From: Zhuoying Cai <zycai@linux.ibm.com>
To: Jared Rossi <jrossi@linux.ibm.com>,
thuth@redhat.com, berrange@redhat.com,
richard.henderson@linaro.org, david@redhat.com,
qemu-s390x@nongnu.org, qemu-devel@nongnu.org
Cc: walling@linux.ibm.com, jjherne@linux.ibm.com,
pasic@linux.ibm.com, borntraeger@linux.ibm.com,
farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com,
eblake@redhat.com, armbru@redhat.com, alifm@linux.ibm.com
Subject: Re: [PATCH v5 04/29] hw/s390x/ipl: Create certificate store
Date: Thu, 28 Aug 2025 10:31:31 -0400 [thread overview]
Message-ID: <41aa6001-efb4-4cb7-822c-0606ab7673e7@linux.ibm.com> (raw)
In-Reply-To: <9d246121-b9d4-488a-b084-c9dc59868383@linux.ibm.com>
On 8/26/25 9:40 AM, Jared Rossi wrote:
>
>
> On 8/18/25 5:42 PM, Zhuoying Cai wrote:
>> Create a certificate store for boot certificates used for secure IPL.
>>
>> Load certificates from the `boot-certs` parameter of s390-ccw-virtio
>> machine type option into the cert store.
>>
>> Currently, only X.509 certificates in PEM format are supported, as the
>> QEMU command line accepts certificates in PEM format only.
>>
>> Signed-off-by: Zhuoying Cai <zycai@linux.ibm.com>
>> ---
>> hw/s390x/cert-store.c | 201 ++++++++++++++++++++++++++++++++++++
>> hw/s390x/cert-store.h | 38 +++++++
>> hw/s390x/ipl.c | 9 ++
>> hw/s390x/ipl.h | 3 +
>> hw/s390x/meson.build | 1 +
>> include/hw/s390x/ipl/qipl.h | 2 +
>> 6 files changed, 254 insertions(+)
>> create mode 100644 hw/s390x/cert-store.c
>> create mode 100644 hw/s390x/cert-store.h
>>
>> diff --git a/hw/s390x/cert-store.c b/hw/s390x/cert-store.c
>> new file mode 100644
>> index 0000000000..81e748a912
>> --- /dev/null
>> +++ b/hw/s390x/cert-store.c
>> @@ -0,0 +1,201 @@
>> +/*
>> + * S390 certificate store implementation
>> + *
>> + * Copyright 2025 IBM Corp.
>> + * Author(s): Zhuoying Cai <zycai@linux.ibm.com>
>> + *
>> + * SPDX-License-Identifier: GPL-2.0-or-later
>> + */
>> +
>> +#include "qemu/osdep.h"
>> +#include "cert-store.h"
>> +#include "qapi/error.h"
>> +#include "qemu/error-report.h"
>> +#include "qemu/option.h"
>> +#include "qemu/config-file.h"
>> +#include "hw/s390x/ebcdic.h"
>> +#include "hw/s390x/s390-virtio-ccw.h"
>> +#include "qemu/cutils.h"
>> +#include "crypto/x509-utils.h"
>> +#include "qapi/qapi-types-machine-s390x.h"
>> +
>> +static BootCertPathList *s390_get_boot_certs(void)
>> +{
>> + return S390_CCW_MACHINE(qdev_get_machine())->boot_certs;
>> +}
>> +
>> +static size_t cert2buf(char *path, char **cert_buf)
>> +{
>> + size_t size;
>> +
>> + if (!g_file_get_contents(path, cert_buf, &size, NULL) || size == 0) {
>> + return 0;
>> + }
>> +
>> + return size;
>> +}
>> +
>> +static S390IPLCertificate *init_cert_x509(size_t size, uint8_t *raw, Error **errp)
>> +{
>> + S390IPLCertificate *q_cert = NULL;
>> + g_autofree uint8_t *cert_der = NULL;
>> + size_t der_len = size;
>> + int rc;
>> +
>> + rc = qcrypto_x509_convert_cert_der(raw, size, &cert_der, &der_len, errp);
>> + if (rc != 0) {
>> + return NULL;
>> + }
>> +
>> + q_cert = g_new0(S390IPLCertificate, 1);
>> + q_cert->size = size;
>> + q_cert->der_size = der_len;
>> + q_cert->key_id_size = QCRYPTO_HASH_DIGEST_LEN_SHA256;
>> + q_cert->hash_size = QCRYPTO_HASH_DIGEST_LEN_SHA256;
>> + q_cert->raw = raw;
>> +
>> + return q_cert;
>> +}
>> +
>> +static S390IPLCertificate *init_cert(char *path)
>> +{
>> + char *buf;
>> + size_t size;
>> + char vc_name[VC_NAME_LEN_BYTES];
