Add -secure-boot as a parameter of s390-ccw-virtio machine type option. The `-secure-boot on|off` command line option is implemented to enable secure IPL.
By default, -secure-boot is set to false if not specified in the command line.
Signed-off-by: Zhuoying Cai <zy...@linux.ibm.com>
---
 hw/s390x/s390-virtio-ccw.c | 22 ++++++++++++++++++++++
 include/hw/s390x/s390-virtio-ccw.h | 1 +
 qemu-options.hx | 6 +++++-
 3 files changed, 28 insertions(+), 1 deletion(-)
diff --git a/hw/s390x/s390-virtio-ccw.c b/hw/s390x/s390-virtio-ccw.c
index f82f78255a..8486f19ece 100644
--- a/hw/s390x/s390-virtio-ccw.c
+++ b/hw/s390x/s390-virtio-ccw.c
@@ -840,6 +840,21 @@ static void machine_set_boot_certificates(Object *obj, const char *str,
 ms->boot_certificates = g_strdup(str);
 }
+static inline bool machine_get_secure_boot(Object *obj, Error **errp)
+{
+ S390CcwMachineState *ms = S390_CCW_MACHINE(obj);
+
+ return ms->secure_boot;
+}
+
+static inline void machine_set_secure_boot(Object *obj, bool value,
+ Error **errp)
+{
+ S390CcwMachineState *ms = S390_CCW_MACHINE(obj);
+
+ ms->secure_boot = value;
+}
+
 static void ccw_machine_class_init(ObjectClass *oc, const void *data)
 {
 MachineClass *mc = MACHINE_CLASS(oc);
@@ -900,6 +915,13 @@ static void ccw_machine_class_init(ObjectClass *oc, const void *data)
 machine_set_boot_certificates);
 object_class_property_set_description(oc, "boot-certificates",
 "provide path to a direcotry or a single certificate for secure boot");
+
+ object_class_property_add_bool(oc, "secure-boot",
+ machine_get_secure_boot,
+ machine_set_secure_boot);
+ object_class_property_set_description(oc, "secure-boot",
+ "enable/disable secure boot");
+
+
 }
 static inline void s390_machine_initfn(Object *obj)
diff --git a/include/hw/s390x/s390-virtio-ccw.h b/include/hw/s390x/s390-virtio-ccw.h
index ed25939243..f4f5df010e 100644
--- a/include/hw/s390x/s390-virtio-ccw.h
+++ b/include/hw/s390x/s390-virtio-ccw.h
@@ -32,6 +32,7 @@ struct S390CcwMachineState {
 uint64_t memory_limit;
 uint64_t max_pagesize;
 char *boot_certificates;
+ bool secure_boot;
 SCLPDevice *sclp;
 };
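Review bot: `machine_set_secure_boot()` stores the value unconditionally and never touches `errp`, so nothing in this hunk rejects `secure-boot=on` while `ms->boot_certificates` is unset, nor (if the property stays writable through QOM at run time, which is not visible here) a change made after the guest has already been IPLed. If that validation lives in the IPL path elsewhere in the series, record it above the setter, e.g. `/* Checked at IPL time: secure-boot=on without usable boot-certificates must fail the boot, never fall back to an unverified one. */`; otherwise the setter or machine init should report the misconfiguration through `errp`. Both accessors are only used as function pointers handed to `object_class_property_add_bool()`, so `inline` has no effect; plain `static bool` / `static void` would match `machine_set_boot_certificates()` above.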
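Review bot: The description string `"enable/disable secure boot"` in the second hunk of `ccw_machine_class_init()` tells a user neither the default nor that the option depends on `boot-certificates`, which matters for a switch people will treat as a security control. Something like `"enable/disable secure IPL using the certificates given in boot-certificates (default: off)"` would be clearer, assuming that is the relationship the rest of the series implements. The hunk also adds an empty line directly before the closing `}` of the function, which should be dropped. The function body starts outside this hunk.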
diff --git a/qemu-options.hx b/qemu-options.hx
index e592f6a757..498320ad21 100644
--- a/qemu-options.hx
+++ b/qemu-options.hx
@@ -44,7 +44,8 @@ DEF("machine", HAS_ARG, QEMU_OPTION_machine, \
 " memory-backend='backend-id' specifies explicitly provided backend for main RAM (default=none)\n"
 " cxl-fmw.0.targets.0=firsttarget,cxl-fmw.0.targets.1=secondtarget,cxl-fmw.0.size=size[,cxl-fmw.0.interleave-granularity=granularity]\n"
 " smp-cache.0.cache=cachename,smp-cache.0.topology=topologylevel\n"
- " boot-certificates='/path/directory:/path/file' provide a path to a directory or a boot certificate\n",
+ " boot-certificates='/path/directory:/path/file' provide a path to a directory or a boot certificate\n"
+ " secure-boot=on|off enable/disable secure boot (default=off) \n",
 QEMU_ARCH_ALL)
 SRST
 ``-machine [type=]name[,prop=value[,...]]``
@@ -205,6 +206,9 @@ SRST
 ``boot-certificates='/path/directory:/path/file'``
 Provide a path to a directory or a boot certificate on s390-ccw host. A colon may be used to delineate multiple paths.
+
+ ``secure-boot=on|off``
+ Enables or disables secure boot on s390-ccw guest. The default is off.
 ERST
 DEF("M", HAS_ARG, QEMU_OPTION_M,
--
2.49.0
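Review bot: The new `-machine` help line in the first hunk sits under `QEMU_ARCH_ALL` without saying the property only exists on s390-ccw-virtio, whereas the SRST entry in the second hunk does say "s390-ccw guest"; the help string should carry the same qualifier, e.g. `secure-boot=on|off enable/disable secure boot on s390-ccw guests (default=off)`. It also has a stray space before `\n`. The SRST text should state what happens when `secure-boot=on` is given without `boot-certificates`, or when verification of the boot image fails, because users will rely on this option as a security boundary; that behaviour is not shown on this page and has to come from the author. The commit message spells the option `-secure-boot on|off`, but what these hunks document is the machine property `-machine ...,secure-boot=on|off`, so the message should use the same form.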