From patchwork Tue Apr 8 15:55:03 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Zhuoying Cai X-Patchwork-Id: 14043364 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id C584FC369A2 for ; Tue, 8 Apr 2025 16:19:47 +0000 (UTC) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1u2Bdq-0006ow-0u; Tue, 08 Apr 2025 12:17:38 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1u2BIZ-0005T3-C4; Tue, 08 Apr 2025 11:55:39 -0400 Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1u2BIX-0005qw-EE; Tue, 08 Apr 2025 11:55:39 -0400 Received: from pps.filterd (m0356516.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 5388p8Ig025971; Tue, 8 Apr 2025 15:55:34 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ibm.com; h=cc :content-transfer-encoding:date:from:in-reply-to:message-id :mime-version:references:subject:to; s=pp1; bh=0a36/rsg5pTVH+f2g SG7LvlEPILNLWKTAThg3/tw4+Q=; b=bWtMvt0ubbV+CD/HQttpk8aesg3a7Mqu5 jK3eCbf8TqJG7OQbv5IFHOtLDeAPJfQ1mME7tT2gxw86jyJSWJ65bc4zgyDrdGvT UYhMWZPzFPzvoKZ9MttbFvgJ8yhmDI/Y4cBUXFQwdQBQ+eu9NEu4LB9kQHz2Y4yD BmUtT8h4vdXdpVo7Y8wxKvj/XffxYcQMqoqJKgcGVsqflgfis9gj2ydnLQDDzkke aZVD98pmtdky2tYZQXoyY//bF4F/PT0f9GbIBhVik9grBFK1L3Ty08Sfpl4gCDry FGiqKMSoXGbyOGnnsp2ZLa+5G0o6BcYUg+7MOeg+0oET4+yb0lYSw== Received: from ppma13.dal12v.mail.ibm.com (dd.9e.1632.ip4.static.sl-reverse.com [50.22.158.221]) by mx0a-001b2d01.pphosted.com (PPS) with ESMTPS id 45vnvq4hw0-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 08 Apr 2025 15:55:33 +0000 (GMT) Received: from pps.filterd (ppma13.dal12v.mail.ibm.com [127.0.0.1]) by ppma13.dal12v.mail.ibm.com (8.18.1.2/8.18.1.2) with ESMTP id 538DBG2a018567; Tue, 8 Apr 2025 15:55:33 GMT Received: from smtprelay03.wdc07v.mail.ibm.com ([172.16.1.70]) by ppma13.dal12v.mail.ibm.com (PPS) with ESMTPS id 45uh2kk5b3-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 08 Apr 2025 15:55:33 +0000 Received: from smtpav06.wdc07v.mail.ibm.com (smtpav06.wdc07v.mail.ibm.com [10.39.53.233]) by smtprelay03.wdc07v.mail.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id 538FtTCr18350630 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Tue, 8 Apr 2025 15:55:29 GMT Received: from smtpav06.wdc07v.mail.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 9D8CD5804E; Tue, 8 Apr 2025 15:55:31 +0000 (GMT) Received: from smtpav06.wdc07v.mail.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 28E2F5803F; Tue, 8 Apr 2025 15:55:30 +0000 (GMT) Received: from fedora-workstation.ibmuc.com (unknown [9.61.125.94]) by smtpav06.wdc07v.mail.ibm.com (Postfix) with ESMTP; Tue, 8 Apr 2025 15:55:30 +0000 (GMT) From: Zhuoying Cai To: thuth@redhat.com, richard.henderson@linaro.org, david@redhat.com, pbonzini@redhat.com Cc: walling@linux.ibm.com, jjherne@linux.ibm.com, jrossi@linux.ibm.com, fiuczy@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, iii@linux.ibm.com, qemu-s390x@nongnu.org, qemu-devel@nongnu.org, zycai@linux.ibm.com Subject: [PATCH v1 01/24] Add -boot-certificates /path/dir:/path/file option in QEMU command line Date: Tue, 8 Apr 2025 11:55:03 -0400 Message-ID: <20250408155527.123341-2-zycai@linux.ibm.com> X-Mailer: git-send-email 2.49.0 In-Reply-To: <20250408155527.123341-1-zycai@linux.ibm.com> References: <20250408155527.123341-1-zycai@linux.ibm.com> MIME-Version: 1.0 X-TM-AS-GCONF: 00 X-Proofpoint-GUID: 1KHO5AMehCMwO6nHBUwKFhKUvN11n2XI X-Proofpoint-ORIG-GUID: 1KHO5AMehCMwO6nHBUwKFhKUvN11n2XI X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1095,Hydra:6.0.680,FMLib:17.12.68.34 definitions=2025-04-08_06,2025-04-08_03,2024-11-22_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 phishscore=0 spamscore=0 mlxscore=0 lowpriorityscore=0 adultscore=0 suspectscore=0 mlxlogscore=493 malwarescore=0 priorityscore=1501 clxscore=1011 bulkscore=0 impostorscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.19.0-2502280000 definitions=main-2504080107 Received-SPF: pass client-ip=148.163.158.5; envelope-from=zycai@linux.ibm.com; helo=mx0b-001b2d01.pphosted.com X-Spam_score_int: -26 X-Spam_score: -2.7 X-Spam_bar: -- X-Spam_report: (-2.7 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H5=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_VALIDITY_CERTIFIED_BLOCKED=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-Mailman-Approved-At: Tue, 08 Apr 2025 12:17:33 -0400 X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org Sender: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org The `-boot-certificates /path/dir:/path/file` option is implemented to provide path to either a directory or a single certificate. Multiple paths can be delineated using a colon. Signed-off-by: Zhuoying Cai --- qemu-options.hx | 11 +++++++++++ system/vl.c | 22 ++++++++++++++++++++++ 2 files changed, 33 insertions(+) diff --git a/qemu-options.hx b/qemu-options.hx index dc694a99a3..b460c63490 100644 --- a/qemu-options.hx +++ b/qemu-options.hx @@ -1251,6 +1251,17 @@ SRST Set system UUID. ERST +DEF("boot-certificates", HAS_ARG, QEMU_OPTION_boot_certificates, + "-boot-certificates /path/directory:/path/file\n" + " Provide a path to a directory or a boot certificate.\n" + " A colon may be used to delineate multiple paths.\n", + QEMU_ARCH_S390X) +SRST +``-boot-certificates /path/directory:/path/file`` + Provide a path to a directory or a boot certificate. + A colon may be used to delineate multiple paths. +ERST + DEFHEADING() DEFHEADING(Block device options:) diff --git a/system/vl.c b/system/vl.c index ec93988a03..bd6197c887 100644 --- a/system/vl.c +++ b/system/vl.c @@ -510,6 +510,20 @@ static QemuOptsList qemu_action_opts = { }, }; +static QemuOptsList qemu_boot_certificates_opts = { + .name = "boot-certificates", + .implied_opt_name = "boot-certificates", + .merge_lists = true, + .head = QTAILQ_HEAD_INITIALIZER(qemu_boot_certificates_opts.head), + .desc = { + { + .name = "boot-certificates", + .type = QEMU_OPT_STRING, + }, + { /* end of list */} + }, +}; + const char *qemu_get_vm_name(void) { return qemu_name; @@ -2879,6 +2893,7 @@ void qemu_init(int argc, char **argv) qemu_add_opts(&qemu_semihosting_config_opts); qemu_add_opts(&qemu_fw_cfg_opts); qemu_add_opts(&qemu_action_opts); + qemu_add_opts(&qemu_boot_certificates_opts); qemu_add_run_with_opts(); module_call_init(MODULE_INIT_OPTS); @@ -3024,6 +3039,13 @@ void qemu_init(int argc, char **argv) case QEMU_OPTION_boot: machine_parse_property_opt(qemu_find_opts("boot-opts"), "boot", optarg); break; + case QEMU_OPTION_boot_certificates: + opts = qemu_opts_parse_noisily(qemu_find_opts("boot-certificates"), + optarg, true); + if (!opts) { + exit(1); + } + break; case QEMU_OPTION_fda: case QEMU_OPTION_fdb: drive_add(IF_FLOPPY, popt->index - QEMU_OPTION_fda, From patchwork Tue Apr 8 15:55:04 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Zhuoying Cai X-Patchwork-Id: 14043352 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 513A5C369A6 for ; Tue, 8 Apr 2025 16:18:09 +0000 (UTC) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1u2Bdq-0006ox-0P; Tue, 08 Apr 2025 12:17:38 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1u2BIb-0005Tl-1U; Tue, 08 Apr 2025 11:55:41 -0400 Received: from mx0a-001b2d01.pphosted.com ([148.163.156.1]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1u2BIY-0005rP-9n; Tue, 08 Apr 2025 11:55:40 -0400 Received: from pps.filterd (m0353729.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 538CS1sa017173; Tue, 8 Apr 2025 15:55:36 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ibm.com; h=cc :content-transfer-encoding:date:from:in-reply-to:message-id :mime-version:references:subject:to; s=pp1; bh=ovmlXm7ClsfXbt/dK D7g5N9R734cctuQU1guVoEJlUk=; b=hEQL6x72hiLuY2H6oxs7jvsPjRmm5xitm 2QaFXvEtRc5agi1HJURZpOcklw8Zq4KaaKqLDHKqBSZd12huuNUyNlgvC5MN9JV5 GJof/FThNU9ld6xV75ytUMVdz/FhBtWFh3TJCnsO2/VJW8YXjpgWUmVNyFoLgleV vqNayCH/MX+ibgL8wvWU2+i32C3/oEdkuBtY6oGPVvsscTlsEX0GPblHxK05J948 KzUg9vQbOYaFZkSRAWmUHNgvipG63fJjXAFDxWm+yI5ax96ueR070Zum/EF6OoSa b6CYGj1T90Hnq+/YO8LsxdGa8cAyMornhm6dZQq46ZR0ai0+evEUQ== Received: from ppma21.wdc07v.mail.ibm.com (5b.69.3da9.ip4.static.sl-reverse.com [169.61.105.91]) by mx0a-001b2d01.pphosted.com (PPS) with ESMTPS id 45w3u3122t-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 08 Apr 2025 15:55:35 +0000 (GMT) Received: from pps.filterd (ppma21.wdc07v.mail.ibm.com [127.0.0.1]) by ppma21.wdc07v.mail.ibm.com (8.18.1.2/8.18.1.2) with ESMTP id 538CBO1R013925; Tue, 8 Apr 2025 15:55:34 GMT Received: from smtprelay05.wdc07v.mail.ibm.com ([172.16.1.72]) by ppma21.wdc07v.mail.ibm.com (PPS) with ESMTPS id 45ufunkb9k-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 08 Apr 2025 15:55:34 +0000 Received: from smtpav06.wdc07v.mail.ibm.com (smtpav06.wdc07v.mail.ibm.com [10.39.53.233]) by smtprelay05.wdc07v.mail.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id 538FtXtV17695246 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Tue, 8 Apr 2025 15:55:33 GMT Received: from smtpav06.wdc07v.mail.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 44EAA5803F; Tue, 8 Apr 2025 15:55:33 +0000 (GMT) Received: from smtpav06.wdc07v.mail.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id C779B5804E; Tue, 8 Apr 2025 15:55:31 +0000 (GMT) Received: from fedora-workstation.ibmuc.com (unknown [9.61.125.94]) by smtpav06.wdc07v.mail.ibm.com (Postfix) with ESMTP; Tue, 8 Apr 2025 15:55:31 +0000 (GMT) From: Zhuoying Cai To: thuth@redhat.com, richard.henderson@linaro.org, david@redhat.com, pbonzini@redhat.com Cc: walling@linux.ibm.com, jjherne@linux.ibm.com, jrossi@linux.ibm.com, fiuczy@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, iii@linux.ibm.com, qemu-s390x@nongnu.org, qemu-devel@nongnu.org, zycai@linux.ibm.com Subject: [PATCH v1 02/24] hw/s390x/ipl: Create certificate store Date: Tue, 8 Apr 2025 11:55:04 -0400 Message-ID: <20250408155527.123341-3-zycai@linux.ibm.com> X-Mailer: git-send-email 2.49.0 In-Reply-To: <20250408155527.123341-1-zycai@linux.ibm.com> References: <20250408155527.123341-1-zycai@linux.ibm.com> MIME-Version: 1.0 X-TM-AS-GCONF: 00 X-Proofpoint-GUID: RFPq93mGWkidBa_TUaSisaHwFKV8eLQs X-Proofpoint-ORIG-GUID: RFPq93mGWkidBa_TUaSisaHwFKV8eLQs X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1095,Hydra:6.0.680,FMLib:17.12.68.34 definitions=2025-04-08_06,2025-04-08_03,2024-11-22_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 lowpriorityscore=0 spamscore=0 adultscore=0 suspectscore=0 mlxlogscore=999 bulkscore=0 clxscore=1015 malwarescore=0 mlxscore=0 priorityscore=1501 phishscore=0 impostorscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.19.0-2502280000 definitions=main-2504080107 Received-SPF: pass client-ip=148.163.156.1; envelope-from=zycai@linux.ibm.com; helo=mx0a-001b2d01.pphosted.com X-Spam_score_int: -26 X-Spam_score: -2.7 X-Spam_bar: -- X-Spam_report: (-2.7 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=0.001, RCVD_IN_VALIDITY_CERTIFIED_BLOCKED=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-Mailman-Approved-At: Tue, 08 Apr 2025 12:17:33 -0400 X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org Sender: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org Create a certificate store for boot certificates used for secure IPL. Load certificates from the -boot-certificate option into the cert store. Currently, only x509 certificates in DER format and uses SHA-256 hashing algorithm are supported, as these are the types required for secure boot on s390. Signed-off-by: Zhuoying Cai --- hw/s390x/cert-store.c | 249 ++++++++++++++++++++++++++++++++++++ hw/s390x/cert-store.h | 50 ++++++++ hw/s390x/ipl.c | 9 ++ hw/s390x/ipl.h | 3 + hw/s390x/meson.build | 1 + include/hw/s390x/ipl/qipl.h | 3 + 6 files changed, 315 insertions(+) create mode 100644 hw/s390x/cert-store.c create mode 100644 hw/s390x/cert-store.h diff --git a/hw/s390x/cert-store.c b/hw/s390x/cert-store.c new file mode 100644 index 0000000000..1aa8aea040 --- /dev/null +++ b/hw/s390x/cert-store.c @@ -0,0 +1,249 @@ +/* + * S390 certificate store implementation + * + * Copyright 2025 IBM Corp. + * Author(s): Zhuoying Cai + * + * SPDX-License-Identifier: GPL-2.0-or-later + */ + +#include "qemu/osdep.h" +#include "cert-store.h" +#include "qemu/error-report.h" +#include "qemu/option.h" +#include "qemu/config-file.h" +#include "hw/s390x/ebcdic.h" +#include "qemu/cutils.h" +#include "cert-store.h" + +#ifdef CONFIG_GNUTLS +#include +#include +#endif /* #define CONFIG_GNUTLS */ + +static const char *s390_get_boot_certificates(void) +{ + QemuOpts *opts; + const char *path; + + opts = qemu_find_opts_singleton("boot-certificates"); + path = qemu_opt_get(opts, "boot-certificates"); + + return path; +} + +static size_t cert2buf(char *path, size_t max_size, char **cert_buf) +{ + size_t size; + g_autofree char *buf; + buf = g_malloc(max_size); + + if (!g_file_get_contents(path, &buf, &size, NULL) || + size == 0 || size > max_size) { + return 0; + } + + *cert_buf = g_steal_pointer(&buf); + + return size; +} + +#ifdef CONFIG_GNUTLS +int g_init_cert(uint8_t *raw_cert, size_t cert_size, gnutls_x509_crt_t *g_cert) +{ + int rc; + + if (gnutls_x509_crt_init(g_cert) < 0) { + return -1; + } + + gnutls_datum_t datum_cert = {raw_cert, cert_size}; + rc = gnutls_x509_crt_import(*g_cert, &datum_cert, GNUTLS_X509_FMT_DER); + if (rc) { + gnutls_x509_crt_deinit(*g_cert); + return rc; + } + + return 0; +} +#endif /* CONFIG_GNUTLS */ + +static int init_cert_x509_der(size_t size, char *raw, S390IPLCertificate **qcert) +{ +#ifdef CONFIG_GNUTLS + gnutls_x509_crt_t g_cert = NULL; + g_autofree S390IPLCertificate *q_cert; + size_t key_id_size; + size_t hash_size; + int rc; + + rc = g_init_cert((uint8_t *)raw, size, &g_cert); + if (rc) { + if (rc == GNUTLS_E_ASN1_TAG_ERROR) { + error_report("The certificate is not in DER format"); + } + return -1; + } + + rc = gnutls_x509_crt_get_key_id(g_cert, GNUTLS_KEYID_USE_SHA256, NULL, &key_id_size); + if (rc != GNUTLS_E_SHORT_MEMORY_BUFFER) { + error_report("Failed to get certificate key ID size"); + goto out; + } + + rc = gnutls_x509_crt_get_fingerprint(g_cert, GNUTLS_DIG_SHA256, NULL, &hash_size); + if (rc != GNUTLS_E_SHORT_MEMORY_BUFFER) { + error_report("Failed to get certificate hash size"); + goto out; + } + + q_cert = g_malloc(sizeof(*q_cert)); + q_cert->size = size; + q_cert->key_id_size = key_id_size; + q_cert->hash_size = hash_size; + q_cert->raw = raw; + q_cert->format = GNUTLS_X509_FMT_DER; + *qcert = g_steal_pointer(&q_cert); + + gnutls_x509_crt_deinit(g_cert); + + return 0; +out: + gnutls_x509_crt_deinit(g_cert); + return -1; +#else + error_report("Cryptographic library is not enabled") + return -1; +#endif /* #define CONFIG_GNUTLS */ +} + +static int check_path_type(const char *path) +{ + struct stat path_stat; + + stat(path, &path_stat); + + if (S_ISDIR(path_stat.st_mode)) { + return S_IFDIR; + } else if (S_ISREG(path_stat.st_mode)) { + return S_IFREG; + } else { + return -1; + } +} + +static int init_cert(char *paths, S390IPLCertificate **qcert) +{ + char *buf; + char vc_name[VC_NAME_LEN_BYTES]; + const gchar *filename; + size_t size; + + filename = g_path_get_basename(paths); + + size = cert2buf(paths, CERT_MAX_SIZE, &buf); + if (size == 0) { + error_report("Failed to load certificate: %s", paths); + return -1; + } + + if (init_cert_x509_der(size, buf, qcert) < 0) { + error_report("Failed to initialize certificate: %s", paths); + return -1; + } + + /* + * Left justified certificate name with padding on the right with blanks. + * Convert certificate name to EBCDIC. + */ + strpadcpy(vc_name, VC_NAME_LEN_BYTES, filename, ' '); + ebcdic_put((*qcert)->vc_name, vc_name, VC_NAME_LEN_BYTES); + + return 0; +} + +static void update_cert_store(S390IPLCertificateStore *cert_store, + S390IPLCertificate *qcert) +{ + size_t data_size; + + data_size = qcert->size + qcert->key_id_size + qcert->hash_size; + + if (cert_store->max_cert_size < data_size) { + cert_store->max_cert_size = data_size; + } + + cert_store->certs[cert_store->count] = *qcert; + cert_store->total_bytes += data_size; + cert_store->count++; +} + +static GPtrArray *get_cert_paths(void) +{ + const char *path; + gchar **paths; + int path_type; + GDir *dir = NULL; + const gchar *filename; + GPtrArray *cert_path_builder; + + cert_path_builder = g_ptr_array_new(); + + path = s390_get_boot_certificates(); + if (path == NULL) { + return cert_path_builder; + } + + paths = g_strsplit(path, ":", -1); + while (*paths) { + /* skip empty certificate path */ + if (!strcmp(*paths, "")) { + paths += 1; + continue; + } + + path_type = check_path_type(*paths); + if (path_type == S_IFREG) { + g_ptr_array_add(cert_path_builder, (gpointer) *paths); + } else if (path_type == S_IFDIR) { + dir = g_dir_open(*paths, 0, NULL); + + while ((filename = g_dir_read_name(dir))) { + gchar *cert_path = NULL; + cert_path = g_build_filename(*paths, filename, NULL); + g_ptr_array_add(cert_path_builder, (gpointer) cert_path); + } + + g_dir_close(dir); + } + + paths += 1; + } + + return cert_path_builder; +} + +void s390_ipl_create_cert_store(S390IPLCertificateStore *cert_store) +{ + GPtrArray *cert_path_builder; + + cert_path_builder = get_cert_paths(); + if (cert_path_builder->len == 0) { + g_ptr_array_free(cert_path_builder, true); + return; + } + + cert_store->max_cert_size = 0; + cert_store->total_bytes = 0; + + for (int i = 0; i < cert_path_builder->len; i++) { + S390IPLCertificate *qcert = NULL; + if (init_cert((char *) cert_path_builder->pdata[i], &qcert) < 0) { + continue; + } + + update_cert_store(cert_store, qcert); + } + + g_ptr_array_free(cert_path_builder, true); +} diff --git a/hw/s390x/cert-store.h b/hw/s390x/cert-store.h new file mode 100644 index 0000000000..80141c07da --- /dev/null +++ b/hw/s390x/cert-store.h @@ -0,0 +1,50 @@ +/* + * S390 certificate store + * + * Copyright 2025 IBM Corp. + * Author(s): Zhuoying Cai + * + * This work is licensed under the terms of the GNU GPL, version 2 or (at + * your option) any later version. See the COPYING file in the top-level + * directory. + */ + +#ifndef HW_S390_CERT_STORE_H +#define HW_S390_CERT_STORE_H + +#include "hw/s390x/ipl/qipl.h" + +#ifdef CONFIG_GNUTLS +#include +#include +#endif /* #define CONFIG_GNUTLS */ + +#define VC_NAME_LEN_BYTES 64 + +struct S390IPLCertificate { + uint8_t vc_name[VC_NAME_LEN_BYTES]; + size_t size; + size_t key_id_size; + size_t hash_size; + char *raw; +#ifdef CONFIG_GNUTLS + gnutls_x509_crt_fmt_t format; +#endif /* #define CONFIG_GNUTLS */ +}; +typedef struct S390IPLCertificate S390IPLCertificate; + +struct S390IPLCertificateStore { + uint16_t count; + size_t max_cert_size; + size_t total_bytes; + S390IPLCertificate certs[MAX_CERTIFICATES]; +} QEMU_PACKED; +typedef struct S390IPLCertificateStore S390IPLCertificateStore; + +#ifdef CONFIG_GNUTLS +int g_init_cert(uint8_t *raw_cert, size_t cert_size, gnutls_x509_crt_t *g_cert); +#endif /* #define CONFIG_GNUTLS */ + +void s390_ipl_create_cert_store(S390IPLCertificateStore *cert_store); + +#endif diff --git a/hw/s390x/ipl.c b/hw/s390x/ipl.c index ce6f6078d7..b0810c9191 100644 --- a/hw/s390x/ipl.c +++ b/hw/s390x/ipl.c @@ -36,6 +36,7 @@ #include "qemu/option.h" #include "qemu/ctype.h" #include "standard-headers/linux/virtio_ids.h" +#include "cert-store.h" #define KERN_IMAGE_START 0x010000UL #define LINUX_MAGIC_ADDR 0x010008UL @@ -423,6 +424,13 @@ void s390_ipl_convert_loadparm(char *ascii_lp, uint8_t *ebcdic_lp) } } +S390IPLCertificateStore *s390_ipl_get_certificate_store(void) +{ + S390IPLState *ipl = get_ipl_device(); + + return &ipl->cert_store; +} + static bool s390_build_iplb(DeviceState *dev_st, IplParameterBlock *iplb) { CcwDevice *ccw_dev = NULL; @@ -716,6 +724,7 @@ void s390_ipl_prepare_cpu(S390CPU *cpu) if (!ipl->kernel || ipl->iplb_valid) { cpu->env.psw.addr = ipl->bios_start_addr; + s390_ipl_create_cert_store(&ipl->cert_store); if (!ipl->iplb_valid) { ipl->iplb_valid = s390_init_all_iplbs(ipl); } else { diff --git a/hw/s390x/ipl.h b/hw/s390x/ipl.h index 8e3882d506..8c2a442255 100644 --- a/hw/s390x/ipl.h +++ b/hw/s390x/ipl.h @@ -13,6 +13,7 @@ #ifndef HW_S390_IPL_H #define HW_S390_IPL_H +#include "cert-store.h" #include "cpu.h" #include "exec/address-spaces.h" #include "hw/qdev-core.h" @@ -31,6 +32,7 @@ int s390_ipl_pv_unpack(void); void s390_ipl_prepare_cpu(S390CPU *cpu); IplParameterBlock *s390_ipl_get_iplb(void); IplParameterBlock *s390_ipl_get_iplb_pv(void); +S390IPLCertificateStore *s390_ipl_get_certificate_store(void); enum s390_reset { /* default is a reset not triggered by a CPU e.g. issued by QMP */ @@ -59,6 +61,7 @@ struct S390IPLState { IplParameterBlock iplb; IplParameterBlock iplb_pv; QemuIplParameters qipl; + S390IPLCertificateStore cert_store; uint64_t start_addr; uint64_t compat_start_addr; uint64_t bios_start_addr; diff --git a/hw/s390x/meson.build b/hw/s390x/meson.build index 610b29bf76..8f0cfaa056 100644 --- a/hw/s390x/meson.build +++ b/hw/s390x/meson.build @@ -16,6 +16,7 @@ s390x_ss.add(files( 'sclpcpu.c', 'sclpquiesce.c', 'tod.c', + 'cert-store.c', )) s390x_ss.add(when: 'CONFIG_KVM', if_true: files( 'tod-kvm.c', diff --git a/include/hw/s390x/ipl/qipl.h b/include/hw/s390x/ipl/qipl.h index 6824391111..b8e7d1da71 100644 --- a/include/hw/s390x/ipl/qipl.h +++ b/include/hw/s390x/ipl/qipl.h @@ -20,6 +20,9 @@ #define LOADPARM_LEN 8 #define NO_LOADPARM "\0\0\0\0\0\0\0\0" +#define MAX_CERTIFICATES 64 +#define CERT_MAX_SIZE (1024 * 8) + /* * The QEMU IPL Parameters will be stored at absolute address * 204 (0xcc) which means it is 32-bit word aligned but not From patchwork Tue Apr 8 15:55:05 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Zhuoying Cai X-Patchwork-Id: 14043381 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id B496DC369A4 for ; Tue, 8 Apr 2025 16:24:28 +0000 (UTC) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1u2Be5-0006sM-1K; Tue, 08 Apr 2025 12:17:53 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1u2BIa-0005Ta-JT; Tue, 08 Apr 2025 11:55:40 -0400 Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1u2BIY-0005ra-Kp; Tue, 08 Apr 2025 11:55:40 -0400 Received: from pps.filterd (m0360072.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 5386cJc4005911; Tue, 8 Apr 2025 15:55:37 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ibm.com; h=cc :content-transfer-encoding:date:from:in-reply-to:message-id :mime-version:references:subject:to; s=pp1; bh=FJnO2dqRlCaTjkBm+ G7APP1JvRrPE8M1ijhbxvIAyg0=; b=MkmmdviCLUKZwKMKcfxbcuE5vAwpe8mzz eMpjYW28SVTprEu1wmFywS3KfVyve7YsgF/AHbSNzLKMLwo8j0yV2bolvFM8jrfb m3X8SlZGNIRwru5kTgfLP0AGHEsQDHLF4lfgIKxD4rIdaVNorcsZdkaacHqTZ0eb GccFDFjLYimJWo2QizOaCMuvoH6i74zHFZDr6GHqaPddTYIgY+Z884i1d46+v/jF Nx2f8Jb5+kqI8wqItaYT9xz+OBhLXFKNrVaOrifldjN+kT2TqXrqjnUoJKx4Ik0n HJIb52f+ZuXIUNbeGkSuwN6zw53MjOpqrR9X0fEAniVZ20YWfw5aA== Received: from ppma21.wdc07v.mail.ibm.com (5b.69.3da9.ip4.static.sl-reverse.com [169.61.105.91]) by mx0a-001b2d01.pphosted.com (PPS) with ESMTPS id 45vjvxnbsn-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 08 Apr 2025 15:55:36 +0000 (GMT) Received: from pps.filterd (ppma21.wdc07v.mail.ibm.com [127.0.0.1]) by ppma21.wdc07v.mail.ibm.com (8.18.1.2/8.18.1.2) with ESMTP id 538CJVQs013860; Tue, 8 Apr 2025 15:55:36 GMT Received: from smtprelay06.wdc07v.mail.ibm.com ([172.16.1.73]) by ppma21.wdc07v.mail.ibm.com (PPS) with ESMTPS id 45ufunkb9p-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 08 Apr 2025 15:55:36 +0000 Received: from smtpav06.wdc07v.mail.ibm.com (smtpav06.wdc07v.mail.ibm.com [10.39.53.233]) by smtprelay06.wdc07v.mail.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id 538FtYFh25625102 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Tue, 8 Apr 2025 15:55:35 GMT Received: from smtpav06.wdc07v.mail.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id E06DB5803F; Tue, 8 Apr 2025 15:55:34 +0000 (GMT) Received: from smtpav06.wdc07v.mail.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 6F0225804E; Tue, 8 Apr 2025 15:55:33 +0000 (GMT) Received: from fedora-workstation.ibmuc.com (unknown [9.61.125.94]) by smtpav06.wdc07v.mail.ibm.com (Postfix) with ESMTP; Tue, 8 Apr 2025 15:55:33 +0000 (GMT) From: Zhuoying Cai To: thuth@redhat.com, richard.henderson@linaro.org, david@redhat.com, pbonzini@redhat.com Cc: walling@linux.ibm.com, jjherne@linux.ibm.com, jrossi@linux.ibm.com, fiuczy@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, iii@linux.ibm.com, qemu-s390x@nongnu.org, qemu-devel@nongnu.org, zycai@linux.ibm.com Subject: [PATCH v1 03/24] s390x: Guest support for Certificate Store Facility (CS) Date: Tue, 8 Apr 2025 11:55:05 -0400 Message-ID: <20250408155527.123341-4-zycai@linux.ibm.com> X-Mailer: git-send-email 2.49.0 In-Reply-To: <20250408155527.123341-1-zycai@linux.ibm.com> References: <20250408155527.123341-1-zycai@linux.ibm.com> MIME-Version: 1.0 X-TM-AS-GCONF: 00 X-Proofpoint-ORIG-GUID: xd9UICR7suTnfYsWS0c-MrD_-eN3lwTZ X-Proofpoint-GUID: xd9UICR7suTnfYsWS0c-MrD_-eN3lwTZ X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1095,Hydra:6.0.680,FMLib:17.12.68.34 definitions=2025-04-08_06,2025-04-08_03,2024-11-22_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 phishscore=0 malwarescore=0 mlxscore=0 bulkscore=0 mlxlogscore=999 impostorscore=0 adultscore=0 priorityscore=1501 suspectscore=0 lowpriorityscore=0 clxscore=1015 spamscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.19.0-2502280000 definitions=main-2504080107 Received-SPF: pass client-ip=148.163.158.5; envelope-from=zycai@linux.ibm.com; helo=mx0b-001b2d01.pphosted.com X-Spam_score_int: -26 X-Spam_score: -2.7 X-Spam_bar: -- X-Spam_report: (-2.7 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H5=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_VALIDITY_CERTIFIED_BLOCKED=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-Mailman-Approved-At: Tue, 08 Apr 2025 12:17:33 -0400 X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org Sender: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org DIAG 320 is supported when the certificate-store (CS) facility is installed. Availability of CS facility is determined by byte 134 bit 5 of the SCLP Read Info block. Signed-off-by: Zhuoying Cai --- target/s390x/cpu_features.c | 1 + target/s390x/cpu_features_def.h.inc | 1 + target/s390x/cpu_models.c | 2 ++ target/s390x/gen-features.c | 1 + target/s390x/kvm/kvm.c | 2 ++ 5 files changed, 7 insertions(+) diff --git a/target/s390x/cpu_features.c b/target/s390x/cpu_features.c index 4b5be6798e..99089ab3f5 100644 --- a/target/s390x/cpu_features.c +++ b/target/s390x/cpu_features.c @@ -147,6 +147,7 @@ void s390_fill_feat_block(const S390FeatBitmap features, S390FeatType type, break; case S390_FEAT_TYPE_SCLP_FAC134: clear_be_bit(s390_feat_def(S390_FEAT_DIAG_318)->bit, data); + clear_be_bit(s390_feat_def(S390_FEAT_DIAG_320)->bit, data); break; default: return; diff --git a/target/s390x/cpu_features_def.h.inc b/target/s390x/cpu_features_def.h.inc index e23e603a79..65d38f546d 100644 --- a/target/s390x/cpu_features_def.h.inc +++ b/target/s390x/cpu_features_def.h.inc @@ -138,6 +138,7 @@ DEF_FEAT(SIE_IBS, "ibs", SCLP_CONF_CHAR_EXT, 10, "SIE: Interlock-and-broadcast-s /* Features exposed via SCLP SCCB Facilities byte 134 (bit numbers relative to byte-134) */ DEF_FEAT(DIAG_318, "diag318", SCLP_FAC134, 0, "Control program name and version codes") +DEF_FEAT(DIAG_320, "diag320", SCLP_FAC134, 5, "Provide Certificate Store functions") /* Features exposed via SCLP CPU info. */ DEF_FEAT(SIE_F2, "sief2", SCLP_CPU, 4, "SIE: interception format 2 (Virtual SIE)") diff --git a/target/s390x/cpu_models.c b/target/s390x/cpu_models.c index 93a05e43d7..7d65c40bd1 100644 --- a/target/s390x/cpu_models.c +++ b/target/s390x/cpu_models.c @@ -248,6 +248,7 @@ bool s390_has_feat(S390Feat feat) if (s390_is_pv()) { switch (feat) { case S390_FEAT_DIAG_318: + case S390_FEAT_DIAG_320: case S390_FEAT_HPMA2: case S390_FEAT_SIE_F2: case S390_FEAT_SIE_SKEY: @@ -505,6 +506,7 @@ static void check_consistency(const S390CPUModel *model) { S390_FEAT_PTFF_STOUE, S390_FEAT_MULTIPLE_EPOCH }, { S390_FEAT_AP_QUEUE_INTERRUPT_CONTROL, S390_FEAT_AP }, { S390_FEAT_DIAG_318, S390_FEAT_EXTENDED_LENGTH_SCCB }, + { S390_FEAT_DIAG_320, S390_FEAT_EXTENDED_LENGTH_SCCB }, { S390_FEAT_NNPA, S390_FEAT_VECTOR }, { S390_FEAT_RDP, S390_FEAT_LOCAL_TLB_CLEARING }, { S390_FEAT_UV_FEAT_AP, S390_FEAT_AP }, diff --git a/target/s390x/gen-features.c b/target/s390x/gen-features.c index 41840677ce..52c649adcd 100644 --- a/target/s390x/gen-features.c +++ b/target/s390x/gen-features.c @@ -696,6 +696,7 @@ static uint16_t full_GEN14_GA1[] = { S390_FEAT_HPMA2, S390_FEAT_SIE_KSS, S390_FEAT_GROUP_MULTIPLE_EPOCH_PTFF, + S390_FEAT_DIAG_320, }; #define full_GEN14_GA2 EmptyFeat diff --git a/target/s390x/kvm/kvm.c b/target/s390x/kvm/kvm.c index 4d56e653dd..d07ca879a3 100644 --- a/target/s390x/kvm/kvm.c +++ b/target/s390x/kvm/kvm.c @@ -2487,6 +2487,8 @@ bool kvm_s390_get_host_cpu_model(S390CPUModel *model, Error **errp) set_bit(S390_FEAT_DIAG_318, model->features); } + set_bit(S390_FEAT_DIAG_320, model->features); + /* Test for Ultravisor features that influence secure guest behavior */ query_uv_feat_guest(model->features); From patchwork Tue Apr 8 15:55:06 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Zhuoying Cai X-Patchwork-Id: 14043385 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id EC8F1C369A2 for ; Tue, 8 Apr 2025 16:26:03 +0000 (UTC) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1u2Be2-0006sJ-DG; Tue, 08 Apr 2025 12:17:50 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1u2BIc-0005UJ-2M; Tue, 08 Apr 2025 11:55:43 -0400 Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1u2BIa-0005s0-7v; Tue, 08 Apr 2025 11:55:41 -0400 Received: from pps.filterd (m0353725.