SET_CERT: ResetRequired handling #2864

Open
rw8896 opened this issue Oct 18, 2024 · 1 comment
Labels
enhancement New feature or request


rw8896 commented Oct 18, 2024

It seems that the following behaviors haven't been implemented in libspdm yet.
If that's the case, is there any existing issue or plan to fix it?

"If the device temporarily cannot write to a slot, including in a case when it receives overlapping SET_CERTIFICATE requests from different Requesters, then the device shall respond with an ErrorCode=Busy response.

When a reset is required for a pending previous SET_CERTIFICATE request and the device receives a GET_CERTIFICATE request for a pending slot or a GET_DIGESTS request, the device shall respond with an ErrorCode=ResetRequired response."

@steven-bellock

> is there any existing issue

Not that I know of.

> or plan to fix it?

There can be, if it is needed. I think in a pull request I commented that libspdm needs to check with the Integrator before sending ResetRequired. In particular `libspdm_gen_csr` has

```c
 * @param[in, out]  need_reset  For input, it gives the value of CERT_INSTALL_RESET_CAP:
 *                              If true, then device needs to be reset to complete the CSR.
 *                              If false, the device doesn`t need to be reset to complete the CSR.
 *                              For output, it specifies whether the device needs to be reset to complete the CSR or not.
```

whereas there's no such check for SET_CERTIFICATE. In particular libspdm blindly sends ResetRequired if the Responder's CERT_INSTALL_RESET_CAP is set:

```c
/*requires a reset to complete the SET_CERTIFICATE request*/
if (libspdm_is_capabilities_flag_supported(
        spdm_context, false, 0,
        SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_CERT_INSTALL_RESET_CAP)) {
    /*the device will reset to set cert*/
    return libspdm_generate_error_response(spdm_context,
                                           SPDM_ERROR_CODE_RESET_REQUIRED, 0,
                                           response_size, response);
}
```

which is not entirely correct. I.e., whether the reset is required may be conditional on other things besides the capability. So maybe `libspdm_write_certificate_to_nvm` can return whether errors are required to libspdm. For the Busy response to GET_CERTIFICATE we just need a per-slot way for the Integrator to communicate the state of the certificate slot in the `spdm_context`.
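
A sketch of the per-slot state tracking discussed in this thread, added here as an illustration; it is not libspdm code and not from either commenter. All type and function names are hypothetical, and the choices marked as assumptions in the comments go beyond the quoted specification text.

```c
#include <stdbool.h>

/* Hypothetical names throughout; none of this is libspdm API. */
#define SLOT_COUNT 8

typedef enum { SLOT_IDLE, SLOT_WRITING, SLOT_PENDING_RESET } slot_state_t;
typedef enum { RSP_PROCEED, RSP_BUSY, RSP_RESET_REQUIRED, RSP_INVALID_REQUEST } rsp_t;

typedef struct { slot_state_t state[SLOT_COUNT]; } slot_tracker_t;

/* SET_CERTIFICATE arrives: claim the slot, or report Busy if it cannot be written now. */
rsp_t set_cert_begin(slot_tracker_t *t, unsigned slot)
{
    if (slot >= SLOT_COUNT) return RSP_INVALID_REQUEST;
    /* Overlapping request for a slot being written -> Busy.
     * Assumption: a slot awaiting reset is also treated as not writable. */
    if (t->state[slot] != SLOT_IDLE) return RSP_BUSY;
    t->state[slot] = SLOT_WRITING;
    return RSP_PROCEED;
}

/* The Integrator's write finished and reports whether this write needs a reset,
 * instead of the Responder inferring it from CERT_INSTALL_RESET_CAP alone. */
rsp_t set_cert_end(slot_tracker_t *t, unsigned slot, bool need_reset)
{
    /* Completing a write that was never started is a caller error. */
    if (slot >= SLOT_COUNT || t->state[slot] != SLOT_WRITING) return RSP_INVALID_REQUEST;
    t->state[slot] = need_reset ? SLOT_PENDING_RESET : SLOT_IDLE;
    return need_reset ? RSP_RESET_REQUIRED : RSP_PROCEED;
}

/* GET_CERTIFICATE for one slot: a pending slot -> ResetRequired. */
rsp_t get_cert_gate(const slot_tracker_t *t, unsigned slot)
{
    if (slot >= SLOT_COUNT) return RSP_INVALID_REQUEST;
    if (t->state[slot] == SLOT_PENDING_RESET) return RSP_RESET_REQUIRED;
    /* Assumption: a read that races an in-progress write gets Busy. */
    return t->state[slot] == SLOT_WRITING ? RSP_BUSY : RSP_PROCEED;
}

/* GET_DIGESTS: any slot with a pending reset -> ResetRequired. */
rsp_t get_digests_gate(const slot_tracker_t *t)
{
    for (unsigned i = 0; i < SLOT_COUNT; i++)
        if (t->state[i] == SLOT_PENDING_RESET) return RSP_RESET_REQUIRED;
    return RSP_PROCEED;
}
```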
