From: Zhuoying Cai <zycai@linux.ibm.com>
To: qemu-s390x@nongnu.org, qemu-devel@nongnu.org
Cc: jrossi@linux.ibm.com, cohuck@redhat.com, berrange@redhat.com,
richard.henderson@linaro.org, david@kernel.org,
walling@linux.ibm.com, jjherne@linux.ibm.com,
pasic@linux.ibm.com, borntraeger@linux.ibm.com,
farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com,
eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com,
alifm@linux.ibm.com, brueckner@linux.ibm.com,
pierrick.bouvier@oss.qualcomm.com, jdaley@linux.ibm.com
Subject: [PATCH v13 09/33] s390x/diag: Implement DIAG 320 subcode 2
Date: Thu, 2 Jul 2026 22:29:07 -0400 [thread overview]
Message-ID: <20260703022933.1805010-10-zycai@linux.ibm.com> (raw)
In-Reply-To: <20260703022933.1805010-1-zycai@linux.ibm.com>
DIAG 320 subcode 2 provides verification-certificates (VCs) that are in the
certificate store. Only X509 certificates in DER format and SHA-256 hash
type are recognized.
The subcode value is denoted by setting the second-left-most bit
of an 8-byte field.
The Verification Certificate Block (VCB) contains the output data
when the operation completes successfully. It includes a common
header followed by zero or more Verification Certificate Entries (VCEs),
depending on the VCB input length and the VC range (from the first VC
index to the last VC index) in the certificate store.
Each VCE contains information about a certificate retrieved from
the S390IPLCertificateStore, such as the certificate name, key type,
key ID length, hash length, and the raw certificate data.
The key ID and hash are extracted from the raw certificate by the crypto API.
Note: SHA2-256 VC hash type is required for retrieving the hash
(fingerprint) of the certificate.
Signed-off-by: Zhuoying Cai <zycai@linux.ibm.com>
Reviewed-by: Eric Farman <farman@linux.ibm.com>
---
docs/specs/s390x-secure-ipl.rst | 24 +++
include/hw/s390x/ipl/diag320.h | 38 ++++
target/s390x/diag.c | 316 +++++++++++++++++++++++++++++++-
3 files changed, 377 insertions(+), 1 deletion(-)
diff --git a/docs/specs/s390x-secure-ipl.rst b/docs/specs/s390x-secure-ipl.rst
index d5d4c3a24d..a17bb0ab55 100644
--- a/docs/specs/s390x-secure-ipl.rst
+++ b/docs/specs/s390x-secure-ipl.rst
@@ -42,3 +42,27 @@ Subcode 1 - query verification certificate storage information
The output is returned in the verification-certificate-storage-size block
(VCSSB). A VCSSB length of 4 indicates that no certificates are available
in the CS.
+
+Subcode 2 - store verification certificates
+ Provides VCs that are in the certificate store.
+
+ The output is provided in a VCB, which includes a common header followed by
+ zero or more verification-certificate entries (VCEs).
+
+ The instruction expects the cert store to maintain an origin of 1 for the
+ index (i.e. a retrieval of the first certificate in the store should be
+ denoted by setting first-VC to 1).
+
+ The first-VC and last-VC fields of the VCB specify the index range of
+ VCs to be stored in the VCB. Certs are stored sequentially, starting
+ with first-VC index. As each cert is stored, a "stored count" is
+ incremented. If there is not enough space to store all certs requested
+ by the index range, a "remaining count" will be recorded and no more
+ certificates will be stored.
