From: Zhuoying Cai
To: thuth@redhat.com, berrange@redhat.com, richard.henderson@linaro.org, david@redhat.com, jrossi@linux.ibm.com, qemu-s390x@nongnu.org, qemu-devel@nongnu.org, brueckner@linux.ibm.com
Cc: walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com
Subject: [PATCH v7 01/29] Add boot-certs to s390-ccw-virtio machine type option
Date: Mon, 8 Dec 2025 16:32:18 -0500
Message-ID: <20251208213247.702569-2-zycai@linux.ibm.com>
In-Reply-To: <20251208213247.702569-1-zycai@linux.ibm.com>

Introduce a new `boot-certs` machine type option for the s390-ccw-virtio
machine. This allows users to specify one or more certificate file paths
or directories to be used during secure boot.

Each entry is specified using the syntax:

    boot-certs..path=/path/to/cert.pem

Multiple paths can be specified using array properties:

    boot-certs.0.path=/path/to/cert.pem,
    boot-certs.1.path=/path/to/cert-dir,
    boot-certs.2.path=/path/to/another-dir...

Signed-off-by: Zhuoying Cai Acked-by: Markus Armbruster --- docs/system/s390x/secure-ipl.rst | 20 ++++++++++++++++++++ hw/s390x/s390-virtio-ccw.c | 30 ++++++++++++++++++++++++++++++ include/hw/s390x/s390-virtio-ccw.h | 2 ++ qapi/machine-s390x.json | 23 +++++++++++++++++++++++ qapi/pragma.json | 1 + qemu-options.hx | 6 +++++- 6 files changed, 81 insertions(+), 1 deletion(-) create mode 100644 docs/system/s390x/secure-ipl.rst diff --git a/docs/system/s390x/secure-ipl.rst b/docs/system/s390x/secure-ip= l.rst new file mode 100644 index 0000000000..0a02f171b4 --- /dev/null +++ b/docs/system/s390x/secure-ipl.rst @@ -0,0 +1,20 @@ +.. SPDX-License-Identifier: GPL-2.0-or-later + +Secure IPL Command Line Options +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D + +The s390-ccw-virtio machine type supports secure IPL. These parameters all= ow +users to provide certificates and enable secure IPL directly via the comma= nd +line. + +Providing Certificates +---------------------- + +The certificate store can be populated by supplying a list of X.509 certif= icate +file paths or directories containing certificate files on the command-line: + +Note: certificate files must have a .pem extension. + +.. code-block:: shell + + qemu-system-s390x -machine s390-ccw-virtio,boot-certs.0.path=3D/.../qe= mu/certs,boot-certs.1.path=3D/another/path/cert.pem ... diff --git a/hw/s390x/s390-virtio-ccw.c b/hw/s390x/s390-virtio-ccw.c index c1a3f415e2..d880613fe7 100644 --- a/hw/s390x/s390-virtio-ccw.c +++ b/hw/s390x/s390-virtio-ccw.c @@ -45,6 +45,7 @@ #include "target/s390x/kvm/pv.h" #include "migration/blocker.h" #include "qapi/visitor.h" +#include "qapi/qapi-visit-machine-s390x.h" #include "hw/s390x/cpu-topology.h" #include "kvm/kvm_s390x.h" #include "hw/virtio/virtio-md-pci.h" 
@@ -778,6 +779,30 @@ static void machine_set_loadparm(Object *obj, Visitor = *v, g_free(val); } =20 +static void machine_get_boot_certs(Object *obj, Visitor *v, + const char *name, void *opaque, + Error **errp) +{ + S390CcwMachineState *ms =3D S390_CCW_MACHINE(obj); + BootCertificatesList **certs =3D &ms->boot_certs; + + visit_type_BootCertificatesList(v, name, certs, errp); +} + +static void machine_set_boot_certs(Object *obj, Visitor *v, const char *na= me, + void *opaque, Error **errp) +{ + S390CcwMachineState *ms =3D S390_CCW_MACHINE(obj); + BootCertificatesList *cert_list =3D NULL; + + visit_type_BootCertificatesList(v, name, &cert_list, errp); + if (!cert_list) { + return; + } + + ms->boot_certs =3D cert_list; +} + static void ccw_machine_class_init(ObjectClass *oc, const void *data) { MachineClass *mc =3D MACHINE_CLASS(oc); @@ -831,6 +856,11 @@ static void ccw_machine_class_init(ObjectClass *oc, co= nst void *data) "Up to 8 chars in set of [A-Za-z0-9. ] (lower case chars conve= rted" " to upper case) to pass to machine loader, boot manager," " and guest kernel"); + + object_class_property_add(oc, "boot-certs", "BootCertificatesList", + machine_get_boot_certs, machine_set_boot_cer= ts, NULL, NULL); + object_class_property_set_description(oc, "boot-certs", + "provide paths to a directory and/or a certificate file for se= cure boot"); } =20 static inline void s390_machine_initfn(Object *obj) diff --git a/include/hw/s390x/s390-virtio-ccw.h b/include/hw/s390x/s390-vir= tio-ccw.h index 526078a4e2..7c30ba22cb 100644 --- a/include/hw/s390x/s390-virtio-ccw.h +++ b/include/hw/s390x/s390-virtio-ccw.h @@ -14,6 +14,7 @@ #include "hw/boards.h" #include "qom/object.h" #include "hw/s390x/sclp.h" +#include "qapi/qapi-types-machine-s390x.h" =20 #define TYPE_S390_CCW_MACHINE "s390-ccw-machine" =20 @@ -31,6 +32,7 @@ struct S390CcwMachineState { uint8_t loadparm[8]; uint64_t memory_limit; uint64_t max_pagesize; + BootCertificatesList *boot_certs; =20 SCLPDevice *sclp; }; 
diff --git a/qapi/machine-s390x.json b/qapi/machine-s390x.json index ea430e1b88..0103fc91cd 100644 --- a/qapi/machine-s390x.json +++ b/qapi/machine-s390x.json @@ -140,3 +140,26 @@ { 'event': 'SCLP_CPI_INFO_AVAILABLE', 'features': [ 'unstable' ] } + +## +# @BootCertificates: +# +# Boot certificate for secure IPL. +# +# @path: path to an X.509 certificate file or a directory containing +# certificate files. +# +# Since: 10.2 +## +{ 'struct': 'BootCertificates', + 'data': {'path': 'str'} } + +## +# @DummyBootCertificates: +# +# Not used by QMP; hack to let us use BootCertificatesList internally. +# +# Since: 10.2 +## +{ 'struct': 'DummyBootCertificates', + 'data': {'unused-boot-certs': ['BootCertificates'] } } diff --git a/qapi/pragma.json b/qapi/pragma.json index 023a2ef7bc..66401837ad 100644 --- a/qapi/pragma.json +++ b/qapi/pragma.json @@ -49,6 +49,7 @@ 'DisplayProtocol', 'DriveBackupWrapper', 'DummyBlockCoreForceArrays', + 'DummyBootCertificates', 'DummyForceArrays', 'DummyVirtioForceArrays', 'HotKeyMod', diff --git a/qemu-options.hx b/qemu-options.hx index fca2b7bc74..06ce35e58b 100644 --- a/qemu-options.hx +++ b/qemu-options.hx @@ -44,7 +44,8 @@ DEF("machine", HAS_ARG, QEMU_OPTION_machine, \ #endif " memory-backend=3D'backend-id' specifies explicitly pr= ovided backend for main RAM (default=3Dnone)\n" " cxl-fmw.0.targets.0=3Dfirsttarget,cxl-fmw.0.targets.1= =3Dsecondtarget,cxl-fmw.0.size=3Dsize[,cxl-fmw.0.interleave-granularity=3Dg= ranularity]\n" - " smp-cache.0.cache=3Dcachename,smp-cache.0.topology=3D= topologylevel\n", + " smp-cache.0.cache=3Dcachename,smp-cache.0.topology=3D= topologylevel\n" + " boot-certs.0.path=3D/path/directory,boot-certs.1.path= =3D/path/file provides paths to a directory and/or a certificate file\n", QEMU_ARCH_ALL) SRST ``-machine [type=3D]name[,prop=3Dvalue[,...]]`` 
@@ -205,6 +206,9 @@ SRST :: =20 -machine smp-cache.0.cache=3Dl1d,smp-cache.0.topology=3Dcore,s= mp-cache.1.cache=3Dl1i,smp-cache.1.topology=3Dcore + + ``boot-certs.0.path=3D/path/directory,boot-certs.1.path=3D/path/file`` + Provide paths to a directory and/or a certificate file on the host= [s390x only]. ERST =20 DEF("M", HAS_ARG, QEMU_OPTION_M, --=20 2.51.1
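Review bot: in the docs/system/s390x/secure-ipl.rst hunk, the sentence ending "on the command-line:" is followed by the .pem note instead of the code block it introduces, and the note does not say what happens to files in a listed directory that lack the .pem extension (skipped, or an error). Suggest moving the note below the code block and stating the behaviour, since these certificates are what secure boot uses.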
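Review bot: in machine_set_boot_certs() (hw/s390x/s390-virtio-ccw.c, hunk at -778,6), the return value of visit_type_BootCertificatesList() is ignored and the new list is assigned over ms->boot_certs without freeing the old one, so setting the property a second time leaks the previous list. Suggest returning early when the visit fails, `if (!visit_type_BootCertificatesList(v, name, &cert_list, errp)) { return; }`, and calling `qapi_free_BootCertificatesList(ms->boot_certs);` before the assignment. The `if (!cert_list)` early return also means an empty list cannot clear a value set earlier; say in a comment whether that is intended.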
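Review bot: in the ccw_machine_class_init() hunk (-831,6), object_class_property_add() is given NULL for the release callback, so nothing frees the BootCertificatesList held in ms->boot_certs when the machine object goes away. Suggest either a release callback that calls qapi_free_BootCertificatesList(), or a short comment that the list is meant to live for the lifetime of the process. The description string could also mention the .pem requirement that secure-ipl.rst states.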
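Review bot: in the qemu-options.hx hunk for DEF("machine", ...), the new help line is added under QEMU_ARCH_ALL without the "[s390x only]" qualifier that the SRST text in the following hunk carries, although the property is registered only in ccw_machine_class_init(). Suggest adding the qualifier to the help string as well, so the two descriptions of boot-certs agree.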
From: Zhuoying Cai
Subject: [PATCH v7 02/29] crypto/x509-utils: Refactor with GNUTLS fallback
Date: Mon, 8 Dec 2025 16:32:19 -0500
Message-ID: <20251208213247.702569-3-zycai@linux.ibm.com>
In-Reply-To: <20251208213247.702569-1-zycai@linux.ibm.com>

Always compile x509-utils.c and add a fallback when GNUTLS is unavailable.
These functions will be needed in the s390x code regardless of whether
GNUTLS is available.

Signed-off-by: Zhuoying Cai
Acked-by: Daniel P. Berrangé
Reviewed-by: Daniel P. Berrangé
Reviewed-by: Farhan Ali
--- crypto/meson.build | 2 +- crypto/x509-utils.c | 16 ++++++++++++++++ 2 files changed, 17 insertions(+), 1 deletion(-) diff --git a/crypto/meson.build b/crypto/meson.build index b51597a879..fda85543de 100644 --- a/crypto/meson.build +++ b/crypto/meson.build
@@ -22,12 +22,12 @@ crypto_ss.add(files( 'tlscredsx509.c', 'tlssession.c', 'rsakey.c', + 'x509-utils.c', )) =20 if gnutls.found() crypto_ss.add(files( 'tlscredsbox.c', - 'x509-utils.c', )) endif =20 diff --git a/crypto/x509-utils.c b/crypto/x509-utils.c index 39bb6d4d8c..6176a88653 100644 --- a/crypto/x509-utils.c +++ b/crypto/x509-utils.c @@ -11,6 +11,8 @@ #include "qemu/osdep.h" #include "qapi/error.h" #include "crypto/x509-utils.h" + +#ifdef CONFIG_GNUTLS #include #include #include 
@@ -78,3 +80,17 @@ int qcrypto_get_x509_cert_fingerprint(uint8_t *cert, siz= e_t size, gnutls_x509_crt_deinit(crt); return ret; } + +#else /* ! CONFIG_GNUTLS */ + +int qcrypto_get_x509_cert_fingerprint(uint8_t *cert, size_t size, + QCryptoHashAlgo hash, + uint8_t *result, + size_t *resultlen, + Error **errp) +{ + error_setg(errp, "GNUTLS is required to get fingerprint"); + return -1; +} + +#endif /* ! CONFIG_GNUTLS */ --=20 2.51.1
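Review bot: the stub qcrypto_get_x509_cert_fingerprint() in the new #else branch of crypto/x509-utils.c (hunk at -78,3) has no matching documentation, so nothing tells callers that a build without GNUTLS always gets -1 from it. The commit message says the s390x code will call these functions whether or not GNUTLS is available, so suggest a line in crypto/x509-utils.h stating that the function returns -1 with errp set in that configuration and leaves result and resultlen untouched, so callers treat it as a hard failure. The error text could also name the cause as a build-time one, for example "QEMU was built without GNUTLS support".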
From: Zhuoying Cai
Subject: [PATCH v7 03/29] crypto/x509-utils: Add helper functions for certificate store
Date: Mon, 8 Dec 2025 16:32:20 -0500
Message-ID: <20251208213247.702569-4-zycai@linux.ibm.com>
In-Reply-To: <20251208213247.702569-1-zycai@linux.ibm.com>

Introduce new helper functions for x509 certificate, which will be used
by the certificate store:

qcrypto_x509_convert_cert_der() - converts a certificate from PEM to DER format

These functions provide support for certificate format conversion.

Signed-off-by: Zhuoying Cai
Acked-by: Daniel P. Berrangé
Reviewed-by: Daniel P. Berrangé
Reviewed-by: Farhan Ali
--- crypto/x509-utils.c | 49 +++++++++++++++++++++++++++++++++++++ include/crypto/x509-utils.h | 21 ++++++++++++++++ 2 files changed, 70 insertions(+)
diff --git a/crypto/x509-utils.c b/crypto/x509-utils.c index 6176a88653..2696d48155 100644 --- a/crypto/x509-utils.c +++ b/crypto/x509-utils.c @@ -81,6 +81,46 @@ int qcrypto_get_x509_cert_fingerprint(uint8_t *cert, siz= e_t size, return ret; } =20 +int qcrypto_x509_convert_cert_der(uint8_t *cert, size_t size, + uint8_t **result, size_t *resultlen, + Error **errp) +{ + int ret =3D -1; + int rc; + gnutls_x509_crt_t crt; + gnutls_datum_t datum =3D {.data =3D cert, .size =3D size}; + gnutls_datum_t datum_der =3D {.data =3D NULL, .size =3D 0}; + + rc =3D gnutls_x509_crt_init(&crt); + if (rc < 0) { + error_setg(errp, "Failed to initialize certificate: %s", gnutls_st= rerror(rc)); + return ret; + } + + rc =3D gnutls_x509_crt_import(crt, &datum, GNUTLS_X509_FMT_PEM); + if (rc !=3D 0) { + error_setg(errp, "Failed to import certificate: %s", gnutls_strerr= or(rc)); + goto cleanup; + } + + rc =3D gnutls_x509_crt_export2(crt, GNUTLS_X509_FMT_DER, &datum_der); + if (rc !=3D 0) { + error_setg(errp, "Failed to convert certificate to DER format: %s", + gnutls_strerror(rc)); + goto cleanup; + } + + *resultlen =3D datum_der.size; + *result =3D g_memdup2(datum_der.data, datum_der.size); + + ret =3D 0; + +cleanup: + gnutls_x509_crt_deinit(crt); + gnutls_free(datum_der.data); + return ret; +} + #else /* ! CONFIG_GNUTLS */ =20 int qcrypto_get_x509_cert_fingerprint(uint8_t *cert, size_t size, @@ -93,4 +133,13 @@ int qcrypto_get_x509_cert_fingerprint(uint8_t *cert, si= ze_t size, return -1; } =20 +int qcrypto_x509_convert_cert_der(uint8_t *cert, size_t size, + uint8_t **result, + size_t *resultlen, + Error **errp) +{ + error_setg(errp, "GNUTLS is required to export X.509 certificate"); + return -1; +} + #endif /* ! CONFIG_GNUTLS */ diff --git a/include/crypto/x509-utils.h b/include/crypto/x509-utils.h index 1e99661a71..91ae79fb03 100644 --- a/include/crypto/x509-utils.h +++ b/include/crypto/x509-utils.h 
@@ -19,4 +19,25 @@ int qcrypto_get_x509_cert_fingerprint(uint8_t *cert, siz= e_t size, size_t *resultlen, Error **errp); =20 +/** + * qcrypto_x509_convert_cert_der + * @cert: pointer to the raw certificate data in PEM format + * @size: size of the certificate + * @result: output location for the allocated buffer for the certificate + * in DER format + * (the function allocates memory which must be freed by the call= er) + * @resultlen: pointer to the size of the buffer (will be updated with the + * actual size of the DER-encoded certificate) + * @errp: error pointer + * + * Convert the given @cert from PEM to DER format. + * + * Returns: 0 on success, + * -1 on error. + */ +int qcrypto_x509_convert_cert_der(uint8_t *cert, size_t size, + uint8_t **result, + size_t *resultlen, + Error **errp); + #endif --=20 2.51.1
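Review bot: in qcrypto_x509_convert_cert_der() (crypto/x509-utils.c), `gnutls_datum_t datum = {.data = cert, .size = size}` narrows the `size_t size` argument into the `unsigned int` size field of gnutls_datum_t without a range check, so an input larger than UINT_MAX would be imported truncated instead of being rejected. Suggest failing early with error_setg() when `size > UINT_MAX`, before gnutls_x509_crt_import() is called.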
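Review bot: the @resultlen description in include/crypto/x509-utils.h ("pointer to the size of the buffer (will be updated with the actual size ...)") reads as an in/out parameter, but the implementation never reads *resultlen and always allocates *result itself. Suggest documenting @resultlen as output-only, naming g_free() as the release function for *result since it comes from g_memdup2(), and stating that neither output is written when the function returns -1.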
From: Zhuoying Cai
To: thuth@redhat.com, berrange@redhat.com, richard.henderson@linaro.org, david@redhat.com, jrossi@linux.ibm.com, qemu-s390x@nongnu.org, qemu-devel@nongnu.org, brueckner@linux.ibm.com
Cc: walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com
Subject: [PATCH v7 04/29] hw/s390x/ipl: Create certificate store
Date: Mon, 8 Dec 2025 16:32:21 -0500
Message-ID: <20251208213247.702569-5-zycai@linux.ibm.com>

Create a certificate store for boot certificates used for secure IPL.

Load certificates from the `boot-certs` parameter of s390-ccw-virtio
machine type option into the cert store.

Currently, only X.509 certificates in PEM format are supported, as the
QEMU command line accepts certificates in PEM format only.

Signed-off-by: Zhuoying Cai --- docs/specs/s390x-secure-ipl.rst | 16 +++ hw/s390x/cert-store.c | 211 ++++++++++++++++++++++++++++++++ hw/s390x/cert-store.h | 41 +++++++ hw/s390x/ipl.c | 19 +++ hw/s390x/ipl.h | 3 + hw/s390x/meson.build | 1 + include/hw/s390x/ipl/qipl.h | 2 + 7 files changed, 293 insertions(+) create mode 100644 docs/specs/s390x-secure-ipl.rst create mode 100644 hw/s390x/cert-store.c create mode 100644 hw/s390x/cert-store.h diff --git a/docs/specs/s390x-secure-ipl.rst b/docs/specs/s390x-secure-ipl.= rst new file mode 100644 index 0000000000..7ddac98a37 --- /dev/null +++ b/docs/specs/s390x-secure-ipl.rst @@ -0,0 +1,16 @@ +.. SPDX-License-Identifier: GPL-2.0-or-later + +s390 Certificate Store and Functions +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D + +s390 Certificate Store +---------------------- + +A certificate store is implemented for s390-ccw guests to retain within +memory all certificates provided by the user via the command-line, which +are expected to be stored somewhere on the host's file system. The store +will keep track of the number of certificates, their respective size, +and a summation of the sizes. + +Note: A maximum of 64 certificates are allowed to be stored in the certifi= cate +store. diff --git a/hw/s390x/cert-store.c b/hw/s390x/cert-store.c new file mode 100644 index 0000000000..cf16911d09 --- /dev/null +++ b/hw/s390x/cert-store.c 
@@ -0,0 +1,211 @@ +/* + * S390 certificate store implementation + * + * Copyright 2025 IBM Corp. + * Author(s): Zhuoying Cai + * + * SPDX-License-Identifier: GPL-2.0-or-later + */ + +#include "qemu/osdep.h" +#include "cert-store.h" +#include "qapi/error.h" +#include "qemu/error-report.h" +#include "qemu/option.h" +#include "qemu/config-file.h" +#include "hw/s390x/ebcdic.h" +#include "hw/s390x/s390-virtio-ccw.h" +#include "qemu/cutils.h" +#include "crypto/x509-utils.h" +#include "qapi/qapi-types-machine-s390x.h" + +static BootCertificatesList *s390_get_boot_certs(void) +{ + return S390_CCW_MACHINE(qdev_get_machine())->boot_certs; +} + +static S390IPLCertificate *init_cert_x509(size_t size, uint8_t *raw, Error= **errp) +{ + S390IPLCertificate *cert =3D NULL; + g_autofree uint8_t *cert_der =3D NULL; + size_t der_len =3D size; + int rc; + + rc =3D qcrypto_x509_convert_cert_der(raw, size, &cert_der, &der_len, e= rrp); + if (rc !=3D 0) { + return NULL; + } + + cert =3D g_new0(S390IPLCertificate, 1); + cert->size =3D size; + cert->der_size =3D der_len; + /* store raw pointer - ownership transfers to cert */ + cert->raw =3D raw; + + return cert; +} + +static S390IPLCertificate *init_cert(char *path, Error **errp) +{ + char *buf; + size_t size; + char vc_name[VC_NAME_LEN_BYTES]; + g_autofree gchar *filename =3D NULL; + S390IPLCertificate *cert =3D NULL; + Error *local_err =3D NULL; + + filename =3D g_path_get_basename(path); + + if (!g_file_get_contents(path, &buf, &size, NULL)) { + error_setg(errp, "Failed to load certificate: %s", path); + return NULL; + } + + cert =3D init_cert_x509(size, (uint8_t *)buf, &local_err); + if (cert =3D=3D NULL) { + error_propagate_prepend(errp, local_err, + "Failed to initialize certificate: %s: ", = path); + g_free(buf); + return NULL; + } + + /* + * Left justified certificate name with padding on the right with blan= ks. + * Convert certificate name to EBCDIC. 
+ */ + strpadcpy(vc_name, VC_NAME_LEN_BYTES, filename, ' '); + ebcdic_put(cert->vc_name, vc_name, VC_NAME_LEN_BYTES); + + return cert; +} + +static void update_cert_store(S390IPLCertificateStore *cert_store, + S390IPLCertificate *cert) +{ + size_t data_buf_size; + size_t keyid_buf_size; + size_t hash_buf_size; + size_t cert_buf_size; + + /* length field is word aligned for later DIAG use */ + keyid_buf_size =3D ROUND_UP(CERT_KEY_ID_LEN, 4); + hash_buf_size =3D ROUND_UP(CERT_HASH_LEN, 4); + cert_buf_size =3D ROUND_UP(cert->der_size, 4); + data_buf_size =3D keyid_buf_size + hash_buf_size + cert_buf_size; + + if (cert_store->max_cert_size < data_buf_size) { + cert_store->max_cert_size =3D data_buf_size; + } + + cert_store->certs[cert_store->count] =3D *cert; + cert_store->total_bytes +=3D data_buf_size; + cert_store->count++; +} + +static GPtrArray *get_cert_paths(Error **errp) +{ + struct stat st; + BootCertificatesList *path_list =3D NULL; + BootCertificatesList *list =3D NULL; + gchar *cert_path; + GDir *dir =3D NULL; + const gchar *filename; + g_autoptr(GError) err =3D NULL; + g_autoptr(GPtrArray) cert_path_builder =3D g_ptr_array_new_full(0, g_f= ree); + + path_list =3D s390_get_boot_certs(); + if (path_list =3D=3D NULL) { + return g_steal_pointer(&cert_path_builder); + } + + for (list =3D path_list; list; list =3D list->next) { + cert_path =3D list->value->path; + + if (g_strcmp0(cert_path, "") =3D=3D 0) { + error_setg(errp, "Empty path in certificate path list is not a= llowed"); + goto fail; + } + + if (stat(cert_path, &st) !=3D 0) { + error_setg(errp, "Failed to stat path '%s': %s", + cert_path, g_strerror(errno)); + goto fail; + } + + if (S_ISREG(st.st_mode)) { + if (!g_str_has_suffix(cert_path, ".pem")) { + error_setg(errp, "Certificate file '%s' must have a .pem e= xtension", + cert_path); + goto fail; + } + + g_ptr_array_add(cert_path_builder, g_strdup(cert_path)); + } else if (S_ISDIR(st.st_mode)) { + dir =3D g_dir_open(cert_path, 0, &err); + if (dir 
=3D=3D NULL) { + error_setg(errp, "Failed to open directory '%s': %s", + cert_path, err->message); + + goto fail; + } + + while ((filename =3D g_dir_read_name(dir))) { + if (g_str_has_suffix(filename, ".pem")) { + g_ptr_array_add(cert_path_builder, + g_build_filename(cert_path, filename, = NULL)); + } + } + + g_dir_close(dir); + } else { + error_setg(errp, "Path '%s' is neither a file nor a directory"= , cert_path); + goto fail; + } + } + + qapi_free_BootCertificatesList(path_list); + return g_steal_pointer(&cert_path_builder); + +fail: + qapi_free_BootCertificatesList(path_list); + return NULL; +} + +void s390_ipl_create_cert_store(S390IPLCertificateStore *cert_store) +{ + GPtrArray *cert_path_builder; + Error *err =3D NULL; + + cert_path_builder =3D get_cert_paths(&err); + if (cert_path_builder =3D=3D NULL) { + error_report_err(err); + exit(1); + } + + if (cert_path_builder->len =3D=3D 0) { + g_ptr_array_free(cert_path_builder, TRUE); + return; + } + + if (cert_path_builder->len > MAX_CERTIFICATES - 1) { + error_report("Cert store exceeds maximum of %d certificates", MAX_= CERTIFICATES); + g_ptr_array_free(cert_path_builder, TRUE); + exit(1); + } + + cert_store->max_cert_size =3D 0; + cert_store->total_bytes =3D 0; + + for (int i =3D 0; i < cert_path_builder->len; i++) { + S390IPLCertificate *cert =3D init_cert((char *) cert_path_builder-= >pdata[i], &err); + if (!cert) { + error_report_err(err); + g_ptr_array_free(cert_path_builder, TRUE); + exit(1); + } + + update_cert_store(cert_store, cert); + } + + g_ptr_array_free(cert_path_builder, TRUE); +} diff --git a/hw/s390x/cert-store.h b/hw/s390x/cert-store.h new file mode 100644 index 0000000000..17a945a147 --- /dev/null +++ b/hw/s390x/cert-store.h 
@@ -0,0 +1,41 @@ +/* + * S390 certificate store + * + * Copyright 2025 IBM Corp. + * Author(s): Zhuoying Cai + * + * SPDX-License-Identifier: GPL-2.0-or-later + */ + +#ifndef HW_S390_CERT_STORE_H +#define HW_S390_CERT_STORE_H + +#include "hw/s390x/ipl/qipl.h" +#include "crypto/x509-utils.h" + +#define VC_NAME_LEN_BYTES 64 + +#define CERT_KEY_ID_LEN QCRYPTO_HASH_DIGEST_LEN_SHA256 +#define CERT_HASH_LEN QCRYPTO_HASH_DIGEST_LEN_SHA256 + +struct S390IPLCertificate { + uint8_t vc_name[VC_NAME_LEN_BYTES]; + size_t size; + size_t der_size; + uint8_t *raw; +}; +typedef struct S390IPLCertificate S390IPLCertificate; + +struct S390IPLCertificateStore { + uint16_t count; + size_t max_cert_size; + size_t total_bytes; + S390IPLCertificate certs[MAX_CERTIFICATES]; +}; +typedef struct S390IPLCertificateStore S390IPLCertificateStore; +QEMU_BUILD_BUG_MSG(sizeof(S390IPLCertificateStore) !=3D 5656, + "size of S390IPLCertificateStore is wrong"); + +void s390_ipl_create_cert_store(S390IPLCertificateStore *cert_store); + +#endif diff --git a/hw/s390x/ipl.c b/hw/s390x/ipl.c index 3843d2a850..38d5fff154 100644 --- a/hw/s390x/ipl.c +++ b/hw/s390x/ipl.c @@ -35,6 +35,7 @@ #include "qemu/option.h" #include "qemu/ctype.h" #include "standard-headers/linux/virtio_ids.h" +#include "cert-store.h" =20 #define KERN_IMAGE_START 0x010000UL #define LINUX_MAGIC_ADDR 0x010008UL @@ -424,6 +425,20 @@ void s390_ipl_convert_loadparm(char *ascii_lp, uint8_t= *ebcdic_lp) } } =20 +S390IPLCertificateStore *s390_ipl_get_certificate_store(void) +{ + S390IPLState *ipl =3D get_ipl_device(); + + return &ipl->cert_store; +} + +static bool s390_has_certificate(void) +{ + S390IPLState *ipl =3D get_ipl_device(); + + return ipl->cert_store.count > 0; +} + static bool s390_build_iplb(DeviceState *dev_st, IplParameterBlock *iplb) { CcwDevice *ccw_dev =3D NULL; 
@@ -719,6 +734,10 @@ void s390_ipl_prepare_cpu(S390CPU *cpu) =20 if (!ipl->kernel || ipl->iplb_valid) { cpu->env.psw.addr =3D ipl->bios_start_addr; + /* initialize cert store if it's empty */ + if (!s390_has_certificate()) { + s390_ipl_create_cert_store(&ipl->cert_store); + } if (!ipl->iplb_valid) { ipl->iplb_valid =3D s390_init_all_iplbs(ipl); } else { diff --git a/hw/s390x/ipl.h b/hw/s390x/ipl.h index 8f83c7da29..bee72dfbb3 100644 --- a/hw/s390x/ipl.h +++ b/hw/s390x/ipl.h @@ -13,6 +13,7 @@ #ifndef HW_S390_IPL_H #define HW_S390_IPL_H =20 +#include "cert-store.h" #include "cpu.h" #include "exec/target_page.h" #include "system/address-spaces.h" @@ -35,6 +36,7 @@ int s390_ipl_pv_unpack(struct S390PVResponse *pv_resp); void s390_ipl_prepare_cpu(S390CPU *cpu); IplParameterBlock *s390_ipl_get_iplb(void); IplParameterBlock *s390_ipl_get_iplb_pv(void); +S390IPLCertificateStore *s390_ipl_get_certificate_store(void); =20 enum s390_reset { /* default is a reset not triggered by a CPU e.g. issued by QMP */ @@ -64,6 +66,7 @@ struct S390IPLState { IplParameterBlock iplb; IplParameterBlock iplb_pv; QemuIplParameters qipl; + S390IPLCertificateStore cert_store; uint64_t start_addr; uint64_t compat_start_addr; uint64_t bios_start_addr; diff --git a/hw/s390x/meson.build b/hw/s390x/meson.build index 8866012ddc..80d3d4a74d 100644 --- a/hw/s390x/meson.build +++ b/hw/s390x/meson.build @@ -17,6 +17,7 @@ s390x_ss.add(files( 'sclpcpu.c', 'sclpquiesce.c', 'tod.c', + 'cert-store.c', )) s390x_ss.add(when: 'CONFIG_KVM', if_true: files( 'tod-kvm.c', diff --git a/include/hw/s390x/ipl/qipl.h b/include/hw/s390x/ipl/qipl.h index 6824391111..e505f44020 100644 --- a/include/hw/s390x/ipl/qipl.h +++ b/include/hw/s390x/ipl/qipl.h 
@@ -20,6 +20,8 @@ #define LOADPARM_LEN 8 #define NO_LOADPARM "\0\0\0\0\0\0\0\0" =20 +#define MAX_CERTIFICATES 64 + /* * The QEMU IPL Parameters will be stored at absolute address * 204 (0xcc) which means it is 32-bit word aligned but not --=20 2.51.1
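Review bot: the note added to docs/specs/s390x-secure-ipl.rst says a maximum of 64 certificates can be stored, but s390_ipl_create_cert_store() rejects the list when `cert_path_builder->len > MAX_CERTIFICATES - 1`, that is already at 64 entries, while its error text still reports a maximum of 64. Either relax the check to `> MAX_CERTIFICATES`, or document the effective limit of 63 and say why one slot is held back.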
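Review bot: get_cert_paths() in hw/s390x/cert-store.c calls qapi_free_BootCertificatesList(path_list) on both the success and the fail path, but path_list is the pointer that s390_get_boot_certs() returns straight from the machine object (`S390_CCW_MACHINE(qdev_get_machine())->boot_certs`), so the machine is left holding a freed list. Since s390_ipl_prepare_cpu() calls s390_ipl_create_cert_store() again whenever the store count is 0, a configured directory that contains no .pem files leads to a second walk over that freed list. Suggest treating the list as borrowed and not freeing it here, or clearing the machine field at the point ownership is taken. Separately, the S390IPLCertificate returned by init_cert() is copied by value in update_cert_store() and the g_new0() allocation is never freed.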
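Review bot: the QEMU_BUILD_BUG_MSG in hw/s390x/cert-store.h pins sizeof(S390IPLCertificateStore) to 5656, but the struct is built from `size_t` fields and a `uint8_t *raw` host pointer, so that value only holds on hosts where both are 8 bytes wide. If the layout is not guest-visible, drop the assertion; if it is, describe it with fixed-width types rather than size_t and a host pointer.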
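Review bot: in the s390_ipl_prepare_cpu() hunk of hw/s390x/ipl.c, `!s390_has_certificate()` uses `cert_store.count > 0` as the "already initialized" test, so a machine started without boot certificates re-runs s390_ipl_create_cert_store() on every pass through this branch, and any load failure surfaces as exit(1) from the CPU-preparation path rather than at machine setup. Suggest a dedicated initialized flag, or building the store once during machine initialization, so the certificate files are read and validated exactly once.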
From: Zhuoying Cai
To: thuth@redhat.com, berrange@redhat.com, richard.henderson@linaro.org, david@redhat.com, jrossi@linux.ibm.com, qemu-s390x@nongnu.org, qemu-devel@nongnu.org, brueckner@linux.ibm.com
Cc: walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com
Subject: [PATCH v7 05/29] s390x/diag: Introduce DIAG 320 for Certificate Store Facility
Date: Mon, 8 Dec 2025 16:32:22 -0500
Message-ID: <20251208213247.702569-6-zycai@linux.ibm.com>

DIAGNOSE 320 is introduced to support Certificate Store (CS) Facility,
which includes operations such as query certificate storage information
and provide certificates in the certificate store.

Currently, only subcode 0 is supported with this patch, which is used
to query the Installed Subcodes Mask (ISM).

This subcode is only supported when the CS facility is enabled.

Availability of CS facility is determined by byte 134 bit 5 of the
SCLP Read Info block. Byte 134's facilities cannot be represented
without the availability of the extended-length-SCCB, so add it as a
check for consistency.

Note: secure IPL is not available for Secure Execution (SE) guests, as their images are already integrity protected, and an additional protection of the kernel by secure IPL is not necessary. This feature is available starting with the gen16 CPU model. Signed-off-by: Zhuoying Cai Reviewed-by: Collin Walling Reviewed-by: Farhan Ali --- docs/specs/s390x-secure-ipl.rst | 12 ++++++++ include/hw/s390x/ipl/diag320.h | 20 +++++++++++++ target/s390x/cpu_features.c | 1 + target/s390x/cpu_features_def.h.inc | 1 + target/s390x/cpu_models.c | 2 ++ target/s390x/diag.c | 44 +++++++++++++++++++++++++++++ target/s390x/gen-features.c | 3 ++ target/s390x/kvm/kvm.c | 16 +++++++++++ target/s390x/s390x-internal.h | 2 ++ target/s390x/tcg/misc_helper.c | 7 +++++ 10 files changed, 108 insertions(+) create mode 100644 include/hw/s390x/ipl/diag320.h diff --git a/docs/specs/s390x-secure-ipl.rst b/docs/specs/s390x-secure-ipl.= rst index 7ddac98a37..c2e8f7aba5 100644 --- a/docs/specs/s390x-secure-ipl.rst +++ b/docs/specs/s390x-secure-ipl.rst @@ -14,3 +14,15 @@ and a summation of the sizes. =20 Note: A maximum of 64 certificates are allowed to be stored in the certifi= cate store. + +DIAGNOSE function code 'X'320' - Certificate Store Facility +----------------------------------------------------------- + +DIAGNOSE 'X'320' is used to provide support for userspace to directly +query the s390 certificate store. Userspace may be the s390-ccw BIOS or +the guest kernel. + +Subcode 0 - query installed subcodes + Returns a 256-bit installed subcodes mask (ISM) stored in the installed + subcodes block (ISB). This mask indicates which subcodes are currently + installed and available for use. diff --git a/include/hw/s390x/ipl/diag320.h b/include/hw/s390x/ipl/diag320.h new file mode 100644 index 0000000000..aa04b699c6 --- /dev/null +++ b/include/hw/s390x/ipl/diag320.h 
@@ -0,0 +1,20 @@ +/* + * S/390 DIAGNOSE 320 definitions and structures + * + * Copyright 2025 IBM Corp. + * Author(s): Zhuoying Cai + * + * SPDX-License-Identifier: GPL-2.0-or-later + */ + +#ifndef S390X_DIAG320_H +#define S390X_DIAG320_H + +#define DIAG_320_SUBC_QUERY_ISM 0 + +#define DIAG_320_RC_OK 0x0001 +#define DIAG_320_RC_NOT_SUPPORTED 0x0102 + +#define DIAG_320_ISM_QUERY_SUBCODES 0x80000000 + +#endif diff --git a/target/s390x/cpu_features.c b/target/s390x/cpu_features.c index 4b5be6798e..436471f4b4 100644 --- a/target/s390x/cpu_features.c +++ b/target/s390x/cpu_features.c @@ -147,6 +147,7 @@ void s390_fill_feat_block(const S390FeatBitmap features= , S390FeatType type, break; case S390_FEAT_TYPE_SCLP_FAC134: clear_be_bit(s390_feat_def(S390_FEAT_DIAG_318)->bit, data); + clear_be_bit(s390_feat_def(S390_FEAT_CERT_STORE)->bit, data); break; default: return; diff --git a/target/s390x/cpu_features_def.h.inc b/target/s390x/cpu_feature= s_def.h.inc index c017bffcdc..941a69e013 100644 --- a/target/s390x/cpu_features_def.h.inc +++ b/target/s390x/cpu_features_def.h.inc @@ -138,6 +138,7 @@ DEF_FEAT(SIE_IBS, "ibs", SCLP_CONF_CHAR_EXT, 10, "SIE: = Interlock-and-broadcast-s =20 /* Features exposed via SCLP SCCB Facilities byte 134 (bit numbers relativ= e to byte-134) */ DEF_FEAT(DIAG_318, "diag318", SCLP_FAC134, 0, "Control program name and ve= rsion codes") +DEF_FEAT(CERT_STORE, "cstore", SCLP_FAC134, 5, "Provide Certificate Store = functions") =20 /* Features exposed via SCLP CPU info. */ DEF_FEAT(SIE_F2, "sief2", SCLP_CPU, 4, "SIE: interception format 2 (Virtua= l SIE)") diff --git a/target/s390x/cpu_models.c b/target/s390x/cpu_models.c index 954a7a99a9..6b8471700e 100644 --- a/target/s390x/cpu_models.c +++ b/target/s390x/cpu_models.c @@ -248,6 +248,7 @@ bool s390_has_feat(S390Feat feat) if (s390_is_pv()) { switch (feat) { case S390_FEAT_DIAG_318: + case S390_FEAT_CERT_STORE: case S390_FEAT_HPMA2: case S390_FEAT_SIE_F2: case S390_FEAT_SIE_SKEY: 
@@ -505,6 +506,7 @@ static void check_consistency(const S390CPUModel *model) { S390_FEAT_PTFF_STOUE, S390_FEAT_MULTIPLE_EPOCH }, { S390_FEAT_AP_QUEUE_INTERRUPT_CONTROL, S390_FEAT_AP }, { S390_FEAT_DIAG_318, S390_FEAT_EXTENDED_LENGTH_SCCB }, + { S390_FEAT_CERT_STORE, S390_FEAT_EXTENDED_LENGTH_SCCB }, { S390_FEAT_NNPA, S390_FEAT_VECTOR }, { S390_FEAT_RDP, S390_FEAT_LOCAL_TLB_CLEARING }, { S390_FEAT_UV_FEAT_AP, S390_FEAT_AP }, diff --git a/target/s390x/diag.c b/target/s390x/diag.c index cff9fbc4b0..a35d808fd7 100644 --- a/target/s390x/diag.c +++ b/target/s390x/diag.c @@ -18,6 +18,7 @@ #include "hw/watchdog/wdt_diag288.h" #include "system/cpus.h" #include "hw/s390x/ipl.h" +#include "hw/s390x/ipl/diag320.h" #include "hw/s390x/s390-virtio-ccw.h" #include "system/kvm.h" #include "kvm/kvm_s390x.h" @@ -191,3 +192,46 @@ out: break; } } + +void handle_diag_320(CPUS390XState *env, uint64_t r1, uint64_t r3, uintptr= _t ra) +{ + S390CPU *cpu =3D env_archcpu(env); + uint64_t subcode =3D env->regs[r3]; + uint64_t addr =3D env->regs[r1]; + + if (env->psw.mask & PSW_MASK_PSTATE) { + s390_program_interrupt(env, PGM_PRIVILEGED, ra); + return; + } + + if (!s390_has_feat(S390_FEAT_CERT_STORE)) { + s390_program_interrupt(env, PGM_SPECIFICATION, ra); + return; + } + + if ((subcode & ~0x000ffULL) || (r1 & 1)) { + s390_program_interrupt(env, PGM_SPECIFICATION, ra); + return; + } + + switch (subcode) { + case DIAG_320_SUBC_QUERY_ISM: + /* + * The Installed Subcode Block (ISB) can be up 8 words in size, + * but the current set of subcodes can fit within a single word + * for now. + */ + uint32_t ism_word0 =3D cpu_to_be32(DIAG_320_ISM_QUERY_SUBCODES); + + if (s390_cpu_virt_mem_write(cpu, addr, r1, &ism_word0, sizeof(ism_= word0))) { + s390_cpu_virt_mem_handle_exc(cpu, ra); + return; + } + + env->regs[r1 + 1] =3D DIAG_320_RC_OK; + break; + default: + env->regs[r1 + 1] =3D DIAG_320_RC_NOT_SUPPORTED; + break; + } +} 
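Review bot: in handle_diag_320() (target/s390x/diag.c), `uint32_t ism_word0 = cpu_to_be32(DIAG_320_ISM_QUERY_SUBCODES);` is declared directly under `case DIAG_320_SUBC_QUERY_ISM:` with no enclosing block; a label followed directly by a declaration is only valid from C23 on, so compilers that do not accept it as an extension reject it. Wrap the case body in braces so the declaration has its own scope. The comment above it also reads "can be up 8 words" where "up to 8 words" is meant.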
diff --git a/target/s390x/gen-features.c b/target/s390x/gen-features.c index 8218e6470e..6c20c3a862 100644 --- a/target/s390x/gen-features.c +++ b/target/s390x/gen-features.c @@ -720,6 +720,7 @@ static uint16_t full_GEN16_GA1[] =3D { S390_FEAT_PAIE, S390_FEAT_UV_FEAT_AP, S390_FEAT_UV_FEAT_AP_INTR, + S390_FEAT_CERT_STORE, }; =20 static uint16_t full_GEN17_GA1[] =3D { @@ -919,6 +920,8 @@ static uint16_t qemu_MAX[] =3D { S390_FEAT_KIMD_SHA_512, S390_FEAT_KLMD_SHA_512, S390_FEAT_PRNO_TRNG, + S390_FEAT_EXTENDED_LENGTH_SCCB, + S390_FEAT_CERT_STORE, }; =20 /****** END FEATURE DEFS ******/ diff --git a/target/s390x/kvm/kvm.c b/target/s390x/kvm/kvm.c index e4be4dac4d..e65d754112 100644 --- a/target/s390x/kvm/kvm.c +++ b/target/s390x/kvm/kvm.c @@ -98,6 +98,7 @@ #define DIAG_TIMEREVENT 0x288 #define DIAG_IPL 0x308 #define DIAG_SET_CONTROL_PROGRAM_CODES 0x318 +#define DIAG_CERT_STORE 0x320 #define DIAG_KVM_HYPERCALL 0x500 #define DIAG_KVM_BREAKPOINT 0x501 =20 @@ -1560,6 +1561,16 @@ static void handle_diag_318(S390CPU *cpu, struct kvm= _run *run) } } =20 +static void kvm_handle_diag_320(S390CPU *cpu, struct kvm_run *run) +{ + uint64_t r1, r3; + + r1 =3D (run->s390_sieic.ipa & 0x00f0) >> 4; + r3 =3D run->s390_sieic.ipa & 0x000f; + + handle_diag_320(&cpu->env, r1, r3, RA_IGNORED); +} + #define DIAG_KVM_CODE_MASK 0x000000000000ffff =20 static int handle_diag(S390CPU *cpu, struct kvm_run *run, uint32_t ipb) @@ -1590,6 +1601,9 @@ static int handle_diag(S390CPU *cpu, struct kvm_run *= run, uint32_t ipb) case DIAG_KVM_BREAKPOINT: r =3D handle_sw_breakpoint(cpu, run); break; + case DIAG_CERT_STORE: + kvm_handle_diag_320(cpu, run); + break; default: trace_kvm_insn_diag(func_code); kvm_s390_program_interrupt(cpu, PGM_SPECIFICATION); 
@@ -2490,6 +2504,8 @@ bool kvm_s390_get_host_cpu_model(S390CPUModel *model,= Error **errp) set_bit(S390_FEAT_DIAG_318, model->features); } =20 + set_bit(S390_FEAT_CERT_STORE, model->features); + /* Test for Ultravisor features that influence secure guest behavior */ query_uv_feat_guest(model->features); =20 diff --git a/target/s390x/s390x-internal.h b/target/s390x/s390x-internal.h index 9691366ec9..771b62fbe2 100644 --- a/target/s390x/s390x-internal.h +++ b/target/s390x/s390x-internal.h @@ -388,6 +388,8 @@ int mmu_translate_real(CPUS390XState *env, target_ulong= raddr, int rw, int handle_diag_288(CPUS390XState *env, uint64_t r1, uint64_t r3); void handle_diag_308(CPUS390XState *env, uint64_t r1, uint64_t r3, uintptr_t ra); +void handle_diag_320(CPUS390XState *env, uint64_t r1, uint64_t r3, + uintptr_t ra); =20 =20 /* translate.c */ diff --git a/target/s390x/tcg/misc_helper.c b/target/s390x/tcg/misc_helper.c index 215b5b9d93..16eddd7593 100644 --- a/target/s390x/tcg/misc_helper.c +++ b/target/s390x/tcg/misc_helper.c 
@@ -142,6 +142,13 @@ void HELPER(diag)(CPUS390XState *env, uint32_t r1, uin= t32_t r3, uint32_t num) /* time bomb (watchdog) */ r =3D handle_diag_288(env, r1, r3); break; + case 0x320: + /* cert store */ + bql_lock(); + handle_diag_320(env, r1, r3, GETPC()); + bql_unlock(); + r =3D 0; + break; default: r =3D -1; break; --=20 2.51.1
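Review bot: In handle_diag_320() in target/s390x/diag.c, the `case DIAG_320_SUBC_QUERY_ISM:` label is followed directly by the declaration of `ism_word0`, with only a comment in between and no braces. A declaration is not a statement, so a label placed immediately before one is rejected under C standards earlier than C23, and the variable's scope also runs on across the `default:` label. Wrap the case body in `{ ... }` so the declaration gets its own block. Nit in the same hunk: the comment says the ISB "can be up 8 words in size"; it should read "up to 8 words".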
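Review bot: In kvm_s390_get_host_cpu_model() in target/s390x/kvm/kvm.c, the new `set_bit(S390_FEAT_CERT_STORE, model->features);` is unconditional, while the S390_FEAT_DIAG_318 bit in the context just above it is set inside a conditional block. Please add a comment explaining why no host or capability check is needed here (if the reason is that the DIAG 0x320 intercept is served entirely by QEMU through handle_diag() and kvm_handle_diag_320(), say so), or gate it in the same way as the neighbouring feature, so the host model cannot advertise cstore in a configuration where the handler is not reachable.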
From: Zhuoying Cai
To: thuth@redhat.com, berrange@redhat.com, richard.henderson@linaro.org, david@redhat.com, jrossi@linux.ibm.com, qemu-s390x@nongnu.org, qemu-devel@nongnu.org, brueckner@linux.ibm.com
Cc: walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com
Subject: [PATCH v7 06/29] s390x/diag: Refactor address validation check from diag308_parm_check
Date: Mon, 8 Dec 2025 16:32:23 -0500
Message-ID: <20251208213247.702569-7-zycai@linux.ibm.com>
In-Reply-To: <20251208213247.702569-1-zycai@linux.ibm.com>
References: <20251208213247.702569-1-zycai@linux.ibm.com>

Create a function to validate the address parameter of DIAGNOSE.

Refactor the function for reuse in the next patch, which allows address validation in read or write operation of DIAGNOSE.

Signed-off-by: Zhuoying Cai
Reviewed-by: Farhan Ali
---
 target/s390x/diag.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/target/s390x/diag.c b/target/s390x/diag.c index a35d808fd7..a347be7633 100644 --- a/target/s390x/diag.c +++ b/target/s390x/diag.c 
@@ -26,6 +26,12 @@ #include "qemu/error-report.h" =20 =20 +static inline bool diag_parm_addr_valid(uint64_t addr, size_t size, bool w= rite) +{ + return address_space_access_valid(&address_space_memory, addr, + size, write, MEMTXATTRS_UNSPECIFIED); +} + int handle_diag_288(CPUS390XState *env, uint64_t r1, uint64_t r3) { uint64_t func =3D env->regs[r1]; 
@@ -65,9 +71,7 @@ static int diag308_parm_check(CPUS390XState *env, uint64_= t r1, uint64_t addr, s390_program_interrupt(env, PGM_SPECIFICATION, ra); return -1; } - if (!address_space_access_valid(&address_space_memory, addr, - sizeof(IplParameterBlock), write, - MEMTXATTRS_UNSPECIFIED)) { + if (!diag_parm_addr_valid(addr, sizeof(IplParameterBlock), write)) { s390_program_interrupt(env, PGM_ADDRESSING, ra); return -1; } --=20 2.51.1
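Review bot: The new diag_parm_addr_valid() helper at the top of target/s390x/diag.c has no comment saying what kind of address it accepts; it checks `addr` against address_space_memory, so callers must hand it a guest physical address, not a logical one. Since the commit message says the next patch reuses it on both read and write paths, a short comment on the expected address type and on the meaning of `write` would keep later callers from pairing this check with an access that goes through address translation. Style point on the same lines: `static inline` is not needed for a helper local to a .c file; plain `static` leaves the inlining decision to the compiler.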
From: Zhuoying Cai
To: thuth@redhat.com, berrange@redhat.com, richard.henderson@linaro.org, david@redhat.com, jrossi@linux.ibm.com, qemu-s390x@nongnu.org, qemu-devel@nongnu.org, brueckner@linux.ibm.com
Cc: walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com
Subject: [PATCH v7 07/29] s390x/diag: Implement DIAG 320 subcode 1
Date: Mon, 8 Dec 2025 16:32:24 -0500
Message-ID: <20251208213247.702569-8-zycai@linux.ibm.com>
In-Reply-To: <20251208213247.702569-1-zycai@linux.ibm.com>
References: <20251208213247.702569-1-zycai@linux.ibm.com>

DIAG 320 subcode 1 provides information needed to determine the amount of storage to store one or more certificates from the certificate store.

Upon successful completion, this subcode returns information of the current cert store, such as the number of certificates stored and allowed in the cert store, the amount of space that may need to be allocated to store a certificate, etc. for verification-certificate blocks (VCBs).

The subcode value is denoted by setting the left-most bit of an 8-byte field.

The verification-certificate-storage-size block (VCSSB) contains the output data when the operation completes successfully. A VCSSB length of 4 indicates that no certificates are available in the cert store.

Signed-off-by: Zhuoying Cai
Reviewed-by: Farhan Ali
---
 docs/specs/s390x-secure-ipl.rst | 12 +++++++
 include/hw/s390x/ipl/diag320.h | 22 ++++++++++++
 target/s390x/diag.c | 59 ++++++++++++++++++++++++++++++++-
 3 files changed, 92 insertions(+), 1 deletion(-)

diff --git a/docs/specs/s390x-secure-ipl.rst b/docs/specs/s390x-secure-ipl.= rst index c2e8f7aba5..d3ece8a82d 100644 --- a/docs/specs/s390x-secure-ipl.rst +++ b/docs/specs/s390x-secure-ipl.rst @@ -26,3 +26,15 @@ Subcode 0 - query installed subcodes Returns a 256-bit installed subcodes mask (ISM) stored in the installed subcodes block (ISB). This mask indicates which subcodes are currently installed and available for use. + +Subcode 1 - query verification certificate storage information + Provides the information required to determine the amount of memory ne= eded + to store one or more verification-certificates (VCs) from the certific= ate + store (CS). + + Upon successful completion, this subcode returns various storage size = values + for verification-certificate blocks (VCBs). + + The output is returned in the verification-certificate-storage-size bl= ock + (VCSSB). A VCSSB length of 4 indicates that no certificates are availa= ble + in the CS. diff --git a/include/hw/s390x/ipl/diag320.h b/include/hw/s390x/ipl/diag320.h index aa04b699c6..6e4779c699 100644 --- a/include/hw/s390x/ipl/diag320.h +++ b/include/hw/s390x/ipl/diag320.h 
@@ -11,10 +11,32 @@ #define S390X_DIAG320_H =20 #define DIAG_320_SUBC_QUERY_ISM 0 +#define DIAG_320_SUBC_QUERY_VCSI 1 =20 #define DIAG_320_RC_OK 0x0001 #define DIAG_320_RC_NOT_SUPPORTED 0x0102 +#define DIAG_320_RC_INVAL_VCSSB_LEN 0x0202 =20 #define DIAG_320_ISM_QUERY_SUBCODES 0x80000000 +#define DIAG_320_ISM_QUERY_VCSI 0x40000000 + +#define VCSSB_NO_VC 4 +#define VCSSB_MIN_LEN 128 +#define VCE_HEADER_LEN 128 +#define VCB_HEADER_LEN 64 + +struct VCStorageSizeBlock { + uint32_t length; + uint8_t reserved0[3]; + uint8_t version; + uint32_t reserved1[6]; + uint16_t total_vc_ct; + uint16_t max_vc_ct; + uint32_t reserved3[11]; + uint32_t max_single_vcb_len; + uint32_t total_vcb_len; + uint32_t reserved4[10]; +}; +typedef struct VCStorageSizeBlock VCStorageSizeBlock; =20 #endif diff --git a/target/s390x/diag.c b/target/s390x/diag.c index a347be7633..0e1897e03d 100644 --- a/target/s390x/diag.c +++ b/target/s390x/diag.c 
@@ -197,11 +197,50 @@ out: } } =20 +static int handle_diag320_query_vcsi(S390CPU *cpu, uint64_t addr, uint64_t= r1, + uintptr_t ra, S390IPLCertificateStore= *qcs) +{ + g_autofree VCStorageSizeBlock *vcssb =3D NULL; + + vcssb =3D g_new0(VCStorageSizeBlock, 1); + if (s390_cpu_virt_mem_read(cpu, addr, r1, vcssb, sizeof(*vcssb))) { + s390_cpu_virt_mem_handle_exc(cpu, ra); + return -1; + } + + if (be32_to_cpu(vcssb->length) < VCSSB_MIN_LEN) { + return DIAG_320_RC_INVAL_VCSSB_LEN; + } + + if (!qcs->count) { + vcssb->length =3D cpu_to_be32(VCSSB_NO_VC); + } else { + vcssb->version =3D 0; + vcssb->total_vc_ct =3D cpu_to_be16(qcs->count); + vcssb->max_vc_ct =3D cpu_to_be16(MAX_CERTIFICATES); + vcssb->max_single_vcb_len =3D cpu_to_be32(VCB_HEADER_LEN + VCE_HEA= DER_LEN + + qcs->max_cert_size); + vcssb->total_vcb_len =3D cpu_to_be32(VCB_HEADER_LEN + qcs->count *= VCE_HEADER_LEN + + qcs->total_bytes); + } + + if (s390_cpu_virt_mem_write(cpu, addr, r1, vcssb, be32_to_cpu(vcssb->l= ength))) { + s390_cpu_virt_mem_handle_exc(cpu, ra); + return -1; + } + return DIAG_320_RC_OK; +} + +QEMU_BUILD_BUG_MSG(sizeof(VCStorageSizeBlock) !=3D VCSSB_MIN_LEN, + "size of VCStorageSizeBlock is wrong"); + void handle_diag_320(CPUS390XState *env, uint64_t r1, uint64_t r3, uintptr= _t ra) { S390CPU *cpu =3D env_archcpu(env); + S390IPLCertificateStore *qcs =3D s390_ipl_get_certificate_store(); uint64_t subcode =3D env->regs[r3]; uint64_t addr =3D env->regs[r1]; + int rc; =20 if (env->psw.mask & PSW_MASK_PSTATE) { s390_program_interrupt(env, PGM_PRIVILEGED, ra); 
@@ -225,7 +264,8 @@ void handle_diag_320(CPUS390XState *env, uint64_t r1, u= int64_t r3, uintptr_t ra) * but the current set of subcodes can fit within a single word * for now. */ - uint32_t ism_word0 =3D cpu_to_be32(DIAG_320_ISM_QUERY_SUBCODES); + uint32_t ism_word0 =3D cpu_to_be32(DIAG_320_ISM_QUERY_SUBCODES | + DIAG_320_ISM_QUERY_VCSI); =20 if (s390_cpu_virt_mem_write(cpu, addr, r1, &ism_word0, sizeof(ism_= word0))) { s390_cpu_virt_mem_handle_exc(cpu, ra); 
@@ -234,6 +274,23 @@ void handle_diag_320(CPUS390XState *env, uint64_t r1, = uint64_t r3, uintptr_t ra) =20 env->regs[r1 + 1] =3D DIAG_320_RC_OK; break; + case DIAG_320_SUBC_QUERY_VCSI: + if (!diag_parm_addr_valid(addr, sizeof(VCStorageSizeBlock), true))= { + s390_program_interrupt(env, PGM_ADDRESSING, ra); + return; + } + + if (addr & 0x7) { + s390_program_interrupt(env, PGM_ADDRESSING, ra); + return; + } + + rc =3D handle_diag320_query_vcsi(cpu, addr, r1, ra, qcs); + if (rc =3D=3D -1) { + return; + } + env->regs[r1 + 1] =3D rc; + break; default: env->regs[r1 + 1] =3D DIAG_320_RC_NOT_SUPPORTED; break; --=20 2.51.1
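Review bot: In handle_diag320_query_vcsi() the guest-supplied `vcssb->length` is only checked against a lower bound (`< VCSSB_MIN_LEN`), yet the final `s390_cpu_virt_mem_write(cpu, addr, r1, vcssb, be32_to_cpu(vcssb->length))` uses it as the copy size. When `qcs->count` is non-zero the length field is left exactly as the guest wrote it, so any value above 128 makes the write copy past the end of the single VCStorageSizeBlock allocated with g_new0() and hands adjacent host heap contents back to the guest. Set `vcssb->length` to `cpu_to_be32(VCSSB_MIN_LEN)` in the else branch, or cap the write size at `sizeof(*vcssb)`. The caller also validated only `sizeof(VCStorageSizeBlock)` bytes at `addr`, so the write must not exceed that in any case.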
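Review bot: In the new `case DIAG_320_SUBC_QUERY_VCSI:` of handle_diag_320(), the address is validated with diag_parm_addr_valid(), which checks address_space_memory, but handle_diag320_query_vcsi() then accesses it through s390_cpu_virt_mem_read() and s390_cpu_virt_mem_write() with `r1` as the access register. Those two paths can refer to different storage when address translation is active, so the PGM_ADDRESSING check may pass or fail for a location other than the one that is actually read and written. Pick one address type for this parameter and use it for both the check and the access. It would also read better to do the cheap `addr & 0x7` alignment test before the access-validity check, with a comment naming the program interruption the architecture specifies for a misaligned VCSSB.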
From: Zhuoying Cai
To: thuth@redhat.com, berrange@redhat.com, richard.henderson@linaro.org, david@redhat.com, jrossi@linux.ibm.com, qemu-s390x@nongnu.org, qemu-devel@nongnu.org, brueckner@linux.ibm.com
Cc: walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com
Subject: [PATCH v7 08/29] crypto/x509-utils: Add helper functions for DIAG 320 subcode 2
Date: Mon, 8 Dec 2025 16:32:25 -0500
Message-ID: <20251208213247.702569-9-zycai@linux.ibm.com>
In-Reply-To: <20251208213247.702569-1-zycai@linux.ibm.com>
References: <20251208213247.702569-1-zycai@linux.ibm.com>

Introduce new helper functions to extract certificate metadata:

qcrypto_x509_check_cert_times() - validates the certificate's validity period against the current time
qcrypto_x509_get_pk_algorithm() - returns the public key algorithm used in the certificate
qcrypto_x509_get_cert_key_id() - extracts the key ID from the certificate
qcrypto_x509_is_ecc_curve_p521() - determines whether the ECC public key algorithm uses the P-521 curve

These functions provide support for metadata extraction and validity checking for X.509 certificates.

Signed-off-by: Zhuoying Cai
---
 crypto/x509-utils.c | 248 ++++++++++++++++++++++++++++++++++++
 include/crypto/x509-utils.h | 73 +++++++++++
 2 files changed, 321 insertions(+)

diff --git a/crypto/x509-utils.c b/crypto/x509-utils.c index 2696d48155..f91fa56563 100644 --- a/crypto/x509-utils.c +++ b/crypto/x509-utils.c @@ -27,6 +27,25 @@ static const int qcrypto_to_gnutls_hash_alg_map[QCRYPTO_= HASH_ALGO__MAX] =3D { [QCRYPTO_HASH_ALGO_RIPEMD160] =3D GNUTLS_DIG_RMD160, }; =20 +static const int gnutls_to_qcrypto_pk_alg_map[] =3D { + [GNUTLS_PK_RSA] =3D QCRYPTO_PK_ALGO_RSA, + [GNUTLS_PK_DSA] =3D QCRYPTO_PK_ALGO_DSA, + [GNUTLS_PK_ECDSA] =3D QCRYPTO_PK_ALGO_ECDSA, + [GNUTLS_PK_RSA_OAEP] =3D QCRYPTO_PK_ALGO_RSA_OAEP, + [GNUTLS_PK_EDDSA_ED25519] =3D QCRYPTO_PK_ALGO_ED25519, + [GNUTLS_PK_EDDSA_ED448] =3D QCRYPTO_PK_ALGO_ED448, +}; + +static const int qcrypto_to_gnutls_keyid_flags_map[] =3D { + [QCRYPTO_HASH_ALGO_MD5] =3D -1, + [QCRYPTO_HASH_ALGO_SHA1] =3D GNUTLS_KEYID_USE_SHA1, + [QCRYPTO_HASH_ALGO_SHA224] =3D -1, + [QCRYPTO_HASH_ALGO_SHA256] =3D GNUTLS_KEYID_USE_SHA256, + [QCRYPTO_HASH_ALGO_SHA384] =3D -1, + [QCRYPTO_HASH_ALGO_SHA512] =3D GNUTLS_KEYID_USE_SHA512, + [QCRYPTO_HASH_ALGO_RIPEMD160] =3D -1, +}; + int qcrypto_get_x509_cert_fingerprint(uint8_t *cert, size_t size, QCryptoHashAlgo alg, uint8_t *result, 
@@ -121,6 +140,207 @@ cleanup: return ret; } =20 +int qcrypto_x509_check_cert_times(uint8_t *cert, size_t size, Error **errp) +{ + int rc; + int ret =3D -1; + gnutls_x509_crt_t crt; + gnutls_datum_t datum =3D {.data =3D cert, .size =3D size}; + time_t now =3D time(0); + time_t exp_time; + time_t act_time; + + if (now =3D=3D ((time_t)-1)) { + error_setg_errno(errp, errno, "Cannot get current time"); + return ret; + } + + rc =3D gnutls_x509_crt_init(&crt); + if (rc < 0) { + error_setg(errp, "Failed to initialize certificate: %s", gnutls_st= rerror(rc)); + return ret; + } + + rc =3D gnutls_x509_crt_import(crt, &datum, GNUTLS_X509_FMT_PEM); + if (rc !=3D 0) { + error_setg(errp, "Failed to import certificate: %s", gnutls_strerr= or(rc)); + goto cleanup; + } + + exp_time =3D gnutls_x509_crt_get_expiration_time(crt); + if (exp_time =3D=3D ((time_t)-1)) { + error_setg(errp, "Failed to get certificate expiration time"); + goto cleanup; + } + if (exp_time < now) { + error_setg(errp, "The certificate has expired"); + goto cleanup; + } + + act_time =3D gnutls_x509_crt_get_activation_time(crt); + if (act_time =3D=3D ((time_t)-1)) { + error_setg(errp, "Failed to get certificate activation time"); + goto cleanup; + } + if (act_time > now) { + error_setg(errp, "The certificate is not yet active"); + goto cleanup; + } + + ret =3D 0; + +cleanup: + gnutls_x509_crt_deinit(crt); + return ret; +} + +int qcrypto_x509_get_pk_algorithm(uint8_t *cert, size_t size, Error **errp) +{ + int rc; + int ret =3D -1; + unsigned int bits; + gnutls_x509_crt_t crt; + gnutls_datum_t datum =3D {.data =3D cert, .size =3D size}; + + rc =3D gnutls_x509_crt_init(&crt); + if (rc < 0) { + error_setg(errp, "Failed to initialize certificate: %s", gnutls_st= rerror(rc)); + return ret; + } + + rc =3D gnutls_x509_crt_import(crt, &datum, GNUTLS_X509_FMT_PEM); + if (rc !=3D 0) { + error_setg(errp, "Failed to import certificate: %s", gnutls_strerr= or(rc)); + goto cleanup; + } + + rc =3D 
gnutls_x509_crt_get_pk_algorithm(crt, &bits); + if (rc >=3D G_N_ELEMENTS(gnutls_to_qcrypto_pk_alg_map) || rc < 0) { + error_setg(errp, "Unknown public key algorithm %d", rc); + goto cleanup; + } + + ret =3D gnutls_to_qcrypto_pk_alg_map[rc]; + +cleanup: + gnutls_x509_crt_deinit(crt); + return ret; +} + +int qcrypto_x509_get_cert_key_id(uint8_t *cert, size_t size, + QCryptoHashAlgo hash_alg, + uint8_t **result, + size_t *resultlen, + Error **errp) +{ + int rc; + int ret =3D -1; + gnutls_x509_crt_t crt; + gnutls_datum_t datum =3D {.data =3D cert, .size =3D size}; + + if (hash_alg >=3D G_N_ELEMENTS(qcrypto_to_gnutls_hash_alg_map)) { + error_setg(errp, "Unknown hash algorithm %d", hash_alg); + return ret; + } + + if (hash_alg >=3D G_N_ELEMENTS(qcrypto_to_gnutls_keyid_flags_map) || + qcrypto_to_gnutls_keyid_flags_map[hash_alg] =3D=3D -1) { + error_setg(errp, "Unsupported key id flag %d", hash_alg); + return ret; + } + + rc =3D gnutls_x509_crt_init(&crt); + if (rc < 0) { + error_setg(errp, "Failed to initialize certificate: %s", gnutls_st= rerror(rc)); + return ret; + } + + rc =3D gnutls_x509_crt_import(crt, &datum, GNUTLS_X509_FMT_PEM); + if (rc !=3D 0) { + error_setg(errp, "Failed to import certificate: %s", gnutls_strerr= or(rc)); + goto cleanup; + } + + *resultlen =3D gnutls_hash_get_len(qcrypto_to_gnutls_hash_alg_map[hash= _alg]); + if (*resultlen =3D=3D 0) { + error_setg(errp, "Failed to get hash algorithn length: %s", gnutls= _strerror(rc)); + goto cleanup; + } + + *result =3D g_malloc0(*resultlen); + if (gnutls_x509_crt_get_key_id(crt, + qcrypto_to_gnutls_keyid_flags_map[hash_= alg], + *result, resultlen) !=3D 0) { + error_setg(errp, "Failed to get key ID from certificate"); + g_clear_pointer(result, g_free); + goto cleanup; + } + + ret =3D 0; + +cleanup: + gnutls_x509_crt_deinit(crt); + return ret; +} + +static int qcrypto_x509_get_ecc_curve(uint8_t *cert, size_t size, Error **= errp) +{ + int rc; + int ret =3D -1; + gnutls_x509_crt_t crt; + gnutls_datum_t datum 
=3D {.data =3D cert, .size =3D size}; + gnutls_ecc_curve_t curve_id; + gnutls_datum_t x =3D {.data =3D NULL, .size =3D 0}; + gnutls_datum_t y =3D {.data =3D NULL, .size =3D 0}; + + rc =3D gnutls_x509_crt_init(&crt); + if (rc < 0) { + error_setg(errp, "Failed to initialize certificate: %s", gnutls_st= rerror(rc)); + return ret; + } + + rc =3D gnutls_x509_crt_import(crt, &datum, GNUTLS_X509_FMT_PEM); + if (rc !=3D 0) { + error_setg(errp, "Failed to import certificate: %s", gnutls_strerr= or(rc)); + goto cleanup; + } + + rc =3D gnutls_x509_crt_get_pk_ecc_raw(crt, &curve_id, &x, &y); + if (rc !=3D 0) { + error_setg(errp, "Failed to get ECC public key curve: %s", gnutls_= strerror(rc)); + goto cleanup; + } + + ret =3D curve_id; + +cleanup: + gnutls_x509_crt_deinit(crt); + gnutls_free(x.data); + gnutls_free(y.data); + return ret; +} + +int qcrypto_x509_check_ecc_curve_p521(uint8_t *cert, size_t size, Error **= errp) +{ + int curve_id; + + curve_id =3D qcrypto_x509_get_ecc_curve(cert, size, errp); + if (curve_id =3D=3D -1) { + return -1; + } + + if (curve_id =3D=3D GNUTLS_ECC_CURVE_INVALID) { + error_setg(errp, "Invalid ECC curve"); + return -1; + } + + if (curve_id =3D=3D GNUTLS_ECC_CURVE_SECP521R1) { + return 1; + } + + return 0; +} + #else /* ! CONFIG_GNUTLS */ =20 int qcrypto_get_x509_cert_fingerprint(uint8_t *cert, size_t size, 
@@ -142,4 +362,32 @@ int qcrypto_x509_convert_cert_der(uint8_t *cert, size_= t size, return -1; } =20 +int qcrypto_x509_check_cert_times(uint8_t *cert, size_t size, Error **errp) +{ + error_setg(errp, "GNUTLS is required to get certificate times"); + return -1; +} + +int qcrypto_x509_get_pk_algorithm(uint8_t *cert, size_t size, Error **errp) +{ + error_setg(errp, "GNUTLS is required to get public key algorithm"); + return -1; +} + +int qcrypto_x509_get_cert_key_id(uint8_t *cert, size_t size, + QCryptoHashAlgo hash_alg, + uint8_t **result, + size_t *resultlen, + Error **errp) +{ + error_setg(errp, "GNUTLS is required to get key ID"); + return -1; +} + +int qcrypto_x509_check_ecc_curve_p521(uint8_t *cert, size_t size, Error **= errp) +{ + error_setg(errp, "GNUTLS is required to determine ecc curve"); + return -1; +} + #endif /* ! CONFIG_GNUTLS */ diff --git a/include/crypto/x509-utils.h b/include/crypto/x509-utils.h index 91ae79fb03..f65be67a2c 100644 --- a/include/crypto/x509-utils.h +++ b/include/crypto/x509-utils.h @@ -13,6 +13,15 @@ =20 #include "crypto/hash.h" =20 +typedef enum { + QCRYPTO_PK_ALGO_RSA, + QCRYPTO_PK_ALGO_DSA, + QCRYPTO_PK_ALGO_ECDSA, + QCRYPTO_PK_ALGO_RSA_OAEP, + QCRYPTO_PK_ALGO_ED25519, + QCRYPTO_PK_ALGO_ED448, +} QCryptoPkAlgo; + int qcrypto_get_x509_cert_fingerprint(uint8_t *cert, size_t size, QCryptoHashAlgo hash, uint8_t *result, 
@@ -40,4 +49,68 @@ int qcrypto_x509_convert_cert_der(uint8_t *cert, size_t = size, size_t *resultlen, Error **errp); =20 +/** + * qcrypto_x509_check_cert_times + * @cert: pointer to the raw certificate data + * @size: size of the certificate + * @errp: error pointer + * + * Check whether the activation and expiration times of @cert + * are valid at the current time. + * + * Returns: 0 if the certificate times are valid, + * -1 on error. + */ +int qcrypto_x509_check_cert_times(uint8_t *cert, size_t size, Error **errp= ); + +/** + * qcrypto_x509_get_pk_algorithm + * @cert: pointer to the raw certificate data + * @size: size of the certificate + * @errp: error pointer + * + * Determine the public key algorithm of the @cert. + * + * Returns: a value from the QCryptoPkAlgo enum on success, + * -1 on error. + */ +int qcrypto_x509_get_pk_algorithm(uint8_t *cert, size_t size, Error **errp= ); + +/** + * qcrypto_x509_get_cert_key_id + * @cert: pointer to the raw certificate data + * @size: size of the certificate + * @hash_alg: the hash algorithm flag + * @result: output location for the allocated buffer for key ID + * (the function allocates memory which must be freed by the call= er) + * @resultlen: pointer to the size of the buffer + * (will be updated with the actual size of key id) + * @errp: error pointer + * + * Retrieve the key ID from the @cert based on the specified @flag. + * + * Returns: 0 if key ID was successfully stored in @result, + * -1 on error. + */ +int qcrypto_x509_get_cert_key_id(uint8_t *cert, size_t size, + QCryptoHashAlgo hash_alg, + uint8_t **result, + size_t *resultlen, + Error **errp); + +/** + * qcrypto_x509_check_ecc_curve_p521 + * @cert: pointer to the raw certificate data + * @size: size of the certificate + * @errp: error pointer + * + * Determine whether the ECC public key in the given certificate uses the = P-521 + * curve. + * + * Returns: 0 if ECC public key does not use P521 curve. + * 1 if ECC public key uses P521 curve. 
+ * -1 on error. + */ +int qcrypto_x509_check_ecc_curve_p521(uint8_t *cert, size_t size, Error **= errp); + #endif --=20 2.51.1

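Review bot: In the first crypto/x509-utils.c hunk, gnutls_to_qcrypto_pk_alg_map has no sentinel for unmapped entries. Every GnuTLS algorithm id that falls inside the array bounds without a designated initializer is zero-initialized, and zero is QCRYPTO_PK_ALGO_RSA, the first enumerator of QCryptoPkAlgo, so qcrypto_x509_get_pk_algorithm() reports such a key as RSA instead of failing with "Unknown public key algorithm". qcrypto_to_gnutls_keyid_flags_map in the same hunk already marks unsupported entries with -1; using the same sentinel here and rejecting it in the lookup, or starting the enum at a non-zero value, would make the error path reachable for those ids.
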
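Review bot: In qcrypto_x509_get_cert_key_id() (second crypto/x509-utils.c hunk), the gnutls_hash_get_len() failure path formats gnutls_strerror(rc), but rc still holds the 0 returned by the successful gnutls_x509_crt_import(), so the message prints the text for success on a failure; the string also has the typo "algorithn". Drop the strerror argument on that path. The same function overwrites *resultlen before ever reading it, so the size the caller passes in is ignored, and the gnutls_x509_crt_get_key_id() failure path throws away the GnuTLS return code where the other error paths include gnutls_strerror().
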
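Review bot: In the include/crypto/x509-utils.h doc comments, qcrypto_x509_get_cert_key_id() says the key ID is retrieved "based on the specified @flag", but no parameter has that name; it should be @hash_alg. @resultlen is documented as "pointer to the size of the buffer", which reads as an input, while the implementation only uses it as an output. The qcrypto_x509_check_cert_times() comment should state that an expired or not-yet-active certificate returns -1, the same value as an import failure, so callers know they cannot tell the two apart from the return value. The commit message also names qcrypto_x509_is_ecc_curve_p521() while the function declared here is qcrypto_x509_check_ecc_curve_p521().
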
From: Zhuoying Cai
To: thuth@redhat.com, berrange@redhat.com, richard.henderson@linaro.org, david@redhat.com, jrossi@linux.ibm.com, qemu-s390x@nongnu.org, qemu-devel@nongnu.org, brueckner@linux.ibm.com
Cc: walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com
Subject: [PATCH v7 09/29] s390x/diag: Implement DIAG 320 subcode 2
Date: Mon, 8 Dec 2025 16:32:26 -0500
Message-ID: <20251208213247.702569-10-zycai@linux.ibm.com>
X-Mailer: git-send-email 2.51.1
In-Reply-To: <20251208213247.702569-1-zycai@linux.ibm.com>
References: <20251208213247.702569-1-zycai@linux.ibm.com>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

DIAG 320 subcode 2 provides verification-certificates (VCs) that are in the
certificate store. Only X509 certificates in DER format and SHA-256 hash
type are recognized.

The subcode value is denoted by setting the second-left-most bit
of an 8-byte field.

The Verification Certificate Block (VCB) contains the output data
when the operation completes successfully. It includes a common
header followed by zero or more Verification Certificate Entries (VCEs),
depending on the VCB input length and the VC range (from the first VC
index to the last VC index) in the certificate store.

Each VCE contains information about a certificate retrieved from
the S390IPLCertificateStore, such as the certificate name, key type,
key ID length, hash length, and the raw certificate data.

The key ID and hash are extracted from the raw certificate by the crypto API.

Note: SHA2-256 VC hash type is required for retrieving the hash
(fingerprint) of the certificate.

Signed-off-by: Zhuoying Cai
---
 docs/specs/s390x-secure-ipl.rst | 13 ++
 include/hw/s390x/ipl/diag320.h | 49 +++++
 target/s390x/diag.c | 334 +++++++++++++++++++++++++++++++-
 3 files changed, 395 insertions(+), 1 deletion(-)

diff --git a/docs/specs/s390x-secure-ipl.rst b/docs/specs/s390x-secure-ipl.= rst index d3ece8a82d..560cf9b4f5 100644 --- a/docs/specs/s390x-secure-ipl.rst +++ b/docs/specs/s390x-secure-ipl.rst @@ -38,3 +38,16 @@ Subcode 1 - query verification certificate storage infor= mation The output is returned in the verification-certificate-storage-size bl= ock (VCSSB). A VCSSB length of 4 indicates that no certificates are availa= ble in the CS. + +Subcode 2 - store verification certificates + Provides VCs that are in the certificate store. + + The output is provided in a VCB, which includes a common header follow= ed by + zero or more verification-certificate entries (VCEs). + + The first-VC index and last-VC index fields of VCB specify the range o= f VCs + to be stored by subcode 2. Stored count and remained count fields spec= ify + the number of VCs stored and could not be stored in the VCB due to + insufficient storage specified in the VCB input length field. + + VCE contains various information of a VC from the CS. diff --git a/include/hw/s390x/ipl/diag320.h b/include/hw/s390x/ipl/diag320.h index 6e4779c699..2af14b9f01 100644 --- a/include/hw/s390x/ipl/diag320.h +++ b/include/hw/s390x/ipl/diag320.h 
@@ -12,19 +12,30 @@ =20 #define DIAG_320_SUBC_QUERY_ISM 0 #define DIAG_320_SUBC_QUERY_VCSI 1 +#define DIAG_320_SUBC_STORE_VC 2 =20 #define DIAG_320_RC_OK 0x0001 #define DIAG_320_RC_NOT_SUPPORTED 0x0102 #define DIAG_320_RC_INVAL_VCSSB_LEN 0x0202 +#define DIAG_320_RC_INVAL_VCB_LEN 0x0204 +#define DIAG_320_RC_BAD_RANGE 0x0302 =20 #define DIAG_320_ISM_QUERY_SUBCODES 0x80000000 #define DIAG_320_ISM_QUERY_VCSI 0x40000000 +#define DIAG_320_ISM_STORE_VC 0x20000000 =20 #define VCSSB_NO_VC 4 #define VCSSB_MIN_LEN 128 #define VCE_HEADER_LEN 128 +#define VCE_INVALID_LEN 72 #define VCB_HEADER_LEN 64 =20 +#define DIAG_320_VCE_FLAGS_VALID 0x80 +#define DIAG_320_VCE_KEYTYPE_SELF_DESCRIBING 0 +#define DIAG_320_VCE_KEYTYPE_ECDSA_P521 1 +#define DIAG_320_VCE_FORMAT_X509_DER 1 +#define DIAG_320_VCE_HASHTYPE_SHA2_256 1 + struct VCStorageSizeBlock { uint32_t length; uint8_t reserved0[3]; @@ -39,4 +50,42 @@ struct VCStorageSizeBlock { }; typedef struct VCStorageSizeBlock VCStorageSizeBlock; =20 +struct VCBlock { + uint32_t in_len; + uint32_t reserved0; + uint16_t first_vc_index; + uint16_t last_vc_index; + uint32_t reserved1[5]; + uint32_t out_len; + uint8_t reserved2[3]; + uint8_t version; + uint16_t stored_ct; + uint16_t remain_ct; + uint32_t reserved3[5]; + uint8_t vce_buf[]; +}; +typedef struct VCBlock VCBlock; + +struct VCEntry { + uint32_t len; + uint8_t flags; + uint8_t key_type; + uint16_t cert_idx; + uint32_t name[16]; + uint8_t format; + uint8_t reserved0; + uint16_t keyid_len; + uint8_t reserved1; + uint8_t hash_type; + uint16_t hash_len; + uint32_t reserved2; + uint32_t cert_len; + uint32_t reserved3[2]; + uint16_t hash_offset; + uint16_t cert_offset; + uint32_t reserved4[7]; + uint8_t cert_buf[]; +}; +typedef struct VCEntry VCEntry; + #endif diff --git a/target/s390x/diag.c b/target/s390x/diag.c index 0e1897e03d..1498b29a0d 100644 --- a/target/s390x/diag.c +++ b/target/s390x/diag.c 
@@ -17,6 +17,7 @@ #include "s390x-internal.h" #include "hw/watchdog/wdt_diag288.h" #include "system/cpus.h" +#include "hw/s390x/cert-store.h" #include "hw/s390x/ipl.h" #include "hw/s390x/ipl/diag320.h" #include "hw/s390x/s390-virtio-ccw.h" @@ -24,6 +25,7 @@ #include "kvm/kvm_s390x.h" #include "target/s390x/kvm/pv.h" #include "qemu/error-report.h" +#include "crypto/x509-utils.h" =20 =20 static inline bool diag_parm_addr_valid(uint64_t addr, size_t size, bool w= rite) 
@@ -231,8 +233,330 @@ static int handle_diag320_query_vcsi(S390CPU *cpu, ui= nt64_t addr, uint64_t r1, return DIAG_320_RC_OK; } =20 +static bool is_cert_valid(S390IPLCertificate cert) +{ + int rc; + Error *err =3D NULL; + + rc =3D qcrypto_x509_check_cert_times(cert.raw, cert.size, &err); + if (rc !=3D 0) { + error_report_err(err); + return false; + } + + return true; +} + +static void handle_key_id(VCEntry *vce, S390IPLCertificate cert) +{ + int rc; + g_autofree unsigned char *key_id_data =3D NULL; + size_t key_id_len; + Error *err =3D NULL; + + key_id_len =3D CERT_KEY_ID_LEN; + /* key id and key id len */ + rc =3D qcrypto_x509_get_cert_key_id(cert.raw, cert.size, + QCRYPTO_HASH_ALGO_SHA256, + &key_id_data, &key_id_len, &err); + if (rc < 0) { + error_report_err(err); + return; + } + + if (VCE_HEADER_LEN + key_id_len > be32_to_cpu(vce->len)) { + error_report("Unable to write key ID: exceeds buffer bounds"); + return; + } + + vce->keyid_len =3D cpu_to_be16(key_id_len); + + memcpy(vce->cert_buf, key_id_data, key_id_len); +} + +static int handle_hash(VCEntry *vce, S390IPLCertificate cert, uint16_t key= id_field_len) +{ + int rc; + uint16_t hash_offset; + g_autofree void *hash_data =3D NULL; + size_t hash_len; + Error *err =3D NULL; + + hash_len =3D CERT_HASH_LEN; + /* hash and hash len */ + hash_data =3D g_malloc0(hash_len); + rc =3D qcrypto_get_x509_cert_fingerprint(cert.raw, cert.size, + QCRYPTO_HASH_ALGO_SHA256, + hash_data, &hash_len, &err); + if (rc < 0) { + error_report_err(err); + return -1; + } + + hash_offset =3D VCE_HEADER_LEN + keyid_field_len; + if (hash_offset + hash_len > be32_to_cpu(vce->len)) { + error_report("Unable to write hash: exceeds buffer bounds"); + return -1; + } + + vce->hash_len =3D cpu_to_be16(hash_len); + vce->hash_type =3D DIAG_320_VCE_HASHTYPE_SHA2_256; + vce->hash_offset =3D cpu_to_be16(hash_offset); + + memcpy((uint8_t *)vce + hash_offset, hash_data, hash_len); + + return 0; +} + +static int handle_cert(VCEntry *vce, S390IPLCertificate 
cert, uint16_t has= h_field_len) +{ + int rc; + uint16_t cert_offset; + g_autofree uint8_t *cert_der =3D NULL; + Error *err =3D NULL; + + /* certificate in DER format */ + rc =3D qcrypto_x509_convert_cert_der(cert.raw, cert.size, + &cert_der, &cert.der_size, &err); + if (rc < 0) { + error_report_err(err); + return -1; + } + + cert_offset =3D be16_to_cpu(vce->hash_offset) + hash_field_len; + if (cert_offset + cert.der_size > be32_to_cpu(vce->len)) { + error_report("Unable to write certificate: exceeds buffer bounds"); + return -1; + } + + vce->format =3D DIAG_320_VCE_FORMAT_X509_DER; + vce->cert_len =3D cpu_to_be32(cert.der_size); + vce->cert_offset =3D cpu_to_be16(cert_offset); + + memcpy((uint8_t *)vce + cert_offset, cert_der, cert.der_size); + + return 0; +} + +static int get_key_type(S390IPLCertificate cert) +{ + int algo; + int rc; + Error *err =3D NULL; + + /* public key algorithm */ + algo =3D qcrypto_x509_get_pk_algorithm(cert.raw, cert.size, &err); + if (algo < 0) { + error_report_err(err); + return -1; + } + + if (algo =3D=3D QCRYPTO_PK_ALGO_ECDSA) { + rc =3D qcrypto_x509_check_ecc_curve_p521(cert.raw, cert.size, &err= ); + if (rc =3D=3D -1) { + error_report_err(err); + return -1; + } + + return (rc =3D=3D 1) ? 
DIAG_320_VCE_KEYTYPE_ECDSA_P521 : + DIAG_320_VCE_KEYTYPE_SELF_DESCRIBING; + } + + return DIAG_320_VCE_KEYTYPE_SELF_DESCRIBING; +} + +static int build_vce_header(VCEntry *vce, S390IPLCertificate cert, int idx) +{ + int key_type; + + vce->len =3D cpu_to_be32(VCE_HEADER_LEN); + vce->cert_idx =3D cpu_to_be16(idx + 1); + strncpy((char *)vce->name, (char *)cert.vc_name, VC_NAME_LEN_BYTES); + + key_type =3D get_key_type(cert); + if (key_type =3D=3D -1) { + return -1; + } + vce->key_type =3D key_type; + + return 0; +} + +static int build_vce_data(VCEntry *vce, S390IPLCertificate cert) +{ + uint16_t keyid_field_len; + uint16_t hash_field_len; + uint32_t cert_field_len; + uint32_t vce_len; + int rc; + + handle_key_id(vce, cert); + /* vce key id field length - can be 0 if failed to retrieve */ + keyid_field_len =3D ROUND_UP(be16_to_cpu(vce->keyid_len), 4); + + rc =3D handle_hash(vce, cert, keyid_field_len); + if (rc) { + return -1; + } + hash_field_len =3D ROUND_UP(be16_to_cpu(vce->hash_len), 4); + + rc =3D handle_cert(vce, cert, hash_field_len); + if (rc || !is_cert_valid(cert)) { + return -1; + } + /* vce certificate field length */ + cert_field_len =3D ROUND_UP(be32_to_cpu(vce->cert_len), 4); + + vce_len =3D VCE_HEADER_LEN + keyid_field_len + hash_field_len + cert_f= ield_len; + if (vce_len > be32_to_cpu(vce->len)) { + return -1; + } + + /* The certificate is valid and VCE contains the certificate */ + vce->flags |=3D DIAG_320_VCE_FLAGS_VALID; + + /* Update vce length to reflect the actual size used by vce */ + vce->len =3D cpu_to_be32(vce_len); + + return 0; +} + +static VCEntry *diag_320_build_vce(S390IPLCertificate cert, uint32_t vce_l= en, int idx) +{ + g_autofree VCEntry *vce =3D NULL; + int rc; + + /* + * Construct VCE + * Allocate enough memory for all certificate data + * (key id, hash and certificate). + * Unused area following the VCE field contains zeros. 
+ */ + vce =3D g_malloc0(vce_len); + rc =3D build_vce_header(vce, cert, idx); + if (rc) { + vce->len =3D cpu_to_be32(VCE_INVALID_LEN); + goto out; + } + + vce->len =3D cpu_to_be32(vce_len); + rc =3D build_vce_data(vce, cert); + if (rc) { + vce->len =3D cpu_to_be32(VCE_INVALID_LEN); + } + +out: + return g_steal_pointer(&vce); +} + +static int handle_diag320_store_vc(S390CPU *cpu, uint64_t addr, uint64_t r= 1, uintptr_t ra, + S390IPLCertificateStore *qcs) +{ + g_autofree VCBlock *vcb =3D NULL; + size_t vce_offset; + size_t remaining_space; + uint32_t vce_len; + uint16_t first_vc_index; + uint16_t last_vc_index; + uint32_t in_len; + + vcb =3D g_new0(VCBlock, 1); + if (s390_cpu_virt_mem_read(cpu, addr, r1, vcb, sizeof(*vcb))) { + s390_cpu_virt_mem_handle_exc(cpu, ra); + return -1; + } + + in_len =3D be32_to_cpu(vcb->in_len); + first_vc_index =3D be16_to_cpu(vcb->first_vc_index); + last_vc_index =3D be16_to_cpu(vcb->last_vc_index); + + if (in_len % TARGET_PAGE_SIZE !=3D 0) { + return DIAG_320_RC_INVAL_VCB_LEN; + } + + if (first_vc_index > last_vc_index) { + return DIAG_320_RC_BAD_RANGE; + } + + vcb->out_len =3D VCB_HEADER_LEN; + + if (first_vc_index =3D=3D 0) { + /* + * Zero is a valid index for the first and last VC index. + * Zero index results in the VCB header and zero certificates retu= rned. + */ + if (last_vc_index =3D=3D 0) { + goto out; + } + + /* DIAG320 certificate store remains a one origin for cert entries= */ + vcb->first_vc_index =3D 1; + first_vc_index =3D 1; + } + + vce_offset =3D VCB_HEADER_LEN; + remaining_space =3D in_len - VCB_HEADER_LEN; + + for (int i =3D first_vc_index - 1; i < last_vc_index && i < qcs->count= ; i++) { + VCEntry *vce; + S390IPLCertificate cert =3D qcs->certs[i]; + /* + * Each VCE is word aligned. + * Each variable length field within the VCE is also word aligned. 
+ */ + vce_len =3D VCE_HEADER_LEN + + ROUND_UP(CERT_KEY_ID_LEN, 4) + + ROUND_UP(CERT_HASH_LEN, 4) + + ROUND_UP(cert.der_size, 4); + + /* + * If there is no more space to store the cert, + * set the remaining verification cert count and + * break early. + */ + if (remaining_space < vce_len) { + vcb->remain_ct =3D cpu_to_be16(last_vc_index - i); + break; + } + + vce =3D diag_320_build_vce(cert, vce_len, i); + + /* Write VCE */ + if (s390_cpu_virt_mem_write(cpu, addr + vce_offset, r1, + vce, be32_to_cpu(vce->len))) { + s390_cpu_virt_mem_handle_exc(cpu, ra); + g_free(vce); + return -1; + } + + vce_offset +=3D be32_to_cpu(vce->len); + vcb->out_len +=3D be32_to_cpu(vce->len); + remaining_space -=3D be32_to_cpu(vce->len); + vcb->stored_ct++; + + g_free(vce); + } + vcb->stored_ct =3D cpu_to_be16(vcb->stored_ct); + +out: + vcb->out_len =3D cpu_to_be32(vcb->out_len); + /* + * Write VCB header + * All VCEs have been populated with the latest information + * and write VCB header last. + */ + if (s390_cpu_virt_mem_write(cpu, addr, r1, vcb, VCB_HEADER_LEN)) { + s390_cpu_virt_mem_handle_exc(cpu, ra); + return -1; + } + + return DIAG_320_RC_OK; +} + QEMU_BUILD_BUG_MSG(sizeof(VCStorageSizeBlock) !=3D VCSSB_MIN_LEN, "size of VCStorageSizeBlock is wrong"); +QEMU_BUILD_BUG_MSG(sizeof(VCBlock) !=3D VCB_HEADER_LEN, "size of VCBlock i= s wrong"); +QEMU_BUILD_BUG_MSG(sizeof(VCEntry) !=3D VCE_HEADER_LEN, "size of VCEntry i= s wrong"); =20 void handle_diag_320(CPUS390XState *env, uint64_t r1, uint64_t r3, uintptr= _t ra) { @@ -265,7 +589,8 @@ void handle_diag_320(CPUS390XState *env, uint64_t r1, u= int64_t r3, uintptr_t ra) * for now. */ uint32_t ism_word0 =3D cpu_to_be32(DIAG_320_ISM_QUERY_SUBCODES | - DIAG_320_ISM_QUERY_VCSI); + DIAG_320_ISM_QUERY_VCSI | + DIAG_320_ISM_STORE_VC); =20 if (s390_cpu_virt_mem_write(cpu, addr, r1, &ism_word0, sizeof(ism_= word0))) { s390_cpu_virt_mem_handle_exc(cpu, ra); 
@@ -291,6 +616,13 @@ void handle_diag_320(CPUS390XState *env, uint64_t r1, = uint64_t r3, uintptr_t ra) } env->regs[r1 + 1] =3D rc; break; + case DIAG_320_SUBC_STORE_VC: + rc =3D handle_diag320_store_vc(cpu, addr, r1, ra, qcs); + if (rc =3D=3D -1) { + return; + } + env->regs[r1 + 1] =3D rc; + break; default: env->regs[r1 + 1] =3D DIAG_320_RC_NOT_SUPPORTED; break; --=20 2.51.1
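Review bot: in the VCE write loop of handle_diag320_store_vc(), the failure branch of s390_cpu_virt_mem_write() calls s390_cpu_virt_mem_handle_exc(cpu, ra) before g_free(vce). If that helper does not return (it unwinds the CPU loop under TCG), vce is never freed on this path, so free it before raising the exception. The same loop increments vcb->stored_ct and vcb->out_len in host order and converts them in place afterwards with cpu_to_be16/cpu_to_be32; host-endian locals written once into the header would make a later double conversion harder to introduce.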
From: Zhuoying Cai
To: thuth@redhat.com, berrange@redhat.com, richard.henderson@linaro.org, david@redhat.com, jrossi@linux.ibm.com, qemu-s390x@nongnu.org, qemu-devel@nongnu.org, brueckner@linux.ibm.com
Cc: walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com
Subject: [PATCH v7 10/29] s390x/diag: Introduce DIAG 508 for secure IPL operations
Date: Mon, 8 Dec 2025 16:32:27 -0500
Message-ID: <20251208213247.702569-11-zycai@linux.ibm.com>
In-Reply-To: <20251208213247.702569-1-zycai@linux.ibm.com>
References: <20251208213247.702569-1-zycai@linux.ibm.com>
Content-Transfer-Encoding: quoted-printable

From: Collin Walling

In order to support secure IPL (aka secure boot) for the s390-ccw BIOS, a new s390 DIAGNOSE instruction is introduced to leverage QEMU for handling operations such as signature verification and certificate retrieval.

Currently, only subcode 0 is supported with this patch, which is used to query a bitmap of which subcodes are supported.

Signed-off-by: Collin Walling Reviewed-by: Farhan Ali --- docs/specs/s390x-secure-ipl.rst | 18 ++++++++++++++++++ include/hw/s390x/ipl/diag508.h | 15 +++++++++++++++ target/s390x/diag.c | 27 +++++++++++++++++++++++++++ target/s390x/kvm/kvm.c | 14 ++++++++++++++ target/s390x/s390x-internal.h | 2 ++ target/s390x/tcg/misc_helper.c | 7 +++++++ 6 files changed, 83 insertions(+) create mode 100644 include/hw/s390x/ipl/diag508.h diff --git a/docs/specs/s390x-secure-ipl.rst b/docs/specs/s390x-secure-ipl.= rst index 560cf9b4f5..84a1691e1b 100644 --- a/docs/specs/s390x-secure-ipl.rst +++ b/docs/specs/s390x-secure-ipl.rst @@ -51,3 +51,21 @@ Subcode 2 - store verification certificates insufficient storage specified in the VCB input length field. =20 VCE contains various information of a VC from the CS. + + +Secure IPL Data Structures, Facilities, and Functions +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D + +DIAGNOSE function code 'X'508' - IPL extensions +--------------------------------------------------- + +DIAGNOSE 'X'508' is reserved for guest use in order to facilitate communic= ation +of additional IPL operations that cannot be handled by userspace, such as +signature verification for secure IPL. + +If the function code specifies 0x508, IPL extension functions are performe= d. +These functions are meant to provide extended functionality for s390 guest= boot +that requires assistance from QEMU. + +Subcode 0 - query installed subcodes + Returns a 64-bit mask indicating which subcodes are supported. diff --git a/include/hw/s390x/ipl/diag508.h b/include/hw/s390x/ipl/diag508.h new file mode 100644 index 0000000000..6281ad8299 --- /dev/null +++ b/include/hw/s390x/ipl/diag508.h 
@@ -0,0 +1,15 @@ +/* + * S/390 DIAGNOSE 508 definitions and structures + * + * Copyright 2025 IBM Corp. + * Author(s): Collin Walling + * + * SPDX-License-Identifier: GPL-2.0-or-later + */ + +#ifndef S390X_DIAG508_H +#define S390X_DIAG508_H + +#define DIAG_508_SUBC_QUERY_SUBC 0x0000 + +#endif diff --git a/target/s390x/diag.c b/target/s390x/diag.c index 1498b29a0d..5878745eb9 100644 --- a/target/s390x/diag.c +++ b/target/s390x/diag.c @@ -20,6 +20,7 @@ #include "hw/s390x/cert-store.h" #include "hw/s390x/ipl.h" #include "hw/s390x/ipl/diag320.h" +#include "hw/s390x/ipl/diag508.h" #include "hw/s390x/s390-virtio-ccw.h" #include "system/kvm.h" #include "kvm/kvm_s390x.h" @@ -628,3 +629,29 @@ void handle_diag_320(CPUS390XState *env, uint64_t r1, = uint64_t r3, uintptr_t ra) break; } } + +void handle_diag_508(CPUS390XState *env, uint64_t r1, uint64_t r3, uintptr= _t ra) +{ + uint64_t subcode =3D env->regs[r3]; + int rc; + + if (env->psw.mask & PSW_MASK_PSTATE) { + s390_program_interrupt(env, PGM_PRIVILEGED, ra); + return; + } + + if ((subcode & ~0x0ffffULL) || (r1 & 1)) { + s390_program_interrupt(env, PGM_SPECIFICATION, ra); + return; + } + + switch (subcode) { + case DIAG_508_SUBC_QUERY_SUBC: + rc =3D 0; + break; + default: + s390_program_interrupt(env, PGM_SPECIFICATION, ra); + return; + } + env->regs[r1 + 1] =3D rc; +} diff --git a/target/s390x/kvm/kvm.c b/target/s390x/kvm/kvm.c index e65d754112..fc253ecf18 100644 --- a/target/s390x/kvm/kvm.c +++ b/target/s390x/kvm/kvm.c @@ -101,6 +101,7 @@ #define DIAG_CERT_STORE 0x320 #define DIAG_KVM_HYPERCALL 0x500 #define DIAG_KVM_BREAKPOINT 0x501 +#define DIAG_SECURE_IPL 0x508 =20 #define ICPT_INSTRUCTION 0x04 #define ICPT_PROGRAM 0x08 
@@ -1571,6 +1572,16 @@ static void kvm_handle_diag_320(S390CPU *cpu, struct= kvm_run *run) handle_diag_320(&cpu->env, r1, r3, RA_IGNORED); } =20 +static void kvm_handle_diag_508(S390CPU *cpu, struct kvm_run *run) +{ + uint64_t r1, r3; + + r1 =3D (run->s390_sieic.ipa & 0x00f0) >> 4; + r3 =3D run->s390_sieic.ipa & 0x000f; + + handle_diag_508(&cpu->env, r1, r3, RA_IGNORED); +} + #define DIAG_KVM_CODE_MASK 0x000000000000ffff =20 static int handle_diag(S390CPU *cpu, struct kvm_run *run, uint32_t ipb) @@ -1604,6 +1615,9 @@ static int handle_diag(S390CPU *cpu, struct kvm_run *= run, uint32_t ipb) case DIAG_CERT_STORE: kvm_handle_diag_320(cpu, run); break; + case DIAG_SECURE_IPL: + kvm_handle_diag_508(cpu, run); + break; default: trace_kvm_insn_diag(func_code); kvm_s390_program_interrupt(cpu, PGM_SPECIFICATION); diff --git a/target/s390x/s390x-internal.h b/target/s390x/s390x-internal.h index 771b62fbe2..949a6a4552 100644 --- a/target/s390x/s390x-internal.h +++ b/target/s390x/s390x-internal.h @@ -390,6 +390,8 @@ void handle_diag_308(CPUS390XState *env, uint64_t r1, u= int64_t r3, uintptr_t ra); void handle_diag_320(CPUS390XState *env, uint64_t r1, uint64_t r3, uintptr_t ra); +void handle_diag_508(CPUS390XState *env, uint64_t r1, uint64_t r3, + uintptr_t ra); =20 =20 /* translate.c */ diff --git a/target/s390x/tcg/misc_helper.c b/target/s390x/tcg/misc_helper.c index 16eddd7593..f03bd7d13a 100644 --- a/target/s390x/tcg/misc_helper.c +++ b/target/s390x/tcg/misc_helper.c 
@@ -149,6 +149,13 @@ void HELPER(diag)(CPUS390XState *env, uint32_t r1, uin= t32_t r3, uint32_t num) bql_unlock(); r =3D 0; break; + case 0x508: + /* secure ipl operations */ + bql_lock(); + handle_diag_508(env, r1, r3, GETPC()); + bql_unlock(); + r =3D 0; + break; default: r =3D -1; break; --=20 2.51.1
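Review bot: in the target/s390x/diag.c hunk, the DIAG_508_SUBC_QUERY_SUBC case of handle_diag_508() sets rc to 0 and that is what lands in env->regs[r1 + 1], while the s390x-secure-ipl.rst hunk says subcode 0 returns a 64-bit mask of supported subcodes. As written the guest reads an empty mask, and rc is declared int rather than uint64_t. Either return a mask with the query bit set (the DIAG 320 handler advertises DIAG_320_ISM_QUERY_SUBCODES in its own mask) or state in the doc that a zero mask is intended at this point in the series, and define the bit numbering.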
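Review bot: the new DIAGNOSE 508 section in the docs/specs/s390x-secure-ipl.rst hunk does not describe the register interface or the program exceptions the handler raises. handle_diag_508() reads the subcode from r3, requires r1 to be even, rejects subcodes with bits set above the low 16, raises PGM_PRIVILEGED in problem state, and raises PGM_SPECIFICATION for an unknown subcode, whereas the DIAG 320 handler returns DIAG_320_RC_NOT_SUPPORTED in that case. Please document these conditions so guest code can probe for subcodes safely.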
From: Zhuoying Cai
To: thuth@redhat.com, berrange@redhat.com, richard.henderson@linaro.org, david@redhat.com, jrossi@linux.ibm.com, qemu-s390x@nongnu.org, qemu-devel@nongnu.org, brueckner@linux.ibm.com
Cc: walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com
Subject: [PATCH v7 11/29] crypto/x509-utils: Add helper functions for DIAG 508 subcode 1
Date: Mon, 8 Dec 2025 16:32:28 -0500
Message-ID: <20251208213247.702569-12-zycai@linux.ibm.com>
In-Reply-To: <20251208213247.702569-1-zycai@linux.ibm.com>
References: <20251208213247.702569-1-zycai@linux.ibm.com>
Content-Transfer-Encoding: quoted-printable

Introduce helper functions to support signature verification required by DIAG 508 subcode 1:

qcrypto_pkcs7_convert_sig_pem() – converts a signature from DER to PEM format
qcrypto_x509_verify_sig() – verifies the provided data against the given signature

These functions enable basic signature verification support.

Signed-off-by: Zhuoying Cai
---
 crypto/x509-utils.c | 108 ++++++++++++++++++++++++++++++++++++
 include/crypto/x509-utils.h | 41 ++++++++++++++
 2 files changed, 149 insertions(+)
diff --git a/crypto/x509-utils.c b/crypto/x509-utils.c index f91fa56563..370df8dabd 100644 --- a/crypto/x509-utils.c +++ b/crypto/x509-utils.c @@ -16,6 +16,7 @@ #include #include #include +#include =20 static const int qcrypto_to_gnutls_hash_alg_map[QCRYPTO_HASH_ALGO__MAX] = =3D { [QCRYPTO_HASH_ALGO_MD5] =3D GNUTLS_DIG_MD5, 
@@ -341,6 +342,96 @@ int qcrypto_x509_check_ecc_curve_p521(uint8_t *cert, s= ize_t size, Error **errp) return 0; } =20 +int qcrypto_pkcs7_convert_sig_pem(uint8_t *sig, size_t sig_size, + uint8_t **result, size_t *resultlen, + Error **errp) +{ + int ret =3D -1; + int rc; + gnutls_pkcs7_t signature; + gnutls_datum_t sig_datum_der =3D {.data =3D sig, .size =3D sig_size}; + gnutls_datum_t sig_datum_pem =3D {.data =3D NULL, .size =3D 0}; + + rc =3D gnutls_pkcs7_init(&signature); + if (rc < 0) { + error_setg(errp, "Failed to initalize pkcs7 data: %s", gnutls_stre= rror(rc)); + return ret; + } + + rc =3D gnutls_pkcs7_import(signature, &sig_datum_der, GNUTLS_X509_FMT_= DER); + if (rc !=3D 0) { + error_setg(errp, "Failed to import signature: %s", gnutls_strerror= (rc)); + goto cleanup; + } + + rc =3D gnutls_pkcs7_export2(signature, GNUTLS_X509_FMT_PEM, &sig_datum= _pem); + if (rc !=3D 0) { + error_setg(errp, "Failed to convert signature to PEM format: %s", + gnutls_strerror(rc)); + goto cleanup; + } + + *resultlen =3D sig_datum_pem.size; + *result =3D g_memdup2(sig_datum_pem.data, sig_datum_pem.size); + + ret =3D 0; + +cleanup: + gnutls_pkcs7_deinit(signature); + gnutls_free(sig_datum_pem.data); + return ret; +} + +int qcrypto_x509_verify_sig(uint8_t *cert, size_t cert_size, + uint8_t *comp, size_t comp_size, + uint8_t *sig, size_t sig_size, Error **errp) +{ + int rc; + int ret =3D -1; + gnutls_x509_crt_t crt =3D NULL; + gnutls_pkcs7_t signature =3D NULL; + gnutls_datum_t cert_datum =3D {.data =3D cert, .size =3D cert_size}; + gnutls_datum_t data_datum =3D {.data =3D comp, .size =3D comp_size}; + gnutls_datum_t sig_datum =3D {.data =3D sig, .size =3D sig_size}; + + rc =3D gnutls_x509_crt_init(&crt); + if (rc < 0) { + error_setg(errp, "Failed to initialize certificate: %s", gnutls_st= rerror(rc)); + goto cleanup; + } + + rc =3D gnutls_x509_crt_import(crt, &cert_datum, GNUTLS_X509_FMT_PEM); + if (rc !=3D 0) { + error_setg(errp, "Failed to import certificate: %s", 
gnutls_strerr= or(rc)); + goto cleanup; + } + + rc =3D gnutls_pkcs7_init(&signature); + if (rc < 0) { + error_setg(errp, "Failed to initalize pkcs7 data: %s", gnutls_stre= rror(rc)); + goto cleanup; + } + + rc =3D gnutls_pkcs7_import(signature, &sig_datum , GNUTLS_X509_FMT_PEM= ); + if (rc !=3D 0) { + error_setg(errp, "Failed to import signature: %s", gnutls_strerror= (rc)); + goto cleanup; + } + + rc =3D gnutls_pkcs7_verify_direct(signature, crt, 0, &data_datum, 0); + if (rc !=3D 0) { + error_setg(errp, "Failed to verify signature: %s", gnutls_strerror= (rc)); + goto cleanup; + } + + ret =3D 0; + +cleanup: + gnutls_x509_crt_deinit(crt); + gnutls_pkcs7_deinit(signature); + return ret; +} + #else /* ! CONFIG_GNUTLS */ =20 int qcrypto_get_x509_cert_fingerprint(uint8_t *cert, size_t size, @@ -390,4 +481,21 @@ int qcrypto_x509_check_ecc_curve_p521(uint8_t *cert, s= ize_t size, Error **errp) return -1; } =20 +int qcrypto_pkcs7_convert_sig_pem(uint8_t *sig, size_t sig_size, + uint8_t **result, + size_t *resultlen, + Error **errp) +{ + error_setg(errp, "GNUTLS is required to export pkcs7 signature"); + return -1; +} + +int qcrypto_x509_verify_sig(uint8_t *cert, size_t cert_size, + uint8_t *comp, size_t comp_size, + uint8_t *sig, size_t sig_size, Error **errp) +{ + error_setg(errp, "GNUTLS is required for signature-verification suppor= t"); + return -1; +} + #endif /* ! CONFIG_GNUTLS */ diff --git a/include/crypto/x509-utils.h b/include/crypto/x509-utils.h index f65be67a2c..a0fb3c6ebf 100644 --- a/include/crypto/x509-utils.h +++ b/include/crypto/x509-utils.h 
@@ -113,4 +113,45 @@ int qcrypto_x509_get_cert_key_id(uint8_t *cert, size_t= size, */ int qcrypto_x509_check_ecc_curve_p521(uint8_t *cert, size_t size, Error **= errp); =20 +/** + * qcrypto_pkcs7_convert_sig_pem + * @sig: pointer to the PKCS#7 signature in DER format + * @sig_size: size of the signature + * @result: output location for the allocated buffer for the signature in + * PEM format + * (the function allocates memory which must be freed by the call= er) + * @resultlen: pointer to the size of the buffer + * (will be updated with the actual size of the PEM-encoded + * signature) + * @errp: error pointer + * + * Convert given PKCS#7 @sig from DER to PEM format. + * + * Returns: 0 if PEM-encoded signature was successfully stored in @result, + * -1 on error. + */ +int qcrypto_pkcs7_convert_sig_pem(uint8_t *sig, size_t sig_size, + uint8_t **result, + size_t *resultlen, + Error **errp); + +/** + * qcrypto_x509_verify_sig + * @cert: pointer to the raw certificate data + * @cert_size: size of the certificate + * @comp: pointer to the component to be verified + * @comp_size: size of the component + * @sig: pointer to the signature + * @sig_size: size of the signature + * @errp: error pointer + * + * Verify the provided @comp against the @sig and @cert. + * + * Returns: 0 on success, + * -1 on error. 
+ */ +int qcrypto_x509_verify_sig(uint8_t *cert, size_t cert_size, + uint8_t *comp, size_t comp_size, + uint8_t *sig, size_t sig_size, Error **errp); + #endif --=20 2.51.1
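Review bot: in the crypto/x509-utils.c hunk, qcrypto_x509_verify_sig() calls gnutls_pkcs7_verify_direct(signature, crt, 0, &data_datum, 0), which checks only signer index 0 against the supplied certificate, passes no flags, and does not validate a chain or the signer's key purpose. If that is intentional because the certificate store is the trust anchor, say so in a comment and in the header doc; otherwise a PKCS#7 blob carrying several signers is only ever tried on its first. Both pkcs7 init error strings also read "Failed to initalize" where "initialize" is meant.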
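Review bot: in the include/crypto/x509-utils.h hunk, the qcrypto_x509_verify_sig() doc comment describes @cert as "the raw certificate data" and @sig as "the signature" without naming an encoding, but the implementation imports both with GNUTLS_X509_FMT_PEM, so a caller passing DER gets an import error. State the required format on the @cert and @sig lines, or take a format argument. Since qcrypto_pkcs7_convert_sig_pem() already imports the signature with GNUTLS_X509_FMT_DER, it is also worth asking whether the DER-to-PEM round trip is needed at all.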
From: Zhuoying Cai
To: thuth@redhat.com, berrange@redhat.com, richard.henderson@linaro.org, david@redhat.com, jrossi@linux.ibm.com, qemu-s390x@nongnu.org, qemu-devel@nongnu.org, brueckner@linux.ibm.com
Cc: walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com
Subject: [PATCH v7 12/29] s390x/diag: Implement DIAG 508 subcode 1 for signature verification
Date: Mon, 8 Dec 2025 16:32:29 -0500
Message-ID: <20251208213247.702569-13-zycai@linux.ibm.com>
In-Reply-To: <20251208213247.702569-1-zycai@linux.ibm.com>
References: <20251208213247.702569-1-zycai@linux.ibm.com>
Content-Transfer-Encoding: quoted-printable

From: Collin Walling

DIAG 508 subcode 1 performs signature-verification on signed components. A signed component may be a Linux kernel image, or any other signed binary. **Verification of initrd is not supported.**

The instruction call expects two item-pairs: an address of a device component, an address of the analogous signature file (in PKCS#7 DER format), and their respective lengths. All of this data should be encapsulated within a Diag508SigVerifBlock.

The DIAG handler will read from the provided addresses to retrieve the necessary data, parse the signature file, then perform the signature-verification. Because there is no way to correlate a specific certificate to a component, each certificate in the store is tried until either verification succeeds, or all certs have been exhausted.

A return code of 1 indicates success, and the index and length of the corresponding certificate will be set in the Diag508SigVerifBlock. The following values indicate failure:

    0x0102: no certificates are available in the store
    0x0202: component data is invalid
    0x0302: PKCS#7 format signature is invalid
    0x0402: signature-verification failed
    0x0502: length of Diag508SigVerifBlock is invalid

Signed-off-by: Collin Walling
Signed-off-by: Zhuoying Cai
---
 docs/specs/s390x-secure-ipl.rst | 17 ++++++
 include/hw/s390x/ipl/diag508.h | 26 ++++++++
 target/s390x/diag.c | 103 +++++++++++++++++++++++++++++++-
 3 files changed, 145 insertions(+), 1 deletion(-)
diff --git a/docs/specs/s390x-secure-ipl.rst b/docs/specs/s390x-secure-ipl.= rst index 84a1691e1b..be98dc143d 100644 --- a/docs/specs/s390x-secure-ipl.rst +++ b/docs/specs/s390x-secure-ipl.rst 
@@ -69,3 +69,20 @@ that requires assistance from QEMU. =20 Subcode 0 - query installed subcodes Returns a 64-bit mask indicating which subcodes are supported. + +Subcode 1 - perform signature verification + Perform signature-verification on a signed component, using certificat= es + from the certificate store and leveraging qcrypto libraries to perform + this operation. + + Note: verification of initrd is not supported. + + A return code of 1 indicates success, and the index and length of the + corresponding certificate will be set in the Diag508SigVerifBlock. + The following values indicate failure: + + * ``0x0102``: no certificates are available in the store + * ``0x0202``: component data is invalid + * ``0x0302``: PKCS#7 format signature is invalid + * ``0x0402``: signature-verification failed + * ``0x0502``: length of Diag508SigVerifBlock is invalid diff --git a/include/hw/s390x/ipl/diag508.h b/include/hw/s390x/ipl/diag508.h index 6281ad8299..9c493f7273 100644 --- a/include/hw/s390x/ipl/diag508.h +++ b/include/hw/s390x/ipl/diag508.h @@ -11,5 +11,31 @@ #define S390X_DIAG508_H =20 #define DIAG_508_SUBC_QUERY_SUBC 0x0000 +#define DIAG_508_SUBC_SIG_VERIF 0x8000 + +#define DIAG_508_RC_OK 0x0001 +#define DIAG_508_RC_NO_CERTS 0x0102 +#define DIAG_508_RC_INVAL_COMP_DATA 0x0202 +#define DIAG_508_RC_INVAL_PKCS7_SIG 0x0302 +#define DIAG_508_RC_FAIL_VERIF 0x0402 +#define DIAG_508_RC_INVAL_LEN 0x0502 + +#define DIAG_508_MAX_COMP_LEN 0x10000000 +#define DIAG_508_MAX_SIG_LEN 4096 + +struct Diag508SigVerifBlock { + uint32_t length; + uint8_t reserved0[3]; + uint8_t version; + uint32_t reserved[2]; + uint8_t cert_store_index; + uint8_t reserved1[7]; + uint64_t cert_len; + uint64_t comp_len; + uint64_t comp_addr; + uint64_t sig_len; + uint64_t sig_addr; +}; +typedef struct Diag508SigVerifBlock Diag508SigVerifBlock; =20 #endif diff --git a/target/s390x/diag.c b/target/s390x/diag.c index 5878745eb9..c7a6d4a321 100644 --- a/target/s390x/diag.c +++ b/target/s390x/diag.c 
@@ -630,9 +630,102 @@ void handle_diag_320(CPUS390XState *env, uint64_t r1,= uint64_t r3, uintptr_t ra) } } =20 +static bool diag_508_verify_sig(uint8_t *cert, size_t cert_size, + uint8_t *comp, size_t comp_size, + uint8_t *sig, size_t sig_size) +{ + g_autofree uint8_t *sig_pem =3D NULL; + size_t sig_size_pem; + int rc; + + /* + * PKCS#7 signature with DER format + * Convert to PEM format for signature verification + * + * Ignore errors during qcrypto signature format conversion and verifi= cation + * Return false on any error, treating it as a verification failure + */ + rc =3D qcrypto_pkcs7_convert_sig_pem(sig, sig_size, &sig_pem, &sig_siz= e_pem, NULL); + if (rc < 0) { + return false; + } + + rc =3D qcrypto_x509_verify_sig(cert, cert_size, + comp, comp_size, + sig_pem, sig_size_pem, NULL); + if (rc < 0) { + return false; + } + + return true; +} + +static int handle_diag508_sig_verif(uint64_t addr) +{ + int verified; + uint32_t svb_len; + uint64_t comp_len, comp_addr; + uint64_t sig_len, sig_addr; + g_autofree uint8_t *comp =3D NULL; + g_autofree uint8_t *sig =3D NULL; + g_autofree Diag508SigVerifBlock *svb =3D NULL; + size_t svb_size =3D sizeof(Diag508SigVerifBlock); + S390IPLCertificateStore *qcs =3D s390_ipl_get_certificate_store(); + + if (!qcs->count) { + return DIAG_508_RC_NO_CERTS; + } + + svb =3D g_new0(Diag508SigVerifBlock, 1); + cpu_physical_memory_read(addr, svb, svb_size); + + svb_len =3D be32_to_cpu(svb->length); + if (svb_len !=3D svb_size) { + return DIAG_508_RC_INVAL_LEN; + } + + comp_len =3D be64_to_cpu(svb->comp_len); + comp_addr =3D be64_to_cpu(svb->comp_addr); + sig_len =3D be64_to_cpu(svb->sig_len); + sig_addr =3D be64_to_cpu(svb->sig_addr); + + if (!comp_len || comp_len > DIAG_508_MAX_COMP_LEN || !comp_addr) { + return DIAG_508_RC_INVAL_COMP_DATA; + } + + if (!sig_len || sig_len > DIAG_508_MAX_SIG_LEN || !sig_addr) { + return DIAG_508_RC_INVAL_PKCS7_SIG; + } + + comp =3D g_malloc0(comp_len); + cpu_physical_memory_read(comp_addr, comp, 
comp_len); + + sig =3D g_malloc0(sig_len); + cpu_physical_memory_read(sig_addr, sig, sig_len); + + for (int i =3D 0; i < qcs->count; i++) { + verified =3D diag_508_verify_sig(qcs->certs[i].raw, + qcs->certs[i].size, + comp, comp_len, + sig, sig_len); + if (verified) { + svb->cert_store_index =3D i; + svb->cert_len =3D cpu_to_be64(qcs->certs[i].der_size); + cpu_physical_memory_write(addr, svb, svb_size); + return DIAG_508_RC_OK; + } + } + + return DIAG_508_RC_FAIL_VERIF; +} + +QEMU_BUILD_BUG_MSG(sizeof(Diag508SigVerifBlock) !=3D 64, + "size of Diag508SigVerifBlock is wrong"); + void handle_diag_508(CPUS390XState *env, uint64_t r1, uint64_t r3, uintptr= _t ra) { uint64_t subcode =3D env->regs[r3]; + uint64_t addr =3D env->regs[r1]; int rc; =20 if (env->psw.mask & PSW_MASK_PSTATE) { 
@@ -647,7 +740,15 @@ void handle_diag_508(CPUS390XState *env, uint64_t r1, = uint64_t r3, uintptr_t ra) =20 switch (subcode) { case DIAG_508_SUBC_QUERY_SUBC: - rc =3D 0; + rc =3D DIAG_508_SUBC_SIG_VERIF; + break; + case DIAG_508_SUBC_SIG_VERIF: + if (!diag_parm_addr_valid(addr, sizeof(Diag508SigVerifBlock), true= )) { + s390_program_interrupt(env, PGM_ADDRESSING, ra); + return; + } + + rc =3D handle_diag508_sig_verif(addr); break; default: s390_program_interrupt(env, PGM_SPECIFICATION, ra); --=20 2.51.1
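Review bot: in the docs/specs/s390x-secure-ipl.rst hunk, the entry for 0x0302 ("PKCS#7 format signature is invalid") does not match what target/s390x/diag.c returns. handle_diag508_sig_verif() uses DIAG_508_RC_INVAL_PKCS7_SIG only for a zero or oversized sig_len or a zero sig_addr, while a signature that fails qcrypto_pkcs7_convert_sig_pem() falls through to 0x0402. Either document 0x0302 as a length/address error or return it when the conversion fails. The text also calls this "Subcode 1" while DIAG_508_SUBC_SIG_VERIF is 0x8000, so state the value the guest actually passes in r3.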
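Review bot: cert_store_index in Diag508SigVerifBlock (include/hw/s390x/ipl/diag508.h hunk) is a uint8_t, but handle_diag508_sig_verif() stores the int loop index i into it and nothing in the visible lines bounds qcs->count to 256, so a larger store would report a truncated index to the guest. Add a bound check or a build-time assertion on the store size, or a comment saying why it cannot happen. The version and reserved fields are also never read by the handler; if the block is meant to be versioned, reject unknown values now so the field can be relied on later.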
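Review bot: in the first target/s390x/diag.c hunk, handle_diag508_sig_verif() sizes a host allocation directly from the guest-supplied comp_len: g_malloc0(comp_len) can be asked for up to DIAG_508_MAX_COMP_LEN (256 MiB) per call, zero-fills the buffer before it is overwritten, and aborts QEMU if the allocation fails. Use g_try_malloc() and return a failure code instead. comp_addr and sig_addr are only tested for non-zero; the ranges they describe are not passed through diag_parm_addr_valid() the way the block address is in handle_diag_508(), so cpu_physical_memory_read() runs on unchecked guest addresses. Separately, diag_508_verify_sig() repeats the DER-to-PEM conversion for every certificate in the loop; convert once before the loop.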
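Review bot: the DIAG_508_SUBC_QUERY_SUBC case in the second target/s390x/diag.c hunk returns DIAG_508_SUBC_SIG_VERIF as the installed-subcodes mask, so one constant is both the subcode number compared against r3 and a bit in the query result. A separate mask definition, or a comment in diag508.h that the subcode value is its own mask bit, would keep a later subcode from breaking this silently. rc is also an int while the spec text describes a 64-bit mask.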
From: Zhuoying Cai
To: thuth@redhat.com, berrange@redhat.com, richard.henderson@linaro.org, david@redhat.com, jrossi@linux.ibm.com, qemu-s390x@nongnu.org, qemu-devel@nongnu.org, brueckner@linux.ibm.com
Cc: walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com
Subject: [PATCH v7 13/29] pc-bios/s390-ccw: Introduce IPL Information Report Block (IIRB)
Date: Mon, 8 Dec 2025 16:32:30 -0500
Message-ID: <20251208213247.702569-14-zycai@linux.ibm.com>
In-Reply-To: <20251208213247.702569-1-zycai@linux.ibm.com>
References: <20251208213247.702569-1-zycai@linux.ibm.com>
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

The IPL information report block (IIRB) contains information used to locate IPL records and to report the results of signature verification of one or more secure components of the load device. IIRB is stored immediately following the IPL Parameter Block. Results on component verification in any case (failure or success) are stored.

Signed-off-by: Zhuoying Cai
---
 docs/specs/s390x-secure-ipl.rst | 13 +++++++
 pc-bios/s390-ccw/iplb.h | 62 +++++++++++++++++++++++++++++++++
 2 files changed, 75 insertions(+)
diff --git a/docs/specs/s390x-secure-ipl.rst b/docs/specs/s390x-secure-ipl.= rst index be98dc143d..29c5d59b99 100644 
--- a/docs/specs/s390x-secure-ipl.rst +++ b/docs/specs/s390x-secure-ipl.rst @@ -86,3 +86,16 @@ Subcode 1 - perform signature verification * ``0x0302``: PKCS#7 format signature is invalid * ``0x0402``: signature-verification failed * ``0x0502``: length of Diag508SigVerifBlock is invalid + +IPL Information Report Block +---------------------------- + +The IPL Parameter Block (IPLPB), utilized for IPL operation, is extended w= ith an +IPL Information Report Block (IIRB), which contains the results from secur= e IPL +operations such as: + +* component data +* verification results +* certificate data + +The guest kernel will inspect the IIRB and build the keyring. diff --git a/pc-bios/s390-ccw/iplb.h b/pc-bios/s390-ccw/iplb.h index 08f259ff31..cc3ecc69e5 100644 --- a/pc-bios/s390-ccw/iplb.h +++ b/pc-bios/s390-ccw/iplb.h 
@@ -23,6 +23,68 @@ extern QemuIplParameters qipl; extern IplParameterBlock iplb __attribute__((__aligned__(PAGE_SIZE))); extern bool have_iplb; =20 +struct IplInfoReportBlockHeader { + uint32_t len; + uint8_t iirb_flags; + uint8_t reserved1[2]; + uint8_t version; + uint8_t reserved2[8]; +}; +typedef struct IplInfoReportBlockHeader IplInfoReportBlockHeader; + +struct IplInfoBlockHeader { + uint32_t len; + uint8_t ibt; + uint8_t reserved1[3]; + uint8_t reserved2[8]; +}; +typedef struct IplInfoBlockHeader IplInfoBlockHeader; + +enum IplIbt { + IPL_IBT_CERTIFICATES =3D 1, + IPL_IBT_COMPONENTS =3D 2, +}; + +struct IplSignatureCertificateEntry { + uint64_t addr; + uint64_t len; +}; +typedef struct IplSignatureCertificateEntry IplSignatureCertificateEntry; + +struct IplSignatureCertificateList { + IplInfoBlockHeader ipl_info_header; + IplSignatureCertificateEntry cert_entries[MAX_CERTIFICATES]; +}; +typedef struct IplSignatureCertificateList IplSignatureCertificateList; + +#define S390_IPL_COMPONENT_FLAG_SC 0x80 +#define S390_IPL_COMPONENT_FLAG_CSV 0x40 + +struct IplDeviceComponentEntry { + uint64_t addr; + uint64_t len; + uint8_t flags; + uint8_t reserved1[5]; + uint16_t cert_index; + uint8_t reserved2[8]; +}; +typedef struct IplDeviceComponentEntry IplDeviceComponentEntry; + +struct IplDeviceComponentList { + IplInfoBlockHeader ipl_info_header; + IplDeviceComponentEntry device_entries[MAX_CERTIFICATES]; +}; +typedef struct IplDeviceComponentList IplDeviceComponentList; + +#define COMP_LIST_MAX sizeof(IplDeviceComponentList) +#define CERT_LIST_MAX sizeof(IplSignatureCertificateList) + +struct IplInfoReportBlock { + IplInfoReportBlockHeader hdr; + uint8_t info_blks[COMP_LIST_MAX + CERT_LIST_MAX]; +}; +typedef struct IplInfoReportBlock IplInfoReportBlock; + #define S390_IPL_TYPE_FCP 0x00 #define S390_IPL_TYPE_CCW 0x02 #define S390_IPL_TYPE_QEMU_SCSI 0xff --=20 2.51.1
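Review bot: the new "IPL Information Report Block" section in the docs/specs/s390x-secure-ipl.rst hunk abbreviates the IPL Parameter Block as IPLPB, while the code and the rest of the series use IPLB (iplb.h, IplParameterBlock, and "IPLB" in the next patch's message); use one abbreviation. The section would also be more useful if it named the two block types added in iplb.h (IPL_IBT_CERTIFICATES, IPL_IBT_COMPONENTS) and said what the component flags mean, since the guest kernel is expected to parse this layout.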
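Review bot: device_entries[] in IplDeviceComponentList (pc-bios/s390-ccw/iplb.h hunk) is sized with MAX_CERTIFICATES, which ties the number of reportable components to the number of certificates; give it its own limit or add a comment explaining why the two are equal. S390_IPL_COMPONENT_FLAG_SC and S390_IPL_COMPONENT_FLAG_CSV have no comment saying what the bits mean, and cert_index here is uint16_t while Diag508SigVerifBlock.cert_store_index in the previous patch is uint8_t. These structures are a guest-visible layout, so a build-time size assertion on each, as was done for Diag508SigVerifBlock, would catch accidental padding.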
From: Zhuoying Cai
To: thuth@redhat.com, berrange@redhat.com, richard.henderson@linaro.org, david@redhat.com, jrossi@linux.ibm.com, qemu-s390x@nongnu.org, qemu-devel@nongnu.org, brueckner@linux.ibm.com
Cc: walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com
Subject: [PATCH v7 14/29] pc-bios/s390-ccw: Define memory for IPLB and convert IPLB to pointers
Date: Mon, 8 Dec 2025 16:32:31 -0500
Message-ID: <20251208213247.702569-15-zycai@linux.ibm.com>
In-Reply-To: <20251208213247.702569-1-zycai@linux.ibm.com>
References: <20251208213247.702569-1-zycai@linux.ibm.com>
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

Define a memory space for both IPL Parameter Block (IPLB) and IPL Information Report Block (IIRB) since IIRB is stored immediately following IPLB.

Convert IPLB to pointer and it points to the start of the defined memory space. IIRB points to the end of IPLB.

Signed-off-by: Zhuoying Cai
---
 pc-bios/s390-ccw/iplb.h | 13 +++++++++++--
 pc-bios/s390-ccw/jump2ipl.c | 6 +++---
 pc-bios/s390-ccw/main.c | 34 +++++++++++++++++++---------------
 pc-bios/s390-ccw/netmain.c | 8 ++++----
 4 files changed, 37 insertions(+), 24 deletions(-)
diff --git a/pc-bios/s390-ccw/iplb.h b/pc-bios/s390-ccw/iplb.h index cc3ecc69e5..a0f58d125c 100644 
--- a/pc-bios/s390-ccw/iplb.h +++ b/pc-bios/s390-ccw/iplb.h @@ -20,7 +20,7 @@ #include =20 extern QemuIplParameters qipl; -extern IplParameterBlock iplb __attribute__((__aligned__(PAGE_SIZE))); +extern IplParameterBlock *iplb; extern bool have_iplb; =20 struct IplInfoReportBlockHeader { @@ -85,6 +85,15 @@ struct IplInfoReportBlock { }; typedef struct IplInfoReportBlock IplInfoReportBlock; =20 +struct IplBlocks { + IplParameterBlock iplb; + IplInfoReportBlock iirb; +}; +typedef struct IplBlocks IplBlocks; + +/* extern only allowed in header file */ +extern IplBlocks ipl_data __attribute__((__aligned__(PAGE_SIZE))); + #define S390_IPL_TYPE_FCP 0x00 #define S390_IPL_TYPE_CCW 0x02 #define S390_IPL_TYPE_QEMU_SCSI 0xff @@ -127,7 +136,7 @@ static inline bool load_next_iplb(void) =20 qipl.index++; next_iplb =3D (IplParameterBlock *) qipl.next_iplb; - memcpy(&iplb, next_iplb, sizeof(IplParameterBlock)); + memcpy(iplb, next_iplb, sizeof(IplParameterBlock)); =20 qipl.chain_len--; qipl.next_iplb =3D qipl.next_iplb + sizeof(IplParameterBlock); diff --git a/pc-bios/s390-ccw/jump2ipl.c b/pc-bios/s390-ccw/jump2ipl.c index 86321d0f46..fa2ca5cbe1 100644 --- a/pc-bios/s390-ccw/jump2ipl.c +++ b/pc-bios/s390-ccw/jump2ipl.c @@ -43,11 +43,11 @@ int jump_to_IPL_code(uint64_t address) * The IPLB for QEMU SCSI type devices must be rebuilt during re-ipl. = The * iplb.devno is set to the boot position of the target SCSI device. */ - if (iplb.pbt =3D=3D S390_IPL_TYPE_QEMU_SCSI) { - iplb.devno =3D qipl.index; + if (iplb->pbt =3D=3D S390_IPL_TYPE_QEMU_SCSI) { + iplb->devno =3D qipl.index; } =20 - if (have_iplb && !set_iplb(&iplb)) { + if (have_iplb && !set_iplb(iplb)) { panic("Failed to set IPLB"); } =20 diff --git a/pc-bios/s390-ccw/main.c b/pc-bios/s390-ccw/main.c index 76bf743900..c9328f1c51 100644 --- a/pc-bios/s390-ccw/main.c +++ b/pc-bios/s390-ccw/main.c 
@@ -22,7 +22,9 @@ static SubChannelId blk_schid =3D { .one =3D 1 }; static char loadparm_str[LOADPARM_LEN + 1]; QemuIplParameters qipl; -IplParameterBlock iplb __attribute__((__aligned__(PAGE_SIZE))); +/* Ensure that IPLB and IIRB are page aligned and sequential in memory */ +IplBlocks ipl_data; +IplParameterBlock *iplb; bool have_iplb; static uint16_t cutype; LowCore *lowcore; /* Yes, this *is* a pointer to address 0 */ @@ -51,7 +53,7 @@ void write_subsystem_identification(void) void write_iplb_location(void) { if (cutype =3D=3D CU_TYPE_VIRTIO && virtio_get_device_type() !=3D VIRT= IO_ID_NET) { - lowcore->ptr_iplb =3D ptr2u32(&iplb); + lowcore->ptr_iplb =3D ptr2u32(iplb); } } =20 @@ -162,7 +164,7 @@ static void menu_setup(void) return; } =20 - switch (iplb.pbt) { + switch (iplb->pbt) { case S390_IPL_TYPE_CCW: case S390_IPL_TYPE_QEMU_SCSI: menu_set_parms(qipl.qipl_flags & BOOT_MENU_FLAG_MASK, @@ -191,8 +193,8 @@ static void boot_setup(void) { char lpmsg[] =3D "LOADPARM=3D[________]\n"; =20 - if (have_iplb && memcmp(iplb.loadparm, NO_LOADPARM, LOADPARM_LEN) !=3D= 0) { - ebcdic_to_ascii((char *) iplb.loadparm, loadparm_str, LOADPARM_LEN= ); + if (have_iplb && memcmp(iplb->loadparm, NO_LOADPARM, LOADPARM_LEN) != =3D 0) { + ebcdic_to_ascii((char *) iplb->loadparm, loadparm_str, LOADPARM_LE= N); } else { sclp_get_loadparm_ascii(loadparm_str); } 
@@ -216,21 +218,21 @@ static bool find_boot_device(void) VDev *vdev =3D virtio_get_device(); bool found =3D false; =20 - switch (iplb.pbt) { + switch (iplb->pbt) { case S390_IPL_TYPE_CCW: vdev->scsi_device_selected =3D false; - debug_print_int("device no. ", iplb.ccw.devno); - blk_schid.ssid =3D iplb.ccw.ssid & 0x3; + debug_print_int("device no. ", iplb->ccw.devno); + blk_schid.ssid =3D iplb->ccw.ssid & 0x3; debug_print_int("ssid ", blk_schid.ssid); - found =3D find_subch(iplb.ccw.devno); + found =3D find_subch(iplb->ccw.devno); break; case S390_IPL_TYPE_QEMU_SCSI: vdev->scsi_device_selected =3D true; - vdev->selected_scsi_device.channel =3D iplb.scsi.channel; - vdev->selected_scsi_device.target =3D iplb.scsi.target; - vdev->selected_scsi_device.lun =3D iplb.scsi.lun; - blk_schid.ssid =3D iplb.scsi.ssid & 0x3; - found =3D find_subch(iplb.scsi.devno); + vdev->selected_scsi_device.channel =3D iplb->scsi.channel; + vdev->selected_scsi_device.target =3D iplb->scsi.target; + vdev->selected_scsi_device.lun =3D iplb->scsi.lun; + blk_schid.ssid =3D iplb->scsi.ssid & 0x3; + found =3D find_subch(iplb->scsi.devno); break; default: puts("Unsupported IPLB"); @@ -311,10 +313,12 @@ static void probe_boot_device(void) =20 void main(void) { + iplb =3D &ipl_data.iplb; + copy_qipl(); sclp_setup(); css_setup(); - have_iplb =3D store_iplb(&iplb); + have_iplb =3D store_iplb(iplb); if (!have_iplb) { boot_setup(); probe_boot_device(); diff --git a/pc-bios/s390-ccw/netmain.c b/pc-bios/s390-ccw/netmain.c index a9521dff41..457fbc3095 100644 --- a/pc-bios/s390-ccw/netmain.c +++ b/pc-bios/s390-ccw/netmain.c 
@@ -528,11 +528,11 @@ static bool virtio_setup(void) */ enable_mss_facility(); =20 - if (have_iplb || store_iplb(&iplb)) { - IPL_assert(iplb.pbt =3D=3D S390_IPL_TYPE_CCW, "IPL_TYPE_CCW expect= ed"); - dev_no =3D iplb.ccw.devno; + if (have_iplb || store_iplb(iplb)) { + IPL_assert(iplb->pbt =3D=3D S390_IPL_TYPE_CCW, "IPL_TYPE_CCW expec= ted"); + dev_no =3D iplb->ccw.devno; debug_print_int("device no. ", dev_no); - net_schid.ssid =3D iplb.ccw.ssid & 0x3; + net_schid.ssid =3D iplb->ccw.ssid & 0x3; debug_print_int("ssid ", net_schid.ssid); found =3D find_net_dev(&schib, dev_no); } else { --=20 2.51.1 From nobody Sun Dec 14 06:42:53 2025 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass(p=reject dis=none) header.from=linux.ibm.com ARC-Seal: i=1; a=rsa-sha256; t=1765229818; cv=none; d=zohomail.com; s=zohoarc; b=AFdQXBcxz041EY58Lyjoy5U1zBezRyPJ4z452U0hven4HztytbapdPhRF9mt51uLmVxzkYOWMuymLHLWnjd5UJa+kiUSQ2bihD8+5lr44+t+MkDSf7KoYvAPAL5GQrmlthxlxbibOvQEcPZygxczWLbMS2LuNOsWaTDxQLqkslA= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1765229818; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=oRHoF6Wq0AKqQqLL22vxnOX3Y9l4J62BuzoU7Q+Mso4=; b=TSxKDbHMIWx8GxVXNlBWsjFWZlI3zXISb7kl3pxPynyWvfeka+0CHx3VhwN0imhks8PErTeQScNN9U5yoCMCHaD1d7diV/dDL9JRlO8AtwJkLJXHZyFCAnMvZzTmx+TT2nRXnfGVn4YkwzhQ3EOadFlBwHOj4WhAF4+T+sLkKbE= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass header.from= (p=reject dis=none) 
From: Zhuoying Cai
To: thuth@redhat.com, berrange@redhat.com, richard.henderson@linaro.org, david@redhat.com, jrossi@linux.ibm.com, qemu-s390x@nongnu.org, qemu-devel@nongnu.org, brueckner@linux.ibm.com
Cc: walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com
Subject: [PATCH v7 15/29] hw/s390x/ipl: Add IPIB flags to IPL Parameter Block
Date: Mon, 8 Dec 2025 16:32:32 -0500
Message-ID: <20251208213247.702569-16-zycai@linux.ibm.com>
In-Reply-To: <20251208213247.702569-1-zycai@linux.ibm.com>
References: <20251208213247.702569-1-zycai@linux.ibm.com>

Add IPIB flags to IPL Parameter Block to determine if IPL needs to perform securely and if IPL Information Report Block (IIRB) exists.

Move DIAG308 flags to a separate header file and add flags for secure IPL.

Secure boot in audit mode will perform if certificate(s) exist in the key store. IIRB will exist and results of verification will be stored in IIRB.

To ensure proper alignment of the IIRB and prevent overlap, set iplb->len to the maximum length of the IPLB, allowing alignment constraints to be determined based on its size.

Signed-off-by: Zhuoying Cai --- hw/s390x/ipl.c | 14 ++++++++++++++ hw/s390x/ipl.h | 18 +----------------- include/hw/s390x/ipl/diag308.h | 34 ++++++++++++++++++++++++++++++++++ include/hw/s390x/ipl/qipl.h | 5 ++++- 4 files changed, 53 insertions(+), 18 deletions(-) create mode 100644 include/hw/s390x/ipl/diag308.h diff --git a/hw/s390x/ipl.c b/hw/s390x/ipl.c index 38d5fff154..a95a1de647 100644 --- a/hw/s390x/ipl.c +++ b/hw/s390x/ipl.c @@ -496,6 +496,20 @@ static bool s390_build_iplb(DeviceState *dev_st, IplPa= rameterBlock *iplb) s390_ipl_convert_loadparm((char *)lp, iplb->loadparm); iplb->flags |=3D DIAG308_FLAGS_LP_VALID; =20 + /* + * Secure boot in audit mode will perform + * if certificate(s) exist in the key store. + * + * IPL Information Report Block (IIRB) will exist + * for secure boot in audit mode. + * + * Results of secure boot will be stored in IIRB. + */ + if (s390_has_certificate()) { + iplb->hdr_flags |=3D DIAG308_IPIB_FLAGS_IPLIR; + iplb->len =3D cpu_to_be32(S390_IPLB_MAX_LEN); + } + return true; } =20 diff --git a/hw/s390x/ipl.h b/hw/s390x/ipl.h index bee72dfbb3..9e67c9446a 100644 --- a/hw/s390x/ipl.h +++ b/hw/s390x/ipl.h @@ -23,7 +23,6 @@ #include "qom/object.h" #include "target/s390x/kvm/pv.h" =20 -#define DIAG308_FLAGS_LP_VALID 0x80 #define MAX_BOOT_DEVS 8 /* Max number of devices that may have a bootindex= */ =20 void s390_ipl_convert_loadparm(char *ascii_lp, uint8_t *ebcdic_lp); 
@@ -91,22 +90,6 @@ struct S390IPLState { }; QEMU_BUILD_BUG_MSG(offsetof(S390IPLState, iplb) & 3, "alignment of iplb wr= ong"); =20 -#define DIAG_308_RC_OK 0x0001 -#define DIAG_308_RC_NO_CONF 0x0102 -#define DIAG_308_RC_INVALID 0x0402 -#define DIAG_308_RC_NO_PV_CONF 0x0902 -#define DIAG_308_RC_INVAL_FOR_PV 0x0a02 - -#define DIAG308_RESET_MOD_CLR 0 -#define DIAG308_RESET_LOAD_NORM 1 -#define DIAG308_LOAD_CLEAR 3 -#define DIAG308_LOAD_NORMAL_DUMP 4 -#define DIAG308_SET 5 -#define DIAG308_STORE 6 -#define DIAG308_PV_SET 8 -#define DIAG308_PV_STORE 9 -#define DIAG308_PV_START 10 - #define S390_IPL_TYPE_FCP 0x00 #define S390_IPL_TYPE_CCW 0x02 #define S390_IPL_TYPE_PV 0x05 @@ -117,6 +100,7 @@ QEMU_BUILD_BUG_MSG(offsetof(S390IPLState, iplb) & 3, "a= lignment of iplb wrong"); #define S390_IPLB_MIN_CCW_LEN 200 #define S390_IPLB_MIN_FCP_LEN 384 #define S390_IPLB_MIN_QEMU_SCSI_LEN 200 +#define S390_IPLB_MAX_LEN 4096 =20 static inline bool iplb_valid_len(IplParameterBlock *iplb) { diff --git a/include/hw/s390x/ipl/diag308.h b/include/hw/s390x/ipl/diag308.h new file mode 100644 index 0000000000..6e62f29215 --- /dev/null +++ b/include/hw/s390x/ipl/diag308.h @@ -0,0 +1,34 @@ +/* + * S/390 DIAGNOSE 308 definitions and structures + * + * Copyright 2025 IBM Corp. + * Author(s): Zhuoying Cai + * + * SPDX-License-Identifier: GPL-2.0-or-later + */ + +#ifndef S390X_DIAG308_H +#define S390X_DIAG308_H + +#define DIAG_308_RC_OK 0x0001 +#define DIAG_308_RC_NO_CONF 0x0102 +#define DIAG_308_RC_INVALID 0x0402 +#define DIAG_308_RC_NO_PV_CONF 0x0902 +#define DIAG_308_RC_INVAL_FOR_PV 0x0a02 + +#define DIAG308_RESET_MOD_CLR 0 +#define DIAG308_RESET_LOAD_NORM 1 +#define DIAG308_LOAD_CLEAR 3 +#define DIAG308_LOAD_NORMAL_DUMP 4 +#define DIAG308_SET 5 +#define DIAG308_STORE 6 +#define DIAG308_PV_SET 8 +#define DIAG308_PV_STORE 9 +#define DIAG308_PV_START 10 + +#define DIAG308_FLAGS_LP_VALID 0x80 + +#define DIAG308_IPIB_FLAGS_SIPL 0x40 +#define DIAG308_IPIB_FLAGS_IPLIR 0x20 + +#endif 
diff --git a/include/hw/s390x/ipl/qipl.h b/include/hw/s390x/ipl/qipl.h index e505f44020..5c2bf3051c 100644 --- a/include/hw/s390x/ipl/qipl.h +++ b/include/hw/s390x/ipl/qipl.h @@ -12,6 +12,8 @@ #ifndef S390X_QIPL_H #define S390X_QIPL_H =20 +#include "diag308.h" + /* Boot Menu flags */ #define QIPL_FLAG_BM_OPTS_CMD 0x80 #define QIPL_FLAG_BM_OPTS_ZIPL 0x40 
@@ -103,7 +105,8 @@ typedef struct IplBlockQemuScsi IplBlockQemuScsi; union IplParameterBlock { struct { uint32_t len; - uint8_t reserved0[3]; + uint8_t hdr_flags; + uint8_t reserved0[2]; uint8_t version; uint32_t blk0_len; uint8_t pbt; --=20 2.51.1
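
Review bot: in s390_build_iplb(), the added comment explains the IPLIR flag but says nothing about `iplb->len = cpu_to_be32(S390_IPLB_MAX_LEN);`, which overwrites the length of a block that has already been built; the alignment reason appears only in the commit message. Please put that reason in the comment, because code that treats `len` as the size of valid data, such as iplb_valid_len() in ipl.h, will now see 4096 whenever a certificate is present.
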
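
Review bot: diag308.h lists `DIAG308_FLAGS_LP_VALID 0x80` directly above `DIAG308_IPIB_FLAGS_SIPL 0x40` and `DIAG308_IPIB_FLAGS_IPLIR 0x20`, yet ipl.c ORs the first into `iplb->flags` and the IPIB one into the new `iplb->hdr_flags`. The values do not overlap, so a flag written to the wrong byte would compile and go unnoticed; a one-line comment per group naming the field it belongs to, plus a comment on `hdr_flags` in union IplParameterBlock, would prevent that. DIAG308_IPIB_FLAGS_SIPL is also defined here without a user in this patch.
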
From: Zhuoying Cai
To: thuth@redhat.com, berrange@redhat.com, richard.henderson@linaro.org, david@redhat.com, jrossi@linux.ibm.com, qemu-s390x@nongnu.org, qemu-devel@nongnu.org, brueckner@linux.ibm.com
Cc: walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com
Subject: [PATCH v7 16/29] s390x: Guest support for Secure-IPL Facility
Date: Mon, 8 Dec 2025 16:32:33 -0500
Message-ID: <20251208213247.702569-17-zycai@linux.ibm.com>
In-Reply-To: <20251208213247.702569-1-zycai@linux.ibm.com>
References: <20251208213247.702569-1-zycai@linux.ibm.com>

Introduce Secure-IPL (SIPL) facility.

Use fac_ipl to represent bytes 136 and 137 for IPL device facilities of the SCLP Read Info block.

Availability of SIPL facility is determined by byte 136 bit 1 of the SCLP Read Info block. Byte 136's facilities cannot be represented without the availability of the extended-length-SCCB, so add it as a check for consistency.

Secure IPL is not available for guests under protected virtualization.

This feature is available starting with the gen16 CPU model.

Signed-off-by: Zhuoying Cai Reviewed-by: Collin Walling --- hw/s390x/sclp.c | 2 ++ include/hw/s390x/sclp.h | 4 +++- target/s390x/cpu_features.c | 4 ++++ target/s390x/cpu_features.h | 1 + target/s390x/cpu_features_def.h.inc | 3 +++ target/s390x/cpu_models.c | 2 ++ target/s390x/gen-features.c | 2 ++ target/s390x/kvm/kvm.c | 3 +++ 8 files changed, 20 insertions(+), 1 deletion(-) diff --git a/hw/s390x/sclp.c b/hw/s390x/sclp.c index c9a9c4bb37..4b3ce51867 100644 --- a/hw/s390x/sclp.c +++ b/hw/s390x/sclp.c @@ -146,6 +146,8 @@ static void read_SCP_info(SCLPDevice *sclp, SCCB *sccb) if (s390_has_feat(S390_FEAT_EXTENDED_LENGTH_SCCB)) { s390_get_feat_block(S390_FEAT_TYPE_SCLP_FAC134, &read_info->fac134); + s390_get_feat_block(S390_FEAT_TYPE_SCLP_FAC_IPL, + read_info->fac_ipl); } =20 read_info->facilities =3D cpu_to_be64(SCLP_HAS_CPU_INFO | diff --git a/include/hw/s390x/sclp.h b/include/hw/s390x/sclp.h index 33f01f85bb..f13d2ac9fc 100644 --- a/include/hw/s390x/sclp.h +++ b/include/hw/s390x/sclp.h @@ -136,7 +136,9 @@ typedef struct ReadInfo { uint32_t hmfai; uint8_t _reserved7[134 - 128]; /* 128-133 */ uint8_t fac134; - uint8_t _reserved8[144 - 135]; /* 135-143 */ + uint8_t _reserved8; + uint8_t fac_ipl[2]; /* 136-137 */ + uint8_t _reserved9[144 - 137]; /* 138-143 */ struct CPUEntry entries[]; /* * When the Extended-Length SCCB (ELS) feature is enabled the diff --git a/target/s390x/cpu_features.c b/target/s390x/cpu_features.c index 436471f4b4..200bd8c15b 100644 --- a/target/s390x/cpu_features.c +++ b/target/s390x/cpu_features.c @@ -119,6 +119,7 @@ void s390_fill_feat_block(const S390FeatBitmap features= , S390FeatType type, * Some facilities are not available for CPUs in protected mode: * - All SIE facilities because SIE is not available * - DIAG318 + * - Secure IPL Facility * * As VMs can move in and out of protected mode the CPU model * doesn't protect us from that problem because it is only 
@@ -149,6 +150,9 @@ void s390_fill_feat_block(const S390FeatBitmap features= , S390FeatType type, clear_be_bit(s390_feat_def(S390_FEAT_DIAG_318)->bit, data); clear_be_bit(s390_feat_def(S390_FEAT_CERT_STORE)->bit, data); break; + case S390_FEAT_TYPE_SCLP_FAC_IPL: + clear_be_bit(s390_feat_def(S390_FEAT_SIPL)->bit, data); + break; default: return; } diff --git a/target/s390x/cpu_features.h b/target/s390x/cpu_features.h index 5635839d03..b038198555 100644 --- a/target/s390x/cpu_features.h +++ b/target/s390x/cpu_features.h @@ -24,6 +24,7 @@ typedef enum { S390_FEAT_TYPE_SCLP_CONF_CHAR, S390_FEAT_TYPE_SCLP_CONF_CHAR_EXT, S390_FEAT_TYPE_SCLP_FAC134, + S390_FEAT_TYPE_SCLP_FAC_IPL, S390_FEAT_TYPE_SCLP_CPU, S390_FEAT_TYPE_MISC, S390_FEAT_TYPE_PLO, diff --git a/target/s390x/cpu_features_def.h.inc b/target/s390x/cpu_feature= s_def.h.inc index 941a69e013..55eef618b8 100644 --- a/target/s390x/cpu_features_def.h.inc +++ b/target/s390x/cpu_features_def.h.inc @@ -140,6 +140,9 @@ DEF_FEAT(SIE_IBS, "ibs", SCLP_CONF_CHAR_EXT, 10, "SIE: = Interlock-and-broadcast-s DEF_FEAT(DIAG_318, "diag318", SCLP_FAC134, 0, "Control program name and ve= rsion codes") DEF_FEAT(CERT_STORE, "cstore", SCLP_FAC134, 5, "Provide Certificate Store = functions") =20 +/* Features exposed via SCLP SCCB Facilities byte 136 - 137 (bit numbers r= elative to byte-136) */ +DEF_FEAT(SIPL, "sipl", SCLP_FAC_IPL, 1, "Secure-IPL facility") + /* Features exposed via SCLP CPU info. */ DEF_FEAT(SIE_F2, "sief2", SCLP_CPU, 4, "SIE: interception format 2 (Virtua= l SIE)") DEF_FEAT(SIE_SKEY, "skey", SCLP_CPU, 5, "SIE: Storage-key facility") diff --git a/target/s390x/cpu_models.c b/target/s390x/cpu_models.c index 6b8471700e..f99536ef9a 100644 --- a/target/s390x/cpu_models.c +++ b/target/s390x/cpu_models.c @@ -263,6 +263,7 @@ bool s390_has_feat(S390Feat feat) case S390_FEAT_SIE_CMMA: case S390_FEAT_SIE_PFMFI: case S390_FEAT_SIE_IBS: + case S390_FEAT_SIPL: case S390_FEAT_CONFIGURATION_TOPOLOGY: return false; break; 
@@ -507,6 +508,7 @@ static void check_consistency(const S390CPUModel *model) { S390_FEAT_AP_QUEUE_INTERRUPT_CONTROL, S390_FEAT_AP }, { S390_FEAT_DIAG_318, S390_FEAT_EXTENDED_LENGTH_SCCB }, { S390_FEAT_CERT_STORE, S390_FEAT_EXTENDED_LENGTH_SCCB }, + { S390_FEAT_SIPL, S390_FEAT_EXTENDED_LENGTH_SCCB }, { S390_FEAT_NNPA, S390_FEAT_VECTOR }, { S390_FEAT_RDP, S390_FEAT_LOCAL_TLB_CLEARING }, { S390_FEAT_UV_FEAT_AP, S390_FEAT_AP }, diff --git a/target/s390x/gen-features.c b/target/s390x/gen-features.c index 6c20c3a862..bd2060ab93 100644 --- a/target/s390x/gen-features.c +++ b/target/s390x/gen-features.c @@ -721,6 +721,7 @@ static uint16_t full_GEN16_GA1[] =3D { S390_FEAT_UV_FEAT_AP, S390_FEAT_UV_FEAT_AP_INTR, S390_FEAT_CERT_STORE, + S390_FEAT_SIPL, }; =20 static uint16_t full_GEN17_GA1[] =3D { @@ -922,6 +923,7 @@ static uint16_t qemu_MAX[] =3D { S390_FEAT_PRNO_TRNG, S390_FEAT_EXTENDED_LENGTH_SCCB, S390_FEAT_CERT_STORE, + S390_FEAT_SIPL, }; =20 /****** END FEATURE DEFS ******/ diff --git a/target/s390x/kvm/kvm.c b/target/s390x/kvm/kvm.c index fc253ecf18..0ac3883a5a 100644 --- a/target/s390x/kvm/kvm.c +++ b/target/s390x/kvm/kvm.c 
@@ -2520,6 +2520,9 @@ bool kvm_s390_get_host_cpu_model(S390CPUModel *model,= Error **errp) =20 set_bit(S390_FEAT_CERT_STORE, model->features); =20 + /* Some Secure IPL facilities are emulated by QEMU */ + set_bit(S390_FEAT_SIPL, model->features); + /* Test for Ultravisor features that influence secure guest behavior */ query_uv_feat_guest(model->features); =20 --=20 2.51.1
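
Review bot: in the ReadInfo hunk of include/hw/s390x/sclp.h, `uint8_t _reserved9[144 - 137]; /* 138-143 */` declares 7 bytes for a range the comment gives as 6. The old `_reserved8[144 - 135]` covered 9 bytes (135-143); the replacement adds up to 1 + 2 + 7 = 10, which moves `entries[]` from offset 144 to 145. The size should be `144 - 138`, and a build-time offsetof check on `entries` would catch this kind of slip.
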
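
Review bot: in kvm_s390_get_host_cpu_model(), `set_bit(S390_FEAT_SIPL, model->features);` is unconditional, while the same patch makes check_consistency() pair S390_FEAT_SIPL with S390_FEAT_EXTENDED_LENGTH_SCCB and the commit message limits the feature to gen16 and later. If the host model can lack ELS or belong to an older generation, this sets a bit the consistency table then flags; consider gating it on the dependency the table states. The comment would also be more useful if it said which parts are emulated by QEMU rather than "Some".
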
From: Zhuoying Cai
To: thuth@redhat.com, berrange@redhat.com, richard.henderson@linaro.org, david@redhat.com, jrossi@linux.ibm.com, qemu-s390x@nongnu.org, qemu-devel@nongnu.org, brueckner@linux.ibm.com
Cc: walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com
Subject: [PATCH v7 17/29] pc-bios/s390-ccw: Refactor zipl_run()
Date: Mon, 8 Dec 2025 16:32:34 -0500
Message-ID: <20251208213247.702569-18-zycai@linux.ibm.com>
In-Reply-To: <20251208213247.702569-1-zycai@linux.ibm.com>
References: <20251208213247.702569-1-zycai@linux.ibm.com>

Refactor to enhance readability before enabling secure IPL in later patches.

Signed-off-by: Zhuoying Cai --- pc-bios/s390-ccw/bootmap.c | 51 ++++++++++++++++++++++++-------------- 1 file changed, 33 insertions(+), 18 deletions(-) diff --git a/pc-bios/s390-ccw/bootmap.c b/pc-bios/s390-ccw/bootmap.c index 0f8baa0198..22801ca746 100644 --- a/pc-bios/s390-ccw/bootmap.c +++ b/pc-bios/s390-ccw/bootmap.c
@@ -674,12 +674,42 @@ static int zipl_load_segment(ComponentEntry *entry) return 0; } =20 +static int zipl_run_normal(ComponentEntry **entry_ptr, uint8_t *tmp_sec) +{ + ComponentEntry *entry =3D *entry_ptr; + + while (entry->component_type =3D=3D ZIPL_COMP_ENTRY_LOAD || + entry->component_type =3D=3D ZIPL_COMP_ENTRY_SIGNATURE) { + + /* Secure boot is off, so we skip signature entries */ + if (entry->component_type =3D=3D ZIPL_COMP_ENTRY_SIGNATURE) { + entry++; + continue; + } + + if (zipl_load_segment(entry)) { + return -1; + } + + entry++; + + if ((uint8_t *)&entry[1] > tmp_sec + MAX_SECTOR_SIZE) { + puts("Wrong entry value"); + return -EINVAL; + } + } + + *entry_ptr =3D entry; + return 0; +} + /* Run a zipl program */ static int zipl_run(ScsiBlockPtr *pte) { ComponentHeader *header; ComponentEntry *entry; uint8_t tmp_sec[MAX_SECTOR_SIZE]; + int rc; =20 if (virtio_read(pte->blockno, tmp_sec)) { puts("Cannot read header"); 
@@ -700,25 +730,10 @@ static int zipl_run(ScsiBlockPtr *pte) =20 /* Load image(s) into RAM */ entry =3D (ComponentEntry *)(&header[1]); - while (entry->component_type =3D=3D ZIPL_COMP_ENTRY_LOAD || - entry->component_type =3D=3D ZIPL_COMP_ENTRY_SIGNATURE) { - - /* We don't support secure boot yet, so we skip signature entries = */ - if (entry->component_type =3D=3D ZIPL_COMP_ENTRY_SIGNATURE) { - entry++; - continue; - } - - if (zipl_load_segment(entry)) { - return -1; - } =20 - entry++; - - if ((uint8_t *)(&entry[1]) > (tmp_sec + MAX_SECTOR_SIZE)) { - puts("Wrong entry value"); - return -EINVAL; - } + rc =3D zipl_run_normal(&entry, tmp_sec); + if (rc) { + return rc; } =20 if (entry->component_type !=3D ZIPL_COMP_ENTRY_EXEC) { --=20 2.51.1 From nobody Sun Dec 14 06:42:53 2025 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass(p=reject dis=none) header.from=linux.ibm.com ARC-Seal: i=1; a=rsa-sha256; t=1765229813; cv=none; d=zohomail.com; s=zohoarc; b=bV+pNeflqaMapLoPULvgxV+nKWGeLgcAJNkzmtNIbdnSkIYRPkjc7SmJEC2zHZEbf06YEQRXSRiQeuQF8vqjsQgC8UrNN/Ezvd+w6TojNuOuuUHqE4lcqBMMNnE67D3o9MCyXBt2zBx5exfFySc+s3LM4yO3fQKIeYbp5hsXm3Y= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1765229813; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=ZGtUQz3u27Tl6WiRgoUc5gzosfSK1k0Qda/ebvgo2vQ=; b=a7N/h+nGig7SnA4yleCLSdtsaQC78FmFgEB82gjVLsaqqXoQJgnVjjSMpRYwMPDUZeKgrak4EDIcxuL/TIOIiDFDI9jZ6foaN3eINWhiswZZs4GVN1ezUXjlU8XmTOVwH2FqDzUjjRFqHItkJvwVpXcoffy3CTZ5YYjaGTCBVFA= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org 
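Review bot: In zipl_run_normal(), the signature-skip branch does `entry++; continue;` and so never reaches the `(uint8_t *)&entry[1] > tmp_sec + MAX_SECTOR_SIZE` check, which only runs after a load entry. The loop condition then reads `entry->component_type` on the advanced pointer, so a component table that ends in signature entries lets the walk run past the end of tmp_sec before anything rejects it. This is inherited from the old loop in zipl_run(), but since the code is being moved ahead of the secure IPL work, hoist the bounds check so it runs after every `entry++`, for example by incrementing in one place at the bottom of the loop. Separately, the helper returns -1 when zipl_load_segment() fails and -EINVAL for the bounds failure; propagating the callee's code would keep the error values consistent.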
From: Zhuoying Cai
To: thuth@redhat.com, berrange@redhat.com, richard.henderson@linaro.org, david@redhat.com, jrossi@linux.ibm.com, qemu-s390x@nongnu.org, qemu-devel@nongnu.org, brueckner@linux.ibm.com
Cc: walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com
Subject: [PATCH v7 18/29] pc-bios/s390-ccw: Rework zipl_load_segment function
Date: Mon, 8 Dec 2025 16:32:35 -0500
Message-ID: <20251208213247.702569-19-zycai@linux.ibm.com>
In-Reply-To: <20251208213247.702569-1-zycai@linux.ibm.com>
References: <20251208213247.702569-1-zycai@linux.ibm.com>
Content-Transfer-Encoding: quoted-printable

Make the address variable a parameter of zipl_load_segment and return segment length. Modify this function to allow the caller to specify a memory address where segment data should be loaded into. seg_len variable is necessary to store the calculated segment length and is used during signature verification. Return the length on success, or a negative return code on failure.

Signed-off-by: Zhuoying Cai
Reviewed-by: Thomas Huth
--- pc-bios/s390-ccw/bootmap.c | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/pc-bios/s390-ccw/bootmap.c b/pc-bios/s390-ccw/bootmap.c index 22801ca746..9a03eab6ed 100644
--- a/pc-bios/s390-ccw/bootmap.c +++ b/pc-bios/s390-ccw/bootmap.c @@ -613,19 +613,22 @@ static int ipl_eckd(void) * IPL a SCSI disk */ =20 -static int zipl_load_segment(ComponentEntry *entry) +/* + * Returns: length of the segment on success, + * negative value on error. + */ +static int zipl_load_segment(ComponentEntry *entry, uint64_t address) { const int max_entries =3D (MAX_SECTOR_SIZE / sizeof(ScsiBlockPtr)); ScsiBlockPtr *bprs =3D (void *)sec; const int bprs_size =3D sizeof(sec); block_number_t blockno; - uint64_t address; int i; char err_msg[] =3D "zIPL failed to read BPRS at 0xZZZZZZZZZZZZZZZZ"; char *blk_no =3D &err_msg[30]; /* where to print blockno in (those ZZs= ) */ + int seg_len =3D 0; =20 blockno =3D entry->data.blockno; - address =3D entry->compdat.load_addr; =20 debug_print_int("loading segment at block", blockno); debug_print_int("addr", address); @@ -668,10 +671,12 @@ static int zipl_load_segment(ComponentEntry *entry) puts("zIPL load segment failed"); return -EIO; } + + seg_len +=3D bprs->size * (bprs[i].blockct + 1); } } while (blockno); =20 - return 0; + return seg_len; } =20 static int zipl_run_normal(ComponentEntry **entry_ptr, uint8_t *tmp_sec) 
@@ -687,7 +692,7 @@ static int zipl_run_normal(ComponentEntry **entry_ptr, = uint8_t *tmp_sec) continue; } =20 - if (zipl_load_segment(entry)) { + if (zipl_load_segment(entry, entry->compdat.load_addr) < 0) { return -1; } =20 --=20 2.51.1 From nobody Sun Dec 14 06:42:53 2025 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass(p=reject dis=none) header.from=linux.ibm.com ARC-Seal: i=1; a=rsa-sha256; t=1765229635; cv=none; d=zohomail.com; s=zohoarc; b=AojRucC2pOTVIM5DRVY+5s4igz9k0Q2y2oBu7X42vxBL7eL5YfmX1E8oKTK6fBWygR3WVDuc7VNFUpA37q8FZQGiH3QFegXQiLcZzLp1z5lKxpli37r37sSNB/BxdfSukIy0Qy2Uax0GcszxHZWp+eY9uXGHGYyK8LZycTrdVZk= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1765229635; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=09AEYVhjhUEvUqjRo+l7Ii9zOrfjGUqntrLAcKxlclc=; b=Ud4hGvAYlE4OB/UZNsepSnkpMwEW9DZbjn1Wc0915l8pTmPkYwqm8JP6jBJBSTg/BxuYlk0TJ5kIrWwiKu2Ra26LErJl9QGItD6qIVVjLC6ZzWK1NmoidFh/83pYv+JgWpUnzenLBia0HA3ryPo51D25ukcpqGF76MtlEzHNwAs= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass header.from= (p=reject dis=none) Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1765229635702817.6456583830977; Mon, 8 Dec 2025 13:33:55 -0800 (PST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1vSirS-0007W3-5y; Mon, 08 Dec 2025 16:33:38 -0500 Received: from 
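Review bot: The accumulation `seg_len += bprs->size * (bprs[i].blockct + 1);` in zipl_load_segment() takes the block count from entry i but the size from `bprs->size`, which is entry 0 of the sector. If that is intended because all pointers in a sector share one block size, a comment should say so; otherwise use `bprs[i].size`. seg_len is also a plain int summed from on-disk values with no overflow check, and the same int carries both the length and the negative error codes, so a large or malformed segment can wrap into a value the caller reads as an error or as a wrong length. Since the commit message says the length is used during signature verification, consider returning the status as int and the length through a uint64_t out-parameter, with a checked add.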
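Review bot: In zipl_run_normal(), the updated check `zipl_load_segment(entry, entry->compdat.load_addr) < 0` still collapses every failure to `return -1`, although zipl_load_segment() returns distinct negative codes such as -EIO. Keep the return value in a local and propagate it, so the caller in zipl_run() sees the real cause.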
From: Zhuoying Cai
To: thuth@redhat.com, berrange@redhat.com, richard.henderson@linaro.org, david@redhat.com, jrossi@linux.ibm.com, qemu-s390x@nongnu.org, qemu-devel@nongnu.org, brueckner@linux.ibm.com
Cc: walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com
Subject: [PATCH v7 19/29] pc-bios/s390-ccw: Add signature verification for secure IPL in audit mode
Date: Mon, 8 Dec 2025 16:32:36 -0500
Message-ID: <20251208213247.702569-20-zycai@linux.ibm.com>
In-Reply-To: <20251208213247.702569-1-zycai@linux.ibm.com>
References: <20251208213247.702569-1-zycai@linux.ibm.com>
Content-Transfer-Encoding: quoted-printable

Enable secure IPL in audit mode, which performs signature verification, but any error does not terminate the boot process. Only warnings will be logged to the console instead.

Add a comp_len variable to store the length of a segment in zipl_load_segment. comp_len variable is necessary to store the calculated segment length and is used during signature verification. Return the length on success, or a negative return code on failure.

Secure IPL in audit mode requires at least one certificate provided in the key store along with necessary facilities (Secure IPL Facility, Certificate Store Facility and secure IPL extension support).

Note: Secure IPL in audit mode is implemented for the SCSI scheme of virtio-blk/virtio-scsi devices.

Signed-off-by: Zhuoying Cai
--- docs/system/s390x/secure-ipl.rst | 34 +++ pc-bios/s390-ccw/Makefile | 3 +- pc-bios/s390-ccw/bootmap.c | 44 +++- pc-bios/s390-ccw/bootmap.h | 11 + pc-bios/s390-ccw/main.c | 9 + pc-bios/s390-ccw/s390-ccw.h | 15 ++ pc-bios/s390-ccw/sclp.c | 44 ++++ pc-bios/s390-ccw/sclp.h | 6 + pc-bios/s390-ccw/secure-ipl.c | 383 +++++++++++++++++++++++++++++++ pc-bios/s390-ccw/secure-ipl.h | 94 ++++++++ 10 files changed, 638 insertions(+), 5 deletions(-) create mode 100644 pc-bios/s390-ccw/secure-ipl.c create mode 100644 pc-bios/s390-ccw/secure-ipl.h diff --git a/docs/system/s390x/secure-ipl.rst b/docs/system/s390x/secure-ip= l.rst index 0a02f171b4..8958a51f0b 100644 --- a/docs/system/s390x/secure-ipl.rst +++ b/docs/system/s390x/secure-ipl.rst
@@ -18,3 +18,37 @@ Note: certificate files must have a .pem extension. .. code-block:: shell =20 qemu-system-s390x -machine s390-ccw-virtio,boot-certs.0.path=3D/.../qe= mu/certs,boot-certs.1.path=3D/another/path/cert.pem ... + + +IPL Modes +=3D=3D=3D=3D=3D=3D=3D=3D=3D +Multiple IPL modes are available to differentiate between the various IPL +configurations. These modes are mutually exclusive and enabled based on the +``boot-certs`` option on the QEMU command line. + +Normal Mode +----------- + +The absence of certificates will attempt to IPL a guest without secure IPL +operations. No checks are performed, and no warnings/errors are reported. +This is the default mode. + +Configuration: + +.. code-block:: shell + + qemu-system-s390x -machine s390-ccw-virtio ... + +Audit Mode +---------- + +With *only* the presence of certificates in the store, it is assumed that = secure +boot operations should be performed with errors reported as warnings. As s= uch, +the secure IPL operations will be performed, and any errors that stem from= these +operations will result in a warning. + +Configuration: + +.. code-block:: shell + + qemu-system-s390x -machine s390-ccw-virtio,boot-certs.0.path=3D/.../qe= mu/certs,boot-certs.1.path=3D/another/path/cert.pem ... diff --git a/pc-bios/s390-ccw/Makefile b/pc-bios/s390-ccw/Makefile index a0f24c94a8..603761a857 100644 --- a/pc-bios/s390-ccw/Makefile +++ b/pc-bios/s390-ccw/Makefile @@ -34,7 +34,8 @@ QEMU_DGFLAGS =3D -MMD -MP -MT $@ -MF $(@D)/$(*F).d .PHONY : all clean build-all distclean =20 OBJECTS =3D start.o main.o bootmap.o jump2ipl.o sclp.o menu.o netmain.o \ - virtio.o virtio-net.o virtio-scsi.o virtio-blkdev.o cio.o dasd-ipl.o + virtio.o virtio-net.o virtio-scsi.o virtio-blkdev.o cio.o dasd-ipl.o \ + secure-ipl.o =20 SLOF_DIR :=3D $(SRC_PATH)/../../roms/SLOF =20 diff --git a/pc-bios/s390-ccw/bootmap.c b/pc-bios/s390-ccw/bootmap.c index 9a03eab6ed..342772860b 100644 --- a/pc-bios/s390-ccw/bootmap.c +++ b/pc-bios/s390-ccw/bootmap.c 
@@ -15,6 +15,7 @@ #include "bootmap.h" #include "virtio.h" #include "bswap.h" +#include "secure-ipl.h" =20 #ifdef DEBUG /* #define DEBUG_FALLBACK */ @@ -617,7 +618,7 @@ static int ipl_eckd(void) * Returns: length of the segment on success, * negative value on error. */ -static int zipl_load_segment(ComponentEntry *entry, uint64_t address) +int zipl_load_segment(ComponentEntry *entry, uint64_t address) { const int max_entries =3D (MAX_SECTOR_SIZE / sizeof(ScsiBlockPtr)); ScsiBlockPtr *bprs =3D (void *)sec; @@ -736,9 +737,22 @@ static int zipl_run(ScsiBlockPtr *pte) /* Load image(s) into RAM */ entry =3D (ComponentEntry *)(&header[1]); =20 - rc =3D zipl_run_normal(&entry, tmp_sec); - if (rc) { - return rc; + switch (boot_mode) { + case ZIPL_BOOT_MODE_SECURE_AUDIT: + rc =3D zipl_run_secure(&entry, tmp_sec); + if (rc) { + return rc; + } + break; + case ZIPL_BOOT_MODE_NORMAL: + rc =3D zipl_run_normal(&entry, tmp_sec); + if (rc) { + return rc; + } + break; + default: + puts("Unknown boot mode"); + return -1; } =20 if (entry->component_type !=3D ZIPL_COMP_ENTRY_EXEC) { @@ -1103,17 +1117,35 @@ static int zipl_load_vscsi(void) * IPL starts here */ =20 +ZiplBootMode zipl_mode(uint8_t hdr_flags) +{ + bool sipl_set =3D hdr_flags & DIAG308_IPIB_FLAGS_SIPL; + bool iplir_set =3D hdr_flags & DIAG308_IPIB_FLAGS_IPLIR; + + if (!sipl_set && iplir_set) { + return ZIPL_BOOT_MODE_SECURE_AUDIT; + } + + return ZIPL_BOOT_MODE_NORMAL; +} + void zipl_load(void) { VDev *vdev =3D virtio_get_device(); =20 if (vdev->is_cdrom) { + if (boot_mode =3D=3D ZIPL_BOOT_MODE_SECURE_AUDIT) { + panic("Secure boot from ISO image is not supported!"); + } ipl_iso_el_torito(); puts("Failed to IPL this ISO image!"); return; } =20 if (virtio_get_device_type() =3D=3D VIRTIO_ID_NET) { + if (boot_mode =3D=3D ZIPL_BOOT_MODE_SECURE_AUDIT) { + panic("Virtio net boot device does not support secure boot!"); + } netmain(); puts("Failed to IPL from this network!"); return; 
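Review bot: zipl_mode() returns ZIPL_BOOT_MODE_SECURE_AUDIT only for `!sipl_set && iplir_set` and falls through to ZIPL_BOOT_MODE_NORMAL for every other combination, including an IPLB that has DIAG308_IPIB_FLAGS_SIPL set. With this patch alone such a guest boots through zipl_run_normal() with no verification and no console message, so make the fall-through explicit: handle the SIPL case separately (warn or refuse) until a mode for it exists, and add a comment stating which flag combinations map to which mode. In the same hunk, the audit-mode checks in zipl_load() call panic() for ISO and virtio-net boot devices, which stops the boot although the commit message and secure-ipl.rst describe audit mode as warning-only; either document that unsupported boot devices are fatal in audit mode or downgrade these to a warning followed by a normal IPL.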
@@ -1124,6 +1156,10 @@ void zipl_load(void) return; } =20 + if (boot_mode =3D=3D ZIPL_BOOT_MODE_SECURE_AUDIT) { + panic("ECKD boot device does not support secure boot!"); + } + switch (virtio_get_device_type()) { case VIRTIO_ID_BLOCK: zipl_load_vblk(); diff --git a/pc-bios/s390-ccw/bootmap.h b/pc-bios/s390-ccw/bootmap.h index 95943441d3..dc2783faa2 100644 --- a/pc-bios/s390-ccw/bootmap.h +++ b/pc-bios/s390-ccw/bootmap.h @@ -88,9 +88,18 @@ typedef struct BootMapTable { BootMapPointer entry[]; } __attribute__ ((packed)) BootMapTable; =20 +#define DER_SIGNATURE_FORMAT 1 + +typedef struct SignatureInformation { + uint8_t format; + uint8_t reserved[3]; + uint32_t sig_len; +} SignatureInformation; + typedef union ComponentEntryData { uint64_t load_psw; uint64_t load_addr; + SignatureInformation sig_info; } ComponentEntryData; =20 typedef struct ComponentEntry { @@ -113,6 +122,8 @@ typedef struct ScsiMbr { ScsiBlockPtr pt; /* block pointer to program table */ } __attribute__ ((packed)) ScsiMbr; =20 +int zipl_load_segment(ComponentEntry *entry, uint64_t address); + #define ZIPL_MAGIC "zIPL" #define ZIPL_MAGIC_EBCDIC "\xa9\xc9\xd7\xd3" #define IPL1_MAGIC "\xc9\xd7\xd3\xf1" /* =3D=3D "IPL1" in EBCDIC */ diff --git a/pc-bios/s390-ccw/main.c b/pc-bios/s390-ccw/main.c index c9328f1c51..8aabce115f 100644 --- a/pc-bios/s390-ccw/main.c +++ b/pc-bios/s390-ccw/main.c @@ -28,6 +28,7 @@ IplParameterBlock *iplb; bool have_iplb; static uint16_t cutype; LowCore *lowcore; /* Yes, this *is* a pointer to address 0 */ +ZiplBootMode boot_mode; =20 #define LOADPARM_PROMPT "PROMPT " #define LOADPARM_EMPTY " " 
@@ -272,9 +273,17 @@ static int virtio_setup(void) =20 static void ipl_boot_device(void) { + if (boot_mode =3D=3D ZIPL_BOOT_MODE_UNSPECIFIED) { + boot_mode =3D zipl_mode(iplb->hdr_flags); + } + switch (cutype) { case CU_TYPE_DASD_3990: case CU_TYPE_DASD_2107: + if (boot_mode =3D=3D ZIPL_BOOT_MODE_SECURE_AUDIT) { + panic("Passthrough (vfio) CCW device does not support secure b= oot!"); + } + dasd_ipl(blk_schid, cutype); break; case CU_TYPE_VIRTIO: diff --git a/pc-bios/s390-ccw/s390-ccw.h b/pc-bios/s390-ccw/s390-ccw.h index b1dc35cded..c2ba40d067 100644 --- a/pc-bios/s390-ccw/s390-ccw.h +++ b/pc-bios/s390-ccw/s390-ccw.h @@ -39,6 +39,9 @@ typedef unsigned long long u64; #define MIN_NON_ZERO(a, b) ((a) =3D=3D 0 ? (b) : \ ((b) =3D=3D 0 ? (a) : (MIN(a, b)))) #endif +#ifndef ROUND_UP +#define ROUND_UP(n, d) (((n) + (d) - 1) & -(0 ? (n) : (d))) +#endif =20 #define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0])) =20 @@ -64,6 +67,8 @@ void sclp_print(const char *string); void sclp_set_write_mask(uint32_t receive_mask, uint32_t send_mask); void sclp_setup(void); void sclp_get_loadparm_ascii(char *loadparm); +bool sclp_is_diag320_on(void); +bool sclp_is_sipl_on(void); int sclp_read(char *str, size_t count); =20 /* virtio.c */ @@ -76,6 +81,16 @@ int virtio_read(unsigned long sector, void *load_addr); /* bootmap.c */ void zipl_load(void); =20 +typedef enum ZiplBootMode { + ZIPL_BOOT_MODE_UNSPECIFIED =3D 0, + ZIPL_BOOT_MODE_NORMAL =3D 1, + ZIPL_BOOT_MODE_SECURE_AUDIT =3D 2, +} ZiplBootMode; + +extern ZiplBootMode boot_mode; + +ZiplBootMode zipl_mode(uint8_t hdr_flags); + /* jump2ipl.c */ void write_reset_psw(uint64_t psw); int jump_to_IPL_code(uint64_t address); diff --git a/pc-bios/s390-ccw/sclp.c b/pc-bios/s390-ccw/sclp.c index 4a07de018d..0b03c3164f 100644 --- a/pc-bios/s390-ccw/sclp.c +++ b/pc-bios/s390-ccw/sclp.c 
@@ -113,6 +113,50 @@ void sclp_get_loadparm_ascii(char *loadparm) } } =20 +static void sclp_get_fac134(uint8_t *fac134) +{ + + ReadInfo *sccb =3D (void *)_sccb; + + memset((char *)_sccb, 0, sizeof(ReadInfo)); + sccb->h.length =3D SCCB_SIZE; + if (!sclp_service_call(SCLP_CMDW_READ_SCP_INFO, sccb)) { + *fac134 =3D sccb->fac134; + } +} + +bool sclp_is_diag320_on(void) +{ + uint8_t fac134 =3D 0; + + sclp_get_fac134(&fac134); + return fac134 & SCCB_FAC134_DIAG320_BIT; +} + +/* + * Get fac_ipl (byte 136 and byte 137 of the SCLP Read Info block) + * for IPL device facilities. + */ +static void sclp_get_fac_ipl(uint16_t *fac_ipl) +{ + + ReadInfo *sccb =3D (void *)_sccb; + + memset((char *)_sccb, 0, sizeof(ReadInfo)); + sccb->h.length =3D SCCB_SIZE; + if (!sclp_service_call(SCLP_CMDW_READ_SCP_INFO, sccb)) { + *fac_ipl =3D sccb->fac_ipl; + } +} + +bool sclp_is_sipl_on(void) +{ + uint16_t fac_ipl =3D 0; + + sclp_get_fac_ipl(&fac_ipl); + return fac_ipl & SCCB_FAC_IPL_SIPL_BIT; +} + int sclp_read(char *str, size_t count) { ReadEventData *sccb =3D (void *)_sccb; diff --git a/pc-bios/s390-ccw/sclp.h b/pc-bios/s390-ccw/sclp.h index 64b53cad29..cf147f4634 100644 --- a/pc-bios/s390-ccw/sclp.h +++ b/pc-bios/s390-ccw/sclp.h @@ -50,6 +50,8 @@ typedef struct SCCBHeader { } __attribute__((packed)) SCCBHeader; =20 #define SCCB_DATA_LEN (SCCB_SIZE - sizeof(SCCBHeader)) +#define SCCB_FAC134_DIAG320_BIT 0x4 +#define SCCB_FAC_IPL_SIPL_BIT 0x4000 =20 typedef struct ReadInfo { SCCBHeader h; @@ -57,6 +59,10 @@ typedef struct ReadInfo { uint8_t rnsize; uint8_t reserved[13]; uint8_t loadparm[LOADPARM_LEN]; + uint8_t reserved1[102]; + uint8_t fac134; + uint8_t reserved2; + uint16_t fac_ipl; } __attribute__((packed)) ReadInfo; =20 typedef struct SCCB { diff --git a/pc-bios/s390-ccw/secure-ipl.c b/pc-bios/s390-ccw/secure-ipl.c new file mode 100644 index 0000000000..c1c5bc682a --- /dev/null +++ b/pc-bios/s390-ccw/secure-ipl.c 
@@ -0,0 +1,383 @@ +/* + * S/390 Secure IPL + * + * Functions to support IPL in secure boot mode (DIAG 320, DIAG 508, + * signature verification, and certificate handling). + * + * For secure IPL overview: docs/system/s390x/secure-ipl.rst + * For secure IPL technical: docs/specs/s390x-secure-ipl.rst + * + * Copyright 2025 IBM Corp. + * Author(s): Zhuoying Cai + * + * SPDX-License-Identifier: GPL-2.0-or-later + */ + +#include +#include +#include +#include "bootmap.h" +#include "s390-ccw.h" +#include "secure-ipl.h" + +uint8_t vcssb_data[VCSSB_MIN_LEN] __attribute__((__aligned__(PAGE_SIZE))); + +VCStorageSizeBlock *zipl_secure_get_vcssb(void) +{ + VCStorageSizeBlock *vcssb; + int rc; + + if (!sclp_is_diag320_on() || !is_cert_store_facility_supported()) { + puts("Certificate Store Facility is not supported by the hyperviso= r!"); + return NULL; + } + + vcssb =3D (VCStorageSizeBlock *)vcssb_data; + /* avoid retrieving vcssb multiple times */ + if (vcssb->length >=3D VCSSB_MIN_LEN) { + return vcssb; + } + + vcssb->length =3D VCSSB_MIN_LEN; + rc =3D diag320(vcssb, DIAG_320_SUBC_QUERY_VCSI); + if (rc !=3D DIAG_320_RC_OK) { + return NULL; + } + + return vcssb; +} + +static uint32_t get_certs_length(void) +{ + VCStorageSizeBlock *vcssb; + uint32_t len; + + vcssb =3D zipl_secure_get_vcssb(); + if (vcssb =3D=3D NULL) { + return 0; + } + + len =3D vcssb->total_vcb_len - VCB_HEADER_LEN - vcssb->total_vc_ct * V= CE_HEADER_LEN; + + return len; +} + +static uint32_t request_certificate(uint8_t *cert, uint8_t index) +{ + VCStorageSizeBlock *vcssb; + VCBlock *vcb; + VCEntry *vce; + uint64_t rc =3D 0; + uint32_t cert_len =3D 0; + uint32_t max_single_vcb_len; + + /* Get Verification Certificate Storage Size block with DIAG320 subcod= e 1 */ + vcssb =3D zipl_secure_get_vcssb(); + if (vcssb =3D=3D NULL) { + return 0; + } + + /* + * Request single entry + * Fill input fields of single-entry VCB + */ + max_single_vcb_len =3D ROUND_UP(vcssb->max_single_vcb_len, PAGE_SIZE); + vcb =3D 
malloc(max_single_vcb_len); + vcb->in_len =3D max_single_vcb_len; + vcb->first_vc_index =3D index + 1; + vcb->last_vc_index =3D index + 1; + + rc =3D diag320(vcb, DIAG_320_SUBC_STORE_VC); + if (rc !=3D DIAG_320_RC_OK) { + goto out; + } + + if (vcb->out_len =3D=3D VCB_HEADER_LEN) { + puts("No certificate entry"); + goto out; + } + if (vcb->remain_ct !=3D 0) { + puts("Not enough memory to store all requested certificates"); + goto out; + } + + vce =3D (VCEntry *)vcb->vce_buf; + if (!(vce->flags & DIAG_320_VCE_FLAGS_VALID)) { + puts("Invalid certificate"); + goto out; + } + + cert_len =3D vce->cert_len; + memcpy(cert, (uint8_t *)vce + vce->cert_offset, vce->cert_len); + +out: + free(vcb); + return cert_len; +} + +static void cert_list_add(IplSignatureCertificateList *certs, int cert_ind= ex, + uint8_t *cert, uint64_t cert_len) +{ + if (cert_index > MAX_CERTIFICATES - 1) { + printf("Warning: Ignoring cert entry [%d] because it's over %d ent= ires\n", + cert_index + 1, MAX_CERTIFICATES); + return; + } + + certs->cert_entries[cert_index].addr =3D (uint64_t)cert; + certs->cert_entries[cert_index].len =3D cert_len; + certs->ipl_info_header.len +=3D sizeof(certs->cert_entries[cert_index]= ); +} + +static void comp_list_add(IplDeviceComponentList *comps, int comp_index, + int cert_index, uint64_t comp_addr, + uint64_t comp_len, uint8_t flags) +{ + if (comp_index > MAX_CERTIFICATES - 1) { + printf("Warning: Ignoring comp entry [%d] because it's over %d ent= ires\n", + comp_index + 1, MAX_CERTIFICATES); + return; + } + + comps->device_entries[comp_index].addr =3D comp_addr; + comps->device_entries[comp_index].len =3D comp_len; + comps->device_entries[comp_index].flags =3D flags; + comps->device_entries[comp_index].cert_index =3D cert_index; + comps->ipl_info_header.len +=3D sizeof(comps->device_entries[comp_inde= x]); +} + +static int update_iirb(IplDeviceComponentList *comps, IplSignatureCertific= ateList *certs) +{ + IplInfoReportBlock *iirb; + IplDeviceComponentList 
*iirb_comps; + IplSignatureCertificateList *iirb_certs; + uint32_t iirb_hdr_len; + uint32_t comps_len; + uint32_t certs_len; + + if (iplb->len % 8 !=3D 0) { + panic("IPL parameter block length field value is not multiple of 8= bytes"); + } + + iirb_hdr_len =3D sizeof(IplInfoReportBlockHeader); + comps_len =3D comps->ipl_info_header.len; + certs_len =3D certs->ipl_info_header.len; + if ((comps_len + certs_len + iirb_hdr_len) > sizeof(IplInfoReportBlock= )) { + puts("Not enough space to hold all components and certificates in = IIRB"); + return -1; + } + + /* IIRB immediately follows IPLB */ + iirb =3D &ipl_data.iirb; + iirb->hdr.len =3D iirb_hdr_len; + + /* Copy IPL device component list after IIRB Header */ + iirb_comps =3D (IplDeviceComponentList *) iirb->info_blks; + memcpy(iirb_comps, comps, comps_len); + + /* Update IIRB length */ + iirb->hdr.len +=3D comps_len; + + /* Copy IPL sig cert list after IPL device component list */ + iirb_certs =3D (IplSignatureCertificateList *) (iirb->info_blks + + iirb_comps->ipl_info_hea= der.len); + memcpy(iirb_certs, certs, certs_len); + + /* Update IIRB length */ + iirb->hdr.len +=3D certs_len; + + return 0; +} + +static bool secure_ipl_supported(void) +{ + if (!sclp_is_sipl_on()) { + puts("Secure IPL Facility is not supported by the hypervisor!"); + return false; + } + + if (!is_secure_ipl_extension_supported()) { + puts("Secure IPL extensions are not supported by the hypervisor!"); + return false; + } + + if (!sclp_is_diag320_on() || !is_cert_store_facility_supported()) { + puts("Certificate Store Facility is not supported by the hyperviso= r!"); + return false; + } + + return true; +} + +static void init_lists(IplDeviceComponentList *comps, IplSignatureCertific= ateList *certs) +{ + comps->ipl_info_header.ibt =3D IPL_IBT_COMPONENTS; + comps->ipl_info_header.len =3D sizeof(comps->ipl_info_header); + + certs->ipl_info_header.ibt =3D IPL_IBT_CERTIFICATES; + certs->ipl_info_header.len =3D sizeof(certs->ipl_info_header); +} + 
+static uint32_t zipl_load_signature(ComponentEntry *entry, uint64_t sig_se= c) +{ + uint32_t sig_len; + + if (zipl_load_segment(entry, sig_sec) < 0) { + return -1; + } + + if (entry->compdat.sig_info.format !=3D DER_SIGNATURE_FORMAT) { + puts("Signature is not in DER format"); + return -1; + } + sig_len =3D entry->compdat.sig_info.sig_len; + + return sig_len; +} + +/* + * Returns: 1 - New certificate requested and added to cert_table and cert= list + * 0 - Certificate already exists in the cert_table + * -1 - Error while requesting certificate + */ +static int handle_certificate(int *cert_table, uint8_t **cert, + uint64_t cert_len, uint8_t cert_table_idx, + IplSignatureCertificateList *certs, int cert_= entry_idx) +{ + if (cert_table[cert_table_idx] !=3D -1) { + return 0; + } + + if (!request_certificate(*cert, cert_table_idx)) { + puts("Could not get certificate"); + return -1; + } + + cert_list_add(certs, cert_entry_idx, *cert, cert_len); + cert_table[cert_table_idx] =3D cert_entry_idx; + return 1; +} + +int zipl_run_secure(ComponentEntry **entry_ptr, uint8_t *tmp_sec) +{ + IplDeviceComponentList comps; + IplSignatureCertificateList certs; + ComponentEntry *entry =3D *entry_ptr; + uint8_t *cert =3D NULL; + uint64_t *sig =3D NULL; + int cert_entry_idx =3D 0; + int comp_entry_idx =3D 0; + uint64_t comp_addr; + int comp_len; + uint32_t sig_len =3D 0; + uint64_t cert_len =3D -1; + uint8_t cert_table_idx =3D -1; + bool verified; + uint32_t certs_len; + /* + * Store indices of cert entry that have already used for signature + * verification to prevent allocating the same certificate multiple ti= mes. + * cert_table index (cert_table_idx): + * index of certificate from qemu cert store used for verific= ation + * cert_table value (cert_entry_idx): + * index of cert entry in cert list that contains the certifi= cate + */ + int cert_table[MAX_CERTIFICATES] =3D { [0 ... 
MAX_CERTIFICATES - 1] = =3D -1}; + int rc; + int signed_count =3D 0; + + if (!secure_ipl_supported()) { + return -1; + } + + init_lists(&comps, &certs); + certs_len =3D get_certs_length(); + cert =3D malloc(certs_len); + sig =3D malloc(MAX_SECTOR_SIZE); + + while (entry->component_type !=3D ZIPL_COMP_ENTRY_EXEC) { + switch (entry->component_type) { + case ZIPL_COMP_ENTRY_SIGNATURE: + if (sig_len) { + goto out; + } + + sig_len =3D zipl_load_signature(entry, (uint64_t)sig); + if (sig_len < 0) { + goto out; + } + break; + case ZIPL_COMP_ENTRY_LOAD: + comp_addr =3D entry->compdat.load_addr; + comp_len =3D zipl_load_segment(entry, comp_addr); + if (comp_len < 0) { + goto out; + } + + if (!sig_len) { + break; + } + + verified =3D verify_signature(comp_len, comp_addr, sig_len, (u= int64_t)sig, + &cert_len, &cert_table_idx); + + if (verified) { + rc =3D handle_certificate(cert_table, &cert, cert_len, + cert_table_idx, &certs, cert_entr= y_idx); + if (rc =3D=3D -1) { + goto out; + } + + /* increment for the next certificate */ + if (rc =3D=3D 1) { + cert_entry_idx++; + cert +=3D cert_len; + } + + puts("Verified component"); + comp_list_add(&comps, comp_entry_idx, cert_table[cert_tabl= e_idx], + comp_addr, comp_len, + S390_IPL_COMPONENT_FLAG_SC | S390_IPL_COMPON= ENT_FLAG_CSV); + } else { + comp_list_add(&comps, comp_entry_idx, -1, + comp_addr, comp_len, + S390_IPL_COMPONENT_FLAG_SC); + zipl_secure_handle("Could not verify component"); + } + + comp_entry_idx++; + signed_count +=3D 1; + /* After a signature is used another new one can be accepted */ + sig_len =3D 0; + break; + default: + puts("Unknown component entry type"); + return -1; + } + + entry++; + + if ((uint8_t *)(&entry[1]) > tmp_sec + MAX_SECTOR_SIZE) { + puts("Wrong entry value"); + return -EINVAL; + } + } + + if (signed_count =3D=3D 0) { + zipl_secure_handle("Secure boot is on, but components are not sign= ed"); + } + + if (update_iirb(&comps, &certs)) { + zipl_secure_handle("Failed to write IPL Information 
Report Block"); + } + + *entry_ptr =3D entry; + free(sig); + + return 0; +out: + free(cert); + free(sig); + + return -1; +} diff --git a/pc-bios/s390-ccw/secure-ipl.h b/pc-bios/s390-ccw/secure-ipl.h new file mode 100644 index 0000000000..a6fc1ac8de --- /dev/null +++ b/pc-bios/s390-ccw/secure-ipl.h 
@@ -0,0 +1,94 @@ +/* + * S/390 Secure IPL + * + * Copyright 2025 IBM Corp. + * Author(s): Zhuoying Cai + * + * SPDX-License-Identifier: GPL-2.0-or-later + */ + +#ifndef _PC_BIOS_S390_CCW_SECURE_IPL_H +#define _PC_BIOS_S390_CCW_SECURE_IPL_H + +#include +#include + +VCStorageSizeBlock *zipl_secure_get_vcssb(void); +int zipl_run_secure(ComponentEntry **entry_ptr, uint8_t *tmp_sec); + +static inline void zipl_secure_handle(const char *message) +{ + switch (boot_mode) { + case ZIPL_BOOT_MODE_SECURE_AUDIT: + IPL_check(false, message); + break; + default: + break; + } +} + +static inline uint64_t diag320(void *data, unsigned long subcode) +{ + register unsigned long addr asm("0") =3D (unsigned long)data; + register unsigned long rc asm("1") =3D 0; + + asm volatile ("diag %0,%2,0x320\n" + : "+d" (addr), "+d" (rc) + : "d" (subcode) + : "memory", "cc"); + return rc; +} + +static inline bool is_cert_store_facility_supported(void) +{ + uint32_t d320_ism; + + diag320(&d320_ism, DIAG_320_SUBC_QUERY_ISM); + return (d320_ism & DIAG_320_ISM_QUERY_SUBCODES) && + (d320_ism & DIAG_320_ISM_QUERY_VCSI) && + (d320_ism & DIAG_320_ISM_STORE_VC); +} + +static inline uint64_t _diag508(void *data, unsigned long subcode) +{ + register unsigned long addr asm("0") =3D (unsigned long)data; + register unsigned long rc asm("1") =3D 0; + + asm volatile ("diag %0,%2,0x508\n" + : "+d" (addr), "+d" (rc) + : "d" (subcode) + : "memory", "cc"); + return rc; +} + +static inline bool is_secure_ipl_extension_supported(void) +{ + uint64_t d508_subcodes; + + d508_subcodes =3D _diag508(NULL, DIAG_508_SUBC_QUERY_SUBC); + return d508_subcodes & DIAG_508_SUBC_SIG_VERIF; +} + +static inline bool verify_signature(uint64_t comp_len, uint64_t comp_addr, + uint64_t sig_len, uint64_t sig_addr, + uint64_t *cert_len, uint8_t *cert_idx) +{ + Diag508SigVerifBlock svb; + + svb.length =3D sizeof(Diag508SigVerifBlock); + svb.version =3D 0; + svb.comp_len =3D comp_len; + svb.comp_addr =3D comp_addr; + svb.sig_len =3D sig_len; + 
svb.sig_addr =3D sig_addr; + + if (_diag508(&svb, DIAG_508_SUBC_SIG_VERIF) =3D=3D DIAG_508_RC_OK) { + *cert_len =3D svb.cert_len; + *cert_idx =3D svb.cert_store_index; + return true; + } + + return false; +} + +#endif /* _PC_BIOS_S390_CCW_SECURE_IPL_H */ --=20 2.51.1
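Review bot: In zipl_run_secure() in pc-bios/s390-ccw/secure-ipl.c, the error check after zipl_load_signature() can never fire. The helper is declared to return uint32_t but returns -1 on failure, and the caller stores the result in "uint32_t sig_len" and tests "sig_len < 0". A failed signature load therefore leaves sig_len at 0xFFFFFFFF, and the next ZIPL_COMP_ENTRY_LOAD hands that length to verify_signature(). Suggest returning int for the status and passing the length back through an out-parameter. In the same function, "cert += cert_len" advances the pointer returned by malloc(), so "free(cert)" at the out: label no longer frees the original allocation; keep the base pointer in a separate variable. The "return -1" in the default case and the "return -EINVAL" after the entry bounds check skip both frees, and none of the malloc() results here or in request_certificate() is checked for NULL. cert_table[cert_table_idx] is indexed with the store index reported by DIAG 508 without a comparison against MAX_CERTIFICATES, and request_certificate() copies vce->cert_len bytes into cert without checking the space left in the buffer sized by get_certs_length(); both deserve an explicit bound check. Minor: "entires" in the two warning strings should read "entries".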
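Review bot: In verify_signature() in pc-bios/s390-ccw/secure-ipl.h, the Diag508SigVerifBlock lives on the stack and only length, version, comp_len, comp_addr, sig_len and sig_addr are assigned before the DIAG 508 call, so any remaining field, at least cert_len and cert_store_index which are read back afterwards, is handed to the hypervisor uninitialised. Suggest zero-initialising the block at its declaration. The same applies to is_cert_store_facility_supported(): d320_ism is declared without an initial value and the return code of diag320() is ignored, so if the query stores nothing the three bit tests run on stack garbage. Initialise it to 0 and compare the return code with DIAG_320_RC_OK before testing the mask.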
From: Zhuoying Cai
To: thuth@redhat.com, berrange@redhat.com, richard.henderson@linaro.org, david@redhat.com, jrossi@linux.ibm.com, qemu-s390x@nongnu.org, qemu-devel@nongnu.org, brueckner@linux.ibm.com
Cc: walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com
Subject: [PATCH v7 20/29] s390x: Guest support for Secure-IPL Code Loading Attributes Facility (SCLAF)
Date: Mon, 8 Dec 2025 16:32:37 -0500
Message-ID: <20251208213247.702569-21-zycai@linux.ibm.com>
In-Reply-To: <20251208213247.702569-1-zycai@linux.ibm.com>
References: <20251208213247.702569-1-zycai@linux.ibm.com>

The secure-IPL-code-loading-attributes facility (SCLAF) provides additional
security during secure IPL. Availability of SCLAF is determined by byte 136
bit 3 of the SCLP Read Info block. This feature is available starting with
the gen16 CPU model.

Signed-off-by: Zhuoying Cai
Reviewed-by: Collin Walling
---
 docs/specs/s390x-secure-ipl.rst     | 19 +++++++++++++++++++
 target/s390x/cpu_features.c         |  2 ++
 target/s390x/cpu_features_def.h.inc |  1 +
 target/s390x/cpu_models.c           |  3 +++
 target/s390x/gen-features.c         |  2 ++
 target/s390x/kvm/kvm.c              |  1 +
 6 files changed, 28 insertions(+)
diff --git a/docs/specs/s390x-secure-ipl.rst b/docs/specs/s390x-secure-ipl.= rst index 29c5d59b99..70388d77d8 100644 --- a/docs/specs/s390x-secure-ipl.rst +++ b/docs/specs/s390x-secure-ipl.rst @@ -99,3 +99,22 @@ operations such as: * certificate data =20 The guest kernel will inspect the IIRB and build the keyring. + + +Secure Code Loading Attributes Facility +--------------------------------- + +The Secure Code Loading Attributes Facility (SCLAF) enhances system securi= ty +during the IPL by enforcing additional verification rules. + +When SCLAF is available, its behavior depends on the IPL mode. It introduc= es +verification of both signed and unsigned components to help ensure that on= ly +authorized code is loaded during the IPL process. Any errors detected by S= CLAF +are reported in the IIRB. + +Unsigned components are restricted to load addresses at or above absolute +storage address ``0x2000``. + +Signed components must include a Secure Code Loading Attribute Block (SCLA= B), +which is appended at the very end of the component. The SCLAB defines secu= rity +attributes for handling the signed code. diff --git a/target/s390x/cpu_features.c b/target/s390x/cpu_features.c index 200bd8c15b..29ea3bfec2 100644 --- a/target/s390x/cpu_features.c +++ b/target/s390x/cpu_features.c @@ -120,6 +120,7 @@ void s390_fill_feat_block(const S390FeatBitmap features= , S390FeatType type, * - All SIE facilities because SIE is not available * - DIAG318 * - Secure IPL Facility + * - Secure IPL Code Loading Attributes Facility * * As VMs can move in and out of protected mode the CPU model * doesn't protect us from that problem because it is only @@ -152,6 +153,7 @@ void s390_fill_feat_block(const S390FeatBitmap features= , S390FeatType type, break; case S390_FEAT_TYPE_SCLP_FAC_IPL: clear_be_bit(s390_feat_def(S390_FEAT_SIPL)->bit, data); + clear_be_bit(s390_feat_def(S390_FEAT_SCLAF)->bit, data); break; default: return; 
diff --git a/target/s390x/cpu_features_def.h.inc b/target/s390x/cpu_feature= s_def.h.inc index 55eef618b8..ecfca0faef 100644 --- a/target/s390x/cpu_features_def.h.inc +++ b/target/s390x/cpu_features_def.h.inc @@ -142,6 +142,7 @@ DEF_FEAT(CERT_STORE, "cstore", SCLP_FAC134, 5, "Provide= Certificate Store functi =20 /* Features exposed via SCLP SCCB Facilities byte 136 - 137 (bit numbers r= elative to byte-136) */ DEF_FEAT(SIPL, "sipl", SCLP_FAC_IPL, 1, "Secure-IPL facility") +DEF_FEAT(SCLAF, "sclaf", SCLP_FAC_IPL, 3, "Secure-IPL-code-loading-attribu= tes facility") =20 /* Features exposed via SCLP CPU info. */ DEF_FEAT(SIE_F2, "sief2", SCLP_CPU, 4, "SIE: interception format 2 (Virtua= l SIE)") diff --git a/target/s390x/cpu_models.c b/target/s390x/cpu_models.c index f99536ef9a..7d214b5f72 100644 --- a/target/s390x/cpu_models.c +++ b/target/s390x/cpu_models.c @@ -264,6 +264,7 @@ bool s390_has_feat(S390Feat feat) case S390_FEAT_SIE_PFMFI: case S390_FEAT_SIE_IBS: case S390_FEAT_SIPL: + case S390_FEAT_SCLAF: case S390_FEAT_CONFIGURATION_TOPOLOGY: return false; break; @@ -509,6 +510,8 @@ static void check_consistency(const S390CPUModel *model) { S390_FEAT_DIAG_318, S390_FEAT_EXTENDED_LENGTH_SCCB }, { S390_FEAT_CERT_STORE, S390_FEAT_EXTENDED_LENGTH_SCCB }, { S390_FEAT_SIPL, S390_FEAT_EXTENDED_LENGTH_SCCB }, + { S390_FEAT_SCLAF, S390_FEAT_EXTENDED_LENGTH_SCCB }, + { S390_FEAT_SCLAF, S390_FEAT_SIPL }, { S390_FEAT_NNPA, S390_FEAT_VECTOR }, { S390_FEAT_RDP, S390_FEAT_LOCAL_TLB_CLEARING }, { S390_FEAT_UV_FEAT_AP, S390_FEAT_AP }, diff --git a/target/s390x/gen-features.c b/target/s390x/gen-features.c index bd2060ab93..c3e0c6ceff 100644 --- a/target/s390x/gen-features.c +++ b/target/s390x/gen-features.c @@ -722,6 +722,7 @@ static uint16_t full_GEN16_GA1[] =3D { S390_FEAT_UV_FEAT_AP_INTR, S390_FEAT_CERT_STORE, S390_FEAT_SIPL, + S390_FEAT_SCLAF, }; =20 static uint16_t full_GEN17_GA1[] =3D { 
@@ -924,6 +925,7 @@ static uint16_t qemu_MAX[] =3D { S390_FEAT_EXTENDED_LENGTH_SCCB, S390_FEAT_CERT_STORE, S390_FEAT_SIPL, + S390_FEAT_SCLAF, }; =20 /****** END FEATURE DEFS ******/ diff --git a/target/s390x/kvm/kvm.c b/target/s390x/kvm/kvm.c index 0ac3883a5a..8df36681c7 100644 --- a/target/s390x/kvm/kvm.c +++ b/target/s390x/kvm/kvm.c 
@@ -2522,6 +2522,7 @@ bool kvm_s390_get_host_cpu_model(S390CPUModel *model,= Error **errp) =20 /* Some Secure IPL facilities are emulated by QEMU */ set_bit(S390_FEAT_SIPL, model->features); + set_bit(S390_FEAT_SCLAF, model->features); =20 /* Test for Ultravisor features that influence secure guest behavior */ query_uv_feat_guest(model->features); --=20 2.51.1
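Review bot: The new section added to docs/specs/s390x-secure-ipl.rst names the facility "Secure Code Loading Attributes Facility", while the commit message and the DEF_FEAT description in cpu_features_def.h.inc use "Secure-IPL-code-loading-attributes facility" and the subject line uses "Secure-IPL Code Loading Attributes Facility". Pick one spelling so that SCLAF expands the same way in the spec, the feature table and the log. The heading underline also looks shorter than the title text, which Sphinx reports as a "Title underline too short" warning; extend it to the full title width. The text says the behavior "depends on the IPL mode" without stating what happens in each mode; one sentence per mode, saying what is only reported in the IIRB and what stops the IPL, would let the spec stand on its own.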
From: Zhuoying Cai
To: thuth@redhat.com, berrange@redhat.com, richard.henderson@linaro.org, david@redhat.com, jrossi@linux.ibm.com, qemu-s390x@nongnu.org, qemu-devel@nongnu.org, brueckner@linux.ibm.com
Cc: walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com
Subject: [PATCH v7 21/29] pc-bios/s390-ccw: Add additional security checks for secure boot
Date: Mon, 8 Dec 2025 16:32:38 -0500
Message-ID: <20251208213247.702569-22-zycai@linux.ibm.com>
In-Reply-To: <20251208213247.702569-1-zycai@linux.ibm.com>
References: <20251208213247.702569-1-zycai@linux.ibm.com>

Add additional checks to ensure that components do not overlap with
signed components when loaded into memory.

Add additional checks to ensure the load addresses of unsigned components
are greater than or equal to 0x2000.

When the secure IPL code loading attributes facility (SCLAF) is installed,
all signed components must contain a secure code loading attributes block
(SCLAB). The SCLAB provides further validation of information on where to
load the signed binary code from the load device, and where to start the
execution of the loaded OS code. When SCLAF is installed, its content must
be evaluated during secure IPL. However, a missing SCLAB will not be
reported in audit mode. The SCLAB checking will be skipped in this case.

Add IPL Information Error Indicators (IIEI) and Component Error Indicators
(CEI) for IPL Information Report Block (IIRB). When SCLAF is installed,
additional secure boot checks are performed during zipl and the results of
verification are stored in the IIRB.

Signed-off-by: Zhuoying Cai
---
 pc-bios/s390-ccw/iplb.h       |  26 ++-
 pc-bios/s390-ccw/s390-ccw.h   |   1 +
 pc-bios/s390-ccw/sclp.c       |   8 +
 pc-bios/s390-ccw/sclp.h       |   1 +
 pc-bios/s390-ccw/secure-ipl.c | 422 +++++++++++++++++++++++++++++++++-
 pc-bios/s390-ccw/secure-ipl.h |  55 +++++
 6 files changed, 508 insertions(+), 5 deletions(-)
diff --git a/pc-bios/s390-ccw/iplb.h b/pc-bios/s390-ccw/iplb.h index a0f58d125c..94c8da1772 100644 --- a/pc-bios/s390-ccw/iplb.h +++ b/pc-bios/s390-ccw/iplb.h @@ -32,11 +32,19 @@ struct IplInfoReportBlockHeader { }; typedef struct IplInfoReportBlockHeader IplInfoReportBlockHeader; =20 +#define S390_IPL_INFO_IIEI_NO_SIGNED_COMP 0x8000 /* bit 0 */ +#define S390_IPL_INFO_IIEI_NO_SCLAB 0x4000 /* bit 1 */ +#define S390_IPL_INFO_IIEI_NO_GLOBAL_SCLAB 0x2000 /* bit 2 */ +#define S390_IPL_INFO_IIEI_MORE_GLOBAL_SCLAB 0x1000 /* bit 3 */ +#define S390_IPL_INFO_IIEI_FOUND_UNSIGNED_COMP 0x800 /* bit 4 */ +#define S390_IPL_INFO_IIEI_MORE_SIGNED_COMP 0x400 /* bit 5 */ + struct IplInfoBlockHeader { uint32_t len; uint8_t ibt; uint8_t reserved1[3]; - uint8_t reserved2[8]; + uint16_t iiei; + uint8_t reserved2[6]; }; typedef struct IplInfoBlockHeader IplInfoBlockHeader; =20
@@ -60,13 +68,27 @@ typedef struct IplSignatureCertificateList IplSignature= CertificateList; #define S390_IPL_COMPONENT_FLAG_SC 0x80 #define S390_IPL_COMPONENT_FLAG_CSV 0x40 =20 +#define S390_IPL_COMPONENT_CEI_INVALID_SCLAB 0x80000000 /* bit= 0 */ +#define S390_IPL_COMPONENT_CEI_INVALID_SCLAB_LEN 0x40000000 /* bit= 1 */ +#define S390_IPL_COMPONENT_CEI_INVALID_SCLAB_FORMAT 0x20000000 /* bit= 2 */ +#define S390_IPL_COMPONENT_CEI_UNMATCHED_SCLAB_LOAD_ADDR 0x10000000 /* bit= 3 */ +#define S390_IPL_COMPONENT_CEI_UNMATCHED_SCLAB_LOAD_PSW 0x8000000 /* bit= 4 */ +#define S390_IPL_COMPONENT_CEI_INVALID_LOAD_PSW 0x4000000 /* bit= 5 */ +#define S390_IPL_COMPONENT_CEI_NUC_NOT_IN_GLOBAL_SCLA 0x2000000 /* bit= 6 */ +#define S390_IPL_COMPONENT_CEI_SCLAB_OLA_NOT_ONE 0x1000000 /* bit= 7 */ +#define S390_IPL_COMPONENT_CEI_SC_NOT_IN_GLOBAL_SCLAB 0x800000 /* bit= 8 */ +#define S390_IPL_COMPONENT_CEI_SCLAB_LOAD_ADDR_NOT_ZERO 0x400000 /* bit= 9 */ +#define S390_IPL_COMPONENT_CEI_SCLAB_LOAD_PSW_NOT_ZERO 0x200000 /* bit= 10 */ +#define S390_IPL_COMPONENT_CEI_INVALID_UNSIGNED_ADDR 0x100000 /* bit= 11 */ + struct IplDeviceComponentEntry { uint64_t addr; uint64_t len; uint8_t flags; uint8_t reserved1[5]; uint16_t cert_index; - uint8_t reserved2[8]; + uint32_t cei; + uint8_t reserved2[4]; }; typedef struct IplDeviceComponentEntry IplDeviceComponentEntry; =20 diff --git a/pc-bios/s390-ccw/s390-ccw.h b/pc-bios/s390-ccw/s390-ccw.h index c2ba40d067..6d51d07c90 100644 --- a/pc-bios/s390-ccw/s390-ccw.h +++ b/pc-bios/s390-ccw/s390-ccw.h @@ -69,6 +69,7 @@ void sclp_setup(void); void sclp_get_loadparm_ascii(char *loadparm); bool sclp_is_diag320_on(void); bool sclp_is_sipl_on(void); +bool sclp_is_sclaf_on(void); int sclp_read(char *str, size_t count); =20 /* virtio.c */ diff --git a/pc-bios/s390-ccw/sclp.c b/pc-bios/s390-ccw/sclp.c index 0b03c3164f..16f973dde8 100644 --- a/pc-bios/s390-ccw/sclp.c +++ b/pc-bios/s390-ccw/sclp.c 
@@ -157,6 +157,14 @@ bool sclp_is_sipl_on(void) return fac_ipl & SCCB_FAC_IPL_SIPL_BIT; } =20 +bool sclp_is_sclaf_on(void) +{ + uint16_t fac_ipl =3D 0; + + sclp_get_fac_ipl(&fac_ipl); + return fac_ipl & SCCB_FAC_IPL_SCLAF_BIT; +} + int sclp_read(char *str, size_t count) { ReadEventData *sccb =3D (void *)_sccb; diff --git a/pc-bios/s390-ccw/sclp.h b/pc-bios/s390-ccw/sclp.h index cf147f4634..3441020d6b 100644 --- a/pc-bios/s390-ccw/sclp.h +++ b/pc-bios/s390-ccw/sclp.h @@ -52,6 +52,7 @@ typedef struct SCCBHeader { #define SCCB_DATA_LEN (SCCB_SIZE - sizeof(SCCBHeader)) #define SCCB_FAC134_DIAG320_BIT 0x4 #define SCCB_FAC_IPL_SIPL_BIT 0x4000 +#define SCCB_FAC_IPL_SCLAF_BIT 0x1000 =20 typedef struct ReadInfo { SCCBHeader h; diff --git a/pc-bios/s390-ccw/secure-ipl.c b/pc-bios/s390-ccw/secure-ipl.c index c1c5bc682a..8733254cfb 100644 --- a/pc-bios/s390-ccw/secure-ipl.c +++ b/pc-bios/s390-ccw/secure-ipl.c @@ -206,6 +206,12 @@ static bool secure_ipl_supported(void) return false; } =20 + if (!sclp_is_sclaf_on()) { + puts("Secure IPL Code Loading Attributes Facility is not supported= by" + " the hypervisor!"); + return false; + } + return true; } =20 
@@ -218,6 +224,402 @@ static void init_lists(IplDeviceComponentList *comps,= IplSignatureCertificateLis certs->ipl_info_header.len =3D sizeof(certs->ipl_info_header); } =20 +static bool is_comp_overlap(SecureIplCompAddrRange *comp_addr_range, + int addr_range_index, + uint64_t start_addr, uint64_t end_addr) +{ + /* neither a signed nor an unsigned component can overlap with a signe= d component */ + for (int i =3D 0; i < addr_range_index; i++) { + if ((comp_addr_range[i].start_addr <=3D end_addr - 1 && + start_addr <=3D comp_addr_range[i].end_addr - 1) && + comp_addr_range[i].is_signed) { + return true; + } + } + + return false; +} + +static void comp_addr_range_add(SecureIplCompAddrRange *comp_addr_range, + int addr_range_index, bool is_signed, + uint64_t start_addr, uint64_t end_addr) +{ + if (addr_range_index > MAX_CERTIFICATES - 1) { + printf("Warning: Ignoring component address range index [%d]" + " because it's over %d index\n", + addr_range_index, MAX_CERTIFICATES); + return; + } + + comp_addr_range[addr_range_index].is_signed =3D is_signed; + comp_addr_range[addr_range_index].start_addr =3D start_addr; + comp_addr_range[addr_range_index].end_addr =3D end_addr; +} + +static void check_unsigned_addr(uint64_t load_addr, IplDeviceComponentList= *comps, + int comp_index) +{ + uint32_t flag; + bool valid; + + /* unsigned load address must be greater than or equal to 0x2000 */ + valid =3D load_addr >=3D 0x2000; + if (!valid) { + flag =3D S390_IPL_COMPONENT_CEI_INVALID_UNSIGNED_ADDR; + set_cei_with_log(comps, comp_index, flag, + "Load address is less than 0x2000"); + } +} + +static void addr_overlap_check(SecureIplCompAddrRange *comp_addr_range, + int *addr_range_index, + uint64_t start_addr, uint64_t end_addr, boo= l is_signed) +{ + bool overlap; + + overlap =3D is_comp_overlap(comp_addr_range, *addr_range_index, + start_addr, end_addr); + if (!overlap) { + comp_addr_range_add(comp_addr_range, *addr_range_index, is_signed, + start_addr, end_addr); + 
*addr_range_index +=3D 1; + } else { + zipl_secure_handle("Component addresses overlap"); + } +} + +static bool check_sclab_presence(uint8_t *sclab_magic, + IplDeviceComponentList *comps, int comp_i= ndex) +{ + /* identifies the presence of SCLAB */ + if (!magic_match(sclab_magic, ZIPL_MAGIC)) { + comps->device_entries[comp_index].cei |=3D S390_IPL_COMPONENT_CEI_= INVALID_SCLAB; + + /* a missing SCLAB will not be reported in audit mode */ + return false; + } + + return true; +} + +static void check_sclab_length(uint16_t sclab_len, + IplDeviceComponentList *comps, int comp_ind= ex) +{ + uint32_t flag; + bool valid; + + /* minimum SCLAB length is 32 bytes */ + valid =3D sclab_len >=3D 32; + if (!valid) { + flag =3D S390_IPL_COMPONENT_CEI_INVALID_SCLAB_LEN | + S390_IPL_COMPONENT_CEI_INVALID_SCLAB; + set_cei_with_log(comps, comp_index, flag, "Invalid SCLAB length"); + } +} + +static void check_sclab_format(uint8_t sclab_format, + IplDeviceComponentList *comps, int comp_ind= ex) +{ + uint32_t flag; + bool valid; + + /* SCLAB format must set to zero, indicating a format-0 SCLAB being us= ed */ + valid =3D sclab_format =3D=3D 0; + if (!valid) { + flag =3D S390_IPL_COMPONENT_CEI_INVALID_SCLAB_FORMAT; + set_cei_with_log(comps, comp_index, flag, + "Format-0 SCLAB is not being use"); + } +} + +static void check_sclab_opsw(SecureCodeLoadingAttributesBlock *sclab, + SecureIplSclabInfo *sclab_info, + IplDeviceComponentList *comps, int comp_index) +{ + const char *msg; + uint32_t flag; + bool is_opsw_set; + bool valid; + + is_opsw_set =3D is_sclab_flag_set(sclab->flags, S390_SECURE_IPL_SCLAB_= FLAG_OPSW); + if (!is_opsw_set) { + /* OPSW =3D 0 - Load PSW field in SCLAB must contain zeros */ + valid =3D sclab->load_psw =3D=3D 0; + if (!valid) { + flag =3D S390_IPL_COMPONENT_CEI_SCLAB_LOAD_PSW_NOT_ZERO; + msg =3D "Load PSW is not zero when Override PSW bit is zero"; + set_cei_with_log(comps, comp_index, flag, msg); + } + } else { + /* OPSW =3D 1 indicating global SCLAB */ + 
sclab_info->global_count +=3D 1; + if (sclab_info->global_count =3D=3D 1) { + sclab_info->load_psw =3D sclab->load_psw; + sclab_info->flags =3D sclab->flags; + } + + /* OLA must set to one */ + valid =3D is_sclab_flag_set(sclab->flags, S390_SECURE_IPL_SCLAB_FL= AG_OLA); + if (!valid) { + flag =3D S390_IPL_COMPONENT_CEI_SCLAB_OLA_NOT_ONE; + msg =3D "Override Load Address bit is not set to one in the gl= obal SCLAB"; + set_cei_with_log(comps, comp_index, flag, msg); + } + } +} + +static void check_sclab_ola(SecureCodeLoadingAttributesBlock *sclab, + uint64_t load_addr, IplDeviceComponentList *co= mps, + int comp_index) +{ + const char *msg; + uint32_t flag; + bool is_ola_set; + bool valid; + + is_ola_set =3D is_sclab_flag_set(sclab->flags, S390_SECURE_IPL_SCLAB_F= LAG_OLA); + if (!is_ola_set) { + /* OLA =3D 0 - Load address field in SCLAB must contain zeros */ + valid =3D sclab->load_addr =3D=3D 0; + if (!valid) { + flag =3D S390_IPL_COMPONENT_CEI_SCLAB_LOAD_ADDR_NOT_ZERO; + msg =3D "Load Address is not zero when Override Load Address b= it is zero"; + set_cei_with_log(comps, comp_index, flag, msg); + } + + } else { + /* OLA =3D 1 - Load address field must match storage address of th= e component */ + valid =3D sclab->load_addr =3D=3D load_addr; + if (!valid) { + flag =3D S390_IPL_COMPONENT_CEI_UNMATCHED_SCLAB_LOAD_ADDR; + msg =3D "Load Address does not match with component load addre= ss"; + set_cei_with_log(comps, comp_index, flag, msg); + } + } +} + +static void check_sclab_nuc(uint16_t sclab_flags, IplDeviceComponentList *= comps, + int comp_index) +{ + const char *msg; + uint32_t flag; + bool is_nuc_set; + bool is_global_sclab; + + is_nuc_set =3D is_sclab_flag_set(sclab_flags, S390_SECURE_IPL_SCLAB_FL= AG_NUC); + is_global_sclab =3D is_sclab_flag_set(sclab_flags, S390_SECURE_IPL_SCL= AB_FLAG_OPSW); + if (is_nuc_set && !is_global_sclab) { + flag =3D S390_IPL_COMPONENT_CEI_NUC_NOT_IN_GLOBAL_SCLA; + msg =3D "No Unsigned Components bit is set, but not in the global 
= SCLAB"; + set_cei_with_log(comps, comp_index, flag, msg); + } +} + +static void check_sclab_sc(uint16_t sclab_flags, IplDeviceComponentList *c= omps, + int comp_index) +{ + const char *msg; + uint32_t flag; + bool is_sc_set; + bool is_global_sclab; + + is_sc_set =3D is_sclab_flag_set(sclab_flags, S390_SECURE_IPL_SCLAB_FLA= G_SC); + is_global_sclab =3D is_sclab_flag_set(sclab_flags, S390_SECURE_IPL_SCL= AB_FLAG_OPSW); + if (is_sc_set && !is_global_sclab) { + flag =3D S390_IPL_COMPONENT_CEI_SC_NOT_IN_GLOBAL_SCLAB; + msg =3D "Single Component bit is set, but not in the global SCLAB"; + set_cei_with_log(comps, comp_index, flag, msg); + } +} + +static bool is_psw_valid(uint64_t psw, SecureIplCompAddrRange *comp_addr_r= ange, + int range_index) +{ + uint32_t addr =3D psw & 0x7fffffff; + + /* PSW points within a signed binary code component */ + for (int i =3D 0; i < range_index; i++) { + if (comp_addr_range[i].is_signed && + addr >=3D comp_addr_range[i].start_addr && + addr <=3D comp_addr_range[i].end_addr - 2) { + return true; + } + } + + return false; +} + +static void check_load_psw(SecureIplCompAddrRange *comp_addr_range, + int addr_range_index, uint64_t sclab_load_psw, + uint64_t load_psw, IplDeviceComponentList *comp= s, + int comp_index) +{ + uint32_t flag; + const char *msg; + bool valid; + + valid =3D is_psw_valid(sclab_load_psw, comp_addr_range, addr_range_ind= ex) && + is_psw_valid(load_psw, comp_addr_range, addr_range_index); + if (!valid) { + flag =3D S390_IPL_COMPONENT_CEI_INVALID_LOAD_PSW; + msg =3D "Invalid PSW"; + set_cei_with_log(comps, comp_index, flag, msg); + } + + /* compare load PSW with the PSW specified in component */ + valid =3D sclab_load_psw =3D=3D load_psw; + if (!valid) { + flag =3D S390_IPL_COMPONENT_CEI_UNMATCHED_SCLAB_LOAD_PSW; + msg =3D "Load PSW does not match with PSW in component"; + set_cei_with_log(comps, comp_index, flag, msg); + } +} + +static void check_nuc(uint16_t global_sclab_flags, int unsigned_count, + 
IplDeviceComponentList *comps) +{ + uint16_t flag; + const char *msg; + bool is_nuc_set; + + is_nuc_set =3D is_sclab_flag_set(global_sclab_flags, S390_SECURE_IPL_S= CLAB_FLAG_NUC); + if (is_nuc_set && unsigned_count > 0) { + flag =3D S390_IPL_INFO_IIEI_FOUND_UNSIGNED_COMP; + msg =3D "Unsigned components are not allowed"; + set_iiei_with_log(comps, flag, msg); + } +} + +static void check_sc(uint16_t global_sclab_flags, int signed_count, + IplDeviceComponentList *comps) +{ + uint16_t flag; + const char *msg; + bool is_sc_set; + + is_sc_set =3D is_sclab_flag_set(global_sclab_flags, S390_SECURE_IPL_SC= LAB_FLAG_SC); + if (is_sc_set && signed_count !=3D 1) { + flag =3D S390_IPL_INFO_IIEI_MORE_SIGNED_COMP; + msg =3D "Only one signed component is allowed"; + set_iiei_with_log(comps, flag, msg); + } +} + +void check_global_sclab(SecureIplSclabInfo sclab_info, + SecureIplCompAddrRange *comp_addr_range, + int addr_range_index, uint64_t load_psw, + int unsigned_count, int signed_count, + IplDeviceComponentList *comps, int comp_index) +{ + uint16_t flag; + const char *msg; + + if (sclab_info.count =3D=3D 0) { + return; + } + + if (sclab_info.global_count =3D=3D 0) { + flag =3D S390_IPL_INFO_IIEI_NO_GLOBAL_SCLAB; + msg =3D "Global SCLAB does not exists"; + set_iiei_with_log(comps, flag, msg); + return; + } + + if (sclab_info.global_count > 1) { + flag =3D S390_IPL_INFO_IIEI_MORE_GLOBAL_SCLAB; + msg =3D "More than one global SCLAB"; + set_iiei_with_log(comps, flag, msg); + return; + } + + if (sclab_info.load_psw) { + /* Verify PSW from the final component entry with PSW from the glo= bal SCLAB */ + check_load_psw(comp_addr_range, addr_range_index, + sclab_info.load_psw, load_psw, + comps, comp_index); + } + + if (sclab_info.flags) { + /* Unsigned components are not allowed if NUC flag is set in the g= lobal SCLAB */ + check_nuc(sclab_info.flags, unsigned_count, comps); + + /* Only one signed component is allowed is SC flag is set in the g= lobal SCLAB */ + 
check_sc(sclab_info.flags, signed_count, comps); + } +} + +static void check_signed_comp(int signed_count, IplDeviceComponentList *co= mps) +{ + uint16_t flag; + const char *msg; + + if (signed_count > 0) { + return; + } + + flag =3D S390_IPL_INFO_IIEI_NO_SIGNED_COMP; + msg =3D "Secure boot is on, but components are not signed"; + set_iiei_with_log(comps, flag, msg); +} + +static void check_sclab_count(int count, IplDeviceComponentList *comps) +{ + uint16_t flag; + const char *msg; + + if (count > 0) { + return; + } + + flag =3D S390_IPL_INFO_IIEI_NO_SCLAB; + msg =3D "No recognizable SCLAB"; + set_iiei_with_log(comps, flag, msg); +} + +static void check_unsigned_comp(uint64_t comp_addr, IplDeviceComponentList= *comps, + int comp_index, int cert_index, uint64_t c= omp_len) +{ + check_unsigned_addr(comp_addr, comps, comp_index); + + comp_list_add(comps, comp_index, cert_index, comp_addr, comp_len, 0x00= ); +} + +static void check_sclab(uint64_t comp_addr, IplDeviceComponentList *comps, + uint64_t comp_len, int comp_index, SecureIplSclabI= nfo *sclab_info) +{ + SclabOriginLocator *sclab_locator; + SecureCodeLoadingAttributesBlock *sclab; + bool exist; + bool valid; + + sclab_locator =3D (SclabOriginLocator *)(comp_addr + comp_len - 8); + + /* return early if sclab does not exist */ + exist =3D check_sclab_presence(sclab_locator->magic, comps, comp_index= ); + if (!exist) { + return; + } + + check_sclab_length(sclab_locator->len, comps, comp_index); + + /* return early if sclab is invalid */ + valid =3D (comps->device_entries[comp_index].cei & + S390_IPL_COMPONENT_CEI_INVALID_SCLAB) =3D=3D 0; + if (!valid) { + return; + } + + sclab_info->count +=3D 1; + sclab =3D (SecureCodeLoadingAttributesBlock *)(comp_addr + comp_len - + sclab_locator->len); + + check_sclab_format(sclab->format, comps, comp_index); + check_sclab_opsw(sclab, sclab_info, comps, comp_index); + check_sclab_ola(sclab, comp_addr, comps, comp_index); + check_sclab_nuc(sclab->flags, comps, comp_index); + 
check_sclab_sc(sclab->flags, comps, comp_index); +} + static uint32_t zipl_load_signature(ComponentEntry *entry, uint64_t sig_se= c) { uint32_t sig_len; @@ -284,7 +686,11 @@ int zipl_run_secure(ComponentEntry **entry_ptr, uint8_= t *tmp_sec) */ int cert_table[MAX_CERTIFICATES] =3D { [0 ... MAX_CERTIFICATES - 1] = =3D -1}; int rc; + SecureIplCompAddrRange comp_addr_range[MAX_CERTIFICATES]; + int addr_range_index =3D 0; int signed_count =3D 0; + int unsigned_count =3D 0; + SecureIplSclabInfo sclab_info =3D { 0 }; =20 if (!secure_ipl_supported()) { return -1; @@ -314,10 +720,18 @@ int zipl_run_secure(ComponentEntry **entry_ptr, uint8= _t *tmp_sec) goto out; } =20 + addr_overlap_check(comp_addr_range, &addr_range_index, + comp_addr, comp_addr + comp_len, sig_len > = 0); + if (!sig_len) { + check_unsigned_comp(comp_addr, &comps, + comp_entry_idx, cert_entry_idx, comp_l= en); + unsigned_count +=3D 1; + comp_entry_idx++; break; } =20 + check_sclab(comp_addr, &comps, comp_len, comp_entry_idx, &scla= b_info); verified =3D verify_signature(comp_len, comp_addr, sig_len, (u= int64_t)sig, &cert_len, &cert_table_idx); =20 @@ -363,9 +777,11 @@ int zipl_run_secure(ComponentEntry **entry_ptr, uint8_= t *tmp_sec) } } =20 - if (signed_count =3D=3D 0) { - zipl_secure_handle("Secure boot is on, but components are not sign= ed"); - } + check_signed_comp(signed_count, &comps); + check_sclab_count(sclab_info.count, &comps); + check_global_sclab(sclab_info, comp_addr_range, addr_range_index, + entry->compdat.load_psw, unsigned_count, signed_cou= nt, + &comps, comp_entry_idx); =20 if (update_iirb(&comps, &certs)) { zipl_secure_handle("Failed to write IPL Information Report Block"); diff --git a/pc-bios/s390-ccw/secure-ipl.h b/pc-bios/s390-ccw/secure-ipl.h index a6fc1ac8de..6ff4f0382c 100644 --- a/pc-bios/s390-ccw/secure-ipl.h +++ b/pc-bios/s390-ccw/secure-ipl.h 
@@ -16,6 +16,42 @@ VCStorageSizeBlock *zipl_secure_get_vcssb(void); int zipl_run_secure(ComponentEntry **entry_ptr, uint8_t *tmp_sec); =20 +#define S390_SECURE_IPL_SCLAB_FLAG_OPSW 0x8000 +#define S390_SECURE_IPL_SCLAB_FLAG_OLA 0x4000 +#define S390_SECURE_IPL_SCLAB_FLAG_NUC 0x2000 +#define S390_SECURE_IPL_SCLAB_FLAG_SC 0x1000 + +struct SecureCodeLoadingAttributesBlock { + uint8_t format; + uint8_t reserved1; + uint16_t flags; + uint8_t reserved2[4]; + uint64_t load_psw; + uint64_t load_addr; + uint64_t reserved3[]; +} __attribute__ ((packed)); +typedef struct SecureCodeLoadingAttributesBlock SecureCodeLoadingAttribute= sBlock; + +struct SclabOriginLocator { + uint8_t reserved[2]; + uint16_t len; + uint8_t magic[4]; +} __attribute__ ((packed)); +typedef struct SclabOriginLocator SclabOriginLocator; + +typedef struct SecureIplCompAddrRange { + bool is_signed; + uint64_t start_addr; + uint64_t end_addr; +} SecureIplCompAddrRange; + +typedef struct SecureIplSclabInfo { + int count; + int global_count; + uint64_t load_psw; + uint16_t flags; +} SecureIplSclabInfo; + static inline void zipl_secure_handle(const char *message) { switch (boot_mode) { 
@@ -27,6 +63,25 @@ static inline void zipl_secure_handle(const char *messag= e) } } =20 +static inline bool is_sclab_flag_set(uint16_t sclab_flags, uint16_t flag) +{ + return (sclab_flags & flag) !=3D 0; +} + +static inline void set_cei_with_log(IplDeviceComponentList *comps, int com= p_index, + uint32_t flag, const char *message) +{ + comps->device_entries[comp_index].cei |=3D flag; + zipl_secure_handle(message); +} + +static inline void set_iiei_with_log(IplDeviceComponentList *comps, uint16= _t flag, + const char *message) +{ + comps->ipl_info_header.iiei |=3D flag; + zipl_secure_handle(message); +} + static inline uint64_t diag320(void *data, unsigned long subcode) { register unsigned long addr asm("0") =3D (unsigned long)data; --=20 2.51.1
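Review bot: in the second iplb.h hunk the macro `S390_IPL_COMPONENT_CEI_NUC_NOT_IN_GLOBAL_SCLA` is missing the trailing `B` that its sibling `S390_IPL_COMPONENT_CEI_SC_NOT_IN_GLOBAL_SCLAB` has, and the typo is then carried into `check_sclab_nuc()`. Rename it before it becomes part of the interface. The mask values would also be easier to audit against the bit comments if they were written at a fixed width (`0x0800`, `0x0400` for the IIEI bits, eight hex digits for the CEI bits).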
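Review bot: the `sclp_is_sclaf_on()` test added to `secure_ipl_supported()` makes SCLAF a hard prerequisite, because a false result makes `zipl_run_secure()` return -1, while the commit message only says the extra checks run "when SCLAF is installed". If secure IPL is meant to keep working on a hypervisor without SCLAF, gate only the SCLAB checks on the facility bit; if the hard requirement is intended, state it in the commit message.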
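Review bot: in the large secure-ipl.c hunk, the bound check in `comp_addr_range_add()` only skips the store; `addr_overlap_check()` still executes `*addr_range_index += 1` afterwards, so once the index passes `MAX_CERTIFICATES - 1` the loops in `is_comp_overlap()` and `is_psw_valid()` read `comp_addr_range[i]` beyond the `comp_addr_range[MAX_CERTIFICATES]` array declared in `zipl_run_secure()`. Let `comp_addr_range_add()` return a status and increment only on success, or fail the IPL when the table is full; the table holds components rather than certificates, so a dedicated limit would be clearer. In the same hunk, `is_comp_overlap()` tests only `comp_addr_range[i].is_signed`, so a signed component that overlaps an earlier unsigned range is accepted despite the comment above the loop; pass the new component's `is_signed` in and check both directions. `check_sclab()` computes `comp_addr + comp_len - 8` without first checking `comp_len >= 8`, and `check_sclab_length()` enforces only the 32-byte minimum, so a `sclab_locator->len` larger than `comp_len` places the `sclab` pointer below `comp_addr`; add the upper bound. `check_global_sclab()` is the only new function here that is not `static`, and no prototype is added for it in secure-ipl.h. The strings "Format-0 SCLAB is not being use" and "Global SCLAB does not exists" need a grammar pass.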
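Review bot: in the `@@ -314,10 +720,18 @@` hunk of `zipl_run_secure()`, `check_sclab()` is called before `verify_signature()`, so the `count`, `global_count`, `load_psw` and `flags` values in `sclab_info` are taken from a component whose signature has not been checked yet. Run the SCLAB checks only after `verified` is known to be true, or add a comment explaining why the SCLAB has to be parsed first and how a later verification failure discards what was recorded.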
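Review bot: in the `@@ -363,9 +777,11 @@` hunk, `check_global_sclab()` is passed `comp_entry_idx` after the loop, but the unsigned branch added above has already done `comp_entry_idx++`, so `check_load_psw()` ends up calling `set_cei_with_log()` on the slot after the last component instead of on the final component entry that the comment in `check_global_sclab()` refers to. Pass the index of the last populated entry (and make sure it is inside `device_entries`), or confirm the current index is the intended one.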
From: Zhuoying Cai To: thuth@redhat.com, berrange@redhat.com, richard.henderson@linaro.org, david@redhat.com, jrossi@linux.ibm.com, qemu-s390x@nongnu.org, qemu-devel@nongnu.org, brueckner@linux.ibm.com Cc: walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com Subject: [PATCH v7 22/29] Add secure-boot to s390-ccw-virtio machine type option Date: Mon, 8 Dec 2025 16:32:39 -0500 Message-ID: <20251208213247.702569-23-zycai@linux.ibm.com> X-Mailer: git-send-email 2.51.1 In-Reply-To: <20251208213247.702569-1-zycai@linux.ibm.com> References: <20251208213247.702569-1-zycai@linux.ibm.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Add secure-boot as a parameter of s390-ccw-virtio machine type option. The `secure-boot=on|off` parameter is implemented to enable secure IPL. By default, secure-boot is set to false if not specified in the command line. Signed-off-by: Zhuoying Cai --- docs/system/s390x/secure-ipl.rst | 22 +++++++++++++++++----- hw/s390x/s390-virtio-ccw.c | 22 ++++++++++++++++++++++ include/hw/s390x/s390-virtio-ccw.h | 1 + qemu-options.hx | 6 +++++- 4 files changed, 45 insertions(+), 6 deletions(-) diff --git a/docs/system/s390x/secure-ipl.rst b/docs/system/s390x/secure-ip= l.rst index 8958a51f0b..675724d324 100644 --- a/docs/system/s390x/secure-ipl.rst 
+++ b/docs/system/s390x/secure-ipl.rst @@ -19,19 +19,31 @@ Note: certificate files must have a .pem extension. =20 qemu-system-s390x -machine s390-ccw-virtio,boot-certs.0.path=3D/.../qe= mu/certs,boot-certs.1.path=3D/another/path/cert.pem ... =20 +Enabling Secure IPL +------------------- + +Secure IPL is enabled by explicitly setting ``secure-boot=3Don``; if not +specified, secure boot is considered off. + +.. code-block:: shell + + qemu-system-s390x -machine s390-ccw-virtio,secure-boot=3Don|off + =20 IPL Modes =3D=3D=3D=3D=3D=3D=3D=3D=3D Multiple IPL modes are available to differentiate between the various IPL -configurations. These modes are mutually exclusive and enabled based on the -``boot-certs`` option on the QEMU command line. +configurations. These modes are mutually exclusive and enabled based on sp= ecific +combinations of the ``secure-boot`` and ``boot-certs`` options on the QEMU +command line. =20 Normal Mode ----------- =20 -The absence of certificates will attempt to IPL a guest without secure IPL -operations. No checks are performed, and no warnings/errors are reported. -This is the default mode. +The absence of both certificates and the ``secure-boot`` option will attem= pt to +IPL a guest without secure IPL operations. No checks are performed, and no +warnings/errors are reported. This is the default mode, and can be explic= itly +enabled with ``secure-boot=3Doff``. =20 Configuration: =20 diff --git a/hw/s390x/s390-virtio-ccw.c b/hw/s390x/s390-virtio-ccw.c index d880613fe7..7957dae1b0 100644 --- a/hw/s390x/s390-virtio-ccw.c +++ b/hw/s390x/s390-virtio-ccw.c 
@@ -803,6 +803,21 @@ static void machine_set_boot_certs(Object *obj, Visito= r *v, const char *name, ms->boot_certs =3D cert_list; } =20 +static inline bool machine_get_secure_boot(Object *obj, Error **errp) +{ + S390CcwMachineState *ms =3D S390_CCW_MACHINE(obj); + + return ms->secure_boot; +} + +static inline void machine_set_secure_boot(Object *obj, bool value, + Error **errp) +{ + S390CcwMachineState *ms =3D S390_CCW_MACHINE(obj); + + ms->secure_boot =3D value; +} + static void ccw_machine_class_init(ObjectClass *oc, const void *data) { MachineClass *mc =3D MACHINE_CLASS(oc); @@ -861,6 +876,13 @@ static void ccw_machine_class_init(ObjectClass *oc, co= nst void *data) machine_get_boot_certs, machine_set_boot_cer= ts, NULL, NULL); object_class_property_set_description(oc, "boot-certs", "provide paths to a directory and/or a certificate file for se= cure boot"); + + object_class_property_add_bool(oc, "secure-boot", + machine_get_secure_boot, + machine_set_secure_boot); + object_class_property_set_description(oc, "secure-boot", + "enable/disable secure boot"); + } =20 static inline void s390_machine_initfn(Object *obj) diff --git a/include/hw/s390x/s390-virtio-ccw.h b/include/hw/s390x/s390-vir= tio-ccw.h index 7c30ba22cb..4e9c08d9d9 100644 --- a/include/hw/s390x/s390-virtio-ccw.h +++ b/include/hw/s390x/s390-virtio-ccw.h @@ -29,6 +29,7 @@ struct S390CcwMachineState { bool aes_key_wrap; bool dea_key_wrap; bool pv; + bool secure_boot; uint8_t loadparm[8]; uint64_t memory_limit; uint64_t max_pagesize; diff --git a/qemu-options.hx b/qemu-options.hx index 06ce35e58b..23bccb9a3c 100644 --- a/qemu-options.hx +++ b/qemu-options.hx 
@@ -45,7 +45,8 @@ DEF("machine", HAS_ARG, QEMU_OPTION_machine, \ " memory-backend=3D'backend-id' specifies explicitly pr= ovided backend for main RAM (default=3Dnone)\n" " cxl-fmw.0.targets.0=3Dfirsttarget,cxl-fmw.0.targets.1= =3Dsecondtarget,cxl-fmw.0.size=3Dsize[,cxl-fmw.0.interleave-granularity=3Dg= ranularity]\n" " smp-cache.0.cache=3Dcachename,smp-cache.0.topology=3D= topologylevel\n" - " boot-certs.0.path=3D/path/directory,boot-certs.1.path= =3D/path/file provides paths to a directory and/or a certificate file\n", + " boot-certs.0.path=3D/path/directory,boot-certs.1.path= =3D/path/file provides paths to a directory and/or a certificate file\n" + " secure-boot=3Don|off enable/disable secure boot (defa= ult=3Doff) \n", QEMU_ARCH_ALL) SRST ``-machine [type=3D]name[,prop=3Dvalue[,...]]`` 
@@ -209,6 +210,9 @@ SRST =20 ``boot-certs.0.path=3D/path/directory,boot-certs.1.path=3D/path/file`` Provide paths to a directory and/or a certificate file on the host= [s390x only]. + + ``secure-boot=3Don|off`` + Enables or disables secure boot on s390-ccw guest. The default is = off. ERST =20 DEF("M", HAS_ARG, QEMU_OPTION_M, --=20 2.51.1
From: Zhuoying Cai
To: thuth@redhat.com, berrange@redhat.com, richard.henderson@linaro.org, david@redhat.com, jrossi@linux.ibm.com, qemu-s390x@nongnu.org, qemu-devel@nongnu.org, brueckner@linux.ibm.com
Cc: walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com
Subject: [PATCH v7 23/29] hw/s390x/ipl: Set IPIB flags for secure IPL
Date: Mon, 8 Dec 2025 16:32:40 -0500
Message-ID: <20251208213247.702569-24-zycai@linux.ibm.com>
In-Reply-To: <20251208213247.702569-1-zycai@linux.ibm.com>
References: <20251208213247.702569-1-zycai@linux.ibm.com>

If `-secure-boot on` is specified on the command line option, indicating true secure IPL enabled, set Secure-IPL bit and IPL-Information-Report bit on in IPIB Flags field, and trigger true secure IPL in the S390 BIOS.

Any error that occurs during true secure IPL will cause the IPL to terminate.

Signed-off-by: Zhuoying Cai --- hw/s390x/ipl.c | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/hw/s390x/ipl.c b/hw/s390x/ipl.c index a95a1de647..bfac156afe 100644 --- a/hw/s390x/ipl.c +++ b/hw/s390x/ipl.c 
@@ -439,6 +439,11 @@ static bool s390_has_certificate(void) return ipl->cert_store.count > 0; } =20 +static bool s390_secure_boot_enabled(void) +{ + return S390_CCW_MACHINE(qdev_get_machine())->secure_boot; +} + static bool s390_build_iplb(DeviceState *dev_st, IplParameterBlock *iplb) { CcwDevice *ccw_dev =3D NULL; @@ -496,6 +501,18 @@ static bool s390_build_iplb(DeviceState *dev_st, IplPa= rameterBlock *iplb) s390_ipl_convert_loadparm((char *)lp, iplb->loadparm); iplb->flags |=3D DIAG308_FLAGS_LP_VALID; =20 + /* + * If secure-boot is enabled, then toggle the secure IPL flags to + * trigger secure boot in the s390 BIOS. + * + * Boot process will terminate if any error occurs during secure b= oot. + * + * If SIPL is on, IPLIR must also be on. + */ + if (s390_secure_boot_enabled()) { + iplb->hdr_flags |=3D (DIAG308_IPIB_FLAGS_SIPL | DIAG308_IPIB_F= LAGS_IPLIR); + iplb->len =3D cpu_to_be32(S390_IPLB_MAX_LEN); + } /* * Secure boot in audit mode will perform * if certificate(s) exist in the key store. 
@@ -505,7 +522,7 @@ static bool s390_build_iplb(DeviceState *dev_st, IplPar= ameterBlock *iplb) * * Results of secure boot will be stored in IIRB. */ - if (s390_has_certificate()) { + else if (s390_has_certificate()) { iplb->hdr_flags |=3D DIAG308_IPIB_FLAGS_IPLIR; iplb->len =3D cpu_to_be32(S390_IPLB_MAX_LEN); } --=20 2.51.1
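Review bot: in s390_build_iplb() the changed line `else if (s390_has_certificate()) {` is separated from the closing brace of the new `if (s390_secure_boot_enabled())` block by the whole audit-mode comment, so the two branches do not read as one chain and the layout departs from the `} else if (...) {` form that QEMU's coding style uses. Suggest moving the audit-mode comment inside the `else if` body, or merging it into the comment above the `if`, so the chain becomes `} else if (s390_has_certificate()) {`. Two smaller points on the same block: the new comment says the secure IPL flags are "toggled" while `|=` only sets them, and both branches assign `iplb->len = cpu_to_be32(S390_IPLB_MAX_LEN)`, which could be done once after the flags are chosen.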
From: Zhuoying Cai
To: thuth@redhat.com, berrange@redhat.com, richard.henderson@linaro.org, david@redhat.com, jrossi@linux.ibm.com, qemu-s390x@nongnu.org, qemu-devel@nongnu.org, brueckner@linux.ibm.com
Cc: walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com
Subject: [PATCH v7 24/29] pc-bios/s390-ccw: Handle true secure IPL mode
Date: Mon, 8 Dec 2025 16:32:41 -0500
Message-ID: <20251208213247.702569-25-zycai@linux.ibm.com>
In-Reply-To: <20251208213247.702569-1-zycai@linux.ibm.com>
References: <20251208213247.702569-1-zycai@linux.ibm.com>

When secure boot is enabled (-secure-boot on) and certificate(s) are provided, the boot operates in True Secure IPL mode.

Any verification error during True Secure IPL mode will cause the entire boot process to terminate.

Secure IPL in audit mode requires at least one certificate provided in the key store along with necessary facilities. If secure boot is enabled but no certificate is provided, the boot process will also terminate, as this is not a valid secure boot configuration.

Note: True Secure IPL mode is implemented for the SCSI scheme of virtio-blk/virtio-scsi devices.

Signed-off-by: Zhuoying Cai --- docs/system/s390x/secure-ipl.rst | 13 +++++++++++++ pc-bios/s390-ccw/bootmap.c | 19 ++++++++++++++++--- pc-bios/s390-ccw/main.c | 7 ++++++- pc-bios/s390-ccw/s390-ccw.h | 2 ++ pc-bios/s390-ccw/secure-ipl.c | 4 ++++ pc-bios/s390-ccw/secure-ipl.h | 3 +++ 6 files changed, 44 insertions(+), 4 deletions(-) diff --git a/docs/system/s390x/secure-ipl.rst b/docs/system/s390x/secure-ip= l.rst index 675724d324..a03e59ae14 100644 --- a/docs/system/s390x/secure-ipl.rst +++ b/docs/system/s390x/secure-ipl.rst @@ -64,3 +64,16 @@ Configuration: .. code-block:: shell =20 qemu-system-s390x -machine s390-ccw-virtio,boot-certs.0.path=3D/.../qe= mu/certs,boot-certs.1.path=3D/another/path/cert.pem ... + +Secure Mode +----------- + +When both certificates are provided and ``secure-boot=3Don`` option is set, +a secure boot is performed with error reporting enabled. The boot process = aborts +if any error occurs. + +Configuration: + +.. code-block:: shell + + qemu-system-s390x -machine s390-ccw-virtio,secure-boot=3Don,boot-certs= .0.path=3D/.../qemu/certs,boot-certs.1.path=3D/another/path/cert.pem ... diff --git a/pc-bios/s390-ccw/bootmap.c b/pc-bios/s390-ccw/bootmap.c index 342772860b..cc9a8cec6a 100644 --- a/pc-bios/s390-ccw/bootmap.c +++ b/pc-bios/s390-ccw/bootmap.c @@ -738,6 +738,9 @@ static int zipl_run(ScsiBlockPtr *pte) entry =3D (ComponentEntry *)(&header[1]); =20 switch (boot_mode) { + case ZIPL_BOOT_MODE_INVALID: + return -1; + case ZIPL_BOOT_MODE_SECURE: case ZIPL_BOOT_MODE_SECURE_AUDIT: rc =3D zipl_run_secure(&entry, tmp_sec); if (rc) { 
@@ -1121,9 +1124,16 @@ ZiplBootMode zipl_mode(uint8_t hdr_flags) { bool sipl_set =3D hdr_flags & DIAG308_IPIB_FLAGS_SIPL; bool iplir_set =3D hdr_flags & DIAG308_IPIB_FLAGS_IPLIR; + VCStorageSizeBlock *vcssb; =20 if (!sipl_set && iplir_set) { return ZIPL_BOOT_MODE_SECURE_AUDIT; + } else if (sipl_set && iplir_set) { + vcssb =3D zipl_secure_get_vcssb(); + if (vcssb =3D=3D NULL || vcssb->length =3D=3D VCSSB_NO_VC) { + return ZIPL_BOOT_MODE_INVALID; + } + return ZIPL_BOOT_MODE_SECURE; } =20 return ZIPL_BOOT_MODE_NORMAL; @@ -1134,7 +1144,8 @@ void zipl_load(void) VDev *vdev =3D virtio_get_device(); =20 if (vdev->is_cdrom) { - if (boot_mode =3D=3D ZIPL_BOOT_MODE_SECURE_AUDIT) { + if (boot_mode =3D=3D ZIPL_BOOT_MODE_SECURE_AUDIT || + boot_mode =3D=3D ZIPL_BOOT_MODE_SECURE) { panic("Secure boot from ISO image is not supported!"); } ipl_iso_el_torito(); @@ -1143,7 +1154,8 @@ void zipl_load(void) } =20 if (virtio_get_device_type() =3D=3D VIRTIO_ID_NET) { - if (boot_mode =3D=3D ZIPL_BOOT_MODE_SECURE_AUDIT) { + if (boot_mode =3D=3D ZIPL_BOOT_MODE_SECURE_AUDIT || + boot_mode =3D=3D ZIPL_BOOT_MODE_SECURE) { panic("Virtio net boot device does not support secure boot!"); } netmain(); @@ -1156,7 +1168,8 @@ void zipl_load(void) return; } =20 - if (boot_mode =3D=3D ZIPL_BOOT_MODE_SECURE_AUDIT) { + if (boot_mode =3D=3D ZIPL_BOOT_MODE_SECURE_AUDIT || + boot_mode =3D=3D ZIPL_BOOT_MODE_SECURE) { panic("ECKD boot device does not support secure boot!"); } =20 diff --git a/pc-bios/s390-ccw/main.c b/pc-bios/s390-ccw/main.c index 8aabce115f..5cea9d3ac7 100644 --- a/pc-bios/s390-ccw/main.c +++ b/pc-bios/s390-ccw/main.c 
@@ -277,10 +277,15 @@ static void ipl_boot_device(void) boot_mode =3D zipl_mode(iplb->hdr_flags); } =20 + if (boot_mode =3D=3D ZIPL_BOOT_MODE_INVALID) { + panic("Need at least one certificate for secure boot!"); + } + switch (cutype) { case CU_TYPE_DASD_3990: case CU_TYPE_DASD_2107: - if (boot_mode =3D=3D ZIPL_BOOT_MODE_SECURE_AUDIT) { + if (boot_mode =3D=3D ZIPL_BOOT_MODE_SECURE_AUDIT || + boot_mode =3D=3D ZIPL_BOOT_MODE_SECURE) { panic("Passthrough (vfio) CCW device does not support secure b= oot!"); } =20 diff --git a/pc-bios/s390-ccw/s390-ccw.h b/pc-bios/s390-ccw/s390-ccw.h index 6d51d07c90..389cc8ea7c 100644 --- a/pc-bios/s390-ccw/s390-ccw.h +++ b/pc-bios/s390-ccw/s390-ccw.h @@ -83,9 +83,11 @@ int virtio_read(unsigned long sector, void *load_addr); void zipl_load(void); =20 typedef enum ZiplBootMode { + ZIPL_BOOT_MODE_INVALID =3D -1, ZIPL_BOOT_MODE_UNSPECIFIED =3D 0, ZIPL_BOOT_MODE_NORMAL =3D 1, ZIPL_BOOT_MODE_SECURE_AUDIT =3D 2, + ZIPL_BOOT_MODE_SECURE =3D 3, } ZiplBootMode; =20 extern ZiplBootMode boot_mode; diff --git a/pc-bios/s390-ccw/secure-ipl.c b/pc-bios/s390-ccw/secure-ipl.c index 8733254cfb..bfe021fffe 100644 --- a/pc-bios/s390-ccw/secure-ipl.c +++ b/pc-bios/s390-ccw/secure-ipl.c @@ -296,6 +296,10 @@ static bool check_sclab_presence(uint8_t *sclab_magic, comps->device_entries[comp_index].cei |=3D S390_IPL_COMPONENT_CEI_= INVALID_SCLAB; =20 /* a missing SCLAB will not be reported in audit mode */ + if (boot_mode =3D=3D ZIPL_BOOT_MODE_SECURE) { + zipl_secure_handle("Magic does not matched. SCLAB does not exi= st"); + } + return false; } =20 diff --git a/pc-bios/s390-ccw/secure-ipl.h b/pc-bios/s390-ccw/secure-ipl.h index 6ff4f0382c..587a87a27c 100644 --- a/pc-bios/s390-ccw/secure-ipl.h +++ b/pc-bios/s390-ccw/secure-ipl.h 
@@ -58,6 +58,9 @@ static inline void zipl_secure_handle(const char *message) case ZIPL_BOOT_MODE_SECURE_AUDIT: IPL_check(false, message); break; + case ZIPL_BOOT_MODE_SECURE: + panic(message); + break; default: break; } --=20 2.51.1
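Review bot: zipl_mode() in bootmap.c still returns ZIPL_BOOT_MODE_NORMAL when SIPL is set without IPLIR, because only `!sipl_set && iplir_set` and `sipl_set && iplir_set` are handled. Patch 23 documents that "If SIPL is on, IPLIR must also be on", so that combination is malformed, and as written it falls back to an unverified boot instead of failing. Suggest returning ZIPL_BOOT_MODE_INVALID for `sipl_set && !iplir_set` so that an IPIB asking for secure IPL can never end in a normal boot. The panic text used for INVALID in main.c, "Need at least one certificate for secure boot!", would then need to cover this case as well.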
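Review bot: in check_sclab_presence() in secure-ipl.c the new `if (boot_mode == ZIPL_BOOT_MODE_SECURE)` block sits directly under the existing comment "a missing SCLAB will not be reported in audit mode", which no longer describes the code that follows it. Please reword the comment to say that a missing SCLAB is fatal in secure mode and not reported in audit mode. The message "Magic does not matched. SCLAB does not exist" also needs a grammar fix, for example "Magic does not match, SCLAB does not exist", since it is the text shown when the boot panics.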
From: Zhuoying Cai
To: thuth@redhat.com, berrange@redhat.com, richard.henderson@linaro.org, david@redhat.com, jrossi@linux.ibm.com, qemu-s390x@nongnu.org, qemu-devel@nongnu.org, brueckner@linux.ibm.com
Cc: walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com
Subject: [PATCH v7 25/29] pc-bios/s390-ccw: Handle secure boot with multiple boot devices
Date: Mon, 8 Dec 2025 16:32:42 -0500
Message-ID: <20251208213247.702569-26-zycai@linux.ibm.com>
In-Reply-To: <20251208213247.702569-1-zycai@linux.ibm.com>
References: <20251208213247.702569-1-zycai@linux.ibm.com>

The current approach to enable secure boot relies on providing secure-boot and boot-certs parameters of s390-ccw-virtio machine type option, which apply to all boot devices.

With the possibility of multiple boot devices, secure boot expects all provided devices to be supported and eligible (e.g., virtio-blk/virtio-scsi using the SCSI scheme).

If multiple boot devices are provided and include an unsupported (e.g., ECKD, VFIO) or a non-eligible (e.g., Net) device, the boot process will terminate with an error logged to the console.

Signed-off-by: Zhuoying Cai --- pc-bios/s390-ccw/bootmap.c | 31 +++++++++------- pc-bios/s390-ccw/main.c | 73 ++++++++++++++++++++++++++++++++++--- pc-bios/s390-ccw/s390-ccw.h | 1 + 3 files changed, 86 insertions(+), 19 deletions(-) diff --git a/pc-bios/s390-ccw/bootmap.c b/pc-bios/s390-ccw/bootmap.c index cc9a8cec6a..e3c12697e0 100644 --- a/pc-bios/s390-ccw/bootmap.c +++ b/pc-bios/s390-ccw/bootmap.c @@ -1139,25 +1139,35 @@ ZiplBootMode zipl_mode(uint8_t hdr_flags) return ZIPL_BOOT_MODE_NORMAL; } =20 +int zipl_check_scsi_mbr_magic(void) +{ + ScsiMbr *mbr =3D (void *)sec; + + /* Grab the MBR */ + memset(sec, FREE_SPACE_FILLER, sizeof(sec)); + if (virtio_read(0, mbr)) { + puts("Cannot read block 0"); + return -EIO; + } + + if (!magic_match(mbr->magic, ZIPL_MAGIC)) { + return -1; + } + + return 0; +} + void zipl_load(void) { VDev *vdev =3D virtio_get_device(); =20 if (vdev->is_cdrom) { - if (boot_mode =3D=3D ZIPL_BOOT_MODE_SECURE_AUDIT || - boot_mode =3D=3D ZIPL_BOOT_MODE_SECURE) { - panic("Secure boot from ISO image is not supported!"); - } ipl_iso_el_torito(); puts("Failed to IPL this ISO image!"); return; } =20 if (virtio_get_device_type() =3D=3D VIRTIO_ID_NET) { - if (boot_mode =3D=3D ZIPL_BOOT_MODE_SECURE_AUDIT || - boot_mode =3D=3D ZIPL_BOOT_MODE_SECURE) { - panic("Virtio net boot device does not support secure boot!"); - } netmain(); puts("Failed to IPL from this network!"); return; @@ -1168,11 +1178,6 @@ void zipl_load(void) return; } =20 - if (boot_mode =3D=3D ZIPL_BOOT_MODE_SECURE_AUDIT || - boot_mode =3D=3D ZIPL_BOOT_MODE_SECURE) { - panic("ECKD boot device does not support secure boot!"); - } - switch (virtio_get_device_type()) { case VIRTIO_ID_BLOCK: zipl_load_vblk(); diff --git a/pc-bios/s390-ccw/main.c b/pc-bios/s390-ccw/main.c index 5cea9d3ac7..7ce4761d34 100644 --- a/pc-bios/s390-ccw/main.c +++ b/pc-bios/s390-ccw/main.c 
@@ -271,8 +271,43 @@ static int virtio_setup(void) return ret; } =20 -static void ipl_boot_device(void) +static void validate_secure_boot_device(void) +{ + switch (cutype) { + case CU_TYPE_DASD_3990: + case CU_TYPE_DASD_2107: + panic("Passthrough (vfio) CCW device does not support secure boot!= "); + break; + case CU_TYPE_VIRTIO: + if (virtio_setup() =3D=3D 0) { + VDev *vdev =3D virtio_get_device(); + + if (vdev->is_cdrom) { + panic("Secure boot from ISO image is not supported!"); + } + + if (virtio_get_device_type() =3D=3D VIRTIO_ID_NET) { + panic("Virtio net boot device does not support secure boot= !"); + } + + if (zipl_check_scsi_mbr_magic()) { + panic("ECKD boot device does not support secure boot!"); + } + } + break; + default: + panic("Secure boot from unexpected device type is not supported!"); + } + + printf("SCSI boot device supports secure boot.\n"); +} + +static void check_secure_boot_support(void) { + bool have_iplb_copy; + IplParameterBlock *iplb_copy; + QemuIplParameters qipl_copy; + if (boot_mode =3D=3D ZIPL_BOOT_MODE_UNSPECIFIED) { boot_mode =3D zipl_mode(iplb->hdr_flags); } 
@@ -281,14 +316,38 @@ static void ipl_boot_device(void) panic("Need at least one certificate for secure boot!"); } =20 + if (boot_mode =3D=3D ZIPL_BOOT_MODE_NORMAL) { + return; + } + + /* + * Store copies of have_iplb, iplb and qipl. + * They will be updated in load_next_iplb(). + */ + have_iplb_copy =3D have_iplb; + iplb_copy =3D malloc(sizeof(IplParameterBlock)); + + memcpy(&qipl_copy, &qipl, sizeof(QemuIplParameters)); + memcpy(iplb_copy, iplb, sizeof(IplParameterBlock)); + + while (have_iplb_copy) { + if (have_iplb_copy && find_boot_device()) { + validate_secure_boot_device(); + } + have_iplb_copy =3D load_next_iplb(); + } + + memcpy(&qipl, &qipl_copy, sizeof(QemuIplParameters)); + memcpy(iplb, iplb_copy, sizeof(IplParameterBlock)); + + free(iplb_copy); +} + +static void ipl_boot_device(void) +{ switch (cutype) { case CU_TYPE_DASD_3990: case CU_TYPE_DASD_2107: - if (boot_mode =3D=3D ZIPL_BOOT_MODE_SECURE_AUDIT || - boot_mode =3D=3D ZIPL_BOOT_MODE_SECURE) { - panic("Passthrough (vfio) CCW device does not support secure b= oot!"); - } - dasd_ipl(blk_schid, cutype); break; case CU_TYPE_VIRTIO: @@ -338,6 +397,8 @@ void main(void) probe_boot_device(); } =20 + check_secure_boot_support(); + while (have_iplb) { boot_setup(); if (have_iplb && find_boot_device()) { diff --git a/pc-bios/s390-ccw/s390-ccw.h b/pc-bios/s390-ccw/s390-ccw.h index 389cc8ea7c..3009104686 100644 --- a/pc-bios/s390-ccw/s390-ccw.h +++ b/pc-bios/s390-ccw/s390-ccw.h 
@@ -93,6 +93,7 @@ typedef enum ZiplBootMode { extern ZiplBootMode boot_mode; =20 ZiplBootMode zipl_mode(uint8_t hdr_flags); +int zipl_check_scsi_mbr_magic(void); =20 /* jump2ipl.c */ void write_reset_psw(uint64_t psw); --=20 2.51.1
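Review bot: validate_secure_boot_device() in main.c reports success on a path where nothing was validated. In the CU_TYPE_VIRTIO case, when `virtio_setup()` returns non-zero the `if` body is skipped, the `break` is taken, and "SCSI boot device supports secure boot." is printed. Because this patch also removes the per-device secure-boot panics from zipl_load() and ipl_boot_device(), this pre-check is now the only enforcement point, so a failed `virtio_setup()` should panic or otherwise fail the check. Related: zipl_check_scsi_mbr_magic() returns -EIO for a read failure and -1 for a magic mismatch, but the caller maps any non-zero value to "ECKD boot device does not support secure boot!", so an I/O error on block 0 is reported as an unsupported device type; the caller should distinguish the two.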
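Review bot: check_secure_boot_support() passes the result of `malloc(sizeof(IplParameterBlock))` straight to `memcpy(iplb_copy, iplb, ...)` without a NULL check; add one and panic on allocation failure. In the loop, the `have_iplb_copy &&` in `if (have_iplb_copy && find_boot_device())` repeats the `while` condition and can be dropped. The comment says copies of have_iplb, iplb and qipl are stored because load_next_iplb() updates them, but only iplb and qipl are written back after the loop; if load_next_iplb() also changes have_iplb it needs restoring too, otherwise the comment should not list it.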
([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1vSiru-0007rC-8M; Mon, 08 Dec 2025 16:34:06 -0500 Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1vSirr-0000my-Dw; Mon, 08 Dec 2025 16:34:06 -0500 Received: from pps.filterd (m0356516.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 5B8L8JQ0017887; Mon, 8 Dec 2025 21:33:42 GMT Received: from ppma23.wdc07v.mail.ibm.com (5d.69.3da9.ip4.static.sl-reverse.com [169.61.105.93]) by mx0a-001b2d01.pphosted.com (PPS) with ESMTPS id 4av9wvhmp8-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 08 Dec 2025 21:33:41 +0000 (GMT) Received: from pps.filterd (ppma23.wdc07v.mail.ibm.com [127.0.0.1]) by ppma23.wdc07v.mail.ibm.com (8.18.1.2/8.18.1.2) with ESMTP id 5B8ITc6d012432; Mon, 8 Dec 2025 21:33:41 GMT Received: from smtprelay03.dal12v.mail.ibm.com ([172.16.1.5]) by ppma23.wdc07v.mail.ibm.com (PPS) with ESMTPS id 4aw0ajqnq9-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 08 Dec 2025 21:33:41 +0000 Received: from smtpav02.wdc07v.mail.ibm.com (smtpav02.wdc07v.mail.ibm.com [10.39.53.229]) by smtprelay03.dal12v.mail.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id 5B8LXdxT33620562 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Mon, 8 Dec 2025 21:33:39 GMT Received: from smtpav02.wdc07v.mail.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 7C03A58059; Mon, 8 Dec 2025 21:33:39 +0000 (GMT) Received: from smtpav02.wdc07v.mail.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id B5C7F5805B; Mon, 8 Dec 2025 21:33:37 +0000 (GMT) Received: from fedora-workstation.ibmuc.com (unknown [9.61.66.246]) by smtpav02.wdc07v.mail.ibm.com (Postfix) with ESMTP; Mon, 8 Dec 2025 21:33:37 +0000 (GMT) DKIM-Signature: 
v=1; a=rsa-sha256; c=relaxed/relaxed; d=ibm.com; h=cc :content-transfer-encoding:date:from:in-reply-to:message-id :mime-version:references:subject:to; s=pp1; bh=DuoRUcjHOV+1ufsdf MBGE/kIzrSux4/aR14Wx8l/zos=; b=CNyWjhqOECyQUIGL7gyQpoKhWwZBXlz2j JzcgnJKTuLykm+of8RaLUBhHkXG2T46V6RkTr3IBotTJ9S4fJ7n6phT5/n6meUR8 LqdroOWC975VCm+Bn+qkhRqqn+SNoRT5fO7Bx5Zt9MNRo11V9y07ibh+TgLFwHUC 2RG86QLMYgUv2G/o+zaBUUmMg9alYy32z7boKybbMSVIqgC5gN+9cHd5C7DqP1yn p8BiZtQWUHcCmoSnxvrtC+43sfjbfgOkR8k6r3wXpSvjwEMy2K7PLzF+iMK0LeFK warXp58jE9K+wovSHug6tHMRC79g4yrXBOqrNKpRONNbNlFSy1/0A== 
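Review bot: The new prototype int zipl_check_scsi_mbr_magic(void) is added below zipl_mode() with no comment on its return convention, and for a function named as a check a bare int could mean 0 on success, a negative error, or a boolean match. Please document the return values next to the declaration, or return bool if it is a pure yes/no test, so callers cannot invert the result by mistake.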
From: Zhuoying Cai
To: thuth@redhat.com, berrange@redhat.com, richard.henderson@linaro.org, david@redhat.com, jrossi@linux.ibm.com, qemu-s390x@nongnu.org, qemu-devel@nongnu.org, brueckner@linux.ibm.com
Cc: walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com
Subject: [PATCH v7 26/29] hw/s390x/ipl: Handle secure boot without specifying a boot device
Date: Mon, 8 Dec 2025 16:32:43 -0500
Message-ID: <20251208213247.702569-27-zycai@linux.ibm.com>
In-Reply-To: <20251208213247.702569-1-zycai@linux.ibm.com>
References: <20251208213247.702569-1-zycai@linux.ibm.com>

If secure boot in audit mode or True Secure IPL mode is enabled without specifying a boot device, the boot process will terminate with an error.

Signed-off-by: Zhuoying Cai
--- hw/s390x/ipl.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/hw/s390x/ipl.c b/hw/s390x/ipl.c index bfac156afe..2809fb718d 100644 --- a/hw/s390x/ipl.c +++ b/hw/s390x/ipl.c
@@ -771,6 +771,16 @@ void s390_ipl_prepare_cpu(S390CPU *cpu) } if (!ipl->iplb_valid) { ipl->iplb_valid =3D s390_init_all_iplbs(ipl); + + /* + * Secure IPL without specifying a boot device. + * IPLB is not generated if no boot device is defined. + */ + if ((s390_has_certificate() || s390_secure_boot_enabled()) && + !ipl->iplb_valid) { + error_report("No boot device defined for Secure IPL"); + exit(1); + } } else { ipl->qipl.chain_len =3D 0; } --=20 2.51.1
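Review bot: The new check in s390_ipl_prepare_cpu() reports what is a configuration error (a certificate or secure boot given, but no boot device) only once the CPU is being prepared, and then calls exit(1) from inside the IPL path. If the same condition can be detected where the machine options are validated, failing there would surface the error earlier and keep process termination out of this function. The comment should also say which of s390_has_certificate() and s390_secure_boot_enabled() corresponds to which mode, since the commit message speaks of audit mode and True Secure IPL mode while the comment only says "Secure IPL".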
From: Zhuoying Cai
To: thuth@redhat.com, berrange@redhat.com, richard.henderson@linaro.org, david@redhat.com, jrossi@linux.ibm.com, qemu-s390x@nongnu.org, qemu-devel@nongnu.org, brueckner@linux.ibm.com
Cc: walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com
Subject: [PATCH v7 27/29] tests/functional/s390x: Add secure IPL functional test
Date: Mon, 8 Dec 2025 16:32:44 -0500
Message-ID: <20251208213247.702569-28-zycai@linux.ibm.com>
In-Reply-To: <20251208213247.702569-1-zycai@linux.ibm.com>
References: <20251208213247.702569-1-zycai@linux.ibm.com>

Add functional test for secure IPL.

Signed-off-by: Zhuoying Cai
--- tests/functional/s390x/meson.build | 2 + tests/functional/s390x/test_secure_ipl.py | 140 ++++++++++++++++++++++ 2 files changed, 142 insertions(+) create mode 100644 tests/functional/s390x/test_secure_ipl.py diff --git a/tests/functional/s390x/meson.build b/tests/functional/s390x/me= son.build index 70cd36e291..cb050f3c01 100644 --- a/tests/functional/s390x/meson.build +++ b/tests/functional/s390x/meson.build
@@ -2,6 +2,7 @@ =20 test_s390x_timeouts =3D { 'ccw_virtio' : 420, + 'secure_ipl' : 280, } =20 tests_s390x_system_quick =3D [ @@ -12,6 +13,7 @@ tests_s390x_system_thorough =3D [ 'ccw_virtio', 'pxelinux', 'replay', + 'secure_ipl', 'topology', 'tuxrun', ] diff --git a/tests/functional/s390x/test_secure_ipl.py b/tests/functional/s= 390x/test_secure_ipl.py new file mode 100644 index 0000000000..c4c7ec3897 --- /dev/null +++ b/tests/functional/s390x/test_secure_ipl.py 
@@ -0,0 +1,140 @@ +#!/usr/bin/env python3 +# +# s390x Secure IPL functional test: validates secure-boot verification res= ults +# +# SPDX-License-Identifier: GPL-2.0-or-later + +import os +import time + +from qemu_test import QemuSystemTest, Asset +from qemu_test import exec_command_and_wait_for_pattern, exec_command +from qemu_test import wait_for_console_pattern, skipBigDataTest +from qemu.utils import kvm_available, tcg_available + +class S390xSecureIpl(QemuSystemTest): + ASSET_F40_QCOW2 =3D Asset( + ('https://archives.fedoraproject.org/pub/archive/' + 'fedora-secondary/releases/40/Server/s390x/images/' + 'Fedora-Server-KVM-40-1.14.s390x.qcow2'), + '091c232a7301be14e19c76ce9a0c1cbd2be2c4157884a731e1fc4f89e7455a5f') + + # Boot a temporary VM to set up secure IPL image: + # - Create certificate + # - Sign stage3 binary and kernel + # - Run zipl + # - Extract certificate + # Small delay added to allow the guest prompt/filesystem updates to se= ttle + def setup_s390x_secure_ipl(self): + temp_vm =3D self.get_vm(name=3D'sipl_setup') + temp_vm.set_machine('s390-ccw-virtio') + self.require_accelerator('kvm') + + self.qcow2_path =3D self.ASSET_F40_QCOW2.fetch() + + temp_vm.set_console() + temp_vm.add_args('-nographic', + '-accel', 'kvm', + '-m', '1024', + '-drive', + f'id=3Ddrive0,if=3Dnone,format=3Dqcow2,file=3D{se= lf.qcow2_path}', + '-device', 'virtio-blk-ccw,drive=3Ddrive0,bootind= ex=3D1') + temp_vm.launch() + + # Initial root account setup (Fedora first boot screen) + self.root_password =3D 'fedora40password' + wait_for_console_pattern(self, 'Please make a selection from the a= bove', + vm=3Dtemp_vm) + exec_command_and_wait_for_pattern(self, '4', 'Password:', vm=3Dtem= p_vm) + exec_command_and_wait_for_pattern(self, self.root_password, + 'Password (confirm):', vm=3Dtemp= _vm) + exec_command_and_wait_for_pattern(self, self.root_password, + 'Please make a selection from the abov= e', + vm=3Dtemp_vm) + + # Login as root + exec_command_and_wait_for_pattern(self, 'c', 
'localhost login:', v= m=3Dtemp_vm) + exec_command_and_wait_for_pattern(self, 'root', 'Password:', vm=3D= temp_vm) + exec_command_and_wait_for_pattern(self, self.root_password, + '[root@localhost ~]#', vm=3Dtemp= _vm) + + # Certificate generation + time.sleep(1) + exec_command_and_wait_for_pattern(self, + 'openssl version', 'OpenSSL 3.2.1= 30', + vm=3Dtemp_vm) + exec_command_and_wait_for_pattern(self, + 'openssl req -new -x509 -newkey rsa:2048 ' + '-keyout mykey.pem -outform PEM -out mycert.pe= m ' + '-days 36500 -subj "/CN=3DMy Name/" -nodes -ve= rbose', + 'Writing private key to \'mykey.pem\'', vm=3Dt= emp_vm) + + # Install kernel-devel (needed for sign-file) + exec_command_and_wait_for_pattern(self, + 'sudo dnf install kernel-devel-$(uname -r)= -y', + 'Complete!', vm=3Dtemp_vm) + time.sleep(1) + exec_command_and_wait_for_pattern(self, + 'ls /usr/src/kernels/$(uname -r)/scrip= ts/', + 'sign-file', vm=3Dtemp_vm) + + # Sign stage3 binary and kernel + exec_command(self, '/usr/src/kernels/$(uname -r)/scripts/sign-file= ' + 'sha256 mykey.pem mycert.pem /lib/s390-tools/stage3.bi= n', + vm=3Dtemp_vm) + time.sleep(1) + exec_command(self, '/usr/src/kernels/$(uname -r)/scripts/sign-file= ' + 'sha256 mykey.pem mycert.pem /boot/vmlinuz-$(uname -r)= ', + vm=3Dtemp_vm) + time.sleep(1) + + # Run zipl to prepare for secure boot + exec_command_and_wait_for_pattern(self, 'zipl --secure 1 -VV', 'Do= ne.', + vm=3Dtemp_vm) + + # Extract certificate to host + out =3D exec_command_and_wait_for_pattern(self, 'cat mycert.pem', + '-----END CERTIFICATE-----= ', + vm=3Dtemp_vm) + # strip first line to avoid console echo artifacts + cert =3D "\n".join(out.decode("utf-8").splitlines()[1:]) + self.log.info("%s", cert) + + self.cert_path =3D self.scratch_file("mycert.pem") + + with open(self.cert_path, 'w') as file_object: + file_object.write(cert) + + # Shutdown temp vm + temp_vm.shutdown() + + @skipBigDataTest() + def test_s390x_secure_ipl(self): + self.setup_s390x_secure_ipl() + + 
self.set_machine('s390-ccw-virtio') + + self.vm.set_console() + self.vm.add_args('-nographic', + '-machine', 's390-ccw-virtio,secure-boot=3Don,' + f'boot-certs.0.path=3D{self.cert_path}', + '-accel', 'kvm', + '-m', '1024', + '-drive', + f'id=3Ddrive1,if=3Dnone,format=3Dqcow2,file=3D{se= lf.qcow2_path}', + '-device', 'virtio-blk-ccw,drive=3Ddrive1,bootind= ex=3D1') + self.vm.launch() + + # Expect two verified components + verified_output =3D "Verified component" + wait_for_console_pattern(self, verified_output); + wait_for_console_pattern(self, verified_output); + + # Login and verify the vm is booted using secure boot + wait_for_console_pattern(self, 'localhost login:') + exec_command_and_wait_for_pattern(self, 'root', 'Password:') + exec_command_and_wait_for_pattern(self, self.root_password,'[root@= localhost ~]#') + exec_command_and_wait_for_pattern(self, 'cat /sys/firmware/ipl/sec= ure', '1') + +if __name__ =3D=3D '__main__': + QemuSystemTest.main() --=20 2.51.1
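Review bot: At the end of test_s390x_secure_ipl, the final check waits for the pattern '1' after 'cat /sys/firmware/ipl/secure', which is satisfied by any "1" that reaches the console, so the test can pass without the file reading 1; please wait for a marker that is only printed when the value matches. The test also covers only the success path: there is no case that boots an unsigned or wrongly signed component with secure-boot=on and expects the IPL to be refused, which is the property the series exists to enforce. In setup_s390x_secure_ipl, the 'dnf install kernel-devel-$(uname -r)' step makes the test depend on guest network access, the time.sleep(1) calls are a fragile way to synchronise with the console, and os, kvm_available and tcg_available are imported but not used. The two wait_for_console_pattern(self, verified_output) calls end in stray semicolons.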
From: Zhuoying Cai
To: thuth@redhat.com, berrange@redhat.com, richard.henderson@linaro.org, david@redhat.com, jrossi@linux.ibm.com, qemu-s390x@nongnu.org, qemu-devel@nongnu.org, brueckner@linux.ibm.com
Cc: walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com
Subject: [PATCH v7 28/29] docs/specs: Add secure IPL documentation
Date: Mon, 8 Dec 2025 16:32:45 -0500
Message-ID: <20251208213247.702569-29-zycai@linux.ibm.com>
In-Reply-To: <20251208213247.702569-1-zycai@linux.ibm.com>
References: <20251208213247.702569-1-zycai@linux.ibm.com>

Add documentation for secure IPL

Signed-off-by: Collin Walling
--- docs/specs/s390x-secure-ipl.rst | 55 +++++++++++++++++++++++++++++++++ 1 file changed, 55 insertions(+) diff --git a/docs/specs/s390x-secure-ipl.rst b/docs/specs/s390x-secure-ipl.= rst index 70388d77d8..45f58ab49d 100644 --- a/docs/specs/s390x-secure-ipl.rst +++ b/docs/specs/s390x-secure-ipl.rst
@@ -1,5 +1,60 @@ .. SPDX-License-Identifier: GPL-2.0-or-later =20 +s390 Secure IPL +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D + +Secure IPL (a.k.a. secure boot) enables s390-ccw virtual machines to +leverage qcrypto libraries and z/Architecture emulations to verify the +integrity of signed kernels. The qcrypto libraries are used to perform +certificate validation and signature-verification, whereas the +z/Architecture emulations are used to ensure secure IPL data has not +been tampered with, convey data between QEMU and userspace, and set up +the relevant secure IPL data structures with verification results. + +To find out more about using this feature, see +``docs/system/s390x/secure-ipl.rst``. + +Note that "userspace" will refer to the s390-ccw BIOS unless stated +otherwise. + +Both QEMU and userspace work in tandem to perform secure IPL. The Secure +Loading Attributes Facility (SCLAF) is used to check the Secure Code +Loading Attribute Block (SCLAB) and ensure that secure IPL data has not +been tampered with. DIAGNOSE 'X'320' is invoked by userspace to query +the certificate store info and retrieve specific certificates from QEMU. +DIAGNOSE 'X'508' is used by userspace to leverage qcrypto libraries to +perform signature-verification in QEMU. Lastly, userspace generates and +appends an IPL Information Report Block (IIRB) at the end of the IPL +Parameter Block, which is used by the kernel to store signed and +verified entries. + +The logical steps are as follows: + +- Userspace reads data payload from disk (e.g. 
stage3 boot loader, kernel) +- Userspace checks the validity of the SCLAB +- Userspace invokes DIAG 508 subcode 1 and provides it the payload +- QEMU handles DIAG 508 request by reading the payload and retrieving the + certificate store +- QEMU DIAG 508 utilizes qcrypto libraries to perform signature-verificati= on on + the payload, attempting with each cert in the store (until success or + exhausted) +- QEMU DIAG 508 returns: + + - success: index of cert used to verify payload + - failure: error code + +- Userspace responds to this operation: + + - success: retrieves cert from store via DIAG 320 using returned index + - failure: reports with warning (audit mode), aborts with error (secure = mode) + +- Userspace appends IIRB at the end of the IPLB +- Userspace kicks off IPL + +More information regarding the respective DIAGNOSE commands and IPL data +structures are outlined within this document. + + s390 Certificate Store and Functions =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D =20 --=20 2.51.1
From: Zhuoying Cai To: thuth@redhat.com, berrange@redhat.com, richard.henderson@linaro.org, david@redhat.com, jrossi@linux.ibm.com, qemu-s390x@nongnu.org, qemu-devel@nongnu.org, brueckner@linux.ibm.com Cc: walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com Subject: [PATCH v7 29/29] docs/system/s390x: Add secure IPL documentation Date: Mon, 8 Dec 2025 16:32:46 -0500 Message-ID: <20251208213247.702569-30-zycai@linux.ibm.com> X-Mailer: git-send-email 2.51.1 In-Reply-To: <20251208213247.702569-1-zycai@linux.ibm.com> References: <20251208213247.702569-1-zycai@linux.ibm.com> MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable X-TM-AS-GCONF: 00 X-Proofpoint-ORIG-GUID: AHIIvaqIG0tYZXYDbg2XirlbjHl_zYVP X-Proofpoint-Spam-Details-Enc: AW1haW4tMjUxMjA2MDAyMCBTYWx0ZWRfX0UsLnN204Rti 9FCQWA5Ky0GEk8/hKYuMlkp3LgHlQIEpGeO6Lf1R87m7DGd6HP6A6nkVTb1KAPAgWI/AuG487O+ swwbum8wqosfEubu9ICbd1xVzA/cJBvjRGfURFGezUDZRi/84/eTLHQMOOCyswxHCorFHJdtQrD DLA/we6rwXxXbP8wox/pW25J8JYtVgD2hxRj0SsiFlBYt8CKSXufeU668q7TolYkQuK5YSux4Cp pQLrOTBp0l7GtrROq/Ao7vHaao+drodU/egfiKiOdB2krjS3utlxHVijds+4/Li/KFz4D2Qous2 NvwJXW9B8tLjwP8NfGutyDyQtSmMuW+Ce3j3eWo0GEJvwy5uO+NFKOYgVx8cxRnWbcuOiVDb9Hz 0dsVr/s+ihme4AhlSXM9i9/53T9aTA== X-Proofpoint-GUID: AHIIvaqIG0tYZXYDbg2XirlbjHl_zYVP X-Authority-Analysis: v=2.4 cv=FpwIPmrq c=1 sm=1 tr=0 ts=6937443b cx=c_pps a=bLidbwmWQ0KltjZqbj+ezA==:117 a=bLidbwmWQ0KltjZqbj+ezA==:17 a=IkcTkHD0fZMA:10 a=wP3pNCr1ah4A:10 a=VkNPw1HP01LnGYTKEx00:22 a=VnNF1IyMAAAA:8 a=q5T4S90kAAAA:8 a=pLVlpZFyWxzbV8Ps1vQA:9 a=3ZKOabzyN94A:10 a=QEXdDO2ut3YA:10 a=LnBBZQxPVJ0Z7KJyRdxh:22 X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1121,Hydra:6.1.9,FMLib:17.12.100.49 definitions=2025-12-06_02,2025-12-04_04,2025-10-01_01 X-Proofpoint-Spam-Details: 
rule=outbound_notspam policy=outbound score=0 priorityscore=1501 bulkscore=0 spamscore=0 lowpriorityscore=0 suspectscore=0 malwarescore=0 phishscore=0 clxscore=1015 adultscore=0 impostorscore=0 classifier=typeunknown authscore=0 authtc= authcc= route=outbound adjust=0 reason=mlx scancount=1 engine=8.19.0-2510240000 definitions=main-2512060020 Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=148.163.156.1; envelope-from=zycai@linux.ibm.com; helo=mx0a-001b2d01.pphosted.com X-Spam_score_int: -26 X-Spam_score: -2.7 X-Spam_bar: -- X-Spam_report: (-2.7 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @ibm.com) X-ZM-MESSAGEID: 1765229750412158500 Add documentation for secure IPL Signed-off-by: Collin Walling Signed-off-by: Zhuoying Cai --- docs/system/s390x/secure-ipl.rst | 96 ++++++++++++++++++++++++++++++++ 1 file changed, 96 insertions(+) diff --git a/docs/system/s390x/secure-ipl.rst b/docs/system/s390x/secure-ip= l.rst index a03e59ae14..89e20b9f1d 100644 --- a/docs/system/s390x/secure-ipl.rst +++ b/docs/system/s390x/secure-ipl.rst 
@@ -1,5 +1,21 @@ .. SPDX-License-Identifier: GPL-2.0-or-later =20 +s390 Secure IPL +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D + +Secure IPL, also known as secure boot, enables s390-ccw virtual machines to +verify the integrity of guest kernels. + +For technical details of this feature, see ``docs/specs/s390x-secure-ipl.r= st``. + +This document explains how to use secure IPL with s390x in QEMU. It covers +new command line options for providing certificates and enabling secure IP= L, +the different IPL modes (Normal, Audit, and Secure), and system requiremen= ts. + +A quickstart guide is provided to demonstrate how to generate certificates, +sign images, and start a guest in Secure Mode. + + Secure IPL Command Line Options =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D =20 
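Review bot: The new title "s390 Secure IPL" is underlined with "=", the same adornment as the existing "Secure IPL Command Line Options" heading directly below it, so the page title and its sections end up at the same level; give the title a distinct adornment or demote the section headings. The pointer to ``docs/specs/s390x-secure-ipl.rst`` is an inline literal and will not render as a link, where a :doc: cross-reference would. "verify the integrity of guest kernels" could also say outright that this is signature verification against the supplied certificates, which is what the following paragraphs (certificates, signed images) describe.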
@@ -77,3 +93,83 @@ Configuration: .. code-block:: shell =20 qemu-system-s390x -machine s390-ccw-virtio,secure-boot=3Don,boot-certs= .0.path=3D/.../qemu/certs,boot-certs.1.path=3D/another/path/cert.pem ... + + +Constraints +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D + +The following constraints apply when attempting to secure IPL an s390 gues= t: + +- z16 CPU model +- certificates must be in X.509 PEM format +- only support for SCSI scheme of virtio-blk/virtio-scsi devices +- a boot device must be specified +- any unsupported devices (e.g., ECKD and VFIO) or non-eligible devices (e= .g., + Net) will cause the entire boot process terminating early with an error + logged to the console. + + +Secure IPL Quickstart +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D + +Build QEMU with gnutls enabled +------------------------------- + +.. code-block:: shell + + ./configure =E2=80=A6 --enable-gnutls + +Generate certificate (e.g. via certtool) +---------------------------------------- + +A private key is required before generating a certificate. This key must b= e kept +secure and confidential. + +Use an RSA private key for signing. + +.. code-block:: shell + + certtool --generate-privkey > key.pem + +A self-signed certificate requires the organization name. Use the ``cert.i= nfo`` +template to pre-fill values and avoid interactive prompts from certtool. + +.. code-block:: shell + + cat > cert.info <
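Review bot: The quickstart says the private key "must be kept secure and confidential", but `certtool --generate-privkey > key.pem` creates key.pem through a shell redirect, so its mode comes from the caller's umask and under a typical 022 umask the file is world-readable. Suggest putting `umask 077` before that step or `chmod 600 key.pem` right after it. In the same hunk, "Use an RSA private key for signing" is not enforced by the command shown, which takes whatever key type and size certtool defaults to, so either pin them on the command line or say which defaults are relied on. The `./configure … --enable-gnutls` line has a literal ellipsis character inside a shell code-block, which breaks copy-paste. In Constraints, "will cause the entire boot process terminating early" should read "to terminate early", and "z16 CPU model" does not say whether z16 is a minimum or the only accepted model.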