d7162287c1
* Changes of existing tools:
dbginfo.sh: Add details on CPU-measurement
dbginfo.sh: Add new crypto command
dbginfo.sh: Add overview commands and crypto update
dbginfo.sh: Adding kdump info
dbginfo.sh: Removing outdated email references
dbginfo.sh: Rework network section
dbginfo.sh: Update copyright 2nd year
pvimg: Add '--(enable|disable)-image-encryption' flags to 'pvimg create'
pvimg: Add '--cck ' command line option and make '--comm-key' an alias
pvimg: Add '--hdr-key' command line option to 'pvimg create'
pvimg: Rename '--key' into '--hdr-key' and use '--key' as an alias (for 'pvimg info')
pvsecret: Add support for retrievable secrets
ziorep_config: Add PCHID field to adapter report
ziorep_traffic: Add DEVBUSID column to traffic report
ziorep_utilization: Add --fcp-device parameter to print virtual adapter report
ziorep_utilization: Add PCHID column to physical adapter report
ziorep_utilization: Now prints only physical adapter report by default
ziorep_utilization: Swap Bus-ID and CHPID columns in virtual adapter report
zipl/boot: Increase section size for eckd_mv dumper
zkey: Add support for listing and importing protected virtualization secrets
* Bug Fixes:
chpstat: Fix invalid utilization data on older kernels
opticsmon: Fix runaway loop in on_link_change()
zipl: Update inline assembly for GCC 15
zipl_helper.device-mapper: Add missed step in logical device resolution
- Revendored vendor.tar.gz
- Removed obsolete patches:
* s390-tools-01-zipl_helper.device-mapper-add-missed-step-in-logical.patch
* s390-tools-02-zipl-src-fix-imprecise-check-that-file-is-on-specifi.patch
* s390-tools-General-update-01.patch
* s390-tools-General-update-02.patch
* s390-tools-General-update-03.patch
* s390-tools-General-update-04.patch
* s390-tools-General-update-05.patch
* s390-tools-General-update-06.patch
* s390-tools-General-update-07.patch
* s390-tools-General-update-08.patch
* s390-tools-General-update-09.patch
* s390-tools-General-update-10.patch
* s390-tools-General-update-11.patch
* s390-tools-General-update-12.patch
* s390-tools-Additional-update-01.patch
* s390-tools-Additional-update-02.patch
* s390-tools-pvimg-info-command-01.patch
* s390-tools-pvimg-info-command-02.patch
* s390-tools-pvimg-info-command-03.patch
* s390-tools-Support-unencrypted-SE-images-01.patch
* s390-tools-pvimg-info-command-04.patch
* s390-tools-pvimg-additional-01.patch
* s390-tools-01-zkey-Add-support-for-retrieving-a-list-of-ultravisor-secrets.patch
* s390-tools-02-zkey-Add-the--pvsecrets-list-command.patch
* s390-tools-03-zkey-Add-PVSECRETS-AES-key-type.patch
* s390-tools-04-zkey-Add-the-pvsecrets-import-command.patch
* s390-tools-05-zkey-Reject-key-generation-and-APQN-association-for-PVSECRET-AES-keys.patch
* s390-tools-06-zkey-Reject-re-enciphering-of-PVSECRET-AES-keys.patch
* s390-tools-07-zkey-Support-validation-of-key-of-type-PVSECRET-AES.patch
* s390-tools-08-rust-pvimg-Fix-flag-parsing-for-allowing-dump.patch
* s390-tools-09-rust-pvimg-Document-the-change-from--comm-key-to--cck.patch
OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=249
146 lines
5.0 KiB
Diff
146 lines
5.0 KiB
Diff
From a8eb2bd4e7e74445c953906b33d450c2ace5223f Mon Sep 17 00:00:00 2001
|
|
From: Ingo Franzki <ifranzki@linux.ibm.com>
|
|
Date: Mon, 19 Feb 2024 11:26:41 +0100
|
|
Subject: [PATCH] zkey: Reject re-enciphering of PVSECRET-AES keys
|
|
|
|
Keys of type PVSECRET-AES can not be reenciphered using 'zkey reencipher'
|
|
or 'zkey-cryptsetup reencipher'. Reject that with a proper error message.
|
|
|
|
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
|
Reviewed-by: Jorg Schmidbauer <jschmidb@de.ibm.com>
|
|
Signed-off-by: Steffen Eiden <seiden@linux.ibm.com>
|
|
---
|
|
zkey/keystore.c | 9 +++++++++
|
|
zkey/zkey-cryptsetup.1 | 8 ++++++--
|
|
zkey/zkey-cryptsetup.c | 16 ++++++++++++----
|
|
zkey/zkey.1 | 4 ++++
|
|
zkey/zkey.c | 7 +++++++
|
|
5 files changed, 38 insertions(+), 6 deletions(-)
|
|
|
|
diff --git a/zkey/keystore.c b/zkey/keystore.c
|
|
index db62e0a6..4f795a28 100644
|
|
--- a/zkey/keystore.c
|
|
+++ b/zkey/keystore.c
|
|
@@ -3567,6 +3567,15 @@ static int _keystore_process_reencipher(struct keystore *keystore,
|
|
goto out;
|
|
}
|
|
|
|
+ if (!is_secure_key(secure_key, secure_key_size)) {
|
|
+ warnx("Key '%s' is of type %s and can not be re-enciphered, "
|
|
+ "skipping", name, get_key_type(secure_key,
|
|
+ secure_key_size));
|
|
+ info->num_skipped++;
|
|
+ rc = 0;
|
|
+ goto out;
|
|
+ }
|
|
+
|
|
apqns = properties_get(properties, PROP_NAME_APQNS);
|
|
if (apqns != NULL)
|
|
apqn_list = str_list_split(apqns);
|
|
diff --git a/zkey/zkey-cryptsetup.1 b/zkey/zkey-cryptsetup.1
|
|
index c455f845..185edab9 100644
|
|
--- a/zkey/zkey-cryptsetup.1
|
|
+++ b/zkey/zkey-cryptsetup.1
|
|
@@ -1,8 +1,8 @@
|
|
-.\" Copyright IBM Corp. 2018
|
|
+.\" Copyright IBM Corp. 2018, 2024
|
|
.\" s390-tools is free software; you can redistribute it and/or modify
|
|
.\" it under the terms of the MIT license. See LICENSE for details.
