From 9d48c28feedb3cc75e8e389fed509e01d50d5ecfd431ae4650ab848abbd3c7e4 Mon Sep 17 00:00:00 2001
From: Mark Post <mpost@suse.com>
Date: Wed, 19 Feb 2020 19:16:44 +0000
Subject: [PATCH] Accepting request 777411 from
 home:markkp:branches:Base:System

- Added s390-tools-sles15sp2-zkey-Fix-display-of-XTS-attribute-for-validate-comma.patch
  (bsc#1163002).
- Added s390-tools-sles15sp2-zkey-Fix-display-of-clear-key-size-for-CCA-AESCIPHER.patch
  (bsc#1163570).
- Re-categorized s390-tools-sles15sp1-11-zdev-Do-not-call-zipl-on-initrd-update.patch
  from an IBM patch to a SUSE-maintained patch. (bsc#1162840)
- sign the stage3.bin bootloader stage (bsc#1163524)
- Added s390-tools-sles15sp1-zdev-Also-include-the-ctc-driver-in-the-initrd.patch
  (bsc#1160373).
- Added s390-tools-sles15sp1-11-zdev-Do-not-call-zipl-on-initrd-update.patch
  (bsc#1162840).
- Added s390-tools-sles15sp2-zkey-Fix-listing-of-keys-on-file-systems-reporting-D.patch
  (bsc#1162996).
- Added s390-tools-sles15sp2-zkey-Fix-display-of-clear-key-size-for-XTS-keys.patch
  (bsc#1163003).

OBS-URL: https://build.opensuse.org/request/show/777411
OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=88
---
 ...-of-XTS-attribute-for-validate-comma.patch | 54 +++++++++++++++++++
 ...-of-clear-key-size-for-CCA-AESCIPHER.patch | 48 +++++++++++++++++
 s390-tools.changes                            | 12 ++++-
 s390-tools.spec                               | 10 ++--
 4 files changed, 119 insertions(+), 5 deletions(-)
 create mode 100644 s390-tools-sles15sp2-zkey-Fix-display-of-XTS-attribute-for-validate-comma.patch
 create mode 100644 s390-tools-sles15sp2-zkey-Fix-display-of-clear-key-size-for-CCA-AESCIPHER.patch

