Patch Detail
get:
Show a patch.
patch:
Update a patch.
put:
Update a patch.
GET /api/1.0/patches/2219388/?format=api
{ "id": 2219388, "url": "http://patchwork.ozlabs.org/api/1.0/patches/2219388/?format=api", "project": { "id": 14, "url": "http://patchwork.ozlabs.org/api/1.0/projects/14/?format=api", "name": "QEMU Development", "link_name": "qemu-devel", "list_id": "qemu-devel.nongnu.org", "list_email": "qemu-devel@nongnu.org", "web_url": "", "scm_url": "", "webscm_url": "" }, "msgid": "<20260402221453.1602899-29-zycai@linux.ibm.com>", "date": "2026-04-02T22:14:50", "name": "[v10,28/30] tests/functional/s390x: Add secure IPL functional test", "commit_ref": null, "pull_url": null, "state": "new", "archived": false, "hash": "3e66310b014c9b4623d5d053b3db333d37dcd59d", "submitter": { "id": 90643, "url": "http://patchwork.ozlabs.org/api/1.0/people/90643/?format=api", "name": "Zhuoying Cai", "email": "zycai@linux.ibm.com" }, "delegate": null, "mbox": "http://patchwork.ozlabs.org/project/qemu-devel/patch/20260402221453.1602899-29-zycai@linux.ibm.com/mbox/", "series": [ { "id": 498557, "url": "http://patchwork.ozlabs.org/api/1.0/series/498557/?format=api", "date": "2026-04-02T22:14:35", "name": "Secure IPL Support for SCSI Scheme of virtio-blk/virtio-scsi Devices", "version": 10, "mbox": "http://patchwork.ozlabs.org/series/498557/mbox/" } ], "check": "pending", "checks": "http://patchwork.ozlabs.org/api/patches/2219388/checks/", "tags": {}, "headers": { "Return-Path": "<qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>", "X-Original-To": "incoming@patchwork.ozlabs.org", "Delivered-To": "patchwork-incoming@legolas.ozlabs.org", "Authentication-Results": [ "legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=ibm.com header.i=@ibm.com header.a=rsa-sha256\n header.s=pp1 header.b=saUG9ksU;\n\tdkim-atps=neutral", "legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=nongnu.org\n (client-ip=209.51.188.17; helo=lists.gnu.org;\n envelope-from=qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org;\n receiver=patchwork.ozlabs.org)" ], "Received": [ "from lists.gnu.org (lists.gnu.org [209.51.188.17])\n\t(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fmx6r5L31z1xtJ\n\tfor <incoming@patchwork.ozlabs.org>; Fri, 03 Apr 2026 09:17:24 +1100 (AEDT)", "from localhost ([::1] helo=lists1p.gnu.org)\n\tby lists.gnu.org with esmtp (Exim 4.90_1)\n\t(envelope-from <qemu-devel-bounces@nongnu.org>)\n\tid 1w8QL4-0002lq-5x; Thu, 02 Apr 2026 18:16:34 -0400", "from eggs.gnu.org ([2001:470:142:3::10])\n by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)\n (Exim 4.90_1) (envelope-from <zycai@linux.ibm.com>)\n id 1w8QKt-0001PB-HM; Thu, 02 Apr 2026 18:16:25 -0400", "from mx0b-001b2d01.pphosted.com ([148.163.158.5])\n by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)\n (Exim 4.90_1) (envelope-from <zycai@linux.ibm.com>)\n id 1w8QKl-0004sP-2k; Thu, 02 Apr 2026 18:16:16 -0400", "from pps.filterd (m0360072.ppops.net [127.0.0.1])\n by mx0a-001b2d01.pphosted.com (8.18.1.11/8.18.1.11) with ESMTP id\n 632HiwKS346198; Thu, 2 Apr 2026 22:15:51 GMT", "from