From nobody Sat Nov 15 07:42:57 2025 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass(p=reject dis=none) header.from=linux.ibm.com ARC-Seal: i=1; a=rsa-sha256; t=1755553686; cv=none; d=zohomail.com; s=zohoarc; b=nhE3YuKssaPCjKhAkix0jCmr5wIyq4bF1S+1izw/E2gUc9Fk9z6veMrieVSJRgRgScebv7BGRIN8UeI44oIheFcsewCYKH07rEg99A2DNhmJRmAtduyD9jb/D51Un8WmD7ExemkiMbG2C0UnQZBTEG3g0UkUHAEWeAyZ7ortrRk= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1755553686; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=pJaKCl2aGMg52Zp19ezkQh/VO9kWusZanGs0Us9ijC0=; b=TOSi6SYkekZYnc/hIfxbCQQix1DJd7D9XCrLG2IU7lfVC50IrtFQE0NuM3pNNYxUF2sM2U89qbZW2RArUrH8z/+u9fGcPVr1pjcdz1cCVWgCjaV4AXnmkOoGTl8wge5v/WoYq4YY1zIUWnjOmTtr87Dj9YiNk8SUtB6wsbcNeT4= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass header.from= (p=reject dis=none) Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1755553686523669.2248412953095; Mon, 18 Aug 2025 14:48:06 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1uo7ej-0002Jo-Od; Mon, 18 Aug 2025 17:44:41 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1uo7eN-0001qo-4H; Mon, 18 Aug 2025 17:44:20 -0400 Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1uo7eG-0003oU-Se; Mon, 18 Aug 2025 17:44:17 -0400 Received: from pps.filterd (m0356516.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 57IBVT9M031299; Mon, 18 Aug 2025 21:43:57 GMT Received: from ppma23.wdc07v.mail.ibm.com (5d.69.3da9.ip4.static.sl-reverse.com [169.61.105.93]) by mx0a-001b2d01.pphosted.com (PPS) with ESMTPS id 48jfdrujjp-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 18 Aug 2025 21:43:56 +0000 (GMT) Received: from pps.filterd (ppma23.wdc07v.mail.ibm.com [127.0.0.1]) by ppma23.wdc07v.mail.ibm.com (8.18.1.2/8.18.1.2) with ESMTP id 57IIpcZj014735; Mon, 18 Aug 2025 21:43:56 GMT Received: from smtprelay02.wdc07v.mail.ibm.com ([172.16.1.69]) by ppma23.wdc07v.mail.ibm.com (PPS) with ESMTPS id 48k5tmqgp8-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 18 Aug 2025 21:43:56 +0000 Received: from smtpav01.dal12v.mail.ibm.com (smtpav01.dal12v.mail.ibm.com [10.241.53.100]) by smtprelay02.wdc07v.mail.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id 57ILhsoO24773244 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Mon, 18 Aug 2025 21:43:54 GMT Received: from smtpav01.dal12v.mail.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 85D4D58057; Mon, 18 Aug 2025 21:43:54 +0000 (GMT) Received: from smtpav01.dal12v.mail.