+
+ Each VCE contains a header followed by information extracted from a
+ certificate within the certificate store. The information includes:
+ key-id, hash, and certificate data. This information is stored
+ contiguously in a VCE (with zero-padding). Following the header, the
+ key-id is immediately stored. The hash and certificate data follow and
+ may be accessed via the respective offset fields stored in the VCE.
diff --git a/include/hw/s390x/ipl/diag320.h b/include/hw/s390x/ipl/diag320.h
index d37d8eaa86..7fda2d44fd 100644
--- a/include/hw/s390x/ipl/diag320.h
+++ b/include/hw/s390x/ipl/diag320.h
@@ -12,19 +12,45 @@
#define DIAG_320_SUBC_QUERY_ISM 0
#define DIAG_320_SUBC_QUERY_VCSI 1
+#define DIAG_320_SUBC_STORE_VC 2
#define DIAG_320_RC_OK 0x0001
#define DIAG_320_RC_NOT_SUPPORTED 0x0102
#define DIAG_320_RC_INVAL_VCSSB_LEN 0x0202
+#define DIAG_320_RC_INVAL_VCB_LEN 0x0204
+#define DIAG_320_RC_BAD_RANGE 0x0302
#define DIAG_320_ISM_QUERY_SUBCODES 0x80000000
#define DIAG_320_ISM_QUERY_VCSI 0x40000000
+#define DIAG_320_ISM_STORE_VC 0x20000000
#define VCSSB_NO_VC 4
#define VCSSB_LEN_VALID 128
#define CERT_NAME_MAX_LEN 64
+/*
+ * If the VCE flags indicate an invalid certificate,
+ * the VCE length is set to 72, containing only the
+ * first five fields of VCEntry.
+ */
+#define VCE_INVALID_LEN 72
+
+#define DIAG_320_VCE_FLAGS_VALID 0x80
+
+typedef enum Diag320VceKeyType {
+ DIAG_320_VCE_KEYTYPE_SELF_DESCRIBING = 0,
+ DIAG_320_VCE_KEYTYPE_ECDSA_P521 = 1,
+} Diag320VceKeyType;
+
+typedef enum Diag320VceFormat {
+ DIAG_320_VCE_FORMAT_X509_DER = 1,
+} Diag320VceFormat;
+
+typedef enum Diag320VceHashType {
+ DIAG_320_VCE_HASHTYPE_SHA2_256 = 1,
+} Diag320VceHashType;
+
struct VCStorageSizeBlock {
uint32_t length;
uint8_t reserved0[3];
@@ -60,6 +86,12 @@ struct VCEntryHeader {
};
typedef struct VCEntryHeader VCEntryHeader;
+struct VCEntry {
+ VCEntryHeader vce_hdr;
+ uint8_t cert_buf[];
+};
+typedef struct VCEntry VCEntry;
+
struct VCBlockHeader {
uint32_t in_len;
uint32_t reserved0;
@@ -74,4 +106,10 @@ struct VCBlockHeader {
};
typedef struct VCBlockHeader VCBlockHeader;
+struct VCBlock {
+ VCBlockHeader vcb_hdr;
+ uint8_t vce_buf[];
+};
+typedef struct VCBlock VCBlock;
+
#endif
diff --git a/target/s390x/diag.c b/target/s390x/diag.c
index 228956ab13..c072daca3a 100644
--- a/target/s390x/diag.c
+++ b/target/s390x/diag.c
@@ -17,13 +17,16 @@
#include "s390x-internal.h"
#include "hw/watchdog/wdt_diag288.h"
#include "system/cpus.h"
+#include "hw/s390x/cert-store.h"
#include "hw/s390x/ipl.h"
#include "hw/s390x/ipl/diag320.h"
#include "hw/s390x/s390-virtio-ccw.h"
#include "system/kvm.h"
#include "kvm/kvm_s390x.h"
#include "target/s390x/kvm/pv.h"
+#include "qapi/error.h"
#include "qemu/error-report.h"
+#include "crypto/x509-utils.h"
static inline bool diag_parm_addr_valid(uint64_t addr, size_t size, bool write)
