SLFO-pool/s390-tools
SHA256
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Sync from SUSE:SLFO:Main s390-tools revision ca6e8fd2e5ddbe310b053b103d70157f

Browse Source
This commit is contained in:
Adrian Schröter 2024-11-28 10:28:50 +01:00
parent afbbc8f565
commit aa2121ba34
23 changed files with 1179 additions and 332 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
ctc_configure
View File

@ -44,14 +44,6 @@ debug_mesg () {
esac
}
add_cio_channel() {
echo "$* # ${DATE}" >> /boot/zipl/active_devices.txt
}
remove_cio_channel() {
[ -w /boot/zipl/active_devices.txt ] && sed -i -e "/^${1}/d" /boot/zipl/active_devices.txt
}
usage(){
echo "Usage: ${0} <read channel> <write channel> <online> [<protocol>]"
echo " read/write channel = x.y.ssss where"
@ -120,9 +112,3 @@ RC=${?}
if [ ${RC} -ne 0 ]; then
exit ${RC}
fi
if [ ${ON_OFF} == 1 ]; then
add_cio_channel "${CTC_READ_CHAN},${CTC_WRITE_CHAN}"
else remove_cio_channel "${CTC_READ_CHAN}"
remove_cio_channel "${CTC_WRITE_CHAN}"
fi

13
dasd_configure.opensuse
View File

@ -43,14 +43,6 @@ debug_mesg () {
esac
}
add_cio_channel() {
echo "$* # ${DATE}" >> /boot/zipl/active_devices.txt
}
remove_cio_channel() {
[ -w /boot/zipl/active_devices.txt ] && sed -i -e "/^${1}/d" /boot/zipl/active_devices.txt
}
usage(){
echo "Usage: ${0} [-f -t <dasd_type> ] <ccwid> <online> [use_diag]"
echo
@ -165,9 +157,4 @@ elif [ ${ON_OFF} == 1 ]; then
fi
fi
if [ ${ON_OFF} == 1 ]; then
add_cio_channel "${CCW_CHAN_ID}"
else remove_cio_channel "${CCW_CHAN_ID}"
fi
exit ${exitcode}

13
dasd_configure.suse
View File

@ -43,14 +43,6 @@ debug_mesg () {
esac
}
add_cio_channel() {
echo "$* # ${DATE}" >> /boot/zipl/active_devices.txt
}
remove_cio_channel() {
[ -w /boot/zipl/active_devices.txt ] && sed -i -e "/^${1}/d" /boot/zipl/active_devices.txt
}
usage(){
echo "Usage: ${0} [-f -t <dasd_type> ] <ccwid> <online> [use_diag]"
echo
@ -165,9 +157,4 @@ elif [ ${ON_OFF} == 1 ]; then
fi
fi
if [ ${ON_OFF} == 1 ]; then
add_cio_channel "${CCW_CHAN_ID}"
else remove_cio_channel "${CCW_CHAN_ID}"
fi
exit ${exitcode}

15
qeth_configure
View File

@ -48,14 +48,6 @@ debug_mesg () {
esac
}
add_cio_channel() {
echo "$* # ${DATE}" >> /boot/zipl/active_devices.txt
}
remove_cio_channel() {
[ -w /boot/zipl/active_devices.txt ] && sed -i -e "/^${1}/d" /boot/zipl/active_devices.txt
}
usage(){
echo "Usage: ${0} [options] <read chan> <write chan> <data chan> <online>"
echo " -i Configure IP takeover"
@ -165,10 +157,3 @@ RC=${?}
if [ ${RC} -ne 0 ]; then
exit ${RC}
fi
if [ ${ON_OFF} == 1 ]; then
add_cio_channel "${QETH_READ_CHAN},${QETH_WRITE_CHAN},${QETH_DATA_CHAN}"
else remove_cio_channel "${QETH_READ_CHAN}"
remove_cio_channel "${QETH_WRITE_CHAN}"
remove_cio_channel "${QETH_DATA_CHAN}"
fi

BIN
s390-tools-2.31.0.tar.gz (Stored with Git LFS) Normal file
View File

Binary file not shown.

BIN
s390-tools-2.35.0.tar.gz (Stored with Git LFS)
View File

Binary file not shown.

22
s390-tools-ALP-zdev-live.patch
View File

@ -5,8 +5,10 @@
zdev/dracut/Makefile | 15 ++++++++++--
4 files changed, 92 insertions(+), 2 deletions(-)
Index: s390-tools-2.30.0/zdev/dracut/96zdev-live/module-setup.sh
===================================================================
--- /dev/null
+++ b/zdev/dracut/96zdev-live/module-setup.sh
+++ s390-tools-2.30.0/zdev/dracut/96zdev-live/module-setup.sh
@@ -0,0 +1,32 @@
+#!/bin/bash
+
@ -40,8 +42,10 @@
+ inst_hook cleanup 41 "$moddir/write-udev-live.sh"
+ inst_multiple chzdev
+}
Index: s390-tools-2.30.0/zdev/dracut/96zdev-live/parse-zdev-live.sh
===================================================================
--- /dev/null
+++ b/zdev/dracut/96zdev-live/parse-zdev-live.sh
+++ s390-tools-2.30.0/zdev/dracut/96zdev-live/parse-zdev-live.sh
@@ -0,0 +1,36 @@
+#!/bin/bash
+#
@ -79,8 +83,10 @@
+ fi
+done
+
Index: s390-tools-2.30.0/zdev/dracut/96zdev-live/write-udev-live.sh
===================================================================
--- /dev/null
+++ b/zdev/dracut/96zdev-live/write-udev-live.sh
+++ s390-tools-2.30.0/zdev/dracut/96zdev-live/write-udev-live.sh
@@ -0,0 +1,11 @@
+#!/bin/sh
+#
@ -93,9 +99,11 @@
+if [ -w /sysroot/etc/udev/rules.d ]; then
+ cp -p /etc/udev/rules.d/41-* /sysroot/etc/udev/rules.d
+fi
--- a/zdev/dracut/Makefile
+++ b/zdev/dracut/Makefile
@@ -3,17 +3,23 @@
Index: s390-tools-2.30.0/zdev/dracut/Makefile
===================================================================
--- s390-tools-2.30.0.orig/zdev/dracut/Makefile
+++ s390-tools-2.30.0/zdev/dracut/Makefile
@@ -3,17 +3,23 @@ include ../../common.mak
ZDEVDIR := 95zdev
ZDEVKDUMPDIR := 95zdev-kdump
@ -121,7 +129,7 @@
ifeq ($(HAVE_DRACUT),1)
install:
$(INSTALL) -m 755 -d $(DESTDIR)$(DRACUTMODDIR)/
@@ -29,4 +35,9 @@
@@ -25,4 +31,9 @@ install:
$(INSTALL) -m 755 -d $(DESTDIR)$(DRACUTMODDIR)/$(ZDEVKDUMPDIR)
$(INSTALL) -m 755 $(ZDEVKDUMPDIR)/module-setup.sh \
$(DESTDIR)$(DRACUTMODDIR)/$(ZDEVKDUMPDIR)/

124
s390-tools-sles15-sysconfig-compatible-dumpconf.patch
View File

@ -1,27 +1,34 @@
---
etc/sysconfig/dumpconf | 133 +++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 133 insertions(+)
--- a/etc/sysconfig/dumpconf
+++ b/etc/sysconfig/dumpconf
@@ -1,3 +1,4 @@
+###########################################################################################
#
# s390 dump config
#
@@ -78,3 +79,135 @@
# dumpconf becomes active immediately during system startup.
#
# ON_PANIC=reipl
+
+############################ Begin Definitions ###########################################
Index: s390-tools-2.30.0/etc/sysconfig/dumpconf
===================================================================
--- s390-tools-2.30.0.orig/etc/sysconfig/dumpconf
+++ s390-tools-2.30.0/etc/sysconfig/dumpconf
@@ -1,71 +1,137 @@
+## Path: System/Dumpconf
+## Description: Configures the actions which should be performed after a kernel panic
+## Type: list(stop,dump,vmcmd,reipl,dump_reipl)
+## Default: "stop"
+## ServiceRestart: dumpconf
+#
#
-# s390 dump config
-#
-# Configures the actions which should be performed after a kernel panic
-# and on PSW restart.
+# Define the action that should be taken if a kernel panic happens.
#
# The following actions are supported:
#
-# * stop: Stop Linux (default)
-# * dump: Dump Linux with stand-alone dump tool
-# * vmcmd: Issue z/VM CP commands
-# * reipl: Re-IPL Linux using setting under /sys/firmware/reipl
-# * dump_reipl: First dump Linux with stand-alone dump tool, then re-IPL Linux
-# using setting under /sys/firmware/reipl
+# * stop: Stop Linux (default)
+# * dump: Dump Linux
+# * vmcmd: Issue z/VM CP commands
+# * reipl: Re-IPL Linux using setting under /sys/firmware/reipl
+# * dump_reipl: First dump Linux, then re-IPL Linux using setting under
+# /sys/firmware/reipl
+#
+ON_PANIC="stop"
+
@ -55,10 +62,14 @@
+# Define the device id for a DASD or SCSI over zFCP dump device.
+#
+# For example (DASD and SCSI over zFCP have the same structure): DEVICE=0.0.4711
+#
#
+DEVICE=""
+
+# Type: string
-# For the actions "reipl" and "dump_reipl" the DELAY_MINUTES keyword may
-# be used to delay the activation of dumpconf.
-# Thus potential reipl loops caused by kernel panics
-# which persistently occur early in the boot process can be prevented.
+## Type: string
+## Default: ""
+## ServiceRestart: dumpconf
+#
@ -67,40 +78,62 @@
+# For example: WWPN=0x5005076303004711
+#
+WWPN=""
+
-# Dump on CCW device (DASD) and re-IPL after dump is complete.
-# The re-IPL device, as specified under "/sys/firmware/reipl", is used.
-# The activation of dumpconf is delayed by 5 minutes.
+## Type: string
+## Default: ""
+## ServiceRestart: dumpconf
+#
#
-# ON_PANIC=dump_reipl
-# DUMP_TYPE=ccw
-# DEVICE=0.0.4e13
-# DELAY_MINUTES=5
+# Define the LUN for a zFCP dump device.
+#
+# For example: LUN=0x4711000000000000
+#
+LUN=""
+
+## Type: integer(0:30)
+## Default: "0"
+## ServiceRestart: dumpconf
+#
+# Define the Boot program selector for a zFCP dump device.
+#
#
-# Dump on fcp device (SCSI Disk)
+# A decimal value between 0 and 30 specifying the program to be loaded from
+# the FCP-I/O device.
+#
#
-# ON_PANIC=dump
-# DUMP_TYPE=fcp
-# DEVICE=0.0.4711
-# WWPN=0x5005076303004711
-# LUN=0x4711000000000000
-# BOOTPROG=0
-# BR_LBA=0
+BOOTPROG="0"
+
+## Type: string
+## Default: "0"
+## ServiceRestart: dumpconf
+#
#
-# Dump on nvme device (NVMe Disk)
+# Define the Boot record logical block address for a zFCP dump device.
+#
#
-# ON_PANIC=dump
-# DUMP_TYPE=nvme
-# FID=0x00000300
-# NSID=0x00000001
-# BOOTPROG=3
-# BR_LBA=0
+# The hexadecimal digits designating the logical-block address of the boot record of the FCP-I/O device.
+# It must be a value from 0-FFFFFFFF FFFFFFFF. For values longer than 8 hex characters at least one separator
+# blank is required after the 8th character.
+#
+BR_LBA="0"
+
+## Type: string
+## Default: ""
+## ServiceRestart: dumpconf
@ -108,11 +141,16 @@
+# Define the Function ID for NVMe dump device.
+#
+# The hexadecimal digits designating the Function ID for the NMVe disk.
+#
#
-# Use VMDUMP
+# For example: FID=0x00000300
+#
#
-# ON_PANIC=vmcmd
-# VMCMD_1="MESSAGE * Starting VMDUMP"
-# VMCMD_2="VMDUMP"
-# VMCMD_3="IPL 4711"
+FID=""
+
+## Type: string
+## Default: ""
+## ServiceRestart: dumpconf
@ -120,21 +158,28 @@
+# Define the Namespace ID for the NVMe dump device
+#
+# The hexadecimal digits designating the Namespace ID for the NMVe disk.
+#
#
-# Stop Linux (default)
+# For example: NSID=0x00000001
+#
#
-# ON_PANIC=stop
+NSID=""
+
+## Type: string
+## Default: ""
+## ServiceRestart: dumpconf
+#
#
-# Re-IPL Linux
-# The re-IPL device, as specified under "/sys/firmware/reipl", is used.
-# Since the DELAY_MINUTES keyword is omitted, there is no delay and
-# dumpconf becomes active immediately during system startup.
+# VMCMD_<X>
+# Specifies a CP command, <X> is a number from one to eight. You can
+# specify up to eight CP commands that are executed in case of a kernel
+# panic. Note that VM commands, device adresses, and VM guest names
+# must be uppercase.
+#
#
-# ON_PANIC=reipl
+VMCMD_1=""
+VMCMD_2=""
+VMCMD_3=""
@ -143,6 +188,3 @@
+VMCMD_6=""
+VMCMD_7=""
+VMCMD_8=""
+
+############################### End Definitions ##############################################
\ No newline at end of file

