[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH 3/3] hw/nvme: Add SPDM over DOE support
|
From: |
Lukas Wunner |
|
Subject: |
Re: [PATCH 3/3] hw/nvme: Add SPDM over DOE support |
|
Date: |
Mon, 2 Oct 2023 14:50:35 +0200 |
|
User-agent: |
Mutt/1.10.1 (2018-07-13) |
On Mon, Oct 02, 2023 at 11:36:25AM +0000, Yao, Jiewen wrote:
> Comment on subjectAltName.
>
> PCI-SIG realized that it may cause problem for certain device
> and decided to remove such requirement in future ECN.
> I don't think that is absolutely needed.
We have to follow what's in the spec. We can't just leave out
certain elements because they might possibly maybe be removed
in the future.
PCIe r6.1 does require the Subject Alternative Name and that's
the latest version, so we follow that.
The ECN that you're referring to only exists as a draft in the
PCISIG's Review Zone Archive.
My understanding is that the Subject Alternative Name's purpose
is to eliminate certain threats in the CMA threat model:
The Subject Alternative Name is basically a signed version of the
device's identity in config space. Without it, a different device
might misappropriate a device's certificate + private key.
If the Subject Alternative Name requirement is dropped, I would
like to know how that threat is prevented instead?
I don't quite understand what you mean by "may cause problem for
certain device". I've asked the editor of the PCIe Base Spec why
they're considering removing the requirement and the gist of the
answer was -- I'm paraphrasing here -- that vendors thought the
requirement is generally quite narrow and perceived as a straight-jacket
and that at this point, more flexibility is desired as to the
identification scheme. There was no mention at all of "problems
for certain devices".
Thanks,
Lukas