From: Zhuoying Cai <zycai@linux.ibm.com>
To: thuth@redhat.com, berrange@redhat.com, jrossi@linux.ibm.com,
qemu-s390x@nongnu.org, qemu-devel@nongnu.org
Cc: richard.henderson@linaro.org, pierrick.bouvier@linaro.org,
david@kernel.org, walling@linux.ibm.com, jjherne@linux.ibm.com,
pasic@linux.ibm.com, borntraeger@linux.ibm.com,
farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com,
eblake@redhat.com, armbru@redhat.com, zycai@linux.ibm.com,
alifm@linux.ibm.com, brueckner@linux.ibm.com,
jdaley@linux.ibm.com
Subject: [PATCH v9 26/30] hw/s390x/ipl: Handle secure boot with multiple boot devices
Date: Thu, 5 Mar 2026 17:41:41 -0500 [thread overview]
Message-ID: <20260305224146.664053-27-zycai@linux.ibm.com> (raw)
In-Reply-To: <20260305224146.664053-1-zycai@linux.ibm.com>
The current approach to enable secure boot relies on providing
secure-boot and boot-certs parameters of s390-ccw-virtio machine
type option, which apply to all boot devices.
With the possibility of multiple boot devices, secure boot expects all
provided devices to be supported and eligible (e.g.,
virtio-blk/virtio-scsi using the SCSI scheme).
If multiple boot devices are provided and include an unsupported (e.g.,
ECKD, VFIO) or a non-eligible (e.g., Net) device, the boot process will
terminate with an error logged to the console.
Signed-off-by: Zhuoying Cai <zycai@linux.ibm.com>
Reviewed-by: Thomas Huth <thuth@redhat.com>
---
hw/s390x/ipl.c | 79 ++++++++++++++++++++++++++++-------------
pc-bios/s390-ccw/main.c | 3 --
2 files changed, 54 insertions(+), 28 deletions(-)
diff --git a/hw/s390x/ipl.c b/hw/s390x/ipl.c
index f8dd50f69d..e46e655ef1 100644
--- a/hw/s390x/ipl.c
+++ b/hw/s390x/ipl.c
@@ -445,6 +445,58 @@ static bool s390_secure_boot_enabled(void)
return S390_CCW_MACHINE(qdev_get_machine())->secure_boot;
}
+static bool s390_validate_secure_boot_device(int devtype, Error **errp)
+{
+ switch (devtype) {
+ case CCW_DEVTYPE_VFIO:
+ error_setg(errp, "Passthrough (vfio) CCW device does not support secure boot!");
+ return false;
+ case CCW_DEVTYPE_VIRTIO_NET:
+ error_setg(errp, "Virtio net boot device does not support secure boot!");
+ return false;
+ default:
+ return true;
+ }
+}
+
+static void s390_apply_secure_boot(IplParameterBlock *iplb, int devtype,
+ bool secure_boot, bool audit_mode)
+{
+ Error *local_error = NULL;
+
+ if (!secure_boot && !audit_mode) {
+ return;
+ }
+
+ if (!s390_validate_secure_boot_device(devtype, &local_error)) {
+ error_report_err(local_error);
+ exit(1);
+ }
+
+ /*
+ * If secure-boot is enabled, then toggle the secure IPL flags (SIPL) to
+ * trigger secure boot in the s390 BIOS.
+ *
+ * Boot process will terminate if any error occurs during secure boot.
+ */
+ if (secure_boot) {
+ iplb->hdr_flags |= DIAG308_IPIB_FLAGS_SIPL;
+ }
+
+ /*
+ * For both secure boot and audit mode, enable the IPL Information
+ * Report (IPLIR) flag so that the firmware generates an IPL
+ * Information Report Block (IIRB).
+ *
+ * Results of secure boot will be stored in IIRB.
+ *
+ * Extend the IPL parameter block to its maximum length to ensure
+ * sufficient space for the BIOS to populate the IIRB.
