TianoCore EDK2 master
Loading...
Searching...
No Matches
spdm_lib_config.h
Go to the documentation of this file.
1
10#ifndef SPDM_LIB_CONFIG_H
11#define SPDM_LIB_CONFIG_H
12
13/* Enables assertions and debug printing. When `LIBSPDM_DEBUG_ENABLE` is defined it overrides or
14 * sets the values of `LIBSPDM_DEBUG_PRINT_ENABLE`, `LIBSPDM_DEBUG_ASSERT_ENABLE`, and
15 * `LIBSPDM_BLOCK_ENABLE` to the value of `LIBSPDM_DEBUG_ENABLE`.
16 *
17 * Note that if this file is used with CMake and `DTARGET=Release` is defined, then all debugging
18 * is disabled.
19 */
20#ifndef LIBSPDM_DEBUG_ENABLE
21#define LIBSPDM_DEBUG_ENABLE 1
22#endif
23
24/* The SPDM specification allows a Responder to return up to 256 version entries in the `VERSION`
25 * response to the Requester, including duplicate entries. For a Requester this value specifies the
26 * maximum number of entries that libspdm will tolerate in a `VERSION` response before returning an
27 * error. A similiar macro, `SPDM_MAX_VERSION_COUNT`, exists for the Responder. However this macro
28 * is not meant to be configured by the integrator.
29 */
30#ifndef LIBSPDM_MAX_VERSION_COUNT
31#define LIBSPDM_MAX_VERSION_COUNT 5
32#endif
33
34/* This value specifies the maximum size, in bytes, of the `PSK_EXCHANGE.RequesterContext` and,
35 * if supported by the Responder, `PSK_EXCHANGE_RSP.ResponderContext` fields. The fields are
36 * typically random or monotonically increasing numbers.
37 */
38#ifndef LIBSPDM_PSK_CONTEXT_LENGTH
39#define LIBSPDM_PSK_CONTEXT_LENGTH LIBSPDM_MAX_HASH_SIZE
40#endif
41/* This value specifies the maximum size, in bytes, of the `PSK_EXCHANGE.PSKHint` field.*/
42#ifndef LIBSPDM_PSK_MAX_HINT_LENGTH
43#define LIBSPDM_PSK_MAX_HINT_LENGTH 16
44#endif
45
46/* libspdm allows an integrator to specify multiple root certificates as trust anchors when
47 * verifying certificate chains from an endpoint. This value specifies the maximum number of root
48 * certificates that libspdm can support.
49 */
50#ifndef LIBSPDM_MAX_ROOT_CERT_SUPPORT
51#define LIBSPDM_MAX_ROOT_CERT_SUPPORT 10
52#endif
53
54/* If the Responder supports it a Requester is allowed to establish multiple secure sessions with
55 * the Responder. This value specifies the maximum number of sessions libspdm can support.
56 */
57#ifndef LIBSPDM_MAX_SESSION_COUNT
58#define LIBSPDM_MAX_SESSION_COUNT 4
59#endif
60
61/* This value specifies the maximum size, in bytes, of a certificate chain that can be stored in a
62 * libspdm context.
63 */
64#ifndef LIBSPDM_MAX_CERT_CHAIN_SIZE
65#define LIBSPDM_MAX_CERT_CHAIN_SIZE 0x1000
66#endif
67#ifndef LIBSPDM_MAX_MEASUREMENT_RECORD_SIZE
68#define LIBSPDM_MAX_MEASUREMENT_RECORD_SIZE 0x1000
69#endif
70
71/* Partial certificates can be retrieved from a Requester or Responder and through multiple messages
72 * the complete certificate chain can be constructed. This value specifies the maximum size,
73 * in bytes, of a partial certificate that can be sent or received.
74 */
75#ifndef LIBSPDM_MAX_CERT_CHAIN_BLOCK_LEN
76#define LIBSPDM_MAX_CERT_CHAIN_BLOCK_LEN 1024
77#endif
78
79/* To ensure integrity in communication between the Requester and the Responder libspdm calculates
80 * cryptographic digests and signatures over multiple requests and responses. This value specifies
81 * whether libspdm will use a running calculation over the transcript, where requests and responses
82 * are discarded as they are cryptographically consumed, or whether libspdm will buffer the entire
83 * transcript before calculating the digest or signature.
84 */
85#ifndef LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT
86#define LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT 0
87#endif
88
89/* Cryptography Configuration
90 * In each category, at least one should be selected.
