
 
+    if (spdm_request->header.spdm_version >= SPDM_MESSAGE_VERSION_13) {
+        if (erase_cert) {
+            /*the CertChain field shall be absent*/
+            cert_chain_size = 0;
+            /*the value of SetCertModel shall be zero*/
+            spdm_request->header.param1 &= ~SPDM_SET_CERTIFICATE_REQUEST_SETCERTMODEL_MASK;
+            /*set Erase bit */
+            spdm_request->header.param1 |= SPDM_SET_CERTIFICATE_REQUEST_ERASE_MASK;
+        }
+    }
+
     LIBSPDM_ASSERT(spdm_request->header.spdm_version >= SPDM_MESSAGE_VERSION_12);
 
-    libspdm_copy_mem(spdm_request + 1,
-                     spdm_request_size - sizeof(spdm_set_certificate_request_t),
-                     (uint8_t *)cert_chain, cert_chain_size);
+    if (libspdm_get_connection_version (spdm_context) < SPDM_MESSAGE_VERSION_13) {
+        libspdm_copy_mem(spdm_request + 1,
+                         spdm_request_size - sizeof(spdm_set_certificate_request_t),
+                         (uint8_t *)cert_chain, cert_chain_size);
+    }
 
     spdm_request_size = sizeof(spdm_set_certificate_request_t) + cert_chain_size;
 
@@ -171,7 +188,32 @@ libspdm_return_t libspdm_set_certificate(void *spdm_context,
     retry_delay_time = context->retry_delay_time;
     do {
         status = libspdm_try_set_certificate(context, session_id, slot_id,
-                                             cert_chain, cert_chain_size);
+                                             cert_chain, cert_chain_size, false);
+        if ((status != LIBSPDM_STATUS_BUSY_PEER) || (retry == 0)) {
+            return status;
+        }
+
+        libspdm_sleep(retry_delay_time);
+    } while (retry-- != 0);
+
+    return status;
+}
+
+libspdm_return_t libspdm_set_certificate_erase(void *spdm_context,
+                                               const uint32_t *session_id, uint8_t slot_id)
+{
+    libspdm_context_t *context;
+    size_t retry;
+    uint64_t retry_delay_time;
+    libspdm_return_t status;
+
+    context = spdm_context;
+    context->crypto_request = true;
+    retry = context->retry_times;
+    retry_delay_time = context->retry_delay_time;
+    do {
+        status = libspdm_try_set_certificate(context, session_id, slot_id,
+                                             NULL, 0, true);
         if ((status != LIBSPDM_STATUS_BUSY_PEER) || (retry == 0)) {
             return status;
         }
diff --git a/library/spdm_responder_lib/libspdm_rsp_set_certificate.c b/library/spdm_responder_lib/libspdm_rsp_set_certificate.c
@@ -147,63 +147,83 @@ libspdm_return_t libspdm_get_response_set_certificate(libspdm_context_t *spdm_co
     root_cert_hash_size = libspdm_get_hash_size(
         spdm_context->connection_info.algorithm.base_hash_algo);
 
-    if (request_size < sizeof(spdm_set_certificate_request_t) +
-        sizeof(spdm_cert_chain_t) + root_cert_hash_size) {
-        return libspdm_generate_error_response(spdm_context,
-                                               SPDM_ERROR_CODE_INVALID_REQUEST, 0,
-                                               response_size, response);
-    }
+    if ((libspdm_get_connection_version(spdm_context) >= SPDM_MESSAGE_VERSION_13) &&
+        ((spdm_request->header.param1 & SPDM_SET_CERTIFICATE_REQUEST_ERASE_MASK) != 0)) {
+        /*the CertChain field shall be absent;the value of SetCertModel shall be zero*/
+        if ((request_size != sizeof(spdm_set_certificate_request_t)) ||
+            ((spdm_request->header.param1 & SPDM_SET_CERTIFICATE_REQUEST_SETCERTMODEL_MASK) != 0)) {
+            return libspdm_generate_error_response(spdm_context,
+                                                   SPDM_ERROR_CODE_INVALID_REQUEST, 0,
+                                                   response_size, response);
+        }
 