+ */
+ iplb->hdr_flags |= DIAG308_IPIB_FLAGS_IPLIR;
+ iplb->len = cpu_to_be32(S390_IPLB_MAX_LEN);
+}
+
static bool s390_build_iplb(DeviceState *dev_st, IplParameterBlock *iplb)
{
CcwDevice *ccw_dev = NULL;
@@ -502,31 +554,8 @@ static bool s390_build_iplb(DeviceState *dev_st, IplParameterBlock *iplb)
s390_ipl_convert_loadparm((char *)lp, iplb->loadparm);
iplb->flags |= DIAG308_FLAGS_LP_VALID;
- /*
- * If secure-boot is enabled, then toggle the secure IPL flags to
- * trigger secure boot in the s390 BIOS.
- *
- * Boot process will terminate if any error occurs during secure boot.
- *
- * If SIPL is on, IPLIR must also be on.
- */
- if (s390_secure_boot_enabled()) {
- iplb->hdr_flags |= (DIAG308_IPIB_FLAGS_SIPL | DIAG308_IPIB_FLAGS_IPLIR);
- iplb->len = cpu_to_be32(S390_IPLB_MAX_LEN);
- }
- /*
- * Secure boot in audit mode will perform
- * if certificate(s) exist in the key store.
- *
- * IPL Information Report Block (IIRB) will exist
- * for secure boot in audit mode.
- *
- * Results of secure boot will be stored in IIRB.
- */
- else if (s390_has_certificate()) {
- iplb->hdr_flags |= DIAG308_IPIB_FLAGS_IPLIR;
- iplb->len = cpu_to_be32(S390_IPLB_MAX_LEN);
- }
+ s390_apply_secure_boot(iplb, devtype, s390_secure_boot_enabled(),
+ s390_has_certificate());
return true;
}
diff --git a/pc-bios/s390-ccw/main.c b/pc-bios/s390-ccw/main.c
index 1678ede8fb..6633a2cbaf 100644
--- a/pc-bios/s390-ccw/main.c
+++ b/pc-bios/s390-ccw/main.c
@@ -276,9 +276,6 @@ static void ipl_boot_device(void)
switch (cutype) {
case CU_TYPE_DASD_3990:
case CU_TYPE_DASD_2107:
- IPL_assert((boot_mode == ZIPL_BOOT_MODE_NORMAL),
- "Passthrough (vfio) CCW device does not support secure boot!");
-
dasd_ipl(blk_schid, cutype);
break;
case CU_TYPE_VIRTIO:
--
2.53.0
next prev parent reply other threads:[~2026-03-05 22:45 UTC|newest]
Thread overview: 39+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-05 22:41 [PATCH v9 00/30] Secure IPL Support for SCSI Scheme of virtio-blk/virtio-scsi Devices Zhuoying Cai
2026-03-05 22:41 ` [PATCH v9 01/30] Add boot-certs to s390-ccw-virtio machine type option Zhuoying Cai
2026-03-05 22:41 ` [PATCH v9 02/30] crypto/x509-utils: Refactor with GNUTLS fallback Zhuoying Cai
2026-03-05 22:41 ` [PATCH v9 03/30] crypto/x509-utils: Add helper functions for certificate store Zhuoying Cai
2026-03-05 22:41 ` [PATCH v9 04/30] hw/s390x/ipl: Create " Zhuoying Cai
2026-03-05 22:41 ` [PATCH v9 05/30] s390x/diag: Introduce DIAG 320 for Certificate Store Facility Zhuoying Cai
2026-03-05 22:41 ` [PATCH v9 06/30] s390x/diag: Refactor address validation check from diag308_parm_check Zhuoying Cai
2026-03-05 22:41 ` [PATCH v9 07/30] s390x/diag: Implement DIAG 320 subcode 1 Zhuoying Cai
2026-03-05 22:41 ` [PATCH v9 08/30] crypto/x509-utils: Add helper functions for DIAG 320 subcode 2 Zhuoying Cai
2026-03-05 22:41 ` [PATCH v9 09/30] s390x/diag: Implement " Zhuoying Cai
2026-03-13 19:58 ` Collin Walling
2026-03-16 18:04 ` Zhuoying Cai
2026-03-05 22:41 ` [PATCH v9 10/30] s390x/diag: Introduce DIAG 508 for secure IPL operations Zhuoying Cai
