From 6ea645b3453264a0f1a60955c4476dab54035f88 Mon Sep 17 00:00:00 2001
From: Stefan Haberland <sth@linux.ibm.com>
Date: Fri, 26 Apr 2019 15:16:28 +0200
Subject: [PATCH] zipl: add secure boot man page updates
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Add zipl and zipl.conf man page updates.

The zipl man page will look like:

       -S <SWITCH> or --secure <SWITCH>
               Control the zIPL secure boot support.  <SWITCH> can take one of three values:

                 auto (default)
                   Write signatures if available and supported by the system.
                 1
                   Signatures are written independent of support indicated by the local
                   system. Also missing signatures for stage 3 and kernel IPL files
                   will result in an error.
                 0
                   No signatures will be written.

The zipl.conf man page will look like:

       secure = auto/1/0 (configuration only)

              Configuration section:
              Control the zIPL secure boot support.  Set this option to one of the following:

                -  auto: Write signatures if available and supported by the system.

                -  1: Signatures are written independent of support indicated by the local system.
		   Also missing signatures for stage 3 and kernel IPL files will result in an error.

                -  0: No signatures will be written.

                   The default value for 'secure' is auto.

Signed-off-by: Stefan Haberland <sth@linux.ibm.com>
Acked-by: Peter Oberparleiter <oberpar@linux.ibm.com>
Signed-off-by: Jan Höppner <hoeppner@linux.ibm.com>
---
 zipl/man/zipl.8      | 15 +++++++++++++++
 zipl/man/zipl.conf.5 | 27 +++++++++++++++++++++++++++
 2 files changed, 42 insertions(+)

diff --git a/zipl/man/zipl.8 b/zipl/man/zipl.8
index 79e6fe872..a95b76a80 100644
--- a/zipl/man/zipl.8
+++ b/zipl/man/zipl.8
@@ -352,6 +352,21 @@ whether they contain a dump signature or not.
 This option can only be used together with
 .BR \-\-mvdump .
 
+.TP
+.BR "\-S <SWITCH>" " or " "\-\-secure <SWITCH>"
+Control the zIPL secure boot support.
+<SWITCH> can take one of three values:
+
+  auto (default)
+    Write signatures if available and supported by the system.
+  1
+    Signatures are written independent of support indicated by the local
+    system. Also missing signatures for stage 3 and kernel IPL files
+    will result in an error.
+  0
+    No signatures will be written.
+
+
 .SH EXAMPLE
 1. Scenario: prepare disk for booting a Linux kernel image using the
 following parameters:
diff --git a/zipl/man/zipl.conf.5 b/zipl/man/zipl.conf.5
index d4877d884..f947dd08b 100644
--- a/zipl/man/zipl.conf.5
+++ b/zipl/man/zipl.conf.5
@@ -82,6 +82,8 @@ below).
 .br
 defaultmenu = menu1
 .br
+secure = auto
+.br
 
 [linux]
 .br
@@ -517,6 +519,31 @@ An optional hexadecimal address may be provided to load the kernel to a
 non-default memory location.
 .PP
 
+.B secure
+=
+.IR auto / 1 / 0
+(configuration only)
+.IP
+.B Configuration section:
+.br
+Control the zIPL secure boot support.
+Set this option to one of the following:
+.IP "         - " 12
+.BR auto:
+Write signatures if available and supported by the system.
+.IP "         - " 12
+.BR 1:
+Signatures are written independent of support indicated by the local system. 
+Also missing signatures for stage 3 and kernel IPL files will result in an error.
+.IP "         - " 12
+.BR 0:
+No signatures will be written.
+
+The default value for
+.B 'secure'
+is auto.
+.PP
+
 .B segment
 =
 .IR segment\-file , address