SHA256
1
0
forked from pool/s390-tools
s390-tools/s390-tools-sles15sp2-02-zipl-allow-stand-alone-secure-option-on-command-l.patch

171 lines
5.4 KiB
Diff
Raw Normal View History

Accepting request 786614 from home:markkp:branches:Base:System - Added the following patches for bsc#1166850 zipl: fix secure boot config handling: * s390-tools-sles15sp2-01-zipl-Add-missing-options-to-help-output.patch * s390-tools-sles15sp2-02-zipl-allow-stand-alone-secure-option-on-command-l.patch * s390-tools-sles15sp2-03-zipl-correct-secure-boot-config-handling.patch * s390-tools-sles15sp2-04-zipl-fix-zipl.conf-man-page-example-for-secure-boot.patch - Modified the spec file so that the kernel used for the SCSI dump tool is named zfcpdump-image instead of zfcpdump_part.image. This is to match the new version of zipl that expects this new file name. (bsc#1166851) - Added the following patches to implement jsc#SLE-7471, Enhanced tooling for kvm guest images (bsc#1165549): * s390-tools-sles15sp2-01-zipl-fix-Wdiscarded-qualifiers.patch * s390-tools-sles15sp2-02-zipl-fix-Waddress-of-packed-member.patch * s390-tools-sles15sp2-03-zipl-remove-some-useless-__packed___-attributes.patch * s390-tools-sles15sp2-04-zipl-Fix-entry-point-for-stand-alone-kdump.patch * s390-tools-sles15sp2-05-zipl-Fix-dependency-generation-in-zipl-boot.patch * s390-tools-sles15sp2-06-zipl-Make-use-of-__packed-macro.patch * s390-tools-sles15sp2-07-zipl-define-__section-macro-and-make-use-of-it.patch * s390-tools-sles15sp2-08-zipl-Make-use-of-__noreturn-macro.patch * s390-tools-sles15sp2-09-zipl-Define-__noinline-macro-and-make-use-of-it.patch * s390-tools-sles15sp2-10-zipl-stage3-Mark-start_kernel-__noreturn.patch * s390-tools-sles15sp2-11-zipl-sclp-Remove-duplicate-macros.patch * s390-tools-sles15sp2-12-zipl-Make-address-size-mask-macros-UL.patch * s390-tools-sles15sp2-13-zipl-libc-Use-stdint.h-instead-of-self-defined-macro.patch * s390-tools-sles15sp2-14-zipl-Consolidate-IMAGE-macros.patch * s390-tools-sles15sp2-15-zipl-Consolidate-STAGE-2-3-macros.patch * s390-tools-sles15sp2-16-zipl-stfle-use-uint64_t-instead-of-u64.patch * s390-tools-sles15sp2-17-zipl-boot-fix-comment-in-stage3.lds.patch * s390-tools-sles15sp2-18-lib-zt_common-add-STATIC_ASSERT-macro.patch * s390-tools-sles15sp2-19-zipl-use-STATIC_ASSERT-macro-for-no-padding-verifica.patch * s390-tools-sles15sp2-20-Support-lib-zt_common.h-to-be-used-in-assembler-and-.patch * s390-tools-sles15sp2-21-zipl-move-IPL-related-definitions-into-separate-head.patch * s390-tools-sles15sp2-22-zipl-move-SIGP-related-functions-and-definitions-int.patch * s390-tools-sles15sp2-23-zipl-add-SIGP_SET_ARCHITECTURE-to-sigp.h-and-use-it.patch * s390-tools-sles15sp2-24-zipl-stage3-make-IPL_DEVICE-definition-consistent-wi.patch * s390-tools-sles15sp2-25-zipl-move-Linux-layout-definitions-into-separate-hea.patch * s390-tools-sles15sp2-26-zipl-tape0-use-constants-defined-in-linux_layout.h.patch * s390-tools-sles15sp2-27-zipl-use-STAGE3_ENTRY-for-STAGE3_LOAD_ADDRESS.patch * s390-tools-sles15sp2-28-zipl-move-loaders-layout-definitions-into-separate-h.patch * s390-tools-sles15sp2-29-zipl-s390.h-rename-inline-macro-into-__always_inline.patch * s390-tools-sles15sp2-30-zipl-move-__always_inline-barrier-__pa32-pa-to-zt_co.patch * s390-tools-sles15sp2-31-zipl-make-BLK_PWRT-unsigned-int.patch * s390-tools-sles15sp2-32-Consolidate-MIN-and-MAX-macros.patch * s390-tools-sles15sp2-33-zipl-remove-libc.h-include-in-s390.h.patch * s390-tools-sles15sp2-34-zipl-move-s390.h-to-include-boot-s390.h.patch * s390-tools-sles15sp2-35-zipl-libc-include-s390.h.patch * s390-tools-sles15sp2-36-include-boot-s390.h-move-panic-and-panic_notify-to-l.patch * s390-tools-sles15sp2-37-include-boot-s390.h-fixes-for-Werror-sign-conversion.patch * s390-tools-sles15sp2-38-zipl-refactor-all-EBCDIC-code-into-separate-files.patch * s390-tools-sles15sp2-39-zipl-sclp-add-macros-for-the-control-program-masks.patch * s390-tools-sles15sp2-40-zipl-sclp-add-sclp_print_ascii.patch * s390-tools-sles15sp2-41-zipl-libc-printf-print-on-linemode-and-ASCII-console.patch * s390-tools-sles15sp2-42-Consolidate-ALIGN-__ALIGN_MASK-ARRAY_SIZE-macros.patch * s390-tools-sles15sp2-43-genprotimg-boot-initial-bootloader-support.patch * s390-tools-sles15sp2-44-genprotimg-boot-use-C-pre-processor-for-linker-scrip.patch * s390-tools-sles15sp2-45-genprotimg-add-relocator-for-stage3b.patch * s390-tools-sles15sp2-46-README.md-remove-useless-empty-line.patch * s390-tools-sles15sp2-47-include-boot-s390.h-add-guard-for-struct-__vector128.patch * s390-tools-sles15sp2-48-genprotimg-introduce-new-tool-for-the-creation-of-PV.patch - Added a BuildRequires for glib2-devel to support the new feature. - Added a %dir entry for /usr/share/s390-tools/genprotimg OBS-URL: https://build.opensuse.org/request/show/786614 OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=92
2020-03-19 23:52:46 +01:00
Subject: [PATCH] [BZ 184396] zipl: allow stand alone secure option on command line
From: Stefan Haberland <sth@linux.ibm.com>
Description: zipl: fix secure boot config handling
Symptom: The config file parsing for secure boot worked not as
it was expected to be. For example a config section
setting was not evaluated properly.
It is not possible to specify command line option -S
without other options.
Additionally the man page showed an invalid example.
Problem: The config file parsing was not implemented properly.
Solution: The hierarchy of the secure boot settings in the config
file is:
defaultboot > menu > section
Allow that --secure or -S is specified on command line
without the need to allow all options on the command
line. Also ensure that the command line option
overrules the config option and correctly ensure that
secure boot is only set for SCSI devices.
Fix man page example.
Reproduction: Run zipl with a secure= setting in a configuration
section or specify -S on command line.
Upstream-ID: 27f6c0a167da8d08f7f3343360528528f85d661f
Problem-ID: 184396
Upstream-Description:
zipl: allow stand alone secure option on command line
Allow that --secure or -S is specified on command line without the need to
allow all options on the command line.
Also ensure that the command line option overrules the config option and
correctly ensure that secure boot is only set for SCSI devices.
