Post-quantum security in platform management: PQShield is ready for SPDM 1.4

By Matthew Stubbs

October 20, 2025

What is SPDM?

When it comes to ensuring the integrity and security of hardware components, SPDM, the Security Protocol and Data Model is a crucial standard. Developed by the Distributed Management Task Force, SPDM is becoming increasingly important as the standardized way to authenticate and establish secure communication channels between different hardware components in a system.

Hardware systems invariably use devices and components from multiple vendors, and SPDM, now widely adopted, is designed to focus on two primary goals with this landscape in mind:

1. Device attestation and authentication – ensuring the identity of components and that the firmware has not been tampered with.
2. Secure communication – establishing a secure connection channel between components or devices, protecting against eavesdropping and modification.

SPDM achieves this very simply, by establishing authentication by request/responder exchanges, measuring firmware for authenticity, and using secure key exchange to establish connections.

What about PQC?

Naturally, SPDM has been a focus point for post-quantum protection. In May 2025, the DMTF published SPDM 1.4, the first version of the protocol to support PQC for both authentication and key exchange. The supported algorithms are:

• ML-DSA – FIPS-204 (all security levels)
• SLH-DSA – FIPS-205 (SHA2/SHAKE, fast and small, all security levels)
• ML-KEM – FIPS-203 (all security levels)

It’s worth noting of course, that traditional cryptography (RSA, ECDSA and EdDSA) is also supported, and that many industries already support SPDM, though potentially not with all the features defined by this latest version.

PQShield and SPDM 1.4

Implementation is of course, where the rubber meets the road. SPDM doesn’t mandate the cryptography used by devices, but it does require endpoints to negotiate the cryptography they mutually support. For example, SLH-DSA will probably not always be used.

However, because SPDM implementations might require a broad spectrum of traditional and post-quantum algorithms, PQShield’s products would fit nicely into the Trusted Computing Base (TCB) as a building block alongside other third-party implementations. For example:

• PQPlatform
• PQMicroLib-Core

The PQPlatform family of products is highly suited for deployment in environments where cryptographic operations are anchored by a hardware root-of-trust, and in the case where users require protection against physical attacks.

PQMicroLib-Core provides a way to update ‘brownfield’ product implementations, allowing them to rapidly support SPDM 1.4-compliant algorithms ML-DSA, ML-KEM and SLH-DSA.

It is reasonable to say then that, operating as a building block of several components, PQShield is effectively ‘SPDM 1.4 ready’.

Conclusion

SPDM 1.4 is the latest iteration of the widely-used standard protocol, authenticating and establishing security between components and devices in a hardware system. It includes post-quantum cryptography support, namely, ML-KEM, ML-DSA, and SLH-DSA providing key exchange and digital signature verification. PQShield’s product suite serves as an essential, effective building block for SPDM implementation, providing these required compliant PQC primitives.