Implement GET_MEASUREMENTS request generation

Author: embediver

examples/spdm_requester.rs

@@ -14,6 +14,7 @@ use spdm_lib::commands::certificate::request::generate_get_certificate;
 use spdm_lib::commands::challenge::{
     request::generate_challenge_request, MeasurementSummaryHashType,
 };
+use spdm_lib::commands::measurements::request::generate_get_measurements;
 use spdm_lib::context::SpdmContext;
 use spdm_lib::error::SpdmError;
 use spdm_lib::protocol::algorithms::{
@@ -472,6 +473,26 @@ fn full_flow(stream: TcpStream, config: &RequesterConfig) -> IoResult<()> {
         println!("CHALLENGE_AUTH signature verification successfull");
     }
 
+    // GET_MEASUREMENTS
+    message_buffer.reset();
+    generate_get_measurements(
+        &mut spdm_context,
+        &mut message_buffer,
+        false,
+        false,
+        0x01,
+        Some(0),
+        None,
+    )
+    .unwrap();
+    spdm_context
+        .requester_send_request(&mut message_buffer, EID)
+        .unwrap();
+
+    if config.verbose {
+        println!("GET_MEASUREMENTS: {:?}", &message_buffer.message_data());
+    }
+
     Ok(())
 }
 

src/commands/measurements/mod.rs

@@ -38,9 +38,9 @@ bitfield! {
     struct GetMeasurementsReqAttr(u8);
     impl Debug;
     u8;
-    pub signature_requested, _: 0, 0;
-    pub raw_bitstream_requested, _: 1, 1;
-    pub new_measurement_requested, _: 2, 2;
+    pub signature_requested, set_signature_requested: 0, 0;
+    pub raw_bitstream_requested, set_raw_bitstream_requested: 1, 1;
+    pub new_measurement_requested, set_new_measurement_requested: 2, 2;
     reserved, _: 7, 3;
 }
 

