When secure boot is enabled (-secure-boot on) and certificate(s) are
provided, the boot operates in True Secure IPL mode.
Any verification error during True Secure IPL mode will cause the
entire boot process to terminate.
Secure IPL in audit mode requires at least one certificate provided in
the key store along with necessary facilities. If secure boot is enabled
but no certificate is provided, the boot process will also terminate, as
this is not a valid secure boot configuration.
Note: True Secure IPL mode is implemented for the SCSI scheme of
virtio-blk/virtio-scsi devices.
Signed-off-by: Zhuoying Cai <zycai@linux.ibm.com>
Reviewed-by: Collin Walling <walling@linux.ibm.com>
---
docs/system/s390x/secure-ipl.rst | 13 +++++++++++++
pc-bios/s390-ccw/bootmap.c | 8 ++++++++
pc-bios/s390-ccw/s390-ccw.h | 1 +
pc-bios/s390-ccw/secure-ipl.c | 4 ++++
pc-bios/s390-ccw/secure-ipl.h | 3 +++
5 files changed, 29 insertions(+)
diff --git a/docs/system/s390x/secure-ipl.rst b/docs/system/s390x/secure-ipl.rst
index 2465f8b26d..e0af086c38 100644
--- a/docs/system/s390x/secure-ipl.rst
+++ b/docs/system/s390x/secure-ipl.rst
@@ -65,3 +65,16 @@ Configuration:
.. code-block:: shell
qemu-system-s390x -machine s390-ccw-virtio,boot-certs.0.path=/.../qemu/certs,boot-certs.1.path=/another/path/cert.pem ...
+
+Secure Mode
+-----------
+
+When the ``secure-boot=on`` option is set and certificates are provided,
+a secure boot is performed with error reporting enabled. The boot process aborts
+if any error occurs.
+
+Configuration:
+
+.. code-block:: shell
+
+ qemu-system-s390x -machine s390-ccw-virtio,secure-boot=on,boot-certs.0.path=/.../qemu/certs,boot-certs.1.path=/another/path/cert.pem ...
diff --git a/pc-bios/s390-ccw/bootmap.c b/pc-bios/s390-ccw/bootmap.c
index 1873a35511..bf8eee5ae0 100644
--- a/pc-bios/s390-ccw/bootmap.c
+++ b/pc-bios/s390-ccw/bootmap.c
@@ -738,6 +738,7 @@ static int zipl_run(ScsiBlockPtr *pte)
entry = (ComponentEntry *)(&header[1]);
switch (boot_mode) {
+ case ZIPL_BOOT_MODE_SECURE:
case ZIPL_BOOT_MODE_SECURE_AUDIT:
rc = zipl_run_secure(&entry, tmp_sec);
break;
@@ -1120,9 +1121,16 @@ ZiplBootMode get_boot_mode(uint8_t hdr_flags)
{
bool sipl_set = hdr_flags & DIAG308_IPIB_FLAGS_SIPL;
bool iplir_set = hdr_flags & DIAG308_IPIB_FLAGS_IPLIR;
+ VCStorageSizeBlock *vcssb;
if (!sipl_set && iplir_set) {
return ZIPL_BOOT_MODE_SECURE_AUDIT;
+ } else if (sipl_set && iplir_set) {
+ vcssb = zipl_secure_get_vcssb();
+ if (vcssb == NULL || vcssb->length == VCSSB_NO_VC) {
+ panic("Need at least one certificate for secure boot!");
+ }
+ return ZIPL_BOOT_MODE_SECURE;
}
return ZIPL_BOOT_MODE_NORMAL;
diff --git a/pc-bios/s390-ccw/s390-ccw.h b/pc-bios/s390-ccw/s390-ccw.h
index e1a8097c95..8538663bd5 100644
--- a/pc-bios/s390-ccw/s390-ccw.h
+++ b/pc-bios/s390-ccw/s390-ccw.h
@@ -91,6 +91,7 @@ void zipl_load(void);
typedef enum ZiplBootMode {
ZIPL_BOOT_MODE_NORMAL = 0,
ZIPL_BOOT_MODE_SECURE_AUDIT = 1,
+ ZIPL_BOOT_MODE_SECURE = 2,
} ZiplBootMode;
extern ZiplBootMode boot_mode;
diff --git a/pc-bios/s390-ccw/secure-ipl.c b/pc-bios/s390-ccw/secure-ipl.c
index d4e455ed0c..0befa6a8b3 100644
--- a/pc-bios/s390-ccw/secure-ipl.c
+++ b/pc-bios/s390-ccw/secure-ipl.c
@@ -280,6 +280,10 @@ static bool check_sclab_presence(uint8_t *sclab_magic, uint32_t *cei_flags)
*cei_flags |= S390_CEI_INVALID_SCLAB;
/* a missing SCLAB will not be reported in audit mode */
+ if (boot_mode == ZIPL_BOOT_MODE_SECURE) {
+ zipl_secure_handle("Magic does not match. SCLAB does not exist");
+ }
+
return false;
}
diff --git a/pc-bios/s390-ccw/secure-ipl.h b/pc-bios/s390-ccw/secure-ipl.h
index 75d1c8e046..039fcec516 100644
--- a/pc-bios/s390-ccw/secure-ipl.h
+++ b/pc-bios/s390-ccw/secure-ipl.h
@@ -82,6 +82,9 @@ static inline void zipl_secure_handle(const char *message)
case ZIPL_BOOT_MODE_SECURE_AUDIT:
IPL_check(false, message);
break;
+ case ZIPL_BOOT_MODE_SECURE:
+ panic(message);
+ break;
default:
break;
}
--
2.53.0