|
|
.\"
|
|
-.TH ZKEY\-CRYPTSETUP 1 "May 2018" "s390-tools"
|
|
+.TH ZKEY\-CRYPTSETUP 1 "February 2024" "s390-tools"
|
|
.SH NAME
|
|
zkey\-cryptsetup \- Manage secure AES volume keys of volumes encrypted with
|
|
\fBLUKS2\fP and the \fBpaes\fP cipher
|
|
@@ -115,6 +115,10 @@ command to re-encipher a secure AES volume key of a volume encrypted with
|
|
re-enciphered when the master key of the cryptographic adapter in CCA or EP11
|
|
coprocessor mode changes.
|
|
.PP
|
|
+Volume keys of type \fBPVSECRET\-AES\fP can not be re-enciphered. These keys do
|
|
+not use a cryptographic adapter, thus they do not need to be re-enciphered when
|
|
+the master key of a cryptographic adapter changes.
|
|
+.PP
|
|
The cryptographic adapter in CCA coprocessor mode has three different registers
|
|
to store master keys:
|
|
.RS 2
|
|
diff --git a/zkey/zkey-cryptsetup.c b/zkey/zkey-cryptsetup.c
|
|
index 8b55f7d1..2b018a2a 100644
|
|
--- a/zkey/zkey-cryptsetup.c
|
|
+++ b/zkey/zkey-cryptsetup.c
|
|
@@ -2,7 +2,7 @@
|
|
* zkey-cryptsetup - Re-encipher or validate volume keys of volumes
|
|
* encrypted with LUKS2 and the paes cipher.
|
|
*
|
|
- * Copyright IBM Corp. 2018
|
|
+ * Copyright IBM Corp. 2018, 2024
|
|
*
|
|
* s390-tools is free software; you can redistribute it and/or modify
|
|
* it under the terms of the MIT license. See LICENSE for details.
|
|
@@ -82,7 +82,7 @@ static const struct util_prg prg = {
|
|
{
|
|
.owner = "IBM Corp.",
|
|
.pub_first = 2018,
|
|
- .pub_last = 2018,
|
|
+ .pub_last = 2024,
|
|
},
|
|
UTIL_PRG_COPYRIGHT_END
|
|
}
|
|
@@ -1609,14 +1609,22 @@ static int reencipher_prepare(int token)
|
|
if (rc < 0)
|
|
goto out;
|
|
|
|
+ securekeysize = keysize - integrity_keysize;
|
|
+
|
|
+ if (!is_secure_key((u8 *)key, securekeysize)) {
|
|
+ warnx("The volume key of device '%s' is of type %s and can "
|
|
+ "not be re-enciphered", g.pos_arg,
|
|
+ get_key_type((u8 *)key, securekeysize));
|
|
+ rc = -EINVAL;
|
|
+ goto out;
|
|
+ }
|
|
+
|
|
reenc_tok.original_keyslot = rc;
|
|
|
|
rc = ensure_is_active_keylot(reenc_tok.original_keyslot);
|
|
if (rc != 0)
|
|
goto out;
|
|
|
|
- securekeysize = keysize - integrity_keysize;
|
|
-
|
|
rc = generate_key_verification_pattern((u8 *)key, securekeysize,
|
|
reenc_tok.verification_pattern,
|
|
sizeof(reenc_tok.verification_pattern),
|
|
diff --git a/zkey/zkey.1 b/zkey/zkey.1
|
|
index baaf8478..316db5f0 100644
|
|
--- a/zkey/zkey.1
|
|
+++ b/zkey/zkey.1
|
|
@@ -266,6 +266,10 @@ command to re-encipher an existing secure key with a new master key.
|
|
A secure key must be re-enciphered when the master key of the CCA or EP11
|
|
cryptographic adapter changes.
|
|
.PP
|
|
+Keys of type \fBPVSECRET\-AES\fP can not be re-enciphered. These keys do not
|
|
+use a cryptographic adapter, thus they do not need to be re-enciphered when the
|
|
+master of a cryptographic adapter changes.
|
|
+.PP
|
|
The CCA cryptographic adapter has three different registers to store
|
|
master keys:
|
|
.RS 2
|
|
diff --git a/zkey/zkey.c b/zkey/zkey.c
|
|
index 36bdbcc0..90b46106 100644
|
|
--- a/zkey/zkey.c
|
|
+++ b/zkey/zkey.c
|
|
@@ -2118,6 +2118,13 @@ static int command_reencipher_file(void)
|
|
if (secure_key == NULL)
|
|
return EXIT_FAILURE;
|
|
|
|
+ if (!is_secure_key(secure_key, secure_key_size)) {
|
|
+ warnx("A key of type %s can not be re-enciphered",
|
|
+ get_key_type(secure_key, secure_key_size));
|
|
+ rc = EXIT_FAILURE;
|
|
+ goto out;
|
|
+ }
|
|
+
|
|
rc = validate_secure_key(g.pkey_fd, secure_key, secure_key_size, NULL,
|
|
&is_old_mk, NULL, g.verbose);
|
|
if (rc != 0) {
|