{"id":2233192,"url":"http://patchwork.ozlabs.org/api/1.2/patches/2233192/?format=json","web_url":"http://patchwork.ozlabs.org/project/qemu-devel/patch/20260505201905.997996-28-zycai@linux.ibm.com/","project":{"id":14,"url":"http://patchwork.ozlabs.org/api/1.2/projects/14/?format=json","name":"QEMU Development","link_name":"qemu-devel","list_id":"qemu-devel.nongnu.org","list_email":"qemu-devel@nongnu.org","web_url":"","scm_url":"","webscm_url":"","list_archive_url":"","list_archive_url_format":"","commit_url_format":""},"msgid":"<20260505201905.997996-28-zycai@linux.ibm.com>","list_archive_url":null,"date":"2026-05-05T20:18:59","name":"[v11,27/32] pc-bios/s390-ccw: Handle true secure IPL mode","commit_ref":null,"pull_url":null,"state":"new","archived":false,"hash":"ff89085d4aa080a42e68bc1cbcf23677872acd43","submitter":{"id":90643,"url":"http://patchwork.ozlabs.org/api/1.2/people/90643/?format=json","name":"Zhuoying Cai","email":"zycai@linux.ibm.com"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/qemu-devel/patch/20260505201905.997996-28-zycai@linux.ibm.com/mbox/","series":[{"id":502896,"url":"http://patchwork.ozlabs.org/api/1.2/series/502896/?format=json","web_url":"http://patchwork.ozlabs.org/project/qemu-devel/list/?series=502896","date":"2026-05-05T20:18:37","name":"Secure IPL Support for SCSI Scheme of virtio-blk/virtio-scsi Devices","version":11,"mbox":"http://patchwork.ozlabs.org/series/502896/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/2233192/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/2233192/checks/","tags":{},"related":[],"headers":{"Return-Path":"<qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=ibm.com header.i=@ibm.com header.a=rsa-sha256\n header.s=pp1 header.b=fgQcz+6n;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=nongnu.org\n (client-ip=209.51.188.17; helo=lists1p.gnu.org;\n envelope-from=qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org;\n receiver=patchwork.ozlabs.org)"],"Received":["from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17])\n\t(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g990V4CTqz1yJx\n\tfor <incoming@patchwork.ozlabs.org>; Wed, 06 May 2026 06:22:02 +1000 (AEST)","from localhost ([::1] helo=lists1p.gnu.org)\n\tby lists1p.gnu.org with esmtp (Exim 4.90_1)\n\t(envelope-from <qemu-devel-bounces@nongnu.org>)\n\tid 1wKMFa-0000IH-L1; Tue, 05 May 2026 16:20:14 -0400","from eggs.gnu.org ([2001:470:142:3::10])\n by lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)\n (Exim 4.90_1) (envelope-from <zycai@linux.ibm.com>)\n id 1wKMFQ-00088y-DY; Tue, 05 May 2026 16:20:06 -0400","from mx0a-001b2d01.pphosted.com ([148.163.156.1])\n by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)\n (Exim 4.90_1) (envelope-from <zycai@linux.ibm.com>)\n id 1wKMFO-0000LJ-En; Tue, 05 May 2026 16:20:04 -0400","from pps.filterd (m0360083.ppops.net [127.0.0.1])\n by mx0a-001b2d01.pphosted.com (8.18.1.11/8.18.1.11) with ESMTP id\n 645CSNT81362084; Tue, 5 May 2026 20:19:58 GMT","from ppma12.dal12v.mail.ibm.com\n (dc.9e.1632.ip4.static.sl-reverse.com [50.22.158.220])\n by mx0a-001b2d01.pphosted.com (PPS) with ESMTPS id 4dw9v7dnrc-1\n (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT);\n Tue, 05 May 2026 20:19:58 +0000 (GMT)","from