{"id":2233185,"url":"http://patchwork.ozlabs.org/api/1.2/patches/2233185/?format=json","web_url":"http://patchwork.ozlabs.org/project/qemu-devel/patch/20260505201905.997996-33-zycai@linux.ibm.com/","project":{"id":14,"url":"http://patchwork.ozlabs.org/api/1.2/projects/14/?format=json","name":"QEMU Development","link_name":"qemu-devel","list_id":"qemu-devel.nongnu.org","list_email":"qemu-devel@nongnu.org","web_url":"","scm_url":"","webscm_url":"","list_archive_url":"","list_archive_url_format":"","commit_url_format":""},"msgid":"<20260505201905.997996-33-zycai@linux.ibm.com>","list_archive_url":null,"date":"2026-05-05T20:19:04","name":"[v11,32/32] docs/system/s390x: Add secure IPL documentation","commit_ref":null,"pull_url":null,"state":"new","archived":false,"hash":"0d2deb4ab0c7bc6b6cd0b1eb8e8ed76166d67c4e","submitter":{"id":90643,"url":"http://patchwork.ozlabs.org/api/1.2/people/90643/?format=json","name":"Zhuoying Cai","email":"zycai@linux.ibm.com"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/qemu-devel/patch/20260505201905.997996-33-zycai@linux.ibm.com/mbox/","series":[{"id":502896,"url":"http://patchwork.ozlabs.org/api/1.2/series/502896/?format=json","web_url":"http://patchwork.ozlabs.org/project/qemu-devel/list/?series=502896","date":"2026-05-05T20:18:37","name":"Secure IPL Support for SCSI Scheme of virtio-blk/virtio-scsi Devices","version":11,"mbox":"http://patchwork.ozlabs.org/series/502896/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/2233185/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/2233185/checks/","tags":{},"related":[],"headers":{"Return-Path":"<qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=ibm.com header.i=@ibm.com header.a=rsa-sha256\n header.s=pp1 header.b=bhx5B9zf;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=nongnu.org\n (client-ip=209.51.188.17; helo=lists1p.gnu.org;\n envelope-from=qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org;\n receiver=patchwork.ozlabs.org)"],"Received":["from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17])\n\t(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g98zP5YJhz1yJx\n\tfor <incoming@patchwork.ozlabs.org>; Wed, 06 May 2026 06:21:05 +1000 (AEST)","from localhost ([::1] helo=lists1p.gnu.org)\n\tby lists1p.gnu.org with esmtp (Exim 4.90_1)\n\t(envelope-from <qemu-devel-bounces@nongnu.org>)\n\tid 1wKMFw-0001dH-7E; Tue, 05 May 2026 16:20:36 -0400","from eggs.gnu.org ([2001:470:142:3::10])\n by lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)\n (Exim 4.90_1) (envelope-from <zycai@linux.ibm.com>)\n id 1wKMFt-0001TU-LO; Tue, 05 May 2026 16:20:33 -0400","from mx0b-001b2d01.pphosted.com ([148.163.158.5])\n by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)\n (Exim 4.90_1) (envelope-from <zycai@linux.ibm.com>)\n id 1wKMFr-0000fI-P6; Tue, 05 May 2026 16:20:33 -0400","from pps.filterd (m0353725.ppops.net [127.0.0.1])\n by mx0a-001b2d01.pphosted.com (8.18.1.11/8.18.1.11) with ESMTP id\n 645Adpul1590574; Tue, 5 May 2026 20:20:07 GMT","from ppma11.dal12v.mail.ibm.com\n (db.9e.1632.ip4.static.sl-reverse.com [50.22.158.219])\n by mx0a-001b2d01.pphosted.com (PPS) with ESMTPS id 4dw9xxn549-1\n (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT);\n Tue, 05 May 2026 20:20:07 +0000 (GMT)","from pps.filterd (ppma11.dal12v.mail.ibm.com [127.0.0.1])\n by ppma11.dal12v.mail.ibm.com (8.18.1.7/8.18.1.7) with ESMTP id\n 645K9RJ1015575;\n Tue, 5 May 2026 20:20:06 GMT","from smtprelay02.dal12v.mail.ibm.com ([172.16.1.4])\n by ppma11.dal12v.mail.ibm.com (PPS) with ESMTPS id 4dwx9yb27t-1\n (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT);\n Tue, 05 May 2026 20:20:06 +0000 (GMT)","from smtpav02.wdc07v.mail.ibm.com (smtpav02.wdc07v.mail.ibm.com\n [10.39.53.229])\n by smtprelay02.dal12v.mail.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id\n 645KK57027329208\n (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK);\n Tue, 5 May 2026 20:20:05 GMT","from smtpav02.wdc07v.mail.ibm.com (unknown [127.0.0.1])\n by IMSVA (Postfix) with ESMTP id 6703F58059;\n Tue,  5 May 2026 20:20:05 +0000 (GMT)","from smtpav02.wdc07v.mail.ibm.com (unknown [127.0.0.1])\n by IMSVA (Postfix) with ESMTP id CA6815805D;\n Tue,  5 May 2026 20:20:03 +0000 (GMT)","from fedora-workstation.pok.ibm.com (unknown [9.12.79.241])\n by smtpav02.wdc07v.mail.ibm.com (Postfix) with ESMTP;\n Tue,  5 May 2026 20:20:03 +0000 (GMT)"],"DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed; d=ibm.com; h=cc\n :content-transfer-encoding:content-type:date:from:in-reply-to\n :message-id:mime-version:references:subject:to; s=pp1; bh=r6xmiT\n 0ccSvkG5afSK6wU6kM02EflUZKe6oYaWMcyIk=; b=bhx5B9zfPnN/wMIlmleQu+\n DDps8/PaFEIaRfcMgWHM0H/ZEi5SvwJH4LL+Oj4RpQSBJpYfDh/jvlUUqZeWTQ6x\n nILVbjysloet8ZtrstPDc/onDmZzENeMNf+94voqBE4gCRWrtfnrVnxSSOCk8PxM\n tZAdXQLC2/Sv1Om5vMkRDKFHaTCeAg8pQULHavlaHT/AATJU/4jIpCFiEewuA1sy\n IOPXPhON5S6qFutmEQQeXtJieemg3vDboXZwymZBtDq0T3TK7DYzaU1m0Awww6tX\n kiaE7iyKnbrSrsnKXaqAdgr7GJVbgecVmeZztNhQkg4FNdO9UOQOgHaSX+Za89FQ\n ==","From":"Zhuoying Cai <zycai@linux.ibm.com>","To":"qemu-s390x@nongnu.org, qemu-devel@nongnu.org","Cc":"jrossi@linux.ibm.com, cohuck@redhat.com, berrange@redhat.com,\n richard.henderson@linaro.org, david@kernel.org, walling@linux.ibm.com,\n jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com,\n farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com,\n eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com,\n alifm@linux.ibm.com, brueckner@linux.ibm.com,\n pierrick.bouvier@oss.qualcomm.com, jdaley@linux.ibm.com","Subject":"[PATCH v11 32/32] docs/system/s390x: Add secure IPL documentation","Date":"Tue,  5 May 2026 16:19:04 -0400","Message-ID":"<20260505201905.997996-33-zycai@linux.ibm.com>","X-Mailer":"git-send-email 2.54.0","In-Reply-To":"<20260505201905.997996-1-zycai@linux.ibm.com>","References":"<20260505201905.997996-1-zycai@linux.ibm.com>","MIME-Version":"1.0","Content-Type":"text/plain; charset=UTF-8","Content-Transfer-Encoding":"8bit","X-TM-AS-GCONF":"00","X-Proofpoint-Spam-Details-Enc":"AW1haW4tMjYwNTA1MDE5NSBTYWx0ZWRfX5Wx5TifY54rQ\n QxhbhDwWh6XzvwKucd0hGbVilRWx6U9wFzpNWIOGMRiRJtCfOPNEKj1w/kRhBdRLlPj/eydill2\n jJgate5pz0wIeoRkvntbsF8rFcIWWVlO6tMpaF+gQdZyVZNxN5uba+0ZYvXXUy2EB8OVbLMw0gj\n vPYnh4JUPbSfUqPhP9Lk7eFRLSuZEBoOe3PCir0a8YIh2RYljx3W8pbwtNZKkIwUdKL8rcrcj59\n 