{"id":2219370,"url":"http://patchwork.ozlabs.org/api/1.0/patches/2219370/?format=json","project":{"id":14,"url":"http://patchwork.ozlabs.org/api/1.0/projects/14/?format=json","name":"QEMU Development","link_name":"qemu-devel","list_id":"qemu-devel.nongnu.org","list_email":"qemu-devel@nongnu.org","web_url":"","scm_url":"","webscm_url":""},"msgid":"<20260402221453.1602899-14-zycai@linux.ibm.com>","date":"2026-04-02T22:14:35","name":"[v10,13/30] s390x/ipl: Introduce IPL Information Report Block (IIRB)","commit_ref":null,"pull_url":null,"state":"new","archived":false,"hash":"6b006964f409e99e1817d994ad447393e3a2f67d","submitter":{"id":90643,"url":"http://patchwork.ozlabs.org/api/1.0/people/90643/?format=json","name":"Zhuoying Cai","email":"zycai@linux.ibm.com"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/qemu-devel/patch/20260402221453.1602899-14-zycai@linux.ibm.com/mbox/","series":[{"id":498557,"url":"http://patchwork.ozlabs.org/api/1.0/series/498557/?format=json","date":"2026-04-02T22:14:35","name":"Secure IPL Support for SCSI Scheme of virtio-blk/virtio-scsi Devices","version":10,"mbox":"http://patchwork.ozlabs.org/series/498557/mbox/"}],"check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/2219370/checks/","tags":{},"headers":{"Return-Path":"","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=ibm.com header.i=@ibm.com header.a=rsa-sha256\n header.s=pp1 header.b=pKyBbg7b;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=nongnu.org\n (client-ip=209.51.188.17; helo=lists.gnu.org;\n envelope-from=qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org;\n receiver=patchwork.ozlabs.org)"],"Received":["from lists.gnu.org (lists.gnu.org [209.51.188.17])\n\t(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fmx5g33VXz1xtJ\n\tfor ; Fri, 03 Apr 2026 09:16:23 +1100 (AEDT)","from localhost ([::1] helo=lists1p.gnu.org)\n\tby lists.gnu.org with esmtp (Exim 4.90_1)\n\t(envelope-from )\n\tid 1w8QK8-0000q8-Jz; Thu, 02 Apr 2026 18:15:36 -0400","from eggs.gnu.org ([2001:470:142:3::10])\n by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)\n (Exim 4.90_1) (envelope-from )\n id 1w8QK6-0000pX-Gm; Thu, 02 Apr 2026 18:15:34 -0400","from mx0a-001b2d01.pphosted.com ([148.163.156.1])\n by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)\n (Exim 4.90_1) (envelope-from )\n id 1w8QK4-0004oV-OL; Thu, 02 Apr 2026 18:15:34 -0400","from pps.filterd (m0356517.ppops.net [127.0.0.1])\n by mx0a-001b2d01.pphosted.com (8.18.1.11/8.18.1.11) with ESMTP id\n 632EjTuh290829; Thu, 2 Apr 2026 22:15:29 GMT","from ppma21.wdc07v.mail.ibm.com\n (5b.69.3da9.ip4.static.sl-reverse.com [169.61.105.91])\n by mx0a-001b2d01.pphosted.com (PPS) with ESMTPS id 4d66q3es9n-1\n (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT);\n Thu, 02 Apr 2026 22:15:28 +0000 (GMT)","from pps.filterd (ppma21.wdc07v.mail.ibm.com [127.0.0.1])\n by ppma21.wdc07v.mail.ibm.com (8.18.1.2/8.18.1.2) with ESMTP id\n 632KsFQ8022266;\n Thu, 2 Apr 2026 22:15:27 GMT","from smtprelay04.wdc07v.mail.ibm.com ([172.16.1.71])\n by ppma21.wdc07v.mail.ibm.com (PPS) with ESMTPS id 4d6tanbw7d-1\n (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT);\n Thu, 02 Apr 2026 22:15:27 +0000","from smtpav05.dal12v.mail.ibm.com (smtpav05.dal12v.mail.ibm.com\n [10.241.53.104])\n by smtprelay04.wdc07v.mail.