GET /api/patches/2196093/?format=api
{ "id": 2196093, "url": "http://patchwork.ozlabs.org/api/patches/2196093/?format=api", "web_url": "http://patchwork.ozlabs.org/project/qemu-devel/patch/20260212204352.1044699-26-zycai@linux.ibm.com/", "project": { "id": 14, "url": "http://patchwork.ozlabs.org/api/projects/14/?format=api", "name": "QEMU Development", "link_name": "qemu-devel", "list_id": "qemu-devel.nongnu.org", "list_email": "qemu-devel@nongnu.org", "web_url": "", "scm_url": "", "webscm_url": "", "list_archive_url": "", "list_archive_url_format": "", "commit_url_format": "" }, "msgid": "<20260212204352.1044699-26-zycai@linux.ibm.com>", "list_archive_url": null, "date": "2026-02-12T20:43:46", "name": "[v8,25/30] pc-bios/s390-ccw: Handle true secure IPL mode", "commit_ref": null, "pull_url": null, "state": "new", "archived": false, "hash": "6414b52a79bb12fd94d73a874b21243cd03e3859", "submitter": { "id": 90643, "url": "http://patchwork.ozlabs.org/api/people/90643/?format=api", "name": "Zhuoying Cai", "email": "zycai@linux.ibm.com" }, "delegate": null, "mbox": "http://patchwork.ozlabs.org/project/qemu-devel/patch/20260212204352.1044699-26-zycai@linux.ibm.com/mbox/", "series": [ { "id": 492021, "url": "http://patchwork.ozlabs.org/api/series/492021/?format=api", "web_url": "http://patchwork.ozlabs.org/project/qemu-devel/list/?series=492021", "date": "2026-02-12T20:43:36", "name": "Secure IPL Support for SCSI Scheme of virtio-blk/virtio-scsi Devices", "version": 8, "mbox": "http://patchwork.ozlabs.org/series/492021/mbox/" } ], "comments": "http://patchwork.ozlabs.org/api/patches/2196093/comments/", "check": "pending", "checks": "http://patchwork.ozlabs.org/api/patches/2196093/checks/", "tags": {}, "related": [], "headers": { "Return-Path": "<qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>", "X-Original-To": "incoming@patchwork.ozlabs.org", "Delivered-To": "patchwork-incoming@legolas.ozlabs.org", "Authentication-Results": [ "legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) 
header.d=ibm.com header.i=@ibm.com header.a=rsa-sha256\n header.s=pp1 header.b=Ih/Fs46A;\n\tdkim-atps=neutral", "legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=nongnu.org\n (client-ip=209.51.188.17; helo=lists.gnu.org;\n envelope-from=qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org;\n receiver=patchwork.ozlabs.org)" ], "Received": [ "from lists.gnu.org (lists.gnu.org [209.51.188.17])\n\t(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fBnSR3XpRz1xpY\n\tfor <incoming@patchwork.ozlabs.org>; Fri, 13 Feb 2026 07:48:07 +1100 (AEDT)", "from localhost ([::1] helo=lists1p.gnu.org)\n\tby lists.gnu.org with esmtp (Exim 4.90_1)\n\t(envelope-from <qemu-devel-bounces@nongnu.org>)\n\tid 1vqdYn-0001fY-UO; Thu, 12 Feb 2026 15:45:13 -0500", "from eggs.gnu.org ([2001:470:142:3::10])\n by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)\n (Exim 4.90_1) (envelope-from <zycai@linux.ibm.com>)\n id 1vqdYl-0001di-U7; Thu, 12 Feb 2026 15:45:11 -0500", "from mx0a-001b2d01.pphosted.com ([148.163.156.1])\n by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)\n (Exim 4.90_1) (envelope-from <zycai@linux.ibm.com>)\n id 1vqdYk-0008Eq-4x; Thu, 12 Feb 2026 15:45:11 -0500", "from pps.filterd (m0360083.ppops.net [127.0.0.1])\n by mx0a-001b2d01.pphosted.com (8.18.1.11/8.18.1.11) with ESMTP id\n 61CIJ0xE462104; Thu, 12 Feb 2026 20:44:46 GMT", "from ppma13.dal12v.mail.ibm.com\n (dd.9e.1632.ip4.static.sl-reverse.com [50.22.158.221])\n by mx0a-001b2d01.pphosted.com (PPS) with ESMTPS id 4c696ur7xy-1\n (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT);\n Thu, 12 Feb 2026 20:44:46 +0000 (GMT)", "from pps.filterd (ppma13.dal12v.mail.ibm.com [127.0.0.1])\n by ppma13.dal12v.mail.ibm.com (8.18.1.2/8.18.1.2) with ESMTP id\n 61CHRXX3019336;\n Thu, 12 Feb 2026 20:44:45 GMT", "from smtprelay04.wdc07v.mail.ibm.com 
([172.16.1.71])\n by ppma13.dal12v.mail.ibm.com (PPS) with ESMTPS id 4c6hxkbyww-1\n (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT);\n Thu, 12 Feb 2026 20:44:45 +0000", "from smtpav06.wdc07v.mail.ibm.com (smtpav06.wdc07v.mail.ibm.com\n [10.39.53.233])\n by smtprelay04.wdc07v.mail.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id\n 61CKih2w41222676\n (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK);\n Thu, 12 Feb 2026 20:44:43 GMT", "from smtpav06.wdc07v.mail.ibm.com (unknown [127.0.0.1])\n by IMSVA (Postfix) with ESMTP id 5ED035804E;\n Thu, 12 Feb 2026 20:44:43 +0000 (GMT)", "from smtpav06.wdc07v.mail.ibm.com (unknown [127.0.0.1])\n by IMSVA (Postfix) with ESMTP id 8C3C858054;\n Thu, 12 Feb 2026 20:44:41 +0000 (GMT)", "from fedora-workstation.ibmuc.com (unknown [9.61.112.15])\n by smtpav06.wdc07v.mail.ibm.com (Postfix) with ESMTP;\n Thu, 12 Feb 2026 20:44:41 +0000 (GMT)" ], "DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed; d=ibm.com; h=cc\n :content-transfer-encoding:date:from:in-reply-to:message-id\n :mime-version:references:subject:to; s=pp1; bh=sJlDmEVzqk18K10Pp\n AMkOQDM7T7FDhqU6WidqRyAs+M=; b=Ih/Fs46AquMlH0Sf1vL82CNRpM0kvPq4Q\n 9iS4SYzVOtAxM5m4c+wbQng+gx7XkEs9VZ/o813hWrHeVnUrTEkyjUmiaEOBxrSu\n 7fC0/ZMCgDtz+aXKmh0uTHf88O6KPj8lQGv+QyuF0nVg+3GzJFYWvCCnhFOQVhOB\n AiUZfkzAtysGxAKh84+XnM7a8+K4mRPvDWu3LnKrGIrJ3eZ7dYBqePhs/EUkeefi\n E7bp5vY51nuYJTAuH6AkBjo7p6LG7330UlQlSgPgNep4A/bLxYKFYuv35vvkKuoF\n Iny9m7Dx41MZbdi73ArzUo9b5iN/TdWuLApw5/+NGGPAPWy7Ltj3Q==", "From": "Zhuoying Cai <zycai@linux.ibm.com>", "To": "thuth@redhat.com, berrange@redhat.com, richard.henderson@linaro.org,\n jrossi@linux.ibm.com, qemu-s390x@nongnu.org, qemu-devel@nongnu.org", "Cc": "david@kernel.org, walling@linux.ibm.com, jjherne@linux.ibm.com,\n pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com,\n mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com,\n armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com,\n 
brueckner@linux.ibm.com", "Subject": "[PATCH v8 25/30] pc-bios/s390-ccw: Handle true secure IPL mode", "Date": "Thu, 12 Feb 2026 15:43:46 -0500", "Message-ID": "<20260212204352.1044699-26-zycai@linux.ibm.com>", "X-Mailer": "git-send-email 2.52.0", "In-Reply-To": "<20260212204352.1044699-1-zycai@linux.ibm.com>", "References": "<20260212204352.1044699-1-zycai@linux.ibm.com>", "MIME-Version": "1.0", "Content-Transfer-Encoding": "8bit", "X-TM-AS-GCONF": "00", "X-Authority-Analysis": "v=2.4 cv=KZnfcAYD c=1 sm=1 tr=0 ts=698e3bbe cx=c_pps\n a=AfN7/Ok6k8XGzOShvHwTGQ==:117 a=AfN7/Ok6k8XGzOShvHwTGQ==:17\n a=HzLeVaNsDn8A:10 a=VkNPw1HP01LnGYTKEx00:22 a=Mpw57Om8IfrbqaoTuvik:22\n a=GgsMoib0sEa3-_RKJdDe:22 a=VnNF1IyMAAAA:8 a=k4r5r3Nqz0X3HBfsuYAA:9", "X-Proofpoint-Spam-Details-Enc": "AW1haW4tMjYwMjEyMDE1NyBTYWx0ZWRfX1dITRvjDQjo8\n 4TNKmqlds/G8MvbhpmANuJquuvLeLl2T8x/Ra3hU6O1GlGf+btFHHPItx7hGAvXwbpeqkpphXSd\n rAXkOiQVs69kGQiKu/qNTER+7Ec2BuHIvt/o3phhIHUMp52tfWDIqoj3hjmdRSIuYI8R2Cs98Ar\n oI8gt6u2LmFtE8thJPr07nPba4W2iq6/4pZLG0rPc2c+dkMgXly+dNcvD0mTPVRhk0F4x0NaunE\n Cr17pExU9K+9mF+/ISgQI7Zmqk2cVBCm7BOuioUi6fg0g1+e3VDqdIFp/J59W8059L0ETcaL3Dd\n 9lj54ZSzw2L6btME1yrpXrqLDXgVf/NiQMuw3jQOQxeM5BculNQYaRF28vMnbYNWz9nOmIOU2cG\n 4aA3OT5W5mpCTyAkLD2PzoYK/pDcfRpT+hsNEUZw5StL9uEwwCqhE0SsZkiyw+Z0cQ4WEbPenKr\n f6FrmF6cCR9PPaMInXw==", "X-Proofpoint-ORIG-GUID": "U5UsW-G73wLOf4neOaleb8y8VaqCtZ0m", "X-Proofpoint-GUID": "U5UsW-G73wLOf4neOaleb8y8VaqCtZ0m", "X-Proofpoint-Virus-Version": "vendor=baseguard\n engine=ICAP:2.0.293,Aquarius:18.0.1121,Hydra:6.1.51,FMLib:17.12.100.49\n definitions=2026-02-12_05,2026-02-12_03,2025-10-01_01", "X-Proofpoint-Spam-Details": "rule=outbound_notspam policy=outbound score=0\n spamscore=0 impostorscore=0 bulkscore=0 priorityscore=1501 adultscore=0\n clxscore=1015 suspectscore=0 phishscore=0 malwarescore=0 lowpriorityscore=0\n classifier=typeunknown authscore=0 authtc= authcc= route=outbound adjust=0\n reason=mlx scancount=1 engine=8.22.0-2601150000 
definitions=main-2602120157", "Received-SPF": "pass client-ip=148.163.156.1; envelope-from=zycai@linux.ibm.com;\n helo=mx0a-001b2d01.pphosted.com", "X-Spam_score_int": "-19", "X-Spam_score": "-2.0", "X-Spam_bar": "--", "X-Spam_report": "(-2.0 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,\n DKIM_VALID=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001,\n RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001,\n RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001,\n SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no", "X-Spam_action": "no action", "X-BeenThere": "qemu-devel@nongnu.org", "X-Mailman-Version": "2.1.29", "Precedence": "list", "List-Id": "qemu development <qemu-devel.nongnu.org>", "List-Unsubscribe": "<https://lists.nongnu.org/mailman/options/qemu-devel>,\n <mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>", "List-Archive": "<https://lists.nongnu.org/archive/html/qemu-devel>", "List-Post": "<mailto:qemu-devel@nongnu.org>", "List-Help": "<mailto:qemu-devel-request@nongnu.org?subject=help>", "List-Subscribe": "<https://lists.nongnu.org/mailman/listinfo/qemu-devel>,\n <mailto:qemu-devel-request@nongnu.org?subject=subscribe>", "Errors-To": "qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org", "Sender": "qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org" }, "content": "When secure boot is enabled (-secure-boot on) and certificate(s) are\nprovided, the boot operates in True Secure IPL mode.\n\nAny verification error during True Secure IPL mode will cause the\nentire boot process to terminate.\n\nSecure IPL in audit mode requires at least one certificate provided in\nthe key store along with necessary facilities. 
If secure boot is enabled\nbut no certificate is provided, the boot process will also terminate, as\nthis is not a valid secure boot configuration.\n\nNote: True Secure IPL mode is implemented for the SCSI scheme of\nvirtio-blk/virtio-scsi devices.\n\nSigned-off-by: Zhuoying Cai <zycai@linux.ibm.com>\n---\n docs/system/s390x/secure-ipl.rst | 13 +++++++++++++\n pc-bios/s390-ccw/bootmap.c | 11 +++++++++++\n pc-bios/s390-ccw/main.c | 3 +++\n pc-bios/s390-ccw/s390-ccw.h | 2 ++\n pc-bios/s390-ccw/secure-ipl.c | 4 ++++\n pc-bios/s390-ccw/secure-ipl.h | 3 +++\n 6 files changed, 36 insertions(+)", "diff": "diff --git a/docs/system/s390x/secure-ipl.rst b/docs/system/s390x/secure-ipl.rst\nindex 2465f8b26d..e0af086c38 100644\n--- a/docs/system/s390x/secure-ipl.rst\n+++ b/docs/system/s390x/secure-ipl.rst\n@@ -65,3 +65,16 @@ Configuration:\n .. code-block:: shell\n \n qemu-system-s390x -machine s390-ccw-virtio,boot-certs.0.path=/.../qemu/certs,boot-certs.1.path=/another/path/cert.pem ...\n+\n+Secure Mode\n+-----------\n+\n+When the ``secure-boot=on`` option is set and certificates are provided,\n+a secure boot is performed with error reporting enabled. The boot process aborts\n+if any error occurs.\n+\n+Configuration:\n+\n+.. 
code-block:: shell\n+\n+ qemu-system-s390x -machine s390-ccw-virtio,secure-boot=on,boot-certs.0.path=/.../qemu/certs,boot-certs.1.path=/another/path/cert.pem ...\ndiff --git a/pc-bios/s390-ccw/bootmap.c b/pc-bios/s390-ccw/bootmap.c\nindex 43a661325f..699ef981e2 100644\n--- a/pc-bios/s390-ccw/bootmap.c\n+++ b/pc-bios/s390-ccw/bootmap.c\n@@ -738,12 +738,16 @@ static int zipl_run(ScsiBlockPtr *pte)\n entry = (ComponentEntry *)(&header[1]);\n \n switch (boot_mode) {\n+ case ZIPL_BOOT_MODE_SECURE:\n case ZIPL_BOOT_MODE_SECURE_AUDIT:\n rc = zipl_run_secure(&entry, tmp_sec);\n break;\n case ZIPL_BOOT_MODE_NORMAL:\n rc = zipl_run_normal(&entry, tmp_sec);\n break;\n+ case ZIPL_BOOT_MODE_INVALID:\n+ rc = -1;\n+ break;\n default:\n puts(\"Unknown boot mode\");\n rc = -1;\n@@ -1120,9 +1124,16 @@ ZiplBootMode get_boot_mode(uint8_t hdr_flags)\n {\n bool sipl_set = hdr_flags & DIAG308_IPIB_FLAGS_SIPL;\n bool iplir_set = hdr_flags & DIAG308_IPIB_FLAGS_IPLIR;\n+ VCStorageSizeBlock *vcssb;\n \n if (!sipl_set && iplir_set) {\n return ZIPL_BOOT_MODE_SECURE_AUDIT;\n+ } else if (sipl_set && iplir_set) {\n+ vcssb = zipl_secure_get_vcssb();\n+ if (vcssb == NULL || vcssb->length == VCSSB_NO_VC) {\n+ return ZIPL_BOOT_MODE_INVALID;\n+ }\n+ return ZIPL_BOOT_MODE_SECURE;\n }\n \n return ZIPL_BOOT_MODE_NORMAL;\ndiff --git a/pc-bios/s390-ccw/main.c b/pc-bios/s390-ccw/main.c\nindex 106cdf9dec..1678ede8fb 100644\n--- a/pc-bios/s390-ccw/main.c\n+++ b/pc-bios/s390-ccw/main.c\n@@ -329,6 +329,9 @@ void main(void)\n }\n \n boot_mode = get_boot_mode(iplb->hdr_flags);\n+ if (boot_mode == ZIPL_BOOT_MODE_INVALID) {\n+ panic(\"Need at least one certificate for secure boot!\");\n+ }\n \n while (have_iplb) {\n boot_setup();\ndiff --git a/pc-bios/s390-ccw/s390-ccw.h b/pc-bios/s390-ccw/s390-ccw.h\nindex 8dbfb846d2..4038d5007b 100644\n--- a/pc-bios/s390-ccw/s390-ccw.h\n+++ b/pc-bios/s390-ccw/s390-ccw.h\n@@ -83,8 +83,10 @@ int virtio_read(unsigned long sector, void *load_addr);\n void zipl_load(void);\n \n 
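Review bot: In get_boot_mode(), the combination `sipl_set && !iplir_set` still falls through to `return ZIPL_BOOT_MODE_NORMAL;`, so a header with the secure-IPL flag set but IPLIR clear would boot without verification. Whether that combination can reach the BIOS is not visible in this patch, but a secure-boot mode selector is safer failing closed, e.g. `if (sipl_set && !iplir_set) { return ZIPL_BOOT_MODE_INVALID; }` ahead of the final return. A short comment above the chain listing the four flag combinations and the mode each maps to would make the intended policy reviewable.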
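Review bot: The panic text in main() names only one of the causes of `ZIPL_BOOT_MODE_INVALID`: get_boot_mode() also returns it when `zipl_secure_get_vcssb()` yields NULL, which may be a failed query rather than an empty certificate store (the helper is not shown in this patch). A message that covers both, such as `panic("Secure boot requested but no usable certificate store!");`, would keep the console diagnostic accurate for whoever has to debug a refused boot. main()'s body continues outside the hunk.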
typedef enum ZiplBootMode {\n+ ZIPL_BOOT_MODE_INVALID = -1,\n ZIPL_BOOT_MODE_NORMAL = 0,\n ZIPL_BOOT_MODE_SECURE_AUDIT = 1,\n+ ZIPL_BOOT_MODE_SECURE = 2,\n } ZiplBootMode;\n \n extern ZiplBootMode boot_mode;\ndiff --git a/pc-bios/s390-ccw/secure-ipl.c b/pc-bios/s390-ccw/secure-ipl.c\nindex 54e41ec11c..3dfac62ccf 100644\n--- a/pc-bios/s390-ccw/secure-ipl.c\n+++ b/pc-bios/s390-ccw/secure-ipl.c\n@@ -289,6 +289,10 @@ static bool check_sclab_presence(uint8_t *sclab_magic,\n }\n \n /* a missing SCLAB will not be reported in audit mode */\n+ if (boot_mode == ZIPL_BOOT_MODE_SECURE) {\n+ zipl_secure_handle(\"Magic does not match. SCLAB does not exist\");\n+ }\n+\n return false;\n }\n \ndiff --git a/pc-bios/s390-ccw/secure-ipl.h b/pc-bios/s390-ccw/secure-ipl.h\nindex 4e9f4f08b9..1e736d53fe 100644\n--- a/pc-bios/s390-ccw/secure-ipl.h\n+++ b/pc-bios/s390-ccw/secure-ipl.h\n@@ -60,6 +60,9 @@ static inline void zipl_secure_handle(const char *message)\n case ZIPL_BOOT_MODE_SECURE_AUDIT:\n IPL_check(false, message);\n break;\n+ case ZIPL_BOOT_MODE_SECURE:\n+ panic(message);\n+ break;\n default:\n break;\n }\n", "prefixes": [ "v8", "25/30" ] }
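Review bot: In check_sclab_presence(), the existing comment `/* a missing SCLAB will not be reported in audit mode */` now sits directly above a branch that reports exactly that case in secure mode, so it reads as a contradiction. I would reword it to `/* a missing SCLAB is fatal in secure mode and is not reported in audit mode */`. The `return false;` that follows is reached in secure mode only if `zipl_secure_handle()` returns, which the comment could also state. The function starts outside the hunk.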
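Review bot: In zipl_secure_handle(), every mode without its own case, including the new `ZIPL_BOOT_MODE_INVALID`, still lands on `default: break;` and so silently ignores the verification failure. main() panics on INVALID before this can run, but an enforcement helper is more robust when the permissive path is the explicit one: `case ZIPL_BOOT_MODE_NORMAL: break;` with `default: panic(message);`. Whether NORMAL mode ever calls this helper is not visible in the hunk, so confirm that before changing the default. Enforcement also depends on `panic()` not returning; a one-line comment saying so would help readers of the callers.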