From: Zhuoying Cai
To: thuth@redhat.com, berrange@redhat.com, richard.henderson@linaro.org, jrossi@linux.ibm.com, qemu-s390x@nongnu.org, qemu-devel@nongnu.org
Cc: david@kernel.org, walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com, brueckner@linux.ibm.com
Subject: [PATCH v8 24/30] hw/s390x/ipl: Set IPIB flags for secure IPL
Date: Thu, 12 Feb 2026 15:43:45 -0500
Message-ID: <20260212204352.1044699-25-zycai@linux.ibm.com>
In-Reply-To: <20260212204352.1044699-1-zycai@linux.ibm.com>
References: <20260212204352.1044699-1-zycai@linux.ibm.com>

If `-M secure-boot=on` is specified on the command line option, indicating true secure IPL enabled, set Secure-IPL bit and IPL-Information-Report bit on in IPIB Flags field, and trigger true secure IPL in the S390 BIOS. Any error that occurs during true secure IPL will cause the IPL to terminate.

Signed-off-by: Zhuoying Cai
Reviewed-by: Thomas Huth
--- hw/s390x/ipl.c | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/hw/s390x/ipl.c b/hw/s390x/ipl.c index b66dfd06bd..f8dd50f69d 100644 
--- a/hw/s390x/ipl.c +++ b/hw/s390x/ipl.c @@ -440,6 +440,11 @@ static bool s390_has_certificate(void) return ipl->cert_store.count > 0; } =20 +static bool s390_secure_boot_enabled(void) +{ + return S390_CCW_MACHINE(qdev_get_machine())->secure_boot; +} + static bool s390_build_iplb(DeviceState *dev_st, IplParameterBlock *iplb) { CcwDevice *ccw_dev =3D NULL; @@ -497,6 +502,18 @@ static bool s390_build_iplb(DeviceState *dev_st, IplPa= rameterBlock *iplb) s390_ipl_convert_loadparm((char *)lp, iplb->loadparm); iplb->flags |=3D DIAG308_FLAGS_LP_VALID; =20 + /* + * If secure-boot is enabled, then toggle the secure IPL flags to + * trigger secure boot in the s390 BIOS. + * + * Boot process will terminate if any error occurs during secure b= oot. + * + * If SIPL is on, IPLIR must also be on. + */ + if (s390_secure_boot_enabled()) { + iplb->hdr_flags |=3D (DIAG308_IPIB_FLAGS_SIPL | DIAG308_IPIB_F= LAGS_IPLIR); + iplb->len =3D cpu_to_be32(S390_IPLB_MAX_LEN); + } /* * Secure boot in audit mode will perform * if certificate(s) exist in the key store. @@ -506,7 +523,7 @@ static bool s390_build_iplb(DeviceState *dev_st, IplPar= ameterBlock *iplb) * * Results of secure boot will be stored in IIRB. */ - if (s390_has_certificate()) { + else if (s390_has_certificate()) { iplb->hdr_flags |=3D DIAG308_IPIB_FLAGS_IPLIR; iplb->len =3D cpu_to_be32(S390_IPLB_MAX_LEN); } --=20 2.52.0
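Review bot: in the second hunk (@@ -497,6 +502,18 @@, inside s390_build_iplb), the new `if (s390_secure_boot_enabled())` branch sets DIAG308_IPIB_FLAGS_SIPL without consulting s390_has_certificate(), so `secure-boot=on` with an empty certificate store is passed through to the BIOS unchecked. Either reject that combination here, where s390_build_iplb can already return false, or state in the comment that the empty-store case is deliberately left to the BIOS to terminate. The comment also says "toggle the secure IPL flags", but `|=` only sets them; "set" would match the code.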
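Review bot: in the last hunk (@@ -506,7 +523,7 @@), `else if (s390_has_certificate()) {` starts a line of its own after the audit-mode block comment, detached from the `}` that closes the secure-boot branch added in the previous hunk. QEMU's coding style keeps the chain on one line as `} else if (...) {`, and an `else` separated from its `if` by a comment is easy to misread as an independent statement, which matters here because it is what keeps audit mode from overriding enforced secure boot. Move the audit-mode comment inside the `else if` body, or merge it into the comment above the `if`, so the branch reads `} else if (s390_has_certificate()) {`.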