Patch Detail
get:
Show a patch.
patch:
Update a patch.
put:
Update a patch.
GET /api/1.0/patches/2219399/?format=api
{ "id": 2219399, "url": "http://patchwork.ozlabs.org/api/1.0/patches/2219399/?format=api", "project": { "id": 14, "url": "http://patchwork.ozlabs.org/api/1.0/projects/14/?format=api", "name": "QEMU Development", "link_name": "qemu-devel", "list_id": "qemu-devel.nongnu.org", "list_email": "qemu-devel@nongnu.org", "web_url": "", "scm_url": "", "webscm_url": "" }, "msgid": "<20260402221453.1602899-26-zycai@linux.ibm.com>", "date": "2026-04-02T22:14:47", "name": "[v10,25/30] pc-bios/s390-ccw: Handle true secure IPL mode", "commit_ref": null, "pull_url": null, "state": "new", "archived": false, "hash": "9cb1da8d4fb21b02e60ba190124560f885a1d345", "submitter": { "id": 90643, "url": "http://patchwork.ozlabs.org/api/1.0/people/90643/?format=api", "name": "Zhuoying Cai", "email": "zycai@linux.ibm.com" }, "delegate": null, "mbox": "http://patchwork.ozlabs.org/project/qemu-devel/patch/20260402221453.1602899-26-zycai@linux.ibm.com/mbox/", "series": [ { "id": 498557, "url": "http://patchwork.ozlabs.org/api/1.0/series/498557/?format=api", "date": "2026-04-02T22:14:35", "name": "Secure IPL Support for SCSI Scheme of virtio-blk/virtio-scsi Devices", "version": 10, "mbox": "http://patchwork.ozlabs.org/series/498557/mbox/" } ], "check": "pending", "checks": "http://patchwork.ozlabs.org/api/patches/2219399/checks/", "tags": {}, "headers": { "Return-Path": "<qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>", "X-Original-To": "incoming@patchwork.ozlabs.org", "Delivered-To": "patchwork-incoming@legolas.ozlabs.org", "Authentication-Results": [ "legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=ibm.com header.i=@ibm.com header.a=rsa-sha256\n header.s=pp1 header.b=XFE7Q3Xb;\n\tdkim-atps=neutral", "legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=nongnu.org\n (client-ip=209.51.188.17; helo=lists.gnu.org;\n envelope-from=qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org;\n receiver=patchwork.ozlabs.org)" ], "Received": [ "from lists.gnu.org (lists.gnu.org [209.51.188.17])\n\t(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fmx7v2HSnz1xtJ\n\tfor <incoming@patchwork.ozlabs.org>; Fri, 03 Apr 2026 09:18:19 +1100 (AEDT)", "from localhost ([::1] helo=lists1p.gnu.org)\n\tby lists.gnu.org with esmtp (Exim 4.90_1)\n\t(envelope-from <qemu-devel-bounces@nongnu.org>)\n\tid 1w8QL0-0002CJ-9B; Thu, 02 Apr 2026 18:16:30 -0400", "from eggs.gnu.org ([2001:470:142:3::10])\n by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)\n (Exim 4.90_1) (envelope-from <zycai@linux.ibm.com>)\n id 1w8QKh-00011i-Pe; Thu, 02 Apr 2026 18:16:14 -0400", "from mx0b-001b2d01.pphosted.com ([148.163.158.5])\n by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)\n (Exim 4.90_1) (envelope-from <zycai@linux.ibm.com>)\n id 1w8QKg-0004rP-5Y; Thu, 02 Apr 2026 18:16:11 -0400", "from pps.filterd (m0356516.ppops.net [127.0.0.1])\n by mx0a-001b2d01.pphosted.com (8.18.1.11/8.18.1.11) with ESMTP id\n 632HZ2lg197973; Thu, 2 Apr 2026 22:15:47 GMT", "from ppma11.dal12v.mail.ibm.com\n (db.9e.1632.ip4.static.sl-reverse.com [50.22.158.219])\n by mx0a-001b2d01.pphosted.com (PPS) with ESMTPS id 4d64dgx0s0-1\n (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT);\n Thu, 02 Apr 2026 22:15:46 +0000 (GMT)", "from pps.filterd (ppma11.dal12v.mail.ibm.com [127.0.0.1])\n by ppma11.dal12v.mail.ibm.com (8.18.1.2/8.18.1.2) with ESMTP id\n 632LjYda008698;\n Thu, 2 Apr 2026 22:15:46 GMT", "from smtprelay07.dal12v.mail.ibm.com ([172.16.1.9])\n by ppma11.dal12v.mail.ibm.com (PPS) with ESMTPS id 4d6v11upqu-1\n (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT);\n Thu, 02 Apr 2026 22:15:46 +0000", "from smtpav05.dal12v.mail.ibm.com (smtpav05.dal12v.mail.ibm.com\n [10.241.53.104])\n by smtprelay07.dal12v.mail.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id\n 632MFjt816974386\n (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK);\n Thu, 2 Apr 2026 22:15:45 GMT", "from smtpav05.dal12v.mail.ibm.com (unknown [127.0.0.1])\n by IMSVA (Postfix) with ESMTP id 0E3E158068;\n Thu, 2 Apr 2026 22:15:45 +0000 (GMT)", "from smtpav05.dal12v.mail.ibm.com (unknown [127.0.0.1])\n by IMSVA (Postfix) with ESMTP id AF52D5805D;\n Thu, 2 Apr 2026 22:15:43 +0000 (GMT)", "from fedora-workstation.ibmuc.com (unknown [9.61.183.185])\n by smtpav05.dal12v.mail.ibm.com (Postfix) with ESMTP;\n Thu, 2 Apr 2026 22:15:43 +0000 (GMT)" ], "DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed; d=ibm.com; h=cc\n :content-transfer-encoding:date:from:in-reply-to:message-id\n :mime-version:references:subject:to; s=pp1; bh=xD0NyiOEYKfeeAkZS\n BVAcIMf1mTeU2WRvnVkItdTzEY=; b=XFE7Q3XbmYE/rZPl4AUwXagFgIu5ZxUUA\n w2iuE5h8qZhXxXROhwJTQhF56TBQ1FH+63YExqL4tQZd+TmX/Pv9/IKV6QH5bz3M\n RlY+MCyqS1dBGCP2BlzANGBZL7TfyJlDR37uksR5ScNLhQ/DbruR9d0+ZoAl8Xf3\n A5wXeksFlAGF1anJ+9vYuX6t4vJSPRywU48rQoclF+7+pi+ZSoRtl3dhVqBSrs8V\n av7TNuCLZ4yqAaagxdmS7g+IdgLnPpV7pQt3Lh/Icd1Nke7PlNfANHsEeNNm3P7S\n 3LFgJbAOEuPjRbvYCsq+Up0Slhd9h7eP3wAIXjQESi2hznkMktbzw==", "From": "Zhuoying Cai <zycai@linux.ibm.com>", "To": "qemu-s390x@nongnu.org, qemu-devel@nongnu.org", "Cc": "jrossi@linux.ibm.com, cohuck@redhat.com, berrange@redhat.com,\n richard.henderson@linaro.org, pierrick.bouvier@linaro.org,\n david@kernel.org, walling@linux.ibm.com, jjherne@linux.ibm.com,\n pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com,\n mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com,\n armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com,\n brueckner@linux.ibm.com, jdaley@linux.ibm.com", "Subject": "[PATCH v10 25/30] pc-bios/s390-ccw: Handle true secure IPL mode", "Date": "Thu, 2 Apr 2026 18:14:47 -0400", "Message-ID": "<20260402221453.1602899-26-zycai@linux.ibm.com>", "X-Mailer": "git-send-email 2.53.0", "In-Reply-To": "<20260402221453.1602899-1-zycai@linux.ibm.com>", "References": "<20260402221453.1602899-1-zycai@linux.ibm.com>", "MIME-Version": "1.0", "Content-Transfer-Encoding": "8bit", "X-TM-AS-GCONF": "00", "X-Proofpoint-Spam-Details-Enc": "AW1haW4tMjYwNDAyMDE5NSBTYWx0ZWRfX47q3isLOiyi2\n QqRr9bwlHKrfz1NbqWJGfjtKB1TtHn4giwpuzpsxvFhgKIN8SV9g1RbjUA7fgg3e6IKVnapUpHb\n ZZS47MQWDTO324QZCphwg5NwqfvvQmtRCU51XWuCDTD5/YaY62gvl3j3Be0MpkAFxnI6p59xHKj\n RtBeo7Sffrh02M1dkaMvRwfhEc6MZ6nUZJvG10JYWtD0W44O//KGFMzC4Trx2pvfgXb1H1esPsm\n xiKWhepNb9zXinzMQar25F+cIA0g+RJnPZ2xfBK5ZiNDP4pQykuiWTx7thePhZ5lJSdEefcvI48\n 3edyBPE4W3RLaSknPIMXvvqNbY/s58zziE8j4zV2Y00Ln7jmZaXmgGUouCl6Jj7zZKWWvmydryD\n