1.4 Add SET_KEY_PAIR_RESET_CAP support

Li-Aaron · Li-Aaron · commit 0edfcd3f80e3 · 2025-09-09T22:16:17.000+08:00
fix #3133 Signed-off-by: Aaron Li <aaron.li@intel.com>
diff --git a/library/spdm_requester_lib/libspdm_req_handle_error_response.c b/library/spdm_requester_lib/libspdm_req_handle_error_response.c
@@ -131,6 +131,18 @@ libspdm_return_t libspdm_handle_simple_error_response(libspdm_context_t *spdm_co
         }
     }
 
+    if (last_spdm_request->header.request_response_code == SPDM_SET_KEY_PAIR_INFO) {
+        if (error_code == SPDM_ERROR_CODE_RESET_REQUIRED) {
+            if ((libspdm_get_connection_version(spdm_context) >= SPDM_MESSAGE_VERSION_14) &&
+                !libspdm_is_capabilities_flag_supported(
+                    spdm_context, true, 0,
+                    SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_SET_KEY_PAIR_RESET_CAP)) {
+                return LIBSPDM_STATUS_ERROR_PEER;
+            }
+            return LIBSPDM_STATUS_RESET_REQUIRED_PEER;
+        }
+    }
+
     if (error_code == SPDM_ERROR_CODE_REQUEST_RESYNCH) {
         spdm_context->connection_info.connection_state = LIBSPDM_CONNECTION_STATE_NOT_STARTED;
         return LIBSPDM_STATUS_RESYNCH_PEER;
diff --git a/library/spdm_responder_lib/libspdm_rsp_set_key_pair_info_ack.c b/library/spdm_responder_lib/libspdm_rsp_set_key_pair_info_ack.c
@@ -276,9 +276,15 @@ libspdm_return_t libspdm_get_response_set_key_pair_info_ack(libspdm_context_t *s
         }
     }
 
-    need_reset = libspdm_is_capabilities_flag_supported(
-        spdm_context, false, 0,
-        SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_CERT_INSTALL_RESET_CAP);
+    if (libspdm_get_connection_version(spdm_context) >= SPDM_MESSAGE_VERSION_14) {
+        need_reset = libspdm_is_capabilities_flag_supported(
+            spdm_context, false, 0,
+            SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_SET_KEY_PAIR_RESET_CAP);
+    } else {
+        need_reset = libspdm_is_capabilities_flag_supported(
+            spdm_context, false, 0,
+            SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_CERT_INSTALL_RESET_CAP);
+    }
     result = libspdm_write_key_pair_info(
         spdm_context,
         key_pair_id,
diff --git a/unit_test/test_spdm_requester/set_key_pair_info.c b/unit_test/test_spdm_requester/set_key_pair_info.c
@@ -21,6 +21,7 @@ libspdm_return_t libspdm_requester_set_key_pair_info_test_send_message(
     case 0x1:
     case 0x2:
     case 0x3:
+    case 0x4:
         return LIBSPDM_STATUS_SUCCESS;
     default:
         return LIBSPDM_STATUS_SEND_FAIL;
@@ -97,7 +98,26 @@ libspdm_return_t libspdm_requester_set_key_pair_info_test_receive_message(
                                               response);
     }
         return LIBSPDM_STATUS_SUCCESS;
+    case 0x4: {
+        spdm_error_response_t *spdm_response;
+        size_t spdm_response_size;
+        size_t transport_header_size;
+
+        transport_header_size = LIBSPDM_TEST_TRANSPORT_HEADER_SIZE;
+        spdm_response = (void *)((uint8_t *)*response + transport_header_size);
+        spdm_response_size = sizeof(spdm_error_response_t);
+
+        spdm_response->header.spdm_version = SPDM_MESSAGE_VERSION_14;
+        spdm_response->header.request_response_code = SPDM_ERROR;
+        spdm_response->header.param1 = SPDM_ERROR_CODE_RESET_REQUIRED;
+        spdm_response->header.param2 = 0;
 
+        libspdm_transport_test_encode_message(spdm_context, NULL, false,
+                                              false, spdm_response_size,
+                                              spdm_response, response_size,
+                                              response);
+    }
+        return LIBSPDM_STATUS_SUCCESS;
     default:
         return LIBSPDM_STATUS_RECEIVE_FAIL;
     }
@@ -228,6 +248,47 @@ void libspdm_test_requester_set_key_pair_info_case3(void **state)
     assert_int_equal(status, LIBSPDM_STATUS_INVALID_MSG_FIELD);
 }
 
