From 5b6d7a467dc342c9c25a0af72b2d5546798cdc94 Mon Sep 17 00:00:00 2001 From: Marc Hartmayer Date: Thu, 12 Dec 2024 20:19:56 +0100 Subject: [PATCH] rust/pvimg: Add '--cck ' command line option and make '--comm-key' an alias MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Add '--cck ' as an command line option and make '--comm-key' an alias of it. This makes the command line more similar to the other Secure Execution related PV-tools (e.g. pvattest and pvsecret). Suggested-by: Reinhard Bündgen Reviewed-by: Steffen Eiden Signed-off-by: Marc Hartmayer Signed-off-by: Jan Höppner --- rust/pvimg/man/genprotimg.1 | 11 +++++------ rust/pvimg/man/pvimg-create.1 | 11 +++++------ rust/pvimg/src/cli.rs | 14 ++++++++------ rust/pvimg/src/cmd/create.rs | 3 +-- 4 files changed, 19 insertions(+), 20 deletions(-) Index: s390-tools-2.36.0/rust/pvimg/man/genprotimg.1 =================================================================== --- s390-tools-2.36.0.orig/rust/pvimg/man/genprotimg.1 +++ s390-tools-2.36.0/rust/pvimg/man/genprotimg.1 @@ -123,7 +123,7 @@ Overwrite an existing Secure Execution b .RE .RE .PP -\-\-comm\-key +\-\-cck, \-\-comm\-key .RS 4 Use the content of FILE as the customer\-communication key (CCK). The file must contain exactly 32 bytes of data. @@ -133,7 +133,7 @@ contain exactly 32 bytes of data. \-\-enable\-dump .RS 4 Enable Secure Execution guest dump support. This option requires the -\fB\-\-comm\-key\fR option. +\fB\-\-cck\fR option. .RE .RE .PP @@ -146,8 +146,7 @@ Disable Secure Execution guest dump supp \-\-enable\-cck\-extension\-secret .RS 4 Add\-secret requests must provide an extension secret that matches the -CCK\-derived extension secret. This option requires the \fB\-\-comm\-key\fR -option. +CCK\-derived extension secret. This option requires the \fB\-\-cck\fR option. .RE .RE .PP 
@@ -268,7 +267,7 @@ Generate an IBM Secure Execution image: Generate an IBM Secure Execution image with Secure Execution guest dump support: .PP -.B genprotimg \-i \fI\,/boot/vmlinuz\/\fR \-r \fI\,/boot/initrd.img\/\fR \-p \fI\,parmfile\/\fR \-k \fI\,host_key.crt\/\fR \-C \fI\,ibm-z-host-key-signing.crt\/\fR \-C \fI\,DigiCertCA.crt\fR \-o \fI\,/boot/secure-linux\/\fR \-\-enable\-dump \-\-comm\-key \fI\,comm-key\fR +.B genprotimg \-i \fI\,/boot/vmlinuz\/\fR \-r \fI\,/boot/initrd.img\/\fR \-p \fI\,parmfile\/\fR \-k \fI\,host_key.crt\/\fR \-C \fI\,ibm-z-host-key-signing.crt\/\fR \-C \fI\,DigiCertCA.crt\fR \-o \fI\,/boot/secure-linux\/\fR \-\-enable\-dump \-\-cck \fI\,comm-key\fR .SH NOTES .IP "1." 4 The \fBgenprotimg\fR(1) command is a symbolic link to the \fBpvimg-create\fR(1) command. Index: s390-tools-2.36.0/rust/pvimg/man/pvimg-create.1 =================================================================== --- s390-tools-2.36.0.orig/rust/pvimg/man/pvimg-create.1 +++ s390-tools-2.36.0/rust/pvimg/man/pvimg-create.1 @@ -122,7 +122,7 @@ Overwrite an existing Secure Execution b .RE .RE .PP -\-\-comm\-key +\-\-cck, \-\-comm\-key .RS 4 Use the content of FILE as the customer\-communication key (CCK). The file must contain exactly 32 bytes of data. @@ -132,7 +132,7 @@ contain exactly 32 bytes of data. \-\-enable\-dump .RS 4 Enable Secure Execution guest dump support. This option requires the -\fB\-\-comm\-key\fR option. +\fB\-\-cck\fR option. .RE .RE .PP @@ -145,8 +145,7 @@ Disable Secure Execution guest dump supp \-\-enable\-cck\-extension\-secret .RS 4 Add\-secret requests must provide an extension secret that matches the -CCK\-derived extension secret. This option requires the \fB\-\-comm\-key\fR -option. +CCK\-derived extension secret. This option requires the \fB\-\-cck\fR option. .RE .RE .PP 
@@ -249,7 +248,7 @@ Generate an IBM Secure Execution image: Generate an IBM Secure Execution image with Secure Execution guest dump support: .PP -.B pvimg create \-i \fI\,/boot/vmlinuz\/\fR \-r \fI\,/boot/initrd.img\/\fR \-p \fI\,parmfile\/\fR \-k \fI\,host_key.crt\/\fR \-C \fI\,ibm-z-host-key-signing.crt\/\fR \-C \fI\,DigiCertCA.crt\fR \-o \fI\,/boot/secure-linux\/\fR \-\-enable\-dump \-\-comm\-key \fI\,comm-key\fR +.B pvimg create \-i \fI\,/boot/vmlinuz\/\fR \-r \fI\,/boot/initrd.img\/\fR \-p \fI\,parmfile\/\fR \-k \fI\,host_key.crt\/\fR \-C \fI\,ibm-z-host-key-signing.crt\/\fR \-C \fI\,DigiCertCA.crt\fR \-o \fI\,/boot/secure-linux\/\fR \-\-enable\-dump \-\-cck \fI\,comm-key\fR .SH NOTES .IP "1." 4 The \fBgenprotimg\fR(1) command is a symbolic link to the \fBpvimg-create\fR(1) command. Index: s390-tools-2.36.0/rust/pvimg/src/cli.rs =================================================================== --- s390-tools-2.36.0.orig/rust/pvimg/src/cli.rs +++ s390-tools-2.36.0/rust/pvimg/src/cli.rs @@ -96,8 +96,8 @@ pub struct ComponentPaths { #[command(group(ArgGroup::new("header-flags").multiple(true).conflicts_with_all(["x_pcf", "x_scf"])))] pub struct CreateBootImageLegacyFlags { /// Enable Secure Execution guest dump support. This option requires the - /// '--comm-key' option. - #[arg(long, action = clap::ArgAction::SetTrue, requires="comm_key", group="header-flags")] + /// '--cck' option. + #[arg(long, action = clap::ArgAction::SetTrue, requires="cck", group="header-flags")] pub enable_dump: Option, /// Disable Secure Execution guest dump support (default). 
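Review bot: In the @@ -96 hunk of cli.rs, `requires="cck"` on `enable_dump` names its target by a string id that clap derives from the field name, so the requirement only holds while that string matches the renamed `cck` field. The same applies to `enable_cck_extension_secret` in the @@ -105 hunk. To my knowledge clap validates these ids only through debug assertions, so a leftover `comm_key` reference elsewhere in the file (not visible in this patch) could go unnoticed in a release build and let the flag through without a CCK. If the test module does not already have one, a test that runs clap's `Command::debug_assert()` on the parser would catch that. The body of `CreateBootImageLegacyFlags` continues outside the hunk.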
@@ -105,9 +105,9 @@ pub struct CreateBootImageLegacyFlags { pub disable_dump: Option, /// Add-secret requests must provide an extension secret that matches the - /// CCK-derived extension secret. This option requires the '--comm-key' + /// CCK-derived extension secret. This option requires the '--cck' /// option. - #[arg(long, action = clap::ArgAction::SetTrue, requires="comm_key", group="header-flags")] + #[arg(long, action = clap::ArgAction::SetTrue, requires="cck", group="header-flags")] pub enable_cck_extension_secret: Option, /// Add-secret requests don't have to provide the CCK-derived extension @@ -328,8 +328,8 @@ pub struct CreateBootImageArgs { /// Use the content of FILE as the customer-communication key (CCK). /// /// The file must contain exactly 32 bytes of data. - #[arg(long, value_name = "FILE")] - pub comm_key: Option, + #[arg(long, value_name = "FILE", visible_alias = "comm-key")] + pub cck: Option, #[clap(flatten)] pub legacy_flags: CreateBootImageLegacyFlags, @@ -482,6 +482,8 @@ mod test { flat_map_collect(insert(mvca.clone(), vec![CliOption::new("enable-dump", ["--enable-dump"]), CliOption::new("comm-key", ["--comm-key", "/dev/null"])])), flat_map_collect(insert(mvca.clone(), vec![CliOption::new("enable-dump", ["--enable-dump"]), + CliOption::new("comm-key", ["--cck", "/dev/null"])])), + flat_map_collect(insert(mvca.clone(), vec![CliOption::new("enable-dump", ["--enable-dump"]), CliOption::new("comm-key", ["--comm-key", "/dev/null"])])), flat_map_collect(insert(mvca.clone(), vec![CliOption::new("x-pcf", ["--x-pcf", "0x0"]), CliOption::new("x-scf", ["--x-scf", "0x0"])])), Index: s390-tools-2.36.0/rust/pvimg/src/cmd/create.rs =================================================================== --- s390-tools-2.36.0.orig/rust/pvimg/src/cmd/create.rs +++ s390-tools-2.36.0/rust/pvimg/src/cmd/create.rs 
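Review bot: In the @@ -328 hunk of cli.rs, the doc comment on `cck` doubles as the `--help` text but says nothing about how FILE should be handled, even though the dump and extension-secret options both depend on this key. I would add a line such as `/// FILE holds secret key material and should be readable only by its owner.` after the 32-byte sentence. `CreateBootImageArgs` starts and ends outside the hunk.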
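Review bot: In the @@ -482 hunk of cli.rs, the added case exercises `--cck` only together with `--enable-dump`, although this commit also switches `enable_cck_extension_secret` to `requires="cck"`. As far as the hunk shows, the first and last `--enable-dump` entries both pair it with `--comm-key` and look identical. One of them could instead cover the second flag, for example `CliOption::new("enable-cck-extension-secret", ["--enable-cck-extension-secret"]), CliOption::new("comm-key", ["--cck", "/dev/null"])`, assuming the first argument of `CliOption::new` is only a label. The list and the enclosing test function start and end outside the hunk, so I cannot tell whether a case rejecting `--enable-dump` without `--cck` already exists.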
@@ -137,8 +137,7 @@ pub fn create(opt: &CreateBootImageArgs) let verified_host_keys = opt .certificate_args .get_verified_hkds("Secure Execution image")?; - let user_provided_keys = - read_user_provided_keys(opt.comm_key.as_deref(), &opt.experimental_args)?; + let user_provided_keys = read_user_provided_keys(opt.cck.as_deref(), &opt.experimental_args)?; let (plaintext_flags, secret_flags) = parse_flags(opt)?; if plaintext_flags.is_set(PcfV1::NoComponentEncryption) {