From: Zhuoying Cai <zycai@linux.ibm.com>
To: Jared Rossi <jrossi@linux.ibm.com>,
Farhan Ali <alifm@linux.ibm.com>,
thuth@redhat.com, berrange@redhat.com,
richard.henderson@linaro.org, david@redhat.com,
qemu-s390x@nongnu.org, qemu-devel@nongnu.org
Cc: walling@linux.ibm.com, jjherne@linux.ibm.com,
pasic@linux.ibm.com, borntraeger@linux.ibm.com,
farman@linux.ibm.com, mjrosato@linux.ibm.com, iii@linux.ibm.com,
eblake@redhat.com, armbru@redhat.com
Subject: Re: [PATCH v5 04/29] hw/s390x/ipl: Create certificate store
Date: Tue, 2 Sep 2025 13:55:35 -0400 [thread overview]
Message-ID: <e3c840c5-3549-471f-92b5-d82b9b5a53a5@linux.ibm.com> (raw)
In-Reply-To: <2b0476e1-97e1-4592-b70e-4f27f8695833@linux.ibm.com>
On 9/2/25 11:15 AM, Jared Rossi wrote:
>
>
> On 8/28/25 10:46 AM, Zhuoying Cai wrote:
>> On 8/27/25 7:14 PM, Farhan Ali wrote:
>>> [snip...]
>>>
>>> +
>>> +static S390IPLCertificate *init_cert_x509(size_t size, uint8_t *raw, Error **errp)
>>> +{
>>> + S390IPLCertificate *q_cert = NULL;
>>> + g_autofree uint8_t *cert_der = NULL;
>>> + size_t der_len = size;
>>> + int rc;
>>> +
>>> + rc = qcrypto_x509_convert_cert_der(raw, size, &cert_der, &der_len, errp);
>>> + if (rc != 0) {
>>> + return NULL;
>>> + }
>>> +
>>> + q_cert = g_new0(S390IPLCertificate, 1);
>>> + q_cert->size = size;
>>> + q_cert->der_size = der_len;
>>> + q_cert->key_id_size = QCRYPTO_HASH_DIGEST_LEN_SHA256;
>>> + q_cert->hash_size = QCRYPTO_HASH_DIGEST_LEN_SHA256;
>>> + q_cert->raw = raw;
>>> +
>>> + return q_cert;
>>> +}
>>> +
>>> +static S390IPLCertificate *init_cert(char *path)
>>> +{
>>> + char *buf;
>>> + size_t size;
>>> + char vc_name[VC_NAME_LEN_BYTES];
>>> + g_autofree gchar *filename = NULL;
>>> + S390IPLCertificate *qcert = NULL;
>>> + Error *local_err = NULL;
>>> +
>>> + filename = g_path_get_basename(path);
>>> +
>>> + size = cert2buf(path, &buf);
>>> + if (size == 0) {
>>> + error_report("Failed to load certificate: %s", path);
>>> + return NULL;
>>> + }
>>> +
>>> + qcert = init_cert_x509(size, (uint8_t *)buf, &local_err);
>>> + if (qcert == NULL) {
>>> + error_reportf_err(local_err, "Failed to initialize certificate: %s: ", path);
>>> + g_free(buf);
>>> + return NULL;
>>> + }
>>> +
>>> + /*
>>> + * Left justified certificate name with padding on the right with blanks.
>>> + * Convert certificate name to EBCDIC.
>>> + */
>>> + strpadcpy(vc_name, VC_NAME_LEN_BYTES, filename, ' ');
>>> + ebcdic_put(qcert->vc_name, vc_name, VC_NAME_LEN_BYTES);
>>> +
>>> + return qcert;
>>> +}
>>> +
>>> +static void update_cert_store(S390IPLCertificateStore *cert_store,
>>> + S390IPLCertificate *qcert)
>>> +{
>>> + size_t data_buf_size;
>>> + size_t keyid_buf_size;
>>> + size_t hash_buf_size;
>>> + size_t cert_buf_size;
>>> +
>>> + /* length field is word aligned for later DIAG use */
>>> + keyid_buf_size = ROUND_UP(qcert->key_id_size, 4);
>>> + hash_buf_size = ROUND_UP(qcert->hash_size, 4);
>>> + cert_buf_size = ROUND_UP(qcert->der_size, 4);
>>> + data_buf_size = keyid_buf_size + hash_buf_size + cert_buf_size;
>>> +
>>> + if (cert_store->max_cert_size < data_buf_size) {
>>> + cert_store->max_cert_size = data_buf_size;
>>> + }
>>> +
>>> + cert_store->certs[cert_store->count] = *qcert;
>>> + cert_store->total_bytes += data_buf_size;
>>> + cert_store->count++;
>>> +}
>>> +
>>> Do we need to free qcert here after we copied the contents to
>>> cert_store->certs[cert_store->count]? Also AFAIU we copy the certificate
>>> file contents into QEMU memory, but don't free it. Just wanted to
>>> clarify, do we need the file contents in QEMU memory for ccw-bios and
>>> guest kernel use? Thanks Farhan
>>>
>>>
>> Yes, the file contents need to remain in QEMU memory for both ccw-bios
>> and guest kernel use.
