Accepting request 648783 from home:markkp:branches:Base:System

Lots of features implemented for SLES15 SP1.

OBS-URL: https://build.opensuse.org/request/show/648783
OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=57

s390-tools-rpmlintrc

@@ -1,3 +1,4 @@
 addFilter("statically-linked-binary /usr/lib/s390-tools/.*")
 addFilter("statically-linked-binary /usr/bin/read_values")
 addFilter("systemd-service-without-service_.* *@.service")
+addFilter("position-independent-executable-suggested ")

s390-tools-sles15sp1-0001-zkey-Add-properties-file-handling-routines.patch

@@ -0,0 +1,506 @@
+Subject: zkey: Add properties file handling routines
+From: Philipp Rudo <prudo@linux.ibm.com>
+
+Summary:     zkey: Add support of protected key crypto for dm-crypt.
+Description: Support the usage of protected key crypto for dm-crypt disks in
+             plain format by providing a tool to manage a key repository
+             allowing to associate secure keys with disk partitions or logical
+             volumes.
+Upstream-ID: 340da73bb7f06a9fc2aecfe4e33f1f3a17b3568d
+Problem-ID:  SEC1800
+
+Upstream-Description:
+
+             zkey: Add properties file handling routines
+
+             In preparation for a new feature, introduce property file
+             handling routines. A property file stores key value pairs
+             in a text file. Optionally a hash of all keys and values
+             contained in the properties file can be generated to
+             ensure integrity of the properties file and to detect
+             manual modifications.
+
+             Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
+             Reviewed-by: Hendrik Brueckner <brueckner@linux.ibm.com>
+             Signed-off-by: Jan Höppner <hoeppner@linux.ibm.com>
+
+
+Signed-off-by: Philipp Rudo <prudo@linux.ibm.com>
+---
+ zkey/Makefile     |    5 
+ zkey/properties.c |  409 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ zkey/properties.h |   36 ++++
+ 3 files changed, 448 insertions(+), 2 deletions(-)
+
+--- a/zkey/Makefile
++++ b/zkey/Makefile
+@@ -1,15 +1,16 @@
+ include ../common.mak
+ 
+ CPPFLAGS += -I../include
+-LDLIBS += -ldl
++LDLIBS += -ldl -lcrypto
+ 
+ all: zkey
+ 
+ libs = $(rootdir)/libutil/libutil.a
+ 
+ zkey.o: zkey.c pkey.h misc.h
++properties.o: properties.c properties.h
+ 
+-zkey: zkey.o $(libs)
++zkey: zkey.o properties.o $(libs)
+ 
+ install: all
+ 	$(INSTALL) -d -m 755 $(DESTDIR)$(USRBINDIR)
+--- /dev/null
++++ b/zkey/properties.c
+@@ -0,0 +1,409 @@
++/*
++ * zkey - Generate, re-encipher, and validate secure keys
++ *
++ * Properties file handling functions
++ *
++ * Copyright IBM Corp. 2018
++ *
++ * s390-tools is free software; you can redistribute it and/or modify
++ * it under the terms of the MIT license. See LICENSE for details.
++ */
++
++#include <errno.h>
++#include <stdio.h>
++#include <stdlib.h>
++#include <string.h>
++
++#include <openssl/evp.h>
++
++#include "lib/util_libc.h"
++#include "lib/util_list.h"
++#include "lib/util_panic.h"
++
++#include "properties.h"
++
++struct properties {
++	struct util_list list;
++};
++
++struct property {
++	struct util_list_node node;
++	char *name;
++	char *value;
++};
++
++#define SHA256_DIGEST_LEN	32
++#define INTEGRITY_KEY_NAME      "__hash__"
++
++#define RESTRICTED_PROPERTY_NAME_CHARS   "=\n"
++#define RESTRICTED_PROPERTY_VALUE_CHARS  "\n"
++
++static int openssl_initialized;
++
++/**
++ * Allocate and initialize a SHA-256 context
++ *
++ * @returns a SHA context
++ */
++static EVP_MD_CTX *sha256_init(void)
++{
++	EVP_MD_CTX *ctx;
++	int rc;
++
++	if (!openssl_initialized) {
++		OpenSSL_add_all_algorithms();
++		openssl_initialized = 1;
++	}
++
++	ctx = EVP_MD_CTX_create();
++	util_assert(ctx != NULL,
++		    "Internal error: OpenSSL MD context allocation failed");
++
++	rc = EVP_DigestInit_ex(ctx, EVP_sha256(), NULL);
++	util_assert(rc == 1, "Internal error: SHA-256 digest init failed");
++
++	return ctx;
++}
++
++/**
++ * Add data to the SHA-256 context
++ *
++ * @parm[in]    ctx        the SHA context
++ * @parm[in]    data       the data to be hashed
++ * @parm[in]    data_len   the length of the data
++ */
++static void sha256_update(EVP_MD_CTX *ctx,
++			  const char *data, unsigned int data_len)
++{
++	int rc;
++
++	util_assert(ctx != NULL, "Internal error: OpenSSL MD context is NULL");
++	util_assert(data != NULL || data_len == 0,
++		    "Internal error: data is NULL");
++
++	rc = EVP_DigestUpdate(ctx, data, data_len);
++
++	util_assert(rc == 1, "Internal error: SHA-256 digest udpdate failed");
++}
++
++/**
++ * Produce the digest for the SHA-256 context and free the context
++ *
++ * @parm[in]     ctx          the SHA context
++ * @parm[out]    digest       a buffer where the digest is stored
++ * @parm[in/out] digest_len   on entry, *digest_len contains the size of the
++ *                            digest buffer, which must be large enough to hold
++ *                            a SHA-256 digest (32 bytes),
++ *                            on exit it contains the size of the digest
++ *                            returned in the buffer.
++ */
++static void sha256_final(EVP_MD_CTX *ctx,
++			 unsigned char *digest, unsigned int *digest_len)
++{
++	int rc;
++
++	util_assert(ctx != NULL, "Internal error: OpenSSL MD context is NULL");
++
++	if (digest != NULL && digest_len != NULL) {
++		util_assert(*digest_len >= (unsigned int)EVP_MD_CTX_size(ctx),
++			    "Internal error: digest_len is too small");
++
++		rc = EVP_DigestFinal_ex(ctx, digest, digest_len);
++		util_assert(rc == 1,
++			    "Internal error: SHA-256 digest final failed");
++	}
++
++	EVP_MD_CTX_destroy(ctx);
++}
++
++/**
++ * Allocates a new properties object
++ *
++ * @returns the properties object
++ */
++struct properties *properties_new(void)
++{
++	struct properties *properties;
++
++	properties = util_zalloc(sizeof(struct properties));
++
++	util_list_init_offset(&properties->list,
++			      offsetof(struct property, node));
++	return properties;
++}
++
++/**
++ * Frees a properties object with all its properties
++ *
++ * @param[in]  properties    the properties object
++ */
++void properties_free(struct properties *properties)
++{
++	struct property *property;
++
++	util_assert(properties != NULL, "Internal error: properties is NULL");
++
++	while ((property = util_list_start(&properties->list)) != NULL) {
++		free(property->name);
++		free(property->value);
++		util_list_remove(&properties->list, property);
++	}
++
++	free(properties);
++}
++
++/**
++ * Find a property by its name in the list iof properties
++ *
++ * @param[in]  properties    the properties object
++ * @param[in]  name          the name of the property to find
++ *
++ * @returns a pointer to the proerty when it has been found, or NULL if not
++ */
++static struct property *properties_find(struct properties *properties,
++					const char *name)
++{
++	struct property *property;
++
++	property = util_list_start(&properties->list);
++	while (property != NULL) {
++		if (strcmp(property->name, name) == 0)
++			return property;
++		property = util_list_next(&properties->list, property);
++	}
++	return NULL;
++}
++
++/**
++ * Adds or updates a property
++ *
++ * @param[in]  properties    the properties object
++ * @param[in]  name          the name of the property
++ * @param[in]  value         the value of the property
++ *
++ * @returns 0 on success,
++ *          -EINVAL if the name or value contains invalid characters
++ */
++int properties_set(struct properties *properties,
++		   const char *name, const char *value)
++{
++	struct property *property;
++
++	util_assert(properties != NULL, "Internal error: properties is NULL");
++	util_assert(name != NULL, "Internal error: name is NULL");
++	util_assert(value != NULL, "Internal error: value is NULL");
++
++	if (strpbrk(name, RESTRICTED_PROPERTY_NAME_CHARS) != NULL)
++		return -EINVAL;
++	if (strpbrk(value, RESTRICTED_PROPERTY_VALUE_CHARS) != NULL)
++		return -EINVAL;
++
++	property = properties_find(properties, name);
++	if (property != NULL) {
++		free(property->value);
++		property->value = util_strdup(value);
++	} else {
++		property = util_zalloc(sizeof(struct property));
++		property->name = util_strdup(name);
++		property->value = util_strdup(value);
++		util_list_add_tail(&properties->list, property);
++	}
++	return 0;
++}
++
++/**
++ * Gets a property
++ *
++ * @param[in]  properties    the properties object
++ * @param[in]  name          the name of the property
++ *
++ * @returns a string containing the property value, or NULL if the property
++ *          was not found.
++ *          Note: The returned string must be freed via free() by the caller.
++ */
++char *properties_get(struct properties *properties, const char *name)
++{
++	struct property *property;
++
++	util_assert(properties != NULL, "Internal error: properties is NULL");
++	util_assert(name != NULL, "Internal error: name is NULL");
++
++	property = properties_find(properties, name);
++	if (property == NULL)
++		return NULL;
++
++	return util_strdup(property->value);
++}
++
++/**
++ * Removes a property
++ *
++ * @param[in]  properties    the properties object
++ * @param[in]  name          the name of the property
++ *
++ * @returns 0 on success, -ENOENT if the property was not found.
++ */
++int properties_remove(struct properties *properties, const char *name)
++{
++	struct property *property;
++
++	util_assert(properties != NULL, "Internal error: properties is NULL");
++	util_assert(name != NULL, "Internal error: name is NULL");
++
++	property = properties_find(properties, name);
++	if (property == NULL)
++		return -ENOENT;
++
++	free(property->name);
++	free(property->value);
++	util_list_remove(&properties->list, property);
++	return 0;
++}
++
++/**
++ * Saves the properties to a file
++ *
++ * @param[in]  properties    the properties object
++ * @param[in]  filename      the file name
++ * @param[in]  check_integrity if TRUE, an hash of the key and values is
++ *                           stored as part of the file.
++ *
++ * @returns 0 on success, -EIO the file could not be created
++ */
++int properties_save(struct properties *properties, const char *filename,
++		    bool check_integrity)
++{
++	char digest_hex[SHA256_DIGEST_LEN * 2 + 1];
++	unsigned char digest[SHA256_DIGEST_LEN];
++	unsigned int digest_len = sizeof(digest);
++	struct property *property;
++	EVP_MD_CTX *ctx = NULL;
++	unsigned int i;
++	FILE *fp;
++
++	util_assert(properties != NULL, "Internal error: properties is NULL");
++	util_assert(filename != NULL, "Internal error: filename is NULL");
++
++	fp = fopen(filename, "w");
++	if (fp == NULL)
++		return -EIO;
++
++	if (check_integrity)
++		ctx = sha256_init();
++
++	property = util_list_start(&properties->list);
++	while (property != NULL) {
++		fprintf(fp, "%s=%s\n", property->name, property->value);
++
++		if (check_integrity) {
++			sha256_update(ctx, property->name,
++				      strlen(property->name));
++			sha256_update(ctx, property->value,
++				      strlen(property->value));
++		}
++
++		property = util_list_next(&properties->list, property);
++	}
++
++	if (check_integrity) {
++		sha256_final(ctx, digest, &digest_len);
++		util_assert(digest_len <= SHA256_DIGEST_LEN,
++			    "Internal error: digest length too long");
++
++		for (i = 0; i < digest_len; i++)
++			sprintf(&digest_hex[i * 2], "%02x", digest[i]);
++		digest_hex[digest_len * 2] = '\0';
++
++		fprintf(fp, "%s=%s\n", INTEGRITY_KEY_NAME, digest_hex);
++	}
++
++	fclose(fp);
++	return 0;
++}
++
++/**
++ * Loads the properties from a file
++ *
++ * @param[in]  properties    the properties object
++ * @param[in]  filename      the file name
++ * @param[in]  check_integrity if TRUE, an hash of the key and values is
++ *                           compared with the hash stored as part of the file.
++ *
++ * @returns 0 on success, -EIO the file could not be created,
++ *          -EPERM in case of a syntax error or an integrity error
++ */
++int properties_load(struct properties *properties, const char *filename,
++		    bool check_integrity)
++{
++	char digest_hex[SHA256_DIGEST_LEN * 2 + 1];
++	unsigned char digest[SHA256_DIGEST_LEN];
++	unsigned int digest_len = sizeof(digest);
++	char *digest_read = NULL;
++	EVP_MD_CTX *ctx = NULL;
++	char line[4096];
++	unsigned int len, i;
++	int rc = 0;
++	char *ch;
++	FILE *fp;
++
++	util_assert(properties != NULL, "Internal error: properties is NULL");
++	util_assert(filename != NULL, "Internal error: filename is NULL");
++
++	fp = fopen(filename, "r");
++	if (fp == NULL)
++		return -EIO;
++
++	if (check_integrity)
++		ctx = sha256_init();
++
++	while (fgets(line, sizeof(line), fp) != NULL) {
++		len = strlen(line);
++		if (line[len-1] == '\n')
++			line[len-1] = '\0';
++		ch = strchr(line, '=');
++		if (ch == NULL) {
++			rc = -EPERM;
++			goto out;
++		}
++
++		*ch = '\0';
++		ch++;
++
++		if (check_integrity) {
++			if (strcmp(line, INTEGRITY_KEY_NAME) == 0) {
++				digest_read = util_strdup(ch);
++				continue;
++			}
++
++			sha256_update(ctx, line, strlen(line));
++			sha256_update(ctx, ch, strlen(ch));
++		}
++
++		properties_set(properties, line, ch);
++	}
++
++	if (check_integrity) {
++		sha256_final(ctx, digest, &digest_len);
++		ctx = NULL;
++		util_assert(digest_len <= SHA256_DIGEST_LEN,
++			    "Internal error: digest length too long");
++
++		for (i = 0; i < digest_len; i++)
++			sprintf(&digest_hex[i * 2], "%02x", digest[i]);
++		digest_hex[digest_len * 2] = '\0';
++
++		if (digest_read == NULL ||
++		    strcmp(digest_hex, digest_read) != 0) {
++			rc = -EPERM;
++			goto out;
++		}
++	}
++
++out:
++	if (ctx != NULL)
++		sha256_final(ctx, NULL, NULL);
++	if (digest_read != NULL)
++		free(digest_read);
++	fclose(fp);
++	return rc;
++}
+--- /dev/null
++++ b/zkey/properties.h
+@@ -0,0 +1,36 @@
++/*
++ * zkey - Generate, re-encipher, and validate secure keys
++ *
++ * Properties file handling functions
++ *
++ * Copyright IBM Corp. 2018
++ *
++ * s390-tools is free software; you can redistribute it and/or modify
++ * it under the terms of the MIT license. See LICENSE for details.
++ */
++
++#ifndef PROPFILE_H
++#define PROPFILE_H
++
++#include <stdbool.h>
++
++struct properties;
++
++struct properties *properties_new(void);
++
++void properties_free(struct properties *properties);
++
++int properties_set(struct properties *properties,
++		   const char *name, const char *value);
++
++char *properties_get(struct properties *properties, const char *name);
++
++int properties_remove(struct properties *properties, const char *name);
++
++int properties_save(struct properties *properties, const char *filename,
++		    bool check_integrity);
++
++int properties_load(struct properties *properties, const char *filename,
++		    bool check_integrity);
++
++#endif

s390-tools-sles15sp1-0002-zkey-Add-build-dependency-to-OpenSSL-libcrypto.patch

@@ -0,0 +1,89 @@
+Subject: zkey: Add build dependency to OpenSSL (libcrypto)
+From: Philipp Rudo <prudo@linux.ibm.com>
+
+Summary:     zkey: Add support of protected key crypto for dm-crypt.
+Description: Support the usage of protected key crypto for dm-crypt disks in
+             plain format by providing a tool to manage a key repository
+             allowing to associate secure keys with disk partitions or logical
+             volumes.
+Upstream-ID: 5e24f74fdefc5fe7d315df080832f1b059485f0f
+Problem-ID:  SEC1800
+
+Upstream-Description:
+
+             zkey: Add build dependency to OpenSSL (libcrypto)
+
+             The integrity support for the properties file routines use
+             SHA-256 to build a hash of the keys and values of a property file.
+             The codes uses the EVP_DigestInit_ex, EVP_DigestUpdate, and
+             EVP_DigestFinal from the libcrypto library (OpenSSL).
+
+             Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
+             Reviewed-by: Hendrik Brueckner <brueckner@linux.ibm.com>
+             Signed-off-by: Jan Höppner <hoeppner@linux.ibm.com>
+
+
+Signed-off-by: Philipp Rudo <prudo@linux.ibm.com>
+---
+ README.md     |    6 ++++++
+ zkey/Makefile |   21 ++++++++++++++++++++-
+ 2 files changed, 26 insertions(+), 1 deletion(-)
+
+--- a/README.md
++++ b/README.md
+@@ -263,6 +263,7 @@ build options:
+ | ncurses    | `HAVE_NCURSES` | hyptop                                |
+ | pfm        | `HAVE_PFM`     | cpacfstats                            |
+ | net-snmp   | `HAVE_SNMP`    | osasnmpd                              |
++| openssl    | `HAVE_OPENSSL` | zkey                                  |
+ 
+ This table lists additional build or install options:
+ 
+@@ -365,3 +366,8 @@ the different tools are provided:
+   For running znetconf these programs are required:
+   - modprobe (kmod)
+   - vmcp (s390-tools)
++
++* zkey:
++  For building the zkey tools you need openssl version 0.9.7 or newer installed
++  (openssl-devel.rpm). Tip: you may skip the zkey build by adding
++  `HAVE_OPENSSL=0` to the make invocation.
+--- a/zkey/Makefile
++++ b/zkey/Makefile
+@@ -1,9 +1,26 @@
+ include ../common.mak
+ 
++ifeq (${HAVE_OPENSSL},0)
++
++all:
++	$(SKIP) HAVE_OPENSSL=0
++
++install:
++	$(SKIP) HAVE_OPENSSL=0
++
++else
++
++check_dep:
++	$(call check_dep, \
++		"zkey", \
++		"openssl/evp.h", \
++		"openssl-devel", \
++		"HAVE_OPENSSL=0")
++
+ CPPFLAGS += -I../include
+ LDLIBS += -ldl -lcrypto
+ 
+-all: zkey
++all: check_dep zkey
+ 
+ libs = $(rootdir)/libutil/libutil.a
+ 
+@@ -18,6 +35,8 @@ install: all
+ 	$(INSTALL) -d -m 755 $(DESTDIR)$(MANDIR)/man1
+ 	$(INSTALL) -m 644 -c zkey.1 $(DESTDIR)$(MANDIR)/man1
+ 
++endif
++
+ clean:
+ 	rm -f *.o zkey
+ 

s390-tools-sles15sp1-0003-zkey-Add-helper-functions-for-comma-separated-string.patch

