From: Zhuoying Cai <zycai@linux.ibm.com>
To: thuth@redhat.com, berrange@redhat.com,
richard.henderson@linaro.org, jrossi@linux.ibm.com,
qemu-s390x@nongnu.org, qemu-devel@nongnu.org
Cc: david@kernel.org, walling@linux.ibm.com, jjherne@linux.ibm.com,
pasic@linux.ibm.com, borntraeger@linux.ibm.com,
farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com,
eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com,
alifm@linux.ibm.com, brueckner@linux.ibm.com
Subject: [PATCH v8 04/30] hw/s390x/ipl: Create certificate store
Date: Thu, 12 Feb 2026 15:43:25 -0500 [thread overview]
Message-ID: <20260212204352.1044699-5-zycai@linux.ibm.com> (raw)
In-Reply-To: <20260212204352.1044699-1-zycai@linux.ibm.com>
Create a certificate store for boot certificates used for secure IPL.
Load certificates from the `boot-certs` parameter of s390-ccw-virtio
machine type option into the cert store.
Currently, only X.509 certificates in PEM format are supported, as the
QEMU command line accepts certificates in PEM format only.
Signed-off-by: Zhuoying Cai <zycai@linux.ibm.com>
---
docs/specs/s390x-secure-ipl.rst | 16 +++
hw/s390x/cert-store.c | 221 ++++++++++++++++++++++++++++++++
hw/s390x/cert-store.h | 41 ++++++
hw/s390x/ipl.c | 10 ++
hw/s390x/ipl.h | 3 +
hw/s390x/meson.build | 1 +
include/hw/s390x/ipl/qipl.h | 2 +
7 files changed, 294 insertions(+)
create mode 100644 docs/specs/s390x-secure-ipl.rst
create mode 100644 hw/s390x/cert-store.c
create mode 100644 hw/s390x/cert-store.h
diff --git a/docs/specs/s390x-secure-ipl.rst b/docs/specs/s390x-secure-ipl.rst
new file mode 100644
index 0000000000..7ddac98a37
--- /dev/null
+++ b/docs/specs/s390x-secure-ipl.rst
@@ -0,0 +1,16 @@
+.. SPDX-License-Identifier: GPL-2.0-or-later
+
+s390 Certificate Store and Functions
+====================================
+
+s390 Certificate Store
+----------------------
+
+A certificate store is implemented for s390-ccw guests to retain within
+memory all certificates provided by the user via the command-line, which
+are expected to be stored somewhere on the host's file system. The store
+will keep track of the number of certificates, their respective size,
+and a summation of the sizes.
+
+Note: A maximum of 64 certificates are allowed to be stored in the certificate
+store.
diff --git a/hw/s390x/cert-store.c b/hw/s390x/cert-store.c
new file mode 100644
index 0000000000..f642d50795
--- /dev/null
+++ b/hw/s390x/cert-store.c
@@ -0,0 +1,221 @@
+/*
+ * S390 certificate store implementation
+ *
+ * Copyright 2025 IBM Corp.
+ * Author(s): Zhuoying Cai <zycai@linux.ibm.com>
+ *
+ * SPDX-License-Identifier: GPL-2.0-or-later
+ */
+
+#include "qemu/osdep.h"
+#include "cert-store.h"
+#include "qapi/error.h"
+#include "qemu/error-report.h"
+#include "qemu/option.h"
+#include "qemu/config-file.h"
+#include "hw/s390x/ebcdic.h"
+#include "hw/s390x/s390-virtio-ccw.h"
+#include "qemu/cutils.h"
+#include "crypto/x509-utils.h"
+#include "qapi/qapi-types-machine-s390x.h"
+
+static BootCertificatesList *s390_get_boot_certs(void)
+{
+ return S390_CCW_MACHINE(qdev_get_machine())->boot_certs;
+}
+
+static S390IPLCertificate *init_cert(char *path, Error **errp)
+{
+ int rc;
+ char *buf;
+ size_t size;
+ size_t der_len;
+ char name[CERT_NAME_MAX_LEN];
+ g_autofree gchar *filename = NULL;
+ S390IPLCertificate *cert = NULL;
+ g_autofree uint8_t *cert_der = NULL;
+ Error *local_err = NULL;
+
+ filename = g_path_get_basename(path);
+
+ if (!g_file_get_contents(path, &buf, &size, NULL)) {
+ error_setg(errp, "Failed to load certificate: %s", path);
+ return NULL;
+ }
+
+ rc = qcrypto_x509_convert_cert_der((uint8_t *)buf, size,
+ &cert_der, &der_len, &local_err);
+ if (rc != 0) {
+ error_propagate_prepend(errp, local_err,
+ "Failed to initialize certificate: %s: ", path);
+ g_free(buf);
+ return NULL;
+ }
+
+ cert = g_new0(S390IPLCertificate, 1);
+ cert->size = size;
+ /*
+ * Store DER length only - reused for size calculation.