+/**
+ * Test 4: Successful reset required error code
+ * Expected Behavior: get a RESET_REQURED_PEER return code
+ **/
+void libspdm_test_requester_set_key_pair_info_case4(void **state)
+{
+    libspdm_return_t status;
+    libspdm_test_context_t *spdm_test_context;
+    libspdm_context_t *spdm_context;
+
+    uint8_t key_pair_id;
+    uint8_t operation;
+    uint16_t desired_key_usage;
+    uint32_t desired_asym_algo;
+    uint8_t desired_assoc_cert_slot_mask;
+
+    spdm_test_context = *state;
+    spdm_context = spdm_test_context->spdm_context;
+    spdm_test_context->case_id = 0x4;
+    spdm_context->connection_info.version = SPDM_MESSAGE_VERSION_14 <<
+                                            SPDM_VERSION_NUMBER_SHIFT_BIT;
+
+    spdm_context->connection_info.connection_state =
+        LIBSPDM_CONNECTION_STATE_NEGOTIATED;
+    spdm_context->connection_info.capability.flags |=
+        SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_SET_KEY_PAIR_INFO_CAP;
+    spdm_context->connection_info.capability.flags |=
+        SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_SET_KEY_PAIR_RESET_CAP;
+
+    key_pair_id = 1;
+    operation = SPDM_SET_KEY_PAIR_INFO_ERASE_OPERATION;
+    desired_key_usage = 0;
+    desired_asym_algo = 0;
+    desired_assoc_cert_slot_mask = 0;
+    status = libspdm_set_key_pair_info(spdm_context, NULL, key_pair_id,
+                                       operation, desired_key_usage, desired_asym_algo,
+                                       desired_assoc_cert_slot_mask);
+
+    assert_int_equal(status, LIBSPDM_STATUS_RESET_REQUIRED_PEER);
+}
+
 int libspdm_requester_set_key_pair_info_test_main(void)
 {
     const struct CMUnitTest spdm_requester_set_key_pair_info_tests[] = {
@@ -237,6 +298,8 @@ int libspdm_requester_set_key_pair_info_test_main(void)
         cmocka_unit_test(libspdm_test_requester_set_key_pair_info_case2),
         /* The response code is incorrect */
         cmocka_unit_test(libspdm_test_requester_set_key_pair_info_case3),
+        /* Successful response with reset required error code */
+        cmocka_unit_test(libspdm_test_requester_set_key_pair_info_case4),
     };
 
     libspdm_test_context_t test_context = {
diff --git a/unit_test/test_spdm_responder/set_key_pair_info_ack.c b/unit_test/test_spdm_responder/set_key_pair_info_ack.c
@@ -503,6 +503,179 @@ void libspdm_test_responder_set_key_pair_info_ack_case3(void **state)
     assert_int_equal(spdm_response->header.param2, 0);
 }
 
