On 1/21/26 4:29 PM, Zhuoying Cai wrote: > > > On 1/15/26 4:34 PM, Collin Walling wrote: >> On 12/8/25 16:32, Zhuoying Cai wrote: >>> The IPL information report block (IIRB) contains information used >>> to locate IPL records and to report the results of signature verification >>> of one or more secure components of the load device. >>> >>> IIRB is stored immediately following the IPL Parameter Block. Results on >>> component verification in any case (failure or success) are stored. >>> >>> Signed-off-by: Zhuoying Cai <[email protected]> >>> --- >>> docs/specs/s390x-secure-ipl.rst | 13 +++++++ >>> pc-bios/s390-ccw/iplb.h | 62 +++++++++++++++++++++++++++++++++ >>> 2 files changed, 75 insertions(+) >>> >>> diff --git a/docs/specs/s390x-secure-ipl.rst >>> b/docs/specs/s390x-secure-ipl.rst >>> index be98dc143d..29c5d59b99 100644 >>> --- a/docs/specs/s390x-secure-ipl.rst >>> +++ b/docs/specs/s390x-secure-ipl.rst >>> @@ -86,3 +86,16 @@ Subcode 1 - perform signature verification >>> * ``0x0302``: PKCS#7 format signature is invalid >>> * ``0x0402``: signature-verification failed >>> * ``0x0502``: length of Diag508SigVerifBlock is invalid >>> + >>> +IPL Information Report Block >>> +---------------------------- >>> + >>> +The IPL Parameter Block (IPLPB), utilized for IPL operation, is extended >>> with an >>> +IPL Information Report Block (IIRB), which contains the results from >>> secure IPL >>> +operations such as: >>> + >>> +* component data >>> +* verification results >>> +* certificate data >>> + >>> +The guest kernel will inspect the IIRB and build the keyring. >> >> This needs more elaboration. Is the data listed above used in >> the keyring? Maybe rewording to "The guest's kernel will use this data >> in the IIRB when building its keyring." ? >> > > Thanks for pointing this out. The data in the IIRB is not used to build > the keyring. I'll update the text as: > > "When secure boot is enabled, the guest kernel will inspect the IIRB." > > [...] >
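Review bot: In the docs/specs/s390x-secure-ipl.rst hunk, the new "IPL Information Report Block" section omits two facts the commit message states: that the IIRB is stored immediately following the IPL Parameter Block, and that component verification results are stored on failure as well as on success. "Is extended with" does not tell a reader where the block sits, so consider stating the placement explicitly and adding a sentence that results are recorded in either case. The closing sentence, "The guest kernel will inspect the IIRB and build the keyring.", should also name which of the three listed items the keyring is built from, since the list gives component data, verification results and certificate data equal weight.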
Apologies for my previous reply. I reviewed my notes and realized that the guest kernel uses the certificate data in the IIRB to build the keyring. I'll update the documentation accordingly.
