On 2/27/26 7:41 AM, Thomas Huth wrote: > On 12/02/2026 21.43, Zhuoying Cai wrote: >> DIAGNOSE 320 is introduced to support Certificate Store (CS) >> Facility, which includes operations such as query certificate >> storage information and provide certificates in the certificate >> store. >> >> Currently, only subcode 0 is supported with this patch, which is >> used to query the Installed Subcodes Mask (ISM). >> >> This subcode is only supported when the CS facility is enabled. >> >> Availability of CS facility is determined by byte 134 bit 5 of the >> SCLP Read Info block. Byte 134's facilities cannot be represented >> without the availability of the extended-length-SCCB, so add it as >> a check for consistency. >> >> Note: secure IPL is not available for Secure Execution (SE) guests, >> as their images are already integrity protected, and an additional >> protection of the kernel by secure IPL is not necessary. >> >> This feature is available starting with the gen16 CPU model. >> >> Signed-off-by: Zhuoying Cai <[email protected]> >> Reviewed-by: Collin Walling <[email protected]> >> Reviewed-by: Farhan Ali <[email protected]> >> --- >> docs/specs/s390x-secure-ipl.rst | 12 +++++++++ >> include/hw/s390x/ipl/diag320.h | 20 ++++++++++++++ >> target/s390x/cpu_features.c | 1 + >> target/s390x/cpu_features_def.h.inc | 1 + >> target/s390x/cpu_models.c | 2 ++ >> target/s390x/diag.c | 42 +++++++++++++++++++++++++++++ >> target/s390x/gen-features.c | 3 +++ >> target/s390x/kvm/kvm.c | 16 +++++++++++ >> target/s390x/s390x-internal.h | 2 ++ >> target/s390x/tcg/misc_helper.c | 7 +++++ >> 10 files changed, 106 insertions(+) >> create mode 100644 include/hw/s390x/ipl/diag320.h >> >> diff --git a/docs/specs/s390x-secure-ipl.rst >> b/docs/specs/s390x-secure-ipl.rst >> index 7ddac98a37..c2e8f7aba5 100644 >> --- a/docs/specs/s390x-secure-ipl.rst >> +++ b/docs/specs/s390x-secure-ipl.rst >> @@ -14,3 +14,15 @@ and a summation of the sizes. >> >> Note: A maximum of 64 certificates are allowed to be stored in the >> certificate >> store. >> + >> +DIAGNOSE function code 'X'320' - Certificate Store Facility >> +----------------------------------------------------------- >> + >> +DIAGNOSE 'X'320' is used to provide support for userspace to directly >> +query the s390 certificate store. Userspace may be the s390-ccw BIOS or >> +the guest kernel. > I think I'd rather say "guest code" instead of "userspace" in the above two > sentences, to avoid confusion. "userspace" is normally everything that does > not belong to the kernel, so the term sounds rather misleading here. > > Anyway, with that confusion fixed: > Reviewed-by: Thomas Huth <[email protected]> >
Will do. Thanks for the review!
