Sync from SUSE:SLFO:Main s390-tools revision fd067ff42f0d3083f252865b3a02dc64

s390-tools-sles15sp5-01-rust-pv-support-Armonk-in-IBM-signing-key-subject.patch

@@ -0,0 +1,286 @@
+Index: s390-tools-service/rust/pv/src/verify.rs
+===================================================================
+--- s390-tools-service.orig/rust/pv/src/verify.rs
++++ s390-tools-service/rust/pv/src/verify.rs
+@@ -3,10 +3,11 @@
+ // Copyright IBM Corp. 2023
+ 
+ use core::slice;
+-use log::debug;
++use log::{debug, trace};
++use openssl::error::ErrorStack;
+ use openssl::stack::Stack;
+ use openssl::x509::store::X509Store;
+-use openssl::x509::{CrlStatus, X509Ref, X509StoreContext, X509};
++use openssl::x509::{CrlStatus, X509NameRef, X509Ref, X509StoreContext, X509StoreContextRef, X509};
+ use openssl_extensions::crl::StackableX509Crl;
+ use openssl_extensions::crl::X509StoreContextExtension;
+ 
+@@ -82,8 +83,8 @@ impl HkdVerifier for CertVerifier {
+         if verified_crls.is_empty() {
+             bail_hkd_verify!(NoCrl);
+         }
+-        for crl in &verified_crls {
+-            match crl.get_by_cert(&hkd.to_owned()) {
++        for crl in verified_crls {
++            match crl.get_by_serial(hkd.serial_number()) {
+                 CrlStatus::NotRevoked => (),
+                 _ => bail_hkd_verify!(HdkRevoked),
+             }
+@@ -94,21 +95,54 @@ impl HkdVerifier for CertVerifier {
+ }
+ 
+ impl CertVerifier {
++    fn quirk_crls(
++        ctx: &mut X509StoreContextRef,
++        subject: &X509NameRef,
++    ) -> Result<Stack<StackableX509Crl>, ErrorStack> {
++        match ctx.crls(subject) {
++            Ok(ret) if !ret.is_empty() => return Ok(ret),
++            _ => (),
++        }
++
++        // Armonk/Poughkeepsie fixup
++        trace!("quirk_crls: Try Locality");
++        if let Some(locality_subject) = helper::armonk_locality_fixup(subject) {
++            match ctx.crls(&locality_subject) {
++                Ok(ret) if !ret.is_empty() => return Ok(ret),
++                _ => (),
++            }
++
++            // reorder
++            trace!("quirk_crls: Try Locality+Reorder");
++            if let Ok(locality_ordered_subject) = helper::reorder_x509_names(&locality_subject) {
++                match ctx.crls(&locality_ordered_subject) {
++                    Ok(ret) if !ret.is_empty() => return Ok(ret),
++                    _ => (),
++                }
++            }
++        }
++
++        // reorder unchanged loaciliy subject
++        trace!("quirk_crls: Try Reorder");
++        if let Ok(ordered_subject) = helper::reorder_x509_names(subject) {
++            match ctx.crls(&ordered_subject) {
++                Ok(ret) if !ret.is_empty() => return Ok(ret),
++                _ => (),
++            }
++        }
++        // nothing found, return empty stack
++        Stack::new()
++    }
++
+     ///Download the CLRs that a HKD refers to.
+     pub fn hkd_crls(&self, hkd: &X509Ref) -> Result<Stack<StackableX509Crl>> {
+         let mut ctx = X509StoreContext::new()?;
+         // Unfortunately we cannot use a dedicated function here and have to use a closure (E0434)
+         // Otherwise, we cannot refer to self
++        // Search for local CRLs
+         let mut crls = ctx.init_opt(&self.store, None, None, |ctx| {
+             let subject = self.ibm_z_sign_key.subject_name();
+-            match ctx.crls(subject) {
+-                Ok(crls) => Ok(crls),
+-                _ => {
+-                    // reorder the name and try again
+-                    let broken_subj = helper::reorder_x509_names(subject)?;
+-                    ctx.crls(&broken_subj).or_else(helper::stack_err_hlp)
+-                }
+-            }
++            Self::quirk_crls(ctx, subject)
+         })?;
+ 
+         if !self.offline {
+Index: s390-tools-service/rust/pv/src/verify/helper.rs
+===================================================================
+--- s390-tools-service.orig/rust/pv/src/verify/helper.rs
++++ s390-tools-service/rust/pv/src/verify/helper.rs
+@@ -13,7 +13,7 @@ use openssl::{
+     error::ErrorStack,
+     nid::Nid,
+     ssl::SslFiletype,
+-    stack::{Stack, Stackable},
++    stack::Stack,
+     x509::{
+         store::{File, X509Lookup, X509StoreBuilder, X509StoreBuilderRef, X509StoreRef},
+         verify::{X509VerifyFlags, X509VerifyParam},
+@@ -25,6 +25,7 @@ use openssl_extensions::{
+     akid::{AkidCheckResult, AkidExtension},
+     crl::X509StoreExtension,
+ };
++use std::str::from_utf8;
+ use std::{cmp::Ordering, ffi::c_int, time::Duration, usize};
+ 
+ /// Minimum security level for the keys/certificates used to establish a chain of
+@@ -39,7 +40,6 @@ const SECURITY_CHAIN_MAX_LEN: c_int = 2;
+ /// verifies that the HKD
+ /// * has enough security bits
+ /// * is inside its validity period
+-/// * issuer name is the subject name of the [`sign_key`]
+ /// * the Authority Key ID matches the Signing Key ID of the  [`sign_key`]
+ pub fn verify_hkd_options(hkd: &X509Ref, sign_key: &X509Ref) -> Result<()> {
+     let hk_pkey = hkd.public_key()?;
+@@ -53,9 +53,6 @@ pub fn verify_hkd_options(hkd: &X509Ref,
+     // verify that the hkd is still valid
+     check_validity_period(hkd.not_before(), hkd.not_after())?;
+ 
+-    // check if hkd.issuer_name == issuer.subject
+-    check_x509_name_equal(sign_key.subject_name(), hkd.issuer_name())?;
+-
+     // verify that the AKID of the hkd matches the SKID of the issuer
+     if let Some(akid) = hkd.akid() {
+         if akid.check(sign_key) != AkidCheckResult::OK {
+@@ -75,9 +72,6 @@ pub fn verify_crl(crl: &X509CrlRef, issu
+             return None;
+         }
+     }
+-
+-    check_x509_name_equal(crl.issuer_name(), issuer.subject_name()).ok()?;
+-
+     match crl.verify(issuer.public_key().ok()?.as_ref()).ok()? {
+         true => Some(()),
+         false => None,
+@@ -207,7 +201,8 @@ pub fn download_crls_into_store(store: &
+ //Asn1StringRef::as_slice aka ASN1_STRING_get0_data gives a string without \0 delimiter
+ const IBM_Z_COMMON_NAME: &[u8; 43usize] = b"International Business Machines Corporation";
+ const IBM_Z_COUNTRY_NAME: &[u8; 2usize] = b"US";
+-const IBM_Z_LOCALITY_NAME: &[u8; 12usize] = b"Poughkeepsie";
++const IBM_Z_LOCALITY_NAME_POUGHKEEPSIE: &[u8; 12usize] = b"Poughkeepsie";
++const IBM_Z_LOCALITY_NAME_ARMONK: &[u8; 6usize] = b"Armonk";
+ const IBM_Z_ORGANIZATIONAL_UNIT_NAME_SUFFIX: &str = "Key Signing Service";
+ const IBM_Z_ORGANIZATION_NAME: &[u8; 43usize] = b"International Business Machines Corporation";
+ const IBM_Z_STATE: &[u8; 8usize] = b"New York";
+@@ -226,7 +221,8 @@ fn is_ibm_signing_cert(cert: &X509) -> b
+     if subj.entries().count() != IMB_Z_ENTRY_COUNT
+         || !name_data_eq(subj, Nid::COUNTRYNAME, IBM_Z_COUNTRY_NAME)
+         || !name_data_eq(subj, Nid::STATEORPROVINCENAME, IBM_Z_STATE)
+-        || !name_data_eq(subj, Nid::LOCALITYNAME, IBM_Z_LOCALITY_NAME)
++        || !(name_data_eq(subj, Nid::LOCALITYNAME, IBM_Z_LOCALITY_NAME_POUGHKEEPSIE)
++            || name_data_eq(subj, Nid::LOCALITYNAME, IBM_Z_LOCALITY_NAME_ARMONK))
+         || !name_data_eq(subj, Nid::ORGANIZATIONNAME, IBM_Z_ORGANIZATION_NAME)
+         || !name_data_eq(subj, Nid::COMMONNAME, IBM_Z_COMMON_NAME)
+     {
+@@ -367,24 +363,6 @@ fn check_validity_period(not_before: &As
+     }
+ }
+ 
+-fn check_x509_name_equal(lhs: &X509NameRef, rhs: &X509NameRef) -> Result<()> {
+-    if lhs.entries().count() != rhs.entries().count() {
+-        bail_hkd_verify!(IssuerMismatch);
+-    }
+-
+-    for l in lhs.entries() {
+-        // search for the matching value in the rhs names
+-        // found none? -> names are not equal
+-        if !rhs
+-            .entries()
+-            .any(|r| l.data().as_slice() == r.data().as_slice())
+-        {
+-            bail_hkd_verify!(IssuerMismatch);
+-        }
+-    }
+-    Ok(())
+-}
+-
+ const NIDS_CORRECT_ORDER: [Nid; 6] = [
+     Nid::COUNTRYNAME,
+     Nid::ORGANIZATIONNAME,
+@@ -407,13 +385,28 @@ pub fn reorder_x509_names(subject: &X509
+     Ok(correct_subj.build())
+ }
+ 
+-pub fn stack_err_hlp<T: Stackable>(
+-    e: ErrorStack,
+-) -> std::result::Result<Stack<T>, openssl::error::ErrorStack> {
+-    match e.errors().len() {
+-        0 => Stack::<T>::new(),
+-        _ => Err(e),
++/**
++* Workaround for potential locality mismatches between CRLs and Certs
++* # Return
++* fixed subject or none if locality was not Armonk or any OpenSSL error
++*/
++pub fn armonk_locality_fixup(subject: &X509NameRef) -> Option<X509Name> {
++    if !name_data_eq(subject, Nid::LOCALITYNAME, IBM_Z_LOCALITY_NAME_ARMONK) {
++        return None;
++    }
++
++    let mut ret = X509Name::builder().ok()?;
++    for entry in subject.entries() {
++        match entry.object().nid() {
++            nid @ Nid::LOCALITYNAME => ret
++                .append_entry_by_nid(nid, from_utf8(IBM_Z_LOCALITY_NAME_POUGHKEEPSIE).ok()?)
++                .ok()?,
++            _ => {
++                ret.append_entry(entry).ok()?;
++            }
++        }
+     }
++    Some(ret.build())
+ }
+ 
+ #[cfg(test)]
+@@ -451,20 +444,6 @@ mod test {
+         ));
+     }
+ 
+-    #[test]
+-    fn x509_name_equal() {
+-        let sign_crt = load_gen_cert("ibm.crt");
+-        let hkd = load_gen_cert("host.crt");
+-        let other = load_gen_cert("inter_ca.crt");
+-
+-        assert!(super::check_x509_name_equal(sign_crt.subject_name(), hkd.issuer_name()).is_ok(),);
+-
+-        assert!(matches!(
+-            super::check_x509_name_equal(other.subject_name(), hkd.subject_name()),
+-            Err(Error::HkdVerify(IssuerMismatch))
+-        ));
+-    }
+-
+     #[test]
+     fn is_ibm_z_sign_key() {
+         let ibm_crt = load_gen_cert("ibm.crt");
+Index: s390-tools-service/rust/pv/src/verify/test.rs
+===================================================================
+--- s390-tools-service.orig/rust/pv/src/verify/test.rs
++++ s390-tools-service/rust/pv/src/verify/test.rs
+@@ -84,7 +84,6 @@ fn verify_online() {
+     let inter_crt = get_cert_asset_path_string("inter_ca.crt");
+     let ibm_crt = get_cert_asset_path_string("ibm.crt");
+     let hkd_revoked = load_gen_cert("host_rev.crt");
+-    let hkd_inv = load_gen_cert("host_invalid_signing_key.crt");
+     let hkd_exp = load_gen_cert("host_crt_expired.crt");
+     let hkd = load_gen_cert("host.crt");
+ 
+@@ -112,11 +111,6 @@ fn verify_online() {
+     ));
+ 
+     assert!(matches!(
+-        verifier.verify(&hkd_inv),
+-        Err(Error::HkdVerify(IssuerMismatch))
+-    ));
+-
+-    assert!(matches!(
+         verifier.verify(&hkd_exp),
+         Err(Error::HkdVerify(AfterValidity))
+     ));
+@@ -130,7 +124,6 @@ fn verify_offline() {
+     let ibm_crt = get_cert_asset_path_string("ibm.crt");
+     let ibm_crl = get_cert_asset_path_string("ibm.crl");
+     let hkd_revoked = load_gen_cert("host_rev.crt");
+-    let hkd_inv = load_gen_cert("host_invalid_signing_key.crt");
+     let hkd_exp = load_gen_cert("host_crt_expired.crt");
+     let hkd = load_gen_cert("host.crt");
+ 
+@@ -149,11 +142,6 @@ fn verify_offline() {
+     ));
+ 
+     assert!(matches!(
+-        verifier.verify(&hkd_inv),
+-        Err(Error::HkdVerify(IssuerMismatch))
+-    ));
+-
+-    assert!(matches!(
+         verifier.verify(&hkd_exp),
+         Err(Error::HkdVerify(AfterValidity))
+     ));

