30232e2023
- Added the following patches for bsc#1166850 zipl: fix secure boot config handling: * s390-tools-sles15sp2-01-zipl-Add-missing-options-to-help-output.patch * s390-tools-sles15sp2-02-zipl-allow-stand-alone-secure-option-on-command-l.patch * s390-tools-sles15sp2-03-zipl-correct-secure-boot-config-handling.patch * s390-tools-sles15sp2-04-zipl-fix-zipl.conf-man-page-example-for-secure-boot.patch - Modified the spec file so that the kernel used for the SCSI dump tool is named zfcpdump-image instead of zfcpdump_part.image. This is to match the new version of zipl that expects this new file name. (bsc#1166851) - Added the following patches to implement jsc#SLE-7471, Enhanced tooling for kvm guest images (bsc#1165549): * s390-tools-sles15sp2-01-zipl-fix-Wdiscarded-qualifiers.patch * s390-tools-sles15sp2-02-zipl-fix-Waddress-of-packed-member.patch * s390-tools-sles15sp2-03-zipl-remove-some-useless-__packed___-attributes.patch * s390-tools-sles15sp2-04-zipl-Fix-entry-point-for-stand-alone-kdump.patch * s390-tools-sles15sp2-05-zipl-Fix-dependency-generation-in-zipl-boot.patch * s390-tools-sles15sp2-06-zipl-Make-use-of-__packed-macro.patch * s390-tools-sles15sp2-07-zipl-define-__section-macro-and-make-use-of-it.patch * s390-tools-sles15sp2-08-zipl-Make-use-of-__noreturn-macro.patch * s390-tools-sles15sp2-09-zipl-Define-__noinline-macro-and-make-use-of-it.patch * s390-tools-sles15sp2-10-zipl-stage3-Mark-start_kernel-__noreturn.patch * s390-tools-sles15sp2-11-zipl-sclp-Remove-duplicate-macros.patch * s390-tools-sles15sp2-12-zipl-Make-address-size-mask-macros-UL.patch * s390-tools-sles15sp2-13-zipl-libc-Use-stdint.h-instead-of-self-defined-macro.patch * s390-tools-sles15sp2-14-zipl-Consolidate-IMAGE-macros.patch * s390-tools-sles15sp2-15-zipl-Consolidate-STAGE-2-3-macros.patch * s390-tools-sles15sp2-16-zipl-stfle-use-uint64_t-instead-of-u64.patch * s390-tools-sles15sp2-17-zipl-boot-fix-comment-in-stage3.lds.patch * s390-tools-sles15sp2-18-lib-zt_common-add-STATIC_ASSERT-macro.patch * s390-tools-sles15sp2-19-zipl-use-STATIC_ASSERT-macro-for-no-padding-verifica.patch * s390-tools-sles15sp2-20-Support-lib-zt_common.h-to-be-used-in-assembler-and-.patch * s390-tools-sles15sp2-21-zipl-move-IPL-related-definitions-into-separate-head.patch * s390-tools-sles15sp2-22-zipl-move-SIGP-related-functions-and-definitions-int.patch * s390-tools-sles15sp2-23-zipl-add-SIGP_SET_ARCHITECTURE-to-sigp.h-and-use-it.patch * s390-tools-sles15sp2-24-zipl-stage3-make-IPL_DEVICE-definition-consistent-wi.patch * s390-tools-sles15sp2-25-zipl-move-Linux-layout-definitions-into-separate-hea.patch * s390-tools-sles15sp2-26-zipl-tape0-use-constants-defined-in-linux_layout.h.patch * s390-tools-sles15sp2-27-zipl-use-STAGE3_ENTRY-for-STAGE3_LOAD_ADDRESS.patch * s390-tools-sles15sp2-28-zipl-move-loaders-layout-definitions-into-separate-h.patch * s390-tools-sles15sp2-29-zipl-s390.h-rename-inline-macro-into-__always_inline.patch * s390-tools-sles15sp2-30-zipl-move-__always_inline-barrier-__pa32-pa-to-zt_co.patch * s390-tools-sles15sp2-31-zipl-make-BLK_PWRT-unsigned-int.patch * s390-tools-sles15sp2-32-Consolidate-MIN-and-MAX-macros.patch * s390-tools-sles15sp2-33-zipl-remove-libc.h-include-in-s390.h.patch * s390-tools-sles15sp2-34-zipl-move-s390.h-to-include-boot-s390.h.patch * s390-tools-sles15sp2-35-zipl-libc-include-s390.h.patch * s390-tools-sles15sp2-36-include-boot-s390.h-move-panic-and-panic_notify-to-l.patch * s390-tools-sles15sp2-37-include-boot-s390.h-fixes-for-Werror-sign-conversion.patch * s390-tools-sles15sp2-38-zipl-refactor-all-EBCDIC-code-into-separate-files.patch * s390-tools-sles15sp2-39-zipl-sclp-add-macros-for-the-control-program-masks.patch * s390-tools-sles15sp2-40-zipl-sclp-add-sclp_print_ascii.patch * s390-tools-sles15sp2-41-zipl-libc-printf-print-on-linemode-and-ASCII-console.patch * s390-tools-sles15sp2-42-Consolidate-ALIGN-__ALIGN_MASK-ARRAY_SIZE-macros.patch * s390-tools-sles15sp2-43-genprotimg-boot-initial-bootloader-support.patch * s390-tools-sles15sp2-44-genprotimg-boot-use-C-pre-processor-for-linker-scrip.patch * s390-tools-sles15sp2-45-genprotimg-add-relocator-for-stage3b.patch * s390-tools-sles15sp2-46-README.md-remove-useless-empty-line.patch * s390-tools-sles15sp2-47-include-boot-s390.h-add-guard-for-struct-__vector128.patch * s390-tools-sles15sp2-48-genprotimg-introduce-new-tool-for-the-creation-of-PV.patch - Added a BuildRequires for glib2-devel to support the new feature. - Added a %dir entry for /usr/share/s390-tools/genprotimg OBS-URL: https://build.opensuse.org/request/show/786614 OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=92
188 lines
6.1 KiB
Diff
188 lines
6.1 KiB
Diff
Subject: [PATCH] [BZ 184396] zipl: correct secure boot config handling
|
|
From: Stefan Haberland <sth@linux.ibm.com>
|
|
|
|
Description: zipl: fix secure boot config handling
|
|
Symptom: The config file parsing for secure boot worked not as
|
|
it was expected to be. For example a config section
|
|
setting was not evaluated properly.
|
|
It is not possible to specify command line option -S
|
|
without other options.
|
|
Additionally the man page showed an invalid example.
|
|
Problem: The config file parsing was not implemented properly.
|
|
Solution: The hierarchy of the secure boot settings in the config
|
|
file is:
|
|
defaultboot > menu > section
|
|
Allow that --secure or -S is specified on command line
|
|
without the need to allow all options on the command
|
|
line. Also ensure that the command line option
|
|
overrules the config option and correctly ensure that
|
|
secure boot is only set for SCSI devices.
|
|
Fix man page example.
|
|
Reproduction: Run zipl with a secure= setting in a configuration
|
|
section or specify -S on command line.
|
|
Upstream-ID: 6f9337d1016e00f360cf4a81d39a42df5184b3a2
|
|
Problem-ID: 184396
|
|
|
|
Upstream-Description:
|
|
|
|
zipl: correct secure boot config handling
|
|
|
|
The hierarchy of the secure boot settings in the config file should be:
|
|
|
|
defaultboot > menu > section
|
|
|
|
This patch implements this hierarchy and adds a check if a valid option is
|
|
specified and prints an error message otherwise.
|
|
|
|
Signed-off-by: Stefan Haberland <sth@linux.ibm.com>
|
|
Reviewed-by: Philipp Rudo <prudo@linux.ibm.com>
|
|
Signed-off-by: Jan Hoeppner <hoeppner@linux.ibm.com>
|
|
|
|
|
|
Signed-off-by: Stefan Haberland <sth@linux.ibm.com>
|
|
---
|
|
zipl/include/job.h | 1 +
|
|
zipl/include/zipl.h | 1 +
|
|
zipl/src/bootmap.c | 8 +++++++-
|
|
zipl/src/job.c | 29 ++++++++++++++++++++++++++---
|
|
4 files changed, 35 insertions(+), 4 deletions(-)
|
|
|
|
--- a/zipl/include/job.h
|
|
+++ b/zipl/include/job.h
|
|
@@ -94,6 +94,7 @@ struct job_menu_entry {
|
|
char* name;
|
|
enum job_id id;
|
|
union job_menu_entry_data data;
|
|
+ int is_secure;
|
|
};
|
|
|
|
struct job_menu_data {
|
|
--- a/zipl/include/zipl.h
|
|
+++ b/zipl/include/zipl.h
|
|
@@ -57,6 +57,7 @@
|
|
|
|
#define MAX_DUMP_VOLUMES 32
|
|
|
|
+#define SECURE_BOOT_UNDEFINED -1
|
|
#define SECURE_BOOT_DISABLED 0
|
|
#define SECURE_BOOT_ENABLED 1
|
|
#define SECURE_BOOT_AUTO 2
|
|
--- a/zipl/src/bootmap.c
|
|
+++ b/zipl/src/bootmap.c
|
|
@@ -945,6 +945,7 @@ build_program_table(int fd, struct job_d
|
|
{
|
|
disk_blockptr_t* table;
|
|
int entries, component_header;
