2025 OCP Global Summit - DMTF/libspdm GitHub Wiki
Motivation
At the 2024 OCP Global Summit the DMTF hosted a well-attended Manageability Workshop that allowed for more thorough exploration of topics such as Redfish and SPDM. libspdm and SPDM-Responder-Validator are good candidates for such a workshop. In addition, during the Security track there were a few questions about libspdm, so a higher-level presentation and introduction would fit well there.
Abstract for Security Track
libspdm: Past, Present, and Future
libspdm is the DMTF's reference implementation of the Security Protocol and Data Model (SPDM) and its related specifications. While its development began in 2020 as a proof-of-concept of the SPDM specification, the repository has since grown in features, robustness, and adoption to become a substantial open source project that is utilized by many companies and other open source projects. This high-level talk presents the history of libspdm, its architecture and development processes, and its contributions back to SPDM specifications. It also covers security issues and vulnerabilities and the ways in which they were handled. Finally, it looks forward to new technologies such as the implementation of post-quantum cryptography in SPDM.
Presentation Outline for Security Track
- History
- Projects that use libspdm
  - UEFI reference implementation - edk2
  - Arm Realm Management Monitor reference implementation.
  - QEMU
- Architecture and Dependencies
  - Core libraries like spdm_responder_lib.
  - Cryptography libraries.
- Development
  - Release process and schedule.
  - Contributors and their companies.
- Testing and Security
  - Unit and fuzz testing.
  - Static analysis.
  - Formal verification.
  - Offensive security activities.
  - CVEs.
- Relationship with SPDM Working Group
  - Development of libspdm highlighted many issues in the specification.
  - All work is done in GitHub, which makes it straightforward to cross-reference code issues and specification issues.