91 * NOTE: Not all combination can be supported. E.g. Don't mix NIST algo with SMx.*/
92
93#ifndef LIBSPDM_RSA_SSA_2048_SUPPORT
94#define LIBSPDM_RSA_SSA_2048_SUPPORT 1
95#endif
96#ifndef LIBSPDM_RSA_SSA_3072_SUPPORT
97#define LIBSPDM_RSA_SSA_3072_SUPPORT 1
98#endif
99#ifndef LIBSPDM_RSA_SSA_4096_SUPPORT
100#define LIBSPDM_RSA_SSA_4096_SUPPORT 1
101#endif
102
103#ifndef LIBSPDM_RSA_PSS_2048_SUPPORT
104#define LIBSPDM_RSA_PSS_2048_SUPPORT 0
105#endif
106#ifndef LIBSPDM_RSA_PSS_3072_SUPPORT
107#define LIBSPDM_RSA_PSS_3072_SUPPORT 0
108#endif
109#ifndef LIBSPDM_RSA_PSS_4096_SUPPORT
110#define LIBSPDM_RSA_PSS_4096_SUPPORT 0
111#endif
112
113#ifndef LIBSPDM_ECDSA_P256_SUPPORT
114#define LIBSPDM_ECDSA_P256_SUPPORT 1
115#endif
116#ifndef LIBSPDM_ECDSA_P384_SUPPORT
117#define LIBSPDM_ECDSA_P384_SUPPORT 1
118#endif
119#ifndef LIBSPDM_ECDSA_P521_SUPPORT
120#define LIBSPDM_ECDSA_P521_SUPPORT 1
121#endif
122
123#ifndef LIBSPDM_SM2_DSA_P256_SUPPORT
124#define LIBSPDM_SM2_DSA_P256_SUPPORT 0
125#endif
126
127#ifndef LIBSPDM_EDDSA_ED25519_SUPPORT
128#define LIBSPDM_EDDSA_ED25519_SUPPORT 0
129#endif
130#ifndef LIBSPDM_EDDSA_ED448_SUPPORT
131#define LIBSPDM_EDDSA_ED448_SUPPORT 0
132#endif
133
134#ifndef LIBSPDM_FFDHE_2048_SUPPORT
135#define LIBSPDM_FFDHE_2048_SUPPORT 0
136#endif
137#ifndef LIBSPDM_FFDHE_3072_SUPPORT
138#define LIBSPDM_FFDHE_3072_SUPPORT 0
139#endif
140#ifndef LIBSPDM_FFDHE_4096_SUPPORT
141#define LIBSPDM_FFDHE_4096_SUPPORT 0
142#endif
143
144#ifndef LIBSPDM_ECDHE_P256_SUPPORT
145#define LIBSPDM_ECDHE_P256_SUPPORT 1
146#endif
147#ifndef LIBSPDM_ECDHE_P384_SUPPORT
148#define LIBSPDM_ECDHE_P384_SUPPORT 1
149#endif
150#ifndef LIBSPDM_ECDHE_P521_SUPPORT
151#define LIBSPDM_ECDHE_P521_SUPPORT 1
152#endif
153
154#ifndef LIBSPDM_SM2_KEY_EXCHANGE_P256_SUPPORT
155#define LIBSPDM_SM2_KEY_EXCHANGE_P256_SUPPORT 0
156#endif
157
158#ifndef LIBSPDM_AEAD_AES_128_GCM_SUPPORT
159#define LIBSPDM_AEAD_AES_128_GCM_SUPPORT 1
160#endif
161#ifndef LIBSPDM_AEAD_AES_256_GCM_SUPPORT
162#define LIBSPDM_AEAD_AES_256_GCM_SUPPORT 1
163#endif
164
165#ifndef LIBSPDM_AEAD_CHACHA20_POLY1305_SUPPORT
166#define LIBSPDM_AEAD_CHACHA20_POLY1305_SUPPORT 0
167#endif
168
169#ifndef LIBSPDM_AEAD_SM4_128_GCM_SUPPORT
170#define LIBSPDM_AEAD_SM4_128_GCM_SUPPORT 0
171#endif
172
173#ifndef LIBSPDM_SHA256_SUPPORT
174#define LIBSPDM_SHA256_SUPPORT 1
175#endif
176#ifndef LIBSPDM_SHA384_SUPPORT
177#define LIBSPDM_SHA384_SUPPORT 1
178#endif
179#ifndef LIBSPDM_SHA512_SUPPORT
180#define LIBSPDM_SHA512_SUPPORT 0
181#endif
182
183#ifndef LIBSPDM_SHA3_256_SUPPORT
184#define LIBSPDM_SHA3_256_SUPPORT 0
185#endif
186#ifndef LIBSPDM_SHA3_384_SUPPORT
187#define LIBSPDM_SHA3_384_SUPPORT 0
188#endif
189#ifndef LIBSPDM_SHA3_512_SUPPORT
190#define LIBSPDM_SHA3_512_SUPPORT 0
191#endif
192
193#ifndef LIBSPDM_SM3_256_SUPPORT
194#define LIBSPDM_SM3_256_SUPPORT 0
