On 08/12/2025 22.32, Zhuoying Cai wrote:
When secure boot is enabled (-secure-boot on) and certificate(s) are
provided, the boot operates in True Secure IPL mode.
Any verification error during True Secure IPL mode will cause the
entire boot process to terminate.
Secure IPL in audit mode requires at least one certificate provided in
the key store along with necessary facilities. If secure boot is enabled
but no certificate is provided, the boot process will also terminate, as
this is not a valid secure boot configuration.
Note: True Secure IPL mode is implemented for the SCSI scheme of
virtio-blk/virtio-scsi devices.
Signed-off-by: Zhuoying Cai <[email protected]>
---
docs/system/s390x/secure-ipl.rst | 13 +++++++++++++
pc-bios/s390-ccw/bootmap.c | 19 ++++++++++++++++---
pc-bios/s390-ccw/main.c | 7 ++++++-
pc-bios/s390-ccw/s390-ccw.h | 2 ++
pc-bios/s390-ccw/secure-ipl.c | 4 ++++
pc-bios/s390-ccw/secure-ipl.h | 3 +++
6 files changed, 44 insertions(+), 4 deletions(-)
diff --git a/docs/system/s390x/secure-ipl.rst b/docs/system/s390x/secure-ipl.rst
index 675724d324..a03e59ae14 100644
--- a/docs/system/s390x/secure-ipl.rst
+++ b/docs/system/s390x/secure-ipl.rst
@@ -64,3 +64,16 @@ Configuration:
.. code-block:: shell
qemu-system-s390x -machine s390-ccw-virtio,boot-certs.0.path=/.../qemu/certs,boot-certs.1.path=/another/path/cert.pem ...
+
+Secure Mode
+-----------
+
+When both certificates are provided and ``secure-boot=on`` option is set,
When I started reading this sentence "When both certificates are provided" I
wondered why two certificates are involved here ... so this sentence is
somewhat hard to digest. Could you please rephrase it?
+a secure boot is performed with error reporting enabled. The boot process
aborts
+if any error occurs.
+
+Configuration:
+
+.. code-block:: shell
+
+ qemu-system-s390x -machine
s390-ccw-virtio,secure-boot=on,boot-certs.0.path=/.../qemu/certs,boot-certs.1.path=/another/path/cert.pem
...
...
diff --git a/pc-bios/s390-ccw/secure-ipl.c b/pc-bios/s390-ccw/secure-ipl.c
index 8733254cfb..bfe021fffe 100644
--- a/pc-bios/s390-ccw/secure-ipl.c
+++ b/pc-bios/s390-ccw/secure-ipl.c
@@ -296,6 +296,10 @@ static bool check_sclab_presence(uint8_t *sclab_magic,
comps->device_entries[comp_index].cei |=
S390_IPL_COMPONENT_CEI_INVALID_SCLAB;
/* a missing SCLAB will not be reported in audit mode */
+ if (boot_mode == ZIPL_BOOT_MODE_SECURE) {
+ zipl_secure_handle("Magic does not matched. SCLAB does not exist");
s/matched/match/
+ }
+
return false;
}
Thomas