s390-tools-sles15sp6-01-parse-ipl-device-for-activation.patch

@@ -0,0 +1,97 @@
+From 3ea6d6dfd2eb120ffee4c44ff51b7e9e7a9097a6 Mon Sep 17 00:00:00 2001
+From: Thomas Blume <Thomas.Blume@suse.com>
+Date: Thu, 28 Mar 2024 13:32:46 +0100
+Subject: [PATCH] parse ipl device for activation
+
+ported from dracut modules
+---
+ zdev/dracut/95zdev/parse-dasd.sh | 15 ++++++++---
+ zdev/dracut/95zdev/parse-zfcp.sh | 46 +++++++++++++++++++-------------
+ 2 files changed, 39 insertions(+), 22 deletions(-)
+
+diff --git a/zdev/dracut/95zdev/parse-dasd.sh b/zdev/dracut/95zdev/parse-dasd.sh
+index a97801f..eb2fa64 100644
+--- a/zdev/dracut/95zdev/parse-dasd.sh
++++ b/zdev/dracut/95zdev/parse-dasd.sh
+@@ -27,9 +27,18 @@ zdev_vinfo() {
+ 
+ zdev_parse_rd_dasd() {
+     local _zdev_dasd _zdev_dasd_list
+-    for _zdev_dasd in $(getargs rd.dasd -d 'rd_DASD='); do
+-        _zdev_dasd_list="${_zdev_dasd_list:+${_zdev_dasd_list},}$_zdev_dasd"
+-    done
++    # autodetect active bootdev from zipl device
++    if ! getargbool 0 'rd.dasd' \
++        && [[ -f /sys/firmware/ipl/ipl_type ]] \
++        && [[ $(< /sys/firmware/ipl/ipl_type) == "ccw" ]]; then
++        read -r _ccw < /sys/firmware/ipl/device
++
++        chzdev --offline --existing --enable --active dasd "$_ccw"
++    else
++        for _zdev_dasd in $(getargs rd.dasd -d 'rd_DASD='); do
++            _zdev_dasd_list="${_zdev_dasd_list:+${_zdev_dasd_list},}$_zdev_dasd"
++        done
++    fi
+     echo "$_zdev_dasd_list"
+ }
+ 
+diff --git a/zdev/dracut/95zdev/parse-zfcp.sh b/zdev/dracut/95zdev/parse-zfcp.sh
+index 715aa00..6279beb 100644
+--- a/zdev/dracut/95zdev/parse-zfcp.sh
++++ b/zdev/dracut/95zdev/parse-zfcp.sh
+@@ -12,25 +12,33 @@
+ 
+ zdev_zfcp_base_args="--no-settle --yes --no-root-update --force"
+ 
+-for zdev_zfcp_arg in $(getargs rd.zfcp -d 'rd_ZFCP='); do
+-    (
+-        IFS_SAVED="$IFS"
+-        IFS="," # did not work in front of built-in set command below
+-        # shellcheck disable=SC2086
+-        set -- $zdev_zfcp_arg
+-        IFS=":" args="$*"
+-        IFS="$IFS_SAVED"
+-        echo "rd.zfcp ${zdev_zfcp_arg} :" | zdev_vinfo
+-        if [ "$#" -eq 1 ]; then
++# autodetect active bootdev from zipl device
++if ! getargbool 0 'rd.zfcp' \
++    && [[ -f /sys/firmware/ipl/ipl_type ]] \
++    && [[ $(< /sys/firmware/ipl/ipl_type) == "fcp" ]]; then
++        chzdev --offline --existing --enable --active zfcp-host 2>&1 | zdev_vinfo
++else
++    for zdev_zfcp_arg in $(getargs rd.zfcp -d 'rd_ZFCP='); do
++        (
++            IFS_SAVED="$IFS"
++            IFS="," # did not work in front of built-in set command below
+             # shellcheck disable=SC2086
+-            chzdev --enable --persistent $zdev_zfcp_base_args \
+-                   zfcp-host "$args" 2>&1 | zdev_vinfo
+-        else
+-            # shellcheck disable=SC2086
+-            chzdev --enable --persistent $zdev_zfcp_base_args \
+-                   zfcp-lun "$args" 2>&1 | zdev_vinfo
+-        fi
+-    )
+-done
++            set -- $zdev_zfcp_arg
++            IFS=":" args="$*"
++            IFS="$IFS_SAVED"
++            echo "rd.zfcp ${zdev_zfcp_arg} :" | zdev_vinfo
++            if [ "$#" -eq 1 ]; then
++                # shellcheck disable=SC2086
++                chzdev --enable --persistent $zdev_zfcp_base_args \
++                       zfcp-host "$args" 2>&1 | zdev_vinfo
++            else
++                # shellcheck disable=SC2086
++                chzdev --enable --persistent $zdev_zfcp_base_args \
++                       zfcp-lun "$args" 2>&1 | zdev_vinfo
++            fi
++        )
++    done
++fi
++
+ unset zdev_zfcp_arg
+ unset zdev_zfcp_base_args
+-- 
+2.44.0
+

s390-tools-sles15sp6-02-genprotimg-support-Armonk-in-IBM-signing-key-subject.patch