@@ -241,8 +244,306 @@ static int handle_diag320_query_vcsi(S390CPU *cpu, uint64_t addr, uint64_t r1,
return DIAG_320_RC_OK;
}
+static bool is_cert_valid(const S390IPLCertificate *cert)
+{
+ int rc;
+ Error *err = NULL;
+
+ rc = qcrypto_x509_check_cert_times(cert->raw, cert->size, &err);
+ if (rc != 0) {
+ error_report_err(err);
+ return false;
+ }
+
+ return true;
+}
+
+static int handle_key_id(VCEntry *vce, const S390IPLCertificate *cert)
+{
+ int rc;
+ g_autofree unsigned char *key_id_data = NULL;
+ size_t key_id_len;
+ Error *err = NULL;
+
+ rc = qcrypto_x509_get_cert_key_id(cert->raw, cert->size,
+ QCRYPTO_HASH_ALGO_SHA256,
+ &key_id_data, &key_id_len, &err);
+ if (rc < 0) {
+ error_report_err(err);
+ return 0;
+ }
+
+ if (sizeof(VCEntryHeader) + key_id_len > be32_to_cpu(vce->vce_hdr.len)) {
+ error_report("Unable to write key ID: exceeds buffer bounds");
+ return 0;
+ }
+
+ vce->vce_hdr.keyid_len = cpu_to_be16(key_id_len);
+
+ memcpy(vce->cert_buf, key_id_data, key_id_len);
+
+ return ROUND_UP(key_id_len, 4);
+}
+
+static int handle_hash(VCEntry *vce, const S390IPLCertificate *cert,
+ uint16_t keyid_field_len)
+{
+ int rc;
+ uint16_t hash_offset;
+ g_autofree void *hash_data = NULL;
+ size_t hash_len;
+ Error *err = NULL;
+
+ hash_len = CERT_HASH_LEN;
+ hash_data = g_malloc0(hash_len);
+ rc = qcrypto_get_x509_cert_fingerprint(cert->raw, cert->size,
+ QCRYPTO_HASH_ALGO_SHA256,
+ hash_data, &hash_len, &err);
+ if (rc < 0) {
+ error_report_err(err);
+ return 0;
+ }
+
+ hash_offset = sizeof(VCEntryHeader) + keyid_field_len;
+ if (hash_offset + hash_len > be32_to_cpu(vce->vce_hdr.len)) {
+ error_report("Unable to write hash: exceeds buffer bounds");
+ return 0;
+ }
+
+ vce->vce_hdr.hash_len = cpu_to_be16(hash_len);
+ vce->vce_hdr.hash_type = DIAG_320_VCE_HASHTYPE_SHA2_256;
+ vce->vce_hdr.hash_offset = cpu_to_be16(hash_offset);
+
+ memcpy((uint8_t *)vce + hash_offset, hash_data, hash_len);
+
+ return ROUND_UP(hash_len, 4);
+}
+
+static int handle_cert(VCEntry *vce, const S390IPLCertificate *cert,
+ uint16_t hash_field_len)
+{
+ int rc;
+ uint16_t cert_offset;
+ g_autofree uint8_t *cert_der = NULL;
+ size_t der_size;
+ Error *err = NULL;
+
+ rc = qcrypto_x509_convert_cert_der(cert->raw, cert->size,
+ &cert_der, &der_size, &err);
+ if (rc < 0) {
+ error_report_err(err);
+ return 0;
+ }
+
+ cert_offset = be16_to_cpu(vce->vce_hdr.hash_offset) + hash_field_len;
+ if (cert_offset + der_size > be32_to_cpu(vce->vce_hdr.len)) {
+ error_report("Unable to write certificate: exceeds buffer bounds");
+ return 0;
+ }
+
+ vce->vce_hdr.format = DIAG_320_VCE_FORMAT_X509_DER;
+ vce->vce_hdr.cert_len = cpu_to_be32(der_size);
+ vce->vce_hdr.cert_offset = cpu_to_be16(cert_offset);
+
+ memcpy((uint8_t *)vce + cert_offset, cert_der, der_size);
+
+ return ROUND_UP(der_size, 4);
+}
+
+static int get_key_type(const S390IPLCertificate *cert)
+{
+ int rc;
+ Error *err = NULL;
+
+ rc = qcrypto_x509_check_ecc_curve_p521(cert->raw, cert->size, &err);
+ if (rc == -1) {
+ error_report_err(err);
+ return -1;
+ }
+
+ return (rc == 1) ? DIAG_320_VCE_KEYTYPE_ECDSA_P521 :
+ DIAG_320_VCE_KEYTYPE_SELF_DESCRIBING;
+}
+
+static int build_vce_header(VCEntry *vce, const S390IPLCertificate *cert, int idx)
+{
+ int key_type;
+
+ vce->vce_hdr.len = cpu_to_be32(sizeof(VCEntryHeader));
+ vce->vce_hdr.cert_idx = cpu_to_be16(idx + 1);
+ memcpy(vce->vce_hdr.name, cert->name, CERT_NAME_MAX_LEN);
+
+ if (!is_cert_valid(cert)) {
+ return -1;
+ }
+
+ key_type = get_key_type(cert);
+ if (key_type == -1) {
+ return -1;
+ }
+ vce->vce_hdr.key_type = key_type;
+
+ return 0;
+}
+
+static int build_vce_data(VCEntry *vce, const S390IPLCertificate *cert,
+ uint32_t vce_max_len)
+{
+ uint16_t keyid_field_len;
+ uint16_t hash_field_len;
+ uint32_t cert_field_len;
+ uint32_t vce_len;
+
+ vce->vce_hdr.len = cpu_to_be32(vce_max_len);
+
+ keyid_field_len = handle_key_id(vce, cert);
+ if (!keyid_field_len) {
+ return -1;
+ }
+
+ hash_field_len = handle_hash(vce, cert, keyid_field_len);
+ if (!hash_field_len) {
+ return -1;
+ }
+
+ cert_field_len = handle_cert(vce, cert, hash_field_len);
+ if (!cert_field_len) {
+ return -1;
+ }
+
+ vce_len = sizeof(VCEntryHeader) + keyid_field_len + hash_field_len + cert_field_len;
+ if (vce_len > vce_max_len) {
+ return -1;
+ }
+
+ vce->vce_hdr.flags |= DIAG_320_VCE_FLAGS_VALID;
+
+ /* Update vce length to reflect the actual size used by vce */
+ vce->vce_hdr.len = cpu_to_be32(vce_len);
+
+ return 0;
+}
+
+static int handle_diag320_store_vc(S390CPU *cpu, uint64_t addr, uint64_t r1, uintptr_t ra,
+ S390IPLCertificateStore *cs)
+{
+ g_autofree VCBlockHeader *vcb_hdr = NULL;
+ size_t remaining_space;
+ uint16_t first_vc_index;
+ uint16_t last_vc_index;
+ int cs_start_index;
+ int cs_end_index;
+ uint32_t vce_max_len;
+ uint32_t vce_len;
+ uint32_t in_len;
+
+ vcb_hdr = g_new0(VCBlockHeader, 1);
+ if (s390_cpu_virt_mem_read(cpu, addr, r1, vcb_hdr, sizeof(*vcb_hdr))) {
+ s390_cpu_virt_mem_handle_exc(cpu, ra);
+ return -1;
+ }
+
+ in_len = be32_to_cpu(vcb_hdr->in_len);
+ first_vc_index = be16_to_cpu(vcb_hdr->first_vc_index);
+ last_vc_index = be16_to_cpu(vcb_hdr->last_vc_index);
+
+ if (in_len % TARGET_PAGE_SIZE != 0) {
+ return DIAG_320_RC_INVAL_VCB_LEN;
+ }
+
+ if (first_vc_index > last_vc_index) {
+ return DIAG_320_RC_BAD_RANGE;
+ }
+
+ vcb_hdr->out_len = sizeof(VCBlockHeader);
+
+ /*
+ * DIAG 320 subcode 2 expects to query a certificate store that
+ * maintains an index origin of 1. However, the S390IPLCertificateStore
+ * maintains an index origin of 0. Thus, the indices must be adjusted
+ * for correct access into the cert store. A couple of special cases
+ * must also be accounted for.