ppma12.dal12v.mail.ibm.com\n (dc.9e.1632.ip4.static.sl-reverse.com [50.22.158.220])\n by mx0a-001b2d01.pphosted.com (PPS) with ESMTPS id 4d66msdtgr-1\n (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT);\n Thu, 02 Apr 2026 22:15:51 +0000 (GMT)", "from pps.filterd (ppma12.dal12v.mail.ibm.com [127.0.0.1])\n by ppma12.dal12v.mail.ibm.com (8.18.1.2/8.18.1.2) with ESMTP id\n 632JAPs4021659;\n Thu, 2 Apr 2026 22:15:50 GMT", "from smtprelay04.dal12v.mail.ibm.com ([172.16.1.6])\n by ppma12.dal12v.mail.ibm.com (PPS) with ESMTPS id 4d6sasv3ac-1\n (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT);\n Thu, 02 Apr 2026 22:15:50 +0000", "from smtpav05.dal12v.mail.ibm.com (smtpav05.dal12v.mail.ibm.com\n [10.241.53.104])\n by smtprelay04.dal12v.mail.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id\n 632MFneY17105446\n (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK);\n Thu, 2 Apr 2026 22:15:49 GMT", "from smtpav05.dal12v.mail.ibm.com (unknown [127.0.0.1])\n by IMSVA (Postfix) with ESMTP id A9ADE58069;\n Thu, 2 Apr 2026 22:15:49 +0000 (GMT)", "from smtpav05.dal12v.mail.ibm.com (unknown [127.0.0.1])\n by IMSVA (Postfix) with ESMTP id 4429D58071;\n Thu, 2 Apr 2026 22:15:48 +0000 (GMT)", "from fedora-workstation.ibmuc.com (unknown [9.61.183.185])\n by smtpav05.dal12v.mail.ibm.com (Postfix) with ESMTP;\n Thu, 2 Apr 2026 22:15:48 +0000 (GMT)" ], "DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed; d=ibm.com; h=cc\n :content-transfer-encoding:date:from:in-reply-to:message-id\n :mime-version:references:subject:to; s=pp1; bh=fgo/QArjjHRRP4aPD\n LJUfA8TArlKTIxtYJFlrYdfzKI=; b=saUG9ksUe1stHJEtTdoC/4fbQZoxiMQkx\n oszptS258gnJ1UM01WLaKFamC5FavRlhQ7QrnoPDXj56hWp2brInC4YapVaP9uju\n kMArUhdKpVgh8mJ7nk08MSEaHFX7E/s9lq8wgSv2cA7TKnO1iT0CfHhZU187KINj\n mMsDLQSzc23aVYCypOS8YvbuLzqEWv7/H+pS/eHKVtME6waVwRgymBRIPSBuFtsB\n fCx+Dk1McHiS24WPnvWcTZ3Uj6OdfagSJ7EnpNB/sDmR5FWrUQsdZHWJDlTx40aL\n BsiqX5r9XXHtxmZq+726geMIRl2G397vXlbBD2RNLmChsh+GkcE3g==", "From": "Zhuoying Cai <zycai@linux.ibm.com>", "To": "qemu-s390x@nongnu.org, qemu-devel@nongnu.org", "Cc": "jrossi@linux.ibm.com, cohuck@redhat.com, berrange@redhat.com,\n richard.henderson@linaro.org, pierrick.bouvier@linaro.org,\n david@kernel.org, walling@linux.ibm.com, jjherne@linux.ibm.com,\n pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com,\n mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com,\n armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com,\n brueckner@linux.ibm.com, jdaley@linux.ibm.com", "Subject": "[PATCH v10 28/30] tests/functional/s390x: Add secure IPL functional\n test", "Date": "Thu, 2 Apr 2026 18:14:50 -0400", "Message-ID": "<20260402221453.1602899-29-zycai@linux.ibm.com>", "X-Mailer": "git-send-email 2.53.0", "In-Reply-To": "<20260402221453.1602899-1-zycai@linux.ibm.com>", "References": "<20260402221453.1602899-1-zycai@linux.ibm.com>", "MIME-Version": "1.0", "Content-Transfer-Encoding": "8bit", "X-TM-AS-GCONF": "00", "X-Authority-Analysis": "v=2.4 cv=J6enLQnS c=1 sm=1 tr=0 ts=69ceea97 cx=c_pps\n a=bLidbwmWQ0KltjZqbj+ezA==:117 a=bLidbwmWQ0KltjZqbj+ezA==:17\n