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 538A6jfd029373; Tue, 8 Apr 2025 15:55:38 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ibm.com; h=cc :content-transfer-encoding:date:from:in-reply-to:message-id :mime-version:references:subject:to; s=pp1; bh=4Eb3DyixIvPG6SlUX tBXVlVG9B6zCRiscUROQhYTVM8=; b=AQ/xA5It5bnYspkeT0XgebsEpiiNlIzZb CNqJTzY+vtJ1D1fpjDzN+pIW07E7TYnZDrMOmW6WFCPpZFyopiFvHIxT9LDDzsAh 54PzVWPuP0Yu4gIHtGWXlgkTLkPaojZ0icCHqqaiXEz9si80aX7xN83IMOxT3bm6 soi31zv/CAzXQb+lmJFSXL4eMQhbZLaRX+rPQONORaQscBgmAjcUOMM2hX2oQZOU 7Fc4fbyDIPDU29riHN2Mw2iokECvo2lLjnMnuXsl40wf+AqS7hK2/vaDh5UiIy1q Nz9aism6/DBVD7WWIsJP+2jgkeBOaHGv4vsoqxTwbe9D6ivmAdtkQ== Received: from ppma11.dal12v.mail.ibm.com (db.9e.1632.ip4.static.sl-reverse.com [50.22.158.219]) by mx0a-001b2d01.pphosted.com (PPS) with ESMTPS id 45vnx0mhg1-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 08 Apr 2025 15:55:38 +0000 (GMT) Received: from pps.filterd (ppma11.dal12v.mail.ibm.com [127.0.0.1]) by ppma11.dal12v.mail.ibm.com (8.18.1.2/8.18.1.2) with ESMTP id 538E1j8j018873; Tue, 8 Apr 2025 15:55:37 GMT Received: from smtprelay02.dal12v.mail.ibm.com ([172.16.1.4]) by ppma11.dal12v.mail.ibm.com (PPS) with ESMTPS id 45uhj2b1bh-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 08 Apr 2025 15:55:37 +0000 Received: from smtpav06.wdc07v.mail.ibm.com (smtpav06.wdc07v.mail.ibm.com [10.39.53.233]) by smtprelay02.dal12v.mail.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id 538FtaYL21037724 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Tue, 8 Apr 2025 15:55:36 GMT Received: from smtpav06.wdc07v.mail.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 8A2A25804E; Tue, 8 Apr 2025 15:55:36 +0000 (GMT) Received: from smtpav06.wdc07v.mail.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 144275803F; Tue, 8 Apr 2025 15:55:35 +0000 (GMT) Received: from fedora-workstation.ibmuc.com (unknown [9.61.125.94]) by smtpav06.wdc07v.mail.ibm.com (Postfix) with ESMTP; Tue, 8 Apr 2025 15:55:34 +0000 (GMT) From: Zhuoying Cai To: thuth@redhat.com, richard.henderson@linaro.org, david@redhat.com, pbonzini@redhat.com Cc: walling@linux.ibm.com, jjherne@linux.ibm.com, jrossi@linux.ibm.com, fiuczy@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, iii@linux.ibm.com, qemu-s390x@nongnu.org, qemu-devel@nongnu.org, zycai@linux.ibm.com Subject: [PATCH v1 04/24] s390x/diag: Introduce DIAG 320 for certificate store facility Date: Tue, 8 Apr 2025 11:55:06 -0400 Message-ID: <20250408155527.123341-5-zycai@linux.ibm.com> X-Mailer: git-send-email 2.49.0 In-Reply-To: <20250408155527.123341-1-zycai@linux.ibm.com> References: <20250408155527.123341-1-zycai@linux.ibm.com> MIME-Version: 1.0 X-TM-AS-GCONF: 00 X-Proofpoint-GUID: AzDDmquHJbIlmRXLUpgpi60DgWqtqbT9 X-Proofpoint-ORIG-GUID: AzDDmquHJbIlmRXLUpgpi60DgWqtqbT9 X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1095,Hydra:6.0.680,FMLib:17.12.68.34 definitions=2025-04-08_06,2025-04-08_03,2024-11-22_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 impostorscore=0 mlxlogscore=960 lowpriorityscore=0 phishscore=0 priorityscore=1501 clxscore=1015 malwarescore=0 mlxscore=0 adultscore=0 spamscore=0 bulkscore=0 suspectscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.19.0-2502280000 definitions=main-2504080107 Received-SPF: pass client-ip=148.163.158.5; envelope-from=zycai@linux.ibm.com; helo=mx0b-001b2d01.pphosted.com X-Spam_score_int: -26 X-Spam_score: -2.7 X-Spam_bar: -- X-Spam_report: (-2.7 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H5=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_VALIDITY_CERTIFIED_BLOCKED=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-Mailman-Approved-At: Tue, 08 Apr 2025 12:17:33 -0400 X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org Sender: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org From: Collin Walling DIAGNOSE 320 is introduced to support certificate store facility, which includes operations such as query certificate storage information and provide certificates in the certificate store. Currently, only subcode 0 is supported with this patch, which is used to query a bitmap of which subcodes are supported. Signed-off-by: Zhuoying Cai --- hw/s390x/ipl.h | 1 + include/hw/s390x/ipl/diag320.h | 19 ++++++++++++++++++ target/s390x/diag.c | 36 ++++++++++++++++++++++++++++++++++ target/s390x/kvm/kvm.c | 14 +++++++++++++ target/s390x/s390x-internal.h | 2 ++ 5 files changed, 72 insertions(+) create mode 100644 include/hw/s390x/ipl/diag320.h diff --git a/hw/s390x/ipl.h b/hw/s390x/ipl.h index 8c2a442255..1bd73b4dc1 100644 --- a/hw/s390x/ipl.h +++ b/hw/s390x/ipl.h @@ -17,6 +17,7 @@ #include "cpu.h" #include "exec/address-spaces.h" #include "hw/qdev-core.h" +#include "hw/s390x/ipl/diag320.h" #include "hw/s390x/ipl/qipl.h" #include "qom/object.h" diff --git a/include/hw/s390x/ipl/diag320.h b/include/hw/s390x/ipl/diag320.h new file mode 100644 index 0000000000..d6f70c65df --- /dev/null +++ b/include/hw/s390x/ipl/diag320.h @@ -0,0 +1,19 @@ +/* + * S/390 DIAGNOSE 320 definitions and structures + * + * Copyright 2025 IBM Corp. + * Author(s): Zhuoying Cai + * + * This work is licensed under the terms of the GNU GPL, version 2 or (at + * your option) any later version. See the COPYING file in the top-level + * directory. + */ + +#ifndef S390X_DIAG320_H +#define S390X_DIAG320_H + +#define DIAG_320_SUBC_QUERY_ISM 0 + +#define DIAG_320_RC_OK 0x0001 + +#endif diff --git a/target/s390x/diag.c b/target/s390x/diag.c index da44b0133e..cb840e4b97 100644 --- a/target/s390x/diag.c +++ b/target/s390x/diag.c @@ -192,3 +192,39 @@ out: break; } } + +void handle_diag_320(CPUS390XState *env, uint64_t r1, uint64_t r3, uintptr_t ra) +{ + S390CPU *cpu = env_archcpu(env); + uint64_t subcode = env->regs[r3]; + uint64_t addr = env->regs[r1]; + int rc; + + if (env->psw.mask & PSW_MASK_PSTATE) { + s390_program_interrupt(env, PGM_PRIVILEGED, ra); + return; + } + + if (r1 & 1) { + s390_program_interrupt(env, PGM_SPECIFICATION, ra); + return; + } + + switch (subcode) { + case DIAG_320_SUBC_QUERY_ISM: + uint64_t ism = 0; + + if (s390_cpu_virt_mem_write(cpu, addr, (uint8_t)r1, &ism, + be64_to_cpu(sizeof(ism)))) { + s390_cpu_virt_mem_handle_exc(cpu, ra); + return; + } + + rc = DIAG_320_RC_OK; + break; + default: + s390_program_interrupt(env, PGM_SPECIFICATION, ra); + return; + } + env->regs[r1 + 1] = rc; +} diff --git a/target/s390x/kvm/kvm.c b/target/s390x/kvm/kvm.c index d07ca879a3..b013751478 100644 --- a/target/s390x/kvm/kvm.c +++ b/target/s390x/kvm/kvm.c @@ -98,6 +98,7 @@ #define DIAG_TIMEREVENT 0x288 #define DIAG_IPL 0x308 #define DIAG_SET_CONTROL_PROGRAM_CODES 0x318 +#define DIAG_CERT_STORE 0x320 #define DIAG_KVM_HYPERCALL 0x500 #define DIAG_KVM_BREAKPOINT 0x501 @@ -1561,6 +1562,16 @@ static void handle_diag_318(S390CPU *cpu, struct kvm_run *run) } } +static void kvm_handle_diag_320(S390CPU *cpu, struct kvm_run *run) +{ + uint64_t r1, r3; + + r1 = (run->s390_sieic.ipa & 0x00f0) >> 4; + r3 = run->s390_sieic.ipa & 0x000f; + + handle_diag_320(&cpu->env, r1, r3, RA_IGNORED); +} + #define DIAG_KVM_CODE_MASK 0x000000000000ffff static int handle_diag(S390CPU *cpu, struct kvm_run *run, uint32_t ipb) @@ -1591,6 +1602,9 @@ static int handle_diag(S390CPU *cpu, struct kvm_run *run, uint32_t ipb) case DIAG_KVM_BREAKPOINT: r = handle_sw_breakpoint(cpu, run); break; + case DIAG_CERT_STORE: + kvm_handle_diag_320(cpu, run); + break; default: trace_kvm_insn_diag(func_code); kvm_s390_program_interrupt(cpu, PGM_SPECIFICATION); diff --git a/target/s390x/s390x-internal.h b/target/s390x/s390x-internal.h index a4ba6227ab..86a652f833 100644 --- a/target/s390x/s390x-internal.h +++ b/target/s390x/s390x-internal.h @@ -400,6 +400,8 @@ int mmu_translate_real(CPUS390XState *env, target_ulong raddr, int rw, int handle_diag_288(CPUS390XState *env, uint64_t r1, uint64_t r3); void handle_diag_308(CPUS390XState *env, uint64_t r1, uint64_t r3, uintptr_t ra); +void handle_diag_320(CPUS390XState *env, uint64_t r1, uint64_t r3, + uintptr_t ra); /* translate.c */ From patchwork Tue Apr 8 15:55:07 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Zhuoying Cai X-Patchwork-Id: 14043359 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id C714FC369A2 for ; Tue, 8 Apr 2025 16:19:02 +0000 (UTC) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1u2Be2-0006sL-VK; Tue, 08 Apr 2025 12:17:51 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1u2BIf-0005VV-3T; Tue, 08 Apr 2025 11:55:45 -0400 Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1u2BId-0005se-Fq; Tue, 08 Apr 2025 11:55:44 -0400 Received: from pps.filterd (m0360072.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 538D4iJW005761; Tue, 8 Apr 2025 15:55:41 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ibm.com; h=cc :content-transfer-encoding:date:from:in-reply-to:message-id :mime-version:references:subject:to; s=pp1; bh=y59yHsdD9HnYWIUlR pBWECylzu6zQA0zTw9hn4BZD1c=; b=GRg9LPH0SCT7+rKrsPEVTpDxZib4j7whZ aD029zNVCaTw8YoBQNOwbUkOvNEc4AexEqsvfcO4UvNgKyPkkiLUq2n9AB+BZtJF ov68GYEvtf4on7K4XGRWdJSQSFFCj817dxqzbGnW6AVdqiGp23ivVjMbeg6B42/f VwUq4QTdXj88P4cIclJvoXty6ktLakBjhuo5IDLnpBvIGRi9RXiHpr3Bh1TVrM2h f+Ex1JwdUy2e9WZyKWNG91y0mf8J6cDEy6V3w+qieLFEW+EJWvH+a35C+HZvvFFp zeSoNc+Fuk0n+/Wd95YF/UwBUBWgf3L91dAt4RNJu5iFu0dHEcQaA== Received: from ppma21.wdc07v.mail.ibm.com (5b.69.3da9.ip4.static.sl-reverse.com [169.61.105.91]) by mx0a-001b2d01.pphosted.com (PPS) with ESMTPS id 45vjvxnbsw-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 08 Apr 2025 15:55:40 +0000 (GMT) Received: from pps.filterd (ppma21.wdc07v.mail.ibm.com [127.0.0.1]) by ppma21.wdc07v.mail.ibm.com (8.18.1.2/8.18.1.2) with ESMTP id 538Cg1CB013858; Tue, 8 Apr 2025 15:55:39 GMT Received: from smtprelay04.dal12v.mail.ibm.com ([172.16.1.6]) by ppma21.wdc07v.mail.ibm.com (PPS) with ESMTPS id 45ufunkb9t-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 08 Apr 2025 15:55:39 +0000 Received: from smtpav06.wdc07v.mail.ibm.com (smtpav06.wdc07v.mail.ibm.com [10.39.53.233]) by smtprelay04.dal12v.mail.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id 538FtcXd23527948 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Tue, 8 Apr 2025 15:55:38 GMT Received: from smtpav06.wdc07v.mail.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 2F72D5803F; Tue, 8 Apr 2025 15:55:38 +0000 (GMT) Received: from smtpav06.wdc07v.mail.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id B459458054; Tue, 8 Apr 2025 15:55:36 +0000 (GMT) Received: from fedora-workstation.ibmuc.com (unknown [9.61.125.94]) by smtpav06.wdc07v.mail.ibm.com (Postfix) with ESMTP; Tue, 8 Apr 2025 15:55:36 +0000 (GMT) From: Zhuoying Cai To: thuth@redhat.com, richard.henderson@linaro.org, david@redhat.com, pbonzini@redhat.com Cc: walling@linux.ibm.com, jjherne@linux.ibm.com, jrossi@linux.ibm.com, fiuczy@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, iii@linux.ibm.com, qemu-s390x@nongnu.org, qemu-devel@nongnu.org, zycai@linux.ibm.com Subject: [PATCH v1 05/24] s390x/diag: Refactor address validation check from diag308_parm_check Date: Tue, 8 Apr 2025 11:55:07 -0400 Message-ID: <20250408155527.123341-6-zycai@linux.ibm.com> X-Mailer: git-send-email 2.49.0 In-Reply-To: <20250408155527.123341-1-zycai@linux.ibm.com> References: <20250408155527.123341-1-zycai@linux.ibm.com> MIME-Version: 1.0 X-TM-AS-GCONF: 00 X-Proofpoint-ORIG-GUID: vRbSMGc1nVAZcymP9u1YnGMP9zOmJNTc X-Proofpoint-GUID: vRbSMGc1nVAZcymP9u1YnGMP9zOmJNTc X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1095,Hydra:6.0.680,FMLib:17.12.68.34 definitions=2025-04-08_06,2025-04-08_03,2024-11-22_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 phishscore=0 malwarescore=0 mlxscore=0 bulkscore=0 mlxlogscore=842 impostorscore=0 adultscore=0 priorityscore=1501 suspectscore=0 lowpriorityscore=0 clxscore=1011 spamscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.19.0-2502280000 definitions=main-2504080107 Received-SPF: pass client-ip=148.163.158.5; envelope-from=zycai@linux.ibm.com; helo=mx0b-001b2d01.pphosted.com X-Spam_score_int: -26 X-Spam_score: -2.7 X-Spam_bar: -- X-Spam_report: (-2.7 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H5=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_VALIDITY_CERTIFIED_BLOCKED=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-Mailman-Approved-At: Tue, 08 Apr 2025 12:17:33 -0400 X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org Sender: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org From: Collin Walling Create a function to validate the address parameter of DIAGNOSE. Refactor the function for reuse in the next patch, which allows address validation in read or write operation of DIAGNOSE. Signed-off-by: Zhuoying Cai --- hw/s390x/ipl.h | 6 ++++++ target/s390x/diag.c | 4 +--- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/hw/s390x/ipl.h b/hw/s390x/ipl.h index 1bd73b4dc1..822535ad76 100644 --- a/hw/s390x/ipl.h +++ b/hw/s390x/ipl.h @@ -114,6 +114,12 @@ QEMU_BUILD_BUG_MSG(offsetof(S390IPLState, iplb) & 3, "alignment of iplb wrong"); #define S390_IPLB_MIN_FCP_LEN 384 #define S390_IPLB_MIN_QEMU_SCSI_LEN 200 +static inline bool diag_parm_addr_valid(uint64_t addr, size_t size, bool write) +{ + return address_space_access_valid(&address_space_memory, addr, + size, write, MEMTXATTRS_UNSPECIFIED); +} + static inline bool iplb_valid_len(IplParameterBlock *iplb) { return be32_to_cpu(iplb->len) <= sizeof(IplParameterBlock); diff --git a/target/s390x/diag.c b/target/s390x/diag.c index cb840e4b97..c64b935c87 100644 --- a/target/s390x/diag.c +++ b/target/s390x/diag.c @@ -64,9 +64,7 @@ static int diag308_parm_check(CPUS390XState *env, uint64_t r1, uint64_t addr, s390_program_interrupt(env, PGM_SPECIFICATION, ra); return -1; } - if (!address_space_access_valid(&address_space_memory, addr, - sizeof(IplParameterBlock), write, - MEMTXATTRS_UNSPECIFIED)) { + if (!diag_parm_addr_valid(addr, sizeof(IplParameterBlock), write)) { s390_program_interrupt(env, PGM_ADDRESSING, ra); return -1; } From patchwork Tue Apr 8 15:55:08 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Zhuoying Cai X-Patchwork-Id: 14043386 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 0D5C8C369A5 for ; Tue, 8 Apr 2025 16:26:06 +0000 (UTC) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1u2Be5-0006sR-3P; Tue, 08 Apr 2025 12:17:53 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1u2BIh-0005Vk-51; Tue, 08 Apr 2025 11:55:48 -0400 Received: from mx0a-001b2d01.pphosted.com ([148.163.156.1]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1u2BIf-0005t1-48; Tue, 08 Apr 2025 11:55:46 -0400 Received: from pps.filterd (m0360083.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 538Dn7HD029659; Tue, 8 Apr 2025 15:55:42 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ibm.com; h=cc :content-transfer-encoding:date:from:in-reply-to:message-id :mime-version:references:subject:to; s=pp1; bh=KhcpAoFLb3PigqirD OeQhntYaXygDToANiKBmIsrRos=; b=Hjr+auVy6FQ6/j+bVlhO0Lz8oKK3EJQ1L RUs+AvIq2H1iCr2oErBdD01D9mkdK8fZTTpuW9pvkiDRt8KS0RBBCWl0kLactUdD OPBQfvlxarfeJrJSFFSl3J95ffP2oy90E6sJ2nDidcYqQ755Twg598QgWPV9MHD9 x7SDFUcq3buiaNpeuHyjvSokUp6LeybhEfaK4YaQE4KdRe000f8DqLmMJxygOS6R CuoeGVkr6HegudvbpBACLO8M+Jlkzg7bImXrbOVXWs64r9SKTFlNJJVQabU/oRog LhPugJHEQc/nunzpNU9MfdOXBxcLMdhX8kPxllK6uZWjtdB8aBXNg== Received: from ppma22.wdc07v.mail.ibm.com (5c.69.3da9.ip4.static.sl-reverse.com [169.61.105.92]) by mx0a-001b2d01.pphosted.com (PPS) with ESMTPS id 45vv6a3amd-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 08 Apr 2025 15:55:42 +0000 (GMT) Received: from pps.filterd (ppma22.wdc07v.mail.ibm.com [127.0.0.1]) by ppma22.wdc07v.mail.ibm.com (8.18.1.2/8.18.1.2) with ESMTP id 538FIOrJ011326; Tue, 8 Apr 2025 15:55:41 GMT Received: from smtprelay05.dal12v.mail.ibm.com ([172.16.1.7]) by ppma22.wdc07v.mail.ibm.com (PPS) with ESMTPS id 45uf7ykgpc-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 08 Apr 2025 15:55:41 +0000 Received: from smtpav06.wdc07v.mail.ibm.com (smtpav06.wdc07v.mail.ibm.com [10.39.53.233]) by smtprelay05.dal12v.mail.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id 538FtdmL26346174 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Tue, 8 Apr 2025 15:55:40 GMT Received: from smtpav06.wdc07v.mail.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id C11065803F; Tue, 8 Apr 2025 15:55:39 +0000 (GMT) Received: from smtpav06.wdc07v.mail.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 570B55804E; Tue, 8 Apr 2025 15:55:38 +0000 (GMT) Received: from fedora-workstation.ibmuc.com (unknown [9.61.125.94]) by smtpav06.wdc07v.mail.ibm.com (Postfix) with ESMTP; Tue, 8 Apr 2025 15:55:38 +0000 (GMT) From: Zhuoying Cai To: thuth@redhat.com, richard.henderson@linaro.org, david@redhat.com, pbonzini@redhat.com Cc: walling@linux.ibm.com, jjherne@linux.ibm.com, jrossi@linux.ibm.com, fiuczy@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, iii@linux.ibm.com, qemu-s390x@nongnu.org, qemu-devel@nongnu.org, zycai@linux.ibm.com Subject: [PATCH v1 06/24] s390x/diag: Implement DIAG 320 subcode 1 Date: Tue, 8 Apr 2025 11:55:08 -0400 Message-ID: <20250408155527.123341-7-zycai@linux.ibm.com> X-Mailer: git-send-email 2.49.0 In-Reply-To: <20250408155527.123341-1-zycai@linux.ibm.com> References: <20250408155527.123341-1-zycai@linux.ibm.com> MIME-Version: 1.0 X-TM-AS-GCONF: 00 X-Proofpoint-ORIG-GUID: hf5_e_3w1wZFP0z3nJs2zvAQflC7UyIA X-Proofpoint-GUID: hf5_e_3w1wZFP0z3nJs2zvAQflC7UyIA X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1095,Hydra:6.0.680,FMLib:17.12.68.34 definitions=2025-04-08_06,2025-04-08_03,2024-11-22_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 malwarescore=0 phishscore=0 lowpriorityscore=0 spamscore=0 priorityscore=1501 adultscore=0 clxscore=1011 suspectscore=0 bulkscore=0 mlxlogscore=951 mlxscore=0 impostorscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.19.0-2502280000 definitions=main-2504080107 Received-SPF: pass client-ip=148.163.156.1; envelope-from=zycai@linux.ibm.com; helo=mx0a-001b2d01.pphosted.com X-Spam_score_int: -26 X-Spam_score: -2.7 X-Spam_bar: -- X-Spam_report: (-2.7 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=0.001, RCVD_IN_VALIDITY_CERTIFIED_BLOCKED=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-Mailman-Approved-At: Tue, 08 Apr 2025 12:17:33 -0400 X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org Sender: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org DIAG 320 subcode 1 provides information needed to determine the amount of storage to store one or more certificates. The subcode value is denoted by setting the left-most bit of an 8-byte field. The verification-certificate-storage-size block (VCSSB) contains the output data when the operation completes successfully. Signed-off-by: Zhuoying Cai --- include/hw/s390x/ipl/diag320.h | 25 ++++++++++++++++++++++ target/s390x/diag.c | 39 +++++++++++++++++++++++++++++++++- 2 files changed, 63 insertions(+), 1 deletion(-) diff --git a/include/hw/s390x/ipl/diag320.h b/include/hw/s390x/ipl/diag320.h index d6f70c65df..ded336df25 100644 --- a/include/hw/s390x/ipl/diag320.h +++ b/include/hw/s390x/ipl/diag320.h @@ -13,7 +13,32 @@ #define S390X_DIAG320_H #define DIAG_320_SUBC_QUERY_ISM 0 +#define DIAG_320_SUBC_QUERY_VCSI 1 #define DIAG_320_RC_OK 0x0001 +#define DIAG_320_RC_NOMEM 0x0202 + +#define VCSSB_MAX_LEN 128 +#define VCE_HEADER_LEN 128 +#define VCB_HEADER_LEN 64 + +#define DIAG_320_ISM_QUERY_VCSI 0x4000000000000000 + +struct VerificationCertificateStorageSizeBlock { + uint32_t length; + uint8_t reserved0[3]; + uint8_t version; + uint32_t reserved1[6]; + uint16_t totalvc; + uint16_t maxvc; + uint32_t reserved3[7]; + uint32_t maxvcelen; + uint32_t reserved4[3]; + uint32_t largestvcblen; + uint32_t totalvcblen; + uint32_t reserved5[10]; +} QEMU_PACKED; +typedef struct VerificationCertificateStorageSizeBlock \ +VerificationCertificateStorageSizeBlock; #endif diff --git a/target/s390x/diag.c b/target/s390x/diag.c index c64b935c87..cc639819ec 100644 --- a/target/s390x/diag.c +++ b/target/s390x/diag.c @@ -194,6 +194,7 @@ out: void handle_diag_320(CPUS390XState *env, uint64_t r1, uint64_t r3, uintptr_t ra) { S390CPU *cpu = env_archcpu(env); + S390IPLCertificateStore *qcs = s390_ipl_get_certificate_store(); uint64_t subcode = env->regs[r3]; uint64_t addr = env->regs[r1]; int rc; @@ -210,7 +211,7 @@ void handle_diag_320(CPUS390XState *env, uint64_t r1, uint64_t r3, uintptr_t ra) switch (subcode) { case DIAG_320_SUBC_QUERY_ISM: - uint64_t ism = 0; + uint64_t ism = DIAG_320_ISM_QUERY_VCSI; if (s390_cpu_virt_mem_write(cpu, addr, (uint8_t)r1, &ism, be64_to_cpu(sizeof(ism)))) { @@ -218,6 +219,42 @@ void handle_diag_320(CPUS390XState *env, uint64_t r1, uint64_t r3, uintptr_t ra) return; } + rc = DIAG_320_RC_OK; + break; + case DIAG_320_SUBC_QUERY_VCSI: + VerificationCertificateStorageSizeBlock vcssb; + + if (!diag_parm_addr_valid(addr, sizeof(VerificationCertificateStorageSizeBlock), + true)) { + s390_program_interrupt(env, PGM_ADDRESSING, ra); + return; + } + + if (!qcs || !qcs->count) { + vcssb.length = 4; + } else { + vcssb.length = VCSSB_MAX_LEN; + vcssb.version = 0; + vcssb.totalvc = qcs->count; + vcssb.maxvc = MAX_CERTIFICATES; + vcssb.maxvcelen = VCE_HEADER_LEN + qcs->max_cert_size; + vcssb.largestvcblen = VCB_HEADER_LEN + vcssb.maxvcelen; + vcssb.totalvcblen = VCB_HEADER_LEN + qcs->count * VCE_HEADER_LEN + + qcs->total_bytes; + } + + if (vcssb.length < 128) { + rc = DIAG_320_RC_NOMEM; + break; + } + + if (s390_cpu_virt_mem_write(cpu, addr, (uint8_t)r1, &vcssb, + be64_to_cpu( + sizeof(VerificationCertificateStorageSizeBlock) + ))) { + s390_cpu_virt_mem_handle_exc(cpu, ra); + return; + } rc = DIAG_320_RC_OK; break; default: From patchwork Tue Apr 8 15:55:09 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Zhuoying Cai X-Patchwork-Id: 14043366 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 1A359C369A2 for ; Tue, 8 Apr 2025 16:21:17 +0000 (UTC) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1u2Bdq-0006p6-Uy; Tue, 08 Apr 2025 12:17:39 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1u2BIj-0005Vz-3H; Tue, 08 Apr 2025 11:55:50 -0400 Received: from mx0a-001b2d01.pphosted.com ([148.163.156.1]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1u2BIg-0005tI-Pc; Tue, 08 Apr 2025 11:55:48 -0400 Received: from pps.filterd (m0360083.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 538E0270028245; Tue, 8 Apr 2025 15:55:44 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ibm.com; h=cc :content-transfer-encoding:date:from:in-reply-to:message-id :mime-version:references:subject:to; s=pp1; bh=0ABvkjyLIBjEGrfnV 63GsR9H9yligSh3cdqmq76173g=; b=OVipzHtyci5bJyxBTj7LeCq5xGyRKPNFL 4uu7uGqLt6XuzXgrCf8q7v1Fc1sgDfdutGjg1e2UVYb1QoKL6olEqkOG9hmV5K7p tchr59x7PatzA3QiNwtShxCWXb5TNeRSpEbOAXEw7OyqIsPWG5k/bIFz8W64RLmR plQLBgdAHfm0Kv94nTP9xdgZgDw+zDEdsG8KCO8/E5hBOUxW8JdvHWmq9WcxXhQZ gyg+RkDwIVQXozmbm4/mnqjOOohiOv33UZfBi70hSC4LyJq8rZGlVyAMEVAmZ+Ig 45pYJnOqGYOKJ43QTil0BoAmqaadrda/IUm62Jz45xSgdtNNBPjRg== Received: from ppma21.wdc07v.mail.ibm.com (5b.69.3da9.ip4.static.sl-reverse.com [169.61.105.91]) by mx0a-001b2d01.pphosted.com (PPS) with ESMTPS id 45vv6a3amf-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 08 Apr 2025 15:55:44 +0000 (GMT) Received: from pps.filterd (ppma21.wdc07v.mail.ibm.com [127.0.0.1]) by ppma21.wdc07v.mail.ibm.com (8.18.1.2/8.18.1.2) with ESMTP id 538CBO1S013925; Tue, 8 Apr 2025 15:55:43 GMT Received: from smtprelay07.dal12v.mail.ibm.com ([172.16.1.9]) by ppma21.wdc07v.mail.ibm.com (PPS) with ESMTPS id 45ufunkb9y-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 08 Apr 2025 15:55:42 +0000 Received: from smtpav06.wdc07v.mail.ibm.com (smtpav06.wdc07v.mail.ibm.com [10.39.53.233]) by smtprelay07.dal12v.mail.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id 538Ftfgi30409274 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Tue, 8 Apr 2025 15:55:41 GMT Received: from smtpav06.wdc07v.mail.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 734185804E; Tue, 8 Apr 2025 15:55:41 +0000 (GMT) Received: from smtpav06.wdc07v.mail.