84
s390-tools-sles15sp3-Allow-multiple-device-arguments.patch
View File

@ -7,32 +7,36 @@ Allow the user to specify several devices as arguments to dasdfmt.
Signed-off-by: Hannes Reinecke <hare@suse.com>
---
dasdfmt/dasdfmt.8 | 6 -
dasdfmt/dasdfmt.c | 197 +++++++++++++++++++++++++++++++-----------------------
2 files changed, 119 insertions(+), 84 deletions(-)
dasdfmt/dasdfmt.8 | 5 +-
dasdfmt/dasdfmt.c | 175 ++++++++++++++++++++++++++++++------------------------
2 files changed, 100 insertions(+), 80 deletions(-)
--- a/dasdfmt/dasdfmt.8
+++ b/dasdfmt/dasdfmt.8
@@ -11,14 +11,14 @@
Index: s390-tools-2.30.0/dasdfmt/dasdfmt.8
===================================================================
--- s390-tools-2.30.0.orig/dasdfmt/dasdfmt.8
+++ s390-tools-2.30.0/dasdfmt/dasdfmt.8
@@ -11,14 +11,15 @@ dasdfmt \- formatting of DASD (ECKD) dis
.br
[\-r \fIcylinder\fR] [\-b \fIblksize\fR] [\-l \fIvolser\fR] [\-d \fIlayout\fR]
[-r \fIcylinder\fR] [-b \fIblksize\fR] [-l \fIvolser\fR] [-d \fIlayout\fR]
.br
- [\-L] [\-V] [\-F] [\-k] [\-C] [\-M \fImode\fR] \fIdevice\fR
+ [\-L] [\-V] [\-F] [\-k] [\-C] [\-M \fImode\fR] \fIdevice\fR [\fIdevice\fR]
- [-L] [-V] [-F] [-k] [-C] [-M \fImode\fR] \fIdevice\fR
+ [-L] [-V] [-F] [-k] [-C] [-M \fImode\fR] \fIdevice\fR [\fIdevice\fR]
.SH DESCRIPTION
-\fBdasdfmt\fR formats a DASD (ECKD) disk drive to prepare it
+\fBdasdfmt\fR formats one or several DASD (ECKD) disk drive(s) to prepare them
+\fBdasdfmt\fR formats one or several DASD (ECKD) disk drive to prepare it
for usage with Linux for S/390.
The \fIdevice\fR is the node of the device (e.g. '/dev/dasda').
Any device node created by udev for kernel 2.6 can be used
-(e.g. '/dev/dasd/0.0.b100/disc').
+(e.g. '/dev/dasd/0.0.b100/disc'). It is possible to specify up to 512 devices.
(e.g. '/dev/dasd/0.0.b100/disc').
+It is possible to specify up to 512 devices.
.br
\fBWARNING\fR: Careless usage of \fBdasdfmt\fR can result in
--- a/dasdfmt/dasdfmt.c
+++ b/dasdfmt/dasdfmt.c
Index: s390-tools-2.30.0/dasdfmt/dasdfmt.c
===================================================================
--- s390-tools-2.30.0.orig/dasdfmt/dasdfmt.c
+++ s390-tools-2.30.0/dasdfmt/dasdfmt.c
@@ -25,6 +25,8 @@
#include "dasdfmt.h"
@ -42,7 +46,7 @@ Signed-off-by: Hannes Reinecke <hare@suse.com>
#define BUSIDSIZE 8
#define SEC_PER_DAY (60 * 60 * 24)
#define SEC_PER_HOUR (60 * 60)
@@ -57,7 +59,9 @@
@@ -57,7 +59,9 @@ static const struct util_prg prg = {
static struct dasdfmt_globals {
dasd_information2_t dasd_info;
char *dev_path; /* device path entered by user */
@ -52,7 +56,7 @@ Signed-off-by: Hannes Reinecke <hare@suse.com>
int verbosity;
int testmode;
int withoutprompt;
@@ -484,15 +488,15 @@
@@ -484,15 +488,15 @@ static void program_interrupt_signal(int
program_interrupt_in_progress = 1;
if (disk_disabled) {
@ -71,7 +75,7 @@ Signed-off-by: Hannes Reinecke <hare@suse.com>
} else {
printf("Exiting...\n");
}
@@ -512,9 +516,6 @@
@@ -512,9 +516,6 @@ static void get_device_name(int optind,
unsigned int maj, min;
struct stat dev_stat;
@ -81,7 +85,7 @@ Signed-off-by: Hannes Reinecke <hare@suse.com>
if (optind >= argc)
error("No device specified!");
@@ -610,10 +611,10 @@
@@ -610,10 +611,10 @@ static void check_disk(void)
error("the ioctl call to retrieve read/write status information failed: %s",
strerror(err));
if (ro)
@ -94,7 +98,7 @@ Signed-off-by: Hannes Reinecke <hare@suse.com>
}
if (strncmp(g.dasd_info.type, "ECKD", 4) != 0) {
warnx("Unsupported disk type");
@@ -700,7 +701,7 @@
@@ -700,7 +701,7 @@ static void set_geo(unsigned int *cylind
struct dasd_eckd_characteristics *characteristics;
if (g.verbosity > 0)
@ -103,7 +107,7 @@ Signed-off-by: Hannes Reinecke <hare@suse.com>
characteristics = (struct dasd_eckd_characteristics *)
&g.dasd_info.characteristics;
@@ -728,13 +729,13 @@
@@ -728,13 +729,13 @@ static void set_label(volume_label_t *vl
"Cylinders above this limit will not be"
" accessible as a linux partition!\n"
"Type \"yes\" to continue, no will leave"
@ -120,7 +124,7 @@ Signed-off-by: Hannes Reinecke <hare@suse.com>
return;
}
}
@@ -872,7 +873,7 @@
@@ -872,7 +873,7 @@ static void check_disk_format(unsigned i
check_params->start_unit = 0;
check_params->stop_unit = (cylinders * heads) - 1;
@ -129,7 +133,7 @@ Signed-off-by: Hannes Reinecke <hare@suse.com>
if (g.testmode) {
printf("Test mode active, omitting ioctl.\n");
@@ -896,7 +897,7 @@
@@ -896,7 +897,7 @@ static void check_disk_format(unsigned i
if (process_tracks(cylinders, heads, check_params))
error("Use --mode=full to perform a clean format.");
@ -138,7 +142,7 @@ Signed-off-by: Hannes Reinecke <hare@suse.com>
}
/*
@@ -946,8 +947,8 @@
@@ -946,8 +947,8 @@ static void dasdfmt_print_info(volume_la
printf("Device Type: %s Provisioned\n",
g.ese ? "Thinly" : "Fully");
@ -149,7 +153,7 @@ Signed-off-by: Hannes Reinecke <hare@suse.com>
printf(" Device number of device : 0x%x\n", g.dasd_info.devno);
printf(" Labelling device : %s\n",
(g.writenolabel) ? "no" : "yes");
@@ -1012,7 +1013,7 @@
@@ -1012,7 +1013,7 @@ static void dasdfmt_write_labels(volume_
int ipl1_record_len, ipl2_record_len;
if (g.verbosity > 0)
@ -158,7 +162,7 @@ Signed-off-by: Hannes Reinecke <hare@suse.com>
get_blocksize(&blksize);
@@ -1030,7 +1031,7 @@
@@ -1030,7 +1031,7 @@ static void dasdfmt_write_labels(volume_
/* write empty bootstrap (initial IPL records) */
if (g.verbosity > 0)
@ -167,7 +171,7 @@ Signed-off-by: Hannes Reinecke <hare@suse.com>
/*
* Note: ldl labels do not contain the key field
@@ -1089,7 +1090,7 @@
@@ -1089,7 +1090,7 @@ static void dasdfmt_write_labels(volume_
label_position = g.dasd_info.label_block * blksize;
if (g.verbosity > 0)
@ -176,7 +180,7 @@ Signed-off-by: Hannes Reinecke <hare@suse.com>
rc = lseek(fd, label_position, SEEK_SET);
if (rc != label_position) {
@@ -1120,7 +1121,7 @@
@@ -1120,7 +1121,7 @@ static void dasdfmt_write_labels(volume_
}
if (g.verbosity > 0)
@ -185,16 +189,16 @@ Signed-off-by: Hannes Reinecke <hare@suse.com>
label_position = (VTOC_START_CC * heads + VTOC_START_HH) *
geo.sectors * blksize;
@@ -1242,7 +1243,7 @@
@@ -1242,7 +1243,7 @@ static int dasdfmt_release_space(void)
if (!g.ese || g.no_discard)
return;
return 0;
- printf("Releasing space for the entire device...\n");
+ printf("Releasing space for the entire %s device...\n", g.dev_path);
err = dasd_release_space(g.dev_node, &r);
if (err)
error("Could not release space: %s", strerror(err));
@@ -1261,20 +1262,21 @@
/*
* Warn or Error on failing RAS depending on QUICK mode set explicitly or automatically
@@ -1270,20 +1271,21 @@ static void dasdfmt_prepare_and_format(u
int err;
if (!(g.withoutprompt && g.verbosity < 1))
@ -221,7 +225,7 @@ Signed-off-by: Hannes Reinecke <hare@suse.com>
/* except track 0 from standard formatting procss */
p->start_unit = 1;
@@ -1282,19 +1284,19 @@
@@ -1291,19 +1293,19 @@ static void dasdfmt_prepare_and_format(u
process_tracks(cylinders, heads, p);
if (g.verbosity > 0)
@ -244,7 +248,7 @@ Signed-off-by: Hannes Reinecke <hare@suse.com>
disk_enable();
}
@@ -1306,18 +1308,18 @@
@@ -1315,18 +1317,18 @@ static void dasdfmt_expand_format(unsign
format_data_t *p)
{
if (!(g.withoutprompt && g.verbosity < 1))
@ -267,7 +271,7 @@ Signed-off-by: Hannes Reinecke <hare@suse.com>
if (g.verbosity > 0)
printf("Re-accessing the device...\n");
@@ -1426,16 +1428,16 @@
@@ -1435,16 +1437,16 @@ static void do_format_dasd(volume_label_
if (!g.withoutprompt) {
printf("\n");
if (mode != EXPAND)
@ -288,7 +292,7 @@ Signed-off-by: Hannes Reinecke <hare@suse.com>
return;
}
}
@@ -1453,12 +1455,12 @@
@@ -1466,12 +1468,12 @@ static void do_format_dasd(volume_label_
break;
}
@ -303,7 +307,7 @@ Signed-off-by: Hannes Reinecke <hare@suse.com>
err = dasd_reread_partition_table(g.dev_node, 5);
if (err != 0) {
ERRMSG("%s: error during rereading the partition "
@@ -1472,7 +1474,7 @@
@@ -1485,7 +1487,7 @@ static void do_format_dasd(volume_label_
static void eval_format_mode(void)
{
if (!g.force && g.mode_specified && g.ese && mode == EXPAND) {
@ -312,7 +316,7 @@ Signed-off-by: Hannes Reinecke <hare@suse.com>
warnx("Format mode 'expand' is not feasible.");
error("Use --mode=full or --mode=quick to perform a clean format");
}
@@ -1495,20 +1497,70 @@
@@ -1508,20 +1510,70 @@ static void set_prog_name(char *s)
prog_name = p + 1;
}
@ -387,7 +391,7 @@ Signed-off-by: Hannes Reinecke <hare@suse.com>
/* Establish a handler for interrupt signals. */
signal(SIGTERM, program_interrupt_signal);
@@ -1644,6 +1696,9 @@
@@ -1657,6 +1709,9 @@ int main(int argc, char *argv[])
break; /* exit loop if finished */
}
@ -397,7 +401,7 @@ Signed-off-by: Hannes Reinecke <hare@suse.com>
CHECK_SPEC_MAX_ONCE(g.blksize_specified, "blocksize");
CHECK_SPEC_MAX_ONCE(g.labelspec, "label");
CHECK_SPEC_MAX_ONCE(g.writenolabel, "omit-label-writing flag");
@@ -1662,48 +1717,28 @@
@@ -1675,48 +1730,28 @@ int main(int argc, char *argv[])
if (g.print_hashmarks)
PARSE_PARAM_INTO(g.hashstep, hashstep_str, 10, "hashstep");

