On 12/02/2026 21.43, Zhuoying Cai wrote:
When secure boot is enabled (-secure-boot on) and certificate(s) are
provided, the boot operates in True Secure IPL mode.

Any verification error during True Secure IPL mode will cause the
entire boot process to terminate.

Secure IPL in audit mode requires at least one certificate provided in
the key store along with necessary facilities. If secure boot is enabled
but no certificate is provided, the boot process will also terminate, as
this is not a valid secure boot configuration.

Note: True Secure IPL mode is implemented for the SCSI scheme of
virtio-blk/virtio-scsi devices.

Signed-off-by: Zhuoying Cai <[email protected]>
---
...
diff --git a/pc-bios/s390-ccw/bootmap.c b/pc-bios/s390-ccw/bootmap.c
index 43a661325f..699ef981e2 100644
--- a/pc-bios/s390-ccw/bootmap.c
+++ b/pc-bios/s390-ccw/bootmap.c
@@ -738,12 +738,16 @@ static int zipl_run(ScsiBlockPtr *pte)
      entry = (ComponentEntry *)(&header[1]);
switch (boot_mode) {
+    case ZIPL_BOOT_MODE_SECURE:
      case ZIPL_BOOT_MODE_SECURE_AUDIT:
          rc = zipl_run_secure(&entry, tmp_sec);
          break;
      case ZIPL_BOOT_MODE_NORMAL:
          rc = zipl_run_normal(&entry, tmp_sec);
          break;
+    case ZIPL_BOOT_MODE_INVALID:
+        rc = -1;
+        break;

boot_mode can never be set to ZIPL_BOOT_MODE_INVALID (see below), so I suggest to drop this "case" again (and let the default case catch it in case this ever changes - at least that one prints a message).

      default:
          puts("Unknown boot mode");
          rc = -1;
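
Review bot: The new ZIPL_BOOT_MODE_SECURE label at the top of the switch needs a comment saying where the fail-on-error behaviour is enforced, because it shares its body with ZIPL_BOOT_MODE_SECURE_AUDIT and both end up in the same zipl_run_secure(&entry, tmp_sec) call. Nothing in zipl_run() itself distinguishes enforcing mode from audit mode, so the termination on any verification error that the commit message promises has to happen inside zipl_run_secure() or below it. A one-line comment on the fall-through naming that place would make it harder for a later change to turn enforcing mode into audit behaviour without anyone noticing.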
...
diff --git a/pc-bios/s390-ccw/main.c b/pc-bios/s390-ccw/main.c
index 106cdf9dec..1678ede8fb 100644
--- a/pc-bios/s390-ccw/main.c
+++ b/pc-bios/s390-ccw/main.c
@@ -329,6 +329,9 @@ void main(void)
      }
boot_mode = get_boot_mode(iplb->hdr_flags);
+    if (boot_mode == ZIPL_BOOT_MODE_INVALID) {
+        panic("Need at least one certificate for secure boot!");
+    }
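
Review bot: After the new ZIPL_BOOT_MODE_INVALID check in main(), ZIPL_BOOT_MODE_SECURE is accepted for whatever boot device follows, while the commit message says True Secure IPL is only implemented for the SCSI scheme of virtio-blk/virtio-scsi. Nothing in the visible lines shows what happens when boot_mode is ZIPL_BOOT_MODE_SECURE and the device takes a different boot path. Please confirm that those paths stop the boot instead of loading unverified code, and state that behaviour in the commit message or in a comment next to this check.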

Here you make sure that boot_mode can never be set to INVALID afterwards.

 Thomas

