SPDM

API for the DMTF Security Protocol and Data Model Specification v1.4.0

Common Method Parameters

  • spdm_version (int) – Defaults to 0x10, or the latest version returned by get_version.

  • request_response_code (int) – Defaults to the correct request code for each method.

  • param1 (int) – Defaults to 0 unless specified.

  • param2 (int) – Defaults to 0 unless specified.

All other parameters default to 0 unless otherwise specified.

Method arguments can be int, bytes, bytearray, str, or lists/tuples of these. List contents will be concatenated during buffer construction.

Integer arguments are byte-swapped automatically when the corresponding field is little-endian. Given 0xAABB, byte 0 will be AA in a big-endian context, and byte 1 will be AA in a little-endian context. Arguments passed as bytes will not be altered.

Child fields will always overwrite parent field contents when specified in addition to their parent field.

This API is under development. Some methods defined in the SPDM specification are not yet supported.

(c) 2025 SANBlaze Technology

class SPDM(target=None, port=None, remote_address=None, **kw)
challenge(spdm_version=None, request_response_code=131, param1=0, param2=0, nonce=0, context=0)

Execute the CHALLENGE command

Parameters:
  • nonce (int) – Should be a random value

  • context (int) – Optional application-specific information

get_capabilities(spdm_version=None, request_response_code=225, param1=0, param2=0, ct_exponent=0, ext_flags=0, flags=0, cert_cap=None, chal_cap=None, encrypt_cap=None, mac_cap=None, mut_auth_cap=None, key_ex_cap=None, psk_cap=None, encap_cap=None, hbeat_cap=None, key_upd_cap=None, handshake_in_the_clear_cap=None, pub_key_id_cap=None, chunk_cap=None, ep_info_cap=None, event_cap=None, multi_key_cap=None, large_resp_cap=None, data_transfer_size=8192, max_spdm_msg_size=8192)

Execute the GET_CAPABILITIES command

Parameters:
  • ct_exponent (int) – Exponent of base 2, used to calculate CT

  • ext_flags (int) – Reserved

  • flags (int) –

    The following parameters may be used for these byte/bit offsets:

    0/1 - cert_cap
    0/2 - chal_cap
    0/6 - encrypt_cap
    0/7 - mac_cap
    1/0 - mut_auth_cap
    1/1 - key_ex_cap
    1/3:2 - psk_cap
    1/4 - encap_cap
    1/5 - hbeat_cap
    1/6 - key_upd_cap
    1/7 - handshake_in_the_clear_cap
    2/0 - pub_key_id_cap
    2/1 - chunk_cap
    2/7:6 - ep_info_cap
    3/1 - event_cap
    3/3:2 - multi_key_cap
    3/7 - large_resp_cap

  • data_transfer_size (int) – Maximum buffer size of incoming messages from responder

  • max_spdm_msg_size (int) – Maximum buffer size used to reassemble 1 Large SPDM message
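
The byte/bit table above, combined with the little-endian and child-overwrites-parent rules from Common Method Parameters, worked through as an added example (not SANBlaze code and not the library's implementation). It assumes Flags is a 4-byte little-endian field; `CAP_FIELDS`, `pack_flags` and `unpack_flags` are hypothetical names.

```python
# Added illustration; independent of the SANBlaze implementation.
# (byte, high bit, low bit) for each child field, copied from the table above.
CAP_FIELDS = {
    "cert_cap": (0, 1, 1), "chal_cap": (0, 2, 2),
    "encrypt_cap": (0, 6, 6), "mac_cap": (0, 7, 7),
    "mut_auth_cap": (1, 0, 0), "key_ex_cap": (1, 1, 1),
    "psk_cap": (1, 3, 2), "encap_cap": (1, 4, 4),
    "hbeat_cap": (1, 5, 5), "key_upd_cap": (1, 6, 6),
    "handshake_in_the_clear_cap": (1, 7, 7),
    "pub_key_id_cap": (2, 0, 0), "chunk_cap": (2, 1, 1),
    "ep_info_cap": (2, 7, 6), "event_cap": (3, 1, 1),
    "multi_key_cap": (3, 3, 2), "large_resp_cap": (3, 7, 7),
}
FLAGS_LEN = 4  # assumption: Flags is a 4-byte little-endian field


def pack_flags(flags=0, **caps):
    """Return the 4 wire bytes for Flags; child fields overwrite parent bits."""
    if isinstance(flags, (bytes, bytearray)):
        buf = bytearray(flags)            # bytes are used as given
    else:
        buf = bytearray(flags.to_bytes(FLAGS_LEN, "little"))
    if len(buf) != FLAGS_LEN:
        raise ValueError("flags must be exactly 4 bytes")
    for name, value in caps.items():
        if value is None:                 # None: leave the parent's bits alone
            continue
        byte, hi, lo = CAP_FIELDS[name]   # KeyError on an unknown field name
        width = hi - lo + 1
        if not 0 <= value < (1 << width):
            raise ValueError(f"{name}={value} does not fit in {width} bit(s)")
        mask = ((1 << width) - 1) << lo
        buf[byte] = (buf[byte] & ~mask & 0xFF) | (value << lo)
    return bytes(buf)


def unpack_flags(wire):
    """Decode 4 wire bytes into a {field name: value} dict."""
    if len(wire) != FLAGS_LEN:
        raise ValueError("flags must be exactly 4 bytes")
    return {name: (wire[b] >> lo) & ((1 << (hi - lo + 1)) - 1)
            for name, (b, hi, lo) in CAP_FIELDS.items()}
```

Passing `flags=0xC6` with `encrypt_cap=0` yields first byte 0x86: the child clears only its own bit and leaves the rest of the parent value intact.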

get_certificate(spdm_version=None, request_response_code=130, param1=0, use_large=None, slot_id=None, param2=0, slot_size_requested=None, offset=0, length=0, large_offset=None, large_length=None)

Execute the GET_CERTIFICATE command

Parameters:
  • param1 (int) –

    The following parameters may be used for these bit offsets:

    3:0 - slot_id
    7 - use_large

  • param2 (int) –

    The following parameters may be used for these bit offsets:

    0 - slot_size_requested

  • offset (int) – Read offset in bytes from start of certificate chain

  • length (int) – Length of certificate chain data in bytes

  • large_offset (int) – Read offset in bytes from start of large certificate chain

  • large_length (int) – Length of large certificate chain data in bytes

get_digests(spdm_version=None, request_response_code=129, param1=0, param2=0)

Execute the GET_DIGESTS command

get_measurements(spdm_version=None, request_response_code=224, param1=0, signature_requested=None, raw_bit_stream_requested=None, new_measurement_requested=None, param2=0, nonce=None, slot_id_param=None, slot_id=None, context=0)

Execute the GET_MEASUREMENTS command

Parameters:
  • param1 (int) –

    The following parameters may be used for these bit offsets:

    0 - signature_requested
    1 - raw_bit_stream_requested
    2 - new_measurement_requested

  • nonce (int) – Should be a random value

  • slot_id_param (int) –

    The following parameters may be used for these bit offsets:

    3:0 - slot_id

  • context (int) – Optional application-specific information

get_version(spdm_version=16, request_response_code=132, param1=0, param2=0)

Execute the GET_VERSION command

negotiate_algorithms(spdm_version=None, request_response_code=227, param1=0, param2=0, length=None, measurement_specification=0, dmtf_meas_spec=None, other_params_support=0, opaque_data_fmt_0=None, opaque_data_fmt_1=None, responder_multi_key_conn=None, base_asym_algo=0, tpm_alg_rsassa_2048=None, tpm_alg_rsapss_2048=None, tpm_alg_rsassa_3072=None, tpm_alg_rsapss_3072=None, tpm_alg_ecdsa_ecc_nist_p256=None, tpm_alg_rsassa_4096=None, tpm_alg_rsapss_4096=None, tpm_alg_ecdsa_ecc_nist_p384=None, tpm_alg_ecdsa_ecc_nist_p521=None, tpm_alg_sm2_ecc_sm2_p256=None, ed_dsa_ed25519=None, ed_dsa_ed448=None, base_hash_algo=0, tpm_alg_sha_256=None, tpm_alg_sha_384=None, tpm_alg_sha_512=None, tpm_alg_sha3_256=None, tpm_alg_sha3_384=None, tpm_alg_sha3_512=None, tpm_alg_sm3_256=None, pqc_asym_algo=0, ml_dsa_44=None, ml_dsa_65=None, ml_dsa_87=None, slh_dsa_sha2_128s=None, slh_dsa_shake_128s=None, slh_dsa_sha2_128f=None, slh_dsa_shake_128f=None, slh_dsa_sha2_192s=None, slh_dsa_shake_192s=None, slh_dsa_sha2_192f=None, slh_dsa_shake_192f=None, slh_dsa_sha2_256s=None, slh_dsa_shake_256s=None, slh_dsa_sha2_256f=None, slh_dsa_shake_256f=None, ext_asym_count=0, ext_hash_count=0, mel_specification=0, dmtf_mel_spec=None, ext_asym=None, ext_hash=None, req_alg_struct=None)

Execute the NEGOTIATE_ALGORITHMS command

Parameters:
  • length (int) – Message length. Automatically populated unless specified by user

  • measurement_specification (int) –

    The following parameters may be used for these bit offsets:

    0 - dmtf_meas_spec

  • other_params_support (int) –

    The following parameters may be used for these bit offsets:

    0 - opaque_data_fmt_0
    1 - opaque_data_fmt_1
    4 - responder_multi_key_conn

  • base_asym_algo (int) –

    Requester-supported asymmetric key signature algorithms. The following parameters may be used for these byte/bit offsets:

    0/0 - tpm_alg_rsassa_2048
    0/1 - tpm_alg_rsapss_2048
    0/2 - tpm_alg_rsassa_3072
    0/3 - tpm_alg_rsapss_3072
    0/4 - tpm_alg_ecdsa_ecc_nist_p256
    0/5 - tpm_alg_rsassa_4096
    0/6 - tpm_alg_rsapss_4096
    0/7 - tpm_alg_ecdsa_ecc_nist_p384
    1/0 - tpm_alg_ecdsa_ecc_nist_p521
    1/1 - tpm_alg_sm2_ecc_sm2_p256
    1/2 - ed_dsa_ed25519
    1/3 - ed_dsa_ed448

  • base_hash_algo (int) –

    Requester-supported cryptographic hashing algorithms. The following parameters may be used for these byte/bit offsets:

    0/0 - tpm_alg_sha_256
    0/1 - tpm_alg_sha_384
    0/2 - tpm_alg_sha_512
    0/3 - tpm_alg_sha3_256
    0/4 - tpm_alg_sha3_384
    0/5 - tpm_alg_sha3_512
    0/6 - tpm_alg_sm3_256

  • pqc_asym_algo (int) –

    Requester-supported PQC asymmetric key signature algorithms. The following parameters may be used for these byte/bit offsets:

    0/0 - ml_dsa_44
    0/1 - ml_dsa_65
    0/2 - ml_dsa_87
    0/3 - slh_dsa_sha2_128s
    0/4 - slh_dsa_shake_128s
    0/5 - slh_dsa_sha2_128f
    0/6 - slh_dsa_shake_128f
    0/7 - slh_dsa_sha2_192s
    1/0 - slh_dsa_shake_192s
    1/1 - slh_dsa_sha2_192f
    1/2 - slh_dsa_shake_192f
    1/3 - slh_dsa_sha2_256s
    1/4 - slh_dsa_shake_256s
    1/5 - slh_dsa_sha2_256f
    1/6 - slh_dsa_shake_256f

  • ext_asym_count (int) – Number of Requester-supported extended asymmetric key signature algorithms.

  • ext_hash_count (int) – Number of Requester-supported extended hashing algorithms.

  • mel_specification (int) –

    The following parameters may be used for these bit offsets:

    0 - dmtf_mel_spec

  • ext_asym (list) – List of Requester-supported extended asymmetric key signature algorithms.

  • ext_hash (list) – List of Requester-supported extended hashing algorithms.

  • req_alg_struct (list) – Algorithm request structures. Helper functions can be found in sanblaze.dmtf.spdm.templates: dhe, aead, req_base_asym_alg, key_schedule, req_pqc_asym_alg, kem_alg, extended_algorithm
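
An added example, not part of the SANBlaze API: it builds base_asym_algo and base_hash_algo masks from the bit tables for those parameters and goes one step further by checking a responder's selection mask against what the requester offered. Assumptions: the fields are little-endian (integer bit = byte * 8 + bit), the responder's selection uses the same bit layout with at most one bit set, and `mask_of`, `names_of` and `check_selection` are hypothetical helpers.

```python
# Added illustration; not SANBlaze code. (byte, bit) pairs are copied from the
# base_asym_algo and base_hash_algo tables in the parameter list.
BASE_ASYM = {
    "tpm_alg_rsassa_2048": (0, 0), "tpm_alg_rsapss_2048": (0, 1),
    "tpm_alg_rsassa_3072": (0, 2), "tpm_alg_rsapss_3072": (0, 3),
    "tpm_alg_ecdsa_ecc_nist_p256": (0, 4), "tpm_alg_rsassa_4096": (0, 5),
    "tpm_alg_rsapss_4096": (0, 6), "tpm_alg_ecdsa_ecc_nist_p384": (0, 7),
    "tpm_alg_ecdsa_ecc_nist_p521": (1, 0), "tpm_alg_sm2_ecc_sm2_p256": (1, 1),
    "ed_dsa_ed25519": (1, 2), "ed_dsa_ed448": (1, 3),
}
BASE_HASH = {
    "tpm_alg_sha_256": (0, 0), "tpm_alg_sha_384": (0, 1),
    "tpm_alg_sha_512": (0, 2), "tpm_alg_sha3_256": (0, 3),
    "tpm_alg_sha3_384": (0, 4), "tpm_alg_sha3_512": (0, 5),
    "tpm_alg_sm3_256": (0, 6),
}


def mask_of(table, names):
    """OR the bits of the named algorithms; integer bit = byte * 8 + bit."""
    mask = 0
    for name in names:
        byte, bit = table[name]          # KeyError on a name not in the table
        mask |= 1 << (byte * 8 + bit)
    return mask


def names_of(table, mask):
    """Names of the table entries whose bit is set in mask, in table order."""
    return [n for n, (byte, bit) in table.items()
            if (mask >> (byte * 8 + bit)) & 1]


def check_selection(table, offered, selected_mask):
    """Return a list of findings for a responder's selection mask."""
    findings = []
    if selected_mask & ~mask_of(table, table):
        findings.append("reserved or unknown bits set")
    chosen = names_of(table, selected_mask)
    if len(chosen) > 1:
        findings.append("more than one algorithm selected: " + ", ".join(chosen))
    extra = [n for n in chosen if n not in offered]
    if extra:
        findings.append("selected but not offered: " + ", ".join(extra))
    return findings
```

An empty list from `check_selection` means the selection is a single algorithm from the offered set; any finding points at a responder that selected outside the negotiation the requester set up.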

class Utils(api)