[v2,1/1] package/libspdm: bump version to 3.3.0

Message ID 20240603003706.87432-2-wilfred.mallawa@wdc.com
State Changes Requested
Series [v2,1/1] package/libspdm: bump version to 3.3.0

Commit Message

Wilfred Mallawa June 3, 2024, 12:37 a.m. UTC
`libspdm 3.3.0` now supports the SPDM event capability; however, this
patch disables support for EVENT_CAP as it is optional and requires
additional functionality implemented at link time.

Adds a pending upstream patch that fixes the incorrect parsing of
certificates with `id-DMTF-hardware-identity OID` tags.

Signed-off-by: Wilfred Mallawa <wilfred.mallawa@wdc.com>
---
Changes in V2:
	- Keep LTO enabled.

 ...eLists-remove-fixed-options-for-NONE.patch | 52 -----------------
 ...spdm_responder-Fixup-set-cert-checks.patch | 56 +++++++++++++++++++
 package/libspdm/libspdm.hash                  |  2 +-
 package/libspdm/libspdm.mk                    |  5 +-
 4 files changed, 60 insertions(+), 55 deletions(-)
 delete mode 100644 package/libspdm/0001-CMakeLists-remove-fixed-options-for-NONE.patch
 create mode 100644 package/libspdm/0001-library-spdm_responder-Fixup-set-cert-checks.patch

Comments

Arnout Vandecappelle July 11, 2024, 9:55 p.m. UTC | #1
On 03/06/2024 02:37, Wilfred Mallawa via buildroot wrote:
> `libspdm 3.3.0` now supports the SPDM event capability; however, this
> patch disables support for EVENT_CAP as it is optional and requires
> additional functionality implemented at link time.
> 
> Adds a pending upstream patch that fixes the incorrect parsing of
> certificates with `id-DMTF-hardware-identity OID` tags.
> 
> Signed-off-by: Wilfred Mallawa <wilfred.mallawa@wdc.com>

[snip]
> diff --git a/package/libspdm/0001-library-spdm_responder-Fixup-set-cert-checks.patch b/package/libspdm/0001-library-spdm_responder-Fixup-set-cert-checks.patch
> new file mode 100644
> index 0000000000..1708568500
> --- /dev/null
> +++ b/package/libspdm/0001-library-spdm_responder-Fixup-set-cert-checks.patch
> @@ -0,0 +1,56 @@
> +From e41eea4f4119d1efb9a633092b32e6717a1c246c Mon Sep 17 00:00:00 2001
> +From: Alistair Francis <alistair.francis@wdc.com>
> +Date: Thu, 23 May 2024 15:33:26 +1000
> +Subject: [PATCH] library/spdm_responder: Fixup set cert checks
> +
> +When we run checks against the certificate that the requester set we
> +have the following function calls
> + - libspdm_set_cert_verify_certchain()
> +  - libspdm_x509_set_cert_certificate_check()
> +  ...
> +   - libspdm_verify_leaf_cert_spdm_extension()
> +
> +At which point libspdm_verify_leaf_cert_spdm_extension() checks to make
> +sure the id-DMTF-hardware-identity OID is not set if it's an AliasCert
> +model.
> +
> +This ends up being incorrect though. If using an AliasCert the
> +SET_CERTIFICATE CertChain (table 93 - section 770) will "contain a partial
> +certificate chain from the root CA to the Device Certificate CA". This
> +means that the leaf certificate of that chain should set the the
> +id-DMTF-hardware-identity OID as it isn't an alias certificate.
> +
> +At this point the check in libspdm_verify_leaf_cert_spdm_extension() is
> +incorrect.
> +
> +The documentation of libspdm_x509_set_cert_certificate_check() states
> +that:
> +    is_requester_cert     Is the function verifying requester or responder cert.
> +
> +Although we are a responder, we are verifying a certificate set by the
> +requester, so change the is_requester_cert to true to avoid the
> +incorrect id-DMTF-hardware-identity OID check and match the
> +documentation.
> +
> +Upstream: https://github.com/DMTF/libspdm/pull/2708
> +Signed-off-by: Alistair Francis <alistair.francis@wdc.com>

  It seems that this patch was not accepted upstream and replaced with 
https://github.com/DMTF/libspdm/pull/2721
Could you update with that?

  Regards,
  Arnout

> +---
> + library/spdm_responder_lib/libspdm_rsp_set_certificate.c | 2 +-
> + 1 file changed, 1 insertion(+), 1 deletion(-)
> +
> +diff --git a/library/spdm_responder_lib/libspdm_rsp_set_certificate.c b/library/spdm_responder_lib/libspdm_rsp_set_certificate.c
> +index 8c2d36fca8..bed87d9e9a 100644
> +--- a/library/spdm_responder_lib/libspdm_rsp_set_certificate.c
> ++++ b/library/spdm_responder_lib/libspdm_rsp_set_certificate.c
> +@@ -42,7 +42,7 @@ static bool libspdm_set_cert_verify_certchain(const uint8_t *cert_chain, size_t
> +     /*verify leaf cert*/
> +     if (!libspdm_x509_set_cert_certificate_check(leaf_cert_buffer, leaf_cert_buffer_size,
> +                                                  base_asym_algo, base_hash_algo,
> +-                                                 false, is_device_cert_model)) {
> ++                                                 true, is_device_cert_model)) {
> +         return false;
> +     }
> +
> +--
> +2.45.1

[snip]
Patch

diff --git a/package/libspdm/0001-CMakeLists-remove-fixed-options-for-NONE.patch b/package/libspdm/0001-CMakeLists-remove-fixed-options-for-NONE.patch
deleted file mode 100644
index 0de0ad0079..0000000000
--- a/package/libspdm/0001-CMakeLists-remove-fixed-options-for-NONE.patch
+++ /dev/null
@@ -1,52 +0,0 @@ 
-From d4d6b138d727e484fa9d0fef476ca181681d0695 Mon Sep 17 00:00:00 2001
-From: Wilfred Mallawa <wilfred.mallawa@wdc.com>
-Date: Mon, 19 Feb 2024 09:56:14 +1000
-Subject: [PATCH] CMakeLists: remove fixed options for NONE
-
-The use of the NONE toolchain option is such that we can provide at the
-build project level (buildroot etc...). However, the changes introduced
-in 811f2b596def04b3a36368cf2098546d7907767f set certain compiler/linker
-option that does not comply with the definition of the options as
-specified in [1]. This change removes those options.
-
-[1] https://github.com/DMTF/libspdm/blob/main/doc/build.md#linux-builds-inside-build-environments
-
-Upstream: https://github.com/DMTF/libspdm/commit/d4d6b138d727e484fa9d0fef476ca181681d0695
-Signed-off-by: Wilfred Mallawa <wilfred.mallawa@wdc.com>
----
- CMakeLists.txt | 19 -------------------
- 1 file changed, 19 deletions(-)
-
-diff --git a/CMakeLists.txt b/CMakeLists.txt
-index 9c300cc817..f6cf17d269 100644
---- a/CMakeLists.txt
-+++ b/CMakeLists.txt
-@@ -618,25 +618,6 @@ if(CMAKE_SYSTEM_NAME MATCHES "Linux")
-         SET(CMAKE_EXE_LINKER_FLAGS "")
- 
-         SET(CMAKE_C_LINK_EXECUTABLE "")
--
--    elseif(TOOLCHAIN STREQUAL "NONE")
--        ADD_COMPILE_OPTIONS(-fshort-wchar -fno-strict-aliasing -Wall -Werror -Wno-array-bounds -ffunction-sections -fdata-sections -fno-common -Wno-address -fpie -fno-asynchronous-unwind-tables -flto -DUSING_LTO  -Wno-maybe-uninitialized -Wno-uninitialized  -Wno-builtin-declaration-mismatch -Wno-nonnull-compare -Werror-implicit-function-declaration)
--        if(CMAKE_BUILD_TYPE STREQUAL "Debug")
--            ADD_COMPILE_OPTIONS(-g)
--        endif()
--        if(GCOV STREQUAL "ON")
--        ADD_COMPILE_OPTIONS(--coverage -fprofile-arcs -ftest-coverage)
--        endif()
--        SET(OPENSSL_FLAGS -include base.h -Wno-error=maybe-uninitialized -Wno-error=format -Wno-format -Wno-error=unused-but-set-variable -Wno-cast-qual -Wno-error=implicit-function-declaration)
--        SET(CMOCKA_FLAGS -std=gnu99 -Wpedantic -Wall -Wshadow -Wmissing-prototypes -Wcast-align -Werror=address -Wstrict-prototypes -Werror=strict-prototypes -Wwrite-strings -Werror=write-strings -Werror-implicit-function-declaration -Wpointer-arith -Werror=pointer-arith -Wdeclaration-after-statement -Werror=declaration-after-statement -Wreturn-type -Werror=return-type -Wuninitialized -Werror=uninitialized -Werror=strict-overflow -Wstrict-overflow=2 -Wno-format-zero-length -Wmissing-field-initializers -Wformat-security -Werror=format-security -fno-common -Wformat -fno-common -fstack-protector-strong -Wno-cast-qual)
--
--        SET(CMAKE_LINKER ${CMAKE_C_COMPILER})
--        SET(CMAKE_EXE_LINKER_FLAGS "-flto -Wno-error -no-pie" )
--        if(GCOV STREQUAL "ON")
--        SET(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS}  --coverage -lgcov -fprofile-arcs -ftest-coverage")
--        endif()
--        SET(CMAKE_C_LINK_EXECUTABLE "<CMAKE_LINKER> <CMAKE_C_LINK_FLAGS> <LINK_FLAGS> <OBJECTS> -o <TARGET> -Wl,--start-group <LINK_LIBRARIES> -Wl,--end-group")
--
-     endif()
- 
-     if(NOT TOOLCHAIN STREQUAL "NIOS2_GCC")
--- 
-2.43.2
-
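
Review bot: the commit message does not say why package/libspdm/0001-CMakeLists-remove-fixed-options-for-NONE.patch is dropped. Its Upstream: line points at commit d4d6b138d727e484fa9d0fef476ca181681d0695, so please state that this commit is contained in the 3.3.0 release and the patch is therefore obsolete; without that sentence a reviewer has to re-check that the fixed TOOLCHAIN "NONE" options (including the -flto / -DUSING_LTO pair, which the V2 changelog says is kept enabled) are indeed gone from the new tarball rather than silently re-introduced.
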
diff --git a/package/libspdm/0001-library-spdm_responder-Fixup-set-cert-checks.patch b/package/libspdm/0001-library-spdm_responder-Fixup-set-cert-checks.patch
new file mode 100644
index 0000000000..1708568500
--- /dev/null
+++ b/package/libspdm/0001-library-spdm_responder-Fixup-set-cert-checks.patch
@@ -0,0 +1,56 @@ 
+From e41eea4f4119d1efb9a633092b32e6717a1c246c Mon Sep 17 00:00:00 2001
+From: Alistair Francis <alistair.francis@wdc.com>
+Date: Thu, 23 May 2024 15:33:26 +1000
+Subject: [PATCH] library/spdm_responder: Fixup set cert checks
+
+When we run checks against the certificate that the requester set we
+have the following function calls
+ - libspdm_set_cert_verify_certchain()
+  - libspdm_x509_set_cert_certificate_check()
+  ...
+   - libspdm_verify_leaf_cert_spdm_extension()
+
+At which point libspdm_verify_leaf_cert_spdm_extension() checks to make
+sure the id-DMTF-hardware-identity OID is not set if it's an AliasCert
+model.
+
+This ends up being incorrect though. If using an AliasCert the
+SET_CERTIFICATE CertChain (table 93 - section 770) will "contain a partial
+certificate chain from the root CA to the Device Certificate CA". This
+means that the leaf certificate of that chain should set the the
+id-DMTF-hardware-identity OID as it isn't an alias certificate.
+
+At this point the check in libspdm_verify_leaf_cert_spdm_extension() is
+incorrect.
+
+The documentation of libspdm_x509_set_cert_certificate_check() states
+that:
+    is_requester_cert     Is the function verifying requester or responder cert.
+
+Although we are a responder, we are verifying a certificate set by the
+requester, so change the is_requester_cert to true to avoid the
+incorrect id-DMTF-hardware-identity OID check and match the
+documentation.
+
+Upstream: https://github.com/DMTF/libspdm/pull/2708
+Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
+---
+ library/spdm_responder_lib/libspdm_rsp_set_certificate.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/library/spdm_responder_lib/libspdm_rsp_set_certificate.c b/library/spdm_responder_lib/libspdm_rsp_set_certificate.c
+index 8c2d36fca8..bed87d9e9a 100644
+--- a/library/spdm_responder_lib/libspdm_rsp_set_certificate.c
++++ b/library/spdm_responder_lib/libspdm_rsp_set_certificate.c
+@@ -42,7 +42,7 @@ static bool libspdm_set_cert_verify_certchain(const uint8_t *cert_chain, size_t
+     /*verify leaf cert*/
+     if (!libspdm_x509_set_cert_certificate_check(leaf_cert_buffer, leaf_cert_buffer_size,
+                                                  base_asym_algo, base_hash_algo,
+-                                                 false, is_device_cert_model)) {
++                                                 true, is_device_cert_model)) {
+         return false;
+     }
+ 
+-- 
+2.45.1
+
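
Review bot: the Upstream: line points at https://github.com/DMTF/libspdm/pull/2708, which the review reply in this thread says was not accepted and was superseded by https://github.com/DMTF/libspdm/pull/2721; carry the patch from the merged PR instead and update the Upstream: tag, otherwise the Buildroot copy diverges from what the next libspdm release will ship. Also note that flipping the fifth argument of libspdm_x509_set_cert_certificate_check() from `false` to `true` does more than skip the id-DMTF-hardware-identity OID check described in the message: every other check inside that function that branches on is_requester_cert now takes the requester path for a chain that is being installed on a responder, so the replacement patch should be reviewed for that side effect as well.
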
diff --git a/package/libspdm/libspdm.hash b/package/libspdm/libspdm.hash
index 32415bcfce..7067f010e2 100644
--- a/package/libspdm/libspdm.hash
+++ b/package/libspdm/libspdm.hash
@@ -1,3 +1,3 @@ 
 # Locally calculated
-sha256  0ee460c0ce5c4d126ca65f9c4bdabd5725b87cec7160b2d06721169df58f3a95  libspdm-3.2.0.tar.gz
+sha256  178c7bd785b3ac71b886b8360dab926d42e4d5edc55009bcd341295f25f56c91  libspdm-3.3.0.tar.gz
 sha256  7dc072bff163df39209bbb63e0916f4667c2a84cf3c36ccc84ec7425bc3e4779  LICENSE.md
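
Review bot: both digests are marked "# Locally calculated", so a reviewer has nothing published upstream to compare the new libspdm-3.3.0.tar.gz hash against; please mention in the commit message that it was computed from a fresh download through the github helper so the value can be reproduced independently. The unchanged LICENSE.md hash is consistent with LIBSPDM_LICENSE staying BSD-3-Clause in libspdm.mk.
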
diff --git a/package/libspdm/libspdm.mk b/package/libspdm/libspdm.mk
index 2ec35be0ac..76386eee70 100644
--- a/package/libspdm/libspdm.mk
+++ b/package/libspdm/libspdm.mk
@@ -4,7 +4,7 @@ 
 #
 ################################################################################
 
-LIBSPDM_VERSION = 3.2.0
+LIBSPDM_VERSION = 3.3.0
 LIBSPDM_SITE = $(call github,DMTF,libspdm,$(LIBSPDM_VERSION))
 LIBSPDM_LICENSE = BSD-3-Clause
 LIBSPDM_LICENSE_FILES = LICENSE.md
@@ -27,7 +27,8 @@  LIBSPDM_CONF_OPTS = \
 	-DCOMPILED_LIBSSL_PATH=/usr/lib/ \
 	-DDISABLE_TESTS=1 \
 	-DDISABLE_EDDSA=1 \
-	-DLINK_FLAGS=$(STAGING_DIR)
+	-DLINK_FLAGS=$(STAGING_DIR) \
+	-DCMAKE_C_FLAGS="-DLIBSPDM_ENABLE_CAPABILITY_EVENT_CAP=0" ..
 
 define LIBSPDM_INSTALL_STAGING_CMDS
 	mkdir -p $(STAGING_DIR)/usr/lib
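
Review bot: the trailing ` ..` on the new -DCMAKE_C_FLAGS line looks like a leftover from an interactive `cmake ..` invocation; the cmake-package infrastructure supplies the source directory itself, so this stray token is handed to cmake as an extra positional argument and should be removed. Separately, passing -DCMAKE_C_FLAGS="-DLIBSPDM_ENABLE_CAPABILITY_EVENT_CAP=0" on the command line replaces the target CFLAGS that Buildroot's toolchain file would otherwise provide (a cache entry given on the command line takes precedence), silently dropping the optimisation and hardening flags of the build; the usual pattern is -DCMAKE_C_FLAGS="$(TARGET_CFLAGS) -DLIBSPDM_ENABLE_CAPABILITY_EVENT_CAP=0". A short comment above LIBSPDM_CONF_OPTS explaining that EVENT_CAP is disabled because it needs additional link-time functionality, as the commit message says, would also save the next person from re-enabling it.
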