53
s390-tools-sles15sp3-Format-devices-in-parallel.patch
View File

@ -7,34 +7,37 @@ Allow dasdfmt to run in parallel when several devices are specified.
Signed-off-by: Hannes Reinecke <hare@suse.com>
---
dasdfmt/dasdfmt.8 | 16 +++++++++++++-
dasdfmt/dasdfmt.c | 58 ++++++++++++++++++++++++++++++++++++++++++------------
2 files changed, 60 insertions(+), 14 deletions(-)
dasdfmt/dasdfmt.8 | 16 ++++++++++++++--
dasdfmt/dasdfmt.c | 50 +++++++++++++++++++++++++++++++++++++++++++-------
dasdfmt/dasdfmt.h | 1 +
3 files changed, 58 insertions(+), 9 deletions(-)
--- a/dasdfmt/dasdfmt.8
+++ b/dasdfmt/dasdfmt.8
Index: s390-tools-2.30.0/dasdfmt/dasdfmt.8
===================================================================
--- s390-tools-2.30.0.orig/dasdfmt/dasdfmt.8
+++ s390-tools-2.30.0/dasdfmt/dasdfmt.8
@@ -7,7 +7,7 @@
dasdfmt \- formatting of DASD (ECKD) disk drives.
.SH SYNOPSIS
-\fBdasdfmt\fR [\-h] [\-t] [\-v] [\-y] [\-p] [\-P] [\-m \fIstep\fR]
+\fBdasdfmt\fR [\-h] [\-t] [\-v] [\-y] [\-p] [\-Q] [\-P] [\-m \fIstep\fR]
-\fBdasdfmt\fR [-h] [-t] [-v] [-y] [-p] [-P] [-m \fIstep\fR]
+\fBdasdfmt\fR [-h] [-t] [-v] [-y] [-p] [-Q] [-P] [-m \fIstep\fR]
.br
[\-r \fIcylinder\fR] [\-b \fIblksize\fR] [\-l \fIvolser\fR] [\-d \fIlayout\fR]
[-r \fIcylinder\fR] [-b \fIblksize\fR] [-l \fIvolser\fR] [-d \fIlayout\fR]
.br
@@ -95,7 +95,7 @@
@@ -96,7 +96,7 @@ Do not use this option if you are using
running in background or redirecting the output to a file.
.TP
-\fB\-P\fR or \fB\-\-percentage\fR
+\fB\-Q\fR or \fB\-\-percentage\fR
-\fB-P\fR or \fB--percentage\fR
+\fB-Q\fR or \fB--percentage\fR
Print one line for each formatted cylinder showing the number of the
cylinder and percentage of formatting process.
Intended to be used by higher level interfaces.
@@ -164,6 +164,18 @@
@@ -164,6 +164,18 @@ Specify blocksize to be used. \fIblksize
and always be a power of two. The recommended blocksize is 4096 bytes.
.TP
\fB\-l\fR \fIvolser\fR or \fB\-\-label\fR=\fIvolser\fR
+\fB-P\fR \fInumdisks\fR or \fB--max_parallel\fR=\fInumdisks\fR
+Specify the number of disks to be formatted in parallel.
+\fInumdisks\fR specifies the number of formatting processed,
@ -47,11 +50,13 @@ Signed-off-by: Hannes Reinecke <hare@suse.com>
+.br
+
+.TP
\fB-l\fR \fIvolser\fR or \fB--label\fR=\fIvolser\fR
Specify the volume serial number or volume identifier to be written
to disk after formatting. If no label is specified, a sensible default
is used. \fIvolser\fR is interpreted as ASCII string and is automatically
--- a/dasdfmt/dasdfmt.c
+++ b/dasdfmt/dasdfmt.c
Index: s390-tools-2.30.0/dasdfmt/dasdfmt.c
===================================================================
--- s390-tools-2.30.0.orig/dasdfmt/dasdfmt.c
+++ s390-tools-2.30.0/dasdfmt/dasdfmt.c
@@ -13,6 +13,7 @@
#include <sys/sysmacros.h>
#include <sys/time.h>
@ -60,7 +65,7 @@ Signed-off-by: Hannes Reinecke <hare@suse.com>
#include "lib/dasd_base.h"
#include "lib/dasd_sys.h"
@@ -81,6 +82,7 @@
@@ -81,6 +82,7 @@ static struct dasdfmt_globals {
int mode_specified;
int ese;
int no_discard;
@ -68,7 +73,7 @@ Signed-off-by: Hannes Reinecke <hare@suse.com>
} g = {
.dasd_info = { 0 },
};
@@ -105,6 +107,11 @@
@@ -105,6 +107,11 @@ static struct util_opt opt_vec[] = {
.desc = "Perform complete format check on device",
.flags = UTIL_OPT_FLAG_NOSHORT,
},
@ -80,7 +85,7 @@ Signed-off-by: Hannes Reinecke <hare@suse.com>
UTIL_OPT_SECTION("FORMAT OPTIONS"),
{
.option = { "blocksize", required_argument, NULL, 'b' },
@@ -162,7 +169,7 @@
@@ -162,7 +169,7 @@ static struct util_opt opt_vec[] = {
.desc = "Show a progressbar",
},
{
@ -89,7 +94,7 @@ Signed-off-by: Hannes Reinecke <hare@suse.com>
.desc = "Show progress in percent",
},
UTIL_OPT_SECTION("MISC"),
@@ -311,7 +318,7 @@
@@ -311,7 +318,7 @@ static void draw_progress(int cyl, unsig
}
if (g.print_hashmarks && (cyl / g.hashstep - hashcount) != 0) {
@ -98,7 +103,7 @@ Signed-off-by: Hannes Reinecke <hare@suse.com>
fflush(stdout);
hashcount++;
}
@@ -1560,7 +1567,11 @@
@@ -1573,7 +1580,11 @@ int main(int argc, char *argv[])
char *reqsize_param_str = NULL;
char *hashstep_str = NULL;
@ -111,7 +116,7 @@ Signed-off-by: Hannes Reinecke <hare@suse.com>
/* Establish a handler for interrupt signals. */
signal(SIGTERM, program_interrupt_signal);
@@ -1623,7 +1634,7 @@
@@ -1636,7 +1647,7 @@ int main(int argc, char *argv[])
g.print_hashmarks = 1;
}
break;
@ -120,7 +125,7 @@ Signed-off-by: Hannes Reinecke <hare@suse.com>
if (!(g.print_hashmarks || g.print_progressbar))
g.print_percentage = 1;
break;
@@ -1682,6 +1693,9 @@
@@ -1695,6 +1706,9 @@ int main(int argc, char *argv[])
case OPT_NODISCARD:
g.no_discard = 1;
break;
@ -130,7 +135,7 @@ Signed-off-by: Hannes Reinecke <hare@suse.com>
case OPT_CHECK:
g.check = 1;
break;
@@ -1733,15 +1747,35 @@
@@ -1746,15 +1760,35 @@ int main(int argc, char *argv[])
if (numdev > 1 && g.labelspec)
error("Specifying a volser to be written doesn't make sense when formatting multiple DASD volumes.");

51
s390-tools-sles15sp3-Implement-Y-yast_mode.patch
View File

@ -7,22 +7,25 @@ Implement an option '-Y' to suppress most output.
Signed-off-by: Hannes Reinecke <hare@suse.com>
---
dasdfmt/dasdfmt.8 | 7 ++++-
dasdfmt/dasdfmt.c | 73 ++++++++++++++++++++++++++++++++++++++++++++++++------
2 files changed, 72 insertions(+), 8 deletions(-)
dasdfmt/dasdfmt.8 | 7 ++++++-
dasdfmt/dasdfmt.c | 27 ++++++++++++++++++++-------
dasdfmt/dasdfmt.h | 1 +
3 files changed, 27 insertions(+), 8 deletions(-)
--- a/dasdfmt/dasdfmt.8
+++ b/dasdfmt/dasdfmt.8
Index: s390-tools-2.30.0/dasdfmt/dasdfmt.8
===================================================================
--- s390-tools-2.30.0.orig/dasdfmt/dasdfmt.8
+++ s390-tools-2.30.0/dasdfmt/dasdfmt.8
@@ -7,7 +7,7 @@
dasdfmt \- formatting of DASD (ECKD) disk drives.
.SH SYNOPSIS
-\fBdasdfmt\fR [\-h] [\-t] [\-v] [\-y] [\-p] [\-Q] [\-P] [\-m \fIstep\fR]
+\fBdasdfmt\fR [\-h] [\-t] [\-v] [\-y] [\-p] [\-Q] [\-P] [\-Y] [\-m \fIstep\fR]
-\fBdasdfmt\fR [-h] [-t] [-v] [-y] [-p] [-Q] [-P] [-m \fIstep\fR]
+\fBdasdfmt\fR [-h] [-t] [-v] [-y] [-p] [-Q] [-P] [-Y] [-m \fIstep\fR]
.br
[\-r \fIcylinder\fR] [\-b \fIblksize\fR] [\-l \fIvolser\fR] [\-d \fIlayout\fR]
[-r \fIcylinder\fR] [-b \fIblksize\fR] [-l \fIvolser\fR] [-d \fIlayout\fR]
.br
@@ -112,6 +112,11 @@
@@ -113,6 +113,11 @@ The value will be at least as big as the
.br
.TP
@ -31,12 +34,14 @@ Signed-off-by: Hannes Reinecke <hare@suse.com>
+.br
+
+.TP
\fB\-M\fR \fImode\fR or \fB\-\-mode\fR=\fImode\fR
\fB-M\fR \fImode\fR or \fB--mode\fR=\fImode\fR
Specify the \fImode\fR to be used to format the device. Valid modes are:
.RS
--- a/dasdfmt/dasdfmt.c
+++ b/dasdfmt/dasdfmt.c
@@ -83,6 +83,7 @@
Index: s390-tools-2.30.0/dasdfmt/dasdfmt.c
===================================================================
--- s390-tools-2.30.0.orig/dasdfmt/dasdfmt.c
+++ s390-tools-2.30.0/dasdfmt/dasdfmt.c
@@ -83,6 +83,7 @@ static struct dasdfmt_globals {
int ese;
int no_discard;
int procnum;
@ -44,7 +49,7 @@ Signed-off-by: Hannes Reinecke <hare@suse.com>
} g = {
.dasd_info = { 0 },
};
@@ -172,6 +173,10 @@
@@ -172,6 +173,10 @@ static struct util_opt opt_vec[] = {
.option = { "percentage", no_argument, NULL, 'Q' },
.desc = "Show progress in percent",
},
@ -55,7 +60,7 @@ Signed-off-by: Hannes Reinecke <hare@suse.com>
UTIL_OPT_SECTION("MISC"),
{
.option = { "check_host_count", no_argument, NULL, 'C' },
@@ -318,7 +323,9 @@
@@ -318,7 +323,9 @@ static void draw_progress(int cyl, unsig
}
if (g.print_hashmarks && (cyl / g.hashstep - hashcount) != 0) {
@ -66,7 +71,7 @@ Signed-off-by: Hannes Reinecke <hare@suse.com>
fflush(stdout);
hashcount++;
}
@@ -392,7 +399,7 @@
@@ -392,7 +399,7 @@ static void evaluate_format_error(format
unsigned int kl = 0;
int blksize = cdata->expect.blksize;
@ -75,7 +80,7 @@ Signed-off-by: Hannes Reinecke <hare@suse.com>
printf("\n");
/*
@@ -780,8 +787,9 @@
@@ -780,8 +787,9 @@ static void check_hashmarks(void)
g.hashstep = 10;
}
@ -87,7 +92,7 @@ Signed-off-by: Hannes Reinecke <hare@suse.com>
}
}
@@ -1462,17 +1470,19 @@
@@ -1475,17 +1483,19 @@ static void do_format_dasd(volume_label_
break;
}
@ -110,7 +115,7 @@ Signed-off-by: Hannes Reinecke <hare@suse.com>
printf("ok\n");
}
}
@@ -1548,6 +1558,7 @@
@@ -1561,6 +1571,7 @@ void process_dasd(volume_label_t *orig_v
error("%s", str);
set_geo(&cylinders, &heads);
@ -118,7 +123,7 @@ Signed-off-by: Hannes Reinecke <hare@suse.com>
set_label(&vlabel, &format_params, cylinders);
if (g.check)
@@ -1557,6 +1568,29 @@
@@ -1570,6 +1581,29 @@ void process_dasd(volume_label_t *orig_v
}
@ -148,7 +153,7 @@ Signed-off-by: Hannes Reinecke <hare@suse.com>
int main(int argc, char *argv[])
{
volume_label_t vlabel;
@@ -1693,6 +1727,10 @@
@@ -1706,6 +1740,10 @@ int main(int argc, char *argv[])
case OPT_NODISCARD:
g.no_discard = 1;
break;
@ -159,7 +164,7 @@ Signed-off-by: Hannes Reinecke <hare@suse.com>
case 'P':
max_parallel = atoi(optarg);
break;
@@ -1728,6 +1766,21 @@
@@ -1741,6 +1779,21 @@ int main(int argc, char *argv[])
reqsize = DEFAULT_REQUESTSIZE;
}
@ -181,7 +186,7 @@ Signed-off-by: Hannes Reinecke <hare@suse.com>
if (g.print_hashmarks)
PARSE_PARAM_INTO(g.hashstep, hashstep_str, 10, "hashstep");
@@ -1747,6 +1800,12 @@
@@ -1760,6 +1813,12 @@ int main(int argc, char *argv[])
if (numdev > 1 && g.labelspec)
error("Specifying a volser to be written doesn't make sense when formatting multiple DASD volumes.");

