All of lore.kernel.org
 help / color / mirror / Atom feed
From: Zhuoying Cai <zycai@linux.ibm.com>
To: thuth@redhat.com, richard.henderson@linaro.org, david@redhat.com,
	pbonzini@redhat.com
Cc: walling@linux.ibm.com, jjherne@linux.ibm.com,
	jrossi@linux.ibm.com, fiuczy@linux.ibm.com, pasic@linux.ibm.com,
	borntraeger@linux.ibm.com, farman@linux.ibm.com,
	iii@linux.ibm.com, qemu-s390x@nongnu.org, qemu-devel@nongnu.org,
	zycai@linux.ibm.com
Subject: [PATCH v2 23/25] pc-bios/s390-ccw: Handle secure boot with multiple boot devices
Date: Thu,  8 May 2025 18:50:39 -0400	[thread overview]
Message-ID: <20250508225042.313672-24-zycai@linux.ibm.com> (raw)
In-Reply-To: <20250508225042.313672-1-zycai@linux.ibm.com>

The current approach to enabling secure boot relies on providing
-secure-boot and -boot-certificates options, which apply to all boot
devices.

With the possibility of multiple boot devices, secure boot expects all
provided devices to be supported and eligible (e.g.,
virtio-blk/virtio-scsi using the SCSI scheme).

If multiple boot devices are provided and include an unsupported (e.g.,
ECKD, VFIO) or a non-eligible (e.g., Net) device, the boot process will
terminate with an error logged to the console.

Signed-off-by: Zhuoying Cai <zycai@linux.ibm.com>
---
 pc-bios/s390-ccw/bootmap.c  | 28 +++++++++-----
 pc-bios/s390-ccw/main.c     | 74 ++++++++++++++++++++++++++++++++++---
 pc-bios/s390-ccw/s390-ccw.h |  1 +
 3 files changed, 88 insertions(+), 15 deletions(-)

diff --git a/pc-bios/s390-ccw/bootmap.c b/pc-bios/s390-ccw/bootmap.c
index 395d52c65c..bff9c75c49 100644
--- a/pc-bios/s390-ccw/bootmap.c
+++ b/pc-bios/s390-ccw/bootmap.c
@@ -1323,23 +1323,35 @@ ZiplBootMode zipl_mode(uint8_t hdr_flags)
     return ZIPL_NORMAL_MODE;
 }
 
+int zipl_check_scsi_mbr_magic(void)
+{
+    ScsiMbr *mbr = (void *)sec;
+
+    /* Grab the MBR */
+    memset(sec, FREE_SPACE_FILLER, sizeof(sec));
+    if (virtio_read(0, mbr)) {
+        puts("Cannot read block 0");
+        return -EIO;
+    }
+
+    if (!magic_match(mbr->magic, ZIPL_MAGIC)) {
+        return -1;
+    }
+
+    return 0;
+}
+
 void zipl_load(void)
 {
     VDev *vdev = virtio_get_device();
 
     if (vdev->is_cdrom) {
-        if (boot_mode == ZIPL_SECURE_AUDIT_MODE || boot_mode == ZIPL_SECURE_MODE) {
-            panic("Secure boot from ISO image is not supported!");
-        }
         ipl_iso_el_torito();
         puts("Failed to IPL this ISO image!");
         return;
     }
 
     if (virtio_get_device_type() == VIRTIO_ID_NET) {
-        if (boot_mode == ZIPL_SECURE_AUDIT_MODE || boot_mode == ZIPL_SECURE_MODE) {
-            panic("Virtio net boot device does not support secure boot!");
-        }
         netmain();
         puts("Failed to IPL from this network!");
         return;
@@ -1350,10 +1362,6 @@ void zipl_load(void)
         return;
     }
 
-    if (boot_mode == ZIPL_SECURE_AUDIT_MODE || boot_mode == ZIPL_SECURE_MODE) {
-        panic("ECKD boot device does not support secure boot!");
-    }
-
     switch (virtio_get_device_type()) {
     case VIRTIO_ID_BLOCK:
         zipl_load_vblk();
diff --git a/pc-bios/s390-ccw/main.c b/pc-bios/s390-ccw/main.c
index 3e17550854..ffb87e264b 100644
--- a/pc-bios/s390-ccw/main.c
+++ b/pc-bios/s390-ccw/main.c
@@ -271,8 +271,43 @@ static int virtio_setup(void)
     return ret;
 }
 
