SHA256
1
0
forked from pool/s390-tools
s390-tools/s390-tools-sles15sp2-02-zkey-Move-utility-functions-into-separate-source-fil.patch

298 lines
7.3 KiB
Diff
Raw Normal View History

Accepting request 750974 from home:markkp:branches:Base:System - Upgraded to version 2.11.0 (jsc#7831) - Updated the cputype script and read_values program to recognize machine types up through the new z15. - Added the following patches (bsc#1151859) * s390-tools-sles15sp2-01-zkey-Separate-and-rework-CCA-host-library-loading.patch * s390-tools-sles15sp2-02-zkey-Move-utility-functions-into-separate-source-fil.patch * s390-tools-sles15sp2-03-zkey-Add-utility-function-to-get-the-serial-number-o.patch * s390-tools-sles15sp2-04-zkey-Add-utility-function-to-get-the-mkvp-of-a-crypt.patch * s390-tools-sles15sp2-05-zkey-add-function-to-iterate-over-all-available-CCA-.patch * s390-tools-sles15sp2-06-zkey-Add-function-to-print-the-MKVPs-of-APQNs.patch * s390-tools-sles15sp2-07-zkey-Add-function-to-cross-check-APQNs-for-valid-mas.patch * s390-tools-sles15sp2-08-zkey-Add-function-to-obtain-the-mkvp-of-a-secure-key.patch * s390-tools-sles15sp2-09-zkey-Display-MKVP-when-validating-a-secure-key.patch * s390-tools-sles15sp2-10-zkey-Cross-check-APQNs-when-generating-secure-keys.patch * s390-tools-sles15sp2-11-zkey-Cross-check-APQNs-when-validating-secure-keys.patch * s390-tools-sles15sp2-12-zkey-Cross-check-APQNs-when-importing-secure-keys.patch * s390-tools-sles15sp2-13-zkey-Cross-check-APQNs-when-changing-APQN-associatio.patch * s390-tools-sles15sp2-14-zkey-Add-function-to-select-a-specific-CCA-adapter.patch * s390-tools-sles15sp2-15-zkey-Add-function-to-select-a-CCA-adapter-by-mkvp.patch * s390-tools-sles15sp2-16-zkey-Select-CCA-adapter-when-re-enciphering.patch * s390-tools-sles15sp2-17-zkey-cryptsetup-Add-to-new-and-from-old-options.patch - Added the following patches (bsc#1151858) * s390-tools-sles15sp2-18-zkey-Display-key-type-with-list-and-validate-command.patch * s390-tools-sles15sp2-19-zkey-Allow-to-filter-list-output-by-key-type.patch * s390-tools-sles15sp2-20-zkey-Allow-to-specify-the-key-type-with-the-generate.patch * s390-tools-sles15sp2-21-zkey-Preparations-for-introducing-a-new-key-type.patch * s390-tools-sles15sp2-22-zkey-Introduce-the-CCA-AESCIPHER-key-type.patch * s390-tools-sles15sp2-23-zkey-Add-wrappers-for-the-new-IOCTLs-with-fallback-t.patch * s390-tools-sles15sp2-24-zkey-Add-helper-functions-to-build-lists-of-APQNs.patch * s390-tools-sles15sp2-25-zkey-Add-support-for-generating-AES-CIPHER-keys.patch * s390-tools-sles15sp2-26-zkey-Add-support-for-validating-AES-CIPHER-keys.patch * s390-tools-sles15sp2-27-zkey-Add-support-for-re-enciphering-AES-CIPHER-keys.patch * s390-tools-sles15sp2-28-zkey-Check-crypto-card-level-during-APQN-cross-check.patch * s390-tools-sles15sp2-29-zkey-Add-helper-function-to-query-the-CCA-firmware-v.patch * s390-tools-sles15sp2-30-zkey-Add-helper-function-to-convert-secure-keys-betw.patch * s390-tools-sles15sp2-31-zkey-Add-helper-function-to-restrict-export-of-secur.patch * s390-tools-sles15sp2-32-zkey-Add-helper-function-to-check-an-AES-CIPHER-key.patch * s390-tools-sles15sp2-33-zkey-Add-key-checks-when-importing-a-CCA-AESCIPHER-k.patch * s390-tools-sles15sp2-34-zkey-Add-convert-command-to-convert-keys-from-one-ty.patch * s390-tools-sles15sp2-35-zkey-Allow-zkey-cryptsetup-setkey-to-set-different-k.patch - Added the following patches (bsc#1153757) * s390-tools-sles15sp2-zcrypt-CEX7S-exploitation-support.patch * s390-tools-sles15sp2-zcryptstats-Add-support-for-CEX7.patch - Added s390-tools-sles15sp2-Close-file-descriptor-when-checking-for-read-only.patch - Forward-ported the following patches to work with the restructuring IBM did for this version * dasdfmt-retry-BIODASDINFO-if-device-is-busy.patch * s390-tools-sles12-fdasd-skip-partition-check-and-BLKRRPART-ioctl.patch * s390-tools-sles15-Allow-multiple-device-arguments.patch * s390-tools-sles15-Format-devices-in-parallel.patch * s390-tools-sles15-Implement-f-for-backwards-compability.patch * s390-tools-sles15-Implement-Y-yast_mode.patch - Removed the following obsolete patches: * s390-tools-sles15-1-lstape-fix-output-with-SCSI-lin_tape-and-multiple-pa.patch * s390-tools-sles15-2-lstape-fix-to-prefer-sysfs-to-find-lin_tape-device-n.patch * s390-tools-sles15-3-lstape-fix-output-without-SCSI-generic-sg.patch * s390-tools-sles15-4-lsluns-fix-to-prevent-error-messages-if-there-are-no.patch * s390-tools-sles15-5-lstape-fix-to-prevent-error-messages-if-there-are-no.patch * s390-tools-sles15-6-lstape-fix-description-of-type-and-devbusid-filter-f.patch * s390-tools-sles15-7-lstape-fix-SCSI-output-description-in-man-page.patch * s390-tools-sles15-8-lstape-fix-SCSI-HBA-CCW-device-bus-ID-e.g.-for-virti.patch * s390-tools-sles15-cpi-add-unit-install-section.patch * s390-tools-sles15-cpuplugd-Improve-systemctl-start-error-handling.patch * s390-tools-sles15-dbginfo-add-data-for-ps-cpprot.patch * s390-tools-sles15-Drop-device_id-parameter.patch * s390-tools-sles15-Fix-truncation-warning.patch * s390-tools-sles15-Fixup-dasdfmt_get_volser.patch * s390-tools-sles15-Fixup-device-name-handling.patch * s390-tools-sles15-hmcdrvfs-fix-parsing-of-link-count.patch * s390-tools-sles15-iucvterm-include-ctype-for-toupper.patch * s390-tools-sles15-lsluns-clarify-discovery-use-case-relation-to-NPIV-a.patch * s390-tools-sles15-lsluns-complement-alternative-tools-with-lszdev.patch * s390-tools-sles15-lsluns-document-restriction-to-zfcp-only-systems.patch * s390-tools-sles15-lsluns-do-not-print-confusing-messages-when-a-filter.patch * s390-tools-sles15-lsluns-do-not-scan-all-if-filters-match-nothing.patch * s390-tools-sles15-lsluns-enhance-usage-statement-and-man-page.patch * s390-tools-sles15-lsluns-fix-flawed-formatting-of-man-page.patch * s390-tools-sles15-lsluns-point-out-IBM-Storwize-configuration-requirem.patch * s390-tools-sles15-mon_procd-fix-parsing-of-proc-pid-stat.patch * s390-tools-sles15-mon_tools-Improve-systemctl-start-error-handling.patch * s390-tools-sles15sp1-0001-zkey-Add-properties-file-handling-routines.patch * s390-tools-sles15sp1-0002-zkey-Add-build-dependency-to-OpenSSL-libcrypto.patch * s390-tools-sles15sp1-0003-zkey-Add-helper-functions-for-comma-separated-string.patch * s390-tools-sles15sp1-0004-zkey-Externalize-secure-key-back-end-functions.patch * s390-tools-sles15sp1-0005-zkey-Add-keystore-implementation.patch * s390-tools-sles15sp1-0006-zkey-Add-keystore-related-commands.patch * s390-tools-sles15sp1-0007-zkey-Create-key-repository-and-group-during-make-ins.patch * s390-tools-sles15sp1-0008-zkey-Man-page-updates.patch * s390-tools-sles15sp1-0009-zkey-let-packaging-create-the-zkeyadm-group-and-perm.patch * s390-tools-sles15sp1-0010-zkey-Update-README-to-add-info-about-packaging-requi.patch * s390-tools-sles15sp1-0011-zkey-Typo-in-message.patch * s390-tools-sles15sp1-0012-zkey-Fix-memory-leak.patch * s390-tools-sles15sp1-0013-zkey-Fix-APQN-validation-routine.patch * s390-tools-sles15sp1-0014-zkey-Fix-generate-and-import-leaving-key-in-an-incon.patch * s390-tools-sles15sp1-0015-zkey-Add-zkey-cryptsetup-tool.patch * s390-tools-sles15sp1-0016-zkey-Add-man-page-for-zkey-cryptsetup.patch * s390-tools-sles15sp1-0017-zkey-Add-build-dependency-for-libcryptsetup-and-json.patch * s390-tools-sles15sp1-0018-zkey-Add-key-verification-pattern-property.patch * s390-tools-sles15sp1-0019-zkey-Add-volume-type-property-to-support-LUKS2-volum.patch * s390-tools-sles15sp1-01-chzcrypt-Corrections-at-the-chzcrypt-man-page.patch * s390-tools-sles15sp1-01-cpumf-Add-extended-counter-defintion-files-for-IBM-z.patch * s390-tools-sles15sp1-01-lszcrypt-CEX6S-exploitation.patch * s390-tools-sles15sp1-01-util_path-add-function-to-check-if-a-path-exists.patch * s390-tools-sles15sp1-01-zcryptctl-new-tool-zcryptctl-for-multiple-zcrypt-node.patch * s390-tools-sles15sp1-01-zdev-use-libutil-provided-path-functions.patch * s390-tools-sles15sp1-01-zkey-Include-sbin-into-PATH-when-executing-commands.patch * s390-tools-sles15sp1-02-cpumf-z14-split-counter-sets-according-to-CFVN-CSVN-.patch * s390-tools-sles15sp1-02-lszcrypt-fix-date-and-wrong-indentation.patch * s390-tools-sles15sp1-02-lszcrypt-support-for-alternate-zcrypt-device-drivers.patch * s390-tools-sles15sp1-02-util_path-Add-description-for-util_path_exists.patch * s390-tools-sles15sp1-02-zdev-Prepare-for-firmware-configuration-file-support.patch * s390-tools-sles15sp1-03-cpumf-cpumf_helper-read-split-counter-sets-part-2-2.patch * s390-tools-sles15sp1-03-util_path-Make-true-false-handling-consistent-with-o.patch * s390-tools-sles15sp1-03-zdev-Add-support-for-reading-firmware-configuration-.patch * s390-tools-sles15sp1-04-cpumf-correct-z14-counter-number.patch * s390-tools-sles15sp1-04-zdev-Implement-no-settle.patch * s390-tools-sles15sp1-04-zpcictl-Introduce-new-tool-zpcictl.patch * s390-tools-sles15sp1-05-cpumf-add-missing-Description-tag-for-z13-z14-ctr-12.patch * s390-tools-sles15sp1-05-zdev-Write-zfcp-lun-udev-rules-to-separate-files.patch * s390-tools-sles15sp1-05-zpcictl-include-sys-sysmacros.h-to-avoid-minor-major.patch * s390-tools-sles15sp1-06-cpumf-correct-counter-name-for-z13-and-z14.patch * s390-tools-sles15sp1-06-zdev-Add-support-for-handling-auto-configuration-dat.patch * s390-tools-sles15sp1-06-zpcictl-Rephrase-man-page-entries-and-tool-output.patch * s390-tools-sles15sp1-07-cpumf-Add-IBM-z14-ZR1-to-the-CPU-Measurement-Facilit.patch * s390-tools-sles15sp1-07-zdev-Integrate-firmware-auto-configuration-with-drac.patch * s390-tools-sles15sp1-07-zpcictl-Use-fopen-instead-of-open-for-writes.patch * s390-tools-sles15sp1-08-zdev-Integrate-firmware-auto-configuration-with-init.patch * s390-tools-sles15sp1-08-zpcictl-Read-device-link-to-obtain-device-address.patch * s390-tools-sles15sp1-09-zdev-Implement-internal-device-attributes.patch * s390-tools-sles15sp1-09-zpcictl-Make-device-node-for-NVMe-optional.patch * s390-tools-sles15sp1-10-zdev-Implement-support-for-early-device-configuratio.patch * s390-tools-sles15sp1-10-zpcictl-Change-wording-of-man-page-and-help-output.patch * s390-tools-sles15sp1-11-zdev-Do-not-call-zipl-on-initrd-update.patch * s390-tools-sles15sp1-dbginfo-gather-nvme-related-data.patch * s390-tools-sles15sp1-qethqoat-add-OSA-Express7S-support.patch * s390-tools-sles15sp1-zcrypt-refine-lszcrypt-man-page.patch * s390-tools-sles15sp1-zdev-Also-include-the-ctc-driver-in-the-initrd.patch * s390-tools-sles15sp1-zdev-fix-qeth-BridgePort-and-VNICC-conflict-checking.patch * s390-tools-sles15sp1-zkey-Enhance-error-message-about-missing-CCA-library.patch * s390-tools-sles15-zdev-Enable-running-chzdev-from-unknown-root-devices.patch * s390-tools-sles15-zdev-Fix-zdev-dracut-module-aborting-on-unknown-root.patch * s390-tools-sles15-zdev-Use-correct-path-to-vmcp-binary.patch * s390-tools-sles15-ziomon-re-add-missing-line.patch * s390-tools-sles15-zipl-remove-invalid-dasdview-command-line-option.patch - Added s390-tools-sles15sp1-ziomon-fix-utilization-data-recording-with-multi-dig.patch ziomon: fix utilization recording with multi-digit scsi hosts (bsc#1141876) OBS-URL: https://build.opensuse.org/request/show/750974 OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=83
2019-11-26 10:42:09 +01:00
Subject: zkey: Move utility functions into separate source file
From: Ingo Franzki <ifranzki@linux.ibm.com>
Summary: zkey: check master key consistency
Description: Enhances the zkey tool to perform a cross check whether the
APQNs associated with a secure key have the same master key.
Display the master key verification pattern of a secure key
during the zkey validate command. This helps to better identify
which master key is the correct one, in case of master key
inconsistencies.
Select an appropriate APQN when re-enciphering a secure key.
Re-enciphering is done using the CCA host library. Special
handling is required to select an appropriate APQN for use with
the CCA host library.
Upstream-ID: 696e8458f0c117e3a084e1a083de89ec19baaff9
Problem-ID: SEC1916
Upstream-Description:
zkey: Move utility functions into separate source file
As preparation for future changes, move a sysfs specific functions
into a separate source file (utils.c).