47
s390-tools-sles15sp3-Implement-f-for-backwards-compability.patch
View File

@ -9,34 +9,39 @@ version of YaST we should accept this option, too.
Signed-off-by: Hannes Reinecke <hare@suse.com>
---
dasdfmt/dasdfmt.8 | 5 ++++-
dasdfmt/dasdfmt.c | 10 ++++++++++
2 files changed, 14 insertions(+), 1 deletion(-)
dasdfmt/dasdfmt.8 | 6 +++++-
dasdfmt/dasdfmt.c | 8 ++++++++
2 files changed, 13 insertions(+), 1 deletion(-)
--- a/dasdfmt/dasdfmt.8
+++ b/dasdfmt/dasdfmt.8
@@ -11,7 +11,7 @@
Index: s390-tools-2.30.0/dasdfmt/dasdfmt.8
===================================================================
--- s390-tools-2.30.0.orig/dasdfmt/dasdfmt.8
+++ s390-tools-2.30.0/dasdfmt/dasdfmt.8
@@ -11,7 +11,7 @@ dasdfmt \- formatting of DASD (ECKD) dis
.br
[\-r \fIcylinder\fR] [\-b \fIblksize\fR] [\-l \fIvolser\fR] [\-d \fIlayout\fR]
[-r \fIcylinder\fR] [-b \fIblksize\fR] [-l \fIvolser\fR] [-d \fIlayout\fR]
.br
- [\-L] [\-V] [\-F] [\-k] [\-C] [\-M \fImode\fR] \fIdevice\fR [\fIdevice\fR]
+ [\-L] [\-V] [\-F] [\-k] [\-C] [\-M \fImode\fR] [-f \fIdevice\fR] [\fIdevice\fR]
- [-L] [-V] [-F] [-k] [-C] [-M \fImode\fR] \fIdevice\fR [\fIdevice\fR]
+ [-L] [-V] [-F] [-k] [-C] [-M \fImode\fR] [-f \fIdevice\fR] [\fIdevice\fR]
.SH DESCRIPTION
\fBdasdfmt\fR formats one or several DASD (ECKD) disk drive(s) to prepare them
@@ -39,6 +39,9 @@
.TP
\fB\-v\fR
\fBdasdfmt\fR formats one or several DASD (ECKD) disk drive to prepare it
@@ -42,6 +42,10 @@ out, what it \fBwould\fR do.
Increases verbosity.
+.TP
+\fB-f\fR \fIdevice\fR or \fB--device\fR=\fIdevice\fR
+Specify device to format. For backwards compability only.
.TP
\fB\-y\fR
--- a/dasdfmt/dasdfmt.c
+++ b/dasdfmt/dasdfmt.c
@@ -113,6 +113,10 @@
+\fB-f\fR \fIdevice\fR or \fB--device\fR=\fIdevice\fR
+Specify device to format. For backwards compability only.
+
+.TP
\fB-y\fR
Start formatting without further user-confirmation.
Index: s390-tools-2.30.0/dasdfmt/dasdfmt.c
===================================================================
--- s390-tools-2.30.0.orig/dasdfmt/dasdfmt.c
+++ s390-tools-2.30.0/dasdfmt/dasdfmt.c
@@ -113,6 +113,10 @@ static struct util_opt opt_vec[] = {
.desc = "Format devices in parallel",
.flags = UTIL_OPT_FLAG_NOLONG,
},
@ -47,7 +52,7 @@ Signed-off-by: Hannes Reinecke <hare@suse.com>
UTIL_OPT_SECTION("FORMAT OPTIONS"),
{
.option = { "blocksize", required_argument, NULL, 'b' },
@@ -1649,6 +1653,12 @@
@@ -1662,6 +1666,12 @@ int main(int argc, char *argv[])
}
g.layout_specified = 1;
break;

286
s390-tools-sles15sp5-01-rust-pv-support-Armonk-in-IBM-signing-key-subject.patch Normal file
View File

