From: Zhuoying Cai <zycai@linux.ibm.com>
To: thuth@redhat.com, berrange@redhat.com,
richard.henderson@linaro.org, david@redhat.com,
jrossi@linux.ibm.com, qemu-s390x@nongnu.org,
qemu-devel@nongnu.org, brueckner@linux.ibm.com
Cc: walling@linux.ibm.com, jjherne@linux.ibm.com,
pasic@linux.ibm.com, borntraeger@linux.ibm.com,
farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com,
eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com,
alifm@linux.ibm.com
Subject: [PATCH v7 27/29] tests/functional/s390x: Add secure IPL functional test
Date: Mon, 8 Dec 2025 16:32:44 -0500 [thread overview]
Message-ID: <20251208213247.702569-28-zycai@linux.ibm.com> (raw)
In-Reply-To: <20251208213247.702569-1-zycai@linux.ibm.com>
Add functional test for secure IPL.
Signed-off-by: Zhuoying Cai <zycai@linux.ibm.com>
---
tests/functional/s390x/meson.build | 2 +
tests/functional/s390x/test_secure_ipl.py | 140 ++++++++++++++++++++++
2 files changed, 142 insertions(+)
create mode 100644 tests/functional/s390x/test_secure_ipl.py
diff --git a/tests/functional/s390x/meson.build b/tests/functional/s390x/meson.build
index 70cd36e291..cb050f3c01 100644
--- a/tests/functional/s390x/meson.build
+++ b/tests/functional/s390x/meson.build
@@ -2,6 +2,7 @@
test_s390x_timeouts = {
'ccw_virtio' : 420,
+ 'secure_ipl' : 280,
}
tests_s390x_system_quick = [
@@ -12,6 +13,7 @@ tests_s390x_system_thorough = [
'ccw_virtio',
'pxelinux',
'replay',
+ 'secure_ipl',
'topology',
'tuxrun',
]
diff --git a/tests/functional/s390x/test_secure_ipl.py b/tests/functional/s390x/test_secure_ipl.py
new file mode 100644
index 0000000000..c4c7ec3897
--- /dev/null
+++ b/tests/functional/s390x/test_secure_ipl.py
@@ -0,0 +1,140 @@
+#!/usr/bin/env python3
+#
+# s390x Secure IPL functional test: validates secure-boot verification results
+#
+# SPDX-License-Identifier: GPL-2.0-or-later
+
+import os
+import time
+
+from qemu_test import QemuSystemTest, Asset
+from qemu_test import exec_command_and_wait_for_pattern, exec_command
+from qemu_test import wait_for_console_pattern, skipBigDataTest
+from qemu.utils import kvm_available, tcg_available
+
+class S390xSecureIpl(QemuSystemTest):
+ ASSET_F40_QCOW2 = Asset(
+ ('https://archives.fedoraproject.org/pub/archive/'
+ 'fedora-secondary/releases/40/Server/s390x/images/'
+ 'Fedora-Server-KVM-40-1.14.s390x.qcow2'),
+ '091c232a7301be14e19c76ce9a0c1cbd2be2c4157884a731e1fc4f89e7455a5f')
+
+ # Boot a temporary VM to set up secure IPL image:
+ # - Create certificate
+ # - Sign stage3 binary and kernel
+ # - Run zipl
+ # - Extract certificate
+ # Small delay added to allow the guest prompt/filesystem updates to settle
+ def setup_s390x_secure_ipl(self):
+ temp_vm = self.get_vm(name='sipl_setup')
+ temp_vm.set_machine('s390-ccw-virtio')
+ self.require_accelerator('kvm')
+
+ self.qcow2_path = self.ASSET_F40_QCOW2.fetch()
+
+ temp_vm.set_console()
+ temp_vm.add_args('-nographic',
+ '-accel', 'kvm',
+ '-m', '1024',
+ '-drive',
+ f'id=drive0,if=none,format=qcow2,file={self.qcow2_path}',
+ '-device', 'virtio-blk-ccw,drive=drive0,bootindex=1')
+ temp_vm.launch()
+
+ # Initial root account setup (Fedora first boot screen)
+ self.root_password = 'fedora40password'
+ wait_for_console_pattern(self, 'Please make a selection from the above',
+ vm=temp_vm)
+ exec_command_and_wait_for_pattern(self, '4', 'Password:', vm=temp_vm)
+ exec_command_and_wait_for_pattern(self, self.root_password,
+ 'Password (confirm):', vm=temp_vm)
