From: Zhuoying Cai <zycai@linux.ibm.com>
To: Thomas Huth <thuth@redhat.com>,
berrange@redhat.com, richard.henderson@linaro.org,
david@redhat.com, jrossi@linux.ibm.com, qemu-s390x@nongnu.org,
qemu-devel@nongnu.org
Cc: walling@linux.ibm.com, jjherne@linux.ibm.com,
pasic@linux.ibm.com, borntraeger@linux.ibm.com,
farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com,
eblake@redhat.com, armbru@redhat.com, alifm@linux.ibm.com
Subject: Re: [PATCH v6 00/28] Secure IPL Support for SCSI Scheme of virtio-blk/virtio-scsi Devices
Date: Tue, 11 Nov 2025 15:17:17 -0500 [thread overview]
Message-ID: <9b157225-ebf1-417f-aa54-3968589b262e@linux.ibm.com> (raw)
In-Reply-To: <2657323b-6172-4795-a3b4-f98f26262daf@redhat.com>
On 11/10/25 6:01 AM, Thomas Huth wrote:
> On 05/11/2025 20.21, Zhuoying Cai wrote:
>> On 9/26/25 8:38 AM, Thomas Huth wrote:
>>> On 18/09/2025 01.21, Zhuoying Cai wrote:
>>> ...
>>>> crypto/meson.build | 5 +-
>>>> crypto/x509-utils.c | 423 +++++++++++++++
>>>> docs/specs/s390x-secure-ipl.rst | 165 ++++++
>>>> docs/system/s390x/secure-ipl.rst | 181 +++++++
>>>> hw/s390x/cert-store.c | 213 ++++++++
>>>> hw/s390x/cert-store.h | 39 ++
>>>> hw/s390x/ipl.c | 62 +++
>>>> hw/s390x/ipl.h | 27 +-
>>>> hw/s390x/meson.build | 1 +
>>>> hw/s390x/s390-virtio-ccw.c | 52 ++
>>>> hw/s390x/sclp.c | 2 +
>>>> include/crypto/x509-utils.h | 131 +++++
>>>> include/hw/s390x/ipl/diag308.h | 34 ++
>>>> include/hw/s390x/ipl/diag320.h | 91 ++++
>>>> include/hw/s390x/ipl/diag508.h | 38 ++
>>>> include/hw/s390x/ipl/qipl.h | 7 +-
>>>> include/hw/s390x/s390-virtio-ccw.h | 3 +
>>>> include/hw/s390x/sclp.h | 4 +-
>>>> pc-bios/s390-ccw/Makefile | 3 +-
>>>> pc-bios/s390-ccw/bootmap.c | 107 +++-
>>>> pc-bios/s390-ccw/bootmap.h | 11 +
>>>> pc-bios/s390-ccw/iplb.h | 96 +++-
>>>> pc-bios/s390-ccw/jump2ipl.c | 6 +-
>>>> pc-bios/s390-ccw/main.c | 111 +++-
>>>> pc-bios/s390-ccw/netmain.c | 8 +-
>>>> pc-bios/s390-ccw/s390-ccw.h | 19 +
>>>> pc-bios/s390-ccw/sclp.c | 52 ++
>>>> pc-bios/s390-ccw/sclp.h | 7 +
>>>> pc-bios/s390-ccw/secure-ipl.c | 781 ++++++++++++++++++++++++++++
>>>> pc-bios/s390-ccw/secure-ipl.h | 212 ++++++++
>>>> qapi/machine-s390x.json | 22 +
>>>> qapi/pragma.json | 1 +
>>>> qemu-options.hx | 10 +-
>>>> target/s390x/cpu_features.c | 7 +
>>>> target/s390x/cpu_features.h | 1 +
>>>> target/s390x/cpu_features_def.h.inc | 5 +
>>>> target/s390x/cpu_models.c | 7 +
>>>> target/s390x/diag.c | 555 +++++++++++++++++++-
>>>> target/s390x/gen-features.c | 7 +
>>>> target/s390x/kvm/kvm.c | 34 ++
>>>> target/s390x/s390x-internal.h | 4 +
>>>> target/s390x/tcg/misc_helper.c | 14 +
>>>> 42 files changed, 3488 insertions(+), 70 deletions(-)
>>>> create mode 100644 docs/specs/s390x-secure-ipl.rst
>>>> create mode 100644 docs/system/s390x/secure-ipl.rst
>>>> create mode 100644 hw/s390x/cert-store.c
>>>> create mode 100644 hw/s390x/cert-store.h
>>>> create mode 100644 include/hw/s390x/ipl/diag308.h
>>>> create mode 100644 include/hw/s390x/ipl/diag320.h
>>>> create mode 100644 include/hw/s390x/ipl/diag508.h
>>>> create mode 100644 pc-bios/s390-ccw/secure-ipl.c
>>>> create mode 100644 pc-bios/s390-ccw/secure-ipl.h
>>>
>>> Hi,
>>>
>>> looking at the file list, there does not seem to be any test in this series
>>> ... could you please add some functional tests to make sure that the feature
>>> is working as expected?
