On 08/12/2025 22.32, Zhuoying Cai wrote:
Introduce a new `boot-certs` machine type option for the s390-ccw-virtio
machine. This allows users to specify one or more certificate file paths
or directories to be used during secure boot.

Each entry is specified using the syntax:
        boot-certs.<index>.path=/path/to/cert.pem

Multiple paths can be specified using array properties:
        boot-certs.0.path=/path/to/cert.pem,
        boot-certs.1.path=/path/to/cert-dir,
        boot-certs.2.path=/path/to/another-dir...

Signed-off-by: Zhuoying Cai <[email protected]>
Acked-by: Markus Armbruster <[email protected]>
---
  docs/system/s390x/secure-ipl.rst   | 20 ++++++++++++++++++++
  hw/s390x/s390-virtio-ccw.c         | 30 ++++++++++++++++++++++++++++++
  include/hw/s390x/s390-virtio-ccw.h |  2 ++
  qapi/machine-s390x.json            | 23 +++++++++++++++++++++++
  qapi/pragma.json                   |  1 +
  qemu-options.hx                    |  6 +++++-
  6 files changed, 81 insertions(+), 1 deletion(-)
  create mode 100644 docs/system/s390x/secure-ipl.rst

diff --git a/docs/system/s390x/secure-ipl.rst b/docs/system/s390x/secure-ipl.rst
new file mode 100644
index 0000000000..0a02f171b4
--- /dev/null
+++ b/docs/system/s390x/secure-ipl.rst
@@ -0,0 +1,20 @@
+.. SPDX-License-Identifier: GPL-2.0-or-later
+
+Secure IPL Command Line Options
+===============================
+
+The s390-ccw-virtio machine type supports secure IPL. These parameters allow
+users to provide certificates and enable secure IPL directly via the command
+line.
+
+Providing Certificates
+----------------------
+
+The certificate store can be populated by supplying a list of X.509 certificate
+file paths or directories containing certificate files on the command-line:
+
+Note: certificate files must have a .pem extension.
+
+.. code-block:: shell
+
+    qemu-system-s390x -machine 
s390-ccw-virtio,boot-certs.0.path=/.../qemu/certs,boot-certs.1.path=/another/path/cert.pem
 ...
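Review bot: the sentence "The certificate store can be populated by supplying a list of X.509 certificate file paths or directories ... on the command-line:" ends in a colon but is followed by the "Note: certificate files must have a .pem extension." paragraph rather than by the example it introduces; move the note below the code block (an RST ``.. note::`` directive would fit the document) and state what happens to files in a directory that do not end in .pem, i.e. whether they are skipped or rejected, since a user whose store silently ends up empty needs to know which. Also check that secure-ipl.rst is added to the s390x toctree: the diffstat touches no index file, and an orphan document makes Sphinx warn, which the QEMU docs build treats as an error.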

Maybe use "-M" instead of "-machine" to shorten the line a little bit?
... just an idea, feel free to keep "-machine" if you prefer it.

diff --git a/qapi/machine-s390x.json b/qapi/machine-s390x.json
index ea430e1b88..0103fc91cd 100644
--- a/qapi/machine-s390x.json
+++ b/qapi/machine-s390x.json
@@ -140,3 +140,26 @@
  { 'event': 'SCLP_CPI_INFO_AVAILABLE',
    'features': [ 'unstable' ]
  }
+
+##
+# @BootCertificates:
+#
+# Boot certificate for secure IPL.
+#
+# @path: path to an X.509 certificate file or a directory containing
+# certificate files.
+#
+# Since: 10.2
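Review bot: "BootCertificates" is plural, but each instance describes one certificate path entry (boot-certs.<index>.path); the singular "BootCertificate", giving the generated list type "BootCertificateList", would match how QAPI names element types elsewhere. Separately, verify that the continuation line "# certificate files." of the @path description is indented in the real patch; as quoted here it sits flush with "@path:", and the QAPI doc parser expects continuation lines of a member description to be indented.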

This needs to be updated to 11.0 now.

+##
+{ 'struct': 'BootCertificates',
+  'data': {'path': 'str'} }
+
+##
+# @DummyBootCertificates:
+#
+# Not used by QMP; hack to let us use BootCertificatesList internally.
+#
+# Since: 10.2
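Review bot: the "DummyBootCertificates" comment says it is a hack to let BootCertificatesList be used internally but does not say which convention it follows; point at the existing dummy-array pattern (the struct exists only so the generator emits the list type, as DummyForceArrays does in qapi/machine.json) and mention it in the commit message, which currently does not explain why a second struct is needed. If the one-line qapi/pragma.json change in the diffstat is what keeps this struct out of the documentation, say so here as well.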

ditto.

 Thomas