>> + g_autofree gchar *filename = NULL;
>> + S390IPLCertificate *qcert = NULL;
>> + Error *local_err = NULL;
>> +
>> + filename = g_path_get_basename(path);
>> +
>> + size = cert2buf(path, &buf);
>> + if (size == 0) {
>> + error_report("Failed to load certificate: %s", path);
>> + return NULL;
>> + }
>> +
>> + qcert = init_cert_x509(size, (uint8_t *)buf, &local_err);
>> + if (qcert == NULL) {
>> + error_reportf_err(local_err, "Failed to initialize certificate: %s: ", path);
>> + g_free(buf);
>> + return NULL;
>> + }
>> +
>> + /*
>> + * Left justified certificate name with padding on the right with blanks.
>> + * Convert certificate name to EBCDIC.
>> + */
>> + strpadcpy(vc_name, VC_NAME_LEN_BYTES, filename, ' ');
>> + ebcdic_put(qcert->vc_name, vc_name, VC_NAME_LEN_BYTES);
> Missing free?
>
Since the ownership of the buf pointer is transferred to qcert after
init_cert_x509() completes successfully, free() is not necessary here.
I'll add comments here to make things clearer.
>> +
>> + return qcert;
>> +}
>> +
>> +static void update_cert_store(S390IPLCertificateStore *cert_store,
>> + S390IPLCertificate *qcert)
>> +{
>> + size_t data_buf_size;
>> + size_t keyid_buf_size;
>> + size_t hash_buf_size;
>> + size_t cert_buf_size;
>> +
>> + /* length field is word aligned for later DIAG use */
>> + keyid_buf_size = ROUND_UP(qcert->key_id_size, 4);
>> + hash_buf_size = ROUND_UP(qcert->hash_size, 4);
>> + cert_buf_size = ROUND_UP(qcert->der_size, 4);
>> + data_buf_size = keyid_buf_size + hash_buf_size + cert_buf_size;
>> +
>> + if (cert_store->max_cert_size < data_buf_size) {
>> + cert_store->max_cert_size = data_buf_size;
>> + }
>> +
>> + cert_store->certs[cert_store->count] = *qcert;
>> + cert_store->total_bytes += data_buf_size;
>> + cert_store->count++;
>> +}
>> +
>> +static GPtrArray *get_cert_paths(void)
>> +{
>> + BootCertPathList *path_list = NULL;
>> + BootCertPathList *list = NULL;
>> + gchar *cert_path;
>> + GDir *dir = NULL;
>> + const gchar *filename;
>> + g_autoptr(GError) err = NULL;
>> + g_autoptr(GPtrArray) cert_path_builder = g_ptr_array_new_full(0, g_free);
>> +
>> + path_list = s390_get_boot_certs();
>> + if (path_list == NULL) {
>> + return g_steal_pointer(&cert_path_builder);
>> + }
>> +
>> + for (list = path_list; list; list = list->next) {
>> + cert_path = list->value->path;
>> +
>> + if (g_strcmp0(cert_path, "") == 0) {
>> + error_report("Empty path in certificate path list is not allowed");
>> + exit(1);
>> + }
>> +
>> + struct stat st;
>> + if (stat(cert_path, &st) != 0) {
>> + error_report("Failed to stat path '%s': %s", cert_path, g_strerror(errno));
>> + exit(1);
>> + }
>> +
>> + if (S_ISREG(st.st_mode)) {
>> + if (g_str_has_suffix(cert_path, ".pem")) {
>> + g_ptr_array_add(cert_path_builder, g_strdup(cert_path));
>> + }
>> + } else if (S_ISDIR(st.st_mode)) {
>> + dir = g_dir_open(cert_path, 0, &err);
>> + if (dir == NULL) {
>> + error_report("Failed to open directory '%s': %s",
>> + cert_path, err->message);
>> + exit(1);
>> + }
>> +
>> + while ((filename = g_dir_read_name(dir))) {
>> + if (g_str_has_suffix(filename, ".pem")) {
>> + g_ptr_array_add(cert_path_builder,
>> + g_build_filename(cert_path, filename, NULL));
>> + }
>> + }
>> +
>> + g_dir_close(dir);
>> + } else {
>> + error_report("Path '%s' is neither a file nor a directory", cert_path);
> This looks like it should return an error?
