CMA-SPDM: Component Measurement & Authentication

Deep-Dive: Device Identity, Firmware Integrity, and Cryptographic Authentication via SPDM Protocol

1. CMA-SPDM Overview

Component Measurement and Authentication (CMA) uses the Security Protocol and Data Model (SPDM) to provide cryptographic authentication of PCIe devices and measurement of their firmware/hardware state. This is essential for establishing trust in the hardware platform.

Security Goals

  • Device Authentication: Verify device identity using certificates
  • Firmware Integrity: Measure and attest firmware state
  • Supply Chain Security: Detect counterfeit or tampered devices
  • IDE Key Exchange: Establish keys for data encryption
  • Platform Attestation: Include device state in TCG measurements

SPDM in the PCIe Security Stack

┌─────────────────────────────────────────────────────────────────────────────┐
│                         PCIe Security Architecture                          │
│                                                                             │
│  ┌─────────────────────────────────────────────────────────────────────┐    │
│  │                    Trusted Execution Environment                    │    │
│  │  ┌─────────────┐  ┌─────────────┐  ┌─────────────┐                  │    │
│  │  │   TDISP     │  │  IDE Key    │  │ Attestation │                  │    │
│  │  │  Manager    │  │  Manager    │  │  Service    │                  │    │
│  │  └──────┬──────┘  └──────┬──────┘  └──────┬──────┘                  │    │
│  └─────────┼────────────────┼────────────────┼─────────────────────────┘    │
│            │                │                │                              │
│            └────────────────┼────────────────┘                              │
│                             │                                               │
│                   ┌─────────▼─────────┐                                     │
│                   │     CMA-SPDM      │  ← SPDM over DOE                    │
│                   │   (in DOE Cap)    │                                     │
│                   └─────────┬─────────┘                                     │
│                             │                                               │
│             ┌───────────────┼───────────────┐                               │
│             │               │               │                               │
│      ┌──────▼──────┐ ┌──────▼──────┐ ┌──────▼──────┐                        │
│      │   PCIe      │ │   PCIe      │ │   PCIe      │                        │
│      │  Device A   │ │  Device B   │ │  Device C   │                        │
│      │  (w/ cert)  │ │  (w/ cert)  │ │  (w/ cert)  │                        │
│      └─────────────┘ └─────────────┘ └─────────────┘                        │
└─────────────────────────────────────────────────────────────────────────────┘

2. SPDM Protocol

2.1 SPDM Message Flow

SPDM Authentication Sequence:

Requester (Host)                 Responder (Device)
     │                                    │
     │  GET_VERSION                       │
     │───────────────────────────────────►│
     │                                    │
     │  VERSION                           │
     │◄───────────────────────────────────│
     │                                    │
     │  GET_CAPABILITIES                  │
     │───────────────────────────────────►│
     │                                    │
     │  CAPABILITIES                      │
     │◄───────────────────────────────────│
     │                                    │
     │  NEGOTIATE_ALGORITHMS              │
     │───────────────────────────────────►│
     │                                    │
     │  ALGORITHMS                        │
     │◄───────────────────────────────────│
     │                                    │
     │  GET_DIGESTS                       │
     │───────────────────────────────────►│
     │                                    │
     │  DIGESTS (cert chain hashes)       │
     │◄───────────────────────────────────│
     │                                    │
     │  GET_CERTIFICATE (slot N)          │
     │───────────────────────────────────►│
     │                                    │
     │  CERTIFICATE (chain)               │
     │◄───────────────────────────────────│
     │                                    │
     │  CHALLENGE (nonce)                 │
     │───────────────────────────────────►│
     │                                    │
     │  CHALLENGE_AUTH (signature)        │
     │◄───────────────────────────────────│
     │                                    │
     │  [Device identity verified]        │
     │                                    │

2.2 SPDM Message Format

SPDM Message Header:
┌─────────────────────────────────────────────────────────────┐
│ Byte │ Field          │ Description                         │
├──────┼────────────────┼─────────────────────────────────────┤
│ 0    │ SPDMVersion    │ SPDM version (e.g., 0x12 = 1.2)     │
│ 1    │ RequestCode    │ Message type (see table below)      │
│ 2    │ Param1         │ Message-specific parameter          │
│ 3    │ Param2         │ Message-specific parameter          │
│ 4+   │ Payload        │ Message-specific data               │
└─────────────────────────────────────────────────────────────┘

SPDM Request Codes:
  0x81: GET_VERSION
  0x83: GET_CAPABILITIES
  0x84: NEGOTIATE_ALGORITHMS
  0x01: GET_DIGESTS
  0x02: GET_CERTIFICATE
  0x03: CHALLENGE
  0xE0: GET_MEASUREMENTS
  0xE1: KEY_EXCHANGE
  0xE3: FINISH
  0xE4: PSK_EXCHANGE
  0xE5: PSK_FINISH
  0xE6: HEARTBEAT
  0xE7: KEY_UPDATE
  0xE8: GET_ENCAPSULATED_REQUEST
  0xE9: DELIVER_ENCAPSULATED_RESPONSE

SPDM Response Codes:
  0x04: VERSION
  0x05: CAPABILITIES
  0x63: ALGORITHMS
  0x01: DIGESTS
  0x02: CERTIFICATE
  0x03: CHALLENGE_AUTH
  0x60: MEASUREMENTS
  0x64: KEY_EXCHANGE_RSP
  0x65: FINISH_RSP
  0x7F: ERROR (with error code)

2.3 Certificate Chain Format

SPDM Certificate Chain Structure:
┌─────────────────────────────────────────────────────────────────┐
│ Certificate Chain                                               │
├─────────────────────────────────────────────────────────────────┤
│ Length (2 bytes)                                                │
├─────────────────────────────────────────────────────────────────┤
│ Reserved (2 bytes)                                              │
├─────────────────────────────────────────────────────────────────┤
│ Root Certificate Hash (32/48/64 bytes based on hash algo)       │
├─────────────────────────────────────────────────────────────────┤
│ Certificate 1 (Root CA - X.509 DER encoded)                     │
├─────────────────────────────────────────────────────────────────┤
│ Certificate 2 (Intermediate CA)                                 │
├─────────────────────────────────────────────────────────────────┤
│ ...                                                             │
├─────────────────────────────────────────────────────────────────┤
│ Certificate N (Device/Leaf Certificate)                         │
│   - Contains device public key                                  │
│   - Subject identifies device (vendor ID, serial, etc.)         │
└─────────────────────────────────────────────────────────────────┘

Device Certificate Subject Fields:
  CN = Device Model Name
  O = Vendor Name
  serialNumber = Device Serial Number
  1.3.6.1.4.1.412.274.1 = PCIe Vendor ID (OID)
  1.3.6.1.4.1.412.274.2 = PCIe Device ID (OID)
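A requester-side parser for the chain layout above, as an added example that is not part of the original page or of any SPDM library. It assumes little-endian fields, that Certificate 1 is the root CA as drawn above, and a caller-supplied set of pinned root digests; `fake_der` and `build_chain` only construct sample input.

```python
import hashlib
import struct

def split_der(blob):
    """Split back-to-back DER objects by reading each outer SEQUENCE length."""
    certs, off = [], 0
    while off < len(blob):
        if blob[off] != 0x30 or off + 2 > len(blob):
            raise ValueError(f"no DER SEQUENCE at offset {off}")
        first = blob[off + 1]
        if first < 0x80:                       # short-form length
            hdr, body = 2, first
        else:                                  # long form: n length bytes follow
            n = first & 0x7F
            if not 1 <= n <= 4 or off + 2 + n > len(blob):
                raise ValueError("unsupported or truncated DER length")
            hdr, body = 2 + n, int.from_bytes(blob[off + 2:off + 2 + n], "big")
        if off + hdr + body > len(blob):
            raise ValueError("certificate runs past the end of the chain")
        certs.append(blob[off:off + hdr + body])
        off += hdr + body
    return certs

def parse_cert_chain(buf, trusted_root_hashes, hash_name="sha384"):
    """Return the DER certificates (root first) or raise ValueError."""
    hlen = hashlib.new(hash_name).digest_size
    if len(buf) < 4 + hlen:
        raise ValueError("shorter than Length + Reserved + RootHash")
    length, _reserved = struct.unpack_from("<HH", buf)   # little-endian fields
    if length != len(buf):
        raise ValueError("Length field disagrees with bytes received")
    root_hash = buf[4:4 + hlen]
    certs = split_der(buf[4 + hlen:])
    # Assumption (per the layout above): Certificate 1 is the root CA itself.
    if not certs or hashlib.new(hash_name, certs[0]).digest() != root_hash:
        raise ValueError("RootHash does not match Certificate 1")
    if root_hash not in trusted_root_hashes:
        raise ValueError("root is not in the requester's trust store")
    return certs

def fake_der(body):  # constructed stand-in for a certificate, not real X.509
    n = len(body)
    return b"\x30" + (bytes([n]) if n < 0x80 else b"\x81" + bytes([n])) + body

def build_chain(certs, hash_name="sha384"):  # constructed sample chain
    body = hashlib.new(hash_name, certs[0]).digest() + b"".join(certs)
    return struct.pack("<HH", 4 + len(body), 0) + body
```

These checks cover framing and root pinning only; each certificate's signature and validity still have to be verified with an X.509 library before the leaf key is used to check CHALLENGE_AUTH.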

3. Device Measurements

3.1 Measurement Blocks

GET_MEASUREMENTS Request:
┌─────────────────────────────────────────────────────────────┐
│ Byte │ Field                 │ Description                  │
├──────┼───────────────────────┼──────────────────────────────┤
│ 0-3  │ SPDM Header           │ RequestCode = 0xE0           │
│ 4    │ Attributes            │ Bits for signature request   │
│ 5    │ MeasurementOperation  │ Which measurements to get    │
│ 6-37 │ Nonce (optional)      │ For freshness (if signing)   │
│ 38   │ SlotIDParam           │ Certificate slot for signing │
└─────────────────────────────────────────────────────────────┘

MeasurementOperation values:
  0x00: Get number of measurement blocks
  0x01-0xFE: Get specific measurement block index
  0xFF: Get all measurement blocks

Measurement Block Format:
┌─────────────────────────────────────────────────────────────┐
│ Field                    │ Size    │ Description            │
├──────────────────────────┼─────────┼────────────────────────┤
│ Index                    │ 1 byte  │ Measurement index      │
│ MeasurementSpecification │ 1 byte  │ DMTF spec = 0x01       │
│ MeasurementSize          │ 2 bytes │ Size of measurement    │
│ Measurement              │ varies  │ Actual measurement     │
│  ├─ DMTFSpecMeasType     │ 1 byte  │ Type of measurement    │
│  ├─ DMTFSpecMeasSize     │ 2 bytes │ Size of value          │
│  └─ DMTFSpecMeasValue    │ varies  │ Hash or raw data       │
└─────────────────────────────────────────────────────────────┘

DMTFSpecMeasurementValueType:
  0x00: Immutable ROM
  0x01: Mutable firmware
  0x02: Hardware configuration
  0x03: Firmware configuration
  0x04: Measurement manifest
  0x05-0x7F: Reserved
  0x80-0xFF: Vendor defined

3.2 Typical Device Measurements

Index  Type              Description
1      Immutable ROM     Boot ROM hash
2      Mutable Firmware  Active firmware image hash
3      Mutable Firmware  Recovery firmware hash
4      HW Configuration  Security-relevant fuse values
5      FW Configuration  Security policy settings
6      Manifest          Signed firmware manifest
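The measurement block format from section 3.1, parsed and appraised against reference values, as an added example that is not part of the original page. It assumes little-endian size fields and a verifier-held reference table keyed by index; `make_block` only constructs sample input, and the signature over the record is assumed to have been verified separately.

```python
import hmac
import struct

DMTF_SPEC = 0x01
ROM, MUTABLE_FW, HW_CFG, FW_CFG, MANIFEST = range(5)   # value types listed above

def parse_measurement_record(record):
    """Return {index: (value_type, value)} from back-to-back measurement blocks."""
    blocks, off = {}, 0
    while off < len(record):
        if off + 4 > len(record):
            raise ValueError("truncated block header")
        index, spec, msize = struct.unpack_from("<BBH", record, off)
        off += 4
        if not 0x01 <= index <= 0xFE or index in blocks:
            raise ValueError(f"invalid or duplicate index {index:#x}")
        if spec != DMTF_SPEC:
            raise ValueError("not a DMTF-format measurement")
        if msize < 3 or off + msize > len(record):
            raise ValueError("MeasurementSize runs past the record")
        vtype, vsize = struct.unpack_from("<BH", record, off)
        if vsize != msize - 3:
            raise ValueError("DMTFSpecMeasSize disagrees with MeasurementSize")
        blocks[index] = (vtype, record[off + 3:off + msize])
        off += msize
    return blocks

def appraise(blocks, reference):
    """Compare against reference values; return sorted (index, finding) pairs."""
    findings = []
    for index, (rtype, rvalue) in reference.items():
        got = blocks.get(index)
        if got is None:
            findings.append((index, "missing"))
        elif got[0] != rtype:
            findings.append((index, "type changed"))
        elif not hmac.compare_digest(got[1], rvalue):
            findings.append((index, "value mismatch"))
    findings += [(i, "unexpected block") for i in blocks.keys() - reference.keys()]
    return sorted(findings)

def make_block(index, vtype, value):  # builds constructed sample blocks
    meas = struct.pack("<BH", vtype, len(value)) + value
    return struct.pack("<BBH", index, DMTF_SPEC, len(meas)) + meas
```

An empty findings list is the only passing result: a block the reference table does not know about is reported just like a changed hash.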

4. PCIe Integration (DOE)

4.1 SPDM over DOE

CMA-SPDM uses DOE (Data Object Exchange) for transport:

DOE Capability Structure:
┌─────────────────────────────────────────────────────────────────┐
│ DOE Header                                                      │
│   Vendor ID: 0x0001 (PCI-SIG)                                   │
│   Data Object Type: 0x01 (CMA/SPDM)                             │
├─────────────────────────────────────────────────────────────────┤
│ DOE Data Object Header (2 DW)                                   │
│   DW0: Vendor ID (0x0001) | Type (0x01) | Reserved              │
│   DW1: Length (in DWs)                                          │
├─────────────────────────────────────────────────────────────────┤
│ SPDM Message                                                    │
│   (Padded to DW boundary)                                       │
└─────────────────────────────────────────────────────────────────┘

DOE Protocol for SPDM:
  1. Host writes SPDM request to DOE Write Data Mailbox
  2. Host sets DOE Go bit
  3. Device processes SPDM request
  4. Device sets DOE Data Object Ready bit
  5. Host reads SPDM response from DOE Read Data Mailbox

CMA-SPDM Feature ID:
  Vendor ID: 0x0001 (PCI-SIG)
  Data Object Type: 0x01 (CMA)

Secured CMA-SPDM Feature ID:
  Vendor ID: 0x0001 (PCI-SIG)
  Data Object Type: 0x02 (Secured Messages)
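Host-side framing for steps 1 and 5 of the DOE protocol above, as an added example that is not part of the original page or of any driver. The 18-bit width of the Length field and its inclusion of the two header DWs come from the PCIe DOE definition rather than this page; `read_dw` is a hypothetical accessor for the Read Data Mailbox, `mailbox_from` is a constructed stand-in for it, and the sample message bytes are constructed.

```python
import struct

PCI_SIG_VENDOR_ID = 0x0001
DOE_TYPE_CMA_SPDM = 0x01            # 0x02 is Secured CMA-SPDM
LENGTH_MASK = 0x3FFFF               # DW1 Length is an 18-bit DW count (PCIe DOE)

def doe_encode(spdm_msg, obj_type=DOE_TYPE_CMA_SPDM):
    """DWs the host writes, in order, to the DOE Write Data Mailbox."""
    if not spdm_msg:
        raise ValueError("empty SPDM message")
    padded = spdm_msg + b"\x00" * (-len(spdm_msg) % 4)   # pad to DW boundary
    length_dw = 2 + len(padded) // 4                     # header DWs included
    if length_dw > LENGTH_MASK:
        raise ValueError("message too large for one data object")
    dw0 = PCI_SIG_VENDOR_ID | (obj_type << 16)
    return [dw0, length_dw] + [w for (w,) in struct.iter_unpack("<I", padded)]

def doe_read(read_dw, max_dw, obj_type=DOE_TYPE_CMA_SPDM):
    """Drain one response through read_dw(), which returns the next DW.

    The device-supplied Length is checked against max_dw before it is used
    as a loop bound, so a misbehaving device cannot drive an oversized read.
    """
    dw0, dw1 = read_dw(), read_dw()
    if (dw0 & 0xFFFF) != PCI_SIG_VENDOR_ID or ((dw0 >> 16) & 0xFF) != obj_type:
        raise ValueError("unexpected DOE vendor ID or data object type")
    length_dw = dw1 & LENGTH_MASK
    if not 3 <= length_dw <= max_dw:
        raise ValueError(f"implausible Length of {length_dw} DW")
    payload = [read_dw() for _ in range(length_dw - 2)]
    return b"".join(struct.pack("<I", w) for w in payload)

def mailbox_from(dwords):   # constructed stand-in for the Read Data Mailbox
    it = iter(dwords)
    return lambda: next(it)
```

The returned bytes still include the DW padding; the SPDM layer decides how many of them belong to the message.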

4.2 Secured SPDM Session

Establishing Secured SPDM Session:

After authentication, key exchange creates encrypted session:

   Host                                     Device
     │                                        │
     │  KEY_EXCHANGE (DHE public, req sig)    │
     │───────────────────────────────────────►│
     │                                        │
     │  KEY_EXCHANGE_RSP (DHE public, sig)    │
     │◄───────────────────────────────────────│
     │                                        │
     │  [Both derive session keys from DHE]   │
     │                                        │
     │  FINISH (HMAC of transcript)           │
     │───────────────────────────────────────►│
     │                                        │
     │  FINISH_RSP (HMAC verification)        │
     │◄───────────────────────────────────────│
     │                                        │
     │  [Secure session established]          │
     │  [All further messages encrypted]      │
     │                                        │

Session Keys Derived:
  - Request Direction Encryption Key
  - Request Direction Integrity Key
  - Response Direction Encryption Key
  - Response Direction Integrity Key

Secured Message Format:
┌─────────────────────────────────────────────────────────────────┐
│ Session ID (4 bytes)                                            │
├─────────────────────────────────────────────────────────────────┤
│ Sequence Number (8 bytes, for replay protection)                │
├─────────────────────────────────────────────────────────────────┤
│ ┌─────────────────────────────────────────────────────────────┐ │
│ │ Encrypted:                                                  │ │
│ │   SPDM Message                                              │ │
│ │   Random Data (for padding)                                 │ │
│ └─────────────────────────────────────────────────────────────┘ │
├─────────────────────────────────────────────────────────────────┤
│ AEAD Tag (16 bytes) - Authentication tag                        │
└─────────────────────────────────────────────────────────────────┘

5. Normative Rules

CMA-SPDM Rules

  1. R1: Devices supporting CMA MUST implement DOE capability.
  2. R2: SPDM responders MUST support at least one asymmetric algorithm (RSA or ECDSA).
  3. R3: Device certificates MUST chain to a trusted root certificate.
  4. R4: Measurements MUST be cryptographically bound to challenge nonce.
  5. R5: Secured sessions MUST use AEAD encryption (AES-GCM).
  6. R6: Session keys MUST be derived using approved KDF (HKDF).
  7. R7: Sequence numbers MUST NOT be reused within a session.
  8. R8: Certificate slot 0 MUST contain device identity certificate.
  9. R9: Requester MUST verify certificate chain before using device.
  10. R10: Measurement index 0 is reserved for TCB measurement summary.