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 8386F58058; Mon, 18 Aug 2025 21:43:53 +0000 (GMT) Received: from fedora-workstation.ibmuc.com (unknown [9.61.98.172]) by smtpav01.dal12v.mail.ibm.com (Postfix) with ESMTP; Mon, 18 Aug 2025 21:43:53 +0000 (GMT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ibm.com; h=cc :content-transfer-encoding:date:from:in-reply-to:message-id :mime-version:references:subject:to; s=pp1; bh=pJaKCl2aGMg52Zp19 ezkQh/VO9kWusZanGs0Us9ijC0=; b=NWYvy7OnhAqahWv3dHXtEYrUoZKyl+Ljf 4yzlsHmeDpgu1higCvBwBz5g9RmHXmngx4AW5RAYYmvGtZQd+YNpFB9btE4gzxwW Ir9AMLaZOkARqM4kF+8hatEGkZa1fm6iHoLTWnKzmh6PdUBAbKI2w830rriR+iDS T1Pzhih4wLbHGWL2u8IK4lzGDB/4U8yrLlzWl1K4Rx39L1JRjHG2hPWxSb7lq4HX bQxO+0wwdOPXWPE3qYebgRuE09r7HMXM21tgKyEqSrdcVfnESSprwKcVVlNA4Sx/ x/Z5DJ3P6SsDARpMMV81SMJ/JF2a5Ad5iGmSFPnqUfv0SKQ1EsMyA== From: Zhuoying Cai To: thuth@redhat.com, berrange@redhat.com, richard.henderson@linaro.org, david@redhat.com, jrossi@linux.ibm.com, qemu-s390x@nongnu.org, qemu-devel@nongnu.org Cc: walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, alifm@linux.ibm.com, zycai@linux.ibm.com Subject: [PATCH v5 25/29] pc-bios/s390-ccw: Handle true secure IPL mode Date: Mon, 18 Aug 2025 17:43:18 -0400 Message-ID: <20250818214323.529501-26-zycai@linux.ibm.com> X-Mailer: git-send-email 2.50.1 In-Reply-To: <20250818214323.529501-1-zycai@linux.ibm.com> References: <20250818214323.529501-1-zycai@linux.ibm.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-TM-AS-GCONF: 00 X-Proofpoint-ORIG-GUID: KB_TTLf3V0tCSPnIHJ8ysvVahIPo27de X-Proofpoint-GUID: KB_TTLf3V0tCSPnIHJ8ysvVahIPo27de X-Proofpoint-Spam-Details-Enc: AW1haW4tMjUwODE2MDAwMSBTYWx0ZWRfXxpSej+IgRnx+ buytQzcfPcrFWCxLRrS8oPj5M60E9wrvHlUiSrejIla3jt1MLnelbCP2f0nk5H2Hx7nbDK6nEEj Ubnt+QUfGpZTjGdz8IAJxW9iBADIQEJs8XW4BMIW2ZvwlaPhrd04OWDZ8UkUivUIzhs7lCt38LT rR8M+N9unroA9oqt5Y3x4xMWTBnif3nz/CsJ2wriNOEhjx0PY07kG1JSTRKc0Nl9Jd4ehtvBEkx MFob3BohV2zcYHZPKJtZvFQlkLFNTbLD4qG1q7+sKAgn8fmqXFQFkjM9b7Hg0gCoqnDhlON/n6F 4N5Q8/FkAD5rAepukFVn3vBOzc2F8NbocluVoP2ZboHH6rqRUP9q8sRRIosJW2MAKCa1JHzH0ei 2enCTTgJ X-Authority-Analysis: v=2.4 cv=GotC+l1C c=1 sm=1 tr=0 ts=68a39e9c cx=c_pps a=3Bg1Hr4SwmMryq2xdFQyZA==:117 a=3Bg1Hr4SwmMryq2xdFQyZA==:17 a=2OwXVqhp2XgA:10 a=VnNF1IyMAAAA:8 a=YZg3iBzERQu5FGnwKEMA:9 X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1099,Hydra:6.1.9,FMLib:17.12.80.40 definitions=2025-08-18_06,2025-08-14_01,2025-03-28_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 impostorscore=0 spamscore=0 adultscore=0 suspectscore=0 clxscore=1015 priorityscore=1501 malwarescore=0 bulkscore=0 phishscore=0 classifier=typeunknown authscore=0 authtc= authcc= route=outbound adjust=0 reason=mlx scancount=1 engine=8.19.0-2507300000 definitions=main-2508160001 Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=148.163.158.5; envelope-from=zycai@linux.ibm.com; helo=mx0b-001b2d01.pphosted.com X-Spam_score_int: -26 X-Spam_score: -2.7 X-Spam_bar: -- X-Spam_report: (-2.7 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @ibm.com) X-ZM-MESSAGEID: 1755553688823116600 Content-Type: text/plain; charset="utf-8" When secure boot is enabled (-secure-boot on) and certificate(s) are provided, the boot operates in True Secure IPL