Create a certificate store for boot certificates used for secure IPL. Load certificates from the boot-certificate parameter of s390-ccw-virtio machine type option into the cert store.
Currently, only x509 certificates in DER format and uses SHA-256 hashing algorithm are supported, as these are the types required for secure boot on s390. Signed-off-by: Zhuoying Cai <[email protected]> --- hw/s390x/cert-store.c | 247 ++++++++++++++++++++++++++++++++++++ hw/s390x/cert-store.h | 39 ++++++ hw/s390x/ipl.c | 9 ++ hw/s390x/ipl.h | 3 + hw/s390x/meson.build | 1 + include/hw/s390x/ipl/qipl.h | 3 + 6 files changed, 302 insertions(+) create mode 100644 hw/s390x/cert-store.c create mode 100644 hw/s390x/cert-store.h diff --git a/hw/s390x/cert-store.c b/hw/s390x/cert-store.c new file mode 100644 index 0000000000..562fa22241 --- /dev/null +++ b/hw/s390x/cert-store.c @@ -0,0 +1,247 @@ +/* + * S390 certificate store implementation + * + * Copyright 2025 IBM Corp. + * Author(s): Zhuoying Cai <[email protected]> + * + * SPDX-License-Identifier: GPL-2.0-or-later + */ + +#include "qemu/osdep.h" +#include "cert-store.h" +#include "qemu/error-report.h" +#include "qemu/option.h" +#include "qemu/config-file.h" +#include "hw/s390x/ebcdic.h" +#include "hw/s390x/s390-virtio-ccw.h" +#include "qemu/cutils.h" +#include "crypto/x509-utils.h" + +static const char *s390_get_boot_certificates(void) +{ + return S390_CCW_MACHINE(qdev_get_machine())->boot_certificates; +} + +static size_t cert2buf(char *path, size_t max_size, char **cert_buf) +{ + size_t size; + + /* + * maximum allowed size of the certificate file to avoid consuming excessive memory + * (malformed or maliciously large files) + */ + if (!g_file_get_contents(path, cert_buf, &size, NULL) || + size == 0 || size > max_size) { + return 0; + } + + return size; +} + +static S390IPLCertificate *init_cert_x509_der(size_t size, char *raw) +{ + S390IPLCertificate *q_cert = NULL; + int key_id_size; + int hash_size; + int is_der; + int hash_type; + Error *err = NULL; + + is_der = qcrypto_check_x509_cert_fmt((uint8_t *)raw, size, + QCRYPTO_CERT_FMT_DER, &err); + /* return early if GNUTLS is not enabled */ + if (is_der == -ENOTSUP) { + error_report("GNUTLS is not enabled"); + return NULL; + } + if (is_der != 0) { + error_report("The certificate is not in DER format"); + return NULL; + } + + hash_type = qcrypto_get_x509_signature_algorithm((uint8_t *)raw, size, &err); + if (hash_type != QCRYPTO_SIG_ALGO_RSA_SHA256) { + error_report("The certificate does not use SHA-256 hashing"); + return NULL; + } + + key_id_size = qcrypto_get_x509_keyid_len(QCRYPTO_KEYID_FLAGS_SHA256); + if (key_id_size == 0) { + error_report("Failed to get certificate key ID size"); + return NULL; + } + + hash_size = qcrypto_get_x509_hash_len(QCRYPTO_HASH_ALGO_SHA256); + if (hash_size == 0) { + error_report("Failed to get certificate hash size"); + return NULL; + } + + q_cert = g_new(S390IPLCertificate, 1); + q_cert->size = size; + q_cert->key_id_size = key_id_size; + q_cert->hash_size = hash_size; + q_cert->raw = raw; + q_cert->format = QCRYPTO_CERT_FMT_DER; + q_cert->hash_type = QCRYPTO_SIG_ALGO_RSA_SHA256; + + return q_cert; +} + +static int check_path_type(const char *path) +{ + struct stat path_stat; + + if (stat(path, &path_stat) != 0) { + perror("stat"); + return -1; + } + + if (S_ISDIR(path_stat.st_mode)) { + return S_IFDIR; + } else if (S_ISREG(path_stat.st_mode)) { + return S_IFREG; + } else { + return -1; + } +} + +static S390IPLCertificate *init_cert(char *paths) +{ + char *buf; + char vc_name[VC_NAME_LEN_BYTES]; + g_autofree gchar *filename; + size_t size; + S390IPLCertificate *qcert = NULL; + + filename = g_path_get_basename(paths); + + size = cert2buf(paths, CERT_MAX_SIZE, &buf); + if (size == 0) { + error_report("Failed to load certificate: %s", paths); + g_free(buf); + return NULL; + } + + qcert = init_cert_x509_der(size, buf); + if (qcert == NULL) { + error_report("Failed to initialize certificate: %s", paths); + g_free(buf); + return NULL; + } + + /* + * Left justified certificate name with padding on the right with blanks. + * Convert certificate name to EBCDIC. + */ + strpadcpy(vc_name, VC_NAME_LEN_BYTES, filename, ' '); + ebcdic_put(qcert->vc_name, vc_name, VC_NAME_LEN_BYTES); + + return qcert; +} + +static void update_cert_store(S390IPLCertificateStore *cert_store, + S390IPLCertificate *qcert) +{ + size_t data_buf_size; + size_t keyid_buf_size; + size_t hash_buf_size; + size_t cert_buf_size; + + /* length field is word aligned for later DIAG use */ + keyid_buf_size = ROUND_UP(qcert->key_id_size, 4); + hash_buf_size = ROUND_UP(qcert->hash_size, 4); + cert_buf_size = ROUND_UP(qcert->size, 4); + data_buf_size = keyid_buf_size + hash_buf_size + cert_buf_size; + + if (cert_store->max_cert_size < data_buf_size) { + cert_store->max_cert_size = data_buf_size; + } + + cert_store->certs[cert_store->count] = *qcert; + cert_store->total_bytes += data_buf_size; + cert_store->count++; +} + +static GPtrArray *get_cert_paths(void) +{ + const char *path; + gchar **paths; + gchar **paths_copy; + int path_type; + GDir *dir = NULL; + gchar *cert_path; + const gchar *filename; + GPtrArray *cert_path_builder; + + cert_path_builder = g_ptr_array_new(); + + path = s390_get_boot_certificates(); + if (path == NULL) { + return cert_path_builder; + } + + paths = g_strsplit(path, ":", -1); + /* save the original pointer for freeing later */ + paths_copy = paths; + while (*paths) { + /* skip empty certificate path */ + if (!strcmp(*paths, "")) { + paths += 1; + continue; + } + + cert_path = NULL; + path_type = check_path_type(*paths); + if (path_type == S_IFREG) { + cert_path = g_strdup(*paths); + g_ptr_array_add(cert_path_builder, cert_path); + } else if (path_type == S_IFDIR) { + dir = g_dir_open(*paths, 0, NULL); + + if (dir) { + while ((filename = g_dir_read_name(dir))) { + cert_path = g_build_filename(*paths, filename, NULL); + g_ptr_array_add(cert_path_builder, (gpointer) cert_path); + } + + g_dir_close(dir); + } + } + + paths += 1; + } + + g_strfreev(paths_copy); + return cert_path_builder; +} + +void s390_ipl_create_cert_store(S390IPLCertificateStore *cert_store) +{ + GPtrArray *cert_path_builder; + + cert_path_builder = get_cert_paths(); + if (cert_path_builder->len == 0) { + g_ptr_array_free(cert_path_builder, true); + return; + } + + cert_store->max_cert_size = 0; + cert_store->total_bytes = 0; + + for (int i = 0; i < cert_path_builder->len; i++) { + if (i > MAX_CERTIFICATES - 1) { + printf("Warning: Maximum %d certificates are allowed," + " ignoring certificate #%d and beyond\n", + MAX_CERTIFICATES, i + 1); + break; + } + + S390IPLCertificate *qcert = init_cert((char *) cert_path_builder->pdata[i]); + if (qcert) { + update_cert_store(cert_store, qcert); + } + } + + g_ptr_array_free(cert_path_builder, true); +} diff --git a/hw/s390x/cert-store.h b/hw/s390x/cert-store.h new file mode 100644 index 0000000000..04acc6c2e0 --- /dev/null +++ b/hw/s390x/cert-store.h @@ -0,0 +1,39 @@ +/* + * S390 certificate store + * + * Copyright 2025 IBM Corp. + * Author(s): Zhuoying Cai <[email protected]> + * + * SPDX-License-Identifier: GPL-2.0-or-later + */ + +#ifndef HW_S390_CERT_STORE_H +#define HW_S390_CERT_STORE_H + +#include "hw/s390x/ipl/qipl.h" +#include "crypto/x509-utils.h" + +#define VC_NAME_LEN_BYTES 64 + +struct S390IPLCertificate { + uint8_t vc_name[VC_NAME_LEN_BYTES]; + size_t size; + size_t key_id_size; + size_t hash_size; + char *raw; + QCryptoCertFmt format; + QCryptoSigAlgo hash_type; +}; +typedef struct S390IPLCertificate S390IPLCertificate; + +struct S390IPLCertificateStore { + uint16_t count; + size_t max_cert_size; + size_t total_bytes; + S390IPLCertificate certs[MAX_CERTIFICATES]; +} QEMU_PACKED; +typedef struct S390IPLCertificateStore S390IPLCertificateStore; + +void s390_ipl_create_cert_store(S390IPLCertificateStore *cert_store); + +#endif diff --git a/hw/s390x/ipl.c b/hw/s390x/ipl.c index 2f082396c7..186be923d7 100644 --- a/hw/s390x/ipl.c +++ b/hw/s390x/ipl.c @@ -35,6 +35,7 @@ #include "qemu/option.h" #include "qemu/ctype.h" #include "standard-headers/linux/virtio_ids.h" +#include "cert-store.h" #define KERN_IMAGE_START 0x010000UL #define LINUX_MAGIC_ADDR 0x010008UL @@ -422,6 +423,13 @@ void s390_ipl_convert_loadparm(char *ascii_lp, uint8_t *ebcdic_lp) } } +S390IPLCertificateStore *s390_ipl_get_certificate_store(void) +{ + S390IPLState *ipl = get_ipl_device(); + + return &ipl->cert_store; +} + static bool s390_build_iplb(DeviceState *dev_st, IplParameterBlock *iplb) { CcwDevice *ccw_dev = NULL; @@ -717,6 +725,7 @@ void s390_ipl_prepare_cpu(S390CPU *cpu) if (!ipl->kernel || ipl->iplb_valid) { cpu->env.psw.addr = ipl->bios_start_addr; + s390_ipl_create_cert_store(&ipl->cert_store); if (!ipl->iplb_valid) { ipl->iplb_valid = s390_init_all_iplbs(ipl); } else { diff --git a/hw/s390x/ipl.h b/hw/s390x/ipl.h index 8f83c7da29..bee72dfbb3 100644 --- a/hw/s390x/ipl.h +++ b/hw/s390x/ipl.h @@ -13,6 +13,7 @@ #ifndef HW_S390_IPL_H #define HW_S390_IPL_H +#include "cert-store.h" #include "cpu.h" #include "exec/target_page.h" #include "system/address-spaces.h" @@ -35,6 +36,7 @@ int s390_ipl_pv_unpack(struct S390PVResponse *pv_resp); void s390_ipl_prepare_cpu(S390CPU *cpu); IplParameterBlock *s390_ipl_get_iplb(void); IplParameterBlock *s390_ipl_get_iplb_pv(void); +S390IPLCertificateStore *s390_ipl_get_certificate_store(void); enum s390_reset { /* default is a reset not triggered by a CPU e.g. issued by QMP */ @@ -64,6 +66,7 @@ struct S390IPLState { IplParameterBlock iplb; IplParameterBlock iplb_pv; QemuIplParameters qipl; + S390IPLCertificateStore cert_store; uint64_t start_addr; uint64_t compat_start_addr; uint64_t bios_start_addr; diff --git a/hw/s390x/meson.build b/hw/s390x/meson.build index 11e4e78b85..5b02f47155 100644 --- a/hw/s390x/meson.build +++ b/hw/s390x/meson.build @@ -17,6 +17,7 @@ s390x_ss.add(files( 'sclpcpu.c', 'sclpquiesce.c', 'tod.c', + 'cert-store.c', )) s390x_ss.add(when: 'CONFIG_KVM', if_true: files( 'tod-kvm.c', diff --git a/include/hw/s390x/ipl/qipl.h b/include/hw/s390x/ipl/qipl.h index 6824391111..2232b88049 100644 --- a/include/hw/s390x/ipl/qipl.h +++ b/include/hw/s390x/ipl/qipl.h @@ -20,6 +20,9 @@ #define LOADPARM_LEN 8 #define NO_LOADPARM "\0\0\0\0\0\0\0\0" +#define MAX_CERTIFICATES 64 +#define CERT_MAX_SIZE (1024 * 8) + /* * The QEMU IPL Parameters will be stored at absolute address * 204 (0xcc) which means it is 32-bit word aligned but not -- 2.49.0
