pool/s390-tools
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 1133714 from home:ngueorguiev:branches:Base:System

Browse Source 
- Updated the .spec file to use gcc13 (bsc#1217838) 
- Amended read_values for '-S' option (bsc#1217923)
- Upgrade s390-tools to version 2.30
    (jsc#PED-5783, jsc#PED-6785, jsc#PED-7136, jsc#PED-6539, jsc#PED-4604, 
     jsc#PED-6649, jsc#PED-7138 )
- Amended the SUSE patches for version 2.30
- Revendored vendor.tar.gz
- Provide s390-tools on x86_64 to enable Secure Execution in the Cloud
    (jsc#PED-578, jsc#PED-7136, and jsc#PED-7138)
  * Selected tools from the s390-tools package need to be made available on x86_64.

OBS-URL: https://build.opensuse.org/request/show/1133714
OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=185
This commit is contained in:
Nikolay Gueorguiev 2023-12-17 06:32:28 +00:00 committed by Git OBS Bridge
parent 37aa81f763
commit 8d7553371c
21 changed files with 269 additions and 850 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
_service
View File

@ -2,10 +2,6 @@
<service name="cargo_vendor" mode="manual">
<param name="srctar">s390-tools-2.29.0.tar.gz</param>
<param name="compression">zst</param>
<param name="cargotoml">s390-tools/rust/pv/Cargo.toml</param>
<param name="cargotoml">s390-tools/rust/pv/openssl_extentions/Cargo.toml</param>
<param name="cargotoml">s390-tools/rust/utils/Cargo.toml</param>
<param name="cargotoml">s390-tools/rust/pvsecret/Cargo.toml</param>
<param name="update">true</param>
</service>
<service name="cargo_audit" mode="manual" />

155
read_values.c
View File

@ -1,7 +1,7 @@
/********************************************************************************/
/* */
/* Copyright (C) 2014-2015, 2019-2023 SUSE LLC */
/* */
/* */
/* Copyright (C) 2014-2015, 2019-2023 SUSE LLC */
/* */
/* All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
@ -37,9 +37,9 @@ enum datatypes {
#define WITHOUT_KEY 0
#define WITH_KEY 1
static char *versionstring = "Version 1.0.3 2023-02-16 17:00";
static char *versionstring = "Version 1.0.4 2023-12-17 06:58";
static char *version = "1.0.3";
static char *version = "1.0.4";
void *configuration_handle = NULL;
int layers = -1;
@ -85,18 +85,18 @@ struct machinetype {
int debug = 0;
/******************************************************************************/
/* */
/* Print the program version */
/* */
/* */
/* Print the program version */
/* */
/******************************************************************************/
void print_version()
{
printf("Version: %s\n", version);
}
/******************************************************************************/
/* */
/* Look for one attribute and print it */
/* */
/* */
/* Look for one attribute and print it */
/* */
/******************************************************************************/
void print_attribute(char *user_string, int level, enum qc_attr_id attribute, enum datatypes type, int print_key)
{
@ -121,7 +121,7 @@ float result_float = 0.0;
}
if (erg == 1) {
if (print_key == WITH_KEY) {
printf("%s: ",(user_string == NULL? "NULL": user_string));
printf("%s : ",(user_string == NULL? "NULL": user_string));
} /* endif */
switch (type)
{
@ -139,15 +139,22 @@ float result_float = 0.0;
}
} /* endif */
else {
printf("Error: erg = %d, result_string = %s \n", erg, (result_string == NULL? "NULL": result_string));
if ( erg == 0 ) {
/* printf("%s : Attribute exists, but is not set. \n", (user_string == NULL? "NULL": user_string)); */
} /* endif */
else if ( erg < 0) {
printf("%s: An error occurred retrieving the attribute. Error: erg = %d, result_string = %s \n", user_string, erg, (result_string == NULL? "NULL": result_string));
} /* end else if */
/* */
/* TODO qc_get_attribute_string returned error */
/* */
}
} /* print_attribute */
/********************************************************************************/
/* */
/* Open the lib and get the handle */
/* */
/* */
/* Open the lib and get the handle */
/* */
/********************************************************************************/
int read_sysinfo()
{
@ -175,10 +182,10 @@ int return_code;
} /* read_sysinfo */
/********************************************************************************/
/* */
/* Look at the type of machine we're running on and print out a user */
/* friendly string */
/* */
/* */
/* Look at the type of machine we're running on and print out a user */
/* friendly string */
/* */
/********************************************************************************/
void print_cputype()
{
@ -217,26 +224,26 @@ Please file a bug report with this output:\n" , cpu_type);
} /* print_cputype */
/********************************************************************************/
/* */
/* Print out the values for SCC */
/* */
/* To uniquely identify a machine the following information is used: */
/* */
/* Type */
/* Sequence code */
/* CPUs total */
/* CPUs IFL */
/* LPAR Number */
/* LPAR Characteristics: */
/* LPAR CPUs */
/* LPAR IFLs */
/* */
/* Optional: */
/* */
/* VM00 Name */
/* VM00 Control Programm */
/* VM00 CPUs */
/* */
/* */
/* Print out the values for SCC */
/* */
/* To uniquely identify a machine the following information is used: */
/* */
/* Type */
/* Sequence code */
/* CPUs total */
/* CPUs IFL */
/* LPAR Number */
/* LPAR Characteristics: */
/* LPAR CPUs */
/* LPAR IFLs */
/* */
/* Optional: */
/* */
/* VM00 Name */
/* VM00 Control Programm */
/* VM00 CPUs */
/* */
/********************************************************************************/
void print_scc()
{
@ -288,18 +295,18 @@ int check_model (const char *cpu) {
for ( i = 0; i < models; i++) {
if ( !strcmp(cpu,types[i]) ) {
return 1;
};
if ( !strcmp(cpu,types[i]) ) {
return 1;
};
}
return 0;
} /* check_model */
/******************************************************************************/
/* */
/* print out whether secure boot is enabled */
/* */
/* */
/* print out whether secure boot is enabled */
/* */
/******************************************************************************/
void print_secure_mode()
{
@ -308,6 +315,9 @@ int release_major;
int release_sub;
int release_minor;
const char *cpu_type = NULL;
int cpu_okay = 0;
int Layer = 0;
int i = 0;
/*
* First we have to check whether we have the appropriate kernel Level (>= 5.3)
*/
@ -346,35 +356,40 @@ struct utsname uts;
printf("Print_secure called\n");
#endif
/*
* Only the following machines support secure boot: z14, z14 ZR1, z15, z16
* Only the following machines support secure boot:
* z14, z15, z16
* 3906, 3907, 8561, 8562, 3931, 3932
*/
erg = qc_get_attribute_string(configuration_handle, qc_type, 0, &cpu_type);
if (erg == 1 && cpu_type != NULL) {
if ( !check_model(cpu_type) ) {
cpu_okay = check_model(cpu_type);
if ( cpu_okay == 0 ) {
goto return_does_not_exist;
} /* endif */
} /* endif */
print_attribute("Secure mode on", 1, qc_has_secure, integer, WITH_KEY);
print_attribute("Secure mode used", 1, qc_secure, integer, WITH_KEY);
for ( i = 0; i < 8; i++) {
erg = qc_get_attribute_int(configuration_handle, qc_layer_type_num, i, &Layer);
if (erg == 1) {
print_attribute("Secure mode on ", i, qc_has_secure, integer, WITH_KEY);
print_attribute("Secure mode used", i, qc_secure, integer, WITH_KEY);
} /* endif */
} /* endfor */
return;
return_does_not_exist:
/*
* Software or hardware does not support secure boot.
*/
puts("Secure mode on: 0\nSecure mode used: 0");
puts("Secure mode on : 0\nSecure mode used : 0");
return;
} /* print_secure_mode */
/******************************************************************************/
/* */
/* print out the uuid for this machine */
/* */
/* */
/* */
/* */
/* print out the uuid for this machine */
/* */
/******************************************************************************/
int print_uuid()
{
@ -417,9 +432,9 @@ int print_uuid()
} /* print_uuid */
/******************************************************************************/
/* */
/* print out the list of valid / found symbols */
/* */
/* */
/* print out the list of valid / found symbols */
/* */
/******************************************************************************/
void list(char * list_attribute_param)
{
@ -427,9 +442,9 @@ return;
} /* list */
/******************************************************************************/
/* */
/* print out the requested attribute */
/* */
/* */
/* print out the requested attribute */
/* */
/******************************************************************************/
void print_user_attribute(char *key, char *attribute_param, int layer)
{
@ -438,9 +453,9 @@ return;
/******************************************************************************/
/* */
/* Help Function */
/* */
/* */
/* Help Function */
/* */
/******************************************************************************/
void help()
{
@ -470,9 +485,9 @@ Valid values for debug:\n\
} /* help */
/******************************************************************************/
/* */
/* Main */
/* */
/* */
/* Main */
/* */
/******************************************************************************/
int main(int argc, char **argv, char **envp)
{
@ -569,7 +584,7 @@ void *configuration_handle_tmp = NULL;
fputs("Only one of the options a, c, L, s, S or u can be specified.\n",stderr);
return 1;
} /* endif */
/* still not im[plemented thatfore set to zero */
/* still not implemented thatfore set to zero */
list_attr = print_attr = 0;
if (print_attr != 0) {
print_user_attribute(NULL, print_attribute_param, layers);

3
s390-tools-2.29.0.tar.gz
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:849ff400dc6c1eb7eebe4aa3e7a4871721c25bcee6cfdd0535a056a038fd3ab0
size 1950182

BIN
s390-tools-2.30.0.tar.gz (Stored with Git LFS) Normal file
View File

Binary file not shown.

