Patch Detail
get:
Show a patch.
patch:
Update a patch.
put:
Update a patch.
GET /api/1.0/patches/2219374/?format=api
{ "id": 2219374, "url": "http://patchwork.ozlabs.org/api/1.0/patches/2219374/?format=api", "project": { "id": 14, "url": "http://patchwork.ozlabs.org/api/1.0/projects/14/?format=api", "name": "QEMU Development", "link_name": "qemu-devel", "list_id": "qemu-devel.nongnu.org", "list_email": "qemu-devel@nongnu.org", "web_url": "", "scm_url": "", "webscm_url": "" }, "msgid": "<20260402221453.1602899-2-zycai@linux.ibm.com>", "date": "2026-04-02T22:14:23", "name": "[v10,01/30] Add boot-certs to s390-ccw-virtio machine type option", "commit_ref": null, "pull_url": null, "state": "new", "archived": false, "hash": "c5bf908d282d26802aeda76292499a6676f26bcc", "submitter": { "id": 90643, "url": "http://patchwork.ozlabs.org/api/1.0/people/90643/?format=api", "name": "Zhuoying Cai", "email": "zycai@linux.ibm.com" }, "delegate": null, "mbox": "http://patchwork.ozlabs.org/project/qemu-devel/patch/20260402221453.1602899-2-zycai@linux.ibm.com/mbox/", "series": [ { "id": 498557, "url": "http://patchwork.ozlabs.org/api/1.0/series/498557/?format=api", "date": "2026-04-02T22:14:35", "name": "Secure IPL Support for SCSI Scheme of virtio-blk/virtio-scsi Devices", "version": 10, "mbox": "http://patchwork.ozlabs.org/series/498557/mbox/" } ], "check": "pending", "checks": "http://patchwork.ozlabs.org/api/patches/2219374/checks/", "tags": {}, "headers": { "Return-Path": "<qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>", "X-Original-To": "incoming@patchwork.ozlabs.org", "Delivered-To": "patchwork-incoming@legolas.ozlabs.org", "Authentication-Results": [ "legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=ibm.com header.i=@ibm.com header.a=rsa-sha256\n header.s=pp1 header.b=gpV4xHLb;\n\tdkim-atps=neutral", "legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=nongnu.org\n (client-ip=209.51.188.17; helo=lists.gnu.org;\n envelope-from=qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org;\n receiver=patchwork.ozlabs.org)" ], "Received": [ "from lists.gnu.org (lists.gnu.org [209.51.188.17])\n\t(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fmx664QgBz1yDH\n\tfor <incoming@patchwork.ozlabs.org>; Fri, 03 Apr 2026 09:16:46 +1100 (AEDT)", "from localhost ([::1] helo=lists1p.gnu.org)\n\tby lists.gnu.org with esmtp (Exim 4.90_1)\n\t(envelope-from <qemu-devel-bounces@nongnu.org>)\n\tid 1w8QJs-0000eY-M0; Thu, 02 Apr 2026 18:15:20 -0400", "from eggs.gnu.org ([2001:470:142:3::10])\n by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)\n (Exim 4.90_1) (envelope-from <zycai@linux.ibm.com>)\n id 1w8QJr-0000dX-3D; Thu, 02 Apr 2026 18:15:19 -0400", "from mx0a-001b2d01.pphosted.com ([148.163.156.1])\n by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)\n (Exim 4.90_1) (envelope-from <zycai@linux.ibm.com>)\n id 1w8QJp-0004lH-1Q; Thu, 02 Apr 2026 18:15:18 -0400", "from pps.filterd (m0353729.ppops.net [127.0.0.1])\n by mx0a-001b2d01.pphosted.com (8.18.1.11/8.18.1.11) with ESMTP id\n 6328WI1m2903666; Thu, 2 Apr 2026 22:15:11 GMT", "from ppma22.wdc07v.mail.ibm.com\n (5c.69.3da9.ip4.static.sl-reverse.com [169.61.105.92])\n by mx0a-001b2d01.pphosted.com (PPS) with ESMTPS id 4d66nnxs7w-1\n (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT);\n Thu, 02 Apr 2026 22:15:10 +0000 (GMT)", "from pps.filterd (ppma22.wdc07v.mail.ibm.com [127.0.0.1])\n by ppma22.wdc07v.mail.ibm.com (8.18.1.2/8.18.1.2) with ESMTP id\n 632Jwg7O006362;\n Thu, 2 Apr 2026 22:15:09 GMT", "from smtprelay01.wdc07v.mail.ibm.com ([172.16.1.68])\n by ppma22.wdc07v.mail.ibm.com (PPS) with ESMTPS id 4d6spyc0uh-1\n (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT);\n Thu, 02 Apr 2026 22:15:09 +0000", "from smtpav05.dal12v.mail.ibm.com (smtpav05.dal12v.mail.ibm.com\n [10.241.53.104])\n by smtprelay01.wdc07v.mail.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id\n 632MF8oi1442646\n (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK);\n Thu, 2 Apr 2026 22:15:08 GMT", "from smtpav05.dal12v.mail.ibm.com (unknown [127.0.0.1])\n by IMSVA (Postfix) with ESMTP id DBC9058052;\n Thu, 2 Apr 2026 22:15:07 +0000 (GMT)", "from smtpav05.dal12v.mail.ibm.com (unknown [127.0.0.1])\n by IMSVA (Postfix) with ESMTP id 741D358056;\n Thu, 2 Apr 2026 22:15:06 +0000 (GMT)", "from fedora-workstation.ibmuc.com (unknown [9.61.183.185])\n by smtpav05.dal12v.mail.ibm.com (Postfix) with ESMTP;\n Thu, 2 Apr 2026 22:15:06 +0000 (GMT)" ], "DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed; d=ibm.com; h=cc\n :content-transfer-encoding:date:from:in-reply-to:message-id\n :mime-version:references:subject:to; s=pp1; bh=Cxez5btC+vurzFGzs\n 5j5X6Y1MNMQUB/QklmmfxkWO+Q=; b=gpV4xHLbdv479TklsryybI7hX8OiJjc1J\n UzxqKW8WYt8TBJ+lu6zxKxQn1ZBT/EWxhfPKsVCweh0cxGjKq2v0KtQLdHXsi91t\n s3t3I7IYIaiDEWQlIXSpJl1C+mrFsxv4QvOKOTjsbZWr2h39EyuNvSWM5p7LcpB5\n PXcnmjJKeXw2OFLY5rEkKMmE5ZMxZ8Gtx83+j1uEwDwYnwm3O27w/cZ/6JJ6tPmH\n MbP68ZD0eM3BM5PFFIAnXiFoVm304b2ZMnxEKK0P4P+0qV0VdXazQr9GpEy2wWZ4\n yTSgK7zLqz572FyPwzx9/6mLVKxZjEATYLjUiD1WW+4nQ+2Q9uovA==", "From": "Zhuoying Cai <zycai@linux.ibm.com>", "To": "qemu-s390x@nongnu.org, qemu-devel@nongnu.org", "Cc": "jrossi@linux.ibm.com, cohuck@redhat.com, berrange@redhat.com,\n richard.henderson@linaro.org, pierrick.bouvier@linaro.org,\n david@kernel.org, walling@linux.ibm.com, jjherne@linux.ibm.com,\n pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com,\n mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com,\n armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com,\n brueckner@linux.ibm.com, jdaley@linux.ibm.com", "Subject": "[PATCH v10 01/30] Add boot-certs to s390-ccw-virtio machine type\n option", "Date": "Thu, 2 Apr 2026 18:14:23 -0400", "Message-ID": "<20260402221453.1602899-2-zycai@linux.ibm.com>", "X-Mailer": "git-send-email 2.53.0", "In-Reply-To": "<20260402221453.1602899-1-zycai@linux.ibm.com>", "References": "<20260402221453.1602899-1-zycai@linux.ibm.com>", "MIME-Version": "1.0", "Content-Transfer-Encoding": "8bit", "X-TM-AS-GCONF": "00", "X-Proofpoint-GUID": "13wZKQvDgUeZdZ6BokmdFIaIt-eS3VJf", "X-Authority-Analysis": "v=2.4 cv=KslAGGWN c=1 sm=1 tr=0 ts=69ceea6e cx=c_pps\n a=5BHTudwdYE3Te8bg5FgnPg==:117 a=5BHTudwdYE3Te8bg5FgnPg==:17\n a=A5OVakUREuEA:10 a=VkNPw1HP01LnGYTKEx00:22 a=RnoormkPH1_aCDwRdu11:22\n a=uAbxVGIbfxUO_5tXvNgY:22 a=VnNF1IyMAAAA:8 a=20KFwNOVAAAA:8\n