macro_check: enforce capability dependencies for KEM/DHE and signature algorithms by czwolak · Pull Request #3621 · DMTF/libspdm

czwolak · 2026-05-11T15:55:18Z

Summary

Why needed: SPDM 1.4 + PQC can currently produce role/capability macro combinations that are detected as invalid only later (integration/CI/runtime). Build profiles (both/requester/responder) plus compile-time fail-fast checks make configuration deterministic, reject invalid combinations immediately at build time, and keep backward compatibility because both remains the default.
Introduce SPDM 1.4 build-profile selection for requester/responder focused builds in libspdm while preserving backward-compatible default behavior.

Changes

Add LIBSPDM_SPDM14_BUILD_PROFILE CMake option with values: both (default), requester, responder.
Add profile-specific config headers:
- include/library/spdm_lib_config_profile_requester.h
- include/library/spdm_lib_config_profile_responder.h
Add profile ID constants and default profile ID in include/library/spdm_lib_config.h.
Add fail-fast macro checks in include/internal/libspdm_macro_check.h for:
- valid profile ID,
- responder-profile constraints,
- PQC capability dependencies (ML-KEM / ML-DSA).

Validation

Built requester/responder profile configurations for OpenSSL and mbedtls.
Verified profile selection via CMake configuration and successful library builds.

Scope notes

SLH-DSA support is explicitly out of scope for this change.
Product direction for mbedtls-based PQC integration remains wrapper-based (ipp-crypto) for ML-KEM and ML-DSA.

jyao1 · 2026-05-14T06:23:29Z

please clarify the problem statement. Why this is needed?

czwolak · 2026-05-14T13:24:29Z

please clarify the problem statement. Why this is needed?

Thanks for the feedback.
The need is to make SPDM 1.4 + PQC configuration deterministic and fail early.

Today, requester/responder role selection and PQC capability combinations can lead to invalid macro sets that are only discovered later (integration/CI/runtime).
This PR adds explicit SPDM 1.4 build profiles (both/requester/responder) and compile-time fail-fast checks so invalid combinations are rejected immediately.

So the value is:

clearer role-focused builds,
earlier detection of invalid SPDM/PQC configs,
lower integration/debug cost, while keeping backward compatibility (both remains default).

jyao1 · 2026-05-20T03:10:06Z

+#ifndef SPDM_LIB_CONFIG_PROFILE_REQUESTER_H
+#define SPDM_LIB_CONFIG_PROFILE_REQUESTER_H
+
+#define LIBSPDM_SPDM14_BUILD_PROFILE_ID LIBSPDM_SPDM14_BUILD_PROFILE_REQUESTER


I am not sure why we need SPDM14 here.
What about SPDM10, SPDM11, SPDM12, SPDM13, and future SPDM15?
Do we want to add for each specific version?

jyao1 · 2026-05-20T03:11:30Z

+#endif
+
+#if (LIBSPDM_ML_KEM_SUPPORT) && !(LIBSPDM_ENABLE_CAPABILITY_KEY_EX_CAP)
+    #error ML-KEM support requires KEY_EX_CAP capability.


why only check KEM? DHE also need KEY_EX.

added for LIBSPDM_DHE_ALGO_SUPPORT

jyao1 · 2026-05-20T03:13:44Z

+#if ((LIBSPDM_ML_DSA_SUPPORT) || (LIBSPDM_SLH_DSA_SUPPORT)) && \
+    !((LIBSPDM_ENABLE_CAPABILITY_CERT_CAP) || (LIBSPDM_ENABLE_CAPABILITY_CHAL_CAP) || \
+    (LIBSPDM_ENABLE_CAPABILITY_KEY_EX_CAP) || (LIBSPDM_ENABLE_CAPABILITY_MUT_AUTH_CAP))
+    #error ML-DSA/SLH-DSA support requires CERT_CAP, CHAL_CAP, KEY_EX_CAP, or MUT_AUTH_CAP.


same question. RSA/ECDSA/EdDSA/... also need similar check.

added for LIBSPDM_ASYM_ALGO_SUPPORT and removed MUT_AUTH_CAP from the condition. added condition that MUT_AUTH_CAP requires KEY_EX_CAP

jyao1 · 2026-05-20T03:15:26Z

I notice this PR include 2 features: 1) add consistency check, 2) add PROFILE_ID.