20
s390-tools-ALP-zdev-live.patch
View File

@ -5,10 +5,10 @@
zdev/dracut/Makefile | 15 ++++++++++--
4 files changed, 92 insertions(+), 2 deletions(-)
Index: s390-tools-2.29.0/zdev/dracut/96zdev-live/module-setup.sh
Index: s390-tools-2.30.0/zdev/dracut/96zdev-live/module-setup.sh
===================================================================
--- /dev/null
+++ s390-tools-2.29.0/zdev/dracut/96zdev-live/module-setup.sh
+++ s390-tools-2.30.0/zdev/dracut/96zdev-live/module-setup.sh
@@ -0,0 +1,32 @@
+#!/bin/bash
+
@ -42,10 +42,10 @@ Index: s390-tools-2.29.0/zdev/dracut/96zdev-live/module-setup.sh
+ inst_hook cleanup 41 "$moddir/write-udev-live.sh"
+ inst_multiple chzdev
+}
Index: s390-tools-2.29.0/zdev/dracut/96zdev-live/parse-zdev-live.sh
Index: s390-tools-2.30.0/zdev/dracut/96zdev-live/parse-zdev-live.sh
===================================================================
--- /dev/null
+++ s390-tools-2.29.0/zdev/dracut/96zdev-live/parse-zdev-live.sh
+++ s390-tools-2.30.0/zdev/dracut/96zdev-live/parse-zdev-live.sh
@@ -0,0 +1,36 @@
+#!/bin/bash
+#
@ -83,10 +83,10 @@ Index: s390-tools-2.29.0/zdev/dracut/96zdev-live/parse-zdev-live.sh
+ fi
+done
+
Index: s390-tools-2.29.0/zdev/dracut/96zdev-live/write-udev-live.sh
Index: s390-tools-2.30.0/zdev/dracut/96zdev-live/write-udev-live.sh
===================================================================
--- /dev/null
+++ s390-tools-2.29.0/zdev/dracut/96zdev-live/write-udev-live.sh
+++ s390-tools-2.30.0/zdev/dracut/96zdev-live/write-udev-live.sh
@@ -0,0 +1,11 @@
+#!/bin/sh
+#
@ -99,10 +99,10 @@ Index: s390-tools-2.29.0/zdev/dracut/96zdev-live/write-udev-live.sh
+if [ -w /sysroot/etc/udev/rules.d ]; then
+ cp -p /etc/udev/rules.d/41-* /sysroot/etc/udev/rules.d
+fi
Index: s390-tools-2.29.0/zdev/dracut/Makefile
Index: s390-tools-2.30.0/zdev/dracut/Makefile
===================================================================
--- s390-tools-2.29.0.orig/zdev/dracut/Makefile
+++ s390-tools-2.29.0/zdev/dracut/Makefile
--- s390-tools-2.30.0.orig/zdev/dracut/Makefile
+++ s390-tools-2.30.0/zdev/dracut/Makefile
@@ -3,17 +3,23 @@ include ../../common.mak
ZDEVDIR := 95zdev
@ -137,5 +137,5 @@ Index: s390-tools-2.29.0/zdev/dracut/Makefile
+ $(INSTALL) -m 755 $(ZDEVLIVEDIR)/module-setup.sh \
+ $(ZDEVLIVEDIR)/parse-zdev-live.sh \
+ $(ZDEVLIVEDIR)/write-udev-live.sh \
+ $(DESTDIR)$(DRACUTMODDIR)/$(ZDEVLIVEDIR)/
+ $(DESTDIR)$(DRACUTMODDIR)/$(ZDEVLIVEDIR)/
endif

6
s390-tools-sles12-create-filesystem-links.patch
View File

@ -1,7 +1,7 @@
Index: s390-tools-2.29.0/etc/udev/rules.d/59-dasd.rules
Index: s390-tools-2.30.0/etc/udev/rules.d/59-dasd.rules
===================================================================
--- s390-tools-2.29.0.orig/etc/udev/rules.d/59-dasd.rules
+++ s390-tools-2.29.0/etc/udev/rules.d/59-dasd.rules
--- s390-tools-2.30.0.orig/etc/udev/rules.d/59-dasd.rules
+++ s390-tools-2.30.0/etc/udev/rules.d/59-dasd.rules
@@ -15,7 +15,7 @@ KERNEL=="dasd*[!0-9]", ENV{ID_XUID}=="?*
LABEL="dasd_block_end"

6
s390-tools-sles12-fdasd-skip-partition-check-and-BLKRRPART-ioctl.patch
View File

@ -15,10 +15,10 @@ Signed-off-by: Hannes Reinecke <hare@suse.de>
fdasd/fdasd.c | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)
Index: s390-tools-2.29.0/fdasd/fdasd.c
Index: s390-tools-2.30.0/fdasd/fdasd.c
===================================================================
--- s390-tools-2.29.0.orig/fdasd/fdasd.c
+++ s390-tools-2.29.0/fdasd/fdasd.c
--- s390-tools-2.30.0.orig/fdasd/fdasd.c
+++ s390-tools-2.30.0/fdasd/fdasd.c
@@ -1231,10 +1231,12 @@ static int fdasd_get_volser(fdasd_anchor
*/
static void fdasd_reread_partition_table(fdasd_anchor_t *anc)

6
s390-tools-sles12-update-by_id-links-on-change-and-add-action.patch.suse
View File

@ -13,10 +13,10 @@ Signed-off-by: Robert Milasan <rmilasan@suse.de>
etc/udev/rules.d/59-dasd.rules | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
Index: s390-tools-2.29.0/etc/udev/rules.d/59-dasd.rules
Index: s390-tools-2.30.0/etc/udev/rules.d/59-dasd.rules
===================================================================
--- s390-tools-2.29.0.orig/etc/udev/rules.d/59-dasd.rules
+++ s390-tools-2.29.0/etc/udev/rules.d/59-dasd.rules
--- s390-tools-2.30.0.orig/etc/udev/rules.d/59-dasd.rules
+++ s390-tools-2.30.0/etc/udev/rules.d/59-dasd.rules
@@ -6,7 +6,7 @@
SUBSYSTEM!="block", GOTO="dasd_symlinks_end"
KERNEL!="dasd*", GOTO="dasd_symlinks_end"

6
s390-tools-sles12-zipl_boot_msg.patch
View File

@ -1,7 +1,7 @@
Index: s390-tools-2.29.0/zipl/boot/menu.c
Index: s390-tools-2.30.0/zipl/boot/menu.c
===================================================================
--- s390-tools-2.29.0.orig/zipl/boot/menu.c
+++ s390-tools-2.29.0/zipl/boot/menu.c
--- s390-tools-2.30.0.orig/zipl/boot/menu.c
+++ s390-tools-2.30.0/zipl/boot/menu.c
@@ -168,8 +168,11 @@ int menu(void)
/* print config list */
menu_list();

6
s390-tools-sles15-sysconfig-compatible-dumpconf.patch
View File

@ -1,7 +1,7 @@
Index: s390-tools-2.29.0/etc/sysconfig/dumpconf
Index: s390-tools-2.30.0/etc/sysconfig/dumpconf
===================================================================
--- s390-tools-2.29.0.orig/etc/sysconfig/dumpconf
+++ s390-tools-2.29.0/etc/sysconfig/dumpconf
--- s390-tools-2.30.0.orig/etc/sysconfig/dumpconf
+++ s390-tools-2.30.0/etc/sysconfig/dumpconf
@@ -1,71 +1,137 @@
+## Path: System/Dumpconf
+## Description: Configures the actions which should be performed after a kernel panic