@ -0,0 +1,286 @@
Index: s390-tools-service/rust/pv/src/verify.rs
===================================================================
--- s390-tools-service.orig/rust/pv/src/verify.rs
+++ s390-tools-service/rust/pv/src/verify.rs
@@ -3,10 +3,11 @@
// Copyright IBM Corp. 2023
use core::slice;
-use log::debug;
+use log::{debug, trace};
+use openssl::error::ErrorStack;
use openssl::stack::Stack;
use openssl::x509::store::X509Store;
-use openssl::x509::{CrlStatus, X509Ref, X509StoreContext, X509};
+use openssl::x509::{CrlStatus, X509NameRef, X509Ref, X509StoreContext, X509StoreContextRef, X509};
use openssl_extensions::crl::StackableX509Crl;
use openssl_extensions::crl::X509StoreContextExtension;
@@ -82,8 +83,8 @@ impl HkdVerifier for CertVerifier {
if verified_crls.is_empty() {
bail_hkd_verify!(NoCrl);
}
- for crl in &verified_crls {
- match crl.get_by_cert(&hkd.to_owned()) {
+ for crl in verified_crls {
+ match crl.get_by_serial(hkd.serial_number()) {
CrlStatus::NotRevoked => (),
_ => bail_hkd_verify!(HdkRevoked),
}
@@ -94,21 +95,54 @@ impl HkdVerifier for CertVerifier {
}
impl CertVerifier {
+ fn quirk_crls(
+ ctx: &mut X509StoreContextRef,
+ subject: &X509NameRef,
+ ) -> Result<Stack<StackableX509Crl>, ErrorStack> {
+ match ctx.crls(subject) {
+ Ok(ret) if !ret.is_empty() => return Ok(ret),
+ _ => (),
+ }
+
+ // Armonk/Poughkeepsie fixup
+ trace!("quirk_crls: Try Locality");
+ if let Some(locality_subject) = helper::armonk_locality_fixup(subject) {
+ match ctx.crls(&locality_subject) {
+ Ok(ret) if !ret.is_empty() => return Ok(ret),
+ _ => (),
+ }
+
+ // reorder
+ trace!("quirk_crls: Try Locality+Reorder");
+ if let Ok(locality_ordered_subject) = helper::reorder_x509_names(&locality_subject) {
+ match ctx.crls(&locality_ordered_subject) {
+ Ok(ret) if !ret.is_empty() => return Ok(ret),
+ _ => (),
+ }
+ }
+ }
+
+ // reorder unchanged loaciliy subject
+ trace!("quirk_crls: Try Reorder");
+ if let Ok(ordered_subject) = helper::reorder_x509_names(subject) {
+ match ctx.crls(&ordered_subject) {
+ Ok(ret) if !ret.is_empty() => return Ok(ret),
+ _ => (),
+ }
+ }
+ // nothing found, return empty stack
+ Stack::new()
+ }
+
///Download the CLRs that a HKD refers to.
pub fn hkd_crls(&self, hkd: &X509Ref) -> Result<Stack<StackableX509Crl>> {
let mut ctx = X509StoreContext::new()?;
// Unfortunately we cannot use a dedicated function here and have to use a closure (E0434)
// Otherwise, we cannot refer to self
+ // Search for local CRLs
let mut crls = ctx.init_opt(&self.store, None, None, |ctx| {
let subject = self.ibm_z_sign_key.subject_name();
- match ctx.crls(subject) {
- Ok(crls) => Ok(crls),
- _ => {
- // reorder the name and try again
- let broken_subj = helper::reorder_x509_names(subject)?;
- ctx.crls(&broken_subj).or_else(helper::stack_err_hlp)
- }
- }
+ Self::quirk_crls(ctx, subject)
})?;
if !self.offline {
Index: s390-tools-service/rust/pv/src/verify/helper.rs
===================================================================
--- s390-tools-service.orig/rust/pv/src/verify/helper.rs
+++ s390-tools-service/rust/pv/src/verify/helper.rs
@@ -13,7 +13,7 @@ use openssl::{
error::ErrorStack,
nid::Nid,
ssl::SslFiletype,
- stack::{Stack, Stackable},
+ stack::Stack,
x509::{
store::{File, X509Lookup, X509StoreBuilder, X509StoreBuilderRef, X509StoreRef},
verify::{X509VerifyFlags, X509VerifyParam},
@@ -25,6 +25,7 @@ use openssl_extensions::{
akid::{AkidCheckResult, AkidExtension},
crl::X509StoreExtension,
};
+use std::str::from_utf8;
use std::{cmp::Ordering, ffi::c_int, time::Duration, usize};
/// Minimum security level for the keys/certificates used to establish a chain of
@@ -39,7 +40,6 @@ const SECURITY_CHAIN_MAX_LEN: c_int = 2;
/// verifies that the HKD
/// * has enough security bits
/// * is inside its validity period
-/// * issuer name is the subject name of the [`sign_key`]
/// * the Authority Key ID matches the Signing Key ID of the [`sign_key`]
pub fn verify_hkd_options(hkd: &X509Ref, sign_key: &X509Ref) -> Result<()> {
let hk_pkey = hkd.public_key()?;
@@ -53,9 +53,6 @@ pub fn verify_hkd_options(hkd: &X509Ref,
// verify that the hkd is still valid
check_validity_period(hkd.not_before(), hkd.not_after())?;
- // check if hkd.issuer_name == issuer.subject
- check_x509_name_equal(sign_key.subject_name(), hkd.issuer_name())?;
-
// verify that the AKID of the hkd matches the SKID of the issuer
if let Some(akid) = hkd.akid() {
if akid.check(sign_key) != AkidCheckResult::OK {
@@ -75,9 +72,6 @@ pub fn verify_crl(crl: &X509CrlRef, issu
return None;
}
}
-
- check_x509_name_equal(crl.issuer_name(), issuer.subject_name()).ok()?;
-
match crl.verify(issuer.public_key().ok()?.as_ref()).ok()? {
true => Some(()),
false => None,
@@ -207,7 +201,8 @@ pub fn download_crls_into_store(store: &
//Asn1StringRef::as_slice aka ASN1_STRING_get0_data gives a string without \0 delimiter
const IBM_Z_COMMON_NAME: &[u8; 43usize] = b"International Business Machines Corporation";
const IBM_Z_COUNTRY_NAME: &[u8; 2usize] = b"US";
-const IBM_Z_LOCALITY_NAME: &[u8; 12usize] = b"Poughkeepsie";
+const IBM_Z_LOCALITY_NAME_POUGHKEEPSIE: &[u8; 12usize] = b"Poughkeepsie";
+const IBM_Z_LOCALITY_NAME_ARMONK: &[u8; 6usize] = b"Armonk";
const IBM_Z_ORGANIZATIONAL_UNIT_NAME_SUFFIX: &str = "Key Signing Service";
const IBM_Z_ORGANIZATION_NAME: &[u8; 43usize] = b"International Business Machines Corporation";
const IBM_Z_STATE: &[u8; 8usize] = b"New York";
@@ -226,7 +221,8 @@ fn is_ibm_signing_cert(cert: &X509) -> b
if subj.entries().count() != IMB_Z_ENTRY_COUNT
|| !name_data_eq(subj, Nid::COUNTRYNAME, IBM_Z_COUNTRY_NAME)
|| !name_data_eq(subj, Nid::STATEORPROVINCENAME, IBM_Z_STATE)
- || !name_data_eq(subj, Nid::LOCALITYNAME, IBM_Z_LOCALITY_NAME)
+ || !(name_data_eq(subj, Nid::LOCALITYNAME, IBM_Z_LOCALITY_NAME_POUGHKEEPSIE)
+ || name_data_eq(subj, Nid::LOCALITYNAME, IBM_Z_LOCALITY_NAME_ARMONK))
|| !name_data_eq(subj, Nid::ORGANIZATIONNAME, IBM_Z_ORGANIZATION_NAME)
|| !name_data_eq(subj, Nid::COMMONNAME, IBM_Z_COMMON_NAME)
{
@@ -367,24 +363,6 @@ fn check_validity_period(not_before: &As
}
}
-fn check_x509_name_equal(lhs: &X509NameRef, rhs: &X509NameRef) -> Result<()> {
- if lhs.entries().count() != rhs.entries().count() {
- bail_hkd_verify!(IssuerMismatch);
- }
-
- for l in lhs.entries() {
- // search for the matching value in the rhs names
- // found none? -> names are not equal
- if !rhs
- .entries()
- .any(|r| l.data().as_slice() == r.data().as_slice())
- {
- bail_hkd_verify!(IssuerMismatch);
- }
- }
- Ok(())
-}
-
const NIDS_CORRECT_ORDER: [Nid; 6] = [
Nid::COUNTRYNAME,
Nid::ORGANIZATIONNAME,
@@ -407,13 +385,28 @@ pub fn reorder_x509_names(subject: &X509
Ok(correct_subj.build())
}
-pub fn stack_err_hlp<T: Stackable>(
- e: ErrorStack,
-) -> std::result::Result<Stack<T>, openssl::error::ErrorStack> {
- match e.errors().len() {
- 0 => Stack::<T>::new(),
- _ => Err(e),
+/**
+* Workaround for potential locality mismatches between CRLs and Certs
+* # Return
+* fixed subject or none if locality was not Armonk or any OpenSSL error
+*/
+pub fn armonk_locality_fixup(subject: &X509NameRef) -> Option<X509Name> {
+ if !name_data_eq(subject, Nid::LOCALITYNAME, IBM_Z_LOCALITY_NAME_ARMONK) {
+ return None;
+ }
+
+ let mut ret = X509Name::builder().ok()?;
+ for entry in subject.entries() {
+ match entry.object().nid() {
+ nid @ Nid::LOCALITYNAME => ret
+ .append_entry_by_nid(nid, from_utf8(IBM_Z_LOCALITY_NAME_POUGHKEEPSIE).ok()?)
+ .ok()?,
+ _ => {
+ ret.append_entry(entry).ok()?;
+ }
+ }
}
+ Some(ret.build())
}
#[cfg(test)]
@@ -451,20 +444,6 @@ mod test {
));
}
- #[test]
- fn x509_name_equal() {
- let sign_crt = load_gen_cert("ibm.crt");
- let hkd = load_gen_cert("host.crt");
- let other = load_gen_cert("inter_ca.crt");
-
- assert!(super::check_x509_name_equal(sign_crt.subject_name(), hkd.issuer_name()).is_ok(),);
-
- assert!(matches!(
- super::check_x509_name_equal(other.subject_name(), hkd.subject_name()),
- Err(Error::HkdVerify(IssuerMismatch))
- ));
- }
-
#[test]
fn is_ibm_z_sign_key() {
let ibm_crt = load_gen_cert("ibm.crt");
Index: s390-tools-service/rust/pv/src/verify/test.rs
===================================================================
--- s390-tools-service.orig/rust/pv/src/verify/test.rs
+++ s390-tools-service/rust/pv/src/verify/test.rs
@@ -84,7 +84,6 @@ fn verify_online() {
let inter_crt = get_cert_asset_path_string("inter_ca.crt");
let ibm_crt = get_cert_asset_path_string("ibm.crt");
let hkd_revoked = load_gen_cert("host_rev.crt");
- let hkd_inv = load_gen_cert("host_invalid_signing_key.crt");
let hkd_exp = load_gen_cert("host_crt_expired.crt");
let hkd = load_gen_cert("host.crt");
@@ -112,11 +111,6 @@ fn verify_online() {
));
assert!(matches!(
- verifier.verify(&hkd_inv),
- Err(Error::HkdVerify(IssuerMismatch))
- ));
-
- assert!(matches!(
verifier.verify(&hkd_exp),
Err(Error::HkdVerify(AfterValidity))
));
@@ -130,7 +124,6 @@ fn verify_offline() {
let ibm_crt = get_cert_asset_path_string("ibm.crt");
let ibm_crl = get_cert_asset_path_string("ibm.crl");
let hkd_revoked = load_gen_cert("host_rev.crt");
- let hkd_inv = load_gen_cert("host_invalid_signing_key.crt");
let hkd_exp = load_gen_cert("host_crt_expired.crt");
let hkd = load_gen_cert("host.crt");
@@ -149,11 +142,6 @@ fn verify_offline() {
));
assert!(matches!(
- verifier.verify(&hkd_inv),
- Err(Error::HkdVerify(IssuerMismatch))
- ));
-
- assert!(matches!(
verifier.verify(&hkd_exp),
Err(Error::HkdVerify(AfterValidity))
));

12
s390-tools-sles15sp5-remove-no-pie-link-arguments.patch
View File

@ -1,10 +1,8 @@
---
common.mak | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/common.mak
+++ b/common.mak
@@ -338,8 +338,8 @@
Index: s390-tools-2.30.0/common.mak
===================================================================
--- s390-tools-2.30.0.orig/common.mak
+++ s390-tools-2.30.0/common.mak
@@ -338,8 +338,8 @@ export INSTALL CFLAGS CXXFLAGS \
LDFLAGS CPPFLAGS ALL_CFLAGS ALL_CXXFLAGS ALL_LDFLAGS ALL_CPPFLAGS
ifneq ($(shell $(CC_SILENT) -dumpspecs 2>/dev/null | grep -e '[^f]no-pie'),)

304
s390-tools-sles15sp6-02-genprotimg-support-Armonk-in-IBM-signing-key-subject.patch Normal file
View File

