Re: [PATCH v8 05/30] s390x/diag: Introduce DIAG 320 for Certificate Store Facility

Fri, 27 Feb 2026 04:42:36 -0800 

On 12/02/2026 21.43, Zhuoying Cai wrote:

DIAGNOSE 320 is introduced to support Certificate Store (CS)
Facility, which includes operations such as query certificate
storage information and provide certificates in the certificate
store.

Currently, only subcode 0 is supported with this patch, which is
used to query the Installed Subcodes Mask (ISM).

This subcode is only supported when the CS facility is enabled.

Availability of CS facility is determined by byte 134 bit 5 of the
SCLP Read Info block. Byte 134's facilities cannot be represented
without the availability of the extended-length-SCCB, so add it as
a check for consistency.

Note: secure IPL is not available for Secure Execution (SE) guests,
as their images are already integrity protected, and an additional
protection of the kernel by secure IPL is not necessary.

This feature is available starting with the gen16 CPU model.

Signed-off-by: Zhuoying Cai <[email protected]>
Reviewed-by: Collin Walling <[email protected]>
Reviewed-by: Farhan Ali <[email protected]>
---
  docs/specs/s390x-secure-ipl.rst     | 12 +++++++++
  include/hw/s390x/ipl/diag320.h      | 20 ++++++++++++++
  target/s390x/cpu_features.c         |  1 +
  target/s390x/cpu_features_def.h.inc |  1 +
  target/s390x/cpu_models.c           |  2 ++
  target/s390x/diag.c                 | 42 +++++++++++++++++++++++++++++
  target/s390x/gen-features.c         |  3 +++
  target/s390x/kvm/kvm.c              | 16 +++++++++++
  target/s390x/s390x-internal.h       |  2 ++
  target/s390x/tcg/misc_helper.c      |  7 +++++
  10 files changed, 106 insertions(+)
  create mode 100644 include/hw/s390x/ipl/diag320.h

diff --git a/docs/specs/s390x-secure-ipl.rst b/docs/specs/s390x-secure-ipl.rst
index 7ddac98a37..c2e8f7aba5 100644
--- a/docs/specs/s390x-secure-ipl.rst
+++ b/docs/specs/s390x-secure-ipl.rst
@@ -14,3 +14,15 @@ and a summation of the sizes.
Note: A maximum of 64 certificates are allowed to be stored in the certificate 
  store.
+
+DIAGNOSE function code 'X'320' - Certificate Store Facility
+-----------------------------------------------------------
+
+DIAGNOSE 'X'320' is used to provide support for userspace to directly
+query the s390 certificate store. Userspace may be the s390-ccw BIOS or
+the guest kernel.
I think I'd rather say "guest code" instead of "userspace" in the above two sentences, to avoid confusion. "userspace" is normally everything that does not belong to the kernel, so the term sounds rather misleading here. 

Anyway, with that confusion fixed:
Reviewed-by: Thomas Huth <[email protected]>

Reply via email to