>
>> + }
>> + }
>> +
>> + qapi_free_BootCertPathList(path_list);
>> + return g_steal_pointer(&cert_path_builder);
>> +}
>> +
>> +void s390_ipl_create_cert_store(S390IPLCertificateStore *cert_store)
>> +{
>> + GPtrArray *cert_path_builder;
>> +
>> + cert_path_builder = get_cert_paths();
>> + if (cert_path_builder->len == 0) {
>> + g_ptr_array_free(cert_path_builder, TRUE);
>> + return;
>> + }
>> +
>> + cert_store->max_cert_size = 0;
>> + cert_store->total_bytes = 0;
>> +
>> + for (int i = 0; i < cert_path_builder->len; i++) {
>> + if (i > MAX_CERTIFICATES - 1) {
>> + error_report("Maximum %d certificates are allowed", MAX_CERTIFICATES);
>> + exit(1);
>> + }
> Why not do this check before the loop, using cert_path_builder->len
> directly?
>
> Also, I think there is a missing free in this error case?
>
Thanks for the feedback. I'll address them in the next version.
>> +
>> + S390IPLCertificate *qcert = init_cert((char *) cert_path_builder->pdata[i]);
>> + if (qcert) {
>> + update_cert_store(cert_store, qcert);
>> + }
>> + }
>> +
>> + g_ptr_array_free(cert_path_builder, TRUE);
>> +}
>> diff --git a/hw/s390x/cert-store.h b/hw/s390x/cert-store.h
>> new file mode 100644
>> index 0000000000..f030c8846c
>> --- /dev/null
>> +++ b/hw/s390x/cert-store.h
>> @@ -0,0 +1,38 @@
>> +/*
>> + * S390 certificate store
>> + *
>> + * Copyright 2025 IBM Corp.
