On 08/12/2025 22.32, Zhuoying Cai wrote:
Add additional checks to ensure that components do not overlap with
signed components when loaded into memory.

Add additional checks to ensure the load addresses of unsigned components
are greater than or equal to 0x2000.

When the secure IPL code loading attributes facility (SCLAF) is installed,
all signed components must contain a secure code loading attributes block
(SCLAB).

The SCLAB provides further validation of information on where to load the
signed binary code from the load device, and where to start the execution
of the loaded OS code.

When SCLAF is installed, its content must be evaluated during secure IPL.
However, a missing SCLAB will not be reported in audit mode. The SCLAB
checking will be skipped in this case.

Add IPL Information Error Indicators (IIEI) and Component Error
Indicators (CEI) for IPL Information Report Block (IIRB).

When SCLAF is installed, additional secure boot checks are performed
during zipl and the results of verification are stored into the IIRB.

Signed-off-by: Zhuoying Cai <[email protected]>
---
...
diff --git a/pc-bios/s390-ccw/secure-ipl.c b/pc-bios/s390-ccw/secure-ipl.c
index c1c5bc682a..8733254cfb 100644
--- a/pc-bios/s390-ccw/secure-ipl.c
+++ b/pc-bios/s390-ccw/secure-ipl.c
@@ -206,6 +206,12 @@ static bool secure_ipl_supported(void)
          return false;
      }
+ if (!sclp_is_sclaf_on()) {
+        puts("Secure IPL Code Loading Attributes Facility is not supported by"
+             " the hypervisor!");
+        return false;
+    }
+
      return true;
  }
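Review bot: the new check in secure_ipl_supported() makes secure IPL fail outright when sclp_is_sclaf_on() is false, but the commit message describes the SCLAB checks as conditional ("When SCLAF is installed, additional secure boot checks are performed ..."). Either gate only the SCLAB validation on the facility and let secure IPL proceed without it, or state in the commit message that SCLAF is now a hard requirement for secure IPL and why. If the hard requirement is intended, the error message should also say that secure IPL is being refused, not just that the facility is unsupported.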
@@ -218,6 +224,402 @@ static void init_lists(IplDeviceComponentList *comps, IplSignatureCertificateLis
      certs->ipl_info_header.len = sizeof(certs->ipl_info_header);
  }
+static bool is_comp_overlap(SecureIplCompAddrRange *comp_addr_range,
+                            int addr_range_index,
+                            uint64_t start_addr, uint64_t end_addr)
+{
+    /* neither a signed nor an unsigned component can overlap with a signed 
component */
+    for (int i = 0; i < addr_range_index; i++) {
+        if ((comp_addr_range[i].start_addr <= end_addr - 1 &&
+            start_addr <= comp_addr_range[i].end_addr - 1) &&

Instead of comparing with "<= end_addr - 1", please simply compare with "< end_addr" instead. That's easier to read and avoids bugs like wrong comparisons in case of end_addr accidentally being 0 (so you would get a wrap-around when subtracting 1).

+            comp_addr_range[i].is_signed) {
+            return true;
+       }
+    }
+
+    return false;
+}
+
+static void comp_addr_range_add(SecureIplCompAddrRange *comp_addr_range,
+                                int addr_range_index, bool is_signed,
+                                uint64_t start_addr, uint64_t end_addr)
+{
+    if (addr_range_index > MAX_CERTIFICATES - 1) {
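Review bot: the capacity of comp_addr_range is bounded here by MAX_CERTIFICATES, a limit that belongs to the certificate list rather than to the component list; if the array really is sized by that constant, a short comment at the check should say so, otherwise a dedicated component-range limit avoids the two lists silently drifting apart. In is_comp_overlap(), the "end_addr - 1" arithmetic implies that end_addr is exclusive; document that convention in the function comment so every caller passing start_addr/end_addr pairs agrees on it.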

">= MAX_CERTIFICATES" without the "- 1"

 Thomas