195#endif
196
197/* This can be set to 0 for the device which does not need X509 parser.*/
198#ifndef LIBSPDM_CERT_PARSE_SUPPORT
199#define LIBSPDM_CERT_PARSE_SUPPORT 1
200#endif
201
202/* Code space optimization for Optional request/response messages.*/
203
204/* Consumers of libspdm may wish to not fully implement all of the optional
205 * SPDM request/response messages. Therefore we have provided these
206 * SPDM_ENABLE_CAPABILITY_***_CAP compile time switches as an optimization
207 * disable the code (#if 0) related to said optional capability, thereby
208 * reducing the code space used in the image.*/
209
210/* A single switch may enable/disable a single capability or group of related
211 * capabilities.*/
212
213/* LIBSPDM_ENABLE_CAPABILITY_CERT_CAP - Enable/Disable single CERT capability.
214 * LIBSPDM_ENABLE_CAPABILITY_CHAL_CAP - Enable/Disable single CHAL capability.
215 * LIBSPDM_ENABLE_CAPABILITY_MEAS_CAP - Enable/Disables multiple MEAS capabilities:
216 * (MEAS_CAP_NO_SIG, MEAS_CAP_SIG, MEAS_FRESH_CAP)*/
217
218/* LIBSPDM_ENABLE_CAPABILITY_KEY_EX_CAP - Enable/Disable single Key Exchange capability.
219 * LIBSPDM_ENABLE_CAPABILITY_PSK_EX_CAP - Enable/Disable PSK_EX and PSK_FINISH.*/
220
221/* LIBSPDM_ENABLE_CAPABILITY_MUT_AUTH_CAP - Enable/Disable mutual authentication.
222* LIBSPDM_ENABLE_CAPABILITY_ENCAP_CAP - Enable/Disable encapsulated message.*/
223
224/* LIBSPDM_ENABLE_CAPABILITY_CSR_CAP - Enable/Disable get csr capability.
225 * LIBSPDM_ENABLE_CAPABILITY_SET_CERT_CAP - Enable/Disable set certificate capability. */
226
227#ifndef LIBSPDM_ENABLE_CAPABILITY_CERT_CAP
228#define LIBSPDM_ENABLE_CAPABILITY_CERT_CAP 1
229#endif
230#ifndef LIBSPDM_ENABLE_CAPABILITY_CHAL_CAP
231#define LIBSPDM_ENABLE_CAPABILITY_CHAL_CAP 1
232#endif
233#ifndef LIBSPDM_ENABLE_CAPABILITY_MEAS_CAP
234#define LIBSPDM_ENABLE_CAPABILITY_MEAS_CAP 1
235#endif
236
237#ifndef LIBSPDM_ENABLE_CAPABILITY_KEY_EX_CAP
238#define LIBSPDM_ENABLE_CAPABILITY_KEY_EX_CAP 0
239#endif
240#ifndef LIBSPDM_ENABLE_CAPABILITY_PSK_EX_CAP
241#define LIBSPDM_ENABLE_CAPABILITY_PSK_EX_CAP 0
242#endif
243
244#ifndef LIBSPDM_ENABLE_CAPABILITY_HBEAT_CAP
245#define LIBSPDM_ENABLE_CAPABILITY_HBEAT_CAP 0
246#endif
247
248#ifndef LIBSPDM_ENABLE_CAPABILITY_MUT_AUTH_CAP
249#define LIBSPDM_ENABLE_CAPABILITY_MUT_AUTH_CAP 0
250#endif
251
252#ifndef LIBSPDM_ENABLE_CAPABILITY_ENCAP_CAP
253#define LIBSPDM_ENABLE_CAPABILITY_ENCAP_CAP 0
254#endif
255
256#ifndef LIBSPDM_ENABLE_CAPABILITY_CSR_CAP
257#define LIBSPDM_ENABLE_CAPABILITY_CSR_CAP 0
258#endif
259
260#ifndef LIBSPDM_ENABLE_CAPABILITY_SET_CERT_CAP
261#define LIBSPDM_ENABLE_CAPABILITY_SET_CERT_CAP 0
262#endif
263
264#ifndef LIBSPDM_ENABLE_CAPABILITY_CHUNK_CAP
265#define LIBSPDM_ENABLE_CAPABILITY_CHUNK_CAP 0
266#endif
267
268/* If 1 then endpoint supports sending GET_CERTIFICATE and GET_DIGESTS requests.
