{"id":2233206,"url":"http://patchwork.ozlabs.org/api/1.2/patches/2233206/?format=json","web_url":"http://patchwork.ozlabs.org/project/qemu-devel/patch/20260505201905.997996-31-zycai@linux.ibm.com/","project":{"id":14,"url":"http://patchwork.ozlabs.org/api/1.2/projects/14/?format=json","name":"QEMU Development","link_name":"qemu-devel","list_id":"qemu-devel.nongnu.org","list_email":"qemu-devel@nongnu.org","web_url":"","scm_url":"","webscm_url":"","list_archive_url":"","list_archive_url_format":"","commit_url_format":""},"msgid":"<20260505201905.997996-31-zycai@linux.ibm.com>","list_archive_url":null,"date":"2026-05-05T20:19:02","name":"[v11,30/32] tests/functional/s390x: Add secure IPL functional test","commit_ref":null,"pull_url":null,"state":"new","archived":false,"hash":"3e66310b014c9b4623d5d053b3db333d37dcd59d","submitter":{"id":90643,"url":"http://patchwork.ozlabs.org/api/1.2/people/90643/?format=json","name":"Zhuoying Cai","email":"zycai@linux.ibm.com"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/qemu-devel/patch/20260505201905.997996-31-zycai@linux.ibm.com/mbox/","series":[{"id":502896,"url":"http://patchwork.ozlabs.org/api/1.2/series/502896/?format=json","web_url":"http://patchwork.ozlabs.org/project/qemu-devel/list/?series=502896","date":"2026-05-05T20:18:37","name":"Secure IPL Support for SCSI Scheme of virtio-blk/virtio-scsi Devices","version":11,"mbox":"http://patchwork.ozlabs.org/series/502896/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/2233206/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/2233206/checks/","tags":{},"related":[],"headers":{"Return-Path":"","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=ibm.com header.i=@ibm.com header.a=rsa-sha256\n header.s=pp1 header.b=pCDUMaCX;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=nongnu.org\n (client-ip=209.51.188.17; helo=lists1p.gnu.org;\n envelope-from=qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org;\n receiver=patchwork.ozlabs.org)"],"Received":["from lists1p.gnu.org (lists1p.gnu.org [209.51.188.17])\n\t(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g992D3B07z1yJx\n\tfor ; Wed, 06 May 2026 06:23:32 +1000 (AEST)","from localhost ([::1] helo=lists1p.gnu.org)\n\tby lists1p.gnu.org with esmtp (Exim 4.90_1)\n\t(envelope-from )\n\tid 1wKMFd-0000ZL-5o; Tue, 05 May 2026 16:20:17 -0400","from eggs.gnu.org ([2001:470:142:3::10])\n by lists1p.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)\n (Exim 4.90_1) (envelope-from )\n id 1wKMFX-0008Vn-Ng; Tue, 05 May 2026 16:20:12 -0400","from mx0a-001b2d01.pphosted.com ([148.163.156.1])\n by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)\n (Exim 4.90_1) (envelope-from )\n id 1wKMFU-0000ai-P2; Tue, 05 May 2026 16:20:10 -0400","from pps.filterd (m0360083.ppops.net [127.0.0.1])\n by mx0a-001b2d01.pphosted.com (8.18.1.11/8.18.1.11) with ESMTP id\n 645ETBh61446669; Tue, 5 May 2026 20:20:04 GMT","from ppma21.wdc07v.mail.ibm.com\n (5b.69.3da9.ip4.static.sl-reverse.com [169.61.105.91])\n by mx0a-001b2d01.pphosted.com (PPS) with ESMTPS id 4dw9v7dns6-1\n (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT);\n Tue, 05 May 2026 20:20:04 +0000 (GMT)","from pps.filterd (ppma21.wdc07v.mail.ibm.com [127.0.0.1])\n by ppma21.wdc07v.mail.ibm.com (8.18.1.7/8.18.1.7) with ESMTP id\n 645K9Vj1002900;\n Tue, 5 May 2026 20:20:03 GMT","from smtprelay05.wdc07v.mail.ibm.com ([172.16.1.72])\n by ppma21.wdc07v.mail.ibm.com (PPS) with ESMTPS id 4dwvkju9xv-1\n (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT);\n Tue, 05 May 2026 20:20:03 +0000 (GMT)","from smtpav02.wdc07v.mail.ibm.com (smtpav02.wdc07v.mail.ibm.com\n [10.39.53.229])\n by smtprelay05.wdc07v.mail.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id\n 645KK24929557388\n (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK);\n Tue, 5 May 2026 20:20:02 GMT","from smtpav02.wdc07v.mail.ibm.com (unknown [127.0.0.1])\n by IMSVA (Postfix) with ESMTP id E9B4458059;\n Tue, 5 May 2026 20:20:01 +0000 (GMT)","from smtpav02.wdc07v.mail.ibm.com (unknown [127.0.0.1])\n by IMSVA (Postfix) with ESMTP id 43F295805B;\n Tue, 5 May 2026 20:20:00 +0000 (GMT)","from fedora-workstation.pok.ibm.com (unknown [9.12.79.241])\n by smtpav02.wdc07v.mail.ibm.com (Postfix) with ESMTP;\n Tue, 5 May 2026 20:20:00 +0000 (GMT)"],"DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed; d=ibm.com; h=cc\n :content-transfer-encoding:date:from:in-reply-to:message-id\n :mime-version:references:subject:to; s=pp1; bh=sDmhpjpdou13j9Ejz\n ugpRrCAl8dBwSWYAuEHRMoYaN0=; b=pCDUMaCXQ5EGy91HiQv+72+XojF/3iu20\n 6QFtg3Qlu7H4nb68h7TwJB2dNzR0RU+eNnnpRXmuR9vDmlnu8Vlc50mjXf8B8Ugx\n MU82F9vbQWPpP+PjH79a1xKePnKYNrvULMLqlDMshqApXvNEStLWEVK5vQTZpTEi\n SR5EQOQ7DNjTefZWD1eK+uHc9jODWPXrT4uzmyvopCBNfkWyg6Bv8GR394vUEdj0\n U99zl+kW3oxbLQcweUxhGWPOopU32IG1bpZdfj/Mm35VddSYKfasDcZknampQJYl\n AB/noDKEc3EFwg/ZgcY82LD1DJPzDbQHvVpp4fCzoVmuM1zF8G/zg==","From":"Zhuoying Cai ","To":"qemu-s390x@nongnu.org, qemu-devel@nongnu.org","Cc":"jrossi@linux.ibm.com, cohuck@redhat.com, berrange@redhat.com,\n richard.henderson@linaro.org, david@kernel.org, walling@linux.ibm.com,\n jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com,\n farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com,\n eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com,\n alifm@linux.ibm.com, brueckner@linux.ibm.com,\n pierrick.bouvier@oss.qualcomm.com, jdaley@linux.ibm.com","Subject":"[PATCH v11 30/32] tests/functional/s390x: Add secure IPL functional\n test","Date":"Tue, 5 May 2026 16:19:02 -0400","Message-ID":"<20260505201905.997996-31-zycai@linux.ibm.com>","X-Mailer":"git-send-email 2.54.0","In-Reply-To":"<20260505201905.997996-1-zycai@linux.ibm.com>","References":"<20260505201905.997996-1-zycai@linux.ibm.com>","MIME-Version":"1.0","Content-Transfer-Encoding":"8bit","X-TM-AS-GCONF":"00","X-Proofpoint-Spam-Details-Enc":"AW1haW4tMjYwNTA1MDE5NSBTYWx0ZWRfXx6BgQG2mv+rj\n 