On 9/17/2025 4:21 PM, Zhuoying Cai wrote:
Add IPIB flags to IPL Parameter Block to determine if IPL needs to
perform securely and if IPL Information Report Block (IIRB) exists.
Move DIAG308 flags to a separated header file and add flags for secure IPL.
Secure boot in audit mode will perform if certificate(s) exist in the
key store. IIRB will exist and results of verification will be stored in
IIRB.
To ensure proper alignment of the IIRB and prevent overlap, set
iplb->len to the maximum length of the IPLB, allowing alignment
constraints to be determined based on its size.
Signed-off-by: Zhuoying Cai <[email protected]>
---
hw/s390x/ipl.c | 17 +++++++++++++++++
hw/s390x/ipl.h | 18 +-----------------
include/hw/s390x/ipl/diag308.h | 34 ++++++++++++++++++++++++++++++++++
include/hw/s390x/ipl/qipl.h | 5 ++++-
4 files changed, 56 insertions(+), 18 deletions(-)
create mode 100644 include/hw/s390x/ipl/diag308.h
diff --git a/hw/s390x/ipl.c b/hw/s390x/ipl.c
index 917166ba31..c1360905c4 100644
--- a/hw/s390x/ipl.c
+++ b/hw/s390x/ipl.c
@@ -494,6 +494,23 @@ static bool s390_build_iplb(DeviceState *dev_st,
IplParameterBlock *iplb)
s390_ipl_convert_loadparm((char *)lp, iplb->loadparm);
iplb->flags |= DIAG308_FLAGS_LP_VALID;
+ /*
+ * Secure boot in audit mode will perform
+ * if certificate(s) exist in the key store.
+ *
+ * IPL Information Report Block (IIRB) will exist
+ * for secure boot in audit mode.
+ *
+ * Results of secure boot will be stored in IIRB.
+ */
+ if (s390_has_certificate()) {
+ iplb->hdr_flags |= DIAG308_IPIB_FLAGS_IPLIR;
+ }
+
+ if (iplb->hdr_flags & DIAG308_IPIB_FLAGS_IPLIR) {
+ iplb->len = cpu_to_be32(S390_IPLB_MAX_LEN);
+ }
+
Can we move the setting of iplb->len to if block that checks for
certificates? I am not if we really need the if block as we only set the
hdr_flags to DIAG308_IPIB_FLAGS_IPLIR only when we have certificates?
Thanks Farhan