@@ -0,0 +1,276 @@
+Subject: zkey: Add helper functions for comma separated string handling
+From: Philipp Rudo <prudo@linux.ibm.com>
+
+Summary:     zkey: Add support of protected key crypto for dm-crypt.
+Description: Support the usage of protected key crypto for dm-crypt disks in
+             plain format by providing a tool to manage a key repository
+             allowing to associate secure keys with disk partitions or logical
+             volumes.
+Upstream-ID: a090a1ffe8bc780059ebed99f19d32a2a6a3426d
+Problem-ID:  SEC1800
+
+Upstream-Description:
+
+             zkey: Add helper functions for comma separated string handling
+
+             Comma separated strings are used in property values to store
+             multiple values in one property. These helper functions allow to
+             work with such comma separated strings.
+
+             Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
+             Reviewed-by: Hendrik Brueckner <brueckner@linux.ibm.com>
+             Signed-off-by: Jan Höppner <hoeppner@linux.ibm.com>
+
+
+Signed-off-by: Philipp Rudo <prudo@linux.ibm.com>
+---
+ zkey/properties.c |  214 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ zkey/properties.h |   12 +++
+ 2 files changed, 226 insertions(+)
+
+--- a/zkey/properties.c
++++ b/zkey/properties.c
+@@ -38,6 +38,8 @@ struct property {
+ #define RESTRICTED_PROPERTY_NAME_CHARS   "=\n"
+ #define RESTRICTED_PROPERTY_VALUE_CHARS  "\n"
+ 
++#define RESTRICTED_STR_LIST_CHARS        ",\n"
++
+ static int openssl_initialized;
+ 
+ /**
+@@ -407,3 +409,215 @@ out:
+ 	fclose(fp);
+ 	return rc;
+ }
++
++/**
++ * Combines a list of strings into one comma separated string
++ *
++ * @param[in] strings    zero terminated array of pointers to C-strings
++ *
++ * @returns a new string. This must be freed by the caller when no longer used.
++ *          returns NULL if a string contains an invalid character.
++ */
++char *str_list_combine(const char **strings)
++{
++	unsigned int i, size;
++	char *str;
++
++	util_assert(strings != NULL, "Internal error: strings is NULL");
++
++	for (i = 0, size = 0; strings[i] != NULL; i++) {
++		if (strpbrk(strings[i], RESTRICTED_STR_LIST_CHARS) != NULL)
++			return NULL;
++
++		if (i > 0)
++			size += 1;
++		size += strlen(strings[i]);
++	}
++
++	str = util_zalloc(size + 1);
++	for (i = 0, size = 0; strings[i] != NULL; i++) {
++		if (i > 0)
++			strcat(str, ",");
++		strcat(str, strings[i]);
++	}
++
++	return str;
++}
++
++/**
++ * Splits a comma separated string into its parts
++ *
++ * @param[in] str_list   the comma separated string
++ *
++ * @returns a zero terminated array of pointers to C-strings. This array
++ *          and all individual C-Strings need to be freed bay the caller when
++ *          no longer used. This can be done using str_list_free_string_array().
++ */
++char **str_list_split(const char *str_list)
++{
++	unsigned int i, count;
++	char **list;
++	char *copy;
++	char *tok;
++
++	util_assert(str_list != NULL, "Internal error: str_list is NULL");
++
++	count = str_list_count(str_list);
++	list = util_zalloc((count + 1) * sizeof(char *));
++
++	copy = util_strdup(str_list);
++	tok = strtok(copy, ",");
++	i = 0;
++	while (tok != NULL) {
++		list[i] = util_strdup(tok);
++		i++;
++		tok = strtok(NULL, ",");
++	}
++
++	free(copy);
++	return list;
++}
++
++/**
++ * Count the number of parts a comma separated string contains
++ *
++ * param[in] str_list   the comma separated string
++ *
++ * @returns the number of parts
++ */
++unsigned int str_list_count(const char *str_list)
++{
++	unsigned int i, count;
++
++	util_assert(str_list != NULL, "Internal error: str_list is NULL");
++
++	if (strlen(str_list) == 0)
++		return 0;
++
++	for (i = 0, count = 1; str_list[i] != '\0'; i++)
++		if (str_list[i] == ',')
++			count++;
++	return count;
++}
++
++/**
++ * Find a string in a comma separated string
++ *
++ * @param str_list     the comma separated string.
++ * @param str          the string to find
++ *
++ * @returns a pointer to the string within the comma separated string,
++ *          or NULL if the string was not found
++ *
++ */
++static char *str_list_find(const char *str_list, const char *str)
++{
++	char *before;
++	char *after;
++	char *ch;
++
++	ch = strstr(str_list, str);
++	if (ch == NULL)
++		return NULL;
++
++	if (ch != str_list) {
++		before = ch - 1;
++		if (*before != ',')
++			return NULL;
++	}
++
++	after = ch + strlen(str);
++	if (*after != ',' && *after != '\0')
++		return NULL;
++
++	return ch;
++}
++
++/**
++ * Appends a string to a comma separated string
++ *
++ * @param str_list     the comma separated string.
++ * @param str          the string to add
++ *
++ * @returns a new comma separated string. This must be freed by the caller when
++ *          no longer used. If the string to add is already contained in the
++ *          comma separated list, it is not added and NULL is returned.
++ *          If the string to be added contains a comma, NULL is returned.
++ */
++char *str_list_add(const char *str_list, const char *str)
++{
++	char *ret;
++
++	util_assert(str_list != NULL, "Internal error: str_list is NULL");
++	util_assert(str != NULL, "Internal error: str is NULL");
++
++	if (strpbrk(str, RESTRICTED_STR_LIST_CHARS) != NULL)
++		return NULL;
++
++	if (str_list_find(str_list, str))
++		return NULL;
++
++	ret = util_zalloc(strlen(str_list) + 1 + strlen(str) + 1);
++	strcpy(ret, str_list);
++	if (strlen(str_list) > 0)
++		strcat(ret, ",");
++	strcat(ret, str);
++
++	return ret;
++}
++
++/**
++ * Removes a string from a comma separated string
++ *
++ * @param str_list     the comma separated string.
++ * @param str          the string to remove
++ *
++ * @returns a new comma separated string. This must be freed by the caller when
++ *          no longer used. If the string to remove is not found in the
++ *          comma separated string, NULL is returned
++ */
++char *str_list_remove(const char *str_list, const char *str)
++{
++	char *after;
++	char *ret;
++	char *ch;
++
++	util_assert(str_list != NULL, "Internal error: str_list is NULL");
++	util_assert(str != NULL, "Internal error: str is NULL");
++
++	ch = str_list_find(str_list, str);
++	if (ch == NULL)
++		return NULL;
++
++	after = ch + strlen(str);
++	if (*after == ',') {
++		/* there are more parts after the one to remove */
++		ret = util_zalloc(strlen(str_list) - strlen(str) - 1 + 1);
++		strncpy(ret, str_list, ch - str_list);
++		strcat(ret, after + 1);
++	} else if (ch == str_list) {
++		/* removing the one and only part -> empty string */
++		ret = util_zalloc(1);
++	} else {
++		/* there are no more parts after the one to remove */
++		ret = util_zalloc(strlen(str_list) - strlen(str) - 1 + 1);
++		strncpy(ret, str_list, ch - 1 - str_list);
++	}
++
++	return ret;
++}
++
++/**
++ * Frees a string array (as produced by str_list_split())
++ *
++ * @param strings a NULL terminated array of pointers to C-Strings.
++ */
++void str_list_free_string_array(char **strings)
++{
++	util_assert(strings != NULL, "Internal error: strings is NULL");
++
++	while (*strings != NULL) {
++		free((void *)*strings);
++		strings++;
++	}
++}
+--- a/zkey/properties.h
++++ b/zkey/properties.h
+@@ -33,4 +33,16 @@ int properties_save(struct properties *p
+ int properties_load(struct properties *properties, const char *filename,
+ 		    bool check_integrity);
+ 
++char *str_list_combine(const char **strings);
++
++char **str_list_split(const char *str_list);
++
++unsigned int str_list_count(const char *str_list);
++
++char *str_list_add(const char *str_list, const char *str);
++
++char *str_list_remove(const char *str_list, const char *str);
++
++void str_list_free_string_array(char **strings);
++
+ #endif

s390-tools-sles15sp1-0007-zkey-Create-key-repository-and-group-during-make-ins.patch

@@ -0,0 +1,40 @@
+Subject: zkey: Create key repository and group during make install
+From: Philipp Rudo <prudo@linux.ibm.com>
+
+Summary:     zkey: Add support of protected key crypto for dm-crypt.
+Description: Support the usage of protected key crypto for dm-crypt disks in
+             plain format by providing a tool to manage a key repository
+             allowing to associate secure keys with disk partitions or logical
+             volumes.
+Upstream-ID: 6a2f4fd3760420e11b23db13f8b736f87764d409
+Problem-ID:  SEC1800
+
+Upstream-Description:
+
+             zkey: Create key repository and group during make install
+
+             Create the default keystore directory '/etc/zkey/repository'
+             and the user group 'zkeyadm' during make install.
+
+             Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
+             Reviewed-by: Hendrik Brueckner <brueckner@linux.ibm.com>
+             Signed-off-by: Jan Höppner <hoeppner@linux.ibm.com>
+
+
+Signed-off-by: Philipp Rudo <prudo@linux.ibm.com>
+---
+ zkey/Makefile |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/zkey/Makefile
++++ b/zkey/Makefile
+@@ -36,6 +36,9 @@ install: all
+ 	$(INSTALL) -g $(GROUP) -o $(OWNER) -m 755 zkey $(DESTDIR)$(USRBINDIR)
+ 	$(INSTALL) -d -m 755 $(DESTDIR)$(MANDIR)/man1
+ 	$(INSTALL) -m 644 -c zkey.1 $(DESTDIR)$(MANDIR)/man1
++	getent group zkeyadm >/dev/null || groupadd -r zkeyadm
++	$(INSTALL) -d -g zkeyadm -m 770 $(DESTDIR)$(SYSCONFDIR)/zkey
++	$(INSTALL) -d -g zkeyadm -m 770 $(DESTDIR)$(SYSCONFDIR)/zkey/repository
+ 
+ endif
+ 

s390-tools-sles15sp1-0009-zkey-let-packaging-create-the-zkeyadm-group-and-perm.patch

@@ -0,0 +1,38 @@
+Subject: zkey: let packaging create the zkeyadm group and permission setup
+From: Philipp Rudo <prudo@linux.ibm.com>
+
+Summary:     zkey: Add support of protected key crypto for dm-crypt.
+Description: Support the usage of protected key crypto for dm-crypt disks in
+             plain format by providing a tool to manage a key repository
+             allowing to associate secure keys with disk partitions or logical
+             volumes.
+Upstream-ID: 3eb9af9c97c98e9f9665af1c5e671266400aaafc
+Problem-ID:  SEC1800
+
+Upstream-Description:
+
+             zkey: let packaging create the zkeyadm group and permission setup
+
+             Signed-off-by: Hendrik Brueckner <brueckner@linux.ibm.com>
+             Signed-off-by: Jan Höppner <hoeppner@linux.ibm.com>
+
+
+Signed-off-by: Philipp Rudo <prudo@linux.ibm.com>
+---
+ zkey/Makefile |    5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/zkey/Makefile
++++ b/zkey/Makefile
+@@ -36,9 +36,8 @@ install: all
+ 	$(INSTALL) -g $(GROUP) -o $(OWNER) -m 755 zkey $(DESTDIR)$(USRBINDIR)
+ 	$(INSTALL) -d -m 755 $(DESTDIR)$(MANDIR)/man1
+ 	$(INSTALL) -m 644 -c zkey.1 $(DESTDIR)$(MANDIR)/man1
+-	getent group zkeyadm >/dev/null || groupadd -r zkeyadm
+-	$(INSTALL) -d -g zkeyadm -m 770 $(DESTDIR)$(SYSCONFDIR)/zkey
+-	$(INSTALL) -d -g zkeyadm -m 770 $(DESTDIR)$(SYSCONFDIR)/zkey/repository
++	$(INSTALL) -d -m 770 $(DESTDIR)$(SYSCONFDIR)/zkey
++	$(INSTALL) -d -m 770 $(DESTDIR)$(SYSCONFDIR)/zkey/repository
+ 
+ endif
+ 

s390-tools-sles15sp1-0010-zkey-Update-README-to-add-info-about-packaging-requi.patch

@@ -0,0 +1,34 @@
+Subject: zkey: Update README to add info about packaging requirements
+From: Philipp Rudo <prudo@linux.ibm.com>
+
+Summary:     zkey: Add support of protected key crypto for dm-crypt.
+Description: Support the usage of protected key crypto for dm-crypt disks in
+             plain format by providing a tool to manage a key repository
+             allowing to associate secure keys with disk partitions or logical
+             volumes.
+Upstream-ID: 80b66da1d81793232646d2504c4d4c0ec94170f1
+Problem-ID:  SEC1800
+
+Upstream-Description:
+
+             zkey: Update README to add info about packaging requirements
+
+             Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
+             Signed-off-by: Jan Höppner <hoeppner@linux.ibm.com>
+
+
+Signed-off-by: Philipp Rudo <prudo@linux.ibm.com>
+---
+ README.md |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/README.md
++++ b/README.md
+@@ -371,3 +371,7 @@ the different tools are provided:
+   For building the zkey tools you need openssl version 0.9.7 or newer installed
+   (openssl-devel.rpm). Tip: you may skip the zkey build by adding
+   `HAVE_OPENSSL=0` to the make invocation.
++  A new group 'zkeyadm' needs to be created and all users intending to use the
++  tool must be added to this group. The owner of the default key repository
++  '/etc/zkey/repository' must be set to group 'zkeyadm' with write permission
++  for this group.

s390-tools-sles15sp1-0011-zkey-Typo-in-message.patch

@@ -0,0 +1,34 @@
+Subject: zkey: Typo in message
+From: Ingo Franzki <ifranzki@linux.ibm.com>
+
+Summary: zkey: Support CCA master key change with LUKS2 volumes using paes     
+Description: Support the usage of protected key crypto for dm-crypt disks in
+             LUKS2 format by providing a tool allowing to re-encipher a 
+             secure LUKS2 volume key when the CCA master key is changed
+Upstream-ID: dec58c349e794f6333771457d9dcb9c0768fe28e
+Problem-ID:  SEC1424.1
+
+Upstream-Description:
+
+             zkey: Typo in message
+
+             Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
+             Signed-off-by: Jan Höppner <hoeppner@linux.ibm.com>
+
+
+Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
+---
+ zkey/keystore.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/zkey/keystore.c
++++ b/zkey/keystore.c
+@@ -2319,7 +2319,7 @@ static int _keystore_process_reencipher(
+ 
+ 	if (params.complete) {
+ 		if (!_keystore_reencipher_key_exists(file_names)) {
+-			warnx("Staged re-enciphering in not pending for key "
++			warnx("Staged re-enciphering is not pending for key "
+ 			      "'%s', skipping",
+ 			      name);
+ 			info->num_skipped++;

s390-tools-sles15sp1-0012-zkey-Fix-memory-leak.patch

@@ -0,0 +1,102 @@
+Subject: zkey: Fix memory leak
+From: Ingo Franzki <ifranzki@linux.ibm.com>
+
+Summary: zkey: Support CCA master key change with LUKS2 volumes using paes     
+Description: Support the usage of protected key crypto for dm-crypt disks in
+             LUKS2 format by providing a tool allowing to re-encipher a 
+             secure LUKS2 volume key when the CCA master key is changed
+Upstream-ID: d6a96f07c1a0ba9b1a559561698f82f5a19829ff
+Problem-ID:  SEC1424.1
+
+Upstream-Description:
+
+             zkey: Fix memory leak
+
+             The APQN check routine as well as the properties helper functions
+             do not free all memory that they allocated.
+
+             Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
+             Signed-off-by: Jan Höppner <hoeppner@linux.ibm.com>
+
+
+Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
+---
+ zkey/keystore.c   |   22 +++++++++++++++-------
+ zkey/properties.c |    5 +++++
+ 2 files changed, 20 insertions(+), 7 deletions(-)
+
+--- a/zkey/keystore.c
++++ b/zkey/keystore.c
+@@ -981,25 +981,33 @@ static int _keystore_apqn_check(const ch
+ 	rc = regexec(&reg_buf, apqn, (size_t) 1, pmatch, 0);
+ 	if (rc != 0) {
+ 		warnx("the APQN '%s' is not valid", apqn);
+-		return -EINVAL;
++		rc = -EINVAL;
++		goto out;
+ 	}
+ 
+-	if (sscanf(apqn, "%x.%x", &card, &domain) != 2)
+-		return -EINVAL;
++	if (sscanf(apqn, "%x.%x", &card, &domain) != 2) {
++		rc = -EINVAL;
++		goto out;
++	}
+ 
+ 	util_asprintf(normalized, "%02x.%04x", card, domain);
+ 
+-	if (remove)
+-		return 0;
++	if (remove) {
++		rc = 0;
++		goto out;
++	}
+ 
+ 	rc = _keystore_is_apqn_online(card, domain);
+ 	if (rc != 1) {
+ 		warnx("The APQN %02x.%04x is %s", card, domain,
+ 		      rc == -1 ? "not a CCA card" : "not online");
+-		return -EIO;
++		rc = -EIO;
++		goto out;
+ 	}
+ 
+-	return 0;
++out:
++	regfree(&reg_buf);
++	return rc;
+ }
+ 
+ 
+--- a/zkey/properties.c
++++ b/zkey/properties.c
+@@ -149,6 +149,7 @@ void properties_free(struct properties *
+ 		free(property->name);
+ 		free(property->value);
+ 		util_list_remove(&properties->list, property);
++		free(property);
+ 	}
+ 
+ 	free(properties);
+@@ -259,6 +260,7 @@ int properties_remove(struct properties
+ 	free(property->name);
+ 	free(property->value);
+ 	util_list_remove(&properties->list, property);
++	free(property);
+ 	return 0;
+ }
+ 
+@@ -614,10 +616,13 @@ char *str_list_remove(const char *str_li
+  */
+ void str_list_free_string_array(char **strings)
+ {
++	char **list = strings;
++
+ 	util_assert(strings != NULL, "Internal error: strings is NULL");
+ 
+ 	while (*strings != NULL) {
+ 		free((void *)*strings);
+ 		strings++;
+ 	}
++	free(list);
+ }

s390-tools-sles15sp1-0013-zkey-Fix-APQN-validation-routine.patch

@@ -0,0 +1,47 @@
+Subject: zkey: Fix APQN validation routine
+From: Ingo Franzki <ifranzki@linux.ibm.com>
+
+Summary: zkey: Support CCA master key change with LUKS2 volumes using paes     
+Description: Support the usage of protected key crypto for dm-crypt disks in
+             LUKS2 format by providing a tool allowing to re-encipher a 
+             secure LUKS2 volume key when the CCA master key is changed
+Upstream-ID: 344965bd296f434ccbd9ad5b16427590b988d480
+Problem-ID:  SEC1424.1
+
+Upstream-Description:
+
+             zkey: Fix APQN validation routine
+
+             When a zkey generate or change command is used to associate one
+             or multiple APQNs the command succeeds, but no key is generated
+             and no APQNs are associated, because the return code returned by
+             _keystore_apqn_check() is wrong.
+
+             Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
+             Signed-off-by: Jan Höppner <hoeppner@linux.ibm.com>
+
+
+Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
+---
+ zkey/keystore.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/zkey/keystore.c
++++ b/zkey/keystore.c
+@@ -986,6 +986,7 @@ static int _keystore_apqn_check(const ch
+ 	}
+ 
+ 	if (sscanf(apqn, "%x.%x", &card, &domain) != 2) {
++		warnx("the APQN '%s' is not valid", apqn);
+ 		rc = -EINVAL;
+ 		goto out;
+ 	}
+@@ -1003,6 +1004,8 @@ static int _keystore_apqn_check(const ch
+ 		      rc == -1 ? "not a CCA card" : "not online");
+ 		rc = -EIO;
+ 		goto out;
++	} else {
++		rc = 0;
+ 	}
+ 
+ out:

s390-tools-sles15sp1-0014-zkey-Fix-generate-and-import-leaving-key-in-an-incon.patch

@@ -0,0 +1,47 @@
+Subject: zkey: Fix generate and import leaving key in an inconsistent state
+From: Ingo Franzki <ifranzki@linux.ibm.com>
+
+Summary: zkey: Support CCA master key change with LUKS2 volumes using paes     
+Description: Support the usage of protected key crypto for dm-crypt disks in
+             LUKS2 format by providing a tool allowing to re-encipher a 
+             secure LUKS2 volume key when the CCA master key is changed
+Upstream-ID: 672548ce30f61e94c8465a560a54a4a8fe568c06
+Problem-ID:  SEC1424.1
+
+Upstream-Description:
+
+             zkey: Fix generate and import leaving key in an inconsistent state
+
+             When a volume or APQN association is made while generating or
+             importing a key, and a duplicate association is detected, then
+             this may leave the key in an inconsistent state.
+
+             Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
+             Signed-off-by: Jan Höppner <hoeppner@linux.ibm.com>
+
+
+Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
+---
+ zkey/keystore.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/zkey/keystore.c
++++ b/zkey/keystore.c
+@@ -1534,7 +1534,7 @@ int keystore_generate_key(struct keystor
+ out_free_props:
+ 	if (key_props != NULL)
+ 		properties_free(key_props);
+-	if (rc != 0 && rc != -EEXIST)
++	if (rc != 0)
+ 		remove(file_names.skey_filename);
+ out_free_key_filenames:
+ 	_keystore_free_key_filenames(&file_names);
+@@ -1617,7 +1617,7 @@ int keystore_import_key(struct keystore
+ out_free_props:
+ 	if (key_props != NULL)
+ 		properties_free(key_props);
+-	if (rc != 0 && rc != -EEXIST)
++	if (rc != 0)
+ 		remove(file_names.skey_filename);
+ out_free_key_filenames:
+ 	_keystore_free_key_filenames(&file_names);

