Re: [RFC v3 00/27] lib: Rust implementation of SPDM
From: dan.j.williams
Date: Thu Feb 19 2026 - 13:42:50 EST
Lukas Wunner wrote:
> On Wed, Feb 18, 2026 at 03:40:10PM -0800, dan.j.williams@xxxxxxxxx wrote:
> > However, I notice that Aneesh needs x509 certificate parsing for his TSM
> > driver [1], I think TDX would benefit from the same to offload needing
> > to specify the wall-clock time to the module [2] for cert verification,
> > and SEV-TIO (already upstream) is currently missing any facility for the
> > host to attest the device.
> >
> > [1]: http://lore.kernel.org/20250728135216.48084-17-aneesh.kumar@xxxxxxxxxx
>
> There's a newer version:
>
> https://lore.kernel.org/all/20251027095602.1154418-1-aneesh.kumar@xxxxxxxxxx/
As I understand it, this still has a dependency on a new base ARM CCA
posting. So the nearest-term solution is to just wire up the existing
certificate blobs retrieved by the upstream SEV-TIO driver.
> This would allow upstreaming at least the three X.509 patches at the
> beginning of my CMA series (and Alistair's rSPDM series) and thus
> reduce the patch count a little bit.
ARM CCA only needs to parse the certificates to confirm to the TSM which
public key to use. I am struggling to find another near-term need for
the kernel to parse the certificate.
> However I don't know how far along Aneesh's CCA work is.
>
> Note that David Howells' introduction of ML-DSA in v7.0 moves around
> a lot of the X.509 code so the three X.509 patches for CMA will no longer
> apply cleanly:
>
> https://lore.kernel.org/all/2977832.1770384806@xxxxxxxxxxxxxxxxxxxxxx/
>
> I'll rebase my development branch after v7.0-rc1 is out and Aneesh can
> then pick up the latest version from it:
>
> https://github.com/l1k/linux/commits/doe
Sounds good, but I want to focus on the blob dump interface for the
existing upstream SPDM requester, SEV-TIO, and then go from there.