+/**
+ * Test 4: Successful response to set key pair info with key pair id 4: need reset, spdm 1.4
+ * Expected Behavior: get a RETURN_SUCCESS return code, and correct response message size and fields
+ **/
+void libspdm_test_responder_set_key_pair_info_ack_case4(void **state)
+{
+    /* reference case 2 */
+    libspdm_return_t status;
+    libspdm_test_context_t *spdm_test_context;
+    libspdm_context_t *spdm_context;
+    size_t response_size;
+    uint8_t response[LIBSPDM_MAX_SPDM_MSG_SIZE];
+    spdm_set_key_pair_info_ack_response_t *spdm_response;
+
+    uint8_t key_pair_id;
+    size_t set_key_pair_info_request_size;
+    spdm_set_key_pair_info_request_t *set_key_pair_info_request;
+    uint8_t *ptr;
+    uint16_t desired_key_usage;
+    uint32_t desired_asym_algo;
+    uint8_t desired_assoc_cert_slot_mask;
+    uint8_t desired_pqc_asym_algo_len;
+    uint32_t desired_pqc_asym_algo;
+
+    set_key_pair_info_request = malloc(sizeof(spdm_set_key_pair_info_request_t) +
+                                       sizeof(uint8_t) + sizeof(uint16_t) + sizeof(uint32_t) +
+                                       sizeof(uint8_t) + sizeof(uint8_t) + sizeof(uint32_t));
+
+    spdm_test_context = *state;
+    spdm_context = spdm_test_context->spdm_context;
+    spdm_test_context->case_id = 0x4;
+    spdm_context->connection_info.version = SPDM_MESSAGE_VERSION_14 <<
+                                            SPDM_VERSION_NUMBER_SHIFT_BIT;
+    spdm_context->connection_info.connection_state =
+        LIBSPDM_CONNECTION_STATE_AUTHENTICATED;
+    spdm_context->connection_info.algorithm.base_asym_algo =
+        m_libspdm_use_asym_algo;
+    spdm_context->local_context.capability.flags = 0; /* clear flags */
+    spdm_context->local_context.capability.flags |=
+        SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_SET_KEY_PAIR_INFO_CAP;
+    spdm_context->local_context.total_key_pairs = libspdm_read_total_key_pairs();
+    key_pair_id = 4;
+
+    /*set responder need reset, spdm 1.4 */
+    spdm_context->local_context.capability.flags |=
+        SPDM_GET_CAPABILITIES_RESPONSE_FLAGS_SET_KEY_PAIR_RESET_CAP;
+
+    response_size = sizeof(response);
+
+    /*Before reset, change: remove an association with slot*/
+    set_key_pair_info_request_size =
+        sizeof(spdm_set_key_pair_info_request_t) +
+        sizeof(uint8_t) + sizeof(uint16_t) + sizeof(uint32_t) + sizeof(uint8_t) +
+        sizeof(uint8_t);
+
+    libspdm_zero_mem(set_key_pair_info_request, set_key_pair_info_request_size);
+    set_key_pair_info_request->header.spdm_version = SPDM_MESSAGE_VERSION_14;
+    set_key_pair_info_request->header.request_response_code = SPDM_SET_KEY_PAIR_INFO;
+    set_key_pair_info_request->header.param1 = SPDM_SET_KEY_PAIR_INFO_CHANGE_OPERATION;
+    set_key_pair_info_request->header.param2 = 0;
+    set_key_pair_info_request->key_pair_id = key_pair_id;
+
+    status = libspdm_get_response_set_key_pair_info_ack(
+        spdm_context, set_key_pair_info_request_size,
+        set_key_pair_info_request, &response_size, response);
+    assert_int_equal(status, LIBSPDM_STATUS_SUCCESS);
+    assert_int_equal(response_size, sizeof(spdm_error_response_t));
+    spdm_response = (void *)response;
+    assert_int_equal(spdm_response->header.request_response_code,
+                     SPDM_ERROR);
+    assert_int_equal(spdm_response->header.param1,
+                     SPDM_ERROR_CODE_RESET_REQUIRED);
+    assert_int_equal(spdm_response->header.param2, 0);
+
+    /*After reset, change: remove an association with slot*/
+    status = libspdm_get_response_set_key_pair_info_ack(
+        spdm_context, set_key_pair_info_request_size,
+        set_key_pair_info_request, &response_size, response);
+    assert_int_equal(status, LIBSPDM_STATUS_SUCCESS);
+    assert_int_equal(response_size,
+                     sizeof(spdm_set_key_pair_info_ack_response_t));
+    spdm_response = (void *)response;
+    assert_int_equal(spdm_response->header.request_response_code,
+                     SPDM_SET_KEY_PAIR_INFO_ACK);
+
+    /*Before reset, erase: erase the keyusage and asymalgo*/
+    set_key_pair_info_request->header.param1 = SPDM_SET_KEY_PAIR_INFO_ERASE_OPERATION;
+    set_key_pair_info_request_size =
+        sizeof(spdm_set_key_pair_info_request_t);
+    status = libspdm_get_response_set_key_pair_info_ack(