s390-tools-sles15sp1-0016-zkey-Add-man-page-for-zkey-cryptsetup.patch

@@ -0,0 +1,443 @@
+Subject: zkey: Add man page for zkey-cryptsetup
+From: Ingo Franzki <ifranzki@linux.ibm.com>
+
+Summary: zkey: Support CCA master key change with LUKS2 volumes using paes     
+Description: Support the usage of protected key crypto for dm-crypt disks in
+             LUKS2 format by providing a tool allowing to re-encipher a 
+             secure LUKS2 volume key when the CCA master key is changed
+Upstream-ID: 5e65df7375aec81d9348a57cdcbccb89a65422c3
+Problem-ID:  SEC1424.1
+
+Upstream-Description:
+
+             zkey: Add man page for zkey-cryptsetup
+
+             Add documentation for the new zkey-cryptsetup tool
+
+             Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
+             Reviewed-by: Hendrik Brueckner <brueckner@linux.ibm.com>
+             Signed-off-by: Jan Höppner <hoeppner@linux.ibm.com>
+
+
+Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
+---
+ zkey/Makefile          |    1 
+ zkey/zkey-cryptsetup.1 |  403 +++++++++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 404 insertions(+)
+
+--- a/zkey/Makefile
++++ b/zkey/Makefile
+@@ -42,6 +42,7 @@ install: all
+ 	$(INSTALL) -g $(GROUP) -o $(OWNER) -m 755 zkey-cryptsetup $(DESTDIR)$(USRBINDIR)
+ 	$(INSTALL) -d -m 755 $(DESTDIR)$(MANDIR)/man1
+ 	$(INSTALL) -m 644 -c zkey.1 $(DESTDIR)$(MANDIR)/man1
++	$(INSTALL) -m 644 -c zkey-cryptsetup.1 $(DESTDIR)$(MANDIR)/man1
+ 	$(INSTALL) -d -m 770 $(DESTDIR)$(SYSCONFDIR)/zkey
+ 	$(INSTALL) -d -m 770 $(DESTDIR)$(SYSCONFDIR)/zkey/repository
+ 
+--- /dev/null
++++ b/zkey/zkey-cryptsetup.1
+@@ -0,0 +1,403 @@
++.\" Copyright IBM Corp. 2018
++.\" s390-tools is free software; you can redistribute it and/or modify
++.\" it under the terms of the MIT license. See LICENSE for details.
++.\"
++.TH ZKEY\-CRYPTSETUP 1 "May 2018" "s390-tools"
++.SH NAME
++zkey\-cryptsetup \- Manage secure AES volume keys of volumes encrypted with
++\fBLUKS2\fP and the \fBpaes\fP cipher
++.
++.
++.SH SYNOPSIS
++.B zkey\-cryptsetup
++.I command
++.I device
++.RI [ OPTIONS ]
++.
++.PP
++.B zkey\-cryptsetup
++.RI [ command ]
++.BR \-\-help | \-h
++.br
++.B zkey\-cryptsetup
++.BR \-\-version | \-v
++.
++.
++.
++.SH DESCRIPTION
++Use \fBzkey\-cryptsetup\fP to validate and re-encipher secure AES
++volume keys of volumes encrypted with \fBLUKS2\fP and the \fBpaes\fP cipher.
++These secure AES volume keys are enciphered with a master key of an IBM
++cryptographic adapter in CCA coprocessor mode.
++.PP
++To encrypt a volume using \fBLUKS2\fP and the \fBpaes\fP cipher, generate a
++secure AES key using \fBzkey\fP: \fB'zkey generate luks.key --xts'\fP.
++Then format the device with \fBcryptsetup\fP using the just generated secure
++AES key from file luks.key: \fB'cryptsetup luksFormat <device> --type luks2
++--cipher paes-xts-plain64 --master-key-file luks.key --key-size 1024'\fP. For
++more details about \fBzkey\fP or \fBcryptsetup\fP see the
++corresponding man pages.
++.
++.
++.
++.SH COMMANDS
++.
++.
++.SS "Validate secure AES volume keys"
++.
++.B zkey\-cryptsetup
++.BR validate | val
++.I device
++.RB [ \-\-key\-file | \-d
++.IR file-name ]
++.RB [ \-\-keyfile\-offset | \-o
++.IR bytes ]
++.RB [ \-\-keyfile\-size | \-l
++.IR bytes ]
++.RB [ \-\-tries | \-T
++.IR number ]
++.RB [ \-\-verbose | \-V ]
++.RB [ \-\-debug | \-D ]
++.PP
++Use the
++.B validate
++command to validate a secure AES volume key of a volume encrypted with
++\fBLUKS2\fP and the \fBpaes\fP cipher.
++It checks if the LUKS2 header of the volume contains a valid secure key.
++It also displays the attributes of the secure key, such as key size, whether
++it is a secure key that can be used for the XTS cipher mode, and the master key
++register (CURRENT or OLD) with which the secure key is enciphered.
++For further information about master key registers, see the
++\fBreencipher\fP command.
++.PP
++To open a key slot contained in the LUKS2 header of the volume, a passphrase is
++required. You are prompted for the passphrase, unless option
++.B \-\-key\-file
++is specified. Option
++.B \-\-tries
++specifies how often a passphrase can be re-entered. When option
++.B \-\-key\-file
++is specified, the passphrase is read from the specified file. You can specify
++options
++.B \-\-keyfile\-offset
++and
++.B \-\-keyfile\-size
++to control which part of the key file is used as passphrase. These options
++behave in the same way as with \fBcryptsetup\fP.
++.
++.SS "Re-encipher secure AES volume keys"
++.
++.PP
++.B zkey\-cryptsetup
++.BR reencipher | re
++.I device
++.RB [ \-\-staged | \-s ]
++.RB [ \-\-in\-place | \-i ]
++.RB [ \-\-complete | \-c ]
++.RB [ \-\-key\-file | \-d
++.IR file-name ]
++.RB [ \-\-keyfile\-offset | \-o
++.IR bytes ]
++.RB [ \-\-keyfile\-size | \-l
++.IR bytes ]
++.RB [ \-\-tries | \-T
++.IR number ]
++.RB [ \-\-verbose | \-V ]
++.RB [ \-\-debug | \-D ]
++.PP
++Use the
++.B reencipher
++command to re-encipher a secure AES volume key of a volume encrypted with
++\fBLUKS2\fP and the \fBpaes\fP cipher. A secure AES volume key must be
++re-enciphered when the master key of the cryptographic adapter in CCA
++coprocessor mode changes.
++.PP
++The cryptographic adapter in CCA coprocessor mode has three different registers
++to store master keys:
++.RS 2
++.IP "\(bu" 2
++The \fBCURRENT\fP register contains the current master key.
++.
++.IP "\(bu" 2
++The \fBOLD\fP register contains the previously used master key.
++Secure keys enciphered with the master key contained in the \fBOLD\fP
++register can still be used until the master key is changed again.
++.
++.IP "\(bu" 2
++The \fBNEW\fP register contains the new master key to be set.
++The master key in the \fBNEW\fP register cannot be used until it is made
++the current master key. You can pro-actively re-encipher a secure key with the
++\fBNEW\fP master key before this key is made the \fBCURRENT\fP key.
++.RE
++.PP
++\fBzkey\-cryptsetup\fP automatically detects whether the secure volume key
++is currently enciphered with the master key in the \fBOLD\fP register or with
++the master key in the \fBCURRENT\fP register. If currently enciphered with the
++master key in the \fBOLD\fP register, it is re-enciphered with the master key
++in the \fBCURRENT\fP register. If it is currently enciphered with the master
++key in the \fBCURRENT\fP register, it is re-enciphered with the master key in
++the \fBNEW\fP register. If for this case the \fBNEW\fP register does not
++contain a valid master key, then the re-encipher operation fails.
++.PP
++Re-enciphering a secure volume key of a volume encrypted with
++\fBLUKS2\fP and the \fBpaes\fP cipher can be performed \fBin-place\fP, or in
++\fBstaged\fP mode.
++.PP
++\fB"In-place"\fP immediately replaces the secure volume key in the LUKS2
++header of the encrypted volume with the re-enciphered secure volume key.
++Re-enciphering from \fBOLD\fP to \fBCURRENT\fP is performed in-place per
++default. You can use option \fB--in-place\fP to force an in-place
++re-enciphering for the \fBCURRENT\fP to \fBNEW\fP case. Be aware that
++an encrypted volume with a secure volume key that was re-enciphered in-place
++from \fBCURRENT\fP to \fBNEW\fP is no longer usable, until the new CCA master
++key has been made the current one.
++.PP
++\fBStaged\fP mode means that the re-enciphered secure volume key is stored in a
++separate (unbound) key slot in the LUKS2 header of the encrypted volume. Thus
++all key slots containing the current secure volume key are still valid at this
++point. Once the new CCA master key has been set (made active), you must rerun
++the reencipher command with option \fB--complete\fP to complete the staged
++re-enciphering. When completing the staged re-enciphering, the (unbound) key
++slot containing the re-enciphered secure volume key becomes the active
++key slot and, optionally, all key slots containing the old secure volume key
++are removed.
++Re-enciphering from \fBCURRENT\fP to \fBNEW\fP is performed in staged mode per
++default. You can use option \fB--staged\fP to force a staged re-enciphering for
++the \fBOLD\fP to \fBCURRENT\fP case.
++.PP
++To open a key slot contained in the LUKS2 header of the volume, a passphrase is
++required. You are prompted for the passphrase, unless option
++.B \-\-key\-file
++is specified. Option
++.B \-\-tries
++specifies how often a passphrase can be re-entered. When option
++.B \-\-key\-file
++is specified, the passphrase is read from the specified file. You can specify
++options
++.B \-\-keyfile\-offset
++and
++.B \-\-keyfile\-size
++to control which part of the key file is used as passphrase. These options
++behave in the same way as with \fBcryptsetup\fP.
++.PP
++.B Note:
++The \fBreencipher\fP command requires the CCA host library (libcsulcca.so)
++to be installed.
++.
++.
++.
++.SS "Set a verification pattern of the secure AES volume key"
++.
++.B zkey\-cryptsetup
++.BR setvp | setv
++.I device
++.RB [ \-\-key\-file | \-d
++.IR file-name ]
++.RB [ \-\-keyfile\-offset | \-o
++.IR bytes ]
++.RB [ \-\-keyfile\-size | \-l
++.IR bytes ]
++.RB [ \-\-tries | \-T
++.IR number ]
++.RB [ \-\-verbose | \-V ]
++.RB [ \-\-debug | \-D ]
++.PP
++Use the
++.B setvp
++command to set a verification pattern of the secure AES volume key of a volume
++encrypted with \fBLUKS2\fP and the \fBpaes\fP cipher. The verification pattern
++identifies the effective key used to encrypt the volume's data.
++The verification pattern is stored in a token named
++\fBpaes-verification-pattern\fP in the LUKS2 header.
++.PP
++.B Note:
++Set the verification pattern right after formatting the volume using
++\fB'cryptsetup luksFormat'\fP.
++.PP
++To open a key slot contained in the LUKS2 header of the volume, a passphrase is
++required. You are prompted for the passphrase, unless option
++.B \-\-key\-file
++is specified. Option
++.B \-\-tries
++specifies how often a passphrase can be re-entered. When option
++.B \-\-key\-file
++is specified, the passphrase is read from the specified file. You can specify
++options
++.B \-\-keyfile\-offset
++and
++.B \-\-keyfile\-size
++to control which part of the key file is used as passphrase. These options
++behave in the same way as with \fBcryptsetup\fP.
++.
++.
++.
++.SS "Set a new secure AES volume key for a volume"
++.
++.B zkey\-cryptsetup
++.BR setkey | setk
++.I device
++.BR \-\-master\-key\-file | \-m
++.IR file-name
++.RB [ \-\-key\-file | \-d
++.IR file-name ]
++.RB [ \-\-keyfile\-offset | \-o
++.IR bytes ]
++.RB [ \-\-keyfile\-size | \-l
++.IR bytes ]
++.RB [ \-\-tries | \-T
++.IR number ]
++.RB [ \-\-verbose | \-V ]
++.RB [ \-\-debug | \-D ]
++.PP
++Use the
++.B setkey
++command to set a new secure AES volume key for a volume encrypted with
++\fBLUKS2\fP and the \fBpaes\fP cipher. Use this command to recover from an
++invalid secure AES volume key contained in the LUKS2 header.
++A secure AES volume key contained in the LUKS2 header can become invalid when
++the CCA master key is changed without re-enciphering the secure volume key.
++.PP
++You can recover the secure volume key only if you have a copy of the secure key
++in a file, and this copy was re-enciphered when the CCA master key has been
++changed. Thus, the copy of the secure key must be currently enciphered with the
++CCA master key in the CURRENT or OLD master key register.
++Specify the secure key file with option
++.B \-\-master\-key\-file
++to set this secure key as the new volume key.
++.PP
++In case the LUKS2 header of the volume contains a verification pattern token,
++it is used to ensure that the new volume key contains the same effective key.
++If no verification pattern token is available, then you are prompted to confirm
++that the specified secure key is the correct one.
++.B ATTENTION:
++If you set a wrong secure key you will loose all the data on the encrypted
++volume!
++.PP
++To open a key slot contained in the LUKS2 header of the volume, a passphrase is
++required. You are prompted for the passphrase, unless option
++.B \-\-key\-file
++is specified. Option
++.B \-\-tries
++specifies how often a passphrase can be re-entered. When option
++.B \-\-key\-file
++is specified, the passphrase is read from the specified file. You can specify
++options
++.B \-\-keyfile\-offset
++and
++.B \-\-keyfile\-size
++to control which part of the key file is used as passphrase. These options
++behave in the same way the same as with \fBcryptsetup\fP.
++.
++.
++.
++.
++.SH OPTIONS
++.
++.SS "Options for the reencipher command"
++.TP
++.BR \-i ", " \-\-in-place
++Forces an in-place re-enciphering of a secure volume key in the LUKS2
++header. This option immediately replaces the secure volume key in the LUKS2
++header of the encrypted volume with the re-enciphered secure volume key.
++Re-enciphering from \fBOLD\fP to \fBCURRENT\fP is performed in-place per
++default.
++.TP
++.BR \-s ", " \-\-staged
++Forces that the re-enciphering of a secure volume key in the LUKS2
++header is performed in staged mode. Staged mode means that the re-enciphered
++secure volume key is stored in a separate (unbound) key slot in the LUKS2
++header of the encrypted volume. Thus all key slots containing the current
++secure volume key are still valid at this point. Once the new CCA master key
++has been set (made active), you must rerun the reencipher command with option
++\fB--complete\fP to complete the staged re-enciphering. Re-enciphering from
++\fBCURRENT\fP to \fBNEW\fP is performed in staged mode per default.
++.TP
++.BR \-p ", " \-\-complete
++Completes a staged re-enciphering. Use this option after the new CCA master key
++has been set (made active). When completing the staged re-enciphering, the
++(unbound) key slot containing the re-enciphered secure volume key becomes
++the active key slot and, optionally, all key slots containing the old secure
++volume key are removed.
++.
++.
++.
++.SS "Options for the setkey command"
++.TP
++.BR \-m ", " \-\-master\-key\-file\~\fIfile\-name\fP
++Specifies the name of a file containing the secure AES key that is set as the
++new volume key.
++.
++.
++.
++.SS "Options for supplying the passphrase"
++.TP
++.BR \-d ", " \-\-key\-file\~\fIfile\-name\fP
++Reads the passphrase from the specified file. If this option is omitted,
++or if the file\-name is \fI-\fP (a dash), then you are prompted to enter the
++passphrase interactively.
++.TP
++.BR \-o ", " \-\-keyfile\-offset\~\fIbytes\fP
++Specifies the number of bytes to skip before starting to read in the file
++specified with option \fB\-\-key\-file\fP. If omitted, the file is read
++from the beginning. When option \fB\-\-key\-file\fP is not specified, this
++option is ignored.
++.TP
++.BR \-l ", " \-\-keyfile\-size\~\fIbytes\fP
++Specifies the number of bytes to be read from the beginning of the file
++specified with option \fB\-\-key\-file\fP. If omitted, the file is read
++until the end. When \fB\-\-keyfile\-offset\fP is also specified, reading starts
++at the offset. When option \fB\-\-key\-file\fP is not specified, this option is
++ignored.
++.TP
++.BR \-T ", " \-\-tries\~\fInumber\fP
++Specifies how often the interactive input of the passphrase can be re-entered.
++The default is 3 times. When option \fB\-\-key\-file\fP is specified, this
++option is ignored, and the passphrase is read only once from the file.
++.
++.
++.
++.SS "General options"
++.TP
++.BR \-V ", " \-\-verbose
++Displays additional information messages during processing.
++.TP
++.BR \-D ", " \-\-debug
++Displays additional debugging messages during processing. This option also
++implies \fB\-\-verbose\fP.
++.TP
++.BR \-h ", " \-\-help
++Displays help text and exits.
++.TP
++.BR \-v ", " \-\-version
++Displays version information and exits.
++.
++.
++.
++.SH EXAMPLES
++.TP
++.B zkey-cryptsetup reencipher /dev/dasdd1
++Re-enciphers the secure volume key of the encrypted volume /dev/dasdd1.
++.TP
++.B zkey-cryptsetup reencipher /dev/dasdd1 \-\-staged
++Re-enciphers the secure volume key of the encrypted volume /dev/dasdd1 in
++staged mode.
++.TP
++.B zkey-cryptsetup reencipher /dev/dasdd1 \-\-complete
++Completes re-enciphers the secure volume key of the encrypted
++volume /dev/dasdd1.
++.TP
++.B zkey-cryptsetup reencipher /dev/dasdd1 \-\-in\-place
++Re-enciphers the secure volume key of the encrypted volume /dev/dasdd1 in
++in-place mode.
++.TP
++.B zkey-cryptsetup validate /dev/dasdd1
++Validates the secure volume key of the encrypted volume /dev/dasdd1 and
++displays its attributes.
++.TP
++.B zkey-cryptsetup setvp /dev/dasdd1
++Sets the verification pattern of the secure volume key of the encrypted
++volume /dev/dasdd1.
++.TP
++.B zkey-cryptsetup setkey /dev/dasdd1 --master-key-file seckey.key
++Sets the secure key contained in file seckey.key as the new volume key
++for the encrypted volume /dev/dasdd1.

s390-tools-sles15sp1-0017-zkey-Add-build-dependency-for-libcryptsetup-and-json.patch