7VpTwfkJdSazQqnhB+3TZIAuiGVcTL/8cGj45hXcAzA9Vn2C7F+231z0Ywg6rgdjuHG9y3m4sf8\n YplNG1BovbwgtU4n8nSj5GHDr1+wwOpJzRlEkjirAb4KXsutg5OBrbimYmOoBsJrmoyA57ARB0z\n r3mcDebZVKxhRTd0jEBnfzsB61YouwL0z0APKjP4pg23WBiyego2W7EBbNHugOuO/7qXpUwuDdA\n cICM4B6IzcxTCFnlCTg==","X-Proofpoint-ORIG-GUID":"ctlU46yDGFeuk4n_7L_TWOxtmjYufUZ8","X-Proofpoint-GUID":"ctlU46yDGFeuk4n_7L_TWOxtmjYufUZ8","X-Authority-Analysis":"v=2.4 cv=ctWrVV4i c=1 sm=1 tr=0 ts=69fa50f7 cx=c_pps\n a=aDMHemPKRhS1OARIsFnwRA==:117 a=aDMHemPKRhS1OARIsFnwRA==:17\n a=IkcTkHD0fZMA:10 a=NGcC8JguVDcA:10 a=VkNPw1HP01LnGYTKEx00:22\n a=RnoormkPH1_aCDwRdu11:22 a=V8glGbnc2Ofi9Qvn3v5h:22 a=VnNF1IyMAAAA:8\n a=q5T4S90kAAAA:8 a=xOmL8MRHFtDrr2fuNQ0A:9 a=3ZKOabzyN94A:10 a=QEXdDO2ut3YA:10\n a=LnBBZQxPVJ0Z7KJyRdxh:22","X-Proofpoint-Virus-Version":"vendor=baseguard\n engine=ICAP:2.0.293,Aquarius:18.0.1143,Hydra:6.1.51,FMLib:17.12.100.49\n definitions=2026-05-05_02,2026-04-30_02,2025-10-01_01","X-Proofpoint-Spam-Details":"rule=outbound_notspam policy=outbound score=0\n priorityscore=1501 lowpriorityscore=0 adultscore=0 clxscore=1015\n suspectscore=0 impostorscore=0 spamscore=0 malwarescore=0 phishscore=0\n bulkscore=0 classifier=typeunknown authscore=0 authtc= authcc= route=outbound\n adjust=0 reason=mlx scancount=1 engine=8.22.0-2604200000\n definitions=main-2605050195","Received-SPF":"pass client-ip=148.163.158.5; envelope-from=zycai@linux.ibm.com;\n helo=mx0b-001b2d01.pphosted.com","X-Spam_score_int":"-26","X-Spam_score":"-2.7","X-Spam_bar":"--","X-Spam_report":"(-2.7 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,\n DKIM_VALID=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7,\n RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001,\n SPF_PASS=-0.001 autolearn=ham autolearn_force=no","X-Spam_action":"no action","X-BeenThere":"qemu-devel@nongnu.org","X-Mailman-Version":"2.1.29","Precedence":"list","List-Id":"qemu development <qemu-devel.nongnu.org>","List-Unsubscribe":"<https://lists.nongnu.org/mailman/options/qemu-devel>,\n <mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>","List-Archive":"<https://lists.nongnu.org/archive/html/qemu-devel>","List-Post":"<mailto:qemu-devel@nongnu.org>","List-Help":"<mailto:qemu-devel-request@nongnu.org?subject=help>","List-Subscribe":"<https://lists.nongnu.org/mailman/listinfo/qemu-devel>,\n <mailto:qemu-devel-request@nongnu.org?subject=subscribe>","Errors-To":"qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org","Sender":"qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org"},"content":"Add documentation for secure IPL\n\nSigned-off-by: Collin Walling <walling@linux.ibm.com>\nSigned-off-by: Zhuoying Cai <zycai@linux.ibm.com>\n---\n docs/system/s390x/secure-ipl.rst | 100 +++++++++++++++++++++++++++++++\n 1 file changed, 100 insertions(+)","diff":"diff --git a/docs/system/s390x/secure-ipl.rst b/docs/system/s390x/secure-ipl.rst\nindex c8fb887ac0..b9123a72a0 100644\n--- a/docs/system/s390x/secure-ipl.rst\n+++ b/docs/system/s390x/secure-ipl.rst\n@@ -1,5 +1,22 @@\n .. SPDX-License-Identifier: GPL-2.0-or-later\n \n+s390 Secure IPL\n+===============\n+\n+Secure IPL, also known as secure boot, enables s390-ccw virtual machines to\n+verify the integrity of guest kernels.