pps.filterd (ppma12.dal12v.mail.ibm.com [127.0.0.1])\n by ppma12.dal12v.mail.ibm.com (8.18.1.7/8.18.1.7) with ESMTP id\n 645K9QFP031244;\n Tue, 5 May 2026 20:19:57 GMT","from smtprelay06.dal12v.mail.ibm.com ([172.16.1.8])\n by ppma12.dal12v.mail.ibm.com (PPS) with ESMTPS id 4dwukqbfv7-1\n (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT);\n Tue, 05 May 2026 20:19:57 +0000 (GMT)","from smtpav02.wdc07v.mail.ibm.com (smtpav02.wdc07v.mail.ibm.com\n [10.39.53.229])\n by smtprelay06.dal12v.mail.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id\n 645KJumJ32965230\n (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK);\n Tue, 5 May 2026 20:19:56 GMT","from smtpav02.wdc07v.mail.ibm.com (unknown [127.0.0.1])\n by IMSVA (Postfix) with ESMTP id 6F31058059;\n Tue,  5 May 2026 20:19:56 +0000 (GMT)","from smtpav02.wdc07v.mail.ibm.com (unknown [127.0.0.1])\n by IMSVA (Postfix) with ESMTP id C3CF75805B;\n Tue,  5 May 2026 20:19:54 +0000 (GMT)","from fedora-workstation.pok.ibm.com (unknown [9.12.79.241])\n by smtpav02.wdc07v.mail.ibm.com (Postfix) with ESMTP;\n Tue,  5 May 2026 20:19:54 +0000 (GMT)"],"DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed; d=ibm.com; h=cc\n :content-transfer-encoding:date:from:in-reply-to:message-id\n :mime-version:references:subject:to; s=pp1; bh=R9+lU0rzsphPgouYg\n 2Kq9dCR8T/LK5k6C1YAXto2kE0=; b=fgQcz+6nP4d0GqyC5osM3bDC62qb6Ml1w\n 3ZQuihAjqkn6xeauUPx9EsvusT/52+BRnNH7n+gaUMihgK0sO2vA722yIF5hPMY5\n +fkSQN7Stl5dcL3yAo8OE2fgYUfklov8OPXb4rsxuFBPX/g4U7CBZSgJsodj0sEt\n 7J+Uj42WaYKwuUPxbY7whRIwWYLf9raR8vRv81tndaqUeK7jNWvsi8mQ9W3yDI3Y\n xGchl3ECUbEFfpRynFJ84zjywRdM5cGsonrywVTTBlCt6uuch6ryRF3nSETLv3Ak\n JgijFk31L9qdrAmqvQ1FUjTUZN+WVZHcfhKvt0gVnBYYlrU8SfvHg==","From":"Zhuoying Cai <zycai@linux.ibm.com>","To":"qemu-s390x@nongnu.org, qemu-devel@nongnu.org","Cc":"jrossi@linux.ibm.com, cohuck@redhat.com, berrange@redhat.com,\n richard.henderson@linaro.org, david@kernel.org, walling@linux.ibm.com,\n jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com,\n farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com,\n eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com,\n alifm@linux.ibm.com, brueckner@linux.ibm.com,\n pierrick.bouvier@oss.qualcomm.com, jdaley@linux.ibm.com","Subject":"[PATCH v11 27/32] pc-bios/s390-ccw: Handle true secure IPL mode","Date":"Tue,  5 May 2026 16:18:59 -0400","Message-ID":"<20260505201905.997996-28-zycai@linux.ibm.com>","X-Mailer":"git-send-email 2.54.0","In-Reply-To":"<20260505201905.997996-1-zycai@linux.ibm.com>","References":"<20260505201905.997996-1-zycai@linux.ibm.com>","MIME-Version":"1.0","Content-Transfer-Encoding":"8bit","X-TM-AS-GCONF":"00","X-Proofpoint-Spam-Details-Enc":"AW1haW4tMjYwNTA1MDE5NSBTYWx0ZWRfXy7KEr4d8a9qD\n aKE2OLJMyQVdMMjk4EWQiQJuPC7rKWs+fMgg2sJwIFuj0mxgUUy/gE2+ALLS6O7nWe4/ff8yaki\n UAaP/Alh/6ZXByGD727nwCruWpWhr0a1aWU9p/sGawjc+yXcSJv3SHb4anVPgYpRLmiLgCH/vHZ\n FT2Os5ouKzavmdgR9jsZEeZrvH+nKclW3f5BL67UoNO5xEssGmkFAggyLXmhgL3MbifQU0WeNj6\n aKgjVgdXkWp1QTfWjK1ACNG0GItBLA7SLrDDPx7NB4qbZ3QKjdallurov7Aq1rnTxtEUfsAftgq\n bb1AWORD0EkGs+aDgFughVC/WuMzJ7DQmYXsPAuqmU0aolgvy6iXCNxmBS9yOORvXQR6aETvzUp\n NYX1vwkjs6Am41H/i1pCmxgD3p6cq+UgwnJ0opWXZuP8MmD4icSQDyhNSOX6cJDgrZk0YvTg955\n