From 21a04df81a393b934330b483e0316331a68576cf Mon Sep 17 00:00:00 2001
From: Jiewen Yao
Date: Wed, 20 May 2026 12:00:49 +0800
Subject: [PATCH 1/2] add PQC algo FIPS consistency check.

Signed-off-by: Jiewen Yao
---
 include/internal/libspdm_macro_check.h | 23 ++++++++++++++++++++++-
 1 file changed, 22 insertions(+), 1 deletion(-)

diff --git a/include/internal/libspdm_macro_check.h b/include/internal/libspdm_macro_check.h
index b18943d3208..883f4c6f817 100644
--- a/include/internal/libspdm_macro_check.h
+++ b/include/internal/libspdm_macro_check.h
@@ -1,6 +1,6 @@
 /**
 * Copyright Notice:
- * Copyright 2021-2025 DMTF. All rights reserved.
+ * Copyright 2021-2026 DMTF. All rights reserved.
 * License: BSD 3-Clause License. For full text see link: https://github.com/DMTF/libspdm/blob/main/LICENSE.md
 **/

@@ -22,6 +22,11 @@
 ((LIBSPDM_SHA2_SUPPORT) || (LIBSPDM_SHA3_SUPPORT) || \
 (LIBSPDM_SM3_SUPPORT))

+#define LIBSPDM_PQC_ASYM_ALGO_SUPPORT \
+ ((LIBSPDM_ML_DSA_SUPPORT) || (LIBSPDM_SLH_DSA_SUPPORT))
+
+#define LIBSPDM_KEM_ALGO_SUPPORT (LIBSPDM_ML_KEM_SUPPORT)
+
 #if LIBSPDM_FIPS_MODE
 #define LIBSPDM_FIPS_ASYM_ALGO_SUPPORT \
 ((LIBSPDM_RSA_SSA_SUPPORT) || (LIBSPDM_RSA_PSS_SUPPORT) || (LIBSPDM_ECDSA_SUPPORT) || \
@@ -34,6 +39,10 @@

 #define LIBSPDM_FIPS_HASH_ALGO_SUPPORT \
 ((LIBSPDM_SHA2_SUPPORT) || (LIBSPDM_SHA3_SUPPORT))
+
+#define LIBSPDM_FIPS_PQC_ASYM_ALGO_SUPPORT (LIBSPDM_ML_DSA_SUPPORT)
+
+#define LIBSPDM_FIPS_KEM_ALGO_SUPPORT (LIBSPDM_ML_KEM_SUPPORT)
 #endif /*LIBSPDM_FIPS_MODE*/

 #if (LIBSPDM_ENABLE_CAPABILITY_KEY_EX_CAP) && !LIBSPDM_ASYM_ALGO_SUPPORT
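Review bot: `LIBSPDM_FIPS_PQC_ASYM_ALGO_SUPPORT` in the `@@ -34,6 +39,10 @@` hunk lists only `LIBSPDM_ML_DSA_SUPPORT`, while the general `LIBSPDM_PQC_ASYM_ALGO_SUPPORT` added in the `@@ -22,6 +22,11 @@` hunk also counts `LIBSPDM_SLH_DSA_SUPPORT`, and nothing on the page says why. SLH-DSA is itself a NIST standard (FIPS 205), so a reader cannot tell whether the omission is deliberate; presumably it mirrors what the library's FIPS enforcement clears, which is not visible in this patch. The practical effect is that a FIPS build with SLH-DSA as its only PQC signature algorithm stops at the `#error` this patch adds in its `@@ -110,18 +119,30 @@` hunk. I would record the reason next to the define, e.g. `/* SLH-DSA is intentionally left out of the FIPS-mode set: <reason>. */`.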
@@ -110,18 +119,30 @@
 #if (LIBSPDM_HASH_ALGO_SUPPORT) && !LIBSPDM_FIPS_HASH_ALGO_SUPPORT
 #error HASH algo is cleared after FIPS enforcement.
 #endif
+
+#if (LIBSPDM_PQC_ASYM_ALGO_SUPPORT) && !LIBSPDM_FIPS_PQC_ASYM_ALGO_SUPPORT
+ #error PQC ASYM algo is cleared after FIPS enforcement.
+#endif
+
+#if (LIBSPDM_KEM_ALGO_SUPPORT) && !LIBSPDM_FIPS_KEM_ALGO_SUPPORT
+ #error KEM algo is cleared after FIPS enforcement.
+#endif
 #endif /*LIBSPDM_FIPS_MODE*/

 #undef LIBSPDM_ASYM_ALGO_SUPPORT
 #undef LIBSPDM_DHE_ALGO_SUPPORT
 #undef LIBSPDM_AEAD_ALGO_SUPPORT
 #undef LIBSPDM_HASH_ALGO_SUPPORT
+#undef LIBSPDM_PQC_ASYM_ALGO_SUPPORT
+#undef LIBSPDM_KEM_ALGO_SUPPORT

 #if LIBSPDM_FIPS_MODE
 #undef LIBSPDM_FIPS_ASYM_ALGO_SUPPORT
 #undef LIBSPDM_FIPS_DHE_ALGO_SUPPORT
 #undef LIBSPDM_FIPS_AEAD_ALGO_SUPPORT
 #undef LIBSPDM_FIPS_HASH_ALGO_SUPPORT
+#undef LIBSPDM_FIPS_PQC_ASYM_ALGO_SUPPORT
+#undef LIBSPDM_FIPS_KEM_ALGO_SUPPORT
 #endif /*LIBSPDM_FIPS_MODE*/

 #endif /* LIBSPDM_MACRO_CHECK_H */
From 8b70ac6d4a6950d1c70d5e390d54230685782294 Mon Sep 17 00:00:00 2001
From: Jiewen Yao
Date: Wed, 20 May 2026 12:08:16 +0800
Subject: [PATCH 2/2] Add PQC_ASYM and KEM check to support non-ASYM or non-DHE cases.

Signed-off-by: Jiewen Yao
---
 include/internal/libspdm_macro_check.h | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/include/internal/libspdm_macro_check.h b/include/internal/libspdm_macro_check.h
index 883f4c6f817..bdc282734f1 100644
--- a/include/internal/libspdm_macro_check.h
+++ b/include/internal/libspdm_macro_check.h
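Review bot: The new KEM check in the `@@ -110,18 +119,30 @@` hunk of patch 1/2 cannot fire as written, because `LIBSPDM_KEM_ALGO_SUPPORT` and `LIBSPDM_FIPS_KEM_ALGO_SUPPORT` are both defined as `(LIBSPDM_ML_KEM_SUPPORT)` earlier in the same patch and the condition reduces to `X && !X`. If it is there so that a later non-FIPS KEM is caught automatically, a comment above it should say so, for example `/* Both KEM sets are ML-KEM only today; this guards future non-FIPS KEM additions. */`. The PQC ASYM check beside it is live only for the SLH-DSA-without-ML-DSA configuration, and its message could name that case so the integrator knows which macro to change. Both checks only establish that the FIPS set is non-empty; whether SLH-DSA is actually disabled in a FIPS build that enables both signature algorithms is decided elsewhere and cannot be confirmed from this hunk.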
@@ -45,20 +45,20 @@
 #define LIBSPDM_FIPS_KEM_ALGO_SUPPORT (LIBSPDM_ML_KEM_SUPPORT)
 #endif /*LIBSPDM_FIPS_MODE*/

-#if (LIBSPDM_ENABLE_CAPABILITY_KEY_EX_CAP) && !LIBSPDM_ASYM_ALGO_SUPPORT
- #error If KEY_EX_CAP is enabled then at least one asymmetric algorithm must also be enabled.
+#if (LIBSPDM_ENABLE_CAPABILITY_KEY_EX_CAP) && !(LIBSPDM_ASYM_ALGO_SUPPORT || LIBSPDM_PQC_ASYM_ALGO_SUPPORT)
+ #error If KEY_EX_CAP is enabled then at least one asymmetric or PQC asymmetric algorithm must also be enabled.
 #endif

-#if (LIBSPDM_ENABLE_CAPABILITY_CERT_CAP) && !LIBSPDM_ASYM_ALGO_SUPPORT
- #error If CERT_CAP is enabled then at least one asymmetric algorithm must also be enabled.
+#if (LIBSPDM_ENABLE_CAPABILITY_CERT_CAP) && !(LIBSPDM_ASYM_ALGO_SUPPORT || LIBSPDM_PQC_ASYM_ALGO_SUPPORT)
+ #error If CERT_CAP is enabled then at least one asymmetric or PQC asymmetric algorithm must also be enabled.
 #endif

-#if (LIBSPDM_ENABLE_CAPABILITY_CHAL_CAP) && !LIBSPDM_ASYM_ALGO_SUPPORT
- #error If CHAL_CAP is enabled then at least one asymmetric algorithm must also be enabled.
+#if (LIBSPDM_ENABLE_CAPABILITY_CHAL_CAP) && !(LIBSPDM_ASYM_ALGO_SUPPORT || LIBSPDM_PQC_ASYM_ALGO_SUPPORT)
+ #error If CHAL_CAP is enabled then at least one asymmetric or PQC asymmetric algorithm must also be enabled.
 #endif

-#if (LIBSPDM_ENABLE_CAPABILITY_KEY_EX_CAP) && !LIBSPDM_DHE_ALGO_SUPPORT
- #error If KEY_EX_CAP is enabled then at least one DHE algorithm must also be enabled.
+#if (LIBSPDM_ENABLE_CAPABILITY_KEY_EX_CAP) && !(LIBSPDM_DHE_ALGO_SUPPORT || LIBSPDM_KEM_ALGO_SUPPORT)
+ #error If KEY_EX_CAP is enabled then at least one DHE or KEM algorithm must also be enabled.
 #endif

 #if (LIBSPDM_ENABLE_CAPABILITY_KEY_EX_CAP) && !LIBSPDM_AEAD_ALGO_SUPPORT
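Review bot: The two relaxed `KEY_EX_CAP` checks are evaluated independently, so a build with only classical signatures plus only ML-KEM, or only PQC signatures plus only DHE, now passes both of them. If such mixed pairings are meant to be supported, a short comment before the first `#if` would record that, e.g. `/* Signature and key-exchange families are checked separately; classical/PQC mixes are allowed. */`. If they are not, a further `#error` for the unmatched combinations is needed; which of the two applies cannot be judged from this hunk alone.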