On 9/29/25 2:29 PM, Collin Walling wrote:
> On 9/22/25 19:48, Zhuoying Cai wrote:
>> On 9/18/25 4:38 AM, Daniel P. Berrangé wrote:
>
> [...]
>
>>
>> Thank you for the comments.
>>
>> Since Secure IPL on s390x is supported in QEMU, I would like to begin
>> drafting the corresponding Libvirt interface and seek feedback before
>> proceeding with the implementation.
>>
>> While Libvirt already provides a secure boot interface
>> (https://libvirt.org/kbase/secureboot.html), it appears to be primarily
>> intended for x86 systems, where secure boot is configured using the
>> <firmware>, <loader>, and <nvram> tags.
>>
>> <os firmware='efi'>
>>   <firmware>
>>     <feature enabled='yes' name='enrolled-keys'/>
>>     <feature enabled='yes' name='secure-boot'/>
>>   </firmware>
>>   <loader secure='yes' type='pflash'>...</loader>
>>   <nvram template='...'>...</nvram>
>> </os>
>>
>> For s390x, some of these existing tags may be reused, but additional
>> elements will be needed.
>>
>> Below is my initial proposal for the secure boot interface in Libvirt:
>>
>> <!-- New s390-ccw-bios firmware value -->
>> <os firmware='s390-ccw-bios'>
>>   <type arch='s390x' machine='s390-ccw-virtio-9.2'>hvm</type>
>>   <firmware>
>>     <!-- To enable secure boot -->
>>     <feature enabled='yes' name='secure-boot'/>
>>   </firmware>
>>   <!-- To provide boot certificates for secure boot -->
>>   <boot-certs path='/path/to/cert.pem' />
>>   <boot-certs path='/path/to/cert-dir' />
>>   <boot dev='hd'/>
>> </os>
>>
>> I would greatly appreciate any suggestions or feedback on this
>> proposal, and I am open to refining the design to better align with
>> existing Libvirt structures.
>>
>> Best regards,
>> Joy
>>
>
> You should post an RFC to the libvirt list -- no code needed. I suggest
> posting what you wrote above while also giving an example of the QEMU
> commandline. Lastly, give a short background of what you've been
> working on and provide a link to these patches for more detail.
>
> CC those who have been involved in review as well as Boris, please. Thanks!
>

Thank you for the suggestion! I posted an RFC to the libvirt list
(https://lists.libvirt.org/archives/list/[email protected]/thread/DWCOPLUGJKYZ6BOCX3JWU2FJGFLG7DUF/).

> [...]
>
