From: Thomas Huth <thuth@redhat.com>
To: Zhuoying Cai <zycai@linux.ibm.com>,
richard.henderson@linaro.org, david@redhat.com,
pbonzini@redhat.com
Cc: walling@linux.ibm.com, jjherne@linux.ibm.com,
jrossi@linux.ibm.com, fiuczy@linux.ibm.com, pasic@linux.ibm.com,
borntraeger@linux.ibm.com, farman@linux.ibm.com,
iii@linux.ibm.com, qemu-s390x@nongnu.org, qemu-devel@nongnu.org
Subject: Re: [PATCH v2 03/25] s390x: Guest support for Certificate Store Facility (CS)
Date: Wed, 14 May 2025 08:11:30 +0200 [thread overview]
Message-ID: <d67865b8-a9d1-488f-bf2b-bf53eb3ace89@redhat.com> (raw)
In-Reply-To: <20250508225042.313672-4-zycai@linux.ibm.com>
On 09/05/2025 00.50, Zhuoying Cai wrote:
> DIAG 320 is supported when the certificate-store (CS) facility
> is installed.
>
> Availability of CS facility is determined by byte 134 bit 5 of the
> SCLP Read Info block. Byte 134's facilities cannot be represented
> without the availability of the extended-length-SCCB, so add it as
> a check for consistency.
>
> Note: secure IPL is not available for Secure Execution (SE) guests,
> as their images are already integrity protected, and an additional
> protection of the kernel by secure IPL is not necessary.
>
> Signed-off-by: Zhuoying Cai <zycai@linux.ibm.com>
> ---
> target/s390x/cpu_features.c | 1 +
> target/s390x/cpu_features_def.h.inc | 1 +
> target/s390x/cpu_models.c | 2 ++
> target/s390x/gen-features.c | 1 +
> target/s390x/kvm/kvm.c | 2 ++
> 5 files changed, 7 insertions(+)
>
> diff --git a/target/s390x/cpu_features.c b/target/s390x/cpu_features.c
> index 4b5be6798e..99089ab3f5 100644
> --- a/target/s390x/cpu_features.c
> +++ b/target/s390x/cpu_features.c
> @@ -147,6 +147,7 @@ void s390_fill_feat_block(const S390FeatBitmap features, S390FeatType type,
> break;
> case S390_FEAT_TYPE_SCLP_FAC134:
> clear_be_bit(s390_feat_def(S390_FEAT_DIAG_318)->bit, data);
> + clear_be_bit(s390_feat_def(S390_FEAT_DIAG_320)->bit, data);
> break;
> default:
> return;
> diff --git a/target/s390x/cpu_features_def.h.inc b/target/s390x/cpu_features_def.h.inc
> index e23e603a79..65d38f546d 100644
> --- a/target/s390x/cpu_features_def.h.inc
> +++ b/target/s390x/cpu_features_def.h.inc
> @@ -138,6 +138,7 @@ DEF_FEAT(SIE_IBS, "ibs", SCLP_CONF_CHAR_EXT, 10, "SIE: Interlock-and-broadcast-s
>
> /* Features exposed via SCLP SCCB Facilities byte 134 (bit numbers relative to byte-134) */
> DEF_FEAT(DIAG_318, "diag318", SCLP_FAC134, 0, "Control program name and version codes")
> +DEF_FEAT(DIAG_320, "diag320", SCLP_FAC134, 5, "Provide Certificate Store functions")
Not sure, but "diag320" does not sound like a very good name for something
related to security that is used in the interface for the users. Maybe
"cert" or "cstore" would be a better name?
...
> diff --git a/target/s390x/gen-features.c b/target/s390x/gen-features.c
> index 41840677ce..3d9fbe62ea 100644
> --- a/target/s390x/gen-features.c
> +++ b/target/s390x/gen-features.c
> @@ -720,6 +720,7 @@ static uint16_t full_GEN16_GA1[] = {
> S390_FEAT_PAIE,
> S390_FEAT_UV_FEAT_AP,
> S390_FEAT_UV_FEAT_AP_INTR,
> + S390_FEAT_DIAG_320,
> };
>
> static uint16_t full_GEN17_GA1[] = {
> diff --git a/target/s390x/kvm/kvm.c b/target/s390x/kvm/kvm.c
> index b9f1422197..6bad1713d2 100644
> --- a/target/s390x/kvm/kvm.c
> +++ b/target/s390x/kvm/kvm.c
> @@ -2487,6 +2487,8 @@ bool kvm_s390_get_host_cpu_model(S390CPUModel *model, Error **errp)
> set_bit(S390_FEAT_DIAG_318, model->features);
> }
>
> + set_bit(S390_FEAT_DIAG_320, model->features);
> +
> /* Test for Ultravisor features that influence secure guest behavior */
> query_uv_feat_guest(model->features);
Question: Could this feature be enabled of the TCG max CPU, too? If so, it
might be a good idea to do so, so it could be used in CI tests more easily.
By the way, any chance that you could also add a functional test to this
patch series, so that we can be sure that there are no regressions in the
future?