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id EA5CD58054; Tue, 8 Apr 2025 15:55:39 +0000 (GMT) Received: from fedora-workstation.ibmuc.com (unknown [9.61.125.94]) by smtpav06.wdc07v.mail.ibm.com (Postfix) with ESMTP; Tue, 8 Apr 2025 15:55:39 +0000 (GMT) From: Zhuoying Cai To: thuth@redhat.com, richard.henderson@linaro.org, david@redhat.com, pbonzini@redhat.com Cc: walling@linux.ibm.com, jjherne@linux.ibm.com, jrossi@linux.ibm.com, fiuczy@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, iii@linux.ibm.com, qemu-s390x@nongnu.org, qemu-devel@nongnu.org, zycai@linux.ibm.com Subject: [PATCH v1 07/24] s390x/diag: Implement DIAG 320 subcode 2 Date: Tue, 8 Apr 2025 11:55:09 -0400 Message-ID: <20250408155527.123341-8-zycai@linux.ibm.com> X-Mailer: git-send-email 2.49.0 In-Reply-To: <20250408155527.123341-1-zycai@linux.ibm.com> References: <20250408155527.123341-1-zycai@linux.ibm.com> MIME-Version: 1.0 X-TM-AS-GCONF: 00 X-Proofpoint-ORIG-GUID: 514Xlc-YbLKOwrfgG1YYB8fACBAB00XO X-Proofpoint-GUID: 514Xlc-YbLKOwrfgG1YYB8fACBAB00XO X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1095,Hydra:6.0.680,FMLib:17.12.68.34 definitions=2025-04-08_06,2025-04-08_03,2024-11-22_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 malwarescore=0 phishscore=0 lowpriorityscore=0 spamscore=0 priorityscore=1501 adultscore=0 clxscore=1011 suspectscore=0 bulkscore=0 mlxlogscore=865 mlxscore=0 impostorscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.19.0-2502280000 definitions=main-2504080107 Received-SPF: pass client-ip=148.163.156.1; envelope-from=zycai@linux.ibm.com; helo=mx0a-001b2d01.pphosted.com X-Spam_score_int: -26 X-Spam_score: -2.7 X-Spam_bar: -- X-Spam_report: (-2.7 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=0.001, RCVD_IN_VALIDITY_CERTIFIED_BLOCKED=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-Mailman-Approved-At: Tue, 08 Apr 2025 12:17:33 -0400 X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org Sender: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org DIAG 320 subcode 2 provides certificates that are in the certificate store. The subcode value is denoted by setting the second-left-most bit of an 8-byte field. The verification-certificate-block (VCB) contains the output data when the operation completes successfully. VCB includes a common header followed by zero or more verification-certificate entries (VCEs). Signed-off-by: Zhuoying Cai --- include/hw/s390x/ipl/diag320.h | 59 +++++++++ target/s390x/diag.c | 227 ++++++++++++++++++++++++++++++++- 2 files changed, 285 insertions(+), 1 deletion(-) diff --git a/include/hw/s390x/ipl/diag320.h b/include/hw/s390x/ipl/diag320.h index ded336df25..32b6914b3b 100644 --- a/include/hw/s390x/ipl/diag320.h +++ b/include/hw/s390x/ipl/diag320.h @@ -14,15 +14,24 @@ #define DIAG_320_SUBC_QUERY_ISM 0 #define DIAG_320_SUBC_QUERY_VCSI 1 +#define DIAG_320_SUBC_STORE_VC 2 #define DIAG_320_RC_OK 0x0001 #define DIAG_320_RC_NOMEM 0x0202 +#define DIAG_320_RC_INVAL_VCB_LEN 0x0204 +#define DIAG_320_RC_BAD_RANGE 0x0302 #define VCSSB_MAX_LEN 128 #define VCE_HEADER_LEN 128 #define VCB_HEADER_LEN 64 #define DIAG_320_ISM_QUERY_VCSI 0x4000000000000000 +#define DIAG_320_ISM_STORE_VC 0x2000000000000000 + +#define DIAG_320_VCE_FLAGS_VALID 0x80 +#define DIAG_320_VCE_KEYTYPE_SELF_DESCRIBING 0 +#define DIAG_320_VCE_FORMAT_X509_DER 1 +#define DIAG_320_VCE_HASHTYPE_SHA2_256 1 struct VerificationCertificateStorageSizeBlock { uint32_t length; @@ -41,4 +50,54 @@ struct VerificationCertificateStorageSizeBlock { typedef struct VerificationCertificateStorageSizeBlock \ VerificationCertificateStorageSizeBlock; +struct vcb_header { + uint32_t vcbinlen; + uint32_t reserved0; + uint16_t fvci; + uint16_t lvci; + uint32_t reserved1; + uint32_t cstoken; + uint32_t reserved2[3]; + uint32_t vcboutlen; + uint8_t reserved3[3]; + uint8_t version; + uint16_t svcc; + uint16_t rvcc; + uint32_t reserved4[5]; +} QEMU_PACKED; +typedef struct vcb_header vcb_header; + +struct VerficationCertificateBlock { + vcb_header vcb_hdr; + uint8_t vcb_buf[]; +} QEMU_PACKED; +typedef struct VerficationCertificateBlock VerficationCertificateBlock; + +struct vce_header { + uint32_t len; + uint8_t flags; + uint8_t keytype; + uint16_t certidx; + uint32_t name[16]; + uint8_t format; + uint8_t reserved0; + uint16_t keyidlen; + uint8_t reserved1; + uint8_t hashtype; + uint16_t hashlen; + uint32_t reserved2; + uint32_t certlen; + uint32_t reserved3[2]; + uint16_t hashoffset; + uint16_t certoffset; + uint32_t reserved4[7]; +} QEMU_PACKED; +typedef struct vce_header vce_header; + +struct VerificationCertificateEntry { + vce_header vce_hdr; + uint8_t cert_data_buf[]; +} QEMU_PACKED; +typedef struct VerificationCertificateEntry VerificationCertificateEntry; + #endif diff --git a/target/s390x/diag.c b/target/s390x/diag.c index cc639819ec..82e4dc9e1e 100644 --- a/target/s390x/diag.c +++ b/target/s390x/diag.c @@ -17,6 +17,7 @@ #include "s390x-internal.h" #include "hw/watchdog/wdt_diag288.h" #include "system/cpus.h" +#include "hw/s390x/cert-store.h" #include "hw/s390x/ipl.h" #include "hw/s390x/s390-virtio-ccw.h" #include "system/kvm.h" @@ -191,6 +192,94 @@ out: } } +#ifdef CONFIG_GNUTLS +static bool diag_320_is_cert_valid(gnutls_x509_crt_t cert) +{ + time_t now; + + if (gnutls_x509_crt_get_version(cert) < 0) { + return false; + } + + now = time(0); + if (!((gnutls_x509_crt_get_activation_time(cert) < now) && + (gnutls_x509_crt_get_expiration_time(cert) > now))) { + return false; + } + + return true; +} +#endif /* CONFIG_GNUTLS */ + +static int diag_320_get_cert_info(VerificationCertificateEntry *vce, + S390IPLCertificate qcert, bool *is_valid, + unsigned char **key_id_data, void **hash_data) +{ +#ifdef CONFIG_GNUTLS + unsigned int algo; + unsigned int bits; + int hash_type; + int rc; + + gnutls_x509_crt_t g_cert = NULL; + if (g_init_cert((uint8_t *)qcert.raw, qcert.size, &g_cert)) { + return -1; + } + + /* VCE flag (validity) */ + *is_valid = diag_320_is_cert_valid(g_cert); + + /* key-type */ + algo = gnutls_x509_crt_get_pk_algorithm(g_cert, &bits); + if (algo == GNUTLS_PK_RSA) { + vce->vce_hdr.keytype = DIAG_320_VCE_KEYTYPE_SELF_DESCRIBING; + } + + /* VC format */ + if (qcert.format == GNUTLS_X509_FMT_DER) { + vce->vce_hdr.format = DIAG_320_VCE_FORMAT_X509_DER; + } + + /* key id and key id len */ + *key_id_data = g_malloc0(qcert.key_id_size); + rc = gnutls_x509_crt_get_key_id(g_cert, GNUTLS_KEYID_USE_SHA256, + *key_id_data, &qcert.key_id_size); + if (rc < 0) { + error_report("Fail to retrieve certificate key ID"); + goto out; + } + vce->vce_hdr.keyidlen = (uint16_t)qcert.key_id_size; + + /* hash type */ + hash_type = gnutls_x509_crt_get_signature_algorithm(g_cert); + if (hash_type == GNUTLS_SIGN_RSA_SHA256) { + vce->vce_hdr.hashtype = DIAG_320_VCE_HASHTYPE_SHA2_256; + } + + /* hash and hash len */ + *hash_data = g_malloc0(qcert.hash_size); + rc = gnutls_x509_crt_get_fingerprint(g_cert, GNUTLS_DIG_SHA256, + *hash_data, &qcert.hash_size); + if (rc < 0) { + error_report("Fail to retrieve certificate hash"); + goto out; + } + vce->vce_hdr.hashlen = (uint16_t)qcert.hash_size; + + gnutls_x509_crt_deinit(g_cert); + + return 0; +out: + gnutls_x509_crt_deinit(g_cert); + g_free(*key_id_data); + g_free(*hash_data); + + return -1; +#else + return -1; +#endif /* CONFIG_GNUTLS */ +} + void handle_diag_320(CPUS390XState *env, uint64_t r1, uint64_t r3, uintptr_t ra) { S390CPU *cpu = env_archcpu(env); @@ -211,7 +300,7 @@ void handle_diag_320(CPUS390XState *env, uint64_t r1, uint64_t r3, uintptr_t ra) switch (subcode) { case DIAG_320_SUBC_QUERY_ISM: - uint64_t ism = DIAG_320_ISM_QUERY_VCSI; + uint64_t ism = DIAG_320_ISM_QUERY_VCSI | DIAG_320_ISM_STORE_VC; if (s390_cpu_virt_mem_write(cpu, addr, (uint8_t)r1, &ism, be64_to_cpu(sizeof(ism)))) { @@ -257,6 +346,142 @@ void handle_diag_320(CPUS390XState *env, uint64_t r1, uint64_t r3, uintptr_t ra) } rc = DIAG_320_RC_OK; break; + case DIAG_320_SUBC_STORE_VC: + VerficationCertificateBlock *vcb; + size_t vce_offset = VCB_HEADER_LEN; + size_t remaining_space; + size_t vce_hdr_offset; + int i; + + unsigned char *key_id_data = NULL; + void *hash_data = NULL; + bool is_valid = false; + + vcb = g_new0(VerficationCertificateBlock, 1); + if (s390_cpu_virt_mem_read(cpu, addr, (uint8_t)r1, vcb, sizeof(*vcb))) { + s390_cpu_virt_mem_handle_exc(cpu, ra); + return; + } + + if (vcb->vcb_hdr.vcbinlen % 4096 != 0) { + rc = DIAG_320_RC_INVAL_VCB_LEN; + g_free(vcb); + break; + } + + if (1 > vcb->vcb_hdr.fvci || vcb->vcb_hdr.fvci > vcb->vcb_hdr.lvci) { + rc = DIAG_320_RC_BAD_RANGE; + g_free(vcb); + break; + } + + vcb->vcb_hdr.vcboutlen = VCB_HEADER_LEN; + vcb->vcb_hdr.version = 0; + vcb->vcb_hdr.svcc = 0; + vcb->vcb_hdr.rvcc = 0; + + remaining_space = vcb->vcb_hdr.vcbinlen - VCB_HEADER_LEN; + + for (i = vcb->vcb_hdr.fvci - 1; i < vcb->vcb_hdr.lvci; i++) { + VerificationCertificateEntry vce; + S390IPLCertificate qcert; + + /* + * If cert index goes beyond the highest cert + * store index (count - 1), then exit early + */ + if (i >= qcs->count) { + break; + } + + qcert = qcs->certs[i]; + + /* + * If there is no more space to store the cert, + * set the remaining verification cert count and + * break early. + */ + if (remaining_space < qcert.size) { + vcb->vcb_hdr.rvcc = vcb->vcb_hdr.lvci - i; + break; + } + + /* Construct VCE */ + vce.vce_hdr.len = VCE_HEADER_LEN; + vce.vce_hdr.certidx = i + 1; + vce.vce_hdr.certlen = qcert.size; + + strncpy((char *)vce.vce_hdr.name, (char *)qcert.vc_name, VC_NAME_LEN_BYTES); + + rc = diag_320_get_cert_info(&vce, qcert, &is_valid, &key_id_data, &hash_data); + if (rc) { + continue; + } + + vce.vce_hdr.len += vce.vce_hdr.keyidlen; + vce.vce_hdr.len += vce.vce_hdr.hashlen; + vce.vce_hdr.len += vce.vce_hdr.certlen; + + vce.vce_hdr.hashoffset = VCE_HEADER_LEN + vce.vce_hdr.keyidlen; + vce.vce_hdr.certoffset = VCE_HEADER_LEN + vce.vce_hdr.keyidlen + + vce.vce_hdr.hashlen; + + vce_hdr_offset = vce_offset; + vce_offset += VCE_HEADER_LEN; + + /* Write Key ID */ + if (s390_cpu_virt_mem_write(cpu, addr + vce_offset, (uint8_t)r1, key_id_data, + be16_to_cpu(vce.vce_hdr.keyidlen))) { + s390_cpu_virt_mem_handle_exc(cpu, ra); + return; + } + vce_offset += vce.vce_hdr.keyidlen; + + /* Write Hash key */ + if (s390_cpu_virt_mem_write(cpu, addr + vce_offset, (uint8_t)r1, hash_data, + be16_to_cpu(vce.vce_hdr.hashlen))) { + s390_cpu_virt_mem_handle_exc(cpu, ra); + return; + } + vce_offset += vce.vce_hdr.hashlen; + + /* Write VCE cert data */ + if (s390_cpu_virt_mem_write(cpu, addr + vce_offset, (uint8_t)r1, qcert.raw, + be32_to_cpu(vce.vce_hdr.certlen))) { + s390_cpu_virt_mem_handle_exc(cpu, ra); + return; + } + vce_offset += qcert.size; + + /* The certificate is valid and VCE contains the certificate */ + if (is_valid) { + vce.vce_hdr.flags |= DIAG_320_VCE_FLAGS_VALID; + } + + /* Write VCE Header */ + if (s390_cpu_virt_mem_write(cpu, addr + vce_hdr_offset, (uint8_t)r1, &vce, + be32_to_cpu(VCE_HEADER_LEN))) { + s390_cpu_virt_mem_handle_exc(cpu, ra); + return; + } + + vcb->vcb_hdr.vcboutlen += vce.vce_hdr.len; + remaining_space -= vce.vce_hdr.len; + vcb->vcb_hdr.svcc++; + + g_free(key_id_data); + g_free(hash_data); + } + + /* Finally, write the header */ + if (s390_cpu_virt_mem_write(cpu, addr, (uint8_t)r1, vcb, + be32_to_cpu(VCB_HEADER_LEN))) { + s390_cpu_virt_mem_handle_exc(cpu, ra); + return; + } + rc = DIAG_320_RC_OK; + g_free(vcb); + break; default: s390_program_interrupt(env, PGM_SPECIFICATION, ra); return; From patchwork Tue Apr 8 15:55:10 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Zhuoying Cai X-Patchwork-Id: 14043363 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id DFFCDC369A5 for ; Tue, 8 Apr 2025 16:19:45 +0000 (UTC) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1u2Bdt-0006pB-09; Tue, 08 Apr 2025 12:17:41 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1u2BIn-0005XC-8K; Tue, 08 Apr 2025 11:55:55 -0400 Received: from mx0a-001b2d01.pphosted.com ([148.163.156.1]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1u2BIl-0005u4-AZ; Tue, 08 Apr 2025 11:55:52 -0400 Received: from pps.filterd (m0356517.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 538E39d6013856; Tue, 8 Apr 2025 15:55:48 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ibm.com; h=cc :content-transfer-encoding:date:from:in-reply-to:message-id :mime-version:references:subject:to; s=pp1; bh=9usmbva3RcXyJXBXB +SlmSXPo9062uECSIZMgZFgyFw=; b=DxOFSvadKQMJS3hhFvM0V8NbpJ48GXRbw mSl3G50SkeDxgs2Qofzs4GLQwssQEZDGxtUAo6X1EdnOY4MOeGueyF9rOUyKySkv Tmdmx1+WeLe+d7BRoWdK1UN8Tj6U7qm88Sp7SefuM/by5XdqiGU5Jen1HhwFwVuz PiS6Xfj7+5a+lZ7DSAl2mzR8CMXdAGq7dnMyZ4iQeW2DN5E22mWkYLA8OS7uKv8Q qpFFd0sNprL7l7I2TxnKMIUSsxuC5msHi3jvqRZUeSRf8X2pccxn7fNMSTCIjv49 uFPlca550gbSF8jqUJiQqwRo1Yumcx+SF3QGDA25vvFKn3AV24Pcg== Received: from ppma13.dal12v.mail.ibm.com (dd.9e.1632.ip4.static.sl-reverse.com [50.22.158.221]) by mx0a-001b2d01.pphosted.com (PPS) with ESMTPS id 45w57prkvw-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 08 Apr 2025 15:55:47 +0000 (GMT) Received: from pps.filterd (ppma13.dal12v.mail.ibm.com [127.0.0.1]) by ppma13.dal12v.mail.ibm.com (8.18.1.2/8.18.1.2) with ESMTP id 538DA81E018432; Tue, 8 Apr 2025 15:55:44 GMT Received: from smtprelay02.wdc07v.mail.ibm.com ([172.16.1.69]) by ppma13.dal12v.mail.ibm.com (PPS) with ESMTPS id 45uh2kk5bh-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 08 Apr 2025 15:55:44 +0000 Received: from smtpav06.wdc07v.mail.ibm.com (smtpav06.wdc07v.mail.ibm.com [10.39.53.233]) by smtprelay02.wdc07v.mail.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id 538FthB020775622 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Tue, 8 Apr 2025 15:55:43 GMT Received: from smtpav06.wdc07v.mail.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 1C2645803F; Tue, 8 Apr 2025 15:55:43 +0000 (GMT) Received: from smtpav06.wdc07v.mail.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 9D36758055; Tue, 8 Apr 2025 15:55:41 +0000 (GMT) Received: from fedora-workstation.ibmuc.com (unknown [9.61.125.94]) by smtpav06.wdc07v.mail.ibm.com (Postfix) with ESMTP; Tue, 8 Apr 2025 15:55:41 +0000 (GMT) From: Zhuoying Cai To: thuth@redhat.com, richard.henderson@linaro.org, david@redhat.com, pbonzini@redhat.com Cc: walling@linux.ibm.com, jjherne@linux.ibm.com, jrossi@linux.ibm.com, fiuczy@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, iii@linux.ibm.com, qemu-s390x@nongnu.org, qemu-devel@nongnu.org, zycai@linux.ibm.com Subject: [PATCH v1 08/24] s390x/diag: Introduce DIAG 508 for secure IPL operations Date: Tue, 8 Apr 2025 11:55:10 -0400 Message-ID: <20250408155527.123341-9-zycai@linux.ibm.com> X-Mailer: git-send-email 2.49.0 In-Reply-To: <20250408155527.123341-1-zycai@linux.ibm.com> References: <20250408155527.123341-1-zycai@linux.ibm.com> MIME-Version: 1.0 X-TM-AS-GCONF: 00 X-Proofpoint-ORIG-GUID: ReabiHjhRYRiPOfJ6bnhKLNstPXVoZXv X-Proofpoint-GUID: ReabiHjhRYRiPOfJ6bnhKLNstPXVoZXv X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1095,Hydra:6.0.680,FMLib:17.12.68.34 definitions=2025-04-08_06,2025-04-08_03,2024-11-22_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 bulkscore=0 clxscore=1015 spamscore=0 suspectscore=0 lowpriorityscore=0 adultscore=0 mlxlogscore=999 priorityscore=1501 malwarescore=0 impostorscore=0 phishscore=0 mlxscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.19.0-2502280000 definitions=main-2504080107 Received-SPF: pass client-ip=148.163.156.1; envelope-from=zycai@linux.ibm.com; helo=mx0a-001b2d01.pphosted.com X-Spam_score_int: -26 X-Spam_score: -2.7 X-Spam_bar: -- X-Spam_report: (-2.7 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=0.001, RCVD_IN_VALIDITY_CERTIFIED_BLOCKED=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-Mailman-Approved-At: Tue, 08 Apr 2025 12:17:35 -0400 X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org Sender: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org From: Collin Walling In order to support secure IPL (aka secure boot) for the s390-ccw BIOS, a new s390 DIAGNOSE instruction is introduced to leverage QEMU for handling operations such as signature verification and certificate retrieval. Currently, only subcode 0 is supported with this patch, which is used to query a bitmap of which subcodes are supported. Signed-off-by: Collin Walling --- hw/s390x/ipl.h | 1 + include/hw/s390x/ipl/diag508.h | 17 +++++++++++++++++ target/s390x/diag.c | 26 ++++++++++++++++++++++++++ target/s390x/kvm/kvm.c | 14 ++++++++++++++ target/s390x/s390x-internal.h | 2 ++ 5 files changed, 60 insertions(+) create mode 100644 include/hw/s390x/ipl/diag508.h diff --git a/hw/s390x/ipl.h b/hw/s390x/ipl.h index 822535ad76..e9ef8ddccd 100644 --- a/hw/s390x/ipl.h +++ b/hw/s390x/ipl.h @@ -18,6 +18,7 @@ #include "exec/address-spaces.h" #include "hw/qdev-core.h" #include "hw/s390x/ipl/diag320.h" +#include "hw/s390x/ipl/diag508.h" #include "hw/s390x/ipl/qipl.h" #include "qom/object.h" diff --git a/include/hw/s390x/ipl/diag508.h b/include/hw/s390x/ipl/diag508.h new file mode 100644 index 0000000000..83c4439cb2 --- /dev/null +++ b/include/hw/s390x/ipl/diag508.h @@ -0,0 +1,17 @@ +/* + * S/390 DIAGNOSE 508 definitions and structures + * + * Copyright 2025 IBM Corp. + * Author(s): Collin Walling + * + * This work is licensed under the terms of the GNU GPL, version 2 or (at + * your option) any later version. See the COPYING file in the top-level + * directory. + */ + +#ifndef S390X_DIAG508_H +#define S390X_DIAG508_H + +#define DIAG_508_SUBC_QUERY_SUBC 0x0000 + +#endif diff --git a/target/s390x/diag.c b/target/s390x/diag.c index 82e4dc9e1e..ad7f4b5025 100644 --- a/target/s390x/diag.c +++ b/target/s390x/diag.c @@ -488,3 +488,29 @@ void handle_diag_320(CPUS390XState *env, uint64_t r1, uint64_t r3, uintptr_t ra) } env->regs[r1 + 1] = rc; } + +void handle_diag_508(CPUS390XState *env, uint64_t r1, uint64_t r3, uintptr_t ra) +{ + uint64_t subcode = env->regs[r3]; + int rc; + + if (env->psw.mask & PSW_MASK_PSTATE) { + s390_program_interrupt(env, PGM_PRIVILEGED, ra); + return; + } + + if ((subcode & ~0x0ffffULL) || (r1 & 1)) { + s390_program_interrupt(env, PGM_SPECIFICATION, ra); + return; + } + + switch (subcode) { + case DIAG_508_SUBC_QUERY_SUBC: + rc = 0; + break; + default: + s390_program_interrupt(env, PGM_SPECIFICATION, ra); + return; + } + env->regs[r1 + 1] = rc; +} diff --git a/target/s390x/kvm/kvm.c b/target/s390x/kvm/kvm.c index b013751478..a5c5150c04 100644 --- a/target/s390x/kvm/kvm.c +++ b/target/s390x/kvm/kvm.c @@ -101,6 +101,7 @@ #define DIAG_CERT_STORE 0x320 #define DIAG_KVM_HYPERCALL 0x500 #define DIAG_KVM_BREAKPOINT 0x501 +#define DIAG_SECURE_IPL 0x508 #define ICPT_INSTRUCTION 0x04 #define ICPT_PROGRAM 0x08 @@ -1572,6 +1573,16 @@ static void kvm_handle_diag_320(S390CPU *cpu, struct kvm_run *run) handle_diag_320(&cpu->env, r1, r3, RA_IGNORED); } +static void kvm_handle_diag_508(S390CPU *cpu, struct kvm_run *run) +{ + uint64_t r1, r3; + + r1 = (run->s390_sieic.ipa & 0x00f0) >> 4; + r3 = run->s390_sieic.ipa & 0x000f; + + handle_diag_508(&cpu->env, r1, r3, RA_IGNORED); +} + #define DIAG_KVM_CODE_MASK 0x000000000000ffff static int handle_diag(S390CPU *cpu, struct kvm_run *run, uint32_t ipb) @@ -1605,6 +1616,9 @@ static int handle_diag(S390CPU *cpu, struct kvm_run *run, uint32_t ipb) case DIAG_CERT_STORE: kvm_handle_diag_320(cpu, run); break; + case DIAG_SECURE_IPL: + kvm_handle_diag_508(cpu, run); + break; default: trace_kvm_insn_diag(func_code); kvm_s390_program_interrupt(cpu, PGM_SPECIFICATION); diff --git a/target/s390x/s390x-internal.h b/target/s390x/s390x-internal.h index 86a652f833..df0973266a 100644 --- a/target/s390x/s390x-internal.h +++ b/target/s390x/s390x-internal.h @@ -402,6 +402,8 @@ void handle_diag_308(CPUS390XState *env, uint64_t r1, uint64_t r3, uintptr_t ra); void handle_diag_320(CPUS390XState *env, uint64_t r1, uint64_t r3, uintptr_t ra); +void handle_diag_508(CPUS390XState *env, uint64_t r1, uint64_t r3, + uintptr_t ra); /* translate.c */ From patchwork Tue Apr 8 15:55:11 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Zhuoying Cai X-Patchwork-Id: 14043355 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 9591CC369A5 for ; Tue, 8 Apr 2025 16:18:39 +0000 (UTC) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1u2Be8-0006tC-9x; Tue, 08 Apr 2025 12:18:02 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1u2BIl-0005WT-Ke; Tue, 08 Apr 2025 11:55:52 -0400 Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1u2BIi-0005tf-9w; Tue, 08 Apr 2025 11:55:50 -0400 Received: from pps.filterd (m0353725.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 538949sm027934; Tue, 8 Apr 2025 15:55:46 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ibm.com; h=cc :content-transfer-encoding:date:from:in-reply-to:message-id :mime-version:references:subject:to; s=pp1; bh=6pq9Lvlmwqtcz4GlA LMZ/+/z/EgXjfSx8wparw3lgY0=; b=arfeNgYnJw0mAHL3OqpirKBNSsTCA8o2E qsq6Bbgu0+qhLOPFycB3/0Oz0We6AYLpfHYtNMhX+FMn+H6jDSlx6AvGoneewDJn rCWhsXTnwvSKWE9IE8BqoXwSFc7bKfPUr0toGJYiPlVXYEk1+9xDBYLAzuzEFdxJ Eoe5DBHxKvLOPNq/N+Pl36h4jlgtHZst+sbNMrlRXtrIOyq4L37XuGtywX1KbIDD wewRoLdBX6Hk2Wb6erPnCUiWJjX2eHelFd8oDV8nLmiJ/faVaafn9poTDBcsQ9Kv 2OdcR45vIOHvmLKBhDfePZB3W515qzpE0tQAKWP5jmNIJVSIxYm7w== Received: from ppma22.wdc07v.mail.ibm.com (5c.69.3da9.ip4.static.sl-reverse.com [169.61.105.92]) by mx0a-001b2d01.pphosted.com (PPS) with ESMTPS id 45vnx0mhgd-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 08 Apr 2025 15:55:46 +0000 (GMT) Received: from pps.filterd (ppma22.wdc07v.mail.ibm.com [127.0.0.1]) by ppma22.wdc07v.mail.ibm.com (8.18.1.2/8.18.1.2) with ESMTP id 538Bt00G011062; Tue, 8 Apr 2025 15:55:46 GMT Received: from smtprelay03.wdc07v.mail.ibm.com ([172.16.1.70]) by ppma22.wdc07v.mail.ibm.com (PPS) with ESMTPS id 45uf7ykgph-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 08 Apr 2025 15:55:45 +0000 Received: from smtpav06.wdc07v.mail.ibm.com (smtpav06.wdc07v.mail.ibm.com [10.39.53.233]) by smtprelay03.wdc07v.mail.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id 538FtgVA18285222 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Tue, 8 Apr 2025 15:55:42 GMT Received: from smtpav06.wdc07v.mail.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id BB09D58054; Tue, 8 Apr 2025 15:55:44 +0000 (GMT) Received: from smtpav06.wdc07v.mail.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 462E45804E; Tue, 8 Apr 2025 15:55:43 +0000 (GMT) Received: from fedora-workstation.ibmuc.com (unknown [9.61.125.94]) by smtpav06.wdc07v.mail.ibm.com (Postfix) with ESMTP; Tue, 8 Apr 2025 15:55:43 +0000 (GMT) From: Zhuoying Cai To: thuth@redhat.com, richard.henderson@linaro.org, david@redhat.com, pbonzini@redhat.com Cc: walling@linux.ibm.com, jjherne@linux.ibm.com, jrossi@linux.ibm.com, fiuczy@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, iii@linux.ibm.com, qemu-s390x@nongnu.org, qemu-devel@nongnu.org, zycai@linux.ibm.com Subject: [PATCH v1 09/24] s390x/diag: Implement DIAG 508 subcode 2 for signature verification Date: Tue, 8 Apr 2025 11:55:11 -0400 Message-ID: <20250408155527.123341-10-zycai@linux.ibm.com> X-Mailer: git-send-email 2.49.0 In-Reply-To: <20250408155527.123341-1-zycai@linux.ibm.com> References: <20250408155527.123341-1-zycai@linux.ibm.com> MIME-Version: 1.0 X-TM-AS-GCONF: 00 X-Proofpoint-GUID: XDYgGftlhZ3kvl49EX5ICVDtrTMi22dg X-Proofpoint-ORIG-GUID: XDYgGftlhZ3kvl49EX5ICVDtrTMi22dg X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1095,Hydra:6.0.680,FMLib:17.12.68.34 definitions=2025-04-08_06,2025-04-08_03,2024-11-22_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 impostorscore=0 mlxlogscore=999 lowpriorityscore=0 phishscore=0 priorityscore=1501 clxscore=1015 malwarescore=0 mlxscore=0 adultscore=0 spamscore=0 bulkscore=0 suspectscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.19.0-2502280000 definitions=main-2504080107 Received-SPF: pass client-ip=148.163.158.5; envelope-from=zycai@linux.ibm.com; helo=mx0b-001b2d01.pphosted.com X-Spam_score_int: -26 X-Spam_score: -2.7 X-Spam_bar: -- X-Spam_report: (-2.7 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H5=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_VALIDITY_CERTIFIED_BLOCKED=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-Mailman-Approved-At: Tue, 08 Apr 2025 12:17:33 -0400 X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org Sender: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org From: Collin Walling DIAG 508 subcode 2 performs signature-verfication on signed components. A signed component may be a Linux kernel image, or any other signed binary. **Verification of initrd is not supported.** The instruction call expects two item-pairs: an address of a device component, an address of the analogous signature file (in PKCS#7 format), and their respective lengths. All of this data should be encapsulated within a Diag508SignatureVerificationBlock, with the CertificateStoreInfo fields ignored. The DIAG handler will read from the provided addresses to retrieve the necessary data, parse the signature file, then perform the signature-verification. Because there is no way to correlate a specific certificate to a component, each certificate in the store is tried until either verification succeeds, or all certs have been exhausted. The subcode value is denoted by setting the second-to-left-most bit of a 2-byte field. A return code of 1 indicates success, and the index and length of the corresponding certificate will be set in the CertificateStoreInfo portion of the SigVerifBlock. The following values indicate failure: 0x0402: component data is invalid 0x0502: certificate is not in x509 format 0x0602: signature is not in PKCS#7 format 0x0702: signature-verification failed Signed-off-by: Collin Walling --- include/hw/s390x/ipl/diag508.h | 25 +++++++ target/s390x/diag.c | 131 ++++++++++++++++++++++++++++++++- 2 files changed, 155 insertions(+), 1 deletion(-) diff --git a/include/hw/s390x/ipl/diag508.h b/include/hw/s390x/ipl/diag508.h index 83c4439cb2..f8f4b6398e 100644 --- a/include/hw/s390x/ipl/diag508.h +++ b/include/hw/s390x/ipl/diag508.h @@ -13,5 +13,30 @@ #define S390X_DIAG508_H #define DIAG_508_SUBC_QUERY_SUBC 0x0000 +#define DIAG_508_SUBC_SIG_VERIF 0x4000 + +#define DIAG_508_RC_OK 0x0001 +#define DIAG_508_RC_NO_CERTS 0x0102 +#define DIAG_508_RC_CERT_NOT_FOUND 0x0202 +#define DIAG_508_RC_NO_MEM_FOR_CERT 0x0302 +#define DIAG_508_RC_INVAL_COMP_DATA 0x0402 +#define DIAG_508_RC_INVAL_X509_CERT 0x0502 +#define DIAG_508_RC_INVAL_PKCS7_SIG 0x0602 +#define DIAG_508_RC_FAIL_VERIF 0x0702 + +struct Diag508CertificateStoreInfo { + uint8_t idx; + uint64_t len; +} QEMU_PACKED; +typedef struct Diag508CertificateStoreInfo Diag508CertificateStoreInfo; + +struct Diag508SignatureVerificationBlock { + Diag508CertificateStoreInfo csi; + uint64_t comp_len; + uint64_t comp_addr; + uint64_t sig_len; + uint64_t sig_addr; +} QEMU_PACKED; +typedef struct Diag508SignatureVerificationBlock Diag508SignatureVerificationBlock; #endif diff --git a/target/s390x/diag.c b/target/s390x/diag.c index ad7f4b5025..cecb8bf130 100644 --- a/target/s390x/diag.c +++ b/target/s390x/diag.c @@ -25,6 +25,11 @@ #include "target/s390x/kvm/pv.h" #include "qemu/error-report.h" +#ifdef CONFIG_GNUTLS +#include +#include +#include +#endif /* CONFIG_GNUTLS */ int handle_diag_288(CPUS390XState *env, uint64_t r1, uint64_t r3) { @@ -489,9 +494,67 @@ void handle_diag_320(CPUS390XState *env, uint64_t r1, uint64_t r3, uintptr_t ra) env->regs[r1 + 1] = rc; } +#ifdef CONFIG_GNUTLS +#define datum_init(datum, data, size) \ + datum = (gnutls_datum_t){data, size} + +static int diag_508_init_comp(gnutls_datum_t *comp, + Diag508SignatureVerificationBlock *svb) +{ + uint8_t *svb_comp = NULL; + + if (!svb->comp_len || !svb->comp_addr) { + error_report("No component data."); + return -1; + } + + /* + * corrupted size vs. prev_size in fastbins, occurs during 2nd iteration, + * allocating 1mil bytes. + */ + svb_comp = g_malloc0(svb->comp_len); + cpu_physical_memory_read(svb->comp_addr, svb_comp, svb->comp_len); + + /* + * Component data is not written back to the caller, + * so no need to do a deep copy. Comp is freed when + * svb is freed. + */ + datum_init(*comp, svb_comp, svb->comp_len); + return 0; +} + +static int diag_508_init_signature(gnutls_pkcs7_t *sig, + Diag508SignatureVerificationBlock *svb) +{ + gnutls_datum_t datum_sig; + uint8_t *svb_sig = NULL; + + if (!svb->sig_len || !svb->sig_addr) { + error_report("No signature data"); + return -1; + } + + svb_sig = g_malloc0(svb->sig_len); + cpu_physical_memory_read(svb->sig_addr, svb_sig, svb->sig_len); + + if (gnutls_pkcs7_init(sig) < 0) { + error_report("Failed to initalize pkcs7 data."); + return -1; + } + + datum_init(datum_sig, svb_sig, svb->sig_len); + return gnutls_pkcs7_import(*sig, &datum_sig, GNUTLS_X509_FMT_DER); + +} +#endif /* CONFIG_GNUTLS */ + void handle_diag_508(CPUS390XState *env, uint64_t r1, uint64_t r3, uintptr_t ra) { + S390IPLCertificateStore *qcs = s390_ipl_get_certificate_store(); + size_t csi_size = sizeof(Diag508CertificateStoreInfo); uint64_t subcode = env->regs[r3]; + uint64_t addr = env->regs[r1]; int rc; if (env->psw.mask & PSW_MASK_PSTATE) { @@ -506,7 +569,73 @@ void handle_diag_508(CPUS390XState *env, uint64_t r1, uint64_t r3, uintptr_t ra) switch (subcode) { case DIAG_508_SUBC_QUERY_SUBC: - rc = 0; + rc = DIAG_508_SUBC_SIG_VERIF; + break; + case DIAG_508_SUBC_SIG_VERIF: + size_t svb_size = sizeof(Diag508SignatureVerificationBlock); + Diag508SignatureVerificationBlock *svb; + + if (!qcs || !qcs->count) { + error_report("No certificates in cert store."); + rc = DIAG_508_RC_NO_CERTS; + break; + } + + if (!diag_parm_addr_valid(addr, svb_size, false) || + !diag_parm_addr_valid(addr, csi_size, true)) { + s390_program_interrupt(env, PGM_ADDRESSING, ra); + return; + } + + svb = g_new0(Diag508SignatureVerificationBlock, 1); + cpu_physical_memory_read(addr, svb, svb_size); + +#ifdef CONFIG_GNUTLS + gnutls_pkcs7_t sig = NULL; + gnutls_datum_t comp; + int i; + + if (diag_508_init_comp(&comp, svb) < 0) { + rc = DIAG_508_RC_INVAL_COMP_DATA; + g_free(svb); + break; + } + + if (diag_508_init_signature(&sig, svb) < 0) { + rc = DIAG_508_RC_INVAL_PKCS7_SIG; + gnutls_pkcs7_deinit(sig); + g_free(svb); + break; + } + + rc = DIAG_508_RC_FAIL_VERIF; + /* + * It is uncertain which certificate contains + * the analogous key to verify the signed data + */ + for (i = 0; i < qcs->count; i++) { + gnutls_x509_crt_t g_cert = NULL; + if (g_init_cert((uint8_t *)qcs->certs[i].raw, qcs->certs[i].size, &g_cert)) { + continue; + } + + if (gnutls_pkcs7_verify_direct(sig, g_cert, 0, &comp, 0) == 0) { + svb->csi.idx = i; + svb->csi.len = qcs->certs[i].size; + cpu_physical_memory_write(addr, &svb->csi, + be32_to_cpu(csi_size)); + rc = DIAG_508_RC_OK; + break; + } + + gnutls_x509_crt_deinit(g_cert); + } + + gnutls_pkcs7_deinit(sig); +#else + rc = DIAG_508_RC_FAIL_VERIF; +#endif /* CONFIG_GNUTLS */ + g_free(svb); break; default: s390_program_interrupt(env, PGM_SPECIFICATION, ra); From patchwork Tue Apr 8 15:55:12 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Zhuoying Cai X-Patchwork-Id: 14043354 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 4F831C369A4 for ; Tue, 8 Apr 2025 16:18:38 +0000 (UTC) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1u2BeJ-0006v7-8e; Tue, 08 Apr 2025 12:18:13 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1u2BJ2-0005cM-LM; Tue, 08 Apr 2025 11:56:13 -0400 Received: from mx0a-001b2d01.pphosted.com ([148.163.156.1]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1u2BIy-0005xS-2H; Tue, 08 Apr 2025 11:56:07 -0400 Received: from pps.filterd (m0353729.