@@ -0,0 +1,304 @@
+Index: s390-tools-service/genprotimg/src/include/pv_crypto_def.h
+===================================================================
+--- s390-tools-service.orig/genprotimg/src/include/pv_crypto_def.h
++++ s390-tools-service/genprotimg/src/include/pv_crypto_def.h
+@@ -17,7 +17,8 @@
+ /* IBM signing key subject */
+ #define PV_IBM_Z_SUBJECT_COMMON_NAME "International Business Machines Corporation"
+ #define PV_IBM_Z_SUBJECT_COUNTRY_NAME "US"
+-#define PV_IBM_Z_SUBJECT_LOCALITY_NAME "Poughkeepsie"
++#define PV_IBM_Z_SUBJECT_LOCALITY_NAME_POUGHKEEPSIE	   "Poughkeepsie"
++#define PV_IBM_Z_SUBJECT_LOCALITY_NAME_ARMONK		   "Armonk"
+ #define PV_IBM_Z_SUBJECT_ORGANIZATIONONAL_UNIT_NAME_SUFFIX "Key Signing Service"
+ #define PV_IBM_Z_SUBJECT_ORGANIZATION_NAME "International Business Machines Corporation"
+ #define PV_IBM_Z_SUBJECT_STATE "New York"
+Index: s390-tools-service/genprotimg/src/utils/crypto.c
+===================================================================
+--- s390-tools-service.orig/genprotimg/src/utils/crypto.c
++++ s390-tools-service/genprotimg/src/utils/crypto.c
+@@ -664,62 +664,9 @@ static gboolean x509_name_data_by_nid_eq
+ 	return memcmp(data, y, data_len) == 0;
+ }
+ 
+-static gboolean own_X509_NAME_ENTRY_equal(const X509_NAME_ENTRY *x,
+-					  const X509_NAME_ENTRY *y)
+-{
+-	const ASN1_OBJECT *x_obj = X509_NAME_ENTRY_get_object(x);
+-	const ASN1_STRING *x_data = X509_NAME_ENTRY_get_data(x);
+-	const ASN1_OBJECT *y_obj = X509_NAME_ENTRY_get_object(y);
+-	const ASN1_STRING *y_data = X509_NAME_ENTRY_get_data(y);
+-	gint x_len = ASN1_STRING_length(x_data);
+-	gint y_len = ASN1_STRING_length(y_data);
+-
+-	if (x_len < 0 || x_len != y_len)
+-		return FALSE;
+-
+-	/* ASN1_STRING_cmp(x_data, y_data) == 0 doesn't work because it also
+-	 * compares the type, which is sometimes different.
+-	 */
+-	return OBJ_cmp(x_obj, y_obj) == 0 &&
+-		memcmp(ASN1_STRING_get0_data(x_data),
+-		       ASN1_STRING_get0_data(y_data),
+-		       (unsigned long)x_len) == 0;
+-}
+-
+-static gboolean own_X509_NAME_equal(const X509_NAME *x, const X509_NAME *y)
+-{
+-	gint x_count = X509_NAME_entry_count(x);
+-	gint y_count = X509_NAME_entry_count(y);
+-
+-	if (x != y && (!x || !y))
+-		return FALSE;
+-
+-	if (x_count != y_count)
+-		return FALSE;
+-
+-	for (gint i = 0; i < x_count; i++) {
+-		const X509_NAME_ENTRY *entry_i = X509_NAME_get_entry(x, i);
+-		gboolean entry_found = FALSE;
+-
+-		for (gint j = 0; j < y_count; j++) {
+-			const X509_NAME_ENTRY *entry_j =
+-				X509_NAME_get_entry(y, j);
+-
+-			if (own_X509_NAME_ENTRY_equal(entry_i, entry_j)) {
+-				entry_found = TRUE;
+-				break;
+-			}
+-		}
+-
+-		if (!entry_found)
+-			return FALSE;
+-	}
+-	return TRUE;
+-}
+-
+ /* Checks whether the subject of @cert is a IBM signing key subject. For this we
+  * must check that the subject is equal to: 'C = US, ST = New York, L =
+- * Poughkeepsie, O = International Business Machines Corporation, CN =
++ * Poughkeepsie or Armonk, O = International Business Machines Corporation, CN =
+  * International Business Machines Corporation' and the organization unit (OUT)
+  * must end with the suffix ' Key Signing Service'.
+  */
+@@ -743,8 +690,10 @@ static gboolean has_ibm_signing_subject(
+ 					 PV_IBM_Z_SUBJECT_STATE))
+ 		return FALSE;
+ 
+-	if (!x509_name_data_by_nid_equal(subject, NID_localityName,
+-					 PV_IBM_Z_SUBJECT_LOCALITY_NAME))
++	if (!(x509_name_data_by_nid_equal(subject, NID_localityName,
++					  PV_IBM_Z_SUBJECT_LOCALITY_NAME_POUGHKEEPSIE) ||
++	      x509_name_data_by_nid_equal(subject, NID_localityName,
++					  PV_IBM_Z_SUBJECT_LOCALITY_NAME_ARMONK)))
+ 		return FALSE;
+ 
+ 	if (!x509_name_data_by_nid_equal(subject, NID_organizationName,
+@@ -806,6 +755,39 @@ static X509_NAME *x509_name_reorder_attr
+ 	return g_steal_pointer(&ret);
+ }
+ 
++/** Replace locality 'Armonk' with 'Pougkeepsie'. If Armonk was not set return
++ *  `NULL`.
++ */
++static X509_NAME *x509_armonk_locality_fixup(const X509_NAME *name)
++{
++	g_autoptr(X509_NAME) ret = NULL;
++	int pos;
++
++	/* Check if ``L=Armonk`` */
++	if (!x509_name_data_by_nid_equal((X509_NAME *)name, NID_localityName,
++					 PV_IBM_Z_SUBJECT_LOCALITY_NAME_ARMONK))
++		return NULL;
++
++	ret = X509_NAME_dup(name);
++	if (!ret)
++		g_abort();
++
++	pos = X509_NAME_get_index_by_NID(ret, NID_localityName, -1);
++	if (pos == -1)
++		return NULL;
++
++	X509_NAME_ENTRY_free(X509_NAME_delete_entry(ret, pos));
++
++	/* Create a new name entry at the same position as before */
++	if (X509_NAME_add_entry_by_NID(
++		    ret, NID_localityName, MBSTRING_UTF8,
++		    (const unsigned char *)&PV_IBM_Z_SUBJECT_LOCALITY_NAME_POUGHKEEPSIE,
++		    sizeof(PV_IBM_Z_SUBJECT_LOCALITY_NAME_POUGHKEEPSIE) - 1, pos, 0) != 1)
++		return NULL;
++
++	return g_steal_pointer(&ret);
++}
++
+ /* In RFC 5280 the attributes of a (subject/issuer) name is not mandatory
+  * ordered. The problem is that our certificates are not consistent in the order
+  * (see https://tools.ietf.org/html/rfc5280#section-4.1.2.4 for details).
+@@ -828,24 +810,10 @@ X509_NAME *c2b_name(const X509_NAME *nam
+ 	return X509_NAME_dup((X509_NAME *)name);
+ }
+ 
+-/* Verify that: subject(issuer) == issuer(crl) and SKID(issuer) == AKID(crl) */
++/* Verify that SKID(issuer) == AKID(crl) if available */
+ static gint check_crl_issuer(X509_CRL *crl, X509 *issuer, GError **err)
+ {
+-	const X509_NAME *crl_issuer = X509_CRL_get_issuer(crl);
+-	const X509_NAME *issuer_subject = X509_get_subject_name(issuer);
+-	AUTHORITY_KEYID *akid = NULL;
+-
+-	if (!own_X509_NAME_equal(issuer_subject, crl_issuer)) {
+-		g_autofree char *issuer_subject_str = X509_NAME_oneline(issuer_subject,
+-									NULL, 0);
+-		g_autofree char *crl_issuer_str = X509_NAME_oneline(crl_issuer, NULL, 0);
+-
+-		g_set_error(err, PV_CRYPTO_ERROR,
