On 1/8/26 7:28 AM, Thomas Huth wrote: > On 08/12/2025 22.32, Zhuoying Cai wrote: >> Create a certificate store for boot certificates used for secure IPL. >> >> Load certificates from the `boot-certs` parameter of s390-ccw-virtio >> machine type option into the cert store. >> >> Currently, only X.509 certificates in PEM format are supported, as the >> QEMU command line accepts certificates in PEM format only. >> >> Signed-off-by: Zhuoying Cai <[email protected]> >> --- > ... >> diff --git a/hw/s390x/cert-store.c b/hw/s390x/cert-store.c >> new file mode 100644 >> index 0000000000..cf16911d09 >> --- /dev/null >> +++ b/hw/s390x/cert-store.c >> @@ -0,0 +1,211 @@ >> +/* >> + * S390 certificate store implementation >> + * >> + * Copyright 2025 IBM Corp. >> + * Author(s): Zhuoying Cai <[email protected]> >> + * >> + * SPDX-License-Identifier: GPL-2.0-or-later >> + */ >> + >> +#include "qemu/osdep.h" >> +#include "cert-store.h" >> +#include "qapi/error.h" >> +#include "qemu/error-report.h" >> +#include "qemu/option.h" >> +#include "qemu/config-file.h" >> +#include "hw/s390x/ebcdic.h" >> +#include "hw/s390x/s390-virtio-ccw.h" >> +#include "qemu/cutils.h" >> +#include "crypto/x509-utils.h" >> +#include "qapi/qapi-types-machine-s390x.h" >> + >> +static BootCertificatesList *s390_get_boot_certs(void) >> +{ >> + return S390_CCW_MACHINE(qdev_get_machine())->boot_certs; >> +} >> + >> +static S390IPLCertificate *init_cert_x509(size_t size, uint8_t *raw, Error >> **errp) >> +{ >> + S390IPLCertificate *cert = NULL; >> + g_autofree uint8_t *cert_der = NULL; >> + size_t der_len = size; >> + int rc; >> + >> + rc = qcrypto_x509_convert_cert_der(raw, size, &cert_der, &der_len, >> errp); >> + if (rc != 0) { >> + return NULL; >> + } >> + >> + cert = g_new0(S390IPLCertificate, 1); >> + cert->size = size; >> + cert->der_size = der_len; > > Why is only der_len stored here, but cert_der is silently discarded? Could > you please add a comment explaining this? >
Sure, I will add comments to explain this. To elaborate, cert_der is only used once in handle_cert() (target/s390x/diag.c) when populating the Verification Certificate Entry (VCE), and it can be easily regenerated by calling qcrypto_x509_convert_cert_der(). Most other operations on the certificate can be performed using the raw certificate in PEM format. For this reason, storing cert_der in S390IPLCertificate seemed unnecessary, whereas der_len is required in several places during certificate store setup, including when calculating the total size of S390IPLCertificateStore and the VCE length. >> + /* store raw pointer - ownership transfers to cert */ >> + cert->raw = raw; >> + >> + return cert; >> +} >> + [...] Thanks for the feedback!