a=A5OVakUREuEA:10 a=VkNPw1HP01LnGYTKEx00:22 a=RnoormkPH1_aCDwRdu11:22\n a=RzCfie-kr_QcCd8fBx8p:22 a=vTr9H3xdAAAA:8 a=VnNF1IyMAAAA:8 a=WP5zsaevAAAA:8\n a=gSyHUACR81Cq5hz7ILYA:9 a=t8Kx07QrZZTALmIZmm-o:22", "X-Proofpoint-Spam-Details-Enc": "AW1haW4tMjYwNDAyMDE5NSBTYWx0ZWRfX0sP/3tODmzhL\n W2r/PagT4Jvz79IL5bECH3xLlmHrvxUClcw6P7nrhJ7cPVuV84jMBasOQKyemRCc/EytWR0KKM0\n tFRiz6epHLi4u5ndEcFs3atQkmMrhzNMiIvO4ggsgAS0hEYUDeBA1RN+BUMBQO+MyiSNoItfIAb\n RxEkr30JGyWaj27s7y0V3VLs//rL27voX5gQ29i4WDeXAeq91fwO42ok4LpjugEFaZVAu9CECzN\n +XSVqeFDm0IDlfDMj/lhhhj4Plhb9/nEUG4fUfrv/h3qyP+DrXCu7cme+x09Umn64vDyK3/Wvfs\n oRh7KrvcUjeYs+03Ti0u0ZQqRgIal6lYmbNbjPCCfd/LnFKmR9OAtP9pPPnYTmX4veSuM8qyGco\n tScaE45OCXIfj45YwnsCuFXW5pQQFeKUmGc6fiGKvvycIaKWY0K6CnJEL23h5GCtQGwhze65U3I\n HD7byScXP5rdvMqUB8A==", "X-Proofpoint-GUID": "ZzPZ8HTMbVTaJ8wXhLyr_BUvgoOTwWjU", "X-Proofpoint-ORIG-GUID": "ZzPZ8HTMbVTaJ8wXhLyr_BUvgoOTwWjU", "X-Proofpoint-Virus-Version": "vendor=baseguard\n engine=ICAP:2.0.293,Aquarius:18.0.1143,Hydra:6.1.51,FMLib:17.12.100.49\n definitions=2026-04-02_04,2026-04-02_05,2025-10-01_01", "X-Proofpoint-Spam-Details": "rule=outbound_notspam policy=outbound score=0\n suspectscore=0 clxscore=1015 adultscore=0 priorityscore=1501 bulkscore=0\n phishscore=0 malwarescore=0 lowpriorityscore=0 spamscore=0 impostorscore=0\n classifier=typeunknown authscore=0 authtc= authcc= route=outbound adjust=0\n reason=mlx scancount=1 engine=8.22.0-2603050001 definitions=main-2604020195", "Received-SPF": "pass client-ip=148.163.158.5; envelope-from=zycai@linux.ibm.com;\n helo=mx0b-001b2d01.pphosted.com", "X-Spam_score_int": "-26", "X-Spam_score": "-2.7", "X-Spam_bar": "--", "X-Spam_report": "(-2.7 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,\n DKIM_VALID=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7,\n RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001,\n RCVD_IN_VALIDITY_CERTIFIED_BLOCKED=0.001,\n RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001,\n SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no", "X-Spam_action": "no action", "X-BeenThere": "qemu-devel@nongnu.org", "X-Mailman-Version": "2.1.29", "Precedence": "list", "List-Id": "qemu development <qemu-devel.nongnu.org>", "List-Unsubscribe": "<https://lists.nongnu.org/mailman/options/qemu-devel>,\n <mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>", "List-Archive": "<https://lists.nongnu.org/archive/html/qemu-devel>", "List-Post": "<mailto:qemu-devel@nongnu.org>", "List-Help": "<mailto:qemu-devel-request@nongnu.org?subject=help>", "List-Subscribe": "<https://lists.nongnu.org/mailman/listinfo/qemu-devel>,\n <mailto:qemu-devel-request@nongnu.org?subject=subscribe>", "Errors-To": "qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org", "Sender": "qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org" }, "content": "Add functional test for secure IPL.