6
s390-tools-sles15sp1-11-zdev-Do-not-call-zipl-on-initrd-update.patch
View File

@ -35,10 +35,10 @@ Signed-off-by: Peter Oberparleiter <oberpar@linux.ibm.com>
zdev/src/zdev-root-update.dracut | 6 ------
1 file changed, 6 deletions(-)
Index: s390-tools-2.29.0/zdev/src/zdev-root-update.dracut
Index: s390-tools-2.30.0/zdev/src/zdev-root-update.dracut
===================================================================
--- s390-tools-2.29.0.orig/zdev/src/zdev-root-update.dracut
+++ s390-tools-2.29.0/zdev/src/zdev-root-update.dracut
--- s390-tools-2.30.0.orig/zdev/src/zdev-root-update.dracut
+++ s390-tools-2.30.0/zdev/src/zdev-root-update.dracut
@@ -20,10 +20,4 @@ dracut -f || {
exit 1
}

20
s390-tools-sles15sp3-Allow-multiple-device-arguments.patch
View File

@ -11,10 +11,10 @@ Signed-off-by: Hannes Reinecke <hare@suse.com>
dasdfmt/dasdfmt.c | 175 ++++++++++++++++++++++++++++++------------------------
2 files changed, 100 insertions(+), 80 deletions(-)
Index: s390-tools-2.29.0/dasdfmt/dasdfmt.8
Index: s390-tools-2.30.0/dasdfmt/dasdfmt.8
===================================================================
--- s390-tools-2.29.0.orig/dasdfmt/dasdfmt.8
+++ s390-tools-2.29.0/dasdfmt/dasdfmt.8
--- s390-tools-2.30.0.orig/dasdfmt/dasdfmt.8
+++ s390-tools-2.30.0/dasdfmt/dasdfmt.8
@@ -11,14 +11,15 @@ dasdfmt \- formatting of DASD (ECKD) dis
.br
[-r \fIcylinder\fR] [-b \fIblksize\fR] [-l \fIvolser\fR] [-d \fIlayout\fR]
@ -25,18 +25,18 @@ Index: s390-tools-2.29.0/dasdfmt/dasdfmt.8
.SH DESCRIPTION
-\fBdasdfmt\fR formats a DASD (ECKD) disk drive to prepare it
+\fBdasdfmt\fR formats one or several DASD (ECKD) disk drive to prepare it
for usage with Linux for S/390.
for usage with Linux for S/390.
The \fIdevice\fR is the node of the device (e.g. '/dev/dasda').
Any device node created by udev for kernel 2.6 can be used
Any device node created by udev for kernel 2.6 can be used
(e.g. '/dev/dasd/0.0.b100/disc').
+It is possible to specify up to 512 devices.
.br
\fBWARNING\fR: Careless usage of \fBdasdfmt\fR can result in
Index: s390-tools-2.29.0/dasdfmt/dasdfmt.c
\fBWARNING\fR: Careless usage of \fBdasdfmt\fR can result in
Index: s390-tools-2.30.0/dasdfmt/dasdfmt.c
===================================================================
--- s390-tools-2.29.0.orig/dasdfmt/dasdfmt.c
+++ s390-tools-2.29.0/dasdfmt/dasdfmt.c
--- s390-tools-2.30.0.orig/dasdfmt/dasdfmt.c
+++ s390-tools-2.30.0/dasdfmt/dasdfmt.c
@@ -25,6 +25,8 @@
#include "dasdfmt.h"
@ -461,7 +461,7 @@ Index: s390-tools-2.29.0/dasdfmt/dasdfmt.c
+ for (i = 0; i < numdev; i++)
+ {
+ strncpy(g.dev_path, g.dev_path_array[i], strlen(g.dev_path_array[i])+1);
+ strncpy(g.dev_node, g.dev_node_array[i], strlen(g.dev_node_array[i])+1);
+ strncpy(g.dev_node, g.dev_node_array[i], strlen(g.dev_node_array[i])+1);
+ process_dasd(&vlabel, format_params);
+ }

18
s390-tools-sles15sp3-Format-devices-in-parallel.patch
View File

@ -12,10 +12,10 @@ Signed-off-by: Hannes Reinecke <hare@suse.com>
dasdfmt/dasdfmt.h | 1 +
3 files changed, 58 insertions(+), 9 deletions(-)
Index: s390-tools-2.29.0/dasdfmt/dasdfmt.8
Index: s390-tools-2.30.0/dasdfmt/dasdfmt.8
===================================================================
--- s390-tools-2.29.0.orig/dasdfmt/dasdfmt.8
+++ s390-tools-2.29.0/dasdfmt/dasdfmt.8
--- s390-tools-2.30.0.orig/dasdfmt/dasdfmt.8
+++ s390-tools-2.30.0/dasdfmt/dasdfmt.8
@@ -7,7 +7,7 @@
dasdfmt \- formatting of DASD (ECKD) disk drives.
@ -51,12 +51,12 @@ Index: s390-tools-2.29.0/dasdfmt/dasdfmt.8
+
+.TP
\fB-l\fR \fIvolser\fR or \fB--label\fR=\fIvolser\fR
Specify the volume serial number or volume identifier to be written
to disk after formatting. If no label is specified, a sensible default
Index: s390-tools-2.29.0/dasdfmt/dasdfmt.c
Specify the volume serial number or volume identifier to be written
to disk after formatting. If no label is specified, a sensible default
Index: s390-tools-2.30.0/dasdfmt/dasdfmt.c
===================================================================
--- s390-tools-2.29.0.orig/dasdfmt/dasdfmt.c
+++ s390-tools-2.29.0/dasdfmt/dasdfmt.c
--- s390-tools-2.30.0.orig/dasdfmt/dasdfmt.c
+++ s390-tools-2.30.0/dasdfmt/dasdfmt.c
@@ -13,6 +13,7 @@
#include <sys/sysmacros.h>
#include <sys/time.h>
@ -142,7 +142,7 @@ Index: s390-tools-2.29.0/dasdfmt/dasdfmt.c
- for (i = 0; i < numdev; i++)
- {
- strncpy(g.dev_path, g.dev_path_array[i], strlen(g.dev_path_array[i])+1);
- strncpy(g.dev_node, g.dev_node_array[i], strlen(g.dev_node_array[i])+1);
- strncpy(g.dev_node, g.dev_node_array[i], strlen(g.dev_node_array[i])+1);
- process_dasd(&vlabel, format_params);
+ for (numproc = 0; numproc < numdev; numproc++) {
+ chpid = fork();

12
s390-tools-sles15sp3-Implement-Y-yast_mode.patch
View File

@ -12,10 +12,10 @@ Signed-off-by: Hannes Reinecke <hare@suse.com>
dasdfmt/dasdfmt.h | 1 +
3 files changed, 27 insertions(+), 8 deletions(-)
Index: s390-tools-2.29.0/dasdfmt/dasdfmt.8
Index: s390-tools-2.30.0/dasdfmt/dasdfmt.8
===================================================================
--- s390-tools-2.29.0.orig/dasdfmt/dasdfmt.8
+++ s390-tools-2.29.0/dasdfmt/dasdfmt.8
--- s390-tools-2.30.0.orig/dasdfmt/dasdfmt.8
+++ s390-tools-2.30.0/dasdfmt/dasdfmt.8
@@ -7,7 +7,7 @@
dasdfmt \- formatting of DASD (ECKD) disk drives.
@ -37,10 +37,10 @@ Index: s390-tools-2.29.0/dasdfmt/dasdfmt.8
\fB-M\fR \fImode\fR or \fB--mode\fR=\fImode\fR
Specify the \fImode\fR to be used to format the device. Valid modes are:
.RS
Index: s390-tools-2.29.0/dasdfmt/dasdfmt.c
Index: s390-tools-2.30.0/dasdfmt/dasdfmt.c
===================================================================
--- s390-tools-2.29.0.orig/dasdfmt/dasdfmt.c
+++ s390-tools-2.29.0/dasdfmt/dasdfmt.c
--- s390-tools-2.30.0.orig/dasdfmt/dasdfmt.c
+++ s390-tools-2.30.0/dasdfmt/dasdfmt.c
@@ -83,6 +83,7 @@ static struct dasdfmt_globals {
int ese;
int no_discard;

