From 58a98591242079832f14979943aa7da49b5376911a1faf4ca03dd43e6d5ee07e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Adrian=20Schr=C3=B6ter?=
Date: Wed, 12 Jun 2024 22:21:56 +0200
Subject: [PATCH] Sync from SUSE:SLFO:Main s390-tools revision fd067ff42f0d3083f252865b3a02dc64
---
 ...rt-Armonk-in-IBM-signing-key-subject.patch | 286 ++++++++++++++++
 ...6-01-parse-ipl-device-for-activation.patch | 97 ++++++
 ...rt-Armonk-in-IBM-signing-key-subject.patch | 304 ++++++++++++++++++
 ...rt-Armonk-in-IBM-signing-key-subject.patch | 224 +++++++++++++
 ...5sp6-04-pvattest-Fix-root-ca-parsing.patch | 25 ++
 ...-tools-sles15sp6-genprotimg-makefile.patch | 92 ++++++
 s390-tools.changes | 57 ++++
 s390-tools.spec | 71 +++-
 8 files changed, 1141 insertions(+), 15 deletions(-)
 create mode 100644 s390-tools-sles15sp5-01-rust-pv-support-Armonk-in-IBM-signing-key-subject.patch
 create mode 100644 s390-tools-sles15sp6-01-parse-ipl-device-for-activation.patch
 create mode 100644 s390-tools-sles15sp6-02-genprotimg-support-Armonk-in-IBM-signing-key-subject.patch
 create mode 100644 s390-tools-sles15sp6-03-libpv-support-Armonk-in-IBM-signing-key-subject.patch
 create mode 100644 s390-tools-sles15sp6-04-pvattest-Fix-root-ca-parsing.patch
 create mode 100644 s390-tools-sles15sp6-genprotimg-makefile.patch
diff --git a/s390-tools-sles15sp5-01-rust-pv-support-Armonk-in-IBM-signing-key-subject.patch b/s390-tools-sles15sp5-01-rust-pv-support-Armonk-in-IBM-signing-key-subject.patch
new file mode 100644
index 0000000..e4704df
--- /dev/null
+++ b/s390-tools-sles15sp5-01-rust-pv-support-Armonk-in-IBM-signing-key-subject.patch
@@ -0,0 +1,286 @@ +Index: s390-tools-service/rust/pv/src/verify.rs +=================================================================== +--- s390-tools-service.orig/rust/pv/src/verify.rs ++++ s390-tools-service/rust/pv/src/verify.rs +@@ -3,10 +3,11 @@ + // Copyright IBM Corp. 2023 + + use core::slice; +-use log::debug; ++use log::{debug, trace}; ++use openssl::error::ErrorStack; + use openssl::stack::Stack; + use openssl::x509::store::X509Store; +-use openssl::x509::{CrlStatus, X509Ref, X509StoreContext, X509}; ++use openssl::x509::{CrlStatus, X509NameRef, X509Ref, X509StoreContext, X509StoreContextRef, X509}; + use openssl_extensions::crl::StackableX509Crl; + use openssl_extensions::crl::X509StoreContextExtension; + +@@ -82,8 +83,8 @@ impl HkdVerifier for CertVerifier { + if verified_crls.is_empty() { + bail_hkd_verify!(NoCrl); + } +- for crl in &verified_crls { +- match crl.get_by_cert(&hkd.to_owned()) { ++ for crl in verified_crls { ++ match crl.get_by_serial(hkd.serial_number()) { + CrlStatus::NotRevoked => (), + _ => bail_hkd_verify!(HdkRevoked), + } +@@ -94,21 +95,54 @@ impl HkdVerifier for CertVerifier { + } + + impl CertVerifier { ++ fn quirk_crls( ++ ctx: &mut X509StoreContextRef, ++ subject: &X509NameRef, ++ ) -> Result, ErrorStack> { ++ match ctx.crls(subject) { ++ Ok(ret) if !ret.is_empty() => return Ok(ret), ++ _ => (), ++ } ++ ++ // Armonk/Poughkeepsie fixup ++ trace!("quirk_crls: Try Locality"); ++ if let Some(locality_subject) = helper::armonk_locality_fixup(subject) { ++ match ctx.crls(&locality_subject) { ++ Ok(ret) if !ret.is_empty() => return Ok(ret), ++ _ => (), ++ } ++ ++ // reorder ++ trace!("quirk_crls: Try Locality+Reorder"); ++ if let Ok(locality_ordered_subject) = helper::reorder_x509_names(&locality_subject) { ++ match ctx.crls(&locality_ordered_subject) { ++ Ok(ret) if !ret.is_empty() => return Ok(ret), ++ _ => (), ++ } ++ } ++ } ++ ++ // reorder unchanged loaciliy subject ++ trace!("quirk_crls: Try Reorder"); ++ if let 
Ok(ordered_subject) = helper::reorder_x509_names(subject) { ++ match ctx.crls(&ordered_subject) { ++ Ok(ret) if !ret.is_empty() => return Ok(ret), ++ _ => (), ++ } ++ } ++ // nothing found, return empty stack ++ Stack::new() ++ } ++ + ///Download the CLRs that a HKD refers to. + pub fn hkd_crls(&self, hkd: &X509Ref) -> Result> { + let mut ctx = X509StoreContext::new()?; + // Unfortunately we cannot use a dedicated function here and have to use a closure (E0434) + // Otherwise, we cannot refer to self ++ // Search for local CRLs + let mut crls = ctx.init_opt(&self.store, None, None, |ctx| { + let subject = self.ibm_z_sign_key.subject_name(); +- match ctx.crls(subject) { +- Ok(crls) => Ok(crls), +- _ => { +- // reorder the name and try again +- let broken_subj = helper::reorder_x509_names(subject)?; +- ctx.crls(&broken_subj).or_else(helper::stack_err_hlp) +- } +- } ++ Self::quirk_crls(ctx, subject) + })?; + + if !self.offline { +Index: s390-tools-service/rust/pv/src/verify/helper.rs +=================================================================== +--- s390-tools-service.orig/rust/pv/src/verify/helper.rs ++++ s390-tools-service/rust/pv/src/verify/helper.rs +@@ -13,7 +13,7 @@ use openssl::{ + error::ErrorStack, + nid::Nid, + ssl::SslFiletype, +- stack::{Stack, Stackable}, ++ stack::Stack, + x509::{ + store::{File, X509Lookup, X509StoreBuilder, X509StoreBuilderRef, X509StoreRef}, + verify::{X509VerifyFlags, X509VerifyParam}, +@@ -25,6 +25,7 @@ use openssl_extensions::{ + akid::{AkidCheckResult, AkidExtension}, + crl::X509StoreExtension, + }; ++use std::str::from_utf8; + use std::{cmp::Ordering, ffi::c_int, time::Duration, usize}; + + /// Minimum security level for the keys/certificates used to establish a chain of +@@ -39,7 +40,6 @@ const SECURITY_CHAIN_MAX_LEN: c_int = 2; + /// verifies that the HKD + /// * has enough security bits + /// * is inside its validity period +-/// * issuer name is the subject name of the [`sign_key`] + /// * the Authority Key ID matches 
the Signing Key ID of the [`sign_key`] + pub fn verify_hkd_options(hkd: &X509Ref, sign_key: &X509Ref) -> Result<()> { + let hk_pkey = hkd.public_key()?; +@@ -53,9 +53,6 @@ pub fn verify_hkd_options(hkd: &X509Ref, + // verify that the hkd is still valid + check_validity_period(hkd.not_before(), hkd.not_after())?; + +- // check if hkd.issuer_name == issuer.subject +- check_x509_name_equal(sign_key.subject_name(), hkd.issuer_name())?; +- + // verify that the AKID of the hkd matches the SKID of the issuer + if let Some(akid) = hkd.akid() { + if akid.check(sign_key) != AkidCheckResult::OK { +@@ -75,9 +72,6 @@ pub fn verify_crl(crl: &X509CrlRef, issu + return None; + } + } +- +- check_x509_name_equal(crl.issuer_name(), issuer.subject_name()).ok()?; +- + match crl.verify(issuer.public_key().ok()?.as_ref()).ok()? { + true => Some(()), + false => None, +@@ -207,7 +201,8 @@ pub fn download_crls_into_store(store: & + //Asn1StringRef::as_slice aka ASN1_STRING_get0_data gives a string without \0 delimiter + const IBM_Z_COMMON_NAME: &[u8; 43usize] = b"International Business Machines Corporation"; + const IBM_Z_COUNTRY_NAME: &[u8; 2usize] = b"US"; +-const IBM_Z_LOCALITY_NAME: &[u8; 12usize] = b"Poughkeepsie"; ++const IBM_Z_LOCALITY_NAME_POUGHKEEPSIE: &[u8; 12usize] = b"Poughkeepsie"; ++const IBM_Z_LOCALITY_NAME_ARMONK: &[u8; 6usize] = b"Armonk"; + const IBM_Z_ORGANIZATIONAL_UNIT_NAME_SUFFIX: &str = "Key Signing Service"; + const IBM_Z_ORGANIZATION_NAME: &[u8; 43usize] = b"International Business Machines Corporation"; + const IBM_Z_STATE: &[u8; 8usize] = b"New York"; +@@ -226,7 +221,8 @@ fn is_ibm_signing_cert(cert: &X509) -> b + if subj.entries().count() != IMB_Z_ENTRY_COUNT + || !name_data_eq(subj, Nid::COUNTRYNAME, IBM_Z_COUNTRY_NAME) + || !name_data_eq(subj, Nid::STATEORPROVINCENAME, IBM_Z_STATE) +- || !name_data_eq(subj, Nid::LOCALITYNAME, IBM_Z_LOCALITY_NAME) ++ || !(name_data_eq(subj, Nid::LOCALITYNAME, IBM_Z_LOCALITY_NAME_POUGHKEEPSIE) ++ || name_data_eq(subj, 
Nid::LOCALITYNAME, IBM_Z_LOCALITY_NAME_ARMONK)) + || !name_data_eq(subj, Nid::ORGANIZATIONNAME, IBM_Z_ORGANIZATION_NAME) + || !name_data_eq(subj, Nid::COMMONNAME, IBM_Z_COMMON_NAME) + { +@@ -367,24 +363,6 @@ fn check_validity_period(not_before: &As + } + } + +-fn check_x509_name_equal(lhs: &X509NameRef, rhs: &X509NameRef) -> Result<()> { +- if lhs.entries().count() != rhs.entries().count() { +- bail_hkd_verify!(IssuerMismatch); +- } +- +- for l in lhs.entries() { +- // search for the matching value in the rhs names +- // found none? -> names are not equal +- if !rhs +- .entries() +- .any(|r| l.data().as_slice() == r.data().as_slice()) +- { +- bail_hkd_verify!(IssuerMismatch); +- } +- } +- Ok(()) +-} +- + const NIDS_CORRECT_ORDER: [Nid; 6] = [ + Nid::COUNTRYNAME, + Nid::ORGANIZATIONNAME, +@@ -407,13 +385,28 @@ pub fn reorder_x509_names(subject: &X509 + Ok(correct_subj.build()) + } + +-pub fn stack_err_hlp( +- e: ErrorStack, +-) -> std::result::Result, openssl::error::ErrorStack> { +- match e.errors().len() { +- 0 => Stack::::new(), +- _ => Err(e), ++/** ++* Workaround for potential locality mismatches between CRLs and Certs ++* # Return ++* fixed subject or none if locality was not Armonk or any OpenSSL error ++*/ ++pub fn armonk_locality_fixup(subject: &X509NameRef) -> Option { ++ if !name_data_eq(subject, Nid::LOCALITYNAME, IBM_Z_LOCALITY_NAME_ARMONK) { ++ return None; ++ } ++ ++ let mut ret = X509Name::builder().ok()?; ++ for entry in subject.entries() { ++ match entry.object().nid() { ++ nid @ Nid::LOCALITYNAME => ret ++ .append_entry_by_nid(nid, from_utf8(IBM_Z_LOCALITY_NAME_POUGHKEEPSIE).ok()?) 
++ .ok()?, ++ _ => { ++ ret.append_entry(entry).ok()?; ++ } ++ } + } ++ Some(ret.build()) + } + + #[cfg(test)] +@@ -451,20 +444,6 @@ mod test { + )); + } + +- #[test] +- fn x509_name_equal() { +- let sign_crt = load_gen_cert("ibm.crt"); +- let hkd = load_gen_cert("host.crt"); +- let other = load_gen_cert("inter_ca.crt"); +- +- assert!(super::check_x509_name_equal(sign_crt.subject_name(), hkd.issuer_name()).is_ok(),); +- +- assert!(matches!( +- super::check_x509_name_equal(other.subject_name(), hkd.subject_name()), +- Err(Error::HkdVerify(IssuerMismatch)) +- )); +- } +- + #[test] + fn is_ibm_z_sign_key() { + let ibm_crt = load_gen_cert("ibm.crt"); +Index: s390-tools-service/rust/pv/src/verify/test.rs +=================================================================== +--- s390-tools-service.orig/rust/pv/src/verify/test.rs ++++ s390-tools-service/rust/pv/src/verify/test.rs +@@ -84,7 +84,6 @@ fn verify_online() { + let inter_crt = get_cert_asset_path_string("inter_ca.crt"); + let ibm_crt = get_cert_asset_path_string("ibm.crt"); + let hkd_revoked = load_gen_cert("host_rev.crt"); +- let hkd_inv = load_gen_cert("host_invalid_signing_key.crt"); + let hkd_exp = load_gen_cert("host_crt_expired.crt"); + let hkd = load_gen_cert("host.crt"); + +@@ -112,11 +111,6 @@ fn verify_online() { + )); + + assert!(matches!( +- verifier.verify(&hkd_inv), +- Err(Error::HkdVerify(IssuerMismatch)) +- )); +- +- assert!(matches!( + verifier.verify(&hkd_exp), + Err(Error::HkdVerify(AfterValidity)) + )); +@@ -130,7 +124,6 @@ fn verify_offline() { + let ibm_crt = get_cert_asset_path_string("ibm.crt"); + let ibm_crl = get_cert_asset_path_string("ibm.crl"); + let hkd_revoked = load_gen_cert("host_rev.crt"); +- let hkd_inv = load_gen_cert("host_invalid_signing_key.crt"); + let hkd_exp = load_gen_cert("host_crt_expired.crt"); + let hkd = load_gen_cert("host.crt"); + +@@ -149,11 +142,6 @@ fn verify_offline() { + )); + + assert!(matches!( +- verifier.verify(&hkd_inv), +- 
Err(Error::HkdVerify(IssuerMismatch)) +- )); +- +- assert!(matches!( + verifier.verify(&hkd_exp), + Err(Error::HkdVerify(AfterValidity)) + )); diff --git a/s390-tools-sles15sp6-01-parse-ipl-device-for-activation.patch b/s390-tools-sles15sp6-01-parse-ipl-device-for-activation.patch new file mode 100644 index 0000000..b97575b --- /dev/null +++ b/s390-tools-sles15sp6-01-parse-ipl-device-for-activation.patch 
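Review bot: Dropping `check_x509_name_equal` from `verify_hkd_options` and `verify_crl` in helper.rs removes the only issuer-name binding between the HKD (or CRL) and the IBM signing key, and the remaining AKID check is skipped when the HKD carries no AKID (`if let Some(akid) = hkd.akid()`), so the binding now rests on the signature verification performed outside this hunk; that is sound only if `CertVerifier::verify` always checks the HKD signature against `ibm_z_sign_key`, and the doc comment on `verify_hkd_options` should say that the name comparison was dropped deliberately because IBM's CRLs and signing keys differ in locality and attribute order. The negative test for `host_invalid_signing_key.crt` is deleted from `verify_online` and `verify_offline` instead of being re-pointed at the error the signature check now produces, so the wrong-signer path loses its only coverage; keep the asset and assert the new error variant. `quirk_crls` maps every `ctx.crls` failure to an empty stack via `_ => ()`, so a genuine OpenSSL error surfaces as `NoCrl` with the `ErrorStack` discarded — consider `Err(e) => debug!("CRL lookup failed: {e}")` before falling through. The comment `// reorder unchanged loaciliy subject` should read `// reorder the unchanged locality subject`.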
@@ -0,0 +1,97 @@ +From 3ea6d6dfd2eb120ffee4c44ff51b7e9e7a9097a6 Mon Sep 17 00:00:00 2001 +From: Thomas Blume +Date: Thu, 28 Mar 2024 13:32:46 +0100 +Subject: [PATCH] parse ipl device for activation + +ported from dracut modules +--- + zdev/dracut/95zdev/parse-dasd.sh | 15 ++++++++--- + zdev/dracut/95zdev/parse-zfcp.sh | 46 +++++++++++++++++++------------- + 2 files changed, 39 insertions(+), 22 deletions(-) + +diff --git a/zdev/dracut/95zdev/parse-dasd.sh b/zdev/dracut/95zdev/parse-dasd.sh +index a97801f..eb2fa64 100644 +--- a/zdev/dracut/95zdev/parse-dasd.sh ++++ b/zdev/dracut/95zdev/parse-dasd.sh +@@ -27,9 +27,18 @@ zdev_vinfo() { + + zdev_parse_rd_dasd() { + local _zdev_dasd _zdev_dasd_list +- for _zdev_dasd in $(getargs rd.dasd -d 'rd_DASD='); do +- _zdev_dasd_list="${_zdev_dasd_list:+${_zdev_dasd_list},}$_zdev_dasd" +- done ++ # autodetect active bootdev from zipl device ++ if ! getargbool 0 'rd.dasd' \ ++ && [[ -f /sys/firmware/ipl/ipl_type ]] \ ++ && [[ $(< /sys/firmware/ipl/ipl_type) == "ccw" ]]; then ++ read -r _ccw < /sys/firmware/ipl/device ++ ++ chzdev --offline --existing --enable --active dasd "$_ccw" ++ else ++ for _zdev_dasd in $(getargs rd.dasd -d 'rd_DASD='); do ++ _zdev_dasd_list="${_zdev_dasd_list:+${_zdev_dasd_list},}$_zdev_dasd" ++ done ++ fi + echo "$_zdev_dasd_list" + } + +diff --git a/zdev/dracut/95zdev/parse-zfcp.sh b/zdev/dracut/95zdev/parse-zfcp.sh +index 715aa00..6279beb 100644 +--- a/zdev/dracut/95zdev/parse-zfcp.sh ++++ b/zdev/dracut/95zdev/parse-zfcp.sh +@@ -12,25 +12,33 @@ + + zdev_zfcp_base_args="--no-settle --yes --no-root-update --force" + +-for zdev_zfcp_arg in $(getargs rd.zfcp -d 'rd_ZFCP='); do +- ( +- IFS_SAVED="$IFS" +- IFS="," # did not work in front of built-in set command below +- # shellcheck disable=SC2086 +- set -- $zdev_zfcp_arg +- IFS=":" args="$*" +- IFS="$IFS_SAVED" +- echo "rd.zfcp ${zdev_zfcp_arg} :" | zdev_vinfo +- if [ "$#" -eq 1 ]; then ++# autodetect active bootdev from zipl device ++if ! 
getargbool 0 'rd.zfcp' \ ++ && [[ -f /sys/firmware/ipl/ipl_type ]] \ ++ && [[ $(< /sys/firmware/ipl/ipl_type) == "fcp" ]]; then ++ chzdev --offline --existing --enable --active zfcp-host 2>&1 | zdev_vinfo ++else ++ for zdev_zfcp_arg in $(getargs rd.zfcp -d 'rd_ZFCP='); do ++ ( ++ IFS_SAVED="$IFS" ++ IFS="," # did not work in front of built-in set command below + # shellcheck disable=SC2086 +- chzdev --enable --persistent $zdev_zfcp_base_args \ +- zfcp-host "$args" 2>&1 | zdev_vinfo +- else +- # shellcheck disable=SC2086 +- chzdev --enable --persistent $zdev_zfcp_base_args \ +- zfcp-lun "$args" 2>&1 | zdev_vinfo +- fi +- ) +-done ++ set -- $zdev_zfcp_arg ++ IFS=":" args="$*" ++ IFS="$IFS_SAVED" ++ echo "rd.zfcp ${zdev_zfcp_arg} :" | zdev_vinfo ++ if [ "$#" -eq 1 ]; then ++ # shellcheck disable=SC2086 ++ chzdev --enable --persistent $zdev_zfcp_base_args \ ++ zfcp-host "$args" 2>&1 | zdev_vinfo ++ else ++ # shellcheck disable=SC2086 ++ chzdev --enable --persistent $zdev_zfcp_base_args \ ++ zfcp-lun "$args" 2>&1 | zdev_vinfo ++ fi ++ ) ++ done ++fi ++ + unset zdev_zfcp_arg + unset zdev_zfcp_base_args +-- +2.44.0 + diff --git a/s390-tools-sles15sp6-02-genprotimg-support-Armonk-in-IBM-signing-key-subject.patch b/s390-tools-sles15sp6-02-genprotimg-support-Armonk-in-IBM-signing-key-subject.patch new file mode 100644 index 0000000..8b09d05 --- /dev/null +++ b/s390-tools-sles15sp6-02-genprotimg-support-Armonk-in-IBM-signing-key-subject.patch 
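Review bot: The new autodetect guards test only `getargbool 0 'rd.dasd'` and `getargbool 0 'rd.zfcp'`, while the fallback `getargs` calls still honour the legacy `rd_DASD=` / `rd_ZFCP=` spellings; a cmdline that uses only the legacy name on a system IPLed from a ccw or fcp device will therefore ignore the explicit device list and silently activate the IPL device instead — forward the alias, e.g. `if ! getargbool 0 'rd.dasd' -d 'rd_DASD='`, if getargbool passes extra options through to getarg as dracut-lib.sh does, otherwise test `getargs` directly. The added branches use `[[ … ]]` and `$(< file)` where the surrounding code stays with POSIX `[ … ]`; if these hooks run under a non-bash /bin/sh that is a boot-time syntax error, so `[ -f … ]` and `$(cat /sys/firmware/ipl/ipl_type)` would be safer. In parse-dasd.sh the new `chzdev --offline --existing --enable --active dasd "$_ccw"` call neither routes its output through `zdev_vinfo` nor carries the `--yes`/`--no-root-update` options the zfcp path keeps in `zdev_zfcp_base_args`; confirm chzdev cannot prompt here and log its output as the zfcp branch does. The zfcp branch enables every existing `zfcp-host` rather than the one named in `/sys/firmware/ipl/device`; if that is intentional, a one-line comment saying so would help.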
@@ -0,0 +1,304 @@ +Index: s390-tools-service/genprotimg/src/include/pv_crypto_def.h +=================================================================== +--- s390-tools-service.orig/genprotimg/src/include/pv_crypto_def.h ++++ s390-tools-service/genprotimg/src/include/pv_crypto_def.h +@@ -17,7 +17,8 @@ + /* IBM signing key subject */ + #define PV_IBM_Z_SUBJECT_COMMON_NAME "International Business Machines Corporation" + #define PV_IBM_Z_SUBJECT_COUNTRY_NAME "US" +-#define PV_IBM_Z_SUBJECT_LOCALITY_NAME "Poughkeepsie" ++#define PV_IBM_Z_SUBJECT_LOCALITY_NAME_POUGHKEEPSIE "Poughkeepsie" ++#define PV_IBM_Z_SUBJECT_LOCALITY_NAME_ARMONK "Armonk" + #define PV_IBM_Z_SUBJECT_ORGANIZATIONONAL_UNIT_NAME_SUFFIX "Key Signing Service" + #define PV_IBM_Z_SUBJECT_ORGANIZATION_NAME "International Business Machines Corporation" + #define PV_IBM_Z_SUBJECT_STATE "New York" +Index: s390-tools-service/genprotimg/src/utils/crypto.c +=================================================================== +--- s390-tools-service.orig/genprotimg/src/utils/crypto.c ++++ s390-tools-service/genprotimg/src/utils/crypto.c +@@ -664,62 +664,9 @@ static gboolean x509_name_data_by_nid_eq + return memcmp(data, y, data_len) == 0; + } + +-static gboolean own_X509_NAME_ENTRY_equal(const X509_NAME_ENTRY *x, +- const X509_NAME_ENTRY *y) +-{ +- const ASN1_OBJECT *x_obj = X509_NAME_ENTRY_get_object(x); +- const ASN1_STRING *x_data = X509_NAME_ENTRY_get_data(x); +- const ASN1_OBJECT *y_obj = X509_NAME_ENTRY_get_object(y); +- const ASN1_STRING *y_data = X509_NAME_ENTRY_get_data(y); +- gint x_len = ASN1_STRING_length(x_data); +- gint y_len = ASN1_STRING_length(y_data); +- +- if (x_len < 0 || x_len != y_len) +- return FALSE; +- +- /* ASN1_STRING_cmp(x_data, y_data) == 0 doesn't work because it also +- * compares the type, which is sometimes different. 
+- */ +- return OBJ_cmp(x_obj, y_obj) == 0 && +- memcmp(ASN1_STRING_get0_data(x_data), +- ASN1_STRING_get0_data(y_data), +- (unsigned long)x_len) == 0; +-} +- +-static gboolean own_X509_NAME_equal(const X509_NAME *x, const X509_NAME *y) +-{ +- gint x_count = X509_NAME_entry_count(x); +- gint y_count = X509_NAME_entry_count(y); +- +- if (x != y && (!x || !y)) +- return FALSE; +- +- if (x_count != y_count) +- return FALSE; +- +- for (gint i = 0; i < x_count; i++) { +- const X509_NAME_ENTRY *entry_i = X509_NAME_get_entry(x, i); +- gboolean entry_found = FALSE; +- +- for (gint j = 0; j < y_count; j++) { +- const X509_NAME_ENTRY *entry_j = +- X509_NAME_get_entry(y, j); +- +- if (own_X509_NAME_ENTRY_equal(entry_i, entry_j)) { +- entry_found = TRUE; +- break; +- } +- } +- +- if (!entry_found) +- return FALSE; +- } +- return TRUE; +-} +- + /* Checks whether the subject of @cert is a IBM signing key subject. For this we + * must check that the subject is equal to: 'C = US, ST = New York, L = +- * Poughkeepsie, O = International Business Machines Corporation, CN = ++ * Poughkeepsie or Armonk, O = International Business Machines Corporation, CN = + * International Business Machines Corporation' and the organization unit (OUT) + * must end with the suffix ' Key Signing Service'. + */ +@@ -743,8 +690,10 @@ static gboolean has_ibm_signing_subject( + PV_IBM_Z_SUBJECT_STATE)) + return FALSE; + +- if (!x509_name_data_by_nid_equal(subject, NID_localityName, +- PV_IBM_Z_SUBJECT_LOCALITY_NAME)) ++ if (!(x509_name_data_by_nid_equal(subject, NID_localityName, ++ PV_IBM_Z_SUBJECT_LOCALITY_NAME_POUGHKEEPSIE) || ++ x509_name_data_by_nid_equal(subject, NID_localityName, ++ PV_IBM_Z_SUBJECT_LOCALITY_NAME_ARMONK))) + return FALSE; + + if (!x509_name_data_by_nid_equal(subject, NID_organizationName, +@@ -806,6 +755,39 @@ static X509_NAME *x509_name_reorder_attr + return g_steal_pointer(&ret); + } + ++/** Replace locality 'Armonk' with 'Pougkeepsie'. If Armonk was not set return ++ * `NULL`. 
++ */ ++static X509_NAME *x509_armonk_locality_fixup(const X509_NAME *name) ++{ ++ g_autoptr(X509_NAME) ret = NULL; ++ int pos; ++ ++ /* Check if ``L=Armonk`` */ ++ if (!x509_name_data_by_nid_equal((X509_NAME *)name, NID_localityName, ++ PV_IBM_Z_SUBJECT_LOCALITY_NAME_ARMONK)) ++ return NULL; ++ ++ ret = X509_NAME_dup(name); ++ if (!ret) ++ g_abort(); ++ ++ pos = X509_NAME_get_index_by_NID(ret, NID_localityName, -1); ++ if (pos == -1) ++ return NULL; ++ ++ X509_NAME_ENTRY_free(X509_NAME_delete_entry(ret, pos)); ++ ++ /* Create a new name entry at the same position as before */ ++ if (X509_NAME_add_entry_by_NID( ++ ret, NID_localityName, MBSTRING_UTF8, ++ (const unsigned char *)&PV_IBM_Z_SUBJECT_LOCALITY_NAME_POUGHKEEPSIE, ++ sizeof(PV_IBM_Z_SUBJECT_LOCALITY_NAME_POUGHKEEPSIE) - 1, pos, 0) != 1) ++ return NULL; ++ ++ return g_steal_pointer(&ret); ++} ++ + /* In RFC 5280 the attributes of a (subject/issuer) name is not mandatory + * ordered. The problem is that our certificates are not consistent in the order + * (see https://tools.ietf.org/html/rfc5280#section-4.1.2.4 for details). 
+@@ -828,24 +810,10 @@ X509_NAME *c2b_name(const X509_NAME *nam + return X509_NAME_dup((X509_NAME *)name); + } + +-/* Verify that: subject(issuer) == issuer(crl) and SKID(issuer) == AKID(crl) */ ++/* Verify that SKID(issuer) == AKID(crl) if available */ + static gint check_crl_issuer(X509_CRL *crl, X509 *issuer, GError **err) + { +- const X509_NAME *crl_issuer = X509_CRL_get_issuer(crl); +- const X509_NAME *issuer_subject = X509_get_subject_name(issuer); +- AUTHORITY_KEYID *akid = NULL; +- +- if (!own_X509_NAME_equal(issuer_subject, crl_issuer)) { +- g_autofree char *issuer_subject_str = X509_NAME_oneline(issuer_subject, +- NULL, 0); +- g_autofree char *crl_issuer_str = X509_NAME_oneline(crl_issuer, NULL, 0); +- +- g_set_error(err, PV_CRYPTO_ERROR, +- PV_CRYPTO_ERROR_CRL_SUBJECT_ISSUER_MISMATCH, +- _("issuer mismatch:\n%s\n%s"), +- issuer_subject_str, crl_issuer_str); +- return -1; +- } ++ g_autoptr(AUTHORITY_KEYID) akid = NULL; + + /* If AKID(@crl) is specified it must match with SKID(@issuer) */ + akid = X509_CRL_get_ext_d2i(crl, NID_authority_key_identifier, NULL, NULL); +@@ -881,7 +849,6 @@ gint check_crl_valid_for_cert(X509_CRL * + return -1; + } + +- /* check that the @crl issuer matches with the subject name of @cert*/ + if (check_crl_issuer(crl, cert, err) < 0) + return -1; + +@@ -910,6 +877,60 @@ gint check_crl_valid_for_cert(X509_CRL * + return 0; + } + ++/* This function contains work-arounds for some known subject(CRT)<->issuer(CRL) ++ * issues. ++ */ ++static STACK_OF_X509_CRL *quirk_X509_STORE_ctx_get1_crls(X509_STORE_CTX *ctx, ++ const X509_NAME *subject, GError **err) ++{ ++ g_autoptr(X509_NAME) fixed_subject = NULL; ++ g_autoptr(STACK_OF_X509_CRL) ret = NULL; ++ ++ ret = Pv_X509_STORE_CTX_get1_crls(ctx, subject); ++ if (ret && sk_X509_CRL_num(ret) > 0) ++ return g_steal_pointer(&ret); ++ ++ /* Workaround to fix the mismatch between issuer name of the * IBM ++ * signing CRLs and the IBM signing key subject name. 
Locality name has ++ * changed from Poughkeepsie to Armonk. ++ */ ++ fixed_subject = x509_armonk_locality_fixup(subject); ++ /* Was the locality replaced? */ ++ if (fixed_subject) { ++ X509_NAME *tmp; ++ ++ sk_X509_CRL_free(ret); ++ ret = Pv_X509_STORE_CTX_get1_crls(ctx, fixed_subject); ++ if (ret && sk_X509_CRL_num(ret) > 0) ++ return g_steal_pointer(&ret); ++ ++ /* Workaround to fix the ordering mismatch between issuer name ++ * of the IBM signing CRLs and the IBM signing key subject name. ++ */ ++ tmp = fixed_subject; ++ fixed_subject = c2b_name(fixed_subject); ++ X509_NAME_free(tmp); ++ sk_X509_CRL_free(ret); ++ ret = Pv_X509_STORE_CTX_get1_crls(ctx, fixed_subject); ++ if (ret && sk_X509_CRL_num(ret) > 0) ++ return g_steal_pointer(&ret); ++ X509_NAME_free(fixed_subject); ++ fixed_subject = NULL; ++ } ++ ++ /* Workaround to fix the ordering mismatch between issuer name of the ++ * IBM signing CRLs and the IBM signing key subject name. ++ */ ++ fixed_subject = c2b_name(subject); ++ sk_X509_CRL_free(ret); ++ ret = Pv_X509_STORE_CTX_get1_crls(ctx, fixed_subject); ++ if (ret && sk_X509_CRL_num(ret) > 0) ++ return g_steal_pointer(&ret); ++ ++ g_set_error(err, PV_CRYPTO_ERROR, PV_CRYPTO_ERROR_NO_CRL, _("no CRL found")); ++ return NULL; ++} ++ + /* Given a certificate @cert try to find valid revocation lists in @ctx. If no + * valid CRL was found NULL is returned. + */ +@@ -927,20 +948,9 @@ STACK_OF_X509_CRL *store_ctx_find_valid_ + return NULL; + } + +- ret = X509_STORE_CTX_get1_crls(ctx, subject); +- if (!ret) { +- /* Workaround to fix the mismatch between issuer name of the +- * IBM Z signing CRLs and the IBM Z signing key subject name. 
+- */ +- g_autoptr(X509_NAME) broken_subject = c2b_name(subject); +- +- ret = X509_STORE_CTX_get1_crls(ctx, broken_subject); +- if (!ret) { +- g_set_error(err, PV_CRYPTO_ERROR, PV_CRYPTO_ERROR_NO_CRL, +- _("no CRL found")); +- return NULL; +- } +- } ++ ret = quirk_X509_STORE_ctx_get1_crls(ctx, subject, err); ++ if (!ret) ++ return NULL; + + /* Filter out non-valid CRLs for @cert */ + for (gint i = 0; i < sk_X509_CRL_num(ret); i++) { +@@ -1328,32 +1338,14 @@ gint check_chain_parameters(const STACK_ + + /* It's almost the same as X509_check_issed from OpenSSL does except that we + * don't check the key usage of the potential issuer. This means we check: +- * 1. issuer_name(cert) == subject_name(issuer) +- * 2. Check whether the akid(cert) (if available) matches the issuer skid +- * 3. Check that the cert algrithm matches the subject algorithm +- * 4. Verify the signature of certificate @cert is using the public key of ++ * 1. Check whether the akid(cert) (if available) matches the issuer skid ++ * 2. Check that the cert algrithm matches the subject algorithm ++ * 3. Verify the signature of certificate @cert is using the public key of + * @issuer. + */ + static gint check_host_key_issued(X509 *cert, X509 *issuer, GError **err) + { +- const X509_NAME *issuer_subject = X509_get_subject_name(issuer); +- const X509_NAME *cert_issuer = X509_get_issuer_name(cert); +- AUTHORITY_KEYID *akid = NULL; +- +- /* We cannot use X509_NAME_cmp() because it considers the order of the +- * X509_NAME_Entries. 
+- */ +- if (!own_X509_NAME_equal(issuer_subject, cert_issuer)) { +- g_autofree char *issuer_subject_str = +- X509_NAME_oneline(issuer_subject, NULL, 0); +- g_autofree char *cert_issuer_str = +- X509_NAME_oneline(cert_issuer, NULL, 0); +- g_set_error(err, PV_CRYPTO_ERROR, +- PV_CRYPTO_ERROR_CERT_SUBJECT_ISSUER_MISMATCH, +- _("Subject issuer mismatch:\n'%s'\n'%s'"), +- issuer_subject_str, cert_issuer_str); +- return -1; +- } ++ g_autoptr(AUTHORITY_KEYID) akid = NULL; + + akid = X509_get_ext_d2i(cert, NID_authority_key_identifier, NULL, NULL); + if (akid && X509_check_akid(issuer, akid) != X509_V_OK) { +Index: s390-tools-service/genprotimg/src/utils/crypto.h +=================================================================== +--- s390-tools-service.orig/genprotimg/src/utils/crypto.h ++++ s390-tools-service/genprotimg/src/utils/crypto.h +@@ -75,6 +75,7 @@ void x509_pair_free(x509_pair *pair); + /* Register auto cleanup functions */ + WRAPPED_G_DEFINE_AUTOPTR_CLEANUP_FUNC(ASN1_INTEGER, ASN1_INTEGER_free) + WRAPPED_G_DEFINE_AUTOPTR_CLEANUP_FUNC(ASN1_OCTET_STRING, ASN1_OCTET_STRING_free) ++WRAPPED_G_DEFINE_AUTOPTR_CLEANUP_FUNC(AUTHORITY_KEYID, AUTHORITY_KEYID_free) + WRAPPED_G_DEFINE_AUTOPTR_CLEANUP_FUNC(BIGNUM, BN_free) + WRAPPED_G_DEFINE_AUTOPTR_CLEANUP_FUNC(BIO, BIO_free_all) + WRAPPED_G_DEFINE_AUTOPTR_CLEANUP_FUNC(BN_CTX, BN_CTX_free) diff --git a/s390-tools-sles15sp6-03-libpv-support-Armonk-in-IBM-signing-key-subject.patch b/s390-tools-sles15sp6-03-libpv-support-Armonk-in-IBM-signing-key-subject.patch new file mode 100644 index 0000000..b4d41d8 --- /dev/null +++ b/s390-tools-sles15sp6-03-libpv-support-Armonk-in-IBM-signing-key-subject.patch 
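Review bot: `quirk_X509_STORE_ctx_get1_crls` and the rewritten `store_ctx_find_valid_crls` call `Pv_X509_STORE_CTX_get1_crls`, whereas the lines they replace called `X509_STORE_CTX_get1_crls` directly and no definition of a capitalised `Pv_` wrapper appears in this patch; confirm the SP6 genprotimg tree provides it (libpv's equivalent is the lower-case `pv_X509_STORE_CTX_get1_crls`), otherwise this does not link. With `own_X509_NAME_equal` deleted, `check_host_key_issued` and `check_crl_issuer` bind a certificate or CRL to its issuer only through the optional AKID and the signature verification listed as step 3, so an HKD or CRL whose issuer name differs from the signing-key subject is now accepted whenever the signature verifies — intended here, but the function comments should state it: `/* Issuer name is deliberately not compared: IBM CRLs and signing keys differ in locality and attribute order; the signature check is the binding. */`. In `x509_armonk_locality_fixup`, `(const unsigned char *)&PV_IBM_Z_SUBJECT_LOCALITY_NAME_POUGHKEEPSIE` takes the address of a string literal; it yields the same address as the decayed array, but dropping the `&` is the clearer spelling, and the helper's doc comment misspells `Pougkeepsie`.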
@@ -0,0 +1,224 @@ +Index: s390-tools-service/include/libpv/cert.h +=================================================================== +--- s390-tools-service.orig/include/libpv/cert.h ++++ s390-tools-service/include/libpv/cert.h +@@ -16,7 +16,8 @@ + + #define PV_IBM_Z_SUBJECT_COMMON_NAME "International Business Machines Corporation" + #define PV_IBM_Z_SUBJECT_COUNTRY_NAME "US" +-#define PV_IBM_Z_SUBJECT_LOCALITY_NAME "Poughkeepsie" ++#define PV_IBM_Z_SUBJECT_LOCALITY_NAME_POUGHKEEPSIE "Poughkeepsie" ++#define PV_IBM_Z_SUBJECT_LOCALITY_NAME_ARMONK "Armonk" + #define PV_IBM_Z_SUBJECT_ORGANIZATIONAL_UNIT_NAME_SUFFIX "Key Signing Service" + #define PV_IBM_Z_SUBJECT_ORGANIZATION_NAME "International Business Machines Corporation" + #define PV_IBM_Z_SUBJECT_STATE "New York" +Index: s390-tools-service/libpv/cert.c +=================================================================== +--- s390-tools-service.orig/libpv/cert.c ++++ s390-tools-service/libpv/cert.c +@@ -857,7 +857,7 @@ static gboolean x509_name_data_by_nid_eq + + /* Checks whether the subject of @cert is a IBM signing key subject. For this we + * must check that the subject is equal to: 'C = US, ST = New York, L = +- * Poughkeepsie, O = International Business Machines Corporation, CN = ++ * Poughkeepsie or Armonk, O = International Business Machines Corporation, CN = + * International Business Machines Corporation' and the organization unit (OUT) + * must end with the suffix ' Key Signing Service'. 
+ */ +@@ -879,7 +879,10 @@ static gboolean has_ibm_signing_subject( + if (!x509_name_data_by_nid_equal(subject, NID_stateOrProvinceName, PV_IBM_Z_SUBJECT_STATE)) + return FALSE; + +- if (!x509_name_data_by_nid_equal(subject, NID_localityName, PV_IBM_Z_SUBJECT_LOCALITY_NAME)) ++ if (!(x509_name_data_by_nid_equal(subject, NID_localityName, ++ PV_IBM_Z_SUBJECT_LOCALITY_NAME_POUGHKEEPSIE) || ++ x509_name_data_by_nid_equal(subject, NID_localityName, ++ PV_IBM_Z_SUBJECT_LOCALITY_NAME_ARMONK))) + return FALSE; + + if (!x509_name_data_by_nid_equal(subject, NID_organizationName, +@@ -1085,10 +1088,9 @@ static int check_signature_algo_match(co + + /* It's almost the same as X509_check_issed from OpenSSL does except that we + * don't check the key usage of the potential issuer. This means we check: +- * 1. issuer_name(cert) == subject_name(issuer) +- * 2. Check whether the akid(cert) (if available) matches the issuer skid +- * 3. Check that the cert algrithm matches the subject algorithm +- * 4. Verify the signature of certificate @cert is using the public key of ++ * 1. Check whether the akid(cert) (if available) matches the issuer skid ++ * 2. Check that the cert algrithm matches the subject algorithm ++ * 3. Verify the signature of certificate @cert is using the public key of + * @issuer. + */ + static int check_host_key_issued(X509 *cert, X509 *issuer, GError **error) +@@ -1097,19 +1099,6 @@ static int check_host_key_issued(X509 *c + const X509_NAME *cert_issuer = X509_get_issuer_name(cert); + g_autoptr(AUTHORITY_KEYID) akid = NULL; + +- /* We cannot use X509_NAME_cmp() because it considers the order of the +- * X509_NAME_Entries. 
+- */ +- if (!own_X509_NAME_equal(issuer_subject, cert_issuer)) { +- g_autofree char *issuer_subject_str = pv_X509_NAME_oneline(issuer_subject); +- g_autofree char *cert_issuer_str = pv_X509_NAME_oneline(cert_issuer); +- +- g_set_error(error, PV_CERT_ERROR, PV_CERT_ERROR_CERT_SUBJECT_ISSUER_MISMATCH, +- _("Subject issuer mismatch:\n'%s'\n'%s'"), issuer_subject_str, +- cert_issuer_str); +- return -1; +- } +- + akid = X509_get_ext_d2i(cert, NID_authority_key_identifier, NULL, NULL); + if (akid && X509_check_akid(issuer, akid) != X509_V_OK) { + g_set_error(error, PV_CERT_ERROR, PV_CERT_ERROR_SKID_AKID_MISMATCH, +@@ -1286,21 +1275,10 @@ int pv_verify_cert(X509_STORE_CTX *ctx, + return 0; + } + +-/* Verify that: subject(issuer) == issuer(crl) and SKID(issuer) == AKID(crl) */ ++/* Verify that SKID(issuer) == AKID(crl) */ + static int check_crl_issuer(X509_CRL *crl, X509 *issuer, GError **error) + { +- const X509_NAME *crl_issuer = X509_CRL_get_issuer(crl); +- const X509_NAME *issuer_subject = X509_get_subject_name(issuer); +- AUTHORITY_KEYID *akid = NULL; +- +- if (!own_X509_NAME_equal(issuer_subject, crl_issuer)) { +- g_autofree char *issuer_subject_str = pv_X509_NAME_oneline(issuer_subject); +- g_autofree char *crl_issuer_str = pv_X509_NAME_oneline(crl_issuer); +- +- g_set_error(error, PV_CERT_ERROR, PV_CERT_ERROR_CRL_SUBJECT_ISSUER_MISMATCH, +- _("issuer mismatch:\n%s\n%s"), issuer_subject_str, crl_issuer_str); +- return -1; +- } ++ g_autoptr(AUTHORITY_KEYID) akid = NULL; + + /* If AKID(@crl) is specified it must match with SKID(@issuer) */ + akid = X509_CRL_get_ext_d2i(crl, NID_authority_key_identifier, NULL, NULL); +@@ -1325,7 +1303,6 @@ int pv_verify_crl(X509_CRL *crl, X509 *c + return -1; + } + +- /* check that the @crl issuer matches with the subject name of @cert*/ + if (check_crl_issuer(crl, cert, error) < 0) + return -1; + +@@ -1393,6 +1370,93 @@ int pv_check_chain_parameters(const STAC + return 0; + } + ++/** Replace locality 'Armonk' with 'Pougkeepsie'. 
If Armonk was not set return ++ * `NULL`. ++ */ ++static X509_NAME *x509_armonk_locality_fixup(const X509_NAME *name) ++{ ++ g_autoptr(X509_NAME) ret = NULL; ++ int pos; ++ ++ /* Check if ``L=Armonk`` */ ++ if (!x509_name_data_by_nid_equal((X509_NAME *)name, NID_localityName, ++ PV_IBM_Z_SUBJECT_LOCALITY_NAME_ARMONK)) ++ return NULL; ++ ++ ret = X509_NAME_dup(name); ++ if (!ret) ++ g_abort(); ++ ++ pos = X509_NAME_get_index_by_NID(ret, NID_localityName, -1); ++ if (pos == -1) ++ return NULL; ++ ++ X509_NAME_ENTRY_free(X509_NAME_delete_entry(ret, pos)); ++ ++ /* Create a new name entry at the same position as before */ ++ if (X509_NAME_add_entry_by_NID( ++ ret, NID_localityName, MBSTRING_UTF8, ++ (const unsigned char *)&PV_IBM_Z_SUBJECT_LOCALITY_NAME_POUGHKEEPSIE, ++ sizeof(PV_IBM_Z_SUBJECT_LOCALITY_NAME_POUGHKEEPSIE) - 1, pos, 0) != 1) ++ return NULL; ++ ++ return g_steal_pointer(&ret); ++} ++ ++/* This function contains work-arounds for some known subject(CRT)<->issuer(CRL) ++ * issues. ++ */ ++static STACK_OF_X509_CRL *quirk_X509_STORE_ctx_get1_crls(X509_STORE_CTX *ctx, ++ const X509_NAME *subject, GError **err) ++{ ++ g_autoptr(X509_NAME) fixed_subject = NULL; ++ g_autoptr(STACK_OF_X509_CRL) ret = NULL; ++ ++ ret = pv_X509_STORE_CTX_get1_crls(ctx, subject); ++ if (ret && sk_X509_CRL_num(ret) > 0) ++ return g_steal_pointer(&ret); ++ ++ /* Workaround to fix the mismatch between issuer name of the * IBM ++ * signing CRLs and the IBM signing key subject name. Locality name has ++ * changed from Poughkeepsie to Armonk. ++ */ ++ fixed_subject = x509_armonk_locality_fixup(subject); ++ /* Was the locality replaced? */ ++ if (fixed_subject) { ++ X509_NAME *tmp; ++ ++ sk_X509_CRL_free(ret); ++ ret = pv_X509_STORE_CTX_get1_crls(ctx, fixed_subject); ++ if (ret && sk_X509_CRL_num(ret) > 0) ++ return g_steal_pointer(&ret); ++ ++ /* Workaround to fix the ordering mismatch between issuer name ++ * of the IBM signing CRLs and the IBM signing key subject name. 
++ */ ++ tmp = fixed_subject; ++ fixed_subject = pv_c2b_name(fixed_subject); ++ X509_NAME_free(tmp); ++ sk_X509_CRL_free(ret); ++ ret = pv_X509_STORE_CTX_get1_crls(ctx, fixed_subject); ++ if (ret && sk_X509_CRL_num(ret) > 0) ++ return g_steal_pointer(&ret); ++ X509_NAME_free(fixed_subject); ++ fixed_subject = NULL; ++ } ++ ++ /* Workaround to fix the ordering mismatch between issuer name of the ++ * IBM signing CRLs and the IBM signing key subject name. ++ */ ++ fixed_subject = pv_c2b_name(subject); ++ sk_X509_CRL_free(ret); ++ ret = pv_X509_STORE_CTX_get1_crls(ctx, fixed_subject); ++ if (ret && sk_X509_CRL_num(ret) > 0) ++ return g_steal_pointer(&ret); ++ ++ g_set_error(err, PV_CERT_ERROR, PV_CERT_ERROR_NO_CRL, _("no CRL found")); ++ return NULL; ++} ++ + /* Given a certificate @cert try to find valid revocation lists in @ctx. If no + * valid CRL was found NULL is returned. + */ +@@ -1412,21 +1476,9 @@ STACK_OF_X509_CRL *pv_store_ctx_find_val + return NULL; + } + +- ret = pv_X509_STORE_CTX_get1_crls(ctx, subject); +- if (!ret) { +- /* Workaround to fix the mismatch between issuer name of the +- * IBM Z signing CRLs and the IBM Z signing key subject name. +- */ +- g_autoptr(X509_NAME) broken_subject = pv_c2b_name(subject); +- +- ret = pv_X509_STORE_CTX_get1_crls(ctx, broken_subject); +- if (!ret) { +- g_set_error(error, PV_CERT_ERROR, PV_CERT_ERROR_NO_CRL, _("no CRL found")); +- g_info("ERROR: %s", (*error)->message); +- return NULL; +- } +- } +- ++ ret = quirk_X509_STORE_ctx_get1_crls(ctx, subject, error); ++ if (!ret) ++ return NULL; + /* Filter out non-valid CRLs for @cert */ + for (int i = 0; i < sk_X509_CRL_num(ret); i++) { + X509_CRL *crl = sk_X509_CRL_value(ret, i); diff --git a/s390-tools-sles15sp6-04-pvattest-Fix-root-ca-parsing.patch b/s390-tools-sles15sp6-04-pvattest-Fix-root-ca-parsing.patch new file mode 100644 index 0000000..f584399 --- /dev/null +++ b/s390-tools-sles15sp6-04-pvattest-Fix-root-ca-parsing.patch 
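Review bot: In `check_host_key_issued` the hunk removes the only use of `issuer_subject` and `cert_issuer` but keeps the context line `const X509_NAME *cert_issuer = X509_get_issuer_name(cert);` (and, just above the hunk, presumably the matching `issuer_subject` declaration), so both become unused locals that trip `-Wunused-variable` and break the build if libpv is compiled with `-Werror`; drop the two declarations. Likewise `own_X509_NAME_equal` loses its callers in `check_host_key_issued` and `check_crl_issuer` but, unlike the genprotimg patch, is not deleted here — if it has no other caller in cert.c it becomes an unused static function. The removed no-CRL path logged `g_info("ERROR: %s", (*error)->message)` before returning; `quirk_X509_STORE_ctx_get1_crls` sets the error but no longer logs it, so the message could be kept in `pv_store_ctx_find_valid_crls` inside the `if (!ret)` branch. As in genprotimg, the comment on `check_host_key_issued` should state that issuer-name equality is intentionally not checked and that the signature verification in the following steps is the binding.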
@@ -0,0 +1,25 @@
+Index: s390-tools-service/pvattest/src/argparse.c
+===================================================================
+--- s390-tools-service.orig/pvattest/src/argparse.c
++++ s390-tools-service/pvattest/src/argparse.c
+@@ -190,13 +190,13 @@ static gboolean hex_str_toull(const char
+ }
+
+ /* NOTE REQUIRED */
+-#define _entry_root_ca(__arg_data, __indent) \
+- { \
+- .long_name = "root-ca", .short_name = 0, .flags = G_OPTION_FLAG_NONE, \
+- .arg = G_OPTION_ARG_FILENAME_ARRAY, .arg_data = __arg_data, \
+- .description = "Use FILE as the trusted root CA instead the\n" __indent \
+- "root CAs that are installed on the system (optional).\n", \
+- .arg_description = "FILE", \
++#define _entry_root_ca(__arg_data, __indent) \
++ { \
++ .long_name = "root-ca", .short_name = 0, .flags = G_OPTION_FLAG_NONE, \
++ .arg = G_OPTION_ARG_FILENAME, .arg_data = __arg_data, \
++ .description = "Use FILE as the trusted root CA instead the\n" __indent \
++ "root CAs that are installed on the system (optional).\n", \
++ .arg_description = "FILE", \
+ }
+
+ /* NOTE REQUIRED */
diff --git a/s390-tools-sles15sp6-genprotimg-makefile.patch b/s390-tools-sles15sp6-genprotimg-makefile.patch
new file mode 100644
index 0000000..3d0ad08
--- /dev/null
+++ b/s390-tools-sles15sp6-genprotimg-makefile.patch
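Review bot: Changing `.arg` to `G_OPTION_ARG_FILENAME` means GLib now stores a single `gchar *` through `.arg_data` instead of a NULL-terminated `gchar **`, but the hunk shows neither the variable each `__arg_data` refers to nor the code that later opens the root CA, so both need checking: the target must be declared `char *`, and any leftover array walk such as `for (p = root_ca; *p; p++)` would now read the filename bytes as pointers. Because this option replaces the system trust anchors for host-key and attestation verification, a type mismatch here selects the wrong root silently rather than failing loudly, so a regression test that passes `--root-ca FILE` against a deliberately wrong CA and expects a verification failure is worth adding alongside this fix. The `/* NOTE REQUIRED */` marker sits directly above an option whose help text says `(optional)`; if the marker means something else (presumably a reminder to keep the man page in sync), spell it out, e.g. `/* NOTE: keep in sync with the man page */`.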
@@ -0,0 +1,92 @@
+From 0748d365a60477c96cb9f6a12e9dbe547d549e1f Mon Sep 17 00:00:00 2001
+From: Marc Hartmayer
+Date: Tue, 12 Mar 2024 09:33:19 +0000
+Subject: [PATCH] genprotimg/**/Makefile: Fix staged installs
+
+Fix the support for staged installs. The Makefile variable `PKGDATADIR`
+uses `DESTDIR` for all Makefile target, but actually it should only be
+used for the `install*` and `uninstall*` targets. [1] Fix this by using
+`DESTDIR` only for `install*` targets - uninstall* targets are not
+supported by s390-tools.
+
+Before this change, if `DESTDIR` was set for staged installs,
+`genprotimg` has tried to find the bootloader binaries at the temporary
+installation path `$DESTDIR$(TOOLS_DATADIR)/genprotimg/` instead of
+`$(TOOLS_DATADIR)/genprotimg`.
+
+[1] https://www.gnu.org/prep/standards/html_node/DESTDIR.html
+
+Fixes: 65b9fc442c1a ("genprotimg: introduce new tool for the creation of PV images")
+Reviewed-by: Steffen Eiden
+Signed-off-by: Marc Hartmayer
+Signed-off-by: Steffen Eiden
+---
+ genprotimg/Makefile | 6 +++---
+ genprotimg/boot/Makefile | 8 ++++----
+ genprotimg/src/Makefile | 2 +-
+ 3 files changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/genprotimg/Makefile b/genprotimg/Makefile
+index 8c9f7048..6a2e37e4 100644
+--- a/genprotimg/Makefile
++++ b/genprotimg/Makefile
+@@ -3,7 +3,7 @@ include ../common.mak
+
+ .DEFAULT_GOAL := all
+
+-PKGDATADIR := "$(DESTDIR)$(TOOLS_DATADIR)/genprotimg"
++PKGDATADIR := "$(TOOLS_DATADIR)/genprotimg"
+ TESTS :=
+ SUBDIRS := boot src man
+ RECURSIVE_TARGETS := all-recursive install-recursive clean-recursive
+@@ -11,8 +11,8 @@ RECURSIVE_TARGETS := all-recursive install-recursive clean-recursive
+ all: all-recursive
+
+ install: install-recursive
+- $(INSTALL) -d -m 755 "$(PKGDATADIR)"
+- $(INSTALL) -g $(GROUP) -o $(OWNER) -m 755 samples/check_hostkeydoc "$(PKGDATADIR)"
++ $(INSTALL) -d -m 755 "$(DESTDIR)$(PKGDATADIR)"
++ $(INSTALL) -g $(GROUP) -o $(OWNER) -m 755 samples/check_hostkeydoc "$(DESTDIR)$(PKGDATADIR)"
+
+ clean: clean-recursive
+
+diff --git a/genprotimg/boot/Makefile b/genprotimg/boot/Makefile
+index 799df9cc..73f3c9a8 100644
+--- a/genprotimg/boot/Makefile
++++ b/genprotimg/boot/Makefile
+@@ -7,7 +7,7 @@ DEBUG_FILES := $(addsuffix .debug,$(FILES))
+ ifeq ($(HOST_ARCH),s390x)
+ ZIPL_DIR := $(rootdir)/zipl
+ ZIPL_BOOT_DIR := $(ZIPL_DIR)/boot
+-PKGDATADIR := $(DESTDIR)$(TOOLS_DATADIR)/genprotimg
++PKGDATADIR := $(TOOLS_DATADIR)/genprotimg
+
+ INCLUDE_PATHS := $(ZIPL_BOOT_DIR) $(ZIPL_DIR)/include $(rootdir)/include
+ INCLUDE_PARMS := $(addprefix -I,$(INCLUDE_PATHS))
+@@ -86,9 +86,9 @@ stage3b.elf: head.o $(ZIPL_OBJS)
+ @chmod a-x $@
+
+ install: stage3a.bin stage3b_reloc.bin
+- $(INSTALL) -d -m 755 "$(PKGDATADIR)"
+- $(INSTALL) -g $(GROUP) -o $(OWNER) -m 644 stage3a.bin "$(PKGDATADIR)"
+- $(INSTALL) -g $(GROUP) -o $(OWNER) -m 644 stage3b_reloc.bin "$(PKGDATADIR)"
++ $(INSTALL) -d -m 755 "$(DESTDIR)$(PKGDATADIR)"
++ $(INSTALL) -g $(GROUP) -o $(OWNER) -m 644 stage3a.bin "$(DESTDIR)$(PKGDATADIR)"
++ $(INSTALL) -g $(GROUP) -o $(OWNER) -m 644 stage3b_reloc.bin "$(DESTDIR)$(PKGDATADIR)"
+
+ else
+ # Don't generate the dependency files (see `common.mak` for the
+diff --git a/genprotimg/src/Makefile b/genprotimg/src/Makefile
+index 08734bff..d447e6cf 100644
+--- a/genprotimg/src/Makefile
++++ b/genprotimg/src/Makefile
+@@ -3,7 +3,7 @@ include ../../common.mak
+
+ bin_PROGRAM = genprotimg
+
+-PKGDATADIR ?= "$(DESTDIR)$(TOOLS_DATADIR)/genprotimg"
++PKGDATADIR ?= "$(TOOLS_DATADIR)/genprotimg"
+ SRC_DIR := $(dir $(realpath $(firstword $(MAKEFILE_LIST))))
+ TOP_SRCDIR := $(SRC_DIR)/../
+ ROOT_DIR = $(TOP_SRC_DIR)/../../
+
diff --git a/s390-tools.changes b/s390-tools.changes
index b9c2c0d..58fa738 100644
--- a/s390-tools.changes
+++ b/s390-tools.changes
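Review bot: In genprotimg/Makefile the variable keeps its embedded quotes (`PKGDATADIR := "$(TOOLS_DATADIR)/genprotimg"`) while the rewritten install rules quote it a second time as `"$(DESTDIR)$(PKGDATADIR)"`, which only works because the shell glues the adjacent quoted fragments back together; genprotimg/boot/Makefile defines the same variable unquoted and quotes only at the use sites. For consistency and readability, drop the quotes from the definition in genprotimg/Makefile too, i.e. `PKGDATADIR := $(TOOLS_DATADIR)/genprotimg`, and keep the quoting on the `$(INSTALL)` lines. In genprotimg/src/Makefile the assignment stays `?=`, so a PKGDATADIR exported by a packaging environment (e.g. one still carrying the staged path) would override the run-time lookup path and re-create exactly the problem this patch fixes; if that Makefile is the one that bakes the path into the binary (inferred from the quoting, not shown here), consider `:=` or a comment stating why an override must remain possible.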
@@ -1,3 +1,60 @@ +------------------------------------------------------------------- +Thu Apr 18 11:05:53 UTC 2024 - Nikolay Gueorguiev + +- Applied an updated patch (bsc#1220949,bsc#1221873) + * s390-tools-sles15sp6-01-parse-ipl-device-for-activation.patch + +------------------------------------------------------------------- +Tue Apr 16 16:55:05 UTC 2024 - Nikolay Gueorguiev + +- Amended the .spec file for x86_64 + * Recommends: s390-tools-genprotimg-data + +------------------------------------------------------------------- +Tue Apr 16 07:48:20 UTC 2024 - Nikolay Gueorguiev + +- Amended the .spec file for s390-tools-genprotimg-data-*.noarch.rpm + * Removed the dependency on it on x86_64 platform + * Updated the Summary and Description of the *.noarch.rpm (bsc#1222675) + +------------------------------------------------------------------- +Fri Apr 12 15:28:09 UTC 2024 - Nikolay Gueorguiev + +- Updated the .spec file to enable Secure Execution in the Cloud (bsc#1222675) + * Creates a s390-tools-genprotimg-data-*.noarch.rpm package which includes + s390x bootload binaries for x86_64: + - /lib/s390-tools/stage3.bin + - /usr/share/s390-tools/genprotimg/stage3a.bin + - /usr/share/s390-tools/genprotimg/stage3b_reloc.bin + * Excludes the above binaries from the (main) s390-tools-*.s390x.rpm + * Requires: s390-tools-genprotimg-data + +------------------------------------------------------------------- +Thu Apr 4 03:51:55 UTC 2024 - Nikolay Gueorguiev + +- SE-tooling: New IBM host-key subject locality (s390-tools) (bsc#1222282) + * s390-tools-sles15sp5-01-rust-pv-support-Armonk-in-IBM-signing-key-subject.patch + * s390-tools-sles15sp6-02-genprotimg-support-Armonk-in-IBM-signing-key-subject.patch + * s390-tools-sles15sp6-03-libpv-support-Armonk-in-IBM-signing-key-subject.patch + * s390-tools-sles15sp6-04-pvattest-Fix-root-ca-parsing.patch + +------------------------------------------------------------------- +Tue Apr 2 05:32:45 UTC 2024 - Nikolay Gueorguiev + +- Apllied a 
patch(bsc#1220949,bsc#1221873) + * s390-tools-sles15sp6-01-parse-ipl-device-for-activation.patch + +------------------------------------------------------------------- +Fri Mar 15 16:45:58 UTC 2024 - Nikolay Gueorguiev + +- Applied a patch (bsc#1221072) + * s390-tools-sles15sp6-genprotimg-makefile.patch + +------------------------------------------------------------------- +Tue Mar 12 08:46:19 UTC 2024 - Nikolay Gueorguiev + +- Amended the .spec file for x86_64 (jsc#PED-7135, jsc#IBM-1309) + ------------------------------------------------------------------- Wed Feb 21 17:02:55 UTC 2024 - Nikolay Gueorguiev diff --git a/s390-tools.spec b/s390-tools.spec index b9ec7c3..9a419b1 100644 --- a/s390-tools.spec +++ b/s390-tools.spec @@ -35,7 +35,7 @@ Name: s390-tools Version: 2.31.0 Release: 0 -Summary: S/390 tools like zipl and dasdfmt +Summary: S/390 tools like zipl and dasdfmt for s390x (plus selected tools for x86_64) License: MIT Group: System/Kernel URL: https://github.com/ibm-s390-tools/s390-tools @@ -153,6 +153,13 @@ Patch910: s390-tools-sles15sp1-11-zdev-Do-not-call-zipl-on-initrd-update.p Patch911: s390-tools-sles15sp5-remove-no-pie-link-arguments.patch Patch912: s390-tools-ALP-zdev-live.patch Patch913: s390-tools-sles15sp6-kdump-initrd-59-zfcp-compat-rules.patch +Patch914: s390-tools-sles15sp6-genprotimg-makefile.patch +Patch915: s390-tools-sles15sp6-01-parse-ipl-device-for-activation.patch +### SE-tooling: New IBM host-key subject locality (s390-tools) +Patch916: s390-tools-sles15sp5-01-rust-pv-support-Armonk-in-IBM-signing-key-subject.patch +Patch917: s390-tools-sles15sp6-02-genprotimg-support-Armonk-in-IBM-signing-key-subject.patch +Patch918: s390-tools-sles15sp6-03-libpv-support-Armonk-in-IBM-signing-key-subject.patch +Patch919: s390-tools-sles15sp6-04-pvattest-Fix-root-ca-parsing.patch ### BuildRequires: curl-devel 
@@ -174,7 +181,7 @@ BuildRequires: pesign-obs-integration BuildRequires: systemd-devel BuildRequires: tcpd-devel BuildRequires: zlib-devel-static -### x86_64 +### s390x %ifarch s390x BuildRequires: kernel-zfcpdump BuildRequires: qclib-devel-static @@ -188,12 +195,15 @@ BuildRequires: openssl # Don't build with pie to avoid problems with zipl #!BuildIgnore: gcc-PIE Requires: coreutils +Requires: procps +Requires: util-linux +%ifarch s390x Requires: gawk Requires: perl-base -Requires: procps Requires: rsync Requires: tar -Requires: util-linux +Requires: s390-tools-genprotimg-data +%endif Requires(post): %fillup_prereq Requires(post): permissions Requires(pre): shadow @@ -202,17 +212,28 @@ Provides: s390utils:/sbin/dasdfmt Provides: group(cpacfstats) Provides: group(ts-shell) Provides: group(zkeyadm) +%ifarch x86_64 +Recommends: s390-tools-genprotimg-data +%endif +### ExclusiveArch: s390x x86_64 %description -This package contains the tools needed to use Linux on IBM z Systems -and exploit many of the various capabilities of the hardware or z/VM. -For example: +This package contains the tools (s390x, x86_64) needed to use Linux on IBM z Systems +and exploit many of the various capabilities of the hardware or z/VM. For example: + + - s390x dasdfmt - low-level format tool for ECKD DASD fdasd - partitions ECKD DASDs with z/OS compatible disk layout zipl - boot loader and dump DASD initializer zgetdump - tool to get linux system dumps from DASD + - x86_64 +genprotimg - create a protected virtualization image +pvattest - create, perform, and verify protected virtualization attestation measurements + +Note: The package requires - s390-tools-genprotimg-data-*.noarch.rpm - installed + %package -n osasnmpd Summary: OSA-Express SNMP subagent License: GPL-2.0-or-later 
@@ -322,6 +343,19 @@ unavailable, the toolset checks for operational paths to the same volume. If available, it reconfigures the FCP re-IPL settings to use an operational path. +%package genprotimg-data +Summary: Auxiliary data used by genprotimg +License: MIT +Group: System/Boot +BuildArch: noarch + +%description genprotimg-data +The genprotimg allows preparing and analyzing boot images +in the realm of IBM Secure Execution on a trusted environment, +such as the laptop of an admin by limiting the build targets +depending on the defined or detected host architecture. +This package provides auxiliary data used by genprotimg. + ### *** s390x ************************************************************************* ### %ifarch s390x @@ -342,7 +376,7 @@ tar -xzf %{SOURCE201} export OPT_FLAGS="%{optflags}" export KERNELIMAGE_MAKEFLAGS="%%{?_smp_mflags}" -%make_build -v \ +%make_build \ ZFCPDUMP_DIR=%{_prefix}/lib/s390-tools/zfcpdump \ DISTRELEASE=%{release} \ UDEVRUNDIR=/run/udev \ @@ -351,7 +385,7 @@ export KERNELIMAGE_MAKEFLAGS="%%{?_smp_mflags}" CC=gcc-13 \ CXX=g++-13 ### all -gcc-13 -v -static -o read_values ${OPT_FLAGS} %{SOURCE86} -lqc +gcc-13 -static -o read_values ${OPT_FLAGS} %{SOURCE86} -lqc %install mkdir -p %{buildroot}/boot/zipl @@ -708,6 +742,10 @@ done %dir /etc/mdevctl.d/scripts.d/ %dir /etc/mdevctl.d/scripts.d/callouts/ ### +%exclude /lib/s390-tools/stage3.bin +%exclude %{_datadir}/s390-tools/genprotimg/stage3a.bin +%exclude %{_datadir}/s390-tools/genprotimg/stage3b_reloc.bin +### %files -n osasnmpd -f %{_builddir}/%{name}.osasnmp %{_libexecdir}/net-snmp/agents/osasnmpd 
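Review bot: On x86_64 the new data package is only `Recommends: s390-tools-genprotimg-data`, yet the `%description` added in the same hunk ends with `Note: The package requires - s390-tools-genprotimg-data-*.noarch.rpm - installed`; an install with `--no-recommends`, or a later removal of the noarch package, leaves genprotimg installed but unable to find stage3a.bin/stage3b_reloc.bin when it builds an image. Either make it `Requires: s390-tools-genprotimg-data` on x86_64 as the s390x branch does (the asymmetry is not explained in the diff), or reword the note to match the softer dependency, e.g. `Note: genprotimg needs s390-tools-genprotimg-data installed to embed the s390x bootloader stages.` The stray ` - ` dashes around the package name in that note also read like a list item rather than prose and should go.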
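Review bot: The `%description genprotimg-data` text explains how the build is restricted (`by limiting the build targets depending on the defined or detected host architecture`) rather than what the package contains or why it is noarch, and the first sentence is hard to parse. Suggested replacement: `genprotimg prepares IBM Secure Execution boot images and may run on a trusted non-s390x host, such as an administrator's workstation.` followed by `This package ships the prebuilt s390x bootloader stages (stage3.bin, stage3a.bin, stage3b_reloc.bin) that genprotimg embeds into the images it creates, so they are available on hosts that cannot build them.` Since those blobs end up inside the guest image genprotimg produces, the rpm signature of this noarch package is effectively the only integrity guarantee for them on an x86_64 host; a sentence saying so would help reviewers of the packaging.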
@@ -754,6 +792,12 @@ done %{_udevrulesdir}/70-chreipl-fcp-mpath.rules %{_mandir}/man7/chreipl-fcp-mpath.7%{?ext_man} +### genprotimg +%files genprotimg-data +/lib/s390-tools/stage3.bin +%{_datadir}/s390-tools/genprotimg/stage3a.bin +%{_datadir}/s390-tools/genprotimg/stage3b_reloc.bin + ### _endif ### *** !s390x ************************************************************************* ### ### _ifarch x86_64 @@ -784,14 +828,11 @@ export KERNELIMAGE_MAKEFLAGS="%%{?_smp_mflags}" %files %{_prefix}/bin/* -%{_prefix}/share/s390-tools/* -%dir /usr/share/s390-tools +%dir %{_datadir}/s390-tools +%dir %{_datadir}/s390-tools/genprotimg +%{_datadir}/s390-tools/genprotimg/check_hostkeydoc %{_mandir}/man1/* -%files debuginfo -%dir %{_prefix}/lib/debug -%dir %{_prefix}/lib/debug/usr/bin - %endif %changelog
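Review bot: `%files genprotimg-data` lists only the three binaries and no `%dir` entries, but on x86_64 the noarch package is merely recommended and can be installed on its own, in which case `/lib/s390-tools`, `%{_datadir}/s390-tools` and `%{_datadir}/s390-tools/genprotimg` end up unowned (rpmlint flags this as non-standard-dir-perm/unowned directories). Add `%dir /lib/s390-tools`, `%dir %{_datadir}/s390-tools` and `%dir %{_datadir}/s390-tools/genprotimg` to the subpackage; rpm tolerates the shared ownership with the x86_64 `%files` section that also claims the two `%{_datadir}` directories. The section also sits inside the `%ifarch s390x` block (it ends at the `### _endif` marker right after), so the noarch rpm is produced only by the s390x build; that is workable, but a one-line comment above `%package genprotimg-data` stating that the data package is built on s390x and consumed on x86_64 would save the next maintainer from looking for a missing `%files` in the x86_64 branch.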