Feature Request: SPDM ComponentIntegrity.SPDMGetSignedMeasurements fetch and validation #204

@lordaule

Feature request addition to the Redfish-Tacklebox: rf_componentintegrity.py

Retrieving SPDM Signed Measurements has multiple steps; it would be good to have a tool to:

  • List all members in the ComponentIntegrity
  • Fetch the measurements of a specific device, validate they are signed, and extract/print them in JSON format

When fetching ComponentIntegrity measurements, there are multiple steps:

  1. GET ComponentIntegrity/DEVNAME
  2. GET from the above, the SPDM / IdentityAuthentication / ResponderAuthentication / ComponentCertificate
  3. Validate that the returned certificate chain is valid
  4. POST the action #ComponentIntegrity.SPDMGetSignedMeasurements using either a random number or a user-supplied NONCE, and an optional slot number
  5. POLL for the task action to complete
  6. GET the ComponentIntegrity.SPDMGetSignedMeasurements/data when the task completes
  7. Extract the SignedMeasurements and decode
  8. Validate that the SignedMeasurements were fetched using the NONCE used in step 4
  9. Validate that the SignedMeasurements are properly signed by the certificate returned earlier
  10. Print the SignedMeasurements in JSON format

Code to perform certificate chain validation and SignedMeasurements validation is in libspdm and should be leveraged with that team.
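
An added sketch of steps 7, 8 and 10 (not part of the issue, and not Redfish-Tacklebox or libspdm code): it decodes the Base64 `SignedMeasurements` value, checks that the requester nonce from step 4 is the one in the transcript, and emits the measurement blocks as JSON. The function names, the `offset` parameter for skipping any VCA prefix, and the single GET_MEASUREMENTS/MEASUREMENTS layout (SPDM 1.1/1.2 field order) are assumptions; the sample transcript is constructed.

```python
import base64, hmac, json, struct

GET_MEASUREMENTS, MEASUREMENTS = 0xE0, 0x60  # SPDM request/response codes

def parse_signed_measurements(b64_blob, nonce_hex, offset=0):
    """Decode SignedMeasurements and check the step-4 nonce (steps 7, 8, 10).
    Assumption: `offset` bytes of VCA, then one GET_MEASUREMENTS/MEASUREMENTS
    pair laid out as in SPDM 1.1/1.2. The signature is NOT verified here."""
    buf = base64.b64decode(b64_blob, validate=True)[offset:]
    if len(buf) < 37 or buf[1] != GET_MEASUREMENTS or not buf[2] & 0x01:
        raise ValueError("no signature-requesting GET_MEASUREMENTS at offset")
    # Request: 4-byte header, 32-byte requester Nonce, 1-byte SlotIDParam.
    expected = bytes.fromhex(nonce_hex)
    if len(expected) != 32 or not hmac.compare_digest(buf[4:36], expected):
        raise ValueError("nonce mismatch: measurements are stale or replayed")
    slot, rsp = buf[36], buf[37:]
    if len(rsp) < 8 or rsp[1] != MEASUREMENTS:
        raise ValueError("MEASUREMENTS response missing or truncated")
    # Response: header, NumberOfBlocks (1), MeasurementRecordLength (3, LE).
    n_blocks, rec_len = rsp[4], int.from_bytes(rsp[5:8], "little")
    record = rsp[8:8 + rec_len]
    if len(record) != rec_len:
        raise ValueError("measurement record truncated")
    blocks, pos = [], 0
    for _ in range(n_blocks):
        if pos + 4 > rec_len:
            raise ValueError("measurement block header truncated")
        index, spec, size = struct.unpack_from("<BBH", record, pos)
        if pos + 4 + size > rec_len:
            raise ValueError("measurement block overruns record")
        body = record[pos + 4:pos + 4 + size]
        blocks.append({"Index": index, "Specification": spec, "Measurement": body.hex()})
        pos += 4 + size
    return {"SPDMVersion": f"{buf[0] >> 4}.{buf[0] & 0xF}", "SlotId": slot,
            "Nonce": expected.hex(), "Blocks": blocks}

def build_sample(nonce):
    """Constructed transcript for the demo; not output from a real device."""
    block = struct.pack("<BBH", 1, 0x01, 4) + bytes.fromhex("deadbeef")
    req = bytes([0x11, GET_MEASUREMENTS, 0x01, 0xFF]) + nonce + b"\x00"
    rsp = bytes([0x11, MEASUREMENTS, 0, 0, 1]) + len(block).to_bytes(3, "little") + block
    rsp += bytes(32) + b"\x00\x00" + bytes(64)  # responder nonce, opaque len, dummy sig
    return base64.b64encode(req + rsp).decode()

if __name__ == "__main__":
    nonce = bytes(range(32))
    print(json.dumps(parse_signed_measurements(build_sample(nonce), nonce.hex()), indent=2))
```

The nonce comparison only establishes freshness once step 9 has verified the signature over the same transcript bytes with the certificate obtained in step 2.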