+ * cert_der is discarded because DER certificate data will be used once
+ * and can be regenerated from cert->raw.
+ */
+ cert->der_size = der_len;
+ /* store raw pointer - ownership transfers to cert */
+ cert->raw = (uint8_t *)buf;
+
+ /*
+ * Left justified certificate name with padding on the right with blanks.
+ * Convert certificate name to EBCDIC.
+ */
+ strpadcpy(name, CERT_NAME_MAX_LEN, filename, ' ');
+ ebcdic_put(cert->name, name, CERT_NAME_MAX_LEN);
+
+ return cert;
+}
+
+static void update_cert_store(S390IPLCertificateStore *cert_store,
+ S390IPLCertificate *cert)
+{
+ size_t data_buf_size;
+ size_t keyid_buf_size;
+ size_t hash_buf_size;
+ size_t cert_buf_size;
+
+ /* length field is word aligned for later DIAG use */
+ keyid_buf_size = ROUND_UP(CERT_KEY_ID_LEN, 4);
+ hash_buf_size = ROUND_UP(CERT_HASH_LEN, 4);
+ cert_buf_size = ROUND_UP(cert->der_size, 4);
+ data_buf_size = keyid_buf_size + hash_buf_size + cert_buf_size;
+
+ if (cert_store->largest_cert_size < data_buf_size) {
+ cert_store->largest_cert_size = data_buf_size;
+ }
+
+ g_assert(cert_store->count < MAX_CERTIFICATES);
+
+ cert_store->certs[cert_store->count] = *cert;
+ cert_store->total_bytes += data_buf_size;
+ cert_store->count++;
+}
+
+static GPtrArray *get_cert_paths(Error **errp)
+{
+ struct stat st;
+ BootCertificatesList *path_list = NULL;
+ BootCertificatesList *list = NULL;
+ gchar *cert_path;
+ GDir *dir = NULL;
+ const gchar *filename;
+ bool is_empty;
+ g_autoptr(GError) err = NULL;
+ g_autoptr(GPtrArray) cert_path_builder = g_ptr_array_new_full(0, g_free);
+
+ path_list = s390_get_boot_certs();
+
+ for (list = path_list; list; list = list->next) {
+ cert_path = list->value->path;
+
+ if (g_strcmp0(cert_path, "") == 0) {
+ error_setg(errp, "Empty path in certificate path list is not allowed");
+ goto fail;
+ }
+
+ if (stat(cert_path, &st) != 0) {
+ error_setg(errp, "Failed to stat path '%s': %s",
+ cert_path, g_strerror(errno));
+ goto fail;
+ }
+
+ if (S_ISREG(st.st_mode)) {
+ if (!g_str_has_suffix(cert_path, ".pem")) {
+ error_setg(errp, "Certificate file '%s' must have a .pem extension",
+ cert_path);
+ goto fail;
+ }
+
+ g_ptr_array_add(cert_path_builder, g_strdup(cert_path));