>>
>> * ccw-bios: The certificate used to verify the component is retrieved in
>> the BIOS via DIAG320, with its address stored in the IPL Information
>> Report Block.
>>
>> * guest kernel: Certificates can also be retrieved via DIAG320 and made
>> available to the guest kernel keyring.
>> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=8cf57d7217c32133d25615324c0ab4aaacf4d9c4
> Something still doesn't seem right to me. As far as I can tell the cert
> store will be reinitialized each time the guest reboots, which sounds
> like it will cause problems if there is no corresponding free somewhere.
>
> What is the expected behavior during a reboot? Should the guest A)
> parse the cert paths again and reinitialize, or B) read the entries in
> the previously created cert store?
>
> If A, then the cert store needs to be cleared/freed in some way each time.
>
> If B, then the cert store should not be reinitialized.
>
>> [snip...]
> Regards,
> Jared Rossi
I think option B sounds more accurate. Since the cert store can't be
modified during reboot, it's reasonable to read from the previously
created cert store.
next prev parent reply other threads:[~2025-09-02 17:56 UTC|newest]
Thread overview: 64+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-08-18 21:42 [PATCH v5 00/29] Secure IPL Support for SCSI Scheme of virtio-blk/virtio-scsi Devices Zhuoying Cai
2025-08-18 21:42 ` [PATCH v5 01/29] Add boot-certs to s390-ccw-virtio machine type option Zhuoying Cai
2025-09-11 7:24 ` Markus Armbruster
2025-09-11 19:03 ` Zhuoying Cai
2025-09-12 6:42 ` Markus Armbruster
2025-09-12 18:05 ` Zhuoying Cai
2025-09-15 6:44 ` Markus Armbruster
2025-09-15 16:14 ` Zhuoying Cai
2025-09-15 17:18 ` Daniel P. Berrangé
2025-09-16 5:59 ` Markus Armbruster
2025-08-18 21:42 ` [PATCH v5 02/29] crypto/x509-utils: Refactor with GNUTLS fallback Zhuoying Cai
2025-08-18 21:42 ` [PATCH v5 03/29] crypto/x509-utils: Add helper functions for certificate store Zhuoying Cai
2025-08-27 17:28 ` Daniel P. Berrangé
2025-08-27 20:13 ` Zhuoying Cai
2025-08-18 21:42 ` [PATCH v5 04/29] hw/s390x/ipl: Create " Zhuoying Cai
2025-08-26 13:40 ` Jared Rossi
2025-08-28 14:31 ` Zhuoying Cai
2025-08-27 23:14 ` Farhan Ali
2025-08-28 14:46 ` Zhuoying Cai
2025-09-02 15:15 ` Jared Rossi
2025-09-02 17:55 ` Zhuoying Cai [this message]
2025-09-09 0:54 ` Collin Walling
2025-09-10 20:43 ` Zhuoying Cai
2025-08-18 21:42 ` [PATCH v5 05/29] s390x/diag: Introduce DIAG 320 for Certificate Store Facility Zhuoying Cai
2025-09-09 14:42 ` Collin Walling
2025-08-18 21:42 ` [PATCH v5 06/29] s390x/diag: Refactor address validation check from diag308_parm_check Zhuoying Cai
2025-08-18 21:43 ` [PATCH v5 07/29] s390x/diag: Implement DIAG 320 subcode 1 Zhuoying Cai
2025-08-26 22:30 ` Jared Rossi
2025-08-27 14:35 ` Zhuoying Cai
2025-08-27 18:14 ` Collin Walling
2025-08-27 21:49 ` Farhan Ali
2025-08-27 22:01 ` Thomas Huth
2025-08-18 21:43 ` [PATCH v5 08/29] crypto/x509-utils: Add helper functions for DIAG 320 subcode 2 Zhuoying Cai
2025-08-27 17:36 ` Daniel P. Berrangé