I think those are 2 different features. I suggest we split to 2 different PRs.

jyao1 · 2026-05-20T04:12:33Z

+#define LIBSPDM_SEND_GET_CERTIFICATE_SUPPORT 1
+#define LIBSPDM_SEND_CHALLENGE_SUPPORT 1
+#define LIBSPDM_EVENT_RECIPIENT_SUPPORT 1
+#define LIBSPDM_SEND_GET_ENDPOINT_INFO_SUPPORT 1


I do not understand why those should be in profile.

jyao1 · 2026-05-20T04:12:51Z

+#define LIBSPDM_SEND_GET_CERTIFICATE_SUPPORT 1
+#define LIBSPDM_SEND_CHALLENGE_SUPPORT 1
+#define LIBSPDM_EVENT_RECIPIENT_SUPPORT 0
+#define LIBSPDM_SEND_GET_ENDPOINT_INFO_SUPPORT 0


I do not understand why this is a must.

czwolak · 2026-05-20T09:07:28Z

@jyao1 I think I see your point. Lets close this PR and related task. I will try to introduce 1.4 as 1.1-1.3 was before without additional profiles, checks. Just pure support, OK?

czwolak · 2026-05-20T09:09:31Z

I will try to introduce 1.4 as 1.1-1.3 was before, without additional build profiles, checks.

jyao1 · 2026-05-22T01:34:28Z

please change the descript if the scope is changed.

jyao1 · 2026-05-22T01:35:23Z

+#if (LIBSPDM_ENABLE_CAPABILITY_MUT_AUTH_CAP) && !(LIBSPDM_ENABLE_CAPABILITY_KEY_EX_CAP)
+    #error If MUT_AUTH_CAP is enabled then KEY_EX_CAP must also be enabled.
+#endif


The SPDM spec does not mention this rule.
I suggest to remove it.

…ture algorithms Drop SPDM 1.4 build-profile specific checks and keep focused macro validation updates: - require KEY_EX_CAP when KEM or DHE algorithms are enabled - require CERT_CAP/CHAL_CAP/KEY_EX_CAP when any signature algorithm is enabled - require KEY_EX_CAP when MUT_AUTH_CAP is enabled This addresses reviewer concerns around algorithm-to-capability consistency in libspdm_macro_check.h. Signed-off-by: Cezary Zwolak <cezary.zwolak@intel.com>

czwolak requested review from jyao1 and steven-bellock as code owners May 11, 2026 15:55

czwolak force-pushed the feature/spdm14-build-profiles branch 3 times, most recently from 7bec0d7 to 7a4f216 Compare May 12, 2026 09:20

jyao1 reviewed May 20, 2026

View reviewed changes

czwolak closed this May 20, 2026

czwolak reopened this May 21, 2026

czwolak force-pushed the feature/spdm14-build-profiles branch from 7a4f216 to 3793857 Compare May 21, 2026 07:40

czwolak changed the title ~~Add SPDM 1.4 requester/responder build profiles~~ macro_check: enforce capability dependencies for KEM/DHE and signature algorithms May 21, 2026

jyao1 reviewed May 22, 2026

View reviewed changes

czwolak force-pushed the feature/spdm14-build-profiles branch from 3793857 to 357c7cd Compare May 22, 2026 11:00

Conversation

czwolak commented May 11, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Summary

Changes

Validation

Scope notes

Uh oh!

jyao1 commented May 14, 2026

Uh oh!

czwolak commented May 14, 2026

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

jyao1 commented May 20, 2026

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

czwolak commented May 20, 2026

Uh oh!

czwolak commented May 20, 2026

Uh oh!

jyao1 commented May 22, 2026

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

czwolak commented May 11, 2026 •

edited

Loading