Re: [PATCH v5 01/29] Add boot-certs to s390-ccw-virtio machine type option

["Daniel P. Berrangé" <berrange@redhat.com>]

On Mon, Sep 15, 2025 at 12:14:50PM -0400, Zhuoying Cai wrote:
> On 9/15/25 2:44 AM, Markus Armbruster wrote:
> > Zhuoying Cai <zycai@linux.ibm.com> writes:
> > 
> >> On 9/12/25 2:42 AM, Markus Armbruster wrote:
> >>> Zhuoying Cai <zycai@linux.ibm.com> writes:
> >>>
> >>>> Thanks for the feedback.
> >>>>
> >>>> On 9/11/25 3:24 AM, Markus Armbruster wrote:
> >>>>> Zhuoying Cai <zycai@linux.ibm.com> writes:
> >>>>>
> >>>>>> Introduce a new `boot-certs` machine type option for the s390-ccw-virtio
> >>>>>> machine. This allows users to specify one or more certificate file paths
> >>>>>> or directories to be used during secure boot.
> >>>>>>
> >>>>>> Each entry is specified using the syntax:
> >>>>>> 	boot-certs.<index>.path=/path/to/cert.pem
> >>>>>>
> >>>>>> Multiple paths can be specify using array properties:
> >>>>>> 	boot-certs.0.path=/path/to/cert.pem,
> >>>>>> 	boot-certs.1.path=/path/to/cert-dir,
> >>>>>> 	boot-certs.2.path=/path/to/another-dir...
> >>>>>>
> >>>>>> Signed-off-by: Zhuoying Cai <zycai@linux.ibm.com>
> >>>>>> ---
> >>>>>>  docs/system/s390x/secure-ipl.rst   | 20 ++++++++++++++++++++
> >>>>>>  hw/s390x/s390-virtio-ccw.c         | 30 ++++++++++++++++++++++++++++++
> >>>>>>  include/hw/s390x/s390-virtio-ccw.h |  2 ++
> >>>>>>  qapi/machine-s390x.json            | 24 ++++++++++++++++++++++++
> >>>>>>  qemu-options.hx                    |  6 +++++-
> >>>>>>  5 files changed, 81 insertions(+), 1 deletion(-)
> >>>>>>  create mode 100644 docs/system/s390x/secure-ipl.rst
> >>>>>>
> >>>>>> diff --git a/docs/system/s390x/secure-ipl.rst b/docs/system/s390x/secure-ipl.rst
> >>>>>> new file mode 100644
> >>>>>> index 0000000000..9b3fd25cc4
> >>>>>> --- /dev/null
> >>>>>> +++ b/docs/system/s390x/secure-ipl.rst
> >>>>>> @@ -0,0 +1,20 @@
> >>>>>> +.. SPDX-License-Identifier: GPL-2.0-or-later
> >>>>>> +
> >>>>>> +Secure IPL Command Line Options
> >>>>>> +===============================
> >>>>>> +
> >>>>>> +New parameters have been introduced to s390-ccw-virtio machine type option
> >>>>>> +to support secure IPL. These parameters allow users to provide certificates
> >>>>>> +and enable secure IPL directly via the command line.
> >>>>>
> >>>>> All too soon these parameters will no longer be new.  Consider something
> >>>>> like "The s390-ccw-virtio machine type supports secure TPL.  To enable
> >>>>> it, you need to provide certificates."
> >>>>>
> >>>>>> +
> >>>>>> +Providing Certificates
> >>>>>> +----------------------
> >>>>>> +
> >>>>>> +The certificate store can be populated by supplying a list of certificate file
> >>>>>> +paths or directories on the command-line:
> >>>>>
> >>>>> File is clear enough (use the certificate found in the file).  What does
> >>>>> directory do?
> >>>>
> >>>> A directory contains a list of certificate files, and allowing both
> >>>> files and directories could make the CLI more flexible.
> >>>
> >>> I figure when @path names a file, it's an error when the file doesn't
> >>> contain a valid cetificate.
> >>>
> >>> What is @path names a directory, and one of the directory's files
> >>> doesn't contain a valid certificate?
> >>>
> >>> Can a single file contain multiple certificates?
> >>
> >> A certificate file path is expected to contain exactly one certificate.
> >>
> >> Certificates provided through the CLI, whether as individual files or
> >> within a directory, are validated before use. If a certificate is
> >> invalid (e.g., unsupported format), it will be skipped and not added to
> >> the S390 certificate store.
> > 
> > Hmm.  What exactly happens when I configure a certificate file like
> > 
> >     -machine s390-ccw-virtio,boot-certs.0.path=/dev/null
> > 
> > or some other file that doesn't contain a valud certificate?  Is it
> > silently ignored, or is it an error?
> > 
> >> When iterating through the provided paths, the program will terminate on
> >> fatal configuration errors, such as when a specified path is neither a
> >> file nor a directory.
> > 
> 
> If /dev/null is provided, the program will report an error and terminates.
> 
>    qemu-system-s390x: Path '/dev/null' is neither a file nor a directory
> 
> If a file exists but doesn't contain a valid certificate, the program
> will report the error but continues validating other remaining
> certificates. For example, providing a certificate in DER format
> (cert.pem) is not supported; only PEM format certificates are accepted:
> 
>    -machine s390-ccw-virtio,boot-certs.0.path=/root/cert.pem, \
>                             boot-certs.1.path=/root/pem-test/rsa.pem, \
>                             boot-certs.2.path=/root/pem-test/rsa-oaep.pem
> 
>    qemu-system-s390x: Failed to initialize certificate: /root/cert.pem:
> Failed to import certificate: Base64 unexpected header error.
> Using virtio-blk.
> SCSI boot device supports secure boot.
> LOADPARM=[        ]
> 
> Using virtio-blk.
> Using SCSI scheme.
> ....Verified component
> ...Verified component
> ...
> 
> In summary, QEMU first collects a list of .pem files from the CLI, and
> then validate each certificate in that list.
> 
> More specifically, QEMU first checks and normalizes the certificate
> paths - each path must be a non-empty string, must exist, and must be
> either a regular file or a directory. An invalid path will be reported
> and cause the program to terminate. Regular files with a .pem suffix, as
> well as .pem files inside directories, are added to the list.

IMHO we should be a bit more strict than this

 * If pointing to a file - loading must succeed; errors must be fatal
 * If pointing to a dir - the dir must exist, any file NOT ending in
   .pem should be ignored, any file ending in .pem must succeed, errors
   must be fatal
 * If pointing to neither a file, nor dir - must be fatal

ie we should be assuming that the configuration is expected to work, and
thus errors when loading are liable to be admin config mistakes that should
be fatal.

With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|