+-			    PV_CRYPTO_ERROR_CRL_SUBJECT_ISSUER_MISMATCH,
+-			    _("issuer mismatch:\n%s\n%s"),
+-			    issuer_subject_str, crl_issuer_str);
+-		return -1;
+-	}
++	g_autoptr(AUTHORITY_KEYID) akid = NULL;
+ 
+ 	/* If AKID(@crl) is specified it must match with SKID(@issuer) */
+ 	akid = X509_CRL_get_ext_d2i(crl, NID_authority_key_identifier, NULL, NULL);
+@@ -881,7 +849,6 @@ gint check_crl_valid_for_cert(X509_CRL *
+ 		return -1;
+ 	}
+ 
+-	/* check that the @crl issuer matches with the subject name of @cert*/
+ 	if (check_crl_issuer(crl, cert, err) < 0)
+ 		return -1;
+ 
+@@ -910,6 +877,60 @@ gint check_crl_valid_for_cert(X509_CRL *
+ 	return 0;
+ }
+ 
++/* This function contains work-arounds for some known subject(CRT)<->issuer(CRL)
++ * issues.
++ */
++static STACK_OF_X509_CRL *quirk_X509_STORE_ctx_get1_crls(X509_STORE_CTX *ctx,
++							 const X509_NAME *subject, GError **err)
++{
++	g_autoptr(X509_NAME) fixed_subject = NULL;
++	g_autoptr(STACK_OF_X509_CRL) ret = NULL;
++
++	ret = Pv_X509_STORE_CTX_get1_crls(ctx, subject);
++	if (ret && sk_X509_CRL_num(ret) > 0)
++		return g_steal_pointer(&ret);
++
++	/* Workaround to fix the mismatch between issuer name of the * IBM
++	 * signing CRLs and the IBM signing key subject name. Locality name has
++	 * changed from Poughkeepsie to Armonk.
++	 */
++	fixed_subject = x509_armonk_locality_fixup(subject);
++	/* Was the locality replaced? */
++	if (fixed_subject) {
++		X509_NAME *tmp;
++
++		sk_X509_CRL_free(ret);
++		ret = Pv_X509_STORE_CTX_get1_crls(ctx, fixed_subject);
++		if (ret && sk_X509_CRL_num(ret) > 0)
++			return g_steal_pointer(&ret);
++
++		/* Workaround to fix the ordering mismatch between issuer name
++		 * of the IBM signing CRLs and the IBM signing key subject name.
++		 */
++		tmp = fixed_subject;
++		fixed_subject = c2b_name(fixed_subject);
++		X509_NAME_free(tmp);
++		sk_X509_CRL_free(ret);
++		ret = Pv_X509_STORE_CTX_get1_crls(ctx, fixed_subject);
++		if (ret && sk_X509_CRL_num(ret) > 0)
++			return g_steal_pointer(&ret);
++		X509_NAME_free(fixed_subject);
++		fixed_subject = NULL;
++	}
++
++	/* Workaround to fix the ordering mismatch between issuer name of the
++	 * IBM signing CRLs and the IBM signing key subject name.
++	 */
++	fixed_subject = c2b_name(subject);
++	sk_X509_CRL_free(ret);
++	ret = Pv_X509_STORE_CTX_get1_crls(ctx, fixed_subject);
++	if (ret && sk_X509_CRL_num(ret) > 0)
++		return g_steal_pointer(&ret);
++
++	g_set_error(err, PV_CRYPTO_ERROR, PV_CRYPTO_ERROR_NO_CRL, _("no CRL found"));
++	return NULL;
++}
++
+ /* Given a certificate @cert try to find valid revocation lists in @ctx. If no
+  * valid CRL was found NULL is returned.
+  */
+@@ -927,20 +948,9 @@ STACK_OF_X509_CRL *store_ctx_find_valid_
+ 		return NULL;
+ 	}
+ 
+-	ret = X509_STORE_CTX_get1_crls(ctx, subject);
+-	if (!ret) {
+-		/* Workaround to fix the mismatch between issuer name of the
+-		 * IBM Z signing CRLs and the IBM Z signing key subject name.
+-		 */
+-		g_autoptr(X509_NAME) broken_subject = c2b_name(subject);
+-
+-		ret = X509_STORE_CTX_get1_crls(ctx, broken_subject);
+-		if (!ret) {
+-			g_set_error(err, PV_CRYPTO_ERROR, PV_CRYPTO_ERROR_NO_CRL,
+-				    _("no CRL found"));
+-			return NULL;
+-		}
+-	}
++	ret = quirk_X509_STORE_ctx_get1_crls(ctx, subject, err);
++	if (!ret)
++		return NULL;
+ 
+ 	/* Filter out non-valid CRLs for @cert */
+ 	for (gint i = 0; i < sk_X509_CRL_num(ret); i++) {
+@@ -1328,32 +1338,14 @@ gint check_chain_parameters(const STACK_
+ 
+ /* It's almost the same as X509_check_issed from OpenSSL does except that we
+  * don't check the key usage of the potential issuer. This means we check:
+- * 1. issuer_name(cert) == subject_name(issuer)
+- * 2. Check whether the akid(cert) (if available) matches the issuer skid
+- * 3. Check that the cert algrithm matches the subject algorithm
+- * 4. Verify the signature of certificate @cert is using the public key of
++ * 1. Check whether the akid(cert) (if available) matches the issuer skid
++ * 2. Check that the cert algrithm matches the subject algorithm
++ * 3. Verify the signature of certificate @cert is using the public key of
+  *    @issuer.
+  */
+ static gint check_host_key_issued(X509 *cert, X509 *issuer, GError **err)
+ {
+-	const X509_NAME *issuer_subject = X509_get_subject_name(issuer);
+-	const X509_NAME *cert_issuer = X509_get_issuer_name(cert);
+-	AUTHORITY_KEYID *akid = NULL;
+-
+-	/* We cannot use X509_NAME_cmp() because it considers the order of the
+-	 * X509_NAME_Entries.
+-	 */
+-	if (!own_X509_NAME_equal(issuer_subject, cert_issuer)) {
+-		g_autofree char *issuer_subject_str =
+-			X509_NAME_oneline(issuer_subject, NULL, 0);
+-		g_autofree char *cert_issuer_str =
+-			X509_NAME_oneline(cert_issuer, NULL, 0);
+-		g_set_error(err, PV_CRYPTO_ERROR,
+-			    PV_CRYPTO_ERROR_CERT_SUBJECT_ISSUER_MISMATCH,
+-			    _("Subject issuer mismatch:\n'%s'\n'%s'"),
+-			    issuer_subject_str, cert_issuer_str);
+-		return -1;
+-	}
++	g_autoptr(AUTHORITY_KEYID) akid = NULL;
+ 
+ 	akid = X509_get_ext_d2i(cert, NID_authority_key_identifier, NULL, NULL);
+ 	if (akid && X509_check_akid(issuer, akid) != X509_V_OK) {
+Index: s390-tools-service/genprotimg/src/utils/crypto.h
+===================================================================
+--- s390-tools-service.orig/genprotimg/src/utils/crypto.h
++++ s390-tools-service/genprotimg/src/utils/crypto.h
+@@ -75,6 +75,7 @@ void x509_pair_free(x509_pair *pair);
+ /* Register auto cleanup functions */
+ WRAPPED_G_DEFINE_AUTOPTR_CLEANUP_FUNC(ASN1_INTEGER, ASN1_INTEGER_free)
+ WRAPPED_G_DEFINE_AUTOPTR_CLEANUP_FUNC(ASN1_OCTET_STRING, ASN1_OCTET_STRING_free)
++WRAPPED_G_DEFINE_AUTOPTR_CLEANUP_FUNC(AUTHORITY_KEYID, AUTHORITY_KEYID_free)
+ WRAPPED_G_DEFINE_AUTOPTR_CLEANUP_FUNC(BIGNUM, BN_free)
+ WRAPPED_G_DEFINE_AUTOPTR_CLEANUP_FUNC(BIO, BIO_free_all)
+ WRAPPED_G_DEFINE_AUTOPTR_CLEANUP_FUNC(BN_CTX, BN_CTX_free)