\n\nSigned-off-by: Zhuoying Cai <zycai@linux.ibm.com>\n---\n tests/functional/s390x/meson.build | 2 +\n tests/functional/s390x/test_secure_ipl.py | 148 ++++++++++++++++++++++\n 2 files changed, 150 insertions(+)\n create mode 100755 tests/functional/s390x/test_secure_ipl.py", "diff": "diff --git a/tests/functional/s390x/meson.build b/tests/functional/s390x/meson.build\nindex 0f03e1c9db..07191ec996 100644\n--- a/tests/functional/s390x/meson.build\n+++ b/tests/functional/s390x/meson.build\n@@ -2,6 +2,7 @@\n \n test_s390x_timeouts = {\n 'ccw_virtio' : 420,\n+ 'secure_ipl' : 280,\n }\n \n tests_s390x_system_quick = [\n@@ -13,6 +14,7 @@ tests_s390x_system_thorough = [\n 'ccw_virtio',\n 'pxelinux',\n 'replay',\n+ 'secure_ipl',\n 'topology',\n 'tuxrun',\n ]\ndiff --git a/tests/functional/s390x/test_secure_ipl.py b/tests/functional/s390x/test_secure_ipl.py\nnew file mode 100755\nindex 0000000000..0980daace1\n--- /dev/null\n+++ b/tests/functional/s390x/test_secure_ipl.py\n@@ -0,0 +1,148 @@\n+#!/usr/bin/env python3\n+#\n+# s390x Secure IPL functional test: validates secure-boot verification results\n+#\n+# SPDX-License-Identifier: GPL-2.0-or-later\n+\n+from subprocess import check_call, DEVNULL\n+\n+from qemu_test import QemuSystemTest, Asset, get_qemu_img\n+from qemu_test import exec_command_and_wait_for_pattern, exec_command\n+from qemu_test import wait_for_console_pattern, skipBigDataTest\n+\n+class S390xSecureIpl(QemuSystemTest):\n+ ASSET_F40_QCOW2 = Asset(\n+ ('https://archives.fedoraproject.org/pub/archive/'\n+ 'fedora-secondary/releases/40/Server/s390x/images/'\n+ 'Fedora-Server-KVM-40-1.14.s390x.qcow2'),\n+ '091c232a7301be14e19c76ce9a0c1cbd2be2c4157884a731e1fc4f89e7455a5f')\n+\n+ def __init__(self, *args, **kwargs):\n+ super().__init__(*args, **kwargs)\n+ self.root_password = None\n+ self.qcow2_path = None\n+ self.cert_path = None\n+ self.prompt = None\n+\n+ # Boot a temporary VM to set up secure IPL image:\n+ # - Create certificate\n+ # - Sign stage3 binary and kernel\n+ # - Run zipl\n+ # - Extract certificate\n+ def setup_s390x_secure_ipl(self):\n+ temp_vm = self.get_vm(name='sipl_setup')\n+ temp_vm.set_machine('s390-ccw-virtio')\n+\n+ asset_path = self.ASSET_F40_QCOW2.fetch()\n+ self.qcow2_path = self.scratch_file('f40.qcow2')\n+ qemu_img = get_qemu_img(self)\n+ check_call([qemu_img, 'create', '-f', 'qcow2', '-b', asset_path,\n+ '-F', 'qcow2', self.qcow2_path], stdout=DEVNULL, stderr=DEVNULL)\n+\n+ temp_vm.set_console()\n+ temp_vm.add_args('-nographic',\n+ '-accel', 'kvm',\n+ '-m', '1024',\n+ '-drive',\n+ f'id=drive0,if=none,format=qcow2,file={self.qcow2_path}',\n+ '-device', 'virtio-blk-ccw,drive=drive0,bootindex=1')\n+ temp_vm.launch()\n+\n+ # Initial root account setup (Fedora first boot screen)\n+ self.root_password = 'fedora40password'\n+ wait_for_console_pattern(self, 'Please make a selection from the above',\n+ vm=temp_vm)\n+ exec_command_and_wait_for_pattern(self, '4', 'Password:', vm=temp_vm)\n+ exec_command_and_wait_for_pattern(self, self.root_password,\n+ 'Password (confirm):', vm=temp_vm)\n+ exec_command_and_wait_for_pattern(self, self.root_password,\n+ 'Please make a selection from the above',\n+ vm=temp_vm)\n+\n+ # Login as root\n+ self.prompt = '[root@localhost ~]#'\n+ exec_command_and_wait_for_pattern(self, 'c', 'localhost login:', vm=temp_vm)\n+ exec_command_and_wait_for_pattern(self, 'root', 'Password:', vm=temp_vm)\n+ exec_command_and_wait_for_pattern(self, self.root_password, self.prompt,\n+ vm=temp_vm)\n+\n+ # Certificate generation\n+ exec_command_and_wait_for_pattern(self,\n+ 'openssl version', 'OpenSSL 3.2.1 30',\n+ vm=temp_vm)\n+ exec_command_and_wait_for_pattern(self,\n+ 'openssl req -new -x509 -newkey rsa:2048 '\n+ '-keyout mykey.pem -outform PEM -out mycert.pem '\n+ '-days 36500 -subj \"/CN=My Name/\" -nodes -verbose',\n+ 'Writing private key to \\'mykey.pem\\'', vm=temp_vm)\n+\n+ # Install kernel-devel (needed for sign-file)\n+ exec_command_and_wait_for_pattern(self,\n+ 'sudo dnf install kernel-devel-$(uname -r) -y',\n+ 'Complete!', vm=temp_vm)\n+ wait_for_console_pattern(self, self.prompt, vm=temp_vm)\n+ exec_command_and_wait_for_pattern(self,\n+ 'ls /usr/src/kernels/$(uname -r)/scripts/',\n+ 'sign-file', vm=temp_vm)\n+\n+ # Sign stage3 binary and kernel\n+ exec_command(self, '/usr/src/kernels/$(uname -r)/scripts/sign-file '\n+ 'sha256 mykey.pem mycert.pem /lib/s390-tools/stage3.bin',\n+ vm=temp_vm)\n+ wait_for_console_pattern(self, self.prompt, vm=temp_vm)\n+ exec_command(self, '/usr/src/kernels/$(uname -r)/scripts/sign-file '\n+ 'sha256 mykey.pem mycert.pem /boot/vmlinuz-$(uname -r)',\n+ vm=temp_vm)\n+ wait_for_console_pattern(self, self.prompt, vm=temp_vm)\n+\n+ # Run zipl to prepare for secure boot\n+ exec_command_and_wait_for_pattern(self, 'zipl --secure 1 -VV', 'Done.',\n+ vm=temp_vm)\n+\n+ # Extract certificate to host\n+ out = exec_command_and_wait_for_pattern(self, 'cat mycert.pem',\n+ '-----END CERTIFICATE-----',\n+ vm=temp_vm)\n+ # strip first line to avoid console echo artifacts\n+ cert = \"\\n\".join(out.decode(\"utf-8\").splitlines()[1:])\n+ self.log.info(\"%s\", cert)\n+\n+ self.cert_path = self.scratch_file(\"mycert.pem\")\n+\n+ with open(self.cert_path, 'w', encoding=\"utf-8\") as file_object:\n+ file_object.write(cert)\n+\n+ # Shutdown temp vm\n+ temp_vm.shutdown()\n+\n+ @skipBigDataTest()\n+ def test_s390x_secure_ipl(self):\n+ self.require_accelerator('kvm')\n+ self.setup_s390x_secure_ipl()\n+\n+ self.set_machine('s390-ccw-virtio')\n+\n+ self.vm.set_console()\n+ self.vm.add_args('-nographic',\n+ '-machine', 's390-ccw-virtio,secure-boot=on,'\n+ f'boot-certs.0.path={self.cert_path}',\n+ '-accel', 'kvm',\n+ '-m', '1024',\n+ '-drive',\n+ f'id=drive1,if=none,format=qcow2,file={self.qcow2_path}',\n+ '-device', 'virtio-blk-ccw,drive=drive1,bootindex=1')\n+ self.vm.launch()\n+\n+ # Expect two verified components\n+ verified_output = \"Verified component\"\n+ wait_for_console_pattern(self, verified_output)\n+ wait_for_console_pattern(self, verified_output)\n+\n+ # Login and verify the vm is booted using secure boot\n+ wait_for_console_pattern(self, 'localhost login:')\n+ exec_command_and_wait_for_pattern(self, 'root', 'Password:')\n+ exec_command_and_wait_for_pattern(self, self.root_password, self.prompt)\n+ exec_command_and_wait_for_pattern(self, 'cat /sys/firmware/ipl/secure', '1')\n+\n+if __name__ == '__main__':\n+ QemuSystemTest.main()\n", "prefixes": [ "v10", "28/30" ] }