269 * If enabled and endpoint is a Responder then LIBSPDM_ENABLE_CAPABILITY_ENCAP_CAP
270 * must also be enabled.
271 */
272#ifndef LIBSPDM_SEND_GET_CERTIFICATE_SUPPORT
273#define LIBSPDM_SEND_GET_CERTIFICATE_SUPPORT 1
274#endif
275
276/* If 1 then endpoint supports sending CHALLENGE request.
277 * If enabled and endpoint is a Responder then LIBSPDM_ENABLE_CAPABILITY_ENCAP_CAP
278 * must also be enabled.
279 */
280#ifndef LIBSPDM_SEND_CHALLENGE_SUPPORT
281#define LIBSPDM_SEND_CHALLENGE_SUPPORT 1
282#endif
283
284/* When LIBSPDM_RESPOND_IF_READY_SUPPORT is 0 then
285 * - For a Requester, if the Responder sends a ResponseNotReady ERROR response then the error
286 * is immediately returned to the Integrator. The Requester cannot send a RESPOND_IF_READY
287 * request.
288 * - For a Responder, it cannot send a RESPOND_IF_READY ERROR response and does not support
289 * RESPOND_IF_READY.
290 * When LIBSPDM_RESPOND_IF_READY_SUPPORT is 1 then
291 * - For a Requester, if the Responder sends a ResponseNotReady ERROR response then libspdm
292 * waits an amount of time, as specified by the RDTExponent parameter, before sending
293 * RESPOND_IF_READY.
294 * - For a Responder, if its response state is NOT_READY then it will send a ResponseNotReady
295 * ERROR response to the Requester, and will accept a subsequent RESPOND_IF_READY request.
296 */
297#ifndef LIBSPDM_RESPOND_IF_READY_SUPPORT
298#define LIBSPDM_RESPOND_IF_READY_SUPPORT 1
299#endif
300
301/*
302 * MinDataTransferSize = 42
303 *
304 * H = HashLen = HmacLen = [32, 64]
305 * S = SigLen = [64, 512]
306 * D = ExchangeDataLen = [64, 512]
307 * R = RequesterContextLen >= 32
308 * R = ResponderContextLen >= 0
309 * O = OpaqueDataLen <= 1024
310 *
311 * Max Chunk No = 1, if (message size <= 42)
312 * Max Chunk No = [(message size + 4) / 30] roundup, if (message size > 42)
313 *
314 * +==========================+==========================================+=========+
315 * | Command | Size |MaxChunk |
316 * +==========================+==========================================+=========+
317 * | GET_VERSION | 4 | 1 |
318 * | VERSION {1.0, 1.1, 1.2} | 6 + 2 * 3 = 12 | 1 |
319 * +--------------------------+------------------------------------------+---------+
320 * | GET_CAPABILITIES 1.2 | 20 | 1 |
321 * | CAPABILITIES 1.2 | 20 | 1 |
322 * +--------------------------+------------------------------------------+---------+
323 * | ERROR | 4 | 1 |
324 * | ERROR(ResponseTooLarge) | 4 + 4 = 8 | 1 |
325 * | ERROR(LargeResponse) | 4 + 1 = 5 | 1 |
326 * | ERROR(ResponseNotReady) | 4 + 4 = 8 | 1 |
327 * +--------------------------+------------------------------------------+---------+
328 * | CHUNK_SEND header | 12 + L0 (0 or 4) | 1 |
329 * | CHUNK_RESPONSE header | 12 + L0 (0 or 4) | 1 |
330 * +==========================+==========================================+=========+
331 * | NEGOTIATE_ALGORITHMS 1.2 | 32 + 4 * 4 = 48 | 2 |
332 * | ALGORITHMS 1.2 | 36 + 4 * 4 = 52 | 2 |
333 * +--------------------------+------------------------------------------+---------+
334 * | GET_DIGESTS 1.2 | 4 | 1 |
335 * | DIGESTS 1.2 | 4 + H * SlotNum = [36, 516] | [1, 18] |
