From: Zhuoying Cai
To: qemu-s390x@nongnu.org, qemu-devel@nongnu.org
Cc: jrossi@linux.ibm.com, cohuck@redhat.com, berrange@redhat.com, richard.henderson@linaro.org, pierrick.bouvier@linaro.org, david@kernel.org, walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com, brueckner@linux.ibm.com, jdaley@linux.ibm.com
Subject: [PATCH v10 25/30] pc-bios/s390-ccw: Handle true secure IPL mode
Date: Thu, 2 Apr 2026 18:14:47 -0400
Message-ID: <20260402221453.1602899-26-zycai@linux.ibm.com>
In-Reply-To: <20260402221453.1602899-1-zycai@linux.ibm.com>
References: <20260402221453.1602899-1-zycai@linux.ibm.com>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

When secure boot is enabled (-secure-boot on) and certificate(s) are provided, the boot operates in True Secure IPL mode. Any verification error during True Secure IPL mode will cause the entire boot process to terminate. Secure IPL in audit mode requires at least one certificate provided in the key store along with necessary facilities.

If secure boot is enabled but no certificate is provided, the boot process will also terminate, as this is not a valid secure boot configuration. Note: True Secure IPL mode is implemented for the SCSI scheme of virtio-blk/virtio-scsi devices. Signed-off-by: Zhuoying Cai Reviewed-by: Collin Walling --- docs/system/s390x/secure-ipl.rst | 13 +++++++++++++ pc-bios/s390-ccw/bootmap.c | 8 ++++++++ pc-bios/s390-ccw/s390-ccw.h | 1 + pc-bios/s390-ccw/secure-ipl.c | 4 ++++ pc-bios/s390-ccw/secure-ipl.h | 3 +++ 5 files changed, 29 insertions(+) diff --git a/docs/system/s390x/secure-ipl.rst b/docs/system/s390x/secure-ip= l.rst index 2465f8b26d..e0af086c38 100644 --- a/docs/system/s390x/secure-ipl.rst +++ b/docs/system/s390x/secure-ipl.rst @@ -65,3 +65,16 @@ Configuration: .. code-block:: shell =20 qemu-system-s390x -machine s390-ccw-virtio,boot-certs.0.path=3D/.../qe= mu/certs,boot-certs.1.path=3D/another/path/cert.pem ... + +Secure Mode +----------- + +When the ``secure-boot=3Don`` option is set and certificates are provided, +a secure boot is performed with error reporting enabled. The boot process = aborts +if any error occurs. + +Configuration: + +.. code-block:: shell + + qemu-system-s390x -machine s390-ccw-virtio,secure-boot=3Don,boot-certs= .0.path=3D/.../qemu/certs,boot-certs.1.path=3D/another/path/cert.pem ... diff --git a/pc-bios/s390-ccw/bootmap.c b/pc-bios/s390-ccw/bootmap.c index 1873a35511..bf8eee5ae0 100644 --- a/pc-bios/s390-ccw/bootmap.c +++ b/pc-bios/s390-ccw/bootmap.c @@ -738,6 +738,7 @@ static int zipl_run(ScsiBlockPtr *pte) entry =3D (ComponentEntry *)(&header[1]); =20 switch (boot_mode) { + case ZIPL_BOOT_MODE_SECURE: case ZIPL_BOOT_MODE_SECURE_AUDIT: rc =3D zipl_run_secure(&entry, tmp_sec); break; 
@@ -1120,9 +1121,16 @@ ZiplBootMode get_boot_mode(uint8_t hdr_flags) { bool sipl_set =3D hdr_flags & DIAG308_IPIB_FLAGS_SIPL; bool iplir_set =3D hdr_flags & DIAG308_IPIB_FLAGS_IPLIR; + VCStorageSizeBlock *vcssb; =20 if (!sipl_set && iplir_set) { return ZIPL_BOOT_MODE_SECURE_AUDIT; + } else if (sipl_set && iplir_set) { + vcssb =3D zipl_secure_get_vcssb(); + if (vcssb =3D=3D NULL || vcssb->length =3D=3D VCSSB_NO_VC) { + panic("Need at least one certificate for secure boot!"); + } + return ZIPL_BOOT_MODE_SECURE; } =20 return ZIPL_BOOT_MODE_NORMAL; diff --git a/pc-bios/s390-ccw/s390-ccw.h b/pc-bios/s390-ccw/s390-ccw.h index e1a8097c95..8538663bd5 100644 --- a/pc-bios/s390-ccw/s390-ccw.h +++ b/pc-bios/s390-ccw/s390-ccw.h @@ -91,6 +91,7 @@ void zipl_load(void); typedef enum ZiplBootMode { ZIPL_BOOT_MODE_NORMAL =3D 0, ZIPL_BOOT_MODE_SECURE_AUDIT =3D 1, + ZIPL_BOOT_MODE_SECURE =3D 2, } ZiplBootMode; =20 extern ZiplBootMode boot_mode; diff --git a/pc-bios/s390-ccw/secure-ipl.c b/pc-bios/s390-ccw/secure-ipl.c index d4e455ed0c..0befa6a8b3 100644 --- a/pc-bios/s390-ccw/secure-ipl.c +++ b/pc-bios/s390-ccw/secure-ipl.c @@ -280,6 +280,10 @@ static bool check_sclab_presence(uint8_t *sclab_magic,= uint32_t *cei_flags) *cei_flags |=3D S390_CEI_INVALID_SCLAB; =20 /* a missing SCLAB will not be reported in audit mode */ + if (boot_mode =3D=3D ZIPL_BOOT_MODE_SECURE) { + zipl_secure_handle("Magic does not match. SCLAB does not exist"); + } + return false; } =20 diff --git a/pc-bios/s390-ccw/secure-ipl.h b/pc-bios/s390-ccw/secure-ipl.h index 75d1c8e046..039fcec516 100644 --- a/pc-bios/s390-ccw/secure-ipl.h +++ b/pc-bios/s390-ccw/secure-ipl.h @@ -82,6 +82,9 @@ static inline void zipl_secure_handle(const char *message) case ZIPL_BOOT_MODE_SECURE_AUDIT: IPL_check(false, message); break; + case ZIPL_BOOT_MODE_SECURE: + panic(message); + break; default: break; } --=20 2.53.0
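Review bot: the new "Secure Mode" section in docs/system/s390x/secure-ipl.rst does not document the case where secure-boot=on is set but no boot-certs entries are given. The commit message says this configuration terminates the boot, and get_boot_mode() panics with "Need at least one certificate for secure boot!" in that case, so the section should say so, letting a user match that message to the misconfiguration. "with error reporting enabled" is also vague next to "aborts if any error occurs"; stating plainly that any verification error is fatal would read better, and the SCSI-scheme limitation from the commit message belongs here too.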
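Review bot: nothing in this patch shows what the non-SCSI boot paths do when boot_mode is ZIPL_BOOT_MODE_SECURE; the only dispatch added is the new case label in zipl_run(ScsiBlockPtr *pte) in pc-bios/s390-ccw/bootmap.c, and the commit message notes that true secure mode is implemented only for the SCSI scheme. If the other paths are not already rejected elsewhere in the series, they should refuse to boot in this mode rather than continue unverified. Please say which it is in the commit message, or add a comment at the switch.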
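Review bot: in get_boot_mode() (pc-bios/s390-ccw/bootmap.c, hunk at -1120) the combination sipl_set && !iplir_set is still unhandled and falls through to "return ZIPL_BOOT_MODE_NORMAL;", so a header with the SIPL flag set but IPLIR clear is treated as a normal boot. If that combination cannot reach the BIOS, a one-line comment saying so would help; otherwise it should be an error rather than a silent fallback. Two smaller points: a get_* helper that can panic is surprising, so consider doing the certificate check in the caller or documenting the side effect, and vcssb can be declared inside the branch that uses it. The commit message also says audit mode requires at least one certificate, but the audit branch here returns without consulting zipl_secure_get_vcssb(); please confirm that is enforced elsewhere.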
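Review bot: in check_sclab_presence() (pc-bios/s390-ccw/secure-ipl.c) the existing comment "a missing SCLAB will not be reported in audit mode" now sits directly above lines that do report it in secure mode, so it reads as if it describes the new code. Reword it to cover both modes, for example that a missing SCLAB is fatal in secure mode and not reported in audit mode. The explicit boot_mode == ZIPL_BOOT_MODE_SECURE test in front of zipl_secure_handle(), which itself switches on boot_mode, exists only to skip the audit case; a short comment on why audit is exempt would make that intent clear. The message "Magic does not match. SCLAB does not exist" would be easier to act on if it named the component or magic value that was checked.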