-    /*point to full SPDM certificate chain*/
-    cert_chain = (const void*)(spdm_request + 1);
-    cert_chain_header = cert_chain;
+        /* erase slot_id cert_chain*/
+        result = libspdm_erase_nvm_certificate(slot_id);
+        if (!result) {
+            return libspdm_generate_error_response(spdm_context,
+                                                   SPDM_ERROR_CODE_OPERATION_FAILED, 0,
+                                                   response_size, response);
+        }
+    } else {
+        if (request_size < sizeof(spdm_set_certificate_request_t) +
+            sizeof(spdm_cert_chain_t) + root_cert_hash_size) {
+            return libspdm_generate_error_response(spdm_context,
+                                                   SPDM_ERROR_CODE_INVALID_REQUEST, 0,
+                                                   response_size, response);
+        }
 
-    if (cert_chain_header->length < sizeof(spdm_cert_chain_t) + root_cert_hash_size) {
-        return libspdm_generate_error_response(spdm_context,
-                                               SPDM_ERROR_CODE_INVALID_REQUEST, 0,
-                                               response_size, response);
-    }
-    if (cert_chain_header->length > request_size - sizeof(spdm_set_certificate_request_t)) {
-        return libspdm_generate_error_response(spdm_context,
-                                               SPDM_ERROR_CODE_INVALID_REQUEST, 0,
-                                               response_size, response);
-    }
+        /*point to full SPDM certificate chain*/
+        cert_chain = (const void*)(spdm_request + 1);
+        cert_chain_header = cert_chain;
 
-    /*get actual cert_chain size*/
-    cert_chain_size = cert_chain_header->length - sizeof(spdm_cert_chain_t) - root_cert_hash_size;
+        if (cert_chain_header->length < sizeof(spdm_cert_chain_t) + root_cert_hash_size) {
+            return libspdm_generate_error_response(spdm_context,
+                                                   SPDM_ERROR_CODE_INVALID_REQUEST, 0,
+                                                   response_size, response);
+        }
+        if (cert_chain_header->length > request_size - sizeof(spdm_set_certificate_request_t)) {
+            return libspdm_generate_error_response(spdm_context,
+                                                   SPDM_ERROR_CODE_INVALID_REQUEST, 0,
+                                                   response_size, response);
+        }
 
-    /*point to actual cert_chain*/
-    cert_chain = (const void*)((const uint8_t *)cert_chain
-                               + sizeof(spdm_cert_chain_t) + root_cert_hash_size);
+        /*get actual cert_chain size*/
+        cert_chain_size = cert_chain_header->length - sizeof(spdm_cert_chain_t) -
+                          root_cert_hash_size;
 
-    is_device_cert_model = false;
-    if((spdm_context->local_context.capability.flags &
-        SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_ALIAS_CERT_CAP) == 0) {
-        is_device_cert_model = true;
-    }
+        /*point to actual cert_chain*/
+        cert_chain = (const void*)((const uint8_t *)cert_chain
+                                   + sizeof(spdm_cert_chain_t) + root_cert_hash_size);
+
+        is_device_cert_model = false;
+        if((spdm_context->local_context.capability.flags &
+            SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_ALIAS_CERT_CAP) == 0) {
+            is_device_cert_model = true;
+        }
 
 #if LIBSPDM_CERT_PARSE_SUPPORT
-    /*check the cert_chain*/
-    result = libspdm_set_cert_verify_certchain(cert_chain, cert_chain_size,
-                                               spdm_context->connection_info.algorithm.base_asym_algo,
-                                               spdm_context->connection_info.algorithm.base_hash_algo,
-                                               is_device_cert_model);
-    if (!result) {
-        return libspdm_generate_error_response(spdm_context,
-                                               SPDM_ERROR_CODE_UNSPECIFIED, 0,
-                                               response_size, response);
-    }
+        /*check the cert_chain*/
+        result = libspdm_set_cert_verify_certchain(cert_chain, cert_chain_size,
+                                                   spdm_context->connection_info.algorithm.base_asym_algo,
+                                                   spdm_context->connection_info.algorithm.base_hash_algo,
+                                                   is_device_cert_model);
+        if (!result) {
+            return libspdm_generate_error_response(spdm_context,
+                                                   SPDM_ERROR_CODE_UNSPECIFIED, 0,
+                                                   response_size, response);
+        }
 #endif /*LIBSPDM_CERT_PARSE_SUPPORT*/
 
