Merge changes from topic "da_libspdm" into integration

* changes:
  feat(da): add libspdm version 3.3.0
  feat(lib/libc): add strchr required by new mbedtls configs

.gitignore

@@ -10,3 +10,4 @@ out
 *~
 *.patch
 *.swp
+ext/libspdm

cmake/CommonConfigs.cmake

@@ -59,6 +59,12 @@ arm_config_option(
     TYPE STRING
     DEFAULT 1)
 
+arm_config_option(
+    NAME RMM_CCA_DA
+    HELP "Enable Device Assignment support in RMM (experimental)"
+    TYPE BOOL
+    DEFAULT OFF)
+
 #
 # Introduce a pseudo-library purely for applying flags to RMM's libraries.
 # This is applied to any targets created after this point.
@@ -126,4 +132,10 @@ endif()
 target_compile_definitions(rmm-common
     INTERFACE "COMMIT_INFO=\"${COMMIT_INFO}\"")
 
+if(RMM_CCA_DA)
+    message(WARNING "DA is an experimental feature")
+    target_compile_definitions(rmm-common
+        INTERFACE "RMM_CCA_DA=1")
+endif()
+
 link_libraries(rmm-common)

configs/libspdm/0001-cryptlib_mbedtls-use-external-Mbed-TLS.patch

@@ -0,0 +1,58 @@
+From dc3ce817bb479bdf1317c68e5496b93dbbbcb310 Mon Sep 17 00:00:00 2001
+From: Arunachalam Ganapathy <[email protected]>
+Date: Wed, 3 Apr 2024 14:13:44 +0100
+Subject: [PATCH] cryptlib_mbedtls: use external Mbed TLS
+
+Do not include mbedtls headers files from libspdm fork of Mbed TLS.
+This change is RMM specific, for building cryptlib_mbedtls library
+from RMM.
+
+crt_wrapper_host.c: duplicate symbols
+Rename mbedtls_platform_zeroize as it conflicts with RMM MbedTLS
+
+Signed-off-by: Arunachalam Ganapathy <[email protected]>
+---
+ os_stub/cryptlib_mbedtls/CMakeLists.txt              | 9 ---------
+ os_stub/cryptlib_mbedtls/sys_call/crt_wrapper_host.c | 2 +-
+ 2 files changed, 1 insertion(+), 10 deletions(-)
+
+diff --git a/os_stub/cryptlib_mbedtls/CMakeLists.txt b/os_stub/cryptlib_mbedtls/CMakeLists.txt
+index fc87e2cf54..0e8e2248d2 100644
+--- a/os_stub/cryptlib_mbedtls/CMakeLists.txt
++++ b/os_stub/cryptlib_mbedtls/CMakeLists.txt
+@@ -9,10 +9,6 @@ INCLUDE_DIRECTORIES(${LIBSPDM_DIR}/include
+                     ${LIBSPDM_DIR}/os_stub/include
+                     ${LIBSPDM_DIR}/os_stub
+                     ${LIBSPDM_DIR}/os_stub/cryptlib_mbedtls
+-                    ${LIBSPDM_DIR}/os_stub/mbedtlslib/include
+-                    ${LIBSPDM_DIR}/os_stub/mbedtlslib/include/mbedtls
+-                    ${LIBSPDM_DIR}/os_stub/mbedtlslib/mbedtls/include
+-                    ${LIBSPDM_DIR}/os_stub/mbedtlslib/mbedtls/include/mbedtls
+ )
+
+ SET(src_cryptlib_mbedtls
+@@ -48,8 +44,3 @@ if(CMAKE_SYSTEM_NAME MATCHES "Windows")
+         TARGET_COMPILE_OPTIONS(cryptlib_mbedtls PRIVATE /wd4090 /wd4200)
+     endif()
+ endif()
+-
+-if(MBEDTLS_CONFIG_FILE)
+-else()
+-    TARGET_COMPILE_DEFINITIONS(cryptlib_mbedtls PRIVATE -DMBEDTLS_CONFIG_FILE=<libspdm_mbedtls_config.h>)
+-endif()
+diff --git a/os_stub/cryptlib_mbedtls/sys_call/crt_wrapper_host.c b/os_stub/cryptlib_mbedtls/sys_call/crt_wrapper_host.c
+index 9ce520c7c5..72decdba7d 100644
+--- a/os_stub/cryptlib_mbedtls/sys_call/crt_wrapper_host.c
++++ b/os_stub/cryptlib_mbedtls/sys_call/crt_wrapper_host.c
+@@ -25,7 +25,7 @@ int my_snprintf(char *str, size_t size, const char *format, ...)
+     return 0;
+ }
+
+-void mbedtls_platform_zeroize(void *buf, size_t len)
++void my_mbedtls_platform_zeroize(void *buf, size_t len)
+ {
+     libspdm_zero_mem(buf, len);
+ }
+-- 
+2.39.2
+