s390-tools-sles15sp6-03-libpv-support-Armonk-in-IBM-signing-key-subject.patch

@@ -0,0 +1,224 @@
+Index: s390-tools-service/include/libpv/cert.h
+===================================================================
+--- s390-tools-service.orig/include/libpv/cert.h
++++ s390-tools-service/include/libpv/cert.h
+@@ -16,7 +16,8 @@
+ 
+ #define PV_IBM_Z_SUBJECT_COMMON_NAME "International Business Machines Corporation"
+ #define PV_IBM_Z_SUBJECT_COUNTRY_NAME "US"
+-#define PV_IBM_Z_SUBJECT_LOCALITY_NAME "Poughkeepsie"
++#define PV_IBM_Z_SUBJECT_LOCALITY_NAME_POUGHKEEPSIE "Poughkeepsie"
++#define PV_IBM_Z_SUBJECT_LOCALITY_NAME_ARMONK "Armonk"
+ #define PV_IBM_Z_SUBJECT_ORGANIZATIONAL_UNIT_NAME_SUFFIX "Key Signing Service"
+ #define PV_IBM_Z_SUBJECT_ORGANIZATION_NAME "International Business Machines Corporation"
+ #define PV_IBM_Z_SUBJECT_STATE "New York"
+Index: s390-tools-service/libpv/cert.c
+===================================================================
+--- s390-tools-service.orig/libpv/cert.c
++++ s390-tools-service/libpv/cert.c
+@@ -857,7 +857,7 @@ static gboolean x509_name_data_by_nid_eq
+ 
+ /* Checks whether the subject of @cert is a IBM signing key subject. For this we
+  * must check that the subject is equal to: 'C = US, ST = New York, L =
+- * Poughkeepsie, O = International Business Machines Corporation, CN =
++ * Poughkeepsie or Armonk, O = International Business Machines Corporation, CN =
+  * International Business Machines Corporation' and the organization unit (OUT)
+  * must end with the suffix ' Key Signing Service'.
+  */
+@@ -879,7 +879,10 @@ static gboolean has_ibm_signing_subject(
+ 	if (!x509_name_data_by_nid_equal(subject, NID_stateOrProvinceName, PV_IBM_Z_SUBJECT_STATE))
+ 		return FALSE;
+ 
+-	if (!x509_name_data_by_nid_equal(subject, NID_localityName, PV_IBM_Z_SUBJECT_LOCALITY_NAME))
++	if (!(x509_name_data_by_nid_equal(subject, NID_localityName,
++					  PV_IBM_Z_SUBJECT_LOCALITY_NAME_POUGHKEEPSIE) ||
++	      x509_name_data_by_nid_equal(subject, NID_localityName,
++					  PV_IBM_Z_SUBJECT_LOCALITY_NAME_ARMONK)))
+ 		return FALSE;
+ 
+ 	if (!x509_name_data_by_nid_equal(subject, NID_organizationName,
+@@ -1085,10 +1088,9 @@ static int check_signature_algo_match(co
+ 
+ /* It's almost the same as X509_check_issed from OpenSSL does except that we
+  * don't check the key usage of the potential issuer. This means we check:
+- * 1. issuer_name(cert) == subject_name(issuer)
+- * 2. Check whether the akid(cert) (if available) matches the issuer skid
+- * 3. Check that the cert algrithm matches the subject algorithm
+- * 4. Verify the signature of certificate @cert is using the public key of
++ * 1. Check whether the akid(cert) (if available) matches the issuer skid
++ * 2. Check that the cert algrithm matches the subject algorithm
++ * 3. Verify the signature of certificate @cert is using the public key of
+  *    @issuer.
+  */
+ static int check_host_key_issued(X509 *cert, X509 *issuer, GError **error)
+@@ -1097,19 +1099,6 @@ static int check_host_key_issued(X509 *c
+ 	const X509_NAME *cert_issuer = X509_get_issuer_name(cert);
+ 	g_autoptr(AUTHORITY_KEYID) akid = NULL;
+ 
+-	/* We cannot use X509_NAME_cmp() because it considers the order of the
+-	 * X509_NAME_Entries.
+-	 */
+-	if (!own_X509_NAME_equal(issuer_subject, cert_issuer)) {
+-		g_autofree char *issuer_subject_str = pv_X509_NAME_oneline(issuer_subject);
+-		g_autofree char *cert_issuer_str = pv_X509_NAME_oneline(cert_issuer);
+-
+-		g_set_error(error, PV_CERT_ERROR, PV_CERT_ERROR_CERT_SUBJECT_ISSUER_MISMATCH,
+-			    _("Subject issuer mismatch:\n'%s'\n'%s'"), issuer_subject_str,
+-			    cert_issuer_str);
+-		return -1;
+-	}
+-
+ 	akid = X509_get_ext_d2i(cert, NID_authority_key_identifier, NULL, NULL);
+ 	if (akid && X509_check_akid(issuer, akid) != X509_V_OK) {
+ 		g_set_error(error, PV_CERT_ERROR, PV_CERT_ERROR_SKID_AKID_MISMATCH,
+@@ -1286,21 +1275,10 @@ int pv_verify_cert(X509_STORE_CTX *ctx,
+ 	return 0;
+ }
+ 
+-/* Verify that: subject(issuer) == issuer(crl) and SKID(issuer) == AKID(crl) */
++/* Verify that SKID(issuer) == AKID(crl) */
+ static int check_crl_issuer(X509_CRL *crl, X509 *issuer, GError **error)
+ {
+-	const X509_NAME *crl_issuer = X509_CRL_get_issuer(crl);
+-	const X509_NAME *issuer_subject = X509_get_subject_name(issuer);
+-	AUTHORITY_KEYID *akid = NULL;
+-
+-	if (!own_X509_NAME_equal(issuer_subject, crl_issuer)) {
+-		g_autofree char *issuer_subject_str = pv_X509_NAME_oneline(issuer_subject);
+-		g_autofree char *crl_issuer_str = pv_X509_NAME_oneline(crl_issuer);
+-
+-		g_set_error(error, PV_CERT_ERROR, PV_CERT_ERROR_CRL_SUBJECT_ISSUER_MISMATCH,
+-			    _("issuer mismatch:\n%s\n%s"), issuer_subject_str, crl_issuer_str);
+-		return -1;
+-	}
++	g_autoptr(AUTHORITY_KEYID) akid = NULL;
+ 
+ 	/* If AKID(@crl) is specified it must match with SKID(@issuer) */
+ 	akid = X509_CRL_get_ext_d2i(crl, NID_authority_key_identifier, NULL, NULL);
+@@ -1325,7 +1303,6 @@ int pv_verify_crl(X509_CRL *crl, X509 *c
+ 		return -1;
+ 	}
+ 
+-	/* check that the @crl issuer matches with the subject name of @cert*/
+ 	if (check_crl_issuer(crl, cert, error) < 0)
+ 		return -1;
+ 
+@@ -1393,6 +1370,93 @@ int pv_check_chain_parameters(const STAC
+ 	return 0;
+ }
+ 
++/** Replace locality 'Armonk' with 'Pougkeepsie'. If Armonk was not set return
++ *  `NULL`.
++ */
