When secure boot is enabled (-secure-boot on) and certificate(s) are
provided, the boot operates in True Secure IPL mode.
Any verification error during True Secure IPL mode will cause the
entire boot process to terminate.
Secure IPL in audit mode requires at least one certificate provided in
the key store along with necessary facilities. If secure boot is enabled
but no certificate is provided, the boot process will also terminate, as
this is not a valid secure boot configuration.
Note: True Secure IPL mode is implemented for the SCSI scheme of
virtio-blk/virtio-scsi devices.
Signed-off-by: Zhuoying Cai <zycai@linux.ibm.com>
---
docs/system/s390x/secure-ipl.rst | 16 ++++++++++++++++
pc-bios/s390-ccw/bootmap.c | 19 ++++++++++++++++---
pc-bios/s390-ccw/main.c | 7 ++++++-
pc-bios/s390-ccw/s390-ccw.h | 2 ++
pc-bios/s390-ccw/secure-ipl.c | 4 ++++
pc-bios/s390-ccw/secure-ipl.h | 3 +++
6 files changed, 47 insertions(+), 4 deletions(-)
diff --git a/docs/system/s390x/secure-ipl.rst b/docs/system/s390x/secure-ipl.rst
index 205de8bc02..579b7b4993 100644
--- a/docs/system/s390x/secure-ipl.rst
+++ b/docs/system/s390x/secure-ipl.rst
@@ -67,3 +67,19 @@ Configuration:
qemu-system-s390x -machine s390-ccw-virtio, \
boot-certs.0.path=/.../qemu/certs, \
boot-certs.1.path=/another/path/cert.pem ...
+
+Secure Mode
+-----------
+
+With *both* the presence of certificates in the store and the ``secure-boot=on``
+option, it is understood that secure boot should be performed with errors
+reported and boot will abort.
+
+Configuration:
+
+.. code-block:: shell
+
+ qemu-system-s390x -machine s390-ccw-virtio, \
+ secure-boot=on, \
+ boot-certs.0.path=/.../qemu/certs, \
+ boot-certs.1.path=/another/path/cert.pem ...
diff --git a/pc-bios/s390-ccw/bootmap.c b/pc-bios/s390-ccw/bootmap.c
index 3922e7cdde..3ab89b91fb 100644
--- a/pc-bios/s390-ccw/bootmap.c
+++ b/pc-bios/s390-ccw/bootmap.c
@@ -737,6 +737,9 @@ static int zipl_run(ScsiBlockPtr *pte)
entry = (ComponentEntry *)(&header[1]);
switch (boot_mode) {
+ case ZIPL_BOOT_MODE_INVALID:
+ return -1;
+ case ZIPL_BOOT_MODE_SECURE:
case ZIPL_BOOT_MODE_SECURE_AUDIT:
if (zipl_run_secure(&entry, tmp_sec)) {
return -1;
@@ -1118,9 +1121,16 @@ ZiplBootMode zipl_mode(uint8_t hdr_flags)
{
bool sipl_set = hdr_flags & DIAG308_IPIB_FLAGS_SIPL;
bool iplir_set = hdr_flags & DIAG308_IPIB_FLAGS_IPLIR;
+ VCStorageSizeBlock *vcssb;
if (!sipl_set && iplir_set) {
return ZIPL_BOOT_MODE_SECURE_AUDIT;
+ } else if (sipl_set && iplir_set) {
+ vcssb = zipl_secure_get_vcssb();
+ if (vcssb == NULL || vcssb->length == VCSSB_NO_VC) {
+ return ZIPL_BOOT_MODE_INVALID;
+ }
+ return ZIPL_BOOT_MODE_SECURE;
}
return ZIPL_BOOT_MODE_NORMAL;
@@ -1131,7 +1141,8 @@ void zipl_load(void)
VDev *vdev = virtio_get_device();
if (vdev->is_cdrom) {
- if (boot_mode == ZIPL_BOOT_MODE_SECURE_AUDIT) {
