The secure-IPL-code-loading-attributes facility (SCLAF)
provides additional security during IPL.
Availability of SCLAF is determined by byte 136 bit 3 of the
SCLP Read Info block.
Signed-off-by: Zhuoying Cai <zy...@linux.ibm.com>
Reviewed-by: Collin Walling <wall...@linux.ibm.com>
---
docs/specs/s390x-secure-ipl.rst | 25 +++++++++++++++++++++++++
target/s390x/cpu_features.c | 2 ++
target/s390x/cpu_features_def.h.inc | 1 +
target/s390x/cpu_models.c | 3 +++
target/s390x/gen-features.c | 2 ++
target/s390x/kvm/kvm.c | 1 +
6 files changed, 34 insertions(+)
diff --git a/docs/specs/s390x-secure-ipl.rst b/docs/specs/s390x-secure-ipl.rst
index 4bc330c399..72ab901014 100644
--- a/docs/specs/s390x-secure-ipl.rst
+++ b/docs/specs/s390x-secure-ipl.rst
@@ -83,3 +83,28 @@ operations such as:
* certificate data
The guest kernel will inspect the IIRB and build the keyring.
+
+
+Secure Code Loading Attributes Facility
+---------------------------------
+
+The Secure Code Loading Attributes Facility (SCLAF) enhances system security
during the
+IPL by enforcing additional verification rules.
+
+When SCLAF is available, its behavior depends on the IPL mode. It introduces
verification
+of both signed and unsigned components to help ensure that only authorized
code is loaded
+during the IPL process. Any errors detected by SCLAF are reported in the IIRB.
+
+Unsigned components are restricted to load addresses at or above absolute
storage address
+``0x2000``.
+
+Signed components must include a Secure Code Loading Attribute Block (SCLAB),
which is
+appended at the very end of the component. The SCLAB defines security
attributes for
+handling the signed code. Specifically, it may:
+
+* Provide direction on how to process the rest of the component.
+
+* Provide further validation of information on where to load the signed binary
code
+ from the load device.
+
+* Specify where to start the execution of the loaded OS code.
diff --git a/target/s390x/cpu_features.c b/target/s390x/cpu_features.c
index 200bd8c15b..29ea3bfec2 100644
--- a/target/s390x/cpu_features.c
+++ b/target/s390x/cpu_features.c
@@ -120,6 +120,7 @@ void s390_fill_feat_block(const S390FeatBitmap features,
S390FeatType type,
* - All SIE facilities because SIE is not available
* - DIAG318
* - Secure IPL Facility
+ * - Secure IPL Code Loading Attributes Facility
*
* As VMs can move in and out of protected mode the CPU model
* doesn't protect us from that problem because it is only
@@ -152,6 +153,7 @@ void s390_fill_feat_block(const S390FeatBitmap features,
S390FeatType type,
break;
case S390_FEAT_TYPE_SCLP_FAC_IPL:
clear_be_bit(s390_feat_def(S390_FEAT_SIPL)->bit, data);
+ clear_be_bit(s390_feat_def(S390_FEAT_SCLAF)->bit, data);
break;
default:
return;
diff --git a/target/s390x/cpu_features_def.h.inc
b/target/s390x/cpu_features_def.h.inc
index 55eef618b8..ecfca0faef 100644
--- a/target/s390x/cpu_features_def.h.inc
+++ b/target/s390x/cpu_features_def.h.inc
@@ -142,6 +142,7 @@ DEF_FEAT(CERT_STORE, "cstore", SCLP_FAC134, 5, "Provide
Certificate Store functi
/* Features exposed via SCLP SCCB Facilities byte 136 - 137 (bit numbers
relative to byte-136) */
DEF_FEAT(SIPL, "sipl", SCLP_FAC_IPL, 1, "Secure-IPL facility")
+DEF_FEAT(SCLAF, "sclaf", SCLP_FAC_IPL, 3, "Secure-IPL-code-loading-attributes
facility")
/* Features exposed via SCLP CPU info. */
DEF_FEAT(SIE_F2, "sief2", SCLP_CPU, 4, "SIE: interception format 2 (Virtual
SIE)")
diff --git a/target/s390x/cpu_models.c b/target/s390x/cpu_models.c
index f99536ef9a..7d214b5f72 100644
--- a/target/s390x/cpu_models.c
+++ b/target/s390x/cpu_models.c
@@ -264,6 +264,7 @@ bool s390_has_feat(S390Feat feat)
case S390_FEAT_SIE_PFMFI:
case S390_FEAT_SIE_IBS:
case S390_FEAT_SIPL:
+ case S390_FEAT_SCLAF:
case S390_FEAT_CONFIGURATION_TOPOLOGY:
return false;
break;
@@ -509,6 +510,8 @@ static void check_consistency(const S390CPUModel *model)
{ S390_FEAT_DIAG_318, S390_FEAT_EXTENDED_LENGTH_SCCB },
{ S390_FEAT_CERT_STORE, S390_FEAT_EXTENDED_LENGTH_SCCB },
{ S390_FEAT_SIPL, S390_FEAT_EXTENDED_LENGTH_SCCB },
+ { S390_FEAT_SCLAF, S390_FEAT_EXTENDED_LENGTH_SCCB },
+ { S390_FEAT_SCLAF, S390_FEAT_SIPL },
{ S390_FEAT_NNPA, S390_FEAT_VECTOR },
{ S390_FEAT_RDP, S390_FEAT_LOCAL_TLB_CLEARING },
{ S390_FEAT_UV_FEAT_AP, S390_FEAT_AP },
diff --git a/target/s390x/gen-features.c b/target/s390x/gen-features.c
index bd2060ab93..c3e0c6ceff 100644
--- a/target/s390x/gen-features.c
+++ b/target/s390x/gen-features.c
@@ -722,6 +722,7 @@ static uint16_t full_GEN16_GA1[] = {
S390_FEAT_UV_FEAT_AP_INTR,
S390_FEAT_CERT_STORE,
S390_FEAT_SIPL,
+ S390_FEAT_SCLAF,
};
static uint16_t full_GEN17_GA1[] = {
@@ -924,6 +925,7 @@ static uint16_t qemu_MAX[] = {
S390_FEAT_EXTENDED_LENGTH_SCCB,
S390_FEAT_CERT_STORE,
S390_FEAT_SIPL,
+ S390_FEAT_SCLAF,
};
/****** END FEATURE DEFS ******/
diff --git a/target/s390x/kvm/kvm.c b/target/s390x/kvm/kvm.c
index 31bd574dec..2ed11fab52 100644
--- a/target/s390x/kvm/kvm.c
+++ b/target/s390x/kvm/kvm.c
@@ -2522,6 +2522,7 @@ bool kvm_s390_get_host_cpu_model(S390CPUModel *model,
Error **errp)
/* Some Secure IPL facilities are emulated by QEMU */
set_bit(S390_FEAT_SIPL, model->features);
+ set_bit(S390_FEAT_SCLAF, model->features);
/* Test for Ultravisor features that influence secure guest behavior */
query_uv_feat_guest(model->features);
--
2.50.1