configs/libspdm/rmm_libspdm_config.h

@@ -0,0 +1,172 @@
+/*
+ * SPDX-License-Identifier: BSD-3-Clause
+ * SPDX-FileCopyrightText: Copyright TF-RMM Contributors.
+ */
+
+#ifndef LIBSPDM_CONFIG_H
+#define LIBSPDM_CONFIG_H
+
+/* Disable FIPS 140-3 mode. */
+#define LIBSPDM_FIPS_MODE 0
+
+/* Based on RMM build type, set libspdm DEBUG flag */
+#ifdef DEBUG
+#define LIBSPDM_DEBUG_ENABLE 1
+#else
+#define LIBSPDM_DEBUG_ENABLE 0
+#endif
+
+/*
+ * For a Requester this value specifies the maximum number of entries that
+ * libspdm will tolerate in a `VERSION` response before returning an error.
+ */
+#define LIBSPDM_MAX_VERSION_COUNT 5
+
+/*
+ * This value specifies the maximum size, in bytes, of the
+ * `PSK_EXCHANGE.PSKHint` field. Although RMM disables PSK capability, this
+ * macro mut be defined as libspdm_secured_message_context_t uses this macro.
+ */
+#define LIBSPDM_PSK_MAX_HINT_LENGTH 16
+
+/*
+ * This value specifies the maximum number of root certificates that libspdm
+ * can support.
+ */
+#define LIBSPDM_MAX_ROOT_CERT_SUPPORT 10
+
+/* Only one session per device is supported by RMM Specification */
+#define LIBSPDM_MAX_SESSION_COUNT 1
+
+/*
+ * This value specifies the maximum size, in bytes, of a certificate chain or
+ * measurements that can be stored in a libspdm context.
+ */
+#define LIBSPDM_MAX_CERT_CHAIN_SIZE 0x1000
+#define LIBSPDM_MAX_MEASUREMENT_RECORD_SIZE 0x1000
+
+/*
+ * Partial certificates can be retrieved from a Responder and through multiple
+ * messages the complete certificate chain can be constructed. This value
+ * specifies the maximum size, in bytes, of a partial  certificate that can be
+ * received.
+ */
+#define LIBSPDM_MAX_CERT_CHAIN_BLOCK_LEN 1024
+
+/*
+ * This value specifies whether libspdm will use a running calculation over the
+ * transcript, where requests and responses are discarded as they are
+ * cryptographically consumed, or whether libspdm will buffer the entire
+ * transcript before calculating the digest or signature.
+ */
+#define LIBSPDM_RECORD_TRANSCRIPT_DATA_SUPPORT 0
+
+/* This can be set to 0 for the device which does not need X509 parser. */
+#define LIBSPDM_CERT_PARSE_SUPPORT 1
+
+/*
+ * Enable only the cryptography configuration that are required for SPDM
+ * requester for DA. todo: Disable more cryptography configuration.
+ */
+#define LIBSPDM_RSA_SSA_2048_SUPPORT 1
+#define LIBSPDM_RSA_SSA_3072_SUPPORT 1
+#define LIBSPDM_RSA_SSA_4096_SUPPORT 1
+
+#define LIBSPDM_RSA_PSS_2048_SUPPORT 1
+#define LIBSPDM_RSA_PSS_3072_SUPPORT 1
+#define LIBSPDM_RSA_PSS_4096_SUPPORT 1
+
+#define LIBSPDM_ECDSA_P256_SUPPORT 1
+#define LIBSPDM_ECDSA_P384_SUPPORT 1
+#define LIBSPDM_ECDSA_P521_SUPPORT 1
+
+#define LIBSPDM_SM2_DSA_P256_SUPPORT 0
+
+#define LIBSPDM_EDDSA_ED25519_SUPPORT 0
+#define LIBSPDM_EDDSA_ED448_SUPPORT 0
+
+#define LIBSPDM_FFDHE_2048_SUPPORT 1
+#define LIBSPDM_FFDHE_3072_SUPPORT 1