diff --git a/s390-tools-sles15sp2-zkey-Fix-display-of-XTS-attribute-for-validate-comma.patch b/s390-tools-sles15sp2-zkey-Fix-display-of-XTS-attribute-for-validate-comma.patch
new file mode 100644
index 0000000..c825b87
--- /dev/null
+++ b/s390-tools-sles15sp2-zkey-Fix-display-of-XTS-attribute-for-validate-comma.patch
@@ -0,0 +1,54 @@
+Subject: [PATCH] [BZ 183669] zkey: Fix display of XTS attribute for validate command
+From: Ingo Franzki <ifranzki@linux.ibm.com>
+
+Description:   zkey: Fix display of XTS attribute for validate command
+Symptom:       The 'zkey validate' command shows an invalid value for
+               the XTS attribute.
+Problem:       Due to a use after free of the secure key, the XTS attribute
+               is not determined correctly, and is displayed incorrectly.
+               Function is_xts_key() is called with a secure key that has
+               already been freed and thus most likely returns false.
+               This bug has been introduced with feature SEC1717 "Cipher
+               key support" with commit 298fab68fee8 "zkey: Preparations for
+               introducing a new key type"
+Solution:      Free the secure key only after the last use.
+Reproduction:  Generate an XTS key of type CCA-AESDATA or CCA-AESCIPHER
+               and then run 'zkey validate'.
+Upstream-ID:   f75f4aff8f6e4ae148bde858ee1cb7f1066f5f23
+Problem-ID:    183669
+
+Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
+---
+ zkey/keystore.c |    7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/zkey/keystore.c
++++ b/zkey/keystore.c
+@@ -2516,7 +2516,7 @@ static int _keystore_process_validate(st
+ 	size_t clear_key_bitsize;
+ 	size_t secure_key_size;
+ 	char *apqns = NULL;
+-	u8 *secure_key;
++	u8 *secure_key = NULL;
+ 	int is_old_mk;
+ 	int rc, valid;
+ 	u64 mkvp;
+@@ -2550,8 +2550,7 @@ static int _keystore_process_validate(st
+ 
+ 	rc = get_master_key_verification_pattern(secure_key, secure_key_size,
+ 						 &mkvp, keystore->verbose);
+-	free(secure_key);
+-	if (rc)
++	if (rc != 0)
+ 		goto out;
+ 
+ 	_keystore_print_record(info->rec, name, properties, 1,
+@@ -2577,6 +2576,8 @@ static int _keystore_process_validate(st
+ 		info->num_warnings++;
+ 
+ out:
++	if (secure_key != NULL)
++		free(secure_key);
+ 	if (apqns != NULL)
+ 		free(apqns);
+ 	if (apqn_list != NULL)
diff --git a/s390-tools-sles15sp2-zkey-Fix-display-of-clear-key-size-for-CCA-AESCIPHER.patch b/s390-tools-sles15sp2-zkey-Fix-display-of-clear-key-size-for-CCA-AESCIPHER.patch
new file mode 100644
index 0000000..80714c5
--- /dev/null
+++ b/s390-tools-sles15sp2-zkey-Fix-display-of-clear-key-size-for-CCA-AESCIPHER.patch
@@ -0,0 +1,48 @@
+Subject: [PATCH] [BZ 183875] zkey: Fix display of clear key size for CCA-AESCIPHER keys
+From: Ingo Franzki <ifranzki@linux.ibm.com>
+
+Description:   zkey: Fix display of clear key size for CCA-AESCIPHER keys
+Symptom:       The 'zkey list' command shows bogus values for the
+               keys 'Clear key size' for keys of type CCA-AESCIPHER.
+Problem:       Secure keys of type CCA-AESCIPHER are variable length,
+               dependent on the effective key size (e.g. 128, 192, or 256
+               bits). However, the key blob stored is padded to a fixed 
+               length, so that all key blobs of type CCA-AESCIPHER are
+               the same size, regardless of the effective key bit size.
+               To code to display the clear key bitsize does not correctly
+               handle the padding and may treat a non-XTS key like an XTS
+               key and thus reads past the end of the key blob. This 
+               results in bogus values reported as clear key size.
+               This bug has been introduced with feature SEC1717 "Cipher
+               key support" with commit ddde3f354f35 ("zkey: Introduce th
+               CCA-AESCIPHER key type").
+Solution:      Correct the handling of key of type CCA-AESCIPHER.
+Reproduction:  Generate a key of type CCA-AESCIPHER and then run 
+               'zkey list'.
+Upstream-ID:   49cbaba302f002aa7f148631a76fc21a3069bc25
+Problem-ID:    183875
+
+Upstream-Description:
+
+              zkey: Fix display of clear key size for CCA-AESCIPHER keys
+
+              Fixes: ddde3f354f35 ("zkey: Introduce the CCA-AESCIPHER key type")
+              Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
+              Signed-off-by: Jan Hoeppner <hoeppner@linux.ibm.com>
+
+
+Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
+--- a/zkey/pkey.c
++++ b/zkey/pkey.c
+@@ -1600,9 +1600,9 @@ int get_key_bit_size(const u8 *key, size
+ 			*bitsize = cipherkey->pl - 384;
+ 		else
+ 			*bitsize = 0; /* Unknown */
+-		if (key_size > cipherkey->length) {
++		if (key_size == 2 * AESCIPHER_KEY_SIZE) {
+ 			cipherkey = (struct aescipherkeytoken *)(key +
+-					cipherkey->length);
++					AESCIPHER_KEY_SIZE);
+ 			if (cipherkey->pfv == 0x00) /* V0 payload */
+ 				*bitsize += cipherkey->pl - 384;
+ 		}
diff --git a/s390-tools.changes b/s390-tools.changes
index ca4beeb..9b010a3 100644
--- a/s390-tools.changes
+++ b/s390-tools.changes
@@ -1,3 +1,13 @@
+-------------------------------------------------------------------
+Tue Feb 18 20:10:50 UTC 2020 - Mark Post <mpost@suse.com>
+
+- Added s390-tools-sles15sp2-zkey-Fix-display-of-XTS-attribute-for-validate-comma.patch
+  (bsc#1163002).
+- Added s390-tools-sles15sp2-zkey-Fix-display-of-clear-key-size-for-CCA-AESCIPHER.patch
+  (bsc#1163570).
+- Re-categorized s390-tools-sles15sp1-11-zdev-Do-not-call-zipl-on-initrd-update.patch
+  from an IBM patch to a SUSE-maintained patch. (bsc#1162840)
+
 -------------------------------------------------------------------
 Thu Feb 13 13:50:55 UTC 2020 - Marcus Meissner <meissner@suse.com>
 