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 538CS4ku017794; Tue, 8 Apr 2025 15:56:01 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ibm.com; h=cc :content-transfer-encoding:date:from:in-reply-to:message-id :mime-version:references:subject:to; s=pp1; bh=+jx38PsgWXjFgnLG5 5CCmZLbTK/w2RDIZ1ATVyhkEVQ=; b=IjHvD0zsSjnScnn513XaAT7Hcw2GZdqGF thVzNNlJOjvqNiF/UhspdhHDHXaLBVSj0ppOUpn3IaZVzqqntheC0PWUTfx2ubuO oFsO+Wj36KGzDSK35K552m2c1CFK9rGDgzELlFGEyatQ5Xg9t+G6bSBsWRTX1uRr bZqEN/kyvzr/5pCoJKl87k5KNmDVnytDwDpxsbM9ecsCtysH8Twkvo1gKj485jff yfzmcdTlJe7/2g+DsHY2962XiD29+A/Cc5hj5+bTstMy+AEg+7k8S2PeFGnSlBXF 5sj7hqWBDlvU6J48WrOlMhc4zqQzj6uPiHzE+QWtG2q2xqtfuofPg== Received: from ppma11.dal12v.mail.ibm.com (db.9e.1632.ip4.static.sl-reverse.com [50.22.158.219]) by mx0a-001b2d01.pphosted.com (PPS) with ESMTPS id 45w3u3124b-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 08 Apr 2025 15:55:49 +0000 (GMT) Received: from pps.filterd (ppma11.dal12v.mail.ibm.com [127.0.0.1]) by ppma11.dal12v.mail.ibm.com (8.18.1.2/8.18.1.2) with ESMTP id 538E44Ic018863; Tue, 8 Apr 2025 15:55:47 GMT Received: from smtprelay05.wdc07v.mail.ibm.com ([172.16.1.72]) by ppma11.dal12v.mail.ibm.com (PPS) with ESMTPS id 45uhj2b1bs-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 08 Apr 2025 15:55:47 +0000 Received: from smtpav06.wdc07v.mail.ibm.com (smtpav06.wdc07v.mail.ibm.com [10.39.53.233]) by smtprelay05.wdc07v.mail.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id 538Ftkfr29688446 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Tue, 8 Apr 2025 15:55:46 GMT Received: from smtpav06.wdc07v.mail.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 5CFA35803F; Tue, 8 Apr 2025 15:55:46 +0000 (GMT) Received: from smtpav06.wdc07v.mail.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id E46495804E; Tue, 8 Apr 2025 15:55:44 +0000 (GMT) Received: from fedora-workstation.ibmuc.com (unknown [9.61.125.94]) by smtpav06.wdc07v.mail.ibm.com (Postfix) with ESMTP; Tue, 8 Apr 2025 15:55:44 +0000 (GMT) From: Zhuoying Cai To: thuth@redhat.com, richard.henderson@linaro.org, david@redhat.com, pbonzini@redhat.com Cc: walling@linux.ibm.com, jjherne@linux.ibm.com, jrossi@linux.ibm.com, fiuczy@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, iii@linux.ibm.com, qemu-s390x@nongnu.org, qemu-devel@nongnu.org, zycai@linux.ibm.com Subject: [PATCH v1 10/24] pc-bios/s390-ccw: Introduce IPL Information Report Block (IIRB) Date: Tue, 8 Apr 2025 11:55:12 -0400 Message-ID: <20250408155527.123341-11-zycai@linux.ibm.com> X-Mailer: git-send-email 2.49.0 In-Reply-To: <20250408155527.123341-1-zycai@linux.ibm.com> References: <20250408155527.123341-1-zycai@linux.ibm.com> MIME-Version: 1.0 X-TM-AS-GCONF: 00 X-Proofpoint-GUID: LiQ_sSq5sV690JsVG--U_ABGrW27k29a X-Proofpoint-ORIG-GUID: LiQ_sSq5sV690JsVG--U_ABGrW27k29a X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1095,Hydra:6.0.680,FMLib:17.12.68.34 definitions=2025-04-08_06,2025-04-08_03,2024-11-22_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 lowpriorityscore=0 spamscore=0 adultscore=0 suspectscore=0 mlxlogscore=999 bulkscore=0 clxscore=1015 malwarescore=0 mlxscore=0 priorityscore=1501 phishscore=0 impostorscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.19.0-2502280000 definitions=main-2504080107 Received-SPF: pass client-ip=148.163.156.1; envelope-from=zycai@linux.ibm.com; helo=mx0a-001b2d01.pphosted.com X-Spam_score_int: -26 X-Spam_score: -2.7 X-Spam_bar: -- X-Spam_report: (-2.7 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=0.001, RCVD_IN_VALIDITY_CERTIFIED_BLOCKED=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-Mailman-Approved-At: Tue, 08 Apr 2025 12:17:35 -0400 X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org Sender: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org The IPL information report block (IIRB) contains information used to locate IPL records and to report the results of signature verification of one or more secure components of the load device. IIRB is stored immediately following the IPL Parameter Block. Results on component verification in any case (failure or success) are stored. Signed-off-by: Zhuoying Cai --- pc-bios/s390-ccw/iplb.h | 62 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 62 insertions(+) diff --git a/pc-bios/s390-ccw/iplb.h b/pc-bios/s390-ccw/iplb.h index 08f259ff31..bdbc733e16 100644 --- a/pc-bios/s390-ccw/iplb.h +++ b/pc-bios/s390-ccw/iplb.h @@ -23,6 +23,68 @@ extern QemuIplParameters qipl; extern IplParameterBlock iplb __attribute__((__aligned__(PAGE_SIZE))); extern bool have_iplb; +struct IplInfoReportBlockHeader { + uint32_t len; + uint8_t iirb_flags; + uint8_t reserved1[2]; + uint8_t version; + uint8_t reserved2[8]; +} __attribute__ ((packed)); +typedef struct IplInfoReportBlockHeader IplInfoReportBlockHeader; + +struct IplInfoBlockHeader { + uint32_t len; + uint8_t ibt; + uint8_t reserved1[3]; + uint8_t reserved2[8]; +} __attribute__ ((packed)); +typedef struct IplInfoBlockHeader IplInfoBlockHeader; + +enum IplIbt { + IPL_IBT_CERTIFICATES = 1, + IPL_IBT_COMPONENTS = 2, +}; + +struct IplSignatureCertificateEntry { + uint64_t addr; + uint64_t len; +} __attribute__ ((packed)); +typedef struct IplSignatureCertificateEntry IplSignatureCertificateEntry; + +struct IplSignatureCertificateList { + IplInfoBlockHeader ipl_info_header; + IplSignatureCertificateEntry cert_entries[MAX_CERTIFICATES]; +} __attribute__ ((packed)); +typedef struct IplSignatureCertificateList IplSignatureCertificateList; + +#define S390_IPL_COMPONENT_FLAG_SC 0x80 +#define S390_IPL_COMPONENT_FLAG_CSV 0x40 + +struct IplDeviceComponentEntry { + uint64_t addr; + uint64_t len; + uint8_t flags; + uint8_t reserved1[5]; + uint16_t cert_index; + uint8_t reserved2[8]; +} __attribute__ ((packed)); +typedef struct IplDeviceComponentEntry IplDeviceComponentEntry; + +struct IplDeviceComponentList { + IplInfoBlockHeader ipl_info_header; + IplDeviceComponentEntry device_entries[MAX_CERTIFICATES]; +} __attribute__ ((packed)); +typedef struct IplDeviceComponentList IplDeviceComponentList; + +#define COMP_LIST_MAX sizeof(IplDeviceComponentList) +#define CERT_LIST_MAX sizeof(IplSignatureCertificateList) + +struct IplInfoReportBlock { + IplInfoReportBlockHeader hdr; + uint8_t info_blks[COMP_LIST_MAX + CERT_LIST_MAX]; +} __attribute__ ((packed)); +typedef struct IplInfoReportBlock IplInfoReportBlock; + #define S390_IPL_TYPE_FCP 0x00 #define S390_IPL_TYPE_CCW 0x02 #define S390_IPL_TYPE_QEMU_SCSI 0xff From patchwork Tue Apr 8 15:55:13 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Zhuoying Cai X-Patchwork-Id: 14043388 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 86417C369A2 for ; Tue, 8 Apr 2025 16:27:24 +0000 (UTC) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1u2Bdv-0006q2-2e; Tue, 08 Apr 2025 12:17:43 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1u2BIn-0005Xp-Qa; Tue, 08 Apr 2025 11:55:55 -0400 Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1u2BIl-0005uJ-SH; Tue, 08 Apr 2025 11:55:53 -0400 Received: from pps.filterd (m0356516.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 5387mmuF025540; Tue, 8 Apr 2025 15:55:50 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ibm.com; h=cc :content-transfer-encoding:date:from:in-reply-to:message-id :mime-version:references:subject:to; s=pp1; bh=wXkwnjygOgNEG6ukN KGeJabOsYlLjnGqed+uwV8xHMo=; b=taaPFHq69uwJdE+L3CaX91g9mam7jCqdJ tSjR1ab6mYLYP1RGrG8XGzNXG2qlgjYXkZe8bZ6nwm0iTSdl/ePLOII+/1owAb+C 92EAVzodxSLL12T/iD99LGRPMuDSxm4yZqfqeN9DEhMoCBBHlET3J1EfSrYewGH5 fB8+UPQJp/POUYquUf8jgsdenxy6N9O5ZhRj4Dl5MEW8Td+7UgxRA9wXAkyhwsue Abj+ODy44OKx3fruCYbQv5nYIc5vl0OhJd4QaIKFVBurc1YtfAhnoeex8tm5qZEN ZQ6JoyL0KAp3cXip+KcCVBljIUcYNkZoYJuqSxDtM6G0wbw7tMguA== Received: from ppma21.wdc07v.mail.ibm.com (5b.69.3da9.ip4.static.sl-reverse.com [169.61.105.91]) by mx0a-001b2d01.pphosted.com (PPS) with ESMTPS id 45vnvq4hwt-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 08 Apr 2025 15:55:49 +0000 (GMT) Received: from pps.filterd (ppma21.wdc07v.mail.ibm.com [127.0.0.1]) by ppma21.wdc07v.mail.ibm.com (8.18.1.2/8.18.1.2) with ESMTP id 538C4qlG014404; Tue, 8 Apr 2025 15:55:49 GMT Received: from smtprelay07.wdc07v.mail.ibm.com ([172.16.1.74]) by ppma21.wdc07v.mail.ibm.com (PPS) with ESMTPS id 45ufunkba6-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 08 Apr 2025 15:55:49 +0000 Received: from smtpav06.wdc07v.mail.ibm.com (smtpav06.wdc07v.mail.ibm.com [10.39.53.233]) by smtprelay07.wdc07v.mail.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id 538FtmWa33948310 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Tue, 8 Apr 2025 15:55:48 GMT Received: from smtpav06.wdc07v.mail.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 06FB558054; Tue, 8 Apr 2025 15:55:48 +0000 (GMT) Received: from smtpav06.wdc07v.mail.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 84CFF5804E; Tue, 8 Apr 2025 15:55:46 +0000 (GMT) Received: from fedora-workstation.ibmuc.com (unknown [9.61.125.94]) by smtpav06.wdc07v.mail.ibm.com (Postfix) with ESMTP; Tue, 8 Apr 2025 15:55:46 +0000 (GMT) From: Zhuoying Cai To: thuth@redhat.com, richard.henderson@linaro.org, david@redhat.com, pbonzini@redhat.com Cc: walling@linux.ibm.com, jjherne@linux.ibm.com, jrossi@linux.ibm.com, fiuczy@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, iii@linux.ibm.com, qemu-s390x@nongnu.org, qemu-devel@nongnu.org, zycai@linux.ibm.com Subject: [PATCH v1 11/24] pc-bios/s390-ccw: Define memory for IPLB and convert IPLB to pointers Date: Tue, 8 Apr 2025 11:55:13 -0400 Message-ID: <20250408155527.123341-12-zycai@linux.ibm.com> X-Mailer: git-send-email 2.49.0 In-Reply-To: <20250408155527.123341-1-zycai@linux.ibm.com> References: <20250408155527.123341-1-zycai@linux.ibm.com> MIME-Version: 1.0 X-TM-AS-GCONF: 00 X-Proofpoint-GUID: 8acnsMnrRcY4ZDzXqjK5qGdqo14u-JsN X-Proofpoint-ORIG-GUID: 8acnsMnrRcY4ZDzXqjK5qGdqo14u-JsN X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1095,Hydra:6.0.680,FMLib:17.12.68.34 definitions=2025-04-08_06,2025-04-08_03,2024-11-22_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 phishscore=0 spamscore=0 mlxscore=0 lowpriorityscore=0 adultscore=0 suspectscore=0 mlxlogscore=999 malwarescore=0 priorityscore=1501 clxscore=1015 bulkscore=0 impostorscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.19.0-2502280000 definitions=main-2504080107 Received-SPF: pass client-ip=148.163.158.5; envelope-from=zycai@linux.ibm.com; helo=mx0b-001b2d01.pphosted.com X-Spam_score_int: -26 X-Spam_score: -2.7 X-Spam_bar: -- X-Spam_report: (-2.7 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H5=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_VALIDITY_CERTIFIED_BLOCKED=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-Mailman-Approved-At: Tue, 08 Apr 2025 12:17:33 -0400 X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org Sender: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org This patch is necessary because of the architectural design of IPL Parameter Block (IPLB) and IPL Information Report Block (IIRB). IIRB will be introduced in the next patch. Define a memory space for both IPL Parameter Block (IPLB) and IPL Information Report Block (IIRB) since IIRB is stored immediately following IPLB. Convert IPLB to pointer and it points to the start of the defined memory space. IIRB points to the end of IPLB. Signed-off-by: Zhuoying Cai --- pc-bios/s390-ccw/iplb.h | 12 ++++++++++-- pc-bios/s390-ccw/jump2ipl.c | 6 +++--- pc-bios/s390-ccw/main.c | 34 +++++++++++++++++++--------------- pc-bios/s390-ccw/netmain.c | 8 ++++---- 4 files changed, 36 insertions(+), 24 deletions(-) diff --git a/pc-bios/s390-ccw/iplb.h b/pc-bios/s390-ccw/iplb.h index bdbc733e16..11302e004d 100644 --- a/pc-bios/s390-ccw/iplb.h +++ b/pc-bios/s390-ccw/iplb.h @@ -20,7 +20,7 @@ #include extern QemuIplParameters qipl; -extern IplParameterBlock iplb __attribute__((__aligned__(PAGE_SIZE))); +extern IplParameterBlock *iplb; extern bool have_iplb; struct IplInfoReportBlockHeader { @@ -85,6 +85,14 @@ struct IplInfoReportBlock { } __attribute__ ((packed)); typedef struct IplInfoReportBlock IplInfoReportBlock; +struct IplBlocks { + IplParameterBlock iplb; + IplInfoReportBlock iirb; +} __attribute__ ((packed)); +typedef struct IplBlocks IplBlocks; + +extern IplBlocks ipl_data __attribute__((__aligned__(PAGE_SIZE))); + #define S390_IPL_TYPE_FCP 0x00 #define S390_IPL_TYPE_CCW 0x02 #define S390_IPL_TYPE_QEMU_SCSI 0xff @@ -127,7 +135,7 @@ static inline bool load_next_iplb(void) qipl.index++; next_iplb = (IplParameterBlock *) qipl.next_iplb; - memcpy(&iplb, next_iplb, sizeof(IplParameterBlock)); + memcpy(iplb, next_iplb, sizeof(IplParameterBlock)); qipl.chain_len--; qipl.next_iplb = qipl.next_iplb + sizeof(IplParameterBlock); diff --git a/pc-bios/s390-ccw/jump2ipl.c b/pc-bios/s390-ccw/jump2ipl.c index 86321d0f46..fa2ca5cbe1 100644 --- a/pc-bios/s390-ccw/jump2ipl.c +++ b/pc-bios/s390-ccw/jump2ipl.c @@ -43,11 +43,11 @@ int jump_to_IPL_code(uint64_t address) * The IPLB for QEMU SCSI type devices must be rebuilt during re-ipl. The * iplb.devno is set to the boot position of the target SCSI device. */ - if (iplb.pbt == S390_IPL_TYPE_QEMU_SCSI) { - iplb.devno = qipl.index; + if (iplb->pbt == S390_IPL_TYPE_QEMU_SCSI) { + iplb->devno = qipl.index; } - if (have_iplb && !set_iplb(&iplb)) { + if (have_iplb && !set_iplb(iplb)) { panic("Failed to set IPLB"); } diff --git a/pc-bios/s390-ccw/main.c b/pc-bios/s390-ccw/main.c index 76bf743900..c9328f1c51 100644 --- a/pc-bios/s390-ccw/main.c +++ b/pc-bios/s390-ccw/main.c @@ -22,7 +22,9 @@ static SubChannelId blk_schid = { .one = 1 }; static char loadparm_str[LOADPARM_LEN + 1]; QemuIplParameters qipl; -IplParameterBlock iplb __attribute__((__aligned__(PAGE_SIZE))); +/* Ensure that IPLB and IIRB are page aligned and sequential in memory */ +IplBlocks ipl_data; +IplParameterBlock *iplb; bool have_iplb; static uint16_t cutype; LowCore *lowcore; /* Yes, this *is* a pointer to address 0 */ @@ -51,7 +53,7 @@ void write_subsystem_identification(void) void write_iplb_location(void) { if (cutype == CU_TYPE_VIRTIO && virtio_get_device_type() != VIRTIO_ID_NET) { - lowcore->ptr_iplb = ptr2u32(&iplb); + lowcore->ptr_iplb = ptr2u32(iplb); } } @@ -162,7 +164,7 @@ static void menu_setup(void) return; } - switch (iplb.pbt) { + switch (iplb->pbt) { case S390_IPL_TYPE_CCW: case S390_IPL_TYPE_QEMU_SCSI: menu_set_parms(qipl.qipl_flags & BOOT_MENU_FLAG_MASK, @@ -191,8 +193,8 @@ static void boot_setup(void) { char lpmsg[] = "LOADPARM=[________]\n"; - if (have_iplb && memcmp(iplb.loadparm, NO_LOADPARM, LOADPARM_LEN) != 0) { - ebcdic_to_ascii((char *) iplb.loadparm, loadparm_str, LOADPARM_LEN); + if (have_iplb && memcmp(iplb->loadparm, NO_LOADPARM, LOADPARM_LEN) != 0) { + ebcdic_to_ascii((char *) iplb->loadparm, loadparm_str, LOADPARM_LEN); } else { sclp_get_loadparm_ascii(loadparm_str); } @@ -216,21 +218,21 @@ static bool find_boot_device(void) VDev *vdev = virtio_get_device(); bool found = false; - switch (iplb.pbt) { + switch (iplb->pbt) { case S390_IPL_TYPE_CCW: vdev->scsi_device_selected = false; - debug_print_int("device no. ", iplb.ccw.devno); - blk_schid.ssid = iplb.ccw.ssid & 0x3; + debug_print_int("device no. ", iplb->ccw.devno); + blk_schid.ssid = iplb->ccw.ssid & 0x3; debug_print_int("ssid ", blk_schid.ssid); - found = find_subch(iplb.ccw.devno); + found = find_subch(iplb->ccw.devno); break; case S390_IPL_TYPE_QEMU_SCSI: vdev->scsi_device_selected = true; - vdev->selected_scsi_device.channel = iplb.scsi.channel; - vdev->selected_scsi_device.target = iplb.scsi.target; - vdev->selected_scsi_device.lun = iplb.scsi.lun; - blk_schid.ssid = iplb.scsi.ssid & 0x3; - found = find_subch(iplb.scsi.devno); + vdev->selected_scsi_device.channel = iplb->scsi.channel; + vdev->selected_scsi_device.target = iplb->scsi.target; + vdev->selected_scsi_device.lun = iplb->scsi.lun; + blk_schid.ssid = iplb->scsi.ssid & 0x3; + found = find_subch(iplb->scsi.devno); break; default: puts("Unsupported IPLB"); @@ -311,10 +313,12 @@ static void probe_boot_device(void) void main(void) { + iplb = &ipl_data.iplb; + copy_qipl(); sclp_setup(); css_setup(); - have_iplb = store_iplb(&iplb); + have_iplb = store_iplb(iplb); if (!have_iplb) { boot_setup(); probe_boot_device(); diff --git a/pc-bios/s390-ccw/netmain.c b/pc-bios/s390-ccw/netmain.c index 719a547ada..49afd9100d 100644 --- a/pc-bios/s390-ccw/netmain.c +++ b/pc-bios/s390-ccw/netmain.c @@ -488,11 +488,11 @@ static bool virtio_setup(void) */ enable_mss_facility(); - if (have_iplb || store_iplb(&iplb)) { - IPL_assert(iplb.pbt == S390_IPL_TYPE_CCW, "IPL_TYPE_CCW expected"); - dev_no = iplb.ccw.devno; + if (have_iplb || store_iplb(iplb)) { + IPL_assert(iplb->pbt == S390_IPL_TYPE_CCW, "IPL_TYPE_CCW expected"); + dev_no = iplb->ccw.devno; debug_print_int("device no. ", dev_no); - net_schid.ssid = iplb.ccw.ssid & 0x3; + net_schid.ssid = iplb->ccw.ssid & 0x3; debug_print_int("ssid ", net_schid.ssid); found = find_net_dev(&schib, dev_no); } else { From patchwork Tue Apr 8 15:55:14 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Zhuoying Cai X-Patchwork-Id: 14043365 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 1D1CFC369A2 for ; Tue, 8 Apr 2025 16:20:33 +0000 (UTC) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1u2Bds-0006p7-9X; Tue, 08 Apr 2025 12:17:40 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1u2BIs-0005Z4-5a; Tue, 08 Apr 2025 11:55:59 -0400 Received: from mx0a-001b2d01.pphosted.com ([148.163.156.1]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1u2BIp-0005vI-6T; Tue, 08 Apr 2025 11:55:57 -0400 Received: from pps.filterd (m0356517.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 538E3D2C013944; Tue, 8 Apr 2025 15:55:52 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ibm.com; h=cc :content-transfer-encoding:date:from:in-reply-to:message-id :mime-version:references:subject:to; s=pp1; bh=dbcORQsC9s7zSsT9c LAhUqLVVmz2ZpTnYQ2EPMisjU0=; b=HUGXT+GRZq5vaQKrZSCwvH3XvCygrbCjt writs/wkV2G6WHRhK7pxhzv8PpR131EnbRLd32LTGSn2anVak35bRHSJbcjWAxUD iJXioetHcA7T63NALVglgcIJB4E65w/gRKPs4/UivRE3DDBxtNh8e7uNyGHGAnMx lHuSkKLBbfWf3asoW24JlH1HQoVy6fTTKPHDjKiNpGT6xpRNYY/RgMr7t3CIaX8M kCUAAwvqmR8XMmbg1XDe7Frs78MHIZUHuZFH0NqVuSTJs73Q6iSsTpLAjmgMTnQd 7n7hFBVboYG8Nn7IpS8WPS4DIAYaNb+VO5l2NKhkc22UxcD8dEDkA== Received: from ppma13.dal12v.mail.ibm.com (dd.9e.1632.ip4.static.sl-reverse.com [50.22.158.221]) by mx0a-001b2d01.pphosted.com (PPS) with ESMTPS id 45w57prkw7-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 08 Apr 2025 15:55:52 +0000 (GMT) Received: from pps.filterd (ppma13.dal12v.mail.ibm.com [127.0.0.1]) by ppma13.dal12v.mail.ibm.com (8.18.1.2/8.18.1.2) with ESMTP id 538DQGA2017826; Tue, 8 Apr 2025 15:55:50 GMT Received: from smtprelay02.dal12v.mail.ibm.com ([172.16.1.4]) by ppma13.dal12v.mail.ibm.com (PPS) with ESMTPS id 45uh2kk5bp-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 08 Apr 2025 15:55:50 +0000 Received: from smtpav06.wdc07v.mail.ibm.com (smtpav06.wdc07v.mail.ibm.com [10.39.53.233]) by smtprelay02.dal12v.mail.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id 538Ftnui32572110 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Tue, 8 Apr 2025 15:55:50 GMT Received: from smtpav06.wdc07v.mail.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 9C33F5803F; Tue, 8 Apr 2025 15:55:49 +0000 (GMT) Received: from smtpav06.wdc07v.mail.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 3080058054; Tue, 8 Apr 2025 15:55:48 +0000 (GMT) Received: from fedora-workstation.ibmuc.com (unknown [9.61.125.94]) by smtpav06.wdc07v.mail.ibm.com (Postfix) with ESMTP; Tue, 8 Apr 2025 15:55:48 +0000 (GMT) From: Zhuoying Cai To: thuth@redhat.com, richard.henderson@linaro.org, david@redhat.com, pbonzini@redhat.com Cc: walling@linux.ibm.com, jjherne@linux.ibm.com, jrossi@linux.ibm.com, fiuczy@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, iii@linux.ibm.com, qemu-s390x@nongnu.org, qemu-devel@nongnu.org, zycai@linux.ibm.com Subject: [PATCH v1 12/24] hw/s390x/ipl: Add IPIB flags to IPL Parameter Block Date: Tue, 8 Apr 2025 11:55:14 -0400 Message-ID: <20250408155527.123341-13-zycai@linux.ibm.com> X-Mailer: git-send-email 2.49.0 In-Reply-To: <20250408155527.123341-1-zycai@linux.ibm.com> References: <20250408155527.123341-1-zycai@linux.ibm.com> MIME-Version: 1.0 X-TM-AS-GCONF: 00 X-Proofpoint-ORIG-GUID: cCqaywM2Ue_kdoXHwvnvv7-Jvux69UQ9 X-Proofpoint-GUID: cCqaywM2Ue_kdoXHwvnvv7-Jvux69UQ9 X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1095,Hydra:6.0.680,FMLib:17.12.68.34 definitions=2025-04-08_06,2025-04-08_03,2024-11-22_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 bulkscore=0 clxscore=1015 spamscore=0 suspectscore=0 lowpriorityscore=0 adultscore=0 mlxlogscore=821 priorityscore=1501 malwarescore=0 impostorscore=0 phishscore=0 mlxscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.19.0-2502280000 definitions=main-2504080107 Received-SPF: pass client-ip=148.163.156.1; envelope-from=zycai@linux.ibm.com; helo=mx0a-001b2d01.pphosted.com X-Spam_score_int: -26 X-Spam_score: -2.7 X-Spam_bar: -- X-Spam_report: (-2.7 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=0.001, RCVD_IN_VALIDITY_CERTIFIED_BLOCKED=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-Mailman-Approved-At: Tue, 08 Apr 2025 12:17:33 -0400 X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org Sender: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org Add IPIB flags to IPL Parameter Block to determine if IPL needs to perform securely and if IPL Information Report Block (IIRB) exists. Secure boot in audit mode will perform if certificate(s) exist in the key store. IIRB will exist and results of verification will be stored in IIRB. Signed-off-by: Zhuoying Cai --- hw/s390x/ipl.c | 20 ++++++++++++++++++++ include/hw/s390x/ipl/qipl.h | 6 +++++- 2 files changed, 25 insertions(+), 1 deletion(-) diff --git a/hw/s390x/ipl.c b/hw/s390x/ipl.c index b0810c9191..59ec81181d 100644 --- a/hw/s390x/ipl.c +++ b/hw/s390x/ipl.c @@ -431,6 +431,13 @@ S390IPLCertificateStore *s390_ipl_get_certificate_store(void) return &ipl->cert_store; } +static bool s390_has_certificate(void) +{ + S390IPLState *ipl = get_ipl_device(); + + return ipl->cert_store.count > 0; +} + static bool s390_build_iplb(DeviceState *dev_st, IplParameterBlock *iplb) { CcwDevice *ccw_dev = NULL; @@ -488,6 +495,19 @@ static bool s390_build_iplb(DeviceState *dev_st, IplParameterBlock *iplb) s390_ipl_convert_loadparm((char *)lp, iplb->loadparm); iplb->flags |= DIAG308_FLAGS_LP_VALID; + /* + * Secure boot in audit mode will perform + * if certificate(s) exist in the key store. + * + * IPL Information Report Block (IIRB) will exist + * for secure boot in audit mode. + * + * Results of secure boot will be stored in IIRB. + */ + if (s390_has_certificate()) { + iplb->hdr_flags |= DIAG308_IPIB_FLAGS_IPLIR; + } + return true; } diff --git a/include/hw/s390x/ipl/qipl.h b/include/hw/s390x/ipl/qipl.h index b8e7d1da71..2355fcecbb 100644 --- a/include/hw/s390x/ipl/qipl.h +++ b/include/hw/s390x/ipl/qipl.h @@ -23,6 +23,9 @@ #define MAX_CERTIFICATES 64 #define CERT_MAX_SIZE (1024 * 8) +#define DIAG308_IPIB_FLAGS_SIPL 0x40 +#define DIAG308_IPIB_FLAGS_IPLIR 0x20 + /* * The QEMU IPL Parameters will be stored at absolute address * 204 (0xcc) which means it is 32-bit word aligned but not @@ -104,7 +107,8 @@ typedef struct IplBlockQemuScsi IplBlockQemuScsi; union IplParameterBlock { struct { uint32_t len; - uint8_t reserved0[3]; + uint8_t hdr_flags; + uint8_t reserved0[2]; uint8_t version; uint32_t blk0_len; uint8_t pbt; From patchwork Tue Apr 8 15:55:15 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Zhuoying Cai X-Patchwork-Id: 14043387 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 9AD62C369A4 for ; Tue, 8 Apr 2025 16:26:06 +0000 (UTC) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1u2BeI-0006ud-9t; Tue, 08 Apr 2025 12:18:06 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1u2BIs-0005Z5-6U; Tue, 08 Apr 2025 11:55:59 -0400 Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1u2BIp-0005vK-U8; Tue, 08 Apr 2025 11:55:57 -0400 Received: from pps.filterd (m0356516.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 5389oxrv028227; Tue, 8 Apr 2025 15:55:53 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ibm.com; h=cc :content-transfer-encoding:date:from:in-reply-to:message-id :mime-version:references:subject:to; s=pp1; bh=BUP7neRrCncynrZrL jMRLmMfniVK5rLsaOz6/kQQFOA=; b=ddGP3o1/Cvdkkq6bj0O56STGix21g8Bzq wBiwU9D2Z8E0m1UX+++fGjc9MI3UFBo6eZlcgNw47ifrKdBs+BVV427QzuzqPPwr Fnwim+e99ku0E85fM3JLKAEfVDFclTKtYuZTyA+ejo0bIT3QSl4KPiHFz4zry/56 vZ0ozp9nJpHeJTxYcIB0NXOLLkK8v72tDHViifx5xXA/rEGV2I3/0iZvMoRLUCAV 5GLTJydKJKEB5A4zK5SXF3uWdrjawjTsQ9XDiUrNkdLDm6rqDNWlvpQyAsRrAzd8 tFZs47RaxrcPdSsP4xJ0cja/viS5obs7TpENWE3hnTPitKKIskYaQ== Received: from ppma12.dal12v.mail.ibm.com (dc.9e.1632.ip4.static.sl-reverse.com [50.22.158.220]) by mx0a-001b2d01.pphosted.com (PPS) with ESMTPS id 45vnvq4hwy-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 08 Apr 2025 15:55:53 +0000 (GMT) Received: from pps.filterd (ppma12.dal12v.mail.ibm.com [127.0.0.1]) by ppma12.dal12v.mail.ibm.com (8.18.1.2/8.18.1.2) with ESMTP id 538FlaKw024590; Tue, 8 Apr 2025 15:55:52 GMT Received: from smtprelay04.dal12v.mail.ibm.com ([172.16.1.6]) by ppma12.dal12v.mail.ibm.com (PPS) with ESMTPS id 45ueutbjjj-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 08 Apr 2025 15:55:52 +0000 Received: from smtpav06.wdc07v.mail.ibm.com (smtpav06.wdc07v.mail.ibm.com [10.39.53.233]) by smtprelay04.dal12v.mail.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id 538FtpXG19857982 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Tue, 8 Apr 2025 15:55:51 GMT Received: from smtpav06.wdc07v.mail.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 3C8E758056; Tue, 8 Apr 2025 15:55:51 +0000 (GMT) Received: from smtpav06.wdc07v.mail.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id C434058054; Tue, 8 Apr 2025 15:55:49 +0000 (GMT) Received: from fedora-workstation.ibmuc.com (unknown [9.61.125.94]) by smtpav06.wdc07v.mail.ibm.com (Postfix) with ESMTP; Tue, 8 Apr 2025 15:55:49 +0000 (GMT) From: Zhuoying Cai To: thuth@redhat.com, richard.henderson@linaro.org, david@redhat.com, pbonzini@redhat.com Cc: walling@linux.ibm.com, jjherne@linux.ibm.com, jrossi@linux.ibm.com, fiuczy@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, iii@linux.ibm.com, qemu-s390x@nongnu.org, qemu-devel@nongnu.org, zycai@linux.ibm.com Subject: [PATCH v1 13/24] hw/s390x/ipl: Set iplb->len to maximum length of IPL Parameter Block Date: Tue, 8 Apr 2025 11:55:15 -0400 Message-ID: <20250408155527.123341-14-zycai@linux.ibm.com> X-Mailer: git-send-email 2.49.0 In-Reply-To: <20250408155527.123341-1-zycai@linux.ibm.com> References: <20250408155527.123341-1-zycai@linux.ibm.com> MIME-Version: 1.0 X-TM-AS-GCONF: 00 X-Proofpoint-GUID: R4s0gf-HfsRbdKut1hYgdP9L90X1kv9Q X-Proofpoint-ORIG-GUID: R4s0gf-HfsRbdKut1hYgdP9L90X1kv9Q X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1095,Hydra:6.0.680,FMLib:17.12.68.34 definitions=2025-04-08_06,2025-04-08_03,2024-11-22_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 phishscore=0 spamscore=0 mlxscore=0 lowpriorityscore=0 adultscore=0 suspectscore=0 mlxlogscore=824 malwarescore=0 priorityscore=1501 clxscore=1015 bulkscore=0 impostorscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.19.0-2502280000 definitions=main-2504080107 Received-SPF: pass client-ip=148.163.158.5; envelope-from=zycai@linux.ibm.com; helo=mx0b-001b2d01.pphosted.com X-Spam_score_int: -26 X-Spam_score: -2.7 X-Spam_bar: -- X-Spam_report: (-2.7 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H5=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_VALIDITY_CERTIFIED_BLOCKED=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-Mailman-Approved-At: Tue, 08 Apr 2025 12:17:34 -0400 X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org Sender: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org The IPL Information Report Block (IIRB) immediately follows the IPL Parameter Block (IPLB). The IPLB struct is allocated 4KB in memory, and iplb->len indicates the amount of memory currently used by the IPLB. To ensure proper alignment of the IIRB and prevent overlap, set iplb->len to the maximum length of the IPLB, allowing alignment constraints to be determined based on its size. Signed-off-by: Zhuoying Cai --- hw/s390x/ipl.c | 6 +++--- hw/s390x/ipl.h | 1 + 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/hw/s390x/ipl.c b/hw/s390x/ipl.c index 59ec81181d..b646fcc74e 100644 --- a/hw/s390x/ipl.c +++ b/hw/s390x/ipl.c @@ -460,7 +460,7 @@ static bool s390_build_iplb(DeviceState *dev_st, IplParameterBlock *iplb) if (scsi_lp && strlen(scsi_lp) > 0) { lp = scsi_lp; } - iplb->len = cpu_to_be32(S390_IPLB_MIN_QEMU_SCSI_LEN); + iplb->len = cpu_to_be32(S390_IPLB_MAX_LEN); iplb->blk0_len = cpu_to_be32(S390_IPLB_MIN_QEMU_SCSI_LEN - S390_IPLB_HEADER_LEN); iplb->pbt = S390_IPL_TYPE_QEMU_SCSI; @@ -471,14 +471,14 @@ static bool s390_build_iplb(DeviceState *dev_st, IplParameterBlock *iplb) iplb->scsi.ssid = ccw_dev->sch->ssid & 3; break; case CCW_DEVTYPE_VFIO: - iplb->len = cpu_to_be32(S390_IPLB_MIN_CCW_LEN); + iplb->len = cpu_to_be32(S390_IPLB_MAX_LEN); iplb->pbt = S390_IPL_TYPE_CCW; iplb->ccw.devno = cpu_to_be16(ccw_dev->sch->devno); iplb->ccw.ssid = ccw_dev->sch->ssid & 3; break; case CCW_DEVTYPE_VIRTIO_NET: case CCW_DEVTYPE_VIRTIO: - iplb->len = cpu_to_be32(S390_IPLB_MIN_CCW_LEN); + iplb->len = cpu_to_be32(S390_IPLB_MAX_LEN); iplb->blk0_len = cpu_to_be32(S390_IPLB_MIN_CCW_LEN - S390_IPLB_HEADER_LEN); iplb->pbt = S390_IPL_TYPE_CCW; diff --git a/hw/s390x/ipl.h b/hw/s390x/ipl.h index e9ef8ddccd..c05f238753 100644 --- a/hw/s390x/ipl.h +++ b/hw/s390x/ipl.h @@ -114,6 +114,7 @@ QEMU_BUILD_BUG_MSG(offsetof(S390IPLState, iplb) & 3, "alignment of iplb wrong"); #define S390_IPLB_MIN_CCW_LEN 200 #define S390_IPLB_MIN_FCP_LEN 384 #define S390_IPLB_MIN_QEMU_SCSI_LEN 200 +#define S390_IPLB_MAX_LEN 4096 static inline bool diag_parm_addr_valid(uint64_t addr, size_t size, bool write) { From patchwork Tue Apr 8 15:55:16 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Zhuoying Cai X-Patchwork-Id: 14043367 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 48E3EC369A4 for ; Tue, 8 Apr 2025 16:23:31 +0000 (UTC) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1u2Bdq-0006p5-UR; Tue, 08 Apr 2025 12:17:38 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1u2BIv-0005an-GH; Tue, 08 Apr 2025 11:56:02 -0400 Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1u2BIs-0005vo-56; Tue, 08 Apr 2025 11:56:01 -0400 Received: from pps.filterd (m0356516.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 5387AJJU025620; Tue, 8 Apr 2025 15:55:55 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ibm.com; h=cc :content-transfer-encoding:date:from:in-reply-to:message-id :mime-version:references:subject:to; s=pp1; bh=q9ITA/ZDY0jkmCvNe rWmpSZFl8oHnVVkm84JR8hJLDo=; b=d6vUW6pfGT7wIwwb3YHRhPRHsYkIue505 X8T1dFTHehi1JE9Uk19ybhjC1/ET3gNAP3sORIglfa2adFXrOxPFzKEdun87gje8 6k5WaCdEDziAwG+8sAyU4ZcGxjdxdMkX1nTIu5t/py+iTd3llY2U6gNiMmwbqKF1 xmn3lsDR3xXdPa7aJPtnYesZBFEtR/2lQ7iCNmwGxtoejPuSqRpcieDOQNePllhn AOYgjV0utGRivrAcEtce5u59dzzCP80rXjZbFBpbPFKueovEz1vl2gI4A9bO1+Oj Jwxy54OyW4alcHqJJqcN5w7IV7ubgb1aZp8pE6+zJL+RJLKFtiakA== Received: from ppma23.wdc07v.mail.ibm.com (5d.69.3da9.ip4.static.sl-reverse.com [169.61.105.93]) by mx0a-001b2d01.pphosted.com (PPS) with ESMTPS id 45vnvq4hx3-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 08 Apr 2025 15:55:54 +0000 (GMT) Received: from pps.filterd (ppma23.wdc07v.mail.ibm.com [127.0.0.1]) by ppma23.wdc07v.mail.ibm.com (8.18.1.2/8.18.1.2) with ESMTP id 538CTfrx025522; Tue, 8 Apr 2025 15:55:54 GMT Received: from smtprelay05.dal12v.mail.ibm.com ([172.16.1.7]) by ppma23.wdc07v.mail.ibm.com (PPS) with ESMTPS id 45ugbku9vk-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 08 Apr 2025 15:55:54 +0000 Received: from smtpav06.wdc07v.mail.ibm.com (smtpav06.wdc07v.mail.ibm.com [10.39.53.233]) by smtprelay05.dal12v.mail.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id 538FtqsC31588872 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Tue, 8 Apr 2025 15:55:53 GMT Received: from smtpav06.wdc07v.mail.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id D00745804E; Tue, 8 Apr 2025 15:55:52 +0000 (GMT) Received: from smtpav06.wdc07v.mail.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 6417458054; Tue, 8 Apr 2025 15:55:51 +0000 (GMT) Received: from fedora-workstation.ibmuc.com (unknown [9.61.125.94]) by smtpav06.wdc07v.mail.ibm.com (Postfix) with ESMTP; Tue, 8 Apr 2025 15:55:51 +0000 (GMT) From: Zhuoying Cai To: thuth@redhat.com, richard.henderson@linaro.org, david@redhat.com, pbonzini@redhat.com Cc: walling@linux.ibm.com, jjherne@linux.ibm.com, jrossi@linux.ibm.com, fiuczy@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, iii@linux.ibm.com, qemu-s390x@nongnu.org, qemu-devel@nongnu.org, zycai@linux.ibm.com Subject: [PATCH v1 14/24] s390x: Guest support for Secure-IPL Facility Date: Tue, 8 Apr 2025 11:55:16 -0400 Message-ID: <20250408155527.123341-15-zycai@linux.ibm.com> X-Mailer: git-send-email 2.49.0 In-Reply-To: <20250408155527.123341-1-zycai@linux.ibm.com> References: <20250408155527.123341-1-zycai@linux.ibm.com> MIME-Version: 1.0 X-TM-AS-GCONF: 00 X-Proofpoint-GUID: ztkjSVmxrfV5C6LPH767uRjViLhcSFC1 X-Proofpoint-ORIG-GUID: ztkjSVmxrfV5C6LPH767uRjViLhcSFC1 X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1095,Hydra:6.0.680,FMLib:17.12.68.34 definitions=2025-04-08_06,2025-04-08_03,2024-11-22_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 phishscore=0 spamscore=0 mlxscore=0 lowpriorityscore=0 adultscore=0 suspectscore=0 mlxlogscore=999 malwarescore=0 priorityscore=1501 clxscore=1015 bulkscore=0 impostorscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.19.0-2502280000 definitions=main-2504080107 Received-SPF: pass client-ip=148.163.158.5; envelope-from=zycai@linux.ibm.com; helo=mx0b-001b2d01.pphosted.com X-Spam_score_int: -26 X-Spam_score: -2.7 X-Spam_bar: -- X-Spam_report: (-2.7 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H5=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_VALIDITY_CERTIFIED_BLOCKED=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-Mailman-Approved-At: Tue, 08 Apr 2025 12:17:34 -0400 X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org Sender: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org Introduce Secure-IPL (SIPL) facility. Use the abbreviation CBL (Consolidated-Boot-Loader facility at bit 0 of byte 136) to represent bytes 136 and 137 for IPL device facilities of the SCLP Read Info block. Availability of SIPL facility is determined by byte 136 bit 1 of the SCLP Read Info block. When SIPL facility is installed, the IPL Parameter Block length must contains value that is multiple of 8 bytes. Signed-off-by: Zhuoying Cai --- hw/s390x/sclp.c | 2 ++ include/hw/s390x/sclp.h | 4 +++- target/s390x/cpu_features.c | 3 +++ target/s390x/cpu_features.h | 1 + target/s390x/cpu_features_def.h.inc | 3 +++ target/s390x/cpu_models.c | 2 ++ target/s390x/gen-features.c | 1 + target/s390x/kvm/kvm.c | 3 +++ 8 files changed, 18 insertions(+), 1 deletion(-) diff --git a/hw/s390x/sclp.c b/hw/s390x/sclp.c index 5945c9b1d8..bab65955b7 100644 --- a/hw/s390x/sclp.c +++ b/hw/s390x/sclp.c @@ -145,6 +145,8 @@ static void read_SCP_info(SCLPDevice *sclp, SCCB *sccb) if (s390_has_feat(S390_FEAT_EXTENDED_LENGTH_SCCB)) { s390_get_feat_block(S390_FEAT_TYPE_SCLP_FAC134, &read_info->fac134); + s390_get_feat_block(S390_FEAT_TYPE_SCLP_CBL, + read_info->cbl); } read_info->facilities = cpu_to_be64(SCLP_HAS_CPU_INFO | diff --git a/include/hw/s390x/sclp.h b/include/hw/s390x/sclp.h index d32f6180e0..97af95a78d 100644 --- a/include/hw/s390x/sclp.h +++ b/include/hw/s390x/sclp.h @@ -136,7 +136,9 @@ typedef struct ReadInfo { uint32_t hmfai; uint8_t _reserved7[134 - 128]; /* 128-133 */ uint8_t fac134; - uint8_t _reserved8[144 - 135]; /* 135-143 */ + uint8_t _reserved8; + uint8_t cbl[2]; /* 136-137 */ + uint8_t _reserved9[144 - 137]; /* 138-143 */ struct CPUEntry entries[]; /* * When the Extended-Length SCCB (ELS) feature is enabled the diff --git a/target/s390x/cpu_features.c b/target/s390x/cpu_features.c index 99089ab3f5..e9371569cc 100644 --- a/target/s390x/cpu_features.c +++ b/target/s390x/cpu_features.c @@ -149,6 +149,9 @@ void s390_fill_feat_block(const S390FeatBitmap features, S390FeatType type, clear_be_bit(s390_feat_def(S390_FEAT_DIAG_318)->bit, data); clear_be_bit(s390_feat_def(S390_FEAT_DIAG_320)->bit, data); break; + case S390_FEAT_TYPE_SCLP_CBL: + clear_be_bit(s390_feat_def(S390_FEAT_SIPL)->bit, data); + break; default: return; } diff --git a/target/s390x/cpu_features.h b/target/s390x/cpu_features.h index 5635839d03..823fcf8b90 100644 --- a/target/s390x/cpu_features.h +++ b/target/s390x/cpu_features.h @@ -24,6 +24,7 @@ typedef enum { S390_FEAT_TYPE_SCLP_CONF_CHAR, S390_FEAT_TYPE_SCLP_CONF_CHAR_EXT, S390_FEAT_TYPE_SCLP_FAC134, + S390_FEAT_TYPE_SCLP_CBL, S390_FEAT_TYPE_SCLP_CPU, S390_FEAT_TYPE_MISC, S390_FEAT_TYPE_PLO, diff --git a/target/s390x/cpu_features_def.h.inc b/target/s390x/cpu_features_def.h.inc index 65d38f546d..f874b9da6f 100644 --- a/target/s390x/cpu_features_def.h.inc +++ b/target/s390x/cpu_features_def.h.inc @@ -140,6 +140,9 @@ DEF_FEAT(SIE_IBS, "ibs", SCLP_CONF_CHAR_EXT, 10, "SIE: Interlock-and-broadcast-s DEF_FEAT(DIAG_318, "diag318", SCLP_FAC134, 0, "Control program name and version codes") DEF_FEAT(DIAG_320, "diag320", SCLP_FAC134, 5, "Provide Certificate Store functions") +/* Features exposed via SCLP SCCB Facilities byte 136 - 137 (bit numbers relative to byte-136) */ +DEF_FEAT(SIPL, "sipl", SCLP_CBL, 1, "Seucre-IPL facility") + /* Features exposed via SCLP CPU info. */ DEF_FEAT(SIE_F2, "sief2", SCLP_CPU, 4, "SIE: interception format 2 (Virtual SIE)") DEF_FEAT(SIE_SKEY, "skey", SCLP_CPU, 5, "SIE: Storage-key facility") diff --git a/target/s390x/cpu_models.c b/target/s390x/cpu_models.c index 7d65c40bd1..a83c27dcb8 100644 --- a/target/s390x/cpu_models.c +++ b/target/s390x/cpu_models.c @@ -263,6 +263,7 @@ bool s390_has_feat(S390Feat feat) case S390_FEAT_SIE_CMMA: case S390_FEAT_SIE_PFMFI: case S390_FEAT_SIE_IBS: + case S390_FEAT_SIPL: case S390_FEAT_CONFIGURATION_TOPOLOGY: return false; break; @@ -507,6 +508,7 @@ static void check_consistency(const S390CPUModel *model) { S390_FEAT_AP_QUEUE_INTERRUPT_CONTROL, S390_FEAT_AP }, { S390_FEAT_DIAG_318, S390_FEAT_EXTENDED_LENGTH_SCCB }, { S390_FEAT_DIAG_320, S390_FEAT_EXTENDED_LENGTH_SCCB }, + { S390_FEAT_SIPL, S390_FEAT_EXTENDED_LENGTH_SCCB }, { S390_FEAT_NNPA, S390_FEAT_VECTOR }, { S390_FEAT_RDP, S390_FEAT_LOCAL_TLB_CLEARING }, { S390_FEAT_UV_FEAT_AP, S390_FEAT_AP }, diff --git a/target/s390x/gen-features.c b/target/s390x/gen-features.c index 52c649adcd..d973efbf72 100644 --- a/target/s390x/gen-features.c +++ b/target/s390x/gen-features.c @@ -697,6 +697,7 @@ static uint16_t full_GEN14_GA1[] = { S390_FEAT_SIE_KSS, S390_FEAT_GROUP_MULTIPLE_EPOCH_PTFF, S390_FEAT_DIAG_320, + S390_FEAT_SIPL, }; #define full_GEN14_GA2 EmptyFeat diff --git a/target/s390x/kvm/kvm.c b/target/s390x/kvm/kvm.c index a5c5150c04..f418102b7f 100644 --- a/target/s390x/kvm/kvm.c +++ b/target/s390x/kvm/kvm.c @@ -2517,6 +2517,9 @@ bool kvm_s390_get_host_cpu_model(S390CPUModel *model, Error **errp) set_bit(S390_FEAT_DIAG_320, model->features); + /* Secure-IPL facility is handled entirely within QEMU */ + set_bit(S390_FEAT_SIPL, model->features); + /* Test for Ultravisor features that influence secure guest behavior */ query_uv_feat_guest(model->features); From patchwork Tue Apr 8 15:55:17 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Zhuoying Cai X-Patchwork-Id: 14043362 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id B0CF9C369A2 for ; Tue, 8 Apr 2025 16:19:44 +0000 (UTC) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1u2Bdx-0006r2-0z; Tue, 08 Apr 2025 12:17:45 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1u2BJK-0005iE-Ug; Tue, 08 Apr 2025 11:56:27 -0400 Received: from mx0a-001b2d01.pphosted.com ([148.163.156.1]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1u2BJG-000613-Qo; Tue, 08 Apr 2025 11:56:24 -0400 Received: from pps.filterd (m0353729.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 538CSXp9018121; Tue, 8 Apr 2025 15:56:19 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ibm.com; h=cc :content-transfer-encoding:date:from:in-reply-to:message-id :mime-version:references:subject:to; s=pp1; bh=tzajt4atNmLGsvtvU Yh3f45q2X92miJ9mnh4j6XyCpg=; b=JCM1jlbQvrPWLmgIUNGg2zGRwWQwCwHKi 768o7uEeOAGaUfS/a1Phik5LYqhJY4DwTbBHKPt2Bc0u5tCU2OE2EezI+mf66MdV eD44blTcDYFId/GY+VXkc8WfCHZTi5Rxd21qJhrenkgdHzQn+aMmnm2UO/wutpFM a/GQA/t5O7yOKChcWMUlpgb0b69XtKeDoowXBvCW7Xz5gOSwDxl9BnUYJ8xThliM j/wSD2GalG+W6Qeqt1OzV3c4VkNTdTPHZXo1vgh+f4YYqW7XiBPRGpFJRO5VvDSp 25z74ntwNkVKOSRbwLW+/zah+rT3hA7pRm1DA0UteHNRfKEQVTHwA== Received: from ppma13.dal12v.mail.ibm.com (dd.9e.1632.ip4.static.sl-reverse.com [50.22.158.221]) by mx0a-001b2d01.pphosted.com (PPS) with ESMTPS id 45w3u3125a-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 08 Apr 2025 15:56:18 +0000 (GMT) Received: from pps.filterd (ppma13.dal12v.mail.ibm.com [127.0.0.1]) by ppma13.dal12v.mail.ibm.com (8.18.1.2/8.18.1.2) with ESMTP id 538DQGA5017826; Tue, 8 Apr 2025 15:55:55 GMT Received: from smtprelay07.dal12v.mail.ibm.com ([172.16.1.9]) by ppma13.dal12v.mail.ibm.com (PPS) with ESMTPS id 45uh2kk5c3-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 08 Apr 2025 15:55:55 +0000 Received: from smtpav06.wdc07v.mail.ibm.com (smtpav06.wdc07v.mail.ibm.com [10.39.53.233]) by smtprelay07.dal12v.mail.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id 538FtsK916777826 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Tue, 8 Apr 2025 15:55:54 GMT Received: from smtpav06.wdc07v.mail.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 76DEC5804E; Tue, 8 Apr 2025 15:55:54 +0000 (GMT) Received: from smtpav06.wdc07v.mail.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 0560E5803F; Tue, 8 Apr 2025 15:55:53 +0000 (GMT) Received: from fedora-workstation.ibmuc.com (unknown [9.61.125.94]) by smtpav06.wdc07v.mail.ibm.com (Postfix) with ESMTP; Tue, 8 Apr 2025 15:55:52 +0000 (GMT) From: Zhuoying Cai To: thuth@redhat.com, richard.henderson@linaro.org, david@redhat.com, pbonzini@redhat.com Cc: walling@linux.ibm.com, jjherne@linux.ibm.com, jrossi@linux.ibm.com, fiuczy@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, iii@linux.ibm.com, qemu-s390x@nongnu.org, qemu-devel@nongnu.org, zycai@linux.ibm.com Subject: [PATCH v1 15/24] pc-bios/s390-ccw: Refactor zipl_run() Date: Tue, 8 Apr 2025 11:55:17 -0400 Message-ID: <20250408155527.123341-16-zycai@linux.ibm.com> X-Mailer: git-send-email 2.49.0 In-Reply-To: <20250408155527.123341-1-zycai@linux.ibm.com> References: <20250408155527.123341-1-zycai@linux.ibm.com> MIME-Version: 1.0 X-TM-AS-GCONF: 00 X-Proofpoint-GUID: TTrIdDISqhBkvdlDzmqNJpwvocvTkMUs X-Proofpoint-ORIG-GUID: TTrIdDISqhBkvdlDzmqNJpwvocvTkMUs X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1095,Hydra:6.0.680,FMLib:17.12.68.34 definitions=2025-04-08_06,2025-04-08_03,2024-11-22_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 lowpriorityscore=0 spamscore=0 adultscore=0 suspectscore=0 mlxlogscore=999 bulkscore=0 clxscore=1015 malwarescore=0 mlxscore=0 priorityscore=1501 phishscore=0 impostorscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.19.0-2502280000 definitions=main-2504080107 Received-SPF: pass client-ip=148.163.156.1; envelope-from=zycai@linux.ibm.com; helo=mx0a-001b2d01.pphosted.com X-Spam_score_int: -26 X-Spam_score: -2.7 X-Spam_bar: -- X-Spam_report: (-2.7 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=0.001, RCVD_IN_VALIDITY_CERTIFIED_BLOCKED=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-Mailman-Approved-At: Tue, 08 Apr 2025 12:17:35 -0400 X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org Sender: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org Refactor to enhance readability before enabling secure IPL in later patches. Signed-off-by: Zhuoying Cai --- pc-bios/s390-ccw/bootmap.c | 58 ++++++++++++++++++++++---------------- 1 file changed, 34 insertions(+), 24 deletions(-) diff --git a/pc-bios/s390-ccw/bootmap.c b/pc-bios/s390-ccw/bootmap.c index 0f8baa0198..485b55f1bf 100644 --- a/pc-bios/s390-ccw/bootmap.c +++ b/pc-bios/s390-ccw/bootmap.c @@ -674,6 +674,38 @@ static int zipl_load_segment(ComponentEntry *entry) return 0; } +static int zipl_run_normal(ComponentEntry *entry, uint8_t *tmp_sec) +{ + while (entry->component_type == ZIPL_COMP_ENTRY_LOAD || + entry->component_type == ZIPL_COMP_ENTRY_SIGNATURE) { + + /* Secure boot is off, so we skip signature entries */ + if (entry->component_type == ZIPL_COMP_ENTRY_SIGNATURE) { + entry++; + continue; + } + + if (zipl_load_segment(entry)) { + return -1; + } + + entry++; + + if ((uint8_t *)(&entry[1]) > (tmp_sec + MAX_SECTOR_SIZE)) { + puts("Wrong entry value"); + return -EINVAL; + } + } + + if (entry->component_type != ZIPL_COMP_ENTRY_EXEC) { + puts("No EXEC entry"); + return -EINVAL; + } + + write_reset_psw(entry->compdat.load_psw); + return 0; +} + /* Run a zipl program */ static int zipl_run(ScsiBlockPtr *pte) { @@ -700,34 +732,12 @@ static int zipl_run(ScsiBlockPtr *pte) /* Load image(s) into RAM */ entry = (ComponentEntry *)(&header[1]); - while (entry->component_type == ZIPL_COMP_ENTRY_LOAD || - entry->component_type == ZIPL_COMP_ENTRY_SIGNATURE) { - - /* We don't support secure boot yet, so we skip signature entries */ - if (entry->component_type == ZIPL_COMP_ENTRY_SIGNATURE) { - entry++; - continue; - } - - if (zipl_load_segment(entry)) { - return -1; - } - entry++; - - if ((uint8_t *)(&entry[1]) > (tmp_sec + MAX_SECTOR_SIZE)) { - puts("Wrong entry value"); - return -EINVAL; - } - } - - if (entry->component_type != ZIPL_COMP_ENTRY_EXEC) { - puts("No EXEC entry"); - return -EINVAL; + if (zipl_run_normal(entry, tmp_sec)) { + return -1; } /* should not return */ - write_reset_psw(entry->compdat.load_psw); jump_to_IPL_code(0); return -1; } From patchwork Tue Apr 8 15:55:18 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Zhuoying Cai X-Patchwork-Id: 14043358 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 479DCC369A4 for ; Tue, 8 Apr 2025 16:18:48 +0000 (UTC) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1u2Bdt-0006pC-0Z; Tue, 08 Apr 2025 12:17:41 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1u2BIw-0005bR-Uy; Tue, 08 Apr 2025 11:56:03 -0400 Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1u2BIt-0005wh-UG; Tue, 08 Apr 2025 11:56:02 -0400 Received: from pps.filterd (m0360072.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 538D4iJX005761; Tue, 8 Apr 2025 15:55:58 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ibm.com; h=cc :content-transfer-encoding:date:from:in-reply-to:message-id :mime-version:references:subject:to; s=pp1; bh=5nsen3UTzOz4zIgA1 rf6Cj8VIwwLMQdgh+my5EObUsQ=; b=lmWjdFHMSxYMKG1nya9OjZsq9qoTGDGqZ Nmw5Je7bMiUsmlUils8ZCCjEjz28+AQAl63eOz8oI9UWsqjerh11xxdY+fc4r9nO OKEFZuWfJMqYKy7A9VJuT80CYERBMvQlePvCTIi2Kob/+5BE+wikUfCr+TrV2lG3 7t49uJ/7Yzuf/r5R55seRhEZRCslTD5SqiFP6C3Kg+VxgEt6VdqNazchOZ/YqX2t 5eD6z4uT8SpacUeT230kv3jDRKc6pLSkrfbljl+3EPa3rYM2AGk2nnAJSZIKIsaX U8tN7PbVa1R246c5UBz5GNErKQ3olHg7ZDEooz+fPlt6pwajQ7NBg== Received: from ppma23.wdc07v.mail.ibm.com (5d.69.3da9.ip4.static.sl-reverse.com [169.61.105.93]) by mx0a-001b2d01.pphosted.com (PPS) with ESMTPS id 45vjvxnbtq-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 08 Apr 2025 15:55:58 +0000 (GMT) Received: from pps.filterd (ppma23.wdc07v.mail.ibm.com [127.0.0.1]) by ppma23.wdc07v.mail.ibm.com (8.18.1.2/8.18.1.2) with ESMTP id 538CmdpU025510; Tue, 8 Apr 2025 15:55:57 GMT Received: from smtprelay02.wdc07v.mail.ibm.com ([172.16.1.69]) by ppma23.wdc07v.mail.ibm.com (PPS) with ESMTPS id 45ugbku9vx-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 08 Apr 2025 15:55:57 +0000 Received: from smtpav06.wdc07v.mail.ibm.com (smtpav06.wdc07v.mail.ibm.com [10.39.53.233]) by smtprelay02.wdc07v.mail.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id 538FtuwN27198194 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Tue, 8 Apr 2025 15:55:56 GMT Received: from smtpav06.wdc07v.mail.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 1C1B85804E; Tue, 8 Apr 2025 15:55:56 +0000 (GMT) Received: from smtpav06.wdc07v.mail.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 9EB305803F; Tue, 8 Apr 2025 15:55:54 +0000 (GMT) Received: from fedora-workstation.ibmuc.com (unknown [9.61.125.94]) by smtpav06.wdc07v.mail.ibm.com (Postfix) with ESMTP; Tue, 8 Apr 2025 15:55:54 +0000 (GMT) From: Zhuoying Cai To: thuth@redhat.com, richard.henderson@linaro.org, david@redhat.com, pbonzini@redhat.com Cc: walling@linux.ibm.com, jjherne@linux.ibm.com, jrossi@linux.ibm.com, fiuczy@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, iii@linux.ibm.com, qemu-s390x@nongnu.org, qemu-devel@nongnu.org, zycai@linux.ibm.com Subject: [PATCH v1 16/24] pc-bios/s390-ccw: Refactor zipl_load_segment function Date: Tue, 8 Apr 2025 11:55:18 -0400 Message-ID: <20250408155527.123341-17-zycai@linux.ibm.com> X-Mailer: git-send-email 2.49.0 In-Reply-To: <20250408155527.123341-1-zycai@linux.ibm.com> References: <20250408155527.123341-1-zycai@linux.ibm.com> MIME-Version: 1.0 X-TM-AS-GCONF: 00 X-Proofpoint-ORIG-GUID: Ln_lzqDkBAgtvdtWJxQaa9CE7DQLUz0B X-Proofpoint-GUID: Ln_lzqDkBAgtvdtWJxQaa9CE7DQLUz0B X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1095,Hydra:6.0.680,FMLib:17.12.68.34 definitions=2025-04-08_06,2025-04-08_03,2024-11-22_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 phishscore=0 malwarescore=0 mlxscore=0 bulkscore=0 mlxlogscore=999 impostorscore=0 adultscore=0 priorityscore=1501 suspectscore=0 lowpriorityscore=0 clxscore=1015 spamscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.19.0-2502280000 definitions=main-2504080107 Received-SPF: pass client-ip=148.163.158.5; envelope-from=zycai@linux.ibm.com; helo=mx0b-001b2d01.pphosted.com X-Spam_score_int: -26 X-Spam_score: -2.7 X-Spam_bar: -- X-Spam_report: (-2.7 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H5=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_VALIDITY_CERTIFIED_BLOCKED=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-Mailman-Approved-At: Tue, 08 Apr 2025 12:17:35 -0400 X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org Sender: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org Make the address variable a parameter of zipl_load_segment. Modify this function for reuse in the next patch, which allows loading segment or signature data to the destination memory address. Signed-off-by: Zhuoying Cai --- pc-bios/s390-ccw/bootmap.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/pc-bios/s390-ccw/bootmap.c b/pc-bios/s390-ccw/bootmap.c index 485b55f1bf..4fb3e99f4b 100644 --- a/pc-bios/s390-ccw/bootmap.c +++ b/pc-bios/s390-ccw/bootmap.c @@ -613,19 +613,17 @@ static int ipl_eckd(void) * IPL a SCSI disk */ -static int zipl_load_segment(ComponentEntry *entry) +static int zipl_load_segment(ComponentEntry *entry, uint64_t address) { const int max_entries = (MAX_SECTOR_SIZE / sizeof(ScsiBlockPtr)); ScsiBlockPtr *bprs = (void *)sec; const int bprs_size = sizeof(sec); block_number_t blockno; - uint64_t address; int i; char err_msg[] = "zIPL failed to read BPRS at 0xZZZZZZZZZZZZZZZZ"; char *blk_no = &err_msg[30]; /* where to print blockno in (those ZZs) */ blockno = entry->data.blockno; - address = entry->compdat.load_addr; debug_print_int("loading segment at block", blockno); debug_print_int("addr", address); @@ -685,7 +683,7 @@ static int zipl_run_normal(ComponentEntry *entry, uint8_t *tmp_sec) continue; } - if (zipl_load_segment(entry)) { + if (zipl_load_segment(entry, entry->compdat.load_addr)) { return -1; } From patchwork Tue Apr 8 15:55:19 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Zhuoying Cai X-Patchwork-Id: 14043382 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 9A887C369A2 for ; Tue, 8 Apr 2025 16:25:20 +0000 (UTC) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1u2Be1-0006sG-A4; Tue, 08 Apr 2025 12:17:49 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1u2BJ0-0005c5-J3; Tue, 08 Apr 2025 11:56:13 -0400 Received: from mx0a-001b2d01.pphosted.com ([148.163.156.1]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1u2BIx-0005xK-Em; Tue, 08 Apr 2025 11:56:06 -0400 Received: from pps.filterd (m0360083.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 538ErGqs029542; Tue, 8 Apr 2025 15:56:01 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ibm.com; h=cc :content-transfer-encoding:date:from:in-reply-to:message-id :mime-version:references:subject:to; s=pp1; bh=7sp4hyMvbpJYkl4UB MpLKKNNX6HWUcqxa5XUlON1KFk=; b=E363ZyzDK/a8EiUVw+NylWg+jHXDDu47L ptVJQl8OBLcr2bendB8jwTs19sZzIL2LBMtvZb3wlBhdI1RvWGS4mJPUXshhFbL1 zhkNrN8RnNugKRuPfEFpapvhnHtjCMG2gKZSA3bPWp6BgEl4KsxynxdqSYnxaG6/ kDknaF5PAiMtyNkxeW2wA85hP/GOhLwvhaC5V9b+EmQlqUpvnVnPQXNu/sGGeeDT bRbt0JNSooK9IRjq4gnrm3yTtjAYl46klyviLyO85bpKW0SqpSXxiC7jD6lRa3NB J+w/djxxEuYkEZMffbkAx8mXQnYr8wMIL0VfnR/aNDbVXtQAUBI3w== Received: from ppma13.dal12v.mail.ibm.com (dd.9e.1632.ip4.static.sl-reverse.com [50.22.158.221]) by mx0a-001b2d01.pphosted.com (PPS) with ESMTPS id 45vv6a3an8-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 08 Apr 2025 15:56:00 +0000 (GMT) Received: from pps.filterd (ppma13.dal12v.mail.ibm.com [127.0.0.1]) by ppma13.dal12v.mail.ibm.com (8.18.1.2/8.18.1.2) with ESMTP id 538DQGA7017826; Tue, 8 Apr 2025 15:55:59 GMT Received: from smtprelay03.wdc07v.mail.ibm.com ([172.16.1.70]) by ppma13.dal12v.mail.ibm.com (PPS) with ESMTPS id 45uh2kk5cd-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 08 Apr 2025 15:55:59 +0000 Received: from smtpav06.wdc07v.mail.ibm.com (smtpav06.wdc07v.mail.ibm.com [10.39.53.233]) by smtprelay03.wdc07v.mail.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id 538FttFJ22676018 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Tue, 8 Apr 2025 15:55:55 GMT Received: from smtpav06.wdc07v.mail.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id C46A158055; Tue, 8 Apr 2025 15:55:57 +0000 (GMT) Received: from smtpav06.wdc07v.mail.