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id\n 632MFQAw37683754\n (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK);\n Thu, 2 Apr 2026 22:15:26 GMT","from smtpav05.dal12v.mail.ibm.com (unknown [127.0.0.1])\n by IMSVA (Postfix) with ESMTP id 124ED5806B;\n Thu, 2 Apr 2026 22:15:26 +0000 (GMT)","from smtpav05.dal12v.mail.ibm.com (unknown [127.0.0.1])\n by IMSVA (Postfix) with ESMTP id A4D565805D;\n Thu, 2 Apr 2026 22:15:24 +0000 (GMT)","from fedora-workstation.ibmuc.com (unknown [9.61.183.185])\n by smtpav05.dal12v.mail.ibm.com (Postfix) with ESMTP;\n Thu, 2 Apr 2026 22:15:24 +0000 (GMT)"],"DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed; d=ibm.com; h=cc\n :content-transfer-encoding:content-type:date:from:in-reply-to\n :message-id:mime-version:references:subject:to; s=pp1; bh=tGJnk2\n 1zM7+6e1mlclJsRkNicDbXkU5+lfrniVbZ4rk=; b=pKyBbg7btKmjq4GyhdBsjV\n T590UkXNfG9jsDjgV3UG+LxLiGN5BTpfBuDS3oNFJDB4nSchTagZYKrY3w8DBnQt\n +248s6hqmfSYt34l9FY+w+9enrdcnBdEiXOS4K+g5tjBXNL7+l60roDmPRFbGZQ1\n kfTxmEgW9QpLayr233umgXx0qL6csMAlDmrBjmEVsi/+sbIVCjdTSJoJamHhHA2E\n KeN/I6JMaq+a1asbqNGLsZHxRmmvVI8znd6hF2zf6A+NRuxrdT/fcVmX0Uyfr7/H\n bo1/efEyZApkMJqPWJUrtCnf46OFizGeRtkJ/7Mg4HUc0w/ThtXtzF/282yrFiSA\n ==","From":"Zhuoying Cai ","To":"qemu-s390x@nongnu.org, qemu-devel@nongnu.org","Cc":"jrossi@linux.ibm.com, cohuck@redhat.com, berrange@redhat.com,\n richard.henderson@linaro.org, pierrick.bouvier@linaro.org,\n david@kernel.org, walling@linux.ibm.com, jjherne@linux.ibm.com,\n pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com,\n mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com,\n armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com,\n brueckner@linux.ibm.com, jdaley@linux.ibm.com","Subject":"[PATCH v10 13/30] s390x/ipl: Introduce IPL Information Report Block\n (IIRB)","Date":"Thu, 2 Apr 2026 18:14:35 -0400","Message-ID":"<20260402221453.1602899-14-zycai@linux.ibm.com>","X-Mailer":"git-send-email 2.53.0","In-Reply-To":"<20260402221453.1602899-1-zycai@linux.ibm.com>","References":"<20260402221453.1602899-1-zycai@linux.ibm.com>","MIME-Version":"1.0","Content-Type":"text/plain; charset=UTF-8","Content-Transfer-Encoding":"8bit","X-TM-AS-GCONF":"00","X-Proofpoint-GUID":"3zHkXglPsMe4_GuI3J5yQ4RmHGz9SqoG","X-Authority-Analysis":"v=2.4 cv=frzRpV4f c=1 sm=1 tr=0 ts=69ceea80 cx=c_pps\n a=GFwsV6G8L6GxiO2Y/PsHdQ==:117 a=GFwsV6G8L6GxiO2Y/PsHdQ==:17\n a=IkcTkHD0fZMA:10 a=A5OVakUREuEA:10 a=VkNPw1HP01LnGYTKEx00:22\n a=RnoormkPH1_aCDwRdu11:22 a=U7nrCbtTmkRpXpFmAIza:22 a=VnNF1IyMAAAA:8\n a=1NTGDykL02WXTEG3Jz0A:9 a=3ZKOabzyN94A:10 a=QEXdDO2ut3YA:10","X-Proofpoint-ORIG-GUID":"3zHkXglPsMe4_GuI3J5yQ4RmHGz9SqoG","X-Proofpoint-Spam-Details-Enc":"AW1haW4tMjYwNDAyMDE5NSBTYWx0ZWRfXzHrIWDENPgkw\n /8Kl7ZKRsHlRIiGh5lUkK8TuGrlSHASgaJAhe0D7Qo2+PIj77Am6Dv9AKdS7zYy7l30j9Mnak2v\n 4nbpwGugJurvCfcujx1rAiw2U1JxXSbbdA0dkkQjH0tikdjJT8+87ac+9IsWSONC5QK0e4mIbnh\n 1Wja17p8h8KG1XOulh+qK92qBiMYj1M8RP/rPANoivxKEYAphaFi6Tr+YlLr9/Hwys9sZG2h+NN\n eISWfwulgQ2HzqhBHMMYL9UtVclcdX9u8CvNuH7lN5c9dz8rrvvCjanLQDK+/v/SEMc61+Ce5DV\n XFzg9Em+iZC6g5JBQCwd5ptjkCcKRysDwAV6gunix/Z1SBfzE8Qt+XGh1B056QjSgiqYPsvXnPO\n 4zW4V81SnbdOjjRYW9XddQ9TzQ3cOgT5G53CdGKBTJrPw3JhHdUL2A2Q2oq9Os9Z5CPfnGTGITF\n DjqsYyDjyBCOKh/C2eQ==","X-Proofpoint-Virus-Version":"vendor=baseguard\n engine=ICAP:2.0.293,Aquarius:18.0.1143,Hydra:6.1.51,FMLib:17.12.100.49\n definitions=2026-04-02_04,2026-04-02_05,2025-10-01_01","X-Proofpoint-Spam-Details":"rule=outbound_notspam policy=outbound score=0\n impostorscore=0 spamscore=0 priorityscore=1501 malwarescore=0 clxscore=1015\n lowpriorityscore=0 bulkscore=0 adultscore=0 suspectscore=0 phishscore=0\n classifier=typeunknown authscore=0 authtc= authcc= route=outbound adjust=0\n reason=mlx scancount=1 engine=8.22.0-2603050001 definitions=main-2604020195","Received-SPF":"pass client-ip=148.163.156.1; envelope-from=zycai@linux.ibm.com;\n helo=mx0a-001b2d01.pphosted.com","X-Spam_score_int":"-26","X-Spam_score":"-2.7","X-Spam_bar":"--","X-Spam_report":"(-2.7 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,\n DKIM_VALID=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7,\n RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001,\n RCVD_IN_VALIDITY_CERTIFIED_BLOCKED=0.001,\n RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001,\n SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no","X-Spam_action":"no action","X-BeenThere":"qemu-devel@nongnu.org","X-Mailman-Version":"2.1.29","Precedence":"list","List-Id":"qemu development ","List-Unsubscribe":",\n ","List-Archive":"","List-Post":"","List-Help":"","List-Subscribe":",\n ","Errors-To":"qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org","Sender":"qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org"},"content":"The IPL information report block (IIRB) contains information used\nto locate IPL records and to report the results of signature verification\nof one or more secure components of the load device.\n\nIIRB is stored immediately following the IPL Parameter Block. Results on\ncomponent verification in any case (failure or success) are stored.\n\nThe IIRB data is reserved and protected by the guest kernel during early\nboot to prevent it from being overwritten before the certificate data is\npermanently saved.