+ */
+
+ /* Both indices are 0; return header with no certs */
+ if (first_vc_index == 0 && last_vc_index == 0) {
+ goto out;
+ }
+
+ /* Normalize indices */
+ cs_start_index = (first_vc_index == 0) ? 0 : first_vc_index - 1;
+ cs_end_index = last_vc_index - 1;
+
+ /* Requested range is outside the cert store; return header with no certs */
+ if (cs_start_index >= cs->count || cs_end_index >= cs->count) {
+ goto out;
+ }
+
+ remaining_space = in_len - sizeof(VCBlockHeader);
+
+ for (int i = cs_start_index; i <= cs_end_index; i++) {
+ const S390IPLCertificate *cert = &cs->certs[i];
+ /*
+ * Each field of the VCE is word-aligned.
+ * Allocate enough space for the largest possible size for this VCE.
+ * As the certificate fields (key-id, hash, data) are parsed, the
+ * VCE's length field will be updated accordingly.
+ */
+ vce_max_len = sizeof(VCEntryHeader) + ROUND_UP(CERT_KEY_ID_LEN, 4) +
+ ROUND_UP(CERT_HASH_LEN, 4) + ROUND_UP(cert->der_size, 4);
+ g_autofree VCEntry *vce = g_malloc0(vce_max_len);
+
+ /*
+ * Bit 0 of the VCE flags indicates whether the certificate is valid.
+ * The caller of DIAG320 subcode 2 is responsible for verifying that
+ * the VCE contains a valid certificate.
+ */
+ if (build_vce_header(vce, cert, i) || build_vce_data(vce, cert, vce_max_len)) {
+ /*
+ * Error occurs - VCE does not contain a valid certificate.
+ * Bit 0 of the VCE flags is 0 and the VCE length is set.
+ */
+ vce->vce_hdr.len = cpu_to_be32(VCE_INVALID_LEN);
+ }
+ vce_len = be32_to_cpu(vce->vce_hdr.len);
+
+ /*
+ * If there is no more space to store the cert,
+ * set the remaining verification cert count and
+ * break early.
+ */
+ if (remaining_space < vce_len) {
+ vcb_hdr->remain_ct = cpu_to_be16(last_vc_index - i);
+ break;
+ }
+
+ /* Write VCE */
+ if (s390_cpu_virt_mem_write(cpu, addr + vcb_hdr->out_len, r1, vce, vce_len)) {
+ s390_cpu_virt_mem_handle_exc(cpu, ra);
+ return -1;
+ }
+
+ vcb_hdr->out_len += vce_len;
+ remaining_space -= vce_len;
+ vcb_hdr->stored_ct++;
+ }
+ vcb_hdr->stored_ct = cpu_to_be16(vcb_hdr->stored_ct);
+
+out:
+ vcb_hdr->out_len = cpu_to_be32(vcb_hdr->out_len);
+
+ if (s390_cpu_virt_mem_write(cpu, addr, r1, vcb_hdr, sizeof(VCBlockHeader))) {
+ s390_cpu_virt_mem_handle_exc(cpu, ra);
+ return -1;
+ }
+
+ return DIAG_320_RC_OK;
+}
+
QEMU_BUILD_BUG_MSG(sizeof(VCStorageSizeBlock) != VCSSB_LEN_VALID,
"size of VCStorageSizeBlock is wrong");
+QEMU_BUILD_BUG_MSG(sizeof(VCBlock) != 64, "size of VCBlock is wrong");
+QEMU_BUILD_BUG_MSG(sizeof(VCEntry) != 128, "size of VCEntry is wrong");
void handle_diag_320(CPUS390XState *env, uint64_t r1, uint64_t r3, uintptr_t ra)
{
@@ -273,7 +574,8 @@ void handle_diag_320(CPUS390XState *env, uint64_t r1, uint64_t r3, uintptr_t ra)
* for now.