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 45DAC5803F; Tue, 8 Apr 2025 15:55:56 +0000 (GMT) Received: from fedora-workstation.ibmuc.com (unknown [9.61.125.94]) by smtpav06.wdc07v.mail.ibm.com (Postfix) with ESMTP; Tue, 8 Apr 2025 15:55:56 +0000 (GMT) From: Zhuoying Cai To: thuth@redhat.com, richard.henderson@linaro.org, david@redhat.com, pbonzini@redhat.com Cc: walling@linux.ibm.com, jjherne@linux.ibm.com, jrossi@linux.ibm.com, fiuczy@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, iii@linux.ibm.com, qemu-s390x@nongnu.org, qemu-devel@nongnu.org, zycai@linux.ibm.com Subject: [PATCH v1 17/24] pc-bios/s390-ccw: Add signature verification for secure boot in audit mode Date: Tue, 8 Apr 2025 11:55:19 -0400 Message-ID: <20250408155527.123341-18-zycai@linux.ibm.com> X-Mailer: git-send-email 2.49.0 In-Reply-To: <20250408155527.123341-1-zycai@linux.ibm.com> References: <20250408155527.123341-1-zycai@linux.ibm.com> MIME-Version: 1.0 X-TM-AS-GCONF: 00 X-Proofpoint-ORIG-GUID: E69SUxGPs-dvfD_6QMyLWXzTpZnmyTJk X-Proofpoint-GUID: E69SUxGPs-dvfD_6QMyLWXzTpZnmyTJk X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1095,Hydra:6.0.680,FMLib:17.12.68.34 definitions=2025-04-08_06,2025-04-08_03,2024-11-22_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 malwarescore=0 phishscore=0 lowpriorityscore=0 spamscore=0 priorityscore=1501 adultscore=0 clxscore=1015 suspectscore=0 bulkscore=0 mlxlogscore=999 mlxscore=0 impostorscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.19.0-2502280000 definitions=main-2504080107 Received-SPF: pass client-ip=148.163.156.1; envelope-from=zycai@linux.ibm.com; helo=mx0a-001b2d01.pphosted.com X-Spam_score_int: -26 X-Spam_score: -2.7 X-Spam_bar: -- X-Spam_report: (-2.7 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=0.001, RCVD_IN_VALIDITY_CERTIFIED_BLOCKED=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-Mailman-Approved-At: Tue, 08 Apr 2025 12:17:35 -0400 X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org Sender: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org Enable secure IPL in audit mode, which performs signature verification, but any error does not terminate the boot process. Only warnings will be logged to the console instead. Add a comp_len variable to store the length of a segment in zipl_load_segment. comp_len variable is necessary to store the calculated segment length and is used during signature verification. Return the length on success, or a negative return code on failure. Secure IPL in audit mode requires at least one certificate provided in the key store along with necessary facilities (Secure IPL Facility, Certificate Store Facility and secure IPL extension support). Note: Secure IPL in audit mode is implemented for the SCSI scheme of virtio-blk/virtio-scsi devices. Signed-off-by: Zhuoying Cai --- pc-bios/s390-ccw/bootmap.c | 344 +++++++++++++++++++++++++++++++++++- pc-bios/s390-ccw/bootmap.h | 9 + pc-bios/s390-ccw/iplb.h | 68 +++++++ pc-bios/s390-ccw/main.c | 9 + pc-bios/s390-ccw/s390-ccw.h | 10 ++ pc-bios/s390-ccw/sclp.c | 43 +++++ pc-bios/s390-ccw/sclp.h | 6 + 7 files changed, 486 insertions(+), 3 deletions(-) diff --git a/pc-bios/s390-ccw/bootmap.c b/pc-bios/s390-ccw/bootmap.c index 4fb3e99f4b..bdbd6ccd96 100644 --- a/pc-bios/s390-ccw/bootmap.c +++ b/pc-bios/s390-ccw/bootmap.c @@ -30,6 +30,13 @@ /* Scratch space */ static uint8_t sec[MAX_SECTOR_SIZE*4] __attribute__((__aligned__(PAGE_SIZE))); +/* sector for storing certificates */ +static uint8_t certs_sec[CERT_MAX_SIZE * MAX_CERTIFICATES]; +/* sector for storing signatures */ +static uint8_t sig_sec[MAX_SECTOR_SIZE] __attribute__((__aligned__(PAGE_SIZE))); + +uint8_t vcb_data[MAX_SECTOR_SIZE * 4] __attribute__((__aligned__(PAGE_SIZE))); +uint8_t vcssb_data[VCSSB_MAX_LEN] __attribute__((__aligned__(PAGE_SIZE))); const uint8_t el_torito_magic[] = "EL TORITO SPECIFICATION" "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"; @@ -622,6 +629,7 @@ static int zipl_load_segment(ComponentEntry *entry, uint64_t address) int i; char err_msg[] = "zIPL failed to read BPRS at 0xZZZZZZZZZZZZZZZZ"; char *blk_no = &err_msg[30]; /* where to print blockno in (those ZZs) */ + int comp_len = 0; blockno = entry->data.blockno; @@ -660,6 +668,9 @@ static int zipl_load_segment(ComponentEntry *entry, uint64_t address) */ break; } + + comp_len += (uint64_t)bprs->size * ((uint64_t)bprs[i].blockct + 1); + address = virtio_load_direct(cur_desc[0], cur_desc[1], 0, (void *)address); if (!address) { @@ -669,6 +680,305 @@ static int zipl_load_segment(ComponentEntry *entry, uint64_t address) } } while (blockno); + return comp_len; +} + +int get_vcssb(VerificationCertificateStorageSizeBlock *vcssb) +{ + int rc; + + /* avoid retrieving vcssb multiple times */ + if (vcssb->length == VCSSB_MAX_LEN) { + return 0; + } + + rc = diag320(vcssb, DIAG_320_SUBC_QUERY_VCSI); + if (rc != DIAG_320_RC_OK) { + return -1; + } + + return 0; +} + +static inline uint32_t request_certificate(uint64_t *cert, uint8_t index) +{ + VerificationCertificateStorageSizeBlock *vcssb; + VerficationCertificateBlock *vcb; + VerificationCertificateEntry *vce; + uint64_t rc = 0; + uint32_t cert_len = 0; + + vcssb = (VerificationCertificateStorageSizeBlock *)vcssb_data; + vcb = (VerficationCertificateBlock *)vcb_data; + + /* Get Verification Certificate Storage Size block with DIAG320 subcode 1 */ + if (get_vcssb(vcssb)) { + return 0; + } + + /* + * Request single entry + * Fill input fields of single-entry VCB + */ + vcb->vcb_hdr.vcbinlen = ROUND_UP(vcssb->largestvcblen, PAGE_SIZE); + vcb->vcb_hdr.fvci = index + 1; + vcb->vcb_hdr.lvci = index + 1; + + rc = diag320(vcb, DIAG_320_SUBC_STORE_VC); + if (rc == DIAG_320_RC_OK) { + vce = (VerificationCertificateEntry *)vcb->vcb_buf; + cert_len = vce->vce_hdr.certlen; + memcpy(cert, (uint8_t *)vce + vce->vce_hdr.certoffset, vce->vce_hdr.certlen); + /* clear out region for next cert(s) */ + memcpy(vcb_data, 0, sizeof(vcb_data)); + } + + return cert_len; +} + +static int cert_table_add(uint64_t **cert_table, uint64_t **cert, + uint64_t cert_len, uint8_t cert_idx) +{ + if (request_certificate(*cert, cert_idx)) { + /* save certificate address to cert_table */ + cert_table[cert_idx] = *cert; + /* update cert address for the next certificate */ + *cert += cert_len; + } else { + puts("Could not get certificate"); + return -1; + } + + return 0; +} + +static void cert_list_add(IplSignatureCertificateList *certs, int cert_index, + uint64_t *cert, uint64_t cert_len) +{ + if (cert_index > MAX_CERTIFICATES - 1) { + printf("Warning: Ignoring cert entry [%d] because it's over 64 entires\n", + cert_index + 1); + return; + } + + certs->cert_entries[cert_index].addr = (uint64_t)cert; + certs->cert_entries[cert_index].len = cert_len; + certs->ipl_info_header.len += sizeof(certs->cert_entries[cert_index]); +} + +static void comp_list_add(IplDeviceComponentList *comps, int comp_index, + int cert_index, uint64_t comp_addr, + uint64_t comp_len, uint8_t flags) +{ + if (comp_index > MAX_CERTIFICATES - 1) { + printf("Warning: Ignoring comp entry [%d] because it's over 64 entires\n", + comp_index + 1); + return; + } + + comps->device_entries[comp_index].addr = comp_addr; + comps->device_entries[comp_index].len = comp_len; + comps->device_entries[comp_index].flags = flags; + comps->device_entries[comp_index].cert_index = cert_index; + comps->ipl_info_header.len += sizeof(comps->device_entries[comp_index]); +} + +static int update_iirb(IplDeviceComponentList *comps, IplSignatureCertificateList *certs) +{ + IplInfoReportBlock *iirb; + IplDeviceComponentList *comp_list; + IplSignatureCertificateList *cert_list; + + if (iplb->len % 8 != 0) { + puts("IPL parameter block length field value is not multiple of 8 bytes"); + return -1; + } + + /* IIRB immediately follows IPLB */ + iirb = &ipl_data.iirb; + iirb->hdr.len = sizeof(IplInfoReportBlockHeader); + + /* Copy IPL device component list after IIRB Header */ + comp_list = (IplDeviceComponentList *) iirb->info_blks; + memcpy(comp_list, comps, comps->ipl_info_header.len); + + /* Update IIRB length */ + iirb->hdr.len += comps->ipl_info_header.len; + + /* Copy IPL sig cert list after IPL device component list */ + cert_list = (IplSignatureCertificateList *) (iirb->info_blks + + comp_list->ipl_info_header.len); + memcpy(cert_list, certs, certs->ipl_info_header.len); + + /* Update IIRB length */ + iirb->hdr.len += certs->ipl_info_header.len; + + return 0; +} + +static bool secure_ipl_supported(void) +{ + if (!sclp_is_sipl_on()) { + puts("Secure IPL Facility is not supported by the hypervisor!"); + return false; + } + + if (!is_secure_ipl_extension_supported()) { + puts("Secure IPL extensions are not supported by the hypervisor!"); + return false; + } + + if (!(sclp_is_diag320_on() && is_cert_store_facility_supported())) { + puts("Certificate Store Facility is not supported by the hypervisor!"); + return false; + } + + return true; +} + +static void init_lists(IplDeviceComponentList *comps, IplSignatureCertificateList *certs) +{ + comps->ipl_info_header.ibt = IPL_IBT_COMPONENTS; + comps->ipl_info_header.len = sizeof(comps->ipl_info_header); + + certs->ipl_info_header.ibt = IPL_IBT_CERTIFICATES; + certs->ipl_info_header.len = sizeof(certs->ipl_info_header); +} + +static bool check_sig_entry(ComponentEntry *entry, uint32_t *sig_len) +{ + if ((entry + 1)->component_type != ZIPL_COMP_ENTRY_LOAD) { + puts("Next component does not contain signed binary code"); + return false; + } + + if (zipl_load_segment(entry, (uint64_t)sig_sec) < 0) { + return false; + }; + + if (entry->compdat.sig_info.format != DER_SIGNATURE_FORMAT) { + puts("Signature is not in DER format"); + return false; + } + + *sig_len = entry->compdat.sig_info.sig_len; + return true; +} + +static int perform_sig_verf(uint64_t comp_addr, uint64_t comp_len, uint64_t sig_len, + uint64_t *cert_table[], uint64_t **cert, + IplDeviceComponentList *comps, + IplSignatureCertificateList *certs, + int comp_index, int cert_index, + void (*print_func)(bool, const char *)) +{ + uint64_t cert_len = -1; + uint8_t cert_idx = -1; + bool verified; + + verified = verify_signature(comp_len, comp_addr, sig_len, (uint64_t)sig_sec, + &cert_len, &cert_idx); + + if (verified) { + if (cert_table[cert_idx] == 0) { + if (cert_table_add(cert_table, cert, cert_len, cert_idx)) { + return -1; + } + } + + puts("Verified component"); + cert_list_add(certs, cert_index, cert_table[cert_idx], cert_len); + comp_list_add(comps, comp_index, cert_index, comp_addr, comp_len, + S390_IPL_COMPONENT_FLAG_SC | S390_IPL_COMPONENT_FLAG_CSV); + } else { + comp_list_add(comps, comp_index, -1, comp_addr, comp_len, + S390_IPL_COMPONENT_FLAG_SC); + print_func(verified, "Could not verify component"); + } + + return 0; +} + +static int zipl_run_secure(ComponentEntry *entry, uint8_t *tmp_sec) +{ + bool found_signature = false; + struct IplDeviceComponentList comps; + struct IplSignatureCertificateList certs; + uint64_t *cert = (uint64_t *)certs_sec; + int cert_index = 0; + int comp_index = 0; + int comp_len; + bool valid_sig; + uint32_t sig_len; + /* + * Store address of certificate to prevent allocating + * the same certificate multiple times. + */ + uint64_t *cert_table[MAX_CERTIFICATES]; + + void (*print_func)(bool, const char *) = NULL; + print_func = &IPL_check; + + if (!secure_ipl_supported()) { + return -1; + } + + init_lists(&comps, &certs); + + valid_sig = false; + while (entry->component_type == ZIPL_COMP_ENTRY_LOAD || + entry->component_type == ZIPL_COMP_ENTRY_SIGNATURE) { + + if (entry->component_type == ZIPL_COMP_ENTRY_SIGNATURE) { + valid_sig = check_sig_entry(entry, &sig_len); + if (!valid_sig) { + return -1; + } + } else { + comp_len = zipl_load_segment(entry, entry->compdat.load_addr); + if (comp_len < 0) { + return -1; + } + + if (valid_sig) { + perform_sig_verf(entry->compdat.load_addr, comp_len, sig_len, cert_table, + &cert, &comps, &certs, comp_index, cert_index, + print_func); + + cert_index++; + found_signature = true; + /* + * complete signature verification for current component, + * reset variable for the next signature entry. + */ + valid_sig = false; + } + + comp_index++; + } + + entry++; + + if ((uint8_t *)(&entry[1]) > (tmp_sec + MAX_SECTOR_SIZE)) { + puts("Wrong entry value"); + return -EINVAL; + } + } + + if (entry->component_type != ZIPL_COMP_ENTRY_EXEC) { + puts("No EXEC entry"); + return -EINVAL; + } + + if (!found_signature) { + print_func(found_signature, "Secure boot is on, but components are not signed"); + } + + if (update_iirb(&comps, &certs)) { + print_func(false, "Failed to write IPL Information Report Block"); + } + write_reset_psw(entry->compdat.load_psw); + return 0; } @@ -683,7 +993,7 @@ static int zipl_run_normal(ComponentEntry *entry, uint8_t *tmp_sec) continue; } - if (zipl_load_segment(entry, entry->compdat.load_addr)) { + if (zipl_load_segment(entry, entry->compdat.load_addr) < 0) { return -1; } @@ -731,8 +1041,17 @@ static int zipl_run(ScsiBlockPtr *pte) /* Load image(s) into RAM */ entry = (ComponentEntry *)(&header[1]); - if (zipl_run_normal(entry, tmp_sec)) { - return -1; + switch (boot_mode) { + case ZIPL_SECURE_AUDIT_MODE: + if (zipl_run_secure(entry, tmp_sec)) { + return -1; + } + break; + case ZIPL_NORMAL_MODE: + if (zipl_run_normal(entry, tmp_sec)) { + return -1; + } + break; } /* should not return */ @@ -1091,17 +1410,32 @@ static int zipl_load_vscsi(void) * IPL starts here */ +int zipl_mode(void) +{ + uint32_t cert_len; + + cert_len = request_certificate((uint64_t *)certs_sec, 0); + + return (cert_len > 0) ? ZIPL_SECURE_AUDIT_MODE : ZIPL_NORMAL_MODE; +} + void zipl_load(void) { VDev *vdev = virtio_get_device(); if (vdev->is_cdrom) { + if (boot_mode == ZIPL_SECURE_AUDIT_MODE) { + panic("Secure boot from ISO image is not supported!"); + } ipl_iso_el_torito(); puts("Failed to IPL this ISO image!"); return; } if (virtio_get_device_type() == VIRTIO_ID_NET) { + if (boot_mode == ZIPL_SECURE_AUDIT_MODE) { + panic("Virtio net boot device does not support secure boot!"); + } netmain(); puts("Failed to IPL from this network!"); return; @@ -1112,6 +1446,10 @@ void zipl_load(void) return; } + if (boot_mode == ZIPL_SECURE_AUDIT_MODE) { + panic("ECKD boot device does not support secure boot!"); + } + switch (virtio_get_device_type()) { case VIRTIO_ID_BLOCK: zipl_load_vblk(); diff --git a/pc-bios/s390-ccw/bootmap.h b/pc-bios/s390-ccw/bootmap.h index 95943441d3..e48823a835 100644 --- a/pc-bios/s390-ccw/bootmap.h +++ b/pc-bios/s390-ccw/bootmap.h @@ -88,9 +88,18 @@ typedef struct BootMapTable { BootMapPointer entry[]; } __attribute__ ((packed)) BootMapTable; +#define DER_SIGNATURE_FORMAT 1 + +typedef struct SignatureInformation { + uint8_t format; + uint8_t reserved[3]; + uint32_t sig_len; +} __attribute__((packed)) SignatureInformation; + typedef union ComponentEntryData { uint64_t load_psw; uint64_t load_addr; + SignatureInformation sig_info; } ComponentEntryData; typedef struct ComponentEntry { diff --git a/pc-bios/s390-ccw/iplb.h b/pc-bios/s390-ccw/iplb.h index 11302e004d..8d9fdde30a 100644 --- a/pc-bios/s390-ccw/iplb.h +++ b/pc-bios/s390-ccw/iplb.h @@ -16,12 +16,15 @@ #define QEMU_PACKED __attribute__((packed)) #endif +#include +#include #include #include extern QemuIplParameters qipl; extern IplParameterBlock *iplb; extern bool have_iplb; +extern int boot_mode; struct IplInfoReportBlockHeader { uint32_t len; @@ -143,4 +146,69 @@ static inline bool load_next_iplb(void) return true; } +static inline uint64_t diag320(void *data, unsigned long subcode) +{ + register unsigned long addr asm("0") = (unsigned long)data; + register unsigned long rc asm("1") = 0; + + asm volatile ("diag %0,%2,0x320\n" + : "+d" (addr), "+d" (rc) + : "d" (subcode) + : "memory", "cc"); + return rc; +} + +static inline uint64_t get_320_subcodes(uint64_t *ism) +{ + return diag320(ism, DIAG_320_SUBC_QUERY_ISM); +} + +static inline bool is_cert_store_facility_supported(void) +{ + uint64_t d320_ism; + get_320_subcodes(&d320_ism); + return (d320_ism & DIAG_320_ISM_QUERY_VCSI) && + (d320_ism & DIAG_320_ISM_STORE_VC); +} + +static inline uint64_t _diag508(void *data, unsigned long subcode) +{ + register unsigned long addr asm("0") = (unsigned long)data; + register unsigned long rc asm("1") = 0; + + asm volatile ("diag %0,%2,0x508\n" + : "+d" (addr), "+d" (rc) + : "d" (subcode) + : "memory", "cc"); + return rc; +} + +static inline uint64_t get_508_subcodes(void) +{ + return _diag508(NULL, DIAG_508_SUBC_QUERY_SUBC); +} + +static inline bool is_secure_ipl_extension_supported(void) +{ + uint64_t d508_subcodes; + + d508_subcodes = get_508_subcodes(); + return d508_subcodes & DIAG_508_SUBC_SIG_VERIF; +} + +static inline bool verify_signature(uint64_t comp_len, uint64_t comp_addr, + uint64_t sig_len, uint64_t sig_addr, + uint64_t *cert_len, uint8_t *cert_idx) +{ + Diag508SignatureVerificationBlock svb = {{}, comp_len, comp_addr, + sig_len, sig_addr }; + + if (_diag508(&svb, DIAG_508_SUBC_SIG_VERIF) == DIAG_508_RC_OK) { + *cert_len = svb.csi.len; + *cert_idx = svb.csi.idx; + return true; + } + return false; +} + #endif /* IPLB_H */ diff --git a/pc-bios/s390-ccw/main.c b/pc-bios/s390-ccw/main.c index c9328f1c51..92004a6f82 100644 --- a/pc-bios/s390-ccw/main.c +++ b/pc-bios/s390-ccw/main.c @@ -28,6 +28,7 @@ IplParameterBlock *iplb; bool have_iplb; static uint16_t cutype; LowCore *lowcore; /* Yes, this *is* a pointer to address 0 */ +int boot_mode; #define LOADPARM_PROMPT "PROMPT " #define LOADPARM_EMPTY " " @@ -272,9 +273,17 @@ static int virtio_setup(void) static void ipl_boot_device(void) { + if (boot_mode == 0) { + boot_mode = zipl_mode(); + } + switch (cutype) { case CU_TYPE_DASD_3990: case CU_TYPE_DASD_2107: + if (boot_mode == ZIPL_SECURE_AUDIT_MODE) { + panic("Passthrough (vfio) device does not support secure boot!"); + } + dasd_ipl(blk_schid, cutype); break; case CU_TYPE_VIRTIO: diff --git a/pc-bios/s390-ccw/s390-ccw.h b/pc-bios/s390-ccw/s390-ccw.h index 6cdce3e5e5..68ffbf7bc8 100644 --- a/pc-bios/s390-ccw/s390-ccw.h +++ b/pc-bios/s390-ccw/s390-ccw.h @@ -39,6 +39,9 @@ typedef unsigned long long u64; #define MIN_NON_ZERO(a, b) ((a) == 0 ? (b) : \ ((b) == 0 ? (a) : (MIN(a, b)))) #endif +#ifndef ROUND_UP +#define ROUND_UP(n, d) (((n) + (d) - 1) & -(0 ? (n) : (d))) +#endif #define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0])) @@ -64,6 +67,8 @@ void sclp_print(const char *string); void sclp_set_write_mask(uint32_t receive_mask, uint32_t send_mask); void sclp_setup(void); void sclp_get_loadparm_ascii(char *loadparm); +bool sclp_is_diag320_on(void); +bool sclp_is_sipl_on(void); int sclp_read(char *str, size_t count); /* virtio.c */ @@ -76,6 +81,11 @@ int virtio_read(unsigned long sector, void *load_addr); /* bootmap.c */ void zipl_load(void); +#define ZIPL_NORMAL_MODE 1 +#define ZIPL_SECURE_AUDIT_MODE 2 + +int zipl_mode(void); + /* jump2ipl.c */ void write_reset_psw(uint64_t psw); int jump_to_IPL_code(uint64_t address); diff --git a/pc-bios/s390-ccw/sclp.c b/pc-bios/s390-ccw/sclp.c index 4a07de018d..fd25c83387 100644 --- a/pc-bios/s390-ccw/sclp.c +++ b/pc-bios/s390-ccw/sclp.c @@ -113,6 +113,49 @@ void sclp_get_loadparm_ascii(char *loadparm) } } +static void sclp_get_fac134(uint8_t *fac134) +{ + + ReadInfo *sccb = (void *)_sccb; + + memset((char *)_sccb, 0, sizeof(ReadInfo)); + sccb->h.length = SCCB_SIZE; + if (!sclp_service_call(SCLP_CMDW_READ_SCP_INFO, sccb)) { + *fac134 = sccb->fac134; + } +} + +bool sclp_is_diag320_on(void) +{ + uint8_t fac134 = 0; + + sclp_get_fac134(&fac134); + return fac134 & SCCB_FAC134_DIAG320_BIT; +} + +/* + * Get cbl (byte 136 and byte 137 of the SCLP Read Info block) for IPL device facilities. + */ +static void sclp_get_cbl(uint16_t *cbl) +{ + + ReadInfo *sccb = (void *)_sccb; + + memset((char *)_sccb, 0, sizeof(ReadInfo)); + sccb->h.length = SCCB_SIZE; + if (!sclp_service_call(SCLP_CMDW_READ_SCP_INFO, sccb)) { + *cbl = sccb->cbl; + } +} + +bool sclp_is_sipl_on(void) +{ + uint16_t cbl = 0; + + sclp_get_cbl(&cbl); + return cbl & SCCB_CBL_SIPL_BIT; +} + int sclp_read(char *str, size_t count) { ReadEventData *sccb = (void *)_sccb; diff --git a/pc-bios/s390-ccw/sclp.h b/pc-bios/s390-ccw/sclp.h index 64b53cad29..de4141cb86 100644 --- a/pc-bios/s390-ccw/sclp.h +++ b/pc-bios/s390-ccw/sclp.h @@ -50,6 +50,8 @@ typedef struct SCCBHeader { } __attribute__((packed)) SCCBHeader; #define SCCB_DATA_LEN (SCCB_SIZE - sizeof(SCCBHeader)) +#define SCCB_FAC134_DIAG320_BIT 0x4 +#define SCCB_CBL_SIPL_BIT 0x4000 typedef struct ReadInfo { SCCBHeader h; @@ -57,6 +59,10 @@ typedef struct ReadInfo { uint8_t rnsize; uint8_t reserved[13]; uint8_t loadparm[LOADPARM_LEN]; + uint8_t reserved1[102]; + uint8_t fac134; + uint8_t reserved2; + uint16_t cbl; } __attribute__((packed)) ReadInfo; typedef struct SCCB { From patchwork Tue Apr 8 15:55:20 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Zhuoying Cai X-Patchwork-Id: 14043351 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 3C711C369A4 for ; Tue, 8 Apr 2025 16:18:09 +0000 (UTC) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1u2Bdw-0006qa-KM; Tue, 08 Apr 2025 12:17:44 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1u2BJ2-0005cN-Le; Tue, 08 Apr 2025 11:56:13 -0400 Received: from mx0a-001b2d01.pphosted.com ([148.163.156.1]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1u2BIy-0005xb-I1; Tue, 08 Apr 2025 11:56:07 -0400 Received: from pps.filterd (m0360083.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 538CU1qI028772; Tue, 8 Apr 2025 15:56:02 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ibm.com; h=cc :content-transfer-encoding:date:from:in-reply-to:message-id :mime-version:references:subject:to; s=pp1; bh=U5Ea2HNCHmFcLvkkd IgYU6Tq54dQSlrvzT4u2zyAIz0=; b=QEJNflt1VqKPw2z4QWb9KtI+xlUvFpK74 LZqMzI5xjJvGg//6mJklQdjQbp02CEU8FFSmWR4VPDnjy47gS+DoSkJBusxun0F9 OfYA9P1K92OXQ5jOl7+HXioBWuY0u68kudYABLzatmpr/bMFkQ0ugBzO1GihzovR RylY/1uUN9fHWzeE7EI9T6fbb9zCoyd6oWR7iLS3RG3T1/qMQRn2GxWFRS7IckNn DcMXECwrtUx9AEmXFjN26codZEJ8Ei5Nc8idqhlXZkBpIHlF9zOvHYHYoOwY6Jes OrQGW8jBs51+9SuzGEOSDsvuElaHCJ8E3nVoIuy8GRTyC5qWSq+mw== Received: from ppma23.wdc07v.mail.ibm.com (5d.69.3da9.ip4.static.sl-reverse.com [169.61.105.93]) by mx0a-001b2d01.pphosted.com (PPS) with ESMTPS id 45vv6a3and-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 08 Apr 2025 15:56:01 +0000 (GMT) Received: from pps.filterd (ppma23.wdc07v.mail.ibm.com [127.0.0.1]) by ppma23.wdc07v.mail.ibm.com (8.18.1.2/8.18.1.2) with ESMTP id 538D0njZ025598; Tue, 8 Apr 2025 15:56:00 GMT Received: from smtprelay05.wdc07v.mail.ibm.com ([172.16.1.72]) by ppma23.wdc07v.mail.ibm.com (PPS) with ESMTPS id 45ugbku9w3-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 08 Apr 2025 15:56:00 +0000 Received: from smtpav06.wdc07v.mail.ibm.com (smtpav06.wdc07v.mail.ibm.com [10.39.53.233]) by smtprelay05.wdc07v.mail.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id 538FtxrT30605856 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Tue, 8 Apr 2025 15:55:59 GMT Received: from smtpav06.wdc07v.mail.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 62F3F5804E; Tue, 8 Apr 2025 15:55:59 +0000 (GMT) Received: from smtpav06.wdc07v.mail.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id EBFB35803F; Tue, 8 Apr 2025 15:55:57 +0000 (GMT) Received: from fedora-workstation.ibmuc.com (unknown [9.61.125.94]) by smtpav06.wdc07v.mail.ibm.com (Postfix) with ESMTP; Tue, 8 Apr 2025 15:55:57 +0000 (GMT) From: Zhuoying Cai To: thuth@redhat.com, richard.henderson@linaro.org, david@redhat.com, pbonzini@redhat.com Cc: walling@linux.ibm.com, jjherne@linux.ibm.com, jrossi@linux.ibm.com, fiuczy@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, iii@linux.ibm.com, qemu-s390x@nongnu.org, qemu-devel@nongnu.org, zycai@linux.ibm.com Subject: [PATCH v1 18/24] s390x: Guest support for Secure-IPL Code Loading Attributes Facility (SCLAF) Date: Tue, 8 Apr 2025 11:55:20 -0400 Message-ID: <20250408155527.123341-19-zycai@linux.ibm.com> X-Mailer: git-send-email 2.49.0 In-Reply-To: <20250408155527.123341-1-zycai@linux.ibm.com> References: <20250408155527.123341-1-zycai@linux.ibm.com> MIME-Version: 1.0 X-TM-AS-GCONF: 00 X-Proofpoint-ORIG-GUID: OOsdN24Dcm3N-InO_mPM2kc4Q8CWajy2 X-Proofpoint-GUID: OOsdN24Dcm3N-InO_mPM2kc4Q8CWajy2 X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1095,Hydra:6.0.680,FMLib:17.12.68.34 definitions=2025-04-08_06,2025-04-08_03,2024-11-22_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 malwarescore=0 phishscore=0 lowpriorityscore=0 spamscore=0 priorityscore=1501 adultscore=0 clxscore=1011 suspectscore=0 bulkscore=0 mlxlogscore=999 mlxscore=0 impostorscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.19.0-2502280000 definitions=main-2504080107 Received-SPF: pass client-ip=148.163.156.1; envelope-from=zycai@linux.ibm.com; helo=mx0a-001b2d01.pphosted.com X-Spam_score_int: -26 X-Spam_score: -2.7 X-Spam_bar: -- X-Spam_report: (-2.7 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=0.001, RCVD_IN_VALIDITY_CERTIFIED_BLOCKED=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-Mailman-Approved-At: Tue, 08 Apr 2025 12:17:35 -0400 X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org Sender: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org The secure-IPL-code-loading-attributes facility (SCLAF) provides additional security during IPL. Availability of SCLAF is determined by byte 136 bit 3 of the SCLP Read Info block. Signed-off-by: Zhuoying Cai --- target/s390x/cpu_features.c | 1 + target/s390x/cpu_features_def.h.inc | 1 + target/s390x/cpu_models.c | 2 ++ target/s390x/gen-features.c | 1 + target/s390x/kvm/kvm.c | 3 +++ 5 files changed, 8 insertions(+) diff --git a/target/s390x/cpu_features.c b/target/s390x/cpu_features.c index e9371569cc..ee33a4e2a6 100644 --- a/target/s390x/cpu_features.c +++ b/target/s390x/cpu_features.c @@ -151,6 +151,7 @@ void s390_fill_feat_block(const S390FeatBitmap features, S390FeatType type, break; case S390_FEAT_TYPE_SCLP_CBL: clear_be_bit(s390_feat_def(S390_FEAT_SIPL)->bit, data); + clear_be_bit(s390_feat_def(S390_FEAT_SCLAF)->bit, data); break; default: return; diff --git a/target/s390x/cpu_features_def.h.inc b/target/s390x/cpu_features_def.h.inc index f874b9da6f..31e4efb8dc 100644 --- a/target/s390x/cpu_features_def.h.inc +++ b/target/s390x/cpu_features_def.h.inc @@ -142,6 +142,7 @@ DEF_FEAT(DIAG_320, "diag320", SCLP_FAC134, 5, "Provide Certificate Store functio /* Features exposed via SCLP SCCB Facilities byte 136 - 137 (bit numbers relative to byte-136) */ DEF_FEAT(SIPL, "sipl", SCLP_CBL, 1, "Seucre-IPL facility") +DEF_FEAT(SCLAF, "sclaf", SCLP_CBL, 3, "Seucre-IPL-code-loading-attributes facility") /* Features exposed via SCLP CPU info. */ DEF_FEAT(SIE_F2, "sief2", SCLP_CPU, 4, "SIE: interception format 2 (Virtual SIE)") diff --git a/target/s390x/cpu_models.c b/target/s390x/cpu_models.c index a83c27dcb8..73d2d6247f 100644 --- a/target/s390x/cpu_models.c +++ b/target/s390x/cpu_models.c @@ -264,6 +264,7 @@ bool s390_has_feat(S390Feat feat) case S390_FEAT_SIE_PFMFI: case S390_FEAT_SIE_IBS: case S390_FEAT_SIPL: + case S390_FEAT_SCLAF: case S390_FEAT_CONFIGURATION_TOPOLOGY: return false; break; @@ -509,6 +510,7 @@ static void check_consistency(const S390CPUModel *model) { S390_FEAT_DIAG_318, S390_FEAT_EXTENDED_LENGTH_SCCB }, { S390_FEAT_DIAG_320, S390_FEAT_EXTENDED_LENGTH_SCCB }, { S390_FEAT_SIPL, S390_FEAT_EXTENDED_LENGTH_SCCB }, + { S390_FEAT_SCLAF, S390_FEAT_EXTENDED_LENGTH_SCCB }, { S390_FEAT_NNPA, S390_FEAT_VECTOR }, { S390_FEAT_RDP, S390_FEAT_LOCAL_TLB_CLEARING }, { S390_FEAT_UV_FEAT_AP, S390_FEAT_AP }, diff --git a/target/s390x/gen-features.c b/target/s390x/gen-features.c index d973efbf72..1755501fb7 100644 --- a/target/s390x/gen-features.c +++ b/target/s390x/gen-features.c @@ -698,6 +698,7 @@ static uint16_t full_GEN14_GA1[] = { S390_FEAT_GROUP_MULTIPLE_EPOCH_PTFF, S390_FEAT_DIAG_320, S390_FEAT_SIPL, + S390_FEAT_SCLAF, }; #define full_GEN14_GA2 EmptyFeat diff --git a/target/s390x/kvm/kvm.c b/target/s390x/kvm/kvm.c index f418102b7f..1ecb67f398 100644 --- a/target/s390x/kvm/kvm.c +++ b/target/s390x/kvm/kvm.c @@ -2520,6 +2520,9 @@ bool kvm_s390_get_host_cpu_model(S390CPUModel *model, Error **errp) /* Secure-IPL facility is handled entirely within QEMU */ set_bit(S390_FEAT_SIPL, model->features); + /* Secure-IPL-code-loading-attributes facility is handled entirely within QEMU */ + set_bit(S390_FEAT_SCLAF, model->features); + /* Test for Ultravisor features that influence secure guest behavior */ query_uv_feat_guest(model->features); From patchwork Tue Apr 8 15:55:21 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Zhuoying Cai X-Patchwork-Id: 14043368 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id E66F6C369A2 for ; Tue, 8 Apr 2025 16:23:40 +0000 (UTC) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1u2BeH-0006tS-QJ; Tue, 08 Apr 2025 12:18:05 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1u2BJ3-0005cQ-DO; Tue, 08 Apr 2025 11:56:15 -0400 Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1u2BIy-0005xk-KQ; Tue, 08 Apr 2025 11:56:08 -0400 Received: from pps.filterd (m0356516.