Merge pull request #8 from aidangarske/add-wiki-page-for-wolfspdm

Add wolfSPDM wiki documentation

Author: aidangarske

CLAUDE.md

@@ -101,6 +101,19 @@ export SPDM_EMU_PATH=../spdm-emu/build/bin
 
 The driver starts/stops `spdm_responder_emu` per test and runs six scenarios — Session, Signed Measurements, Unsigned Measurements, Challenge, Heartbeat, Key Update — across SPDM 1.2, 1.3, and 1.4 (18 tests total).
 
+## Relationship to wolfTPM's SPDM
+
+wolfTPM ships its own SPDM implementation in `src/spdm/` for hardware-backed responders (Nuvoton NPCT75x, NSING NS350) with PSK / TCG-binding extensions. **wolfSPDM is a separate implementation** focused on the standard DSP0274 / DSP0277 requester for embedded use with `spdm-emu` and any standards-compliant peer. The two share heritage and are both designed for lightweight embedded use, with different deployment targets:
+
+| | wolfSPDM | wolfTPM `src/spdm/` |
+|---|---|---|
+| Role | Requester only | Requester + responder |
+| Scope | Pure standard SPDM 1.2 / 1.3 / 1.4 | Same, plus PSK / TCG / Nuvoton / Nations vendor bindings |
+| Target | Embedded / spdm-emu / generic SPDM peer | TPM hardware (Nuvoton, NS350) |
+| Footprint | ~32 KB context, zero-malloc (default static mode) | Lightweight embedded footprint; size depends on TPM stack, target, and build configuration |
+
+Either library can be used standalone; they aren't link-time compatible.
+
 ## CI / Testing
 
 Runs on every push and PR:
@@ -114,18 +127,27 @@ Runs on every push and PR:
 - **SPDM Emulator Integration**: 18-test matrix (6 scenarios x SPDM 1.2 / 1.3 / 1.4) across ubuntu-22.04 x64, ubuntu-24.04 x64, and ubuntu-24.04-arm aarch64
 - **Skoll review**: wolfSSL deep-review pipeline, pre-merge security and code review
 
-## Relationship to wolfTPM's SPDM
-
-wolfTPM ships its own SPDM implementation in `src/spdm/` for hardware-backed responders (Nuvoton NPCT75x, NSING NS350) with PSK / TCG-binding extensions. **wolfSPDM is a separate implementation** focused on the standard DSP0274 / DSP0277 requester for embedded use with `spdm-emu` and any standards-compliant peer. The two share heritage but solve different problems:
-
-| | wolfSPDM | wolfTPM `src/spdm/` |
-|---|---|---|
-| Role | Requester only | Requester + responder |
-| Scope | Pure standard SPDM 1.2 / 1.3 / 1.4 | Same, plus PSK / TCG / Nuvoton / Nations vendor bindings |
-| Target | Embedded / spdm-emu / generic SPDM peer | TPM hardware (Nuvoton, NS350) |
-| Footprint | ~32 KB context, zero-malloc | Larger; includes TPM stack |
-
-Either library can be used standalone; they aren't link-time compatible.
+<a href="https://github.com/aidangarske/wolfSPDM/actions">
+  <img src="https://img.shields.io/github/actions/workflow/status/aidangarske/wolfSPDM/build-test.yml?label=CI&logo=github">
+</a>
+<a href="https://github.com/wolfssl/skoll">
+  <img src="https://img.shields.io/badge/skoll-passed-blue">
+</a>
+<a href="https://github.com/wolfssl/fenrir">
+  <img src="https://img.shields.io/badge/fenrir-passed-blueviolet">
+</a>
+
+## Documentation
+
+Full documentation is available in the Wiki:
+
+- [Getting Started](https://github.com/aidangarske/wolfSPDM/wiki/Getting-Started): Build instructions, prerequisites, memory modes, and first connection steps
+- [Supported Operations](https://github.com/aidangarske/wolfSPDM/wiki/Supported-Operations): SPDM operation coverage and API mapping
+- [API Reference](https://github.com/aidangarske/wolfSPDM/wiki/API-Reference): Public function groups and common error-code references
+- [Configuration and Macros](https://github.com/aidangarske/wolfSPDM/wiki/Configuration-and-Macros): Configure flags and compile-time feature controls
+- [Testing and CI](https://github.com/aidangarske/wolfSPDM/wiki/Testing-and-CI): Unit tests, emulator integration tests, and CI workflow coverage
+- [Project Structure](https://github.com/aidangarske/wolfSPDM/wiki/Project-Structure): Source layout and module responsibilities
+- [Attestation Notes](https://github.com/aidangarske/wolfSPDM/wiki/Attestation-Notes): Measurement and challenge attestation behavior
 