14
s390-tools-sles15sp3-Implement-f-for-backwards-compability.patch
View File

@ -13,10 +13,10 @@ Signed-off-by: Hannes Reinecke <hare@suse.com>
dasdfmt/dasdfmt.c | 8 ++++++++
2 files changed, 13 insertions(+), 1 deletion(-)
Index: s390-tools-2.29.0/dasdfmt/dasdfmt.8
Index: s390-tools-2.30.0/dasdfmt/dasdfmt.8
===================================================================
--- s390-tools-2.29.0.orig/dasdfmt/dasdfmt.8
+++ s390-tools-2.29.0/dasdfmt/dasdfmt.8
--- s390-tools-2.30.0.orig/dasdfmt/dasdfmt.8
+++ s390-tools-2.30.0/dasdfmt/dasdfmt.8
@@ -11,7 +11,7 @@ dasdfmt \- formatting of DASD (ECKD) dis
.br
[-r \fIcylinder\fR] [-b \fIblksize\fR] [-l \fIvolser\fR] [-d \fIlayout\fR]
@ -34,13 +34,13 @@ Index: s390-tools-2.29.0/dasdfmt/dasdfmt.8
+Specify device to format. For backwards compability only.
+
+.TP
\fB-y\fR
\fB-y\fR
Start formatting without further user-confirmation.
Index: s390-tools-2.29.0/dasdfmt/dasdfmt.c
Index: s390-tools-2.30.0/dasdfmt/dasdfmt.c
===================================================================
--- s390-tools-2.29.0.orig/dasdfmt/dasdfmt.c
+++ s390-tools-2.29.0/dasdfmt/dasdfmt.c
--- s390-tools-2.30.0.orig/dasdfmt/dasdfmt.c
+++ s390-tools-2.30.0/dasdfmt/dasdfmt.c
@@ -113,6 +113,10 @@ static struct util_opt opt_vec[] = {
.desc = "Format devices in parallel",
.flags = UTIL_OPT_FLAG_NOLONG,

6
s390-tools-sles15sp3-dasdfmt-retry-BIODASDINFO-if-device-is-busy.patch
View File

@ -19,10 +19,10 @@ Signed-off-by: Hannes Reinecke <hare@suse.de>
dasdfmt/dasdfmt.c | 21 ++++++++++++++++++---
1 file changed, 18 insertions(+), 3 deletions(-)
Index: s390-tools-2.29.0/dasdfmt/dasdfmt.c
Index: s390-tools-2.30.0/dasdfmt/dasdfmt.c
===================================================================
--- s390-tools-2.29.0.orig/dasdfmt/dasdfmt.c
+++ s390-tools-2.29.0/dasdfmt/dasdfmt.c
--- s390-tools-2.30.0.orig/dasdfmt/dasdfmt.c
+++ s390-tools-2.30.0/dasdfmt/dasdfmt.c
@@ -621,7 +621,7 @@ static void check_layout(unsigned int in
*/
static void check_disk(void)

6
s390-tools-sles15sp5-remove-no-pie-link-arguments.patch
View File

@ -1,7 +1,7 @@
Index: s390-tools-2.29.0/common.mak
Index: s390-tools-2.30.0/common.mak
===================================================================
--- s390-tools-2.29.0.orig/common.mak
+++ s390-tools-2.29.0/common.mak
--- s390-tools-2.30.0.orig/common.mak
+++ s390-tools-2.30.0/common.mak
@@ -338,8 +338,8 @@ export INSTALL CFLAGS CXXFLAGS \
LDFLAGS CPPFLAGS ALL_CFLAGS ALL_CXXFLAGS ALL_LDFLAGS ALL_CPPFLAGS

691
s390-tools-sles15sp6-zkey-Support-EP11-AES-keys-with-prepended-header-to-.patch
View File