@@ -0,0 +1,188 @@
+Subject: zkey: Add build dependency for libcryptsetup and json-c
+From: Ingo Franzki <ifranzki@linux.ibm.com>
+
+Summary: zkey: Support CCA master key change with LUKS2 volumes using paes     
+Description: Support the usage of protected key crypto for dm-crypt disks in
+             LUKS2 format by providing a tool allowing to re-encipher a 
+             secure LUKS2 volume key when the CCA master key is changed
+Upstream-ID: 818ffbc4b05783851cc12682d3d8ad6b99312d63
+Problem-ID:  SEC1424.1
+
+Upstream-Description:
+
+             zkey: Add build dependency for libcryptsetup and json-c
+
+             The zkey-cryptsetup tool has a build dependency to
+             libcryptsetup version 2.0.3 or later, and json-c.
+
+             Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
+             Reviewed-by: Hendrik Brueckner <brueckner@linux.ibm.com>
+             Signed-off-by: Jan Höppner <hoeppner@linux.ibm.com>
+
+
+Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
+---
+ README.md     |    9 ++++--
+ common.mak    |    3 +-
+ zkey/Makefile |   84 +++++++++++++++++++++++++++++++++++++++++++---------------
+ 3 files changed, 72 insertions(+), 24 deletions(-)
+
+--- a/README.md
++++ b/README.md
+@@ -264,6 +264,8 @@ build options:
+ | pfm        | `HAVE_PFM`     | cpacfstats                            |
+ | net-snmp   | `HAVE_SNMP`    | osasnmpd                              |
+ | openssl    | `HAVE_OPENSSL` | zkey                                  |
++| cryptsetup | `HAVE_CRYPTSETUP2` | zkey-cryptsetup                   |
++| json-c     | `HAVE_JSONC`   | zkey-cryptsetup                       |
+ 
+ This table lists additional build or install options:
+ 
+@@ -369,8 +371,11 @@ the different tools are provided:
+ 
+ * zkey:
+   For building the zkey tools you need openssl version 0.9.7 or newer installed
+-  (openssl-devel.rpm). Tip: you may skip the zkey build by adding
+-  `HAVE_OPENSSL=0` to the make invocation.
++  (openssl-devel.rpm). Also required are cryptsetup version 2.0.3 or newer
++  (cryptsetup-devel.rpm), and json-c version 0.12 or newer (json-c-devel.rpm).
++  Tip: you may skip the zkey build by adding `HAVE_OPENSSL=0`, and you may
++  may skip the zkey-cryptsetup build by adding `HAVE_CRYPTSETUP2=0`, or
++  `HAVE_JSONC=0` to the make invocation.
+   A new group 'zkeyadm' needs to be created and all users intending to use the
+   tool must be added to this group. The owner of the default key repository
+   '/etc/zkey/repository' must be set to group 'zkeyadm' with write permission
+--- a/common.mak
++++ b/common.mak
+@@ -113,9 +113,10 @@ DEFAULT_LDFLAGS = -rdynamic
+ # $2: Name of include file to check
+ # $3: Name of required devel package
+ # $4: Option to skip build (e.g. HAVE_FUSE=0)
++# $5: Additional compiler & linker options (optional)
+ #
+ check_dep=\
+-printf "\#include <%s>" $2 | ( $(CC) $(filter-out --coverage, $(ALL_CFLAGS)) $(ALL_CPPFLAGS) -c -o /dev/null -xc - ) > /dev/null 2>&1; \
++printf "\#include <%s>\n int main(void) {return 0;}" $2 | ( $(CC) $(filter-out --coverage, $(ALL_CFLAGS)) $(ALL_CPPFLAGS) $5 -o /dev/null -xc - ) > /dev/null 2>&1; \
+ if [ $$? != 0 ]; \
+ then \
+ 	printf "  REQCHK  %s (%s)\n" $1 $2; \
+--- a/zkey/Makefile
++++ b/zkey/Makefile
+@@ -1,54 +1,96 @@
+ include ../common.mak
+ 
+-ifeq (${HAVE_OPENSSL},0)
++ifneq (${HAVE_OPENSSL},0)
++	BUILD_TARGETS += zkey
++	INSTALL_TARGETS += install-zkey
++else
++	BUILD_TARGETS += zkey-skip
++	INSTALL_TARGETS += zkey-skip
++endif
+ 
+-all:
+-	$(SKIP) HAVE_OPENSSL=0
++ifneq (${HAVE_CRYPTSETUP2},0)
++	ifneq (${HAVE_JSONC},0)
++		BUILD_TARGETS += zkey-cryptsetup
++		INSTALL_TARGETS += install-zkey-cryptsetup
++	else
++		BUILD_TARGETS += zkey-cryptsetup-skip-jsonc
++		INSTALL_TARGETS += zkey-cryptsetup-skip-jsonc
++	endif
++else
++	BUILD_TARGETS += zkey-cryptsetup-skip-cryptsetup2
++	INSTALL_TARGETS += zkey-cryptsetup-skip-cryptsetup2
++endif
+ 
+-install:
+-	$(SKIP) HAVE_OPENSSL=0
++CPPFLAGS += -I../include
++LIBS = $(rootdir)/libutil/libutil.a
+ 
+-else
++detect-libcryptsetup.h:
++	echo "#include <libcryptsetup.h>" > detect-libcryptsetup.h
++	echo "#ifndef CRYPT_LUKS2" >> detect-libcryptsetup.h
++	echo "  #error libcryptsetup version 2.0.3 is required" >> detect-libcryptsetup.h
++	echo "#endif" >> detect-libcryptsetup.h
++	echo "int i = CRYPT_SLOT_UNBOUND;" >> detect-libcryptsetup.h
+ 
+-check_dep:
++check-dep-zkey:
+ 	$(call check_dep, \
+ 		"zkey", \
+ 		"openssl/evp.h", \
+ 		"openssl-devel", \
+ 		"HAVE_OPENSSL=0")
+ 
+-CPPFLAGS += -I../include
++check-dep-zkey-cryptsetup: detect-libcryptsetup.h
++	$(call check_dep, \
++		"zkey-cryptsetup", \
++		"detect-libcryptsetup.h", \
++		"cryptsetup-devel version 2.0.3", \
++		"HAVE_CRYPTSETUP2=0", \
++		"-I.")
++	$(call check_dep, \
++		"zkey-cryptsetup", \
++		"json-c/json.h", \
++		"json-c-devel", \
++		"HAVE_JSONC=0")
++
++zkey-skip:
++	echo "  SKIP    zkey due to HAVE_OPENSSL=0"
++
++zkey-cryptsetup-skip-cryptsetup2:
++	echo "  SKIP    zkey-cryptsetup due to HAVE_CRYPTSETUP2=0"
+ 
+-all: check_dep zkey zkey-cryptsetup
++zkey-cryptsetup-skip-jsonc:
++	echo "  SKIP    zkey-cryptsetup due to HAVE_JSONC=0"
+ 
+-libs = $(rootdir)/libutil/libutil.a
++all: $(BUILD_TARGETS)
+ 
+ zkey.o: zkey.c pkey.h misc.h
+ pkey.o: pkey.c pkey.h
+-properties.o: properties.c properties.h
++properties.o: check-dep-zkey properties.c properties.h
+ keystore.o: keystore.c keystore.h properties.h
+-zkey-cryptsetup.o: zkey-cryptsetup.c pkey.h misc.h
++zkey-cryptsetup.o: check-dep-zkey-cryptsetup zkey-cryptsetup.c pkey.h misc.h
+ 
+ zkey: LDLIBS = -ldl -lcrypto
+-zkey: zkey.o pkey.o properties.o keystore.o $(libs)
++zkey: zkey.o pkey.o properties.o keystore.o $(LIBS)
+ 
+ zkey-cryptsetup: LDLIBS = -ldl -lcryptsetup -ljson-c
+-zkey-cryptsetup: zkey-cryptsetup.o pkey.o $(libs)
++zkey-cryptsetup: zkey-cryptsetup.o pkey.o $(LIBS)
+ 
+-
+-install: all
++install-common:
+ 	$(INSTALL) -d -m 755 $(DESTDIR)$(USRBINDIR)
+-	$(INSTALL) -g $(GROUP) -o $(OWNER) -m 755 zkey $(DESTDIR)$(USRBINDIR)
+-	$(INSTALL) -g $(GROUP) -o $(OWNER) -m 755 zkey-cryptsetup $(DESTDIR)$(USRBINDIR)
+ 	$(INSTALL) -d -m 755 $(DESTDIR)$(MANDIR)/man1
++
++install-zkey:
++	$(INSTALL) -g $(GROUP) -o $(OWNER) -m 755 zkey $(DESTDIR)$(USRBINDIR)
+ 	$(INSTALL) -m 644 -c zkey.1 $(DESTDIR)$(MANDIR)/man1
+-	$(INSTALL) -m 644 -c zkey-cryptsetup.1 $(DESTDIR)$(MANDIR)/man1
+ 	$(INSTALL) -d -m 770 $(DESTDIR)$(SYSCONFDIR)/zkey
+ 	$(INSTALL) -d -m 770 $(DESTDIR)$(SYSCONFDIR)/zkey/repository
+ 
+-endif
++install-zkey-cryptsetup:
++	$(INSTALL) -g $(GROUP) -o $(OWNER) -m 755 zkey-cryptsetup $(DESTDIR)$(USRBINDIR)
++	$(INSTALL) -m 644 -c zkey-cryptsetup.1 $(DESTDIR)$(MANDIR)/man1
++
++install: all install-common $(INSTALL_TARGETS)
+ 
+ clean:
+-	rm -f *.o zkey zkey-cryptsetup
++	rm -f *.o zkey zkey-cryptsetup detect-libcryptsetup.h
+ 
+ .PHONY: all install clean

s390-tools-sles15sp1-0018-zkey-Add-key-verification-pattern-property.patch

@@ -0,0 +1,349 @@
+Subject: zkey: Add key verification pattern property
+From: Ingo Franzki <ifranzki@linux.ibm.com>
+
+Summary: zkey: Support CCA master key change with LUKS2 volumes using paes     
+Description: Support the usage of protected key crypto for dm-crypt disks in
+             LUKS2 format by providing a tool allowing to re-encipher a 
+             secure LUKS2 volume key when the CCA master key is changed
+Upstream-ID: 512b47c0042a3cdedafce8d46dcc76053298116c
+Problem-ID:  SEC1424.1
+
+Upstream-Description:
+
+             zkey: Add key verification pattern property
+
+             Store a verification pattern in the properties file along
+             with the secure key. The verification pattern allows to identify
+             the inner key even when the secure key is no longer valid.
+
+             Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
+             Reviewed-by: Hendrik Brueckner <brueckner@linux.ibm.com>
+             Signed-off-by: Jan Höppner <hoeppner@linux.ibm.com>
+
+
+Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
+---
+ zkey/keystore.c |  132 +++++++++++++++++++++++++++++++++++++++++++++++++++-----
+ zkey/zkey.1     |    4 -
+ zkey/zkey.c     |   27 +++++++++--
+ 3 files changed, 145 insertions(+), 18 deletions(-)
+
+--- a/zkey/keystore.c
++++ b/zkey/keystore.c
+@@ -58,6 +58,7 @@ struct key_filenames {
+ #define PROP_NAME_CREATION_TIME	"creation-time"
+ #define PROP_NAME_CHANGE_TIME	"update-time"
+ #define PROP_NAME_REENC_TIME	"reencipher-time"
++#define PROP_NAME_KEY_VP	"verification-pattern"
+ 
+ #define IS_XTS(secure_key_size) (secure_key_size > SECURE_KEY_SIZE ? 1 : 0)
+ 
+@@ -75,6 +76,7 @@ struct key_filenames {
+ #define REC_CREATION_TIME	"Created"
+ #define REC_CHANGE_TIME		"Changed"
+ #define REC_REENC_TIME		"Re-enciphered"
++#define REC_KEY_VP		"Verification pattern"
+ 
+ #define pr_verbose(keystore, fmt...)	do {				\
+ 						if (keystore->verbose)	\
+@@ -1270,6 +1272,77 @@ struct keystore *keystore_new(const char
+ }
+ 
+ /**
++ * Generate the key verification pattern from the specified secure key file
++ *
++ * @param[in] keystore    the key store
++ * @param[in} keyfile     the key file
++ * @param[in] vp          buffer filled with the verification pattern
++ * @param[in] vp_len      length of the buffer. Must be at
++ *                        least VERIFICATION_PATTERN_LEN bytes in size.
++ *
++ * @returns 0 for success or a negative errno in case of an error
++ */
++static int _keystore_generate_verification_pattern(struct keystore *keystore,
++						  const char *keyfile,
++						  char *vp, size_t vp_len)
++{
++	size_t key_size;
++	u8 *key;
++	int rc;
++
++	util_assert(keystore != NULL, "Internal error: keystore is NULL");
++	util_assert(keyfile != NULL, "Internal error: keyfile is NULL");
++	util_assert(vp != NULL, "Internal error: vp is NULL");
++
++	key = read_secure_key(keyfile, &key_size, keystore->verbose);
++	if (key == NULL)
++		return -EIO;
++
++	rc = generate_key_verification_pattern((const char *)key, key_size,
++					       vp, vp_len, keystore->verbose);
++
++	free(key);
++	return rc;
++}
++
++/**
++ * Checks if the key verification pattern property exists. If not, then it is
++ * created from the secure key.
++ *
++ * @param[in] keystore    the key store
++ * @param[in] file_names  the file names of the key
++ * @param[in] key_props   the properties of the key
++ *
++ *  @returns 0 for success or a negative errno in case of an error
++ */
++static int _keystore_ensure_vp_exists(struct keystore *keystore,
++				      const struct key_filenames *file_names,
++				      struct properties *key_props)
++{
++	char vp[VERIFICATION_PATTERN_LEN];
++	char *temp;
++	int rc;
++
++	temp = properties_get(key_props, PROP_NAME_KEY_VP);
++	if (temp != NULL) {
++		free(temp);
++		return 0;
++	}
++
++	rc = _keystore_generate_verification_pattern(keystore,
++						     file_names->skey_filename,
++						     vp, sizeof(vp));
++	if (rc != 0)
++		return rc;
++
++	rc = properties_set(key_props, PROP_NAME_KEY_VP, vp);
++	if (rc != 0)
++		return rc;
++
++	return 0;
++}
++
++/**
+  * Sets a timestamp to be used as creation/update/reencipher time into
+  * the specified property
+  *
+@@ -1348,7 +1421,7 @@ static int _keystore_set_default_propert
+  */
+ static int _keystore_create_info_file(struct keystore *keystore,
+ 				      const char *name,
+-				      const char *info_filename,
++				      const struct key_filenames *filenames,
+ 				      const char *description,
+ 				      const char *volumes, const char *apqns,
+ 				      size_t sector_size)
+@@ -1396,17 +1469,26 @@ static int _keystore_create_info_file(st
+ 		goto out;
+ 	}
+ 
+-	rc = properties_save(key_props, info_filename, 1);
++	rc = _keystore_ensure_vp_exists(keystore, filenames, key_props);
++	if (rc != 0) {
++		warnx("Failed to generate the key verification pattern: %s",
++		      strerror(-rc));
++		warnx("Make sure that kernel module 'paes_s390' is loaded and "
++		      "that the 'paes' cipher is available");
++		return rc;
++	}
++
++	rc = properties_save(key_props, filenames->info_filename, 1);
+ 	if (rc != 0) {
+ 		pr_verbose(keystore,
+ 			   "Key info file '%s' could not be written: %s",
+-			   info_filename, strerror(-rc));
++			   filenames->info_filename, strerror(-rc));
+ 		goto out;
+ 	}
+ 
+-	rc = _keystore_set_file_permission(keystore, info_filename);
++	rc = _keystore_set_file_permission(keystore, filenames->info_filename);
+ 	if (rc != 0) {
+-		remove(info_filename);
++		remove(filenames->info_filename);
+ 		goto out;
+ 	}
+ 
+@@ -1519,8 +1601,7 @@ int keystore_generate_key(struct keystor
+ 	if (rc != 0)
+ 		goto out_free_props;
+ 
+-	rc = _keystore_create_info_file(keystore, name,
+-					file_names.info_filename,
++	rc = _keystore_create_info_file(keystore, name, &file_names,
+ 					description, volumes, apqns,
+ 					sector_size);
+ 	if (rc != 0)
+@@ -1603,8 +1684,7 @@ int keystore_import_key(struct keystore
+ 	if (rc != 0)
+ 		goto out_free_props;
+ 
+-	rc = _keystore_create_info_file(keystore, name,
+-					file_names.info_filename,
++	rc = _keystore_create_info_file(keystore, name, &file_names,
+ 					description, volumes, apqns,
+ 					sector_size);
+ 	if (rc != 0)
+@@ -1723,6 +1803,9 @@ int keystore_change_key(struct keystore
+ 		}
+ 	}
+ 
++	rc = _keystore_ensure_vp_exists(keystore, &file_names, key_props);
++	/* ignore return code, vp generation might fail if key is not valid */
++
+ 	rc = _keystore_set_timestamp_property(key_props, PROP_NAME_CHANGE_TIME);
+ 	if (rc != 0)
+ 		goto out;
+@@ -1838,7 +1921,7 @@ static struct util_rec *_keystore_setup_
+ {
+ 	struct util_rec *rec;
+ 
+-	rec = util_rec_new_long("-", ":", REC_KEY, 23, 54);
++	rec = util_rec_new_long("-", ":", REC_KEY, 28, 54);
+ 	util_rec_def(rec, REC_KEY, UTIL_REC_ALIGN_LEFT, 54, REC_KEY);
+ 	if (validation)
+ 		util_rec_def(rec, REC_STATUS, UTIL_REC_ALIGN_LEFT, 54,
+@@ -1858,6 +1941,7 @@ static struct util_rec *_keystore_setup_
+ 	util_rec_def(rec, REC_KEY_FILE, UTIL_REC_ALIGN_LEFT, 54, REC_KEY_FILE);
+ 	util_rec_def(rec, REC_SECTOR_SIZE, UTIL_REC_ALIGN_LEFT, 54,
+ 		     REC_SECTOR_SIZE);
++	util_rec_def(rec, REC_KEY_VP, UTIL_REC_ALIGN_LEFT, 54, REC_KEY_VP);
+ 	util_rec_def(rec, REC_CREATION_TIME, UTIL_REC_ALIGN_LEFT, 54,
+ 		     REC_CREATION_TIME);
+ 	util_rec_def(rec, REC_CHANGE_TIME, UTIL_REC_ALIGN_LEFT, 54,
+@@ -1876,6 +1960,7 @@ static void _keystore_print_record(struc
+ 				   size_t clear_key_bitsize, bool valid,
+ 				   bool is_old_mk, bool reenc_pending)
+ {
++	char temp_vp[VERIFICATION_PATTERN_LEN + 2];
+ 	char *volumes_argz = NULL;
+ 	size_t volumes_argz_len;
+ 	char *apqns_argz = NULL;
+@@ -1888,6 +1973,8 @@ static void _keystore_print_record(struc
+ 	char *change;
+ 	char *apqns;
+ 	char *temp;
++	char *vp;
++	int len;
+ 
+ 	description = properties_get(properties, PROP_NAME_DESCRIPTION);
+ 	volumes = properties_get(properties, PROP_NAME_VOLUMES);
+@@ -1913,6 +2000,7 @@ static void _keystore_print_record(struc
+ 	creation = properties_get(properties, PROP_NAME_CREATION_TIME);
+ 	change = properties_get(properties, PROP_NAME_CHANGE_TIME);
+ 	reencipher = properties_get(properties, PROP_NAME_REENC_TIME);
++	vp = properties_get(properties, PROP_NAME_KEY_VP);
+ 
+ 	util_rec_set(rec, REC_KEY, name);
+ 	if (validation)
+@@ -1951,6 +2039,15 @@ static void _keystore_print_record(struc
+ 	else
+ 		util_rec_set(rec, REC_SECTOR_SIZE, "%lu bytes",
+ 			     sector_size);
++	if (vp != NULL) {
++		len = sprintf(temp_vp, "%.*s%c%.*s",
++			      VERIFICATION_PATTERN_LEN / 2, vp,
++			      '\0', VERIFICATION_PATTERN_LEN / 2,
++			      &vp[VERIFICATION_PATTERN_LEN / 2]);
++		util_rec_set_argz(rec, REC_KEY_VP, temp_vp, len + 1);
++	} else {
++		util_rec_set(rec, REC_KEY_VP, "(not available)");
++		}
+ 	util_rec_set(rec, REC_CREATION_TIME, creation);
+ 	util_rec_set(rec, REC_CHANGE_TIME,
+ 		     change != NULL ? change : "(never)");
+@@ -1976,6 +2073,8 @@ static void _keystore_print_record(struc
+ 		free(change);
+ 	if (reencipher != NULL)
+ 		free(reencipher);
++	if (vp != NULL)
++		free(vp);
+ }
+ 
+ struct validate_info {
+@@ -2404,6 +2503,17 @@ static int _keystore_process_reencipher(
+ 		if (rc != 0)
+ 			goto out;
+ 
++		rc = _keystore_ensure_vp_exists(keystore, file_names,
++						properties);
++		if (rc != 0) {
++			warnx("Failed to generate the key verification pattern "
++			      "for key '%s': %s", file_names->skey_filename,
++			      strerror(-rc));
++			warnx("Make sure that kernel module 'paes_s390' is loaded and "
++			      "that the 'paes' cipher is available");
++			goto out;
++		}
++
+ 		rc = properties_save(properties, file_names->info_filename, 1);
+ 		if (rc != 0) {
+ 			pr_verbose(keystore,
+@@ -3040,7 +3150,7 @@ static int _keystore_process_crypttab(st
+ 			"At the time this utility was developed, systemd's "
+ 			"support of crypttab did not support to specify a "
+ 			"sector size with plain dm-crypt devices. The generated "
+-			"crypttab entry may or may not work, and may need "
++			"crypttab entry might or might not work, and might need "
+ 			"manual adoptions.", volume, sector_size);
+ 		util_print_indented(temp, 0);
+ 	}
+--- a/zkey/zkey.1
++++ b/zkey/zkey.1
+@@ -361,8 +361,8 @@ The
+ command displays the attributes of the secure keys, such as key sizes,
+ whether it is a secure key that can be used for the XTS cipher mode, the textual
+ description, associated cryptographic adapters (APQNs) and volumes, the
+-sector size, and timestamps for key creation, last modification and last
+-re-encipherment.
++sector size, the key verification pattern, and timestamps for key creation, last
++modification and last re-encipherment.
+ .
+ .SS "Remove existing AES secure keys from the secure key repository"
+ .
+--- a/zkey/zkey.c
++++ b/zkey/zkey.c
+@@ -1057,6 +1057,7 @@ static int command_reencipher(void)
+  */
+ static int command_validate_file(void)
+ {
++	char vp[VERIFICATION_PATTERN_LEN];
+ 	size_t secure_key_size;
+ 	size_t clear_key_size;
+ 	u8 *secure_key;
+@@ -1089,14 +1090,30 @@ static int command_validate_file(void)
+ 		goto out;
+ 	}
+ 
++	rc = generate_key_verification_pattern((char *)secure_key,
++					       secure_key_size, vp, sizeof(vp),
++					       g.verbose);
++	if (rc != 0) {
++		warnx("Failed to generate the verification pattern: %s",
++		      strerror(-rc));
++		warnx("Make sure that kernel module 'paes_s390' is loaded and "
++		      "that the 'paes' cipher is available");
++		rc = EXIT_FAILURE;
++		goto out;
++	}
++
+ 	printf("Validation of secure key in file '%s':\n", g.pos_arg);
+-	printf("  Status:          Valid\n");
+-	printf("  Secure key size: %lu bytes\n", secure_key_size);
+-	printf("  Clear key size:  %lu bits\n", clear_key_size);
+-	printf("  XTS type key:    %s\n",
++	printf("  Status:                Valid\n");
++	printf("  Secure key size:       %lu bytes\n", secure_key_size);
++	printf("  Clear key size:        %lu bits\n", clear_key_size);
++	printf("  XTS type key:          %s\n",
+ 	       secure_key_size > SECURE_KEY_SIZE ? "Yes" : "No");
+-	printf("  Encrypted with:  %s CCA master key\n",
++	printf("  Enciphered with:       %s CCA master key\n",
+ 	       is_old_mk ? "OLD" : "CURRENT");
++	printf("  Verification pattern:  %.*s\n", VERIFICATION_PATTERN_LEN / 2,
++	       vp);
++	printf("                         %.*s\n", VERIFICATION_PATTERN_LEN / 2,
++	       &vp[VERIFICATION_PATTERN_LEN / 2]);
+ 
+ out:
+ 	free(secure_key);

s390-tools-sles15sp1-01-cpumf-Add-extended-counter-defintion-files-for-IBM-z.patch