a=pOjPfhpiL-oY2_FcObYA:9", "X-Proofpoint-Spam-Details-Enc": "AW1haW4tMjYwNDAyMDE5NSBTYWx0ZWRfX5VQao+8mfOyB\n rw0EN6ko6gZhzwDHb2H+Nwmxb1iesKNmdCvowtH+nMfgc3HDzjGFORbzRrPXh6oInK1ImqSwKy8\n efPeQd1qwUgPjHHoIvbxLLwsGB4vpBPf5/gSoSFV4a1+MjPIkyts+5FLqOF+aLrlGN1DMJ65y9n\n qFYSeIdcGgcjZnC3LoiGh4hSc/C1vrRUbYk7WZ0wZAaQ0YIQuQIK8Sl5kKnd45fnVB4eg5Bf6/e\n DGGpFLmjH8xh9x6IsIhrbZ5X4lKcQKeYW8AvXbl8XirP096N6pITtacMKHebfqJJ9cS4SUbn58K\n XpZ46JFYmiSdK1QgSPcyqVbQ2IOz5XTWiJ3Dmrlp7JLfHi+LMgBLMnrmSP/E4DV6mblYo7G4qzC\n FMji+Tr4vhOK+sk9Og6TEiqhQlzT2HZA0dqxvHHFfkCDiO+WAANQ0X4AdDD5dhuiNLD/x9h+iqg\n Gr2cYe/ILsEM7nAq6sw==", "X-Proofpoint-ORIG-GUID": "13wZKQvDgUeZdZ6BokmdFIaIt-eS3VJf", "X-Proofpoint-Virus-Version": "vendor=baseguard\n engine=ICAP:2.0.293,Aquarius:18.0.1143,Hydra:6.1.51,FMLib:17.12.100.49\n definitions=2026-04-02_04,2026-04-02_05,2025-10-01_01", "X-Proofpoint-Spam-Details": "rule=outbound_notspam policy=outbound score=0\n malwarescore=0 lowpriorityscore=0 priorityscore=1501 suspectscore=0\n phishscore=0 adultscore=0 bulkscore=0 impostorscore=0 clxscore=1011\n spamscore=0 classifier=typeunknown authscore=0 authtc= authcc= route=outbound\n adjust=0 reason=mlx scancount=1 engine=8.22.0-2603050001\n definitions=main-2604020195", "Received-SPF": "pass client-ip=148.163.156.1; envelope-from=zycai@linux.ibm.com;\n helo=mx0a-001b2d01.pphosted.com", "X-Spam_score_int": "-26", "X-Spam_score": "-2.7", "X-Spam_bar": "--", "X-Spam_report": "(-2.7 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,\n DKIM_VALID=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7,\n RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001,\n RCVD_IN_VALIDITY_CERTIFIED_BLOCKED=0.001,\n RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001,\n SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no", "X-Spam_action": "no action", "X-BeenThere": "qemu-devel@nongnu.org", "X-Mailman-Version": "2.1.29", "Precedence": "list", "List-Id": "qemu development <qemu-devel.nongnu.org>", "List-Unsubscribe": "<https://lists.nongnu.org/mailman/options/qemu-devel>,\n <mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>", "List-Archive": "<https://lists.nongnu.org/archive/html/qemu-devel>", "List-Post": "<mailto:qemu-devel@nongnu.org>", "List-Help": "<mailto:qemu-devel-request@nongnu.org?subject=help>", "List-Subscribe": "<https://lists.nongnu.org/mailman/listinfo/qemu-devel>,\n <mailto:qemu-devel-request@nongnu.org?subject=subscribe>", "Errors-To": "qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org", "Sender": "qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org" }, "content": "Introduce a new `boot-certs` machine type option for the s390-ccw-virtio\nmachine. This allows users to specify one or more certificate file paths\nor directories to be used during secure boot.\n\nEach entry is specified using the syntax:\n\tboot-certs.<index>.path=/path/to/cert.pem\n\nMultiple paths can be specify using array properties:\n\tboot-certs.0.path=/path/to/cert.pem,\n\tboot-certs.1.path=/path/to/cert-dir,\n\tboot-certs.2.path=/path/to/another-dir...