Received: by 2002:a05:7412:518d:b0:e2:908c:2ebd with SMTP id fn13csp532097rdb; Thu, 5 Oct 2023 13:09:30 -0700 (PDT) X-Google-Smtp-Source: AGHT+IHQVgSXEId9f53StaYk/V7ZELdQ4SwxgxnYCec/Jd9UM1Ckk+RyqW6BaPFb87Ofwpo/7P/l X-Received: by 2002:a05:6a00:a8a:b0:693:4a5c:268f with SMTP id b10-20020a056a000a8a00b006934a5c268fmr7378881pfl.6.1696536570237; Thu, 05 Oct 2023 13:09:30 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1696536570; cv=none; d=google.com; s=arc-20160816; b=IeoWFttBzOcD6Fo3yHrbIRKhqKmLeUGXLBfT8QtcZSgbeNk9yiHwLYvbtMI8hvEQ1W 0M4cFlrkRcLWbKUz+YRRlD6xHmArbLioe7ddBBwcc9kE7tZ1LrpOMfR8uYd5Jr78IkMd uuW1Sd7tOQ0v9KxNnsZcfaAc4O9ogxBR7uQOdSgBI+rUKRiGNfvkoVSir65fahJo18wv r439QGWaYgt+tmDoFohswygRpGoIq+uoGq/1e+ZibStXe0w2IFb3WWNhCEcs6pP2kKIj VEOUSPK+NAp19OddpHqDuf+MVp0Vgq5jLZLleSl5BFtMcs02YiF0aRi+apbUA1xpLu/S UauQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :message-id:subject:cc:to:from:date:dkim-signature; bh=kshCAyKUFPGx0DH6IDvUR9+y1bE3p9wJbGZb0QQX3oo=; fh=UqJnIK0ir3eUtKGQENTcXPJAhZG9fejslxX9ap4c2W0=; b=tKkZiGFUj1aIP87ZmBxsSKzmMISKllZ2uj0Wsvwg+O5P1fKP9Iml6USBFx9x3aYi7v BGA5L3tTU4OYsCtdSvoj6cAQ/Fy8KDo5C6qQIPhk7qfRLmPupiOmxk7cppMams9Io6LS UtKFHlxxoxZNfTlmX83P3Peo3i8m0q40pm/GSMkezoe07mQEqdLUZDD453WzwyJ1Bkl9 TwLVxrkVhkSwfqZDn927RwoSFgxTTJWqgbCAQq6t9Y0ylYkmWT1T3CwzET/ZS6DtIJBw NdQZmE9ffKyfTGxgdChWj4MamK7aMVjNaLqeztmFR2FfIoX6uDSiKtZUcCw53LemZ3TU tpaA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b="mPMh/Yzl"; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.37 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from snail.vger.email (snail.vger.email. [23.128.96.37]) by mx.google.com with ESMTPS id by8-20020a056a00400800b0069353ac3d3csi1996424pfb.72.2023.10.05.13.09.29 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 05 Oct 2023 13:09:30 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.37 as permitted sender) client-ip=23.128.96.37; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b="mPMh/Yzl"; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.37 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by snail.vger.email (Postfix) with ESMTP id 44BCF8077575; Thu, 5 Oct 2023 13:09:28 -0700 (PDT) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.10 at snail.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229843AbjJEUJX (ORCPT + 99 others); Thu, 5 Oct 2023 16:09:23 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:49152 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229682AbjJEUJW (ORCPT ); Thu, 5 Oct 2023 16:09:22 -0400 Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id ABBD0F2; Thu, 5 Oct 2023 13:09:19 -0700 (PDT) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 01A5EC433C9; Thu, 5 Oct 2023 20:09:18 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1696536559; bh=gviqkF5bCtrPEnmL/efrb5ugCp6oRzHfV/DcplqOK/w=; h=Date:From:To:Cc:Subject:In-Reply-To:From; b=mPMh/YzlW9oTh5h9AJ5aAB26BKNe2mE/3C+n+4v4/3A/CAe2k4Yecrw+PoqctpsCM 7Rz9NE1k5UayDDxAOm9iNh49IS4NPl3z7Z1PJ9/Xk/cvDzdiK5fOzsp10llBeSnwax udSKrphyyopprBbpM8FEO+w5hthYv2c6Tq8BoPNW+rRfweDFkzRci8hxE+wv+wV38F rfaiern/5q24z3ng5ohmgFBbmvxW21IgYxkExh7y+5d/jGlf3aJ2u2PJ/ZKA9hjxaX SzXBqCFyHL6SDZzCYBPatbmI79HVeskhOL1mn7NDoZ6rtrvfnTF+8Lcn0dkzITIw8U 26WOBNO0H119A== Date: Thu, 5 Oct 2023 15:09:17 -0500 From: Bjorn Helgaas To: Lukas Wunner Cc: Jonathan Cameron , David Howells , David Woodhouse , Herbert Xu , "David S. Miller" , Alex Williamson , linux-pci@vger.kernel.org, linux-cxl@vger.kernel.org, linux-coco@lists.linux.dev, keyrings@vger.kernel.org, linux-crypto@vger.kernel.org, kvm@vger.kernel.org, linuxarm@huawei.com, David Box , Dan Williams , Dave Jiang , "Li, Ming" , Zhi Wang , Alistair Francis , Wilfred Mallawa , Alexey Kardashevskiy , Tom Lendacky , Sean Christopherson , Alexander Graf Subject: Re: [PATCH 09/12] PCI/CMA: Validate Subject Alternative Name in certificates Message-ID: <20231005200917.GA789502@bhelgaas> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20231005140447.GA23472@wunner.de> X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF, RCVD_IN_DNSWL_BLOCKED,SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (snail.vger.email [0.0.0.0]); Thu, 05 Oct 2023 13:09:28 -0700 (PDT) On Thu, Oct 05, 2023 at 04:04:47PM +0200, Lukas Wunner wrote: > On Tue, Oct 03, 2023 at 04:04:55PM +0100, Jonathan Cameron wrote: > > On Thu, 28 Sep 2023 19:32:39 +0200 Lukas Wunner wrote: > > > PCIe r6.1 sec 6.31.3 stipulates requirements for X.509 Leaf Certificates The PCIe spec does not contain "X.509", so I assume this is sort of a transitive requirement from SPDM. > > > presented by devices, in particular the presence of a Subject Alternative > > > Name extension with a name that encodes the Vendor ID, Device ID, Device > > > Serial Number, etc. > > > > Lets you do any of > > * What you have here > > * Reference Integrity Manifest, e.g. see Trusted Computing Group > > * A pointer to a location where such a Reference Integrity Manifest can be > > obtained. > > > > So this text feels a little strong though I'm fine with only support the > > Subject Alternative Name bit for now. Whoever has one of the other options > > can add that support :) > > I intend to amend the commit message as follows. If anyone believes > this is inaccurate, please let me know: > > Side note: Instead of a Subject Alternative Name, Leaf Certificates may > include "a Reference Integrity Manifest, e.g., see Trusted Computing > Group" or "a pointer to a location where such a Reference Integrity > Manifest can be obtained" (PCIe r6.1 sec 6.31.3). > > A Reference Integrity Manifest contains "golden" measurements which can > be compared to actual measurements retrieved from a device. It serves a > different purpose than the Subject Alternative Name, hence it is unclear > why the spec says only either of them is necessary. It is also unclear > how a Reference Integrity Manifest shall be encoded into a certificate. > > Ignore the Reference Integrity Manifest requirement until this confusion > is resolved by a spec update. Thanks for this; I was about to comment the same. Bjorn