@@ -0,0 +1,361 @@
+Subject: cpumf: Add extended counter defintion files for IBM z14
+From: Hendrik Brueckner <brueckner@linux.ibm.com>
+
+Summary:     cpumf: Add CPU-MF hardware counters for z14
+Description: Add hardware counter definitions for IBM z14.
+Upstream-ID: 57f18c5f59766832822a74cc029a8d3b60e3ba0f
+Problem-ID:  KRN1608
+
+Upstream-Description:
+
+             cpumf: Add extended counter defintion files for IBM z14
+
+             Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
+             [brueckner: Prefer plural for counter names]
+             Signed-off-by: Hendrik Brueckner <brueckner@linux.vnet.ibm.com>
+             Signed-off-by: Stefan Haberland <sth@linux.vnet.ibm.com>
+
+
+Signed-off-by: Hendrik Brueckner <brueckner@linux.ibm.com>
+---
+ cpumf/Makefile                      |    2 
+ cpumf/bin/cpumf_helper.in           |    1 
+ cpumf/data/cpum-cf-extended-z14.ctr |  303 ++++++++++++++++++++++++++++++++++++
+ cpumf/data/cpum-cf-hw-counter.map   |    1 
+ 4 files changed, 306 insertions(+), 1 deletion(-)
+
+--- a/cpumf/Makefile
++++ b/cpumf/Makefile
+@@ -7,7 +7,7 @@ CPUMF_DATADIR = $(TOOLS_DATADIR)/cpumf
+ DATA_FILES = cpum-cf-hw-counter.map cpum-cf-generic.ctr \
+              cpum-cf-extended-z10.ctr cpum-cf-extended-z196.ctr \
+ 	     cpum-cf-extended-zEC12.ctr cpum-sf-modes.ctr \
+-	     cpum-cf-extended-z13.ctr
++	     cpum-cf-extended-z13.ctr cpum-cf-extended-z14.ctr
+ LIB_FILES = bin/cpumf_helper
+ USRBIN_SCRIPTS = bin/lscpumf
+ USRSBIN_SCRIPTS = bin/chcpumf
+--- a/cpumf/bin/cpumf_helper.in
++++ b/cpumf/bin/cpumf_helper.in
+@@ -210,6 +210,7 @@ my $system_z_hwtype_map = {
+ 	2828		=> 'IBM zEnterprise BC12',
+ 	2964		=> 'IBM z13',
+ 	2965		=> 'IBM z13s',
++	3906		=> 'IBM z14',
+ };
+ 
+ sub get_hardware_type()
+--- /dev/null
++++ b/cpumf/data/cpum-cf-extended-z14.ctr
+@@ -0,0 +1,303 @@
++# Counter decriptions for the
++#	IBM z14 extended counter and MT-diagnostic counter set
++#
++# Notes for transactional-execution mode symbolic names:
++#	TX .. transactional-execution mode
++#	NC .. nonconstrained
++#	 C .. constrained
++#
++# Undefined counters in the extended counter set:
++#	142
++#	158-161
++#	176-223
++#	227-231
++#	233-242
++#	246-255
++# Undefined counters in the MT-diagnostic counter set:
++#	450-495
++#
++#
++# Extended Counter Set
++# ---------------------------------------------------------------------
++Counter:128	Name:L1D_WRITES_RO_EXCL
++A directory write to the Level-1 Data cache where the line was
++originally in a Read-Only state in the cache but has been updated
++to be in the Exclusive state that allows stores to the cache line
++.
++Counter:129	Name:DTLB2_WRITES
++Description:
++A translation has been written into The Translation Lookaside
++Buffer 2 (TLB2) and the request was made by the data cache
++.
++Counter:130	Name:DTLB2_MISSES
++Description:
++A TLB2 miss is in progress for a request made by the data cache.
++Incremented by one for every TLB2 miss in progress for the Level-1
++Data cache on this cycle
++.
++Counter:131	Name:DTLB2_HPAGE_WRITES
++Description:
++A translation entry was written into the Combined Region and Segment
++Table Entry array in the Level-2 TLB for a one-megabyte page or a
++Last Host Translation was done
++.
++Counter:132	Name:DTLB2_GPAGE_WRITES
++Description:
++A translation entry for a two-gigabyte page was written into the
++Level-2 TLB
++.
++Counter:133	Name:L1D_L2D_SOURCED_WRITES
++Description:
++A directory write to the Level-1 Data cache directory where the
++returned cache line was sourced from the Level-2 Data cache
++.
++Counter:134	Name:ITLB2_WRITES
++Description:
++A translation entry has been written into the Translation Lookaside
++Buffer 2 (TLB2) and the request was made by the instruction cache
++.
++Counter:135	Name:ITLB2_MISSES
++Description:
++A TLB2 miss is in progress for a request made by the instruction cache.
++Incremented by one for every TLB2 miss in progress for the Level-1
++Instruction cache in a cycle
++.
++Counter:136	Name:L1I_L2I_SOURCED_WRITES
++Description:
++A directory write to the Level-1 Instruction cache directory where the
++returned cache line was sourced from the Level-2 Instruction cache
++.
++Counter:137	Name:TLB2_PTE_WRITES
++Description:
++A translation entry was written into the Page Table Entry array in the
++Level-2 TLB
++.
++Counter:138	Name:TLB2_CRSTE_WRITES
++Description:
++Translation entries were written into the Combined Region and Segment
++Table Entry array and the Page Table Entry array in the Level-2 TLB
++.
++Counter:139	Name:TLB2_ENGINES_BUSY
++Description:
++The number of Level-2 TLB translation engines busy in a cycle
++.
++Counter:140	Name:TX_C_TEND
++Description:
++A TEND instruction has completed in a constrained transactional-execution
++mode
++.
++Counter:141	Name:TX_NC_TEND
++Description:
++A TEND instruction has completed in a non-constrained
++transactional-execution mode
++.
++Counter:143	Name:L1C_TLB2_MISSES
++Description:
++Increments by one for any cycle where a level-1 cache or level-2 TLB miss
++is in progress
++.
++Counter:144	Name:L1D_ONCHIP_L3_SOURCED_WRITES
++Description:
++A directory write to the Level-1 Data cache directory where the returned
++cache line was sourced from an On-Chip Level-3 cache without intervention
++.
++Counter:145	Name:L1D_ONCHIP_MEMORY_SOURCED_WRITES
++Description:
++A directory write to the Level-1 Data cache directory where the returned
++cache line was sourced from On-Chip memory
++.
++Counter:146	Name:L1D_ONCHIP_L3_SOURCED_WRITES_IV
++Description:
++A directory write to the Level-1 Data cache directory where the returned
++cache line was sourced from an On-Chip Level-3 cache with intervention
++.
++Counter:147	Name:L1D_ONCLUSTER_L3_SOURCED_WRITES
++Description:
++A directory write to the Level-1 Data cache directory where the returned
++cache line was sourced from On-Cluster Level-3 cache withountervention
++.
++Counter:148	Name:L1D_ONCLUSTER_MEMORY_SOURCED_WRITES
++Description:
++A directory write to the Level-1 Data cache directory where the returned
++cache line was sourced from an On-Cluster memory
++.
++Counter:149	Name:L1D_ONCLUSTER_L3_SOURCED_WRITES_IV
++Description:
++A directory write to the Level-1 Data cache directory where the returned
++cache line was sourced from an On-Cluster Level-3 cache with intervention
++.
++Counter:150	Name:L1D_OFFCLUSTER_L3_SOURCED_WRITES
++Description:
++A directory write to the Level-1 Data cache directory where the returned
++cache line was sourced from an Off-Cluster Level-3 cache without
++intervention
++.
++Counter:151	Name:L1D_OFFCLUSTER_MEMORY_SOURCED_WRITES
++Description:
++A directory write to the Level-1 Data cache directory where the returned
++cache line was sourced from Off-Cluster memory
++.
++Counter:152	Name:L1D_OFFCLUSTER_L3_SOURCED_WRITES_IV
++Description:
++A directory write to the Level-1 Data cache directory where the returned
++cache line was sourced from an Off-Cluster Level-3 cache with intervention
++.
++Counter:153	Name:L1D_OFFDRAWER_L3_SOURCED_WRITES
++Description:
++A directory write to the Level-1 Data cache directory where the returned
++cache line was sourced from an Off-Drawer Level-3 cache without
++intervention
++.
++Counter:154	Name:L1D_OFFDRAWER_MEMORY_SOURCED_WRITES
++Description:
++A directory write to the Level-1 Data cache directory where the returned
++cache line was sourced from Off-Drawer memory
++.
++Counter:155	Name:L1D_OFFDRAWER_L3_SOURCED_WRITES_IV
++Description:
++A directory write to the Level-1 Data cache directory where the returned
++cache line was sourced from an Off-Drawer Level-3 cache with intervention
++.
++Counter:156	Name:L1D_ONDRAWER_L4_SOURCED_WRITES
++Description:
++A directory write to the Level-1 Data cache directory where the returned
++cache line was sourced from On-Drawer Level-4 cache
++.
++Counter:157	Name:L1D_OFFDRAWER_L4_SOURCED_WRITES
++Description:
++A directory write to the Level-1 Data cache directory where the returned
++cache line was sourced from Off-Drawer Level-4 cache
++.
++Counter:158	Name:L1D_ONCHIP_L3_SOURCED_WRITES_RO
++Description:
++A directory write to the Level-1 Data cache directory where the returned
++cache line was sourced from On-Chip L3 but a read-only invalidate was
++done to remove other copies of the cache line
++.
++Counter:162	Name:L1I_ONCHIP_L3_SOURCED_WRITES
++Description:
++A directory write to the Level-1 Instruction cache directory where the
++returned cache ine was sourced from an On-Chip Level-3 cache without
++intervention
++.
++Counter:163	Name:L1I_ONCHIP_MEMORY_SOURCED_WRITES
++Description:
++A directory write to the Level-1 Instruction cache directory where the
++returned cache ine was sourced from On-Chip memory
++.
++Counter:164	Name:L1I_ONCHIP_L3_SOURCED_WRITES_IV
++Description:
++A directory write to the Level-1 Instruction cache directory where the
++returned cache ine was sourced from an On-Chip Level-3 cache with
++intervention
++.
++Counter:165	Name:L1I_ONCLUSTER_L3_SOURCED_WRITES
++Description:
++A directory write to the Level-1 Instruction cache directory where the
++returned cache line was sourced from an On-Cluster Level-3 cache without
++intervention
++.
++Counter:166	Name:L1I_ONCLUSTER_MEMORY_SOURCED_WRITES
++Description:
++A directory write to the Level-1 Instruction cache directory where the
++returned cache line was sourced from an On-Cluster memory
++.
++Counter:167	Name:L1I_ONCLUSTER_L3_SOURCED_WRITES_IV
++Description:
++A directory write to the Level-1 Instruction cache directory where the
++returned cache line was sourced from On-Cluster Level-3 cache with
++intervention
++.
++Counter:168	Name:L1I_OFFCLUSTER_L3_SOURCED_WRITES
++Description:
++A directory write to the Level-1 Instruction cache directory where the
++returned cache line was sourced from an Off-Cluster Level-3 cache without
++intervention
++.
++Counter:169	Name:L1I_OFFCLUSTER_MEMORY_SOURCED_WRITES
++Description:
++A directory write to the Level-1 Instruction cache directory where the
++returned cache line was sourced from Off-Cluster memory
++.
++Counter:170	Name:L1I_OFFCLUSTER_L3_SOURCED_WRITES_IV
++Description:
++A directory write to the Level-1 Instruction cache directory where the
++returned cache line was sourced from an Off-Cluster Level-3 cache with
++intervention
++.
++Counter:171	Name:L1I_OFFDRAWER_L3_SOURCED_WRITES
++Description:
++A directory write to the Level-1 Instruction cache directory where the
++returned cache line was sourced from an Off-Drawer Level-3 cache without
++intervention
++.
++Counter:172	Name:L1I_OFFDRAWER_MEMORY_SOURCED_WRITES
++Description:
++A directory write to the Level-1 Instruction cache directory where the
++returned cache line was sourced from Off-Drawer memory
++.
++Counter:173	Name:L1I_OFFDRAWER_L3_SOURCED_WRITES_IV
++Description:
++A directory write to the Level-1 Instruction cache directory where the
++returned cache line was sourced from an Off-Drawer Level-3 cache with
++intervention
++.
++Counter:174	Name:L1I_ONDRAWER_L4_SOURCED_WRITES
++Description:
++A directory write to the Level-1 Instruction cache directory where the
++returned cache line was sourced from On-Drawer Level-4 cache
++.
++Counter:175	Name:L1I_OFFDRAWER_L4_SOURCED_WRITES
++Description:
++A directory write to the Level-1 Instruction cache directory where the
++returned cache line was sourced from Off-Drawer Level-4 cache
++.
++Counter:224	Name:BCD_DFP_EXECUTION_SLOTS
++Description:
++Count of floating point execution slots used for finished Binary Coded
++Decimal to Decimal Floating Point conversions. Instructions: CDZT,
++CXZT, CZDT, CZXT
++.
++Counter:225	Name:VX_BCD_EXECUTION_SLOTS
++Description:
++Count of floating point execution slots used for finished vector arithmetic
++Binary Coded Decimal instructions. Instructions: VAP, VSP, VMPVMSP, VDP,
++VSDP, VRP, VLIP, VSRP, VPSOPVCP, VTP, VPKZ, VUPKZ, VCVB, VCVBG, VCVDVCVDG
++.
++Counter:226	Name:DECIMAL_INSTRUCTIONS
++Description:
++Decimal instructions dispatched. Instructions: CVB, CVD, AP, CP, DP, ED,
++EDMK, MP, SRP, SP, ZAP
++.
++Counter:233	Name:LAST_HOST_TRANSLATIONS
++Description:
++Last Host Translation done
++.
++Counter:243	Name:TX_NC_TABORT
++Description:
++A transaction abort has occurred in a non-constrained
++transactional-execution mode
++.
++Counter:244	Name:TX_C_TABORT_NO_SPECIAL
++Description:
++A transaction abort has occurred in a constrained transactional-execution
++mode and the CPU is not using any special logic to allow the transaction
++to complete
++.
++Counter:245	Name:TX_C_TABORT_SPECIAL
++Description:
++A transaction abort has occurred in a constrained transactional-execution
++mode and the CPU is using special logic to allow the transaction to
++complete
++.
++#
++# MT-diagnostic counter set
++# ---------------------------------------------------------------------
++Counter:448	Name:MT_DIAG_CYCLES_ONE_THR_ACTIVE
++Description:
++Cycle count with one thread active
++.
++Counter:449	Name:MT_DIAG_CYCLES_TWO_THR_ACTIVE
++Description:
++Cycle count with two threads active
++.
+--- a/cpumf/data/cpum-cf-hw-counter.map
++++ b/cpumf/data/cpum-cf-hw-counter.map
+@@ -14,4 +14,5 @@
+ 	2828		=> 'cpum-cf-extended-zEC12.ctr',
+ 	2964		=> 'cpum-cf-extended-z13.ctr',
+ 	2965		=> 'cpum-cf-extended-z13.ctr',
++	3906		=> 'cpum-cf-extended-z14.ctr',
+ };

s390-tools-sles15sp1-01-lszcrypt-CEX6S-exploitation.patch

@@ -0,0 +1,124 @@
+Subject: lszcrypt: CEX6S exploitation
+From: Harald Freudenberger <freude@linux.vnet.ibm.com>
+
+Summary:     s390-tools: Exploitation Support for CEX6S
+Description: Exploitation Support for CEX6S
+Upstream-ID: 31866fbfa4bd89606af2a313427ca06d230e20dc
+Problem-ID:  SEC1519
+
+Upstream-Description:
+
+             lszcrypt: CEX6S exploitation
+
+             With z14 there comes a new crypto card 'CEX6S'.
+
+             This patch introduces the s390-tools changes needed
+             to list the new card and show the capabilities correctly.
+
+             Signed-off-by: Harald Freudenberger <freude@linux.vnet.ibm.com>
+             Signed-off-by: Michael Holzheu <holzheu@linux.vnet.ibm.com>
+
+
+Signed-off-by: Harald Freudenberger <freude@linux.vnet.ibm.com>
+---
+ zconf/zcrypt/lszcrypt.8 |    6 ++++++
+ zconf/zcrypt/lszcrypt.c |   37 ++++++++++++++++++++++++++++---------
+ 2 files changed, 34 insertions(+), 9 deletions(-)
+
+--- a/zconf/zcrypt/lszcrypt.8
++++ b/zconf/zcrypt/lszcrypt.8
+@@ -85,6 +85,12 @@ EP11 Secure Key
+ .IP "o"
+ Long RNG
+ .RE
++
++.RS 8
++The CCA Secure Key capability may be limited by a hypervisor
++layer. The remarks 'full function set' or 'restricted function set' may
++reflect this. For details about these limitations please check the
++hypervisor documentation.
+ .TP 8
+ .B -d, --domains
+ Shows the usage and control domains of the cryptographic devices.
+--- a/zconf/zcrypt/lszcrypt.c
++++ b/zconf/zcrypt/lszcrypt.c
+@@ -42,11 +42,19 @@ struct lszcrypt_l *lszcrypt_l = &l;
+ /*
+  * Card types
+  */
+-#define MASK_APSC	0x80000000
+-#define MASK_RSA4K	0x60000000
+-#define MASK_COPRO	0x10000000
+-#define MASK_ACCEL	0x08000000
+-#define MASK_EP11	0x04000000
++#define MASK_APSC	    0x80000000
++#define MASK_RSA4K	    0x60000000
++#define MASK_COPRO	    0x10000000
++#define MASK_ACCEL	    0x08000000
++#define MASK_EP11	    0x04000000
++
++/*
++ * Classification
++ */
++#define MASK_CLASS_FULL	      0x00800000
++#define CLASS_FULL            "full function set"
++#define MASK_CLASS_STATELESS  0x00400000
++#define CLASS_STATELESS       "restricted function set"
+ 
+ /*
+  * Program configuration
+@@ -226,7 +234,7 @@ static void show_capability(const char *
+ {
+ 	unsigned long func_val;
+ 	long hwtype, id;
+-	char *p, *ap, *dev, card[16];
++	char *p, *ap, *dev, card[16], cbuf[256];
+ 
+ 	/* check if ap driver is available */
+ 	ap = util_path_sysfs("bus/ap");
+@@ -250,6 +258,11 @@ static void show_capability(const char *
+ 		printf("Detailed capability information for %s (hardware type %ld) is not available.\n", card, hwtype);
+ 		return;
+ 	}
++	cbuf[0] = '\0';
++	if (func_val & MASK_CLASS_FULL)
++		snprintf(cbuf, sizeof(cbuf), "%s", CLASS_FULL);
++	else if (func_val & MASK_CLASS_STATELESS)
++		snprintf(cbuf, sizeof(cbuf), "%s", CLASS_STATELESS);
+ 	printf("%s provides capability for:\n", card);
+ 	switch (hwtype) {
+ 	case 6:
+@@ -262,11 +275,15 @@ static void show_capability(const char *
+ 	case 7:
+ 	case 9:
+ 		printf("%s\n", CAP_RSA4K);
+-		printf("%s\n", CAP_CCA);
++		if (cbuf[0])
++			printf("%s (%s)\n", CAP_CCA, cbuf);
++		else
++			printf("%s\n", CAP_CCA);
+ 		printf("%s", CAP_RNG);
+ 		break;
+ 	case 10:
+ 	case 11:
++	case 12:
+ 		if (func_val & MASK_ACCEL) {
+ 			if (func_val & MASK_RSA4K)
+ 				printf("%s", CAP_RSA4K);
+@@ -274,12 +291,14 @@ static void show_capability(const char *
+ 				printf("%s", CAP_RSA2K);
+ 		} else if (func_val & MASK_COPRO) {
+ 			printf("%s\n", CAP_RSA4K);
+-			printf("%s\n", CAP_CCA);
++			if (cbuf[0])
++				printf("%s (%s)\n", CAP_CCA, cbuf);
++			else
++				printf("%s\n", CAP_CCA);
+ 			printf("%s", CAP_RNG);
+ 		} else if (func_val & MASK_EP11) {
+ 			printf("%s", CAP_EP11);
+ 		} else {
+-
+ 			printf("Detailed capability information for %s (hardware type %ld) is not available.", card, hwtype);
+ 		}
+ 		break;

s390-tools-sles15sp1-01-util_path-add-function-to-check-if-a-path-exists.patch

@@ -0,0 +1,55 @@
+Subject: util_path: add function to check if a path exists
+From: Jan Hoeppner <jan.hoeppner@de.ibm.com>
+
+Summary:     zpcictl: Add tool to manage PCI devices
+Description: Use the zpcictl tool to manage PCI devices on the IBM Z
+             platform.  Initial functions include generating firmware
+             error logs, resetting PCI devices, and preparing a device
+             for further repair actions.
+Upstream-ID: df133846b5889a7698ac09f00284c1be54926b59
+Problem-ID:  RAS1703
+
+Upstream-Description:
+
+             util_path: add function to check if a path exists
+
+             GitHub-ID: #20
+
+             Signed-off-by: Rafael Fonseca <r4f4rfs@gmail.com>
+             Acked-by: Michael Holzheu <holzheu@linux.vnet.ibm.com>
+             Signed-off-by: Michael Holzheu <holzheu@linux.vnet.ibm.com>
+
+
+Signed-off-by: Jan Hoeppner <jan.hoeppner@de.ibm.com>
+---
+ include/lib/util_path.h |    1 +
+ libutil/util_path.c     |   12 ++++++++++++
+ 2 files changed, 13 insertions(+)
+
+--- a/include/lib/util_path.h
++++ b/include/lib/util_path.h
+@@ -20,5 +20,6 @@ bool util_path_is_readable(const char *f
+ bool util_path_is_writable(const char *fmt, ...);
+ bool util_path_is_dir(const char *fmt, ...);
+ bool util_path_is_reg_file(const char *fmt, ...);
++bool util_path_exists(const char *fmt, ...);
+ 
+ #endif /** LIB_UTIL_PATH_H @} */
+--- a/libutil/util_path.c
++++ b/libutil/util_path.c
+@@ -194,3 +194,15 @@ free_str:
+ 	free(path);
+ 	return rc;
+ }
++
++bool util_path_exists(const char *fmt, ...)
++{
++	va_list ap;
++	char *path;
++	bool rc;
++
++	UTIL_VASPRINTF(&path, fmt, ap);
++	rc = access(path, F_OK) == 0;
++	free(path);
++	return rc;
++}

s390-tools-sles15sp1-02-cpumf-z14-split-counter-sets-according-to-CFVN-CSVN-.patch

