From nobody Sat Nov 15 07:42:41 2025 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass(p=reject dis=none) header.from=linux.ibm.com ARC-Seal: i=1; a=rsa-sha256; t=1755553719; cv=none; d=zohomail.com; s=zohoarc; b=Cg/5YrnpmUJ3FgYdyqC1+9qAnaus2XzNs8GTTXrYkoRZ9VdSwUOvA2KYJxvASzQEz+4DSR6jmgFkyK2gvFXfIkS8v2y+orojTEGts8diSr1vKKKDP4imwA86gArsRIvqlAh86y9fQeoq55MTzmSt5fPl/nuqqEcesq7/kUWMzps= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1755553719; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=KgtadV4KyUFkHAMkRRIyGE0IJgWXf3DvcKaQ91Q10NU=; b=mBfFeheIG6ALn2Gn7QrrGmbM8Yt95Uhc0oXOFx+prvROzHJnIf9UkH+jpanccrNcryzt19VfsZ9dNEkQT1NdFO2j6yJYnz9iHH3OUPY+eYdfJ01x2coT+5GWSdlVhjZqx1iBfpyEJB3Y3BZ48VapBpzIqk0FCjU3o30M4STdR/Q= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass header.from= (p=reject dis=none) Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1755553719142178.48843127830605; Mon, 18 Aug 2025 14:48:39 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1uo7em-0002MS-41; Mon, 18 Aug 2025 17:44:44 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1uo7ee-0002DW-Jj; Mon, 18 Aug 2025 17:44:37 -0400 Received: from mx0a-001b2d01.pphosted.com ([148.163.156.1]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1uo7ea-0003oS-TB; Mon, 18 Aug 2025 17:44:35 -0400 Received: from pps.filterd (m0360083.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 57IKJO8i016893; Mon, 18 Aug 2025 21:43:56 GMT Received: from ppma21.wdc07v.mail.ibm.com (5b.69.3da9.ip4.static.sl-reverse.com [169.61.105.91]) by mx0a-001b2d01.pphosted.com (PPS) with ESMTPS id 48k60g0cpe-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 18 Aug 2025 21:43:56 +0000 (GMT) Received: from pps.filterd (ppma21.wdc07v.mail.ibm.com [127.0.0.1]) by ppma21.wdc07v.mail.ibm.com (8.18.1.2/8.18.1.2) with ESMTP id 57IIesaY028695; Mon, 18 Aug 2025 21:43:55 GMT Received: from smtprelay01.wdc07v.mail.ibm.com ([172.16.1.68]) by ppma21.wdc07v.mail.ibm.com (PPS) with ESMTPS id 48k5apfk08-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 18 Aug 2025 21:43:55 +0000 Received: from smtpav01.dal12v.mail.ibm.com (smtpav01.dal12v.mail.ibm.com [10.241.53.100]) by smtprelay01.wdc07v.mail.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id 57ILhrkR29753794 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Mon, 18 Aug 2025 21:43:53 GMT Received: from smtpav01.dal12v.mail.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 6AC9A58057; Mon, 18 Aug 2025 21:43:53 +0000 (GMT) Received: from smtpav01.dal12v.mail.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 6851B58058; Mon, 18 Aug 2025 21:43:52 +0000 (GMT) Received: from fedora-workstation.ibmuc.com (unknown [9.61.98.172]) by smtpav01.dal12v.mail.ibm.com (Postfix) with ESMTP; Mon, 18 Aug 2025 21:43:52 +0000 (GMT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ibm.com; h=cc :content-transfer-encoding:date:from:in-reply-to:message-id :mime-version:references:subject:to; s=pp1; bh=KgtadV4KyUFkHAMkR RIyGE0IJgWXf3DvcKaQ91Q10NU=; b=qtluG5zfPJyS0d+faLeXjLvD66jmyIxbE MF2/XS8o3VheRj4/ug7cHR1KpzKE9bac5HqgapTq7++gwpxmb7wCwuP4jpi2mpiu OdK/uD2pZLC3Xjz3yluC+sREaYzlpD8IfKTnTJ8jJgKkPyKd/Xn/VbcN9M8Szvwj pJIQU9AuVN/LTIOKT26jWDp5KiNklRWDUVP3e1JDtbWD65YaErSHfOsKRilMCU5Q G7rhjmGS5kMR3Edk/vv3on22+bhAkPMFt7kDiGfJ01pWpHiGaV/f9NgerjRpxc4T M1sf/3NV38VuKFS4XyjHyeXPvgmN4EKQDOis+wkMp0F0o898A4QlQ== From: Zhuoying Cai To: thuth@redhat.com, berrange@redhat.com, richard.henderson@linaro.org, david@redhat.com, jrossi@linux.ibm.com, qemu-s390x@nongnu.org, qemu-devel@nongnu.org Cc: walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, alifm@linux.ibm.com, zycai@linux.ibm.com Subject: [PATCH v5 24/29] hw/s390x/ipl: Set IPIB flags for secure IPL Date: Mon, 18 Aug 2025 17:43:17 -0400 Message-ID: <20250818214323.529501-25-zycai@linux.ibm.com> X-Mailer: git-send-email 2.50.1 In-Reply-To: <20250818214323.529501-1-zycai@linux.ibm.com> References: <20250818214323.529501-1-zycai@linux.ibm.