bQnc0Oyn3dQmt3Frnngl41wV97UMxr/N9D0yP7LwnDOfgITHHqzstfJfV2PTsemqRu5DI8qHdNI\n e5MMgOnQNg3OJWTh6Sw==", "X-Authority-Analysis": "v=2.4 cv=QKZlhwLL c=1 sm=1 tr=0 ts=69ceea93 cx=c_pps\n a=aDMHemPKRhS1OARIsFnwRA==:117 a=aDMHemPKRhS1OARIsFnwRA==:17\n a=A5OVakUREuEA:10 a=VkNPw1HP01LnGYTKEx00:22 a=RnoormkPH1_aCDwRdu11:22\n a=Y2IxJ9c9Rs8Kov3niI8_:22 a=VnNF1IyMAAAA:8 a=k4r5r3Nqz0X3HBfsuYAA:9", "X-Proofpoint-GUID": "RWHRqV86FhhO1wpkP8WmnPfNWq6aaAay", "X-Proofpoint-ORIG-GUID": "RWHRqV86FhhO1wpkP8WmnPfNWq6aaAay", "X-Proofpoint-Virus-Version": "vendor=baseguard\n engine=ICAP:2.0.293,Aquarius:18.0.1143,Hydra:6.1.51,FMLib:17.12.100.49\n definitions=2026-04-02_04,2026-04-02_05,2025-10-01_01", "X-Proofpoint-Spam-Details": "rule=outbound_notspam policy=outbound score=0\n lowpriorityscore=0 phishscore=0 adultscore=0 impostorscore=0 clxscore=1015\n spamscore=0 bulkscore=0 priorityscore=1501 suspectscore=0 malwarescore=0\n classifier=typeunknown authscore=0 authtc= authcc= route=outbound adjust=0\n reason=mlx scancount=1 engine=8.22.0-2603050001 definitions=main-2604020195", "Received-SPF": "pass client-ip=148.163.158.5; envelope-from=zycai@linux.ibm.com;\n helo=mx0b-001b2d01.pphosted.com", "X-Spam_score_int": "-26", "X-Spam_score": "-2.7", "X-Spam_bar": "--", "X-Spam_report": "(-2.7 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,\n DKIM_VALID=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7,\n RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001,\n RCVD_IN_VALIDITY_CERTIFIED_BLOCKED=0.001,\n RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001,\n SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no", "X-Spam_action": "no action", "X-BeenThere": "qemu-devel@nongnu.org", "X-Mailman-Version": "2.1.29", "Precedence": "list", "List-Id": "qemu development <qemu-devel.nongnu.org>", "List-Unsubscribe": "<https://lists.nongnu.org/mailman/options/qemu-devel>,\n <mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>", "List-Archive": "<https://lists.nongnu.org/archive/html/qemu-devel>", "List-Post": "<mailto:qemu-devel@nongnu.org>", "List-Help": "<mailto:qemu-devel-request@nongnu.org?subject=help>", "List-Subscribe": "<https://lists.nongnu.org/mailman/listinfo/qemu-devel>,\n <mailto:qemu-devel-request@nongnu.org?subject=subscribe>", "Errors-To": "qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org", "Sender": "qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org" }, "content": "When secure boot is enabled (-secure-boot on) and certificate(s) are\nprovided, the boot operates in True Secure IPL mode.\n\nAny verification error during True Secure IPL mode will cause the\nentire boot process to terminate.\n\nSecure IPL in audit mode requires at least one certificate provided in\nthe key store along with necessary facilities. If secure boot is enabled\nbut no certificate is provided, the boot process will also terminate, as\nthis is not a valid secure boot configuration.\n\nNote: True Secure IPL mode is implemented for the SCSI scheme of\nvirtio-blk/virtio-scsi devices.