-static void ipl_boot_device(void)
+static void validate_secure_boot_device(void)
+{
+    switch (cutype) {
+    case CU_TYPE_DASD_3990:
+    case CU_TYPE_DASD_2107:
+        panic("Passthrough (vfio) device does not support secure boot!");
+        break;
+    case CU_TYPE_VIRTIO:
+        if (virtio_setup() == 0) {
+            VDev *vdev = virtio_get_device();
+
+            if (vdev->is_cdrom) {
+                panic("Secure boot from ISO image is not supported!");
+            }
+
+            if (virtio_get_device_type() == VIRTIO_ID_NET) {
+                panic("Virtio net boot device does not support secure boot!");
+            }
+
+            if (zipl_check_scsi_mbr_magic()) {
+                panic("ECKD boot device does not support secure boot!");
+            }
+        }
+        break;
+    default:
+        panic("Secure boot from unexpected device type is not supported!");
+    }
+
+    printf("SCSI boot device supports secure boot.\n");
+}
+
+static void check_secure_boot_support(void)
 {
+    bool have_iplb_copy;
+    IplParameterBlock *iplb_copy;
+    QemuIplParameters *qipl_copy;
+
     if (boot_mode == 0) {
         boot_mode = zipl_mode(iplb->hdr_flags);
     }
@@ -281,13 +316,40 @@ static void ipl_boot_device(void)
         panic("Need at least one certificate for secure boot!");
     }
 
+    if (boot_mode == ZIPL_NORMAL_MODE) {
+        return;
+    }
+
+    /*
+     * Store copies of have_iplb, iplb and qipl.
+     * They will be updated in load_next_iplb().
+     */
+    have_iplb_copy = have_iplb;
+    iplb_copy = malloc(sizeof(IplParameterBlock));
+    qipl_copy = malloc(sizeof(QemuIplParameters));
+
+    memcpy(qipl_copy, &qipl, sizeof(QemuIplParameters));
+    memcpy(iplb_copy, iplb, sizeof(IplParameterBlock));
+
+    while (have_iplb_copy) {
+        if (have_iplb_copy && find_boot_device()) {
+            validate_secure_boot_device();
+        }
+        have_iplb_copy = load_next_iplb();
+    }
+
+    memcpy(&qipl, qipl_copy, sizeof(QemuIplParameters));
+    memcpy(iplb, iplb_copy, sizeof(IplParameterBlock));
+
+    free(qipl_copy);
+    free(iplb_copy);
+}
+
+static void ipl_boot_device(void)
+{
     switch (cutype) {
     case CU_TYPE_DASD_3990:
     case CU_TYPE_DASD_2107:
-        if (boot_mode == ZIPL_SECURE_AUDIT_MODE || boot_mode == ZIPL_SECURE_MODE) {
-            panic("Passthrough (vfio) device does not support secure boot!");
-        }
-
         dasd_ipl(blk_schid, cutype);
         break;
     case CU_TYPE_VIRTIO:
@@ -337,6 +399,8 @@ void main(void)
         probe_boot_device();
     }
 
+    check_secure_boot_support();
+
     while (have_iplb) {
         boot_setup();
         if (have_iplb && find_boot_device()) {
diff --git a/pc-bios/s390-ccw/s390-ccw.h b/pc-bios/s390-ccw/s390-ccw.h
index bf20efe88e..a26233afac 100644
--- a/pc-bios/s390-ccw/s390-ccw.h
+++ b/pc-bios/s390-ccw/s390-ccw.h
@@ -92,6 +92,7 @@ typedef enum ZiplBootMode {
 extern ZiplBootMode boot_mode;
 
 ZiplBootMode zipl_mode(uint8_t hdr_flags);
+int zipl_check_scsi_mbr_magic(void);
 
 /* jump2ipl.c */
 void write_reset_psw(uint64_t psw);
-- 
2.49.0



  parent reply	other threads:[~2025-05-08 22:52 UTC|newest]