2026-03-05 22:41 ` [PATCH v9 11/30] crypto/x509-utils: Add helper functions for DIAG 508 subcode 1 Zhuoying Cai
2026-03-05 22:41 ` [PATCH v9 12/30] s390x/diag: Implement DIAG 508 subcode 1 for signature verification Zhuoying Cai
2026-03-05 22:41 ` [PATCH v9 13/30] s390x/ipl: Introduce IPL Information Report Block (IIRB) Zhuoying Cai
2026-03-13 20:00 ` Collin Walling
2026-03-05 22:41 ` [PATCH v9 14/30] pc-bios/s390-ccw: Define memory for IPLB and convert IPLB to pointers Zhuoying Cai
2026-03-05 22:41 ` [PATCH v9 15/30] hw/s390x/ipl: Add IPIB flags to IPL Parameter Block Zhuoying Cai
2026-03-05 22:41 ` [PATCH v9 16/30] s390x: Guest support for Secure-IPL Facility Zhuoying Cai
2026-03-05 22:41 ` [PATCH v9 17/30] pc-bios/s390-ccw: Refactor zipl_run() Zhuoying Cai
2026-03-05 22:41 ` [PATCH v9 18/30] pc-bios/s390-ccw: Rework zipl_load_segment function Zhuoying Cai
2026-03-05 22:41 ` [PATCH v9 19/30] pc-bios/s390-ccw: Add signature verification for secure IPL in audit mode Zhuoying Cai
2026-03-17 3:41 ` Collin Walling
2026-03-25 19:11 ` Zhuoying Cai
2026-03-05 22:41 ` [PATCH v9 20/30] pc-bios/s390-ccw: Add signed component address overlap checks Zhuoying Cai
2026-03-17 4:25 ` Collin Walling
2026-03-05 22:41 ` [PATCH v9 21/30] s390x: Guest support for Secure-IPL Code Loading Attributes Facility (SCLAF) Zhuoying Cai
2026-03-05 22:41 ` [PATCH v9 22/30] pc-bios/s390-ccw: Add additional security checks for secure boot Zhuoying Cai
2026-03-17 6:54 ` Collin Walling
2026-03-05 22:41 ` [PATCH v9 23/30] Add secure-boot to s390-ccw-virtio machine type option Zhuoying Cai
2026-03-05 22:41 ` [PATCH v9 24/30] hw/s390x/ipl: Set IPIB flags for secure IPL Zhuoying Cai
2026-03-05 22:41 ` [PATCH v9 25/30] pc-bios/s390-ccw: Handle true secure IPL mode Zhuoying Cai
2026-03-17 7:02 ` Collin Walling
2026-03-05 22:41 ` Zhuoying Cai [this message]
2026-03-05 22:41 ` [PATCH v9 27/30] hw/s390x/ipl: Handle secure boot without specifying a boot device Zhuoying Cai
2026-03-05 22:41 ` [PATCH v9 28/30] tests/functional/s390x: Add secure IPL functional test Zhuoying Cai
2026-03-05 22:41 ` [PATCH v9 29/30] docs/specs: Add secure IPL documentation Zhuoying Cai
2026-03-05 22:41 ` [PATCH v9 30/30] docs/system/s390x: " Zhuoying Cai
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260305224146.664053-27-zycai@linux.ibm.com \
--to=zycai@linux.ibm.com \
--cc=alifm@linux.ibm.com \
--cc=armbru@redhat.com \
--cc=berrange@redhat.com \
--cc=borntraeger@linux.ibm.com \
--cc=brueckner@linux.ibm.com \
--cc=david@kernel.org \
--cc=eblake@redhat.com \
--cc=farman@linux.ibm.com \
--cc=iii@linux.ibm.com \
--cc=jdaley@linux.ibm.com \
--cc=jjherne@linux.ibm.com \
--cc=jrossi@linux.ibm.com \
--cc=mjrosato@linux.ibm.com \
--cc=pasic@linux.ibm.com \
--cc=pierrick.bouvier@linaro.org \
--cc=qemu-devel@nongnu.org \
--cc=qemu-s390x@nongnu.org \
--cc=richard.henderson@linaro.org \
--cc=thuth@redhat.com \
--cc=walling@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox