On 10/7/25 05:47, Thomas Huth wrote: > On 18/09/2025 01.21, Zhuoying Cai wrote: >> From: Collin Walling <[email protected]> >> >> In order to support secure IPL (aka secure boot) for the s390-ccw BIOS, >> a new s390 DIAGNOSE instruction is introduced to leverage QEMU for >> handling operations such as signature verification and certificate >> retrieval. >> >> Currently, only subcode 0 is supported with this patch, which is used to >> query a bitmap of which subcodes are supported. >> >> Signed-off-by: Collin Walling <[email protected]> >> --- >> docs/specs/s390x-secure-ipl.rst | 18 ++++++++++++++++++ >> include/hw/s390x/ipl/diag508.h | 15 +++++++++++++++ >> target/s390x/diag.c | 27 +++++++++++++++++++++++++++ >> target/s390x/kvm/kvm.c | 14 ++++++++++++++ >> target/s390x/s390x-internal.h | 2 ++ >> target/s390x/tcg/misc_helper.c | 7 +++++++ >> 6 files changed, 83 insertions(+) >> create mode 100644 include/hw/s390x/ipl/diag508.h >> >> diff --git a/docs/specs/s390x-secure-ipl.rst >> b/docs/specs/s390x-secure-ipl.rst >> index e28f0b40d7..0919425e9a 100644 >> --- a/docs/specs/s390x-secure-ipl.rst >> +++ b/docs/specs/s390x-secure-ipl.rst 
>> @@ -48,3 +48,21 @@ Subcode 2 - store verification certificates >> storage specified in the VCB input length field. >> >> VCE contains various information of a VC from the CS. >> + >> + >> +Secure IPL Data Structures, Facilities, and Functions >> +===================================================== >> + >> +DIAGNOSE function code 'X'508' - KVM IPL extensions >> +--------------------------------------------------- >> + >> +DIAGNOSE 'X'508' is reserved for KVM guest use in order to facilitate >> +communication of additional IPL operations that cannot be handled by >> userspace, >> +such as signature verification for secure IPL. >> + >> +If the function code specifies 0x508, KVM IPL extension functions are >> performed. >> +These functions are meant to provide extended functionality for s390 guest >> boot >> +that requires assistance from QEMU. >> + >> +Subcode 0 - query installed subcodes >> + Returns a 64-bit mask indicating which subcodes are supported. > > Technically, this works also without KVM, right? In that case, I'd maybe > avoid the term "KVM" here, and just talk about "IPL extensions" and "guest", > to avoid the confusion about whether this feature can be used with TCG, too, > or not. > > Thomas > >
Fair enough. None of the secure IPL code leverages KVM, so we can reword the document a bit.

-- 
Regards,
Collin
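
Review bot: In the new DIAGNOSE 508 section of docs/specs/s390x-secure-ipl.rst, "cannot be handled by userspace" reads as the opposite of what the following paragraph ("requires assistance from QEMU") and the commit message say, since QEMU is the userspace component doing the work; if the intent is operations the guest BIOS cannot perform on its own, "cannot be handled by the guest" would say that. The "Subcode 0 - query installed subcodes" entry should also state where the 64-bit mask is returned and how bit positions map to subcode numbers, so a guest can test for a subcode without reading the implementation. Minor: the function code is written as 'X'508' with unbalanced quotes in both the heading and the body, and as 0x508 one paragraph later; one notation throughout would be clearer.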