+ if (boot_mode == ZIPL_BOOT_MODE_SECURE_AUDIT ||
+ boot_mode == ZIPL_BOOT_MODE_SECURE) {
panic("Secure boot from ISO image is not supported!");
}
ipl_iso_el_torito();
@@ -1140,7 +1151,8 @@ void zipl_load(void)
}
if (virtio_get_device_type() == VIRTIO_ID_NET) {
- if (boot_mode == ZIPL_BOOT_MODE_SECURE_AUDIT) {
+ if (boot_mode == ZIPL_BOOT_MODE_SECURE_AUDIT ||
+ boot_mode == ZIPL_BOOT_MODE_SECURE) {
panic("Virtio net boot device does not support secure boot!");
}
netmain();
@@ -1153,7 +1165,8 @@ void zipl_load(void)
return;
}
- if (boot_mode == ZIPL_BOOT_MODE_SECURE_AUDIT) {
+ if (boot_mode == ZIPL_BOOT_MODE_SECURE_AUDIT ||
+ boot_mode == ZIPL_BOOT_MODE_SECURE) {
panic("ECKD boot device does not support secure boot!");
}
diff --git a/pc-bios/s390-ccw/main.c b/pc-bios/s390-ccw/main.c
index 668660e64d..c5b425209a 100644
--- a/pc-bios/s390-ccw/main.c
+++ b/pc-bios/s390-ccw/main.c
@@ -277,10 +277,15 @@ static void ipl_boot_device(void)
boot_mode = zipl_mode(iplb->hdr_flags);
}
+ if (boot_mode == ZIPL_BOOT_MODE_INVALID) {
+ panic("Need at least one certificate for secure boot!");
+ }
+
switch (cutype) {
case CU_TYPE_DASD_3990:
case CU_TYPE_DASD_2107:
- if (boot_mode == ZIPL_BOOT_MODE_SECURE_AUDIT) {
+ if (boot_mode == ZIPL_BOOT_MODE_SECURE_AUDIT ||
+ boot_mode == ZIPL_BOOT_MODE_SECURE) {
panic("Passthrough (vfio) device does not support secure boot!");
}
diff --git a/pc-bios/s390-ccw/s390-ccw.h b/pc-bios/s390-ccw/s390-ccw.h
index 6d51d07c90..389cc8ea7c 100644
--- a/pc-bios/s390-ccw/s390-ccw.h
+++ b/pc-bios/s390-ccw/s390-ccw.h
@@ -83,9 +83,11 @@ int virtio_read(unsigned long sector, void *load_addr);
void zipl_load(void);
typedef enum ZiplBootMode {
+ ZIPL_BOOT_MODE_INVALID = -1,
ZIPL_BOOT_MODE_UNSPECIFIED = 0,
ZIPL_BOOT_MODE_NORMAL = 1,
ZIPL_BOOT_MODE_SECURE_AUDIT = 2,
+ ZIPL_BOOT_MODE_SECURE = 3,
} ZiplBootMode;
extern ZiplBootMode boot_mode;
diff --git a/pc-bios/s390-ccw/secure-ipl.c b/pc-bios/s390-ccw/secure-ipl.c
index cd798c1198..92e3e1e021 100644
--- a/pc-bios/s390-ccw/secure-ipl.c
+++ b/pc-bios/s390-ccw/secure-ipl.c
@@ -287,6 +287,10 @@ static bool check_sclab_presence(uint8_t *sclab_magic,
comps->device_entries[comp_index].cei |= S390_IPL_COMPONENT_CEI_INVALID_SCLAB;
/* a missing SCLAB will not be reported in audit mode */
+ if (boot_mode == ZIPL_BOOT_MODE_SECURE) {
+ zipl_secure_handle("Magic is not matched. SCLAB does not exist");
+ }
+
return false;
}
diff --git a/pc-bios/s390-ccw/secure-ipl.h b/pc-bios/s390-ccw/secure-ipl.h
index 87aa6e1465..d7786158c4 100644
--- a/pc-bios/s390-ccw/secure-ipl.h
+++ b/pc-bios/s390-ccw/secure-ipl.h
@@ -58,6 +58,9 @@ static inline void zipl_secure_handle(const char *message)
case ZIPL_BOOT_MODE_SECURE_AUDIT:
IPL_check(false, message);
break;
+ case ZIPL_BOOT_MODE_SECURE:
+ IPL_assert(false, message);
+ break;
default:
break;
}
--
2.50.1