@@ -13,7 +23,7 @@ Sat Feb  8 02:25:58 UTC 2020 - Mark Post <mpost@suse.com>
 - Added s390-tools-sles15sp2-zkey-Fix-listing-of-keys-on-file-systems-reporting-D.patch
   (bsc#1162996).
 - Added s390-tools-sles15sp2-zkey-Fix-display-of-clear-key-size-for-XTS-keys.patch
-  (bsc#1163002).
+  (bsc#1163003).
 
 -------------------------------------------------------------------
 Fri Oct 11 15:30:19 UTC 2019 - Mark Post <mpost@suse.com>
diff --git a/s390-tools.spec b/s390-tools.spec
index 6b562a9..74546bb 100644
--- a/s390-tools.spec
+++ b/s390-tools.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package s390-tools
 #
-# Copyright (c) 2020 SUSE LLC
+# Copyright (c) 2009-2020 SUSE LLC, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -124,9 +124,10 @@ Patch34:        s390-tools-sles15sp2-34-zkey-Add-convert-command-to-convert-keys
 Patch35:        s390-tools-sles15sp2-35-zkey-Allow-zkey-cryptsetup-setkey-to-set-different-k.patch
 Patch36:        s390-tools-sles15sp2-zcrypt-CEX7S-exploitation-support.patch
 Patch37:        s390-tools-sles15sp2-zcryptstats-Add-support-for-CEX7.patch
-Patch38:        s390-tools-sles15sp1-11-zdev-Do-not-call-zipl-on-initrd-update.patch
-Patch39:        s390-tools-sles15sp2-zkey-Fix-listing-of-keys-on-file-systems-reporting-D.patch
-Patch40:        s390-tools-sles15sp2-zkey-Fix-display-of-clear-key-size-for-XTS-keys.patch
+Patch38:        s390-tools-sles15sp2-zkey-Fix-listing-of-keys-on-file-systems-reporting-D.patch
+Patch39:        s390-tools-sles15sp2-zkey-Fix-display-of-clear-key-size-for-XTS-keys.patch
+Patch40:        s390-tools-sles15sp2-zkey-Fix-display-of-XTS-attribute-for-validate-comma.patch
+Patch41:        s390-tools-sles15sp2-zkey-Fix-display-of-clear-key-size-for-CCA-AESCIPHER.patch
 
 # SUSE patches
 Patch900:       s390-tools-sles12-zipl_boot_msg.patch
@@ -142,6 +143,7 @@ Patch909:       59-dasd.rules-wait_for.patch
 Patch910:       s390-tools-sles12-fdasd-skip-partition-check-and-BLKRRPART-ioctl.patch
 Patch911:       s390-tools-sles15sp2-Close-file-descriptor-when-checking-for-read-only.patch
 Patch912:       s390-tools-sles15sp1-zdev-Also-include-the-ctc-driver-in-the-initrd.patch
+Patch913:       s390-tools-sles15sp1-11-zdev-Do-not-call-zipl-on-initrd-update.patch
 
 BuildRequires:  dracut
 BuildRequires:  fuse-devel