@ -0,0 +1,304 @@
Index: s390-tools-service/genprotimg/src/include/pv_crypto_def.h
===================================================================
--- s390-tools-service.orig/genprotimg/src/include/pv_crypto_def.h
+++ s390-tools-service/genprotimg/src/include/pv_crypto_def.h
@@ -17,7 +17,8 @@
/* IBM signing key subject */
#define PV_IBM_Z_SUBJECT_COMMON_NAME "International Business Machines Corporation"
#define PV_IBM_Z_SUBJECT_COUNTRY_NAME "US"
-#define PV_IBM_Z_SUBJECT_LOCALITY_NAME "Poughkeepsie"
+#define PV_IBM_Z_SUBJECT_LOCALITY_NAME_POUGHKEEPSIE "Poughkeepsie"
+#define PV_IBM_Z_SUBJECT_LOCALITY_NAME_ARMONK "Armonk"
#define PV_IBM_Z_SUBJECT_ORGANIZATIONONAL_UNIT_NAME_SUFFIX "Key Signing Service"
#define PV_IBM_Z_SUBJECT_ORGANIZATION_NAME "International Business Machines Corporation"
#define PV_IBM_Z_SUBJECT_STATE "New York"
Index: s390-tools-service/genprotimg/src/utils/crypto.c
===================================================================
--- s390-tools-service.orig/genprotimg/src/utils/crypto.c
+++ s390-tools-service/genprotimg/src/utils/crypto.c
@@ -664,62 +664,9 @@ static gboolean x509_name_data_by_nid_eq
return memcmp(data, y, data_len) == 0;
}
-static gboolean own_X509_NAME_ENTRY_equal(const X509_NAME_ENTRY *x,
- const X509_NAME_ENTRY *y)
-{
- const ASN1_OBJECT *x_obj = X509_NAME_ENTRY_get_object(x);
- const ASN1_STRING *x_data = X509_NAME_ENTRY_get_data(x);
- const ASN1_OBJECT *y_obj = X509_NAME_ENTRY_get_object(y);
- const ASN1_STRING *y_data = X509_NAME_ENTRY_get_data(y);
- gint x_len = ASN1_STRING_length(x_data);
- gint y_len = ASN1_STRING_length(y_data);
-
- if (x_len < 0 || x_len != y_len)
- return FALSE;
-
- /* ASN1_STRING_cmp(x_data, y_data) == 0 doesn't work because it also
- * compares the type, which is sometimes different.
- */
- return OBJ_cmp(x_obj, y_obj) == 0 &&
- memcmp(ASN1_STRING_get0_data(x_data),
- ASN1_STRING_get0_data(y_data),
- (unsigned long)x_len) == 0;
-}
-
-static gboolean own_X509_NAME_equal(const X509_NAME *x, const X509_NAME *y)
-{
- gint x_count = X509_NAME_entry_count(x);
- gint y_count = X509_NAME_entry_count(y);
-
- if (x != y && (!x || !y))
- return FALSE;
-
- if (x_count != y_count)
- return FALSE;
-
- for (gint i = 0; i < x_count; i++) {
- const X509_NAME_ENTRY *entry_i = X509_NAME_get_entry(x, i);
- gboolean entry_found = FALSE;
-
- for (gint j = 0; j < y_count; j++) {
- const X509_NAME_ENTRY *entry_j =
- X509_NAME_get_entry(y, j);
-
- if (own_X509_NAME_ENTRY_equal(entry_i, entry_j)) {
- entry_found = TRUE;
- break;
- }
- }
-
- if (!entry_found)
- return FALSE;
- }
- return TRUE;
-}
-
/* Checks whether the subject of @cert is a IBM signing key subject. For this we
* must check that the subject is equal to: 'C = US, ST = New York, L =
- * Poughkeepsie, O = International Business Machines Corporation, CN =
+ * Poughkeepsie or Armonk, O = International Business Machines Corporation, CN =
* International Business Machines Corporation' and the organization unit (OUT)
* must end with the suffix ' Key Signing Service'.
*/
@@ -743,8 +690,10 @@ static gboolean has_ibm_signing_subject(
PV_IBM_Z_SUBJECT_STATE))
return FALSE;
- if (!x509_name_data_by_nid_equal(subject, NID_localityName,
- PV_IBM_Z_SUBJECT_LOCALITY_NAME))
+ if (!(x509_name_data_by_nid_equal(subject, NID_localityName,
+ PV_IBM_Z_SUBJECT_LOCALITY_NAME_POUGHKEEPSIE) ||
+ x509_name_data_by_nid_equal(subject, NID_localityName,
+ PV_IBM_Z_SUBJECT_LOCALITY_NAME_ARMONK)))
return FALSE;
if (!x509_name_data_by_nid_equal(subject, NID_organizationName,
@@ -806,6 +755,39 @@ static X509_NAME *x509_name_reorder_attr
return g_steal_pointer(&ret);
}
+/** Replace locality 'Armonk' with 'Pougkeepsie'. If Armonk was not set return
+ * `NULL`.
+ */
+static X509_NAME *x509_armonk_locality_fixup(const X509_NAME *name)
+{
+ g_autoptr(X509_NAME) ret = NULL;
+ int pos;
+
+ /* Check if ``L=Armonk`` */
+ if (!x509_name_data_by_nid_equal((X509_NAME *)name, NID_localityName,
+ PV_IBM_Z_SUBJECT_LOCALITY_NAME_ARMONK))
+ return NULL;
+
+ ret = X509_NAME_dup(name);
+ if (!ret)
+ g_abort();
+
+ pos = X509_NAME_get_index_by_NID(ret, NID_localityName, -1);
+ if (pos == -1)
+ return NULL;
+
+ X509_NAME_ENTRY_free(X509_NAME_delete_entry(ret, pos));
+
+ /* Create a new name entry at the same position as before */
+ if (X509_NAME_add_entry_by_NID(
+ ret, NID_localityName, MBSTRING_UTF8,
+ (const unsigned char *)&PV_IBM_Z_SUBJECT_LOCALITY_NAME_POUGHKEEPSIE,
+ sizeof(PV_IBM_Z_SUBJECT_LOCALITY_NAME_POUGHKEEPSIE) - 1, pos, 0) != 1)
+ return NULL;
+
+ return g_steal_pointer(&ret);
+}
+
/* In RFC 5280 the attributes of a (subject/issuer) name is not mandatory
* ordered. The problem is that our certificates are not consistent in the order
* (see https://tools.ietf.org/html/rfc5280#section-4.1.2.4 for details).
@@ -828,24 +810,10 @@ X509_NAME *c2b_name(const X509_NAME *nam
return X509_NAME_dup((X509_NAME *)name);
}
-/* Verify that: subject(issuer) == issuer(crl) and SKID(issuer) == AKID(crl) */
+/* Verify that SKID(issuer) == AKID(crl) if available */
static gint check_crl_issuer(X509_CRL *crl, X509 *issuer, GError **err)
{
- const X509_NAME *crl_issuer = X509_CRL_get_issuer(crl);
- const X509_NAME *issuer_subject = X509_get_subject_name(issuer);
- AUTHORITY_KEYID *akid = NULL;
-
- if (!own_X509_NAME_equal(issuer_subject, crl_issuer)) {
- g_autofree char *issuer_subject_str = X509_NAME_oneline(issuer_subject,
- NULL, 0);
- g_autofree char *crl_issuer_str = X509_NAME_oneline(crl_issuer, NULL, 0);
-
- g_set_error(err, PV_CRYPTO_ERROR,
- PV_CRYPTO_ERROR_CRL_SUBJECT_ISSUER_MISMATCH,
- _("issuer mismatch:\n%s\n%s"),
- issuer_subject_str, crl_issuer_str);
- return -1;
- }
+ g_autoptr(AUTHORITY_KEYID) akid = NULL;
/* If AKID(@crl) is specified it must match with SKID(@issuer) */
akid = X509_CRL_get_ext_d2i(crl, NID_authority_key_identifier, NULL, NULL);
@@ -881,7 +849,6 @@ gint check_crl_valid_for_cert(X509_CRL *
return -1;
}
- /* check that the @crl issuer matches with the subject name of @cert*/
if (check_crl_issuer(crl, cert, err) < 0)
return -1;
@@ -910,6 +877,60 @@ gint check_crl_valid_for_cert(X509_CRL *
return 0;
}
+/* This function contains work-arounds for some known subject(CRT)<->issuer(CRL)
+ * issues.
+ */
+static STACK_OF_X509_CRL *quirk_X509_STORE_ctx_get1_crls(X509_STORE_CTX *ctx,
+ const X509_NAME *subject, GError **err)
+{
+ g_autoptr(X509_NAME) fixed_subject = NULL;
+ g_autoptr(STACK_OF_X509_CRL) ret = NULL;
+
+ ret = Pv_X509_STORE_CTX_get1_crls(ctx, subject);
+ if (ret && sk_X509_CRL_num(ret) > 0)
+ return g_steal_pointer(&ret);
+
+ /* Workaround to fix the mismatch between issuer name of the * IBM
+ * signing CRLs and the IBM signing key subject name. Locality name has
+ * changed from Poughkeepsie to Armonk.
+ */
+ fixed_subject = x509_armonk_locality_fixup(subject);
+ /* Was the locality replaced? */
+ if (fixed_subject) {
+ X509_NAME *tmp;
+
+ sk_X509_CRL_free(ret);
+ ret = Pv_X509_STORE_CTX_get1_crls(ctx, fixed_subject);
+ if (ret && sk_X509_CRL_num(ret) > 0)
+ return g_steal_pointer(&ret);
+
+ /* Workaround to fix the ordering mismatch between issuer name
+ * of the IBM signing CRLs and the IBM signing key subject name.
+ */
+ tmp = fixed_subject;
+ fixed_subject = c2b_name(fixed_subject);
+ X509_NAME_free(tmp);
+ sk_X509_CRL_free(ret);
+ ret = Pv_X509_STORE_CTX_get1_crls(ctx, fixed_subject);
+ if (ret && sk_X509_CRL_num(ret) > 0)
+ return g_steal_pointer(&ret);
+ X509_NAME_free(fixed_subject);
+ fixed_subject = NULL;
+ }
+
+ /* Workaround to fix the ordering mismatch between issuer name of the
+ * IBM signing CRLs and the IBM signing key subject name.
+ */
+ fixed_subject = c2b_name(subject);
+ sk_X509_CRL_free(ret);
+ ret = Pv_X509_STORE_CTX_get1_crls(ctx, fixed_subject);
+ if (ret && sk_X509_CRL_num(ret) > 0)
+ return g_steal_pointer(&ret);
+
+ g_set_error(err, PV_CRYPTO_ERROR, PV_CRYPTO_ERROR_NO_CRL, _("no CRL found"));
+ return NULL;
+}
+
/* Given a certificate @cert try to find valid revocation lists in @ctx. If no
* valid CRL was found NULL is returned.
*/
@@ -927,20 +948,9 @@ STACK_OF_X509_CRL *store_ctx_find_valid_
return NULL;
}
- ret = X509_STORE_CTX_get1_crls(ctx, subject);
- if (!ret) {
- /* Workaround to fix the mismatch between issuer name of the
- * IBM Z signing CRLs and the IBM Z signing key subject name.
- */
- g_autoptr(X509_NAME) broken_subject = c2b_name(subject);
-
- ret = X509_STORE_CTX_get1_crls(ctx, broken_subject);
- if (!ret) {
- g_set_error(err, PV_CRYPTO_ERROR, PV_CRYPTO_ERROR_NO_CRL,
- _("no CRL found"));
- return NULL;
- }
- }
+ ret = quirk_X509_STORE_ctx_get1_crls(ctx, subject, err);
+ if (!ret)
+ return NULL;
/* Filter out non-valid CRLs for @cert */
for (gint i = 0; i < sk_X509_CRL_num(ret); i++) {
@@ -1328,32 +1338,14 @@ gint check_chain_parameters(const STACK_
/* It's almost the same as X509_check_issed from OpenSSL does except that we
* don't check the key usage of the potential issuer. This means we check:
- * 1. issuer_name(cert) == subject_name(issuer)
- * 2. Check whether the akid(cert) (if available) matches the issuer skid
- * 3. Check that the cert algrithm matches the subject algorithm
- * 4. Verify the signature of certificate @cert is using the public key of
+ * 1. Check whether the akid(cert) (if available) matches the issuer skid
+ * 2. Check that the cert algrithm matches the subject algorithm
+ * 3. Verify the signature of certificate @cert is using the public key of
* @issuer.
*/
static gint check_host_key_issued(X509 *cert, X509 *issuer, GError **err)
{
- const X509_NAME *issuer_subject = X509_get_subject_name(issuer);
- const X509_NAME *cert_issuer = X509_get_issuer_name(cert);
- AUTHORITY_KEYID *akid = NULL;
-
- /* We cannot use X509_NAME_cmp() because it considers the order of the
- * X509_NAME_Entries.
- */
- if (!own_X509_NAME_equal(issuer_subject, cert_issuer)) {
- g_autofree char *issuer_subject_str =
- X509_NAME_oneline(issuer_subject, NULL, 0);
- g_autofree char *cert_issuer_str =
- X509_NAME_oneline(cert_issuer, NULL, 0);
- g_set_error(err, PV_CRYPTO_ERROR,
- PV_CRYPTO_ERROR_CERT_SUBJECT_ISSUER_MISMATCH,
- _("Subject issuer mismatch:\n'%s'\n'%s'"),
- issuer_subject_str, cert_issuer_str);
- return -1;
- }
+ g_autoptr(AUTHORITY_KEYID) akid = NULL;
akid = X509_get_ext_d2i(cert, NID_authority_key_identifier, NULL, NULL);
if (akid && X509_check_akid(issuer, akid) != X509_V_OK) {
Index: s390-tools-service/genprotimg/src/utils/crypto.h
===================================================================
--- s390-tools-service.orig/genprotimg/src/utils/crypto.h
+++ s390-tools-service/genprotimg/src/utils/crypto.h
@@ -75,6 +75,7 @@ void x509_pair_free(x509_pair *pair);
/* Register auto cleanup functions */
WRAPPED_G_DEFINE_AUTOPTR_CLEANUP_FUNC(ASN1_INTEGER, ASN1_INTEGER_free)
WRAPPED_G_DEFINE_AUTOPTR_CLEANUP_FUNC(ASN1_OCTET_STRING, ASN1_OCTET_STRING_free)
+WRAPPED_G_DEFINE_AUTOPTR_CLEANUP_FUNC(AUTHORITY_KEYID, AUTHORITY_KEYID_free)
WRAPPED_G_DEFINE_AUTOPTR_CLEANUP_FUNC(BIGNUM, BN_free)
WRAPPED_G_DEFINE_AUTOPTR_CLEANUP_FUNC(BIO, BIO_free_all)
WRAPPED_G_DEFINE_AUTOPTR_CLEANUP_FUNC(BN_CTX, BN_CTX_free)

224
s390-tools-sles15sp6-03-libpv-support-Armonk-in-IBM-signing-key-subject.patch Normal file
View File