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
Reviewed-by: Harald Freudenberger <freude@linux.ibm.com>
Signed-off-by: Jan Hoeppner <hoeppner@linux.ibm.com>
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
---
zkey/Makefile | 5 +-
zkey/keystore.c | 69 +----------------------------------
zkey/utils.c | 109 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++
zkey/utils.h | 21 ++++++++++
4 files changed, 136 insertions(+), 68 deletions(-)
--- a/zkey/Makefile
+++ b/zkey/Makefile
@@ -67,12 +67,13 @@ all: $(BUILD_TARGETS)
zkey.o: zkey.c pkey.h cca.h misc.h
pkey.o: pkey.c pkey.h
cca.o: cca.c cca.h pkey.h
+utils.o: utils.h
properties.o: check-dep-zkey properties.c properties.h
-keystore.o: keystore.c keystore.h properties.h pkey.h cca.h
+keystore.o: keystore.c keystore.h properties.h pkey.h cca.h utils.h
zkey-cryptsetup.o: check-dep-zkey-cryptsetup zkey-cryptsetup.c pkey.h cca.h misc.h
zkey: LDLIBS = -ldl -lcrypto
-zkey: zkey.o pkey.o cca.o properties.o keystore.o $(libs)
+zkey: zkey.o pkey.o cca.o properties.o keystore.o utils.o $(libs)
$(LINK) $(ALL_LDFLAGS) $^ $(LDLIBS) -o $@
zkey-cryptsetup: LDLIBS = -ldl -lcryptsetup -ljson-c
--- a/zkey/keystore.c
+++ b/zkey/keystore.c
@@ -25,7 +25,6 @@
#include <sys/types.h>
#include "lib/util_base.h"
-#include "lib/util_file.h"
#include "lib/util_libc.h"
#include "lib/util_panic.h"
#include "lib/util_path.h"
@@ -35,6 +34,7 @@
#include "pkey.h"
#include "cca.h"
#include "properties.h"
+#include "utils.h"
struct key_filenames {
char *skey_filename;
@@ -1010,69 +1010,6 @@ free:
return rc;
}
-/**
- * Checks if the specified APQN is of type CCA and is online
- *
- * @param[in] card card number
- * @param[in] domain the domain
- *
- * @returns 1 if its a CCA card and is online, 0 if offline and -1 if its
- * not a CCA card.
- */
-static int _keystore_is_apqn_online(int card, int domain)
-{
- long int online;
- char *dev_path;
- char type[20];
- int rc = 1;
-
- dev_path = util_path_sysfs("bus/ap/devices/card%02x", card);
- if (!util_path_is_dir(dev_path)) {
- rc = 0;
- goto out;
- }
- if (util_file_read_l(&online, 10, "%s/online", dev_path) != 0) {
- rc = 0;
- goto out;
- }
- if (online == 0) {
- rc = 0;
- goto out;
- }
- if (util_file_read_line(type, sizeof(type), "%s/type", dev_path) != 0) {
- rc = 0;
- goto out;
- }
- if (strncmp(type, "CEX", 3) != 0 || strlen(type) < 5) {
- rc = 0;
- goto out;
- }
- if (type[4] != 'C') {
- rc = -1;
- goto out;
- }
- free(dev_path);
-
- dev_path = util_path_sysfs("bus/ap/devices/card%02x/%02x.%04x", card,
- card, domain);
- if (!util_path_is_dir(dev_path)) {
- rc = 0;
- goto out;
- }
- if (util_file_read_l(&online, 10, "%s/online", dev_path) != 0) {
- rc = 0;
- goto out;
- }
- if (online == 0) {
- rc = 0;
- goto out;
- }
-
-out:
- free(dev_path);
- return rc;
-}
-
struct apqn_check {
bool noonlinecheck;
bool nomsg;
@@ -1124,7 +1061,7 @@ static int _keystore_apqn_check(const ch
goto out;
}
- rc = _keystore_is_apqn_online(card, domain);
+ rc = sysfs_is_apqn_online(card, domain);
if (rc != 1) {
if (info->nomsg == 0)
warnx("The APQN %02x.%04x is %s", card, domain,
@@ -2329,7 +2266,7 @@ static int _keystore_display_apqn_status
if (sscanf(apqn_list[i], "%x.%x", &card, &domain) != 2)
continue;
- rc = _keystore_is_apqn_online(card, domain);
+ rc = sysfs_is_apqn_online(card, domain);
if (rc != 1) {
printf("WARNING: The APQN %02x.%04x associated with "
"key '%s' is %s\n", card, domain, name,
--- /dev/null
+++ b/zkey/utils.c
@@ -0,0 +1,109 @@
+/*
+ * zkey - Generate, re-encipher, and validate secure keys
+ *
+ * Copyright IBM Corp. 2019
+ *
+ * s390-tools is free software; you can redistribute it and/or modify
+ * it under the terms of the MIT license. See LICENSE for details.