\n\nSigned-off-by: Zhuoying Cai <zycai@linux.ibm.com>\nAcked-by: Markus Armbruster <armbru@redhat.com>\n---\n docs/system/s390x/secure-ipl.rst | 20 ++++++++++++++++++++\n docs/system/target-s390x.rst | 1 +\n hw/s390x/s390-virtio-ccw.c | 30 ++++++++++++++++++++++++++++++\n include/hw/s390x/s390-virtio-ccw.h | 2 ++\n qapi/machine-s390x.json | 23 +++++++++++++++++++++++\n qapi/pragma.json | 1 +\n qemu-options.hx | 6 +++++-\n 7 files changed, 82 insertions(+), 1 deletion(-)\n create mode 100644 docs/system/s390x/secure-ipl.rst", "diff": "diff --git a/docs/system/s390x/secure-ipl.rst b/docs/system/s390x/secure-ipl.rst\nnew file mode 100644\nindex 0000000000..0a02f171b4\n--- /dev/null\n+++ b/docs/system/s390x/secure-ipl.rst\n@@ -0,0 +1,20 @@\n+.. SPDX-License-Identifier: GPL-2.0-or-later\n+\n+Secure IPL Command Line Options\n+===============================\n+\n+The s390-ccw-virtio machine type supports secure IPL. These parameters allow\n+users to provide certificates and enable secure IPL directly via the command\n+line.\n+\n+Providing Certificates\n+----------------------\n+\n+The certificate store can be populated by supplying a list of X.509 certificate\n+file paths or directories containing certificate files on the command-line:\n+\n+Note: certificate files must have a .pem extension.\n+\n+.. code-block:: shell\n+\n+ qemu-system-s390x -machine s390-ccw-virtio,boot-certs.0.path=/.../qemu/certs,boot-certs.1.path=/another/path/cert.pem ...\ndiff --git a/docs/system/target-s390x.rst b/docs/system/target-s390x.rst\nindex 94c981e732..8938a13d10 100644\n--- a/docs/system/target-s390x.rst\n+++ b/docs/system/target-s390x.rst\n@@ -35,3 +35,4 @@ Architectural features\n s390x/bootdevices\n s390x/protvirt\n s390x/cpu-topology\n+ s390x/secure-ipl\ndiff --git a/hw/s390x/s390-virtio-ccw.c b/hw/s390x/s390-virtio-ccw.c\nindex 3ef009463d..a6f0fc4e00 100644\n--- a/hw/s390x/s390-virtio-ccw.c\n+++ b/hw/s390x/s390-virtio-ccw.c\n@@ -44,6 +44,7 @@\n #include \"target/s390x/kvm/pv.h\"\n #include \"migration/blocker.h\"\n #include \"qapi/visitor.h\"\n+#include \"qapi/qapi-visit-machine-s390x.h\"\n #include \"hw/s390x/cpu-topology.h\"\n #include \"kvm/kvm_s390x.h\"\n #include \"hw/virtio/virtio-md-pci.h\"\n@@ -788,6 +789,30 @@ static void machine_set_loadparm(Object *obj, Visitor *v,\n g_free(val);\n }\n \n+static void machine_get_boot_certs(Object *obj, Visitor *v,\n+ const char *name, void *opaque,\n+ Error **errp)\n+{\n+ S390CcwMachineState *ms = S390_CCW_MACHINE(obj);\n+ BootCertificatesList **certs = &ms->boot_certs;\n+\n+ visit_type_BootCertificatesList(v, name, certs, errp);\n+}\n+\n+static void machine_set_boot_certs(Object *obj, Visitor *v, const char *name,\n+ void *opaque, Error **errp)\n+{\n+ S390CcwMachineState *ms = S390_CCW_MACHINE(obj);\n+ BootCertificatesList *cert_list = NULL;\n+\n+ visit_type_BootCertificatesList(v, name, &cert_list, errp);\n+ if (!cert_list) {\n+ return;\n+ }\n+\n+ ms->boot_certs = cert_list;\n+}\n+\n static void ccw_machine_class_init(ObjectClass *oc, const void *data)\n {\n MachineClass *mc = MACHINE_CLASS(oc);\n@@ -841,6 +866,11 @@ static void ccw_machine_class_init(ObjectClass *oc, const void *data)\n \"Up to 8 chars in set of [A-Za-z0-9. ] (lower case chars converted\"\n \" to upper case) to pass to machine loader, boot manager,\"\n \" and guest kernel\");\n+\n+ object_class_property_add(oc, \"boot-certs\", \"BootCertificatesList\",\n+ machine_get_boot_certs, machine_set_boot_certs, NULL, NULL);\n+ object_class_property_set_description(oc, \"boot-certs\",\n+ \"provide paths to a directory and/or a certificate file for secure boot\");\n }\n \n static inline void s390_machine_initfn(Object *obj)\ndiff --git a/include/hw/s390x/s390-virtio-ccw.h b/include/hw/s390x/s390-virtio-ccw.h\nindex f1f06119d6..5ad1ea2f24 100644\n--- a/include/hw/s390x/s390-virtio-ccw.h\n+++ b/include/hw/s390x/s390-virtio-ccw.h\n@@ -14,6 +14,7 @@\n #include \"hw/core/boards.h\"\n #include \"qom/object.h\"\n #include \"hw/s390x/sclp.h\"\n+#include \"qapi/qapi-types-machine-s390x.h\"\n \n #define TYPE_S390_CCW_MACHINE \"s390-ccw-machine\"\n \n@@ -31,6 +32,7 @@ struct S390CcwMachineState {\n uint8_t loadparm[8];\n uint64_t memory_limit;\n uint64_t max_pagesize;\n+ BootCertificatesList *boot_certs;\n \n SCLPDevice *sclp;\n };\ndiff --git a/qapi/machine-s390x.json b/qapi/machine-s390x.json\nindex ea430e1b88..bbe3646e91 100644\n--- a/qapi/machine-s390x.json\n+++ b/qapi/machine-s390x.json\n@@ -140,3 +140,26 @@\n { 'event': 'SCLP_CPI_INFO_AVAILABLE',\n 'features': [ 'unstable' ]\n }\n+\n+##\n+# @BootCertificates:\n+#\n+# Boot certificates for secure IPL.\n+#\n+# @path: path to an X.509 certificate file or a directory containing\n+# certificate files.\n+#\n+# Since: 11.1\n+##\n+{ 'struct': 'BootCertificates',\n+ 'data': {'path': 'str'} }\n+\n+##\n+# @DummyBootCertificates:\n+#\n+# Not used by QMP; hack to let us use BootCertificatesList internally.\n+#\n+# Since: 11.1\n+##\n+{ 'struct': 'DummyBootCertificates',\n+ 'data': {'unused-boot-certs': ['BootCertificates'] } }\ndiff --git a/qapi/pragma.json b/qapi/pragma.json\nindex 24aebbe8f5..342cedc42e 100644\n--- a/qapi/pragma.json\n+++ b/qapi/pragma.json\n@@ -49,6 +49,7 @@\n 'DisplayProtocol',\n 'DriveBackupWrapper',\n 'DummyBlockCoreForceArrays',\n+ 'DummyBootCertificates',\n 'DummyForceArrays',\n 'DummyVirtioForceArrays',\n 'HotKeyMod',\ndiff --git a/qemu-options.hx b/qemu-options.hx\nindex 21972f8326..75e6c0f025 100644\n--- a/qemu-options.hx\n+++ b/qemu-options.hx\n@@ -45,7 +45,8 @@ DEF(\"machine\", HAS_ARG, QEMU_OPTION_machine, \\\n \" memory-backend='backend-id' specifies explicitly provided backend for main RAM (default=none)\\n\"\n \" cxl-fmw.0.targets.0=firsttarget,cxl-fmw.0.targets.1=secondtarget,cxl-fmw.0.size=size[,cxl-fmw.0.interleave-granularity=granularity]\\n\"\n \" sgx-epc.0.memdev=memid,sgx-epc.0.node=numaid\\n\"\n- \" smp-cache.0.cache=cachename,smp-cache.0.topology=topologylevel\\n\",\n+ \" smp-cache.0.cache=cachename,smp-cache.0.topology=topologylevel\\n\"\n+ \" boot-certs.0.path=/path/directory,boot-certs.1.path=/path/file provides paths to a directory and/or a certificate file\\n\",\n QEMU_ARCH_ALL)\n SRST\n ``-machine [type=]name[,prop=value[,...]]``\n@@ -209,6 +210,9 @@ SRST\n ::\n \n -machine smp-cache.0.cache=l1d,smp-cache.0.topology=core,smp-cache.1.cache=l1i,smp-cache.1.topology=core\n+\n+ ``boot-certs.0.path=/path/directory,boot-certs.1.path=/path/file``\n+ Provide paths to a directory and/or a certificate file on the host [s390x only].\n ERST\n \n DEF(\"M\", HAS_ARG, QEMU_OPTION_M,\n", "prefixes": [ "v10", "01/30" ] }