@ -0,0 +1,224 @@
Index: s390-tools-service/include/libpv/cert.h
===================================================================
--- s390-tools-service.orig/include/libpv/cert.h
+++ s390-tools-service/include/libpv/cert.h
@@ -16,7 +16,8 @@
#define PV_IBM_Z_SUBJECT_COMMON_NAME "International Business Machines Corporation"
#define PV_IBM_Z_SUBJECT_COUNTRY_NAME "US"
-#define PV_IBM_Z_SUBJECT_LOCALITY_NAME "Poughkeepsie"
+#define PV_IBM_Z_SUBJECT_LOCALITY_NAME_POUGHKEEPSIE "Poughkeepsie"
+#define PV_IBM_Z_SUBJECT_LOCALITY_NAME_ARMONK "Armonk"
#define PV_IBM_Z_SUBJECT_ORGANIZATIONAL_UNIT_NAME_SUFFIX "Key Signing Service"
#define PV_IBM_Z_SUBJECT_ORGANIZATION_NAME "International Business Machines Corporation"
#define PV_IBM_Z_SUBJECT_STATE "New York"
Index: s390-tools-service/libpv/cert.c
===================================================================
--- s390-tools-service.orig/libpv/cert.c
+++ s390-tools-service/libpv/cert.c
@@ -857,7 +857,7 @@ static gboolean x509_name_data_by_nid_eq
/* Checks whether the subject of @cert is a IBM signing key subject. For this we
* must check that the subject is equal to: 'C = US, ST = New York, L =
- * Poughkeepsie, O = International Business Machines Corporation, CN =
+ * Poughkeepsie or Armonk, O = International Business Machines Corporation, CN =
* International Business Machines Corporation' and the organization unit (OUT)
* must end with the suffix ' Key Signing Service'.
*/
@@ -879,7 +879,10 @@ static gboolean has_ibm_signing_subject(
if (!x509_name_data_by_nid_equal(subject, NID_stateOrProvinceName, PV_IBM_Z_SUBJECT_STATE))
return FALSE;
- if (!x509_name_data_by_nid_equal(subject, NID_localityName, PV_IBM_Z_SUBJECT_LOCALITY_NAME))
+ if (!(x509_name_data_by_nid_equal(subject, NID_localityName,
+ PV_IBM_Z_SUBJECT_LOCALITY_NAME_POUGHKEEPSIE) ||
+ x509_name_data_by_nid_equal(subject, NID_localityName,
+ PV_IBM_Z_SUBJECT_LOCALITY_NAME_ARMONK)))
return FALSE;
if (!x509_name_data_by_nid_equal(subject, NID_organizationName,
@@ -1085,10 +1088,9 @@ static int check_signature_algo_match(co
/* It's almost the same as X509_check_issed from OpenSSL does except that we
* don't check the key usage of the potential issuer. This means we check:
- * 1. issuer_name(cert) == subject_name(issuer)
- * 2. Check whether the akid(cert) (if available) matches the issuer skid
- * 3. Check that the cert algrithm matches the subject algorithm
- * 4. Verify the signature of certificate @cert is using the public key of
+ * 1. Check whether the akid(cert) (if available) matches the issuer skid
+ * 2. Check that the cert algrithm matches the subject algorithm
+ * 3. Verify the signature of certificate @cert is using the public key of
* @issuer.
*/
static int check_host_key_issued(X509 *cert, X509 *issuer, GError **error)
@@ -1097,19 +1099,6 @@ static int check_host_key_issued(X509 *c
const X509_NAME *cert_issuer = X509_get_issuer_name(cert);
g_autoptr(AUTHORITY_KEYID) akid = NULL;
- /* We cannot use X509_NAME_cmp() because it considers the order of the
- * X509_NAME_Entries.
- */
- if (!own_X509_NAME_equal(issuer_subject, cert_issuer)) {
- g_autofree char *issuer_subject_str = pv_X509_NAME_oneline(issuer_subject);
- g_autofree char *cert_issuer_str = pv_X509_NAME_oneline(cert_issuer);
-
- g_set_error(error, PV_CERT_ERROR, PV_CERT_ERROR_CERT_SUBJECT_ISSUER_MISMATCH,
- _("Subject issuer mismatch:\n'%s'\n'%s'"), issuer_subject_str,
- cert_issuer_str);
- return -1;
- }
-
akid = X509_get_ext_d2i(cert, NID_authority_key_identifier, NULL, NULL);
if (akid && X509_check_akid(issuer, akid) != X509_V_OK) {
g_set_error(error, PV_CERT_ERROR, PV_CERT_ERROR_SKID_AKID_MISMATCH,
@@ -1286,21 +1275,10 @@ int pv_verify_cert(X509_STORE_CTX *ctx,
return 0;
}
-/* Verify that: subject(issuer) == issuer(crl) and SKID(issuer) == AKID(crl) */
+/* Verify that SKID(issuer) == AKID(crl) */
static int check_crl_issuer(X509_CRL *crl, X509 *issuer, GError **error)
{
- const X509_NAME *crl_issuer = X509_CRL_get_issuer(crl);
- const X509_NAME *issuer_subject = X509_get_subject_name(issuer);
- AUTHORITY_KEYID *akid = NULL;
-
- if (!own_X509_NAME_equal(issuer_subject, crl_issuer)) {
- g_autofree char *issuer_subject_str = pv_X509_NAME_oneline(issuer_subject);
- g_autofree char *crl_issuer_str = pv_X509_NAME_oneline(crl_issuer);
-
- g_set_error(error, PV_CERT_ERROR, PV_CERT_ERROR_CRL_SUBJECT_ISSUER_MISMATCH,
- _("issuer mismatch:\n%s\n%s"), issuer_subject_str, crl_issuer_str);
- return -1;
- }
+ g_autoptr(AUTHORITY_KEYID) akid = NULL;
/* If AKID(@crl) is specified it must match with SKID(@issuer) */
akid = X509_CRL_get_ext_d2i(crl, NID_authority_key_identifier, NULL, NULL);
@@ -1325,7 +1303,6 @@ int pv_verify_crl(X509_CRL *crl, X509 *c
return -1;
}
- /* check that the @crl issuer matches with the subject name of @cert*/
if (check_crl_issuer(crl, cert, error) < 0)
return -1;
@@ -1393,6 +1370,93 @@ int pv_check_chain_parameters(const STAC
return 0;
}
+/** Replace locality 'Armonk' with 'Pougkeepsie'. If Armonk was not set return
+ * `NULL`.
+ */
+static X509_NAME *x509_armonk_locality_fixup(const X509_NAME *name)
+{
+ g_autoptr(X509_NAME) ret = NULL;
+ int pos;
+
+ /* Check if ``L=Armonk`` */
+ if (!x509_name_data_by_nid_equal((X509_NAME *)name, NID_localityName,
+ PV_IBM_Z_SUBJECT_LOCALITY_NAME_ARMONK))
+ return NULL;
+
+ ret = X509_NAME_dup(name);
+ if (!ret)
+ g_abort();
+
+ pos = X509_NAME_get_index_by_NID(ret, NID_localityName, -1);
+ if (pos == -1)
+ return NULL;
+
+ X509_NAME_ENTRY_free(X509_NAME_delete_entry(ret, pos));
+
+ /* Create a new name entry at the same position as before */
+ if (X509_NAME_add_entry_by_NID(
+ ret, NID_localityName, MBSTRING_UTF8,
+ (const unsigned char *)&PV_IBM_Z_SUBJECT_LOCALITY_NAME_POUGHKEEPSIE,
+ sizeof(PV_IBM_Z_SUBJECT_LOCALITY_NAME_POUGHKEEPSIE) - 1, pos, 0) != 1)
+ return NULL;
+
+ return g_steal_pointer(&ret);
+}
+
+/* This function contains work-arounds for some known subject(CRT)<->issuer(CRL)
+ * issues.
+ */
+static STACK_OF_X509_CRL *quirk_X509_STORE_ctx_get1_crls(X509_STORE_CTX *ctx,
+ const X509_NAME *subject, GError **err)
+{
+ g_autoptr(X509_NAME) fixed_subject = NULL;
+ g_autoptr(STACK_OF_X509_CRL) ret = NULL;
+
+ ret = pv_X509_STORE_CTX_get1_crls(ctx, subject);
+ if (ret && sk_X509_CRL_num(ret) > 0)
+ return g_steal_pointer(&ret);
+
+ /* Workaround to fix the mismatch between issuer name of the * IBM
+ * signing CRLs and the IBM signing key subject name. Locality name has
+ * changed from Poughkeepsie to Armonk.
+ */
+ fixed_subject = x509_armonk_locality_fixup(subject);
+ /* Was the locality replaced? */
+ if (fixed_subject) {
+ X509_NAME *tmp;
+
+ sk_X509_CRL_free(ret);
+ ret = pv_X509_STORE_CTX_get1_crls(ctx, fixed_subject);
+ if (ret && sk_X509_CRL_num(ret) > 0)
+ return g_steal_pointer(&ret);
+
+ /* Workaround to fix the ordering mismatch between issuer name
+ * of the IBM signing CRLs and the IBM signing key subject name.
+ */
+ tmp = fixed_subject;
+ fixed_subject = pv_c2b_name(fixed_subject);
+ X509_NAME_free(tmp);
+ sk_X509_CRL_free(ret);
+ ret = pv_X509_STORE_CTX_get1_crls(ctx, fixed_subject);
+ if (ret && sk_X509_CRL_num(ret) > 0)
+ return g_steal_pointer(&ret);
+ X509_NAME_free(fixed_subject);
+ fixed_subject = NULL;
+ }
+
+ /* Workaround to fix the ordering mismatch between issuer name of the
+ * IBM signing CRLs and the IBM signing key subject name.
+ */
+ fixed_subject = pv_c2b_name(subject);
+ sk_X509_CRL_free(ret);
+ ret = pv_X509_STORE_CTX_get1_crls(ctx, fixed_subject);
+ if (ret && sk_X509_CRL_num(ret) > 0)
+ return g_steal_pointer(&ret);
+
+ g_set_error(err, PV_CERT_ERROR, PV_CERT_ERROR_NO_CRL, _("no CRL found"));
+ return NULL;
+}
+
/* Given a certificate @cert try to find valid revocation lists in @ctx. If no
* valid CRL was found NULL is returned.
*/
@@ -1412,21 +1476,9 @@ STACK_OF_X509_CRL *pv_store_ctx_find_val
return NULL;
}
- ret = pv_X509_STORE_CTX_get1_crls(ctx, subject);
- if (!ret) {
- /* Workaround to fix the mismatch between issuer name of the
- * IBM Z signing CRLs and the IBM Z signing key subject name.
- */
- g_autoptr(X509_NAME) broken_subject = pv_c2b_name(subject);
-
- ret = pv_X509_STORE_CTX_get1_crls(ctx, broken_subject);
- if (!ret) {
- g_set_error(error, PV_CERT_ERROR, PV_CERT_ERROR_NO_CRL, _("no CRL found"));
- g_info("ERROR: %s", (*error)->message);
- return NULL;
- }
- }
-
+ ret = quirk_X509_STORE_ctx_get1_crls(ctx, subject, error);
+ if (!ret)
+ return NULL;
/* Filter out non-valid CRLs for @cert */
for (int i = 0; i < sk_X509_CRL_num(ret); i++) {
X509_CRL *crl = sk_X509_CRL_value(ret, i);

25
s390-tools-sles15sp6-04-pvattest-Fix-root-ca-parsing.patch Normal file
View File

@ -0,0 +1,25 @@
Index: s390-tools-service/pvattest/src/argparse.c
===================================================================
--- s390-tools-service.orig/pvattest/src/argparse.c
+++ s390-tools-service/pvattest/src/argparse.c
@@ -190,13 +190,13 @@ static gboolean hex_str_toull(const char
}
/* NOTE REQUIRED */
-#define _entry_root_ca(__arg_data, __indent) \
- { \
- .long_name = "root-ca", .short_name = 0, .flags = G_OPTION_FLAG_NONE, \
- .arg = G_OPTION_ARG_FILENAME_ARRAY, .arg_data = __arg_data, \
- .description = "Use FILE as the trusted root CA instead the\n" __indent \
- "root CAs that are installed on the system (optional).\n", \
- .arg_description = "FILE", \
+#define _entry_root_ca(__arg_data, __indent) \
+ { \
+ .long_name = "root-ca", .short_name = 0, .flags = G_OPTION_FLAG_NONE, \
+ .arg = G_OPTION_ARG_FILENAME, .arg_data = __arg_data, \
+ .description = "Use FILE as the trusted root CA instead the\n" __indent \
+ "root CAs that are installed on the system (optional).\n", \
+ .arg_description = "FILE", \
}
/* NOTE REQUIRED */