+ } else if (S_ISDIR(st.st_mode)) {
+ dir = g_dir_open(cert_path, 0, &err);
+ if (dir == NULL) {
+ error_setg(errp, "Failed to open directory '%s': %s",
+ cert_path, err->message);
+
+ goto fail;
+ }
+
+ is_empty = true;
+ while ((filename = g_dir_read_name(dir))) {
+ is_empty = false;
+
+ if (g_str_has_suffix(filename, ".pem")) {
+ g_ptr_array_add(cert_path_builder,
+ g_build_filename(cert_path, filename, NULL));
+ } else {
+ warn_report("skipping '%s': not a .pem file", filename);
+ }
+ }
+
+ if (is_empty) {
+ warn_report("'%s' directory is empty", cert_path);
+ }
+
+ g_dir_close(dir);
+ } else {
+ error_setg(errp, "Path '%s' is neither a file nor a directory", cert_path);
+ goto fail;
+ }
+ }
+
+ qapi_free_BootCertificatesList(path_list);
+ return g_steal_pointer(&cert_path_builder);
+
+fail:
+ qapi_free_BootCertificatesList(path_list);
+ return NULL;
+}
+
+void s390_ipl_create_cert_store(S390IPLCertificateStore *cert_store)
+{
+ GPtrArray *cert_path_builder;
+ Error *err = NULL;
+
+ /* If cert store is already populated, then no work to do */
+ if (cert_store->count) {
+ return;
+ }
+
+ cert_path_builder = get_cert_paths(&err);
+ if (cert_path_builder == NULL) {
+ error_report_err(err);
+ exit(1);
+ }
+
+ if (cert_path_builder->len == 0) {
+ g_ptr_array_free(cert_path_builder, TRUE);
+ return;
+ }
+
+ if (cert_path_builder->len > MAX_CERTIFICATES - 1) {
+ error_report("Cert store exceeds maximum of %d certificates", MAX_CERTIFICATES);
+ g_ptr_array_free(cert_path_builder, TRUE);
+ exit(1);
+ }
+
+ cert_store->largest_cert_size = 0;
+ cert_store->total_bytes = 0;
+
+ for (int i = 0; i < cert_path_builder->len; i++) {
+ g_autofree S390IPLCertificate *cert = init_cert(
+ (char *) cert_path_builder->pdata[i],
+ &err);
+ if (!cert) {
+ error_report_err(err);
+ g_ptr_array_free(cert_path_builder, TRUE);
+ exit(1);
+ }
+
+ update_cert_store(cert_store, cert);
+ }
+
+ g_ptr_array_free(cert_path_builder, TRUE);
+}
diff --git a/hw/s390x/cert-store.h b/hw/s390x/cert-store.h
new file mode 100644
index 0000000000..50e36e2389
--- /dev/null
+++ b/hw/s390x/cert-store.h
@@ -0,0 +1,41 @@
+/*
+ * S390 certificate store
+ *
+ * Copyright 2025 IBM Corp.
+ * Author(s): Zhuoying Cai <zycai@linux.ibm.com>
+ *
+ * SPDX-License-Identifier: GPL-2.0-or-later
+ */
+
+#ifndef HW_S390_CERT_STORE_H
+#define HW_S390_CERT_STORE_H
+
+#include "hw/s390x/ipl/qipl.h"
+#include "crypto/x509-utils.h"
+
+#define CERT_NAME_MAX_LEN 64
+
+#define CERT_KEY_ID_LEN QCRYPTO_HASH_DIGEST_LEN_SHA256
+#define CERT_HASH_LEN QCRYPTO_HASH_DIGEST_LEN_SHA256
+
+struct S390IPLCertificate {
+ uint8_t name[CERT_NAME_MAX_LEN];
+ size_t size;
+ size_t der_size;
+ uint8_t *raw;
+};
+typedef struct S390IPLCertificate S390IPLCertificate;
+
+struct S390IPLCertificateStore {
+ uint16_t count;
+ size_t largest_cert_size;
+ size_t total_bytes;
+ S390IPLCertificate certs[MAX_CERTIFICATES];
+};
+typedef struct S390IPLCertificateStore S390IPLCertificateStore;
+QEMU_BUILD_BUG_MSG(sizeof(S390IPLCertificateStore) != 5656,
+ "size of S390IPLCertificateStore is wrong");
+
+void s390_ipl_create_cert_store(S390IPLCertificateStore *cert_store);
+
+#endif
diff --git a/hw/s390x/ipl.c b/hw/s390x/ipl.c
index d34adb5522..ea108fe370 100644
--- a/hw/s390x/ipl.c
+++ b/hw/s390x/ipl.c
@@ -36,6 +36,7 @@
#include "qemu/option.h"
#include "qemu/ctype.h"
#include "standard-headers/linux/virtio_ids.h"
+#include "cert-store.h"
#define KERN_IMAGE_START 0x010000UL
#define LINUX_MAGIC_ADDR 0x010008UL
@@ -425,6 +426,13 @@ void s390_ipl_convert_loadparm(char *ascii_lp, uint8_t *ebcdic_lp)
}
}
+S390IPLCertificateStore *s390_ipl_get_certificate_store(void)
+{
+ S390IPLState *ipl = get_ipl_device();
+
+ return &ipl->cert_store;
+}
+
static bool s390_build_iplb(DeviceState *dev_st, IplParameterBlock *iplb)
{
CcwDevice *ccw_dev = NULL;
@@ -718,6 +726,8 @@ void s390_ipl_prepare_cpu(S390CPU *cpu)
cpu->env.psw.addr = ipl->start_addr;
cpu->env.psw.mask = IPL_PSW_MASK;
+ s390_ipl_create_cert_store(&ipl->cert_store);
+
if (!ipl->kernel || ipl->iplb_valid) {
cpu->env.psw.addr = ipl->bios_start_addr;
if (!ipl->iplb_valid) {
diff --git a/hw/s390x/ipl.h b/hw/s390x/ipl.h
index 85be03de1b..0c773ac8ce 100644
--- a/hw/s390x/ipl.h
+++ b/hw/s390x/ipl.h
@@ -13,6 +13,7 @@
#ifndef HW_S390_IPL_H
#define HW_S390_IPL_H
+#include "cert-store.h"
#include "cpu.h"
#include "exec/target_page.h"
#include "system/address-spaces.h"
@@ -35,6 +36,7 @@ int s390_ipl_pv_unpack(struct S390PVResponse *pv_resp);
void s390_ipl_prepare_cpu(S390CPU *cpu);
IplParameterBlock *s390_ipl_get_iplb(void);
IplParameterBlock *s390_ipl_get_iplb_pv(void);
+S390IPLCertificateStore *s390_ipl_get_certificate_store(void);
enum s390_reset {
/* default is a reset not triggered by a CPU e.g. issued by QMP */
@@ -64,6 +66,7 @@ struct S390IPLState {
IplParameterBlock iplb;
IplParameterBlock iplb_pv;
QemuIplParameters qipl;
+ S390IPLCertificateStore cert_store;
uint64_t start_addr;
uint64_t compat_start_addr;
uint64_t bios_start_addr;
diff --git a/hw/s390x/meson.build b/hw/s390x/meson.build
index 8866012ddc..80d3d4a74d 100644
--- a/hw/s390x/meson.build
+++ b/hw/s390x/meson.build