+        spdm_context, set_key_pair_info_request_size,
+        set_key_pair_info_request, &response_size, response);
+    assert_int_equal(status, LIBSPDM_STATUS_SUCCESS);
+    assert_int_equal(response_size, sizeof(spdm_error_response_t));
+    spdm_response = (void *)response;
+    assert_int_equal(spdm_response->header.request_response_code,
+                     SPDM_ERROR);
+    assert_int_equal(spdm_response->header.param1,
+                     SPDM_ERROR_CODE_RESET_REQUIRED);
+    assert_int_equal(spdm_response->header.param2, 0);
+
+    /*After reset, erase: erase the keyusage and asymalgo*/
+    status = libspdm_get_response_set_key_pair_info_ack(
+        spdm_context, set_key_pair_info_request_size,
+        set_key_pair_info_request, &response_size, response);
+    assert_int_equal(status, LIBSPDM_STATUS_SUCCESS);
+    assert_int_equal(response_size,
+                     sizeof(spdm_set_key_pair_info_ack_response_t));
+    spdm_response = (void *)response;
+    assert_int_equal(spdm_response->header.request_response_code,
+                     SPDM_SET_KEY_PAIR_INFO_ACK);
+
+
+    /*Before reset, generate: generate a new key pair*/
+    desired_key_usage = SPDM_KEY_USAGE_BIT_MASK_KEY_EX_USE;
+    desired_asym_algo = SPDM_KEY_PAIR_ASYM_ALGO_CAP_ECC256;
+    desired_pqc_asym_algo_len = sizeof(desired_pqc_asym_algo);
+    desired_pqc_asym_algo = 0;
+    desired_assoc_cert_slot_mask = 0x08;
+    set_key_pair_info_request_size =
+        sizeof(spdm_set_key_pair_info_request_t) +
+        sizeof(uint8_t) + sizeof(uint16_t) + sizeof(uint32_t) + sizeof(uint8_t) +
+        sizeof(uint8_t) + sizeof(uint32_t);
+
+    libspdm_zero_mem(set_key_pair_info_request, set_key_pair_info_request_size);
+    set_key_pair_info_request->header.spdm_version = SPDM_MESSAGE_VERSION_14;
+    set_key_pair_info_request->header.request_response_code = SPDM_SET_KEY_PAIR_INFO;
+    set_key_pair_info_request->header.param1 = SPDM_SET_KEY_PAIR_INFO_CHANGE_OPERATION;
+    set_key_pair_info_request->header.param2 = 0;
+    set_key_pair_info_request->key_pair_id = key_pair_id;
+
+    ptr = (uint8_t*)(set_key_pair_info_request + 1);
+    ptr += sizeof(uint8_t);
+
+    libspdm_write_uint16(ptr, desired_key_usage);
+    ptr += sizeof(uint16_t);
+
+    libspdm_write_uint32(ptr, desired_asym_algo);
+    ptr += sizeof(uint32_t);
+
+    *ptr = desired_assoc_cert_slot_mask;
+    ptr += sizeof(uint8_t);
+
+    *ptr = desired_pqc_asym_algo_len;
+    ptr += sizeof(uint8_t);
+
+    libspdm_write_uint32(ptr, desired_pqc_asym_algo);
+
+    status = libspdm_get_response_set_key_pair_info_ack(
+        spdm_context, set_key_pair_info_request_size,
+        set_key_pair_info_request, &response_size, response);
+    assert_int_equal(status, LIBSPDM_STATUS_SUCCESS);
+    assert_int_equal(response_size, sizeof(spdm_error_response_t));
+    spdm_response = (void *)response;
+    assert_int_equal(spdm_response->header.request_response_code,
+                     SPDM_ERROR);
+    assert_int_equal(spdm_response->header.param1,
+                     SPDM_ERROR_CODE_RESET_REQUIRED);
+    assert_int_equal(spdm_response->header.param2, 0);
+
+    /*After reset, generate: generate a new key pair*/
+    status = libspdm_get_response_set_key_pair_info_ack(
+        spdm_context, set_key_pair_info_request_size,
+        set_key_pair_info_request, &response_size, response);
+    assert_int_equal(status, LIBSPDM_STATUS_SUCCESS);
+    assert_int_equal(response_size,
+                     sizeof(spdm_set_key_pair_info_ack_response_t));
+    spdm_response = (void *)response;
+    assert_int_equal(spdm_response->header.request_response_code,
+                     SPDM_SET_KEY_PAIR_INFO_ACK);
+    free(set_key_pair_info_request);
+}
+
 int libspdm_responder_set_key_pair_info_ack_test_main(void)
 {
     const struct CMUnitTest spdm_responder_set_key_pair_info_ack_tests[] = {
@@ -512,6 +685,8 @@ int libspdm_responder_set_key_pair_info_ack_test_main(void)
         cmocka_unit_test(libspdm_test_responder_set_key_pair_info_ack_case2),
         /* The collection of multiple sub-cases.*/
         cmocka_unit_test(libspdm_test_responder_set_key_pair_info_ack_case3),
+        /* Success Case to set key pair info with reset, spdm 1.4*/
+        cmocka_unit_test(libspdm_test_responder_set_key_pair_info_ack_case4),
     };
 
     libspdm_test_context_t test_context = {