@ -1,691 +0,0 @@
---
zkey/ep11.c | 48 +++++++++++-----
zkey/keystore.c | 4 +
zkey/kmip/zkey-kmip.c | 74 +++++++++++++++++++++----
zkey/kms.c | 9 ++-
zkey/pkey.c | 141 +++++++++++++++++++++++++++++++++++++++++++++++--
zkey/pkey.h | 45 +++++++++++----
zkey/zkey-cryptsetup.c | 15 ++++-
zkey/zkey.c | 8 ++
8 files changed, 294 insertions(+), 50 deletions(-)
--- a/zkey/ep11.c
+++ b/zkey/ep11.c
@@ -365,8 +365,9 @@ int select_ep11_apqn_by_mkvp(struct ep11
* @param[in] target the target handle to use for the re-encipher operation
* @param[in] card the card that corresponds to the target handle
* @param[in] domain the domain that corresponds to the target handle
- * @param[in/out] ep11key the EP11 key token to reencipher. The re-enciphered
- * secure key will be returned in this buffer.
+ * @param[in/out] ep11key_blob the EP11 key token to reencipher. The
+ * re-enciphered secure key will be returned in this
+ * buffer.
* @param[in] ep11key_size the size of the secure key
* @param[in] verbose if true, verbose messages are printed
*
@@ -374,21 +375,29 @@ int select_ep11_apqn_by_mkvp(struct ep11
*/
static int ep11_adm_reencrypt(struct ep11_lib *ep11, target_t target,
unsigned int card, unsigned int domain,
- struct ep11keytoken *ep11key,
+ u8 *ep11key_blob,
unsigned int ep11key_size, bool verbose)
{
+ struct ep11kblob_header *hdr = (struct ep11kblob_header *)ep11key_blob;
+ struct ep11keytoken *ep11key;
CK_BYTE resp[MAX_BLOBSIZE];
CK_BYTE req[MAX_BLOBSIZE];
- char ep11_token_header[sizeof(ep11key->head)];
+ char ep11_token_header[sizeof(ep11key->head)] = { 0 };
struct XCPadmresp lrb;
struct XCPadmresp rb;
+ bool with_header;
size_t resp_len;
size_t blob_len;
long req_len;
CK_RV rv;
int rc;
- blob_len = ep11key->head.length;
+ with_header = is_ep11_aes_key_with_header(ep11key_blob, ep11key_size);
+ ep11key = (struct ep11keytoken *)(with_header ?
+ ep11key_blob + sizeof(struct ep11kblob_header) :
+ ep11key_blob);
+ blob_len = with_header ? hdr->len - sizeof(struct ep11kblob_header) :
+ ep11key->head.len;
if (blob_len > ep11key_size) {
pr_verbose(verbose, "Blob length larger than secure key size");
return -EINVAL;
@@ -397,9 +406,14 @@ static int ep11_adm_reencrypt(struct ep1
rb.domain = domain;
lrb.domain = domain;
- /* The token header is an overlay over the (all zero) session field */
- memcpy(ep11_token_header, ep11key, sizeof(ep11_token_header));
- memset(ep11key->session, 0, sizeof(ep11key->session));
+ if (!with_header) {
+ /*
+ * The token header is an overlay over the (all zero) session
+ * field
+ */
+ memcpy(ep11_token_header, ep11key, sizeof(ep11_token_header));
+ memset(ep11key->session, 0, sizeof(ep11key->session));
+ }
resp_len = sizeof(resp);
req_len = ep11->dll_xcpa_cmdblock(req, sizeof(req), XCP_ADM_REENCRYPT,
@@ -446,7 +460,8 @@ static int ep11_adm_reencrypt(struct ep1
}
memcpy(ep11key, lrb.payload, blob_len);
- memcpy(ep11key, ep11_token_header, sizeof(ep11_token_header));
+ if (!with_header)
+ memcpy(ep11key, ep11_token_header, sizeof(ep11_token_header));
return 0;
}
@@ -469,7 +484,6 @@ int reencipher_ep11_key(struct ep11_lib
unsigned int card, unsigned int domain, u8 *secure_key,
unsigned int secure_key_size, bool verbose)
{
- struct ep11keytoken *ep11key = (struct ep11keytoken *)secure_key;
CK_IBM_DOMAIN_INFO dinf;
CK_ULONG dinf_len = sizeof(dinf);
CK_RV rv;
@@ -493,17 +507,21 @@ int reencipher_ep11_key(struct ep11_lib
return -ENODEV;
}
- rc = ep11_adm_reencrypt(ep11, target, card, domain, ep11key,
+ rc = ep11_adm_reencrypt(ep11, target, card, domain, secure_key,
secure_key_size, verbose);
if (rc != 0)
return rc;
if (is_xts_key(secure_key, secure_key_size)) {
- secure_key += EP11_KEY_SIZE;
- secure_key_size -= EP11_KEY_SIZE;
- ep11key = (struct ep11keytoken *)secure_key;
+ if (is_ep11_aes_key_with_header(secure_key, secure_key_size)) {
+ secure_key += EP11_AES_KEY_SIZE;
+ secure_key_size -= EP11_AES_KEY_SIZE;
+ } else {
+ secure_key += EP11_KEY_SIZE;
+ secure_key_size -= EP11_KEY_SIZE;
+ }
- rc = ep11_adm_reencrypt(ep11, target, card, domain, ep11key,
+ rc = ep11_adm_reencrypt(ep11, target, card, domain, secure_key,
secure_key_size, verbose);
if (rc != 0)
return rc;
--- a/zkey/keystore.c
+++ b/zkey/keystore.c
@@ -3398,7 +3398,9 @@ static int _keystore_perform_reencipher(
"CURRENT master key", name);
if (!selected &&
!is_ep11_aes_key(secure_key,
- secure_key_size))
+ secure_key_size) &&
+ !is_ep11_aes_key_with_header(secure_key,
+ secure_key_size))
print_msg_for_cca_envvars(
"secure AES key");
}
--- a/zkey/kmip/zkey-kmip.c
+++ b/zkey/kmip/zkey-kmip.c
@@ -5278,9 +5278,11 @@ static int _ep11_unwrap_key_rsa(struct p
m_UnwrapKey_t dll_m_UnwrapKey;
const unsigned char *key_blob;
struct ep11keytoken *ep11key;
+ struct ep11kblob_header *hdr;
CK_MECHANISM mech = { 0 };
CK_BYTE csum[7] = { 0 };
CK_BBOOL ck_true = true;
+ int pkey_fd, rc;
CK_RV rv;
CK_ATTRIBUTE template[] = {
@@ -5306,7 +5308,8 @@ static int _ep11_unwrap_key_rsa(struct p
pr_verbose(&ph->pd, "Wrap hashing algorithm: %d",
ph->profile->wrap_hashing_algo);
- if (*unwrapped_key_len < sizeof(struct ep11keytoken)) {
+ if (*unwrapped_key_len < sizeof(struct ep11kblob_header) +
+ sizeof(struct ep11keytoken)) {
_set_error(ph, "Key buffer is too small");
return -EINVAL;
}
@@ -5381,19 +5384,68 @@ static int _ep11_unwrap_key_rsa(struct p
256 * 256 * csum[csum_len - 3] +
256 * 256 * 256 * csum[csum_len - 4];
- /* Setup the EP11 token header */
- ep11key = (struct ep11keytoken *)unwrapped_key;
- memset(&ep11key->session, 0, sizeof(ep11key->session));
- ep11key->head.type = TOKEN_TYPE_NON_CCA;
- ep11key->head.length = *unwrapped_key_len;
- ep11key->head.version = TOKEN_VERSION_EP11_AES;
- ep11key->head.keybitlen = bit_len;
+ /* Prepend and setup the EP11 token header */
+ hdr = (struct ep11kblob_header *)unwrapped_key;
+ ep11key = (struct ep11keytoken *)
+ (unwrapped_key + sizeof(struct ep11kblob_header));
+ memmove(ep11key, unwrapped_key, *unwrapped_key_len);
+ *unwrapped_key_len += sizeof(struct ep11kblob_header);
+ memset(hdr, 0, sizeof(struct ep11kblob_header));
+ hdr->type = TOKEN_TYPE_NON_CCA;
+ hdr->hver = 0;
+ hdr->len = *unwrapped_key_len;
+ hdr->version = TOKEN_VERSION_EP11_AES_WITH_HEADER;
+ hdr->bitlen = bit_len;
- pr_verbose(&ph->pd, "unwrapped bit length: %u",
- ep11key->head.keybitlen);
+ pr_verbose(&ph->pd, "unwrapped bit length: %u", hdr->bitlen);
/* return full length, blob is already zero padded */
- *unwrapped_key_len = sizeof(struct ep11keytoken);
+ *unwrapped_key_len =
+ sizeof(struct ep11kblob_header) + sizeof(struct ep11keytoken);
+
+ /*
+ * Check if the pkey module supports keys of type
+ * TOKEN_VERSION_EP11_AES_WITH_HEADER, older kernels may not support
+ * such keys. If it does not support such keys, convert the key to
+ * TOKEN_VERSION_EP11_AES type, if its session field is all zero
+ * (i.e. the key is not session bound).
+ */
+ pkey_fd = open_pkey_device(ph->pd.verbose);
+ if (pkey_fd < 0) {
+ _set_error(ph, "Failed to open pkey device");
+ return -EIO;
+ }
+
+ rc = validate_secure_key(pkey_fd, unwrapped_key, *unwrapped_key_len,
+ NULL, NULL, NULL, ph->pd.verbose);
+ close(pkey_fd);
+ if (rc == -EINVAL || rc == -ENODEV) {
+ pr_verbose(&ph->pd, "The pkey kernel module does not support "
+ "PKEY_TYPE_EP11_AES, fall back to PKEY_TYPE_EP11");
+
+ if (is_ep11_key_session_bound(unwrapped_key,
+ *unwrapped_key_len)) {
+ _set_error(ph, "The unwrapped key is session bound. "
+ "Kernel support is required for such keys");