>>
>> I’m currently working on the functional tests for secure IPL and have
>> encountered a few blockers, so I wanted to reach out for some guidance.
>>
>> The main challenge is determining how to provide signed components and
>> signatures within the tests. In a manual secure IPL setup, we would
>> generate certificates, use the sign-file script to sign the components
>> (stage3 binary and kernel), and prepare zipl inside the guest.
>> Additionally, the signed components would include Secure Code Loading
>> Attribute Blocks (SCLABs) appended for further validation. These steps
>> are difficult to reproduce in a functional test environment.
>>
>> Our current idea is to create a bootable image using the SCSI scheme
>> with a minimal boot map that includes fake signed components with
>> hard-coded signatures (and SCLABs if feasible), similar to the approach
>> used in prepare_image() in tests/qtest/cdrom-test.c. However, this
>> approach is more complex than expected, and we are unsure how viable it is.
>>
>> Do you have any suggestions on our current plan or other recommendations
>> for how we might approach testing secure IPL? I’d appreciate your guidance.
>
> Hi,
>
> would it be possible that you create a real small qcow2 image (e.g. with
> buildroot.org), make sure that it gets the right signatures, upload the
> image to your github account (or somewhere else), and then add a functional
> test to tests/functional/s390x that downloads the image and tests the boot
> process with it? I think that would likely be the best solution...?
>
> HTH,
> Thomas
>
I'll look into this approach. Thank you for the suggestion!
prev parent reply other threads:[~2025-11-11 20:18 UTC|newest]
Thread overview: 92+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-09-17 23:21 [PATCH v6 00/28] Secure IPL Support for SCSI Scheme of virtio-blk/virtio-scsi Devices Zhuoying Cai
2025-09-17 23:21 ` [PATCH v6 01/28] Add boot-certs to s390-ccw-virtio machine type option Zhuoying Cai
2025-09-18 6:56 ` Markus Armbruster
2025-09-18 8:38 ` Daniel P. Berrangé
2025-09-18 8:51 ` Markus Armbruster
2025-09-23 1:31 ` Zhuoying Cai
2025-09-22 23:48 ` Zhuoying Cai
2025-09-29 18:29 ` Collin Walling
2025-10-08 17:49 ` Zhuoying Cai
2025-09-30 9:34 ` Thomas Huth
2025-09-30 9:37 ` Daniel P. Berrangé
2025-09-30 9:43 ` Thomas Huth
2025-09-17 23:21 ` [PATCH v6 02/28] crypto/x509-utils: Refactor with GNUTLS fallback Zhuoying Cai
2025-09-18 18:14 ` Farhan Ali
2025-09-30 9:38 ` Thomas Huth
2025-10-02 13:23 ` Daniel P. Berrangé
2025-09-17 23:21 ` [PATCH v6 03/28] crypto/x509-utils: Add helper functions for certificate store Zhuoying Cai
2025-09-18 18:24 ` Farhan Ali
2025-09-30 9:43 ` Thomas Huth
2025-10-02 13:24 ` Daniel P. Berrangé
2025-09-17 23:21 ` [PATCH v6 04/28] hw/s390x/ipl: Create " Zhuoying Cai
2025-09-18 19:46 ` Farhan Ali
2025-09-30 10:26 ` Thomas Huth
2025-09-17 23:21 ` [PATCH v6 05/28] s390x/diag: Introduce DIAG 320 for Certificate Store Facility Zhuoying Cai
2025-09-18 20:07 ` Farhan Ali
2025-09-30 13:08 ` Thomas Huth
2025-09-17 23:21 ` [PATCH v6 06/28] s390x/diag: Refactor address validation check from diag308_parm_check Zhuoying Cai
2025-09-18 20:38 ` Farhan Ali
2025-09-30 13:13 ` Thomas Huth
2025-09-17 23:21 ` [PATCH v6 07/28] s390x/diag: Implement DIAG 320 subcode 1 Zhuoying Cai
2025-09-19 17:20 ` Farhan Ali
2025-09-30 13:30 ` Thomas Huth
2025-09-17 23:21 ` [PATCH v6 08/28] crypto/x509-utils: Add helper functions for DIAG 320 subcode 2 Zhuoying Cai
2025-09-19 18:02 ` Farhan Ali
2025-10-07 9:34 ` Thomas Huth
2025-10-07 9:38 ` Daniel P. Berrangé
2025-10-07 9:41 ` Thomas Huth
2025-09-17 23:21 ` [PATCH v6 09/28] s390x/diag: Implement " Zhuoying Cai
2025-09-24 21:53 ` Farhan Ali
2025-09-26 13:42 ` Zhuoying Cai