1jcc059s5wgTY10rpbHr4hTqS1Z5F0GkLDcuJMD/nN7e57mLo9oPPEOZBbl+uQTpLoBoT5XIG3W\n qsXG/Zdk9I7HCm9eGUFlJ/VCgSO3bkzTv7IkbI0tOc+zU1B/L33CgzZw2QbupmGxGkeBZv8gP9d\n r3Oc3t3hrk5Q0PKnEzHETiSGxr9XTdPoPCQrngjvzEt6leiBEMewENbh92972lkJ23Gm4CheJZ9\n TGJZguaJMZrzLt6DoFRtvVTZ7ssgig/Lfm9uVltRASHPhI+BJVsczcH8Q2MeB+mdmSWbCsblTtO\n nXPKLNtQgMUrHjR1AjajgykWN8V1fVivlwG6URYOOqq7K/LZpNEtqhQIOmBPLdvBJSgNnLsrcda\n oAuFmTDtj9Shd81CocR4jrkcjCdi9dB2kSEbL53VEcTIz6LfqscH9WVXFoTY2YiB6z34XZK5E9N\n BQXqJ+qDqWZ4mOQkLuQ==","X-Proofpoint-GUID":"w8NKe1_GKcCgE0btgIt-0pJPe5OZgVdu","X-Proofpoint-ORIG-GUID":"w8NKe1_GKcCgE0btgIt-0pJPe5OZgVdu","X-Authority-Analysis":"v=2.4 cv=eu/vCIpX c=1 sm=1 tr=0 ts=69fa50f4 cx=c_pps\n a=GFwsV6G8L6GxiO2Y/PsHdQ==:117 a=GFwsV6G8L6GxiO2Y/PsHdQ==:17\n a=NGcC8JguVDcA:10 a=VkNPw1HP01LnGYTKEx00:22 a=RnoormkPH1_aCDwRdu11:22\n a=iQ6ETzBq9ecOQQE5vZCe:22 a=vTr9H3xdAAAA:8 a=VnNF1IyMAAAA:8 a=WP5zsaevAAAA:8\n a=gSyHUACR81Cq5hz7ILYA:9 a=t8Kx07QrZZTALmIZmm-o:22","X-Proofpoint-Virus-Version":"vendor=baseguard\n engine=ICAP:2.0.293,Aquarius:18.0.1143,Hydra:6.1.51,FMLib:17.12.100.49\n definitions=2026-05-05_02,2026-04-30_02,2025-10-01_01","X-Proofpoint-Spam-Details":"rule=outbound_notspam policy=outbound score=0\n priorityscore=1501 phishscore=0 lowpriorityscore=0 clxscore=1015 adultscore=0\n suspectscore=0 malwarescore=0 bulkscore=0 impostorscore=0 spamscore=0\n classifier=typeunknown authscore=0 authtc= authcc= route=outbound adjust=0\n reason=mlx scancount=1 engine=8.22.0-2604200000 definitions=main-2605050195","Received-SPF":"pass client-ip=148.163.156.1; envelope-from=zycai@linux.ibm.com;\n helo=mx0a-001b2d01.pphosted.com","X-Spam_score_int":"-26","X-Spam_score":"-2.7","X-Spam_bar":"--","X-Spam_report":"(-2.7 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,\n DKIM_VALID=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7,\n RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001,\n SPF_PASS=-0.001 autolearn=ham autolearn_force=no","X-Spam_action":"no action","X-BeenThere":"qemu-devel@nongnu.org","X-Mailman-Version":"2.1.29","Precedence":"list","List-Id":"qemu development ","List-Unsubscribe":",\n ","List-Archive":"","List-Post":"","List-Help":"","List-Subscribe":",\n ","Errors-To":"qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org","Sender":"qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org"},"content":"Add functional test for secure IPL.\n\nSigned-off-by: Zhuoying Cai \n---\n tests/functional/s390x/meson.build | 2 +\n tests/functional/s390x/test_secure_ipl.py | 148 ++++++++++++++++++++++\n 2 files changed, 150 insertions(+)\n create mode 100755 tests/functional/s390x/test_secure_ipl.py","diff":"diff --git a/tests/functional/s390x/meson.build b/tests/functional/s390x/meson.build\nindex b065b666bc..01cb2d1d4c 100644\n--- a/tests/functional/s390x/meson.build\n+++ b/tests/functional/s390x/meson.build\n@@ -2,6 +2,7 @@\n \n test_s390x_timeouts = {\n 'ccw_virtio' : 