s390-tools/s390-tools-05-zkey-Reject-key-generation-and-APQN-association-for-PVSECRET-AES-keys.patch


- Upgrade s390-tools to 2.37 (jsc#PED-9591, jsc#PED-10303, jesc#PED-11870 (jsc#IBM-1062))
  * Changes of existing tools:
    - dbginfo.sh: Add details on CPU-measurement
    - dbginfo.sh: Add new crypto command
    - dbginfo.sh: Add overview commands and crypto update
    - dbginfo.sh: Adding kdump info
    - dbginfo.sh: Removing outdated email references
    - dbginfo.sh: Rework network section
    - dbginfo.sh: Update copyright 2nd year
    - pvimg: Add '--(enable|disable)-image-encryption' flags to 'pvimg create'
    - pvimg: Add '--cck ' command line option and make '--comm-key' an alias
    - pvimg: Add '--hdr-key' command line option to 'pvimg create'
    - pvimg: Rename '--key' into '--hdr-key' and use '--key' as an alias (for 'pvimg info')
    - pvsecret: Add support for retrievable secrets
    - ziorep_config: Add PCHID field to adapter report
    - ziorep_traffic: Add DEVBUSID column to traffic report
    - ziorep_utilization: Add --fcp-device parameter to print virtual adapter report
    - ziorep_utilization: Add PCHID column to physical adapter report
    - ziorep_utilization: Now prints only physical adapter report by default
    - ziorep_utilization: Swap Bus-ID and CHPID columns in virtual adapter report
    - zipl/boot: Increase section size for eckd_mv dumper
    - zkey: Add support for listing and importing protected virtualization secrets
  * Bug Fixes:
    - chpstat: Fix invalid utilization data on older kernels
    - opticsmon: Fix runaway loop in on_link_change()
    - zipl: Update inline assembly for GCC 15
    - zipl_helper.device-mapper: Add missed step in logical device resolution
- Revendored vendor.tar.gz
- Removed obsolete patches:
  * s390-tools-01-zipl_helper.device-mapper-add-missed-step-in-logical.patch
  * s390-tools-02-zipl-src-fix-imprecise-check-that-file-is-on-specifi.patch
  * s390-tools-General-update-01.patch
  * s390-tools-General-update-02.patch
  * s390-tools-General-update-03.patch
  * s390-tools-General-update-04.patch
  * s390-tools-General-update-05.patch
  * s390-tools-General-update-06.patch
  * s390-tools-General-update-07.patch
  * s390-tools-General-update-08.patch
  * s390-tools-General-update-09.patch
  * s390-tools-General-update-10.patch
  * s390-tools-General-update-11.patch
  * s390-tools-General-update-12.patch
  * s390-tools-Additional-update-01.patch
  * s390-tools-Additional-update-02.patch
  * s390-tools-pvimg-info-command-01.patch
  * s390-tools-pvimg-info-command-02.patch
  * s390-tools-pvimg-info-command-03.patch
  * s390-tools-Support-unencrypted-SE-images-01.patch
  * s390-tools-pvimg-info-command-04.patch
  * s390-tools-pvimg-additional-01.patch
  * s390-tools-01-zkey-Add-support-for-retrieving-a-list-of-ultravisor-secrets.patch
  * s390-tools-02-zkey-Add-the--pvsecrets-list-command.patch
  * s390-tools-03-zkey-Add-PVSECRETS-AES-key-type.patch
  * s390-tools-04-zkey-Add-the-pvsecrets-import-command.patch
  * s390-tools-05-zkey-Reject-key-generation-and-APQN-association-for-PVSECRET-AES-keys.patch
  * s390-tools-06-zkey-Reject-re-enciphering-of-PVSECRET-AES-keys.patch
  * s390-tools-07-zkey-Support-validation-of-key-of-type-PVSECRET-AES.patch
  * s390-tools-08-rust-pvimg-Fix-flag-parsing-for-allowing-dump.patch
  * s390-tools-09-rust-pvimg-Document-the-change-from--comm-key-to--cck.patch

OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=249
2025-02-10 08:51:00 +00:00
From 5276d408fd10669b3d8e623455778a675e8dc149 Mon Sep 17 00:00:00 2001
From: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Mon, 19 Feb 2024 10:21:06 +0100
Subject: [PATCH] zkey: Reject key generation and APQN association for
 PVSECRET-AES keys

Keys of type PVSECRET-AES can not be generated using 'zkey generate'.
Furthermore, APQNs can not be associated with keys of type PVSECRET-AES
via 'zkey change'. Reject that with a proper error message.

Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
Reviewed-by: Jorg Schmidbauer <jschmidb@de.ibm.com>
Signed-off-by: Steffen Eiden <seiden@linux.ibm.com>
---
zkey/keystore.c | 32 +++++++++++++++++++++++---------
zkey/zkey.1 | 7 +++++++
zkey/zkey.c | 5 +++++
3 files changed, 35 insertions(+), 9 deletions(-)
diff --git a/zkey/keystore.c b/zkey/keystore.c
index cde0caf5..db62e0a6 100644
--- a/zkey/keystore.c
+++ b/zkey/keystore.c
@@ -2009,6 +2009,12 @@ int keystore_generate_key(struct keystore *keystore, const char *name,
return -EINVAL;
}
+ if (!is_secure_key_type(key_type)) {
+ warnx("Keys of type %s can not be generated. Use 'zkey "
+ "pvsecret import' instead", key_type);
+ return -EINVAL;
+ }
+
rc = _keystore_get_key_filenames(keystore, name, &file_names);
if (rc != 0)
goto out_free_key_filenames;
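Review bot: the message added to keystore_generate_key() hard-codes the hint "Use 'zkey pvsecret import' instead" for every key type where is_secure_key_type() returns false, which is only right while PVSECRET-AES is the sole such type; either test for that type explicitly or add a comment stating the assumption. The type is also printed unquoted here (`type %s`) but quoted in the matching message in zkey/zkey.c (`type '%s'`), so the two code paths emit different text for the same error; use one form.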
@@ -2535,9 +2541,9 @@ int keystore_change_key(struct keystore *keystore, const char *name,
const char *null_ptr = NULL;
char *upd_volumes = NULL;
size_t secure_key_size;
+ u8 *secure_key = NULL;
u8 mkvp[MKVP_LENGTH];
char sect_size[30];
- u8 *secure_key;
bool kms_bound;
int rc;
@@ -2589,13 +2595,6 @@ int keystore_change_key(struct keystore *keystore, const char *name,
goto out;
}
- rc = _keystore_change_association(key_props, PROP_NAME_APQNS,
- apqns, "APQN",
- _keystore_apqn_check,
- &apqn_check);
- if (rc != 0)
- goto out;
-
secure_key = read_secure_key(file_names.skey_filename,
&secure_key_size,
keystore->verbose);
@@ -2604,11 +2603,24 @@ int keystore_change_key(struct keystore *keystore, const char *name,
goto out;
}
+ if (!is_secure_key(secure_key, secure_key_size)) {
+ warnx("No APQNs can be associated with keys of type %s",
+ get_key_type(secure_key, secure_key_size));
+ rc = -EINVAL;
+ goto out;
+ }
+
+ rc = _keystore_change_association(key_props, PROP_NAME_APQNS,
+ apqns, "APQN",
+ _keystore_apqn_check,
+ &apqn_check);
+ if (rc != 0)
+ goto out;
+
rc = get_master_key_verification_pattern(secure_key,
secure_key_size,
mkvp,
keystore->verbose);
- free(secure_key);
if (rc)
goto out;
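Review bot: in the new rejection branch of keystore_change_key(), the result of get_key_type(secure_key, secure_key_size) is passed straight to a `%s` conversion in warnx(); if that helper can return NULL for a key blob it does not recognise, this is undefined behaviour, so either confirm it always returns a string or substitute a fallback. Running the is_secure_key() test ahead of the relocated _keystore_change_association() call is the right order, since the association change is then never attempted for a key that is going to be rejected.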
@@ -2742,6 +2754,8 @@ int keystore_change_key(struct keystore *keystore, const char *name,
free(upd_volumes);
if (upd_volume_type != NULL)
free(upd_volume_type);
+ if (secure_key != NULL)
+ free(secure_key);
if (rc != 0)
pr_verbose(keystore, "Failed to change key '%s': %s",
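Review bot: the free() moved to the `out` path depends on the `u8 *secure_key = NULL;` initializer from the declaration hunk, because `goto out` is taken before read_secure_key() runs; the two changes must stay together if this patch is ever split or backported. The `secure_key != NULL` guard is redundant, as free(NULL) is a no-op, though it matches the neighbouring upd_volume_type cleanup, so keeping it for consistency is fine.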
diff --git a/zkey/zkey.1 b/zkey/zkey.1
index ba71a839..baaf8478 100644
--- a/zkey/zkey.1
+++ b/zkey/zkey.1
@@ -402,6 +402,9 @@ additional information can be associated with a secure key using the
.B \-\-sector\-size
options.
.PP
+Keys of type \fBPVSECRET\-AES\fP do not use a cryptographic adapter, thus APQNs
+can not be associated with them.
+.PP
.B Note:
The \fBimport\fP command requires the CCA host library (libcsulcca.so)
to be installed when secure keys of type \fBCCA\-AESCIPHER\fP are imported.
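Review bot: both zkey.1 hunks in this patch document only the APQN restriction; the other half of the change, that PVSECRET-AES keys are rejected by 'zkey generate' and have to be brought in with 'zkey pvsecret import', is not described in either one. Unless the generate section of the man page already says so, add a sentence there so the documented behaviour matches the new error message.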
@@ -564,6 +567,10 @@ APQNs that are associated with the key management system plugin.
Other associated information is also changed in the key management system when
changed using the change command.
.PP
+For keys of type \fBPVSECRET\-AES\fP you can not change or set the APQN
+association. These keys do not use a cryptographic adapter, thus APQNs can not
+be associated with them.
+.PP
.B Note:
The secure key itself cannot be changed, only information about the secure
key is changed. To rename a secure key, use the \fBrename\fP command.
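Review bot: the added paragraph spells "can not" twice while the unchanged Note directly below it uses "cannot" ("The secure key itself cannot be changed"); use one spelling within the page. Its second sentence also repeats the paragraph added in the earlier zkey.1 hunk almost word for word, so consider keeping the explanation in one place and only stating the restriction here.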
diff --git a/zkey/zkey.c b/zkey/zkey.c
index 6e9b32af..36bdbcc0 100644
--- a/zkey/zkey.c
+++ b/zkey/zkey.c
@@ -2001,6 +2001,11 @@ static int command_generate(void)
return command_generate_repository();
if (g.key_type == NULL)
g.key_type = KEY_TYPE_CCA_AESDATA;
+ if (!is_secure_key_type(g.key_type)) {
+ warnx("Keys of type '%s' can not be generated. Use 'zkey "
+ "pvsecret import' instead", g.key_type);
+ return -EXIT_FAILURE;
+ }
if (g.pos_arg != NULL) {
if (g.volumes != NULL) {
warnx("Option '--volumes|-l' is not valid for "
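Review bot: the new branch in command_generate() returns `-EXIT_FAILURE`, a negated exit-status macro, where the keystore.c checks in this patch return -EINVAL; if this value ends up as the process exit status it will not be EXIT_FAILURE, so return EXIT_FAILURE or an errno value in line with the function's other return paths. The check also sits after the early `return command_generate_repository();`, so the repository path is covered only by the check in keystore_generate_key(); a short comment noting that would explain why the test exists in two places.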