On 30/09/2025 11.37, Daniel P. Berrangé wrote:
On Tue, Sep 30, 2025 at 11:34:23AM +0200, Thomas Huth wrote:
On 18/09/2025 01.21, Zhuoying Cai wrote:
Introduce a new `boot-certs` machine type option for the s390-ccw-virtio
machine. This allows users to specify one or more certificate file paths
or directories to be used during secure boot.

Each entry is specified using the syntax:
        boot-certs.<index>.path=/path/to/cert.pem

Multiple paths can be specified using array properties:
        boot-certs.0.path=/path/to/cert.pem,
        boot-certs.1.path=/path/to/cert-dir,
        boot-certs.2.path=/path/to/another-dir...

Signed-off-by: Zhuoying Cai <[email protected]>
---
   docs/system/s390x/secure-ipl.rst   | 21 +++++++++++++++++++++
   hw/s390x/s390-virtio-ccw.c         | 30 ++++++++++++++++++++++++++++++
   include/hw/s390x/s390-virtio-ccw.h |  2 ++
   qapi/machine-s390x.json            | 22 ++++++++++++++++++++++
   qapi/pragma.json                   |  1 +
   qemu-options.hx                    |  6 +++++-
   6 files changed, 81 insertions(+), 1 deletion(-)
   create mode 100644 docs/system/s390x/secure-ipl.rst

diff --git a/docs/system/s390x/secure-ipl.rst b/docs/system/s390x/secure-ipl.rst
new file mode 100644
index 0000000000..92c1bb2153
--- /dev/null
+++ b/docs/system/s390x/secure-ipl.rst
@@ -0,0 +1,21 @@
+.. SPDX-License-Identifier: GPL-2.0-or-later
+
+Secure IPL Command Line Options
+===============================
+
+The s390-ccw-virtio machine type supports secure IPL. These parameters allow 
users
+to provide certificates and enable secure IPL directly via the command line.
+
+Providing Certificates
+----------------------
+
+The certificate store can be populated by supplying a list of X.509 
certificate file
+paths or directories containing certificate files on the command-line:
+
+Note: certificate files must have a .pem extension.
+
+.. code-block:: shell
+
+    qemu-system-s390x -machine s390-ccw-virtio, \
+                               boot-certs.0.path=/.../qemu/certs, \
+                               boot-certs.1.path=/another/path/cert.pem ...
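
Review bot: in the "Providing Certificates" section, the line "Note: certificate files must have a .pem extension." sits between the sentence ending in "on the command-line:" and the code block that sentence introduces, so the colon leads into the note rather than the example. Moving the note below the example, or turning it into a `.. note::` directive, would keep the sentence and its example together. The note could also say whether the .pem requirement applies to files picked up from a directory entry, since the text only mentions "directories containing certificate files". Minor: this paragraph writes "command-line" while the intro paragraph writes "command line".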

Using newlines/spaces between parameters does not work, so people cannot
copy-n-paste this example to the shell.

So I think you either have to merge it into one line, or use multiple
"-machine" statements, e.g.:

     qemu-system-s390x -M s390-ccw-virtio \
                       -M boot-certs.0.path=/.../qemu/certs \
                       -M boot-certs.1.path=/another/path/cert.pem ...

The inability to copy+paste is unfortunate, but IMHO the docs are better
in the way they are already expressed. Repeating the -M arg in this way
is not a natural way we'd expect people to configure QEMU, even if it
happens to work in the case of -M/-machine.

Then I'd vote to have it rather in one line instead.

 Thomas
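
The one-line form discussed in this thread can be generated instead of typed by hand. The following is an added example, not code from the patch or from anyone in the thread; the helper name `build_boot_certs_arg` is hypothetical, and the .pem check mirrors only the note in the quoted documentation.

```shell
#!/bin/sh
# Added example: build the -machine value as one token with no whitespace.
# build_boot_certs_arg is a hypothetical helper, not part of QEMU.

# Prints "s390-ccw-virtio,boot-certs.0.path=...,boot-certs.1.path=..."
# for the paths given as arguments; returns non-zero on a bad entry.
build_boot_certs_arg() {
    arg="s390-ccw-virtio"
    idx=0
    for p in "$@"; do
        if [ -d "$p" ]; then
            :   # a directory of certificate files is passed through as-is
        elif [ -f "$p" ]; then
            # The documentation note requires a .pem extension for files.
            case "$p" in
                *.pem) ;;
                *) echo "not a .pem file: $p" >&2; return 1 ;;
            esac
        else
            echo "no such file or directory: $p" >&2; return 1
        fi
        # QEMU splits option values on ','; a literal comma is written ',,'.
        esc=$(printf '%s' "$p" | sed 's/,/,,/g')
        arg="$arg,boot-certs.$idx.path=$esc"
        idx=$((idx + 1))
    done
    printf '%s\n' "$arg"
}

# Constructed sample input: a temporary directory holding one certificate file.
demo_dir=$(mktemp -d)
: > "$demo_dir/cert.pem"
echo qemu-system-s390x -machine \
    "$(build_boot_certs_arg "$demo_dir" "$demo_dir/cert.pem")"
rm -rf "$demo_dir"
```
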