420,\n+ 'secure_ipl' : 280,\n }\n \n tests_s390x_system_quick = [\n@@ -14,6 +15,7 @@ tests_s390x_system_thorough = [\n 'ccw_virtio',\n 'pxelinux',\n 'replay',\n+ 'secure_ipl',\n 'topology',\n 'tuxrun',\n ]\ndiff --git a/tests/functional/s390x/test_secure_ipl.py b/tests/functional/s390x/test_secure_ipl.py\nnew file mode 100755\nindex 0000000000..0980daace1\n--- /dev/null\n+++ b/tests/functional/s390x/test_secure_ipl.py\n@@ -0,0 +1,148 @@\n+#!/usr/bin/env python3\n+#\n+# s390x Secure IPL functional test: validates secure-boot verification results\n+#\n+# SPDX-License-Identifier: GPL-2.0-or-later\n+\n+from subprocess import check_call, DEVNULL\n+\n+from qemu_test import QemuSystemTest, Asset, get_qemu_img\n+from qemu_test import exec_command_and_wait_for_pattern, exec_command\n+from qemu_test import wait_for_console_pattern, skipBigDataTest\n+\n+class S390xSecureIpl(QemuSystemTest):\n+ ASSET_F40_QCOW2 = Asset(\n+ ('https://archives.fedoraproject.org/pub/archive/'\n+ 'fedora-secondary/releases/40/Server/s390x/images/'\n+ 'Fedora-Server-KVM-40-1.14.s390x.qcow2'),\n+ '091c232a7301be14e19c76ce9a0c1cbd2be2c4157884a731e1fc4f89e7455a5f')\n+\n+ def __init__(self, *args, **kwargs):\n+ super().__init__(*args, **kwargs)\n+ self.root_password = None\n+ self.qcow2_path = None\n+ self.cert_path = None\n+ self.prompt = None\n+\n+ # Boot a temporary VM to set up secure IPL image:\n+ # - Create certificate\n+ # - Sign stage3 binary and kernel\n+ # - Run zipl\n+ # - Extract certificate\n+ def setup_s390x_secure_ipl(self):\n+ temp_vm = self.get_vm(name='sipl_setup')\n+ temp_vm.set_machine('s390-ccw-virtio')\n+\n+ asset_path = self.ASSET_F40_QCOW2.fetch()\n+ self.qcow2_path = self.scratch_file('f40.qcow2')\n+ qemu_img = get_qemu_img(self)\n+ check_call([qemu_img, 'create', '-f', 'qcow2', '-b', asset_path,\n+ '-F', 'qcow2', self.qcow2_path], stdout=DEVNULL, stderr=DEVNULL)\n+\n+ temp_vm.set_console()\n+ temp_vm.add_args('-nographic',\n+ '-accel', 'kvm',\n+ '-m', '1024',\n+ '-drive',\n+ f'id=drive0,if=none,format=qcow2,file={self.qcow2_path}',\n+ '-device', 'virtio-blk-ccw,drive=drive0,bootindex=1')\n+ temp_vm.launch()\n+\n+ # Initial root account setup (Fedora first boot screen)\n+ self.root_password = 'fedora40password'\n+ wait_for_console_pattern(self, 'Please make a selection from the above',\n+ vm=temp_vm)\n+ exec_command_and_wait_for_pattern(self, '4', 'Password:', vm=temp_vm)\n+ exec_command_and_wait_for_pattern(self, self.root_password,\n+ 'Password (confirm):', vm=temp_vm)\n+ exec_command_and_wait_for_pattern(self, self.root_password,\n+ 'Please make a selection from the above',\n+ vm=temp_vm)\n+\n+ # Login as root\n+ self.prompt = '[root@localhost ~]#'\n+ exec_command_and_wait_for_pattern(self, 'c', 'localhost login:', vm=temp_vm)\n+ exec_command_and_wait_for_pattern(self, 'root', 'Password:', vm=temp_vm)\n+ exec_command_and_wait_for_pattern(self, self.root_password, self.prompt,\n+ vm=temp_vm)\n+\n+ # Certificate generation\n+ exec_command_and_wait_for_pattern(self,\n+ 'openssl version', 'OpenSSL 3.2.1 30',\n+ vm=temp_vm)\n+ exec_command_and_wait_for_pattern(self,\n+ 'openssl req -new -x509 -newkey rsa:2048 '\n+ '-keyout mykey.pem -outform PEM -out mycert.pem '\n+ '-days 36500 -subj \"/CN=My Name/\" -nodes -verbose',\n+ 'Writing private key to \\'mykey.pem\\'', vm=temp_vm)\n+\n+ # Install kernel-devel (needed for sign-file)\n+ exec_command_and_wait_for_pattern(self,\n+ 'sudo dnf install kernel-devel-$(uname -r) -y',\n+ 'Complete!', vm=temp_vm)\n+ wait_for_console_pattern(self, self.prompt, vm=temp_vm)\n+ exec_command_and_wait_for_pattern(self,\n+ 'ls /usr/src/kernels/$(uname -r)/scripts/',\n+ 'sign-file', vm=temp_vm)\n+\n+ # Sign stage3 binary and kernel\n+ exec_command(self, '/usr/src/kernels/$(uname -r)/scripts/sign-file '\n+ 'sha256 mykey.pem mycert.pem /lib/s390-tools/stage3.bin',\n+ vm=temp_vm)\n+ wait_for_console_pattern(self, self.prompt, vm=temp_vm)\n+ exec_command(self, '/usr/src/kernels/$(uname -r)/scripts/sign-file '\n+ 'sha256 mykey.pem mycert.pem /boot/vmlinuz-$(uname -r)',\n+ vm=temp_vm)\n+ wait_for_console_pattern(self, self.prompt, vm=temp_vm)\n+\n+ # Run zipl to prepare for secure boot\n+ exec_command_and_wait_for_pattern(self, 'zipl --secure 1 -VV', 'Done.',\n+ vm=temp_vm)\n+\n+ # Extract certificate to host\n+ out = exec_command_and_wait_for_pattern(self, 'cat mycert.pem',\n+ '-----END CERTIFICATE-----',\n+ vm=temp_vm)\n+ # strip first line to avoid console echo artifacts\n+ cert = \"\\n\".join(out.decode(\"utf-8\").splitlines()[1:])\n+ self.log.info(\"%s\", cert)\n+\n+ self.cert_path = self.scratch_file(\"mycert.pem\")\n+\n+ with open(self.cert_path, 'w', encoding=\"utf-8\") as file_object:\n+ file_object.write(cert)\n+\n+ # Shutdown temp vm\n+ temp_vm.shutdown()\n+\n+ @skipBigDataTest()\n+ def test_s390x_secure_ipl(self):\n+ self.require_accelerator('kvm')\n+ self.setup_s390x_secure_ipl()\n+\n+ self.set_machine('s390-ccw-virtio')\n+\n+ self.vm.set_console()\n+ self.vm.add_args('-nographic',\n+ '-machine', 's390-ccw-virtio,secure-boot=on,'\n+ f'boot-certs.0.path={self.cert_path}',\n+ '-accel', 'kvm',\n+ '-m', '1024',\n+ '-drive',\n+ f'id=drive1,if=none,format=qcow2,file={self.qcow2_path}',\n+ '-device', 'virtio-blk-ccw,drive=drive1,bootindex=1')\n+ self.vm.launch()\n+\n+ # Expect two verified components\n+ verified_output = \"Verified component\"\n+ wait_for_console_pattern(self, verified_output)\n+ wait_for_console_pattern(self, verified_output)\n+\n+ # Login and verify the vm is booted using secure boot\n+ wait_for_console_pattern(self, 'localhost login:')\n+ exec_command_and_wait_for_pattern(self, 'root', 'Password:')\n+ exec_command_and_wait_for_pattern(self, self.root_password, self.prompt)\n+ exec_command_and_wait_for_pattern(self, 'cat /sys/firmware/ipl/secure', '1')\n+\n+if __name__ == '__main__':\n+ QemuSystemTest.main()\n","prefixes":["v11","30/32"]}