From: Zhuoying Cai
To: thuth@redhat.com, berrange@redhat.com, richard.henderson@linaro.org, david@redhat.com, jrossi@linux.ibm.com, qemu-s390x@nongnu.org, qemu-devel@nongnu.org
Cc: walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com
Subject: [PATCH v6 01/28] Add boot-certs to s390-ccw-virtio machine type option
Date: Wed, 17 Sep 2025 19:21:03 -0400
Message-ID: <20250917232131.495848-2-zycai@linux.ibm.com>
In-Reply-To: <20250917232131.495848-1-zycai@linux.ibm.com>

Introduce a new `boot-certs` machine type option for the s390-ccw-virtio
machine. This allows users to specify one or more certificate file paths
or directories to be used during secure boot.

Each entry is specified using the syntax:
    boot-certs..path=/path/to/cert.pem

Multiple paths can be specified using array properties:
    boot-certs.0.path=/path/to/cert.pem,
    boot-certs.1.path=/path/to/cert-dir,
    boot-certs.2.path=/path/to/another-dir...

Signed-off-by: Zhuoying Cai Acked-by: Markus Armbruster --- docs/system/s390x/secure-ipl.rst | 21 +++++++++++++++++++++ hw/s390x/s390-virtio-ccw.c | 30 ++++++++++++++++++++++++++++++ include/hw/s390x/s390-virtio-ccw.h | 2 ++ qapi/machine-s390x.json | 22 ++++++++++++++++++++++ qapi/pragma.json | 1 + qemu-options.hx | 6 +++++- 6 files changed, 81 insertions(+), 1 deletion(-) create mode 100644 docs/system/s390x/secure-ipl.rst diff --git a/docs/system/s390x/secure-ipl.rst b/docs/system/s390x/secure-ip= l.rst new file mode 100644 index 0000000000..92c1bb2153 --- /dev/null +++ b/docs/system/s390x/secure-ipl.rst @@ -0,0 +1,21 @@ +.. SPDX-License-Identifier: GPL-2.0-or-later + +Secure IPL Command Line Options +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D + +The s390-ccw-virtio machine type supports secure IPL. These parameters all= ow users +to provide certificates and enable secure IPL directly via the command lin= e. + +Providing Certificates +---------------------- + +The certificate store can be populated by supplying a list of X.509 certif= icate file +paths or directories containing certificate files on the command-line: + +Note: certificate files must have a .pem extension. + +.. code-block:: shell + + qemu-system-s390x -machine s390-ccw-virtio, \ + boot-certs.0.path=3D/.../qemu/certs, \ + boot-certs.1.path=3D/another/path/cert.pem = ... diff --git a/hw/s390x/s390-virtio-ccw.c b/hw/s390x/s390-virtio-ccw.c index b1dc52807a..b825f4cce1 100644 --- a/hw/s390x/s390-virtio-ccw.c +++ b/hw/s390x/s390-virtio-ccw.c @@ -45,6 +45,7 @@ #include "target/s390x/kvm/pv.h" #include "migration/blocker.h" #include "qapi/visitor.h" +#include "qapi/qapi-visit-machine-s390x.h" #include "hw/s390x/cpu-topology.h" #include "kvm/kvm_s390x.h" #include "hw/virtio/virtio-md-pci.h" 
@@ -798,6 +799,30 @@ static void machine_set_loadparm(Object *obj, Visitor = *v, g_free(val); } =20 +static void machine_get_boot_certs(Object *obj, Visitor *v, + const char *name, void *opaque, + Error **errp) +{ + S390CcwMachineState *ms =3D S390_CCW_MACHINE(obj); + BootCertificateList **certs =3D &ms->boot_certs; + + visit_type_BootCertificateList(v, name, certs, errp); +} + +static void machine_set_boot_certs(Object *obj, Visitor *v, const char *na= me, + void *opaque, Error **errp) +{ + S390CcwMachineState *ms =3D S390_CCW_MACHINE(obj); + BootCertificateList *cert_list =3D NULL; + + visit_type_BootCertificateList(v, name, &cert_list, errp); + if (!cert_list) { + return; + } + + ms->boot_certs =3D cert_list; +} + static void ccw_machine_class_init(ObjectClass *oc, const void *data) { MachineClass *mc =3D MACHINE_CLASS(oc); @@ -851,6 +876,11 @@ static void ccw_machine_class_init(ObjectClass *oc, co= nst void *data) "Up to 8 chars in set of [A-Za-z0-9. ] (lower case chars conve= rted" " to upper case) to pass to machine loader, boot manager," " and guest kernel"); + + object_class_property_add(oc, "boot-certs", "BootCertificateList", + machine_get_boot_certs, machine_set_boot_cer= ts, NULL, NULL); + object_class_property_set_description(oc, "boot-certs", + "provide paths to a directory and/or a certificate file for se= cure boot"); } =20 static inline void s390_machine_initfn(Object *obj) diff --git a/include/hw/s390x/s390-virtio-ccw.h b/include/hw/s390x/s390-vir= tio-ccw.h index 526078a4e2..334b67ef05 100644 --- a/include/hw/s390x/s390-virtio-ccw.h +++ b/include/hw/s390x/s390-virtio-ccw.h @@ -14,6 +14,7 @@ #include "hw/boards.h" #include "qom/object.h" #include "hw/s390x/sclp.h" +#include "qapi/qapi-types-machine-s390x.h" =20 #define TYPE_S390_CCW_MACHINE "s390-ccw-machine" =20 @@ -31,6 +32,7 @@ struct S390CcwMachineState { uint8_t loadparm[8]; uint64_t memory_limit; uint64_t max_pagesize; + BootCertificateList *boot_certs; =20 SCLPDevice *sclp; }; 
diff --git a/qapi/machine-s390x.json b/qapi/machine-s390x.json index 966dbd61d2..51bf791fe6 100644 --- a/qapi/machine-s390x.json +++ b/qapi/machine-s390x.json @@ -119,3 +119,25 @@ { 'command': 'query-s390x-cpu-polarization', 'returns': 'CpuPolarizationIn= fo', 'features': [ 'unstable' ] } + +## +# @BootCertificate: +# +# Boot certificate for secure IPL. +# +# @path: path to an X.509 certificate file or a directory containing certi= ficate files. +# +# Since: 10.2 +## +{ 'struct': 'BootCertificate', + 'data': {'path': 'str'} } + +## +# @DummyBootCertificates: +# +# Not used by QMP; hack to let us use BootCertificateList internally. +# +# Since: 10.2 +## +{ 'struct': 'DummyBootCertificates', + 'data': {'unused-boot-certs': ['BootCertificate'] } } diff --git a/qapi/pragma.json b/qapi/pragma.json index 023a2ef7bc..66401837ad 100644 --- a/qapi/pragma.json +++ b/qapi/pragma.json @@ -49,6 +49,7 @@ 'DisplayProtocol', 'DriveBackupWrapper', 'DummyBlockCoreForceArrays', + 'DummyBootCertificates', 'DummyForceArrays', 'DummyVirtioForceArrays', 'HotKeyMod', diff --git a/qemu-options.hx b/qemu-options.hx index ab23f14d21..ac497eb3a0 100644 --- a/qemu-options.hx +++ b/qemu-options.hx @@ -44,7 +44,8 @@ DEF("machine", HAS_ARG, QEMU_OPTION_machine, \ #endif " memory-backend=3D'backend-id' specifies explicitly pr= ovided backend for main RAM (default=3Dnone)\n" " cxl-fmw.0.targets.0=3Dfirsttarget,cxl-fmw.0.targets.1= =3Dsecondtarget,cxl-fmw.0.size=3Dsize[,cxl-fmw.0.interleave-granularity=3Dg= ranularity]\n" - " smp-cache.0.cache=3Dcachename,smp-cache.0.topology=3D= topologylevel\n", + " smp-cache.0.cache=3Dcachename,smp-cache.0.topology=3D= topologylevel\n" + " boot-certs.0.path=3D/path/directory,boot-certs.1.path= =3D/path/file provides paths to a directory and/or a certificate file\n", QEMU_ARCH_ALL) SRST ``-machine [type=3D]name[,prop=3Dvalue[,...]]`` 
@@ -205,6 +206,9 @@ SRST :: =20 -machine smp-cache.0.cache=3Dl1d,smp-cache.0.topology=3Dcore,s= mp-cache.1.cache=3Dl1i,smp-cache.1.topology=3Dcore + + ``boot-certs.0.path=3D/path/directory,boot-certs.1.path=3D/path/file`` + Provide paths to a directory and/or a certificate file on the host= [s390x only]. ERST =20 DEF("M", HAS_ARG, QEMU_OPTION_M, --=20 2.50.1
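Review bot: In machine_set_boot_certs() (hw/s390x/s390-virtio-ccw.c), `ms->boot_certs = cert_list;` overwrites any list stored by an earlier set without releasing it, so setting boot-certs twice leaks the first BootCertificateList, and nothing in this patch frees the list when the machine object goes away. Release the old value first with the generated qapi_free_BootCertificateList(ms->boot_certs), and test the bool returned by visit_type_BootCertificateList() rather than inferring failure from `!cert_list`, since an empty list is also NULL.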
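Review bot: In the code-block of docs/system/s390x/secure-ipl.rst, the example is written as `-machine s390-ccw-virtio, \` with a space between the comma and the backslash, so a reader who pastes it passes each boot-certs entry to the shell as a separate word instead of as part of the -machine argument. Write the example so the property list stays a single word with no whitespace around the commas, and move the "Note: certificate files must have a .pem extension." line below the example so the sentence ending in "on the command-line:" is followed directly by the command.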
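Review bot: In the first qemu-options.hx hunk, the boot-certs help line is added to the -machine text under QEMU_ARCH_ALL without the "[s390x only]" qualifier that the SRST entry in the second hunk carries. Add the same qualifier to the help string so the built-in help on other targets does not advertise a property that only the s390-ccw-virtio machine class registers.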
From: Zhuoying Cai
To: thuth@redhat.com, berrange@redhat.com, richard.henderson@linaro.org, david@redhat.com, jrossi@linux.ibm.com, qemu-s390x@nongnu.org, qemu-devel@nongnu.org
Cc: walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com
Subject: [PATCH v6 02/28] crypto/x509-utils: Refactor with GNUTLS fallback
Date: Wed, 17 Sep 2025 19:21:04 -0400
Message-ID: <20250917232131.495848-3-zycai@linux.ibm.com>
In-Reply-To: <20250917232131.495848-1-zycai@linux.ibm.com>

Always compile x509-utils.c and add a fallback when GNUTLS is unavailable.

Signed-off-by: Zhuoying Cai
Acked-by: Daniel P. Berrangé
Reviewed-by: Daniel P. Berrangé
Reviewed-by: Farhan Ali
--- crypto/meson.build | 5 +---- crypto/x509-utils.c | 16 ++++++++++++++++ 2 files changed, 17 insertions(+), 4 deletions(-) diff --git a/crypto/meson.build b/crypto/meson.build index 735635de1f..0614bfa914 100644 --- a/crypto/meson.build +++ b/crypto/meson.build @@ -22,12 +22,9 @@ crypto_ss.add(files( 'tlscredsx509.c', 'tlssession.c', 'rsakey.c', + 'x509-utils.c', )) =20 -if gnutls.found() - crypto_ss.add(files('x509-utils.c')) -endif - if nettle.found() crypto_ss.add(nettle, files('hash-nettle.c', 'hmac-nettle.c', 'pbkdf-net= tle.c')) if hogweed.found()
diff --git a/crypto/x509-utils.c b/crypto/x509-utils.c index 39bb6d4d8c..6176a88653 100644 --- a/crypto/x509-utils.c +++ b/crypto/x509-utils.c @@ -11,6 +11,8 @@ #include "qemu/osdep.h" #include "qapi/error.h" #include "crypto/x509-utils.h" + +#ifdef CONFIG_GNUTLS #include #include #include 
@@ -78,3 +80,17 @@ int qcrypto_get_x509_cert_fingerprint(uint8_t *cert, siz= e_t size, gnutls_x509_crt_deinit(crt); return ret; } + +#else /* ! CONFIG_GNUTLS */ + +int qcrypto_get_x509_cert_fingerprint(uint8_t *cert, size_t size, + QCryptoHashAlgo hash, + uint8_t *result, + size_t *resultlen, + Error **errp) +{ + error_setg(errp, "GNUTLS is required to get fingerprint"); + return -1; +} + +#endif /* ! CONFIG_GNUTLS */ --=20 2.50.1
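Review bot: In the `#else /* ! CONFIG_GNUTLS */` stub added to crypto/x509-utils.c, the only signal that certificate support is missing is the error set when qcrypto_get_x509_cert_fingerprint() is eventually called, now that meson.build compiles the file unconditionally. For a consumer that relies on certificates for secure boot that is late: consider rejecting certificate-dependent options when they are parsed in a build without GNUTLS, and document in the header that -1 with this error means the build lacks support, so callers do not treat it as a bad certificate.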
From: Zhuoying Cai
To: thuth@redhat.com, berrange@redhat.com, richard.henderson@linaro.org, david@redhat.com, jrossi@linux.ibm.com, qemu-s390x@nongnu.org, qemu-devel@nongnu.org
Cc: walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com
Subject: [PATCH v6 03/28] crypto/x509-utils: Add helper functions for certificate store
Date: Wed, 17 Sep 2025 19:21:05 -0400
Message-ID: <20250917232131.495848-4-zycai@linux.ibm.com>
In-Reply-To: <20250917232131.495848-1-zycai@linux.ibm.com>

Introduce new helper functions for x509 certificate, which will be used
by the certificate store:

qcrypto_x509_convert_cert_der() - converts a certificate from PEM to DER format

These functions provide support for certificate format conversion.

Signed-off-by: Zhuoying Cai
Acked-by: Daniel P. Berrangé
Reviewed-by: Daniel P. Berrangé
Reviewed-by: Farhan Ali
--- crypto/x509-utils.c | 50 +++++++++++++++++++++++++++++++++++++ include/crypto/x509-utils.h | 20 +++++++++++++++ 2 files changed, 70 insertions(+) diff --git a/crypto/x509-utils.c b/crypto/x509-utils.c index 6176a88653..5d43b0ec96 100644 --- a/crypto/x509-utils.c +++ b/crypto/x509-utils.c
@@ -81,6 +81,47 @@ int qcrypto_get_x509_cert_fingerprint(uint8_t *cert, siz= e_t size, return ret; } =20 +int qcrypto_x509_convert_cert_der(uint8_t *cert, size_t size, + uint8_t **result, size_t *resultlen, + Error **errp) +{ + int ret =3D -1; + int rc; + gnutls_x509_crt_t crt; + gnutls_datum_t datum =3D {.data =3D cert, .size =3D size}; + gnutls_datum_t datum_der =3D {.data =3D NULL, .size =3D 0}; + + rc =3D gnutls_x509_crt_init(&crt); + if (rc < 0) { + error_setg(errp, "Failed to initialize certificate: %s", gnutls_st= rerror(rc)); + return ret; + } + + rc =3D gnutls_x509_crt_import(crt, &datum, GNUTLS_X509_FMT_PEM); + if (rc !=3D 0) { + error_setg(errp, "Failed to import certificate: %s", gnutls_strerr= or(rc)); + goto cleanup; + } + + rc =3D gnutls_x509_crt_export2(crt, GNUTLS_X509_FMT_DER, &datum_der); + if (rc !=3D 0) { + error_setg(errp, "Failed to convert certificate to DER format: %s", + gnutls_strerror(rc)); + goto cleanup; + } + + *result =3D g_new0(uint8_t, datum_der.size); + *resultlen =3D datum_der.size; + memcpy(*result, datum_der.data, datum_der.size); + + ret =3D 0; + +cleanup: + gnutls_x509_crt_deinit(crt); + gnutls_free(datum_der.data); + return ret; +} + #else /* ! CONFIG_GNUTLS */ =20 int qcrypto_get_x509_cert_fingerprint(uint8_t *cert, size_t size, @@ -93,4 +134,13 @@ int qcrypto_get_x509_cert_fingerprint(uint8_t *cert, si= ze_t size, return -1; } =20 +int qcrypto_x509_convert_cert_der(uint8_t *cert, size_t size, + uint8_t **result, + size_t *resultlen, + Error **errp) +{ + error_setg(errp, "GNUTLS is required to export X.509 certificate"); + return -1; +} + #endif /* ! CONFIG_GNUTLS */ diff --git a/include/crypto/x509-utils.h b/include/crypto/x509-utils.h index 1e99661a71..4239e3e55a 100644 --- a/include/crypto/x509-utils.h +++ b/include/crypto/x509-utils.h 
@@ -19,4 +19,24 @@ int qcrypto_get_x509_cert_fingerprint(uint8_t *cert, siz= e_t size, size_t *resultlen, Error **errp); =20 +/** + * qcrypto_x509_convert_cert_der + * @cert: pointer to the raw certificate data in PEM format + * @size: size of the certificate + * @result: output location for the allocated buffer for the certificate i= n DER format + (the function allocates memory which must be freed by the call= er) + * @resultlen: pointer to the size of the buffer + (will be updated with the actual size of the DER-encoded ce= rtificate) + * @errp: error pointer + * + * Convert the given @cert from PEM to DER format. + * + * Returns: 0 on success, + * -1 on error. + */ +int qcrypto_x509_convert_cert_der(uint8_t *cert, size_t size, + uint8_t **result, + size_t *resultlen, + Error **errp); + #endif --=20 2.50.1
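Review bot: in qcrypto_x509_convert_cert_der() (crypto/x509-utils.c), `datum` is initialised with `.size = size`, which stores a size_t into the gnutls_datum_t size field; GnuTLS declares that field as unsigned int, so an input larger than UINT_MAX would be silently truncated before gnutls_x509_crt_import() parses it. Reject `size > UINT_MAX` with error_setg() before building the datum. Separately, `g_new0()` followed by `memcpy()` zero-fills a buffer that is overwritten straight away; `g_memdup2(datum_der.data, datum_der.size)` does the copy in one call.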
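Review bot: the doc comment for qcrypto_x509_convert_cert_der() in include/crypto/x509-utils.h describes @resultlen as "pointer to the size of the buffer (will be updated ...)", which reads as an in/out parameter, but the implementation in this patch ignores the incoming value and always allocates the buffer and sets both @result and @resultlen itself. Document both as pure outputs, name g_free() as the release function since the buffer comes from g_new0(), and state that neither is written when the function returns -1. The two continuation lines that start with "(the function allocates" and "(will be updated" also lack the leading " *" of the surrounding comment.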
From: Zhuoying Cai
To: thuth@redhat.com, berrange@redhat.com, richard.henderson@linaro.org, david@redhat.com, jrossi@linux.ibm.com, qemu-s390x@nongnu.org, qemu-devel@nongnu.org
Cc: walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com
Subject: [PATCH v6 04/28] hw/s390x/ipl: Create certificate store
Date: Wed, 17 Sep 2025 19:21:06 -0400
Message-ID: <20250917232131.495848-5-zycai@linux.ibm.com>
In-Reply-To: <20250917232131.495848-1-zycai@linux.ibm.com>
References: <20250917232131.495848-1-zycai@linux.ibm.com>

Create a certificate store for boot certificates used for secure IPL.

Load certificates from the `boot-certs` parameter of s390-ccw-virtio
machine type option into the cert store.

Currently, only X.509 certificates in PEM format are supported, as the
QEMU command line accepts certificates in PEM format only.

Signed-off-by: Zhuoying Cai
---
 docs/specs/s390x-secure-ipl.rst | 15 +++
 hw/s390x/cert-store.c | 213 ++++++++++++++++++++++++++++++++
 hw/s390x/cert-store.h | 39 ++++++
 hw/s390x/ipl.c | 19 +++
 hw/s390x/ipl.h | 3 +
 hw/s390x/meson.build | 1 +
 include/hw/s390x/ipl/qipl.h | 2 +
 7 files changed, 292 insertions(+)
 create mode 100644 docs/specs/s390x-secure-ipl.rst
 create mode 100644 hw/s390x/cert-store.c
 create mode 100644 hw/s390x/cert-store.h
diff --git a/docs/specs/s390x-secure-ipl.rst b/docs/specs/s390x-secure-ipl.= rst new file mode 100644 index 0000000000..9b1de5c604 --- /dev/null +++ b/docs/specs/s390x-secure-ipl.rst @@ -0,0 +1,15 @@ +.. SPDX-License-Identifier: GPL-2.0-or-later + +s390 Certificate Store and Functions +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D + +s390 Certificate Store +---------------------- + +A certificate store is implemented for s390-ccw guests to retain within +memory all certificates provided by the user via the command-line, which +are expected to be stored somewhere on the host's file system. The store +will keep track of the number of certificates, their respective size, +and a summation of the sizes. + +Note: A maximum of 64 certificates are allowed to be stored in the certifi= cate store. diff --git a/hw/s390x/cert-store.c b/hw/s390x/cert-store.c new file mode 100644 index 0000000000..318acfb1f6 --- /dev/null +++ b/hw/s390x/cert-store.c 
@@ -0,0 +1,213 @@ +/* + * S390 certificate store implementation + * + * Copyright 2025 IBM Corp. + * Author(s): Zhuoying Cai + * + * SPDX-License-Identifier: GPL-2.0-or-later + */ + +#include "qemu/osdep.h" +#include "cert-store.h" +#include "qapi/error.h" +#include "qemu/error-report.h" +#include "qemu/option.h" +#include "qemu/config-file.h" +#include "hw/s390x/ebcdic.h" +#include "hw/s390x/s390-virtio-ccw.h" +#include "qemu/cutils.h" +#include "crypto/x509-utils.h" +#include "qapi/qapi-types-machine-s390x.h" + +static BootCertificateList *s390_get_boot_certs(void) +{ + return S390_CCW_MACHINE(qdev_get_machine())->boot_certs; +} + +static size_t cert2buf(char *path, char **cert_buf) +{ + size_t size; + + if (!g_file_get_contents(path, cert_buf, &size, NULL)) { + return 0; + } + + return size; +} + +static S390IPLCertificate *init_cert_x509(size_t size, uint8_t *raw, Error= **errp) +{ + S390IPLCertificate *cert =3D NULL; + g_autofree uint8_t *cert_der =3D NULL; + size_t der_len =3D size; + int rc; + + rc =3D qcrypto_x509_convert_cert_der(raw, size, &cert_der, &der_len, e= rrp); + if (rc !=3D 0) { + return NULL; + } + + cert =3D g_new0(S390IPLCertificate, 1); + cert->size =3D size; + cert->der_size =3D der_len; + /* store raw pointer - ownership transfers to cert */ + cert->raw =3D raw; + + return cert; +} + +static S390IPLCertificate *init_cert(char *path) +{ + char *buf; + size_t size; + char vc_name[VC_NAME_LEN_BYTES]; + g_autofree gchar *filename =3D NULL; + S390IPLCertificate *cert =3D NULL; + Error *local_err =3D NULL; + + filename =3D g_path_get_basename(path); + + size =3D cert2buf(path, &buf); + if (size =3D=3D 0) { + error_report("Failed to load certificate: %s", path); + return NULL; + } + + cert =3D init_cert_x509(size, (uint8_t *)buf, &local_err); + if (cert =3D=3D NULL) { + error_reportf_err(local_err, "Failed to initialize certificate: %s= : ", path); + g_free(buf); + return NULL; + } + + /* + * Left justified certificate name with padding on the 
right with blan= ks. + * Convert certificate name to EBCDIC. + */ + strpadcpy(vc_name, VC_NAME_LEN_BYTES, filename, ' '); + ebcdic_put(cert->vc_name, vc_name, VC_NAME_LEN_BYTES); + + return cert; +} + +static void update_cert_store(S390IPLCertificateStore *cert_store, + S390IPLCertificate *cert) +{ + size_t data_buf_size; + size_t keyid_buf_size; + size_t hash_buf_size; + size_t cert_buf_size; + + /* length field is word aligned for later DIAG use */ + keyid_buf_size =3D ROUND_UP(CERT_KEY_ID_LEN, 4); + hash_buf_size =3D ROUND_UP(CERT_HASH_LEN, 4); + cert_buf_size =3D ROUND_UP(cert->der_size, 4); + data_buf_size =3D keyid_buf_size + hash_buf_size + cert_buf_size; + + if (cert_store->max_cert_size < data_buf_size) { + cert_store->max_cert_size =3D data_buf_size; + } + + cert_store->certs[cert_store->count] =3D *cert; + cert_store->total_bytes +=3D data_buf_size; + cert_store->count++; +} + +static GPtrArray *get_cert_paths(void) +{ + BootCertificateList *path_list =3D NULL; + BootCertificateList *list =3D NULL; + gchar *cert_path; + GDir *dir =3D NULL; + const gchar *filename; + g_autoptr(GError) err =3D NULL; + g_autoptr(GPtrArray) cert_path_builder =3D g_ptr_array_new_full(0, g_f= ree); + + path_list =3D s390_get_boot_certs(); + if (path_list =3D=3D NULL) { + return g_steal_pointer(&cert_path_builder); + } + + for (list =3D path_list; list; list =3D list->next) { + cert_path =3D list->value->path; + + if (g_strcmp0(cert_path, "") =3D=3D 0) { + error_report("Empty path in certificate path list is not allow= ed"); + goto fail; + } + + struct stat st; + if (stat(cert_path, &st) !=3D 0) { + error_report("Failed to stat path '%s': %s", cert_path, g_stre= rror(errno)); + goto fail; + } + + if (S_ISREG(st.st_mode)) { + if (!g_str_has_suffix(cert_path, ".pem")) { + error_report("Certificate file '%s' must have a .pem exten= sion", + cert_path); + goto fail; + } + + g_ptr_array_add(cert_path_builder, g_strdup(cert_path)); + } else if (S_ISDIR(st.st_mode)) { + dir =3D 
g_dir_open(cert_path, 0, &err); + if (dir =3D=3D NULL) { + error_report("Failed to open directory '%s': %s", + cert_path, err->message); + goto fail; + } + + while ((filename =3D g_dir_read_name(dir))) { + if (g_str_has_suffix(filename, ".pem")) { + g_ptr_array_add(cert_path_builder, + g_build_filename(cert_path, filename, = NULL)); + } + } + + g_dir_close(dir); + } else { + error_report("Path '%s' is neither a file nor a directory", ce= rt_path); + goto fail; + } + } + + qapi_free_BootCertificateList(path_list); + return g_steal_pointer(&cert_path_builder); + +fail: + qapi_free_BootCertificateList(path_list); + exit(1); +} + +void s390_ipl_create_cert_store(S390IPLCertificateStore *cert_store) +{ + GPtrArray *cert_path_builder; + + cert_path_builder =3D get_cert_paths(); + if (cert_path_builder->len =3D=3D 0) { + g_ptr_array_free(cert_path_builder, TRUE); + return; + } + + if (cert_path_builder->len > MAX_CERTIFICATES - 1) { + error_report("Cert store exceeds maximum of %d certificates", MAX_= CERTIFICATES); + g_ptr_array_free(cert_path_builder, TRUE); + exit(1); + } + + cert_store->max_cert_size =3D 0; + cert_store->total_bytes =3D 0; + + for (int i =3D 0; i < cert_path_builder->len; i++) { + S390IPLCertificate *cert =3D init_cert((char *) cert_path_builder-= >pdata[i]); + if (!cert) { + g_ptr_array_free(cert_path_builder, TRUE); + exit(1); + } + + update_cert_store(cert_store, cert); + } + + g_ptr_array_free(cert_path_builder, TRUE); +} diff --git a/hw/s390x/cert-store.h b/hw/s390x/cert-store.h new file mode 100644 index 0000000000..3f76a00277 --- /dev/null +++ b/hw/s390x/cert-store.h 
@@ -0,0 +1,39 @@ +/* + * S390 certificate store + * + * Copyright 2025 IBM Corp. + * Author(s): Zhuoying Cai + * + * SPDX-License-Identifier: GPL-2.0-or-later + */ + +#ifndef HW_S390_CERT_STORE_H +#define HW_S390_CERT_STORE_H + +#include "hw/s390x/ipl/qipl.h" +#include "crypto/x509-utils.h" + +#define VC_NAME_LEN_BYTES 64 + +#define CERT_KEY_ID_LEN QCRYPTO_HASH_DIGEST_LEN_SHA256 +#define CERT_HASH_LEN QCRYPTO_HASH_DIGEST_LEN_SHA256 + +struct S390IPLCertificate { + uint8_t vc_name[VC_NAME_LEN_BYTES]; + size_t size; + size_t der_size; + uint8_t *raw; +}; +typedef struct S390IPLCertificate S390IPLCertificate; + +struct S390IPLCertificateStore { + uint16_t count; + size_t max_cert_size; + size_t total_bytes; + S390IPLCertificate certs[MAX_CERTIFICATES]; +} QEMU_PACKED; +typedef struct S390IPLCertificateStore S390IPLCertificateStore; + +void s390_ipl_create_cert_store(S390IPLCertificateStore *cert_store); + +#endif diff --git a/hw/s390x/ipl.c b/hw/s390x/ipl.c index 2f082396c7..917166ba31 100644 --- a/hw/s390x/ipl.c +++ b/hw/s390x/ipl.c @@ -35,6 +35,7 @@ #include "qemu/option.h" #include "qemu/ctype.h" #include "standard-headers/linux/virtio_ids.h" +#include "cert-store.h" =20 #define KERN_IMAGE_START 0x010000UL #define LINUX_MAGIC_ADDR 0x010008UL @@ -422,6 +423,20 @@ void s390_ipl_convert_loadparm(char *ascii_lp, uint8_t= *ebcdic_lp) } } =20 +S390IPLCertificateStore *s390_ipl_get_certificate_store(void) +{ + S390IPLState *ipl =3D get_ipl_device(); + + return &ipl->cert_store; +} + +static bool s390_has_certificate(void) +{ + S390IPLState *ipl =3D get_ipl_device(); + + return ipl->cert_store.count > 0; +} + static bool s390_build_iplb(DeviceState *dev_st, IplParameterBlock *iplb) { CcwDevice *ccw_dev =3D NULL; 
@@ -717,6 +732,10 @@ void s390_ipl_prepare_cpu(S390CPU *cpu) =20 if (!ipl->kernel || ipl->iplb_valid) { cpu->env.psw.addr =3D ipl->bios_start_addr; + /* initialize cert store if it's empty */ + if (!s390_has_certificate()) { + s390_ipl_create_cert_store(&ipl->cert_store); + } if (!ipl->iplb_valid) { ipl->iplb_valid =3D s390_init_all_iplbs(ipl); } else { diff --git a/hw/s390x/ipl.h b/hw/s390x/ipl.h index 8f83c7da29..bee72dfbb3 100644 --- a/hw/s390x/ipl.h +++ b/hw/s390x/ipl.h @@ -13,6 +13,7 @@ #ifndef HW_S390_IPL_H #define HW_S390_IPL_H =20 +#include "cert-store.h" #include "cpu.h" #include "exec/target_page.h" #include "system/address-spaces.h" @@ -35,6 +36,7 @@ int s390_ipl_pv_unpack(struct S390PVResponse *pv_resp); void s390_ipl_prepare_cpu(S390CPU *cpu); IplParameterBlock *s390_ipl_get_iplb(void); IplParameterBlock *s390_ipl_get_iplb_pv(void); +S390IPLCertificateStore *s390_ipl_get_certificate_store(void); =20 enum s390_reset { /* default is a reset not triggered by a CPU e.g. issued by QMP */ @@ -64,6 +66,7 @@ struct S390IPLState { IplParameterBlock iplb; IplParameterBlock iplb_pv; QemuIplParameters qipl; + S390IPLCertificateStore cert_store; uint64_t start_addr; uint64_t compat_start_addr; uint64_t bios_start_addr; diff --git a/hw/s390x/meson.build b/hw/s390x/meson.build index 8866012ddc..80d3d4a74d 100644 --- a/hw/s390x/meson.build +++ b/hw/s390x/meson.build @@ -17,6 +17,7 @@ s390x_ss.add(files( 'sclpcpu.c', 'sclpquiesce.c', 'tod.c', + 'cert-store.c', )) s390x_ss.add(when: 'CONFIG_KVM', if_true: files( 'tod-kvm.c', diff --git a/include/hw/s390x/ipl/qipl.h b/include/hw/s390x/ipl/qipl.h index 6824391111..e505f44020 100644 --- a/include/hw/s390x/ipl/qipl.h +++ b/include/hw/s390x/ipl/qipl.h 
@@ -20,6 +20,8 @@ #define LOADPARM_LEN 8 #define NO_LOADPARM "\0\0\0\0\0\0\0\0" =20 +#define MAX_CERTIFICATES 64 + /* * The QEMU IPL Parameters will be stored at absolute address * 204 (0xcc) which means it is 32-bit word aligned but not --=20 2.50.1
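Review bot: get_cert_paths() in hw/s390x/cert-store.c calls qapi_free_BootCertificateList(path_list) on both the success path and the fail path, but path_list is the pointer s390_get_boot_certs() returns straight from the machine's boot_certs field, so the machine object is left holding freed memory. s390_ipl_prepare_cpu() calls s390_ipl_create_cert_store() again whenever the store count is still 0 (for example when the configured directories hold no .pem files), and that second pass would walk the freed list. Leave the list owned by the machine, or clear boot_certs where it is freed. In the same file, s390_ipl_create_cert_store() never frees the S390IPLCertificate that init_cert() allocates with g_new0() once update_cert_store() has copied it by value, so each certificate leaks one struct; a g_free(cert) after the copy closes that, since the raw buffer stays referenced by the stored copy.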
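Review bot: the note added to docs/specs/s390x-secure-ipl.rst ("A maximum of 64 certificates are allowed") and `MAX_CERTIFICATES 64` in include/hw/s390x/ipl/qipl.h do not match the bound enforced in s390_ipl_create_cert_store(), where `cert_path_builder->len > MAX_CERTIFICATES - 1` already rejects a list of exactly 64 paths while the error text prints MAX_CERTIFICATES. Compare against MAX_CERTIFICATES, which the certs[] array can hold, or, if a limit of 63 is intended, correct the message and the documentation.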
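Review bot: struct S390IPLCertificateStore in hw/s390x/cert-store.h is marked QEMU_PACKED although this patch only uses it as host-side state embedded in S390IPLState. With a uint16_t count followed by size_t fields and an array of structs that carry a pointer, packing leaves those members misaligned for every access through cert_store->certs[...] and &ipl->cert_store. Drop QEMU_PACKED here; if a later patch needs a guest-visible layout, that layout should be a separate fixed-width struct without size_t or pointer members.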
From: Zhuoying Cai
To: thuth@redhat.com, berrange@redhat.com, richard.henderson@linaro.org, david@redhat.com, jrossi@linux.ibm.com, qemu-s390x@nongnu.org, qemu-devel@nongnu.org
Cc: walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com
Subject: [PATCH v6 05/28] s390x/diag: Introduce DIAG 320 for Certificate Store Facility
Date: Wed, 17 Sep 2025 19:21:07 -0400
Message-ID: <20250917232131.495848-6-zycai@linux.ibm.com>
In-Reply-To: <20250917232131.495848-1-zycai@linux.ibm.com>
References: <20250917232131.495848-1-zycai@linux.ibm.com>

DIAGNOSE 320 is introduced to support Certificate Store (CS) Facility,
which includes operations such as query certificate storage information
and provide certificates in the certificate store.

Currently, only subcode 0 is supported with this patch, which is used to
query the Installed Subcodes Mask (ISM). This subcode is only supported
when the CS facility is enabled.

Availability of CS facility is determined by byte 134 bit 5 of the SCLP
Read Info block. Byte 134's facilities cannot be represented without the
availability of the extended-length-SCCB, so add it as a check for
consistency.

Note: secure IPL is not available for Secure Execution (SE) guests, as their images are already integrity protected, and an additional protection of the kernel by secure IPL is not necessary. This feature is available starting with the gen16 CPU model. Signed-off-by: Zhuoying Cai Reviewed-by: Collin Walling Reviewed-by: Farhan Ali --- docs/specs/s390x-secure-ipl.rst | 12 ++++++++ include/hw/s390x/ipl/diag320.h | 20 +++++++++++++ target/s390x/cpu_features.c | 1 + target/s390x/cpu_features_def.h.inc | 1 + target/s390x/cpu_models.c | 2 ++ target/s390x/diag.c | 44 +++++++++++++++++++++++++++++ target/s390x/gen-features.c | 3 ++ target/s390x/kvm/kvm.c | 16 +++++++++++ target/s390x/s390x-internal.h | 2 ++ target/s390x/tcg/misc_helper.c | 7 +++++ 10 files changed, 108 insertions(+) create mode 100644 include/hw/s390x/ipl/diag320.h diff --git a/docs/specs/s390x-secure-ipl.rst b/docs/specs/s390x-secure-ipl.= rst index 9b1de5c604..30ddc81c2b 100644 --- a/docs/specs/s390x-secure-ipl.rst +++ b/docs/specs/s390x-secure-ipl.rst @@ -13,3 +13,15 @@ will keep track of the number of certificates, their res= pective size, and a summation of the sizes. =20 Note: A maximum of 64 certificates are allowed to be stored in the certifi= cate store. + +DIAGNOSE function code 'X'320' - Certificate Store Facility +----------------------------------------------------------- + +DIAGNOSE 'X'320' is used to provide support for userspace to directly +query the s390 certificate store. Userspace may be the s390-ccw BIOS or +the guest kernel. + +Subcode 0 - query installed subcodes + Returns a 256-bit installed subcodes mask (ISM) stored in the installed + subcodes block (ISB). This mask indicates which sucodes are currently + installed and available for use. diff --git a/include/hw/s390x/ipl/diag320.h b/include/hw/s390x/ipl/diag320.h new file mode 100644 index 0000000000..aa04b699c6 --- /dev/null +++ b/include/hw/s390x/ipl/diag320.h 
@@ -0,0 +1,20 @@ +/* + * S/390 DIAGNOSE 320 definitions and structures + * + * Copyright 2025 IBM Corp. + * Author(s): Zhuoying Cai + * + * SPDX-License-Identifier: GPL-2.0-or-later + */ + +#ifndef S390X_DIAG320_H +#define S390X_DIAG320_H + +#define DIAG_320_SUBC_QUERY_ISM 0 + +#define DIAG_320_RC_OK 0x0001 +#define DIAG_320_RC_NOT_SUPPORTED 0x0102 + +#define DIAG_320_ISM_QUERY_SUBCODES 0x80000000 + +#endif diff --git a/target/s390x/cpu_features.c b/target/s390x/cpu_features.c index 4b5be6798e..436471f4b4 100644 --- a/target/s390x/cpu_features.c +++ b/target/s390x/cpu_features.c @@ -147,6 +147,7 @@ void s390_fill_feat_block(const S390FeatBitmap features= , S390FeatType type, break; case S390_FEAT_TYPE_SCLP_FAC134: clear_be_bit(s390_feat_def(S390_FEAT_DIAG_318)->bit, data); + clear_be_bit(s390_feat_def(S390_FEAT_CERT_STORE)->bit, data); break; default: return; diff --git a/target/s390x/cpu_features_def.h.inc b/target/s390x/cpu_feature= s_def.h.inc index c017bffcdc..941a69e013 100644 --- a/target/s390x/cpu_features_def.h.inc +++ b/target/s390x/cpu_features_def.h.inc @@ -138,6 +138,7 @@ DEF_FEAT(SIE_IBS, "ibs", SCLP_CONF_CHAR_EXT, 10, "SIE: = Interlock-and-broadcast-s =20 /* Features exposed via SCLP SCCB Facilities byte 134 (bit numbers relativ= e to byte-134) */ DEF_FEAT(DIAG_318, "diag318", SCLP_FAC134, 0, "Control program name and ve= rsion codes") +DEF_FEAT(CERT_STORE, "cstore", SCLP_FAC134, 5, "Provide Certificate Store = functions") =20 /* Features exposed via SCLP CPU info. */ DEF_FEAT(SIE_F2, "sief2", SCLP_CPU, 4, "SIE: interception format 2 (Virtua= l SIE)") diff --git a/target/s390x/cpu_models.c b/target/s390x/cpu_models.c index 954a7a99a9..6b8471700e 100644 --- a/target/s390x/cpu_models.c +++ b/target/s390x/cpu_models.c @@ -248,6 +248,7 @@ bool s390_has_feat(S390Feat feat) if (s390_is_pv()) { switch (feat) { case S390_FEAT_DIAG_318: + case S390_FEAT_CERT_STORE: case S390_FEAT_HPMA2: case S390_FEAT_SIE_F2: case S390_FEAT_SIE_SKEY: 
@@ -505,6 +506,7 @@ static void check_consistency(const S390CPUModel *model) { S390_FEAT_PTFF_STOUE, S390_FEAT_MULTIPLE_EPOCH }, { S390_FEAT_AP_QUEUE_INTERRUPT_CONTROL, S390_FEAT_AP }, { S390_FEAT_DIAG_318, S390_FEAT_EXTENDED_LENGTH_SCCB }, + { S390_FEAT_CERT_STORE, S390_FEAT_EXTENDED_LENGTH_SCCB }, { S390_FEAT_NNPA, S390_FEAT_VECTOR }, { S390_FEAT_RDP, S390_FEAT_LOCAL_TLB_CLEARING }, { S390_FEAT_UV_FEAT_AP, S390_FEAT_AP }, diff --git a/target/s390x/diag.c b/target/s390x/diag.c index cff9fbc4b0..a35d808fd7 100644 --- a/target/s390x/diag.c +++ b/target/s390x/diag.c @@ -18,6 +18,7 @@ #include "hw/watchdog/wdt_diag288.h" #include "system/cpus.h" #include "hw/s390x/ipl.h" +#include "hw/s390x/ipl/diag320.h" #include "hw/s390x/s390-virtio-ccw.h" #include "system/kvm.h" #include "kvm/kvm_s390x.h" @@ -191,3 +192,46 @@ out: break; } } + +void handle_diag_320(CPUS390XState *env, uint64_t r1, uint64_t r3, uintptr= _t ra) +{ + S390CPU *cpu =3D env_archcpu(env); + uint64_t subcode =3D env->regs[r3]; + uint64_t addr =3D env->regs[r1]; + + if (env->psw.mask & PSW_MASK_PSTATE) { + s390_program_interrupt(env, PGM_PRIVILEGED, ra); + return; + } + + if (!s390_has_feat(S390_FEAT_CERT_STORE)) { + s390_program_interrupt(env, PGM_SPECIFICATION, ra); + return; + } + + if ((subcode & ~0x000ffULL) || (r1 & 1)) { + s390_program_interrupt(env, PGM_SPECIFICATION, ra); + return; + } + + switch (subcode) { + case DIAG_320_SUBC_QUERY_ISM: + /* + * The Installed Subcode Block (ISB) can be up 8 words in size, + * but the current set of subcodes can fit within a single word + * for now. + */ + uint32_t ism_word0 =3D cpu_to_be32(DIAG_320_ISM_QUERY_SUBCODES); + + if (s390_cpu_virt_mem_write(cpu, addr, r1, &ism_word0, sizeof(ism_= word0))) { + s390_cpu_virt_mem_handle_exc(cpu, ra); + return; + } + + env->regs[r1 + 1] =3D DIAG_320_RC_OK; + break; + default: + env->regs[r1 + 1] =3D DIAG_320_RC_NOT_SUPPORTED; + break; + } +} 
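Review bot: in handle_diag_320() (target/s390x/diag.c), the DIAG_320_SUBC_QUERY_ISM case writes only `sizeof(ism_word0)`, that is 4 bytes, to the guest address, while the documentation added by this same patch describes the result as a 256-bit installed subcodes mask in the ISB. The other 28 bytes keep whatever the guest buffer held, so a guest that tests bits beyond word 0 can read stale data as installed subcodes. Write a zero-initialised 8-word block with word 0 set to DIAG_320_ISM_QUERY_SUBCODES. The `uint32_t ism_word0` declaration also sits directly under the case label with no enclosing braces, which is only valid from C23 on, so wrap the case body in braces. The comment above it reads "can be up 8 words" and is missing "to".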
diff --git a/target/s390x/gen-features.c b/target/s390x/gen-features.c index 8218e6470e..6c20c3a862 100644 --- a/target/s390x/gen-features.c +++ b/target/s390x/gen-features.c @@ -720,6 +720,7 @@ static uint16_t full_GEN16_GA1[] =3D { S390_FEAT_PAIE, S390_FEAT_UV_FEAT_AP, S390_FEAT_UV_FEAT_AP_INTR, + S390_FEAT_CERT_STORE, }; =20 static uint16_t full_GEN17_GA1[] =3D { @@ -919,6 +920,8 @@ static uint16_t qemu_MAX[] =3D { S390_FEAT_KIMD_SHA_512, S390_FEAT_KLMD_SHA_512, S390_FEAT_PRNO_TRNG, + S390_FEAT_EXTENDED_LENGTH_SCCB, + S390_FEAT_CERT_STORE, }; =20 /****** END FEATURE DEFS ******/ diff --git a/target/s390x/kvm/kvm.c b/target/s390x/kvm/kvm.c index 8ee33924df..5510fc2fc5 100644 --- a/target/s390x/kvm/kvm.c +++ b/target/s390x/kvm/kvm.c @@ -98,6 +98,7 @@ #define DIAG_TIMEREVENT 0x288 #define DIAG_IPL 0x308 #define DIAG_SET_CONTROL_PROGRAM_CODES 0x318 +#define DIAG_CERT_STORE 0x320 #define DIAG_KVM_HYPERCALL 0x500 #define DIAG_KVM_BREAKPOINT 0x501 =20 @@ -1560,6 +1561,16 @@ static void handle_diag_318(S390CPU *cpu, struct kvm= _run *run) } } =20 +static void kvm_handle_diag_320(S390CPU *cpu, struct kvm_run *run) +{ + uint64_t r1, r3; + + r1 =3D (run->s390_sieic.ipa & 0x00f0) >> 4; + r3 =3D run->s390_sieic.ipa & 0x000f; + + handle_diag_320(&cpu->env, r1, r3, RA_IGNORED); +} + #define DIAG_KVM_CODE_MASK 0x000000000000ffff =20 static int handle_diag(S390CPU *cpu, struct kvm_run *run, uint32_t ipb) @@ -1590,6 +1601,9 @@ static int handle_diag(S390CPU *cpu, struct kvm_run *= run, uint32_t ipb) case DIAG_KVM_BREAKPOINT: r =3D handle_sw_breakpoint(cpu, run); break; + case DIAG_CERT_STORE: + kvm_handle_diag_320(cpu, run); + break; default: trace_kvm_insn_diag(func_code); kvm_s390_program_interrupt(cpu, PGM_SPECIFICATION); 
@@ -2490,6 +2504,8 @@ bool kvm_s390_get_host_cpu_model(S390CPUModel *model,= Error **errp) set_bit(S390_FEAT_DIAG_318, model->features); } =20 + set_bit(S390_FEAT_CERT_STORE, model->features); + /* Test for Ultravisor features that influence secure guest behavior */ query_uv_feat_guest(model->features); =20 diff --git a/target/s390x/s390x-internal.h b/target/s390x/s390x-internal.h index 56cce2e7f5..ecff2d07a1 100644 --- a/target/s390x/s390x-internal.h +++ b/target/s390x/s390x-internal.h @@ -391,6 +391,8 @@ int mmu_translate_real(CPUS390XState *env, target_ulong= raddr, int rw, int handle_diag_288(CPUS390XState *env, uint64_t r1, uint64_t r3); void handle_diag_308(CPUS390XState *env, uint64_t r1, uint64_t r3, uintptr_t ra); +void handle_diag_320(CPUS390XState *env, uint64_t r1, uint64_t r3, + uintptr_t ra); =20 =20 /* translate.c */ diff --git a/target/s390x/tcg/misc_helper.c b/target/s390x/tcg/misc_helper.c index f7101be574..412c34ed93 100644 --- a/target/s390x/tcg/misc_helper.c +++ b/target/s390x/tcg/misc_helper.c 
@@ -142,6 +142,13 @@ void HELPER(diag)(CPUS390XState *env, uint32_t r1, uin= t32_t r3, uint32_t num) /* time bomb (watchdog) */ r =3D handle_diag_288(env, r1, r3); break; + case 0x320: + /* cert store */ + bql_lock(); + handle_diag_320(env, r1, r3, GETPC()); + bql_unlock(); + r =3D 0; + break; default: r =3D -1; break; --=20 2.50.1
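Review bot: In the kvm_s390_get_host_cpu_model() hunk of target/s390x/kvm/kvm.c, S390_FEAT_CERT_STORE is set unconditionally, while the S390_FEAT_DIAG_318 bit just above it is set inside a conditional block. If the reason is that DIAG 320 is handled entirely in QEMU and needs no host capability, a one-line comment saying so at the set_bit() call would keep a later reader from treating it as a missing probe.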
From: Zhuoying Cai
To: thuth@redhat.com, berrange@redhat.com, richard.henderson@linaro.org, david@redhat.com, jrossi@linux.ibm.com, qemu-s390x@nongnu.org, qemu-devel@nongnu.org
Cc: walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com
Subject: [PATCH v6 06/28] s390x/diag: Refactor address validation check from diag308_parm_check
Date: Wed, 17 Sep 2025 19:21:08 -0400
Message-ID: <20250917232131.495848-7-zycai@linux.ibm.com>
In-Reply-To: <20250917232131.495848-1-zycai@linux.ibm.com>
References: <20250917232131.495848-1-zycai@linux.ibm.com>

Create a function to validate the address parameter of DIAGNOSE. Refactor the function for reuse in the next patch, which allows address validation in read or write operation of DIAGNOSE.

Signed-off-by: Zhuoying Cai
Reviewed-by: Farhan Ali
--- hw/s390x/ipl.h | 6 ++++++ target/s390x/diag.c | 4 +--- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/hw/s390x/ipl.h b/hw/s390x/ipl.h index bee72dfbb3..e26fc1cd6a 100644 --- a/hw/s390x/ipl.h +++ b/hw/s390x/ipl.h
@@ -118,6 +118,12 @@ QEMU_BUILD_BUG_MSG(offsetof(S390IPLState, iplb) & 3, "= alignment of iplb wrong"); #define S390_IPLB_MIN_FCP_LEN 384 #define S390_IPLB_MIN_QEMU_SCSI_LEN 200 =20 +static inline bool diag_parm_addr_valid(uint64_t addr, size_t size, bool w= rite) +{ + return address_space_access_valid(&address_space_memory, addr, + size, write, MEMTXATTRS_UNSPECIFIED); +} + static inline bool iplb_valid_len(IplParameterBlock *iplb) { return be32_to_cpu(iplb->len) <=3D sizeof(IplParameterBlock); diff --git a/target/s390x/diag.c b/target/s390x/diag.c index a35d808fd7..e67ee57f01 100644 --- a/target/s390x/diag.c +++ b/target/s390x/diag.c 
@@ -65,9 +65,7 @@ static int diag308_parm_check(CPUS390XState *env, uint64_= t r1, uint64_t addr, s390_program_interrupt(env, PGM_SPECIFICATION, ra); return -1; } - if (!address_space_access_valid(&address_space_memory, addr, - sizeof(IplParameterBlock), write, - MEMTXATTRS_UNSPECIFIED)) { + if (!diag_parm_addr_valid(addr, sizeof(IplParameterBlock), write)) { s390_program_interrupt(env, PGM_ADDRESSING, ra); return -1; } --=20 2.50.1
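Review bot: diag_parm_addr_valid() in hw/s390x/ipl.h has no comment saying what kind of address it expects. It checks addr against address_space_memory, so it is only meaningful for an absolute guest address; since the helper is factored out for reuse by other DIAGNOSE handlers, document that and the meaning of the write flag at the definition, so that a caller holding a logical address does not rely on it as its bounds check. If ipl.h does not already include the header that declares address_space_access_valid() and MEMTXATTRS_UNSPECIFIED, adding it here would keep the header self-contained now that an inline function uses them.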
From: Zhuoying Cai
To: thuth@redhat.com, berrange@redhat.com, richard.henderson@linaro.org, david@redhat.com, jrossi@linux.ibm.com, qemu-s390x@nongnu.org, qemu-devel@nongnu.org
Cc: walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com
Subject: [PATCH v6 07/28] s390x/diag: Implement DIAG 320 subcode 1
Date: Wed, 17 Sep 2025 19:21:09 -0400
Message-ID: <20250917232131.495848-8-zycai@linux.ibm.com>
In-Reply-To: <20250917232131.495848-1-zycai@linux.ibm.com>
References: <20250917232131.495848-1-zycai@linux.ibm.com>

DIAG 320 subcode 1 provides information needed to determine the amount of storage to store one or more certificates from the certificate store. Upon successful completion, this subcode returns information of the current cert store, such as the number of certificates stored and allowed in the cert store, the amount of space that may need to be allocated to store a certificate, etc. for verification-certificate blocks (VCBs). The subcode value is denoted by setting the left-most bit of an 8-byte field. The verification-certificate-storage-size block (VCSSB) contains the output data when the operation completes successfully. A VCSSB length of 4 indicates that no certificates are available in the cert store.

Signed-off-by: Zhuoying Cai Reviewed-by: Farhan Ali --- docs/specs/s390x-secure-ipl.rst | 10 ++++++ include/hw/s390x/ipl/diag320.h | 22 ++++++++++++ target/s390x/diag.c | 59 ++++++++++++++++++++++++++++++++- 3 files changed, 90 insertions(+), 1 deletion(-) diff --git a/docs/specs/s390x-secure-ipl.rst b/docs/specs/s390x-secure-ipl.= rst index 30ddc81c2b..4217f19c84 100644 --- a/docs/specs/s390x-secure-ipl.rst +++ b/docs/specs/s390x-secure-ipl.rst @@ -25,3 +25,13 @@ Subcode 0 - query installed subcodes Returns a 256-bit installed subcodes mask (ISM) stored in the installed subcodes block (ISB). This mask indicates which sucodes are currently installed and available for use. + +Subcode 1 - query verification certificate storage information + Provides the information required to determine the amount of memory ne= eded to + store one or more verification-certificates (VCs) from the certificate= store (CS). + + Upon successful completion, this subcode returns various storage size = values for + verification-certificate blocks (VCBs). + + The output is returned in the verification-certificate-storage-size bl= ock (VCSSB). + A VCSSB length of 4 indicates that no certificates are available in th= e CS. diff --git a/include/hw/s390x/ipl/diag320.h b/include/hw/s390x/ipl/diag320.h index aa04b699c6..6e4779c699 100644 --- a/include/hw/s390x/ipl/diag320.h +++ b/include/hw/s390x/ipl/diag320.h 
@@ -11,10 +11,32 @@ #define S390X_DIAG320_H =20 #define DIAG_320_SUBC_QUERY_ISM 0 +#define DIAG_320_SUBC_QUERY_VCSI 1 =20 #define DIAG_320_RC_OK 0x0001 #define DIAG_320_RC_NOT_SUPPORTED 0x0102 +#define DIAG_320_RC_INVAL_VCSSB_LEN 0x0202 =20 #define DIAG_320_ISM_QUERY_SUBCODES 0x80000000 +#define DIAG_320_ISM_QUERY_VCSI 0x40000000 + +#define VCSSB_NO_VC 4 +#define VCSSB_MIN_LEN 128 +#define VCE_HEADER_LEN 128 +#define VCB_HEADER_LEN 64 + +struct VCStorageSizeBlock { + uint32_t length; + uint8_t reserved0[3]; + uint8_t version; + uint32_t reserved1[6]; + uint16_t total_vc_ct; + uint16_t max_vc_ct; + uint32_t reserved3[11]; + uint32_t max_single_vcb_len; + uint32_t total_vcb_len; + uint32_t reserved4[10]; +}; +typedef struct VCStorageSizeBlock VCStorageSizeBlock; =20 #endif diff --git a/target/s390x/diag.c b/target/s390x/diag.c index e67ee57f01..4e6de483b8 100644 --- a/target/s390x/diag.c +++ b/target/s390x/diag.c 
@@ -191,11 +191,50 @@ out: } } =20 +static int handle_diag320_query_vcsi(S390CPU *cpu, uint64_t addr, uint64_t= r1, + uintptr_t ra, S390IPLCertificateStore= *qcs) +{ + g_autofree VCStorageSizeBlock *vcssb =3D NULL; + + vcssb =3D g_new0(VCStorageSizeBlock, 1); + if (s390_cpu_virt_mem_read(cpu, addr, r1, vcssb, sizeof(*vcssb))) { + s390_cpu_virt_mem_handle_exc(cpu, ra); + return -1; + } + + if (be32_to_cpu(vcssb->length) < VCSSB_MIN_LEN) { + return DIAG_320_RC_INVAL_VCSSB_LEN; + } + + if (!qcs->count) { + vcssb->length =3D cpu_to_be32(VCSSB_NO_VC); + } else { + vcssb->version =3D 0; + vcssb->total_vc_ct =3D cpu_to_be16(qcs->count); + vcssb->max_vc_ct =3D cpu_to_be16(MAX_CERTIFICATES); + vcssb->max_single_vcb_len =3D cpu_to_be32(VCB_HEADER_LEN + VCE_HEA= DER_LEN + + qcs->max_cert_size); + vcssb->total_vcb_len =3D cpu_to_be32(VCB_HEADER_LEN + qcs->count *= VCE_HEADER_LEN + + qcs->total_bytes); + } + + if (s390_cpu_virt_mem_write(cpu, addr, r1, vcssb, be32_to_cpu(vcssb->l= ength))) { + s390_cpu_virt_mem_handle_exc(cpu, ra); + return -1; + } + return DIAG_320_RC_OK; +} + +QEMU_BUILD_BUG_MSG(sizeof(VCStorageSizeBlock) !=3D VCSSB_MIN_LEN, + "size of VCStorageSizeBlock is wrong"); + void handle_diag_320(CPUS390XState *env, uint64_t r1, uint64_t r3, uintptr= _t ra) { S390CPU *cpu =3D env_archcpu(env); + S390IPLCertificateStore *qcs =3D s390_ipl_get_certificate_store(); uint64_t subcode =3D env->regs[r3]; uint64_t addr =3D env->regs[r1]; + int rc; =20 if (env->psw.mask & PSW_MASK_PSTATE) { s390_program_interrupt(env, PGM_PRIVILEGED, ra); 
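Review bot: In handle_diag320_query_vcsi() the write-back size is taken from the guest without an upper bound. When qcs->count is non-zero, vcssb->length stays as read from guest memory, is only compared against the lower bound VCSSB_MIN_LEN, and is then passed as the size to s390_cpu_virt_mem_write(cpu, addr, r1, vcssb, be32_to_cpu(vcssb->length)). vcssb is a single VCStorageSizeBlock (128 bytes per the build-time check), so any guest-supplied length above 128 makes QEMU copy memory beyond that allocation into the guest. Cap the copy at sizeof(*vcssb), or set vcssb->length to VCSSB_MIN_LEN before the write. The reserved fields read from the guest are also written back unchanged; zeroing the block after the length check would make the output independent of guest input.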
@@ -219,7 +258,8 @@ void handle_diag_320(CPUS390XState *env, uint64_t r1, u= int64_t r3, uintptr_t ra) * but the current set of subcodes can fit within a single word * for now. */ - uint32_t ism_word0 =3D cpu_to_be32(DIAG_320_ISM_QUERY_SUBCODES); + uint32_t ism_word0 =3D cpu_to_be32(DIAG_320_ISM_QUERY_SUBCODES | + DIAG_320_ISM_QUERY_VCSI); =20 if (s390_cpu_virt_mem_write(cpu, addr, r1, &ism_word0, sizeof(ism_= word0))) { s390_cpu_virt_mem_handle_exc(cpu, ra); 
@@ -228,6 +268,23 @@ void handle_diag_320(CPUS390XState *env, uint64_t r1, = uint64_t r3, uintptr_t ra) =20 env->regs[r1 + 1] =3D DIAG_320_RC_OK; break; + case DIAG_320_SUBC_QUERY_VCSI: + if (!diag_parm_addr_valid(addr, sizeof(VCStorageSizeBlock), true))= { + s390_program_interrupt(env, PGM_ADDRESSING, ra); + return; + } + + if (addr & 0x7) { + s390_program_interrupt(env, PGM_ADDRESSING, ra); + return; + } + + rc =3D handle_diag320_query_vcsi(cpu, addr, r1, ra, qcs); + if (rc =3D=3D -1) { + return; + } + env->regs[r1 + 1] =3D rc; + break; default: env->regs[r1 + 1] =3D DIAG_320_RC_NOT_SUPPORTED; break; --=20 2.50.1
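Review bot: In the DIAG_320_SUBC_QUERY_VCSI case, addr is validated with diag_parm_addr_valid(), which checks address_space_memory, but handle_diag320_query_vcsi() then accesses the block through s390_cpu_virt_mem_read() and s390_cpu_virt_mem_write() with r1 as the access register, that is, as a logical address. With address translation active the validated range and the accessed range need not be the same memory, so the pre-check does not bound the access that follows. Either treat the operand as one address type throughout, or drop the pre-check and rely on the exception path of the virt_mem helpers, which the handler already takes via s390_cpu_virt_mem_handle_exc().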
From: Zhuoying Cai
To: thuth@redhat.com, berrange@redhat.com, richard.henderson@linaro.org, david@redhat.com, jrossi@linux.ibm.com, qemu-s390x@nongnu.org, qemu-devel@nongnu.org
Cc: walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com
Subject: [PATCH v6 08/28] crypto/x509-utils: Add helper functions for DIAG 320 subcode 2
Date: Wed, 17 Sep 2025 19:21:10 -0400
Message-ID: <20250917232131.495848-9-zycai@linux.ibm.com>
In-Reply-To: <20250917232131.495848-1-zycai@linux.ibm.com>
References: <20250917232131.495848-1-zycai@linux.ibm.com>

Introduce new helper functions to extract certificate metadata needed for DIAG 320 subcode 2:

qcrypto_x509_check_cert_times() - validates the certificate's validity period against the current time
qcrypto_x509_get_pk_algorithm() - returns the public key algorithm used in the certificate
qcrypto_x509_get_cert_key_id() - extracts the key ID from the certificate
qcrypto_x509_is_ecc_curve_p521() - determines whether the ECC public key algorithm uses the P-521 curve

These functions provide support for metadata extraction and validity checking for X.509 certificates.

Signed-off-by: Zhuoying Cai
--- crypto/x509-utils.c | 248 ++++++++++++++++++++++++++++++++++++ include/crypto/x509-utils.h | 72 +++++++++++ 2 files changed, 320 insertions(+)
diff --git a/crypto/x509-utils.c b/crypto/x509-utils.c index 5d43b0ec96..763eccb190 100644 --- a/crypto/x509-utils.c +++ b/crypto/x509-utils.c @@ -27,6 +27,25 @@ static const int qcrypto_to_gnutls_hash_alg_map[QCRYPTO_= HASH_ALGO__MAX] =3D { [QCRYPTO_HASH_ALGO_RIPEMD160] =3D GNUTLS_DIG_RMD160, }; =20 +static const int gnutls_to_qcrypto_pk_alg_map[] =3D { + [GNUTLS_PK_RSA] =3D QCRYPTO_PK_ALGO_RSA, + [GNUTLS_PK_DSA] =3D QCRYPTO_PK_ALGO_DSA, + [GNUTLS_PK_ECDSA] =3D QCRYPTO_PK_ALGO_ECDSA, + [GNUTLS_PK_RSA_OAEP] =3D QCRYPTO_PK_ALGO_RSA_OAEP, + [GNUTLS_PK_EDDSA_ED25519] =3D QCRYPTO_PK_ALGO_ED25519, + [GNUTLS_PK_EDDSA_ED448] =3D QCRYPTO_PK_ALGO_ED448, +}; + +static const int qcrypto_to_gnutls_keyid_flags_map[] =3D { + [QCRYPTO_HASH_ALGO_MD5] =3D -1, + [QCRYPTO_HASH_ALGO_SHA1] =3D GNUTLS_KEYID_USE_SHA1, + [QCRYPTO_HASH_ALGO_SHA224] =3D -1, + [QCRYPTO_HASH_ALGO_SHA256] =3D GNUTLS_KEYID_USE_SHA256, + [QCRYPTO_HASH_ALGO_SHA384] =3D -1, + [QCRYPTO_HASH_ALGO_SHA512] =3D GNUTLS_KEYID_USE_SHA512, + [QCRYPTO_HASH_ALGO_RIPEMD160] =3D -1, +}; + int qcrypto_get_x509_cert_fingerprint(uint8_t *cert, size_t size, QCryptoHashAlgo alg, uint8_t *result, 
@@ -122,6 +141,207 @@ cleanup: return ret; } =20 +int qcrypto_x509_check_cert_times(uint8_t *cert, size_t size, Error **errp) +{ + int rc; + int ret =3D -1; + gnutls_x509_crt_t crt; + gnutls_datum_t datum =3D {.data =3D cert, .size =3D size}; + time_t now =3D time(0); + time_t exp_time; + time_t act_time; + + if (now =3D=3D ((time_t)-1)) { + error_setg_errno(errp, errno, "Cannot get current time"); + return ret; + } + + rc =3D gnutls_x509_crt_init(&crt); + if (rc < 0) { + error_setg(errp, "Failed to initialize certificate: %s", gnutls_st= rerror(rc)); + return ret; + } + + rc =3D gnutls_x509_crt_import(crt, &datum, GNUTLS_X509_FMT_PEM); + if (rc !=3D 0) { + error_setg(errp, "Failed to import certificate: %s", gnutls_strerr= or(rc)); + goto cleanup; + } + + exp_time =3D gnutls_x509_crt_get_expiration_time(crt); + if (exp_time =3D=3D ((time_t)-1)) { + error_setg(errp, "Failed to get certificate expiration time"); + goto cleanup; + } + if (exp_time < now) { + error_setg(errp, "The certificate has expired"); + goto cleanup; + } + + act_time =3D gnutls_x509_crt_get_activation_time(crt); + if (act_time =3D=3D ((time_t)-1)) { + error_setg(errp, "Failed to get certificate activation time"); + goto cleanup; + } + if (act_time > now) { + error_setg(errp, "The certificate is not yet active"); + goto cleanup; + } + + ret =3D 0; + +cleanup: + gnutls_x509_crt_deinit(crt); + return ret; +} + +int qcrypto_x509_get_pk_algorithm(uint8_t *cert, size_t size, Error **errp) +{ + int rc; + int ret =3D -1; + unsigned int bits; + gnutls_x509_crt_t crt; + gnutls_datum_t datum =3D {.data =3D cert, .size =3D size}; + + rc =3D gnutls_x509_crt_init(&crt); + if (rc < 0) { + error_setg(errp, "Failed to initialize certificate: %s", gnutls_st= rerror(rc)); + return ret; + } + + rc =3D gnutls_x509_crt_import(crt, &datum, GNUTLS_X509_FMT_PEM); + if (rc !=3D 0) { + error_setg(errp, "Failed to import certificate: %s", gnutls_strerr= or(rc)); + goto cleanup; + } + + rc =3D 
gnutls_x509_crt_get_pk_algorithm(crt, &bits); + if (rc >=3D G_N_ELEMENTS(gnutls_to_qcrypto_pk_alg_map)) { + error_setg(errp, "Unknown public key algorithm %d", rc); + goto cleanup; + } + + ret =3D gnutls_to_qcrypto_pk_alg_map[rc]; + +cleanup: + gnutls_x509_crt_deinit(crt); + return ret; +} + +int qcrypto_x509_get_cert_key_id(uint8_t *cert, size_t size, + QCryptoHashAlgo hash_alg, + uint8_t **result, + size_t *resultlen, + Error **errp) +{ + int rc; + int ret =3D -1; + gnutls_x509_crt_t crt; + gnutls_datum_t datum =3D {.data =3D cert, .size =3D size}; + + if (hash_alg >=3D G_N_ELEMENTS(qcrypto_to_gnutls_hash_alg_map)) { + error_setg(errp, "Unknown hash algorithm %d", hash_alg); + return ret; + } + + if (qcrypto_to_gnutls_keyid_flags_map[hash_alg] =3D=3D -1 || + hash_alg >=3D G_N_ELEMENTS(qcrypto_to_gnutls_keyid_flags_map)) { + error_setg(errp, "Unsupported key id flag %d", hash_alg); + return ret; + } + + rc =3D gnutls_x509_crt_init(&crt); + if (rc < 0) { + error_setg(errp, "Failed to initialize certificate: %s", gnutls_st= rerror(rc)); + return ret; + } + + rc =3D gnutls_x509_crt_import(crt, &datum, GNUTLS_X509_FMT_PEM); + if (rc !=3D 0) { + error_setg(errp, "Failed to import certificate: %s", gnutls_strerr= or(rc)); + goto cleanup; + } + + *resultlen =3D gnutls_hash_get_len(qcrypto_to_gnutls_hash_alg_map[hash= _alg]); + if (*resultlen =3D=3D 0) { + error_setg(errp, "Failed to get hash algorithn length: %s", gnutls= _strerror(rc)); + goto cleanup; + } + + *result =3D g_malloc0(*resultlen); + if (gnutls_x509_crt_get_key_id(crt, + qcrypto_to_gnutls_keyid_flags_map[hash_= alg], + *result, resultlen) !=3D 0) { + error_setg(errp, "Failed to get key ID from certificate"); + g_clear_pointer(result, g_free); + goto cleanup; + } + + ret =3D 0; + +cleanup: + gnutls_x509_crt_deinit(crt); + return ret; +} + +static int qcrypto_x509_get_ecc_curve(uint8_t *cert, size_t size, Error **= errp) +{ + int rc; + int ret =3D -1; + gnutls_x509_crt_t crt; + gnutls_datum_t datum =3D {.data 
=3D cert, .size =3D size}; + gnutls_ecc_curve_t curve_id; + gnutls_datum_t x =3D {.data =3D NULL, .size =3D 0}; + gnutls_datum_t y =3D {.data =3D NULL, .size =3D 0}; + + rc =3D gnutls_x509_crt_init(&crt); + if (rc < 0) { + error_setg(errp, "Failed to initialize certificate: %s", gnutls_st= rerror(rc)); + return ret; + } + + rc =3D gnutls_x509_crt_import(crt, &datum, GNUTLS_X509_FMT_PEM); + if (rc !=3D 0) { + error_setg(errp, "Failed to import certificate: %s", gnutls_strerr= or(rc)); + goto cleanup; + } + + rc =3D gnutls_x509_crt_get_pk_ecc_raw(crt, &curve_id, &x, &y); + if (rc !=3D 0) { + error_setg(errp, "Failed to get ECC public key curve: %s", gnutls_= strerror(rc)); + goto cleanup; + } + + ret =3D curve_id; + +cleanup: + gnutls_x509_crt_deinit(crt); + gnutls_free(x.data); + gnutls_free(y.data); + return ret; +} + +int qcrypto_x509_is_ecc_curve_p521(uint8_t *cert, size_t size, Error **err= p) +{ + int curve_id; + + curve_id =3D qcrypto_x509_get_ecc_curve(cert, size, errp); + if (curve_id =3D=3D -1) { + return -1; + } + + if (curve_id =3D=3D GNUTLS_ECC_CURVE_INVALID) { + error_setg(errp, "Invalid ECC curve"); + return -1; + } + + if (curve_id =3D=3D GNUTLS_ECC_CURVE_SECP521R1) { + return 1; + } + + return 0; +} + #else /* ! CONFIG_GNUTLS */ =20 int qcrypto_get_x509_cert_fingerprint(uint8_t *cert, size_t size, 
@@ -143,4 +363,32 @@ int qcrypto_x509_convert_cert_der(uint8_t *cert, size_= t size, return -1; } =20 +int qcrypto_x509_check_cert_times(uint8_t *cert, size_t size, Error **errp) +{ + error_setg(errp, "GNUTLS is required to get certificate times"); + return -1; +} + +int qcrypto_x509_get_pk_algorithm(uint8_t *cert, size_t size, Error **errp) +{ + error_setg(errp, "GNUTLS is required to get public key algorithm"); + return -1; +} + +int qcrypto_x509_get_cert_key_id(uint8_t *cert, size_t size, + QCryptoHashAlgo hash_alg, + uint8_t **result, + size_t *resultlen, + Error **errp) +{ + error_setg(errp, "GNUTLS is required to get key ID"); + return -1; +} + +int qcrypto_x509_is_ecc_curve_p521(uint8_t *cert, size_t size, Error **err= p) +{ + error_setg(errp, "GNUTLS is required to determine ecc curve"); + return -1; +} + #endif /* ! CONFIG_GNUTLS */ diff --git a/include/crypto/x509-utils.h b/include/crypto/x509-utils.h index 4239e3e55a..6fc8d982b7 100644 --- a/include/crypto/x509-utils.h +++ b/include/crypto/x509-utils.h @@ -13,6 +13,15 @@ =20 #include "crypto/hash.h" =20 +typedef enum { + QCRYPTO_PK_ALGO_RSA, + QCRYPTO_PK_ALGO_DSA, + QCRYPTO_PK_ALGO_ECDSA, + QCRYPTO_PK_ALGO_RSA_OAEP, + QCRYPTO_PK_ALGO_ED25519, + QCRYPTO_PK_ALGO_ED448, +} QCryptoPkAlgo; + int qcrypto_get_x509_cert_fingerprint(uint8_t *cert, size_t size, QCryptoHashAlgo hash, uint8_t *result, 
@@ -39,4 +48,67 @@ int qcrypto_x509_convert_cert_der(uint8_t *cert, size_t = size, size_t *resultlen, Error **errp); =20 +/** + * qcrypto_x509_check_cert_times + * @cert: pointer to the raw certificate data + * @size: size of the certificate + * @errp: error pointer + * + * Check whether the activation and expiration times of @cert + * are valid at the current time. + * + * Returns: 0 if the certificate times are valid, + * -1 on error. + */ +int qcrypto_x509_check_cert_times(uint8_t *cert, size_t size, Error **errp= ); + +/** + * qcrypto_x509_get_pk_algorithm + * @cert: pointer to the raw certificate data + * @size: size of the certificate + * @errp: error pointer + * + * Determine the public key algorithm of the @cert. + * + * Returns: a value from the QCryptoPkAlgo enum on success, + * -1 on error. + */ +int qcrypto_x509_get_pk_algorithm(uint8_t *cert, size_t size, Error **errp= ); + +/** + * qcrypto_x509_get_cert_key_id + * @cert: pointer to the raw certificate data + * @size: size of the certificate + * @hash_alg: the hash algorithm flag + * @result: output location for the allocated buffer for key ID + (the function allocates memory which must be freed by the call= er) + * @resultlen: pointer to the size of the buffer + (will be updated with the actual size of key id) + * @errp: error pointer + * + * Retrieve the key ID from the @cert based on the specified @flag. + * + * Returns: 0 if key ID was successfully stored in @result, + * -1 on error. + */ +int qcrypto_x509_get_cert_key_id(uint8_t *cert, size_t size, + QCryptoHashAlgo hash_alg, + uint8_t **result, + size_t *resultlen, + Error **errp); + +/** + * qcrypto_x509_is_ecc_curve_p521 + * @cert: pointer to the raw certificate data + * @size: size of the certificate + * @errp: error pointer + * + * Determine whether the ECC public key in the given certificate uses the = P-521 curve. + * + * Returns: 0 if ECC public key does not use P521 curve. + * 1 if ECC public key uses P521 curve. + -1 on error. 
+ */ +int qcrypto_x509_is_ecc_curve_p521(uint8_t *cert, size_t size, Error **err= p); + #endif --=20 2.50.1
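Review bot: gnutls_to_qcrypto_pk_alg_map, added in the first crypto/x509-utils.c hunk of patch 08, has no "not mapped" value, so every index below the array bound that lacks a designated initializer reads as 0, and 0 is QCRYPTO_PK_ALGO_RSA because it is the first enumerator of QCryptoPkAlgo. qcrypto_x509_get_pk_algorithm() only rejects rc >= G_N_ELEMENTS(gnutls_to_qcrypto_pk_alg_map), so a GnuTLS algorithm id that lands in a gap of the table is returned to the caller as RSA. Use a switch with an explicit default error, or give the table a sentinel and test for it before returning. A negative return from gnutls_x509_crt_get_pk_algorithm() is caught only because the comparison converts rc to unsigned; an explicit rc < 0 check that reports gnutls_strerror(rc) would make that path intentional.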
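Review bot: In qcrypto_x509_get_cert_key_id(), in the large crypto/x509-utils.c hunk of patch 08, the second guard reads qcrypto_to_gnutls_keyid_flags_map[hash_alg] before it tests hash_alg >= G_N_ELEMENTS(qcrypto_to_gnutls_keyid_flags_map), so the bound check cannot protect the lookup. The preceding check is against qcrypto_to_gnutls_hash_alg_map, which is sized QCRYPTO_HASH_ALGO__MAX, while the key-id table is only as long as its last initializer, QCRYPTO_HASH_ALGO_RIPEMD160; any enumerator after that one indexes past the end of the table. Swap the two operands of the || so the range test runs first. In the same function the "Failed to get hash algorithn length" message formats gnutls_strerror(rc) although rc still holds the result of the successful import, and "algorithn" is a typo.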
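Review bot: The doc comment for qcrypto_x509_get_cert_key_id() in the include/crypto/x509-utils.h hunk of patch 08 refers to "the specified @flag", but the parameter is @hash_alg, and it describes @resultlen as a buffer size that "will be updated" although the implementation ignores the incoming value, allocates *result itself and overwrites *resultlen. Document @resultlen as output-only and say that *result is left NULL on failure. The comment for qcrypto_x509_check_cert_times() should also state that -1 is returned for an expired or not-yet-active certificate as well as for a processing error, since the caller cannot tell the two apart from the return value.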
From: Zhuoying Cai
To: thuth@redhat.com, berrange@redhat.com, richard.henderson@linaro.org, david@redhat.com, jrossi@linux.ibm.com, qemu-s390x@nongnu.org, qemu-devel@nongnu.org
Cc: walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com
Subject: [PATCH v6 09/28] s390x/diag: Implement DIAG 320 subcode 2
Date: Wed, 17 Sep 2025 19:21:11 -0400
Message-ID: <20250917232131.495848-10-zycai@linux.ibm.com>
In-Reply-To: <20250917232131.495848-1-zycai@linux.ibm.com>
References: <20250917232131.495848-1-zycai@linux.ibm.com>

DIAG 320 subcode 2 provides verification-certificates (VCs) that are in the certificate store. Only X509 certificates in DER format and SHA-256 hash type are recognized.

The subcode value is denoted by setting the second-left-most bit of an 8-byte field.

The Verification Certificate Block (VCB) contains the output data when the operation completes successfully. It includes a common header followed by zero or more Verification Certificate Entries (VCEs), depending on the VCB input length and the VC range (from the first VC index to the last VC index) in the certificate store.

Each VCE contains information about a certificate retrieved from the S390IPLCertificateStore, such as the certificate name, key type, key ID length, hash length, and the raw certificate data.

The key ID and hash are extracted from the raw certificate by the crypto API.

Note: SHA2-256 VC hash type is required for retrieving the hash (fingerprint) of the certificate.

Signed-off-by: Zhuoying Cai
---
docs/specs/s390x-secure-ipl.rst | 13 ++
include/hw/s390x/ipl/diag320.h | 49 +++++
target/s390x/diag.c | 312 +++++++++++++++++++++++++++++++-
3 files changed, 373 insertions(+), 1 deletion(-)
diff --git a/docs/specs/s390x-secure-ipl.rst b/docs/specs/s390x-secure-ipl.= rst index 4217f19c84..e28f0b40d7 100644 --- a/docs/specs/s390x-secure-ipl.rst +++ b/docs/specs/s390x-secure-ipl.rst @@ -35,3 +35,16 @@ Subcode 1 - query verification certificate storage infor= mation =20 The output is returned in the verification-certificate-storage-size bl= ock (VCSSB). A VCSSB length of 4 indicates that no certificates are available in th= e CS. + +Subcode 2 - store verification certificates + Provides VCs that are in the certificate store. + + The output is provided in a VCB, which includes a common header follow= ed by zero + or more verification-certificate entries (VCEs). + + The first-VC index and last-VC index fields of VCB specify the range o= f VCs + to be stored by subcode 2. Stored count and remained count fields spec= ify the + number of VCs stored and could not be stored in the VCB due to insuffi= cient + storage specified in the VCB input length field. + + VCE contains various information of a VC from the CS. diff --git a/include/hw/s390x/ipl/diag320.h b/include/hw/s390x/ipl/diag320.h index 6e4779c699..2af14b9f01 100644 --- a/include/hw/s390x/ipl/diag320.h +++ b/include/hw/s390x/ipl/diag320.h 
@@ -12,19 +12,30 @@ =20 #define DIAG_320_SUBC_QUERY_ISM 0 #define DIAG_320_SUBC_QUERY_VCSI 1 +#define DIAG_320_SUBC_STORE_VC 2 =20 #define DIAG_320_RC_OK 0x0001 #define DIAG_320_RC_NOT_SUPPORTED 0x0102 #define DIAG_320_RC_INVAL_VCSSB_LEN 0x0202 +#define DIAG_320_RC_INVAL_VCB_LEN 0x0204 +#define DIAG_320_RC_BAD_RANGE 0x0302 =20 #define DIAG_320_ISM_QUERY_SUBCODES 0x80000000 #define DIAG_320_ISM_QUERY_VCSI 0x40000000 +#define DIAG_320_ISM_STORE_VC 0x20000000 =20 #define VCSSB_NO_VC 4 #define VCSSB_MIN_LEN 128 #define VCE_HEADER_LEN 128 +#define VCE_INVALID_LEN 72 #define VCB_HEADER_LEN 64 =20 +#define DIAG_320_VCE_FLAGS_VALID 0x80 +#define DIAG_320_VCE_KEYTYPE_SELF_DESCRIBING 0 +#define DIAG_320_VCE_KEYTYPE_ECDSA_P521 1 +#define DIAG_320_VCE_FORMAT_X509_DER 1 +#define DIAG_320_VCE_HASHTYPE_SHA2_256 1 + struct VCStorageSizeBlock { uint32_t length; uint8_t reserved0[3]; @@ -39,4 +50,42 @@ struct VCStorageSizeBlock { }; typedef struct VCStorageSizeBlock VCStorageSizeBlock; =20 +struct VCBlock { + uint32_t in_len; + uint32_t reserved0; + uint16_t first_vc_index; + uint16_t last_vc_index; + uint32_t reserved1[5]; + uint32_t out_len; + uint8_t reserved2[3]; + uint8_t version; + uint16_t stored_ct; + uint16_t remain_ct; + uint32_t reserved3[5]; + uint8_t vce_buf[]; +}; +typedef struct VCBlock VCBlock; + +struct VCEntry { + uint32_t len; + uint8_t flags; + uint8_t key_type; + uint16_t cert_idx; + uint32_t name[16]; + uint8_t format; + uint8_t reserved0; + uint16_t keyid_len; + uint8_t reserved1; + uint8_t hash_type; + uint16_t hash_len; + uint32_t reserved2; + uint32_t cert_len; + uint32_t reserved3[2]; + uint16_t hash_offset; + uint16_t cert_offset; + uint32_t reserved4[7]; + uint8_t cert_buf[]; +}; +typedef struct VCEntry VCEntry; + #endif diff --git a/target/s390x/diag.c b/target/s390x/diag.c index 4e6de483b8..d5f6c54df3 100644 --- a/target/s390x/diag.c +++ b/target/s390x/diag.c 
@@ -17,6 +17,7 @@ #include "s390x-internal.h" #include "hw/watchdog/wdt_diag288.h" #include "system/cpus.h" +#include "hw/s390x/cert-store.h" #include "hw/s390x/ipl.h" #include "hw/s390x/ipl/diag320.h" #include "hw/s390x/s390-virtio-ccw.h" @@ -24,6 +25,7 @@ #include "kvm/kvm_s390x.h" #include "target/s390x/kvm/pv.h" #include "qemu/error-report.h" +#include "crypto/x509-utils.h" =20 =20 int handle_diag_288(CPUS390XState *env, uint64_t r1, uint64_t r3) 
@@ -225,8 +227,308 @@ static int handle_diag320_query_vcsi(S390CPU *cpu, ui= nt64_t addr, uint64_t r1, return DIAG_320_RC_OK; } =20 +static bool is_cert_valid(S390IPLCertificate cert) +{ + int rc; + Error *err =3D NULL; + + rc =3D qcrypto_x509_check_cert_times(cert.raw, cert.size, &err); + if (rc !=3D 0) { + error_report_err(err); + return false; + } + + return true; +} + +static void handle_key_id(VCEntry *vce, S390IPLCertificate cert) +{ + int rc; + g_autofree unsigned char *key_id_data =3D NULL; + size_t key_id_len; + Error *err =3D NULL; + + key_id_len =3D CERT_KEY_ID_LEN; + /* key id and key id len */ + rc =3D qcrypto_x509_get_cert_key_id(cert.raw, cert.size, + QCRYPTO_HASH_ALGO_SHA256, + &key_id_data, &key_id_len, &err); + if (rc < 0) { + error_report_err(err); + return; + } + vce->keyid_len =3D cpu_to_be16(key_id_len); + + memcpy(vce->cert_buf, key_id_data, key_id_len); +} + +static int handle_hash(VCEntry *vce, S390IPLCertificate cert, uint16_t key= id_field_len) +{ + int rc; + uint16_t hash_offset; + g_autofree void *hash_data =3D NULL; + size_t hash_len; + Error *err =3D NULL; + + hash_len =3D CERT_HASH_LEN; + /* hash and hash len */ + hash_data =3D g_malloc0(hash_len); + rc =3D qcrypto_get_x509_cert_fingerprint(cert.raw, cert.size, + QCRYPTO_HASH_ALGO_SHA256, + hash_data, &hash_len, &err); + if (rc < 0) { + error_report_err(err); + return -1; + } + vce->hash_len =3D cpu_to_be16(hash_len); + + /* hash type */ + vce->hash_type =3D DIAG_320_VCE_HASHTYPE_SHA2_256; + + hash_offset =3D VCE_HEADER_LEN + keyid_field_len; + vce->hash_offset =3D cpu_to_be16(hash_offset); + + memcpy((uint8_t *)vce + hash_offset, hash_data, hash_len); + + return 0; +} + +static int handle_cert(VCEntry *vce, S390IPLCertificate cert, uint16_t has= h_field_len) +{ + int rc; + uint16_t cert_offset; + g_autofree uint8_t *cert_der =3D NULL; + Error *err =3D NULL; + + /* certificate in DER format */ + rc =3D qcrypto_x509_convert_cert_der(cert.raw, cert.size, + &cert_der, &cert.der_size, 
&err); + if (rc < 0) { + error_report_err(err); + return -1; + } + vce->format =3D DIAG_320_VCE_FORMAT_X509_DER; + vce->cert_len =3D cpu_to_be32(cert.der_size); + cert_offset =3D be16_to_cpu(vce->hash_offset) + hash_field_len; + vce->cert_offset =3D cpu_to_be16(cert_offset); + + memcpy((uint8_t *)vce + cert_offset, cert_der, cert.der_size); + + return 0; +} + +static int get_key_type(S390IPLCertificate cert) +{ + int algo; + int rc; + Error *err =3D NULL; + + /* public key algorithm */ + algo =3D qcrypto_x509_get_pk_algorithm(cert.raw, cert.size, &err); + if (algo < 0) { + error_report_err(err); + return -1; + } + + if (algo =3D=3D QCRYPTO_PK_ALGO_ECDSA) { + rc =3D qcrypto_x509_is_ecc_curve_p521(cert.raw, cert.size, &err); + if (rc =3D=3D -1) { + error_report_err(err); + return -1; + } + + return (rc =3D=3D 1) ? DIAG_320_VCE_KEYTYPE_ECDSA_P521 : + DIAG_320_VCE_KEYTYPE_SELF_DESCRIBING; + } + + return DIAG_320_VCE_KEYTYPE_SELF_DESCRIBING; +} + +static int build_vce_header(VCEntry *vce, S390IPLCertificate cert, int idx) +{ + int key_type; + + vce->len =3D cpu_to_be32(VCE_HEADER_LEN); + vce->cert_idx =3D cpu_to_be16(idx + 1); + strncpy((char *)vce->name, (char *)cert.vc_name, VC_NAME_LEN_BYTES); + + key_type =3D get_key_type(cert); + if (key_type =3D=3D -1) { + return -1; + } + vce->key_type =3D key_type; + + return 0; +} + +static int build_vce_data(VCEntry *vce, S390IPLCertificate cert) +{ + uint16_t keyid_field_len; + uint16_t hash_field_len; + uint32_t cert_field_len; + int rc; + + handle_key_id(vce, cert); + /* vce key id field length - can be 0 if failed to retrieve */ + keyid_field_len =3D ROUND_UP(be16_to_cpu(vce->keyid_len), 4); + + rc =3D handle_hash(vce, cert, keyid_field_len); + if (rc) { + return -1; + } + hash_field_len =3D ROUND_UP(be16_to_cpu(vce->hash_len), 4); + + rc =3D handle_cert(vce, cert, hash_field_len); + if (rc || !is_cert_valid(cert)) { + return -1; + } + /* vce certificate field length */ + cert_field_len =3D 
ROUND_UP(be32_to_cpu(vce->cert_len), 4); + + /* The certificate is valid and VCE contains the certificate */ + vce->flags |=3D DIAG_320_VCE_FLAGS_VALID; + + /* Update vce length to reflect the acutal size used by vce */ + vce->len +=3D cpu_to_be32(keyid_field_len + hash_field_len + cert_fiel= d_len); + + return 0; +} + +static VCEntry *diag_320_build_vce(S390IPLCertificate cert, uint32_t vce_l= en, int idx) +{ + g_autofree VCEntry *vce =3D NULL; + int rc; + + /* + * Construct VCE + * Allocate enough memory for all certificate data (key id, hash and c= ertificate). + * Unused area following the VCE field contains zeros. + */ + vce =3D g_malloc0(vce_len); + rc =3D build_vce_header(vce, cert, idx); + if (rc) { + vce->len =3D cpu_to_be32(VCE_INVALID_LEN); + goto out; + } + vce->len =3D cpu_to_be32(VCE_HEADER_LEN); + + rc =3D build_vce_data(vce, cert); + if (rc) { + vce->len =3D cpu_to_be32(VCE_INVALID_LEN); + } + +out: + return g_steal_pointer(&vce); +} + +static int handle_diag320_store_vc(S390CPU *cpu, uint64_t addr, uint64_t r= 1, uintptr_t ra, + S390IPLCertificateStore *qcs) +{ + g_autofree VCBlock *vcb =3D NULL; + size_t vce_offset; + size_t remaining_space; + uint32_t vce_len; + uint16_t first_vc_index; + uint16_t last_vc_index; + uint32_t in_len; + + vcb =3D g_new0(VCBlock, 1); + if (s390_cpu_virt_mem_read(cpu, addr, r1, vcb, sizeof(*vcb))) { + s390_cpu_virt_mem_handle_exc(cpu, ra); + return -1; + } + + in_len =3D be32_to_cpu(vcb->in_len); + first_vc_index =3D be16_to_cpu(vcb->first_vc_index); + last_vc_index =3D be16_to_cpu(vcb->last_vc_index); + + if (in_len % TARGET_PAGE_SIZE !=3D 0) { + return DIAG_320_RC_INVAL_VCB_LEN; + } + + if (first_vc_index > last_vc_index) { + return DIAG_320_RC_BAD_RANGE; + } + + vcb->out_len =3D VCB_HEADER_LEN; + + if (first_vc_index =3D=3D 0) { + /* + * Zero is a valid index for the first and last VC index. + * Zero index results in the VCB header and zero certificates retu= rned. 
+ */ + if (last_vc_index =3D=3D 0) { + goto out; + } + + /* DIAG320 certificate store remains a one origin for cert entries= */ + vcb->first_vc_index =3D 1; + first_vc_index =3D 1; + } + + vce_offset =3D VCB_HEADER_LEN; + remaining_space =3D in_len - VCB_HEADER_LEN; + + for (int i =3D first_vc_index - 1; i < last_vc_index && i < qcs->count= ; i++) { + VCEntry *vce; + S390IPLCertificate cert =3D qcs->certs[i]; + /* + * Each VCE is word aligned. + * Each variable length field within the VCE is also word aligned. + */ + vce_len =3D VCE_HEADER_LEN + + ROUND_UP(CERT_KEY_ID_LEN, 4) + + ROUND_UP(CERT_HASH_LEN, 4) + + ROUND_UP(cert.der_size, 4); + + /* + * If there is no more space to store the cert, + * set the remaining verification cert count and + * break early. + */ + if (remaining_space < vce_len) { + vcb->remain_ct =3D cpu_to_be16(last_vc_index - i); + break; + } + + vce =3D diag_320_build_vce(cert, vce_len, i); + + /* Write VCE */ + if (s390_cpu_virt_mem_write(cpu, addr + vce_offset, r1, + vce, be32_to_cpu(vce->len))) { + s390_cpu_virt_mem_handle_exc(cpu, ra); + g_free(vce); + return -1; + } + + vce_offset +=3D be32_to_cpu(vce->len); + vcb->out_len +=3D be32_to_cpu(vce->len); + remaining_space -=3D be32_to_cpu(vce->len); + vcb->stored_ct++; + + g_free(vce); + } + vcb->stored_ct =3D cpu_to_be16(vcb->stored_ct); + +out: + vcb->out_len =3D cpu_to_be32(vcb->out_len); + /* + * Write VCB header + * All VCEs have been populated with the latest information + * and write VCB header last. 
+ */ + if (s390_cpu_virt_mem_write(cpu, addr, r1, vcb, VCB_HEADER_LEN)) { + s390_cpu_virt_mem_handle_exc(cpu, ra); + return -1; + } + + return DIAG_320_RC_OK; +} + QEMU_BUILD_BUG_MSG(sizeof(VCStorageSizeBlock) !=3D VCSSB_MIN_LEN, "size of VCStorageSizeBlock is wrong"); +QEMU_BUILD_BUG_MSG(sizeof(VCBlock) !=3D VCB_HEADER_LEN, "size of VCBlock i= s wrong"); +QEMU_BUILD_BUG_MSG(sizeof(VCEntry) !=3D VCE_HEADER_LEN, "size of VCEntry i= s wrong"); =20 void handle_diag_320(CPUS390XState *env, uint64_t r1, uint64_t r3, uintptr= _t ra) { @@ -259,7 +561,8 @@ void handle_diag_320(CPUS390XState *env, uint64_t r1, u= int64_t r3, uintptr_t ra) * for now. */ uint32_t ism_word0 =3D cpu_to_be32(DIAG_320_ISM_QUERY_SUBCODES | - DIAG_320_ISM_QUERY_VCSI); + DIAG_320_ISM_QUERY_VCSI | + DIAG_320_ISM_STORE_VC); =20 if (s390_cpu_virt_mem_write(cpu, addr, r1, &ism_word0, sizeof(ism_= word0))) { s390_cpu_virt_mem_handle_exc(cpu, ra); 
@@ -285,6 +588,13 @@ void handle_diag_320(CPUS390XState *env, uint64_t r1, = uint64_t r3, uintptr_t ra) } env->regs[r1 + 1] =3D rc; break; + case DIAG_320_SUBC_STORE_VC: + rc =3D handle_diag320_store_vc(cpu, addr, r1, ra, qcs); + if (rc =3D=3D -1) { + return; + } + env->regs[r1 + 1] =3D rc; + break; default: env->regs[r1 + 1] =3D DIAG_320_RC_NOT_SUPPORTED; break; --=20 2.50.1 From nobody Sat Nov 15 00:41:28 2025 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass(p=reject dis=none) header.from=linux.ibm.com ARC-Seal: i=1; a=rsa-sha256; t=1758151522; cv=none; d=zohomail.com; s=zohoarc; b=F2XqMD9zmkQcQ/JC2VkI6tPHJ5IgxF4klUWMljavJUsvkbM37VQi03D9HJAeybfYv4Wja3wdR8/EWR+LrxLIk+q9p5hAWvLigYRfxcFa/KCLUan6plfziKAQYmrQM71dEzS0N10yMlNYQnjGW4lF1eijqomEHKyOL2L3vKLb7zY= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1758151522; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=PpHeXPGl7wTIuZEHZf1IIiNwiFU7B+2okPWdCch/37k=; b=KhssEYbSncBbluK8hpPYRA+gyVVk5JlK35cU6qqAWytc+FFD78pJVgJZx16cAYcGObjkdhaKqWJ2+UYjFEKT2ER+uSjiAxieCL2Bv7rrhzijZYjbuhresr29C39ZFNQ7rTj0e780mwxrOdw2b/MEwwWSRml1g8QjphAjHpryVeg= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass header.from= (p=reject dis=none) Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1758151522440375.9403151484544; Wed, 17 Sep 2025 16:25:22 -0700 (PDT) Received: from localhost ([::1] 
From: Zhuoying Cai
To: thuth@redhat.com, berrange@redhat.com, richard.henderson@linaro.org, david@redhat.com, jrossi@linux.ibm.com, qemu-s390x@nongnu.org, qemu-devel@nongnu.org
Cc: walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com
Subject: [PATCH v6 10/28] s390x/diag: Introduce DIAG 508 for secure IPL operations
Date: Wed, 17 Sep 2025 19:21:12 -0400
Message-ID: <20250917232131.495848-11-zycai@linux.ibm.com>
In-Reply-To: <20250917232131.495848-1-zycai@linux.ibm.com>
References: <20250917232131.495848-1-zycai@linux.ibm.com>

From: Collin Walling

In order to support secure IPL (aka secure boot) for the s390-ccw BIOS, a new s390 DIAGNOSE instruction is introduced to leverage QEMU for handling operations such as signature verification and certificate retrieval.

Currently, only subcode 0 is supported with this patch, which is used to query a bitmap of which subcodes are supported.

Signed-off-by: Collin Walling Reviewed-by: Farhan Ali --- docs/specs/s390x-secure-ipl.rst | 18 ++++++++++++++++++ include/hw/s390x/ipl/diag508.h | 15 +++++++++++++++ target/s390x/diag.c | 27 +++++++++++++++++++++++++++ target/s390x/kvm/kvm.c | 14 ++++++++++++++ target/s390x/s390x-internal.h | 2 ++ target/s390x/tcg/misc_helper.c | 7 +++++++ 6 files changed, 83 insertions(+) create mode 100644 include/hw/s390x/ipl/diag508.h diff --git a/docs/specs/s390x-secure-ipl.rst b/docs/specs/s390x-secure-ipl.= rst index e28f0b40d7..0919425e9a 100644 --- a/docs/specs/s390x-secure-ipl.rst +++ b/docs/specs/s390x-secure-ipl.rst @@ -48,3 +48,21 @@ Subcode 2 - store verification certificates storage specified in the VCB input length field. =20 VCE contains various information of a VC from the CS. + + +Secure IPL Data Structures, Facilities, and Functions +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D + +DIAGNOSE function code 'X'508' - KVM IPL extensions +--------------------------------------------------- + +DIAGNOSE 'X'508' is reserved for KVM guest use in order to facilitate +communication of additional IPL operations that cannot be handled by users= pace, +such as signature verification for secure IPL. + +If the function code specifies 0x508, KVM IPL extension functions are perf= ormed. +These functions are meant to provide extended functionality for s390 guest= boot +that requires assistance from QEMU. + +Subcode 0 - query installed subcodes + Returns a 64-bit mask indicating which subcodes are supported. diff --git a/include/hw/s390x/ipl/diag508.h b/include/hw/s390x/ipl/diag508.h new file mode 100644 index 0000000000..6281ad8299 --- /dev/null +++ b/include/hw/s390x/ipl/diag508.h 
@@ -0,0 +1,15 @@ +/* + * S/390 DIAGNOSE 508 definitions and structures + * + * Copyright 2025 IBM Corp. + * Author(s): Collin Walling + * + * SPDX-License-Identifier: GPL-2.0-or-later + */ + +#ifndef S390X_DIAG508_H +#define S390X_DIAG508_H + +#define DIAG_508_SUBC_QUERY_SUBC 0x0000 + +#endif diff --git a/target/s390x/diag.c b/target/s390x/diag.c index d5f6c54df3..ee64257dbc 100644 --- a/target/s390x/diag.c +++ b/target/s390x/diag.c @@ -20,6 +20,7 @@ #include "hw/s390x/cert-store.h" #include "hw/s390x/ipl.h" #include "hw/s390x/ipl/diag320.h" +#include "hw/s390x/ipl/diag508.h" #include "hw/s390x/s390-virtio-ccw.h" #include "system/kvm.h" #include "kvm/kvm_s390x.h" @@ -600,3 +601,29 @@ void handle_diag_320(CPUS390XState *env, uint64_t r1, = uint64_t r3, uintptr_t ra) break; } } + +void handle_diag_508(CPUS390XState *env, uint64_t r1, uint64_t r3, uintptr= _t ra) +{ + uint64_t subcode =3D env->regs[r3]; + int rc; + + if (env->psw.mask & PSW_MASK_PSTATE) { + s390_program_interrupt(env, PGM_PRIVILEGED, ra); + return; + } + + if ((subcode & ~0x0ffffULL) || (r1 & 1)) { + s390_program_interrupt(env, PGM_SPECIFICATION, ra); + return; + } + + switch (subcode) { + case DIAG_508_SUBC_QUERY_SUBC: + rc =3D 0; + break; + default: + s390_program_interrupt(env, PGM_SPECIFICATION, ra); + return; + } + env->regs[r1 + 1] =3D rc; +} diff --git a/target/s390x/kvm/kvm.c b/target/s390x/kvm/kvm.c index 5510fc2fc5..ae6cd3d506 100644 --- a/target/s390x/kvm/kvm.c +++ b/target/s390x/kvm/kvm.c @@ -101,6 +101,7 @@ #define DIAG_CERT_STORE 0x320 #define DIAG_KVM_HYPERCALL 0x500 #define DIAG_KVM_BREAKPOINT 0x501 +#define DIAG_SECURE_IPL 0x508 =20 #define ICPT_INSTRUCTION 0x04 #define ICPT_PROGRAM 0x08 
@@ -1571,6 +1572,16 @@ static void kvm_handle_diag_320(S390CPU *cpu, struct= kvm_run *run) handle_diag_320(&cpu->env, r1, r3, RA_IGNORED); } =20 +static void kvm_handle_diag_508(S390CPU *cpu, struct kvm_run *run) +{ + uint64_t r1, r3; + + r1 =3D (run->s390_sieic.ipa & 0x00f0) >> 4; + r3 =3D run->s390_sieic.ipa & 0x000f; + + handle_diag_508(&cpu->env, r1, r3, RA_IGNORED); +} + #define DIAG_KVM_CODE_MASK 0x000000000000ffff =20 static int handle_diag(S390CPU *cpu, struct kvm_run *run, uint32_t ipb) @@ -1604,6 +1615,9 @@ static int handle_diag(S390CPU *cpu, struct kvm_run *= run, uint32_t ipb) case DIAG_CERT_STORE: kvm_handle_diag_320(cpu, run); break; + case DIAG_SECURE_IPL: + kvm_handle_diag_508(cpu, run); + break; default: trace_kvm_insn_diag(func_code); kvm_s390_program_interrupt(cpu, PGM_SPECIFICATION); diff --git a/target/s390x/s390x-internal.h b/target/s390x/s390x-internal.h index ecff2d07a1..7cca8a67de 100644 --- a/target/s390x/s390x-internal.h +++ b/target/s390x/s390x-internal.h @@ -393,6 +393,8 @@ void handle_diag_308(CPUS390XState *env, uint64_t r1, u= int64_t r3, uintptr_t ra); void handle_diag_320(CPUS390XState *env, uint64_t r1, uint64_t r3, uintptr_t ra); +void handle_diag_508(CPUS390XState *env, uint64_t r1, uint64_t r3, + uintptr_t ra); =20 =20 /* translate.c */ diff --git a/target/s390x/tcg/misc_helper.c b/target/s390x/tcg/misc_helper.c index 412c34ed93..ddbf495118 100644 --- a/target/s390x/tcg/misc_helper.c +++ b/target/s390x/tcg/misc_helper.c 
@@ -149,6 +149,13 @@ void HELPER(diag)(CPUS390XState *env, uint32_t r1, uin= t32_t r3, uint32_t num) bql_unlock(); r =3D 0; break; + case 0x508: + /* secure ipl operations */ + bql_lock(); + handle_diag_508(env, r1, r3, GETPC()); + bql_unlock(); + r =3D 0; + break; default: r =3D -1; break; --=20 2.50.1
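Review bot: The text added to docs/specs/s390x-secure-ipl.rst says subcode 0 returns a 64-bit mask of supported subcodes, but handle_diag_508() in target/s390x/diag.c carries the result in "int rc" and stores a literal 0 for DIAG_508_SUBC_QUERY_SUBC. Declare the result as uint64_t and build it from named subcode constants, so the value written to r1 + 1 has the documented width and does not depend on an int conversion once further subcodes are defined.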
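Review bot: The default branch of handle_diag_508() raises PGM_SPECIFICATION for an unknown subcode, while the handle_diag_320() default visible in the same file reports DIAG_320_RC_NOT_SUPPORTED in r1 + 1, and the new rst section documents none of the three interrupt conditions (problem state, odd r1 or subcode bits above 0xffff, unknown subcode). Either follow the DIAG 320 convention or state in the spec that an unsupported subcode is a specification exception, so the guest BIOS knows it must query subcode 0 first. The literal ~0x0ffffULL would also read better as a named mask.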
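Review bot: kvm_handle_diag_508() in target/s390x/kvm/kvm.c decodes r1 and r3 from run->s390_sieic.ipa and calls handle_diag_508() directly, and nothing in this hunk brings the vCPU state into env beforehand. The handler then makes its privilege decision on env->psw.mask, reads the subcode from env->regs[r3] and writes env->regs[r1 + 1]. Please confirm that env is current on this path, or call cpu_synchronize_state(CPU(cpu)) at the top of the function, so the PSW_MASK_PSTATE check is not evaluated against stale register contents.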
From: Zhuoying Cai
To: thuth@redhat.com, berrange@redhat.com, richard.henderson@linaro.org, david@redhat.com, jrossi@linux.ibm.com, qemu-s390x@nongnu.org, qemu-devel@nongnu.org
Cc: walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com
Subject: [PATCH v6 11/28] crypto/x509-utils: Add helper functions for DIAG 508 subcode 1
Date: Wed, 17 Sep 2025 19:21:13 -0400
Message-ID: <20250917232131.495848-12-zycai@linux.ibm.com>
In-Reply-To: <20250917232131.495848-1-zycai@linux.ibm.com>
References: <20250917232131.495848-1-zycai@linux.ibm.com>

Introduce helper functions to support signature verification required by DIAG 508 subcode 1:

qcrypto_pkcs7_convert_sig_pem() – converts a signature from DER to PEM format
qcrypto_x509_verify_sig() – verifies the provided data against the given signature

These functions enable basic signature verification support.

Signed-off-by: Zhuoying Cai
--- crypto/x509-utils.c | 109 ++++++++++++++++++++++++++++++++++++ include/crypto/x509-utils.h | 39 +++++++++++++ 2 files changed, 148 insertions(+) diff --git a/crypto/x509-utils.c b/crypto/x509-utils.c index 763eccb190..8f3c895d7c 100644 --- a/crypto/x509-utils.c +++ b/crypto/x509-utils.c
@@ -16,6 +16,7 @@ #include #include #include +#include =20 static const int qcrypto_to_gnutls_hash_alg_map[QCRYPTO_HASH_ALGO__MAX] = =3D { [QCRYPTO_HASH_ALGO_MD5] =3D GNUTLS_DIG_MD5, 
@@ -342,6 +343,97 @@ int qcrypto_x509_is_ecc_curve_p521(uint8_t *cert, size= _t size, Error **errp) return 0; } =20 +int qcrypto_pkcs7_convert_sig_pem(uint8_t *sig, size_t sig_size, + uint8_t **result, size_t *resultlen, + Error **errp) +{ + int ret =3D -1; + int rc; + gnutls_pkcs7_t signature; + gnutls_datum_t sig_datum_der =3D {.data =3D sig, .size =3D sig_size}; + gnutls_datum_t sig_datum_pem =3D {.data =3D NULL, .size =3D 0}; + + rc =3D gnutls_pkcs7_init(&signature); + if (rc < 0) { + error_setg(errp, "Failed to initalize pkcs7 data: %s", gnutls_stre= rror(rc)); + return ret; + } + + rc =3D gnutls_pkcs7_import(signature, &sig_datum_der, GNUTLS_X509_FMT_= DER); + if (rc !=3D 0) { + error_setg(errp, "Failed to import signature: %s", gnutls_strerror= (rc)); + goto cleanup; + } + + rc =3D gnutls_pkcs7_export2(signature, GNUTLS_X509_FMT_PEM, &sig_datum= _pem); + if (rc !=3D 0) { + error_setg(errp, "Failed to convert signature to PEM format: %s", + gnutls_strerror(rc)); + goto cleanup; + } + + *result =3D g_new0(uint8_t, sig_datum_pem.size); + *resultlen =3D sig_datum_pem.size; + memcpy(*result, sig_datum_pem.data, sig_datum_pem.size); + + ret =3D 0; + +cleanup: + gnutls_pkcs7_deinit(signature); + gnutls_free(sig_datum_pem.data); + return ret; +} + +int qcrypto_x509_verify_sig(uint8_t *cert, size_t cert_size, + uint8_t *comp, size_t comp_size, + uint8_t *sig, size_t sig_size, Error **errp) +{ + int rc; + int ret =3D -1; + gnutls_x509_crt_t crt =3D NULL; + gnutls_pkcs7_t signature =3D NULL; + gnutls_datum_t cert_datum =3D {.data =3D cert, .size =3D cert_size}; + gnutls_datum_t data_datum =3D {.data =3D comp, .size =3D comp_size}; + gnutls_datum_t sig_datum =3D {.data =3D sig, .size =3D sig_size}; + + rc =3D gnutls_x509_crt_init(&crt); + if (rc < 0) { + error_setg(errp, "Failed to initialize certificate: %s", gnutls_st= rerror(rc)); + goto cleanup; + } + + rc =3D gnutls_x509_crt_import(crt, &cert_datum, GNUTLS_X509_FMT_PEM); + if (rc !=3D 0) { + error_setg(errp, 
"Failed to import certificate: %s", gnutls_strerr= or(rc)); + goto cleanup; + } + + rc =3D gnutls_pkcs7_init(&signature); + if (rc < 0) { + error_setg(errp, "Failed to initalize pkcs7 data: %s", gnutls_stre= rror(rc)); + goto cleanup; + } + + rc =3D gnutls_pkcs7_import(signature, &sig_datum , GNUTLS_X509_FMT_PEM= ); + if (rc !=3D 0) { + error_setg(errp, "Failed to import signature: %s", gnutls_strerror= (rc)); + goto cleanup; + } + + rc =3D gnutls_pkcs7_verify_direct(signature, crt, 0, &data_datum, 0); + if (rc !=3D 0) { + error_setg(errp, "Failed to verify signature: %s", gnutls_strerror= (rc)); + goto cleanup; + } + + ret =3D 0; + +cleanup: + gnutls_x509_crt_deinit(crt); + gnutls_pkcs7_deinit(signature); + return ret; +} + #else /* ! CONFIG_GNUTLS */ =20 int qcrypto_get_x509_cert_fingerprint(uint8_t *cert, size_t size, @@ -391,4 +483,21 @@ int qcrypto_x509_is_ecc_curve_p521(uint8_t *cert, size= _t size, Error **errp) return -1; } =20 +int qcrypto_pkcs7_convert_sig_pem(uint8_t *sig, size_t sig_size, + uint8_t **result, + size_t *resultlen, + Error **errp) +{ + error_setg(errp, "GNUTLS is required to export pkcs7 signature"); + return -1; +} + +int qcrypto_x509_verify_sig(uint8_t *cert, size_t cert_size, + uint8_t *comp, size_t comp_size, + uint8_t *sig, size_t sig_size, Error **errp) +{ + error_setg(errp, "GNUTLS is required for signature-verification suppor= t"); + return -1; +} + #endif /* ! CONFIG_GNUTLS */ diff --git a/include/crypto/x509-utils.h b/include/crypto/x509-utils.h index 6fc8d982b7..43a3dbb7a9 100644 --- a/include/crypto/x509-utils.h +++ b/include/crypto/x509-utils.h 
@@ -111,4 +111,43 @@ int qcrypto_x509_get_cert_key_id(uint8_t *cert, size_t= size, */ int qcrypto_x509_is_ecc_curve_p521(uint8_t *cert, size_t size, Error **err= p); =20 +/** + * qcrypto_pkcs7_convert_sig_pem + * @sig: pointer to the PKCS#7 signature in DER format + * @sig_size: size of the signature + * @result: output location for the allocated buffer for the signature in = PEM format + (the function allocates memory which must be freed by the call= er) + * @resultlen: pointer to the size of the buffer + (will be updated with the actual size of the PEM-encoded si= gnature) + * @errp: error pointer + * + * Convert given PKCS#7 @sig from DER to PEM format. + * + * Returns: 0 if PEM-encoded signature was successfully stored in @result, + * -1 on error. + */ +int qcrypto_pkcs7_convert_sig_pem(uint8_t *sig, size_t sig_size, + uint8_t **result, + size_t *resultlen, + Error **errp); + +/** + * qcrypto_x509_verify_sig + * @cert: pointer to the raw certificate data + * @cert_size: size of the certificate + * @comp: pointer to the component to be verified + * @comp_size: size of the component + * @sig: pointer to the signature + * @sig_size: size of the signature + * @errp: error pointer + * + * Verify the provided @comp against the @sig and @cert. + * + * Returns: 0 on success, + * -1 on error. 
+ */ +int qcrypto_x509_verify_sig(uint8_t *cert, size_t cert_size, + uint8_t *comp, size_t comp_size, + uint8_t *sig, size_t sig_size, Error **errp); + #endif --=20 2.50.1
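Review bot: In qcrypto_x509_verify_sig() (crypto/x509-utils.c) the call gnutls_pkcs7_verify_direct(signature, crt, 0, &data_datum, 0) checks only signer-info index 0 and, unlike gnutls_pkcs7_verify(), does not check the signer's key purpose; the function also performs no other check on @cert before using its key. Since this helper is the trust decision for secure IPL, either add the purpose check here or document that the caller is responsible for which certificates are acceptable signers, and say what happens for a PKCS#7 blob carrying more than one signer. Separately, "initalize" is misspelled in two error strings in this hunk.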
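Review bot: The kernel-doc for qcrypto_x509_verify_sig() in include/crypto/x509-utils.h describes @cert as "raw certificate data" and @sig as "the signature" without naming an encoding, but the implementation imports both with GNUTLS_X509_FMT_PEM, so a DER signature passed straight from the guest fails at import unless the caller runs qcrypto_pkcs7_convert_sig_pem() first. State the required PEM encoding for both parameters and mention the conversion helper. The continuation lines under @result and @resultlen in the qcrypto_pkcs7_convert_sig_pem() comment are also missing the leading " * ".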
(TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1uz1TG-0005Ut-BI; Wed, 17 Sep 2025 19:21:55 -0400 Received: from mx0a-001b2d01.pphosted.com ([148.163.156.1]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1uz1TE-0002Pw-CL; Wed, 17 Sep 2025 19:21:54 -0400 Received: from pps.filterd (m0353729.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 58HI3gTY031219; Wed, 17 Sep 2025 23:21:50 GMT Received: from ppma21.wdc07v.mail.ibm.com (5b.69.3da9.ip4.static.sl-reverse.com [169.61.105.91]) by mx0a-001b2d01.pphosted.com (PPS) with ESMTPS id 497g4hpuvb-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 17 Sep 2025 23:21:49 +0000 (GMT) Received: from pps.filterd (ppma21.wdc07v.mail.ibm.com [127.0.0.1]) by ppma21.wdc07v.mail.ibm.com (8.18.1.2/8.18.1.2) with ESMTP id 58HKZ7j6022300; Wed, 17 Sep 2025 23:21:48 GMT Received: from smtprelay01.wdc07v.mail.ibm.com ([172.16.1.68]) by ppma21.wdc07v.mail.ibm.com (PPS) with ESMTPS id 495kxpuu7a-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 17 Sep 2025 23:21:48 +0000 Received: from smtpav02.dal12v.mail.ibm.com (smtpav02.dal12v.mail.ibm.com [10.241.53.101]) by smtprelay01.wdc07v.mail.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id 58HNLk5d34931054 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 17 Sep 2025 23:21:47 GMT Received: from smtpav02.dal12v.mail.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id BF8015805C; Wed, 17 Sep 2025 23:21:46 +0000 (GMT) Received: from smtpav02.dal12v.mail.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id A82AA5805A; Wed, 17 Sep 2025 23:21:45 +0000 (GMT) Received: from fedora-workstation.ibmuc.com (unknown [9.61.34.172]) by smtpav02.dal12v.mail.ibm.com (Postfix) with ESMTP; Wed, 17 Sep 2025 23:21:45 +0000 (GMT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; 
d=ibm.com; h=cc :content-transfer-encoding:date:from:in-reply-to:message-id :mime-version:references:subject:to; s=pp1; bh=ZxVRbYGmX0o5rI08/ lndRJA+3ci50sAotVUaZsLjni4=; b=J0JgWyBMzRFumM79ck73DsJfqHAjvnzV3 XIPqfGIAvvPfhiktsG/dh/yRqWNYNzS2+5RDLujSZifKAjrk+KIVorNkF88cOcYU /zDbjxGO5TnUvq7+611OXQHi75aHD5TJIIms8zp6+CCgDRQ1p8jWjNE9ihwFRxuS xtKr1PR7oZqEfexY0jEsacTbwIKgI44uiXv8/W9arFBE9hD+GRbVjfofwR17606H A03zEujGhICsKBqP29poNt+1NwcctoPQ4Fzx4Fs95SiIySV5a/nRCftMokXwOIWT 9ou5YOezgOmGrHYPkKN08LyVsvwemFQTzKRrmvkQ8X4VeTD/5RZaw== 
From: Zhuoying Cai To: thuth@redhat.com, berrange@redhat.com, richard.henderson@linaro.org, david@redhat.com, jrossi@linux.ibm.com, qemu-s390x@nongnu.org, qemu-devel@nongnu.org Cc: walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com Subject: [PATCH v6 12/28] s390x/diag: Implement DIAG 508 subcode 1 for signature verification Date: Wed, 17 Sep 2025 19:21:14 -0400 Message-ID: <20250917232131.495848-13-zycai@linux.ibm.com> X-Mailer: git-send-email 2.50.1 In-Reply-To: <20250917232131.495848-1-zycai@linux.ibm.com> References: <20250917232131.495848-1-zycai@linux.ibm.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-TM-AS-GCONF: 00 X-Proofpoint-ORIG-GUID: 9gYxKBXAzKiyxbAzCsPisVbKJfLSQFYQ X-Proofpoint-Spam-Details-Enc: AW1haW4tMjUwOTE2MDIwNCBTYWx0ZWRfX9N/b6DWjA0F4 5fiaAyfP2AkZ6O6wvXUfX7kyrccJ6y4I+dqdBDZNHZUxYQqM5IaW6dNTgxtNK31MB3OIiAwTgYG G15VSJjUB6V3O4WscFaqOSOKfc+EqzDUNyCOWQ6ERezlBGzlEapM6x7BA0Jc8Qvn/fOLZCIud10 yxY+aOg6PEkbPslBkglYd6tBd5uXKjVrxRD1pYrfWQg2gM/B8Y7nvJnjsCiBDlynaJT5H59VLBE Iu2rakVeuB6mHkL+G3N02flHawtcQsoPU6XE264baqar4eh3sMhQZnVausiT9U/tzL+KK7xVMCW tFvEk28+CqYP7DEAnrprCKuVLtclEZHSVKLrOFzNFkgwsLC+vo6MqAt+b1UYvnV8mICW+Gbb0yA nhDJ9HLw X-Proofpoint-GUID: 9gYxKBXAzKiyxbAzCsPisVbKJfLSQFYQ X-Authority-Analysis: v=2.4 cv=co2bk04i c=1 sm=1 tr=0 ts=68cb428d cx=c_pps a=GFwsV6G8L6GxiO2Y/PsHdQ==:117 a=GFwsV6G8L6GxiO2Y/PsHdQ==:17 a=yJojWOMRYYMA:10 a=VnNF1IyMAAAA:8 a=QUeH2xgz5R9ERI6wYg0A:9 X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1117,Hydra:6.1.9,FMLib:17.12.80.40 definitions=2025-09-17_01,2025-09-17_02,2025-03-28_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 clxscore=1015 impostorscore=0 priorityscore=1501 suspectscore=0 adultscore=0 phishscore=0 malwarescore=0 spamscore=0 bulkscore=0 
classifier=typeunknown authscore=0 authtc= authcc= route=outbound adjust=0 reason=mlx scancount=1 engine=8.19.0-2507300000 definitions=main-2509160204 Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=148.163.156.1; envelope-from=zycai@linux.ibm.com; helo=mx0a-001b2d01.pphosted.com X-Spam_score_int: -26 X-Spam_score: -2.7 X-Spam_bar: -- X-Spam_report: (-2.7 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @ibm.com) X-ZM-MESSAGEID: 1758151525080116600 Content-Type: text/plain; charset="utf-8" 
From: Collin Walling

DIAG 508 subcode 1 performs signature-verification on signed components. A signed component may be a Linux kernel image, or any other signed binary. **Verification of initrd is not supported.**

The instruction call expects two item-pairs: an address of a device component, an address of the analogous signature file (in PKCS#7 DER format), and their respective lengths. All of this data should be encapsulated within a Diag508SigVerifBlock.

The DIAG handler will read from the provided addresses to retrieve the necessary data, parse the signature file, then perform the signature-verification. Because there is no way to correlate a specific certificate to a component, each certificate in the store is tried until either verification succeeds, or all certs have been exhausted.

The subcode value is denoted by setting the second-to-left-most bit of a 2-byte field.

A return code of 1 indicates success, and the index and length of the corresponding certificate will be set in the Diag508SigVerifBlock. The following values indicate failure:

0x0102: certificate not available
0x0202: component data is invalid
0x0302: signature is not in PKCS#7 format
0x0402: signature-verification failed
0x0502: length of Diag508SigVerifBlock is invalid

Signed-off-by: Collin Walling
Signed-off-by: Zhuoying Cai
--- docs/specs/s390x-secure-ipl.rst | 5 ++ include/hw/s390x/ipl/diag508.h | 23 +++++++ target/s390x/diag.c | 115 +++++++++++++++++++++++++++++++- 3 files changed, 142 insertions(+), 1 deletion(-) diff --git a/docs/specs/s390x-secure-ipl.rst b/docs/specs/s390x-secure-ipl.= rst index 0919425e9a..eec368d17b 100644 --- a/docs/specs/s390x-secure-ipl.rst +++ b/docs/specs/s390x-secure-ipl.rst
@@ -66,3 +66,8 @@ that requires assistance from QEMU. =20 Subcode 0 - query installed subcodes Returns a 64-bit mask indicating which subcodes are supported. + +Subcode 1 - perform signature verification + Perform signature-verification on a signed component, using certificat= es + from the certificate store and leveraging qcrypto libraries to perform + this operation. diff --git a/include/hw/s390x/ipl/diag508.h b/include/hw/s390x/ipl/diag508.h index 6281ad8299..ad401cc867 100644 --- a/include/hw/s390x/ipl/diag508.h +++ b/include/hw/s390x/ipl/diag508.h @@ -11,5 +11,28 @@ #define S390X_DIAG508_H =20 #define DIAG_508_SUBC_QUERY_SUBC 0x0000 +#define DIAG_508_SUBC_SIG_VERIF 0x8000 + +#define DIAG_508_RC_OK 0x0001 +#define DIAG_508_RC_NO_CERTS 0x0102 +#define DIAG_508_RC_INVAL_COMP_DATA 0x0202 +#define DIAG_508_RC_INVAL_PKCS7_SIG 0x0302 +#define DIAG_508_RC_FAIL_VERIF 0x0402 +#define DIAG_508_RC_INVAL_LEN 0x0502 + +struct Diag508SigVerifBlock { + uint32_t length; + uint8_t reserved0[3]; + uint8_t version; + uint32_t reserved[2]; + uint8_t cert_store_index; + uint8_t reserved1[7]; + uint64_t cert_len; + uint64_t comp_len; + uint64_t comp_addr; + uint64_t sig_len; + uint64_t sig_addr; +}; +typedef struct Diag508SigVerifBlock Diag508SigVerifBlock; =20 #endif diff --git a/target/s390x/diag.c b/target/s390x/diag.c index ee64257dbc..379fb8f2b4 100644 --- a/target/s390x/diag.c +++ b/target/s390x/diag.c 
@@ -602,9 +602,112 @@ void handle_diag_320(CPUS390XState *env, uint64_t r1,= uint64_t r3, uintptr_t ra) } } =20 +static int diag_508_verify_sig(uint8_t *cert, size_t cert_size, + uint8_t *comp, size_t comp_size, + uint8_t *sig, size_t sig_size) +{ + g_autofree uint8_t *sig_pem =3D NULL; + size_t sig_size_pem; + int rc; + + /* + * PKCS#7 signature with DER format + * Convert to PEM format for signature verification + */ + rc =3D qcrypto_pkcs7_convert_sig_pem(sig, sig_size, &sig_pem, &sig_siz= e_pem, NULL); + if (rc < 0) { + return -1; + } + + rc =3D qcrypto_x509_verify_sig(cert, cert_size, + comp, comp_size, + sig_pem, sig_size_pem, NULL); + if (rc < 0) { + return -1; + } + + return 0; +} + +static int handle_diag508_sig_verif(uint64_t addr, size_t svb_size, + S390IPLCertificateStore *qcs) +{ + int rc; + int verified; + uint32_t svb_len; + uint64_t comp_len, comp_addr; + uint64_t sig_len, sig_addr; + g_autofree uint8_t *svb_comp =3D NULL; + g_autofree uint8_t *svb_sig =3D NULL; + g_autofree Diag508SigVerifBlock *svb =3D NULL; + + if (!qcs || !qcs->count) { + return DIAG_508_RC_NO_CERTS; + } + + svb =3D g_new0(Diag508SigVerifBlock, 1); + cpu_physical_memory_read(addr, svb, svb_size); + + svb_len =3D be32_to_cpu(svb->length); + if (svb_len !=3D svb_size) { + return DIAG_508_RC_INVAL_LEN; + } + + comp_len =3D be64_to_cpu(svb->comp_len); + comp_addr =3D be64_to_cpu(svb->comp_addr); + sig_len =3D be64_to_cpu(svb->sig_len); + sig_addr =3D be64_to_cpu(svb->sig_addr); + + if (!comp_len || !comp_addr) { + return DIAG_508_RC_INVAL_COMP_DATA; + } + + if (!sig_len || !sig_addr) { + return DIAG_508_RC_INVAL_PKCS7_SIG; + } + + svb_comp =3D g_malloc0(comp_len); + cpu_physical_memory_read(comp_addr, svb_comp, comp_len); + + svb_sig =3D g_malloc0(sig_len); + cpu_physical_memory_read(sig_addr, svb_sig, sig_len); + + rc =3D DIAG_508_RC_FAIL_VERIF; + /* + * It is uncertain which certificate contains + * the analogous key to verify the signed data + * + * Ignore errors from signature 
format convertion and verification, + * because currently in the certificate lookup process. + * + * Any error is treated as a verification failure, + * and the final result (verified or not) will be reported later. + */ + for (int i =3D 0; i < qcs->count; i++) { + verified =3D diag_508_verify_sig(qcs->certs[i].raw, + qcs->certs[i].size, + svb_comp, comp_len, + svb_sig, sig_len); + if (verified =3D=3D 0) { + svb->cert_store_index =3D i; + svb->cert_len =3D cpu_to_be64(qcs->certs[i].der_size); + cpu_physical_memory_write(addr, svb, be32_to_cpu(svb_size)); + rc =3D DIAG_508_RC_OK; + break; + } + } + + return rc; +} + +QEMU_BUILD_BUG_MSG(sizeof(Diag508SigVerifBlock) !=3D 64, + "size of Diag508SigVerifBlock is wrong"); + void handle_diag_508(CPUS390XState *env, uint64_t r1, uint64_t r3, uintptr= _t ra) { + S390IPLCertificateStore *qcs =3D s390_ipl_get_certificate_store(); uint64_t subcode =3D env->regs[r3]; + uint64_t addr =3D env->regs[r1]; int rc; =20 if (env->psw.mask & PSW_MASK_PSTATE) { 
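Review bot: In handle_diag508_sig_verif(), the success path calls cpu_physical_memory_write(addr, svb, be32_to_cpu(svb_size)), but svb_size is a host-order size_t (the caller passes sizeof(Diag508SigVerifBlock), and it has already been compared against the converted svb_len). On a little-endian host the swap turns 64 into 0x40000000, so the write reads far past the 64-byte g_new0() buffer and copies host heap into guest memory; pass svb_size unchanged. In the same function, comp_len and sig_len come straight from the guest-supplied block and feed g_malloc0() and cpu_physical_memory_read() after only a non-zero check, so the guest chooses the size of a host allocation; an upper bound on both lengths, plus the same kind of address check the caller applies to addr with diag_parm_addr_valid(), would close that. Minor: "convertion" in the comment should be "conversion", and "because currently in the certificate lookup process" needs rewording.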
@@ -619,7 +722,17 @@ void handle_diag_508(CPUS390XState *env, uint64_t r1, = uint64_t r3, uintptr_t ra) =20 switch (subcode) { case DIAG_508_SUBC_QUERY_SUBC: - rc =3D 0; + rc =3D DIAG_508_SUBC_SIG_VERIF; + break; + case DIAG_508_SUBC_SIG_VERIF: + size_t svb_size =3D sizeof(Diag508SigVerifBlock); + + if (!diag_parm_addr_valid(addr, svb_size, true)) { + s390_program_interrupt(env, PGM_ADDRESSING, ra); + return; + } + + rc =3D handle_diag508_sig_verif(addr, svb_size, qcs); break; default: s390_program_interrupt(env, PGM_SPECIFICATION, ra); --=20 2.50.1
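Review bot: In the switch in handle_diag_508(), "case DIAG_508_SUBC_SIG_VERIF:" is followed directly by the declaration "size_t svb_size = sizeof(Diag508SigVerifBlock);". A declaration immediately after a label is not valid C before C23, and svb_size stays in scope at the "default:" label; wrap the case body in braces or declare svb_size at the top of the function. Separately, the query case now returns DIAG_508_SUBC_SIG_VERIF, reusing the subcode selector value as the "installed subcodes" answer, while the documentation describes that answer as a 64-bit mask; a dedicated mask constant would make clear that the two happen to coincide rather than being the same thing.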
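Review bot: In the include/hw/s390x/ipl/diag508.h hunk, DIAG_508_SUBC_SIG_VERIF is defined as 0x8000, which is the left-most bit of a 2-byte field, while the commit message says the subcode is selected by the second-to-left-most bit; one of the two needs correcting. The return codes and the Diag508SigVerifBlock layout are explained only in the commit message, so the "Subcode 1" entry added to docs/specs/s390x-secure-ipl.rst should list the DIAG_508_RC_* values and describe which fields the guest fills in and which QEMU writes back (cert_store_index, cert_len). The reserved fields are named reserved0, reserved and reserved1; consistent numbering would read better.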
From: Zhuoying Cai
To: thuth@redhat.com, berrange@redhat.com, richard.henderson@linaro.org, david@redhat.com, jrossi@linux.ibm.com, qemu-s390x@nongnu.org, qemu-devel@nongnu.org
Cc: walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com
Subject: [PATCH v6 13/28] pc-bios/s390-ccw: Introduce IPL Information Report Block (IIRB)
Date: Wed, 17 Sep 2025 19:21:15 -0400
Message-ID: <20250917232131.495848-14-zycai@linux.ibm.com>
In-Reply-To: <20250917232131.495848-1-zycai@linux.ibm.com>
References: <20250917232131.495848-1-zycai@linux.ibm.com>

The IPL information report block (IIRB) contains information used to locate IPL records and to report the results of signature verification of one or more secure components of the load device.

IIRB is stored immediately following the IPL Parameter Block. Results on component verification in any case (failure or success) are stored.

Signed-off-by: Zhuoying Cai
--- docs/specs/s390x-secure-ipl.rst | 14 ++++++++ pc-bios/s390-ccw/iplb.h | 62 +++++++++++++++++++++++++++++++++ 2 files changed, 76 insertions(+) diff --git a/docs/specs/s390x-secure-ipl.rst b/docs/specs/s390x-secure-ipl.= rst index eec368d17b..760a066084 100644 --- a/docs/specs/s390x-secure-ipl.rst +++ b/docs/specs/s390x-secure-ipl.rst
@@ -71,3 +71,17 @@ Subcode 1 - perform signature verification Perform signature-verification on a signed component, using certificat= es from the certificate store and leveraging qcrypto libraries to perform this operation. + + +IPL Information Report Block +---------------------------- + +The IPL Parameter Block (IPLPB), utilized for IPL operation, is extended w= ith an +IPL Information Report Block (IIRB), which contains the results from secur= e IPL +operations such as: + +* component data +* verification results +* certificate data + +The guest kernel will inspect the IIRB and build the keyring. diff --git a/pc-bios/s390-ccw/iplb.h b/pc-bios/s390-ccw/iplb.h index 08f259ff31..bdbc733e16 100644 --- a/pc-bios/s390-ccw/iplb.h +++ b/pc-bios/s390-ccw/iplb.h 
@@ -23,6 +23,68 @@ extern QemuIplParameters qipl; extern IplParameterBlock iplb __attribute__((__aligned__(PAGE_SIZE))); extern bool have_iplb; =20 +struct IplInfoReportBlockHeader { + uint32_t len; + uint8_t iirb_flags; + uint8_t reserved1[2]; + uint8_t version; + uint8_t reserved2[8]; +} __attribute__ ((packed)); +typedef struct IplInfoReportBlockHeader IplInfoReportBlockHeader; + +struct IplInfoBlockHeader { + uint32_t len; + uint8_t ibt; + uint8_t reserved1[3]; + uint8_t reserved2[8]; +} __attribute__ ((packed)); +typedef struct IplInfoBlockHeader IplInfoBlockHeader; + +enum IplIbt { + IPL_IBT_CERTIFICATES =3D 1, + IPL_IBT_COMPONENTS =3D 2, +}; + +struct IplSignatureCertificateEntry { + uint64_t addr; + uint64_t len; +} __attribute__ ((packed)); +typedef struct IplSignatureCertificateEntry IplSignatureCertificateEntry; + +struct IplSignatureCertificateList { + IplInfoBlockHeader ipl_info_header; + IplSignatureCertificateEntry cert_entries[MAX_CERTIFICATES]; +} __attribute__ ((packed)); +typedef struct IplSignatureCertificateList IplSignatureCertificateList; + +#define S390_IPL_COMPONENT_FLAG_SC 0x80 +#define S390_IPL_COMPONENT_FLAG_CSV 0x40 + +struct IplDeviceComponentEntry { + uint64_t addr; + uint64_t len; + uint8_t flags; + uint8_t reserved1[5]; + uint16_t cert_index; + uint8_t reserved2[8]; +} __attribute__ ((packed)); +typedef struct IplDeviceComponentEntry IplDeviceComponentEntry; + +struct IplDeviceComponentList { + IplInfoBlockHeader ipl_info_header; + IplDeviceComponentEntry device_entries[MAX_CERTIFICATES]; +} __attribute__ ((packed)); +typedef struct IplDeviceComponentList IplDeviceComponentList; + +#define COMP_LIST_MAX sizeof(IplDeviceComponentList) +#define CERT_LIST_MAX sizeof(IplSignatureCertificateList) + +struct IplInfoReportBlock { + IplInfoReportBlockHeader hdr; + uint8_t info_blks[COMP_LIST_MAX + CERT_LIST_MAX]; +} __attribute__ ((packed)); +typedef struct IplInfoReportBlock IplInfoReportBlock; + #define S390_IPL_TYPE_FCP 0x00 #define 
S390_IPL_TYPE_CCW 0x02 #define S390_IPL_TYPE_QEMU_SCSI 0xff --=20 2.50.1
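Review bot: In the pc-bios/s390-ccw/iplb.h hunk, IplDeviceComponentList sizes device_entries[] with MAX_CERTIFICATES, which ties the number of components that can be reported to the certificate limit; a separate component limit, with a comment on what the BIOS does when a load device has more components than slots, would make the bound explicit for whoever later writes into info_blks[]. The new structures also carry no field documentation: iirb_flags, the S390_IPL_COMPONENT_FLAG_SC and S390_IPL_COMPONENT_FLAG_CSV bits, and cert_index each need a one-line comment, since the docs hunk says the guest kernel inspects the IIRB to build its keyring and so depends on their exact meaning.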
From: Zhuoying Cai
To: thuth@redhat.com, berrange@redhat.com, richard.henderson@linaro.org, david@redhat.com, jrossi@linux.ibm.com, qemu-s390x@nongnu.org, qemu-devel@nongnu.org
Cc: walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com
Subject: [PATCH v6 14/28] pc-bios/s390-ccw: Define memory for IPLB and convert IPLB to pointers
Date: Wed, 17 Sep 2025 19:21:16 -0400
Message-ID: <20250917232131.495848-15-zycai@linux.ibm.com>
In-Reply-To: <20250917232131.495848-1-zycai@linux.ibm.com>
References: <20250917232131.495848-1-zycai@linux.ibm.com>

Define a memory space for both IPL Parameter Block (IPLB) and IPL Information Report Block (IIRB) since IIRB is stored immediately following IPLB.

Convert IPLB to pointer and it points to the start of the defined memory space. IIRB points to the end of IPLB.

Signed-off-by: Zhuoying Cai
--- pc-bios/s390-ccw/iplb.h | 12 ++++++++++-- pc-bios/s390-ccw/jump2ipl.c | 6 +++--- pc-bios/s390-ccw/main.c | 34 +++++++++++++++++++--------------- pc-bios/s390-ccw/netmain.c | 8 ++++---- 4 files changed, 36 insertions(+), 24 deletions(-) diff --git a/pc-bios/s390-ccw/iplb.h b/pc-bios/s390-ccw/iplb.h index bdbc733e16..11302e004d 100644 --- a/pc-bios/s390-ccw/iplb.h +++ b/pc-bios/s390-ccw/iplb.h
@@ -20,7 +20,7 @@ #include =20 extern QemuIplParameters qipl; -extern IplParameterBlock iplb __attribute__((__aligned__(PAGE_SIZE))); +extern IplParameterBlock *iplb; extern bool have_iplb; =20 struct IplInfoReportBlockHeader { @@ -85,6 +85,14 @@ struct IplInfoReportBlock { } __attribute__ ((packed)); typedef struct IplInfoReportBlock IplInfoReportBlock; =20 +struct IplBlocks { + IplParameterBlock iplb; + IplInfoReportBlock iirb; +} __attribute__ ((packed)); +typedef struct IplBlocks IplBlocks; + +extern IplBlocks ipl_data __attribute__((__aligned__(PAGE_SIZE))); + #define S390_IPL_TYPE_FCP 0x00 #define S390_IPL_TYPE_CCW 0x02 #define S390_IPL_TYPE_QEMU_SCSI 0xff @@ -127,7 +135,7 @@ static inline bool load_next_iplb(void) =20 qipl.index++; next_iplb =3D (IplParameterBlock *) qipl.next_iplb; - memcpy(&iplb, next_iplb, sizeof(IplParameterBlock)); + memcpy(iplb, next_iplb, sizeof(IplParameterBlock)); =20 qipl.chain_len--; qipl.next_iplb =3D qipl.next_iplb + sizeof(IplParameterBlock); diff --git a/pc-bios/s390-ccw/jump2ipl.c b/pc-bios/s390-ccw/jump2ipl.c index 86321d0f46..fa2ca5cbe1 100644 --- a/pc-bios/s390-ccw/jump2ipl.c +++ b/pc-bios/s390-ccw/jump2ipl.c @@ -43,11 +43,11 @@ int jump_to_IPL_code(uint64_t address) * The IPLB for QEMU SCSI type devices must be rebuilt during re-ipl. = The * iplb.devno is set to the boot position of the target SCSI device. */ - if (iplb.pbt =3D=3D S390_IPL_TYPE_QEMU_SCSI) { - iplb.devno =3D qipl.index; + if (iplb->pbt =3D=3D S390_IPL_TYPE_QEMU_SCSI) { + iplb->devno =3D qipl.index; } =20 - if (have_iplb && !set_iplb(&iplb)) { + if (have_iplb && !set_iplb(iplb)) { panic("Failed to set IPLB"); } =20 diff --git a/pc-bios/s390-ccw/main.c b/pc-bios/s390-ccw/main.c index 76bf743900..c9328f1c51 100644 --- a/pc-bios/s390-ccw/main.c +++ b/pc-bios/s390-ccw/main.c 
@@ -22,7 +22,9 @@ static SubChannelId blk_schid =3D { .one =3D 1 }; static char loadparm_str[LOADPARM_LEN + 1]; QemuIplParameters qipl; -IplParameterBlock iplb __attribute__((__aligned__(PAGE_SIZE))); +/* Ensure that IPLB and IIRB are page aligned and sequential in memory */ +IplBlocks ipl_data; +IplParameterBlock *iplb; bool have_iplb; static uint16_t cutype; LowCore *lowcore; /* Yes, this *is* a pointer to address 0 */ @@ -51,7 +53,7 @@ void write_subsystem_identification(void) void write_iplb_location(void) { if (cutype =3D=3D CU_TYPE_VIRTIO && virtio_get_device_type() !=3D VIRT= IO_ID_NET) { - lowcore->ptr_iplb =3D ptr2u32(&iplb); + lowcore->ptr_iplb =3D ptr2u32(iplb); } } =20 @@ -162,7 +164,7 @@ static void menu_setup(void) return; } =20 - switch (iplb.pbt) { + switch (iplb->pbt) { case S390_IPL_TYPE_CCW: case S390_IPL_TYPE_QEMU_SCSI: menu_set_parms(qipl.qipl_flags & BOOT_MENU_FLAG_MASK, @@ -191,8 +193,8 @@ static void boot_setup(void) { char lpmsg[] =3D "LOADPARM=3D[________]\n"; =20 - if (have_iplb && memcmp(iplb.loadparm, NO_LOADPARM, LOADPARM_LEN) !=3D= 0) { - ebcdic_to_ascii((char *) iplb.loadparm, loadparm_str, LOADPARM_LEN= ); + if (have_iplb && memcmp(iplb->loadparm, NO_LOADPARM, LOADPARM_LEN) != =3D 0) { + ebcdic_to_ascii((char *) iplb->loadparm, loadparm_str, LOADPARM_LE= N); } else { sclp_get_loadparm_ascii(loadparm_str); } 
@@ -216,21 +218,21 @@ static bool find_boot_device(void) VDev *vdev =3D virtio_get_device(); bool found =3D false; =20 - switch (iplb.pbt) { + switch (iplb->pbt) { case S390_IPL_TYPE_CCW: vdev->scsi_device_selected =3D false; - debug_print_int("device no. ", iplb.ccw.devno); - blk_schid.ssid =3D iplb.ccw.ssid & 0x3; + debug_print_int("device no. ", iplb->ccw.devno); + blk_schid.ssid =3D iplb->ccw.ssid & 0x3; debug_print_int("ssid ", blk_schid.ssid); - found =3D find_subch(iplb.ccw.devno); + found =3D find_subch(iplb->ccw.devno); break; case S390_IPL_TYPE_QEMU_SCSI: vdev->scsi_device_selected =3D true; - vdev->selected_scsi_device.channel =3D iplb.scsi.channel; - vdev->selected_scsi_device.target =3D iplb.scsi.target; - vdev->selected_scsi_device.lun =3D iplb.scsi.lun; - blk_schid.ssid =3D iplb.scsi.ssid & 0x3; - found =3D find_subch(iplb.scsi.devno); + vdev->selected_scsi_device.channel =3D iplb->scsi.channel; + vdev->selected_scsi_device.target =3D iplb->scsi.target; + vdev->selected_scsi_device.lun =3D iplb->scsi.lun; + blk_schid.ssid =3D iplb->scsi.ssid & 0x3; + found =3D find_subch(iplb->scsi.devno); break; default: puts("Unsupported IPLB"); @@ -311,10 +313,12 @@ static void probe_boot_device(void) =20 void main(void) { + iplb =3D &ipl_data.iplb; + copy_qipl(); sclp_setup(); css_setup(); - have_iplb =3D store_iplb(&iplb); + have_iplb =3D store_iplb(iplb); if (!have_iplb) { boot_setup(); probe_boot_device(); diff --git a/pc-bios/s390-ccw/netmain.c b/pc-bios/s390-ccw/netmain.c index a9521dff41..457fbc3095 100644 --- a/pc-bios/s390-ccw/netmain.c +++ b/pc-bios/s390-ccw/netmain.c 
@@ -528,11 +528,11 @@ static bool virtio_setup(void) */ enable_mss_facility(); =20 - if (have_iplb || store_iplb(&iplb)) { - IPL_assert(iplb.pbt =3D=3D S390_IPL_TYPE_CCW, "IPL_TYPE_CCW expect= ed"); - dev_no =3D iplb.ccw.devno; + if (have_iplb || store_iplb(iplb)) { + IPL_assert(iplb->pbt =3D=3D S390_IPL_TYPE_CCW, "IPL_TYPE_CCW expec= ted"); + dev_no =3D iplb->ccw.devno; debug_print_int("device no. ", dev_no); - net_schid.ssid =3D iplb.ccw.ssid & 0x3; + net_schid.ssid =3D iplb->ccw.ssid & 0x3; debug_print_int("ssid ", net_schid.ssid); found =3D find_net_dev(&schib, dev_no); } else { --=20 2.50.1
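Review bot: In pc-bios/s390-ccw/main.c, iplb becomes a global pointer that is assigned only at the top of main() (iplb = &ipl_data.iplb), and the same file notes that lowcore is a pointer to address 0, so any use of iplb before that assignment would access low core instead of a parameter block; initialising the pointer statically at its definition (IplParameterBlock *iplb = &ipl_data.iplb;) removes the ordering dependency. In the same hunk the definition "IplBlocks ipl_data;" sits under a comment promising page alignment, but the __aligned__(PAGE_SIZE) attribute now appears only on the extern declaration in iplb.h; repeating it on the definition, as the removed iplb definition did, keeps the guarantee next to the object it applies to. The commit message says "IIRB points to the end of IPLB", yet no IIRB pointer is introduced in this patch; either add it here or drop the sentence.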
From: Zhuoying Cai
To: thuth@redhat.com, berrange@redhat.com, richard.henderson@linaro.org, david@redhat.com, jrossi@linux.ibm.com, qemu-s390x@nongnu.org, qemu-devel@nongnu.org
Cc: walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com
Subject: [PATCH v6 15/28] hw/s390x/ipl: Add IPIB flags to IPL Parameter Block
Date: Wed, 17 Sep 2025 19:21:17 -0400
Message-ID: <20250917232131.495848-16-zycai@linux.ibm.com>
In-Reply-To: <20250917232131.495848-1-zycai@linux.ibm.com>
References: <20250917232131.495848-1-zycai@linux.ibm.com>

Add IPIB flags to IPL Parameter Block to determine if IPL needs to perform securely and if IPL Information Report Block (IIRB) exists. Move DIAG308 flags to a separated header file and add flags for secure IPL. Secure boot in audit mode will perform if certificate(s) exist in the key store. IIRB will exist and results of verification will be stored in IIRB. To ensure proper alignment of the IIRB and prevent overlap, set iplb->len to the maximum length of the IPLB, allowing alignment constraints to be determined based on its size.
Signed-off-by: Zhuoying Cai --- hw/s390x/ipl.c | 17 +++++++++++++++++ hw/s390x/ipl.h | 18 +----------------- include/hw/s390x/ipl/diag308.h | 34 ++++++++++++++++++++++++++++++++++ include/hw/s390x/ipl/qipl.h | 5 ++++- 4 files changed, 56 insertions(+), 18 deletions(-) create mode 100644 include/hw/s390x/ipl/diag308.h diff --git a/hw/s390x/ipl.c b/hw/s390x/ipl.c index 917166ba31..c1360905c4 100644 --- a/hw/s390x/ipl.c +++ b/hw/s390x/ipl.c @@ -494,6 +494,23 @@ static bool s390_build_iplb(DeviceState *dev_st, IplPa= rameterBlock *iplb) s390_ipl_convert_loadparm((char *)lp, iplb->loadparm); iplb->flags |=3D DIAG308_FLAGS_LP_VALID; =20 + /* + * Secure boot in audit mode will perform + * if certificate(s) exist in the key store. + * + * IPL Information Report Block (IIRB) will exist + * for secure boot in audit mode. + * + * Results of secure boot will be stored in IIRB. + */ + if (s390_has_certificate()) { + iplb->hdr_flags |=3D DIAG308_IPIB_FLAGS_IPLIR; + } + + if (iplb->hdr_flags & DIAG308_IPIB_FLAGS_IPLIR) { + iplb->len =3D cpu_to_be32(S390_IPLB_MAX_LEN); + } + return true; } =20 diff --git a/hw/s390x/ipl.h b/hw/s390x/ipl.h index e26fc1cd6a..01922d80c4 100644 --- a/hw/s390x/ipl.h +++ b/hw/s390x/ipl.h @@ -23,7 +23,6 @@ #include "qom/object.h" #include "target/s390x/kvm/pv.h" =20 -#define DIAG308_FLAGS_LP_VALID 0x80 #define MAX_BOOT_DEVS 8 /* Max number of devices that may have a bootindex= */ =20 void s390_ipl_convert_loadparm(char *ascii_lp, uint8_t *ebcdic_lp); 
@@ -91,22 +90,6 @@ struct S390IPLState { }; QEMU_BUILD_BUG_MSG(offsetof(S390IPLState, iplb) & 3, "alignment of iplb wr= ong"); =20 -#define DIAG_308_RC_OK 0x0001 -#define DIAG_308_RC_NO_CONF 0x0102 -#define DIAG_308_RC_INVALID 0x0402 -#define DIAG_308_RC_NO_PV_CONF 0x0902 -#define DIAG_308_RC_INVAL_FOR_PV 0x0a02 - -#define DIAG308_RESET_MOD_CLR 0 -#define DIAG308_RESET_LOAD_NORM 1 -#define DIAG308_LOAD_CLEAR 3 -#define DIAG308_LOAD_NORMAL_DUMP 4 -#define DIAG308_SET 5 -#define DIAG308_STORE 6 -#define DIAG308_PV_SET 8 -#define DIAG308_PV_STORE 9 -#define DIAG308_PV_START 10 - #define S390_IPL_TYPE_FCP 0x00 #define S390_IPL_TYPE_CCW 0x02 #define S390_IPL_TYPE_PV 0x05 @@ -117,6 +100,7 @@ QEMU_BUILD_BUG_MSG(offsetof(S390IPLState, iplb) & 3, "a= lignment of iplb wrong"); #define S390_IPLB_MIN_CCW_LEN 200 #define S390_IPLB_MIN_FCP_LEN 384 #define S390_IPLB_MIN_QEMU_SCSI_LEN 200 +#define S390_IPLB_MAX_LEN 4096 =20 static inline bool diag_parm_addr_valid(uint64_t addr, size_t size, bool w= rite) { diff --git a/include/hw/s390x/ipl/diag308.h b/include/hw/s390x/ipl/diag308.h new file mode 100644 index 0000000000..6e62f29215 --- /dev/null +++ b/include/hw/s390x/ipl/diag308.h 
@@ -0,0 +1,34 @@ +/* + * S/390 DIAGNOSE 308 definitions and structures + * + * Copyright 2025 IBM Corp. + * Author(s): Zhuoying Cai + * + * SPDX-License-Identifier: GPL-2.0-or-later + */ + +#ifndef S390X_DIAG308_H +#define S390X_DIAG308_H + +#define DIAG_308_RC_OK 0x0001 +#define DIAG_308_RC_NO_CONF 0x0102 +#define DIAG_308_RC_INVALID 0x0402 +#define DIAG_308_RC_NO_PV_CONF 0x0902 +#define DIAG_308_RC_INVAL_FOR_PV 0x0a02 + +#define DIAG308_RESET_MOD_CLR 0 +#define DIAG308_RESET_LOAD_NORM 1 +#define DIAG308_LOAD_CLEAR 3 +#define DIAG308_LOAD_NORMAL_DUMP 4 +#define DIAG308_SET 5 +#define DIAG308_STORE 6 +#define DIAG308_PV_SET 8 +#define DIAG308_PV_STORE 9 +#define DIAG308_PV_START 10 + +#define DIAG308_FLAGS_LP_VALID 0x80 + +#define DIAG308_IPIB_FLAGS_SIPL 0x40 +#define DIAG308_IPIB_FLAGS_IPLIR 0x20 + +#endif diff --git a/include/hw/s390x/ipl/qipl.h b/include/hw/s390x/ipl/qipl.h index e505f44020..5c2bf3051c 100644 --- a/include/hw/s390x/ipl/qipl.h +++ b/include/hw/s390x/ipl/qipl.h @@ -12,6 +12,8 @@ #ifndef S390X_QIPL_H #define S390X_QIPL_H =20 +#include "diag308.h" + /* Boot Menu flags */ #define QIPL_FLAG_BM_OPTS_CMD 0x80 #define QIPL_FLAG_BM_OPTS_ZIPL 0x40 
@@ -103,7 +105,8 @@ typedef struct IplBlockQemuScsi IplBlockQemuScsi; union IplParameterBlock { struct { uint32_t len; - uint8_t reserved0[3]; + uint8_t hdr_flags; + uint8_t reserved0[2]; uint8_t version; uint32_t blk0_len; uint8_t pbt; --=20 2.50.1
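Review bot: in the s390_build_iplb() hunk of hw/s390x/ipl.c, iplb->len is overwritten with S390_IPLB_MAX_LEN whenever DIAG308_IPIB_FLAGS_IPLIR is set, so len stops describing the populated part of the block, and S390_IPLB_MAX_LEN is introduced in ipl.h as a bare 4096. Any consumer that copies or validates len bytes now relies on IplParameterBlock being at least that large; a build-time assertion tying sizeof(IplParameterBlock) to S390_IPLB_MAX_LEN next to the define would make that a guarantee instead of an assumption. The two consecutive if blocks also test the same condition as far as this hunk shows and could be merged, unless hdr_flags can carry IPLIR from another path, in which case the comment should say so.

Review bot: in the new include/hw/s390x/ipl/diag308.h, DIAG308_IPIB_FLAGS_SIPL and DIAG308_IPIB_FLAGS_IPLIR sit directly under DIAG308_FLAGS_LP_VALID with no comment, although the ipl.c hunk applies the former to iplb->hdr_flags and the latter to iplb->flags. A one-line comment per group naming the field each set of bits belongs to, and a matching comment on the new hdr_flags member in qipl.h, would keep the two flag spaces from being mixed up.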
From: Zhuoying Cai
To: thuth@redhat.com, berrange@redhat.com, richard.henderson@linaro.org, david@redhat.com, jrossi@linux.ibm.com, qemu-s390x@nongnu.org, qemu-devel@nongnu.org
Cc: walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com
Subject: [PATCH v6 16/28] s390x: Guest support for Secure-IPL Facility
Date: Wed, 17 Sep 2025 19:21:18 -0400
Message-ID: <20250917232131.495848-17-zycai@linux.ibm.com>
In-Reply-To: <20250917232131.495848-1-zycai@linux.ibm.com>
References: <20250917232131.495848-1-zycai@linux.ibm.com>

Introduce Secure-IPL (SIPL) facility. Use fac_ipl to represent bytes 136 and 137 for IPL device facilities of the SCLP Read Info block. Availability of SIPL facility is determined by byte 136 bit 1 of the SCLP Read Info block. Byte 136's facilities cannot be represented without the availability of the extended-length-SCCB, so add it as a check for consistency. Secure IPL is not available for guests under protected virtualization. This feature is available starting with the gen16 CPU model.
Signed-off-by: Zhuoying Cai Reviewed-by: Collin Walling --- hw/s390x/sclp.c | 2 ++ include/hw/s390x/sclp.h | 4 +++- target/s390x/cpu_features.c | 4 ++++ target/s390x/cpu_features.h | 1 + target/s390x/cpu_features_def.h.inc | 3 +++ target/s390x/cpu_models.c | 2 ++ target/s390x/gen-features.c | 2 ++ target/s390x/kvm/kvm.c | 3 +++ 8 files changed, 20 insertions(+), 1 deletion(-) diff --git a/hw/s390x/sclp.c b/hw/s390x/sclp.c index 9718564fa4..69d3328a3d 100644 --- a/hw/s390x/sclp.c +++ b/hw/s390x/sclp.c @@ -145,6 +145,8 @@ static void read_SCP_info(SCLPDevice *sclp, SCCB *sccb) if (s390_has_feat(S390_FEAT_EXTENDED_LENGTH_SCCB)) { s390_get_feat_block(S390_FEAT_TYPE_SCLP_FAC134, &read_info->fac134); + s390_get_feat_block(S390_FEAT_TYPE_SCLP_FAC_IPL, + read_info->fac_ipl); } =20 read_info->facilities =3D cpu_to_be64(SCLP_HAS_CPU_INFO | diff --git a/include/hw/s390x/sclp.h b/include/hw/s390x/sclp.h index d32f6180e0..bfd330c340 100644 --- a/include/hw/s390x/sclp.h +++ b/include/hw/s390x/sclp.h @@ -136,7 +136,9 @@ typedef struct ReadInfo { uint32_t hmfai; uint8_t _reserved7[134 - 128]; /* 128-133 */ uint8_t fac134; - uint8_t _reserved8[144 - 135]; /* 135-143 */ + uint8_t _reserved8; + uint8_t fac_ipl[2]; /* 136-137 */ + uint8_t _reserved9[144 - 137]; /* 138-143 */ struct CPUEntry entries[]; /* * When the Extended-Length SCCB (ELS) feature is enabled the diff --git a/target/s390x/cpu_features.c b/target/s390x/cpu_features.c index 436471f4b4..200bd8c15b 100644 --- a/target/s390x/cpu_features.c +++ b/target/s390x/cpu_features.c @@ -119,6 +119,7 @@ void s390_fill_feat_block(const S390FeatBitmap features= , S390FeatType type, * Some facilities are not available for CPUs in protected mode: * - All SIE facilities because SIE is not available * - DIAG318 + * - Secure IPL Facility * * As VMs can move in and out of protected mode the CPU model * doesn't protect us from that problem because it is only 
@@ -149,6 +150,9 @@ void s390_fill_feat_block(const S390FeatBitmap features= , S390FeatType type, clear_be_bit(s390_feat_def(S390_FEAT_DIAG_318)->bit, data); clear_be_bit(s390_feat_def(S390_FEAT_CERT_STORE)->bit, data); break; + case S390_FEAT_TYPE_SCLP_FAC_IPL: + clear_be_bit(s390_feat_def(S390_FEAT_SIPL)->bit, data); + break; default: return; } diff --git a/target/s390x/cpu_features.h b/target/s390x/cpu_features.h index 5635839d03..b038198555 100644 --- a/target/s390x/cpu_features.h +++ b/target/s390x/cpu_features.h @@ -24,6 +24,7 @@ typedef enum { S390_FEAT_TYPE_SCLP_CONF_CHAR, S390_FEAT_TYPE_SCLP_CONF_CHAR_EXT, S390_FEAT_TYPE_SCLP_FAC134, + S390_FEAT_TYPE_SCLP_FAC_IPL, S390_FEAT_TYPE_SCLP_CPU, S390_FEAT_TYPE_MISC, S390_FEAT_TYPE_PLO, diff --git a/target/s390x/cpu_features_def.h.inc b/target/s390x/cpu_feature= s_def.h.inc index 941a69e013..55eef618b8 100644 --- a/target/s390x/cpu_features_def.h.inc +++ b/target/s390x/cpu_features_def.h.inc @@ -140,6 +140,9 @@ DEF_FEAT(SIE_IBS, "ibs", SCLP_CONF_CHAR_EXT, 10, "SIE: = Interlock-and-broadcast-s DEF_FEAT(DIAG_318, "diag318", SCLP_FAC134, 0, "Control program name and ve= rsion codes") DEF_FEAT(CERT_STORE, "cstore", SCLP_FAC134, 5, "Provide Certificate Store = functions") =20 +/* Features exposed via SCLP SCCB Facilities byte 136 - 137 (bit numbers r= elative to byte-136) */ +DEF_FEAT(SIPL, "sipl", SCLP_FAC_IPL, 1, "Secure-IPL facility") + /* Features exposed via SCLP CPU info. */ DEF_FEAT(SIE_F2, "sief2", SCLP_CPU, 4, "SIE: interception format 2 (Virtua= l SIE)") DEF_FEAT(SIE_SKEY, "skey", SCLP_CPU, 5, "SIE: Storage-key facility") diff --git a/target/s390x/cpu_models.c b/target/s390x/cpu_models.c index 6b8471700e..f99536ef9a 100644 --- a/target/s390x/cpu_models.c +++ b/target/s390x/cpu_models.c @@ -263,6 +263,7 @@ bool s390_has_feat(S390Feat feat) case S390_FEAT_SIE_CMMA: case S390_FEAT_SIE_PFMFI: case S390_FEAT_SIE_IBS: + case S390_FEAT_SIPL: case S390_FEAT_CONFIGURATION_TOPOLOGY: return false; break; 
@@ -507,6 +508,7 @@ static void check_consistency(const S390CPUModel *model) { S390_FEAT_AP_QUEUE_INTERRUPT_CONTROL, S390_FEAT_AP }, { S390_FEAT_DIAG_318, S390_FEAT_EXTENDED_LENGTH_SCCB }, { S390_FEAT_CERT_STORE, S390_FEAT_EXTENDED_LENGTH_SCCB }, + { S390_FEAT_SIPL, S390_FEAT_EXTENDED_LENGTH_SCCB }, { S390_FEAT_NNPA, S390_FEAT_VECTOR }, { S390_FEAT_RDP, S390_FEAT_LOCAL_TLB_CLEARING }, { S390_FEAT_UV_FEAT_AP, S390_FEAT_AP }, diff --git a/target/s390x/gen-features.c b/target/s390x/gen-features.c index 6c20c3a862..bd2060ab93 100644 --- a/target/s390x/gen-features.c +++ b/target/s390x/gen-features.c @@ -721,6 +721,7 @@ static uint16_t full_GEN16_GA1[] =3D { S390_FEAT_UV_FEAT_AP, S390_FEAT_UV_FEAT_AP_INTR, S390_FEAT_CERT_STORE, + S390_FEAT_SIPL, }; =20 static uint16_t full_GEN17_GA1[] =3D { @@ -922,6 +923,7 @@ static uint16_t qemu_MAX[] =3D { S390_FEAT_PRNO_TRNG, S390_FEAT_EXTENDED_LENGTH_SCCB, S390_FEAT_CERT_STORE, + S390_FEAT_SIPL, }; =20 /****** END FEATURE DEFS ******/ diff --git a/target/s390x/kvm/kvm.c b/target/s390x/kvm/kvm.c index ae6cd3d506..31bd574dec 100644 --- a/target/s390x/kvm/kvm.c +++ b/target/s390x/kvm/kvm.c 
@@ -2520,6 +2520,9 @@ bool kvm_s390_get_host_cpu_model(S390CPUModel *model,= Error **errp) =20 set_bit(S390_FEAT_CERT_STORE, model->features); =20 + /* Some Secure IPL facilities are emulated by QEMU */ + set_bit(S390_FEAT_SIPL, model->features); + /* Test for Ultravisor features that influence secure guest behavior */ query_uv_feat_guest(model->features); =20 --=20 2.50.1
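Review bot: the ReadInfo hunk in include/hw/s390x/sclp.h grows the structure by one byte. _reserved8 (byte 135) plus fac_ipl[2] (136-137) plus _reserved9[144 - 137] is 1 + 2 + 7 = 10 bytes, where the old _reserved8[144 - 135] was 9, so entries[] moves from offset 144 to 145 and every CPU entry the guest reads is shifted. The comment on _reserved9 says 138-143, which is six bytes, so the size should be 144 - 138; a build-time check on offsetof(ReadInfo, entries) would catch this kind of slip.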
From: Zhuoying Cai
To: thuth@redhat.com, berrange@redhat.com, richard.henderson@linaro.org, david@redhat.com, jrossi@linux.ibm.com, qemu-s390x@nongnu.org, qemu-devel@nongnu.org
Cc: walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com
Subject: [PATCH v6 17/28] pc-bios/s390-ccw: Refactor zipl_run()
Date: Wed, 17 Sep 2025 19:21:19 -0400
Message-ID: <20250917232131.495848-18-zycai@linux.ibm.com>
In-Reply-To: <20250917232131.495848-1-zycai@linux.ibm.com>
References: <20250917232131.495848-1-zycai@linux.ibm.com>

Refactor to enhance readability before enabling secure IPL in later patches. Signed-off-by: Zhuoying Cai --- pc-bios/s390-ccw/bootmap.c | 49 ++++++++++++++++++++++++-------------- 1 file changed, 31 insertions(+), 18 deletions(-) diff --git a/pc-bios/s390-ccw/bootmap.c b/pc-bios/s390-ccw/bootmap.c index 0f8baa0198..ff0fa78cf0 100644 --- a/pc-bios/s390-ccw/bootmap.c +++ b/pc-bios/s390-ccw/bootmap.c 
@@ -674,6 +674,35 @@ static int zipl_load_segment(ComponentEntry *entry) return 0; } =20 +static int zipl_run_normal(ComponentEntry **entry_ptr, uint8_t *tmp_sec) +{ + ComponentEntry *entry =3D *entry_ptr; + + while (entry->component_type =3D=3D ZIPL_COMP_ENTRY_LOAD || + entry->component_type =3D=3D ZIPL_COMP_ENTRY_SIGNATURE) { + + /* Secure boot is off, so we skip signature entries */ + if (entry->component_type =3D=3D ZIPL_COMP_ENTRY_SIGNATURE) { + entry++; + continue; + } + + if (zipl_load_segment(entry)) { + return -1; + } + + entry++; + + if ((uint8_t *)&entry[1] > tmp_sec + MAX_SECTOR_SIZE) { + puts("Wrong entry value"); + return -EINVAL; + } + } + + *entry_ptr =3D entry; + return 0; +} + /* Run a zipl program */ static int zipl_run(ScsiBlockPtr *pte) { 
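Review bot: In zipl_run_normal() the bounds check against tmp_sec + MAX_SECTOR_SIZE only runs after a load entry; the ZIPL_COMP_ENTRY_SIGNATURE branch does `entry++; continue;` and goes straight back to the `while` condition, which then reads entry->component_type with no check at all. A component table made up of consecutive signature entries therefore walks past the end of the sector buffer. The old loop had the same gap, but since this helper is being split out ahead of secure IPL, it is a good moment to run the check after every `entry++`, for example by restructuring the loop so that both paths share one increment followed by the check. The helper also returns -1 for a load failure and -EINVAL for a bad entry; a short comment on the return convention would help callers.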
@@ -700,25 +729,9 @@ static int zipl_run(ScsiBlockPtr *pte) =20 /* Load image(s) into RAM */ entry =3D (ComponentEntry *)(&header[1]); - while (entry->component_type =3D=3D ZIPL_COMP_ENTRY_LOAD || - entry->component_type =3D=3D ZIPL_COMP_ENTRY_SIGNATURE) { - - /* We don't support secure boot yet, so we skip signature entries = */ - if (entry->component_type =3D=3D ZIPL_COMP_ENTRY_SIGNATURE) { - entry++; - continue; - } =20 - if (zipl_load_segment(entry)) { - return -1; - } - - entry++; - - if ((uint8_t *)(&entry[1]) > (tmp_sec + MAX_SECTOR_SIZE)) { - puts("Wrong entry value"); - return -EINVAL; - } + if (zipl_run_normal(&entry, tmp_sec)) { + return -1; } =20 if (entry->component_type !=3D ZIPL_COMP_ENTRY_EXEC) { --=20 2.50.1
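Review bot: The call site `if (zipl_run_normal(&entry, tmp_sec)) { return -1; }` in zipl_run() changes what the function returns for a malformed component table: the removed loop returned -EINVAL after printing "Wrong entry value", while the new code flattens every non-zero result from the helper to -1. For a patch described as a readability refactor, the helper's return value should be propagated unchanged, for instance by storing it in a local and returning that local when it is non-zero.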
From: Zhuoying Cai
To: thuth@redhat.com, berrange@redhat.com, richard.henderson@linaro.org, david@redhat.com, jrossi@linux.ibm.com, qemu-s390x@nongnu.org, qemu-devel@nongnu.org
Cc: walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com
Subject: [PATCH v6 18/28] pc-bios/s390-ccw: Rework zipl_load_segment function
Date: Wed, 17 Sep 2025 19:21:20 -0400
Message-ID: <20250917232131.495848-19-zycai@linux.ibm.com>
In-Reply-To: <20250917232131.495848-1-zycai@linux.ibm.com>
References: <20250917232131.495848-1-zycai@linux.ibm.com>

Make the address variable a parameter of zipl_load_segment and return segment length.

Modify this function to allow the caller to specify a memory address where segment data should be loaded into.

seg_len variable is necessary to store the calculated segment length and is used during signature verification. Return the length on success, or a negative return code on failure.

Signed-off-by: Zhuoying Cai
Reviewed-by: Thomas Huth
---
 pc-bios/s390-ccw/bootmap.c | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/pc-bios/s390-ccw/bootmap.c b/pc-bios/s390-ccw/bootmap.c
index ff0fa78cf0..4f54c643ff 100644
--- a/pc-bios/s390-ccw/bootmap.c
+++ b/pc-bios/s390-ccw/bootmap.c
@@ -613,19 +613,22 @@ static int ipl_eckd(void) * IPL a SCSI disk */ =20 -static int zipl_load_segment(ComponentEntry *entry) +/* + * Returns: length of the segment on sucess, + * negative value on error. + */ +static int zipl_load_segment(ComponentEntry *entry, uint64_t address) { const int max_entries =3D (MAX_SECTOR_SIZE / sizeof(ScsiBlockPtr)); ScsiBlockPtr *bprs =3D (void *)sec; const int bprs_size =3D sizeof(sec); block_number_t blockno; - uint64_t address; int i; char err_msg[] =3D "zIPL failed to read BPRS at 0xZZZZZZZZZZZZZZZZ"; char *blk_no =3D &err_msg[30]; /* where to print blockno in (those ZZs= ) */ + int seg_len =3D 0; =20 blockno =3D entry->data.blockno; - address =3D entry->compdat.load_addr; =20 debug_print_int("loading segment at block", blockno); debug_print_int("addr", address); @@ -668,10 +671,12 @@ static int zipl_load_segment(ComponentEntry *entry) puts("zIPL load segment failed"); return -EIO; } + + seg_len +=3D bprs->size * (bprs[i].blockct + 1); } } while (blockno); =20 - return 0; + return seg_len; } =20 static int zipl_run_normal(ComponentEntry **entry_ptr, uint8_t *tmp_sec) 
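Review bot: The accumulation `seg_len += bprs->size * (bprs[i].blockct + 1)` in the second hunk takes the block size from the first pointer in the sector (bprs->size is bprs[0].size) but the block count from entry i. If the pointers in one sector are not guaranteed to share a block size, the computed length is wrong, and the commit message says this length feeds signature verification; please use bprs[i].size or add a comment stating the invariant. seg_len is also a plain `int` that doubles as the error channel: the sum over the whole do/while can overflow or go negative for a large or malformed pointer list, and the caller in zipl_run_normal() treats any value `< 0` as a load failure. An overflow check on the addition, or returning the length through an unsigned 64-bit out parameter and keeping the int for the status, would keep the two meanings apart.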
@@ -687,7 +692,7 @@ static int zipl_run_normal(ComponentEntry **entry_ptr, = uint8_t *tmp_sec) continue; } =20 - if (zipl_load_segment(entry)) { + if (zipl_load_segment(entry, entry->compdat.load_addr) < 0) { return -1; } =20 --=20 2.50.1
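Review bot: The new comment above zipl_load_segment() in the first hunk misspells "success" as "sucess", and it does not say in which unit the length is returned or that `address` is now taken from the caller without any check inside the function. Since the only caller in this patch passes entry->compdat.load_addr and uses the result solely for the `< 0` test, the comment is the one place a later caller can learn the contract; please fix the typo and document the unit and the fact that the caller is responsible for the destination range.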
From: Zhuoying Cai
To: thuth@redhat.com, berrange@redhat.com, richard.henderson@linaro.org, david@redhat.com, jrossi@linux.ibm.com, qemu-s390x@nongnu.org, qemu-devel@nongnu.org
Cc: walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com
Subject: [PATCH v6 19/28] pc-bios/s390-ccw: Add signature verification for secure IPL in audit mode
Date: Wed, 17 Sep 2025 19:21:21 -0400
Message-ID: <20250917232131.495848-20-zycai@linux.ibm.com>
In-Reply-To: <20250917232131.495848-1-zycai@linux.ibm.com>
References: <20250917232131.495848-1-zycai@linux.ibm.com>

Enable secure IPL in audit mode, which performs signature verification, but any error does not terminate the boot process. Only warnings will be logged to the console instead.

Add a comp_len variable to store the length of a segment in zipl_load_segment. comp_len variable is necessary to store the calculated segment length and is used during signature verification. Return the length on success, or a negative return code on failure.

Secure IPL in audit mode requires at least one certificate provided in the key store along with necessary facilities (Secure IPL Facility, Certificate Store Facility and secure IPL extension support).

Note: Secure IPL in audit mode is implemented for the SCSI scheme of virtio-blk/virtio-scsi devices.

Signed-off-by: Zhuoying Cai
---
 docs/system/s390x/secure-ipl.rst | 36 +++
 pc-bios/s390-ccw/Makefile | 3 +-
 pc-bios/s390-ccw/bootmap.c | 39 +++-
 pc-bios/s390-ccw/bootmap.h | 11 +
 pc-bios/s390-ccw/main.c | 9 +
 pc-bios/s390-ccw/s390-ccw.h | 15 ++
 pc-bios/s390-ccw/sclp.c | 44 ++++
 pc-bios/s390-ccw/sclp.h | 6 +
 pc-bios/s390-ccw/secure-ipl.c | 371 +++++++++++++++++++++++++++++++
 pc-bios/s390-ccw/secure-ipl.h | 99 +++++++++
 10 files changed, 630 insertions(+), 3 deletions(-)
 create mode 100644 pc-bios/s390-ccw/secure-ipl.c
 create mode 100644 pc-bios/s390-ccw/secure-ipl.h

diff --git a/docs/system/s390x/secure-ipl.rst b/docs/system/s390x/secure-ipl.rst
index 92c1bb2153..701594b9de 100644
--- a/docs/system/s390x/secure-ipl.rst
+++ b/docs/system/s390x/secure-ipl.rst
@@ -19,3 +19,39 @@ Note: certificate files must have a .pem extension. qemu-system-s390x -machine s390-ccw-virtio, \ boot-certs.0.path=3D/.../qemu/certs, \ boot-certs.1.path=3D/another/path/cert.pem = ... + + +IPL Modes +=3D=3D=3D=3D=3D=3D=3D=3D=3D + +The concept of IPL Modes are introduced to differentiate between the IPL c= onfigurations. +These modes are mutually exclusive and enabled based on the ``boot-certs``= option on the +QEMU command line. + +Normal Mode +----------- + +The absence of certificates will attempt to IPL a guest without secure IPL= operations. +No checks are performed, and no warnings/errors are reported. This is the = default mode. + +Configuration: + +.. code-block:: shell + + qemu-system-s390x -machine s390-ccw-virtio ... + +Audit Mode +---------- + +With *only* the presence of certificates in the store, it is assumed that = secure +boot operations should be performed with errors reported as warnings. As s= uch, +the secure IPL operations will be performed, and any errors that stem from= these +operations will report a warning via the SCLP console. + +Configuration: + +.. code-block:: shell + + qemu-system-s390x -machine s390-ccw-virtio, \ + boot-certs.0.path=3D/.../qemu/certs, \ + boot-certs.1.path=3D/another/path/cert.pem = ... diff --git a/pc-bios/s390-ccw/Makefile b/pc-bios/s390-ccw/Makefile index a0f24c94a8..603761a857 100644 --- a/pc-bios/s390-ccw/Makefile +++ b/pc-bios/s390-ccw/Makefile @@ -34,7 +34,8 @@ QEMU_DGFLAGS =3D -MMD -MP -MT $@ -MF $(@D)/$(*F).d .PHONY : all clean build-all distclean =20 OBJECTS =3D start.o main.o bootmap.o jump2ipl.o sclp.o menu.o netmain.o \ - virtio.o virtio-net.o virtio-scsi.o virtio-blkdev.o cio.o dasd-ipl.o + virtio.o virtio-net.o virtio-scsi.o virtio-blkdev.o cio.o dasd-ipl.o \ + secure-ipl.o =20 SLOF_DIR :=3D $(SRC_PATH)/../../roms/SLOF =20 diff --git a/pc-bios/s390-ccw/bootmap.c b/pc-bios/s390-ccw/bootmap.c index 4f54c643ff..3922e7cdde 100644 --- a/pc-bios/s390-ccw/bootmap.c 
+++ b/pc-bios/s390-ccw/bootmap.c @@ -15,6 +15,7 @@ #include "bootmap.h" #include "virtio.h" #include "bswap.h" +#include "secure-ipl.h" =20 #ifdef DEBUG /* #define DEBUG_FALLBACK */ @@ -617,7 +618,7 @@ static int ipl_eckd(void) * Returns: length of the segment on sucess, * negative value on error. */ -static int zipl_load_segment(ComponentEntry *entry, uint64_t address) +int zipl_load_segment(ComponentEntry *entry, uint64_t address) { const int max_entries =3D (MAX_SECTOR_SIZE / sizeof(ScsiBlockPtr)); ScsiBlockPtr *bprs =3D (void *)sec; @@ -735,7 +736,19 @@ static int zipl_run(ScsiBlockPtr *pte) /* Load image(s) into RAM */ entry =3D (ComponentEntry *)(&header[1]); =20 - if (zipl_run_normal(&entry, tmp_sec)) { + switch (boot_mode) { + case ZIPL_BOOT_MODE_SECURE_AUDIT: + if (zipl_run_secure(&entry, tmp_sec)) { + return -1; + } + break; + case ZIPL_BOOT_MODE_NORMAL: + if (zipl_run_normal(&entry, tmp_sec)) { + return -1; + } + break; + default: + puts("Unknown boot mode"); return -1; } =20 @@ -1101,17 +1114,35 @@ static int zipl_load_vscsi(void) * IPL starts here */ =20 +ZiplBootMode zipl_mode(uint8_t hdr_flags) +{ + bool sipl_set =3D hdr_flags & DIAG308_IPIB_FLAGS_SIPL; + bool iplir_set =3D hdr_flags & DIAG308_IPIB_FLAGS_IPLIR; + + if (!sipl_set && iplir_set) { + return ZIPL_BOOT_MODE_SECURE_AUDIT; + } + + return ZIPL_BOOT_MODE_NORMAL; +} + void zipl_load(void) { VDev *vdev =3D virtio_get_device(); =20 if (vdev->is_cdrom) { + if (boot_mode =3D=3D ZIPL_BOOT_MODE_SECURE_AUDIT) { + panic("Secure boot from ISO image is not supported!"); + } ipl_iso_el_torito(); puts("Failed to IPL this ISO image!"); return; } =20 if (virtio_get_device_type() =3D=3D VIRTIO_ID_NET) { + if (boot_mode =3D=3D ZIPL_BOOT_MODE_SECURE_AUDIT) { + panic("Virtio net boot device does not support secure boot!"); + } netmain(); puts("Failed to IPL from this network!"); return; 
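Review bot: zipl_mode() in this hunk returns ZIPL_BOOT_MODE_SECURE_AUDIT only for `!sipl_set && iplir_set` and falls through to ZIPL_BOOT_MODE_NORMAL for every other combination, including DIAG308_IPIB_FLAGS_SIPL being set. The documentation added by this patch describes normal mode as "No checks are performed, and no warnings/errors are reported", so an IPLB that asks for secure IPL is silently booted with no verification at all. Until a mode for that flag exists, the SIPL case should be handled explicitly, either by refusing to boot or at least by printing a warning, and the combinations should be spelled out in a comment. The same hunk also makes zipl_load() call panic() in audit mode for ISO and virtio-net boot devices, which is worth a sentence in the Audit Mode section of secure-ipl.rst, since that section only says that errors are reported as warnings.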
@@ -1122,6 +1153,10 @@ void zipl_load(void) return; } =20 + if (boot_mode =3D=3D ZIPL_BOOT_MODE_SECURE_AUDIT) { + panic("ECKD boot device does not support secure boot!"); + } + switch (virtio_get_device_type()) { case VIRTIO_ID_BLOCK: zipl_load_vblk(); diff --git a/pc-bios/s390-ccw/bootmap.h b/pc-bios/s390-ccw/bootmap.h index 95943441d3..90fd530256 100644 --- a/pc-bios/s390-ccw/bootmap.h +++ b/pc-bios/s390-ccw/bootmap.h @@ -88,9 +88,18 @@ typedef struct BootMapTable { BootMapPointer entry[]; } __attribute__ ((packed)) BootMapTable; =20 +#define DER_SIGNATURE_FORMAT 1 + +typedef struct SignatureInformation { + uint8_t format; + uint8_t reserved[3]; + uint32_t sig_len; +} __attribute__((packed)) SignatureInformation; + typedef union ComponentEntryData { uint64_t load_psw; uint64_t load_addr; + SignatureInformation sig_info; } ComponentEntryData; =20 typedef struct ComponentEntry { @@ -113,6 +122,8 @@ typedef struct ScsiMbr { ScsiBlockPtr pt; /* block pointer to program table */ } __attribute__ ((packed)) ScsiMbr; =20 +int zipl_load_segment(ComponentEntry *entry, uint64_t address); + #define ZIPL_MAGIC "zIPL" #define ZIPL_MAGIC_EBCDIC "\xa9\xc9\xd7\xd3" #define IPL1_MAGIC "\xc9\xd7\xd3\xf1" /* =3D=3D "IPL1" in EBCDIC */ diff --git a/pc-bios/s390-ccw/main.c b/pc-bios/s390-ccw/main.c index c9328f1c51..668660e64d 100644 --- a/pc-bios/s390-ccw/main.c +++ b/pc-bios/s390-ccw/main.c @@ -28,6 +28,7 @@ IplParameterBlock *iplb; bool have_iplb; static uint16_t cutype; LowCore *lowcore; /* Yes, this *is* a pointer to address 0 */ +ZiplBootMode boot_mode; =20 #define LOADPARM_PROMPT "PROMPT " #define LOADPARM_EMPTY " " 
@@ -272,9 +273,17 @@ static int virtio_setup(void) =20 static void ipl_boot_device(void) { + if (boot_mode =3D=3D ZIPL_BOOT_MODE_UNSPECIFIED) { + boot_mode =3D zipl_mode(iplb->hdr_flags); + } + switch (cutype) { case CU_TYPE_DASD_3990: case CU_TYPE_DASD_2107: + if (boot_mode =3D=3D ZIPL_BOOT_MODE_SECURE_AUDIT) { + panic("Passthrough (vfio) device does not support secure boot!= "); + } + dasd_ipl(blk_schid, cutype); break; case CU_TYPE_VIRTIO: diff --git a/pc-bios/s390-ccw/s390-ccw.h b/pc-bios/s390-ccw/s390-ccw.h index b1dc35cded..c2ba40d067 100644 --- a/pc-bios/s390-ccw/s390-ccw.h +++ b/pc-bios/s390-ccw/s390-ccw.h @@ -39,6 +39,9 @@ typedef unsigned long long u64; #define MIN_NON_ZERO(a, b) ((a) =3D=3D 0 ? (b) : \ ((b) =3D=3D 0 ? (a) : (MIN(a, b)))) #endif +#ifndef ROUND_UP +#define ROUND_UP(n, d) (((n) + (d) - 1) & -(0 ? (n) : (d))) +#endif =20 #define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0])) =20 @@ -64,6 +67,8 @@ void sclp_print(const char *string); void sclp_set_write_mask(uint32_t receive_mask, uint32_t send_mask); void sclp_setup(void); void sclp_get_loadparm_ascii(char *loadparm); +bool sclp_is_diag320_on(void); +bool sclp_is_sipl_on(void); int sclp_read(char *str, size_t count); =20 /* virtio.c */ @@ -76,6 +81,16 @@ int virtio_read(unsigned long sector, void *load_addr); /* bootmap.c */ void zipl_load(void); =20 +typedef enum ZiplBootMode { + ZIPL_BOOT_MODE_UNSPECIFIED =3D 0, + ZIPL_BOOT_MODE_NORMAL =3D 1, + ZIPL_BOOT_MODE_SECURE_AUDIT =3D 2, +} ZiplBootMode; + +extern ZiplBootMode boot_mode; + +ZiplBootMode zipl_mode(uint8_t hdr_flags); + /* jump2ipl.c */ void write_reset_psw(uint64_t psw); int jump_to_IPL_code(uint64_t address); diff --git a/pc-bios/s390-ccw/sclp.c b/pc-bios/s390-ccw/sclp.c index 4a07de018d..0b03c3164f 100644 --- a/pc-bios/s390-ccw/sclp.c +++ b/pc-bios/s390-ccw/sclp.c 
@@ -113,6 +113,50 @@ void sclp_get_loadparm_ascii(char *loadparm) } } =20 +static void sclp_get_fac134(uint8_t *fac134) +{ + + ReadInfo *sccb =3D (void *)_sccb; + + memset((char *)_sccb, 0, sizeof(ReadInfo)); + sccb->h.length =3D SCCB_SIZE; + if (!sclp_service_call(SCLP_CMDW_READ_SCP_INFO, sccb)) { + *fac134 =3D sccb->fac134; + } +} + +bool sclp_is_diag320_on(void) +{ + uint8_t fac134 =3D 0; + + sclp_get_fac134(&fac134); + return fac134 & SCCB_FAC134_DIAG320_BIT; +} + +/* + * Get fac_ipl (byte 136 and byte 137 of the SCLP Read Info block) + * for IPL device facilities. + */ +static void sclp_get_fac_ipl(uint16_t *fac_ipl) +{ + + ReadInfo *sccb =3D (void *)_sccb; + + memset((char *)_sccb, 0, sizeof(ReadInfo)); + sccb->h.length =3D SCCB_SIZE; + if (!sclp_service_call(SCLP_CMDW_READ_SCP_INFO, sccb)) { + *fac_ipl =3D sccb->fac_ipl; + } +} + +bool sclp_is_sipl_on(void) +{ + uint16_t fac_ipl =3D 0; + + sclp_get_fac_ipl(&fac_ipl); + return fac_ipl & SCCB_FAC_IPL_SIPL_BIT; +} + int sclp_read(char *str, size_t count) { ReadEventData *sccb =3D (void *)_sccb; diff --git a/pc-bios/s390-ccw/sclp.h b/pc-bios/s390-ccw/sclp.h index 64b53cad29..cf147f4634 100644 --- a/pc-bios/s390-ccw/sclp.h +++ b/pc-bios/s390-ccw/sclp.h @@ -50,6 +50,8 @@ typedef struct SCCBHeader { } __attribute__((packed)) SCCBHeader; =20 #define SCCB_DATA_LEN (SCCB_SIZE - sizeof(SCCBHeader)) +#define SCCB_FAC134_DIAG320_BIT 0x4 +#define SCCB_FAC_IPL_SIPL_BIT 0x4000 =20 typedef struct ReadInfo { SCCBHeader h; @@ -57,6 +59,10 @@ typedef struct ReadInfo { uint8_t rnsize; uint8_t reserved[13]; uint8_t loadparm[LOADPARM_LEN]; + uint8_t reserved1[102]; + uint8_t fac134; + uint8_t reserved2; + uint16_t fac_ipl; } __attribute__((packed)) ReadInfo; =20 typedef struct SCCB { diff --git a/pc-bios/s390-ccw/secure-ipl.c b/pc-bios/s390-ccw/secure-ipl.c new file mode 100644 index 0000000000..8eab19cb09 --- /dev/null +++ b/pc-bios/s390-ccw/secure-ipl.c 
@@ -0,0 +1,371 @@ +/* + * S/390 Secure IPL + * + * Functions to support IPL in secure boot mode (DIAG 320, DIAG 508, + * signature verification, and certificate handling). + * + * For secure IPL overview: docs/system/s390x/secure-ipl.rst + * For secure IPL technical: docs/specs/s390x-secure-ipl.rst + * + * Copyright 2025 IBM Corp. + * Author(s): Zhuoying Cai + * + * SPDX-License-Identifier: GPL-2.0-or-later + */ + +#include +#include +#include +#include "bootmap.h" +#include "s390-ccw.h" +#include "secure-ipl.h" + +uint8_t vcssb_data[VCSSB_MIN_LEN] __attribute__((__aligned__(PAGE_SIZE))); + +VCStorageSizeBlock *zipl_secure_get_vcssb(void) +{ + VCStorageSizeBlock *vcssb; + int rc; + + if (!(sclp_is_diag320_on() && is_cert_store_facility_supported())) { + puts("Certificate Store Facility is not supported by the hyperviso= r!"); + return NULL; + } + + vcssb =3D (VCStorageSizeBlock *)vcssb_data; + /* avoid retrieving vcssb multiple times */ + if (vcssb->length >=3D VCSSB_MIN_LEN) { + return vcssb; + } + + vcssb->length =3D VCSSB_MIN_LEN; + rc =3D diag320(vcssb, DIAG_320_SUBC_QUERY_VCSI); + if (rc !=3D DIAG_320_RC_OK) { + return NULL; + } + + return vcssb; +} + +static uint32_t get_certs_length(void) +{ + VCStorageSizeBlock *vcssb; + uint32_t len; + + vcssb =3D zipl_secure_get_vcssb(); + if (vcssb =3D=3D NULL) { + return 0; + } + + len =3D vcssb->total_vcb_len - VCB_HEADER_LEN - vcssb->total_vc_ct * V= CE_HEADER_LEN; + + return len; +} + +static uint32_t request_certificate(uint8_t *cert, uint8_t index) +{ + VCStorageSizeBlock *vcssb; + VCBlock *vcb; + VCEntry *vce; + uint64_t rc =3D 0; + uint32_t cert_len =3D 0; + + /* Get Verification Certificate Storage Size block with DIAG320 subcod= e 1 */ + vcssb =3D zipl_secure_get_vcssb(); + if (vcssb =3D=3D NULL) { + return 0; + } + + /* + * Request single entry + * Fill input fields of single-entry VCB + */ + vcb =3D malloc(MAX_SECTOR_SIZE * 4); + vcb->in_len =3D ROUND_UP(vcssb->max_single_vcb_len, PAGE_SIZE); + 
vcb->first_vc_index =3D index + 1; + vcb->last_vc_index =3D index + 1; + + rc =3D diag320(vcb, DIAG_320_SUBC_STORE_VC); + if (rc =3D=3D DIAG_320_RC_OK) { + if (vcb->out_len =3D=3D VCB_HEADER_LEN) { + puts("No certificate entry"); + goto out; + } + if (vcb->remain_ct !=3D 0) { + puts("Not enough memory to store all requested certificates"); + goto out; + } + + vce =3D (VCEntry *)vcb->vce_buf; + if (!is_vce_cert_valid(vce->flags, vce->len)) { + puts("Invalid certificate"); + goto out; + } + + cert_len =3D vce->cert_len; + memcpy(cert, (uint8_t *)vce + vce->cert_offset, vce->cert_len); + } + +out: + free(vcb); + return cert_len; +} + +static void cert_list_add(IplSignatureCertificateList *certs, int cert_ind= ex, + uint8_t *cert, uint64_t cert_len) +{ + if (cert_index > MAX_CERTIFICATES - 1) { + printf("Warning: Ignoring cert entry [%d] because it's over %d ent= ires\n", + cert_index + 1, MAX_CERTIFICATES); + return; + } + + certs->cert_entries[cert_index].addr =3D (uint64_t)cert; + certs->cert_entries[cert_index].len =3D cert_len; + certs->ipl_info_header.len +=3D sizeof(certs->cert_entries[cert_index]= ); +} + +static void comp_list_add(IplDeviceComponentList *comps, int comp_index, + int cert_index, uint64_t comp_addr, + uint64_t comp_len, uint8_t flags) +{ + if (comp_index > MAX_CERTIFICATES - 1) { + printf("Warning: Ignoring comp entry [%d] because it's over %d ent= ires\n", + comp_index + 1, MAX_CERTIFICATES); + return; + } + + comps->device_entries[comp_index].addr =3D comp_addr; + comps->device_entries[comp_index].len =3D comp_len; + comps->device_entries[comp_index].flags =3D flags; + comps->device_entries[comp_index].cert_index =3D cert_index; + comps->ipl_info_header.len +=3D sizeof(comps->device_entries[comp_inde= x]); +} + +static int update_iirb(IplDeviceComponentList *comps, IplSignatureCertific= ateList *certs) +{ + IplInfoReportBlock *iirb; + IplDeviceComponentList *iirb_comps; + IplSignatureCertificateList *iirb_certs; + uint32_t iirb_hdr_len; + 
uint32_t comps_len; + uint32_t certs_len; + + if (iplb->len % 8 !=3D 0) { + panic("IPL parameter block length field value is not multiple of 8= bytes"); + } + + iirb_hdr_len =3D sizeof(IplInfoReportBlockHeader); + comps_len =3D comps->ipl_info_header.len; + certs_len =3D certs->ipl_info_header.len; + if ((comps_len + certs_len + iirb_hdr_len) > sizeof(IplInfoReportBlock= )) { + puts("Not enough space to hold all components and certificates in = IIRB"); + return -1; + } + + /* IIRB immediately follows IPLB */ + iirb =3D &ipl_data.iirb; + iirb->hdr.len =3D iirb_hdr_len; + + /* Copy IPL device component list after IIRB Header */ + iirb_comps =3D (IplDeviceComponentList *) iirb->info_blks; + memcpy(iirb_comps, comps, comps_len); + + /* Update IIRB length */ + iirb->hdr.len +=3D comps_len; + + /* Copy IPL sig cert list after IPL device component list */ + iirb_certs =3D (IplSignatureCertificateList *) (iirb->info_blks + + iirb_comps->ipl_info_hea= der.len); + memcpy(iirb_certs, certs, certs_len); + + /* Update IIRB length */ + iirb->hdr.len +=3D certs_len; + + return 0; +} + +static bool secure_ipl_supported(void) +{ + if (!sclp_is_sipl_on()) { + puts("Secure IPL Facility is not supported by the hypervisor!"); + return false; + } + + if (!is_secure_ipl_extension_supported()) { + puts("Secure IPL extensions are not supported by the hypervisor!"); + return false; + } + + if (!(sclp_is_diag320_on() && is_cert_store_facility_supported())) { + puts("Certificate Store Facility is not supported by the hyperviso= r!"); + return false; + } + + return true; +} + +static void init_lists(IplDeviceComponentList *comps, IplSignatureCertific= ateList *certs) +{ + comps->ipl_info_header.ibt =3D IPL_IBT_COMPONENTS; + comps->ipl_info_header.len =3D sizeof(comps->ipl_info_header); + + certs->ipl_info_header.ibt =3D IPL_IBT_CERTIFICATES; + certs->ipl_info_header.len =3D sizeof(certs->ipl_info_header); +} + +static uint32_t zipl_load_signature(ComponentEntry *entry, uint64_t sig_se= c) +{ + 
uint32_t sig_len; + + if (zipl_load_segment(entry, sig_sec) < 0) { + return -1; + } + + if (entry->compdat.sig_info.format !=3D DER_SIGNATURE_FORMAT) { + puts("Signature is not in DER format"); + return -1; + } + sig_len =3D entry->compdat.sig_info.sig_len; + + return sig_len; +} + +static int handle_certificate(int *cert_table, uint8_t **cert, + uint64_t cert_len, uint8_t cert_idx, + IplSignatureCertificateList *certs, int cert_= index) +{ + bool unused; + + unused =3D cert_table[cert_idx] =3D=3D -1; + if (unused) { + if (request_certificate(*cert, cert_idx)) { + cert_list_add(certs, cert_index, *cert, cert_len); + cert_table[cert_idx] =3D cert_index; + *cert +=3D cert_len; + } else { + puts("Could not get certificate"); + return -1; + } + + /* increment cert_index for the next cert entry */ + return ++cert_index; + } + + return cert_index; +} + +int zipl_run_secure(ComponentEntry **entry_ptr, uint8_t *tmp_sec) +{ + IplDeviceComponentList comps; + IplSignatureCertificateList certs; + ComponentEntry *entry =3D *entry_ptr; + uint8_t *cert =3D NULL; + uint64_t *sig =3D NULL; + int cert_index =3D 0; + int comp_index =3D 0; + uint64_t comp_addr; + int comp_len; + uint32_t sig_len =3D 0; + uint64_t cert_len =3D -1; + uint8_t cert_idx =3D -1; + bool verified; + uint32_t certs_len; + /* + * Store indices of cert entry that have already used for signature ve= rification + * to prevent allocating the same certificate multiple times. + * cert_table index: index of certificate from qemu cert store used fo= r verification + * cert_table value: index of cert entry in cert list that contains th= e certificate + */ + int cert_table[MAX_CERTIFICATES] =3D { [0 ... 
MAX_CERTIFICATES - 1] = =3D -1}; + int signed_count =3D 0; + + if (!secure_ipl_supported()) { + return -1; + } + + init_lists(&comps, &certs); + certs_len =3D get_certs_length(); + cert =3D malloc(certs_len); + sig =3D malloc(MAX_SECTOR_SIZE); + + while (entry->component_type !=3D ZIPL_COMP_ENTRY_EXEC) { + switch (entry->component_type) { + case ZIPL_COMP_ENTRY_SIGNATURE: + if (sig_len) { + goto out; + } + + sig_len =3D zipl_load_signature(entry, (uint64_t)sig); + if (sig_len < 0) { + goto out; + } + break; + case ZIPL_COMP_ENTRY_LOAD: + comp_addr =3D entry->compdat.load_addr; + comp_len =3D zipl_load_segment(entry, comp_addr); + if (comp_len < 0) { + goto out; + } + + if (!sig_len) { + break; + } + + verified =3D verify_signature(comp_len, comp_addr, sig_len, (u= int64_t)sig, + &cert_len, &cert_idx); + + if (verified) { + cert_index =3D handle_certificate(cert_table, &cert, cert_= len, cert_idx, + &certs, cert_index); + if (cert_index =3D=3D -1) { + goto out; + } + + puts("Verified component"); + comp_list_add(&comps, comp_index, cert_table[cert_idx], + comp_addr, comp_len, + S390_IPL_COMPONENT_FLAG_SC | S390_IPL_COMPON= ENT_FLAG_CSV); + } else { + comp_list_add(&comps, comp_index, -1, + comp_addr, comp_len, + S390_IPL_COMPONENT_FLAG_SC); + zipl_secure_handle("Could not verify component"); + } + + comp_index++; + signed_count +=3D 1; + /* After a signature is used another new one can be accepted */ + sig_len =3D 0; + break; + default: + puts("Unknown component entry type"); + return -1; + } + + entry++; + + if ((uint8_t *)(&entry[1]) > tmp_sec + MAX_SECTOR_SIZE) { + puts("Wrong entry value"); + return -EINVAL; + } + } + + if (signed_count =3D=3D 0) { + zipl_secure_handle("Secure boot is on, but components are not sign= ed"); + } + + if (update_iirb(&comps, &certs)) { + zipl_secure_handle("Failed to write IPL Information Report Block"); + } + + *entry_ptr =3D entry; + free(sig); + + return 0; +out: + free(cert); + free(sig); + + return -1; +} 
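Review bot: zipl_load_signature() is declared to return uint32_t but returns -1 on both failure paths, and zipl_run_secure() stores the result in `uint32_t sig_len` and tests `if (sig_len < 0)`, which can never be true. A failed segment load or a non-DER signature therefore leaves sig_len at 0xFFFFFFFF, and the next ZIPL_COMP_ENTRY_LOAD entry passes that length to verify_signature(). Return int (or a status plus an out parameter) and keep the length itself unsigned. In the same function, handle_certificate() advances the caller's pointer with `*cert += cert_len`, so the `free(cert)` under `out:` can be handed a pointer that is no longer the one malloc() returned; keep the base pointer in its own variable. The `default:` case and the `-EINVAL` return also leave the function without freeing either buffer, and request_certificate() dereferences the result of `malloc(MAX_SECTOR_SIZE * 4)` without a NULL check and sets `vcb->in_len` from `max_single_vcb_len` without comparing it to that allocation size.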
diff --git a/pc-bios/s390-ccw/secure-ipl.h b/pc-bios/s390-ccw/secure-ipl.h new file mode 100644 index 0000000000..a264a44349 --- /dev/null +++ b/pc-bios/s390-ccw/secure-ipl.h 
@@ -0,0 +1,99 @@ +/* + * S/390 Secure IPL + * + * Copyright 2025 IBM Corp. + * Author(s): Zhuoying Cai + * + * SPDX-License-Identifier: GPL-2.0-or-later + */ + +#ifndef _PC_BIOS_S390_CCW_SECURE_IPL_H +#define _PC_BIOS_S390_CCW_SECURE_IPL_H + +#include +#include + +VCStorageSizeBlock *zipl_secure_get_vcssb(void); +int zipl_run_secure(ComponentEntry **entry_ptr, uint8_t *tmp_sec); + +static inline void zipl_secure_handle(const char *message) +{ + switch (boot_mode) { + case ZIPL_BOOT_MODE_SECURE_AUDIT: + IPL_check(false, message); + break; + default: + break; + } +} + +static inline uint64_t diag320(void *data, unsigned long subcode) +{ + register unsigned long addr asm("0") =3D (unsigned long)data; + register unsigned long rc asm("1") =3D 0; + + asm volatile ("diag %0,%2,0x320\n" + : "+d" (addr), "+d" (rc) + : "d" (subcode) + : "memory", "cc"); + return rc; +} + +static inline bool is_vce_cert_valid(uint8_t vce_flags, uint32_t vce_len) +{ + return (vce_flags & DIAG_320_VCE_FLAGS_VALID) && (vce_len > VCE_INVALI= D_LEN); +} + +static inline bool is_cert_store_facility_supported(void) +{ + uint32_t d320_ism; + + diag320(&d320_ism, DIAG_320_SUBC_QUERY_ISM); + return (d320_ism & DIAG_320_ISM_QUERY_SUBCODES) && + (d320_ism & DIAG_320_ISM_QUERY_VCSI) && + (d320_ism & DIAG_320_ISM_STORE_VC); +} + +static inline uint64_t _diag508(void *data, unsigned long subcode) +{ + register unsigned long addr asm("0") =3D (unsigned long)data; + register unsigned long rc asm("1") =3D 0; + + asm volatile ("diag %0,%2,0x508\n" + : "+d" (addr), "+d" (rc) + : "d" (subcode) + : "memory", "cc"); + return rc; +} + +static inline bool is_secure_ipl_extension_supported(void) +{ + uint64_t d508_subcodes; + + d508_subcodes =3D _diag508(NULL, DIAG_508_SUBC_QUERY_SUBC); + return d508_subcodes & DIAG_508_SUBC_SIG_VERIF; +} + +static inline bool verify_signature(uint64_t comp_len, uint64_t comp_addr, + uint64_t sig_len, uint64_t sig_addr, + uint64_t *cert_len, uint8_t *cert_idx) +{ + 
Diag508SigVerifBlock svb; + + svb.length =3D sizeof(Diag508SigVerifBlock); + svb.version =3D 0; + svb.comp_len =3D comp_len; + svb.comp_addr =3D comp_addr; + svb.sig_len =3D sig_len; + svb.sig_addr =3D sig_addr; + + if (_diag508(&svb, DIAG_508_SUBC_SIG_VERIF) =3D=3D DIAG_508_RC_OK) { + *cert_len =3D svb.cert_len; + *cert_idx =3D svb.cert_store_index; + return true; + } + + return false; +} + +#endif /* _PC_BIOS_S390_CCW_SECURE_IPL_H */ --=20 2.50.1
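Review bot: in secure-ipl.h, is_cert_store_facility_supported() ignores the return value of diag320() and then tests `d320_ism`, which is declared without an initializer, so if the DIAG call fails or leaves the word untouched the facility check is decided by stack contents. Initialize `d320_ism` to 0 and check the return code the way zipl_secure_get_vcssb() does. verify_signature() has the same pattern: `svb` is a stack variable with only six fields assigned before it is handed to DIAG 508, so every other field of Diag508SigVerifBlock reaches the hypervisor uninitialized; a `= { 0 }` initializer fixes that. zipl_secure_handle() also deserves a comment: every mode other than ZIPL_BOOT_MODE_SECURE_AUDIT falls into the empty `default:`, so callers that report a failed verification through it simply continue.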
From: Zhuoying Cai
To: thuth@redhat.com, berrange@redhat.com, richard.henderson@linaro.org, david@redhat.com, jrossi@linux.ibm.com, qemu-s390x@nongnu.org, qemu-devel@nongnu.org
Cc: walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com
Subject: [PATCH v6 20/28] s390x: Guest support for Secure-IPL Code Loading Attributes Facility (SCLAF)
Date: Wed, 17 Sep 2025 19:21:22 -0400
Message-ID: <20250917232131.495848-21-zycai@linux.ibm.com>
In-Reply-To: <20250917232131.495848-1-zycai@linux.ibm.com>
References: <20250917232131.495848-1-zycai@linux.ibm.com>

The secure-IPL-code-loading-attributes facility (SCLAF) provides additional security during secure IPL. Availability of SCLAF is determined by byte 136 bit 3 of the SCLP Read Info block. This feature is available starting with the gen16 CPU model.

Signed-off-by: Zhuoying Cai
Reviewed-by: Collin Walling
--- docs/specs/s390x-secure-ipl.rst | 25 +++++++++++++++++++++++++ target/s390x/cpu_features.c | 2 ++ target/s390x/cpu_features_def.h.inc | 1 + target/s390x/cpu_models.c | 3 +++ target/s390x/gen-features.c | 2 ++ target/s390x/kvm/kvm.c | 1 + 6 files changed, 34 insertions(+) diff --git a/docs/specs/s390x-secure-ipl.rst b/docs/specs/s390x-secure-ipl.= rst index 760a066084..a19b976e25 100644
--- a/docs/specs/s390x-secure-ipl.rst +++ b/docs/specs/s390x-secure-ipl.rst @@ -85,3 +85,28 @@ operations such as: * certificate data =20 The guest kernel will inspect the IIRB and build the keyring. + + +Secure Code Loading Attributes Facility +--------------------------------- + +The Secure Code Loading Attributes Facility (SCLAF) enhances system securi= ty during the +IPL by enforcing additional verification rules. + +When SCLAF is available, its behavior depends on the IPL mode. It introduc= es verification +of both signed and unsigned components to help ensure that only authorized= code is loaded +during the IPL process. Any errors detected by SCLAF are reported in the I= IRB. + +Unsigned components are restricted to load addresses at or above absolute = storage address +``0x2000``. + +Signed components must include a Secure Code Loading Attribute Block (SCLA= B), which is +appended at the very end of the component. The SCLAB defines security attr= ibutes for +handling the signed code. Specifically, it may: + +* Provide direction on how to process the rest of the component. + +* Provide further validation of information on where to load the signed bi= nary code + from the load device. + +* Specify where to start the execution of the loaded OS code. diff --git a/target/s390x/cpu_features.c b/target/s390x/cpu_features.c index 200bd8c15b..29ea3bfec2 100644 --- a/target/s390x/cpu_features.c +++ b/target/s390x/cpu_features.c @@ -120,6 +120,7 @@ void s390_fill_feat_block(const S390FeatBitmap features= , S390FeatType type, * - All SIE facilities because SIE is not available * - DIAG318 * - Secure IPL Facility + * - Secure IPL Code Loading Attributes Facility * * As VMs can move in and out of protected mode the CPU model * doesn't protect us from that problem because it is only 
@@ -152,6 +153,7 @@ void s390_fill_feat_block(const S390FeatBitmap features= , S390FeatType type, break; case S390_FEAT_TYPE_SCLP_FAC_IPL: clear_be_bit(s390_feat_def(S390_FEAT_SIPL)->bit, data); + clear_be_bit(s390_feat_def(S390_FEAT_SCLAF)->bit, data); break; default: return; diff --git a/target/s390x/cpu_features_def.h.inc b/target/s390x/cpu_feature= s_def.h.inc index 55eef618b8..ecfca0faef 100644 --- a/target/s390x/cpu_features_def.h.inc +++ b/target/s390x/cpu_features_def.h.inc @@ -142,6 +142,7 @@ DEF_FEAT(CERT_STORE, "cstore", SCLP_FAC134, 5, "Provide= Certificate Store functi =20 /* Features exposed via SCLP SCCB Facilities byte 136 - 137 (bit numbers r= elative to byte-136) */ DEF_FEAT(SIPL, "sipl", SCLP_FAC_IPL, 1, "Secure-IPL facility") +DEF_FEAT(SCLAF, "sclaf", SCLP_FAC_IPL, 3, "Secure-IPL-code-loading-attribu= tes facility") =20 /* Features exposed via SCLP CPU info. */ DEF_FEAT(SIE_F2, "sief2", SCLP_CPU, 4, "SIE: interception format 2 (Virtua= l SIE)") diff --git a/target/s390x/cpu_models.c b/target/s390x/cpu_models.c index f99536ef9a..7d214b5f72 100644 --- a/target/s390x/cpu_models.c +++ b/target/s390x/cpu_models.c @@ -264,6 +264,7 @@ bool s390_has_feat(S390Feat feat) case S390_FEAT_SIE_PFMFI: case S390_FEAT_SIE_IBS: case S390_FEAT_SIPL: + case S390_FEAT_SCLAF: case S390_FEAT_CONFIGURATION_TOPOLOGY: return false; break; @@ -509,6 +510,8 @@ static void check_consistency(const S390CPUModel *model) { S390_FEAT_DIAG_318, S390_FEAT_EXTENDED_LENGTH_SCCB }, { S390_FEAT_CERT_STORE, S390_FEAT_EXTENDED_LENGTH_SCCB }, { S390_FEAT_SIPL, S390_FEAT_EXTENDED_LENGTH_SCCB }, + { S390_FEAT_SCLAF, S390_FEAT_EXTENDED_LENGTH_SCCB }, + { S390_FEAT_SCLAF, S390_FEAT_SIPL }, { S390_FEAT_NNPA, S390_FEAT_VECTOR }, { S390_FEAT_RDP, S390_FEAT_LOCAL_TLB_CLEARING }, { S390_FEAT_UV_FEAT_AP, S390_FEAT_AP }, diff --git a/target/s390x/gen-features.c b/target/s390x/gen-features.c index bd2060ab93..c3e0c6ceff 100644 --- a/target/s390x/gen-features.c +++ b/target/s390x/gen-features.c 
@@ -722,6 +722,7 @@ static uint16_t full_GEN16_GA1[] =3D { S390_FEAT_UV_FEAT_AP_INTR, S390_FEAT_CERT_STORE, S390_FEAT_SIPL, + S390_FEAT_SCLAF, }; =20 static uint16_t full_GEN17_GA1[] =3D { @@ -924,6 +925,7 @@ static uint16_t qemu_MAX[] =3D { S390_FEAT_EXTENDED_LENGTH_SCCB, S390_FEAT_CERT_STORE, S390_FEAT_SIPL, + S390_FEAT_SCLAF, }; =20 /****** END FEATURE DEFS ******/ diff --git a/target/s390x/kvm/kvm.c b/target/s390x/kvm/kvm.c index 31bd574dec..2ed11fab52 100644 --- a/target/s390x/kvm/kvm.c +++ b/target/s390x/kvm/kvm.c 
@@ -2522,6 +2522,7 @@ bool kvm_s390_get_host_cpu_model(S390CPUModel *model,= Error **errp) =20 /* Some Secure IPL facilities are emulated by QEMU */ set_bit(S390_FEAT_SIPL, model->features); + set_bit(S390_FEAT_SCLAF, model->features); =20 /* Test for Ultravisor features that influence secure guest behavior */ query_uv_feat_guest(model->features); --=20 2.50.1
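Review bot: the section added to docs/specs/s390x-secure-ipl.rst is titled "Secure Code Loading Attributes Facility", while the commit message and the DEF_FEAT description in cpu_features_def.h.inc call it the "secure-IPL-code-loading-attributes facility"; use one name throughout so the spec can be matched to the `sclaf` feature. The `---` underline also looks shorter than the title text, which Sphinx reports as a warning. The sentence "its behavior depends on the IPL mode" would be more useful if it stated what differs between the modes, and the bullet list says the SCLAB "may" do each of three things without saying which of them the firmware actually enforces.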
From: Zhuoying Cai
To: thuth@redhat.com, berrange@redhat.com, richard.henderson@linaro.org, david@redhat.com, jrossi@linux.ibm.com, qemu-s390x@nongnu.org, qemu-devel@nongnu.org
Cc: walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com
Subject: [PATCH v6 21/28] pc-bios/s390-ccw: Add additional security checks for secure boot
Date: Wed, 17 Sep 2025 19:21:23 -0400
Message-ID: <20250917232131.495848-22-zycai@linux.ibm.com>
In-Reply-To: <20250917232131.495848-1-zycai@linux.ibm.com>
References: <20250917232131.495848-1-zycai@linux.ibm.com>

Add additional checks to ensure that components do not overlap with signed components when loaded into memory. Add additional checks to ensure the load addresses of unsigned components are greater than or equal to 0x2000. When the secure IPL code loading attributes facility (SCLAF) is installed, all signed components must contain a secure code loading attributes block (SCLAB). The SCLAB provides further validation of information on where to load the signed binary code from the load device, and where to start the execution of the loaded OS code. When SCLAF is installed, its content must be evaluated during secure IPL. However, a missing SCLAB will not be reported in audit mode. The SCLAB checking will be skipped in this case.
Add IPL Information Error Indicators (IIEI) and Component Error Indicators (CEI) for IPL Information Report Block (IIRB). When SCLAF is installed, additional secure boot checks are performed during zipl and store results of verification into IIRB. Signed-off-by: Zhuoying Cai --- pc-bios/s390-ccw/iplb.h | 26 ++- pc-bios/s390-ccw/s390-ccw.h | 1 + pc-bios/s390-ccw/sclp.c | 8 + pc-bios/s390-ccw/sclp.h | 1 + pc-bios/s390-ccw/secure-ipl.c | 412 +++++++++++++++++++++++++++++++++- pc-bios/s390-ccw/secure-ipl.h | 110 +++++++++ 6 files changed, 553 insertions(+), 5 deletions(-) diff --git a/pc-bios/s390-ccw/iplb.h b/pc-bios/s390-ccw/iplb.h index 11302e004d..41cec91a68 100644 --- a/pc-bios/s390-ccw/iplb.h +++ b/pc-bios/s390-ccw/iplb.h @@ -32,11 +32,19 @@ struct IplInfoReportBlockHeader { } __attribute__ ((packed)); typedef struct IplInfoReportBlockHeader IplInfoReportBlockHeader; =20 +#define S390_IPL_INFO_IIEI_NO_SIGNED_COMP 0x8000 /* bit 0 */ +#define S390_IPL_INFO_IIEI_NO_SCLAB 0x4000 /* bit 1 */ +#define S390_IPL_INFO_IIEI_NO_GLOBAL_SCLAB 0x2000 /* bit 2 */ +#define S390_IPL_INFO_IIEI_MORE_GLOBAL_SCLAB 0x1000 /* bit 3 */ +#define S390_IPL_INFO_IIEI_FOUND_UNSIGNED_COMP 0x800 /* bit 4 */ +#define S390_IPL_INFO_IIEI_MORE_SIGNED_COMP 0x400 /* bit 5 */ + struct IplInfoBlockHeader { uint32_t len; uint8_t ibt; uint8_t reserved1[3]; - uint8_t reserved2[8]; + uint16_t iiei; + uint8_t reserved2[6]; } __attribute__ ((packed)); typedef struct IplInfoBlockHeader IplInfoBlockHeader; =20 
@@ -60,13 +68,27 @@ typedef struct IplSignatureCertificateList IplSignature= CertificateList; #define S390_IPL_COMPONENT_FLAG_SC 0x80 #define S390_IPL_COMPONENT_FLAG_CSV 0x40 =20 +#define S390_IPL_COMPONENT_CEI_INVALID_SCLAB 0x80000000 /* bit= 0 */ +#define S390_IPL_COMPONENT_CEI_INVALID_SCLAB_LEN 0x40000000 /* bit= 1 */ +#define S390_IPL_COMPONENT_CEI_INVALID_SCLAB_FORMAT 0x20000000 /* bit= 2 */ +#define S390_IPL_COMPONENT_CEI_UNMATCHED_SCLAB_LOAD_ADDR 0x10000000 /* bit= 3 */ +#define S390_IPL_COMPONENT_CEI_UNMATCHED_SCLAB_LOAD_PSW 0x8000000 /* bit= 4 */ +#define S390_IPL_COMPONENT_CEI_INVALID_LOAD_PSW 0x4000000 /* bit= 5 */ +#define S390_IPL_COMPONENT_CEI_NUC_NOT_IN_GLOBAL_SCLA 0x2000000 /* bit= 6 */ +#define S390_IPL_COMPONENT_CEI_SCLAB_OLA_NOT_ONE 0x1000000 /* bit= 7 */ +#define S390_IPL_COMPONENT_CEI_SC_NOT_IN_GLOBAL_SCLAB 0x800000 /* bit= 8 */ +#define S390_IPL_COMPONENT_CEI_SCLAB_LOAD_ADDR_NOT_ZERO 0x400000 /* bit= 9 */ +#define S390_IPL_COMPONENT_CEI_SCLAB_LOAD_PSW_NOT_ZERO 0x200000 /* bit= 10 */ +#define S390_IPL_COMPONENT_CEI_INVALID_UNSIGNED_ADDR 0x100000 /* bit= 11 */ + struct IplDeviceComponentEntry { uint64_t addr; uint64_t len; uint8_t flags; uint8_t reserved1[5]; uint16_t cert_index; - uint8_t reserved2[8]; + uint32_t cei; + uint8_t reserved2[4]; } __attribute__ ((packed)); typedef struct IplDeviceComponentEntry IplDeviceComponentEntry; =20 diff --git a/pc-bios/s390-ccw/s390-ccw.h b/pc-bios/s390-ccw/s390-ccw.h index c2ba40d067..6d51d07c90 100644 --- a/pc-bios/s390-ccw/s390-ccw.h +++ b/pc-bios/s390-ccw/s390-ccw.h @@ -69,6 +69,7 @@ void sclp_setup(void); void sclp_get_loadparm_ascii(char *loadparm); bool sclp_is_diag320_on(void); bool sclp_is_sipl_on(void); +bool sclp_is_sclaf_on(void); int sclp_read(char *str, size_t count); =20 /* virtio.c */ diff --git a/pc-bios/s390-ccw/sclp.c b/pc-bios/s390-ccw/sclp.c index 0b03c3164f..16f973dde8 100644 --- a/pc-bios/s390-ccw/sclp.c +++ b/pc-bios/s390-ccw/sclp.c 
@@ -157,6 +157,14 @@ bool sclp_is_sipl_on(void) return fac_ipl & SCCB_FAC_IPL_SIPL_BIT; } =20 +bool sclp_is_sclaf_on(void) +{ + uint16_t fac_ipl =3D 0; + + sclp_get_fac_ipl(&fac_ipl); + return fac_ipl & SCCB_FAC_IPL_SCLAF_BIT; +} + int sclp_read(char *str, size_t count) { ReadEventData *sccb =3D (void *)_sccb; diff --git a/pc-bios/s390-ccw/sclp.h b/pc-bios/s390-ccw/sclp.h index cf147f4634..3441020d6b 100644 --- a/pc-bios/s390-ccw/sclp.h +++ b/pc-bios/s390-ccw/sclp.h @@ -52,6 +52,7 @@ typedef struct SCCBHeader { #define SCCB_DATA_LEN (SCCB_SIZE - sizeof(SCCBHeader)) #define SCCB_FAC134_DIAG320_BIT 0x4 #define SCCB_FAC_IPL_SIPL_BIT 0x4000 +#define SCCB_FAC_IPL_SCLAF_BIT 0x1000 =20 typedef struct ReadInfo { SCCBHeader h; diff --git a/pc-bios/s390-ccw/secure-ipl.c b/pc-bios/s390-ccw/secure-ipl.c index 8eab19cb09..cd798c1198 100644 --- a/pc-bios/s390-ccw/secure-ipl.c +++ b/pc-bios/s390-ccw/secure-ipl.c @@ -202,6 +202,12 @@ static bool secure_ipl_supported(void) return false; } =20 + if (!sclp_is_sclaf_on()) { + puts("Secure IPL Code Loading Attributes Facility is not supported= by" \ + " the hypervisor!"); + return false; + } + return true; } =20 
@@ -214,6 +220,393 @@ static void init_lists(IplDeviceComponentList *comps,= IplSignatureCertificateLis certs->ipl_info_header.len =3D sizeof(certs->ipl_info_header); } =20 +static bool is_comp_overlap(SecureIplCompAddrRange *comp_addr_range, int a= ddr_range_index, + uint64_t start_addr, uint64_t end_addr) +{ + /* neither a signed nor an unsigned component can overlap with a signe= d component */ + for (int i =3D 0; i < addr_range_index; i++) { + if ((comp_addr_range[i].start_addr <=3D end_addr && + start_addr <=3D comp_addr_range[i].end_addr) && + comp_addr_range[i].is_signed) { + return true; + } + } + + return false; +} + +static void comp_addr_range_add(SecureIplCompAddrRange *comp_addr_range, + int addr_range_index, bool is_signed, + uint64_t start_addr, uint64_t end_addr) +{ + if (addr_range_index > MAX_CERTIFICATES - 1) { + return; + } + + comp_addr_range[addr_range_index].is_signed =3D is_signed; + comp_addr_range[addr_range_index].start_addr =3D start_addr; + comp_addr_range[addr_range_index].end_addr =3D end_addr; +} + +static void check_unsigned_addr(uint64_t load_addr, IplDeviceComponentList= *comps, + int comp_index) +{ + uint32_t flag; + const char *msg; + bool valid; + + valid =3D validate_unsigned_addr(load_addr); + if (!valid) { + flag =3D S390_IPL_COMPONENT_CEI_INVALID_UNSIGNED_ADDR; + msg =3D "Load address is less than 0x2000"; + set_cei_with_log(comps, comp_index, flag, msg); + } +} + +static void addr_overlap_check(SecureIplCompAddrRange *comp_addr_range, + int *addr_range_index, + uint64_t start_addr, uint64_t end_addr, boo= l is_signed) +{ + bool overlap; + + overlap =3D is_comp_overlap(comp_addr_range, *addr_range_index, + start_addr, end_addr); + if (!overlap) { + comp_addr_range_add(comp_addr_range, *addr_range_index, is_signed, + start_addr, end_addr); + *addr_range_index +=3D 1; + } else { + zipl_secure_handle("Component addresses overlap"); + } +} + +static bool check_sclab_presence(uint8_t *sclab_magic, + IplDeviceComponentList 
*comps, int comp_i= ndex) +{ + if (!validate_sclab_magic(sclab_magic)) { + comps->device_entries[comp_index].cei |=3D S390_IPL_COMPONENT_CEI_= INVALID_SCLAB; + + /* a missing SCLAB will not be reported in audit mode */ + return false; + } + + return true; +} + +static void check_sclab_length(uint16_t sclab_len, + IplDeviceComponentList *comps, int comp_ind= ex) +{ + const char *msg; + uint32_t flag; + bool valid; + + valid =3D validate_sclab_length(sclab_len); + if (!valid) { + flag =3D S390_IPL_COMPONENT_CEI_INVALID_SCLAB_LEN | + S390_IPL_COMPONENT_CEI_INVALID_SCLAB; + msg =3D "Invalid SCLAB length"; + set_cei_with_log(comps, comp_index, flag, msg); + } +} + +static void check_sclab_format(uint8_t sclab_format, + IplDeviceComponentList *comps, int comp_ind= ex) +{ + const char *msg; + uint32_t flag; + bool valid; + + valid =3D validate_sclab_format(sclab_format); + if (!valid) { + flag =3D S390_IPL_COMPONENT_CEI_INVALID_SCLAB_FORMAT; + msg =3D "Format-0 SCLAB is not being use"; + set_cei_with_log(comps, comp_index, flag, msg); + } +} + +static void check_sclab_opsw(SecureCodeLoadingAttributesBlock *sclab, + SecureIplSclabInfo *sclab_info, + IplDeviceComponentList *comps, int comp_index) +{ + const char *msg; + uint32_t flag; + bool is_opsw_set; + bool valid; + + is_opsw_set =3D is_sclab_flag_set(sclab->flags, S390_SECURE_IPL_SCLAB_= FLAG_OPSW); + if (!is_opsw_set) { + valid =3D validate_sclab_opsw_zero(sclab->load_psw); + if (!valid) { + flag =3D S390_IPL_COMPONENT_CEI_SCLAB_LOAD_PSW_NOT_ZERO; + msg =3D "Load PSW is not zero when Override PSW bit is zero"; + set_cei_with_log(comps, comp_index, flag, msg); + } + } else { + /* OPSW =3D 1 indicating global SCLAB */ + valid =3D validate_sclab_opsw_one(sclab->flags); + if (!valid) { + flag =3D S390_IPL_COMPONENT_CEI_SCLAB_OLA_NOT_ONE; + msg =3D "Override Load Address bit is not set to one in the gl= obal SCLAB"; + set_cei_with_log(comps, comp_index, flag, msg); + } + + sclab_info->global_count +=3D 1; + if 
(sclab_info->global_count =3D=3D 1) { + sclab_info->load_psw =3D sclab->load_psw; + sclab_info->flags =3D sclab->flags; + } + } +} + +static void check_sclab_ola(SecureCodeLoadingAttributesBlock *sclab, + uint64_t load_addr, IplDeviceComponentList *co= mps, + int comp_index) +{ + const char *msg; + uint32_t flag; + bool is_ola_set; + bool valid; + + is_ola_set =3D is_sclab_flag_set(sclab->flags, S390_SECURE_IPL_SCLAB_F= LAG_OLA); + if (!is_ola_set) { + valid =3D validate_sclab_ola_zero(sclab->load_addr); + if (!(valid)) { + flag =3D S390_IPL_COMPONENT_CEI_SCLAB_LOAD_ADDR_NOT_ZERO; + msg =3D "Load Address is not zero when Override Load Address b= it is zero"; + set_cei_with_log(comps, comp_index, flag, msg); + } + + } else { + valid =3D validate_sclab_ola_one(sclab->load_addr, load_addr); + if (!valid) { + flag =3D S390_IPL_COMPONENT_CEI_UNMATCHED_SCLAB_LOAD_ADDR; + msg =3D "Load Address does not match with component load addre= ss"; + set_cei_with_log(comps, comp_index, flag, msg); + } + } +} + +static void check_sclab_nuc(uint16_t sclab_flags, IplDeviceComponentList *= comps, + int comp_index) +{ + const char *msg; + uint32_t flag; + bool is_nuc_set; + bool is_global_sclab; + + is_nuc_set =3D is_sclab_flag_set(sclab_flags, S390_SECURE_IPL_SCLAB_FL= AG_NUC); + is_global_sclab =3D is_sclab_flag_set(sclab_flags, S390_SECURE_IPL_SCL= AB_FLAG_OPSW); + if (is_nuc_set && !is_global_sclab) { + flag =3D S390_IPL_COMPONENT_CEI_NUC_NOT_IN_GLOBAL_SCLA; + msg =3D "No Unsigned Components bit is set, but not in the global = SCLAB"; + set_cei_with_log(comps, comp_index, flag, msg); + } +} + +static void check_sclab_sc(uint16_t sclab_flags, IplDeviceComponentList *c= omps, + int comp_index) +{ + const char *msg; + uint32_t flag; + bool is_sc_set; + bool is_global_sclab; + + is_sc_set =3D is_sclab_flag_set(sclab_flags, S390_SECURE_IPL_SCLAB_FLA= G_SC); + is_global_sclab =3D is_sclab_flag_set(sclab_flags, S390_SECURE_IPL_SCL= AB_FLAG_OPSW); + if (is_sc_set && !is_global_sclab) { + 
flag =3D S390_IPL_COMPONENT_CEI_SC_NOT_IN_GLOBAL_SCLAB; + msg =3D "Single Component bit is set, but not in the global SCLAB"; + set_cei_with_log(comps, comp_index, flag, msg); + } +} + +static bool is_psw_valid(uint64_t psw, SecureIplCompAddrRange *comp_addr_r= ange, + int range_index) +{ + uint32_t addr =3D psw & 0x3FFFFFFF; + + /* PSW points within a signed binary code component */ + for (int i =3D 0; i < range_index; i++) { + if (comp_addr_range[i].is_signed && + addr >=3D comp_addr_range[i].start_addr && + addr <=3D comp_addr_range[i].end_addr) { + return true; + } + } + + return false; +} + +static void check_load_psw(SecureIplCompAddrRange *comp_addr_range, + int addr_range_index, uint64_t sclab_load_psw, + uint64_t load_psw, IplDeviceComponentList *comp= s, + int comp_index) +{ + uint32_t flag; + const char *msg; + bool valid; + + valid =3D is_psw_valid(sclab_load_psw, comp_addr_range, addr_range_ind= ex) && + is_psw_valid(load_psw, comp_addr_range, addr_range_index); + if (!valid) { + flag =3D S390_IPL_COMPONENT_CEI_INVALID_LOAD_PSW; + msg =3D "Invalid PSW"; + set_cei_with_log(comps, comp_index, flag, msg); + } + + valid =3D validate_lpsw(sclab_load_psw, load_psw); + if (!valid) { + flag =3D S390_IPL_COMPONENT_CEI_UNMATCHED_SCLAB_LOAD_PSW; + msg =3D "Load PSW does not match with PSW in component"; + set_cei_with_log(comps, comp_index, flag, msg); + } +} + +static void check_nuc(uint16_t global_sclab_flags, int unsigned_count, + IplDeviceComponentList *comps) +{ + uint16_t flag; + const char *msg; + bool is_nuc_set; + + is_nuc_set =3D is_sclab_flag_set(global_sclab_flags, S390_SECURE_IPL_S= CLAB_FLAG_NUC); + if (is_nuc_set && unsigned_count > 0) { + flag =3D S390_IPL_INFO_IIEI_FOUND_UNSIGNED_COMP; + msg =3D "Unsigned components are not allowed"; + set_iiei_with_log(comps, flag, msg); + } +} + +static void check_sc(uint16_t global_sclab_flags, int signed_count, + IplDeviceComponentList *comps) +{ + uint16_t flag; + const char *msg; + bool is_sc_set; + + 
is_sc_set =3D is_sclab_flag_set(global_sclab_flags, S390_SECURE_IPL_SC= LAB_FLAG_SC); + if (is_sc_set && signed_count !=3D 1) { + flag =3D S390_IPL_INFO_IIEI_MORE_SIGNED_COMP; + msg =3D "Only one signed component is allowed"; + set_iiei_with_log(comps, flag, msg); + } +} + +void check_global_sclab(SecureIplSclabInfo sclab_info, + SecureIplCompAddrRange *comp_addr_range, + int addr_range_index, uint64_t load_psw, + int unsigned_count, int signed_count, + IplDeviceComponentList *comps, int comp_index) +{ + uint16_t flag; + const char *msg; + + if (sclab_info.count =3D=3D 0) { + return; + } + + if (sclab_info.global_count =3D=3D 0) { + flag =3D S390_IPL_INFO_IIEI_NO_GLOBAL_SCLAB; + msg =3D "Global SCLAB does not exists"; + set_iiei_with_log(comps, flag, msg); + return; + } + + if (sclab_info.global_count > 1) { + flag =3D S390_IPL_INFO_IIEI_MORE_GLOBAL_SCLAB; + msg =3D "More than one global SCLAB"; + set_iiei_with_log(comps, flag, msg); + return; + } + + if (sclab_info.load_psw) { + /* Verify PSW from the final component entry with PSW from the glo= bal SCLAB */ + check_load_psw(comp_addr_range, addr_range_index, + sclab_info.load_psw, load_psw, + comps, comp_index); + } + + if (sclab_info.flags) { + /* Unsigned components are not allowed if NUC flag is set in the g= lobal SCLAB */ + check_nuc(sclab_info.flags, unsigned_count, comps); + + /* Only one signed component is allowed is SC flag is set in the g= lobal SCLAB */ + check_sc(sclab_info.flags, signed_count, comps); + } +} + +static void check_signed_comp(int signed_count, IplDeviceComponentList *co= mps) +{ + uint16_t flag; + const char *msg; + + if (signed_count > 0) { + return; + } + + flag =3D S390_IPL_INFO_IIEI_NO_SIGNED_COMP; + msg =3D "Secure boot is on, but components are not signed"; + set_iiei_with_log(comps, flag, msg); +} + +static void check_sclab_count(int count, IplDeviceComponentList *comps) +{ + uint16_t flag; + const char *msg; + + if (count > 0) { + return; + } + + flag =3D 
S390_IPL_INFO_IIEI_NO_SCLAB; + msg =3D "No recognizable SCLAB"; + set_iiei_with_log(comps, flag, msg); +} + +static void check_unsigned_comp(uint64_t comp_addr, IplDeviceComponentList= *comps, + int comp_index, int cert_index, uint64_t c= omp_len) +{ + check_unsigned_addr(comp_addr, comps, comp_index); + + comp_list_add(comps, comp_index, cert_index, comp_addr, comp_len, 0x00= ); +} + +static void check_sclab(uint64_t comp_addr, IplDeviceComponentList *comps, + uint64_t comp_len, int comp_index, SecureIplSclabI= nfo *sclab_info) +{ + SclabOriginLocator *sclab_locator; + SecureCodeLoadingAttributesBlock *sclab; + bool exist; + bool valid; + + sclab_locator =3D (SclabOriginLocator *)(comp_addr + comp_len - 8); + + /* return early if sclab does not exist */ + exist =3D check_sclab_presence(sclab_locator->magic, comps, comp_index= ); + if (!exist) { + return; + } + + check_sclab_length(sclab_locator->len, comps, comp_index); + + /* return early if sclab is invalid */ + valid =3D (comps->device_entries[comp_index].cei & + S390_IPL_COMPONENT_CEI_INVALID_SCLAB) =3D=3D 0; + if (!valid) { + return; + } + + sclab_info->count +=3D 1; + sclab =3D (SecureCodeLoadingAttributesBlock *)(comp_addr + comp_len - + sclab_locator->len); + + check_sclab_format(sclab->format, comps, comp_index); + check_sclab_opsw(sclab, sclab_info, comps, comp_index); + check_sclab_ola(sclab, comp_addr, comps, comp_index); + check_sclab_nuc(sclab->flags, comps, comp_index); + check_sclab_sc(sclab->flags, comps, comp_index); +} + static uint32_t zipl_load_signature(ComponentEntry *entry, uint64_t sig_se= c) { uint32_t sig_len; 
@@ -278,7 +671,11 @@ int zipl_run_secure(ComponentEntry **entry_ptr, uint8_= t *tmp_sec) * cert_table value: index of cert entry in cert list that contains th= e certificate */ int cert_table[MAX_CERTIFICATES] =3D { [0 ... MAX_CERTIFICATES - 1] = =3D -1}; + SecureIplCompAddrRange comp_addr_range[MAX_CERTIFICATES]; + int addr_range_index =3D 0; int signed_count =3D 0; + int unsigned_count =3D 0; + SecureIplSclabInfo sclab_info =3D { 0 }; =20 if (!secure_ipl_supported()) { return -1; @@ -308,10 +705,17 @@ int zipl_run_secure(ComponentEntry **entry_ptr, uint8= _t *tmp_sec) goto out; } =20 + addr_overlap_check(comp_addr_range, &addr_range_index, + comp_addr, comp_addr + comp_len, sig_len > = 0); + if (!sig_len) { + check_unsigned_comp(comp_addr, &comps, comp_index, cert_in= dex, comp_len); + unsigned_count +=3D 1; + comp_index++; break; } =20 + check_sclab(comp_addr, &comps, comp_len, comp_index, &sclab_in= fo); verified =3D verify_signature(comp_len, comp_addr, sig_len, (u= int64_t)sig, &cert_len, &cert_idx); =20 @@ -351,9 +755,11 @@ int zipl_run_secure(ComponentEntry **entry_ptr, uint8_= t *tmp_sec) } } =20 - if (signed_count =3D=3D 0) { - zipl_secure_handle("Secure boot is on, but components are not sign= ed"); - } + check_signed_comp(signed_count, &comps); + check_sclab_count(sclab_info.count, &comps); + check_global_sclab(sclab_info, comp_addr_range, addr_range_index, + entry->compdat.load_psw, unsigned_count, signed_cou= nt, + &comps, comp_index); =20 if (update_iirb(&comps, &certs)) { zipl_secure_handle("Failed to write IPL Information Report Block"); diff --git a/pc-bios/s390-ccw/secure-ipl.h b/pc-bios/s390-ccw/secure-ipl.h index a264a44349..87aa6e1465 100644 --- a/pc-bios/s390-ccw/secure-ipl.h +++ b/pc-bios/s390-ccw/secure-ipl.h 
@@ -16,6 +16,42 @@ VCStorageSizeBlock *zipl_secure_get_vcssb(void); int zipl_run_secure(ComponentEntry **entry_ptr, uint8_t *tmp_sec); =20 +#define S390_SECURE_IPL_SCLAB_FLAG_OPSW 0x8000 +#define S390_SECURE_IPL_SCLAB_FLAG_OLA 0x4000 +#define S390_SECURE_IPL_SCLAB_FLAG_NUC 0x2000 +#define S390_SECURE_IPL_SCLAB_FLAG_SC 0x1000 + +struct SecureCodeLoadingAttributesBlock { + uint8_t format; + uint8_t reserved1; + uint16_t flags; + uint8_t reserved2[4]; + uint64_t load_psw; + uint64_t load_addr; + uint64_t reserved3[]; +} __attribute__ ((packed)); +typedef struct SecureCodeLoadingAttributesBlock SecureCodeLoadingAttribute= sBlock; + +struct SclabOriginLocator { + uint8_t reserved[2]; + uint16_t len; + uint8_t magic[4]; +} __attribute__ ((packed)); +typedef struct SclabOriginLocator SclabOriginLocator; + +typedef struct SecureIplCompAddrRange { + bool is_signed; + uint64_t start_addr; + uint64_t end_addr; +} SecureIplCompAddrRange; + +typedef struct SecureIplSclabInfo { + int count; + int global_count; + uint64_t load_psw; + uint16_t flags; +} SecureIplSclabInfo; + static inline void zipl_secure_handle(const char *message) { switch (boot_mode) { 
@@ -27,6 +63,80 @@ static inline void zipl_secure_handle(const char *messag= e) } } =20 +static inline bool is_sclab_flag_set(uint16_t sclab_flags, uint16_t flag) +{ + return (sclab_flags & flag) !=3D 0; +} + +static inline bool validate_unsigned_addr(uint64_t comp_load_addr) +{ + /* usigned load address must be greater than or equal to 0x2000 */ + return comp_load_addr >=3D 0x2000; +} + +static inline bool validate_sclab_magic(uint8_t *sclab_magic) +{ + /* identifies the presence of SCLAB */ + return magic_match(sclab_magic, ZIPL_MAGIC); +} + +static inline bool validate_sclab_length(uint16_t sclab_len) +{ + /* minimum SCLAB length is 32 bytes */ + return sclab_len >=3D 32; +} + +static inline bool validate_sclab_format(uint8_t sclab_format) +{ + /* SCLAB format must set to zero, indicating a format-0 SCLAB being us= ed */ + return sclab_format =3D=3D 0; +} + +static inline bool validate_sclab_ola_zero(uint64_t sclab_load_addr) +{ + /* Load address field in SCLAB must contain zeros */ + return sclab_load_addr =3D=3D 0; +} + +static inline bool validate_sclab_ola_one(uint64_t sclab_load_addr, + uint64_t comp_load_addr) +{ + /* Load address field must match storage address of the component */ + return sclab_load_addr =3D=3D comp_load_addr; +} + +static inline bool validate_sclab_opsw_zero(uint64_t sclab_load_psw) +{ + /* Load PSW field in SCLAB must contain zeros */ + return sclab_load_psw =3D=3D 0; +} + +static inline bool validate_sclab_opsw_one(uint16_t sclab_flags) +{ + /* OLA must set to one */ + return is_sclab_flag_set(sclab_flags, S390_SECURE_IPL_SCLAB_FLAG_OLA); +} + +static inline bool validate_lpsw(uint64_t sclab_load_psw, uint64_t comp_lo= ad_psw) +{ + /* compare load PSW with the PSW specified in component */ + return sclab_load_psw =3D=3D comp_load_psw; +} + +static inline void set_cei_with_log(IplDeviceComponentList *comps, int com= p_index, + uint32_t flag, const char *message) +{ + comps->device_entries[comp_index].cei |=3D flag; + 
zipl_secure_handle(message); +} + +static inline void set_iiei_with_log(IplDeviceComponentList *comps, uint16= _t flag, + const char *message) +{ + comps->ipl_info_header.iiei |=3D flag; + zipl_secure_handle(message); +} + static inline uint64_t diag320(void *data, unsigned long subcode) { register unsigned long addr asm("0") =3D (unsigned long)data; --=20 2.50.1
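Review bot: in check_sclab() (pc-bios/s390-ccw/secure-ipl.c, the @@ -214 hunk) the SCLAB is located with comp_addr + comp_len - 8 and then comp_addr + comp_len - sclab_locator->len, but nothing checks comp_len >= 8 and validate_sclab_length() only enforces len >= 32 with no upper bound. zipl_run_secure() calls check_sclab() before verify_signature(), so these fields are read from component data that has not been verified yet, and a len larger than comp_len makes sclab point below the component. Suggest rejecting comp_len < 8 and sclab_locator->len > comp_len before either dereference. In the same hunk, comp_addr_range_add() silently returns once addr_range_index exceeds MAX_CERTIFICATES - 1 while addr_overlap_check() still increments the index, so is_comp_overlap() and is_psw_valid() would iterate past the end of comp_addr_range[MAX_CERTIFICATES] unless the component count is bounded elsewhere. is_psw_valid() also masks the PSW with 0x3FFFFFFF into a uint32_t, which keeps 30 bits; please confirm that is the intended address width and give the mask a named constant.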
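Review bot: the addr_overlap_check() call added to zipl_run_secure() (the @@ -308 hunk) passes comp_addr + comp_len as end_addr, but is_comp_overlap() and is_psw_valid() compare with <= on both ends and therefore treat end_addr as inclusive. Two components loaded back to back will be reported as overlapping, and a PSW pointing one byte past a signed component is accepted as valid. Suggest passing comp_addr + comp_len - 1, or making the comparisons against end_addr strict.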
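Review bot: the sclp_is_sclaf_on() check added to secure_ipl_supported() (the @@ -202 hunk) returns false, so secure IPL is refused outright when SCLAF is absent, while the commit message describes the SCLAB checks as additional checks performed "when SCLAF is installed". Either gate only the check_sclab() and check_global_sclab() calls on SCLAF, or state in the commit message that SCLAF is now a prerequisite for secure IPL. The backslash between the two adjacent string literals in the puts() call is also unnecessary.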
From: Zhuoying Cai
To: thuth@redhat.com, berrange@redhat.com, richard.henderson@linaro.org, david@redhat.com, jrossi@linux.ibm.com, qemu-s390x@nongnu.org, qemu-devel@nongnu.org
Cc: walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com
Subject: [PATCH v6 22/28] Add secure-boot to s390-ccw-virtio machine type option
Date: Wed, 17 Sep 2025 19:21:24 -0400
Message-ID: <20250917232131.495848-23-zycai@linux.ibm.com>
In-Reply-To: <20250917232131.495848-1-zycai@linux.ibm.com>
References: <20250917232131.495848-1-zycai@linux.ibm.com>
Add secure-boot as a parameter of s390-ccw-virtio machine type option. The `secure-boot=on|off` parameter is implemented to enable secure IPL. By default, secure-boot is set to false if not specified in the command line.

Signed-off-by: Zhuoying Cai
--- docs/system/s390x/secure-ipl.rst | 20 ++++++++++++++++---- hw/s390x/s390-virtio-ccw.c | 22 ++++++++++++++++++++++ include/hw/s390x/s390-virtio-ccw.h | 1 + qemu-options.hx | 6 +++++- 4 files changed, 44 insertions(+), 5 deletions(-) diff --git a/docs/system/s390x/secure-ipl.rst b/docs/system/s390x/secure-ip= l.rst index 701594b9de..205de8bc02 100644 --- a/docs/system/s390x/secure-ipl.rst +++ b/docs/system/s390x/secure-ipl.rst
@@ -20,19 +20,31 @@ Note: certificate files must have a .pem extension. boot-certs.0.path=3D/.../qemu/certs, \ boot-certs.1.path=3D/another/path/cert.pem = ... =20 +Enabling Secure IPL +------------------- + +Secure IPL is enabled by explicitly setting ``secure-boot=3Don``; if not s= pecified, +secure boot is considered off. + +.. code-block:: shell + + qemu-system-s390x -machine s390-ccw-virtio,secure-boot=3Don|off + =20 IPL Modes =3D=3D=3D=3D=3D=3D=3D=3D=3D =20 The concept of IPL Modes are introduced to differentiate between the IPL c= onfigurations. -These modes are mutually exclusive and enabled based on the ``boot-certs``= option on the -QEMU command line. +These modes are mutually exclusive and enabled based on specific combinati= ons of +the ``secure-boot`` and ``boot-certs`` options on the QEMU command line. =20 Normal Mode ----------- =20 -The absence of certificates will attempt to IPL a guest without secure IPL= operations. -No checks are performed, and no warnings/errors are reported. This is the = default mode. +The absence of both certificates and the ``secure-boot`` option will attem= pt to +IPL a guest without secure IPL operations. No checks are performed, and no +warnings/errors are reported. This is the default mode, and can be explic= itly +enabled with ``secure-boot=3Doff``. =20 Configuration: =20 diff --git a/hw/s390x/s390-virtio-ccw.c b/hw/s390x/s390-virtio-ccw.c index b825f4cce1..5c15908b8f 100644 --- a/hw/s390x/s390-virtio-ccw.c +++ b/hw/s390x/s390-virtio-ccw.c 
@@ -823,6 +823,21 @@ static void machine_set_boot_certs(Object *obj, Visito= r *v, const char *name, ms->boot_certs =3D cert_list; } =20 +static inline bool machine_get_secure_boot(Object *obj, Error **errp) +{ + S390CcwMachineState *ms =3D S390_CCW_MACHINE(obj); + + return ms->secure_boot; +} + +static inline void machine_set_secure_boot(Object *obj, bool value, + Error **errp) +{ + S390CcwMachineState *ms =3D S390_CCW_MACHINE(obj); + + ms->secure_boot =3D value; +} + static void ccw_machine_class_init(ObjectClass *oc, const void *data) { MachineClass *mc =3D MACHINE_CLASS(oc); @@ -881,6 +896,13 @@ static void ccw_machine_class_init(ObjectClass *oc, co= nst void *data) machine_get_boot_certs, machine_set_boot_cer= ts, NULL, NULL); object_class_property_set_description(oc, "boot-certs", "provide paths to a directory and/or a certificate file for se= cure boot"); + + object_class_property_add_bool(oc, "secure-boot", + machine_get_secure_boot, + machine_set_secure_boot); + object_class_property_set_description(oc, "secure-boot", + "enable/disable secure boot"); + } =20 static inline void s390_machine_initfn(Object *obj) diff --git a/include/hw/s390x/s390-virtio-ccw.h b/include/hw/s390x/s390-vir= tio-ccw.h index 334b67ef05..1dba5ab37e 100644 --- a/include/hw/s390x/s390-virtio-ccw.h +++ b/include/hw/s390x/s390-virtio-ccw.h @@ -33,6 +33,7 @@ struct S390CcwMachineState { uint64_t memory_limit; uint64_t max_pagesize; BootCertificateList *boot_certs; + bool secure_boot; =20 SCLPDevice *sclp; }; diff --git a/qemu-options.hx b/qemu-options.hx index ac497eb3a0..5d9cd0d0f1 100644 --- a/qemu-options.hx +++ b/qemu-options.hx 
@@ -45,7 +45,8 @@ DEF("machine", HAS_ARG, QEMU_OPTION_machine, \ " memory-backend=3D'backend-id' specifies explicitly pr= ovided backend for main RAM (default=3Dnone)\n" " cxl-fmw.0.targets.0=3Dfirsttarget,cxl-fmw.0.targets.1= =3Dsecondtarget,cxl-fmw.0.size=3Dsize[,cxl-fmw.0.interleave-granularity=3Dg= ranularity]\n" " smp-cache.0.cache=3Dcachename,smp-cache.0.topology=3D= topologylevel\n" - " boot-certs.0.path=3D/path/directory,boot-certs.1.path= =3D/path/file provides paths to a directory and/or a certificate file\n", + " boot-certs.0.path=3D/path/directory,boot-certs.1.path= =3D/path/file provides paths to a directory and/or a certificate file\n" + " secure-boot=3Don|off enable/disable secure boot (defa= ult=3Doff) \n", QEMU_ARCH_ALL) SRST ``-machine [type=3D]name[,prop=3Dvalue[,...]]`` 
@@ -209,6 +210,9 @@ SRST =20 ``boot-certs.0.path=3D/path/directory,boot-certs.1.path=3D/path/file`` Provide paths to a directory and/or a certificate file on the host= [s390x only]. + + ``secure-boot=3Don|off`` + Enables or disables secure boot on s390-ccw guest. The default is = off. ERST =20 DEF("M", HAS_ARG, QEMU_OPTION_M, --=20 2.50.1
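Review bot: machine_get_secure_boot() and machine_set_secure_boot() in hw/s390x/s390-virtio-ccw.c are marked static inline, but in the visible hunks they are only passed by address to object_class_property_add_bool(), so plain static is the better fit. The ccw_machine_class_init() hunk also leaves a blank line before the closing brace, and the property description "enable/disable secure boot" could state the default (off) the way the qemu-options.hx text does.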
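Review bot: in qemu-options.hx the new help line carries a stray space before the newline ("(default=off) \n"), and the SRST entry for secure-boot says "on s390-ccw guest" while the boot-certs entry directly above it uses the "[s390x only]" tag. Suggest dropping the space and using the same "[s390x only]" marker so the two s390x-specific machine properties are documented consistently.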
From: Zhuoying Cai
To: thuth@redhat.com, berrange@redhat.com, richard.henderson@linaro.org, david@redhat.com, jrossi@linux.ibm.com, qemu-s390x@nongnu.org, qemu-devel@nongnu.org
Cc: walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com
Subject: [PATCH v6 23/28] hw/s390x/ipl: Set IPIB flags for secure IPL
Date: Wed, 17 Sep 2025 19:21:25 -0400
Message-ID: <20250917232131.495848-24-zycai@linux.ibm.com>
In-Reply-To: <20250917232131.495848-1-zycai@linux.ibm.com>
References: <20250917232131.495848-1-zycai@linux.ibm.com>
Content-Transfer-Encoding: quoted-printable

If `-secure-boot on` is specified on the command line option, indicating true secure IPL enabled, set Secure-IPL bit and IPL-Information-Report bit on in IPIB Flags field, and trigger true secure IPL in the S390 BIOS.

Any error that occurs during true secure IPL will cause the IPL to terminate.

Signed-off-by: Zhuoying Cai
---
 hw/s390x/ipl.c | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/hw/s390x/ipl.c b/hw/s390x/ipl.c
index c1360905c4..42b25513a2 100644
--- a/hw/s390x/ipl.c
+++ b/hw/s390x/ipl.c
@@ -437,6 +437,11 @@ static bool s390_has_certificate(void) return ipl->cert_store.count > 0; } =20 +static bool s390_secure_boot_enabled(void) +{ + return S390_CCW_MACHINE(qdev_get_machine())->secure_boot; +} + static bool s390_build_iplb(DeviceState *dev_st, IplParameterBlock *iplb) { CcwDevice *ccw_dev =3D NULL; @@ -494,6 +499,17 @@ static bool s390_build_iplb(DeviceState *dev_st, IplPa= rameterBlock *iplb) s390_ipl_convert_loadparm((char *)lp, iplb->loadparm); iplb->flags |=3D DIAG308_FLAGS_LP_VALID; =20 + /* + * If secure-boot is enabled, then toggle the secure IPL flags to = trigger + * secure boot in the s390 BIOS. + * + * Boot process will terminate if any error occurs during secure b= oot. + * + * If SIPL is on, IPLIR must also be on. + */ + if (s390_secure_boot_enabled()) { + iplb->hdr_flags |=3D (DIAG308_IPIB_FLAGS_SIPL | DIAG308_IPIB_F= LAGS_IPLIR); + } /* * Secure boot in audit mode will perform * if certificate(s) exist in the key store. 
@@ -503,7 +519,7 @@ static bool s390_build_iplb(DeviceState *dev_st, IplPar= ameterBlock *iplb) * * Results of secure boot will be stored in IIRB. */ - if (s390_has_certificate()) { + else if (s390_has_certificate()) { iplb->hdr_flags |=3D DIAG308_IPIB_FLAGS_IPLIR; } =20 --=20 2.50.1 From nobody Sat Nov 15 00:41:28 2025 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass(p=reject dis=none) header.from=linux.ibm.com ARC-Seal: i=1; a=rsa-sha256; t=1758151417; cv=none; d=zohomail.com; s=zohoarc; b=QLBCRvAEfH1K2EsEu2gVckhUyesYmAz/EFM2toaeIrH6+mbAfGw+yEayFeXDYkxogPq+zhPYaraztdjK+cv0DsnqogQJBk5paH7DhR7pf2Nvj63+oMkDrNFFa/tvNQG7cU4vWtcsaYeGcjykR65yMQM2y6cmK19HtrW5QHa8OqM= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1758151417; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=HWqdAsJPhLqaInWuF78u6cqXP9tvvNnaUajTlBE2mQs=; b=mzqJbuzYUu/0tqfyyzAjrjpqXxjaidhrFanI3gVOD4MCQmgw/3hrIzmCacvqu6bvUOQSBCF8z3XpqsVv8sgq74KPHxxloAP5CnHY2c7d9d3q8cMiN2N8lL0bA+tmIfNOo91OiWr56EvYo2HmGGuwdHB9QU1vaz+pscaOcv5bLv8= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass header.from= (p=reject dis=none) Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1758151417291476.3951417604162; Wed, 17 Sep 2025 16:23:37 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1uz1Tk-0005lJ-EC; Wed, 
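Review bot: In s390_build_iplb() the new `if (s390_secure_boot_enabled()) {` block from the @@ -494 hunk is closed with `}`, then comes the existing audit-mode comment, and only after it the `else if (s390_has_certificate()) {` from the @@ -503 hunk. QEMU's coding style wants `} else if (...) {` on one line, and a comment wedged between the brace and the `else` makes the chain easy to misread; move the audit-mode comment inside the else-if branch. Separately, SIPL and IPLIR are set whenever secure-boot is on without consulting s390_has_certificate(), so a secure-boot=on machine with an empty certificate store is only rejected later in the BIOS. Consider reporting that misconfiguration here, where a clear error can be returned to the user.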
From: Zhuoying Cai
To: thuth@redhat.com, berrange@redhat.com, richard.henderson@linaro.org, david@redhat.com, jrossi@linux.ibm.com, qemu-s390x@nongnu.org, qemu-devel@nongnu.org
Cc: walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com
Subject: [PATCH v6 24/28] pc-bios/s390-ccw: Handle true secure IPL mode
Date: Wed, 17 Sep 2025 19:21:26 -0400
Message-ID: <20250917232131.495848-25-zycai@linux.ibm.com>
In-Reply-To: <20250917232131.495848-1-zycai@linux.ibm.com>
References: <20250917232131.495848-1-zycai@linux.ibm.com>
Content-Transfer-Encoding: quoted-printable

When secure boot is enabled (-secure-boot on) and certificate(s) are provided, the boot operates in True Secure IPL mode.

Any verification error during True Secure IPL mode will cause the entire boot process to terminate.

Secure IPL in audit mode requires at least one certificate provided in the key store along with necessary facilities. If secure boot is enabled but no certificate is provided, the boot process will also terminate, as this is not a valid secure boot configuration.

Note: True Secure IPL mode is implemented for the SCSI scheme of virtio-blk/virtio-scsi devices.

Signed-off-by: Zhuoying Cai --- docs/system/s390x/secure-ipl.rst | 16 ++++++++++++++++ pc-bios/s390-ccw/bootmap.c | 19 ++++++++++++++++--- pc-bios/s390-ccw/main.c | 7 ++++++- pc-bios/s390-ccw/s390-ccw.h | 2 ++ pc-bios/s390-ccw/secure-ipl.c | 4 ++++ pc-bios/s390-ccw/secure-ipl.h | 3 +++ 6 files changed, 47 insertions(+), 4 deletions(-) diff --git a/docs/system/s390x/secure-ipl.rst b/docs/system/s390x/secure-ip= l.rst index 205de8bc02..579b7b4993 100644 --- a/docs/system/s390x/secure-ipl.rst +++ b/docs/system/s390x/secure-ipl.rst @@ -67,3 +67,19 @@ Configuration: qemu-system-s390x -machine s390-ccw-virtio, \ boot-certs.0.path=3D/.../qemu/certs, \ boot-certs.1.path=3D/another/path/cert.pem = ... + +Secure Mode +----------- + +With *both* the presence of certificates in the store and the ``secure-boo= t=3Don`` +option, it is understood that secure boot should be performed with errors +reported and boot will abort. + +Configuration: + +.. code-block:: shell + + qemu-system-s390x -machine s390-ccw-virtio, \ + secure-boot=3Don, \ + boot-certs.0.path=3D/.../qemu/certs, \ + boot-certs.1.path=3D/another/path/cert.pem = ... diff --git a/pc-bios/s390-ccw/bootmap.c b/pc-bios/s390-ccw/bootmap.c index 3922e7cdde..3ab89b91fb 100644 --- a/pc-bios/s390-ccw/bootmap.c +++ b/pc-bios/s390-ccw/bootmap.c @@ -737,6 +737,9 @@ static int zipl_run(ScsiBlockPtr *pte) entry =3D (ComponentEntry *)(&header[1]); =20 switch (boot_mode) { + case ZIPL_BOOT_MODE_INVALID: + return -1; + case ZIPL_BOOT_MODE_SECURE: case ZIPL_BOOT_MODE_SECURE_AUDIT: if (zipl_run_secure(&entry, tmp_sec)) { return -1; 
@@ -1118,9 +1121,16 @@ ZiplBootMode zipl_mode(uint8_t hdr_flags) { bool sipl_set =3D hdr_flags & DIAG308_IPIB_FLAGS_SIPL; bool iplir_set =3D hdr_flags & DIAG308_IPIB_FLAGS_IPLIR; + VCStorageSizeBlock *vcssb; =20 if (!sipl_set && iplir_set) { return ZIPL_BOOT_MODE_SECURE_AUDIT; + } else if (sipl_set && iplir_set) { + vcssb =3D zipl_secure_get_vcssb(); + if (vcssb =3D=3D NULL || vcssb->length =3D=3D VCSSB_NO_VC) { + return ZIPL_BOOT_MODE_INVALID; + } + return ZIPL_BOOT_MODE_SECURE; } =20 return ZIPL_BOOT_MODE_NORMAL; @@ -1131,7 +1141,8 @@ void zipl_load(void) VDev *vdev =3D virtio_get_device(); =20 if (vdev->is_cdrom) { - if (boot_mode =3D=3D ZIPL_BOOT_MODE_SECURE_AUDIT) { + if (boot_mode =3D=3D ZIPL_BOOT_MODE_SECURE_AUDIT || + boot_mode =3D=3D ZIPL_BOOT_MODE_SECURE) { panic("Secure boot from ISO image is not supported!"); } ipl_iso_el_torito(); @@ -1140,7 +1151,8 @@ void zipl_load(void) } =20 if (virtio_get_device_type() =3D=3D VIRTIO_ID_NET) { - if (boot_mode =3D=3D ZIPL_BOOT_MODE_SECURE_AUDIT) { + if (boot_mode =3D=3D ZIPL_BOOT_MODE_SECURE_AUDIT || + boot_mode =3D=3D ZIPL_BOOT_MODE_SECURE) { panic("Virtio net boot device does not support secure boot!"); } netmain(); @@ -1153,7 +1165,8 @@ void zipl_load(void) return; } =20 - if (boot_mode =3D=3D ZIPL_BOOT_MODE_SECURE_AUDIT) { + if (boot_mode =3D=3D ZIPL_BOOT_MODE_SECURE_AUDIT || + boot_mode =3D=3D ZIPL_BOOT_MODE_SECURE) { panic("ECKD boot device does not support secure boot!"); } =20 diff --git a/pc-bios/s390-ccw/main.c b/pc-bios/s390-ccw/main.c index 668660e64d..c5b425209a 100644 --- a/pc-bios/s390-ccw/main.c +++ b/pc-bios/s390-ccw/main.c 
@@ -277,10 +277,15 @@ static void ipl_boot_device(void) boot_mode =3D zipl_mode(iplb->hdr_flags); } =20 + if (boot_mode =3D=3D ZIPL_BOOT_MODE_INVALID) { + panic("Need at least one certificate for secure boot!"); + } + switch (cutype) { case CU_TYPE_DASD_3990: case CU_TYPE_DASD_2107: - if (boot_mode =3D=3D ZIPL_BOOT_MODE_SECURE_AUDIT) { + if (boot_mode =3D=3D ZIPL_BOOT_MODE_SECURE_AUDIT || + boot_mode =3D=3D ZIPL_BOOT_MODE_SECURE) { panic("Passthrough (vfio) device does not support secure boot!= "); } =20 diff --git a/pc-bios/s390-ccw/s390-ccw.h b/pc-bios/s390-ccw/s390-ccw.h index 6d51d07c90..389cc8ea7c 100644 --- a/pc-bios/s390-ccw/s390-ccw.h +++ b/pc-bios/s390-ccw/s390-ccw.h @@ -83,9 +83,11 @@ int virtio_read(unsigned long sector, void *load_addr); void zipl_load(void); =20 typedef enum ZiplBootMode { + ZIPL_BOOT_MODE_INVALID =3D -1, ZIPL_BOOT_MODE_UNSPECIFIED =3D 0, ZIPL_BOOT_MODE_NORMAL =3D 1, ZIPL_BOOT_MODE_SECURE_AUDIT =3D 2, + ZIPL_BOOT_MODE_SECURE =3D 3, } ZiplBootMode; =20 extern ZiplBootMode boot_mode; diff --git a/pc-bios/s390-ccw/secure-ipl.c b/pc-bios/s390-ccw/secure-ipl.c index cd798c1198..92e3e1e021 100644 --- a/pc-bios/s390-ccw/secure-ipl.c +++ b/pc-bios/s390-ccw/secure-ipl.c @@ -287,6 +287,10 @@ static bool check_sclab_presence(uint8_t *sclab_magic, comps->device_entries[comp_index].cei |=3D S390_IPL_COMPONENT_CEI_= INVALID_SCLAB; =20 /* a missing SCLAB will not be reported in audit mode */ + if (boot_mode =3D=3D ZIPL_BOOT_MODE_SECURE) { + zipl_secure_handle("Magic is not matched. SCLAB does not exist= "); + } + return false; } =20 diff --git a/pc-bios/s390-ccw/secure-ipl.h b/pc-bios/s390-ccw/secure-ipl.h index 87aa6e1465..d7786158c4 100644 --- a/pc-bios/s390-ccw/secure-ipl.h +++ b/pc-bios/s390-ccw/secure-ipl.h 
@@ -58,6 +58,9 @@ static inline void zipl_secure_handle(const char *message) case ZIPL_BOOT_MODE_SECURE_AUDIT: IPL_check(false, message); break; + case ZIPL_BOOT_MODE_SECURE: + IPL_assert(false, message); + break; default: break; } --=20 2.50.1 From nobody Sat Nov 15 00:41:28 2025 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass(p=reject dis=none) header.from=linux.ibm.com ARC-Seal: i=1; a=rsa-sha256; t=1758151415; cv=none; d=zohomail.com; s=zohoarc; b=GnaEpU9SrByBCAk70FGeni2mZOG1gim6JNu+fDU5kltbS1nlSr0TYQFNSiptfo/S/68V38hxdJ7wxoCaiV4U0+fguLjCl1DyLkuHXsmnJ7z50kNo0czFN3iX+mhH6FB5/MFqAnokt0aO7Wt9ZpRwiYjva7KhUBFRpWrxIASHOKE= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1758151415; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=4x+WT6lb7CEAsIr3qiRPURO1S0J07qNcICn0EVTg6Kk=; b=fib66SHLn4T8PTxHT11+7ZGfQjcgS1Ia5DsUpi1tWHmDxoU6lYup82a2U4tmLINm4GLkKzhS58TR4eLSkirAZEA5LGlnkQucOul0+blOLaEMxwm429+Z1vrRwhbQ3Nu1VWfM9amv0FmzK0Ty4d01JdEU2+zWnR7OIojQ3zZD5h0= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass header.from= (p=reject dis=none) Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1758151415764392.60050365586665; Wed, 17 Sep 2025 16:23:35 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1uz1Tl-0005nD-Ow; Wed, 17 Sep 2025 19:22:25 -0400 Received: 
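Review bot: In zipl_mode() (bootmap.c, @@ -1118 hunk) the case where SIPL is set but IPLIR is clear still falls through to `return ZIPL_BOOT_MODE_NORMAL;`, so an inconsistent flag pair that asks for secure IPL ends in an unverified boot. The comment added to hw/s390x/ipl.c earlier in this series says "If SIPL is on, IPLIR must also be on", so treat this combination as invalid and return ZIPL_BOOT_MODE_INVALID instead of downgrading. The panic text in ipl_boot_device(), "Need at least one certificate for secure boot!", would then need a second wording for the bad-flags case.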
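Review bot: The new "Secure Mode" section in docs/system/s390x/secure-ipl.rst leaves out the failure cases this patch enforces. With secure-boot on and no certificate the BIOS panics with "Need at least one certificate for secure boot!", and ISO, virtio-net, ECKD and passthrough (vfio) boot devices panic in secure mode as well; both belong in the section. The sentence "it is understood that secure boot should be performed with errors reported and boot will abort" would read better as a plain statement that any verification error terminates the boot.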
From: Zhuoying Cai
To: thuth@redhat.com, berrange@redhat.com, richard.henderson@linaro.org, david@redhat.com, jrossi@linux.ibm.com, qemu-s390x@nongnu.org, qemu-devel@nongnu.org
Cc: walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com
Subject: [PATCH v6 25/28] pc-bios/s390-ccw: Handle secure boot with multiple boot devices
Date: Wed, 17 Sep 2025 19:21:27 -0400
Message-ID: <20250917232131.495848-26-zycai@linux.ibm.com>
In-Reply-To: <20250917232131.495848-1-zycai@linux.ibm.com>
References: <20250917232131.495848-1-zycai@linux.ibm.com>
Content-Transfer-Encoding: quoted-printable

The current approach to enable secure boot relies on providing secure-boot and boot-certs parameters of s390-ccw-virtio machine type option, which apply to all boot devices.

With the possibility of multiple boot devices, secure boot expects all provided devices to be supported and eligible (e.g., virtio-blk/virtio-scsi using the SCSI scheme).

If multiple boot devices are provided and include an unsupported (e.g., ECKD, VFIO) or a non-eligible (e.g., Net) device, the boot process will terminate with an error logged to the console.

Signed-off-by: Zhuoying Cai --- pc-bios/s390-ccw/bootmap.c | 31 ++++++++------- pc-bios/s390-ccw/main.c | 75 ++++++++++++++++++++++++++++++++++--- pc-bios/s390-ccw/s390-ccw.h | 1 + 3 files changed, 88 insertions(+), 19 deletions(-) diff --git a/pc-bios/s390-ccw/bootmap.c b/pc-bios/s390-ccw/bootmap.c index 3ab89b91fb..8297f22c3c 100644 --- a/pc-bios/s390-ccw/bootmap.c +++ b/pc-bios/s390-ccw/bootmap.c @@ -1136,25 +1136,35 @@ ZiplBootMode zipl_mode(uint8_t hdr_flags) return ZIPL_BOOT_MODE_NORMAL; } =20 +int zipl_check_scsi_mbr_magic(void) +{ + ScsiMbr *mbr =3D (void *)sec; + + /* Grab the MBR */ + memset(sec, FREE_SPACE_FILLER, sizeof(sec)); + if (virtio_read(0, mbr)) { + puts("Cannot read block 0"); + return -EIO; + } + + if (!magic_match(mbr->magic, ZIPL_MAGIC)) { + return -1; + } + + return 0; +} + void zipl_load(void) { VDev *vdev =3D virtio_get_device(); =20 if (vdev->is_cdrom) { - if (boot_mode =3D=3D ZIPL_BOOT_MODE_SECURE_AUDIT || - boot_mode =3D=3D ZIPL_BOOT_MODE_SECURE) { - panic("Secure boot from ISO image is not supported!"); - } ipl_iso_el_torito(); puts("Failed to IPL this ISO image!"); return; } =20 if (virtio_get_device_type() =3D=3D VIRTIO_ID_NET) { - if (boot_mode =3D=3D ZIPL_BOOT_MODE_SECURE_AUDIT || - boot_mode =3D=3D ZIPL_BOOT_MODE_SECURE) { - panic("Virtio net boot device does not support secure boot!"); - } netmain(); puts("Failed to IPL from this network!"); return; @@ -1165,11 +1175,6 @@ void zipl_load(void) return; } =20 - if (boot_mode =3D=3D ZIPL_BOOT_MODE_SECURE_AUDIT || - boot_mode =3D=3D ZIPL_BOOT_MODE_SECURE) { - panic("ECKD boot device does not support secure boot!"); - } - switch (virtio_get_device_type()) { case VIRTIO_ID_BLOCK: zipl_load_vblk(); diff --git a/pc-bios/s390-ccw/main.c b/pc-bios/s390-ccw/main.c index c5b425209a..228b52a37e 100644 --- a/pc-bios/s390-ccw/main.c +++ b/pc-bios/s390-ccw/main.c 
@@ -271,8 +271,43 @@ static int virtio_setup(void) return ret; } =20 -static void ipl_boot_device(void) +static void validate_secure_boot_device(void) +{ + switch (cutype) { + case CU_TYPE_DASD_3990: + case CU_TYPE_DASD_2107: + panic("Passthrough (vfio) device does not support secure boot!"); + break; + case CU_TYPE_VIRTIO: + if (virtio_setup() =3D=3D 0) { + VDev *vdev =3D virtio_get_device(); + + if (vdev->is_cdrom) { + panic("Secure boot from ISO image is not supported!"); + } + + if (virtio_get_device_type() =3D=3D VIRTIO_ID_NET) { + panic("Virtio net boot device does not support secure boot= !"); + } + + if (zipl_check_scsi_mbr_magic()) { + panic("ECKD boot device does not support secure boot!"); + } + } + break; + default: + panic("Secure boot from unexpected device type is not supported!"); + } + + printf("SCSI boot device supports secure boot.\n"); +} + +static void check_secure_boot_support(void) { + bool have_iplb_copy; + IplParameterBlock *iplb_copy; + QemuIplParameters *qipl_copy; + if (boot_mode =3D=3D ZIPL_BOOT_MODE_UNSPECIFIED) { boot_mode =3D zipl_mode(iplb->hdr_flags); } 
@@ -281,14 +316,40 @@ static void ipl_boot_device(void) panic("Need at least one certificate for secure boot!"); } =20 + if (boot_mode =3D=3D ZIPL_BOOT_MODE_NORMAL) { + return; + } + + /* + * Store copies of have_iplb, iplb and qipl. + * They will be updated in load_next_iplb(). + */ + have_iplb_copy =3D have_iplb; + iplb_copy =3D malloc(sizeof(IplParameterBlock)); + qipl_copy =3D malloc(sizeof(QemuIplParameters)); + + memcpy(qipl_copy, &qipl, sizeof(QemuIplParameters)); + memcpy(iplb_copy, iplb, sizeof(IplParameterBlock)); + + while (have_iplb_copy) { + if (have_iplb_copy && find_boot_device()) { + validate_secure_boot_device(); + } + have_iplb_copy =3D load_next_iplb(); + } + + memcpy(&qipl, qipl_copy, sizeof(QemuIplParameters)); + memcpy(iplb, iplb_copy, sizeof(IplParameterBlock)); + + free(qipl_copy); + free(iplb_copy); +} + +static void ipl_boot_device(void) +{ switch (cutype) { case CU_TYPE_DASD_3990: case CU_TYPE_DASD_2107: - if (boot_mode =3D=3D ZIPL_BOOT_MODE_SECURE_AUDIT || - boot_mode =3D=3D ZIPL_BOOT_MODE_SECURE) { - panic("Passthrough (vfio) device does not support secure boot!= "); - } - dasd_ipl(blk_schid, cutype); break; case CU_TYPE_VIRTIO: @@ -338,6 +399,8 @@ void main(void) probe_boot_device(); } =20 + check_secure_boot_support(); + while (have_iplb) { boot_setup(); if (have_iplb && find_boot_device()) { diff --git a/pc-bios/s390-ccw/s390-ccw.h b/pc-bios/s390-ccw/s390-ccw.h index 389cc8ea7c..3009104686 100644 --- a/pc-bios/s390-ccw/s390-ccw.h +++ b/pc-bios/s390-ccw/s390-ccw.h 
@@ -93,6 +93,7 @@ typedef enum ZiplBootMode { extern ZiplBootMode boot_mode; =20 ZiplBootMode zipl_mode(uint8_t hdr_flags); +int zipl_check_scsi_mbr_magic(void); =20 /* jump2ipl.c */ void write_reset_psw(uint64_t psw); --=20 2.50.1
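
Review bot: in zipl_check_scsi_mbr_magic() (pc-bios/s390-ccw/bootmap.c, first hunk) a failed virtio_read() returns -EIO and a magic mismatch returns -1, but the only caller in main.c tests `if (zipl_check_scsi_mbr_magic())` and panics with "ECKD boot device does not support secure boot!" for both. A block 0 read error, or a virtio block device whose MBR simply lacks ZIPL_MAGIC, is then reported as an ECKD device. Have the caller distinguish the two return values and report the I/O error separately, or reword the panic to say that no zIPL SCSI MBR was found. The helper also overwrites the sec buffer declared outside the function as a side effect, which deserves a line in its comment.
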
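
Review bot: validate_secure_boot_device() (pc-bios/s390-ccw/main.c, hunk at -271) fails open when virtio_setup() returns non-zero: the `if (virtio_setup() == 0)` body is skipped, control reaches `break`, and the function prints "SCSI boot device supports secure boot." without having checked anything. For a check that gates secure boot, the error path should panic, or at least not print the success message, so that a device that could not be set up is never reported as eligible. The `break` after panic() in the DASD cases is dead code if panic() does not return.
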
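
Review bot: check_secure_boot_support() (pc-bios/s390-ccw/main.c, hunk at -281) passes the results of both malloc() calls straight to memcpy() with no NULL check; panic on allocation failure before copying. The comment says have_iplb, iplb and qipl are all updated in load_next_iplb(), yet only qipl and iplb are restored after the loop, so either restore have_iplb as well or correct the comment. Inside `while (have_iplb_copy)` the extra `have_iplb_copy &&` in the if condition is redundant.
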
From: Zhuoying Cai
To: thuth@redhat.com, berrange@redhat.com, richard.henderson@linaro.org, david@redhat.com, jrossi@linux.ibm.com, qemu-s390x@nongnu.org, qemu-devel@nongnu.org
Cc: walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com
Subject: [PATCH v6 26/28] hw/s390x/ipl: Handle secure boot without specifying a boot device
Date: Wed, 17 Sep 2025 19:21:28 -0400
Message-ID: <20250917232131.495848-27-zycai@linux.ibm.com>
In-Reply-To: <20250917232131.495848-1-zycai@linux.ibm.com>
References: <20250917232131.495848-1-zycai@linux.ibm.com>

If secure boot in audit mode or True Secure IPL mode is enabled without specifying a boot device, the boot process will terminate with an error.

Signed-off-by: Zhuoying Cai
--- hw/s390x/ipl.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/hw/s390x/ipl.c b/hw/s390x/ipl.c index 42b25513a2..5edbc2451b 100644 --- a/hw/s390x/ipl.c +++ b/hw/s390x/ipl.c
@@ -771,6 +771,16 @@ void s390_ipl_prepare_cpu(S390CPU *cpu) } if (!ipl->iplb_valid) { ipl->iplb_valid =3D s390_init_all_iplbs(ipl); + + /* + * Secure IPL without specifying a boot device. + * IPLB is not generated if no boot device is defined. + */ + if ((s390_has_certificate() || s390_secure_boot_enabled()) && + !ipl->iplb_valid) { + error_report("No boot device defined for Secure IPL"); + exit(1); + } } else { ipl->qipl.chain_len =3D 0; } --=20 2.50.1
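
Review bot: the new check in s390_ipl_prepare_cpu() (hw/s390x/ipl.c) ends QEMU with error_report() and exit(1) from inside the CPU preparation path. A missing boot device is a configuration error, so it is better detected where the machine options are validated and reported through an Error object, leaving this function without a process exit. The message "No boot device defined for Secure IPL" is also printed when only s390_has_certificate() is true, so it should name the option that triggered it or mention audit mode. Testing `!ipl->iplb_valid` first would make the condition read in the order the comment describes.
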
From: Zhuoying Cai
To: thuth@redhat.com, berrange@redhat.com, richard.henderson@linaro.org, david@redhat.com, jrossi@linux.ibm.com, qemu-s390x@nongnu.org, qemu-devel@nongnu.org
Cc: walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com
Subject: [PATCH v6 27/28] docs/specs: Add secure IPL documentation
Date: Wed, 17 Sep 2025 19:21:29 -0400
Message-ID: <20250917232131.495848-28-zycai@linux.ibm.com>
In-Reply-To: <20250917232131.495848-1-zycai@linux.ibm.com>
References: <20250917232131.495848-1-zycai@linux.ibm.com>

Add documentation for secure IPL

Signed-off-by: Collin Walling
--- docs/specs/s390x-secure-ipl.rst | 53 +++++++++++++++++++++++++++++++++ 1 file changed, 53 insertions(+) diff --git a/docs/specs/s390x-secure-ipl.rst b/docs/specs/s390x-secure-ipl.= rst index a19b976e25..8238fad30a 100644 --- a/docs/specs/s390x-secure-ipl.rst +++ b/docs/specs/s390x-secure-ipl.rst
@@ -1,5 +1,58 @@ .. SPDX-License-Identifier: GPL-2.0-or-later =20 +s390 Secure IPL +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D + +Secure IPL (a.k.a. secure boot) enables s390-ccw virtual machines to +leverage qcrypto libraries and z/Architecture emulations to verify the +integrity of signed kernels. The qcrypto libraries are used to perform +certificate validation and signature-verification, whereas the +z/Architecture emulations are used to ensure secure IPL data has not +been tampered with, convey data between QEMU and userspace, and set up +the relevant secure IPL data structures with verification results. + +To find out more about using this feature, see ``docs/system/s390x/secure-= ipl.rst``. + +Note that "userspace" will refer to the s390-ccw BIOS unless stated +otherwise. + +Both QEMU and userspace work in tandem to perform secure IPL. The Secure +Loading Attributes Facility (SCLAF) is used to check the Secure Code +Loading Attribute Block (SCLAB) and ensure that secure IPL data has not +been tampered with. DIAGNOSE 'X'320' is invoked by userspace to query +the certificate store info and retrieve specific certificates from QEMU. +DIAGNOSE 'X'508' is used by userspace to leverage qcrypto libraries to +perform signature-verification in QEMU. Lastly, userspace generates and +appends an IPL Information Report Block (IIRB) at the end of the IPL +Parameter Block, which is used by the kernel to store signed and +verified entries. + +The logical steps are as follows: + +- Userspace reads data payload from disk (e.g. 
stage3 boot loader, kernel) +- Userspace checks the validity of the SCLAB +- Userspace invokes DIAG 508 subcode 1 and provides it the payload +- QEMU handles DIAG 508 request by reading the payload and retrieving the + certificate store +- QEMU DIAG 508 utilizes qcrypto libraries to perform signature-verificati= on on + the payload, attempting with each cert in the store (until success or ex= hausted) +- QEMU DIAG 508 returns: + + - success: index of cert used to verify payload + - failure: error code + +- Userspace responds to this operation: + + - success: retrieves cert from store via DIAG 320 using returned index + - failure: reports with warning (audit mode), aborts with error (secure = mode) + +- Userspace appends IIRB at the end of the IPLB +- Userspace kicks off IPL + +More information regarding the respective DIAGNOSE commands and IPL data +structures are outlined within this document. + + s390 Certificate Store and Functions =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D =20 --=20 2.50.1
From: Zhuoying Cai
To: thuth@redhat.com, berrange@redhat.com, richard.henderson@linaro.org, david@redhat.com, jrossi@linux.ibm.com, qemu-s390x@nongnu.org, qemu-devel@nongnu.org
Cc: walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com
Subject: [PATCH v6 28/28] docs/system/s390x: Add secure IPL documentation
Date: Wed, 17 Sep 2025 19:21:30 -0400
Message-ID: <20250917232131.495848-29-zycai@linux.ibm.com>
In-Reply-To: <20250917232131.495848-1-zycai@linux.ibm.com>
References: <20250917232131.495848-1-zycai@linux.ibm.com>

Add documentation for secure IPL

Signed-off-by: Collin Walling
Signed-off-by: Zhuoying Cai
--- docs/system/s390x/secure-ipl.rst | 96 ++++++++++++++++++++++++++++++++ 1 file changed, 96 insertions(+) diff --git a/docs/system/s390x/secure-ipl.rst b/docs/system/s390x/secure-ip= l.rst index 579b7b4993..110dea9fdd 100644 --- a/docs/system/s390x/secure-ipl.rst +++ b/docs/system/s390x/secure-ipl.rst
@@ -1,5 +1,21 @@ .. SPDX-License-Identifier: GPL-2.0-or-later =20 +s390 Secure IPL +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D + +Secure IPL, also known as secure boot, enables s390-ccw virtual machines to +verify the integrity of guest kernels. + +For technical details of this feature, see ``docs/specs/s390x-secure-ipl.r= st``. + +This document explains how to use secure IPL with s390x in QEMU. It covers +new command line options for providing certificates and enabling secure IP= L, +the different IPL modes (Normal, Audit, and Secure), and system requiremen= ts. + +A quickstart guide is provided to demonstrate how to generate certificates, +sign images, and start a guest in Secure Mode. + + Secure IPL Command Line Options =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D =20 
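
Review bot: the introduction added to docs/system/s390x/secure-ipl.rst promises coverage of "system requirements", but the section the same patch adds for them is titled "Constraints"; use one term in both places so readers can find it. The pointer to docs/specs/s390x-secure-ipl.rst is an inline literal path, so it will not render as a link; a Sphinx cross-reference to the spec document would.
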
@@ -83,3 +99,83 @@ Configuration: secure-boot=3Don, \ boot-certs.0.path=3D/.../qemu/certs, \ boot-certs.1.path=3D/another/path/cert.pem = ... + + +Constraints +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D + +The following constraints apply when attempting to secure IPL an s390 gues= t: + +- z16 CPU model +- certificates must be in X.509 PEM format +- only support for SCSI scheme of virtio-blk/virtio-scsi devices +- a boot device must be specified +- any unsupported devices (e.g., ECKD and VFIO) or non-eligible devices (e= .g., + Net) will cause the entire boot process terminating early with an error + logged to the console. + + +Secure IPL Quickstart +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D + +Build QEMU with gnutls enabled +------------------------------- + +.. code-block:: shell + + ./configure =E2=80=A6 --enable-gnutls + +Generate certificate (e.g. via certtool) +---------------------------------------- + +A private key is required before generating a certificate. This key must b= e kept secure +and confidential. + +Use an RSA private key for signing. + +.. code-block:: shell + + certtool --generate-privkey > key.pem + +A self-signed certificate requires the organization name. Use the ``cert.i= nfo`` template +to pre-fill values and avoid interactive prompts from certtool. + +.. code-block:: shell + + cat > cert.info <