>> + * Author(s): Zhuoying Cai <zycai@linux.ibm.com>
>> + *
>> + * SPDX-License-Identifier: GPL-2.0-or-later
>> + */
>> +
>> +#ifndef HW_S390_CERT_STORE_H
>> +#define HW_S390_CERT_STORE_H
>> +
>> +#include "hw/s390x/ipl/qipl.h"
>> +#include "crypto/x509-utils.h"
>> +
>> +#define VC_NAME_LEN_BYTES 64
>> +
>> +struct S390IPLCertificate {
>> + uint8_t vc_name[VC_NAME_LEN_BYTES];
>> + size_t size;
>> + size_t der_size;
>> + size_t key_id_size;
>> + size_t hash_size;
>> + uint8_t *raw;
>> +};
>> +typedef struct S390IPLCertificate S390IPLCertificate;
>> +
>> +struct S390IPLCertificateStore {
>> + uint16_t count;
>> + size_t max_cert_size;
>> + size_t total_bytes;
>> + S390IPLCertificate certs[MAX_CERTIFICATES];
>> +} QEMU_PACKED;
>> +typedef struct S390IPLCertificateStore S390IPLCertificateStore;
>> +
>> +void s390_ipl_create_cert_store(S390IPLCertificateStore *cert_store);
>> +
>> +#endif
>> diff --git a/hw/s390x/ipl.c b/hw/s390x/ipl.c
>> index 2f082396c7..186be923d7 100644
>> --- a/hw/s390x/ipl.c
>> +++ b/hw/s390x/ipl.c
>> @@ -35,6 +35,7 @@
>> #include "qemu/option.h"
>> #include "qemu/ctype.h"
>> #include "standard-headers/linux/virtio_ids.h"
>> +#include "cert-store.h"
>>
>> #define KERN_IMAGE_START 0x010000UL
>> #define LINUX_MAGIC_ADDR 0x010008UL
>> @@ -422,6 +423,13 @@ void s390_ipl_convert_loadparm(char *ascii_lp, uint8_t *ebcdic_lp)
>> }
>> }
>>
>> +S390IPLCertificateStore *s390_ipl_get_certificate_store(void)
>> +{
>> + S390IPLState *ipl = get_ipl_device();
>> +
>> + return &ipl->cert_store;
>> +}
>> +
>> static bool s390_build_iplb(DeviceState *dev_st, IplParameterBlock *iplb)
>> {
>> CcwDevice *ccw_dev = NULL;
>> @@ -717,6 +725,7 @@ void s390_ipl_prepare_cpu(S390CPU *cpu)
>>
>> if (!ipl->kernel || ipl->iplb_valid) {
>> cpu->env.psw.addr = ipl->bios_start_addr;
>> + s390_ipl_create_cert_store(&ipl->cert_store);
>> if (!ipl->iplb_valid) {
>> ipl->iplb_valid = s390_init_all_iplbs(ipl);
>> } else {
>> diff --git a/hw/s390x/ipl.h b/hw/s390x/ipl.h
>> index 8f83c7da29..bee72dfbb3 100644
>> --- a/hw/s390x/ipl.h
>> +++ b/hw/s390x/ipl.h
>> @@ -13,6 +13,7 @@
>> #ifndef HW_S390_IPL_H
>> #define HW_S390_IPL_H
>>
>> +#include "cert-store.h"
>> #include "cpu.h"
>> #include "exec/target_page.h"
>> #include "system/address-spaces.h"
>> @@ -35,6 +36,7 @@ int s390_ipl_pv_unpack(struct S390PVResponse *pv_resp);
>> void s390_ipl_prepare_cpu(S390CPU *cpu);
>> IplParameterBlock *s390_ipl_get_iplb(void);
>> IplParameterBlock *s390_ipl_get_iplb_pv(void);
>> +S390IPLCertificateStore *s390_ipl_get_certificate_store(void);
>>
>> enum s390_reset {
>> /* default is a reset not triggered by a CPU e.g. issued by QMP */
>> @@ -64,6 +66,7 @@ struct S390IPLState {
>> IplParameterBlock iplb;
>> IplParameterBlock iplb_pv;
>> QemuIplParameters qipl;
>> + S390IPLCertificateStore cert_store;
>> uint64_t start_addr;
>> uint64_t compat_start_addr;
>> uint64_t bios_start_addr;