+ return -EIO;
+ }
+
+ key_blob_len = hdr->len;
+ *unwrapped_key_len -= sizeof(struct ep11kblob_header);
+ memmove(unwrapped_key,
+ unwrapped_key + sizeof(struct ep11kblob_header),
+ *unwrapped_key_len);
+ ep11key = (struct ep11keytoken *)unwrapped_key;
+ memset(&ep11key->session, 0, sizeof(ep11key->session));
+ ep11key->head.type = TOKEN_TYPE_NON_CCA;
+ ep11key->head.len = key_blob_len -
+ sizeof(struct ep11kblob_header);
+ ep11key->head.version = TOKEN_VERSION_EP11_AES;
+ ep11key->head.bitlen = bit_len;
+ } else if (rc != 0) {
+ _set_error(ph, "Failed to validate unwrapped key");
+ return rc;
+ }
return 0;
}
--- a/zkey/kms.c
+++ b/zkey/kms.c
@@ -2175,7 +2175,7 @@ int generate_kms_key(struct kms_info *km
else if (strcasecmp(key_type, KEY_TYPE_CCA_AESCIPHER) == 0)
key_size = AESCIPHER_KEY_SIZE;
else if (strcasecmp(key_type, KEY_TYPE_EP11_AES) == 0)
- key_size = EP11_KEY_SIZE;
+ key_size = EP11_AES_KEY_SIZE;
else
return -ENOTSUP;
@@ -2248,6 +2248,9 @@ int generate_kms_key(struct kms_info *km
if (verbose)
util_hexdump_grp(stderr, NULL, key_blob, 4, key_blob_size, 0);
+ if (is_ep11_aes_key(key_blob, key_blob_size))
+ key_size = EP11_KEY_SIZE;
+
/* Save ID and label of 1st key */
rc = properties_set(key_props, xts ? PROP_NAME_KMS_XTS_KEY1_ID :
PROP_NAME_KMS_KEY_ID, key1_id);
@@ -3132,6 +3135,8 @@ int import_kms_key(struct kms_info *kms_
key_size = AESCIPHER_KEY_SIZE;
else if (is_ep11_aes_key(key_blob, key_blob_size))
key_size = EP11_KEY_SIZE;
+ else if (is_ep11_aes_key_with_header(key_blob, key_blob_size))
+ key_size = EP11_AES_KEY_SIZE;
if (key_size == 0 || key_blob_size > key_size) {
pr_verbose(verbose, "Key '%s' has an unknown or unsupported "
@@ -3366,6 +3371,8 @@ int refresh_kms_key(struct kms_info *kms
key_size = AESCIPHER_KEY_SIZE;
else if (is_ep11_aes_key(key_blob, key_blob_size))
key_size = EP11_KEY_SIZE;
+ else if (is_ep11_aes_key_with_header(key_blob, key_blob_size))
+ key_size = EP11_AES_KEY_SIZE;
if (key_size == 0 || key_blob_size > key_size) {
pr_verbose(verbose, "Key '%s' has an unknown or unsupported "
--- a/zkey/pkey.c
+++ b/zkey/pkey.c
@@ -858,7 +858,7 @@ static enum pkey_key_type key_type_to_pk
if (strcasecmp(key_type, KEY_TYPE_CCA_AESCIPHER) == 0)
return PKEY_TYPE_CCA_CIPHER;
if (strcasecmp(key_type, KEY_TYPE_EP11_AES) == 0)
- return PKEY_TYPE_EP11;
+ return PKEY_TYPE_EP11_AES;
return 0;
}
@@ -879,6 +879,8 @@ static size_t key_size_for_type(enum pke
return AESCIPHER_KEY_SIZE;
case PKEY_TYPE_EP11:
return EP11_KEY_SIZE;
+ case PKEY_TYPE_EP11_AES:
+ return EP11_AES_KEY_SIZE;
default:
return 0;
}
@@ -924,6 +926,7 @@ int generate_secure_key_random(int pkey_
return -ENOTSUP;
}
+retry:
genseck2.size = keybits_to_keysize(keybits);
if (genseck2.size == 0) {
warnx("Invalid value for '--keybits'/'-c': '%lu'", keybits);
@@ -957,10 +960,33 @@ int generate_secure_key_random(int pkey_
genseck2.keylen = size;
rc = pkey_genseck2(pkey_fd, &genseck2, verbose);
+ if (rc == -EINVAL && genseck2.type == PKEY_TYPE_EP11_AES) {
+ /*
+ * Older kernels may not support gensek2 with key type
+ * PKEY_TYPE_EP11_AES, retry with PKEY_TYPE_EP11.
+ */
+ pr_verbose(verbose,
+ "ioctl PKEY_GENSECK2 does not support "
+ "PKEY_TYPE_EP11_AES, fall back to PKEY_TYPE_EP11");
+
+ genseck2.type = PKEY_TYPE_EP11;
+ free(genseck2.apqns);
+ genseck2.apqns = NULL;
+ genseck2.apqn_entries = 0;
+ free(secure_key);
+ goto retry;
+ }
if (rc != 0) {
warnx("Failed to generate a secure key: %s", strerror(-rc));
goto out;
}
+ if (rc == 0 && genseck2.type == PKEY_TYPE_EP11) {
+ if (is_ep11_key_session_bound(secure_key, size)) {
+ warnx("The generated key is session bound. Kernel "
+ "support is required for such keys");
+ goto out;
+ }
+ }
if (xts) {
free(genseck2.apqns);
@@ -1062,6 +1088,7 @@ int generate_secure_key_clear(int pkey_f
return -ENOTSUP;
}
+retry:
clr2seck2.size = keybits_to_keysize(HALF_KEYSIZE_FOR_XTS(
clear_key_size * 8, xts));
if (clr2seck2.size == 0) {
@@ -1096,10 +1123,33 @@ int generate_secure_key_clear(int pkey_f
clr2seck2.keylen = size;
rc = pkey_clr2seck2(pkey_fd, &clr2seck2, verbose);
+ if (rc == -EINVAL && clr2seck2.type == PKEY_TYPE_EP11_AES) {
+ /*
+ * Older kernels may not support clr2seck2 with key type
+ * PKEY_TYPE_EP11_AES, retry with PKEY_TYPE_EP11.
+ */
+ pr_verbose(verbose,
+ "ioctl PKEY_CLR2SECK2 does not support "
+ "PKEY_TYPE_EP11_AES, fall back to PKEY_TYPE_EP11");
+
+ clr2seck2.type = PKEY_TYPE_EP11;
+ free(clr2seck2.apqns);
+ clr2seck2.apqns = NULL;
+ clr2seck2.apqn_entries = 0;
+ free(secure_key);
+ goto retry;
+ }
if (rc != 0) {
warnx("Failed to generate a secure key: %s", strerror(-rc));
goto out;
}
+ if (rc == 0 && clr2seck2.type == PKEY_TYPE_EP11) {
+ if (is_ep11_key_session_bound(secure_key, size)) {
+ warnx("The generated key is session bound. Kernel "
+ "support is required for such keys");
+ goto out;
+ }
+ }
if (xts) {
free(clr2seck2.apqns);
@@ -1486,6 +1536,8 @@ int get_master_key_verification_pattern(
struct aesdatakeytoken *datakey = (struct aesdatakeytoken *)key;
struct aescipherkeytoken *cipherkey = (struct aescipherkeytoken *)key;
struct ep11keytoken *ep11key = (struct ep11keytoken *)key;
+ struct ep11keytoken *ep11key2 =
+ (struct ep11keytoken *)(key + sizeof(struct ep11kblob_header));
util_assert(key != NULL, "Internal error: secure_key is NULL");
util_assert(mkvp != NULL, "Internal error: mkvp is NULL");
@@ -1497,6 +1549,8 @@ int get_master_key_verification_pattern(
memcpy(mkvp, &cipherkey->kvp, sizeof(cipherkey->kvp));
else if (is_ep11_aes_key(key, key_size))
memcpy(mkvp, &ep11key->wkvp, sizeof(ep11key->wkvp));
+ else if (is_ep11_aes_key_with_header(key, key_size))
+ memcpy(mkvp, &ep11key2->wkvp, sizeof(ep11key2->wkvp));
else
return -EINVAL;
@@ -1593,9 +1647,11 @@ bool is_ep11_aes_key(const u8 *key, size
if (ep11key->head.type != TOKEN_TYPE_NON_CCA)
return false;
+ if (ep11key->head.hver != 0)
+ return false;
if (ep11key->head.version != TOKEN_VERSION_EP11_AES)
return false;
- if (ep11key->head.length > key_size)
+ if (ep11key->head.len > key_size)
return false;
if (ep11key->version != 0x1234)
@@ -1605,6 +1661,65 @@ bool is_ep11_aes_key(const u8 *key, size
}
/**
+ * Check if the specified key is a EP11 AES key token with external header.
+ *
+ * @param[in] key the secure key token
+ * @param[in] key_size the size of the secure key
+ *
+ * @returns true if the key is an EP11 AES token with external header type
+ */
+bool is_ep11_aes_key_with_header(const u8 *key, size_t key_size)
+{
+ struct ep11kblob_header *header = (struct ep11kblob_header *)key;
+ struct ep11keytoken *ep11key =
+ (struct ep11keytoken *)(key + sizeof(struct ep11kblob_header));
+
+ if (key == NULL || key_size < EP11_AES_KEY_SIZE)
+ return false;
+
+ if (header->type != TOKEN_TYPE_NON_CCA)
+ return false;
+ if (header->hver != 0)
+ return false;
+ if (header->version != TOKEN_VERSION_EP11_AES_WITH_HEADER)
+ return false;
+ if (header->len > key_size)
+ return false;
+
+ if (ep11key->version != 0x1234)
+ return false;
+
+ return true;
+}
+
+/**
+ * Check if the specified EP11 AES key is session bound.
+ *
+ * @param[in] key the secure key token
+ * @param[in] key_size the size of the secure key
+ *
+ * @returns true if the key is an EP11 AES token type
+ */
+bool is_ep11_key_session_bound(const u8 *key, size_t key_size)
+{
+ struct ep11keytoken *ep11key;
+
+ if (is_ep11_aes_key(key, key_size)) {
+ ep11key = (struct ep11keytoken *)key;
+ return memcmp(ep11key->session + sizeof(ep11key->head),