++static X509_NAME *x509_armonk_locality_fixup(const X509_NAME *name)
++{
++	g_autoptr(X509_NAME) ret = NULL;
++	int pos;
++
++	/* Check if ``L=Armonk`` */
++	if (!x509_name_data_by_nid_equal((X509_NAME *)name, NID_localityName,
++					 PV_IBM_Z_SUBJECT_LOCALITY_NAME_ARMONK))
++		return NULL;
++
++	ret = X509_NAME_dup(name);
++	if (!ret)
++		g_abort();
++
++	pos = X509_NAME_get_index_by_NID(ret, NID_localityName, -1);
++	if (pos == -1)
++		return NULL;
++
++	X509_NAME_ENTRY_free(X509_NAME_delete_entry(ret, pos));
++
++	/* Create a new name entry at the same position as before */
++	if (X509_NAME_add_entry_by_NID(
++		    ret, NID_localityName, MBSTRING_UTF8,
++		    (const unsigned char *)&PV_IBM_Z_SUBJECT_LOCALITY_NAME_POUGHKEEPSIE,
++		    sizeof(PV_IBM_Z_SUBJECT_LOCALITY_NAME_POUGHKEEPSIE) - 1, pos, 0) != 1)
++		return NULL;
++
++	return g_steal_pointer(&ret);
++}
++
++/* This function contains work-arounds for some known subject(CRT)<->issuer(CRL)
++ * issues.
++ */
++static STACK_OF_X509_CRL *quirk_X509_STORE_ctx_get1_crls(X509_STORE_CTX *ctx,
++							 const X509_NAME *subject, GError **err)
++{
++	g_autoptr(X509_NAME) fixed_subject = NULL;
++	g_autoptr(STACK_OF_X509_CRL) ret = NULL;
++
++	ret = pv_X509_STORE_CTX_get1_crls(ctx, subject);
++	if (ret && sk_X509_CRL_num(ret) > 0)
++		return g_steal_pointer(&ret);
++
++	/* Workaround to fix the mismatch between issuer name of the * IBM
++	 * signing CRLs and the IBM signing key subject name. Locality name has
++	 * changed from Poughkeepsie to Armonk.
++	 */
++	fixed_subject = x509_armonk_locality_fixup(subject);
++	/* Was the locality replaced? */
++	if (fixed_subject) {
++		X509_NAME *tmp;
++
++		sk_X509_CRL_free(ret);
++		ret = pv_X509_STORE_CTX_get1_crls(ctx, fixed_subject);
++		if (ret && sk_X509_CRL_num(ret) > 0)
++			return g_steal_pointer(&ret);
++
++		/* Workaround to fix the ordering mismatch between issuer name
++		 * of the IBM signing CRLs and the IBM signing key subject name.
++		 */
++		tmp = fixed_subject;
++		fixed_subject = pv_c2b_name(fixed_subject);
++		X509_NAME_free(tmp);
++		sk_X509_CRL_free(ret);
++		ret = pv_X509_STORE_CTX_get1_crls(ctx, fixed_subject);
++		if (ret && sk_X509_CRL_num(ret) > 0)
++			return g_steal_pointer(&ret);
++		X509_NAME_free(fixed_subject);
++		fixed_subject = NULL;
++	}
++
++	/* Workaround to fix the ordering mismatch between issuer name of the
++	 * IBM signing CRLs and the IBM signing key subject name.
++	 */
++	fixed_subject = pv_c2b_name(subject);
++	sk_X509_CRL_free(ret);
++	ret = pv_X509_STORE_CTX_get1_crls(ctx, fixed_subject);
++	if (ret && sk_X509_CRL_num(ret) > 0)
++		return g_steal_pointer(&ret);
++
++	g_set_error(err, PV_CERT_ERROR, PV_CERT_ERROR_NO_CRL, _("no CRL found"));
++	return NULL;
++}
++
+ /* Given a certificate @cert try to find valid revocation lists in @ctx. If no
+  * valid CRL was found NULL is returned.
+  */
+@@ -1412,21 +1476,9 @@ STACK_OF_X509_CRL *pv_store_ctx_find_val
+ 		return NULL;
+ 	}
+ 
+-	ret = pv_X509_STORE_CTX_get1_crls(ctx, subject);
+-	if (!ret) {
+-		/* Workaround to fix the mismatch between issuer name of the
+-		 * IBM Z signing CRLs and the IBM Z signing key subject name.
+-		 */
+-		g_autoptr(X509_NAME) broken_subject = pv_c2b_name(subject);
+-
+-		ret = pv_X509_STORE_CTX_get1_crls(ctx, broken_subject);
+-		if (!ret) {
+-			g_set_error(error, PV_CERT_ERROR, PV_CERT_ERROR_NO_CRL, _("no CRL found"));
+-			g_info("ERROR: %s", (*error)->message);
+-			return NULL;
+-		}
+-	}
+-
++	ret = quirk_X509_STORE_ctx_get1_crls(ctx, subject, error);
++	if (!ret)
++		return NULL;
+ 	/* Filter out non-valid CRLs for @cert */
+ 	for (int i = 0; i < sk_X509_CRL_num(ret); i++) {
+ 		X509_CRL *crl = sk_X509_CRL_value(ret, i);

s390-tools-sles15sp6-04-pvattest-Fix-root-ca-parsing.patch

@@ -0,0 +1,25 @@
+Index: s390-tools-service/pvattest/src/argparse.c
+===================================================================
+--- s390-tools-service.orig/pvattest/src/argparse.c
++++ s390-tools-service/pvattest/src/argparse.c
+@@ -190,13 +190,13 @@ static gboolean hex_str_toull(const char
+ 	}
+ 
+ /* NOTE REQUIRED */
+-#define _entry_root_ca(__arg_data, __indent)                                              \
+-	{                                                                                 \
+-		.long_name = "root-ca", .short_name = 0, .flags = G_OPTION_FLAG_NONE,     \
+-		.arg = G_OPTION_ARG_FILENAME_ARRAY, .arg_data = __arg_data,               \
+-		.description = "Use FILE as the trusted root CA instead the\n" __indent   \
+-			       "root CAs that are installed on the system (optional).\n", \
+-		.arg_description = "FILE",                                                \
++#define _entry_root_ca(__arg_data, __indent)                                                       \
++	{                                                                                          \
++		.long_name = "root-ca", .short_name = 0, .flags = G_OPTION_FLAG_NONE,              \
++		.arg = G_OPTION_ARG_FILENAME, .arg_data = __arg_data,                              \
++		.description = "Use FILE as the trusted root CA instead the\n" __indent            \
++			       "root CAs that are installed on the system (optional).\n",          \
++		.arg_description = "FILE",                                                         \
+ 	}
+ 
+ /* NOTE REQUIRED */