>> diff --git a/hw/s390x/meson.build b/hw/s390x/meson.build
>> index 8866012ddc..80d3d4a74d 100644
>> --- a/hw/s390x/meson.build
>> +++ b/hw/s390x/meson.build
>> @@ -17,6 +17,7 @@ s390x_ss.add(files(
>> 'sclpcpu.c',
>> 'sclpquiesce.c',
>> 'tod.c',
>> + 'cert-store.c',
>> ))
>> s390x_ss.add(when: 'CONFIG_KVM', if_true: files(
>> 'tod-kvm.c',
>> diff --git a/include/hw/s390x/ipl/qipl.h b/include/hw/s390x/ipl/qipl.h
>> index 6824391111..e505f44020 100644
>> --- a/include/hw/s390x/ipl/qipl.h
>> +++ b/include/hw/s390x/ipl/qipl.h
>> @@ -20,6 +20,8 @@
>> #define LOADPARM_LEN 8
>> #define NO_LOADPARM "\0\0\0\0\0\0\0\0"
>>
>> +#define MAX_CERTIFICATES 64
>> +
>> /*
>> * The QEMU IPL Parameters will be stored at absolute address
>> * 204 (0xcc) which means it is 32-bit word aligned but not
> Regards,
> Jared Rossi
next prev parent reply other threads:[~2025-08-28 17:33 UTC|newest]
Thread overview: 64+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-08-18 21:42 [PATCH v5 00/29] Secure IPL Support for SCSI Scheme of virtio-blk/virtio-scsi Devices Zhuoying Cai
2025-08-18 21:42 ` [PATCH v5 01/29] Add boot-certs to s390-ccw-virtio machine type option Zhuoying Cai
2025-09-11 7:24 ` Markus Armbruster
2025-09-11 19:03 ` Zhuoying Cai
2025-09-12 6:42 ` Markus Armbruster
2025-09-12 18:05 ` Zhuoying Cai
2025-09-15 6:44 ` Markus Armbruster
2025-09-15 16:14 ` Zhuoying Cai
2025-09-15 17:18 ` Daniel P. Berrangé
2025-09-16 5:59 ` Markus Armbruster
2025-08-18 21:42 ` [PATCH v5 02/29] crypto/x509-utils: Refactor with GNUTLS fallback Zhuoying Cai
2025-08-18 21:42 ` [PATCH v5 03/29] crypto/x509-utils: Add helper functions for certificate store Zhuoying Cai
2025-08-27 17:28 ` Daniel P. Berrangé
2025-08-27 20:13 ` Zhuoying Cai
2025-08-18 21:42 ` [PATCH v5 04/29] hw/s390x/ipl: Create " Zhuoying Cai
2025-08-26 13:40 ` Jared Rossi
2025-08-28 14:31 ` Zhuoying Cai [this message]
2025-08-27 23:14 ` Farhan Ali
2025-08-28 14:46 ` Zhuoying Cai
2025-09-02 15:15 ` Jared Rossi
2025-09-02 17:55 ` Zhuoying Cai
2025-09-09 0:54 ` Collin Walling
2025-09-10 20:43 ` Zhuoying Cai
2025-08-18 21:42 ` [PATCH v5 05/29] s390x/diag: Introduce DIAG 320 for Certificate Store Facility Zhuoying Cai
2025-09-09 14:42 ` Collin Walling
2025-08-18 21:42 ` [PATCH v5 06/29] s390x/diag: Refactor address validation check from diag308_parm_check Zhuoying Cai
2025-08-18 21:43 ` [PATCH v5 07/29] s390x/diag: Implement DIAG 320 subcode 1 Zhuoying Cai
2025-08-26 22:30 ` Jared Rossi
2025-08-27 14:35 ` Zhuoying Cai
2025-08-27 18:14 ` Collin Walling
2025-08-27 21:49 ` Farhan Ali
2025-08-27 22:01 ` Thomas Huth
2025-08-18 21:43 ` [PATCH v5 08/29] crypto/x509-utils: Add helper functions for DIAG 320 subcode 2 Zhuoying Cai
2025-08-27 17:36 ` Daniel P. Berrangé
2025-08-18 21:43 ` [PATCH v5 09/29] s390x/diag: Implement " Zhuoying Cai
2025-08-27 14:35 ` Jared Rossi
2025-08-28 15:12 ` Zhuoying Cai
2025-08-18 21:43 ` [PATCH v5 10/29] s390x/diag: Introduce DIAG 508 for secure IPL operations Zhuoying Cai