Thomas
next prev parent reply other threads:[~2025-05-14 6:12 UTC|newest]
Thread overview: 49+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-05-08 22:50 [PATCH v2 00/25] Secure IPL Support for SCSI Scheme of virtio-blk/virtio-scsi Devices Zhuoying Cai
2025-05-08 22:50 ` [PATCH v2 01/25] Add -boot-certificates to s390-ccw-virtio machine type option Zhuoying Cai
2025-05-13 14:58 ` Thomas Huth
2025-05-08 22:50 ` [PATCH v2 02/25] hw/s390x/ipl: Create certificate store Zhuoying Cai
2025-05-14 5:43 ` Thomas Huth
2025-05-29 18:49 ` Zhuoying Cai
2025-05-14 9:03 ` Daniel P. Berrangé
2025-05-29 17:51 ` Zhuoying Cai
2025-05-08 22:50 ` [PATCH v2 03/25] s390x: Guest support for Certificate Store Facility (CS) Zhuoying Cai
2025-05-14 6:11 ` Thomas Huth [this message]
2025-05-08 22:50 ` [PATCH v2 04/25] s390x/diag: Introduce DIAG 320 for certificate store facility Zhuoying Cai
2025-05-14 8:17 ` Thomas Huth
2025-05-08 22:50 ` [PATCH v2 05/25] s390x/diag: Refactor address validation check from diag308_parm_check Zhuoying Cai
2025-05-08 22:50 ` [PATCH v2 06/25] s390x/diag: Implement DIAG 320 subcode 1 Zhuoying Cai
2025-05-14 15:32 ` Thomas Huth
2025-05-08 22:50 ` [PATCH v2 07/25] s390x/diag: Implement DIAG 320 subcode 2 Zhuoying Cai
2025-05-14 16:18 ` Thomas Huth
2025-05-29 19:09 ` Zhuoying Cai
2025-05-30 6:38 ` Thomas Huth
2025-05-08 22:50 ` [PATCH v2 08/25] s390x/diag: Introduce DIAG 508 for secure IPL operations Zhuoying Cai
2025-05-08 22:50 ` [PATCH v2 09/25] s390x/diag: Implement DIAG 508 subcode 1 for signature verification Zhuoying Cai
2025-05-20 6:11 ` Thomas Huth
2025-05-20 8:16 ` Daniel P. Berrangé
2025-05-08 22:50 ` [PATCH v2 10/25] pc-bios/s390-ccw: Introduce IPL Information Report Block (IIRB) Zhuoying Cai
2025-05-08 22:50 ` [PATCH v2 11/25] pc-bios/s390-ccw: Define memory for IPLB and convert IPLB to pointers Zhuoying Cai
2025-05-20 9:24 ` Thomas Huth
2025-05-08 22:50 ` [PATCH v2 12/25] hw/s390x/ipl: Add IPIB flags to IPL Parameter Block Zhuoying Cai
2025-05-08 22:50 ` [PATCH v2 13/25] hw/s390x/ipl: Set iplb->len to maximum length of " Zhuoying Cai
2025-05-08 22:50 ` [PATCH v2 14/25] s390x: Guest support for Secure-IPL Facility Zhuoying Cai
2025-05-08 22:50 ` [PATCH v2 15/25] pc-bios/s390-ccw: Refactor zipl_run() Zhuoying Cai
2025-05-20 9:29 ` Thomas Huth
2025-05-08 22:50 ` [PATCH v2 16/25] pc-bios/s390-ccw: Refactor zipl_load_segment function Zhuoying Cai
2025-05-20 9:39 ` Thomas Huth
2025-05-08 22:50 ` [PATCH v2 17/25] pc-bios/s390-ccw: Add signature verification for secure IPL in audit mode Zhuoying Cai
2025-05-20 10:25 ` Thomas Huth
2025-05-29 19:28 ` Zhuoying Cai
2025-05-08 22:50 ` [PATCH v2 18/25] s390x: Guest support for Secure-IPL Code Loading Attributes Facility (SCLAF) Zhuoying Cai
2025-05-26 14:46 ` Hendrik Brueckner
2025-05-08 22:50 ` [PATCH v2 19/25] pc-bios/s390-ccw: Add additional security checks for secure boot Zhuoying Cai
2025-05-08 22:50 ` [PATCH v2 20/25] Add -secure-boot to s390-ccw-virtio machine type option Zhuoying Cai
2025-05-21 12:14 ` Thomas Huth
2025-05-08 22:50 ` [PATCH v2 21/25] hw/s390x/ipl: Set IPIB flags for secure IPL Zhuoying Cai
2025-05-21 12:20 ` Thomas Huth
2025-05-08 22:50 ` [PATCH v2 22/25] pc-bios/s390-ccw: Handle true secure IPL mode Zhuoying Cai
2025-05-08 22:50 ` [PATCH v2 23/25] pc-bios/s390-ccw: Handle secure boot with multiple boot devices Zhuoying Cai
2025-05-08 22:50 ` [PATCH v2 24/25] hw/s390x/ipl: Handle secure boot without specifying a boot device Zhuoying Cai
2025-05-08 22:50 ` [PATCH v2 25/25] docs/system/s390x: Add secure IPL documentation Zhuoying Cai
2025-05-21 12:37 ` Thomas Huth
2025-05-23 20:28 ` Collin Walling
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=d67865b8-a9d1-488f-bf2b-bf53eb3ace89@redhat.com \
--to=thuth@redhat.com \
--cc=borntraeger@linux.ibm.com \
--cc=david@redhat.com \
--cc=farman@linux.ibm.com \
--cc=fiuczy@linux.ibm.com \
--cc=iii@linux.ibm.com \
--cc=jjherne@linux.ibm.com \
--cc=jrossi@linux.ibm.com \
--cc=pasic@linux.ibm.com \
--cc=pbonzini@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=qemu-s390x@nongnu.org \
--cc=richard.henderson@linaro.org \
--cc=walling@linux.ibm.com \
--cc=zycai@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).