Add feature to run libspdm_fips_run_selftest at load time

Reference: DMTF#1260

Signed-off-by: Wenxing Hou <[email protected]>

doc/user_guide.md

@@ -47,6 +47,12 @@ Refer to spdm_client_init() in [spdm_requester.c](https://github.com/DMTF/spdm-e
    spdm_context = (void *)malloc (libspdm_get_context_size());
    libspdm_init_context (spdm_context);
 
+   #if LIBSPDM_FIPS_MODE
+   spdm_fips_selftest_context = (void *)malloc(libspdm_get_fips_selftest_context_size());//user only calls the function once when device start.
+   libspdm_init_fips_selftest_context(spdm_fips_selftest_context); //user only calls the function once when device start.
+   libspdm_import_fips_selftest_context_to_spdm_context(void *spdm_context, void *fips_selftest_context, size_t fips_selftest_context_size);
+   #endif
+
    scratch_buffer_size = libspdm_get_sizeof_required_scratch_buffer(m_spdm_context);
    LIBSPDM_ASSERT (scratch_buffer_size == LIBSPDM_SCRATCH_BUFFER_SIZE);
    scratch_buffer = (void *)malloc(scratch_buffer_size);
@@ -257,6 +263,9 @@ Refer to spdm_client_init() in [spdm_requester.c](https://github.com/DMTF/spdm-e
 7. Free the memory of contexts within the SPDM context when all flow is over.
    This function doesn't free the SPDM context itself.
    ```
+   #if LIBSPDM_FIPS_MODE
+   libspdm_export_fips_selftest_context_from_spdm_context(void *spdm_context, void *fips_selftest_context, size_t fips_selftest_context_size);
+   #endif
    libspdm_deinit_context(spdm_context);
    ```
 
@@ -307,6 +316,12 @@ Refer to spdm_server_init() in [spdm_responder.c](https://github.com/DMTF/spdm-e
    spdm_context = (void *)malloc (spdm_get_context_size());
    libspdm_init_context (spdm_context);
 
+  #if LIBSPDM_FIPS_MODE
+   spdm_fips_selftest_context = (void *)malloc(libspdm_get_fips_selftest_context_size());//user only calls the function once when device start.
+   libspdm_init_fips_selftest_context(spdm_fips_selftest_context); //user only calls the function once when device start.
+   libspdm_import_fips_selftest_context_to_spdm_context(void *spdm_context, void *fips_selftest_context, size_t fips_selftest_context_size);
+  #endif
+
    scratch_buffer_size = libspdm_get_sizeof_required_scratch_buffer(m_spdm_context);
    LIBSPDM_ASSERT (scratch_buffer_size == LIBSPDM_SCRATCH_BUFFER_SIZE);
    libspdm_set_scratch_buffer (spdm_context, m_scratch_buffer, scratch_buffer_size);
@@ -445,6 +460,9 @@ Refer to spdm_server_init() in [spdm_responder.c](https://github.com/DMTF/spdm-e
 4. Free the memory of contexts within the SPDM context when all flow is over.
    This function doesn't free the SPDM context itself.
    ```
+   #if LIBSPDM_FIPS_MODE
+   libspdm_export_fips_selftest_context_from_spdm_context(void *spdm_context, void *fips_selftest_context, size_t fips_selftest_context_size);
+   #endif
    libspdm_deinit_context(spdm_context);
    ```
 

include/internal/libspdm_common_lib.h

@@ -344,6 +344,21 @@ typedef struct {
 } libspdm_msg_log_t;
 #endif /* LIBSPDM_ENABLE_MSG_LOG */
 
+#if LIBSPDM_FIPS_MODE
+typedef struct {
+    /**
+     * Tested algo flag: 0 represents that the algo is not tested.
+     * See LIBSPDM_FIPS_SELF_TEST_xxx;
+     **/
+    uint32_t tested_algo;
+    /**
+     * Flag for the result of run algo self_test, 0 represents the result is failed.
+     * See LIBSPDM_FIPS_SELF_TEST_xxx;
+     **/
+    uint32_t self_test_result;
+} libspdm_fips_selftest_context;
+#endif /* LIBSPDM_FIPS_MODE */
+
 #define LIBSPDM_CONTEXT_STRUCT_VERSION 0x3
 
 typedef struct {
@@ -461,6 +476,10 @@ typedef struct {
 #if LIBSPDM_ENABLE_MSG_LOG
     libspdm_msg_log_t msg_log;
 #endif /* LIBSPDM_ENABLE_MSG_LOG */
+
+#if LIBSPDM_FIPS_MODE
+    libspdm_fips_selftest_context fips_selftest_context;
+#endif /* LIBSPDM_FIPS_MODE */
 } libspdm_context_t;
 
