From: Zhuoying Cai
To: qemu-s390x@nongnu.org, qemu-devel@nongnu.org
Cc: jrossi@linux.ibm.com, cohuck@redhat.com, berrange@redhat.com, richard.henderson@linaro.org, pierrick.bouvier@linaro.org, david@kernel.org, walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com, brueckner@linux.ibm.com, jdaley@linux.ibm.com
Subject: [PATCH v10 01/30] Add boot-certs to s390-ccw-virtio machine type option
Date: Thu, 2 Apr 2026 18:14:23 -0400
Message-ID: <20260402221453.1602899-2-zycai@linux.ibm.com>
In-Reply-To: <20260402221453.1602899-1-zycai@linux.ibm.com>
References: <20260402221453.1602899-1-zycai@linux.ibm.com>

Introduce a new `boot-certs` machine type option for the s390-ccw-virtio
machine. This allows users to specify one or more certificate file paths
or directories to be used during secure boot.

Each entry is specified using the syntax:
    boot-certs..path=/path/to/cert.pem

Multiple paths can be specified using array properties:
    boot-certs.0.path=/path/to/cert.pem,
    boot-certs.1.path=/path/to/cert-dir,
    boot-certs.2.path=/path/to/another-dir...

Signed-off-by: Zhuoying Cai
Acked-by: Markus Armbruster
--- docs/system/s390x/secure-ipl.rst | 20 ++++++++++++++++++++ docs/system/target-s390x.rst | 1 + hw/s390x/s390-virtio-ccw.c | 30 ++++++++++++++++++++++++++++++ include/hw/s390x/s390-virtio-ccw.h | 2 ++ qapi/machine-s390x.json | 23 +++++++++++++++++++++++ qapi/pragma.json | 1 + qemu-options.hx | 6 +++++- 7 files changed, 82 insertions(+), 1 deletion(-) create mode 100644 docs/system/s390x/secure-ipl.rst diff --git a/docs/system/s390x/secure-ipl.rst b/docs/system/s390x/secure-ip= l.rst new file mode 100644 index 0000000000..0a02f171b4 --- /dev/null +++ b/docs/system/s390x/secure-ipl.rst @@ -0,0 +1,20 @@ +.. SPDX-License-Identifier: GPL-2.0-or-later + +Secure IPL Command Line Options +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D + +The s390-ccw-virtio machine type supports secure IPL. These parameters all= ow +users to provide certificates and enable secure IPL directly via the comma= nd +line. + +Providing Certificates +---------------------- + +The certificate store can be populated by supplying a list of X.509 certif= icate +file paths or directories containing certificate files on the command-line: + +Note: certificate files must have a .pem extension. + +.. code-block:: shell + + qemu-system-s390x -machine s390-ccw-virtio,boot-certs.0.path=3D/.../qe= mu/certs,boot-certs.1.path=3D/another/path/cert.pem ... diff --git a/docs/system/target-s390x.rst b/docs/system/target-s390x.rst index 94c981e732..8938a13d10 100644 --- a/docs/system/target-s390x.rst +++ b/docs/system/target-s390x.rst @@ -35,3 +35,4 @@ Architectural features s390x/bootdevices s390x/protvirt s390x/cpu-topology + s390x/secure-ipl
diff --git a/hw/s390x/s390-virtio-ccw.c b/hw/s390x/s390-virtio-ccw.c index 3ef009463d..a6f0fc4e00 100644 --- a/hw/s390x/s390-virtio-ccw.c +++ b/hw/s390x/s390-virtio-ccw.c @@ -44,6 +44,7 @@ #include "target/s390x/kvm/pv.h" #include "migration/blocker.h" #include "qapi/visitor.h" +#include "qapi/qapi-visit-machine-s390x.h" #include "hw/s390x/cpu-topology.h" #include "kvm/kvm_s390x.h" #include "hw/virtio/virtio-md-pci.h" @@ -788,6 +789,30 @@ static void machine_set_loadparm(Object *obj, Visitor = *v, g_free(val); } =20 +static void machine_get_boot_certs(Object *obj, Visitor *v, + const char *name, void *opaque, + Error **errp) +{ + S390CcwMachineState *ms =3D S390_CCW_MACHINE(obj); + BootCertificatesList **certs =3D &ms->boot_certs; + + visit_type_BootCertificatesList(v, name, certs, errp); +} + +static void machine_set_boot_certs(Object *obj, Visitor *v, const char *na= me, + void *opaque, Error **errp) +{ + S390CcwMachineState *ms =3D S390_CCW_MACHINE(obj); + BootCertificatesList *cert_list =3D NULL; + + visit_type_BootCertificatesList(v, name, &cert_list, errp); + if (!cert_list) { + return; + } + + ms->boot_certs =3D cert_list; +} + static void ccw_machine_class_init(ObjectClass *oc, const void *data) { MachineClass *mc =3D MACHINE_CLASS(oc); @@ -841,6 +866,11 @@ static void ccw_machine_class_init(ObjectClass *oc, co= nst void *data) "Up to 8 chars in set of [A-Za-z0-9. ] (lower case chars conve= rted" " to upper case) to pass to machine loader, boot manager," " and guest kernel"); + + object_class_property_add(oc, "boot-certs", "BootCertificatesList", + machine_get_boot_certs, machine_set_boot_cer= ts, NULL, NULL); + object_class_property_set_description(oc, "boot-certs", + "provide paths to a directory and/or a certificate file for se= cure boot"); } =20 static inline void s390_machine_initfn(Object *obj) diff --git a/include/hw/s390x/s390-virtio-ccw.h b/include/hw/s390x/s390-vir= tio-ccw.h index f1f06119d6..5ad1ea2f24 100644 
--- a/include/hw/s390x/s390-virtio-ccw.h +++ b/include/hw/s390x/s390-virtio-ccw.h @@ -14,6 +14,7 @@ #include "hw/core/boards.h" #include "qom/object.h" #include "hw/s390x/sclp.h" +#include "qapi/qapi-types-machine-s390x.h" =20 #define TYPE_S390_CCW_MACHINE "s390-ccw-machine" =20 @@ -31,6 +32,7 @@ struct S390CcwMachineState { uint8_t loadparm[8]; uint64_t memory_limit; uint64_t max_pagesize; + BootCertificatesList *boot_certs; =20 SCLPDevice *sclp; }; diff --git a/qapi/machine-s390x.json b/qapi/machine-s390x.json index ea430e1b88..bbe3646e91 100644 --- a/qapi/machine-s390x.json +++ b/qapi/machine-s390x.json @@ -140,3 +140,26 @@ { 'event': 'SCLP_CPI_INFO_AVAILABLE', 'features': [ 'unstable' ] } + +## +# @BootCertificates: +# +# Boot certificates for secure IPL. +# +# @path: path to an X.509 certificate file or a directory containing +# certificate files. +# +# Since: 11.1 +## +{ 'struct': 'BootCertificates', + 'data': {'path': 'str'} } + +## +# @DummyBootCertificates: +# +# Not used by QMP; hack to let us use BootCertificatesList internally. +# +# Since: 11.1 +## +{ 'struct': 'DummyBootCertificates', + 'data': {'unused-boot-certs': ['BootCertificates'] } } diff --git a/qapi/pragma.json b/qapi/pragma.json index 24aebbe8f5..342cedc42e 100644 --- a/qapi/pragma.json +++ b/qapi/pragma.json @@ -49,6 +49,7 @@ 'DisplayProtocol', 'DriveBackupWrapper', 'DummyBlockCoreForceArrays', + 'DummyBootCertificates', 'DummyForceArrays', 'DummyVirtioForceArrays', 'HotKeyMod', diff --git a/qemu-options.hx b/qemu-options.hx index 21972f8326..75e6c0f025 100644 --- a/qemu-options.hx +++ b/qemu-options.hx 
@@ -45,7 +45,8 @@ DEF("machine", HAS_ARG, QEMU_OPTION_machine, \ " memory-backend=3D'backend-id' specifies explicitly pr= ovided backend for main RAM (default=3Dnone)\n" " cxl-fmw.0.targets.0=3Dfirsttarget,cxl-fmw.0.targets.1= =3Dsecondtarget,cxl-fmw.0.size=3Dsize[,cxl-fmw.0.interleave-granularity=3Dg= ranularity]\n" " sgx-epc.0.memdev=3Dmemid,sgx-epc.0.node=3Dnumaid\n" - " smp-cache.0.cache=3Dcachename,smp-cache.0.topology=3D= topologylevel\n", + " smp-cache.0.cache=3Dcachename,smp-cache.0.topology=3D= topologylevel\n" + " boot-certs.0.path=3D/path/directory,boot-certs.1.path= =3D/path/file provides paths to a directory and/or a certificate file\n", QEMU_ARCH_ALL) SRST ``-machine [type=3D]name[,prop=3Dvalue[,...]]`` 
@@ -209,6 +210,9 @@ SRST :: =20 -machine smp-cache.0.cache=3Dl1d,smp-cache.0.topology=3Dcore,s= mp-cache.1.cache=3Dl1i,smp-cache.1.topology=3Dcore + + ``boot-certs.0.path=3D/path/directory,boot-certs.1.path=3D/path/file`` + Provide paths to a directory and/or a certificate file on the host= [s390x only]. ERST =20 DEF("M", HAS_ARG, QEMU_OPTION_M, --=20 2.53.0
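
Review bot: In docs/system/s390x/secure-ipl.rst the line "Note: certificate files must have a .pem extension." sits between the sentence ending in "on the command-line:" and the code-block that sentence introduces; move it below the example or turn it into a `.. note::` directive. The note should also state what happens to a file without the extension, both when it is named directly and when it sits inside a supplied directory, because for a secure-boot certificate store the operator needs to know when a certificate was not loaded. The same constraint is missing from the @path description in qapi/machine-s390x.json.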
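
Review bot: In hw/s390x/s390-virtio-ccw.c, machine_set_boot_certs() stores the new list with `ms->boot_certs = cert_list;` without releasing a list left by an earlier set, so setting boot-certs more than once leaks the previous BootCertificatesList. Free the old value first with the generated qapi_free_BootCertificatesList(ms->boot_certs). The setter also infers failure from cert_list staying NULL; checking the bool returned by visit_type_BootCertificatesList() would make the error path explicit and would separate a visit error from an empty list, which with `if (!cert_list) { return; }` silently keeps the old value.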
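
Review bot: In qemu-options.hx the line added to the DEF("machine", ...) help string lists boot-certs without the "[s390x only]" qualifier that the SRST text in the second hunk carries, and the entry stays under QEMU_ARCH_ALL, so the -machine help on every target advertises a property that only ccw_machine_class_init() registers. Add the qualifier to the DEF() string as well so the two descriptions agree.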
From: Zhuoying Cai
To: qemu-s390x@nongnu.org, qemu-devel@nongnu.org
Cc: jrossi@linux.ibm.com, cohuck@redhat.com, berrange@redhat.com, richard.henderson@linaro.org, pierrick.bouvier@linaro.org, david@kernel.org, walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com, brueckner@linux.ibm.com, jdaley@linux.ibm.com
Subject: [PATCH v10 02/30] crypto/x509-utils: Refactor with GNUTLS fallback
Date: Thu, 2 Apr 2026 18:14:24 -0400
Message-ID: <20260402221453.1602899-3-zycai@linux.ibm.com>
In-Reply-To: <20260402221453.1602899-1-zycai@linux.ibm.com>
References: <20260402221453.1602899-1-zycai@linux.ibm.com>

Always compile x509-utils.c and add a fallback when GNUTLS is
unavailable. These functions will be needed in the s390x code
regardless of whether GNUTLS is available.

Signed-off-by: Zhuoying Cai
Acked-by: Daniel P. Berrangé
Reviewed-by: Daniel P. Berrangé
Reviewed-by: Farhan Ali
Reviewed-by: Thomas Huth
--- crypto/meson.build | 2 +- crypto/x509-utils.c | 16 ++++++++++++++++ 2 files changed, 17 insertions(+), 1 deletion(-) diff --git a/crypto/meson.build b/crypto/meson.build index b51597a879..fda85543de 100644 --- a/crypto/meson.build +++ b/crypto/meson.build @@ -22,12 +22,12 @@ crypto_ss.add(files( 'tlscredsx509.c', 'tlssession.c', 'rsakey.c', + 'x509-utils.c', )) =20 if gnutls.found() crypto_ss.add(files( 'tlscredsbox.c', - 'x509-utils.c', )) endif =20 diff --git a/crypto/x509-utils.c b/crypto/x509-utils.c index 39bb6d4d8c..6176a88653 100644 --- a/crypto/x509-utils.c +++ b/crypto/x509-utils.c @@ -11,6 +11,8 @@ #include "qemu/osdep.h" #include "qapi/error.h" #include "crypto/x509-utils.h" + +#ifdef CONFIG_GNUTLS #include #include #include
@@ -78,3 +80,17 @@ int qcrypto_get_x509_cert_fingerprint(uint8_t *cert, siz= e_t size, gnutls_x509_crt_deinit(crt); return ret; } + +#else /* ! CONFIG_GNUTLS */ + +int qcrypto_get_x509_cert_fingerprint(uint8_t *cert, size_t size, + QCryptoHashAlgo hash, + uint8_t *result, + size_t *resultlen, + Error **errp) +{ + error_setg(errp, "GNUTLS is required to get fingerprint"); + return -1; +} + +#endif /* ! CONFIG_GNUTLS */ --=20 2.53.0
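
Review bot: In the new `#else /* ! CONFIG_GNUTLS */` branch of crypto/x509-utils.c, the stub qcrypto_get_x509_cert_fingerprint() is undocumented even though it changes the contract: with the crypto/meson.build hunk compiling x509-utils.c unconditionally, a build without GNUTLS now links the function and fails only at run time with "GNUTLS is required to get fingerprint". Add a comment on the declaration in include/crypto/x509-utils.h saying the function returns -1 and sets errp in builds without GNUTLS, so the s390x callers the commit message refers to treat that result as a hard failure.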
From: Zhuoying Cai
To: qemu-s390x@nongnu.org, qemu-devel@nongnu.org
Cc: jrossi@linux.ibm.com, cohuck@redhat.com, berrange@redhat.com, richard.henderson@linaro.org, pierrick.bouvier@linaro.org, david@kernel.org, walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com, brueckner@linux.ibm.com, jdaley@linux.ibm.com
Subject: [PATCH v10 03/30] crypto/x509-utils: Add helper functions for certificate store
Date: Thu, 2 Apr 2026 18:14:25 -0400
Message-ID: <20260402221453.1602899-4-zycai@linux.ibm.com>
In-Reply-To: <20260402221453.1602899-1-zycai@linux.ibm.com>
References: <20260402221453.1602899-1-zycai@linux.ibm.com>

Introduce new helper functions for x509 certificates, which will be used
by the certificate store:

qcrypto_x509_convert_cert_der() - converts a certificate from PEM to DER format

These functions provide support for certificate format conversion.
Signed-off-by: Zhuoying Cai Acked-by: Daniel P. Berrang=C3=A9 Reviewed-by: Daniel P. Berrang=C3=A9 Reviewed-by: Farhan Ali Reviewed-by: Thomas Huth --- crypto/x509-utils.c | 49 +++++++++++++++++++++++++++++++++++++ include/crypto/x509-utils.h | 21 ++++++++++++++++ 2 files changed, 70 insertions(+) diff --git a/crypto/x509-utils.c b/crypto/x509-utils.c index 6176a88653..2696d48155 100644 --- a/crypto/x509-utils.c +++ b/crypto/x509-utils.c @@ -81,6 +81,46 @@ int qcrypto_get_x509_cert_fingerprint(uint8_t *cert, siz= e_t size, return ret; } =20 +int qcrypto_x509_convert_cert_der(uint8_t *cert, size_t size, + uint8_t **result, size_t *resultlen, + Error **errp) +{ + int ret =3D -1; + int rc; + gnutls_x509_crt_t crt; + gnutls_datum_t datum =3D {.data =3D cert, .size =3D size}; + gnutls_datum_t datum_der =3D {.data =3D NULL, .size =3D 0}; + + rc =3D gnutls_x509_crt_init(&crt); + if (rc < 0) { + error_setg(errp, "Failed to initialize certificate: %s", gnutls_st= rerror(rc)); + return ret; + } + + rc =3D gnutls_x509_crt_import(crt, &datum, GNUTLS_X509_FMT_PEM); + if (rc !=3D 0) { + error_setg(errp, "Failed to import certificate: %s", gnutls_strerr= or(rc)); + goto cleanup; + } + + rc =3D gnutls_x509_crt_export2(crt, GNUTLS_X509_FMT_DER, &datum_der); + if (rc !=3D 0) { + error_setg(errp, "Failed to convert certificate to DER format: %s", + gnutls_strerror(rc)); + goto cleanup; + } + + *resultlen =3D datum_der.size; + *result =3D g_memdup2(datum_der.data, datum_der.size); + + ret =3D 0; + +cleanup: + gnutls_x509_crt_deinit(crt); + gnutls_free(datum_der.data); + return ret; +} + #else /* ! CONFIG_GNUTLS */ =20 int qcrypto_get_x509_cert_fingerprint(uint8_t *cert, size_t size, 
@@ -93,4 +133,13 @@ int qcrypto_get_x509_cert_fingerprint(uint8_t *cert, si= ze_t size, return -1; } =20 +int qcrypto_x509_convert_cert_der(uint8_t *cert, size_t size, + uint8_t **result, + size_t *resultlen, + Error **errp) +{ + error_setg(errp, "GNUTLS is required to export X.509 certificate"); + return -1; +} + #endif /* ! CONFIG_GNUTLS */ diff --git a/include/crypto/x509-utils.h b/include/crypto/x509-utils.h index 1e99661a71..91ae79fb03 100644 --- a/include/crypto/x509-utils.h +++ b/include/crypto/x509-utils.h 
@@ -19,4 +19,25 @@ int qcrypto_get_x509_cert_fingerprint(uint8_t *cert, siz= e_t size, size_t *resultlen, Error **errp); =20 +/** + * qcrypto_x509_convert_cert_der + * @cert: pointer to the raw certificate data in PEM format + * @size: size of the certificate + * @result: output location for the allocated buffer for the certificate + * in DER format + * (the function allocates memory which must be freed by the call= er) + * @resultlen: pointer to the size of the buffer (will be updated with the + * actual size of the DER-encoded certificate) + * @errp: error pointer + * + * Convert the given @cert from PEM to DER format. + * + * Returns: 0 on success, + * -1 on error. + */ +int qcrypto_x509_convert_cert_der(uint8_t *cert, size_t size, + uint8_t **result, + size_t *resultlen, + Error **errp); + #endif --=20 2.53.0
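Review bot: in qcrypto_x509_convert_cert_der() (crypto/x509-utils.c, CONFIG_GNUTLS branch), `size` is a size_t but is stored into gnutls_datum_t.size, which is an unsigned int, so an input larger than UINT_MAX is silently truncated before gnutls_x509_crt_import() parses it. Reject oversized input up front with error_setg() instead of relying on every caller to pass a small buffer. The return-code checks are also inconsistent (`rc < 0` after gnutls_x509_crt_init(), `rc != 0` after the import and export calls); pick one form.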
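Review bot: the doc comment added in include/crypto/x509-utils.h says the @result buffer "must be freed by the caller" without naming the function; the implementation returns memory from g_memdup2(), so the comment should say g_free(). @resultlen is described as "pointer to the size of the buffer (will be updated ...)", which reads as an in/out parameter, while the implementation only writes it; describe it as output-only and state that @result and @resultlen are left untouched on error.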
From: Zhuoying Cai
To: qemu-s390x@nongnu.org, qemu-devel@nongnu.org
Cc: jrossi@linux.ibm.com, cohuck@redhat.com, berrange@redhat.com, richard.henderson@linaro.org, pierrick.bouvier@linaro.org, david@kernel.org, walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com, brueckner@linux.ibm.com, jdaley@linux.ibm.com
Subject: [PATCH v10 04/30] hw/s390x/ipl: Create certificate store
Date: Thu, 2 Apr 2026 18:14:26 -0400
Message-ID: <20260402221453.1602899-5-zycai@linux.ibm.com>
In-Reply-To: <20260402221453.1602899-1-zycai@linux.ibm.com>
References: <20260402221453.1602899-1-zycai@linux.ibm.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Create a certificate store for boot certificates used for secure IPL. Load certificates from the `boot-certs` parameter of s390-ccw-virtio machine type option into the cert store. Currently, only X.509 certificates in PEM format are supported, as the QEMU command line accepts certificates in PEM format only.
Signed-off-by: Zhuoying Cai Reviewed-by: Farhan Ali --- docs/specs/index.rst | 1 + docs/specs/s390x-secure-ipl.rst | 16 +++ hw/s390x/cert-store.c | 221 ++++++++++++++++++++++++++++++++ hw/s390x/cert-store.h | 39 ++++++ hw/s390x/ipl.c | 10 ++ hw/s390x/ipl.h | 3 + hw/s390x/meson.build | 1 + include/hw/s390x/ipl/qipl.h | 2 + 8 files changed, 293 insertions(+) create mode 100644 docs/specs/s390x-secure-ipl.rst create mode 100644 hw/s390x/cert-store.c create mode 100644 hw/s390x/cert-store.h diff --git a/docs/specs/index.rst b/docs/specs/index.rst index b7909a108a..76d439782c 100644 --- a/docs/specs/index.rst +++ b/docs/specs/index.rst @@ -40,3 +40,4 @@ guest hardware that is specific to QEMU. riscv-aia aspeed-intc iommu-testdev + s390x-secure-ipl diff --git a/docs/specs/s390x-secure-ipl.rst b/docs/specs/s390x-secure-ipl.= rst new file mode 100644 index 0000000000..7ddac98a37 --- /dev/null +++ b/docs/specs/s390x-secure-ipl.rst @@ -0,0 +1,16 @@ +.. SPDX-License-Identifier: GPL-2.0-or-later + +s390 Certificate Store and Functions +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D + +s390 Certificate Store +---------------------- + +A certificate store is implemented for s390-ccw guests to retain within +memory all certificates provided by the user via the command-line, which +are expected to be stored somewhere on the host's file system. The store +will keep track of the number of certificates, their respective size, +and a summation of the sizes. + +Note: A maximum of 64 certificates are allowed to be stored in the certifi= cate +store. diff --git a/hw/s390x/cert-store.c b/hw/s390x/cert-store.c new file mode 100644 index 0000000000..a4f15627e9 --- /dev/null +++ b/hw/s390x/cert-store.c 
@@ -0,0 +1,221 @@ +/* + * S390 certificate store implementation + * + * Copyright 2025 IBM Corp. + * Author(s): Zhuoying Cai + * + * SPDX-License-Identifier: GPL-2.0-or-later + */ + +#include "qemu/osdep.h" +#include "cert-store.h" +#include "qapi/error.h" +#include "qemu/error-report.h" +#include "qemu/option.h" +#include "qemu/config-file.h" +#include "hw/s390x/ebcdic.h" +#include "hw/s390x/s390-virtio-ccw.h" +#include "qemu/cutils.h" +#include "crypto/x509-utils.h" +#include "qapi/qapi-types-machine-s390x.h" + +static BootCertificatesList *s390_get_boot_certs(void) +{ + return S390_CCW_MACHINE(qdev_get_machine())->boot_certs; +} + +static S390IPLCertificate *init_cert(char *path, Error **errp) +{ + int rc; + char *buf; + size_t size; + size_t der_len; + char name[CERT_NAME_MAX_LEN]; + g_autofree gchar *filename =3D NULL; + S390IPLCertificate *cert =3D NULL; + g_autofree uint8_t *cert_der =3D NULL; + Error *local_err =3D NULL; + + filename =3D g_path_get_basename(path); + + if (!g_file_get_contents(path, &buf, &size, NULL)) { + error_setg(errp, "Failed to load certificate: %s", path); + return NULL; + } + + rc =3D qcrypto_x509_convert_cert_der((uint8_t *)buf, size, + &cert_der, &der_len, &local_err); + if (rc !=3D 0) { + error_propagate_prepend(errp, local_err, + "Failed to initialize certificate: %s: ", = path); + g_free(buf); + return NULL; + } + + cert =3D g_new0(S390IPLCertificate, 1); + cert->size =3D size; + /* + * Store DER length only - reused for size calculation. + * cert_der is discarded because DER certificate data will be used once + * and can be regenerated from cert->raw. + */ + cert->der_size =3D der_len; + /* store raw pointer - ownership transfers to cert */ + cert->raw =3D (uint8_t *)buf; + + /* + * Left justified certificate name with padding on the right with blan= ks. + * Convert certificate name to EBCDIC. 
+ */ + strpadcpy(name, CERT_NAME_MAX_LEN, filename, ' '); + ebcdic_put(cert->name, name, CERT_NAME_MAX_LEN); + + return cert; +} + +static void update_cert_store(S390IPLCertificateStore *cert_store, + S390IPLCertificate *cert) +{ + size_t data_buf_size; + size_t keyid_buf_size; + size_t hash_buf_size; + size_t cert_buf_size; + + /* length field is word aligned for later DIAG use */ + keyid_buf_size =3D ROUND_UP(CERT_KEY_ID_LEN, 4); + hash_buf_size =3D ROUND_UP(CERT_HASH_LEN, 4); + cert_buf_size =3D ROUND_UP(cert->der_size, 4); + data_buf_size =3D keyid_buf_size + hash_buf_size + cert_buf_size; + + if (cert_store->largest_cert_size < data_buf_size) { + cert_store->largest_cert_size =3D data_buf_size; + } + + g_assert(cert_store->count < MAX_CERTIFICATES); + + cert_store->certs[cert_store->count] =3D *cert; + cert_store->total_bytes +=3D data_buf_size; + cert_store->count++; +} + +static GPtrArray *get_cert_paths(Error **errp) +{ + struct stat st; + BootCertificatesList *path_list =3D NULL; + BootCertificatesList *list =3D NULL; + gchar *cert_path; + GDir *dir =3D NULL; + const gchar *filename; + bool is_empty; + g_autoptr(GError) err =3D NULL; + g_autoptr(GPtrArray) cert_path_builder =3D g_ptr_array_new_full(0, g_f= ree); + + path_list =3D s390_get_boot_certs(); + + for (list =3D path_list; list; list =3D list->next) { + cert_path =3D list->value->path; + + if (g_strcmp0(cert_path, "") =3D=3D 0) { + error_setg(errp, "Empty path in certificate path list is not a= llowed"); + goto fail; + } + + if (stat(cert_path, &st) !=3D 0) { + error_setg(errp, "Failed to stat path '%s': %s", + cert_path, g_strerror(errno)); + goto fail; + } + + if (S_ISREG(st.st_mode)) { + if (!g_str_has_suffix(cert_path, ".pem")) { + error_setg(errp, "Certificate file '%s' must have a .pem e= xtension", + cert_path); + goto fail; + } + + g_ptr_array_add(cert_path_builder, g_strdup(cert_path)); + } else if (S_ISDIR(st.st_mode)) { + dir =3D g_dir_open(cert_path, 0, &err); + if (dir =3D=3D NULL) { + 
error_setg(errp, "Failed to open directory '%s': %s", + cert_path, err->message); + + goto fail; + } + + is_empty =3D true; + while ((filename =3D g_dir_read_name(dir))) { + is_empty =3D false; + + if (g_str_has_suffix(filename, ".pem")) { + g_ptr_array_add(cert_path_builder, + g_build_filename(cert_path, filename, = NULL)); + } else { + warn_report("skipping '%s': not a .pem file", filename= ); + } + } + + if (is_empty) { + warn_report("'%s' directory is empty", cert_path); + } + + g_dir_close(dir); + } else { + error_setg(errp, "Path '%s' is neither a file nor a directory"= , cert_path); + goto fail; + } + } + + qapi_free_BootCertificatesList(path_list); + return g_steal_pointer(&cert_path_builder); + +fail: + qapi_free_BootCertificatesList(path_list); + return NULL; +} + +void s390_ipl_create_cert_store(S390IPLCertificateStore *cert_store) +{ + GPtrArray *cert_path_builder; + Error *err =3D NULL; + + /* If cert store is already populated, then no work to do */ + if (cert_store->count) { + return; + } + + cert_path_builder =3D get_cert_paths(&err); + if (cert_path_builder =3D=3D NULL) { + error_report_err(err); + exit(1); + } + + if (cert_path_builder->len =3D=3D 0) { + g_ptr_array_free(cert_path_builder, TRUE); + return; + } + + if (cert_path_builder->len > MAX_CERTIFICATES) { + error_report("Cert store exceeds maximum of %d certificates", MAX_= CERTIFICATES); + g_ptr_array_free(cert_path_builder, TRUE); + exit(1); + } + + cert_store->largest_cert_size =3D 0; + cert_store->total_bytes =3D 0; + + for (int i =3D 0; i < cert_path_builder->len; i++) { + g_autofree S390IPLCertificate *cert =3D + init_cert((char *) cert_path_builder->pdata[i], + &err); + if (!cert) { + error_report_err(err); + g_ptr_array_free(cert_path_builder, TRUE); + exit(1); + } + + update_cert_store(cert_store, cert); + } + + g_ptr_array_free(cert_path_builder, TRUE); +} diff --git a/hw/s390x/cert-store.h b/hw/s390x/cert-store.h new file mode 100644 index 0000000000..7fc9503cb9 --- /dev/null 
+++ b/hw/s390x/cert-store.h @@ -0,0 +1,39 @@ +/* + * S390 certificate store + * + * Copyright 2025 IBM Corp. + * Author(s): Zhuoying Cai + * + * SPDX-License-Identifier: GPL-2.0-or-later + */ + +#ifndef HW_S390_CERT_STORE_H +#define HW_S390_CERT_STORE_H + +#include "hw/s390x/ipl/qipl.h" +#include "crypto/x509-utils.h" + +#define CERT_NAME_MAX_LEN 64 + +#define CERT_KEY_ID_LEN QCRYPTO_HASH_DIGEST_LEN_SHA256 +#define CERT_HASH_LEN QCRYPTO_HASH_DIGEST_LEN_SHA256 + +struct S390IPLCertificate { + uint8_t name[CERT_NAME_MAX_LEN]; + size_t size; + size_t der_size; + uint8_t *raw; +}; +typedef struct S390IPLCertificate S390IPLCertificate; + +struct S390IPLCertificateStore { + uint16_t count; + size_t largest_cert_size; + size_t total_bytes; + S390IPLCertificate certs[MAX_CERTIFICATES]; +}; +typedef struct S390IPLCertificateStore S390IPLCertificateStore; + +void s390_ipl_create_cert_store(S390IPLCertificateStore *cert_store); + +#endif diff --git a/hw/s390x/ipl.c b/hw/s390x/ipl.c index 1babcd2b7d..fbef46aee5 100644 --- a/hw/s390x/ipl.c +++ b/hw/s390x/ipl.c @@ -38,6 +38,7 @@ #include "qemu/option.h" #include "qemu/ctype.h" #include "standard-headers/linux/virtio_ids.h" +#include "cert-store.h" =20 #define KERN_IMAGE_START 0x010000UL #define LINUX_MAGIC_ADDR 0x010008UL @@ -453,6 +454,13 @@ void s390_ipl_convert_loadparm(char *ascii_lp, uint8_t= *ebcdic_lp) } } =20 +S390IPLCertificateStore *s390_ipl_get_certificate_store(void) +{ + S390IPLState *ipl =3D get_ipl_device(); + + return &ipl->cert_store; +} + static bool s390_build_iplb(DeviceState *dev_st, IplParameterBlock *iplb) { CcwDevice *ccw_dev =3D NULL; @@ -771,6 +779,8 @@ void s390_ipl_prepare_cpu(S390CPU *cpu) cpu->env.psw.addr =3D ipl->start_addr; cpu->env.psw.mask =3D IPL_PSW_MASK; =20 + s390_ipl_create_cert_store(&ipl->cert_store); + if (!ipl->kernel || ipl->iplb_valid) { cpu->env.psw.addr =3D ipl->bios_start_addr; if (!ipl->iplb_valid) { diff --git a/hw/s390x/ipl.h b/hw/s390x/ipl.h index 403cd08450..57f6a072a0 100644 
--- a/hw/s390x/ipl.h +++ b/hw/s390x/ipl.h @@ -13,6 +13,7 @@ #ifndef HW_S390_IPL_H #define HW_S390_IPL_H =20 +#include "cert-store.h" #include "cpu.h" #include "exec/target_page.h" #include "system/address-spaces.h" @@ -35,6 +36,7 @@ int s390_ipl_pv_unpack(struct S390PVResponse *pv_resp); void s390_ipl_prepare_cpu(S390CPU *cpu); IplParameterBlock *s390_ipl_get_iplb(void); IplParameterBlock *s390_ipl_get_iplb_pv(void); +S390IPLCertificateStore *s390_ipl_get_certificate_store(void); =20 enum s390_reset { /* default is a reset not triggered by a CPU e.g. issued by QMP */ @@ -63,6 +65,7 @@ struct S390IPLState { IplParameterBlock iplb; IplParameterBlock iplb_pv; QemuIplParameters qipl; + S390IPLCertificateStore cert_store; uint64_t start_addr; uint64_t compat_start_addr; uint64_t bios_start_addr; diff --git a/hw/s390x/meson.build b/hw/s390x/meson.build index 57cc2a6be3..6b39ad012f 100644 --- a/hw/s390x/meson.build +++ b/hw/s390x/meson.build @@ -17,6 +17,7 @@ s390x_ss.add(files( 'sclpcpu.c', 'sclpquiesce.c', 'tod.c', + 'cert-store.c', )) s390x_ss.add(when: 'CONFIG_KVM', if_true: files( 'tod-kvm.c', diff --git a/include/hw/s390x/ipl/qipl.h b/include/hw/s390x/ipl/qipl.h index 8d3c83a80b..ed1a91182a 100644 --- a/include/hw/s390x/ipl/qipl.h +++ b/include/hw/s390x/ipl/qipl.h 
@@ -31,6 +31,8 @@ typedef enum S390IplType S390IplType; =20 #define QEMU_DEFAULT_IPL S390_IPL_TYPE_CCW =20 +#define MAX_CERTIFICATES 64 + /* * The QEMU IPL Parameters will be stored at absolute address * 204 (0xcc) which means it is 32-bit word aligned but not --=20 2.53.0
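Review bot: get_cert_paths() in hw/s390x/cert-store.c calls qapi_free_BootCertificatesList(path_list) on both the success and the fail path, but path_list comes from s390_get_boot_certs(), which returns the machine's own `boot_certs` pointer rather than a copy. After the first call the machine object still points at freed memory, and because s390_ipl_create_cert_store() only returns early when `cert_store->count` is non-zero, a later s390_ipl_prepare_cpu() call with a store that stayed empty (for example, only empty directories were given) would walk and free that list again. Either drop the two frees and leave ownership with the machine, or have the helper return a QAPI_CLONE() copy that this function owns. Separately, directory entries are accepted on the `.pem` suffix alone, so a subdirectory named `x.pem` reaches init_cert() and ends in exit(1) instead of being skipped with a warning like other non-certificate entries.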
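Review bot: the new "s390 Certificate Store" section in docs/specs/s390x-secure-ipl.rst says what the store tracks but not how a user populates it. The code in this patch enforces rules a user will hit immediately: each `boot-certs` path must be a regular file ending in `.pem` or a directory, an empty path is rejected, non-`.pem` directory entries are skipped with a warning, and more than 64 certificates makes QEMU exit. Please document those, together with the restriction to PEM-encoded X.509 input, which is currently stated only in the commit message.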
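Review bot: struct S390IPLCertificate in hw/s390x/cert-store.h has no field comments, and its two size fields are easy to confuse: init_cert() sets `size` to the PEM file length and `raw` to the PEM bytes, while `der_size` is the DER length that update_cert_store() uses for `total_bytes` and `largest_cert_size`. Add a one-line comment per field, and state who owns `raw`, since nothing in this patch frees it. The `name` field is also filled from the basename truncated to CERT_NAME_MAX_LEN, so two files with the same basename in different directories get identical names; say whether names are expected to be unique.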
From: Zhuoying Cai
To: qemu-s390x@nongnu.org, qemu-devel@nongnu.org
Cc: jrossi@linux.ibm.com, cohuck@redhat.com, berrange@redhat.com, richard.henderson@linaro.org, pierrick.bouvier@linaro.org, david@kernel.org, walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com, brueckner@linux.ibm.com, jdaley@linux.ibm.com
Subject: [PATCH v10 05/30] s390x/diag: Introduce DIAG 320 for Certificate Store Facility
Date: Thu, 2 Apr 2026 18:14:27 -0400
Message-ID: <20260402221453.1602899-6-zycai@linux.ibm.com>
In-Reply-To: <20260402221453.1602899-1-zycai@linux.ibm.com>
References: <20260402221453.1602899-1-zycai@linux.ibm.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

DIAGNOSE 320 is introduced to support Certificate Store (CS) Facility, which includes operations such as query certificate storage information and provide certificates in the certificate store. Currently, only subcode 0 is supported with this patch, which is used to query the Installed Subcodes Mask (ISM). This subcode is only supported when the CS facility is enabled.
Availability of CS facility is determined by byte 134 bit 5 of the SCLP Read Info block. Byte 134's facilities cannot be represented without the availability of the extended-length-SCCB, so add it as a check for consistency. Note: secure IPL is not available for Secure Execution (SE) guests, as their images are already integrity protected, and an additional protection of the kernel by secure IPL is not necessary. This feature is available starting with the gen16 CPU model. Signed-off-by: Zhuoying Cai Reviewed-by: Collin Walling Reviewed-by: Farhan Ali Reviewed-by: Thomas Huth --- docs/specs/s390x-secure-ipl.rst | 12 +++++++++ include/hw/s390x/ipl/diag320.h | 20 ++++++++++++++ target/s390x/cpu_features.c | 1 + target/s390x/cpu_features_def.h.inc | 1 + target/s390x/cpu_models.c | 2 ++ target/s390x/diag.c | 42 +++++++++++++++++++++++++++++ target/s390x/gen-features.c | 3 +++ target/s390x/kvm/kvm.c | 16 +++++++++++ target/s390x/s390x-internal.h | 2 ++ target/s390x/tcg/misc_helper.c | 7 +++++ 10 files changed, 106 insertions(+) create mode 100644 include/hw/s390x/ipl/diag320.h diff --git a/docs/specs/s390x-secure-ipl.rst b/docs/specs/s390x-secure-ipl.= rst index 7ddac98a37..96a8d0fb83 100644 --- a/docs/specs/s390x-secure-ipl.rst +++ b/docs/specs/s390x-secure-ipl.rst @@ -14,3 +14,15 @@ and a summation of the sizes. =20 Note: A maximum of 64 certificates are allowed to be stored in the certifi= cate store. + +DIAGNOSE function code 'X'320' - Certificate Store Facility +----------------------------------------------------------- + +DIAGNOSE 'X'320' is used to provide support for guest code to directly +query the s390 certificate store. Guest code may be the s390-ccw BIOS or +the guest kernel. + +Subcode 0 - query installed subcodes + Returns a 256-bit installed subcodes mask (ISM) stored in the installed + subcodes block (ISB). This mask indicates which subcodes are currently + installed and available for use. 
diff --git a/include/hw/s390x/ipl/diag320.h b/include/hw/s390x/ipl/diag320.h new file mode 100644 index 0000000000..aa04b699c6 --- /dev/null +++ b/include/hw/s390x/ipl/diag320.h @@ -0,0 +1,20 @@ +/* + * S/390 DIAGNOSE 320 definitions and structures + * + * Copyright 2025 IBM Corp. + * Author(s): Zhuoying Cai + * + * SPDX-License-Identifier: GPL-2.0-or-later + */ + +#ifndef S390X_DIAG320_H +#define S390X_DIAG320_H + +#define DIAG_320_SUBC_QUERY_ISM 0 + +#define DIAG_320_RC_OK 0x0001 +#define DIAG_320_RC_NOT_SUPPORTED 0x0102 + +#define DIAG_320_ISM_QUERY_SUBCODES 0x80000000 + +#endif diff --git a/target/s390x/cpu_features.c b/target/s390x/cpu_features.c index 4b5be6798e..436471f4b4 100644 --- a/target/s390x/cpu_features.c +++ b/target/s390x/cpu_features.c @@ -147,6 +147,7 @@ void s390_fill_feat_block(const S390FeatBitmap features= , S390FeatType type, break; case S390_FEAT_TYPE_SCLP_FAC134: clear_be_bit(s390_feat_def(S390_FEAT_DIAG_318)->bit, data); + clear_be_bit(s390_feat_def(S390_FEAT_CERT_STORE)->bit, data); break; default: return; diff --git a/target/s390x/cpu_features_def.h.inc b/target/s390x/cpu_feature= s_def.h.inc index c017bffcdc..2976ecd0ee 100644 --- a/target/s390x/cpu_features_def.h.inc +++ b/target/s390x/cpu_features_def.h.inc @@ -138,6 +138,7 @@ DEF_FEAT(SIE_IBS, "ibs", SCLP_CONF_CHAR_EXT, 10, "SIE: = Interlock-and-broadcast-s =20 /* Features exposed via SCLP SCCB Facilities byte 134 (bit numbers relativ= e to byte-134) */ DEF_FEAT(DIAG_318, "diag318", SCLP_FAC134, 0, "Control program name and ve= rsion codes") +DEF_FEAT(CERT_STORE, "cstore", SCLP_FAC134, 5, "Certificate Store function= s") =20 /* Features exposed via SCLP CPU info. */ DEF_FEAT(SIE_F2, "sief2", SCLP_CPU, 4, "SIE: interception format 2 (Virtua= l SIE)") diff --git a/target/s390x/cpu_models.c b/target/s390x/cpu_models.c index 0b88868289..962f135f42 100644 --- a/target/s390x/cpu_models.c +++ b/target/s390x/cpu_models.c 
@@ -248,6 +248,7 @@ bool s390_has_feat(S390Feat feat) if (s390_is_pv()) { switch (feat) { case S390_FEAT_DIAG_318: + case S390_FEAT_CERT_STORE: case S390_FEAT_HPMA2: case S390_FEAT_SIE_F2: case S390_FEAT_SIE_SKEY: @@ -505,6 +506,7 @@ static void check_consistency(const S390CPUModel *model) { S390_FEAT_PTFF_STOUE, S390_FEAT_MULTIPLE_EPOCH }, { S390_FEAT_AP_QUEUE_INTERRUPT_CONTROL, S390_FEAT_AP }, { S390_FEAT_DIAG_318, S390_FEAT_EXTENDED_LENGTH_SCCB }, + { S390_FEAT_CERT_STORE, S390_FEAT_EXTENDED_LENGTH_SCCB }, { S390_FEAT_NNPA, S390_FEAT_VECTOR }, { S390_FEAT_RDP, S390_FEAT_LOCAL_TLB_CLEARING }, { S390_FEAT_UV_FEAT_AP, S390_FEAT_AP }, diff --git a/target/s390x/diag.c b/target/s390x/diag.c index da44b0133e..6373544bb2 100644 --- a/target/s390x/diag.c +++ b/target/s390x/diag.c @@ -18,6 +18,7 @@ #include "hw/watchdog/wdt_diag288.h" #include "system/cpus.h" #include "hw/s390x/ipl.h" +#include "hw/s390x/ipl/diag320.h" #include "hw/s390x/s390-virtio-ccw.h" #include "system/kvm.h" #include "kvm/kvm_s390x.h" 
@@ -192,3 +193,44 @@ out: break; } } + +void handle_diag_320(CPUS390XState *env, uint64_t r1, uint64_t r3, uintptr= _t ra) +{ + S390CPU *cpu =3D env_archcpu(env); + uint64_t subcode =3D env->regs[r3]; + uint64_t addr =3D env->regs[r1]; + + if (env->psw.mask & PSW_MASK_PSTATE) { + s390_program_interrupt(env, PGM_PRIVILEGED, ra); + return; + } + + if (!s390_has_feat(S390_FEAT_CERT_STORE) || + (subcode & ~0x000ffULL) || + (r1 & 1)) { + s390_program_interrupt(env, PGM_SPECIFICATION, ra); + return; + } + + + switch (subcode) { + case DIAG_320_SUBC_QUERY_ISM: + /* + * The Installed Subcode Block (ISB) can be up 8 words in size, + * but the current set of subcodes can fit within a single word + * for now. + */ + uint32_t ism_word0 =3D cpu_to_be32(DIAG_320_ISM_QUERY_SUBCODES); + + if (s390_cpu_virt_mem_write(cpu, addr, r1, &ism_word0, sizeof(ism_= word0))) { + s390_cpu_virt_mem_handle_exc(cpu, ra); + return; + } + + env->regs[r1 + 1] =3D DIAG_320_RC_OK; + break; + default: + env->regs[r1 + 1] =3D DIAG_320_RC_NOT_SUPPORTED; + break; + } +} diff --git a/target/s390x/gen-features.c b/target/s390x/gen-features.c index 8218e6470e..6c20c3a862 100644 --- a/target/s390x/gen-features.c +++ b/target/s390x/gen-features.c @@ -720,6 +720,7 @@ static uint16_t full_GEN16_GA1[] =3D { S390_FEAT_PAIE, S390_FEAT_UV_FEAT_AP, S390_FEAT_UV_FEAT_AP_INTR, + S390_FEAT_CERT_STORE, }; =20 static uint16_t full_GEN17_GA1[] =3D { @@ -919,6 +920,8 @@ static uint16_t qemu_MAX[] =3D { S390_FEAT_KIMD_SHA_512, S390_FEAT_KLMD_SHA_512, S390_FEAT_PRNO_TRNG, + S390_FEAT_EXTENDED_LENGTH_SCCB, + S390_FEAT_CERT_STORE, }; =20 /****** END FEATURE DEFS ******/ diff --git a/target/s390x/kvm/kvm.c b/target/s390x/kvm/kvm.c index 54d28e37d4..fb7a99f380 100644 --- a/target/s390x/kvm/kvm.c +++ b/target/s390x/kvm/kvm.c 
@@ -98,6 +98,7 @@ #define DIAG_TIMEREVENT 0x288 #define DIAG_IPL 0x308 #define DIAG_SET_CONTROL_PROGRAM_CODES 0x318 +#define DIAG_CERT_STORE 0x320 #define DIAG_KVM_HYPERCALL 0x500 #define DIAG_KVM_BREAKPOINT 0x501 =20 @@ -1560,6 +1561,16 @@ static void handle_diag_318(S390CPU *cpu, struct kvm= _run *run) } } =20 +static void kvm_handle_diag_320(S390CPU *cpu, struct kvm_run *run) +{ + uint64_t r1, r3; + + r1 =3D (run->s390_sieic.ipa & 0x00f0) >> 4; + r3 =3D run->s390_sieic.ipa & 0x000f; + + handle_diag_320(&cpu->env, r1, r3, RA_IGNORED); +} + #define DIAG_KVM_CODE_MASK 0x000000000000ffff =20 static int handle_diag(S390CPU *cpu, struct kvm_run *run, uint32_t ipb) @@ -1590,6 +1601,9 @@ static int handle_diag(S390CPU *cpu, struct kvm_run *= run, uint32_t ipb) case DIAG_KVM_BREAKPOINT: r =3D handle_sw_breakpoint(cpu, run); break; + case DIAG_CERT_STORE: + kvm_handle_diag_320(cpu, run); + break; default: trace_kvm_insn_diag(func_code); kvm_s390_program_interrupt(cpu, PGM_SPECIFICATION); @@ -2488,6 +2502,8 @@ bool kvm_s390_get_host_cpu_model(S390CPUModel *model,= Error **errp) set_bit(S390_FEAT_DIAG_318, model->features); } =20 + set_bit(S390_FEAT_CERT_STORE, model->features); + /* Test for Ultravisor features that influence secure guest behavior */ query_uv_feat_guest(model->features); =20 diff --git a/target/s390x/s390x-internal.h b/target/s390x/s390x-internal.h index 40850bcdc4..b16490bce6 100644 --- a/target/s390x/s390x-internal.h +++ b/target/s390x/s390x-internal.h @@ -388,6 +388,8 @@ int mmu_translate_real(CPUS390XState *env, hwaddr raddr= , int rw, int handle_diag_288(CPUS390XState *env, uint64_t r1, uint64_t r3); void handle_diag_308(CPUS390XState *env, uint64_t r1, uint64_t r3, uintptr_t ra); +void handle_diag_320(CPUS390XState *env, uint64_t r1, uint64_t r3, + uintptr_t ra); =20 =20 /* translate.c */ diff --git a/target/s390x/tcg/misc_helper.c b/target/s390x/tcg/misc_helper.c index 1fd900fbbf..4d73475d95 100644 --- a/target/s390x/tcg/misc_helper.c 
+++ b/target/s390x/tcg/misc_helper.c 
@@ -142,6 +142,13 @@ void HELPER(diag)(CPUS390XState *env, uint32_t r1, uin= t32_t r3, uint32_t num) /* time bomb (watchdog) */ r =3D handle_diag_288(env, r1, r3); break; + case 0x320: + /* cert store */ + bql_lock(); + handle_diag_320(env, r1, r3, GETPC()); + bql_unlock(); + r =3D 0; + break; default: r =3D -1; break; --=20 2.53.0
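Review bot: in handle_diag_320() (target/s390x/diag.c), subcode 0 writes only sizeof(ism_word0), 4 bytes, to the guest, while the documentation added in docs/specs/s390x-secure-ipl.rst describes the ISM as a 256-bit mask in the ISB. The other 28 bytes of the guest's block keep whatever the guest had there, so a caller that did not zero its buffer can read stale bits as installed subcodes. Consider writing a zero-initialised 32-byte block with word 0 set. In the same case, the declaration of ism_word0 follows the case label directly; a declaration after a label is only valid C from C23 on, so put the case body in braces. The comment also reads "can be up 8 words" and should say "up to".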
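Review bot: in kvm_s390_get_host_cpu_model() (target/s390x/kvm/kvm.c), S390_FEAT_CERT_STORE is set unconditionally, whereas the S390_FEAT_DIAG_318 line directly above it sits inside a conditional block. Add a comment saying why no host capability check is needed (the DIAG is dispatched to kvm_handle_diag_320() from QEMU's own handle_diag()), so the asymmetry does not read as a missing check.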
From: Zhuoying Cai
To: qemu-s390x@nongnu.org, qemu-devel@nongnu.org
Cc: jrossi@linux.ibm.com, cohuck@redhat.com, berrange@redhat.com, richard.henderson@linaro.org, pierrick.bouvier@linaro.org, david@kernel.org, walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com, brueckner@linux.ibm.com, jdaley@linux.ibm.com
Subject: [PATCH v10 06/30] s390x/diag: Refactor address validation check from diag308_parm_check
Date: Thu, 2 Apr 2026 18:14:28 -0400
Message-ID: <20260402221453.1602899-7-zycai@linux.ibm.com>
In-Reply-To: <20260402221453.1602899-1-zycai@linux.ibm.com>
References: <20260402221453.1602899-1-zycai@linux.ibm.com>

Create a function to validate the address parameter of DIAGNOSE. Refactor the function for reuse in the next patch, which allows address validation in read or write operation of DIAGNOSE.

Signed-off-by: Zhuoying Cai
Reviewed-by: Farhan Ali
Reviewed-by: Collin Walling
Reviewed-by: Hendrik Brueckner
Reviewed-by: Thomas Huth
---
 target/s390x/diag.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/target/s390x/diag.c b/target/s390x/diag.c index 6373544bb2..8ab40437a2 100644 --- a/target/s390x/diag.c +++ b/target/s390x/diag.c @@ -26,6 +26,12 @@ #include "qemu/error-report.h" =20 =20 +static inline bool diag_parm_addr_valid(uint64_t addr, size_t size, bool w= rite) +{ + return address_space_access_valid(&address_space_memory, addr, + size, write, MEMTXATTRS_UNSPECIFIED); +} + int handle_diag_288(CPUS390XState *env, uint64_t r1, uint64_t r3) { uint64_t func =3D env->regs[r1]; 
@@ -65,9 +71,7 @@ static int diag308_parm_check(CPUS390XState *env, uint64_= t r1, uint64_t addr, s390_program_interrupt(env, PGM_SPECIFICATION, ra); return -1; } - if (!address_space_access_valid(&address_space_memory, addr, - sizeof(IplParameterBlock), write, - MEMTXATTRS_UNSPECIFIED)) { + if (!diag_parm_addr_valid(addr, sizeof(IplParameterBlock), write)) { s390_program_interrupt(env, PGM_ADDRESSING, ra); return -1; } --=20 2.53.0
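Review bot: the new diag_parm_addr_valid() helper in target/s390x/diag.c has no comment saying what kind of address callers must pass. It checks addr against address_space_memory, and since the commit message says it is meant for reuse by other DIAGNOSE handlers, a one-line comment stating that expectation would keep a later caller from passing an address that first needs translation.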
From: Zhuoying Cai
To: qemu-s390x@nongnu.org, qemu-devel@nongnu.org
Cc: jrossi@linux.ibm.com, cohuck@redhat.com, berrange@redhat.com, richard.henderson@linaro.org, pierrick.bouvier@linaro.org, david@kernel.org, walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com, brueckner@linux.ibm.com, jdaley@linux.ibm.com
Subject: [PATCH v10 07/30] s390x/diag: Implement DIAG 320 subcode 1
Date: Thu, 2 Apr 2026 18:14:29 -0400
Message-ID: <20260402221453.1602899-8-zycai@linux.ibm.com>
In-Reply-To: <20260402221453.1602899-1-zycai@linux.ibm.com>
References: <20260402221453.1602899-1-zycai@linux.ibm.com>

DIAG 320 subcode 1 provides information needed to determine the amount of storage to store one or more certificates from the certificate store. Upon successful completion, this subcode returns information of the current cert store, such as the number of certificates stored and allowed in the cert store, the amount of space that may need to be allocated to store a certificate, etc. for verification-certificate blocks (VCBs).
The subcode value is denoted by setting the left-most bit of an 8-byte field. The verification-certificate-storage-size block (VCSSB) contains the output data when the operation completes successfully. A VCSSB length of 4 indicates that no certificate are available in the cert store. Signed-off-by: Zhuoying Cai Reviewed-by: Farhan Ali Reviewed-by: Collin Walling --- docs/specs/s390x-secure-ipl.rst | 12 +++++++ include/hw/s390x/ipl/diag320.h | 22 ++++++++++++ target/s390x/diag.c | 63 ++++++++++++++++++++++++++++++++- 3 files changed, 96 insertions(+), 1 deletion(-) diff --git a/docs/specs/s390x-secure-ipl.rst b/docs/specs/s390x-secure-ipl.= rst index 96a8d0fb83..52661fab00 100644 --- a/docs/specs/s390x-secure-ipl.rst +++ b/docs/specs/s390x-secure-ipl.rst @@ -26,3 +26,15 @@ Subcode 0 - query installed subcodes Returns a 256-bit installed subcodes mask (ISM) stored in the installed subcodes block (ISB). This mask indicates which subcodes are currently installed and available for use. + +Subcode 1 - query verification certificate storage information + Provides the information required to determine the amount of memory ne= eded + to store one or more verification-certificates (VCs) from the certific= ate + store (CS). + + Upon successful completion, this subcode returns various storage size = values + for verification-certificate blocks (VCBs). + + The output is returned in the verification-certificate-storage-size bl= ock + (VCSSB). A VCSSB length of 4 indicates that no certificates are availa= ble + in the CS. diff --git a/include/hw/s390x/ipl/diag320.h b/include/hw/s390x/ipl/diag320.h index aa04b699c6..6e4779c699 100644 --- a/include/hw/s390x/ipl/diag320.h +++ b/include/hw/s390x/ipl/diag320.h 
@@ -11,10 +11,32 @@ #define S390X_DIAG320_H =20 #define DIAG_320_SUBC_QUERY_ISM 0 +#define DIAG_320_SUBC_QUERY_VCSI 1 =20 #define DIAG_320_RC_OK 0x0001 #define DIAG_320_RC_NOT_SUPPORTED 0x0102 +#define DIAG_320_RC_INVAL_VCSSB_LEN 0x0202 =20 #define DIAG_320_ISM_QUERY_SUBCODES 0x80000000 +#define DIAG_320_ISM_QUERY_VCSI 0x40000000 + +#define VCSSB_NO_VC 4 +#define VCSSB_MIN_LEN 128 +#define VCE_HEADER_LEN 128 +#define VCB_HEADER_LEN 64 + +struct VCStorageSizeBlock { + uint32_t length; + uint8_t reserved0[3]; + uint8_t version; + uint32_t reserved1[6]; + uint16_t total_vc_ct; + uint16_t max_vc_ct; + uint32_t reserved3[11]; + uint32_t max_single_vcb_len; + uint32_t total_vcb_len; + uint32_t reserved4[10]; +}; +typedef struct VCStorageSizeBlock VCStorageSizeBlock; =20 #endif diff --git a/target/s390x/diag.c b/target/s390x/diag.c index 8ab40437a2..c44624e1e6 100644 --- a/target/s390x/diag.c +++ b/target/s390x/diag.c 
@@ -198,11 +198,54 @@ out: } } =20 +static int handle_diag320_query_vcsi(S390CPU *cpu, uint64_t addr, uint64_t= r1, + uintptr_t ra, S390IPLCertificateStore= *cs) +{ + g_autofree VCStorageSizeBlock *vcssb =3D NULL; + + vcssb =3D g_new0(VCStorageSizeBlock, 1); + if (s390_cpu_virt_mem_read(cpu, addr, r1, vcssb, sizeof(*vcssb))) { + s390_cpu_virt_mem_handle_exc(cpu, ra); + return -1; + } + + if (be32_to_cpu(vcssb->length) > sizeof(*vcssb)) { + return DIAG_320_RC_INVAL_VCSSB_LEN; + } + + if (be32_to_cpu(vcssb->length) < VCSSB_MIN_LEN) { + return DIAG_320_RC_INVAL_VCSSB_LEN; + } + + if (!cs->count) { + vcssb->length =3D cpu_to_be32(VCSSB_NO_VC); + } else { + vcssb->version =3D 0; + vcssb->total_vc_ct =3D cpu_to_be16(cs->count); + vcssb->max_vc_ct =3D cpu_to_be16(MAX_CERTIFICATES); + vcssb->max_single_vcb_len =3D cpu_to_be32(VCB_HEADER_LEN + VCE_HEA= DER_LEN + + cs->largest_cert_size); + vcssb->total_vcb_len =3D cpu_to_be32(VCB_HEADER_LEN + cs->count * = VCE_HEADER_LEN + + cs->total_bytes); + } + + if (s390_cpu_virt_mem_write(cpu, addr, r1, vcssb, be32_to_cpu(vcssb->l= ength))) { + s390_cpu_virt_mem_handle_exc(cpu, ra); + return -1; + } + return DIAG_320_RC_OK; +} + +QEMU_BUILD_BUG_MSG(sizeof(VCStorageSizeBlock) !=3D VCSSB_MIN_LEN, + "size of VCStorageSizeBlock is wrong"); + void handle_diag_320(CPUS390XState *env, uint64_t r1, uint64_t r3, uintptr= _t ra) { S390CPU *cpu =3D env_archcpu(env); + S390IPLCertificateStore *cs =3D s390_ipl_get_certificate_store(); uint64_t subcode =3D env->regs[r3]; uint64_t addr =3D env->regs[r1]; + int rc; =20 if (env->psw.mask & PSW_MASK_PSTATE) { s390_program_interrupt(env, PGM_PRIVILEGED, ra); 
@@ -224,7 +267,8 @@ void handle_diag_320(CPUS390XState *env, uint64_t r1, u= int64_t r3, uintptr_t ra) * but the current set of subcodes can fit within a single word * for now. */ - uint32_t ism_word0 =3D cpu_to_be32(DIAG_320_ISM_QUERY_SUBCODES); + uint32_t ism_word0 =3D cpu_to_be32(DIAG_320_ISM_QUERY_SUBCODES | + DIAG_320_ISM_QUERY_VCSI); =20 if (s390_cpu_virt_mem_write(cpu, addr, r1, &ism_word0, sizeof(ism_= word0))) { s390_cpu_virt_mem_handle_exc(cpu, ra); 
@@ -233,6 +277,23 @@ void handle_diag_320(CPUS390XState *env, uint64_t r1, = uint64_t r3, uintptr_t ra) =20 env->regs[r1 + 1] =3D DIAG_320_RC_OK; break; + case DIAG_320_SUBC_QUERY_VCSI: + if (addr & 0x7) { + s390_program_interrupt(env, PGM_SPECIFICATION, ra); + return; + } + + if (!diag_parm_addr_valid(addr, sizeof(VCStorageSizeBlock), true))= { + s390_program_interrupt(env, PGM_ADDRESSING, ra); + return; + } + + rc =3D handle_diag320_query_vcsi(cpu, addr, r1, ra, cs); + if (rc =3D=3D -1) { + return; + } + env->regs[r1 + 1] =3D rc; + break; default: env->regs[r1 + 1] =3D DIAG_320_RC_NOT_SUPPORTED; break; --=20 2.53.0
From: Zhuoying Cai
To: qemu-s390x@nongnu.org, qemu-devel@nongnu.org
Cc: jrossi@linux.ibm.com, cohuck@redhat.com, berrange@redhat.com, richard.henderson@linaro.org, pierrick.bouvier@linaro.org, david@kernel.org, walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com, brueckner@linux.ibm.com, jdaley@linux.ibm.com
Subject: [PATCH v10 08/30] crypto/x509-utils: Add helper functions for DIAG 320 subcode 2
Date: Thu, 2 Apr 2026 18:14:30 -0400
Message-ID: <20260402221453.1602899-9-zycai@linux.ibm.com>
In-Reply-To: <20260402221453.1602899-1-zycai@linux.ibm.com>
References: <20260402221453.1602899-1-zycai@linux.ibm.com>
Content-Transfer-Encoding: quoted-printable

Introduce new helper functions to extract certificate metadata:

qcrypto_x509_check_cert_times() - validates the certificate's validity period against the current time
qcrypto_x509_get_pk_algorithm() - returns the public key algorithm used in the certificate
qcrypto_x509_get_cert_key_id() - extracts the key ID from the certificate
qcrypto_x509_check_ecc_curve_p521() - determines the ECC public key algorithm uses P-521
curve These functions provide support for metadata extraction and validity checki= ng for X.509 certificates. Signed-off-by: Zhuoying Cai Reviewed-by: Farhan Ali --- crypto/x509-utils.c | 236 ++++++++++++++++++++++++++++++++++++ include/crypto/x509-utils.h | 51 ++++++++ 2 files changed, 287 insertions(+) diff --git a/crypto/x509-utils.c b/crypto/x509-utils.c index 2696d48155..906d5e5e87 100644 --- a/crypto/x509-utils.c +++ b/crypto/x509-utils.c @@ -27,6 +27,16 @@ static const int qcrypto_to_gnutls_hash_alg_map[QCRYPTO_= HASH_ALGO__MAX] =3D { [QCRYPTO_HASH_ALGO_RIPEMD160] =3D GNUTLS_DIG_RMD160, }; =20 +static const int qcrypto_to_gnutls_keyid_flags_map[] =3D { + [QCRYPTO_HASH_ALGO_MD5] =3D -1, + [QCRYPTO_HASH_ALGO_SHA1] =3D GNUTLS_KEYID_USE_SHA1, + [QCRYPTO_HASH_ALGO_SHA224] =3D -1, + [QCRYPTO_HASH_ALGO_SHA256] =3D GNUTLS_KEYID_USE_SHA256, + [QCRYPTO_HASH_ALGO_SHA384] =3D -1, + [QCRYPTO_HASH_ALGO_SHA512] =3D GNUTLS_KEYID_USE_SHA512, + [QCRYPTO_HASH_ALGO_RIPEMD160] =3D -1, +}; + int qcrypto_get_x509_cert_fingerprint(uint8_t *cert, size_t size, QCryptoHashAlgo alg, uint8_t *result, 
@@ -121,6 +131,210 @@ cleanup: return ret; } =20 +int qcrypto_x509_check_cert_times(uint8_t *cert, size_t size, Error **errp) +{ + int rc; + int ret =3D -1; + gnutls_x509_crt_t crt; + gnutls_datum_t datum =3D {.data =3D cert, .size =3D size}; + time_t now =3D time(NULL); + time_t exp_time; + time_t act_time; + + if (now =3D=3D ((time_t)-1)) { + error_setg_errno(errp, errno, "Cannot get current time"); + return ret; + } + + rc =3D gnutls_x509_crt_init(&crt); + if (rc < 0) { + error_setg(errp, "Failed to initialize certificate: %s", gnutls_st= rerror(rc)); + return ret; + } + + rc =3D gnutls_x509_crt_import(crt, &datum, GNUTLS_X509_FMT_PEM); + if (rc !=3D 0) { + error_setg(errp, "Failed to import certificate: %s", gnutls_strerr= or(rc)); + goto cleanup; + } + + exp_time =3D gnutls_x509_crt_get_expiration_time(crt); + if (exp_time =3D=3D ((time_t)-1)) { + error_setg(errp, "Failed to get certificate expiration time"); + goto cleanup; + } + if (exp_time < now) { + error_setg(errp, "The certificate has expired"); + goto cleanup; + } + + act_time =3D gnutls_x509_crt_get_activation_time(crt); + if (act_time =3D=3D ((time_t)-1)) { + error_setg(errp, "Failed to get certificate activation time"); + goto cleanup; + } + if (act_time > now) { + error_setg(errp, "The certificate is not yet active"); + goto cleanup; + } + + ret =3D 0; + +cleanup: + gnutls_x509_crt_deinit(crt); + return ret; +} + +static int qcrypto_x509_get_pk_algorithm(uint8_t *cert, size_t size, Error= **errp) +{ + int rc; + int ret =3D -1; + unsigned int bits; + gnutls_x509_crt_t crt; + gnutls_datum_t datum =3D {.data =3D cert, .size =3D size}; + + rc =3D gnutls_x509_crt_init(&crt); + if (rc < 0) { + error_setg(errp, "Failed to initialize certificate: %s", gnutls_st= rerror(rc)); + return ret; + } + + rc =3D gnutls_x509_crt_import(crt, &datum, GNUTLS_X509_FMT_PEM); + if (rc !=3D 0) { + error_setg(errp, "Failed to import certificate: %s", gnutls_strerr= or(rc)); + goto cleanup; + } + + rc =3D 
gnutls_x509_crt_get_pk_algorithm(crt, &bits); + if (rc < 0) { + error_setg(errp, "Unknown public key algorithm %d", rc); + goto cleanup; + } + + ret =3D rc; + +cleanup: + gnutls_x509_crt_deinit(crt); + return ret; +} + +int qcrypto_x509_get_cert_key_id(uint8_t *cert, size_t size, + QCryptoHashAlgo hash_alg, + uint8_t **result, + size_t *resultlen, + Error **errp) +{ + int rc; + int ret =3D -1; + gnutls_x509_crt_t crt; + gnutls_datum_t datum =3D {.data =3D cert, .size =3D size}; + + if (hash_alg >=3D G_N_ELEMENTS(qcrypto_to_gnutls_hash_alg_map)) { + error_setg(errp, "Unknown hash algorithm %d", hash_alg); + return ret; + } + + if (hash_alg >=3D G_N_ELEMENTS(qcrypto_to_gnutls_keyid_flags_map) || + qcrypto_to_gnutls_keyid_flags_map[hash_alg] =3D=3D -1) { + error_setg(errp, "Unsupported key id flag %d", hash_alg); + return ret; + } + + rc =3D gnutls_x509_crt_init(&crt); + if (rc < 0) { + error_setg(errp, "Failed to initialize certificate: %s", gnutls_st= rerror(rc)); + return ret; + } + + rc =3D gnutls_x509_crt_import(crt, &datum, GNUTLS_X509_FMT_PEM); + if (rc !=3D 0) { + error_setg(errp, "Failed to import certificate: %s", gnutls_strerr= or(rc)); + goto cleanup; + } + + *resultlen =3D gnutls_hash_get_len(qcrypto_to_gnutls_hash_alg_map[hash= _alg]); + if (*resultlen =3D=3D 0) { + error_setg(errp, "Failed to get hash algorithn length: %s", gnutls= _strerror(rc)); + goto cleanup; + } + + *result =3D g_malloc0(*resultlen); + if (gnutls_x509_crt_get_key_id(crt, + qcrypto_to_gnutls_keyid_flags_map[hash_= alg], + *result, resultlen) !=3D 0) { + error_setg(errp, "Failed to get key ID from certificate"); + g_clear_pointer(result, g_free); + goto cleanup; + } + + ret =3D 0; + +cleanup: + gnutls_x509_crt_deinit(crt); + return ret; +} + +static int qcrypto_x509_get_ecc_curve(uint8_t *cert, size_t size, Error **= errp) +{ + int rc; + int ret =3D -1; + gnutls_x509_crt_t crt; + gnutls_datum_t datum =3D {.data =3D cert, .size =3D size}; + gnutls_ecc_curve_t curve_id; + 
gnutls_datum_t x =3D {.data =3D NULL, .size =3D 0}; + gnutls_datum_t y =3D {.data =3D NULL, .size =3D 0}; + + rc =3D gnutls_x509_crt_init(&crt); + if (rc < 0) { + error_setg(errp, "Failed to initialize certificate: %s", gnutls_st= rerror(rc)); + return ret; + } + + rc =3D gnutls_x509_crt_import(crt, &datum, GNUTLS_X509_FMT_PEM); + if (rc !=3D 0) { + error_setg(errp, "Failed to import certificate: %s", gnutls_strerr= or(rc)); + goto cleanup; + } + + rc =3D gnutls_x509_crt_get_pk_ecc_raw(crt, &curve_id, &x, &y); + if (rc !=3D 0) { + error_setg(errp, "Failed to get ECC public key curve: %s", gnutls_= strerror(rc)); + goto cleanup; + } + + ret =3D curve_id; + +cleanup: + gnutls_x509_crt_deinit(crt); + gnutls_free(x.data); + gnutls_free(y.data); + return ret; +} + +int qcrypto_x509_check_ecc_curve_p521(uint8_t *cert, size_t size, Error **= errp) +{ + int algo; + int curve_id; + + algo =3D qcrypto_x509_get_pk_algorithm(cert, size, errp); + if (algo !=3D GNUTLS_PK_ECDSA) { + return 0; + } + + curve_id =3D qcrypto_x509_get_ecc_curve(cert, size, errp); + if (curve_id =3D=3D -1) { + error_setg(errp, "Failed to get ECC curve"); + return -1; + } + + if (curve_id =3D=3D GNUTLS_ECC_CURVE_INVALID) { + error_setg(errp, "Invalid ECC curve"); + return -1; + } + + return curve_id =3D=3D GNUTLS_ECC_CURVE_SECP521R1; +} + #else /* ! CONFIG_GNUTLS */ =20 int qcrypto_get_x509_cert_fingerprint(uint8_t *cert, size_t size, 
@@ -142,4 +356,26 @@ int qcrypto_x509_convert_cert_der(uint8_t *cert, size_= t size, return -1; } =20 +int qcrypto_x509_check_cert_times(uint8_t *cert, size_t size, Error **errp) +{ + error_setg(errp, "GNUTLS is required to get certificate times"); + return -1; +} + +int qcrypto_x509_get_cert_key_id(uint8_t *cert, size_t size, + QCryptoHashAlgo hash_alg, + uint8_t **result, + size_t *resultlen, + Error **errp) +{ + error_setg(errp, "GNUTLS is required to get key ID"); + return -1; +} + +int qcrypto_x509_check_ecc_curve_p521(uint8_t *cert, size_t size, Error **= errp) +{ + error_setg(errp, "GNUTLS is required to determine ecc curve"); + return -1; +} + #endif /* ! CONFIG_GNUTLS */ diff --git a/include/crypto/x509-utils.h b/include/crypto/x509-utils.h index 91ae79fb03..6040894a46 100644 --- a/include/crypto/x509-utils.h +++ b/include/crypto/x509-utils.h 
@@ -40,4 +40,55 @@ int qcrypto_x509_convert_cert_der(uint8_t *cert, size_t = size, size_t *resultlen, Error **errp); =20 +/** + * qcrypto_x509_check_cert_times + * @cert: pointer to the raw certificate data + * @size: size of the certificate + * @errp: error pointer + * + * Check whether the activation and expiration times of @cert + * are valid at the current time. + * + * Returns: 0 if the certificate times are valid, + * -1 on error. + */ +int qcrypto_x509_check_cert_times(uint8_t *cert, size_t size, Error **errp= ); + +/** + * qcrypto_x509_get_cert_key_id + * @cert: pointer to the raw certificate data + * @size: size of the certificate + * @hash_alg: the hash algorithm flag + * @result: output location for the allocated buffer for key ID + * (the function allocates memory which must be freed by the call= er) + * @resultlen: pointer to the size of the buffer + * (will be updated with the actual size of key id) + * @errp: error pointer + * + * Retrieve the key ID from the @cert based on the specified @flag. + * + * Returns: 0 if key ID was successfully stored in @result, + * -1 on error. + */ +int qcrypto_x509_get_cert_key_id(uint8_t *cert, size_t size, + QCryptoHashAlgo hash_alg, + uint8_t **result, + size_t *resultlen, + Error **errp); + +/** + * qcrypto_x509_check_ecc_curve_p521 + * @cert: pointer to the raw certificate data + * @size: size of the certificate + * @errp: error pointer + * + * Determine whether the ECC public key in the given certificate uses the = P-521 + * curve. + * + * Returns: 0 if ECC public key does not use P521 curve. + * 1 if ECC public key uses P521 curve. + * -1 on error. 
+ */ +int qcrypto_x509_check_ecc_curve_p521(uint8_t *cert, size_t size, Error **= errp); + #endif --=20 2.53.0 From nobody Tue Apr 7 09:40:04 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass(p=reject dis=none) header.from=linux.ibm.com ARC-Seal: i=1; a=rsa-sha256; t=1775168204; cv=none; d=zohomail.com; s=zohoarc; b=fcjc8o9vPZ6zcFXY48DJGqkkGXDewD5sp8WmM6oflhnhDlKxv52MzlRWSb7fAVbhLaq4O8vw0Z9Sx83tmIDOAWPtmEXX62p5RVUpwAjm7GlsEmTJUZabq9Dy31VspTlD2CowDv4ohKeGiUZmqSEt217F5IO1mlMK9cmN1VrNOEg= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1775168204; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=v1ZQVi8UvQVOhwDiaMd0vew3OF15YZuhnxWIDW5x3+E=; b=c8jZMMlDW0Sqj3fG8HE21yNDtZzwOlN2PiYgLmfNDc9nsSP54MAu+wI/rrLxdiCnbUxUAOyfC6wIbrYoJlAPQ4g8woSmqXe3EBy/ZgpsCaiZnM5Y8dFV/WgS4b9FpX+O4rE8LxJB46nBoE1idBRy/RlJpDe3egdKWFCaE7sLfoc= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass header.from= (p=reject dis=none) Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1775168204756196.13102889317406; Thu, 2 Apr 2026 15:16:44 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1w8QK2-0000nM-Gq; Thu, 02 Apr 2026 18:15:30 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) 
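Review bot: In the crypto/x509-utils.c hunk (@@ -121,6 +131,210 @@), qcrypto_x509_check_ecc_curve_p521() calls error_setg(errp, "Failed to get ECC curve") in its `curve_id == -1` branch, but qcrypto_x509_get_ecc_curve() has already set errp on every path that returns -1, so the same Error is set twice; drop the second error_setg() and just return -1. In the same function, qcrypto_x509_get_pk_algorithm() also returns -1 with errp set on failure, yet `if (algo != GNUTLS_PK_ECDSA) { return 0; }` turns that failure into "not P-521" while leaving the Error populated; get_key_type() in patch 09/30 only calls error_report_err() when rc is -1, so that Error is neither reported nor freed. Test `algo < 0` first and return -1. In qcrypto_x509_get_cert_key_id(), the `*resultlen == 0` branch formats gnutls_strerror(rc) with the rc left over from the successful import, so the message describes no real failure, and the string has a typo ("algorithn").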
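Review bot: In the include/crypto/x509-utils.h hunk (@@ -40,4 +40,55 @@), the comment for qcrypto_x509_get_cert_key_id() says the key ID is retrieved "based on the specified @flag", but no such parameter exists; it should name @hash_alg. @resultlen is documented as "pointer to the size of the buffer", which reads as an input, while the implementation overwrites it with gnutls_hash_get_len() before allocating *result; describe it as output only. All three comments call @cert "raw certificate data", but every helper in the .c hunk imports with GNUTLS_X509_FMT_PEM, so the PEM requirement should be stated. For qcrypto_x509_check_cert_times(), the single -1 return covers an expired or not-yet-active certificate as well as init and import failures; say so in the Returns text so callers do not treat every -1 as an expiry.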
From: Zhuoying Cai
To: qemu-s390x@nongnu.org, qemu-devel@nongnu.org
Cc: jrossi@linux.ibm.com, cohuck@redhat.com, berrange@redhat.com, richard.henderson@linaro.org, pierrick.bouvier@linaro.org, david@kernel.org, walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com, brueckner@linux.ibm.com, jdaley@linux.ibm.com
Subject: [PATCH v10 09/30] s390x/diag: Implement DIAG 320 subcode 2
Date: Thu, 2 Apr 2026 18:14:31 -0400
Message-ID: <20260402221453.1602899-10-zycai@linux.ibm.com>
In-Reply-To: <20260402221453.1602899-1-zycai@linux.ibm.com>
References: <20260402221453.1602899-1-zycai@linux.ibm.com>
Content-Transfer-Encoding: quoted-printable

DIAG 320 subcode 2 provides verification-certificates (VCs) that are in the certificate store. Only X509 certificates in DER format and SHA-256 hash type are recognized. The subcode value is denoted by setting the second-left-most bit of an 8-byte field. The Verification Certificate Block (VCB) contains the output data when the operation completes successfully.
It includes a common header followed by zero or more Verification Certificate Entries (VCEs), depending on the VCB input length and the VC range (from the first VC index to the last VC index) in the certificate store. Each VCE contains information about a certificate retrieved from the S390IPLCertificateStore, such as the certificate name, key type, key ID length, hash length, and the raw certificate data. The key ID and hash are extracted from the raw certificate by the crypto AP= I. Note: SHA2-256 VC hash type is required for retrieving the hash (fingerprint) of the certificate. Signed-off-by: Zhuoying Cai --- docs/specs/s390x-secure-ipl.rst | 24 +++ hw/s390x/cert-store.h | 3 +- include/hw/s390x/ipl/diag320.h | 55 ++++++ target/s390x/diag.c | 338 +++++++++++++++++++++++++++++++- 4 files changed, 417 insertions(+), 3 deletions(-) diff --git a/docs/specs/s390x-secure-ipl.rst b/docs/specs/s390x-secure-ipl.= rst index 52661fab00..1a712a0e0c 100644 --- a/docs/specs/s390x-secure-ipl.rst +++ b/docs/specs/s390x-secure-ipl.rst 
@@ -38,3 +38,27 @@ Subcode 1 - query verification certificate storage infor= mation The output is returned in the verification-certificate-storage-size bl= ock (VCSSB). A VCSSB length of 4 indicates that no certificates are availa= ble in the CS. + +Subcode 2 - store verification certificates + Provides VCs that are in the certificate store. + + The output is provided in a VCB, which includes a common header follow= ed by + zero or more verification-certificate entries (VCEs). + + The instruction expects the cert store to maintain an origin of 1 for = the + index (i.e. a retrieval of the first certificate in the store should be + denoted by setting first-VC to 1). + + The first-VC and last-VC fields of the VCB specify the index range of + VCs to be stored in the VCB. Certs are stored sequentially, starting + with first-VC index. As each cert is stored, a "stored count" is + incremented. If there is not enough space to store all certs requested + by the index range, a "remaining count" will be recorded and no more + certificates will be stored. + + Each VCE contains a header followed by information extracted from a + certificate within the certificate store. The information includes: + key-id, hash, and certificate data. This information is stored + contiguously in a VCE (with zero-padding). Following the header, the + key-id is immediately stored. The hash and certificate data follow and + may be accessed via the respective offset fields stored in the VCE. diff --git a/hw/s390x/cert-store.h b/hw/s390x/cert-store.h index 7fc9503cb9..6f5ee63177 100644 --- a/hw/s390x/cert-store.h +++ b/hw/s390x/cert-store.h @@ -11,10 +11,9 @@ #define HW_S390_CERT_STORE_H =20 #include "hw/s390x/ipl/qipl.h" +#include "hw/s390x/ipl/diag320.h" #include "crypto/x509-utils.h" =20 -#define CERT_NAME_MAX_LEN 64 - #define CERT_KEY_ID_LEN QCRYPTO_HASH_DIGEST_LEN_SHA256 #define CERT_HASH_LEN QCRYPTO_HASH_DIGEST_LEN_SHA256 =20 
diff --git a/include/hw/s390x/ipl/diag320.h b/include/hw/s390x/ipl/diag320.h index 6e4779c699..bfd6385b40 100644 --- a/include/hw/s390x/ipl/diag320.h +++ b/include/hw/s390x/ipl/diag320.h @@ -12,19 +12,37 @@ =20 #define DIAG_320_SUBC_QUERY_ISM 0 #define DIAG_320_SUBC_QUERY_VCSI 1 +#define DIAG_320_SUBC_STORE_VC 2 =20 #define DIAG_320_RC_OK 0x0001 #define DIAG_320_RC_NOT_SUPPORTED 0x0102 #define DIAG_320_RC_INVAL_VCSSB_LEN 0x0202 +#define DIAG_320_RC_INVAL_VCB_LEN 0x0204 +#define DIAG_320_RC_BAD_RANGE 0x0302 =20 #define DIAG_320_ISM_QUERY_SUBCODES 0x80000000 #define DIAG_320_ISM_QUERY_VCSI 0x40000000 +#define DIAG_320_ISM_STORE_VC 0x20000000 =20 #define VCSSB_NO_VC 4 #define VCSSB_MIN_LEN 128 #define VCE_HEADER_LEN 128 +/* + * If the VCE flags indicate an invalid certificate, + * the VCE length is set to 72, containing only the + * first five fields of VCEntry. + */ +#define VCE_INVALID_LEN 72 #define VCB_HEADER_LEN 64 =20 +#define CERT_NAME_MAX_LEN 64 + +#define DIAG_320_VCE_FLAGS_VALID 0x80 +#define DIAG_320_VCE_KEYTYPE_SELF_DESCRIBING 0 +#define DIAG_320_VCE_KEYTYPE_ECDSA_P521 1 +#define DIAG_320_VCE_FORMAT_X509_DER 1 +#define DIAG_320_VCE_HASHTYPE_SHA2_256 1 + struct VCStorageSizeBlock { uint32_t length; uint8_t reserved0[3]; 
@@ -39,4 +57,41 @@ struct VCStorageSizeBlock { }; typedef struct VCStorageSizeBlock VCStorageSizeBlock; =20 +struct VCBlock { + uint32_t in_len; + uint32_t reserved0; + uint16_t first_vc_index; + uint16_t last_vc_index; + uint32_t reserved1[5]; + uint32_t out_len; + uint8_t reserved2[4]; + uint16_t stored_ct; + uint16_t remain_ct; + uint32_t reserved3[5]; + uint8_t vce_buf[]; +}; +typedef struct VCBlock VCBlock; + +struct VCEntry { + uint32_t len; + uint8_t flags; + uint8_t key_type; + uint16_t cert_idx; + uint8_t name[CERT_NAME_MAX_LEN]; + uint8_t format; + uint8_t reserved0; + uint16_t keyid_len; + uint8_t reserved1; + uint8_t hash_type; + uint16_t hash_len; + uint32_t reserved2; + uint32_t cert_len; + uint32_t reserved3[2]; + uint16_t hash_offset; + uint16_t cert_offset; + uint32_t reserved4[7]; + uint8_t cert_buf[]; +}; +typedef struct VCEntry VCEntry; + #endif diff --git a/target/s390x/diag.c b/target/s390x/diag.c index c44624e1e6..d62e134f74 100644 --- a/target/s390x/diag.c +++ b/target/s390x/diag.c @@ -17,13 +17,16 @@ #include "s390x-internal.h" #include "hw/watchdog/wdt_diag288.h" #include "system/cpus.h" +#include "hw/s390x/cert-store.h" #include "hw/s390x/ipl.h" #include "hw/s390x/ipl/diag320.h" #include "hw/s390x/s390-virtio-ccw.h" #include "system/kvm.h" #include "kvm/kvm_s390x.h" #include "target/s390x/kvm/pv.h" +#include "qapi/error.h" #include "qemu/error-report.h" +#include "crypto/x509-utils.h" =20 =20 static inline bool diag_parm_addr_valid(uint64_t addr, size_t size, bool w= rite) 
@@ -236,8 +239,328 @@ static int handle_diag320_query_vcsi(S390CPU *cpu, ui= nt64_t addr, uint64_t r1, return DIAG_320_RC_OK; } =20 +static bool is_cert_valid(const S390IPLCertificate *cert) +{ + int rc; + Error *err =3D NULL; + + rc =3D qcrypto_x509_check_cert_times(cert->raw, cert->size, &err); + if (rc !=3D 0) { + error_report_err(err); + return false; + } + + return true; +} + +static int handle_key_id(VCEntry *vce, const S390IPLCertificate *cert) +{ + int rc; + g_autofree unsigned char *key_id_data =3D NULL; + size_t key_id_len; + Error *err =3D NULL; + + rc =3D qcrypto_x509_get_cert_key_id(cert->raw, cert->size, + QCRYPTO_HASH_ALGO_SHA256, + &key_id_data, &key_id_len, &err); + if (rc < 0) { + error_report_err(err); + return -1; + } + + if (VCE_HEADER_LEN + key_id_len > be32_to_cpu(vce->len)) { + error_report("Unable to write key ID: exceeds buffer bounds"); + return -1; + } + + vce->keyid_len =3D cpu_to_be16(key_id_len); + + memcpy(vce->cert_buf, key_id_data, key_id_len); + + return 0; +} + +static int handle_hash(VCEntry *vce, const S390IPLCertificate *cert, + uint16_t keyid_field_len) +{ + int rc; + uint16_t hash_offset; + g_autofree void *hash_data =3D NULL; + size_t hash_len; + Error *err =3D NULL; + + hash_len =3D CERT_HASH_LEN; + hash_data =3D g_malloc0(hash_len); + rc =3D qcrypto_get_x509_cert_fingerprint(cert->raw, cert->size, + QCRYPTO_HASH_ALGO_SHA256, + hash_data, &hash_len, &err); + if (rc < 0) { + error_report_err(err); + return -1; + } + + hash_offset =3D VCE_HEADER_LEN + keyid_field_len; + if (hash_offset + hash_len > be32_to_cpu(vce->len)) { + error_report("Unable to write hash: exceeds buffer bounds"); + return -1; + } + + vce->hash_len =3D cpu_to_be16(hash_len); + vce->hash_type =3D DIAG_320_VCE_HASHTYPE_SHA2_256; + vce->hash_offset =3D cpu_to_be16(hash_offset); + + memcpy((uint8_t *)vce + hash_offset, hash_data, hash_len); + + return 0; +} + +static int handle_cert(VCEntry *vce, const S390IPLCertificate *cert, + uint16_t hash_field_len) +{ 
+ int rc; + uint16_t cert_offset; + g_autofree uint8_t *cert_der =3D NULL; + size_t der_size; + Error *err =3D NULL; + + rc =3D qcrypto_x509_convert_cert_der(cert->raw, cert->size, + &cert_der, &der_size, &err); + if (rc < 0) { + error_report_err(err); + return -1; + } + + cert_offset =3D be16_to_cpu(vce->hash_offset) + hash_field_len; + if (cert_offset + der_size > be32_to_cpu(vce->len)) { + error_report("Unable to write certificate: exceeds buffer bounds"); + return -1; + } + + vce->format =3D DIAG_320_VCE_FORMAT_X509_DER; + vce->cert_len =3D cpu_to_be32(der_size); + vce->cert_offset =3D cpu_to_be16(cert_offset); + + memcpy((uint8_t *)vce + cert_offset, cert_der, der_size); + + return 0; +} + +static int get_key_type(const S390IPLCertificate *cert) +{ + int rc; + Error *err =3D NULL; + + rc =3D qcrypto_x509_check_ecc_curve_p521(cert->raw, cert->size, &err); + if (rc =3D=3D -1) { + error_report_err(err); + return -1; + } + + return (rc =3D=3D 1) ? DIAG_320_VCE_KEYTYPE_ECDSA_P521 : + DIAG_320_VCE_KEYTYPE_SELF_DESCRIBING; +} + +static int build_vce_header(VCEntry *vce, const S390IPLCertificate *cert, = int idx) +{ + int key_type; + + vce->len =3D cpu_to_be32(VCE_HEADER_LEN); + vce->cert_idx =3D cpu_to_be16(idx + 1); + memcpy(vce->name, cert->name, CERT_NAME_MAX_LEN); + + key_type =3D get_key_type(cert); + if (key_type =3D=3D -1) { + return -1; + } + vce->key_type =3D key_type; + + return 0; +} + +static int build_vce_data(VCEntry *vce, const S390IPLCertificate *cert) +{ + uint16_t keyid_field_len; + uint16_t hash_field_len; + uint32_t cert_field_len; + uint32_t vce_len; + int rc; + + rc =3D handle_key_id(vce, cert); + if (rc) { + return -1; + } + keyid_field_len =3D ROUND_UP(be16_to_cpu(vce->keyid_len), 4); + + rc =3D handle_hash(vce, cert, keyid_field_len); + if (rc) { + return -1; + } + hash_field_len =3D ROUND_UP(be16_to_cpu(vce->hash_len), 4); + + rc =3D handle_cert(vce, cert, hash_field_len); + if (rc || !is_cert_valid(cert)) { + return -1; + } + cert_field_len 
=3D ROUND_UP(be32_to_cpu(vce->cert_len), 4); + + vce_len =3D VCE_HEADER_LEN + keyid_field_len + hash_field_len + cert_f= ield_len; + if (vce_len > be32_to_cpu(vce->len)) { + return -1; + } + + vce->flags |=3D DIAG_320_VCE_FLAGS_VALID; + + /* Update vce length to reflect the actual size used by vce */ + vce->len =3D cpu_to_be32(vce_len); + + return 0; +} + +static VCEntry *diag_320_build_vce(const S390IPLCertificate *cert, int idx) +{ + g_autofree VCEntry *vce =3D NULL; + uint32_t vce_max_size; + int rc; + + /* + * Each field of the VCE is word-aligned. + * Allocate enough space for the largest possible size for this VCE. + * As the certificate fields (key-id, hash, data) are parsed, the + * VCE's length field will be updated accordingly. + */ + vce_max_size =3D VCE_HEADER_LEN + + ROUND_UP(CERT_KEY_ID_LEN, 4) + + ROUND_UP(CERT_HASH_LEN, 4) + + ROUND_UP(cert->der_size, 4); + + vce =3D g_malloc0(vce_max_size); + rc =3D build_vce_header(vce, cert, idx); + if (rc) { + /* + * Error occurs - VCE does not contain a valid certificate. + * Bit 0 of the VCE flags is 0 and the VCE length is set. 
+ */ + vce->len =3D cpu_to_be32(VCE_INVALID_LEN); + goto out; + } + + vce->len =3D cpu_to_be32(vce_max_size); + rc =3D build_vce_data(vce, cert); + if (rc) { + vce->len =3D cpu_to_be32(VCE_INVALID_LEN); + } + +out: + return g_steal_pointer(&vce); +} + +static int handle_diag320_store_vc(S390CPU *cpu, uint64_t addr, uint64_t r= 1, uintptr_t ra, + S390IPLCertificateStore *cs) +{ + g_autofree VCBlock *vcb =3D NULL; + size_t remaining_space; + uint16_t first_vc_index; + uint16_t last_vc_index; + int cs_start_index; + int cs_end_index; + uint32_t in_len; + + vcb =3D g_new0(VCBlock, 1); + if (s390_cpu_virt_mem_read(cpu, addr, r1, vcb, sizeof(*vcb))) { + s390_cpu_virt_mem_handle_exc(cpu, ra); + return -1; + } + + in_len =3D be32_to_cpu(vcb->in_len); + first_vc_index =3D be16_to_cpu(vcb->first_vc_index); + last_vc_index =3D be16_to_cpu(vcb->last_vc_index); + + if (in_len % TARGET_PAGE_SIZE !=3D 0) { + return DIAG_320_RC_INVAL_VCB_LEN; + } + + if (first_vc_index > last_vc_index) { + return DIAG_320_RC_BAD_RANGE; + } + + vcb->out_len =3D VCB_HEADER_LEN; + + /* + * DIAG 320 subcode 2 expects to query a certificate store that + * maintains an index origin of 1. However, the S390IPLCertificateStore + * maintains an index origin of 0. Thus, the indices must be adjusted + * for correct access into the cert store. A couple of special cases + * must also be accounted for. + */ + + /* Both indices are 0; return header with no certs */ + if (first_vc_index =3D=3D 0 && last_vc_index =3D=3D 0) { + goto out; + } + + /* Normalize indices */ + cs_start_index =3D (first_vc_index =3D=3D 0) ? 
0 : first_vc_index - 1; + cs_end_index =3D last_vc_index - 1; + + /* Requested range is outside the cert store; return header with no ce= rts */ + if (cs_start_index >=3D cs->count || cs_end_index >=3D cs->count) { + goto out; + } + + remaining_space =3D in_len - VCB_HEADER_LEN; + + for (int i =3D cs_start_index; i <=3D cs_end_index; i++) { + VCEntry *vce; + const S390IPLCertificate *cert =3D &cs->certs[i]; + + /* + * Bit 0 of the VCE flags indicates whether the certificate is val= id. + * The caller of DIAG320 subcode 2 is responsible for verifying th= at + * the VCE contains a valid certificate. + */ + vce =3D diag_320_build_vce(cert, i); + + /* + * If there is no more space to store the cert, + * set the remaining verification cert count and + * break early. + */ + if (remaining_space < vce->len) { + vcb->remain_ct =3D cpu_to_be16(last_vc_index - i); + g_free(vce); + break; + } + + /* Write VCE */ + if (s390_cpu_virt_mem_write(cpu, addr + vcb->out_len, r1, vce, vce= ->len)) { + s390_cpu_virt_mem_handle_exc(cpu, ra); + g_free(vce); + return -1; + } + + vcb->out_len +=3D vce->len; + remaining_space -=3D vce->len; + vcb->stored_ct++; + + g_free(vce); + } + vcb->stored_ct =3D cpu_to_be16(vcb->stored_ct); + +out: + vcb->out_len =3D cpu_to_be32(vcb->out_len); + + if (s390_cpu_virt_mem_write(cpu, addr, r1, vcb, VCB_HEADER_LEN)) { + s390_cpu_virt_mem_handle_exc(cpu, ra); + return -1; + } + + return DIAG_320_RC_OK; +} + QEMU_BUILD_BUG_MSG(sizeof(VCStorageSizeBlock) !=3D VCSSB_MIN_LEN, "size of VCStorageSizeBlock is wrong"); +QEMU_BUILD_BUG_MSG(sizeof(VCBlock) !=3D VCB_HEADER_LEN, "size of VCBlock i= s wrong"); +QEMU_BUILD_BUG_MSG(sizeof(VCEntry) !=3D VCE_HEADER_LEN, "size of VCEntry i= s wrong"); =20 void handle_diag_320(CPUS390XState *env, uint64_t r1, uint64_t r3, uintptr= _t ra) { 
@@ -268,7 +591,8 @@ void handle_diag_320(CPUS390XState *env, uint64_t r1, u= int64_t r3, uintptr_t ra) * for now. */ uint32_t ism_word0 =3D cpu_to_be32(DIAG_320_ISM_QUERY_SUBCODES | - DIAG_320_ISM_QUERY_VCSI); + DIAG_320_ISM_QUERY_VCSI | + DIAG_320_ISM_STORE_VC); =20 if (s390_cpu_virt_mem_write(cpu, addr, r1, &ism_word0, sizeof(ism_= word0))) { s390_cpu_virt_mem_handle_exc(cpu, ra); 
@@ -294,6 +618,18 @@ void handle_diag_320(CPUS390XState *env, uint64_t r1, = uint64_t r3, uintptr_t ra) } env->regs[r1 + 1] =3D rc; break; + case DIAG_320_SUBC_STORE_VC: + if (addr & ~TARGET_PAGE_MASK) { + s390_program_interrupt(env, PGM_SPECIFICATION, ra); + return; + } + + rc =3D handle_diag320_store_vc(cpu, addr, r1, ra, cs); + if (rc =3D=3D -1) { + return; + } + env->regs[r1 + 1] =3D rc; + break; default: env->regs[r1 + 1] =3D DIAG_320_RC_NOT_SUPPORTED; break; --=20 2.53.0
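Review bot: in the store loop of handle_diag320_store_vc(), vce->len is used in host byte order although diag_320_build_vce() and build_vce_data() store it with cpu_to_be32(). The space check `remaining_space < vce->len`, the length passed to s390_cpu_virt_mem_write(), `vcb->out_len += vce->len` and `remaining_space -= vce->len` are therefore only correct on a big-endian host. On a little-endian host the byte-swapped value can be far larger than the vce_max_size allocation, so the write would read past the end of the heap buffer and copy that memory into the guest. Suggest converting once per iteration, e.g. `uint32_t vce_len = be32_to_cpu(vce->len);`, and using that local for the check, the write length and both counters.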
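Review bot: the length validation at the top of handle_diag320_store_vc() accepts an in_len of 0, because `in_len % TARGET_PAGE_SIZE != 0` is false for 0. `remaining_space = in_len - VCB_HEADER_LEN` then wraps around in size_t, the per-entry space check can no longer fail, and the loop stores every requested VCE past the length the guest declared; the final write of VCB_HEADER_LEN bytes at `out:` has the same problem. Suggest returning DIAG_320_RC_INVAL_VCB_LEN when in_len is smaller than VCB_HEADER_LEN, before the subtraction.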
From: Zhuoying Cai
To: qemu-s390x@nongnu.org, qemu-devel@nongnu.org
Cc: jrossi@linux.ibm.com, cohuck@redhat.com, berrange@redhat.com, richard.henderson@linaro.org, pierrick.bouvier@linaro.org, david@kernel.org, walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com, brueckner@linux.ibm.com, jdaley@linux.ibm.com
Subject: [PATCH v10 10/30] s390x/diag: Introduce DIAG 508 for secure IPL operations
Date: Thu, 2 Apr 2026 18:14:32 -0400
Message-ID: <20260402221453.1602899-11-zycai@linux.ibm.com>
In-Reply-To: <20260402221453.1602899-1-zycai@linux.ibm.com>
References: <20260402221453.1602899-1-zycai@linux.ibm.com>
Content-Transfer-Encoding: quoted-printable

From: Collin Walling

In order to support secure IPL (aka secure boot) for the s390-ccw BIOS, a new s390 DIAGNOSE instruction is introduced to leverage QEMU for handling operations such as signature verification and certificate retrieval. Currently, only subcode 0 is supported with this patch, which is used to query a bitmap of which subcodes are supported.

Signed-off-by: Collin Walling Reviewed-by: Farhan Ali Reviewed-by: Thomas Huth --- docs/specs/s390x-secure-ipl.rst | 18 ++++++++++++++++++ include/hw/s390x/ipl/diag508.h | 15 +++++++++++++++ target/s390x/diag.c | 27 +++++++++++++++++++++++++++ target/s390x/kvm/kvm.c | 14 ++++++++++++++ target/s390x/s390x-internal.h | 2 ++ target/s390x/tcg/misc_helper.c | 7 +++++++ 6 files changed, 83 insertions(+) create mode 100644 include/hw/s390x/ipl/diag508.h diff --git a/docs/specs/s390x-secure-ipl.rst b/docs/specs/s390x-secure-ipl.= rst index 1a712a0e0c..83feb5d6b5 100644 --- a/docs/specs/s390x-secure-ipl.rst +++ b/docs/specs/s390x-secure-ipl.rst @@ -62,3 +62,21 @@ Subcode 2 - store verification certificates contiguously in a VCE (with zero-padding). Following the header, the key-id is immediately stored. The hash and certificate data follow and may be accessed via the respective offset fields stored in the VCE. + + +Secure IPL Data Structures, Facilities, and Functions +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D + +DIAGNOSE function code 'X'508' - IPL extensions +--------------------------------------------------- + +DIAGNOSE 'X'508' is reserved for guest use in order to facilitate communic= ation +of additional IPL operations that cannot be handled by guest code, such as +signature verification for secure IPL. + +If the function code specifies 0x508, IPL extension functions are performe= d. +These functions are meant to provide extended functionality for s390 guest= boot +that requires assistance from QEMU. + +Subcode 0 - query installed subcodes + Returns a 64-bit mask indicating which subcodes are supported. diff --git a/include/hw/s390x/ipl/diag508.h b/include/hw/s390x/ipl/diag508.h new file mode 100644 index 0000000000..6281ad8299 --- /dev/null +++ b/include/hw/s390x/ipl/diag508.h 
@@ -0,0 +1,15 @@ +/* + * S/390 DIAGNOSE 508 definitions and structures + * + * Copyright 2025 IBM Corp. + * Author(s): Collin Walling + * + * SPDX-License-Identifier: GPL-2.0-or-later + */ + +#ifndef S390X_DIAG508_H +#define S390X_DIAG508_H + +#define DIAG_508_SUBC_QUERY_SUBC 0x0000 + +#endif diff --git a/target/s390x/diag.c b/target/s390x/diag.c index d62e134f74..343a1fa584 100644 --- a/target/s390x/diag.c +++ b/target/s390x/diag.c @@ -20,6 +20,7 @@ #include "hw/s390x/cert-store.h" #include "hw/s390x/ipl.h" #include "hw/s390x/ipl/diag320.h" +#include "hw/s390x/ipl/diag508.h" #include "hw/s390x/s390-virtio-ccw.h" #include "system/kvm.h" #include "kvm/kvm_s390x.h" @@ -635,3 +636,29 @@ void handle_diag_320(CPUS390XState *env, uint64_t r1, = uint64_t r3, uintptr_t ra) break; } } + +void handle_diag_508(CPUS390XState *env, uint64_t r1, uint64_t r3, uintptr= _t ra) +{ + uint64_t subcode =3D env->regs[r3]; + int rc; + + if (env->psw.mask & PSW_MASK_PSTATE) { + s390_program_interrupt(env, PGM_PRIVILEGED, ra); + return; + } + + if ((subcode & ~0x0ffffULL) || (r1 & 1)) { + s390_program_interrupt(env, PGM_SPECIFICATION, ra); + return; + } + + switch (subcode) { + case DIAG_508_SUBC_QUERY_SUBC: + rc =3D 0; + break; + default: + s390_program_interrupt(env, PGM_SPECIFICATION, ra); + return; + } + env->regs[r1 + 1] =3D rc; +} diff --git a/target/s390x/kvm/kvm.c b/target/s390x/kvm/kvm.c index fb7a99f380..cba431688b 100644 --- a/target/s390x/kvm/kvm.c +++ b/target/s390x/kvm/kvm.c @@ -101,6 +101,7 @@ #define DIAG_CERT_STORE 0x320 #define DIAG_KVM_HYPERCALL 0x500 #define DIAG_KVM_BREAKPOINT 0x501 +#define DIAG_SECURE_IPL 0x508 =20 #define ICPT_INSTRUCTION 0x04 #define ICPT_PROGRAM 0x08 
@@ -1571,6 +1572,16 @@ static void kvm_handle_diag_320(S390CPU *cpu, struct= kvm_run *run) handle_diag_320(&cpu->env, r1, r3, RA_IGNORED); } =20 +static void kvm_handle_diag_508(S390CPU *cpu, struct kvm_run *run) +{ + uint64_t r1, r3; + + r1 =3D (run->s390_sieic.ipa & 0x00f0) >> 4; + r3 =3D run->s390_sieic.ipa & 0x000f; + + handle_diag_508(&cpu->env, r1, r3, RA_IGNORED); +} + #define DIAG_KVM_CODE_MASK 0x000000000000ffff =20 static int handle_diag(S390CPU *cpu, struct kvm_run *run, uint32_t ipb) @@ -1604,6 +1615,9 @@ static int handle_diag(S390CPU *cpu, struct kvm_run *= run, uint32_t ipb) case DIAG_CERT_STORE: kvm_handle_diag_320(cpu, run); break; + case DIAG_SECURE_IPL: + kvm_handle_diag_508(cpu, run); + break; default: trace_kvm_insn_diag(func_code); kvm_s390_program_interrupt(cpu, PGM_SPECIFICATION); diff --git a/target/s390x/s390x-internal.h b/target/s390x/s390x-internal.h index b16490bce6..367df65970 100644 --- a/target/s390x/s390x-internal.h +++ b/target/s390x/s390x-internal.h @@ -390,6 +390,8 @@ void handle_diag_308(CPUS390XState *env, uint64_t r1, u= int64_t r3, uintptr_t ra); void handle_diag_320(CPUS390XState *env, uint64_t r1, uint64_t r3, uintptr_t ra); +void handle_diag_508(CPUS390XState *env, uint64_t r1, uint64_t r3, + uintptr_t ra); =20 =20 /* translate.c */ diff --git a/target/s390x/tcg/misc_helper.c b/target/s390x/tcg/misc_helper.c index 4d73475d95..562dde9cb3 100644 --- a/target/s390x/tcg/misc_helper.c +++ b/target/s390x/tcg/misc_helper.c 
@@ -149,6 +149,13 @@ void HELPER(diag)(CPUS390XState *env, uint32_t r1, uin= t32_t r3, uint32_t num) bql_unlock(); r =3D 0; break; + case 0x508: + /* secure ipl operations */ + bql_lock(); + handle_diag_508(env, r1, r3, GETPC()); + bql_unlock(); + r =3D 0; + break; default: r =3D -1; break; --=20 2.53.0
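Review bot: in handle_diag_508() in target/s390x/diag.c, the DIAG_508_SUBC_QUERY_SUBC case sets `rc = 0` and `rc` is an `int`, while the documentation added by the same patch says subcode 0 returns a 64-bit mask of supported subcodes. As written the guest receives an all-zero mask, and once bits are added an int with bit 31 set would be sign-extended on assignment to `env->regs[r1 + 1]`. Suggest a uint64_t result with a named mask constant, or a comment stating why the mask is empty at this point in the series.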
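Review bot: in the docs/specs/s390x-secure-ipl.rst hunk, the function code is written as 'X'508' with an extra leading quote in both the section title and the first paragraph; the hexadecimal notation is X'508'. The new section also leaves out the register usage that the handler relies on: the subcode is taken from r3, r1 must be even, and the result is stored in r1 + 1. One sentence on that would let the section be read without the source.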
From: Zhuoying Cai
To: qemu-s390x@nongnu.org, qemu-devel@nongnu.org
Cc: jrossi@linux.ibm.com, cohuck@redhat.com, berrange@redhat.com, richard.henderson@linaro.org, pierrick.bouvier@linaro.org, david@kernel.org, walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com, brueckner@linux.ibm.com, jdaley@linux.ibm.com
Subject: [PATCH v10 11/30] crypto/x509-utils: Add helper functions for DIAG 508 subcode 1
Date: Thu, 2 Apr 2026 18:14:33 -0400
Message-ID: <20260402221453.1602899-12-zycai@linux.ibm.com>
In-Reply-To: <20260402221453.1602899-1-zycai@linux.ibm.com>
References: <20260402221453.1602899-1-zycai@linux.ibm.com>
Content-Transfer-Encoding: quoted-printable

Introduce helper functions to support signature verification required by DIAG 508 subcode 1:

qcrypto_pkcs7_convert_sig_pem() – converts a signature from DER to PEM format
qcrypto_x509_verify_sig() – verifies the provided data against the given signature

These functions enable basic signature verification support.

Signed-off-by: Zhuoying Cai Reviewed-by: Farhan Ali Reviewed-by: Thomas Huth --- crypto/x509-utils.c | 108 ++++++++++++++++++++++++++++++++++++ include/crypto/x509-utils.h | 41 ++++++++++++++ 2 files changed, 149 insertions(+) diff --git a/crypto/x509-utils.c b/crypto/x509-utils.c index 906d5e5e87..2b991ff9ac 100644 --- a/crypto/x509-utils.c +++ b/crypto/x509-utils.c @@ -16,6 +16,7 @@ #include #include #include +#include =20 static const int qcrypto_to_gnutls_hash_alg_map[QCRYPTO_HASH_ALGO__MAX] = =3D { [QCRYPTO_HASH_ALGO_MD5] =3D GNUTLS_DIG_MD5, 
@@ -335,6 +336,96 @@ int qcrypto_x509_check_ecc_curve_p521(uint8_t *cert, s= ize_t size, Error **errp) return curve_id =3D=3D GNUTLS_ECC_CURVE_SECP521R1; } =20 +int qcrypto_pkcs7_convert_sig_pem(uint8_t *sig, size_t sig_size, + uint8_t **result, size_t *resultlen, + Error **errp) +{ + int ret =3D -1; + int rc; + gnutls_pkcs7_t signature; + gnutls_datum_t sig_datum_der =3D {.data =3D sig, .size =3D sig_size}; + gnutls_datum_t sig_datum_pem =3D {.data =3D NULL, .size =3D 0}; + + rc =3D gnutls_pkcs7_init(&signature); + if (rc < 0) { + error_setg(errp, "Failed to initialize pkcs7 data: %s", gnutls_str= error(rc)); + return ret; + } + + rc =3D gnutls_pkcs7_import(signature, &sig_datum_der, GNUTLS_X509_FMT_= DER); + if (rc !=3D 0) { + error_setg(errp, "Failed to import signature: %s", gnutls_strerror= (rc)); + goto cleanup; + } + + rc =3D gnutls_pkcs7_export2(signature, GNUTLS_X509_FMT_PEM, &sig_datum= _pem); + if (rc !=3D 0) { + error_setg(errp, "Failed to convert signature to PEM format: %s", + gnutls_strerror(rc)); + goto cleanup; + } + + *resultlen =3D sig_datum_pem.size; + *result =3D g_memdup2(sig_datum_pem.data, sig_datum_pem.size); + + ret =3D 0; + +cleanup: + gnutls_pkcs7_deinit(signature); + gnutls_free(sig_datum_pem.data); + return ret; +} + +int qcrypto_x509_verify_sig(uint8_t *cert, size_t cert_size, + uint8_t *comp, size_t comp_size, + uint8_t *sig, size_t sig_size, Error **errp) +{ + int rc; + int ret =3D -1; + gnutls_x509_crt_t crt =3D NULL; + gnutls_pkcs7_t signature =3D NULL; + gnutls_datum_t cert_datum =3D {.data =3D cert, .size =3D cert_size}; + gnutls_datum_t data_datum =3D {.data =3D comp, .size =3D comp_size}; + gnutls_datum_t sig_datum =3D {.data =3D sig, .size =3D sig_size}; + + rc =3D gnutls_x509_crt_init(&crt); + if (rc < 0) { + error_setg(errp, "Failed to initialize certificate: %s", gnutls_st= rerror(rc)); + goto cleanup; + } + + rc =3D gnutls_x509_crt_import(crt, &cert_datum, GNUTLS_X509_FMT_PEM); + if (rc !=3D 0) { + error_setg(errp, 
"Failed to import certificate: %s", gnutls_strerr= or(rc)); + goto cleanup; + } + + rc =3D gnutls_pkcs7_init(&signature); + if (rc < 0) { + error_setg(errp, "Failed to initialize pkcs7 data: %s", gnutls_str= error(rc)); + goto cleanup; + } + + rc =3D gnutls_pkcs7_import(signature, &sig_datum , GNUTLS_X509_FMT_PEM= ); + if (rc !=3D 0) { + error_setg(errp, "Failed to import signature: %s", gnutls_strerror= (rc)); + goto cleanup; + } + + rc =3D gnutls_pkcs7_verify_direct(signature, crt, 0, &data_datum, 0); + if (rc !=3D 0) { + error_setg(errp, "Failed to verify signature: %s", gnutls_strerror= (rc)); + goto cleanup; + } + + ret =3D 0; + +cleanup: + gnutls_x509_crt_deinit(crt); + gnutls_pkcs7_deinit(signature); + return ret; +} + #else /* ! CONFIG_GNUTLS */ =20 int qcrypto_get_x509_cert_fingerprint(uint8_t *cert, size_t size, @@ -378,4 +469,21 @@ int qcrypto_x509_check_ecc_curve_p521(uint8_t *cert, s= ize_t size, Error **errp) return -1; } =20 +int qcrypto_pkcs7_convert_sig_pem(uint8_t *sig, size_t sig_size, + uint8_t **result, + size_t *resultlen, + Error **errp) +{ + error_setg(errp, "GNUTLS is required to export pkcs7 signature"); + return -1; +} + +int qcrypto_x509_verify_sig(uint8_t *cert, size_t cert_size, + uint8_t *comp, size_t comp_size, + uint8_t *sig, size_t sig_size, Error **errp) +{ + error_setg(errp, "GNUTLS is required for signature-verification suppor= t"); + return -1; +} + #endif /* ! CONFIG_GNUTLS */ diff --git a/include/crypto/x509-utils.h b/include/crypto/x509-utils.h index 6040894a46..02e937b14a 100644 --- a/include/crypto/x509-utils.h +++ b/include/crypto/x509-utils.h 
@@ -91,4 +91,45 @@ int qcrypto_x509_get_cert_key_id(uint8_t *cert, size_t s= ize, */ int qcrypto_x509_check_ecc_curve_p521(uint8_t *cert, size_t size, Error **= errp); =20 +/** + * qcrypto_pkcs7_convert_sig_pem + * @sig: pointer to the PKCS#7 signature in DER format + * @sig_size: size of the signature + * @result: output location for the allocated buffer for the signature in + * PEM format + * (the function allocates memory which must be freed by the call= er) + * @resultlen: pointer to the size of the buffer + * (will be updated with the actual size of the PEM-encoded + * signature) + * @errp: error pointer + * + * Convert given PKCS#7 @sig from DER to PEM format. + * + * Returns: 0 if PEM-encoded signature was successfully stored in @result, + * -1 on error. + */ +int qcrypto_pkcs7_convert_sig_pem(uint8_t *sig, size_t sig_size, + uint8_t **result, + size_t *resultlen, + Error **errp); + +/** + * qcrypto_x509_verify_sig + * @cert: pointer to the raw certificate data + * @cert_size: size of the certificate + * @comp: pointer to the component to be verified + * @comp_size: size of the component + * @sig: pointer to the signature + * @sig_size: size of the signature + * @errp: error pointer + * + * Verify the provided @comp against the @sig and @cert. + * + * Returns: 0 on success, + * -1 on error. 
+ */ +int qcrypto_x509_verify_sig(uint8_t *cert, size_t cert_size, + uint8_t *comp, size_t comp_size, + uint8_t *sig, size_t sig_size, Error **errp); + #endif --=20 2.53.0
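Review bot: in crypto/x509-utils.c, the cleanup label of qcrypto_x509_verify_sig() calls gnutls_pkcs7_deinit(signature) on every exit path, including the goto taken after "Failed to import certificate", which runs before gnutls_pkcs7_init(&signature). That is only safe if signature is initialised to NULL where it is declared, which is above the part of the hunk visible here, so please confirm or add the initialiser. A smaller style point in the same function: the result checks alternate between rc < 0 (gnutls_pkcs7_init) and rc != 0 (gnutls_pkcs7_import, gnutls_pkcs7_verify_direct); using one form throughout would make the error handling easier to audit.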
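Review bot: in include/crypto/x509-utils.h, the kernel-doc for qcrypto_x509_verify_sig() describes @sig only as "pointer to the signature", while the implementation in this patch imports it with GNUTLS_X509_FMT_PEM, so a caller that passes the DER signature directly gets an error with no hint in the API contract why. Please state in the comment that @sig must be the PEM-encoded PKCS#7 signature (the output of qcrypto_pkcs7_convert_sig_pem()) and say which encoding @cert is expected in. The input buffers of both new functions could also be const uint8_t *, since neither comment documents them as being modified.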
From: Zhuoying Cai
To: qemu-s390x@nongnu.org, qemu-devel@nongnu.org
Cc: jrossi@linux.ibm.com, cohuck@redhat.com, berrange@redhat.com,
 richard.henderson@linaro.org, pierrick.bouvier@linaro.org, david@kernel.org,
 walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com,
 borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com,
 iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com,
 alifm@linux.ibm.com, brueckner@linux.ibm.com, jdaley@linux.ibm.com
Subject: [PATCH v10 12/30] s390x/diag: Implement DIAG 508 subcode 1 for signature verification
Date: Thu, 2 Apr 2026 18:14:34 -0400
Message-ID: <20260402221453.1602899-13-zycai@linux.ibm.com>
In-Reply-To: <20260402221453.1602899-1-zycai@linux.ibm.com>
References: <20260402221453.1602899-1-zycai@linux.ibm.com>
Content-Transfer-Encoding: quoted-printable

From: Collin Walling

DIAG 508 subcode 1 performs signature-verification on signed components.
A signed component may be a Linux kernel image, or any other signed
binary. **Verification of initrd is not supported.**

The instruction call expects two item-pairs: an address of a device
component, an address of the analogous signature file (in PKCS#7 DER format),
and their respective lengths. All of this data should be encapsulated
within a Diag508SigVerifBlock.

The DIAG handler will read from the provided addresses
to retrieve the necessary data, parse the signature file, then
perform the signature-verification. Because there is no way to
correlate a specific certificate to a component, each certificate
in the store is tried until either verification succeeds, or all
certs have been exhausted.

A return code of 1 indicates success, and the index and length of the
corresponding certificate will be set in the Diag508SigVerifBlock.
The following values indicate failure:

	0x0102: no certificates are available in the store
	0x0202: component data is invalid
	0x0302: PKCS#7 format signature is invalid
	0x0402: signature-verification failed
	0x0502: length of Diag508SigVerifBlock is invalid

Signed-off-by: Collin Walling
Signed-off-by: Zhuoying Cai
Reviewed-by: Thomas Huth
Reviewed-by: Farhan Ali
---
 docs/specs/s390x-secure-ipl.rst |  17 +++++
 include/hw/s390x/ipl/diag508.h  |  30 +++++++++
 target/s390x/diag.c             | 111 +++++++++++++++++++++++++++++++-
 3 files changed, 157 insertions(+), 1 deletion(-)

diff --git a/docs/specs/s390x-secure-ipl.rst b/docs/specs/s390x-secure-ipl.= rst index 83feb5d6b5..0ea4522894 100644 --- a/docs/specs/s390x-secure-ipl.rst +++ b/docs/specs/s390x-secure-ipl.rst
@@ -80,3 +80,20 @@ that requires assistance from QEMU. =20 Subcode 0 - query installed subcodes Returns a 64-bit mask indicating which subcodes are supported. + +Subcode 1 - perform signature verification + Perform signature-verification on a signed component, using certificat= es + from the certificate store and leveraging qcrypto libraries to perform + this operation. + + Note: verification of initrd is not supported. + + A return code of 1 indicates success, and the index and length of the + corresponding certificate will be set in the Diag508SigVerifBlock. + The following values indicate failure: + + * ``0x0102``: no certificates are available in the store + * ``0x0202``: component data is invalid + * ``0x0302``: PKCS#7 format signature is invalid + * ``0x0402``: signature-verification failed + * ``0x0502``: length of Diag508SigVerifBlock is invalid diff --git a/include/hw/s390x/ipl/diag508.h b/include/hw/s390x/ipl/diag508.h index 6281ad8299..8a147f32a0 100644 --- a/include/hw/s390x/ipl/diag508.h +++ b/include/hw/s390x/ipl/diag508.h 
@@ -11,5 +11,35 @@ #define S390X_DIAG508_H =20 #define DIAG_508_SUBC_QUERY_SUBC 0x0000 +#define DIAG_508_SUBC_SIG_VERIF 0x8000 + +#define DIAG_508_RC_OK 0x0001 +#define DIAG_508_RC_NO_CERTS 0x0102 +#define DIAG_508_RC_INVAL_COMP_DATA 0x0202 +#define DIAG_508_RC_INVAL_PKCS7_SIG 0x0302 +#define DIAG_508_RC_FAIL_VERIF 0x0402 +#define DIAG_508_RC_INVAL_LEN 0x0502 + +/* + * Maximum componenet and signature sizes for current secure boot implemen= tation + * Not architecturally defined and may need to revisit if increased + */ +#define DIAG_508_MAX_COMP_LEN 0x10000000 +#define DIAG_508_MAX_SIG_LEN 4096 + +struct Diag508SigVerifBlock { + uint32_t length; + uint8_t reserved0[3]; + uint8_t version; + uint32_t reserved[2]; + uint8_t cert_store_index; + uint8_t reserved1[7]; + uint64_t cert_len; + uint64_t comp_len; + uint64_t comp_addr; + uint64_t sig_len; + uint64_t sig_addr; +}; +typedef struct Diag508SigVerifBlock Diag508SigVerifBlock; =20 #endif diff --git a/target/s390x/diag.c b/target/s390x/diag.c index 343a1fa584..26b88926a9 100644 --- a/target/s390x/diag.c +++ b/target/s390x/diag.c 
@@ -637,9 +637,110 @@ void handle_diag_320(CPUS390XState *env, uint64_t r1,= uint64_t r3, uintptr_t ra) } } =20 +static bool diag_508_verify_sig(uint8_t *cert, size_t cert_size, + uint8_t *comp, size_t comp_size, + uint8_t *sig, size_t sig_size) +{ + g_autofree uint8_t *sig_pem =3D NULL; + size_t sig_size_pem; + int rc; + + /* + * PKCS#7 signature with DER format + * Convert to PEM format for signature verification + * + * Ignore errors during qcrypto signature format conversion and verifi= cation + * Return false on any error, treating it as a verification failure + */ + rc =3D qcrypto_pkcs7_convert_sig_pem(sig, sig_size, &sig_pem, &sig_siz= e_pem, NULL); + if (rc < 0) { + return false; + } + + rc =3D qcrypto_x509_verify_sig(cert, cert_size, + comp, comp_size, + sig_pem, sig_size_pem, NULL); + if (rc < 0) { + return false; + } + + return true; +} + +static int handle_diag508_sig_verif(uint64_t addr) +{ + int verified; + uint32_t svb_len; + uint64_t comp_len, comp_addr; + uint64_t sig_len, sig_addr; + g_autofree uint8_t *comp =3D NULL; + g_autofree uint8_t *sig =3D NULL; + g_autofree Diag508SigVerifBlock *svb =3D NULL; + size_t svb_size =3D sizeof(Diag508SigVerifBlock); + S390IPLCertificateStore *cs =3D s390_ipl_get_certificate_store(); + + if (!cs->count) { + return DIAG_508_RC_NO_CERTS; + } + + svb =3D g_new0(Diag508SigVerifBlock, 1); + cpu_physical_memory_read(addr, svb, svb_size); + + svb_len =3D be32_to_cpu(svb->length); + if (svb_len !=3D svb_size) { + return DIAG_508_RC_INVAL_LEN; + } + + comp_len =3D be64_to_cpu(svb->comp_len); + comp_addr =3D be64_to_cpu(svb->comp_addr); + sig_len =3D be64_to_cpu(svb->sig_len); + sig_addr =3D be64_to_cpu(svb->sig_addr); + + if (!comp_len || !comp_addr || comp_len > DIAG_508_MAX_COMP_LEN) { + if (comp_len > DIAG_508_MAX_COMP_LEN) { + warn_report("DIAG 0x508: component length %lu exceeds current = maximum %u", + comp_len, DIAG_508_MAX_COMP_LEN); + } + return DIAG_508_RC_INVAL_COMP_DATA; + } + + if (!sig_len || !sig_addr || 
sig_len > DIAG_508_MAX_SIG_LEN) { + if (sig_len > DIAG_508_MAX_SIG_LEN) { + warn_report("DIAG 0x508: signature length %lu exceeds current = maximum %u", + sig_len, DIAG_508_MAX_SIG_LEN); + } + return DIAG_508_RC_INVAL_PKCS7_SIG; + } + + comp =3D g_malloc0(comp_len); + cpu_physical_memory_read(comp_addr, comp, comp_len); + + sig =3D g_malloc0(sig_len); + cpu_physical_memory_read(sig_addr, sig, sig_len); + + for (int i =3D 0; i < cs->count; i++) { + verified =3D diag_508_verify_sig(cs->certs[i].raw, + cs->certs[i].size, + comp, comp_len, + sig, sig_len); + if (verified) { + svb->cert_store_index =3D i; + svb->cert_len =3D cpu_to_be64(cs->certs[i].der_size); + cpu_physical_memory_write(addr, svb, svb_size); + return DIAG_508_RC_OK; + } + } + + return DIAG_508_RC_FAIL_VERIF; +} + +QEMU_BUILD_BUG_MSG(sizeof(Diag508SigVerifBlock) !=3D 64, + "size of Diag508SigVerifBlock is wrong"); + void handle_diag_508(CPUS390XState *env, uint64_t r1, uint64_t r3, uintptr= _t ra) { uint64_t subcode =3D env->regs[r3]; + uint64_t addr =3D env->regs[r1]; int rc; =20 if (env->psw.mask & PSW_MASK_PSTATE) { 
@@ -654,7 +755,15 @@ void handle_diag_508(CPUS390XState *env, uint64_t r1, = uint64_t r3, uintptr_t ra) =20 switch (subcode) { case DIAG_508_SUBC_QUERY_SUBC: - rc =3D 0; + rc =3D DIAG_508_SUBC_SIG_VERIF; + break; + case DIAG_508_SUBC_SIG_VERIF: + if (!diag_parm_addr_valid(addr, sizeof(Diag508SigVerifBlock), true= )) { + s390_program_interrupt(env, PGM_ADDRESSING, ra); + return; + } + + rc =3D handle_diag508_sig_verif(addr); break; default: s390_program_interrupt(env, PGM_SPECIFICATION, ra); --=20 2.53.0
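Review bot: in docs/specs/s390x-secure-ipl.rst, the failure list gives 0x0202 and 0x0302 only as "invalid" data, without saying that the handler also returns them when a length or address is zero, when the component is larger than DIAG_508_MAX_COMP_LEN (0x10000000), or when the signature is larger than DIAG_508_MAX_SIG_LEN (4096). Since the header describes these limits as not architecturally defined, listing them next to the return codes would tell a guest author why an otherwise well-formed request is rejected. The section could also name the Diag508SigVerifBlock input fields, which the text refers to but does not describe.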
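Review bot: in include/hw/s390x/ipl/diag508.h, cert_store_index is a uint8_t, but handle_diag508_sig_verif() assigns the int loop counter i to it, so the reported index is silently truncated if the certificate store can ever hold more than 256 entries. Please add a build-time check against the store's maximum or a comment stating the bound next to the field. The comment above DIAG_508_MAX_COMP_LEN also has a typo ("componenet"), and a one-line note on why the subcode documented as "Subcode 1" is encoded as 0x8000 would help readers of this header.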
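Review bot: in handle_diag508_sig_verif() (target/s390x/diag.c), comp_addr, comp_len, sig_addr and sig_len are guest-supplied, yet only the block address is passed through diag_parm_addr_valid(); the component and signature ranges go straight to cpu_physical_memory_read(), and g_malloc0(comp_len) lets a guest request up to 0x10000000 bytes per call. Consider validating both ranges the same way as addr and allocating with a fallible allocator so that a failure becomes DIAG_508_RC_INVAL_COMP_DATA. Two smaller points in the same hunk: warn_report() prints uint64_t values with %lu where PRIu64 is the portable form, and diag_508_verify_sig() repeats the DER to PEM conversion for every certificate in the loop and folds a conversion failure into DIAG_508_RC_FAIL_VERIF, so a malformed PKCS#7 blob is never reported as DIAG_508_RC_INVAL_PKCS7_SIG; converting once before the loop would address both.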
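The request block and the order of the structural checks described in the commit message and handler above, as an added stand-alone example that is not part of the patch or of QEMU. The byte offsets are derived from the field order of Diag508SigVerifBlock; SvbRequest, the svb_* functions and the two sentinel results are hypothetical names, and all sample values are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Failure codes and size limits as given in the patch above. */
#define DIAG_508_RC_NO_CERTS        0x0102
#define DIAG_508_RC_INVAL_COMP_DATA 0x0202
#define DIAG_508_RC_INVAL_PKCS7_SIG 0x0302
#define DIAG_508_RC_INVAL_LEN       0x0502
#define DIAG_508_MAX_COMP_LEN       0x10000000ULL
#define DIAG_508_MAX_SIG_LEN        4096ULL

/* Size and byte offsets derived from the Diag508SigVerifBlock field order. */
#define SVB_SIZE 64u
enum {
    SVB_OFF_LENGTH    = 0,   /* uint32_t length */
    SVB_OFF_COMP_LEN  = 32,  /* uint64_t comp_len */
    SVB_OFF_COMP_ADDR = 40,  /* uint64_t comp_addr */
    SVB_OFF_SIG_LEN   = 48,  /* uint64_t sig_len */
    SVB_OFF_SIG_ADDR  = 56   /* uint64_t sig_addr */
};

/* Example-only results; neither is a DIAG 508 return code. */
#define SVB_PRECHECK_PASS  0
#define SVB_SHORT_BUFFER  (-1)

/* Hypothetical host-order view of a request (not a QEMU type). */
typedef struct {
    uint32_t length;
    uint64_t comp_len, comp_addr, sig_len, sig_addr;
} SvbRequest;

/* Read an n-byte big-endian integer, independent of host byte order. */
static uint64_t get_be(const uint8_t *p, size_t n)
{
    uint64_t v = 0;
    for (size_t i = 0; i < n; i++) {
        v = (v << 8) | p[i];
    }
    return v;
}

/* Write the low n bytes of v in big-endian order. */
static void put_be(uint8_t *p, uint64_t v, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        p[n - 1 - i] = (uint8_t)(v >> (8 * i));
    }
}

/* Caller side: serialise a request; reserved and output fields stay zero. */
void svb_encode(uint8_t out[SVB_SIZE], const SvbRequest *req)
{
    memset(out, 0, SVB_SIZE);
    put_be(out + SVB_OFF_LENGTH, req->length, 4);
    put_be(out + SVB_OFF_COMP_LEN, req->comp_len, 8);
    put_be(out + SVB_OFF_COMP_ADDR, req->comp_addr, 8);
    put_be(out + SVB_OFF_SIG_LEN, req->sig_len, 8);
    put_be(out + SVB_OFF_SIG_ADDR, req->sig_addr, 8);
}

/* Handler side: decode the block and apply the structural checks in the
 * order the patch applies them, before any component or signature is read. */
int svb_precheck(const uint8_t *buf, size_t buf_len, size_t cert_count,
                 SvbRequest *req)
{
    if (buf_len < SVB_SIZE) return SVB_SHORT_BUFFER;
    if (cert_count == 0) return DIAG_508_RC_NO_CERTS;
    req->length = (uint32_t)get_be(buf + SVB_OFF_LENGTH, 4);
    if (req->length != SVB_SIZE) return DIAG_508_RC_INVAL_LEN;
    req->comp_len = get_be(buf + SVB_OFF_COMP_LEN, 8);
    req->comp_addr = get_be(buf + SVB_OFF_COMP_ADDR, 8);
    req->sig_len = get_be(buf + SVB_OFF_SIG_LEN, 8);
    req->sig_addr = get_be(buf + SVB_OFF_SIG_ADDR, 8);
    if (!req->comp_len || !req->comp_addr ||
        req->comp_len > DIAG_508_MAX_COMP_LEN) {
        return DIAG_508_RC_INVAL_COMP_DATA;
    }
    if (!req->sig_len || !req->sig_addr ||
        req->sig_len > DIAG_508_MAX_SIG_LEN) {
        return DIAG_508_RC_INVAL_PKCS7_SIG;
    }
    return SVB_PRECHECK_PASS;
}

/* Encode one constructed request, then pre-check it as the handler would. */
int svb_roundtrip(uint32_t length, uint64_t comp_addr, uint64_t comp_len,
                  uint64_t sig_addr, uint64_t sig_len, size_t cert_count)
{
    uint8_t wire[SVB_SIZE];
    SvbRequest out, in = { length, comp_len, comp_addr, sig_len, sig_addr };

    svb_encode(wire, &in);
    return svb_precheck(wire, sizeof(wire), cert_count, &out);
}

int main(void)
{
    /* Constructed sample: 8 KiB component, 1 KiB signature, two certs. */
    return svb_roundtrip(64, 0x10000, 0x2000, 0x20000, 1024, 2);
}
```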
From: Zhuoying Cai
To: qemu-s390x@nongnu.org, qemu-devel@nongnu.org
Cc: jrossi@linux.ibm.com, cohuck@redhat.com, berrange@redhat.com,
 richard.henderson@linaro.org, pierrick.bouvier@linaro.org, david@kernel.org,
 walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com,
 borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com,
 iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com,
 alifm@linux.ibm.com, brueckner@linux.ibm.com, jdaley@linux.ibm.com
Subject: [PATCH v10 13/30] s390x/ipl: Introduce IPL Information Report Block (IIRB)
Date: Thu, 2 Apr 2026 18:14:35 -0400
Message-ID: <20260402221453.1602899-14-zycai@linux.ibm.com>
In-Reply-To: <20260402221453.1602899-1-zycai@linux.ibm.com>
References: <20260402221453.1602899-1-zycai@linux.ibm.com>
Content-Transfer-Encoding: quoted-printable

The IPL information report block (IIRB) contains information used
to locate IPL records and to report the results of signature verification
of one or more secure components of the load device. IIRB is stored
immediately following the IPL Parameter Block. Results on component
verification in any case (failure or success) are stored.

The IIRB data is reserved and protected by the guest kernel during early
boot to prevent it from being overwritten before the certificate data is
permanently saved.

Signed-off-by: Zhuoying Cai
Reviewed-by: Farhan Ali
Reviewed-by: Collin Walling
---
 docs/specs/s390x-secure-ipl.rst | 21 ++++++++++++
 include/hw/s390x/ipl/qipl.h     | 59 +++++++++++++++++++++++++++++++++
 2 files changed, 80 insertions(+)

diff --git a/docs/specs/s390x-secure-ipl.rst b/docs/specs/s390x-secure-ipl.= rst index 0ea4522894..d82fb97d5d 100644 --- a/docs/specs/s390x-secure-ipl.rst +++ b/docs/specs/s390x-secure-ipl.rst @@ -97,3 +97,24 @@ Subcode 1 - perform signature verification * ``0x0302``: PKCS#7 format signature is invalid * ``0x0402``: signature-verification failed * ``0x0502``: length of Diag508SigVerifBlock is invalid + +IPL Information Report Block +---------------------------- + +The IPL Parameter Block (IPLPB), utilized for IPL operation, is extended w= ith an +IPL Information Report Block (IIRB), which contains the results from secur= e IPL +operations such as: + +* component data +* verification results +* certificate data + +During early boot, the guest kernel reserves the memory region +containing the IIRB. This preserves the data while the guest kernel is +operating and during re-IPL. + +The guest kernel uses the contents in the IIRB for: + +* Boot logging: reports which components were loaded and verified. +* kexec operations: builds the next kernel=E2=80=99s IPL report from the e= xisting one. +* Keying: installs IPL certificates into the platform trusted keyring. diff --git a/include/hw/s390x/ipl/qipl.h b/include/hw/s390x/ipl/qipl.h index ed1a91182a..7f91270255 100644 --- a/include/hw/s390x/ipl/qipl.h +++ b/include/hw/s390x/ipl/qipl.h
@@ -146,4 +146,63 @@ union IplParameterBlock { } QEMU_PACKED; typedef union IplParameterBlock IplParameterBlock; =20 +struct IplInfoReportBlockHeader { + uint32_t len; + uint8_t flags; + uint8_t reserved1[11]; +}; +typedef struct IplInfoReportBlockHeader IplInfoReportBlockHeader; + +struct IplInfoBlockHeader { + uint32_t len; + uint8_t type; + uint8_t reserved1[11]; +}; +typedef struct IplInfoBlockHeader IplInfoBlockHeader; + +enum IplInfoBlockType { + IPL_INFO_BLOCK_TYPE_CERTIFICATES =3D 1, + IPL_INFO_BLOCK_TYPE_COMPONENTS =3D 2, +}; + +struct IplSignatureCertificateEntry { + uint64_t addr; + uint64_t len; +}; +typedef struct IplSignatureCertificateEntry IplSignatureCertificateEntry; + +struct IplSignatureCertificateList { + IplInfoBlockHeader ipl_info_header; + IplSignatureCertificateEntry cert_entries[MAX_CERTIFICATES]; +}; +typedef struct IplSignatureCertificateList IplSignatureCertificateList; + +#define S390_IPL_DEV_COMP_FLAG_SC 0x80 +#define S390_IPL_DEV_COMP_FLAG_CSV 0x40 + +struct IplDeviceComponentEntry { + uint64_t addr; + uint64_t len; + uint8_t flags; + uint8_t reserved1[5]; + uint16_t cert_index; + uint8_t reserved2[8]; +}; +typedef struct IplDeviceComponentEntry IplDeviceComponentEntry; + +struct IplDeviceComponentList { + IplInfoBlockHeader ipl_info_header; + IplDeviceComponentEntry device_entries[MAX_CERTIFICATES]; +}; +typedef struct IplDeviceComponentList IplDeviceComponentList; + +#define COMP_LIST_MAX sizeof(IplDeviceComponentList) +#define CERT_LIST_MAX sizeof(IplSignatureCertificateList) + +struct IplInfoReportBlock { + IplInfoReportBlockHeader hdr; + uint8_t info_blks[COMP_LIST_MAX + CERT_LIST_MAX]; +}; +typedef struct IplInfoReportBlock IplInfoReportBlock; + #endif --=20 2.53.0
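Review bot: in docs/specs/s390x-secure-ipl.rst, the new "IPL Information Report Block" section never says where the IIRB lives, although the commit message states that it is stored immediately following the IPL Parameter Block, and it does not mention that results are recorded for failed as well as successful verification. Both facts are what a guest or tool author needs in order to locate and interpret the block, so please carry those two sentences into the document. The section also abbreviates the parameter block as IPLPB, while the code and the other commit messages in the series use IPLB.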
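Review bot: in include/hw/s390x/ipl/qipl.h, the new IIRB structures describe a guest-visible layout, but unlike Diag508SigVerifBlock in the previous patch none of them gets a QEMU_BUILD_BUG_MSG size check, and they are not marked QEMU_PACKED as union IplParameterBlock is in the context lines just above. Please add size assertions for IplInfoReportBlockHeader, IplInfoBlockHeader, IplSignatureCertificateEntry and IplDeviceComponentEntry. In the same hunk, device_entries[] is sized with MAX_CERTIFICATES, which ties the number of reportable components to the certificate limit; a separate constant or a comment explaining the coupling would help, as would one-line comments describing S390_IPL_DEV_COMP_FLAG_SC and S390_IPL_DEV_COMP_FLAG_CSV.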
From: Zhuoying Cai
To: qemu-s390x@nongnu.org, qemu-devel@nongnu.org
Cc: jrossi@linux.ibm.com, cohuck@redhat.com, berrange@redhat.com,
 richard.henderson@linaro.org, pierrick.bouvier@linaro.org, david@kernel.org,
 walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com,
 borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com,
 iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com,
 alifm@linux.ibm.com, brueckner@linux.ibm.com, jdaley@linux.ibm.com
Subject: [PATCH v10 14/30] pc-bios/s390-ccw: Define memory for IPLB and convert IPLB to pointers
Date: Thu, 2 Apr 2026 18:14:36 -0400
Message-ID: <20260402221453.1602899-15-zycai@linux.ibm.com>
In-Reply-To: <20260402221453.1602899-1-zycai@linux.ibm.com>
References: <20260402221453.1602899-1-zycai@linux.ibm.com>
Content-Transfer-Encoding: quoted-printable

Define a memory space for both IPL Parameter Block (IPLB) and
IPL Information Report Block (IIRB) since IIRB is stored immediately
following IPLB.

Convert IPLB to pointer and it points to the start of the defined memory space.
IIRB points to the end of IPLB.
Signed-off-by: Zhuoying Cai Reviewed-by: Thomas Huth --- include/hw/s390x/ipl/qipl.h | 6 ++++++ pc-bios/s390-ccw/iplb.h | 5 +++-- pc-bios/s390-ccw/jump2ipl.c | 6 +++--- pc-bios/s390-ccw/main.c | 34 +++++++++++++++++++--------------- pc-bios/s390-ccw/netmain.c | 8 ++++---- 5 files changed, 35 insertions(+), 24 deletions(-) diff --git a/include/hw/s390x/ipl/qipl.h b/include/hw/s390x/ipl/qipl.h index 7f91270255..b46e787259 100644 --- a/include/hw/s390x/ipl/qipl.h +++ b/include/hw/s390x/ipl/qipl.h @@ -205,4 +205,10 @@ struct IplInfoReportBlock { }; typedef struct IplInfoReportBlock IplInfoReportBlock; =20 +struct IplBlocks { + IplParameterBlock iplb; + IplInfoReportBlock iirb; +}; +typedef struct IplBlocks IplBlocks; + #endif diff --git a/pc-bios/s390-ccw/iplb.h b/pc-bios/s390-ccw/iplb.h index 926e8eed5d..c828466f51 100644 --- a/pc-bios/s390-ccw/iplb.h +++ b/pc-bios/s390-ccw/iplb.h @@ -20,8 +20,9 @@ #include =20 extern QemuIplParameters qipl; -extern IplParameterBlock iplb __attribute__((__aligned__(PAGE_SIZE))); +extern IplParameterBlock *iplb; extern bool have_iplb; +extern IplBlocks ipl_data; =20 static inline bool manage_iplb(IplParameterBlock *iplb, bool store) { @@ -61,7 +62,7 @@ static inline bool load_next_iplb(void) =20 qipl.index++; next_iplb =3D (IplParameterBlock *) qipl.next_iplb; - memcpy(&iplb, next_iplb, sizeof(IplParameterBlock)); + memcpy(iplb, next_iplb, sizeof(IplParameterBlock)); =20 qipl.chain_len--; qipl.next_iplb =3D qipl.next_iplb + sizeof(IplParameterBlock); diff --git a/pc-bios/s390-ccw/jump2ipl.c b/pc-bios/s390-ccw/jump2ipl.c index 86321d0f46..fa2ca5cbe1 100644 --- a/pc-bios/s390-ccw/jump2ipl.c +++ b/pc-bios/s390-ccw/jump2ipl.c 
@@ -43,11 +43,11 @@ int jump_to_IPL_code(uint64_t address) * The IPLB for QEMU SCSI type devices must be rebuilt during re-ipl. = The * iplb.devno is set to the boot position of the target SCSI device. */ - if (iplb.pbt =3D=3D S390_IPL_TYPE_QEMU_SCSI) { - iplb.devno =3D qipl.index; + if (iplb->pbt =3D=3D S390_IPL_TYPE_QEMU_SCSI) { + iplb->devno =3D qipl.index; } =20 - if (have_iplb && !set_iplb(&iplb)) { + if (have_iplb && !set_iplb(iplb)) { panic("Failed to set IPLB"); } =20 diff --git a/pc-bios/s390-ccw/main.c b/pc-bios/s390-ccw/main.c index 26287cfd81..e6d4105786 100644 --- a/pc-bios/s390-ccw/main.c +++ b/pc-bios/s390-ccw/main.c @@ -24,7 +24,9 @@ static SubChannelId blk_schid =3D { .one =3D 1 }; static char loadparm_str[LOADPARM_LEN + 1]; QemuIplParameters qipl; -IplParameterBlock iplb __attribute__((__aligned__(PAGE_SIZE))); +/* Ensure that IPLB and IIRB are page aligned and sequential in memory */ +IplBlocks ipl_data __attribute__((__aligned__(PAGE_SIZE))); +IplParameterBlock *iplb; bool have_iplb; static uint16_t cutype; LowCore *lowcore; /* Yes, this *is* a pointer to address 0 */ @@ -53,7 +55,7 @@ void write_subsystem_identification(void) void write_iplb_location(void) { if (cutype =3D=3D CU_TYPE_VIRTIO && virtio_get_device_type() !=3D VIRT= IO_ID_NET) { - lowcore->ptr_iplb =3D ptr2u32(&iplb); + lowcore->ptr_iplb =3D ptr2u32(iplb); } } =20 
@@ -213,14 +215,14 @@ static void boot_setup(void) char lpmsg[] =3D "LOADPARM=3D[________]\n"; VDev *vdev =3D virtio_get_device(); =20 - if (have_iplb && memcmp(iplb.loadparm, NO_LOADPARM, LOADPARM_LEN) !=3D= 0) { - ebcdic_to_ascii((char *) iplb.loadparm, loadparm_str, LOADPARM_LEN= ); + if (have_iplb && memcmp(iplb->loadparm, NO_LOADPARM, LOADPARM_LEN) != =3D 0) { + ebcdic_to_ascii((char *) iplb->loadparm, loadparm_str, LOADPARM_LE= N); } else { sclp_get_loadparm_ascii(loadparm_str); } =20 if (have_iplb) { - vdev->ipl_type =3D iplb.pbt; + vdev->ipl_type =3D iplb->pbt; menu_setup(vdev); } else { vdev->ipl_type =3D QEMU_DEFAULT_IPL; @@ -244,21 +246,21 @@ static bool find_boot_device(void) switch (vdev->ipl_type) { case S390_IPL_TYPE_CCW: vdev->scsi_device_selected =3D false; - debug_print_int("device no. ", iplb.ccw.devno); - blk_schid.ssid =3D iplb.ccw.ssid & 0x3; + debug_print_int("device no. ", iplb->ccw.devno); + blk_schid.ssid =3D iplb->ccw.ssid & 0x3; debug_print_int("ssid ", blk_schid.ssid); - found =3D find_subch(iplb.ccw.devno); + found =3D find_subch(iplb->ccw.devno); break; case S390_IPL_TYPE_QEMU_SCSI: vdev->scsi_device_selected =3D true; - vdev->selected_scsi_device.channel =3D iplb.scsi.channel; - vdev->selected_scsi_device.target =3D iplb.scsi.target; - vdev->selected_scsi_device.lun =3D iplb.scsi.lun; - blk_schid.ssid =3D iplb.scsi.ssid & 0x3; - found =3D find_subch(iplb.scsi.devno); + vdev->selected_scsi_device.channel =3D iplb->scsi.channel; + vdev->selected_scsi_device.target =3D iplb->scsi.target; + vdev->selected_scsi_device.lun =3D iplb->scsi.lun; + blk_schid.ssid =3D iplb->scsi.ssid & 0x3; + found =3D find_subch(iplb->scsi.devno); break; case S390_IPL_TYPE_PCI: - found =3D find_fid(iplb.pci.fid); + found =3D find_fid(iplb->pci.fid); break; default: puts("Unsupported IPLB"); 
@@ -377,10 +379,12 @@ static void probe_boot_device(void) =20 void main(void) { + iplb =3D &ipl_data.iplb; + copy_qipl(); sclp_setup(); css_setup(); - have_iplb =3D store_iplb(&iplb); + have_iplb =3D store_iplb(iplb); if (!have_iplb) { boot_setup(); probe_boot_device(); diff --git a/pc-bios/s390-ccw/netmain.c b/pc-bios/s390-ccw/netmain.c index 651cedf6ef..9b4dfd4638 100644 --- a/pc-bios/s390-ccw/netmain.c +++ b/pc-bios/s390-ccw/netmain.c 
@@ -528,11 +528,11 @@ static bool virtio_setup(void) */ enable_mss_facility(); =20 - if (have_iplb || store_iplb(&iplb)) { - IPL_assert(iplb.pbt =3D=3D S390_IPL_TYPE_CCW, "IPL_TYPE_CCW expect= ed"); - dev_no =3D iplb.ccw.devno; + if (have_iplb || store_iplb(iplb)) { + IPL_assert(iplb->pbt =3D=3D S390_IPL_TYPE_CCW, "IPL_TYPE_CCW expec= ted"); + dev_no =3D iplb->ccw.devno; debug_print_int("device no. ", dev_no); - net_schid.ssid =3D iplb.ccw.ssid & 0x3; + net_schid.ssid =3D iplb->ccw.ssid & 0x3; debug_print_int("ssid ", net_schid.ssid); found =3D find_net_dev(&schib, dev_no); } else { --=20 2.53.0
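Review bot: in patch 14/30, the pc-bios/s390-ccw/main.c hunk at @@ -24,7 +24,9 @@ carries a comment promising that IPLB and IIRB are both page aligned, but `__attribute__((__aligned__(PAGE_SIZE)))` only aligns `ipl_data` as a whole. Where `iirb` lands depends on `sizeof(IplParameterBlock)` and on the compiler adding no padding inside `struct IplBlocks`, and nothing in this patch checks either. A compile-time assertion next to the struct in include/hw/s390x/ipl/qipl.h, for example that `offsetof(IplBlocks, iirb)` equals `sizeof(IplParameterBlock)` and is a multiple of the page size, would make the build enforce what the comment states.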
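Review bot: in patch 14/30, the main.c hunk at @@ -377,10 +379,12 @@ makes `iplb` valid only once main() has executed `iplb = &ipl_data.iplb;`, and nothing at the declaration documents that ordering. Until then the global holds zero, and in this firmware address 0 is mapped (the context line for `lowcore` says so), so an early use would touch low memory instead of faulting. Every converted call site (`set_iplb(iplb)`, `store_iplb(iplb)`, `memcpy(iplb, ...)`, `ptr2u32(iplb)`) now relies on that assignment having run. If the build permits it, give the pointer a static initialiser; otherwise add a comment at the declaration that it is set first thing in main().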
From: Zhuoying Cai
To: qemu-s390x@nongnu.org, qemu-devel@nongnu.org
Cc: jrossi@linux.ibm.com, cohuck@redhat.com, berrange@redhat.com, richard.henderson@linaro.org, pierrick.bouvier@linaro.org, david@kernel.org, walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com, brueckner@linux.ibm.com, jdaley@linux.ibm.com
Subject: [PATCH v10 15/30] hw/s390x/ipl: Add IPIB flags to IPL Parameter Block
Date: Thu, 2 Apr 2026 18:14:37 -0400
Message-ID: <20260402221453.1602899-16-zycai@linux.ibm.com>
In-Reply-To: <20260402221453.1602899-1-zycai@linux.ibm.com>
References: <20260402221453.1602899-1-zycai@linux.ibm.com>

Add IPIB flags to IPL Parameter Block to determine if IPL needs to perform securely and if IPL Information Report Block (IIRB) exists. Move DIAG308 flags to a separated header file and add flags for secure IPL. Secure boot in audit mode will perform if certificate(s) exist in the key store. IIRB will exist and results of verification will be stored in IIRB.
To ensure proper alignment of the IIRB and prevent overlap, set iplb->len to the maximum length of the IPLB, allowing alignment constraints to be determined based on its size. Signed-off-by: Zhuoying Cai Reviewed-by: Thomas Huth --- hw/s390x/ipl.c | 21 +++++++++++++++++++++ hw/s390x/ipl.h | 21 +++++---------------- include/hw/s390x/ipl/diag308.h | 34 ++++++++++++++++++++++++++++++++++ include/hw/s390x/ipl/qipl.h | 5 ++++- 4 files changed, 64 insertions(+), 17 deletions(-) create mode 100644 include/hw/s390x/ipl/diag308.h diff --git a/hw/s390x/ipl.c b/hw/s390x/ipl.c index fbef46aee5..f4311f6d62 100644 --- a/hw/s390x/ipl.c +++ b/hw/s390x/ipl.c @@ -461,6 +461,13 @@ S390IPLCertificateStore *s390_ipl_get_certificate_stor= e(void) return &ipl->cert_store; } =20 +static bool s390_has_certificate(void) +{ + S390IPLState *ipl =3D get_ipl_device(); + + return ipl->cert_store.count > 0; +} + static bool s390_build_iplb(DeviceState *dev_st, IplParameterBlock *iplb) { CcwDevice *ccw_dev =3D NULL; @@ -517,6 +524,20 @@ static bool s390_build_iplb(DeviceState *dev_st, IplPa= rameterBlock *iplb) s390_ipl_convert_loadparm((char *)lp, iplb->loadparm); iplb->flags |=3D DIAG308_FLAGS_LP_VALID; =20 + /* + * Secure boot in audit mode will perform + * if certificate(s) exist in the key store. + * + * IPL Information Report Block (IIRB) will exist + * for secure boot in audit mode. + * + * Results of secure boot will be stored in IIRB. + */ + if (s390_has_certificate()) { + iplb->hdr_flags |=3D DIAG308_IPIB_FLAGS_IPLIR; + iplb->len =3D cpu_to_be32(S390_IPLB_MAX_LEN); + } + return true; } =20 diff --git a/hw/s390x/ipl.h b/hw/s390x/ipl.h index 57f6a072a0..6967ecaf6e 100644 --- a/hw/s390x/ipl.h +++ b/hw/s390x/ipl.h @@ -23,7 +23,6 @@ #include "qom/object.h" #include "target/s390x/kvm/pv.h" =20 -#define DIAG308_FLAGS_LP_VALID 0x80 #define MAX_BOOT_DEVS 8 /* Max number of devices that may have a bootindex= */ =20 void s390_ipl_convert_loadparm(char *ascii_lp, uint8_t *ebcdic_lp); 
@@ -90,21 +89,10 @@ struct S390IPLState { }; QEMU_BUILD_BUG_MSG(offsetof(S390IPLState, iplb) & 3, "alignment of iplb wr= ong"); =20 -#define DIAG_308_RC_OK 0x0001 -#define DIAG_308_RC_NO_CONF 0x0102 -#define DIAG_308_RC_INVALID 0x0402 -#define DIAG_308_RC_NO_PV_CONF 0x0902 -#define DIAG_308_RC_INVAL_FOR_PV 0x0a02 - -#define DIAG308_RESET_MOD_CLR 0 -#define DIAG308_RESET_LOAD_NORM 1 -#define DIAG308_LOAD_CLEAR 3 -#define DIAG308_LOAD_NORMAL_DUMP 4 -#define DIAG308_SET 5 -#define DIAG308_STORE 6 -#define DIAG308_PV_SET 8 -#define DIAG308_PV_STORE 9 -#define DIAG308_PV_START 10 +#define S390_IPL_TYPE_FCP 0x00 +#define S390_IPL_TYPE_CCW 0x02 +#define S390_IPL_TYPE_PV 0x05 +#define S390_IPL_TYPE_QEMU_SCSI 0xff =20 #define S390_IPLB_HEADER_LEN 8 #define S390_IPLB_MIN_PV_LEN 148 @@ -112,6 +100,7 @@ QEMU_BUILD_BUG_MSG(offsetof(S390IPLState, iplb) & 3, "a= lignment of iplb wrong"); #define S390_IPLB_MIN_FCP_LEN 384 #define S390_IPLB_MIN_PCI_LEN 376 #define S390_IPLB_MIN_QEMU_SCSI_LEN 200 +#define S390_IPLB_MAX_LEN 4096 =20 static inline bool iplb_valid_len(IplParameterBlock *iplb) { diff --git a/include/hw/s390x/ipl/diag308.h b/include/hw/s390x/ipl/diag308.h new file mode 100644 index 0000000000..6e62f29215 --- /dev/null +++ b/include/hw/s390x/ipl/diag308.h 
@@ -0,0 +1,34 @@ +/* + * S/390 DIAGNOSE 308 definitions and structures + * + * Copyright 2025 IBM Corp. + * Author(s): Zhuoying Cai + * + * SPDX-License-Identifier: GPL-2.0-or-later + */ + +#ifndef S390X_DIAG308_H +#define S390X_DIAG308_H + +#define DIAG_308_RC_OK 0x0001 +#define DIAG_308_RC_NO_CONF 0x0102 +#define DIAG_308_RC_INVALID 0x0402 +#define DIAG_308_RC_NO_PV_CONF 0x0902 +#define DIAG_308_RC_INVAL_FOR_PV 0x0a02 + +#define DIAG308_RESET_MOD_CLR 0 +#define DIAG308_RESET_LOAD_NORM 1 +#define DIAG308_LOAD_CLEAR 3 +#define DIAG308_LOAD_NORMAL_DUMP 4 +#define DIAG308_SET 5 +#define DIAG308_STORE 6 +#define DIAG308_PV_SET 8 +#define DIAG308_PV_STORE 9 +#define DIAG308_PV_START 10 + +#define DIAG308_FLAGS_LP_VALID 0x80 + +#define DIAG308_IPIB_FLAGS_SIPL 0x40 +#define DIAG308_IPIB_FLAGS_IPLIR 0x20 + +#endif diff --git a/include/hw/s390x/ipl/qipl.h b/include/hw/s390x/ipl/qipl.h index b46e787259..dcb84f729a 100644 --- a/include/hw/s390x/ipl/qipl.h +++ b/include/hw/s390x/ipl/qipl.h @@ -12,6 +12,8 @@ #ifndef S390X_QIPL_H #define S390X_QIPL_H =20 +#include "diag308.h" + /* Boot Menu flags */ #define QIPL_FLAG_BM_OPTS_CMD 0x80 #define QIPL_FLAG_BM_OPTS_ZIPL 0x40 
@@ -122,7 +124,8 @@ typedef struct IplBlockPci IplBlockPci; union IplParameterBlock { struct { uint32_t len; - uint8_t reserved0[3]; + uint8_t hdr_flags; + uint8_t reserved0[2]; uint8_t version; uint32_t blk0_len; uint8_t pbt; --=20 2.53.0
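Review bot: in patch 15/30, the hw/s390x/ipl.c hunk at @@ -517,6 +524,20 @@ adds a comment that explains the IPLIR flag but not why `iplb->len` is forced to `S390_IPLB_MAX_LEN`; that rationale (IIRB alignment, no overlap) exists only in the commit message. Please move it into the comment. It would also help to say whether `blk0_len` is meant to keep its previous value while `len` becomes 4096, since the two fields sit in the same header that the qipl.h hunk changes and ipl.h has a length validator, `iplb_valid_len()`, whose body is not part of this diff.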
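Review bot: in patch 15/30, the four `S390_IPL_TYPE_*` defines added by the hw/s390x/ipl.h hunk at @@ -90,21 +89,10 @@ are not covered by the commit message, which only describes moving the DIAG308 definitions and adding the IPIB flags. The set also lacks `S390_IPL_TYPE_PCI`, which the pc-bios code in patch 14/30 switches on, so this may be a leftover from a rebase. Drop the defines if the values already exist elsewhere, or explain the addition in the commit message.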
From: Zhuoying Cai
To: qemu-s390x@nongnu.org, qemu-devel@nongnu.org
Cc: jrossi@linux.ibm.com, cohuck@redhat.com, berrange@redhat.com, richard.henderson@linaro.org, pierrick.bouvier@linaro.org, david@kernel.org, walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com, brueckner@linux.ibm.com, jdaley@linux.ibm.com
Subject: [PATCH v10 16/30] s390x: Guest support for Secure-IPL Facility
Date: Thu, 2 Apr 2026 18:14:38 -0400
Message-ID: <20260402221453.1602899-17-zycai@linux.ibm.com>
In-Reply-To: <20260402221453.1602899-1-zycai@linux.ibm.com>
References: <20260402221453.1602899-1-zycai@linux.ibm.com>

Introduce Secure-IPL (SIPL) facility. Use fac_ipl to represent bytes 136 and 137 for IPL device facilities of the SCLP Read Info block. Availability of SIPL facility is determined by byte 136 bit 1 of the SCLP Read Info block. Byte 136's facilities cannot be represented without the availability of the extended-length-SCCB, so add it as a check for consistency.
Secure IPL is not available for guests under protected virtualization. This feature is available starting with the gen16 CPU model. Signed-off-by: Zhuoying Cai Reviewed-by: Collin Walling Reviewed-by: Thomas Huth --- hw/s390x/sclp.c | 2 ++ include/hw/s390x/sclp.h | 4 +++- target/s390x/cpu_features.c | 4 ++++ target/s390x/cpu_features.h | 1 + target/s390x/cpu_features_def.h.inc | 3 +++ target/s390x/cpu_models.c | 2 ++ target/s390x/gen-features.c | 2 ++ target/s390x/kvm/kvm.c | 3 +++ 8 files changed, 20 insertions(+), 1 deletion(-) diff --git a/hw/s390x/sclp.c b/hw/s390x/sclp.c index b9c3983df1..666bae33f0 100644 --- a/hw/s390x/sclp.c +++ b/hw/s390x/sclp.c @@ -146,6 +146,8 @@ static void read_SCP_info(SCLPDevice *sclp, SCCB *sccb) if (s390_has_feat(S390_FEAT_EXTENDED_LENGTH_SCCB)) { s390_get_feat_block(S390_FEAT_TYPE_SCLP_FAC134, &read_info->fac134); + s390_get_feat_block(S390_FEAT_TYPE_SCLP_FAC_IPL, + read_info->fac_ipl); } =20 read_info->facilities =3D cpu_to_be64(SCLP_HAS_CPU_INFO | diff --git a/include/hw/s390x/sclp.h b/include/hw/s390x/sclp.h index ddc61f1c21..a9595d8007 100644 --- a/include/hw/s390x/sclp.h +++ b/include/hw/s390x/sclp.h @@ -136,7 +136,9 @@ typedef struct ReadInfo { uint32_t hmfai; uint8_t _reserved7[134 - 128]; /* 128-133 */ uint8_t fac134; - uint8_t _reserved8[144 - 135]; /* 135-143 */ + uint8_t _reserved8; + uint8_t fac_ipl[2]; /* 136-137 */ + uint8_t _reserved9[144 - 138]; /* 138-143 */ struct CPUEntry entries[]; /* * When the Extended-Length SCCB (ELS) feature is enabled the diff --git a/target/s390x/cpu_features.c b/target/s390x/cpu_features.c index 436471f4b4..200bd8c15b 100644 --- a/target/s390x/cpu_features.c +++ b/target/s390x/cpu_features.c 
@@ -119,6 +119,7 @@ void s390_fill_feat_block(const S390FeatBitmap features= , S390FeatType type, * Some facilities are not available for CPUs in protected mode: * - All SIE facilities because SIE is not available * - DIAG318 + * - Secure IPL Facility * * As VMs can move in and out of protected mode the CPU model * doesn't protect us from that problem because it is only @@ -149,6 +150,9 @@ void s390_fill_feat_block(const S390FeatBitmap features= , S390FeatType type, clear_be_bit(s390_feat_def(S390_FEAT_DIAG_318)->bit, data); clear_be_bit(s390_feat_def(S390_FEAT_CERT_STORE)->bit, data); break; + case S390_FEAT_TYPE_SCLP_FAC_IPL: + clear_be_bit(s390_feat_def(S390_FEAT_SIPL)->bit, data); + break; default: return; } diff --git a/target/s390x/cpu_features.h b/target/s390x/cpu_features.h index 5635839d03..b038198555 100644 --- a/target/s390x/cpu_features.h +++ b/target/s390x/cpu_features.h @@ -24,6 +24,7 @@ typedef enum { S390_FEAT_TYPE_SCLP_CONF_CHAR, S390_FEAT_TYPE_SCLP_CONF_CHAR_EXT, S390_FEAT_TYPE_SCLP_FAC134, + S390_FEAT_TYPE_SCLP_FAC_IPL, S390_FEAT_TYPE_SCLP_CPU, S390_FEAT_TYPE_MISC, S390_FEAT_TYPE_PLO, diff --git a/target/s390x/cpu_features_def.h.inc b/target/s390x/cpu_feature= s_def.h.inc index 2976ecd0ee..bcf8a666e4 100644 --- a/target/s390x/cpu_features_def.h.inc +++ b/target/s390x/cpu_features_def.h.inc @@ -140,6 +140,9 @@ DEF_FEAT(SIE_IBS, "ibs", SCLP_CONF_CHAR_EXT, 10, "SIE: = Interlock-and-broadcast-s DEF_FEAT(DIAG_318, "diag318", SCLP_FAC134, 0, "Control program name and ve= rsion codes") DEF_FEAT(CERT_STORE, "cstore", SCLP_FAC134, 5, "Certificate Store function= s") =20 +/* Features exposed via SCLP SCCB Facilities byte 136 - 137 (bit numbers r= elative to byte-136) */ +DEF_FEAT(SIPL, "sipl", SCLP_FAC_IPL, 1, "Secure-IPL facility") + /* Features exposed via SCLP CPU info. */ DEF_FEAT(SIE_F2, "sief2", SCLP_CPU, 4, "SIE: interception format 2 (Virtua= l SIE)") DEF_FEAT(SIE_SKEY, "skey", SCLP_CPU, 5, "SIE: Storage-key facility") 
diff --git a/target/s390x/cpu_models.c b/target/s390x/cpu_models.c index 962f135f42..a52e34aa95 100644 --- a/target/s390x/cpu_models.c +++ b/target/s390x/cpu_models.c @@ -263,6 +263,7 @@ bool s390_has_feat(S390Feat feat) case S390_FEAT_SIE_CMMA: case S390_FEAT_SIE_PFMFI: case S390_FEAT_SIE_IBS: + case S390_FEAT_SIPL: case S390_FEAT_CONFIGURATION_TOPOLOGY: return false; break; @@ -507,6 +508,7 @@ static void check_consistency(const S390CPUModel *model) { S390_FEAT_AP_QUEUE_INTERRUPT_CONTROL, S390_FEAT_AP }, { S390_FEAT_DIAG_318, S390_FEAT_EXTENDED_LENGTH_SCCB }, { S390_FEAT_CERT_STORE, S390_FEAT_EXTENDED_LENGTH_SCCB }, + { S390_FEAT_SIPL, S390_FEAT_EXTENDED_LENGTH_SCCB }, { S390_FEAT_NNPA, S390_FEAT_VECTOR }, { S390_FEAT_RDP, S390_FEAT_LOCAL_TLB_CLEARING }, { S390_FEAT_UV_FEAT_AP, S390_FEAT_AP }, diff --git a/target/s390x/gen-features.c b/target/s390x/gen-features.c index 6c20c3a862..bd2060ab93 100644 --- a/target/s390x/gen-features.c +++ b/target/s390x/gen-features.c @@ -721,6 +721,7 @@ static uint16_t full_GEN16_GA1[] =3D { S390_FEAT_UV_FEAT_AP, S390_FEAT_UV_FEAT_AP_INTR, S390_FEAT_CERT_STORE, + S390_FEAT_SIPL, }; =20 static uint16_t full_GEN17_GA1[] =3D { @@ -922,6 +923,7 @@ static uint16_t qemu_MAX[] =3D { S390_FEAT_PRNO_TRNG, S390_FEAT_EXTENDED_LENGTH_SCCB, S390_FEAT_CERT_STORE, + S390_FEAT_SIPL, }; =20 /****** END FEATURE DEFS ******/ diff --git a/target/s390x/kvm/kvm.c b/target/s390x/kvm/kvm.c index cba431688b..40197cca7a 100644 --- a/target/s390x/kvm/kvm.c +++ b/target/s390x/kvm/kvm.c 
@@ -2518,6 +2518,9 @@ bool kvm_s390_get_host_cpu_model(S390CPUModel *model,= Error **errp) =20 set_bit(S390_FEAT_CERT_STORE, model->features); =20 + /* Some Secure IPL facilities are emulated by QEMU */ + set_bit(S390_FEAT_SIPL, model->features); + /* Test for Ultravisor features that influence secure guest behavior */ query_uv_feat_guest(model->features); =20 --=20 2.53.0
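Review bot: in the ReadInfo hunk of include/hw/s390x/sclp.h, nothing pins fac_ipl to offset 136 once the reserved array is split, and the new one-byte _reserved8 has lost its offset comment. DEF_FEAT(SIPL, "sipl", SCLP_FAC_IPL, 1, ...) numbers its bit relative to byte 136, so a later edit that shifts the struct would silently report the facility in the wrong place. Annotate `uint8_t _reserved8; /* 135 */` and consider a build-time assertion that offsetof(ReadInfo, fac_ipl) is 136.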
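Review bot: in the check_consistency() hunk of target/s390x/cpu_models.c, S390_FEAT_SIPL depends only on S390_FEAT_EXTENDED_LENGTH_SCCB, while the commit message of 19/30 lists the Certificate Store Facility among the facilities secure IPL needs. If sipl without cstore is not a usable configuration, add `{ S390_FEAT_SIPL, S390_FEAT_CERT_STORE },` to the dependency table so the model flags it up front instead of leaving the BIOS to find out at boot; if the combination is intended, say so in the commit message.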
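Review bot: the comment added in kvm_s390_get_host_cpu_model() reads "Some Secure IPL facilities are emulated by QEMU", but the line under it sets exactly one bit, S390_FEAT_SIPL, and sets it unconditionally. Name the facility that is emulated and state why no host capability probe is needed here, given that the commit message ties the feature to the gen16 CPU model and later.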
From: Zhuoying Cai
To: qemu-s390x@nongnu.org, qemu-devel@nongnu.org
Cc: jrossi@linux.ibm.com, cohuck@redhat.com, berrange@redhat.com, richard.henderson@linaro.org, pierrick.bouvier@linaro.org, david@kernel.org, walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com, brueckner@linux.ibm.com, jdaley@linux.ibm.com
Subject: [PATCH v10 17/30] pc-bios/s390-ccw: Refactor zipl_run()
Date: Thu, 2 Apr 2026 18:14:39 -0400
Message-ID: <20260402221453.1602899-18-zycai@linux.ibm.com>
In-Reply-To: <20260402221453.1602899-1-zycai@linux.ibm.com>
References: <20260402221453.1602899-1-zycai@linux.ibm.com>

Refactor to enhance readability before enabling secure IPL in later patches.

Signed-off-by: Zhuoying Cai
Reviewed-by: Thomas Huth
--- pc-bios/s390-ccw/bootmap.c | 51 ++++++++++++++++++++++++-------------- 1 file changed, 33 insertions(+), 18 deletions(-) diff --git a/pc-bios/s390-ccw/bootmap.c b/pc-bios/s390-ccw/bootmap.c index 420ee32eff..b9ba004cfc 100644 --- a/pc-bios/s390-ccw/bootmap.c +++ b/pc-bios/s390-ccw/bootmap.c
@@ -674,12 +674,42 @@ static int zipl_load_segment(ComponentEntry *entry) return 0; } =20 +static int zipl_run_normal(ComponentEntry **entry_ptr, uint8_t *tmp_sec) +{ + ComponentEntry *entry =3D *entry_ptr; + + while (entry->component_type =3D=3D ZIPL_COMP_ENTRY_LOAD || + entry->component_type =3D=3D ZIPL_COMP_ENTRY_SIGNATURE) { + + /* Secure boot is off, so we skip signature entries */ + if (entry->component_type =3D=3D ZIPL_COMP_ENTRY_SIGNATURE) { + entry++; + continue; + } + + if (zipl_load_segment(entry)) { + return -1; + } + + entry++; + + if ((uint8_t *)&entry[1] > tmp_sec + MAX_SECTOR_SIZE) { + puts("Wrong entry value"); + return -EINVAL; + } + } + + *entry_ptr =3D entry; + return 0; +} + /* Run a zipl program */ static int zipl_run(ScsiBlockPtr *pte) { ComponentHeader *header; ComponentEntry *entry; uint8_t tmp_sec[MAX_SECTOR_SIZE]; + int rc; =20 if (virtio_read(pte->blockno, tmp_sec)) { puts("Cannot read header"); 
@@ -700,25 +730,10 @@ static int zipl_run(ScsiBlockPtr *pte) =20 /* Load image(s) into RAM */ entry =3D (ComponentEntry *)(&header[1]); - while (entry->component_type =3D=3D ZIPL_COMP_ENTRY_LOAD || - entry->component_type =3D=3D ZIPL_COMP_ENTRY_SIGNATURE) { - - /* We don't support secure boot yet, so we skip signature entries = */ - if (entry->component_type =3D=3D ZIPL_COMP_ENTRY_SIGNATURE) { - entry++; - continue; - } - - if (zipl_load_segment(entry)) { - return -1; - } =20 - entry++; - - if ((uint8_t *)(&entry[1]) > (tmp_sec + MAX_SECTOR_SIZE)) { - puts("Wrong entry value"); - return -EINVAL; - } + rc =3D zipl_run_normal(&entry, tmp_sec); + if (rc) { + return rc; } =20 if (entry->component_type !=3D ZIPL_COMP_ENTRY_EXEC) { --=20 2.53.0
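Review bot: in the new zipl_run_normal(), the signature-skip branch does `entry++; continue;` and so never reaches the `(uint8_t *)&entry[1] > tmp_sec + MAX_SECTOR_SIZE` check, which only runs after a LOAD entry has been processed. A component table that consists of SIGNATURE entries lets the loop condition read entry->component_type beyond the end of the sector buffer, and that table comes from the boot disk. The old loop had the same gap, so the refactor is the right place to close it: run the bounds check at the top of the loop body so it covers every advance of entry. The helper also mixes `return -1` with `return -EINVAL`; now that zipl_run() propagates rc, use errno-style codes throughout.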
From: Zhuoying Cai
To: qemu-s390x@nongnu.org, qemu-devel@nongnu.org
Cc: jrossi@linux.ibm.com, cohuck@redhat.com, berrange@redhat.com, richard.henderson@linaro.org, pierrick.bouvier@linaro.org, david@kernel.org, walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com, brueckner@linux.ibm.com, jdaley@linux.ibm.com
Subject: [PATCH v10 18/30] pc-bios/s390-ccw: Rework zipl_load_segment function
Date: Thu, 2 Apr 2026 18:14:40 -0400
Message-ID: <20260402221453.1602899-19-zycai@linux.ibm.com>
In-Reply-To: <20260402221453.1602899-1-zycai@linux.ibm.com>
References: <20260402221453.1602899-1-zycai@linux.ibm.com>

Make the address variable a parameter of zipl_load_segment and return segment length. Modify this function to allow the caller to specify a memory address where segment data should be loaded into. seg_len variable is necessary to store the calculated segment length and is used during signature verification. Return the length on success, or a negative return code on failure.

Signed-off-by: Zhuoying Cai Reviewed-by: Thomas Huth --- pc-bios/s390-ccw/bootmap.c | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/pc-bios/s390-ccw/bootmap.c b/pc-bios/s390-ccw/bootmap.c index b9ba004cfc..d17a6576ff 100644 --- a/pc-bios/s390-ccw/bootmap.c +++ b/pc-bios/s390-ccw/bootmap.c @@ -613,19 +613,22 @@ static int ipl_eckd(void) * IPL a SCSI disk */ =20 -static int zipl_load_segment(ComponentEntry *entry) +/* + * Returns: length of the segment on success, + * negative value on error. + */ +static int zipl_load_segment(ComponentEntry *entry, uint64_t address) { const int max_entries =3D (MAX_SECTOR_SIZE / sizeof(ScsiBlockPtr)); ScsiBlockPtr *bprs =3D (void *)sec; const int bprs_size =3D sizeof(sec); block_number_t blockno; - uint64_t address; int i; char err_msg[] =3D "zIPL failed to read BPRS at 0xZZZZZZZZZZZZZZZZ"; char *blk_no =3D &err_msg[30]; /* where to print blockno in (those ZZs= ) */ + int seg_len =3D 0; =20 blockno =3D entry->data.blockno; - address =3D entry->compdat.load_addr; =20 debug_print_int("loading segment at block", blockno); debug_print_int("addr", address); @@ -668,10 +671,12 @@ static int zipl_load_segment(ComponentEntry *entry) puts("zIPL load segment failed"); return -EIO; } + + seg_len +=3D bprs->size * (bprs[i].blockct + 1); } } while (blockno); =20 - return 0; + return seg_len; } =20 static int zipl_run_normal(ComponentEntry **entry_ptr, uint8_t *tmp_sec) 
@@ -687,7 +692,7 @@ static int zipl_run_normal(ComponentEntry **entry_ptr, = uint8_t *tmp_sec) continue; } =20 - if (zipl_load_segment(entry)) { + if (zipl_load_segment(entry, entry->compdat.load_addr) < 0) { return -1; } =20 --=20 2.53.0
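Review bot: in the `@@ -668,10 +671,12 @@` hunk of zipl_load_segment(), `seg_len +=3D bprs->size * (bprs[i].blockct + 1);` takes the block size from bprs[0] but the block count from bprs[i]. Use bprs[i].size unless every pointer in the list is guaranteed to share entry 0's size, and add a comment saying so if it is. seg_len is also an int that doubles as the error channel: a sum that overflows can come back negative and look like a failure, or wrap and under-report the length that the commit message says is later used for signature verification. Accumulate in an unsigned 64-bit value and return it through an out-parameter, or reject oversize segments explicitly.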
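Review bot: in the zipl_run_normal() hunk, `if (zipl_load_segment(entry, entry->compdat.load_addr) < 0) { return -1; }` discards the specific code the callee now returns, for example -EIO. Keep the return value in a local and pass it up, so that zipl_run() can tell a read failure from a malformed entry.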
From: Zhuoying Cai
To: qemu-s390x@nongnu.org, qemu-devel@nongnu.org
Cc: jrossi@linux.ibm.com, cohuck@redhat.com, berrange@redhat.com, richard.henderson@linaro.org, pierrick.bouvier@linaro.org, david@kernel.org, walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com, brueckner@linux.ibm.com, jdaley@linux.ibm.com
Subject: [PATCH v10 19/30] pc-bios/s390-ccw: Add signature verification for secure IPL in audit mode
Date: Thu, 2 Apr 2026 18:14:41 -0400
Message-ID: <20260402221453.1602899-20-zycai@linux.ibm.com>
In-Reply-To: <20260402221453.1602899-1-zycai@linux.ibm.com>
References: <20260402221453.1602899-1-zycai@linux.ibm.com>

Enable secure IPL in audit mode, which performs signature verification, but any error does not terminate the boot process. Only warnings will be logged to the console instead. Add a comp_len variable to store the length of a segment in zipl_load_segment. comp_len variable is necessary to store the calculated segment length and is used during signature verification.
Return the length on success, or a negative return code on failure. Secure IPL in audit mode requires at least one certificate provided in the key store along with necessary facilities (Secure IPL Facility, Certificate Store Facility and secure IPL extension support). Note: Secure IPL in audit mode is implemented for the SCSI scheme of virtio-blk/virtio-scsi devices. Signed-off-by: Zhuoying Cai --- docs/system/s390x/secure-ipl.rst | 35 +++ pc-bios/s390-ccw/Makefile | 2 +- pc-bios/s390-ccw/bootmap.c | 36 +++- pc-bios/s390-ccw/bootmap.h | 11 + pc-bios/s390-ccw/main.c | 6 + pc-bios/s390-ccw/s390-ccw.h | 27 +++ pc-bios/s390-ccw/sclp.c | 37 ++++ pc-bios/s390-ccw/sclp.h | 6 + pc-bios/s390-ccw/secure-ipl.c | 359 +++++++++++++++++++++++++++++++ pc-bios/s390-ccw/secure-ipl.h | 110 ++++++++++ 10 files changed, 626 insertions(+), 3 deletions(-) create mode 100644 pc-bios/s390-ccw/secure-ipl.c create mode 100644 pc-bios/s390-ccw/secure-ipl.h diff --git a/docs/system/s390x/secure-ipl.rst b/docs/system/s390x/secure-ip= l.rst index 0a02f171b4..3a19b72085 100644 --- a/docs/system/s390x/secure-ipl.rst +++ b/docs/system/s390x/secure-ipl.rst 
@@ -18,3 +18,38 @@ Note: certificate files must have a .pem extension. .. code-block:: shell =20 qemu-system-s390x -machine s390-ccw-virtio,boot-certs.0.path=3D/.../qe= mu/certs,boot-certs.1.path=3D/another/path/cert.pem ... + + +IPL Modes +=3D=3D=3D=3D=3D=3D=3D=3D=3D +Multiple IPL modes are available to differentiate between the various IPL +configurations. These modes are mutually exclusive and enabled based on the +``boot-certs`` option on the QEMU command line. + +Normal Mode +----------- + +The absence of certificates will attempt to IPL a guest without secure IPL +operations. No checks are performed, and no warnings/errors are reported. +This is the default mode. + +Configuration: + +.. code-block:: shell + + qemu-system-s390x -machine s390-ccw-virtio ... + +Audit Mode +---------- + +When the certificate store is populated with at least one certificate +and no additional secure IPL parameters are provided on the command +line, then secure IPL will proceed in "audit mode". All secure IPL +operations will be performed with signature verification errors reported +as non-disruptive warnings. + +Configuration: + +.. code-block:: shell + + qemu-system-s390x -machine s390-ccw-virtio,boot-certs.0.path=3D/.../qe= mu/certs,boot-certs.1.path=3D/another/path/cert.pem ... diff --git a/pc-bios/s390-ccw/Makefile b/pc-bios/s390-ccw/Makefile index 3e5dfb64d5..2109d16781 100644 --- a/pc-bios/s390-ccw/Makefile +++ b/pc-bios/s390-ccw/Makefile @@ -35,7 +35,7 @@ QEMU_DGFLAGS =3D -MMD -MP -MT $@ -MF $(@D)/$(*F).d =20 OBJECTS =3D start.o main.o bootmap.o jump2ipl.o sclp.o menu.o netmain.o \ virtio.o virtio-net.o virtio-scsi.o virtio-blkdev.o cio.o dasd-ipl.o \ - virtio-ccw.o clp.o pci.o virtio-pci.o + virtio-ccw.o clp.o pci.o virtio-pci.o secure-ipl.o =20 SLOF_DIR :=3D $(SRC_PATH)/../../roms/SLOF =20 diff --git a/pc-bios/s390-ccw/bootmap.c b/pc-bios/s390-ccw/bootmap.c index d17a6576ff..1873a35511 100644 --- a/pc-bios/s390-ccw/bootmap.c +++ b/pc-bios/s390-ccw/bootmap.c 
@@ -15,6 +15,7 @@ #include "bootmap.h" #include "virtio.h" #include "bswap.h" +#include "secure-ipl.h" =20 #ifdef DEBUG /* #define DEBUG_FALLBACK */ @@ -617,7 +618,7 @@ static int ipl_eckd(void) * Returns: length of the segment on success, * negative value on error. */ -static int zipl_load_segment(ComponentEntry *entry, uint64_t address) +int zipl_load_segment(ComponentEntry *entry, uint64_t address) { const int max_entries =3D (MAX_SECTOR_SIZE / sizeof(ScsiBlockPtr)); ScsiBlockPtr *bprs =3D (void *)sec; @@ -736,7 +737,19 @@ static int zipl_run(ScsiBlockPtr *pte) /* Load image(s) into RAM */ entry =3D (ComponentEntry *)(&header[1]); =20 - rc =3D zipl_run_normal(&entry, tmp_sec); + switch (boot_mode) { + case ZIPL_BOOT_MODE_SECURE_AUDIT: + rc =3D zipl_run_secure(&entry, tmp_sec); + break; + case ZIPL_BOOT_MODE_NORMAL: + rc =3D zipl_run_normal(&entry, tmp_sec); + break; + default: + puts("Unknown boot mode"); + rc =3D -1; + break; + } + if (rc) { return rc; } @@ -1103,17 +1116,33 @@ static int zipl_load_vscsi(void) * IPL starts here */ =20 +ZiplBootMode get_boot_mode(uint8_t hdr_flags) +{ + bool sipl_set =3D hdr_flags & DIAG308_IPIB_FLAGS_SIPL; + bool iplir_set =3D hdr_flags & DIAG308_IPIB_FLAGS_IPLIR; + + if (!sipl_set && iplir_set) { + return ZIPL_BOOT_MODE_SECURE_AUDIT; + } + + return ZIPL_BOOT_MODE_NORMAL; +} + void zipl_load(void) { VDev *vdev =3D virtio_get_device(); =20 if (vdev->is_cdrom) { + IPL_assert((boot_mode =3D=3D ZIPL_BOOT_MODE_NORMAL), + "Secure boot from ISO image is not supported!"); ipl_iso_el_torito(); puts("Failed to IPL this ISO image!"); return; } =20 if (virtio_get_device_type() =3D=3D VIRTIO_ID_NET) { + IPL_assert((boot_mode =3D=3D ZIPL_BOOT_MODE_NORMAL), + "Virtio net boot device does not support secure boot!"= ); netmain(); puts("Failed to IPL from this network!"); return; 
@@ -1124,6 +1153,9 @@ void zipl_load(void) return; } =20 + IPL_assert((boot_mode =3D=3D ZIPL_BOOT_MODE_NORMAL), + "Secure boot with the ECKD scheme is not supported!"); + switch (virtio_get_device_type()) { case VIRTIO_ID_BLOCK: zipl_load_vblk(); diff --git a/pc-bios/s390-ccw/bootmap.h b/pc-bios/s390-ccw/bootmap.h index 95943441d3..dc2783faa2 100644 --- a/pc-bios/s390-ccw/bootmap.h +++ b/pc-bios/s390-ccw/bootmap.h @@ -88,9 +88,18 @@ typedef struct BootMapTable { BootMapPointer entry[]; } __attribute__ ((packed)) BootMapTable; =20 +#define DER_SIGNATURE_FORMAT 1 + +typedef struct SignatureInformation { + uint8_t format; + uint8_t reserved[3]; + uint32_t sig_len; +} SignatureInformation; + typedef union ComponentEntryData { uint64_t load_psw; uint64_t load_addr; + SignatureInformation sig_info; } ComponentEntryData; =20 typedef struct ComponentEntry { @@ -113,6 +122,8 @@ typedef struct ScsiMbr { ScsiBlockPtr pt; /* block pointer to program table */ } __attribute__ ((packed)) ScsiMbr; =20 +int zipl_load_segment(ComponentEntry *entry, uint64_t address); + #define ZIPL_MAGIC "zIPL" #define ZIPL_MAGIC_EBCDIC "\xa9\xc9\xd7\xd3" #define IPL1_MAGIC "\xc9\xd7\xd3\xf1" /* =3D=3D "IPL1" in EBCDIC */ diff --git a/pc-bios/s390-ccw/main.c b/pc-bios/s390-ccw/main.c index e6d4105786..93d22fc77c 100644 --- a/pc-bios/s390-ccw/main.c +++ b/pc-bios/s390-ccw/main.c @@ -30,6 +30,7 @@ IplParameterBlock *iplb; bool have_iplb; static uint16_t cutype; LowCore *lowcore; /* Yes, this *is* a pointer to address 0 */ +ZiplBootMode boot_mode; =20 #define LOADPARM_PROMPT "PROMPT " #define LOADPARM_EMPTY " " @@ -303,6 +304,9 @@ static void ipl_ccw_device(void) switch (cutype) { case CU_TYPE_DASD_3990: case CU_TYPE_DASD_2107: + IPL_assert((boot_mode =3D=3D ZIPL_BOOT_MODE_NORMAL), + "Passthrough (vfio) CCW device does not support secure= boot!"); + dasd_ipl(blk_schid, cutype); break; case CU_TYPE_VIRTIO: 
@@ -390,6 +394,8 @@ void main(void) probe_boot_device(); } =20 + boot_mode =3D get_boot_mode(iplb->hdr_flags); + while (have_iplb) { boot_setup(); if (have_iplb && find_boot_device()) { diff --git a/pc-bios/s390-ccw/s390-ccw.h b/pc-bios/s390-ccw/s390-ccw.h index 1e1f71775e..1b09aed8b1 100644 --- a/pc-bios/s390-ccw/s390-ccw.h +++ b/pc-bios/s390-ccw/s390-ccw.h @@ -40,6 +40,22 @@ typedef unsigned long long u64; ((b) =3D=3D 0 ? (a) : (MIN(a, b)))) #endif =20 +/* + * Round number down to multiple. Requires that d be a power of 2. + * Works even if d is a smaller type than n. + */ +#ifndef ROUND_DOWN +#define ROUND_DOWN(n, d) ((n) & -(0 ? (n) : (d))) +#endif + +/* + * Round number up to multiple. Requires that d be a power of 2. + * Works even if d is a smaller type than n. + */ +#ifndef ROUND_UP +#define ROUND_UP(n, d) ROUND_DOWN((n) + (d) - 1, (d)) +#endif + #define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0])) =20 #include "cio.h" @@ -64,11 +80,22 @@ void sclp_print(const char *string); void sclp_set_write_mask(uint32_t receive_mask, uint32_t send_mask); void sclp_setup(void); void sclp_get_loadparm_ascii(char *loadparm); +bool sclp_is_diag320_on(void); +bool sclp_is_sipl_on(void); int sclp_read(char *str, size_t count); =20 /* bootmap.c */ void zipl_load(void); =20 +typedef enum ZiplBootMode { + ZIPL_BOOT_MODE_NORMAL =3D 0, + ZIPL_BOOT_MODE_SECURE_AUDIT =3D 1, +} ZiplBootMode; + +extern ZiplBootMode boot_mode; + +ZiplBootMode get_boot_mode(uint8_t hdr_flags); + /* jump2ipl.c */ void write_reset_psw(uint64_t psw); int jump_to_IPL_code(uint64_t address); diff --git a/pc-bios/s390-ccw/sclp.c b/pc-bios/s390-ccw/sclp.c index 4a07de018d..6283ae71bc 100644 --- a/pc-bios/s390-ccw/sclp.c +++ b/pc-bios/s390-ccw/sclp.c 
@@ -113,6 +113,43 @@ void sclp_get_loadparm_ascii(char *loadparm) } } =20 +bool sclp_is_diag320_on(void) +{ + ReadInfo *sccb =3D (void *)_sccb; + uint8_t fac134 =3D 0; + + memset((char *)_sccb, 0, sizeof(ReadInfo)); + sccb->h.length =3D SCCB_SIZE; + if (!sclp_service_call(SCLP_CMDW_READ_SCP_INFO, sccb)) { + fac134 =3D sccb->fac134; + } + + return fac134 & SCCB_FAC134_DIAG320_BIT; +} + +/* + * Get fac_ipl (byte 136 and byte 137 of the SCLP Read Info block) + * for IPL device facilities. + */ +static void sclp_get_fac_ipl(uint16_t *fac_ipl) +{ + ReadInfo *sccb =3D (void *)_sccb; + + memset((char *)_sccb, 0, sizeof(ReadInfo)); + sccb->h.length =3D SCCB_SIZE; + if (!sclp_service_call(SCLP_CMDW_READ_SCP_INFO, sccb)) { + *fac_ipl =3D sccb->fac_ipl; + } +} + +bool sclp_is_sipl_on(void) +{ + uint16_t fac_ipl =3D 0; + + sclp_get_fac_ipl(&fac_ipl); + return fac_ipl & SCCB_FAC_IPL_SIPL_BIT; +} + int sclp_read(char *str, size_t count) { ReadEventData *sccb =3D (void *)_sccb; diff --git a/pc-bios/s390-ccw/sclp.h b/pc-bios/s390-ccw/sclp.h index 64b53cad29..cf147f4634 100644 --- a/pc-bios/s390-ccw/sclp.h +++ b/pc-bios/s390-ccw/sclp.h @@ -50,6 +50,8 @@ typedef struct SCCBHeader { } __attribute__((packed)) SCCBHeader; =20 #define SCCB_DATA_LEN (SCCB_SIZE - sizeof(SCCBHeader)) +#define SCCB_FAC134_DIAG320_BIT 0x4 +#define SCCB_FAC_IPL_SIPL_BIT 0x4000 =20 typedef struct ReadInfo { SCCBHeader h; @@ -57,6 +59,10 @@ typedef struct ReadInfo { uint8_t rnsize; uint8_t reserved[13]; uint8_t loadparm[LOADPARM_LEN]; + uint8_t reserved1[102]; + uint8_t fac134; + uint8_t reserved2; + uint16_t fac_ipl; } __attribute__((packed)) ReadInfo; =20 typedef struct SCCB { diff --git a/pc-bios/s390-ccw/secure-ipl.c b/pc-bios/s390-ccw/secure-ipl.c new file mode 100644 index 0000000000..b66ca9ca7e --- /dev/null +++ b/pc-bios/s390-ccw/secure-ipl.c 
@@ -0,0 +1,359 @@ +/* + * S/390 Secure IPL + * + * Functions to support IPL in secure boot mode (DIAG 320, DIAG 508, + * signature verification, and certificate handling). + * + * For secure IPL overview: docs/system/s390x/secure-ipl.rst + * For secure IPL technical: docs/specs/s390x-secure-ipl.rst + * + * Copyright 2025 IBM Corp. + * Author(s): Zhuoying Cai + * + * SPDX-License-Identifier: GPL-2.0-or-later + */ + +#include +#include +#include +#include "bootmap.h" +#include "s390-ccw.h" +#include "secure-ipl.h" + +static uint8_t vcb_data[MAX_SECTOR_SIZE * 4] __attribute__((__aligned__(PA= GE_SIZE))); +static uint8_t vcssb_data[VCSSB_MIN_LEN] __attribute__((__aligned__(8))); + +VCStorageSizeBlock *zipl_secure_get_vcssb(void) +{ + VCStorageSizeBlock *vcssb; + + vcssb =3D (VCStorageSizeBlock *)vcssb_data; + /* avoid retrieving vcssb multiple times */ + if (vcssb->length >=3D VCSSB_MIN_LEN) { + return vcssb; + } + + if (!is_cert_store_facility_supported()) { + puts("Certificate Store Facility is not supported by the hyperviso= r!"); + return NULL; + } + + vcssb->length =3D VCSSB_MIN_LEN; + if (diag320(vcssb, DIAG_320_SUBC_QUERY_VCSI) !=3D DIAG_320_RC_OK) { + vcssb->length =3D 0; + return NULL; + } + + return vcssb; +} + +static uint32_t get_total_certs_length(void) +{ + VCStorageSizeBlock *vcssb; + + vcssb =3D zipl_secure_get_vcssb(); + if (vcssb =3D=3D NULL) { + return 0; + } + + return vcssb->total_vcb_len - VCB_HEADER_LEN - vcssb->total_vc_ct * VC= E_HEADER_LEN; +} + +static uint32_t request_certificate(uint8_t *cert_addr, uint8_t index) +{ + VCStorageSizeBlock *vcssb; + VCBlock *vcb; + VCEntry *vce; + uint32_t cert_len =3D 0; + + /* Get Verification Certificate Storage Size block with DIAG320 subcod= e 1 */ + vcssb =3D zipl_secure_get_vcssb(); + if (vcssb =3D=3D NULL) { + return 0; + } + + /* + * Request single entry + * Fill input fields of single-entry VCB + */ + vcb =3D (VCBlock *)vcb_data; + vcb->in_len =3D ROUND_UP(vcssb->max_single_vcb_len, PAGE_SIZE); + 
vcb->first_vc_index =3D index; + vcb->last_vc_index =3D index; + + if (diag320(vcb, DIAG_320_SUBC_STORE_VC) !=3D DIAG_320_RC_OK) { + goto out; + } + + if (vcb->out_len =3D=3D VCB_HEADER_LEN) { + puts("No certificate entry"); + goto out; + } + + if (vcb->remain_ct !=3D 0) { + puts("Not enough memory to store all requested certificates"); + goto out; + } + + vce =3D (VCEntry *)vcb->vce_buf; + if (!(vce->flags & DIAG_320_VCE_FLAGS_VALID)) { + puts("Invalid certificate"); + goto out; + } + + cert_len =3D vce->cert_len; + memcpy(cert_addr, (uint8_t *)vce + vce->cert_offset, vce->cert_len); + +out: + memset(vcb_data, 0, sizeof(vcb_data)); + return cert_len; +} + +static void cert_list_add(IplSignatureCertificateList *cert_list, int cert= _entry_idx, + uint8_t *cert_addr, uint64_t cert_len) +{ + if (cert_entry_idx > MAX_CERTIFICATES - 1) { + printf("Warning: Ignoring cert entry #%d because only %d entries a= re supported\n", + cert_entry_idx + 1, MAX_CERTIFICATES); + return; + } + + cert_list->cert_entries[cert_entry_idx].addr =3D (uint64_t)cert_addr; + cert_list->cert_entries[cert_entry_idx].len =3D cert_len; + cert_list->ipl_info_header.len +=3D sizeof(cert_list->cert_entries[cer= t_entry_idx]); +} + +static void comp_list_add(IplDeviceComponentList *comp_list, int comp_entr= y_idx, + SecureIplCompEntryInfo comp_entry_info) +{ + if (comp_entry_idx > MAX_CERTIFICATES - 1) { + printf("Warning: Ignoring comp entry #%d because only %d entries a= re supported\n", + comp_entry_idx + 1, MAX_CERTIFICATES); + return; + } + + comp_list->device_entries[comp_entry_idx].addr =3D comp_entry_info.add= r; + comp_list->device_entries[comp_entry_idx].len =3D comp_entry_info.len; + comp_list->device_entries[comp_entry_idx].flags =3D comp_entry_info.fl= ags; + /* cert index field is meaningful only when S390_IPL_DEV_COMP_FLAG_SC = is set */ + comp_list->device_entries[comp_entry_idx].cert_index =3D comp_entry_in= fo.cert_index; + comp_list->ipl_info_header.len +=3D 
sizeof(comp_list->device_entries[c= omp_entry_idx]); +} + +static void update_iirb(IplDeviceComponentList *comp_list, + IplSignatureCertificateList *cert_list) +{ + IplInfoReportBlock *iirb; + IplDeviceComponentList *iirb_comps; + IplSignatureCertificateList *iirb_certs; + uint32_t iirb_hdr_len; + uint32_t comps_len; + uint32_t certs_len; + + if (iplb->len % 8 !=3D 0) { + panic("IPL parameter block length field value is not multiple of 8= bytes"); + } + + iirb_hdr_len =3D sizeof(IplInfoReportBlockHeader); + comps_len =3D comp_list->ipl_info_header.len; + certs_len =3D cert_list->ipl_info_header.len; + if ((comps_len + certs_len + iirb_hdr_len) > sizeof(IplInfoReportBlock= )) { + panic("Not enough space to hold all components and certificates in= IIRB"); + } + + /* IIRB immediately follows IPLB */ + iirb =3D &ipl_data.iirb; + iirb->hdr.len =3D iirb_hdr_len; + + /* Copy IPL device component list after IIRB Header */ + iirb_comps =3D (IplDeviceComponentList *) iirb->info_blks; + memcpy(iirb_comps, comp_list, comps_len); + + /* Update IIRB length */ + iirb->hdr.len +=3D comps_len; + + /* Copy IPL sig cert list after IPL device component list */ + iirb_certs =3D (IplSignatureCertificateList *) (iirb->info_blks + + iirb_comps->ipl_info_hea= der.len); + memcpy(iirb_certs, cert_list, certs_len); + + /* Update IIRB length */ + iirb->hdr.len +=3D certs_len; +} + +static bool secure_ipl_supported(void) +{ + if (!sclp_is_sipl_on()) { + puts("Secure IPL Facility is not supported by the hypervisor!"); + return false; + } + + if (!is_signature_verif_supported()) { + puts("Secure IPL extensions are not supported by the hypervisor!"); + return false; + } + + if (!is_cert_store_facility_supported()) { + puts("Certificate Store Facility is not supported by the hyperviso= r!"); + return false; + } + + return true; +} + +static void init_lists(IplDeviceComponentList *comp_list, + IplSignatureCertificateList *cert_list) +{ + comp_list->ipl_info_header.type =3D 
IPL_INFO_BLOCK_TYPE_COMPONENTS; + comp_list->ipl_info_header.len =3D sizeof(comp_list->ipl_info_header); + + cert_list->ipl_info_header.type =3D IPL_INFO_BLOCK_TYPE_CERTIFICATES; + cert_list->ipl_info_header.len =3D sizeof(cert_list->ipl_info_header); +} + +static int zipl_load_signature(ComponentEntry *entry, uint64_t sig_sec) +{ + if (zipl_load_segment(entry, sig_sec) < 0) { + return -1; + } + + if (entry->compdat.sig_info.format !=3D DER_SIGNATURE_FORMAT) { + puts("Signature is not in DER format"); + return -1; + } + + return entry->compdat.sig_info.sig_len; +} + +int zipl_run_secure(ComponentEntry **entry_ptr, uint8_t *tmp_sec) +{ + IplDeviceComponentList comp_list =3D { 0 }; + IplSignatureCertificateList cert_list =3D { 0 }; + SecureIplCompEntryInfo comp_entry_info; + ComponentEntry *entry =3D *entry_ptr; + uint8_t *cert_addr =3D NULL; + uint64_t *sig =3D NULL; + int cert_entry_idx =3D 0; + int comp_entry_idx =3D 0; + int sig_len =3D 0; + int comp_len; + uint64_t comp_addr; + uint64_t cert_len; + uint8_t cert_table_idx; + bool verified; + /* + * Keep track of which certificate store indices correspond to the + * certificate data entries within the IplSignatureCertificateList to + * prevent allocating space for the same certificate multiple times. + * + * The array index corresponds to the certificate's cert-store index. + * + * The array value corresponds to the certificate's entry within the + * IplSignatureCertificateList (with a value of -1 denoting no entry + * exists for the certificate). + */ + int cert_list_table[MAX_CERTIFICATES] =3D { [0 ... 
MAX_CERTIFICATES - = 1] =3D -1 }; + int signed_count =3D 0; + + if (!secure_ipl_supported()) { + panic("Unable to boot in secure/audit mode"); + } + + init_lists(&comp_list, &cert_list); + cert_addr =3D malloc(get_total_certs_length()); + sig =3D malloc(MAX_SECTOR_SIZE); + + while (entry->component_type !=3D ZIPL_COMP_ENTRY_EXEC) { + switch (entry->component_type) { + case ZIPL_COMP_ENTRY_SIGNATURE: + if (sig_len) { + goto out; + } + + sig_len =3D zipl_load_signature(entry, (uint64_t)sig); + if (sig_len < 0) { + goto out; + } + break; + case ZIPL_COMP_ENTRY_LOAD: + comp_addr =3D entry->compdat.load_addr; + comp_len =3D zipl_load_segment(entry, comp_addr); + if (comp_len < 0) { + goto out; + } + + if (!sig_len) { + break; + } + + comp_entry_info =3D (SecureIplCompEntryInfo){ 0 }; + comp_entry_info.addr =3D comp_addr; + comp_entry_info.len =3D (uint64_t)comp_len; + + verified =3D verify_signature(comp_entry_info, + sig_len, (uint64_t)sig, + &cert_len, &cert_table_idx); + + /* default flags for unverified component */ + comp_entry_info.flags |=3D S390_IPL_DEV_COMP_FLAG_SC; + + if (verified) { + if (cert_list_table[cert_table_idx] =3D=3D -1) { + if (!request_certificate(cert_addr, cert_table_idx)) { + puts("Could not get certificate"); + goto out; + } + + cert_list_table[cert_table_idx] =3D cert_entry_idx; + cert_list_add(&cert_list, cert_entry_idx, cert_addr, c= ert_len); + + /* increment for the next certificate */ + cert_entry_idx++; + cert_addr +=3D cert_len; + } + + puts("Verified component"); + comp_entry_info.cert_index =3D cert_list_table[cert_table_= idx]; + comp_entry_info.flags |=3D S390_IPL_DEV_COMP_FLAG_CSV; + } + + comp_list_add(&comp_list, comp_entry_idx, comp_entry_info); + + if (!verified) { + zipl_secure_handle("Could not verify component"); + } + + comp_entry_idx++; + signed_count +=3D 1; + /* After a signature is used another new one can be accepted */ + sig_len =3D 0; + break; + default: + puts("Unknown component entry type"); + return -1; + } + + 
entry++; + + if ((uint8_t *)(&entry[1]) > tmp_sec + MAX_SECTOR_SIZE) { + puts("Wrong entry value"); + return -EINVAL; + } + } + + if (signed_count =3D=3D 0) { + zipl_secure_handle("Secure boot is on, but components are not sign= ed"); + } + + update_iirb(&comp_list, &cert_list); + + *entry_ptr =3D entry; + free(sig); + + return 0; +out: + free(cert_addr); + free(sig); + + return -1; +} diff --git a/pc-bios/s390-ccw/secure-ipl.h b/pc-bios/s390-ccw/secure-ipl.h new file mode 100644 index 0000000000..6d65cd5596 --- /dev/null +++ b/pc-bios/s390-ccw/secure-ipl.h 
@@ -0,0 +1,110 @@ +/* + * S/390 Secure IPL + * + * Copyright 2025 IBM Corp. + * Author(s): Zhuoying Cai + * + * SPDX-License-Identifier: GPL-2.0-or-later + */ + +#ifndef _PC_BIOS_S390_CCW_SECURE_IPL_H +#define _PC_BIOS_S390_CCW_SECURE_IPL_H + +#include +#include + +VCStorageSizeBlock *zipl_secure_get_vcssb(void); +int zipl_run_secure(ComponentEntry **entry_ptr, uint8_t *tmp_sec); + +/* Custom struct for secure IPL component entry information */ +typedef struct SecureIplCompEntryInfo { + uint64_t addr; + uint64_t len; + uint16_t cert_index; + uint8_t flags; +} SecureIplCompEntryInfo; + +static inline void zipl_secure_handle(const char *message) +{ + switch (boot_mode) { + case ZIPL_BOOT_MODE_SECURE_AUDIT: + IPL_check(false, message); + break; + default: + break; + } +} + +static inline uint64_t diag320(void *data, unsigned long subcode) +{ + register unsigned long addr asm("0") =3D (unsigned long)data; + register unsigned long rc asm("1") =3D 0; + + asm volatile ("diag %0,%2,0x320\n" + : "+d" (addr), "+d" (rc) + : "d" (subcode) + : "memory", "cc"); + return rc; +} + +static inline bool is_cert_store_facility_supported(void) +{ + uint32_t d320_ism; + + if (!sclp_is_diag320_on()) { + return false; + } + + diag320(&d320_ism, DIAG_320_SUBC_QUERY_ISM); + return d320_ism & (DIAG_320_ISM_QUERY_VCSI | DIAG_320_ISM_STORE_VC); +} + +static inline uint64_t _diag508(void *data, unsigned long subcode) +{ + register unsigned long addr asm("0") =3D (unsigned long)data; + register unsigned long rc asm("1") =3D 0; + + asm volatile ("diag %0,%2,0x508\n" + : "+d" (addr), "+d" (rc) + : "d" (subcode) + : "memory", "cc"); + return rc; +} + +static inline bool is_signature_verif_supported(void) +{ + uint64_t d508_subcodes; + + d508_subcodes =3D _diag508(NULL, DIAG_508_SUBC_QUERY_SUBC); + return d508_subcodes & DIAG_508_SUBC_SIG_VERIF; +} + +static inline bool verify_signature(SecureIplCompEntryInfo comp_entry_info, + uint64_t sig_len, uint64_t sig_addr, + uint64_t *cert_len, uint8_t 
*cert_idx) +{ + Diag508SigVerifBlock svb; + + svb.length =3D sizeof(Diag508SigVerifBlock); + svb.version =3D 0; + svb.comp_len =3D comp_entry_info.len; + svb.comp_addr =3D comp_entry_info.addr; + svb.sig_len =3D sig_len; + svb.sig_addr =3D sig_addr; + + if (_diag508(&svb, DIAG_508_SUBC_SIG_VERIF) =3D=3D DIAG_508_RC_OK) { + *cert_len =3D svb.cert_len; + /* + * DIAG 508 utilizes an index origin of 0 when indexing the cert s= tore. + * The cert_idx will be used for DIAG 320 data structures, which e= xpects + * an index origin of 1. Account for the offset here so it's easie= r to + * manage later. + */ + *cert_idx =3D svb.cert_store_index + 1; + return true; + } + + return false; +} + +#endif /* _PC_BIOS_S390_CCW_SECURE_IPL_H */ --=20 2.53.0
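Review bot: In docs/system/s390x/secure-ipl.rst, the new "Audit Mode" section does not say which boot paths accept it. The commit message limits audit mode to the SCSI scheme of virtio-blk/virtio-scsi devices, and the code in this patch rejects ISO images, virtio-net, the ECKD scheme and passthrough (vfio) CCW devices with IPL_assert whenever boot_mode is not ZIPL_BOOT_MODE_NORMAL. Someone who adds boot-certs to a configuration that boots from one of those devices will hit that assert, so the device restriction and the required facilities (Secure IPL Facility, Certificate Store Facility, secure IPL extension support) belong in this section.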
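Review bot: get_boot_mode() in pc-bios/s390-ccw/bootmap.c returns ZIPL_BOOT_MODE_NORMAL for every flag combination except !sipl_set && iplir_set, so an IPLB with DIAG308_IPIB_FLAGS_SIPL set is booted with no checks and no message at this point in the series. zipl_run() already has a default branch that prints "Unknown boot mode" and fails; consider returning a distinct value for the combinations this patch does not implement so that they fail closed instead of falling back to normal mode. A comment stating which flag pair selects audit mode would also help.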
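Review bot: In zipl_run_secure() (pc-bios/s390-ccw/secure-ipl.c), the out: label calls free(cert_addr) after the loop has advanced that pointer with cert_addr += cert_len, so any failure after the first certificate was stored frees an address that malloc() did not return. Keep the base pointer in a separate variable for free(), and route the two early exits ("Unknown component entry type" returning -1 and "Wrong entry value" returning -EINVAL) through out: as well, since they currently skip both free() calls. Neither malloc() result is checked for NULL. The helpers also use sizes they do not bound: request_certificate() sets vcb->in_len from ROUND_UP(vcssb->max_single_vcb_len, PAGE_SIZE) without comparing it to sizeof(vcb_data), and copies vce->cert_len bytes from vce->cert_offset without checking them against vcb->out_len or the space left in the certificate buffer; zipl_load_signature() loads a segment into the malloc(MAX_SECTOR_SIZE) buffer without checking the length returned by zipl_load_segment() against that size.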
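Review bot: is_cert_store_facility_supported() in pc-bios/s390-ccw/secure-ipl.h tests d320_ism & (DIAG_320_ISM_QUERY_VCSI | DIAG_320_ISM_STORE_VC), which is true when either bit is set, while secure-ipl.c needs both subcodes (zipl_secure_get_vcssb() issues DIAG_320_SUBC_QUERY_VCSI, request_certificate() issues DIAG_320_SUBC_STORE_VC). Compare the masked value against the full mask, initialize d320_ism to 0 and check the diag320() return code so that a failed query cannot leave stack contents in the result. In verify_signature(), svb is declared without an initializer and only six fields are assigned, so the rest of the block reaches DIAG 508 uninitialized; start from Diag508SigVerifBlock svb = { 0 }. The returned *cert_idx = svb.cert_store_index + 1 is later used as cert_list_table[cert_table_idx] in zipl_run_secure() with no range check against MAX_CERTIFICATES; because the value is 1-based, a store index of MAX_CERTIFICATES - 1 would index one past the end of that array.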
From: Zhuoying Cai
To: qemu-s390x@nongnu.org, qemu-devel@nongnu.org
Cc: jrossi@linux.ibm.com, cohuck@redhat.com, berrange@redhat.com, richard.henderson@linaro.org, pierrick.bouvier@linaro.org, david@kernel.org, walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com, brueckner@linux.ibm.com, jdaley@linux.ibm.com
Subject: [PATCH v10 20/30] pc-bios/s390-ccw: Add signed component address overlap checks
Date: Thu, 2 Apr 2026 18:14:42 -0400
Message-ID: <20260402221453.1602899-21-zycai@linux.ibm.com>
In-Reply-To: <20260402221453.1602899-1-zycai@linux.ibm.com>
References: <20260402221453.1602899-1-zycai@linux.ibm.com>
Content-Transfer-Encoding: quoted-printable

Add address range tracking and overlap checks to ensure that no component
overlaps with a signed component during secure IPL.

Signed-off-by: Zhuoying Cai
---
 pc-bios/s390-ccw/secure-ipl.c | 58 ++++++++++++++++++++++++++++++++---
 pc-bios/s390-ccw/secure-ipl.h | 15 +++++++++
 2 files changed, 69 insertions(+), 4 deletions(-)
diff --git a/pc-bios/s390-ccw/secure-ipl.c b/pc-bios/s390-ccw/secure-ipl.c index b66ca9ca7e..d2079e19bc 100644 --- a/pc-bios/s390-ccw/secure-ipl.c +++ b/pc-bios/s390-ccw/secure-ipl.c @@ -211,6 +211,49 @@ static void init_lists(IplDeviceComponentList *comp_li= st, cert_list->ipl_info_header.len =3D sizeof(cert_list->ipl_info_header); } =20 +static bool is_comp_overlap(SecureIplCompAddrRangeList *range_list, + SecureIplCompEntryInfo comp_entry_info) +{ + uint64_t start_addr; + uint64_t end_addr; + + start_addr =3D comp_entry_info.addr; + end_addr =3D comp_entry_info.addr + comp_entry_info.len; + + /* + * Check component's address range does not overlap with any + * signed component's address range. + */ + for (int i =3D 0; i < range_list->index; i++) { + if ((range_list->comp_addr_range[i].start_addr < end_addr && + start_addr < range_list->comp_addr_range[i].end_addr) && + range_list->comp_addr_range[i].is_signed) { + return true; + } + } + return false; +} + +static void comp_addr_range_add(SecureIplCompAddrRangeList *range_list, + SecureIplCompEntryInfo comp_entry_info, + bool is_signed) +{ + uint64_t start_addr; + uint64_t end_addr; + + start_addr =3D comp_entry_info.addr; + end_addr =3D comp_entry_info.addr + comp_entry_info.len; + + if (range_list->index >=3D MAX_CERTIFICATES) { + zipl_secure_handle("Component address range update failed due to o= ut-of-range" + " index; Overlapping validation cannot be guara= nteed"); + } + + range_list->comp_addr_range[range_list->index].is_signed =3D is_signed; + range_list->comp_addr_range[range_list->index].start_addr =3D start_ad= dr; + range_list->comp_addr_range[range_list->index].end_addr =3D end_addr; +} + static int zipl_load_signature(ComponentEntry *entry, uint64_t sig_sec) { if (zipl_load_segment(entry, sig_sec) < 0) { 
@@ -253,6 +296,7 @@ int zipl_run_secure(ComponentEntry **entry_ptr, uint8_t= *tmp_sec) * exists for the certificate). */ int cert_list_table[MAX_CERTIFICATES] =3D { [0 ... MAX_CERTIFICATES - = 1] =3D -1 }; + SecureIplCompAddrRangeList range_list =3D { 0 }; int signed_count =3D 0; =20 if (!secure_ipl_supported()) { @@ -282,14 +326,20 @@ int zipl_run_secure(ComponentEntry **entry_ptr, uint8= _t *tmp_sec) goto out; } =20 - if (!sig_len) { - break; - } - comp_entry_info =3D (SecureIplCompEntryInfo){ 0 }; comp_entry_info.addr =3D comp_addr; comp_entry_info.len =3D (uint64_t)comp_len; =20 + if (is_comp_overlap(&range_list, comp_entry_info)) { + zipl_secure_handle("Component addresses overlap"); + } + comp_addr_range_add(&range_list, comp_entry_info, !!sig_len); + range_list.index +=3D 1; + + if (!sig_len) { + break; + } + verified =3D verify_signature(comp_entry_info, sig_len, (uint64_t)sig, &cert_len, &cert_table_idx); diff --git a/pc-bios/s390-ccw/secure-ipl.h b/pc-bios/s390-ccw/secure-ipl.h index 6d65cd5596..c625ac2e3a 100644 --- a/pc-bios/s390-ccw/secure-ipl.h +++ b/pc-bios/s390-ccw/secure-ipl.h 
@@ -24,6 +24,21 @@ typedef struct SecureIplCompEntryInfo { uint8_t flags; } SecureIplCompEntryInfo; =20 +typedef struct SecureIplCompAddrRange { + bool is_signed; + uint64_t start_addr; + uint64_t end_addr; +} SecureIplCompAddrRange; + +/* + * Custom struct for managing a list of secure IPL component address range= s. + * Tracks up to MAX_CERTIFICATES address ranges with an index counter. + */ +typedef struct SecureIplCompAddrRangeList { + SecureIplCompAddrRange comp_addr_range[MAX_CERTIFICATES]; + int index; +} SecureIplCompAddrRangeList; + static inline void zipl_secure_handle(const char *message) { switch (boot_mode) { --=20 2.53.0
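Review bot: comp_addr_range_add() in pc-bios/s390-ccw/secure-ipl.c keeps going after its range_list->index >= MAX_CERTIFICATES check. zipl_secure_handle() calls IPL_check(false, message) in audit mode, which the series documents as a non-disruptive warning, and does nothing in any other mode, so the three stores to range_list->comp_addr_range[range_list->index] that follow write past the end of the array, which is a local variable of zipl_run_secure(). Add a return after the zipl_secure_handle() call, or have the helper return a status that the caller acts on. Both this function and is_comp_overlap() compute end_addr = comp_entry_info.addr + comp_entry_info.len without an overflow check, so a range that wraps around would compare as non-overlapping.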
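Review bot: In the ZIPL_COMP_ENTRY_LOAD case of zipl_run_secure(), the caller bumps range_list.index += 1 itself right after comp_addr_range_add(), so the counter still advances when the helper took its out-of-range branch, and the next is_comp_overlap() call then iterates i < range_list->index beyond the array. Move the increment into comp_addr_range_add() and perform it only when an entry was actually stored. The overlap test also runs after zipl_load_segment() has already copied the component to comp_addr, so it can report that a signed component was overwritten but cannot prevent it; that is acceptable for audit mode, but a comment would help whoever adds an enforcing mode.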
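Review bot: SecureIplCompAddrRange in pc-bios/s390-ccw/secure-ipl.h does not say whether end_addr is inclusive. The code stores addr + len, that is, one past the last byte, and is_comp_overlap() depends on that with its strict < comparisons, so state it in a comment on the field. The list is sized with MAX_CERTIFICATES although it counts loaded components, signed or not (comp_list_add() reuses the constant the same way); a dedicated constant for the component limit would make the bound in comp_addr_range_add() easier to reason about.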
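Review bot: in the zipl_run_secure hunk (@@ -282,14 +326,20 @@), comp_addr_range_add(&range_list, comp_entry_info, !!sig_len) followed by range_list.index += 1 runs once per component, but SecureIplCompAddrRangeList holds only MAX_CERTIFICATES entries and no visible line compares index against that bound. A boot map with more components than MAX_CERTIFICATES would write past comp_addr_range[]; please reject the entry (or fail the IPL) once index reaches the array size, and consider moving the increment into comp_addr_range_add so a caller cannot forget it. Sizing a component table by MAX_CERTIFICATES also deserves a sentence in the struct comment, or a constant of its own.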
From: Zhuoying Cai
To: qemu-s390x@nongnu.org, qemu-devel@nongnu.org
Cc: jrossi@linux.ibm.com, cohuck@redhat.com, berrange@redhat.com, richard.henderson@linaro.org, pierrick.bouvier@linaro.org, david@kernel.org, walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com, brueckner@linux.ibm.com, jdaley@linux.ibm.com
Subject: [PATCH v10 21/30] s390x: Guest support for Secure-IPL Code Loading Attributes Facility (SCLAF)
Date: Thu, 2 Apr 2026 18:14:43 -0400
Message-ID: <20260402221453.1602899-22-zycai@linux.ibm.com>
In-Reply-To: <20260402221453.1602899-1-zycai@linux.ibm.com>
References: <20260402221453.1602899-1-zycai@linux.ibm.com>
Content-Transfer-Encoding: quoted-printable

The secure-IPL-code-loading-attributes facility (SCLAF) provides additional security during secure IPL.

Availability of SCLAF is determined by byte 136 bit 3 of the SCLP Read Info block.

This feature is available starting with the gen16 CPU model.

Signed-off-by: Zhuoying Cai Reviewed-by: Collin Walling --- docs/specs/s390x-secure-ipl.rst | 18 ++++++++++++++++++ target/s390x/cpu_features.c | 2 ++ target/s390x/cpu_features_def.h.inc | 1 + target/s390x/cpu_models.c | 3 +++ target/s390x/gen-features.c | 2 ++ target/s390x/kvm/kvm.c | 1 + 6 files changed, 27 insertions(+) diff --git a/docs/specs/s390x-secure-ipl.rst b/docs/specs/s390x-secure-ipl.= rst index d82fb97d5d..756246c45a 100644 --- a/docs/specs/s390x-secure-ipl.rst +++ b/docs/specs/s390x-secure-ipl.rst @@ -118,3 +118,21 @@ The guest kernel uses the contents in the IIRB for: * Boot logging: reports which components were loaded and verified. * kexec operations: builds the next kernel=E2=80=99s IPL report from the e= xisting one. * Keying: installs IPL certificates into the platform trusted keyring. + +Secure Code Loading Attributes Facility +--------------------------------------- + +The Secure Code Loading Attributes Facility (SCLAF) enhances system securi= ty +during the IPL by enforcing additional verification rules. + +When SCLAF is available, its behavior depends on the IPL mode. It introduc= es +verification of both signed and unsigned components to help ensure that on= ly +authorized code is loaded during the IPL process. Any errors detected by S= CLAF +are reported in the IIRB. + +Unsigned components are restricted to load addresses at or above absolute +storage address ``0x2000``. + +Signed components must include a Secure Code Loading Attribute Block (SCLA= B), +which is appended at the very end of the component. The SCLAB defines secu= rity +attributes for handling the signed code. diff --git a/target/s390x/cpu_features.c b/target/s390x/cpu_features.c index 200bd8c15b..29ea3bfec2 100644 --- a/target/s390x/cpu_features.c +++ b/target/s390x/cpu_features.c 
@@ -120,6 +120,7 @@ void s390_fill_feat_block(const S390FeatBitmap features= , S390FeatType type, * - All SIE facilities because SIE is not available * - DIAG318 * - Secure IPL Facility + * - Secure IPL Code Loading Attributes Facility * * As VMs can move in and out of protected mode the CPU model * doesn't protect us from that problem because it is only @@ -152,6 +153,7 @@ void s390_fill_feat_block(const S390FeatBitmap features= , S390FeatType type, break; case S390_FEAT_TYPE_SCLP_FAC_IPL: clear_be_bit(s390_feat_def(S390_FEAT_SIPL)->bit, data); + clear_be_bit(s390_feat_def(S390_FEAT_SCLAF)->bit, data); break; default: return; diff --git a/target/s390x/cpu_features_def.h.inc b/target/s390x/cpu_feature= s_def.h.inc index bcf8a666e4..f6ba9e87e1 100644 --- a/target/s390x/cpu_features_def.h.inc +++ b/target/s390x/cpu_features_def.h.inc @@ -142,6 +142,7 @@ DEF_FEAT(CERT_STORE, "cstore", SCLP_FAC134, 5, "Certifi= cate Store functions") =20 /* Features exposed via SCLP SCCB Facilities byte 136 - 137 (bit numbers r= elative to byte-136) */ DEF_FEAT(SIPL, "sipl", SCLP_FAC_IPL, 1, "Secure-IPL facility") +DEF_FEAT(SCLAF, "sclaf", SCLP_FAC_IPL, 3, "Secure-IPL-code-loading-attribu= tes facility") =20 /* Features exposed via SCLP CPU info. */ DEF_FEAT(SIE_F2, "sief2", SCLP_CPU, 4, "SIE: interception format 2 (Virtua= l SIE)") diff --git a/target/s390x/cpu_models.c b/target/s390x/cpu_models.c index a52e34aa95..7de727a256 100644 --- a/target/s390x/cpu_models.c +++ b/target/s390x/cpu_models.c @@ -264,6 +264,7 @@ bool s390_has_feat(S390Feat feat) case S390_FEAT_SIE_PFMFI: case S390_FEAT_SIE_IBS: case S390_FEAT_SIPL: + case S390_FEAT_SCLAF: case S390_FEAT_CONFIGURATION_TOPOLOGY: return false; break; 
@@ -509,6 +510,8 @@ static void check_consistency(const S390CPUModel *model) { S390_FEAT_DIAG_318, S390_FEAT_EXTENDED_LENGTH_SCCB }, { S390_FEAT_CERT_STORE, S390_FEAT_EXTENDED_LENGTH_SCCB }, { S390_FEAT_SIPL, S390_FEAT_EXTENDED_LENGTH_SCCB }, + { S390_FEAT_SCLAF, S390_FEAT_EXTENDED_LENGTH_SCCB }, + { S390_FEAT_SCLAF, S390_FEAT_SIPL }, { S390_FEAT_NNPA, S390_FEAT_VECTOR }, { S390_FEAT_RDP, S390_FEAT_LOCAL_TLB_CLEARING }, { S390_FEAT_UV_FEAT_AP, S390_FEAT_AP }, diff --git a/target/s390x/gen-features.c b/target/s390x/gen-features.c index bd2060ab93..c3e0c6ceff 100644 --- a/target/s390x/gen-features.c +++ b/target/s390x/gen-features.c @@ -722,6 +722,7 @@ static uint16_t full_GEN16_GA1[] =3D { S390_FEAT_UV_FEAT_AP_INTR, S390_FEAT_CERT_STORE, S390_FEAT_SIPL, + S390_FEAT_SCLAF, }; =20 static uint16_t full_GEN17_GA1[] =3D { @@ -924,6 +925,7 @@ static uint16_t qemu_MAX[] =3D { S390_FEAT_EXTENDED_LENGTH_SCCB, S390_FEAT_CERT_STORE, S390_FEAT_SIPL, + S390_FEAT_SCLAF, }; =20 /****** END FEATURE DEFS ******/ diff --git a/target/s390x/kvm/kvm.c b/target/s390x/kvm/kvm.c index 40197cca7a..6b7c606742 100644 --- a/target/s390x/kvm/kvm.c +++ b/target/s390x/kvm/kvm.c 
@@ -2520,6 +2520,7 @@ bool kvm_s390_get_host_cpu_model(S390CPUModel *model,= Error **errp) =20 /* Some Secure IPL facilities are emulated by QEMU */ set_bit(S390_FEAT_SIPL, model->features); + set_bit(S390_FEAT_SCLAF, model->features); =20 /* Test for Ultravisor features that influence secure guest behavior */ query_uv_feat_guest(model->features); --=20 2.53.0 From nobody Tue Apr 7 09:40:04 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass(p=reject dis=none) header.from=linux.ibm.com ARC-Seal: i=1; a=rsa-sha256; t=1775168281; cv=none; d=zohomail.com; s=zohoarc; b=JxCFSehmxofkygg2F/5dyu2BQPixDaOHrK/f7o9sWUADizXiHCajcRAGOUzSPoh6NLfnuNJ0Kk7pgcD2CPzw7HRIErjvGl/zl86JfOinyGT9W9Q6MpOue6TRsLkWnWn2Uk+xEGVshACKJyJlD7heJjRSOt+cyjQv9Ujz+HiwHeQ= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1775168281; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=/h3e2EEmgdBV+1Ms370RkH5JlFVr4wpF6ShRXqrv5LI=; b=Ywgu1YaYdxsv/bL0sz0lslXU7GcuZdfQcQaUjELy2V0Mwcf2/Z2SHGKJTKrSjU3XQcnWypqkvmiZEP1Ph+UIbJhdSjfyNKqyjnWEtBXImky7K+xEMAGPAmw8LYgLtrWUCPjOLdUoXIpTwh0Kzk53hM0MPIhzd5vVFV4nGgr+rO0= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass header.from= (p=reject dis=none) Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1775168281835893.5161326157395; Thu, 2 Apr 2026 15:18:01 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by 
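Review bot: the new section in docs/specs/s390x-secure-ipl.rst says that SCLAF's "behavior depends on the IPL mode" but never states what differs between the modes, so a reader cannot tell which violations stop the IPL and which are only recorded in the IIRB. Please spell out the per-mode behaviour. The patch also uses three spellings of the facility name: the section title reads "Secure Code Loading Attributes Facility", the comment in s390_fill_feat_block reads "Secure IPL Code Loading Attributes Facility", and DEF_FEAT uses "Secure-IPL-code-loading-attributes facility"; pick one and use it throughout.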
From: Zhuoying Cai
To: qemu-s390x@nongnu.org, qemu-devel@nongnu.org
Cc: jrossi@linux.ibm.com, cohuck@redhat.com, berrange@redhat.com, richard.henderson@linaro.org, pierrick.bouvier@linaro.org, david@kernel.org, walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com, brueckner@linux.ibm.com, jdaley@linux.ibm.com
Subject: [PATCH v10 22/30] pc-bios/s390-ccw: Add additional security checks for secure boot
Date: Thu, 2 Apr 2026 18:14:44 -0400
Message-ID: <20260402221453.1602899-23-zycai@linux.ibm.com>
In-Reply-To: <20260402221453.1602899-1-zycai@linux.ibm.com>
References: <20260402221453.1602899-1-zycai@linux.ibm.com>
Content-Transfer-Encoding: quoted-printable

Add additional checks to ensure that components do not overlap with signed components when loaded into memory.

Add additional checks to ensure the load addresses of unsigned components are greater than or equal to 0x2000.

When the secure IPL code loading attributes facility (SCLAF) is installed, all signed components must contain a secure code loading attributes block (SCLAB).
The SCLAB provides further validation of information on where to load the signed binary code from the load device, and where to start the execution of the loaded OS code. When SCLAF is installed, its content must be evaluated during secure IPL. However, a missing SCLAB will not be reported in audit mode. The SCALB checking will be skipped in this case. Add IPL Information Error Indicators (IIEI) and Component Error Indicators (CEI) for IPL Information Report Block (IIRB). When SCLAF is installed, additional secure boot checks are performed during zipl and store results of verification into IIRB. Signed-off-by: Zhuoying Cai --- include/hw/s390x/ipl/qipl.h | 29 +++- pc-bios/s390-ccw/s390-ccw.h | 1 + pc-bios/s390-ccw/sclp.c | 8 + pc-bios/s390-ccw/sclp.h | 1 + pc-bios/s390-ccw/secure-ipl.c | 283 +++++++++++++++++++++++++++++++++- pc-bios/s390-ccw/secure-ipl.h | 49 ++++++ 6 files changed, 365 insertions(+), 6 deletions(-) diff --git a/include/hw/s390x/ipl/qipl.h b/include/hw/s390x/ipl/qipl.h index dcb84f729a..ea9bd8bf8b 100644 --- a/include/hw/s390x/ipl/qipl.h +++ b/include/hw/s390x/ipl/qipl.h @@ -156,10 +156,20 @@ struct IplInfoReportBlockHeader { }; typedef struct IplInfoReportBlockHeader IplInfoReportBlockHeader; =20 +/* IPL Info Error Indicators */ +#define S390_IIEI_NO_SIGNED_COMP 0x8000 /* bit 0 */ +#define S390_IIEI_NO_SCLAB 0x4000 /* bit 1 */ +#define S390_IIEI_NO_GLOBAL_SCLAB 0x2000 /* bit 2 */ +#define S390_IIEI_MORE_GLOBAL_SCLAB 0x1000 /* bit 3 */ +#define S390_IIEI_FOUND_UNSIGNED_COMP 0x800 /* bit 4 */ +#define S390_IIEI_MORE_SIGNED_COMP 0x400 /* bit 5 */ + struct IplInfoBlockHeader { uint32_t len; uint8_t type; - uint8_t reserved1[11]; + uint8_t reserved1[3]; + uint16_t iiei; + uint8_t reserved2[6]; }; typedef struct IplInfoBlockHeader IplInfoBlockHeader; =20 
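Review bot: IplInfoBlockHeader trades reserved1[11] for reserved1[3], a uint16_t iiei and reserved2[6], which keeps the structure size only as long as nobody miscounts; a compile-time size check next to the struct would pin the layout that the BIOS code and the rest of QEMU share through this header. The IIEI values would also read more easily padded to one width (0x0800 and 0x0400 beside 0x8000), and a short comment on the byte order of iiei would help anyone reading the field outside the BIOS.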
@@ -183,13 +193,28 @@ typedef struct IplSignatureCertificateList IplSignatu= reCertificateList; #define S390_IPL_DEV_COMP_FLAG_SC 0x80 #define S390_IPL_DEV_COMP_FLAG_CSV 0x40 =20 +/* IPL Device Component Error Indicators */ +#define S390_CEI_INVALID_SCLAB 0x80000000 /* bit 0 */ +#define S390_CEI_INVALID_SCLAB_LEN 0x40000000 /* bit 1 */ +#define S390_CEI_INVALID_SCLAB_FORMAT 0x20000000 /* bit 2 */ +#define S390_CEI_UNMATCHED_SCLAB_LOAD_ADDR 0x10000000 /* bit 3 */ +#define S390_CEI_UNMATCHED_SCLAB_LOAD_PSW 0x8000000 /* bit 4 */ +#define S390_CEI_INVALID_LOAD_PSW 0x4000000 /* bit 5 */ +#define S390_CEI_NUC_NOT_IN_GLOBAL_SCLA 0x2000000 /* bit 6 */ +#define S390_CEI_SCLAB_OLA_NOT_ONE 0x1000000 /* bit 7 */ +#define S390_CEI_SC_NOT_IN_GLOBAL_SCLAB 0x800000 /* bit 8 */ +#define S390_CEI_SCLAB_LOAD_ADDR_NOT_ZERO 0x400000 /* bit 9 */ +#define S390_CEI_SCLAB_LOAD_PSW_NOT_ZERO 0x200000 /* bit 10 */ +#define S390_CEI_INVALID_UNSIGNED_ADDR 0x100000 /* bit 11 */ + struct IplDeviceComponentEntry { uint64_t addr; uint64_t len; uint8_t flags; uint8_t reserved1[5]; uint16_t cert_index; - uint8_t reserved2[8]; + uint32_t cei; + uint8_t reserved2[4]; }; typedef struct IplDeviceComponentEntry IplDeviceComponentEntry; =20 diff --git a/pc-bios/s390-ccw/s390-ccw.h b/pc-bios/s390-ccw/s390-ccw.h index 1b09aed8b1..e1a8097c95 100644 --- a/pc-bios/s390-ccw/s390-ccw.h +++ b/pc-bios/s390-ccw/s390-ccw.h @@ -82,6 +82,7 @@ void sclp_setup(void); void sclp_get_loadparm_ascii(char *loadparm); bool sclp_is_diag320_on(void); bool sclp_is_sipl_on(void); +bool sclp_is_sclaf_on(void); int sclp_read(char *str, size_t count); =20 /* bootmap.c */ diff --git a/pc-bios/s390-ccw/sclp.c b/pc-bios/s390-ccw/sclp.c index 6283ae71bc..be6055bb40 100644 --- a/pc-bios/s390-ccw/sclp.c +++ b/pc-bios/s390-ccw/sclp.c 
@@ -150,6 +150,14 @@ bool sclp_is_sipl_on(void) return fac_ipl & SCCB_FAC_IPL_SIPL_BIT; } =20 +bool sclp_is_sclaf_on(void) +{ + uint16_t fac_ipl =3D 0; + + sclp_get_fac_ipl(&fac_ipl); + return fac_ipl & SCCB_FAC_IPL_SCLAF_BIT; +} + int sclp_read(char *str, size_t count) { ReadEventData *sccb =3D (void *)_sccb; diff --git a/pc-bios/s390-ccw/sclp.h b/pc-bios/s390-ccw/sclp.h index cf147f4634..3441020d6b 100644 --- a/pc-bios/s390-ccw/sclp.h +++ b/pc-bios/s390-ccw/sclp.h @@ -52,6 +52,7 @@ typedef struct SCCBHeader { #define SCCB_DATA_LEN (SCCB_SIZE - sizeof(SCCBHeader)) #define SCCB_FAC134_DIAG320_BIT 0x4 #define SCCB_FAC_IPL_SIPL_BIT 0x4000 +#define SCCB_FAC_IPL_SCLAF_BIT 0x1000 =20 typedef struct ReadInfo { SCCBHeader h; diff --git a/pc-bios/s390-ccw/secure-ipl.c b/pc-bios/s390-ccw/secure-ipl.c index d2079e19bc..d4e455ed0c 100644 --- a/pc-bios/s390-ccw/secure-ipl.c +++ b/pc-bios/s390-ccw/secure-ipl.c @@ -134,6 +134,7 @@ static void comp_list_add(IplDeviceComponentList *comp_= list, int comp_entry_idx, =20 comp_list->device_entries[comp_entry_idx].addr =3D comp_entry_info.add= r; comp_list->device_entries[comp_entry_idx].len =3D comp_entry_info.len; + comp_list->device_entries[comp_entry_idx].cei =3D comp_entry_info.cei; comp_list->device_entries[comp_entry_idx].flags =3D comp_entry_info.fl= ags; /* cert index field is meaningful only when S390_IPL_DEV_COMP_FLAG_SC = is set */ comp_list->device_entries[comp_entry_idx].cert_index =3D comp_entry_in= fo.cert_index; @@ -198,6 +199,12 @@ static bool secure_ipl_supported(void) return false; } =20 + if (!sclp_is_sclaf_on()) { + puts("Secure IPL Code Loading Attributes Facility is not supported= by" + " the hypervisor!"); + return false; + } + return true; } =20 
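Review bot: secure_ipl_supported() now returns false when sclp_is_sclaf_on() is false, and zipl_run_secure() panics with "Unable to boot in secure/audit mode" on that result, so SCLAF becomes a hard prerequisite for both modes. The commit message only describes extra checks "when SCLAF is installed"; either state the new requirement in the commit message and the documentation, or keep booting without SCLAF and skip the SCLAB checks in that case.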
@@ -254,6 +261,259 @@ static void comp_addr_range_add(SecureIplCompAddrRang= eList *range_list, range_list->comp_addr_range[range_list->index].end_addr =3D end_addr; } =20 +static void check_unsigned_addr(SecureIplCompEntryInfo *comp_entry_info) +{ + /* unsigned load address must be greater than or equal to 0x2000 */ + comp_entry_info->cei |=3D validate_comp_condition( + comp_entry_info->addr >=3D S390_SECURE_IPL_UNSIGNED_MI= N_ADDR, + S390_CEI_INVALID_UNSIGNED_ADDR, + "Load address is less than 0x2000"); +} + +static bool check_sclab_presence(uint8_t *sclab_magic, uint32_t *cei_flags) +{ + /* identifies the presence of SCLAB */ + if (magic_match(sclab_magic, ZIPL_MAGIC)) { + return true; + } + + *cei_flags |=3D S390_CEI_INVALID_SCLAB; + + /* a missing SCLAB will not be reported in audit mode */ + return false; +} + +static void check_sclab_length(uint16_t sclab_len, uint32_t *cei_flags) +{ + *cei_flags |=3D validate_comp_condition(sclab_len >=3D S390_SECURE_IPL= _SCLAB_MIN_LEN, + S390_CEI_INVALID_SCLAB_LEN | + S390_CEI_INVALID_SCLAB, + "Invalid SCLAB length"); +} + +static void check_sclab_format(uint8_t sclab_format, uint32_t *cei_flags) +{ + /* SCLAB format must set to zero, indicating a format-0 SCLAB being us= ed */ + *cei_flags |=3D validate_comp_condition(sclab_format =3D=3D 0, + S390_CEI_INVALID_SCLAB_FORMAT, + "Format-0 SCLAB is not being use= d"); +} + +static void check_sclab_opsw(SecureCodeLoadingAttributesBlock *sclab, + SecureIplSclabInfo *sclab_info, uint32_t *cei= _flags) +{ + const char *msg; + + if (!(sclab->flags & S390_SECURE_IPL_SCLAB_FLAG_OPSW)) { + /* OPSW =3D 0 - Load PSW field in SCLAB must contain zeros */ + msg =3D "Load PSW is not zero when Override PSW bit is zero"; + *cei_flags |=3D validate_comp_condition(sclab->load_psw =3D=3D 0, + S390_CEI_SCLAB_LOAD_PSW_NOT_= ZERO, + msg); + + } else { + /* OPSW =3D 1 indicating global SCLAB */ + sclab_info->global_count +=3D 1; + if (sclab_info->global_count =3D=3D 1) { + 
sclab_info->global_load_psw =3D sclab->load_psw; + sclab_info->global_flags =3D sclab->flags; + } + + /* OLA must set to one */ + msg =3D "Override Load Address bit is not set to one in the global= SCLAB"; + *cei_flags |=3D validate_comp_condition( + sclab->flags & S390_SECURE_IPL_SCLAB_FLAG_OLA, + S390_CEI_SCLAB_OLA_NOT_ONE, msg); + } +} + +static void check_sclab_ola(SecureCodeLoadingAttributesBlock *sclab, + uint64_t load_addr, uint32_t *cei_flags) +{ + const char *msg; + + if (!(sclab->flags & S390_SECURE_IPL_SCLAB_FLAG_OLA)) { + /* OLA =3D 0 - Load address field in SCLAB must contain zeros */ + msg =3D "Load Address is not zero when Override Load Address bit i= s zero"; + *cei_flags |=3D validate_comp_condition(sclab->load_addr =3D=3D 0, + S390_CEI_SCLAB_LOAD_ADDR_NOT= _ZERO, + msg); + } else { + /* OLA =3D 1 - Load address field must match storage address of th= e component */ + msg =3D "Load Address does not match with component load address"; + *cei_flags |=3D validate_comp_condition(sclab->load_addr =3D=3D lo= ad_addr, + S390_CEI_UNMATCHED_SCLAB_LOA= D_ADDR, + msg); + } +} + +static void check_sclab_nuc(uint16_t sclab_flags, uint32_t *cei_flags) +{ + const char *msg; + bool is_nuc_set; + bool is_global_sclab; + + is_nuc_set =3D sclab_flags & S390_SECURE_IPL_SCLAB_FLAG_NUC; + is_global_sclab =3D sclab_flags & S390_SECURE_IPL_SCLAB_FLAG_OPSW; + msg =3D "No Unsigned Components bit is set, but not in the global SCLA= B"; + *cei_flags |=3D validate_comp_condition(!is_nuc_set || is_global_sclab, + S390_CEI_NUC_NOT_IN_GLOBAL_SCLA,= msg); +} + +static void check_sclab_sc(uint16_t sclab_flags, uint32_t *cei_flags) +{ + const char *msg; + bool is_sc_set; + bool is_global_sclab; + + is_sc_set =3D sclab_flags & S390_SECURE_IPL_SCLAB_FLAG_SC; + is_global_sclab =3D sclab_flags & S390_SECURE_IPL_SCLAB_FLAG_OPSW; + msg =3D "Single Component bit is set, but not in the global SCLAB"; + *cei_flags |=3D validate_comp_condition(!is_sc_set || is_global_sclab, + 
S390_CEI_SC_NOT_IN_GLOBAL_SCLAB,= msg); +} + +static bool is_psw_valid(uint64_t psw, SecureIplCompAddrRangeList *range_l= ist) +{ + uint32_t addr =3D psw & 0x7fffffff; + + /* PSW points within a signed binary code component */ + for (int i =3D 0; i < range_list->index; i++) { + if (range_list->comp_addr_range[i].is_signed && + addr >=3D range_list->comp_addr_range[i].start_addr && + addr <=3D range_list->comp_addr_range[i].end_addr - 2) { + return true; + } + } + return false; +} + +static void check_load_psw(SecureIplCompAddrRangeList *range_list, + uint64_t sclab_load_psw, + SecureIplCompEntryInfo *comp_entry_info) +{ + bool valid; + uint64_t load_psw; + + load_psw =3D comp_entry_info->addr; + valid =3D is_psw_valid(sclab_load_psw, range_list) && + is_psw_valid(load_psw, range_list); + comp_entry_info->cei |=3D validate_comp_condition(valid, + S390_CEI_INVALID_LOAD_= PSW, + "Invalid PSW"); + + /* compare load PSW with the PSW specified in component */ + comp_entry_info->cei |=3D validate_comp_condition(sclab_load_psw =3D= =3D load_psw, + S390_CEI_UNMATCHED_SCLAB_LOAD_PS= W, + "Load PSW does not match with PSW= in component"); +} + +static void check_no_unsigned_comp(SecureIplSclabInfo sclab_info, + IplDeviceComponentList *comp_list) +{ + bool is_nuc_set; + + is_nuc_set =3D sclab_info.global_flags & S390_SECURE_IPL_SCLAB_FLAG_NU= C; + if (is_nuc_set && sclab_info.unsigned_count > 0) { + comp_list->ipl_info_header.iiei |=3D S390_IIEI_FOUND_UNSIGNED_COMP; + zipl_secure_handle("Unsigned components are not allowed"); + } +} + +static void check_single_comp(SecureIplSclabInfo sclab_info, + IplDeviceComponentList *comp_list) +{ + bool is_sc_set; + + is_sc_set =3D sclab_info.global_flags & S390_SECURE_IPL_SCLAB_FLAG_SC; + if (is_sc_set && + sclab_info.signed_count !=3D 1 && + sclab_info.unsigned_count >=3D 0) { + comp_list->ipl_info_header.iiei |=3D S390_IIEI_MORE_SIGNED_COMP; + zipl_secure_handle("Only one signed component is allowed"); + } +} + +void 
check_global_sclab(SecureIplSclabInfo sclab_info, + IplDeviceComponentList *comp_list) +{ + if (sclab_info.count =3D=3D 0) { + return; + } + + if (sclab_info.global_count =3D=3D 0) { + comp_list->ipl_info_header.iiei |=3D S390_IIEI_NO_GLOBAL_SCLAB; + zipl_secure_handle("Global SCLAB does not exists"); + return; + } + + if (sclab_info.global_count > 1) { + comp_list->ipl_info_header.iiei |=3D S390_IIEI_MORE_GLOBAL_SCLAB; + zipl_secure_handle("More than one global SCLAB"); + return; + } + + if (sclab_info.global_flags) { + /* Unsigned components are not allowed if NUC flag is set in the g= lobal SCLAB */ + check_no_unsigned_comp(sclab_info, comp_list); + + /* Only one signed component is allowed is SC flag is set in the g= lobal SCLAB */ + check_single_comp(sclab_info, comp_list); + } +} + +static void check_has_signed_comp(int signed_count, IplDeviceComponentList= *comp_list) +{ + const char *msg; + + msg =3D "Secure boot is on, but components are not signed"; + comp_list->ipl_info_header.iiei |=3D + validate_comp_condition(signed_count > 0, + S390_IIEI_NO_SIGNED_COMP, msg); + +} + +static void check_sclab_count(int count, IplDeviceComponentList *comp_list) +{ + comp_list->ipl_info_header.iiei |=3D + validate_comp_condition(count > 0, S390_IIEI_NO_SCLAB, + "No recognizable SCLAB"); +} + +static void check_sclab(SecureIplCompEntryInfo *comp_entry_info, + SecureIplSclabInfo *sclab_info) +{ + SclabOriginLocator *sclab_locator; + SecureCodeLoadingAttributesBlock *sclab; + + /* sclab locator is located at the last 8 bytes of the signed comp */ + sclab_locator =3D (SclabOriginLocator *)(comp_entry_info->addr + + comp_entry_info->len - 8); + + /* return early if sclab does not exist */ + if (!check_sclab_presence(sclab_locator->magic, &comp_entry_info->cei)= ) { + return; + } + + check_sclab_length(sclab_locator->len, &comp_entry_info->cei); + + /* return early if sclab is invalid */ + if (comp_entry_info->cei & S390_CEI_INVALID_SCLAB) { + return; + } + + sclab_info->count 
+=3D 1; + sclab =3D (SecureCodeLoadingAttributesBlock *)(comp_entry_info->addr + + comp_entry_info->len - + sclab_locator->len); + + check_sclab_format(sclab->format, &comp_entry_info->cei); + check_sclab_opsw(sclab, sclab_info, &comp_entry_info->cei); + check_sclab_ola(sclab, comp_entry_info->addr, &comp_entry_info->cei); + check_sclab_nuc(sclab->flags, &comp_entry_info->cei); + check_sclab_sc(sclab->flags, &comp_entry_info->cei); +} + static int zipl_load_signature(ComponentEntry *entry, uint64_t sig_sec) { if (zipl_load_segment(entry, sig_sec) < 0) { @@ -297,7 +557,7 @@ int zipl_run_secure(ComponentEntry **entry_ptr, uint8_t= *tmp_sec) */ int cert_list_table[MAX_CERTIFICATES] =3D { [0 ... MAX_CERTIFICATES - = 1] =3D -1 }; SecureIplCompAddrRangeList range_list =3D { 0 }; - int signed_count =3D 0; + SecureIplSclabInfo sclab_info =3D { 0 }; =20 if (!secure_ipl_supported()) { panic("Unable to boot in secure/audit mode"); @@ -337,9 +597,15 @@ int zipl_run_secure(ComponentEntry **entry_ptr, uint8_= t *tmp_sec) range_list.index +=3D 1; =20 if (!sig_len) { + check_unsigned_addr(&comp_entry_info); + comp_list_add(&comp_list, comp_entry_idx, comp_entry_info); + + sclab_info.unsigned_count +=3D 1; + comp_entry_idx++; break; } =20 + check_sclab(&comp_entry_info, &sclab_info); verified =3D verify_signature(comp_entry_info, sig_len, (uint64_t)sig, &cert_len, &cert_table_idx); @@ -374,7 +640,7 @@ int zipl_run_secure(ComponentEntry **entry_ptr, uint8_t= *tmp_sec) } =20 comp_entry_idx++; - signed_count +=3D 1; + sclab_info.signed_count +=3D 1; /* After a signature is used another new one can be accepted */ sig_len =3D 0; break; 
@@ -391,10 +657,19 @@ int zipl_run_secure(ComponentEntry **entry_ptr, uint8= _t *tmp_sec) } } =20 - if (signed_count =3D=3D 0) { - zipl_secure_handle("Secure boot is on, but components are not sign= ed"); + /* validate load PSW with PSW specified in the final entry */ + if (sclab_info.global_load_psw) { + comp_entry_info =3D (SecureIplCompEntryInfo){ 0 }; + comp_entry_info.addr =3D entry->compdat.load_psw; + + check_load_psw(&range_list, sclab_info.global_load_psw, &comp_entr= y_info); + comp_list_add(&comp_list, comp_entry_idx, comp_entry_info); } =20 + check_has_signed_comp(sclab_info.signed_count, &comp_list); + check_sclab_count(sclab_info.count, &comp_list); + check_global_sclab(sclab_info, &comp_list); + update_iirb(&comp_list, &cert_list); =20 *entry_ptr =3D entry; diff --git a/pc-bios/s390-ccw/secure-ipl.h b/pc-bios/s390-ccw/secure-ipl.h index c625ac2e3a..75d1c8e046 100644 --- a/pc-bios/s390-ccw/secure-ipl.h +++ b/pc-bios/s390-ccw/secure-ipl.h 
@@ -16,10 +16,47 @@ VCStorageSizeBlock *zipl_secure_get_vcssb(void); int zipl_run_secure(ComponentEntry **entry_ptr, uint8_t *tmp_sec); =20 +#define S390_SECURE_IPL_SCLAB_FLAG_OPSW 0x8000 +#define S390_SECURE_IPL_SCLAB_FLAG_OLA 0x4000 +#define S390_SECURE_IPL_SCLAB_FLAG_NUC 0x2000 +#define S390_SECURE_IPL_SCLAB_FLAG_SC 0x1000 + +#define S390_SECURE_IPL_SCLAB_MIN_LEN 32 +#define S390_SECURE_IPL_UNSIGNED_MIN_ADDR 0x2000 + +struct SecureCodeLoadingAttributesBlock { + uint8_t format; + uint8_t reserved1; + uint16_t flags; + uint8_t reserved2[4]; + uint64_t load_psw; + uint64_t load_addr; + uint64_t reserved3[]; +} __attribute__ ((packed)); +typedef struct SecureCodeLoadingAttributesBlock SecureCodeLoadingAttribute= sBlock; + +struct SclabOriginLocator { + uint8_t reserved[2]; + uint16_t len; + uint8_t magic[4]; +} __attribute__ ((packed)); +typedef struct SclabOriginLocator SclabOriginLocator; + +/* Custom struct used to consolidate SCLAB overhead */ +typedef struct SecureIplSclabInfo { + int count; + int global_count; + int signed_count; + int unsigned_count; + uint64_t global_load_psw; + uint16_t global_flags; +} SecureIplSclabInfo; + /* Custom struct for secure IPL component entry information */ typedef struct SecureIplCompEntryInfo { uint64_t addr; uint64_t len; + uint32_t cei; uint16_t cert_index; uint8_t flags; } SecureIplCompEntryInfo; 
@@ -50,6 +87,18 @@ static inline void zipl_secure_handle(const char *messag= e) } } =20 +static inline uint32_t validate_comp_condition(bool condition, uint32_t fl= ag, + const char *message) + +{ + if (condition) { + return 0; + } + + zipl_secure_handle(message); + return flag; +} + static inline uint64_t diag320(void *data, unsigned long subcode) { register unsigned long addr asm("0") =3D (unsigned long)data; --=20 2.53.0 From nobody Tue Apr 7 09:40:04 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass(p=reject dis=none) header.from=linux.ibm.com ARC-Seal: i=1; a=rsa-sha256; t=1775168211; cv=none; d=zohomail.com; s=zohoarc; b=VSpPDVL4udtF2WEmrWUfi4Zo/zSn4QA3OGg7w9McYuNOZr0ZuxCAgFNoyu7syYHfDr5zJ1ZcxdI7fl3VUiyfnKkNPUMI2QErTd0VgjYfyFxMRHuf2/Sqp32yUIdHOsnU7pB3jmgEZi72yDcSSIKFOwTanyCutr8vNw0rRfqzSH8= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1775168211; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=FoAsT8jt3Pe/QAvbheyE/t0d2NTnkaPDFEy/Sv0Fq0g=; b=mewQ3QXTcgxU2fACs0aX5u1E/SaizTUXdCp9DtQ7XFRPWqlxZ1FWom7WAjmWG+f0Y3tQZHXqIR/39ILdqo9AHBZ+pXwJ9+SJh1RCl3uIU5akd2JIwlP6u8Y8utu3edY/oOAKNJZpdPLySytZqv7PeZV0ns+SmgQziZJLsyEGOUo= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass header.from= (p=reject dis=none) Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1775168211715786.091134969394; Thu, 2 Apr 2026 15:16:51 -0700 (PDT) 
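Review bot: In check_sclab() (pc-bios/s390-ccw/secure-ipl.c) the locator address is computed as `comp_entry_info->addr + comp_entry_info->len - 8` with no check that `len` is at least 8, and the SCLAB pointer is then derived from `sclab_locator->len`, a value read from the component itself. The visible lines show check_sclab_length() feeding S390_CEI_INVALID_SCLAB but not what it compares against, so please confirm it rejects a locator length larger than `comp_entry_info->len` as well as one below S390_SECURE_IPL_SCLAB_MIN_LEN, and add an explicit `len >= sizeof(SclabOriginLocator)` guard before the first dereference. Using `sizeof(SclabOriginLocator)` instead of the literal 8 would keep this code and the struct definition in step. Minor: "Global SCLAB does not exists" should read "does not exist", and the SC comment should say "if SC flag is set".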
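Review bot: In the `@@ -337,9 +597,15 @@` hunk of zipl_run_secure(), `check_sclab(&comp_entry_info, &sclab_info)` runs before `verify_signature()`, so `sclab_info` (its count, and whatever check_sclab_opsw() records in it) is updated from a component whose signature has not yet been checked. If that ordering is intentional, for example so that audit mode can still report SCLAB findings for a component that fails verification, a comment saying so would help. Otherwise consider parsing the SCLAB only once `verified` is true, so that the values driving check_global_sclab() and check_load_psw() come only from authenticated data.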
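Review bot: In the `@@ -391,10 +657,19 @@` hunk, `if (sclab_info.global_load_psw)` treats a non-zero value as the signal that a global load PSW was recorded, so a recorded PSW of 0 would skip check_load_psw() without any report. A separate presence field in SecureIplSclabInfo would make the intent explicit. The entry added here through comp_list_add() also reuses `comp_entry_idx` without incrementing it; that is fine while it is always the last entry, but a short comment would prevent a later addition from overwriting it.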
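Review bot: validate_comp_condition() in pc-bios/s390-ccw/secure-ipl.h returns `flag` when `condition` is false and 0 when it is true, which is easy to misread at the call sites where the result is OR-ed into `ipl_info_header.iiei`. A one-line comment stating that `condition` is the requirement that must hold and `flag` is the error bit reported when it does not would help. There is also a stray blank line between the parameter list and the opening brace.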
From: Zhuoying Cai
To: qemu-s390x@nongnu.org, qemu-devel@nongnu.org
Cc: jrossi@linux.ibm.com, cohuck@redhat.com, berrange@redhat.com, richard.henderson@linaro.org, pierrick.bouvier@linaro.org, david@kernel.org, walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com, brueckner@linux.ibm.com, jdaley@linux.ibm.com
Subject: [PATCH v10 23/30] Add secure-boot to s390-ccw-virtio machine type option
Date: Thu, 2 Apr 2026 18:14:45 -0400
Message-ID: <20260402221453.1602899-24-zycai@linux.ibm.com>
In-Reply-To: <20260402221453.1602899-1-zycai@linux.ibm.com>
References: <20260402221453.1602899-1-zycai@linux.ibm.com>

Add secure-boot as a parameter of s390-ccw-virtio machine type option. The `secure-boot=on|off` parameter is implemented to enable secure IPL. By default, secure-boot is set to false if not specified in the command line.
Signed-off-by: Zhuoying Cai Reviewed-by: Thomas Huth --- docs/system/s390x/secure-ipl.rst | 22 +++++++++++++++++----- hw/s390x/s390-virtio-ccw.c | 22 ++++++++++++++++++++++ include/hw/s390x/s390-virtio-ccw.h | 1 + qemu-options.hx | 6 +++++- 4 files changed, 45 insertions(+), 6 deletions(-) diff --git a/docs/system/s390x/secure-ipl.rst b/docs/system/s390x/secure-ip= l.rst index 3a19b72085..2465f8b26d 100644 --- a/docs/system/s390x/secure-ipl.rst +++ b/docs/system/s390x/secure-ipl.rst @@ -19,19 +19,31 @@ Note: certificate files must have a .pem extension. =20 qemu-system-s390x -machine s390-ccw-virtio,boot-certs.0.path=3D/.../qe= mu/certs,boot-certs.1.path=3D/another/path/cert.pem ... =20 +Enabling Secure IPL +------------------- + +Secure IPL is enabled by explicitly setting ``secure-boot=3Don``; if not +specified, secure boot is considered off. + +.. code-block:: shell + + qemu-system-s390x -machine s390-ccw-virtio,secure-boot=3Don|off + =20 IPL Modes =3D=3D=3D=3D=3D=3D=3D=3D=3D Multiple IPL modes are available to differentiate between the various IPL -configurations. These modes are mutually exclusive and enabled based on the -``boot-certs`` option on the QEMU command line. +configurations. These modes are mutually exclusive and enabled based on sp= ecific +combinations of the ``secure-boot`` and ``boot-certs`` options on the QEMU +command line. =20 Normal Mode ----------- =20 -The absence of certificates will attempt to IPL a guest without secure IPL -operations. No checks are performed, and no warnings/errors are reported. -This is the default mode. +The absence of both certificates and the ``secure-boot`` option will attem= pt to +IPL a guest without secure IPL operations. No checks are performed, and no +warnings/errors are reported. This is the default mode, and can be explic= itly +enabled with ``secure-boot=3Doff``. =20 Configuration: =20 diff --git a/hw/s390x/s390-virtio-ccw.c b/hw/s390x/s390-virtio-ccw.c index a6f0fc4e00..a24cc14906 100644 
--- a/hw/s390x/s390-virtio-ccw.c +++ b/hw/s390x/s390-virtio-ccw.c @@ -813,6 +813,21 @@ static void machine_set_boot_certs(Object *obj, Visito= r *v, const char *name, ms->boot_certs =3D cert_list; } =20 +static inline bool machine_get_secure_boot(Object *obj, Error **errp) +{ + S390CcwMachineState *ms =3D S390_CCW_MACHINE(obj); + + return ms->secure_boot; +} + +static inline void machine_set_secure_boot(Object *obj, bool value, + Error **errp) +{ + S390CcwMachineState *ms =3D S390_CCW_MACHINE(obj); + + ms->secure_boot =3D value; +} + static void ccw_machine_class_init(ObjectClass *oc, const void *data) { MachineClass *mc =3D MACHINE_CLASS(oc); @@ -871,6 +886,13 @@ static void ccw_machine_class_init(ObjectClass *oc, co= nst void *data) machine_get_boot_certs, machine_set_boot_cer= ts, NULL, NULL); object_class_property_set_description(oc, "boot-certs", "provide paths to a directory and/or a certificate file for se= cure boot"); + + object_class_property_add_bool(oc, "secure-boot", + machine_get_secure_boot, + machine_set_secure_boot); + object_class_property_set_description(oc, "secure-boot", + "enable/disable secure boot"); + } =20 static inline void s390_machine_initfn(Object *obj) diff --git a/include/hw/s390x/s390-virtio-ccw.h b/include/hw/s390x/s390-vir= tio-ccw.h index 5ad1ea2f24..93a4c0ccad 100644 --- a/include/hw/s390x/s390-virtio-ccw.h +++ b/include/hw/s390x/s390-virtio-ccw.h @@ -29,6 +29,7 @@ struct S390CcwMachineState { bool aes_key_wrap; bool dea_key_wrap; bool pv; + bool secure_boot; uint8_t loadparm[8]; uint64_t memory_limit; uint64_t max_pagesize; diff --git a/qemu-options.hx b/qemu-options.hx index 75e6c0f025..e82d78fbb7 100644 --- a/qemu-options.hx +++ b/qemu-options.hx 
@@ -46,7 +46,8 @@ DEF("machine", HAS_ARG, QEMU_OPTION_machine, \ " cxl-fmw.0.targets.0=3Dfirsttarget,cxl-fmw.0.targets.1= =3Dsecondtarget,cxl-fmw.0.size=3Dsize[,cxl-fmw.0.interleave-granularity=3Dg= ranularity]\n" " sgx-epc.0.memdev=3Dmemid,sgx-epc.0.node=3Dnumaid\n" " smp-cache.0.cache=3Dcachename,smp-cache.0.topology=3D= topologylevel\n" - " boot-certs.0.path=3D/path/directory,boot-certs.1.path= =3D/path/file provides paths to a directory and/or a certificate file\n", + " boot-certs.0.path=3D/path/directory,boot-certs.1.path= =3D/path/file provides paths to a directory and/or a certificate file\n" + " secure-boot=3Don|off enable/disable secure boot (defa= ult=3Doff) \n", QEMU_ARCH_ALL) SRST ``-machine [type=3D]name[,prop=3Dvalue[,...]]`` 
@@ -213,6 +214,9 @@ SRST =20 ``boot-certs.0.path=3D/path/directory,boot-certs.1.path=3D/path/file`` Provide paths to a directory and/or a certificate file on the host= [s390x only]. + + ``secure-boot=3Don|off`` + Enables or disables secure boot on s390-ccw guest. The default is = off. ERST =20 DEF("M", HAS_ARG, QEMU_OPTION_M, --=20 2.53.0 From nobody Tue Apr 7 09:40:04 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass(p=reject dis=none) header.from=linux.ibm.com ARC-Seal: i=1; a=rsa-sha256; t=1775168233; cv=none; d=zohomail.com; s=zohoarc; b=AIx3SqBGKgq8+JggH/LgzucaBuX9TT+chaj3XJPJkIjjQ0cEoSskI5ZusbCxmE/fNaT6qxKS6GLWv//sUxDaPI1OG5XXOpHkUoE3sxdXjNb/AeO2YOXwPWVnI3ZH0xCyIUbQzlTA7dORYwBSS2+V7aTqPmA6sIB/O/sRi18rCBM= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1775168233; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=O1GjkwGOYVwOKFtKL83QQvCA3EfyKBCMMY/G69CcJn0=; b=fiYMOUYqyDOpxchelFZ8qVYCv9Il++3MI6lPMgNnZEziECMmGtkKynXtM3hsyFgl10XJ9szqDgrHpNna0o5Nf6S1oBN5+XsyqXeddatG6d78l8YOsAoYhxFZHMJd+XcN68mx07UkCyZTxZlHPvjurNmopUDuhXJfSdWuccWuA5A= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass header.from= (p=reject dis=none) Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1775168233246168.82658340546527; Thu, 2 Apr 2026 15:17:13 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp 
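Review bot: In the docs/system/s390x/secure-ipl.rst hunk, the new shell code-block shows `secure-boot=on|off` as a literal command line; pasted into a shell, `|off` is parsed as a pipe. The other examples in this file can be copied as they stand, so show `secure-boot=on` in the block and mention `off` in the prose. The "Enabling Secure IPL" section could also say that certificates are needed as well, since the IPL Modes text just below states that the mode depends on the combination of ``secure-boot`` and ``boot-certs``.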
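Review bot: In hw/s390x/s390-virtio-ccw.c, machine_get_secure_boot() and machine_set_secure_boot() are declared `static inline`, but they are only used through the function pointers passed to object_class_property_add_bool(), so `inline` has no effect. Plain `static`, matching machine_set_boot_certs() just above, would be cleaner. The `@@ -871,6 +886,13 @@` hunk also leaves a blank line before the closing brace of ccw_machine_class_init().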
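Review bot: In qemu-options.hx, the ``boot-certs`` entry in the SRST text is tagged "[s390x only]" but the new ``secure-boot=on|off`` entry is not, although the property is registered only in ccw_machine_class_init(). Add the same tag, and change "on s390-ccw guest" to "for s390-ccw-virtio guests". The help string added in the DEF() hunk also has a trailing space before `\n`.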
From: Zhuoying Cai
To: qemu-s390x@nongnu.org, qemu-devel@nongnu.org
Cc: jrossi@linux.ibm.com, cohuck@redhat.com, berrange@redhat.com, richard.henderson@linaro.org, pierrick.bouvier@linaro.org, david@kernel.org, walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com, brueckner@linux.ibm.com, jdaley@linux.ibm.com
Subject: [PATCH v10 24/30] hw/s390x/ipl: Set IPIB flags for secure IPL
Date: Thu, 2 Apr 2026 18:14:46 -0400
Message-ID: <20260402221453.1602899-25-zycai@linux.ibm.com>
In-Reply-To: <20260402221453.1602899-1-zycai@linux.ibm.com>
References: <20260402221453.1602899-1-zycai@linux.ibm.com>

If `-M secure-boot=on` is specified on the command line option, indicating true secure IPL enabled, set Secure-IPL bit and IPL-Information-Report bit on in IPIB Flags field, and trigger true secure IPL in the S390 BIOS. Any error that occurs during true secure IPL will cause the IPL to terminate.
Signed-off-by: Zhuoying Cai Reviewed-by: Thomas Huth --- hw/s390x/ipl.c | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/hw/s390x/ipl.c b/hw/s390x/ipl.c index f4311f6d62..67e8231c76 100644 --- a/hw/s390x/ipl.c +++ b/hw/s390x/ipl.c @@ -468,6 +468,11 @@ static bool s390_has_certificate(void) return ipl->cert_store.count > 0; } =20 +static bool s390_secure_boot_enabled(void) +{ + return S390_CCW_MACHINE(qdev_get_machine())->secure_boot; +} + static bool s390_build_iplb(DeviceState *dev_st, IplParameterBlock *iplb) { CcwDevice *ccw_dev =3D NULL; @@ -524,6 +529,18 @@ static bool s390_build_iplb(DeviceState *dev_st, IplPa= rameterBlock *iplb) s390_ipl_convert_loadparm((char *)lp, iplb->loadparm); iplb->flags |=3D DIAG308_FLAGS_LP_VALID; =20 + /* + * If secure-boot is enabled, then toggle the secure IPL flags to + * trigger secure boot in the s390 BIOS. + * + * Boot process will terminate if any error occurs during secure b= oot. + * + * If SIPL is on, IPLIR must also be on. + */ + if (s390_secure_boot_enabled()) { + iplb->hdr_flags |=3D (DIAG308_IPIB_FLAGS_SIPL | DIAG308_IPIB_F= LAGS_IPLIR); + iplb->len =3D cpu_to_be32(S390_IPLB_MAX_LEN); + } /* * Secure boot in audit mode will perform * if certificate(s) exist in the key store. 
@@ -533,7 +550,7 @@ static bool s390_build_iplb(DeviceState *dev_st, IplPar= ameterBlock *iplb) * * Results of secure boot will be stored in IIRB. */ - if (s390_has_certificate()) { + else if (s390_has_certificate()) { iplb->hdr_flags |=3D DIAG308_IPIB_FLAGS_IPLIR; iplb->len =3D cpu_to_be32(S390_IPLB_MAX_LEN); } --=20 2.53.0 From nobody Tue Apr 7 09:40:04 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass(p=reject dis=none) header.from=linux.ibm.com ARC-Seal: i=1; a=rsa-sha256; t=1775168297; cv=none; d=zohomail.com; s=zohoarc; b=YncxSuEMCr4C2x51i43IPpbzWoIG3IT5hNtBhrWnpp02A8Y5d1eNIrP+uV/LYKlq4sJ1dFxqv6o+rKU4SH3pcs7gNpLZaKHGRMZX+xVr7Q/KH/FS7N6GbhUxA00Yj1PMwNl4kCDoAiIWvh8lsYjEd7hbdj23vc+Yc4PtmZc+khE= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1775168297; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=xD0NyiOEYKfeeAkZSBVAcIMf1mTeU2WRvnVkItdTzEY=; b=NxURUq0pUpJu0LG6n1b/Uk9S6c9jcjkhehYVUKzSY1a1C6ILCNl7mBmzKBkBvvUZYAFrvmvNaF64A2vhLn3O+mUjKMujNhQPDEEWNc1lRPRNr4m3JeH2tlVoHlEBYXdLM/sLM9wXAEnGdSFlL+XaT32zgXptpz2tzlpGJs+oqfU= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass header.from= (p=reject dis=none) Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 1775168297446742.6683962055756; Thu, 2 Apr 2026 15:18:17 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) 
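Review bot: In the `@@ -524,6 +529,18 @@` hunk of s390_build_iplb(), DIAG308_IPIB_FLAGS_SIPL and DIAG308_IPIB_FLAGS_IPLIR are set whenever `secure_boot` is true, without consulting s390_has_certificate(). If `secure-boot=on` with an empty certificate store is not a valid configuration, QEMU could reject it here or at machine initialization with a clear error instead of leaving the failure to the BIOS. If deferring to the BIOS is intended, say so in the new comment.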
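Review bot: The `@@ -533,7 +550,7 @@` hunk turns the audit-mode test into `else if (s390_has_certificate())`, but the closing `}` of the new secure-boot branch and this `else` are separated by the whole audit-mode comment block. That departs from the `} else if (...) {` layout in QEMU's coding style and makes the chain easy to miss when reading. Move the audit-mode comment inside its branch. Both branches also end with the same `iplb->len = cpu_to_be32(S390_IPLB_MAX_LEN);`, which could be hoisted out.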
From: Zhuoying Cai
To: qemu-s390x@nongnu.org, qemu-devel@nongnu.org
Cc: jrossi@linux.ibm.com, cohuck@redhat.com, berrange@redhat.com, richard.henderson@linaro.org, pierrick.bouvier@linaro.org, david@kernel.org, walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com, brueckner@linux.ibm.com, jdaley@linux.ibm.com
Subject: [PATCH v10 25/30] pc-bios/s390-ccw: Handle true secure IPL mode
Date: Thu, 2 Apr 2026 18:14:47 -0400
Message-ID: <20260402221453.1602899-26-zycai@linux.ibm.com>
In-Reply-To: <20260402221453.1602899-1-zycai@linux.ibm.com>
References: <20260402221453.1602899-1-zycai@linux.ibm.com>
When secure boot is enabled (-secure-boot on) and certificate(s) are provided, the boot operates in True Secure IPL mode. Any verification error during True Secure IPL mode will cause the entire boot process to terminate. Secure IPL in audit mode requires at least one certificate provided in the key store along with necessary facilities.
If secure boot is enabled but no certificate is provided, the boot process will also terminate, as this is not a valid secure boot configuration. Note: True Secure IPL mode is implemented for the SCSI scheme of virtio-blk/virtio-scsi devices. Signed-off-by: Zhuoying Cai Reviewed-by: Collin Walling --- docs/system/s390x/secure-ipl.rst | 13 +++++++++++++ pc-bios/s390-ccw/bootmap.c | 8 ++++++++ pc-bios/s390-ccw/s390-ccw.h | 1 + pc-bios/s390-ccw/secure-ipl.c | 4 ++++ pc-bios/s390-ccw/secure-ipl.h | 3 +++ 5 files changed, 29 insertions(+) diff --git a/docs/system/s390x/secure-ipl.rst b/docs/system/s390x/secure-ip= l.rst index 2465f8b26d..e0af086c38 100644 --- a/docs/system/s390x/secure-ipl.rst +++ b/docs/system/s390x/secure-ipl.rst @@ -65,3 +65,16 @@ Configuration: .. code-block:: shell =20 qemu-system-s390x -machine s390-ccw-virtio,boot-certs.0.path=3D/.../qe= mu/certs,boot-certs.1.path=3D/another/path/cert.pem ... + +Secure Mode +----------- + +When the ``secure-boot=3Don`` option is set and certificates are provided, +a secure boot is performed with error reporting enabled. The boot process = aborts +if any error occurs. + +Configuration: + +.. code-block:: shell + + qemu-system-s390x -machine s390-ccw-virtio,secure-boot=3Don,boot-certs= .0.path=3D/.../qemu/certs,boot-certs.1.path=3D/another/path/cert.pem ... diff --git a/pc-bios/s390-ccw/bootmap.c b/pc-bios/s390-ccw/bootmap.c index 1873a35511..bf8eee5ae0 100644 --- a/pc-bios/s390-ccw/bootmap.c +++ b/pc-bios/s390-ccw/bootmap.c @@ -738,6 +738,7 @@ static int zipl_run(ScsiBlockPtr *pte) entry =3D (ComponentEntry *)(&header[1]); =20 switch (boot_mode) { + case ZIPL_BOOT_MODE_SECURE: case ZIPL_BOOT_MODE_SECURE_AUDIT: rc =3D zipl_run_secure(&entry, tmp_sec); break; 
@@ -1120,9 +1121,16 @@ ZiplBootMode get_boot_mode(uint8_t hdr_flags) { bool sipl_set =3D hdr_flags & DIAG308_IPIB_FLAGS_SIPL; bool iplir_set =3D hdr_flags & DIAG308_IPIB_FLAGS_IPLIR; + VCStorageSizeBlock *vcssb; =20 if (!sipl_set && iplir_set) { return ZIPL_BOOT_MODE_SECURE_AUDIT; + } else if (sipl_set && iplir_set) { + vcssb =3D zipl_secure_get_vcssb(); + if (vcssb =3D=3D NULL || vcssb->length =3D=3D VCSSB_NO_VC) { + panic("Need at least one certificate for secure boot!"); + } + return ZIPL_BOOT_MODE_SECURE; } =20 return ZIPL_BOOT_MODE_NORMAL; diff --git a/pc-bios/s390-ccw/s390-ccw.h b/pc-bios/s390-ccw/s390-ccw.h index e1a8097c95..8538663bd5 100644 --- a/pc-bios/s390-ccw/s390-ccw.h +++ b/pc-bios/s390-ccw/s390-ccw.h @@ -91,6 +91,7 @@ void zipl_load(void); typedef enum ZiplBootMode { ZIPL_BOOT_MODE_NORMAL =3D 0, ZIPL_BOOT_MODE_SECURE_AUDIT =3D 1, + ZIPL_BOOT_MODE_SECURE =3D 2, } ZiplBootMode; =20 extern ZiplBootMode boot_mode; diff --git a/pc-bios/s390-ccw/secure-ipl.c b/pc-bios/s390-ccw/secure-ipl.c index d4e455ed0c..0befa6a8b3 100644 --- a/pc-bios/s390-ccw/secure-ipl.c +++ b/pc-bios/s390-ccw/secure-ipl.c @@ -280,6 +280,10 @@ static bool check_sclab_presence(uint8_t *sclab_magic,= uint32_t *cei_flags) *cei_flags |=3D S390_CEI_INVALID_SCLAB; =20 /* a missing SCLAB will not be reported in audit mode */ + if (boot_mode =3D=3D ZIPL_BOOT_MODE_SECURE) { + zipl_secure_handle("Magic does not match. SCLAB does not exist"); + } + return false; } =20 diff --git a/pc-bios/s390-ccw/secure-ipl.h b/pc-bios/s390-ccw/secure-ipl.h index 75d1c8e046..039fcec516 100644 --- a/pc-bios/s390-ccw/secure-ipl.h +++ b/pc-bios/s390-ccw/secure-ipl.h 
@@ -82,6 +82,9 @@ static inline void zipl_secure_handle(const char *message) case ZIPL_BOOT_MODE_SECURE_AUDIT: IPL_check(false, message); break; + case ZIPL_BOOT_MODE_SECURE: + panic(message); + break; default: break; } --=20 2.53.0
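Review bot: in the get_boot_mode() hunk of pc-bios/s390-ccw/bootmap.c, a header with SIPL set and IPLIR clear still falls through to the final return of ZIPL_BOOT_MODE_NORMAL, so a request for secure IPL with an inconsistent flag pair is booted without any verification. The two branches cover only "!sipl_set && iplir_set" and "sipl_set && iplir_set"; treat "sipl_set && !iplir_set" as an error as well (a panic, like the missing-certificate case) so that mode selection fails closed.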
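Review bot: in the check_sclab_presence() hunk of pc-bios/s390-ccw/secure-ipl.c, the existing comment "a missing SCLAB will not be reported in audit mode" now sits directly above the new secure-mode block and reads as if it described that block. Reword it to say that a missing SCLAB is fatal only in ZIPL_BOOT_MODE_SECURE, and that the explicit boot_mode test is there because zipl_secure_handle() would otherwise call IPL_check() in audit mode.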
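Review bot: the new "Secure Mode" section in docs/system/s390x/secure-ipl.rst leaves out two constraints that the commit message states: the boot terminates when secure-boot is on but no certificate is provided, and this mode is implemented only for the SCSI scheme of virtio-blk/virtio-scsi devices. Both are the configuration errors a user is most likely to hit first, so they belong next to the example command line.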
From: Zhuoying Cai
To: qemu-s390x@nongnu.org, qemu-devel@nongnu.org
Cc: jrossi@linux.ibm.com, cohuck@redhat.com, berrange@redhat.com, richard.henderson@linaro.org, pierrick.bouvier@linaro.org, david@kernel.org, walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com, brueckner@linux.ibm.com, jdaley@linux.ibm.com
Subject: [PATCH v10 26/30] hw/s390x/ipl: Handle secure boot with multiple boot devices
Date: Thu, 2 Apr 2026 18:14:48 -0400
Message-ID: <20260402221453.1602899-27-zycai@linux.ibm.com>
In-Reply-To: <20260402221453.1602899-1-zycai@linux.ibm.com>
References: <20260402221453.1602899-1-zycai@linux.ibm.com>
The current approach to enable secure boot relies on providing secure-boot and boot-certs parameters of s390-ccw-virtio machine type option, which apply to all boot devices. With the possibility of multiple boot devices, secure boot expects all provided devices to be supported and eligible (e.g., virtio-blk/virtio-scsi using the SCSI scheme).
If multiple boot devices are provided and include an unsupported (e.g., ECKD, VFIO) or a non-eligible (e.g., Net) device, the boot process will terminate with an error logged to the console. Signed-off-by: Zhuoying Cai Reviewed-by: Thomas Huth --- hw/s390x/ipl.c | 79 ++++++++++++++++++++++++++++------------- pc-bios/s390-ccw/main.c | 3 -- 2 files changed, 54 insertions(+), 28 deletions(-) diff --git a/hw/s390x/ipl.c b/hw/s390x/ipl.c index 67e8231c76..52f953fd32 100644 --- a/hw/s390x/ipl.c +++ b/hw/s390x/ipl.c 
@@ -473,6 +473,58 @@ static bool s390_secure_boot_enabled(void) return S390_CCW_MACHINE(qdev_get_machine())->secure_boot; } =20 +static bool s390_validate_secure_boot_device(int devtype, Error **errp) +{ + switch (devtype) { + case CCW_DEVTYPE_VFIO: + error_setg(errp, "Passthrough (vfio) CCW device does not support se= cure boot!"); + return false; + case CCW_DEVTYPE_VIRTIO_NET: + error_setg(errp, "Virtio net boot device does not support secure bo= ot!"); + return false; + default: + return true; + } +} + +static void s390_apply_secure_boot(IplParameterBlock *iplb, int devtype, + bool secure_boot, bool audit_mode) +{ + Error *local_error =3D NULL; + + if (!secure_boot && !audit_mode) { + return; + } + + if (!s390_validate_secure_boot_device(devtype, &local_error)) { + error_report_err(local_error); + exit(1); + } + + /* + * If secure-boot is enabled, then toggle the secure IPL flags (SIPL) = to + * trigger secure boot in the s390 BIOS. + * + * Boot process will terminate if any error occurs during secure boot. + */ + if (secure_boot) { + iplb->hdr_flags |=3D DIAG308_IPIB_FLAGS_SIPL; + } + + /* + * For both secure boot and audit mode, enable the IPL Information + * Report (IPLIR) flag so that the firmware generates an IPL + * Information Report Block (IIRB). + * + * Results of secure boot will be stored in IIRB. + * + * Extend the IPL parameter block to its maximum length to ensure + * sufficient space for the BIOS to populate the IIRB. + */ + iplb->hdr_flags |=3D DIAG308_IPIB_FLAGS_IPLIR; + iplb->len =3D cpu_to_be32(S390_IPLB_MAX_LEN); +} + static bool s390_build_iplb(DeviceState *dev_st, IplParameterBlock *iplb) { CcwDevice *ccw_dev =3D NULL; 
@@ -529,31 +581,8 @@ static bool s390_build_iplb(DeviceState *dev_st, IplPa= rameterBlock *iplb) s390_ipl_convert_loadparm((char *)lp, iplb->loadparm); iplb->flags |=3D DIAG308_FLAGS_LP_VALID; =20 - /* - * If secure-boot is enabled, then toggle the secure IPL flags to - * trigger secure boot in the s390 BIOS. - * - * Boot process will terminate if any error occurs during secure b= oot. - * - * If SIPL is on, IPLIR must also be on. - */ - if (s390_secure_boot_enabled()) { - iplb->hdr_flags |=3D (DIAG308_IPIB_FLAGS_SIPL | DIAG308_IPIB_F= LAGS_IPLIR); - iplb->len =3D cpu_to_be32(S390_IPLB_MAX_LEN); - } - /* - * Secure boot in audit mode will perform - * if certificate(s) exist in the key store. - * - * IPL Information Report Block (IIRB) will exist - * for secure boot in audit mode. - * - * Results of secure boot will be stored in IIRB. - */ - else if (s390_has_certificate()) { - iplb->hdr_flags |=3D DIAG308_IPIB_FLAGS_IPLIR; - iplb->len =3D cpu_to_be32(S390_IPLB_MAX_LEN); - } + s390_apply_secure_boot(iplb, devtype, s390_secure_boot_enabled(), + s390_has_certificate()); =20 return true; } diff --git a/pc-bios/s390-ccw/main.c b/pc-bios/s390-ccw/main.c index 93d22fc77c..7233f3db89 100644 --- a/pc-bios/s390-ccw/main.c +++ b/pc-bios/s390-ccw/main.c 
@@ -304,9 +304,6 @@ static void ipl_ccw_device(void) switch (cutype) { case CU_TYPE_DASD_3990: case CU_TYPE_DASD_2107: - IPL_assert((boot_mode =3D=3D ZIPL_BOOT_MODE_NORMAL), - "Passthrough (vfio) CCW device does not support secure= boot!"); - dasd_ipl(blk_schid, cutype); break; case CU_TYPE_VIRTIO: --=20 2.53.0
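Review bot: s390_validate_secure_boot_device() in the first hw/s390x/ipl.c hunk is a deny list: only CCW_DEVTYPE_VFIO and CCW_DEVTYPE_VIRTIO_NET are rejected and the default case returns true, so any device type added later is accepted for secure boot without review. The commit message already describes the eligible set (virtio-blk/virtio-scsi using the SCSI scheme); listing those types explicitly and rejecting in the default case would make the check fail closed. The message also names ECKD as unsupported, but no case here covers it, so say where that is enforced.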
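Review bot: in s390_apply_secure_boot(), the device check runs whenever "secure_boot || audit_mode" holds and a failure ends in exit(1), so a guest that has certificates configured but secure-boot off now refuses to start with a vfio or network boot device. That is stricter than how audit mode is handled in zipl_secure_handle(), where only ZIPL_BOOT_MODE_SECURE panics; if the hard stop is intended for audit mode too, state it in the commit message and the documentation, otherwise limit it to the secure_boot case. The audit_mode parameter is also fed s390_has_certificate(), which is true in full secure mode as well, so a name that says "certificates present" would match what it carries.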
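Review bot: the pc-bios/s390-ccw/main.c hunk drops the IPL_assert in the DASD case, which leaves the BIOS with no check of its own that boot_mode is ZIPL_BOOT_MODE_NORMAL before dasd_ipl() runs; enforcement now rests entirely on the host-side validation added in hw/s390x/ipl.c. Keeping the assert costs nothing and preserves a second check on the path that actually loads the code. If it has to go, the commit message should explain why the host-side check alone is sufficient.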
From: Zhuoying Cai
To: qemu-s390x@nongnu.org, qemu-devel@nongnu.org
Cc: jrossi@linux.ibm.com, cohuck@redhat.com, berrange@redhat.com, richard.henderson@linaro.org, pierrick.bouvier@linaro.org, david@kernel.org, walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com, brueckner@linux.ibm.com, jdaley@linux.ibm.com
Subject: [PATCH v10 27/30] hw/s390x/ipl: Handle secure boot without specifying a boot device
Date: Thu, 2 Apr 2026 18:14:49 -0400
Message-ID: <20260402221453.1602899-28-zycai@linux.ibm.com>
In-Reply-To: <20260402221453.1602899-1-zycai@linux.ibm.com>
References: <20260402221453.1602899-1-zycai@linux.ibm.com>
If secure boot in audit mode or True Secure IPL mode is enabled without specifying a boot device, the boot process will terminate with an error. Signed-off-by: Zhuoying Cai Reviewed-by: Thomas Huth --- hw/s390x/ipl.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/hw/s390x/ipl.c b/hw/s390x/ipl.c index 52f953fd32..2eb3b4643b 100644 --- a/hw/s390x/ipl.c +++ b/hw/s390x/ipl.c
@@ -852,6 +852,16 @@ void s390_ipl_prepare_cpu(S390CPU *cpu) cpu->env.psw.addr =3D ipl->bios_start_addr; if (!ipl->iplb_valid) { ipl->iplb_valid =3D s390_init_all_iplbs(ipl); + + /* + * Secure IPL without specifying a boot device. + * IPLB is not generated if no boot device is defined. + */ + if ((s390_has_certificate() || s390_secure_boot_enabled()) && + !ipl->iplb_valid) { + error_report("No boot device defined for Secure IPL"); + exit(1); + } } else { ipl->qipl.chain_len =3D 0; } --=20 2.53.0
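Review bot: in the s390_ipl_prepare_cpu() hunk, the condition "s390_has_certificate() || s390_secure_boot_enabled()" makes a configuration with certificates but no boot device fatal even when secure-boot is off, yet the message says only "No boot device defined for Secure IPL". Name the mode in the message (audit or secure) or mention the boot-certs and secure-boot options, so the user can tell which setting caused the exit. The check also calls exit(1) from the CPU preparation path; if this function runs again on later resets, reporting the misconfiguration once during machine setup would be the more usual place for it.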
From: Zhuoying Cai
To: qemu-s390x@nongnu.org, qemu-devel@nongnu.org
Cc: jrossi@linux.ibm.com, cohuck@redhat.com, berrange@redhat.com, richard.henderson@linaro.org, pierrick.bouvier@linaro.org, david@kernel.org, walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com, brueckner@linux.ibm.com, jdaley@linux.ibm.com
Subject: [PATCH v10 28/30] tests/functional/s390x: Add secure IPL functional test
Date: Thu, 2 Apr 2026 18:14:50 -0400
Message-ID: <20260402221453.1602899-29-zycai@linux.ibm.com>
In-Reply-To: <20260402221453.1602899-1-zycai@linux.ibm.com>
References: <20260402221453.1602899-1-zycai@linux.ibm.com>
engine=ICAP:2.0.293,Aquarius:18.0.1143,Hydra:6.1.51,FMLib:17.12.100.49 definitions=2026-04-02_04,2026-04-02_05,2025-10-01_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 suspectscore=0 clxscore=1015 adultscore=0 priorityscore=1501 bulkscore=0 phishscore=0 malwarescore=0 lowpriorityscore=0 spamscore=0 impostorscore=0 classifier=typeunknown authscore=0 authtc= authcc= route=outbound adjust=0 reason=mlx scancount=1 engine=8.22.0-2603050001 definitions=main-2604020195 Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: pass client-ip=148.163.158.5; envelope-from=zycai@linux.ibm.com; helo=mx0b-001b2d01.pphosted.com X-Spam_score_int: -26 X-Spam_score: -2.7 X-Spam_bar: -- X-Spam_report: (-2.7 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_VALIDITY_CERTIFIED_BLOCKED=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @ibm.com) X-ZM-MESSAGEID: 1775168244587158500 Content-Type: text/plain; charset="utf-8" Add functional test for secure IPL. Signed-off-by: Zhuoying Cai --- tests/functional/s390x/meson.build | 2 + tests/functional/s390x/test_secure_ipl.py | 148 ++++++++++++++++++++++ 2 files changed, 150 insertions(+) create mode 100755 tests/functional/s390x/test_secure_ipl.py 
diff --git a/tests/functional/s390x/meson.build b/tests/functional/s390x/me= son.build index 0f03e1c9db..07191ec996 100644 --- a/tests/functional/s390x/meson.build +++ b/tests/functional/s390x/meson.build @@ -2,6 +2,7 @@ =20 test_s390x_timeouts =3D { 'ccw_virtio' : 420, + 'secure_ipl' : 280, } =20 tests_s390x_system_quick =3D [ @@ -13,6 +14,7 @@ tests_s390x_system_thorough =3D [ 'ccw_virtio', 'pxelinux', 'replay', + 'secure_ipl', 'topology', 'tuxrun', ] diff --git a/tests/functional/s390x/test_secure_ipl.py b/tests/functional/s= 390x/test_secure_ipl.py new file mode 100755 index 0000000000..0980daace1 --- /dev/null +++ b/tests/functional/s390x/test_secure_ipl.py 
@@ -0,0 +1,148 @@ +#!/usr/bin/env python3 +# +# s390x Secure IPL functional test: validates secure-boot verification res= ults +# +# SPDX-License-Identifier: GPL-2.0-or-later + +from subprocess import check_call, DEVNULL + +from qemu_test import QemuSystemTest, Asset, get_qemu_img +from qemu_test import exec_command_and_wait_for_pattern, exec_command +from qemu_test import wait_for_console_pattern, skipBigDataTest + +class S390xSecureIpl(QemuSystemTest): + ASSET_F40_QCOW2 =3D Asset( + ('https://archives.fedoraproject.org/pub/archive/' + 'fedora-secondary/releases/40/Server/s390x/images/' + 'Fedora-Server-KVM-40-1.14.s390x.qcow2'), + '091c232a7301be14e19c76ce9a0c1cbd2be2c4157884a731e1fc4f89e7455a5f') + + def __init__(self, *args, **kwargs): + super().__init__(*args, **kwargs) + self.root_password =3D None + self.qcow2_path =3D None + self.cert_path =3D None + self.prompt =3D None + + # Boot a temporary VM to set up secure IPL image: + # - Create certificate + # - Sign stage3 binary and kernel + # - Run zipl + # - Extract certificate + def setup_s390x_secure_ipl(self): + temp_vm =3D self.get_vm(name=3D'sipl_setup') + temp_vm.set_machine('s390-ccw-virtio') + + asset_path =3D self.ASSET_F40_QCOW2.fetch() + self.qcow2_path =3D self.scratch_file('f40.qcow2') + qemu_img =3D get_qemu_img(self) + check_call([qemu_img, 'create', '-f', 'qcow2', '-b', asset_path, + '-F', 'qcow2', self.qcow2_path], stdout=3DDEVNULL, std= err=3DDEVNULL) + + temp_vm.set_console() + temp_vm.add_args('-nographic', + '-accel', 'kvm', + '-m', '1024', + '-drive', + f'id=3Ddrive0,if=3Dnone,format=3Dqcow2,file=3D{se= lf.qcow2_path}', + '-device', 'virtio-blk-ccw,drive=3Ddrive0,bootind= ex=3D1') + temp_vm.launch() + + # Initial root account setup (Fedora first boot screen) + self.root_password =3D 'fedora40password' + wait_for_console_pattern(self, 'Please make a selection from the a= bove', + vm=3Dtemp_vm) + exec_command_and_wait_for_pattern(self, '4', 'Password:', vm=3Dtem= p_vm) + 
exec_command_and_wait_for_pattern(self, self.root_password, + 'Password (confirm):', vm=3Dtemp= _vm) + exec_command_and_wait_for_pattern(self, self.root_password, + 'Please make a selection from the abov= e', + vm=3Dtemp_vm) + + # Login as root + self.prompt =3D '[root@localhost ~]#' + exec_command_and_wait_for_pattern(self, 'c', 'localhost login:', v= m=3Dtemp_vm) + exec_command_and_wait_for_pattern(self, 'root', 'Password:', vm=3D= temp_vm) + exec_command_and_wait_for_pattern(self, self.root_password, self.p= rompt, + vm=3Dtemp_vm) + + # Certificate generation + exec_command_and_wait_for_pattern(self, + 'openssl version', 'OpenSSL 3.2.= 1 30', + vm=3Dtemp_vm) + exec_command_and_wait_for_pattern(self, + 'openssl req -new -x509 -newkey rsa:2048 ' + '-keyout mykey.pem -outform PEM -out mycert.pe= m ' + '-days 36500 -subj "/CN=3DMy Name/" -nodes -ve= rbose', + 'Writing private key to \'mykey.pem\'', vm=3Dt= emp_vm) + + # Install kernel-devel (needed for sign-file) + exec_command_and_wait_for_pattern(self, + 'sudo dnf install kernel-devel-$(uname -r)= -y', + 'Complete!', vm=3Dtemp_vm) + wait_for_console_pattern(self, self.prompt, vm=3Dtemp_vm) + exec_command_and_wait_for_pattern(self, + 'ls /usr/src/kernels/$(uname -r)/scrip= ts/', + 'sign-file', vm=3Dtemp_vm) + + # Sign stage3 binary and kernel + exec_command(self, '/usr/src/kernels/$(uname -r)/scripts/sign-file= ' + 'sha256 mykey.pem mycert.pem /lib/s390-tools/stage3.bi= n', + vm=3Dtemp_vm) + wait_for_console_pattern(self, self.prompt, vm=3Dtemp_vm) + exec_command(self, '/usr/src/kernels/$(uname -r)/scripts/sign-file= ' + 'sha256 mykey.pem mycert.pem /boot/vmlinuz-$(uname -r)= ', + vm=3Dtemp_vm) + wait_for_console_pattern(self, self.prompt, vm=3Dtemp_vm) + + # Run zipl to prepare for secure boot + exec_command_and_wait_for_pattern(self, 'zipl --secure 1 -VV', 'Do= ne.', + vm=3Dtemp_vm) + + # Extract certificate to host + out =3D exec_command_and_wait_for_pattern(self, 'cat mycert.pem', + '-----END CERTIFICATE-----= 
', + vm=3Dtemp_vm) + # strip first line to avoid console echo artifacts + cert =3D "\n".join(out.decode("utf-8").splitlines()[1:]) + self.log.info("%s", cert) + + self.cert_path =3D self.scratch_file("mycert.pem") + + with open(self.cert_path, 'w', encoding=3D"utf-8") as file_object: + file_object.write(cert) + + # Shutdown temp vm + temp_vm.shutdown() + + @skipBigDataTest() + def test_s390x_secure_ipl(self): + self.require_accelerator('kvm') + self.setup_s390x_secure_ipl() + + self.set_machine('s390-ccw-virtio') + + self.vm.set_console() + self.vm.add_args('-nographic', + '-machine', 's390-ccw-virtio,secure-boot=3Don,' + f'boot-certs.0.path=3D{self.cert_path}', + '-accel', 'kvm', + '-m', '1024', + '-drive', + f'id=3Ddrive1,if=3Dnone,format=3Dqcow2,file=3D{se= lf.qcow2_path}', + '-device', 'virtio-blk-ccw,drive=3Ddrive1,bootind= ex=3D1') + self.vm.launch() + + # Expect two verified components + verified_output =3D "Verified component" + wait_for_console_pattern(self, verified_output) + wait_for_console_pattern(self, verified_output) + + # Login and verify the vm is booted using secure boot + wait_for_console_pattern(self, 'localhost login:') + exec_command_and_wait_for_pattern(self, 'root', 'Password:') + exec_command_and_wait_for_pattern(self, self.root_password, self.p= rompt) + exec_command_and_wait_for_pattern(self, 'cat /sys/firmware/ipl/sec= ure', '1') + +if __name__ =3D=3D '__main__': + QemuSystemTest.main() --=20 2.53.0 From nobody Tue Apr 7 09:40:04 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass(p=reject dis=none) header.from=linux.ibm.com ARC-Seal: i=1; a=rsa-sha256; t=1775168253; cv=none; d=zohomail.com; s=zohoarc; 
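Review bot: The final check in test_s390x_secure_ipl, exec_command_and_wait_for_pattern(self, 'cat /sys/firmware/ipl/secure', '1'), waits for a bare '1', which any later console line containing that digit would satisfy, so it does not reliably prove the guest was IPLed in secure mode; match something distinctive instead, for example have the guest print a marker string only when the file reads 1. The test also covers only the accepting path: there is no case where the image is unsigned, or where boot-certs names a certificate that did not sign it, to show that secure-boot=on actually refuses to boot, and that rejection is the behaviour the feature exists for. Separately, setup_s390x_secure_ipl runs 'dnf install kernel-devel-$(uname -r)' inside the guest, so the test depends on guest network access and on the Fedora 40 repositories at run time, unlike the qcow2 image, which is fetched through Asset with a pinned hash.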
From: Zhuoying Cai
To: qemu-s390x@nongnu.org, qemu-devel@nongnu.org
Cc: jrossi@linux.ibm.com, cohuck@redhat.com, berrange@redhat.com, richard.henderson@linaro.org, pierrick.bouvier@linaro.org, david@kernel.org, walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com, brueckner@linux.ibm.com, jdaley@linux.ibm.com
Subject: [PATCH v10 29/30] docs/specs: Add secure IPL documentation
Date: Thu, 2 Apr 2026 18:14:51 -0400
Message-ID: <20260402221453.1602899-30-zycai@linux.ibm.com>
In-Reply-To: <20260402221453.1602899-1-zycai@linux.ibm.com>
References: <20260402221453.1602899-1-zycai@linux.ibm.com>
Content-Transfer-Encoding: quoted-printable

Add documentation for secure IPL

Signed-off-by: Collin Walling
---
 docs/specs/s390x-secure-ipl.rst | 55 +++++++++++++++++++++++++++++++++
 1 file changed, 55 insertions(+)

diff --git a/docs/specs/s390x-secure-ipl.rst b/docs/specs/s390x-secure-ipl.= rst index 756246c45a..2ba54ecc1d 100644 --- a/docs/specs/s390x-secure-ipl.rst +++ b/docs/specs/s390x-secure-ipl.rst 
@@ -1,5 +1,60 @@ .. SPDX-License-Identifier: GPL-2.0-or-later =20 +s390 Secure IPL +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D + +Secure IPL (a.k.a. secure boot) enables s390-ccw virtual machines to +leverage qcrypto libraries and z/Architecture emulations to verify the +integrity of signed kernels. The qcrypto libraries are used to perform +certificate validation and signature-verification, whereas the +z/Architecture emulations are used to ensure secure IPL data has not +been tampered with, convey data between QEMU and guest code, and set up +the relevant secure IPL data structures with verification results. + +To find out more about using this feature, see +``docs/system/s390x/secure-ipl.rst``. + +Note that "guest code" will refer to the s390-ccw BIOS unless stated +otherwise. + +Both QEMU and guest code work in cooperation to perform secure IPL. The Se= cure +Loading Attributes Facility (SCLAF) is used to check the Secure Code +Loading Attribute Block (SCLAB) and ensure that secure IPL data has not +been tampered with. DIAGNOSE 'X'320' is invoked by guest code to query +the certificate store info and retrieve specific certificates from QEMU. +DIAGNOSE 'X'508' is used by guest code to leverage qcrypto libraries to +perform signature-verification in QEMU. Lastly, guest code generates and +appends an IPL Information Report Block (IIRB) at the end of the IPL +Parameter Block, which is used by the kernel to store signed and +verified entries. + +The logical steps are as follows: + +- guest code reads data payload from disk (e.g. 
stage3 boot loader, kernel) +- guest code checks the validity of the SCLAB +- guest code invokes DIAG 508 subcode 1 and provides it the payload +- QEMU handles DIAG 508 request by reading the payload and retrieving the + certificate store +- QEMU DIAG 508 utilizes qcrypto libraries to perform signature-verificati= on on + the payload, attempting with each cert in the store (until success or + exhausted) +- QEMU DIAG 508 returns: + + - success: index of cert used to verify payload + - failure: error code + +- guest code responds to this operation: + + - success: retrieves cert from store via DIAG 320 using returned index + - failure: reports with warning (audit mode), aborts with error (secure = mode) + +- guest code appends IIRB at the end of the IPLB +- guest code kicks off IPL + +More information regarding the respective DIAGNOSE commands and IPL data +structures are outlined within this document. + + s390 Certificate Store and Functions =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D =20 --=20 2.53.0 From nobody Tue Apr 7 09:40:04 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass(p=reject dis=none) header.from=linux.ibm.com ARC-Seal: i=1; a=rsa-sha256; t=1775168273; cv=none; d=zohomail.com; s=zohoarc; b=De1exOXkjB5n36gTNW8qqTRYckqHhaGzK4K+R3//5VhIdD6gJCav8VAULf/UG6SYz+oKtxraIYJb0onTFaFdabmoIfUHwg7QWUtdQ7gfd0TMyuO8FdGcDLOP63pH4K6q9mNtToG2QCoulvXTdfez6/BbbYlbbl39aupmylW6OmU= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1775168273; 
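Review bot: In the overview paragraph the facility is expanded as "Secure Loading Attributes Facility (SCLAF)" while the block is "Secure Code Loading Attribute Block (SCLAB)"; the acronym implies "Secure Code Loading Attributes Facility", so the expansion looks like it dropped a word. The same paragraph writes DIAGNOSE 'X'320' and DIAGNOSE 'X'508' with an unbalanced leading quote where X'320' and X'508' seem intended, and the closing sentence should read "More information ... is outlined". The new page title and the existing "s390 Certificate Store and Functions" heading both use an "=" underline, so the existing section ends up as a sibling of the title rather than a section under it. The commit message carries only Collin Walling's Signed-off-by although the mail is From: Zhuoying Cai; patch 30/30 has both.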
From: Zhuoying Cai
To: qemu-s390x@nongnu.org, qemu-devel@nongnu.org
Cc: jrossi@linux.ibm.com, cohuck@redhat.com, berrange@redhat.com, richard.henderson@linaro.org, pierrick.bouvier@linaro.org, david@kernel.org, walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com, brueckner@linux.ibm.com, jdaley@linux.ibm.com
Subject: [PATCH v10 30/30] docs/system/s390x: Add secure IPL documentation
Date: Thu, 2 Apr 2026 18:14:52 -0400
Message-ID: <20260402221453.1602899-31-zycai@linux.ibm.com>
In-Reply-To: <20260402221453.1602899-1-zycai@linux.ibm.com>
References: <20260402221453.1602899-1-zycai@linux.ibm.com>
Content-Transfer-Encoding: quoted-printable

Add documentation for secure IPL

Signed-off-by: Collin Walling
Signed-off-by: Zhuoying Cai
---
 docs/system/s390x/secure-ipl.rst | 97 ++++++++++++++++++++++++++++++++
 1 file changed, 97 insertions(+)

diff --git a/docs/system/s390x/secure-ipl.rst b/docs/system/s390x/secure-ip= l.rst index e0af086c38..db9fb46fea 100644 
--- a/docs/system/s390x/secure-ipl.rst +++ b/docs/system/s390x/secure-ipl.rst @@ -1,5 +1,21 @@ .. SPDX-License-Identifier: GPL-2.0-or-later =20 +s390 Secure IPL +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D + +Secure IPL, also known as secure boot, enables s390-ccw virtual machines to +verify the integrity of guest kernels. + +For technical details of this feature, see ``docs/specs/s390x-secure-ipl.r= st``. + +This document explains how to use secure IPL with s390x in QEMU. It covers +the command line options for providing certificates and enabling secure IP= L, +the different IPL modes (Normal, Audit, and Secure), and system requiremen= ts. + +A quickstart guide is provided to demonstrate how to generate certificates, +sign images, and start a guest in Secure Mode. + + Secure IPL Command Line Options =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D =20 
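Review bot: The cross-reference in the new introduction is written as the inline literal ``docs/specs/s390x-secure-ipl.rst``, which renders as plain monospace text rather than a link; a :doc: reference to the specs page would let readers follow it. The added "s390 Secure IPL" title is underlined with "=" like the existing "Secure IPL Command Line Options" heading in the context lines, so the page title and its sections sit at the same level; use a distinct adornment for the title or demote the sections.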
@@ -78,3 +94,84 @@ Configuration: .. code-block:: shell =20 qemu-system-s390x -machine s390-ccw-virtio,secure-boot=3Don,boot-certs= .0.path=3D/.../qemu/certs,boot-certs.1.path=3D/another/path/cert.pem ... + + +Constraints +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D + +The following constraints apply when attempting to boot an s390x guest in = secure +mode: + +- z16 or "qemu" CPU model +- certificates must be in X.509 PEM format +- only support for SCSI scheme of virtio-blk/virtio-scsi devices +- a boot device must be specified +- any unsupported devices (e.g., ECKD and VFIO) or non-eligible devices (e= .g., + network) will cause the entire boot process terminating early with an er= ror + logged to the console. + + +Secure IPL Quickstart +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D + +Build QEMU with gnutls enabled +------------------------------- + +.. code-block:: shell + + ./configure =E2=80=A6 --enable-gnutls + +Generate certificate (e.g. via certtool) +---------------------------------------- + +A private key is required before generating a certificate. This key must b= e kept +secure and confidential. + +Use an RSA private key for signing. + +.. code-block:: shell + + certtool --generate-privkey > key.pem + +A self-signed certificate requires the organization name. Use the ``cert.i= nfo`` +template to pre-fill values and avoid interactive prompts from certtool. + +.. code-block:: shell + + cat > cert.info <