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-TM-AS-GCONF: 00 X-Proofpoint-ORIG-GUID: WwosAwWbLsETfyj-mOmUBEuM_fNEojeG X-Authority-Analysis: v=2.4 cv=coObk04i c=1 sm=1 tr=0 ts=68a39e9c cx=c_pps a=GFwsV6G8L6GxiO2Y/PsHdQ==:117 a=GFwsV6G8L6GxiO2Y/PsHdQ==:17 a=2OwXVqhp2XgA:10 a=VnNF1IyMAAAA:8 a=MUQpW0jNMHjpGy_Q9scA:9 X-Proofpoint-GUID: WwosAwWbLsETfyj-mOmUBEuM_fNEojeG X-Proofpoint-Spam-Details-Enc: AW1haW4tMjUwODE3MDAxNiBTYWx0ZWRfX6fuhU3mChO2v ywDW5BtVL+kkYnUacsK418fQG23nw5iCVEwzJRGbIdMUF+hslGPwGKDfSk1uO7UXcRLlgnXBOPx huI1SYQqrNwfw/HV9daYiyA9xIR+UJhKaA3qMV8IQGiPIbBFGRcSK19KWrcDN+Axu7Zpf98Gawu dfRieX8ZBkbTi3XQiwnQrZuzZsoKoBXh+bUyseM+SmNc6Vw+V/tqYBUA2VSzgm0ZJkuQ6G5AkCw KlZSnMlUOAziEueqE8MTUPv3X6altBVguZiegeK0lh+3jF6c/AqD0/y4A/0PwEKwVsl/ywh6YU0 LIPNQ0Q9O8gRsEpyyMtsJXspDrdNgQMcOGVH2/vRGoH56ln92TnrfObFGNm81rrDlAQbWEGWUK1 DA0E4HMB X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1099,Hydra:6.1.9,FMLib:17.12.80.40 definitions=2025-08-18_06,2025-08-14_01,2025-03-28_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 phishscore=0 suspectscore=0 bulkscore=0 clxscore=1015 malwarescore=0 priorityscore=1501 adultscore=0 impostorscore=0 spamscore=0 classifier=typeunknown authscore=0 authtc= authcc= route=outbound adjust=0 reason=mlx scancount=1 engine=8.19.0-2507300000 definitions=main-2508170016 Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=148.163.156.1; envelope-from=zycai@linux.ibm.com; helo=mx0a-001b2d01.pphosted.com X-Spam_score_int: -26 X-Spam_score: -2.7 X-Spam_bar: -- X-Spam_report: (-2.7 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @ibm.com) X-ZM-MESSAGEID: 1755553719742124100 Content-Type: text/plain; charset="utf-8" If `-secure-boot on` is specified on the command line option, indicating true secure IPL enabled, set Secure-IPL bit and IPL-Information-Report bit on in IPIB Flags field, and trigger true secure IPL in the S390 BIOS. Any error that occurs during true secure IPL will cause the IPL to terminate. Signed-off-by: Zhuoying Cai --- hw/s390x/ipl.c | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/hw/s390x/ipl.c b/hw/s390x/ipl.c index d1a972ac8d..a196e1d648 100644 --- a/hw/s390x/ipl.c +++ b/hw/s390x/ipl.c @@ -437,6 +437,11 @@ static bool s390_has_certificate(void) return ipl->cert_store.count > 0; } =20 +static bool s390_secure_boot_enabled(void) +{ + return S390_CCW_MACHINE(qdev_get_machine())->secure_boot; +} + static bool s390_build_iplb(DeviceState *dev_st, IplParameterBlock *iplb) { CcwDevice *ccw_dev =3D NULL; @@ -494,6 +499,17 @@ static bool s390_build_iplb(DeviceState *dev_st, IplPa= rameterBlock *iplb) s390_ipl_convert_loadparm((char *)lp, iplb->loadparm); iplb->flags |=3D DIAG308_FLAGS_LP_VALID; =20 + /* + * If secure-boot is enabled, then toggle the secure IPL flags to = trigger + * secure boot in the s390 BIOS. + * + * Boot process will terminate if any error occurs during secure b= oot. + * + * If SIPL is on, IPLIR must also be on. + */ + if (s390_secure_boot_enabled()) { + iplb->hdr_flags |=3D (DIAG308_IPIB_FLAGS_SIPL | DIAG308_IPIB_F= LAGS_IPLIR); + } /* * Secure boot in audit mode will perform * if certificate(s) exist in the key store. @@ -503,7 +519,7 @@ static bool s390_build_iplb(DeviceState *dev_st, IplPar= ameterBlock *iplb) * * Results of secure boot will be stored in IIRB. */ - if (s390_has_certificate()) { + else if (s390_has_certificate()) { iplb->hdr_flags |=3D DIAG308_IPIB_FLAGS_IPLIR; } =20 --=20 2.50.1