On 08/12/2025 22.32, Zhuoying Cai wrote:
Create a certificate store for boot certificates used for secure IPL.
Load certificates from the `boot-certs` parameter of s390-ccw-virtio
machine type option into the cert store.
Currently, only X.509 certificates in PEM format are supported, as the
QEMU command line accepts certificates in PEM format only.
Signed-off-by: Zhuoying Cai <[email protected]>
---
Claude just spotted a possible memory leak:
...
+static void update_cert_store(S390IPLCertificateStore *cert_store,
+ S390IPLCertificate *cert)
+{
+ size_t data_buf_size;
+ size_t keyid_buf_size;
+ size_t hash_buf_size;
+ size_t cert_buf_size;
+
+ /* length field is word aligned for later DIAG use */
+ keyid_buf_size = ROUND_UP(CERT_KEY_ID_LEN, 4);
+ hash_buf_size = ROUND_UP(CERT_HASH_LEN, 4);
+ cert_buf_size = ROUND_UP(cert->der_size, 4);
+ data_buf_size = keyid_buf_size + hash_buf_size + cert_buf_size;
+
+ if (cert_store->max_cert_size < data_buf_size) {
+ cert_store->max_cert_size = data_buf_size;
+ }
+
+ cert_store->certs[cert_store->count] = *cert;
This copies the cert by value (instead of storing the pointer only), so the
original buffer is not used anymore afterwards ... (see below)
+ cert_store->total_bytes += data_buf_size;
+ cert_store->count++;
+}
...
+void s390_ipl_create_cert_store(S390IPLCertificateStore *cert_store)
+{
+ GPtrArray *cert_path_builder;
+ Error *err = NULL;
+
+ cert_path_builder = get_cert_paths(&err);
+ if (cert_path_builder == NULL) {
+ error_report_err(err);
+ exit(1);
+ }
+
+ if (cert_path_builder->len == 0) {
+ g_ptr_array_free(cert_path_builder, TRUE);
+ return;
+ }
+
+ if (cert_path_builder->len > MAX_CERTIFICATES - 1) {
+ error_report("Cert store exceeds maximum of %d certificates",
MAX_CERTIFICATES);
+ g_ptr_array_free(cert_path_builder, TRUE);
+ exit(1);
+ }
+
+ cert_store->max_cert_size = 0;
+ cert_store->total_bytes = 0;
+
+ for (int i = 0; i < cert_path_builder->len; i++) {
+ S390IPLCertificate *cert = init_cert((char *) cert_path_builder->pdata[i],
&err);
+ if (!cert) {
+ error_report_err(err);
+ g_ptr_array_free(cert_path_builder, TRUE);
+ exit(1);
+ }
+
+ update_cert_store(cert_store, cert);
... so you should free cert here to avoid leaking memory!
+ }
+
+ g_ptr_array_free(cert_path_builder, TRUE);
+}
Thomas