-    /* set certificate to NV*/
-    result = libspdm_write_certificate_to_nvm(slot_id, cert_chain,
-                                              cert_chain_size,
-                                              spdm_context->connection_info.algorithm.base_hash_algo,
-                                              spdm_context->connection_info.algorithm.base_asym_algo);
-    if (!result) {
-        return libspdm_generate_error_response(spdm_context,
-                                               SPDM_ERROR_CODE_UNSPECIFIED, 0,
-                                               response_size, response);
+        /* set certificate to NV*/
+        result = libspdm_write_certificate_to_nvm(slot_id, cert_chain,
+                                                  cert_chain_size,
+                                                  spdm_context->connection_info.algorithm.base_hash_algo,
+                                                  spdm_context->connection_info.algorithm.base_asym_algo);
+        if (!result) {
+            return libspdm_generate_error_response(spdm_context,
+                                                   SPDM_ERROR_CODE_UNSPECIFIED, 0,
+                                                   response_size, response);
+        }
     }
 
     LIBSPDM_ASSERT(*response_size >= sizeof(spdm_set_certificate_response_t));
diff --git a/os_stub/spdm_device_secret_lib_null/lib.c b/os_stub/spdm_device_secret_lib_null/lib.c
@@ -139,6 +139,12 @@ bool libspdm_write_certificate_to_nvm(uint8_t slot_id, const void * cert_chain,
 {
     return false;
 }
+
+bool libspdm_erase_nvm_certificate(uint8_t slot_id)
+{
+    return false;
+}
+
 #endif /* LIBSPDM_ENABLE_CAPABILITY_SET_CERT_CAP */
 
 #if LIBSPDM_ENABLE_CAPABILITY_CSR_CAP
diff --git a/os_stub/spdm_device_secret_lib_sample/lib.c b/os_stub/spdm_device_secret_lib_sample/lib.c
@@ -1725,4 +1725,37 @@ bool libspdm_write_certificate_to_nvm(uint8_t slot_id, const void * cert_chain,
 
     return true;
 }
+
+bool libspdm_erase_nvm_certificate(uint8_t slot_id)
+{
+#if defined(_WIN32) || (defined(__clang__) && (defined (LIBSPDM_CPU_AARCH64) || \
+    defined(LIBSPDM_CPU_ARM)))
+    FILE *fp_out;
+#else
+    int64_t fp_out;
+#endif
+
+    char file_name[] = "slot_id_0_cert_chain.der";
+    /*change the file name, for example: slot_id_1_cert_chain.der*/
+    file_name[8] = (char)(slot_id+'0');
+
+#if defined(_WIN32) || (defined(__clang__) && (defined (LIBSPDM_CPU_AARCH64) || \
+    defined(LIBSPDM_CPU_ARM)))
+    if ((fp_out = fopen(file_name, "w+b")) == NULL) {
+        printf("Unable to open file %s\n", file_name);
+        return false;
+    }
+
+    fclose(fp_out);
+#else
+    if ((fp_out = open(file_name, O_WRONLY | O_TRUNC)) == -1) {
+        printf("Unable to open file %s\n", file_name);
+        return false;
+    }
+
+    close(fp_out);
+#endif
+
+    return true;
+}
 #endif /* LIBSPDM_ENABLE_CAPABILITY_SET_CERT_CAP */

Original file line number	Diff line number	Diff line change
`@@ -139,6 +139,12 @@ bool libspdm_write_certificate_to_nvm(uint8_t slot_id, const void * cert_chain,`
`139`	`139`	`{`
`140`	`140`	`return false;`
`141`	`141`	`}`
	`142`	`+`
	`143`	`+bool libspdm_erase_nvm_certificate(uint8_t slot_id)`
	`144`	`+{`
	`145`	`+ return false;`
	`146`	`+}`
	`147`	`+`
`142`	`148`	`#endif /* LIBSPDM_ENABLE_CAPABILITY_SET_CERT_CAP */`
`143`	`149`
`144`	`150`	`#if LIBSPDM_ENABLE_CAPABILITY_CSR_CAP`