@@ -0,0 +1,382 @@
+Subject: cpumf/z14: split counter sets according to CFVN/CSVN (part 1/2)
+From: Hendrik Brueckner <brueckner@linux.ibm.com>
+
+Summary:     cpumf: Add CPU-MF hardware counters for z14
+Description: Add hardware counter definitions for IBM z14.
+Upstream-ID: d121ffa3f01e08d2cc53140444dfcab830319012
+Problem-ID:  KRN1608
+
+Upstream-Description:
+
+             cpumf/z14: split counter sets according to CFVN/CSVN (part 1/2)
+
+             With z14, the counters in the problem-state are reduced resulting
+             in an increased first version number of the CPUM CF.  To adapt to
+             this change, split the counter sets according to their counter
+             first and second version number.  The second version number controls
+             the crypto-activity and extended counter set.  Treat the crypto-activity
+             counter set as generic, as the extended counter set is already handled
+             based on hardware models.
+
+             Signed-off-by: Hendrik Brueckner <brueckner@linux.vnet.ibm.com>
+             Signed-off-by: Stefan Haberland <sth@linux.vnet.ibm.com>
+
+
+Signed-off-by: Hendrik Brueckner <brueckner@linux.ibm.com>
+---
+ cpumf/Makefile                      |    4 -
+ cpumf/data/cpum-cf-cfvn-1.ctr       |   48 +++++++++++++
+ cpumf/data/cpum-cf-cfvn-3.ctr       |   32 ++++++++
+ cpumf/data/cpum-cf-csvn-generic.ctr |   84 ++++++++++++++++++++++
+ cpumf/data/cpum-cf-generic.ctr      |  132 ------------------------------------
+ cpumf/data/cpum-cf-hw-counter.map   |   15 +++-
+ 6 files changed, 180 insertions(+), 135 deletions(-)
+
+--- a/cpumf/Makefile
++++ b/cpumf/Makefile
+@@ -4,7 +4,9 @@ include ../common.mak
+ 
+ 
+ CPUMF_DATADIR = $(TOOLS_DATADIR)/cpumf
+-DATA_FILES = cpum-cf-hw-counter.map cpum-cf-generic.ctr \
++DATA_FILES = cpum-cf-hw-counter.map \
++	     cpum-cf-cfvn-1.ctr cpum-cf-cfvn-3.ctr \
++	     cpum-cf-csvn-generic.ctr \
+              cpum-cf-extended-z10.ctr cpum-cf-extended-z196.ctr \
+ 	     cpum-cf-extended-zEC12.ctr cpum-sf-modes.ctr \
+ 	     cpum-cf-extended-z13.ctr cpum-cf-extended-z14.ctr
+--- /dev/null
++++ b/cpumf/data/cpum-cf-cfvn-1.ctr
+@@ -0,0 +1,48 @@
++Counter:   0	Name:CPU_CYCLES
++Description:
++Cycle Count
++.
++Counter:   1	Name:INSTRUCTIONS
++Description:
++Instruction Count
++.
++Counter:   2	Name:L1I_DIR_WRITES
++Description:
++Level-1 I-Cache Directory Write Count
++.
++Counter:   3	Name:L1I_PENALTY_CYCLES
++Description:
++Level-1 I-Cache Penalty Cycle Count
++.
++Counter:   4	Name:L1D_DIR_WRITES
++Description:
++Level-1 D-Cache Directory Write Count
++.
++Counter:   5	Name:L1D_PENALTY_CYCLES
++Description:
++Level-1 D-Cache Penalty Cycle Count
++.
++Counter:  32	Name:PROBLEM_STATE_CPU_CYCLES
++Description:
++Problem-State Cycle Count
++.
++Counter:  33	Name:PROBLEM_STATE_INSTRUCTIONS
++Description:
++Problem-State Instruction Count
++.
++Counter:  34	Name:PROBLEM_STATE_L1I_DIR_WRITES
++Description:
++Problem-State Level-1 I-Cache Directory Write Count
++.
++Counter:  35	Name:PROBLEM_STATE_L1I_PENALTY_CYCLES
++Description:
++Problem-State Level-1 I-Cache Penalty Cycle Count
++.
++Counter:  36	Name:PROBLEM_STATE_L1D_DIR_WRITES
++Description:
++Problem-State Level-1 D-Cache Directory Write Count
++.
++Counter:  37	Name:PROBLEM_STATE_L1D_PENALTY_CYCLES
++Description:
++Problem-State Level-1 D-Cache Penalty Cycle Count
++.
+--- /dev/null
++++ b/cpumf/data/cpum-cf-cfvn-3.ctr
+@@ -0,0 +1,32 @@
++Counter:   0	Name:CPU_CYCLES
++Description:
++Cycle Count
++.
++Counter:   1	Name:INSTRUCTIONS
++Description:
++Instruction Count
++.
++Counter:   2	Name:L1I_DIR_WRITES
++Description:
++Level-1 I-Cache Directory Write Count
++.
++Counter:   3	Name:L1I_PENALTY_CYCLES
++Description:
++Level-1 I-Cache Penalty Cycle Count
++.
++Counter:   4	Name:L1D_DIR_WRITES
++Description:
++Level-1 D-Cache Directory Write Count
++.
++Counter:   5	Name:L1D_PENALTY_CYCLES
++Description:
++Level-1 D-Cache Penalty Cycle Count
++.
++Counter:  32	Name:PROBLEM_STATE_CPU_CYCLES
++Description:
++Problem-State Cycle Count
++.
++Counter:  33	Name:PROBLEM_STATE_INSTRUCTIONS
++Description:
++Problem-State Instruction Count
++.
+--- /dev/null
++++ b/cpumf/data/cpum-cf-csvn-generic.ctr
+@@ -0,0 +1,84 @@
++Counter:  64	Name:PRNG_FUNCTIONS
++Description:
++Total number of the PRNG functions issued by the CPU
++.
++Counter:  65	Name:PRNG_CYCLES
++Description:
++Total number of CPU cycles when the DEA/AES coprocessor is busy
++performing PRNG functions issued by the CPU
++.
++Counter:  66	Name:PRNG_BLOCKED_FUNCTIONS
++Description:
++Total number of the PRNG functions that are issued by the CPU and are
++blocked because the DEA/AES coprocessor is busy performing a function
++issued by another CPU
++.
++Counter:  67	Name:PRNG_BLOCKED_CYCLES
++Description:
++Total number of CPU cycles blocked for the PRNG functions issued by
++the CPU because the DEA/AES coprocessor is busy performing a function
++issued by another CPU
++.
++Counter:  68	Name:SHA_FUNCTIONS
++Description:
++Total number of SHA functions issued by the CPU
++.
++Counter:  69	Name:SHA_CYCLES
++Description:
++Total number of CPU cycles when the SHA coprocessor is busy performing
++the SHA functions issued by the CPU
++.
++Counter:  70	Name:SHA_BLOCKED_FUNCTIONS
++Description:
++Total number of the SHA functions that are issued by the CPU and are
++blocked because the SHA coprocessor is busy performing a function issued
++by another CPU
++.
++Counter:  71	Name:SHA_BLOCKED_CYCLES
++Description:
++Total number of CPU cycles blocked for the SHA functions issued by the
++CPU because the SHA coprocessor is busy performing a function issued
++by another CPU
++.
++Counter:  72	Name:DEA_FUNCTIONS
++Description:
++Total number of the DEA functions issued by the CPU
++.
++Counter:  73	Name:DEA_CYCLES
++Description:
++Total number of CPU cycles when the DEA/AES coprocessor is busy
++performing the DEA functions issued by the CPU
++.
++Counter:  74	Name:DEA_BLOCKED_FUNCTIONS
++Description:
++Total number of the DEA functions that are issued by the CPU and are
++blocked because the DEA/AES coprocessor is busy performing a function
++issued by another CPU
++.
++Counter:  75	Name:DEA_BLOCKED_CYCLES
++Description:
++Total number of CPU cycles blocked for the DEA functions issued by the
++CPU because the DEA/AES coprocessor is busy performing a function issued
++by another CPU
++.
++Counter:  76	Name:AES_FUNCTIONS
++Description:
++Total number of AES functions issued by the CPU
++.
++Counter:  77	Name:AES_CYCLES
++Description:
++Total number of CPU cycles when the DEA/AES coprocessor is busy
++performing the AES functions issued by the CPU
++.
++Counter:  78	Name:AES_BLOCKED_FUNCTIONS
++Description:
++Total number of AES functions that are issued by the CPU and are blocked
++because the DEA/AES coprocessor is busy performing a function issued
++by another CPU
++.
++Counter:  79	Name:AES_BLOCKED_CYCLES
++Description:
++Total number of CPU cycles blocked for the AES functions issued by the
++CPU because the DEA/AES coprocessor is busy performing a function issued
++by another CPU
++.
+--- a/cpumf/data/cpum-cf-generic.ctr
++++ /dev/null
+@@ -1,132 +0,0 @@
+-Counter:   0	Name:CPU_CYCLES
+-Description:
+-Cycle Count
+-.
+-Counter:   1	Name:INSTRUCTIONS
+-Description:
+-Instruction Count
+-.
+-Counter:   2	Name:L1I_DIR_WRITES
+-Description:
+-Level-1 I-Cache Directory Write Count
+-.
+-Counter:   3	Name:L1I_PENALTY_CYCLES
+-Description:
+-Level-1 I-Cache Penalty Cycle Count
+-.
+-Counter:   4	Name:L1D_DIR_WRITES
+-Description:
+-Level-1 D-Cache Directory Write Count
+-.
+-Counter:   5	Name:L1D_PENALTY_CYCLES
+-Description:
+-Level-1 D-Cache Penalty Cycle Count
+-.
+-Counter:  32	Name:PROBLEM_STATE_CPU_CYCLES
+-Description:
+-Problem-State Cycle Count
+-.
+-Counter:  33	Name:PROBLEM_STATE_INSTRUCTIONS
+-Description:
+-Problem-State Instruction Count
+-.
+-Counter:  34	Name:PROBLEM_STATE_L1I_DIR_WRITES
+-Description:
+-Problem-State Level-1 I-Cache Directory Write Count
+-.
+-Counter:  35	Name:PROBLEM_STATE_L1I_PENALTY_CYCLES
+-Description:
+-Problem-State Level-1 I-Cache Penalty Cycle Count
+-.
+-Counter:  36	Name:PROBLEM_STATE_L1D_DIR_WRITES
+-Description:
+-Problem-State Level-1 D-Cache Directory Write Count
+-.
+-Counter:  37	Name:PROBLEM_STATE_L1D_PENALTY_CYCLES
+-Description:
+-Problem-State Level-1 D-Cache Penalty Cycle Count
+-.
+-Counter:  64	Name:PRNG_FUNCTIONS
+-Description:
+-Total number of the PRNG functions issued by the CPU
+-.
+-Counter:  65	Name:PRNG_CYCLES
+-Description:
+-Total number of CPU cycles when the DEA/AES coprocessor is busy
+-performing PRNG functions issued by the CPU
+-.
+-Counter:  66	Name:PRNG_BLOCKED_FUNCTIONS
+-Description:
+-Total number of the PRNG functions that are issued by the CPU and are
+-blocked because the DEA/AES coprocessor is busy performing a function
+-issued by another CPU
+-.
+-Counter:  67	Name:PRNG_BLOCKED_CYCLES
+-Description:
+-Total number of CPU cycles blocked for the PRNG functions issued by
+-the CPU because the DEA/AES coprocessor is busy performing a function
+-issued by another CPU
+-.
+-Counter:  68	Name:SHA_FUNCTIONS
+-Description:
+-Total number of SHA functions issued by the CPU
+-.
+-Counter:  69	Name:SHA_CYCLES
+-Description:
+-Total number of CPU cycles when the SHA coprocessor is busy performing
+-the SHA functions issued by the CPU
+-.
+-Counter:  70	Name:SHA_BLOCKED_FUNCTIONS
+-Description:
+-Total number of the SHA functions that are issued by the CPU and are
+-blocked because the SHA coprocessor is busy performing a function issued
+-by another CPU
+-.
+-Counter:  71	Name:SHA_BLOCKED_CYCLES
+-Description:
+-Total number of CPU cycles blocked for the SHA functions issued by the
+-CPU because the SHA coprocessor is busy performing a function issued
+-by another CPU
+-.
+-Counter:  72	Name:DEA_FUNCTIONS
+-Description:
+-Total number of the DEA functions issued by the CPU
+-.
+-Counter:  73	Name:DEA_CYCLES
+-Description:
+-Total number of CPU cycles when the DEA/AES coprocessor is busy
+-performing the DEA functions issued by the CPU
+-.
+-Counter:  74	Name:DEA_BLOCKED_FUNCTIONS
+-Description:
+-Total number of the DEA functions that are issued by the CPU and are
+-blocked because the DEA/AES coprocessor is busy performing a function
+-issued by another CPU
+-.
+-Counter:  75	Name:DEA_BLOCKED_CYCLES
+-Description:
+-Total number of CPU cycles blocked for the DEA functions issued by the
+-CPU because the DEA/AES coprocessor is busy performing a function issued
+-by another CPU
+-.
+-Counter:  76	Name:AES_FUNCTIONS
+-Description:
+-Total number of AES functions issued by the CPU
+-.
+-Counter:  77	Name:AES_CYCLES
+-Description:
+-Total number of CPU cycles when the DEA/AES coprocessor is busy
+-performing the AES functions issued by the CPU
+-.
+-Counter:  78	Name:AES_BLOCKED_FUNCTIONS
+-Description:
+-Total number of AES functions that are issued by the CPU and are blocked
+-because the DEA/AES coprocessor is busy performing a function issued
+-by another CPU
+-.
+-Counter:  79	Name:AES_BLOCKED_CYCLES
+-Description:
+-Total number of CPU cycles blocked for the AES functions issued by the
+-CPU because the DEA/AES coprocessor is busy performing a function issued
+-by another CPU
+-.
+--- a/cpumf/data/cpum-cf-hw-counter.map
++++ b/cpumf/data/cpum-cf-hw-counter.map
+@@ -1,11 +1,22 @@
+ # CPU-measurement facilities
+ #
+-# Mapping of IBM System z hardware types to extended counter set defintions
++# Mapping of:
++#   1. CPU-MF counter first/second version numbers to "generic" counter
++#      definitions
++#   2. IBM z Systems hardware to respective extended counter set definitions
+ #
+ #
+ {
+ 	# Definition	   # File name
+-	   0		=> 'cpum-cf-generic.ctr',
++
++	# CFVN
++	'cfvn-1'      	=> 'cpum-cf-cfvn-1.ctr',
++	'cfvn-3'	=> 'cpum-cf-cfvn-3.ctr',
++
++	# CSVN
++	'csvn-generic'	=> 'cpum-cf-csvn-generic.ctr',
++
++	# Extended counters
+ 	2097		=> 'cpum-cf-extended-z10.ctr',
+ 	2098		=> 'cpum-cf-extended-z10.ctr',
+ 	2817		=> 'cpum-cf-extended-z196.ctr',

s390-tools-sles15sp1-02-lszcrypt-fix-date-and-wrong-indentation.patch

@@ -0,0 +1,56 @@
+Subject: lszcrypt: fix date and wrong indentation
+From: Harald Freudenberger <freude@linux.vnet.ibm.com>
+
+Summary:     s390-tools: Exploitation Support for CEX6S
+Description: Exploitation Support for CEX6S
+Upstream-ID: 4ad5e29f2f02e02c772ca4707b9f10253b1e5692
+Problem-ID:  SEC1519
+
+Upstream-Description:
+
+             lszcrypt: fix date and wrong indentation
+
+             The man page date was AUG 2008. Changed to OCT 2017.
+             A previous commit had a wrong indentation on following
+             options text for lszcrypt. Fixed.
+
+             Signed-off-by: Harald Freudenberger <freude@linux.vnet.ibm.com>
+             Signed-off-by: Stefan Haberland <sth@linux.vnet.ibm.com>
+
+
+Signed-off-by: Harald Freudenberger <freude@linux.vnet.ibm.com>
+---
+ zconf/zcrypt/chzcrypt.8 |    2 +-
+ zconf/zcrypt/lszcrypt.8 |    3 ++-
+ 2 files changed, 3 insertions(+), 2 deletions(-)
+
+--- a/zconf/zcrypt/chzcrypt.8
++++ b/zconf/zcrypt/chzcrypt.8
+@@ -2,7 +2,7 @@
+ .\" s390-tools is free software; you can redistribute it and/or modify
+ .\" it under the terms of the MIT license. See LICENSE for details.
+ .\"
+-.TH CHZCRYPT 8 "AUG 2008" "s390-tools"
++.TH CHZCRYPT 8 "OCT 2017" "s390-tools"
+ .SH NAME
+ chzcrypt \- modify zcrypt configuration
+ .SH SYNOPSIS
+--- a/zconf/zcrypt/lszcrypt.8
++++ b/zconf/zcrypt/lszcrypt.8
+@@ -10,7 +10,7 @@
+ .\"   nroff -man lszcrypt.8
+ .\" to process this source
+ .\"
+-.TH LSZCRYPT 8 "AUG 2008" "s390-tools"
++.TH LSZCRYPT 8 "OCT 2017" "s390-tools"
+ .SH NAME
+ lszcrypt \- display zcrypt device and configuration information
+ .SH SYNOPSIS
+@@ -91,6 +91,7 @@ The CCA Secure Key capability may be lim
+ layer. The remarks 'full function set' or 'restricted function set' may
+ reflect this. For details about these limitations please check the
+ hypervisor documentation.
++.RE
+ .TP 8
+ .B -d, --domains
+ Shows the usage and control domains of the cryptographic devices.

s390-tools-sles15sp1-02-util_path-Add-description-for-util_path_exists.patch

@@ -0,0 +1,43 @@
+Subject: util_path: Add description for util_path_exists()
+From: Jan Hoeppner <jan.hoeppner@de.ibm.com>
+
+Summary:     zpcictl: Add tool to manage PCI devices
+Description: Use the zpcictl tool to manage PCI devices on the IBM Z
+             platform.  Initial functions include generating firmware
+             error logs, resetting PCI devices, and preparing a device
+             for further repair actions.
+Upstream-ID: d0e2caf0ffb195568bba89a95549a5a4f026a4e6
+Problem-ID:  RAS1703
+
+Upstream-Description:
+
+             util_path: Add description for util_path_exists()
+
+             Signed-off-by: Michael Holzheu <holzheu@linux.vnet.ibm.com>
+
+
+Signed-off-by: Jan Hoeppner <jan.hoeppner@de.ibm.com>
+---
+ libutil/util_path.c |   11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/libutil/util_path.c
++++ b/libutil/util_path.c
+@@ -195,6 +195,17 @@ free_str:
+ 	return rc;
+ }
+ 
++/**
++ * Test if path to directory or file exists
++ *
++ * This function has the same semantics as "-e path" in bash.
++ *
++ * @param[in] fmt   Format string for path to test
++ * @param[in] ...   Variable arguments for format string
++ *
++ * @returns   true  Path exists
++ *            false Otherwise
++ */
+ bool util_path_exists(const char *fmt, ...)
+ {
+ 	va_list ap;

s390-tools-sles15sp1-03-cpumf-cpumf_helper-read-split-counter-sets-part-2-2.patch

