Add a update local cert chain callback#3658
Open
alistair23 wants to merge 3 commits into
Open
Conversation
Split the existing libspdm_verify_leaf_cert_spdm_extension() function to include a new libspdm_contains_hardware_id_oid() function that can be used elsewhere. Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
The SPDM spec states that in the AliasCert model "the Device Certificate CA should contain the Hardware identity OID." This was previously missing, let's ensure it's included and update the certificates to include it. Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
alistair23
force-pushed
the
alistair/set-cert
branch
from
42ff8f5 to
5fa0faa
Compare
After a successful SET_CERTIFICATE (that doesn't require a reset) this new callback is called. It's the implementations responsability to allocate memory to store the new certificate chain and update `LIBSPDM_DATA_LOCAL_PUBLIC_CERT_CHAIN` to use the new chain. After which the old certificate chain can be freed. Unfortunately we can't handle this in libspdm as it might require allocation, which is why the HAL must handle this. For DEVICE_CERT and GENERIC_CERT this is a simple. All that needs to be done is memory allocated, thenew certificate copied and the old certificate freed. The ALIAS_CERT is similar, but required combining the new updated certificates with the existing ones that aren't changed. Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
alistair23
force-pushed
the
alistair/set-cert
branch
from
5fa0faa to
7d56b4a
Compare
jyao1
reviewed
Jun 22, 2026
| [id_spdm_cert_oids] | ||
| field1 = SEQUENCE:id_spdm_cert_oid | ||
| [id_spdm_cert_oid] | ||
| field1 = OID:1.3.6.1.4.1.412.274.2 |
Member
There was a problem hiding this comment.
When you generate the cert, would you please handle cert for slot 4 as well?
Member
|
Could you please split this one to 3 different PR?
I am OK to merge 1) soon. But we need more time to review 2) and 3). |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
After a successful SET_CERTIFICATE (that doesn't require a reset) this
new callback is called. It's the implementations responsibility to
allocate memory to store the new certificate chain and update
LIBSPDM_DATA_LOCAL_PUBLIC_CERT_CHAINto use the new chain.After which the old certificate chain can be freed. Unfortunately we can't
handle this all in libspdm as it requires allocation, which is why the
HAL must handle this.
For DEVICE_CERT and GENERIC_CERT this is a simple. All that needs to be done
is memory allocated, the new certificate copied and the old certificate freed.
The ALIAS_CERT is similar, but required combining the new updated certificates
with the existing ones that aren't changed.
While we are at it we need to fix a bug with the current
AliasCertcertificate chains.The SPDM spec states that in the AliasCert model "the Device Certificate
CA should contain the Hardware identity OID." This was previously
missing, let's ensure it's included and update the certificates to
include it.
Resolves: #873