Ebv8hQIkD/4d31x1J2w==","X-Proofpoint-GUID":"5KhH9f-sWjEKZLR4Y3F1XAOPi_cdG0AO","X-Proofpoint-ORIG-GUID":"5KhH9f-sWjEKZLR4Y3F1XAOPi_cdG0AO","X-Authority-Analysis":"v=2.4 cv=eu/vCIpX c=1 sm=1 tr=0 ts=69fa50ee cx=c_pps\n a=bLidbwmWQ0KltjZqbj+ezA==:117 a=bLidbwmWQ0KltjZqbj+ezA==:17\n a=NGcC8JguVDcA:10 a=VkNPw1HP01LnGYTKEx00:22 a=RnoormkPH1_aCDwRdu11:22\n a=iQ6ETzBq9ecOQQE5vZCe:22 a=VnNF1IyMAAAA:8 a=k4r5r3Nqz0X3HBfsuYAA:9","X-Proofpoint-Virus-Version":"vendor=baseguard\n engine=ICAP:2.0.293,Aquarius:18.0.1143,Hydra:6.1.51,FMLib:17.12.100.49\n definitions=2026-05-05_02,2026-04-30_02,2025-10-01_01","X-Proofpoint-Spam-Details":"rule=outbound_notspam policy=outbound score=0\n priorityscore=1501 phishscore=0 lowpriorityscore=0 clxscore=1015 adultscore=0\n suspectscore=0 malwarescore=0 bulkscore=0 impostorscore=0 spamscore=0\n classifier=typeunknown authscore=0 authtc= authcc= route=outbound adjust=0\n reason=mlx scancount=1 engine=8.22.0-2604200000 definitions=main-2605050195","Received-SPF":"pass client-ip=148.163.156.1; envelope-from=zycai@linux.ibm.com;\n helo=mx0a-001b2d01.pphosted.com","X-Spam_score_int":"-26","X-Spam_score":"-2.7","X-Spam_bar":"--","X-Spam_report":"(-2.7 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,\n DKIM_VALID=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7,\n RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001,\n SPF_PASS=-0.001 autolearn=ham autolearn_force=no","X-Spam_action":"no action","X-BeenThere":"qemu-devel@nongnu.org","X-Mailman-Version":"2.1.29","Precedence":"list","List-Id":"qemu development <qemu-devel.nongnu.org>","List-Unsubscribe":"<https://lists.nongnu.org/mailman/options/qemu-devel>,\n <mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>","List-Archive":"<https://lists.nongnu.org/archive/html/qemu-devel>","List-Post":"<mailto:qemu-devel@nongnu.org>","List-Help":"<mailto:qemu-devel-request@nongnu.org?subject=help>","List-Subscribe":"<https://lists.nongnu.org/mailman/listinfo/qemu-devel>,\n <mailto:qemu-devel-request@nongnu.org?subject=subscribe>","Errors-To":"qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org","Sender":"qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org"},"content":"When secure boot is enabled (-secure-boot on) and certificate(s) are\nprovided, the boot operates in True Secure IPL mode.\n\nAny verification error during True Secure IPL mode will cause the\nentire boot process to terminate.\n\nSecure IPL in audit mode requires at least one certificate provided in\nthe key store along with necessary facilities. If secure boot is enabled\nbut no certificate is provided, the boot process will also terminate, as\nthis is not a valid secure boot configuration.\n\nNote: True Secure IPL mode is implemented for the SCSI scheme of\nvirtio-blk/virtio-scsi devices.\n\nSigned-off-by: Zhuoying Cai <zycai@linux.ibm.com>\nReviewed-by: Collin Walling <walling@linux.ibm.com>\n---\n docs/system/s390x/secure-ipl.rst | 13 +++++++++++++\n pc-bios/s390-ccw/bootmap.c       |  8 ++++++++\n pc-bios/s390-ccw/main.c          |  3 ++-\n pc-bios/s390-ccw/s390-ccw.h      |  1 +\n pc-bios/s390-ccw/secure-ipl.h    |  3 +++\n 5 files changed, 27 insertions(+), 1 deletion(-)","diff":"diff --git a/docs/system/s390x/secure-ipl.rst b/docs/system/s390x/secure-ipl.rst\nindex 9e3955f8fc..c8fb887ac0 100644\n--- a/docs/system/s390x/secure-ipl.rst\n+++ b/docs/system/s390x/secure-ipl.rst\n@@ -66,3 +66,16 @@ Configuration:\n .. code-block:: shell\n \n     qemu-system-s390x -machine s390-ccw-virtio,boot-certs.0.path=/.../qemu/certs,boot-certs.1.path=/another/path/cert.pem ...