+ exec_command_and_wait_for_pattern(self, self.root_password,
+ 'Please make a selection from the above',
+ vm=temp_vm)
+
+ # Login as root
+ exec_command_and_wait_for_pattern(self, 'c', 'localhost login:', vm=temp_vm)
+ exec_command_and_wait_for_pattern(self, 'root', 'Password:', vm=temp_vm)
+ exec_command_and_wait_for_pattern(self, self.root_password,
+ '[root@localhost ~]#', vm=temp_vm)
+
+ # Certificate generation
+ time.sleep(1)
+ exec_command_and_wait_for_pattern(self,
+ 'openssl version', 'OpenSSL 3.2.1 30',
+ vm=temp_vm)
+ exec_command_and_wait_for_pattern(self,
+ 'openssl req -new -x509 -newkey rsa:2048 '
+ '-keyout mykey.pem -outform PEM -out mycert.pem '
+ '-days 36500 -subj "/CN=My Name/" -nodes -verbose',
+ 'Writing private key to \'mykey.pem\'', vm=temp_vm)
+
+ # Install kernel-devel (needed for sign-file)
+ exec_command_and_wait_for_pattern(self,
+ 'sudo dnf install kernel-devel-$(uname -r) -y',
+ 'Complete!', vm=temp_vm)
+ time.sleep(1)
+ exec_command_and_wait_for_pattern(self,
+ 'ls /usr/src/kernels/$(uname -r)/scripts/',
+ 'sign-file', vm=temp_vm)
+
+ # Sign stage3 binary and kernel
+ exec_command(self, '/usr/src/kernels/$(uname -r)/scripts/sign-file '
+ 'sha256 mykey.pem mycert.pem /lib/s390-tools/stage3.bin',
+ vm=temp_vm)
+ time.sleep(1)
+ exec_command(self, '/usr/src/kernels/$(uname -r)/scripts/sign-file '
+ 'sha256 mykey.pem mycert.pem /boot/vmlinuz-$(uname -r)',
+ vm=temp_vm)
+ time.sleep(1)
+
+ # Run zipl to prepare for secure boot
+ exec_command_and_wait_for_pattern(self, 'zipl --secure 1 -VV', 'Done.',
+ vm=temp_vm)
+
+ # Extract certificate to host
+ out = exec_command_and_wait_for_pattern(self, 'cat mycert.pem',
+ '-----END CERTIFICATE-----',
+ vm=temp_vm)
+ # strip first line to avoid console echo artifacts
+ cert = "\n".join(out.decode("utf-8").splitlines()[1:])
+ self.log.info("%s", cert)
+
+ self.cert_path = self.scratch_file("mycert.pem")
+
+ with open(self.cert_path, 'w') as file_object:
+ file_object.write(cert)
+
+ # Shutdown temp vm
+ temp_vm.shutdown()
+
+ @skipBigDataTest()
+ def test_s390x_secure_ipl(self):
+ self.setup_s390x_secure_ipl()
+
+ self.set_machine('s390-ccw-virtio')
+
+ self.vm.set_console()
+ self.vm.add_args('-nographic',
+ '-machine', 's390-ccw-virtio,secure-boot=on,'
+ f'boot-certs.0.path={self.cert_path}',
+ '-accel', 'kvm',
+ '-m', '1024',
+ '-drive',
+ f'id=drive1,if=none,format=qcow2,file={self.qcow2_path}',
+ '-device', 'virtio-blk-ccw,drive=drive1,bootindex=1')
+ self.vm.launch()
+
+ # Expect two verified components
+ verified_output = "Verified component"
+ wait_for_console_pattern(self, verified_output);
+ wait_for_console_pattern(self, verified_output);
+
+ # Login and verify the vm is booted using secure boot
+ wait_for_console_pattern(self, 'localhost login:')
+ exec_command_and_wait_for_pattern(self, 'root', 'Password:')
+ exec_command_and_wait_for_pattern(self, self.root_password,'[root@localhost ~]#')
+ exec_command_and_wait_for_pattern(self, 'cat /sys/firmware/ipl/secure', '1')
+
+if __name__ == '__main__':
+ QemuSystemTest.main()
--
2.51.1
next prev parent reply other threads:[~2025-12-08 21:36 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-12-08 21:32 [PATCH v7 00/29] Secure IPL Support for SCSI Scheme of virtio-blk/virtio-scsi Devices Zhuoying Cai
2025-12-08 21:32 ` [PATCH v7 01/29] Add boot-certs to s390-ccw-virtio machine type option Zhuoying Cai
2025-12-08 21:32 ` [PATCH v7 02/29] crypto/x509-utils: Refactor with GNUTLS fallback Zhuoying Cai
