Skip to content

Commit 2420fef

Browse files
steven-bellocksteven-bellock
committed
Initial draft for multikey guide
Fix #3084. Signed-off-by: Steven Bellock <[email protected]>
1 parent 2621058 commit 2420fef

File tree

1 file changed

+33
-0
lines changed

1 file changed

+33
-0
lines changed

doc/multikey.md

Lines changed: 33 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,33 @@
1+
# Multikey Guide
2+
3+
In SPDM versions 1.0 through 1.2, for a given negotiated asymmetric algorithm, leaf certificates
4+
throughout all certificate slots needed to use the same private/public key. SPDM 1.3 relaxed this
5+
constraint, so that different certificate chains and asymmetric keys can be used for different
6+
purposes. For example, an endpoint can restrict a key so that it can only sign the L1/L2 transcript,
7+
while a different key can be restricted to only sign the M1/M2 transcript. As such, when a peer
8+
endpoint supports multikey, the local endpoint must ensure that it uses the appropriate key and
9+
certificate slot when signing or verifying messages.
10+
11+
## Endpoint Support for Multikey
12+
13+
SPDM allows an endpoint to support multikey in one of three ways.
14+
1. No support at all (`MULTI_KEY_CAP == 0`).
15+
2. Strict support (`MULTI_KEY_CAP == 1`).
16+
3. Conditional support based on the peer endpoint's preference (`MULTI_KEY_CAP == 2`).
17+
18+
Use `libspdm_set_data`, `LIBSPDM_DATA_OTHER_PARAMS_SUPPORT`, and the
19+
`SPDM_ALGORITHMS_MULTI_KEY_CONN` boolean to specify how libspdm should handle the case when the peer
20+
endpoint's multikey support is conditional (`MULTI_KEY_CAP == 2`).
21+
22+
### Multikey Flow for libspdm Requester
23+
24+
1. Call `libspdm_init_connection` and check that the call is successful.
25+
2. Call `libspdm_get_data` with `LIBSPDM_DATA_MULTI_KEY_CONN_RSP` to determine whether the
26+
connection utilizes multikey (`true`) or not (`false`). If the value is `true` then continue with
27+
this flow, else the connection behaves in a single key manner.
28+
3. Call `libspdm_get_digest` and check that the call is successful.
29+
4. For each populated certificate chain slot call `libspdm_get_certificate` and check that each call
30+
is successful.
31+
4. Use `libspdm_get_data` with `LIBSPDM_DATA_PEER_KEY_USAGE_BIT_MASK` to query the `KeyUsageMask`
32+
for each populated certificate slot. Use the `SPDM_KEY_USAGE_BIT_MASK_*` macros to determine the
33+
legal messages for that certificate slot and key.

0 commit comments

Comments
 (0)