From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 0DE61E9B357 for ; Mon, 2 Mar 2026 10:49:08 +0000 (UTC) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1vx0pQ-0001Fo-3E; Mon, 02 Mar 2026 05:48:45 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1vx0pK-0001Eh-AT for qemu-devel@nongnu.org; Mon, 02 Mar 2026 05:48:38 -0500 Received: from us-smtp-delivery-124.mimecast.com ([170.10.129.124]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1vx0pI-0003Lj-9k for qemu-devel@nongnu.org; Mon, 02 Mar 2026 05:48:38 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1772448515; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:autocrypt:autocrypt; bh=JsJGEUug4RjrYFckffTRX0dqIUa3quvxleieDF+iGGI=; b=BETPSsaP9Or4hpucPEaNTgDZgGdkeW8s7/tH2ho+J27EdM2DdXhY88u76fvfnC/Pc30fd0 bMuJMGX8+3iKfKlm2jXYz1xFFcM5higMSraHYopEGdLsQ1iAs/Yloe4eNDv1tydAzxBMmj zO1Hsf4ctMYjypS66FrmRZ1fA/gkVeY= Received: from mx-prod-mc-06.mail-002.prod.us-west-2.aws.redhat.com (ec2-35-165-154-97.us-west-2.compute.amazonaws.com [35.165.154.97]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-549-ydmdrY7wNS2kc5pF1ON3Cw-1; Mon, 02 Mar 2026 05:48:32 -0500 X-MC-Unique: ydmdrY7wNS2kc5pF1ON3Cw-1 X-Mimecast-MFC-AGG-ID: ydmdrY7wNS2kc5pF1ON3Cw_1772448510 Received: from mx-prod-int-06.mail-002.prod.us-west-2.aws.redhat.com (mx-prod-int-06.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.93]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mx-prod-mc-06.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id F19911800464; Mon, 2 Mar 2026 10:48:29 +0000 (UTC) Received: from [10.45.224.162] (unknown [10.45.224.162]) by mx-prod-int-06.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTP id 81F881800666; Mon, 2 Mar 2026 10:48:23 +0000 (UTC) Message-ID: <735836e5-c13f-46ee-8af2-d4d0effe281e@redhat.com> Date: Mon, 2 Mar 2026 11:48:21 +0100 MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: Re: [PATCH v8 19/30] pc-bios/s390-ccw: Add signature verification for secure IPL in audit mode To: Zhuoying Cai , berrange@redhat.com, richard.henderson@linaro.org, jrossi@linux.ibm.com, qemu-s390x@nongnu.org, qemu-devel@nongnu.org Cc: david@kernel.org, walling@linux.ibm.com, jjherne@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com, eblake@redhat.com, armbru@redhat.com, alifm@linux.ibm.com, brueckner@linux.ibm.com References: <20260212204352.1044699-1-zycai@linux.ibm.com> <20260212204352.1044699-20-zycai@linux.ibm.com> From: Thomas Huth Content-Language: en-US Autocrypt: addr=thuth@redhat.com; keydata= xsFNBFH7eUwBEACzyOXKU+5Pcs6wNpKzrlJwzRl3VGZt95VCdb+FgoU9g11m7FWcOafrVRwU yYkTm9+7zBUc0sW5AuPGR/dp3pSLX/yFWsA/UB4nJsHqgDvDU7BImSeiTrnpMOTXb7Arw2a2 4CflIyFqjCpfDM4MuTmzTjXq4Uov1giGE9X6viNo1pxyEpd7PanlKNnf4PqEQp06X4IgUacW tSGj6Gcns1bCuHV8OPWLkf4hkRnu8hdL6i60Yxz4E6TqlrpxsfYwLXgEeswPHOA6Mn4Cso9O 