\n+\n+Secure Mode\n+^^^^^^^^^^^\n+\n+When the ``secure-boot=on`` option is set and certificates are provided,\n+a secure boot is performed with error reporting enabled. The boot process aborts\n+if any error occurs.\n+\n+Configuration:\n+\n+.. code-block:: shell\n+\n+    qemu-system-s390x -machine s390-ccw-virtio,secure-boot=on,boot-certs.0.path=/.../qemu/certs,boot-certs.1.path=/another/path/cert.pem ...\ndiff --git a/pc-bios/s390-ccw/bootmap.c b/pc-bios/s390-ccw/bootmap.c\nindex a300fba8cd..8f54c15144 100644\n--- a/pc-bios/s390-ccw/bootmap.c\n+++ b/pc-bios/s390-ccw/bootmap.c\n@@ -738,6 +738,7 @@ static int zipl_run(ScsiBlockPtr *pte)\n     case ZIPL_BOOT_MODE_NORMAL:\n         rc = zipl_run_normal(&entry, tmp_sec);\n         break;\n+    case ZIPL_BOOT_MODE_SECURE:\n     case ZIPL_BOOT_MODE_SECURE_AUDIT:\n         rc = zipl_run_secure(&entry, tmp_sec);\n         break;\n@@ -1115,9 +1116,16 @@ ZiplBootMode get_boot_mode(uint8_t hdr_flags)\n {\n     bool sipl_set = hdr_flags & DIAG308_IPIB_FLAGS_SIPL;\n     bool iplir_set = hdr_flags & DIAG308_IPIB_FLAGS_IPLIR;\n+    VCStorageSizeBlock *vcssb;\n \n     if (!sipl_set && iplir_set) {\n         return ZIPL_BOOT_MODE_SECURE_AUDIT;\n+    } else if (sipl_set && iplir_set) {\n+        vcssb = zipl_secure_get_vcssb();\n+        if (vcssb == NULL || vcssb->length == VCSSB_NO_VC) {\n+            panic(\"Need at least one certificate for secure boot!\");\n+        }\n+        return ZIPL_BOOT_MODE_SECURE;\n     }\n \n     return ZIPL_BOOT_MODE_NORMAL;\ndiff --git a/pc-bios/s390-ccw/main.c b/pc-bios/s390-ccw/main.c\nindex 0bcd32b059..e34179a05f 100644\n--- a/pc-bios/s390-ccw/main.c\n+++ b/pc-bios/s390-ccw/main.c\n@@ -396,9 +396,10 @@ void main(void)\n \n     boot_mode = get_boot_mode(iplb->hdr_flags);\n     switch (boot_mode) {\n+    case ZIPL_BOOT_MODE_SECURE:\n     case ZIPL_BOOT_MODE_SECURE_AUDIT:\n         if (!secure_ipl_supported()) {\n-            panic(\"Unable to boot in audit mode\");\n+            panic(\"Unable to boot in secure/audit mode\");\n         }\n     default:\n         break;\ndiff --git a/pc-bios/s390-ccw/s390-ccw.h b/pc-bios/s390-ccw/s390-ccw.h\nindex b66a9b50bf..7a7bf7720b 100644\n--- a/pc-bios/s390-ccw/s390-ccw.h\n+++ b/pc-bios/s390-ccw/s390-ccw.h\n@@ -90,6 +90,7 @@ void zipl_load(void);\n typedef enum ZiplBootMode {\n     ZIPL_BOOT_MODE_NORMAL = 0,\n     ZIPL_BOOT_MODE_SECURE_AUDIT = 1,\n+    ZIPL_BOOT_MODE_SECURE = 2,\n } ZiplBootMode;\n \n extern ZiplBootMode boot_mode;\ndiff --git a/pc-bios/s390-ccw/secure-ipl.h b/pc-bios/s390-ccw/secure-ipl.h\nindex 950cd45b3c..723612b9ea 100644\n--- a/pc-bios/s390-ccw/secure-ipl.h\n+++ b/pc-bios/s390-ccw/secure-ipl.h\n@@ -83,6 +83,9 @@ static inline void zipl_secure_error(const char *message)\n     case ZIPL_BOOT_MODE_SECURE_AUDIT:\n         printf(\"AUDIT MODE WARNING: %s\\n\", message);\n         break;\n+    case ZIPL_BOOT_MODE_SECURE:\n+        panic(message);\n+        break;\n     default:\n         break;\n     }\n","prefixes":["v11","27/32"]}