 ## License
 

README.md

@@ -0,0 +1,78 @@
+# API Reference
+
+Public APIs are declared in `wolfspdm/spdm.h`.
+
+All APIs return `WOLFSPDM_SUCCESS` (`0`) on success unless documented otherwise; failures are negative error codes from `wolfspdm/spdm_error.h`.
+
+## Context and lifecycle
+
+- `wolfSPDM_Init`
+- `wolfSPDM_InitStatic`
+- `wolfSPDM_GetCtxSize`
+- `wolfSPDM_Free`
+- `wolfSPDM_New` *(only when built with `WOLFSPDM_DYNAMIC_MEMORY`)*
+
+## Configuration
+
+- `wolfSPDM_SetIO`
+- `wolfSPDM_SetMaxVersion`
+- `wolfSPDM_SetRequesterSessionId`
+- `wolfSPDM_AllowUntrustedCerts`
+- `wolfSPDM_SetTrustedCAs`
+- `wolfSPDM_SetDebug`
+
+## Session establishment and state
+
+- `wolfSPDM_Connect`
+- `wolfSPDM_IsConnected`
+- `wolfSPDM_Disconnect`
+- `wolfSPDM_GetSessionId`
+- `wolfSPDM_GetNegotiatedVersion`
+- `wolfSPDM_GetVersion_Negotiated` *(legacy compatibility symbol)*
+- `wolfSPDM_GetLastPeerError`
+
+## Fine-grained handshake
+
+- `wolfSPDM_GetVersion`
+- `wolfSPDM_GetCapabilities`
+- `wolfSPDM_NegotiateAlgorithms`
+- `wolfSPDM_GetDigests`
+- `wolfSPDM_GetCertificate`
+- `wolfSPDM_KeyExchange`
+- `wolfSPDM_Finish`
+
+## Secured messaging
+
+- `wolfSPDM_SecuredExchange`
+- `wolfSPDM_SendData` *(not in `WOLFSPDM_LEAN`)*
+- `wolfSPDM_ReceiveData` *(not in `WOLFSPDM_LEAN`)*
+- `wolfSPDM_EncryptMessage` *(not in `WOLFSPDM_LEAN`)*
+- `wolfSPDM_DecryptMessage` *(not in `WOLFSPDM_LEAN`)*
+
+## Attestation
+
+- `wolfSPDM_GetMeasurements` *(not with `NO_WOLFSPDM_MEAS`)*
+- `wolfSPDM_GetMeasurementCount` *(not with `NO_WOLFSPDM_MEAS`)*
+- `wolfSPDM_GetMeasurementBlock` *(not with `NO_WOLFSPDM_MEAS`)*
+- `wolfSPDM_Challenge` *(not with `NO_WOLFSPDM_CHALLENGE`)*
+
+## Session maintenance
+
+- `wolfSPDM_Heartbeat`
+- `wolfSPDM_KeyUpdate`
+
+## Error utilities
+
+- `wolfSPDM_GetErrorString`
+
+## Common error codes
+
+Examples:
+- `WOLFSPDM_E_INVALID_ARG`
+- `WOLFSPDM_E_BAD_STATE`
+- `WOLFSPDM_E_NOT_CONNECTED`
+- `WOLFSPDM_E_IO_FAIL`
+- `WOLFSPDM_E_PEER_ERROR`
+- `WOLFSPDM_E_MEAS_SIG_FAIL`
+- `WOLFSPDM_E_CHALLENGE`
+- `WOLFSPDM_E_KEY_UPDATE`

