From: Zhuoying Cai <zycai@linux.ibm.com>
To: thuth@redhat.com, berrange@redhat.com,
richard.henderson@linaro.org, david@redhat.com,
jrossi@linux.ibm.com, qemu-s390x@nongnu.org,
qemu-devel@nongnu.org, brueckner@linux.ibm.com
Cc: walling@linux.ibm.com, jjherne@linux.ibm.com,
pasic@linux.ibm.com, borntraeger@linux.ibm.com,
farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com,
eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com,
alifm@linux.ibm.com
Subject: [PATCH v7 25/29] pc-bios/s390-ccw: Handle secure boot with multiple boot devices
Date: Mon, 8 Dec 2025 16:32:42 -0500 [thread overview]
Message-ID: <20251208213247.702569-26-zycai@linux.ibm.com> (raw)
In-Reply-To: <20251208213247.702569-1-zycai@linux.ibm.com>
The current approach to enable secure boot relies on providing
secure-boot and boot-certs parameters of s390-ccw-virtio machine
type option, which apply to all boot devices.
With the possibility of multiple boot devices, secure boot expects all
provided devices to be supported and eligible (e.g.,
virtio-blk/virtio-scsi using the SCSI scheme).
If multiple boot devices are provided and include an unsupported (e.g.,
ECKD, VFIO) or a non-eligible (e.g., Net) device, the boot process will
terminate with an error logged to the console.
Signed-off-by: Zhuoying Cai <zycai@linux.ibm.com>
---
pc-bios/s390-ccw/bootmap.c | 31 +++++++++-------
pc-bios/s390-ccw/main.c | 73 ++++++++++++++++++++++++++++++++++---
pc-bios/s390-ccw/s390-ccw.h | 1 +
3 files changed, 86 insertions(+), 19 deletions(-)
diff --git a/pc-bios/s390-ccw/bootmap.c b/pc-bios/s390-ccw/bootmap.c
index cc9a8cec6a..e3c12697e0 100644
--- a/pc-bios/s390-ccw/bootmap.c
+++ b/pc-bios/s390-ccw/bootmap.c
@@ -1139,25 +1139,35 @@ ZiplBootMode zipl_mode(uint8_t hdr_flags)
return ZIPL_BOOT_MODE_NORMAL;
}
+int zipl_check_scsi_mbr_magic(void)
+{
+ ScsiMbr *mbr = (void *)sec;
+
+ /* Grab the MBR */
+ memset(sec, FREE_SPACE_FILLER, sizeof(sec));
+ if (virtio_read(0, mbr)) {
+ puts("Cannot read block 0");
+ return -EIO;
+ }
+
+ if (!magic_match(mbr->magic, ZIPL_MAGIC)) {
+ return -1;
+ }
+
+ return 0;
+}
+
void zipl_load(void)
{
VDev *vdev = virtio_get_device();
if (vdev->is_cdrom) {
- if (boot_mode == ZIPL_BOOT_MODE_SECURE_AUDIT ||
- boot_mode == ZIPL_BOOT_MODE_SECURE) {
- panic("Secure boot from ISO image is not supported!");
- }
ipl_iso_el_torito();
puts("Failed to IPL this ISO image!");
return;
}
if (virtio_get_device_type() == VIRTIO_ID_NET) {
- if (boot_mode == ZIPL_BOOT_MODE_SECURE_AUDIT ||
- boot_mode == ZIPL_BOOT_MODE_SECURE) {
- panic("Virtio net boot device does not support secure boot!");
- }
netmain();
puts("Failed to IPL from this network!");
return;
@@ -1168,11 +1178,6 @@ void zipl_load(void)
return;
}
- if (boot_mode == ZIPL_BOOT_MODE_SECURE_AUDIT ||
- boot_mode == ZIPL_BOOT_MODE_SECURE) {
- panic("ECKD boot device does not support secure boot!");
- }
-
switch (virtio_get_device_type()) {
case VIRTIO_ID_BLOCK:
zipl_load_vblk();
diff --git a/pc-bios/s390-ccw/main.c b/pc-bios/s390-ccw/main.c
index 5cea9d3ac7..7ce4761d34 100644
--- a/pc-bios/s390-ccw/main.c
+++ b/pc-bios/s390-ccw/main.c
@@ -271,8 +271,43 @@ static int virtio_setup(void)
return ret;
}
-static void ipl_boot_device(void)