92
s390-tools-sles15sp6-genprotimg-makefile.patch Normal file
View File

@ -0,0 +1,92 @@
From 0748d365a60477c96cb9f6a12e9dbe547d549e1f Mon Sep 17 00:00:00 2001
From: Marc Hartmayer <mhartmay@linux.ibm.com>
Date: Tue, 12 Mar 2024 09:33:19 +0000
Subject: [PATCH] genprotimg/**/Makefile: Fix staged installs
Fix the support for staged installs. The Makefile variable `PKGDATADIR`
uses `DESTDIR` for all Makefile target, but actually it should only be
used for the `install*` and `uninstall*` targets. [1] Fix this by using
`DESTDIR` only for `install*` targets - uninstall* targets are not
supported by s390-tools.
Before this change, if `DESTDIR` was set for staged installs,
`genprotimg` has tried to find the bootloader binaries at the temporary
installation path `$DESTDIR$(TOOLS_DATADIR)/genprotimg/` instead of
`$(TOOLS_DATADIR)/genprotimg`.
[1] https://www.gnu.org/prep/standards/html_node/DESTDIR.html
Fixes: 65b9fc442c1a ("genprotimg: introduce new tool for the creation of PV images")
Reviewed-by: Steffen Eiden <seiden@linux.ibm.com>
Signed-off-by: Marc Hartmayer <mhartmay@linux.ibm.com>
Signed-off-by: Steffen Eiden <seiden@linux.ibm.com>
---
genprotimg/Makefile | 6 +++---
genprotimg/boot/Makefile | 8 ++++----
genprotimg/src/Makefile | 2 +-
3 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/genprotimg/Makefile b/genprotimg/Makefile
index 8c9f7048..6a2e37e4 100644
--- a/genprotimg/Makefile
+++ b/genprotimg/Makefile
@@ -3,7 +3,7 @@ include ../common.mak
.DEFAULT_GOAL := all
-PKGDATADIR := "$(DESTDIR)$(TOOLS_DATADIR)/genprotimg"
+PKGDATADIR := "$(TOOLS_DATADIR)/genprotimg"
TESTS :=
SUBDIRS := boot src man
RECURSIVE_TARGETS := all-recursive install-recursive clean-recursive
@@ -11,8 +11,8 @@ RECURSIVE_TARGETS := all-recursive install-recursive clean-recursive
all: all-recursive
install: install-recursive
- $(INSTALL) -d -m 755 "$(PKGDATADIR)"
- $(INSTALL) -g $(GROUP) -o $(OWNER) -m 755 samples/check_hostkeydoc "$(PKGDATADIR)"
+ $(INSTALL) -d -m 755 "$(DESTDIR)$(PKGDATADIR)"
+ $(INSTALL) -g $(GROUP) -o $(OWNER) -m 755 samples/check_hostkeydoc "$(DESTDIR)$(PKGDATADIR)"
clean: clean-recursive
diff --git a/genprotimg/boot/Makefile b/genprotimg/boot/Makefile
index 799df9cc..73f3c9a8 100644
--- a/genprotimg/boot/Makefile
+++ b/genprotimg/boot/Makefile
@@ -7,7 +7,7 @@ DEBUG_FILES := $(addsuffix .debug,$(FILES))
ifeq ($(HOST_ARCH),s390x)
ZIPL_DIR := $(rootdir)/zipl
ZIPL_BOOT_DIR := $(ZIPL_DIR)/boot
-PKGDATADIR := $(DESTDIR)$(TOOLS_DATADIR)/genprotimg
+PKGDATADIR := $(TOOLS_DATADIR)/genprotimg
INCLUDE_PATHS := $(ZIPL_BOOT_DIR) $(ZIPL_DIR)/include $(rootdir)/include
INCLUDE_PARMS := $(addprefix -I,$(INCLUDE_PATHS))
@@ -86,9 +86,9 @@ stage3b.elf: head.o $(ZIPL_OBJS)
@chmod a-x $@
install: stage3a.bin stage3b_reloc.bin
- $(INSTALL) -d -m 755 "$(PKGDATADIR)"
- $(INSTALL) -g $(GROUP) -o $(OWNER) -m 644 stage3a.bin "$(PKGDATADIR)"
- $(INSTALL) -g $(GROUP) -o $(OWNER) -m 644 stage3b_reloc.bin "$(PKGDATADIR)"
+ $(INSTALL) -d -m 755 "$(DESTDIR)$(PKGDATADIR)"
+ $(INSTALL) -g $(GROUP) -o $(OWNER) -m 644 stage3a.bin "$(DESTDIR)$(PKGDATADIR)"
+ $(INSTALL) -g $(GROUP) -o $(OWNER) -m 644 stage3b_reloc.bin "$(DESTDIR)$(PKGDATADIR)"
else
# Don't generate the dependency files (see `common.mak` for the
diff --git a/genprotimg/src/Makefile b/genprotimg/src/Makefile
index 08734bff..d447e6cf 100644
--- a/genprotimg/src/Makefile
+++ b/genprotimg/src/Makefile
@@ -3,7 +3,7 @@ include ../../common.mak
bin_PROGRAM = genprotimg
-PKGDATADIR ?= "$(DESTDIR)$(TOOLS_DATADIR)/genprotimg"
+PKGDATADIR ?= "$(TOOLS_DATADIR)/genprotimg"
SRC_DIR := $(dir $(realpath $(firstword $(MAKEFILE_LIST))))
TOP_SRCDIR := $(SRC_DIR)/../
ROOT_DIR = $(TOP_SRC_DIR)/../../

10
s390-tools-sles15sp6-kdump-initrd-59-zfcp-compat-rules.patch
View File

@ -12,12 +12,8 @@ and the symlink not created in the kdump environment.
Fix this by including 59-zfcp-compat.rules in the kdump initrd.
---
zdev/dracut/95zdev-kdump/module-setup.sh | 1 +
1 file changed, 1 insertion(+)
--- a/zdev/dracut/95zdev-kdump/module-setup.sh
+++ b/zdev/dracut/95zdev-kdump/module-setup.sh
--- a/zdev/dracut/95zdev-kdump/module-setup.sh 2024-02-21 15:57:33.027658387 +0100
+++ b/zdev/dracut/95zdev-kdump/module-setup.sh 2024-02-21 15:57:38.215675799 +0100
@@ -78,6 +78,7 @@
inst_multiple /lib/s390-tools/zdev-from-dasd_mod.dasd
@ -25,4 +21,4 @@ Fix this by including 59-zfcp-compat.rules in the kdump initrd.
+ inst_rules "59-zfcp-compat.rules"
# Obtain kdump target device configuration

81
s390-tools.changes
View File

@ -1,84 +1,3 @@
-------------------------------------------------------------------
Tue Nov 5 15:26:42 UTC 2024 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
- Amended the *_configure scripts to update again the SUSE's specific file
'/boot/zipl/active_devices.txt' (bsc#1232474, bsc#1216257)
* ctc_configure
* dasd_configure
* qeth_configure
* zfcp_host_configure
-------------------------------------------------------------------
Tue Nov 5 13:04:20 UTC 2024 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
* Upgrade s390-tools to version 2.35 (jsc#PED-9591, jsc#PED-10303)
* Changes of existing tools:
- cpacfstats: Add support for FULL XTS (MSA 10) and HMAC (MSA 11) PAI counter
- cpuplugd: Make cpuplugd compatible with hiperdispatch
- dbginfo.sh: Add network sockstat info
- pvapconfig: s390x exclusive build
- zdev: Add option to select IPL device
- zdump/dfo_s390: Support s390 DFO for vr-kernel dumps
- zipl: Add support of mirror devices
* Bug Fixes:
- (genprotimg|zipl)/boot: discard .note.package ELF section to save memory
- netboot/mk-s390image: Fix size when argument is a symlink
- ziorep_config: Fix warning message when multipath device is not there.
- zipl: Fix problems when target parameters are specified by user
- zipl: Fix segfault when creating device-based dumps with '--dry-run'
*** v2.34.0
* Changes of existing tools:
- ap_tools/ap-check: Add support for vfio-ap dynamic configuration
- dbginfo.sh: Update/Add additional DASD data collection
- dumpconf: Add new parameter 'SCP_DATA' for SCSI/NVMe/ECKD dump devices
- libutil: Make formatted meta-data configurable
- s390-tools: Replace 'which' with built-in 'command -v'
- zdump/dfi_elf: Support core dumps of vr-kernels
* Bug Fixes:
- chzdev: Fix warning about failed ATTR writes by udev
- rust/pv: Try again if first CRL-URI is invalid
- rust/pvattest: Add short option for --arpk
- zdump: Fix 'zgetdump -i' ioctl error on s390 formatted dump file
*** v2.33.1
* Bug Fixes:
- s390-tools: Fix formatting and typos in README.md
- s390-tools: Fix release string
*** v2.33.0
* Add new tools / libraries:
- chpstat: New tool for displaying channel path statistics
- libutil: Add output format helpers(util_fmt: JSON, JSON-SEQ, CSV, text pairs)
* Changes of existing tools / libraries:
- chzdev: Add --is-owner to identify files created by zdev
- dasdfmt: Change default mode to always use full-format (Note: affects ESE DASD)
- libap: Significantly reduce delay time between file lock retries
- pvattest: Rewrite from C to Rust
- pvattest: Support additional data & user-data
- rust/pv: Support for Attestation
* Bug Fixes:
- chreipl: Improve disk type detection when running under QEMU
- dbginfo.sh: Use POSIX option with uname
- s390-tools: Fix missing hyphen escapes in the man page for many tools
- zipl/src: Fix bugs in disk_get_info() reproducible in corner cases
*** v2.32.0
* Changes of existing tools:
- cpumf/lscpumf: add support for machine type 3932
- genprotimg, pvattest, and pvsecret accept IBM signing key with Armonk as
subject locality
- zdump/zipl: Support for List-Directed dump from ECKD DASD
- zkey: Detect FIPS mode and generate PBKDF for luksFormat according to it
* Bug Fixes:
- dbginfo.sh: dash compatible copy sequence
- rust/pv_core: Fix UvDeviceInfo::get() method
- zipl/src: Fix leak of files if run with a broken configuration
- zkey: Fix convert command to accept only keys of type CCA-AESDATA
* Revendored vendor.tar.gz
* Removed obsolete patches
- s390-tools-sles15sp6-genprotimg-makefile.patch
- s390-tools-sles15sp5-01-rust-pv-support-Armonk-in-IBM-signing-key-subject.patch
- s390-tools-sles15sp6-02-genprotimg-support-Armonk-in-IBM-signing-key-subject.patch
- s390-tools-sles15sp6-03-libpv-support-Armonk-in-IBM-signing-key-subject.patch
- s390-tools-sles15sp6-04-pvattest-Fix-root-ca-parsing.patch
-------------------------------------------------------------------
Thu Jul 11 14:56:34 UTC 2024 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>

18
s390-tools.spec
View File

@ -33,7 +33,7 @@
%endif
Name: s390-tools
Version: 2.35.0
Version: 2.31.0
Release: 0
Summary: S/390 tools like zipl and dasdfmt for s390x (plus selected tools for x86_64)
License: MIT
@ -153,8 +153,13 @@ Patch910: s390-tools-sles15sp1-11-zdev-Do-not-call-zipl-on-initrd-update.p
Patch911: s390-tools-sles15sp5-remove-no-pie-link-arguments.patch
Patch912: s390-tools-ALP-zdev-live.patch
Patch913: s390-tools-sles15sp6-kdump-initrd-59-zfcp-compat-rules.patch
### Patch only for SLFO
Patch914: s390-tools-slfo-01-parse-ipl-device-for-activation.patch
Patch914: s390-tools-sles15sp6-genprotimg-makefile.patch
Patch915: s390-tools-slfo-01-parse-ipl-device-for-activation.patch
### SE-tooling: New IBM host-key subject locality (s390-tools)
Patch916: s390-tools-sles15sp5-01-rust-pv-support-Armonk-in-IBM-signing-key-subject.patch
Patch917: s390-tools-sles15sp6-02-genprotimg-support-Armonk-in-IBM-signing-key-subject.patch
Patch918: s390-tools-sles15sp6-03-libpv-support-Armonk-in-IBM-signing-key-subject.patch
Patch919: s390-tools-sles15sp6-04-pvattest-Fix-root-ca-parsing.patch
###
BuildRequires: curl-devel
@ -179,7 +184,6 @@ BuildRequires: zlib-devel-static
### s390x
%ifarch s390x
BuildRequires: kernel-zfcpdump
BuildRequires: perl-Bootloader >= 0.4.15
BuildRequires: qclib-devel-static
%endif
### Cargo
@ -228,11 +232,9 @@ zgetdump - tool to get linux system dumps from DASD
genprotimg - create a protected virtualization image
pvattest - create, perform, and verify protected virtualization attestation measurements
pvsecret - manage secrets for IBM Secure Execution guests.
pvapconfig - used to automatically set up the AP configuration within an IBM Secure Execution guest.
Warning: There is an auxiliary data package - s390-tools-genprotimg-data.
To install s390-tools properly, please use:
'sudo zypper install s390-tools s390-tools-genprotimg-data'
Note: Auxiliary data package - s390-tools-genprotimg-data
%package -n osasnmpd
Summary: OSA-Express SNMP subagent

BIN
vendor.tar.gz (Stored with Git LFS)
View File

Binary file not shown.

13
zfcp_host_configure
View File

@ -38,14 +38,6 @@ debug_mesg () {
esac
}
add_cio_channel() {
echo "$* # ${DATE}" >> /boot/zipl/active_devices.txt
}
remove_cio_channel() {
[ -w /boot/zipl/active_devices.txt ] && sed -i -e "/^${1}/d" /boot/zipl/active_devices.txt
}
usage(){
echo "Usage: ${0} <ccwid> <online>"
echo " ccwid = x.y.ssss where"
@ -88,8 +80,3 @@ RC=${?}
if [ ${RC} -ne 0 ]; then
exit ${RC}
fi
if [ ${ON_OFF} == 1 ]; then
add_cio_channel "${CCW_CHAN_ID}"
else remove_cio_channel "${CCW_CHAN_ID}"
fi