2025-09-17 23:21 ` [PATCH v6 10/28] s390x/diag: Introduce DIAG 508 for secure IPL operations Zhuoying Cai
2025-09-25 20:50 ` Farhan Ali
2025-10-07 9:47 ` Thomas Huth
2025-10-07 19:46 ` Collin Walling
2025-09-17 23:21 ` [PATCH v6 11/28] crypto/x509-utils: Add helper functions for DIAG 508 subcode 1 Zhuoying Cai
2025-10-07 9:58 ` Thomas Huth
2025-10-07 10:10 ` Daniel P. Berrangé
2025-09-17 23:21 ` [PATCH v6 12/28] s390x/diag: Implement DIAG 508 subcode 1 for signature verification Zhuoying Cai
2025-09-25 21:30 ` Farhan Ali
2025-10-07 10:27 ` Thomas Huth
2025-10-10 16:37 ` Zhuoying Cai
2025-10-10 18:08 ` Thomas Huth
2025-10-07 20:22 ` Collin Walling
2025-09-17 23:21 ` [PATCH v6 13/28] pc-bios/s390-ccw: Introduce IPL Information Report Block (IIRB) Zhuoying Cai
2025-09-25 22:02 ` Farhan Ali
2025-09-17 23:21 ` [PATCH v6 14/28] pc-bios/s390-ccw: Define memory for IPLB and convert IPLB to pointers Zhuoying Cai
2025-09-30 5:17 ` Thomas Huth
2025-09-17 23:21 ` [PATCH v6 15/28] hw/s390x/ipl: Add IPIB flags to IPL Parameter Block Zhuoying Cai
2025-09-29 21:21 ` Farhan Ali
2025-09-17 23:21 ` [PATCH v6 16/28] s390x: Guest support for Secure-IPL Facility Zhuoying Cai
2025-09-17 23:21 ` [PATCH v6 17/28] pc-bios/s390-ccw: Refactor zipl_run() Zhuoying Cai
2025-09-26 12:51 ` Thomas Huth
2025-09-17 23:21 ` [PATCH v6 18/28] pc-bios/s390-ccw: Rework zipl_load_segment function Zhuoying Cai
2025-09-26 13:02 ` Thomas Huth
2025-09-17 23:21 ` [PATCH v6 19/28] pc-bios/s390-ccw: Add signature verification for secure IPL in audit mode Zhuoying Cai
2025-09-26 13:10 ` Thomas Huth
2025-09-30 18:42 ` Farhan Ali
2025-10-10 18:00 ` Zhuoying Cai
2025-10-10 19:37 ` Farhan Ali
2025-09-17 23:21 ` [PATCH v6 20/28] s390x: Guest support for Secure-IPL Code Loading Attributes Facility (SCLAF) Zhuoying Cai
2025-09-29 12:25 ` Thomas Huth
2025-09-30 13:06 ` Thomas Huth
2025-09-17 23:21 ` [PATCH v6 21/28] pc-bios/s390-ccw: Add additional security checks for secure boot Zhuoying Cai
2025-09-29 13:30 ` Thomas Huth
2025-09-29 20:43 ` Zhuoying Cai
2025-09-30 5:14 ` Thomas Huth
2025-09-17 23:21 ` [PATCH v6 22/28] Add secure-boot to s390-ccw-virtio machine type option Zhuoying Cai
2025-09-29 14:05 ` Thomas Huth
2025-09-17 23:21 ` [PATCH v6 23/28] hw/s390x/ipl: Set IPIB flags for secure IPL Zhuoying Cai
2025-09-17 23:21 ` [PATCH v6 24/28] pc-bios/s390-ccw: Handle true secure IPL mode Zhuoying Cai
2025-09-29 15:24 ` Thomas Huth
2025-09-17 23:21 ` [PATCH v6 25/28] pc-bios/s390-ccw: Handle secure boot with multiple boot devices Zhuoying Cai
2025-09-29 18:11 ` Thomas Huth
2025-09-17 23:21 ` [PATCH v6 26/28] hw/s390x/ipl: Handle secure boot without specifying a boot device Zhuoying Cai
2025-09-17 23:21 ` [PATCH v6 27/28] docs/specs: Add secure IPL documentation Zhuoying Cai
2025-10-07 11:40 ` Thomas Huth
2025-09-17 23:21 ` [PATCH v6 28/28] docs/system/s390x: " Zhuoying Cai
2025-09-29 18:23 ` Thomas Huth
2025-09-26 12:38 ` [PATCH v6 00/28] Secure IPL Support for SCSI Scheme of virtio-blk/virtio-scsi Devices Thomas Huth
2025-11-05 19:21 ` Zhuoying Cai
2025-11-10 11:01 ` Thomas Huth
2025-11-11 20:17 ` Zhuoying Cai [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=9b157225-ebf1-417f-aa54-3968589b262e@linux.ibm.com \
--to=zycai@linux.ibm.com \
--cc=alifm@linux.ibm.com \
--cc=armbru@redhat.com \
--cc=berrange@redhat.com \
--cc=borntraeger@linux.ibm.com \
--cc=david@redhat.com \
--cc=eblake@redhat.com \
--cc=farman@linux.ibm.com \
--cc=iii@linux.ibm.com \
--cc=jjherne@linux.ibm.com \
--cc=jrossi@linux.ibm.com \
--cc=mjrosato@linux.ibm.com \
--cc=pasic@linux.ibm.com \
--cc=qemu-devel@nongnu.org \
--cc=qemu-s390x@nongnu.org \
--cc=richard.henderson@linaro.org \
--cc=thuth@redhat.com \
--cc=walling@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).