\n\nSigned-off-by: Zhuoying Cai <zycai@linux.ibm.com>\nReviewed-by: Collin Walling <walling@linux.ibm.com>\n---\n docs/system/s390x/secure-ipl.rst | 13 +++++++++++++\n pc-bios/s390-ccw/bootmap.c | 8 ++++++++\n pc-bios/s390-ccw/s390-ccw.h | 1 +\n pc-bios/s390-ccw/secure-ipl.c | 4 ++++\n pc-bios/s390-ccw/secure-ipl.h | 3 +++\n 5 files changed, 29 insertions(+)", "diff": "diff --git a/docs/system/s390x/secure-ipl.rst b/docs/system/s390x/secure-ipl.rst\nindex 2465f8b26d..e0af086c38 100644\n--- a/docs/system/s390x/secure-ipl.rst\n+++ b/docs/system/s390x/secure-ipl.rst\n@@ -65,3 +65,16 @@ Configuration:\n .. code-block:: shell\n \n qemu-system-s390x -machine s390-ccw-virtio,boot-certs.0.path=/.../qemu/certs,boot-certs.1.path=/another/path/cert.pem ...\n+\n+Secure Mode\n+-----------\n+\n+When the ``secure-boot=on`` option is set and certificates are provided,\n+a secure boot is performed with error reporting enabled. The boot process aborts\n+if any error occurs.\n+\n+Configuration:\n+\n+.. code-block:: shell\n+\n+ qemu-system-s390x -machine s390-ccw-virtio,secure-boot=on,boot-certs.0.path=/.../qemu/certs,boot-certs.1.path=/another/path/cert.pem ...\ndiff --git a/pc-bios/s390-ccw/bootmap.c b/pc-bios/s390-ccw/bootmap.c\nindex 1873a35511..bf8eee5ae0 100644\n--- a/pc-bios/s390-ccw/bootmap.c\n+++ b/pc-bios/s390-ccw/bootmap.c\n@@ -738,6 +738,7 @@ static int zipl_run(ScsiBlockPtr *pte)\n entry = (ComponentEntry *)(&header[1]);\n \n switch (boot_mode) {\n+ case ZIPL_BOOT_MODE_SECURE:\n case ZIPL_BOOT_MODE_SECURE_AUDIT:\n rc = zipl_run_secure(&entry, tmp_sec);\n break;\n@@ -1120,9 +1121,16 @@ ZiplBootMode get_boot_mode(uint8_t hdr_flags)\n {\n bool sipl_set = hdr_flags & DIAG308_IPIB_FLAGS_SIPL;\n bool iplir_set = hdr_flags & DIAG308_IPIB_FLAGS_IPLIR;\n+ VCStorageSizeBlock *vcssb;\n \n if (!sipl_set && iplir_set) {\n return ZIPL_BOOT_MODE_SECURE_AUDIT;\n+ } else if (sipl_set && iplir_set) {\n+ vcssb = zipl_secure_get_vcssb();\n+ if (vcssb == NULL || vcssb->length == VCSSB_NO_VC) {\n+ panic(\"Need at least one certificate for secure boot!\");\n+ }\n+ return ZIPL_BOOT_MODE_SECURE;\n }\n \n return ZIPL_BOOT_MODE_NORMAL;\ndiff --git a/pc-bios/s390-ccw/s390-ccw.h b/pc-bios/s390-ccw/s390-ccw.h\nindex e1a8097c95..8538663bd5 100644\n--- a/pc-bios/s390-ccw/s390-ccw.h\n+++ b/pc-bios/s390-ccw/s390-ccw.h\n@@ -91,6 +91,7 @@ void zipl_load(void);\n typedef enum ZiplBootMode {\n ZIPL_BOOT_MODE_NORMAL = 0,\n ZIPL_BOOT_MODE_SECURE_AUDIT = 1,\n+ ZIPL_BOOT_MODE_SECURE = 2,\n } ZiplBootMode;\n \n extern ZiplBootMode boot_mode;\ndiff --git a/pc-bios/s390-ccw/secure-ipl.c b/pc-bios/s390-ccw/secure-ipl.c\nindex d4e455ed0c..0befa6a8b3 100644\n--- a/pc-bios/s390-ccw/secure-ipl.c\n+++ b/pc-bios/s390-ccw/secure-ipl.c\n@@ -280,6 +280,10 @@ static bool check_sclab_presence(uint8_t *sclab_magic, uint32_t *cei_flags)\n *cei_flags |= S390_CEI_INVALID_SCLAB;\n \n /* a missing SCLAB will not be reported in audit mode */\n+ if (boot_mode == ZIPL_BOOT_MODE_SECURE) {\n+ zipl_secure_handle(\"Magic does not match. SCLAB does not exist\");\n+ }\n+\n return false;\n }\n \ndiff --git a/pc-bios/s390-ccw/secure-ipl.h b/pc-bios/s390-ccw/secure-ipl.h\nindex 75d1c8e046..039fcec516 100644\n--- a/pc-bios/s390-ccw/secure-ipl.h\n+++ b/pc-bios/s390-ccw/secure-ipl.h\n@@ -82,6 +82,9 @@ static inline void zipl_secure_handle(const char *message)\n case ZIPL_BOOT_MODE_SECURE_AUDIT:\n IPL_check(false, message);\n break;\n+ case ZIPL_BOOT_MODE_SECURE:\n+ panic(message);\n+ break;\n default:\n break;\n }\n", "prefixes": [ "v10", "25/30" ] }