@@ -17,6 +17,7 @@ s390x_ss.add(files(
'sclpcpu.c',
'sclpquiesce.c',
'tod.c',
+ 'cert-store.c',
))
s390x_ss.add(when: 'CONFIG_KVM', if_true: files(
'tod-kvm.c',
diff --git a/include/hw/s390x/ipl/qipl.h b/include/hw/s390x/ipl/qipl.h
index 6824391111..e505f44020 100644
--- a/include/hw/s390x/ipl/qipl.h
+++ b/include/hw/s390x/ipl/qipl.h
@@ -20,6 +20,8 @@
#define LOADPARM_LEN 8
#define NO_LOADPARM "\0\0\0\0\0\0\0\0"
+#define MAX_CERTIFICATES 64
+
/*
* The QEMU IPL Parameters will be stored at absolute address
* 204 (0xcc) which means it is 32-bit word aligned but not
--
2.52.0
next prev parent reply other threads:[~2026-02-12 20:48 UTC|newest]
Thread overview: 72+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-02-12 20:43 [PATCH v8 00/30] Secure IPL Support for SCSI Scheme of virtio-blk/virtio-scsi Devices Zhuoying Cai
2026-02-12 20:43 ` [PATCH v8 01/30] Add boot-certs to s390-ccw-virtio machine type option Zhuoying Cai
2026-02-17 8:30 ` Markus Armbruster
2026-02-12 20:43 ` [PATCH v8 02/30] crypto/x509-utils: Refactor with GNUTLS fallback Zhuoying Cai
2026-02-12 20:43 ` [PATCH v8 03/30] crypto/x509-utils: Add helper functions for certificate store Zhuoying Cai
2026-02-12 20:43 ` Zhuoying Cai [this message]
2026-02-26 16:02 ` [PATCH v8 04/30] hw/s390x/ipl: Create " Thomas Huth
2026-02-28 1:45 ` Zhuoying Cai
2026-03-05 21:34 ` Farhan Ali
2026-02-12 20:43 ` [PATCH v8 05/30] s390x/diag: Introduce DIAG 320 for Certificate Store Facility Zhuoying Cai
2026-02-27 12:41 ` Thomas Huth
2026-02-28 1:47 ` Zhuoying Cai
2026-02-12 20:43 ` [PATCH v8 06/30] s390x/diag: Refactor address validation check from diag308_parm_check Zhuoying Cai
2026-02-27 12:46 ` Thomas Huth
2026-02-12 20:43 ` [PATCH v8 07/30] s390x/diag: Implement DIAG 320 subcode 1 Zhuoying Cai
2026-02-27 12:58 ` Thomas Huth
2026-02-28 2:15 ` Zhuoying Cai
2026-02-28 12:51 ` Thomas Huth
2026-02-12 20:43 ` [PATCH v8 08/30] crypto/x509-utils: Add helper functions for DIAG 320 subcode 2 Zhuoying Cai
2026-02-28 13:43 ` Thomas Huth
2026-03-03 21:02 ` Zhuoying Cai
2026-03-04 7:26 ` Thomas Huth
2026-02-12 20:43 ` [PATCH v8 09/30] s390x/diag: Implement " Zhuoying Cai
2026-02-17 8:18 ` Markus Armbruster
2026-02-17 21:29 ` Zhuoying Cai
2026-02-28 2:25 ` Zhuoying Cai
2026-02-28 14:07 ` Thomas Huth
2026-02-12 20:43 ` [PATCH v8 10/30] s390x/diag: Introduce DIAG 508 for secure IPL operations Zhuoying Cai
2026-02-12 20:43 ` [PATCH v8 11/30] crypto/x509-utils: Add helper functions for DIAG 508 subcode 1 Zhuoying Cai
2026-02-12 20:43 ` [PATCH v8 12/30] s390x/diag: Implement DIAG 508 subcode 1 for signature verification Zhuoying Cai
2026-03-03 20:22 ` Farhan Ali
2026-02-12 20:43 ` [PATCH v8 13/30] s390x/ipl: Introduce IPL Information Report Block (IIRB) Zhuoying Cai
2026-03-03 20:38 ` Farhan Ali
2026-02-12 20:43 ` [PATCH v8 14/30] pc-bios/s390-ccw: Define memory for IPLB and convert IPLB to pointers Zhuoying Cai
2026-03-02 9:56 ` Thomas Huth
