On 4/16/25 6:11 PM, Collin Walling wrote:
On 4/8/25 11:55 AM, Zhuoying Cai wrote:
If secure boot in audit mode or True Secure IPL mode is enabled without
specifying a boot device, the boot process will terminate with an error.
Signed-off-by: Zhuoying Cai <zy...@linux.ibm.com>
---
hw/s390x/ipl.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/hw/s390x/ipl.c b/hw/s390x/ipl.c
index 60bafcbd2e..0510f16a7d 100644
--- a/hw/s390x/ipl.c
+++ b/hw/s390x/ipl.c
@@ -767,6 +767,16 @@ void s390_ipl_prepare_cpu(S390CPU *cpu)
s390_ipl_create_cert_store(&ipl->cert_store);
if (!ipl->iplb_valid) {
ipl->iplb_valid = s390_init_all_iplbs(ipl);
+
+ /*
+ * Secure IPL without specifying a boot device.
+ * IPLB is not generated if no boot device is defined.
+ */
+ if ((s390_has_certificate() || s390_secure_boot_enabled()) &&
+ !ipl->iplb_valid) {
+ error_report("No boot devicie defined for Secure IPL");
+ exit(1);
+ }
I'm confused why this check is needed. If there is no valid iplb, won't
boot just fail outright anyway?
No. If there is no IPLB (e.g. no device has been assigned a boot
index), we have a rudimentary probing routine that will examine if a
device is potentially bootable, and, if so, try to boot from it.
This check is basically stating that boot device probing is not
supported when using secure IPL, so at least one device must be defined
with a boot index.
} else {
ipl->qipl.chain_len = 0;
}