336 * +--------------------------+------------------------------------------+---------+
337 * | GET_CERTIFICATE 1.2 | 8 | 1 |
338 * | CERTIFICATE 1.2 | 8 + PortionLen | [1, ] |
339 * +--------------------------+------------------------------------------+---------+
340 * | CHALLENGE 1.2 | 40 | 1 |
341 * | CHALLENGE_AUTH 1.2 | 38 + H * 2 + S [+ O] = [166, 678] | [6, 23] |
342 * +--------------------------+------------------------------------------+---------+
343 * | GET_MEASUREMENTS 1.2 | 5 + Nonce (0 or 32) | 1 |
344 * | MEASUREMENTS 1.2 | 42 + MeasRecLen (+ S) [+ O] = [106, 554] | [4, 19] |
345 * +--------------------------+------------------------------------------+---------+
346 * | KEY_EXCHANGE 1.2 | 42 + D [+ O] = [106, 554] | [4, 19] |
347 * | KEY_EXCHANGE_RSP 1.2 | 42 + D + H + S (+ H) [+ O] = [234, 1194] | [8, 40] |
348 * +--------------------------+------------------------------------------+---------+
349 * | FINISH 1.2 | 4 (+ S) + H = [100, 580] | [4, 20] |
350 * | FINISH_RSP 1.2 | 4 (+ H) = [36, 69] | [1, 3] |
351 * +--------------------------+------------------------------------------+---------+
352 * | PSK_EXCHANGE 1.2 | 12 [+ PSKHint] + R [+ O] = 44 | 2 |
353 * | PSK_EXCHANGE_RSP 1.2 | 12 + R + H (+ H) [+ O] = [108, 172] | [4, 6] |
354 * +--------------------------+------------------------------------------+---------+
355 * | PSK_FINISH 1.2 | 4 + H = [36, 68] | [1, 3] |
356 * | PSK_FINISH_RSP 1.2 | 4 | 1 |
357 * +--------------------------+------------------------------------------+---------+
358 * | GET_CSR 1.2 | 8 + RequesterInfoLen [+ O] | [1, ] |
359 * | CSR 1.2 | 8 + CSRLength | [1, ] |
360 * +--------------------------+------------------------------------------+---------+
361 * | SET_CERTIFICATE 1.2 | 4 + CertChainLen | [1, ] |
362 * | SET_CERTIFICATE_RSP 1.2 | 4 | 1 |
363 * +==========================+==========================================+=========+
364 */
365
366/* Required sender/receive buffer in device io.
367 * NOTE: This is transport specific. Below configuration is just an example.
368 * +-------+--------+---------------------------+------+--+------+---+--------+-----+
369 * | TYPE |TransHdr| EncryptionHeader |AppHdr| |Random|MAC|AlignPad|FINAL|
370 * | | |SessionId|SeqNum|Len|AppLen| | | | | | |
371 * +-------+--------+---------------------------+------+ +------+---+--------+-----+
372 * | MCTP | 1 | 4 | 2 | 2 | 2 | 1 | | 32 | 12| 0 | 56 |
373 * |PCI_DOE| 8 | 4 | 0 | 2 | 2 | 0 | | 0 | 12| 3 | 31 |
374 * +-------+--------+---------------------------+------+--+------+---+--------+-----+
375 */
376
377/* Enable message logging.
378 * See https://github.com/DMTF/libspdm/blob/main/doc/user_guide.md#message-logging
379 * for more information */
380#ifndef LIBSPDM_ENABLE_MSG_LOG
381#define LIBSPDM_ENABLE_MSG_LOG 1
382#endif
383
384/* Enable macro checking during compilation. */
385#ifndef LIBSPDM_CHECK_MACRO
386#define LIBSPDM_CHECK_MACRO 0
387#endif
388
389/* Enable checks to the SPDM context during runtime. */
390#ifndef LIBSPDM_CHECK_SPDM_CONTEXT
391#define LIBSPDM_CHECK_SPDM_CONTEXT 1
392#endif
393
394#endif /* SPDM_LIB_CONFIG_H */