+static void validate_secure_boot_device(void)
+{
+ switch (cutype) {
+ case CU_TYPE_DASD_3990:
+ case CU_TYPE_DASD_2107:
+ panic("Passthrough (vfio) CCW device does not support secure boot!");
+ break;
+ case CU_TYPE_VIRTIO:
+ if (virtio_setup() == 0) {
+ VDev *vdev = virtio_get_device();
+
+ if (vdev->is_cdrom) {
+ panic("Secure boot from ISO image is not supported!");
+ }
+
+ if (virtio_get_device_type() == VIRTIO_ID_NET) {
+ panic("Virtio net boot device does not support secure boot!");
+ }
+
+ if (zipl_check_scsi_mbr_magic()) {
+ panic("ECKD boot device does not support secure boot!");
+ }
+ }
+ break;
+ default:
+ panic("Secure boot from unexpected device type is not supported!");
+ }
+
+ printf("SCSI boot device supports secure boot.\n");
+}
+
+static void check_secure_boot_support(void)
{
+ bool have_iplb_copy;
+ IplParameterBlock *iplb_copy;
+ QemuIplParameters qipl_copy;
+
if (boot_mode == ZIPL_BOOT_MODE_UNSPECIFIED) {
boot_mode = zipl_mode(iplb->hdr_flags);
}
@@ -281,14 +316,38 @@ static void ipl_boot_device(void)
panic("Need at least one certificate for secure boot!");
}
+ if (boot_mode == ZIPL_BOOT_MODE_NORMAL) {
+ return;
+ }
+
+ /*
+ * Store copies of have_iplb, iplb and qipl.
+ * They will be updated in load_next_iplb().
+ */
+ have_iplb_copy = have_iplb;
+ iplb_copy = malloc(sizeof(IplParameterBlock));
+
+ memcpy(&qipl_copy, &qipl, sizeof(QemuIplParameters));
+ memcpy(iplb_copy, iplb, sizeof(IplParameterBlock));
+
+ while (have_iplb_copy) {
+ if (have_iplb_copy && find_boot_device()) {
+ validate_secure_boot_device();
+ }
+ have_iplb_copy = load_next_iplb();
+ }
+
+ memcpy(&qipl, &qipl_copy, sizeof(QemuIplParameters));
+ memcpy(iplb, iplb_copy, sizeof(IplParameterBlock));
+
+ free(iplb_copy);
+}
+
+static void ipl_boot_device(void)
+{
switch (cutype) {
case CU_TYPE_DASD_3990:
case CU_TYPE_DASD_2107:
- if (boot_mode == ZIPL_BOOT_MODE_SECURE_AUDIT ||
- boot_mode == ZIPL_BOOT_MODE_SECURE) {
- panic("Passthrough (vfio) CCW device does not support secure boot!");
- }
-
dasd_ipl(blk_schid, cutype);
break;
case CU_TYPE_VIRTIO:
@@ -338,6 +397,8 @@ void main(void)
probe_boot_device();
}
+ check_secure_boot_support();
+
while (have_iplb) {
boot_setup();
if (have_iplb && find_boot_device()) {
diff --git a/pc-bios/s390-ccw/s390-ccw.h b/pc-bios/s390-ccw/s390-ccw.h
index 389cc8ea7c..3009104686 100644
--- a/pc-bios/s390-ccw/s390-ccw.h
+++ b/pc-bios/s390-ccw/s390-ccw.h
@@ -93,6 +93,7 @@ typedef enum ZiplBootMode {
extern ZiplBootMode boot_mode;
ZiplBootMode zipl_mode(uint8_t hdr_flags);
+int zipl_check_scsi_mbr_magic(void);
/* jump2ipl.c */
void write_reset_psw(uint64_t psw);
--
2.51.1
next prev parent reply other threads:[~2025-12-08 21:36 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-12-08 21:32 [PATCH v7 00/29] Secure IPL Support for SCSI Scheme of virtio-blk/virtio-scsi Devices Zhuoying Cai
2025-12-08 21:32 ` [PATCH v7 01/29] Add boot-certs to s390-ccw-virtio machine type option Zhuoying Cai
2025-12-08 21:32 ` [PATCH v7 02/29] crypto/x509-utils: Refactor with GNUTLS fallback Zhuoying Cai
2025-12-08 21:32 ` [PATCH v7 03/29] crypto/x509-utils: Add helper functions for certificate store Zhuoying Cai
2025-12-08 21:32 ` [PATCH v7 04/29] hw/s390x/ipl: Create " Zhuoying Cai