docs/wiki/API-Reference.md

@@ -0,0 +1,57 @@
+# Attestation Notes
+
+wolfSPDM supports SPDM attestation through both measurement retrieval and challenge authentication.
+
+## Measurement attestation (`GET_MEASUREMENTS`)
+
+Primary API:
+
+```c
+int wolfSPDM_GetMeasurements(WOLFSPDM_CTX* ctx, byte measOperation,
+    int requestSignature);
+```
+
+Behavior:
+- `requestSignature=1`: requests signed measurements; verifies signature when verification support is compiled in
+- `requestSignature=0`: retrieves unsigned measurements (informational)
+
+Result access:
+- `wolfSPDM_GetMeasurementCount`
+- `wolfSPDM_GetMeasurementBlock`
+
+Relevant return codes:
+- `WOLFSPDM_SUCCESS`
+- `WOLFSPDM_E_MEAS_NOT_VERIFIED`
+- `WOLFSPDM_E_MEAS_SIG_FAIL`
+- `WOLFSPDM_E_MEASUREMENT`
+
+## Sessionless challenge attestation (`CHALLENGE_AUTH`)
+
+Primary API:
+
+```c
+int wolfSPDM_Challenge(WOLFSPDM_CTX* ctx, int slotId, byte measHashType);
+```
+
+Typical prerequisite state:
+- Version/capabilities/algorithms negotiated
+- Digest and cert chain retrieved
+
+## Trust anchor handling
+
+Load trusted CA material with:
+
+```c
+int wolfSPDM_SetTrustedCAs(WOLFSPDM_CTX* ctx, const byte* derCerts,
+    word32 derCertsSz);
+```
+
+`wolfSPDM_SetTrustedCAs` currently accepts a single DER certificate buffer for root-hash matching.
+
+## Feature toggles
+
+- `NO_WOLFSPDM_MEAS` disables measurements
+- `NO_WOLFSPDM_MEAS_VERIFY` disables measurement signature verification
+- `NO_WOLFSPDM_CHALLENGE` disables challenge API
+
+For deeper measurement details and test examples, see `docs/ATTESTATION.md`.

docs/wiki/Attestation-Notes.md

@@ -0,0 +1,52 @@
+# Configuration and Macros
+
+## Configure-time options
+
+From `configure.ac`:
+
+| Option | Default | Effect |
+|--------|---------|--------|
+| `--with-wolfssl=PATH` | system paths | Adds wolfSSL include/library search paths |
+| `--enable-debug` | off | Defines `WOLFSPDM_DEBUG`, builds with `-g -O0` |
+| `--enable-dynamic-mem` | off | Defines `WOLFSPDM_DYNAMIC_MEMORY` and enables `wolfSPDM_New` |
+
+## Public feature macros
+
+Defined in `wolfspdm/spdm.h` depending on build flags:
+
+- `WOLFSPDM_HAS_MEASUREMENTS` *(not defined if `NO_WOLFSPDM_MEAS`)*
+- `WOLFSPDM_HAS_CHALLENGE` *(not defined if `NO_WOLFSPDM_CHALLENGE`)*
+- `WOLFSPDM_HAS_HEARTBEAT`
+- `WOLFSPDM_HAS_KEY_UPDATE`
+
+## Size and protocol constants
+
+From `wolfspdm/spdm.h` and `wolfspdm/spdm_types.h`:
+
+- `WOLFSPDM_CTX_STATIC_SIZE` = `32768`
+- `WOLFSPDM_MAX_MSG_SIZE` = `4096`
+- `WOLFSPDM_MAX_CERT_CHAIN` = `4096`
+- `WOLFSPDM_MAX_TRANSCRIPT` = `4096`
+
+Version constants:
+- `SPDM_VERSION_12`, `SPDM_VERSION_13`, `SPDM_VERSION_14`
+
+Measurement constants (when enabled):
+- `SPDM_MEAS_OPERATION_ALL`
+- `SPDM_MEAS_SUMMARY_HASH_NONE`, `_TCB`, `_ALL`
+
+## Common compile-time feature toggles
+
+These are used in source-level conditional compilation:
+
+| Macro | Effect |
+|-------|--------|
+| `NO_WOLFSPDM_MEAS` | Removes measurement APIs and related fields/code |
+| `NO_WOLFSPDM_MEAS_VERIFY` | Keeps retrieval path but disables measurement signature verification |
+| `NO_WOLFSPDM_CHALLENGE` | Removes challenge-attestation API/code |
+| `WOLFSPDM_LEAN` | Excludes selected convenience secured-message helpers |
+
+## Notes
+
+- `wolfspdm/options.h` is auto-generated from `config.h` during build/install.
+- API availability should be detected using feature macros rather than hard-coded assumptions.