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 53897Y14025761; Tue, 8 Apr 2025 15:56:03 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ibm.com; h=cc :content-transfer-encoding:date:from:in-reply-to:message-id :mime-version:references:subject:to; s=pp1; bh=W6uFC1Ag4lY8FMpTw P6Oy8YVgSFhTO2kGzA4DKE8eR4=; b=kvozh6ZlPgAkTKkHS9Tf6qJYBte/7lIts oo34mNZco1GYrUDjvV+F3M4czFN7pJmHdBepMv72v1YunD+Qmq37L9Bh0Oo1mqsL pYTaTo0Xyn+BKz6XB1MQ2kjwRCRhdpR57i8OL+VEzhgPWJ4ZnmAr0GerCZnz7nmo CYfxiGej5f7dy7gt8TCh/tdshL2GzPwelTOulHYcS/NXmfbfbx2oF/rJl6+kuYve BR5SWwVZBXCd98aeS/qWKsa82waM0Mzt7MEEUMataMMQZhxvIBtAaRHIn3HWKFqj 8l40C3qtKC3q8AwiYkjGy0G6eb3Zgy2LmXu4NE6Dqw89DsBgRdcjw== Received: from ppma21.wdc07v.mail.ibm.com (5b.69.3da9.ip4.static.sl-reverse.com [169.61.105.91]) by mx0a-001b2d01.pphosted.com (PPS) with ESMTPS id 45vnvq4hxh-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 08 Apr 2025 15:56:02 +0000 (GMT) Received: from pps.filterd (ppma21.wdc07v.mail.ibm.com [127.0.0.1]) by ppma21.wdc07v.mail.ibm.com (8.18.1.2/8.18.1.2) with ESMTP id 538Cg1CG013858; Tue, 8 Apr 2025 15:56:02 GMT Received: from smtprelay07.wdc07v.mail.ibm.com ([172.16.1.74]) by ppma21.wdc07v.mail.ibm.com (PPS) with ESMTPS id 45ufunkbav-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 08 Apr 2025 15:56:02 +0000 Received: from smtpav06.wdc07v.mail.ibm.com (smtpav06.wdc07v.mail.ibm.com [10.39.53.233]) by smtprelay07.wdc07v.mail.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id 538Fu1Um31261290 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Tue, 8 Apr 2025 15:56:01 GMT Received: from smtpav06.wdc07v.mail.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 0283F5803F; Tue, 8 Apr 2025 15:56:01 +0000 (GMT) Received: from smtpav06.wdc07v.mail.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 8C62E58055; Tue, 8 Apr 2025 15:55:59 +0000 (GMT) Received: from fedora-workstation.ibmuc.com (unknown [9.61.125.94]) by smtpav06.wdc07v.mail.ibm.com (Postfix) with ESMTP; Tue, 8 Apr 2025 15:55:59 +0000 (GMT) From: Zhuoying Cai To: thuth@redhat.com, richard.henderson@linaro.org, david@redhat.com, pbonzini@redhat.com Cc: walling@linux.ibm.com, jjherne@linux.ibm.com, jrossi@linux.ibm.com, fiuczy@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, iii@linux.ibm.com, qemu-s390x@nongnu.org, qemu-devel@nongnu.org, zycai@linux.ibm.com Subject: [PATCH v1 19/24] pc-bios/s390-ccw: Add additional security checks for secure boot Date: Tue, 8 Apr 2025 11:55:21 -0400 Message-ID: <20250408155527.123341-20-zycai@linux.ibm.com> X-Mailer: git-send-email 2.49.0 In-Reply-To: <20250408155527.123341-1-zycai@linux.ibm.com> References: <20250408155527.123341-1-zycai@linux.ibm.com> MIME-Version: 1.0 X-TM-AS-GCONF: 00 X-Proofpoint-GUID: nS6mHauDaxkkYpog2bKXW90ckDFXWAz- X-Proofpoint-ORIG-GUID: nS6mHauDaxkkYpog2bKXW90ckDFXWAz- X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1095,Hydra:6.0.680,FMLib:17.12.68.34 definitions=2025-04-08_06,2025-04-08_03,2024-11-22_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 phishscore=0 spamscore=0 mlxscore=0 lowpriorityscore=0 adultscore=0 suspectscore=0 mlxlogscore=999 malwarescore=0 priorityscore=1501 clxscore=1015 bulkscore=0 impostorscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.19.0-2502280000 definitions=main-2504080107 Received-SPF: pass client-ip=148.163.158.5; envelope-from=zycai@linux.ibm.com; helo=mx0b-001b2d01.pphosted.com X-Spam_score_int: -26 X-Spam_score: -2.7 X-Spam_bar: -- X-Spam_report: (-2.7 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H5=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_VALIDITY_CERTIFIED_BLOCKED=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-Mailman-Approved-At: Tue, 08 Apr 2025 12:17:35 -0400 X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org Sender: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org Add additional checks to ensure that components do not overlap with signed components when loaded into memory. Add additional checks to ensure the load addresses of unsigned components are greater than or equal to 0x2000. When the secure IPL code loading attributes facility (SCLAF) is installed, all signed components must contain a secure code loading attributes block (SCLAB). The SCLAB provides further validation of information on where to load the signed binary code from the load device, and where to start the execution of the loaded OS code. When SCLAF is installed, its content must be evaluated during secure IPL. However, a missing SCLAB will not be reported in audit mode. The SCALB checking will be skipped in this case. Add IPL Information Error Indicators (IIEI) and Component Error Indicators (CEI) for IPL Information Report Block (IIRB). When SCLAF is installed, additional secure boot checks are performed during zipl and store results of verification into IIRB. Signed-off-by: Zhuoying Cai --- pc-bios/s390-ccw/bootmap.c | 281 +++++++++++++++++++++++++++++++++++- pc-bios/s390-ccw/iplb.h | 43 +++++- pc-bios/s390-ccw/s390-ccw.h | 1 + pc-bios/s390-ccw/sclp.c | 8 + pc-bios/s390-ccw/sclp.h | 1 + 5 files changed, 331 insertions(+), 3 deletions(-) diff --git a/pc-bios/s390-ccw/bootmap.c b/pc-bios/s390-ccw/bootmap.c index bdbd6ccd96..4bc6311802 100644 --- a/pc-bios/s390-ccw/bootmap.c +++ b/pc-bios/s390-ccw/bootmap.c @@ -683,6 +683,207 @@ static int zipl_load_segment(ComponentEntry *entry, uint64_t address) return comp_len; } +typedef struct SecureIplCompAddrRange { + bool is_signed; + uint64_t start_addr; + uint64_t end_addr; +} SecureIplCompAddrRange; + +static bool is_comp_overlap(SecureIplCompAddrRange *comp_addr_range, int addr_range_index, + uint64_t start_addr, uint64_t end_addr) +{ + /* neither a signed nor an unsigned component can overlap with a signed component */ + for (int i = 0; i < addr_range_index; i++) { + if ((comp_addr_range[i].start_addr <= end_addr && + start_addr <= comp_addr_range[i].end_addr) && + comp_addr_range[i].is_signed) { + return true; + } + } + + return false; +} + +static void comp_addr_range_add(SecureIplCompAddrRange *comp_addr_range, + int addr_range_index, bool is_signed, + uint64_t start_addr, uint64_t end_addr) +{ + comp_addr_range[addr_range_index].is_signed = is_signed; + comp_addr_range[addr_range_index].start_addr = start_addr; + comp_addr_range[addr_range_index].end_addr = end_addr; +} + +static void unsigned_addr_check(uint64_t load_addr, IplDeviceComponentList *comps, + int comp_index, void (*print_func)(bool, const char *)) +{ + bool is_addr_valid; + + is_addr_valid = load_addr >= 0x2000; + if (!is_addr_valid) { + comps->device_entries[comp_index].cei |= + S390_IPL_COMPONENT_CEI_INVALID_UNSIGNED_ADDR; + print_func(is_addr_valid, "Load address is less than 0x2000"); + } +} + +static void addr_overlap_check(SecureIplCompAddrRange *comp_addr_range, + int *addr_range_index, + uint64_t start_addr, uint64_t end_addr, + bool is_signed, void (*print_func)(bool, const char *)) +{ + bool overlap; + + overlap = is_comp_overlap(comp_addr_range, *addr_range_index, + start_addr, end_addr); + if (!overlap) { + comp_addr_range_add(comp_addr_range, *addr_range_index, is_signed, + start_addr, end_addr); + *addr_range_index += 1; + } else { + print_func(!overlap, "Component addresses overlap"); + } +} + +static void valid_sclab_check(SclabOriginLocator *sclab_locator, + IplDeviceComponentList *comps, int comp_index, + void (*print_func)(bool, const char *)) +{ + bool is_magic_match; + bool is_len_valid; + + /* identifies the presence of SCLAB */ + is_magic_match = magic_match(sclab_locator->magic, ZIPL_MAGIC); + if (!is_magic_match) { + comps->device_entries[comp_index].cei |= S390_IPL_COMPONENT_CEI_INVALID_SCLAB; + + /* a missing SCLAB will not be reported in audit mode */ + return; + } + + is_len_valid = sclab_locator->len >= 32; + if (!is_len_valid) { + comps->device_entries[comp_index].cei |= S390_IPL_COMPONENT_CEI_INVALID_SCLAB_LEN; + comps->device_entries[comp_index].cei |= S390_IPL_COMPONENT_CEI_INVALID_SCLAB; + print_func(is_len_valid, "Invalid SCLAB length"); + } +} + +static void sclab_format_check(SecureCodeLoadingAttributesBlock *sclab, + IplDeviceComponentList *comps, int comp_index, + void (*print_func)(bool, const char *)) +{ + bool valid_format; + + valid_format = sclab->format == 0; + if (!valid_format) { + comps->device_entries[comp_index].cei |= + S390_IPL_COMPONENT_CEI_INVALID_SCLAB_FORMAT; + } + print_func(valid_format, "Format-0 SCLAB is not being used"); +} + +static void sclab_opsw_check(SecureCodeLoadingAttributesBlock *sclab, + int *global_sclab_count, uint64_t *sclab_load_psw, + IplDeviceComponentList *comps, int comp_index, + void (*print_func)(bool, const char *)) +{ + bool is_load_psw_zero; + bool is_ola_on; + bool has_one_glob_sclab; + + /* OPSW is zero */ + if (!(sclab->flags & S390_IPL_SCLAB_FLAG_OPSW)) { + is_load_psw_zero = sclab->load_psw == 0; + if (!is_load_psw_zero) { + comps->device_entries[comp_index].cei |= + S390_IPL_COMPONENT_CEI_SCLAB_LOAD_PSW_NOT_ZERO; + print_func(is_load_psw_zero, + "Load PSW is not zero when Override PSW bit is zero"); + } + } else { + is_ola_on = sclab->flags & S390_IPL_SCLAB_FLAG_OLA; + if (!is_ola_on) { + comps->device_entries[comp_index].cei |= + S390_IPL_COMPONENT_CEI_SCLAB_OLA_NOT_ONE; + print_func(is_ola_on, + "Override Load Address bit is not set to one in the global SCLAB"); + } + + *global_sclab_count += 1; + if (*global_sclab_count == 1) { + *sclab_load_psw = sclab->load_psw; + } else { + has_one_glob_sclab = false; + comps->ipl_info_header.iiei |= S390_IPL_INFO_IIEI_MORE_GLOBAL_SCLAB; + print_func(has_one_glob_sclab, "More than one global SCLAB"); + } + } +} + +static void sclab_ola_check(SecureCodeLoadingAttributesBlock *sclab, + uint64_t load_addr, IplDeviceComponentList *comps, + int comp_index, void (*print_func)(bool, const char *)) +{ + bool is_load_addr_zero; + bool is_matched; + + /* OLA is zero */ + if (!(sclab->flags & S390_IPL_SCLAB_FLAG_OLA)) { + is_load_addr_zero = sclab->load_addr == 0; + if (!is_load_addr_zero) { + comps->device_entries[comp_index].cei |= + S390_IPL_COMPONENT_CEI_SCLAB_LOAD_ADDR_NOT_ZERO; + print_func(is_load_addr_zero, + "Load Address is not zero when Override Load Address bit is zero"); + } + } else { + is_matched = sclab->load_addr == load_addr; + if (!is_matched) { + comps->device_entries[comp_index].cei |= + S390_IPL_COMPONENT_CEI_UNMATCHED_SCLAB_LOAD_ADDR; + print_func(is_matched, + "Load Address does not match with component load address"); + } + } +} + +static bool is_psw_valid(uint64_t psw, SecureIplCompAddrRange *comp_addr_range, + int range_index) +{ + uint32_t addr = psw & 0x3FFFFFFF; + + /* PSW points to the beginning of a signed binary code component */ + for (int i = 0; i < range_index; i++) { + if (comp_addr_range[i].is_signed && comp_addr_range[i].start_addr == addr) { + return true; + } + } + return false; +} + +static void load_psw_check(SecureIplCompAddrRange *comp_addr_range, int addr_range_index, + uint64_t sclab_load_psw, uint64_t load_psw, + IplDeviceComponentList *comps, int comp_index, + void (*print_func)(bool, const char *)) +{ + bool is_valid; + bool is_matched; + + is_valid = is_psw_valid(sclab_load_psw, comp_addr_range, addr_range_index) && + is_psw_valid(load_psw, comp_addr_range, addr_range_index); + if (!is_valid) { + comps->device_entries[comp_index].cei |= S390_IPL_COMPONENT_CEI_INVALID_LOAD_PSW; + print_func(is_valid, "Invalid PSW"); + } + + is_matched = load_psw == sclab_load_psw; + if (!is_matched) { + comps->device_entries[comp_index].cei |= + S390_IPL_COMPONENT_CEI_UNMATCHED_SCLAB_LOAD_PSW; + print_func(is_matched, "Load PSW does not match with PSW in component"); + } +} + int get_vcssb(VerificationCertificateStorageSizeBlock *vcssb) { int rc; @@ -833,6 +1034,12 @@ static bool secure_ipl_supported(void) return false; } + if (!sclp_is_sclaf_on()) { + puts("Secure IPL Code Loading Attributes Facility is not supported by" \ + " the hypervisor!"); + return false; + } + return true; } @@ -899,6 +1106,39 @@ static int perform_sig_verf(uint64_t comp_addr, uint64_t comp_len, uint64_t sig_ return 0; } +static void check_unsigned_comp(uint64_t comp_addr, struct IplDeviceComponentList *comps, + int comp_index, int cert_index, uint64_t comp_len, + void (*print_func)(bool, const char *)) +{ + unsigned_addr_check(comp_addr, comps, comp_index, print_func); + + comp_list_add(comps, comp_index, cert_index, comp_addr, comp_len, 0x00); +} + +static void check_sclab(uint64_t comp_addr, struct IplDeviceComponentList *comps, + uint64_t comp_len, int comp_index, int *sclab_count, + uint64_t *sclab_load_psw, int *global_sclab_count, + void (*print_func)(bool, const char *)) +{ + SclabOriginLocator *sclab_locator; + SecureCodeLoadingAttributesBlock *sclab; + + sclab_locator = (SclabOriginLocator *)(comp_addr + comp_len - 8); + valid_sclab_check(sclab_locator, comps, comp_index, print_func); + + if ((comps->device_entries[comp_index].cei & + S390_IPL_COMPONENT_CEI_INVALID_SCLAB) == 0) { + *sclab_count += 1; + sclab = (SecureCodeLoadingAttributesBlock *)(comp_addr + comp_len - + sclab_locator->len); + + sclab_format_check(sclab, comps, comp_index, print_func); + sclab_opsw_check(sclab, global_sclab_count, sclab_load_psw, + comps, comp_index, print_func); + sclab_ola_check(sclab, comp_addr, comps, comp_index, print_func); + } +} + static int zipl_run_secure(ComponentEntry *entry, uint8_t *tmp_sec) { bool found_signature = false; @@ -916,6 +1156,13 @@ static int zipl_run_secure(ComponentEntry *entry, uint8_t *tmp_sec) */ uint64_t *cert_table[MAX_CERTIFICATES]; + int sclab_count = 0; + int global_sclab_count = 0; + uint64_t sclab_load_psw = 0; + + SecureIplCompAddrRange comp_addr_range[MAX_CERTIFICATES]; + int addr_range_index = 0; + void (*print_func)(bool, const char *) = NULL; print_func = &IPL_check; @@ -939,8 +1186,19 @@ static int zipl_run_secure(ComponentEntry *entry, uint8_t *tmp_sec) if (comp_len < 0) { return -1; } + addr_overlap_check(comp_addr_range, &addr_range_index, + entry->compdat.load_addr, + entry->compdat.load_addr + comp_len, valid_sig, + print_func); + + if (!valid_sig) { + check_unsigned_comp(entry->compdat.load_addr, &comps, comp_index, + cert_index, comp_len, print_func); + } else { + check_sclab(entry->compdat.load_addr, &comps, comp_len, comp_index, + &sclab_count, &sclab_load_psw, &global_sclab_count, + print_func); - if (valid_sig) { perform_sig_verf(entry->compdat.load_addr, comp_len, sig_len, cert_table, &cert, &comps, &certs, comp_index, cert_index, print_func); @@ -970,8 +1228,29 @@ static int zipl_run_secure(ComponentEntry *entry, uint8_t *tmp_sec) return -EINVAL; } + if (sclab_count == 0) { + comps.ipl_info_header.iiei |= S390_IPL_INFO_IIEI_NO_SCLAB; + print_func(false, "No recognizable SCLAB"); + } + if (!found_signature) { + comps.ipl_info_header.iiei |= S390_IPL_INFO_IIEI_NO_SIGED_COMP; print_func(found_signature, "Secure boot is on, but components are not signed"); + } else { + /* Verify PSW from the final component entry with PSW from the global SCLAB. */ + if ((comps.ipl_info_header.iiei & S390_IPL_INFO_IIEI_NO_SCLAB) == 0) { + if (global_sclab_count == 0) { + comps.ipl_info_header.iiei |= S390_IPL_INFO_IIEI_NO_GLOBAL_SCLAB; + print_func(false, "Global SCLAB does not exists"); + } else if (global_sclab_count == 1 && sclab_load_psw) { + load_psw_check(comp_addr_range, addr_range_index, + sclab_load_psw, entry->compdat.load_psw, + &comps, comp_index, print_func); + } else { + /* Program will only reach here in audit mode */ + puts("Multiple global SCLABs"); + } + } } if (update_iirb(&comps, &certs)) { diff --git a/pc-bios/s390-ccw/iplb.h b/pc-bios/s390-ccw/iplb.h index 8d9fdde30a..42a9e081fe 100644 --- a/pc-bios/s390-ccw/iplb.h +++ b/pc-bios/s390-ccw/iplb.h @@ -35,11 +35,17 @@ struct IplInfoReportBlockHeader { } __attribute__ ((packed)); typedef struct IplInfoReportBlockHeader IplInfoReportBlockHeader; +#define S390_IPL_INFO_IIEI_NO_SIGED_COMP 0x8000 /* bit 0 */ +#define S390_IPL_INFO_IIEI_NO_SCLAB 0x4000 /* bit 1 */ +#define S390_IPL_INFO_IIEI_NO_GLOBAL_SCLAB 0x2000 /* bit 2 */ +#define S390_IPL_INFO_IIEI_MORE_GLOBAL_SCLAB 0x1000 /* bit 3 */ + struct IplInfoBlockHeader { uint32_t len; uint8_t ibt; uint8_t reserved1[3]; - uint8_t reserved2[8]; + uint16_t iiei; + uint8_t reserved2[6]; } __attribute__ ((packed)); typedef struct IplInfoBlockHeader IplInfoBlockHeader; @@ -63,13 +69,25 @@ typedef struct IplSignatureCertificateList IplSignatureCertificateList; #define S390_IPL_COMPONENT_FLAG_SC 0x80 #define S390_IPL_COMPONENT_FLAG_CSV 0x40 +#define S390_IPL_COMPONENT_CEI_INVALID_SCLAB 0x80000000 /* bit 0 */ +#define S390_IPL_COMPONENT_CEI_INVALID_SCLAB_LEN 0x40000000 /* bit 1 */ +#define S390_IPL_COMPONENT_CEI_INVALID_SCLAB_FORMAT 0x20000000 /* bit 2 */ +#define S390_IPL_COMPONENT_CEI_UNMATCHED_SCLAB_LOAD_ADDR 0x10000000 /* bit 3 */ +#define S390_IPL_COMPONENT_CEI_UNMATCHED_SCLAB_LOAD_PSW 0x8000000 /* bit 4 */ +#define S390_IPL_COMPONENT_CEI_INVALID_LOAD_PSW 0x4000000 /* bit 5 */ +#define S390_IPL_COMPONENT_CEI_SCLAB_OLA_NOT_ONE 0x1000000 /* bit 7 */ +#define S390_IPL_COMPONENT_CEI_SCLAB_LOAD_ADDR_NOT_ZERO 0x400000 /* bit 9 */ +#define S390_IPL_COMPONENT_CEI_SCLAB_LOAD_PSW_NOT_ZERO 0x200000 /* bit 10 */ +#define S390_IPL_COMPONENT_CEI_INVALID_UNSIGNED_ADDR 0x100000 /* bit 11 */ + struct IplDeviceComponentEntry { uint64_t addr; uint64_t len; uint8_t flags; uint8_t reserved1[5]; uint16_t cert_index; - uint8_t reserved2[8]; + uint32_t cei; + uint8_t reserved2[4]; } __attribute__ ((packed)); typedef struct IplDeviceComponentEntry IplDeviceComponentEntry; @@ -96,6 +114,27 @@ typedef struct IplBlocks IplBlocks; extern IplBlocks ipl_data __attribute__((__aligned__(PAGE_SIZE))); +#define S390_IPL_SCLAB_FLAG_OPSW 0x8000 +#define S390_IPL_SCLAB_FLAG_OLA 0x4000 + +struct SecureCodeLoadingAttributesBlock { + uint8_t format; + uint8_t reserved1; + uint16_t flags; + uint8_t reserved2[4]; + uint64_t load_psw; + uint64_t load_addr; + uint64_t reserved3[]; +} __attribute__ ((packed)); +typedef struct SecureCodeLoadingAttributesBlock SecureCodeLoadingAttributesBlock; + +struct SclabOriginLocator { + uint8_t reserved[2]; + uint16_t len; + uint8_t magic[4]; +} __attribute__ ((packed)); +typedef struct SclabOriginLocator SclabOriginLocator; + #define S390_IPL_TYPE_FCP 0x00 #define S390_IPL_TYPE_CCW 0x02 #define S390_IPL_TYPE_QEMU_SCSI 0xff diff --git a/pc-bios/s390-ccw/s390-ccw.h b/pc-bios/s390-ccw/s390-ccw.h index 68ffbf7bc8..20d6827a4c 100644 --- a/pc-bios/s390-ccw/s390-ccw.h +++ b/pc-bios/s390-ccw/s390-ccw.h @@ -69,6 +69,7 @@ void sclp_setup(void); void sclp_get_loadparm_ascii(char *loadparm); bool sclp_is_diag320_on(void); bool sclp_is_sipl_on(void); +bool sclp_is_sclaf_on(void); int sclp_read(char *str, size_t count); /* virtio.c */ diff --git a/pc-bios/s390-ccw/sclp.c b/pc-bios/s390-ccw/sclp.c index fd25c83387..ffdcdd7b16 100644 --- a/pc-bios/s390-ccw/sclp.c +++ b/pc-bios/s390-ccw/sclp.c @@ -156,6 +156,14 @@ bool sclp_is_sipl_on(void) return cbl & SCCB_CBL_SIPL_BIT; } +bool sclp_is_sclaf_on(void) +{ + uint16_t cbl = 0; + + sclp_get_cbl(&cbl); + return cbl & SCCB_CBL_SCLAF_BIT; +} + int sclp_read(char *str, size_t count) { ReadEventData *sccb = (void *)_sccb; diff --git a/pc-bios/s390-ccw/sclp.h b/pc-bios/s390-ccw/sclp.h index de4141cb86..ad34fac20d 100644 --- a/pc-bios/s390-ccw/sclp.h +++ b/pc-bios/s390-ccw/sclp.h @@ -52,6 +52,7 @@ typedef struct SCCBHeader { #define SCCB_DATA_LEN (SCCB_SIZE - sizeof(SCCBHeader)) #define SCCB_FAC134_DIAG320_BIT 0x4 #define SCCB_CBL_SIPL_BIT 0x4000 +#define SCCB_CBL_SCLAF_BIT 0x1000 typedef struct ReadInfo { SCCBHeader h; From patchwork Tue Apr 8 15:55:22 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Zhuoying Cai X-Patchwork-Id: 14043350 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 20F1FC369A2 for ; Tue, 8 Apr 2025 16:18:09 +0000 (UTC) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1u2Be2-0006sF-AX; Tue, 08 Apr 2025 12:17:50 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1u2BJ5-0005cX-OP; Tue, 08 Apr 2025 11:56:15 -0400 Received: from mx0a-001b2d01.pphosted.com ([148.163.156.1]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1u2BJ3-0005yE-E4; Tue, 08 Apr 2025 11:56:11 -0400 Received: from pps.filterd (m0360083.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 538CU1qJ028772; Tue, 8 Apr 2025 15:56:05 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ibm.com; h=cc :content-transfer-encoding:date:from:in-reply-to:message-id :mime-version:references:subject:to; s=pp1; bh=BMii2g6Cq3KmZHIyc lvKVLChZ9pjMlONviN6FnGkQ4A=; b=VIt1guAiK+q8jlIQDYAo5XqB7e9CajlB9 0X06Mcemmmmpm34EPwtY95tCPeW3ECiaWvTDBi1V5AbBJpGvZRJQ5lrr7dIwMx6x Ou70/4jfKbIcsUhc1b5qKmr/BFCOf4Zqco8PIXXb5KaQ/m1daOMM/yq5NRnUMObq wSw0S53C5ijouEPfzo1R9zLEyPz76wfCgt5PArw60+WzkSe1ITI9SOF3KDpSMMKF IYkFH8rulqR2lCo8f7/gQYBYMQ2knmZ9/DJqz5mlLIz3SpLobDbkH2oE76/mljxY wtc2fepnp4QFugV3CkqLwICzukCuMVhh5bS4r+hIvpHqqYjfg9Dww== Received: from ppma23.wdc07v.mail.ibm.com (5d.69.3da9.ip4.static.sl-reverse.com [169.61.105.93]) by mx0a-001b2d01.pphosted.com (PPS) with ESMTPS id 45vv6a3anr-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 08 Apr 2025 15:56:05 +0000 (GMT) Received: from pps.filterd (ppma23.wdc07v.mail.ibm.com [127.0.0.1]) by ppma23.wdc07v.mail.ibm.com (8.18.1.2/8.18.1.2) with ESMTP id 538CmdpV025510; Tue, 8 Apr 2025 15:56:04 GMT Received: from smtprelay02.dal12v.mail.ibm.com ([172.16.1.4]) by ppma23.wdc07v.mail.ibm.com (PPS) with ESMTPS id 45ugbku9wa-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 08 Apr 2025 15:56:04 +0000 Received: from smtpav06.wdc07v.mail.ibm.com (smtpav06.wdc07v.mail.ibm.com [10.39.53.233]) by smtprelay02.dal12v.mail.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id 538Fu21g24707620 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Tue, 8 Apr 2025 15:56:03 GMT Received: from smtpav06.wdc07v.mail.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 991F55803F; Tue, 8 Apr 2025 15:56:02 +0000 (GMT) Received: from smtpav06.wdc07v.mail.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 2A5535804E; Tue, 8 Apr 2025 15:56:01 +0000 (GMT) Received: from fedora-workstation.ibmuc.com (unknown [9.61.125.94]) by smtpav06.wdc07v.mail.ibm.com (Postfix) with ESMTP; Tue, 8 Apr 2025 15:56:01 +0000 (GMT) From: Zhuoying Cai To: thuth@redhat.com, richard.henderson@linaro.org, david@redhat.com, pbonzini@redhat.com Cc: walling@linux.ibm.com, jjherne@linux.ibm.com, jrossi@linux.ibm.com, fiuczy@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, iii@linux.ibm.com, qemu-s390x@nongnu.org, qemu-devel@nongnu.org, zycai@linux.ibm.com Subject: [PATCH v1 20/24] Add -secure-boot on|off option in QEMU command line Date: Tue, 8 Apr 2025 11:55:22 -0400 Message-ID: <20250408155527.123341-21-zycai@linux.ibm.com> X-Mailer: git-send-email 2.49.0 In-Reply-To: <20250408155527.123341-1-zycai@linux.ibm.com> References: <20250408155527.123341-1-zycai@linux.ibm.com> MIME-Version: 1.0 X-TM-AS-GCONF: 00 X-Proofpoint-ORIG-GUID: uB0I5S0lc6S-jLho_xvrLrCy5tpqPub1 X-Proofpoint-GUID: uB0I5S0lc6S-jLho_xvrLrCy5tpqPub1 X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1095,Hydra:6.0.680,FMLib:17.12.68.34 definitions=2025-04-08_06,2025-04-08_03,2024-11-22_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 malwarescore=0 phishscore=0 lowpriorityscore=0 spamscore=0 priorityscore=1501 adultscore=0 clxscore=1015 suspectscore=0 bulkscore=0 mlxlogscore=741 mlxscore=0 impostorscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.19.0-2502280000 definitions=main-2504080107 Received-SPF: pass client-ip=148.163.156.1; envelope-from=zycai@linux.ibm.com; helo=mx0a-001b2d01.pphosted.com X-Spam_score_int: -26 X-Spam_score: -2.7 X-Spam_bar: -- X-Spam_report: (-2.7 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=0.001, RCVD_IN_VALIDITY_CERTIFIED_BLOCKED=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-Mailman-Approved-At: Tue, 08 Apr 2025 12:17:35 -0400 X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org Sender: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org The `-secure-boot on|off` command line option is implemented to enable secure IPL. By default, -secure-boot is set to false if not specified in the command line. Signed-off-by: Zhuoying Cai --- qemu-options.hx | 8 ++++++++ system/vl.c | 21 +++++++++++++++++++++ 2 files changed, 29 insertions(+) diff --git a/qemu-options.hx b/qemu-options.hx index b460c63490..02d2f4d513 100644 --- a/qemu-options.hx +++ b/qemu-options.hx @@ -1262,6 +1262,14 @@ SRST A colon may be used to delineate multiple paths. ERST +DEF("secure-boot", HAS_ARG, QEMU_OPTION_secure_boot, + "-secure-boot on|off\n" + " enable/disable secure boot\n", QEMU_ARCH_S390X) +SRST +``-secure-boot on|off`` + Enable/disable secure boot. Default is off. +ERST + DEFHEADING() DEFHEADING(Block device options:) diff --git a/system/vl.c b/system/vl.c index bd6197c887..5bdc35516c 100644 --- a/system/vl.c +++ b/system/vl.c @@ -524,6 +524,19 @@ static QemuOptsList qemu_boot_certificates_opts = { }, }; +static QemuOptsList qemu_secure_boot_opts = { + .name = "secure-boot", + .implied_opt_name = "secure-boot", + .head = QTAILQ_HEAD_INITIALIZER(qemu_secure_boot_opts.head), + .desc = { + { + .name = "secure-boot", + .type = QEMU_OPT_BOOL, + }, + { /* end of list */ } + }, +}; + const char *qemu_get_vm_name(void) { return qemu_name; @@ -2894,6 +2907,7 @@ void qemu_init(int argc, char **argv) qemu_add_opts(&qemu_fw_cfg_opts); qemu_add_opts(&qemu_action_opts); qemu_add_opts(&qemu_boot_certificates_opts); + qemu_add_opts(&qemu_secure_boot_opts); qemu_add_run_with_opts(); module_call_init(MODULE_INIT_OPTS); @@ -3046,6 +3060,13 @@ void qemu_init(int argc, char **argv) exit(1); } break; + case QEMU_OPTION_secure_boot: + opts = qemu_opts_parse_noisily(qemu_find_opts("secure-boot"), + optarg, true); + if (!opts) { + exit(1); + } + break; case QEMU_OPTION_fda: case QEMU_OPTION_fdb: drive_add(IF_FLOPPY, popt->index - QEMU_OPTION_fda, From patchwork Tue Apr 8 15:55:23 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Zhuoying Cai X-Patchwork-Id: 14043361 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 30A70C369A2 for ; Tue, 8 Apr 2025 16:19:13 +0000 (UTC) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1u2Bed-000727-JI; Tue, 08 Apr 2025 12:18:29 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1u2BJ6-0005cY-Ez; Tue, 08 Apr 2025 11:56:16 -0400 Received: from mx0a-001b2d01.pphosted.com ([148.163.156.1]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1u2BJ3-0005yR-Ho; Tue, 08 Apr 2025 11:56:11 -0400 Received: from pps.filterd (m0353729.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 538CSAEe017862; Tue, 8 Apr 2025 15:56:07 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ibm.com; h=cc :content-transfer-encoding:date:from:in-reply-to:message-id :mime-version:references:subject:to; s=pp1; bh=Vv4ZWz/KaE83+/bV3 EfwYr3GhTt2+uRc0tzY/s2PUlg=; b=c/rmvCTNpWbg8psuXH8I9FWSU3+ZzB5Ua NWb2vxekyNC0L2OBtERLFfDdmaVIbGZoQCStppHzMZCYzfgZXyK0I8qsHbMVreIf tkM7V5A0vqLZVGp1WoDDHKc+MqvdQ2PKaZ8d/oloi0ncSk9K6fLaoSWuXkymD35a 0Hsu3m0EvkQ6Volry5FeaP2wQFmFFp8sEqTO4/Xsp1zItP+jPXCO32vqolYx/KnN Qn5wX3aPM2rbgHgdiFixqBOwqnCLXYGY/IoGkFCRlSZdAQ9vs0Ul7RB4amcHQ/+n PYpELTWnXllzlX6wrF2jXEtiL5tewyErOxxJ3Ytvx6gihhUit690Q== Received: from ppma23.wdc07v.mail.ibm.com (5d.69.3da9.ip4.static.sl-reverse.com [169.61.105.93]) by mx0a-001b2d01.pphosted.com (PPS) with ESMTPS id 45w3u3126j-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 08 Apr 2025 15:56:07 +0000 (GMT) Received: from pps.filterd (ppma23.wdc07v.mail.ibm.com [127.0.0.1]) by ppma23.wdc07v.mail.ibm.com (8.18.1.2/8.18.1.2) with ESMTP id 538CvAsn025537; Tue, 8 Apr 2025 15:56:05 GMT Received: from smtprelay04.dal12v.mail.ibm.com ([172.16.1.6]) by ppma23.wdc07v.mail.ibm.com (PPS) with ESMTPS id 45ugbku9wc-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 08 Apr 2025 15:56:05 +0000 Received: from smtpav06.wdc07v.mail.ibm.com (smtpav06.wdc07v.mail.ibm.com [10.39.53.233]) by smtprelay04.dal12v.mail.