+ ZERO_SESSION, sizeof(ep11key->session) -
+ sizeof(ep11key->head)) != 0;
+ } else if (is_ep11_aes_key_with_header(key, key_size)) {
+ ep11key = (struct ep11keytoken *)
+ (key + sizeof(struct ep11kblob_header));
+ return memcmp(ep11key->session, ZERO_SESSION,
+ sizeof(ep11key->session)) != 0;
+ } else {
+ return false;
+ }
+}
+
+/**
* Check if the specified key is an XTS type key
*
* @param[in] key the secure key token
@@ -1629,6 +1744,11 @@ bool is_xts_key(const u8 *key, size_t ke
is_ep11_aes_key(key + EP11_KEY_SIZE,
key_size - EP11_KEY_SIZE))
return true;
+ } else if (is_ep11_aes_key_with_header(key, key_size)) {
+ if (key_size == 2 * EP11_AES_KEY_SIZE &&
+ is_ep11_aes_key_with_header(key + EP11_AES_KEY_SIZE,
+ key_size - EP11_AES_KEY_SIZE))
+ return true;
}
return false;
@@ -1650,6 +1770,7 @@ int get_key_bit_size(const u8 *key, size
struct aesdatakeytoken *datakey = (struct aesdatakeytoken *)key;
struct aescipherkeytoken *cipherkey = (struct aescipherkeytoken *)key;
struct ep11keytoken *ep11key = (struct ep11keytoken *)key;
+ struct ep11kblob_header *hdr = (struct ep11kblob_header *)key;
util_assert(bitsize != NULL, "Internal error: bitsize is NULL");
@@ -1672,10 +1793,17 @@ int get_key_bit_size(const u8 *key, size
*bitsize += cipherkey->pl - 384;
}
} else if (is_ep11_aes_key(key, key_size)) {
- *bitsize = ep11key->head.keybitlen;
+ *bitsize = ep11key->head.bitlen;
if (key_size == 2 * EP11_KEY_SIZE) {
ep11key = (struct ep11keytoken *)(key + EP11_KEY_SIZE);
- *bitsize += ep11key->head.keybitlen;
+ *bitsize += ep11key->head.bitlen;
+ }
+ } else if (is_ep11_aes_key_with_header(key, key_size)) {
+ *bitsize = hdr->bitlen;
+ if (key_size == 2 * EP11_AES_KEY_SIZE) {
+ hdr = (struct ep11kblob_header *)
+ (key + EP11_AES_KEY_SIZE);
+ *bitsize += hdr->bitlen;
}
} else {
return -EINVAL;
@@ -1700,6 +1828,8 @@ const char *get_key_type(const u8 *key,
return KEY_TYPE_CCA_AESCIPHER;
if (is_ep11_aes_key(key, key_size))
return KEY_TYPE_EP11_AES;
+ if (is_ep11_aes_key_with_header(key, key_size))
+ return KEY_TYPE_EP11_AES;
return NULL;
}
@@ -2016,7 +2146,8 @@ int reencipher_secure_key(struct ext_lib
return rc;
}
- if (is_ep11_aes_key(secure_key, secure_key_size)) {
+ if (is_ep11_aes_key(secure_key, secure_key_size) ||
+ is_ep11_aes_key_with_header(secure_key, secure_key_size)) {
/* EP11 secure key: need the EP11 host library */
if (lib->ep11->lib_ep11 == NULL) {
rc = load_ep11_library(lib->ep11, verbose);
--- a/zkey/pkey.h
+++ b/zkey/pkey.h
@@ -39,6 +39,8 @@ struct tokenheader {
#define TOKEN_VERSION_PROTECTED_KEY 0x01
#define TOKEN_VERSION_CLEAR_KEY 0x02
#define TOKEN_VERSION_EP11_AES 0x03
+#define TOKEN_VERSION_EP11_AES_WITH_HEADER 0x06
+#define TOKEN_VERSION_EP11_ECC_WITH_HEADER 0x07
struct aesdatakeytoken {
u8 type; /* TOKEN_TYPE_INTERNAL (0x01) for internal key token */
@@ -89,17 +91,20 @@ struct aescipherkeytoken {
u8 varpart[80]; /* variable part */
} __packed;
+struct ep11kblob_header {
+ u8 type; /* always 0x00 */
+ u8 hver; /* header version, currently needs to be 0x00 */
+ u16 len; /* total length in bytes (including this header) */
+ u8 version; /* PKEY_TYPE_EP11_AES or PKEY_TYPE_EP11_ECC */
+ u8 res0; /* unused */
+ u16 bitlen; /* clear key bit len, 0 for unknown */
+ u8 res1[8]; /* unused */
+} __packed;
+
struct ep11keytoken {
union {
u8 session[32];
- struct {
- u8 type; /* TOKEN_TYPE_NON_CCA (0x00) */
- u8 res0; /* unused */
- u16 length; /* length of token */
- u8 version; /* TOKEN_VERSION_EP11_AES (0x03) */
- u8 res1; /* unused */
- u16 keybitlen; /* clear key bit len, 0 for unknown */
- } head;
+ struct ep11kblob_header head;
};
u8 wkvp[16]; /* wrapping key verification pattern */
u64 attr; /* boolean key attributes */
@@ -111,18 +116,29 @@ struct ep11keytoken {
u8 padding[64];
} __packed;
+#define ZERO_SESSION \
+ "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"
+
#define AESDATA_KEY_SIZE sizeof(struct aesdatakeytoken)
#define AESCIPHER_KEY_SIZE sizeof(struct aescipherkeytoken)
#define EP11_KEY_SIZE sizeof(struct ep11keytoken)
+#define EP11_AES_KEY_SIZE (sizeof(struct ep11kblob_header) + \
+ sizeof(struct ep11keytoken))
/* MAX/MIN from zt_common.h produces warnings for variable length arrays */
#define _MIN(a, b) ((a) < (b) ? (a) : (b))
#define _MAX(a, b) ((a) > (b) ? (a) : (b))
-#define MAX_SECURE_KEY_SIZE _MAX(EP11_KEY_SIZE, \
- _MAX(AESDATA_KEY_SIZE, AESCIPHER_KEY_SIZE))
-#define MIN_SECURE_KEY_SIZE _MIN(EP11_KEY_SIZE, \
- _MIN(AESDATA_KEY_SIZE, AESCIPHER_KEY_SIZE))
+#define MAX_SECURE_KEY_SIZE _MAX( \
+ _MAX(EP11_KEY_SIZE, \
+ EP11_AES_KEY_SIZE), \
+ _MAX(AESDATA_KEY_SIZE, \
+ AESCIPHER_KEY_SIZE))
+#define MIN_SECURE_KEY_SIZE _MIN( \
+ _MIN(EP11_KEY_SIZE, \
+ EP11_AES_KEY_SIZE), \
+ _MIN(AESDATA_KEY_SIZE, \
+ AESCIPHER_KEY_SIZE))
struct pkey_seckey {
u8 seckey[AESDATA_KEY_SIZE]; /* the secure key blob */
@@ -175,6 +191,9 @@ enum pkey_key_type {
PKEY_TYPE_CCA_DATA = (u32) 1,
PKEY_TYPE_CCA_CIPHER = (u32) 2,
PKEY_TYPE_EP11 = (u32) 3,
+ PKEY_TYPE_CCA_ECC = (u32) 0x1f,
+ PKEY_TYPE_EP11_AES = (u32) 6,
+ PKEY_TYPE_EP11_ECC = (u32) 7,
};
enum pkey_key_size {
@@ -321,6 +340,8 @@ int get_master_key_verification_pattern(
bool is_cca_aes_data_key(const u8 *key, size_t key_size);
bool is_cca_aes_cipher_key(const u8 *key, size_t key_size);
bool is_ep11_aes_key(const u8 *key, size_t key_size);
+bool is_ep11_aes_key_with_header(const u8 *key, size_t key_size);
+bool is_ep11_key_session_bound(const u8 *key, size_t key_size);
bool is_xts_key(const u8 *key, size_t key_size);
int get_key_bit_size(const u8 *key, size_t key_size, size_t *bitsize);
const char *get_key_type(const u8 *key, size_t key_size);
--- a/zkey/zkey-cryptsetup.c
+++ b/zkey/zkey-cryptsetup.c
@@ -1673,7 +1673,10 @@ static int reencipher_prepare(int token)
warnx("Failed to re-encipher the secure volume "
"key for device '%s'\n", g.pos_arg);
if (!selected &&
- !is_ep11_aes_key((u8 *)key, securekeysize))
+ !is_ep11_aes_key((u8 *)key,
+ securekeysize) &&
+ !is_ep11_aes_key_with_header((u8 *)key,
+ securekeysize))
print_msg_for_cca_envvars(
"secure AES volume key");
rc = -EINVAL;
@@ -1696,7 +1699,10 @@ static int reencipher_prepare(int token)
warnx("Failed to re-encipher the secure volume "
"key for device '%s'\n", g.pos_arg);
if (!selected &&
- !is_ep11_aes_key((u8 *)key, securekeysize))
+ !is_ep11_aes_key((u8 *)key,
+ securekeysize) &&
+ !is_ep11_aes_key_with_header((u8 *)key,
+ securekeysize))
print_msg_for_cca_envvars(
"secure AES volume key");
rc = -EINVAL;
@@ -1836,7 +1842,10 @@ static int reencipher_complete(int token
warnx("Failed to re-encipher the secure volume "
"key for device '%s'\n", g.pos_arg);
if (!selected &&
- !is_ep11_aes_key((u8 *)key, securekeysize))
+ !is_ep11_aes_key((u8 *)key,
+ securekeysize) &&
+ !is_ep11_aes_key_with_header((u8 *)key,
+ securekeysize))
print_msg_for_cca_envvars(
"secure AES volume key");
rc = -EINVAL;
--- a/zkey/zkey.c
+++ b/zkey/zkey.c
@@ -1968,7 +1968,9 @@ static int command_reencipher_file(void)
"master key has failed\n");
if (!selected &&
!is_ep11_aes_key(secure_key,
- secure_key_size))
+ secure_key_size) &&
+ !is_ep11_aes_key_with_header(secure_key,
+ secure_key_size))
print_msg_for_cca_envvars(
"secure AES key");
}
@@ -1993,7 +1995,9 @@ static int command_reencipher_file(void)
"master key has failed\n");
if (!selected &&
!is_ep11_aes_key(secure_key,
- secure_key_size))
+ secure_key_size) &&
+ !is_ep11_aes_key_with_header(secure_key,
+ secure_key_size))
print_msg_for_cca_envvars(
"secure AES key");
}

