{"id":2219372,"url":"http://patchwork.ozlabs.org/api/1.0/patches/2219372/?format=json","project":{"id":14,"url":"http://patchwork.ozlabs.org/api/1.0/projects/14/?format=json","name":"QEMU Development","link_name":"qemu-devel","list_id":"qemu-devel.nongnu.org","list_email":"qemu-devel@nongnu.org","web_url":"","scm_url":"","webscm_url":""},"msgid":"<20260402221453.1602899-6-zycai@linux.ibm.com>","date":"2026-04-02T22:14:27","name":"[v10,05/30] s390x/diag: Introduce DIAG 320 for Certificate Store Facility","commit_ref":null,"pull_url":null,"state":"new","archived":false,"hash":"d1b52e2c4d25535cea63d5acd61785a7435db420","submitter":{"id":90643,"url":"http://patchwork.ozlabs.org/api/1.0/people/90643/?format=json","name":"Zhuoying Cai","email":"zycai@linux.ibm.com"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/qemu-devel/patch/20260402221453.1602899-6-zycai@linux.ibm.com/mbox/","series":[{"id":498557,"url":"http://patchwork.ozlabs.org/api/1.0/series/498557/?format=json","date":"2026-04-02T22:14:35","name":"Secure IPL Support for SCSI Scheme of virtio-blk/virtio-scsi Devices","version":10,"mbox":"http://patchwork.ozlabs.org/series/498557/mbox/"}],"check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/2219372/checks/","tags":{},"headers":{"From":"Zhuoying Cai <zycai@linux.ibm.com>","To":"qemu-s390x@nongnu.org, qemu-devel@nongnu.org","Cc":"jrossi@linux.ibm.com, cohuck@redhat.com, berrange@redhat.com,\n richard.henderson@linaro.org, pierrick.bouvier@linaro.org,\n david@kernel.org, walling@linux.ibm.com, jjherne@linux.ibm.com,\n pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com,\n mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com,\n armbru@redhat.com, zycai@linux.ibm.com, alifm@linux.ibm.com,\n brueckner@linux.ibm.com, jdaley@linux.ibm.com","Subject":"[PATCH v10 05/30] s390x/diag: Introduce DIAG 320 for Certificate\n Store Facility","Date":"Thu,  2 Apr 2026 18:14:27 -0400","Message-ID":"<20260402221453.1602899-6-zycai@linux.ibm.com>","X-Mailer":"git-send-email 2.53.0","In-Reply-To":"<20260402221453.1602899-1-zycai@linux.ibm.com>","References":"<20260402221453.1602899-1-zycai@linux.ibm.com>","MIME-Version":"1.0","Content-Transfer-Encoding":"8bit"},"content":"DIAGNOSE 320 is introduced to support Certificate Store (CS)\nFacility, which includes operations such as query certificate\nstorage information and provide certificates in the certificate\nstore.\n\nCurrently, only subcode 0 is supported with this patch, which is\nused to query the Installed Subcodes Mask (ISM).\n\nThis subcode is only supported when the CS facility is enabled.\n\nAvailability of CS facility is determined by byte 134 bit 5 of the\nSCLP Read Info block. 
Byte 134's facilities cannot be represented\nwithout the availability of the extended-length-SCCB, so add it as\na check for consistency.\n\nNote: secure IPL is not available for Secure Execution (SE) guests,\nas their images are already integrity protected, and an additional\nprotection of the kernel by secure IPL is not necessary.\n\nThis feature is available starting with the gen16 CPU model.\n\nSigned-off-by: Zhuoying Cai <zycai@linux.ibm.com>\nReviewed-by: Collin Walling <walling@linux.ibm.com>\nReviewed-by: Farhan Ali <alifm@linux.ibm.com>\nReviewed-by: Thomas Huth <thuth@redhat.com>\n---\n docs/specs/s390x-secure-ipl.rst     | 12 +++++++++\n include/hw/s390x/ipl/diag320.h      | 20 ++++++++++++++\n target/s390x/cpu_features.c         |  1 +\n target/s390x/cpu_features_def.h.inc |  1 +\n target/s390x/cpu_models.c           |  2 ++\n target/s390x/diag.c                 | 42 +++++++++++++++++++++++++++++\n target/s390x/gen-features.c         |  3 +++\n target/s390x/kvm/kvm.c              | 16 +++++++++++\n target/s390x/s390x-internal.h       |  2 ++\n target/s390x/tcg/misc_helper.c      |  7 +++++\n 10 files changed, 106 insertions(+)\n create mode 100644 include/hw/s390x/ipl/diag320.h","diff":"diff --git a/docs/specs/s390x-secure-ipl.rst b/docs/specs/s390x-secure-ipl.rst\nindex 7ddac98a37..96a8d0fb83 100644\n--- a/docs/specs/s390x-secure-ipl.rst\n+++ b/docs/specs/s390x-secure-ipl.rst\n@@ -14,3 +14,15 @@ and a summation of the sizes.\n \n Note: A maximum of 64 certificates are allowed to be stored in the certificate\n store.\n+\n+DIAGNOSE function code 'X'320' - Certificate Store Facility\n+-----------------------------------------------------------\n+\n+DIAGNOSE 'X'320' is used to provide support for guest code to directly\n+query the s390 certificate store. 
Guest code may be the s390-ccw BIOS or\n+the guest kernel.\n+\n+Subcode 0 - query installed subcodes\n+    Returns a 256-bit installed subcodes mask (ISM) stored in the installed\n+    subcodes block (ISB). This mask indicates which subcodes are currently\n+    installed and available for use.\ndiff --git a/include/hw/s390x/ipl/diag320.h b/include/hw/s390x/ipl/diag320.h\nnew file mode 100644\nindex 0000000000..aa04b699c6\n--- /dev/null\n+++ b/include/hw/s390x/ipl/diag320.h\n@@ -0,0 +1,20 @@\n+/*\n+ * S/390 DIAGNOSE 320 definitions and structures\n+ *\n+ * Copyright 2025 IBM Corp.\n+ * Author(s): Zhuoying Cai <zycai@linux.ibm.com>\n+ *\n+ * SPDX-License-Identifier: GPL-2.0-or-later\n+ */\n+\n+#ifndef S390X_DIAG320_H\n+#define S390X_DIAG320_H\n+\n+#define DIAG_320_SUBC_QUERY_ISM     0\n+\n+#define DIAG_320_RC_OK              0x0001\n+#define DIAG_320_RC_NOT_SUPPORTED   0x0102\n+\n+#define DIAG_320_ISM_QUERY_SUBCODES 0x80000000\n+\n+#endif\ndiff --git a/target/s390x/cpu_features.c b/target/s390x/cpu_features.c\nindex 4b5be6798e..436471f4b4 100644\n--- a/target/s390x/cpu_features.c\n+++ b/target/s390x/cpu_features.c\n@@ -147,6 +147,7 @@ void s390_fill_feat_block(const S390FeatBitmap features, S390FeatType type,\n         break;\n     case S390_FEAT_TYPE_SCLP_FAC134:\n         clear_be_bit(s390_feat_def(S390_FEAT_DIAG_318)->bit, data);\n+        clear_be_bit(s390_feat_def(S390_FEAT_CERT_STORE)->bit, data);\n         break;\n     default:\n         return;\ndiff --git a/target/s390x/cpu_features_def.h.inc b/target/s390x/cpu_features_def.h.inc\nindex c017bffcdc..2976ecd0ee 100644\n--- a/target/s390x/cpu_features_def.h.inc\n+++ b/target/s390x/cpu_features_def.h.inc\n@@ -138,6 +138,7 @@ DEF_FEAT(SIE_IBS, \"ibs\", SCLP_CONF_CHAR_EXT, 10, \"SIE: Interlock-and-broadcast-s\n \n /* Features exposed via SCLP SCCB Facilities byte 134 (bit numbers relative to byte-134) */\n DEF_FEAT(DIAG_318, \"diag318\", SCLP_FAC134, 0, \"Control program name and version 
codes\")\n+DEF_FEAT(CERT_STORE, \"cstore\", SCLP_FAC134, 5, \"Certificate Store functions\")\n \n /* Features exposed via SCLP CPU info. */\n DEF_FEAT(SIE_F2, \"sief2\", SCLP_CPU, 4, \"SIE: interception format 2 (Virtual SIE)\")\ndiff --git a/target/s390x/cpu_models.c b/target/s390x/cpu_models.c\nindex 0b88868289..962f135f42 100644\n--- a/target/s390x/cpu_models.c\n+++ b/target/s390x/cpu_models.c\n@@ -248,6 +248,7 @@ bool s390_has_feat(S390Feat feat)\n     if (s390_is_pv()) {\n         switch (feat) {\n         case S390_FEAT_DIAG_318:\n+        case S390_FEAT_CERT_STORE:\n         case S390_FEAT_HPMA2:\n         case S390_FEAT_SIE_F2:\n         case S390_FEAT_SIE_SKEY:\n@@ -505,6 +506,7 @@ static void check_consistency(const S390CPUModel *model)\n         { S390_FEAT_PTFF_STOUE, S390_FEAT_MULTIPLE_EPOCH },\n         { S390_FEAT_AP_QUEUE_INTERRUPT_CONTROL, S390_FEAT_AP },\n         { S390_FEAT_DIAG_318, S390_FEAT_EXTENDED_LENGTH_SCCB },\n+        { S390_FEAT_CERT_STORE, S390_FEAT_EXTENDED_LENGTH_SCCB },\n         { S390_FEAT_NNPA, S390_FEAT_VECTOR },\n         { S390_FEAT_RDP, S390_FEAT_LOCAL_TLB_CLEARING },\n         { S390_FEAT_UV_FEAT_AP, S390_FEAT_AP },\ndiff --git a/target/s390x/diag.c b/target/s390x/diag.c\nindex da44b0133e..6373544bb2 100644\n--- a/target/s390x/diag.c\n+++ b/target/s390x/diag.c\n@@ -18,6 +18,7 @@\n #include \"hw/watchdog/wdt_diag288.h\"\n #include \"system/cpus.h\"\n #include \"hw/s390x/ipl.h\"\n+#include \"hw/s390x/ipl/diag320.h\"\n #include \"hw/s390x/s390-virtio-ccw.h\"\n #include \"system/kvm.h\"\n #include \"kvm/kvm_s390x.h\"\n@@ -192,3 +193,44 @@ out:\n         break;\n     }\n }\n+\n+void handle_diag_320(CPUS390XState *env, uint64_t r1, uint64_t r3, uintptr_t ra)\n+{\n+    S390CPU *cpu = env_archcpu(env);\n+    uint64_t subcode = env->regs[r3];\n+    uint64_t addr = env->regs[r1];\n+\n+    if (env->psw.mask & PSW_MASK_PSTATE) {\n+        s390_program_interrupt(env, PGM_PRIVILEGED, ra);\n+        return;\n+    }\n+\n+    if 
(!s390_has_feat(S390_FEAT_CERT_STORE) ||\n+        (subcode & ~0x000ffULL) ||\n+        (r1 & 1)) {\n+        s390_program_interrupt(env, PGM_SPECIFICATION, ra);\n+        return;\n+    }\n+\n+\n+    switch (subcode) {\n+    case DIAG_320_SUBC_QUERY_ISM:\n+        /*\n+         * The Installed Subcode Block (ISB) can be up 8 words in size,\n+         * but the current set of subcodes can fit within a single word\n+         * for now.\n+         */\n+        uint32_t ism_word0 = cpu_to_be32(DIAG_320_ISM_QUERY_SUBCODES);\n+\n+        if (s390_cpu_virt_mem_write(cpu, addr, r1, &ism_word0, sizeof(ism_word0))) {\n+            s390_cpu_virt_mem_handle_exc(cpu, ra);\n+            return;\n+        }\n+\n+        env->regs[r1 + 1] = DIAG_320_RC_OK;\n+        break;\n+    default:\n+        env->regs[r1 + 1] = DIAG_320_RC_NOT_SUPPORTED;\n+        break;\n+    }\n+}\ndiff --git a/target/s390x/gen-features.c b/target/s390x/gen-features.c\nindex 8218e6470e..6c20c3a862 100644\n--- a/target/s390x/gen-features.c\n+++ b/target/s390x/gen-features.c\n@@ -720,6 +720,7 @@ static uint16_t full_GEN16_GA1[] = {\n     S390_FEAT_PAIE,\n     S390_FEAT_UV_FEAT_AP,\n     S390_FEAT_UV_FEAT_AP_INTR,\n+    S390_FEAT_CERT_STORE,\n };\n \n static uint16_t full_GEN17_GA1[] = {\n@@ -919,6 +920,8 @@ static uint16_t qemu_MAX[] = {\n     S390_FEAT_KIMD_SHA_512,\n     S390_FEAT_KLMD_SHA_512,\n     S390_FEAT_PRNO_TRNG,\n+    S390_FEAT_EXTENDED_LENGTH_SCCB,\n+    S390_FEAT_CERT_STORE,\n };\n \n /****** END FEATURE DEFS ******/\ndiff --git a/target/s390x/kvm/kvm.c b/target/s390x/kvm/kvm.c\nindex 54d28e37d4..fb7a99f380 100644\n--- a/target/s390x/kvm/kvm.c\n+++ b/target/s390x/kvm/kvm.c\n@@ -98,6 +98,7 @@\n #define DIAG_TIMEREVENT                 0x288\n #define DIAG_IPL                        0x308\n #define DIAG_SET_CONTROL_PROGRAM_CODES  0x318\n+#define DIAG_CERT_STORE                 0x320\n #define DIAG_KVM_HYPERCALL              0x500\n #define DIAG_KVM_BREAKPOINT             0x501\n \n@@ -1560,6 
+1561,16 @@ static void handle_diag_318(S390CPU *cpu, struct kvm_run *run)\n     }\n }\n \n+static void kvm_handle_diag_320(S390CPU *cpu, struct kvm_run *run)\n+{\n+    uint64_t r1, r3;\n+\n+    r1 = (run->s390_sieic.ipa & 0x00f0) >> 4;\n+    r3 = run->s390_sieic.ipa & 0x000f;\n+\n+    handle_diag_320(&cpu->env, r1, r3, RA_IGNORED);\n+}\n+\n #define DIAG_KVM_CODE_MASK 0x000000000000ffff\n \n static int handle_diag(S390CPU *cpu, struct kvm_run *run, uint32_t ipb)\n@@ -1590,6 +1601,9 @@ static int handle_diag(S390CPU *cpu, struct kvm_run *run, uint32_t ipb)\n     case DIAG_KVM_BREAKPOINT:\n         r = handle_sw_breakpoint(cpu, run);\n         break;\n+    case DIAG_CERT_STORE:\n+        kvm_handle_diag_320(cpu, run);\n+        break;\n     default:\n         trace_kvm_insn_diag(func_code);\n         kvm_s390_program_interrupt(cpu, PGM_SPECIFICATION);\n@@ -2488,6 +2502,8 @@ bool kvm_s390_get_host_cpu_model(S390CPUModel *model, Error **errp)\n         set_bit(S390_FEAT_DIAG_318, model->features);\n     }\n \n+    set_bit(S390_FEAT_CERT_STORE, model->features);\n+\n     /* Test for Ultravisor features that influence secure guest behavior */\n     query_uv_feat_guest(model->features);\n \ndiff --git a/target/s390x/s390x-internal.h b/target/s390x/s390x-internal.h\nindex 40850bcdc4..b16490bce6 100644\n--- a/target/s390x/s390x-internal.h\n+++ b/target/s390x/s390x-internal.h\n@@ -388,6 +388,8 @@ int mmu_translate_real(CPUS390XState *env, hwaddr raddr, int rw,\n int handle_diag_288(CPUS390XState *env, uint64_t r1, uint64_t r3);\n void handle_diag_308(CPUS390XState *env, uint64_t r1, uint64_t r3,\n                      uintptr_t ra);\n+void handle_diag_320(CPUS390XState *env, uint64_t r1, uint64_t r3,\n+                     uintptr_t ra);\n \n \n /* translate.c */\ndiff --git a/target/s390x/tcg/misc_helper.c b/target/s390x/tcg/misc_helper.c\nindex 1fd900fbbf..4d73475d95 100644\n--- a/target/s390x/tcg/misc_helper.c\n+++ b/target/s390x/tcg/misc_helper.c\n@@ -142,6 +142,13 @@ 
void HELPER(diag)(CPUS390XState *env, uint32_t r1, uint32_t r3, uint32_t num)\n         /* time bomb (watchdog) */\n         r = handle_diag_288(env, r1, r3);\n         break;\n+    case 0x320:\n+        /* cert store */\n+        bql_lock();\n+        handle_diag_320(env, r1, r3, GETPC());\n+        bql_unlock();\n+        r = 0;\n+        break;\n     default:\n         r = -1;\n         break;\n","prefixes":["v10","05/30"]}
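
Review bot: In docs/specs/s390x-secure-ipl.rst, the new section does not document the calling convention that handle_diag_320() enforces, and the quoting in "DIAGNOSE function code 'X'320'" is unbalanced (an extra leading quote, here and in the first sentence of the paragraph). Please write it as X'320' and add the interface details a guest author needs: r1 must be an even register holding the ISB address, r3 holds the subcode, the response code is returned in r1 + 1 (0x0001 for success, 0x0102 for an unsupported subcode), and the call raises a privileged-operation exception in problem state and a specification exception when the facility is absent, r1 is odd, or the subcode has bits set above the low byte.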
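
Review bot: In include/hw/s390x/ipl/diag320.h, DIAG_320_ISM_QUERY_SUBCODES is defined as 0x80000000 with no comment on how ISM bits map to subcodes. A one-line comment stating that the mask uses big-endian bit numbering (the most significant bit of word 0 stands for subcode 0) would make it clear how the next subcode's bit is to be derived. The DIAG_320_RC_* values would also benefit from a short comment saying they are response codes returned in r1 + 1.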
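
Review bot: In target/s390x/diag.c, handle_diag_320() declares "uint32_t ism_word0 = ..." directly under "case DIAG_320_SUBC_QUERY_ISM:" without a block; a declaration following a label is only valid from C23 on and is rejected or warned about by older compilers, so please wrap the case body in braces. In the same case, only sizeof(ism_word0) (4 bytes) is written to the guest, while the documentation added by this patch describes a 256-bit mask, so a guest that reads the whole ISB sees whatever its buffer held in words 1 to 7; consider writing a zero-initialised 32-byte block, or state in the comment and the docs that only word 0 is stored. Minor: the comment reads "can be up 8 words" (missing "to"), there is a doubled blank line before the switch, and the mask literal ~0x000ffULL would read more clearly as ~0xffULL.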
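
Review bot: In target/s390x/kvm/kvm.c, kvm_s390_get_host_cpu_model() now calls set_bit(S390_FEAT_CERT_STORE, model->features) unconditionally, whereas the S390_FEAT_DIAG_318 line just above it in the context sits inside a conditional block. If the reason is that DIAG 320 is handled entirely in QEMU and needs no host or kernel capability, please say so in a comment at that line, since the commit message states the feature is available starting with the gen16 CPU model and a reader will otherwise wonder how the host model behaves on older machines. A similar one-line comment in kvm_handle_diag_320() explaining why RA_IGNORED is passed would help readers who come from the TCG path, which passes GETPC().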