Thread overview: 49+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-05-08 22:50 [PATCH v2 00/25] Secure IPL Support for SCSI Scheme of virtio-blk/virtio-scsi Devices Zhuoying Cai
2025-05-08 22:50 ` [PATCH v2 01/25] Add -boot-certificates to s390-ccw-virtio machine type option Zhuoying Cai
2025-05-13 14:58   ` Thomas Huth
2025-05-08 22:50 ` [PATCH v2 02/25] hw/s390x/ipl: Create certificate store Zhuoying Cai
2025-05-14  5:43   ` Thomas Huth
2025-05-29 18:49     ` Zhuoying Cai
2025-05-14  9:03   ` Daniel P. Berrangé
2025-05-29 17:51     ` Zhuoying Cai
2025-05-08 22:50 ` [PATCH v2 03/25] s390x: Guest support for Certificate Store Facility (CS) Zhuoying Cai
2025-05-14  6:11   ` Thomas Huth
2025-05-08 22:50 ` [PATCH v2 04/25] s390x/diag: Introduce DIAG 320 for certificate store facility Zhuoying Cai
2025-05-14  8:17   ` Thomas Huth
2025-05-08 22:50 ` [PATCH v2 05/25] s390x/diag: Refactor address validation check from diag308_parm_check Zhuoying Cai
2025-05-08 22:50 ` [PATCH v2 06/25] s390x/diag: Implement DIAG 320 subcode 1 Zhuoying Cai
2025-05-14 15:32   ` Thomas Huth
2025-05-08 22:50 ` [PATCH v2 07/25] s390x/diag: Implement DIAG 320 subcode 2 Zhuoying Cai
2025-05-14 16:18   ` Thomas Huth
2025-05-29 19:09     ` Zhuoying Cai
2025-05-30  6:38       ` Thomas Huth
2025-05-08 22:50 ` [PATCH v2 08/25] s390x/diag: Introduce DIAG 508 for secure IPL operations Zhuoying Cai
2025-05-08 22:50 ` [PATCH v2 09/25] s390x/diag: Implement DIAG 508 subcode 1 for signature verification Zhuoying Cai
2025-05-20  6:11   ` Thomas Huth
2025-05-20  8:16   ` Daniel P. Berrangé
2025-05-08 22:50 ` [PATCH v2 10/25] pc-bios/s390-ccw: Introduce IPL Information Report Block (IIRB) Zhuoying Cai
2025-05-08 22:50 ` [PATCH v2 11/25] pc-bios/s390-ccw: Define memory for IPLB and convert IPLB to pointers Zhuoying Cai
2025-05-20  9:24   ` Thomas Huth
2025-05-08 22:50 ` [PATCH v2 12/25] hw/s390x/ipl: Add IPIB flags to IPL Parameter Block Zhuoying Cai
2025-05-08 22:50 ` [PATCH v2 13/25] hw/s390x/ipl: Set iplb->len to maximum length of " Zhuoying Cai
2025-05-08 22:50 ` [PATCH v2 14/25] s390x: Guest support for Secure-IPL Facility Zhuoying Cai
2025-05-08 22:50 ` [PATCH v2 15/25] pc-bios/s390-ccw: Refactor zipl_run() Zhuoying Cai
2025-05-20  9:29   ` Thomas Huth
2025-05-08 22:50 ` [PATCH v2 16/25] pc-bios/s390-ccw: Refactor zipl_load_segment function Zhuoying Cai
2025-05-20  9:39   ` Thomas Huth
2025-05-08 22:50 ` [PATCH v2 17/25] pc-bios/s390-ccw: Add signature verification for secure IPL in audit mode Zhuoying Cai
2025-05-20 10:25   ` Thomas Huth
2025-05-29 19:28     ` Zhuoying Cai
2025-05-08 22:50 ` [PATCH v2 18/25] s390x: Guest support for Secure-IPL Code Loading Attributes Facility (SCLAF) Zhuoying Cai
2025-05-26 14:46   ` Hendrik Brueckner
2025-05-08 22:50 ` [PATCH v2 19/25] pc-bios/s390-ccw: Add additional security checks for secure boot Zhuoying Cai
2025-05-08 22:50 ` [PATCH v2 20/25] Add -secure-boot to s390-ccw-virtio machine type option Zhuoying Cai
2025-05-21 12:14   ` Thomas Huth
2025-05-08 22:50 ` [PATCH v2 21/25] hw/s390x/ipl: Set IPIB flags for secure IPL Zhuoying Cai
2025-05-21 12:20   ` Thomas Huth
2025-05-08 22:50 ` [PATCH v2 22/25] pc-bios/s390-ccw: Handle true secure IPL mode Zhuoying Cai
2025-05-08 22:50 ` Zhuoying Cai [this message]
2025-05-08 22:50 ` [PATCH v2 24/25] hw/s390x/ipl: Handle secure boot without specifying a boot device Zhuoying Cai
2025-05-08 22:50 ` [PATCH v2 25/25] docs/system/s390x: Add secure IPL documentation Zhuoying Cai
2025-05-21 12:37   ` Thomas Huth
2025-05-23 20:28     ` Collin Walling

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20250508225042.313672-24-zycai@linux.ibm.com \
    --to=zycai@linux.ibm.com \
    --cc=borntraeger@linux.ibm.com \
    --cc=david@redhat.com \
    --cc=farman@linux.ibm.com \
    --cc=fiuczy@linux.ibm.com \
    --cc=iii@linux.ibm.com \
    --cc=jjherne@linux.ibm.com \
    --cc=jrossi@linux.ibm.com \
    --cc=pasic@linux.ibm.com \
    --cc=pbonzini@redhat.com \
    --cc=qemu-devel@nongnu.org \
    --cc=qemu-s390x@nongnu.org \
    --cc=richard.henderson@linaro.org \
    --cc=thuth@redhat.com \
    --cc=walling@linux.ibm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.