2025-12-08 21:32 ` [PATCH v7 05/29] s390x/diag: Introduce DIAG 320 for Certificate Store Facility Zhuoying Cai
2025-12-08 21:32 ` [PATCH v7 06/29] s390x/diag: Refactor address validation check from diag308_parm_check Zhuoying Cai
2025-12-08 21:32 ` [PATCH v7 07/29] s390x/diag: Implement DIAG 320 subcode 1 Zhuoying Cai
2025-12-08 21:32 ` [PATCH v7 08/29] crypto/x509-utils: Add helper functions for DIAG 320 subcode 2 Zhuoying Cai
2025-12-08 21:32 ` [PATCH v7 09/29] s390x/diag: Implement " Zhuoying Cai
2025-12-08 21:32 ` [PATCH v7 10/29] s390x/diag: Introduce DIAG 508 for secure IPL operations Zhuoying Cai
2025-12-08 21:32 ` [PATCH v7 11/29] crypto/x509-utils: Add helper functions for DIAG 508 subcode 1 Zhuoying Cai
2025-12-08 21:32 ` [PATCH v7 12/29] s390x/diag: Implement DIAG 508 subcode 1 for signature verification Zhuoying Cai
2025-12-08 21:32 ` [PATCH v7 13/29] pc-bios/s390-ccw: Introduce IPL Information Report Block (IIRB) Zhuoying Cai
2025-12-08 21:32 ` [PATCH v7 14/29] pc-bios/s390-ccw: Define memory for IPLB and convert IPLB to pointers Zhuoying Cai
2025-12-08 21:32 ` [PATCH v7 15/29] hw/s390x/ipl: Add IPIB flags to IPL Parameter Block Zhuoying Cai
2025-12-08 21:32 ` [PATCH v7 16/29] s390x: Guest support for Secure-IPL Facility Zhuoying Cai
2025-12-08 21:32 ` [PATCH v7 17/29] pc-bios/s390-ccw: Refactor zipl_run() Zhuoying Cai
2025-12-08 21:32 ` [PATCH v7 18/29] pc-bios/s390-ccw: Rework zipl_load_segment function Zhuoying Cai
2025-12-08 21:32 ` [PATCH v7 19/29] pc-bios/s390-ccw: Add signature verification for secure IPL in audit mode Zhuoying Cai
2025-12-08 21:32 ` [PATCH v7 20/29] s390x: Guest support for Secure-IPL Code Loading Attributes Facility (SCLAF) Zhuoying Cai
2025-12-08 21:32 ` [PATCH v7 21/29] pc-bios/s390-ccw: Add additional security checks for secure boot Zhuoying Cai
2025-12-08 21:32 ` [PATCH v7 22/29] Add secure-boot to s390-ccw-virtio machine type option Zhuoying Cai
2025-12-08 21:32 ` [PATCH v7 23/29] hw/s390x/ipl: Set IPIB flags for secure IPL Zhuoying Cai
2025-12-08 21:32 ` [PATCH v7 24/29] pc-bios/s390-ccw: Handle true secure IPL mode Zhuoying Cai
2025-12-08 21:32 ` Zhuoying Cai [this message]
2025-12-08 21:32 ` [PATCH v7 26/29] hw/s390x/ipl: Handle secure boot without specifying a boot device Zhuoying Cai
2025-12-08 21:32 ` [PATCH v7 27/29] tests/functional/s390x: Add secure IPL functional test Zhuoying Cai
2025-12-08 21:32 ` [PATCH v7 28/29] docs/specs: Add secure IPL documentation Zhuoying Cai
2025-12-08 21:32 ` [PATCH v7 29/29] docs/system/s390x: " Zhuoying Cai
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20251208213247.702569-26-zycai@linux.ibm.com \
--to=zycai@linux.ibm.com \
--cc=alifm@linux.ibm.com \
--cc=armbru@redhat.com \
--cc=berrange@redhat.com \
--cc=borntraeger@linux.ibm.com \
--cc=brueckner@linux.ibm.com \
--cc=david@redhat.com \
--cc=eblake@redhat.com \
--cc=farman@linux.ibm.com \
--cc=iii@linux.ibm.com \
--cc=jjherne@linux.ibm.com \
--cc=jrossi@linux.ibm.com \
--cc=mjrosato@linux.ibm.com \
--cc=pasic@linux.ibm.com \
--cc=qemu-devel@nongnu.org \
--cc=qemu-s390x@nongnu.org \
--cc=richard.henderson@linaro.org \
--cc=thuth@redhat.com \
--cc=walling@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).