\n+\n+For technical details of this feature, see the\n+:doc:`specs document </specs/s390x-secure-ipl>`.\n+\n+This document explains how to use secure IPL with s390x in QEMU. It covers\n+the command line options for providing certificates and enabling secure IPL,\n+the different IPL modes (Normal, Audit, and Secure), and system requirements.\n+\n+A quickstart guide is provided to demonstrate how to generate certificates,\n+sign images, and start a guest in Secure Mode.\n+\n+\n Secure IPL Command Line Options\n -------------------------------\n \n@@ -79,3 +96,86 @@ Configuration:\n .. code-block:: shell\n \n     qemu-system-s390x -machine s390-ccw-virtio,secure-boot=on,boot-certs.0.path=/.../qemu/certs,boot-certs.1.path=/another/path/cert.pem ...\n+\n+\n+Constraints\n+-----------\n+\n+The following constraints apply when attempting to boot an s390x guest in secure\n+mode:\n+\n+- z16 or \"qemu\" CPU model\n+- certificates must be in X.509 PEM format\n+- only support for SCSI scheme of virtio-blk/virtio-scsi devices\n+- a boot device must be specified\n+- any unsupported devices (e.g., ECKD and VFIO) or non-eligible devices (e.g.,\n+  network) will cause the entire boot process terminating early with an error\n+  logged to the console.\n+\n+\n+Secure IPL Quickstart\n+---------------------\n+\n+Build QEMU with gnutls enabled\n+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n+\n+.. code-block:: shell\n+\n+    ./configure … --enable-gnutls\n+\n+Generate certificate (e.g. via certtool)\n+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n+\n+A private key is required before generating a certificate. This key must be kept\n+secure and confidential.\n+\n+Use an RSA private key for signing.\n+\n+.. code-block:: shell\n+\n+    certtool --generate-privkey > key.pem\n+\n+A self-signed certificate requires the organization name. Use the ``cert.info``\n+template to pre-fill values and avoid interactive prompts from certtool.\n+\n+.. code-block:: shell\n+\n+    cat > cert.info <<EOF\n+    cn = \"My Name\"\n+    expiration_days = 36500\n+    cert_signing_key\n+    EOF\n+\n+    certtool --generate-self-signed \\\n+             --load-privkey key.pem \\\n+             --template cert.info \\\n+             --hash=SHA256 \\\n+             --outfile cert.pem\n+\n+Sign Images (e.g. via sign-file)\n+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n+\n+- signing must be performed on a guest filesystem\n+- sign-file script used in the example below is located within the kernel source\n+  repo\n+\n+.. code-block:: shell\n+\n+    ./sign-file sha256 key.pem cert.pem /boot/vmlinuz-…\n+    ./sign-file sha256 key.pem cert.pem /usr/lib/s390-tools/stage3.bin\n+\n+Run zipl with secure boot enabled\n+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n+\n+- zipl must be performed on a guest filesystem\n+\n+.. code-block:: shell\n+\n+    zipl --secure 1 -V\n+\n+Command line options for starting the guest\n+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n+\n+.. code-block:: shell\n+\n+    qemu-system-s390x -machine s390-ccw-virtio,secure-boot=on,boot-certs.0.path=cert.pem ...\n","prefixes":["v11","32/32"]}