2025-08-18 21:43 ` [PATCH v5 11/29] crypto/x509-utils: Add helper functions for DIAG 508 subcode 1 Zhuoying Cai
2025-08-27 17:44 ` Daniel P. Berrangé
2025-08-18 21:43 ` [PATCH v5 12/29] s390x/diag: Implement DIAG 508 subcode 1 for signature verification Zhuoying Cai
2025-08-27 14:55 ` Jared Rossi
2025-08-27 18:08 ` Collin Walling
2025-08-27 22:18 ` Farhan Ali
2025-08-28 15:01 ` Zhuoying Cai
2025-08-18 21:43 ` [PATCH v5 13/29] pc-bios/s390-ccw: Introduce IPL Information Report Block (IIRB) Zhuoying Cai
2025-08-18 21:43 ` [PATCH v5 14/29] pc-bios/s390-ccw: Define memory for IPLB and convert IPLB to pointers Zhuoying Cai
2025-08-18 21:43 ` [PATCH v5 15/29] hw/s390x/ipl: Add IPIB flags to IPL Parameter Block Zhuoying Cai
2025-08-27 16:30 ` Jared Rossi
2025-08-18 21:43 ` [PATCH v5 16/29] hw/s390x/ipl: Set iplb->len to maximum length of " Zhuoying Cai
2025-08-27 16:33 ` Jared Rossi
2025-08-18 21:43 ` [PATCH v5 17/29] s390x: Guest support for Secure-IPL Facility Zhuoying Cai
2025-08-18 21:43 ` [PATCH v5 18/29] pc-bios/s390-ccw: Refactor zipl_run() Zhuoying Cai
2025-08-18 21:43 ` [PATCH v5 19/29] pc-bios/s390-ccw: Rework zipl_load_segment function Zhuoying Cai
2025-08-18 21:43 ` [PATCH v5 20/29] pc-bios/s390-ccw: Add signature verification for secure IPL in audit mode Zhuoying Cai
2025-08-18 21:43 ` [PATCH v5 21/29] s390x: Guest support for Secure-IPL Code Loading Attributes Facility (SCLAF) Zhuoying Cai
2025-08-18 21:43 ` [PATCH v5 22/29] pc-bios/s390-ccw: Add additional security checks for secure boot Zhuoying Cai
2025-08-18 21:43 ` [PATCH v5 23/29] Add secure-boot to s390-ccw-virtio machine type option Zhuoying Cai
2025-08-18 21:43 ` [PATCH v5 24/29] hw/s390x/ipl: Set IPIB flags for secure IPL Zhuoying Cai
2025-08-18 21:43 ` [PATCH v5 25/29] pc-bios/s390-ccw: Handle true secure IPL mode Zhuoying Cai
2025-08-18 21:43 ` [PATCH v5 26/29] pc-bios/s390-ccw: Handle secure boot with multiple boot devices Zhuoying Cai
2025-08-18 21:43 ` [PATCH v5 27/29] hw/s390x/ipl: Handle secure boot without specifying a boot device Zhuoying Cai
2025-08-18 21:43 ` [PATCH v5 28/29] docs/specs: Add secure IPL documentation Zhuoying Cai
2025-08-18 21:43 ` [PATCH v5 29/29] docs/system/s390x: " Zhuoying Cai
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=41aa6001-efb4-4cb7-822c-0606ab7673e7@linux.ibm.com \
--to=zycai@linux.ibm.com \
--cc=alifm@linux.ibm.com \
--cc=armbru@redhat.com \
--cc=berrange@redhat.com \
--cc=borntraeger@linux.ibm.com \
--cc=david@redhat.com \
--cc=eblake@redhat.com \
--cc=farman@linux.ibm.com \
--cc=iii@linux.ibm.com \
--cc=jjherne@linux.ibm.com \
--cc=jrossi@linux.ibm.com \
--cc=mjrosato@linux.ibm.com \
--cc=pasic@linux.ibm.com \
--cc=qemu-devel@nongnu.org \
--cc=qemu-s390x@nongnu.org \
--cc=richard.henderson@linaro.org \
--cc=thuth@redhat.com \
--cc=walling@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).