On 9/18/25 4:38 AM, Daniel P. Berrangé wrote:
> On Thu, Sep 18, 2025 at 08:56:39AM +0200, Markus Armbruster wrote:
>> Zhuoying Cai <[email protected]> writes:
>>
>>> Introduce a new `boot-certs` machine type option for the s390-ccw-virtio
>>> machine. This allows users to specify one or more certificate file paths
>>> or directories to be used during secure boot.
>>>
>>> Each entry is specified using the syntax:
>>> boot-certs.<index>.path=/path/to/cert.pem
>>>
>>> Multiple paths can be specified using array properties:
>>> boot-certs.0.path=/path/to/cert.pem,
>>> boot-certs.1.path=/path/to/cert-dir,
>>> boot-certs.2.path=/path/to/another-dir...
>>
>> Given we can specify a directory containing any number of certificate
>> files, is the ability to specify multiple paths worth the additional
>> complexity?
>
> The typical scenario would be to point to somewhere in /etc/pki
> for some globally provided certs, and then also point to
> somewhere local ($HOME) for custom extra certs. So IMHO it
> is reasonable to want multiple paths, to avoid copying around
> certs from different locations.
>

Thank you for the comments.

Since Secure IPL on s390x is supported in QEMU, I would like to begin
drafting the corresponding Libvirt interface and seek feedback before
proceeding with the implementation.

While Libvirt already provides a secure boot interface
(https://libvirt.org/kbase/secureboot.html), it appears to be primarily
intended for x86 systems, where secure boot is configured using the
<firmware>, <loader>, and <nvram> tags.

<os firmware='efi'>
  <firmware>
    <feature enabled='yes' name='enrolled-keys'/>
    <feature enabled='yes' name='secure-boot'/>
  </firmware>
  <loader secure='yes' type='pflash'>...</loader>
  <nvram template='...'>...</nvram>
</os>

For s390x, some of these existing tags may be reused, but additional
elements will be needed. Below is my initial proposal for the secure boot
interface in Libvirt:

<!-- New s390-ccw-bios firmware value -->
<os firmware='s390-ccw-bios'>
  <type arch='s390x' machine='s390-ccw-virtio-9.2'>hvm</type>
  <firmware>
    <!-- To enable secure boot -->
    <feature enabled='yes' name='secure-boot'/>
  </firmware>
  <!-- To provide boot certificates for secure boot -->
  <boot-certs path='/path/to/cert.pem' />
  <boot-certs path='/path/to/cert-dir' />
  <boot dev='hd'/>
</os>

I would greatly appreciate any suggestions or feedback on this proposal,
and I am open to refining the design to better align with existing
Libvirt structures.

Best regards,
Joy

>>
>>> Signed-off-by: Zhuoying Cai <[email protected]>
>>
>> [...]
>>
>>> diff --git a/qapi/machine-s390x.json b/qapi/machine-s390x.json >>> index 966dbd61d2..51bf791fe6 100644 >>> --- a/qapi/machine-s390x.json >>> +++ b/qapi/machine-s390x.json 
>>> @@ -119,3 +119,25 @@ >>> { 'command': 'query-s390x-cpu-polarization', 'returns': >>> 'CpuPolarizationInfo', >>> 'features': [ 'unstable' ] >>> } >>> + >>> +## >>> +# @BootCertificate: >>> +# >>> +# Boot certificate for secure IPL. >>> +# >>> +# @path: path to an X.509 certificate file or a directory containing >>> certificate files. >>> +# >>> +# Since: 10.2 >>> +## >>> +{ 'struct': 'BootCertificate', >>> + 'data': {'path': 'str'} } >> >> I'd call this BootCertificates (plural), because it can pull in any >> number, not just than one. >> >>> + >>> +## >>> +# @DummyBootCertificates: >>> +# >>> +# Not used by QMP; hack to let us use BootCertificateList internally. >>> +# >>> +# Since: 10.2 >>> +## >>> +{ 'struct': 'DummyBootCertificates', >>> + 'data': {'unused-boot-certs': ['BootCertificate'] } } >>> diff --git a/qapi/pragma.json b/qapi/pragma.json >>> index 023a2ef7bc..66401837ad 100644 >>> --- a/qapi/pragma.json >>> +++ b/qapi/pragma.json >>> @@ -49,6 +49,7 @@ >>> 'DisplayProtocol', >>> 'DriveBackupWrapper', >>> 'DummyBlockCoreForceArrays', >>> + 'DummyBootCertificates', >>> 'DummyForceArrays', >>> 'DummyVirtioForceArrays', >>> 'HotKeyMod', >> > > With regards, > Daniel
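
Review bot: the @path description in the BootCertificate struct (qapi/machine-s390x.json hunk) leaves the loading rules undocumented: it does not say which encoding is accepted (the commit message only shows cert.pem), whether a directory is walked recursively, or what happens to directory entries that are not valid X.509 certificates. Since whatever is picked up from these paths is used during secure boot, please state those rules in the doc comment so an operator can tell exactly which files a directory entry will pull in. The description line is also long enough that it was wrapped in transit; rewrapping it onto an indented continuation line would keep the comment block intact.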
