On 9/22/25 19:48, Zhuoying Cai wrote:
> On 9/18/25 4:38 AM, Daniel P. Berrangé wrote:

[...]

>
> Thank you for the comments.
>
> Since Secure IPL on s390x is supported in QEMU, I would like to begin
> drafting the corresponding Libvirt interface and seek feedback before
> proceeding with the implementation.
>
> While Libvirt already provides a secure boot interface
> (https://libvirt.org/kbase/secureboot.html), it appears to be primarily
> intended for x86 systems, where secure boot is configured using the
> <firmware>, <loader>, and <nvram> tags.
>
> <os firmware='efi'>
>   <firmware>
>     <feature enabled='yes' name='enrolled-keys'/>
>     <feature enabled='yes' name='secure-boot'/>
>   </firmware>
>   <loader secure='yes' type='pflash'>...</loader>
>   <nvram template='...'>...</nvram>
> </os>
>
> For s390x, some of these existing tags may be reused, but additional
> elements will be needed.
>
> Below is my initial proposal for the secure boot interface in Libvirt:
>
> <!-- New s390-ccw-bios firmware value -->
> <os firmware='s390-ccw-bios'>
>   <type arch='s390x' machine='s390-ccw-virtio-9.2'>hvm</type>
>   <firmware>
>     <!-- To enable secure boot -->
>     <feature enabled='yes' name='secure-boot'/>
>   </firmware>
>   <!-- To provide boot certificates for secure boot -->
>   <boot-certs path='/path/to/cert.pem' />
>   <boot-certs path='/path/to/cert-dir' />
>   <boot dev='hd'/>
> </os>
>
> I would greatly appreciate any suggestions or feedback on this
> proposal, and I am open to refining the design to better align with
> existing Libvirt structures.
>
> Best regards,
> Joy
>

You should post an RFC to the libvirt list -- no code needed. I suggest
posting what you wrote above while also giving an example of the QEMU
commandline. Lastly, give a short background of what you've been working
on and provide a link to these patches for more detail.

CC those who have been involved in review as well as Boris, please.

Thanks!

[...]

--
Regards,
Collin