 #define LIBSPDM_CONTEXT_SIZE_WITHOUT_SECURED_CONTEXT (sizeof(libspdm_context_t))

include/internal/libspdm_fips_lib.h

@@ -6,6 +6,23 @@
 
 #if LIBSPDM_FIPS_MODE
 
+#define LIBSPDM_FIPS_SELF_TEST_HMAC_SHA256   0x00000001
+#define LIBSPDM_FIPS_SELF_TEST_HMAC_SHA384   0x00000002
+#define LIBSPDM_FIPS_SELF_TEST_HMAC_SHA512   0x00000004
+#define LIBSPDM_FIPS_SELF_TEST_AES_GCM       0x00000008
+#define LIBSPDM_FIPS_SELF_TEST_RSA_SSA       0x00000010
+#define LIBSPDM_FIPS_SELF_TEST_HKDF          0x00000020
+#define LIBSPDM_FIPS_SELF_TEST_ECDH          0x00000040
+#define LIBSPDM_FIPS_SELF_TEST_SHA256        0x00000080
+#define LIBSPDM_FIPS_SELF_TEST_SHA384        0x00000100
+#define LIBSPDM_FIPS_SELF_TEST_SHA512        0x00000200
+#define LIBSPDM_FIPS_SELF_TEST_SHA3_256      0x00000400
+#define LIBSPDM_FIPS_SELF_TEST_SHA3_384      0x00000800
+#define LIBSPDM_FIPS_SELF_TEST_SHA3_512      0x00001000
+#define LIBSPDM_FIPS_SELF_TEST_FFDH          0x00002000
+#define LIBSPDM_FIPS_SELF_TEST_ECDSA         0x00004000
+#define LIBSPDM_FIPS_SELF_TEST_EDDSA         0x00008000
+
 /**
  * HMAC-SHA256 KAT covers SHA256 KAT.
  **/

include/library/spdm_common_lib.h

@@ -308,6 +308,65 @@ libspdm_return_t libspdm_init_context_with_secured_context(void *spdm_context,
                                                            void **secured_contexts,
                                                            size_t num_secured_contexts);
 
+#if LIBSPDM_FIPS_MODE
+/**
+ * Initialize an libspdm_fips_selftest_context.
+ *
+ * The
+ *
+ * @param  spdm_context         A pointer to the SPDM context.
+ *
+ * @retval RETURN_SUCCESS       context is initialized.
+ * @retval RETURN_DEVICE_ERROR  context initialization failed.
+ */
+libspdm_return_t libspdm_init_fips_selftest_context(void *fips_selftest_context);
+
+/**
+ * Return the size in bytes of the fips_selftest_context.
+ *
+ * @return the size in bytes of the fips_selftest_context.
+ **/
+size_t libspdm_get_fips_selftest_context_size(void);
+
+/**
+ * import fips_selftest_context to spdm_context;
+ *
+ * @param[in,out]  spdm_context                A pointer to the spdm_context.
+ * @param[in]      fips_selftest_context       A pointer to the fips_selftest_context.
+ * @param[in]      fips_selftest_context_size  The size of fips_selftest_context.
+ *
+ * @retval true   import fips_selftest_context successful.
+ * @retval false  spdm_context or fips_selftest_context is null.
+ */
+bool libspdm_import_fips_selftest_context_to_spdm_context(void *spdm_context,
+                                                          void *fips_selftest_context,
+                                                          size_t fips_selftest_context_size);
+
+/**
+ * export fips_selftest_context from spdm_context;
+ *
+ * @param[in]          spdm_context                A pointer to the spdm_context.
+ * @param[in,out]      fips_selftest_context       A pointer to the fips_selftest_context.
+ * @param[in]          fips_selftest_context_size  The size of fips_selftest_context.
+ *
+ * @retval true   export fips_selftest_context successful.
+ * @retval false  spdm_context or fips_selftest_context is null.
+ */
+bool libspdm_export_fips_selftest_context_from_spdm_context(void *spdm_context,
+                                                            void *fips_selftest_context,
+                                                            size_t fips_selftest_context_size);
+
+/**
+ * update fips_selftest_context in spdm_context;
+ *
+ * @param[in]    spdm_context                A pointer to the spdm_context.
+ *
+ * @retval true   run FIPS self_test successfully;
+ * @retval false  run FIPS self_test failed;
+ */
+bool libspdm_update_fips_selftest_context(void *spdm_context);
+#endif /* LIBSPDM_FIPS_MODE */
+
 /**
  * Initialize an SPDM context, as well as secured message contexts.
  * The secured message contexts are appended to the context structure.

include/library/spdm_return_status.h

@@ -159,6 +159,10 @@ typedef uint32_t libspdm_return_t;
 #define LIBSPDM_STATUS_VERIF_NO_AUTHORITY \
     LIBSPDM_STATUS_CONSTRUCT(LIBSPDM_SEVERITY_WARNING, LIBSPDM_SOURCE_CRYPTO, 0x0003)
 
+/* FIPS test failed */
+#define LIBSPDM_STATUS_FIPS_FAIL \
+    LIBSPDM_STATUS_CONSTRUCT(LIBSPDM_SEVERITY_ERROR, LIBSPDM_SOURCE_CRYPTO, 0x0004)
+
 /* - Certificate Parsing Errors - */
 
 /* Certificate is malformed or does not comply to x.509 standard. */