This is a working in progress project that uses EDK2 and QEMU to exchange SPDM messages between PCI devices and the firmware driver.
This repo implements work from other repos1 2 3 with personal modifications.
QEMU compiles the LibSPDM in-tree (see ./configure --help) and there are two files that
make the LibSPDM API available to use: backend/spdm.c and include/sysemu/spdm.h. Moreover,
there are modifications in hw/nvme/ctrl.c to use the implementations of spdm.c.
Files related to PCI DOE were also modified to exchange the SPDM messages and two new
files were added, hw/nvme/auth.c and hw/nvme/auth.c, to configure SPDM context.
Based on the work of the DeviceSecurity branch in edk2-staging repo, I adapted the code to use the DXE stage in OVMF. The modifications consist in changing the code to use current SPDM functions available in EDK2 and to use future PCI DOE support yet to be approved.
You can check the modifications mainly in DeviceSecurity and DeployCert folder in OvmfPkg.
git clone https://github.com/htafr/uefi-spdm.git
cd uefi-spdm
git submodule update --init --recursiveMy environment is based on Ubuntu 24.04 LTS aarch64.
Install required packages.
# EDK2
sudo apt-get install build-essential uuid-dev iasl git nasm python-is-python3
# QEMU
sudo apt-get install libglib2.0-dev libfdt-dev libpixman-1-dev zlib1g-dev ninja-build nettle-dev
# TPM emulation
sudo apt-get install swtpmEDK2 needs to build its BaseTools.
make -C edk2/BaseToolsCopy files target.txt and tools_def.txt. The latter is needed only if the environment is not x86_64.
cp files/target.txt files/tools_def.txt edk2/ConfSource the script available at the repo path to configure environment variables.
source set-env.shRun the Makefile commands.
make qemu-build
make edk2-buildThe Makefile has three running rules: x64-run, x64-dbg and x64-log.
- x64-run: normal qemu run
- x64-dbg: attach qemu to gdb
- x64-log: persist qemu output to logs/log-x64.txt
The rsa2048 was generated using libspdm4 certificate generator script.