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id 538Fu4GM29164272 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Tue, 8 Apr 2025 15:56:04 GMT Received: from smtpav06.wdc07v.mail.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 5242E58056; Tue, 8 Apr 2025 15:56:04 +0000 (GMT) Received: from smtpav06.wdc07v.mail.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id C2FE858055; Tue, 8 Apr 2025 15:56:02 +0000 (GMT) Received: from fedora-workstation.ibmuc.com (unknown [9.61.125.94]) by smtpav06.wdc07v.mail.ibm.com (Postfix) with ESMTP; Tue, 8 Apr 2025 15:56:02 +0000 (GMT) From: Zhuoying Cai To: thuth@redhat.com, richard.henderson@linaro.org, david@redhat.com, pbonzini@redhat.com Cc: walling@linux.ibm.com, jjherne@linux.ibm.com, jrossi@linux.ibm.com, fiuczy@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, iii@linux.ibm.com, qemu-s390x@nongnu.org, qemu-devel@nongnu.org, zycai@linux.ibm.com Subject: [PATCH v1 21/24] hw/s390x/ipl: Set IPIB flags for secure IPL Date: Tue, 8 Apr 2025 11:55:23 -0400 Message-ID: <20250408155527.123341-22-zycai@linux.ibm.com> X-Mailer: git-send-email 2.49.0 In-Reply-To: <20250408155527.123341-1-zycai@linux.ibm.com> References: <20250408155527.123341-1-zycai@linux.ibm.com> MIME-Version: 1.0 X-TM-AS-GCONF: 00 X-Proofpoint-GUID: x-8e6yt6Mk2YUVpZU1H0ktCuCmu4FQMD X-Proofpoint-ORIG-GUID: x-8e6yt6Mk2YUVpZU1H0ktCuCmu4FQMD X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1095,Hydra:6.0.680,FMLib:17.12.68.34 definitions=2025-04-08_06,2025-04-08_03,2024-11-22_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 lowpriorityscore=0 spamscore=0 adultscore=0 suspectscore=0 mlxlogscore=728 bulkscore=0 clxscore=1015 malwarescore=0 mlxscore=0 priorityscore=1501 phishscore=0 impostorscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.19.0-2502280000 definitions=main-2504080107 Received-SPF: pass client-ip=148.163.156.1; envelope-from=zycai@linux.ibm.com; helo=mx0a-001b2d01.pphosted.com X-Spam_score_int: -26 X-Spam_score: -2.7 X-Spam_bar: -- X-Spam_report: (-2.7 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=0.001, RCVD_IN_VALIDITY_CERTIFIED_BLOCKED=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-Mailman-Approved-At: Tue, 08 Apr 2025 12:17:35 -0400 X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org Sender: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org If `-secure-boot on` is specified on the command line option, indicating true secure IPL enabled, set Secure-IPL bit and IPL-Information-Report bit on in IPIB Flags field, and trigger true secure IPL in the S390 BIOS. Any error that occurs during true secure IPL will cause the IPL to terminate. Signed-off-by: Zhuoying Cai --- hw/s390x/ipl.c | 22 +++++++++++++++++++++- 1 file changed, 21 insertions(+), 1 deletion(-) diff --git a/hw/s390x/ipl.c b/hw/s390x/ipl.c index b646fcc74e..60bafcbd2e 100644 --- a/hw/s390x/ipl.c +++ b/hw/s390x/ipl.c @@ -438,6 +438,15 @@ static bool s390_has_certificate(void) return ipl->cert_store.count > 0; } +static bool s390_secure_boot_enabled(void) +{ + QemuOpts *opts; + + opts = qemu_find_opts_singleton("secure-boot"); + + return qemu_opt_get_bool(opts, "secure-boot", false); +} + static bool s390_build_iplb(DeviceState *dev_st, IplParameterBlock *iplb) { CcwDevice *ccw_dev = NULL; @@ -495,6 +504,17 @@ static bool s390_build_iplb(DeviceState *dev_st, IplParameterBlock *iplb) s390_ipl_convert_loadparm((char *)lp, iplb->loadparm); iplb->flags |= DIAG308_FLAGS_LP_VALID; + /* + * If -secure-boot on, then toggle the secure IPL flags to trigger + * secure boot in the s390 BIOS. + * + * Boot process will terminate if any error occurs during secure boot. + * + * If SIPL is on, IPLIR must also be on. + */ + if (s390_secure_boot_enabled()) { + iplb->hdr_flags |= (DIAG308_IPIB_FLAGS_SIPL | DIAG308_IPIB_FLAGS_IPLIR); + } /* * Secure boot in audit mode will perform * if certificate(s) exist in the key store. @@ -504,7 +524,7 @@ static bool s390_build_iplb(DeviceState *dev_st, IplParameterBlock *iplb) * * Results of secure boot will be stored in IIRB. */ - if (s390_has_certificate()) { + else if (s390_has_certificate()) { iplb->hdr_flags |= DIAG308_IPIB_FLAGS_IPLIR; } From patchwork Tue Apr 8 15:55:24 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Zhuoying Cai X-Patchwork-Id: 14043353 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 8D597C369A4 for ; Tue, 8 Apr 2025 16:18:34 +0000 (UTC) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1u2Bdu-0006pa-Kp; Tue, 08 Apr 2025 12:17:42 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1u2BJ9-0005dR-B5; Tue, 08 Apr 2025 11:56:19 -0400 Received: from mx0a-001b2d01.pphosted.com ([148.163.156.1]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1u2BJ5-0005yv-AQ; Tue, 08 Apr 2025 11:56:13 -0400 Received: from pps.filterd (m0360083.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 538CRbeT029640; Tue, 8 Apr 2025 15:56:09 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ibm.com; h=cc :content-transfer-encoding:date:from:in-reply-to:message-id :mime-version:references:subject:to; s=pp1; bh=aP70PiCRGh8Szwjr6 XxBcB7QN57iBHEy4Hyed5JBrLc=; b=sSjsJh2nUDME0Dg1Bl/fs25/uR68oOn10 e8c81o/WtXxsYL0iEGIUNZLO/nPX9X86huAvxoLHizpqkMQ5YG+cDSBM+FA6+lHN qnuh7vgWaUoKWz3PH+bnAXjM/l63Ll/gss6j1ZL4Aidi0CYRhDDBZuSQmz7bCzfd YTG4LC6HYjrnO7itTrWRyxwR+qYB7LNoalugwch7JS9E2wder3/QRoUt5jK5+4w8 CMKfojR3O7M+E3YvVdqig4xSzGCfKmkT4pbmbt8kmScZk7oHvRFRKWLvrldM66aK vbkl6FGebTkk3NeRg/nRwjBmESnDieEuBM3S8phVM4nnqaswPoGMQ== Received: from ppma12.dal12v.mail.ibm.com (dc.9e.1632.ip4.static.sl-reverse.com [50.22.158.220]) by mx0a-001b2d01.pphosted.com (PPS) with ESMTPS id 45vv6a3any-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 08 Apr 2025 15:56:08 +0000 (GMT) Received: from pps.filterd (ppma12.dal12v.mail.ibm.com [127.0.0.1]) by ppma12.dal12v.mail.ibm.com (8.18.1.2/8.18.1.2) with ESMTP id 538FMZYA024577; Tue, 8 Apr 2025 15:56:07 GMT Received: from smtprelay06.dal12v.mail.ibm.com ([172.16.1.8]) by ppma12.dal12v.mail.ibm.com (PPS) with ESMTPS id 45ueutbjkc-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 08 Apr 2025 15:56:07 +0000 Received: from smtpav06.wdc07v.mail.ibm.com (smtpav06.wdc07v.mail.ibm.com [10.39.53.233]) by smtprelay06.dal12v.mail.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id 538Fu6Vx26739224 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Tue, 8 Apr 2025 15:56:06 GMT Received: from smtpav06.wdc07v.mail.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 0D2BA58055; Tue, 8 Apr 2025 15:56:06 +0000 (GMT) Received: from smtpav06.wdc07v.mail.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 7BFE45804E; Tue, 8 Apr 2025 15:56:04 +0000 (GMT) Received: from fedora-workstation.ibmuc.com (unknown [9.61.125.94]) by smtpav06.wdc07v.mail.ibm.com (Postfix) with ESMTP; Tue, 8 Apr 2025 15:56:04 +0000 (GMT) From: Zhuoying Cai To: thuth@redhat.com, richard.henderson@linaro.org, david@redhat.com, pbonzini@redhat.com Cc: walling@linux.ibm.com, jjherne@linux.ibm.com, jrossi@linux.ibm.com, fiuczy@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, iii@linux.ibm.com, qemu-s390x@nongnu.org, qemu-devel@nongnu.org, zycai@linux.ibm.com Subject: [PATCH v1 22/24] pc-bios/s390-ccw: Handle true secure IPL mode Date: Tue, 8 Apr 2025 11:55:24 -0400 Message-ID: <20250408155527.123341-23-zycai@linux.ibm.com> X-Mailer: git-send-email 2.49.0 In-Reply-To: <20250408155527.123341-1-zycai@linux.ibm.com> References: <20250408155527.123341-1-zycai@linux.ibm.com> MIME-Version: 1.0 X-TM-AS-GCONF: 00 X-Proofpoint-ORIG-GUID: 4qsuOZz3UhsVt2wvCA-JFfmrv2cS994X X-Proofpoint-GUID: 4qsuOZz3UhsVt2wvCA-JFfmrv2cS994X X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1095,Hydra:6.0.680,FMLib:17.12.68.34 definitions=2025-04-08_06,2025-04-08_03,2024-11-22_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 malwarescore=0 phishscore=0 lowpriorityscore=0 spamscore=0 priorityscore=1501 adultscore=0 clxscore=1015 suspectscore=0 bulkscore=0 mlxlogscore=999 mlxscore=0 impostorscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.19.0-2502280000 definitions=main-2504080107 Received-SPF: pass client-ip=148.163.156.1; envelope-from=zycai@linux.ibm.com; helo=mx0a-001b2d01.pphosted.com X-Spam_score_int: -26 X-Spam_score: -2.7 X-Spam_bar: -- X-Spam_report: (-2.7 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=0.001, RCVD_IN_VALIDITY_CERTIFIED_BLOCKED=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-Mailman-Approved-At: Tue, 08 Apr 2025 12:17:35 -0400 X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org Sender: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org When secure boot is enabled (-secure-boot on) and certificate(s) are provided, the boot operates in True Secure IPL mode. Any verification error during True Secure IPL mode will cause the entire boot process to terminate. Secure IPL in audit mode requires at least one certificate provided in the key store along with necessary facilities. If secure boot is enabled but no certificate is provided, the boot process will also terminate, as this is not a valid secure boot configuration. Note: True Secure IPL mode is implemented for the SCSI scheme of virtio-blk/virtio-scsi devices. Signed-off-by: Zhuoying Cai --- pc-bios/s390-ccw/bootmap.c | 25 ++++++++++++++++++++----- pc-bios/s390-ccw/iplb.h | 7 +++++++ pc-bios/s390-ccw/main.c | 6 +++++- pc-bios/s390-ccw/s390-ccw.h | 2 ++ 4 files changed, 34 insertions(+), 6 deletions(-) diff --git a/pc-bios/s390-ccw/bootmap.c b/pc-bios/s390-ccw/bootmap.c index 4bc6311802..a22061e1ad 100644 --- a/pc-bios/s390-ccw/bootmap.c +++ b/pc-bios/s390-ccw/bootmap.c @@ -757,6 +757,10 @@ static void valid_sclab_check(SclabOriginLocator *sclab_locator, comps->device_entries[comp_index].cei |= S390_IPL_COMPONENT_CEI_INVALID_SCLAB; /* a missing SCLAB will not be reported in audit mode */ + if (boot_mode == ZIPL_SECURE_MODE) { + print_func(is_magic_match, "Magic is not matched. SCLAB does not exist"); + } + return; } @@ -1164,7 +1168,11 @@ static int zipl_run_secure(ComponentEntry *entry, uint8_t *tmp_sec) int addr_range_index = 0; void (*print_func)(bool, const char *) = NULL; - print_func = &IPL_check; + if (boot_mode == ZIPL_SECURE_MODE) { + print_func = &IPL_assert; + } else if (boot_mode == ZIPL_SECURE_AUDIT_MODE) { + print_func = &IPL_check; + } if (!secure_ipl_supported()) { return -1; @@ -1321,6 +1329,7 @@ static int zipl_run(ScsiBlockPtr *pte) entry = (ComponentEntry *)(&header[1]); switch (boot_mode) { + case ZIPL_SECURE_MODE: case ZIPL_SECURE_AUDIT_MODE: if (zipl_run_secure(entry, tmp_sec)) { return -1; @@ -1692,10 +1701,16 @@ static int zipl_load_vscsi(void) int zipl_mode(void) { uint32_t cert_len; + bool secure; cert_len = request_certificate((uint64_t *)certs_sec, 0); + secure = is_secure_boot_on(iplb->hdr_flags); - return (cert_len > 0) ? ZIPL_SECURE_AUDIT_MODE : ZIPL_NORMAL_MODE; + if (secure) { + return (cert_len > 0) ? ZIPL_SECURE_MODE : ZIPL_SECURE_INVALID_MODE; + } else { + return (cert_len > 0) ? ZIPL_SECURE_AUDIT_MODE : ZIPL_NORMAL_MODE; + } } void zipl_load(void) @@ -1703,7 +1718,7 @@ void zipl_load(void) VDev *vdev = virtio_get_device(); if (vdev->is_cdrom) { - if (boot_mode == ZIPL_SECURE_AUDIT_MODE) { + if (boot_mode == ZIPL_SECURE_AUDIT_MODE || boot_mode == ZIPL_SECURE_MODE) { panic("Secure boot from ISO image is not supported!"); } ipl_iso_el_torito(); @@ -1712,7 +1727,7 @@ void zipl_load(void) } if (virtio_get_device_type() == VIRTIO_ID_NET) { - if (boot_mode == ZIPL_SECURE_AUDIT_MODE) { + if (boot_mode == ZIPL_SECURE_AUDIT_MODE || boot_mode == ZIPL_SECURE_MODE) { panic("Virtio net boot device does not support secure boot!"); } netmain(); @@ -1725,7 +1740,7 @@ void zipl_load(void) return; } - if (boot_mode == ZIPL_SECURE_AUDIT_MODE) { + if (boot_mode == ZIPL_SECURE_AUDIT_MODE || boot_mode == ZIPL_SECURE_MODE) { panic("ECKD boot device does not support secure boot!"); } diff --git a/pc-bios/s390-ccw/iplb.h b/pc-bios/s390-ccw/iplb.h index 42a9e081fe..734d049f42 100644 --- a/pc-bios/s390-ccw/iplb.h +++ b/pc-bios/s390-ccw/iplb.h @@ -185,6 +185,13 @@ static inline bool load_next_iplb(void) return true; } +static inline bool is_secure_boot_on(uint8_t hdr_flags) +{ + /* If secure boot is on, SIPL bit and IPLIR bit must be on. */ + return (hdr_flags & DIAG308_IPIB_FLAGS_SIPL) && + (hdr_flags & DIAG308_IPIB_FLAGS_IPLIR); +} + static inline uint64_t diag320(void *data, unsigned long subcode) { register unsigned long addr asm("0") = (unsigned long)data; diff --git a/pc-bios/s390-ccw/main.c b/pc-bios/s390-ccw/main.c index 92004a6f82..6189a5a7ba 100644 --- a/pc-bios/s390-ccw/main.c +++ b/pc-bios/s390-ccw/main.c @@ -277,10 +277,14 @@ static void ipl_boot_device(void) boot_mode = zipl_mode(); } + if (boot_mode == ZIPL_SECURE_INVALID_MODE) { + panic("Need at least one certificate for secure boot!"); + } + switch (cutype) { case CU_TYPE_DASD_3990: case CU_TYPE_DASD_2107: - if (boot_mode == ZIPL_SECURE_AUDIT_MODE) { + if (boot_mode == ZIPL_SECURE_AUDIT_MODE || boot_mode == ZIPL_SECURE_MODE) { panic("Passthrough (vfio) device does not support secure boot!"); } diff --git a/pc-bios/s390-ccw/s390-ccw.h b/pc-bios/s390-ccw/s390-ccw.h index 20d6827a4c..e8ff3f7883 100644 --- a/pc-bios/s390-ccw/s390-ccw.h +++ b/pc-bios/s390-ccw/s390-ccw.h @@ -84,6 +84,8 @@ void zipl_load(void); #define ZIPL_NORMAL_MODE 1 #define ZIPL_SECURE_AUDIT_MODE 2 +#define ZIPL_SECURE_MODE 3 +#define ZIPL_SECURE_INVALID_MODE -1 int zipl_mode(void); From patchwork Tue Apr 8 15:55:25 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Zhuoying Cai X-Patchwork-Id: 14043384 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 5F88DC369A4 for ; Tue, 8 Apr 2025 16:25:43 +0000 (UTC) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1u2Bdv-0006q3-2N; Tue, 08 Apr 2025 12:17:43 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1u2BJC-0005ef-1a; Tue, 08 Apr 2025 11:56:20 -0400 Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1u2BJ6-0005z0-Fl; Tue, 08 Apr 2025 11:56:15 -0400 Received: from pps.filterd (m0360072.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 5386e1TO005729; Tue, 8 Apr 2025 15:56:10 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ibm.com; h=cc :content-transfer-encoding:date:from:in-reply-to:message-id :mime-version:references:subject:to; s=pp1; bh=HQ424chTjEYA8EDYR EM6fK9dPPCrR7m64a7UFpakGR4=; b=S33D1SRtLbp0EkNxSCD+yAVHKxmy3lR3e ibkcLmAIlPuK/I/qDCku78PfSSPjOye9l8xbJudnfxsmrI0szMOah1Fam05U0DRo mXSs4f/64QNJ5jkZBsf2nccGv5DO6ilsJfiNG73riSrJz9APK76MPJq9rsFxjLP4 nzqxd7KWN24Pd2t0cAR31d1jCEX/reL4bDMl9Yi7KoJ+tpS5bu53kV/vknKo9RZ5 FbCuFPBW+/5/fPDA/e8eBZ28qQpUVkiMtizXJTrM3O+TBQ7MjLzwshaq+8p8a/nB 0HcbZFZb84puS+eu1o32u4FeeNYDPZCxmC5ABaeVYVS3ug0EQ+fEA== Received: from ppma22.wdc07v.mail.ibm.com (5c.69.3da9.ip4.static.sl-reverse.com [169.61.105.92]) by mx0a-001b2d01.pphosted.com (PPS) with ESMTPS id 45vjvxnbuc-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 08 Apr 2025 15:56:09 +0000 (GMT) Received: from pps.filterd (ppma22.wdc07v.mail.ibm.com [127.0.0.1]) by ppma22.wdc07v.mail.ibm.com (8.18.1.2/8.18.1.2) with ESMTP id 538C9b6m011069; Tue, 8 Apr 2025 15:56:09 GMT Received: from smtprelay07.dal12v.mail.ibm.com ([172.16.1.9]) by ppma22.wdc07v.mail.ibm.com (PPS) with ESMTPS id 45uf7ykgqy-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 08 Apr 2025 15:56:09 +0000 Received: from smtpav06.wdc07v.mail.ibm.com (smtpav06.wdc07v.mail.ibm.com [10.39.53.233]) by smtprelay07.dal12v.mail.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id 538Fu7Fm65863982 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Tue, 8 Apr 2025 15:56:08 GMT Received: from smtpav06.wdc07v.mail.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id A87C05804E; Tue, 8 Apr 2025 15:56:07 +0000 (GMT) Received: from smtpav06.wdc07v.mail.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 3535E5803F; Tue, 8 Apr 2025 15:56:06 +0000 (GMT) Received: from fedora-workstation.ibmuc.com (unknown [9.61.125.94]) by smtpav06.wdc07v.mail.ibm.com (Postfix) with ESMTP; Tue, 8 Apr 2025 15:56:06 +0000 (GMT) From: Zhuoying Cai To: thuth@redhat.com, richard.henderson@linaro.org, david@redhat.com, pbonzini@redhat.com Cc: walling@linux.ibm.com, jjherne@linux.ibm.com, jrossi@linux.ibm.com, fiuczy@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, iii@linux.ibm.com, qemu-s390x@nongnu.org, qemu-devel@nongnu.org, zycai@linux.ibm.com Subject: [PATCH v1 23/24] pc-bios/s390-ccw: Handle secure boot with multiple boot devices Date: Tue, 8 Apr 2025 11:55:25 -0400 Message-ID: <20250408155527.123341-24-zycai@linux.ibm.com> X-Mailer: git-send-email 2.49.0 In-Reply-To: <20250408155527.123341-1-zycai@linux.ibm.com> References: <20250408155527.123341-1-zycai@linux.ibm.com> MIME-Version: 1.0 X-TM-AS-GCONF: 00 X-Proofpoint-ORIG-GUID: ruWR_n0fq3sDlW0dw6vbp6qfxL1zKNsH X-Proofpoint-GUID: ruWR_n0fq3sDlW0dw6vbp6qfxL1zKNsH X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1095,Hydra:6.0.680,FMLib:17.12.68.34 definitions=2025-04-08_06,2025-04-08_03,2024-11-22_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 phishscore=0 malwarescore=0 mlxscore=0 bulkscore=0 mlxlogscore=999 impostorscore=0 adultscore=0 priorityscore=1501 suspectscore=0 lowpriorityscore=0 clxscore=1015 spamscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.19.0-2502280000 definitions=main-2504080107 Received-SPF: pass client-ip=148.163.158.5; envelope-from=zycai@linux.ibm.com; helo=mx0b-001b2d01.pphosted.com X-Spam_score_int: -26 X-Spam_score: -2.7 X-Spam_bar: -- X-Spam_report: (-2.7 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H5=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_VALIDITY_CERTIFIED_BLOCKED=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-Mailman-Approved-At: Tue, 08 Apr 2025 12:17:35 -0400 X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org Sender: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org The current approach to enabling secure boot relies on providing -secure-boot and -boot-certificates options, which apply to all boot devices. With the possibility of multiple boot devices, secure boot expects all provided devices to be supported and eligible (e.g., virtio-blk/virtio-scsi using the SCSI scheme). If multiple boot devices are provided and include an unsupported (e.g., ECKD, VFIO) or a non-eligible (e.g., Net) device, the boot process will terminate with an error logged to the console. Signed-off-by: Zhuoying Cai --- pc-bios/s390-ccw/bootmap.c | 28 +++++++++----- pc-bios/s390-ccw/main.c | 74 ++++++++++++++++++++++++++++++++++--- pc-bios/s390-ccw/s390-ccw.h | 1 + 3 files changed, 88 insertions(+), 15 deletions(-) diff --git a/pc-bios/s390-ccw/bootmap.c b/pc-bios/s390-ccw/bootmap.c index a22061e1ad..285aae114f 100644 --- a/pc-bios/s390-ccw/bootmap.c +++ b/pc-bios/s390-ccw/bootmap.c @@ -1713,23 +1713,35 @@ int zipl_mode(void) } } +int zipl_check_scsi_mbr_magic(void) +{ + ScsiMbr *mbr = (void *)sec; + + /* Grab the MBR */ + memset(sec, FREE_SPACE_FILLER, sizeof(sec)); + if (virtio_read(0, mbr)) { + puts("Cannot read block 0"); + return -EIO; + } + + if (!magic_match(mbr->magic, ZIPL_MAGIC)) { + return -1; + } + + return 0; +} + void zipl_load(void) { VDev *vdev = virtio_get_device(); if (vdev->is_cdrom) { - if (boot_mode == ZIPL_SECURE_AUDIT_MODE || boot_mode == ZIPL_SECURE_MODE) { - panic("Secure boot from ISO image is not supported!"); - } ipl_iso_el_torito(); puts("Failed to IPL this ISO image!"); return; } if (virtio_get_device_type() == VIRTIO_ID_NET) { - if (boot_mode == ZIPL_SECURE_AUDIT_MODE || boot_mode == ZIPL_SECURE_MODE) { - panic("Virtio net boot device does not support secure boot!"); - } netmain(); puts("Failed to IPL from this network!"); return; @@ -1740,10 +1752,6 @@ void zipl_load(void) return; } - if (boot_mode == ZIPL_SECURE_AUDIT_MODE || boot_mode == ZIPL_SECURE_MODE) { - panic("ECKD boot device does not support secure boot!"); - } - switch (virtio_get_device_type()) { case VIRTIO_ID_BLOCK: zipl_load_vblk(); diff --git a/pc-bios/s390-ccw/main.c b/pc-bios/s390-ccw/main.c index 6189a5a7ba..30cb470ee4 100644 --- a/pc-bios/s390-ccw/main.c +++ b/pc-bios/s390-ccw/main.c @@ -271,8 +271,43 @@ static int virtio_setup(void) return ret; } -static void ipl_boot_device(void) +static void validate_secure_boot_device(void) +{ + switch (cutype) { + case CU_TYPE_DASD_3990: + case CU_TYPE_DASD_2107: + panic("Passthrough (vfio) device does not support secure boot!"); + break; + case CU_TYPE_VIRTIO: + if (virtio_setup() == 0) { + VDev *vdev = virtio_get_device(); + + if (vdev->is_cdrom) { + panic("Secure boot from ISO image is not supported!"); + } + + if (virtio_get_device_type() == VIRTIO_ID_NET) { + panic("Virtio net boot device does not support secure boot!"); + } + + if (zipl_check_scsi_mbr_magic()) { + panic("ECKD boot device does not support secure boot!"); + } + } + break; + default: + panic("Secure boot from unexpected device type is not supported!"); + } + + printf("SCSI boot device supports secure boot.\n"); +} + +static void check_secure_boot_support(void) { + bool have_iplb_copy; + IplParameterBlock *iplb_copy; + QemuIplParameters *qipl_copy; + if (boot_mode == 0) { boot_mode = zipl_mode(); } @@ -281,13 +316,40 @@ static void ipl_boot_device(void) panic("Need at least one certificate for secure boot!"); } + if (boot_mode == ZIPL_NORMAL_MODE) { + return; + } + + /* + * Store copies of have_iplb, iplb and qipl. + * They will be updated in load_next_iplb(). + */ + have_iplb_copy = have_iplb; + iplb_copy = malloc(sizeof(IplParameterBlock)); + qipl_copy = malloc(sizeof(QemuIplParameters)); + + memcpy(qipl_copy, &qipl, sizeof(QemuIplParameters)); + memcpy(iplb_copy, iplb, sizeof(IplParameterBlock)); + + while (have_iplb_copy) { + if (have_iplb_copy && find_boot_device()) { + validate_secure_boot_device(); + } + have_iplb_copy = load_next_iplb(); + } + + memcpy(&qipl, qipl_copy, sizeof(QemuIplParameters)); + memcpy(iplb, iplb_copy, sizeof(IplParameterBlock)); + + free(qipl_copy); + free(iplb_copy); +} + +static void ipl_boot_device(void) +{ switch (cutype) { case CU_TYPE_DASD_3990: case CU_TYPE_DASD_2107: - if (boot_mode == ZIPL_SECURE_AUDIT_MODE || boot_mode == ZIPL_SECURE_MODE) { - panic("Passthrough (vfio) device does not support secure boot!"); - } - dasd_ipl(blk_schid, cutype); break; case CU_TYPE_VIRTIO: @@ -337,6 +399,8 @@ void main(void) probe_boot_device(); } + check_secure_boot_support(); + while (have_iplb) { boot_setup(); if (have_iplb && find_boot_device()) { diff --git a/pc-bios/s390-ccw/s390-ccw.h b/pc-bios/s390-ccw/s390-ccw.h index e8ff3f7883..23b903b9ae 100644 --- a/pc-bios/s390-ccw/s390-ccw.h +++ b/pc-bios/s390-ccw/s390-ccw.h @@ -88,6 +88,7 @@ void zipl_load(void); #define ZIPL_SECURE_INVALID_MODE -1 int zipl_mode(void); +int zipl_check_scsi_mbr_magic(void); /* jump2ipl.c */ void write_reset_psw(uint64_t psw); From patchwork Tue Apr 8 15:55:26 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Zhuoying Cai X-Patchwork-Id: 14043360 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 08067C369A6 for ; Tue, 8 Apr 2025 16:19:03 +0000 (UTC) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1u2Bdx-0006r5-25; Tue, 08 Apr 2025 12:17:48 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1u2BJC-0005ek-Gs; Tue, 08 Apr 2025 11:56:19 -0400 Received: from mx0a-001b2d01.pphosted.com ([148.163.156.1]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1u2BJ9-0005zR-DB; Tue, 08 Apr 2025 11:56:18 -0400 Received: from pps.filterd (m0353729.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 538CSN2i018056; Tue, 8 Apr 2025 15:56:12 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ibm.com; h=cc :content-transfer-encoding:date:from:in-reply-to:message-id :mime-version:references:subject:to; s=pp1; bh=zzz7gnw6nIjzPxlCG mzjyu6YIbfQyXub9i3kCmT7jS4=; b=R+4oNYmhvVHR3/uKJE9tDSqlkzM/NnrRC lVh1yARMSuTj43b6tdHhcklkA1+mR/GPRBKtAIq5CavlgXBy5NQqYvFcAm03mDjB vLpN8GtRf3qaDryrl7Sp7kw17OtPXOaoCEhiWpS4IS8iNtGY3N/Fy2dwFNlQWiN2 i23PENHCYHTxvFk/lzTB9vfvNLH8DLS4q6bb17SzLNyjhT2qaSWpyNSNUac9oiYQ WpmXV9fZcJCpjkdu1Whq2P6wti/rGIliFzaXX5ZU006DR9L7LOSBvwPDKCghYSLc /ZwVb5/PF1IiUifT5ljMdSNJmwQW8uDJKCYhbCcCnDgxRsHCWRejA== Received: from ppma21.wdc07v.mail.ibm.com (5b.69.3da9.ip4.static.sl-reverse.com [169.61.105.91]) by mx0a-001b2d01.pphosted.com (PPS) with ESMTPS id 45w3u31275-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 08 Apr 2025 15:56:11 +0000 (GMT) Received: from pps.filterd (ppma21.wdc07v.mail.ibm.com [127.0.0.1]) by ppma21.wdc07v.mail.ibm.com (8.18.1.2/8.18.1.2) with ESMTP id 538CHhLw013823; Tue, 8 Apr 2025 15:56:10 GMT Received: from smtprelay02.wdc07v.mail.ibm.com ([172.16.1.69]) by ppma21.wdc07v.mail.ibm.com (PPS) with ESMTPS id 45ufunkbb7-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 08 Apr 2025 15:56:10 +0000 Received: from smtpav06.wdc07v.mail.ibm.com (smtpav06.wdc07v.mail.ibm.com [10.39.53.233]) by smtprelay02.wdc07v.mail.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id 538Fu9tr12059380 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Tue, 8 Apr 2025 15:56:09 GMT Received: from smtpav06.wdc07v.mail.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 520CD5804E; Tue, 8 Apr 2025 15:56:09 +0000 (GMT) Received: from smtpav06.wdc07v.mail.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id D2B535803F; Tue, 8 Apr 2025 15:56:07 +0000 (GMT) Received: from fedora-workstation.ibmuc.com (unknown [9.61.125.94]) by smtpav06.wdc07v.mail.ibm.com (Postfix) with ESMTP; Tue, 8 Apr 2025 15:56:07 +0000 (GMT) From: Zhuoying Cai To: thuth@redhat.com, richard.henderson@linaro.org, david@redhat.com, pbonzini@redhat.com Cc: walling@linux.ibm.com, jjherne@linux.ibm.com, jrossi@linux.ibm.com, fiuczy@linux.ibm.com, pasic@linux.ibm.com, borntraeger@linux.ibm.com, farman@linux.ibm.com, iii@linux.ibm.com, qemu-s390x@nongnu.org, qemu-devel@nongnu.org, zycai@linux.ibm.com Subject: [PATCH v1 24/24] hw/s390x/ipl: Handle secure boot without specifying a boot device Date: Tue, 8 Apr 2025 11:55:26 -0400 Message-ID: <20250408155527.123341-25-zycai@linux.ibm.com> X-Mailer: git-send-email 2.49.0 In-Reply-To: <20250408155527.123341-1-zycai@linux.ibm.com> References: <20250408155527.123341-1-zycai@linux.ibm.com> MIME-Version: 1.0 X-TM-AS-GCONF: 00 X-Proofpoint-GUID: lKsPhuqTnmov0OKqEtQsMrD-r3eBdOmr X-Proofpoint-ORIG-GUID: lKsPhuqTnmov0OKqEtQsMrD-r3eBdOmr X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1095,Hydra:6.0.680,FMLib:17.12.68.34 definitions=2025-04-08_06,2025-04-08_03,2024-11-22_01 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 lowpriorityscore=0 spamscore=0 adultscore=0 suspectscore=0 mlxlogscore=837 bulkscore=0 clxscore=1015 malwarescore=0 mlxscore=0 priorityscore=1501 phishscore=0 impostorscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.19.0-2502280000 definitions=main-2504080107 Received-SPF: pass client-ip=148.163.156.1; envelope-from=zycai@linux.ibm.com; helo=mx0a-001b2d01.pphosted.com X-Spam_score_int: -26 X-Spam_score: -2.7 X-Spam_bar: -- X-Spam_report: (-2.7 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=0.001, RCVD_IN_VALIDITY_CERTIFIED_BLOCKED=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-Mailman-Approved-At: Tue, 08 Apr 2025 12:17:35 -0400 X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org Sender: qemu-devel-bounces+qemu-devel=archiver.kernel.org@nongnu.org If secure boot in audit mode or True Secure IPL mode is enabled without specifying a boot device, the boot process will terminate with an error. Signed-off-by: Zhuoying Cai --- hw/s390x/ipl.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/hw/s390x/ipl.c b/hw/s390x/ipl.c index 60bafcbd2e..0510f16a7d 100644 --- a/hw/s390x/ipl.c +++ b/hw/s390x/ipl.c @@ -767,6 +767,16 @@ void s390_ipl_prepare_cpu(S390CPU *cpu) s390_ipl_create_cert_store(&ipl->cert_store); if (!ipl->iplb_valid) { ipl->iplb_valid = s390_init_all_iplbs(ipl); + + /* + * Secure IPL without specifying a boot device. + * IPLB is not generated if no boot device is defined. + */ + if ((s390_has_certificate() || s390_secure_boot_enabled()) && + !ipl->iplb_valid) { + error_report("No boot devicie defined for Secure IPL"); + exit(1); + } } else { ipl->qipl.chain_len = 0; }