mode. Any verification error during True Secure IPL mode will cause the entire boot process to terminate. Secure IPL in audit mode requires at least one certificate provided in the key store along with necessary facilities. If secure boot is enabled but no certificate is provided, the boot process will also terminate, as this is not a valid secure boot configuration. Note: True Secure IPL mode is implemented for the SCSI scheme of virtio-blk/virtio-scsi devices. Signed-off-by: Zhuoying Cai --- docs/system/s390x/secure-ipl.rst | 16 ++++++++++++++++ pc-bios/s390-ccw/bootmap.c | 19 ++++++++++++++++--- pc-bios/s390-ccw/main.c | 7 ++++++- pc-bios/s390-ccw/s390-ccw.h | 2 ++ pc-bios/s390-ccw/secure-ipl.c | 4 ++++ pc-bios/s390-ccw/secure-ipl.h | 3 +++ 6 files changed, 47 insertions(+), 4 deletions(-) diff --git a/docs/system/s390x/secure-ipl.rst b/docs/system/s390x/secure-ip= l.rst index 0d14d0d62d..8ab457f1e1 100644 --- a/docs/system/s390x/secure-ipl.rst +++ b/docs/system/s390x/secure-ipl.rst @@ -66,3 +66,19 @@ Configuration: qemu-system-s390x -machine s390-ccw-virtio, \ boot-certs.0.path=3D/.../qemu/certs, \ boot-certs.1.path=3D/another/path/cert.pem = ... + +Secure Mode +----------- + +With *both* the presence of certificates in the store and the ``secure-boo= t=3Don`` +option, it is understood that secure boot should be performed with errors +reported and boot will abort. + +Configuration: + +.. code-block:: shell + + qemu-system-s390x -machine s390-ccw-virtio, \ + secure-boot=3Don, \ + boot-certs.0.path=3D/.../qemu/certs, \ + boot-certs.1.path=3D/another/path/cert.pem = ... diff --git a/pc-bios/s390-ccw/bootmap.c b/pc-bios/s390-ccw/bootmap.c index 3922e7cdde..3ab89b91fb 100644 --- a/pc-bios/s390-ccw/bootmap.c +++ b/pc-bios/s390-ccw/bootmap.c @@ -737,6 +737,9 @@ static int zipl_run(ScsiBlockPtr *pte) entry =3D (ComponentEntry *)(&header[1]); =20 switch (boot_mode) { + case ZIPL_BOOT_MODE_INVALID: + return -1; + case ZIPL_BOOT_MODE_SECURE: case ZIPL_BOOT_MODE_SECURE_AUDIT: if (zipl_run_secure(&entry, tmp_sec)) { return -1; @@ -1118,9 +1121,16 @@ ZiplBootMode zipl_mode(uint8_t hdr_flags) { bool sipl_set =3D hdr_flags & DIAG308_IPIB_FLAGS_SIPL; bool iplir_set =3D hdr_flags & DIAG308_IPIB_FLAGS_IPLIR; + VCStorageSizeBlock *vcssb; =20 if (!sipl_set && iplir_set) { return ZIPL_BOOT_MODE_SECURE_AUDIT; + } else if (sipl_set && iplir_set) { + vcssb =3D zipl_secure_get_vcssb(); + if (vcssb =3D=3D NULL || vcssb->length =3D=3D VCSSB_NO_VC) { + return ZIPL_BOOT_MODE_INVALID; + } + return ZIPL_BOOT_MODE_SECURE; } =20 return ZIPL_BOOT_MODE_NORMAL; @@ -1131,7 +1141,8 @@ void zipl_load(void) VDev *vdev =3D virtio_get_device(); =20 if (vdev->is_cdrom) { - if (boot_mode =3D=3D ZIPL_BOOT_MODE_SECURE_AUDIT) { + if (boot_mode =3D=3D ZIPL_BOOT_MODE_SECURE_AUDIT || + boot_mode =3D=3D ZIPL_BOOT_MODE_SECURE) { panic("Secure