Hi,

I have been working on support for Secure IPL on s390x in QEMU, which
includes signature verification and other security checks to ensure
system integrity. For more context, here is the latest patch series:
https://lists.gnu.org/archive/html/qemu-s390x/2025-09/msg00136.html

Since Secure IPL on s390x is supported in QEMU, I would like to begin
drafting the corresponding Libvirt interface and seek feedback before
proceeding with the implementation.

New parameters have been added to the s390-ccw-virtio machine type to
enable Secure IPL and provide certificates for signature verification.

This parameter enables or disables Secure IPL/boot. If not specified,
it defaults to off.
(https://lists.gnu.org/archive/html/qemu-s390x/2025-09/msg00150.html)

        qemu-system-s390x -machine s390-ccw-virtio,secure-boot=on|off

This parameter specifies one or more paths to boot certificates, used
for signature verification. You can provide a single certificate file
or a directory.
(https://lists.gnu.org/archive/html/qemu-s390x/2025-09/msg00138.html)

        qemu-system-s390x -machine s390-ccw-virtio, \
                                   boot-certs.0.path=/.../qemu/certs, \
                                   boot-certs.1.path=/another/path/cert.pem

While Libvirt already provides a secure boot interface
(https://libvirt.org/kbase/secureboot.html), it appears to be primarily
intended for x86 systems, where secure boot is configured using the
<firmware>, <loader>, and <nvram> tags.

        <os firmware='efi'>
            <firmware>
                <feature enabled='yes' name='enrolled-keys'/>
                <feature enabled='yes' name='secure-boot'/>
            </firmware>
            <loader secure='yes' type='pflash'>...</loader>
            <nvram template='...'>...</nvram>
        </os>

For s390x, some of these existing tags may be reused, but additional
elements will be needed.

Below is my initial proposal for the secure boot interface in Libvirt:

        <!-- New s390-ccw-bios firmware value -->
        <os firmware='s390-ccw-bios'>
            <type arch='s390x' machine='s390-ccw-virtio-9.2'>hvm</type>
            <firmware>
                <!-- To enable secure boot -->
                <feature enabled='yes' name='secure-boot'/>
            </firmware>
            <!-- To provide boot certificates for secure boot -->
            <boot-certs path='/path/to/cert.pem' />
            <boot-certs path='/path/to/cert-dir' />
            <boot dev='hd'/>
        </os>

Below is an example of the corresponding QEMU command line:

        qemu-system-s390x -machine s390-ccw-virtio, \
                                   secure-boot=on, \
                                   boot-certs.0.path=/path/to/cert.pem, \
                                   boot-certs.1.path=/path/to/cert-dir ...

I would greatly appreciate any suggestions or feedback on this
proposal, and I am open to refining the design to better align with
existing Libvirt structures.

Best regards,
Joy
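
The XML-to-command-line mapping proposed in the message above, as an added example (not part of the original message, and not libvirt or QEMU code). The `<os>` schema is the proposal's; the function names, the absolute-path requirement and the third certificate path are assumptions of this sketch. It also doubles commas in paths, since QEMU splits `-machine` properties on `,` and an unescaped comma in a path would be parsed as a further property.

```python
import xml.etree.ElementTree as ET

# Constructed input: the <os> element proposed above, plus one constructed
# certificate path containing a comma to exercise the escaping.
SAMPLE_OS_XML = """
<os firmware='s390-ccw-bios'>
  <type arch='s390x' machine='s390-ccw-virtio-9.2'>hvm</type>
  <firmware>
    <feature enabled='yes' name='secure-boot'/>
  </firmware>
  <boot-certs path='/path/to/cert.pem' />
  <boot-certs path='/path/to/cert-dir' />
  <boot-certs path='/srv/certs,v2/ca.pem' />
  <boot dev='hd'/>
</os>
"""


def escape_comma(value):
    # QEMU splits -machine properties on ','; a literal comma is written ',,'.
    return value.replace(",", ",,")


def machine_arg(os_xml):
    """Build the -machine value for the proposed <os> element."""
    os_el = ET.fromstring(os_xml)
    type_el = os_el.find("type")
    if type_el is None or not type_el.get("machine"):
        raise ValueError("<type machine='...'> is required")
    # Per the proposal, secure boot stays off unless the feature is enabled.
    secure = any(
        f.get("name") == "secure-boot" and f.get("enabled") == "yes"
        for f in os_el.findall("./firmware/feature")
    )
    props = [type_el.get("machine"), "secure-boot=" + ("on" if secure else "off")]
    for index, cert in enumerate(os_el.findall("boot-certs")):
        path = cert.get("path")
        # Assumption of this example: certificate paths must be absolute.
        if not path or not path.startswith("/"):
            raise ValueError(f"boot-certs #{index}: absolute path required")
        props.append(f"boot-certs.{index}.path={escape_comma(path)}")
    return ",".join(props)


if __name__ == "__main__":
    print("qemu-system-s390x -machine " + machine_arg(SAMPLE_OS_XML))
```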
