From: Zhuoying Cai
To: qemu-s390x@nongnu.org, qemu-devel@nongnu.org
Cc: jrossi@linux.ibm.com, cohuck@redhat.com, berrange@redhat.com, richard.henderson@linaro.org, david@kernel.org, walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com, brueckner@linux.ibm.com, pierrick.bouvier@oss.qualcomm.com, jdaley@linux.ibm.com
Subject: [PATCH v11 01/32] Add boot-certs to s390-ccw-virtio machine type option
Date: Tue, 5 May 2026 16:18:33 -0400
Message-ID: <20260505201905.997996-2-zycai@linux.ibm.com>
In-Reply-To: <20260505201905.997996-1-zycai@linux.ibm.com>
References: <20260505201905.997996-1-zycai@linux.ibm.com>
Content-Transfer-Encoding: quoted-printable

Introduce a new `boot-certs` machine type option for the s390-ccw-virtio machine. This allows users to specify one or more certificate file paths or directories to be used during secure boot.

Each entry is specified using the syntax:

    boot-certs..path=/path/to/cert.pem

Multiple paths can be specified using array properties:

    boot-certs.0.path=/path/to/cert.pem,
    boot-certs.1.path=/path/to/cert-dir,
    boot-certs.2.path=/path/to/another-dir...

Signed-off-by: Zhuoying Cai Acked-by: Markus Armbruster --- docs/system/s390x/secure-ipl.rst | 20 ++++++++++++++++++++ docs/system/target-s390x.rst | 1 + hw/s390x/s390-virtio-ccw.c | 30 ++++++++++++++++++++++++++++++ include/hw/s390x/s390-virtio-ccw.h | 2 ++ qapi/machine-s390x.json | 23 +++++++++++++++++++++++ qapi/pragma.json | 1 + qemu-options.hx | 6 +++++- 7 files changed, 82 insertions(+), 1 deletion(-) create mode 100644 docs/system/s390x/secure-ipl.rst diff --git a/docs/system/s390x/secure-ipl.rst b/docs/system/s390x/secure-ip= l.rst new file mode 100644 index 0000000000..88df52ce2f --- /dev/null +++ b/docs/system/s390x/secure-ipl.rst @@ -0,0 +1,20 @@ +.. SPDX-License-Identifier: GPL-2.0-or-later + +Secure IPL Command Line Options +------------------------------- + +The s390-ccw-virtio machine type supports secure IPL. These parameters all= ow +users to provide certificates and enable secure IPL directly via the comma= nd +line. + +Providing Certificates +^^^^^^^^^^^^^^^^^^^^^^ + +The certificate store can be populated by supplying a list of X.509 certif= icate +file paths or directories containing certificate files on the command-line: + +Note: certificate files must have a .pem extension. + +.. code-block:: shell + + qemu-system-s390x -machine s390-ccw-virtio,boot-certs.0.path=3D/.../qe= mu/certs,boot-certs.1.path=3D/another/path/cert.pem ... diff --git a/docs/system/target-s390x.rst b/docs/system/target-s390x.rst index 94c981e732..8938a13d10 100644 --- a/docs/system/target-s390x.rst +++ b/docs/system/target-s390x.rst @@ -35,3 +35,4 @@ Architectural features s390x/bootdevices s390x/protvirt s390x/cpu-topology + s390x/secure-ipl diff --git a/hw/s390x/s390-virtio-ccw.c b/hw/s390x/s390-virtio-ccw.c index 4d35f9b10b..39adb69cfd 100644 --- a/hw/s390x/s390-virtio-ccw.c +++ b/hw/s390x/s390-virtio-ccw.c 
@@ -44,6 +44,7 @@ #include "target/s390x/kvm/pv.h" #include "migration/blocker.h" #include "qapi/visitor.h" +#include "qapi/qapi-visit-machine-s390x.h" #include "hw/s390x/cpu-topology.h" #include "kvm/kvm_s390x.h" #include "hw/virtio/virtio-md-pci.h" @@ -788,6 +789,30 @@ static void machine_set_loadparm(Object *obj, Visitor = *v, g_free(val); } =20 +static void machine_get_boot_certs(Object *obj, Visitor *v, + const char *name, void *opaque, + Error **errp) +{ + S390CcwMachineState *ms =3D S390_CCW_MACHINE(obj); + BootCertificatesList **certs =3D &ms->boot_certs; + + visit_type_BootCertificatesList(v, name, certs, errp); +} + +static void machine_set_boot_certs(Object *obj, Visitor *v, const char *na= me, + void *opaque, Error **errp) +{ + S390CcwMachineState *ms =3D S390_CCW_MACHINE(obj); + BootCertificatesList *cert_list =3D NULL; + + visit_type_BootCertificatesList(v, name, &cert_list, errp); + if (!cert_list) { + return; + } + + ms->boot_certs =3D cert_list; +} + /* * S390x-specific global compatibility properties. * @@ -856,6 +881,11 @@ static void ccw_machine_class_init(ObjectClass *oc, co= nst void *data) "Up to 8 chars in set of [A-Za-z0-9. ] (lower case chars conve= rted" " to upper case) to pass to machine loader, boot manager," " and guest kernel"); + + object_class_property_add(oc, "boot-certs", "BootCertificatesList", + machine_get_boot_certs, machine_set_boot_cer= ts, NULL, NULL); + object_class_property_set_description(oc, "boot-certs", + "provide paths to a directory and/or a certificate file for se= cure boot"); } =20 static inline void s390_machine_initfn(Object *obj) diff --git a/include/hw/s390x/s390-virtio-ccw.h b/include/hw/s390x/s390-vir= tio-ccw.h index f1f06119d6..5ad1ea2f24 100644 --- a/include/hw/s390x/s390-virtio-ccw.h +++ b/include/hw/s390x/s390-virtio-ccw.h 
@@ -14,6 +14,7 @@ #include "hw/core/boards.h" #include "qom/object.h" #include "hw/s390x/sclp.h" +#include "qapi/qapi-types-machine-s390x.h" =20 #define TYPE_S390_CCW_MACHINE "s390-ccw-machine" =20 @@ -31,6 +32,7 @@ struct S390CcwMachineState { uint8_t loadparm[8]; uint64_t memory_limit; uint64_t max_pagesize; + BootCertificatesList *boot_certs; =20 SCLPDevice *sclp; }; diff --git a/qapi/machine-s390x.json b/qapi/machine-s390x.json index ea430e1b88..bbe3646e91 100644 --- a/qapi/machine-s390x.json +++ b/qapi/machine-s390x.json @@ -140,3 +140,26 @@ { 'event': 'SCLP_CPI_INFO_AVAILABLE', 'features': [ 'unstable' ] } + +## +# @BootCertificates: +# +# Boot certificates for secure IPL. +# +# @path: path to an X.509 certificate file or a directory containing +# certificate files. +# +# Since: 11.1 +## +{ 'struct': 'BootCertificates', + 'data': {'path': 'str'} } + +## +# @DummyBootCertificates: +# +# Not used by QMP; hack to let us use BootCertificatesList internally. +# +# Since: 11.1 +## +{ 'struct': 'DummyBootCertificates', + 'data': {'unused-boot-certs': ['BootCertificates'] } } diff --git a/qapi/pragma.json b/qapi/pragma.json index 24aebbe8f5..342cedc42e 100644 --- a/qapi/pragma.json +++ b/qapi/pragma.json @@ -49,6 +49,7 @@ 'DisplayProtocol', 'DriveBackupWrapper', 'DummyBlockCoreForceArrays', + 'DummyBootCertificates', 'DummyForceArrays', 'DummyVirtioForceArrays', 'HotKeyMod', diff --git a/qemu-options.hx b/qemu-options.hx index 83a3aa9f0b..7f97a0d07e 100644 --- a/qemu-options.hx +++ b/qemu-options.hx 
@@ -45,7 +45,8 @@ DEF("machine", HAS_ARG, QEMU_OPTION_machine, \ " memory-backend=3D'backend-id' specifies explicitly pr= ovided backend for main RAM (default=3Dnone)\n" " cxl-fmw.0.targets.0=3Dfirsttarget,cxl-fmw.0.targets.1= =3Dsecondtarget,cxl-fmw.0.size=3Dsize[,cxl-fmw.0.interleave-granularity=3Dg= ranularity]\n" " sgx-epc.0.memdev=3Dmemid,sgx-epc.0.node=3Dnumaid\n" - " smp-cache.0.cache=3Dcachename,smp-cache.0.topology=3D= topologylevel\n", + " smp-cache.0.cache=3Dcachename,smp-cache.0.topology=3D= topologylevel\n" + " boot-certs.0.path=3D/path/directory,boot-certs.1.path= =3D/path/file provides paths to a directory and/or a certificate file\n", QEMU_ARCH_ALL) SRST ``-machine [type=3D]name[,prop=3Dvalue[,...]]`` 
@@ -209,6 +210,9 @@ SRST :: =20 -machine smp-cache.0.cache=3Dl1d,smp-cache.0.topology=3Dcore,s= mp-cache.1.cache=3Dl1i,smp-cache.1.topology=3Dcore + + ``boot-certs.0.path=3D/path/directory,boot-certs.1.path=3D/path/file`` + Provide paths to a directory and/or a certificate file on the host= [s390x only]. ERST =20 DEF("M", HAS_ARG, QEMU_OPTION_M, --=20 2.54.0
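
Review bot: in docs/system/s390x/secure-ipl.rst, the sentence ending "...on the command-line:" is followed by the "Note:" paragraph rather than by the code block it introduces. Move the note below the example or turn it into a `.. note::` directive, and say what happens to files in a listed directory that do not end in .pem (skipped or rejected), since that decides which certificates end up in the store.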
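
Review bot: in hw/s390x/s390-virtio-ccw.c, machine_set_boot_certs() assigns `ms->boot_certs = cert_list;` without releasing a list stored by an earlier set, so setting the property a second time leaks the first BootCertificatesList. Free the old value first with the QAPI-generated qapi_free_BootCertificatesList(ms->boot_certs), and test the bool returned by visit_type_BootCertificatesList() instead of inferring failure from a NULL list, because an empty list is also NULL and currently cannot clear a previous value. No release of boot_certs on machine finalization is visible in this patch either.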
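
Review bot: in qapi/machine-s390x.json, the @path description of BootCertificates omits the .pem extension requirement that secure-ipl.rst states in this same patch. Repeat the constraint there so the generated QAPI reference and the system documentation agree on which files are accepted.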
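
Review bot: in qemu-options.hx, the help line appended to the DEF("machine", ...) string is listed under QEMU_ARCH_ALL without the "[s390x only]" qualifier that the SRST text in the second hunk carries, while the property itself is only registered in ccw_machine_class_init(). Add the qualifier to the help string as well so that -machine help on other targets does not advertise the option unqualified.
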
From: Zhuoying Cai
To: qemu-s390x@nongnu.org, qemu-devel@nongnu.org
Cc: jrossi@linux.ibm.com, cohuck@redhat.com, berrange@redhat.com, richard.henderson@linaro.org, david@kernel.org, walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com, brueckner@linux.ibm.com, pierrick.bouvier@oss.qualcomm.com, jdaley@linux.ibm.com
Subject: [PATCH v11 02/32] crypto/x509-utils: Refactor with GNUTLS fallback
Date: Tue, 5 May 2026 16:18:34 -0400
Message-ID: <20260505201905.997996-3-zycai@linux.ibm.com>
In-Reply-To: <20260505201905.997996-1-zycai@linux.ibm.com>
References: <20260505201905.997996-1-zycai@linux.ibm.com>
Content-Transfer-Encoding: quoted-printable

Always compile x509-utils.c and add a fallback when GNUTLS is unavailable. These functions will be needed in the s390x code regardless of whether GNUTLS is available.

Signed-off-by: Zhuoying Cai
Acked-by: Daniel P. Berrangé
Reviewed-by: Daniel P. Berrangé
Reviewed-by: Farhan Ali
Reviewed-by: Thomas Huth
---
 crypto/meson.build | 2 +-
 crypto/x509-utils.c | 16 ++++++++++++++++
 2 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/crypto/meson.build b/crypto/meson.build index b51597a879..fda85543de 100644 --- a/crypto/meson.build +++ b/crypto/meson.build @@ -22,12 +22,12 @@ crypto_ss.add(files( 'tlscredsx509.c', 'tlssession.c', 'rsakey.c', + 'x509-utils.c', )) =20 if gnutls.found() crypto_ss.add(files( 'tlscredsbox.c', - 'x509-utils.c', )) endif =20 diff --git a/crypto/x509-utils.c b/crypto/x509-utils.c index 39bb6d4d8c..6176a88653 100644 --- a/crypto/x509-utils.c +++ b/crypto/x509-utils.c @@ -11,6 +11,8 @@ #include "qemu/osdep.h" #include "qapi/error.h" #include "crypto/x509-utils.h" + +#ifdef CONFIG_GNUTLS #include #include #include 
@@ -78,3 +80,17 @@ int qcrypto_get_x509_cert_fingerprint(uint8_t *cert, siz= e_t size, gnutls_x509_crt_deinit(crt); return ret; } + +#else /* ! CONFIG_GNUTLS */ + +int qcrypto_get_x509_cert_fingerprint(uint8_t *cert, size_t size, + QCryptoHashAlgo hash, + uint8_t *result, + size_t *resultlen, + Error **errp) +{ + error_setg(errp, "GNUTLS is required to get fingerprint"); + return -1; +} + +#endif /* ! CONFIG_GNUTLS */ --=20 2.54.0
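
Review bot: in the #else branch added to crypto/x509-utils.c, the qcrypto_get_x509_cert_fingerprint() stub returns -1 without writing *result or *resultlen, and with 'x509-utils.c' now built unconditionally in crypto/meson.build a missing GNUTLS shows up only as a runtime failure, not at link time. Add a comment at the stub (or in the commit message) stating that callers must check the return value before reading the outputs and that a build without GNUTLS cannot produce fingerprints, so the s390x callers this series adds treat the error as fatal for secure boot.
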
From: Zhuoying Cai
To: qemu-s390x@nongnu.org, qemu-devel@nongnu.org
Cc: jrossi@linux.ibm.com, cohuck@redhat.com, berrange@redhat.com, richard.henderson@linaro.org, david@kernel.org, walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com, brueckner@linux.ibm.com, pierrick.bouvier@oss.qualcomm.com, jdaley@linux.ibm.com
Subject: [PATCH v11 03/32] crypto/x509-utils: Add helper functions for certificate store
Date: Tue, 5 May 2026 16:18:35 -0400
Message-ID: <20260505201905.997996-4-zycai@linux.ibm.com>
In-Reply-To: <20260505201905.997996-1-zycai@linux.ibm.com>
References: <20260505201905.997996-1-zycai@linux.ibm.com>
Content-Transfer-Encoding: quoted-printable

Introduce new helper functions for x509 certificate, which will be used by the certificate store:

qcrypto_x509_convert_cert_der() - converts a certificate from PEM to DER format

These functions provide support for certificate format conversion.

Signed-off-by: Zhuoying Cai
Acked-by: Daniel P. Berrangé
Reviewed-by: Daniel P. Berrangé
Reviewed-by: Farhan Ali
Reviewed-by: Thomas Huth
--- crypto/x509-utils.c | 49 +++++++++++++++++++++++++++++++++++++ include/crypto/x509-utils.h | 21 ++++++++++++++++ 2 files changed, 70 insertions(+) diff --git a/crypto/x509-utils.c b/crypto/x509-utils.c index 6176a88653..68cf008938 100644 --- a/crypto/x509-utils.c +++ b/crypto/x509-utils.c @@ -81,6 +81,46 @@ int qcrypto_get_x509_cert_fingerprint(uint8_t *cert, siz= e_t size, return ret; } =20 +int qcrypto_x509_convert_cert_der(uint8_t *cert, size_t size, + uint8_t **result, size_t *resultlen, + Error **errp) +{ + int ret =3D -1; + int rc; + gnutls_x509_crt_t crt; + gnutls_datum_t datum =3D {.data =3D cert, .size =3D size}; + gnutls_datum_t datum_der =3D {.data =3D NULL, .size =3D 0}; + + rc =3D gnutls_x509_crt_init(&crt); + if (rc < 0) { + error_setg(errp, "Failed to initialize certificate: %s", gnutls_st= rerror(rc)); + return ret; + } + + rc =3D gnutls_x509_crt_import(crt, &datum, GNUTLS_X509_FMT_PEM); + if (rc !=3D 0) { + error_setg(errp, "Failed to import certificate: %s", gnutls_strerr= or(rc)); + goto cleanup; + } + + rc =3D gnutls_x509_crt_export2(crt, GNUTLS_X509_FMT_DER, &datum_der); + if (rc !=3D 0) { + error_setg(errp, "Failed to convert certificate to DER format: %s", + gnutls_strerror(rc)); + goto cleanup; + } + + *resultlen =3D datum_der.size; + *result =3D g_memdup2(datum_der.data, datum_der.size); + + ret =3D 0; + +cleanup: + gnutls_x509_crt_deinit(crt); + g_free(datum_der.data); + return ret; +} + #else /* ! CONFIG_GNUTLS */ =20 int qcrypto_get_x509_cert_fingerprint(uint8_t *cert, size_t size, 
@@ -93,4 +133,13 @@ int qcrypto_get_x509_cert_fingerprint(uint8_t *cert, si= ze_t size, return -1; } =20 +int qcrypto_x509_convert_cert_der(uint8_t *cert, size_t size, + uint8_t **result, + size_t *resultlen, + Error **errp) +{ + error_setg(errp, "GNUTLS is required to export X.509 certificate"); + return -1; +} + #endif /* ! CONFIG_GNUTLS */ diff --git a/include/crypto/x509-utils.h b/include/crypto/x509-utils.h index 1e99661a71..91ae79fb03 100644 --- a/include/crypto/x509-utils.h +++ b/include/crypto/x509-utils.h 
@@ -19,4 +19,25 @@ int qcrypto_get_x509_cert_fingerprint(uint8_t *cert, siz= e_t size, size_t *resultlen, Error **errp); =20 +/** + * qcrypto_x509_convert_cert_der + * @cert: pointer to the raw certificate data in PEM format + * @size: size of the certificate + * @result: output location for the allocated buffer for the certificate + * in DER format + * (the function allocates memory which must be freed by the call= er) + * @resultlen: pointer to the size of the buffer (will be updated with the + * actual size of the DER-encoded certificate) + * @errp: error pointer + * + * Convert the given @cert from PEM to DER format. + * + * Returns: 0 on success, + * -1 on error. + */ +int qcrypto_x509_convert_cert_der(uint8_t *cert, size_t size, + uint8_t **result, + size_t *resultlen, + Error **errp); + #endif --=20 2.54.0
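Review bot: in qcrypto_x509_convert_cert_der() (crypto/x509-utils.c), the cleanup path releases datum_der.data with g_free(), but that buffer is allocated by gnutls_x509_crt_export2() through the GnuTLS allocator, so it should be released with gnutls_free(datum_der.data) to keep allocator and deallocator paired. Two smaller points in the same function: gnutls_datum_t.size is an unsigned int, so the size_t size argument is narrowed silently in the datum initializer and an oversized input should be rejected up front; and the header comment says @resultlen "will be updated", which reads like an in/out parameter although the function only writes it. The commit message also says "helper functions" while the patch adds a single function.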
From: Zhuoying Cai
To: qemu-s390x@nongnu.org, qemu-devel@nongnu.org
Cc: jrossi@linux.ibm.com, cohuck@redhat.com, berrange@redhat.com, richard.henderson@linaro.org, david@kernel.org, walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com, brueckner@linux.ibm.com, pierrick.bouvier@oss.qualcomm.com, jdaley@linux.ibm.com
Subject: [PATCH v11 04/32] hw/s390x/ipl: Create certificate store
Date: Tue, 5 May 2026 16:18:36 -0400
Message-ID: <20260505201905.997996-5-zycai@linux.ibm.com>
In-Reply-To: <20260505201905.997996-1-zycai@linux.ibm.com>
References: <20260505201905.997996-1-zycai@linux.ibm.com>

Create a certificate store for boot certificates used for secure IPL.

Load certificates from the `boot-certs` parameter of s390-ccw-virtio
machine type option into the cert store.

Currently, only X.509 certificates in PEM format are supported, as the
QEMU command line accepts certificates in PEM format only.

Signed-off-by: Zhuoying Cai Reviewed-by: Farhan Ali --- docs/specs/index.rst | 1 + docs/specs/s390x-secure-ipl.rst | 16 +++ hw/s390x/cert-store.c | 221 ++++++++++++++++++++++++++++++++ hw/s390x/cert-store.h | 39 ++++++ hw/s390x/ipl.c | 10 ++ hw/s390x/ipl.h | 3 + hw/s390x/meson.build | 1 + include/hw/s390x/ipl/qipl.h | 2 + 8 files changed, 293 insertions(+) create mode 100644 docs/specs/s390x-secure-ipl.rst create mode 100644 hw/s390x/cert-store.c create mode 100644 hw/s390x/cert-store.h diff --git a/docs/specs/index.rst b/docs/specs/index.rst index b7909a108a..76d439782c 100644 --- a/docs/specs/index.rst +++ b/docs/specs/index.rst @@ -40,3 +40,4 @@ guest hardware that is specific to QEMU. riscv-aia aspeed-intc iommu-testdev + s390x-secure-ipl diff --git a/docs/specs/s390x-secure-ipl.rst b/docs/specs/s390x-secure-ipl.= rst new file mode 100644 index 0000000000..1cdf19783f --- /dev/null +++ b/docs/specs/s390x-secure-ipl.rst @@ -0,0 +1,16 @@ +.. SPDX-License-Identifier: GPL-2.0-or-later + +s390 Certificate Store and Functions +------------------------------------ + +s390 Certificate Store +^^^^^^^^^^^^^^^^^^^^^^ + +A certificate store is implemented for s390-ccw guests to retain within +memory all certificates provided by the user via the command-line, which +are expected to be stored somewhere on the host's file system. The store +will keep track of the number of certificates, their respective size, +and a summation of the sizes. + +Note: A maximum of 64 certificates are allowed to be stored in the certifi= cate +store. diff --git a/hw/s390x/cert-store.c b/hw/s390x/cert-store.c new file mode 100644 index 0000000000..a4f15627e9 --- /dev/null +++ b/hw/s390x/cert-store.c 
@@ -0,0 +1,221 @@ +/* + * S390 certificate store implementation + * + * Copyright 2025 IBM Corp. + * Author(s): Zhuoying Cai + * + * SPDX-License-Identifier: GPL-2.0-or-later + */ + +#include "qemu/osdep.h" +#include "cert-store.h" +#include "qapi/error.h" +#include "qemu/error-report.h" +#include "qemu/option.h" +#include "qemu/config-file.h" +#include "hw/s390x/ebcdic.h" +#include "hw/s390x/s390-virtio-ccw.h" +#include "qemu/cutils.h" +#include "crypto/x509-utils.h" +#include "qapi/qapi-types-machine-s390x.h" + +static BootCertificatesList *s390_get_boot_certs(void) +{ + return S390_CCW_MACHINE(qdev_get_machine())->boot_certs; +} + +static S390IPLCertificate *init_cert(char *path, Error **errp) +{ + int rc; + char *buf; + size_t size; + size_t der_len; + char name[CERT_NAME_MAX_LEN]; + g_autofree gchar *filename =3D NULL; + S390IPLCertificate *cert =3D NULL; + g_autofree uint8_t *cert_der =3D NULL; + Error *local_err =3D NULL; + + filename =3D g_path_get_basename(path); + + if (!g_file_get_contents(path, &buf, &size, NULL)) { + error_setg(errp, "Failed to load certificate: %s", path); + return NULL; + } + + rc =3D qcrypto_x509_convert_cert_der((uint8_t *)buf, size, + &cert_der, &der_len, &local_err); + if (rc !=3D 0) { + error_propagate_prepend(errp, local_err, + "Failed to initialize certificate: %s: ", = path); + g_free(buf); + return NULL; + } + + cert =3D g_new0(S390IPLCertificate, 1); + cert->size =3D size; + /* + * Store DER length only - reused for size calculation. + * cert_der is discarded because DER certificate data will be used once + * and can be regenerated from cert->raw. + */ + cert->der_size =3D der_len; + /* store raw pointer - ownership transfers to cert */ + cert->raw =3D (uint8_t *)buf; + + /* + * Left justified certificate name with padding on the right with blan= ks. + * Convert certificate name to EBCDIC. 
+ */ + strpadcpy(name, CERT_NAME_MAX_LEN, filename, ' '); + ebcdic_put(cert->name, name, CERT_NAME_MAX_LEN); + + return cert; +} + +static void update_cert_store(S390IPLCertificateStore *cert_store, + S390IPLCertificate *cert) +{ + size_t data_buf_size; + size_t keyid_buf_size; + size_t hash_buf_size; + size_t cert_buf_size; + + /* length field is word aligned for later DIAG use */ + keyid_buf_size =3D ROUND_UP(CERT_KEY_ID_LEN, 4); + hash_buf_size =3D ROUND_UP(CERT_HASH_LEN, 4); + cert_buf_size =3D ROUND_UP(cert->der_size, 4); + data_buf_size =3D keyid_buf_size + hash_buf_size + cert_buf_size; + + if (cert_store->largest_cert_size < data_buf_size) { + cert_store->largest_cert_size =3D data_buf_size; + } + + g_assert(cert_store->count < MAX_CERTIFICATES); + + cert_store->certs[cert_store->count] =3D *cert; + cert_store->total_bytes +=3D data_buf_size; + cert_store->count++; +} + +static GPtrArray *get_cert_paths(Error **errp) +{ + struct stat st; + BootCertificatesList *path_list =3D NULL; + BootCertificatesList *list =3D NULL; + gchar *cert_path; + GDir *dir =3D NULL; + const gchar *filename; + bool is_empty; + g_autoptr(GError) err =3D NULL; + g_autoptr(GPtrArray) cert_path_builder =3D g_ptr_array_new_full(0, g_f= ree); + + path_list =3D s390_get_boot_certs(); + + for (list =3D path_list; list; list =3D list->next) { + cert_path =3D list->value->path; + + if (g_strcmp0(cert_path, "") =3D=3D 0) { + error_setg(errp, "Empty path in certificate path list is not a= llowed"); + goto fail; + } + + if (stat(cert_path, &st) !=3D 0) { + error_setg(errp, "Failed to stat path '%s': %s", + cert_path, g_strerror(errno)); + goto fail; + } + + if (S_ISREG(st.st_mode)) { + if (!g_str_has_suffix(cert_path, ".pem")) { + error_setg(errp, "Certificate file '%s' must have a .pem e= xtension", + cert_path); + goto fail; + } + + g_ptr_array_add(cert_path_builder, g_strdup(cert_path)); + } else if (S_ISDIR(st.st_mode)) { + dir =3D g_dir_open(cert_path, 0, &err); + if (dir =3D=3D NULL) { + 
error_setg(errp, "Failed to open directory '%s': %s", + cert_path, err->message); + + goto fail; + } + + is_empty =3D true; + while ((filename =3D g_dir_read_name(dir))) { + is_empty =3D false; + + if (g_str_has_suffix(filename, ".pem")) { + g_ptr_array_add(cert_path_builder, + g_build_filename(cert_path, filename, = NULL)); + } else { + warn_report("skipping '%s': not a .pem file", filename= ); + } + } + + if (is_empty) { + warn_report("'%s' directory is empty", cert_path); + } + + g_dir_close(dir); + } else { + error_setg(errp, "Path '%s' is neither a file nor a directory"= , cert_path); + goto fail; + } + } + + qapi_free_BootCertificatesList(path_list); + return g_steal_pointer(&cert_path_builder); + +fail: + qapi_free_BootCertificatesList(path_list); + return NULL; +} + +void s390_ipl_create_cert_store(S390IPLCertificateStore *cert_store) +{ + GPtrArray *cert_path_builder; + Error *err =3D NULL; + + /* If cert store is already populated, then no work to do */ + if (cert_store->count) { + return; + } + + cert_path_builder =3D get_cert_paths(&err); + if (cert_path_builder =3D=3D NULL) { + error_report_err(err); + exit(1); + } + + if (cert_path_builder->len =3D=3D 0) { + g_ptr_array_free(cert_path_builder, TRUE); + return; + } + + if (cert_path_builder->len > MAX_CERTIFICATES) { + error_report("Cert store exceeds maximum of %d certificates", MAX_= CERTIFICATES); + g_ptr_array_free(cert_path_builder, TRUE); + exit(1); + } + + cert_store->largest_cert_size =3D 0; + cert_store->total_bytes =3D 0; + + for (int i =3D 0; i < cert_path_builder->len; i++) { + g_autofree S390IPLCertificate *cert =3D + init_cert((char *) cert_path_builder->pdata[i], + &err); + if (!cert) { + error_report_err(err); + g_ptr_array_free(cert_path_builder, TRUE); + exit(1); + } + + update_cert_store(cert_store, cert); + } + + g_ptr_array_free(cert_path_builder, TRUE); +} diff --git a/hw/s390x/cert-store.h b/hw/s390x/cert-store.h new file mode 100644 index 0000000000..7fc9503cb9 --- /dev/null 
+++ b/hw/s390x/cert-store.h @@ -0,0 +1,39 @@ +/* + * S390 certificate store + * + * Copyright 2025 IBM Corp. + * Author(s): Zhuoying Cai + * + * SPDX-License-Identifier: GPL-2.0-or-later + */ + +#ifndef HW_S390_CERT_STORE_H +#define HW_S390_CERT_STORE_H + +#include "hw/s390x/ipl/qipl.h" +#include "crypto/x509-utils.h" + +#define CERT_NAME_MAX_LEN 64 + +#define CERT_KEY_ID_LEN QCRYPTO_HASH_DIGEST_LEN_SHA256 +#define CERT_HASH_LEN QCRYPTO_HASH_DIGEST_LEN_SHA256 + +struct S390IPLCertificate { + uint8_t name[CERT_NAME_MAX_LEN]; + size_t size; + size_t der_size; + uint8_t *raw; +}; +typedef struct S390IPLCertificate S390IPLCertificate; + +struct S390IPLCertificateStore { + uint16_t count; + size_t largest_cert_size; + size_t total_bytes; + S390IPLCertificate certs[MAX_CERTIFICATES]; +}; +typedef struct S390IPLCertificateStore S390IPLCertificateStore; + +void s390_ipl_create_cert_store(S390IPLCertificateStore *cert_store); + +#endif diff --git a/hw/s390x/ipl.c b/hw/s390x/ipl.c index 1babcd2b7d..fbef46aee5 100644 --- a/hw/s390x/ipl.c +++ b/hw/s390x/ipl.c @@ -38,6 +38,7 @@ #include "qemu/option.h" #include "qemu/ctype.h" #include "standard-headers/linux/virtio_ids.h" +#include "cert-store.h" =20 #define KERN_IMAGE_START 0x010000UL #define LINUX_MAGIC_ADDR 0x010008UL @@ -453,6 +454,13 @@ void s390_ipl_convert_loadparm(char *ascii_lp, uint8_t= *ebcdic_lp) } } =20 +S390IPLCertificateStore *s390_ipl_get_certificate_store(void) +{ + S390IPLState *ipl =3D get_ipl_device(); + + return &ipl->cert_store; +} + static bool s390_build_iplb(DeviceState *dev_st, IplParameterBlock *iplb) { CcwDevice *ccw_dev =3D NULL; @@ -771,6 +779,8 @@ void s390_ipl_prepare_cpu(S390CPU *cpu) cpu->env.psw.addr =3D ipl->start_addr; cpu->env.psw.mask =3D IPL_PSW_MASK; =20 + s390_ipl_create_cert_store(&ipl->cert_store); + if (!ipl->kernel || ipl->iplb_valid) { cpu->env.psw.addr =3D ipl->bios_start_addr; if (!ipl->iplb_valid) { diff --git a/hw/s390x/ipl.h b/hw/s390x/ipl.h index fac30763df..f5a49a4431 100644 
--- a/hw/s390x/ipl.h +++ b/hw/s390x/ipl.h @@ -13,6 +13,7 @@ #ifndef HW_S390_IPL_H #define HW_S390_IPL_H =20 +#include "cert-store.h" #include "target/s390x/cpu.h" #include "exec/target_page.h" #include "system/address-spaces.h" @@ -35,6 +36,7 @@ int s390_ipl_pv_unpack(struct S390PVResponse *pv_resp); void s390_ipl_prepare_cpu(S390CPU *cpu); IplParameterBlock *s390_ipl_get_iplb(void); IplParameterBlock *s390_ipl_get_iplb_pv(void); +S390IPLCertificateStore *s390_ipl_get_certificate_store(void); =20 enum s390_reset { /* default is a reset not triggered by a CPU e.g. issued by QMP */ @@ -63,6 +65,7 @@ struct S390IPLState { IplParameterBlock iplb; IplParameterBlock iplb_pv; QemuIplParameters qipl; + S390IPLCertificateStore cert_store; uint64_t start_addr; uint64_t compat_start_addr; uint64_t bios_start_addr; diff --git a/hw/s390x/meson.build b/hw/s390x/meson.build index 57cc2a6be3..6b39ad012f 100644 --- a/hw/s390x/meson.build +++ b/hw/s390x/meson.build @@ -17,6 +17,7 @@ s390x_ss.add(files( 'sclpcpu.c', 'sclpquiesce.c', 'tod.c', + 'cert-store.c', )) s390x_ss.add(when: 'CONFIG_KVM', if_true: files( 'tod-kvm.c', diff --git a/include/hw/s390x/ipl/qipl.h b/include/hw/s390x/ipl/qipl.h index 8d3c83a80b..ed1a91182a 100644 --- a/include/hw/s390x/ipl/qipl.h +++ b/include/hw/s390x/ipl/qipl.h 
@@ -31,6 +31,8 @@ typedef enum S390IplType S390IplType; =20 #define QEMU_DEFAULT_IPL S390_IPL_TYPE_CCW =20 +#define MAX_CERTIFICATES 64 + /* * The QEMU IPL Parameters will be stored at absolute address * 204 (0xcc) which means it is 32-bit word aligned but not --=20 2.54.0
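Review bot: get_cert_paths() in hw/s390x/cert-store.c frees a list it does not own. s390_get_boot_certs() returns the machine's own boot_certs pointer rather than a copy, and both the success path and the fail label call qapi_free_BootCertificatesList(path_list), which leaves the machine field dangling. s390_ipl_create_cert_store() only short-circuits on cert_store->count, so when the first pass loads nothing (a boot-certs directory without any .pem file, say) a later call from s390_ipl_prepare_cpu() walks the freed list. Either iterate the list without freeing it, or clone it and free the clone. Related: every load error ends in exit(1) on the s390_ipl_prepare_cpu() path; validating boot-certs when the machine is initialised would report a bad path before the guest is set up. In init_cert(), g_file_get_contents() is passed NULL for its GError, so "Failed to load certificate" never says why.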
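Review bot: the new docs/specs/s390x-secure-ipl.rst section does not document the input rules that cert-store.c enforces. It should state that each boot-certs entry is either a file or a directory, that only names ending in .pem are loaded (a non-.pem file given directly is an error, inside a directory it is skipped with a warning), and that the stored name is the file's basename padded or truncated to CERT_NAME_MAX_LEN (64) bytes and converted to EBCDIC, so two certificates with the same basename in different directories end up with identical names.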
From: Zhuoying Cai
To: qemu-s390x@nongnu.org, qemu-devel@nongnu.org
Cc: jrossi@linux.ibm.com, cohuck@redhat.com, berrange@redhat.com, richard.henderson@linaro.org, david@kernel.org, walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com, brueckner@linux.ibm.com, pierrick.bouvier@oss.qualcomm.com, jdaley@linux.ibm.com
Subject: [PATCH v11 05/32] s390x/diag: Introduce DIAG 320 for Certificate Store Facility
Date: Tue, 5 May 2026 16:18:37 -0400
Message-ID: <20260505201905.997996-6-zycai@linux.ibm.com>
In-Reply-To: <20260505201905.997996-1-zycai@linux.ibm.com>
References: <20260505201905.997996-1-zycai@linux.ibm.com>

DIAGNOSE 320 is introduced to support Certificate Store (CS)
Facility, which includes operations such as query certificate
storage information and provide certificates in the certificate
store.

Currently, only subcode 0 is supported with this patch, which is
used to query the Installed Subcodes Mask (ISM).

This subcode is only supported when the CS facility is enabled.

Availability of CS facility is determined by byte 134 bit 5 of the
SCLP Read Info block.
Byte 134's facilities cannot be represented without the availability of the extended-length-SCCB, so add it as a check for consistency. Note: secure IPL is not available for Secure Execution (SE) guests, as their images are already integrity protected, and an additional protection of the kernel by secure IPL is not necessary. This feature is available starting with the gen16 CPU model. Signed-off-by: Zhuoying Cai Reviewed-by: Collin Walling Reviewed-by: Farhan Ali Reviewed-by: Thomas Huth --- docs/specs/s390x-secure-ipl.rst | 12 +++++++++ include/hw/s390x/ipl/diag320.h | 20 ++++++++++++++ target/s390x/cpu_features.c | 1 + target/s390x/cpu_features_def.h.inc | 1 + target/s390x/cpu_models.c | 2 ++ target/s390x/diag.c | 42 +++++++++++++++++++++++++++++ target/s390x/gen-features.c | 3 +++ target/s390x/kvm/kvm.c | 16 +++++++++++ target/s390x/s390x-internal.h | 2 ++ target/s390x/tcg/misc_helper.c | 7 +++++ 10 files changed, 106 insertions(+) create mode 100644 include/hw/s390x/ipl/diag320.h diff --git a/docs/specs/s390x-secure-ipl.rst b/docs/specs/s390x-secure-ipl.= rst index 1cdf19783f..5f7b5bf559 100644 --- a/docs/specs/s390x-secure-ipl.rst +++ b/docs/specs/s390x-secure-ipl.rst @@ -14,3 +14,15 @@ and a summation of the sizes. =20 Note: A maximum of 64 certificates are allowed to be stored in the certifi= cate store. + +DIAGNOSE function code 'X'320' - Certificate Store Facility +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +DIAGNOSE 'X'320' is used to provide support for guest code to directly +query the s390 certificate store. Guest code may be the s390-ccw BIOS or +the guest kernel. + +Subcode 0 - query installed subcodes + Returns a 256-bit installed subcodes mask (ISM) stored in the installed + subcodes block (ISB). This mask indicates which subcodes are currently + installed and available for use. diff --git a/include/hw/s390x/ipl/diag320.h b/include/hw/s390x/ipl/diag320.h new file mode 100644 index 0000000000..aa04b699c6 --- /dev/null 
+++ b/include/hw/s390x/ipl/diag320.h @@ -0,0 +1,20 @@ +/* + * S/390 DIAGNOSE 320 definitions and structures + * + * Copyright 2025 IBM Corp. + * Author(s): Zhuoying Cai + * + * SPDX-License-Identifier: GPL-2.0-or-later + */ + +#ifndef S390X_DIAG320_H +#define S390X_DIAG320_H + +#define DIAG_320_SUBC_QUERY_ISM 0 + +#define DIAG_320_RC_OK 0x0001 +#define DIAG_320_RC_NOT_SUPPORTED 0x0102 + +#define DIAG_320_ISM_QUERY_SUBCODES 0x80000000 + +#endif diff --git a/target/s390x/cpu_features.c b/target/s390x/cpu_features.c index 4b5be6798e..436471f4b4 100644 --- a/target/s390x/cpu_features.c +++ b/target/s390x/cpu_features.c @@ -147,6 +147,7 @@ void s390_fill_feat_block(const S390FeatBitmap features= , S390FeatType type, break; case S390_FEAT_TYPE_SCLP_FAC134: clear_be_bit(s390_feat_def(S390_FEAT_DIAG_318)->bit, data); + clear_be_bit(s390_feat_def(S390_FEAT_CERT_STORE)->bit, data); break; default: return; diff --git a/target/s390x/cpu_features_def.h.inc b/target/s390x/cpu_feature= s_def.h.inc index c017bffcdc..2976ecd0ee 100644 --- a/target/s390x/cpu_features_def.h.inc +++ b/target/s390x/cpu_features_def.h.inc @@ -138,6 +138,7 @@ DEF_FEAT(SIE_IBS, "ibs", SCLP_CONF_CHAR_EXT, 10, "SIE: = Interlock-and-broadcast-s =20 /* Features exposed via SCLP SCCB Facilities byte 134 (bit numbers relativ= e to byte-134) */ DEF_FEAT(DIAG_318, "diag318", SCLP_FAC134, 0, "Control program name and ve= rsion codes") +DEF_FEAT(CERT_STORE, "cstore", SCLP_FAC134, 5, "Certificate Store function= s") =20 /* Features exposed via SCLP CPU info. */ DEF_FEAT(SIE_F2, "sief2", SCLP_CPU, 4, "SIE: interception format 2 (Virtua= l SIE)") diff --git a/target/s390x/cpu_models.c b/target/s390x/cpu_models.c index 0b88868289..962f135f42 100644 --- a/target/s390x/cpu_models.c +++ b/target/s390x/cpu_models.c 
@@ -248,6 +248,7 @@ bool s390_has_feat(S390Feat feat) if (s390_is_pv()) { switch (feat) { case S390_FEAT_DIAG_318: + case S390_FEAT_CERT_STORE: case S390_FEAT_HPMA2: case S390_FEAT_SIE_F2: case S390_FEAT_SIE_SKEY: @@ -505,6 +506,7 @@ static void check_consistency(const S390CPUModel *model) { S390_FEAT_PTFF_STOUE, S390_FEAT_MULTIPLE_EPOCH }, { S390_FEAT_AP_QUEUE_INTERRUPT_CONTROL, S390_FEAT_AP }, { S390_FEAT_DIAG_318, S390_FEAT_EXTENDED_LENGTH_SCCB }, + { S390_FEAT_CERT_STORE, S390_FEAT_EXTENDED_LENGTH_SCCB }, { S390_FEAT_NNPA, S390_FEAT_VECTOR }, { S390_FEAT_RDP, S390_FEAT_LOCAL_TLB_CLEARING }, { S390_FEAT_UV_FEAT_AP, S390_FEAT_AP }, diff --git a/target/s390x/diag.c b/target/s390x/diag.c index da44b0133e..6373544bb2 100644 --- a/target/s390x/diag.c +++ b/target/s390x/diag.c @@ -18,6 +18,7 @@ #include "hw/watchdog/wdt_diag288.h" #include "system/cpus.h" #include "hw/s390x/ipl.h" +#include "hw/s390x/ipl/diag320.h" #include "hw/s390x/s390-virtio-ccw.h" #include "system/kvm.h" #include "kvm/kvm_s390x.h" 
@@ -192,3 +193,44 @@ out: break; } } + +void handle_diag_320(CPUS390XState *env, uint64_t r1, uint64_t r3, uintptr= _t ra) +{ + S390CPU *cpu =3D env_archcpu(env); + uint64_t subcode =3D env->regs[r3]; + uint64_t addr =3D env->regs[r1]; + + if (env->psw.mask & PSW_MASK_PSTATE) { + s390_program_interrupt(env, PGM_PRIVILEGED, ra); + return; + } + + if (!s390_has_feat(S390_FEAT_CERT_STORE) || + (subcode & ~0x000ffULL) || + (r1 & 1)) { + s390_program_interrupt(env, PGM_SPECIFICATION, ra); + return; + } + + + switch (subcode) { + case DIAG_320_SUBC_QUERY_ISM: + /* + * The Installed Subcode Block (ISB) can be up 8 words in size, + * but the current set of subcodes can fit within a single word + * for now. + */ + uint32_t ism_word0 =3D cpu_to_be32(DIAG_320_ISM_QUERY_SUBCODES); + + if (s390_cpu_virt_mem_write(cpu, addr, r1, &ism_word0, sizeof(ism_= word0))) { + s390_cpu_virt_mem_handle_exc(cpu, ra); + return; + } + + env->regs[r1 + 1] =3D DIAG_320_RC_OK; + break; + default: + env->regs[r1 + 1] =3D DIAG_320_RC_NOT_SUPPORTED; + break; + } +} diff --git a/target/s390x/gen-features.c b/target/s390x/gen-features.c index 8218e6470e..6c20c3a862 100644 --- a/target/s390x/gen-features.c +++ b/target/s390x/gen-features.c @@ -720,6 +720,7 @@ static uint16_t full_GEN16_GA1[] =3D { S390_FEAT_PAIE, S390_FEAT_UV_FEAT_AP, S390_FEAT_UV_FEAT_AP_INTR, + S390_FEAT_CERT_STORE, }; =20 static uint16_t full_GEN17_GA1[] =3D { @@ -919,6 +920,8 @@ static uint16_t qemu_MAX[] =3D { S390_FEAT_KIMD_SHA_512, S390_FEAT_KLMD_SHA_512, S390_FEAT_PRNO_TRNG, + S390_FEAT_EXTENDED_LENGTH_SCCB, + S390_FEAT_CERT_STORE, }; =20 /****** END FEATURE DEFS ******/ diff --git a/target/s390x/kvm/kvm.c b/target/s390x/kvm/kvm.c index 2e4f435c53..a5411859a8 100644 --- a/target/s390x/kvm/kvm.c +++ b/target/s390x/kvm/kvm.c 
@@ -99,6 +99,7 @@ #define DIAG_TIMEREVENT 0x288 #define DIAG_IPL 0x308 #define DIAG_SET_CONTROL_PROGRAM_CODES 0x318 +#define DIAG_CERT_STORE 0x320 #define DIAG_KVM_HYPERCALL 0x500 #define DIAG_KVM_BREAKPOINT 0x501 =20 @@ -1531,6 +1532,16 @@ static void handle_diag_318(S390CPU *cpu, struct kvm= _run *run) } } =20 +static void kvm_handle_diag_320(S390CPU *cpu, struct kvm_run *run) +{ + uint64_t r1, r3; + + r1 =3D (run->s390_sieic.ipa & 0x00f0) >> 4; + r3 =3D run->s390_sieic.ipa & 0x000f; + + handle_diag_320(&cpu->env, r1, r3, RA_IGNORED); +} + #define DIAG_KVM_CODE_MASK 0x000000000000ffff =20 static int handle_diag(S390CPU *cpu, struct kvm_run *run, uint32_t ipb) @@ -1561,6 +1572,9 @@ static int handle_diag(S390CPU *cpu, struct kvm_run *= run, uint32_t ipb) case DIAG_KVM_BREAKPOINT: r =3D handle_sw_breakpoint(cpu, run); break; + case DIAG_CERT_STORE: + kvm_handle_diag_320(cpu, run); + break; default: trace_kvm_insn_diag(func_code); kvm_s390_program_interrupt(cpu, PGM_SPECIFICATION); @@ -2462,6 +2476,8 @@ bool kvm_s390_get_host_cpu_model(S390CPUModel *model,= Error **errp) set_bit(S390_FEAT_DIAG_318, model->features); } =20 + set_bit(S390_FEAT_CERT_STORE, model->features); + /* Test for Ultravisor features that influence secure guest behavior */ query_uv_feat_guest(model->features); =20 diff --git a/target/s390x/s390x-internal.h b/target/s390x/s390x-internal.h index 40850bcdc4..b16490bce6 100644 --- a/target/s390x/s390x-internal.h +++ b/target/s390x/s390x-internal.h @@ -388,6 +388,8 @@ int mmu_translate_real(CPUS390XState *env, hwaddr raddr= , int rw, int handle_diag_288(CPUS390XState *env, uint64_t r1, uint64_t r3); void handle_diag_308(CPUS390XState *env, uint64_t r1, uint64_t r3, uintptr_t ra); +void handle_diag_320(CPUS390XState *env, uint64_t r1, uint64_t r3, + uintptr_t ra); =20 =20 /* translate.c */ diff --git a/target/s390x/tcg/misc_helper.c b/target/s390x/tcg/misc_helper.c index 1fd900fbbf..4d73475d95 100644 --- a/target/s390x/tcg/misc_helper.c 
+++ b/target/s390x/tcg/misc_helper.c 
@@ -142,6 +142,13 @@ void HELPER(diag)(CPUS390XState *env, uint32_t r1, uin= t32_t r3, uint32_t num) /* time bomb (watchdog) */ r =3D handle_diag_288(env, r1, r3); break; + case 0x320: + /* cert store */ + bql_lock(); + handle_diag_320(env, r1, r3, GETPC()); + bql_unlock(); + r =3D 0; + break; default: r =3D -1; break; --=20 2.54.0
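Review bot: in target/s390x/diag.c, the `case DIAG_320_SUBC_QUERY_ISM:` arm of handle_diag_320() writes only `sizeof(ism_word0)` (4 bytes) to the guest, while the documentation added in this same patch describes the ISM as a 256-bit mask stored in the ISB. A guest that reads all eight words after DIAG_320_RC_OK sees whatever its buffer held before the call in words 1 to 7 and may treat stale bits as installed subcodes. Consider writing a zero-initialised 32-byte block with word 0 set, so the result does not depend on the guest pre-clearing its buffer. Separately, the declaration of `ism_word0` directly follows the case label (only a comment sits between them), and a declaration after a label is not valid before C23; wrapping the arm in braces avoids relying on a compiler extension. The comment also reads "can be up 8 words" where "up to 8 words" is meant.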
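Review bot: in target/s390x/kvm/kvm.c, kvm_s390_get_host_cpu_model() now calls `set_bit(S390_FEAT_CERT_STORE, model->features);` unconditionally, whereas the S390_FEAT_DIAG_318 bit immediately above it is set inside a conditional block. The commit message says the feature is available starting with the gen16 CPU model, and the cpu_models.c hunk makes S390_FEAT_CERT_STORE depend on S390_FEAT_EXTENDED_LENGTH_SCCB in check_consistency(), so it is unclear what happens on a host model that lacks that dependency. Either gate the set_bit on the dependency or add a comment stating why no probe is needed at this point.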
From: Zhuoying Cai
To: qemu-s390x@nongnu.org, qemu-devel@nongnu.org
Cc: jrossi@linux.ibm.com, cohuck@redhat.com, berrange@redhat.com, richard.henderson@linaro.org, david@kernel.org, walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com, brueckner@linux.ibm.com, pierrick.bouvier@oss.qualcomm.com, jdaley@linux.ibm.com
Subject: [PATCH v11 06/32] s390x/diag: Refactor address validation check from diag308_parm_check
Date: Tue, 5 May 2026 16:18:38 -0400
Message-ID: <20260505201905.997996-7-zycai@linux.ibm.com>
In-Reply-To: <20260505201905.997996-1-zycai@linux.ibm.com>
Create a function to validate the address parameter of DIAGNOSE. Refactor the function for reuse in the next patch, which allows address validation in read or write operation of DIAGNOSE. Signed-off-by: Zhuoying Cai Reviewed-by: Farhan Ali Reviewed-by: Collin Walling Reviewed-by: Hendrik Brueckner Reviewed-by: Thomas Huth --- target/s390x/diag.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/target/s390x/diag.c b/target/s390x/diag.c index 6373544bb2..8ab40437a2 100644 
--- a/target/s390x/diag.c +++ b/target/s390x/diag.c @@ -26,6 +26,12 @@ #include "qemu/error-report.h" =20 =20 +static inline bool diag_parm_addr_valid(uint64_t addr, size_t size, bool w= rite) +{ + return address_space_access_valid(&address_space_memory, addr, + size, write, MEMTXATTRS_UNSPECIFIED); +} + int handle_diag_288(CPUS390XState *env, uint64_t r1, uint64_t r3) { uint64_t func =3D env->regs[r1]; 
@@ -65,9 +71,7 @@ static int diag308_parm_check(CPUS390XState *env, uint64_= t r1, uint64_t addr, s390_program_interrupt(env, PGM_SPECIFICATION, ra); return -1; } - if (!address_space_access_valid(&address_space_memory, addr, - sizeof(IplParameterBlock), write, - MEMTXATTRS_UNSPECIFIED)) { + if (!diag_parm_addr_valid(addr, sizeof(IplParameterBlock), write)) { s390_program_interrupt(env, PGM_ADDRESSING, ra); return -1; } --=20 2.54.0
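Review bot: diag_parm_addr_valid(), added near the top of target/s390x/diag.c, has no comment stating which kind of address it validates. It passes `addr` to address_space_access_valid() on `&address_space_memory`, so it checks a guest physical (absolute) address; since the commit message says the helper is factored out for reuse by other DIAGNOSE read and write paths, a one-line comment saying so would keep later callers from pairing it with accessors that take a logical address. `static inline` in a .c file can also be plain `static`, leaving the inlining decision to the compiler.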
From: Zhuoying Cai
To: qemu-s390x@nongnu.org, qemu-devel@nongnu.org
Cc: jrossi@linux.ibm.com, cohuck@redhat.com, berrange@redhat.com, richard.henderson@linaro.org, david@kernel.org, walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com, brueckner@linux.ibm.com, pierrick.bouvier@oss.qualcomm.com, jdaley@linux.ibm.com
Subject: [PATCH v11 07/32] s390x/diag: Implement DIAG 320 subcode 1
Date: Tue, 5 May 2026 16:18:39 -0400
Message-ID: <20260505201905.997996-8-zycai@linux.ibm.com>
In-Reply-To: <20260505201905.997996-1-zycai@linux.ibm.com>
DIAG 320 subcode 1 provides information needed to determine the amount of storage to store one or more certificates from the certificate store. Upon successful completion, this subcode returns information of the current cert store, such as the number of certificates stored and allowed in the cert store, the amount of space that may need to be allocated to store a certificate, etc. for verification-certificate blocks (VCBs). The subcode value is denoted by setting the left-most bit of an 8-byte field. 
The verification-certificate-storage-size block (VCSSB) contains the output data when the operation completes successfully. A VCSSB length of 4 indicates that no certificate are available in the cert store. Signed-off-by: Zhuoying Cai Reviewed-by: Farhan Ali Reviewed-by: Collin Walling --- docs/specs/s390x-secure-ipl.rst | 12 ++++++ hw/s390x/cert-store.h | 3 +- include/hw/s390x/ipl/diag320.h | 57 +++++++++++++++++++++++++++++ target/s390x/diag.c | 65 ++++++++++++++++++++++++++++++++- 4 files changed, 134 insertions(+), 3 deletions(-) diff --git a/docs/specs/s390x-secure-ipl.rst b/docs/specs/s390x-secure-ipl.= rst index 5f7b5bf559..807a8ae393 100644 --- a/docs/specs/s390x-secure-ipl.rst +++ b/docs/specs/s390x-secure-ipl.rst @@ -26,3 +26,15 @@ Subcode 0 - query installed subcodes Returns a 256-bit installed subcodes mask (ISM) stored in the installed subcodes block (ISB). This mask indicates which subcodes are currently installed and available for use. + +Subcode 1 - query verification certificate storage information + Provides the information required to determine the amount of memory ne= eded + to store one or more verification-certificates (VCs) from the certific= ate + store (CS). + + Upon successful completion, this subcode returns various storage size = values + for verification-certificate blocks (VCBs). + + The output is returned in the verification-certificate-storage-size bl= ock + (VCSSB). A VCSSB length of 4 indicates that no certificates are availa= ble + in the CS. diff --git a/hw/s390x/cert-store.h b/hw/s390x/cert-store.h index 7fc9503cb9..6f5ee63177 100644 --- a/hw/s390x/cert-store.h +++ b/hw/s390x/cert-store.h @@ -11,10 +11,9 @@ #define HW_S390_CERT_STORE_H =20 #include "hw/s390x/ipl/qipl.h" +#include "hw/s390x/ipl/diag320.h" #include "crypto/x509-utils.h" =20 -#define CERT_NAME_MAX_LEN 64 - #define CERT_KEY_ID_LEN QCRYPTO_HASH_DIGEST_LEN_SHA256 #define CERT_HASH_LEN QCRYPTO_HASH_DIGEST_LEN_SHA256 =20 
diff --git a/include/hw/s390x/ipl/diag320.h b/include/hw/s390x/ipl/diag320.h index aa04b699c6..90797728d8 100644 --- a/include/hw/s390x/ipl/diag320.h +++ b/include/hw/s390x/ipl/diag320.h @@ -11,10 +11,67 @@ #define S390X_DIAG320_H =20 #define DIAG_320_SUBC_QUERY_ISM 0 +#define DIAG_320_SUBC_QUERY_VCSI 1 =20 #define DIAG_320_RC_OK 0x0001 #define DIAG_320_RC_NOT_SUPPORTED 0x0102 +#define DIAG_320_RC_INVAL_VCSSB_LEN 0x0202 =20 #define DIAG_320_ISM_QUERY_SUBCODES 0x80000000 +#define DIAG_320_ISM_QUERY_VCSI 0x40000000 + +#define VCSSB_NO_VC 4 +#define VCSSB_MIN_LEN 128 + +#define CERT_NAME_MAX_LEN 64 + +struct VCStorageSizeBlock { + uint32_t length; + uint8_t reserved0[3]; + uint8_t version; + uint32_t reserved1[6]; + uint16_t total_vc_ct; + uint16_t max_vc_ct; + uint32_t reserved3[11]; + uint32_t max_single_vcb_len; + uint32_t total_vcb_len; + uint32_t reserved4[10]; +}; +typedef struct VCStorageSizeBlock VCStorageSizeBlock; + +struct VCEntryHeader { + uint32_t len; + uint8_t flags; + uint8_t key_type; + uint16_t cert_idx; + uint8_t name[CERT_NAME_MAX_LEN]; + uint8_t format; + uint8_t reserved0; + uint16_t keyid_len; + uint8_t reserved1; + uint8_t hash_type; + uint16_t hash_len; + uint32_t reserved2; + uint32_t cert_len; + uint32_t reserved3[2]; + uint16_t hash_offset; + uint16_t cert_offset; + uint32_t reserved4[7]; +}; +typedef struct VCEntryHeader VCEntryHeader; + +struct VCBlockHeader { + uint32_t in_len; + uint32_t reserved0; + uint16_t first_vc_index; + uint16_t last_vc_index; + uint32_t reserved1[5]; + uint32_t out_len; + uint8_t reserved2[4]; + uint16_t stored_ct; + uint16_t remain_ct; + uint32_t reserved3[5]; +}; +typedef struct VCBlockHeader VCBlockHeader; =20 #endif diff --git a/target/s390x/diag.c b/target/s390x/diag.c index 8ab40437a2..f531ce9d82 100644 --- a/target/s390x/diag.c +++ b/target/s390x/diag.c 
@@ -198,11 +198,56 @@ out: } } =20 +static int handle_diag320_query_vcsi(S390CPU *cpu, uint64_t addr, uint64_t= r1, + uintptr_t ra, S390IPLCertificateStore= *cs) +{ + g_autofree VCStorageSizeBlock *vcssb =3D NULL; + + vcssb =3D g_new0(VCStorageSizeBlock, 1); + if (s390_cpu_virt_mem_read(cpu, addr, r1, vcssb, sizeof(*vcssb))) { + s390_cpu_virt_mem_handle_exc(cpu, ra); + return -1; + } + + if (be32_to_cpu(vcssb->length) > sizeof(*vcssb)) { + return DIAG_320_RC_INVAL_VCSSB_LEN; + } + + if (be32_to_cpu(vcssb->length) < VCSSB_MIN_LEN) { + return DIAG_320_RC_INVAL_VCSSB_LEN; + } + + if (!cs->count) { + vcssb->length =3D cpu_to_be32(VCSSB_NO_VC); + } else { + vcssb->version =3D 0; + vcssb->total_vc_ct =3D cpu_to_be16(cs->count); + vcssb->max_vc_ct =3D cpu_to_be16(MAX_CERTIFICATES); + vcssb->max_single_vcb_len =3D cpu_to_be32(sizeof(VCBlockHeader) + + sizeof(VCEntryHeader) + + cs->largest_cert_size); + vcssb->total_vcb_len =3D cpu_to_be32(sizeof(VCBlockHeader) + + cs->count * sizeof(VCEntryHeade= r) + + cs->total_bytes); + } + + if (s390_cpu_virt_mem_write(cpu, addr, r1, vcssb, be32_to_cpu(vcssb->l= ength))) { + s390_cpu_virt_mem_handle_exc(cpu, ra); + return -1; + } + return DIAG_320_RC_OK; +} + +QEMU_BUILD_BUG_MSG(sizeof(VCStorageSizeBlock) !=3D VCSSB_MIN_LEN, + "size of VCStorageSizeBlock is wrong"); + void handle_diag_320(CPUS390XState *env, uint64_t r1, uint64_t r3, uintptr= _t ra) { S390CPU *cpu =3D env_archcpu(env); + S390IPLCertificateStore *cs =3D s390_ipl_get_certificate_store(); uint64_t subcode =3D env->regs[r3]; uint64_t addr =3D env->regs[r1]; + int rc; =20 if (env->psw.mask & PSW_MASK_PSTATE) { s390_program_interrupt(env, PGM_PRIVILEGED, ra); 
@@ -224,7 +269,8 @@ void handle_diag_320(CPUS390XState *env, uint64_t r1, u= int64_t r3, uintptr_t ra) * but the current set of subcodes can fit within a single word * for now. */ - uint32_t ism_word0 =3D cpu_to_be32(DIAG_320_ISM_QUERY_SUBCODES); + uint32_t ism_word0 =3D cpu_to_be32(DIAG_320_ISM_QUERY_SUBCODES | + DIAG_320_ISM_QUERY_VCSI); =20 if (s390_cpu_virt_mem_write(cpu, addr, r1, &ism_word0, sizeof(ism_= word0))) { s390_cpu_virt_mem_handle_exc(cpu, ra); 
@@ -233,6 +279,23 @@ void handle_diag_320(CPUS390XState *env, uint64_t r1, = uint64_t r3, uintptr_t ra) =20 env->regs[r1 + 1] =3D DIAG_320_RC_OK; break; + case DIAG_320_SUBC_QUERY_VCSI: + if (addr & 0x7) { + s390_program_interrupt(env, PGM_SPECIFICATION, ra); + return; + } + + if (!diag_parm_addr_valid(addr, sizeof(VCStorageSizeBlock), true))= { + s390_program_interrupt(env, PGM_ADDRESSING, ra); + return; + } + + rc =3D handle_diag320_query_vcsi(cpu, addr, r1, ra, cs); + if (rc =3D=3D -1) { + return; + } + env->regs[r1 + 1] =3D rc; + break; default: env->regs[r1 + 1] =3D DIAG_320_RC_NOT_SUPPORTED; break; --=20 2.54.0
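Review bot: in the new DIAG_320_SUBC_QUERY_VCSI case, the `rc == -1` early return is a bare magic value that skips the write to env->regs[r1 + 1], and nothing in the hunk says what -1 means or why the register is left untouched. A one-line comment at the check, or a named constant shared with handle_diag320_query_vcsi(), would make that contract visible to whoever adds the next subcode to this switch.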
From: Zhuoying Cai
To: qemu-s390x@nongnu.org, qemu-devel@nongnu.org
Cc: jrossi@linux.ibm.com, cohuck@redhat.com, berrange@redhat.com, richard.henderson@linaro.org, david@kernel.org, walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com, brueckner@linux.ibm.com, pierrick.bouvier@oss.qualcomm.com, jdaley@linux.ibm.com
Subject: [PATCH v11 08/32] crypto/x509-utils: Add helper functions for DIAG 320 subcode 2
Date: Tue, 5 May 2026 16:18:40 -0400
Message-ID: <20260505201905.997996-9-zycai@linux.ibm.com>
In-Reply-To: <20260505201905.997996-1-zycai@linux.ibm.com>
References: <20260505201905.997996-1-zycai@linux.ibm.com>

Introduce new helper functions to extract certificate metadata:

qcrypto_x509_check_cert_times() - validates the certificate's validity period
against the current time
qcrypto_x509_get_cert_key_id() - extracts the key ID from the certificate
qcrypto_x509_check_ecc_curve_p521() - determines the ECC public key algorithm
uses P-521 curve

These functions provide support for metadata extraction and validity checking
for X.509 certificates.

Signed-off-by: Zhuoying Cai Acked-by: Daniel P. Berrang=C3=A9 Reviewed-by: Daniel P. Berrang=C3=A9 Reviewed-by: Farhan Ali --- crypto/x509-utils.c | 236 ++++++++++++++++++++++++++++++++++++ include/crypto/x509-utils.h | 51 ++++++++ 2 files changed, 287 insertions(+) diff --git a/crypto/x509-utils.c b/crypto/x509-utils.c index 68cf008938..7dd8d1a0e9 100644 --- a/crypto/x509-utils.c +++ b/crypto/x509-utils.c @@ -27,6 +27,16 @@ static const int qcrypto_to_gnutls_hash_alg_map[QCRYPTO_= HASH_ALGO__MAX] =3D { [QCRYPTO_HASH_ALGO_RIPEMD160] =3D GNUTLS_DIG_RMD160, }; =20 +static const int qcrypto_to_gnutls_keyid_flags_map[] =3D { + [QCRYPTO_HASH_ALGO_MD5] =3D -1, + [QCRYPTO_HASH_ALGO_SHA1] =3D GNUTLS_KEYID_USE_SHA1, + [QCRYPTO_HASH_ALGO_SHA224] =3D -1, + [QCRYPTO_HASH_ALGO_SHA256] =3D GNUTLS_KEYID_USE_SHA256, + [QCRYPTO_HASH_ALGO_SHA384] =3D -1, + [QCRYPTO_HASH_ALGO_SHA512] =3D GNUTLS_KEYID_USE_SHA512, + [QCRYPTO_HASH_ALGO_RIPEMD160] =3D -1, +}; + int qcrypto_get_x509_cert_fingerprint(uint8_t *cert, size_t size, QCryptoHashAlgo alg, uint8_t *result, 
@@ -121,6 +131,210 @@ cleanup: return ret; } =20 +int qcrypto_x509_check_cert_times(uint8_t *cert, size_t size, Error **errp) +{ + int rc; + int ret =3D -1; + gnutls_x509_crt_t crt; + gnutls_datum_t datum =3D {.data =3D cert, .size =3D size}; + time_t now =3D time(NULL); + time_t exp_time; + time_t act_time; + + if (now =3D=3D ((time_t)-1)) { + error_setg_errno(errp, errno, "Cannot get current time"); + return ret; + } + + rc =3D gnutls_x509_crt_init(&crt); + if (rc < 0) { + error_setg(errp, "Failed to initialize certificate: %s", gnutls_st= rerror(rc)); + return ret; + } + + rc =3D gnutls_x509_crt_import(crt, &datum, GNUTLS_X509_FMT_PEM); + if (rc !=3D 0) { + error_setg(errp, "Failed to import certificate: %s", gnutls_strerr= or(rc)); + goto cleanup; + } + + exp_time =3D gnutls_x509_crt_get_expiration_time(crt); + if (exp_time =3D=3D ((time_t)-1)) { + error_setg(errp, "Failed to get certificate expiration time"); + goto cleanup; + } + if (exp_time < now) { + error_setg(errp, "The certificate has expired"); + goto cleanup; + } + + act_time =3D gnutls_x509_crt_get_activation_time(crt); + if (act_time =3D=3D ((time_t)-1)) { + error_setg(errp, "Failed to get certificate activation time"); + goto cleanup; + } + if (act_time > now) { + error_setg(errp, "The certificate is not yet active"); + goto cleanup; + } + + ret =3D 0; + +cleanup: + gnutls_x509_crt_deinit(crt); + return ret; +} + +static int qcrypto_x509_get_pk_algorithm(uint8_t *cert, size_t size, Error= **errp) +{ + int rc; + int ret =3D -1; + unsigned int bits; + gnutls_x509_crt_t crt; + gnutls_datum_t datum =3D {.data =3D cert, .size =3D size}; + + rc =3D gnutls_x509_crt_init(&crt); + if (rc < 0) { + error_setg(errp, "Failed to initialize certificate: %s", gnutls_st= rerror(rc)); + return ret; + } + + rc =3D gnutls_x509_crt_import(crt, &datum, GNUTLS_X509_FMT_PEM); + if (rc !=3D 0) { + error_setg(errp, "Failed to import certificate: %s", gnutls_strerr= or(rc)); + goto cleanup; + } + + rc =3D 
gnutls_x509_crt_get_pk_algorithm(crt, &bits); + if (rc < 0) { + error_setg(errp, "Unknown public key algorithm %d", rc); + goto cleanup; + } + + ret =3D rc; + +cleanup: + gnutls_x509_crt_deinit(crt); + return ret; +} + +int qcrypto_x509_get_cert_key_id(uint8_t *cert, size_t size, + QCryptoHashAlgo hash_alg, + uint8_t **result, + size_t *resultlen, + Error **errp) +{ + int rc; + int ret =3D -1; + gnutls_x509_crt_t crt; + gnutls_datum_t datum =3D {.data =3D cert, .size =3D size}; + + if (hash_alg >=3D G_N_ELEMENTS(qcrypto_to_gnutls_hash_alg_map)) { + error_setg(errp, "Unknown hash algorithm %d", hash_alg); + return ret; + } + + if (hash_alg >=3D G_N_ELEMENTS(qcrypto_to_gnutls_keyid_flags_map) || + qcrypto_to_gnutls_keyid_flags_map[hash_alg] =3D=3D -1) { + error_setg(errp, "Unsupported key id flag %d", hash_alg); + return ret; + } + + rc =3D gnutls_x509_crt_init(&crt); + if (rc < 0) { + error_setg(errp, "Failed to initialize certificate: %s", gnutls_st= rerror(rc)); + return ret; + } + + rc =3D gnutls_x509_crt_import(crt, &datum, GNUTLS_X509_FMT_PEM); + if (rc !=3D 0) { + error_setg(errp, "Failed to import certificate: %s", gnutls_strerr= or(rc)); + goto cleanup; + } + + *resultlen =3D gnutls_hash_get_len(qcrypto_to_gnutls_hash_alg_map[hash= _alg]); + if (*resultlen =3D=3D 0) { + error_setg(errp, "Failed to get hash algorithn length: %s", gnutls= _strerror(rc)); + goto cleanup; + } + + *result =3D g_malloc0(*resultlen); + if (gnutls_x509_crt_get_key_id(crt, + qcrypto_to_gnutls_keyid_flags_map[hash_= alg], + *result, resultlen) !=3D 0) { + error_setg(errp, "Failed to get key ID from certificate"); + g_clear_pointer(result, g_free); + goto cleanup; + } + + ret =3D 0; + +cleanup: + gnutls_x509_crt_deinit(crt); + return ret; +} + +static int qcrypto_x509_get_ecc_curve(uint8_t *cert, size_t size, Error **= errp) +{ + int rc; + int ret =3D -1; + gnutls_x509_crt_t crt; + gnutls_datum_t datum =3D {.data =3D cert, .size =3D size}; + gnutls_ecc_curve_t curve_id; + 
gnutls_datum_t x =3D {.data =3D NULL, .size =3D 0}; + gnutls_datum_t y =3D {.data =3D NULL, .size =3D 0}; + + rc =3D gnutls_x509_crt_init(&crt); + if (rc < 0) { + error_setg(errp, "Failed to initialize certificate: %s", gnutls_st= rerror(rc)); + return ret; + } + + rc =3D gnutls_x509_crt_import(crt, &datum, GNUTLS_X509_FMT_PEM); + if (rc !=3D 0) { + error_setg(errp, "Failed to import certificate: %s", gnutls_strerr= or(rc)); + goto cleanup; + } + + rc =3D gnutls_x509_crt_get_pk_ecc_raw(crt, &curve_id, &x, &y); + if (rc !=3D 0) { + error_setg(errp, "Failed to get ECC public key curve: %s", gnutls_= strerror(rc)); + goto cleanup; + } + + ret =3D curve_id; + +cleanup: + gnutls_x509_crt_deinit(crt); + g_free(x.data); + g_free(y.data); + return ret; +} + +int qcrypto_x509_check_ecc_curve_p521(uint8_t *cert, size_t size, Error **= errp) +{ + int algo; + int curve_id; + + algo =3D qcrypto_x509_get_pk_algorithm(cert, size, errp); + if (algo !=3D GNUTLS_PK_ECDSA) { + return 0; + } + + curve_id =3D qcrypto_x509_get_ecc_curve(cert, size, errp); + if (curve_id =3D=3D -1) { + error_setg(errp, "Failed to get ECC curve"); + return -1; + } + + if (curve_id =3D=3D GNUTLS_ECC_CURVE_INVALID) { + error_setg(errp, "Invalid ECC curve"); + return -1; + } + + return curve_id =3D=3D GNUTLS_ECC_CURVE_SECP521R1; +} + #else /* ! CONFIG_GNUTLS */ =20 int qcrypto_get_x509_cert_fingerprint(uint8_t *cert, size_t size, 
@@ -142,4 +356,26 @@ int qcrypto_x509_convert_cert_der(uint8_t *cert, size_= t size, return -1; } =20 +int qcrypto_x509_check_cert_times(uint8_t *cert, size_t size, Error **errp) +{ + error_setg(errp, "GNUTLS is required to get certificate times"); + return -1; +} + +int qcrypto_x509_get_cert_key_id(uint8_t *cert, size_t size, + QCryptoHashAlgo hash_alg, + uint8_t **result, + size_t *resultlen, + Error **errp) +{ + error_setg(errp, "GNUTLS is required to get key ID"); + return -1; +} + +int qcrypto_x509_check_ecc_curve_p521(uint8_t *cert, size_t size, Error **= errp) +{ + error_setg(errp, "GNUTLS is required to determine ecc curve"); + return -1; +} + #endif /* ! CONFIG_GNUTLS */ diff --git a/include/crypto/x509-utils.h b/include/crypto/x509-utils.h index 91ae79fb03..6040894a46 100644 --- a/include/crypto/x509-utils.h +++ b/include/crypto/x509-utils.h 
@@ -40,4 +40,55 @@ int qcrypto_x509_convert_cert_der(uint8_t *cert, size_t = size, size_t *resultlen, Error **errp); =20 +/** + * qcrypto_x509_check_cert_times + * @cert: pointer to the raw certificate data + * @size: size of the certificate + * @errp: error pointer + * + * Check whether the activation and expiration times of @cert + * are valid at the current time. + * + * Returns: 0 if the certificate times are valid, + * -1 on error. + */ +int qcrypto_x509_check_cert_times(uint8_t *cert, size_t size, Error **errp= ); + +/** + * qcrypto_x509_get_cert_key_id + * @cert: pointer to the raw certificate data + * @size: size of the certificate + * @hash_alg: the hash algorithm flag + * @result: output location for the allocated buffer for key ID + * (the function allocates memory which must be freed by the call= er) + * @resultlen: pointer to the size of the buffer + * (will be updated with the actual size of key id) + * @errp: error pointer + * + * Retrieve the key ID from the @cert based on the specified @flag. + * + * Returns: 0 if key ID was successfully stored in @result, + * -1 on error. + */ +int qcrypto_x509_get_cert_key_id(uint8_t *cert, size_t size, + QCryptoHashAlgo hash_alg, + uint8_t **result, + size_t *resultlen, + Error **errp); + +/** + * qcrypto_x509_check_ecc_curve_p521 + * @cert: pointer to the raw certificate data + * @size: size of the certificate + * @errp: error pointer + * + * Determine whether the ECC public key in the given certificate uses the = P-521 + * curve. + * + * Returns: 0 if ECC public key does not use P521 curve. + * 1 if ECC public key uses P521 curve. + * -1 on error. 
+ */ +int qcrypto_x509_check_ecc_curve_p521(uint8_t *cert, size_t size, Error **= errp); + #endif --=20 2.54.0
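Review bot: qcrypto_x509_check_ecc_curve_p521() in crypto/x509-utils.c mishandles errors from both of its helpers. When qcrypto_x509_get_pk_algorithm() fails it returns -1 with errp already set, but the `algo != GNUTLS_PK_ECDSA` test then returns 0, so the caller is told "not P-521" while an Error it has no reason to report or free is left behind. When qcrypto_x509_get_ecc_curve() fails it has also already set errp, and the following error_setg(errp, "Failed to get ECC curve") sets it a second time, which QEMU's error API does not allow. Suggest returning -1 when algo < 0 and dropping the second error_setg(). In the same hunk, x.data and y.data are filled in by gnutls_x509_crt_get_pk_ecc_raw() and should be released with gnutls_free() rather than g_free(), and the "Failed to get hash algorithn length" message has a typo and prints gnutls_strerror(rc) while rc still holds the 0 from the successful import.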
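Review bot: the doc comments added to include/crypto/x509-utils.h do not match the implementation in three places. The qcrypto_x509_get_cert_key_id() comment refers to "@flag", but the parameter is @hash_alg, and it should list the accepted algorithms, since the keyid flags map in x509-utils.c only maps SHA1, SHA256 and SHA512 and rejects the rest. For qcrypto_x509_check_ecc_curve_p521(), "Returns: 0 if ECC public key does not use P521 curve" omits that 0 is also returned when the key is not ECDSA at all. For qcrypto_x509_check_cert_times(), "-1 on error" hides that -1 is also the result for an expired or not-yet-active certificate; say so, so that callers do not treat it as an internal failure.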
From: Zhuoying Cai
To: qemu-s390x@nongnu.org, qemu-devel@nongnu.org
Cc: jrossi@linux.ibm.com, cohuck@redhat.com, berrange@redhat.com, richard.henderson@linaro.org, david@kernel.org, walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com, brueckner@linux.ibm.com, pierrick.bouvier@oss.qualcomm.com, jdaley@linux.ibm.com
Subject: [PATCH v11 09/32] s390x/diag: Implement DIAG 320 subcode 2
Date: Tue, 5 May 2026 16:18:41 -0400
Message-ID: <20260505201905.997996-10-zycai@linux.ibm.com>
In-Reply-To: <20260505201905.997996-1-zycai@linux.ibm.com>
References: <20260505201905.997996-1-zycai@linux.ibm.com>

DIAG 320 subcode 2 provides verification-certificates (VCs) that are in the
certificate store. Only X509 certificates in DER format and SHA-256 hash
type are recognized.

The subcode value is denoted by setting the second-left-most bit
of an 8-byte field.

The Verification Certificate Block (VCB) contains the output data
when the operation completes successfully. It includes a common
header followed by zero or more Verification Certificate Entries (VCEs),
depending on the VCB input length and the VC range (from the first VC
index to the last VC index) in the certificate store.

Each VCE contains information about a certificate retrieved from
the S390IPLCertificateStore, such as the certificate name, key type,
key ID length, hash length, and the raw certificate data.
The key ID and hash are extracted from the raw certificate by the crypto API.

Note: SHA2-256 VC hash type is required for retrieving the hash
(fingerprint) of the certificate.

Signed-off-by: Zhuoying Cai
---
 docs/specs/s390x-secure-ipl.rst | 24 +++
 include/hw/s390x/ipl/diag320.h | 29 +++
 target/s390x/diag.c | 339 +++++++++++++++++++++++++++++++-
 3 files changed, 391 insertions(+), 1 deletion(-)

diff --git a/docs/specs/s390x-secure-ipl.rst b/docs/specs/s390x-secure-ipl.= rst index 807a8ae393..d9c5c24ec7 100644 --- a/docs/specs/s390x-secure-ipl.rst +++ b/docs/specs/s390x-secure-ipl.rst
@@ -38,3 +38,27 @@ Subcode 1 - query verification certificate storage infor= mation The output is returned in the verification-certificate-storage-size bl= ock (VCSSB). A VCSSB length of 4 indicates that no certificates are availa= ble in the CS. + +Subcode 2 - store verification certificates + Provides VCs that are in the certificate store. + + The output is provided in a VCB, which includes a common header follow= ed by + zero or more verification-certificate entries (VCEs). + + The instruction expects the cert store to maintain an origin of 1 for = the + index (i.e. a retrieval of the first certificate in the store should be + denoted by setting first-VC to 1). + + The first-VC and last-VC fields of the VCB specify the index range of + VCs to be stored in the VCB. Certs are stored sequentially, starting + with first-VC index. As each cert is stored, a "stored count" is + incremented. If there is not enough space to store all certs requested + by the index range, a "remaining count" will be recorded and no more + certificates will be stored. + + Each VCE contains a header followed by information extracted from a + certificate within the certificate store. The information includes: + key-id, hash, and certificate data. This information is stored + contiguously in a VCE (with zero-padding). Following the header, the + key-id is immediately stored. The hash and certificate data follow and + may be accessed via the respective offset fields stored in the VCE. diff --git a/include/hw/s390x/ipl/diag320.h b/include/hw/s390x/ipl/diag320.h index 90797728d8..35c652ff56 100644 --- a/include/hw/s390x/ipl/diag320.h +++ b/include/hw/s390x/ipl/diag320.h 
@@ -12,19 +12,36 @@ =20 #define DIAG_320_SUBC_QUERY_ISM 0 #define DIAG_320_SUBC_QUERY_VCSI 1 +#define DIAG_320_SUBC_STORE_VC 2 =20 #define DIAG_320_RC_OK 0x0001 #define DIAG_320_RC_NOT_SUPPORTED 0x0102 #define DIAG_320_RC_INVAL_VCSSB_LEN 0x0202 +#define DIAG_320_RC_INVAL_VCB_LEN 0x0204 +#define DIAG_320_RC_BAD_RANGE 0x0302 =20 #define DIAG_320_ISM_QUERY_SUBCODES 0x80000000 #define DIAG_320_ISM_QUERY_VCSI 0x40000000 +#define DIAG_320_ISM_STORE_VC 0x20000000 =20 #define VCSSB_NO_VC 4 #define VCSSB_MIN_LEN 128 =20 #define CERT_NAME_MAX_LEN 64 =20 +/* + * If the VCE flags indicate an invalid certificate, + * the VCE length is set to 72, containing only the + * first five fields of VCEntry. + */ +#define VCE_INVALID_LEN 72 + +#define DIAG_320_VCE_FLAGS_VALID 0x80 +#define DIAG_320_VCE_KEYTYPE_SELF_DESCRIBING 0 +#define DIAG_320_VCE_KEYTYPE_ECDSA_P521 1 +#define DIAG_320_VCE_FORMAT_X509_DER 1 +#define DIAG_320_VCE_HASHTYPE_SHA2_256 1 + struct VCStorageSizeBlock { uint32_t length; uint8_t reserved0[3]; @@ -60,6 +77,12 @@ struct VCEntryHeader { }; typedef struct VCEntryHeader VCEntryHeader; =20 +struct VCEntry { + VCEntryHeader vce_hdr; + uint8_t cert_buf[]; +}; +typedef struct VCEntry VCEntry; + struct VCBlockHeader { uint32_t in_len; uint32_t reserved0; @@ -74,4 +97,10 @@ struct VCBlockHeader { }; typedef struct VCBlockHeader VCBlockHeader; =20 +struct VCBlock { + VCBlockHeader vcb_hdr; + uint8_t vce_buf[]; +}; +typedef struct VCBlock VCBlock; + #endif diff --git a/target/s390x/diag.c b/target/s390x/diag.c index f531ce9d82..0645fe39dc 100644 --- a/target/s390x/diag.c +++ b/target/s390x/diag.c 
@@ -17,13 +17,16 @@ #include "s390x-internal.h" #include "hw/watchdog/wdt_diag288.h" #include "system/cpus.h" +#include "hw/s390x/cert-store.h" #include "hw/s390x/ipl.h" #include "hw/s390x/ipl/diag320.h" #include "hw/s390x/s390-virtio-ccw.h" #include "system/kvm.h" #include "kvm/kvm_s390x.h" #include "target/s390x/kvm/pv.h" +#include "qapi/error.h" #include "qemu/error-report.h" +#include "crypto/x509-utils.h" =20 =20 static inline bool diag_parm_addr_valid(uint64_t addr, size_t size, bool w= rite) 
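Review bot: the "Subcode 2 - store verification certificates" text added to docs/specs/s390x-secure-ipl.rst leaves out the guest-visible failure behaviour this patch introduces. It does not mention the two new response codes defined in diag320.h (DIAG_320_RC_INVAL_VCB_LEN 0x0204 and DIAG_320_RC_BAD_RANGE 0x0302), nor what a guest sees for a certificate that cannot be stored as valid (a VCE of length 72 with the valid flag clear, per the VCE_INVALID_LEN comment). Suggest adding a short paragraph for each next to the existing description of the "stored count" and "remaining count".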
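Review bot: VCE_INVALID_LEN in include/hw/s390x/ipl/diag320.h is a bare 72 whose meaning ("only the first five fields of VCEntry") exists only in the comment, so the constant and the struct can drift apart without any build failure. Suggest deriving it with offsetof() on the sixth member of VCEntryHeader, or adding a QEMU_BUILD_BUG_ON() next to the struct that ties 72 to the layout. The comment also says "fields of VCEntry", while the fields it counts are those of VCEntryHeader.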
@@ -238,8 +241,329 @@ static int handle_diag320_query_vcsi(S390CPU *cpu, ui= nt64_t addr, uint64_t r1, return DIAG_320_RC_OK; } =20 +static bool is_cert_valid(const S390IPLCertificate *cert) +{ + int rc; + Error *err =3D NULL; + + rc =3D qcrypto_x509_check_cert_times(cert->raw, cert->size, &err); + if (rc !=3D 0) { + error_report_err(err); + return false; + } + + return true; +} + +static int handle_key_id(VCEntry *vce, const S390IPLCertificate *cert) +{ + int rc; + g_autofree unsigned char *key_id_data =3D NULL; + size_t key_id_len; + Error *err =3D NULL; + + rc =3D qcrypto_x509_get_cert_key_id(cert->raw, cert->size, + QCRYPTO_HASH_ALGO_SHA256, + &key_id_data, &key_id_len, &err); + if (rc < 0) { + error_report_err(err); + return -1; + } + + if (sizeof(VCEntryHeader) + key_id_len > be32_to_cpu(vce->vce_hdr.len)= ) { + error_report("Unable to write key ID: exceeds buffer bounds"); + return -1; + } + + vce->vce_hdr.keyid_len =3D cpu_to_be16(key_id_len); + + memcpy(vce->cert_buf, key_id_data, key_id_len); + + return 0; +} + +static int handle_hash(VCEntry *vce, const S390IPLCertificate *cert, + uint16_t keyid_field_len) +{ + int rc; + uint16_t hash_offset; + g_autofree void *hash_data =3D NULL; + size_t hash_len; + Error *err =3D NULL; + + hash_len =3D CERT_HASH_LEN; + hash_data =3D g_malloc0(hash_len); + rc =3D qcrypto_get_x509_cert_fingerprint(cert->raw, cert->size, + QCRYPTO_HASH_ALGO_SHA256, + hash_data, &hash_len, &err); + if (rc < 0) { + error_report_err(err); + return -1; + } + + hash_offset =3D sizeof(VCEntryHeader) + keyid_field_len; + if (hash_offset + hash_len > be32_to_cpu(vce->vce_hdr.len)) { + error_report("Unable to write hash: exceeds buffer bounds"); + return -1; + } + + vce->vce_hdr.hash_len =3D cpu_to_be16(hash_len); + vce->vce_hdr.hash_type =3D DIAG_320_VCE_HASHTYPE_SHA2_256; + vce->vce_hdr.hash_offset =3D cpu_to_be16(hash_offset); + + memcpy((uint8_t *)vce + hash_offset, hash_data, hash_len); + + return 0; +} + +static int handle_cert(VCEntry 
*vce, const S390IPLCertificate *cert, + uint16_t hash_field_len) +{ + int rc; + uint16_t cert_offset; + g_autofree uint8_t *cert_der =3D NULL; + size_t der_size; + Error *err =3D NULL; + + rc =3D qcrypto_x509_convert_cert_der(cert->raw, cert->size, + &cert_der, &der_size, &err); + if (rc < 0) { + error_report_err(err); + return -1; + } + + cert_offset =3D be16_to_cpu(vce->vce_hdr.hash_offset) + hash_field_len; + if (cert_offset + der_size > be32_to_cpu(vce->vce_hdr.len)) { + error_report("Unable to write certificate: exceeds buffer bounds"); + return -1; + } + + vce->vce_hdr.format =3D DIAG_320_VCE_FORMAT_X509_DER; + vce->vce_hdr.cert_len =3D cpu_to_be32(der_size); + vce->vce_hdr.cert_offset =3D cpu_to_be16(cert_offset); + + memcpy((uint8_t *)vce + cert_offset, cert_der, der_size); + + return 0; +} + +static int get_key_type(const S390IPLCertificate *cert) +{ + int rc; + Error *err =3D NULL; + + rc =3D qcrypto_x509_check_ecc_curve_p521(cert->raw, cert->size, &err); + if (rc =3D=3D -1) { + error_report_err(err); + return -1; + } + + return (rc =3D=3D 1) ? 
DIAG_320_VCE_KEYTYPE_ECDSA_P521 : + DIAG_320_VCE_KEYTYPE_SELF_DESCRIBING; +} + +static int build_vce_header(VCEntry *vce, const S390IPLCertificate *cert, = int idx) +{ + int key_type; + + vce->vce_hdr.len =3D cpu_to_be32(sizeof(VCEntryHeader)); + vce->vce_hdr.cert_idx =3D cpu_to_be16(idx + 1); + memcpy(vce->vce_hdr.name, cert->name, CERT_NAME_MAX_LEN); + + key_type =3D get_key_type(cert); + if (key_type =3D=3D -1) { + return -1; + } + vce->vce_hdr.key_type =3D key_type; + + return 0; +} + +static int build_vce_data(VCEntry *vce, const S390IPLCertificate *cert) +{ + uint16_t keyid_field_len; + uint16_t hash_field_len; + uint32_t cert_field_len; + uint32_t vce_len; + int rc; + + rc =3D handle_key_id(vce, cert); + if (rc) { + return -1; + } + keyid_field_len =3D ROUND_UP(be16_to_cpu(vce->vce_hdr.keyid_len), 4); + + rc =3D handle_hash(vce, cert, keyid_field_len); + if (rc) { + return -1; + } + hash_field_len =3D ROUND_UP(be16_to_cpu(vce->vce_hdr.hash_len), 4); + + rc =3D handle_cert(vce, cert, hash_field_len); + if (rc || !is_cert_valid(cert)) { + return -1; + } + cert_field_len =3D ROUND_UP(be32_to_cpu(vce->vce_hdr.cert_len), 4); + + vce_len =3D sizeof(VCEntryHeader) + keyid_field_len + hash_field_len += cert_field_len; + if (vce_len > be32_to_cpu(vce->vce_hdr.len)) { + return -1; + } + + vce->vce_hdr.flags |=3D DIAG_320_VCE_FLAGS_VALID; + + /* Update vce length to reflect the actual size used by vce */ + vce->vce_hdr.len =3D cpu_to_be32(vce_len); + + return 0; +} + +static VCEntry *diag_320_build_vce(const S390IPLCertificate *cert, int idx) +{ + g_autofree VCEntry *vce =3D NULL; + uint32_t vce_max_size; + int rc; + + /* + * Each field of the VCE is word-aligned. + * Allocate enough space for the largest possible size for this VCE. + * As the certificate fields (key-id, hash, data) are parsed, the + * VCE's length field will be updated accordingly. 
+ */ + vce_max_size =3D sizeof(VCEntryHeader) + + ROUND_UP(CERT_KEY_ID_LEN, 4) + + ROUND_UP(CERT_HASH_LEN, 4) + + ROUND_UP(cert->der_size, 4); + + vce =3D g_malloc0(vce_max_size); + rc =3D build_vce_header(vce, cert, idx); + if (rc) { + /* + * Error occurs - VCE does not contain a valid certificate. + * Bit 0 of the VCE flags is 0 and the VCE length is set. + */ + vce->vce_hdr.len =3D cpu_to_be32(VCE_INVALID_LEN); + goto out; + } + + vce->vce_hdr.len =3D cpu_to_be32(vce_max_size); + rc =3D build_vce_data(vce, cert); + if (rc) { + vce->vce_hdr.len =3D cpu_to_be32(VCE_INVALID_LEN); + } + +out: + return g_steal_pointer(&vce); +} + +static int handle_diag320_store_vc(S390CPU *cpu, uint64_t addr, uint64_t r= 1, uintptr_t ra, + S390IPLCertificateStore *cs) +{ + g_autofree VCBlock *vcb =3D NULL; + size_t remaining_space; + uint16_t first_vc_index; + uint16_t last_vc_index; + int cs_start_index; + int cs_end_index; + uint32_t in_len; + + vcb =3D g_new0(VCBlock, 1); + if (s390_cpu_virt_mem_read(cpu, addr, r1, vcb, sizeof(*vcb))) { + s390_cpu_virt_mem_handle_exc(cpu, ra); + return -1; + } + + in_len =3D be32_to_cpu(vcb->vcb_hdr.in_len); + first_vc_index =3D be16_to_cpu(vcb->vcb_hdr.first_vc_index); + last_vc_index =3D be16_to_cpu(vcb->vcb_hdr.last_vc_index); + + if (in_len % TARGET_PAGE_SIZE !=3D 0) { + return DIAG_320_RC_INVAL_VCB_LEN; + } + + if (first_vc_index > last_vc_index) { + return DIAG_320_RC_BAD_RANGE; + } + + vcb->vcb_hdr.out_len =3D sizeof(VCBlockHeader); + + /* + * DIAG 320 subcode 2 expects to query a certificate store that + * maintains an index origin of 1. However, the S390IPLCertificateStore + * maintains an index origin of 0. Thus, the indices must be adjusted + * for correct access into the cert store. A couple of special cases + * must also be accounted for. 
+ */ + + /* Both indices are 0; return header with no certs */ + if (first_vc_index =3D=3D 0 && last_vc_index =3D=3D 0) { + goto out; + } + + /* Normalize indices */ + cs_start_index =3D (first_vc_index =3D=3D 0) ? 0 : first_vc_index - 1; + cs_end_index =3D last_vc_index - 1; + + /* Requested range is outside the cert store; return header with no ce= rts */ + if (cs_start_index >=3D cs->count || cs_end_index >=3D cs->count) { + goto out; + } + + remaining_space =3D in_len - sizeof(VCBlockHeader); + + for (int i =3D cs_start_index; i <=3D cs_end_index; i++) { + VCEntry *vce; + const S390IPLCertificate *cert =3D &cs->certs[i]; + + /* + * Bit 0 of the VCE flags indicates whether the certificate is val= id. + * The caller of DIAG320 subcode 2 is responsible for verifying th= at + * the VCE contains a valid certificate. + */ + vce =3D diag_320_build_vce(cert, i); + + /* + * If there is no more space to store the cert, + * set the remaining verification cert count and + * break early. + */ + if (remaining_space < vce->vce_hdr.len) { + vcb->vcb_hdr.remain_ct =3D cpu_to_be16(last_vc_index - i); + g_free(vce); + break; + } + + /* Write VCE */ + if (s390_cpu_virt_mem_write(cpu, addr + vcb->vcb_hdr.out_len, r1, + vce, vce->vce_hdr.len)) { + s390_cpu_virt_mem_handle_exc(cpu, ra); + g_free(vce); + return -1; + } + + vcb->vcb_hdr.out_len +=3D vce->vce_hdr.len; + remaining_space -=3D vce->vce_hdr.len; + vcb->vcb_hdr.stored_ct++; + + g_free(vce); + } + vcb->vcb_hdr.stored_ct =3D cpu_to_be16(vcb->vcb_hdr.stored_ct); + +out: + vcb->vcb_hdr.out_len =3D cpu_to_be32(vcb->vcb_hdr.out_len); + + if (s390_cpu_virt_mem_write(cpu, addr, r1, vcb, sizeof(VCBlockHeader))= ) { + s390_cpu_virt_mem_handle_exc(cpu, ra); + return -1; + } + + return DIAG_320_RC_OK; +} + QEMU_BUILD_BUG_MSG(sizeof(VCStorageSizeBlock) !=3D VCSSB_MIN_LEN, "size of VCStorageSizeBlock is wrong"); +QEMU_BUILD_BUG_MSG(sizeof(VCBlock) !=3D 64, "size of VCBlock is wrong"); +QEMU_BUILD_BUG_MSG(sizeof(VCEntry) !=3D 128, "size of 
VCEntry is wrong"); =20 void handle_diag_320(CPUS390XState *env, uint64_t r1, uint64_t r3, uintptr= _t ra) { @@ -270,7 +594,8 @@ void handle_diag_320(CPUS390XState *env, uint64_t r1, u= int64_t r3, uintptr_t ra) * for now. */ uint32_t ism_word0 =3D cpu_to_be32(DIAG_320_ISM_QUERY_SUBCODES | - DIAG_320_ISM_QUERY_VCSI); + DIAG_320_ISM_QUERY_VCSI | + DIAG_320_ISM_STORE_VC); =20 if (s390_cpu_virt_mem_write(cpu, addr, r1, &ism_word0, sizeof(ism_= word0))) { s390_cpu_virt_mem_handle_exc(cpu, ra); 
@@ -296,6 +621,18 @@ void handle_diag_320(CPUS390XState *env, uint64_t r1, = uint64_t r3, uintptr_t ra) } env->regs[r1 + 1] =3D rc; break; + case DIAG_320_SUBC_STORE_VC: + if (addr & ~TARGET_PAGE_MASK) { + s390_program_interrupt(env, PGM_SPECIFICATION, ra); + return; + } + + rc =3D handle_diag320_store_vc(cpu, addr, r1, ra, cs); + if (rc =3D=3D -1) { + return; + } + env->regs[r1 + 1] =3D rc; + break; default: env->regs[r1 + 1] =3D DIAG_320_RC_NOT_SUPPORTED; break; --=20 2.54.0
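Review bot: In handle_diag320_store_vc(), in_len is only checked for page alignment, so a guest-supplied in_len of 0 passes the `in_len % TARGET_PAGE_SIZE != 0` test and `remaining_space = in_len - sizeof(VCBlockHeader)` wraps to a very large size_t, after which the loop writes VCEs beyond the length the guest declared. Reject an in_len smaller than sizeof(VCBlockHeader) with DIAG_320_RC_INVAL_VCB_LEN before computing remaining_space. The same loop reads vce->vce_hdr.len directly for the space check, the write length and the out_len update, although diag_320_build_vce() stores that field with cpu_to_be32(); convert it once with be32_to_cpu() into a local so the result does not depend on host byte order.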
From: Zhuoying Cai
To: qemu-s390x@nongnu.org, qemu-devel@nongnu.org
Cc: jrossi@linux.ibm.com, cohuck@redhat.com, berrange@redhat.com, richard.henderson@linaro.org, david@kernel.org, walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com, brueckner@linux.ibm.com, pierrick.bouvier@oss.qualcomm.com, jdaley@linux.ibm.com
Subject: [PATCH v11 10/32] hw/s390x: Define finite size for single entry VCEntry
Date: Tue, 5 May 2026 16:18:42 -0400
Message-ID: <20260505201905.997996-11-zycai@linux.ibm.com>
In-Reply-To: <20260505201905.997996-1-zycai@linux.ibm.com>
References: <20260505201905.997996-1-zycai@linux.ibm.com>

Define MAX_ENTRY_SIZE (8KB) and CERT_BUF_MAX_LEN to establish a finite size for a single entry VCEntry. Add validation in update_cert_store() to ensure certificate data does not exceed this limit. This finite size definition is needed for proper memory allocation and will be used in a later commit to handle VCEntry structures with known size constraints.

Signed-off-by: Zhuoying Cai --- hw/s390x/cert-store.c | 15 +++++++++++++-- include/hw/s390x/ipl/diag320.h | 3 +++ 2 files changed, 16 insertions(+), 2 deletions(-) diff --git a/hw/s390x/cert-store.c b/hw/s390x/cert-store.c index a4f15627e9..221267781b 100644 --- a/hw/s390x/cert-store.c +++ b/hw/s390x/cert-store.c @@ -73,7 +73,7 @@ static S390IPLCertificate *init_cert(char *path, Error **= errp) return cert; } =20 -static void update_cert_store(S390IPLCertificateStore *cert_store, +static int update_cert_store(S390IPLCertificateStore *cert_store, S390IPLCertificate *cert) { size_t data_buf_size; @@ -87,6 +87,12 @@ static void update_cert_store(S390IPLCertificateStore *c= ert_store, cert_buf_size =3D ROUND_UP(cert->der_size, 4); data_buf_size =3D keyid_buf_size + hash_buf_size + cert_buf_size; =20 + if (data_buf_size > CERT_BUF_MAX_LEN) { + error_report("Certificate data size %zu exceeds maximum buffer siz= e %ld", + data_buf_size, CERT_BUF_MAX_LEN); + return -1; + } + if (cert_store->largest_cert_size < data_buf_size) { cert_store->largest_cert_size =3D data_buf_size; } @@ -96,6 +102,8 @@ static void update_cert_store(S390IPLCertificateStore *c= ert_store, cert_store->certs[cert_store->count] =3D *cert; cert_store->total_bytes +=3D data_buf_size; cert_store->count++; + + return 0; } =20 static GPtrArray *get_cert_paths(Error **errp) @@ -214,7 +222,10 @@ void s390_ipl_create_cert_store(S390IPLCertificateStor= e *cert_store) exit(1); } =20 - update_cert_store(cert_store, cert); + if (update_cert_store(cert_store, cert)) { + g_ptr_array_free(cert_path_builder, TRUE); + exit(1); + } } =20 g_ptr_array_free(cert_path_builder, TRUE); diff --git a/include/hw/s390x/ipl/diag320.h b/include/hw/s390x/ipl/diag320.h index 35c652ff56..75065d2fe4 100644 --- a/include/hw/s390x/ipl/diag320.h +++ b/include/hw/s390x/ipl/diag320.h 
@@ -83,6 +83,9 @@ struct VCEntry { }; typedef struct VCEntry VCEntry; =20 +#define MAX_ENTRY_SIZE (8 * 1024) +#define CERT_BUF_MAX_LEN (MAX_ENTRY_SIZE - sizeof(VCEntryHeader)) + struct VCBlockHeader { uint32_t in_len; uint32_t reserved0; --=20 2.54.0
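Review bot: In update_cert_store(), the new error_report() prints CERT_BUF_MAX_LEN with %ld, but the macro expands to `MAX_ENTRY_SIZE - sizeof(VCEntryHeader)`, which has type size_t; use %zu for both arguments so the format matches on every host. Since init_cert() in the same file already takes an Error **errp, consider reporting this failure through errp as well rather than error_report() plus an int return, so the caller in s390_ipl_create_cert_store() handles both failures the same way.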
From: Zhuoying Cai
To: qemu-s390x@nongnu.org, qemu-devel@nongnu.org
Cc: jrossi@linux.ibm.com, cohuck@redhat.com, berrange@redhat.com, richard.henderson@linaro.org, david@kernel.org, walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com, brueckner@linux.ibm.com, pierrick.bouvier@oss.qualcomm.com, jdaley@linux.ibm.com
Subject: [PATCH v11 11/32] s390x/diag: Introduce DIAG 508 for secure IPL operations
Date: Tue, 5 May 2026 16:18:43 -0400
Message-ID: <20260505201905.997996-12-zycai@linux.ibm.com>
In-Reply-To: <20260505201905.997996-1-zycai@linux.ibm.com>
References: <20260505201905.997996-1-zycai@linux.ibm.com>

From: Collin Walling

In order to support secure IPL (aka secure boot) for the s390-ccw BIOS, a new s390 DIAGNOSE instruction is introduced to leverage QEMU for handling operations such as signature verification and certificate retrieval. Currently, only subcode 0 is supported with this patch, which is used to query a bitmap of which subcodes are supported.

Signed-off-by: Collin Walling Reviewed-by: Farhan Ali Reviewed-by: Thomas Huth --- docs/specs/s390x-secure-ipl.rst | 18 ++++++++++++++++++ include/hw/s390x/ipl/diag508.h | 15 +++++++++++++++ target/s390x/diag.c | 27 +++++++++++++++++++++++++++ target/s390x/kvm/kvm.c | 14 ++++++++++++++ target/s390x/s390x-internal.h | 2 ++ target/s390x/tcg/misc_helper.c | 7 +++++++ 6 files changed, 83 insertions(+) create mode 100644 include/hw/s390x/ipl/diag508.h diff --git a/docs/specs/s390x-secure-ipl.rst b/docs/specs/s390x-secure-ipl.= rst index d9c5c24ec7..488981339d 100644 --- a/docs/specs/s390x-secure-ipl.rst +++ b/docs/specs/s390x-secure-ipl.rst @@ -62,3 +62,21 @@ Subcode 2 - store verification certificates contiguously in a VCE (with zero-padding). Following the header, the key-id is immediately stored. The hash and certificate data follow and may be accessed via the respective offset fields stored in the VCE. + + +Secure IPL Data Structures, Facilities, and Functions +----------------------------------------------------- + +DIAGNOSE function code 'X'508' - IPL extensions +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +DIAGNOSE 'X'508' is reserved for guest use in order to facilitate communic= ation +of additional IPL operations that cannot be handled by guest code, such as +signature verification for secure IPL. + +If the function code specifies 0x508, IPL extension functions are performe= d. +These functions are meant to provide extended functionality for s390 guest= boot +that requires assistance from QEMU. + +Subcode 0 - query installed subcodes + Returns a 64-bit mask indicating which subcodes are supported. diff --git a/include/hw/s390x/ipl/diag508.h b/include/hw/s390x/ipl/diag508.h new file mode 100644 index 0000000000..6281ad8299 --- /dev/null +++ b/include/hw/s390x/ipl/diag508.h 
@@ -0,0 +1,15 @@ +/* + * S/390 DIAGNOSE 508 definitions and structures + * + * Copyright 2025 IBM Corp. + * Author(s): Collin Walling + * + * SPDX-License-Identifier: GPL-2.0-or-later + */ + +#ifndef S390X_DIAG508_H +#define S390X_DIAG508_H + +#define DIAG_508_SUBC_QUERY_SUBC 0x0000 + +#endif diff --git a/target/s390x/diag.c b/target/s390x/diag.c index 0645fe39dc..390a543ede 100644 --- a/target/s390x/diag.c +++ b/target/s390x/diag.c @@ -20,6 +20,7 @@ #include "hw/s390x/cert-store.h" #include "hw/s390x/ipl.h" #include "hw/s390x/ipl/diag320.h" +#include "hw/s390x/ipl/diag508.h" #include "hw/s390x/s390-virtio-ccw.h" #include "system/kvm.h" #include "kvm/kvm_s390x.h" @@ -638,3 +639,29 @@ void handle_diag_320(CPUS390XState *env, uint64_t r1, = uint64_t r3, uintptr_t ra) break; } } + +void handle_diag_508(CPUS390XState *env, uint64_t r1, uint64_t r3, uintptr= _t ra) +{ + uint64_t subcode =3D env->regs[r3]; + int rc; + + if (env->psw.mask & PSW_MASK_PSTATE) { + s390_program_interrupt(env, PGM_PRIVILEGED, ra); + return; + } + + if ((subcode & ~0x0ffffULL) || (r1 & 1)) { + s390_program_interrupt(env, PGM_SPECIFICATION, ra); + return; + } + + switch (subcode) { + case DIAG_508_SUBC_QUERY_SUBC: + rc =3D 0; + break; + default: + s390_program_interrupt(env, PGM_SPECIFICATION, ra); + return; + } + env->regs[r1 + 1] =3D rc; +} diff --git a/target/s390x/kvm/kvm.c b/target/s390x/kvm/kvm.c index a5411859a8..82f7fed9ec 100644 --- a/target/s390x/kvm/kvm.c +++ b/target/s390x/kvm/kvm.c @@ -102,6 +102,7 @@ #define DIAG_CERT_STORE 0x320 #define DIAG_KVM_HYPERCALL 0x500 #define DIAG_KVM_BREAKPOINT 0x501 +#define DIAG_SECURE_IPL 0x508 =20 #define ICPT_INSTRUCTION 0x04 #define ICPT_PROGRAM 0x08 
@@ -1542,6 +1543,16 @@ static void kvm_handle_diag_320(S390CPU *cpu, struct= kvm_run *run) handle_diag_320(&cpu->env, r1, r3, RA_IGNORED); } =20 +static void kvm_handle_diag_508(S390CPU *cpu, struct kvm_run *run) +{ + uint64_t r1, r3; + + r1 =3D (run->s390_sieic.ipa & 0x00f0) >> 4; + r3 =3D run->s390_sieic.ipa & 0x000f; + + handle_diag_508(&cpu->env, r1, r3, RA_IGNORED); +} + #define DIAG_KVM_CODE_MASK 0x000000000000ffff =20 static int handle_diag(S390CPU *cpu, struct kvm_run *run, uint32_t ipb) @@ -1575,6 +1586,9 @@ static int handle_diag(S390CPU *cpu, struct kvm_run *= run, uint32_t ipb) case DIAG_CERT_STORE: kvm_handle_diag_320(cpu, run); break; + case DIAG_SECURE_IPL: + kvm_handle_diag_508(cpu, run); + break; default: trace_kvm_insn_diag(func_code); kvm_s390_program_interrupt(cpu, PGM_SPECIFICATION); diff --git a/target/s390x/s390x-internal.h b/target/s390x/s390x-internal.h index b16490bce6..367df65970 100644 --- a/target/s390x/s390x-internal.h +++ b/target/s390x/s390x-internal.h @@ -390,6 +390,8 @@ void handle_diag_308(CPUS390XState *env, uint64_t r1, u= int64_t r3, uintptr_t ra); void handle_diag_320(CPUS390XState *env, uint64_t r1, uint64_t r3, uintptr_t ra); +void handle_diag_508(CPUS390XState *env, uint64_t r1, uint64_t r3, + uintptr_t ra); =20 =20 /* translate.c */ diff --git a/target/s390x/tcg/misc_helper.c b/target/s390x/tcg/misc_helper.c index 4d73475d95..562dde9cb3 100644 --- a/target/s390x/tcg/misc_helper.c +++ b/target/s390x/tcg/misc_helper.c 
@@ -149,6 +149,13 @@ void HELPER(diag)(CPUS390XState *env, uint32_t r1, uin= t32_t r3, uint32_t num) bql_unlock(); r =3D 0; break; + case 0x508: + /* secure ipl operations */ + bql_lock(); + handle_diag_508(env, r1, r3, GETPC()); + bql_unlock(); + r =3D 0; + break; default: r =3D -1; break; --=20 2.54.0
From: Zhuoying Cai
To: qemu-s390x@nongnu.org, qemu-devel@nongnu.org
Cc: jrossi@linux.ibm.com, cohuck@redhat.com, berrange@redhat.com, richard.henderson@linaro.org, david@kernel.org, walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com, brueckner@linux.ibm.com, pierrick.bouvier@oss.qualcomm.com, jdaley@linux.ibm.com
Subject: [PATCH v11 12/32] crypto/x509-utils: Add helper functions for DIAG 508 subcode 1
Date: Tue, 5 May 2026 16:18:44 -0400
Message-ID: <20260505201905.997996-13-zycai@linux.ibm.com>
In-Reply-To: <20260505201905.997996-1-zycai@linux.ibm.com>
References: <20260505201905.997996-1-zycai@linux.ibm.com>

Introduce helper functions to support signature verification required by DIAG 508 subcode 1:

qcrypto_pkcs7_convert_sig_pem() – converts a signature from DER to PEM format
qcrypto_x509_verify_sig() – verifies the provided data against the given signature

These functions enable basic signature verification support.

Signed-off-by: Zhuoying Cai
Acked-by: Daniel P. Berrangé
Reviewed-by: Daniel P. Berrangé
Reviewed-by: Farhan Ali
Reviewed-by: Thomas Huth
--- crypto/x509-utils.c | 108 ++++++++++++++++++++++++++++++++++++ include/crypto/x509-utils.h | 41 ++++++++++++++ 2 files changed, 149 insertions(+) diff --git a/crypto/x509-utils.c b/crypto/x509-utils.c index 7dd8d1a0e9..738f3c95af 100644 --- a/crypto/x509-utils.c +++ b/crypto/x509-utils.c @@ -16,6 +16,7 @@ #include #include #include +#include =20 static const int qcrypto_to_gnutls_hash_alg_map[QCRYPTO_HASH_ALGO__MAX] = =3D { [QCRYPTO_HASH_ALGO_MD5] =3D GNUTLS_DIG_MD5, 
@@ -335,6 +336,96 @@ int qcrypto_x509_check_ecc_curve_p521(uint8_t *cert, s= ize_t size, Error **errp) return curve_id =3D=3D GNUTLS_ECC_CURVE_SECP521R1; } =20 +int qcrypto_pkcs7_convert_sig_pem(uint8_t *sig, size_t sig_size, + uint8_t **result, size_t *resultlen, + Error **errp) +{ + int ret =3D -1; + int rc; + gnutls_pkcs7_t signature; + gnutls_datum_t sig_datum_der =3D {.data =3D sig, .size =3D sig_size}; + gnutls_datum_t sig_datum_pem =3D {.data =3D NULL, .size =3D 0}; + + rc =3D gnutls_pkcs7_init(&signature); + if (rc < 0) { + error_setg(errp, "Failed to initialize pkcs7 data: %s", gnutls_str= error(rc)); + return ret; + } + + rc =3D gnutls_pkcs7_import(signature, &sig_datum_der, GNUTLS_X509_FMT_= DER); + if (rc !=3D 0) { + error_setg(errp, "Failed to import signature: %s", gnutls_strerror= (rc)); + goto cleanup; + } + + rc =3D gnutls_pkcs7_export2(signature, GNUTLS_X509_FMT_PEM, &sig_datum= _pem); + if (rc !=3D 0) { + error_setg(errp, "Failed to convert signature to PEM format: %s", + gnutls_strerror(rc)); + goto cleanup; + } + + *resultlen =3D sig_datum_pem.size; + *result =3D g_memdup2(sig_datum_pem.data, sig_datum_pem.size); + + ret =3D 0; + +cleanup: + gnutls_pkcs7_deinit(signature); + g_free(sig_datum_pem.data); + return ret; +} + +int qcrypto_x509_verify_sig(uint8_t *cert, size_t cert_size, + uint8_t *comp, size_t comp_size, + uint8_t *sig, size_t sig_size, Error **errp) +{ + int rc; + int ret =3D -1; + gnutls_x509_crt_t crt =3D NULL; + gnutls_pkcs7_t signature =3D NULL; + gnutls_datum_t cert_datum =3D {.data =3D cert, .size =3D cert_size}; + gnutls_datum_t data_datum =3D {.data =3D comp, .size =3D comp_size}; + gnutls_datum_t sig_datum =3D {.data =3D sig, .size =3D sig_size}; + + rc =3D gnutls_x509_crt_init(&crt); + if (rc < 0) { + error_setg(errp, "Failed to initialize certificate: %s", gnutls_st= rerror(rc)); + goto cleanup; + } + + rc =3D gnutls_x509_crt_import(crt, &cert_datum, GNUTLS_X509_FMT_PEM); + if (rc !=3D 0) { + error_setg(errp, "Failed to 
import certificate: %s", gnutls_strerr= or(rc)); + goto cleanup; + } + + rc =3D gnutls_pkcs7_init(&signature); + if (rc < 0) { + error_setg(errp, "Failed to initialize pkcs7 data: %s", gnutls_str= error(rc)); + goto cleanup; + } + + rc =3D gnutls_pkcs7_import(signature, &sig_datum , GNUTLS_X509_FMT_PEM= ); + if (rc !=3D 0) { + error_setg(errp, "Failed to import signature: %s", gnutls_strerror= (rc)); + goto cleanup; + } + + rc =3D gnutls_pkcs7_verify_direct(signature, crt, 0, &data_datum, 0); + if (rc !=3D 0) { + error_setg(errp, "Failed to verify signature: %s", gnutls_strerror= (rc)); + goto cleanup; + } + + ret =3D 0; + +cleanup: + gnutls_x509_crt_deinit(crt); + gnutls_pkcs7_deinit(signature); + return ret; +} + #else /* ! CONFIG_GNUTLS */ =20 int qcrypto_get_x509_cert_fingerprint(uint8_t *cert, size_t size, @@ -378,4 +469,21 @@ int qcrypto_x509_check_ecc_curve_p521(uint8_t *cert, s= ize_t size, Error **errp) return -1; } =20 +int qcrypto_pkcs7_convert_sig_pem(uint8_t *sig, size_t sig_size, + uint8_t **result, + size_t *resultlen, + Error **errp) +{ + error_setg(errp, "GNUTLS is required to export pkcs7 signature"); + return -1; +} + +int qcrypto_x509_verify_sig(uint8_t *cert, size_t cert_size, + uint8_t *comp, size_t comp_size, + uint8_t *sig, size_t sig_size, Error **errp) +{ + error_setg(errp, "GNUTLS is required for signature-verification suppor= t"); + return -1; +} + #endif /* ! CONFIG_GNUTLS */ diff --git a/include/crypto/x509-utils.h b/include/crypto/x509-utils.h index 6040894a46..02e937b14a 100644 --- a/include/crypto/x509-utils.h +++ b/include/crypto/x509-utils.h 
@@ -91,4 +91,45 @@ int qcrypto_x509_get_cert_key_id(uint8_t *cert, size_t s= ize, */ int qcrypto_x509_check_ecc_curve_p521(uint8_t *cert, size_t size, Error **= errp); =20 +/** + * qcrypto_pkcs7_convert_sig_pem + * @sig: pointer to the PKCS#7 signature in DER format + * @sig_size: size of the signature + * @result: output location for the allocated buffer for the signature in + * PEM format + * (the function allocates memory which must be freed by the call= er) + * @resultlen: pointer to the size of the buffer + * (will be updated with the actual size of the PEM-encoded + * signature) + * @errp: error pointer + * + * Convert given PKCS#7 @sig from DER to PEM format. + * + * Returns: 0 if PEM-encoded signature was successfully stored in @result, + * -1 on error. + */ +int qcrypto_pkcs7_convert_sig_pem(uint8_t *sig, size_t sig_size, + uint8_t **result, + size_t *resultlen, + Error **errp); + +/** + * qcrypto_x509_verify_sig + * @cert: pointer to the raw certificate data + * @cert_size: size of the certificate + * @comp: pointer to the component to be verified + * @comp_size: size of the component + * @sig: pointer to the signature + * @sig_size: size of the signature + * @errp: error pointer + * + * Verify the provided @comp against the @sig and @cert. + * + * Returns: 0 on success, + * -1 on error. 
+ */ +int qcrypto_x509_verify_sig(uint8_t *cert, size_t cert_size, + uint8_t *comp, size_t comp_size, + uint8_t *sig, size_t sig_size, Error **errp); + #endif --=20 2.54.0
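Review bot: in the cleanup path of qcrypto_pkcs7_convert_sig_pem() in crypto/x509-utils.c, sig_datum_pem.data is released with g_free(), but that buffer was filled in by gnutls_pkcs7_export2(), so it belongs to the GnuTLS allocator and should be released with gnutls_free(). Only the g_memdup2() copy returned through *result is the caller's to g_free(). Separately, both new functions test rc < 0 after the init calls and rc != 0 after the import, export and verify calls; settling on one convention would make the error handling easier to audit.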
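Review bot: the doc comment for qcrypto_x509_verify_sig() in include/crypto/x509-utils.h does not state the encodings the function requires. The implementation imports both @cert and @sig with GNUTLS_X509_FMT_PEM, yet @cert is documented only as "raw certificate data" and @sig as "the signature", while qcrypto_pkcs7_convert_sig_pem() directly above takes DER. Please document that both inputs must be PEM, and that the check is gnutls_pkcs7_verify_direct() with signer index 0 and flags 0, so callers know that only the first signer is checked directly against @cert. The @cert, @comp and @sig pointers are input-only and could be const.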
From: Zhuoying Cai
To: qemu-s390x@nongnu.org, qemu-devel@nongnu.org
Cc: jrossi@linux.ibm.com, cohuck@redhat.com, berrange@redhat.com, richard.henderson@linaro.org, david@kernel.org, walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com, brueckner@linux.ibm.com, pierrick.bouvier@oss.qualcomm.com, jdaley@linux.ibm.com
Subject: [PATCH v11 13/32] s390x/diag: Implement DIAG 508 subcode 1 for signature verification
Date: Tue, 5 May 2026 16:18:45 -0400
Message-ID: <20260505201905.997996-14-zycai@linux.ibm.com>
In-Reply-To: <20260505201905.997996-1-zycai@linux.ibm.com>
References: <20260505201905.997996-1-zycai@linux.ibm.com>

From: Collin Walling

DIAG 508 subcode 1 performs signature-verification on signed components. A signed component may be a Linux kernel image, or any other signed binary. **Verification of initrd is not supported.**

The instruction call expects two item-pairs: an address of a device component, an address of the analogous signature file (in PKCS#7 DER format), and their respective lengths. All of this data should be encapsulated within a Diag508SigVerifBlock.

The DIAG handler will read from the provided addresses to retrieve the necessary data, parse the signature file, then perform the signature-verification. Because there is no way to correlate a specific certificate to a component, each certificate in the store is tried until either verification succeeds, or all certs have been exhausted.

A return code of 1 indicates success, and the index and length of the corresponding certificate will be set in the Diag508SigVerifBlock. The following values indicate failure:

0x0102: no certificates are available in the store
0x0202: component data is invalid
0x0302: PKCS#7 format signature is invalid
0x0402: signature-verification failed
0x0502: length of Diag508SigVerifBlock is invalid

Signed-off-by: Collin Walling
Signed-off-by: Zhuoying Cai
Reviewed-by: Thomas Huth
Reviewed-by: Farhan Ali
--- docs/specs/s390x-secure-ipl.rst | 17 +++++ include/hw/s390x/ipl/diag508.h | 30 +++++++++ target/s390x/diag.c | 111 +++++++++++++++++++++++++++++++- 3 files changed, 157 insertions(+), 1 deletion(-) diff --git a/docs/specs/s390x-secure-ipl.rst b/docs/specs/s390x-secure-ipl.= rst index 488981339d..f35e868e4c 100644 --- a/docs/specs/s390x-secure-ipl.rst +++ b/docs/specs/s390x-secure-ipl.rst 
@@ -80,3 +80,20 @@ that requires assistance from QEMU. =20 Subcode 0 - query installed subcodes Returns a 64-bit mask indicating which subcodes are supported. + +Subcode 1 - perform signature verification + Perform signature-verification on a signed component, using certificat= es + from the certificate store and leveraging qcrypto libraries to perform + this operation. + + Note: verification of initrd is not supported. + + A return code of 1 indicates success, and the index and length of the + corresponding certificate will be set in the Diag508SigVerifBlock. + The following values indicate failure: + + * ``0x0102``: no certificates are available in the store + * ``0x0202``: component data is invalid + * ``0x0302``: PKCS#7 format signature is invalid + * ``0x0402``: signature-verification failed + * ``0x0502``: length of Diag508SigVerifBlock is invalid diff --git a/include/hw/s390x/ipl/diag508.h b/include/hw/s390x/ipl/diag508.h index 6281ad8299..8a147f32a0 100644 --- a/include/hw/s390x/ipl/diag508.h +++ b/include/hw/s390x/ipl/diag508.h 
@@ -11,5 +11,35 @@ #define S390X_DIAG508_H =20 #define DIAG_508_SUBC_QUERY_SUBC 0x0000 +#define DIAG_508_SUBC_SIG_VERIF 0x8000 + +#define DIAG_508_RC_OK 0x0001 +#define DIAG_508_RC_NO_CERTS 0x0102 +#define DIAG_508_RC_INVAL_COMP_DATA 0x0202 +#define DIAG_508_RC_INVAL_PKCS7_SIG 0x0302 +#define DIAG_508_RC_FAIL_VERIF 0x0402 +#define DIAG_508_RC_INVAL_LEN 0x0502 + +/* + * Maximum componenet and signature sizes for current secure boot implemen= tation + * Not architecturally defined and may need to revisit if increased + */ +#define DIAG_508_MAX_COMP_LEN 0x10000000 +#define DIAG_508_MAX_SIG_LEN 4096 + +struct Diag508SigVerifBlock { + uint32_t length; + uint8_t reserved0[3]; + uint8_t version; + uint32_t reserved[2]; + uint8_t cert_store_index; + uint8_t reserved1[7]; + uint64_t cert_len; + uint64_t comp_len; + uint64_t comp_addr; + uint64_t sig_len; + uint64_t sig_addr; +}; +typedef struct Diag508SigVerifBlock Diag508SigVerifBlock; =20 #endif diff --git a/target/s390x/diag.c b/target/s390x/diag.c index 390a543ede..0d548fadd9 100644 --- a/target/s390x/diag.c +++ b/target/s390x/diag.c 
@@ -640,9 +640,110 @@ void handle_diag_320(CPUS390XState *env, uint64_t r1,= uint64_t r3, uintptr_t ra) } } =20 +static bool diag_508_verify_sig(uint8_t *cert, size_t cert_size, + uint8_t *comp, size_t comp_size, + uint8_t *sig, size_t sig_size) +{ + g_autofree uint8_t *sig_pem =3D NULL; + size_t sig_size_pem; + int rc; + + /* + * PKCS#7 signature with DER format + * Convert to PEM format for signature verification + * + * Ignore errors during qcrypto signature format conversion and verifi= cation + * Return false on any error, treating it as a verification failure + */ + rc =3D qcrypto_pkcs7_convert_sig_pem(sig, sig_size, &sig_pem, &sig_siz= e_pem, NULL); + if (rc < 0) { + return false; + } + + rc =3D qcrypto_x509_verify_sig(cert, cert_size, + comp, comp_size, + sig_pem, sig_size_pem, NULL); + if (rc < 0) { + return false; + } + + return true; +} + +static int handle_diag508_sig_verif(uint64_t addr) +{ + int verified; + uint32_t svb_len; + uint64_t comp_len, comp_addr; + uint64_t sig_len, sig_addr; + g_autofree uint8_t *comp =3D NULL; + g_autofree uint8_t *sig =3D NULL; + g_autofree Diag508SigVerifBlock *svb =3D NULL; + size_t svb_size =3D sizeof(Diag508SigVerifBlock); + S390IPLCertificateStore *cs =3D s390_ipl_get_certificate_store(); + + if (!cs->count) { + return DIAG_508_RC_NO_CERTS; + } + + svb =3D g_new0(Diag508SigVerifBlock, 1); + cpu_physical_memory_read(addr, svb, svb_size); + + svb_len =3D be32_to_cpu(svb->length); + if (svb_len !=3D svb_size) { + return DIAG_508_RC_INVAL_LEN; + } + + comp_len =3D be64_to_cpu(svb->comp_len); + comp_addr =3D be64_to_cpu(svb->comp_addr); + sig_len =3D be64_to_cpu(svb->sig_len); + sig_addr =3D be64_to_cpu(svb->sig_addr); + + if (!comp_len || !comp_addr || comp_len > DIAG_508_MAX_COMP_LEN) { + if (comp_len > DIAG_508_MAX_COMP_LEN) { + warn_report("DIAG 0x508: component length %lu exceeds current = maximum %u", + comp_len, DIAG_508_MAX_COMP_LEN); + } + return DIAG_508_RC_INVAL_COMP_DATA; + } + + if (!sig_len || !sig_addr || 
sig_len > DIAG_508_MAX_SIG_LEN) { + if (sig_len > DIAG_508_MAX_SIG_LEN) { + warn_report("DIAG 0x508: signature length %lu exceeds current = maximum %u", + sig_len, DIAG_508_MAX_SIG_LEN); + } + return DIAG_508_RC_INVAL_PKCS7_SIG; + } + + comp =3D g_malloc0(comp_len); + cpu_physical_memory_read(comp_addr, comp, comp_len); + + sig =3D g_malloc0(sig_len); + cpu_physical_memory_read(sig_addr, sig, sig_len); + + for (int i =3D 0; i < cs->count; i++) { + verified =3D diag_508_verify_sig(cs->certs[i].raw, + cs->certs[i].size, + comp, comp_len, + sig, sig_len); + if (verified) { + svb->cert_store_index =3D i; + svb->cert_len =3D cpu_to_be64(cs->certs[i].der_size); + cpu_physical_memory_write(addr, svb, svb_size); + return DIAG_508_RC_OK; + } + } + + return DIAG_508_RC_FAIL_VERIF; +} + +QEMU_BUILD_BUG_MSG(sizeof(Diag508SigVerifBlock) !=3D 64, + "size of Diag508SigVerifBlock is wrong"); + void handle_diag_508(CPUS390XState *env, uint64_t r1, uint64_t r3, uintptr= _t ra) { uint64_t subcode =3D env->regs[r3]; + uint64_t addr =3D env->regs[r1]; int rc; =20 if (env->psw.mask & PSW_MASK_PSTATE) { 
@@ -657,7 +758,15 @@ void handle_diag_508(CPUS390XState *env, uint64_t r1, = uint64_t r3, uintptr_t ra) =20 switch (subcode) { case DIAG_508_SUBC_QUERY_SUBC: - rc =3D 0; + rc =3D DIAG_508_SUBC_SIG_VERIF; + break; + case DIAG_508_SUBC_SIG_VERIF: + if (!diag_parm_addr_valid(addr, sizeof(Diag508SigVerifBlock), true= )) { + s390_program_interrupt(env, PGM_ADDRESSING, ra); + return; + } + + rc =3D handle_diag508_sig_verif(addr); break; default: s390_program_interrupt(env, PGM_SPECIFICATION, ra); --=20 2.54.0
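Review bot: in include/hw/s390x/ipl/diag508.h the comment above DIAG_508_MAX_COMP_LEN misspells "component" as "componenet", and since that comment says the limits are not architecturally defined it would help to record where 0x10000000 and 4096 come from. The reserved fields of Diag508SigVerifBlock appear in the order reserved0, reserved, reserved1; numbering them in layout order would read more clearly.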
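Review bot: in the first target/s390x/diag.c hunk, the DER to PEM conversion sits inside diag_508_verify_sig(), so it is repeated for every certificate and its failure is folded into "return false". A signature blob that does not parse as PKCS#7 therefore walks the whole store and ends in DIAG_508_RC_FAIL_VERIF (0x0402), while DIAG_508_RC_INVAL_PKCS7_SIG (0x0302) is returned only for the zero-length, zero-address and oversize checks. Converting once in handle_diag508_sig_verif() before the loop, and returning DIAG_508_RC_INVAL_PKCS7_SIG when qcrypto_pkcs7_convert_sig_pem() fails, would match the documented meaning of 0x0302 and remove the repeated work. Two smaller points in the same function: comp_len and sig_len are uint64_t but are printed with %lu in the warn_report() calls, where PRIu64 is the portable specifier, and both those warnings and the g_malloc0(comp_len) of up to DIAG_508_MAX_COMP_LEN are driven by guest-supplied values, so a once-only warning and a non-aborting allocation would be safer.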
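Review bot: in the handle_diag_508() hunk, diag_parm_addr_valid() is applied only to the Diag508SigVerifBlock address taken from r1. The comp_addr/comp_len and sig_addr/sig_len pairs read out of that block are later passed to cpu_physical_memory_read() after only the zero and maximum-length checks, so nothing visible in this patch rejects a component or signature range that is not valid guest memory. Consider applying the same validity check to both ranges and returning DIAG_508_RC_INVAL_COMP_DATA or DIAG_508_RC_INVAL_PKCS7_SIG when it fails. Also, DIAG_508_SUBC_SIG_VERIF is now used both as the value returned by the query subcode and as the case label for subcode 1; a short comment saying that this double use is intended would help the next reader.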
From: Zhuoying Cai
To: qemu-s390x@nongnu.org, qemu-devel@nongnu.org
Cc: jrossi@linux.ibm.com, cohuck@redhat.com, berrange@redhat.com, richard.henderson@linaro.org, david@kernel.org, walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com, brueckner@linux.ibm.com, pierrick.bouvier@oss.qualcomm.com, jdaley@linux.ibm.com
Subject: [PATCH v11 14/32] s390x/ipl: Introduce IPL Information Report Block (IIRB)
Date: Tue, 5 May 2026 16:18:46 -0400
Message-ID: <20260505201905.997996-15-zycai@linux.ibm.com>
In-Reply-To: <20260505201905.997996-1-zycai@linux.ibm.com>
References: <20260505201905.997996-1-zycai@linux.ibm.com>

The IPL information report block (IIRB) contains information used to locate IPL records and to report the results of signature verification of one or more secure components of the load device. IIRB is stored immediately following the IPL Parameter Block. Results on component verification in any case (failure or success) are stored.
The IIRB data is reserved and protected by the guest kernel during early boot to prevent it from being overwritten before the certificate data is permanently saved. Signed-off-by: Zhuoying Cai Reviewed-by: Farhan Ali Reviewed-by: Collin Walling --- docs/specs/s390x-secure-ipl.rst | 21 +++++++++++ include/hw/s390x/ipl/qipl.h | 62 +++++++++++++++++++++++++++++++++ 2 files changed, 83 insertions(+) diff --git a/docs/specs/s390x-secure-ipl.rst b/docs/specs/s390x-secure-ipl.= rst index f35e868e4c..c858d5b74b 100644 --- a/docs/specs/s390x-secure-ipl.rst +++ b/docs/specs/s390x-secure-ipl.rst @@ -97,3 +97,24 @@ Subcode 1 - perform signature verification * ``0x0302``: PKCS#7 format signature is invalid * ``0x0402``: signature-verification failed * ``0x0502``: length of Diag508SigVerifBlock is invalid + +IPL Information Report Block +^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +The IPL Parameter Block (IPLPB), utilized for IPL operation, is extended w= ith an +IPL Information Report Block (IIRB), which contains the results from secur= e IPL +operations such as: + +* component data +* verification results +* certificate data + +During early boot, the guest kernel reserves the memory region +containing the IIRB. This preserves the data while the guest kernel is +operating and during re-IPL. + +The guest kernel uses the contents in the IIRB for: + +* Boot logging: reports which components were loaded and verified. +* kexec operations: builds the next kernel=E2=80=99s IPL report from the e= xisting one. +* Keying: installs IPL certificates into the platform trusted keyring. diff --git a/include/hw/s390x/ipl/qipl.h b/include/hw/s390x/ipl/qipl.h index ed1a91182a..45d25264f4 100644 --- a/include/hw/s390x/ipl/qipl.h +++ b/include/hw/s390x/ipl/qipl.h 
@@ -32,6 +32,9 @@ typedef enum S390IplType S390IplType; #define QEMU_DEFAULT_IPL S390_IPL_TYPE_CCW =20 #define MAX_CERTIFICATES 64 +/* largest supported block size - same as VIRTIO_DASD_DEFAULT_BLOCK_SIZE */ +#define VIRTIO_MAX_BLOCK_SIZE 4096 +#define MAX_COMP_ENTRIES ((VIRTIO_MAX_BLOCK_SIZE - 32) / 32) =20 /* * The QEMU IPL Parameters will be stored at absolute address 
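Review bot: The two literal 32s in MAX_COMP_ENTRIES are unexplained and nothing ties them to the structures they size. The divisor matches the 32-byte IplDeviceComponentEntry added later in this patch (8 + 8 + 1 + 5 + 2 + 8), but the subtracted 32 does not match the 16-byte IplInfoBlockHeader that precedes the entries in IplDeviceComponentList; is it meant to cover IplInfoReportBlockHeader plus IplInfoBlockHeader (16 + 16)? Please write the macro in terms of sizeof() on those types, or add a comment saying what each 32 stands for, so the entry limit cannot drift silently if a structure changes.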
@@ -146,4 +149,63 @@ union IplParameterBlock { } QEMU_PACKED; typedef union IplParameterBlock IplParameterBlock; =20 +struct IplInfoReportBlockHeader { + uint32_t len; + uint8_t flags; + uint8_t reserved1[11]; +}; +typedef struct IplInfoReportBlockHeader IplInfoReportBlockHeader; + +struct IplInfoBlockHeader { + uint32_t len; + uint8_t type; + uint8_t reserved1[11]; +}; +typedef struct IplInfoBlockHeader IplInfoBlockHeader; + +enum IplInfoBlockType { + IPL_INFO_BLOCK_TYPE_CERTIFICATES =3D 1, + IPL_INFO_BLOCK_TYPE_COMPONENTS =3D 2, +}; + +struct IplSignatureCertificateEntry { + uint64_t addr; + uint64_t len; +}; +typedef struct IplSignatureCertificateEntry IplSignatureCertificateEntry; + +struct IplSignatureCertificateList { + IplInfoBlockHeader ipl_info_header; + IplSignatureCertificateEntry cert_entries[MAX_CERTIFICATES]; +}; +typedef struct IplSignatureCertificateList IplSignatureCertificateList; + +#define S390_IPL_DEV_COMP_FLAG_SC 0x80 +#define S390_IPL_DEV_COMP_FLAG_CSV 0x40 + +struct IplDeviceComponentEntry { + uint64_t addr; + uint64_t len; + uint8_t flags; + uint8_t reserved1[5]; + uint16_t cert_index; + uint8_t reserved2[8]; +}; +typedef struct IplDeviceComponentEntry IplDeviceComponentEntry; + +struct IplDeviceComponentList { + IplInfoBlockHeader ipl_info_header; + IplDeviceComponentEntry device_entries[MAX_COMP_ENTRIES]; +}; +typedef struct IplDeviceComponentList IplDeviceComponentList; + +#define COMP_LIST_MAX sizeof(IplDeviceComponentList) +#define CERT_LIST_MAX sizeof(IplSignatureCertificateList) + +struct IplInfoReportBlock { + IplInfoReportBlockHeader hdr; + uint8_t info_blks[COMP_LIST_MAX + CERT_LIST_MAX]; +}; +typedef struct IplInfoReportBlock IplInfoReportBlock; + #endif --=20 2.54.0 From nobody Sat May 30 14:52:40 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) 
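Review bot: The structures added in the qipl.h hunk at @@ -146,4 +149,63 @@ define a memory layout shared between the firmware and the guest kernel, yet none of them is marked QEMU_PACKED and there is no compile-time size check, while the IplParameterBlock union directly above them in the context is QEMU_PACKED. The fields are naturally aligned as written (both headers sum to 16 bytes, IplSignatureCertificateEntry to 16, IplDeviceComponentEntry to 32), so a build-time assertion on sizeof for each header and entry type would lock that in and back the arithmetic in MAX_COMP_ENTRIES. It would also help to document what S390_IPL_DEV_COMP_FLAG_SC and S390_IPL_DEV_COMP_FLAG_CSV mean, whether len in the two headers includes the header itself, and the byte order of addr, len and cert_index.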
From: Zhuoying Cai
To: qemu-s390x@nongnu.org, qemu-devel@nongnu.org
Cc: jrossi@linux.ibm.com, cohuck@redhat.com, berrange@redhat.com, richard.henderson@linaro.org, david@kernel.org, walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com, brueckner@linux.ibm.com, pierrick.bouvier@oss.qualcomm.com, jdaley@linux.ibm.com
Subject: [PATCH v11 15/32] pc-bios/s390-ccw: Define memory for IPLB and convert IPLB to pointers
Date: Tue, 5 May 2026 16:18:47 -0400
Message-ID: <20260505201905.997996-16-zycai@linux.ibm.com>
In-Reply-To: <20260505201905.997996-1-zycai@linux.ibm.com>
References: <20260505201905.997996-1-zycai@linux.ibm.com>

Define a memory space for both IPL Parameter Block (IPLB) and IPL Information Report Block (IIRB) since IIRB is stored immediately following IPLB.

Convert IPLB to pointer and it points to the start of the defined memory space. IIRB points to the end of IPLB.
Signed-off-by: Zhuoying Cai Reviewed-by: Thomas Huth Reviewed-by: Farhan Ali --- include/hw/s390x/ipl/qipl.h | 6 ++++++ pc-bios/s390-ccw/iplb.h | 5 +++-- pc-bios/s390-ccw/jump2ipl.c | 6 +++--- pc-bios/s390-ccw/main.c | 34 +++++++++++++++++++--------------- pc-bios/s390-ccw/netmain.c | 8 ++++---- 5 files changed, 35 insertions(+), 24 deletions(-) diff --git a/include/hw/s390x/ipl/qipl.h b/include/hw/s390x/ipl/qipl.h index 45d25264f4..9940f1457c 100644 --- a/include/hw/s390x/ipl/qipl.h +++ b/include/hw/s390x/ipl/qipl.h @@ -208,4 +208,10 @@ struct IplInfoReportBlock { }; typedef struct IplInfoReportBlock IplInfoReportBlock; =20 +struct IplBlocks { + IplParameterBlock iplb; + IplInfoReportBlock iirb; +}; +typedef struct IplBlocks IplBlocks; + #endif diff --git a/pc-bios/s390-ccw/iplb.h b/pc-bios/s390-ccw/iplb.h index 926e8eed5d..c828466f51 100644 --- a/pc-bios/s390-ccw/iplb.h +++ b/pc-bios/s390-ccw/iplb.h @@ -20,8 +20,9 @@ #include =20 extern QemuIplParameters qipl; -extern IplParameterBlock iplb __attribute__((__aligned__(PAGE_SIZE))); +extern IplParameterBlock *iplb; extern bool have_iplb; +extern IplBlocks ipl_data; =20 static inline bool manage_iplb(IplParameterBlock *iplb, bool store) { @@ -61,7 +62,7 @@ static inline bool load_next_iplb(void) =20 qipl.index++; next_iplb =3D (IplParameterBlock *) qipl.next_iplb; - memcpy(&iplb, next_iplb, sizeof(IplParameterBlock)); + memcpy(iplb, next_iplb, sizeof(IplParameterBlock)); =20 qipl.chain_len--; qipl.next_iplb =3D qipl.next_iplb + sizeof(IplParameterBlock); diff --git a/pc-bios/s390-ccw/jump2ipl.c b/pc-bios/s390-ccw/jump2ipl.c index 86321d0f46..fa2ca5cbe1 100644 --- a/pc-bios/s390-ccw/jump2ipl.c +++ b/pc-bios/s390-ccw/jump2ipl.c 
@@ -43,11 +43,11 @@ int jump_to_IPL_code(uint64_t address) * The IPLB for QEMU SCSI type devices must be rebuilt during re-ipl. = The * iplb.devno is set to the boot position of the target SCSI device. */ - if (iplb.pbt =3D=3D S390_IPL_TYPE_QEMU_SCSI) { - iplb.devno =3D qipl.index; + if (iplb->pbt =3D=3D S390_IPL_TYPE_QEMU_SCSI) { + iplb->devno =3D qipl.index; } =20 - if (have_iplb && !set_iplb(&iplb)) { + if (have_iplb && !set_iplb(iplb)) { panic("Failed to set IPLB"); } =20 diff --git a/pc-bios/s390-ccw/main.c b/pc-bios/s390-ccw/main.c index 26287cfd81..e6d4105786 100644 --- a/pc-bios/s390-ccw/main.c +++ b/pc-bios/s390-ccw/main.c @@ -24,7 +24,9 @@ static SubChannelId blk_schid =3D { .one =3D 1 }; static char loadparm_str[LOADPARM_LEN + 1]; QemuIplParameters qipl; -IplParameterBlock iplb __attribute__((__aligned__(PAGE_SIZE))); +/* Ensure that IPLB and IIRB are page aligned and sequential in memory */ +IplBlocks ipl_data __attribute__((__aligned__(PAGE_SIZE))); +IplParameterBlock *iplb; bool have_iplb; static uint16_t cutype; LowCore *lowcore; /* Yes, this *is* a pointer to address 0 */ @@ -53,7 +55,7 @@ void write_subsystem_identification(void) void write_iplb_location(void) { if (cutype =3D=3D CU_TYPE_VIRTIO && virtio_get_device_type() !=3D VIRT= IO_ID_NET) { - lowcore->ptr_iplb =3D ptr2u32(&iplb); + lowcore->ptr_iplb =3D ptr2u32(iplb); } } =20 
@@ -213,14 +215,14 @@ static void boot_setup(void) char lpmsg[] =3D "LOADPARM=3D[________]\n"; VDev *vdev =3D virtio_get_device(); =20 - if (have_iplb && memcmp(iplb.loadparm, NO_LOADPARM, LOADPARM_LEN) !=3D= 0) { - ebcdic_to_ascii((char *) iplb.loadparm, loadparm_str, LOADPARM_LEN= ); + if (have_iplb && memcmp(iplb->loadparm, NO_LOADPARM, LOADPARM_LEN) != =3D 0) { + ebcdic_to_ascii((char *) iplb->loadparm, loadparm_str, LOADPARM_LE= N); } else { sclp_get_loadparm_ascii(loadparm_str); } =20 if (have_iplb) { - vdev->ipl_type =3D iplb.pbt; + vdev->ipl_type =3D iplb->pbt; menu_setup(vdev); } else { vdev->ipl_type =3D QEMU_DEFAULT_IPL; @@ -244,21 +246,21 @@ static bool find_boot_device(void) switch (vdev->ipl_type) { case S390_IPL_TYPE_CCW: vdev->scsi_device_selected =3D false; - debug_print_int("device no. ", iplb.ccw.devno); - blk_schid.ssid =3D iplb.ccw.ssid & 0x3; + debug_print_int("device no. ", iplb->ccw.devno); + blk_schid.ssid =3D iplb->ccw.ssid & 0x3; debug_print_int("ssid ", blk_schid.ssid); - found =3D find_subch(iplb.ccw.devno); + found =3D find_subch(iplb->ccw.devno); break; case S390_IPL_TYPE_QEMU_SCSI: vdev->scsi_device_selected =3D true; - vdev->selected_scsi_device.channel =3D iplb.scsi.channel; - vdev->selected_scsi_device.target =3D iplb.scsi.target; - vdev->selected_scsi_device.lun =3D iplb.scsi.lun; - blk_schid.ssid =3D iplb.scsi.ssid & 0x3; - found =3D find_subch(iplb.scsi.devno); + vdev->selected_scsi_device.channel =3D iplb->scsi.channel; + vdev->selected_scsi_device.target =3D iplb->scsi.target; + vdev->selected_scsi_device.lun =3D iplb->scsi.lun; + blk_schid.ssid =3D iplb->scsi.ssid & 0x3; + found =3D find_subch(iplb->scsi.devno); break; case S390_IPL_TYPE_PCI: - found =3D find_fid(iplb.pci.fid); + found =3D find_fid(iplb->pci.fid); break; default: puts("Unsupported IPLB"); 
@@ -377,10 +379,12 @@ static void probe_boot_device(void) =20 void main(void) { + iplb =3D &ipl_data.iplb; + copy_qipl(); sclp_setup(); css_setup(); - have_iplb =3D store_iplb(&iplb); + have_iplb =3D store_iplb(iplb); if (!have_iplb) { boot_setup(); probe_boot_device(); diff --git a/pc-bios/s390-ccw/netmain.c b/pc-bios/s390-ccw/netmain.c index 651cedf6ef..9b4dfd4638 100644 --- a/pc-bios/s390-ccw/netmain.c +++ b/pc-bios/s390-ccw/netmain.c 
@@ -528,11 +528,11 @@ static bool virtio_setup(void) */ enable_mss_facility(); =20 - if (have_iplb || store_iplb(&iplb)) { - IPL_assert(iplb.pbt =3D=3D S390_IPL_TYPE_CCW, "IPL_TYPE_CCW expect= ed"); - dev_no =3D iplb.ccw.devno; + if (have_iplb || store_iplb(iplb)) { + IPL_assert(iplb->pbt =3D=3D S390_IPL_TYPE_CCW, "IPL_TYPE_CCW expec= ted"); + dev_no =3D iplb->ccw.devno; debug_print_int("device no. ", dev_no); - net_schid.ssid =3D iplb.ccw.ssid & 0x3; + net_schid.ssid =3D iplb->ccw.ssid & 0x3; debug_print_int("ssid ", net_schid.ssid); found =3D find_net_dev(&schib, dev_no); } else { --=20 2.54.0 From nobody Sat May 30 14:52:40 2026 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass(p=reject dis=none) header.from=linux.ibm.com ARC-Seal: i=1; a=rsa-sha256; t=1778012443; cv=none; d=zohomail.com; s=zohoarc; b=Ob8VrdV8iVzNttnGFXDFAUkAn9AODICwkCy3AyUdnQtRx7h8hxGN9+UyydOc6RBmDgvRkLdF3F5uj32GzdwaMWf5GvleVgTJFwk/48MdicRZHgbTIcrN/h039P/EIk+R0eb01Ij/rfRcodrsKBa7NiVn82Q7MySjkGzdbMp/28o= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1778012443; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=8MsBCYamusRb6ayShR97acnW2ypJ1xMoaXcX0D/i+9E=; b=d6ukv2MijJlKEkU4lVyPpDtxwAopsrXov15WtL4mA5CREev1Uv8UXaoxZBfab2GkpkTJo0KDKSv4u/ZGNeP00ve05b68G98z35qr5gAOUljx6fyJQzVyHNt5J8glPIyLDAysmQtHfsCm6NXSk52DcMlWYkxaKNONm5XiJBQvKqE= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=pass header.from= (p=reject dis=none) 
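Review bot: In pc-bios/s390-ccw/main.c, iplb becomes a global pointer that stays NULL until the first statement of main() assigns it, and in this firmware address 0 is real memory (see the "pointer to address 0" comment on lowcore in the same hunk context), so any dereference before that assignment would read or write lowcore instead of faulting. Since ipl_data has static storage, consider initializing the pointer at its definition (IplParameterBlock *iplb = &ipl_data.iplb;) if the firmware build permits address initializers for globals; otherwise add a comment at the definition stating that iplb is valid only once main() has run, because jump2ipl.c and netmain.c now depend on that ordering too. Separately, the commit message says the IIRB points to the end of the IPLB, but no IIRB pointer is added here; a compile-time check that offsetof(IplBlocks, iirb) equals sizeof(IplParameterBlock) would document the "immediately following" layout that struct IplBlocks relies on.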
From: Zhuoying Cai
To: qemu-s390x@nongnu.org, qemu-devel@nongnu.org
Cc: jrossi@linux.ibm.com, cohuck@redhat.com, berrange@redhat.com, richard.henderson@linaro.org, david@kernel.org, walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com, brueckner@linux.ibm.com, pierrick.bouvier@oss.qualcomm.com, jdaley@linux.ibm.com
Subject: [PATCH v11 16/32] hw/s390x/ipl: Add IPIB flags to IPL Parameter Block
Date: Tue, 5 May 2026 16:18:48 -0400
Message-ID: <20260505201905.997996-17-zycai@linux.ibm.com>
In-Reply-To: <20260505201905.997996-1-zycai@linux.ibm.com>
References: <20260505201905.997996-1-zycai@linux.ibm.com>

Add IPIB flags to IPL Parameter Block to determine if IPL needs to perform securely and if IPL Information Report Block (IIRB) exists.

Move DIAG308 flags to a separate header file and add flags for secure IPL.

Move IPLB length related definitions to include/hw/s390x/ipl/qipl.h and add a maximum length constant to support secure IPL.

Secure boot in audit mode will perform if certificate(s) exist in the key store. IIRB will exist and results of verification will be stored in IIRB.
To ensure proper alignment of the IIRB and prevent overlap, set iplb->len to the maximum length of the IPLB, allowing alignment constraints to be determined based on its size. Signed-off-by: Zhuoying Cai Reviewed-by: Thomas Huth Reviewed-by: Collin Walling --- hw/s390x/ipl.c | 21 +++++++++++++++++++++ hw/s390x/ipl.h | 24 ------------------------ include/hw/s390x/ipl/diag308.h | 34 ++++++++++++++++++++++++++++++++++ include/hw/s390x/ipl/qipl.h | 13 ++++++++++++- 4 files changed, 67 insertions(+), 25 deletions(-) create mode 100644 include/hw/s390x/ipl/diag308.h diff --git a/hw/s390x/ipl.c b/hw/s390x/ipl.c index fbef46aee5..f4311f6d62 100644 --- a/hw/s390x/ipl.c +++ b/hw/s390x/ipl.c @@ -461,6 +461,13 @@ S390IPLCertificateStore *s390_ipl_get_certificate_stor= e(void) return &ipl->cert_store; } =20 +static bool s390_has_certificate(void) +{ + S390IPLState *ipl =3D get_ipl_device(); + + return ipl->cert_store.count > 0; +} + static bool s390_build_iplb(DeviceState *dev_st, IplParameterBlock *iplb) { CcwDevice *ccw_dev =3D NULL; @@ -517,6 +524,20 @@ static bool s390_build_iplb(DeviceState *dev_st, IplPa= rameterBlock *iplb) s390_ipl_convert_loadparm((char *)lp, iplb->loadparm); iplb->flags |=3D DIAG308_FLAGS_LP_VALID; =20 + /* + * Secure boot in audit mode will perform + * if certificate(s) exist in the key store. + * + * IPL Information Report Block (IIRB) will exist + * for secure boot in audit mode. + * + * Results of secure boot will be stored in IIRB. + */ + if (s390_has_certificate()) { + iplb->hdr_flags |=3D DIAG308_IPIB_FLAGS_IPLIR; + iplb->len =3D cpu_to_be32(S390_IPLB_MAX_LEN); + } + return true; } =20 diff --git a/hw/s390x/ipl.h b/hw/s390x/ipl.h index f5a49a4431..9807ef18f2 100644 --- a/hw/s390x/ipl.h +++ b/hw/s390x/ipl.h 
@@ -23,7 +23,6 @@ #include "qom/object.h" #include "target/s390x/kvm/pv.h" =20 -#define DIAG308_FLAGS_LP_VALID 0x80 #define MAX_BOOT_DEVS 8 /* Max number of devices that may have a bootindex= */ =20 void s390_ipl_convert_loadparm(char *ascii_lp, uint8_t *ebcdic_lp); @@ -90,29 +89,6 @@ struct S390IPLState { }; QEMU_BUILD_BUG_MSG(offsetof(S390IPLState, iplb) & 3, "alignment of iplb wr= ong"); =20 -#define DIAG_308_RC_OK 0x0001 -#define DIAG_308_RC_NO_CONF 0x0102 -#define DIAG_308_RC_INVALID 0x0402 -#define DIAG_308_RC_NO_PV_CONF 0x0902 -#define DIAG_308_RC_INVAL_FOR_PV 0x0a02 - -#define DIAG308_RESET_MOD_CLR 0 -#define DIAG308_RESET_LOAD_NORM 1 -#define DIAG308_LOAD_CLEAR 3 -#define DIAG308_LOAD_NORMAL_DUMP 4 -#define DIAG308_SET 5 -#define DIAG308_STORE 6 -#define DIAG308_PV_SET 8 -#define DIAG308_PV_STORE 9 -#define DIAG308_PV_START 10 - -#define S390_IPLB_HEADER_LEN 8 -#define S390_IPLB_MIN_PV_LEN 148 -#define S390_IPLB_MIN_CCW_LEN 200 -#define S390_IPLB_MIN_FCP_LEN 384 -#define S390_IPLB_MIN_PCI_LEN 376 -#define S390_IPLB_MIN_QEMU_SCSI_LEN 200 - static inline bool iplb_valid_len(IplParameterBlock *iplb) { return be32_to_cpu(iplb->len) <=3D sizeof(IplParameterBlock); diff --git a/include/hw/s390x/ipl/diag308.h b/include/hw/s390x/ipl/diag308.h new file mode 100644 index 0000000000..6e62f29215 --- /dev/null +++ b/include/hw/s390x/ipl/diag308.h 
@@ -0,0 +1,34 @@ +/* + * S/390 DIAGNOSE 308 definitions and structures + * + * Copyright 2025 IBM Corp. + * Author(s): Zhuoying Cai + * + * SPDX-License-Identifier: GPL-2.0-or-later + */ + +#ifndef S390X_DIAG308_H +#define S390X_DIAG308_H + +#define DIAG_308_RC_OK 0x0001 +#define DIAG_308_RC_NO_CONF 0x0102 +#define DIAG_308_RC_INVALID 0x0402 +#define DIAG_308_RC_NO_PV_CONF 0x0902 +#define DIAG_308_RC_INVAL_FOR_PV 0x0a02 + +#define DIAG308_RESET_MOD_CLR 0 +#define DIAG308_RESET_LOAD_NORM 1 +#define DIAG308_LOAD_CLEAR 3 +#define DIAG308_LOAD_NORMAL_DUMP 4 +#define DIAG308_SET 5 +#define DIAG308_STORE 6 +#define DIAG308_PV_SET 8 +#define DIAG308_PV_STORE 9 +#define DIAG308_PV_START 10 + +#define DIAG308_FLAGS_LP_VALID 0x80 + +#define DIAG308_IPIB_FLAGS_SIPL 0x40 +#define DIAG308_IPIB_FLAGS_IPLIR 0x20 + +#endif diff --git a/include/hw/s390x/ipl/qipl.h b/include/hw/s390x/ipl/qipl.h index 9940f1457c..a2180719b1 100644 --- a/include/hw/s390x/ipl/qipl.h +++ b/include/hw/s390x/ipl/qipl.h @@ -12,6 +12,8 @@ #ifndef S390X_QIPL_H #define S390X_QIPL_H =20 +#include "diag308.h" + /* Boot Menu flags */ #define QIPL_FLAG_BM_OPTS_CMD 0x80 #define QIPL_FLAG_BM_OPTS_ZIPL 0x40 @@ -31,6 +33,14 @@ typedef enum S390IplType S390IplType; =20 #define QEMU_DEFAULT_IPL S390_IPL_TYPE_CCW =20 +#define S390_IPLB_HEADER_LEN 8 +#define S390_IPLB_MIN_PV_LEN 148 +#define S390_IPLB_MIN_CCW_LEN 200 +#define S390_IPLB_MIN_FCP_LEN 384 +#define S390_IPLB_MIN_PCI_LEN 376 +#define S390_IPLB_MIN_QEMU_SCSI_LEN 200 +#define S390_IPLB_MAX_LEN 4096 + #define MAX_CERTIFICATES 64 /* largest supported block size - same as VIRTIO_DASD_DEFAULT_BLOCK_SIZE */ #define VIRTIO_MAX_BLOCK_SIZE 4096 
@@ -125,7 +135,8 @@ typedef struct IplBlockPci IplBlockPci; union IplParameterBlock { struct { uint32_t len; - uint8_t reserved0[3]; + uint8_t hdr_flags; + uint8_t reserved0[2]; uint8_t version; uint32_t blk0_len; uint8_t pbt; --=20 2.54.0
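Review bot: In the include/hw/s390x/ipl/qipl.h hunk that moves the S390_IPLB_* lengths, the new S390_IPLB_MAX_LEN 4096 has no visible tie to iplb_valid_len(), which still compares be32_to_cpu(iplb->len) against sizeof(IplParameterBlock). If the two are meant to be the same bound, add a build-time assertion that sizeof(IplParameterBlock) equals S390_IPLB_MAX_LEN, next to the existing QEMU_BUILD_BUG_MSG alignment check in ipl.h, so that a guest-supplied length is never validated against two limits that can drift apart. If they are different bounds, a comment saying which callers use which would help.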
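Review bot: The union IplParameterBlock hunk in qipl.h turns the first byte of reserved0[3] into hdr_flags, but nothing in the patch says which bit definitions belong to that byte. The new diag308.h places DIAG308_FLAGS_LP_VALID 0x80 next to DIAG308_IPIB_FLAGS_SIPL 0x40 and DIAG308_IPIB_FLAGS_IPLIR 0x20 with no comment naming the field each group applies to. A one-line comment on hdr_flags and on each define group would keep the two flag sets from being tested against the wrong byte. The 1 + 2 byte split keeps the header the same size, so the layout change itself looks fine.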
From: Zhuoying Cai
To: qemu-s390x@nongnu.org, qemu-devel@nongnu.org
Cc: jrossi@linux.ibm.com, cohuck@redhat.com, berrange@redhat.com, richard.henderson@linaro.org, david@kernel.org, walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com, brueckner@linux.ibm.com, pierrick.bouvier@oss.qualcomm.com, jdaley@linux.ibm.com
Subject: [PATCH v11 17/32] s390x: Guest support for Secure-IPL Facility
Date: Tue, 5 May 2026 16:18:49 -0400
Message-ID: <20260505201905.997996-18-zycai@linux.ibm.com>
In-Reply-To: <20260505201905.997996-1-zycai@linux.ibm.com>
References: <20260505201905.997996-1-zycai@linux.ibm.com>

Introduce Secure-IPL (SIPL) facility. Use fac_ipl to represent bytes 136 and 137 for IPL device facilities of the SCLP Read Info block. Availability of SIPL facility is determined by byte 136 bit 1 of the SCLP Read Info block. Byte 136's facilities cannot be represented without the availability of the extended-length-SCCB, so add it as a check for consistency. Secure IPL is not available for guests under protected virtualization. This feature is available starting with the gen16 CPU model.
Signed-off-by: Zhuoying Cai Reviewed-by: Collin Walling Reviewed-by: Thomas Huth --- hw/s390x/sclp.c | 2 ++ include/hw/s390x/sclp.h | 4 +++- target/s390x/cpu_features.c | 4 ++++ target/s390x/cpu_features.h | 1 + target/s390x/cpu_features_def.h.inc | 3 +++ target/s390x/cpu_models.c | 2 ++ target/s390x/gen-features.c | 2 ++ target/s390x/kvm/kvm.c | 3 +++ 8 files changed, 20 insertions(+), 1 deletion(-) diff --git a/hw/s390x/sclp.c b/hw/s390x/sclp.c index b9c3983df1..666bae33f0 100644 --- a/hw/s390x/sclp.c +++ b/hw/s390x/sclp.c @@ -146,6 +146,8 @@ static void read_SCP_info(SCLPDevice *sclp, SCCB *sccb) if (s390_has_feat(S390_FEAT_EXTENDED_LENGTH_SCCB)) { s390_get_feat_block(S390_FEAT_TYPE_SCLP_FAC134, &read_info->fac134); + s390_get_feat_block(S390_FEAT_TYPE_SCLP_FAC_IPL, + read_info->fac_ipl); } =20 read_info->facilities =3D cpu_to_be64(SCLP_HAS_CPU_INFO | diff --git a/include/hw/s390x/sclp.h b/include/hw/s390x/sclp.h index ddc61f1c21..a9595d8007 100644 --- a/include/hw/s390x/sclp.h +++ b/include/hw/s390x/sclp.h @@ -136,7 +136,9 @@ typedef struct ReadInfo { uint32_t hmfai; uint8_t _reserved7[134 - 128]; /* 128-133 */ uint8_t fac134; - uint8_t _reserved8[144 - 135]; /* 135-143 */ + uint8_t _reserved8; + uint8_t fac_ipl[2]; /* 136-137 */ + uint8_t _reserved9[144 - 138]; /* 138-143 */ struct CPUEntry entries[]; /* * When the Extended-Length SCCB (ELS) feature is enabled the diff --git a/target/s390x/cpu_features.c b/target/s390x/cpu_features.c index 436471f4b4..200bd8c15b 100644 --- a/target/s390x/cpu_features.c +++ b/target/s390x/cpu_features.c @@ -119,6 +119,7 @@ void s390_fill_feat_block(const S390FeatBitmap features= , S390FeatType type, * Some facilities are not available for CPUs in protected mode: * - All SIE facilities because SIE is not available * - DIAG318 + * - Secure IPL Facility * * As VMs can move in and out of protected mode the CPU model * doesn't protect us from that problem because it is only 
@@ -149,6 +150,9 @@ void s390_fill_feat_block(const S390FeatBitmap features= , S390FeatType type, clear_be_bit(s390_feat_def(S390_FEAT_DIAG_318)->bit, data); clear_be_bit(s390_feat_def(S390_FEAT_CERT_STORE)->bit, data); break; + case S390_FEAT_TYPE_SCLP_FAC_IPL: + clear_be_bit(s390_feat_def(S390_FEAT_SIPL)->bit, data); + break; default: return; } diff --git a/target/s390x/cpu_features.h b/target/s390x/cpu_features.h index 5635839d03..b038198555 100644 --- a/target/s390x/cpu_features.h +++ b/target/s390x/cpu_features.h @@ -24,6 +24,7 @@ typedef enum { S390_FEAT_TYPE_SCLP_CONF_CHAR, S390_FEAT_TYPE_SCLP_CONF_CHAR_EXT, S390_FEAT_TYPE_SCLP_FAC134, + S390_FEAT_TYPE_SCLP_FAC_IPL, S390_FEAT_TYPE_SCLP_CPU, S390_FEAT_TYPE_MISC, S390_FEAT_TYPE_PLO, diff --git a/target/s390x/cpu_features_def.h.inc b/target/s390x/cpu_feature= s_def.h.inc index 2976ecd0ee..bcf8a666e4 100644 --- a/target/s390x/cpu_features_def.h.inc +++ b/target/s390x/cpu_features_def.h.inc @@ -140,6 +140,9 @@ DEF_FEAT(SIE_IBS, "ibs", SCLP_CONF_CHAR_EXT, 10, "SIE: = Interlock-and-broadcast-s DEF_FEAT(DIAG_318, "diag318", SCLP_FAC134, 0, "Control program name and ve= rsion codes") DEF_FEAT(CERT_STORE, "cstore", SCLP_FAC134, 5, "Certificate Store function= s") =20 +/* Features exposed via SCLP SCCB Facilities byte 136 - 137 (bit numbers r= elative to byte-136) */ +DEF_FEAT(SIPL, "sipl", SCLP_FAC_IPL, 1, "Secure-IPL facility") + /* Features exposed via SCLP CPU info. */ DEF_FEAT(SIE_F2, "sief2", SCLP_CPU, 4, "SIE: interception format 2 (Virtua= l SIE)") DEF_FEAT(SIE_SKEY, "skey", SCLP_CPU, 5, "SIE: Storage-key facility") diff --git a/target/s390x/cpu_models.c b/target/s390x/cpu_models.c index 962f135f42..a52e34aa95 100644 --- a/target/s390x/cpu_models.c +++ b/target/s390x/cpu_models.c @@ -263,6 +263,7 @@ bool s390_has_feat(S390Feat feat) case S390_FEAT_SIE_CMMA: case S390_FEAT_SIE_PFMFI: case S390_FEAT_SIE_IBS: + case S390_FEAT_SIPL: case S390_FEAT_CONFIGURATION_TOPOLOGY: return false; break; 
@@ -507,6 +508,7 @@ static void check_consistency(const S390CPUModel *model) { S390_FEAT_AP_QUEUE_INTERRUPT_CONTROL, S390_FEAT_AP }, { S390_FEAT_DIAG_318, S390_FEAT_EXTENDED_LENGTH_SCCB }, { S390_FEAT_CERT_STORE, S390_FEAT_EXTENDED_LENGTH_SCCB }, + { S390_FEAT_SIPL, S390_FEAT_EXTENDED_LENGTH_SCCB }, { S390_FEAT_NNPA, S390_FEAT_VECTOR }, { S390_FEAT_RDP, S390_FEAT_LOCAL_TLB_CLEARING }, { S390_FEAT_UV_FEAT_AP, S390_FEAT_AP }, diff --git a/target/s390x/gen-features.c b/target/s390x/gen-features.c index 6c20c3a862..bd2060ab93 100644 --- a/target/s390x/gen-features.c +++ b/target/s390x/gen-features.c @@ -721,6 +721,7 @@ static uint16_t full_GEN16_GA1[] =3D { S390_FEAT_UV_FEAT_AP, S390_FEAT_UV_FEAT_AP_INTR, S390_FEAT_CERT_STORE, + S390_FEAT_SIPL, }; =20 static uint16_t full_GEN17_GA1[] =3D { @@ -922,6 +923,7 @@ static uint16_t qemu_MAX[] =3D { S390_FEAT_PRNO_TRNG, S390_FEAT_EXTENDED_LENGTH_SCCB, S390_FEAT_CERT_STORE, + S390_FEAT_SIPL, }; =20 /****** END FEATURE DEFS ******/ diff --git a/target/s390x/kvm/kvm.c b/target/s390x/kvm/kvm.c index 82f7fed9ec..e76ff37cc3 100644 --- a/target/s390x/kvm/kvm.c +++ b/target/s390x/kvm/kvm.c 
@@ -2492,6 +2492,9 @@ bool kvm_s390_get_host_cpu_model(S390CPUModel *model,= Error **errp) =20 set_bit(S390_FEAT_CERT_STORE, model->features); =20 + /* Some Secure IPL facilities are emulated by QEMU */ + set_bit(S390_FEAT_SIPL, model->features); + /* Test for Ultravisor features that influence secure guest behavior */ query_uv_feat_guest(model->features); =20 --=20 2.54.0
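Review bot: In the ReadInfo hunk in include/hw/s390x/sclp.h, the new single-byte _reserved8 lost the offset comment the old array carried; add /* 135 */ so the layout stays auditable. fac_ipl[2] has to land at bytes 136-137 for the guest to read the SIPL bit from the right place, so a build-time offsetof() assertion on fac_ipl, and on entries at 144, would be cheap insurance against a later edit shifting it.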
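Review bot: In the kvm_s390_get_host_cpu_model() hunk in target/s390x/kvm/kvm.c, set_bit(S390_FEAT_SIPL, model->features) is unconditional, while the check_consistency() hunk in this same patch declares that S390_FEAT_SIPL depends on S390_FEAT_EXTENDED_LENGTH_SCCB, and read_SCP_info() only fills fac_ipl when that feature is present. Either guard the set_bit on the extended-length-SCCB feature being in the host model, or state in the comment why the dependency always holds at this point. The comment "Some Secure IPL facilities are emulated by QEMU" would also be more useful if it named which parts are emulated.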
From: Zhuoying Cai
To: qemu-s390x@nongnu.org, qemu-devel@nongnu.org
Cc: jrossi@linux.ibm.com, cohuck@redhat.com, berrange@redhat.com, richard.henderson@linaro.org, david@kernel.org, walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com, brueckner@linux.ibm.com, pierrick.bouvier@oss.qualcomm.com, jdaley@linux.ibm.com
Subject: [PATCH v11 18/32] pc-bios/s390-ccw: Refactor zipl_run()
Date: Tue, 5 May 2026 16:18:50 -0400
Message-ID: <20260505201905.997996-19-zycai@linux.ibm.com>
In-Reply-To: <20260505201905.997996-1-zycai@linux.ibm.com>
References: <20260505201905.997996-1-zycai@linux.ibm.com>

Refactor to enhance readability before enabling secure IPL in later patches. Signed-off-by: Zhuoying Cai Reviewed-by: Thomas Huth Reviewed-by: Jared Rossi Reviewed-by: Collin Walling --- pc-bios/s390-ccw/bootmap.c | 51 ++++++++++++++++++++++++-------------- 1 file changed, 33 insertions(+), 18 deletions(-) diff --git a/pc-bios/s390-ccw/bootmap.c b/pc-bios/s390-ccw/bootmap.c index 420ee32eff..b9ba004cfc 100644 --- a/pc-bios/s390-ccw/bootmap.c +++ b/pc-bios/s390-ccw/bootmap.c
@@ -674,12 +674,42 @@ static int zipl_load_segment(ComponentEntry *entry) return 0; } =20 +static int zipl_run_normal(ComponentEntry **entry_ptr, uint8_t *tmp_sec) +{ + ComponentEntry *entry =3D *entry_ptr; + + while (entry->component_type =3D=3D ZIPL_COMP_ENTRY_LOAD || + entry->component_type =3D=3D ZIPL_COMP_ENTRY_SIGNATURE) { + + /* Secure boot is off, so we skip signature entries */ + if (entry->component_type =3D=3D ZIPL_COMP_ENTRY_SIGNATURE) { + entry++; + continue; + } + + if (zipl_load_segment(entry)) { + return -1; + } + + entry++; + + if ((uint8_t *)&entry[1] > tmp_sec + MAX_SECTOR_SIZE) { + puts("Wrong entry value"); + return -EINVAL; + } + } + + *entry_ptr =3D entry; + return 0; +} + /* Run a zipl program */ static int zipl_run(ScsiBlockPtr *pte) { ComponentHeader *header; ComponentEntry *entry; uint8_t tmp_sec[MAX_SECTOR_SIZE]; + int rc; =20 if (virtio_read(pte->blockno, tmp_sec)) { puts("Cannot read header"); 
@@ -700,25 +730,10 @@ static int zipl_run(ScsiBlockPtr *pte) =20 /* Load image(s) into RAM */ entry =3D (ComponentEntry *)(&header[1]); - while (entry->component_type =3D=3D ZIPL_COMP_ENTRY_LOAD || - entry->component_type =3D=3D ZIPL_COMP_ENTRY_SIGNATURE) { - - /* We don't support secure boot yet, so we skip signature entries = */ - if (entry->component_type =3D=3D ZIPL_COMP_ENTRY_SIGNATURE) { - entry++; - continue; - } - - if (zipl_load_segment(entry)) { - return -1; - } =20 - entry++; - - if ((uint8_t *)(&entry[1]) > (tmp_sec + MAX_SECTOR_SIZE)) { - puts("Wrong entry value"); - return -EINVAL; - } + rc =3D zipl_run_normal(&entry, tmp_sec); + if (rc) { + return rc; } =20 if (entry->component_type !=3D ZIPL_COMP_ENTRY_EXEC) { --=20 2.54.0
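Review bot: In the new zipl_run_normal() in pc-bios/s390-ccw/bootmap.c, the signature branch does entry++ followed by continue, so the (uint8_t *)&entry[1] > tmp_sec + MAX_SECTOR_SIZE check is only reached after a load entry. The loop condition then reads entry->component_type for the next entry with no bound applied, so a component table made up of signature entries can advance the pointer past tmp_sec. This is carried over from the old loop, but since the code is being moved anyway, do the increment and the bounds check in one place that both branches pass through. Separately, the helper returns -1 when zipl_load_segment() fails and -EINVAL for the bounds failure; now that zipl_run() forwards rc, an errno-style value in both cases would be more consistent.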
From: Zhuoying Cai
To: qemu-s390x@nongnu.org, qemu-devel@nongnu.org
Cc: jrossi@linux.ibm.com, cohuck@redhat.com, berrange@redhat.com, richard.henderson@linaro.org, david@kernel.org, walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com, brueckner@linux.ibm.com, pierrick.bouvier@oss.qualcomm.com, jdaley@linux.ibm.com
Subject: [PATCH v11 19/32] pc-bios/s390-ccw: Rework zipl_load_segment function
Date: Tue, 5 May 2026 16:18:51 -0400
Message-ID: <20260505201905.997996-20-zycai@linux.ibm.com>
In-Reply-To: <20260505201905.997996-1-zycai@linux.ibm.com>
References: <20260505201905.997996-1-zycai@linux.ibm.com>

Change zipl_load_segment() to accept explicit blockno and address parameters instead of ComponentEntry pointer and return segment length. Modify this function to allow the caller to specify a memory address where segment data should be loaded into. seg_len variable is necessary to store the calculated segment length and is used during signature verification. Return the length on success, or a negative return code on failure.
Remove static qualifier and add function declaration to bootmap.h to make it accessible to other modules. Signed-off-by: Zhuoying Cai Reviewed-by: Thomas Huth Reviewed-by: Collin Walling --- pc-bios/s390-ccw/bootmap.c | 18 ++++++++++-------- pc-bios/s390-ccw/bootmap.h | 2 ++ 2 files changed, 12 insertions(+), 8 deletions(-) diff --git a/pc-bios/s390-ccw/bootmap.c b/pc-bios/s390-ccw/bootmap.c index b9ba004cfc..b19981feb1 100644 --- a/pc-bios/s390-ccw/bootmap.c +++ b/pc-bios/s390-ccw/bootmap.c @@ -613,19 +613,19 @@ static int ipl_eckd(void) * IPL a SCSI disk */ =20 -static int zipl_load_segment(ComponentEntry *entry) +/* + * Returns: length of the segment on success, + * negative value on error. + */ +int zipl_load_segment(block_number_t blockno, uint64_t address) { const int max_entries =3D (MAX_SECTOR_SIZE / sizeof(ScsiBlockPtr)); ScsiBlockPtr *bprs =3D (void *)sec; const int bprs_size =3D sizeof(sec); - block_number_t blockno; - uint64_t address; int i; char err_msg[] =3D "zIPL failed to read BPRS at 0xZZZZZZZZZZZZZZZZ"; char *blk_no =3D &err_msg[30]; /* where to print blockno in (those ZZs= ) */ - - blockno =3D entry->data.blockno; - address =3D entry->compdat.load_addr; + int seg_len =3D 0; =20 debug_print_int("loading segment at block", blockno); debug_print_int("addr", address); @@ -668,10 +668,12 @@ static int zipl_load_segment(ComponentEntry *entry) puts("zIPL load segment failed"); return -EIO; } + + seg_len +=3D bprs->size * (bprs[i].blockct + 1); } } while (blockno); =20 - return 0; + return seg_len; } =20 static int zipl_run_normal(ComponentEntry **entry_ptr, uint8_t *tmp_sec) @@ -687,7 +689,7 @@ static int zipl_run_normal(ComponentEntry **entry_ptr, = uint8_t *tmp_sec) continue; } =20 - if (zipl_load_segment(entry)) { + if (zipl_load_segment(entry->data.blockno, entry->compdat.load_add= r) < 0) { return -1; } =20 diff --git a/pc-bios/s390-ccw/bootmap.h b/pc-bios/s390-ccw/bootmap.h index 95943441d3..8d61ac383c 100644 --- a/pc-bios/s390-ccw/bootmap.h 
+++ b/pc-bios/s390-ccw/bootmap.h 
@@ -113,6 +113,8 @@ typedef struct ScsiMbr { ScsiBlockPtr pt; /* block pointer to program table */ } __attribute__ ((packed)) ScsiMbr; =20 +int zipl_load_segment(block_number_t blockno, uint64_t address); + #define ZIPL_MAGIC "zIPL" #define ZIPL_MAGIC_EBCDIC "\xa9\xc9\xd7\xd3" #define IPL1_MAGIC "\xc9\xd7\xd3\xf1" /* =3D=3D "IPL1" in EBCDIC */ --=20 2.54.0
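Review bot: in the bootmap.c hunk at @@ -668,10 +668,12 @@ of [PATCH v11 19/32], the new line "seg_len += bprs->size * (bprs[i].blockct + 1);" takes the block size from bprs->size, which is entry 0 of the table, while the block count comes from entry i. If the entries can carry different sizes, the returned length no longer matches what was loaded, and the commit message says this length is later used for signature verification, so bprs[i].size looks like what is meant. seg_len is also a plain int that is summed across every block pointer with no overflow check, and the same int doubles as the error channel (the caller in zipl_run_normal() tests "< 0"), so a large enough total would wrap into a value that reads as a failure or as a shorter segment. Consider a wider unsigned accumulator with an explicit upper bound, or returning the length through an out parameter and keeping the return value for the error code.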
From: Zhuoying Cai
To: qemu-s390x@nongnu.org, qemu-devel@nongnu.org
Cc: jrossi@linux.ibm.com, cohuck@redhat.com, berrange@redhat.com, richard.henderson@linaro.org, david@kernel.org, walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com, brueckner@linux.ibm.com, pierrick.bouvier@oss.qualcomm.com, jdaley@linux.ibm.com
Subject: [PATCH v11 20/32] pc-bios/s390-ccw: Introduce ZiplBootMode enum for IPL mode selection
Date: Tue, 5 May 2026 16:18:52 -0400
Message-ID: <20260505201905.997996-21-zycai@linux.ibm.com>
In-Reply-To: <20260505201905.997996-1-zycai@linux.ibm.com>
References: <20260505201905.997996-1-zycai@linux.ibm.com>
Content-Transfer-Encoding: quoted-printable

Add ZiplBootMode enumeration to support multiple IPL boot configurations. Boot modes differentiate between normal boot and secure IPL operations, enabled based on boot certificates specified via the boot-certs option. Normal Mode: IPL when no certificates are provided. No signature verification is performed. This prepares for future secure IPL modes requiring signature verification.
Signed-off-by: Zhuoying Cai Reviewed-by: Collin Walling --- docs/system/s390x/secure-ipl.rst | 21 +++++++++++++++++++++ pc-bios/s390-ccw/bootmap.c | 16 +++++++++++++++- pc-bios/s390-ccw/main.c | 6 ++++++ pc-bios/s390-ccw/s390-ccw.h | 6 ++++++ 4 files changed, 48 insertions(+), 1 deletion(-) diff --git a/docs/system/s390x/secure-ipl.rst b/docs/system/s390x/secure-ip= l.rst index 88df52ce2f..9d7d33f5ed 100644 --- a/docs/system/s390x/secure-ipl.rst +++ b/docs/system/s390x/secure-ipl.rst @@ -18,3 +18,24 @@ Note: certificate files must have a .pem extension. .. code-block:: shell =20 qemu-system-s390x -machine s390-ccw-virtio,boot-certs.0.path=3D/.../qe= mu/certs,boot-certs.1.path=3D/another/path/cert.pem ... + + +IPL Modes +--------- + +Multiple IPL modes are available to differentiate between the various IPL +configurations. These modes are mutually exclusive and enabled based on the +``boot-certs`` option on the QEMU command line. + +Normal Mode +^^^^^^^^^^^ + +The absence of certificates will attempt to IPL a guest without secure IPL +operations. No checks are performed, and no warnings/errors are reported. +This is the default mode. + +Configuration: + +.. code-block:: shell + + qemu-system-s390x -machine s390-ccw-virtio ... diff --git a/pc-bios/s390-ccw/bootmap.c b/pc-bios/s390-ccw/bootmap.c index b19981feb1..667a69f80d 100644 --- a/pc-bios/s390-ccw/bootmap.c +++ b/pc-bios/s390-ccw/bootmap.c @@ -733,7 +733,14 @@ static int zipl_run(ScsiBlockPtr *pte) /* Load image(s) into RAM */ entry =3D (ComponentEntry *)(&header[1]); =20 - rc =3D zipl_run_normal(&entry, tmp_sec); + switch (boot_mode) { + case ZIPL_BOOT_MODE_NORMAL: + rc =3D zipl_run_normal(&entry, tmp_sec); + break; + default: + panic("Unknown boot mode"); + } + if (rc) { return rc; } 
@@ -1105,12 +1112,16 @@ void zipl_load(void) VDev *vdev =3D virtio_get_device(); =20 if (vdev->is_cdrom) { + IPL_assert((boot_mode =3D=3D ZIPL_BOOT_MODE_NORMAL), + "Secure boot from ISO image is not supported!"); ipl_iso_el_torito(); puts("Failed to IPL this ISO image!"); return; } =20 if (virtio_get_device_type() =3D=3D VIRTIO_ID_NET) { + IPL_assert((boot_mode =3D=3D ZIPL_BOOT_MODE_NORMAL), + "Virtio net boot device does not support secure boot!"= ); netmain(); puts("Failed to IPL from this network!"); return; @@ -1121,6 +1132,9 @@ void zipl_load(void) return; } =20 + IPL_assert((boot_mode =3D=3D ZIPL_BOOT_MODE_NORMAL), + "Secure boot with the ECKD scheme is not supported!"); + switch (virtio_get_device_type()) { case VIRTIO_ID_BLOCK: zipl_load_vblk(); diff --git a/pc-bios/s390-ccw/main.c b/pc-bios/s390-ccw/main.c index e6d4105786..66544f75f5 100644 --- a/pc-bios/s390-ccw/main.c +++ b/pc-bios/s390-ccw/main.c @@ -30,6 +30,7 @@ IplParameterBlock *iplb; bool have_iplb; static uint16_t cutype; LowCore *lowcore; /* Yes, this *is* a pointer to address 0 */ +ZiplBootMode boot_mode; =20 #define LOADPARM_PROMPT "PROMPT " #define LOADPARM_EMPTY " " @@ -303,6 +304,9 @@ static void ipl_ccw_device(void) switch (cutype) { case CU_TYPE_DASD_3990: case CU_TYPE_DASD_2107: + IPL_assert((boot_mode =3D=3D ZIPL_BOOT_MODE_NORMAL), + "Passthrough (vfio) CCW device does not support secure= boot!"); + dasd_ipl(blk_schid, cutype); break; case CU_TYPE_VIRTIO: @@ -390,6 +394,8 @@ void main(void) probe_boot_device(); } =20 + boot_mode =3D ZIPL_BOOT_MODE_NORMAL; + while (have_iplb) { boot_setup(); if (have_iplb && find_boot_device()) { diff --git a/pc-bios/s390-ccw/s390-ccw.h b/pc-bios/s390-ccw/s390-ccw.h index 1e1f71775e..5420443ad2 100644 --- a/pc-bios/s390-ccw/s390-ccw.h +++ b/pc-bios/s390-ccw/s390-ccw.h 
@@ -69,6 +69,12 @@ int sclp_read(char *str, size_t count); /* bootmap.c */ void zipl_load(void); =20 +typedef enum ZiplBootMode { + ZIPL_BOOT_MODE_NORMAL =3D 0, +} ZiplBootMode; + +extern ZiplBootMode boot_mode; + /* jump2ipl.c */ void write_reset_psw(uint64_t psw); int jump_to_IPL_code(uint64_t address); --=20 2.54.0
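Review bot: the IPL_assert messages added to zipl_load() and ipl_ccw_device() in [PATCH v11 20/32] call the feature "secure boot" ("Secure boot from ISO image is not supported!"), while the enum, the commit message and the documentation added in the same patch call it secure IPL. Use one term so that a console message can be matched to the docs. In the Normal Mode paragraph of secure-ipl.rst, "The absence of certificates will attempt to IPL a guest" makes the absence the actor; wording such as "When no certificates are provided, the guest is IPLed without secure IPL operations" reads more cleanly.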
From: Zhuoying Cai
To: qemu-s390x@nongnu.org, qemu-devel@nongnu.org
Cc: jrossi@linux.ibm.com, cohuck@redhat.com, berrange@redhat.com, richard.henderson@linaro.org, david@kernel.org, walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com, brueckner@linux.ibm.com, pierrick.bouvier@oss.qualcomm.com, jdaley@linux.ibm.com
Subject: [PATCH v11 21/32] pc-bios/s390-ccw: Add signature verification for secure IPL in audit mode
Date: Tue, 5 May 2026 16:18:53 -0400
Message-ID: <20260505201905.997996-22-zycai@linux.ibm.com>
In-Reply-To: <20260505201905.997996-1-zycai@linux.ibm.com>
References: <20260505201905.997996-1-zycai@linux.ibm.com>
Content-Transfer-Encoding: quoted-printable

Enable secure IPL in audit mode, which performs signature verification, but any error does not terminate the boot process. Only warnings will be logged to the console instead. Add a comp_len variable to store the length of a segment in zipl_load_segment. comp_len variable is necessary to store the calculated segment length and is used during signature verification. Return the length on success, or a negative return code on failure.
Secure IPL in audit mode requires at least one certificate provided in the key store along with necessary facilities (Secure IPL Facility, Certificate Store Facility and secure IPL extension support). Note: Secure IPL in audit mode is implemented for the SCSI scheme of virtio-blk/virtio-scsi devices. Signed-off-by: Zhuoying Cai --- docs/system/s390x/secure-ipl.rst | 15 ++ pc-bios/s390-ccw/Makefile | 2 +- pc-bios/s390-ccw/bootmap.c | 16 ++ pc-bios/s390-ccw/bootmap.h | 9 + pc-bios/s390-ccw/main.c | 10 +- pc-bios/s390-ccw/s390-ccw.h | 24 ++ pc-bios/s390-ccw/sclp.c | 27 +++ pc-bios/s390-ccw/sclp.h | 6 + pc-bios/s390-ccw/secure-ipl.c | 364 +++++++++++++++++++++++++++++++ pc-bios/s390-ccw/secure-ipl.h | 113 ++++++++++ 10 files changed, 584 insertions(+), 2 deletions(-) create mode 100644 pc-bios/s390-ccw/secure-ipl.c create mode 100644 pc-bios/s390-ccw/secure-ipl.h diff --git a/docs/system/s390x/secure-ipl.rst b/docs/system/s390x/secure-ip= l.rst index 9d7d33f5ed..cf6ccf5d57 100644 --- a/docs/system/s390x/secure-ipl.rst +++ b/docs/system/s390x/secure-ipl.rst @@ -39,3 +39,18 @@ Configuration: .. code-block:: shell =20 qemu-system-s390x -machine s390-ccw-virtio ... + +Audit Mode +^^^^^^^^^^ + +When the certificate store is populated with at least one certificate +and no additional secure IPL parameters are provided on the command +line, then secure IPL will proceed in "audit mode". All secure IPL +operations will be performed with signature verification errors reported +as non-disruptive warnings. + +Configuration: + +.. code-block:: shell + + qemu-system-s390x -machine s390-ccw-virtio,boot-certs.0.path=3D/.../qe= mu/certs,boot-certs.1.path=3D/another/path/cert.pem ... diff --git a/pc-bios/s390-ccw/Makefile b/pc-bios/s390-ccw/Makefile index 3e5dfb64d5..2109d16781 100644 --- a/pc-bios/s390-ccw/Makefile +++ b/pc-bios/s390-ccw/Makefile 
@@ -35,7 +35,7 @@ QEMU_DGFLAGS =3D -MMD -MP -MT $@ -MF $(@D)/$(*F).d =20 OBJECTS =3D start.o main.o bootmap.o jump2ipl.o sclp.o menu.o netmain.o \ virtio.o virtio-net.o virtio-scsi.o virtio-blkdev.o cio.o dasd-ipl.o \ - virtio-ccw.o clp.o pci.o virtio-pci.o + virtio-ccw.o clp.o pci.o virtio-pci.o secure-ipl.o =20 SLOF_DIR :=3D $(SRC_PATH)/../../roms/SLOF =20 diff --git a/pc-bios/s390-ccw/bootmap.c b/pc-bios/s390-ccw/bootmap.c index 667a69f80d..a300fba8cd 100644 --- a/pc-bios/s390-ccw/bootmap.c +++ b/pc-bios/s390-ccw/bootmap.c @@ -15,6 +15,7 @@ #include "bootmap.h" #include "virtio.h" #include "bswap.h" +#include "secure-ipl.h" =20 #ifdef DEBUG /* #define DEBUG_FALLBACK */ @@ -737,6 +738,9 @@ static int zipl_run(ScsiBlockPtr *pte) case ZIPL_BOOT_MODE_NORMAL: rc =3D zipl_run_normal(&entry, tmp_sec); break; + case ZIPL_BOOT_MODE_SECURE_AUDIT: + rc =3D zipl_run_secure(&entry, tmp_sec); + break; default: panic("Unknown boot mode"); } @@ -1107,6 +1111,18 @@ static int zipl_load_vscsi(void) * IPL starts here */ =20 +ZiplBootMode get_boot_mode(uint8_t hdr_flags) +{ + bool sipl_set =3D hdr_flags & DIAG308_IPIB_FLAGS_SIPL; + bool iplir_set =3D hdr_flags & DIAG308_IPIB_FLAGS_IPLIR; + + if (!sipl_set && iplir_set) { + return ZIPL_BOOT_MODE_SECURE_AUDIT; + } + + return ZIPL_BOOT_MODE_NORMAL; +} + void zipl_load(void) { VDev *vdev =3D virtio_get_device(); diff --git a/pc-bios/s390-ccw/bootmap.h b/pc-bios/s390-ccw/bootmap.h index 8d61ac383c..1e00454a1f 100644 --- a/pc-bios/s390-ccw/bootmap.h +++ b/pc-bios/s390-ccw/bootmap.h @@ -88,9 +88,18 @@ typedef struct BootMapTable { BootMapPointer entry[]; } __attribute__ ((packed)) BootMapTable; =20 +#define DER_SIGNATURE_FORMAT 1 + +typedef struct SignatureInformation { + uint8_t format; + uint8_t reserved[3]; + uint32_t sig_len; +} SignatureInformation; + typedef union ComponentEntryData { uint64_t load_psw; uint64_t load_addr; + SignatureInformation sig_info; } ComponentEntryData; =20 typedef struct ComponentEntry { 
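Review bot: get_boot_mode() in the bootmap.c hunk at @@ -1107,6 +1111,18 @@ returns ZIPL_BOOT_MODE_NORMAL whenever DIAG308_IPIB_FLAGS_SIPL is set, so at this point in the series an IPLB that carries the SIPL flag boots with no signature verification and no message, which is weaker than the audit path taken when only IPLIR is set. If that combination is handled by a later patch, a comment saying so, or a panic for the not-yet-supported case, would keep this intermediate state from failing open. The function also has no comment stating which flag combination selects which mode.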
diff --git a/pc-bios/s390-ccw/main.c b/pc-bios/s390-ccw/main.c index 66544f75f5..0bcd32b059 100644 --- a/pc-bios/s390-ccw/main.c +++ b/pc-bios/s390-ccw/main.c @@ -394,7 +394,15 @@ void main(void) probe_boot_device(); } =20 - boot_mode =3D ZIPL_BOOT_MODE_NORMAL; + boot_mode =3D get_boot_mode(iplb->hdr_flags); + switch (boot_mode) { + case ZIPL_BOOT_MODE_SECURE_AUDIT: + if (!secure_ipl_supported()) { + panic("Unable to boot in audit mode"); + } + default: + break; + } =20 while (have_iplb) { boot_setup(); diff --git a/pc-bios/s390-ccw/s390-ccw.h b/pc-bios/s390-ccw/s390-ccw.h index 5420443ad2..b66a9b50bf 100644 --- a/pc-bios/s390-ccw/s390-ccw.h +++ b/pc-bios/s390-ccw/s390-ccw.h @@ -40,6 +40,22 @@ typedef unsigned long long u64; ((b) =3D=3D 0 ? (a) : (MIN(a, b)))) #endif =20 +/* + * Round number down to multiple. Requires that d be a power of 2. + * Works even if d is a smaller type than n. + */ +#ifndef ROUND_DOWN +#define ROUND_DOWN(n, d) ((n) & -(0 ? (n) : (d))) +#endif + +/* + * Round number up to multiple. Requires that d be a power of 2. + * Works even if d is a smaller type than n. + */ +#ifndef ROUND_UP +#define ROUND_UP(n, d) ROUND_DOWN((n) + (d) - 1, (d)) +#endif + #define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0])) =20 #include "cio.h" @@ -64,6 +80,8 @@ void sclp_print(const char *string); void sclp_set_write_mask(uint32_t receive_mask, uint32_t send_mask); void sclp_setup(void); void sclp_get_loadparm_ascii(char *loadparm); +bool sclp_is_diag320_on(void); +bool sclp_is_fac_ipl_flag_on(uint16_t fac_ipl_flag); int sclp_read(char *str, size_t count); =20 /* bootmap.c */ @@ -71,10 +89,16 @@ void zipl_load(void); =20 typedef enum ZiplBootMode { ZIPL_BOOT_MODE_NORMAL =3D 0, + ZIPL_BOOT_MODE_SECURE_AUDIT =3D 1, } ZiplBootMode; =20 extern ZiplBootMode boot_mode; =20 +ZiplBootMode get_boot_mode(uint8_t hdr_flags); + +/* secure-ipl.c */ +bool secure_ipl_supported(void); + /* jump2ipl.c */ void write_reset_psw(uint64_t psw); int jump_to_IPL_code(uint64_t address); 
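Review bot: in the main.c hunk at @@ -394,7 +394,15 @@, "case ZIPL_BOOT_MODE_SECURE_AUDIT:" has no break and falls through into "default:" after the secure_ipl_supported() check. It is harmless today because default only breaks, but the next mode inserted between the two labels will inherit the fall-through; add an explicit break, or a fall-through annotation if it is intended. The same hunk reads iplb->hdr_flags before the "while (have_iplb)" loop; is iplb guaranteed to hold a valid block at this point when have_iplb is false?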
diff --git a/pc-bios/s390-ccw/sclp.c b/pc-bios/s390-ccw/sclp.c index 4a07de018d..48bdfedf1f 100644 --- a/pc-bios/s390-ccw/sclp.c +++ b/pc-bios/s390-ccw/sclp.c @@ -113,6 +113,33 @@ void sclp_get_loadparm_ascii(char *loadparm) } } =20 +bool sclp_is_diag320_on(void) +{ + ReadInfo *sccb =3D (void *)_sccb; + + memset((char *)_sccb, 0, sizeof(ReadInfo)); + sccb->h.length =3D SCCB_SIZE; + if (!sclp_service_call(SCLP_CMDW_READ_SCP_INFO, sccb)) { + return sccb->fac134 & SCCB_FAC134_DIAG320_BIT; + } + + return 0; +} + +/* check if specified IPL facility flag is enabled */ +bool sclp_is_fac_ipl_flag_on(uint16_t fac_ipl_flag) +{ + ReadInfo *sccb =3D (void *)_sccb; + + memset((char *)_sccb, 0, sizeof(ReadInfo)); + sccb->h.length =3D SCCB_SIZE; + if (!sclp_service_call(SCLP_CMDW_READ_SCP_INFO, sccb)) { + return sccb->fac_ipl & fac_ipl_flag; + } + + return 0; +} + int sclp_read(char *str, size_t count) { ReadEventData *sccb =3D (void *)_sccb; diff --git a/pc-bios/s390-ccw/sclp.h b/pc-bios/s390-ccw/sclp.h index 64b53cad29..a8a41cd004 100644 --- a/pc-bios/s390-ccw/sclp.h +++ b/pc-bios/s390-ccw/sclp.h @@ -50,6 +50,8 @@ typedef struct SCCBHeader { } __attribute__((packed)) SCCBHeader; =20 #define SCCB_DATA_LEN (SCCB_SIZE - sizeof(SCCBHeader)) +#define SCCB_FAC134_DIAG320_BIT 0x4 +#define SCCB_FAC_IPL_SIPL_BIT 0x4000 =20 typedef struct ReadInfo { SCCBHeader h; @@ -57,6 +59,10 @@ typedef struct ReadInfo { uint8_t rnsize; uint8_t reserved[13]; uint8_t loadparm[LOADPARM_LEN]; + uint8_t reserved1[102]; + uint8_t fac134; + uint8_t reserved2; + uint16_t fac_ipl; } __attribute__((packed)) ReadInfo; =20 typedef struct SCCB { diff --git a/pc-bios/s390-ccw/secure-ipl.c b/pc-bios/s390-ccw/secure-ipl.c new file mode 100644 index 0000000000..6e943446a7 --- /dev/null +++ b/pc-bios/s390-ccw/secure-ipl.c 
@@ -0,0 +1,364 @@ +/* + * S/390 Secure IPL + * + * Functions to support IPL in secure boot mode (DIAG 320, DIAG 508, + * signature verification, and certificate handling). + * + * For secure IPL overview: docs/system/s390x/secure-ipl.rst + * For secure IPL technical: docs/specs/s390x-secure-ipl.rst + * + * Copyright 2025 IBM Corp. + * Author(s): Zhuoying Cai + * + * SPDX-License-Identifier: GPL-2.0-or-later + */ + +#include +#include +#include +#include "bootmap.h" +#include "s390-ccw.h" +#include "sclp.h" +#include "secure-ipl.h" + +static VCStorageSizeBlock vcssb __attribute__((__aligned__(8))); + +VCStorageSizeBlock *zipl_secure_get_vcssb(void) +{ + /* avoid retrieving vcssb multiple times */ + if (vcssb.length =3D=3D VCSSB_MIN_LEN) { + return &vcssb; + } + + vcssb.length =3D VCSSB_MIN_LEN; + if (_diag320(&vcssb, DIAG_320_SUBC_QUERY_VCSI) !=3D DIAG_320_RC_OK) { + vcssb.length =3D 0; + return NULL; + } + + return &vcssb; +} + +static uint32_t get_total_certs_length(void) +{ + if (zipl_secure_get_vcssb() =3D=3D NULL) { + return 0; + } + + return vcssb.total_vcb_len - sizeof(VCBlockHeader) - + vcssb.total_vc_ct * sizeof(VCEntryHeader); +} + +static uint32_t request_certificate(uint8_t *cert_buf, uint8_t index) +{ + VCEntryHeader *vce_hdr; + struct vcb { + VCBlockHeader vcb_hdr; + struct vce { + VCEntryHeader vce_hdr; + uint8_t cert_buf[CERT_BUF_MAX_LEN]; + } vce; + } __attribute__((__aligned__(4096))) vcb =3D { 0 }; + + /* Get Verification Certificate Storage Size block with DIAG320 subcod= e 1 */ + if (zipl_secure_get_vcssb() =3D=3D NULL) { + return 0; + } + + /* + * Request single entry + * Fill input fields of single-entry VCB + * + * First and last index must be equal because only one + * VCE per VCB is currently supported + */ + vcb.vcb_hdr.in_len =3D ROUND_UP(vcssb.max_single_vcb_len, PAGE_SIZE); + vcb.vcb_hdr.first_vc_index =3D index; + vcb.vcb_hdr.last_vc_index =3D index; + + if (_diag320(&vcb, DIAG_320_SUBC_STORE_VC) !=3D DIAG_320_RC_OK) { + return 0; + } 
+ + if (vcb.vcb_hdr.out_len =3D=3D sizeof(VCBlockHeader)) { + puts("No certificate entry"); + return 0; + } + + if (vcb.vcb_hdr.remain_ct !=3D 0) { + panic("Not enough memory to store all requested certificates"); + } + + vce_hdr =3D &vcb.vce.vce_hdr; + if (!(vce_hdr->flags & DIAG_320_VCE_FLAGS_VALID)) { + puts("Invalid certificate"); + return 0; + } + + memcpy(cert_buf, (uint8_t *)&vcb.vce + vce_hdr->cert_offset, vce_hdr->= cert_len); + + return vce_hdr->cert_len; +} + +static int cert_list_add(IplSignatureCertificateList *cert_list, + uint8_t *cert_buf, uint64_t cert_len) +{ + static bool warned; + int cert_entry_idx; + + cert_entry_idx =3D (cert_list->ipl_info_header.len - sizeof(IplInfoBlo= ckHeader)) / + sizeof(IplSignatureCertificateEntry); + if (cert_entry_idx > MAX_CERTIFICATES - 1) { + if (!warned) { + printf("Warning: only %d cert entries are supported;" + " additional entries are ignored\n", + MAX_CERTIFICATES); + warned =3D true; + } + return cert_entry_idx; + } + + cert_list->cert_entries[cert_entry_idx].addr =3D (uint64_t)cert_buf; + cert_list->cert_entries[cert_entry_idx].len =3D cert_len; + cert_list->ipl_info_header.len +=3D sizeof(IplSignatureCertificateEntr= y); + + return cert_entry_idx; +} + +static void comp_list_add(IplDeviceComponentList *comp_list, + SecureIplCompEntryInfo comp_entry_info) +{ + int comp_entry_idx; + + comp_entry_idx =3D (comp_list->ipl_info_header.len - sizeof(IplInfoBlo= ckHeader)) / + sizeof(IplDeviceComponentEntry); + if (comp_entry_idx > MAX_COMP_ENTRIES - 1) { + printf("Warning: only %d component entries are supported\n", + MAX_COMP_ENTRIES); + panic("The device component list has reached its maximum capacity"= ); + } + + comp_list->device_entries[comp_entry_idx].addr =3D comp_entry_info.add= r; + comp_list->device_entries[comp_entry_idx].len =3D comp_entry_info.len; + comp_list->device_entries[comp_entry_idx].flags =3D comp_entry_info.fl= ags; + /* cert index field is meaningful only when S390_IPL_DEV_COMP_FLAG_SC = 
is set */ + if (comp_entry_info.flags & S390_IPL_DEV_COMP_FLAG_SC) { + comp_list->device_entries[comp_entry_idx].cert_index =3D + comp_entry_info.cert_ind= ex; + } + comp_list->ipl_info_header.len +=3D sizeof(IplDeviceComponentEntry); +} + +static void update_iirb(IplDeviceComponentList *comp_list, + IplSignatureCertificateList *cert_list) +{ + IplInfoReportBlock *iirb; + IplDeviceComponentList *iirb_comps; + IplSignatureCertificateList *iirb_certs; + uint32_t iirb_hdr_len; + uint32_t comps_len; + uint32_t certs_len; + + if (iplb->len % 8 !=3D 0) { + panic("IPL parameter block length field value is not multiple of 8= bytes"); + } + + iirb_hdr_len =3D sizeof(IplInfoReportBlockHeader); + comps_len =3D comp_list->ipl_info_header.len; + certs_len =3D cert_list->ipl_info_header.len; + if ((comps_len + certs_len + iirb_hdr_len) > sizeof(IplInfoReportBlock= )) { + panic("Not enough space to hold all components and certificates in= IIRB"); + } + + /* IIRB immediately follows IPLB */ + iirb =3D &ipl_data.iirb; + iirb->hdr.len =3D iirb_hdr_len; + + /* Copy IPL device component list after IIRB Header */ + iirb_comps =3D (IplDeviceComponentList *) iirb->info_blks; + memcpy(iirb_comps, comp_list, comps_len); + + /* Update IIRB length */ + iirb->hdr.len +=3D comps_len; + + /* Copy IPL sig cert list after IPL device component list */ + iirb_certs =3D (IplSignatureCertificateList *) (iirb->info_blks + + iirb_comps->ipl_info_hea= der.len); + memcpy(iirb_certs, cert_list, certs_len); + + /* Update IIRB length */ + iirb->hdr.len +=3D certs_len; +} + +bool secure_ipl_supported(void) +{ + if (!sclp_is_fac_ipl_flag_on(SCCB_FAC_IPL_SIPL_BIT)) { + puts("Secure IPL Facility is not supported by the hypervisor!"); + return false; + } + + if (!is_signature_verif_supported()) { + puts("Secure IPL extensions are not supported by the hypervisor!"); + return false; + } + + if (!is_cert_store_facility_supported()) { + puts("Certificate Store Facility is not supported by the hyperviso= r!"); + 
return false; + } + + return true; +} + +static void init_lists(IplDeviceComponentList *comp_list, + IplSignatureCertificateList *cert_list) +{ + comp_list->ipl_info_header.type =3D IPL_INFO_BLOCK_TYPE_COMPONENTS; + comp_list->ipl_info_header.len =3D sizeof(IplInfoBlockHeader); + + cert_list->ipl_info_header.type =3D IPL_INFO_BLOCK_TYPE_CERTIFICATES; + cert_list->ipl_info_header.len =3D sizeof(IplInfoBlockHeader); +} + +static int zipl_load_signature(ComponentEntry *entry, uint64_t sig) +{ + if (entry->compdat.sig_info.format !=3D DER_SIGNATURE_FORMAT) { + puts("Signature is not in DER format"); + return -1; + } + + if (zipl_load_segment(entry->data.blockno, sig) < 0) { + return -1; + } + + return entry->compdat.sig_info.sig_len; +} + +int zipl_run_secure(ComponentEntry **entry_ptr, uint8_t *tmp_sec) +{ + IplDeviceComponentList comp_list =3D { 0 }; + IplSignatureCertificateList cert_list =3D { 0 }; + SecureIplCompEntryInfo sig_entry_info =3D { 0 }; + SecureIplCompEntryInfo comp_entry_info; + ComponentEntry *entry =3D *entry_ptr; + uint8_t *cert_buf =3D NULL; + int sig_len =3D 0; + int comp_len; + int cert_entry_idx; + uint64_t comp_addr; + uint64_t cert_len; + uint8_t cert_table_idx; + bool verified; + /* + * Keep track of which certificate store indices correspond to the + * certificate data entries within the IplSignatureCertificateList to + * prevent allocating space for the same certificate multiple times. + * + * The array index corresponds to the certificate's cert-store index. + * + * The array value corresponds to the certificate's entry within the + * IplSignatureCertificateList (with a value of -1 denoting no entry + * exists for the certificate). + */ + int cert_list_table[MAX_CERTIFICATES] =3D { [0 ... 
MAX_CERTIFICATES - = 1] =3D -1 }; + int signed_count =3D 0; + + init_lists(&comp_list, &cert_list); + cert_buf =3D malloc(get_total_certs_length()); + sig_entry_info.addr =3D (uint64_t)malloc(MAX_SECTOR_SIZE); + + while (entry->component_type !=3D ZIPL_COMP_ENTRY_EXEC) { + switch (entry->component_type) { + case ZIPL_COMP_ENTRY_SIGNATURE: + if (sig_entry_info.len) { + goto out; + } + + sig_len =3D zipl_load_signature(entry, sig_entry_info.addr); + if (sig_len < 0) { + goto out; + } + + sig_entry_info.len =3D sig_len; + break; + case ZIPL_COMP_ENTRY_LOAD: + comp_addr =3D entry->compdat.load_addr; + comp_len =3D zipl_load_segment(entry->data.blockno, comp_addr); + if (comp_len < 0) { + goto out; + } + + comp_entry_info =3D (SecureIplCompEntryInfo){ 0 }; + comp_entry_info.addr =3D comp_addr; + comp_entry_info.len =3D (uint64_t)comp_len; + + /* no signature present (unsigned component) */ + if (!sig_entry_info.len) { + break; + } + + /* + * Initialize with SC flag (signed component) + * CSV flag set upon successful verification + */ + comp_entry_info.flags =3D S390_IPL_DEV_COMP_FLAG_SC; + + verified =3D verify_signature(comp_entry_info, sig_entry_info, + &cert_len, &cert_table_idx); + + if (verified) { + if (cert_list_table[cert_table_idx] =3D=3D -1) { + if (!request_certificate(cert_buf, cert_table_idx)) { + puts("Could not get certificate"); + goto out; + } + + cert_entry_idx =3D cert_list_add(&cert_list, cert_buf,= cert_len); + /* map cert-store index to cert-list entry index */ + cert_list_table[cert_table_idx] =3D cert_entry_idx; + /* increment for the next certificate */ + cert_buf +=3D cert_len; + } + + comp_entry_info.cert_index =3D cert_list_table[cert_table_= idx]; + comp_entry_info.flags |=3D S390_IPL_DEV_COMP_FLAG_CSV; + puts("Verified component"); + } else { + zipl_secure_error("Could not verify component"); + } + + comp_list_add(&comp_list, comp_entry_info); + + signed_count +=3D 1; + /* After a signature is used another new one can be accepted */ + 
sig_entry_info.len =3D 0; + break; + default: + puts("Unknown component entry type"); + return -1; + } + + entry++; + + if ((uint8_t *)(&entry[1]) > tmp_sec + MAX_SECTOR_SIZE) { + puts("Wrong entry value"); + return -EINVAL; + } + } + + if (signed_count =3D=3D 0) { + zipl_secure_error("Secure boot is on, but components are not signe= d"); + } + + update_iirb(&comp_list, &cert_list); + + *entry_ptr =3D entry; + free((void *)sig_entry_info.addr); + + return 0; +out: + free(cert_buf); + free((void *)sig_entry_info.addr); + + return -1; +} diff --git a/pc-bios/s390-ccw/secure-ipl.h b/pc-bios/s390-ccw/secure-ipl.h new file mode 100644 index 0000000000..cc0302f56b --- /dev/null +++ b/pc-bios/s390-ccw/secure-ipl.h 
@@ -0,0 +1,113 @@ +/* + * S/390 Secure IPL + * + * Copyright 2025 IBM Corp. + * Author(s): Zhuoying Cai + * + * SPDX-License-Identifier: GPL-2.0-or-later + */ + +#ifndef _PC_BIOS_S390_CCW_SECURE_IPL_H +#define _PC_BIOS_S390_CCW_SECURE_IPL_H + +#include +#include + +VCStorageSizeBlock *zipl_secure_get_vcssb(void); +int zipl_run_secure(ComponentEntry **entry_ptr, uint8_t *tmp_sec); + +/* Custom struct for secure IPL component entry information */ +typedef struct SecureIplCompEntryInfo { + uint64_t addr; + uint64_t len; + uint16_t cert_index; + uint8_t flags; +} SecureIplCompEntryInfo; + +static inline void zipl_secure_error(const char *message) +{ + switch (boot_mode) { + case ZIPL_BOOT_MODE_SECURE_AUDIT: + printf("AUDIT MODE WARNING: %s\n", message); + break; + default: + break; + } +} + +static inline uint64_t _diag320(void *data, unsigned long subcode) +{ + register unsigned long addr asm("0") =3D (unsigned long)data; + register unsigned long rc asm("1") =3D 0; + + asm volatile ("diag %0,%2,0x320\n" + : "+d" (addr), "+d" (rc) + : "d" (subcode) + : "memory", "cc"); + return rc; +} + +static inline bool is_cert_store_facility_supported(void) +{ + uint32_t d320_ism; + + if (!sclp_is_diag320_on()) { + return false; + } + + if (_diag320(&d320_ism, DIAG_320_SUBC_QUERY_ISM) !=3D DIAG_320_RC_OK) { + return false; + } + + return d320_ism & (DIAG_320_ISM_QUERY_VCSI | DIAG_320_ISM_STORE_VC); +} + +static inline uint64_t _diag508(void *data, unsigned long subcode) +{ + register unsigned long addr asm("0") =3D (unsigned long)data; + register unsigned long rc asm("1") =3D 0; + + asm volatile ("diag %0,%2,0x508\n" + : "+d" (addr), "+d" (rc) + : "d" (subcode) + : "memory", "cc"); + return rc; +} + +static inline bool is_signature_verif_supported(void) +{ + uint64_t d508_subcodes; + + d508_subcodes =3D _diag508(NULL, DIAG_508_SUBC_QUERY_SUBC); + return d508_subcodes & DIAG_508_SUBC_SIG_VERIF; +} + +static inline bool verify_signature(SecureIplCompEntryInfo comp_entry_info, + 
SecureIplCompEntryInfo sig_entry_info, + uint64_t *cert_len, uint8_t *cert_idx) +{ + Diag508SigVerifBlock svb; + + svb.length =3D sizeof(Diag508SigVerifBlock); + svb.version =3D 0; + svb.comp_len =3D comp_entry_info.len; + svb.comp_addr =3D comp_entry_info.addr; + svb.sig_len =3D sig_entry_info.len; + svb.sig_addr =3D sig_entry_info.addr; + + if (_diag508(&svb, DIAG_508_SUBC_SIG_VERIF) =3D=3D DIAG_508_RC_OK) { + *cert_len =3D svb.cert_len; + /* + * DIAG 508 utilizes an index origin of 0 when indexing the cert s= tore. + * The cert_idx will be used for DIAG 320 data structures, which e= xpects + * an index origin of 1. Account for the offset here so it's easie= r to + * manage later. + */ + *cert_idx =3D svb.cert_store_index + 1; + return true; + } + + return false; +} + +#endif /* _PC_BIOS_S390_CCW_SECURE_IPL_H */ --=20 2.54.0
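Review bot: in the new pc-bios/s390-ccw/secure-ipl.c, zipl_run_secure() advances cert_buf with `cert_buf += cert_len` after each stored certificate, and the `out:` path then calls `free(cert_buf)`, so any failure after the first certificate frees a pointer that malloc() never returned. Keep the original allocation in a separate variable and free that; the `default:` case and the "Wrong entry value" return also leave both buffers allocated. In the same function `cert_list_table[cert_table_idx]` is indexed with the value verify_signature() derives from the DIAG 508 reply without a check against MAX_CERTIFICATES, and when cert_list_add() hits its limit it returns an index past the last entry, which is still recorded in the table, used as cert_index, and followed by the cert_buf advance. request_certificate() likewise copies `vce_hdr->cert_len` bytes from `vce_hdr->cert_offset` with neither value checked against sizeof(vcb.vce) or the space left in cert_buf, and the malloc() results are not checked for NULL. Suggest validating each of these before use.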
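Review bot: in the new pc-bios/s390-ccw/secure-ipl.h, is_cert_store_facility_supported() returns `d320_ism & (DIAG_320_ISM_QUERY_VCSI | DIAG_320_ISM_STORE_VC)`, which is true when either subcode is installed, while secure-ipl.c issues both DIAG_320_SUBC_QUERY_VCSI and DIAG_320_SUBC_STORE_VC; compare the masked value against the full mask so that both are required. In verify_signature() `Diag508SigVerifBlock svb` is passed to DIAG 508 with only six fields set, so the remaining bytes of the block are uninitialised stack; initialise it with `= { 0 }` as the other blocks in this patch are. zipl_secure_error() reports only in ZIPL_BOOT_MODE_SECURE_AUDIT and is silent in every other mode; a comment stating what a non-audit secure boot is expected to do on a failed verification would make the empty default branch easier to review.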
From: Zhuoying Cai
To: qemu-s390x@nongnu.org, qemu-devel@nongnu.org
Cc: jrossi@linux.ibm.com, cohuck@redhat.com, berrange@redhat.com, richard.henderson@linaro.org, david@kernel.org, walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com, brueckner@linux.ibm.com, pierrick.bouvier@oss.qualcomm.com, jdaley@linux.ibm.com
Subject: [PATCH v11 22/32] pc-bios/s390-ccw: Add signed component address overlap checks
Date: Tue, 5 May 2026 16:18:54 -0400
Message-ID: <20260505201905.997996-23-zycai@linux.ibm.com>
In-Reply-To: <20260505201905.997996-1-zycai@linux.ibm.com>
References: <20260505201905.997996-1-zycai@linux.ibm.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Add address range tracking and overlap checks to ensure that no component overlaps with a signed component during secure IPL.

Signed-off-by: Zhuoying Cai
--- pc-bios/s390-ccw/secure-ipl.c | 49 +++++++++++++++++++++++++++++++++++ pc-bios/s390-ccw/secure-ipl.h | 15 +++++++++++ 2 files changed, 64 insertions(+) diff --git a/pc-bios/s390-ccw/secure-ipl.c b/pc-bios/s390-ccw/secure-ipl.c index 6e943446a7..fdac74aa97 100644 --- a/pc-bios/s390-ccw/secure-ipl.c +++ b/pc-bios/s390-ccw/secure-ipl.c
@@ -220,6 +220,51 @@ static void init_lists(IplDeviceComponentList *comp_li= st, cert_list->ipl_info_header.len =3D sizeof(IplInfoBlockHeader); } =20 +static void check_comp_overlap(SecureIplCompAddrRangeList *range_list, + SecureIplCompEntryInfo comp_entry_info) +{ + uint64_t start_addr; + uint64_t end_addr; + + start_addr =3D comp_entry_info.addr; + end_addr =3D comp_entry_info.addr + comp_entry_info.len; + + /* + * Check component's address range does not overlap with any + * signed component's address range. + */ + for (int i =3D 0; i < range_list->num; i++) { + if (range_list->comp_addr_range[i].is_signed && + (range_list->comp_addr_range[i].start_addr < end_addr && + start_addr < range_list->comp_addr_range[i].end_addr)) { + zipl_secure_error("Component addresses overlap"); + } + } +} + +static void comp_addr_range_add(SecureIplCompAddrRangeList *range_list, + SecureIplCompEntryInfo comp_entry_info, + bool is_signed) +{ + uint64_t start_addr; + uint64_t end_addr; + + start_addr =3D comp_entry_info.addr; + end_addr =3D comp_entry_info.addr + comp_entry_info.len; + + if (range_list->num >=3D MAX_COMP_ENTRIES) { + zipl_secure_error("Component address range update failed due to ou= t-of-range" + " index; Overlapping validation cannot be guaran= teed"); + return; + } + + range_list->comp_addr_range[range_list->num].is_signed =3D is_signed; + range_list->comp_addr_range[range_list->num].start_addr =3D start_addr; + range_list->comp_addr_range[range_list->num].end_addr =3D end_addr; + + range_list->num +=3D 1; +} + static int zipl_load_signature(ComponentEntry *entry, uint64_t sig) { if (entry->compdat.sig_info.format !=3D DER_SIGNATURE_FORMAT) { @@ -261,6 +306,7 @@ int zipl_run_secure(ComponentEntry **entry_ptr, uint8_t= *tmp_sec) * exists for the certificate). */ int cert_list_table[MAX_CERTIFICATES] =3D { [0 ... MAX_CERTIFICATES - = 1] =3D -1 }; + SecureIplCompAddrRangeList range_list =3D { 0 }; int signed_count =3D 0; =20 init_lists(&comp_list, &cert_list); 
@@ -292,6 +338,9 @@ int zipl_run_secure(ComponentEntry **entry_ptr, uint8_t= *tmp_sec) comp_entry_info.addr =3D comp_addr; comp_entry_info.len =3D (uint64_t)comp_len; =20 + check_comp_overlap(&range_list, comp_entry_info); + comp_addr_range_add(&range_list, comp_entry_info, !!sig_len); + /* no signature present (unsigned component) */ if (!sig_entry_info.len) { break; diff --git a/pc-bios/s390-ccw/secure-ipl.h b/pc-bios/s390-ccw/secure-ipl.h index cc0302f56b..29bbf65c6c 100644 --- a/pc-bios/s390-ccw/secure-ipl.h +++ b/pc-bios/s390-ccw/secure-ipl.h 
@@ -24,6 +24,21 @@ typedef struct SecureIplCompEntryInfo { uint8_t flags; } SecureIplCompEntryInfo; =20 +typedef struct SecureIplCompAddrRange { + bool is_signed; + uint64_t start_addr; + uint64_t end_addr; +} SecureIplCompAddrRange; + +/* + * Custom struct for managing a list of secure IPL component address range= s. + * Tracks up to MAX_COMP_ENTRIES address ranges with an num counter. + */ +typedef struct SecureIplCompAddrRangeList { + SecureIplCompAddrRange comp_addr_range[MAX_COMP_ENTRIES]; + int num; +} SecureIplCompAddrRangeList; + static inline void zipl_secure_error(const char *message) { switch (boot_mode) { --=20 2.54.0
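Review bot: in the @@ -220 hunk of secure-ipl.c, check_comp_overlap() and comp_addr_range_add() both compute `end_addr = comp_entry_info.addr + comp_entry_info.len` with no wrap check, so a component whose address plus length exceeds 64 bits gets a small end_addr and compares as non-overlapping. Reject or clamp that case before the comparison. When the list is full, comp_addr_range_add() returns after zipl_secure_error(), which prints only in audit mode, so later components go untracked without any indication in other modes; since the message itself says overlap validation can no longer be guaranteed, consider treating this like the panic() in comp_list_add().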
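Review bot: in the @@ -292 hunk of zipl_run_secure(), the call `comp_addr_range_add(&range_list, comp_entry_info, !!sig_len)` keys is_signed on sig_len, which is set when a signature entry is loaded and never cleared; only sig_entry_info.len is reset to 0 after a signature is consumed. Every unsigned component that follows the first signed one is therefore recorded as signed. Use `!!sig_entry_info.len`, the same value the unsigned-component test just below relies on. Both calls also run after zipl_load_segment() has already written the component to comp_addr, so an overlap is reported only once the earlier signed component's memory has been overwritten, after its signature was verified; a comment on that ordering, or a check on the load address before the segment is read, would help.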
From: Zhuoying Cai
To: qemu-s390x@nongnu.org, qemu-devel@nongnu.org
Cc: jrossi@linux.ibm.com, cohuck@redhat.com, berrange@redhat.com, richard.henderson@linaro.org, david@kernel.org, walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com, brueckner@linux.ibm.com, pierrick.bouvier@oss.qualcomm.com, jdaley@linux.ibm.com
Subject: [PATCH v11 23/32] s390x: Guest support for Secure-IPL Code Loading Attributes Facility (SCLAF)
Date: Tue, 5 May 2026 16:18:55 -0400
Message-ID: <20260505201905.997996-24-zycai@linux.ibm.com>
In-Reply-To: <20260505201905.997996-1-zycai@linux.ibm.com>
References: <20260505201905.997996-1-zycai@linux.ibm.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

The secure-IPL-code-loading-attributes facility (SCLAF) provides additional security during secure IPL. Availability of SCLAF is determined by byte 136 bit 3 of the SCLP Read Info block. This feature is available starting with the gen16 CPU model.

Signed-off-by: Zhuoying Cai Reviewed-by: Collin Walling --- docs/specs/s390x-secure-ipl.rst | 18 ++++++++++++++++++ target/s390x/cpu_features.c | 2 ++ target/s390x/cpu_features_def.h.inc | 1 + target/s390x/cpu_models.c | 3 +++ target/s390x/gen-features.c | 2 ++ target/s390x/kvm/kvm.c | 1 + 6 files changed, 27 insertions(+) diff --git a/docs/specs/s390x-secure-ipl.rst b/docs/specs/s390x-secure-ipl.= rst index c858d5b74b..5fc15be99c 100644 --- a/docs/specs/s390x-secure-ipl.rst +++ b/docs/specs/s390x-secure-ipl.rst @@ -118,3 +118,21 @@ The guest kernel uses the contents in the IIRB for: * Boot logging: reports which components were loaded and verified. * kexec operations: builds the next kernel=E2=80=99s IPL report from the e= xisting one. * Keying: installs IPL certificates into the platform trusted keyring. + +Secure Code Loading Attributes Facility +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +The Secure Code Loading Attributes Facility (SCLAF) enhances system securi= ty +during the IPL by enforcing additional verification rules. + +When SCLAF is available, its behavior depends on the IPL mode. It introduc= es +verification of both signed and unsigned components to help ensure that on= ly +authorized code is loaded during the IPL process. Any errors detected by S= CLAF +are reported in the IIRB. + +Unsigned components are restricted to load addresses at or above absolute +storage address ``0x2000``. + +Signed components must include a Secure Code Loading Attribute Block (SCLA= B), +which is appended at the very end of the component. The SCLAB defines secu= rity +attributes for handling the signed code. diff --git a/target/s390x/cpu_features.c b/target/s390x/cpu_features.c index 200bd8c15b..29ea3bfec2 100644 --- a/target/s390x/cpu_features.c +++ b/target/s390x/cpu_features.c 
@@ -120,6 +120,7 @@ void s390_fill_feat_block(const S390FeatBitmap features= , S390FeatType type, * - All SIE facilities because SIE is not available * - DIAG318 * - Secure IPL Facility + * - Secure IPL Code Loading Attributes Facility * * As VMs can move in and out of protected mode the CPU model * doesn't protect us from that problem because it is only @@ -152,6 +153,7 @@ void s390_fill_feat_block(const S390FeatBitmap features= , S390FeatType type, break; case S390_FEAT_TYPE_SCLP_FAC_IPL: clear_be_bit(s390_feat_def(S390_FEAT_SIPL)->bit, data); + clear_be_bit(s390_feat_def(S390_FEAT_SCLAF)->bit, data); break; default: return; diff --git a/target/s390x/cpu_features_def.h.inc b/target/s390x/cpu_feature= s_def.h.inc index bcf8a666e4..f6ba9e87e1 100644 --- a/target/s390x/cpu_features_def.h.inc +++ b/target/s390x/cpu_features_def.h.inc @@ -142,6 +142,7 @@ DEF_FEAT(CERT_STORE, "cstore", SCLP_FAC134, 5, "Certifi= cate Store functions") =20 /* Features exposed via SCLP SCCB Facilities byte 136 - 137 (bit numbers r= elative to byte-136) */ DEF_FEAT(SIPL, "sipl", SCLP_FAC_IPL, 1, "Secure-IPL facility") +DEF_FEAT(SCLAF, "sclaf", SCLP_FAC_IPL, 3, "Secure-IPL-code-loading-attribu= tes facility") =20 /* Features exposed via SCLP CPU info. */ DEF_FEAT(SIE_F2, "sief2", SCLP_CPU, 4, "SIE: interception format 2 (Virtua= l SIE)") diff --git a/target/s390x/cpu_models.c b/target/s390x/cpu_models.c index a52e34aa95..7de727a256 100644 --- a/target/s390x/cpu_models.c +++ b/target/s390x/cpu_models.c @@ -264,6 +264,7 @@ bool s390_has_feat(S390Feat feat) case S390_FEAT_SIE_PFMFI: case S390_FEAT_SIE_IBS: case S390_FEAT_SIPL: + case S390_FEAT_SCLAF: case S390_FEAT_CONFIGURATION_TOPOLOGY: return false; break; 
@@ -509,6 +510,8 @@ static void check_consistency(const S390CPUModel *model) { S390_FEAT_DIAG_318, S390_FEAT_EXTENDED_LENGTH_SCCB }, { S390_FEAT_CERT_STORE, S390_FEAT_EXTENDED_LENGTH_SCCB }, { S390_FEAT_SIPL, S390_FEAT_EXTENDED_LENGTH_SCCB }, + { S390_FEAT_SCLAF, S390_FEAT_EXTENDED_LENGTH_SCCB }, + { S390_FEAT_SCLAF, S390_FEAT_SIPL }, { S390_FEAT_NNPA, S390_FEAT_VECTOR }, { S390_FEAT_RDP, S390_FEAT_LOCAL_TLB_CLEARING }, { S390_FEAT_UV_FEAT_AP, S390_FEAT_AP }, diff --git a/target/s390x/gen-features.c b/target/s390x/gen-features.c index bd2060ab93..c3e0c6ceff 100644 --- a/target/s390x/gen-features.c +++ b/target/s390x/gen-features.c @@ -722,6 +722,7 @@ static uint16_t full_GEN16_GA1[] =3D { S390_FEAT_UV_FEAT_AP_INTR, S390_FEAT_CERT_STORE, S390_FEAT_SIPL, + S390_FEAT_SCLAF, }; =20 static uint16_t full_GEN17_GA1[] =3D { @@ -924,6 +925,7 @@ static uint16_t qemu_MAX[] =3D { S390_FEAT_EXTENDED_LENGTH_SCCB, S390_FEAT_CERT_STORE, S390_FEAT_SIPL, + S390_FEAT_SCLAF, }; =20 /****** END FEATURE DEFS ******/ diff --git a/target/s390x/kvm/kvm.c b/target/s390x/kvm/kvm.c index e76ff37cc3..5417eb9b09 100644 --- a/target/s390x/kvm/kvm.c +++ b/target/s390x/kvm/kvm.c 
@@ -2494,6 +2494,7 @@ bool kvm_s390_get_host_cpu_model(S390CPUModel *model,= Error **errp) =20 /* Some Secure IPL facilities are emulated by QEMU */ set_bit(S390_FEAT_SIPL, model->features); + set_bit(S390_FEAT_SCLAF, model->features); =20 /* Test for Ultravisor features that influence secure guest behavior */ query_uv_feat_guest(model->features); --=20 2.54.0
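Review bot: In the docs/specs/s390x-secure-ipl.rst hunk, the new section says SCLAF's "behavior depends on the IPL mode" but never states what differs between modes, so a reader cannot tell whether a failed SCLAF check stops the IPL or is only recorded in the IIRB. Suggest stating, per IPL mode, whether a violation aborts the boot or is logged, and tying that to the two rules the section already lists (unsigned load address at or above ``0x2000``, SCLAB appended to every signed component).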
From: Zhuoying Cai
To: qemu-s390x@nongnu.org, qemu-devel@nongnu.org
Cc: jrossi@linux.ibm.com, cohuck@redhat.com, berrange@redhat.com, richard.henderson@linaro.org, david@kernel.org, walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com, brueckner@linux.ibm.com, pierrick.bouvier@oss.qualcomm.com, jdaley@linux.ibm.com
Subject: [PATCH v11 24/32] pc-bios/s390-ccw: Add additional security checks for secure boot
Date: Tue, 5 May 2026 16:18:56 -0400
Message-ID: <20260505201905.997996-25-zycai@linux.ibm.com>
In-Reply-To: <20260505201905.997996-1-zycai@linux.ibm.com>
References: <20260505201905.997996-1-zycai@linux.ibm.com>

Add additional checks to ensure that components do not overlap with signed components when loaded into memory. Add additional checks to ensure the load addresses of unsigned components are greater than or equal to 0x2000. When the secure IPL code loading attributes facility (SCLAF) is installed, all signed components must contain a secure code loading attributes block (SCLAB).
The SCLAB provides further validation of information on where to load the signed binary code from the load device, and where to start the execution of the loaded OS code. When SCLAF is installed, its content must be evaluated during secure IPL. Add IPL Information Error Indicators (IIEI) and Component Error Indicators (CEI) for IPL Information Report Block (IIRB). When SCLAF is installed, additional secure boot checks are performed during zipl and store results of verification into IIRB. Signed-off-by: Zhuoying Cai --- include/hw/s390x/ipl/qipl.h | 29 ++++- pc-bios/s390-ccw/sclp.h | 1 + pc-bios/s390-ccw/secure-ipl.c | 210 +++++++++++++++++++++++++++++++++- pc-bios/s390-ccw/secure-ipl.h | 62 ++++++++++ 4 files changed, 296 insertions(+), 6 deletions(-) diff --git a/include/hw/s390x/ipl/qipl.h b/include/hw/s390x/ipl/qipl.h index a2180719b1..2a3ae6b9f5 100644 --- a/include/hw/s390x/ipl/qipl.h +++ b/include/hw/s390x/ipl/qipl.h @@ -167,10 +167,20 @@ struct IplInfoReportBlockHeader { }; typedef struct IplInfoReportBlockHeader IplInfoReportBlockHeader; =20 +/* IPL Info Error Indicators */ +#define S390_IIEI_NO_SIGNED_COMP 0x8000 /* bit 0 */ +#define S390_IIEI_NO_SCLAB 0x4000 /* bit 1 */ +#define S390_IIEI_NO_GLOBAL_SCLAB 0x2000 /* bit 2 */ +#define S390_IIEI_MORE_GLOBAL_SCLAB 0x1000 /* bit 3 */ +#define S390_IIEI_FOUND_UNSIGNED_COMP 0x800 /* bit 4 */ +#define S390_IIEI_MORE_SIGNED_COMP 0x400 /* bit 5 */ + struct IplInfoBlockHeader { uint32_t len; uint8_t type; - uint8_t reserved1[11]; + uint8_t reserved1[3]; + uint16_t iiei; + uint8_t reserved2[6]; }; typedef struct IplInfoBlockHeader IplInfoBlockHeader; =20 
@@ -194,13 +204,28 @@ typedef struct IplSignatureCertificateList IplSignatu= reCertificateList; #define S390_IPL_DEV_COMP_FLAG_SC 0x80 #define S390_IPL_DEV_COMP_FLAG_CSV 0x40 =20 +/* IPL Device Component Error Indicators */ +#define S390_CEI_INVALID_SCLAB 0x80000000 /* bit 0 */ +#define S390_CEI_INVALID_SCLAB_LEN 0x40000000 /* bit 1 */ +#define S390_CEI_INVALID_SCLAB_FORMAT 0x20000000 /* bit 2 */ +#define S390_CEI_UNMATCHED_SCLAB_LOAD_ADDR 0x10000000 /* bit 3 */ +#define S390_CEI_UNMATCHED_SCLAB_LOAD_PSW 0x8000000 /* bit 4 */ +#define S390_CEI_INVALID_LOAD_PSW 0x4000000 /* bit 5 */ +#define S390_CEI_NUC_NOT_IN_GLOBAL_SCLAB 0x2000000 /* bit 6 */ +#define S390_CEI_SCLAB_OLA_NOT_ONE 0x1000000 /* bit 7 */ +#define S390_CEI_SC_NOT_IN_GLOBAL_SCLAB 0x800000 /* bit 8 */ +#define S390_CEI_SCLAB_LOAD_ADDR_NOT_ZERO 0x400000 /* bit 9 */ +#define S390_CEI_SCLAB_LOAD_PSW_NOT_ZERO 0x200000 /* bit 10 */ +#define S390_CEI_INVALID_UNSIGNED_ADDR 0x100000 /* bit 11 */ + struct IplDeviceComponentEntry { uint64_t addr; uint64_t len; uint8_t flags; uint8_t reserved1[5]; uint16_t cert_index; - uint8_t reserved2[8]; + uint32_t cei; + uint8_t reserved2[4]; }; typedef struct IplDeviceComponentEntry IplDeviceComponentEntry; =20 diff --git a/pc-bios/s390-ccw/sclp.h b/pc-bios/s390-ccw/sclp.h index a8a41cd004..cae65b29b5 100644 --- a/pc-bios/s390-ccw/sclp.h +++ b/pc-bios/s390-ccw/sclp.h @@ -52,6 +52,7 @@ typedef struct SCCBHeader { #define SCCB_DATA_LEN (SCCB_SIZE - sizeof(SCCBHeader)) #define SCCB_FAC134_DIAG320_BIT 0x4 #define SCCB_FAC_IPL_SIPL_BIT 0x4000 +#define SCCB_FAC_IPL_SCLAF_BIT 0x1000 =20 typedef struct ReadInfo { SCCBHeader h; diff --git a/pc-bios/s390-ccw/secure-ipl.c b/pc-bios/s390-ccw/secure-ipl.c index fdac74aa97..9c992149ee 100644 --- a/pc-bios/s390-ccw/secure-ipl.c +++ b/pc-bios/s390-ccw/secure-ipl.c 
@@ -140,6 +140,7 @@ static void comp_list_add(IplDeviceComponentList *comp_= list, =20 comp_list->device_entries[comp_entry_idx].addr =3D comp_entry_info.add= r; comp_list->device_entries[comp_entry_idx].len =3D comp_entry_info.len; + comp_list->device_entries[comp_entry_idx].cei =3D comp_entry_info.cei; comp_list->device_entries[comp_entry_idx].flags =3D comp_entry_info.fl= ags; /* cert index field is meaningful only when S390_IPL_DEV_COMP_FLAG_SC = is set */ if (comp_entry_info.flags & S390_IPL_DEV_COMP_FLAG_SC) { @@ -207,6 +208,12 @@ bool secure_ipl_supported(void) return false; } =20 + if (!sclp_is_fac_ipl_flag_on(SCCB_FAC_IPL_SCLAF_BIT)) { + puts("Secure IPL Code Loading Attributes Facility is not supported= by" + " the hypervisor!"); + return false; + } + return true; } =20 
@@ -265,6 +272,179 @@ static void comp_addr_range_add(SecureIplCompAddrRang= eList *range_list, range_list->num +=3D 1; } =20 +static void check_sclab_opsw(SclaBlock *sclab, SecureIplSclabInfo *sclab_i= nfo, + uint32_t *cei_flags) +{ + if (!(sclab->flags & S390_SCLAB_OPSW)) { + /* OPSW =3D 0 - Load PSW field in SCLAB must contain zeros */ + zipl_secure_validate(sclab->load_psw =3D=3D 0, cei_flags, + S390_CEI_SCLAB_LOAD_PSW_NOT_ZERO, + "Load PSW is not zero when Override PSW bit i= s zero"); + } else { + /* OPSW =3D 1 indicating global SCLAB */ + sclab_info->global_count +=3D 1; + if (sclab_info->global_count =3D=3D 1) { + sclab_info->global_load_psw =3D sclab->load_psw; + sclab_info->global_flags =3D sclab->flags; + } + + /* override load address flag must set to one */ + zipl_secure_validate(sclab->flags & S390_SCLAB_OLA, cei_flags, + S390_CEI_SCLAB_LOAD_PSW_NOT_ZERO, + "OLA flag is not set to one in the global SCL= AB"); + } +} + +static void check_sclab_ola(SclaBlock *sclab, uint64_t load_addr, uint32_t= *cei_flags) +{ + if (!(sclab->flags & S390_SCLAB_OLA)) { + /* OLA =3D 0 - Load address field in SCLAB must contain zeros */ + zipl_secure_validate(sclab->load_addr =3D=3D 0, cei_flags, + S390_CEI_SCLAB_LOAD_ADDR_NOT_ZERO, + "Load Address is not zero when OLA flag is ze= ro"); + } else { + /* OLA =3D 1 - Load address field must match storage address of th= e component */ + zipl_secure_validate(sclab->load_addr =3D=3D load_addr, cei_flags, + S390_CEI_UNMATCHED_SCLAB_LOAD_ADDR, + "Load Address does not match with component l= oad address"); + } +} + +static bool is_psw_valid(uint64_t psw, SecureIplCompAddrRangeList *range_l= ist) +{ + uint32_t addr =3D psw & 0x7fffffff; + + /* PSW points within a signed binary code component */ + for (int i =3D 0; i < range_list->num; i++) { + if (range_list->comp_addr_range[i].is_signed && + addr >=3D range_list->comp_addr_range[i].start_addr && + addr <=3D range_list->comp_addr_range[i].end_addr - 2) { + return true; + } + } + 
return false; +} + +static void check_load_psw(SecureIplCompAddrRangeList *range_list, + uint64_t sclab_load_psw, + SecureIplCompEntryInfo *comp_entry_info) +{ + uint64_t load_psw; + + load_psw =3D comp_entry_info->addr; + zipl_secure_validate(is_psw_valid(sclab_load_psw, range_list) && + is_psw_valid(load_psw, range_list), + &comp_entry_info->cei, S390_CEI_INVALID_LOAD_PSW,= "Invalid PSW"); + + /* compare load PSW with the PSW specified in component */ + zipl_secure_validate(sclab_load_psw =3D=3D load_psw, &comp_entry_info-= >cei, + S390_CEI_UNMATCHED_SCLAB_LOAD_PSW, + "Load PSW does not match with PSW in component"); +} + +static void check_no_unsigned_comp(SecureIplSclabInfo sclab_info, + IplDeviceComponentList *comp_list) +{ + bool is_nuc_set; + + is_nuc_set =3D sclab_info.global_flags & S390_SCLAB_NUC; + if (is_nuc_set && sclab_info.unsigned_count > 0) { + comp_list->ipl_info_header.iiei |=3D S390_IIEI_FOUND_UNSIGNED_COMP; + zipl_secure_error("Unsigned components are not allowed"); + } +} + +static void check_single_comp(SecureIplSclabInfo sclab_info, + IplDeviceComponentList *comp_list) +{ + bool is_sc_set; + + is_sc_set =3D sclab_info.global_flags & S390_SCLAB_SC; + if (is_sc_set && + sclab_info.signed_count !=3D 1 && + sclab_info.unsigned_count >=3D 0) { + comp_list->ipl_info_header.iiei |=3D S390_IIEI_MORE_SIGNED_COMP; + zipl_secure_error("Only one signed component is allowed"); + } +} + +void check_global_sclab(SecureIplSclabInfo sclab_info, + IplDeviceComponentList *comp_list) +{ + if (sclab_info.count =3D=3D 0) { + return; + } + + if (sclab_info.global_count =3D=3D 0) { + comp_list->ipl_info_header.iiei |=3D S390_IIEI_NO_GLOBAL_SCLAB; + zipl_secure_error("Global SCLAB does not exists"); + return; + } + + if (sclab_info.global_count > 1) { + comp_list->ipl_info_header.iiei |=3D S390_IIEI_MORE_GLOBAL_SCLAB; + zipl_secure_error("More than one global SCLAB"); + return; + } + + if (sclab_info.global_flags) { + /* Unsigned components are not allowed if NUC 
flag is set in the g= lobal SCLAB */ + check_no_unsigned_comp(sclab_info, comp_list); + + /* Only one signed component is allowed is SC flag is set in the g= lobal SCLAB */ + check_single_comp(sclab_info, comp_list); + } +} + +static void check_sclab(SecureIplCompEntryInfo *comp_entry_info, + SecureIplSclabInfo *sclab_info) +{ + SclabOriginLocator *sclab_locator; + SclaBlock *sclab; + + /* sclab locator is located at the last 8 bytes of the signed comp */ + sclab_locator =3D (SclabOriginLocator *)(comp_entry_info->addr + + comp_entry_info->len - 8); + + /* return early if sclab does not exist */ + zipl_secure_validate(magic_match(sclab_locator->magic, ZIPL_MAGIC), + &comp_entry_info->cei, S390_CEI_INVALID_SCLAB, + "Magic does not match. SCLAB does not exist"); + + if (comp_entry_info->cei & S390_CEI_INVALID_SCLAB) { + return; + } + + zipl_secure_validate(sclab_locator->len >=3D S390_SCLAB_MIN_LEN, &comp= _entry_info->cei, + S390_CEI_INVALID_SCLAB_LEN | S390_CEI_INVALID_SCL= AB, + "Invalid SCLAB length"); + + /* return early if sclab is invalid */ + if (comp_entry_info->cei & S390_CEI_INVALID_SCLAB) { + return; + } + + sclab_info->count +=3D 1; + sclab =3D (SclaBlock *)(comp_entry_info->addr + comp_entry_info->len - + sclab_locator->len); + + zipl_secure_validate(sclab->format =3D=3D 0, &comp_entry_info->cei, + S390_CEI_INVALID_SCLAB_FORMAT, + "Format-0 SCLAB is not being used"); + + check_sclab_opsw(sclab, sclab_info, &comp_entry_info->cei); + check_sclab_ola(sclab, comp_entry_info->addr, &comp_entry_info->cei); + + zipl_secure_validate(~sclab->flags & S390_SCLAB_NUC || sclab->flags & = S390_SCLAB_OPSW, + &comp_entry_info->cei, S390_CEI_NUC_NOT_IN_GLOBAL= _SCLAB, + "NUC bit is set, but not in the global SCLAB"); + + zipl_secure_validate(~sclab->flags & S390_SCLAB_SC || sclab->flags & S= 390_SCLAB_OPSW, + &comp_entry_info->cei, S390_CEI_SC_NOT_IN_GLOBAL_= SCLAB, + "SC bit is set, but not in the global SCLAB"); + +} + static int zipl_load_signature(ComponentEntry 
*entry, uint64_t sig) { if (entry->compdat.sig_info.format !=3D DER_SIGNATURE_FORMAT) { @@ -307,7 +487,7 @@ int zipl_run_secure(ComponentEntry **entry_ptr, uint8_t= *tmp_sec) */ int cert_list_table[MAX_CERTIFICATES] =3D { [0 ... MAX_CERTIFICATES - = 1] =3D -1 }; SecureIplCompAddrRangeList range_list =3D { 0 }; - int signed_count =3D 0; + SecureIplSclabInfo sclab_info =3D { 0 }; =20 init_lists(&comp_list, &cert_list); cert_buf =3D malloc(get_total_certs_length()); @@ -343,6 +523,13 @@ int zipl_run_secure(ComponentEntry **entry_ptr, uint8_= t *tmp_sec) =20 /* no signature present (unsigned component) */ if (!sig_entry_info.len) { + zipl_secure_validate(comp_entry_info.addr >=3D S390_UNSIGN= ED_MIN_ADDR, + &comp_entry_info.cei, S390_CEI_INVALI= D_UNSIGNED_ADDR, + "Load address is less than 0x2000"); + + comp_list_add(&comp_list, comp_entry_info); + + sclab_info.unsigned_count +=3D 1; break; } =20 @@ -352,6 +539,7 @@ int zipl_run_secure(ComponentEntry **entry_ptr, uint8_t= *tmp_sec) */ comp_entry_info.flags =3D S390_IPL_DEV_COMP_FLAG_SC; =20 + check_sclab(&comp_entry_info, &sclab_info); verified =3D verify_signature(comp_entry_info, sig_entry_info, &cert_len, &cert_table_idx); =20 @@ -378,7 +566,7 @@ int zipl_run_secure(ComponentEntry **entry_ptr, uint8_t= *tmp_sec) =20 comp_list_add(&comp_list, comp_entry_info); =20 - signed_count +=3D 1; + sclab_info.signed_count +=3D 1; /* After a signature is used another new one can be accepted */ sig_entry_info.len =3D 0; break; 
@@ -395,10 +583,24 @@ int zipl_run_secure(ComponentEntry **entry_ptr, uint8= _t *tmp_sec) } } =20 - if (signed_count =3D=3D 0) { - zipl_secure_error("Secure boot is on, but components are not signe= d"); + /* validate load PSW with PSW specified in the final entry */ + if (sclab_info.global_load_psw) { + comp_entry_info =3D (SecureIplCompEntryInfo){ 0 }; + comp_entry_info.addr =3D entry->compdat.load_psw; + + check_load_psw(&range_list, sclab_info.global_load_psw, &comp_entr= y_info); + comp_list_add(&comp_list, comp_entry_info); } =20 + zipl_secure_validate(sclab_info.signed_count > 0, + &comp_list.ipl_info_header.iiei, S390_IIEI_NO_SIG= NED_COMP, + "Secure boot is on, but components are not signed= "); + + zipl_secure_validate(sclab_info.count > 0, &comp_list.ipl_info_header.= iiei, + S390_IIEI_NO_SCLAB, "No recognizable SCLAB"); + + check_global_sclab(sclab_info, &comp_list); + update_iirb(&comp_list, &cert_list); =20 *entry_ptr =3D entry; diff --git a/pc-bios/s390-ccw/secure-ipl.h b/pc-bios/s390-ccw/secure-ipl.h index 29bbf65c6c..950cd45b3c 100644 --- a/pc-bios/s390-ccw/secure-ipl.h +++ b/pc-bios/s390-ccw/secure-ipl.h 
@@ -16,10 +16,48 @@ VCStorageSizeBlock *zipl_secure_get_vcssb(void); int zipl_run_secure(ComponentEntry **entry_ptr, uint8_t *tmp_sec); =20 +#define S390_SCLAB_OPSW 0x8000 /* override PSW flag */ +#define S390_SCLAB_OLA 0x4000 /* override load address flag */ +#define S390_SCLAB_NUC 0x2000 /* no unsigned components flag */ +#define S390_SCLAB_SC 0x1000 /* single component flag */ + +#define S390_SCLAB_MIN_LEN 32 +#define S390_UNSIGNED_MIN_ADDR 0x2000 + +/* Secure Code Loading Attributes Block */ +struct SclaBlock { + uint8_t format; + uint8_t reserved1; + uint16_t flags; + uint8_t reserved2[4]; + uint64_t load_psw; + uint64_t load_addr; + uint64_t reserved3[]; +} __attribute__ ((packed)); +typedef struct SclaBlock SclaBlock; + +struct SclabOriginLocator { + uint8_t reserved[2]; + uint16_t len; + uint8_t magic[4]; +} __attribute__ ((packed)); +typedef struct SclabOriginLocator SclabOriginLocator; + +/* Custom struct used to consolidate SCLAB overhead */ +typedef struct SecureIplSclabInfo { + int count; + int global_count; + int signed_count; + int unsigned_count; + uint64_t global_load_psw; + uint16_t global_flags; +} SecureIplSclabInfo; + /* Custom struct for secure IPL component entry information */ typedef struct SecureIplCompEntryInfo { uint64_t addr; uint64_t len; + uint32_t cei; uint16_t cert_index; uint8_t flags; } SecureIplCompEntryInfo; 
@@ -50,6 +88,30 @@ static inline void zipl_secure_error(const char *message) } } =20 +static inline void zipl_secure_validate_u16(bool condition, uint16_t *flag= s, + uint16_t flag, const char *mes= sage) +{ + if (!condition) { + *flags |=3D flag; + zipl_secure_error(message); + } +} + +static inline void zipl_secure_validate_u32(bool condition, uint32_t *flag= s, + uint32_t flag, const char *mes= sage) +{ + if (!condition) { + *flags |=3D flag; + zipl_secure_error(message); + } +} + +#define zipl_secure_validate(condition, flags, flag, message) \ + _Generic((flags), \ + uint16_t * : zipl_secure_validate_u16, \ + uint32_t * : zipl_secure_validate_u32 \ + )(condition, flags, flag, message) + static inline uint64_t _diag320(void *data, unsigned long subcode) { register unsigned long addr asm("0") =3D (unsigned long)data; --=20 2.54.0
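Review bot: In the secure_ipl_supported() hunk of pc-bios/s390-ccw/secure-ipl.c, returning false when SCCB_FAC_IPL_SCLAF_BIT is off makes SCLAF a hard prerequisite for any secure IPL, while the commit message describes the SCLAB checks as applying "when SCLAF is installed". Either gate only the SCLAB checks on the facility bit and let secure IPL proceed without them, or state in the commit message and the documentation that secure IPL now requires SCLAF.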
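Review bot: In check_sclab_opsw(), the else branch that checks the OLA flag of a global SCLAB raises S390_CEI_SCLAB_LOAD_PSW_NOT_ZERO, so a missing OLA flag is reported in the IIRB as bit 10 instead of bit 7; S390_CEI_SCLAB_OLA_NOT_ONE is defined in qipl.h by this patch and is not used in any visible hunk. Pass S390_CEI_SCLAB_OLA_NOT_ONE in that call. In the same hunk, check_sclab() reads the locator at addr + len - 8 and the SCLAB at addr + len - sclab_locator->len with only a lower bound (S390_SCLAB_MIN_LEN) on the length, and it runs before verify_signature(); also check that comp_entry_info->len is at least 8 and that sclab_locator->len does not exceed comp_entry_info->len before dereferencing either pointer, since both values come from the component on the boot device.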
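Review bot: In the zipl_run_secure() hunk that replaces the signed_count check, the final-entry validation is gated on `if (sclab_info.global_load_psw)`, so a global SCLAB that sets OPSW with an all-zero load PSW skips check_load_psw() entirely and neither S390_CEI_INVALID_LOAD_PSW nor S390_CEI_UNMATCHED_SCLAB_LOAD_PSW is recorded. Gate on sclab_info.global_count instead of the PSW value, so that a zero PSW goes through is_psw_valid() and the comparison like any other value.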
From: Zhuoying Cai To: qemu-s390x@nongnu.org, qemu-devel@nongnu.org Cc: jrossi@linux.ibm.com, cohuck@redhat.com, berrange@redhat.com, richard.henderson@linaro.org, david@kernel.org, walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com, brueckner@linux.ibm.com, pierrick.bouvier@oss.qualcomm.com, jdaley@linux.ibm.com Subject: [PATCH v11 25/32] Add secure-boot to s390-ccw-virtio machine type option Date: Tue, 5 May 2026 16:18:57 -0400 Message-ID: <20260505201905.997996-26-zycai@linux.ibm.com> X-Mailer: git-send-email 2.54.0 In-Reply-To: <20260505201905.997996-1-zycai@linux.ibm.com> References: <20260505201905.997996-1-zycai@linux.ibm.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-TM-AS-GCONF: 00 X-Proofpoint-ORIG-GUID: -Yn7LhDSmYyV5OiyfTjWlrWJBEOi6rpB X-Proofpoint-GUID: -Yn7LhDSmYyV5OiyfTjWlrWJBEOi6rpB X-Proofpoint-Spam-Details-Enc: AW1haW4tMjYwNTA1MDE5NSBTYWx0ZWRfX8AqPXKPkobWW 41ioDpGczy3ZSvvP0zqqNvJJcwhmYVv9ohj+IkUWOIyeJBQ5FlnmOg/TX0abELkixqmUj5pK980 ZN+j+rVmPTY5GB1NtJcw7qwPQEtj9PdDFfU0DZKdsdr27jNEabYP+I/8hP4wpeufd5uofj7GV2m etqI0Yov1w6jmcw4xNYGEhyEnBfHwfjh9fv5CwqVQqzP9IxOl+IlWMOdAU8nAzdzC4KHkS9POc0 FsRjvLIopZE/i7YGlyetVv2ZwQzs6cqW/x/NDTOtmyLe/wGI0ClzvgWiaKw2661x6F3eIxx/YyD Nh+Ee8/f0pRwceSlqC0NIGo846p9II8NmcnS4nyRWomGYYmwU1mwEBkwxKgbp8sd0og2o+bYso3 ABPULYqm62XO0TD7GPHvn65ZuuSz2Sl0GhGbJTSjKRtVW67eo9ZMK4FE0+UtF+n/aBhfHpjgdeu jLrASIj3LAcywrrAH6Q== X-Authority-Analysis: v=2.4 cv=UbFhjqSN c=1 sm=1 tr=0 ts=69fa50eb cx=c_pps a=3Bg1Hr4SwmMryq2xdFQyZA==:117 a=3Bg1Hr4SwmMryq2xdFQyZA==:17 a=NGcC8JguVDcA:10 a=VkNPw1HP01LnGYTKEx00:22 a=RnoormkPH1_aCDwRdu11:22 a=U7nrCbtTmkRpXpFmAIza:22 a=VnNF1IyMAAAA:8 a=20KFwNOVAAAA:8 a=uyvjcAWwEQu1yBn7KtoA:9 X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1143,Hydra:6.1.51,FMLib:17.12.100.49 
Add secure-boot as a parameter of s390-ccw-virtio machine type option. The `secure-boot=on|off` parameter is implemented to enable secure IPL. By default, secure-boot is set to false if not specified in the command line.
Signed-off-by: Zhuoying Cai Reviewed-by: Thomas Huth Reviewed-by: Collin Walling --- docs/system/s390x/secure-ipl.rst | 22 +++++++++++++++++----- hw/s390x/s390-virtio-ccw.c | 22 ++++++++++++++++++++++ include/hw/s390x/s390-virtio-ccw.h | 1 + qemu-options.hx | 6 +++++- 4 files changed, 45 insertions(+), 6 deletions(-) diff --git a/docs/system/s390x/secure-ipl.rst b/docs/system/s390x/secure-ip= l.rst index cf6ccf5d57..9e3955f8fc 100644 --- a/docs/system/s390x/secure-ipl.rst +++ b/docs/system/s390x/secure-ipl.rst @@ -19,20 +19,32 @@ Note: certificate files must have a .pem extension. =20 qemu-system-s390x -machine s390-ccw-virtio,boot-certs.0.path=3D/.../qe= mu/certs,boot-certs.1.path=3D/another/path/cert.pem ... =20 +Enabling Secure IPL +^^^^^^^^^^^^^^^^^^^ + +Secure IPL is enabled by explicitly setting ``secure-boot=3Don``; if not +specified, secure boot is considered off. + +.. code-block:: shell + + qemu-system-s390x -machine s390-ccw-virtio,secure-boot=3Don|off + =20 IPL Modes --------- =20 Multiple IPL modes are available to differentiate between the various IPL -configurations. These modes are mutually exclusive and enabled based on the -``boot-certs`` option on the QEMU command line. +configurations. These modes are mutually exclusive and enabled based on sp= ecific +combinations of the ``secure-boot`` and ``boot-certs`` options on the QEMU +command line. =20 Normal Mode ^^^^^^^^^^^ =20 -The absence of certificates will attempt to IPL a guest without secure IPL -operations. No checks are performed, and no warnings/errors are reported. -This is the default mode. +The absence of both certificates and the ``secure-boot`` option will attem= pt to +IPL a guest without secure IPL operations. No checks are performed, and no +warnings/errors are reported. This is the default mode, and can be explic= itly +enabled with ``secure-boot=3Doff``. =20 Configuration: =20 diff --git a/hw/s390x/s390-virtio-ccw.c b/hw/s390x/s390-virtio-ccw.c index 39adb69cfd..4f429a72ac 100644 
--- a/hw/s390x/s390-virtio-ccw.c +++ b/hw/s390x/s390-virtio-ccw.c @@ -813,6 +813,21 @@ static void machine_set_boot_certs(Object *obj, Visito= r *v, const char *name, ms->boot_certs =3D cert_list; } =20 +static inline bool machine_get_secure_boot(Object *obj, Error **errp) +{ + S390CcwMachineState *ms =3D S390_CCW_MACHINE(obj); + + return ms->secure_boot; +} + +static inline void machine_set_secure_boot(Object *obj, bool value, + Error **errp) +{ + S390CcwMachineState *ms =3D S390_CCW_MACHINE(obj); + + ms->secure_boot =3D value; +} + /* * S390x-specific global compatibility properties. * @@ -886,6 +901,13 @@ static void ccw_machine_class_init(ObjectClass *oc, co= nst void *data) machine_get_boot_certs, machine_set_boot_cer= ts, NULL, NULL); object_class_property_set_description(oc, "boot-certs", "provide paths to a directory and/or a certificate file for se= cure boot"); + + object_class_property_add_bool(oc, "secure-boot", + machine_get_secure_boot, + machine_set_secure_boot); + object_class_property_set_description(oc, "secure-boot", + "enable/disable secure boot"); + } =20 static inline void s390_machine_initfn(Object *obj) diff --git a/include/hw/s390x/s390-virtio-ccw.h b/include/hw/s390x/s390-vir= tio-ccw.h index 5ad1ea2f24..93a4c0ccad 100644 --- a/include/hw/s390x/s390-virtio-ccw.h +++ b/include/hw/s390x/s390-virtio-ccw.h @@ -29,6 +29,7 @@ struct S390CcwMachineState { bool aes_key_wrap; bool dea_key_wrap; bool pv; + bool secure_boot; uint8_t loadparm[8]; uint64_t memory_limit; uint64_t max_pagesize; diff --git a/qemu-options.hx b/qemu-options.hx index 7f97a0d07e..342c913c30 100644 --- a/qemu-options.hx +++ b/qemu-options.hx 
@@ -46,7 +46,8 @@ DEF("machine", HAS_ARG, QEMU_OPTION_machine, \ " cxl-fmw.0.targets.0=3Dfirsttarget,cxl-fmw.0.targets.1= =3Dsecondtarget,cxl-fmw.0.size=3Dsize[,cxl-fmw.0.interleave-granularity=3Dg= ranularity]\n" " sgx-epc.0.memdev=3Dmemid,sgx-epc.0.node=3Dnumaid\n" " smp-cache.0.cache=3Dcachename,smp-cache.0.topology=3D= topologylevel\n" - " boot-certs.0.path=3D/path/directory,boot-certs.1.path= =3D/path/file provides paths to a directory and/or a certificate file\n", + " boot-certs.0.path=3D/path/directory,boot-certs.1.path= =3D/path/file provides paths to a directory and/or a certificate file\n" + " secure-boot=3Don|off enable/disable secure boot (defa= ult=3Doff) \n", QEMU_ARCH_ALL) SRST ``-machine [type=3D]name[,prop=3Dvalue[,...]]`` 
@@ -213,6 +214,9 @@ SRST =20 ``boot-certs.0.path=3D/path/directory,boot-certs.1.path=3D/path/file`` Provide paths to a directory and/or a certificate file on the host= [s390x only]. + + ``secure-boot=3Don|off`` + Enables or disables secure boot on s390-ccw guest. The default is = off. ERST =20 DEF("M", HAS_ARG, QEMU_OPTION_M, --=20 2.54.0
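Review bot: The shell example added under "Enabling Secure IPL" in docs/system/s390x/secure-ipl.rst gives `secure-boot=on|off` as if it were a runnable command; in a shell the `|` is a pipe, so show one concrete value (for example `-machine s390-ccw-virtio,secure-boot=on`) and keep the on|off alternatives in the prose. In the same file, the reworded Normal Mode paragraph says the mode can be explicitly enabled with `secure-boot=off` but defines it only as the absence of both certificates and the option, so it should state what `secure-boot=off` together with `boot-certs` selects.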
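Review bot: In hw/s390x/s390-virtio-ccw.c, machine_get_secure_boot() and machine_set_secure_boot() are declared `static inline` but are only used by address as callbacks to object_class_property_add_bool(), so `inline` does nothing here; plain `static`, as on machine_set_boot_certs() named in the hunk header, would be consistent. The ccw_machine_class_init() hunk also adds an empty line directly before the function's closing brace, which should be dropped.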
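Review bot: In the qemu-options.hx help string, the new `secure-boot=on|off` line has a trailing space before `\n` and, unlike the SRST text for `boot-certs`, which carries "[s390x only]", nothing in it marks the option as specific to the s390-ccw-virtio machine even though this patch registers the property in ccw_machine_class_init(). Suggest dropping the space and adding the same s390x-only marker to the help string.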
From: Zhuoying Cai
To: qemu-s390x@nongnu.org, qemu-devel@nongnu.org
Cc: jrossi@linux.ibm.com, cohuck@redhat.com, berrange@redhat.com, richard.henderson@linaro.org, david@kernel.org, walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com, brueckner@linux.ibm.com, pierrick.bouvier@oss.qualcomm.com, jdaley@linux.ibm.com
Subject: [PATCH v11 26/32] hw/s390x/ipl: Set IPIB flags for secure IPL
Date: Tue, 5 May 2026 16:18:58 -0400
Message-ID: <20260505201905.997996-27-zycai@linux.ibm.com>
In-Reply-To: <20260505201905.997996-1-zycai@linux.ibm.com>
References: <20260505201905.997996-1-zycai@linux.ibm.com>
If `-M secure-boot=on` is specified on the command line option, indicating true secure IPL enabled, set Secure-IPL bit and IPL-Information-Report bit on in IPIB Flags field, and trigger true secure IPL in the S390 BIOS. Any error that occurs during true secure IPL will cause the IPL to terminate. Signed-off-by: Zhuoying Cai Reviewed-by: Thomas Huth Reviewed-by: Collin Walling --- hw/s390x/ipl.c | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-)
diff --git a/hw/s390x/ipl.c b/hw/s390x/ipl.c index f4311f6d62..67e8231c76 100644 --- a/hw/s390x/ipl.c +++ b/hw/s390x/ipl.c @@ -468,6 +468,11 @@ static bool s390_has_certificate(void) return ipl->cert_store.count > 0; } =20 +static bool s390_secure_boot_enabled(void) +{ + return S390_CCW_MACHINE(qdev_get_machine())->secure_boot; +} + static bool s390_build_iplb(DeviceState *dev_st, IplParameterBlock *iplb) { CcwDevice *ccw_dev =3D NULL; @@ -524,6 +529,18 @@ static bool s390_build_iplb(DeviceState *dev_st, IplPa= rameterBlock *iplb) s390_ipl_convert_loadparm((char *)lp, iplb->loadparm); iplb->flags |=3D DIAG308_FLAGS_LP_VALID; =20 + /* + * If secure-boot is enabled, then toggle the secure IPL flags to + * trigger secure boot in the s390 BIOS. + * + * Boot process will terminate if any error occurs during secure b= oot. + * + * If SIPL is on, IPLIR must also be on. + */ + if (s390_secure_boot_enabled()) { + iplb->hdr_flags |=3D (DIAG308_IPIB_FLAGS_SIPL | DIAG308_IPIB_F= LAGS_IPLIR); + iplb->len =3D cpu_to_be32(S390_IPLB_MAX_LEN); + } /* * Secure boot in audit mode will perform * if certificate(s) exist in the key store. 
@@ -533,7 +550,7 @@ static bool s390_build_iplb(DeviceState *dev_st, IplPar= ameterBlock *iplb) * * Results of secure boot will be stored in IIRB. */ - if (s390_has_certificate()) { + else if (s390_has_certificate()) { iplb->hdr_flags |=3D DIAG308_IPIB_FLAGS_IPLIR; iplb->len =3D cpu_to_be32(S390_IPLB_MAX_LEN); } --=20 2.54.0
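Review bot: In the s390_build_iplb() hunk at @@ -524, SIPL and IPLIR are set whenever s390_secure_boot_enabled() is true, without consulting s390_has_certificate(), so `secure-boot=on` with no `boot-certs` is accepted on the QEMU side and is only rejected later by the panic in the pc-bios patch of this series. Since s390_build_iplb() already returns bool, consider rejecting that combination here with a clear error, or state in the comment that the BIOS is the component expected to reject it.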
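Review bot: In the hunk at @@ -533, the new `else if (s390_has_certificate()) {` is separated from the closing `}` of the secure-boot branch by the whole audit-mode comment block, which is easy to misread as two independent `if` statements and does not follow the `} else if (...) {` brace style. Suggest moving the audit-mode comment inside the `else if` body so the two branches read as one chain.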
From: Zhuoying Cai
To: qemu-s390x@nongnu.org, qemu-devel@nongnu.org
Cc: jrossi@linux.ibm.com, cohuck@redhat.com, berrange@redhat.com, richard.henderson@linaro.org, david@kernel.org, walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com, brueckner@linux.ibm.com, pierrick.bouvier@oss.qualcomm.com, jdaley@linux.ibm.com
Subject: [PATCH v11 27/32] pc-bios/s390-ccw: Handle true secure IPL mode
Date: Tue, 5 May 2026 16:18:59 -0400
Message-ID: <20260505201905.997996-28-zycai@linux.ibm.com>
In-Reply-To: <20260505201905.997996-1-zycai@linux.ibm.com>
References: <20260505201905.997996-1-zycai@linux.ibm.com>
When secure boot is enabled (-secure-boot on) and certificate(s) are provided, the boot operates in True Secure IPL mode. Any verification error during True Secure IPL mode will cause the entire boot process to terminate. Secure IPL in audit mode requires at least one certificate provided in the key store along with necessary facilities. If secure boot is enabled but no certificate is provided, the boot process will also terminate, as this is not a valid secure boot configuration.
Note: True Secure IPL mode is implemented for the SCSI scheme of virtio-blk/virtio-scsi devices. Signed-off-by: Zhuoying Cai Reviewed-by: Collin Walling --- docs/system/s390x/secure-ipl.rst | 13 +++++++++++++ pc-bios/s390-ccw/bootmap.c | 8 ++++++++ pc-bios/s390-ccw/main.c | 3 ++- pc-bios/s390-ccw/s390-ccw.h | 1 + pc-bios/s390-ccw/secure-ipl.h | 3 +++ 5 files changed, 27 insertions(+), 1 deletion(-) diff --git a/docs/system/s390x/secure-ipl.rst b/docs/system/s390x/secure-ip= l.rst index 9e3955f8fc..c8fb887ac0 100644 --- a/docs/system/s390x/secure-ipl.rst +++ b/docs/system/s390x/secure-ipl.rst @@ -66,3 +66,16 @@ Configuration: .. code-block:: shell =20 qemu-system-s390x -machine s390-ccw-virtio,boot-certs.0.path=3D/.../qe= mu/certs,boot-certs.1.path=3D/another/path/cert.pem ... + +Secure Mode +^^^^^^^^^^^ + +When the ``secure-boot=3Don`` option is set and certificates are provided, +a secure boot is performed with error reporting enabled. The boot process = aborts +if any error occurs. + +Configuration: + +.. code-block:: shell + + qemu-system-s390x -machine s390-ccw-virtio,secure-boot=3Don,boot-certs= .0.path=3D/.../qemu/certs,boot-certs.1.path=3D/another/path/cert.pem ... diff --git a/pc-bios/s390-ccw/bootmap.c b/pc-bios/s390-ccw/bootmap.c index a300fba8cd..8f54c15144 100644 --- a/pc-bios/s390-ccw/bootmap.c +++ b/pc-bios/s390-ccw/bootmap.c @@ -738,6 +738,7 @@ static int zipl_run(ScsiBlockPtr *pte) case ZIPL_BOOT_MODE_NORMAL: rc =3D zipl_run_normal(&entry, tmp_sec); break; + case ZIPL_BOOT_MODE_SECURE: case ZIPL_BOOT_MODE_SECURE_AUDIT: rc =3D zipl_run_secure(&entry, tmp_sec); break; 
@@ -1115,9 +1116,16 @@ ZiplBootMode get_boot_mode(uint8_t hdr_flags) { bool sipl_set =3D hdr_flags & DIAG308_IPIB_FLAGS_SIPL; bool iplir_set =3D hdr_flags & DIAG308_IPIB_FLAGS_IPLIR; + VCStorageSizeBlock *vcssb; =20 if (!sipl_set && iplir_set) { return ZIPL_BOOT_MODE_SECURE_AUDIT; + } else if (sipl_set && iplir_set) { + vcssb =3D zipl_secure_get_vcssb(); + if (vcssb =3D=3D NULL || vcssb->length =3D=3D VCSSB_NO_VC) { + panic("Need at least one certificate for secure boot!"); + } + return ZIPL_BOOT_MODE_SECURE; } =20 return ZIPL_BOOT_MODE_NORMAL; diff --git a/pc-bios/s390-ccw/main.c b/pc-bios/s390-ccw/main.c index 0bcd32b059..e34179a05f 100644 --- a/pc-bios/s390-ccw/main.c +++ b/pc-bios/s390-ccw/main.c @@ -396,9 +396,10 @@ void main(void) =20 boot_mode =3D get_boot_mode(iplb->hdr_flags); switch (boot_mode) { + case ZIPL_BOOT_MODE_SECURE: case ZIPL_BOOT_MODE_SECURE_AUDIT: if (!secure_ipl_supported()) { - panic("Unable to boot in audit mode"); + panic("Unable to boot in secure/audit mode"); } default: break; diff --git a/pc-bios/s390-ccw/s390-ccw.h b/pc-bios/s390-ccw/s390-ccw.h index b66a9b50bf..7a7bf7720b 100644 --- a/pc-bios/s390-ccw/s390-ccw.h +++ b/pc-bios/s390-ccw/s390-ccw.h @@ -90,6 +90,7 @@ void zipl_load(void); typedef enum ZiplBootMode { ZIPL_BOOT_MODE_NORMAL =3D 0, ZIPL_BOOT_MODE_SECURE_AUDIT =3D 1, + ZIPL_BOOT_MODE_SECURE =3D 2, } ZiplBootMode; =20 extern ZiplBootMode boot_mode; diff --git a/pc-bios/s390-ccw/secure-ipl.h b/pc-bios/s390-ccw/secure-ipl.h index 950cd45b3c..723612b9ea 100644 --- a/pc-bios/s390-ccw/secure-ipl.h +++ b/pc-bios/s390-ccw/secure-ipl.h 
@@ -83,6 +83,9 @@ static inline void zipl_secure_error(const char *message) case ZIPL_BOOT_MODE_SECURE_AUDIT: printf("AUDIT MODE WARNING: %s\n", message); break; + case ZIPL_BOOT_MODE_SECURE: + panic(message); + break; default: break; } --=20 2.54.0
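Review bot: In get_boot_mode() in pc-bios/s390-ccw/bootmap.c, a header with SIPL set but IPLIR clear matches neither branch and falls through to `return ZIPL_BOOT_MODE_NORMAL;`, so a request for secure IPL with an inconsistent flag pair boots with no checks at all. The QEMU-side comment in this series states that IPLIR must be on whenever SIPL is on, so this case should panic like the missing-certificate case rather than fail open.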
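Review bot: The new "Secure Mode" section in docs/system/s390x/secure-ipl.rst only covers `secure-boot=on` with certificates provided; it does not mention that `secure-boot=on` without any certificate terminates the boot, which get_boot_mode() enforces with panic("Need at least one certificate for secure boot!"). Add a sentence documenting that outcome so the failure is not a surprise to users.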
From: Zhuoying Cai To: qemu-s390x@nongnu.org, qemu-devel@nongnu.org Cc: jrossi@linux.ibm.com, cohuck@redhat.com, berrange@redhat.com, richard.henderson@linaro.org, david@kernel.org, walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com, brueckner@linux.ibm.com, pierrick.bouvier@oss.qualcomm.com, jdaley@linux.ibm.com Subject: [PATCH v11 28/32] hw/s390x/ipl: Handle secure boot with multiple boot devices Date: Tue, 5 May 2026 16:19:00 -0400 Message-ID: <20260505201905.997996-29-zycai@linux.ibm.com> X-Mailer: git-send-email 2.54.0 In-Reply-To: <20260505201905.997996-1-zycai@linux.ibm.com> References: <20260505201905.997996-1-zycai@linux.ibm.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-TM-AS-GCONF: 00 X-Authority-Analysis: v=2.4 cv=XPQAjwhE c=1 sm=1 tr=0 ts=69fa50f0 cx=c_pps a=GFwsV6G8L6GxiO2Y/PsHdQ==:117 a=GFwsV6G8L6GxiO2Y/PsHdQ==:17 a=NGcC8JguVDcA:10 a=VkNPw1HP01LnGYTKEx00:22 a=RnoormkPH1_aCDwRdu11:22 a=Y2IxJ9c9Rs8Kov3niI8_:22 a=VnNF1IyMAAAA:8 a=20KFwNOVAAAA:8 a=Q8-XYP680VqNmkEzHFAA:9 X-Proofpoint-ORIG-GUID: 95mjMQxC87Ic_UBUifsXFoGXKakfv60L X-Proofpoint-GUID: 95mjMQxC87Ic_UBUifsXFoGXKakfv60L X-Proofpoint-Spam-Details-Enc: AW1haW4tMjYwNTA1MDE5NSBTYWx0ZWRfX3vRQgLwvox7P JpUkILrtH1b9rgAxahMhgayJh3AHa3+IH4Qluf3FkPhoQdBjobHeWiVApf6LfPXmp0V1CUXpv/y NHvfuXhALnvHlzIRjbIkbxkZxuUwvifXfxVfPM/e4np2VaSFmySuA/sdkKP6lRAp9vhZwiNFojv liDPRCFMhoUwtOoYZTlPhdOF4HcxJvOeBNQIj+sRRvzjZgIrDtyKXdqsoKwd28Wg5tzYrbsfVYP r4cxu7hdjux3/kWhqfqmqnH+fZhzUEJTg/i/QGoy3ajntmCR8l1P39S2Tl8X7GzI8ln6xH3t4ON yz55FAKMbLmWLLRCrkUq188t2qPcXoxu1AAZUli6umMUDzMYQ4JULXWDP9NFuuYDI+jfK4xXP2L LPFqgS+9UykAizWdX9ybo0exL/l7Dhqvfzl063cPeyqE4lKlFekpMQHmvefPfx6mpR7cQNFRowR eWN8bx7mvLyD7xWJ1tg== X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1143,Hydra:6.1.51,FMLib:17.12.100.49 
definitions=2026-05-05_02,2026-04-30_02,2025-10-01_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 bulkscore=0 lowpriorityscore=0 suspectscore=0 adultscore=0 spamscore=0 priorityscore=1501 impostorscore=0 phishscore=0 malwarescore=0 clxscore=1015 classifier=typeunknown authscore=0 authtc= authcc= route=outbound adjust=0 reason=mlx scancount=1 engine=8.22.0-2604200000 definitions=main-2605050195 Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists1p.gnu.org; Received-SPF: pass client-ip=148.163.158.5; envelope-from=zycai@linux.ibm.com; helo=mx0b-001b2d01.pphosted.com X-Spam_score_int: -26 X-Spam_score: -2.7 X-Spam_bar: -- X-Spam_report: (-2.7 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @ibm.com) X-ZM-MESSAGEID: 1778012582733158500 Content-Type: text/plain; charset="utf-8" The current approach to enable secure boot relies on providing secure-boot and boot-certs parameters of s390-ccw-virtio machine type option, which apply to all boot devices. With the possibility of multiple boot devices, secure boot expects all provided devices to be supported and eligible (e.g., virtio-blk/virtio-scsi using the SCSI scheme). 
If multiple boot devices are provided and include an unsupported (e.g., ECKD, VFIO) or a non-eligible (e.g., Net) device, the boot process will terminate with an error logged to the console. Signed-off-by: Zhuoying Cai Reviewed-by: Thomas Huth --- hw/s390x/ipl.c | 79 ++++++++++++++++++++++++++++------------- pc-bios/s390-ccw/main.c | 3 -- 2 files changed, 54 insertions(+), 28 deletions(-) diff --git a/hw/s390x/ipl.c b/hw/s390x/ipl.c index 67e8231c76..52f953fd32 100644 --- a/hw/s390x/ipl.c +++ b/hw/s390x/ipl.c 
@@ -473,6 +473,58 @@ static bool s390_secure_boot_enabled(void) return S390_CCW_MACHINE(qdev_get_machine())->secure_boot; } =20 +static bool s390_validate_secure_boot_device(int devtype, Error **errp) +{ + switch (devtype) { + case CCW_DEVTYPE_VFIO: + error_setg(errp, "Passthrough (vfio) CCW device does not support se= cure boot!"); + return false; + case CCW_DEVTYPE_VIRTIO_NET: + error_setg(errp, "Virtio net boot device does not support secure bo= ot!"); + return false; + default: + return true; + } +} + +static void s390_apply_secure_boot(IplParameterBlock *iplb, int devtype, + bool secure_boot, bool audit_mode) +{ + Error *local_error =3D NULL; + + if (!secure_boot && !audit_mode) { + return; + } + + if (!s390_validate_secure_boot_device(devtype, &local_error)) { + error_report_err(local_error); + exit(1); + } + + /* + * If secure-boot is enabled, then toggle the secure IPL flags (SIPL) = to + * trigger secure boot in the s390 BIOS. + * + * Boot process will terminate if any error occurs during secure boot. + */ + if (secure_boot) { + iplb->hdr_flags |=3D DIAG308_IPIB_FLAGS_SIPL; + } + + /* + * For both secure boot and audit mode, enable the IPL Information + * Report (IPLIR) flag so that the firmware generates an IPL + * Information Report Block (IIRB). + * + * Results of secure boot will be stored in IIRB. + * + * Extend the IPL parameter block to its maximum length to ensure + * sufficient space for the BIOS to populate the IIRB. + */ + iplb->hdr_flags |=3D DIAG308_IPIB_FLAGS_IPLIR; + iplb->len =3D cpu_to_be32(S390_IPLB_MAX_LEN); +} + static bool s390_build_iplb(DeviceState *dev_st, IplParameterBlock *iplb) { CcwDevice *ccw_dev =3D NULL; 
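Review bot: In s390_validate_secure_boot_device() the `default:` arm returns true, so every device type other than CCW_DEVTYPE_VFIO and CCW_DEVTYPE_VIRTIO_NET is accepted for secure boot, including any type added later. The commit message describes eligibility as a list of supported devices (virtio-blk/virtio-scsi using the SCSI scheme); inverting the switch so that only the known-eligible types return true and the default arm sets the error would make a new device type fail closed. Separately, s390_apply_secure_boot() runs the validation when only audit_mode is set, yet both messages say the device "does not support secure boot"; the wording should let an audit-mode user understand why QEMU exited.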
@@ -529,31 +581,8 @@ static bool s390_build_iplb(DeviceState *dev_st, IplPa= rameterBlock *iplb) s390_ipl_convert_loadparm((char *)lp, iplb->loadparm); iplb->flags |=3D DIAG308_FLAGS_LP_VALID; =20 - /* - * If secure-boot is enabled, then toggle the secure IPL flags to - * trigger secure boot in the s390 BIOS. - * - * Boot process will terminate if any error occurs during secure b= oot. - * - * If SIPL is on, IPLIR must also be on. - */ - if (s390_secure_boot_enabled()) { - iplb->hdr_flags |=3D (DIAG308_IPIB_FLAGS_SIPL | DIAG308_IPIB_F= LAGS_IPLIR); - iplb->len =3D cpu_to_be32(S390_IPLB_MAX_LEN); - } - /* - * Secure boot in audit mode will perform - * if certificate(s) exist in the key store. - * - * IPL Information Report Block (IIRB) will exist - * for secure boot in audit mode. - * - * Results of secure boot will be stored in IIRB. - */ - else if (s390_has_certificate()) { - iplb->hdr_flags |=3D DIAG308_IPIB_FLAGS_IPLIR; - iplb->len =3D cpu_to_be32(S390_IPLB_MAX_LEN); - } + s390_apply_secure_boot(iplb, devtype, s390_secure_boot_enabled(), + s390_has_certificate()); =20 return true; } diff --git a/pc-bios/s390-ccw/main.c b/pc-bios/s390-ccw/main.c index e34179a05f..2db3b704ab 100644 --- a/pc-bios/s390-ccw/main.c +++ b/pc-bios/s390-ccw/main.c 
@@ -304,9 +304,6 @@ static void ipl_ccw_device(void) switch (cutype) { case CU_TYPE_DASD_3990: case CU_TYPE_DASD_2107: - IPL_assert((boot_mode =3D=3D ZIPL_BOOT_MODE_NORMAL), - "Passthrough (vfio) CCW device does not support secure= boot!"); - dasd_ipl(blk_schid, cutype); break; case CU_TYPE_VIRTIO: --=20 2.54.0
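Review bot: The removal of IPL_assert() ahead of dasd_ipl() in ipl_ccw_device() (pc-bios/s390-ccw/main.c) leaves the CU_TYPE_DASD_3990 / CU_TYPE_DASD_2107 path with no firmware-side refusal when boot_mode is not ZIPL_BOOT_MODE_NORMAL; enforcement now rests on the host-side CCW_DEVTYPE_VFIO check in hw/s390x/ipl.c alone. The two checks key on different things (cutype in the BIOS, devtype in QEMU), so please confirm that every way of reaching dasd_ipl() with a secure or audit boot_mode has first passed through s390_validate_secure_boot_device(), or keep the assert as a backstop. The commit message does not mention this removal or why it is needed.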
From: Zhuoying Cai
To: qemu-s390x@nongnu.org, qemu-devel@nongnu.org
Cc: jrossi@linux.ibm.com, cohuck@redhat.com, berrange@redhat.com, richard.henderson@linaro.org, david@kernel.org, walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com, brueckner@linux.ibm.com, pierrick.bouvier@oss.qualcomm.com, jdaley@linux.ibm.com
Subject: [PATCH v11 29/32] hw/s390x/ipl: Handle secure boot without specifying a boot device
Date: Tue, 5 May 2026 16:19:01 -0400
Message-ID: <20260505201905.997996-30-zycai@linux.ibm.com>
In-Reply-To: <20260505201905.997996-1-zycai@linux.ibm.com>
References: <20260505201905.997996-1-zycai@linux.ibm.com>

If secure boot in audit mode or True Secure IPL mode is enabled without specifying a boot device, the boot process will terminate with an error. Signed-off-by: Zhuoying Cai Reviewed-by: Thomas Huth --- hw/s390x/ipl.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/hw/s390x/ipl.c b/hw/s390x/ipl.c index 52f953fd32..2eb3b4643b 100644 --- a/hw/s390x/ipl.c +++ b/hw/s390x/ipl.c
@@ -852,6 +852,16 @@ void s390_ipl_prepare_cpu(S390CPU *cpu) cpu->env.psw.addr =3D ipl->bios_start_addr; if (!ipl->iplb_valid) { ipl->iplb_valid =3D s390_init_all_iplbs(ipl); + + /* + * Secure IPL without specifying a boot device. + * IPLB is not generated if no boot device is defined. + */ + if ((s390_has_certificate() || s390_secure_boot_enabled()) && + !ipl->iplb_valid) { + error_report("No boot device defined for Secure IPL"); + exit(1); + } } else { ipl->qipl.chain_len =3D 0; } --=20 2.54.0
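Review bot: The added check in s390_ipl_prepare_cpu() treats any false return from s390_init_all_iplbs() as "no boot device defined", which is what the new comment asserts. If s390_init_all_iplbs() can also return false for a different reason, "No boot device defined for Secure IPL" will misreport it; either state in the comment that this is the only false case or word the message more generally. Since the condition is `s390_has_certificate() || s390_secure_boot_enabled()`, the message could also say whether audit mode or secure boot triggered the exit.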
From: Zhuoying Cai
To: qemu-s390x@nongnu.org, qemu-devel@nongnu.org
Cc: jrossi@linux.ibm.com, cohuck@redhat.com, berrange@redhat.com, richard.henderson@linaro.org, david@kernel.org, walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com, brueckner@linux.ibm.com, pierrick.bouvier@oss.qualcomm.com, jdaley@linux.ibm.com
Subject: [PATCH v11 30/32] tests/functional/s390x: Add secure IPL functional test
Date: Tue, 5 May 2026 16:19:02 -0400
Message-ID: <20260505201905.997996-31-zycai@linux.ibm.com>
In-Reply-To: <20260505201905.997996-1-zycai@linux.ibm.com>
References: <20260505201905.997996-1-zycai@linux.ibm.com>

Add functional test for secure IPL. Signed-off-by: Zhuoying Cai --- tests/functional/s390x/meson.build | 2 + tests/functional/s390x/test_secure_ipl.py | 148 ++++++++++++++++++++++ 2 files changed, 150 insertions(+) create mode 100755 tests/functional/s390x/test_secure_ipl.py diff --git a/tests/functional/s390x/meson.build b/tests/functional/s390x/me= son.build index b065b666bc..01cb2d1d4c 100644
--- a/tests/functional/s390x/meson.build +++ b/tests/functional/s390x/meson.build @@ -2,6 +2,7 @@ =20 test_s390x_timeouts =3D { 'ccw_virtio' : 420, + 'secure_ipl' : 280, } =20 tests_s390x_system_quick =3D [ @@ -14,6 +15,7 @@ tests_s390x_system_thorough =3D [ 'ccw_virtio', 'pxelinux', 'replay', + 'secure_ipl', 'topology', 'tuxrun', ] diff --git a/tests/functional/s390x/test_secure_ipl.py b/tests/functional/s= 390x/test_secure_ipl.py new file mode 100755 index 0000000000..0980daace1 --- /dev/null +++ b/tests/functional/s390x/test_secure_ipl.py 
@@ -0,0 +1,148 @@ +#!/usr/bin/env python3 +# +# s390x Secure IPL functional test: validates secure-boot verification res= ults +# +# SPDX-License-Identifier: GPL-2.0-or-later + +from subprocess import check_call, DEVNULL + +from qemu_test import QemuSystemTest, Asset, get_qemu_img +from qemu_test import exec_command_and_wait_for_pattern, exec_command +from qemu_test import wait_for_console_pattern, skipBigDataTest + +class S390xSecureIpl(QemuSystemTest): + ASSET_F40_QCOW2 =3D Asset( + ('https://archives.fedoraproject.org/pub/archive/' + 'fedora-secondary/releases/40/Server/s390x/images/' + 'Fedora-Server-KVM-40-1.14.s390x.qcow2'), + '091c232a7301be14e19c76ce9a0c1cbd2be2c4157884a731e1fc4f89e7455a5f') + + def __init__(self, *args, **kwargs): + super().__init__(*args, **kwargs) + self.root_password =3D None + self.qcow2_path =3D None + self.cert_path =3D None + self.prompt =3D None + + # Boot a temporary VM to set up secure IPL image: + # - Create certificate + # - Sign stage3 binary and kernel + # - Run zipl + # - Extract certificate + def setup_s390x_secure_ipl(self): + temp_vm =3D self.get_vm(name=3D'sipl_setup') + temp_vm.set_machine('s390-ccw-virtio') + + asset_path =3D self.ASSET_F40_QCOW2.fetch() + self.qcow2_path =3D self.scratch_file('f40.qcow2') + qemu_img =3D get_qemu_img(self) + check_call([qemu_img, 'create', '-f', 'qcow2', '-b', asset_path, + '-F', 'qcow2', self.qcow2_path], stdout=3DDEVNULL, std= err=3DDEVNULL) + + temp_vm.set_console() + temp_vm.add_args('-nographic', + '-accel', 'kvm', + '-m', '1024', + '-drive', + f'id=3Ddrive0,if=3Dnone,format=3Dqcow2,file=3D{se= lf.qcow2_path}', + '-device', 'virtio-blk-ccw,drive=3Ddrive0,bootind= ex=3D1') + temp_vm.launch() + + # Initial root account setup (Fedora first boot screen) + self.root_password =3D 'fedora40password' + wait_for_console_pattern(self, 'Please make a selection from the a= bove', + vm=3Dtemp_vm) + exec_command_and_wait_for_pattern(self, '4', 'Password:', vm=3Dtem= p_vm) + 
exec_command_and_wait_for_pattern(self, self.root_password, + 'Password (confirm):', vm=3Dtemp= _vm) + exec_command_and_wait_for_pattern(self, self.root_password, + 'Please make a selection from the abov= e', + vm=3Dtemp_vm) + + # Login as root + self.prompt =3D '[root@localhost ~]#' + exec_command_and_wait_for_pattern(self, 'c', 'localhost login:', v= m=3Dtemp_vm) + exec_command_and_wait_for_pattern(self, 'root', 'Password:', vm=3D= temp_vm) + exec_command_and_wait_for_pattern(self, self.root_password, self.p= rompt, + vm=3Dtemp_vm) + + # Certificate generation + exec_command_and_wait_for_pattern(self, + 'openssl version', 'OpenSSL 3.2.= 1 30', + vm=3Dtemp_vm) + exec_command_and_wait_for_pattern(self, + 'openssl req -new -x509 -newkey rsa:2048 ' + '-keyout mykey.pem -outform PEM -out mycert.pe= m ' + '-days 36500 -subj "/CN=3DMy Name/" -nodes -ve= rbose', + 'Writing private key to \'mykey.pem\'', vm=3Dt= emp_vm) + + # Install kernel-devel (needed for sign-file) + exec_command_and_wait_for_pattern(self, + 'sudo dnf install kernel-devel-$(uname -r)= -y', + 'Complete!', vm=3Dtemp_vm) + wait_for_console_pattern(self, self.prompt, vm=3Dtemp_vm) + exec_command_and_wait_for_pattern(self, + 'ls /usr/src/kernels/$(uname -r)/scrip= ts/', + 'sign-file', vm=3Dtemp_vm) + + # Sign stage3 binary and kernel + exec_command(self, '/usr/src/kernels/$(uname -r)/scripts/sign-file= ' + 'sha256 mykey.pem mycert.pem /lib/s390-tools/stage3.bi= n', + vm=3Dtemp_vm) + wait_for_console_pattern(self, self.prompt, vm=3Dtemp_vm) + exec_command(self, '/usr/src/kernels/$(uname -r)/scripts/sign-file= ' + 'sha256 mykey.pem mycert.pem /boot/vmlinuz-$(uname -r)= ', + vm=3Dtemp_vm) + wait_for_console_pattern(self, self.prompt, vm=3Dtemp_vm) + + # Run zipl to prepare for secure boot + exec_command_and_wait_for_pattern(self, 'zipl --secure 1 -VV', 'Do= ne.', + vm=3Dtemp_vm) + + # Extract certificate to host + out =3D exec_command_and_wait_for_pattern(self, 'cat mycert.pem', + '-----END CERTIFICATE-----= 
', + vm=3Dtemp_vm) + # strip first line to avoid console echo artifacts + cert =3D "\n".join(out.decode("utf-8").splitlines()[1:]) + self.log.info("%s", cert) + + self.cert_path =3D self.scratch_file("mycert.pem") + + with open(self.cert_path, 'w', encoding=3D"utf-8") as file_object: + file_object.write(cert) + + # Shutdown temp vm + temp_vm.shutdown() + + @skipBigDataTest() + def test_s390x_secure_ipl(self): + self.require_accelerator('kvm') + self.setup_s390x_secure_ipl() + + self.set_machine('s390-ccw-virtio') + + self.vm.set_console() + self.vm.add_args('-nographic', + '-machine', 's390-ccw-virtio,secure-boot=3Don,' + f'boot-certs.0.path=3D{self.cert_path}', + '-accel', 'kvm', + '-m', '1024', + '-drive', + f'id=3Ddrive1,if=3Dnone,format=3Dqcow2,file=3D{se= lf.qcow2_path}', + '-device', 'virtio-blk-ccw,drive=3Ddrive1,bootind= ex=3D1') + self.vm.launch() + + # Expect two verified components + verified_output =3D "Verified component" + wait_for_console_pattern(self, verified_output) + wait_for_console_pattern(self, verified_output) + + # Login and verify the vm is booted using secure boot + wait_for_console_pattern(self, 'localhost login:') + exec_command_and_wait_for_pattern(self, 'root', 'Password:') + exec_command_and_wait_for_pattern(self, self.root_password, self.p= rompt) + exec_command_and_wait_for_pattern(self, 'cat /sys/firmware/ipl/sec= ure', '1') + +if __name__ =3D=3D '__main__': + QemuSystemTest.main() --=20 2.54.0
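Review bot: The final assertion in test_s390x_secure_ipl, exec_command_and_wait_for_pattern(self, 'cat /sys/firmware/ipl/secure', '1'), waits for a bare '1' with no failure pattern, so any '1' that appears on the console satisfies it and a guest that reports 0 only fails by timeout. Consider printing a distinctive marker around the value, or passing a failure message for '0', so the check is tied to that file's contents. The test also covers only the positive path; a companion case that boots the same image with a certificate that did not sign it, and expects the secure-mode abort, would show that secure-boot=on actually rejects unverifiable components. In the setup helper, the console output is written to mycert.pem after dropping the first line but is never checked for PEM BEGIN/END markers, so a console artifact would surface later as an unrelated boot failure.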
From: Zhuoying Cai
To: qemu-s390x@nongnu.org, qemu-devel@nongnu.org
Cc: jrossi@linux.ibm.com, cohuck@redhat.com, berrange@redhat.com, richard.henderson@linaro.org, david@kernel.org, walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com, brueckner@linux.ibm.com, pierrick.bouvier@oss.qualcomm.com, jdaley@linux.ibm.com
Subject: [PATCH v11 31/32] docs/specs: Add secure IPL documentation
Date: Tue, 5 May 2026 16:19:03 -0400
Message-ID: <20260505201905.997996-32-zycai@linux.ibm.com>
In-Reply-To: <20260505201905.997996-1-zycai@linux.ibm.com>
References: <20260505201905.997996-1-zycai@linux.ibm.com>
Content-Transfer-Encoding: quoted-printable

Add documentation for secure IPL

Signed-off-by: Collin Walling
--- docs/specs/s390x-secure-ipl.rst | 55 +++++++++++++++++++++++++++++++++ 1 file changed, 55 insertions(+) diff --git a/docs/specs/s390x-secure-ipl.rst b/docs/specs/s390x-secure-ipl.= rst index 5fc15be99c..f4602fe19d 100644 --- a/docs/specs/s390x-secure-ipl.rst +++ b/docs/specs/s390x-secure-ipl.rst
@@ -1,5 +1,60 @@ .. SPDX-License-Identifier: GPL-2.0-or-later =20 +s390 Secure IPL +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D + +Secure IPL (a.k.a. secure boot) enables s390-ccw virtual machines to +leverage qcrypto libraries and z/Architecture emulations to verify the +integrity of signed kernels. The qcrypto libraries are used to perform +certificate validation and signature-verification, whereas the +z/Architecture emulations are used to ensure secure IPL data has not +been tampered with, convey data between QEMU and guest code, and set up +the relevant secure IPL data structures with verification results. + +To find out more about using this feature, see +:doc:`documentation `. + +Note that "guest code" will refer to the s390-ccw BIOS unless stated +otherwise. + +Both QEMU and guest code work in cooperation to perform secure IPL. The Se= cure +Loading Attributes Facility (SCLAF) is used to check the Secure Code +Loading Attribute Block (SCLAB) and ensure that secure IPL data has not +been tampered with. DIAGNOSE 'X'320' is invoked by guest code to query +the certificate store info and retrieve specific certificates from QEMU. +DIAGNOSE 'X'508' is used by guest code to leverage qcrypto libraries to +perform signature-verification in QEMU. Lastly, guest code generates and +appends an IPL Information Report Block (IIRB) at the end of the IPL +Parameter Block, which is used by the kernel to store signed and +verified entries. + +The logical steps are as follows: + +- guest code reads data payload from disk (e.g. 
stage3 boot loader, kernel) +- guest code checks the validity of the SCLAB +- guest code invokes DIAG 508 subcode 1 and provides it the payload +- QEMU handles DIAG 508 request by reading the payload and retrieving the + certificate store +- QEMU DIAG 508 utilizes qcrypto libraries to perform signature-verificati= on on + the payload, attempting with each cert in the store (until success or + exhausted) +- QEMU DIAG 508 returns: + + - success: index of cert used to verify payload + - failure: error code + +- guest code responds to this operation: + + - success: retrieves cert from store via DIAG 320 using returned index + - failure: reports with warning (audit mode), aborts with error (secure = mode) + +- guest code appends IIRB at the end of the IPLB +- guest code kicks off IPL + +More information regarding the respective DIAGNOSE commands and IPL data +structures are outlined within this document. + + s390 Certificate Store and Functions ------------------------------------ =20 --=20 2.54.0
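Review bot: In the "logical steps" list, outcome branches are given only for DIAG 508; the second step, "guest code checks the validity of the SCLAB", has no stated failure behaviour, and the "certificate validation" named in the introduction never appears as a step, so a reader cannot tell whether certificates are validated when the store is loaded or on each DIAG 508 attempt. Please state what an invalid SCLAB leads to in audit mode and in secure mode, and where certificate validation takes place. For the audit-mode failure branch, it would also help to say whether the IIRB records the component as unverified before "guest code kicks off IPL". Minor: DIAGNOSE 'X'320' and DIAGNOSE 'X'508' have unbalanced quotes, and "More information ... are outlined" should read "is outlined".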
From: Zhuoying Cai
To: qemu-s390x@nongnu.org, qemu-devel@nongnu.org
Cc: jrossi@linux.ibm.com, cohuck@redhat.com, berrange@redhat.com, richard.henderson@linaro.org, david@kernel.org, walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com, brueckner@linux.ibm.com, pierrick.bouvier@oss.qualcomm.com, jdaley@linux.ibm.com
Subject: [PATCH v11 32/32] docs/system/s390x: Add secure IPL documentation
Date: Tue, 5 May 2026 16:19:04 -0400
Message-ID: <20260505201905.997996-33-zycai@linux.ibm.com>
In-Reply-To: <20260505201905.997996-1-zycai@linux.ibm.com>
References: <20260505201905.997996-1-zycai@linux.ibm.com>
Content-Transfer-Encoding: quoted-printable

Add documentation for secure IPL

Signed-off-by: Collin Walling
Signed-off-by: Zhuoying Cai
Reviewed-by: Joshua Daley
--- docs/system/s390x/secure-ipl.rst | 100 +++++++++++++++++++++++++++++++ 1 file changed, 100 insertions(+) diff --git a/docs/system/s390x/secure-ipl.rst b/docs/system/s390x/secure-ip= l.rst index c8fb887ac0..b9123a72a0 100644 --- a/docs/system/s390x/secure-ipl.rst +++ b/docs/system/s390x/secure-ipl.rst
@@ -1,5 +1,22 @@ .. SPDX-License-Identifier: GPL-2.0-or-later =20 +s390 Secure IPL +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D + +Secure IPL, also known as secure boot, enables s390-ccw virtual machines to +verify the integrity of guest kernels. + +For technical details of this feature, see the +:doc:`specs document `. + +This document explains how to use secure IPL with s390x in QEMU. It covers +the command line options for providing certificates and enabling secure IP= L, +the different IPL modes (Normal, Audit, and Secure), and system requiremen= ts. + +A quickstart guide is provided to demonstrate how to generate certificates, +sign images, and start a guest in Secure Mode. + + Secure IPL Command Line Options ------------------------------- =20 
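Review bot: The opening paragraph says secure IPL verifies "the integrity of guest kernels", but the specs document in this series lists the stage3 boot loader alongside the kernel as a verified payload, and the functional test waits for two "Verified component" lines. Suggest wording such as "signed boot components (for example the stage3 boot loader and the kernel)" so users know everything that has to be signed. The title "s390 Secure IPL" is also identical to the one added in docs/specs/s390x-secure-ipl.rst; a distinct title here would keep the two pages apart in the index and in search results.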
@@ -79,3 +96,86 @@ Configuration: .. code-block:: shell =20 qemu-system-s390x -machine s390-ccw-virtio,secure-boot=3Don,boot-certs= .0.path=3D/.../qemu/certs,boot-certs.1.path=3D/another/path/cert.pem ... + + +Constraints +----------- + +The following constraints apply when attempting to boot an s390x guest in = secure +mode: + +- z16 or "qemu" CPU model +- certificates must be in X.509 PEM format +- only support for SCSI scheme of virtio-blk/virtio-scsi devices +- a boot device must be specified +- any unsupported devices (e.g., ECKD and VFIO) or non-eligible devices (e= .g., + network) will cause the entire boot process terminating early with an er= ror + logged to the console. + + +Secure IPL Quickstart +--------------------- + +Build QEMU with gnutls enabled +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +.. code-block:: shell + + ./configure =E2=80=A6 --enable-gnutls + +Generate certificate (e.g. via certtool) +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +A private key is required before generating a certificate. This key must b= e kept +secure and confidential. + +Use an RSA private key for signing. + +.. code-block:: shell + + certtool --generate-privkey > key.pem + +A self-signed certificate requires the organization name. Use the ``cert.i= nfo`` +template to pre-fill values and avoid interactive prompts from certtool. + +.. code-block:: shell + + cat > cert.info <
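Review bot: Under "Generate certificate", the text says the private key "must be kept secure and confidential", yet certtool --generate-privkey > key.pem creates the file through a shell redirect with the caller's default umask, which on many systems leaves it readable by other users. Suggest preceding the step with umask 077 or following it with chmod 600 key.pem. "Use an RSA private key for signing" reads as a requirement, but the command passes no key type or size, so the result depends on certtool defaults; either spell the options out or say the defaults are sufficient. In "Constraints", "z16 or "qemu" CPU model" does not say whether newer models qualify, "only support for SCSI scheme" would read better as "only the SCSI scheme of virtio-blk/virtio-scsi devices is supported", and "will cause the entire boot process terminating early" should read "to terminate early".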