@@ -0,0 +1,107 @@
+Subject: cpumf/cpumf_helper: read split counter sets (part 2/2)
+From: Hendrik Brueckner <brueckner@linux.ibm.com>
+
+Summary:     cpumf: Add CPU-MF hardware counters for z14
+Description: Add hardware counter definitions for IBM z14.
+Upstream-ID: 1064e5b9cc3bdeb5731c2e152ce146dfdad27e6f
+Problem-ID:  KRN1608
+
+Upstream-Description:
+
+             cpumf/cpumf_helper: read split counter sets (part 2/2)
+
+             Update the cpumf helper program to read the split counter set
+             definition files.  Changes to higher-level program like lscpumf
+             are not necessary.
+
+             Signed-off-by: Hendrik Brueckner <brueckner@linux.vnet.ibm.com>
+             Signed-off-by: Stefan Haberland <sth@linux.vnet.ibm.com>
+
+
+Signed-off-by: Hendrik Brueckner <brueckner@linux.ibm.com>
+---
+ cpumf/bin/cpumf_helper.in |   50 ++++++++++++++++++++++++++++++++++++++--------
+ 1 file changed, 42 insertions(+), 8 deletions(-)
+
+--- a/cpumf/bin/cpumf_helper.in
++++ b/cpumf/bin/cpumf_helper.in
+@@ -229,6 +229,28 @@ sub get_hardware_type()
+ 	return $type;
+ }
+ 
++sub get_cpum_cf_version()
++{
++	my $SL;
++
++	my $v = {
++		cfvn  => 0,
++		csvn  => 0,
++	};
++
++	return $v unless open($SL, '<', $SERVICE_LEVELS);
++	while (my $line = <$SL>) {
++		# CPU-MF: Counter facility: version=3.5
++		if ($line =~ m/^CPU-MF: Counter facility: version=(\d+)\.(\d+)/) {
++			$v->{cfvn} = $1;  # Counter First Version Number
++			$v->{csvn} = $2;  # Counter Second Version Number
++			last;
++		}
++	}
++	close($SL);
++	return $v
++}
++
+ sub cpumf_load_ctrdef($;$)
+ {
+ 	my $hw_type = shift();
+@@ -237,10 +259,20 @@ sub cpumf_load_ctrdef($;$)
+ 	my $ctrmap = cpumf_hardware_counter_map();
+ 	return unless $ctrmap;
+ 
++	# Obtain CPU-MF counter facility versions
++	my $version = get_cpum_cf_version();
++
++	# List of "generic" counter sets
++	my @def = ();
++	push @def, "cfvn-" . $version->{cfvn};
++	push @def, "csvn-generic";
++
+ 	my $h = {};
+-	# Load generic counter sets
+-	cpumf_parse_ctrdef($ctrmap->{0}, $h) or
+-		croak "Failed to read generic counter definition: $!\n";
++	# Load counter set definition
++	foreach my $ent (@def) {
++		cpumf_parse_ctrdef($ctrmap->{$ent}, $h) or
++			croak "Failed to read counter definition for $ent: $!\n";
++	}
+ 	# Load hardware model specific counter set(s)
+ 	if ($hw_type && $ctrmap->{$hw_type}) {
+ 		# Hardware-model specific counter sets are:
+@@ -323,7 +355,7 @@ sub cpumf_helper_main()
+ 	GetOptions(
+ 		"i|info"	=> \$conf->{opt_info},
+ 		"c|counter=i"	=> \$conf->{opt_ctr},
+-		"ctr-def=i"	=> \$conf->{opt_ctrdef},
++		"ctr-def=s"	=> \$conf->{opt_ctrdef},
+ 		"hardware-type"	=> \$conf->{opt_hwtype},
+ 		"ctr-set-names"	=> \$conf->{opt_ctrset_names},
+ 		"ctr-set-ids"	=> \$conf->{opt_ctrset_ids},
+@@ -428,11 +460,13 @@ B<--ctr-def> option and specify the Syst
+ 
+ Displays the System z hardware type.
+ 
+-=item B<--ctr-def> I<hardware_type>
++=item B<--ctr-def> I<ctr-definition>
+ 
+-Displays detailed information about a particular counter set for the specified
+-System z hardware type, I<hardware_type>.  If you specify zero for
+-I<hardware_type>, type-independent counter sets are displayed.
++Displays detailed information about the specified counter definition.
++Valid counter definitions start with C<cfvn-> or <csvn-> followed by
++the counter first/second version number of the CPU-Measurement Counter
++Facility.  To display counter information of model-specific counter
++sets, specify the System z hardware type for I<ctr-definition>.
+ 
+ =item B<--ctr-set-names>
+ 

s390-tools-sles15sp1-03-util_path-Make-true-false-handling-consistent-with-o.patch

@@ -0,0 +1,34 @@
+Subject: util_path: Make true/false handling consistent with other functions
+From: Jan Hoeppner <jan.hoeppner@de.ibm.com>
+
+Summary:     zpcictl: Add tool to manage PCI devices
+Description: Use the zpcictl tool to manage PCI devices on the IBM Z
+             platform.  Initial functions include generating firmware
+             error logs, resetting PCI devices, and preparing a device
+             for further repair actions.
+Upstream-ID: 2b92bc4c087fd7a2275ba8fd5608cf3c86cdcc98
+Problem-ID:  RAS1703
+
+Upstream-Description:
+
+             util_path: Make true/false handling consistent with other functions
+
+             Signed-off-by: Michael Holzheu <holzheu@linux.vnet.ibm.com>
+
+
+Signed-off-by: Jan Hoeppner <jan.hoeppner@de.ibm.com>
+---
+ libutil/util_path.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/libutil/util_path.c
++++ b/libutil/util_path.c
+@@ -213,7 +213,7 @@ bool util_path_exists(const char *fmt, .
+ 	bool rc;
+ 
+ 	UTIL_VASPRINTF(&path, fmt, ap);
+-	rc = access(path, F_OK) == 0;
++	rc = access(path, F_OK) == 0 ? true : false;
+ 	free(path);
+ 	return rc;
+ }

s390-tools-sles15sp1-04-cpumf-correct-z14-counter-number.patch

@@ -0,0 +1,32 @@
+Subject: cpumf: correct z14 counter number
+From: Hendrik Brueckner <brueckner@linux.ibm.com>
+
+Summary:     cpumf: Add CPU-MF hardware counters for z14
+Description: Add hardware counter definitions for IBM z14.
+Upstream-ID: 144bddbf5bce749549a289acbeb49337edaaea45
+Problem-ID:  KRN1608
+
+Upstream-Description:
+
+             cpumf: correct z14 counter number
+
+             Signed-off-by: Hendrik Brueckner <brueckner@linux.vnet.ibm.com>
+             Signed-off-by: Stefan Haberland <sth@linux.vnet.ibm.com>
+
+
+Signed-off-by: Hendrik Brueckner <brueckner@linux.ibm.com>
+---
+ cpumf/data/cpum-cf-extended-z14.ctr |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/cpumf/data/cpum-cf-extended-z14.ctr
++++ b/cpumf/data/cpum-cf-extended-z14.ctr
+@@ -269,7 +269,7 @@ Description:
+ Decimal instructions dispatched. Instructions: CVB, CVD, AP, CP, DP, ED,
+ EDMK, MP, SRP, SP, ZAP
+ .
+-Counter:233	Name:LAST_HOST_TRANSLATIONS
++Counter:232	Name:LAST_HOST_TRANSLATIONS
+ Description:
+ Last Host Translation done
+ .

s390-tools-sles15sp1-04-zpcictl-Introduce-new-tool-zpcictl.patch

@@ -0,0 +1,603 @@
+Subject: zpcictl: Introduce new tool zpcictl
+From: Jan Hoeppner <jan.hoeppner@de.ibm.com>
+
+Summary:     zpcictl: Add tool to manage PCI devices
+Description: Use the zpcictl tool to manage PCI devices on the IBM Z
+             platform.  Initial functions include generating firmware
+             error logs, resetting PCI devices, and preparing a device
+             for further repair actions.
+Upstream-ID: 177cf8cfeb83f85bc164c462b5534f93be3bd979
+Problem-ID:  RAS1703
+
+Upstream-Description:
+
+             zpcictl: Introduce new tool zpcictl
+
+             zpcictl is used to manage PCI devices on z Systems. In this first
+             version it is mainly used to handle erroneous PCI devices by changing
+             their state and make those changes known to the SE. Log data, such as
+             S.M.A.R.T. data for NVMe devices, is sent alongside those state changes.
+
+             The state change is issued by sending data via the PCI 'report_error'
+             sysfs attribute. It's a binary attribute which will cause the host to
+             send an Adapter Notification Event.
+
+             Signed-off-by: Jan Höppner <hoeppner@linux.ibm.com>
+
+
+Signed-off-by: Jan Hoeppner <jan.hoeppner@de.ibm.com>
+---
+ .gitignore        |    1 
+ Makefile          |    2 
+ zpcictl/Makefile  |   18 ++
+ zpcictl/zpcictl.8 |   80 +++++++++++
+ zpcictl/zpcictl.c |  378 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ zpcictl/zpcictl.h |   60 ++++++++
+ 6 files changed, 538 insertions(+), 1 deletion(-)
+
+--- a/.gitignore
++++ b/.gitignore
+@@ -87,3 +87,4 @@ zipl/boot/data.h
+ zipl/src/chreipl_helper.device-mapper
+ zipl/src/zipl
+ zkey/zkey
++zpcictl/zpcictl
+--- a/Makefile
++++ b/Makefile
+@@ -8,7 +8,7 @@ TOOL_DIRS = zipl zdump fdasd dasdfmt das
+ 	   tape390 osasnmpd qetharp ip_watcher qethconf scripts zconf \
+ 	   vmconvert vmcp man mon_tools dasdinfo vmur cpuplugd ipl_tools \
+ 	   ziomon iucvterm hyptop cmsfs-fuse qethqoat zfcpdump zdsfs cpumf \
+-	   systemd hmcdrvfs cpacfstats zdev dump2tar zkey netboot
++	   systemd hmcdrvfs cpacfstats zdev dump2tar zkey netboot zpcictl
+ SUB_DIRS = $(LIB_DIRS) $(TOOL_DIRS)
+ 
+ all: $(TOOL_DIRS)
+--- /dev/null
++++ b/zpcictl/Makefile
+@@ -0,0 +1,18 @@
++include ../common.mak
++
++all: zpcictl
++
++libs =	$(rootdir)/libutil/libutil.a
++
++zpcictl: zpcictl.o $(libs)
++
++install: all
++	$(INSTALL) -d -m 755 $(DESTDIR)$(BINDIR) $(DESTDIR)$(MANDIR)/man8
++	$(INSTALL) -g $(GROUP) -o $(OWNER) -m 755 zpcictl $(DESTDIR)$(BINDIR)
++	$(INSTALL) -g $(GROUP) -o $(OWNER) -m 644 zpcictl.8 \
++		$(DESTDIR)$(MANDIR)/man8
++
++clean:
++	rm -f *.o *~ zpcictl core
++
++.PHONY: all install clean
+--- /dev/null
++++ b/zpcictl/zpcictl.8
+@@ -0,0 +1,80 @@
++.\" Copyright 2017 IBM Corp.
++.\" s390-tools is free software; you can redistribute it and/or modify
++.\" it under the terms of the MIT license. See LICENSE for details.
++.\"
++.\" Macro for inserting an option description prologue.
++.\" .OD <long> [<short>] [args]
++.de OD
++.  ds args "
++.  if !'\\$3'' .as args \fI\\$3\fP
++.  if !'\\$4'' .as args \\$4
++.  if !'\\$5'' .as args \fI\\$5\fP
++.  if !'\\$6'' .as args \\$6
++.  if !'\\$7'' .as args \fI\\$7\fP
++.  PD 0
++.  if !'\\$2'' .IP "\fB\-\\$2\fP \\*[args]" 4
++.  if !'\\$1'' .IP "\fB\-\-\\$1\fP \\*[args]" 4
++.  PD
++..
++.
++.TH zpcictl 8 "Oct 2018" s390-tools zpcictl
++.
++.SH NAME
++zpcictl - Manage PCI devices on z Systems
++.
++.
++.SH SYNOPSIS
++.B "zpcictl"
++.I "OPTIONS"
++.I "DEVICE"
++.
++.
++.SH DESCRIPTION
++.B zpcictl
++is a tool for managing PCI devices on the IBM z Systems platform. It is
++especially used for reporting errorneous PCI devices to the service element.
++
++.B Note:
++For NVMe devices additional data (such as S.M.A.R.T. data) is collected and sent
++with any error handling action. The smartmontools are required to be installed
++for this to work.
++.PP
++.
++.
++.SH DEVICE
++.B DEVICE
++can be either the PCI slot address (e.g. 0000:00:00.0) or the main device node
++of an NVMe device (e.g. /dev/nvme0).
++.
++.
++.SH OPTIONS
++.SS Error Handling
++.OD reset "" "DEVICE"
++Reset
++.I DEVICE
++and initiate a re-initialisation of the adapter.
++.PP
++.
++.OD deconfigure "" "DEVICE"
++De-configure
++.I DEVICE
++and prepare for any repair action. This action will move the
++PCI device from a configured to a reserved state.
++.PP
++.
++.OD report-error "" "DEVICE"
++Report any device error for
++.IR DEVICE .
++The
++.I DEVICE
++is marked as erroneous and no further action is initiated on it.
++.PP
++.
++.SS Misc
++.OD help "h" ""
++Print usage information, then exit.
++.PP
++.
++.OD version "v" ""
++Print version information, then exit.
++.PP
+--- /dev/null
++++ b/zpcictl/zpcictl.c
+@@ -0,0 +1,378 @@
++/*
++ * zpcictl - Manage PCI devices on z Systems
++ *
++ * Copyright IBM Corp. 2018
++ *
++ * s390-tools is free software; you can redistribute it and/or modify
++ * it under the terms of the MIT license. See LICENSE for details.
++ */
++
++#include <errno.h>
++#include <fcntl.h>
++#include <sys/stat.h>
++#include <time.h>
++
++#include "lib/util_base.h"
++#include "lib/util_libc.h"
++#include "lib/util_opt.h"
++#include "lib/util_path.h"
++#include "lib/util_prg.h"
++#include "lib/util_proc.h"
++#include "lib/util_rec.h"
++#include "lib/util_scandir.h"
++
++#include "zpcictl.h"
++
++#define SMARTCTL_CMDLINE "smartctl -x %s 2>/dev/null"
++
++static const struct util_prg prg = {
++	.desc = "Use zpcictl to manage PCI devices on s390\n"
++		"DEVICE is the slot id or node of the device (e.g. /dev/nvme0)",
++	.args = "DEVICE",
++	.copyright_vec = {
++		{
++			.owner = "IBM Corp.",
++			.pub_first = 2018,
++			.pub_last = 2018,
++		},
++		UTIL_PRG_COPYRIGHT_END
++	}
++};
++
++/* Defines for options with no short command */
++#define OPT_RESET	128
++#define OPT_DECONF	129
++#define OPT_REPORT_ERR	130
++
++static struct util_opt opt_vec[] = {
++	UTIL_OPT_SECTION("ERROR HANDLING"),
++	{
++		.option = { "reset", no_argument, NULL, OPT_RESET },
++		.desc = "Reset device",
++		.flags = UTIL_OPT_FLAG_NOSHORT,
++	},
++	{
++		.option = { "deconfigure", no_argument, NULL, OPT_DECONF },
++		.desc = "De-configure device and prepare for any repair action",
++		.flags = UTIL_OPT_FLAG_NOSHORT,
++	},
++	{
++		.option = { "report-error", no_argument, NULL, OPT_REPORT_ERR },
++		.desc = "Report device error to service element (SE)",
++		.flags = UTIL_OPT_FLAG_NOSHORT,
++	},
++	UTIL_OPT_SECTION("MISC"),
++	UTIL_OPT_HELP,
++	UTIL_OPT_VERSION,
++	UTIL_OPT_END
++};
++
++static int is_char_dev(const char *dev)
++{
++	struct stat s;
++
++	if (stat(dev, &s))
++		return 0;
++
++	return S_ISCHR(s.st_mode);
++}
++
++static int is_blk_dev(const char *dev)
++{
++	struct stat s;
++
++	if (stat(dev, &s))
++		return 0;
++
++	return S_ISBLK(s.st_mode);
++}
++
++static void fopen_err(char *path)
++{
++	warnx("Could not open file %s: %s", path, strerror(errno));
++	free(path);
++	exit(EXIT_FAILURE);
++}
++
++#define READ_CHUNK_SIZE		512
++
++static char *collect_smart_data(struct zpci_device *pdev)
++{
++	char *buffer = NULL;
++	size_t count = 0;
++	char *cmd;
++	FILE *fd;
++
++	util_asprintf(&cmd, SMARTCTL_CMDLINE, pdev->device);
++	fd = popen(cmd, "r");
++	if (!fd)
++		goto out;
++
++	while (!feof(fd)) {
++		buffer = realloc(buffer, count + READ_CHUNK_SIZE);
++		if (!buffer) {
++			warnx("Could not collect S.M.A.R.T. data");
++			goto out;
++		}
++		count += fread(&buffer[count], 1, READ_CHUNK_SIZE, fd);
++		if (ferror(fd)) {
++			free(buffer);
++			buffer = NULL;
++			goto out;
++		}
++	}
++
++	buffer = realloc(buffer, count);
++	if (!buffer && count > 0)
++		warnx("Could not collect S.M.A.R.T. data");
++	if (buffer)
++		buffer[count] = '\0';
++
++out:
++	pclose(fd);
++	free(cmd);
++
++	return buffer;
++}
++
++static unsigned int sysfs_read_value(struct zpci_device *pdev, const char *attr)
++{
++	unsigned int val;
++	char *path;
++	FILE *fp;
++
++	path = util_path_sysfs("bus/pci/devices/%s/%s", pdev->slot, attr);
++	fp = fopen(path, "r");
++	if (!fp)
++		fopen_err(path);
++	fscanf(fp, "%x", &val);
++	fclose(fp);
++	free(path);
++
++	return val;
++}
++
++static void sysfs_write_data(struct zpci_report_error *report, char *slot)
++{
++	char *path;
++	int fd, rc;
++
++	path = util_path_sysfs("bus/pci/devices/%s/report_error", slot);
++	fd = open(path, O_WRONLY);
++	if (!fd)
++		fopen_err(path);
++	rc = write(fd, report, sizeof(*report));
++	if (rc == -1)
++		warnx("Could not write to file: %s: %s", path, strerror(errno));
++	if (close(fd))
++		warnx("Could not close file: %s: %s", path, strerror(errno));
++	free(path);
++}
++
++static void sysfs_get_slot_addr(const char *dev, char *slot)
++{
++	unsigned int major, minor;
++	struct stat dev_stat;
++	char addr[13];
++	char *path;
++	FILE *fp;
++
++	if (stat(dev, &dev_stat) != 0) {
++		errx(EXIT_FAILURE, "Could not get stat information for %s: %s",
++		     dev, strerror(errno));
++	}
++	major = major(dev_stat.st_rdev);
++	minor = minor(dev_stat.st_rdev);
++
++	path = util_path_sysfs("dev/char/%u:%u/address", major, minor);
++	fp = fopen(path, "r");
++	if (!fp)
++		fopen_err(path);
++	fscanf(fp, "%s", addr);
++	fclose(fp);
++	free(path);
++
++	strcpy(slot, addr);
++}
++
++static void get_device_node(struct zpci_device *pdev)
++{
++	struct dirent **de_vec;
++	char *path, *dev;
++	char slot[13];
++	int count, i;
++
++	path = util_path_sysfs("bus/pci/devices/%s/nvme", pdev->slot);
++	count = util_scandir(&de_vec, alphasort, path, "nvme*");
++	if (count == -1) {
++		warnx("Could not read directory %s: %s", path, strerror(errno));
++		free(path);
++		exit(EXIT_FAILURE);
++	}
++
++	for (i = 0; i < count; i++) {
++		util_asprintf(&dev, "/dev/%s", de_vec[i]->d_name);
++		sysfs_get_slot_addr(dev, slot);
++		if (strcmp(slot, pdev->slot) == 0) {
++			pdev->device = dev;
++			break;
++		}
++	}
++
++	util_scandir_free(de_vec, count);
++	free(path);
++}
++
++static int device_exists(char *dev)
++{
++	char *path;
++	int rc = 0;
++
++	path = util_path_sysfs("bus/pci/devices/%s", dev);
++	if (util_path_exists(path) || util_path_exists(dev))
++		rc = 1;
++	free(path);
++
++	return rc;
++}
++
++static void get_device_info(struct zpci_device *pdev, char *dev)
++{
++	if (!device_exists(dev))
++		errx(EXIT_FAILURE, "Device %s not found", dev);
++	if (is_blk_dev(dev))
++		errx(EXIT_FAILURE, "Unsupported device type %s", dev);
++	if (is_char_dev(dev)) {
++		sysfs_get_slot_addr(dev, pdev->slot);
++		pdev->device = dev;
++	} else {
++		strcpy(pdev->slot, dev);
++	}
++
++	pdev->class = sysfs_read_value(pdev, "class");
++	pdev->fid = sysfs_read_value(pdev, "function_id");
++	pdev->pchid = sysfs_read_value(pdev, "pchid");
++
++	/* In case a slot address was specified, we still need to figure out
++	 * the device node for NVMe devices. Otherwise we won't be able to
++	 * collect S.M.A.R.T. data at a later point.
++	 */
++	if (!pdev->device && pdev->class == PCI_CLASS_NVME)
++		get_device_node(pdev);
++}
++
++/*
++ * Issue an SCLP Adapter Error Notification event with a specific action
++ * qualifier.
++ *
++ * Collect additional information when possible (e.g. S.M.A.R.T. data for NVMe
++ * devices).
++ */
++static void sclp_issue_action(struct zpci_device *pdev, int action)
++{
++	struct zpci_report_error report = {
++		.header = { 0 },
++		.data = { 0 }
++	};
++	char *sdata = NULL;
++
++	report.header.version = 1;
++	report.header.action = action;
++	report.header.length = sizeof(report.data);
++	report.data.timestamp = (__u64)time(NULL);
++	report.data.err_log_id = 0x4713;
++
++	if (pdev->class == PCI_CLASS_NVME)
++		sdata = collect_smart_data(pdev);
++	if (sdata) {
++		strncpy(report.data.log_data, sdata, sizeof(report.data.log_data));
++		free(sdata);
++	}
++	sysfs_write_data(&report, pdev->slot);
++}
++
++/*
++ * Reset the PCI device and initiate a re-initialization.
++ */
++static void sclp_reset_device(struct zpci_device *pdev)
++{
++	sclp_issue_action(pdev, SCLP_ERRNOTIFY_AQ_RESET);
++}
++
++/*
++ * De-Configure/repair PCI device. Moves the device from configured
++ * to reserved state.
++ */
++static void sclp_deconfigure(struct zpci_device *pdev)
++{
++	sclp_issue_action(pdev, SCLP_ERRNOTIFY_AQ_DECONF);
++}
++
++/*
++ * Report an error to the SE.
++ */
++static void sclp_report_error(struct zpci_device *pdev)
++{
++	sclp_issue_action(pdev, SCLP_ERRNOTIFY_AQ_REPORT_ERR);
++}
++
++static void parse_cmdline(int argc, char *argv[], struct options *opts)
++{
++	int cmd;
++
++	util_prg_init(&prg);
++	util_opt_init(opt_vec, NULL);
++
++	do {
++		cmd = util_opt_getopt_long(argc, argv);
++
++		switch (cmd) {
++		case OPT_RESET:
++			opts->reset = 1;
++			break;
++		case OPT_DECONF:
++			opts->deconfigure = 1;
++			break;
++		case OPT_REPORT_ERR:
++			opts->report = 1;
++			break;
++		case 'h':
++			util_prg_print_help();
++			util_opt_print_help();
++			exit(EXIT_SUCCESS);
++		case 'v':
++			util_prg_print_version();
++			exit(EXIT_SUCCESS);
++		case -1:
++			/* End of options string */
++			if (argc == 1) {
++				errx(EXIT_FAILURE,
++				     "Use '%s --help' for more information",
++				     argv[0]);
++			}
++			break;
++		}
++	} while (cmd != -1);
++}
++
++int main(int argc, char *argv[])
++{
++	struct zpci_device pdev = { 0 };
++	struct options opts = { 0 };
++
++	parse_cmdline(argc, argv, &opts);
++
++	if (optind >= argc)
++		errx(EXIT_FAILURE, "No device specified");
++
++	get_device_info(&pdev, argv[optind]);
++
++	if (opts.reset)
++		sclp_reset_device(&pdev);
++	else if (opts.deconfigure)
++		sclp_deconfigure(&pdev);
++	else if (opts.report)
++		sclp_report_error(&pdev);
++
++	return 0;
++}
+--- /dev/null
++++ b/zpcictl/zpcictl.h
+@@ -0,0 +1,60 @@
++/*
++ * zpcictl - Manage PCI devices on z Systems
++ *
++ * Copyright IBM Corp. 2018
++ *
++ * s390-tools is free software; you can redistribute it and/or modify
++ * it under the terms of the MIT license. See LICENSE for details.
++ */
++
++#ifndef ZPCICTL_H
++#define ZPCICTL_H
++
++#include <linux/types.h>
++#include "lib/zt_common.h"
++
++#define SCLP_ERRNOTIFY_AQ_RESET			0
++#define SCLP_ERRNOTIFY_AQ_DECONF		1
++#define SCLP_ERRNOTIFY_AQ_REPORT_ERR		2
++
++#define PCI_CLASS_UNCLASSIFIED	0x000000U
++#define PCI_CLASS_NVME		0x010802U
++#define PCI_CLASS_NETWORK	0x020000U
++
++struct options {
++	unsigned int reset;
++	unsigned int deconfigure;
++	unsigned int report;
++};
++
++struct zpci_device {
++	u16 fid;
++	u16 pchid;
++	u32 class;
++	char slot[13];
++	char *device;
++};
++
++struct zpci_report_error_header {
++	__u8 version;	/* Interface version byte */
++	__u8 action;	/* Action qualifier byte
++			 * 0: Adapter Reset Request
++			 * 1: Deconfigure and repair action requested
++			 * 2: Informational Report
++			 */
++	__u16 length;	/* Length of Subsequent Data (up to 4K – SCLP header) */
++	__u8 data[0];	/* Subsequent Data passed verbatim to SCLP ET 24 */
++};
++
++struct zpci_report_error_data {
++	__u64 timestamp;
++	__u64 err_log_id;
++	char log_data[4054]; /* We cannot exceed a total of 4074 bytes (header + data) */
++};
++
++struct zpci_report_error {
++	struct zpci_report_error_header header;
++	struct zpci_report_error_data data;
++} __packed;
++
++#endif /* ZPCICTL_H */