s390-tools-sles15sp6-genprotimg-makefile.patch

@@ -0,0 +1,92 @@
+From 0748d365a60477c96cb9f6a12e9dbe547d549e1f Mon Sep 17 00:00:00 2001
+From: Marc Hartmayer <mhartmay@linux.ibm.com>
+Date: Tue, 12 Mar 2024 09:33:19 +0000
+Subject: [PATCH] genprotimg/**/Makefile: Fix staged installs
+
+Fix the support for staged installs. The Makefile variable `PKGDATADIR`
+uses `DESTDIR` for all Makefile target, but actually it should only be
+used for the `install*` and `uninstall*` targets. [1] Fix this by using
+`DESTDIR` only for `install*` targets - uninstall* targets are not
+supported by s390-tools.
+
+Before this change, if `DESTDIR` was set for staged installs,
+`genprotimg` has tried to find the bootloader binaries at the temporary
+installation path `$DESTDIR$(TOOLS_DATADIR)/genprotimg/` instead of
+`$(TOOLS_DATADIR)/genprotimg`.
+
+[1] https://www.gnu.org/prep/standards/html_node/DESTDIR.html
+
+Fixes: 65b9fc442c1a ("genprotimg: introduce new tool for the creation of PV images")
+Reviewed-by: Steffen Eiden <seiden@linux.ibm.com>
+Signed-off-by: Marc Hartmayer <mhartmay@linux.ibm.com>
+Signed-off-by: Steffen Eiden <seiden@linux.ibm.com>
+---
+ genprotimg/Makefile      | 6 +++---
+ genprotimg/boot/Makefile | 8 ++++----
+ genprotimg/src/Makefile  | 2 +-
+ 3 files changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/genprotimg/Makefile b/genprotimg/Makefile
+index 8c9f7048..6a2e37e4 100644
+--- a/genprotimg/Makefile
++++ b/genprotimg/Makefile
+@@ -3,7 +3,7 @@ include ../common.mak
+ 
+ .DEFAULT_GOAL := all
+ 
+-PKGDATADIR := "$(DESTDIR)$(TOOLS_DATADIR)/genprotimg"
++PKGDATADIR := "$(TOOLS_DATADIR)/genprotimg"
+ TESTS :=
+ SUBDIRS := boot src man
+ RECURSIVE_TARGETS := all-recursive install-recursive clean-recursive
+@@ -11,8 +11,8 @@ RECURSIVE_TARGETS := all-recursive install-recursive clean-recursive
+ all: all-recursive
+ 
+ install: install-recursive
+-	$(INSTALL) -d -m 755 "$(PKGDATADIR)"
+-	$(INSTALL) -g $(GROUP) -o $(OWNER) -m 755 samples/check_hostkeydoc "$(PKGDATADIR)"
++	$(INSTALL) -d -m 755 "$(DESTDIR)$(PKGDATADIR)"
++	$(INSTALL) -g $(GROUP) -o $(OWNER) -m 755 samples/check_hostkeydoc "$(DESTDIR)$(PKGDATADIR)"
+ 
+ clean: clean-recursive
+ 
+diff --git a/genprotimg/boot/Makefile b/genprotimg/boot/Makefile
+index 799df9cc..73f3c9a8 100644
+--- a/genprotimg/boot/Makefile
++++ b/genprotimg/boot/Makefile
+@@ -7,7 +7,7 @@ DEBUG_FILES := $(addsuffix .debug,$(FILES))
+ ifeq ($(HOST_ARCH),s390x)
+ ZIPL_DIR := $(rootdir)/zipl
+ ZIPL_BOOT_DIR := $(ZIPL_DIR)/boot
+-PKGDATADIR := $(DESTDIR)$(TOOLS_DATADIR)/genprotimg
++PKGDATADIR := $(TOOLS_DATADIR)/genprotimg
+ 
+ INCLUDE_PATHS := $(ZIPL_BOOT_DIR) $(ZIPL_DIR)/include $(rootdir)/include
+ INCLUDE_PARMS := $(addprefix -I,$(INCLUDE_PATHS))
+@@ -86,9 +86,9 @@ stage3b.elf: head.o $(ZIPL_OBJS)
+ 	@chmod a-x $@
+ 
+ install: stage3a.bin stage3b_reloc.bin
+-	$(INSTALL) -d -m 755 "$(PKGDATADIR)"
+-	$(INSTALL) -g $(GROUP) -o $(OWNER) -m 644 stage3a.bin "$(PKGDATADIR)"
+-	$(INSTALL) -g $(GROUP) -o $(OWNER) -m 644 stage3b_reloc.bin "$(PKGDATADIR)"
++	$(INSTALL) -d -m 755 "$(DESTDIR)$(PKGDATADIR)"
++	$(INSTALL) -g $(GROUP) -o $(OWNER) -m 644 stage3a.bin "$(DESTDIR)$(PKGDATADIR)"
++	$(INSTALL) -g $(GROUP) -o $(OWNER) -m 644 stage3b_reloc.bin "$(DESTDIR)$(PKGDATADIR)"
+ 
+ else
+ # Don't generate the dependency files (see `common.mak` for the
+diff --git a/genprotimg/src/Makefile b/genprotimg/src/Makefile
+index 08734bff..d447e6cf 100644
+--- a/genprotimg/src/Makefile
++++ b/genprotimg/src/Makefile
+@@ -3,7 +3,7 @@ include ../../common.mak
+ 
+ bin_PROGRAM = genprotimg
+ 
+-PKGDATADIR ?= "$(DESTDIR)$(TOOLS_DATADIR)/genprotimg"
++PKGDATADIR ?= "$(TOOLS_DATADIR)/genprotimg"
+ SRC_DIR := $(dir $(realpath $(firstword $(MAKEFILE_LIST))))
+ TOP_SRCDIR := $(SRC_DIR)/../
+ ROOT_DIR = $(TOP_SRC_DIR)/../../
+

s390-tools.changes

@@ -1,3 +1,60 @@
+-------------------------------------------------------------------
+Thu Apr 18 11:05:53 UTC 2024 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
+
+- Applied an updated patch (bsc#1220949,bsc#1221873)
+  * s390-tools-sles15sp6-01-parse-ipl-device-for-activation.patch 
+
+-------------------------------------------------------------------
+Tue Apr 16 16:55:05 UTC 2024 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
+
+- Amended the .spec file for x86_64
+  * Recommends: s390-tools-genprotimg-data 
+
+-------------------------------------------------------------------
+Tue Apr 16 07:48:20 UTC 2024 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
+
+- Amended the .spec file for s390-tools-genprotimg-data-*.noarch.rpm
+  * Removed the dependency on it on x86_64 platform
+  * Updated the Summary and Description of the *.noarch.rpm (bsc#1222675) 
+
+-------------------------------------------------------------------
+Fri Apr 12 15:28:09 UTC 2024 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
+
+- Updated the .spec file to enable Secure Execution in the Cloud (bsc#1222675)
+  * Creates a s390-tools-genprotimg-data-*.noarch.rpm package which includes
+    s390x bootload binaries for x86_64: 
+    - /lib/s390-tools/stage3.bin
+    - /usr/share/s390-tools/genprotimg/stage3a.bin
+    - /usr/share/s390-tools/genprotimg/stage3b_reloc.bin
+  * Excludes the above binaries from the (main) s390-tools-*.s390x.rpm
+  * Requires: s390-tools-genprotimg-data 
+
+-------------------------------------------------------------------
+Thu Apr  4 03:51:55 UTC 2024 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
+
+- SE-tooling: New IBM host-key subject locality (s390-tools) (bsc#1222282)
+  * s390-tools-sles15sp5-01-rust-pv-support-Armonk-in-IBM-signing-key-subject.patch
+  * s390-tools-sles15sp6-02-genprotimg-support-Armonk-in-IBM-signing-key-subject.patch
+  * s390-tools-sles15sp6-03-libpv-support-Armonk-in-IBM-signing-key-subject.patch
+  * s390-tools-sles15sp6-04-pvattest-Fix-root-ca-parsing.patch 
+
+-------------------------------------------------------------------
+Tue Apr  2 05:32:45 UTC 2024 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
+
+- Apllied a patch(bsc#1220949,bsc#1221873)
+  * s390-tools-sles15sp6-01-parse-ipl-device-for-activation.patch
+
+-------------------------------------------------------------------
+Fri Mar 15 16:45:58 UTC 2024 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
+
+- Applied a patch (bsc#1221072) 
+  * s390-tools-sles15sp6-genprotimg-makefile.patch
+
+-------------------------------------------------------------------
+Tue Mar 12 08:46:19 UTC 2024 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
+
+- Amended the .spec file for x86_64 (jsc#PED-7135, jsc#IBM-1309) 
+
 -------------------------------------------------------------------
 Wed Feb 21 17:02:55 UTC 2024 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
 

