

No commits in common. "factory" and "devel" have entirely different histories.

21 changed files with 1113 additions and 312 deletions


@ -44,14 +44,6 @@ debug_mesg () {
esac
}
add_cio_channel() {
echo "$* # ${DATE}" >> /boot/zipl/active_devices.txt
}
remove_cio_channel() {
[ -w /boot/zipl/active_devices.txt ] && sed -i -e "/^${1}/d" /boot/zipl/active_devices.txt
}
usage(){
echo "Usage: ${0} <read channel> <write channel> <online> [<protocol>]"
echo " read/write channel = x.y.ssss where"
@ -120,9 +112,3 @@ RC=${?}
if [ ${RC} -ne 0 ]; then
exit ${RC}
fi
if [ ${ON_OFF} == 1 ]; then
add_cio_channel "${CTC_READ_CHAN},${CTC_WRITE_CHAN}"
else remove_cio_channel "${CTC_READ_CHAN}"
remove_cio_channel "${CTC_WRITE_CHAN}"
fi


@ -43,14 +43,6 @@ debug_mesg () {
esac
}
add_cio_channel() {
echo "$* # ${DATE}" >> /boot/zipl/active_devices.txt
}
remove_cio_channel() {
[ -w /boot/zipl/active_devices.txt ] && sed -i -e "/^${1}/d" /boot/zipl/active_devices.txt
}
usage(){
echo "Usage: ${0} [-f -t <dasd_type> ] <ccwid> <online> [use_diag]"
echo
@ -165,9 +157,4 @@ elif [ ${ON_OFF} == 1 ]; then
fi
fi
if [ ${ON_OFF} == 1 ]; then
add_cio_channel "${CCW_CHAN_ID}"
else remove_cio_channel "${CCW_CHAN_ID}"
fi
exit ${exitcode}


@ -43,14 +43,6 @@ debug_mesg () {
esac
}
add_cio_channel() {
echo "$* # ${DATE}" >> /boot/zipl/active_devices.txt
}
remove_cio_channel() {
[ -w /boot/zipl/active_devices.txt ] && sed -i -e "/^${1}/d" /boot/zipl/active_devices.txt
}
usage(){
echo "Usage: ${0} [-f -t <dasd_type> ] <ccwid> <online> [use_diag]"
echo
@ -165,9 +157,4 @@ elif [ ${ON_OFF} == 1 ]; then
fi
fi
if [ ${ON_OFF} == 1 ]; then
add_cio_channel "${CCW_CHAN_ID}"
else remove_cio_channel "${CCW_CHAN_ID}"
fi
exit ${exitcode}


@ -1,10 +1,7 @@
#
# Copyright (c) 2018-2024 SUSE LINUX GmbH, Nuernberg, Germany.
# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
# All rights reserved.
#
# load pkey module at boot time
pkey
pkey_cca
pkey_ep11
pkey_pckmo


@ -48,14 +48,6 @@ debug_mesg () {
esac
}
add_cio_channel() {
echo "$* # ${DATE}" >> /boot/zipl/active_devices.txt
}
remove_cio_channel() {
[ -w /boot/zipl/active_devices.txt ] && sed -i -e "/^${1}/d" /boot/zipl/active_devices.txt
}
usage(){
echo "Usage: ${0} [options] <read chan> <write chan> <data chan> <online>"
echo " -i Configure IP takeover"
@ -165,10 +157,3 @@ RC=${?}
if [ ${RC} -ne 0 ]; then
exit ${RC}
fi
if [ ${ON_OFF} == 1 ]; then
add_cio_channel "${QETH_READ_CHAN},${QETH_WRITE_CHAN},${QETH_DATA_CHAN}"
else remove_cio_channel "${QETH_READ_CHAN}"
remove_cio_channel "${QETH_WRITE_CHAN}"
remove_cio_channel "${QETH_DATA_CHAN}"
fi


@ -1,67 +0,0 @@
From 2d26a63806d2847f549c06276070a636a61bcb80 Mon Sep 17 00:00:00 2001
From: Eduard Shishkin <edward6@linux.ibm.com>
Date: Wed, 4 Dec 2024 13:37:46 +0100
Subject: [PATCH s390-tools] zipl_helper.device-mapper: add missed step in
logical device resolution
This fixes 670bf3e
Preparing a loop device for IPL by zipl tool, using its partition as
zipl target, leads to inconsistent installation setup. The problem is in
a missed step in the procedure of logical device resolution performed
by the script zipl_helper.device-mapper:
\# lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
loop0 7:0 0 5G 0 loop
|-loop0p1 253:15 0 128M 0 part
`-loop0p2 253:16 0 4.9G 0 part /mnt
\# ./zipl_helper.device-mapper 253:16
Expected result:
targetbase=7:0
targettype=SCSI
targetblocksize=4096
targetoffset=32784
Actual result:
targetbase=253:16
targettype=SCSI
targetblocksize=4096
targetoffset=32784
The fixup adds a missed resolution step.
Reference-ID: LTC210771
Signed-off-by: Eduard Shishkin <edward6@linux.ibm.com>
---
zipl/src/zipl_helper.device-mapper.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/zipl/src/zipl_helper.device-mapper.c b/zipl/src/zipl_helper.device-mapper.c
index aca52be1..918c5aba 100644
--- a/zipl/src/zipl_helper.device-mapper.c
+++ b/zipl/src/zipl_helper.device-mapper.c
@@ -1306,13 +1306,13 @@ static int complete_physical_device(struct physical_device *pd, dev_t *base_dev)
*base_dev = base_entry->dev.dev;
} else {
/*
- * In this case base device is the uppermost logical
+ * In this case base device is the uppermost
* device which provides access to boot sectors
*/
base_entry = find_base_entry(pd->dmpath, dc->bootsectors);
if (!base_entry)
return -1;
- *base_dev = base_entry->dev.dev;
+ *base_dev = first_device_by_target_data(base_entry->target);
}
/* Check for valid offset of filesystem */
if ((pd->offset % (dc->blocksize / SECTOR_SIZE)) != 0) {
--
2.39.0


@ -1,63 +0,0 @@
From 592a016a1095fa9813f0bae8256433ba5af4ab9b Mon Sep 17 00:00:00 2001
From: Eduard Shishkin <edward6@linux.ibm.com>
Date: Sat, 7 Dec 2024 12:48:12 +0100
Subject: [PATCH s390-tools 2/2] zipl/src: fix imprecise check that file is on
specified device
This fixes c0f02d2
The check that file is on specified disk is imprecise: In case when
target parameters are specified by user, the check compares a logical
device with a base disk, which is incorrect.
The fixup makes the check compare base disks (a specified one with
the base disk determined by disk_get_info() procedure).
Signed-off-by: Eduard Shishkin <edward6@linux.ibm.com>
---
zipl/src/bootmap.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/zipl/src/bootmap.c b/zipl/src/bootmap.c
index 7d340156..880b93ce 100644
--- a/zipl/src/bootmap.c
+++ b/zipl/src/bootmap.c
@@ -299,14 +299,15 @@ create_component_header(void* buffer, component_header_type type)
}
/*
- * Not precise check that the file FILENAME locates on specified physical DISK.
+ * Not precise check that the file FILENAME locates on the physical
+ * disk specified by WHERE.
*
* Try to auto-detect parameters of the disk which the file locates on
* and compare found device-ID with DISK.
* Return 0, if auto-detection succeeded, and it is proven that the
* file does NOT locate on DISK. Otherwise, return 1.
*/
-static int file_is_on_disk(const char *filename, dev_t disk)
+static int file_is_on_disk(const char *filename, struct disk_info *where)
{
/*
* Retrieve info of the underlying disk without any user hints
@@ -331,7 +332,7 @@ static int file_is_on_disk(const char *filename, dev_t disk)
"Warning: Preparing a logical device for boot might fail\n");
return 1;
}
- if (info->device != disk) {
+ if (info->basedisks[0] != where->basedisks[0]) {
disk_free_info(info);
return 0;
}
@@ -378,7 +379,7 @@ static int add_component_file_range(struct install_set *bis,
return -1;
}
} else {
- if (!file_is_on_disk(filename, bis->info->device)) {
+ if (!file_is_on_disk(filename, bis->info)) {
error_reason("File is not on target device");
return -1;
}
--
2.39.0



@ -0,0 +1,51 @@
From 6a55d0c2e57952600164822dd100e8247b4b010f Mon Sep 17 00:00:00 2001
From: Steffen Eiden <seiden@linux.ibm.com>
Date: Fri, 23 Aug 2024 09:16:26 +0200
Subject: [PATCH] rust/pv: Lower most lints to warn
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Lower the lint level to warn for the styling lints.
This avoids compile issues during packaging for newer tooling with
potential more lint findings.
Still deny compiling if a public symbol has no documentation.
Fixes: https://github.com/ibm-s390-linux/s390-tools/issues/173
Reviewed-by: Jan Höppner <hoeppner@linux.ibm.com>
Signed-off-by: Steffen Eiden <seiden@linux.ibm.com>
---
rust/pv/src/lib.rs | 4 ++--
rust/pv_core/src/lib.rs | 4 ++--
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/rust/pv/src/lib.rs b/rust/pv/src/lib.rs
index 9a647617..1084f8e8 100644
--- a/rust/pv/src/lib.rs
+++ b/rust/pv/src/lib.rs
@@ -2,8 +2,8 @@
//
// Copyright IBM Corp. 2023, 2024
-#![deny(
- missing_docs,
+#![deny(missing_docs)]
+#![warn(
missing_debug_implementations,
trivial_numeric_casts,
unstable_features,
diff --git a/rust/pv_core/src/lib.rs b/rust/pv_core/src/lib.rs
index 1356c1b7..b617b8f9 100644
--- a/rust/pv_core/src/lib.rs
+++ b/rust/pv_core/src/lib.rs
@@ -1,8 +1,8 @@
// SPDX-License-Identifier: MIT
//
// Copyright IBM Corp. 2023, 2024
-#![deny(
- missing_docs,
+#![deny(missing_docs)]
+#![warn(
missing_debug_implementations,
trivial_numeric_casts,
unstable_features,
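Review bot: `unstable_features` is demoted from deny to warn together with the styling lints in rust/pv/src/lib.rs, and the same hunk is repeated for rust/pv_core/src/lib.rs; it is not a styling lint but the guard that keeps the crate from compiling with `#![feature(...)]` gates on a nightly toolchain, and as a warning it no longer blocks that. Keeping it beside the documentation lint, `#![deny(missing_docs, unstable_features)]`, would preserve the commit's intent of tolerating new rustc/clippy style findings without loosening that guard. The rest of the `warn(` list lies outside the hunk, so other non-style lints may be affected as well and should be checked the same way.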

s390-tools-2.34.0.tar.gz Normal file

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:ea4758c4e460d7f7e040e6aedf68b1be32d63fecb733358b08182f6b9b7440a2
size 2114507



@ -0,0 +1,286 @@
Index: s390-tools-service/rust/pv/src/verify.rs
===================================================================
--- s390-tools-service.orig/rust/pv/src/verify.rs
+++ s390-tools-service/rust/pv/src/verify.rs
@@ -3,10 +3,11 @@
// Copyright IBM Corp. 2023
use core::slice;
-use log::debug;
+use log::{debug, trace};
+use openssl::error::ErrorStack;
use openssl::stack::Stack;
use openssl::x509::store::X509Store;
-use openssl::x509::{CrlStatus, X509Ref, X509StoreContext, X509};
+use openssl::x509::{CrlStatus, X509NameRef, X509Ref, X509StoreContext, X509StoreContextRef, X509};
use openssl_extensions::crl::StackableX509Crl;
use openssl_extensions::crl::X509StoreContextExtension;
@@ -82,8 +83,8 @@ impl HkdVerifier for CertVerifier {
if verified_crls.is_empty() {
bail_hkd_verify!(NoCrl);
}
- for crl in &verified_crls {
- match crl.get_by_cert(&hkd.to_owned()) {
+ for crl in verified_crls {
+ match crl.get_by_serial(hkd.serial_number()) {
CrlStatus::NotRevoked => (),
_ => bail_hkd_verify!(HdkRevoked),
}
@@ -94,21 +95,54 @@ impl HkdVerifier for CertVerifier {
}
impl CertVerifier {
+ fn quirk_crls(
+ ctx: &mut X509StoreContextRef,
+ subject: &X509NameRef,
+ ) -> Result<Stack<StackableX509Crl>, ErrorStack> {
+ match ctx.crls(subject) {
+ Ok(ret) if !ret.is_empty() => return Ok(ret),
+ _ => (),
+ }
+
+ // Armonk/Poughkeepsie fixup
+ trace!("quirk_crls: Try Locality");
+ if let Some(locality_subject) = helper::armonk_locality_fixup(subject) {
+ match ctx.crls(&locality_subject) {
+ Ok(ret) if !ret.is_empty() => return Ok(ret),
+ _ => (),
+ }
+
+ // reorder
+ trace!("quirk_crls: Try Locality+Reorder");
+ if let Ok(locality_ordered_subject) = helper::reorder_x509_names(&locality_subject) {
+ match ctx.crls(&locality_ordered_subject) {
+ Ok(ret) if !ret.is_empty() => return Ok(ret),
+ _ => (),
+ }
+ }
+ }
+
+ // reorder unchanged loaciliy subject
+ trace!("quirk_crls: Try Reorder");
+ if let Ok(ordered_subject) = helper::reorder_x509_names(subject) {
+ match ctx.crls(&ordered_subject) {
+ Ok(ret) if !ret.is_empty() => return Ok(ret),
+ _ => (),
+ }
+ }
+ // nothing found, return empty stack
+ Stack::new()
+ }
+
///Download the CLRs that a HKD refers to.
pub fn hkd_crls(&self, hkd: &X509Ref) -> Result<Stack<StackableX509Crl>> {
let mut ctx = X509StoreContext::new()?;
// Unfortunately we cannot use a dedicated function here and have to use a closure (E0434)
// Otherwise, we cannot refer to self
+ // Search for local CRLs
let mut crls = ctx.init_opt(&self.store, None, None, |ctx| {
let subject = self.ibm_z_sign_key.subject_name();
- match ctx.crls(subject) {
- Ok(crls) => Ok(crls),
- _ => {
- // reorder the name and try again
- let broken_subj = helper::reorder_x509_names(subject)?;
- ctx.crls(&broken_subj).or_else(helper::stack_err_hlp)
- }
- }
+ Self::quirk_crls(ctx, subject)
})?;
if !self.offline {
Index: s390-tools-service/rust/pv/src/verify/helper.rs
===================================================================
--- s390-tools-service.orig/rust/pv/src/verify/helper.rs
+++ s390-tools-service/rust/pv/src/verify/helper.rs
@@ -13,7 +13,7 @@ use openssl::{
error::ErrorStack,
nid::Nid,
ssl::SslFiletype,
- stack::{Stack, Stackable},
+ stack::Stack,
x509::{
store::{File, X509Lookup, X509StoreBuilder, X509StoreBuilderRef, X509StoreRef},
verify::{X509VerifyFlags, X509VerifyParam},
@@ -25,6 +25,7 @@ use openssl_extensions::{
akid::{AkidCheckResult, AkidExtension},
crl::X509StoreExtension,
};
+use std::str::from_utf8;
use std::{cmp::Ordering, ffi::c_int, time::Duration, usize};
/// Minimum security level for the keys/certificates used to establish a chain of
@@ -39,7 +40,6 @@ const SECURITY_CHAIN_MAX_LEN: c_int = 2;
/// verifies that the HKD
/// * has enough security bits
/// * is inside its validity period
-/// * issuer name is the subject name of the [`sign_key`]
/// * the Authority Key ID matches the Signing Key ID of the [`sign_key`]
pub fn verify_hkd_options(hkd: &X509Ref, sign_key: &X509Ref) -> Result<()> {
let hk_pkey = hkd.public_key()?;
@@ -53,9 +53,6 @@ pub fn verify_hkd_options(hkd: &X509Ref,
// verify that the hkd is still valid
check_validity_period(hkd.not_before(), hkd.not_after())?;
- // check if hkd.issuer_name == issuer.subject
- check_x509_name_equal(sign_key.subject_name(), hkd.issuer_name())?;
-
// verify that the AKID of the hkd matches the SKID of the issuer
if let Some(akid) = hkd.akid() {
if akid.check(sign_key) != AkidCheckResult::OK {
@@ -75,9 +72,6 @@ pub fn verify_crl(crl: &X509CrlRef, issu
return None;
}
}
-
- check_x509_name_equal(crl.issuer_name(), issuer.subject_name()).ok()?;
-
match crl.verify(issuer.public_key().ok()?.as_ref()).ok()? {
true => Some(()),
false => None,
@@ -207,7 +201,8 @@ pub fn download_crls_into_store(store: &
//Asn1StringRef::as_slice aka ASN1_STRING_get0_data gives a string without \0 delimiter
const IBM_Z_COMMON_NAME: &[u8; 43usize] = b"International Business Machines Corporation";
const IBM_Z_COUNTRY_NAME: &[u8; 2usize] = b"US";
-const IBM_Z_LOCALITY_NAME: &[u8; 12usize] = b"Poughkeepsie";
+const IBM_Z_LOCALITY_NAME_POUGHKEEPSIE: &[u8; 12usize] = b"Poughkeepsie";
+const IBM_Z_LOCALITY_NAME_ARMONK: &[u8; 6usize] = b"Armonk";
const IBM_Z_ORGANIZATIONAL_UNIT_NAME_SUFFIX: &str = "Key Signing Service";
const IBM_Z_ORGANIZATION_NAME: &[u8; 43usize] = b"International Business Machines Corporation";
const IBM_Z_STATE: &[u8; 8usize] = b"New York";
@@ -226,7 +221,8 @@ fn is_ibm_signing_cert(cert: &X509) -> b
if subj.entries().count() != IMB_Z_ENTRY_COUNT
|| !name_data_eq(subj, Nid::COUNTRYNAME, IBM_Z_COUNTRY_NAME)
|| !name_data_eq(subj, Nid::STATEORPROVINCENAME, IBM_Z_STATE)
- || !name_data_eq(subj, Nid::LOCALITYNAME, IBM_Z_LOCALITY_NAME)
+ || !(name_data_eq(subj, Nid::LOCALITYNAME, IBM_Z_LOCALITY_NAME_POUGHKEEPSIE)
+ || name_data_eq(subj, Nid::LOCALITYNAME, IBM_Z_LOCALITY_NAME_ARMONK))
|| !name_data_eq(subj, Nid::ORGANIZATIONNAME, IBM_Z_ORGANIZATION_NAME)
|| !name_data_eq(subj, Nid::COMMONNAME, IBM_Z_COMMON_NAME)
{
@@ -367,24 +363,6 @@ fn check_validity_period(not_before: &As
}
}
-fn check_x509_name_equal(lhs: &X509NameRef, rhs: &X509NameRef) -> Result<()> {
- if lhs.entries().count() != rhs.entries().count() {
- bail_hkd_verify!(IssuerMismatch);
- }
-
- for l in lhs.entries() {
- // search for the matching value in the rhs names
- // found none? -> names are not equal
- if !rhs
- .entries()
- .any(|r| l.data().as_slice() == r.data().as_slice())
- {
- bail_hkd_verify!(IssuerMismatch);
- }
- }
- Ok(())
-}
-
const NIDS_CORRECT_ORDER: [Nid; 6] = [
Nid::COUNTRYNAME,
Nid::ORGANIZATIONNAME,
@@ -407,13 +385,28 @@ pub fn reorder_x509_names(subject: &X509
Ok(correct_subj.build())
}
-pub fn stack_err_hlp<T: Stackable>(
- e: ErrorStack,
-) -> std::result::Result<Stack<T>, openssl::error::ErrorStack> {
- match e.errors().len() {
- 0 => Stack::<T>::new(),
- _ => Err(e),
+/**
+* Workaround for potential locality mismatches between CRLs and Certs
+* # Return
+* fixed subject or none if locality was not Armonk or any OpenSSL error
+*/
+pub fn armonk_locality_fixup(subject: &X509NameRef) -> Option<X509Name> {
+ if !name_data_eq(subject, Nid::LOCALITYNAME, IBM_Z_LOCALITY_NAME_ARMONK) {
+ return None;
+ }
+
+ let mut ret = X509Name::builder().ok()?;
+ for entry in subject.entries() {
+ match entry.object().nid() {
+ nid @ Nid::LOCALITYNAME => ret
+ .append_entry_by_nid(nid, from_utf8(IBM_Z_LOCALITY_NAME_POUGHKEEPSIE).ok()?)
+ .ok()?,
+ _ => {
+ ret.append_entry(entry).ok()?;
+ }
+ }
}
+ Some(ret.build())
}
#[cfg(test)]
@@ -451,20 +444,6 @@ mod test {
));
}
- #[test]
- fn x509_name_equal() {
- let sign_crt = load_gen_cert("ibm.crt");
- let hkd = load_gen_cert("host.crt");
- let other = load_gen_cert("inter_ca.crt");
-
- assert!(super::check_x509_name_equal(sign_crt.subject_name(), hkd.issuer_name()).is_ok(),);
-
- assert!(matches!(
- super::check_x509_name_equal(other.subject_name(), hkd.subject_name()),
- Err(Error::HkdVerify(IssuerMismatch))
- ));
- }
-
#[test]
fn is_ibm_z_sign_key() {
let ibm_crt = load_gen_cert("ibm.crt");
Index: s390-tools-service/rust/pv/src/verify/test.rs
===================================================================
--- s390-tools-service.orig/rust/pv/src/verify/test.rs
+++ s390-tools-service/rust/pv/src/verify/test.rs
@@ -84,7 +84,6 @@ fn verify_online() {
let inter_crt = get_cert_asset_path_string("inter_ca.crt");
let ibm_crt = get_cert_asset_path_string("ibm.crt");
let hkd_revoked = load_gen_cert("host_rev.crt");
- let hkd_inv = load_gen_cert("host_invalid_signing_key.crt");
let hkd_exp = load_gen_cert("host_crt_expired.crt");
let hkd = load_gen_cert("host.crt");
@@ -112,11 +111,6 @@ fn verify_online() {
));
assert!(matches!(
- verifier.verify(&hkd_inv),
- Err(Error::HkdVerify(IssuerMismatch))
- ));
-
- assert!(matches!(
verifier.verify(&hkd_exp),
Err(Error::HkdVerify(AfterValidity))
));
@@ -130,7 +124,6 @@ fn verify_offline() {
let ibm_crt = get_cert_asset_path_string("ibm.crt");
let ibm_crl = get_cert_asset_path_string("ibm.crl");
let hkd_revoked = load_gen_cert("host_rev.crt");
- let hkd_inv = load_gen_cert("host_invalid_signing_key.crt");
let hkd_exp = load_gen_cert("host_crt_expired.crt");
let hkd = load_gen_cert("host.crt");
@@ -149,11 +142,6 @@ fn verify_offline() {
));
assert!(matches!(
- verifier.verify(&hkd_inv),
- Err(Error::HkdVerify(IssuerMismatch))
- ));
-
- assert!(matches!(
verifier.verify(&hkd_exp),
Err(Error::HkdVerify(AfterValidity))
));
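Review bot: The helper.rs hunks drop `check_x509_name_equal` from both `verify_hkd_options` (the `hkd.issuer_name == sign_key.subject_name` comparison) and `verify_crl` (CRL issuer vs. issuer subject), so issuer binding now rests on the AKID comparison, which is only performed `if let Some(akid)`, and on the signature. For `verify_crl` the signature check against `issuer.public_key()` is visible in the hunk, but for the HKD the signature verification is not, so the patch description should state where an HKD without an AKID extension is still signature-verified, and the `verify_hkd_options` doc comment should say explicitly that the issuer name is intentionally not compared because of the Armonk/Poughkeepsie and attribute-order mismatches. In `quirk_crls`, every `Err` from `ctx.crls` is folded into the empty-stack result that the caller turns into `NoCrl`; that is fail-closed but hides the OpenSSL error, so at least `trace!` the error in the `_ => ()` arms. The comment `// reorder unchanged loaciliy subject` should read `// reorder unchanged locality subject`.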


@ -0,0 +1,97 @@
From 3ea6d6dfd2eb120ffee4c44ff51b7e9e7a9097a6 Mon Sep 17 00:00:00 2001
From: Thomas Blume <Thomas.Blume@suse.com>
Date: Thu, 28 Mar 2024 13:32:46 +0100
Subject: [PATCH] parse ipl device for activation
ported from dracut modules
---
zdev/dracut/95zdev/parse-dasd.sh | 15 ++++++++---
zdev/dracut/95zdev/parse-zfcp.sh | 46 +++++++++++++++++++-------------
2 files changed, 39 insertions(+), 22 deletions(-)
diff --git a/zdev/dracut/95zdev/parse-dasd.sh b/zdev/dracut/95zdev/parse-dasd.sh
index a97801f..eb2fa64 100644
--- a/zdev/dracut/95zdev/parse-dasd.sh
+++ b/zdev/dracut/95zdev/parse-dasd.sh
@@ -27,9 +27,18 @@ zdev_vinfo() {
zdev_parse_rd_dasd() {
local _zdev_dasd _zdev_dasd_list
- for _zdev_dasd in $(getargs rd.dasd -d 'rd_DASD='); do
- _zdev_dasd_list="${_zdev_dasd_list:+${_zdev_dasd_list},}$_zdev_dasd"
- done
+ # autodetect active bootdev from zipl device
+ if ! getargbool 0 'rd.dasd' \
+ && [[ -f /sys/firmware/ipl/ipl_type ]] \
+ && [[ $(< /sys/firmware/ipl/ipl_type) == "ccw" ]]; then
+ read -r _ccw < /sys/firmware/ipl/device
+
+ chzdev --offline --existing --enable --active dasd "$_ccw"
+ else
+ for _zdev_dasd in $(getargs rd.dasd -d 'rd_DASD='); do
+ _zdev_dasd_list="${_zdev_dasd_list:+${_zdev_dasd_list},}$_zdev_dasd"
+ done
+ fi
echo "$_zdev_dasd_list"
}
diff --git a/zdev/dracut/95zdev/parse-zfcp.sh b/zdev/dracut/95zdev/parse-zfcp.sh
index 715aa00..6279beb 100644
--- a/zdev/dracut/95zdev/parse-zfcp.sh
+++ b/zdev/dracut/95zdev/parse-zfcp.sh
@@ -12,25 +12,33 @@
zdev_zfcp_base_args="--no-settle --yes --no-root-update --force"
-for zdev_zfcp_arg in $(getargs rd.zfcp -d 'rd_ZFCP='); do
- (
- IFS_SAVED="$IFS"
- IFS="," # did not work in front of built-in set command below
- # shellcheck disable=SC2086
- set -- $zdev_zfcp_arg
- IFS=":" args="$*"
- IFS="$IFS_SAVED"
- echo "rd.zfcp ${zdev_zfcp_arg} :" | zdev_vinfo
- if [ "$#" -eq 1 ]; then
+# autodetect active bootdev from zipl device
+if ! getargbool 0 'rd.zfcp' \
+ && [[ -f /sys/firmware/ipl/ipl_type ]] \
+ && [[ $(< /sys/firmware/ipl/ipl_type) == "fcp" ]]; then
+ chzdev --offline --existing --enable --active zfcp-host 2>&1 | zdev_vinfo
+else
+ for zdev_zfcp_arg in $(getargs rd.zfcp -d 'rd_ZFCP='); do
+ (
+ IFS_SAVED="$IFS"
+ IFS="," # did not work in front of built-in set command below
# shellcheck disable=SC2086
- chzdev --enable --persistent $zdev_zfcp_base_args \
- zfcp-host "$args" 2>&1 | zdev_vinfo
- else
- # shellcheck disable=SC2086
- chzdev --enable --persistent $zdev_zfcp_base_args \
- zfcp-lun "$args" 2>&1 | zdev_vinfo
- fi
- )
-done
+ set -- $zdev_zfcp_arg
+ IFS=":" args="$*"
+ IFS="$IFS_SAVED"
+ echo "rd.zfcp ${zdev_zfcp_arg} :" | zdev_vinfo
+ if [ "$#" -eq 1 ]; then
+ # shellcheck disable=SC2086
+ chzdev --enable --persistent $zdev_zfcp_base_args \
+ zfcp-host "$args" 2>&1 | zdev_vinfo
+ else
+ # shellcheck disable=SC2086
+ chzdev --enable --persistent $zdev_zfcp_base_args \
+ zfcp-lun "$args" 2>&1 | zdev_vinfo
+ fi
+ )
+ done
+fi
+
unset zdev_zfcp_arg
unset zdev_zfcp_base_args
--
2.44.0
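Review bot: In the new autodetect branch of `zdev_parse_rd_dasd` (parse-dasd.sh), `_ccw` is assigned by `read -r _ccw < /sys/firmware/ipl/device` but is not in the function's `local` list, so it leaks into the caller's scope; change the declaration to `local _zdev_dasd _zdev_dasd_list _ccw`. The read is also unguarded: if `/sys/firmware/ipl/device` is missing or empty, `chzdev` is invoked with an empty device id, so add `[[ -r /sys/firmware/ipl/device ]]` to the condition or check that `_ccw` is non-empty before the call. Unlike the zfcp counterpart, the chzdev output is not routed through `zdev_vinfo`; `chzdev --offline --existing --enable --active dasd "$_ccw" 2>&1 | zdev_vinfo` keeps the two scripts consistent. In this branch `_zdev_dasd_list` stays empty and is still echoed, which looks intentional but deserves a one-line comment.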


@ -0,0 +1,304 @@
Index: s390-tools-service/genprotimg/src/include/pv_crypto_def.h
===================================================================
--- s390-tools-service.orig/genprotimg/src/include/pv_crypto_def.h
+++ s390-tools-service/genprotimg/src/include/pv_crypto_def.h
@@ -17,7 +17,8 @@
/* IBM signing key subject */
#define PV_IBM_Z_SUBJECT_COMMON_NAME "International Business Machines Corporation"
#define PV_IBM_Z_SUBJECT_COUNTRY_NAME "US"
-#define PV_IBM_Z_SUBJECT_LOCALITY_NAME "Poughkeepsie"
+#define PV_IBM_Z_SUBJECT_LOCALITY_NAME_POUGHKEEPSIE "Poughkeepsie"
+#define PV_IBM_Z_SUBJECT_LOCALITY_NAME_ARMONK "Armonk"
#define PV_IBM_Z_SUBJECT_ORGANIZATIONONAL_UNIT_NAME_SUFFIX "Key Signing Service"
#define PV_IBM_Z_SUBJECT_ORGANIZATION_NAME "International Business Machines Corporation"
#define PV_IBM_Z_SUBJECT_STATE "New York"
Index: s390-tools-service/genprotimg/src/utils/crypto.c
===================================================================
--- s390-tools-service.orig/genprotimg/src/utils/crypto.c
+++ s390-tools-service/genprotimg/src/utils/crypto.c
@@ -664,62 +664,9 @@ static gboolean x509_name_data_by_nid_eq
return memcmp(data, y, data_len) == 0;
}
-static gboolean own_X509_NAME_ENTRY_equal(const X509_NAME_ENTRY *x,
- const X509_NAME_ENTRY *y)
-{
- const ASN1_OBJECT *x_obj = X509_NAME_ENTRY_get_object(x);
- const ASN1_STRING *x_data = X509_NAME_ENTRY_get_data(x);
- const ASN1_OBJECT *y_obj = X509_NAME_ENTRY_get_object(y);
- const ASN1_STRING *y_data = X509_NAME_ENTRY_get_data(y);
- gint x_len = ASN1_STRING_length(x_data);
- gint y_len = ASN1_STRING_length(y_data);
-
- if (x_len < 0 || x_len != y_len)
- return FALSE;
-
- /* ASN1_STRING_cmp(x_data, y_data) == 0 doesn't work because it also
- * compares the type, which is sometimes different.
- */
- return OBJ_cmp(x_obj, y_obj) == 0 &&
- memcmp(ASN1_STRING_get0_data(x_data),
- ASN1_STRING_get0_data(y_data),
- (unsigned long)x_len) == 0;
-}
-
-static gboolean own_X509_NAME_equal(const X509_NAME *x, const X509_NAME *y)
-{
- gint x_count = X509_NAME_entry_count(x);
- gint y_count = X509_NAME_entry_count(y);
-
- if (x != y && (!x || !y))
- return FALSE;
-
- if (x_count != y_count)
- return FALSE;
-
- for (gint i = 0; i < x_count; i++) {
- const X509_NAME_ENTRY *entry_i = X509_NAME_get_entry(x, i);
- gboolean entry_found = FALSE;
-
- for (gint j = 0; j < y_count; j++) {
- const X509_NAME_ENTRY *entry_j =
- X509_NAME_get_entry(y, j);
-
- if (own_X509_NAME_ENTRY_equal(entry_i, entry_j)) {
- entry_found = TRUE;
- break;
- }
- }
-
- if (!entry_found)
- return FALSE;
- }
- return TRUE;
-}
-
/* Checks whether the subject of @cert is a IBM signing key subject. For this we
* must check that the subject is equal to: 'C = US, ST = New York, L =
- * Poughkeepsie, O = International Business Machines Corporation, CN =
+ * Poughkeepsie or Armonk, O = International Business Machines Corporation, CN =
* International Business Machines Corporation' and the organization unit (OUT)
* must end with the suffix ' Key Signing Service'.
*/
@@ -743,8 +690,10 @@ static gboolean has_ibm_signing_subject(
PV_IBM_Z_SUBJECT_STATE))
return FALSE;
- if (!x509_name_data_by_nid_equal(subject, NID_localityName,
- PV_IBM_Z_SUBJECT_LOCALITY_NAME))
+ if (!(x509_name_data_by_nid_equal(subject, NID_localityName,
+ PV_IBM_Z_SUBJECT_LOCALITY_NAME_POUGHKEEPSIE) ||
+ x509_name_data_by_nid_equal(subject, NID_localityName,
+ PV_IBM_Z_SUBJECT_LOCALITY_NAME_ARMONK)))
return FALSE;
if (!x509_name_data_by_nid_equal(subject, NID_organizationName,
@@ -806,6 +755,39 @@ static X509_NAME *x509_name_reorder_attr
return g_steal_pointer(&ret);
}
+/** Replace locality 'Armonk' with 'Pougkeepsie'. If Armonk was not set return
+ * `NULL`.
+ */
+static X509_NAME *x509_armonk_locality_fixup(const X509_NAME *name)
+{
+ g_autoptr(X509_NAME) ret = NULL;
+ int pos;
+
+ /* Check if ``L=Armonk`` */
+ if (!x509_name_data_by_nid_equal((X509_NAME *)name, NID_localityName,
+ PV_IBM_Z_SUBJECT_LOCALITY_NAME_ARMONK))
+ return NULL;
+
+ ret = X509_NAME_dup(name);
+ if (!ret)
+ g_abort();
+
+ pos = X509_NAME_get_index_by_NID(ret, NID_localityName, -1);
+ if (pos == -1)
+ return NULL;
+
+ X509_NAME_ENTRY_free(X509_NAME_delete_entry(ret, pos));
+
+ /* Create a new name entry at the same position as before */
+ if (X509_NAME_add_entry_by_NID(
+ ret, NID_localityName, MBSTRING_UTF8,
+ (const unsigned char *)&PV_IBM_Z_SUBJECT_LOCALITY_NAME_POUGHKEEPSIE,
+ sizeof(PV_IBM_Z_SUBJECT_LOCALITY_NAME_POUGHKEEPSIE) - 1, pos, 0) != 1)
+ return NULL;
+
+ return g_steal_pointer(&ret);
+}
+
/* In RFC 5280 the attributes of a (subject/issuer) name is not mandatory
* ordered. The problem is that our certificates are not consistent in the order
* (see https://tools.ietf.org/html/rfc5280#section-4.1.2.4 for details).
@@ -828,24 +810,10 @@ X509_NAME *c2b_name(const X509_NAME *nam
return X509_NAME_dup((X509_NAME *)name);
}
-/* Verify that: subject(issuer) == issuer(crl) and SKID(issuer) == AKID(crl) */
+/* Verify that SKID(issuer) == AKID(crl) if available */
static gint check_crl_issuer(X509_CRL *crl, X509 *issuer, GError **err)
{
- const X509_NAME *crl_issuer = X509_CRL_get_issuer(crl);
- const X509_NAME *issuer_subject = X509_get_subject_name(issuer);
- AUTHORITY_KEYID *akid = NULL;
-
- if (!own_X509_NAME_equal(issuer_subject, crl_issuer)) {
- g_autofree char *issuer_subject_str = X509_NAME_oneline(issuer_subject,
- NULL, 0);
- g_autofree char *crl_issuer_str = X509_NAME_oneline(crl_issuer, NULL, 0);
-
- g_set_error(err, PV_CRYPTO_ERROR,
- PV_CRYPTO_ERROR_CRL_SUBJECT_ISSUER_MISMATCH,
- _("issuer mismatch:\n%s\n%s"),
- issuer_subject_str, crl_issuer_str);
- return -1;
- }
+ g_autoptr(AUTHORITY_KEYID) akid = NULL;
/* If AKID(@crl) is specified it must match with SKID(@issuer) */
akid = X509_CRL_get_ext_d2i(crl, NID_authority_key_identifier, NULL, NULL);
@@ -881,7 +849,6 @@ gint check_crl_valid_for_cert(X509_CRL *
return -1;
}
- /* check that the @crl issuer matches with the subject name of @cert*/
if (check_crl_issuer(crl, cert, err) < 0)
return -1;
@@ -910,6 +877,60 @@ gint check_crl_valid_for_cert(X509_CRL *
return 0;
}
+/* This function contains work-arounds for some known subject(CRT)<->issuer(CRL)
+ * issues.
+ */
+static STACK_OF_X509_CRL *quirk_X509_STORE_ctx_get1_crls(X509_STORE_CTX *ctx,
+ const X509_NAME *subject, GError **err)
+{
+ g_autoptr(X509_NAME) fixed_subject = NULL;
+ g_autoptr(STACK_OF_X509_CRL) ret = NULL;
+
+ ret = Pv_X509_STORE_CTX_get1_crls(ctx, subject);
+ if (ret && sk_X509_CRL_num(ret) > 0)
+ return g_steal_pointer(&ret);
+
+ /* Workaround to fix the mismatch between issuer name of the * IBM
+ * signing CRLs and the IBM signing key subject name. Locality name has
+ * changed from Poughkeepsie to Armonk.
+ */
+ fixed_subject = x509_armonk_locality_fixup(subject);
+ /* Was the locality replaced? */
+ if (fixed_subject) {
+ X509_NAME *tmp;
+
+ sk_X509_CRL_free(ret);
+ ret = Pv_X509_STORE_CTX_get1_crls(ctx, fixed_subject);
+ if (ret && sk_X509_CRL_num(ret) > 0)
+ return g_steal_pointer(&ret);
+
+ /* Workaround to fix the ordering mismatch between issuer name
+ * of the IBM signing CRLs and the IBM signing key subject name.
+ */
+ tmp = fixed_subject;
+ fixed_subject = c2b_name(fixed_subject);
+ X509_NAME_free(tmp);
+ sk_X509_CRL_free(ret);
+ ret = Pv_X509_STORE_CTX_get1_crls(ctx, fixed_subject);
+ if (ret && sk_X509_CRL_num(ret) > 0)
+ return g_steal_pointer(&ret);
+ X509_NAME_free(fixed_subject);
+ fixed_subject = NULL;
+ }
+
+ /* Workaround to fix the ordering mismatch between issuer name of the
+ * IBM signing CRLs and the IBM signing key subject name.
+ */
+ fixed_subject = c2b_name(subject);
+ sk_X509_CRL_free(ret);
+ ret = Pv_X509_STORE_CTX_get1_crls(ctx, fixed_subject);
+ if (ret && sk_X509_CRL_num(ret) > 0)
+ return g_steal_pointer(&ret);
+
+ g_set_error(err, PV_CRYPTO_ERROR, PV_CRYPTO_ERROR_NO_CRL, _("no CRL found"));
+ return NULL;
+}
+
/* Given a certificate @cert try to find valid revocation lists in @ctx. If no
* valid CRL was found NULL is returned.
*/
@@ -927,20 +948,9 @@ STACK_OF_X509_CRL *store_ctx_find_valid_
return NULL;
}
- ret = X509_STORE_CTX_get1_crls(ctx, subject);
- if (!ret) {
- /* Workaround to fix the mismatch between issuer name of the
- * IBM Z signing CRLs and the IBM Z signing key subject name.
- */
- g_autoptr(X509_NAME) broken_subject = c2b_name(subject);
-
- ret = X509_STORE_CTX_get1_crls(ctx, broken_subject);
- if (!ret) {
- g_set_error(err, PV_CRYPTO_ERROR, PV_CRYPTO_ERROR_NO_CRL,
- _("no CRL found"));
- return NULL;
- }
- }
+ ret = quirk_X509_STORE_ctx_get1_crls(ctx, subject, err);
+ if (!ret)
+ return NULL;
/* Filter out non-valid CRLs for @cert */
for (gint i = 0; i < sk_X509_CRL_num(ret); i++) {
@@ -1328,32 +1338,14 @@ gint check_chain_parameters(const STACK_
/* It's almost the same as X509_check_issed from OpenSSL does except that we
* don't check the key usage of the potential issuer. This means we check:
- * 1. issuer_name(cert) == subject_name(issuer)
- * 2. Check whether the akid(cert) (if available) matches the issuer skid
- * 3. Check that the cert algrithm matches the subject algorithm
- * 4. Verify the signature of certificate @cert is using the public key of
+ * 1. Check whether the akid(cert) (if available) matches the issuer skid
+ * 2. Check that the cert algrithm matches the subject algorithm
+ * 3. Verify the signature of certificate @cert is using the public key of
* @issuer.
*/
static gint check_host_key_issued(X509 *cert, X509 *issuer, GError **err)
{
- const X509_NAME *issuer_subject = X509_get_subject_name(issuer);
- const X509_NAME *cert_issuer = X509_get_issuer_name(cert);
- AUTHORITY_KEYID *akid = NULL;
-
- /* We cannot use X509_NAME_cmp() because it considers the order of the
- * X509_NAME_Entries.
- */
- if (!own_X509_NAME_equal(issuer_subject, cert_issuer)) {
- g_autofree char *issuer_subject_str =
- X509_NAME_oneline(issuer_subject, NULL, 0);
- g_autofree char *cert_issuer_str =
- X509_NAME_oneline(cert_issuer, NULL, 0);
- g_set_error(err, PV_CRYPTO_ERROR,
- PV_CRYPTO_ERROR_CERT_SUBJECT_ISSUER_MISMATCH,
- _("Subject issuer mismatch:\n'%s'\n'%s'"),
- issuer_subject_str, cert_issuer_str);
- return -1;
- }
+ g_autoptr(AUTHORITY_KEYID) akid = NULL;
akid = X509_get_ext_d2i(cert, NID_authority_key_identifier, NULL, NULL);
if (akid && X509_check_akid(issuer, akid) != X509_V_OK) {
Index: s390-tools-service/genprotimg/src/utils/crypto.h
===================================================================
--- s390-tools-service.orig/genprotimg/src/utils/crypto.h
+++ s390-tools-service/genprotimg/src/utils/crypto.h
@@ -75,6 +75,7 @@ void x509_pair_free(x509_pair *pair);
/* Register auto cleanup functions */
WRAPPED_G_DEFINE_AUTOPTR_CLEANUP_FUNC(ASN1_INTEGER, ASN1_INTEGER_free)
WRAPPED_G_DEFINE_AUTOPTR_CLEANUP_FUNC(ASN1_OCTET_STRING, ASN1_OCTET_STRING_free)
+WRAPPED_G_DEFINE_AUTOPTR_CLEANUP_FUNC(AUTHORITY_KEYID, AUTHORITY_KEYID_free)
WRAPPED_G_DEFINE_AUTOPTR_CLEANUP_FUNC(BIGNUM, BN_free)
WRAPPED_G_DEFINE_AUTOPTR_CLEANUP_FUNC(BIO, BIO_free_all)
WRAPPED_G_DEFINE_AUTOPTR_CLEANUP_FUNC(BN_CTX, BN_CTX_free)
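Review bot: In `quirk_X509_STORE_ctx_get1_crls` (crypto.c) the results of `c2b_name()` are passed straight to `Pv_X509_STORE_CTX_get1_crls` without a NULL check (`fixed_subject = c2b_name(fixed_subject);` and `fixed_subject = c2b_name(subject);`), although the visible tail of `c2b_name` returns `X509_NAME_dup()`, which can fail, and `x509_armonk_locality_fixup` in the same patch treats that failure as fatal with `g_abort()`; either mirror that policy or add `if (!fixed_subject) return NULL;` with an error set after each call so a NULL name never reaches the store lookup. In `x509_armonk_locality_fixup`, `(const unsigned char *)&PV_IBM_Z_SUBJECT_LOCALITY_NAME_POUGHKEEPSIE` takes the address of a string-literal array, which happens to equal the literal's address, but the conventional and clearer form is `(const unsigned char *)PV_IBM_Z_SUBJECT_LOCALITY_NAME_POUGHKEEPSIE`; its header comment also misspells Poughkeepsie. Removing `own_X509_NAME_equal` from `check_crl_issuer` and `check_host_key_issued` leaves the AKID/SKID match as the only name-level binding, and it is skipped when the AKID is absent, so the updated "if available" comments should state that the signature verification that follows is what binds issuer and subject in that case.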


@ -0,0 +1,224 @@
Index: s390-tools-service/include/libpv/cert.h
===================================================================
--- s390-tools-service.orig/include/libpv/cert.h
+++ s390-tools-service/include/libpv/cert.h
@@ -16,7 +16,8 @@
#define PV_IBM_Z_SUBJECT_COMMON_NAME "International Business Machines Corporation"
#define PV_IBM_Z_SUBJECT_COUNTRY_NAME "US"
-#define PV_IBM_Z_SUBJECT_LOCALITY_NAME "Poughkeepsie"
+#define PV_IBM_Z_SUBJECT_LOCALITY_NAME_POUGHKEEPSIE "Poughkeepsie"
+#define PV_IBM_Z_SUBJECT_LOCALITY_NAME_ARMONK "Armonk"
#define PV_IBM_Z_SUBJECT_ORGANIZATIONAL_UNIT_NAME_SUFFIX "Key Signing Service"
#define PV_IBM_Z_SUBJECT_ORGANIZATION_NAME "International Business Machines Corporation"
#define PV_IBM_Z_SUBJECT_STATE "New York"
Index: s390-tools-service/libpv/cert.c
===================================================================
--- s390-tools-service.orig/libpv/cert.c
+++ s390-tools-service/libpv/cert.c
@@ -857,7 +857,7 @@ static gboolean x509_name_data_by_nid_eq
/* Checks whether the subject of @cert is a IBM signing key subject. For this we
* must check that the subject is equal to: 'C = US, ST = New York, L =
- * Poughkeepsie, O = International Business Machines Corporation, CN =
+ * Poughkeepsie or Armonk, O = International Business Machines Corporation, CN =
* International Business Machines Corporation' and the organization unit (OUT)
* must end with the suffix ' Key Signing Service'.
*/
@@ -879,7 +879,10 @@ static gboolean has_ibm_signing_subject(
if (!x509_name_data_by_nid_equal(subject, NID_stateOrProvinceName, PV_IBM_Z_SUBJECT_STATE))
return FALSE;
- if (!x509_name_data_by_nid_equal(subject, NID_localityName, PV_IBM_Z_SUBJECT_LOCALITY_NAME))
+ if (!(x509_name_data_by_nid_equal(subject, NID_localityName,
+ PV_IBM_Z_SUBJECT_LOCALITY_NAME_POUGHKEEPSIE) ||
+ x509_name_data_by_nid_equal(subject, NID_localityName,
+ PV_IBM_Z_SUBJECT_LOCALITY_NAME_ARMONK)))
return FALSE;
if (!x509_name_data_by_nid_equal(subject, NID_organizationName,
@@ -1085,10 +1088,9 @@ static int check_signature_algo_match(co
/* It's almost the same as X509_check_issed from OpenSSL does except that we
* don't check the key usage of the potential issuer. This means we check:
- * 1. issuer_name(cert) == subject_name(issuer)
- * 2. Check whether the akid(cert) (if available) matches the issuer skid
- * 3. Check that the cert algrithm matches the subject algorithm
- * 4. Verify the signature of certificate @cert is using the public key of
+ * 1. Check whether the akid(cert) (if available) matches the issuer skid
+ * 2. Check that the cert algrithm matches the subject algorithm
+ * 3. Verify the signature of certificate @cert is using the public key of
* @issuer.
*/
static int check_host_key_issued(X509 *cert, X509 *issuer, GError **error)
@@ -1097,19 +1099,6 @@ static int check_host_key_issued(X509 *c
const X509_NAME *cert_issuer = X509_get_issuer_name(cert);
g_autoptr(AUTHORITY_KEYID) akid = NULL;
- /* We cannot use X509_NAME_cmp() because it considers the order of the
- * X509_NAME_Entries.
- */
- if (!own_X509_NAME_equal(issuer_subject, cert_issuer)) {
- g_autofree char *issuer_subject_str = pv_X509_NAME_oneline(issuer_subject);
- g_autofree char *cert_issuer_str = pv_X509_NAME_oneline(cert_issuer);
-
- g_set_error(error, PV_CERT_ERROR, PV_CERT_ERROR_CERT_SUBJECT_ISSUER_MISMATCH,
- _("Subject issuer mismatch:\n'%s'\n'%s'"), issuer_subject_str,
- cert_issuer_str);
- return -1;
- }
-
akid = X509_get_ext_d2i(cert, NID_authority_key_identifier, NULL, NULL);
if (akid && X509_check_akid(issuer, akid) != X509_V_OK) {
g_set_error(error, PV_CERT_ERROR, PV_CERT_ERROR_SKID_AKID_MISMATCH,
@@ -1286,21 +1275,10 @@ int pv_verify_cert(X509_STORE_CTX *ctx,
return 0;
}
-/* Verify that: subject(issuer) == issuer(crl) and SKID(issuer) == AKID(crl) */
+/* Verify that SKID(issuer) == AKID(crl) */
static int check_crl_issuer(X509_CRL *crl, X509 *issuer, GError **error)
{
- const X509_NAME *crl_issuer = X509_CRL_get_issuer(crl);
- const X509_NAME *issuer_subject = X509_get_subject_name(issuer);
- AUTHORITY_KEYID *akid = NULL;
-
- if (!own_X509_NAME_equal(issuer_subject, crl_issuer)) {
- g_autofree char *issuer_subject_str = pv_X509_NAME_oneline(issuer_subject);
- g_autofree char *crl_issuer_str = pv_X509_NAME_oneline(crl_issuer);
-
- g_set_error(error, PV_CERT_ERROR, PV_CERT_ERROR_CRL_SUBJECT_ISSUER_MISMATCH,
- _("issuer mismatch:\n%s\n%s"), issuer_subject_str, crl_issuer_str);
- return -1;
- }
+ g_autoptr(AUTHORITY_KEYID) akid = NULL;
/* If AKID(@crl) is specified it must match with SKID(@issuer) */
akid = X509_CRL_get_ext_d2i(crl, NID_authority_key_identifier, NULL, NULL);
@@ -1325,7 +1303,6 @@ int pv_verify_crl(X509_CRL *crl, X509 *c
return -1;
}
- /* check that the @crl issuer matches with the subject name of @cert*/
if (check_crl_issuer(crl, cert, error) < 0)
return -1;
@@ -1393,6 +1370,93 @@ int pv_check_chain_parameters(const STAC
return 0;
}
+/** Replace locality 'Armonk' with 'Pougkeepsie'. If Armonk was not set return
+ * `NULL`.
+ */
+static X509_NAME *x509_armonk_locality_fixup(const X509_NAME *name)
+{
+ g_autoptr(X509_NAME) ret = NULL;
+ int pos;
+
+ /* Check if ``L=Armonk`` */
+ if (!x509_name_data_by_nid_equal((X509_NAME *)name, NID_localityName,
+ PV_IBM_Z_SUBJECT_LOCALITY_NAME_ARMONK))
+ return NULL;
+
+ ret = X509_NAME_dup(name);
+ if (!ret)
+ g_abort();
+
+ pos = X509_NAME_get_index_by_NID(ret, NID_localityName, -1);
+ if (pos == -1)
+ return NULL;
+
+ X509_NAME_ENTRY_free(X509_NAME_delete_entry(ret, pos));
+
+ /* Create a new name entry at the same position as before */
+ if (X509_NAME_add_entry_by_NID(
+ ret, NID_localityName, MBSTRING_UTF8,
+ (const unsigned char *)&PV_IBM_Z_SUBJECT_LOCALITY_NAME_POUGHKEEPSIE,
+ sizeof(PV_IBM_Z_SUBJECT_LOCALITY_NAME_POUGHKEEPSIE) - 1, pos, 0) != 1)
+ return NULL;
+
+ return g_steal_pointer(&ret);
+}
+
+/* This function contains work-arounds for some known subject(CRT)<->issuer(CRL)
+ * issues.
+ */
+static STACK_OF_X509_CRL *quirk_X509_STORE_ctx_get1_crls(X509_STORE_CTX *ctx,
+ const X509_NAME *subject, GError **err)
+{
+ g_autoptr(X509_NAME) fixed_subject = NULL;
+ g_autoptr(STACK_OF_X509_CRL) ret = NULL;
+
+ ret = pv_X509_STORE_CTX_get1_crls(ctx, subject);
+ if (ret && sk_X509_CRL_num(ret) > 0)
+ return g_steal_pointer(&ret);
+
+ /* Workaround to fix the mismatch between issuer name of the * IBM
+ * signing CRLs and the IBM signing key subject name. Locality name has
+ * changed from Poughkeepsie to Armonk.
+ */
+ fixed_subject = x509_armonk_locality_fixup(subject);
+ /* Was the locality replaced? */
+ if (fixed_subject) {
+ X509_NAME *tmp;
+
+ sk_X509_CRL_free(ret);
+ ret = pv_X509_STORE_CTX_get1_crls(ctx, fixed_subject);
+ if (ret && sk_X509_CRL_num(ret) > 0)
+ return g_steal_pointer(&ret);
+
+ /* Workaround to fix the ordering mismatch between issuer name
+ * of the IBM signing CRLs and the IBM signing key subject name.
+ */
+ tmp = fixed_subject;
+ fixed_subject = pv_c2b_name(fixed_subject);
+ X509_NAME_free(tmp);
+ sk_X509_CRL_free(ret);
+ ret = pv_X509_STORE_CTX_get1_crls(ctx, fixed_subject);
+ if (ret && sk_X509_CRL_num(ret) > 0)
+ return g_steal_pointer(&ret);
+ X509_NAME_free(fixed_subject);
+ fixed_subject = NULL;
+ }
+
+ /* Workaround to fix the ordering mismatch between issuer name of the
+ * IBM signing CRLs and the IBM signing key subject name.
+ */
+ fixed_subject = pv_c2b_name(subject);
+ sk_X509_CRL_free(ret);
+ ret = pv_X509_STORE_CTX_get1_crls(ctx, fixed_subject);
+ if (ret && sk_X509_CRL_num(ret) > 0)
+ return g_steal_pointer(&ret);
+
+ g_set_error(err, PV_CERT_ERROR, PV_CERT_ERROR_NO_CRL, _("no CRL found"));
+ return NULL;
+}
+
/* Given a certificate @cert try to find valid revocation lists in @ctx. If no
* valid CRL was found NULL is returned.
*/
@@ -1412,21 +1476,9 @@ STACK_OF_X509_CRL *pv_store_ctx_find_val
return NULL;
}
- ret = pv_X509_STORE_CTX_get1_crls(ctx, subject);
- if (!ret) {
- /* Workaround to fix the mismatch between issuer name of the
- * IBM Z signing CRLs and the IBM Z signing key subject name.
- */
- g_autoptr(X509_NAME) broken_subject = pv_c2b_name(subject);
-
- ret = pv_X509_STORE_CTX_get1_crls(ctx, broken_subject);
- if (!ret) {
- g_set_error(error, PV_CERT_ERROR, PV_CERT_ERROR_NO_CRL, _("no CRL found"));
- g_info("ERROR: %s", (*error)->message);
- return NULL;
- }
- }
-
+ ret = quirk_X509_STORE_ctx_get1_crls(ctx, subject, error);
+ if (!ret)
+ return NULL;
/* Filter out non-valid CRLs for @cert */
for (int i = 0; i < sk_X509_CRL_num(ret); i++) {
X509_CRL *crl = sk_X509_CRL_value(ret, i);
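Review bot: In the libpv check_host_key_issued hunk the removed own_X509_NAME_equal() block was the only reader of `cert_issuer`, yet the context line `const X509_NAME *cert_issuer = X509_get_issuer_name(cert);` is kept (and presumably the `issuer_subject` declaration just above it, outside the hunk), so both become unused locals and will warn under -Wunused-variable; the genprotimg copy of the same change deletes both declarations and libpv should do likewise. The header comments on check_host_key_issued and check_crl_issuer should also say why name chaining is no longer done, e.g. `/* Issuer/subject name chaining is intentionally skipped: the IBM signing key subject changed locality (Poughkeepsie -> Armonk), so a cert or CRL without an AKID is bound to @issuer only by the signature check that follows. */`, otherwise the omission reads like an oversight and is likely to be re-added. In x509_armonk_locality_fixup the cast `(const unsigned char *)&PV_IBM_Z_SUBJECT_LOCALITY_NAME_POUGHKEEPSIE` takes the address of a string literal (type `char (*)[N]`); it points at the same bytes, but the `&` is misleading and should be dropped. quirk_X509_STORE_ctx_get1_crls also drops the `g_info("ERROR: %s", ...)` that the replaced code emitted, so a missing CRL is no longer logged at the call site in pv_store_ctx_find_valid_crls.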


@ -0,0 +1,25 @@
Index: s390-tools-service/pvattest/src/argparse.c
===================================================================
--- s390-tools-service.orig/pvattest/src/argparse.c
+++ s390-tools-service/pvattest/src/argparse.c
@@ -190,13 +190,13 @@ static gboolean hex_str_toull(const char
}
/* NOTE REQUIRED */
-#define _entry_root_ca(__arg_data, __indent) \
- { \
- .long_name = "root-ca", .short_name = 0, .flags = G_OPTION_FLAG_NONE, \
- .arg = G_OPTION_ARG_FILENAME_ARRAY, .arg_data = __arg_data, \
- .description = "Use FILE as the trusted root CA instead the\n" __indent \
- "root CAs that are installed on the system (optional).\n", \
- .arg_description = "FILE", \
+#define _entry_root_ca(__arg_data, __indent) \
+ { \
+ .long_name = "root-ca", .short_name = 0, .flags = G_OPTION_FLAG_NONE, \
+ .arg = G_OPTION_ARG_FILENAME, .arg_data = __arg_data, \
+ .description = "Use FILE as the trusted root CA instead the\n" __indent \
+ "root CAs that are installed on the system (optional).\n", \
+ .arg_description = "FILE", \
}
/* NOTE REQUIRED */
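Review bot: Switching `.arg = G_OPTION_ARG_FILENAME_ARRAY` to `.arg = G_OPTION_ARG_FILENAME` changes what GLib stores through `.arg_data`: a single `gchar *` instead of a NULL-terminated `gchar **`, but this patch touches only the macro, so every instantiation of `_entry_root_ca` must already pass the address of a `gchar *` and every consumer must stop iterating over the value. Because `arg_data` is a `gpointer`, a caller still written for the array form compiles unchanged and only fails at runtime when it dereferences a `gchar *` as `gchar **`, so those callers should be verified or included in the patch. A short comment on the macro, `/* single path; callers hold a gchar * */`, would make the contract visible at the definition.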


@ -0,0 +1,92 @@
From 0748d365a60477c96cb9f6a12e9dbe547d549e1f Mon Sep 17 00:00:00 2001
From: Marc Hartmayer <mhartmay@linux.ibm.com>
Date: Tue, 12 Mar 2024 09:33:19 +0000
Subject: [PATCH] genprotimg/**/Makefile: Fix staged installs
Fix the support for staged installs. The Makefile variable `PKGDATADIR`
uses `DESTDIR` for all Makefile target, but actually it should only be
used for the `install*` and `uninstall*` targets. [1] Fix this by using
`DESTDIR` only for `install*` targets - uninstall* targets are not
supported by s390-tools.
Before this change, if `DESTDIR` was set for staged installs,
`genprotimg` has tried to find the bootloader binaries at the temporary
installation path `$DESTDIR$(TOOLS_DATADIR)/genprotimg/` instead of
`$(TOOLS_DATADIR)/genprotimg`.
[1] https://www.gnu.org/prep/standards/html_node/DESTDIR.html
Fixes: 65b9fc442c1a ("genprotimg: introduce new tool for the creation of PV images")
Reviewed-by: Steffen Eiden <seiden@linux.ibm.com>
Signed-off-by: Marc Hartmayer <mhartmay@linux.ibm.com>
Signed-off-by: Steffen Eiden <seiden@linux.ibm.com>
---
genprotimg/Makefile | 6 +++---
genprotimg/boot/Makefile | 8 ++++----
genprotimg/src/Makefile | 2 +-
3 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/genprotimg/Makefile b/genprotimg/Makefile
index 8c9f7048..6a2e37e4 100644
--- a/genprotimg/Makefile
+++ b/genprotimg/Makefile
@@ -3,7 +3,7 @@ include ../common.mak
.DEFAULT_GOAL := all
-PKGDATADIR := "$(DESTDIR)$(TOOLS_DATADIR)/genprotimg"
+PKGDATADIR := "$(TOOLS_DATADIR)/genprotimg"
TESTS :=
SUBDIRS := boot src man
RECURSIVE_TARGETS := all-recursive install-recursive clean-recursive
@@ -11,8 +11,8 @@ RECURSIVE_TARGETS := all-recursive install-recursive clean-recursive
all: all-recursive
install: install-recursive
- $(INSTALL) -d -m 755 "$(PKGDATADIR)"
- $(INSTALL) -g $(GROUP) -o $(OWNER) -m 755 samples/check_hostkeydoc "$(PKGDATADIR)"
+ $(INSTALL) -d -m 755 "$(DESTDIR)$(PKGDATADIR)"
+ $(INSTALL) -g $(GROUP) -o $(OWNER) -m 755 samples/check_hostkeydoc "$(DESTDIR)$(PKGDATADIR)"
clean: clean-recursive
diff --git a/genprotimg/boot/Makefile b/genprotimg/boot/Makefile
index 799df9cc..73f3c9a8 100644
--- a/genprotimg/boot/Makefile
+++ b/genprotimg/boot/Makefile
@@ -7,7 +7,7 @@ DEBUG_FILES := $(addsuffix .debug,$(FILES))
ifeq ($(HOST_ARCH),s390x)
ZIPL_DIR := $(rootdir)/zipl
ZIPL_BOOT_DIR := $(ZIPL_DIR)/boot
-PKGDATADIR := $(DESTDIR)$(TOOLS_DATADIR)/genprotimg
+PKGDATADIR := $(TOOLS_DATADIR)/genprotimg
INCLUDE_PATHS := $(ZIPL_BOOT_DIR) $(ZIPL_DIR)/include $(rootdir)/include
INCLUDE_PARMS := $(addprefix -I,$(INCLUDE_PATHS))
@@ -86,9 +86,9 @@ stage3b.elf: head.o $(ZIPL_OBJS)
@chmod a-x $@
install: stage3a.bin stage3b_reloc.bin
- $(INSTALL) -d -m 755 "$(PKGDATADIR)"
- $(INSTALL) -g $(GROUP) -o $(OWNER) -m 644 stage3a.bin "$(PKGDATADIR)"
- $(INSTALL) -g $(GROUP) -o $(OWNER) -m 644 stage3b_reloc.bin "$(PKGDATADIR)"
+ $(INSTALL) -d -m 755 "$(DESTDIR)$(PKGDATADIR)"
+ $(INSTALL) -g $(GROUP) -o $(OWNER) -m 644 stage3a.bin "$(DESTDIR)$(PKGDATADIR)"
+ $(INSTALL) -g $(GROUP) -o $(OWNER) -m 644 stage3b_reloc.bin "$(DESTDIR)$(PKGDATADIR)"
else
# Don't generate the dependency files (see `common.mak` for the
diff --git a/genprotimg/src/Makefile b/genprotimg/src/Makefile
index 08734bff..d447e6cf 100644
--- a/genprotimg/src/Makefile
+++ b/genprotimg/src/Makefile
@@ -3,7 +3,7 @@ include ../../common.mak
bin_PROGRAM = genprotimg
-PKGDATADIR ?= "$(DESTDIR)$(TOOLS_DATADIR)/genprotimg"
+PKGDATADIR ?= "$(TOOLS_DATADIR)/genprotimg"
SRC_DIR := $(dir $(realpath $(firstword $(MAKEFILE_LIST))))
TOP_SRCDIR := $(SRC_DIR)/../
ROOT_DIR = $(TOP_SRC_DIR)/../../
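Review bot: The new install rules in genprotimg/Makefile expand to `"$(DESTDIR)"$(TOOLS_DATADIR)/genprotimg""` because PKGDATADIR is itself defined with embedded double quotes at `PKGDATADIR := "$(TOOLS_DATADIR)/genprotimg"`; the shell concatenates the pieces so it works, but only while TOOLS_DATADIR contains no whitespace, and it differs from genprotimg/boot/Makefile, which defines PKGDATADIR unquoted. Define it unquoted at the top level as well, `PKGDATADIR := $(TOOLS_DATADIR)/genprotimg`, and keep the quoting at the use sites. The quoted form in genprotimg/src/Makefile presumably exists because the value is passed on as a C string define; if so, a one-line comment saying that would stop the two conventions from being "fixed" into each other later.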


@ -1,81 +1,3 @@
-------------------------------------------------------------------
Mon Dec 9 09:49:52 UTC 2024 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
- Upgrade s390-tools to version 2.36 (jsc#PED-10303, jsc#PED-9591)
* s390-tools: Define Rust MSRV as 1.75.0
* Add new tools / libraries:
- cpacfinfo: Tool to provide CPACF information
- opticsmon: Tools to monitor optical modules for directly attached PCI based NICs
- pvimg: Rust rewrite of genprotimg
* Changes of existing tools:
- chpstat: Add data bandwidth utilization column
- chpstat: Add support for full CMCB
- chpstat: Add support for new CMG types
- dbginfo.sh: add overview commands and crypto update
- hyptop: Support for structured output (json, json-seq, csv)
- lszfcp: Add missing fallback marker for non-good fc_host port_state
- lszfcp: Improve speed with many SCSI devices
- pvattest: Add attestation policy check command
- zipl: Add support of partitions of mirror md-devices
* Bug Fixes:
- lszcrypt: Fix wrong state showing up for removed AP queue within SE guest
- lszfcp: Show device names line for zfcp_units without SCSI device
- Revendored vendor.tar.gz
- Applied additional patch (bsc#1233889, bsc#1233079)
* s390-tools-02-zipl-src-fix-imprecise-check-that-file-is-on-specifi.patch
-------------------------------------------------------------------
Thu Dec 5 15:13:49 UTC 2024 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
- Applied a patch (bsc#1233889)
* s390-tools-01-zipl_helper.device-mapper-add-missed-step-in-logical.patch
- Amended the /usr/lib/modules-load.d/pkey.conf (bsc#1233233). Added
* pkey_cca
* pkey_ep11
* pkey_pckmo
-------------------------------------------------------------------
Tue Nov 5 07:39:58 UTC 2024 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
- Amended the *_configure scripts to update again the SUSE's specific file
'/boot/zipl/active_devices.txt' (bsc#1232474, bsc#1216257)
* ctc_configure
* dasd_configure
* qeth_configure
* zfcp_host_configure
-------------------------------------------------------------------
Tue Oct 8 10:35:04 UTC 2024 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
* Upgrade s390-tools to version 2.35 (jsc#PED-9591, jsc#PED-10303)
* Changes of existing tools:
- cpacfstats: Add support for FULL XTS (MSA 10) and HMAC (MSA 11) PAI counter
- cpuplugd: Make cpuplugd compatible with hiperdispatch
- dbginfo.sh: Add network sockstat info
- pvapconfig: s390x exclusive build
- zdev: Add option to select IPL device
- zdump/dfo_s390: Support s390 DFO for vr-kernel dumps
- zipl: Add support of mirror devices
* Bug Fixes:
- (genprotimg|zipl)/boot: discard .note.package ELF section to save memory
- netboot/mk-s390image: Fix size when argument is a symlink
- ziorep_config: Fix warning message when multipath device is not there.
- zipl: Fix problems when target parameters are specified by user
- zipl: Fix segfault when creating device-based dumps with '--dry-run'
* Removed obsolete patches
- s390-tools-2.34-Fix-Rust-compilation-errors.patch
- s390-tools-01-zipl-src-add-basic-support-for-multiple-target-base-disks.patch
- s390-tools-02-zipl-src-add-basic-support-for-multiple-target-base-disks.patch
* Revendored vendor.tar.gz
-------------------------------------------------------------------
Mon Sep 16 12:49:55 UTC 2024 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
* Applied patches (bsc#1230345)
- zipl/src: add basic support for multiple target base disks
- s390-tools-01-zipl-src-add-basic-support-for-multiple-target-base-disks.patch
- s390-tools-02-zipl-src-add-basic-support-for-multiple-target-base-disks.patch
-------------------------------------------------------------------
Mon Aug 26 09:17:17 UTC 2024 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>


@ -33,7 +33,7 @@
%endif
Name: s390-tools
Version: 2.36.0
Version: 2.34.0
Release: 0
Summary: S/390 tools like zipl and dasdfmt for s390x (plus selected tools for x86_64)
License: MIT
@ -153,23 +153,20 @@ Patch910: s390-tools-sles15sp1-11-zdev-Do-not-call-zipl-on-initrd-update.p
Patch911: s390-tools-sles15sp5-remove-no-pie-link-arguments.patch
Patch912: s390-tools-ALP-zdev-live.patch
Patch913: s390-tools-sles15sp6-kdump-initrd-59-zfcp-compat-rules.patch
Patch914: s390-tools-01-zipl_helper.device-mapper-add-missed-step-in-logical.patch
Patch915: s390-tools-02-zipl-src-fix-imprecise-check-that-file-is-on-specifi.patch
###
Patch920: s390-tools-slfo-01-parse-ipl-device-for-activation.patch
Patch914: s390-tools-slfo-01-parse-ipl-device-for-activation.patch
Patch915: s390-tools-2.34-Fix-Rust-compilation-errors.patch
###
BuildRequires: curl-devel
BuildRequires: dracut
BuildRequires: fuse3-devel
BuildRequires: gcc
BuildRequires: gcc-c++
BuildRequires: gcc13
BuildRequires: gcc13-c++
BuildRequires: gettext-tools
BuildRequires: glib2-devel
BuildRequires: glibc-devel-static
BuildRequires: libcryptsetup-devel > 2.0.3
BuildRequires: libjson-c-devel
BuildRequires: libnl3-devel
BuildRequires: libxml2-devel
BuildRequires: mdevctl
BuildRequires: ncurses-devel
@ -228,13 +225,12 @@ zipl - boot loader and dump DASD initializer
zgetdump - tool to get linux system dumps from DASD
- x86_64
pvimg - create a protected virtualization image (genprotimg)
genprotimg - create a protected virtualization image
pvattest - create, perform, and verify protected virtualization attestation measurements
pvsecret - manage secrets for IBM Secure Execution guests.
pvapconfig - used to automatically set up the AP configuration within an IBM Secure Execution guest.
Warning: There is an auxiliary data package - s390-tools-genprotimg-data.
To install s390-tools properly, please use:
'sudo zypper install s390-tools s390-tools-genprotimg-data'
Note: Auxiliary data package - s390-tools-genprotimg-data
%package -n osasnmpd
Summary: OSA-Express SNMP subagent
@ -353,11 +349,11 @@ BuildArch: noarch
Requires(pre): filesystem
%description genprotimg-data
The pvimg (genprotimg) allows preparing and analyzing boot images
The genprotimg allows preparing and analyzing boot images
in the realm of IBM Secure Execution on a trusted environment,
such as the laptop of an admin by limiting the build targets
depending on the defined or detected host architecture.
This package provides auxiliary data used by pvimg(genprotimg).
This package provides auxiliary data used by genprotimg.
### *** s390x ************************************************************************* ###
%ifarch s390x
@ -367,7 +363,7 @@ This package provides auxiliary data used by pvimg(genprotimg).
cp -vi %{SOURCE22} CAUTION
install -D -m 0644 %{SOURCE200} .cargo/config.toml
install -D -m 0644 %{SOURCE200} .cargo/config
tar -xzf %{SOURCE201}
%build
@ -384,9 +380,11 @@ export KERNELIMAGE_MAKEFLAGS="%%{?_smp_mflags}"
DISTRELEASE=%{release} \
UDEVRUNDIR=/run/udev \
HAVE_CARGO=1 \
HAVE_DRACUT=1
HAVE_DRACUT=1 \
CC=gcc-13 \
CXX=g++-13
### all
gcc -static -o read_values ${OPT_FLAGS} %{SOURCE86} -lqc
gcc-13 -static -o read_values ${OPT_FLAGS} %{SOURCE86} -lqc
%install
mkdir -p %{buildroot}/boot/zipl
@ -397,7 +395,9 @@ mkdir -p %{buildroot}%{_sysconfdir}/zkey/repository
SYSTEMDSYSTEMUNITDIR=%{_unitdir} \
UDEVRUNDIR=/run/udev \
HAVE_CARGO=1 \
HAVE_DRACUT=1
HAVE_DRACUT=1 \
CC=gcc-13 \
CXX=g++-13
### all
# The make install command puts things in /etc/sysconfig and not the
@ -719,6 +719,7 @@ done
%dir %{_prefix}/lib/systemd/scripts
%dir %{_datadir}/s390-tools
%dir %{_datadir}/s390-tools/netboot
%dir %{_datadir}/s390-tools/genprotimg
%dir %{_prefix}/lib/dracut/modules.d/95zdev
%dir %{_prefix}/lib/dracut/modules.d/95zdev-kdump
%dir %{_prefix}/lib/dracut/modules.d/96zdev-live
@ -741,8 +742,8 @@ done
%dir /etc/mdevctl.d/scripts.d/callouts/
###
%exclude /lib/s390-tools/stage3.bin
%exclude %{_datadir}/s390-tools/pvimg/stage3a.bin
%exclude %{_datadir}/s390-tools/pvimg/stage3b_reloc.bin
%exclude %{_datadir}/s390-tools/genprotimg/stage3a.bin
%exclude %{_datadir}/s390-tools/genprotimg/stage3b_reloc.bin
###
%files -n osasnmpd -f %{_builddir}/%{name}.osasnmp
@ -793,9 +794,8 @@ done
### genprotimg
%files genprotimg-data
/lib/s390-tools/stage3.bin
%dir %{_datadir}/s390-tools/pvimg
%{_datadir}/s390-tools/pvimg/stage3a.bin
%{_datadir}/s390-tools/pvimg/stage3b_reloc.bin
%{_datadir}/s390-tools/genprotimg/stage3a.bin
%{_datadir}/s390-tools/genprotimg/stage3b_reloc.bin
### _endif
### *** !s390x ************************************************************************* ###
@ -811,7 +811,6 @@ tar -xzf %{SOURCE201}
%build
export OPT_FLAGS="%{optflags}"
export KERNELIMAGE_MAKEFLAGS="%%{?_smp_mflags}"
%make_build \
DISTRELEASE=%{release} \
UDEVRUNDIR=/run/udev \
@ -819,7 +818,6 @@ export KERNELIMAGE_MAKEFLAGS="%%{?_smp_mflags}"
HAVE_DRACUT=1
%install
%make_install \
DISTRELEASE=%{release} \
SYSTEMDSYSTEMUNITDIR=%{_unitdir} \
@ -830,8 +828,8 @@ export KERNELIMAGE_MAKEFLAGS="%%{?_smp_mflags}"
%files
%{_prefix}/bin/*
%dir %{_datadir}/s390-tools
%dir %{_datadir}/s390-tools/pvimg
%{_datadir}/s390-tools/pvimg/check_hostkeydoc
%dir %{_datadir}/s390-tools/genprotimg
%{_datadir}/s390-tools/genprotimg/check_hostkeydoc
%{_mandir}/man1/*
%endif

vendor.tar.gz (Stored with Git LFS)



@ -38,14 +38,6 @@ debug_mesg () {
esac
}
add_cio_channel() {
echo "$* # ${DATE}" >> /boot/zipl/active_devices.txt
}
remove_cio_channel() {
[ -w /boot/zipl/active_devices.txt ] && sed -i -e "/^${1}/d" /boot/zipl/active_devices.txt
}
usage(){
echo "Usage: ${0} <ccwid> <online>"
echo " ccwid = x.y.ssss where"
@ -88,8 +80,3 @@ RC=${?}
if [ ${RC} -ne 0 ]; then
exit ${RC}
fi
if [ ${ON_OFF} == 1 ]; then
add_cio_channel "${CCW_CHAN_ID}"
else remove_cio_channel "${CCW_CHAN_ID}"
fi