*/
uint32_t ism_word0 = cpu_to_be32(DIAG_320_ISM_QUERY_SUBCODES |
- DIAG_320_ISM_QUERY_VCSI);
+ DIAG_320_ISM_QUERY_VCSI |
+ DIAG_320_ISM_STORE_VC);
if (s390_cpu_virt_mem_write(cpu, addr, r1, &ism_word0, sizeof(ism_word0))) {
s390_cpu_virt_mem_handle_exc(cpu, ra);
@@ -299,6 +601,18 @@ void handle_diag_320(CPUS390XState *env, uint64_t r1, uint64_t r3, uintptr_t ra)
}
env->regs[r1 + 1] = rc;
break;
+ case DIAG_320_SUBC_STORE_VC:
+ if (addr & ~TARGET_PAGE_MASK) {
+ s390_program_interrupt(env, PGM_SPECIFICATION, ra);
+ return;
+ }
+
+ rc = handle_diag320_store_vc(cpu, addr, r1, ra, cs);
+ if (rc == -1) {
+ return;
+ }
+ env->regs[r1 + 1] = rc;
+ break;
default:
env->regs[r1 + 1] = DIAG_320_RC_NOT_SUPPORTED;
break;
--
2.54.0
next prev parent reply other threads:[~2026-07-03 2:30 UTC|newest]
Thread overview: 45+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-03 2:28 [PATCH v13 00/33] Secure IPL Support for SCSI Scheme of virtio-blk/virtio-scsi Devices Zhuoying Cai
2026-07-03 2:28 ` [PATCH v13 01/33] Add boot-certs to s390-ccw-virtio machine type option Zhuoying Cai
2026-07-03 13:24 ` Matthew Rosato
2026-07-03 2:29 ` [PATCH v13 02/33] crypto/x509-utils: Refactor with GNUTLS fallback Zhuoying Cai
2026-07-03 2:29 ` [PATCH v13 03/33] crypto/x509-utils: Add helper functions for certificate store Zhuoying Cai
2026-07-03 2:29 ` [PATCH v13 04/33] hw/s390x/ipl: Create " Zhuoying Cai
2026-07-03 16:56 ` Matthew Rosato
2026-07-03 2:29 ` [PATCH v13 05/33] s390x/diag: Introduce DIAG 320 for Certificate Store Facility Zhuoying Cai
2026-07-03 2:29 ` [PATCH v13 06/33] s390x/diag: Refactor address validation check from diag308_parm_check Zhuoying Cai
2026-07-03 2:29 ` [PATCH v13 07/33] s390x/diag: Implement DIAG 320 subcode 1 Zhuoying Cai
2026-07-03 2:29 ` [PATCH v13 08/33] crypto/x509-utils: Add helper functions for DIAG 320 subcode 2 Zhuoying Cai
2026-07-03 2:29 ` Zhuoying Cai [this message]
2026-07-03 2:29 ` [PATCH v13 10/33] hw/s390x: Define finite size for single entry VCEntry Zhuoying Cai
2026-07-03 2:29 ` [PATCH v13 11/33] s390x/diag: Introduce DIAG 508 for secure IPL operations Zhuoying Cai
2026-07-03 2:29 ` [PATCH v13 12/33] crypto/x509-utils: Add helper functions for DIAG 508 subcode 1 Zhuoying Cai
2026-07-03 2:29 ` [PATCH v13 13/33] s390x/diag: Generalize s390_ipl_read/write to accept void * Zhuoying Cai
2026-07-03 2:29 ` [PATCH v13 14/33] s390x/diag: Implement DIAG 508 subcode 1 for signature verification Zhuoying Cai
2026-07-03 2:29 ` [PATCH v13 15/33] s390x/ipl: Introduce IPL Information Report Block (IIRB) Zhuoying Cai
2026-07-03 2:29 ` [PATCH v13 16/33] pc-bios/s390-ccw: Define memory for IPLB and convert IPLB to pointers Zhuoying Cai
2026-07-03 2:29 ` [PATCH v13 17/33] hw/s390x/ipl: Add IPIB flags to IPL Parameter Block Zhuoying Cai