2026-02-12 20:43 ` [PATCH v8 15/30] hw/s390x/ipl: Add IPIB flags to IPL Parameter Block Zhuoying Cai
2026-02-12 20:43 ` [PATCH v8 16/30] s390x: Guest support for Secure-IPL Facility Zhuoying Cai
2026-03-02 10:03 ` Thomas Huth
2026-02-12 20:43 ` [PATCH v8 17/30] pc-bios/s390-ccw: Refactor zipl_run() Zhuoying Cai
2026-02-12 20:43 ` [PATCH v8 18/30] pc-bios/s390-ccw: Rework zipl_load_segment function Zhuoying Cai
2026-02-12 20:43 ` [PATCH v8 19/30] pc-bios/s390-ccw: Add signature verification for secure IPL in audit mode Zhuoying Cai
2026-03-02 10:48 ` Thomas Huth
2026-03-03 21:46 ` Farhan Ali
2026-03-04 22:17 ` Zhuoying Cai
2026-02-12 20:43 ` [PATCH v8 20/30] pc-bios/s390-ccw: Add signed component address overlap checks Zhuoying Cai
2026-03-02 11:01 ` Thomas Huth
2026-03-03 22:07 ` Farhan Ali
2026-03-03 22:36 ` Zhuoying Cai
2026-02-12 20:43 ` [PATCH v8 21/30] s390x: Guest support for Secure-IPL Code Loading Attributes Facility (SCLAF) Zhuoying Cai
2026-02-17 8:06 ` Markus Armbruster
2026-02-17 8:19 ` Markus Armbruster
2026-02-12 20:43 ` [PATCH v8 22/30] pc-bios/s390-ccw: Add additional security checks for secure boot Zhuoying Cai
2026-03-02 11:24 ` Thomas Huth
2026-03-03 21:17 ` Zhuoying Cai
2026-02-12 20:43 ` [PATCH v8 23/30] Add secure-boot to s390-ccw-virtio machine type option Zhuoying Cai
2026-02-12 20:43 ` [PATCH v8 24/30] hw/s390x/ipl: Set IPIB flags for secure IPL Zhuoying Cai
2026-03-02 11:34 ` Thomas Huth
2026-02-12 20:43 ` [PATCH v8 25/30] pc-bios/s390-ccw: Handle true secure IPL mode Zhuoying Cai
2026-03-02 12:53 ` Thomas Huth
2026-02-12 20:43 ` [PATCH v8 26/30] hw/s390x/ipl: Handle secure boot with multiple boot devices Zhuoying Cai
2026-03-02 12:59 ` Thomas Huth
2026-02-12 20:43 ` [PATCH v8 27/30] hw/s390x/ipl: Handle secure boot without specifying a boot device Zhuoying Cai
2026-02-12 20:43 ` [PATCH v8 28/30] tests/functional/s390x: Add secure IPL functional test Zhuoying Cai
2026-03-02 13:35 ` Thomas Huth
2026-03-03 22:07 ` Zhuoying Cai
2026-02-12 20:43 ` [PATCH v8 29/30] docs/specs: Add secure IPL documentation Zhuoying Cai
2026-03-02 13:45 ` Thomas Huth
2026-02-12 20:43 ` [PATCH v8 30/30] docs/system/s390x: " Zhuoying Cai
2026-02-17 8:06 ` Markus Armbruster
2026-02-17 8:20 ` Markus Armbruster
2026-02-17 20:29 ` Zhuoying Cai
2026-03-02 16:24 ` Thomas Huth
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260212204352.1044699-5-zycai@linux.ibm.com \
--to=zycai@linux.ibm.com \
--cc=alifm@linux.ibm.com \
--cc=armbru@redhat.com \
--cc=berrange@redhat.com \
--cc=borntraeger@linux.ibm.com \
--cc=brueckner@linux.ibm.com \
--cc=david@kernel.org \
--cc=eblake@redhat.com \
--cc=farman@linux.ibm.com \
--cc=iii@linux.ibm.com \
--cc=jjherne@linux.ibm.com \
--cc=jrossi@linux.ibm.com \
--cc=mjrosato@linux.ibm.com \
--cc=pasic@linux.ibm.com \
--cc=qemu-devel@nongnu.org \
--cc=qemu-s390x@nongnu.org \
--cc=richard.henderson@linaro.org \
--cc=thuth@redhat.com \
--cc=walling@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.