+#define LIBSPDM_FFDHE_4096_SUPPORT 1
+
+#define LIBSPDM_ECDHE_P256_SUPPORT 1
+#define LIBSPDM_ECDHE_P384_SUPPORT 1
+#define LIBSPDM_ECDHE_P521_SUPPORT 1
+
+#define LIBSPDM_SM2_KEY_EXCHANGE_P256_SUPPORT 0
+
+#define LIBSPDM_AEAD_AES_128_GCM_SUPPORT 1
+#define LIBSPDM_AEAD_AES_256_GCM_SUPPORT 1
+
+#define LIBSPDM_AEAD_CHACHA20_POLY1305_SUPPORT 1
+
+#define LIBSPDM_AEAD_SM4_128_GCM_SUPPORT 0
+
+#define LIBSPDM_SHA256_SUPPORT 1
+#define LIBSPDM_SHA384_SUPPORT 1
+#define LIBSPDM_SHA512_SUPPORT 1
+
+#define LIBSPDM_SHA3_256_SUPPORT 0
+#define LIBSPDM_SHA3_384_SUPPORT 0
+#define LIBSPDM_SHA3_512_SUPPORT 0
+
+#define LIBSPDM_SM3_256_SUPPORT 0
+
+/* Enable only the capabilities that are required for SPDM requester for DA */
+#define LIBSPDM_ENABLE_CAPABILITY_CERT_CAP 1
+#define LIBSPDM_ENABLE_CAPABILITY_MEAS_CAP 1
+#define LIBSPDM_ENABLE_CAPABILITY_KEY_EX_CAP 1
+#define LIBSPDM_ENABLE_CAPABILITY_CHUNK_CAP 1
+#define LIBSPDM_ENABLE_CAPABILITY_CHAL_CAP 0
+#define LIBSPDM_ENABLE_CAPABILITY_PSK_CAP 0
+#define LIBSPDM_ENABLE_CAPABILITY_HBEAT_CAP 0
+#define LIBSPDM_ENABLE_CAPABILITY_MUT_AUTH_CAP 0
+#define LIBSPDM_ENABLE_CAPABILITY_ENCAP_CAP 0
+#define LIBSPDM_ENABLE_CAPABILITY_CSR_CAP 0
+#define LIBSPDM_ENABLE_CAPABILITY_CSR_CAP_EX 0
+#define LIBSPDM_ENABLE_CAPABILITY_SET_CERT_CAP 0
+#define LIBSPDM_ENABLE_CAPABILITY_EVENT_CAP 0
+
+/* Required for IDE_KM and TDISP VDM messages */
+#define LIBSPDM_ENABLE_VENDOR_DEFINED_MESSAGES 1
+
+/*
+ * If 1 then endpoint supports sending GET_CERTIFICATE and GET_DIGESTS requests.
+ */
+#define LIBSPDM_SEND_GET_CERTIFICATE_SUPPORT 1
+
+/* If 1 then endpoint supports sending CHALLENGE request. */
+#define LIBSPDM_SEND_CHALLENGE_SUPPORT 0
+
+/*
+ * If 1 then endpoint supports sending the GET_SUPPORTED_EVENT_TYPES,
+ * SUBSCRIBE_EVENT_TYPES, and encapsulated EVENT_ACK messages. In addition,
+ * LIBSPDM_ENABLE_CAPABILITY_ENCAP_CAP must also be 1.
+ */
+#define LIBSPDM_EVENT_RECIPIENT_SUPPORT 0
+
+/*
+ * When LIBSPDM_RESPOND_IF_READY_SUPPORT is 0 then
+ * - For a Requester, if the Responder sends a ResponseNotReady ERROR response
+ *   then the error is immediately returned to the Integrator. The Requester
+ *   cannot send a RESPOND_IF_READY request.
+ * When LIBSPDM_RESPOND_IF_READY_SUPPORT is 1 then
+ * - For a Requester, if the Responder sends a ResponseNotReady ERROR response
+ *   then libspdm waits an amount of time, as specified by the RDTExponent
+ *   parameter, before sending RESPOND_IF_READY.
+ */
+#define LIBSPDM_RESPOND_IF_READY_SUPPORT 1
+
+/* Enable message logging. */
+#define LIBSPDM_ENABLE_MSG_LOG 0
+
+/* Enable libspdm configs macro checking during compilation. */
+#define LIBSPDM_CHECK_MACRO 1
+
+/* Enable checks to the SPDM context during runtime. */
+#define LIBSPDM_CHECK_SPDM_CONTEXT 1
+
+/* Enable passing the SPDM context to HAL functions. */
+#define LIBSPDM_HAL_PASS_SPDM_CONTEXT 0
+
+#endif /* LIBSPDM_CONFIG_H */

