On 08/12/2025 22.32, Zhuoying Cai wrote:
If secure boot in audit mode or True Secure IPL mode is enabled without
specifying a boot device, the boot process will terminate with an error.
Signed-off-by: Zhuoying Cai <[email protected]>
---
hw/s390x/ipl.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/hw/s390x/ipl.c b/hw/s390x/ipl.c
index bfac156afe..2809fb718d 100644
--- a/hw/s390x/ipl.c
+++ b/hw/s390x/ipl.c
@@ -771,6 +771,16 @@ void s390_ipl_prepare_cpu(S390CPU *cpu)
}
if (!ipl->iplb_valid) {
ipl->iplb_valid = s390_init_all_iplbs(ipl);
+
+ /*
+ * Secure IPL without specifying a boot device.
+ * IPLB is not generated if no boot device is defined.
+ */
+ if ((s390_has_certificate() || s390_secure_boot_enabled()) &&
+ !ipl->iplb_valid) {
+ error_report("No boot device defined for Secure IPL");
+ exit(1);
+ }
} else {
ipl->qipl.chain_len = 0;
}
Reviewed-by: Thomas Huth <[email protected]>