boot from ISO image is not supported!"); } ipl_iso_el_torito(); @@ -1140,7 +1151,8 @@ void zipl_load(void) } =20 if (virtio_get_device_type() =3D=3D VIRTIO_ID_NET) { - if (boot_mode =3D=3D ZIPL_BOOT_MODE_SECURE_AUDIT) { + if (boot_mode =3D=3D ZIPL_BOOT_MODE_SECURE_AUDIT || + boot_mode =3D=3D ZIPL_BOOT_MODE_SECURE) { panic("Virtio net boot device does not support secure boot!"); } netmain(); @@ -1153,7 +1165,8 @@ void zipl_load(void) return; } =20 - if (boot_mode =3D=3D ZIPL_BOOT_MODE_SECURE_AUDIT) { + if (boot_mode =3D=3D ZIPL_BOOT_MODE_SECURE_AUDIT || + boot_mode =3D=3D ZIPL_BOOT_MODE_SECURE) { panic("ECKD boot device does not support secure boot!"); } =20 diff --git a/pc-bios/s390-ccw/main.c b/pc-bios/s390-ccw/main.c index 668660e64d..c5b425209a 100644 --- a/pc-bios/s390-ccw/main.c +++ b/pc-bios/s390-ccw/main.c @@ -277,10 +277,15 @@ static void ipl_boot_device(void) boot_mode =3D zipl_mode(iplb->hdr_flags); } =20 + if (boot_mode =3D=3D ZIPL_BOOT_MODE_INVALID) { + panic("Need at least one certificate for secure boot!"); + } + switch (cutype) { case CU_TYPE_DASD_3990: case CU_TYPE_DASD_2107: - if (boot_mode =3D=3D ZIPL_BOOT_MODE_SECURE_AUDIT) { + if (boot_mode =3D=3D ZIPL_BOOT_MODE_SECURE_AUDIT || + boot_mode =3D=3D ZIPL_BOOT_MODE_SECURE) { panic("Passthrough (vfio) device does not support secure boot!= "); } =20 diff --git a/pc-bios/s390-ccw/s390-ccw.h b/pc-bios/s390-ccw/s390-ccw.h index 6d51d07c90..389cc8ea7c 100644 --- a/pc-bios/s390-ccw/s390-ccw.h +++ b/pc-bios/s390-ccw/s390-ccw.h @@ -83,9 +83,11 @@ int virtio_read(unsigned long sector, void *load_addr); void zipl_load(void); =20 typedef enum ZiplBootMode { + ZIPL_BOOT_MODE_INVALID =3D -1, ZIPL_BOOT_MODE_UNSPECIFIED =3D 0, ZIPL_BOOT_MODE_NORMAL =3D 1, ZIPL_BOOT_MODE_SECURE_AUDIT =3D 2, + ZIPL_BOOT_MODE_SECURE =3D 3, } ZiplBootMode; =20 extern ZiplBootMode boot_mode; diff --git a/pc-bios/s390-ccw/secure-ipl.c b/pc-bios/s390-ccw/secure-ipl.c index 8c696828cd..09554a55ae 100644 --- a/pc-bios/s390-ccw/secure-ipl.c +++ b/pc-bios/s390-ccw/secure-ipl.c @@ -273,6 +273,10 @@ static bool check_sclab_presence(uint8_t *sclab_magic, comps->device_entries[comp_index].cei |=3D S390_IPL_COMPONENT_CEI_= INVALID_SCLAB; =20 /* a missing SCLAB will not be reported in audit mode */ + if (boot_mode =3D=3D ZIPL_BOOT_MODE_SECURE) { + zipl_secure_handle("Magic is not matched. SCLAB does not exist= "); + } + return false; } =20 diff --git a/pc-bios/s390-ccw/secure-ipl.h b/pc-bios/s390-ccw/secure-ipl.h index d60201bf45..9ddb5b79b7 100644 --- a/pc-bios/s390-ccw/secure-ipl.h +++ b/pc-bios/s390-ccw/secure-ipl.h @@ -58,6 +58,9 @@ static inline void zipl_secure_handle(const char *message) case ZIPL_BOOT_MODE_SECURE_AUDIT: IPL_check(false, message); break; + case ZIPL_BOOT_MODE_SECURE: + IPL_assert(false, message); + break; default: break; } --=20 2.50.1