s390-tools.spec

@@ -35,7 +35,7 @@
 Name:           s390-tools
 Version:        2.31.0
 Release:        0
-Summary:        S/390 tools like zipl and dasdfmt
+Summary:        S/390 tools like zipl and dasdfmt for s390x (plus selected tools for x86_64)
 License:        MIT
 Group:          System/Kernel
 URL:            https://github.com/ibm-s390-tools/s390-tools
@@ -153,6 +153,13 @@ Patch910:       s390-tools-sles15sp1-11-zdev-Do-not-call-zipl-on-initrd-update.p
 Patch911:       s390-tools-sles15sp5-remove-no-pie-link-arguments.patch
 Patch912:       s390-tools-ALP-zdev-live.patch
 Patch913:       s390-tools-sles15sp6-kdump-initrd-59-zfcp-compat-rules.patch
+Patch914:       s390-tools-sles15sp6-genprotimg-makefile.patch
+Patch915:       s390-tools-sles15sp6-01-parse-ipl-device-for-activation.patch
+### SE-tooling: New IBM host-key subject locality (s390-tools)
+Patch916:       s390-tools-sles15sp5-01-rust-pv-support-Armonk-in-IBM-signing-key-subject.patch
+Patch917:       s390-tools-sles15sp6-02-genprotimg-support-Armonk-in-IBM-signing-key-subject.patch
+Patch918:       s390-tools-sles15sp6-03-libpv-support-Armonk-in-IBM-signing-key-subject.patch
+Patch919:       s390-tools-sles15sp6-04-pvattest-Fix-root-ca-parsing.patch
 ###
 
 BuildRequires:  curl-devel
@@ -174,7 +181,7 @@ BuildRequires:  pesign-obs-integration
 BuildRequires:  systemd-devel
 BuildRequires:  tcpd-devel
 BuildRequires:  zlib-devel-static
-### x86_64
+### s390x
 %ifarch s390x
 BuildRequires:  kernel-zfcpdump
 BuildRequires:  qclib-devel-static
@@ -188,12 +195,15 @@ BuildRequires:  openssl
 # Don't build with pie to avoid problems with zipl
 #!BuildIgnore:  gcc-PIE
 Requires:       coreutils
+Requires:       procps
+Requires:       util-linux
+%ifarch s390x
 Requires:       gawk
 Requires:       perl-base
-Requires:       procps
 Requires:       rsync
 Requires:       tar
-Requires:       util-linux
+Requires:       s390-tools-genprotimg-data
+%endif
 Requires(post): %fillup_prereq
 Requires(post): permissions
 Requires(pre):  shadow
@@ -202,17 +212,28 @@ Provides:       s390utils:/sbin/dasdfmt
 Provides:       group(cpacfstats)
 Provides:       group(ts-shell)
 Provides:       group(zkeyadm)
+%ifarch x86_64
+Recommends: s390-tools-genprotimg-data
+%endif
+###
 ExclusiveArch:  s390x x86_64
 
 %description
-This package contains the tools needed to use Linux on IBM z Systems
+This package contains the tools (s390x, x86_64) needed to use Linux on IBM z Systems
-and exploit many of the various capabilities of the hardware or z/VM.
+and exploit many of the various capabilities of the hardware or z/VM. For example:
-For example:
+
+ - s390x
 dasdfmt  - low-level format tool for ECKD DASD
 fdasd	 - partitions ECKD DASDs with z/OS compatible disk layout
 zipl     - boot loader and dump DASD initializer
 zgetdump - tool to get linux system dumps from DASD
 
+ - x86_64
+genprotimg - create a protected virtualization image
+pvattest   - create, perform, and verify protected virtualization attestation measurements
+
+Note: The package requires - s390-tools-genprotimg-data-*.noarch.rpm - installed
+
 %package -n osasnmpd
 Summary:        OSA-Express SNMP subagent
 License:        GPL-2.0-or-later
@@ -322,6 +343,19 @@ unavailable, the toolset checks for operational paths to the same
 volume. If available, it reconfigures the FCP re-IPL settings to use an
 operational path.
 
+%package genprotimg-data
+Summary:        Auxiliary data used by genprotimg
+License:        MIT
+Group:          System/Boot
+BuildArch:      noarch
+
+%description genprotimg-data
+The genprotimg allows preparing and analyzing boot images
+in the realm of IBM Secure Execution on a trusted environment,
+such as the laptop of an admin by limiting the build targets 
+depending on the defined or detected host architecture.
+This package provides auxiliary data used by genprotimg.
+
 ### *** s390x ************************************************************************* ###
 %ifarch s390x
 
@@ -342,7 +376,7 @@ tar -xzf %{SOURCE201}
 export OPT_FLAGS="%{optflags}"
 export KERNELIMAGE_MAKEFLAGS="%%{?_smp_mflags}"
 
-%make_build -v \
+%make_build \
      ZFCPDUMP_DIR=%{_prefix}/lib/s390-tools/zfcpdump \
      DISTRELEASE=%{release} \
      UDEVRUNDIR=/run/udev \
@@ -351,7 +385,7 @@ export KERNELIMAGE_MAKEFLAGS="%%{?_smp_mflags}"
      CC=gcc-13 \
      CXX=g++-13
 ###     all
-gcc-13 -v -static -o read_values ${OPT_FLAGS} %{SOURCE86} -lqc
+gcc-13 -static -o read_values ${OPT_FLAGS} %{SOURCE86} -lqc
 
 %install
 mkdir -p %{buildroot}/boot/zipl
@@ -708,6 +742,10 @@ done
 %dir /etc/mdevctl.d/scripts.d/
 %dir /etc/mdevctl.d/scripts.d/callouts/
 ###
+%exclude /lib/s390-tools/stage3.bin
+%exclude %{_datadir}/s390-tools/genprotimg/stage3a.bin
+%exclude %{_datadir}/s390-tools/genprotimg/stage3b_reloc.bin
+###
 
 %files -n osasnmpd -f %{_builddir}/%{name}.osasnmp
 %{_libexecdir}/net-snmp/agents/osasnmpd
@@ -754,6 +792,12 @@ done
 %{_udevrulesdir}/70-chreipl-fcp-mpath.rules
 %{_mandir}/man7/chreipl-fcp-mpath.7%{?ext_man}
 
+### genprotimg
+%files genprotimg-data
+/lib/s390-tools/stage3.bin
+%{_datadir}/s390-tools/genprotimg/stage3a.bin
+%{_datadir}/s390-tools/genprotimg/stage3b_reloc.bin
+
 ### _endif
 ### *** !s390x ************************************************************************* ###
 ### _ifarch x86_64
@@ -784,14 +828,11 @@ export KERNELIMAGE_MAKEFLAGS="%%{?_smp_mflags}"
 
 %files
 %{_prefix}/bin/*
-%{_prefix}/share/s390-tools/*
+%dir %{_datadir}/s390-tools
-%dir /usr/share/s390-tools
+%dir %{_datadir}/s390-tools/genprotimg
+%{_datadir}/s390-tools/genprotimg/check_hostkeydoc
 %{_mandir}/man1/*
 
-%files debuginfo
-%dir %{_prefix}/lib/debug
-%dir %{_prefix}/lib/debug/usr/bin
-
 %endif
 
 %changelog