2025-08-18 21:43 ` [PATCH v5 09/29] s390x/diag: Implement " Zhuoying Cai
2025-08-27 14:35 ` Jared Rossi
2025-08-28 15:12 ` Zhuoying Cai
2025-08-18 21:43 ` [PATCH v5 10/29] s390x/diag: Introduce DIAG 508 for secure IPL operations Zhuoying Cai
2025-08-18 21:43 ` [PATCH v5 11/29] crypto/x509-utils: Add helper functions for DIAG 508 subcode 1 Zhuoying Cai
2025-08-27 17:44 ` Daniel P. Berrangé
2025-08-18 21:43 ` [PATCH v5 12/29] s390x/diag: Implement DIAG 508 subcode 1 for signature verification Zhuoying Cai
2025-08-27 14:55 ` Jared Rossi
2025-08-27 18:08 ` Collin Walling
2025-08-27 22:18 ` Farhan Ali
2025-08-28 15:01 ` Zhuoying Cai
2025-08-18 21:43 ` [PATCH v5 13/29] pc-bios/s390-ccw: Introduce IPL Information Report Block (IIRB) Zhuoying Cai
2025-08-18 21:43 ` [PATCH v5 14/29] pc-bios/s390-ccw: Define memory for IPLB and convert IPLB to pointers Zhuoying Cai
2025-08-18 21:43 ` [PATCH v5 15/29] hw/s390x/ipl: Add IPIB flags to IPL Parameter Block Zhuoying Cai
2025-08-27 16:30 ` Jared Rossi
2025-08-18 21:43 ` [PATCH v5 16/29] hw/s390x/ipl: Set iplb->len to maximum length of " Zhuoying Cai
2025-08-27 16:33 ` Jared Rossi
2025-08-18 21:43 ` [PATCH v5 17/29] s390x: Guest support for Secure-IPL Facility Zhuoying Cai
2025-08-18 21:43 ` [PATCH v5 18/29] pc-bios/s390-ccw: Refactor zipl_run() Zhuoying Cai
2025-08-18 21:43 ` [PATCH v5 19/29] pc-bios/s390-ccw: Rework zipl_load_segment function Zhuoying Cai
2025-08-18 21:43 ` [PATCH v5 20/29] pc-bios/s390-ccw: Add signature verification for secure IPL in audit mode Zhuoying Cai
2025-08-18 21:43 ` [PATCH v5 21/29] s390x: Guest support for Secure-IPL Code Loading Attributes Facility (SCLAF) Zhuoying Cai
2025-08-18 21:43 ` [PATCH v5 22/29] pc-bios/s390-ccw: Add additional security checks for secure boot Zhuoying Cai
2025-08-18 21:43 ` [PATCH v5 23/29] Add secure-boot to s390-ccw-virtio machine type option Zhuoying Cai
2025-08-18 21:43 ` [PATCH v5 24/29] hw/s390x/ipl: Set IPIB flags for secure IPL Zhuoying Cai
2025-08-18 21:43 ` [PATCH v5 25/29] pc-bios/s390-ccw: Handle true secure IPL mode Zhuoying Cai
2025-08-18 21:43 ` [PATCH v5 26/29] pc-bios/s390-ccw: Handle secure boot with multiple boot devices Zhuoying Cai
2025-08-18 21:43 ` [PATCH v5 27/29] hw/s390x/ipl: Handle secure boot without specifying a boot device Zhuoying Cai
2025-08-18 21:43 ` [PATCH v5 28/29] docs/specs: Add secure IPL documentation Zhuoying Cai
2025-08-18 21:43 ` [PATCH v5 29/29] docs/system/s390x: " Zhuoying Cai
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=e3c840c5-3549-471f-92b5-d82b9b5a53a5@linux.ibm.com \
--to=zycai@linux.ibm.com \
--cc=alifm@linux.ibm.com \
--cc=armbru@redhat.com \
--cc=berrange@redhat.com \
--cc=borntraeger@linux.ibm.com \
--cc=david@redhat.com \
--cc=eblake@redhat.com \
--cc=farman@linux.ibm.com \
--cc=iii@linux.ibm.com \
--cc=jjherne@linux.ibm.com \
--cc=jrossi@linux.ibm.com \
--cc=mjrosato@linux.ibm.com \
--cc=pasic@linux.ibm.com \
--cc=qemu-devel@nongnu.org \
--cc=qemu-s390x@nongnu.org \
--cc=richard.henderson@linaro.org \
--cc=thuth@redhat.com \
--cc=walling@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).