From: Zhuoying Cai
To: thuth@redhat.com, berrange@redhat.com, jrossi@linux.ibm.com, qemu-s390x@nongnu.org, qemu-devel@nongnu.org
Cc: richard.henderson@linaro.org, pierrick.bouvier@linaro.org, david@kernel.org, walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com, brueckner@linux.ibm.com, jdaley@linux.ibm.com
Subject: [PATCH v9 01/30] Add boot-certs to s390-ccw-virtio machine type option
Date: Thu, 5 Mar 2026 17:41:16 -0500
Message-ID: <20260305224146.664053-2-zycai@linux.ibm.com>
In-Reply-To: <20260305224146.664053-1-zycai@linux.ibm.com>
References: <20260305224146.664053-1-zycai@linux.ibm.com>

Introduce a new `boot-certs` machine type option for the s390-ccw-virtio machine. This allows users to specify one or more certificate file paths or directories to be used during secure boot.

Each entry is specified using the syntax: boot-certs..path=3D/path/to/cert.pem Multiple paths can be specify using array properties: boot-certs.0.path=3D/path/to/cert.pem, boot-certs.1.path=3D/path/to/cert-dir, boot-certs.2.path=3D/path/to/another-dir... Signed-off-by: Zhuoying Cai Acked-by: Markus Armbruster --- docs/system/s390x/secure-ipl.rst | 20 ++++++++++++++++++++ docs/system/target-s390x.rst | 1 + hw/s390x/s390-virtio-ccw.c | 30 ++++++++++++++++++++++++++++++ include/hw/s390x/s390-virtio-ccw.h | 2 ++ qapi/machine-s390x.json | 23 +++++++++++++++++++++++ qapi/pragma.json | 1 + qemu-options.hx | 6 +++++- 7 files changed, 82 insertions(+), 1 deletion(-) create mode 100644 docs/system/s390x/secure-ipl.rst diff --git a/docs/system/s390x/secure-ipl.rst b/docs/system/s390x/secure-ip= l.rst new file mode 100644 index 0000000000..0a02f171b4 --- /dev/null +++ b/docs/system/s390x/secure-ipl.rst @@ -0,0 +1,20 @@ +.. SPDX-License-Identifier: GPL-2.0-or-later + +Secure IPL Command Line Options +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D + +The s390-ccw-virtio machine type supports secure IPL. These parameters all= ow +users to provide certificates and enable secure IPL directly via the comma= nd +line. + +Providing Certificates +---------------------- + +The certificate store can be populated by supplying a list of X.509 certif= icate +file paths or directories containing certificate files on the command-line: + +Note: certificate files must have a .pem extension. + +.. code-block:: shell + + qemu-system-s390x -machine s390-ccw-virtio,boot-certs.0.path=3D/.../qe= mu/certs,boot-certs.1.path=3D/another/path/cert.pem ... diff --git a/docs/system/target-s390x.rst b/docs/system/target-s390x.rst index 94c981e732..8938a13d10 100644 --- a/docs/system/target-s390x.rst +++ b/docs/system/target-s390x.rst @@ -35,3 +35,4 @@ Architectural features s390x/bootdevices s390x/protvirt s390x/cpu-topology + s390x/secure-ipl 
diff --git a/hw/s390x/s390-virtio-ccw.c b/hw/s390x/s390-virtio-ccw.c index 3ef009463d..a6f0fc4e00 100644 --- a/hw/s390x/s390-virtio-ccw.c +++ b/hw/s390x/s390-virtio-ccw.c @@ -44,6 +44,7 @@ #include "target/s390x/kvm/pv.h" #include "migration/blocker.h" #include "qapi/visitor.h" +#include "qapi/qapi-visit-machine-s390x.h" #include "hw/s390x/cpu-topology.h" #include "kvm/kvm_s390x.h" #include "hw/virtio/virtio-md-pci.h" @@ -788,6 +789,30 @@ static void machine_set_loadparm(Object *obj, Visitor = *v, g_free(val); } =20 +static void machine_get_boot_certs(Object *obj, Visitor *v, + const char *name, void *opaque, + Error **errp) +{ + S390CcwMachineState *ms =3D S390_CCW_MACHINE(obj); + BootCertificatesList **certs =3D &ms->boot_certs; + + visit_type_BootCertificatesList(v, name, certs, errp); +} + +static void machine_set_boot_certs(Object *obj, Visitor *v, const char *na= me, + void *opaque, Error **errp) +{ + S390CcwMachineState *ms =3D S390_CCW_MACHINE(obj); + BootCertificatesList *cert_list =3D NULL; + + visit_type_BootCertificatesList(v, name, &cert_list, errp); + if (!cert_list) { + return; + } + + ms->boot_certs =3D cert_list; +} + static void ccw_machine_class_init(ObjectClass *oc, const void *data) { MachineClass *mc =3D MACHINE_CLASS(oc); @@ -841,6 +866,11 @@ static void ccw_machine_class_init(ObjectClass *oc, co= nst void *data) "Up to 8 chars in set of [A-Za-z0-9. ] (lower case chars conve= rted" " to upper case) to pass to machine loader, boot manager," " and guest kernel"); + + object_class_property_add(oc, "boot-certs", "BootCertificatesList", + machine_get_boot_certs, machine_set_boot_cer= ts, NULL, NULL); + object_class_property_set_description(oc, "boot-certs", + "provide paths to a directory and/or a certificate file for se= cure boot"); } =20 static inline void s390_machine_initfn(Object *obj) diff --git a/include/hw/s390x/s390-virtio-ccw.h b/include/hw/s390x/s390-vir= tio-ccw.h index f1f06119d6..5ad1ea2f24 100644 
--- a/include/hw/s390x/s390-virtio-ccw.h +++ b/include/hw/s390x/s390-virtio-ccw.h @@ -14,6 +14,7 @@ #include "hw/core/boards.h" #include "qom/object.h" #include "hw/s390x/sclp.h" +#include "qapi/qapi-types-machine-s390x.h" =20 #define TYPE_S390_CCW_MACHINE "s390-ccw-machine" =20 @@ -31,6 +32,7 @@ struct S390CcwMachineState { uint8_t loadparm[8]; uint64_t memory_limit; uint64_t max_pagesize; + BootCertificatesList *boot_certs; =20 SCLPDevice *sclp; }; diff --git a/qapi/machine-s390x.json b/qapi/machine-s390x.json index ea430e1b88..53936c2554 100644 --- a/qapi/machine-s390x.json +++ b/qapi/machine-s390x.json @@ -140,3 +140,26 @@ { 'event': 'SCLP_CPI_INFO_AVAILABLE', 'features': [ 'unstable' ] } + +## +# @BootCertificates: +# +# Boot certificates for secure IPL. +# +# @path: path to an X.509 certificate file or a directory containing +# certificate files. +# +# Since: 11.0 +## +{ 'struct': 'BootCertificates', + 'data': {'path': 'str'} } + +## +# @DummyBootCertificates: +# +# Not used by QMP; hack to let us use BootCertificatesList internally. +# +# Since: 11.0 +## +{ 'struct': 'DummyBootCertificates', + 'data': {'unused-boot-certs': ['BootCertificates'] } } diff --git a/qapi/pragma.json b/qapi/pragma.json index 193bc39059..aad270402f 100644 --- a/qapi/pragma.json +++ b/qapi/pragma.json @@ -49,6 +49,7 @@ 'DisplayProtocol', 'DriveBackupWrapper', 'DummyBlockCoreForceArrays', + 'DummyBootCertificates', 'DummyForceArrays', 'DummyVirtioForceArrays', 'HotKeyMod', diff --git a/qemu-options.hx b/qemu-options.hx index 0da2b4d034..8873083792 100644 --- a/qemu-options.hx +++ b/qemu-options.hx 
@@ -45,7 +45,8 @@ DEF("machine", HAS_ARG, QEMU_OPTION_machine, \ " memory-backend=3D'backend-id' specifies explicitly pr= ovided backend for main RAM (default=3Dnone)\n" " cxl-fmw.0.targets.0=3Dfirsttarget,cxl-fmw.0.targets.1= =3Dsecondtarget,cxl-fmw.0.size=3Dsize[,cxl-fmw.0.interleave-granularity=3Dg= ranularity]\n" " sgx-epc.0.memdev=3Dmemid,sgx-epc.0.node=3Dnumaid\n" - " smp-cache.0.cache=3Dcachename,smp-cache.0.topology=3D= topologylevel\n", + " smp-cache.0.cache=3Dcachename,smp-cache.0.topology=3D= topologylevel\n" + " boot-certs.0.path=3D/path/directory,boot-certs.1.path= =3D/path/file provides paths to a directory and/or a certificate file\n", QEMU_ARCH_ALL) SRST ``-machine [type=3D]name[,prop=3Dvalue[,...]]`` 
@@ -209,6 +210,9 @@ SRST :: =20 -machine smp-cache.0.cache=3Dl1d,smp-cache.0.topology=3Dcore,s= mp-cache.1.cache=3Dl1i,smp-cache.1.topology=3Dcore + + ``boot-certs.0.path=3D/path/directory,boot-certs.1.path=3D/path/file`` + Provide paths to a directory and/or a certificate file on the host= [s390x only]. ERST =20 DEF("M", HAS_ARG, QEMU_OPTION_M, --=20 2.53.0 From nobody Wed Apr 1 22:36:14 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass(p=reject dis=none) header.from=linux.ibm.com ARC-Seal: i=1; a=rsa-sha256; t=1772750561; cv=none; d=zohomail.com; s=zohoarc; b=X0KSmKvggEfwOrAnl2tFljSaO5nClxcM/8sqCZcn0+BBSYMsnEIKqIVpSpxkWQJbAz+VM01UJA0fG7i5qR10my+fEhG9SflnoQIQT2iyLR3heG1M1L2G2c3qzayK6JJjcuxNenqQsJcE9l/qaJXI7Bsq8FrekxV37KeXoSNWoMo= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1772750561; h=Content-Type:Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=WKks+EdIYbxgjkTxmJqLBnT3Rd/1ziDHPOiDpayzQQo=; b=PPlkrlFKvNL+4yJPEW1FIK/VlS806wNapxqDBFW1H1UZnycPDj1V0pUquMN9WmeGENMEPl0ELo7Y5iOhI/GOGZe//FijXJ/zns70JMUDLSi6IT3gZteTNpKbyDx3V54ipri1SShU4x7wViX9NHOD9Ylwyyjd9/7FQBN4vUL2Rlg= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass header.from= (p=reject dis=none) Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1772750561794775.7364482424603; Thu, 5 Mar 2026 14:42:41 -0800 (PST) Received: from localhost ([::1] helo=lists1p.gnu.org) 
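Review bot: In machine_set_boot_certs() (hw/s390x/s390-virtio-ccw.c), the new list is stored into ms->boot_certs without releasing a list that may already be held there, and the result of visit_type_BootCertificatesList() is ignored in favour of the `if (!cert_list)` test. Setting the property a second time leaks the earlier list. Suggest returning early when the visitor call reports failure and freeing the old value with the generated qapi_free_BootCertificatesList() before the assignment. A matching free when the machine object is finalized is not visible in this patch and would be needed as well.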
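Review bot: In docs/system/s390x/secure-ipl.rst, the line "Note: certificate files must have a .pem extension." sits between the sentence ending "on the command-line:" and the code-block that sentence introduces, so the colon no longer leads into the example. Move the note after the code block or make it a `.. note::` directive. It would also help to state what happens to files in a supplied directory that lack the .pem extension (skipped or rejected), since that decides what ends up in the certificate store.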
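Review bot: In qemu-options.hx, the line added to the -machine help string (first hunk, under QEMU_ARCH_ALL) does not say the property is s390x-specific, while the SRST text added in the second hunk is marked "[s390x only]". Add the same marker to the help line so the -help output on other targets does not present boot-certs as generally available.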
From: Zhuoying Cai
Subject: [PATCH v9 02/30] crypto/x509-utils: Refactor with GNUTLS fallback
Date: Thu, 5 Mar 2026 17:41:17 -0500
Message-ID: <20260305224146.664053-3-zycai@linux.ibm.com>
In-Reply-To: <20260305224146.664053-1-zycai@linux.ibm.com>
References: <20260305224146.664053-1-zycai@linux.ibm.com>

Always compile x509-utils.c and add a fallback when GNUTLS is unavailable. These functions will be needed in the s390x code regardless of whether GNUTLS is available.

Signed-off-by: Zhuoying Cai Acked-by: Daniel P. Berrang=C3=A9 Reviewed-by: Daniel P. Berrang=C3=A9 Reviewed-by: Farhan Ali Reviewed-by: Thomas Huth --- crypto/meson.build | 2 +- crypto/x509-utils.c | 16 ++++++++++++++++ 2 files changed, 17 insertions(+), 1 deletion(-) diff --git a/crypto/meson.build b/crypto/meson.build index b51597a879..fda85543de 100644 --- a/crypto/meson.build +++ b/crypto/meson.build @@ -22,12 +22,12 @@ crypto_ss.add(files( 'tlscredsx509.c', 'tlssession.c', 'rsakey.c', + 'x509-utils.c', )) =20 if gnutls.found() crypto_ss.add(files( 'tlscredsbox.c', - 'x509-utils.c', )) endif =20 diff --git a/crypto/x509-utils.c b/crypto/x509-utils.c index 39bb6d4d8c..6176a88653 100644 --- a/crypto/x509-utils.c +++ b/crypto/x509-utils.c @@ -11,6 +11,8 @@ #include "qemu/osdep.h" #include "qapi/error.h" #include "crypto/x509-utils.h" + +#ifdef CONFIG_GNUTLS #include #include #include 
@@ -78,3 +80,17 @@ int qcrypto_get_x509_cert_fingerprint(uint8_t *cert, siz= e_t size, gnutls_x509_crt_deinit(crt); return ret; } + +#else /* ! CONFIG_GNUTLS */ + +int qcrypto_get_x509_cert_fingerprint(uint8_t *cert, size_t size, + QCryptoHashAlgo hash, + uint8_t *result, + size_t *resultlen, + Error **errp) +{ + error_setg(errp, "GNUTLS is required to get fingerprint"); + return -1; +} + +#endif /* ! CONFIG_GNUTLS */ --=20 2.53.0 From nobody Wed Apr 1 22:36:14 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass(p=reject dis=none) header.from=linux.ibm.com ARC-Seal: i=1; a=rsa-sha256; t=1772750582; cv=none; d=zohomail.com; s=zohoarc; b=H7w0kfXOHPNxxSP8XGTiY5GVUe2f1LABXdJzjmvHk5PuIwLDPEzIOiHapXh3ag1tJQJhS0S99c9FgdAtj1qOKcD8Jyo/mXgMTJzt3FnA8u/AzzNriGqv6rEo8/8jkBqTL8Ti3pQwZmg0CZaz/W5yHbnrNpjRk2KBU9mmUXtEZRc= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1772750582; h=Content-Type:Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=QD5O1xGaUG4/7Rrqjf+RXzCnnv0+4bav5v+IJcUSyso=; b=mY54aRyKAUSD021vPceAoRQraumdCJtlIAhK628cug9dPBzg+2VB3RBJxTzPZGaC5Vn0fqJN35NbhegnOsSLw/bIArVx9QjmcaxQQl/nEJZJnh4rRDjjhxH0PtoL8XMuqoNE50/mCvXs1XHl6dYJAa0GnZruA7BMB39PRi8ME/c= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass header.from= (p=reject dis=none) Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1772750582565814.024252500835; Thu, 5 Mar 2026 
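Review bot: In the `#else /* ! CONFIG_GNUTLS */` branch of crypto/x509-utils.c, the stub qcrypto_get_x509_cert_fingerprint() returns -1 without touching result or resultlen, and nothing visible in this patch tells callers that the function can now be linked but always fail. Since the commit message says the s390x code will call it regardless of GNUTLS, suggest documenting in include/crypto/x509-utils.h that a build without GNUTLS always returns -1 with errp set and leaves the output parameters unmodified. The message "GNUTLS is required to get fingerprint" would also read better if it named the X.509 certificate fingerprint.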
From: Zhuoying Cai
Subject: [PATCH v9 03/30] crypto/x509-utils: Add helper functions for certificate store
Date: Thu, 5 Mar 2026 17:41:18 -0500
Message-ID: <20260305224146.664053-4-zycai@linux.ibm.com>
In-Reply-To: <20260305224146.664053-1-zycai@linux.ibm.com>
References: <20260305224146.664053-1-zycai@linux.ibm.com>

Introduce new helper functions for x509 certificate, which will be used by the certificate store:

qcrypto_x509_convert_cert_der() - converts a certificate from PEM to DER format

These functions provide support for certificate format conversion.

Signed-off-by: Zhuoying Cai Acked-by: Daniel P. Berrang=C3=A9 Reviewed-by: Daniel P. Berrang=C3=A9 Reviewed-by: Farhan Ali Reviewed-by: Thomas Huth --- crypto/x509-utils.c | 49 +++++++++++++++++++++++++++++++++++++ include/crypto/x509-utils.h | 21 ++++++++++++++++ 2 files changed, 70 insertions(+) diff --git a/crypto/x509-utils.c b/crypto/x509-utils.c index 6176a88653..2696d48155 100644 --- a/crypto/x509-utils.c +++ b/crypto/x509-utils.c @@ -81,6 +81,46 @@ int qcrypto_get_x509_cert_fingerprint(uint8_t *cert, siz= e_t size, return ret; } =20 +int qcrypto_x509_convert_cert_der(uint8_t *cert, size_t size, + uint8_t **result, size_t *resultlen, + Error **errp) +{ + int ret =3D -1; + int rc; + gnutls_x509_crt_t crt; + gnutls_datum_t datum =3D {.data =3D cert, .size =3D size}; + gnutls_datum_t datum_der =3D {.data =3D NULL, .size =3D 0}; + + rc =3D gnutls_x509_crt_init(&crt); + if (rc < 0) { + error_setg(errp, "Failed to initialize certificate: %s", gnutls_st= rerror(rc)); + return ret; + } + + rc =3D gnutls_x509_crt_import(crt, &datum, GNUTLS_X509_FMT_PEM); + if (rc !=3D 0) { + error_setg(errp, "Failed to import certificate: %s", gnutls_strerr= or(rc)); + goto cleanup; + } + + rc =3D gnutls_x509_crt_export2(crt, GNUTLS_X509_FMT_DER, &datum_der); + if (rc !=3D 0) { + error_setg(errp, "Failed to convert certificate to DER format: %s", + gnutls_strerror(rc)); + goto cleanup; + } + + *resultlen =3D datum_der.size; + *result =3D g_memdup2(datum_der.data, datum_der.size); + + ret =3D 0; + +cleanup: + gnutls_x509_crt_deinit(crt); + gnutls_free(datum_der.data); + return ret; +} + #else /* ! CONFIG_GNUTLS */ =20 int qcrypto_get_x509_cert_fingerprint(uint8_t *cert, size_t size, 
@@ -93,4 +133,13 @@ int qcrypto_get_x509_cert_fingerprint(uint8_t *cert, si= ze_t size, return -1; } =20 +int qcrypto_x509_convert_cert_der(uint8_t *cert, size_t size, + uint8_t **result, + size_t *resultlen, + Error **errp) +{ + error_setg(errp, "GNUTLS is required to export X.509 certificate"); + return -1; +} + #endif /* ! CONFIG_GNUTLS */ diff --git a/include/crypto/x509-utils.h b/include/crypto/x509-utils.h index 1e99661a71..91ae79fb03 100644 --- a/include/crypto/x509-utils.h +++ b/include/crypto/x509-utils.h 
@@ -19,4 +19,25 @@ int qcrypto_get_x509_cert_fingerprint(uint8_t *cert, siz= e_t size, size_t *resultlen, Error **errp); =20 +/** + * qcrypto_x509_convert_cert_der + * @cert: pointer to the raw certificate data in PEM format + * @size: size of the certificate + * @result: output location for the allocated buffer for the certificate + * in DER format + * (the function allocates memory which must be freed by the call= er) + * @resultlen: pointer to the size of the buffer (will be updated with the + * actual size of the DER-encoded certificate) + * @errp: error pointer + * + * Convert the given @cert from PEM to DER format. + * + * Returns: 0 on success, + * -1 on error. + */ +int qcrypto_x509_convert_cert_der(uint8_t *cert, size_t size, + uint8_t **result, + size_t *resultlen, + Error **errp); + #endif --=20 2.53.0 From nobody Wed Apr 1 22:36:14 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass(p=reject dis=none) header.from=linux.ibm.com ARC-Seal: i=1; a=rsa-sha256; t=1772750561; cv=none; d=zohomail.com; s=zohoarc; b=XmwZc43IsXmQVN+EfIox/af/OYxXHsY103VXWvnD5mP5ReKmhrcVz2ZIAwGW+Il2wbqx69toXx2kOzngIHtmhXzqQRGgUx7G+b7JM4nuhWuw+nqivHdI8QXsOjQV+BMP+wBU4R9UIHFF/5UH5b2yP8v6IiP0SuFQyV6ECicyWLU= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1772750561; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=4tS2l5lE2y3uNmLn0Q1QFrblGEZgl3ec7H/+dLHUo1Y=; b=BBXzrwyOKxQH8SYkBIWXATuA64yuthePCUwgBjFq6H9//oPOaJ02bHJWDyEbCIf/zNm+XN5K7qQ7Q9BuK5AAwH+31kfVgDv/IWdL6y7BGPQAWDu7h6c9GJvD0Dz8JtVBB2NeDpTP/QizLmja8pXj1hW6PLUcaF7BBGzk7yeoV6Q= ARC-Authentication-Results: i=1; 
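Review bot: in the crypto/x509-utils.c hunk, qcrypto_x509_convert_cert_der() imports the buffer with gnutls_x509_crt_import() into a single gnutls_x509_crt_t, so a PEM input that holds more than one certificate is converted as if it held only the first, and nothing in the function reports the extra data. For a helper that feeds a boot certificate store, that should either be rejected with an error or stated in the function's documentation. In the same function, `size` is a size_t but is assigned to the unsigned int `datum.size`; an explicit `size > UINT_MAX` check before building `datum` would avoid silent narrowing. The error checks also mix `rc < 0` and `rc != 0`; picking one form would read more consistently.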
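Review bot: in the include/crypto/x509-utils.h hunk, the @resultlen description ("pointer to the size of the buffer (will be updated with the actual size ...)") reads like an in/out parameter, but the implementation never reads it and only stores `datum_der.size`. Describing it as an output location for the length of @result would match the code. The @result description should also name the matching deallocator: the buffer comes from g_memdup2(), so callers need g_free(), and it is worth stating that @result and @resultlen are left untouched on error.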
From: Zhuoying Cai
To: thuth@redhat.com, berrange@redhat.com, jrossi@linux.ibm.com, qemu-s390x@nongnu.org, qemu-devel@nongnu.org
Cc: richard.henderson@linaro.org, pierrick.bouvier@linaro.org, david@kernel.org, walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com, brueckner@linux.ibm.com, jdaley@linux.ibm.com
Subject: [PATCH v9 04/30] hw/s390x/ipl: Create certificate store
Date: Thu, 5 Mar 2026 17:41:19 -0500
Message-ID: <20260305224146.664053-5-zycai@linux.ibm.com>
In-Reply-To: <20260305224146.664053-1-zycai@linux.ibm.com>
References: <20260305224146.664053-1-zycai@linux.ibm.com>

Create a certificate store for boot certificates used for secure IPL.

Load certificates from the `boot-certs` parameter of s390-ccw-virtio
machine type option into the cert store.

Currently, only X.509 certificates in PEM format are supported, as the
QEMU command line accepts certificates in PEM format only.

Signed-off-by: Zhuoying Cai Reviewed-by: Farhan Ali --- docs/specs/index.rst | 1 + docs/specs/s390x-secure-ipl.rst | 16 +++ hw/s390x/cert-store.c | 221 ++++++++++++++++++++++++++++++++ hw/s390x/cert-store.h | 39 ++++++ hw/s390x/ipl.c | 10 ++ hw/s390x/ipl.h | 3 + hw/s390x/meson.build | 1 + include/hw/s390x/ipl/qipl.h | 2 + 8 files changed, 293 insertions(+) create mode 100644 docs/specs/s390x-secure-ipl.rst create mode 100644 hw/s390x/cert-store.c create mode 100644 hw/s390x/cert-store.h diff --git a/docs/specs/index.rst b/docs/specs/index.rst index b7909a108a..76d439782c 100644 --- a/docs/specs/index.rst +++ b/docs/specs/index.rst @@ -40,3 +40,4 @@ guest hardware that is specific to QEMU. riscv-aia aspeed-intc iommu-testdev + s390x-secure-ipl diff --git a/docs/specs/s390x-secure-ipl.rst b/docs/specs/s390x-secure-ipl.= rst new file mode 100644 index 0000000000..7ddac98a37 --- /dev/null +++ b/docs/specs/s390x-secure-ipl.rst @@ -0,0 +1,16 @@ +.. SPDX-License-Identifier: GPL-2.0-or-later + +s390 Certificate Store and Functions +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D + +s390 Certificate Store +---------------------- + +A certificate store is implemented for s390-ccw guests to retain within +memory all certificates provided by the user via the command-line, which +are expected to be stored somewhere on the host's file system. The store +will keep track of the number of certificates, their respective size, +and a summation of the sizes. + +Note: A maximum of 64 certificates are allowed to be stored in the certifi= cate +store. diff --git a/hw/s390x/cert-store.c b/hw/s390x/cert-store.c new file mode 100644 index 0000000000..a4f15627e9 --- /dev/null +++ b/hw/s390x/cert-store.c 
@@ -0,0 +1,221 @@ +/* + * S390 certificate store implementation + * + * Copyright 2025 IBM Corp. + * Author(s): Zhuoying Cai + * + * SPDX-License-Identifier: GPL-2.0-or-later + */ + +#include "qemu/osdep.h" +#include "cert-store.h" +#include "qapi/error.h" +#include "qemu/error-report.h" +#include "qemu/option.h" +#include "qemu/config-file.h" +#include "hw/s390x/ebcdic.h" +#include "hw/s390x/s390-virtio-ccw.h" +#include "qemu/cutils.h" +#include "crypto/x509-utils.h" +#include "qapi/qapi-types-machine-s390x.h" + +static BootCertificatesList *s390_get_boot_certs(void) +{ + return S390_CCW_MACHINE(qdev_get_machine())->boot_certs; +} + +static S390IPLCertificate *init_cert(char *path, Error **errp) +{ + int rc; + char *buf; + size_t size; + size_t der_len; + char name[CERT_NAME_MAX_LEN]; + g_autofree gchar *filename =3D NULL; + S390IPLCertificate *cert =3D NULL; + g_autofree uint8_t *cert_der =3D NULL; + Error *local_err =3D NULL; + + filename =3D g_path_get_basename(path); + + if (!g_file_get_contents(path, &buf, &size, NULL)) { + error_setg(errp, "Failed to load certificate: %s", path); + return NULL; + } + + rc =3D qcrypto_x509_convert_cert_der((uint8_t *)buf, size, + &cert_der, &der_len, &local_err); + if (rc !=3D 0) { + error_propagate_prepend(errp, local_err, + "Failed to initialize certificate: %s: ", = path); + g_free(buf); + return NULL; + } + + cert =3D g_new0(S390IPLCertificate, 1); + cert->size =3D size; + /* + * Store DER length only - reused for size calculation. + * cert_der is discarded because DER certificate data will be used once + * and can be regenerated from cert->raw. + */ + cert->der_size =3D der_len; + /* store raw pointer - ownership transfers to cert */ + cert->raw =3D (uint8_t *)buf; + + /* + * Left justified certificate name with padding on the right with blan= ks. + * Convert certificate name to EBCDIC. 
+ */ + strpadcpy(name, CERT_NAME_MAX_LEN, filename, ' '); + ebcdic_put(cert->name, name, CERT_NAME_MAX_LEN); + + return cert; +} + +static void update_cert_store(S390IPLCertificateStore *cert_store, + S390IPLCertificate *cert) +{ + size_t data_buf_size; + size_t keyid_buf_size; + size_t hash_buf_size; + size_t cert_buf_size; + + /* length field is word aligned for later DIAG use */ + keyid_buf_size =3D ROUND_UP(CERT_KEY_ID_LEN, 4); + hash_buf_size =3D ROUND_UP(CERT_HASH_LEN, 4); + cert_buf_size =3D ROUND_UP(cert->der_size, 4); + data_buf_size =3D keyid_buf_size + hash_buf_size + cert_buf_size; + + if (cert_store->largest_cert_size < data_buf_size) { + cert_store->largest_cert_size =3D data_buf_size; + } + + g_assert(cert_store->count < MAX_CERTIFICATES); + + cert_store->certs[cert_store->count] =3D *cert; + cert_store->total_bytes +=3D data_buf_size; + cert_store->count++; +} + +static GPtrArray *get_cert_paths(Error **errp) +{ + struct stat st; + BootCertificatesList *path_list =3D NULL; + BootCertificatesList *list =3D NULL; + gchar *cert_path; + GDir *dir =3D NULL; + const gchar *filename; + bool is_empty; + g_autoptr(GError) err =3D NULL; + g_autoptr(GPtrArray) cert_path_builder =3D g_ptr_array_new_full(0, g_f= ree); + + path_list =3D s390_get_boot_certs(); + + for (list =3D path_list; list; list =3D list->next) { + cert_path =3D list->value->path; + + if (g_strcmp0(cert_path, "") =3D=3D 0) { + error_setg(errp, "Empty path in certificate path list is not a= llowed"); + goto fail; + } + + if (stat(cert_path, &st) !=3D 0) { + error_setg(errp, "Failed to stat path '%s': %s", + cert_path, g_strerror(errno)); + goto fail; + } + + if (S_ISREG(st.st_mode)) { + if (!g_str_has_suffix(cert_path, ".pem")) { + error_setg(errp, "Certificate file '%s' must have a .pem e= xtension", + cert_path); + goto fail; + } + + g_ptr_array_add(cert_path_builder, g_strdup(cert_path)); + } else if (S_ISDIR(st.st_mode)) { + dir =3D g_dir_open(cert_path, 0, &err); + if (dir =3D=3D NULL) { + 
error_setg(errp, "Failed to open directory '%s': %s", + cert_path, err->message); + + goto fail; + } + + is_empty =3D true; + while ((filename =3D g_dir_read_name(dir))) { + is_empty =3D false; + + if (g_str_has_suffix(filename, ".pem")) { + g_ptr_array_add(cert_path_builder, + g_build_filename(cert_path, filename, = NULL)); + } else { + warn_report("skipping '%s': not a .pem file", filename= ); + } + } + + if (is_empty) { + warn_report("'%s' directory is empty", cert_path); + } + + g_dir_close(dir); + } else { + error_setg(errp, "Path '%s' is neither a file nor a directory"= , cert_path); + goto fail; + } + } + + qapi_free_BootCertificatesList(path_list); + return g_steal_pointer(&cert_path_builder); + +fail: + qapi_free_BootCertificatesList(path_list); + return NULL; +} + +void s390_ipl_create_cert_store(S390IPLCertificateStore *cert_store) +{ + GPtrArray *cert_path_builder; + Error *err =3D NULL; + + /* If cert store is already populated, then no work to do */ + if (cert_store->count) { + return; + } + + cert_path_builder =3D get_cert_paths(&err); + if (cert_path_builder =3D=3D NULL) { + error_report_err(err); + exit(1); + } + + if (cert_path_builder->len =3D=3D 0) { + g_ptr_array_free(cert_path_builder, TRUE); + return; + } + + if (cert_path_builder->len > MAX_CERTIFICATES) { + error_report("Cert store exceeds maximum of %d certificates", MAX_= CERTIFICATES); + g_ptr_array_free(cert_path_builder, TRUE); + exit(1); + } + + cert_store->largest_cert_size =3D 0; + cert_store->total_bytes =3D 0; + + for (int i =3D 0; i < cert_path_builder->len; i++) { + g_autofree S390IPLCertificate *cert =3D + init_cert((char *) cert_path_builder->pdata[i], + &err); + if (!cert) { + error_report_err(err); + g_ptr_array_free(cert_path_builder, TRUE); + exit(1); + } + + update_cert_store(cert_store, cert); + } + + g_ptr_array_free(cert_path_builder, TRUE); +} diff --git a/hw/s390x/cert-store.h b/hw/s390x/cert-store.h new file mode 100644 index 0000000000..7fc9503cb9 --- /dev/null 
+++ b/hw/s390x/cert-store.h @@ -0,0 +1,39 @@ +/* + * S390 certificate store + * + * Copyright 2025 IBM Corp. + * Author(s): Zhuoying Cai + * + * SPDX-License-Identifier: GPL-2.0-or-later + */ + +#ifndef HW_S390_CERT_STORE_H +#define HW_S390_CERT_STORE_H + +#include "hw/s390x/ipl/qipl.h" +#include "crypto/x509-utils.h" + +#define CERT_NAME_MAX_LEN 64 + +#define CERT_KEY_ID_LEN QCRYPTO_HASH_DIGEST_LEN_SHA256 +#define CERT_HASH_LEN QCRYPTO_HASH_DIGEST_LEN_SHA256 + +struct S390IPLCertificate { + uint8_t name[CERT_NAME_MAX_LEN]; + size_t size; + size_t der_size; + uint8_t *raw; +}; +typedef struct S390IPLCertificate S390IPLCertificate; + +struct S390IPLCertificateStore { + uint16_t count; + size_t largest_cert_size; + size_t total_bytes; + S390IPLCertificate certs[MAX_CERTIFICATES]; +}; +typedef struct S390IPLCertificateStore S390IPLCertificateStore; + +void s390_ipl_create_cert_store(S390IPLCertificateStore *cert_store); + +#endif diff --git a/hw/s390x/ipl.c b/hw/s390x/ipl.c index d34adb5522..ea108fe370 100644 --- a/hw/s390x/ipl.c +++ b/hw/s390x/ipl.c @@ -36,6 +36,7 @@ #include "qemu/option.h" #include "qemu/ctype.h" #include "standard-headers/linux/virtio_ids.h" +#include "cert-store.h" =20 #define KERN_IMAGE_START 0x010000UL #define LINUX_MAGIC_ADDR 0x010008UL @@ -425,6 +426,13 @@ void s390_ipl_convert_loadparm(char *ascii_lp, uint8_t= *ebcdic_lp) } } =20 +S390IPLCertificateStore *s390_ipl_get_certificate_store(void) +{ + S390IPLState *ipl =3D get_ipl_device(); + + return &ipl->cert_store; +} + static bool s390_build_iplb(DeviceState *dev_st, IplParameterBlock *iplb) { CcwDevice *ccw_dev =3D NULL; @@ -718,6 +726,8 @@ void s390_ipl_prepare_cpu(S390CPU *cpu) cpu->env.psw.addr =3D ipl->start_addr; cpu->env.psw.mask =3D IPL_PSW_MASK; =20 + s390_ipl_create_cert_store(&ipl->cert_store); + if (!ipl->kernel || ipl->iplb_valid) { cpu->env.psw.addr =3D ipl->bios_start_addr; if (!ipl->iplb_valid) { diff --git a/hw/s390x/ipl.h b/hw/s390x/ipl.h index 086e57681c..37f311474d 100644 
--- a/hw/s390x/ipl.h +++ b/hw/s390x/ipl.h @@ -13,6 +13,7 @@ #ifndef HW_S390_IPL_H #define HW_S390_IPL_H =20 +#include "cert-store.h" #include "cpu.h" #include "exec/target_page.h" #include "system/address-spaces.h" @@ -35,6 +36,7 @@ int s390_ipl_pv_unpack(struct S390PVResponse *pv_resp); void s390_ipl_prepare_cpu(S390CPU *cpu); IplParameterBlock *s390_ipl_get_iplb(void); IplParameterBlock *s390_ipl_get_iplb_pv(void); +S390IPLCertificateStore *s390_ipl_get_certificate_store(void); =20 enum s390_reset { /* default is a reset not triggered by a CPU e.g. issued by QMP */ @@ -63,6 +65,7 @@ struct S390IPLState { IplParameterBlock iplb; IplParameterBlock iplb_pv; QemuIplParameters qipl; + S390IPLCertificateStore cert_store; uint64_t start_addr; uint64_t compat_start_addr; uint64_t bios_start_addr; diff --git a/hw/s390x/meson.build b/hw/s390x/meson.build index 1bc8583799..62884fc99c 100644 --- a/hw/s390x/meson.build +++ b/hw/s390x/meson.build @@ -17,6 +17,7 @@ s390x_ss.add(files( 'sclpcpu.c', 'sclpquiesce.c', 'tod.c', + 'cert-store.c', )) s390x_ss.add(when: 'CONFIG_KVM', if_true: files( 'tod-kvm.c', diff --git a/include/hw/s390x/ipl/qipl.h b/include/hw/s390x/ipl/qipl.h index 6824391111..e505f44020 100644 --- a/include/hw/s390x/ipl/qipl.h +++ b/include/hw/s390x/ipl/qipl.h 
@@ -20,6 +20,8 @@ #define LOADPARM_LEN 8 #define NO_LOADPARM "\0\0\0\0\0\0\0\0" =20 +#define MAX_CERTIFICATES 64 + /* * The QEMU IPL Parameters will be stored at absolute address * 204 (0xcc) which means it is 32-bit word aligned but not --=20 2.53.0 From nobody Wed Apr 1 22:36:14 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass(p=reject dis=none) header.from=linux.ibm.com ARC-Seal: i=1; a=rsa-sha256; t=1772750774; cv=none; d=zohomail.com; s=zohoarc; b=AsXJ0hJPh8AWYrLKT/ql1tP0BXZXsDVUYNv00D9lG1WYvm2uEyVC0KS3QwqmgMm09vv06myGMlgY7w1qLGjrEgaVISNMzhGBJJLSLxtiP5KVzL2/NJ1iispg2G+w+Onx/lDhW5e+vAEdnEe2AKZIcOWRUfPIj3FTwE5xMjjG4Hg= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1772750774; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=drc6SivE4GBtM0ZMBOVinGGPGigVCY9Q0vB8kFWj2qc=; b=KlpF6U8uQGF0wgamgb/0dveGuvd8pdtYf5Vnx3Pd3c8Gdyg0+L6NCnrjxf+pVJrXgtCT8NR0vp+wweeFFy9HAYJQI+aJUXF/XLhU9KQvLAaQOy7AxHpsHCWVJwYWsjRPYdFdQhoNAOobuzYO2pthskPWIda/+Zb4NBX9+9g6E5o= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass header.from= (p=reject dis=none) Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1772750774594835.5804640539016; Thu, 5 Mar 2026 14:46:14 -0800 (PST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1vyHOU-00012X-IC; Thu, 05 Mar 2026 17:42:10 -0500 Received: 
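Review bot: in the new hw/s390x/cert-store.c, get_cert_paths() calls qapi_free_BootCertificatesList(path_list) on both the success and the fail path, but path_list comes from s390_get_boot_certs(), which returns the machine's own boot_certs pointer rather than a copy. After the first call that pointer is dangling, and s390_ipl_create_cert_store() only returns early when cert_store->count is non-zero, so a configuration that yields no certificates (an empty directory, for example) would walk freed memory on any later call. Dropping the two frees, or iterating over a clone of the list, would avoid that. Separately, init_cert() stores only the basename, padded or cut to CERT_NAME_MAX_LEN by strpadcpy(), so files with the same name in different directories, or long names sharing a 64-byte prefix, end up with identical names in the store; that should be rejected or documented.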
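Review bot: the call added to s390_ipl_prepare_cpu() in hw/s390x/ipl.c means an invalid boot-certs entry is only detected while the CPU is being prepared for IPL, and s390_ipl_create_cert_store() handles every failure with exit(1) because it returns void. Giving the function an `Error **errp` parameter and letting the caller decide, or validating the paths where the machine option is set, would report a bad path at configuration time and keep the exit policy out of the helper.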
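Review bot: the new docs/specs/s390x-secure-ipl.rst describes what the store tracks but not the input rules that get_cert_paths() enforces in this same patch. It should name the `boot-certs` machine option and state that each path may be a file or a directory, that a file must carry a .pem extension, that non-.pem directory entries are skipped with a warning, and that an empty path or exceeding the 64-certificate limit is a fatal error.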
From: Zhuoying Cai
To: thuth@redhat.com, berrange@redhat.com, jrossi@linux.ibm.com, qemu-s390x@nongnu.org, qemu-devel@nongnu.org
Cc: richard.henderson@linaro.org, pierrick.bouvier@linaro.org, david@kernel.org, walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com, brueckner@linux.ibm.com, jdaley@linux.ibm.com
Subject: [PATCH v9 05/30] s390x/diag: Introduce DIAG 320 for Certificate Store Facility
Date: Thu, 5 Mar 2026 17:41:20 -0500
Message-ID: <20260305224146.664053-6-zycai@linux.ibm.com>
In-Reply-To: <20260305224146.664053-1-zycai@linux.ibm.com>
References: <20260305224146.664053-1-zycai@linux.ibm.com>

DIAGNOSE 320 is introduced to support Certificate Store (CS) Facility,
which includes operations such as query certificate storage information
and provide certificates in the certificate store.

Currently, only subcode 0 is supported with this patch, which is used
to query the Installed Subcodes Mask (ISM).

This subcode is only supported when the CS facility is enabled.
Availability of CS facility is determined by byte 134 bit 5 of the SCLP Read Info block. Byte 134's facilities cannot be represented without the availability of the extended-length-SCCB, so add it as a check for consistency. Note: secure IPL is not available for Secure Execution (SE) guests, as their images are already integrity protected, and an additional protection of the kernel by secure IPL is not necessary. This feature is available starting with the gen16 CPU model. Signed-off-by: Zhuoying Cai Reviewed-by: Collin Walling Reviewed-by: Farhan Ali Reviewed-by: Thomas Huth --- docs/specs/s390x-secure-ipl.rst | 12 +++++++++ include/hw/s390x/ipl/diag320.h | 20 ++++++++++++++ target/s390x/cpu_features.c | 1 + target/s390x/cpu_features_def.h.inc | 1 + target/s390x/cpu_models.c | 2 ++ target/s390x/diag.c | 42 +++++++++++++++++++++++++++++ target/s390x/gen-features.c | 3 +++ target/s390x/kvm/kvm.c | 16 +++++++++++ target/s390x/s390x-internal.h | 2 ++ target/s390x/tcg/misc_helper.c | 7 +++++ 10 files changed, 106 insertions(+) create mode 100644 include/hw/s390x/ipl/diag320.h diff --git a/docs/specs/s390x-secure-ipl.rst b/docs/specs/s390x-secure-ipl.= rst index 7ddac98a37..96a8d0fb83 100644 --- a/docs/specs/s390x-secure-ipl.rst +++ b/docs/specs/s390x-secure-ipl.rst @@ -14,3 +14,15 @@ and a summation of the sizes. =20 Note: A maximum of 64 certificates are allowed to be stored in the certifi= cate store. + +DIAGNOSE function code 'X'320' - Certificate Store Facility +----------------------------------------------------------- + +DIAGNOSE 'X'320' is used to provide support for guest code to directly +query the s390 certificate store. Guest code may be the s390-ccw BIOS or +the guest kernel. + +Subcode 0 - query installed subcodes + Returns a 256-bit installed subcodes mask (ISM) stored in the installed + subcodes block (ISB). This mask indicates which subcodes are currently + installed and available for use. 
diff --git a/include/hw/s390x/ipl/diag320.h b/include/hw/s390x/ipl/diag320.h new file mode 100644 index 0000000000..aa04b699c6 --- /dev/null +++ b/include/hw/s390x/ipl/diag320.h @@ -0,0 +1,20 @@ +/* + * S/390 DIAGNOSE 320 definitions and structures + * + * Copyright 2025 IBM Corp. + * Author(s): Zhuoying Cai + * + * SPDX-License-Identifier: GPL-2.0-or-later + */ + +#ifndef S390X_DIAG320_H +#define S390X_DIAG320_H + +#define DIAG_320_SUBC_QUERY_ISM 0 + +#define DIAG_320_RC_OK 0x0001 +#define DIAG_320_RC_NOT_SUPPORTED 0x0102 + +#define DIAG_320_ISM_QUERY_SUBCODES 0x80000000 + +#endif diff --git a/target/s390x/cpu_features.c b/target/s390x/cpu_features.c index 4b5be6798e..436471f4b4 100644 --- a/target/s390x/cpu_features.c +++ b/target/s390x/cpu_features.c @@ -147,6 +147,7 @@ void s390_fill_feat_block(const S390FeatBitmap features= , S390FeatType type, break; case S390_FEAT_TYPE_SCLP_FAC134: clear_be_bit(s390_feat_def(S390_FEAT_DIAG_318)->bit, data); + clear_be_bit(s390_feat_def(S390_FEAT_CERT_STORE)->bit, data); break; default: return; diff --git a/target/s390x/cpu_features_def.h.inc b/target/s390x/cpu_feature= s_def.h.inc index c017bffcdc..2976ecd0ee 100644 --- a/target/s390x/cpu_features_def.h.inc +++ b/target/s390x/cpu_features_def.h.inc @@ -138,6 +138,7 @@ DEF_FEAT(SIE_IBS, "ibs", SCLP_CONF_CHAR_EXT, 10, "SIE: = Interlock-and-broadcast-s =20 /* Features exposed via SCLP SCCB Facilities byte 134 (bit numbers relativ= e to byte-134) */ DEF_FEAT(DIAG_318, "diag318", SCLP_FAC134, 0, "Control program name and ve= rsion codes") +DEF_FEAT(CERT_STORE, "cstore", SCLP_FAC134, 5, "Certificate Store function= s") =20 /* Features exposed via SCLP CPU info. */ DEF_FEAT(SIE_F2, "sief2", SCLP_CPU, 4, "SIE: interception format 2 (Virtua= l SIE)") diff --git a/target/s390x/cpu_models.c b/target/s390x/cpu_models.c index 954a7a99a9..6b8471700e 100644 --- a/target/s390x/cpu_models.c +++ b/target/s390x/cpu_models.c 
@@ -248,6 +248,7 @@ bool s390_has_feat(S390Feat feat) if (s390_is_pv()) { switch (feat) { case S390_FEAT_DIAG_318: + case S390_FEAT_CERT_STORE: case S390_FEAT_HPMA2: case S390_FEAT_SIE_F2: case S390_FEAT_SIE_SKEY: @@ -505,6 +506,7 @@ static void check_consistency(const S390CPUModel *model) { S390_FEAT_PTFF_STOUE, S390_FEAT_MULTIPLE_EPOCH }, { S390_FEAT_AP_QUEUE_INTERRUPT_CONTROL, S390_FEAT_AP }, { S390_FEAT_DIAG_318, S390_FEAT_EXTENDED_LENGTH_SCCB }, + { S390_FEAT_CERT_STORE, S390_FEAT_EXTENDED_LENGTH_SCCB }, { S390_FEAT_NNPA, S390_FEAT_VECTOR }, { S390_FEAT_RDP, S390_FEAT_LOCAL_TLB_CLEARING }, { S390_FEAT_UV_FEAT_AP, S390_FEAT_AP }, diff --git a/target/s390x/diag.c b/target/s390x/diag.c index da44b0133e..6373544bb2 100644 --- a/target/s390x/diag.c +++ b/target/s390x/diag.c @@ -18,6 +18,7 @@ #include "hw/watchdog/wdt_diag288.h" #include "system/cpus.h" #include "hw/s390x/ipl.h" +#include "hw/s390x/ipl/diag320.h" #include "hw/s390x/s390-virtio-ccw.h" #include "system/kvm.h" #include "kvm/kvm_s390x.h" 
@@ -192,3 +193,44 @@ out: break; } } + +void handle_diag_320(CPUS390XState *env, uint64_t r1, uint64_t r3, uintptr= _t ra) +{ + S390CPU *cpu =3D env_archcpu(env); + uint64_t subcode =3D env->regs[r3]; + uint64_t addr =3D env->regs[r1]; + + if (env->psw.mask & PSW_MASK_PSTATE) { + s390_program_interrupt(env, PGM_PRIVILEGED, ra); + return; + } + + if (!s390_has_feat(S390_FEAT_CERT_STORE) || + (subcode & ~0x000ffULL) || + (r1 & 1)) { + s390_program_interrupt(env, PGM_SPECIFICATION, ra); + return; + } + + + switch (subcode) { + case DIAG_320_SUBC_QUERY_ISM: + /* + * The Installed Subcode Block (ISB) can be up 8 words in size, + * but the current set of subcodes can fit within a single word + * for now. + */ + uint32_t ism_word0 =3D cpu_to_be32(DIAG_320_ISM_QUERY_SUBCODES); + + if (s390_cpu_virt_mem_write(cpu, addr, r1, &ism_word0, sizeof(ism_= word0))) { + s390_cpu_virt_mem_handle_exc(cpu, ra); + return; + } + + env->regs[r1 + 1] =3D DIAG_320_RC_OK; + break; + default: + env->regs[r1 + 1] =3D DIAG_320_RC_NOT_SUPPORTED; + break; + } +} diff --git a/target/s390x/gen-features.c b/target/s390x/gen-features.c index 8218e6470e..6c20c3a862 100644 --- a/target/s390x/gen-features.c +++ b/target/s390x/gen-features.c @@ -720,6 +720,7 @@ static uint16_t full_GEN16_GA1[] =3D { S390_FEAT_PAIE, S390_FEAT_UV_FEAT_AP, S390_FEAT_UV_FEAT_AP_INTR, + S390_FEAT_CERT_STORE, }; =20 static uint16_t full_GEN17_GA1[] =3D { @@ -919,6 +920,8 @@ static uint16_t qemu_MAX[] =3D { S390_FEAT_KIMD_SHA_512, S390_FEAT_KLMD_SHA_512, S390_FEAT_PRNO_TRNG, + S390_FEAT_EXTENDED_LENGTH_SCCB, + S390_FEAT_CERT_STORE, }; =20 /****** END FEATURE DEFS ******/ diff --git a/target/s390x/kvm/kvm.c b/target/s390x/kvm/kvm.c index 54d28e37d4..fb7a99f380 100644 --- a/target/s390x/kvm/kvm.c +++ b/target/s390x/kvm/kvm.c 
@@ -98,6 +98,7 @@ #define DIAG_TIMEREVENT 0x288 #define DIAG_IPL 0x308 #define DIAG_SET_CONTROL_PROGRAM_CODES 0x318 +#define DIAG_CERT_STORE 0x320 #define DIAG_KVM_HYPERCALL 0x500 #define DIAG_KVM_BREAKPOINT 0x501 =20 @@ -1560,6 +1561,16 @@ static void handle_diag_318(S390CPU *cpu, struct kvm= _run *run) } } =20 +static void kvm_handle_diag_320(S390CPU *cpu, struct kvm_run *run) +{ + uint64_t r1, r3; + + r1 =3D (run->s390_sieic.ipa & 0x00f0) >> 4; + r3 =3D run->s390_sieic.ipa & 0x000f; + + handle_diag_320(&cpu->env, r1, r3, RA_IGNORED); +} + #define DIAG_KVM_CODE_MASK 0x000000000000ffff =20 static int handle_diag(S390CPU *cpu, struct kvm_run *run, uint32_t ipb) @@ -1590,6 +1601,9 @@ static int handle_diag(S390CPU *cpu, struct kvm_run *= run, uint32_t ipb) case DIAG_KVM_BREAKPOINT: r =3D handle_sw_breakpoint(cpu, run); break; + case DIAG_CERT_STORE: + kvm_handle_diag_320(cpu, run); + break; default: trace_kvm_insn_diag(func_code); kvm_s390_program_interrupt(cpu, PGM_SPECIFICATION); @@ -2488,6 +2502,8 @@ bool kvm_s390_get_host_cpu_model(S390CPUModel *model,= Error **errp) set_bit(S390_FEAT_DIAG_318, model->features); } =20 + set_bit(S390_FEAT_CERT_STORE, model->features); + /* Test for Ultravisor features that influence secure guest behavior */ query_uv_feat_guest(model->features); =20 diff --git a/target/s390x/s390x-internal.h b/target/s390x/s390x-internal.h index 40850bcdc4..b16490bce6 100644 --- a/target/s390x/s390x-internal.h +++ b/target/s390x/s390x-internal.h @@ -388,6 +388,8 @@ int mmu_translate_real(CPUS390XState *env, hwaddr raddr= , int rw, int handle_diag_288(CPUS390XState *env, uint64_t r1, uint64_t r3); void handle_diag_308(CPUS390XState *env, uint64_t r1, uint64_t r3, uintptr_t ra); +void handle_diag_320(CPUS390XState *env, uint64_t r1, uint64_t r3, + uintptr_t ra); =20 =20 /* translate.c */ diff --git a/target/s390x/tcg/misc_helper.c b/target/s390x/tcg/misc_helper.c index 1fd900fbbf..4d73475d95 100644 --- a/target/s390x/tcg/misc_helper.c 
+++ b/target/s390x/tcg/misc_helper.c 
@@ -142,6 +142,13 @@ void HELPER(diag)(CPUS390XState *env, uint32_t r1, uin= t32_t r3, uint32_t num) /* time bomb (watchdog) */ r =3D handle_diag_288(env, r1, r3); break; + case 0x320: + /* cert store */ + bql_lock(); + handle_diag_320(env, r1, r3, GETPC()); + bql_unlock(); + r =3D 0; + break; default: r =3D -1; break; --=20 2.53.0
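Review bot: in the target/s390x/diag.c hunk, the DIAG_320_SUBC_QUERY_ISM case writes only sizeof(ism_word0), that is 4 bytes, while the documentation hunk in the same patch describes a 256-bit mask, so a guest that reads the whole installed subcodes block sees whatever its buffer already held in words 1 to 7. Either write a zero-filled 32-byte block or state in the documentation that the caller must clear the block first. The declaration of ism_word0 also follows the case label with no enclosing braces; wrapping the case body in { } keeps its scope local and avoids later cases jumping past an initialised declaration. The comment should read "can be up to 8 words", and the double blank line before the switch can go.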
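Review bot: in the target/s390x/kvm/kvm.c hunk at kvm_s390_get_host_cpu_model(), set_bit(S390_FEAT_CERT_STORE, model->features) is unconditional, whereas the S390_FEAT_DIAG_318 line directly above it sits inside a conditional block. Please add a comment saying why no host or KVM capability check is needed here, and how this squares with the commit message's statement that the feature is available starting with the gen16 CPU model.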
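Review bot: the docs/specs/s390x-secure-ipl.rst hunk describes what subcode 0 returns but not the calling convention that handle_diag_320() enforces: r1 must be an even register holding the block address, r3 holds the subcode, the response code is placed in r1 + 1, problem state gets a privileged-operation exception, and an odd r1 or a subcode with bits set outside the low byte gets a specification exception. Documenting these, together with the response codes 0x0001 and 0x0102 from diag320.h, would let guest code authors rely on the spec rather than the source.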
From: Zhuoying Cai
To: thuth@redhat.com, berrange@redhat.com, jrossi@linux.ibm.com, qemu-s390x@nongnu.org, qemu-devel@nongnu.org
Cc: richard.henderson@linaro.org, pierrick.bouvier@linaro.org, david@kernel.org, walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com, brueckner@linux.ibm.com, jdaley@linux.ibm.com
Subject: [PATCH v9 06/30] s390x/diag: Refactor address validation check from diag308_parm_check
Date: Thu, 5 Mar 2026 17:41:21 -0500
Message-ID: <20260305224146.664053-7-zycai@linux.ibm.com>
In-Reply-To: <20260305224146.664053-1-zycai@linux.ibm.com>
References: <20260305224146.664053-1-zycai@linux.ibm.com>

Create a function to validate the address parameter of DIAGNOSE. Refactor the function for reuse in the next patch, which allows address validation in read or write operation of DIAGNOSE.

Signed-off-by: Zhuoying Cai
Reviewed-by: Farhan Ali
Reviewed-by: Collin Walling
Reviewed-by: Hendrik Brueckner
Reviewed-by: Thomas Huth
---
 target/s390x/diag.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/target/s390x/diag.c b/target/s390x/diag.c index 6373544bb2..8ab40437a2 100644 --- a/target/s390x/diag.c +++ b/target/s390x/diag.c @@ -26,6 +26,12 @@ #include "qemu/error-report.h" =20 =20 +static inline bool diag_parm_addr_valid(uint64_t addr, size_t size, bool w= rite) +{ + return address_space_access_valid(&address_space_memory, addr, + size, write, MEMTXATTRS_UNSPECIFIED); +} + int handle_diag_288(CPUS390XState *env, uint64_t r1, uint64_t r3) { uint64_t func =3D env->regs[r1]; 
@@ -65,9 +71,7 @@ static int diag308_parm_check(CPUS390XState *env, uint64_= t r1, uint64_t addr, s390_program_interrupt(env, PGM_SPECIFICATION, ra); return -1; } - if (!address_space_access_valid(&address_space_memory, addr, - sizeof(IplParameterBlock), write, - MEMTXATTRS_UNSPECIFIED)) { + if (!diag_parm_addr_valid(addr, sizeof(IplParameterBlock), write)) { s390_program_interrupt(env, PGM_ADDRESSING, ra); return -1; } --=20 2.53.0
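Review bot: diag_parm_addr_valid() in the first target/s390x/diag.c hunk needs a comment stating which kind of address it checks. It hardcodes address_space_memory and MEMTXATTRS_UNSPECIFIED, so it validates addr as a guest absolute address, and since the commit message announces reuse by other DIAGNOSE handlers, nothing in the name or signature stops a caller from passing a logical address that is later accessed through a translating helper. "static inline" is also unnecessary for a file-local helper in a .c file; plain static is enough.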
From: Zhuoying Cai
To: thuth@redhat.com, berrange@redhat.com, jrossi@linux.ibm.com, qemu-s390x@nongnu.org, qemu-devel@nongnu.org
Cc: richard.henderson@linaro.org, pierrick.bouvier@linaro.org, david@kernel.org, walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com, brueckner@linux.ibm.com, jdaley@linux.ibm.com
Subject: [PATCH v9 07/30] s390x/diag: Implement DIAG 320 subcode 1
Date: Thu, 5 Mar 2026 17:41:22 -0500
Message-ID: <20260305224146.664053-8-zycai@linux.ibm.com>
In-Reply-To: <20260305224146.664053-1-zycai@linux.ibm.com>
References: <20260305224146.664053-1-zycai@linux.ibm.com>

DIAG 320 subcode 1 provides information needed to determine the amount of storage to store one or more certificates from the certificate store. Upon successful completion, this subcode returns information of the current cert store, such as the number of certificates stored and allowed in the cert store, amount of space that may need to be allocated to store a certificate, etc. for verification-certificate blocks (VCBs).
The subcode value is denoted by setting the left-most bit of an 8-byte field. The verification-certificate-storage-size block (VCSSB) contains the output data when the operation completes successfully. A VCSSB length of 4 indicates that no certificates are available in the cert store. Signed-off-by: Zhuoying Cai Reviewed-by: Farhan Ali Reviewed-by: Collin Walling --- docs/specs/s390x-secure-ipl.rst | 12 +++++++ include/hw/s390x/ipl/diag320.h | 22 ++++++++++++ target/s390x/diag.c | 63 ++++++++++++++++++++++++++++++++- 3 files changed, 96 insertions(+), 1 deletion(-) diff --git a/docs/specs/s390x-secure-ipl.rst b/docs/specs/s390x-secure-ipl.= rst index 96a8d0fb83..52661fab00 100644 --- a/docs/specs/s390x-secure-ipl.rst +++ b/docs/specs/s390x-secure-ipl.rst @@ -26,3 +26,15 @@ Subcode 0 - query installed subcodes Returns a 256-bit installed subcodes mask (ISM) stored in the installed subcodes block (ISB). This mask indicates which subcodes are currently installed and available for use. + +Subcode 1 - query verification certificate storage information + Provides the information required to determine the amount of memory ne= eded + to store one or more verification-certificates (VCs) from the certific= ate + store (CS). + + Upon successful completion, this subcode returns various storage size = values + for verification-certificate blocks (VCBs). + + The output is returned in the verification-certificate-storage-size bl= ock + (VCSSB). A VCSSB length of 4 indicates that no certificates are availa= ble + in the CS. diff --git a/include/hw/s390x/ipl/diag320.h b/include/hw/s390x/ipl/diag320.h index aa04b699c6..6e4779c699 100644 --- a/include/hw/s390x/ipl/diag320.h +++ b/include/hw/s390x/ipl/diag320.h 
@@ -11,10 +11,32 @@ #define S390X_DIAG320_H =20 #define DIAG_320_SUBC_QUERY_ISM 0 +#define DIAG_320_SUBC_QUERY_VCSI 1 =20 #define DIAG_320_RC_OK 0x0001 #define DIAG_320_RC_NOT_SUPPORTED 0x0102 +#define DIAG_320_RC_INVAL_VCSSB_LEN 0x0202 =20 #define DIAG_320_ISM_QUERY_SUBCODES 0x80000000 +#define DIAG_320_ISM_QUERY_VCSI 0x40000000 + +#define VCSSB_NO_VC 4 +#define VCSSB_MIN_LEN 128 +#define VCE_HEADER_LEN 128 +#define VCB_HEADER_LEN 64 + +struct VCStorageSizeBlock { + uint32_t length; + uint8_t reserved0[3]; + uint8_t version; + uint32_t reserved1[6]; + uint16_t total_vc_ct; + uint16_t max_vc_ct; + uint32_t reserved3[11]; + uint32_t max_single_vcb_len; + uint32_t total_vcb_len; + uint32_t reserved4[10]; +}; +typedef struct VCStorageSizeBlock VCStorageSizeBlock; =20 #endif diff --git a/target/s390x/diag.c b/target/s390x/diag.c index 8ab40437a2..c44624e1e6 100644 --- a/target/s390x/diag.c +++ b/target/s390x/diag.c 
@@ -198,11 +198,54 @@ out: } } =20 +static int handle_diag320_query_vcsi(S390CPU *cpu, uint64_t addr, uint64_t= r1, + uintptr_t ra, S390IPLCertificateStore= *cs) +{ + g_autofree VCStorageSizeBlock *vcssb =3D NULL; + + vcssb =3D g_new0(VCStorageSizeBlock, 1); + if (s390_cpu_virt_mem_read(cpu, addr, r1, vcssb, sizeof(*vcssb))) { + s390_cpu_virt_mem_handle_exc(cpu, ra); + return -1; + } + + if (be32_to_cpu(vcssb->length) > sizeof(*vcssb)) { + return DIAG_320_RC_INVAL_VCSSB_LEN; + } + + if (be32_to_cpu(vcssb->length) < VCSSB_MIN_LEN) { + return DIAG_320_RC_INVAL_VCSSB_LEN; + } + + if (!cs->count) { + vcssb->length =3D cpu_to_be32(VCSSB_NO_VC); + } else { + vcssb->version =3D 0; + vcssb->total_vc_ct =3D cpu_to_be16(cs->count); + vcssb->max_vc_ct =3D cpu_to_be16(MAX_CERTIFICATES); + vcssb->max_single_vcb_len =3D cpu_to_be32(VCB_HEADER_LEN + VCE_HEA= DER_LEN + + cs->largest_cert_size); + vcssb->total_vcb_len =3D cpu_to_be32(VCB_HEADER_LEN + cs->count * = VCE_HEADER_LEN + + cs->total_bytes); + } + + if (s390_cpu_virt_mem_write(cpu, addr, r1, vcssb, be32_to_cpu(vcssb->l= ength))) { + s390_cpu_virt_mem_handle_exc(cpu, ra); + return -1; + } + return DIAG_320_RC_OK; +} + +QEMU_BUILD_BUG_MSG(sizeof(VCStorageSizeBlock) !=3D VCSSB_MIN_LEN, + "size of VCStorageSizeBlock is wrong"); + void handle_diag_320(CPUS390XState *env, uint64_t r1, uint64_t r3, uintptr= _t ra) { S390CPU *cpu =3D env_archcpu(env); + S390IPLCertificateStore *cs =3D s390_ipl_get_certificate_store(); uint64_t subcode =3D env->regs[r3]; uint64_t addr =3D env->regs[r1]; + int rc; =20 if (env->psw.mask & PSW_MASK_PSTATE) { s390_program_interrupt(env, PGM_PRIVILEGED, ra); 
@@ -224,7 +267,8 @@ void handle_diag_320(CPUS390XState *env, uint64_t r1, u= int64_t r3, uintptr_t ra) * but the current set of subcodes can fit within a single word * for now. */ - uint32_t ism_word0 =3D cpu_to_be32(DIAG_320_ISM_QUERY_SUBCODES); + uint32_t ism_word0 =3D cpu_to_be32(DIAG_320_ISM_QUERY_SUBCODES | + DIAG_320_ISM_QUERY_VCSI); =20 if (s390_cpu_virt_mem_write(cpu, addr, r1, &ism_word0, sizeof(ism_= word0))) { s390_cpu_virt_mem_handle_exc(cpu, ra); 
@@ -233,6 +277,23 @@ void handle_diag_320(CPUS390XState *env, uint64_t r1, = uint64_t r3, uintptr_t ra) =20 env->regs[r1 + 1] =3D DIAG_320_RC_OK; break; + case DIAG_320_SUBC_QUERY_VCSI: + if (addr & 0x7) { + s390_program_interrupt(env, PGM_SPECIFICATION, ra); + return; + } + + if (!diag_parm_addr_valid(addr, sizeof(VCStorageSizeBlock), true))= { + s390_program_interrupt(env, PGM_ADDRESSING, ra); + return; + } + + rc =3D handle_diag320_query_vcsi(cpu, addr, r1, ra, cs); + if (rc =3D=3D -1) { + return; + } + env->regs[r1 + 1] =3D rc; + break; default: env->regs[r1 + 1] =3D DIAG_320_RC_NOT_SUPPORTED; break; --=20 2.53.0
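Review bot: In the new DIAG_320_SUBC_QUERY_VCSI case, `rc == -1` is an in-band "exception already injected" sentinel that shares the return value with the DIAG_320_RC_* response codes written to `env->regs[r1 + 1]`. A short comment at the check, or a named constant for the sentinel, would make it clear that -1 never reaches the guest register. The `addr & 0x7` test would likewise read better with a comment naming the 8-byte alignment requirement it enforces.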
From: Zhuoying Cai
To: thuth@redhat.com, berrange@redhat.com, jrossi@linux.ibm.com, qemu-s390x@nongnu.org, qemu-devel@nongnu.org
Cc: richard.henderson@linaro.org, pierrick.bouvier@linaro.org, david@kernel.org, walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com, brueckner@linux.ibm.com, jdaley@linux.ibm.com
Subject: [PATCH v9 08/30] crypto/x509-utils: Add helper functions for DIAG 320 subcode 2
Date: Thu, 5 Mar 2026 17:41:23 -0500
Message-ID: <20260305224146.664053-9-zycai@linux.ibm.com>
X-Mailer: git-send-email 2.53.0
In-Reply-To: <20260305224146.664053-1-zycai@linux.ibm.com>
References: <20260305224146.664053-1-zycai@linux.ibm.com>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

Introduce new helper functions to extract certificate metadata:

qcrypto_x509_check_cert_times() - validates the certificate's validity period against the current time
qcrypto_x509_get_pk_algorithm() - returns the public key algorithm used in the certificate
qcrypto_x509_get_cert_key_id() - extracts the key ID from the certificate
qcrypto_x509_check_ecc_curve_p521() - determines whether the ECC public key algorithm uses the P-521 curve

These functions provide support for metadata extraction and validity checki= ng for X.509 certificates. Signed-off-by: Zhuoying Cai Reviewed-by: Farhan Ali --- crypto/x509-utils.c | 236 ++++++++++++++++++++++++++++++++++++ include/crypto/x509-utils.h | 51 ++++++++ 2 files changed, 287 insertions(+) diff --git a/crypto/x509-utils.c b/crypto/x509-utils.c index 2696d48155..906d5e5e87 100644 --- a/crypto/x509-utils.c +++ b/crypto/x509-utils.c @@ -27,6 +27,16 @@ static const int qcrypto_to_gnutls_hash_alg_map[QCRYPTO_= HASH_ALGO__MAX] =3D { [QCRYPTO_HASH_ALGO_RIPEMD160] =3D GNUTLS_DIG_RMD160, }; =20 +static const int qcrypto_to_gnutls_keyid_flags_map[] =3D { + [QCRYPTO_HASH_ALGO_MD5] =3D -1, + [QCRYPTO_HASH_ALGO_SHA1] =3D GNUTLS_KEYID_USE_SHA1, + [QCRYPTO_HASH_ALGO_SHA224] =3D -1, + [QCRYPTO_HASH_ALGO_SHA256] =3D GNUTLS_KEYID_USE_SHA256, + [QCRYPTO_HASH_ALGO_SHA384] =3D -1, + [QCRYPTO_HASH_ALGO_SHA512] =3D GNUTLS_KEYID_USE_SHA512, + [QCRYPTO_HASH_ALGO_RIPEMD160] =3D -1, +}; + int qcrypto_get_x509_cert_fingerprint(uint8_t *cert, size_t size, QCryptoHashAlgo alg, uint8_t *result, 
@@ -121,6 +131,210 @@ cleanup: return ret; } =20 +int qcrypto_x509_check_cert_times(uint8_t *cert, size_t size, Error **errp) +{ + int rc; + int ret =3D -1; + gnutls_x509_crt_t crt; + gnutls_datum_t datum =3D {.data =3D cert, .size =3D size}; + time_t now =3D time(NULL); + time_t exp_time; + time_t act_time; + + if (now =3D=3D ((time_t)-1)) { + error_setg_errno(errp, errno, "Cannot get current time"); + return ret; + } + + rc =3D gnutls_x509_crt_init(&crt); + if (rc < 0) { + error_setg(errp, "Failed to initialize certificate: %s", gnutls_st= rerror(rc)); + return ret; + } + + rc =3D gnutls_x509_crt_import(crt, &datum, GNUTLS_X509_FMT_PEM); + if (rc !=3D 0) { + error_setg(errp, "Failed to import certificate: %s", gnutls_strerr= or(rc)); + goto cleanup; + } + + exp_time =3D gnutls_x509_crt_get_expiration_time(crt); + if (exp_time =3D=3D ((time_t)-1)) { + error_setg(errp, "Failed to get certificate expiration time"); + goto cleanup; + } + if (exp_time < now) { + error_setg(errp, "The certificate has expired"); + goto cleanup; + } + + act_time =3D gnutls_x509_crt_get_activation_time(crt); + if (act_time =3D=3D ((time_t)-1)) { + error_setg(errp, "Failed to get certificate activation time"); + goto cleanup; + } + if (act_time > now) { + error_setg(errp, "The certificate is not yet active"); + goto cleanup; + } + + ret =3D 0; + +cleanup: + gnutls_x509_crt_deinit(crt); + return ret; +} + +static int qcrypto_x509_get_pk_algorithm(uint8_t *cert, size_t size, Error= **errp) +{ + int rc; + int ret =3D -1; + unsigned int bits; + gnutls_x509_crt_t crt; + gnutls_datum_t datum =3D {.data =3D cert, .size =3D size}; + + rc =3D gnutls_x509_crt_init(&crt); + if (rc < 0) { + error_setg(errp, "Failed to initialize certificate: %s", gnutls_st= rerror(rc)); + return ret; + } + + rc =3D gnutls_x509_crt_import(crt, &datum, GNUTLS_X509_FMT_PEM); + if (rc !=3D 0) { + error_setg(errp, "Failed to import certificate: %s", gnutls_strerr= or(rc)); + goto cleanup; + } + + rc =3D 
gnutls_x509_crt_get_pk_algorithm(crt, &bits); + if (rc < 0) { + error_setg(errp, "Unknown public key algorithm %d", rc); + goto cleanup; + } + + ret =3D rc; + +cleanup: + gnutls_x509_crt_deinit(crt); + return ret; +} + +int qcrypto_x509_get_cert_key_id(uint8_t *cert, size_t size, + QCryptoHashAlgo hash_alg, + uint8_t **result, + size_t *resultlen, + Error **errp) +{ + int rc; + int ret =3D -1; + gnutls_x509_crt_t crt; + gnutls_datum_t datum =3D {.data =3D cert, .size =3D size}; + + if (hash_alg >=3D G_N_ELEMENTS(qcrypto_to_gnutls_hash_alg_map)) { + error_setg(errp, "Unknown hash algorithm %d", hash_alg); + return ret; + } + + if (hash_alg >=3D G_N_ELEMENTS(qcrypto_to_gnutls_keyid_flags_map) || + qcrypto_to_gnutls_keyid_flags_map[hash_alg] =3D=3D -1) { + error_setg(errp, "Unsupported key id flag %d", hash_alg); + return ret; + } + + rc =3D gnutls_x509_crt_init(&crt); + if (rc < 0) { + error_setg(errp, "Failed to initialize certificate: %s", gnutls_st= rerror(rc)); + return ret; + } + + rc =3D gnutls_x509_crt_import(crt, &datum, GNUTLS_X509_FMT_PEM); + if (rc !=3D 0) { + error_setg(errp, "Failed to import certificate: %s", gnutls_strerr= or(rc)); + goto cleanup; + } + + *resultlen =3D gnutls_hash_get_len(qcrypto_to_gnutls_hash_alg_map[hash= _alg]); + if (*resultlen =3D=3D 0) { + error_setg(errp, "Failed to get hash algorithn length: %s", gnutls= _strerror(rc)); + goto cleanup; + } + + *result =3D g_malloc0(*resultlen); + if (gnutls_x509_crt_get_key_id(crt, + qcrypto_to_gnutls_keyid_flags_map[hash_= alg], + *result, resultlen) !=3D 0) { + error_setg(errp, "Failed to get key ID from certificate"); + g_clear_pointer(result, g_free); + goto cleanup; + } + + ret =3D 0; + +cleanup: + gnutls_x509_crt_deinit(crt); + return ret; +} + +static int qcrypto_x509_get_ecc_curve(uint8_t *cert, size_t size, Error **= errp) +{ + int rc; + int ret =3D -1; + gnutls_x509_crt_t crt; + gnutls_datum_t datum =3D {.data =3D cert, .size =3D size}; + gnutls_ecc_curve_t curve_id; + 
gnutls_datum_t x =3D {.data =3D NULL, .size =3D 0}; + gnutls_datum_t y =3D {.data =3D NULL, .size =3D 0}; + + rc =3D gnutls_x509_crt_init(&crt); + if (rc < 0) { + error_setg(errp, "Failed to initialize certificate: %s", gnutls_st= rerror(rc)); + return ret; + } + + rc =3D gnutls_x509_crt_import(crt, &datum, GNUTLS_X509_FMT_PEM); + if (rc !=3D 0) { + error_setg(errp, "Failed to import certificate: %s", gnutls_strerr= or(rc)); + goto cleanup; + } + + rc =3D gnutls_x509_crt_get_pk_ecc_raw(crt, &curve_id, &x, &y); + if (rc !=3D 0) { + error_setg(errp, "Failed to get ECC public key curve: %s", gnutls_= strerror(rc)); + goto cleanup; + } + + ret =3D curve_id; + +cleanup: + gnutls_x509_crt_deinit(crt); + gnutls_free(x.data); + gnutls_free(y.data); + return ret; +} + +int qcrypto_x509_check_ecc_curve_p521(uint8_t *cert, size_t size, Error **= errp) +{ + int algo; + int curve_id; + + algo =3D qcrypto_x509_get_pk_algorithm(cert, size, errp); + if (algo !=3D GNUTLS_PK_ECDSA) { + return 0; + } + + curve_id =3D qcrypto_x509_get_ecc_curve(cert, size, errp); + if (curve_id =3D=3D -1) { + error_setg(errp, "Failed to get ECC curve"); + return -1; + } + + if (curve_id =3D=3D GNUTLS_ECC_CURVE_INVALID) { + error_setg(errp, "Invalid ECC curve"); + return -1; + } + + return curve_id =3D=3D GNUTLS_ECC_CURVE_SECP521R1; +} + #else /* ! CONFIG_GNUTLS */ =20 int qcrypto_get_x509_cert_fingerprint(uint8_t *cert, size_t size, 
@@ -142,4 +356,26 @@ int qcrypto_x509_convert_cert_der(uint8_t *cert, size_= t size, return -1; } =20 +int qcrypto_x509_check_cert_times(uint8_t *cert, size_t size, Error **errp) +{ + error_setg(errp, "GNUTLS is required to get certificate times"); + return -1; +} + +int qcrypto_x509_get_cert_key_id(uint8_t *cert, size_t size, + QCryptoHashAlgo hash_alg, + uint8_t **result, + size_t *resultlen, + Error **errp) +{ + error_setg(errp, "GNUTLS is required to get key ID"); + return -1; +} + +int qcrypto_x509_check_ecc_curve_p521(uint8_t *cert, size_t size, Error **= errp) +{ + error_setg(errp, "GNUTLS is required to determine ecc curve"); + return -1; +} + #endif /* ! CONFIG_GNUTLS */ diff --git a/include/crypto/x509-utils.h b/include/crypto/x509-utils.h index 91ae79fb03..6040894a46 100644 --- a/include/crypto/x509-utils.h +++ b/include/crypto/x509-utils.h 
@@ -40,4 +40,55 @@ int qcrypto_x509_convert_cert_der(uint8_t *cert, size_t = size, size_t *resultlen, Error **errp); =20 +/** + * qcrypto_x509_check_cert_times + * @cert: pointer to the raw certificate data + * @size: size of the certificate + * @errp: error pointer + * + * Check whether the activation and expiration times of @cert + * are valid at the current time. + * + * Returns: 0 if the certificate times are valid, + * -1 on error. + */ +int qcrypto_x509_check_cert_times(uint8_t *cert, size_t size, Error **errp= ); + +/** + * qcrypto_x509_get_cert_key_id + * @cert: pointer to the raw certificate data + * @size: size of the certificate + * @hash_alg: the hash algorithm flag + * @result: output location for the allocated buffer for key ID + * (the function allocates memory which must be freed by the call= er) + * @resultlen: pointer to the size of the buffer + * (will be updated with the actual size of key id) + * @errp: error pointer + * + * Retrieve the key ID from the @cert based on the specified @flag. + * + * Returns: 0 if key ID was successfully stored in @result, + * -1 on error. + */ +int qcrypto_x509_get_cert_key_id(uint8_t *cert, size_t size, + QCryptoHashAlgo hash_alg, + uint8_t **result, + size_t *resultlen, + Error **errp); + +/** + * qcrypto_x509_check_ecc_curve_p521 + * @cert: pointer to the raw certificate data + * @size: size of the certificate + * @errp: error pointer + * + * Determine whether the ECC public key in the given certificate uses the = P-521 + * curve. + * + * Returns: 0 if ECC public key does not use P521 curve. + * 1 if ECC public key uses P521 curve. + * -1 on error. 
+ */ +int qcrypto_x509_check_ecc_curve_p521(uint8_t *cert, size_t size, Error **= errp); + #endif --=20 2.53.0
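Review bot: In the first crypto/x509-utils.c hunk of patch 08, `qcrypto_to_gnutls_keyid_flags_map` is declared without a size, unlike `qcrypto_to_gnutls_hash_alg_map[QCRYPTO_HASH_ALGO__MAX]` just above it, and it encodes "unsupported" as an explicit -1. Rejection of a QCryptoHashAlgo value that has no initializer here therefore depends on the G_N_ELEMENTS bound rather than on the -1 marker, and any gap in the designated initializers would be zero-initialized and pass the `== -1` test in qcrypto_x509_get_cert_key_id(). A `switch` over the three supported algorithms, or a comment stating that every enum value needs an entry, would make this robust.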
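Review bot: In qcrypto_x509_check_ecc_curve_p521() (the large crypto/x509-utils.c hunk of patch 08), a failure from qcrypto_x509_get_pk_algorithm() returns -1 with errp set, but the `algo != GNUTLS_PK_ECDSA` test then returns 0, so the caller sees "not P-521" together with a pending error it has no reason to report or free. Check `algo < 0` first and return -1. The `curve_id == -1` branch has the opposite problem: qcrypto_x509_get_ecc_curve() has already set errp on that path, and a second error_setg() on an errp that is already set trips the assertion in the error API, so just return -1 there. Separately, in qcrypto_x509_get_cert_key_id() the zero-length message passes `gnutls_strerror(rc)` while rc still holds the successful import result and misspells "algorithm", and the return code of gnutls_x509_crt_get_key_id() is dropped from its error message.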
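Review bot: The doc comment for qcrypto_x509_get_cert_key_id() in the include/crypto/x509-utils.h hunk of patch 08 refers to "@flag", which is not a parameter (the argument is @hash_alg), and describes @resultlen as the size of a buffer to be updated, although the implementation overwrites the incoming value and allocates @result itself. The comment for qcrypto_x509_check_cert_times() should say that an expired or not-yet-active certificate is reported as -1 with @errp set. All three comments say "raw certificate data" while the implementations import with GNUTLS_X509_FMT_PEM only, so naming the expected encoding would keep a caller from passing DER.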
From: Zhuoying Cai
To: thuth@redhat.com, berrange@redhat.com, jrossi@linux.ibm.com, qemu-s390x@nongnu.org, qemu-devel@nongnu.org
Cc: richard.henderson@linaro.org, pierrick.bouvier@linaro.org, david@kernel.org, walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com, brueckner@linux.ibm.com, jdaley@linux.ibm.com
Subject: [PATCH v9 09/30] s390x/diag: Implement DIAG 320 subcode 2
Date: Thu, 5 Mar 2026 17:41:24 -0500
Message-ID: <20260305224146.664053-10-zycai@linux.ibm.com>
X-Mailer: git-send-email 2.53.0
In-Reply-To: <20260305224146.664053-1-zycai@linux.ibm.com>
References: <20260305224146.664053-1-zycai@linux.ibm.com>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

DIAG 320 subcode 2 provides verification-certificates (VCs) that are in the certificate store. Only X509 certificates in DER format and SHA-256 hash type are recognized. The subcode value is denoted by setting the second-left-most bit of an 8-byte field. The Verification Certificate Block (VCB) contains the output data when the operation completes successfully.
It includes a common header followed by zero or more Verification Certificate Entries (VCEs), depending on the VCB input length and the VC range (from the first VC index to the last VC index) in the certificate store. Each VCE contains information about a certificate retrieved from the S390IPLCertificateStore, such as the certificate name, key type, key ID length, hash length, and the raw certificate data. The key ID and hash are extracted from the raw certificate by the crypto AP= I. Note: SHA2-256 VC hash type is required for retrieving the hash (fingerprint) of the certificate. Signed-off-by: Zhuoying Cai --- docs/specs/s390x-secure-ipl.rst | 22 ++ hw/s390x/cert-store.h | 3 +- include/hw/s390x/ipl/diag320.h | 55 +++++ target/s390x/diag.c | 343 +++++++++++++++++++++++++++++++- 4 files changed, 420 insertions(+), 3 deletions(-) diff --git a/docs/specs/s390x-secure-ipl.rst b/docs/specs/s390x-secure-ipl.= rst index 52661fab00..708253ac91 100644 --- a/docs/specs/s390x-secure-ipl.rst +++ b/docs/specs/s390x-secure-ipl.rst 
@@ -38,3 +38,25 @@ Subcode 1 - query verification certificate storage infor= mation The output is returned in the verification-certificate-storage-size bl= ock (VCSSB). A VCSSB length of 4 indicates that no certificates are availa= ble in the CS. + +Subcode 2 - store verification certificates + Provides VCs that are in the certificate store. + + The output is provided in a VCB, which includes a common header follow= ed by + zero or more verification-certificate entries (VCEs). + + The instruction expects the cert store to + maintain an origin of 1 for the index (i.e. a retrieval of the first + certificate in the store should be denoted by setting first-VC to 1). + + The first-VC index and last-VC index fields of VCB specify the range o= f VCs + to be stored by subcode 2. Stored count and remained count fields spec= ify + the number of VCs stored and could not be stored in the VCB due to + insufficient storage specified in the VCB input length field. + + Each VCE contains a header followed by information extracted from a + certificate within the certificate store. The information includes: + key-id, hash, and certificate data. This information is stored + contiguously in a VCE (with zero-padding). Following the header, the + key-id is immediately stored. The hash and certificate data follow and + may be accessed via the respective offset fields stored in the VCE. diff --git a/hw/s390x/cert-store.h b/hw/s390x/cert-store.h index 7fc9503cb9..6f5ee63177 100644 --- a/hw/s390x/cert-store.h +++ b/hw/s390x/cert-store.h @@ -11,10 +11,9 @@ #define HW_S390_CERT_STORE_H =20 #include "hw/s390x/ipl/qipl.h" +#include "hw/s390x/ipl/diag320.h" #include "crypto/x509-utils.h" =20 -#define CERT_NAME_MAX_LEN 64 - #define CERT_KEY_ID_LEN QCRYPTO_HASH_DIGEST_LEN_SHA256 #define CERT_HASH_LEN QCRYPTO_HASH_DIGEST_LEN_SHA256 =20 diff --git a/include/hw/s390x/ipl/diag320.h b/include/hw/s390x/ipl/diag320.h index 6e4779c699..bfd6385b40 100644 --- a/include/hw/s390x/ipl/diag320.h 
+++ b/include/hw/s390x/ipl/diag320.h @@ -12,19 +12,37 @@ =20 #define DIAG_320_SUBC_QUERY_ISM 0 #define DIAG_320_SUBC_QUERY_VCSI 1 +#define DIAG_320_SUBC_STORE_VC 2 =20 #define DIAG_320_RC_OK 0x0001 #define DIAG_320_RC_NOT_SUPPORTED 0x0102 #define DIAG_320_RC_INVAL_VCSSB_LEN 0x0202 +#define DIAG_320_RC_INVAL_VCB_LEN 0x0204 +#define DIAG_320_RC_BAD_RANGE 0x0302 =20 #define DIAG_320_ISM_QUERY_SUBCODES 0x80000000 #define DIAG_320_ISM_QUERY_VCSI 0x40000000 +#define DIAG_320_ISM_STORE_VC 0x20000000 =20 #define VCSSB_NO_VC 4 #define VCSSB_MIN_LEN 128 #define VCE_HEADER_LEN 128 +/* + * If the VCE flags indicate an invalid certificate, + * the VCE length is set to 72, containing only the + * first five fields of VCEntry. + */ +#define VCE_INVALID_LEN 72 #define VCB_HEADER_LEN 64 =20 +#define CERT_NAME_MAX_LEN 64 + +#define DIAG_320_VCE_FLAGS_VALID 0x80 +#define DIAG_320_VCE_KEYTYPE_SELF_DESCRIBING 0 +#define DIAG_320_VCE_KEYTYPE_ECDSA_P521 1 +#define DIAG_320_VCE_FORMAT_X509_DER 1 +#define DIAG_320_VCE_HASHTYPE_SHA2_256 1 + struct VCStorageSizeBlock { uint32_t length; uint8_t reserved0[3]; @@ -39,4 +57,41 @@ struct VCStorageSizeBlock { }; typedef struct VCStorageSizeBlock VCStorageSizeBlock; =20 +struct VCBlock { + uint32_t in_len; + uint32_t reserved0; + uint16_t first_vc_index; + uint16_t last_vc_index; + uint32_t reserved1[5]; + uint32_t out_len; + uint8_t reserved2[4]; + uint16_t stored_ct; + uint16_t remain_ct; + uint32_t reserved3[5]; + uint8_t vce_buf[]; +}; +typedef struct VCBlock VCBlock; + +struct VCEntry { + uint32_t len; + uint8_t flags; + uint8_t key_type; + uint16_t cert_idx; + uint8_t name[CERT_NAME_MAX_LEN]; + uint8_t format; + uint8_t reserved0; + uint16_t keyid_len; + uint8_t reserved1; + uint8_t hash_type; + uint16_t hash_len; + uint32_t reserved2; + uint32_t cert_len; + uint32_t reserved3[2]; + uint16_t hash_offset; + uint16_t cert_offset; + uint32_t reserved4[7]; + uint8_t cert_buf[]; +}; +typedef struct VCEntry VCEntry; + #endif 
diff --git a/target/s390x/diag.c b/target/s390x/diag.c index c44624e1e6..5326522fda 100644 --- a/target/s390x/diag.c +++ b/target/s390x/diag.c @@ -17,13 +17,16 @@ #include "s390x-internal.h" #include "hw/watchdog/wdt_diag288.h" #include "system/cpus.h" +#include "hw/s390x/cert-store.h" #include "hw/s390x/ipl.h" #include "hw/s390x/ipl/diag320.h" #include "hw/s390x/s390-virtio-ccw.h" #include "system/kvm.h" #include "kvm/kvm_s390x.h" #include "target/s390x/kvm/pv.h" +#include "qapi/error.h" #include "qemu/error-report.h" +#include "crypto/x509-utils.h" =20 =20 static inline bool diag_parm_addr_valid(uint64_t addr, size_t size, bool w= rite) 
@@ -236,8 +239,333 @@ static int handle_diag320_query_vcsi(S390CPU *cpu, ui= nt64_t addr, uint64_t r1, return DIAG_320_RC_OK; } =20 +static bool is_cert_valid(const S390IPLCertificate *cert) +{ + int rc; + Error *err =3D NULL; + + rc =3D qcrypto_x509_check_cert_times(cert->raw, cert->size, &err); + if (rc !=3D 0) { + error_report_err(err); + return false; + } + + return true; +} + +static int handle_key_id(VCEntry *vce, const S390IPLCertificate *cert) +{ + int rc; + g_autofree unsigned char *key_id_data =3D NULL; + size_t key_id_len; + Error *err =3D NULL; + + rc =3D qcrypto_x509_get_cert_key_id(cert->raw, cert->size, + QCRYPTO_HASH_ALGO_SHA256, + &key_id_data, &key_id_len, &err); + if (rc < 0) { + error_report_err(err); + return -1; + } + + if (VCE_HEADER_LEN + key_id_len > be32_to_cpu(vce->len)) { + error_report("Unable to write key ID: exceeds buffer bounds"); + return -1; + } + + vce->keyid_len =3D cpu_to_be16(key_id_len); + + memcpy(vce->cert_buf, key_id_data, key_id_len); + + return 0; +} + +static int handle_hash(VCEntry *vce, const S390IPLCertificate *cert, + uint16_t keyid_field_len) +{ + int rc; + uint16_t hash_offset; + g_autofree void *hash_data =3D NULL; + size_t hash_len; + Error *err =3D NULL; + + hash_len =3D CERT_HASH_LEN; + hash_data =3D g_malloc0(hash_len); + rc =3D qcrypto_get_x509_cert_fingerprint(cert->raw, cert->size, + QCRYPTO_HASH_ALGO_SHA256, + hash_data, &hash_len, &err); + if (rc < 0) { + error_report_err(err); + return -1; + } + + hash_offset =3D VCE_HEADER_LEN + keyid_field_len; + if (hash_offset + hash_len > be32_to_cpu(vce->len)) { + error_report("Unable to write hash: exceeds buffer bounds"); + return -1; + } + + vce->hash_len =3D cpu_to_be16(hash_len); + vce->hash_type =3D DIAG_320_VCE_HASHTYPE_SHA2_256; + vce->hash_offset =3D cpu_to_be16(hash_offset); + + memcpy((uint8_t *)vce + hash_offset, hash_data, hash_len); + + return 0; +} + +static int handle_cert(VCEntry *vce, const S390IPLCertificate *cert, + uint16_t hash_field_len) +{ 
+ int rc; + uint16_t cert_offset; + g_autofree uint8_t *cert_der =3D NULL; + size_t der_size; + Error *err =3D NULL; + + rc =3D qcrypto_x509_convert_cert_der(cert->raw, cert->size, + &cert_der, &der_size, &err); + if (rc < 0) { + error_report_err(err); + return -1; + } + + cert_offset =3D be16_to_cpu(vce->hash_offset) + hash_field_len; + if (cert_offset + der_size > be32_to_cpu(vce->len)) { + error_report("Unable to write certificate: exceeds buffer bounds"); + return -1; + } + + vce->format =3D DIAG_320_VCE_FORMAT_X509_DER; + vce->cert_len =3D cpu_to_be32(der_size); + vce->cert_offset =3D cpu_to_be16(cert_offset); + + memcpy((uint8_t *)vce + cert_offset, cert_der, der_size); + + return 0; +} + +static int get_key_type(const S390IPLCertificate *cert) +{ + int rc; + Error *err =3D NULL; + + rc =3D qcrypto_x509_check_ecc_curve_p521(cert->raw, cert->size, &err); + if (rc =3D=3D -1) { + error_report_err(err); + return -1; + } + + return (rc =3D=3D 1) ? DIAG_320_VCE_KEYTYPE_ECDSA_P521 : + DIAG_320_VCE_KEYTYPE_SELF_DESCRIBING; +} + +static int build_vce_header(VCEntry *vce, const S390IPLCertificate *cert, = int idx) +{ + int key_type; + + vce->len =3D cpu_to_be32(VCE_HEADER_LEN); + vce->cert_idx =3D cpu_to_be16(idx + 1); + memcpy(vce->name, cert->name, CERT_NAME_MAX_LEN); + + key_type =3D get_key_type(cert); + if (key_type =3D=3D -1) { + return -1; + } + vce->key_type =3D key_type; + + return 0; +} + +static int build_vce_data(VCEntry *vce, const S390IPLCertificate *cert) +{ + uint16_t keyid_field_len; + uint16_t hash_field_len; + uint32_t cert_field_len; + uint32_t vce_len; + int rc; + + rc =3D handle_key_id(vce, cert); + if (rc) { + return -1; + } + keyid_field_len =3D ROUND_UP(be16_to_cpu(vce->keyid_len), 4); + + rc =3D handle_hash(vce, cert, keyid_field_len); + if (rc) { + return -1; + } + hash_field_len =3D ROUND_UP(be16_to_cpu(vce->hash_len), 4); + + rc =3D handle_cert(vce, cert, hash_field_len); + if (rc || !is_cert_valid(cert)) { + return -1; + } + cert_field_len 
=3D ROUND_UP(be32_to_cpu(vce->cert_len), 4); + + vce_len =3D VCE_HEADER_LEN + keyid_field_len + hash_field_len + cert_f= ield_len; + if (vce_len > be32_to_cpu(vce->len)) { + return -1; + } + + vce->flags |=3D DIAG_320_VCE_FLAGS_VALID; + + /* Update vce length to reflect the actual size used by vce */ + vce->len =3D cpu_to_be32(vce_len); + + return 0; +} + +static VCEntry *diag_320_build_vce(const S390IPLCertificate *cert, int idx) +{ + g_autofree VCEntry *vce =3D NULL; + uint32_t vce_max_size; + int rc; + + /* + * Each field of the VCE is word-aligned. + * Allocate enough space for the largest possible size for this VCE. + * As the certificate fields (key-id, hash, data) are parsed, the + * VCE's length field will be updated accordingly. + */ + vce_max_size =3D VCE_HEADER_LEN + + ROUND_UP(CERT_KEY_ID_LEN, 4) + + ROUND_UP(CERT_HASH_LEN, 4) + + ROUND_UP(cert->der_size, 4); + + vce =3D g_malloc0(vce_max_size); + rc =3D build_vce_header(vce, cert, idx); + if (rc) { + /* + * Error occurs - VCE does not contain a valid certificate. + * Bit 0 of the VCE flags is 0 and the VCE length is set. 
+ */ + vce->len =3D cpu_to_be32(VCE_INVALID_LEN); + goto out; + } + + vce->len =3D cpu_to_be32(vce_max_size); + rc =3D build_vce_data(vce, cert); + if (rc) { + vce->len =3D cpu_to_be32(VCE_INVALID_LEN); + } + +out: + return g_steal_pointer(&vce); +} + +static int handle_diag320_store_vc(S390CPU *cpu, uint64_t addr, uint64_t r= 1, uintptr_t ra, + S390IPLCertificateStore *cs) +{ + g_autofree VCBlock *vcb =3D NULL; + size_t entry_offset; + size_t remaining_space; + uint32_t vce_len; + uint16_t first_vc_index; + uint16_t last_vc_index; + int cs_start_index; + int cs_end_index; + uint32_t in_len; + + vcb =3D g_new0(VCBlock, 1); + if (s390_cpu_virt_mem_read(cpu, addr, r1, vcb, sizeof(*vcb))) { + s390_cpu_virt_mem_handle_exc(cpu, ra); + return -1; + } + + in_len =3D be32_to_cpu(vcb->in_len); + first_vc_index =3D be16_to_cpu(vcb->first_vc_index); + last_vc_index =3D be16_to_cpu(vcb->last_vc_index); + + if (in_len % TARGET_PAGE_SIZE !=3D 0) { + return DIAG_320_RC_INVAL_VCB_LEN; + } + + if (first_vc_index > last_vc_index) { + return DIAG_320_RC_BAD_RANGE; + } + + vcb->out_len =3D VCB_HEADER_LEN; + + /* + * DIAG 320 subcode 2 expects to query a certificate store that + * maintains an index origin of 1. However, the S390IPLCertificateStore + * maintains an index origin of 0. Thus, the indices must be adjusted + * for correct access into the cert store. A couple of special cases + * must also be accounted for. + */ + + /* Both indices are 0; return header with no certs */ + if (first_vc_index =3D=3D 0 && last_vc_index =3D=3D 0) { + goto out; + } + + /* Normalize indices */ + cs_start_index =3D (first_vc_index =3D=3D 0) ? 
0 : first_vc_index - 1; + cs_end_index =3D last_vc_index - 1; + + /* Requested range is outside the cert store; return header with no ce= rts */ + if (cs_start_index >=3D cs->count || cs_end_index >=3D cs->count) { + goto out; + } + + entry_offset =3D VCB_HEADER_LEN; + remaining_space =3D in_len - VCB_HEADER_LEN; + + for (int i =3D cs_start_index; i <=3D cs_end_index; i++) { + VCEntry *vce; + const S390IPLCertificate *cert =3D &cs->certs[i]; + + /* + * Bit 0 of the VCE flags indicates whether the certificate is val= id. + * The caller of DIAG320 subcode 2 is responsible for verifying th= at + * the VCE contains a valid certificate. + */ + vce =3D diag_320_build_vce(cert, i); + vce_len =3D be32_to_cpu(vce->len); + + /* + * If there is no more space to store the cert, + * set the remaining verification cert count and + * break early. + */ + if (remaining_space < vce_len) { + vcb->remain_ct =3D cpu_to_be16(last_vc_index - i); + g_free(vce); + break; + } + + /* Write VCE */ + if (s390_cpu_virt_mem_write(cpu, addr + entry_offset, r1, vce, vce= _len)) { + s390_cpu_virt_mem_handle_exc(cpu, ra); + g_free(vce); + return -1; + } + + entry_offset +=3D vce_len; + vcb->out_len +=3D vce_len; + remaining_space -=3D vce_len; + vcb->stored_ct++; + + g_free(vce); + } + vcb->stored_ct =3D cpu_to_be16(vcb->stored_ct); + +out: + vcb->out_len =3D cpu_to_be32(vcb->out_len); + + if (s390_cpu_virt_mem_write(cpu, addr, r1, vcb, VCB_HEADER_LEN)) { + s390_cpu_virt_mem_handle_exc(cpu, ra); + return -1; + } + + return DIAG_320_RC_OK; +} + QEMU_BUILD_BUG_MSG(sizeof(VCStorageSizeBlock) !=3D VCSSB_MIN_LEN, "size of VCStorageSizeBlock is wrong"); +QEMU_BUILD_BUG_MSG(sizeof(VCBlock) !=3D VCB_HEADER_LEN, "size of VCBlock i= s wrong"); +QEMU_BUILD_BUG_MSG(sizeof(VCEntry) !=3D VCE_HEADER_LEN, "size of VCEntry i= s wrong"); =20 void handle_diag_320(CPUS390XState *env, uint64_t r1, uint64_t r3, uintptr= _t ra) { 
@@ -268,7 +596,8 @@ void handle_diag_320(CPUS390XState *env, uint64_t r1, u= int64_t r3, uintptr_t ra) * for now. */ uint32_t ism_word0 =3D cpu_to_be32(DIAG_320_ISM_QUERY_SUBCODES | - DIAG_320_ISM_QUERY_VCSI); + DIAG_320_ISM_QUERY_VCSI | + DIAG_320_ISM_STORE_VC); =20 if (s390_cpu_virt_mem_write(cpu, addr, r1, &ism_word0, sizeof(ism_= word0))) { s390_cpu_virt_mem_handle_exc(cpu, ra); 
@@ -294,6 +623,18 @@ void handle_diag_320(CPUS390XState *env, uint64_t r1, = uint64_t r3, uintptr_t ra) } env->regs[r1 + 1] =3D rc; break; + case DIAG_320_SUBC_STORE_VC: + if (addr & ~TARGET_PAGE_MASK) { + s390_program_interrupt(env, PGM_SPECIFICATION, ra); + return; + } + + rc =3D handle_diag320_store_vc(cpu, addr, r1, ra, cs); + if (rc =3D=3D -1) { + return; + } + env->regs[r1 + 1] =3D rc; + break; default: env->regs[r1 + 1] =3D DIAG_320_RC_NOT_SUPPORTED; break; --=20 2.53.0
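Review bot: handle_diag320_store_vc() only rejects an in_len that is not a multiple of TARGET_PAGE_SIZE, so in_len == 0 passes and `remaining_space = in_len - VCB_HEADER_LEN` wraps around in size_t; the `remaining_space < vce_len` test then never stops the loop, and VCEs are written past the buffer length the guest declared. Please reject in_len < VCB_HEADER_LEN (DIAG_320_RC_INVAL_VCB_LEN looks like the right return code) before the subtraction. Separately, when build_vce_data() fails after handle_cert() has already run (for example on `!is_cert_valid(cert)`), diag_320_build_vce() resets only vce->len to VCE_INVALID_LEN, so format, cert_len and cert_offset stay populated in an entry whose valid flag is clear; clearing those fields on the error path would keep the invalid VCE self-consistent.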
From: Zhuoying Cai
To: thuth@redhat.com, berrange@redhat.com, jrossi@linux.ibm.com, qemu-s390x@nongnu.org, qemu-devel@nongnu.org
Cc: richard.henderson@linaro.org, pierrick.bouvier@linaro.org, david@kernel.org, walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com, brueckner@linux.ibm.com, jdaley@linux.ibm.com
Subject: [PATCH v9 10/30] s390x/diag: Introduce DIAG 508 for secure IPL operations
Date: Thu, 5 Mar 2026 17:41:25 -0500
Message-ID: <20260305224146.664053-11-zycai@linux.ibm.com>
In-Reply-To: <20260305224146.664053-1-zycai@linux.ibm.com>
References: <20260305224146.664053-1-zycai@linux.ibm.com>

From: Collin Walling

In order to support secure IPL (aka secure boot) for the s390-ccw BIOS, a new s390 DIAGNOSE instruction is introduced to leverage QEMU for handling operations such as signature verification and certificate retrieval. Currently, only subcode 0 is supported with this patch, which is used to query a bitmap of which subcodes are supported.

Signed-off-by: Collin Walling Reviewed-by: Farhan Ali Reviewed-by: Thomas Huth --- docs/specs/s390x-secure-ipl.rst | 18 ++++++++++++++++++ include/hw/s390x/ipl/diag508.h | 15 +++++++++++++++ target/s390x/diag.c | 27 +++++++++++++++++++++++++++ target/s390x/kvm/kvm.c | 14 ++++++++++++++ target/s390x/s390x-internal.h | 2 ++ target/s390x/tcg/misc_helper.c | 7 +++++++ 6 files changed, 83 insertions(+) create mode 100644 include/hw/s390x/ipl/diag508.h diff --git a/docs/specs/s390x-secure-ipl.rst b/docs/specs/s390x-secure-ipl.= rst index 708253ac91..9a3decef69 100644 --- a/docs/specs/s390x-secure-ipl.rst +++ b/docs/specs/s390x-secure-ipl.rst @@ -60,3 +60,21 @@ Subcode 2 - store verification certificates contiguously in a VCE (with zero-padding). Following the header, the key-id is immediately stored. The hash and certificate data follow and may be accessed via the respective offset fields stored in the VCE. + + +Secure IPL Data Structures, Facilities, and Functions +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D + +DIAGNOSE function code 'X'508' - IPL extensions +--------------------------------------------------- + +DIAGNOSE 'X'508' is reserved for guest use in order to facilitate communic= ation +of additional IPL operations that cannot be handled by guest code, such as +signature verification for secure IPL. + +If the function code specifies 0x508, IPL extension functions are performe= d. +These functions are meant to provide extended functionality for s390 guest= boot +that requires assistance from QEMU. + +Subcode 0 - query installed subcodes + Returns a 64-bit mask indicating which subcodes are supported. diff --git a/include/hw/s390x/ipl/diag508.h b/include/hw/s390x/ipl/diag508.h new file mode 100644 index 0000000000..6281ad8299 --- /dev/null +++ b/include/hw/s390x/ipl/diag508.h 
@@ -0,0 +1,15 @@ +/* + * S/390 DIAGNOSE 508 definitions and structures + * + * Copyright 2025 IBM Corp. + * Author(s): Collin Walling + * + * SPDX-License-Identifier: GPL-2.0-or-later + */ + +#ifndef S390X_DIAG508_H +#define S390X_DIAG508_H + +#define DIAG_508_SUBC_QUERY_SUBC 0x0000 + +#endif diff --git a/target/s390x/diag.c b/target/s390x/diag.c index 5326522fda..6d9bdee7e3 100644 --- a/target/s390x/diag.c +++ b/target/s390x/diag.c @@ -20,6 +20,7 @@ #include "hw/s390x/cert-store.h" #include "hw/s390x/ipl.h" #include "hw/s390x/ipl/diag320.h" +#include "hw/s390x/ipl/diag508.h" #include "hw/s390x/s390-virtio-ccw.h" #include "system/kvm.h" #include "kvm/kvm_s390x.h" @@ -640,3 +641,29 @@ void handle_diag_320(CPUS390XState *env, uint64_t r1, = uint64_t r3, uintptr_t ra) break; } } + +void handle_diag_508(CPUS390XState *env, uint64_t r1, uint64_t r3, uintptr= _t ra) +{ + uint64_t subcode =3D env->regs[r3]; + int rc; + + if (env->psw.mask & PSW_MASK_PSTATE) { + s390_program_interrupt(env, PGM_PRIVILEGED, ra); + return; + } + + if ((subcode & ~0x0ffffULL) || (r1 & 1)) { + s390_program_interrupt(env, PGM_SPECIFICATION, ra); + return; + } + + switch (subcode) { + case DIAG_508_SUBC_QUERY_SUBC: + rc =3D 0; + break; + default: + s390_program_interrupt(env, PGM_SPECIFICATION, ra); + return; + } + env->regs[r1 + 1] =3D rc; +} diff --git a/target/s390x/kvm/kvm.c b/target/s390x/kvm/kvm.c index fb7a99f380..cba431688b 100644 --- a/target/s390x/kvm/kvm.c +++ b/target/s390x/kvm/kvm.c @@ -101,6 +101,7 @@ #define DIAG_CERT_STORE 0x320 #define DIAG_KVM_HYPERCALL 0x500 #define DIAG_KVM_BREAKPOINT 0x501 +#define DIAG_SECURE_IPL 0x508 =20 #define ICPT_INSTRUCTION 0x04 #define ICPT_PROGRAM 0x08 
@@ -1571,6 +1572,16 @@ static void kvm_handle_diag_320(S390CPU *cpu, struct= kvm_run *run) handle_diag_320(&cpu->env, r1, r3, RA_IGNORED); } =20 +static void kvm_handle_diag_508(S390CPU *cpu, struct kvm_run *run) +{ + uint64_t r1, r3; + + r1 =3D (run->s390_sieic.ipa & 0x00f0) >> 4; + r3 =3D run->s390_sieic.ipa & 0x000f; + + handle_diag_508(&cpu->env, r1, r3, RA_IGNORED); +} + #define DIAG_KVM_CODE_MASK 0x000000000000ffff =20 static int handle_diag(S390CPU *cpu, struct kvm_run *run, uint32_t ipb) @@ -1604,6 +1615,9 @@ static int handle_diag(S390CPU *cpu, struct kvm_run *= run, uint32_t ipb) case DIAG_CERT_STORE: kvm_handle_diag_320(cpu, run); break; + case DIAG_SECURE_IPL: + kvm_handle_diag_508(cpu, run); + break; default: trace_kvm_insn_diag(func_code); kvm_s390_program_interrupt(cpu, PGM_SPECIFICATION); diff --git a/target/s390x/s390x-internal.h b/target/s390x/s390x-internal.h index b16490bce6..367df65970 100644 --- a/target/s390x/s390x-internal.h +++ b/target/s390x/s390x-internal.h @@ -390,6 +390,8 @@ void handle_diag_308(CPUS390XState *env, uint64_t r1, u= int64_t r3, uintptr_t ra); void handle_diag_320(CPUS390XState *env, uint64_t r1, uint64_t r3, uintptr_t ra); +void handle_diag_508(CPUS390XState *env, uint64_t r1, uint64_t r3, + uintptr_t ra); =20 =20 /* translate.c */ diff --git a/target/s390x/tcg/misc_helper.c b/target/s390x/tcg/misc_helper.c index 4d73475d95..562dde9cb3 100644 --- a/target/s390x/tcg/misc_helper.c +++ b/target/s390x/tcg/misc_helper.c 
@@ -149,6 +149,13 @@ void HELPER(diag)(CPUS390XState *env, uint32_t r1, uin= t32_t r3, uint32_t num) bql_unlock(); r =3D 0; break; + case 0x508: + /* secure ipl operations */ + bql_lock(); + handle_diag_508(env, r1, r3, GETPC()); + bql_unlock(); + r =3D 0; + break; default: r =3D -1; break; --=20 2.53.0
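Review bot: the new "Subcode 0 - query installed subcodes" entry in docs/specs/s390x-secure-ipl.rst says a 64-bit mask is returned but not where. handle_diag_508() stores the result in register r1 + 1, raises a privileged-operation exception in problem state, and raises a specification exception for an odd r1, a subcode above 0xffff or an unknown subcode. Documenting the register usage and those exception conditions would let guest code be written against the spec rather than the source.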
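Review bot: in handle_diag_508() in target/s390x/diag.c, the DIAG_508_SUBC_QUERY_SUBC case sets `rc = 0`, so the mask written to env->regs[r1 + 1] is all zeroes even though the commit message and the documentation describe subcode 0 as returning a bitmap of supported subcodes. If an empty mask is intended at this point in the series, a short comment saying so would help; otherwise define the mask bits in diag508.h and return them here. `int rc` is also narrower than the 64-bit mask the documentation promises, so a uint64_t would match the interface.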
From: Zhuoying Cai
To: thuth@redhat.com, berrange@redhat.com, jrossi@linux.ibm.com, qemu-s390x@nongnu.org, qemu-devel@nongnu.org
Cc: richard.henderson@linaro.org, pierrick.bouvier@linaro.org, david@kernel.org, walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com, brueckner@linux.ibm.com, jdaley@linux.ibm.com
Subject: [PATCH v9 11/30] crypto/x509-utils: Add helper functions for DIAG 508 subcode 1
Date: Thu, 5 Mar 2026 17:41:26 -0500
Message-ID: <20260305224146.664053-12-zycai@linux.ibm.com>
In-Reply-To: <20260305224146.664053-1-zycai@linux.ibm.com>
References: <20260305224146.664053-1-zycai@linux.ibm.com>

Introduce helper functions to support signature verification required by DIAG 508 subcode 1:

qcrypto_pkcs7_convert_sig_pem() – converts a signature from DER to PEM format
qcrypto_x509_verify_sig() – verifies the provided data against the given signature

These functions enable basic signature verification support.

Signed-off-by: Zhuoying Cai Reviewed-by: Farhan Ali Reviewed-by: Thomas Huth --- crypto/x509-utils.c | 108 ++++++++++++++++++++++++++++++++++++ include/crypto/x509-utils.h | 41 ++++++++++++++ 2 files changed, 149 insertions(+) diff --git a/crypto/x509-utils.c b/crypto/x509-utils.c index 906d5e5e87..2b991ff9ac 100644 --- a/crypto/x509-utils.c +++ b/crypto/x509-utils.c @@ -16,6 +16,7 @@ #include #include #include +#include =20 static const int qcrypto_to_gnutls_hash_alg_map[QCRYPTO_HASH_ALGO__MAX] = =3D { [QCRYPTO_HASH_ALGO_MD5] =3D GNUTLS_DIG_MD5, 
@@ -335,6 +336,96 @@ int qcrypto_x509_check_ecc_curve_p521(uint8_t *cert, s= ize_t size, Error **errp) return curve_id =3D=3D GNUTLS_ECC_CURVE_SECP521R1; } =20 +int qcrypto_pkcs7_convert_sig_pem(uint8_t *sig, size_t sig_size, + uint8_t **result, size_t *resultlen, + Error **errp) +{ + int ret =3D -1; + int rc; + gnutls_pkcs7_t signature; + gnutls_datum_t sig_datum_der =3D {.data =3D sig, .size =3D sig_size}; + gnutls_datum_t sig_datum_pem =3D {.data =3D NULL, .size =3D 0}; + + rc =3D gnutls_pkcs7_init(&signature); + if (rc < 0) { + error_setg(errp, "Failed to initialize pkcs7 data: %s", gnutls_str= error(rc)); + return ret; + } + + rc =3D gnutls_pkcs7_import(signature, &sig_datum_der, GNUTLS_X509_FMT_= DER); + if (rc !=3D 0) { + error_setg(errp, "Failed to import signature: %s", gnutls_strerror= (rc)); + goto cleanup; + } + + rc =3D gnutls_pkcs7_export2(signature, GNUTLS_X509_FMT_PEM, &sig_datum= _pem); + if (rc !=3D 0) { + error_setg(errp, "Failed to convert signature to PEM format: %s", + gnutls_strerror(rc)); + goto cleanup; + } + + *resultlen =3D sig_datum_pem.size; + *result =3D g_memdup2(sig_datum_pem.data, sig_datum_pem.size); + + ret =3D 0; + +cleanup: + gnutls_pkcs7_deinit(signature); + gnutls_free(sig_datum_pem.data); + return ret; +} + +int qcrypto_x509_verify_sig(uint8_t *cert, size_t cert_size, + uint8_t *comp, size_t comp_size, + uint8_t *sig, size_t sig_size, Error **errp) +{ + int rc; + int ret =3D -1; + gnutls_x509_crt_t crt =3D NULL; + gnutls_pkcs7_t signature =3D NULL; + gnutls_datum_t cert_datum =3D {.data =3D cert, .size =3D cert_size}; + gnutls_datum_t data_datum =3D {.data =3D comp, .size =3D comp_size}; + gnutls_datum_t sig_datum =3D {.data =3D sig, .size =3D sig_size}; + + rc =3D gnutls_x509_crt_init(&crt); + if (rc < 0) { + error_setg(errp, "Failed to initialize certificate: %s", gnutls_st= rerror(rc)); + goto cleanup; + } + + rc =3D gnutls_x509_crt_import(crt, &cert_datum, GNUTLS_X509_FMT_PEM); + if (rc !=3D 0) { + error_setg(errp, 
"Failed to import certificate: %s", gnutls_strerr= or(rc)); + goto cleanup; + } + + rc =3D gnutls_pkcs7_init(&signature); + if (rc < 0) { + error_setg(errp, "Failed to initialize pkcs7 data: %s", gnutls_str= error(rc)); + goto cleanup; + } + + rc =3D gnutls_pkcs7_import(signature, &sig_datum , GNUTLS_X509_FMT_PEM= ); + if (rc !=3D 0) { + error_setg(errp, "Failed to import signature: %s", gnutls_strerror= (rc)); + goto cleanup; + } + + rc =3D gnutls_pkcs7_verify_direct(signature, crt, 0, &data_datum, 0); + if (rc !=3D 0) { + error_setg(errp, "Failed to verify signature: %s", gnutls_strerror= (rc)); + goto cleanup; + } + + ret =3D 0; + +cleanup: + gnutls_x509_crt_deinit(crt); + gnutls_pkcs7_deinit(signature); + return ret; +} + #else /* ! CONFIG_GNUTLS */ =20 int qcrypto_get_x509_cert_fingerprint(uint8_t *cert, size_t size, @@ -378,4 +469,21 @@ int qcrypto_x509_check_ecc_curve_p521(uint8_t *cert, s= ize_t size, Error **errp) return -1; } =20 +int qcrypto_pkcs7_convert_sig_pem(uint8_t *sig, size_t sig_size, + uint8_t **result, + size_t *resultlen, + Error **errp) +{ + error_setg(errp, "GNUTLS is required to export pkcs7 signature"); + return -1; +} + +int qcrypto_x509_verify_sig(uint8_t *cert, size_t cert_size, + uint8_t *comp, size_t comp_size, + uint8_t *sig, size_t sig_size, Error **errp) +{ + error_setg(errp, "GNUTLS is required for signature-verification suppor= t"); + return -1; +} + #endif /* ! CONFIG_GNUTLS */ diff --git a/include/crypto/x509-utils.h b/include/crypto/x509-utils.h index 6040894a46..02e937b14a 100644 --- a/include/crypto/x509-utils.h +++ b/include/crypto/x509-utils.h 
@@ -91,4 +91,45 @@ int qcrypto_x509_get_cert_key_id(uint8_t *cert, size_t s= ize, */ int qcrypto_x509_check_ecc_curve_p521(uint8_t *cert, size_t size, Error **= errp); =20 +/** + * qcrypto_pkcs7_convert_sig_pem + * @sig: pointer to the PKCS#7 signature in DER format + * @sig_size: size of the signature + * @result: output location for the allocated buffer for the signature in + * PEM format + * (the function allocates memory which must be freed by the call= er) + * @resultlen: pointer to the size of the buffer + * (will be updated with the actual size of the PEM-encoded + * signature) + * @errp: error pointer + * + * Convert given PKCS#7 @sig from DER to PEM format. + * + * Returns: 0 if PEM-encoded signature was successfully stored in @result, + * -1 on error. + */ +int qcrypto_pkcs7_convert_sig_pem(uint8_t *sig, size_t sig_size, + uint8_t **result, + size_t *resultlen, + Error **errp); + +/** + * qcrypto_x509_verify_sig + * @cert: pointer to the raw certificate data + * @cert_size: size of the certificate + * @comp: pointer to the component to be verified + * @comp_size: size of the component + * @sig: pointer to the signature + * @sig_size: size of the signature + * @errp: error pointer + * + * Verify the provided @comp against the @sig and @cert. + * + * Returns: 0 on success, + * -1 on error. 
+ */ +int qcrypto_x509_verify_sig(uint8_t *cert, size_t cert_size, + uint8_t *comp, size_t comp_size, + uint8_t *sig, size_t sig_size, Error **errp); + #endif --=20 2.53.0 From nobody Wed Apr 1 22:36:15 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass(p=reject dis=none) header.from=linux.ibm.com ARC-Seal: i=1; a=rsa-sha256; t=1772750758; cv=none; d=zohomail.com; s=zohoarc; b=jXT09ivVanEIB+GP6rMHKZ7d7gZvmvZM/8OlBuF34/nvjM49LwG8QB+KSYXthGdLEFuKy75kn0ivpZYwkjKyEoZHfDlcSPRcXr1uTB6UB+GpQ5uBX0TfnLICzftRIMkdusPaXorgPAu0mvwi57D1FK0+D50Vuklf0d+TaSv9DGA= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1772750758; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=y13FbiFy4xBbWfzL8rH/eTuPj6+/nd5gQY5yDaLkUMc=; b=EDMia8cHNN7KUafnWxgfVM26svK9PGg0fGvFBa3S0x0OXv6f1fWehscmMldqX+C/Dy1orD+C1rkMkprBkqJQEP7qhvwAbwETYUWxcKVVRUaXWuGb0ufMZyNrhjY1NnJQE1MI2x2l4BT5gzdekK9FZgGEFhDZcsELwchq0cfY7Pg= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass header.from= (p=reject dis=none) Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1772750758806806.9753264389332; Thu, 5 Mar 2026 14:45:58 -0800 (PST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1vyHOd-0001AR-Ux; Thu, 05 Mar 2026 17:42:19 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps 
From: Zhuoying Cai
To: thuth@redhat.com, berrange@redhat.com, jrossi@linux.ibm.com, qemu-s390x@nongnu.org, qemu-devel@nongnu.org
Cc: richard.henderson@linaro.org, pierrick.bouvier@linaro.org, david@kernel.org, walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com, brueckner@linux.ibm.com, jdaley@linux.ibm.com
Subject: [PATCH v9 12/30] s390x/diag: Implement DIAG 508 subcode 1 for signature verification
Date: Thu, 5 Mar 2026 17:41:27 -0500
Message-ID: <20260305224146.664053-13-zycai@linux.ibm.com>
In-Reply-To: <20260305224146.664053-1-zycai@linux.ibm.com>
References: <20260305224146.664053-1-zycai@linux.ibm.com>

From: Collin Walling

DIAG 508 subcode 1 performs signature-verification on signed components. A signed component may be a Linux kernel image, or any other signed binary. **Verification of initrd is not supported.**

The instruction call expects two item-pairs: an address of a device component, an address of the analogous signature file (in PKCS#7 DER format), and their respective lengths. All of this data should be encapsulated within a Diag508SigVerifBlock.

The DIAG handler will read from the provided addresses to retrieve the necessary data, parse the signature file, then perform the signature-verification. Because there is no way to correlate a specific certificate to a component, each certificate in the store is tried until either verification succeeds, or all certs have been exhausted.

A return code of 1 indicates success, and the index and length of the corresponding certificate will be set in the Diag508SigVerifBlock. The following values indicate failure:

0x0102: no certificates are available in the store
0x0202: component data is invalid
0x0302: PKCS#7 format signature is invalid
0x0402: signature-verification failed
0x0502: length of Diag508SigVerifBlock is invalid

Signed-off-by: Collin Walling
Signed-off-by: Zhuoying Cai
Reviewed-by: Thomas Huth
Reviewed-by: Farhan Ali
---
 docs/specs/s390x-secure-ipl.rst | 17 +++++
 include/hw/s390x/ipl/diag508.h | 30 +++++++++
 target/s390x/diag.c | 111 +++++++++++++++++++++++++++++++-
 3 files changed, 157 insertions(+), 1 deletion(-)

diff --git a/docs/specs/s390x-secure-ipl.rst b/docs/specs/s390x-secure-ipl.= rst index 9a3decef69..32add09dc1 100644 --- a/docs/specs/s390x-secure-ipl.rst +++ b/docs/specs/s390x-secure-ipl.rst
@@ -78,3 +78,20 @@ that requires assistance from QEMU. =20 Subcode 0 - query installed subcodes Returns a 64-bit mask indicating which subcodes are supported. + +Subcode 1 - perform signature verification + Perform signature-verification on a signed component, using certificat= es + from the certificate store and leveraging qcrypto libraries to perform + this operation. + + Note: verification of initrd is not supported. + + A return code of 1 indicates success, and the index and length of the + corresponding certificate will be set in the Diag508SigVerifBlock. + The following values indicate failure: + + * ``0x0102``: no certificates are available in the store + * ``0x0202``: component data is invalid + * ``0x0302``: PKCS#7 format signature is invalid + * ``0x0402``: signature-verification failed + * ``0x0502``: length of Diag508SigVerifBlock is invalid diff --git a/include/hw/s390x/ipl/diag508.h b/include/hw/s390x/ipl/diag508.h index 6281ad8299..8a147f32a0 100644 --- a/include/hw/s390x/ipl/diag508.h +++ b/include/hw/s390x/ipl/diag508.h 
@@ -11,5 +11,35 @@ #define S390X_DIAG508_H =20 #define DIAG_508_SUBC_QUERY_SUBC 0x0000 +#define DIAG_508_SUBC_SIG_VERIF 0x8000 + +#define DIAG_508_RC_OK 0x0001 +#define DIAG_508_RC_NO_CERTS 0x0102 +#define DIAG_508_RC_INVAL_COMP_DATA 0x0202 +#define DIAG_508_RC_INVAL_PKCS7_SIG 0x0302 +#define DIAG_508_RC_FAIL_VERIF 0x0402 +#define DIAG_508_RC_INVAL_LEN 0x0502 + +/* + * Maximum componenet and signature sizes for current secure boot implemen= tation + * Not architecturally defined and may need to revisit if increased + */ +#define DIAG_508_MAX_COMP_LEN 0x10000000 +#define DIAG_508_MAX_SIG_LEN 4096 + +struct Diag508SigVerifBlock { + uint32_t length; + uint8_t reserved0[3]; + uint8_t version; + uint32_t reserved[2]; + uint8_t cert_store_index; + uint8_t reserved1[7]; + uint64_t cert_len; + uint64_t comp_len; + uint64_t comp_addr; + uint64_t sig_len; + uint64_t sig_addr; +}; +typedef struct Diag508SigVerifBlock Diag508SigVerifBlock; =20 #endif diff --git a/target/s390x/diag.c b/target/s390x/diag.c index 6d9bdee7e3..1dae4ada07 100644 --- a/target/s390x/diag.c +++ b/target/s390x/diag.c 
@@ -642,9 +642,110 @@ void handle_diag_320(CPUS390XState *env, uint64_t r1,= uint64_t r3, uintptr_t ra) } } =20 +static bool diag_508_verify_sig(uint8_t *cert, size_t cert_size, + uint8_t *comp, size_t comp_size, + uint8_t *sig, size_t sig_size) +{ + g_autofree uint8_t *sig_pem =3D NULL; + size_t sig_size_pem; + int rc; + + /* + * PKCS#7 signature with DER format + * Convert to PEM format for signature verification + * + * Ignore errors during qcrypto signature format conversion and verifi= cation + * Return false on any error, treating it as a verification failure + */ + rc =3D qcrypto_pkcs7_convert_sig_pem(sig, sig_size, &sig_pem, &sig_siz= e_pem, NULL); + if (rc < 0) { + return false; + } + + rc =3D qcrypto_x509_verify_sig(cert, cert_size, + comp, comp_size, + sig_pem, sig_size_pem, NULL); + if (rc < 0) { + return false; + } + + return true; +} + +static int handle_diag508_sig_verif(uint64_t addr) +{ + int verified; + uint32_t svb_len; + uint64_t comp_len, comp_addr; + uint64_t sig_len, sig_addr; + g_autofree uint8_t *comp =3D NULL; + g_autofree uint8_t *sig =3D NULL; + g_autofree Diag508SigVerifBlock *svb =3D NULL; + size_t svb_size =3D sizeof(Diag508SigVerifBlock); + S390IPLCertificateStore *cs =3D s390_ipl_get_certificate_store(); + + if (!cs->count) { + return DIAG_508_RC_NO_CERTS; + } + + svb =3D g_new0(Diag508SigVerifBlock, 1); + cpu_physical_memory_read(addr, svb, svb_size); + + svb_len =3D be32_to_cpu(svb->length); + if (svb_len !=3D svb_size) { + return DIAG_508_RC_INVAL_LEN; + } + + comp_len =3D be64_to_cpu(svb->comp_len); + comp_addr =3D be64_to_cpu(svb->comp_addr); + sig_len =3D be64_to_cpu(svb->sig_len); + sig_addr =3D be64_to_cpu(svb->sig_addr); + + if (!comp_len || !comp_addr || comp_len > DIAG_508_MAX_COMP_LEN) { + if (comp_len > DIAG_508_MAX_COMP_LEN) { + warn_report("DIAG 0x508: component length %lu exceeds current = maximum %u", + comp_len, DIAG_508_MAX_COMP_LEN); + } + return DIAG_508_RC_INVAL_COMP_DATA; + } + + if (!sig_len || !sig_addr || 
sig_len > DIAG_508_MAX_SIG_LEN) { + if (sig_len > DIAG_508_MAX_SIG_LEN) { + warn_report("DIAG 0x508: signature length %lu exceeds current = maximum %u", + sig_len, DIAG_508_MAX_SIG_LEN); + } + return DIAG_508_RC_INVAL_PKCS7_SIG; + } + + comp =3D g_malloc0(comp_len); + cpu_physical_memory_read(comp_addr, comp, comp_len); + + sig =3D g_malloc0(sig_len); + cpu_physical_memory_read(sig_addr, sig, sig_len); + + for (int i =3D 0; i < cs->count; i++) { + verified =3D diag_508_verify_sig(cs->certs[i].raw, + cs->certs[i].size, + comp, comp_len, + sig, sig_len); + if (verified) { + svb->cert_store_index =3D i; + svb->cert_len =3D cpu_to_be64(cs->certs[i].der_size); + cpu_physical_memory_write(addr, svb, svb_size); + return DIAG_508_RC_OK; + } + } + + return DIAG_508_RC_FAIL_VERIF; +} + +QEMU_BUILD_BUG_MSG(sizeof(Diag508SigVerifBlock) !=3D 64, + "size of Diag508SigVerifBlock is wrong"); + void handle_diag_508(CPUS390XState *env, uint64_t r1, uint64_t r3, uintptr= _t ra) { uint64_t subcode =3D env->regs[r3]; + uint64_t addr =3D env->regs[r1]; int rc; =20 if (env->psw.mask & PSW_MASK_PSTATE) { 
@@ -659,7 +760,15 @@ void handle_diag_508(CPUS390XState *env, uint64_t r1, = uint64_t r3, uintptr_t ra) =20 switch (subcode) { case DIAG_508_SUBC_QUERY_SUBC: - rc =3D 0; + rc =3D DIAG_508_SUBC_SIG_VERIF; + break; + case DIAG_508_SUBC_SIG_VERIF: + if (!diag_parm_addr_valid(addr, sizeof(Diag508SigVerifBlock), true= )) { + s390_program_interrupt(env, PGM_ADDRESSING, ra); + return; + } + + rc =3D handle_diag508_sig_verif(addr); break; default: s390_program_interrupt(env, PGM_SPECIFICATION, ra); --=20 2.53.0
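Review bot: In the include/hw/s390x/ipl/diag508.h hunk, Diag508SigVerifBlock carries a version field that nothing in this patch reads: handle_diag508_sig_verif() validates length, comp_len/comp_addr and sig_len/sig_addr but never version. Either check it and fail for unknown values, or document that it is ignored. The comment above DIAG_508_MAX_COMP_LEN has a typo ("componenet"), and since the documentation calls this "Subcode 1" while the define is DIAG_508_SUBC_SIG_VERIF 0x8000, a one-line comment on the encoding would save readers a lookup.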
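Review bot: In the first target/s390x/diag.c hunk, diag_508_verify_sig() calls qcrypto_pkcs7_convert_sig_pem() once per certificate and folds its failure into "return false", so a malformed DER signature is converted cs->count times and then reported as DIAG_508_RC_FAIL_VERIF (0x0402) instead of DIAG_508_RC_INVAL_PKCS7_SIG (0x0302), which the commit message and the documentation reserve for an invalid PKCS#7 signature. Do the conversion once in handle_diag508_sig_verif() before the certificate loop and return DIAG_508_RC_INVAL_PKCS7_SIG when it fails. Separately, only the block address is checked with diag_parm_addr_valid(); comp_addr/comp_len and sig_addr/sig_len come straight from guest memory and reach cpu_physical_memory_read() with nothing but the maximum-length checks, so both ranges should be validated before the reads. The two warn_report() calls print uint64_t values with %lu; use PRIu64.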
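Review bot: In the handle_diag_508() hunk, DIAG_508_SUBC_QUERY_SUBC now returns the subcode constant DIAG_508_SUBC_SIG_VERIF as the installed-subcodes mask. That is correct only as long as the subcode value 0x8000 doubles as its own mask bit. If that is the intended encoding, say so in a comment here or beside the defines; otherwise introduce a separate mask constant so that adding another subcode does not silently break the query result. The documentation describes the query result as a 64-bit mask while rc is an int, which holds for 0x8000 but should be kept in mind when the mask grows.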
From: Zhuoying Cai
To: thuth@redhat.com, berrange@redhat.com, jrossi@linux.ibm.com, qemu-s390x@nongnu.org, qemu-devel@nongnu.org
Cc: richard.henderson@linaro.org, pierrick.bouvier@linaro.org, david@kernel.org, walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com, brueckner@linux.ibm.com, jdaley@linux.ibm.com
Subject: [PATCH v9 13/30] s390x/ipl: Introduce IPL Information Report Block (IIRB)
Date: Thu, 5 Mar 2026 17:41:28 -0500
Message-ID: <20260305224146.664053-14-zycai@linux.ibm.com>
In-Reply-To: <20260305224146.664053-1-zycai@linux.ibm.com>
References: <20260305224146.664053-1-zycai@linux.ibm.com>

The IPL information report block (IIRB) contains information used to locate IPL records and to report the results of signature verification of one or more secure components of the load device. IIRB is stored immediately following the IPL Parameter Block. Results on component verification in any case (failure or success) are stored.

Signed-off-by: Zhuoying Cai Reviewed-by: Farhan Ali Reviewed-by: Collin Walling --- docs/specs/s390x-secure-ipl.rst | 14 ++++++++ include/hw/s390x/ipl/qipl.h | 59 +++++++++++++++++++++++++++++++++ 2 files changed, 73 insertions(+) diff --git a/docs/specs/s390x-secure-ipl.rst b/docs/specs/s390x-secure-ipl.= rst index 32add09dc1..fc37de52b9 100644 --- a/docs/specs/s390x-secure-ipl.rst +++ b/docs/specs/s390x-secure-ipl.rst @@ -95,3 +95,17 @@ Subcode 1 - perform signature verification * ``0x0302``: PKCS#7 format signature is invalid * ``0x0402``: signature-verification failed * ``0x0502``: length of Diag508SigVerifBlock is invalid + +IPL Information Report Block +---------------------------- + +The IPL Parameter Block (IPLPB), utilized for IPL operation, is extended w= ith an +IPL Information Report Block (IIRB), which contains the results from secur= e IPL +operations such as: + +* component data +* verification results +* certificate data + +The guest's kernel inspects the IIRB and uses the certificate data it cont= ains +to build the keyring. diff --git a/include/hw/s390x/ipl/qipl.h b/include/hw/s390x/ipl/qipl.h index e505f44020..0f1f55c428 100644 --- a/include/hw/s390x/ipl/qipl.h +++ b/include/hw/s390x/ipl/qipl.h 
@@ -126,4 +126,63 @@ union IplParameterBlock { } QEMU_PACKED; typedef union IplParameterBlock IplParameterBlock; =20 +struct IplInfoReportBlockHeader { + uint32_t len; + uint8_t flags; + uint8_t reserved1[11]; +}; +typedef struct IplInfoReportBlockHeader IplInfoReportBlockHeader; + +struct IplInfoBlockHeader { + uint32_t len; + uint8_t type; + uint8_t reserved1[11]; +}; +typedef struct IplInfoBlockHeader IplInfoBlockHeader; + +enum IplInfoBlockType { + IPL_INFO_BLOCK_TYPE_CERTIFICATES =3D 1, + IPL_INFO_BLOCK_TYPE_COMPONENTS =3D 2, +}; + +struct IplSignatureCertificateEntry { + uint64_t addr; + uint64_t len; +}; +typedef struct IplSignatureCertificateEntry IplSignatureCertificateEntry; + +struct IplSignatureCertificateList { + IplInfoBlockHeader ipl_info_header; + IplSignatureCertificateEntry cert_entries[MAX_CERTIFICATES]; +}; +typedef struct IplSignatureCertificateList IplSignatureCertificateList; + +#define S390_IPL_DEV_COMP_FLAG_SC 0x80 +#define S390_IPL_DEV_COMP_FLAG_CSV 0x40 + +struct IplDeviceComponentEntry { + uint64_t addr; + uint64_t len; + uint8_t flags; + uint8_t reserved1[5]; + uint16_t cert_index; + uint8_t reserved2[8]; +}; +typedef struct IplDeviceComponentEntry IplDeviceComponentEntry; + +struct IplDeviceComponentList { + IplInfoBlockHeader ipl_info_header; + IplDeviceComponentEntry device_entries[MAX_CERTIFICATES]; +}; +typedef struct IplDeviceComponentList IplDeviceComponentList; + +#define COMP_LIST_MAX sizeof(IplDeviceComponentList) +#define CERT_LIST_MAX sizeof(IplSignatureCertificateList) + +struct IplInfoReportBlock { + IplInfoReportBlockHeader hdr; + uint8_t info_blks[COMP_LIST_MAX + CERT_LIST_MAX]; +}; +typedef struct IplInfoReportBlock IplInfoReportBlock; + #endif --=20 2.53.0
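Review bot: In the include/hw/s390x/ipl/qipl.h hunk, the new IIRB structures describe a guest-visible layout, yet nothing pins their size, unlike union IplParameterBlock in the context lines above (QEMU_PACKED) and Diag508SigVerifBlock in the previous patch (QEMU_BUILD_BUG_MSG on its size). Add build-time size checks for IplInfoReportBlockHeader, IplInfoBlockHeader, IplSignatureCertificateEntry and IplDeviceComponentEntry. IplDeviceComponentList sizes device_entries[] with MAX_CERTIFICATES, which ties the number of reportable components to the certificate limit; if that is intended a comment should say so, otherwise components need their own constant. S390_IPL_DEV_COMP_FLAG_SC and S390_IPL_DEV_COMP_FLAG_CSV are added with no explanation of what the two bits mean.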
From: Zhuoying Cai
To: thuth@redhat.com, berrange@redhat.com, jrossi@linux.ibm.com, qemu-s390x@nongnu.org, qemu-devel@nongnu.org
Cc: richard.henderson@linaro.org, pierrick.bouvier@linaro.org, david@kernel.org, walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com, brueckner@linux.ibm.com, jdaley@linux.ibm.com
Subject: [PATCH v9 14/30] pc-bios/s390-ccw: Define memory for IPLB and convert IPLB to pointers
Date: Thu, 5 Mar 2026 17:41:29 -0500
Message-ID: <20260305224146.664053-15-zycai@linux.ibm.com>
In-Reply-To: <20260305224146.664053-1-zycai@linux.ibm.com>
References: <20260305224146.664053-1-zycai@linux.ibm.com>

Define a memory space for both IPL Parameter Block (IPLB) and IPL Information Report Block (IIRB) since IIRB is stored immediately following IPLB. Convert IPLB to pointer and it points to the start of the defined memory space. IIRB points to the end of IPLB.

Signed-off-by: Zhuoying Cai Reviewed-by: Thomas Huth --- include/hw/s390x/ipl/qipl.h | 6 ++++++ pc-bios/s390-ccw/iplb.h | 5 +++-- pc-bios/s390-ccw/jump2ipl.c | 6 +++--- pc-bios/s390-ccw/main.c | 34 +++++++++++++++++++--------------- pc-bios/s390-ccw/netmain.c | 8 ++++---- 5 files changed, 35 insertions(+), 24 deletions(-) diff --git a/include/hw/s390x/ipl/qipl.h b/include/hw/s390x/ipl/qipl.h index 0f1f55c428..f5e63a2fdb 100644 --- a/include/hw/s390x/ipl/qipl.h +++ b/include/hw/s390x/ipl/qipl.h @@ -185,4 +185,10 @@ struct IplInfoReportBlock { }; typedef struct IplInfoReportBlock IplInfoReportBlock; =20 +struct IplBlocks { + IplParameterBlock iplb; + IplInfoReportBlock iirb; +}; +typedef struct IplBlocks IplBlocks; + #endif diff --git a/pc-bios/s390-ccw/iplb.h b/pc-bios/s390-ccw/iplb.h index 08f259ff31..fefca65ac6 100644 --- a/pc-bios/s390-ccw/iplb.h +++ b/pc-bios/s390-ccw/iplb.h @@ -20,8 +20,9 @@ #include =20 extern QemuIplParameters qipl; -extern IplParameterBlock iplb __attribute__((__aligned__(PAGE_SIZE))); +extern IplParameterBlock *iplb; extern bool have_iplb; +extern IplBlocks ipl_data; =20 #define S390_IPL_TYPE_FCP 0x00 #define S390_IPL_TYPE_CCW 0x02 @@ -65,7 +66,7 @@ static inline bool load_next_iplb(void) =20 qipl.index++; next_iplb =3D (IplParameterBlock *) qipl.next_iplb; - memcpy(&iplb, next_iplb, sizeof(IplParameterBlock)); + memcpy(iplb, next_iplb, sizeof(IplParameterBlock)); =20 qipl.chain_len--; qipl.next_iplb =3D qipl.next_iplb + sizeof(IplParameterBlock); diff --git a/pc-bios/s390-ccw/jump2ipl.c b/pc-bios/s390-ccw/jump2ipl.c index 86321d0f46..fa2ca5cbe1 100644 --- a/pc-bios/s390-ccw/jump2ipl.c +++ b/pc-bios/s390-ccw/jump2ipl.c 
@@ -43,11 +43,11 @@ int jump_to_IPL_code(uint64_t address) * The IPLB for QEMU SCSI type devices must be rebuilt during re-ipl. = The * iplb.devno is set to the boot position of the target SCSI device. */ - if (iplb.pbt =3D=3D S390_IPL_TYPE_QEMU_SCSI) { - iplb.devno =3D qipl.index; + if (iplb->pbt =3D=3D S390_IPL_TYPE_QEMU_SCSI) { + iplb->devno =3D qipl.index; } =20 - if (have_iplb && !set_iplb(&iplb)) { + if (have_iplb && !set_iplb(iplb)) { panic("Failed to set IPLB"); } =20 diff --git a/pc-bios/s390-ccw/main.c b/pc-bios/s390-ccw/main.c index 76bf743900..819f053009 100644 --- a/pc-bios/s390-ccw/main.c +++ b/pc-bios/s390-ccw/main.c @@ -22,7 +22,9 @@ static SubChannelId blk_schid =3D { .one =3D 1 }; static char loadparm_str[LOADPARM_LEN + 1]; QemuIplParameters qipl; -IplParameterBlock iplb __attribute__((__aligned__(PAGE_SIZE))); +/* Ensure that IPLB and IIRB are page aligned and sequential in memory */ +IplBlocks ipl_data __attribute__((__aligned__(PAGE_SIZE))); +IplParameterBlock *iplb; bool have_iplb; static uint16_t cutype; LowCore *lowcore; /* Yes, this *is* a pointer to address 0 */ @@ -51,7 +53,7 @@ void write_subsystem_identification(void) void write_iplb_location(void) { if (cutype =3D=3D CU_TYPE_VIRTIO && virtio_get_device_type() !=3D VIRT= IO_ID_NET) { - lowcore->ptr_iplb =3D ptr2u32(&iplb); + lowcore->ptr_iplb =3D ptr2u32(iplb); } } =20 @@ -162,7 +164,7 @@ static void menu_setup(void) return; } =20 - switch (iplb.pbt) { + switch (iplb->pbt) { case S390_IPL_TYPE_CCW: case S390_IPL_TYPE_QEMU_SCSI: menu_set_parms(qipl.qipl_flags & BOOT_MENU_FLAG_MASK, 
@@ -191,8 +193,8 @@ static void boot_setup(void) { char lpmsg[] =3D "LOADPARM=3D[________]\n"; =20 - if (have_iplb && memcmp(iplb.loadparm, NO_LOADPARM, LOADPARM_LEN) !=3D= 0) { - ebcdic_to_ascii((char *) iplb.loadparm, loadparm_str, LOADPARM_LEN= ); + if (have_iplb && memcmp(iplb->loadparm, NO_LOADPARM, LOADPARM_LEN) != =3D 0) { + ebcdic_to_ascii((char *) iplb->loadparm, loadparm_str, LOADPARM_LE= N); } else { sclp_get_loadparm_ascii(loadparm_str); } @@ -216,21 +218,21 @@ static bool find_boot_device(void) VDev *vdev =3D virtio_get_device(); bool found =3D false; =20 - switch (iplb.pbt) { + switch (iplb->pbt) { case S390_IPL_TYPE_CCW: vdev->scsi_device_selected =3D false; - debug_print_int("device no. ", iplb.ccw.devno); - blk_schid.ssid =3D iplb.ccw.ssid & 0x3; + debug_print_int("device no. ", iplb->ccw.devno); + blk_schid.ssid =3D iplb->ccw.ssid & 0x3; debug_print_int("ssid ", blk_schid.ssid); - found =3D find_subch(iplb.ccw.devno); + found =3D find_subch(iplb->ccw.devno); break; case S390_IPL_TYPE_QEMU_SCSI: vdev->scsi_device_selected =3D true; - vdev->selected_scsi_device.channel =3D iplb.scsi.channel; - vdev->selected_scsi_device.target =3D iplb.scsi.target; - vdev->selected_scsi_device.lun =3D iplb.scsi.lun; - blk_schid.ssid =3D iplb.scsi.ssid & 0x3; - found =3D find_subch(iplb.scsi.devno); + vdev->selected_scsi_device.channel =3D iplb->scsi.channel; + vdev->selected_scsi_device.target =3D iplb->scsi.target; + vdev->selected_scsi_device.lun =3D iplb->scsi.lun; + blk_schid.ssid =3D iplb->scsi.ssid & 0x3; + found =3D find_subch(iplb->scsi.devno); break; default: puts("Unsupported IPLB"); @@ -311,10 +313,12 @@ static void probe_boot_device(void) =20 void main(void) { + iplb =3D &ipl_data.iplb; + copy_qipl(); sclp_setup(); css_setup(); - have_iplb =3D store_iplb(&iplb); + have_iplb =3D store_iplb(iplb); if (!have_iplb) { boot_setup(); probe_boot_device(); diff --git a/pc-bios/s390-ccw/netmain.c b/pc-bios/s390-ccw/netmain.c index a9521dff41..457fbc3095 100644 
--- a/pc-bios/s390-ccw/netmain.c +++ b/pc-bios/s390-ccw/netmain.c 
@@ -528,11 +528,11 @@ static bool virtio_setup(void) */ enable_mss_facility(); =20 - if (have_iplb || store_iplb(&iplb)) { - IPL_assert(iplb.pbt =3D=3D S390_IPL_TYPE_CCW, "IPL_TYPE_CCW expect= ed"); - dev_no =3D iplb.ccw.devno; + if (have_iplb || store_iplb(iplb)) { + IPL_assert(iplb->pbt =3D=3D S390_IPL_TYPE_CCW, "IPL_TYPE_CCW expec= ted"); + dev_no =3D iplb->ccw.devno; debug_print_int("device no. ", dev_no); - net_schid.ssid =3D iplb.ccw.ssid & 0x3; + net_schid.ssid =3D iplb->ccw.ssid & 0x3; debug_print_int("ssid ", net_schid.ssid); found =3D find_net_dev(&schib, dev_no); } else { --=20 2.53.0
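
Review bot: In the include/hw/s390x/ipl/qipl.h hunk, nothing enforces the layout that struct IplBlocks exists for. The comment added in main.c says the IPLB and IIRB must be page aligned and sequential in memory, but that holds only if iirb starts exactly where iplb ends, with no padding between the two members. Consider a build-time assertion next to the typedef, for example that offsetof(IplBlocks, iirb) equals sizeof(IplParameterBlock), and a short comment on the struct itself, since pc-bios/s390-ccw/iplb.h declares ipl_data with this type and the only explanation currently lives in main.c.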
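
Review bot: In the pc-bios/s390-ccw/main.c hunks, iplb is now a global pointer that only receives a value in the first statement of main() (iplb = &ipl_data.iplb;), so it is NULL until then. The lowcore declaration in the context of the first main.c hunk is a reminder that address 0 is ordinary memory for this code, so an early dereference would read or overwrite low core instead of faulting. The netmain.c hunk (store_iplb(iplb), iplb->pbt) and load_next_iplb() in iplb.h both depend on that assignment having run; initialising the pointer at its definition, if the BIOS link setup allows an address initialiser, or stating the ordering requirement beside the declaration, would make the dependency explicit.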
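
Review bot: In the pc-bios/s390-ccw/jump2ipl.c hunk, the unchanged comment above the changed lines still reads "iplb.devno is set to the boot position of the target SCSI device" while the code now writes iplb->devno. Update the comment in the same patch so the text and the access style stay in step.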
From: Zhuoying Cai
To: thuth@redhat.com, berrange@redhat.com, jrossi@linux.ibm.com, qemu-s390x@nongnu.org, qemu-devel@nongnu.org
Cc: richard.henderson@linaro.org, pierrick.bouvier@linaro.org, david@kernel.org, walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com, brueckner@linux.ibm.com, jdaley@linux.ibm.com
Subject: [PATCH v9 15/30] hw/s390x/ipl: Add IPIB flags to IPL Parameter Block
Date: Thu, 5 Mar 2026 17:41:30 -0500
Message-ID: <20260305224146.664053-16-zycai@linux.ibm.com>
In-Reply-To: <20260305224146.664053-1-zycai@linux.ibm.com>
References: <20260305224146.664053-1-zycai@linux.ibm.com>

Add IPIB flags to IPL Parameter Block to determine if IPL needs to perform securely and if IPL Information Report Block (IIRB) exists. Move DIAG308 flags to a separated header file and add flags for secure IPL. Secure boot in audit mode will perform if certificate(s) exist in the key store. IIRB will exist and results of verification will be stored in IIRB.

To ensure proper alignment of the IIRB and prevent overlap, set iplb->len to the maximum length of the IPLB, allowing alignment constraints to be determined based on its size. Signed-off-by: Zhuoying Cai Reviewed-by: Thomas Huth --- hw/s390x/ipl.c | 21 +++++++++++++++++++++ hw/s390x/ipl.h | 18 +----------------- include/hw/s390x/ipl/diag308.h | 34 ++++++++++++++++++++++++++++++++++ include/hw/s390x/ipl/qipl.h | 5 ++++- 4 files changed, 60 insertions(+), 18 deletions(-) create mode 100644 include/hw/s390x/ipl/diag308.h diff --git a/hw/s390x/ipl.c b/hw/s390x/ipl.c index ea108fe370..b66dfd06bd 100644 --- a/hw/s390x/ipl.c +++ b/hw/s390x/ipl.c @@ -433,6 +433,13 @@ S390IPLCertificateStore *s390_ipl_get_certificate_stor= e(void) return &ipl->cert_store; } =20 +static bool s390_has_certificate(void) +{ + S390IPLState *ipl =3D get_ipl_device(); + + return ipl->cert_store.count > 0; +} + static bool s390_build_iplb(DeviceState *dev_st, IplParameterBlock *iplb) { CcwDevice *ccw_dev =3D NULL; @@ -490,6 +497,20 @@ static bool s390_build_iplb(DeviceState *dev_st, IplPa= rameterBlock *iplb) s390_ipl_convert_loadparm((char *)lp, iplb->loadparm); iplb->flags |=3D DIAG308_FLAGS_LP_VALID; =20 + /* + * Secure boot in audit mode will perform + * if certificate(s) exist in the key store. + * + * IPL Information Report Block (IIRB) will exist + * for secure boot in audit mode. + * + * Results of secure boot will be stored in IIRB. + */ + if (s390_has_certificate()) { + iplb->hdr_flags |=3D DIAG308_IPIB_FLAGS_IPLIR; + iplb->len =3D cpu_to_be32(S390_IPLB_MAX_LEN); + } + return true; } =20 diff --git a/hw/s390x/ipl.h b/hw/s390x/ipl.h index 37f311474d..f0d44a87dd 100644 --- a/hw/s390x/ipl.h +++ b/hw/s390x/ipl.h @@ -23,7 +23,6 @@ #include "qom/object.h" #include "target/s390x/kvm/pv.h" =20 -#define DIAG308_FLAGS_LP_VALID 0x80 #define MAX_BOOT_DEVS 8 /* Max number of devices that may have a bootindex= */ =20 void s390_ipl_convert_loadparm(char *ascii_lp, uint8_t *ebcdic_lp); 
@@ -90,22 +89,6 @@ struct S390IPLState { }; QEMU_BUILD_BUG_MSG(offsetof(S390IPLState, iplb) & 3, "alignment of iplb wr= ong"); =20 -#define DIAG_308_RC_OK 0x0001 -#define DIAG_308_RC_NO_CONF 0x0102 -#define DIAG_308_RC_INVALID 0x0402 -#define DIAG_308_RC_NO_PV_CONF 0x0902 -#define DIAG_308_RC_INVAL_FOR_PV 0x0a02 - -#define DIAG308_RESET_MOD_CLR 0 -#define DIAG308_RESET_LOAD_NORM 1 -#define DIAG308_LOAD_CLEAR 3 -#define DIAG308_LOAD_NORMAL_DUMP 4 -#define DIAG308_SET 5 -#define DIAG308_STORE 6 -#define DIAG308_PV_SET 8 -#define DIAG308_PV_STORE 9 -#define DIAG308_PV_START 10 - #define S390_IPL_TYPE_FCP 0x00 #define S390_IPL_TYPE_CCW 0x02 #define S390_IPL_TYPE_PV 0x05 @@ -116,6 +99,7 @@ QEMU_BUILD_BUG_MSG(offsetof(S390IPLState, iplb) & 3, "al= ignment of iplb wrong"); #define S390_IPLB_MIN_CCW_LEN 200 #define S390_IPLB_MIN_FCP_LEN 384 #define S390_IPLB_MIN_QEMU_SCSI_LEN 200 +#define S390_IPLB_MAX_LEN 4096 =20 static inline bool iplb_valid_len(IplParameterBlock *iplb) { diff --git a/include/hw/s390x/ipl/diag308.h b/include/hw/s390x/ipl/diag308.h new file mode 100644 index 0000000000..6e62f29215 --- /dev/null +++ b/include/hw/s390x/ipl/diag308.h @@ -0,0 +1,34 @@ +/* + * S/390 DIAGNOSE 308 definitions and structures + * + * Copyright 2025 IBM Corp. + * Author(s): Zhuoying Cai + * + * SPDX-License-Identifier: GPL-2.0-or-later + */ + +#ifndef S390X_DIAG308_H +#define S390X_DIAG308_H + +#define DIAG_308_RC_OK 0x0001 +#define DIAG_308_RC_NO_CONF 0x0102 +#define DIAG_308_RC_INVALID 0x0402 +#define DIAG_308_RC_NO_PV_CONF 0x0902 +#define DIAG_308_RC_INVAL_FOR_PV 0x0a02 + +#define DIAG308_RESET_MOD_CLR 0 +#define DIAG308_RESET_LOAD_NORM 1 +#define DIAG308_LOAD_CLEAR 3 +#define DIAG308_LOAD_NORMAL_DUMP 4 +#define DIAG308_SET 5 +#define DIAG308_STORE 6 +#define DIAG308_PV_SET 8 +#define DIAG308_PV_STORE 9 +#define DIAG308_PV_START 10 + +#define DIAG308_FLAGS_LP_VALID 0x80 + +#define DIAG308_IPIB_FLAGS_SIPL 0x40 +#define DIAG308_IPIB_FLAGS_IPLIR 0x20 + +#endif 
diff --git a/include/hw/s390x/ipl/qipl.h b/include/hw/s390x/ipl/qipl.h index f5e63a2fdb..1b6cb3231d 100644 --- a/include/hw/s390x/ipl/qipl.h +++ b/include/hw/s390x/ipl/qipl.h @@ -12,6 +12,8 @@ #ifndef S390X_QIPL_H #define S390X_QIPL_H =20 +#include "diag308.h" + /* Boot Menu flags */ #define QIPL_FLAG_BM_OPTS_CMD 0x80 #define QIPL_FLAG_BM_OPTS_ZIPL 0x40 
@@ -103,7 +105,8 @@ typedef struct IplBlockQemuScsi IplBlockQemuScsi; union IplParameterBlock { struct { uint32_t len; - uint8_t reserved0[3]; + uint8_t hdr_flags; + uint8_t reserved0[2]; uint8_t version; uint32_t blk0_len; uint8_t pbt; --=20 2.53.0
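
Review bot: In the s390_build_iplb() hunk of hw/s390x/ipl.c, iplb->len is overwritten with S390_IPLB_MAX_LEN whenever the certificate store is non-empty, so the field stops describing the block type that was just built (the ipl.h context lists separate minimum lengths for CCW, FCP and QEMU SCSI). Anything that later copies or validates len bytes will now act on the full 4096, so it is worth asserting at build time that sizeof(IplParameterBlock) is at least S390_IPLB_MAX_LEN and saying in the comment that len is deliberately the maximum in this case. The new comment explains audit mode but not the length change, which is the less obvious half of the block.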
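
Review bot: In the new include/hw/s390x/ipl/diag308.h, DIAG308_FLAGS_LP_VALID and the two DIAG308_IPIB_FLAGS_* values sit together with no indication that they belong to different fields: the ipl.c hunk ORs the first into iplb->flags and DIAG308_IPIB_FLAGS_IPLIR into iplb->hdr_flags. A one-line comment above each group naming the field it applies to would keep the values from being applied to the wrong byte. DIAG308_IPIB_FLAGS_SIPL is defined here but not used anywhere in this patch; the commit message could say which later patch consumes it.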
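
Review bot: In the union IplParameterBlock hunk of include/hw/s390x/ipl/qipl.h, hdr_flags takes over a byte that was part of reserved0[3], and this patch only shows the QEMU-built path setting it. Please confirm that an IPLB supplied by the guest (DIAG308_SET is among the subcodes moved into diag308.h) cannot carry DIAG308_IPIB_FLAGS_SIPL or DIAG308_IPIB_FLAGS_IPLIR into a place where they are trusted, or mask the byte where such a block is accepted.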
From: Zhuoying Cai
To: thuth@redhat.com, berrange@redhat.com, jrossi@linux.ibm.com, qemu-s390x@nongnu.org, qemu-devel@nongnu.org
Cc: richard.henderson@linaro.org, pierrick.bouvier@linaro.org, david@kernel.org, walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com, brueckner@linux.ibm.com, jdaley@linux.ibm.com
Subject: [PATCH v9 16/30] s390x: Guest support for Secure-IPL Facility
Date: Thu, 5 Mar 2026 17:41:31 -0500
Message-ID: <20260305224146.664053-17-zycai@linux.ibm.com>
In-Reply-To: <20260305224146.664053-1-zycai@linux.ibm.com>
References: <20260305224146.664053-1-zycai@linux.ibm.com>

Introduce Secure-IPL (SIPL) facility. Use fac_ipl to represent bytes 136 and 137 for IPL device facilities of the SCLP Read Info block. Availability of SIPL facility is determined by byte 136 bit 1 of the SCLP Read Info block. Byte 136's facilities cannot be represented without the availability of the extended-length-SCCB, so add it as a check for consistency. Secure IPL is not available for guests under protected virtualization.

This feature is available starting with the gen16 CPU model. Signed-off-by: Zhuoying Cai Reviewed-by: Collin Walling Reviewed-by: Thomas Huth --- hw/s390x/sclp.c | 2 ++ include/hw/s390x/sclp.h | 4 +++- target/s390x/cpu_features.c | 4 ++++ target/s390x/cpu_features.h | 1 + target/s390x/cpu_features_def.h.inc | 3 +++ target/s390x/cpu_models.c | 2 ++ target/s390x/gen-features.c | 2 ++ target/s390x/kvm/kvm.c | 3 +++ 8 files changed, 20 insertions(+), 1 deletion(-) diff --git a/hw/s390x/sclp.c b/hw/s390x/sclp.c index b9c3983df1..666bae33f0 100644 --- a/hw/s390x/sclp.c +++ b/hw/s390x/sclp.c @@ -146,6 +146,8 @@ static void read_SCP_info(SCLPDevice *sclp, SCCB *sccb) if (s390_has_feat(S390_FEAT_EXTENDED_LENGTH_SCCB)) { s390_get_feat_block(S390_FEAT_TYPE_SCLP_FAC134, &read_info->fac134); + s390_get_feat_block(S390_FEAT_TYPE_SCLP_FAC_IPL, + read_info->fac_ipl); } =20 read_info->facilities =3D cpu_to_be64(SCLP_HAS_CPU_INFO | diff --git a/include/hw/s390x/sclp.h b/include/hw/s390x/sclp.h index ddc61f1c21..a9595d8007 100644 --- a/include/hw/s390x/sclp.h +++ b/include/hw/s390x/sclp.h @@ -136,7 +136,9 @@ typedef struct ReadInfo { uint32_t hmfai; uint8_t _reserved7[134 - 128]; /* 128-133 */ uint8_t fac134; - uint8_t _reserved8[144 - 135]; /* 135-143 */ + uint8_t _reserved8; + uint8_t fac_ipl[2]; /* 136-137 */ + uint8_t _reserved9[144 - 138]; /* 138-143 */ struct CPUEntry entries[]; /* * When the Extended-Length SCCB (ELS) feature is enabled the diff --git a/target/s390x/cpu_features.c b/target/s390x/cpu_features.c index 436471f4b4..200bd8c15b 100644 --- a/target/s390x/cpu_features.c +++ b/target/s390x/cpu_features.c 
@@ -119,6 +119,7 @@ void s390_fill_feat_block(const S390FeatBitmap features= , S390FeatType type, * Some facilities are not available for CPUs in protected mode: * - All SIE facilities because SIE is not available * - DIAG318 + * - Secure IPL Facility * * As VMs can move in and out of protected mode the CPU model * doesn't protect us from that problem because it is only @@ -149,6 +150,9 @@ void s390_fill_feat_block(const S390FeatBitmap features= , S390FeatType type, clear_be_bit(s390_feat_def(S390_FEAT_DIAG_318)->bit, data); clear_be_bit(s390_feat_def(S390_FEAT_CERT_STORE)->bit, data); break; + case S390_FEAT_TYPE_SCLP_FAC_IPL: + clear_be_bit(s390_feat_def(S390_FEAT_SIPL)->bit, data); + break; default: return; } diff --git a/target/s390x/cpu_features.h b/target/s390x/cpu_features.h index 5635839d03..b038198555 100644 --- a/target/s390x/cpu_features.h +++ b/target/s390x/cpu_features.h @@ -24,6 +24,7 @@ typedef enum { S390_FEAT_TYPE_SCLP_CONF_CHAR, S390_FEAT_TYPE_SCLP_CONF_CHAR_EXT, S390_FEAT_TYPE_SCLP_FAC134, + S390_FEAT_TYPE_SCLP_FAC_IPL, S390_FEAT_TYPE_SCLP_CPU, S390_FEAT_TYPE_MISC, S390_FEAT_TYPE_PLO, diff --git a/target/s390x/cpu_features_def.h.inc b/target/s390x/cpu_feature= s_def.h.inc index 2976ecd0ee..bcf8a666e4 100644 --- a/target/s390x/cpu_features_def.h.inc +++ b/target/s390x/cpu_features_def.h.inc @@ -140,6 +140,9 @@ DEF_FEAT(SIE_IBS, "ibs", SCLP_CONF_CHAR_EXT, 10, "SIE: = Interlock-and-broadcast-s DEF_FEAT(DIAG_318, "diag318", SCLP_FAC134, 0, "Control program name and ve= rsion codes") DEF_FEAT(CERT_STORE, "cstore", SCLP_FAC134, 5, "Certificate Store function= s") =20 +/* Features exposed via SCLP SCCB Facilities byte 136 - 137 (bit numbers r= elative to byte-136) */ +DEF_FEAT(SIPL, "sipl", SCLP_FAC_IPL, 1, "Secure-IPL facility") + /* Features exposed via SCLP CPU info. */ DEF_FEAT(SIE_F2, "sief2", SCLP_CPU, 4, "SIE: interception format 2 (Virtua= l SIE)") DEF_FEAT(SIE_SKEY, "skey", SCLP_CPU, 5, "SIE: Storage-key facility") 
diff --git a/target/s390x/cpu_models.c b/target/s390x/cpu_models.c index 6b8471700e..f99536ef9a 100644 --- a/target/s390x/cpu_models.c +++ b/target/s390x/cpu_models.c @@ -263,6 +263,7 @@ bool s390_has_feat(S390Feat feat) case S390_FEAT_SIE_CMMA: case S390_FEAT_SIE_PFMFI: case S390_FEAT_SIE_IBS: + case S390_FEAT_SIPL: case S390_FEAT_CONFIGURATION_TOPOLOGY: return false; break; @@ -507,6 +508,7 @@ static void check_consistency(const S390CPUModel *model) { S390_FEAT_AP_QUEUE_INTERRUPT_CONTROL, S390_FEAT_AP }, { S390_FEAT_DIAG_318, S390_FEAT_EXTENDED_LENGTH_SCCB }, { S390_FEAT_CERT_STORE, S390_FEAT_EXTENDED_LENGTH_SCCB }, + { S390_FEAT_SIPL, S390_FEAT_EXTENDED_LENGTH_SCCB }, { S390_FEAT_NNPA, S390_FEAT_VECTOR }, { S390_FEAT_RDP, S390_FEAT_LOCAL_TLB_CLEARING }, { S390_FEAT_UV_FEAT_AP, S390_FEAT_AP }, diff --git a/target/s390x/gen-features.c b/target/s390x/gen-features.c index 6c20c3a862..bd2060ab93 100644 --- a/target/s390x/gen-features.c +++ b/target/s390x/gen-features.c @@ -721,6 +721,7 @@ static uint16_t full_GEN16_GA1[] =3D { S390_FEAT_UV_FEAT_AP, S390_FEAT_UV_FEAT_AP_INTR, S390_FEAT_CERT_STORE, + S390_FEAT_SIPL, }; =20 static uint16_t full_GEN17_GA1[] =3D { @@ -922,6 +923,7 @@ static uint16_t qemu_MAX[] =3D { S390_FEAT_PRNO_TRNG, S390_FEAT_EXTENDED_LENGTH_SCCB, S390_FEAT_CERT_STORE, + S390_FEAT_SIPL, }; =20 /****** END FEATURE DEFS ******/ diff --git a/target/s390x/kvm/kvm.c b/target/s390x/kvm/kvm.c index cba431688b..40197cca7a 100644 --- a/target/s390x/kvm/kvm.c +++ b/target/s390x/kvm/kvm.c 
@@ -2518,6 +2518,9 @@ bool kvm_s390_get_host_cpu_model(S390CPUModel *model,= Error **errp) =20 set_bit(S390_FEAT_CERT_STORE, model->features); =20 + /* Some Secure IPL facilities are emulated by QEMU */ + set_bit(S390_FEAT_SIPL, model->features); + /* Test for Ultravisor features that influence secure guest behavior */ query_uv_feat_guest(model->features); =20 --=20 2.53.0
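Review bot: In the kvm.c hunk, set_bit(S390_FEAT_SIPL, model->features) is unconditional in kvm_s390_get_host_cpu_model(), while the check_consistency() hunk in cpu_models.c adds { S390_FEAT_SIPL, S390_FEAT_EXTENDED_LENGTH_SCCB } as a dependency pair. Either set the bit only when S390_FEAT_EXTENDED_LENGTH_SCCB is present in model->features, or state in the comment why the dependency always holds for the host model. The comment "Some Secure IPL facilities are emulated by QEMU" also does not say which facilities; naming the SCLP facility bit it covers would tie it to the protected-mode clearing added in s390_fill_feat_block().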
From: Zhuoying Cai
To: thuth@redhat.com, berrange@redhat.com, jrossi@linux.ibm.com, qemu-s390x@nongnu.org, qemu-devel@nongnu.org
Cc: richard.henderson@linaro.org, pierrick.bouvier@linaro.org, david@kernel.org, walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com, brueckner@linux.ibm.com, jdaley@linux.ibm.com
Subject: [PATCH v9 17/30] pc-bios/s390-ccw: Refactor zipl_run()
Date: Thu, 5 Mar 2026 17:41:32 -0500
Message-ID: <20260305224146.664053-18-zycai@linux.ibm.com>
In-Reply-To: <20260305224146.664053-1-zycai@linux.ibm.com>
References: <20260305224146.664053-1-zycai@linux.ibm.com>

Refactor to enhance readability before enabling secure IPL in later patches.

Signed-off-by: Zhuoying Cai
Reviewed-by: Thomas Huth
--- pc-bios/s390-ccw/bootmap.c | 51 ++++++++++++++++++++++++-------------- 1 file changed, 33 insertions(+), 18 deletions(-) diff --git a/pc-bios/s390-ccw/bootmap.c b/pc-bios/s390-ccw/bootmap.c index 0f8baa0198..22801ca746 100644 --- a/pc-bios/s390-ccw/bootmap.c +++ b/pc-bios/s390-ccw/bootmap.c
@@ -674,12 +674,42 @@ static int zipl_load_segment(ComponentEntry *entry) return 0; } =20 +static int zipl_run_normal(ComponentEntry **entry_ptr, uint8_t *tmp_sec) +{ + ComponentEntry *entry =3D *entry_ptr; + + while (entry->component_type =3D=3D ZIPL_COMP_ENTRY_LOAD || + entry->component_type =3D=3D ZIPL_COMP_ENTRY_SIGNATURE) { + + /* Secure boot is off, so we skip signature entries */ + if (entry->component_type =3D=3D ZIPL_COMP_ENTRY_SIGNATURE) { + entry++; + continue; + } + + if (zipl_load_segment(entry)) { + return -1; + } + + entry++; + + if ((uint8_t *)&entry[1] > tmp_sec + MAX_SECTOR_SIZE) { + puts("Wrong entry value"); + return -EINVAL; + } + } + + *entry_ptr =3D entry; + return 0; +} + /* Run a zipl program */ static int zipl_run(ScsiBlockPtr *pte) { ComponentHeader *header; ComponentEntry *entry; uint8_t tmp_sec[MAX_SECTOR_SIZE]; + int rc; =20 if (virtio_read(pte->blockno, tmp_sec)) { puts("Cannot read header"); 
@@ -700,25 +730,10 @@ static int zipl_run(ScsiBlockPtr *pte) =20 /* Load image(s) into RAM */ entry =3D (ComponentEntry *)(&header[1]); - while (entry->component_type =3D=3D ZIPL_COMP_ENTRY_LOAD || - entry->component_type =3D=3D ZIPL_COMP_ENTRY_SIGNATURE) { - - /* We don't support secure boot yet, so we skip signature entries = */ - if (entry->component_type =3D=3D ZIPL_COMP_ENTRY_SIGNATURE) { - entry++; - continue; - } - - if (zipl_load_segment(entry)) { - return -1; - } =20 - entry++; - - if ((uint8_t *)(&entry[1]) > (tmp_sec + MAX_SECTOR_SIZE)) { - puts("Wrong entry value"); - return -EINVAL; - } + rc =3D zipl_run_normal(&entry, tmp_sec); + if (rc) { + return rc; } =20 if (entry->component_type !=3D ZIPL_COMP_ENTRY_EXEC) { --=20 2.53.0
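Review bot: In zipl_run_normal(), the signature-skip branch does "entry++; continue;" and so never reaches the "(uint8_t *)&entry[1] > tmp_sec + MAX_SECTOR_SIZE" bounds check, so a run of ZIPL_COMP_ENTRY_SIGNATURE entries can advance entry past the end of tmp_sec. The removed loop in zipl_run() had the same shape, but since the commit message positions this helper as groundwork for secure IPL, do the increment and the bounds check in one place at the end of the loop body so both entry types are covered. The helper also returns -1 for a load failure and -EINVAL for the bounds failure; now that zipl_run() passes rc through, returning the zipl_load_segment() result would keep the error codes consistent.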
From: Zhuoying Cai
To: thuth@redhat.com, berrange@redhat.com, jrossi@linux.ibm.com, qemu-s390x@nongnu.org, qemu-devel@nongnu.org
Cc: richard.henderson@linaro.org, pierrick.bouvier@linaro.org, david@kernel.org, walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com, brueckner@linux.ibm.com, jdaley@linux.ibm.com
Subject: [PATCH v9 18/30] pc-bios/s390-ccw: Rework zipl_load_segment function
Date: Thu, 5 Mar 2026 17:41:33 -0500
Message-ID: <20260305224146.664053-19-zycai@linux.ibm.com>
In-Reply-To: <20260305224146.664053-1-zycai@linux.ibm.com>
References: <20260305224146.664053-1-zycai@linux.ibm.com>

Make the address variable a parameter of zipl_load_segment and return segment length. Modify this function to allow the caller to specify a memory address where segment data should be loaded into. seg_len variable is necessary to store the calculated segment length and is used during signature verification. Return the length on success, or a negative return code on failure.

Signed-off-by: Zhuoying Cai Reviewed-by: Thomas Huth --- pc-bios/s390-ccw/bootmap.c | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/pc-bios/s390-ccw/bootmap.c b/pc-bios/s390-ccw/bootmap.c index 22801ca746..9a03eab6ed 100644 --- a/pc-bios/s390-ccw/bootmap.c +++ b/pc-bios/s390-ccw/bootmap.c @@ -613,19 +613,22 @@ static int ipl_eckd(void) * IPL a SCSI disk */ =20 -static int zipl_load_segment(ComponentEntry *entry) +/* + * Returns: length of the segment on success, + * negative value on error. + */ +static int zipl_load_segment(ComponentEntry *entry, uint64_t address) { const int max_entries =3D (MAX_SECTOR_SIZE / sizeof(ScsiBlockPtr)); ScsiBlockPtr *bprs =3D (void *)sec; const int bprs_size =3D sizeof(sec); block_number_t blockno; - uint64_t address; int i; char err_msg[] =3D "zIPL failed to read BPRS at 0xZZZZZZZZZZZZZZZZ"; char *blk_no =3D &err_msg[30]; /* where to print blockno in (those ZZs= ) */ + int seg_len =3D 0; =20 blockno =3D entry->data.blockno; - address =3D entry->compdat.load_addr; =20 debug_print_int("loading segment at block", blockno); debug_print_int("addr", address); @@ -668,10 +671,12 @@ static int zipl_load_segment(ComponentEntry *entry) puts("zIPL load segment failed"); return -EIO; } + + seg_len +=3D bprs->size * (bprs[i].blockct + 1); } } while (blockno); =20 - return 0; + return seg_len; } =20 static int zipl_run_normal(ComponentEntry **entry_ptr, uint8_t *tmp_sec) 
@@ -687,7 +692,7 @@ static int zipl_run_normal(ComponentEntry **entry_ptr, = uint8_t *tmp_sec) continue; } =20 - if (zipl_load_segment(entry)) { + if (zipl_load_segment(entry, entry->compdat.load_addr) < 0) { return -1; } =20 --=20 2.53.0
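Review bot: In the @@ -668,10 +671,12 @@ hunk of zipl_load_segment(), the added seg_len accumulation multiplies bprs->size, which is the size field of bprs[0], by (bprs[i].blockct + 1); use bprs[i].size so size and count come from the same entry, or add a comment if the size is guaranteed identical across the table. seg_len is also a plain int that doubles as the error channel: the caller in zipl_run_normal() tests "< 0", and a sum that exceeds INT_MAX is undefined behaviour that can come back negative and be read as a load failure. Since the commit message says this length is used during signature verification, accumulate it in a wider unsigned type with an explicit overflow check and hand it back through an out parameter, keeping the int return for the status code.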
From: Zhuoying Cai
To: thuth@redhat.com, berrange@redhat.com, jrossi@linux.ibm.com, qemu-s390x@nongnu.org, qemu-devel@nongnu.org
Cc: richard.henderson@linaro.org, pierrick.bouvier@linaro.org, david@kernel.org, walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com, brueckner@linux.ibm.com, jdaley@linux.ibm.com
Subject: [PATCH v9 19/30] pc-bios/s390-ccw: Add signature verification for secure IPL in audit mode
Date: Thu, 5 Mar 2026 17:41:34 -0500
Message-ID: <20260305224146.664053-20-zycai@linux.ibm.com>
In-Reply-To: <20260305224146.664053-1-zycai@linux.ibm.com>
References: <20260305224146.664053-1-zycai@linux.ibm.com>

Enable secure IPL in audit mode, which performs signature verification, but any error does not terminate the boot process. Only warnings will be logged to the console instead.

Add a comp_len variable to store the length of a segment in zipl_load_segment. comp_len variable is necessary to store the calculated segment length and is used during signature verification. Return the length on success, or a negative return code on failure.

Secure IPL in audit mode requires at least one certificate provided in the key store along with necessary facilities (Secure IPL Facility, Certificate Store Facility and secure IPL extension support). Note: Secure IPL in audit mode is implemented for the SCSI scheme of virtio-blk/virtio-scsi devices. Signed-off-by: Zhuoying Cai --- docs/system/s390x/secure-ipl.rst | 35 +++ pc-bios/s390-ccw/Makefile | 3 +- pc-bios/s390-ccw/bootmap.c | 36 +++- pc-bios/s390-ccw/bootmap.h | 11 + pc-bios/s390-ccw/main.c | 6 + pc-bios/s390-ccw/s390-ccw.h | 27 +++ pc-bios/s390-ccw/sclp.c | 38 ++++ pc-bios/s390-ccw/sclp.h | 6 + pc-bios/s390-ccw/secure-ipl.c | 357 +++++++++++++++++++++++++++++++ pc-bios/s390-ccw/secure-ipl.h | 102 +++++++++ 10 files changed, 618 insertions(+), 3 deletions(-) create mode 100644 pc-bios/s390-ccw/secure-ipl.c create mode 100644 pc-bios/s390-ccw/secure-ipl.h diff --git a/docs/system/s390x/secure-ipl.rst b/docs/system/s390x/secure-ip= l.rst index 0a02f171b4..3a19b72085 100644 --- a/docs/system/s390x/secure-ipl.rst +++ b/docs/system/s390x/secure-ipl.rst 
@@ -18,3 +18,38 @@ Note: certificate files must have a .pem extension. .. code-block:: shell =20 qemu-system-s390x -machine s390-ccw-virtio,boot-certs.0.path=3D/.../qe= mu/certs,boot-certs.1.path=3D/another/path/cert.pem ... + + +IPL Modes +=3D=3D=3D=3D=3D=3D=3D=3D=3D +Multiple IPL modes are available to differentiate between the various IPL +configurations. These modes are mutually exclusive and enabled based on the +``boot-certs`` option on the QEMU command line. + +Normal Mode +----------- + +The absence of certificates will attempt to IPL a guest without secure IPL +operations. No checks are performed, and no warnings/errors are reported. +This is the default mode. + +Configuration: + +.. code-block:: shell + + qemu-system-s390x -machine s390-ccw-virtio ... + +Audit Mode +---------- + +When the certificate store is populated with at least one certificate +and no additional secure IPL parameters are provided on the command +line, then secure IPL will proceed in "audit mode". All secure IPL +operations will be performed with signature verification errors reported +as non-disruptive warnings. + +Configuration: + +.. code-block:: shell + + qemu-system-s390x -machine s390-ccw-virtio,boot-certs.0.path=3D/.../qe= mu/certs,boot-certs.1.path=3D/another/path/cert.pem ... diff --git a/pc-bios/s390-ccw/Makefile b/pc-bios/s390-ccw/Makefile index a0f24c94a8..603761a857 100644 --- a/pc-bios/s390-ccw/Makefile +++ b/pc-bios/s390-ccw/Makefile @@ -34,7 +34,8 @@ QEMU_DGFLAGS =3D -MMD -MP -MT $@ -MF $(@D)/$(*F).d .PHONY : all clean build-all distclean =20 OBJECTS =3D start.o main.o bootmap.o jump2ipl.o sclp.o menu.o netmain.o \ - virtio.o virtio-net.o virtio-scsi.o virtio-blkdev.o cio.o dasd-ipl.o + virtio.o virtio-net.o virtio-scsi.o virtio-blkdev.o cio.o dasd-ipl.o \ + secure-ipl.o =20 SLOF_DIR :=3D $(SRC_PATH)/../../roms/SLOF =20 diff --git a/pc-bios/s390-ccw/bootmap.c b/pc-bios/s390-ccw/bootmap.c index 9a03eab6ed..43a661325f 100644 --- a/pc-bios/s390-ccw/bootmap.c 
+++ b/pc-bios/s390-ccw/bootmap.c @@ -15,6 +15,7 @@ #include "bootmap.h" #include "virtio.h" #include "bswap.h" +#include "secure-ipl.h" =20 #ifdef DEBUG /* #define DEBUG_FALLBACK */ @@ -617,7 +618,7 @@ static int ipl_eckd(void) * Returns: length of the segment on success, * negative value on error. */ -static int zipl_load_segment(ComponentEntry *entry, uint64_t address) +int zipl_load_segment(ComponentEntry *entry, uint64_t address) { const int max_entries =3D (MAX_SECTOR_SIZE / sizeof(ScsiBlockPtr)); ScsiBlockPtr *bprs =3D (void *)sec; @@ -736,7 +737,19 @@ static int zipl_run(ScsiBlockPtr *pte) /* Load image(s) into RAM */ entry =3D (ComponentEntry *)(&header[1]); =20 - rc =3D zipl_run_normal(&entry, tmp_sec); + switch (boot_mode) { + case ZIPL_BOOT_MODE_SECURE_AUDIT: + rc =3D zipl_run_secure(&entry, tmp_sec); + break; + case ZIPL_BOOT_MODE_NORMAL: + rc =3D zipl_run_normal(&entry, tmp_sec); + break; + default: + puts("Unknown boot mode"); + rc =3D -1; + break; + } + if (rc) { return rc; } @@ -1103,17 +1116,33 @@ static int zipl_load_vscsi(void) * IPL starts here */ =20 +ZiplBootMode get_boot_mode(uint8_t hdr_flags) +{ + bool sipl_set =3D hdr_flags & DIAG308_IPIB_FLAGS_SIPL; + bool iplir_set =3D hdr_flags & DIAG308_IPIB_FLAGS_IPLIR; + + if (!sipl_set && iplir_set) { + return ZIPL_BOOT_MODE_SECURE_AUDIT; + } + + return ZIPL_BOOT_MODE_NORMAL; +} + void zipl_load(void) { VDev *vdev =3D virtio_get_device(); =20 if (vdev->is_cdrom) { + IPL_assert((boot_mode =3D=3D ZIPL_BOOT_MODE_NORMAL), + "Secure boot from ISO image is not supported!"); ipl_iso_el_torito(); puts("Failed to IPL this ISO image!"); return; } =20 if (virtio_get_device_type() =3D=3D VIRTIO_ID_NET) { + IPL_assert((boot_mode =3D=3D ZIPL_BOOT_MODE_NORMAL), + "Virtio net boot device does not support secure boot!"= ); netmain(); puts("Failed to IPL from this network!"); return; 
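Review bot: In get_boot_mode(), every flag combination other than IPLIR set with SIPL clear returns ZIPL_BOOT_MODE_NORMAL, including the case where DIAG308_IPIB_FLAGS_SIPL is set. An IPLB that carries the SIPL flag would then go through zipl_run_normal(), which skips signature entries, with no message on the console. Return a distinct value for the SIPL-set case so that the "Unknown boot mode" default in zipl_run() rejects it instead of falling back to an unverified boot, and add a comment above the function that spells out the flag-to-mode mapping.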
@@ -1124,6 +1153,9 @@ void zipl_load(void) return; } =20 + IPL_assert((boot_mode =3D=3D ZIPL_BOOT_MODE_NORMAL), + "Secure boot with the ECKD scheme is not supported!"); + switch (virtio_get_device_type()) { case VIRTIO_ID_BLOCK: zipl_load_vblk(); diff --git a/pc-bios/s390-ccw/bootmap.h b/pc-bios/s390-ccw/bootmap.h index 95943441d3..dc2783faa2 100644 --- a/pc-bios/s390-ccw/bootmap.h +++ b/pc-bios/s390-ccw/bootmap.h @@ -88,9 +88,18 @@ typedef struct BootMapTable { BootMapPointer entry[]; } __attribute__ ((packed)) BootMapTable; =20 +#define DER_SIGNATURE_FORMAT 1 + +typedef struct SignatureInformation { + uint8_t format; + uint8_t reserved[3]; + uint32_t sig_len; +} SignatureInformation; + typedef union ComponentEntryData { uint64_t load_psw; uint64_t load_addr; + SignatureInformation sig_info; } ComponentEntryData; =20 typedef struct ComponentEntry { @@ -113,6 +122,8 @@ typedef struct ScsiMbr { ScsiBlockPtr pt; /* block pointer to program table */ } __attribute__ ((packed)) ScsiMbr; =20 +int zipl_load_segment(ComponentEntry *entry, uint64_t address); + #define ZIPL_MAGIC "zIPL" #define ZIPL_MAGIC_EBCDIC "\xa9\xc9\xd7\xd3" #define IPL1_MAGIC "\xc9\xd7\xd3\xf1" /* =3D=3D "IPL1" in EBCDIC */ diff --git a/pc-bios/s390-ccw/main.c b/pc-bios/s390-ccw/main.c index 819f053009..106cdf9dec 100644 --- a/pc-bios/s390-ccw/main.c +++ b/pc-bios/s390-ccw/main.c @@ -28,6 +28,7 @@ IplParameterBlock *iplb; bool have_iplb; static uint16_t cutype; LowCore *lowcore; /* Yes, this *is* a pointer to address 0 */ +ZiplBootMode boot_mode; =20 #define LOADPARM_PROMPT "PROMPT " #define LOADPARM_EMPTY " " @@ -275,6 +276,9 @@ static void ipl_boot_device(void) switch (cutype) { case CU_TYPE_DASD_3990: case CU_TYPE_DASD_2107: + IPL_assert((boot_mode =3D=3D ZIPL_BOOT_MODE_NORMAL), + "Passthrough (vfio) CCW device does not support secure= boot!"); + dasd_ipl(blk_schid, cutype); break; case CU_TYPE_VIRTIO: 
@@ -324,6 +328,8 @@ void main(void) probe_boot_device(); } =20 + boot_mode =3D get_boot_mode(iplb->hdr_flags); + while (have_iplb) { boot_setup(); if (have_iplb && find_boot_device()) { diff --git a/pc-bios/s390-ccw/s390-ccw.h b/pc-bios/s390-ccw/s390-ccw.h index b1dc35cded..a0d568696a 100644 --- a/pc-bios/s390-ccw/s390-ccw.h +++ b/pc-bios/s390-ccw/s390-ccw.h @@ -40,6 +40,22 @@ typedef unsigned long long u64; ((b) =3D=3D 0 ? (a) : (MIN(a, b)))) #endif =20 +/* + * Round number down to multiple. Requires that d be a power of 2. + * Works even if d is a smaller type than n. + */ +#ifndef ROUND_DOWN +#define ROUND_DOWN(n, d) ((n) & -(0 ? (n) : (d))) +#endif + +/* + * Round number up to multiple. Requires that d be a power of 2. + * Works even if d is a smaller type than n. + */ +#ifndef ROUND_UP +#define ROUND_UP(n, d) ROUND_DOWN((n) + (d) - 1, (d)) +#endif + #define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0])) =20 #include "cio.h" @@ -64,6 +80,8 @@ void sclp_print(const char *string); void sclp_set_write_mask(uint32_t receive_mask, uint32_t send_mask); void sclp_setup(void); void sclp_get_loadparm_ascii(char *loadparm); +bool sclp_is_diag320_on(void); +bool sclp_is_sipl_on(void); int sclp_read(char *str, size_t count); =20 /* virtio.c */ @@ -76,6 +94,15 @@ int virtio_read(unsigned long sector, void *load_addr); /* bootmap.c */ void zipl_load(void); =20 +typedef enum ZiplBootMode { + ZIPL_BOOT_MODE_NORMAL =3D 0, + ZIPL_BOOT_MODE_SECURE_AUDIT =3D 1, +} ZiplBootMode; + +extern ZiplBootMode boot_mode; + +ZiplBootMode get_boot_mode(uint8_t hdr_flags); + /* jump2ipl.c */ void write_reset_psw(uint64_t psw); int jump_to_IPL_code(uint64_t address); diff --git a/pc-bios/s390-ccw/sclp.c b/pc-bios/s390-ccw/sclp.c index 4a07de018d..e3b6a1f07e 100644 --- a/pc-bios/s390-ccw/sclp.c +++ b/pc-bios/s390-ccw/sclp.c 
@@ -113,6 +113,44 @@ void sclp_get_loadparm_ascii(char *loadparm) } } =20 +bool sclp_is_diag320_on(void) +{ + ReadInfo *sccb =3D (void *)_sccb; + uint8_t fac134 =3D 0; + + memset((char *)_sccb, 0, sizeof(ReadInfo)); + sccb->h.length =3D SCCB_SIZE; + if (!sclp_service_call(SCLP_CMDW_READ_SCP_INFO, sccb)) { + fac134 =3D sccb->fac134; + } + + return fac134 & SCCB_FAC134_DIAG320_BIT; +} + +/* + * Get fac_ipl (byte 136 and byte 137 of the SCLP Read Info block) + * for IPL device facilities. + */ +static void sclp_get_fac_ipl(uint16_t *fac_ipl) +{ + + ReadInfo *sccb =3D (void *)_sccb; + + memset((char *)_sccb, 0, sizeof(ReadInfo)); + sccb->h.length =3D SCCB_SIZE; + if (!sclp_service_call(SCLP_CMDW_READ_SCP_INFO, sccb)) { + *fac_ipl =3D sccb->fac_ipl; + } +} + +bool sclp_is_sipl_on(void) +{ + uint16_t fac_ipl =3D 0; + + sclp_get_fac_ipl(&fac_ipl); + return fac_ipl & SCCB_FAC_IPL_SIPL_BIT; +} + int sclp_read(char *str, size_t count) { ReadEventData *sccb =3D (void *)_sccb; diff --git a/pc-bios/s390-ccw/sclp.h b/pc-bios/s390-ccw/sclp.h index 64b53cad29..cf147f4634 100644 --- a/pc-bios/s390-ccw/sclp.h +++ b/pc-bios/s390-ccw/sclp.h @@ -50,6 +50,8 @@ typedef struct SCCBHeader { } __attribute__((packed)) SCCBHeader; =20 #define SCCB_DATA_LEN (SCCB_SIZE - sizeof(SCCBHeader)) +#define SCCB_FAC134_DIAG320_BIT 0x4 +#define SCCB_FAC_IPL_SIPL_BIT 0x4000 =20 typedef struct ReadInfo { SCCBHeader h; @@ -57,6 +59,10 @@ typedef struct ReadInfo { uint8_t rnsize; uint8_t reserved[13]; uint8_t loadparm[LOADPARM_LEN]; + uint8_t reserved1[102]; + uint8_t fac134; + uint8_t reserved2; + uint16_t fac_ipl; } __attribute__((packed)) ReadInfo; =20 typedef struct SCCB { diff --git a/pc-bios/s390-ccw/secure-ipl.c b/pc-bios/s390-ccw/secure-ipl.c new file mode 100644 index 0000000000..8d281c1cea --- /dev/null +++ b/pc-bios/s390-ccw/secure-ipl.c 
@@ -0,0 +1,357 @@ +/* + * S/390 Secure IPL + * + * Functions to support IPL in secure boot mode (DIAG 320, DIAG 508, + * signature verification, and certificate handling). + * + * For secure IPL overview: docs/system/s390x/secure-ipl.rst + * For secure IPL technical: docs/specs/s390x-secure-ipl.rst + * + * Copyright 2025 IBM Corp. + * Author(s): Zhuoying Cai + * + * SPDX-License-Identifier: GPL-2.0-or-later + */ + +#include +#include +#include +#include "bootmap.h" +#include "s390-ccw.h" +#include "secure-ipl.h" + +static uint8_t vcb_data[MAX_SECTOR_SIZE * 4] __attribute__((__aligned__(PA= GE_SIZE))); +static uint8_t vcssb_data[VCSSB_MIN_LEN] __attribute__((__aligned__(8))); + +VCStorageSizeBlock *zipl_secure_get_vcssb(void) +{ + VCStorageSizeBlock *vcssb; + + vcssb =3D (VCStorageSizeBlock *)vcssb_data; + /* avoid retrieving vcssb multiple times */ + if (vcssb->length >=3D VCSSB_MIN_LEN) { + return vcssb; + } + + if (!is_cert_store_facility_supported()) { + puts("Certificate Store Facility is not supported by the hyperviso= r!"); + return NULL; + } + + vcssb->length =3D VCSSB_MIN_LEN; + if (diag320(vcssb, DIAG_320_SUBC_QUERY_VCSI) !=3D DIAG_320_RC_OK) { + vcssb->length =3D 0; + return NULL; + } + + return vcssb; +} + +static uint32_t get_total_certs_length(void) +{ + VCStorageSizeBlock *vcssb; + + vcssb =3D zipl_secure_get_vcssb(); + if (vcssb =3D=3D NULL) { + return 0; + } + + return vcssb->total_vcb_len - VCB_HEADER_LEN - vcssb->total_vc_ct * VC= E_HEADER_LEN; +} + +static uint32_t request_certificate(uint8_t *cert_addr, uint8_t index) +{ + VCStorageSizeBlock *vcssb; + VCBlock *vcb; + VCEntry *vce; + uint32_t cert_len =3D 0; + + /* Get Verification Certificate Storage Size block with DIAG320 subcod= e 1 */ + vcssb =3D zipl_secure_get_vcssb(); + if (vcssb =3D=3D NULL) { + return 0; + } + + /* + * Request single entry + * Fill input fields of single-entry VCB + */ + vcb =3D (VCBlock *)vcb_data; + vcb->in_len =3D ROUND_UP(vcssb->max_single_vcb_len, PAGE_SIZE); + 
vcb->first_vc_index =3D index; + vcb->last_vc_index =3D index; + + if (diag320(vcb, DIAG_320_SUBC_STORE_VC) !=3D DIAG_320_RC_OK) { + goto out; + } + + if (vcb->out_len =3D=3D VCB_HEADER_LEN) { + puts("No certificate entry"); + goto out; + } + + if (vcb->remain_ct !=3D 0) { + puts("Not enough memory to store all requested certificates"); + goto out; + } + + vce =3D (VCEntry *)vcb->vce_buf; + if (!(vce->flags & DIAG_320_VCE_FLAGS_VALID)) { + puts("Invalid certificate"); + goto out; + } + + cert_len =3D vce->cert_len; + memcpy(cert_addr, (uint8_t *)vce + vce->cert_offset, vce->cert_len); + memcpy(vcb_data, 0, sizeof(vcb_data)); + +out: + return cert_len; +} + +static void cert_list_add(IplSignatureCertificateList *cert_list, int cert= _index, + uint8_t *cert_addr, uint64_t cert_len) +{ + if (cert_index > MAX_CERTIFICATES - 1) { + printf("Warning: Ignoring cert entry #%d because only %d entries a= re supported\n", + cert_index + 1, MAX_CERTIFICATES); + return; + } + + cert_list->cert_entries[cert_index].addr =3D (uint64_t)cert_addr; + cert_list->cert_entries[cert_index].len =3D cert_len; + cert_list->ipl_info_header.len +=3D sizeof(cert_list->cert_entries[cer= t_index]); +} + +static void comp_list_add(IplDeviceComponentList *comp_list, int comp_inde= x, + int cert_index, uint64_t comp_addr, + uint64_t comp_len, uint8_t flags) +{ + if (comp_index > MAX_CERTIFICATES - 1) { + printf("Warning: Ignoring comp entry #%d because only %d entries a= re supported\n", + comp_index + 1, MAX_CERTIFICATES); + return; + } + + comp_list->device_entries[comp_index].addr =3D comp_addr; + comp_list->device_entries[comp_index].len =3D comp_len; + comp_list->device_entries[comp_index].flags =3D flags; + comp_list->device_entries[comp_index].cert_index =3D cert_index; + comp_list->ipl_info_header.len +=3D sizeof(comp_list->device_entries[c= omp_index]); +} + +static void update_iirb(IplDeviceComponentList *comp_list, + IplSignatureCertificateList *cert_list) +{ + IplInfoReportBlock *iirb; + 
IplDeviceComponentList *iirb_comps; + IplSignatureCertificateList *iirb_certs; + uint32_t iirb_hdr_len; + uint32_t comps_len; + uint32_t certs_len; + + if (iplb->len % 8 !=3D 0) { + panic("IPL parameter block length field value is not multiple of 8= bytes"); + } + + iirb_hdr_len =3D sizeof(IplInfoReportBlockHeader); + comps_len =3D comp_list->ipl_info_header.len; + certs_len =3D cert_list->ipl_info_header.len; + if ((comps_len + certs_len + iirb_hdr_len) > sizeof(IplInfoReportBlock= )) { + panic("Not enough space to hold all components and certificates in= IIRB"); + } + + /* IIRB immediately follows IPLB */ + iirb =3D &ipl_data.iirb; + iirb->hdr.len =3D iirb_hdr_len; + + /* Copy IPL device component list after IIRB Header */ + iirb_comps =3D (IplDeviceComponentList *) iirb->info_blks; + memcpy(iirb_comps, comp_list, comps_len); + + /* Update IIRB length */ + iirb->hdr.len +=3D comps_len; + + /* Copy IPL sig cert list after IPL device component list */ + iirb_certs =3D (IplSignatureCertificateList *) (iirb->info_blks + + iirb_comps->ipl_info_hea= der.len); + memcpy(iirb_certs, cert_list, certs_len); + + /* Update IIRB length */ + iirb->hdr.len +=3D certs_len; +} + +static bool secure_ipl_supported(void) +{ + if (!sclp_is_sipl_on()) { + puts("Secure IPL Facility is not supported by the hypervisor!"); + return false; + } + + if (!is_signature_verif_supported()) { + puts("Secure IPL extensions are not supported by the hypervisor!"); + return false; + } + + if (!is_cert_store_facility_supported()) { + puts("Certificate Store Facility is not supported by the hyperviso= r!"); + return false; + } + + return true; +} + +static void init_lists(IplDeviceComponentList *comp_list, + IplSignatureCertificateList *cert_list) +{ + comp_list->ipl_info_header.type =3D IPL_INFO_BLOCK_TYPE_COMPONENTS; + comp_list->ipl_info_header.len =3D sizeof(comp_list->ipl_info_header); + + cert_list->ipl_info_header.type =3D IPL_INFO_BLOCK_TYPE_CERTIFICATES; + cert_list->ipl_info_header.len =3D 
sizeof(cert_list->ipl_info_header); +} + +static int zipl_load_signature(ComponentEntry *entry, uint64_t sig_sec) +{ + if (zipl_load_segment(entry, sig_sec) < 0) { + return -1; + } + + if (entry->compdat.sig_info.format !=3D DER_SIGNATURE_FORMAT) { + puts("Signature is not in DER format"); + return -1; + } + + return entry->compdat.sig_info.sig_len; +} + +int zipl_run_secure(ComponentEntry **entry_ptr, uint8_t *tmp_sec) +{ + IplDeviceComponentList comp_list =3D { 0 }; + IplSignatureCertificateList cert_list =3D { 0 }; + ComponentEntry *entry =3D *entry_ptr; + uint8_t *cert_addr =3D NULL; + uint64_t *sig =3D NULL; + int cert_entry_idx =3D 0; + int comp_entry_idx =3D 0; + uint64_t comp_addr; + int comp_len; + uint32_t sig_len =3D 0; + uint64_t cert_len =3D -1; + uint8_t cert_table_idx =3D -1; + int cert_index; + uint8_t flags; + bool verified; + /* + * Keep track of which certificate store indices correspond to the + * certificate data entries within the IplSignatureCertificateList to + * prevent allocating space for the same certificate multiple times. + * + * The array index corresponds to the certificate's cert-store index. + * + * The array value corresponds to the certificate's entry within the + * IplSignatureCertificateList (with a value of -1 denoting no entry + * exists for the certificate). + */ + int cert_list_table[MAX_CERTIFICATES] =3D { [0 ... 
MAX_CERTIFICATES - = 1] =3D -1 }; + int signed_count =3D 0; + + if (!secure_ipl_supported()) { + panic("Unable to boot in secure/audit mode"); + } + + init_lists(&comp_list, &cert_list); + cert_addr =3D malloc(get_total_certs_length()); + sig =3D malloc(MAX_SECTOR_SIZE); + + while (entry->component_type !=3D ZIPL_COMP_ENTRY_EXEC) { + switch (entry->component_type) { + case ZIPL_COMP_ENTRY_SIGNATURE: + if (sig_len) { + goto out; + } + + sig_len =3D zipl_load_signature(entry, (uint64_t)sig); + if (sig_len < 0) { + goto out; + } + break; + case ZIPL_COMP_ENTRY_LOAD: + comp_addr =3D entry->compdat.load_addr; + comp_len =3D zipl_load_segment(entry, comp_addr); + if (comp_len < 0) { + goto out; + } + + if (!sig_len) { + break; + } + + verified =3D verify_signature(comp_len, comp_addr, sig_len, (u= int64_t)sig, + &cert_len, &cert_table_idx); + + /* default cert index and flags for unverified component */ + cert_index =3D -1; + flags =3D S390_IPL_DEV_COMP_FLAG_SC; + + if (verified) { + if (cert_list_table[cert_table_idx] =3D=3D -1) { + if (!request_certificate(cert_addr, cert_table_idx)) { + puts("Could not get certificate"); + goto out; + } + + cert_list_table[cert_table_idx] =3D cert_entry_idx; + cert_list_add(&cert_list, cert_entry_idx, cert_addr, c= ert_len); + + /* increment for the next certificate */ + cert_entry_idx++; + cert_addr +=3D cert_len; + } + + puts("Verified component"); + cert_index =3D cert_list_table[cert_table_idx]; + flags |=3D S390_IPL_DEV_COMP_FLAG_CSV; + } + + comp_list_add(&comp_list, comp_entry_idx, cert_index, + comp_addr, comp_len, flags); + + if (!verified) { + zipl_secure_handle("Could not verify component"); + } + + comp_entry_idx++; + signed_count +=3D 1; + /* After a signature is used another new one can be accepted */ + sig_len =3D 0; + break; + default: + puts("Unknown component entry type"); + return -1; + } + + entry++; + + if ((uint8_t *)(&entry[1]) > tmp_sec + MAX_SECTOR_SIZE) { + puts("Wrong entry value"); + return -EINVAL; + } + } 
+ + if (signed_count =3D=3D 0) { + zipl_secure_handle("Secure boot is on, but components are not sign= ed"); + } + + update_iirb(&comp_list, &cert_list); + + *entry_ptr =3D entry; + free(sig); + + return 0; +out: + free(cert_addr); + free(sig); + + return -1; +} diff --git a/pc-bios/s390-ccw/secure-ipl.h b/pc-bios/s390-ccw/secure-ipl.h new file mode 100644 index 0000000000..eb5ba0ed47 --- /dev/null +++ b/pc-bios/s390-ccw/secure-ipl.h 
@@ -0,0 +1,102 @@ +/* + * S/390 Secure IPL + * + * Copyright 2025 IBM Corp. + * Author(s): Zhuoying Cai + * + * SPDX-License-Identifier: GPL-2.0-or-later + */ + +#ifndef _PC_BIOS_S390_CCW_SECURE_IPL_H +#define _PC_BIOS_S390_CCW_SECURE_IPL_H + +#include +#include + +VCStorageSizeBlock *zipl_secure_get_vcssb(void); +int zipl_run_secure(ComponentEntry **entry_ptr, uint8_t *tmp_sec); + +static inline void zipl_secure_handle(const char *message) +{ + switch (boot_mode) { + case ZIPL_BOOT_MODE_SECURE_AUDIT: + IPL_check(false, message); + break; + default: + break; + } +} + +static inline uint64_t diag320(void *data, unsigned long subcode) +{ + register unsigned long addr asm("0") =3D (unsigned long)data; + register unsigned long rc asm("1") =3D 0; + + asm volatile ("diag %0,%2,0x320\n" + : "+d" (addr), "+d" (rc) + : "d" (subcode) + : "memory", "cc"); + return rc; +} + +static inline bool is_cert_store_facility_supported(void) +{ + uint32_t d320_ism; + + if (!sclp_is_diag320_on()) { + return false; + } + + diag320(&d320_ism, DIAG_320_SUBC_QUERY_ISM); + return d320_ism & (DIAG_320_ISM_QUERY_VCSI | DIAG_320_ISM_STORE_VC); +} + +static inline uint64_t _diag508(void *data, unsigned long subcode) +{ + register unsigned long addr asm("0") =3D (unsigned long)data; + register unsigned long rc asm("1") =3D 0; + + asm volatile ("diag %0,%2,0x508\n" + : "+d" (addr), "+d" (rc) + : "d" (subcode) + : "memory", "cc"); + return rc; +} + +static inline bool is_signature_verif_supported(void) +{ + uint64_t d508_subcodes; + + d508_subcodes =3D _diag508(NULL, DIAG_508_SUBC_QUERY_SUBC); + return d508_subcodes & DIAG_508_SUBC_SIG_VERIF; +} + +static inline bool verify_signature(uint64_t comp_len, uint64_t comp_addr, + uint64_t sig_len, uint64_t sig_addr, + uint64_t *cert_len, uint8_t *cert_idx) +{ + Diag508SigVerifBlock svb; + + svb.length =3D sizeof(Diag508SigVerifBlock); + svb.version =3D 0; + svb.comp_len =3D comp_len; + svb.comp_addr =3D comp_addr; + svb.sig_len =3D sig_len; + svb.sig_addr 
=3D sig_addr; + + if (_diag508(&svb, DIAG_508_SUBC_SIG_VERIF) =3D=3D DIAG_508_RC_OK) { + *cert_len =3D svb.cert_len; + /* + * DIAG 508 utilizes an index origin of 0 when indexing the cert s= tore. + * The cert_idx will be used for DIAG 320 data structures, which e= xpects + * an index origin of 1. Account for the offset here so it's easie= r to + * manage later. + */ + *cert_idx =3D svb.cert_store_index + 1; + return true; + } + + return false; +} + +#endif /* _PC_BIOS_S390_CCW_SECURE_IPL_H */ --=20 2.53.0
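Review bot: in zipl_run_secure() in the new pc-bios/s390-ccw/secure-ipl.c, sig_len is declared uint32_t, so the `if (sig_len < 0)` test after zipl_load_signature() can never be true and a -1 return is carried forward as a signature length of 0xffffffff into verify_signature(); hold the return value in a signed variable and check it before assigning sig_len. In the same file, request_certificate() ends with `memcpy(vcb_data, 0, sizeof(vcb_data));`, which copies from address 0 instead of clearing the buffer and looks like it was meant to be memset(). The out: label calls free(cert_addr) after the loop may have advanced it with `cert_addr +=3D cert_len`, so the pointer passed to free() is no longer the one malloc() returned, and the `return -1` (unknown component type) and `return -EINVAL` (wrong entry value) paths skip both frees. The results of both malloc() calls are used without a NULL check. cert_table_idx is set by verify_signature() to svb.cert_store_index + 1 and is then used directly as an index into cert_list_table[MAX_CERTIFICATES]; add a range check before the lookup.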
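Review bot: is_cert_store_facility_supported() in the new pc-bios/s390-ccw/secure-ipl.h ignores the return code of `diag320(&d320_ism, DIAG_320_SUBC_QUERY_ISM)` and leaves d320_ism uninitialized, so a failed query tests an indeterminate stack value; initialize it to 0 and check the return code against DIAG_320_RC_OK as zipl_secure_get_vcssb() does. The test `d320_ism & (DIAG_320_ISM_QUERY_VCSI | DIAG_320_ISM_STORE_VC)` is true when only one of the two subcodes is installed, while secure-ipl.c issues both, so compare the masked value against the full mask. In verify_signature(), svb is a stack variable with only six fields assigned before the DIAG 508 call; zero-initialize it so fields such as cert_len and cert_store_index, and anything not listed here, do not start with indeterminate contents.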
From: Zhuoying Cai
To: thuth@redhat.com, berrange@redhat.com, jrossi@linux.ibm.com, qemu-s390x@nongnu.org, qemu-devel@nongnu.org
Cc: richard.henderson@linaro.org, pierrick.bouvier@linaro.org, david@kernel.org, walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com, brueckner@linux.ibm.com, jdaley@linux.ibm.com
Subject: [PATCH v9 20/30] pc-bios/s390-ccw: Add signed component address overlap checks
Date: Thu, 5 Mar 2026 17:41:35 -0500
Message-ID: <20260305224146.664053-21-zycai@linux.ibm.com>
In-Reply-To: <20260305224146.664053-1-zycai@linux.ibm.com>
References: <20260305224146.664053-1-zycai@linux.ibm.com>

Add address range tracking and overlap checks to ensure that no component overlaps with a signed component during secure IPL.

Signed-off-by: Zhuoying Cai
---
 pc-bios/s390-ccw/secure-ipl.c | 52 +++++++++++++++++++++++++++++++++++
 pc-bios/s390-ccw/secure-ipl.h | 6 ++++
 2 files changed, 58 insertions(+)

diff --git a/pc-bios/s390-ccw/secure-ipl.c b/pc-bios/s390-ccw/secure-ipl.c index 8d281c1cea..68596491c5 100644
--- a/pc-bios/s390-ccw/secure-ipl.c +++ b/pc-bios/s390-ccw/secure-ipl.c @@ -211,6 +211,53 @@ static void init_lists(IplDeviceComponentList *comp_li= st, cert_list->ipl_info_header.len =3D sizeof(cert_list->ipl_info_header); } =20 +static bool is_comp_overlap(SecureIplCompAddrRange *comp_addr_range, + int addr_range_index, + uint64_t start_addr, uint64_t end_addr) +{ + /* neither a signed nor an unsigned component can overlap with a signe= d component */ + for (int i =3D 0; i < addr_range_index; i++) { + if ((comp_addr_range[i].start_addr < end_addr && + start_addr < comp_addr_range[i].end_addr) && + comp_addr_range[i].is_signed) { + return true; + } + } + + return false; +} + +static void comp_addr_range_add(SecureIplCompAddrRange *comp_addr_range, + int addr_range_index, bool is_signed, + uint64_t start_addr, uint64_t end_addr) +{ + if (addr_range_index >=3D MAX_CERTIFICATES) { + zipl_secure_handle("Component address range update failed due to o= ut-of-range" + " index; Overlapping validation cannot be guara= nteed"); + } + + comp_addr_range[addr_range_index].is_signed =3D is_signed; + comp_addr_range[addr_range_index].start_addr =3D start_addr; + comp_addr_range[addr_range_index].end_addr =3D end_addr; +} + +static void addr_overlap_check(SecureIplCompAddrRange *comp_addr_range, + int *addr_range_index, + uint64_t start_addr, uint64_t end_addr, boo= l is_signed) +{ + bool overlap; + + overlap =3D is_comp_overlap(comp_addr_range, *addr_range_index, + start_addr, end_addr); + if (overlap) { + zipl_secure_handle("Component addresses overlap"); + } + + comp_addr_range_add(comp_addr_range, *addr_range_index, is_signed, + start_addr, end_addr); + *addr_range_index +=3D 1; +} + static int zipl_load_signature(ComponentEntry *entry, uint64_t sig_sec) { if (zipl_load_segment(entry, sig_sec) < 0) { 
@@ -254,6 +301,8 @@ int zipl_run_secure(ComponentEntry **entry_ptr, uint8_t= *tmp_sec) * exists for the certificate). */ int cert_list_table[MAX_CERTIFICATES] =3D { [0 ... MAX_CERTIFICATES - = 1] =3D -1 }; + SecureIplCompAddrRange comp_addr_range[MAX_CERTIFICATES]; + int addr_range_index =3D 0; int signed_count =3D 0; =20 if (!secure_ipl_supported()) { @@ -283,6 +332,9 @@ int zipl_run_secure(ComponentEntry **entry_ptr, uint8_t= *tmp_sec) goto out; } =20 + addr_overlap_check(comp_addr_range, &addr_range_index, + comp_addr, comp_addr + comp_len, sig_len > = 0); + if (!sig_len) { break; } diff --git a/pc-bios/s390-ccw/secure-ipl.h b/pc-bios/s390-ccw/secure-ipl.h index eb5ba0ed47..69edfce241 100644 --- a/pc-bios/s390-ccw/secure-ipl.h +++ b/pc-bios/s390-ccw/secure-ipl.h 
@@ -16,6 +16,12 @@ VCStorageSizeBlock *zipl_secure_get_vcssb(void); int zipl_run_secure(ComponentEntry **entry_ptr, uint8_t *tmp_sec); =20 +typedef struct SecureIplCompAddrRange { + bool is_signed; + uint64_t start_addr; + uint64_t end_addr; +} SecureIplCompAddrRange; + static inline void zipl_secure_handle(const char *message) { switch (boot_mode) { --=20 2.53.0
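Review bot: SecureIplCompAddrRange in pc-bios/s390-ccw/secure-ipl.h does not say whether end_addr is the last byte of the component or one past it. Later in this series the range is filled from a call that passes comp_addr + comp_len, and is_psw_valid() compares against end_addr - 2, so both sides depend on the same unstated convention. A one-line comment on the struct fixing the bound as inclusive or exclusive would keep the overlap and containment checks from drifting apart by one byte.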
From: Zhuoying Cai
To: thuth@redhat.com, berrange@redhat.com, jrossi@linux.ibm.com, qemu-s390x@nongnu.org, qemu-devel@nongnu.org
Cc: richard.henderson@linaro.org, pierrick.bouvier@linaro.org, david@kernel.org, walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com, brueckner@linux.ibm.com, jdaley@linux.ibm.com
Subject: [PATCH v9 21/30] s390x: Guest support for Secure-IPL Code Loading Attributes Facility (SCLAF)
Date: Thu, 5 Mar 2026 17:41:36 -0500
Message-ID: <20260305224146.664053-22-zycai@linux.ibm.com>
In-Reply-To: <20260305224146.664053-1-zycai@linux.ibm.com>
References: <20260305224146.664053-1-zycai@linux.ibm.com>

The secure-IPL-code-loading-attributes facility (SCLAF) provides additional security during secure IPL. Availability of SCLAF is determined by byte 136 bit 3 of the SCLP Read Info block. This feature is available starting with the gen16 CPU model.
Signed-off-by: Zhuoying Cai Reviewed-by: Collin Walling --- docs/specs/s390x-secure-ipl.rst | 19 +++++++++++++++++++ target/s390x/cpu_features.c | 2 ++ target/s390x/cpu_features_def.h.inc | 1 + target/s390x/cpu_models.c | 3 +++ target/s390x/gen-features.c | 2 ++ target/s390x/kvm/kvm.c | 1 + 6 files changed, 28 insertions(+) diff --git a/docs/specs/s390x-secure-ipl.rst b/docs/specs/s390x-secure-ipl.= rst index fc37de52b9..9903b9dcf2 100644 --- a/docs/specs/s390x-secure-ipl.rst +++ b/docs/specs/s390x-secure-ipl.rst @@ -109,3 +109,22 @@ operations such as: =20 The guest's kernel inspects the IIRB and uses the certificate data it cont= ains to build the keyring. + + +Secure Code Loading Attributes Facility +--------------------------------------- + +The Secure Code Loading Attributes Facility (SCLAF) enhances system securi= ty +during the IPL by enforcing additional verification rules. + +When SCLAF is available, its behavior depends on the IPL mode. It introduc= es +verification of both signed and unsigned components to help ensure that on= ly +authorized code is loaded during the IPL process. Any errors detected by S= CLAF +are reported in the IIRB. + +Unsigned components are restricted to load addresses at or above absolute +storage address ``0x2000``. + +Signed components must include a Secure Code Loading Attribute Block (SCLA= B), +which is appended at the very end of the component. The SCLAB defines secu= rity +attributes for handling the signed code. diff --git a/target/s390x/cpu_features.c b/target/s390x/cpu_features.c index 200bd8c15b..29ea3bfec2 100644 --- a/target/s390x/cpu_features.c +++ b/target/s390x/cpu_features.c 
@@ -120,6 +120,7 @@ void s390_fill_feat_block(const S390FeatBitmap features= , S390FeatType type, * - All SIE facilities because SIE is not available * - DIAG318 * - Secure IPL Facility + * - Secure IPL Code Loading Attributes Facility * * As VMs can move in and out of protected mode the CPU model * doesn't protect us from that problem because it is only @@ -152,6 +153,7 @@ void s390_fill_feat_block(const S390FeatBitmap features= , S390FeatType type, break; case S390_FEAT_TYPE_SCLP_FAC_IPL: clear_be_bit(s390_feat_def(S390_FEAT_SIPL)->bit, data); + clear_be_bit(s390_feat_def(S390_FEAT_SCLAF)->bit, data); break; default: return; diff --git a/target/s390x/cpu_features_def.h.inc b/target/s390x/cpu_feature= s_def.h.inc index bcf8a666e4..f6ba9e87e1 100644 --- a/target/s390x/cpu_features_def.h.inc +++ b/target/s390x/cpu_features_def.h.inc @@ -142,6 +142,7 @@ DEF_FEAT(CERT_STORE, "cstore", SCLP_FAC134, 5, "Certifi= cate Store functions") =20 /* Features exposed via SCLP SCCB Facilities byte 136 - 137 (bit numbers r= elative to byte-136) */ DEF_FEAT(SIPL, "sipl", SCLP_FAC_IPL, 1, "Secure-IPL facility") +DEF_FEAT(SCLAF, "sclaf", SCLP_FAC_IPL, 3, "Secure-IPL-code-loading-attribu= tes facility") =20 /* Features exposed via SCLP CPU info. */ DEF_FEAT(SIE_F2, "sief2", SCLP_CPU, 4, "SIE: interception format 2 (Virtua= l SIE)") diff --git a/target/s390x/cpu_models.c b/target/s390x/cpu_models.c index f99536ef9a..7d214b5f72 100644 --- a/target/s390x/cpu_models.c +++ b/target/s390x/cpu_models.c @@ -264,6 +264,7 @@ bool s390_has_feat(S390Feat feat) case S390_FEAT_SIE_PFMFI: case S390_FEAT_SIE_IBS: case S390_FEAT_SIPL: + case S390_FEAT_SCLAF: case S390_FEAT_CONFIGURATION_TOPOLOGY: return false; break; 
@@ -509,6 +510,8 @@ static void check_consistency(const S390CPUModel *model) { S390_FEAT_DIAG_318, S390_FEAT_EXTENDED_LENGTH_SCCB }, { S390_FEAT_CERT_STORE, S390_FEAT_EXTENDED_LENGTH_SCCB }, { S390_FEAT_SIPL, S390_FEAT_EXTENDED_LENGTH_SCCB }, + { S390_FEAT_SCLAF, S390_FEAT_EXTENDED_LENGTH_SCCB }, + { S390_FEAT_SCLAF, S390_FEAT_SIPL }, { S390_FEAT_NNPA, S390_FEAT_VECTOR }, { S390_FEAT_RDP, S390_FEAT_LOCAL_TLB_CLEARING }, { S390_FEAT_UV_FEAT_AP, S390_FEAT_AP }, diff --git a/target/s390x/gen-features.c b/target/s390x/gen-features.c index bd2060ab93..c3e0c6ceff 100644 --- a/target/s390x/gen-features.c +++ b/target/s390x/gen-features.c @@ -722,6 +722,7 @@ static uint16_t full_GEN16_GA1[] =3D { S390_FEAT_UV_FEAT_AP_INTR, S390_FEAT_CERT_STORE, S390_FEAT_SIPL, + S390_FEAT_SCLAF, }; =20 static uint16_t full_GEN17_GA1[] =3D { @@ -924,6 +925,7 @@ static uint16_t qemu_MAX[] =3D { S390_FEAT_EXTENDED_LENGTH_SCCB, S390_FEAT_CERT_STORE, S390_FEAT_SIPL, + S390_FEAT_SCLAF, }; =20 /****** END FEATURE DEFS ******/ diff --git a/target/s390x/kvm/kvm.c b/target/s390x/kvm/kvm.c index 40197cca7a..6b7c606742 100644 --- a/target/s390x/kvm/kvm.c +++ b/target/s390x/kvm/kvm.c 
@@ -2520,6 +2520,7 @@ bool kvm_s390_get_host_cpu_model(S390CPUModel *model,= Error **errp) =20 /* Some Secure IPL facilities are emulated by QEMU */ set_bit(S390_FEAT_SIPL, model->features); + set_bit(S390_FEAT_SCLAF, model->features); =20 /* Test for Ultravisor features that influence secure guest behavior */ query_uv_feat_guest(model->features); --=20 2.53.0
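Review bot: in the docs/specs/s390x-secure-ipl.rst hunk of patch 21/30, the new section says that SCLAF behavior "depends on the IPL mode" but never states what differs between the modes. Please spell out, per mode, which findings stop the IPL and which are only recorded in the IIRB, so that a reader of the spec can tell what each mode actually enforces for the ``0x2000`` rule and for a missing or malformed SCLAB.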
From: Zhuoying Cai
To: thuth@redhat.com, berrange@redhat.com, jrossi@linux.ibm.com, qemu-s390x@nongnu.org, qemu-devel@nongnu.org
Cc: richard.henderson@linaro.org, pierrick.bouvier@linaro.org, david@kernel.org, walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com, brueckner@linux.ibm.com, jdaley@linux.ibm.com
Subject: [PATCH v9 22/30] pc-bios/s390-ccw: Add additional security checks for secure boot
Date: Thu, 5 Mar 2026 17:41:37 -0500
Message-ID: <20260305224146.664053-23-zycai@linux.ibm.com>
In-Reply-To: <20260305224146.664053-1-zycai@linux.ibm.com>
References: <20260305224146.664053-1-zycai@linux.ibm.com>

Add additional checks to ensure that components do not overlap with signed components when loaded into memory. Add additional checks to ensure the load addresses of unsigned components are greater than or equal to 0x2000. When the secure IPL code loading attributes facility (SCLAF) is installed, all signed components must contain a secure code loading attributes block (SCLAB).
The SCLAB provides further validation of information on where to load the signed binary code from the load device, and where to start the execution of the loaded OS code. When SCLAF is installed, its content must be evaluated during secure IPL. However, a missing SCLAB will not be reported in audit mode. The SCLAB checking will be skipped in this case. Add IPL Information Error Indicators (IIEI) and Component Error Indicators (CEI) for IPL Information Report Block (IIRB). When SCLAF is installed, additional secure boot checks are performed during zipl and the results of verification are stored in the IIRB. Signed-off-by: Zhuoying Cai --- include/hw/s390x/ipl/qipl.h | 29 +++- pc-bios/s390-ccw/s390-ccw.h | 1 + pc-bios/s390-ccw/sclp.c | 8 + pc-bios/s390-ccw/sclp.h | 1 + pc-bios/s390-ccw/secure-ipl.c | 314 +++++++++++++++++++++++++++++++++- pc-bios/s390-ccw/secure-ipl.h | 42 +++++ 6 files changed, 391 insertions(+), 4 deletions(-) diff --git a/include/hw/s390x/ipl/qipl.h b/include/hw/s390x/ipl/qipl.h index 1b6cb3231d..9518fcb1dc 100644 --- a/include/hw/s390x/ipl/qipl.h +++ b/include/hw/s390x/ipl/qipl.h @@ -136,10 +136,20 @@ struct IplInfoReportBlockHeader { }; typedef struct IplInfoReportBlockHeader IplInfoReportBlockHeader; =20 +/* IPL Info Error Indicators */ +#define S390_IIEI_NO_SIGNED_COMP 0x8000 /* bit 0 */ +#define S390_IIEI_NO_SCLAB 0x4000 /* bit 1 */ +#define S390_IIEI_NO_GLOBAL_SCLAB 0x2000 /* bit 2 */ +#define S390_IIEI_MORE_GLOBAL_SCLAB 0x1000 /* bit 3 */ +#define S390_IIEI_FOUND_UNSIGNED_COMP 0x800 /* bit 4 */ +#define S390_IIEI_MORE_SIGNED_COMP 0x400 /* bit 5 */ + struct IplInfoBlockHeader { uint32_t len; uint8_t type; - uint8_t reserved1[11]; + uint8_t reserved1[3]; + uint16_t iiei; + uint8_t reserved2[6]; }; typedef struct IplInfoBlockHeader IplInfoBlockHeader; =20 
@@ -163,13 +173,28 @@ typedef struct IplSignatureCertificateList IplSignatu= reCertificateList; #define S390_IPL_DEV_COMP_FLAG_SC 0x80 #define S390_IPL_DEV_COMP_FLAG_CSV 0x40 =20 +/* IPL Device Component Error Indicators */ +#define S390_CEI_INVALID_SCLAB 0x80000000 /* bit 0 */ +#define S390_CEI_INVALID_SCLAB_LEN 0x40000000 /* bit 1 */ +#define S390_CEI_INVALID_SCLAB_FORMAT 0x20000000 /* bit 2 */ +#define S390_CEI_UNMATCHED_SCLAB_LOAD_ADDR 0x10000000 /* bit 3 */ +#define S390_CEI_UNMATCHED_SCLAB_LOAD_PSW 0x8000000 /* bit 4 */ +#define S390_CEI_INVALID_LOAD_PSW 0x4000000 /* bit 5 */ +#define S390_CEI_NUC_NOT_IN_GLOBAL_SCLA 0x2000000 /* bit 6 */ +#define S390_CEI_SCLAB_OLA_NOT_ONE 0x1000000 /* bit 7 */ +#define S390_CEI_SC_NOT_IN_GLOBAL_SCLAB 0x800000 /* bit 8 */ +#define S390_CEI_SCLAB_LOAD_ADDR_NOT_ZERO 0x400000 /* bit 9 */ +#define S390_CEI_SCLAB_LOAD_PSW_NOT_ZERO 0x200000 /* bit 10 */ +#define S390_CEI_INVALID_UNSIGNED_ADDR 0x100000 /* bit 11 */ + struct IplDeviceComponentEntry { uint64_t addr; uint64_t len; uint8_t flags; uint8_t reserved1[5]; uint16_t cert_index; - uint8_t reserved2[8]; + uint32_t cei; + uint8_t reserved2[4]; }; typedef struct IplDeviceComponentEntry IplDeviceComponentEntry; =20 diff --git a/pc-bios/s390-ccw/s390-ccw.h b/pc-bios/s390-ccw/s390-ccw.h index a0d568696a..7d1a9d4acc 100644 --- a/pc-bios/s390-ccw/s390-ccw.h +++ b/pc-bios/s390-ccw/s390-ccw.h @@ -82,6 +82,7 @@ void sclp_setup(void); void sclp_get_loadparm_ascii(char *loadparm); bool sclp_is_diag320_on(void); bool sclp_is_sipl_on(void); +bool sclp_is_sclaf_on(void); int sclp_read(char *str, size_t count); =20 /* virtio.c */ diff --git a/pc-bios/s390-ccw/sclp.c b/pc-bios/s390-ccw/sclp.c index e3b6a1f07e..5dbddff9ae 100644 --- a/pc-bios/s390-ccw/sclp.c +++ b/pc-bios/s390-ccw/sclp.c 
@@ -151,6 +151,14 @@ bool sclp_is_sipl_on(void) return fac_ipl & SCCB_FAC_IPL_SIPL_BIT; } =20 +bool sclp_is_sclaf_on(void) +{ + uint16_t fac_ipl =3D 0; + + sclp_get_fac_ipl(&fac_ipl); + return fac_ipl & SCCB_FAC_IPL_SCLAF_BIT; +} + int sclp_read(char *str, size_t count) { ReadEventData *sccb =3D (void *)_sccb; diff --git a/pc-bios/s390-ccw/sclp.h b/pc-bios/s390-ccw/sclp.h index cf147f4634..3441020d6b 100644 --- a/pc-bios/s390-ccw/sclp.h +++ b/pc-bios/s390-ccw/sclp.h @@ -52,6 +52,7 @@ typedef struct SCCBHeader { #define SCCB_DATA_LEN (SCCB_SIZE - sizeof(SCCBHeader)) #define SCCB_FAC134_DIAG320_BIT 0x4 #define SCCB_FAC_IPL_SIPL_BIT 0x4000 +#define SCCB_FAC_IPL_SCLAF_BIT 0x1000 =20 typedef struct ReadInfo { SCCBHeader h; diff --git a/pc-bios/s390-ccw/secure-ipl.c b/pc-bios/s390-ccw/secure-ipl.c index 68596491c5..840b88a699 100644 --- a/pc-bios/s390-ccw/secure-ipl.c +++ b/pc-bios/s390-ccw/secure-ipl.c @@ -198,6 +198,12 @@ static bool secure_ipl_supported(void) return false; } =20 + if (!sclp_is_sclaf_on()) { + puts("Secure IPL Code Loading Attributes Facility is not supported= by" + " the hypervisor!"); + return false; + } + return true; } =20 
@@ -258,6 +264,286 @@ static void addr_overlap_check(SecureIplCompAddrRange= *comp_addr_range, *addr_range_index +=3D 1; } =20 +static void check_unsigned_addr(uint64_t load_addr, IplDeviceComponentEntr= y *comp_entry) +{ + /* unsigned load address must be greater than or equal to 0x2000 */ + if (load_addr >=3D 0x2000) { + return; + } + + set_comp_cei_with_log(comp_entry, S390_CEI_INVALID_UNSIGNED_ADDR, + "Load address is less than 0x2000"); +} + +static bool check_sclab_presence(uint8_t *sclab_magic, + IplDeviceComponentEntry *comp_entry) +{ + /* identifies the presence of SCLAB */ + if (magic_match(sclab_magic, ZIPL_MAGIC)) { + return true; + } + + if (comp_entry) { + comp_entry->cei |=3D S390_CEI_INVALID_SCLAB; + } + + /* a missing SCLAB will not be reported in audit mode */ + return false; +} + +static void check_sclab_length(uint16_t sclab_len, IplDeviceComponentEntry= *comp_entry) +{ + if (sclab_len >=3D S390_SECURE_IPL_SCLAB_MIN_LEN) { + return; + } + + set_comp_cei_with_log(comp_entry, + S390_CEI_INVALID_SCLAB_LEN | S390_CEI_INVALID_SC= LAB, + "Invalid SCLAB length"); +} + +static void check_sclab_format(uint8_t sclab_format, IplDeviceComponentEnt= ry *comp_entry) +{ + /* SCLAB format must set to zero, indicating a format-0 SCLAB being us= ed */ + if (sclab_format =3D=3D 0) { + return; + } + + set_comp_cei_with_log(comp_entry, S390_CEI_INVALID_SCLAB_FORMAT, + "Format-0 SCLAB is not being used"); +} + +static void check_sclab_opsw(SecureCodeLoadingAttributesBlock *sclab, + SecureIplSclabInfo *sclab_info, + IplDeviceComponentEntry *comp_entry) +{ + const char *msg; + uint32_t cei_flag =3D 0; + + if (!(sclab->flags & S390_SECURE_IPL_SCLAB_FLAG_OPSW)) { + /* OPSW =3D 0 - Load PSW field in SCLAB must contain zeros */ + if (sclab->load_psw !=3D 0) { + cei_flag |=3D S390_CEI_SCLAB_LOAD_PSW_NOT_ZERO; + msg =3D "Load PSW is not zero when Override PSW bit is zero"; + } + } else { + /* OPSW =3D 1 indicating global SCLAB */ + sclab_info->global_count +=3D 1; + if 
(sclab_info->global_count =3D=3D 1) { + sclab_info->load_psw =3D sclab->load_psw; + sclab_info->flags =3D sclab->flags; + } + + /* OLA must set to one */ + if (!(sclab->flags & S390_SECURE_IPL_SCLAB_FLAG_OLA)) { + cei_flag |=3D S390_CEI_SCLAB_OLA_NOT_ONE; + msg =3D "Override Load Address bit is not set to one in the gl= obal SCLAB"; + } + } + + if (cei_flag) { + set_comp_cei_with_log(comp_entry, cei_flag, msg); + } +} + +static void check_sclab_ola(SecureCodeLoadingAttributesBlock *sclab, uint6= 4_t load_addr, + IplDeviceComponentEntry *comp_entry) +{ + const char *msg; + uint32_t cei_flag =3D 0; + + if (!(sclab->flags & S390_SECURE_IPL_SCLAB_FLAG_OLA)) { + /* OLA =3D 0 - Load address field in SCLAB must contain zeros */ + if (sclab->load_addr !=3D 0) { + cei_flag |=3D S390_CEI_SCLAB_LOAD_ADDR_NOT_ZERO; + msg =3D "Load Address is not zero when Override Load Address b= it is zero"; + } + } else { + /* OLA =3D 1 - Load address field must match storage address of th= e component */ + if (sclab->load_addr !=3D load_addr) { + cei_flag |=3D S390_CEI_UNMATCHED_SCLAB_LOAD_ADDR; + msg =3D "Load Address does not match with component load addre= ss"; + } + } + + if (cei_flag) { + set_comp_cei_with_log(comp_entry, cei_flag, msg); + } +} + +static void check_sclab_nuc(uint16_t sclab_flags, IplDeviceComponentEntry = *comp_entry) +{ + const char *msg; + bool is_nuc_set; + bool is_global_sclab; + + is_nuc_set =3D sclab_flags & S390_SECURE_IPL_SCLAB_FLAG_NUC; + is_global_sclab =3D sclab_flags & S390_SECURE_IPL_SCLAB_FLAG_OPSW; + if (is_nuc_set && !is_global_sclab) { + msg =3D "No Unsigned Components bit is set, but not in the global = SCLAB"; + set_comp_cei_with_log(comp_entry, S390_CEI_NUC_NOT_IN_GLOBAL_SCLA,= msg); + } +} + +static void check_sclab_sc(uint16_t sclab_flags, IplDeviceComponentEntry *= comp_entry) +{ + const char *msg; + bool is_sc_set; + bool is_global_sclab; + + is_sc_set =3D sclab_flags & S390_SECURE_IPL_SCLAB_FLAG_SC; + is_global_sclab =3D sclab_flags & 
S390_SECURE_IPL_SCLAB_FLAG_OPSW; + if (is_sc_set && !is_global_sclab) { + msg =3D "Single Component bit is set, but not in the global SCLAB"; + set_comp_cei_with_log(comp_entry, S390_CEI_SC_NOT_IN_GLOBAL_SCLAB,= msg); + } +} + +static bool is_psw_valid(uint64_t psw, SecureIplCompAddrRange *comp_addr_r= ange, + int range_index) +{ + uint32_t addr =3D psw & 0x7fffffff; + + /* PSW points within a signed binary code component */ + for (int i =3D 0; i < range_index; i++) { + if (comp_addr_range[i].is_signed && + addr >=3D comp_addr_range[i].start_addr && + addr <=3D comp_addr_range[i].end_addr - 2) { + return true; + } + } + + return false; +} + +static void check_load_psw(SecureIplCompAddrRange *comp_addr_range, + int addr_range_index, uint64_t sclab_load_psw, + uint64_t load_psw, IplDeviceComponentEntry *com= p_entry) +{ + bool valid; + + valid =3D is_psw_valid(sclab_load_psw, comp_addr_range, addr_range_ind= ex) && + is_psw_valid(load_psw, comp_addr_range, addr_range_index); + if (!valid) { + set_comp_cei_with_log(comp_entry, S390_CEI_INVALID_LOAD_PSW, "Inva= lid PSW"); + } + + /* compare load PSW with the PSW specified in component */ + if (sclab_load_psw !=3D load_psw) { + set_comp_cei_with_log(comp_entry, S390_CEI_UNMATCHED_SCLAB_LOAD_PS= W, + "Load PSW does not match with PSW in compone= nt"); + } +} + +static void check_nuc(uint16_t global_sclab_flags, int unsigned_count, + IplDeviceComponentList *comp_list) +{ + bool is_nuc_set; + + is_nuc_set =3D global_sclab_flags & S390_SECURE_IPL_SCLAB_FLAG_NUC; + if (is_nuc_set && unsigned_count > 0) { + comp_list->ipl_info_header.iiei |=3D S390_IIEI_FOUND_UNSIGNED_COMP; + zipl_secure_handle("Unsigned components are not allowed"); + } +} + +static void check_sc(uint16_t global_sclab_flags, + int signed_count, int unsigned_count, + IplDeviceComponentList *comp_list) +{ + bool is_sc_set; + + is_sc_set =3D global_sclab_flags & S390_SECURE_IPL_SCLAB_FLAG_SC; + if (is_sc_set && signed_count !=3D 1 && unsigned_count >=3D 0) { + 
comp_list->ipl_info_header.iiei |=3D S390_IIEI_MORE_SIGNED_COMP; + zipl_secure_handle("Only one signed component is allowed"); + } +} + +void check_global_sclab(SecureIplSclabInfo sclab_info, + int unsigned_count, int signed_count, + IplDeviceComponentList *comp_list) +{ + if (sclab_info.count =3D=3D 0) { + return; + } + + if (sclab_info.global_count =3D=3D 0) { + comp_list->ipl_info_header.iiei |=3D S390_IIEI_NO_GLOBAL_SCLAB; + zipl_secure_handle("Global SCLAB does not exists"); + return; + } + + if (sclab_info.global_count > 1) { + comp_list->ipl_info_header.iiei |=3D S390_IIEI_MORE_GLOBAL_SCLAB; + zipl_secure_handle("More than one global SCLAB"); + return; + } + + if (sclab_info.flags) { + /* Unsigned components are not allowed if NUC flag is set in the g= lobal SCLAB */ + check_nuc(sclab_info.flags, unsigned_count, comp_list); + + /* Only one signed component is allowed is SC flag is set in the g= lobal SCLAB */ + check_sc(sclab_info.flags, signed_count, unsigned_count, comp_list= ); + } +} + +static void check_signed_comp(int signed_count, IplDeviceComponentList *co= mp_list) +{ + if (signed_count > 0) { + return; + } + + comp_list->ipl_info_header.iiei |=3D S390_IIEI_NO_SIGNED_COMP; + zipl_secure_handle("Secure boot is on, but components are not signed"); +} + +static void check_sclab_count(int count, IplDeviceComponentList *comp_list) +{ + if (count > 0) { + return; + } + + comp_list->ipl_info_header.iiei |=3D S390_IIEI_NO_SCLAB; + zipl_secure_handle("No recognizable SCLAB"); +} + +static void check_sclab(uint64_t comp_addr, uint64_t comp_len, + IplDeviceComponentEntry *comp_entry, + SecureIplSclabInfo *sclab_info) +{ + SclabOriginLocator *sclab_locator; + SecureCodeLoadingAttributesBlock *sclab; + bool exist; + + /* sclab locator is located at the last 8 bytes of the signed comp */ + sclab_locator =3D (SclabOriginLocator *)(comp_addr + comp_len - 8); + + /* return early if sclab does not exist */ + exist =3D check_sclab_presence(sclab_locator->magic, 
comp_entry); + if (!exist) { + return; + } + + check_sclab_length(sclab_locator->len, comp_entry); + + /* return early if sclab is invalid */ + if (comp_entry && (comp_entry->cei & S390_CEI_INVALID_SCLAB)) { + return; + } + + sclab_info->count +=3D 1; + sclab =3D (SecureCodeLoadingAttributesBlock *)(comp_addr + comp_len - + sclab_locator->len); + + check_sclab_format(sclab->format, comp_entry); + check_sclab_opsw(sclab, sclab_info, comp_entry); + check_sclab_ola(sclab, comp_addr, comp_entry); + check_sclab_nuc(sclab->flags, comp_entry); + check_sclab_sc(sclab->flags, comp_entry); +} + static int zipl_load_signature(ComponentEntry *entry, uint64_t sig_sec) { if (zipl_load_segment(entry, sig_sec) < 0) { @@ -304,6 +590,9 @@ int zipl_run_secure(ComponentEntry **entry_ptr, uint8_t= *tmp_sec) SecureIplCompAddrRange comp_addr_range[MAX_CERTIFICATES]; int addr_range_index =3D 0; int signed_count =3D 0; + int unsigned_count =3D 0; + SecureIplSclabInfo sclab_info =3D { 0 }; + IplDeviceComponentEntry *comp_entry; =20 if (!secure_ipl_supported()) { panic("Unable to boot in secure/audit mode"); @@ -335,10 +624,21 @@ int zipl_run_secure(ComponentEntry **entry_ptr, uint8= _t *tmp_sec) addr_overlap_check(comp_addr_range, &addr_range_index, comp_addr, comp_addr + comp_len, sig_len > = 0); =20 + comp_entry =3D (comp_entry_idx < MAX_CERTIFICATES) ? + &comp_list.device_entries[comp_entry_idx] : NULL; + if (!sig_len) { + check_unsigned_addr(comp_addr, comp_entry); + comp_list_add(&comp_list, comp_entry_idx, cert_entry_idx, + comp_addr, comp_len, 0x00); + + unsigned_count +=3D 1; + comp_entry_idx++; break; } =20 + check_sclab(comp_addr, comp_len, + &comp_list.device_entries[comp_entry_idx], &sclab_= info); verified =3D verify_signature(comp_len, comp_addr, sig_len, (u= int64_t)sig, &cert_len, &cert_table_idx); =20 
@@ -391,10 +691,20 @@ int zipl_run_secure(ComponentEntry **entry_ptr, uint8= _t *tmp_sec) } } =20 - if (signed_count =3D=3D 0) { - zipl_secure_handle("Secure boot is on, but components are not sign= ed"); + /* validate load PSW with PSW specified in the final entry */ + if (sclab_info.load_psw) { + comp_entry =3D (comp_entry_idx < MAX_CERTIFICATES) ? + &comp_list.device_entries[comp_entry_idx] : NULL; + check_load_psw(comp_addr_range, addr_range_index, + sclab_info.load_psw, entry->compdat.load_psw, comp_= entry); + comp_list_add(&comp_list, comp_entry_idx, -1, + entry->compdat.load_psw, 0, 0x00); } =20 + check_signed_comp(signed_count, &comp_list); + check_sclab_count(sclab_info.count, &comp_list); + check_global_sclab(sclab_info, unsigned_count, signed_count, &comp_lis= t); + update_iirb(&comp_list, &cert_list); =20 *entry_ptr =3D entry; diff --git a/pc-bios/s390-ccw/secure-ipl.h b/pc-bios/s390-ccw/secure-ipl.h index 69edfce241..4e9f4f08b9 100644 --- a/pc-bios/s390-ccw/secure-ipl.h +++ b/pc-bios/s390-ccw/secure-ipl.h 
@@ -16,6 +16,38 @@ VCStorageSizeBlock *zipl_secure_get_vcssb(void); int zipl_run_secure(ComponentEntry **entry_ptr, uint8_t *tmp_sec); =20 +#define S390_SECURE_IPL_SCLAB_FLAG_OPSW 0x8000 +#define S390_SECURE_IPL_SCLAB_FLAG_OLA 0x4000 +#define S390_SECURE_IPL_SCLAB_FLAG_NUC 0x2000 +#define S390_SECURE_IPL_SCLAB_FLAG_SC 0x1000 + +#define S390_SECURE_IPL_SCLAB_MIN_LEN 32 + +struct SecureCodeLoadingAttributesBlock { + uint8_t format; + uint8_t reserved1; + uint16_t flags; + uint8_t reserved2[4]; + uint64_t load_psw; + uint64_t load_addr; + uint64_t reserved3[]; +} __attribute__ ((packed)); +typedef struct SecureCodeLoadingAttributesBlock SecureCodeLoadingAttribute= sBlock; + +struct SclabOriginLocator { + uint8_t reserved[2]; + uint16_t len; + uint8_t magic[4]; +} __attribute__ ((packed)); +typedef struct SclabOriginLocator SclabOriginLocator; + +typedef struct SecureIplSclabInfo { + int count; + int global_count; + uint64_t load_psw; + uint16_t flags; +} SecureIplSclabInfo; + typedef struct SecureIplCompAddrRange { bool is_signed; uint64_t start_addr; 
@@ -33,6 +65,16 @@ static inline void zipl_secure_handle(const char *messag= e) } } =20 +static inline void set_comp_cei_with_log(IplDeviceComponentEntry *comp_ent= ry, + uint32_t flag, const char *messag= e) +{ + if (comp_entry) { + comp_entry->cei |=3D flag; + } + + zipl_secure_handle(message); +} + static inline uint64_t diag320(void *data, unsigned long subcode) { register unsigned long addr asm("0") =3D (unsigned long)data; --=20 2.53.0
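Review bot: In check_sclab() in pc-bios/s390-ccw/secure-ipl.c, the early return after check_sclab_length() only fires when comp_entry is non-NULL: `if (comp_entry && (comp_entry->cei & S390_CEI_INVALID_SCLAB))`. zipl_run_secure() can produce a NULL comp_entry and set_comp_cei_with_log() explicitly tolerates one, so in that case an invalid length is not remembered anywhere, and whenever zipl_secure_handle() returns the function goes on to compute `sclab` from `comp_addr + comp_len - sclab_locator->len` and read its fields. Having check_sclab_length() return a bool, as check_sclab_presence() already does, and returning on false would remove the dependence on the cei flag. The locator address `comp_addr + comp_len - 8` is also computed with no visible check that comp_len is at least 8; add a guard before the subtraction or a comment naming where that is guaranteed. Two wording nits in check_global_sclab(): "Global SCLAB does not exists" and "is allowed is SC flag is set".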
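Review bot: In the zipl_run_secure() hunk at @@ -335,10 +624,21 @@, check_sclab() is called with `&comp_list.device_entries[comp_entry_idx]` even though the same hunk has just computed a bounds-checked `comp_entry` that becomes NULL once comp_entry_idx reaches MAX_CERTIFICATES. Assuming device_entries holds MAX_CERTIFICATES elements, as that guard implies, the call hands check_sclab() a pointer past the array from that index on, and the cei updates made through it land outside the list. Pass `comp_entry` instead, which is what check_unsigned_addr() in the unsigned branch and check_load_psw() in the @@ -391,10 +691,20 @@ hunk already receive.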
From: Zhuoying Cai
To: thuth@redhat.com, berrange@redhat.com, jrossi@linux.ibm.com, qemu-s390x@nongnu.org, qemu-devel@nongnu.org
Cc: richard.henderson@linaro.org, pierrick.bouvier@linaro.org, david@kernel.org, walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com, brueckner@linux.ibm.com, jdaley@linux.ibm.com
Subject: [PATCH v9 23/30] Add secure-boot to s390-ccw-virtio machine type option
Date: Thu, 5 Mar 2026 17:41:38 -0500
Message-ID: <20260305224146.664053-24-zycai@linux.ibm.com>
In-Reply-To: <20260305224146.664053-1-zycai@linux.ibm.com>
References: <20260305224146.664053-1-zycai@linux.ibm.com>

Add secure-boot as a parameter of s390-ccw-virtio machine type option. The `secure-boot=on|off` parameter is implemented to enable secure IPL. By default, secure-boot is set to false if not specified in the command line.

Signed-off-by: Zhuoying Cai Reviewed-by: Thomas Huth --- docs/system/s390x/secure-ipl.rst | 22 +++++++++++++++++----- hw/s390x/s390-virtio-ccw.c | 22 ++++++++++++++++++++++ include/hw/s390x/s390-virtio-ccw.h | 1 + qemu-options.hx | 6 +++++- 4 files changed, 45 insertions(+), 6 deletions(-) diff --git a/docs/system/s390x/secure-ipl.rst b/docs/system/s390x/secure-ip= l.rst index 3a19b72085..2465f8b26d 100644 --- a/docs/system/s390x/secure-ipl.rst +++ b/docs/system/s390x/secure-ipl.rst @@ -19,19 +19,31 @@ Note: certificate files must have a .pem extension. =20 qemu-system-s390x -machine s390-ccw-virtio,boot-certs.0.path=3D/.../qe= mu/certs,boot-certs.1.path=3D/another/path/cert.pem ... =20 +Enabling Secure IPL +------------------- + +Secure IPL is enabled by explicitly setting ``secure-boot=3Don``; if not +specified, secure boot is considered off. + +.. code-block:: shell + + qemu-system-s390x -machine s390-ccw-virtio,secure-boot=3Don|off + =20 IPL Modes =3D=3D=3D=3D=3D=3D=3D=3D=3D Multiple IPL modes are available to differentiate between the various IPL -configurations. These modes are mutually exclusive and enabled based on the -``boot-certs`` option on the QEMU command line. +configurations. These modes are mutually exclusive and enabled based on sp= ecific +combinations of the ``secure-boot`` and ``boot-certs`` options on the QEMU +command line. =20 Normal Mode ----------- =20 -The absence of certificates will attempt to IPL a guest without secure IPL -operations. No checks are performed, and no warnings/errors are reported. -This is the default mode. +The absence of both certificates and the ``secure-boot`` option will attem= pt to +IPL a guest without secure IPL operations. No checks are performed, and no +warnings/errors are reported. This is the default mode, and can be explic= itly +enabled with ``secure-boot=3Doff``. =20 Configuration: =20 diff --git a/hw/s390x/s390-virtio-ccw.c b/hw/s390x/s390-virtio-ccw.c index a6f0fc4e00..a24cc14906 100644 
--- a/hw/s390x/s390-virtio-ccw.c +++ b/hw/s390x/s390-virtio-ccw.c @@ -813,6 +813,21 @@ static void machine_set_boot_certs(Object *obj, Visito= r *v, const char *name, ms->boot_certs =3D cert_list; } =20 +static inline bool machine_get_secure_boot(Object *obj, Error **errp) +{ + S390CcwMachineState *ms =3D S390_CCW_MACHINE(obj); + + return ms->secure_boot; +} + +static inline void machine_set_secure_boot(Object *obj, bool value, + Error **errp) +{ + S390CcwMachineState *ms =3D S390_CCW_MACHINE(obj); + + ms->secure_boot =3D value; +} + static void ccw_machine_class_init(ObjectClass *oc, const void *data) { MachineClass *mc =3D MACHINE_CLASS(oc); @@ -871,6 +886,13 @@ static void ccw_machine_class_init(ObjectClass *oc, co= nst void *data) machine_get_boot_certs, machine_set_boot_cer= ts, NULL, NULL); object_class_property_set_description(oc, "boot-certs", "provide paths to a directory and/or a certificate file for se= cure boot"); + + object_class_property_add_bool(oc, "secure-boot", + machine_get_secure_boot, + machine_set_secure_boot); + object_class_property_set_description(oc, "secure-boot", + "enable/disable secure boot"); + } =20 static inline void s390_machine_initfn(Object *obj) diff --git a/include/hw/s390x/s390-virtio-ccw.h b/include/hw/s390x/s390-vir= tio-ccw.h index 5ad1ea2f24..93a4c0ccad 100644 --- a/include/hw/s390x/s390-virtio-ccw.h +++ b/include/hw/s390x/s390-virtio-ccw.h @@ -29,6 +29,7 @@ struct S390CcwMachineState { bool aes_key_wrap; bool dea_key_wrap; bool pv; + bool secure_boot; uint8_t loadparm[8]; uint64_t memory_limit; uint64_t max_pagesize; diff --git a/qemu-options.hx b/qemu-options.hx index 8873083792..7f58d129de 100644 --- a/qemu-options.hx +++ b/qemu-options.hx 
@@ -46,7 +46,8 @@ DEF("machine", HAS_ARG, QEMU_OPTION_machine, \ " cxl-fmw.0.targets.0=3Dfirsttarget,cxl-fmw.0.targets.1= =3Dsecondtarget,cxl-fmw.0.size=3Dsize[,cxl-fmw.0.interleave-granularity=3Dg= ranularity]\n" " sgx-epc.0.memdev=3Dmemid,sgx-epc.0.node=3Dnumaid\n" " smp-cache.0.cache=3Dcachename,smp-cache.0.topology=3D= topologylevel\n" - " boot-certs.0.path=3D/path/directory,boot-certs.1.path= =3D/path/file provides paths to a directory and/or a certificate file\n", + " boot-certs.0.path=3D/path/directory,boot-certs.1.path= =3D/path/file provides paths to a directory and/or a certificate file\n" + " secure-boot=3Don|off enable/disable secure boot (defa= ult=3Doff) \n", QEMU_ARCH_ALL) SRST ``-machine [type=3D]name[,prop=3Dvalue[,...]]`` 
@@ -213,6 +214,9 @@ SRST =20 ``boot-certs.0.path=3D/path/directory,boot-certs.1.path=3D/path/file`` Provide paths to a directory and/or a certificate file on the host= [s390x only]. + + ``secure-boot=3Don|off`` + Enables or disables secure boot on s390-ccw guest. The default is = off. ERST =20 DEF("M", HAS_ARG, QEMU_OPTION_M, --=20 2.53.0
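Review bot: machine_get_secure_boot() and machine_set_secure_boot() in hw/s390x/s390-virtio-ccw.c are declared `static inline`, but they are only reached through the function pointers handed to object_class_property_add_bool(), so `inline` has no effect; plain `static`, as on the machine_set_boot_certs() shown in the hunk context, would be clearer. The ccw_machine_class_init() hunk also leaves an empty added line between the object_class_property_set_description() call and the closing brace, which can be dropped.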
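Review bot: The help string added to DEF("machine", ...) in qemu-options.hx ends with `(default=off) \n`, with a stray space before the newline, and gives no hint that the property exists only on the s390-ccw-virtio machine even though the entry is registered under QEMU_ARCH_ALL. The boot-certs SRST entry just above is marked `[s390x only]`; using the same marker for secure-boot, in both the help string and the SRST text, keeps the two options consistent.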
From: Zhuoying Cai
To: thuth@redhat.com, berrange@redhat.com, jrossi@linux.ibm.com, qemu-s390x@nongnu.org, qemu-devel@nongnu.org
Cc: richard.henderson@linaro.org, pierrick.bouvier@linaro.org, david@kernel.org, walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com, brueckner@linux.ibm.com, jdaley@linux.ibm.com
Subject: [PATCH v9 24/30] hw/s390x/ipl: Set IPIB flags for secure IPL
Date: Thu, 5 Mar 2026 17:41:39 -0500
Message-ID: <20260305224146.664053-25-zycai@linux.ibm.com>
In-Reply-To: <20260305224146.664053-1-zycai@linux.ibm.com>
References: <20260305224146.664053-1-zycai@linux.ibm.com>

If `-M secure-boot=on` is specified on the command line option, indicating true secure IPL enabled, set Secure-IPL bit and IPL-Information-Report bit on in IPIB Flags field, and trigger true secure IPL in the S390 BIOS. Any error that occurs during true secure IPL will cause the IPL to terminate.

Signed-off-by: Zhuoying Cai Reviewed-by: Thomas Huth --- hw/s390x/ipl.c | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/hw/s390x/ipl.c b/hw/s390x/ipl.c index b66dfd06bd..f8dd50f69d 100644 --- a/hw/s390x/ipl.c +++ b/hw/s390x/ipl.c @@ -440,6 +440,11 @@ static bool s390_has_certificate(void) return ipl->cert_store.count > 0; } =20 +static bool s390_secure_boot_enabled(void) +{ + return S390_CCW_MACHINE(qdev_get_machine())->secure_boot; +} + static bool s390_build_iplb(DeviceState *dev_st, IplParameterBlock *iplb) { CcwDevice *ccw_dev =3D NULL; @@ -497,6 +502,18 @@ static bool s390_build_iplb(DeviceState *dev_st, IplPa= rameterBlock *iplb) s390_ipl_convert_loadparm((char *)lp, iplb->loadparm); iplb->flags |=3D DIAG308_FLAGS_LP_VALID; =20 + /* + * If secure-boot is enabled, then toggle the secure IPL flags to + * trigger secure boot in the s390 BIOS. + * + * Boot process will terminate if any error occurs during secure b= oot. + * + * If SIPL is on, IPLIR must also be on. + */ + if (s390_secure_boot_enabled()) { + iplb->hdr_flags |=3D (DIAG308_IPIB_FLAGS_SIPL | DIAG308_IPIB_F= LAGS_IPLIR); + iplb->len =3D cpu_to_be32(S390_IPLB_MAX_LEN); + } /* * Secure boot in audit mode will perform * if certificate(s) exist in the key store. 
@@ -506,7 +523,7 @@ static bool s390_build_iplb(DeviceState *dev_st, IplPar= ameterBlock *iplb) * * Results of secure boot will be stored in IIRB. */ - if (s390_has_certificate()) { + else if (s390_has_certificate()) { iplb->hdr_flags |=3D DIAG308_IPIB_FLAGS_IPLIR; iplb->len =3D cpu_to_be32(S390_IPLB_MAX_LEN); } --=20 2.53.0
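Review bot: In s390_build_iplb() in hw/s390x/ipl.c, the new `if (s390_secure_boot_enabled()) { ... }` block is closed, the existing audit-mode comment follows, and only then comes `else if (s390_has_certificate()) {` from the @@ -506,7 +523,7 @@ hunk. That leaves `else` on its own line, separated from its `}` by a multi-line comment, which is easy to misread as two independent statements and does not follow QEMU's `} else if (...) {` brace style. Move the audit-mode comment inside the else-if body and join the keyword to the closing brace. The new comment could also say what is expected when secure-boot is on and the certificate store is empty, since this branch sets SIPL and IPLIR without consulting s390_has_certificate().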
From: Zhuoying Cai
To: thuth@redhat.com, berrange@redhat.com, jrossi@linux.ibm.com, qemu-s390x@nongnu.org, qemu-devel@nongnu.org
Cc: richard.henderson@linaro.org, pierrick.bouvier@linaro.org, david@kernel.org, walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com, brueckner@linux.ibm.com, jdaley@linux.ibm.com
Subject: [PATCH v9 25/30] pc-bios/s390-ccw: Handle true secure IPL mode
Date: Thu, 5 Mar 2026 17:41:40 -0500
Message-ID: <20260305224146.664053-26-zycai@linux.ibm.com>
In-Reply-To: <20260305224146.664053-1-zycai@linux.ibm.com>
References: <20260305224146.664053-1-zycai@linux.ibm.com>

When secure boot is enabled (-secure-boot on) and certificate(s) are provided, the boot operates in True Secure IPL mode. Any verification error during True Secure IPL mode will cause the entire boot process to terminate. Secure IPL in audit mode requires at least one certificate provided in the key store along with necessary facilities. If secure boot is enabled but no certificate is provided, the boot process will also terminate, as this is not a valid secure boot configuration.

Note: True Secure IPL mode is implemented for the SCSI scheme of virtio-blk/virtio-scsi devices. Signed-off-by: Zhuoying Cai --- docs/system/s390x/secure-ipl.rst | 13 +++++++++++++ pc-bios/s390-ccw/bootmap.c | 8 ++++++++ pc-bios/s390-ccw/main.c | 3 +++ pc-bios/s390-ccw/s390-ccw.h | 2 ++ pc-bios/s390-ccw/secure-ipl.c | 4 ++++ pc-bios/s390-ccw/secure-ipl.h | 3 +++ 6 files changed, 33 insertions(+) diff --git a/docs/system/s390x/secure-ipl.rst b/docs/system/s390x/secure-ip= l.rst index 2465f8b26d..e0af086c38 100644 --- a/docs/system/s390x/secure-ipl.rst +++ b/docs/system/s390x/secure-ipl.rst @@ -65,3 +65,16 @@ Configuration: .. code-block:: shell =20 qemu-system-s390x -machine s390-ccw-virtio,boot-certs.0.path=3D/.../qe= mu/certs,boot-certs.1.path=3D/another/path/cert.pem ... + +Secure Mode +----------- + +When the ``secure-boot=3Don`` option is set and certificates are provided, +a secure boot is performed with error reporting enabled. The boot process = aborts +if any error occurs. + +Configuration: + +.. code-block:: shell + + qemu-system-s390x -machine s390-ccw-virtio,secure-boot=3Don,boot-certs= .0.path=3D/.../qemu/certs,boot-certs.1.path=3D/another/path/cert.pem ... diff --git a/pc-bios/s390-ccw/bootmap.c b/pc-bios/s390-ccw/bootmap.c index 43a661325f..9a61e989e0 100644 --- a/pc-bios/s390-ccw/bootmap.c +++ b/pc-bios/s390-ccw/bootmap.c @@ -738,6 +738,7 @@ static int zipl_run(ScsiBlockPtr *pte) entry =3D (ComponentEntry *)(&header[1]); =20 switch (boot_mode) { + case ZIPL_BOOT_MODE_SECURE: case ZIPL_BOOT_MODE_SECURE_AUDIT: rc =3D zipl_run_secure(&entry, tmp_sec); break; 
@@ -1120,9 +1121,16 @@ ZiplBootMode get_boot_mode(uint8_t hdr_flags) { bool sipl_set =3D hdr_flags & DIAG308_IPIB_FLAGS_SIPL; bool iplir_set =3D hdr_flags & DIAG308_IPIB_FLAGS_IPLIR; + VCStorageSizeBlock *vcssb; =20 if (!sipl_set && iplir_set) { return ZIPL_BOOT_MODE_SECURE_AUDIT; + } else if (sipl_set && iplir_set) { + vcssb =3D zipl_secure_get_vcssb(); + if (vcssb =3D=3D NULL || vcssb->length =3D=3D VCSSB_NO_VC) { + return ZIPL_BOOT_MODE_INVALID; + } + return ZIPL_BOOT_MODE_SECURE; } =20 return ZIPL_BOOT_MODE_NORMAL; diff --git a/pc-bios/s390-ccw/main.c b/pc-bios/s390-ccw/main.c index 106cdf9dec..1678ede8fb 100644 --- a/pc-bios/s390-ccw/main.c +++ b/pc-bios/s390-ccw/main.c @@ -329,6 +329,9 @@ void main(void) } =20 boot_mode =3D get_boot_mode(iplb->hdr_flags); + if (boot_mode =3D=3D ZIPL_BOOT_MODE_INVALID) { + panic("Need at least one certificate for secure boot!"); + } =20 while (have_iplb) { boot_setup(); diff --git a/pc-bios/s390-ccw/s390-ccw.h b/pc-bios/s390-ccw/s390-ccw.h index 7d1a9d4acc..7092942280 100644 --- a/pc-bios/s390-ccw/s390-ccw.h +++ b/pc-bios/s390-ccw/s390-ccw.h @@ -96,8 +96,10 @@ int virtio_read(unsigned long sector, void *load_addr); void zipl_load(void); =20 typedef enum ZiplBootMode { + ZIPL_BOOT_MODE_INVALID =3D -1, ZIPL_BOOT_MODE_NORMAL =3D 0, ZIPL_BOOT_MODE_SECURE_AUDIT =3D 1, + ZIPL_BOOT_MODE_SECURE =3D 2, } ZiplBootMode; =20 extern ZiplBootMode boot_mode; diff --git a/pc-bios/s390-ccw/secure-ipl.c b/pc-bios/s390-ccw/secure-ipl.c index 840b88a699..76b72fc8f4 100644 --- a/pc-bios/s390-ccw/secure-ipl.c +++ b/pc-bios/s390-ccw/secure-ipl.c @@ -288,6 +288,10 @@ static bool check_sclab_presence(uint8_t *sclab_magic, } =20 /* a missing SCLAB will not be reported in audit mode */ + if (boot_mode =3D=3D ZIPL_BOOT_MODE_SECURE) { + zipl_secure_handle("Magic does not match. SCLAB does not exist"); + } + return false; } =20 diff --git a/pc-bios/s390-ccw/secure-ipl.h b/pc-bios/s390-ccw/secure-ipl.h index 4e9f4f08b9..1e736d53fe 100644 
--- a/pc-bios/s390-ccw/secure-ipl.h +++ b/pc-bios/s390-ccw/secure-ipl.h 
@@ -60,6 +60,9 @@ static inline void zipl_secure_handle(const char *message) case ZIPL_BOOT_MODE_SECURE_AUDIT: IPL_check(false, message); break; + case ZIPL_BOOT_MODE_SECURE: + panic(message); + break; default: break; } --=20 2.53.0 From nobody Wed Apr 1 22:36:15 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass(p=reject dis=none) header.from=linux.ibm.com ARC-Seal: i=1; a=rsa-sha256; t=1772750740; cv=none; d=zohomail.com; s=zohoarc; b=j2E5KKRs8ZWFOugMOBuMPUfkrORLH8pqExjaoJD2WkjEOZobBKtsxWDdFjs5sw4hKdZ/lj5cJOQnimB/LUkxdTEs55J57b49L6ffVkzAPEKrLv3d9zzIU9mFtmeUWoDXfiARWCPlP+7KSPwWBURDDmQuAu/stSWQu/GnB9OdeQ4= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1772750740; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=QmQndQisAyVrNbCsyfcu/C+f9/NEDnmg14SBc4obgQQ=; b=JGQdtVuEA6rJT82qA+32Pqz2UU9CukQ/Ljjv8XxfVTJhIDeRLjV8/XU1/Ry+erd9lx0WCY951aDXSC8lkpHvX92uQBI7PAXwX0acao1pFsv2HYg8s8QXJ8bY2nqCxw9veFKDKO8g8jIZICgtRmhH6TXvPx6PGBDBcb13eGvU31U= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass header.from= (p=reject dis=none) Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1772750740298689.7101655496206; Thu, 5 Mar 2026 14:45:40 -0800 (PST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1vyHPG-0002BZ-Ie; Thu, 05 Mar 2026 17:42:58 -0500 Received: from eggs.gnu.org 
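Review bot: The new "Secure Mode" section in docs/system/s390x/secure-ipl.rst omits two behaviours the commit message states: that `secure-boot=on` with no certificate terminates the boot, and that True Secure IPL is implemented only for the SCSI scheme of virtio-blk/virtio-scsi devices. Both are conditions an operator will hit before any signature check runs, so they belong next to the configuration example.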
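Review bot: In get_boot_mode() in pc-bios/s390-ccw/bootmap.c, the combination of SIPL set with IPLIR clear still falls through to `return ZIPL_BOOT_MODE_NORMAL`, so an IPLB that requests secure IPL but lacks the report flag is treated as a normal boot. This patch already introduces ZIPL_BOOT_MODE_INVALID; returning it for `sipl_set && !iplir_set` would make the inconsistent flag state fail closed instead of downgrading.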
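Review bot: The panic text added in main() in pc-bios/s390-ccw/main.c, "Need at least one certificate for secure boot!", covers two different causes, because get_boot_mode() returns ZIPL_BOOT_MODE_INVALID both for `vcssb == NULL` and for `vcssb->length == VCSSB_NO_VC`. A failed zipl_secure_get_vcssb() call is not the same as an empty key store; either report the two cases separately or word the message so that it does not point the user at certificates when the lookup itself failed.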
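Review bot: In check_sclab_presence() in pc-bios/s390-ccw/secure-ipl.c, the retained comment "a missing SCLAB will not be reported in audit mode" now sits directly above a block that handles only ZIPL_BOOT_MODE_SECURE, which reads as a contradiction. Reword the comment to say that a missing SCLAB is fatal in secure mode and deliberately not reported in audit mode, so the explicit boot_mode test in front of zipl_secure_handle() is understood as intentional.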
From: Zhuoying Cai
To: thuth@redhat.com, berrange@redhat.com, jrossi@linux.ibm.com, qemu-s390x@nongnu.org, qemu-devel@nongnu.org
Cc: richard.henderson@linaro.org, pierrick.bouvier@linaro.org, david@kernel.org, walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com, brueckner@linux.ibm.com, jdaley@linux.ibm.com
Subject: [PATCH v9 26/30] hw/s390x/ipl: Handle secure boot with multiple boot devices
Date: Thu, 5 Mar 2026 17:41:41 -0500
Message-ID: <20260305224146.664053-27-zycai@linux.ibm.com>
In-Reply-To: <20260305224146.664053-1-zycai@linux.ibm.com>
References: <20260305224146.664053-1-zycai@linux.ibm.com>

The current approach to enable secure boot relies on providing secure-boot and boot-certs parameters of s390-ccw-virtio machine type option, which apply to all boot devices. With the possibility of multiple boot devices, secure boot expects all provided devices to be supported and eligible (e.g., virtio-blk/virtio-scsi using the SCSI scheme).
If multiple boot devices are provided and include an unsupported (e.g., ECKD, VFIO) or a non-eligible (e.g., Net) device, the boot process will terminate with an error logged to the console. Signed-off-by: Zhuoying Cai Reviewed-by: Thomas Huth --- hw/s390x/ipl.c | 79 ++++++++++++++++++++++++++++------------- pc-bios/s390-ccw/main.c | 3 -- 2 files changed, 54 insertions(+), 28 deletions(-) diff --git a/hw/s390x/ipl.c b/hw/s390x/ipl.c index f8dd50f69d..e46e655ef1 100644 --- a/hw/s390x/ipl.c +++ b/hw/s390x/ipl.c 
@@ -445,6 +445,58 @@ static bool s390_secure_boot_enabled(void) return S390_CCW_MACHINE(qdev_get_machine())->secure_boot; } =20 +static bool s390_validate_secure_boot_device(int devtype, Error **errp) +{ + switch (devtype) { + case CCW_DEVTYPE_VFIO: + error_setg(errp, "Passthrough (vfio) CCW device does not support se= cure boot!"); + return false; + case CCW_DEVTYPE_VIRTIO_NET: + error_setg(errp, "Virtio net boot device does not support secure bo= ot!"); + return false; + default: + return true; + } +} + +static void s390_apply_secure_boot(IplParameterBlock *iplb, int devtype, + bool secure_boot, bool audit_mode) +{ + Error *local_error =3D NULL; + + if (!secure_boot && !audit_mode) { + return; + } + + if (!s390_validate_secure_boot_device(devtype, &local_error)) { + error_report_err(local_error); + exit(1); + } + + /* + * If secure-boot is enabled, then toggle the secure IPL flags (SIPL) = to + * trigger secure boot in the s390 BIOS. + * + * Boot process will terminate if any error occurs during secure boot. + */ + if (secure_boot) { + iplb->hdr_flags |=3D DIAG308_IPIB_FLAGS_SIPL; + } + + /* + * For both secure boot and audit mode, enable the IPL Information + * Report (IPLIR) flag so that the firmware generates an IPL + * Information Report Block (IIRB). + * + * Results of secure boot will be stored in IIRB. + * + * Extend the IPL parameter block to its maximum length to ensure + * sufficient space for the BIOS to populate the IIRB. + */ + iplb->hdr_flags |=3D DIAG308_IPIB_FLAGS_IPLIR; + iplb->len =3D cpu_to_be32(S390_IPLB_MAX_LEN); +} + static bool s390_build_iplb(DeviceState *dev_st, IplParameterBlock *iplb) { CcwDevice *ccw_dev =3D NULL; 
@@ -502,31 +554,8 @@ static bool s390_build_iplb(DeviceState *dev_st, IplPa= rameterBlock *iplb) s390_ipl_convert_loadparm((char *)lp, iplb->loadparm); iplb->flags |=3D DIAG308_FLAGS_LP_VALID; =20 - /* - * If secure-boot is enabled, then toggle the secure IPL flags to - * trigger secure boot in the s390 BIOS. - * - * Boot process will terminate if any error occurs during secure b= oot. - * - * If SIPL is on, IPLIR must also be on. - */ - if (s390_secure_boot_enabled()) { - iplb->hdr_flags |=3D (DIAG308_IPIB_FLAGS_SIPL | DIAG308_IPIB_F= LAGS_IPLIR); - iplb->len =3D cpu_to_be32(S390_IPLB_MAX_LEN); - } - /* - * Secure boot in audit mode will perform - * if certificate(s) exist in the key store. - * - * IPL Information Report Block (IIRB) will exist - * for secure boot in audit mode. - * - * Results of secure boot will be stored in IIRB. - */ - else if (s390_has_certificate()) { - iplb->hdr_flags |=3D DIAG308_IPIB_FLAGS_IPLIR; - iplb->len =3D cpu_to_be32(S390_IPLB_MAX_LEN); - } + s390_apply_secure_boot(iplb, devtype, s390_secure_boot_enabled(), + s390_has_certificate()); =20 return true; } diff --git a/pc-bios/s390-ccw/main.c b/pc-bios/s390-ccw/main.c index 1678ede8fb..6633a2cbaf 100644 --- a/pc-bios/s390-ccw/main.c +++ b/pc-bios/s390-ccw/main.c 
@@ -276,9 +276,6 @@ static void ipl_boot_device(void) switch (cutype) { case CU_TYPE_DASD_3990: case CU_TYPE_DASD_2107: - IPL_assert((boot_mode =3D=3D ZIPL_BOOT_MODE_NORMAL), - "Passthrough (vfio) CCW device does not support secure= boot!"); - dasd_ipl(blk_schid, cutype); break; case CU_TYPE_VIRTIO: --=20 2.53.0 From nobody Wed Apr 1 22:36:15 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass(p=reject dis=none) header.from=linux.ibm.com ARC-Seal: i=1; a=rsa-sha256; t=1772750751; cv=none; d=zohomail.com; s=zohoarc; b=jwJ+EFdYFZcxGJ8WP1zCPvWst09xqrH/EgnqL3nJmgc/x/i1wzN9Ag8v86FpjHy5x/5DP1SBGWfGHc9ILfMb/zqt1T6zmtVYTOCfY3Wcg69BC4tMQM8d0LhVWbhiFK3JgnSVZqh/p03Ux5DeLUHh3mxni8sMBtetnqDbqRUbfqY= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1772750751; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=H3FTjtiDzzuEOIejQBwh2B3cafHKVqG9tj8ticw0VQk=; b=GHOaLhUAtIn5mkgFht2gn6W00tHYM2ltbXzQPZT/nFiSFf2YpLf2cLyYaD041MzvmNvjtcHHcrRQ9JRrpe/sGJAs4fOs9RQtqeulRcQmjgARKJkQ3D6GVioH+ngOKTQTgdMOAuSH/UcM1eV2CwxOR4UwAiMKPxYtEhaAeVW3iWk= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass header.from= (p=reject dis=none) Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 177275075099977.50969161941168; Thu, 5 Mar 2026 14:45:50 -0800 (PST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) 
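Review bot: s390_validate_secure_boot_device() in hw/s390x/ipl.c is a deny-list with `default: return true`, so only CCW_DEVTYPE_VFIO and CCW_DEVTYPE_VIRTIO_NET are rejected and every other or future devtype passes with secure boot enabled. The commit message describes the requirement as "supported and eligible" devices; expressing that as an allow-list (return true only for the device types that implement secure IPL, reject in the default branch) would make an unhandled device type fail closed.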
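Review bot: Dropping the IPL_assert() from the CU_TYPE_DASD_3990/CU_TYPE_DASD_2107 branch of ipl_boot_device() in pc-bios/s390-ccw/main.c leaves the BIOS calling dasd_ipl() without looking at boot_mode at all. After this hunk the only thing that keeps a DASD from booting unverified in secure or audit mode is the host-side check in hw/s390x/ipl.c; keeping the assertion, or a panic for boot_mode != ZIPL_BOOT_MODE_NORMAL, costs three lines and preserves the guard in the component that performs the boot.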
From: Zhuoying Cai
To: thuth@redhat.com, berrange@redhat.com, jrossi@linux.ibm.com, qemu-s390x@nongnu.org, qemu-devel@nongnu.org
Cc: richard.henderson@linaro.org, pierrick.bouvier@linaro.org, david@kernel.org, walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com, brueckner@linux.ibm.com, jdaley@linux.ibm.com
Subject: [PATCH v9 27/30] hw/s390x/ipl: Handle secure boot without specifying a boot device
Date: Thu, 5 Mar 2026 17:41:42 -0500
Message-ID: <20260305224146.664053-28-zycai@linux.ibm.com>
In-Reply-To: <20260305224146.664053-1-zycai@linux.ibm.com>
References: <20260305224146.664053-1-zycai@linux.ibm.com>

If secure boot in audit mode or True Secure IPL mode is enabled without specifying a boot device, the boot process will terminate with an error.

Signed-off-by: Zhuoying Cai
Reviewed-by: Thomas Huth
---
 hw/s390x/ipl.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/hw/s390x/ipl.c b/hw/s390x/ipl.c index e46e655ef1..00ddfcf858 100644 --- a/hw/s390x/ipl.c +++ b/hw/s390x/ipl.c
@@ -799,6 +799,16 @@ void s390_ipl_prepare_cpu(S390CPU *cpu) cpu->env.psw.addr =3D ipl->bios_start_addr; if (!ipl->iplb_valid) { ipl->iplb_valid =3D s390_init_all_iplbs(ipl); + + /* + * Secure IPL without specifying a boot device. + * IPLB is not generated if no boot device is defined. + */ + if ((s390_has_certificate() || s390_secure_boot_enabled()) && + !ipl->iplb_valid) { + error_report("No boot device defined for Secure IPL"); + exit(1); + } } else { ipl->qipl.chain_len =3D 0; } --=20 2.53.0 From nobody Wed Apr 1 22:36:15 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass(p=reject dis=none) header.from=linux.ibm.com ARC-Seal: i=1; a=rsa-sha256; t=1772750766; cv=none; d=zohomail.com; s=zohoarc; b=Gbd2mfEYlh2dYrva7w7QWpponHHbolGrW+ILJgA98qjS+/hMe2UFvfY2ZfwV/4Ema5ceJDyFBbXtDAj37qNQpIkYFWQYQGBloeG6qyhpYJMhTqs15vSi1GSNsBlLZvukjztXgSbQG/3ZgMDPGNutrU/CKDTfXZxjX7b3djLP8So= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1772750766; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=fgo/QArjjHRRP4aPDLJUfA8TArlKTIxtYJFlrYdfzKI=; b=XGLIpAV/Lg/65IskjMf4hPMRxmjrHKNrtAm9E0HfnqaiBOfnL56idiIQJSgP4eZm+A0sMGfa42F9QqjDWBUkbMtPQfgiDaZZRa7+Nmk53fX+GlCURAHUw4KVAehGh02vRQ/loEIfda3dPrAxV1xi2FJPCTPzHe7++oNbwVSHuTU= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass header.from= (p=reject dis=none) Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with 
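Review bot: The new exit(1) path in s390_ipl_prepare_cpu() is undocumented and its message does not say which mode triggered it: the condition fires on s390_has_certificate() alone, so a guest started with boot-certs but no boot device is terminated even though secure-boot was never turned on. The diffstat touches only hw/s390x/ipl.c; add a sentence to docs/system/s390x/secure-ipl.rst stating that both audit mode and secure mode require a boot device, and consider naming the mode in the "No boot device defined for Secure IPL" text.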
From: Zhuoying Cai
To: thuth@redhat.com, berrange@redhat.com, jrossi@linux.ibm.com, qemu-s390x@nongnu.org, qemu-devel@nongnu.org
Cc: richard.henderson@linaro.org, pierrick.bouvier@linaro.org, david@kernel.org, walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com, brueckner@linux.ibm.com, jdaley@linux.ibm.com
Subject: [PATCH v9 28/30] tests/functional/s390x: Add secure IPL functional test
Date: Thu, 5 Mar 2026 17:41:43 -0500
Message-ID: <20260305224146.664053-29-zycai@linux.ibm.com>
In-Reply-To: <20260305224146.664053-1-zycai@linux.ibm.com>
References: <20260305224146.664053-1-zycai@linux.ibm.com>

Add functional test for secure IPL.

Signed-off-by: Zhuoying Cai
---
 tests/functional/s390x/meson.build | 2 +
 tests/functional/s390x/test_secure_ipl.py | 148 ++++++++++++++++++++++
 2 files changed, 150 insertions(+)
 create mode 100755 tests/functional/s390x/test_secure_ipl.py
diff --git a/tests/functional/s390x/meson.build b/tests/functional/s390x/me= son.build index 0f03e1c9db..07191ec996 100644 --- a/tests/functional/s390x/meson.build +++ b/tests/functional/s390x/meson.build @@ -2,6 +2,7 @@ =20 test_s390x_timeouts =3D { 'ccw_virtio' : 420, + 'secure_ipl' : 280, } =20 tests_s390x_system_quick =3D [ @@ -13,6 +14,7 @@ tests_s390x_system_thorough =3D [ 'ccw_virtio', 'pxelinux', 'replay', + 'secure_ipl', 'topology', 'tuxrun', ] diff --git a/tests/functional/s390x/test_secure_ipl.py b/tests/functional/s= 390x/test_secure_ipl.py new file mode 100755 index 0000000000..0980daace1 --- /dev/null +++ b/tests/functional/s390x/test_secure_ipl.py 
@@ -0,0 +1,148 @@ +#!/usr/bin/env python3 +# +# s390x Secure IPL functional test: validates secure-boot verification res= ults +# +# SPDX-License-Identifier: GPL-2.0-or-later + +from subprocess import check_call, DEVNULL + +from qemu_test import QemuSystemTest, Asset, get_qemu_img +from qemu_test import exec_command_and_wait_for_pattern, exec_command +from qemu_test import wait_for_console_pattern, skipBigDataTest + +class S390xSecureIpl(QemuSystemTest): + ASSET_F40_QCOW2 =3D Asset( + ('https://archives.fedoraproject.org/pub/archive/' + 'fedora-secondary/releases/40/Server/s390x/images/' + 'Fedora-Server-KVM-40-1.14.s390x.qcow2'), + '091c232a7301be14e19c76ce9a0c1cbd2be2c4157884a731e1fc4f89e7455a5f') + + def __init__(self, *args, **kwargs): + super().__init__(*args, **kwargs) + self.root_password =3D None + self.qcow2_path =3D None + self.cert_path =3D None + self.prompt =3D None + + # Boot a temporary VM to set up secure IPL image: + # - Create certificate + # - Sign stage3 binary and kernel + # - Run zipl + # - Extract certificate + def setup_s390x_secure_ipl(self): + temp_vm =3D self.get_vm(name=3D'sipl_setup') + temp_vm.set_machine('s390-ccw-virtio') + + asset_path =3D self.ASSET_F40_QCOW2.fetch() + self.qcow2_path =3D self.scratch_file('f40.qcow2') + qemu_img =3D get_qemu_img(self) + check_call([qemu_img, 'create', '-f', 'qcow2', '-b', asset_path, + '-F', 'qcow2', self.qcow2_path], stdout=3DDEVNULL, std= err=3DDEVNULL) + + temp_vm.set_console() + temp_vm.add_args('-nographic', + '-accel', 'kvm', + '-m', '1024', + '-drive', + f'id=3Ddrive0,if=3Dnone,format=3Dqcow2,file=3D{se= lf.qcow2_path}', + '-device', 'virtio-blk-ccw,drive=3Ddrive0,bootind= ex=3D1') + temp_vm.launch() + + # Initial root account setup (Fedora first boot screen) + self.root_password =3D 'fedora40password' + wait_for_console_pattern(self, 'Please make a selection from the a= bove', + vm=3Dtemp_vm) + exec_command_and_wait_for_pattern(self, '4', 'Password:', vm=3Dtem= p_vm) + 
exec_command_and_wait_for_pattern(self, self.root_password, + 'Password (confirm):', vm=3Dtemp= _vm) + exec_command_and_wait_for_pattern(self, self.root_password, + 'Please make a selection from the abov= e', + vm=3Dtemp_vm) + + # Login as root + self.prompt =3D '[root@localhost ~]#' + exec_command_and_wait_for_pattern(self, 'c', 'localhost login:', v= m=3Dtemp_vm) + exec_command_and_wait_for_pattern(self, 'root', 'Password:', vm=3D= temp_vm) + exec_command_and_wait_for_pattern(self, self.root_password, self.p= rompt, + vm=3Dtemp_vm) + + # Certificate generation + exec_command_and_wait_for_pattern(self, + 'openssl version', 'OpenSSL 3.2.= 1 30', + vm=3Dtemp_vm) + exec_command_and_wait_for_pattern(self, + 'openssl req -new -x509 -newkey rsa:2048 ' + '-keyout mykey.pem -outform PEM -out mycert.pe= m ' + '-days 36500 -subj "/CN=3DMy Name/" -nodes -ve= rbose', + 'Writing private key to \'mykey.pem\'', vm=3Dt= emp_vm) + + # Install kernel-devel (needed for sign-file) + exec_command_and_wait_for_pattern(self, + 'sudo dnf install kernel-devel-$(uname -r)= -y', + 'Complete!', vm=3Dtemp_vm) + wait_for_console_pattern(self, self.prompt, vm=3Dtemp_vm) + exec_command_and_wait_for_pattern(self, + 'ls /usr/src/kernels/$(uname -r)/scrip= ts/', + 'sign-file', vm=3Dtemp_vm) + + # Sign stage3 binary and kernel + exec_command(self, '/usr/src/kernels/$(uname -r)/scripts/sign-file= ' + 'sha256 mykey.pem mycert.pem /lib/s390-tools/stage3.bi= n', + vm=3Dtemp_vm) + wait_for_console_pattern(self, self.prompt, vm=3Dtemp_vm) + exec_command(self, '/usr/src/kernels/$(uname -r)/scripts/sign-file= ' + 'sha256 mykey.pem mycert.pem /boot/vmlinuz-$(uname -r)= ', + vm=3Dtemp_vm) + wait_for_console_pattern(self, self.prompt, vm=3Dtemp_vm) + + # Run zipl to prepare for secure boot + exec_command_and_wait_for_pattern(self, 'zipl --secure 1 -VV', 'Do= ne.', + vm=3Dtemp_vm) + + # Extract certificate to host + out =3D exec_command_and_wait_for_pattern(self, 'cat mycert.pem', + '-----END CERTIFICATE-----= 
', + vm=3Dtemp_vm) + # strip first line to avoid console echo artifacts + cert =3D "\n".join(out.decode("utf-8").splitlines()[1:]) + self.log.info("%s", cert) + + self.cert_path =3D self.scratch_file("mycert.pem") + + with open(self.cert_path, 'w', encoding=3D"utf-8") as file_object: + file_object.write(cert) + + # Shutdown temp vm + temp_vm.shutdown() + + @skipBigDataTest() + def test_s390x_secure_ipl(self): + self.require_accelerator('kvm') + self.setup_s390x_secure_ipl() + + self.set_machine('s390-ccw-virtio') + + self.vm.set_console() + self.vm.add_args('-nographic', + '-machine', 's390-ccw-virtio,secure-boot=3Don,' + f'boot-certs.0.path=3D{self.cert_path}', + '-accel', 'kvm', + '-m', '1024', + '-drive', + f'id=3Ddrive1,if=3Dnone,format=3Dqcow2,file=3D{se= lf.qcow2_path}', + '-device', 'virtio-blk-ccw,drive=3Ddrive1,bootind= ex=3D1') + self.vm.launch() + + # Expect two verified components + verified_output =3D "Verified component" + wait_for_console_pattern(self, verified_output) + wait_for_console_pattern(self, verified_output) + + # Login and verify the vm is booted using secure boot + wait_for_console_pattern(self, 'localhost login:') + exec_command_and_wait_for_pattern(self, 'root', 'Password:') + exec_command_and_wait_for_pattern(self, self.root_password, self.p= rompt) + exec_command_and_wait_for_pattern(self, 'cat /sys/firmware/ipl/sec= ure', '1') + +if __name__ =3D=3D '__main__': + QemuSystemTest.main() --=20 2.53.0
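Review bot: test_s390x_secure_ipl() only exercises the success path (stage3 and kernel signed with mykey.pem, booted with the matching mycert.pem in boot-certs.0.path), so nothing in this test would catch a regression where secure-boot=on lets an unverified component through. Please add a negative case in the same class, for example booting the prepared image with a certificate that did not sign it, and assert that IPL aborts instead of reaching the login prompt. The final check waits for the pattern '1' after `cat /sys/firmware/ipl/secure`, which any later console line containing a 1 satisfies; match something tighter. In setup_s390x_secure_ipl() the two sign-file calls go through exec_command() followed by a wait for the prompt, so a failed signing step is not noticed until the second boot, and the dnf step passes no failure pattern, so a repository error only shows up as the 280 s timeout.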
From: Zhuoying Cai
To: thuth@redhat.com, berrange@redhat.com, jrossi@linux.ibm.com, qemu-s390x@nongnu.org, qemu-devel@nongnu.org
Cc: richard.henderson@linaro.org, pierrick.bouvier@linaro.org, david@kernel.org, walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com, brueckner@linux.ibm.com, jdaley@linux.ibm.com
Subject: [PATCH v9 29/30] docs/specs: Add secure IPL documentation
Date: Thu, 5 Mar 2026 17:41:44 -0500
Message-ID: <20260305224146.664053-30-zycai@linux.ibm.com>
In-Reply-To: <20260305224146.664053-1-zycai@linux.ibm.com>
References: <20260305224146.664053-1-zycai@linux.ibm.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Add documentation for secure IPL

Signed-off-by: Collin Walling
---
 docs/specs/s390x-secure-ipl.rst | 55 +++++++++++++++++++++++++++++++++
 1 file changed, 55 insertions(+)

diff --git a/docs/specs/s390x-secure-ipl.rst b/docs/specs/s390x-secure-ipl.= rst index 9903b9dcf2..60d5246286 100644 --- a/docs/specs/s390x-secure-ipl.rst +++ b/docs/specs/s390x-secure-ipl.rst
@@ -1,5 +1,60 @@ .. SPDX-License-Identifier: GPL-2.0-or-later =20 +s390 Secure IPL +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D + +Secure IPL (a.k.a. secure boot) enables s390-ccw virtual machines to +leverage qcrypto libraries and z/Architecture emulations to verify the +integrity of signed kernels. The qcrypto libraries are used to perform +certificate validation and signature-verification, whereas the +z/Architecture emulations are used to ensure secure IPL data has not +been tampered with, convey data between QEMU and guest code, and set up +the relevant secure IPL data structures with verification results. + +To find out more about using this feature, see +``docs/system/s390x/secure-ipl.rst``. + +Note that "guest code" will refer to the s390-ccw BIOS unless stated +otherwise. + +Both QEMU and guest code work in cooperation to perform secure IPL. The Se= cure +Loading Attributes Facility (SCLAF) is used to check the Secure Code +Loading Attribute Block (SCLAB) and ensure that secure IPL data has not +been tampered with. DIAGNOSE 'X'320' is invoked by guest code to query +the certificate store info and retrieve specific certificates from QEMU. +DIAGNOSE 'X'508' is used by guest code to leverage qcrypto libraries to +perform signature-verification in QEMU. Lastly, guest code generates and +appends an IPL Information Report Block (IIRB) at the end of the IPL +Parameter Block, which is used by the kernel to store signed and +verified entries. + +The logical steps are as follows: + +- guest code reads data payload from disk (e.g. 
stage3 boot loader, kernel) +- guest code checks the validity of the SCLAB +- guest code invokes DIAG 508 subcode 1 and provides it the payload +- QEMU handles DIAG 508 request by reading the payload and retrieving the + certificate store +- QEMU DIAG 508 utilizes qcrypto libraries to perform signature-verificati= on on + the payload, attempting with each cert in the store (until success or + exhausted) +- QEMU DIAG 508 returns: + + - success: index of cert used to verify payload + - failure: error code + +- guest code responds to this operation: + + - success: retrieves cert from store via DIAG 320 using returned index + - failure: reports with warning (audit mode), aborts with error (secure = mode) + +- guest code appends IIRB at the end of the IPLB +- guest code kicks off IPL + +More information regarding the respective DIAGNOSE commands and IPL data +structures are outlined within this document. + + s390 Certificate Store and Functions =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D =20 --=20 2.53.0
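Review bot: In the list of logical steps, "guest code checks the validity of the SCLAB" is the only check given without an outcome; the DIAG 508 step spells out success, failure and the audit versus secure mode behaviour, so the SCLAB step should say what an invalid SCLAB leads to in each mode as well. In the paragraph before the list, SCLAF is expanded as "Secure Loading Attributes Facility" while SCLAB is "Secure Code Loading Attribute Block", so the facility name appears to have lost the word "Code", and DIAGNOSE 'X'320' and 'X'508' each carry an unbalanced quote. The closing sentence should read "is outlined". The commit message carries a Signed-off-by from Collin Walling only, while the mail is From Zhuoying Cai; patch 30/30 has both.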
From: Zhuoying Cai
To: thuth@redhat.com, berrange@redhat.com, jrossi@linux.ibm.com, qemu-s390x@nongnu.org, qemu-devel@nongnu.org
Cc: richard.henderson@linaro.org, pierrick.bouvier@linaro.org, david@kernel.org, walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com, brueckner@linux.ibm.com, jdaley@linux.ibm.com
Subject: [PATCH v9 30/30] docs/system/s390x: Add secure IPL documentation
Date: Thu, 5 Mar 2026 17:41:45 -0500
Message-ID: <20260305224146.664053-31-zycai@linux.ibm.com>
In-Reply-To: <20260305224146.664053-1-zycai@linux.ibm.com>
References: <20260305224146.664053-1-zycai@linux.ibm.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Add documentation for secure IPL

Signed-off-by: Collin Walling
Signed-off-by: Zhuoying Cai
---
 docs/system/s390x/secure-ipl.rst | 97 ++++++++++++++++++++++++++++++++
 1 file changed, 97 insertions(+)

diff --git a/docs/system/s390x/secure-ipl.rst b/docs/system/s390x/secure-ip= l.rst index e0af086c38..db9fb46fea 100644 --- a/docs/system/s390x/secure-ipl.rst
+++ b/docs/system/s390x/secure-ipl.rst @@ -1,5 +1,21 @@ .. SPDX-License-Identifier: GPL-2.0-or-later =20 +s390 Secure IPL +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D + +Secure IPL, also known as secure boot, enables s390-ccw virtual machines to +verify the integrity of guest kernels. + +For technical details of this feature, see ``docs/specs/s390x-secure-ipl.r= st``. + +This document explains how to use secure IPL with s390x in QEMU. It covers +the command line options for providing certificates and enabling secure IP= L, +the different IPL modes (Normal, Audit, and Secure), and system requiremen= ts. + +A quickstart guide is provided to demonstrate how to generate certificates, +sign images, and start a guest in Secure Mode. + + Secure IPL Command Line Options =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D =20 
@@ -78,3 +94,84 @@ Configuration: .. code-block:: shell =20 qemu-system-s390x -machine s390-ccw-virtio,secure-boot=3Don,boot-certs= .0.path=3D/.../qemu/certs,boot-certs.1.path=3D/another/path/cert.pem ... + + +Constraints +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D + +The following constraints apply when attempting to boot an s390x guest in = secure +mode: + +- z16 or "qemu" CPU model +- certificates must be in X.509 PEM format +- only support for SCSI scheme of virtio-blk/virtio-scsi devices +- a boot device must be specified +- any unsupported devices (e.g., ECKD and VFIO) or non-eligible devices (e= .g., + network) will cause the entire boot process terminating early with an er= ror + logged to the console. + + +Secure IPL Quickstart +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D + +Build QEMU with gnutls enabled +------------------------------- + +.. code-block:: shell + + ./configure =E2=80=A6 --enable-gnutls + +Generate certificate (e.g. via certtool) +---------------------------------------- + +A private key is required before generating a certificate. This key must b= e kept +secure and confidential. + +Use an RSA private key for signing. + +.. code-block:: shell + + certtool --generate-privkey > key.pem + +A self-signed certificate requires the organization name. Use the ``cert.i= nfo`` +template to pre-fill values and avoid interactive prompts from certtool. + +.. code-block:: shell + + cat > cert.info <
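Review bot: In the quickstart, the text says the private key "must be kept secure and confidential", but `certtool --generate-privkey > key.pem` creates key.pem through a shell redirect with whatever permissions the caller's umask allows; set a restrictive umask (or chmod the file) in the snippet so the documented command matches the advice. The same step says to use an RSA private key while the command relies on certtool's default key type; state the type explicitly. The configure line contains a literal ellipsis character (=E2=80=A6) inside a shell code-block, which breaks copy and paste. In Constraints, "only support for SCSI scheme of virtio-blk/virtio-scsi devices" and "will cause the entire boot process terminating early" need rewording.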