Key Takeaways
- SPDM 1.4 introduces support for post-quantum cryptography, including ML-KEM, ML-DSA, and SLH-DSA.
- PQShield products support post quantum root of trust deployments for SPDM 1.4 environments.
- PQPlatform and PQMicroLib-Core help support both greenfield and brownfield implementations.
Post-quantum security in platform management: PQShield is ready for SPDM 1.4
What is SPDM?
When it comes to ensuring the integrity and security of hardware components, SPDM, the Security Protocol and Data Model is a crucial standard.
Developed by the Distributed Management Task Force, SPDM is becoming increasingly important as the standardized way to authenticate and establish secure communication channels between different hardware components in a system.
Hardware systems invariably use devices and components from multiple vendors, and SPDM, now widely adopted, is designed to focus on two primary goals with this landscape in mind:
Device Attestation and Authentication
Ensuring the identity of components and that firmware has not been tampered with.
Secure Communication
Establishing a secure connection channel between components or devices, protecting against eavesdropping and modification.
SPDM achieves this by establishing authentication by request/responder exchanges, measuring firmware for authenticity, and using secure key exchange to establish connections.
What about PQC?
Naturally, SPDM has been a focus point for post-quantum protection. In May 2025, the DMTF published SPDM 1.4, the first version of the protocol to support PQC for both authentication and key exchange.
The supported algorithms are:
- ML-DSA – FIPS-204 (all security levels)
- SLH-DSA – FIPS-205 (SHA2/SHAKE, fast and small, all security levels)
- ML-KEM – FIPS-203 (all security levels)
Traditional cryptography, including RSA, ECDSA and EdDSA, is also supported.
Supporting a Post Quantum Root of Trust
Implementation is of course, where the rubber meets the road. SPDM doesn’t mandate the cryptography used by devices, but it does require endpoints to negotiate the cryptography they mutually support. For example, SLH-DSA will probably not always be used.
However, because SPDM implementations might require a broad spectrum of traditional and post-quantum algorithms, PQShield’s products would fit nicely into the Trusted Computing Base (TCB) as a building block for a post quantum root of trust.
PQPlatform
The PQPlatform family of products is highly suited for deployment in environments where cryptographic operations are anchored by a hardware root-of-trust, and in the case where users require protection against physical attacks.
PQMicroLib-Core
PQMicroLib-Core provides a way to update ‘brownfield’ product implementations, allowing them to rapidly support SPDM 1.4-compliant algorithms ML-DSA, ML-KEM and SLH-DSA.
It is reasonable to say then that, operating as a building block of several components, PQShield is effectively ‘SPDM 1.4 ready’.
Conclusion
SPDM 1.4 is the latest iteration of the widely-used standard protocol, authenticating and establishing security between components and devices in a hardware system.
It includes post-quantum cryptography support, namely, ML-KEM, ML-DSA, and SLH-DSA providing key exchange and digital signature verification.
Why PQShield is SPDM 1.4 Ready
PQShield’s product suite serves as an essential, effective building block for SPDM implementation, providing these required compliant PQC primitives.
Explore PQShield’s Post-Quantum Root of Trust Solutions
To learn more about PQShield’s post quantum root of trust solutions and SPDM 1.4-ready technologies, contact our team to discuss your requirements.
Frequently Asked Questions
Why is post quantum root of trust important?
It helps ensure hardware trust remains secure even against future quantum-enabled attacks.
Which PQC algorithms does SPDM 1.4 support?
ML-KEM, ML-DSA, and SLH-DSA.
Can PQShield support existing infrastructure?
Yes, including brownfield environments through PQMicroLib-Core.
What role does PQPlatform play?
It supports hardware-anchored cryptographic trust and physical attack resistance.