Signed-off-by: Stefan Haberland <sth@linux.ibm.com>
Reviewed-by: Philipp Rudo <prudo@linux.ibm.com>
Signed-off-by: Jan Hoeppner <hoeppner@linux.ibm.com>
Signed-off-by: Stefan Haberland <sth@linux.ibm.com>
---
zipl/src/bootmap.c | 6 ++++++
zipl/src/job.c | 52 +++++++++++++++++++++++++---------------------------
2 files changed, 31 insertions(+), 27 deletions(-)
--- a/zipl/src/bootmap.c
+++ b/zipl/src/bootmap.c
@@ -1133,6 +1133,12 @@ bootmap_create(struct job_data *job, dis
disk_get_type_name(info->type));
goto out_disk_free_info;
}
+ /* Check if secure boot was enabled only for SCSI */
+ if (job->is_secure == SECURE_BOOT_ENABLED &&
+ info->type != disk_type_scsi) {
+ error_reason("Secure boot forced for non-SCSI disk type");
+ goto out_disk_free_info;
+ }
if (verbose) {
printf("Target device information\n");
disk_print_info(info);
--- a/zipl/src/job.c
+++ b/zipl/src/job.c
@@ -72,6 +72,7 @@ struct command_line {
int add_files;
int dry_run;
int force;
+ int is_secure;
enum scan_section_type type;
};
@@ -89,6 +90,22 @@ store_option(struct command_line* cmdlin
return 0;
}
+static int
+set_secure_ipl(char *keyword, int *is_secure)
+{
+ if (strcmp(keyword, "auto") == 0) {
+ *is_secure = SECURE_BOOT_AUTO;
+ } else if (strcmp(keyword, "0") == 0) {
+ *is_secure = SECURE_BOOT_DISABLED;
+ } else if (strcmp(keyword, "1") == 0) {
+ *is_secure = SECURE_BOOT_ENABLED;
+ } else {
+ error_reason("Invalid secure boot setting '%s'",
+ keyword);
+ return -1;
+ }
+ return 0;
+}
static int
get_command_line(int argc, char* argv[], struct command_line* line)
@@ -217,9 +234,7 @@ get_command_line(int argc, char* argv[],
cmdline.menu = optarg;
break;
case 'S':
- is_keyword = 1;
- rc = store_option(&cmdline, scan_keyword_secure,
- optarg);
+ rc = set_secure_ipl(optarg, &cmdline.is_secure);
break;
case 'h':
cmdline.help = 1;
@@ -1270,27 +1285,6 @@ type_from_target(char *target, disk_type
}
static int
-set_secure_ipl(char *keyword, struct job_data *job)
-{
- if (strcmp(keyword, "auto") == 0) {
- job->is_secure = SECURE_BOOT_AUTO;
- } else if (strcmp(keyword, "0") == 0) {
- job->is_secure = SECURE_BOOT_DISABLED;
- } else if (strcmp(keyword, "1") == 0) {
- if (job->target.targettype != disk_type_scsi) {
- error_reason("Secure boot forced for non-SCSI disk type");
- return -1;
- }
- job->is_secure = SECURE_BOOT_ENABLED;
- } else {
- error_reason("Invalid secure boot setting '%s'",
- keyword);
- return -1;
- }
- return 0;
-}
-
-static int
get_job_from_section_data(char* data[], struct job_data* job, char* section)
{
int rc;
@@ -1374,7 +1368,7 @@ get_job_from_section_data(char* data[],
/* Fill in secure boot */
if (data[(int) scan_keyword_secure] != NULL) {
rc = set_secure_ipl(data[(int) scan_keyword_secure],
- job);
+ &job->is_secure);
if (rc)
return rc;
}
@@ -1538,7 +1532,7 @@ get_menu_job(struct scan_token* scan, ch
case scan_keyword_secure:
rc = set_secure_ipl(
scan[i].content.keyword.value,
- job);
+ &job->is_secure);
if (rc)
return rc;
break;
@@ -1880,7 +1874,6 @@ job_get(int argc, char* argv[], struct j
job->add_files = cmdline.add_files;
job->data.mvdump.force = cmdline.force;
job->dry_run = cmdline.dry_run;
- job->is_secure = SECURE_BOOT_AUTO;
/* Get job data from user input */
if (cmdline.help) {
job->command_line = 1;
@@ -1899,6 +1892,11 @@ job_get(int argc, char* argv[], struct j
job_free(job);
return rc;
}
+ if (cmdline.is_secure)
+ job->is_secure = cmdline.is_secure;
+ else
+ job->is_secure = job->is_secure ? : SECURE_BOOT_AUTO;
+
/* Check job data for validity */
rc = check_job_data(job);
if (rc) {