Ana Guerrero 2023-12-17 20:33:37 +00:00 committed by Git OBS Bridge
commit c43bec7f6f
21 changed files with 271 additions and 850 deletions


@ -2,10 +2,6 @@
<service name="cargo_vendor" mode="manual"> <service name="cargo_vendor" mode="manual">
<param name="srctar">s390-tools-2.29.0.tar.gz</param> <param name="srctar">s390-tools-2.29.0.tar.gz</param>
<param name="compression">zst</param> <param name="compression">zst</param>
<param name="cargotoml">s390-tools/rust/pv/Cargo.toml</param>
<param name="cargotoml">s390-tools/rust/pv/openssl_extentions/Cargo.toml</param>
<param name="cargotoml">s390-tools/rust/utils/Cargo.toml</param>
<param name="cargotoml">s390-tools/rust/pvsecret/Cargo.toml</param>
<param name="update">true</param> <param name="update">true</param>
</service> </service>
<service name="cargo_audit" mode="manual" /> <service name="cargo_audit" mode="manual" />


@ -37,9 +37,9 @@ enum datatypes {
#define WITHOUT_KEY 0 #define WITHOUT_KEY 0
#define WITH_KEY 1 #define WITH_KEY 1
static char *versionstring = "Version 1.0.3 2023-02-16 17:00"; static char *versionstring = "Version 1.0.4 2023-12-17 06:58";
static char *version = "1.0.3"; static char *version = "1.0.4";
void *configuration_handle = NULL; void *configuration_handle = NULL;
int layers = -1; int layers = -1;
@ -121,7 +121,7 @@ float result_float = 0.0;
} }
if (erg == 1) { if (erg == 1) {
if (print_key == WITH_KEY) { if (print_key == WITH_KEY) {
printf("%s: ",(user_string == NULL? "NULL": user_string)); printf("%s : ",(user_string == NULL? "NULL": user_string));
} /* endif */ } /* endif */
switch (type) switch (type)
{ {
@ -139,8 +139,15 @@ float result_float = 0.0;
} }
} /* endif */ } /* endif */
else { else {
printf("Error: erg = %d, result_string = %s \n", erg, (result_string == NULL? "NULL": result_string)); if ( erg == 0 ) {
/* printf("%s : Attribute exists, but is not set. \n", (user_string == NULL? "NULL": user_string)); */
} /* endif */
else if ( erg < 0) {
printf("%s: An error occurred retrieving the attribute. Error: erg = %d, result_string = %s \n", user_string, erg, (result_string == NULL? "NULL": result_string));
} /* end else if */
/* */
/* TODO qc_get_attribute_string returned error */ /* TODO qc_get_attribute_string returned error */
/* */
} }
} /* print_attribute */ } /* print_attribute */
@ -308,6 +315,9 @@ int release_major;
int release_sub; int release_sub;
int release_minor; int release_minor;
const char *cpu_type = NULL; const char *cpu_type = NULL;
int cpu_okay = 0;
int Layer = 0;
int i = 0;
/* /*
* First we have to check whether we have the appropriate kernel Level (>= 5.3) * First we have to check whether we have the appropriate kernel Level (>= 5.3)
*/ */
@ -346,25 +356,32 @@ struct utsname uts;
printf("Print_secure called\n"); printf("Print_secure called\n");
#endif #endif
/* /*
* Only the following machines support secure boot: z14, z14 ZR1, z15, z16 * Only the following machines support secure boot:
* z14, z15, z16
* 3906, 3907, 8561, 8562, 3931, 3932 * 3906, 3907, 8561, 8562, 3931, 3932
*/ */
erg = qc_get_attribute_string(configuration_handle, qc_type, 0, &cpu_type); erg = qc_get_attribute_string(configuration_handle, qc_type, 0, &cpu_type);
if (erg == 1 && cpu_type != NULL) { if (erg == 1 && cpu_type != NULL) {
cpu_okay = check_model(cpu_type);
if ( !check_model(cpu_type) ) { if ( cpu_okay == 0 ) {
goto return_does_not_exist; goto return_does_not_exist;
} /* endif */ } /* endif */
} /* endif */ } /* endif */
print_attribute("Secure mode on", 1, qc_has_secure, integer, WITH_KEY);
print_attribute("Secure mode used", 1, qc_secure, integer, WITH_KEY); for ( i = 0; i < 8; i++) {
erg = qc_get_attribute_int(configuration_handle, qc_layer_type_num, i, &Layer);
if (erg == 1) {
print_attribute("Secure mode on ", i, qc_has_secure, integer, WITH_KEY);
print_attribute("Secure mode used", i, qc_secure, integer, WITH_KEY);
} /* endif */
} /* endfor */
return; return;
return_does_not_exist: return_does_not_exist:
/* /*
* Software or hardware does not support secure boot. * Software or hardware does not support secure boot.
*/ */
puts("Secure mode on: 0\nSecure mode used: 0"); puts("Secure mode on : 0\nSecure mode used : 0");
return; return;
} /* print_secure_mode */ } /* print_secure_mode */
@ -373,8 +390,6 @@ return;
/* */ /* */
/* print out the uuid for this machine */ /* print out the uuid for this machine */
/* */ /* */
/* */
/* */
/******************************************************************************/ /******************************************************************************/
int print_uuid() int print_uuid()
{ {
@ -569,7 +584,7 @@ void *configuration_handle_tmp = NULL;
fputs("Only one of the options a, c, L, s, S or u can be specified.\n",stderr); fputs("Only one of the options a, c, L, s, S or u can be specified.\n",stderr);
return 1; return 1;
} /* endif */ } /* endif */
/* still not im[plemented thatfore set to zero */ /* still not implemented thatfore set to zero */
list_attr = print_attr = 0; list_attr = print_attr = 0;
if (print_attr != 0) { if (print_attr != 0) {
print_user_attribute(NULL, print_attribute_param, layers); print_user_attribute(NULL, print_attribute_param, layers);
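Review bot: In the new `erg < 0` branch of print_attribute, `user_string` is passed straight to `%s`, while the `WITH_KEY` printf a few lines above and the `result_string` argument of the same call both guard against NULL. Passing a null pointer to `%s` is undefined behaviour, so the argument should read `(user_string == NULL? "NULL": user_string)`. The `erg == 0` branch now holds only a commented-out printf, so an attribute that exists but is unset prints nothing; if that is intended, a one-line comment saying so would serve better than dead code. In print_secure_mode the loop bound `8` is a bare constant, `Layer` is written by qc_get_attribute_int but never read, and a negative `erg` from that call is silently skipped; a named constant (or the `layers` global, if it holds the layer count at this point, which is not visible here) and a comment that the call is only an existence probe would make the intent clear. Both functions begin outside the hunks shown.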


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:849ff400dc6c1eb7eebe4aa3e7a4871721c25bcee6cfdd0535a056a038fd3ab0
size 1950182

BIN
s390-tools-2.30.0.tar.gz (Stored with Git LFS) Normal file

Binary file not shown.


@ -5,10 +5,10 @@
zdev/dracut/Makefile | 15 ++++++++++-- zdev/dracut/Makefile | 15 ++++++++++--
4 files changed, 92 insertions(+), 2 deletions(-) 4 files changed, 92 insertions(+), 2 deletions(-)
Index: s390-tools-2.29.0/zdev/dracut/96zdev-live/module-setup.sh Index: s390-tools-2.30.0/zdev/dracut/96zdev-live/module-setup.sh
=================================================================== ===================================================================
--- /dev/null --- /dev/null
+++ s390-tools-2.29.0/zdev/dracut/96zdev-live/module-setup.sh +++ s390-tools-2.30.0/zdev/dracut/96zdev-live/module-setup.sh
@@ -0,0 +1,32 @@ @@ -0,0 +1,32 @@
+#!/bin/bash +#!/bin/bash
+ +
@ -42,10 +42,10 @@ Index: s390-tools-2.29.0/zdev/dracut/96zdev-live/module-setup.sh
+ inst_hook cleanup 41 "$moddir/write-udev-live.sh" + inst_hook cleanup 41 "$moddir/write-udev-live.sh"
+ inst_multiple chzdev + inst_multiple chzdev
+} +}
Index: s390-tools-2.29.0/zdev/dracut/96zdev-live/parse-zdev-live.sh Index: s390-tools-2.30.0/zdev/dracut/96zdev-live/parse-zdev-live.sh
=================================================================== ===================================================================
--- /dev/null --- /dev/null
+++ s390-tools-2.29.0/zdev/dracut/96zdev-live/parse-zdev-live.sh +++ s390-tools-2.30.0/zdev/dracut/96zdev-live/parse-zdev-live.sh
@@ -0,0 +1,36 @@ @@ -0,0 +1,36 @@
+#!/bin/bash +#!/bin/bash
+# +#
@ -83,10 +83,10 @@ Index: s390-tools-2.29.0/zdev/dracut/96zdev-live/parse-zdev-live.sh
+ fi + fi
+done +done
+ +
Index: s390-tools-2.29.0/zdev/dracut/96zdev-live/write-udev-live.sh Index: s390-tools-2.30.0/zdev/dracut/96zdev-live/write-udev-live.sh
=================================================================== ===================================================================
--- /dev/null --- /dev/null
+++ s390-tools-2.29.0/zdev/dracut/96zdev-live/write-udev-live.sh +++ s390-tools-2.30.0/zdev/dracut/96zdev-live/write-udev-live.sh
@@ -0,0 +1,11 @@ @@ -0,0 +1,11 @@
+#!/bin/sh +#!/bin/sh
+# +#
@ -99,10 +99,10 @@ Index: s390-tools-2.29.0/zdev/dracut/96zdev-live/write-udev-live.sh
+if [ -w /sysroot/etc/udev/rules.d ]; then +if [ -w /sysroot/etc/udev/rules.d ]; then
+ cp -p /etc/udev/rules.d/41-* /sysroot/etc/udev/rules.d + cp -p /etc/udev/rules.d/41-* /sysroot/etc/udev/rules.d
+fi +fi
Index: s390-tools-2.29.0/zdev/dracut/Makefile Index: s390-tools-2.30.0/zdev/dracut/Makefile
=================================================================== ===================================================================
--- s390-tools-2.29.0.orig/zdev/dracut/Makefile --- s390-tools-2.30.0.orig/zdev/dracut/Makefile
+++ s390-tools-2.29.0/zdev/dracut/Makefile +++ s390-tools-2.30.0/zdev/dracut/Makefile
@@ -3,17 +3,23 @@ include ../../common.mak @@ -3,17 +3,23 @@ include ../../common.mak
ZDEVDIR := 95zdev ZDEVDIR := 95zdev


@ -1,7 +1,7 @@
Index: s390-tools-2.29.0/etc/udev/rules.d/59-dasd.rules Index: s390-tools-2.30.0/etc/udev/rules.d/59-dasd.rules
=================================================================== ===================================================================
--- s390-tools-2.29.0.orig/etc/udev/rules.d/59-dasd.rules --- s390-tools-2.30.0.orig/etc/udev/rules.d/59-dasd.rules
+++ s390-tools-2.29.0/etc/udev/rules.d/59-dasd.rules +++ s390-tools-2.30.0/etc/udev/rules.d/59-dasd.rules
@@ -15,7 +15,7 @@ KERNEL=="dasd*[!0-9]", ENV{ID_XUID}=="?* @@ -15,7 +15,7 @@ KERNEL=="dasd*[!0-9]", ENV{ID_XUID}=="?*
LABEL="dasd_block_end" LABEL="dasd_block_end"


@ -15,10 +15,10 @@ Signed-off-by: Hannes Reinecke <hare@suse.de>
fdasd/fdasd.c | 13 ++++++++----- fdasd/fdasd.c | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-) 1 file changed, 8 insertions(+), 5 deletions(-)
Index: s390-tools-2.29.0/fdasd/fdasd.c Index: s390-tools-2.30.0/fdasd/fdasd.c
=================================================================== ===================================================================
--- s390-tools-2.29.0.orig/fdasd/fdasd.c --- s390-tools-2.30.0.orig/fdasd/fdasd.c
+++ s390-tools-2.29.0/fdasd/fdasd.c +++ s390-tools-2.30.0/fdasd/fdasd.c
@@ -1231,10 +1231,12 @@ static int fdasd_get_volser(fdasd_anchor @@ -1231,10 +1231,12 @@ static int fdasd_get_volser(fdasd_anchor
*/ */
static void fdasd_reread_partition_table(fdasd_anchor_t *anc) static void fdasd_reread_partition_table(fdasd_anchor_t *anc)


@ -13,10 +13,10 @@ Signed-off-by: Robert Milasan <rmilasan@suse.de>
etc/udev/rules.d/59-dasd.rules | 2 +- etc/udev/rules.d/59-dasd.rules | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-) 1 file changed, 1 insertion(+), 1 deletion(-)
Index: s390-tools-2.29.0/etc/udev/rules.d/59-dasd.rules Index: s390-tools-2.30.0/etc/udev/rules.d/59-dasd.rules
=================================================================== ===================================================================
--- s390-tools-2.29.0.orig/etc/udev/rules.d/59-dasd.rules --- s390-tools-2.30.0.orig/etc/udev/rules.d/59-dasd.rules
+++ s390-tools-2.29.0/etc/udev/rules.d/59-dasd.rules +++ s390-tools-2.30.0/etc/udev/rules.d/59-dasd.rules
@@ -6,7 +6,7 @@ @@ -6,7 +6,7 @@
SUBSYSTEM!="block", GOTO="dasd_symlinks_end" SUBSYSTEM!="block", GOTO="dasd_symlinks_end"
KERNEL!="dasd*", GOTO="dasd_symlinks_end" KERNEL!="dasd*", GOTO="dasd_symlinks_end"


@ -1,7 +1,7 @@
Index: s390-tools-2.29.0/zipl/boot/menu.c Index: s390-tools-2.30.0/zipl/boot/menu.c
=================================================================== ===================================================================
--- s390-tools-2.29.0.orig/zipl/boot/menu.c --- s390-tools-2.30.0.orig/zipl/boot/menu.c
+++ s390-tools-2.29.0/zipl/boot/menu.c +++ s390-tools-2.30.0/zipl/boot/menu.c
@@ -168,8 +168,11 @@ int menu(void) @@ -168,8 +168,11 @@ int menu(void)
/* print config list */ /* print config list */
menu_list(); menu_list();


@ -1,7 +1,7 @@
Index: s390-tools-2.29.0/etc/sysconfig/dumpconf Index: s390-tools-2.30.0/etc/sysconfig/dumpconf
=================================================================== ===================================================================
--- s390-tools-2.29.0.orig/etc/sysconfig/dumpconf --- s390-tools-2.30.0.orig/etc/sysconfig/dumpconf
+++ s390-tools-2.29.0/etc/sysconfig/dumpconf +++ s390-tools-2.30.0/etc/sysconfig/dumpconf
@@ -1,71 +1,137 @@ @@ -1,71 +1,137 @@
+## Path: System/Dumpconf +## Path: System/Dumpconf
+## Description: Configures the actions which should be performed after a kernel panic +## Description: Configures the actions which should be performed after a kernel panic


@ -35,10 +35,10 @@ Signed-off-by: Peter Oberparleiter <oberpar@linux.ibm.com>
zdev/src/zdev-root-update.dracut | 6 ------ zdev/src/zdev-root-update.dracut | 6 ------
1 file changed, 6 deletions(-) 1 file changed, 6 deletions(-)
Index: s390-tools-2.29.0/zdev/src/zdev-root-update.dracut Index: s390-tools-2.30.0/zdev/src/zdev-root-update.dracut
=================================================================== ===================================================================
--- s390-tools-2.29.0.orig/zdev/src/zdev-root-update.dracut --- s390-tools-2.30.0.orig/zdev/src/zdev-root-update.dracut
+++ s390-tools-2.29.0/zdev/src/zdev-root-update.dracut +++ s390-tools-2.30.0/zdev/src/zdev-root-update.dracut
@@ -20,10 +20,4 @@ dracut -f || { @@ -20,10 +20,4 @@ dracut -f || {
exit 1 exit 1
} }


@ -11,10 +11,10 @@ Signed-off-by: Hannes Reinecke <hare@suse.com>
dasdfmt/dasdfmt.c | 175 ++++++++++++++++++++++++++++++------------------------ dasdfmt/dasdfmt.c | 175 ++++++++++++++++++++++++++++++------------------------
2 files changed, 100 insertions(+), 80 deletions(-) 2 files changed, 100 insertions(+), 80 deletions(-)
Index: s390-tools-2.29.0/dasdfmt/dasdfmt.8 Index: s390-tools-2.30.0/dasdfmt/dasdfmt.8
=================================================================== ===================================================================
--- s390-tools-2.29.0.orig/dasdfmt/dasdfmt.8 --- s390-tools-2.30.0.orig/dasdfmt/dasdfmt.8
+++ s390-tools-2.29.0/dasdfmt/dasdfmt.8 +++ s390-tools-2.30.0/dasdfmt/dasdfmt.8
@@ -11,14 +11,15 @@ dasdfmt \- formatting of DASD (ECKD) dis @@ -11,14 +11,15 @@ dasdfmt \- formatting of DASD (ECKD) dis
.br .br
[-r \fIcylinder\fR] [-b \fIblksize\fR] [-l \fIvolser\fR] [-d \fIlayout\fR] [-r \fIcylinder\fR] [-b \fIblksize\fR] [-l \fIvolser\fR] [-d \fIlayout\fR]
@ -33,10 +33,10 @@ Index: s390-tools-2.29.0/dasdfmt/dasdfmt.8
.br .br
\fBWARNING\fR: Careless usage of \fBdasdfmt\fR can result in \fBWARNING\fR: Careless usage of \fBdasdfmt\fR can result in
Index: s390-tools-2.29.0/dasdfmt/dasdfmt.c Index: s390-tools-2.30.0/dasdfmt/dasdfmt.c
=================================================================== ===================================================================
--- s390-tools-2.29.0.orig/dasdfmt/dasdfmt.c --- s390-tools-2.30.0.orig/dasdfmt/dasdfmt.c
+++ s390-tools-2.29.0/dasdfmt/dasdfmt.c +++ s390-tools-2.30.0/dasdfmt/dasdfmt.c
@@ -25,6 +25,8 @@ @@ -25,6 +25,8 @@
#include "dasdfmt.h" #include "dasdfmt.h"


@ -12,10 +12,10 @@ Signed-off-by: Hannes Reinecke <hare@suse.com>
dasdfmt/dasdfmt.h | 1 + dasdfmt/dasdfmt.h | 1 +
3 files changed, 58 insertions(+), 9 deletions(-) 3 files changed, 58 insertions(+), 9 deletions(-)
Index: s390-tools-2.29.0/dasdfmt/dasdfmt.8 Index: s390-tools-2.30.0/dasdfmt/dasdfmt.8
=================================================================== ===================================================================
--- s390-tools-2.29.0.orig/dasdfmt/dasdfmt.8 --- s390-tools-2.30.0.orig/dasdfmt/dasdfmt.8
+++ s390-tools-2.29.0/dasdfmt/dasdfmt.8 +++ s390-tools-2.30.0/dasdfmt/dasdfmt.8
@@ -7,7 +7,7 @@ @@ -7,7 +7,7 @@
dasdfmt \- formatting of DASD (ECKD) disk drives. dasdfmt \- formatting of DASD (ECKD) disk drives.
@ -53,10 +53,10 @@ Index: s390-tools-2.29.0/dasdfmt/dasdfmt.8
\fB-l\fR \fIvolser\fR or \fB--label\fR=\fIvolser\fR \fB-l\fR \fIvolser\fR or \fB--label\fR=\fIvolser\fR
Specify the volume serial number or volume identifier to be written Specify the volume serial number or volume identifier to be written
to disk after formatting. If no label is specified, a sensible default to disk after formatting. If no label is specified, a sensible default
Index: s390-tools-2.29.0/dasdfmt/dasdfmt.c Index: s390-tools-2.30.0/dasdfmt/dasdfmt.c
=================================================================== ===================================================================
--- s390-tools-2.29.0.orig/dasdfmt/dasdfmt.c --- s390-tools-2.30.0.orig/dasdfmt/dasdfmt.c
+++ s390-tools-2.29.0/dasdfmt/dasdfmt.c +++ s390-tools-2.30.0/dasdfmt/dasdfmt.c
@@ -13,6 +13,7 @@ @@ -13,6 +13,7 @@
#include <sys/sysmacros.h> #include <sys/sysmacros.h>
#include <sys/time.h> #include <sys/time.h>


@ -12,10 +12,10 @@ Signed-off-by: Hannes Reinecke <hare@suse.com>
dasdfmt/dasdfmt.h | 1 + dasdfmt/dasdfmt.h | 1 +
3 files changed, 27 insertions(+), 8 deletions(-) 3 files changed, 27 insertions(+), 8 deletions(-)
Index: s390-tools-2.29.0/dasdfmt/dasdfmt.8 Index: s390-tools-2.30.0/dasdfmt/dasdfmt.8
=================================================================== ===================================================================
--- s390-tools-2.29.0.orig/dasdfmt/dasdfmt.8 --- s390-tools-2.30.0.orig/dasdfmt/dasdfmt.8
+++ s390-tools-2.29.0/dasdfmt/dasdfmt.8 +++ s390-tools-2.30.0/dasdfmt/dasdfmt.8
@@ -7,7 +7,7 @@ @@ -7,7 +7,7 @@
dasdfmt \- formatting of DASD (ECKD) disk drives. dasdfmt \- formatting of DASD (ECKD) disk drives.
@ -37,10 +37,10 @@ Index: s390-tools-2.29.0/dasdfmt/dasdfmt.8
\fB-M\fR \fImode\fR or \fB--mode\fR=\fImode\fR \fB-M\fR \fImode\fR or \fB--mode\fR=\fImode\fR
Specify the \fImode\fR to be used to format the device. Valid modes are: Specify the \fImode\fR to be used to format the device. Valid modes are:
.RS .RS
Index: s390-tools-2.29.0/dasdfmt/dasdfmt.c Index: s390-tools-2.30.0/dasdfmt/dasdfmt.c
=================================================================== ===================================================================
--- s390-tools-2.29.0.orig/dasdfmt/dasdfmt.c --- s390-tools-2.30.0.orig/dasdfmt/dasdfmt.c
+++ s390-tools-2.29.0/dasdfmt/dasdfmt.c +++ s390-tools-2.30.0/dasdfmt/dasdfmt.c
@@ -83,6 +83,7 @@ static struct dasdfmt_globals { @@ -83,6 +83,7 @@ static struct dasdfmt_globals {
int ese; int ese;
int no_discard; int no_discard;


@ -13,10 +13,10 @@ Signed-off-by: Hannes Reinecke <hare@suse.com>
dasdfmt/dasdfmt.c | 8 ++++++++ dasdfmt/dasdfmt.c | 8 ++++++++
2 files changed, 13 insertions(+), 1 deletion(-) 2 files changed, 13 insertions(+), 1 deletion(-)
Index: s390-tools-2.29.0/dasdfmt/dasdfmt.8 Index: s390-tools-2.30.0/dasdfmt/dasdfmt.8
=================================================================== ===================================================================
--- s390-tools-2.29.0.orig/dasdfmt/dasdfmt.8 --- s390-tools-2.30.0.orig/dasdfmt/dasdfmt.8
+++ s390-tools-2.29.0/dasdfmt/dasdfmt.8 +++ s390-tools-2.30.0/dasdfmt/dasdfmt.8
@@ -11,7 +11,7 @@ dasdfmt \- formatting of DASD (ECKD) dis @@ -11,7 +11,7 @@ dasdfmt \- formatting of DASD (ECKD) dis
.br .br
[-r \fIcylinder\fR] [-b \fIblksize\fR] [-l \fIvolser\fR] [-d \fIlayout\fR] [-r \fIcylinder\fR] [-b \fIblksize\fR] [-l \fIvolser\fR] [-d \fIlayout\fR]
@ -37,10 +37,10 @@ Index: s390-tools-2.29.0/dasdfmt/dasdfmt.8
\fB-y\fR \fB-y\fR
Start formatting without further user-confirmation. Start formatting without further user-confirmation.
Index: s390-tools-2.29.0/dasdfmt/dasdfmt.c Index: s390-tools-2.30.0/dasdfmt/dasdfmt.c
=================================================================== ===================================================================
--- s390-tools-2.29.0.orig/dasdfmt/dasdfmt.c --- s390-tools-2.30.0.orig/dasdfmt/dasdfmt.c
+++ s390-tools-2.29.0/dasdfmt/dasdfmt.c +++ s390-tools-2.30.0/dasdfmt/dasdfmt.c
@@ -113,6 +113,10 @@ static struct util_opt opt_vec[] = { @@ -113,6 +113,10 @@ static struct util_opt opt_vec[] = {
.desc = "Format devices in parallel", .desc = "Format devices in parallel",
.flags = UTIL_OPT_FLAG_NOLONG, .flags = UTIL_OPT_FLAG_NOLONG,


@ -19,10 +19,10 @@ Signed-off-by: Hannes Reinecke <hare@suse.de>
dasdfmt/dasdfmt.c | 21 ++++++++++++++++++--- dasdfmt/dasdfmt.c | 21 ++++++++++++++++++---
1 file changed, 18 insertions(+), 3 deletions(-) 1 file changed, 18 insertions(+), 3 deletions(-)
Index: s390-tools-2.29.0/dasdfmt/dasdfmt.c Index: s390-tools-2.30.0/dasdfmt/dasdfmt.c
=================================================================== ===================================================================
--- s390-tools-2.29.0.orig/dasdfmt/dasdfmt.c --- s390-tools-2.30.0.orig/dasdfmt/dasdfmt.c
+++ s390-tools-2.29.0/dasdfmt/dasdfmt.c +++ s390-tools-2.30.0/dasdfmt/dasdfmt.c
@@ -621,7 +621,7 @@ static void check_layout(unsigned int in @@ -621,7 +621,7 @@ static void check_layout(unsigned int in
*/ */
static void check_disk(void) static void check_disk(void)


@ -1,7 +1,7 @@
Index: s390-tools-2.29.0/common.mak Index: s390-tools-2.30.0/common.mak
=================================================================== ===================================================================
--- s390-tools-2.29.0.orig/common.mak --- s390-tools-2.30.0.orig/common.mak
+++ s390-tools-2.29.0/common.mak +++ s390-tools-2.30.0/common.mak
@@ -338,8 +338,8 @@ export INSTALL CFLAGS CXXFLAGS \ @@ -338,8 +338,8 @@ export INSTALL CFLAGS CXXFLAGS \
LDFLAGS CPPFLAGS ALL_CFLAGS ALL_CXXFLAGS ALL_LDFLAGS ALL_CPPFLAGS LDFLAGS CPPFLAGS ALL_CFLAGS ALL_CXXFLAGS ALL_LDFLAGS ALL_CPPFLAGS


@ -1,691 +0,0 @@
---
zkey/ep11.c | 48 +++++++++++-----
zkey/keystore.c | 4 +
zkey/kmip/zkey-kmip.c | 74 +++++++++++++++++++++----
zkey/kms.c | 9 ++-
zkey/pkey.c | 141 +++++++++++++++++++++++++++++++++++++++++++++++--
zkey/pkey.h | 45 +++++++++++----
zkey/zkey-cryptsetup.c | 15 ++++-
zkey/zkey.c | 8 ++
8 files changed, 294 insertions(+), 50 deletions(-)
--- a/zkey/ep11.c
+++ b/zkey/ep11.c
@@ -365,8 +365,9 @@ int select_ep11_apqn_by_mkvp(struct ep11
* @param[in] target the target handle to use for the re-encipher operation
* @param[in] card the card that corresponds to the target handle
* @param[in] domain the domain that corresponds to the target handle
- * @param[in/out] ep11key the EP11 key token to reencipher. The re-enciphered
- * secure key will be returned in this buffer.
+ * @param[in/out] ep11key_blob the EP11 key token to reencipher. The
+ * re-enciphered secure key will be returned in this
+ * buffer.
* @param[in] ep11key_size the size of the secure key
* @param[in] verbose if true, verbose messages are printed
*
@@ -374,21 +375,29 @@ int select_ep11_apqn_by_mkvp(struct ep11
*/
static int ep11_adm_reencrypt(struct ep11_lib *ep11, target_t target,
unsigned int card, unsigned int domain,
- struct ep11keytoken *ep11key,
+ u8 *ep11key_blob,
unsigned int ep11key_size, bool verbose)
{
+ struct ep11kblob_header *hdr = (struct ep11kblob_header *)ep11key_blob;
+ struct ep11keytoken *ep11key;
CK_BYTE resp[MAX_BLOBSIZE];
CK_BYTE req[MAX_BLOBSIZE];
- char ep11_token_header[sizeof(ep11key->head)];
+ char ep11_token_header[sizeof(ep11key->head)] = { 0 };
struct XCPadmresp lrb;
struct XCPadmresp rb;
+ bool with_header;
size_t resp_len;
size_t blob_len;
long req_len;
CK_RV rv;
int rc;
- blob_len = ep11key->head.length;
+ with_header = is_ep11_aes_key_with_header(ep11key_blob, ep11key_size);
+ ep11key = (struct ep11keytoken *)(with_header ?
+ ep11key_blob + sizeof(struct ep11kblob_header) :
+ ep11key_blob);
+ blob_len = with_header ? hdr->len - sizeof(struct ep11kblob_header) :
+ ep11key->head.len;
if (blob_len > ep11key_size) {
pr_verbose(verbose, "Blob length larger than secure key size");
return -EINVAL;
@@ -397,9 +406,14 @@ static int ep11_adm_reencrypt(struct ep1
rb.domain = domain;
lrb.domain = domain;
- /* The token header is an overlay over the (all zero) session field */
- memcpy(ep11_token_header, ep11key, sizeof(ep11_token_header));
- memset(ep11key->session, 0, sizeof(ep11key->session));
+ if (!with_header) {
+ /*
+ * The token header is an overlay over the (all zero) session
+ * field
+ */
+ memcpy(ep11_token_header, ep11key, sizeof(ep11_token_header));
+ memset(ep11key->session, 0, sizeof(ep11key->session));
+ }
resp_len = sizeof(resp);
req_len = ep11->dll_xcpa_cmdblock(req, sizeof(req), XCP_ADM_REENCRYPT,
@@ -446,7 +460,8 @@ static int ep11_adm_reencrypt(struct ep1
}
memcpy(ep11key, lrb.payload, blob_len);
- memcpy(ep11key, ep11_token_header, sizeof(ep11_token_header));
+ if (!with_header)
+ memcpy(ep11key, ep11_token_header, sizeof(ep11_token_header));
return 0;
}
@@ -469,7 +484,6 @@ int reencipher_ep11_key(struct ep11_lib
unsigned int card, unsigned int domain, u8 *secure_key,
unsigned int secure_key_size, bool verbose)
{
- struct ep11keytoken *ep11key = (struct ep11keytoken *)secure_key;
CK_IBM_DOMAIN_INFO dinf;
CK_ULONG dinf_len = sizeof(dinf);
CK_RV rv;
@@ -493,17 +507,21 @@ int reencipher_ep11_key(struct ep11_lib
return -ENODEV;
}
- rc = ep11_adm_reencrypt(ep11, target, card, domain, ep11key,
+ rc = ep11_adm_reencrypt(ep11, target, card, domain, secure_key,
secure_key_size, verbose);
if (rc != 0)
return rc;
if (is_xts_key(secure_key, secure_key_size)) {
- secure_key += EP11_KEY_SIZE;
- secure_key_size -= EP11_KEY_SIZE;
- ep11key = (struct ep11keytoken *)secure_key;
+ if (is_ep11_aes_key_with_header(secure_key, secure_key_size)) {
+ secure_key += EP11_AES_KEY_SIZE;
+ secure_key_size -= EP11_AES_KEY_SIZE;
+ } else {
+ secure_key += EP11_KEY_SIZE;
+ secure_key_size -= EP11_KEY_SIZE;
+ }
- rc = ep11_adm_reencrypt(ep11, target, card, domain, ep11key,
+ rc = ep11_adm_reencrypt(ep11, target, card, domain, secure_key,
secure_key_size, verbose);
if (rc != 0)
return rc;
--- a/zkey/keystore.c
+++ b/zkey/keystore.c
@@ -3398,7 +3398,9 @@ static int _keystore_perform_reencipher(
"CURRENT master key", name);
if (!selected &&
!is_ep11_aes_key(secure_key,
- secure_key_size))
+ secure_key_size) &&
+ !is_ep11_aes_key_with_header(secure_key,
+ secure_key_size))
print_msg_for_cca_envvars(
"secure AES key");
}
--- a/zkey/kmip/zkey-kmip.c
+++ b/zkey/kmip/zkey-kmip.c
@@ -5278,9 +5278,11 @@ static int _ep11_unwrap_key_rsa(struct p
m_UnwrapKey_t dll_m_UnwrapKey;
const unsigned char *key_blob;
struct ep11keytoken *ep11key;
+ struct ep11kblob_header *hdr;
CK_MECHANISM mech = { 0 };
CK_BYTE csum[7] = { 0 };
CK_BBOOL ck_true = true;
+ int pkey_fd, rc;
CK_RV rv;
CK_ATTRIBUTE template[] = {
@@ -5306,7 +5308,8 @@ static int _ep11_unwrap_key_rsa(struct p
pr_verbose(&ph->pd, "Wrap hashing algorithm: %d",
ph->profile->wrap_hashing_algo);
- if (*unwrapped_key_len < sizeof(struct ep11keytoken)) {
+ if (*unwrapped_key_len < sizeof(struct ep11kblob_header) +
+ sizeof(struct ep11keytoken)) {
_set_error(ph, "Key buffer is too small");
return -EINVAL;
}
@@ -5381,19 +5384,68 @@ static int _ep11_unwrap_key_rsa(struct p
256 * 256 * csum[csum_len - 3] +
256 * 256 * 256 * csum[csum_len - 4];
- /* Setup the EP11 token header */
- ep11key = (struct ep11keytoken *)unwrapped_key;
- memset(&ep11key->session, 0, sizeof(ep11key->session));
- ep11key->head.type = TOKEN_TYPE_NON_CCA;
- ep11key->head.length = *unwrapped_key_len;
- ep11key->head.version = TOKEN_VERSION_EP11_AES;
- ep11key->head.keybitlen = bit_len;
+ /* Prepend and setup the EP11 token header */
+ hdr = (struct ep11kblob_header *)unwrapped_key;
+ ep11key = (struct ep11keytoken *)
+ (unwrapped_key + sizeof(struct ep11kblob_header));
+ memmove(ep11key, unwrapped_key, *unwrapped_key_len);
+ *unwrapped_key_len += sizeof(struct ep11kblob_header);
+ memset(hdr, 0, sizeof(struct ep11kblob_header));
+ hdr->type = TOKEN_TYPE_NON_CCA;
+ hdr->hver = 0;
+ hdr->len = *unwrapped_key_len;
+ hdr->version = TOKEN_VERSION_EP11_AES_WITH_HEADER;
+ hdr->bitlen = bit_len;
- pr_verbose(&ph->pd, "unwrapped bit length: %u",
- ep11key->head.keybitlen);
+ pr_verbose(&ph->pd, "unwrapped bit length: %u", hdr->bitlen);
/* return full length, blob is already zero padded */
- *unwrapped_key_len = sizeof(struct ep11keytoken);
+ *unwrapped_key_len =
+ sizeof(struct ep11kblob_header) + sizeof(struct ep11keytoken);
+
+ /*
+ * Check if the pkey module supports keys of type
+ * TOKEN_VERSION_EP11_AES_WITH_HEADER, older kernels may not support
+ * such keys. If it does not support such keys, convert the key to
+ * TOKEN_VERSION_EP11_AES type, if its session field is all zero
+ * (i.e. the key is not session bound).
+ */
+ pkey_fd = open_pkey_device(ph->pd.verbose);
+ if (pkey_fd < 0) {
+ _set_error(ph, "Failed to open pkey device");
+ return -EIO;
+ }
+
+ rc = validate_secure_key(pkey_fd, unwrapped_key, *unwrapped_key_len,
+ NULL, NULL, NULL, ph->pd.verbose);
+ close(pkey_fd);
+ if (rc == -EINVAL || rc == -ENODEV) {
+ pr_verbose(&ph->pd, "The pkey kernel module does not support "
+ "PKEY_TYPE_EP11_AES, fall back to PKEY_TYPE_EP11");
+
+ if (is_ep11_key_session_bound(unwrapped_key,
+ *unwrapped_key_len)) {
+ _set_error(ph, "The unwrapped key is session bound. "
+ "Kernel support is required for such keys");
+ return -EIO;
+ }
+
+ key_blob_len = hdr->len;
+ *unwrapped_key_len -= sizeof(struct ep11kblob_header);
+ memmove(unwrapped_key,
+ unwrapped_key + sizeof(struct ep11kblob_header),
+ *unwrapped_key_len);
+ ep11key = (struct ep11keytoken *)unwrapped_key;
+ memset(&ep11key->session, 0, sizeof(ep11key->session));
+ ep11key->head.type = TOKEN_TYPE_NON_CCA;
+ ep11key->head.len = key_blob_len -
+ sizeof(struct ep11kblob_header);
+ ep11key->head.version = TOKEN_VERSION_EP11_AES;
+ ep11key->head.bitlen = bit_len;
+ } else if (rc != 0) {
+ _set_error(ph, "Failed to validate unwrapped key");
+ return rc;
+ }
return 0;
}
--- a/zkey/kms.c
+++ b/zkey/kms.c
@@ -2175,7 +2175,7 @@ int generate_kms_key(struct kms_info *km
else if (strcasecmp(key_type, KEY_TYPE_CCA_AESCIPHER) == 0)
key_size = AESCIPHER_KEY_SIZE;
else if (strcasecmp(key_type, KEY_TYPE_EP11_AES) == 0)
- key_size = EP11_KEY_SIZE;
+ key_size = EP11_AES_KEY_SIZE;
else
return -ENOTSUP;
@@ -2248,6 +2248,9 @@ int generate_kms_key(struct kms_info *km
if (verbose)
util_hexdump_grp(stderr, NULL, key_blob, 4, key_blob_size, 0);
+ if (is_ep11_aes_key(key_blob, key_blob_size))
+ key_size = EP11_KEY_SIZE;
+
/* Save ID and label of 1st key */
rc = properties_set(key_props, xts ? PROP_NAME_KMS_XTS_KEY1_ID :
PROP_NAME_KMS_KEY_ID, key1_id);
@@ -3132,6 +3135,8 @@ int import_kms_key(struct kms_info *kms_
key_size = AESCIPHER_KEY_SIZE;
else if (is_ep11_aes_key(key_blob, key_blob_size))
key_size = EP11_KEY_SIZE;
+ else if (is_ep11_aes_key_with_header(key_blob, key_blob_size))
+ key_size = EP11_AES_KEY_SIZE;
if (key_size == 0 || key_blob_size > key_size) {
pr_verbose(verbose, "Key '%s' has an unknown or unsupported "
@@ -3366,6 +3371,8 @@ int refresh_kms_key(struct kms_info *kms
key_size = AESCIPHER_KEY_SIZE;
else if (is_ep11_aes_key(key_blob, key_blob_size))
key_size = EP11_KEY_SIZE;
+ else if (is_ep11_aes_key_with_header(key_blob, key_blob_size))
+ key_size = EP11_AES_KEY_SIZE;
if (key_size == 0 || key_blob_size > key_size) {
pr_verbose(verbose, "Key '%s' has an unknown or unsupported "
--- a/zkey/pkey.c
+++ b/zkey/pkey.c
@@ -858,7 +858,7 @@ static enum pkey_key_type key_type_to_pk
if (strcasecmp(key_type, KEY_TYPE_CCA_AESCIPHER) == 0)
return PKEY_TYPE_CCA_CIPHER;
if (strcasecmp(key_type, KEY_TYPE_EP11_AES) == 0)
- return PKEY_TYPE_EP11;
+ return PKEY_TYPE_EP11_AES;
return 0;
}
@@ -879,6 +879,8 @@ static size_t key_size_for_type(enum pke
return AESCIPHER_KEY_SIZE;
case PKEY_TYPE_EP11:
return EP11_KEY_SIZE;
+ case PKEY_TYPE_EP11_AES:
+ return EP11_AES_KEY_SIZE;
default:
return 0;
}
@@ -924,6 +926,7 @@ int generate_secure_key_random(int pkey_
return -ENOTSUP;
}
+retry:
genseck2.size = keybits_to_keysize(keybits);
if (genseck2.size == 0) {
warnx("Invalid value for '--keybits'/'-c': '%lu'", keybits);
@@ -957,10 +960,33 @@ int generate_secure_key_random(int pkey_
genseck2.keylen = size;
rc = pkey_genseck2(pkey_fd, &genseck2, verbose);
+ if (rc == -EINVAL && genseck2.type == PKEY_TYPE_EP11_AES) {
+ /*
+ * Older kernels may not support gensek2 with key type
+ * PKEY_TYPE_EP11_AES, retry with PKEY_TYPE_EP11.
+ */
+ pr_verbose(verbose,
+ "ioctl PKEY_GENSECK2 does not support "
+ "PKEY_TYPE_EP11_AES, fall back to PKEY_TYPE_EP11");
+
+ genseck2.type = PKEY_TYPE_EP11;
+ free(genseck2.apqns);
+ genseck2.apqns = NULL;
+ genseck2.apqn_entries = 0;
+ free(secure_key);
+ goto retry;
+ }
if (rc != 0) {
warnx("Failed to generate a secure key: %s", strerror(-rc));
goto out;
}
+ if (rc == 0 && genseck2.type == PKEY_TYPE_EP11) {
+ if (is_ep11_key_session_bound(secure_key, size)) {
+ warnx("The generated key is session bound. Kernel "
+ "support is required for such keys");
+ goto out;
+ }
+ }
if (xts) {
free(genseck2.apqns);
@@ -1062,6 +1088,7 @@ int generate_secure_key_clear(int pkey_f
return -ENOTSUP;
}
+retry:
clr2seck2.size = keybits_to_keysize(HALF_KEYSIZE_FOR_XTS(
clear_key_size * 8, xts));
if (clr2seck2.size == 0) {
@@ -1096,10 +1123,33 @@ int generate_secure_key_clear(int pkey_f
clr2seck2.keylen = size;
rc = pkey_clr2seck2(pkey_fd, &clr2seck2, verbose);
+ if (rc == -EINVAL && clr2seck2.type == PKEY_TYPE_EP11_AES) {
+ /*
+ * Older kernels may not support clr2seck2 with key type
+ * PKEY_TYPE_EP11_AES, retry with PKEY_TYPE_EP11.
+ */
+ pr_verbose(verbose,
+ "ioctl PKEY_CLR2SECK2 does not support "
+ "PKEY_TYPE_EP11_AES, fall back to PKEY_TYPE_EP11");
+
+ clr2seck2.type = PKEY_TYPE_EP11;
+ free(clr2seck2.apqns);
+ clr2seck2.apqns = NULL;
+ clr2seck2.apqn_entries = 0;
+ free(secure_key);
+ goto retry;
+ }
if (rc != 0) {
warnx("Failed to generate a secure key: %s", strerror(-rc));
goto out;
}
+ if (rc == 0 && clr2seck2.type == PKEY_TYPE_EP11) {
+ if (is_ep11_key_session_bound(secure_key, size)) {
+ warnx("The generated key is session bound. Kernel "
+ "support is required for such keys");
+ goto out;
+ }
+ }
if (xts) {
free(clr2seck2.apqns);
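Review bot: In the fallback path `free(secure_key);` is followed directly by `goto retry;`, so the pointer keeps its stale value until it is reassigned somewhere after the label, which is outside this hunk. If any error path between `retry:` and that reallocation reaches `out:` and frees `secure_key` there, the buffer is freed twice. Adding `secure_key = NULL;` after the free, as the same block already does for `clr2seck2.apqns`, removes the dependency on that ordering. The fallback block in generate_secure_key_random has the same shape.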
@@ -1486,6 +1536,8 @@ int get_master_key_verification_pattern(
struct aesdatakeytoken *datakey = (struct aesdatakeytoken *)key;
struct aescipherkeytoken *cipherkey = (struct aescipherkeytoken *)key;
struct ep11keytoken *ep11key = (struct ep11keytoken *)key;
+ struct ep11keytoken *ep11key2 =
+ (struct ep11keytoken *)(key + sizeof(struct ep11kblob_header));
util_assert(key != NULL, "Internal error: secure_key is NULL");
util_assert(mkvp != NULL, "Internal error: mkvp is NULL");
@@ -1497,6 +1549,8 @@ int get_master_key_verification_pattern(
memcpy(mkvp, &cipherkey->kvp, sizeof(cipherkey->kvp));
else if (is_ep11_aes_key(key, key_size))
memcpy(mkvp, &ep11key->wkvp, sizeof(ep11key->wkvp));
+ else if (is_ep11_aes_key_with_header(key, key_size))
+ memcpy(mkvp, &ep11key2->wkvp, sizeof(ep11key2->wkvp));
else
return -EINVAL;
@@ -1593,9 +1647,11 @@ bool is_ep11_aes_key(const u8 *key, size
if (ep11key->head.type != TOKEN_TYPE_NON_CCA)
return false;
+ if (ep11key->head.hver != 0)
+ return false;
if (ep11key->head.version != TOKEN_VERSION_EP11_AES)
return false;
- if (ep11key->head.length > key_size)
+ if (ep11key->head.len > key_size)
return false;
if (ep11key->version != 0x1234)
@@ -1605,6 +1661,65 @@ bool is_ep11_aes_key(const u8 *key, size
}
/**
+ * Check if the specified key is a EP11 AES key token with external header.
+ *
+ * @param[in] key the secure key token
+ * @param[in] key_size the size of the secure key
+ *
+ * @returns true if the key is an EP11 AES token with external header type
+ */
+bool is_ep11_aes_key_with_header(const u8 *key, size_t key_size)
+{
+ struct ep11kblob_header *header = (struct ep11kblob_header *)key;
+ struct ep11keytoken *ep11key =
+ (struct ep11keytoken *)(key + sizeof(struct ep11kblob_header));
+
+ if (key == NULL || key_size < EP11_AES_KEY_SIZE)
+ return false;
+
+ if (header->type != TOKEN_TYPE_NON_CCA)
+ return false;
+ if (header->hver != 0)
+ return false;
+ if (header->version != TOKEN_VERSION_EP11_AES_WITH_HEADER)
+ return false;
+ if (header->len > key_size)
+ return false;
+
+ if (ep11key->version != 0x1234)
+ return false;
+
+ return true;
+}
+
+/**
+ * Check if the specified EP11 AES key is session bound.
+ *
+ * @param[in] key the secure key token
+ * @param[in] key_size the size of the secure key
+ *
+ * @returns true if the key is an EP11 AES token type
+ */
+bool is_ep11_key_session_bound(const u8 *key, size_t key_size)
+{
+ struct ep11keytoken *ep11key;
+
+ if (is_ep11_aes_key(key, key_size)) {
+ ep11key = (struct ep11keytoken *)key;
+ return memcmp(ep11key->session + sizeof(ep11key->head),
+ ZERO_SESSION, sizeof(ep11key->session) -
+ sizeof(ep11key->head)) != 0;
+ } else if (is_ep11_aes_key_with_header(key, key_size)) {
+ ep11key = (struct ep11keytoken *)
+ (key + sizeof(struct ep11kblob_header));
+ return memcmp(ep11key->session, ZERO_SESSION,
+ sizeof(ep11key->session)) != 0;
+ } else {
+ return false;
+ }
+}
+
+/**
* Check if the specified key is an XTS type key
*
* @param[in] key the secure key token
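Review bot: The `@returns` line on is_ep11_key_session_bound was carried over from the type checks ("true if the key is an EP11 AES token type") and does not describe what this function returns. Suggested wording: `@returns true if the key is an EP11 AES token with a non-zero session field, false otherwise (including for any other token type)`. The comment should also say that for a token without the external header the first sizeof(head) bytes of `session` are skipped, because the header overlays them in the union. Callers should be aware that an unrecognised blob is reported as "not session bound", which the current comment does not say.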
@@ -1629,6 +1744,11 @@ bool is_xts_key(const u8 *key, size_t ke
is_ep11_aes_key(key + EP11_KEY_SIZE,
key_size - EP11_KEY_SIZE))
return true;
+ } else if (is_ep11_aes_key_with_header(key, key_size)) {
+ if (key_size == 2 * EP11_AES_KEY_SIZE &&
+ is_ep11_aes_key_with_header(key + EP11_AES_KEY_SIZE,
+ key_size - EP11_AES_KEY_SIZE))
+ return true;
}
return false;
@@ -1650,6 +1770,7 @@ int get_key_bit_size(const u8 *key, size
struct aesdatakeytoken *datakey = (struct aesdatakeytoken *)key;
struct aescipherkeytoken *cipherkey = (struct aescipherkeytoken *)key;
struct ep11keytoken *ep11key = (struct ep11keytoken *)key;
+ struct ep11kblob_header *hdr = (struct ep11kblob_header *)key;
util_assert(bitsize != NULL, "Internal error: bitsize is NULL");
@@ -1672,10 +1793,17 @@ int get_key_bit_size(const u8 *key, size
*bitsize += cipherkey->pl - 384;
}
} else if (is_ep11_aes_key(key, key_size)) {
- *bitsize = ep11key->head.keybitlen;
+ *bitsize = ep11key->head.bitlen;
if (key_size == 2 * EP11_KEY_SIZE) {
ep11key = (struct ep11keytoken *)(key + EP11_KEY_SIZE);
- *bitsize += ep11key->head.keybitlen;
+ *bitsize += ep11key->head.bitlen;
+ }
+ } else if (is_ep11_aes_key_with_header(key, key_size)) {
+ *bitsize = hdr->bitlen;
+ if (key_size == 2 * EP11_AES_KEY_SIZE) {
+ hdr = (struct ep11kblob_header *)
+ (key + EP11_AES_KEY_SIZE);
+ *bitsize += hdr->bitlen;
}
} else {
return -EINVAL;
@@ -1700,6 +1828,8 @@ const char *get_key_type(const u8 *key,
return KEY_TYPE_CCA_AESCIPHER;
if (is_ep11_aes_key(key, key_size))
return KEY_TYPE_EP11_AES;
+ if (is_ep11_aes_key_with_header(key, key_size))
+ return KEY_TYPE_EP11_AES;
return NULL;
}
@@ -2016,7 +2146,8 @@ int reencipher_secure_key(struct ext_lib
return rc;
}
- if (is_ep11_aes_key(secure_key, secure_key_size)) {
+ if (is_ep11_aes_key(secure_key, secure_key_size) ||
+ is_ep11_aes_key_with_header(secure_key, secure_key_size)) {
/* EP11 secure key: need the EP11 host library */
if (lib->ep11->lib_ep11 == NULL) {
rc = load_ep11_library(lib->ep11, verbose);
--- a/zkey/pkey.h
+++ b/zkey/pkey.h
@@ -39,6 +39,8 @@ struct tokenheader {
#define TOKEN_VERSION_PROTECTED_KEY 0x01
#define TOKEN_VERSION_CLEAR_KEY 0x02
#define TOKEN_VERSION_EP11_AES 0x03
+#define TOKEN_VERSION_EP11_AES_WITH_HEADER 0x06
+#define TOKEN_VERSION_EP11_ECC_WITH_HEADER 0x07
struct aesdatakeytoken {
u8 type; /* TOKEN_TYPE_INTERNAL (0x01) for internal key token */
@@ -89,17 +91,20 @@ struct aescipherkeytoken {
u8 varpart[80]; /* variable part */
} __packed;
+struct ep11kblob_header {
+ u8 type; /* always 0x00 */
+ u8 hver; /* header version, currently needs to be 0x00 */
+ u16 len; /* total length in bytes (including this header) */
+ u8 version; /* PKEY_TYPE_EP11_AES or PKEY_TYPE_EP11_ECC */
+ u8 res0; /* unused */
+ u16 bitlen; /* clear key bit len, 0 for unknown */
+ u8 res1[8]; /* unused */
+} __packed;
+
struct ep11keytoken {
union {
u8 session[32];
- struct {
- u8 type; /* TOKEN_TYPE_NON_CCA (0x00) */
- u8 res0; /* unused */
- u16 length; /* length of token */
- u8 version; /* TOKEN_VERSION_EP11_AES (0x03) */
- u8 res1; /* unused */
- u16 keybitlen; /* clear key bit len, 0 for unknown */
- } head;
+ struct ep11kblob_header head;
};
u8 wkvp[16]; /* wrapping key verification pattern */
u64 attr; /* boolean key attributes */
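Review bot: The comment on `version` in struct ep11kblob_header names PKEY_TYPE_EP11_AES and PKEY_TYPE_EP11_ECC, but the checks in pkey.c compare this field with TOKEN_VERSION_EP11_AES and TOKEN_VERSION_EP11_AES_WITH_HEADER. The numeric values coincide (0x06 and 0x07), yet the comment would be less misleading as `u8 version; /* TOKEN_VERSION_EP11_AES or TOKEN_VERSION_EP11_{AES,ECC}_WITH_HEADER */`. The header now overlays 16 bytes of `session` instead of the previous 8, and is_ep11_key_session_bound depends on that size. If the build's C standard allows it, `_Static_assert(sizeof(struct ep11kblob_header) == 16, "ep11kblob_header layout");` next to the struct would pin the layout.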
@@ -111,18 +116,29 @@ struct ep11keytoken {
u8 padding[64];
} __packed;
+#define ZERO_SESSION \
+ "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"
+
#define AESDATA_KEY_SIZE sizeof(struct aesdatakeytoken)
#define AESCIPHER_KEY_SIZE sizeof(struct aescipherkeytoken)
#define EP11_KEY_SIZE sizeof(struct ep11keytoken)
+#define EP11_AES_KEY_SIZE (sizeof(struct ep11kblob_header) + \
+ sizeof(struct ep11keytoken))
/* MAX/MIN from zt_common.h produces warnings for variable length arrays */
#define _MIN(a, b) ((a) < (b) ? (a) : (b))
#define _MAX(a, b) ((a) > (b) ? (a) : (b))
-#define MAX_SECURE_KEY_SIZE _MAX(EP11_KEY_SIZE, \
- _MAX(AESDATA_KEY_SIZE, AESCIPHER_KEY_SIZE))
-#define MIN_SECURE_KEY_SIZE _MIN(EP11_KEY_SIZE, \
- _MIN(AESDATA_KEY_SIZE, AESCIPHER_KEY_SIZE))
+#define MAX_SECURE_KEY_SIZE _MAX( \
+ _MAX(EP11_KEY_SIZE, \
+ EP11_AES_KEY_SIZE), \
+ _MAX(AESDATA_KEY_SIZE, \
+ AESCIPHER_KEY_SIZE))
+#define MIN_SECURE_KEY_SIZE _MIN( \
+ _MIN(EP11_KEY_SIZE, \
+ EP11_AES_KEY_SIZE), \
+ _MIN(AESDATA_KEY_SIZE, \
+ AESCIPHER_KEY_SIZE))
struct pkey_seckey {
u8 seckey[AESDATA_KEY_SIZE]; /* the secure key blob */
@@ -175,6 +191,9 @@ enum pkey_key_type {
PKEY_TYPE_CCA_DATA = (u32) 1,
PKEY_TYPE_CCA_CIPHER = (u32) 2,
PKEY_TYPE_EP11 = (u32) 3,
+ PKEY_TYPE_CCA_ECC = (u32) 0x1f,
+ PKEY_TYPE_EP11_AES = (u32) 6,
+ PKEY_TYPE_EP11_ECC = (u32) 7,
};
enum pkey_key_size {
@@ -321,6 +340,8 @@ int get_master_key_verification_pattern(
bool is_cca_aes_data_key(const u8 *key, size_t key_size);
bool is_cca_aes_cipher_key(const u8 *key, size_t key_size);
bool is_ep11_aes_key(const u8 *key, size_t key_size);
+bool is_ep11_aes_key_with_header(const u8 *key, size_t key_size);
+bool is_ep11_key_session_bound(const u8 *key, size_t key_size);
bool is_xts_key(const u8 *key, size_t key_size);
int get_key_bit_size(const u8 *key, size_t key_size, size_t *bitsize);
const char *get_key_type(const u8 *key, size_t key_size);
--- a/zkey/zkey-cryptsetup.c
+++ b/zkey/zkey-cryptsetup.c
@@ -1673,7 +1673,10 @@ static int reencipher_prepare(int token)
warnx("Failed to re-encipher the secure volume "
"key for device '%s'\n", g.pos_arg);
if (!selected &&
- !is_ep11_aes_key((u8 *)key, securekeysize))
+ !is_ep11_aes_key((u8 *)key,
+ securekeysize) &&
+ !is_ep11_aes_key_with_header((u8 *)key,
+ securekeysize))
print_msg_for_cca_envvars(
"secure AES volume key");
rc = -EINVAL;
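Review bot: The pair `!is_ep11_aes_key(...) && !is_ep11_aes_key_with_header(...)` is now written out three times in this file (here and in the two hunks below) and twice in zkey.c, with the positive form in reencipher_secure_key. A single predicate declared in pkey.h, for example `bool is_ep11_key(const u8 *key, size_t key_size);`, would keep these sites in step when another EP11 token layout is added. A missed site here would print the CCA environment-variable hint for an EP11 key. The enclosing function reencipher_prepare starts and ends outside the hunk.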
@@ -1696,7 +1699,10 @@ static int reencipher_prepare(int token)
warnx("Failed to re-encipher the secure volume "
"key for device '%s'\n", g.pos_arg);
if (!selected &&
- !is_ep11_aes_key((u8 *)key, securekeysize))
+ !is_ep11_aes_key((u8 *)key,
+ securekeysize) &&
+ !is_ep11_aes_key_with_header((u8 *)key,
+ securekeysize))
print_msg_for_cca_envvars(
"secure AES volume key");
rc = -EINVAL;
@@ -1836,7 +1842,10 @@ static int reencipher_complete(int token
warnx("Failed to re-encipher the secure volume "
"key for device '%s'\n", g.pos_arg);
if (!selected &&
- !is_ep11_aes_key((u8 *)key, securekeysize))
+ !is_ep11_aes_key((u8 *)key,
+ securekeysize) &&
+ !is_ep11_aes_key_with_header((u8 *)key,
+ securekeysize))
print_msg_for_cca_envvars(
"secure AES volume key");
rc = -EINVAL;
--- a/zkey/zkey.c
+++ b/zkey/zkey.c
@@ -1968,7 +1968,9 @@ static int command_reencipher_file(void)
"master key has failed\n");
if (!selected &&
!is_ep11_aes_key(secure_key,
- secure_key_size))
+ secure_key_size) &&
+ !is_ep11_aes_key_with_header(secure_key,
+ secure_key_size))
print_msg_for_cca_envvars(
"secure AES key");
}
@@ -1993,7 +1995,9 @@ static int command_reencipher_file(void)
"master key has failed\n");
if (!selected &&
!is_ep11_aes_key(secure_key,
- secure_key_size))
+ secure_key_size) &&
+ !is_ep11_aes_key_with_header(secure_key,
+ secure_key_size))
print_msg_for_cca_envvars(
"secure AES key");
}


@ -1,5 +1,55 @@
------------------------------------------------------------------- -------------------------------------------------------------------
Wed Nov 15 07:55:09 UTC 2023 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com> Sun Dec 17 05:48:56 UTC 2023 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
- Updated the .spec file to use gcc13 (bsc#1217838)
- Amended read_values for '-S' option (bsc#1217923)
-------------------------------------------------------------------
Mon Dec 4 13:34:09 UTC 2023 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
- Upgrade s390-tools to version 2.30
(jsc#PED-5783, jsc#PED-6785, jsc#PED-7136, jsc#PED-6539, jsc#PED-4604,
jsc#PED-6649, jsc#PED-7138 )
- Add new tools / libraries:
* lspai: Tool to display PAI counter sets
* s390-tools: Provide a ShellCheck configuration
- Changes of existing tools / libraries:
* cpumf/pai: Add command line option for realtime scheduling
* dbginfo.sh: enhance ethtool collection for ROCE
* libutil/util_lockfile: add routine to return owning pid of file lock
* lszcrypt: Improve lszcrypt output on SE guests
* rust: Use a single workspace for all rust tools
* zdev: limit the derivation of ZDEV_SITE_ID
* zdump/df_s390: Update 'zgetdump -i' output with zlib info
* zdump/dfi_s390: Support reading compressed s390_ext dumps
* zipl/boot: Integrate zlib compression to single volume DASD dumper
* zipl/boot: compile the bootloaders only if HOST_ARCH is s390x
* zipl: Add --no-compress option to zipl command
* zkey: Also check for deconfigured and check-stopped cards
- Bug Fixes:
* ap_tools/ap-check: handle get-attributes between pre and post event
* libutil: fix util_file_read_*() using wrong format specifiers
* rust/pv: fix Invalid write of size
- Amended the SUSE patches for version 2.30
- Revendored vendor.tar.gz
- Removed an obsolete patch
* s390-tools-sles15sp6-zkey-Support-EP11-AES-keys-with-prepended-header-to-.patch
-------------------------------------------------------------------
Fri Nov 24 07:51:10 UTC 2023 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
- Provide s390-tools on x86_64 to enable Secure Execution in the Cloud
(jsc#PED-578, jsc#PED-7136, and jsc#PED-7138)
* Selected tools from the s390-tools package need to be made available on x86_64.
This will enable the integration of IBM Z machines running Secure Execution in a
cloud environment where users don't necessarily need to have an s390x environment.
- genprotimg - (for building secure images)
- pvsecret -
- pvattest - (for external attestation)
- pvextract-hdr -
-------------------------------------------------------------------
Wed Nov 15 07:31:45 UTC 2023 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
- Fixed a logic error in read_values.c - Fixed a logic error in read_values.c


@ -33,7 +33,7 @@
%endif %endif
Name: s390-tools Name: s390-tools
Version: 2.29.0 Version: 2.30.0
Release: 0 Release: 0
Summary: S/390 tools like zipl and dasdfmt Summary: S/390 tools like zipl and dasdfmt
License: MIT License: MIT
@ -152,17 +152,16 @@ Patch909: s390-tools-sles12-fdasd-skip-partition-check-and-BLKRRPART-ioctl
Patch910: s390-tools-sles15sp1-11-zdev-Do-not-call-zipl-on-initrd-update.patch Patch910: s390-tools-sles15sp1-11-zdev-Do-not-call-zipl-on-initrd-update.patch
Patch911: s390-tools-sles15sp5-remove-no-pie-link-arguments.patch Patch911: s390-tools-sles15sp5-remove-no-pie-link-arguments.patch
Patch912: s390-tools-ALP-zdev-live.patch Patch912: s390-tools-ALP-zdev-live.patch
Patch913: s390-tools-sles15sp6-zkey-Support-EP11-AES-keys-with-prepended-header-to-.patch
### ###
BuildRequires: curl-devel BuildRequires: curl-devel
BuildRequires: dracut BuildRequires: dracut
BuildRequires: fuse3-devel BuildRequires: fuse3-devel
BuildRequires: gcc-c++ BuildRequires: gcc13
BuildRequires: gcc13-c++
BuildRequires: gettext-tools BuildRequires: gettext-tools
BuildRequires: glib2-devel BuildRequires: glib2-devel
BuildRequires: glibc-devel-static BuildRequires: glibc-devel-static
BuildRequires: kernel-zfcpdump
BuildRequires: libcryptsetup-devel > 2.0.3 BuildRequires: libcryptsetup-devel > 2.0.3
BuildRequires: libjson-c-devel BuildRequires: libjson-c-devel
BuildRequires: libxml2-devel BuildRequires: libxml2-devel
@ -171,10 +170,14 @@ BuildRequires: ncurses-devel
BuildRequires: net-snmp-devel BuildRequires: net-snmp-devel
BuildRequires: openssl-devel >= 1.1.1l BuildRequires: openssl-devel >= 1.1.1l
BuildRequires: pesign-obs-integration BuildRequires: pesign-obs-integration
BuildRequires: qclib-devel-static
BuildRequires: systemd-devel BuildRequires: systemd-devel
BuildRequires: tcpd-devel BuildRequires: tcpd-devel
BuildRequires: zlib-devel-static BuildRequires: zlib-devel-static
### x86_64
%ifarch s390x
BuildRequires: kernel-zfcpdump
BuildRequires: qclib-devel-static
%endif
### Cargo ### Cargo
BuildRequires: rust BuildRequires: rust
BuildRequires: cargo BuildRequires: cargo
@ -195,7 +198,7 @@ Requires(post): permissions
Requires(pre): shadow Requires(pre): shadow
Recommends: blktrace Recommends: blktrace
Provides: s390utils:/sbin/dasdfmt Provides: s390utils:/sbin/dasdfmt
ExclusiveArch: s390x ### ExclusiveArch: s390x x86_64
%description %description
This package contains the tools needed to use Linux on IBM z Systems This package contains the tools needed to use Linux on IBM z Systems
@ -315,15 +318,16 @@ unavailable, the toolset checks for operational paths to the same
volume. If available, it reconfigures the FCP re-IPL settings to use an volume. If available, it reconfigures the FCP re-IPL settings to use an
operational path. operational path.
### *** s390x ************************************************************************* ###
%ifarch s390x
%prep %prep
%autosetup -p1 %autosetup -p1
cp -vi %{SOURCE22} CAUTION cp -vi %{SOURCE22} CAUTION
###
install -D -m 0644 %{SOURCE200} .cargo/config install -D -m 0644 %{SOURCE200} .cargo/config
tar -xzvf %{SOURCE201} tar -xzf %{SOURCE201}
###
%build %build
@ -333,13 +337,17 @@ tar -xzvf %{SOURCE201}
export OPT_FLAGS="%{optflags}" export OPT_FLAGS="%{optflags}"
export KERNELIMAGE_MAKEFLAGS="%%{?_smp_mflags}" export KERNELIMAGE_MAKEFLAGS="%%{?_smp_mflags}"
%make_build \
%make_build -v \
ZFCPDUMP_DIR=%{_prefix}/lib/s390-tools/zfcpdump \ ZFCPDUMP_DIR=%{_prefix}/lib/s390-tools/zfcpdump \
DISTRELEASE=%{release} \ DISTRELEASE=%{release} \
UDEVRUNDIR=/run/udev \ UDEVRUNDIR=/run/udev \
HAVE_CARGO=1 \ HAVE_CARGO=1 \
HAVE_DRACUT=1 HAVE_DRACUT=1 \
gcc -static -o read_values ${OPT_FLAGS} %{SOURCE86} -lqc CC=gcc-13 \
CXX=g++-13
### all
gcc-13 -v -static -o read_values ${OPT_FLAGS} %{SOURCE86} -lqc
%install %install
mkdir -p %{buildroot}/boot/zipl mkdir -p %{buildroot}/boot/zipl
@ -350,7 +358,10 @@ mkdir -p %{buildroot}%{_sysconfdir}/zkey/repository
SYSTEMDSYSTEMUNITDIR=%{_unitdir} \ SYSTEMDSYSTEMUNITDIR=%{_unitdir} \
UDEVRUNDIR=/run/udev \ UDEVRUNDIR=/run/udev \
HAVE_CARGO=1 \ HAVE_CARGO=1 \
HAVE_DRACUT=1 HAVE_DRACUT=1 \
CC=gcc-13 \
CXX=g++-13
### all
# The make install command puts things in /etc/sysconfig and not the # The make install command puts things in /etc/sysconfig and not the
# fillup-templates directory. Let's try moving them where they belong # fillup-templates directory. Let's try moving them where they belong
@ -735,4 +746,44 @@ done
%{_udevrulesdir}/70-chreipl-fcp-mpath.rules %{_udevrulesdir}/70-chreipl-fcp-mpath.rules
%{_mandir}/man7/chreipl-fcp-mpath.7%{?ext_man} %{_mandir}/man7/chreipl-fcp-mpath.7%{?ext_man}
### _endif
### *** !s390x ************************************************************************* ###
### _ifarch x86_64
%else
%prep
%autosetup -p1
install -D -m 0644 %{SOURCE200} .cargo/config
tar -xzf %{SOURCE201}
%build
export OPT_FLAGS="%{optflags}"
export KERNELIMAGE_MAKEFLAGS="%%{?_smp_mflags}"
%make_build \
DISTRELEASE=%{release} \
UDEVRUNDIR=/run/udev \
HAVE_CARGO=1 \
HAVE_DRACUT=1
%install
%make_install \
DISTRELEASE=%{release} \
SYSTEMDSYSTEMUNITDIR=%{_unitdir} \
UDEVRUNDIR=/run/udev \
HAVE_CARGO=1 \
HAVE_DRACUT=1
%files
%{_prefix}/bin/*
%{_prefix}/share/s390-tools/*
%dir /usr/share/s390-tools
%{_mandir}/man1/*
%files debuginfo
%dir %{_prefix}/lib/debug
%dir %{_prefix}/lib/debug/usr/bin
%endif
%changelog %changelog
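Review bot: The new side appears to comment out the architecture restriction (`### ExclusiveArch: s390x x86_64`) instead of replacing it, so the package is no longer limited to any architecture and the `%else` branch applies to every non-s390x target, not only x86_64 as the changelog describes. Restoring the tag as `ExclusiveArch: s390x x86_64` keeps the build matrix to the two intended targets. The `%files` list in that branch uses `%{_prefix}/bin/*` and `%{_mandir}/man1/*`, so anything `make install` places there is shipped without review. Listing the intended binaries (genprotimg, pvsecret, pvattest, pvextract-hdr per the changelog) would make an unexpected addition fail the build.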

BIN
vendor.tar.gz (Stored with Git LFS)

Binary file not shown.