Add secure-boot as a parameter of s390-ccw-virtio machine type option. The `secure-boot=on|off` parameter is implemented to enable secure IPL.
By default, secure-boot is set to false if not specified in the command line. Signed-off-by: Zhuoying Cai <[email protected]> --- docs/system/s390x/secure-ipl.rst | 22 +++++++++++++++++----- hw/s390x/s390-virtio-ccw.c | 22 ++++++++++++++++++++++ include/hw/s390x/s390-virtio-ccw.h | 1 + qemu-options.hx | 6 +++++- 4 files changed, 45 insertions(+), 6 deletions(-) diff --git a/docs/system/s390x/secure-ipl.rst b/docs/system/s390x/secure-ipl.rst index 8958a51f0b..675724d324 100644 --- a/docs/system/s390x/secure-ipl.rst +++ b/docs/system/s390x/secure-ipl.rst @@ -19,19 +19,31 @@ Note: certificate files must have a .pem extension. qemu-system-s390x -machine s390-ccw-virtio,boot-certs.0.path=/.../qemu/certs,boot-certs.1.path=/another/path/cert.pem ... +Enabling Secure IPL +------------------- + +Secure IPL is enabled by explicitly setting ``secure-boot=on``; if not +specified, secure boot is considered off. + +.. code-block:: shell + + qemu-system-s390x -machine s390-ccw-virtio,secure-boot=on|off + IPL Modes ========= Multiple IPL modes are available to differentiate between the various IPL -configurations. These modes are mutually exclusive and enabled based on the -``boot-certs`` option on the QEMU command line. +configurations. These modes are mutually exclusive and enabled based on specific +combinations of the ``secure-boot`` and ``boot-certs`` options on the QEMU +command line. Normal Mode ----------- -The absence of certificates will attempt to IPL a guest without secure IPL -operations. No checks are performed, and no warnings/errors are reported. -This is the default mode. +The absence of both certificates and the ``secure-boot`` option will attempt to +IPL a guest without secure IPL operations. No checks are performed, and no +warnings/errors are reported. This is the default mode, and can be explicitly +enabled with ``secure-boot=off``. Configuration: diff --git a/hw/s390x/s390-virtio-ccw.c b/hw/s390x/s390-virtio-ccw.c index d880613fe7..7957dae1b0 100644 --- a/hw/s390x/s390-virtio-ccw.c +++ b/hw/s390x/s390-virtio-ccw.c @@ -803,6 +803,21 @@ static void machine_set_boot_certs(Object *obj, Visitor *v, const char *name, ms->boot_certs = cert_list; } +static inline bool machine_get_secure_boot(Object *obj, Error **errp) +{ + S390CcwMachineState *ms = S390_CCW_MACHINE(obj); + + return ms->secure_boot; +} + +static inline void machine_set_secure_boot(Object *obj, bool value, + Error **errp) +{ + S390CcwMachineState *ms = S390_CCW_MACHINE(obj); + + ms->secure_boot = value; +} + static void ccw_machine_class_init(ObjectClass *oc, const void *data) { MachineClass *mc = MACHINE_CLASS(oc); @@ -861,6 +876,13 @@ static void ccw_machine_class_init(ObjectClass *oc, const void *data) machine_get_boot_certs, machine_set_boot_certs, NULL, NULL); object_class_property_set_description(oc, "boot-certs", "provide paths to a directory and/or a certificate file for secure boot"); + + object_class_property_add_bool(oc, "secure-boot", + machine_get_secure_boot, + machine_set_secure_boot); + object_class_property_set_description(oc, "secure-boot", + "enable/disable secure boot"); + } static inline void s390_machine_initfn(Object *obj) diff --git a/include/hw/s390x/s390-virtio-ccw.h b/include/hw/s390x/s390-virtio-ccw.h index 7c30ba22cb..4e9c08d9d9 100644 --- a/include/hw/s390x/s390-virtio-ccw.h +++ b/include/hw/s390x/s390-virtio-ccw.h @@ -29,6 +29,7 @@ struct S390CcwMachineState { bool aes_key_wrap; bool dea_key_wrap; bool pv; + bool secure_boot; uint8_t loadparm[8]; uint64_t memory_limit; uint64_t max_pagesize; diff --git a/qemu-options.hx b/qemu-options.hx index 06ce35e58b..23bccb9a3c 100644 --- a/qemu-options.hx +++ b/qemu-options.hx @@ -45,7 +45,8 @@ DEF("machine", HAS_ARG, QEMU_OPTION_machine, \ " memory-backend='backend-id' specifies explicitly provided backend for main RAM (default=none)\n" " cxl-fmw.0.targets.0=firsttarget,cxl-fmw.0.targets.1=secondtarget,cxl-fmw.0.size=size[,cxl-fmw.0.interleave-granularity=granularity]\n" " smp-cache.0.cache=cachename,smp-cache.0.topology=topologylevel\n" - " boot-certs.0.path=/path/directory,boot-certs.1.path=/path/file provides paths to a directory and/or a certificate file\n", + " boot-certs.0.path=/path/directory,boot-certs.1.path=/path/file provides paths to a directory and/or a certificate file\n" + " secure-boot=on|off enable/disable secure boot (default=off) \n", QEMU_ARCH_ALL) SRST ``-machine [type=]name[,prop=value[,...]]`` @@ -209,6 +210,9 @@ SRST ``boot-certs.0.path=/path/directory,boot-certs.1.path=/path/file`` Provide paths to a directory and/or a certificate file on the host [s390x only]. + + ``secure-boot=on|off`` + Enables or disables secure boot on s390-ccw guest. The default is off. ERST DEF("M", HAS_ARG, QEMU_OPTION_M, -- 2.51.1