2025-12-08 21:32 ` [PATCH v7 03/29] crypto/x509-utils: Add helper functions for certificate store Zhuoying Cai
2025-12-08 21:32 ` [PATCH v7 04/29] hw/s390x/ipl: Create " Zhuoying Cai
2025-12-08 21:32 ` [PATCH v7 05/29] s390x/diag: Introduce DIAG 320 for Certificate Store Facility Zhuoying Cai
2025-12-08 21:32 ` [PATCH v7 06/29] s390x/diag: Refactor address validation check from diag308_parm_check Zhuoying Cai
2025-12-08 21:32 ` [PATCH v7 07/29] s390x/diag: Implement DIAG 320 subcode 1 Zhuoying Cai
2025-12-08 21:32 ` [PATCH v7 08/29] crypto/x509-utils: Add helper functions for DIAG 320 subcode 2 Zhuoying Cai
2025-12-08 21:32 ` [PATCH v7 09/29] s390x/diag: Implement " Zhuoying Cai
2025-12-08 21:32 ` [PATCH v7 10/29] s390x/diag: Introduce DIAG 508 for secure IPL operations Zhuoying Cai
2025-12-08 21:32 ` [PATCH v7 11/29] crypto/x509-utils: Add helper functions for DIAG 508 subcode 1 Zhuoying Cai
2025-12-08 21:32 ` [PATCH v7 12/29] s390x/diag: Implement DIAG 508 subcode 1 for signature verification Zhuoying Cai
2025-12-08 21:32 ` [PATCH v7 13/29] pc-bios/s390-ccw: Introduce IPL Information Report Block (IIRB) Zhuoying Cai
2025-12-08 21:32 ` [PATCH v7 14/29] pc-bios/s390-ccw: Define memory for IPLB and convert IPLB to pointers Zhuoying Cai
2025-12-08 21:32 ` [PATCH v7 15/29] hw/s390x/ipl: Add IPIB flags to IPL Parameter Block Zhuoying Cai
2025-12-08 21:32 ` [PATCH v7 16/29] s390x: Guest support for Secure-IPL Facility Zhuoying Cai
2025-12-08 21:32 ` [PATCH v7 17/29] pc-bios/s390-ccw: Refactor zipl_run() Zhuoying Cai
2025-12-08 21:32 ` [PATCH v7 18/29] pc-bios/s390-ccw: Rework zipl_load_segment function Zhuoying Cai
2025-12-08 21:32 ` [PATCH v7 19/29] pc-bios/s390-ccw: Add signature verification for secure IPL in audit mode Zhuoying Cai
2025-12-08 21:32 ` [PATCH v7 20/29] s390x: Guest support for Secure-IPL Code Loading Attributes Facility (SCLAF) Zhuoying Cai
2025-12-08 21:32 ` [PATCH v7 21/29] pc-bios/s390-ccw: Add additional security checks for secure boot Zhuoying Cai
2025-12-08 21:32 ` [PATCH v7 22/29] Add secure-boot to s390-ccw-virtio machine type option Zhuoying Cai
2025-12-08 21:32 ` [PATCH v7 23/29] hw/s390x/ipl: Set IPIB flags for secure IPL Zhuoying Cai
2025-12-08 21:32 ` [PATCH v7 24/29] pc-bios/s390-ccw: Handle true secure IPL mode Zhuoying Cai
2025-12-08 21:32 ` [PATCH v7 25/29] pc-bios/s390-ccw: Handle secure boot with multiple boot devices Zhuoying Cai
2025-12-08 21:32 ` [PATCH v7 26/29] hw/s390x/ipl: Handle secure boot without specifying a boot device Zhuoying Cai
2025-12-08 21:32 ` Zhuoying Cai [this message]
2025-12-08 21:32 ` [PATCH v7 28/29] docs/specs: Add secure IPL documentation Zhuoying Cai
2025-12-08 21:32 ` [PATCH v7 29/29] docs/system/s390x: " Zhuoying Cai
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20251208213247.702569-28-zycai@linux.ibm.com \
--to=zycai@linux.ibm.com \
--cc=alifm@linux.ibm.com \
--cc=armbru@redhat.com \
--cc=berrange@redhat.com \
--cc=borntraeger@linux.ibm.com \
--cc=brueckner@linux.ibm.com \
--cc=david@redhat.com \
--cc=eblake@redhat.com \
--cc=farman@linux.ibm.com \
--cc=iii@linux.ibm.com \
--cc=jjherne@linux.ibm.com \
--cc=jrossi@linux.ibm.com \
--cc=mjrosato@linux.ibm.com \
--cc=pasic@linux.ibm.com \
--cc=qemu-devel@nongnu.org \
--cc=qemu-s390x@nongnu.org \
--cc=richard.henderson@linaro.org \
--cc=thuth@redhat.com \
--cc=walling@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).