On 18/09/2025 01.21, Zhuoying Cai wrote:
From: Collin Walling <[email protected]>
In order to support secure IPL (aka secure boot) for the s390-ccw BIOS,
a new s390 DIAGNOSE instruction is introduced to leverage QEMU for
handling operations such as signature verification and certificate
retrieval.
Currently, only subcode 0 is supported with this patch, which is used to
query a bitmap of which subcodes are supported.
Signed-off-by: Collin Walling <[email protected]>
---
docs/specs/s390x-secure-ipl.rst | 18 ++++++++++++++++++
include/hw/s390x/ipl/diag508.h | 15 +++++++++++++++
target/s390x/diag.c | 27 +++++++++++++++++++++++++++
target/s390x/kvm/kvm.c | 14 ++++++++++++++
target/s390x/s390x-internal.h | 2 ++
target/s390x/tcg/misc_helper.c | 7 +++++++
6 files changed, 83 insertions(+)
create mode 100644 include/hw/s390x/ipl/diag508.h
diff --git a/docs/specs/s390x-secure-ipl.rst b/docs/specs/s390x-secure-ipl.rst
index e28f0b40d7..0919425e9a 100644
--- a/docs/specs/s390x-secure-ipl.rst
+++ b/docs/specs/s390x-secure-ipl.rst
@@ -48,3 +48,21 @@ Subcode 2 - store verification certificates
storage specified in the VCB input length field.
VCE contains various information of a VC from the CS.
+
+
+Secure IPL Data Structures, Facilities, and Functions
+=====================================================
+
+DIAGNOSE function code 'X'508' - KVM IPL extensions
+---------------------------------------------------
+
+DIAGNOSE 'X'508' is reserved for KVM guest use in order to facilitate
+communication of additional IPL operations that cannot be handled by userspace,
+such as signature verification for secure IPL.
+
+If the function code specifies 0x508, KVM IPL extension functions are
performed.
+These functions are meant to provide extended functionality for s390 guest boot
+that requires assistance from QEMU.
+
+Subcode 0 - query installed subcodes
+ Returns a 64-bit mask indicating which subcodes are supported.
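Review bot: In the paragraph under "DIAGNOSE function code 'X'508'", the phrase "operations that cannot be handled by userspace" conflicts with the following paragraph, which says these functions require "assistance from QEMU", and with the commit message, which has QEMU handling signature verification and certificate retrieval. QEMU is the userspace component here, so the sentence reads as if it means operations the guest (the s390-ccw BIOS) cannot perform itself; suggest rewording it that way. The "Subcode 0" entry would also benefit from stating where the 64-bit mask is returned and how bit positions map to subcode numbers, since the guest uses it to decide which subcodes it may call. Minor: the quoting in 'X'508' is unbalanced in both the heading and the first sentence.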
Technically, this works also without KVM, right? In that case, I'd maybe
avoid the term "KVM" here, and just talk about "IPL extensions" and "guest",
to avoid the confusion about whether this feature can be used with TCG, too,
or not.
Thomas