1. Patchew
  2. QEMU
  3. [PATCH v7 00/29] Secure IPL Support for SCSI Scheme of virtio-blk/virtio-scsi Devices
  4. View patch

[PATCH v7 26/29] hw/s390x/ipl: Handle secure boot without specifying a boot device

Zhuoying Cai posted 29 patches 2 months ago
Maintainers: "Daniel P. Berrangé" <berrange@redhat.com>, Thomas Huth <thuth@redhat.com>, Halil Pasic <pasic@linux.ibm.com>, Christian Borntraeger <borntraeger@linux.ibm.com>, Eric Farman <farman@linux.ibm.com>, Matthew Rosato <mjrosato@linux.ibm.com>, Richard Henderson <richard.henderson@linaro.org>, Ilya Leoshkevich <iii@linux.ibm.com>, David Hildenbrand <david@kernel.org>, Jared Rossi <jrossi@linux.ibm.com>, Zhuoying Cai <zycai@linux.ibm.com>, Jason Herne <jjherne@linux.ibm.com>, Eric Blake <eblake@redhat.com>, Markus Armbruster <armbru@redhat.com>, Hendrik Brueckner <brueckner@linux.ibm.com>
[PATCH v7 26/29] hw/s390x/ipl: Handle secure boot without specifying a boot device
Posted by Zhuoying Cai 2 months ago 
If secure boot in audit mode or True Secure IPL mode is enabled without
specifying a boot device, the boot process will terminate with an error.

Signed-off-by: Zhuoying Cai <zycai@linux.ibm.com>
---
 hw/s390x/ipl.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/hw/s390x/ipl.c b/hw/s390x/ipl.c
index bfac156afe..2809fb718d 100644
--- a/hw/s390x/ipl.c
+++ b/hw/s390x/ipl.c
@@ -771,6 +771,16 @@ void s390_ipl_prepare_cpu(S390CPU *cpu)
         }
         if (!ipl->iplb_valid) {
             ipl->iplb_valid = s390_init_all_iplbs(ipl);
+
+            /*
+             * Secure IPL without specifying a boot device.
+             * IPLB is not generated if no boot device is defined.
+             */
+            if ((s390_has_certificate() || s390_secure_boot_enabled()) &&
+                !ipl->iplb_valid) {
+                error_report("No boot device defined for Secure IPL");
+                exit(1);
+            }
         } else {
             ipl->qipl.chain_len = 0;
         }
-- 
2.51.1
Re: [PATCH v7 26/29] hw/s390x/ipl: Handle secure boot without specifying a boot device
Posted by Thomas Huth 3 weeks, 6 days ago 
On 08/12/2025 22.32, Zhuoying Cai wrote:
> If secure boot in audit mode or True Secure IPL mode is enabled without
> specifying a boot device, the boot process will terminate with an error.
> 
> Signed-off-by: Zhuoying Cai <zycai@linux.ibm.com>
> ---
>   hw/s390x/ipl.c | 10 ++++++++++
>   1 file changed, 10 insertions(+)
> 
> diff --git a/hw/s390x/ipl.c b/hw/s390x/ipl.c
> index bfac156afe..2809fb718d 100644
> --- a/hw/s390x/ipl.c
> +++ b/hw/s390x/ipl.c
> @@ -771,6 +771,16 @@ void s390_ipl_prepare_cpu(S390CPU *cpu)
>           }
>           if (!ipl->iplb_valid) {
>               ipl->iplb_valid = s390_init_all_iplbs(ipl);
> +
> +            /*
> +             * Secure IPL without specifying a boot device.
> +             * IPLB is not generated if no boot device is defined.
> +             */
> +            if ((s390_has_certificate() || s390_secure_boot_enabled()) &&
> +                !ipl->iplb_valid) {
> +                error_report("No boot device defined for Secure IPL");
> +                exit(1);
> +            }
>           } else {
>               ipl->qipl.chain_len = 0;
>           }

Reviewed-by: Thomas Huth <thuth@redhat.com>

Patchew 2.1-devel-b67e4c2

© 2016 - 2026 Red Hat, Inc.