Thanks for the review! On 3/13/26 3:58 PM, Collin Walling wrote: > On 3/5/26 17:41, Zhuoying Cai wrote: >> DIAG 320 subcode 2 provides verification-certificates (VCs) that are in the >> certificate store. Only X509 certificates in DER format and SHA-256 hash >> type are recognized. >> >> The subcode value is denoted by setting the second-left-most bit >> of an 8-byte field. >> >> The Verification Certificate Block (VCB) contains the output data >> when the operation completes successfully. It includes a common >> header followed by zero or more Verification Certificate Entries (VCEs), >> depending on the VCB input length and the VC range (from the first VC >> index to the last VC index) in the certificate store. >> >> Each VCE contains information about a certificate retrieved from >> the S390IPLCertificateStore, such as the certificate name, key type, >> key ID length, hash length, and the raw certificate data. >> The key ID and hash are extracted from the raw certificate by the crypto API. >> >> Note: SHA2-256 VC hash type is required for retrieving the hash >> (fingerprint) of the certificate. >> >> Signed-off-by: Zhuoying Cai <[email protected]> > > Functionally, this looks fine. I've noted a few nits below, but I don't > think they're worth dragging things out. > > The important thing to address: > - documentation rewording > - CERT_NAME_MAX_LEN change > > The rest are inconsequential. > >> --- >> docs/specs/s390x-secure-ipl.rst | 22 ++ >> hw/s390x/cert-store.h | 3 +- >> include/hw/s390x/ipl/diag320.h | 55 +++++ >> target/s390x/diag.c | 343 +++++++++++++++++++++++++++++++- >> 4 files changed, 420 insertions(+), 3 deletions(-) >> >> diff --git a/docs/specs/s390x-secure-ipl.rst >> b/docs/specs/s390x-secure-ipl.rst >> index 52661fab00..708253ac91 100644 >> --- a/docs/specs/s390x-secure-ipl.rst >> +++ b/docs/specs/s390x-secure-ipl.rst >> @@ -38,3 +38,25 @@ Subcode 1 - query verification certificate storage >> information >> The output is returned in the verification-certificate-storage-size >> block >> (VCSSB). A VCSSB length of 4 indicates that no certificates are >> available >> in the CS. >> + >> +Subcode 2 - store verification certificates >> + Provides VCs that are in the certificate store. >> + >> + The output is provided in a VCB, which includes a common header >> followed by >> + zero or more verification-certificate entries (VCEs). >> + >> + The instruction expects the cert store to >> + maintain an origin of 1 for the index (i.e. a retrieval of the first >> + certificate in the store should be denoted by setting first-VC to 1). > > Nit: early newline after "...cert store to". There is space for a few > more characters on that line. > >> + >> + The first-VC index and last-VC index fields of VCB specify the range of >> VCs >> + to be stored by subcode 2. Stored count and remained count fields >> specify >> + the number of VCs stored and could not be stored in the VCB due to >> + insufficient storage specified in the VCB input length field. >> + > > This might read better. It makes it more clear how they're used. > > """ > The first-VC and last-VC fields of the VCB specify the index range of > VCs to be stored in the VCB. Certs are stored sequentially, starting > with first-VC index. As each cert is stored, a "stored count" is > incremented. If there is not enough space to store all certs requested > by the index range, a "remaining count" will be recorded and no more > certificates will be stored. > """ > >> + Each VCE contains a header followed by information extracted from a >> + certificate within the certificate store. The information includes: >> + key-id, hash, and certificate data. This information is stored >> + contiguously in a VCE (with zero-padding). Following the header, the >> + key-id is immediately stored. The hash and certificate data follow and >> + may be accessed via the respective offset fields stored in the VCE. >> diff --git a/hw/s390x/cert-store.h b/hw/s390x/cert-store.h >> index 7fc9503cb9..6f5ee63177 100644 >> --- a/hw/s390x/cert-store.h >> +++ b/hw/s390x/cert-store.h >> @@ -11,10 +11,9 @@ >> #define HW_S390_CERT_STORE_H >> >> #include "hw/s390x/ipl/qipl.h" >> +#include "hw/s390x/ipl/diag320.h" >> #include "crypto/x509-utils.h" >> >> -#define CERT_NAME_MAX_LEN 64 >> - > > Is there a reason why this was moved to diag320.h? >
It was moved to diag320.h because the same value is used by both S390IPLCertificate and VCEntry from DIAG320. Since diag320.h is shared by both QEMU and the BIOS, defining it there keeps the definition in a single header and avoids duplication across multiple headers. [...]
