From: Zhuoying Cai <zycai@linux.ibm.com>
To: thuth@redhat.com, berrange@redhat.com,
richard.henderson@linaro.org, david@redhat.com,
jrossi@linux.ibm.com, qemu-s390x@nongnu.org,
qemu-devel@nongnu.org, brueckner@linux.ibm.com
Cc: walling@linux.ibm.com, jjherne@linux.ibm.com,
pasic@linux.ibm.com, borntraeger@linux.ibm.com,
farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com,
eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com,
alifm@linux.ibm.com
Subject: [PATCH v7 22/29] Add secure-boot to s390-ccw-virtio machine type option
Date: Mon, 8 Dec 2025 16:32:39 -0500 [thread overview]
Message-ID: <20251208213247.702569-23-zycai@linux.ibm.com> (raw)
In-Reply-To: <20251208213247.702569-1-zycai@linux.ibm.com>
Add secure-boot as a parameter of s390-ccw-virtio machine type option.
The `secure-boot=on|off` parameter is implemented to enable secure IPL.
By default, secure-boot is set to false if not specified in
the command line.
Signed-off-by: Zhuoying Cai <zycai@linux.ibm.com>
---
docs/system/s390x/secure-ipl.rst | 22 +++++++++++++++++-----
hw/s390x/s390-virtio-ccw.c | 22 ++++++++++++++++++++++
include/hw/s390x/s390-virtio-ccw.h | 1 +
qemu-options.hx | 6 +++++-
4 files changed, 45 insertions(+), 6 deletions(-)
diff --git a/docs/system/s390x/secure-ipl.rst b/docs/system/s390x/secure-ipl.rst
index 8958a51f0b..675724d324 100644
--- a/docs/system/s390x/secure-ipl.rst
+++ b/docs/system/s390x/secure-ipl.rst
@@ -19,19 +19,31 @@ Note: certificate files must have a .pem extension.
qemu-system-s390x -machine s390-ccw-virtio,boot-certs.0.path=/.../qemu/certs,boot-certs.1.path=/another/path/cert.pem ...
+Enabling Secure IPL
+-------------------
+
+Secure IPL is enabled by explicitly setting ``secure-boot=on``; if not
+specified, secure boot is considered off.
+
+.. code-block:: shell
+
+ qemu-system-s390x -machine s390-ccw-virtio,secure-boot=on|off
+
IPL Modes
=========
Multiple IPL modes are available to differentiate between the various IPL
-configurations. These modes are mutually exclusive and enabled based on the
-``boot-certs`` option on the QEMU command line.
+configurations. These modes are mutually exclusive and enabled based on specific
+combinations of the ``secure-boot`` and ``boot-certs`` options on the QEMU
+command line.
Normal Mode
-----------
-The absence of certificates will attempt to IPL a guest without secure IPL
-operations. No checks are performed, and no warnings/errors are reported.
-This is the default mode.
+The absence of both certificates and the ``secure-boot`` option will attempt to
+IPL a guest without secure IPL operations. No checks are performed, and no
+warnings/errors are reported. This is the default mode, and can be explicitly
+enabled with ``secure-boot=off``.
