Introduce a new `boot-certs` machine type option for the s390-ccw-virtio
machine. This allows users to specify one or more certificate file paths
or directories to be used during secure boot.
Each entry is specified using the syntax:
boot-certs.<index>.path=/path/to/cert.pem
Multiple paths can be specified using array properties:
boot-certs.0.path=/path/to/cert.pem,
boot-certs.1.path=/path/to/cert-dir,
boot-certs.2.path=/path/to/another-dir...
Signed-off-by: Zhuoying Cai <zycai@linux.ibm.com>
---
docs/system/s390x/secure-ipl.rst | 21 +++++++++++++++++++++
hw/s390x/s390-virtio-ccw.c | 30 ++++++++++++++++++++++++++++++
include/hw/s390x/s390-virtio-ccw.h | 2 ++
qapi/machine-s390x.json | 22 ++++++++++++++++++++++
qapi/pragma.json | 1 +
qemu-options.hx | 6 +++++-
6 files changed, 81 insertions(+), 1 deletion(-)
create mode 100644 docs/system/s390x/secure-ipl.rst
diff --git a/docs/system/s390x/secure-ipl.rst b/docs/system/s390x/secure-ipl.rst
new file mode 100644
index 0000000000..92c1bb2153
--- /dev/null
+++ b/docs/system/s390x/secure-ipl.rst
@@ -0,0 +1,21 @@
+.. SPDX-License-Identifier: GPL-2.0-or-later
+
+Secure IPL Command Line Options
+===============================
+
+The s390-ccw-virtio machine type supports secure IPL. These parameters allow users
+to provide certificates and enable secure IPL directly via the command line.
+
+Providing Certificates
+----------------------
+
+The certificate store can be populated by supplying a list of X.509 certificate file
+paths or directories containing certificate files on the command-line:
+
+Note: certificate files must have a .pem extension.
+
+.. code-block:: shell
+
+ qemu-system-s390x -machine s390-ccw-virtio, \
+ boot-certs.0.path=/.../qemu/certs, \
+ boot-certs.1.path=/another/path/cert.pem ...
diff --git a/hw/s390x/s390-virtio-ccw.c b/hw/s390x/s390-virtio-ccw.c
index b1dc52807a..b825f4cce1 100644
--- a/hw/s390x/s390-virtio-ccw.c
+++ b/hw/s390x/s390-virtio-ccw.c
@@ -45,6 +45,7 @@
#include "target/s390x/kvm/pv.h"
#include "migration/blocker.h"
#include "qapi/visitor.h"
+#include "qapi/qapi-visit-machine-s390x.h"
#include "hw/s390x/cpu-topology.h"
#include "kvm/kvm_s390x.h"
#include "hw/virtio/virtio-md-pci.h"
@@ -798,6 +799,30 @@ static void machine_set_loadparm(Object *obj, Visitor *v,
g_free(val);
}
+static void machine_get_boot_certs(Object *obj, Visitor *v,
+ const char *name, void *opaque,
+ Error **errp)
+{
+ S390CcwMachineState *ms = S390_CCW_MACHINE(obj);
+ BootCertificateList **certs = &ms->boot_certs;
+
+ visit_type_BootCertificateList(v, name, certs, errp);
+}
+
+static void machine_set_boot_certs(Object *obj, Visitor *v, const char *name,
+ void *opaque, Error **errp)
+{
+ S390CcwMachineState *ms = S390_CCW_MACHINE(obj);
+ BootCertificateList *cert_list = NULL;
+
+ visit_type_BootCertificateList(v, name, &cert_list, errp);
+ if (!cert_list) {
+ return;
+ }
+
+ ms->boot_certs = cert_list;
+}
+
static void ccw_machine_class_init(ObjectClass *oc, const void *data)
{
MachineClass *mc = MACHINE_CLASS(oc);
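Review bot: machine_set_boot_certs assigns `ms->boot_certs = cert_list` without releasing a list stored by an earlier set, so setting the property more than once leaks the previous BootCertificateList; add `qapi_free_BootCertificateList(ms->boot_certs);` before the assignment. The setter also ignores the visitor's return value and infers failure from a NULL list; `if (!visit_type_BootCertificateList(v, name, &cert_list, errp)) { return; }` makes the error path explicit. No release of the list at machine finalization is visible in this patch, and the paths are stored exactly as given, so any checking of them presumably happens where the certificate store is loaded, outside this hunk. The hunk ends inside ccw_machine_class_init, whose body continues in the next hunk.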
@@ -851,6 +876,11 @@ static void ccw_machine_class_init(ObjectClass *oc, const void *data)
"Up to 8 chars in set of [A-Za-z0-9. ] (lower case chars converted"
" to upper case) to pass to machine loader, boot manager,"
" and guest kernel");
+
+ object_class_property_add(oc, "boot-certs", "BootCertificateList",
+ machine_get_boot_certs, machine_set_boot_certs, NULL, NULL);
+ object_class_property_set_description(oc, "boot-certs",
+ "provide paths to a directory and/or a certificate file for secure boot");
}
static inline void s390_machine_initfn(Object *obj)
diff --git a/include/hw/s390x/s390-virtio-ccw.h b/include/hw/s390x/s390-virtio-ccw.h
index 526078a4e2..334b67ef05 100644
--- a/include/hw/s390x/s390-virtio-ccw.h
+++ b/include/hw/s390x/s390-virtio-ccw.h
@@ -14,6 +14,7 @@
#include "hw/boards.h"
#include "qom/object.h"
#include "hw/s390x/sclp.h"
+#include "qapi/qapi-types-machine-s390x.h"
#define TYPE_S390_CCW_MACHINE "s390-ccw-machine"
@@ -31,6 +32,7 @@ struct S390CcwMachineState {
uint8_t loadparm[8];
uint64_t memory_limit;
uint64_t max_pagesize;
+ BootCertificateList *boot_certs;
SCLPDevice *sclp;
};
diff --git a/qapi/machine-s390x.json b/qapi/machine-s390x.json
index 966dbd61d2..51bf791fe6 100644
--- a/qapi/machine-s390x.json
+++ b/qapi/machine-s390x.json
@@ -119,3 +119,25 @@
{ 'command': 'query-s390x-cpu-polarization', 'returns': 'CpuPolarizationInfo',
'features': [ 'unstable' ]
}
+
+##
+# @BootCertificate:
+#
+# Boot certificate for secure IPL.
+#
+# @path: path to an X.509 certificate file or a directory containing certificate files.
+#
+# Since: 10.2
+##
+{ 'struct': 'BootCertificate',
+ 'data': {'path': 'str'} }
+
+##
+# @DummyBootCertificates:
+#
+# Not used by QMP; hack to let us use BootCertificateList internally.
+#
+# Since: 10.2
+##
+{ 'struct': 'DummyBootCertificates',
+ 'data': {'unused-boot-certs': ['BootCertificate'] } }
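Review bot: The `@path` description omits two facts that the patch states elsewhere and that a user of this type needs: the path is on the host (qemu-options.hx) and certificate files must have a .pem extension (secure-ipl.rst). I would put both here, e.g. `# @path: host path to an X.509 certificate file (.pem) or to a directory containing such files.` It is also not stated whether files in a directory that lack the extension are skipped or rejected, which matters for something that feeds a trust store; the loading code is not part of this patch, so the doc should state whichever behaviour applies.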
diff --git a/qapi/pragma.json b/qapi/pragma.json
index 023a2ef7bc..66401837ad 100644
--- a/qapi/pragma.json
+++ b/qapi/pragma.json
@@ -49,6 +49,7 @@
'DisplayProtocol',
'DriveBackupWrapper',
'DummyBlockCoreForceArrays',
+ 'DummyBootCertificates',
'DummyForceArrays',
'DummyVirtioForceArrays',
'HotKeyMod',
diff --git a/qemu-options.hx b/qemu-options.hx
index ab23f14d21..ac497eb3a0 100644
--- a/qemu-options.hx
+++ b/qemu-options.hx
@@ -44,7 +44,8 @@ DEF("machine", HAS_ARG, QEMU_OPTION_machine, \
#endif
" memory-backend='backend-id' specifies explicitly provided backend for main RAM (default=none)\n"
" cxl-fmw.0.targets.0=firsttarget,cxl-fmw.0.targets.1=secondtarget,cxl-fmw.0.size=size[,cxl-fmw.0.interleave-granularity=granularity]\n"
- " smp-cache.0.cache=cachename,smp-cache.0.topology=topologylevel\n",
+ " smp-cache.0.cache=cachename,smp-cache.0.topology=topologylevel\n"
+ " boot-certs.0.path=/path/directory,boot-certs.1.path=/path/file provides paths to a directory and/or a certificate file\n",
QEMU_ARCH_ALL)
SRST
``-machine [type=]name[,prop=value[,...]]``
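Review bot: The added `-machine` help line does not say the option is s390x-specific, although the DEF is registered with `QEMU_ARCH_ALL` and the SRST text added in the next hunk marks it `[s390x only]`. I would end the help string with the same qualifier, e.g. `... provides paths to a directory and/or a certificate file on the host (s390x only)\n`, which also matches the "on the host" wording of the SRST entry. The DEF invocation starts outside the hunk.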
@@ -205,6 +206,9 @@ SRST
::
-machine smp-cache.0.cache=l1d,smp-cache.0.topology=core,smp-cache.1.cache=l1i,smp-cache.1.topology=core
+
+ ``boot-certs.0.path=/path/directory,boot-certs.1.path=/path/file``
+ Provide paths to a directory and/or a certificate file on the host [s390x only].
ERST
DEF("M", HAS_ARG, QEMU_OPTION_M,
--
2.50.1
On 18/09/2025 01.21, Zhuoying Cai wrote:
> Introduce a new `boot-certs` machine type option for the s390-ccw-virtio
> machine. This allows users to specify one or more certificate file paths
> or directories to be used during secure boot.
>
> Each entry is specified using the syntax:
> boot-certs.<index>.path=/path/to/cert.pem
>
> Multiple paths can be specify using array properties:
> boot-certs.0.path=/path/to/cert.pem,
> boot-certs.1.path=/path/to/cert-dir,
> boot-certs.2.path=/path/to/another-dir...
>
> Signed-off-by: Zhuoying Cai <zycai@linux.ibm.com>
> ---
> docs/system/s390x/secure-ipl.rst | 21 +++++++++++++++++++++
> hw/s390x/s390-virtio-ccw.c | 30 ++++++++++++++++++++++++++++++
> include/hw/s390x/s390-virtio-ccw.h | 2 ++
> qapi/machine-s390x.json | 22 ++++++++++++++++++++++
> qapi/pragma.json | 1 +
> qemu-options.hx | 6 +++++-
> 6 files changed, 81 insertions(+), 1 deletion(-)
> create mode 100644 docs/system/s390x/secure-ipl.rst
>
> diff --git a/docs/system/s390x/secure-ipl.rst b/docs/system/s390x/secure-ipl.rst
> new file mode 100644
> index 0000000000..92c1bb2153
> --- /dev/null
> +++ b/docs/system/s390x/secure-ipl.rst
> @@ -0,0 +1,21 @@
> +.. SPDX-License-Identifier: GPL-2.0-or-later
> +
> +Secure IPL Command Line Options
> +===============================
> +
> +The s390-ccw-virtio machine type supports secure IPL. These parameters allow users
> +to provide certificates and enable secure IPL directly via the command line.
> +
> +Providing Certificates
> +----------------------
> +
> +The certificate store can be populated by supplying a list of X.509 certificate file
> +paths or directories containing certificate files on the command-line:
> +
> +Note: certificate files must have a .pem extension.
> +
> +.. code-block:: shell
> +
> + qemu-system-s390x -machine s390-ccw-virtio, \
> + boot-certs.0.path=/.../qemu/certs, \
> + boot-certs.1.path=/another/path/cert.pem ...
Using newlines/spaces between parameters does not work, so people cannot
copy-n-paste this example to the shell.
So I think you either have to merge it into one line, or use multiple
"-machine" statements, e.g.:
qemu-system-s390x -M s390-ccw-virtio \
-M boot-certs.0.path=/.../qemu/certs \
-M boot-certs.1.path=/another/path/cert.pem ...
Thomas
On Tue, Sep 30, 2025 at 11:34:23AM +0200, Thomas Huth wrote: > On 18/09/2025 01.21, Zhuoying Cai wrote: > > Introduce a new `boot-certs` machine type option for the s390-ccw-virtio > > machine. This allows users to specify one or more certificate file paths > > or directories to be used during secure boot. > > > > Each entry is specified using the syntax: > > boot-certs.<index>.path=/path/to/cert.pem > > > > Multiple paths can be specify using array properties: > > boot-certs.0.path=/path/to/cert.pem, > > boot-certs.1.path=/path/to/cert-dir, > > boot-certs.2.path=/path/to/another-dir... > > > > Signed-off-by: Zhuoying Cai <zycai@linux.ibm.com> > > --- > > docs/system/s390x/secure-ipl.rst | 21 +++++++++++++++++++++ > > hw/s390x/s390-virtio-ccw.c | 30 ++++++++++++++++++++++++++++++ > > include/hw/s390x/s390-virtio-ccw.h | 2 ++ > > qapi/machine-s390x.json | 22 ++++++++++++++++++++++ > > qapi/pragma.json | 1 + > > qemu-options.hx | 6 +++++- > > 6 files changed, 81 insertions(+), 1 deletion(-) > > create mode 100644 docs/system/s390x/secure-ipl.rst > > > > diff --git a/docs/system/s390x/secure-ipl.rst b/docs/system/s390x/secure-ipl.rst > > new file mode 100644 > > index 0000000000..92c1bb2153 > > --- /dev/null > > +++ b/docs/system/s390x/secure-ipl.rst 
> > @@ -0,0 +1,21 @@ > > +.. SPDX-License-Identifier: GPL-2.0-or-later > > + > > +Secure IPL Command Line Options > > +=============================== > > + > > +The s390-ccw-virtio machine type supports secure IPL. These parameters allow users > > +to provide certificates and enable secure IPL directly via the command line. > > + > > +Providing Certificates > > +---------------------- > > + > > +The certificate store can be populated by supplying a list of X.509 certificate file > > +paths or directories containing certificate files on the command-line: > > + > > +Note: certificate files must have a .pem extension. > > + > > +.. code-block:: shell > > + > > + qemu-system-s390x -machine s390-ccw-virtio, \ > > + boot-certs.0.path=/.../qemu/certs, \ > > + boot-certs.1.path=/another/path/cert.pem ... > > Using newlines/spaces between parameters does not work, so people cannot > copy-n-paste this example to the shell. > > So I think you either have to merge it into one line, or use multiple > "-machine" statements, e.g.: > > qemu-system-s390x -M s390-ccw-virtio \ > -M boot-certs.0.path=/.../qemu/certs \ > -M boot-certs.1.path=/another/path/cert.pem ... The inability to copy+paste is unfortunate, but IMHO the docs are better in the way they are already expressed. Repeating the -M arg in this way is not a natural way we'd expect people to configure QEMU, even if it happens to work in the case of -M/-machine. With regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
On 30/09/2025 11.37, Daniel P. Berrangé wrote: > On Tue, Sep 30, 2025 at 11:34:23AM +0200, Thomas Huth wrote: >> On 18/09/2025 01.21, Zhuoying Cai wrote: >>> Introduce a new `boot-certs` machine type option for the s390-ccw-virtio >>> machine. This allows users to specify one or more certificate file paths >>> or directories to be used during secure boot. >>> >>> Each entry is specified using the syntax: >>> boot-certs.<index>.path=/path/to/cert.pem >>> >>> Multiple paths can be specify using array properties: >>> boot-certs.0.path=/path/to/cert.pem, >>> boot-certs.1.path=/path/to/cert-dir, >>> boot-certs.2.path=/path/to/another-dir... >>> >>> Signed-off-by: Zhuoying Cai <zycai@linux.ibm.com> >>> --- >>> docs/system/s390x/secure-ipl.rst | 21 +++++++++++++++++++++ >>> hw/s390x/s390-virtio-ccw.c | 30 ++++++++++++++++++++++++++++++ >>> include/hw/s390x/s390-virtio-ccw.h | 2 ++ >>> qapi/machine-s390x.json | 22 ++++++++++++++++++++++ >>> qapi/pragma.json | 1 + >>> qemu-options.hx | 6 +++++- >>> 6 files changed, 81 insertions(+), 1 deletion(-) >>> create mode 100644 docs/system/s390x/secure-ipl.rst >>> >>> diff --git a/docs/system/s390x/secure-ipl.rst b/docs/system/s390x/secure-ipl.rst >>> new file mode 100644 >>> index 0000000000..92c1bb2153 >>> --- /dev/null >>> +++ b/docs/system/s390x/secure-ipl.rst 
>>> @@ -0,0 +1,21 @@ >>> +.. SPDX-License-Identifier: GPL-2.0-or-later >>> + >>> +Secure IPL Command Line Options >>> +=============================== >>> + >>> +The s390-ccw-virtio machine type supports secure IPL. These parameters allow users >>> +to provide certificates and enable secure IPL directly via the command line. >>> + >>> +Providing Certificates >>> +---------------------- >>> + >>> +The certificate store can be populated by supplying a list of X.509 certificate file >>> +paths or directories containing certificate files on the command-line: >>> + >>> +Note: certificate files must have a .pem extension. >>> + >>> +.. code-block:: shell >>> + >>> + qemu-system-s390x -machine s390-ccw-virtio, \ >>> + boot-certs.0.path=/.../qemu/certs, \ >>> + boot-certs.1.path=/another/path/cert.pem ... >> >> Using newlines/spaces between parameters does not work, so people cannot >> copy-n-paste this example to the shell. >> >> So I think you either have to merge it into one line, or use multiple >> "-machine" statements, e.g.: >> >> qemu-system-s390x -M s390-ccw-virtio \ >> -M boot-certs.0.path=/.../qemu/certs \ >> -M boot-certs.1.path=/another/path/cert.pem ... > > The inability to copy+paste is unfortunate, but IMHO the docs are better > in the way they are already expressed. Repeating the -M arg in this way > is not a natural way we'd expect people to configure QEMU, even if it > happens to work in the case of -M/-machine. Then I'd vote to have it rather in one line instead. Thomas
Zhuoying Cai <zycai@linux.ibm.com> writes:
> Introduce a new `boot-certs` machine type option for the s390-ccw-virtio
> machine. This allows users to specify one or more certificate file paths
> or directories to be used during secure boot.
>
> Each entry is specified using the syntax:
> boot-certs.<index>.path=/path/to/cert.pem
>
> Multiple paths can be specify using array properties:
> boot-certs.0.path=/path/to/cert.pem,
> boot-certs.1.path=/path/to/cert-dir,
> boot-certs.2.path=/path/to/another-dir...
Given we can specify a directory containing any number of certificate
files, is the ability to specify multiple paths worth the additional
complexity?
> Signed-off-by: Zhuoying Cai <zycai@linux.ibm.com>
[...]
> diff --git a/qapi/machine-s390x.json b/qapi/machine-s390x.json
> index 966dbd61d2..51bf791fe6 100644
> --- a/qapi/machine-s390x.json
> +++ b/qapi/machine-s390x.json
> @@ -119,3 +119,25 @@
> { 'command': 'query-s390x-cpu-polarization', 'returns': 'CpuPolarizationInfo',
> 'features': [ 'unstable' ]
> }
> +
> +##
> +# @BootCertificate:
> +#
> +# Boot certificate for secure IPL.
> +#
> +# @path: path to an X.509 certificate file or a directory containing certificate files.
> +#
> +# Since: 10.2
> +##
> +{ 'struct': 'BootCertificate',
> + 'data': {'path': 'str'} }
I'd call this BootCertificates (plural), because it can pull in any
number, not just one.
> +
> +##
> +# @DummyBootCertificates:
> +#
> +# Not used by QMP; hack to let us use BootCertificateList internally.
> +#
> +# Since: 10.2
> +##
> +{ 'struct': 'DummyBootCertificates',
> + 'data': {'unused-boot-certs': ['BootCertificate'] } }
> diff --git a/qapi/pragma.json b/qapi/pragma.json
> index 023a2ef7bc..66401837ad 100644
> --- a/qapi/pragma.json
> +++ b/qapi/pragma.json
> @@ -49,6 +49,7 @@
> 'DisplayProtocol',
> 'DriveBackupWrapper',
> 'DummyBlockCoreForceArrays',
> + 'DummyBootCertificates',
> 'DummyForceArrays',
> 'DummyVirtioForceArrays',
> 'HotKeyMod',
On Thu, Sep 18, 2025 at 08:56:39AM +0200, Markus Armbruster wrote:
> Zhuoying Cai <zycai@linux.ibm.com> writes:
>
> > Introduce a new `boot-certs` machine type option for the s390-ccw-virtio
> > machine. This allows users to specify one or more certificate file paths
> > or directories to be used during secure boot.
> >
> > Each entry is specified using the syntax:
> > boot-certs.<index>.path=/path/to/cert.pem
> >
> > Multiple paths can be specify using array properties:
> > boot-certs.0.path=/path/to/cert.pem,
> > boot-certs.1.path=/path/to/cert-dir,
> > boot-certs.2.path=/path/to/another-dir...
>
> Given we can specifiy a directory containing any number of certificate
> files, is the ability to specify multiple paths worth the additional
> complexity?
The typical scenario would be point to somewhere in /etc/pki
for some globally provided certs, and then also point to
somewhere local ($HOME) for custom extra certs. So IMHO it
is reasonable to want multiple paths, to avoid copying around
certs from different locations.
>
> > Signed-off-by: Zhuoying Cai <zycai@linux.ibm.com>
>
> [...]
>
> > diff --git a/qapi/machine-s390x.json b/qapi/machine-s390x.json
> > index 966dbd61d2..51bf791fe6 100644
> > --- a/qapi/machine-s390x.json
> > +++ b/qapi/machine-s390x.json
> > @@ -119,3 +119,25 @@
> > { 'command': 'query-s390x-cpu-polarization', 'returns': 'CpuPolarizationInfo',
> > 'features': [ 'unstable' ]
> > }
> > +
> > +##
> > +# @BootCertificate:
> > +#
> > +# Boot certificate for secure IPL.
> > +#
> > +# @path: path to an X.509 certificate file or a directory containing certificate files.
> > +#
> > +# Since: 10.2
> > +##
> > +{ 'struct': 'BootCertificate',
> > + 'data': {'path': 'str'} }
>
> I'd call this BootCertificates (plural), because it can pull in any
> number, not just than one.
>
> > +
> > +##
> > +# @DummyBootCertificates:
> > +#
> > +# Not used by QMP; hack to let us use BootCertificateList internally.
> > +#
> > +# Since: 10.2
> > +##
> > +{ 'struct': 'DummyBootCertificates',
> > + 'data': {'unused-boot-certs': ['BootCertificate'] } }
> > diff --git a/qapi/pragma.json b/qapi/pragma.json
> > index 023a2ef7bc..66401837ad 100644
> > --- a/qapi/pragma.json
> > +++ b/qapi/pragma.json
> > @@ -49,6 +49,7 @@
> > 'DisplayProtocol',
> > 'DriveBackupWrapper',
> > 'DummyBlockCoreForceArrays',
> > + 'DummyBootCertificates',
> > 'DummyForceArrays',
> > 'DummyVirtioForceArrays',
> > 'HotKeyMod',
>
With regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
On 9/18/25 4:38 AM, Daniel P. Berrangé wrote:
> On Thu, Sep 18, 2025 at 08:56:39AM +0200, Markus Armbruster wrote:
>> Zhuoying Cai <zycai@linux.ibm.com> writes:
>>
>>> Introduce a new `boot-certs` machine type option for the s390-ccw-virtio
>>> machine. This allows users to specify one or more certificate file paths
>>> or directories to be used during secure boot.
>>>
>>> Each entry is specified using the syntax:
>>> boot-certs.<index>.path=/path/to/cert.pem
>>>
>>> Multiple paths can be specify using array properties:
>>> boot-certs.0.path=/path/to/cert.pem,
>>> boot-certs.1.path=/path/to/cert-dir,
>>> boot-certs.2.path=/path/to/another-dir...
>>
>> Given we can specifiy a directory containing any number of certificate
>> files, is the ability to specify multiple paths worth the additional
>> complexity?
>
> The typical scenario would be point to somewhere in /etc/pki
> for some globally provided certs, and then also point to
> somewhere local ($HOME) for custom extra certs. So IMHO it
> is reasonable to want multiple paths, to avoid copying around
> certs from different locations.
>
Thank you for the comments.
Since Secure IPL on s390x is supported in QEMU, I would like to begin
drafting the corresponding Libvirt interface and seek feedback before
proceeding with the implementation.
While Libvirt already provides a secure boot interface
(https://libvirt.org/kbase/secureboot.html), it appears to be primarily
intended for x86 systems, where secure boot is configured using the
<firmware>, <loader>, and <nvram> tags.
<os firmware='efi'>
<firmware>
<feature enabled='yes' name='enrolled-keys'/>
<feature enabled='yes' name='secure-boot'/>
</firmware>
<loader secure='yes' type='pflash'>...</loader>
<nvram template='...'>...</nvram>
</os>
For s390x, some of these existing tags may be reused, but additional
elements will be needed.
Below is my initial proposal for the secure boot interface in Libvirt:
<!-- New s390-ccw-bios firmware value -->
<os firmware='s390-ccw-bios'>
<type arch='s390x' machine='s390-ccw-virtio-9.2'>hvm</type>
<firmware>
<!-- To enable secure boot -->
<feature enabled='yes' name='secure-boot'/>
</firmware>
<!-- To provide boot certificates for secure boot -->
<boot-certs path='/path/to/cert.pem' />
<boot-certs path='/path/to/cert-dir' />
<boot dev='hd'/>
</os>
I would greatly appreciate any suggestions or feedback on this
proposal, and I am open to refining the design to better align with
existing Libvirt structures.
Best regards,
Joy
>>
>>> Signed-off-by: Zhuoying Cai <zycai@linux.ibm.com>
>>
>> [...]
>>
>>> diff --git a/qapi/machine-s390x.json b/qapi/machine-s390x.json
>>> index 966dbd61d2..51bf791fe6 100644
>>> --- a/qapi/machine-s390x.json
>>> +++ b/qapi/machine-s390x.json
>>> @@ -119,3 +119,25 @@
>>> { 'command': 'query-s390x-cpu-polarization', 'returns': 'CpuPolarizationInfo',
>>> 'features': [ 'unstable' ]
>>> }
>>> +
>>> +##
>>> +# @BootCertificate:
>>> +#
>>> +# Boot certificate for secure IPL.
>>> +#
>>> +# @path: path to an X.509 certificate file or a directory containing certificate files.
>>> +#
>>> +# Since: 10.2
>>> +##
>>> +{ 'struct': 'BootCertificate',
>>> + 'data': {'path': 'str'} }
>>
>> I'd call this BootCertificates (plural), because it can pull in any
>> number, not just than one.
>>
>>> +
>>> +##
>>> +# @DummyBootCertificates:
>>> +#
>>> +# Not used by QMP; hack to let us use BootCertificateList internally.
>>> +#
>>> +# Since: 10.2
>>> +##
>>> +{ 'struct': 'DummyBootCertificates',
>>> + 'data': {'unused-boot-certs': ['BootCertificate'] } }
>>> diff --git a/qapi/pragma.json b/qapi/pragma.json
>>> index 023a2ef7bc..66401837ad 100644
>>> --- a/qapi/pragma.json
>>> +++ b/qapi/pragma.json
>>> @@ -49,6 +49,7 @@
>>> 'DisplayProtocol',
>>> 'DriveBackupWrapper',
>>> 'DummyBlockCoreForceArrays',
>>> + 'DummyBootCertificates',
>>> 'DummyForceArrays',
>>> 'DummyVirtioForceArrays',
>>> 'HotKeyMod',
>>
>
> With regards,
> Daniel
On 9/22/25 19:48, Zhuoying Cai wrote: > On 9/18/25 4:38 AM, Daniel P. Berrangé wrote: [...] > > Thank you for the comments. > > Since Secure IPL on s390x is supported in QEMU, I would like to begin > drafting the corresponding Libvirt interface and seek feedback before > proceeding with the implementation. > > While Libvirt already provides a secure boot interface > (https://libvirt.org/kbase/secureboot.html), it appears to be primarily > intended for x86 systems, where secure boot is configured using the > <firmware>, <loader>, and <nvram> tags. > > <os firmware='efi'> > <firmware> > <feature enabled='yes' name='enrolled-keys'/> > <feature enabled='yes' name='secure-boot'/> > </firmware> > <loader secure='yes' type='pflash'>...</loader> > <nvram template='...'>...</nvram> > </os> > > For s390x, some of these existing tags may be reused, but additional > elements will be needed. > > Below is my initial proposal for the secure boot interface in Libvirt: > > <!-- New s390-ccw-bios firmware value --> > <os firmware='s390-ccw-bios'> > <type arch='s390x' machine='s390-ccw-virtio-9.2'>hvm</type> > <firmware> > <!-- To enable secure boot --> > <feature enabled='yes' name='secure-boot'/> > </firmware> > <!-- To provide boot certificates for secure boot --> > <boot-certs path='/path/to/cert.pem' /> > <boot-certs path='/path/to/cert-dir' /> > <boot dev='hd'/> > </os> > > I would be greatly appreciate any suggestions or feedback on this > proposal, and I am open to refining the design to better align with > existing Libvirt structures. > > Best regards, > Joy > You should post an RFC to the libvirt list -- no code needed. I suggest posting what you wrote above while also giving an example of the QEMU commandline. Lastly, give a short background of what you've been working on and provide a link to these patches for a more detail. CC those who have been involved in review as well as Boris, please. Thanks! [...] -- Regards, Collin
On 9/29/25 2:29 PM, Collin Walling wrote: > On 9/22/25 19:48, Zhuoying Cai wrote: >> On 9/18/25 4:38 AM, Daniel P. Berrangé wrote: > > [...] > >> >> Thank you for the comments. >> >> Since Secure IPL on s390x is supported in QEMU, I would like to begin >> drafting the corresponding Libvirt interface and seek feedback before >> proceeding with the implementation. >> >> While Libvirt already provides a secure boot interface >> (https://libvirt.org/kbase/secureboot.html), it appears to be primarily >> intended for x86 systems, where secure boot is configured using the >> <firmware>, <loader>, and <nvram> tags. >> >> <os firmware='efi'> >> <firmware> >> <feature enabled='yes' name='enrolled-keys'/> >> <feature enabled='yes' name='secure-boot'/> >> </firmware> >> <loader secure='yes' type='pflash'>...</loader> >> <nvram template='...'>...</nvram> >> </os> >> >> For s390x, some of these existing tags may be reused, but additional >> elements will be needed. >> >> Below is my initial proposal for the secure boot interface in Libvirt: >> >> <!-- New s390-ccw-bios firmware value --> >> <os firmware='s390-ccw-bios'> >> <type arch='s390x' machine='s390-ccw-virtio-9.2'>hvm</type> >> <firmware> >> <!-- To enable secure boot --> >> <feature enabled='yes' name='secure-boot'/> >> </firmware> >> <!-- To provide boot certificates for secure boot --> >> <boot-certs path='/path/to/cert.pem' /> >> <boot-certs path='/path/to/cert-dir' /> >> <boot dev='hd'/> >> </os> >> >> I would be greatly appreciate any suggestions or feedback on this >> proposal, and I am open to refining the design to better align with >> existing Libvirt structures. >> >> Best regards, >> Joy >> > > You should post an RFC to the libvirt list -- no code needed. I suggest > posting what you wrote above while also giving an example of the QEMU > commandline. Lastly, give a short background of what you've been > working on and provide a link to these patches for a more detail. 
> > CC those who have been involved in review as well as Boris, please. Thanks! > Thank you for the suggestion! I posted an RFC to the libvirt list (https://lists.libvirt.org/archives/list/devel@lists.libvirt.org/thread/DWCOPLUGJKYZ6BOCX3JWU2FJGFLG7DUF/). > [...] >
Daniel P. Berrangé <berrange@redhat.com> writes: > On Thu, Sep 18, 2025 at 08:56:39AM +0200, Markus Armbruster wrote: >> Zhuoying Cai <zycai@linux.ibm.com> writes: >> >> > Introduce a new `boot-certs` machine type option for the s390-ccw-virtio >> > machine. This allows users to specify one or more certificate file paths >> > or directories to be used during secure boot. >> > >> > Each entry is specified using the syntax: >> > boot-certs.<index>.path=/path/to/cert.pem >> > >> > Multiple paths can be specify using array properties: >> > boot-certs.0.path=/path/to/cert.pem, >> > boot-certs.1.path=/path/to/cert-dir, >> > boot-certs.2.path=/path/to/another-dir... >> >> Given we can specifiy a directory containing any number of certificate >> files, is the ability to specify multiple paths worth the additional >> complexity? > > The typical scenario would be point to somewhere in /etc/pki > for some globally provided certs, and then also point to > somewhere local ($HOME) for custom extra certs. So IMHO it > is reasonable to want multiple paths, to avoid copying around > certs from different locations. Thanks. Preferably with BootCertificate renamed to BootCertificates Acked-by: Markus Armbruster <armbru@redhat.com>
On 9/18/25 4:51 AM, Markus Armbruster wrote: > Daniel P. Berrangé <berrange@redhat.com> writes: > >> On Thu, Sep 18, 2025 at 08:56:39AM +0200, Markus Armbruster wrote: >>> Zhuoying Cai <zycai@linux.ibm.com> writes: >>> >>>> Introduce a new `boot-certs` machine type option for the s390-ccw-virtio >>>> machine. This allows users to specify one or more certificate file paths >>>> or directories to be used during secure boot. >>>> >>>> Each entry is specified using the syntax: >>>> boot-certs.<index>.path=/path/to/cert.pem >>>> >>>> Multiple paths can be specify using array properties: >>>> boot-certs.0.path=/path/to/cert.pem, >>>> boot-certs.1.path=/path/to/cert-dir, >>>> boot-certs.2.path=/path/to/another-dir... >>> >>> Given we can specifiy a directory containing any number of certificate >>> files, is the ability to specify multiple paths worth the additional >>> complexity? >> >> The typical scenario would be point to somewhere in /etc/pki >> for some globally provided certs, and then also point to >> somewhere local ($HOME) for custom extra certs. So IMHO it >> is reasonable to want multiple paths, to avoid copying around >> certs from different locations. > > Thanks. > > Preferably with BootCertificate renamed to BootCertificates > Acked-by: Markus Armbruster <armbru@redhat.com> > I'll rename it in the next version. Thanks for the review!