On 4/11/25 9:28 AM, Thomas Huth wrote:
> On 08/04/2025 17.55, Zhuoying Cai wrote:
>> DIAG 320 is supported when the certificate-store (CS) facility
>> is installed.
>>
>> Availability of CS facility is determined by byte 134 bit 5 of the
>> SCLP Read Info block.
>>
>> Signed-off-by: Zhuoying Cai <zy...@linux.ibm.com>
>> ---
> ...
>> diff --git a/target/s390x/cpu_features.c b/target/s390x/cpu_features.c
>> index 4b5be6798e..99089ab3f5 100644
>> --- a/target/s390x/cpu_features.c
>> +++ b/target/s390x/cpu_features.c
>> @@ -147,6 +147,7 @@ void s390_fill_feat_block(const S390FeatBitmap features,
>> S390FeatType type,
>> break;
>> case S390_FEAT_TYPE_SCLP_FAC134:
>> clear_be_bit(s390_feat_def(S390_FEAT_DIAG_318)->bit, data);
>> + clear_be_bit(s390_feat_def(S390_FEAT_DIAG_320)->bit, data);
>> break;
>> default:
>> return;
>> diff --git a/target/s390x/cpu_features_def.h.inc
>> b/target/s390x/cpu_features_def.h.inc
>> index e23e603a79..65d38f546d 100644
>> --- a/target/s390x/cpu_features_def.h.inc
>> +++ b/target/s390x/cpu_features_def.h.inc
>> @@ -138,6 +138,7 @@ DEF_FEAT(SIE_IBS, "ibs", SCLP_CONF_CHAR_EXT, 10, "SIE:
>> Interlock-and-broadcast-s
>>
>> /* Features exposed via SCLP SCCB Facilities byte 134 (bit numbers
>> relative to byte-134) */
>> DEF_FEAT(DIAG_318, "diag318", SCLP_FAC134, 0, "Control program name and
>> version codes")
>> +DEF_FEAT(DIAG_320, "diag320", SCLP_FAC134, 5, "Provide Certificate Store
>> functions")
>>
>> /* Features exposed via SCLP CPU info. */
>> DEF_FEAT(SIE_F2, "sief2", SCLP_CPU, 4, "SIE: interception format 2
>> (Virtual SIE)")
>> diff --git a/target/s390x/cpu_models.c b/target/s390x/cpu_models.c
>> index 93a05e43d7..7d65c40bd1 100644
>> --- a/target/s390x/cpu_models.c
>> +++ b/target/s390x/cpu_models.c
>> @@ -248,6 +248,7 @@ bool s390_has_feat(S390Feat feat)
>> if (s390_is_pv()) {
>> switch (feat) {
>> case S390_FEAT_DIAG_318:
>> + case S390_FEAT_DIAG_320:
>
> So secure IPL is not available with secure execution? That's surprising.
> Could you add a comment to the patch description why this is the case?
>
Secure IPL is not available for Secure Execution (SE) guests, as their
images are already integrity protected, and an additional protection of
the kernel by secure IPL is not necessary.
I'll provide more context in the patch description for the next iteration.
>> case S390_FEAT_HPMA2:
>> case S390_FEAT_SIE_F2:
>> case S390_FEAT_SIE_SKEY:
>> @@ -505,6 +506,7 @@ static void check_consistency(const S390CPUModel *model)
>> { S390_FEAT_PTFF_STOUE, S390_FEAT_MULTIPLE_EPOCH },
>> { S390_FEAT_AP_QUEUE_INTERRUPT_CONTROL, S390_FEAT_AP },
>> { S390_FEAT_DIAG_318, S390_FEAT_EXTENDED_LENGTH_SCCB },
>> + { S390_FEAT_DIAG_320, S390_FEAT_EXTENDED_LENGTH_SCCB },
>
> Please also add a comment to the patch description why this feature needs
> S390_FEAT_EXTENDED_LENGTH_SCCB.
>
>> { S390_FEAT_NNPA, S390_FEAT_VECTOR },
>> { S390_FEAT_RDP, S390_FEAT_LOCAL_TLB_CLEARING },
>> { S390_FEAT_UV_FEAT_AP, S390_FEAT_AP },
>> diff --git a/target/s390x/gen-features.c b/target/s390x/gen-features.c
>> index 41840677ce..52c649adcd 100644
>> --- a/target/s390x/gen-features.c
>> +++ b/target/s390x/gen-features.c
>> @@ -696,6 +696,7 @@ static uint16_t full_GEN14_GA1[] = {
>> S390_FEAT_HPMA2,
>> S390_FEAT_SIE_KSS,
>> S390_FEAT_GROUP_MULTIPLE_EPOCH_PTFF,
>> + S390_FEAT_DIAG_320,
>
> Is it available with the z14 already?
> https://www.ibm.com/docs/en/linux-on-systems?topic=linux-secure-boot seems
> to indicate a z15 instead??
>
>> };
>>
>> #define full_GEN14_GA2 EmptyFeat
>> diff --git a/target/s390x/kvm/kvm.c b/target/s390x/kvm/kvm.c
>> index 4d56e653dd..d07ca879a3 100644
>> --- a/target/s390x/kvm/kvm.c
>> +++ b/target/s390x/kvm/kvm.c
>> @@ -2487,6 +2487,8 @@ bool kvm_s390_get_host_cpu_model(S390CPUModel *model,
>> Error **errp)
>> set_bit(S390_FEAT_DIAG_318, model->features);
>> }
>>
>> + set_bit(S390_FEAT_DIAG_320, model->features);
>> +
>> /* Test for Ultravisor features that influence secure guest behavior */
>> query_uv_feat_guest(model->features);
>
> Thomas
>