Configuration:
diff --git a/hw/s390x/s390-virtio-ccw.c b/hw/s390x/s390-virtio-ccw.c
index d880613fe7..7957dae1b0 100644
--- a/hw/s390x/s390-virtio-ccw.c
+++ b/hw/s390x/s390-virtio-ccw.c
@@ -803,6 +803,21 @@ static void machine_set_boot_certs(Object *obj, Visitor *v, const char *name,
ms->boot_certs = cert_list;
}
+static inline bool machine_get_secure_boot(Object *obj, Error **errp)
+{
+ S390CcwMachineState *ms = S390_CCW_MACHINE(obj);
+
+ return ms->secure_boot;
+}
+
+static inline void machine_set_secure_boot(Object *obj, bool value,
+ Error **errp)
+{
+ S390CcwMachineState *ms = S390_CCW_MACHINE(obj);
+
+ ms->secure_boot = value;
+}
+
static void ccw_machine_class_init(ObjectClass *oc, const void *data)
{
MachineClass *mc = MACHINE_CLASS(oc);
@@ -861,6 +876,13 @@ static void ccw_machine_class_init(ObjectClass *oc, const void *data)
machine_get_boot_certs, machine_set_boot_certs, NULL, NULL);
object_class_property_set_description(oc, "boot-certs",
"provide paths to a directory and/or a certificate file for secure boot");
+
+ object_class_property_add_bool(oc, "secure-boot",
+ machine_get_secure_boot,
+ machine_set_secure_boot);
+ object_class_property_set_description(oc, "secure-boot",
+ "enable/disable secure boot");
+
}
static inline void s390_machine_initfn(Object *obj)
diff --git a/include/hw/s390x/s390-virtio-ccw.h b/include/hw/s390x/s390-virtio-ccw.h
index 7c30ba22cb..4e9c08d9d9 100644
--- a/include/hw/s390x/s390-virtio-ccw.h
+++ b/include/hw/s390x/s390-virtio-ccw.h
@@ -29,6 +29,7 @@ struct S390CcwMachineState {
bool aes_key_wrap;
bool dea_key_wrap;
bool pv;
+ bool secure_boot;
uint8_t loadparm[8];
uint64_t memory_limit;
uint64_t max_pagesize;
diff --git a/qemu-options.hx b/qemu-options.hx
index 06ce35e58b..23bccb9a3c 100644
--- a/qemu-options.hx
+++ b/qemu-options.hx
@@ -45,7 +45,8 @@ DEF("machine", HAS_ARG, QEMU_OPTION_machine, \
" memory-backend='backend-id' specifies explicitly provided backend for main RAM (default=none)\n"
" cxl-fmw.0.targets.0=firsttarget,cxl-fmw.0.targets.1=secondtarget,cxl-fmw.0.size=size[,cxl-fmw.0.interleave-granularity=granularity]\n"
" smp-cache.0.cache=cachename,smp-cache.0.topology=topologylevel\n"
- " boot-certs.0.path=/path/directory,boot-certs.1.path=/path/file provides paths to a directory and/or a certificate file\n",
+ " boot-certs.0.path=/path/directory,boot-certs.1.path=/path/file provides paths to a directory and/or a certificate file\n"
+ " secure-boot=on|off enable/disable secure boot (default=off) \n",
QEMU_ARCH_ALL)
SRST
``-machine [type=]name[,prop=value[,...]]``
@@ -209,6 +210,9 @@ SRST
``boot-certs.0.path=/path/directory,boot-certs.1.path=/path/file``
Provide paths to a directory and/or a certificate file on the host [s390x only].
+
+ ``secure-boot=on|off``
+ Enables or disables secure boot on s390-ccw guest. The default is off.
ERST
DEF("M", HAS_ARG, QEMU_OPTION_M,
--
2.51.1
next prev parent reply other threads:[~2025-12-08 21:37 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-12-08 21:32 [PATCH v7 00/29] Secure IPL Support for SCSI Scheme of virtio-blk/virtio-scsi Devices Zhuoying Cai
2025-12-08 21:32 ` [PATCH v7 01/29] Add boot-certs to s390-ccw-virtio machine type option Zhuoying Cai
2025-12-08 21:32 ` [PATCH v7 02/29] crypto/x509-utils: Refactor with GNUTLS fallback Zhuoying Cai