0lewVYfFfsmokfAVMKWzOl1Sr0KGI5T9CpmRfAiSHpthhHWnECcJFwl72NTi6kUcUzG4se81 O6n9d/kTj7pzTmBdfwuOZ0YUSqcqs0W+l1NcASSYZQaDoD3/SLk+nqVeCBB4OnYOGhgmIHNW 0CwMRO/GK+20alxzk//V9GmIM2ACElbfF8+Uug3pqiHkVnKqM7W9/S1NH2qmxB6zMiJUHlTH gnVeZX0dgH27mzstcF786uPcdEqS0KJuxh2kk5IvUSL3Qn3ZgmgdxBMyCPciD/1cb7/Ahazr 3ThHQXSHXkH/aDXdfLsKVuwDzHLVSkdSnZdt5HHh75/NFHxwaTlydgfHmFFwodK8y/TjyiGZ zg2Kje38xnz8zKn9iesFBCcONXS7txENTzX0z80WKBhK+XSFJwARAQABzR5UaG9tYXMgSHV0 aCA8dGh1dGhAcmVkaGF0LmNvbT7CwXgEEwECACIFAlVgX6oCGwMGCwkIBwMCBhUIAgkKCwQW AgMBAh4BAheAAAoJEC7Z13T+cC21EbIP/ii9cvT2HHGbFRl8HqGT6+7Wkb+XLMqJBMAIGiQK QIP3xk1HPTsLfVG0ao4hy/oYkGNOP8+ubLnZen6Yq3zAFiMhQ44lvgigDYJo3Ve59gfe99KX EbtB+X95ODARkq0McR6OAsPNJ7gpEUzfkQUUJTXRDQXfG/FX303Gvk+YU0spm2tsIKPl6AmV 1CegDljzjycyfJbk418MQmMu2T82kjrkEofUO2a24ed3VGC0/Uz//XCR2ZTo+vBoBUQl41BD eFFtoCSrzo3yPFS+w5fkH9NT8ChdpSlbNS32NhYQhJtr9zjWyFRf0Zk+T/1P7ECn6gTEkp5k ofFIA4MFBc/fXbaDRtBmPB0N9pqTFApIUI4vuFPPO0JDrII9dLwZ6lO9EKiwuVlvr1wwzsgq zJTPBU3qHaUO4d/8G+gD7AL/6T4zi8Jo/GmjBsnYaTzbm94lf0CjXjsOX3seMhaE6WAZOQQG tZHAO1kAPWpaxne+wtgMKthyPLNwelLf+xzGvrIKvLX6QuLoWMnWldu22z2ICVnLQChlR9d6 WW8QFEpo/FK7omuS8KvvopFcOOdlbFMM8Y/8vBgVMSsK6fsYUhruny/PahprPbYGiNIhKqz7 UvgyZVl4pBFjTaz/SbimTk210vIlkDyy1WuS8Zsn0htv4+jQPgo9rqFE4mipJjy/iboDzsFN BFH7eUwBEAC2nzfUeeI8dv0C4qrfCPze6NkryUflEut9WwHhfXCLjtvCjnoGqFelH/PE9NF4 4VPSCdvD1SSmFVzu6T9qWdcwMSaC+e7G/z0/AhBfqTeosAF5XvKQlAb9ZPkdDr7YN0a1XDfa +NgA+JZB4ROyBZFFAwNHT+HCnyzy0v9Sh3BgJJwfpXHH2l3LfncvV8rgFv0bvdr70U+On2XH 5bApOyW1WpIG5KPJlDdzcQTyptOJ1dnEHfwnABEfzI3dNf63rlxsGouX/NFRRRNqkdClQR3K gCwciaXfZ7ir7fF0u1N2UuLsWA8Ei1JrNypk+MRxhbvdQC4tyZCZ8mVDk+QOK6pyK2f4rMf/ WmqxNTtAVmNuZIwnJdjRMMSs4W4w6N/bRvpqtykSqx7VXcgqtv6eqoDZrNuhGbekQA0sAnCJ VPArerAZGArm63o39me/bRUQeQVSxEBmg66yshF9HkcUPGVeC4B0TPwz+HFcVhheo6hoJjLq knFOPLRj+0h+ZL+D0GenyqD3CyuyeTT5dGcNU9qT74bdSr20k/CklvI7S9yoQje8BeQAHtdV cvO8XCLrpGuw9SgOS7OP5oI26a0548M4KldAY+kqX6XVphEw3/6U1KTf7WxW5zYLTtadjISB X9xsRWSU+Yqs3C7oN5TIPSoj9tXMoxZkCIHWvnqGwZ7JhwARAQABwsFfBBgBAgAJBQJR+3lM AhsMAAoJEC7Z13T+cC21hPAQAIsBL9MdGpdEpvXs9CYrBkd6tS9mbaSWj6XBDfA1AEdQkBOn ZH1Qt7HJesk+qNSnLv6+jP4VwqK5AFMrKJ6IjE7jqgzGxtcZnvSjeDGPF1h2CKZQPpTw890k fy18AvgFHkVk2Oylyexw3aOBsXg6ukN44vIFqPoc+YSU0+0QIdYJp/XFsgWxnFIMYwDpxSHS 5fdDxUjsk3UBHZx+IhFjs2siVZi5wnHIqM7eK9abr2cK2weInTBwXwqVWjsXZ4tq5+jQrwDK cvxIcwXdUTLGxc4/Z/VRH1PZSvfQxdxMGmNTGaXVNfdFZjm4fz0mz+OUi6AHC4CZpwnsliGV ODqwX8Y1zic9viSTbKS01ZNp175POyWViUk9qisPZB7ypfSIVSEULrL347qY/hm9ahhqmn17 Ng255syASv3ehvX7iwWDfzXbA0/TVaqwa1YIkec+/8miicV0zMP9siRcYQkyTqSzaTFBBmqD oiT+z+/E59qj/EKfyce3sbC9XLjXv3mHMrq1tKX4G7IJGnS989E/fg6crv6NHae9Ckm7+lSs IQu4bBP2GxiRQ+NV3iV/KU3ebMRzqIC//DCOxzQNFNJAKldPe/bKZMCxEqtVoRkuJtNdp/5a yXFZ6TfE1hGKrDBYAm4vrnZ4CXFSBDllL59cFFOJCkn4Xboj/aVxxJxF30bn In-Reply-To: <20260212204352.1044699-20-zycai@linux.ibm.com> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit X-Scanned-By: MIMEDefang 3.4.1 on 10.30.177.93 Received-SPF: pass client-ip=170.10.129.124; envelope-from=thuth@redhat.com; helo=us-smtp-delivery-124.mimecast.com X-Spam_score_int: -8 X-Spam_score: -0.9 X-Spam_bar: / X-Spam_report: (-0.9 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RCVD_IN_VALIDITY_CERTIFIED_BLOCKED=0.012, RCVD_IN_VALIDITY_RPBL_BLOCKED=1.188, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001 autolearn=no autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: qemu development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org Sender: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org On 12/02/2026 21.43, Zhuoying Cai wrote: > Enable secure IPL in audit mode, which performs signature verification, > but any error does not terminate the boot process. Only warnings will be > logged to the console instead. > > Add a comp_len variable to store the length of a segment in > zipl_load_segment. comp_len variable is necessary to store the > calculated segment length and is used during signature verification. > Return the length on success, or a negative return code on failure. > > Secure IPL in audit mode requires at least one certificate provided in > the key store along with necessary facilities (Secure IPL Facility, > Certificate Store Facility and secure IPL extension support). > > Note: Secure IPL in audit mode is implemented for the SCSI scheme of > virtio-blk/virtio-scsi devices. > > Signed-off-by: Zhuoying Cai > --- ... > diff --git a/pc-bios/s390-ccw/s390-ccw.h b/pc-bios/s390-ccw/s390-ccw.h > index b1dc35cded..1b43817af9 100644 > --- a/pc-bios/s390-ccw/s390-ccw.h > +++ b/pc-bios/s390-ccw/s390-ccw.h > @@ -39,6 +39,9 @@ typedef unsigned long long u64; > #define MIN_NON_ZERO(a, b) ((a) == 0 ? (b) : \ > ((b) == 0 ? (a) : (MIN(a, b)))) > #endif > +#ifndef ROUND_UP > +#define ROUND_UP(n, d) (((n) + (d) - 1) & -(0 ? (n) : (d))) > +#endif That reason for the "0 ?" is quite hard to understand without any comments ... it would be nice if you could add a similar remark here as we have it already in osdep.h for the corresponding macro. > #define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0])) > > @@ -64,6 +67,8 @@ void sclp_print(const char *string); > void sclp_set_write_mask(uint32_t receive_mask, uint32_t send_mask); > void sclp_setup(void); > void sclp_get_loadparm_ascii(char *loadparm); > +bool sclp_is_diag320_on(void); > +bool sclp_is_sipl_on(void); > int sclp_read(char *str, size_t count); > > /* virtio.c */ > @@ -76,6 +81,15 @@ int virtio_read(unsigned long sector, void *load_addr); > /* bootmap.c */ > void zipl_load(void); > > +typedef enum ZiplBootMode { > + ZIPL_BOOT_MODE_NORMAL = 0, > + ZIPL_BOOT_MODE_SECURE_AUDIT = 1, > +} ZiplBootMode; > + > +extern ZiplBootMode boot_mode; > + > +ZiplBootMode get_boot_mode(uint8_t