50
s390-tools.changes
View File

@ -1,5 +1,53 @@
-------------------------------------------------------------------
Wed Nov 15 07:55:09 UTC 2023 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
Sun Dec 17 05:48:56 UTC 2023 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
- Updated the .spec file to use gcc13 (bsc#1217838)
- Amended read_values for '-S' option (bsc#1217923)
-------------------------------------------------------------------
Mon Dec 4 13:34:09 UTC 2023 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
- Upgrade s390-tools to version 2.30
(jsc#PED-5783, jsc#PED-6785, jsc#PED-7136, jsc#PED-6539, jsc#PED-4604,
jsc#PED-6649, jsc#PED-7138 )
- Add new tools / libraries:
* lspai: Tool to display PAI counter sets
* s390-tools: Provide a ShellCheck configuration
- Changes of existing tools / libraries:
* cpumf/pai: Add command line option for realtime scheduling
* dbginfo.sh: enhance ethtool collection for ROCE
* libutil/util_lockfile: add routine to return owning pid of file lock
* lszcrypt: Improve lszcrypt output on SE guests
* rust: Use a single workspace for all rust tools
* zdev: limit the derivation of ZDEV_SITE_ID
* zdump/df_s390: Update 'zgetdump -i' output with zlib info
* zdump/dfi_s390: Support reading compressed s390_ext dumps
* zipl/boot: Integrate zlib compression to single volume DASD dumper
* zipl/boot: compile the bootloaders only if HOST_ARCH is s390x
* zipl: Add --no-compress option to zipl command
* zkey: Also check for deconfigured and check-stopped cards
- Bug Fixes:
* ap_tools/ap-check: handle get-attributes between pre and post event
* libutil: fix util_file_read_*() using wrong format specifiers
* rust/pv: fix Invalid write of size
- Amended the SUSE patches for version 2.30
- Revendored vendor.tar.gz
-------------------------------------------------------------------
Fri Nov 24 07:51:10 UTC 2023 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
- Provide s390-tools on x86_64 to enable Secure Execution in the Cloud
(jsc#PED-578, jsc#PED-7136, and jsc#PED-7138)
* Selected tools from the s390-tools package need to be made available on x86_64.
This will enable the integration of IBM Z machines running Secure Execution in a
cloud environment where users don't necessarily need to have an s390x environment.
- genprotimg - (for building secure images)
- pvsecret -
- pvattest - (for external attestation)
- pvextract-hdr -
-------------------------------------------------------------------
Wed Nov 15 07:31:45 UTC 2023 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
- Fixed a logic error in read_values.c

77
s390-tools.spec
View File

@ -33,7 +33,7 @@
%endif
Name: s390-tools
Version: 2.29.0
Version: 2.30.0
Release: 0
Summary: S/390 tools like zipl and dasdfmt
License: MIT
@ -152,17 +152,16 @@ Patch909: s390-tools-sles12-fdasd-skip-partition-check-and-BLKRRPART-ioctl
Patch910: s390-tools-sles15sp1-11-zdev-Do-not-call-zipl-on-initrd-update.patch
Patch911: s390-tools-sles15sp5-remove-no-pie-link-arguments.patch
Patch912: s390-tools-ALP-zdev-live.patch
Patch913: s390-tools-sles15sp6-zkey-Support-EP11-AES-keys-with-prepended-header-to-.patch
###
BuildRequires: curl-devel
BuildRequires: dracut
BuildRequires: fuse3-devel
BuildRequires: gcc-c++
BuildRequires: gcc13
BuildRequires: gcc13-c++
BuildRequires: gettext-tools
BuildRequires: glib2-devel
BuildRequires: glibc-devel-static
BuildRequires: kernel-zfcpdump
BuildRequires: libcryptsetup-devel > 2.0.3
BuildRequires: libjson-c-devel
BuildRequires: libxml2-devel
@ -171,10 +170,14 @@ BuildRequires: ncurses-devel
BuildRequires: net-snmp-devel
BuildRequires: openssl-devel >= 1.1.1l
BuildRequires: pesign-obs-integration
BuildRequires: qclib-devel-static
BuildRequires: systemd-devel
BuildRequires: tcpd-devel
BuildRequires: zlib-devel-static
### x86_64
%ifarch s390x
BuildRequires: kernel-zfcpdump
BuildRequires: qclib-devel-static
%endif
### Cargo
BuildRequires: rust
BuildRequires: cargo
@ -195,7 +198,7 @@ Requires(post): permissions
Requires(pre): shadow
Recommends: blktrace
Provides: s390utils:/sbin/dasdfmt
ExclusiveArch: s390x
### ExclusiveArch: s390x x86_64
%description
This package contains the tools needed to use Linux on IBM z Systems
@ -315,15 +318,16 @@ unavailable, the toolset checks for operational paths to the same
volume. If available, it reconfigures the FCP re-IPL settings to use an
operational path.
### *** s390x ************************************************************************* ###
%ifarch s390x
%prep
%autosetup -p1
cp -vi %{SOURCE22} CAUTION
###
install -D -m 0644 %{SOURCE200} .cargo/config
tar -xzvf %{SOURCE201}
###
tar -xzf %{SOURCE201}
%build
@ -333,13 +337,17 @@ tar -xzvf %{SOURCE201}
export OPT_FLAGS="%{optflags}"
export KERNELIMAGE_MAKEFLAGS="%%{?_smp_mflags}"
%make_build \
%make_build -v \
ZFCPDUMP_DIR=%{_prefix}/lib/s390-tools/zfcpdump \
DISTRELEASE=%{release} \
UDEVRUNDIR=/run/udev \
HAVE_CARGO=1 \
HAVE_DRACUT=1
gcc -static -o read_values ${OPT_FLAGS} %{SOURCE86} -lqc
HAVE_DRACUT=1 \
CC=gcc-13 \
CXX=g++-13
### all
gcc-13 -v -static -o read_values ${OPT_FLAGS} %{SOURCE86} -lqc
%install
mkdir -p %{buildroot}/boot/zipl
@ -350,7 +358,10 @@ mkdir -p %{buildroot}%{_sysconfdir}/zkey/repository
SYSTEMDSYSTEMUNITDIR=%{_unitdir} \
UDEVRUNDIR=/run/udev \
HAVE_CARGO=1 \
HAVE_DRACUT=1
HAVE_DRACUT=1 \
CC=gcc-13 \
CXX=g++-13
### all
# The make install command puts things in /etc/sysconfig and not the
# fillup-templates directory. Let's try moving them where they belong
@ -735,4 +746,44 @@ done
%{_udevrulesdir}/70-chreipl-fcp-mpath.rules
%{_mandir}/man7/chreipl-fcp-mpath.7%{?ext_man}
### _endif
### *** !s390x ************************************************************************* ###
### _ifarch x86_64
%else
%prep
%autosetup -p1
install -D -m 0644 %{SOURCE200} .cargo/config
tar -xzf %{SOURCE201}
%build
export OPT_FLAGS="%{optflags}"
export KERNELIMAGE_MAKEFLAGS="%%{?_smp_mflags}"
%make_build \
DISTRELEASE=%{release} \
UDEVRUNDIR=/run/udev \
HAVE_CARGO=1 \
HAVE_DRACUT=1
%install
%make_install \
DISTRELEASE=%{release} \
SYSTEMDSYSTEMUNITDIR=%{_unitdir} \
UDEVRUNDIR=/run/udev \
HAVE_CARGO=1 \
HAVE_DRACUT=1
%files
%{_prefix}/bin/*
%{_prefix}/share/s390-tools/*
%dir /usr/share/s390-tools
%{_mandir}/man1/*
%files debuginfo
%dir %{_prefix}/lib/debug
%dir %{_prefix}/lib/debug/usr/bin
%endif
%changelog

BIN
vendor.tar.gz (Stored with Git LFS)
View File

Binary file not shown.