2025-12-08 21:32 ` [PATCH v7 03/29] crypto/x509-utils: Add helper functions for certificate store Zhuoying Cai
2025-12-08 21:32 ` [PATCH v7 04/29] hw/s390x/ipl: Create " Zhuoying Cai
2025-12-08 21:32 ` [PATCH v7 05/29] s390x/diag: Introduce DIAG 320 for Certificate Store Facility Zhuoying Cai
2025-12-08 21:32 ` [PATCH v7 06/29] s390x/diag: Refactor address validation check from diag308_parm_check Zhuoying Cai
2025-12-08 21:32 ` [PATCH v7 07/29] s390x/diag: Implement DIAG 320 subcode 1 Zhuoying Cai
2025-12-08 21:32 ` [PATCH v7 08/29] crypto/x509-utils: Add helper functions for DIAG 320 subcode 2 Zhuoying Cai
2025-12-08 21:32 ` [PATCH v7 09/29] s390x/diag: Implement " Zhuoying Cai
2025-12-08 21:32 ` [PATCH v7 10/29] s390x/diag: Introduce DIAG 508 for secure IPL operations Zhuoying Cai
2025-12-08 21:32 ` [PATCH v7 11/29] crypto/x509-utils: Add helper functions for DIAG 508 subcode 1 Zhuoying Cai
2025-12-08 21:32 ` [PATCH v7 12/29] s390x/diag: Implement DIAG 508 subcode 1 for signature verification Zhuoying Cai
2025-12-08 21:32 ` [PATCH v7 13/29] pc-bios/s390-ccw: Introduce IPL Information Report Block (IIRB) Zhuoying Cai
2025-12-08 21:32 ` [PATCH v7 14/29] pc-bios/s390-ccw: Define memory for IPLB and convert IPLB to pointers Zhuoying Cai
2025-12-08 21:32 ` [PATCH v7 15/29] hw/s390x/ipl: Add IPIB flags to IPL Parameter Block Zhuoying Cai
2025-12-08 21:32 ` [PATCH v7 16/29] s390x: Guest support for Secure-IPL Facility Zhuoying Cai
2025-12-08 21:32 ` [PATCH v7 17/29] pc-bios/s390-ccw: Refactor zipl_run() Zhuoying Cai
2025-12-08 21:32 ` [PATCH v7 18/29] pc-bios/s390-ccw: Rework zipl_load_segment function Zhuoying Cai
2025-12-08 21:32 ` [PATCH v7 19/29] pc-bios/s390-ccw: Add signature verification for secure IPL in audit mode Zhuoying Cai
2025-12-08 21:32 ` [PATCH v7 20/29] s390x: Guest support for Secure-IPL Code Loading Attributes Facility (SCLAF) Zhuoying Cai
2025-12-08 21:32 ` [PATCH v7 21/29] pc-bios/s390-ccw: Add additional security checks for secure boot Zhuoying Cai
2025-12-08 21:32 ` Zhuoying Cai [this message]
2025-12-08 21:32 ` [PATCH v7 23/29] hw/s390x/ipl: Set IPIB flags for secure IPL Zhuoying Cai
2025-12-08 21:32 ` [PATCH v7 24/29] pc-bios/s390-ccw: Handle true secure IPL mode Zhuoying Cai
2025-12-08 21:32 ` [PATCH v7 25/29] pc-bios/s390-ccw: Handle secure boot with multiple boot devices Zhuoying Cai
2025-12-08 21:32 ` [PATCH v7 26/29] hw/s390x/ipl: Handle secure boot without specifying a boot device Zhuoying Cai
2025-12-08 21:32 ` [PATCH v7 27/29] tests/functional/s390x: Add secure IPL functional test Zhuoying Cai
2025-12-08 21:32 ` [PATCH v7 28/29] docs/specs: Add secure IPL documentation Zhuoying Cai
2025-12-08 21:32 ` [PATCH v7 29/29] docs/system/s390x: " Zhuoying Cai
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20251208213247.702569-23-zycai@linux.ibm.com \
--to=zycai@linux.ibm.com \
--cc=alifm@linux.ibm.com \
--cc=armbru@redhat.com \
--cc=berrange@redhat.com \
--cc=borntraeger@linux.ibm.com \
--cc=brueckner@linux.ibm.com \
--cc=david@redhat.com \
--cc=eblake@redhat.com \
--cc=farman@linux.ibm.com \
--cc=iii@linux.ibm.com \
--cc=jjherne@linux.ibm.com \
--cc=jrossi@linux.ibm.com \
--cc=mjrosato@linux.ibm.com \
--cc=pasic@linux.ibm.com \
--cc=qemu-devel@nongnu.org \
--cc=qemu-s390x@nongnu.org \
--cc=richard.henderson@linaro.org \
--cc=thuth@redhat.com \
--cc=walling@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).