src/commands/measurements/request.rs

@@ -1 +1,127 @@
 // Licensed under the Apache-2.0 license
+
+use crate::{
+    codec::{Codec, MessageBuf},
+    commands::measurements::{
+        GetMeasurementsReqAttr, GetMeasurementsReqCommon, GetMeasurementsReqSignature,
+    },
+    context::SpdmContext,
+    error::{CommandError, CommandResult, PlatformError},
+    protocol::{ReqRespCode, SpdmMsgHdr, SpdmVersion, NONCE_LEN},
+    state::ConnectionState,
+};
+
+pub fn generate_get_measurements<'a>(
+    ctx: &mut SpdmContext<'a>,
+    req_buf: &mut MessageBuf<'a>,
+    raw_bitstream_requested: bool,
+    new_measurement_requested: bool,
+    meas_op: u8,
+    slot_id: Option<u8>,
+    context: Option<&[u8; 8]>,
+) -> CommandResult<()> {
+    // Validate connection state - algorithms must be negotiated first
+    if ctx.state.connection_info.state() < ConnectionState::AlgorithmsNegotiated {
+        return Err((true, CommandError::UnsupportedRequest));
+    }
+
+    // TODO: maybe add a check if measuements are supported by the responder
+
+    // Get connection version
+    let connection_version = ctx.state.connection_info.version_number();
+
+    // Create and encode SPDM message header
+    let spdm_hdr = SpdmMsgHdr::new(connection_version, ReqRespCode::GetMeasurements);
+    let mut payload_len = spdm_hdr
+        .encode(req_buf)
+        .map_err(|e| (false, CommandError::Codec(e)))?;
+
+    let mut req_attr = GetMeasurementsReqAttr(0);
+
+    // signature requested is available in all versions
+    if slot_id.is_some() {
+        // Error if the responder doesn't support this
+        if !responder_supports_signed_measurements(ctx) {
+            return Err((true, CommandError::UnsupportedRequest));
+        }
+        req_attr.set_signature_requested(1);
+    }
+
+    if raw_bitstream_requested {
+        if connection_version < SpdmVersion::V12 {
+            return Err((true, CommandError::UnsupportedRequest));
+        }
+        // TODO Check measuement block spec
+        req_attr.set_raw_bitstream_requested(1);
+    }
+
+    if new_measurement_requested {
+        if connection_version < SpdmVersion::V13 {
+            return Err((true, CommandError::UnsupportedRequest));
+        }
+        req_attr.set_new_measurement_requested(1);
+    }
+
+    // Encode request attributes and `Measurement` operation
+    let get_meas_common = GetMeasurementsReqCommon { req_attr, meas_op };
+    payload_len += get_meas_common
+        .encode(req_buf)
+        .map_err(|e| (false, CommandError::Codec(e)))?;
+
+    // Generate Nonce if signature was requested
+    if let Some(id) = slot_id {
+        let mut nonce = [0; NONCE_LEN];
+        ctx.rng
+            .get_random_bytes(&mut nonce)
+            .map_err(|e| (true, PlatformError::from(e).into()))?;
+
+        if connection_version < SpdmVersion::V11 {
+            todo!("Implement encoding of nonce only for v1.0");
+        } else {
+            let get_meas_sig = GetMeasurementsReqSignature {
+                requester_nonce: nonce,
+                slot_id: id,
+            };
+            payload_len += get_meas_sig
+                .encode(req_buf)
+                .map_err(|e| (false, CommandError::Codec(e)))?;
+        }
+    }
+
+    // encode context data if spdm version is >= v1.3
+    if connection_version >= SpdmVersion::V13 {
+        if let Some(context) = context {
+            payload_len +=
+                crate::codec::encode_u8_slice(context, req_buf).map_err(|e| (true, e.into()))?;
+        } else {
+            payload_len +=
+                crate::codec::encode_u8_slice(&[0; 8], req_buf).map_err(|e| (true, e.into()))?;
+        }
+    }
+
+    // Finalize message by pushing total payload length
+    req_buf
+        .push_data(payload_len)
+        .map_err(|_| (false, CommandError::BufferTooSmall))?;
+
+    ctx.append_message_to_transcript(req_buf, crate::transcript::TranscriptContext::L1)
+}
+
+/// Check if the responder supports signing its measurements
+///
+/// Currently only the `MEAS_CAP` is checked.
+/// Checking `BaseAsymSel` and `ExtAsymSelCount` might need to checked,
+/// to determine if a signed measurement can be requested.
+/// (The Spec is a bit fuzzy about that.)
+fn responder_supports_signed_measurements(ctx: &SpdmContext<'_>) -> bool {
+    let flags = &ctx.state.connection_info.peer_capabilities().flags;
+    // 0b00 no measurements support
+    // 0b01 measurements support without signing
+    // 0b10 measurements with signing supported
+    // 0b11 reserved
+    if flags.meas_cap() == 0b10 {
+        return true;
+    } else {
+        return false;
+    }
+}

src/error.rs

@@ -37,6 +37,12 @@ pub enum PlatformError {
     EvidenceError(SpdmEvidenceError),
 }
 
+impl From<SpdmRngError> for PlatformError {
+    fn from(value: SpdmRngError) -> Self {
+        PlatformError::RngError(value)
+    }
+}
+
 #[non_exhaustive]
 #[derive(Debug, PartialEq)]
 pub enum CommandError {
@@ -62,3 +68,15 @@ pub enum CommandError {
     /// in a dependency, or a uncaught platform misbehavior.
     InternalError,
 }
+
+impl From<PlatformError> for CommandError {
+    fn from(value: PlatformError) -> Self {
+        CommandError::Platform(value)
+    }
+}
+
+impl From<CodecError> for CommandError {
+    fn from(value: CodecError) -> Self {
+        CommandError::Codec(value)
+    }
+}