+ */
+
+#include <err.h>
+#include <errno.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+#include <sys/types.h>
+#include <unistd.h>
+
+#include "lib/util_path.h"
+#include "lib/util_file.h"
+
+#include "utils.h"
+
+/**
+ * Checks if the specified card is of type CCA and is online
+ *
+ * @param[in] card card number
+ *
+ * @returns 1 if its a CCA card and is online, 0 if offline and -1 if its
+ * not a CCA card.
+ */
+int sysfs_is_card_online(int card)
+{
+ long int online;
+ char *dev_path;
+ char type[20];
+ int rc = 1;
+
+ dev_path = util_path_sysfs("bus/ap/devices/card%02x", card);
+ if (!util_path_is_dir(dev_path)) {
+ rc = 0;
+ goto out;
+ }
+ if (util_file_read_l(&online, 10, "%s/online", dev_path) != 0) {
+ rc = 0;
+ goto out;
+ }
+ if (online == 0) {
+ rc = 0;
+ goto out;
+ }
+ if (util_file_read_line(type, sizeof(type), "%s/type", dev_path) != 0) {
+ rc = 0;
+ goto out;
+ }
+ if (strncmp(type, "CEX", 3) != 0 || strlen(type) < 5) {
+ rc = 0;
+ goto out;
+ }
+ if (type[4] != 'C') {
+ rc = -1;
+ goto out;
+ }
+
+out:
+ free(dev_path);
+ return rc;
+}
+
+/**
+ * Checks if the specified APQN is of type CCA and is online
+ *
+ * @param[in] card card number
+ * @param[in] domain the domain
+ *
+ * @returns 1 if its a CCA card and is online, 0 if offline and -1 if its
+ * not a CCA card.
+ */
+int sysfs_is_apqn_online(int card, int domain)
+{
+ long int online;
+ char *dev_path;
+ int rc = 1;
+
+ rc = sysfs_is_card_online(card);
+ if (rc != 1)
+ return rc;
+
+ dev_path = util_path_sysfs("bus/ap/devices/card%02x/%02x.%04x", card,
+ card, domain);
+ if (!util_path_is_dir(dev_path)) {
+ rc = 0;
+ goto out;
+ }
+ if (util_file_read_l(&online, 10, "%s/online", dev_path) != 0) {
+ rc = 0;
+ goto out;
+ }
+ if (online == 0) {
+ rc = 0;
+ goto out;
+ }
+
+out:
+ free(dev_path);
+ return rc;
+}
+
--- /dev/null
+++ b/zkey/utils.h
@@ -0,0 +1,21 @@
+/*
+ * zkey - Generate, re-encipher, and validate secure keys
+ *
+ * This header file defines the interface to the CCA host library.
+ *
+ * Copyright IBM Corp. 2019
+ *
+ * s390-tools is free software; you can redistribute it and/or modify
+ * it under the terms of the MIT license. See LICENSE for details.
+ */
+
+#ifndef UTILS_H
+#define UTILS_H
+
+#include "lib/zt_common.h"
+
+int sysfs_is_card_online(int card);
+
+int sysfs_is_apqn_online(int card, int domain);
+
+#endif