configs/mbedtls/rmm_mbedtls_config.h

@@ -14,6 +14,12 @@
  * [1] https://github.com/Mbed-TLS/mbedtls/blob/v3.6.0/docs/3.0-migration-guide.md
  */
 
+#include <limits.h>
+/* This is needed for size_t */
+#include <stddef.h>
+/* For snprintf function declaration */
+#include <stdio.h>
+
 /* This file is compatible with release 3.6.0 */
 #define MBEDTLS_CONFIG_VERSION         0x03060000
 
@@ -89,8 +95,39 @@
 #define MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY
 #endif
 
-/* This is needed for size_t used below */
-#include <stddef.h>
+/* Configs required by SPDM requester used by RMM_CCA_DA */
+#ifdef RMM_CCA_DA
+#define MBEDTLS_OID_C
+#define MBEDTLS_RSA_C
+#define MBEDTLS_PKCS1_V15
+#define MBEDTLS_PKCS1_V21
+#define MBEDTLS_GENPRIME
+
+#define MBEDTLS_X509_USE_C
+#define MBEDTLS_X509_CRT_PARSE_C
+#define MBEDTLS_X509_CRL_PARSE_C
+#define MBEDTLS_X509_CSR_PARSE_C
+#define MBEDTLS_X509_CREATE_C
+#define MBEDTLS_X509_CSR_WRITE_C
+
+#define MBEDTLS_AES_C
+#define MBEDTLS_GCM_C
+
+#define MBEDTLS_CHACHA20_C
+#define MBEDTLS_POLY1305_C
+#define MBEDTLS_CHACHAPOLY_C
+
+#define MBEDTLS_ECDH_C
+#define MBEDTLS_DHM_C
+
+#define MBEDTLS_PK_C
+#define MBEDTLS_PK_PARSE_C
+#define MBEDTLS_PK_WRITE_C
+
+#define MBEDTLS_ECP_DP_SECP256R1_ENABLED
+#define MBEDTLS_ECP_DP_SECP384R1_ENABLED
+#define MBEDTLS_ECP_DP_SECP521R1_ENABLED
+#endif /* RMM_CCA_DA */
 
 /*
  * Declare memory allocation primitives to be used by MbedTLS

docs/getting_started/build-options.rst

@@ -290,6 +290,7 @@ The |RMM| build system supports the following CMake build options.
    RMM_HTML_COV_REPORT		,ON | OFF		,ON			,"Enable HTML output report for coverage analysis"
    RMM_CBMC_VIEWER_OUTPUT	,ON | OFF		,OFF			,"Generate report of CBMC results using the tool cbmc-viewer"
    RMM_CBMC_SINGLE_TESTBENCH	,			,OFF			,"Run CBMC on a single testbench instead on all of them"
+   RMM_CCA_DA			,ON | OFF		,OFF			,"Enable Device Assignment support in RMM (experimental)"
 
 .. _llvm_build:
 

docs/readme.rst

@@ -71,8 +71,9 @@ Third Party Projects
 
 The `TF-RMM`_ project requires to be linked with certain other 3rd party
 projects and they are to be cloned from their repositories into ``ext`` folder
-before building. The projects are `MbedTLS`_, `t_cose`_, `QCBOR`_ and
-`CppUTest`_.
+before building. The projects are `MbedTLS`_, `t_cose`_, `QCBOR`_,
+`CppUTest`_ and `libspdm`_. `libspdm`_ repository is fetched during config phase
+when RMM_CCA_DA build option is enabled.
 
 The project also contains files which are imported from other projects
 into the source tree and may have a different license. Such files with
@@ -128,5 +129,6 @@ To report a bug, please file an `issue on Github`_
 .. _License and Copyright for Contributions: https://tf-rmm.readthedocs.io/en/latest/process/contributing.html#license-and-copyright-for-contributions
 .. _Contributor's Guide: https://tf-rmm.readthedocs.io/en/latest/process/contributing.html
 .. _CppUTest: https://github.com/cpputest/cpputest.git
+.. _libspdm: https://github.com/DMTF/libspdm.git
 .. _Trusted Firmware: https://www.trustedfirmware.org/
 .. _TF-RMM: https://www.trustedfirmware.org/projects/tf-rmm/

lib/CMakeLists.txt

@@ -39,3 +39,8 @@ add_subdirectory("s2tt")
 add_subdirectory("slot_buf")
 add_subdirectory("t_cose")
 add_subdirectory("xlat")
+
+if(RMM_CCA_DA)
+    target_link_libraries(rmm-lib INTERFACE rmm-lib-spdm_requester)
+    add_subdirectory("spdm_requester")
+endif()

lib/libc/CMakeLists.txt

@@ -28,7 +28,8 @@ if(NOT RMM_ARCH STREQUAL fake_host)
             "src/strcmp.c"
             "src/strlcpy.c"
             "src/strncmp.c"
-            "src/strnlen.c")
+            "src/strnlen.c"
+            "src/strchr.c")
 
     target_sources(rmm-lib-libc
         PRIVATE

lib/libc/include/string.h

@@ -18,5 +18,6 @@ size_t strlen(const char *s);
 size_t strlcpy(char *dst, const char *src, size_t dsize);
 int strncmp(const char *s1, const char *s2, size_t n);
 size_t strnlen(const char *s, size_t maxlen);
+char *strchr(const char *s, int c);
 
 #endif