2026-07-03 2:29 ` [PATCH v13 18/33] hw/s390x/ipl: Rework s390_ipl_map_iplb_chain for certificate storage Zhuoying Cai
2026-07-03 13:47 ` Eric Farman
2026-07-03 2:29 ` [PATCH v13 19/33] s390x: Guest support for Secure-IPL Facility Zhuoying Cai
2026-07-03 2:29 ` [PATCH v13 20/33] pc-bios/s390-ccw: Refactor zipl_run() Zhuoying Cai
2026-07-03 2:40 ` Philippe Mathieu-Daudé
2026-07-03 2:29 ` [PATCH v13 21/33] pc-bios/s390-ccw: Rework zipl_load_segment function Zhuoying Cai
2026-07-03 2:38 ` Philippe Mathieu-Daudé
2026-07-03 14:28 ` Zhuoying Cai
2026-07-03 2:29 ` [PATCH v13 22/33] pc-bios/s390-ccw: Introduce ZiplBootMode enum for IPL mode selection Zhuoying Cai
2026-07-03 2:29 ` [PATCH v13 23/33] pc-bios/s390-ccw: Add signature verification for secure IPL in audit mode Zhuoying Cai
2026-07-03 11:40 ` Eric Farman
2026-07-03 13:56 ` Zhuoying Cai
2026-07-04 0:43 ` Eric Farman
2026-07-03 13:58 ` Eric Farman
2026-07-03 2:29 ` [PATCH v13 24/33] pc-bios/s390-ccw: Add signed component address overlap checks Zhuoying Cai
2026-07-03 2:29 ` [PATCH v13 25/33] s390x: Guest support for Secure-IPL Code Loading Attributes Facility (SCLAF) Zhuoying Cai
2026-07-03 2:29 ` [PATCH v13 26/33] pc-bios/s390-ccw: Add additional security checks for secure boot Zhuoying Cai
2026-07-03 12:17 ` Eric Farman
2026-07-03 2:29 ` [PATCH v13 27/33] Add secure-boot to s390-ccw-virtio machine type option Zhuoying Cai
2026-07-03 2:29 ` [PATCH v13 28/33] hw/s390x/ipl: Set IPIB flags for secure IPL Zhuoying Cai
2026-07-03 2:29 ` [PATCH v13 29/33] pc-bios/s390-ccw: Handle true secure IPL mode Zhuoying Cai
2026-07-03 2:29 ` [PATCH v13 30/33] hw/s390x/ipl: Handle secure boot with multiple boot devices Zhuoying Cai
2026-07-03 2:29 ` [PATCH v13 31/33] tests/functional/s390x: Add secure IPL functional test Zhuoying Cai
2026-07-03 2:29 ` [PATCH v13 32/33] docs/specs: Add secure IPL documentation Zhuoying Cai
2026-07-03 2:29 ` [PATCH v13 33/33] docs/system/s390x: " Zhuoying Cai
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260703022933.1805010-10-zycai@linux.ibm.com \
--to=zycai@linux.ibm.com \
--cc=alifm@linux.ibm.com \
--cc=armbru@redhat.com \
--cc=berrange@redhat.com \
--cc=borntraeger@linux.ibm.com \
--cc=brueckner@linux.ibm.com \
--cc=cohuck@redhat.com \
--cc=david@kernel.org \
--cc=eblake@redhat.com \
--cc=farman@linux.ibm.com \
--cc=iii@linux.ibm.com \
--cc=jdaley@linux.ibm.com \
--cc=jjherne@linux.ibm.com \
--cc=jrossi@linux.ibm.com \
--cc=mjrosato@linux.ibm.com \
--cc=pasic@linux.ibm.com \
--cc=pierrick.bouvier@oss.qualcomm.com \
--cc=qemu-devel@nongnu.org \
--cc=qemu-s390x@nongnu.org \
--cc=richard.henderson@linaro.org \
--cc=walling@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.