|
|
+ int is_secure;
|
|
int i;
|
|
int rc;
|
|
|
|
@@ -1016,13 +1017,18 @@ build_program_table(int fd, struct job_d
|
|
component_header_ipl;
|
|
printf("\n");
|
|
}
|
|
+ if (job->is_secure != SECURE_BOOT_UNDEFINED)
|
|
+ is_secure = job->is_secure;
|
|
+ else
|
|
+ is_secure =
|
|
+ job->data.menu.entry[i].is_secure;
|
|
rc = add_ipl_program(fd,
|
|
&job->data.menu.entry[i].data.ipl,
|
|
&table[job->data.menu.entry[i].pos],
|
|
verbose || job->command_line,
|
|
job->add_files, component_header,
|
|
info, &job->target,
|
|
- job->is_secure);
|
|
+ is_secure);
|
|
break;
|
|
case job_print_usage:
|
|
case job_print_version:
|
|
--- a/zipl/src/job.c
|
|
+++ b/zipl/src/job.c
|
|
@@ -119,6 +119,7 @@ get_command_line(int argc, char* argv[],
|
|
memset((void *) &cmdline, 0, sizeof(struct command_line));
|
|
cmdline.type = section_invalid;
|
|
is_keyword = 0;
|
|
+ cmdline.is_secure = SECURE_BOOT_UNDEFINED;
|
|
/* Process options */
|
|
do {
|
|
opt = getopt_long(argc, argv, option_string, options, NULL);
|
|
@@ -1055,6 +1056,21 @@ check_job_mvdump_data(struct job_mvdump_
|
|
return 0;
|
|
}
|
|
|
|
+static int
|
|
+check_secure_boot(struct job_data *job)
|
|
+{
|
|
+ switch (job->is_secure) {
|
|
+ case SECURE_BOOT_UNDEFINED:
|
|
+ case SECURE_BOOT_DISABLED:
|
|
+ case SECURE_BOOT_ENABLED:
|
|
+ case SECURE_BOOT_AUTO:
|
|
+ return 0;
|
|
+ default:
|
|
+ error_reason("Invalid secure boot setting '%d'",
|
|
+ job->is_secure);
|
|
+ return -1;
|
|
+ }
|
|
+}
|
|
|
|
static int
|
|
check_job_data(struct job_data* job)
|
|
@@ -1099,6 +1115,8 @@ check_job_data(struct job_data* job)
|
|
case job_mvdump:
|
|
rc = check_job_mvdump_data(&job->data.mvdump, job->name);
|
|
}
|
|
+ if (!rc)
|
|
+ rc = check_secure_boot(job);
|
|
return rc;
|
|
}
|
|
|
|
@@ -1594,6 +1612,7 @@ get_menu_job(struct scan_token* scan, ch
|
|
sizeof(struct job_menu_entry) * job->data.menu.num);
|
|
/* Fill in data */
|
|
current = 0;
|
|
+ job->data.menu.entry->is_secure = SECURE_BOOT_UNDEFINED;
|
|
for (i=index+1; (scan[i].id != scan_id_empty) &&
|
|
(scan[i].id != scan_id_section_heading) &&
|
|
(scan[i].id != scan_id_menu_heading); i++) {
|
|
@@ -1625,6 +1644,7 @@ get_menu_job(struct scan_token* scan, ch
|
|
if (temp_job == NULL)
|
|
return -1;
|
|
memset((void *) temp_job, 0, sizeof(struct job_data));
|
|
+ temp_job->is_secure = SECURE_BOOT_UNDEFINED;
|
|
rc = get_job_from_section_data(data, temp_job,
|
|
job->data.menu.entry[current].name);
|
|
if (rc) {
|
|
@@ -1637,6 +1657,8 @@ get_menu_job(struct scan_token* scan, ch
|
|
job->data.menu.entry[current].id = job_ipl;
|
|
job->data.menu.entry[current].data.ipl =
|
|
temp_job->data.ipl;
|
|
+ job->data.menu.entry[current].is_secure =
|
|
+ temp_job->is_secure;
|
|
memset((void *) &temp_job->data.ipl, 0,
|
|
sizeof(struct job_ipl_data));
|
|
break;
|
|
@@ -1874,6 +1896,7 @@ job_get(int argc, char* argv[], struct j
|
|
job->add_files = cmdline.add_files;
|
|
job->data.mvdump.force = cmdline.force;
|
|
job->dry_run = cmdline.dry_run;
|
|
+ job->is_secure = SECURE_BOOT_UNDEFINED;
|
|
/* Get job data from user input */
|
|
if (cmdline.help) {
|
|
job->command_line = 1;
|
|
@@ -1892,10 +1915,10 @@ job_get(int argc, char* argv[], struct j
|
|
job_free(job);
|
|
return rc;
|
|
}
|
|
- if (cmdline.is_secure)
|
|
+ if (cmdline.is_secure != SECURE_BOOT_UNDEFINED)
|
|
job->is_secure = cmdline.is_secure;
|
|
- else
|
|
- job->is_secure = job->is_secure ? : SECURE_BOOT_AUTO;
|
|
+ else if (job->id != job_menu && job->is_secure == SECURE_BOOT_UNDEFINED)
|
|
+ job->is_secure = SECURE_BOOT_AUTO;
|
|
|
|
/* Check job data for validity */
|
|
rc = check_job_data(job);
|