\n\nSigned-off-by: Zhuoying Cai \nReviewed-by: Farhan Ali\nReviewed-by: Collin Walling \n---\n docs/specs/s390x-secure-ipl.rst | 21 ++++++++++++\n include/hw/s390x/ipl/qipl.h | 59 +++++++++++++++++++++++++++++++++\n 2 files changed, 80 insertions(+)","diff":"diff --git a/docs/specs/s390x-secure-ipl.rst b/docs/specs/s390x-secure-ipl.rst\nindex 0ea4522894..d82fb97d5d 100644\n--- a/docs/specs/s390x-secure-ipl.rst\n+++ b/docs/specs/s390x-secure-ipl.rst\n@@ -97,3 +97,24 @@ Subcode 1 - perform signature verification\n * ``0x0302``: PKCS#7 format signature is invalid\n * ``0x0402``: signature-verification failed\n * ``0x0502``: length of Diag508SigVerifBlock is invalid\n+\n+IPL Information Report Block\n+----------------------------\n+\n+The IPL Parameter Block (IPLPB), utilized for IPL operation, is extended with an\n+IPL Information Report Block (IIRB), which contains the results from secure IPL\n+operations such as:\n+\n+* component data\n+* verification results\n+* certificate data\n+\n+During early boot, the guest kernel reserves the memory region\n+containing the IIRB. This preserves the data while the guest kernel is\n+operating and during re-IPL.\n+\n+The guest kernel uses the contents in the IIRB for:\n+\n+* Boot logging: reports which components were loaded and verified.\n+* kexec operations: builds the next kernel’s IPL report from the existing one.\n+* Keying: installs IPL certificates into the platform trusted keyring.\ndiff --git a/include/hw/s390x/ipl/qipl.h b/include/hw/s390x/ipl/qipl.h\nindex ed1a91182a..7f91270255 100644\n--- a/include/hw/s390x/ipl/qipl.h\n+++ b/include/hw/s390x/ipl/qipl.h\n@@ -146,4 +146,63 @@ union IplParameterBlock {\n } QEMU_PACKED;\n typedef union IplParameterBlock IplParameterBlock;\n \n+struct IplInfoReportBlockHeader {\n+ uint32_t len;\n+ uint8_t flags;\n+ uint8_t reserved1[11];\n+};\n+typedef struct IplInfoReportBlockHeader IplInfoReportBlockHeader;\n+\n+struct IplInfoBlockHeader {\n+ uint32_t len;\n+ uint8_t type;\n+ uint8_t reserved1[11];\n+};\n+typedef struct IplInfoBlockHeader IplInfoBlockHeader;\n+\n+enum IplInfoBlockType {\n+ IPL_INFO_BLOCK_TYPE_CERTIFICATES = 1,\n+ IPL_INFO_BLOCK_TYPE_COMPONENTS = 2,\n+};\n+\n+struct IplSignatureCertificateEntry {\n+ uint64_t addr;\n+ uint64_t len;\n+};\n+typedef struct IplSignatureCertificateEntry IplSignatureCertificateEntry;\n+\n+struct IplSignatureCertificateList {\n+ IplInfoBlockHeader ipl_info_header;\n+ IplSignatureCertificateEntry cert_entries[MAX_CERTIFICATES];\n+};\n+typedef struct IplSignatureCertificateList IplSignatureCertificateList;\n+\n+#define S390_IPL_DEV_COMP_FLAG_SC 0x80\n+#define S390_IPL_DEV_COMP_FLAG_CSV 0x40\n+\n+struct IplDeviceComponentEntry {\n+ uint64_t addr;\n+ uint64_t len;\n+ uint8_t flags;\n+ uint8_t reserved1[5];\n+ uint16_t cert_index;\n+ uint8_t reserved2[8];\n+};\n+typedef struct IplDeviceComponentEntry IplDeviceComponentEntry;\n+\n+struct IplDeviceComponentList {\n+ IplInfoBlockHeader ipl_info_header;\n+ IplDeviceComponentEntry device_entries[MAX_CERTIFICATES];\n+};\n+typedef struct IplDeviceComponentList IplDeviceComponentList;\n+\n+#define COMP_LIST_MAX sizeof(IplDeviceComponentList)\n+#define CERT_LIST_MAX sizeof(IplSignatureCertificateList)\n+\n+struct IplInfoReportBlock {\n+ IplInfoReportBlockHeader hdr;\n+ uint8_t info_blks[COMP_LIST_MAX + CERT_LIST_MAX];\n+};\n+typedef struct IplInfoReportBlock IplInfoReportBlock;\n+\n #endif\n","prefixes":["v10","13/30"]}