From aa2121ba349467272f4f333c15272e8cef112e5176d08408ba1c98fb2734fd08 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Adrian=20Schr=C3=B6ter?=
Date: Thu, 28 Nov 2024 10:28:50 +0100
Subject: [PATCH] Sync from SUSE:SLFO:Main s390-tools revision ca6e8fd2e5ddbe310b053b103d70157f
---
 ctc_configure | 14 -
 dasd_configure.opensuse | 13 -
 dasd_configure.suse | 13 -
 qeth_configure | 15 -
 s390-tools-2.31.0.tar.gz | 3 +
 s390-tools-2.35.0.tar.gz | 3 -
 s390-tools-ALP-zdev-live.patch | 22 +-
 ...sles15-sysconfig-compatible-dumpconf.patch | 124 ++++---
 ...5sp3-Allow-multiple-device-arguments.patch | 84 ++---
 ...sles15sp3-Format-devices-in-parallel.patch | 53 +--
 ...ools-sles15sp3-Implement-Y-yast_mode.patch | 51 +--
 ...mplement-f-for-backwards-compability.patch | 47 +--
 ...rt-Armonk-in-IBM-signing-key-subject.patch | 286 ++++++++++++++++
 ...es15sp5-remove-no-pie-link-arguments.patch | 12 +-
 ...rt-Armonk-in-IBM-signing-key-subject.patch | 304 ++++++++++++++++++
 ...rt-Armonk-in-IBM-signing-key-subject.patch | 224 +++++++++++++
 ...5sp6-04-pvattest-Fix-root-ca-parsing.patch | 25 ++
 ...-tools-sles15sp6-genprotimg-makefile.patch | 92 ++++++
 ...p6-kdump-initrd-59-zfcp-compat-rules.patch | 10 +-
 s390-tools.changes | 81 -----
 s390-tools.spec | 18 +-
 vendor.tar.gz | 4 +-
 zfcp_host_configure | 13 -
 23 files changed, 1179 insertions(+), 332 deletions(-)
 create mode 100644 s390-tools-2.31.0.tar.gz
 delete mode 100644 s390-tools-2.35.0.tar.gz
 create mode 100644 s390-tools-sles15sp5-01-rust-pv-support-Armonk-in-IBM-signing-key-subject.patch
 create mode 100644 s390-tools-sles15sp6-02-genprotimg-support-Armonk-in-IBM-signing-key-subject.patch
 create mode 100644 s390-tools-sles15sp6-03-libpv-support-Armonk-in-IBM-signing-key-subject.patch
 create mode 100644 s390-tools-sles15sp6-04-pvattest-Fix-root-ca-parsing.patch
 create mode 100644 s390-tools-sles15sp6-genprotimg-makefile.patch
diff --git a/ctc_configure b/ctc_configure
index 3d4ee1f..1634b93 100644
--- a/ctc_configure
+++ b/ctc_configure
@@ -44,14 +44,6 @@ debug_mesg () {
 esac
 }
-add_cio_channel() {
- echo "$* # ${DATE}" >> /boot/zipl/active_devices.txt
-}
-
-remove_cio_channel() {
- [ -w /boot/zipl/active_devices.txt ] && sed -i -e "/^${1}/d" /boot/zipl/active_devices.txt
-}
-
 usage(){
 echo "Usage: ${0} []"
 echo " read/write channel = x.y.ssss where"
@@ -120,9 +112,3 @@ RC=${?}
 if [ ${RC} -ne 0 ]; then
 exit ${RC}
 fi
-
-if [ ${ON_OFF} == 1 ]; then
- add_cio_channel "${CTC_READ_CHAN},${CTC_WRITE_CHAN}"
-else remove_cio_channel "${CTC_READ_CHAN}"
- remove_cio_channel "${CTC_WRITE_CHAN}"
-fi
diff --git a/dasd_configure.opensuse b/dasd_configure.opensuse
index a04fcde..6f135ee 100644
--- a/dasd_configure.opensuse
+++ b/dasd_configure.opensuse
@@ -43,14 +43,6 @@ debug_mesg () {
 esac
 }
-add_cio_channel() {
- echo "$* # ${DATE}" >> /boot/zipl/active_devices.txt
-}
-
-remove_cio_channel() {
- [ -w /boot/zipl/active_devices.txt ] && sed -i -e "/^${1}/d" /boot/zipl/active_devices.txt
-}
-
 usage(){
 echo "Usage: ${0} [-f -t ] [use_diag]"
 echo
@@ -165,9 +157,4 @@ elif [ ${ON_OFF} == 1 ]; then
 fi
 fi
-if [ ${ON_OFF} == 1 ]; then
- add_cio_channel "${CCW_CHAN_ID}"
-else remove_cio_channel "${CCW_CHAN_ID}"
-fi
-
 exit ${exitcode}
diff --git a/dasd_configure.suse b/dasd_configure.suse
index 1aae177..6b453b2 100644
--- a/dasd_configure.suse
+++ b/dasd_configure.suse
@@ -43,14 +43,6 @@ debug_mesg () {
 esac
 }
-add_cio_channel() {
- echo "$* # ${DATE}" >> /boot/zipl/active_devices.txt
-}
-
-remove_cio_channel() {
- [ -w /boot/zipl/active_devices.txt ] && sed -i -e "/^${1}/d" /boot/zipl/active_devices.txt
-}
-
 usage(){
 echo "Usage: ${0} [-f -t ] [use_diag]"
 echo
@@ -165,9 +157,4 @@ elif [ ${ON_OFF} == 1 ]; then
 fi
 fi
-if [ ${ON_OFF} == 1 ]; then
- add_cio_channel "${CCW_CHAN_ID}"
-else remove_cio_channel "${CCW_CHAN_ID}"
-fi
-
 exit ${exitcode}
diff --git a/qeth_configure b/qeth_configure
index 8e883ab..bf30117 100644
--- a/qeth_configure
+++ b/qeth_configure
@@ -48,14 +48,6 @@ debug_mesg () { esac } -add_cio_channel() { - echo "$* # ${DATE}" >> /boot/zipl/active_devices.txt -} - -remove_cio_channel() { - [ -w /boot/zipl/active_devices.txt ] && sed -i -e "/^${1}/d" /boot/zipl/active_devices.txt -} - usage(){ echo "Usage: ${0} [options] " echo " -i Configure IP takeover" @@ -165,10 +157,3 @@ RC=${?} if [ ${RC} -ne 0 ]; then exit ${RC} fi - -if [ ${ON_OFF} == 1 ]; then - add_cio_channel "${QETH_READ_CHAN},${QETH_WRITE_CHAN},${QETH_DATA_CHAN}" -else remove_cio_channel "${QETH_READ_CHAN}" - remove_cio_channel "${QETH_WRITE_CHAN}" - remove_cio_channel "${QETH_DATA_CHAN}" -fi diff --git a/s390-tools-2.31.0.tar.gz b/s390-tools-2.31.0.tar.gz new file mode 100644 index 0000000..3f5dfab --- /dev/null +++ b/s390-tools-2.31.0.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:83550c05f4fdb631376ad980df058de84292a9e5fbbce631ba3de5749c4f1c5e +size 2059068 diff --git a/s390-tools-2.35.0.tar.gz b/s390-tools-2.35.0.tar.gz deleted file mode 100644 index 99e5cfb..0000000 --- a/s390-tools-2.35.0.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:2b00d49d2fd649308ad385a80da4cfdfacc1fa642b6949431adf41689ac4848a -size 2125787 diff --git a/s390-tools-ALP-zdev-live.patch b/s390-tools-ALP-zdev-live.patch index 5d45a79..fee9f2b 100644 --- a/s390-tools-ALP-zdev-live.patch +++ b/s390-tools-ALP-zdev-live.patch @@ -5,8 +5,10 @@ zdev/dracut/Makefile | 15 ++++++++++-- 4 files changed, 92 insertions(+), 2 deletions(-) +Index: s390-tools-2.30.0/zdev/dracut/96zdev-live/module-setup.sh +=================================================================== --- /dev/null -+++ b/zdev/dracut/96zdev-live/module-setup.sh ++++ s390-tools-2.30.0/zdev/dracut/96zdev-live/module-setup.sh @@ -0,0 +1,32 @@ +#!/bin/bash + 
@@ -40,8 +42,10 @@ + inst_hook cleanup 41 "$moddir/write-udev-live.sh" + inst_multiple chzdev +} +Index: s390-tools-2.30.0/zdev/dracut/96zdev-live/parse-zdev-live.sh +=================================================================== --- /dev/null -+++ b/zdev/dracut/96zdev-live/parse-zdev-live.sh ++++ s390-tools-2.30.0/zdev/dracut/96zdev-live/parse-zdev-live.sh @@ -0,0 +1,36 @@ +#!/bin/bash +# @@ -79,8 +83,10 @@ + fi +done + +Index: s390-tools-2.30.0/zdev/dracut/96zdev-live/write-udev-live.sh +=================================================================== --- /dev/null -+++ b/zdev/dracut/96zdev-live/write-udev-live.sh ++++ s390-tools-2.30.0/zdev/dracut/96zdev-live/write-udev-live.sh @@ -0,0 +1,11 @@ +#!/bin/sh +# @@ -93,9 +99,11 @@ +if [ -w /sysroot/etc/udev/rules.d ]; then + cp -p /etc/udev/rules.d/41-* /sysroot/etc/udev/rules.d +fi ---- a/zdev/dracut/Makefile -+++ b/zdev/dracut/Makefile -@@ -3,17 +3,23 @@ +Index: s390-tools-2.30.0/zdev/dracut/Makefile +=================================================================== +--- s390-tools-2.30.0.orig/zdev/dracut/Makefile ++++ s390-tools-2.30.0/zdev/dracut/Makefile +@@ -3,17 +3,23 @@ include ../../common.mak ZDEVDIR := 95zdev ZDEVKDUMPDIR := 95zdev-kdump @@ -121,7 +129,7 @@ ifeq ($(HAVE_DRACUT),1) install: $(INSTALL) -m 755 -d $(DESTDIR)$(DRACUTMODDIR)/ -@@ -29,4 +35,9 @@ +@@ -25,4 +31,9 @@ install: $(INSTALL) -m 755 -d $(DESTDIR)$(DRACUTMODDIR)/$(ZDEVKDUMPDIR) $(INSTALL) -m 755 $(ZDEVKDUMPDIR)/module-setup.sh \ $(DESTDIR)$(DRACUTMODDIR)/$(ZDEVKDUMPDIR)/ diff --git a/s390-tools-sles15-sysconfig-compatible-dumpconf.patch b/s390-tools-sles15-sysconfig-compatible-dumpconf.patch index 61e9f97..49cd4ab 100644 --- a/s390-tools-sles15-sysconfig-compatible-dumpconf.patch +++ b/s390-tools-sles15-sysconfig-compatible-dumpconf.patch 
@@ -1,27 +1,34 @@ ---- - etc/sysconfig/dumpconf | 133 +++++++++++++++++++++++++++++++++++++++++++++++++ - 1 file changed, 133 insertions(+) - ---- a/etc/sysconfig/dumpconf -+++ b/etc/sysconfig/dumpconf -@@ -1,3 +1,4 @@ -+########################################################################################### - # - # s390 dump config - # -@@ -78,3 +79,135 @@ - # dumpconf becomes active immediately during system startup. - # - # ON_PANIC=reipl -+ -+############################ Begin Definitions ########################################### +Index: s390-tools-2.30.0/etc/sysconfig/dumpconf +=================================================================== +--- s390-tools-2.30.0.orig/etc/sysconfig/dumpconf ++++ s390-tools-2.30.0/etc/sysconfig/dumpconf +@@ -1,71 +1,137 @@ +## Path: System/Dumpconf +## Description: Configures the actions which should be performed after a kernel panic +## Type: list(stop,dump,vmcmd,reipl,dump_reipl) +## Default: "stop" +## ServiceRestart: dumpconf -+# + # +-# s390 dump config +-# +-# Configures the actions which should be performed after a kernel panic +-# and on PSW restart. +# Define the action that should be taken if a kernel panic happens. + # + # The following actions are supported: + # +-# * stop: Stop Linux (default) +-# * dump: Dump Linux with stand-alone dump tool +-# * vmcmd: Issue z/VM CP commands +-# * reipl: Re-IPL Linux using setting under /sys/firmware/reipl +-# * dump_reipl: First dump Linux with stand-alone dump tool, then re-IPL Linux +-# using setting under /sys/firmware/reipl ++# * stop: Stop Linux (default) ++# * dump: Dump Linux ++# * vmcmd: Issue z/VM CP commands ++# * reipl: Re-IPL Linux using setting under /sys/firmware/reipl ++# * dump_reipl: First dump Linux, then re-IPL Linux using setting under ++# /sys/firmware/reipl +# +ON_PANIC="stop" + 
@@ -55,10 +62,14 @@ +# Define the device id for a DASD or SCSI over zFCP dump device. +# +# For example (DASD and SCSI over zFCP have the same structure): DEVICE=0.0.4711 -+# + # +DEVICE="" -+ -+# Type: string + +-# For the actions "reipl" and "dump_reipl" the DELAY_MINUTES keyword may +-# be used to delay the activation of dumpconf. +-# Thus potential reipl loops caused by kernel panics +-# which persistently occur early in the boot process can be prevented. ++## Type: string +## Default: "" +## ServiceRestart: dumpconf +# 
@@ -67,40 +78,62 @@ +# For example: WWPN=0x5005076303004711 +# +WWPN="" -+ + +-# Dump on CCW device (DASD) and re-IPL after dump is complete. +-# The re-IPL device, as specified under "/sys/firmware/reipl", is used. +-# The activation of dumpconf is delayed by 5 minutes. +## Type: string +## Default: "" +## ServiceRestart: dumpconf -+# + # +-# ON_PANIC=dump_reipl +-# DUMP_TYPE=ccw +-# DEVICE=0.0.4e13 +-# DELAY_MINUTES=5 +# Define the LUN for a zFCP dump device. +# +# For example: LUN=0x4711000000000000 +# +LUN="" -+ + +## Type: integer(0:30) +## Default: "0" +## ServiceRestart: dumpconf +# +# Define the Boot program selector for a zFCP dump device. -+# + # +-# Dump on fcp device (SCSI Disk) +# A decimal value between 0 and 30 specifying the program to be loaded from +# the FCP-I/O device. -+# + # +-# ON_PANIC=dump +-# DUMP_TYPE=fcp +-# DEVICE=0.0.4711 +-# WWPN=0x5005076303004711 +-# LUN=0x4711000000000000 +-# BOOTPROG=0 +-# BR_LBA=0 +BOOTPROG="0" -+ + +## Type: string +## Default: "0" +## ServiceRestart: dumpconf -+# + # +-# Dump on nvme device (NVMe Disk) +# Define the Boot record logical block address for a zFCP dump device. -+# + # +-# ON_PANIC=dump +-# DUMP_TYPE=nvme +-# FID=0x00000300 +-# NSID=0x00000001 +-# BOOTPROG=3 +-# BR_LBA=0 +# The hexadecimal digits designating the logical-block address of the boot record of the FCP-I/O device. +# It must be a value from 0-FFFFFFFF FFFFFFFF. For values longer than 8 hex characters at least one separator +# blank is required after the 8th character. +# +BR_LBA="0" -+ + +## Type: string +## Default: "" +## ServiceRestart: dumpconf @@ -108,11 +141,16 @@ +# Define the Function ID for NVMe dump device. +# +# The hexadecimal digits designating the Function ID for the NMVe disk. -+# + # +-# Use VMDUMP +# For example: FID=0x00000300 -+# + # +-# ON_PANIC=vmcmd +-# VMCMD_1="MESSAGE * Starting VMDUMP" +-# VMCMD_2="VMDUMP" +-# VMCMD_3="IPL 4711" +FID="" -+ + +## Type: string +## Default: "" +## ServiceRestart: dumpconf 
@@ -120,21 +158,28 @@ +# Define the Namespace ID for the NVMe dump device +# +# The hexadecimal digits designating the Namespace ID for the NMVe disk. -+# + # +-# Stop Linux (default) +# For example: NSID=0x00000001 -+# + # +-# ON_PANIC=stop +NSID="" -+ + +## Type: string +## Default: "" +## ServiceRestart: dumpconf -+# + # +-# Re-IPL Linux +-# The re-IPL device, as specified under "/sys/firmware/reipl", is used. +-# Since the DELAY_MINUTES keyword is omitted, there is no delay and +-# dumpconf becomes active immediately during system startup. +# VMCMD_ +# Specifies a CP command, is a number from one to eight. You can +# specify up to eight CP commands that are executed in case of a kernel +# panic. Note that VM commands, device adresses, and VM guest names +# must be uppercase. -+# + # +-# ON_PANIC=reipl +VMCMD_1="" +VMCMD_2="" +VMCMD_3="" @@ -143,6 +188,3 @@ +VMCMD_6="" +VMCMD_7="" +VMCMD_8="" -+ -+############################### End Definitions ############################################## -\ No newline at end of file diff --git a/s390-tools-sles15sp3-Allow-multiple-device-arguments.patch b/s390-tools-sles15sp3-Allow-multiple-device-arguments.patch index a68246f..9f8c579 100644 --- a/s390-tools-sles15sp3-Allow-multiple-device-arguments.patch +++ b/s390-tools-sles15sp3-Allow-multiple-device-arguments.patch @@ -7,32 +7,36 @@ Allow the user to specify several devices as arguments to dasdfmt. 
Signed-off-by: Hannes Reinecke --- - dasdfmt/dasdfmt.8 | 6 - - dasdfmt/dasdfmt.c | 197 +++++++++++++++++++++++++++++++----------------------- - 2 files changed, 119 insertions(+), 84 deletions(-) + dasdfmt/dasdfmt.8 | 5 +- + dasdfmt/dasdfmt.c | 175 ++++++++++++++++++++++++++++++------------------------ + 2 files changed, 100 insertions(+), 80 deletions(-) ---- a/dasdfmt/dasdfmt.8 -+++ b/dasdfmt/dasdfmt.8 -@@ -11,14 +11,14 @@ +Index: s390-tools-2.30.0/dasdfmt/dasdfmt.8 +=================================================================== +--- s390-tools-2.30.0.orig/dasdfmt/dasdfmt.8 ++++ s390-tools-2.30.0/dasdfmt/dasdfmt.8 +@@ -11,14 +11,15 @@ dasdfmt \- formatting of DASD (ECKD) dis .br - [\-r \fIcylinder\fR] [\-b \fIblksize\fR] [\-l \fIvolser\fR] [\-d \fIlayout\fR] + [-r \fIcylinder\fR] [-b \fIblksize\fR] [-l \fIvolser\fR] [-d \fIlayout\fR] .br -- [\-L] [\-V] [\-F] [\-k] [\-C] [\-M \fImode\fR] \fIdevice\fR -+ [\-L] [\-V] [\-F] [\-k] [\-C] [\-M \fImode\fR] \fIdevice\fR [\fIdevice\fR] +- [-L] [-V] [-F] [-k] [-C] [-M \fImode\fR] \fIdevice\fR ++ [-L] [-V] [-F] [-k] [-C] [-M \fImode\fR] \fIdevice\fR [\fIdevice\fR] .SH DESCRIPTION -\fBdasdfmt\fR formats a DASD (ECKD) disk drive to prepare it -+\fBdasdfmt\fR formats one or several DASD (ECKD) disk drive(s) to prepare them ++\fBdasdfmt\fR formats one or several DASD (ECKD) disk drive to prepare it for usage with Linux for S/390. The \fIdevice\fR is the node of the device (e.g. '/dev/dasda'). Any device node created by udev for kernel 2.6 can be used --(e.g. '/dev/dasd/0.0.b100/disc'). -+(e.g. '/dev/dasd/0.0.b100/disc'). It is possible to specify up to 512 devices. + (e.g. '/dev/dasd/0.0.b100/disc'). ++It is possible to specify up to 512 devices. 
.br \fBWARNING\fR: Careless usage of \fBdasdfmt\fR can result in ---- a/dasdfmt/dasdfmt.c -+++ b/dasdfmt/dasdfmt.c +Index: s390-tools-2.30.0/dasdfmt/dasdfmt.c +=================================================================== +--- s390-tools-2.30.0.orig/dasdfmt/dasdfmt.c ++++ s390-tools-2.30.0/dasdfmt/dasdfmt.c @@ -25,6 +25,8 @@ #include "dasdfmt.h" @@ -42,7 +46,7 @@ Signed-off-by: Hannes Reinecke #define BUSIDSIZE 8 #define SEC_PER_DAY (60 * 60 * 24) #define SEC_PER_HOUR (60 * 60) -@@ -57,7 +59,9 @@ +@@ -57,7 +59,9 @@ static const struct util_prg prg = { static struct dasdfmt_globals { dasd_information2_t dasd_info; char *dev_path; /* device path entered by user */ @@ -52,7 +56,7 @@ Signed-off-by: Hannes Reinecke int verbosity; int testmode; int withoutprompt; -@@ -484,15 +488,15 @@ +@@ -484,15 +488,15 @@ static void program_interrupt_signal(int program_interrupt_in_progress = 1; if (disk_disabled) { @@ -71,7 +75,7 @@ Signed-off-by: Hannes Reinecke } else { printf("Exiting...\n"); } -@@ -512,9 +516,6 @@ +@@ -512,9 +516,6 @@ static void get_device_name(int optind, unsigned int maj, min; struct stat dev_stat; @@ -81,7 +85,7 @@ Signed-off-by: Hannes Reinecke if (optind >= argc) error("No device specified!"); -@@ -610,10 +611,10 @@ +@@ -610,10 +611,10 @@ static void check_disk(void) error("the ioctl call to retrieve read/write status information failed: %s", strerror(err)); if (ro) @@ -94,7 +98,7 @@ Signed-off-by: Hannes Reinecke } if (strncmp(g.dasd_info.type, "ECKD", 4) != 0) { warnx("Unsupported disk type"); -@@ -700,7 +701,7 @@ +@@ -700,7 +701,7 @@ static void set_geo(unsigned int *cylind struct dasd_eckd_characteristics *characteristics; if (g.verbosity > 0) @@ -103,7 +107,7 @@ 
Signed-off-by: Hannes Reinecke characteristics = (struct dasd_eckd_characteristics *) &g.dasd_info.characteristics; -@@ -728,13 +729,13 @@ +@@ -728,13 +729,13 @@ static void set_label(volume_label_t *vl "Cylinders above this limit will not be" " accessible as a linux partition!\n" "Type \"yes\" to continue, no will leave" @@ -120,7 +124,7 @@ Signed-off-by: Hannes Reinecke return; } } -@@ -872,7 +873,7 @@ +@@ -872,7 +873,7 @@ static void check_disk_format(unsigned i check_params->start_unit = 0; check_params->stop_unit = (cylinders * heads) - 1; @@ -129,7 +133,7 @@ Signed-off-by: Hannes Reinecke if (g.testmode) { printf("Test mode active, omitting ioctl.\n"); -@@ -896,7 +897,7 @@ +@@ -896,7 +897,7 @@ static void check_disk_format(unsigned i if (process_tracks(cylinders, heads, check_params)) error("Use --mode=full to perform a clean format."); @@ -138,7 +142,7 @@ Signed-off-by: Hannes Reinecke } /* -@@ -946,8 +947,8 @@ +@@ -946,8 +947,8 @@ static void dasdfmt_print_info(volume_la printf("Device Type: %s Provisioned\n", g.ese ? "Thinly" : "Fully"); @@ -149,7 +153,7 @@ Signed-off-by: Hannes Reinecke printf(" Device number of device : 0x%x\n", g.dasd_info.devno); printf(" Labelling device : %s\n", (g.writenolabel) ? "no" : "yes"); -@@ -1012,7 +1013,7 @@ +@@ -1012,7 +1013,7 @@ static void dasdfmt_write_labels(volume_ int ipl1_record_len, ipl2_record_len; if (g.verbosity > 0) @@ -158,7 +162,7 @@ Signed-off-by: Hannes Reinecke get_blocksize(&blksize); -@@ -1030,7 +1031,7 @@ +@@ -1030,7 +1031,7 @@ static void dasdfmt_write_labels(volume_ /* write empty bootstrap (initial IPL records) */ if (g.verbosity > 0) @@ -167,7 +171,7 @@ Signed-off-by: Hannes Reinecke /* * Note: ldl labels do not contain the key field -@@ -1089,7 +1090,7 @@ +@@ -1089,7 +1090,7 @@ static void dasdfmt_write_labels(volume_ label_position = g.dasd_info.label_block * blksize; if (g.verbosity > 0) @@ -176,7 +180,7 @@ 
Signed-off-by: Hannes Reinecke rc = lseek(fd, label_position, SEEK_SET); if (rc != label_position) { -@@ -1120,7 +1121,7 @@ +@@ -1120,7 +1121,7 @@ static void dasdfmt_write_labels(volume_ } if (g.verbosity > 0) @@ -185,16 +189,16 @@ Signed-off-by: Hannes Reinecke label_position = (VTOC_START_CC * heads + VTOC_START_HH) * geo.sectors * blksize; -@@ -1242,7 +1243,7 @@ +@@ -1242,7 +1243,7 @@ static int dasdfmt_release_space(void) if (!g.ese || g.no_discard) - return; + return 0; - printf("Releasing space for the entire device...\n"); + printf("Releasing space for the entire %s device...\n", g.dev_path); err = dasd_release_space(g.dev_node, &r); - if (err) - error("Could not release space: %s", strerror(err)); -@@ -1261,20 +1262,21 @@ + /* + * Warn or Error on failing RAS depending on QUICK mode set explicitly or automatically +@@ -1270,20 +1271,21 @@ static void dasdfmt_prepare_and_format(u int err; if (!(g.withoutprompt && g.verbosity < 1)) @@ -221,7 +225,7 @@ Signed-off-by: Hannes Reinecke /* except track 0 from standard formatting procss */ p->start_unit = 1; -@@ -1282,19 +1284,19 @@ +@@ -1291,19 +1293,19 @@ static void dasdfmt_prepare_and_format(u process_tracks(cylinders, heads, p); if (g.verbosity > 0) @@ -244,7 +248,7 @@ Signed-off-by: Hannes Reinecke disk_enable(); } -@@ -1306,18 +1308,18 @@ +@@ -1315,18 +1317,18 @@ static void dasdfmt_expand_format(unsign format_data_t *p) { if (!(g.withoutprompt && g.verbosity < 1)) @@ -267,7 +271,7 @@ Signed-off-by: Hannes Reinecke if (g.verbosity > 0) printf("Re-accessing the device...\n"); -@@ -1426,16 +1428,16 @@ +@@ -1435,16 +1437,16 @@ static void do_format_dasd(volume_label_ if (!g.withoutprompt) { printf("\n"); if (mode != EXPAND) @@ -288,7 +292,7 @@ Signed-off-by: Hannes Reinecke return; } } -@@ -1453,12 +1455,12 @@ +@@ -1466,12 +1468,12 @@ static void do_format_dasd(volume_label_ break; } @@ -303,7 +307,7 @@ 
Signed-off-by: Hannes Reinecke err = dasd_reread_partition_table(g.dev_node, 5); if (err != 0) { ERRMSG("%s: error during rereading the partition " -@@ -1472,7 +1474,7 @@ +@@ -1485,7 +1487,7 @@ static void do_format_dasd(volume_label_ static void eval_format_mode(void) { if (!g.force && g.mode_specified && g.ese && mode == EXPAND) { @@ -312,7 +316,7 @@ Signed-off-by: Hannes Reinecke warnx("Format mode 'expand' is not feasible."); error("Use --mode=full or --mode=quick to perform a clean format"); } -@@ -1495,20 +1497,70 @@ +@@ -1508,20 +1510,70 @@ static void set_prog_name(char *s) prog_name = p + 1; } @@ -387,7 +391,7 @@ Signed-off-by: Hannes Reinecke /* Establish a handler for interrupt signals. */ signal(SIGTERM, program_interrupt_signal); -@@ -1644,6 +1696,9 @@ +@@ -1657,6 +1709,9 @@ int main(int argc, char *argv[]) break; /* exit loop if finished */ } @@ -397,7 +401,7 @@ Signed-off-by: Hannes Reinecke CHECK_SPEC_MAX_ONCE(g.blksize_specified, "blocksize"); CHECK_SPEC_MAX_ONCE(g.labelspec, "label"); CHECK_SPEC_MAX_ONCE(g.writenolabel, "omit-label-writing flag"); -@@ -1662,48 +1717,28 @@ +@@ -1675,48 +1730,28 @@ int main(int argc, char *argv[]) if (g.print_hashmarks) PARSE_PARAM_INTO(g.hashstep, hashstep_str, 10, "hashstep"); diff --git a/s390-tools-sles15sp3-Format-devices-in-parallel.patch b/s390-tools-sles15sp3-Format-devices-in-parallel.patch index 8ec3f2e..ab53115 100644 --- a/s390-tools-sles15sp3-Format-devices-in-parallel.patch +++ b/s390-tools-sles15sp3-Format-devices-in-parallel.patch @@ -7,34 +7,37 @@ Allow dasdfmt to run in parallel when several devices are specified. 
Signed-off-by: Hannes Reinecke --- - dasdfmt/dasdfmt.8 | 16 +++++++++++++- - dasdfmt/dasdfmt.c | 58 ++++++++++++++++++++++++++++++++++++++++++------------ - 2 files changed, 60 insertions(+), 14 deletions(-) + dasdfmt/dasdfmt.8 | 16 ++++++++++++++-- + dasdfmt/dasdfmt.c | 50 +++++++++++++++++++++++++++++++++++++++++++------- + dasdfmt/dasdfmt.h | 1 + + 3 files changed, 58 insertions(+), 9 deletions(-) ---- a/dasdfmt/dasdfmt.8 -+++ b/dasdfmt/dasdfmt.8 +Index: s390-tools-2.30.0/dasdfmt/dasdfmt.8 +=================================================================== +--- s390-tools-2.30.0.orig/dasdfmt/dasdfmt.8 ++++ s390-tools-2.30.0/dasdfmt/dasdfmt.8 
@@ -7,7 +7,7 @@ dasdfmt \- formatting of DASD (ECKD) disk drives. .SH SYNOPSIS --\fBdasdfmt\fR [\-h] [\-t] [\-v] [\-y] [\-p] [\-P] [\-m \fIstep\fR] -+\fBdasdfmt\fR [\-h] [\-t] [\-v] [\-y] [\-p] [\-Q] [\-P] [\-m \fIstep\fR] +-\fBdasdfmt\fR [-h] [-t] [-v] [-y] [-p] [-P] [-m \fIstep\fR] ++\fBdasdfmt\fR [-h] [-t] [-v] [-y] [-p] [-Q] [-P] [-m \fIstep\fR] .br - [\-r \fIcylinder\fR] [\-b \fIblksize\fR] [\-l \fIvolser\fR] [\-d \fIlayout\fR] + [-r \fIcylinder\fR] [-b \fIblksize\fR] [-l \fIvolser\fR] [-d \fIlayout\fR] .br -@@ -95,7 +95,7 @@ +@@ -96,7 +96,7 @@ Do not use this option if you are using running in background or redirecting the output to a file. .TP --\fB\-P\fR or \fB\-\-percentage\fR -+\fB\-Q\fR or \fB\-\-percentage\fR +-\fB-P\fR or \fB--percentage\fR ++\fB-Q\fR or \fB--percentage\fR Print one line for each formatted cylinder showing the number of the cylinder and percentage of formatting process. Intended to be used by higher level interfaces. -@@ -164,6 +164,18 @@ +@@ -164,6 +164,18 @@ Specify blocksize to be used. \fIblksize + and always be a power of two. The recommended blocksize is 4096 bytes. .TP - \fB\-l\fR \fIvolser\fR or \fB\-\-label\fR=\fIvolser\fR +\fB-P\fR \fInumdisks\fR or \fB--max_parallel\fR=\fInumdisks\fR +Specify the number of disks to be formatted in parallel. +\fInumdisks\fR specifies the number of formatting processed, @@ -47,11 +50,13 @@ Signed-off-by: Hannes Reinecke +.br + +.TP + \fB-l\fR \fIvolser\fR or \fB--label\fR=\fIvolser\fR Specify the volume serial number or volume identifier to be written to disk after formatting. If no label is specified, a sensible default - is used. \fIvolser\fR is interpreted as ASCII string and is automatically ---- a/dasdfmt/dasdfmt.c -+++ b/dasdfmt/dasdfmt.c +Index: s390-tools-2.30.0/dasdfmt/dasdfmt.c +=================================================================== +--- s390-tools-2.30.0.orig/dasdfmt/dasdfmt.c ++++ s390-tools-2.30.0/dasdfmt/dasdfmt.c @@ -13,6 +13,7 @@ #include #include @@ -60,7 +65,7 @@ 
Signed-off-by: Hannes Reinecke #include "lib/dasd_base.h" #include "lib/dasd_sys.h" -@@ -81,6 +82,7 @@ +@@ -81,6 +82,7 @@ static struct dasdfmt_globals { int mode_specified; int ese; int no_discard; @@ -68,7 +73,7 @@ Signed-off-by: Hannes Reinecke } g = { .dasd_info = { 0 }, }; -@@ -105,6 +107,11 @@ +@@ -105,6 +107,11 @@ static struct util_opt opt_vec[] = { .desc = "Perform complete format check on device", .flags = UTIL_OPT_FLAG_NOSHORT, }, @@ -80,7 +85,7 @@ Signed-off-by: Hannes Reinecke UTIL_OPT_SECTION("FORMAT OPTIONS"), { .option = { "blocksize", required_argument, NULL, 'b' }, -@@ -162,7 +169,7 @@ +@@ -162,7 +169,7 @@ static struct util_opt opt_vec[] = { .desc = "Show a progressbar", }, { @@ -89,7 +94,7 @@ Signed-off-by: Hannes Reinecke .desc = "Show progress in percent", }, UTIL_OPT_SECTION("MISC"), -@@ -311,7 +318,7 @@ +@@ -311,7 +318,7 @@ static void draw_progress(int cyl, unsig } if (g.print_hashmarks && (cyl / g.hashstep - hashcount) != 0) { @@ -98,7 +103,7 @@ Signed-off-by: Hannes Reinecke fflush(stdout); hashcount++; } -@@ -1560,7 +1567,11 @@ +@@ -1573,7 +1580,11 @@ int main(int argc, char *argv[]) char *reqsize_param_str = NULL; char *hashstep_str = NULL; @@ -111,7 +116,7 @@ Signed-off-by: Hannes Reinecke /* Establish a handler for interrupt signals. */ signal(SIGTERM, program_interrupt_signal); -@@ -1623,7 +1634,7 @@ +@@ -1636,7 +1647,7 @@ int main(int argc, char *argv[]) g.print_hashmarks = 1; } break; @@ -120,7 +125,7 @@ Signed-off-by: Hannes Reinecke if (!(g.print_hashmarks || g.print_progressbar)) g.print_percentage = 1; break; -@@ -1682,6 +1693,9 @@ +@@ -1695,6 +1706,9 @@ int main(int argc, char *argv[]) case OPT_NODISCARD: g.no_discard = 1; break; @@ -130,7 +135,7 @@ Signed-off-by: Hannes Reinecke case OPT_CHECK: g.check = 1; break; -@@ -1733,15 +1747,35 @@ +@@ -1746,15 +1760,35 @@ int main(int argc, char *argv[]) if (numdev > 1 && g.labelspec) error("Specifying a volser to be written doesn't make sense when formatting multiple DASD volumes."); 
diff --git a/s390-tools-sles15sp3-Implement-Y-yast_mode.patch b/s390-tools-sles15sp3-Implement-Y-yast_mode.patch index 39f4dd4..ac0d6c5 100644 --- a/s390-tools-sles15sp3-Implement-Y-yast_mode.patch +++ b/s390-tools-sles15sp3-Implement-Y-yast_mode.patch @@ -7,22 +7,25 @@ Implement an option '-Y' to suppress most output. Signed-off-by: Hannes Reinecke --- - dasdfmt/dasdfmt.8 | 7 ++++- - dasdfmt/dasdfmt.c | 73 ++++++++++++++++++++++++++++++++++++++++++++++++------ - 2 files changed, 72 insertions(+), 8 deletions(-) + dasdfmt/dasdfmt.8 | 7 ++++++- + dasdfmt/dasdfmt.c | 27 ++++++++++++++++++++------- + dasdfmt/dasdfmt.h | 1 + + 3 files changed, 27 insertions(+), 8 deletions(-) ---- a/dasdfmt/dasdfmt.8 -+++ b/dasdfmt/dasdfmt.8 +Index: s390-tools-2.30.0/dasdfmt/dasdfmt.8 +=================================================================== +--- s390-tools-2.30.0.orig/dasdfmt/dasdfmt.8 ++++ s390-tools-2.30.0/dasdfmt/dasdfmt.8 @@ -7,7 +7,7 @@ dasdfmt \- formatting of DASD (ECKD) disk drives. .SH SYNOPSIS --\fBdasdfmt\fR [\-h] [\-t] [\-v] [\-y] [\-p] [\-Q] [\-P] [\-m \fIstep\fR] -+\fBdasdfmt\fR [\-h] [\-t] [\-v] [\-y] [\-p] [\-Q] [\-P] [\-Y] [\-m \fIstep\fR] +-\fBdasdfmt\fR [-h] [-t] [-v] [-y] [-p] [-Q] [-P] [-m \fIstep\fR] ++\fBdasdfmt\fR [-h] [-t] [-v] [-y] [-p] [-Q] [-P] [-Y] [-m \fIstep\fR] .br - [\-r \fIcylinder\fR] [\-b \fIblksize\fR] [\-l \fIvolser\fR] [\-d \fIlayout\fR] + [-r \fIcylinder\fR] [-b \fIblksize\fR] [-l \fIvolser\fR] [-d \fIlayout\fR] .br -@@ -112,6 +112,11 @@ +@@ -113,6 +113,11 @@ The value will be at least as big as the .br .TP @@ -31,12 +34,14 @@ 
Signed-off-by: Hannes Reinecke +.br + +.TP - \fB\-M\fR \fImode\fR or \fB\-\-mode\fR=\fImode\fR + \fB-M\fR \fImode\fR or \fB--mode\fR=\fImode\fR Specify the \fImode\fR to be used to format the device. Valid modes are: .RS ---- a/dasdfmt/dasdfmt.c -+++ b/dasdfmt/dasdfmt.c -@@ -83,6 +83,7 @@ +Index: s390-tools-2.30.0/dasdfmt/dasdfmt.c +=================================================================== +--- s390-tools-2.30.0.orig/dasdfmt/dasdfmt.c ++++ s390-tools-2.30.0/dasdfmt/dasdfmt.c +@@ -83,6 +83,7 @@ static struct dasdfmt_globals { int ese; int no_discard; int procnum; @@ -44,7 +49,7 @@ Signed-off-by: Hannes Reinecke } g = { .dasd_info = { 0 }, }; -@@ -172,6 +173,10 @@ +@@ -172,6 +173,10 @@ static struct util_opt opt_vec[] = { .option = { "percentage", no_argument, NULL, 'Q' }, .desc = "Show progress in percent", }, @@ -55,7 +60,7 @@ Signed-off-by: Hannes Reinecke UTIL_OPT_SECTION("MISC"), { .option = { "check_host_count", no_argument, NULL, 'C' }, -@@ -318,7 +323,9 @@ +@@ -318,7 +323,9 @@ static void draw_progress(int cyl, unsig } if (g.print_hashmarks && (cyl / g.hashstep - hashcount) != 0) { @@ -66,7 +71,7 @@ Signed-off-by: Hannes Reinecke fflush(stdout); hashcount++; } -@@ -392,7 +399,7 @@ +@@ -392,7 +399,7 @@ static void evaluate_format_error(format unsigned int kl = 0; int blksize = cdata->expect.blksize; @@ -75,7 +80,7 @@ Signed-off-by: Hannes Reinecke printf("\n"); /* -@@ -780,8 +787,9 @@ +@@ -780,8 +787,9 @@ static void check_hashmarks(void) g.hashstep = 10; } @@ -87,7 +92,7 @@ Signed-off-by: Hannes Reinecke } } -@@ -1462,17 +1470,19 @@ +@@ -1475,17 +1483,19 @@ static void do_format_dasd(volume_label_ break; } @@ -110,7 +115,7 @@ Signed-off-by: Hannes Reinecke printf("ok\n"); } } -@@ -1548,6 +1558,7 @@ +@@ -1561,6 +1571,7 @@ void process_dasd(volume_label_t *orig_v error("%s", str); set_geo(&cylinders, &heads); @@ -118,7 +123,7 @@ 
Signed-off-by: Hannes Reinecke set_label(&vlabel, &format_params, cylinders); if (g.check) -@@ -1557,6 +1568,29 @@ +@@ -1570,6 +1581,29 @@ void process_dasd(volume_label_t *orig_v } @@ -148,7 +153,7 @@ Signed-off-by: Hannes Reinecke int main(int argc, char *argv[]) { volume_label_t vlabel; -@@ -1693,6 +1727,10 @@ +@@ -1706,6 +1740,10 @@ int main(int argc, char *argv[]) case OPT_NODISCARD: g.no_discard = 1; break; @@ -159,7 +164,7 @@ Signed-off-by: Hannes Reinecke case 'P': max_parallel = atoi(optarg); break; -@@ -1728,6 +1766,21 @@ +@@ -1741,6 +1779,21 @@ int main(int argc, char *argv[]) reqsize = DEFAULT_REQUESTSIZE; } @@ -181,7 +186,7 @@ Signed-off-by: Hannes Reinecke if (g.print_hashmarks) PARSE_PARAM_INTO(g.hashstep, hashstep_str, 10, "hashstep"); -@@ -1747,6 +1800,12 @@ +@@ -1760,6 +1813,12 @@ int main(int argc, char *argv[]) if (numdev > 1 && g.labelspec) error("Specifying a volser to be written doesn't make sense when formatting multiple DASD volumes."); diff --git a/s390-tools-sles15sp3-Implement-f-for-backwards-compability.patch b/s390-tools-sles15sp3-Implement-f-for-backwards-compability.patch index ee1a9b9..ae8ced6 100644 --- a/s390-tools-sles15sp3-Implement-f-for-backwards-compability.patch +++ b/s390-tools-sles15sp3-Implement-f-for-backwards-compability.patch @@ -9,34 +9,39 @@ version of YaST we should accept this option, too. 
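Review bot: The `case 'P':` arm carried as context in the `@@ -164,7 +169,7 @@` hunk of s390-tools-sles15sp3-Implement-Y-yast_mode.patch still parses the parallel-format count with `max_parallel = atoi(optarg);`, which turns a non-numeric argument into 0 and accepts negative values without any diagnostic. dasdfmt is a destructive tool run with elevated privileges, so a malformed count should be rejected rather than silently coerced; how max_parallel is consumed lies outside the visible hunks, so the exact effect is not confirmed here. A checked parse would close this, e.g. `char *end; long v = strtol(optarg, &end, 10);` then `if (*end != '\0' || v < 1) error("Invalid number of parallel processes");` then `max_parallel = v;`, or the `PARSE_PARAM_INTO` helper already used for hashstep could be reused if its range handling fits. main() starts and ends outside the hunk.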
Signed-off-by: Hannes Reinecke --- - dasdfmt/dasdfmt.8 | 5 ++++- - dasdfmt/dasdfmt.c | 10 ++++++++++ - 2 files changed, 14 insertions(+), 1 deletion(-) + dasdfmt/dasdfmt.8 | 6 +++++- + dasdfmt/dasdfmt.c | 8 ++++++++ + 2 files changed, 13 insertions(+), 1 deletion(-) ---- a/dasdfmt/dasdfmt.8 -+++ b/dasdfmt/dasdfmt.8 -@@ -11,7 +11,7 @@ +Index: s390-tools-2.30.0/dasdfmt/dasdfmt.8 +=================================================================== +--- s390-tools-2.30.0.orig/dasdfmt/dasdfmt.8 ++++ s390-tools-2.30.0/dasdfmt/dasdfmt.8 +@@ -11,7 +11,7 @@ dasdfmt \- formatting of DASD (ECKD) dis .br - [\-r \fIcylinder\fR] [\-b \fIblksize\fR] [\-l \fIvolser\fR] [\-d \fIlayout\fR] + [-r \fIcylinder\fR] [-b \fIblksize\fR] [-l \fIvolser\fR] [-d \fIlayout\fR] .br -- [\-L] [\-V] [\-F] [\-k] [\-C] [\-M \fImode\fR] \fIdevice\fR [\fIdevice\fR] -+ [\-L] [\-V] [\-F] [\-k] [\-C] [\-M \fImode\fR] [-f \fIdevice\fR] [\fIdevice\fR] +- [-L] [-V] [-F] [-k] [-C] [-M \fImode\fR] \fIdevice\fR [\fIdevice\fR] ++ [-L] [-V] [-F] [-k] [-C] [-M \fImode\fR] [-f \fIdevice\fR] [\fIdevice\fR] .SH DESCRIPTION - \fBdasdfmt\fR formats one or several DASD (ECKD) disk drive(s) to prepare them -@@ -39,6 +39,9 @@ - .TP - \fB\-v\fR + \fBdasdfmt\fR formats one or several DASD (ECKD) disk drive to prepare it +@@ -42,6 +42,10 @@ out, what it \fBwould\fR do. Increases verbosity. -+.TP -+\fB-f\fR \fIdevice\fR or \fB--device\fR=\fIdevice\fR -+Specify device to format. For backwards compability only. .TP - \fB\-y\fR ---- a/dasdfmt/dasdfmt.c -+++ b/dasdfmt/dasdfmt.c -@@ -113,6 +113,10 @@ ++\fB-f\fR \fIdevice\fR or \fB--device\fR=\fIdevice\fR ++Specify device to format. For backwards compability only. ++ ++.TP + \fB-y\fR + Start formatting without further user-confirmation. 
+ +Index: s390-tools-2.30.0/dasdfmt/dasdfmt.c +=================================================================== +--- s390-tools-2.30.0.orig/dasdfmt/dasdfmt.c ++++ s390-tools-2.30.0/dasdfmt/dasdfmt.c +@@ -113,6 +113,10 @@ static struct util_opt opt_vec[] = { .desc = "Format devices in parallel", .flags = UTIL_OPT_FLAG_NOLONG, }, @@ -47,7 +52,7 @@ Signed-off-by: Hannes Reinecke UTIL_OPT_SECTION("FORMAT OPTIONS"), { .option = { "blocksize", required_argument, NULL, 'b' }, -@@ -1649,6 +1653,12 @@ +@@ -1662,6 +1666,12 @@ int main(int argc, char *argv[]) } g.layout_specified = 1; break; diff --git a/s390-tools-sles15sp5-01-rust-pv-support-Armonk-in-IBM-signing-key-subject.patch b/s390-tools-sles15sp5-01-rust-pv-support-Armonk-in-IBM-signing-key-subject.patch new file mode 100644 index 0000000..e4704df --- /dev/null +++ b/s390-tools-sles15sp5-01-rust-pv-support-Armonk-in-IBM-signing-key-subject.patch 
@@ -0,0 +1,286 @@ +Index: s390-tools-service/rust/pv/src/verify.rs +=================================================================== +--- s390-tools-service.orig/rust/pv/src/verify.rs ++++ s390-tools-service/rust/pv/src/verify.rs +@@ -3,10 +3,11 @@ + // Copyright IBM Corp. 2023 + + use core::slice; +-use log::debug; ++use log::{debug, trace}; ++use openssl::error::ErrorStack; + use openssl::stack::Stack; + use openssl::x509::store::X509Store; +-use openssl::x509::{CrlStatus, X509Ref, X509StoreContext, X509}; ++use openssl::x509::{CrlStatus, X509NameRef, X509Ref, X509StoreContext, X509StoreContextRef, X509}; + use openssl_extensions::crl::StackableX509Crl; + use openssl_extensions::crl::X509StoreContextExtension; + +@@ -82,8 +83,8 @@ impl HkdVerifier for CertVerifier { + if verified_crls.is_empty() { + bail_hkd_verify!(NoCrl); + } +- for crl in &verified_crls { +- match crl.get_by_cert(&hkd.to_owned()) { ++ for crl in verified_crls { ++ match crl.get_by_serial(hkd.serial_number()) { + CrlStatus::NotRevoked => (), + _ => bail_hkd_verify!(HdkRevoked), + } +@@ -94,21 +95,54 @@ impl HkdVerifier for CertVerifier { + } + + impl CertVerifier { ++ fn quirk_crls( ++ ctx: &mut X509StoreContextRef, ++ subject: &X509NameRef, ++ ) -> Result, ErrorStack> { ++ match ctx.crls(subject) { ++ Ok(ret) if !ret.is_empty() => return Ok(ret), ++ _ => (), ++ } ++ ++ // Armonk/Poughkeepsie fixup ++ trace!("quirk_crls: Try Locality"); ++ if let Some(locality_subject) = helper::armonk_locality_fixup(subject) { ++ match ctx.crls(&locality_subject) { ++ Ok(ret) if !ret.is_empty() => return Ok(ret), ++ _ => (), ++ } ++ ++ // reorder ++ trace!("quirk_crls: Try Locality+Reorder"); ++ if let Ok(locality_ordered_subject) = helper::reorder_x509_names(&locality_subject) { ++ match ctx.crls(&locality_ordered_subject) { ++ Ok(ret) if !ret.is_empty() => return Ok(ret), ++ _ => (), ++ } ++ } ++ } ++ ++ // reorder unchanged loaciliy subject ++ trace!("quirk_crls: Try Reorder"); ++ if let 
Ok(ordered_subject) = helper::reorder_x509_names(subject) { ++ match ctx.crls(&ordered_subject) { ++ Ok(ret) if !ret.is_empty() => return Ok(ret), ++ _ => (), ++ } ++ } ++ // nothing found, return empty stack ++ Stack::new() ++ } ++ + ///Download the CLRs that a HKD refers to. + pub fn hkd_crls(&self, hkd: &X509Ref) -> Result> { + let mut ctx = X509StoreContext::new()?; + // Unfortunately we cannot use a dedicated function here and have to use a closure (E0434) + // Otherwise, we cannot refer to self ++ // Search for local CRLs + let mut crls = ctx.init_opt(&self.store, None, None, |ctx| { + let subject = self.ibm_z_sign_key.subject_name(); +- match ctx.crls(subject) { +- Ok(crls) => Ok(crls), +- _ => { +- // reorder the name and try again +- let broken_subj = helper::reorder_x509_names(subject)?; +- ctx.crls(&broken_subj).or_else(helper::stack_err_hlp) +- } +- } ++ Self::quirk_crls(ctx, subject) + })?; + + if !self.offline { +Index: s390-tools-service/rust/pv/src/verify/helper.rs +=================================================================== +--- s390-tools-service.orig/rust/pv/src/verify/helper.rs ++++ s390-tools-service/rust/pv/src/verify/helper.rs +@@ -13,7 +13,7 @@ use openssl::{ + error::ErrorStack, + nid::Nid, + ssl::SslFiletype, +- stack::{Stack, Stackable}, ++ stack::Stack, + x509::{ + store::{File, X509Lookup, X509StoreBuilder, X509StoreBuilderRef, X509StoreRef}, + verify::{X509VerifyFlags, X509VerifyParam}, +@@ -25,6 +25,7 @@ use openssl_extensions::{ + akid::{AkidCheckResult, AkidExtension}, + crl::X509StoreExtension, + }; ++use std::str::from_utf8; + use std::{cmp::Ordering, ffi::c_int, time::Duration, usize}; + + /// Minimum security level for the keys/certificates used to establish a chain of +@@ -39,7 +40,6 @@ const SECURITY_CHAIN_MAX_LEN: c_int = 2; + /// verifies that the HKD + /// * has enough security bits + /// * is inside its validity period +-/// * issuer name is the subject name of the [`sign_key`] + /// * the Authority Key ID matches 
the Signing Key ID of the [`sign_key`] + pub fn verify_hkd_options(hkd: &X509Ref, sign_key: &X509Ref) -> Result<()> { + let hk_pkey = hkd.public_key()?; +@@ -53,9 +53,6 @@ pub fn verify_hkd_options(hkd: &X509Ref, + // verify that the hkd is still valid + check_validity_period(hkd.not_before(), hkd.not_after())?; + +- // check if hkd.issuer_name == issuer.subject +- check_x509_name_equal(sign_key.subject_name(), hkd.issuer_name())?; +- + // verify that the AKID of the hkd matches the SKID of the issuer + if let Some(akid) = hkd.akid() { + if akid.check(sign_key) != AkidCheckResult::OK { +@@ -75,9 +72,6 @@ pub fn verify_crl(crl: &X509CrlRef, issu + return None; + } + } +- +- check_x509_name_equal(crl.issuer_name(), issuer.subject_name()).ok()?; +- + match crl.verify(issuer.public_key().ok()?.as_ref()).ok()? { + true => Some(()), + false => None, +@@ -207,7 +201,8 @@ pub fn download_crls_into_store(store: & + //Asn1StringRef::as_slice aka ASN1_STRING_get0_data gives a string without \0 delimiter + const IBM_Z_COMMON_NAME: &[u8; 43usize] = b"International Business Machines Corporation"; + const IBM_Z_COUNTRY_NAME: &[u8; 2usize] = b"US"; +-const IBM_Z_LOCALITY_NAME: &[u8; 12usize] = b"Poughkeepsie"; ++const IBM_Z_LOCALITY_NAME_POUGHKEEPSIE: &[u8; 12usize] = b"Poughkeepsie"; ++const IBM_Z_LOCALITY_NAME_ARMONK: &[u8; 6usize] = b"Armonk"; + const IBM_Z_ORGANIZATIONAL_UNIT_NAME_SUFFIX: &str = "Key Signing Service"; + const IBM_Z_ORGANIZATION_NAME: &[u8; 43usize] = b"International Business Machines Corporation"; + const IBM_Z_STATE: &[u8; 8usize] = b"New York"; +@@ -226,7 +221,8 @@ fn is_ibm_signing_cert(cert: &X509) -> b + if subj.entries().count() != IMB_Z_ENTRY_COUNT + || !name_data_eq(subj, Nid::COUNTRYNAME, IBM_Z_COUNTRY_NAME) + || !name_data_eq(subj, Nid::STATEORPROVINCENAME, IBM_Z_STATE) +- || !name_data_eq(subj, Nid::LOCALITYNAME, IBM_Z_LOCALITY_NAME) ++ || !(name_data_eq(subj, Nid::LOCALITYNAME, IBM_Z_LOCALITY_NAME_POUGHKEEPSIE) ++ || name_data_eq(subj, 
Nid::LOCALITYNAME, IBM_Z_LOCALITY_NAME_ARMONK)) + || !name_data_eq(subj, Nid::ORGANIZATIONNAME, IBM_Z_ORGANIZATION_NAME) + || !name_data_eq(subj, Nid::COMMONNAME, IBM_Z_COMMON_NAME) + { +@@ -367,24 +363,6 @@ fn check_validity_period(not_before: &As + } + } + +-fn check_x509_name_equal(lhs: &X509NameRef, rhs: &X509NameRef) -> Result<()> { +- if lhs.entries().count() != rhs.entries().count() { +- bail_hkd_verify!(IssuerMismatch); +- } +- +- for l in lhs.entries() { +- // search for the matching value in the rhs names +- // found none? -> names are not equal +- if !rhs +- .entries() +- .any(|r| l.data().as_slice() == r.data().as_slice()) +- { +- bail_hkd_verify!(IssuerMismatch); +- } +- } +- Ok(()) +-} +- + const NIDS_CORRECT_ORDER: [Nid; 6] = [ + Nid::COUNTRYNAME, + Nid::ORGANIZATIONNAME, +@@ -407,13 +385,28 @@ pub fn reorder_x509_names(subject: &X509 + Ok(correct_subj.build()) + } + +-pub fn stack_err_hlp( +- e: ErrorStack, +-) -> std::result::Result, openssl::error::ErrorStack> { +- match e.errors().len() { +- 0 => Stack::::new(), +- _ => Err(e), ++/** ++* Workaround for potential locality mismatches between CRLs and Certs ++* # Return ++* fixed subject or none if locality was not Armonk or any OpenSSL error ++*/ ++pub fn armonk_locality_fixup(subject: &X509NameRef) -> Option { ++ if !name_data_eq(subject, Nid::LOCALITYNAME, IBM_Z_LOCALITY_NAME_ARMONK) { ++ return None; ++ } ++ ++ let mut ret = X509Name::builder().ok()?; ++ for entry in subject.entries() { ++ match entry.object().nid() { ++ nid @ Nid::LOCALITYNAME => ret ++ .append_entry_by_nid(nid, from_utf8(IBM_Z_LOCALITY_NAME_POUGHKEEPSIE).ok()?) 
++ .ok()?, ++ _ => { ++ ret.append_entry(entry).ok()?; ++ } ++ } + } ++ Some(ret.build()) + } + + #[cfg(test)] +@@ -451,20 +444,6 @@ mod test { + )); + } + +- #[test] +- fn x509_name_equal() { +- let sign_crt = load_gen_cert("ibm.crt"); +- let hkd = load_gen_cert("host.crt"); +- let other = load_gen_cert("inter_ca.crt"); +- +- assert!(super::check_x509_name_equal(sign_crt.subject_name(), hkd.issuer_name()).is_ok(),); +- +- assert!(matches!( +- super::check_x509_name_equal(other.subject_name(), hkd.subject_name()), +- Err(Error::HkdVerify(IssuerMismatch)) +- )); +- } +- + #[test] + fn is_ibm_z_sign_key() { + let ibm_crt = load_gen_cert("ibm.crt"); +Index: s390-tools-service/rust/pv/src/verify/test.rs +=================================================================== +--- s390-tools-service.orig/rust/pv/src/verify/test.rs ++++ s390-tools-service/rust/pv/src/verify/test.rs +@@ -84,7 +84,6 @@ fn verify_online() { + let inter_crt = get_cert_asset_path_string("inter_ca.crt"); + let ibm_crt = get_cert_asset_path_string("ibm.crt"); + let hkd_revoked = load_gen_cert("host_rev.crt"); +- let hkd_inv = load_gen_cert("host_invalid_signing_key.crt"); + let hkd_exp = load_gen_cert("host_crt_expired.crt"); + let hkd = load_gen_cert("host.crt"); + +@@ -112,11 +111,6 @@ fn verify_online() { + )); + + assert!(matches!( +- verifier.verify(&hkd_inv), +- Err(Error::HkdVerify(IssuerMismatch)) +- )); +- +- assert!(matches!( + verifier.verify(&hkd_exp), + Err(Error::HkdVerify(AfterValidity)) + )); +@@ -130,7 +124,6 @@ fn verify_offline() { + let ibm_crt = get_cert_asset_path_string("ibm.crt"); + let ibm_crl = get_cert_asset_path_string("ibm.crl"); + let hkd_revoked = load_gen_cert("host_rev.crt"); +- let hkd_inv = load_gen_cert("host_invalid_signing_key.crt"); + let hkd_exp = load_gen_cert("host_crt_expired.crt"); + let hkd = load_gen_cert("host.crt"); + +@@ -149,11 +142,6 @@ fn verify_offline() { + )); + + assert!(matches!( +- verifier.verify(&hkd_inv), +- 
Err(Error::HkdVerify(IssuerMismatch)) +- )); +- +- assert!(matches!( + verifier.verify(&hkd_exp), + Err(Error::HkdVerify(AfterValidity)) + )); diff --git a/s390-tools-sles15sp5-remove-no-pie-link-arguments.patch b/s390-tools-sles15sp5-remove-no-pie-link-arguments.patch index 862f2f9..22cbbb8 100644 --- a/s390-tools-sles15sp5-remove-no-pie-link-arguments.patch +++ b/s390-tools-sles15sp5-remove-no-pie-link-arguments.patch @@ -1,10 +1,8 @@ ---- - common.mak | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - ---- a/common.mak -+++ b/common.mak -@@ -338,8 +338,8 @@ +Index: s390-tools-2.30.0/common.mak +=================================================================== +--- s390-tools-2.30.0.orig/common.mak ++++ s390-tools-2.30.0/common.mak +@@ -338,8 +338,8 @@ export INSTALL CFLAGS CXXFLAGS \ LDFLAGS CPPFLAGS ALL_CFLAGS ALL_CXXFLAGS ALL_LDFLAGS ALL_CPPFLAGS ifneq ($(shell $(CC_SILENT) -dumpspecs 2>/dev/null | grep -e '[^f]no-pie'),) diff --git a/s390-tools-sles15sp6-02-genprotimg-support-Armonk-in-IBM-signing-key-subject.patch b/s390-tools-sles15sp6-02-genprotimg-support-Armonk-in-IBM-signing-key-subject.patch new file mode 100644 index 0000000..8b09d05 --- /dev/null +++ b/s390-tools-sles15sp6-02-genprotimg-support-Armonk-in-IBM-signing-key-subject.patch 
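Review bot: With `check_x509_name_equal` removed from `verify_hkd_options` and `verify_crl` in helper.rs, the only issuer binding left in `verify_hkd_options` is the AKID comparison, and it sits inside `if let Some(akid) = hkd.akid()`, so a host-key document without an AKID extension is not tied to the signing key by this function. Signature and chain verification presumably still happen elsewhere in `CertVerifier::verify` (outside these hunks), but the patch deletes the `host_invalid_signing_key.crt` assertions from `verify_online` and `verify_offline` rather than updating the expected error, so no visible test shows that such a document is still rejected. I would keep both assertions with whatever error the remaining checks produce, and add a comment above the AKID block such as `// names are deliberately not compared (Poughkeepsie vs Armonk); binding relies on the AKID, when present, and the signature check`. The genprotimg and libpv patches remove the same name check from `check_host_key_issued` and `check_crl_issuer`, where the AKID test is likewise conditional (`if (akid && ...)`).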
@@ -0,0 +1,304 @@ +Index: s390-tools-service/genprotimg/src/include/pv_crypto_def.h +=================================================================== +--- s390-tools-service.orig/genprotimg/src/include/pv_crypto_def.h ++++ s390-tools-service/genprotimg/src/include/pv_crypto_def.h +@@ -17,7 +17,8 @@ + /* IBM signing key subject */ + #define PV_IBM_Z_SUBJECT_COMMON_NAME "International Business Machines Corporation" + #define PV_IBM_Z_SUBJECT_COUNTRY_NAME "US" +-#define PV_IBM_Z_SUBJECT_LOCALITY_NAME "Poughkeepsie" ++#define PV_IBM_Z_SUBJECT_LOCALITY_NAME_POUGHKEEPSIE "Poughkeepsie" ++#define PV_IBM_Z_SUBJECT_LOCALITY_NAME_ARMONK "Armonk" + #define PV_IBM_Z_SUBJECT_ORGANIZATIONONAL_UNIT_NAME_SUFFIX "Key Signing Service" + #define PV_IBM_Z_SUBJECT_ORGANIZATION_NAME "International Business Machines Corporation" + #define PV_IBM_Z_SUBJECT_STATE "New York" +Index: s390-tools-service/genprotimg/src/utils/crypto.c +=================================================================== +--- s390-tools-service.orig/genprotimg/src/utils/crypto.c ++++ s390-tools-service/genprotimg/src/utils/crypto.c +@@ -664,62 +664,9 @@ static gboolean x509_name_data_by_nid_eq + return memcmp(data, y, data_len) == 0; + } + +-static gboolean own_X509_NAME_ENTRY_equal(const X509_NAME_ENTRY *x, +- const X509_NAME_ENTRY *y) +-{ +- const ASN1_OBJECT *x_obj = X509_NAME_ENTRY_get_object(x); +- const ASN1_STRING *x_data = X509_NAME_ENTRY_get_data(x); +- const ASN1_OBJECT *y_obj = X509_NAME_ENTRY_get_object(y); +- const ASN1_STRING *y_data = X509_NAME_ENTRY_get_data(y); +- gint x_len = ASN1_STRING_length(x_data); +- gint y_len = ASN1_STRING_length(y_data); +- +- if (x_len < 0 || x_len != y_len) +- return FALSE; +- +- /* ASN1_STRING_cmp(x_data, y_data) == 0 doesn't work because it also +- * compares the type, which is sometimes different. 
+- */ +- return OBJ_cmp(x_obj, y_obj) == 0 && +- memcmp(ASN1_STRING_get0_data(x_data), +- ASN1_STRING_get0_data(y_data), +- (unsigned long)x_len) == 0; +-} +- +-static gboolean own_X509_NAME_equal(const X509_NAME *x, const X509_NAME *y) +-{ +- gint x_count = X509_NAME_entry_count(x); +- gint y_count = X509_NAME_entry_count(y); +- +- if (x != y && (!x || !y)) +- return FALSE; +- +- if (x_count != y_count) +- return FALSE; +- +- for (gint i = 0; i < x_count; i++) { +- const X509_NAME_ENTRY *entry_i = X509_NAME_get_entry(x, i); +- gboolean entry_found = FALSE; +- +- for (gint j = 0; j < y_count; j++) { +- const X509_NAME_ENTRY *entry_j = +- X509_NAME_get_entry(y, j); +- +- if (own_X509_NAME_ENTRY_equal(entry_i, entry_j)) { +- entry_found = TRUE; +- break; +- } +- } +- +- if (!entry_found) +- return FALSE; +- } +- return TRUE; +-} +- + /* Checks whether the subject of @cert is a IBM signing key subject. For this we + * must check that the subject is equal to: 'C = US, ST = New York, L = +- * Poughkeepsie, O = International Business Machines Corporation, CN = ++ * Poughkeepsie or Armonk, O = International Business Machines Corporation, CN = + * International Business Machines Corporation' and the organization unit (OUT) + * must end with the suffix ' Key Signing Service'. + */ +@@ -743,8 +690,10 @@ static gboolean has_ibm_signing_subject( + PV_IBM_Z_SUBJECT_STATE)) + return FALSE; + +- if (!x509_name_data_by_nid_equal(subject, NID_localityName, +- PV_IBM_Z_SUBJECT_LOCALITY_NAME)) ++ if (!(x509_name_data_by_nid_equal(subject, NID_localityName, ++ PV_IBM_Z_SUBJECT_LOCALITY_NAME_POUGHKEEPSIE) || ++ x509_name_data_by_nid_equal(subject, NID_localityName, ++ PV_IBM_Z_SUBJECT_LOCALITY_NAME_ARMONK))) + return FALSE; + + if (!x509_name_data_by_nid_equal(subject, NID_organizationName, +@@ -806,6 +755,39 @@ static X509_NAME *x509_name_reorder_attr + return g_steal_pointer(&ret); + } + ++/** Replace locality 'Armonk' with 'Pougkeepsie'. If Armonk was not set return ++ * `NULL`. 
++ */ ++static X509_NAME *x509_armonk_locality_fixup(const X509_NAME *name) ++{ ++ g_autoptr(X509_NAME) ret = NULL; ++ int pos; ++ ++ /* Check if ``L=Armonk`` */ ++ if (!x509_name_data_by_nid_equal((X509_NAME *)name, NID_localityName, ++ PV_IBM_Z_SUBJECT_LOCALITY_NAME_ARMONK)) ++ return NULL; ++ ++ ret = X509_NAME_dup(name); ++ if (!ret) ++ g_abort(); ++ ++ pos = X509_NAME_get_index_by_NID(ret, NID_localityName, -1); ++ if (pos == -1) ++ return NULL; ++ ++ X509_NAME_ENTRY_free(X509_NAME_delete_entry(ret, pos)); ++ ++ /* Create a new name entry at the same position as before */ ++ if (X509_NAME_add_entry_by_NID( ++ ret, NID_localityName, MBSTRING_UTF8, ++ (const unsigned char *)&PV_IBM_Z_SUBJECT_LOCALITY_NAME_POUGHKEEPSIE, ++ sizeof(PV_IBM_Z_SUBJECT_LOCALITY_NAME_POUGHKEEPSIE) - 1, pos, 0) != 1) ++ return NULL; ++ ++ return g_steal_pointer(&ret); ++} ++ + /* In RFC 5280 the attributes of a (subject/issuer) name is not mandatory + * ordered. The problem is that our certificates are not consistent in the order + * (see https://tools.ietf.org/html/rfc5280#section-4.1.2.4 for details). 
+@@ -828,24 +810,10 @@ X509_NAME *c2b_name(const X509_NAME *nam + return X509_NAME_dup((X509_NAME *)name); + } + +-/* Verify that: subject(issuer) == issuer(crl) and SKID(issuer) == AKID(crl) */ ++/* Verify that SKID(issuer) == AKID(crl) if available */ + static gint check_crl_issuer(X509_CRL *crl, X509 *issuer, GError **err) + { +- const X509_NAME *crl_issuer = X509_CRL_get_issuer(crl); +- const X509_NAME *issuer_subject = X509_get_subject_name(issuer); +- AUTHORITY_KEYID *akid = NULL; +- +- if (!own_X509_NAME_equal(issuer_subject, crl_issuer)) { +- g_autofree char *issuer_subject_str = X509_NAME_oneline(issuer_subject, +- NULL, 0); +- g_autofree char *crl_issuer_str = X509_NAME_oneline(crl_issuer, NULL, 0); +- +- g_set_error(err, PV_CRYPTO_ERROR, +- PV_CRYPTO_ERROR_CRL_SUBJECT_ISSUER_MISMATCH, +- _("issuer mismatch:\n%s\n%s"), +- issuer_subject_str, crl_issuer_str); +- return -1; +- } ++ g_autoptr(AUTHORITY_KEYID) akid = NULL; + + /* If AKID(@crl) is specified it must match with SKID(@issuer) */ + akid = X509_CRL_get_ext_d2i(crl, NID_authority_key_identifier, NULL, NULL); +@@ -881,7 +849,6 @@ gint check_crl_valid_for_cert(X509_CRL * + return -1; + } + +- /* check that the @crl issuer matches with the subject name of @cert*/ + if (check_crl_issuer(crl, cert, err) < 0) + return -1; + +@@ -910,6 +877,60 @@ gint check_crl_valid_for_cert(X509_CRL * + return 0; + } + ++/* This function contains work-arounds for some known subject(CRT)<->issuer(CRL) ++ * issues. ++ */ ++static STACK_OF_X509_CRL *quirk_X509_STORE_ctx_get1_crls(X509_STORE_CTX *ctx, ++ const X509_NAME *subject, GError **err) ++{ ++ g_autoptr(X509_NAME) fixed_subject = NULL; ++ g_autoptr(STACK_OF_X509_CRL) ret = NULL; ++ ++ ret = Pv_X509_STORE_CTX_get1_crls(ctx, subject); ++ if (ret && sk_X509_CRL_num(ret) > 0) ++ return g_steal_pointer(&ret); ++ ++ /* Workaround to fix the mismatch between issuer name of the * IBM ++ * signing CRLs and the IBM signing key subject name. 
Locality name has ++ * changed from Poughkeepsie to Armonk. ++ */ ++ fixed_subject = x509_armonk_locality_fixup(subject); ++ /* Was the locality replaced? */ ++ if (fixed_subject) { ++ X509_NAME *tmp; ++ ++ sk_X509_CRL_free(ret); ++ ret = Pv_X509_STORE_CTX_get1_crls(ctx, fixed_subject); ++ if (ret && sk_X509_CRL_num(ret) > 0) ++ return g_steal_pointer(&ret); ++ ++ /* Workaround to fix the ordering mismatch between issuer name ++ * of the IBM signing CRLs and the IBM signing key subject name. ++ */ ++ tmp = fixed_subject; ++ fixed_subject = c2b_name(fixed_subject); ++ X509_NAME_free(tmp); ++ sk_X509_CRL_free(ret); ++ ret = Pv_X509_STORE_CTX_get1_crls(ctx, fixed_subject); ++ if (ret && sk_X509_CRL_num(ret) > 0) ++ return g_steal_pointer(&ret); ++ X509_NAME_free(fixed_subject); ++ fixed_subject = NULL; ++ } ++ ++ /* Workaround to fix the ordering mismatch between issuer name of the ++ * IBM signing CRLs and the IBM signing key subject name. ++ */ ++ fixed_subject = c2b_name(subject); ++ sk_X509_CRL_free(ret); ++ ret = Pv_X509_STORE_CTX_get1_crls(ctx, fixed_subject); ++ if (ret && sk_X509_CRL_num(ret) > 0) ++ return g_steal_pointer(&ret); ++ ++ g_set_error(err, PV_CRYPTO_ERROR, PV_CRYPTO_ERROR_NO_CRL, _("no CRL found")); ++ return NULL; ++} ++ + /* Given a certificate @cert try to find valid revocation lists in @ctx. If no + * valid CRL was found NULL is returned. + */ +@@ -927,20 +948,9 @@ STACK_OF_X509_CRL *store_ctx_find_valid_ + return NULL; + } + +- ret = X509_STORE_CTX_get1_crls(ctx, subject); +- if (!ret) { +- /* Workaround to fix the mismatch between issuer name of the +- * IBM Z signing CRLs and the IBM Z signing key subject name. 
+- */ +- g_autoptr(X509_NAME) broken_subject = c2b_name(subject); +- +- ret = X509_STORE_CTX_get1_crls(ctx, broken_subject); +- if (!ret) { +- g_set_error(err, PV_CRYPTO_ERROR, PV_CRYPTO_ERROR_NO_CRL, +- _("no CRL found")); +- return NULL; +- } +- } ++ ret = quirk_X509_STORE_ctx_get1_crls(ctx, subject, err); ++ if (!ret) ++ return NULL; + + /* Filter out non-valid CRLs for @cert */ + for (gint i = 0; i < sk_X509_CRL_num(ret); i++) { +@@ -1328,32 +1338,14 @@ gint check_chain_parameters(const STACK_ + + /* It's almost the same as X509_check_issed from OpenSSL does except that we + * don't check the key usage of the potential issuer. This means we check: +- * 1. issuer_name(cert) == subject_name(issuer) +- * 2. Check whether the akid(cert) (if available) matches the issuer skid +- * 3. Check that the cert algrithm matches the subject algorithm +- * 4. Verify the signature of certificate @cert is using the public key of ++ * 1. Check whether the akid(cert) (if available) matches the issuer skid ++ * 2. Check that the cert algrithm matches the subject algorithm ++ * 3. Verify the signature of certificate @cert is using the public key of + * @issuer. + */ + static gint check_host_key_issued(X509 *cert, X509 *issuer, GError **err) + { +- const X509_NAME *issuer_subject = X509_get_subject_name(issuer); +- const X509_NAME *cert_issuer = X509_get_issuer_name(cert); +- AUTHORITY_KEYID *akid = NULL; +- +- /* We cannot use X509_NAME_cmp() because it considers the order of the +- * X509_NAME_Entries. 
+- */ +- if (!own_X509_NAME_equal(issuer_subject, cert_issuer)) { +- g_autofree char *issuer_subject_str = +- X509_NAME_oneline(issuer_subject, NULL, 0); +- g_autofree char *cert_issuer_str = +- X509_NAME_oneline(cert_issuer, NULL, 0); +- g_set_error(err, PV_CRYPTO_ERROR, +- PV_CRYPTO_ERROR_CERT_SUBJECT_ISSUER_MISMATCH, +- _("Subject issuer mismatch:\n'%s'\n'%s'"), +- issuer_subject_str, cert_issuer_str); +- return -1; +- } ++ g_autoptr(AUTHORITY_KEYID) akid = NULL; + + akid = X509_get_ext_d2i(cert, NID_authority_key_identifier, NULL, NULL); + if (akid && X509_check_akid(issuer, akid) != X509_V_OK) { +Index: s390-tools-service/genprotimg/src/utils/crypto.h +=================================================================== +--- s390-tools-service.orig/genprotimg/src/utils/crypto.h ++++ s390-tools-service/genprotimg/src/utils/crypto.h +@@ -75,6 +75,7 @@ void x509_pair_free(x509_pair *pair); + /* Register auto cleanup functions */ + WRAPPED_G_DEFINE_AUTOPTR_CLEANUP_FUNC(ASN1_INTEGER, ASN1_INTEGER_free) + WRAPPED_G_DEFINE_AUTOPTR_CLEANUP_FUNC(ASN1_OCTET_STRING, ASN1_OCTET_STRING_free) ++WRAPPED_G_DEFINE_AUTOPTR_CLEANUP_FUNC(AUTHORITY_KEYID, AUTHORITY_KEYID_free) + WRAPPED_G_DEFINE_AUTOPTR_CLEANUP_FUNC(BIGNUM, BN_free) + WRAPPED_G_DEFINE_AUTOPTR_CLEANUP_FUNC(BIO, BIO_free_all) + WRAPPED_G_DEFINE_AUTOPTR_CLEANUP_FUNC(BN_CTX, BN_CTX_free) diff --git a/s390-tools-sles15sp6-03-libpv-support-Armonk-in-IBM-signing-key-subject.patch b/s390-tools-sles15sp6-03-libpv-support-Armonk-in-IBM-signing-key-subject.patch new file mode 100644 index 0000000..b4d41d8 --- /dev/null +++ b/s390-tools-sles15sp6-03-libpv-support-Armonk-in-IBM-signing-key-subject.patch 
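Review bot: `x509_armonk_locality_fixup` in genprotimg/src/utils/crypto.c returns NULL in three different situations: the locality is not Armonk, `X509_NAME_get_index_by_NID` fails, or `X509_NAME_add_entry_by_NID` fails, whereas a failed `X509_NAME_dup` aborts. `quirk_X509_STORE_ctx_get1_crls` treats NULL as "locality was not replaced" and silently moves on to the reorder fallback, so an OpenSSL failure during the fixup surfaces only as `no CRL found`. The lookup still ends in an error, but the cause is hidden. Handling the two later failures like the dup failure (`g_abort()`), or logging them, would keep the fallback order diagnosable. The cast `(const unsigned char *)&PV_IBM_Z_SUBJECT_LOCALITY_NAME_POUGHKEEPSIE` also takes the address of the string literal; dropping the `&` yields the same pointer with the intended type, and the libpv patch carries an identical copy of both functions.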
@@ -0,0 +1,224 @@ +Index: s390-tools-service/include/libpv/cert.h +=================================================================== +--- s390-tools-service.orig/include/libpv/cert.h ++++ s390-tools-service/include/libpv/cert.h +@@ -16,7 +16,8 @@ + + #define PV_IBM_Z_SUBJECT_COMMON_NAME "International Business Machines Corporation" + #define PV_IBM_Z_SUBJECT_COUNTRY_NAME "US" +-#define PV_IBM_Z_SUBJECT_LOCALITY_NAME "Poughkeepsie" ++#define PV_IBM_Z_SUBJECT_LOCALITY_NAME_POUGHKEEPSIE "Poughkeepsie" ++#define PV_IBM_Z_SUBJECT_LOCALITY_NAME_ARMONK "Armonk" + #define PV_IBM_Z_SUBJECT_ORGANIZATIONAL_UNIT_NAME_SUFFIX "Key Signing Service" + #define PV_IBM_Z_SUBJECT_ORGANIZATION_NAME "International Business Machines Corporation" + #define PV_IBM_Z_SUBJECT_STATE "New York" +Index: s390-tools-service/libpv/cert.c +=================================================================== +--- s390-tools-service.orig/libpv/cert.c ++++ s390-tools-service/libpv/cert.c +@@ -857,7 +857,7 @@ static gboolean x509_name_data_by_nid_eq + + /* Checks whether the subject of @cert is a IBM signing key subject. For this we + * must check that the subject is equal to: 'C = US, ST = New York, L = +- * Poughkeepsie, O = International Business Machines Corporation, CN = ++ * Poughkeepsie or Armonk, O = International Business Machines Corporation, CN = + * International Business Machines Corporation' and the organization unit (OUT) + * must end with the suffix ' Key Signing Service'. 
+ */ +@@ -879,7 +879,10 @@ static gboolean has_ibm_signing_subject( + if (!x509_name_data_by_nid_equal(subject, NID_stateOrProvinceName, PV_IBM_Z_SUBJECT_STATE)) + return FALSE; + +- if (!x509_name_data_by_nid_equal(subject, NID_localityName, PV_IBM_Z_SUBJECT_LOCALITY_NAME)) ++ if (!(x509_name_data_by_nid_equal(subject, NID_localityName, ++ PV_IBM_Z_SUBJECT_LOCALITY_NAME_POUGHKEEPSIE) || ++ x509_name_data_by_nid_equal(subject, NID_localityName, ++ PV_IBM_Z_SUBJECT_LOCALITY_NAME_ARMONK))) + return FALSE; + + if (!x509_name_data_by_nid_equal(subject, NID_organizationName, +@@ -1085,10 +1088,9 @@ static int check_signature_algo_match(co + + /* It's almost the same as X509_check_issed from OpenSSL does except that we + * don't check the key usage of the potential issuer. This means we check: +- * 1. issuer_name(cert) == subject_name(issuer) +- * 2. Check whether the akid(cert) (if available) matches the issuer skid +- * 3. Check that the cert algrithm matches the subject algorithm +- * 4. Verify the signature of certificate @cert is using the public key of ++ * 1. Check whether the akid(cert) (if available) matches the issuer skid ++ * 2. Check that the cert algrithm matches the subject algorithm ++ * 3. Verify the signature of certificate @cert is using the public key of + * @issuer. + */ + static int check_host_key_issued(X509 *cert, X509 *issuer, GError **error) +@@ -1097,19 +1099,6 @@ static int check_host_key_issued(X509 *c + const X509_NAME *cert_issuer = X509_get_issuer_name(cert); + g_autoptr(AUTHORITY_KEYID) akid = NULL; + +- /* We cannot use X509_NAME_cmp() because it considers the order of the +- * X509_NAME_Entries. 
+- */ +- if (!own_X509_NAME_equal(issuer_subject, cert_issuer)) { +- g_autofree char *issuer_subject_str = pv_X509_NAME_oneline(issuer_subject); +- g_autofree char *cert_issuer_str = pv_X509_NAME_oneline(cert_issuer); +- +- g_set_error(error, PV_CERT_ERROR, PV_CERT_ERROR_CERT_SUBJECT_ISSUER_MISMATCH, +- _("Subject issuer mismatch:\n'%s'\n'%s'"), issuer_subject_str, +- cert_issuer_str); +- return -1; +- } +- + akid = X509_get_ext_d2i(cert, NID_authority_key_identifier, NULL, NULL); + if (akid && X509_check_akid(issuer, akid) != X509_V_OK) { + g_set_error(error, PV_CERT_ERROR, PV_CERT_ERROR_SKID_AKID_MISMATCH, +@@ -1286,21 +1275,10 @@ int pv_verify_cert(X509_STORE_CTX *ctx, + return 0; + } + +-/* Verify that: subject(issuer) == issuer(crl) and SKID(issuer) == AKID(crl) */ ++/* Verify that SKID(issuer) == AKID(crl) */ + static int check_crl_issuer(X509_CRL *crl, X509 *issuer, GError **error) + { +- const X509_NAME *crl_issuer = X509_CRL_get_issuer(crl); +- const X509_NAME *issuer_subject = X509_get_subject_name(issuer); +- AUTHORITY_KEYID *akid = NULL; +- +- if (!own_X509_NAME_equal(issuer_subject, crl_issuer)) { +- g_autofree char *issuer_subject_str = pv_X509_NAME_oneline(issuer_subject); +- g_autofree char *crl_issuer_str = pv_X509_NAME_oneline(crl_issuer); +- +- g_set_error(error, PV_CERT_ERROR, PV_CERT_ERROR_CRL_SUBJECT_ISSUER_MISMATCH, +- _("issuer mismatch:\n%s\n%s"), issuer_subject_str, crl_issuer_str); +- return -1; +- } ++ g_autoptr(AUTHORITY_KEYID) akid = NULL; + + /* If AKID(@crl) is specified it must match with SKID(@issuer) */ + akid = X509_CRL_get_ext_d2i(crl, NID_authority_key_identifier, NULL, NULL); +@@ -1325,7 +1303,6 @@ int pv_verify_crl(X509_CRL *crl, X509 *c + return -1; + } + +- /* check that the @crl issuer matches with the subject name of @cert*/ + if (check_crl_issuer(crl, cert, error) < 0) + return -1; + +@@ -1393,6 +1370,93 @@ int pv_check_chain_parameters(const STAC + return 0; + } + ++/** Replace locality 'Armonk' with 'Pougkeepsie'. 
If Armonk was not set return ++ * `NULL`. ++ */ ++static X509_NAME *x509_armonk_locality_fixup(const X509_NAME *name) ++{ ++ g_autoptr(X509_NAME) ret = NULL; ++ int pos; ++ ++ /* Check if ``L=Armonk`` */ ++ if (!x509_name_data_by_nid_equal((X509_NAME *)name, NID_localityName, ++ PV_IBM_Z_SUBJECT_LOCALITY_NAME_ARMONK)) ++ return NULL; ++ ++ ret = X509_NAME_dup(name); ++ if (!ret) ++ g_abort(); ++ ++ pos = X509_NAME_get_index_by_NID(ret, NID_localityName, -1); ++ if (pos == -1) ++ return NULL; ++ ++ X509_NAME_ENTRY_free(X509_NAME_delete_entry(ret, pos)); ++ ++ /* Create a new name entry at the same position as before */ ++ if (X509_NAME_add_entry_by_NID( ++ ret, NID_localityName, MBSTRING_UTF8, ++ (const unsigned char *)&PV_IBM_Z_SUBJECT_LOCALITY_NAME_POUGHKEEPSIE, ++ sizeof(PV_IBM_Z_SUBJECT_LOCALITY_NAME_POUGHKEEPSIE) - 1, pos, 0) != 1) ++ return NULL; ++ ++ return g_steal_pointer(&ret); ++} ++ ++/* This function contains work-arounds for some known subject(CRT)<->issuer(CRL) ++ * issues. ++ */ ++static STACK_OF_X509_CRL *quirk_X509_STORE_ctx_get1_crls(X509_STORE_CTX *ctx, ++ const X509_NAME *subject, GError **err) ++{ ++ g_autoptr(X509_NAME) fixed_subject = NULL; ++ g_autoptr(STACK_OF_X509_CRL) ret = NULL; ++ ++ ret = pv_X509_STORE_CTX_get1_crls(ctx, subject); ++ if (ret && sk_X509_CRL_num(ret) > 0) ++ return g_steal_pointer(&ret); ++ ++ /* Workaround to fix the mismatch between issuer name of the * IBM ++ * signing CRLs and the IBM signing key subject name. Locality name has ++ * changed from Poughkeepsie to Armonk. ++ */ ++ fixed_subject = x509_armonk_locality_fixup(subject); ++ /* Was the locality replaced? */ ++ if (fixed_subject) { ++ X509_NAME *tmp; ++ ++ sk_X509_CRL_free(ret); ++ ret = pv_X509_STORE_CTX_get1_crls(ctx, fixed_subject); ++ if (ret && sk_X509_CRL_num(ret) > 0) ++ return g_steal_pointer(&ret); ++ ++ /* Workaround to fix the ordering mismatch between issuer name ++ * of the IBM signing CRLs and the IBM signing key subject name. 
++ */ ++ tmp = fixed_subject; ++ fixed_subject = pv_c2b_name(fixed_subject); ++ X509_NAME_free(tmp); ++ sk_X509_CRL_free(ret); ++ ret = pv_X509_STORE_CTX_get1_crls(ctx, fixed_subject); ++ if (ret && sk_X509_CRL_num(ret) > 0) ++ return g_steal_pointer(&ret); ++ X509_NAME_free(fixed_subject); ++ fixed_subject = NULL; ++ } ++ ++ /* Workaround to fix the ordering mismatch between issuer name of the ++ * IBM signing CRLs and the IBM signing key subject name. ++ */ ++ fixed_subject = pv_c2b_name(subject); ++ sk_X509_CRL_free(ret); ++ ret = pv_X509_STORE_CTX_get1_crls(ctx, fixed_subject); ++ if (ret && sk_X509_CRL_num(ret) > 0) ++ return g_steal_pointer(&ret); ++ ++ g_set_error(err, PV_CERT_ERROR, PV_CERT_ERROR_NO_CRL, _("no CRL found")); ++ return NULL; ++} ++ + /* Given a certificate @cert try to find valid revocation lists in @ctx. If no + * valid CRL was found NULL is returned. + */ +@@ -1412,21 +1476,9 @@ STACK_OF_X509_CRL *pv_store_ctx_find_val + return NULL; + } + +- ret = pv_X509_STORE_CTX_get1_crls(ctx, subject); +- if (!ret) { +- /* Workaround to fix the mismatch between issuer name of the +- * IBM Z signing CRLs and the IBM Z signing key subject name. +- */ +- g_autoptr(X509_NAME) broken_subject = pv_c2b_name(subject); +- +- ret = pv_X509_STORE_CTX_get1_crls(ctx, broken_subject); +- if (!ret) { +- g_set_error(error, PV_CERT_ERROR, PV_CERT_ERROR_NO_CRL, _("no CRL found")); +- g_info("ERROR: %s", (*error)->message); +- return NULL; +- } +- } +- ++ ret = quirk_X509_STORE_ctx_get1_crls(ctx, subject, error); ++ if (!ret) ++ return NULL; + /* Filter out non-valid CRLs for @cert */ + for (int i = 0; i < sk_X509_CRL_num(ret); i++) { + X509_CRL *crl = sk_X509_CRL_value(ret, i); diff --git a/s390-tools-sles15sp6-04-pvattest-Fix-root-ca-parsing.patch b/s390-tools-sles15sp6-04-pvattest-Fix-root-ca-parsing.patch new file mode 100644 index 0000000..f584399 --- /dev/null +++ b/s390-tools-sles15sp6-04-pvattest-Fix-root-ca-parsing.patch 
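Review bot: In libpv/cert.c the hunk for `check_host_key_issued` removes the `own_X509_NAME_equal` comparison but keeps `const X509_NAME *cert_issuer = X509_get_issuer_name(cert);` as context, and no visible hunk deletes the `issuer_subject` declaration that the removed code used, whereas the genprotimg patch deletes both declarations. Unless they are used further down, outside the hunk, they are now dead locals and will warn under `-Wunused-variable`. The visible hunks also leave the `own_X509_NAME_equal` definition in place, which the genprotimg patch removes; if it has no other caller in cert.c it should be dropped as well. `check_crl_issuer` in the same file is consistent: its two name locals go away together with the comparison.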
@@ -0,0 +1,25 @@
+Index: s390-tools-service/pvattest/src/argparse.c
+===================================================================
+--- s390-tools-service.orig/pvattest/src/argparse.c
++++ s390-tools-service/pvattest/src/argparse.c
+@@ -190,13 +190,13 @@ static gboolean hex_str_toull(const char
+ }
+
+ /* NOTE REQUIRED */
+-#define _entry_root_ca(__arg_data, __indent) \
+- { \
+- .long_name = "root-ca", .short_name = 0, .flags = G_OPTION_FLAG_NONE, \
+- .arg = G_OPTION_ARG_FILENAME_ARRAY, .arg_data = __arg_data, \
+- .description = "Use FILE as the trusted root CA instead the\n" __indent \
+- "root CAs that are installed on the system (optional).\n", \
+- .arg_description = "FILE", \
++#define _entry_root_ca(__arg_data, __indent) \
++ { \
++ .long_name = "root-ca", .short_name = 0, .flags = G_OPTION_FLAG_NONE, \
++ .arg = G_OPTION_ARG_FILENAME, .arg_data = __arg_data, \
++ .description = "Use FILE as the trusted root CA instead the\n" __indent \
++ "root CAs that are installed on the system (optional).\n", \
++ .arg_description = "FILE", \
+ }
+
+ /* NOTE REQUIRED */
diff --git a/s390-tools-sles15sp6-genprotimg-makefile.patch b/s390-tools-sles15sp6-genprotimg-makefile.patch
new file mode 100644
index 0000000..3d0ad08
--- /dev/null
+++ b/s390-tools-sles15sp6-genprotimg-makefile.patch
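Review bot: Switching `.arg` from `G_OPTION_ARG_FILENAME_ARRAY` to `G_OPTION_ARG_FILENAME` changes what GLib stores through `.arg_data`: a single `gchar *` instead of a NULL-terminated `gchar **`. The hunk only touches the `_entry_root_ca` macro, so the variable passed as `__arg_data` and the code that later reads the trusted root CA path are outside the view. Presumably the target is already a plain string, which would be the bug this fixes, but that should be confirmed, since a mismatch means the trust-anchor path is read through the wrong pointer type. The comment above the macro reads `/* NOTE REQUIRED */`, which looks like a typo for `/* NOT REQUIRED */`, and the help text says `instead the` where `instead of the` is meant.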
@@ -0,0 +1,92 @@
+From 0748d365a60477c96cb9f6a12e9dbe547d549e1f Mon Sep 17 00:00:00 2001
+From: Marc Hartmayer
+Date: Tue, 12 Mar 2024 09:33:19 +0000
+Subject: [PATCH] genprotimg/**/Makefile: Fix staged installs
+
+Fix the support for staged installs. The Makefile variable `PKGDATADIR`
+uses `DESTDIR` for all Makefile target, but actually it should only be
+used for the `install*` and `uninstall*` targets. [1] Fix this by using
+`DESTDIR` only for `install*` targets - uninstall* targets are not
+supported by s390-tools.
+
+Before this change, if `DESTDIR` was set for staged installs,
+`genprotimg` has tried to find the bootloader binaries at the temporary
+installation path `$DESTDIR$(TOOLS_DATADIR)/genprotimg/` instead of
+`$(TOOLS_DATADIR)/genprotimg`.
+
+[1] https://www.gnu.org/prep/standards/html_node/DESTDIR.html
+
+Fixes: 65b9fc442c1a ("genprotimg: introduce new tool for the creation of PV images")
+Reviewed-by: Steffen Eiden
+Signed-off-by: Marc Hartmayer
+Signed-off-by: Steffen Eiden
+---
+ genprotimg/Makefile | 6 +++---
+ genprotimg/boot/Makefile | 8 ++++----
+ genprotimg/src/Makefile | 2 +-
+ 3 files changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/genprotimg/Makefile b/genprotimg/Makefile
+index 8c9f7048..6a2e37e4 100644
+--- a/genprotimg/Makefile
++++ b/genprotimg/Makefile
+@@ -3,7 +3,7 @@ include ../common.mak
+
+ .DEFAULT_GOAL := all
+
+-PKGDATADIR := "$(DESTDIR)$(TOOLS_DATADIR)/genprotimg"
++PKGDATADIR := "$(TOOLS_DATADIR)/genprotimg"
+ TESTS :=
+ SUBDIRS := boot src man
+ RECURSIVE_TARGETS := all-recursive install-recursive clean-recursive
+@@ -11,8 +11,8 @@ RECURSIVE_TARGETS := all-recursive install-recursive clean-recursive
+ all: all-recursive
+
+ install: install-recursive
+- $(INSTALL) -d -m 755 "$(PKGDATADIR)"
+- $(INSTALL) -g $(GROUP) -o $(OWNER) -m 755 samples/check_hostkeydoc "$(PKGDATADIR)"
++ $(INSTALL) -d -m 755 "$(DESTDIR)$(PKGDATADIR)"
++ $(INSTALL) -g $(GROUP) -o $(OWNER) -m 755 samples/check_hostkeydoc "$(DESTDIR)$(PKGDATADIR)"
+
+ clean: clean-recursive
+
+diff --git a/genprotimg/boot/Makefile b/genprotimg/boot/Makefile
+index 799df9cc..73f3c9a8 100644
+--- a/genprotimg/boot/Makefile
++++ b/genprotimg/boot/Makefile
+@@ -7,7 +7,7 @@ DEBUG_FILES := $(addsuffix .debug,$(FILES))
+ ifeq ($(HOST_ARCH),s390x)
+ ZIPL_DIR := $(rootdir)/zipl
+ ZIPL_BOOT_DIR := $(ZIPL_DIR)/boot
+-PKGDATADIR := $(DESTDIR)$(TOOLS_DATADIR)/genprotimg
++PKGDATADIR := $(TOOLS_DATADIR)/genprotimg
+
+ INCLUDE_PATHS := $(ZIPL_BOOT_DIR) $(ZIPL_DIR)/include $(rootdir)/include
+ INCLUDE_PARMS := $(addprefix -I,$(INCLUDE_PATHS))
+@@ -86,9 +86,9 @@ stage3b.elf: head.o $(ZIPL_OBJS)
+ @chmod a-x $@
+
+ install: stage3a.bin stage3b_reloc.bin
+- $(INSTALL) -d -m 755 "$(PKGDATADIR)"
+- $(INSTALL) -g $(GROUP) -o $(OWNER) -m 644 stage3a.bin "$(PKGDATADIR)"
+- $(INSTALL) -g $(GROUP) -o $(OWNER) -m 644 stage3b_reloc.bin "$(PKGDATADIR)"
++ $(INSTALL) -d -m 755 "$(DESTDIR)$(PKGDATADIR)"
++ $(INSTALL) -g $(GROUP) -o $(OWNER) -m 644 stage3a.bin "$(DESTDIR)$(PKGDATADIR)"
++ $(INSTALL) -g $(GROUP) -o $(OWNER) -m 644 stage3b_reloc.bin "$(DESTDIR)$(PKGDATADIR)"
+
+ else
+ # Don't generate the dependency files (see `common.mak` for the
+diff --git a/genprotimg/src/Makefile b/genprotimg/src/Makefile
+index 08734bff..d447e6cf 100644
+--- a/genprotimg/src/Makefile
++++ b/genprotimg/src/Makefile
+@@ -3,7 +3,7 @@ include ../../common.mak
+
+ bin_PROGRAM = genprotimg
+
+-PKGDATADIR ?= "$(DESTDIR)$(TOOLS_DATADIR)/genprotimg"
++PKGDATADIR ?= "$(TOOLS_DATADIR)/genprotimg"
+ SRC_DIR := $(dir $(realpath $(firstword $(MAKEFILE_LIST))))
+ TOP_SRCDIR := $(SRC_DIR)/../
+ ROOT_DIR = $(TOP_SRC_DIR)/../../
+
diff --git a/s390-tools-sles15sp6-kdump-initrd-59-zfcp-compat-rules.patch b/s390-tools-sles15sp6-kdump-initrd-59-zfcp-compat-rules.patch
index 740ced7..ed5f356 100644
--- a/s390-tools-sles15sp6-kdump-initrd-59-zfcp-compat-rules.patch
+++ b/s390-tools-sles15sp6-kdump-initrd-59-zfcp-compat-rules.patch
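Review bot: In genprotimg/Makefile the new definition `PKGDATADIR := "$(TOOLS_DATADIR)/genprotimg"` keeps literal quotes inside the value, so the install recipe's `"$(DESTDIR)$(PKGDATADIR)"` expands to a quoted DESTDIR followed by an unquoted data directory and an empty string, and a data path containing whitespace would be split by the shell. genprotimg/boot/Makefile in the same patch defines the variable without quotes, where the same recipe text is quoted as a whole. I would define it the same way at the top level, `PKGDATADIR := $(TOOLS_DATADIR)/genprotimg`, unless that value is exported to genprotimg/src/Makefile, whose `PKGDATADIR ?=` keeps the quotes, presumably because it is passed to the compiler as a string; that use is outside the hunk. Since the patch is carried from upstream, the change belongs upstream first.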
@@ -12,12 +12,8 @@ and the symlink not created in the kdump environment. Fix this by including 59-zfcp-compat.rules in the kdump initrd. ---- - zdev/dracut/95zdev-kdump/module-setup.sh | 1 + - 1 file changed, 1 insertion(+) - ---- a/zdev/dracut/95zdev-kdump/module-setup.sh -+++ b/zdev/dracut/95zdev-kdump/module-setup.sh +--- a/zdev/dracut/95zdev-kdump/module-setup.sh 2024-02-21 15:57:33.027658387 +0100 ++++ b/zdev/dracut/95zdev-kdump/module-setup.sh 2024-02-21 15:57:38.215675799 +0100 @@ -78,6 +78,7 @@ inst_multiple /lib/s390-tools/zdev-from-dasd_mod.dasd @@ -25,4 +21,4 @@ Fix this by including 59-zfcp-compat.rules in the kdump initrd. + inst_rules "59-zfcp-compat.rules" # Obtain kdump target device configuration - + diff --git a/s390-tools.changes b/s390-tools.changes index f2a82f2..425aa92 100644 --- a/s390-tools.changes +++ b/s390-tools.changes 
@@ -1,84 +1,3 @@ -------------------------------------------------------------------- -Tue Nov 5 15:26:42 UTC 2024 - Nikolay Gueorguiev - -- Amended the *_configure scripts to update again the SUSE's specific file - '/boot/zipl/active_devices.txt' (bsc#1232474, bsc#1216257) - * ctc_configure - * dasd_configure - * qeth_configure - * zfcp_host_configure - -------------------------------------------------------------------- -Tue Nov 5 13:04:20 UTC 2024 - Nikolay Gueorguiev - -* Upgrade s390-tools to version 2.35 (jsc#PED-9591, jsc#PED-10303) -* Changes of existing tools: - - cpacfstats: Add support for FULL XTS (MSA 10) and HMAC (MSA 11) PAI counter - - cpuplugd: Make cpuplugd compatible with hiperdispatch - - dbginfo.sh: Add network sockstat info - - pvapconfig: s390x exclusive build - - zdev: Add option to select IPL device - - zdump/dfo_s390: Support s390 DFO for vr-kernel dumps - - zipl: Add support of mirror devices -* Bug Fixes: - - (genprotimg|zipl)/boot: discard .note.package ELF section to save memory - - netboot/mk-s390image: Fix size when argument is a symlink - - ziorep_config: Fix warning message when multipath device is not there. 
- - zipl: Fix problems when target parameters are specified by user - - zipl: Fix segfault when creating device-based dumps with '--dry-run' -*** v2.34.0 -* Changes of existing tools: - - ap_tools/ap-check: Add support for vfio-ap dynamic configuration - - dbginfo.sh: Update/Add additional DASD data collection - - dumpconf: Add new parameter 'SCP_DATA' for SCSI/NVMe/ECKD dump devices - - libutil: Make formatted meta-data configurable - - s390-tools: Replace 'which' with built-in 'command -v' - - zdump/dfi_elf: Support core dumps of vr-kernels -* Bug Fixes: - - chzdev: Fix warning about failed ATTR writes by udev - - rust/pv: Try again if first CRL-URI is invalid - - rust/pvattest: Add short option for --arpk - - zdump: Fix 'zgetdump -i' ioctl error on s390 formatted dump file -*** v2.33.1 -* Bug Fixes: - - s390-tools: Fix formatting and typos in README.md - - s390-tools: Fix release string -*** v2.33.0 -* Add new tools / libraries: - - chpstat: New tool for displaying channel path statistics - - libutil: Add output format helpers(util_fmt: JSON, JSON-SEQ, CSV, text pairs) -* Changes of existing tools / libraries: - - chzdev: Add --is-owner to identify files created by zdev - - dasdfmt: Change default mode to always use full-format (Note: affects ESE DASD) - - libap: Significantly reduce delay time between file lock retries - - pvattest: Rewrite from C to Rust - - pvattest: Support additional data & user-data - - rust/pv: Support for Attestation -* Bug Fixes: - - chreipl: Improve disk type detection when running under QEMU - - dbginfo.sh: Use POSIX option with uname - - s390-tools: Fix missing hyphen escapes in the man page for many tools - - zipl/src: Fix bugs in disk_get_info() reproducible in corner cases - *** v2.32.0 -* Changes of existing tools: - - cpumf/lscpumf: add support for machine type 3932 - - genprotimg, pvattest, and pvsecret accept IBM signing key with Armonk as - subject locality - - zdump/zipl: Support for List-Directed dump from ECKD DASD - - 
zkey: Detect FIPS mode and generate PBKDF for luksFormat according to it -* Bug Fixes: - - dbginfo.sh: dash compatible copy sequence - - rust/pv_core: Fix UvDeviceInfo::get() method - - zipl/src: Fix leak of files if run with a broken configuration - - zkey: Fix convert command to accept only keys of type CCA-AESDATA -* Revendored vendor.tar.gz -* Removed obsolete patches - - s390-tools-sles15sp6-genprotimg-makefile.patch - - s390-tools-sles15sp5-01-rust-pv-support-Armonk-in-IBM-signing-key-subject.patch - - s390-tools-sles15sp6-02-genprotimg-support-Armonk-in-IBM-signing-key-subject.patch - - s390-tools-sles15sp6-03-libpv-support-Armonk-in-IBM-signing-key-subject.patch - - s390-tools-sles15sp6-04-pvattest-Fix-root-ca-parsing.patch - ------------------------------------------------------------------- Thu Jul 11 14:56:34 UTC 2024 - Nikolay Gueorguiev diff --git a/s390-tools.spec b/s390-tools.spec index b5bad4a..9b1047e 100644 --- a/s390-tools.spec +++ b/s390-tools.spec @@ -33,7 +33,7 @@ %endif Name: s390-tools -Version: 2.35.0 +Version: 2.31.0 Release: 0 Summary: S/390 tools like zipl and dasdfmt for s390x (plus selected tools for x86_64) License: MIT 
@@ -153,8 +153,13 @@ Patch910: s390-tools-sles15sp1-11-zdev-Do-not-call-zipl-on-initrd-update.p Patch911: s390-tools-sles15sp5-remove-no-pie-link-arguments.patch Patch912: s390-tools-ALP-zdev-live.patch Patch913: s390-tools-sles15sp6-kdump-initrd-59-zfcp-compat-rules.patch -### Patch only for SLFO -Patch914: s390-tools-slfo-01-parse-ipl-device-for-activation.patch +Patch914: s390-tools-sles15sp6-genprotimg-makefile.patch +Patch915: s390-tools-slfo-01-parse-ipl-device-for-activation.patch +### SE-tooling: New IBM host-key subject locality (s390-tools) +Patch916: s390-tools-sles15sp5-01-rust-pv-support-Armonk-in-IBM-signing-key-subject.patch +Patch917: s390-tools-sles15sp6-02-genprotimg-support-Armonk-in-IBM-signing-key-subject.patch +Patch918: s390-tools-sles15sp6-03-libpv-support-Armonk-in-IBM-signing-key-subject.patch +Patch919: s390-tools-sles15sp6-04-pvattest-Fix-root-ca-parsing.patch ### BuildRequires: curl-devel @@ -179,7 +184,6 @@ BuildRequires: zlib-devel-static ### s390x %ifarch s390x BuildRequires: kernel-zfcpdump -BuildRequires: perl-Bootloader >= 0.4.15 BuildRequires: qclib-devel-static %endif ### Cargo @@ -228,11 +232,9 @@ zgetdump - tool to get linux system dumps from DASD genprotimg - create a protected virtualization image pvattest - create, perform, and verify protected virtualization attestation measurements pvsecret - manage secrets for IBM Secure Execution guests. +pvapconfig - used to automatically set up the AP configuration within an IBM Secure Execution guest. -Warning: There is an auxiliary data package - s390-tools-genprotimg-data. - To install s390-tools properly, please use: - 'sudo zypper install s390-tools s390-tools-genprotimg-data' - +Note: Auxiliary data package - s390-tools-genprotimg-data %package -n osasnmpd Summary: OSA-Express SNMP subagent diff --git a/vendor.tar.gz b/vendor.tar.gz index 4af5458..6a10e06 100644 --- a/vendor.tar.gz +++ b/vendor.tar.gz 
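Review bot: The `### Patch only for SLFO` comment is removed while the patch it labelled stays, renumbered to `Patch915:`, so the spec no longer marks which patch is SLFO-specific; I would keep that comment directly above `Patch915: s390-tools-slfo-01-parse-ipl-device-for-activation.patch`. The four patches under `### SE-tooling: New IBM host-key subject locality (s390-tools)` touch signing-key subject matching, CRL lookup and `--root-ca` parsing, and Patch919 is a parsing fix rather than part of the locality change, so a bug or feature reference on that comment (`<bsc/jsc reference>`) and a separate label for Patch919 would make the list easier to audit. The same commit sets `Version:` back from 2.35.0 to 2.31.0 in the earlier hunk, which is why these backports reappear; whether matching changelog entries remain for them is not visible here.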
@@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:13ce3050d9af81c9d01c73fd54d4932bdcb1d7349336654880a4c9393863e899 -size 43462501 +oid sha256:9ec5f811538c55052a6167b51fa11da135ae2f84db0b927b2a1c2e447ded3fe1 +size 39176578 diff --git a/zfcp_host_configure b/zfcp_host_configure index 047560b..db5036c 100644 --- a/zfcp_host_configure +++ b/zfcp_host_configure @@ -38,14 +38,6 @@ debug_mesg () { esac } -add_cio_channel() { - echo "$* # ${DATE}" >> /boot/zipl/active_devices.txt -} - -remove_cio_channel() { - [ -w /boot/zipl/active_devices.txt ] && sed -i -e "/^${1}/d" /boot/zipl/active_devices.txt -} - usage(){ echo "Usage: ${0} " echo " ccwid = x.y.ssss where" @@ -88,8 +80,3 @@ RC=${?} if [ ${RC} -ne 0 ]; then exit ${RC} fi - -if [ ${ON_OFF} == 1 ]; then - add_cio_channel "${CCW_CHAN_ID}" -else remove_cio_channel "${CCW_CHAN_ID}" -fi