hdr_flags); > + > /* jump2ipl.c */ > void write_reset_psw(uint64_t psw); > int jump_to_IPL_code(uint64_t address); > diff --git a/pc-bios/s390-ccw/sclp.c b/pc-bios/s390-ccw/sclp.c > index 4a07de018d..f7514b0245 100644 > --- a/pc-bios/s390-ccw/sclp.c > +++ b/pc-bios/s390-ccw/sclp.c > @@ -113,6 +113,49 @@ void sclp_get_loadparm_ascii(char *loadparm) > } > } > > +static void sclp_get_fac134(uint8_t *fac134) > +{ > + ReadInfo *sccb = (void *)_sccb; > + > + memset((char *)_sccb, 0, sizeof(ReadInfo)); > + sccb->h.length = SCCB_SIZE; > + if (!sclp_service_call(SCLP_CMDW_READ_SCP_INFO, sccb)) { > + *fac134 = sccb->fac134; > + } > +} > + > +bool sclp_is_diag320_on(void) > +{ > + uint8_t fac134 = 0; > + > + sclp_get_fac134(&fac134); > + return fac134 & SCCB_FAC134_DIAG320_BIT; > +} Unless you want to use sclp_get_fac134() later in other spots, too, I'd maybe merge its code directly into the sclp_is_diag320_on() function instead. ... > diff --git a/pc-bios/s390-ccw/secure-ipl.c b/pc-bios/s390-ccw/secure-ipl.c > new file mode 100644 > index 0000000000..1d5c2d40ce > --- /dev/null > +++ b/pc-bios/s390-ccw/secure-ipl.c > @@ -0,0 +1,356 @@ > +/* > + * S/390 Secure IPL > + * > + * Functions to support IPL in secure boot mode (DIAG 320, DIAG 508, > + * signature verification, and certificate handling). > + * > + * For secure IPL overview: docs/system/s390x/secure-ipl.rst > + * For secure IPL technical: docs/specs/s390x-secure-ipl.rst > + * > + * Copyright 2025 IBM Corp. > + * Author(s): Zhuoying Cai > + * > + * SPDX-License-Identifier: GPL-2.0-or-later > + */ > + > +#include > +#include > +#include > +#include "bootmap.h" > +#include "s390-ccw.h" > +#include "secure-ipl.h" > + > +uint8_t vcssb_data[VCSSB_MIN_LEN] __attribute__((__aligned__(PAGE_SIZE))); Please mark the array as "static" unless you want to use it from another file later. > +VCStorageSizeBlock *zipl_secure_get_vcssb(void) > +{ > + VCStorageSizeBlock *vcssb; > + > + vcssb = (VCStorageSizeBlock *)vcssb_data; > + /* avoid retrieving vcssb multiple times */ > + if (vcssb->length >= VCSSB_MIN_LEN) { So in case we find VCSSB_MIN_LEN, we assume that it is ok ... > + return vcssb; > + } > + > + if (!is_cert_store_facility_supported()) { > + puts("Certificate Store Facility is not supported by the hypervisor!"); > + return NULL; > + } > + > + vcssb->length = VCSSB_MIN_LEN; ... and here we set VCSSB_MIN_LEN ... > + if (diag320(vcssb, DIAG_320_SUBC_QUERY_VCSI) != DIAG_320_RC_OK) { ... but in case of errors, we leave the VCSSB_MIN_LEN in the buffer, so the next time this function gets called we will assume the buffer is fine, though the initialization failed for the first time. ==> I think you need to reset vcssb->length here or add some different logic to avoid this situation. > + return NULL; > + } > + > + return vcssb; > +} Thomas