s390-tools-sles15sp1-05-cpumf-add-missing-Description-tag-for-z13-z14-ctr-12.patch

@@ -0,0 +1,42 @@
+Subject: cpumf: add missing Description: tag for z13/z14/ctr:128
+From: Hendrik Brueckner <brueckner@linux.ibm.com>
+
+Summary:     cpumf: Add CPU-MF hardware counters for z14
+Description: Add hardware counter definitions for IBM z14.
+Upstream-ID: a3c746846d86ebcee6cbf36505598b7da367665b
+Problem-ID:  KRN1608
+
+Upstream-Description:
+
+             cpumf: add missing Description: tag for z13/z14/ctr:128
+
+             Signed-off-by: Thomas Richter <tmricht@linux.vnet.ibm.com>
+             Signed-off-by: Jan Höppner <hoeppner@linux.ibm.com>
+
+
+Signed-off-by: Hendrik Brueckner <brueckner@linux.ibm.com>
+---
+ cpumf/data/cpum-cf-extended-z13.ctr |    1 +
+ cpumf/data/cpum-cf-extended-z14.ctr |    1 +
+ 2 files changed, 2 insertions(+)
+
+--- a/cpumf/data/cpum-cf-extended-z13.ctr
++++ b/cpumf/data/cpum-cf-extended-z13.ctr
+@@ -17,6 +17,7 @@
+ # Extended Counter Set
+ # ---------------------------------------------------------------------
+ Counter:128	Name:L1D_WRITES_RO_EXCL
++Description:
+ A directory write to the Level-1 Data cache where the line was
+ originally in a Read-Only state in the cache but has been updated
+ to be in the Exclusive state that allows stores to the cache line.
+--- a/cpumf/data/cpum-cf-extended-z14.ctr
++++ b/cpumf/data/cpum-cf-extended-z14.ctr
+@@ -20,6 +20,7 @@
+ # Extended Counter Set
+ # ---------------------------------------------------------------------
+ Counter:128	Name:L1D_WRITES_RO_EXCL
++Description:
+ A directory write to the Level-1 Data cache where the line was
+ originally in a Read-Only state in the cache but has been updated
+ to be in the Exclusive state that allows stores to the cache line

s390-tools-sles15sp1-05-zpcictl-include-sys-sysmacros.h-to-avoid-minor-major.patch

@@ -0,0 +1,48 @@
+Subject: zpcictl: include sys/sysmacros.h to avoid minor/major glibc warnings
+From: Jan Hoeppner <jan.hoeppner@de.ibm.com>
+
+Summary:     zpcictl: Add tool to manage PCI devices
+Description: Use the zpcictl tool to manage PCI devices on the IBM Z
+             platform.  Initial functions include generating firmware
+             error logs, resetting PCI devices, and preparing a device
+             for further repair actions.
+Upstream-ID: f35c5d01fd04ecf019f31c58edc0c5165ad276ad
+Problem-ID:  RAS1703
+
+Upstream-Description:
+
+             zpcictl: include sys/sysmacros.h to avoid minor/major glibc warnings
+
+             The minor()/major() function definitions are moved to sys/sysmacros.h
+             and will be removed from sys/types.h.  To correct below warning, simply
+             include sys/sysmacros.h.
+
+               zpcictl.c: In function ‘sysfs_get_slot_addr’:
+               zpcictl.c:184:13: warning: In the GNU C Library, "major" is defined
+                by <sys/sysmacros.h>. For historical compatibility, it is
+                currently defined by <sys/types.h> as well, but we plan to
+                remove this soon. To use "major", include <sys/sysmacros.h>
+                directly. If you did not intend to use a system-defined macro
+                "major", you should undefine it after including <sys/types.h>.
+                 major = major(dev_stat.st_rdev);
+                            ^~~~~~~~~~~~~~~~~~~~~
+
+             Signed-off-by: Hendrik Brueckner <brueckner@linux.ibm.com>
+             Signed-off-by: Stefan Haberland <sth@linux.ibm.com>
+
+
+Signed-off-by: Jan Hoeppner <jan.hoeppner@de.ibm.com>
+---
+ zpcictl/zpcictl.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/zpcictl/zpcictl.c
++++ b/zpcictl/zpcictl.c
+@@ -10,6 +10,7 @@
+ #include <errno.h>
+ #include <fcntl.h>
+ #include <sys/stat.h>
++#include <sys/sysmacros.h>
+ #include <time.h>
+ 
+ #include "lib/util_base.h"

s390-tools-sles15sp1-06-cpumf-correct-counter-name-for-z13-and-z14.patch

@@ -0,0 +1,44 @@
+Subject: cpumf: correct counter name for z13 and z14
+From: Hendrik Brueckner <brueckner@linux.ibm.com>
+
+Summary:     cpumf: Add CPU-MF hardware counters for z14
+Description: Add hardware counter definitions for IBM z14.
+Upstream-ID: 9745e4678adf18869e661d13f2b666a929450fa1
+Problem-ID:  KRN1608
+
+Upstream-Description:
+
+             cpumf: correct counter name for z13 and z14
+
+             Signed-off-by: Hendrik Brueckner <brueckner@linux.vnet.ibm.com>
+             Signed-off-by: Jan Höppner <hoeppner@linux.ibm.com>
+
+
+Signed-off-by: Hendrik Brueckner <brueckner@linux.ibm.com>
+---
+ cpumf/data/cpum-cf-extended-z13.ctr |    2 +-
+ cpumf/data/cpum-cf-extended-z14.ctr |    2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/cpumf/data/cpum-cf-extended-z13.ctr
++++ b/cpumf/data/cpum-cf-extended-z13.ctr
+@@ -16,7 +16,7 @@
+ #
+ # Extended Counter Set
+ # ---------------------------------------------------------------------
+-Counter:128	Name:L1D_WRITES_RO_EXCL
++Counter:128	Name:L1D_RO_EXCL_WRITES
+ Description:
+ A directory write to the Level-1 Data cache where the line was
+ originally in a Read-Only state in the cache but has been updated
+--- a/cpumf/data/cpum-cf-extended-z14.ctr
++++ b/cpumf/data/cpum-cf-extended-z14.ctr
+@@ -19,7 +19,7 @@
+ #
+ # Extended Counter Set
+ # ---------------------------------------------------------------------
+-Counter:128	Name:L1D_WRITES_RO_EXCL
++Counter:128	Name:L1D_RO_EXCL_WRITES
+ Description:
+ A directory write to the Level-1 Data cache where the line was
+ originally in a Read-Only state in the cache but has been updated

s390-tools-sles15sp1-06-zpcictl-Rephrase-man-page-entries-and-tool-output.patch

@@ -0,0 +1,91 @@
+Subject: zpcictl: Rephrase man page entries and tool output
+From: Jan Hoeppner <jan.hoeppner@de.ibm.com>
+
+Summary:     zpcictl: Add tool to manage PCI devices
+Description: Use the zpcictl tool to manage PCI devices on the IBM Z
+             platform.  Initial functions include generating firmware
+             error logs, resetting PCI devices, and preparing a device
+             for further repair actions.
+Upstream-ID: d03be735366de57be0c642f6f21b06b1f2df6a6e
+Problem-ID:  RAS1703
+
+Upstream-Description:
+
+             zpcictl: Rephrase man page entries and tool output
+
+             Reviewed-by: Hendrik Brueckner <brueckner@linux.ibm.com>
+             Signed-off-by: Jan Höppner <hoeppner@linux.ibm.com>
+
+
+Signed-off-by: Jan Hoeppner <jan.hoeppner@de.ibm.com>
+---
+ zpcictl/zpcictl.8 |   13 ++++++++-----
+ zpcictl/zpcictl.c |    9 +++++----
+ 2 files changed, 13 insertions(+), 9 deletions(-)
+
+--- a/zpcictl/zpcictl.8
++++ b/zpcictl/zpcictl.8
+@@ -1,4 +1,4 @@
+-.\" Copyright 2017 IBM Corp.
++.\" Copyright IBM Corp. 2018
+ .\" s390-tools is free software; you can redistribute it and/or modify
+ .\" it under the terms of the MIT license. See LICENSE for details.
+ .\"
+@@ -30,9 +30,10 @@ zpcictl - Manage PCI devices on z System
+ .
+ .
+ .SH DESCRIPTION
++With
+ .B zpcictl
+-is a tool for managing PCI devices on the IBM z Systems platform. It is
+-especially used for reporting errorneous PCI devices to the service element.
++, you can manage PCI devices on the IBM z Systems platform. It is especially
++used for reporting erroneous PCI devices to the service element.
+ 
+ .B Note:
+ For NVMe devices additional data (such as S.M.A.R.T. data) is collected and sent
+@@ -44,7 +45,9 @@ for this to work.
+ .SH DEVICE
+ .B DEVICE
+ can be either the PCI slot address (e.g. 0000:00:00.0) or the main device node
+-of an NVMe device (e.g. /dev/nvme0).
++of an NVMe device (e.g.
++.I /dev/nvme0
++).
+ .
+ .
+ .SH OPTIONS
+@@ -52,7 +55,7 @@ of an NVMe device (e.g. /dev/nvme0).
+ .OD reset "" "DEVICE"
+ Reset
+ .I DEVICE
+-and initiate a re-initialisation of the adapter.
++and initiate a re-initialization of the PCI device.
+ .PP
+ .
+ .OD deconfigure "" "DEVICE"
+--- a/zpcictl/zpcictl.c
++++ b/zpcictl/zpcictl.c
+@@ -240,7 +240,7 @@ static int device_exists(char *dev)
+ static void get_device_info(struct zpci_device *pdev, char *dev)
+ {
+ 	if (!device_exists(dev))
+-		errx(EXIT_FAILURE, "Device %s not found", dev);
++		errx(EXIT_FAILURE, "Could not find device %s", dev);
+ 	if (is_blk_dev(dev))
+ 		errx(EXIT_FAILURE, "Unsupported device type %s", dev);
+ 	if (is_char_dev(dev)) {
+@@ -254,9 +254,10 @@ static void get_device_info(struct zpci_
+ 	pdev->fid = sysfs_read_value(pdev, "function_id");
+ 	pdev->pchid = sysfs_read_value(pdev, "pchid");
+ 
+-	/* In case a slot address was specified, we still need to figure out
+-	 * the device node for NVMe devices. Otherwise we won't be able to
+-	 * collect S.M.A.R.T. data at a later point.
++	/*
++	 * In case a slot address was specified, the device node for NVMe
++	 * devices is still needed. Otherwise it won't be possible to collect
++	 * S.M.A.R.T. data at a later point.
+ 	 */
+ 	if (!pdev->device && pdev->class == PCI_CLASS_NVME)
+ 		get_device_node(pdev);

s390-tools-sles15sp1-07-cpumf-Add-IBM-z14-ZR1-to-the-CPU-Measurement-Facilit.patch

@@ -0,0 +1,41 @@
+Subject: cpumf: Add IBM z14 ZR1 to the CPU Measurement Facility model list
+From: Hendrik Brueckner <brueckner@linux.ibm.com>
+
+Summary:     cpumf: Add CPU-MF hardware counters for z14
+Description: Add hardware counter definitions for IBM z14.
+Upstream-ID: f642019bcc17370231666e772c7e4cec19f1dfdc
+Problem-ID:  KRN1608
+
+Upstream-Description:
+
+             cpumf: Add IBM z14 ZR1 to the CPU Measurement Facility model list
+
+             Signed-off-by: Thomas Richter <tmricht@linux.ibm.com>
+             Reviewed-by: Hendrik Brueckner <brueckner@linux.vnet.ibm.com>
+             Signed-off-by: Jan Höppner <hoeppner@linux.ibm.com>
+
+
+Signed-off-by: Hendrik Brueckner <brueckner@linux.ibm.com>
+---
+ cpumf/bin/cpumf_helper.in         |    1 +
+ cpumf/data/cpum-cf-hw-counter.map |    1 +
+ 2 files changed, 2 insertions(+)
+
+--- a/cpumf/bin/cpumf_helper.in
++++ b/cpumf/bin/cpumf_helper.in
+@@ -211,6 +211,7 @@ my $system_z_hwtype_map = {
+ 	2964		=> 'IBM z13',
+ 	2965		=> 'IBM z13s',
+ 	3906		=> 'IBM z14',
++	3907		=> 'IBM z14 ZR1',
+ };
+ 
+ sub get_hardware_type()
+--- a/cpumf/data/cpum-cf-hw-counter.map
++++ b/cpumf/data/cpum-cf-hw-counter.map
+@@ -26,4 +26,5 @@
+ 	2964		=> 'cpum-cf-extended-z13.ctr',
+ 	2965		=> 'cpum-cf-extended-z13.ctr',
+ 	3906		=> 'cpum-cf-extended-z14.ctr',
++	3907		=> 'cpum-cf-extended-z14.ctr',
+ };

s390-tools-sles15sp1-07-zpcictl-Use-fopen-instead-of-open-for-writes.patch

@@ -0,0 +1,55 @@
+Subject: zpcictl: Use fopen() instead of open() for writes
+From: Jan Hoeppner <jan.hoeppner@de.ibm.com>
+
+Summary:     zpcictl: Add tool to manage PCI devices
+Description: Use the zpcictl tool to manage PCI devices on the IBM Z
+             platform.  Initial functions include generating firmware
+             error logs, resetting PCI devices, and preparing a device
+             for further repair actions.
+Upstream-ID: 8f0496b26aae88e206ac9a95b317043e78d147b8
+Problem-ID:  RAS1703
+
+Upstream-Description:
+
+             zpcictl: Use fopen() instead of open() for writes
+
+             Be consistent with the rest of the code and use fopen() rather than
+             open().
+
+             Reviewed-by: Hendrik Brueckner <brueckner@linux.ibm.com>
+             Signed-off-by: Jan Höppner <hoeppner@linux.ibm.com>
+
+
+Signed-off-by: Jan Hoeppner <jan.hoeppner@de.ibm.com>
+---
+ zpcictl/zpcictl.c |   14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+--- a/zpcictl/zpcictl.c
++++ b/zpcictl/zpcictl.c
+@@ -155,17 +155,19 @@ static unsigned int sysfs_read_value(str
+ 
+ static void sysfs_write_data(struct zpci_report_error *report, char *slot)
+ {
++	size_t r_size;
+ 	char *path;
+-	int fd, rc;
++	FILE *fp;
++
++	r_size = sizeof(*report);
+ 
+ 	path = util_path_sysfs("bus/pci/devices/%s/report_error", slot);
+-	fd = open(path, O_WRONLY);
+-	if (!fd)
++	fp = fopen(path, "w");
++	if (!fp)
+ 		fopen_err(path);
+-	rc = write(fd, report, sizeof(*report));
+-	if (rc == -1)
++	if (fwrite(report, 1, r_size, fp) != r_size)
+ 		warnx("Could not write to file: %s: %s", path, strerror(errno));
+-	if (close(fd))
++	if (fclose(fp))
+ 		warnx("Could not close file: %s: %s", path, strerror(errno));
+ 	free(path);
+ }

s390-tools-sles15sp1-08-zpcictl-Read-device-link-to-obtain-device-address.patch

@@ -0,0 +1,77 @@
+Subject: zpcictl: Read device link to obtain device address
+From: Jan Hoeppner <jan.hoeppner@de.ibm.com>
+
+Summary:     zpcictl: Add tool to manage PCI devices
+Description: Use the zpcictl tool to manage PCI devices on the IBM Z
+             platform.  Initial functions include generating firmware
+             error logs, resetting PCI devices, and preparing a device
+             for further repair actions.
+Upstream-ID: e2a8d85916fb77d2a9b41253446973cd97107c42
+Problem-ID:  RAS1703
+
+Upstream-Description:
+
+             zpcictl: Read device link to obtain device address
+
+             The address sysfs attribute might not be present on some older kernel
+             levels. Read the device link instead using readlink() to obtain the
+             address.
+
+             Signed-off-by: Jan Höppner <hoeppner@linux.ibm.com>
+
+
+Signed-off-by: Jan Hoeppner <jan.hoeppner@de.ibm.com>
+---
+ zpcictl/zpcictl.c |   27 ++++++++++++++++++---------
+ 1 file changed, 18 insertions(+), 9 deletions(-)
+
+--- a/zpcictl/zpcictl.c
++++ b/zpcictl/zpcictl.c
+@@ -172,13 +172,16 @@ static void sysfs_write_data(struct zpci
+ 	free(path);
+ }
+ 
++/* lstat() doesn't work for sysfs files, so we have to work with a fixed size */
++#define READLINK_SIZE	256
++
+ static void sysfs_get_slot_addr(const char *dev, char *slot)
+ {
++	char device[READLINK_SIZE], *result;
+ 	unsigned int major, minor;
+ 	struct stat dev_stat;
+-	char addr[13];
++	ssize_t len;
+ 	char *path;
+-	FILE *fp;
+ 
+ 	if (stat(dev, &dev_stat) != 0) {
+ 		errx(EXIT_FAILURE, "Could not get stat information for %s: %s",
+@@ -187,15 +190,21 @@ static void sysfs_get_slot_addr(const ch
+ 	major = major(dev_stat.st_rdev);
+ 	minor = minor(dev_stat.st_rdev);
+ 
+-	path = util_path_sysfs("dev/char/%u:%u/address", major, minor);
+-	fp = fopen(path, "r");
+-	if (!fp)
+-		fopen_err(path);
+-	fscanf(fp, "%s", addr);
+-	fclose(fp);
++	path = util_path_sysfs("dev/char/%u:%u/device", major, minor);
++	len = readlink(path, device, READLINK_SIZE - 1);
+ 	free(path);
++	if (len != -1)
++		device[len] = '\0';
++	else
++		errx(EXIT_FAILURE, "Could not read device link for %s", dev);
++
++	result = strrchr(device, '/');
++	if (result)
++		result++;
++	else
++		result = device;
+ 
+-	strcpy(slot, addr);
++	strcpy(slot, result);
+ }
+ 
+ static void get_device_node(struct zpci_device *pdev)

s390-tools-sles15sp1-09-zpcictl-Make-device-node-for-NVMe-optional.patch

@@ -0,0 +1,124 @@
+Subject: zpcictl: Make device node for NVMe optional
+From: Jan Hoeppner <jan.hoeppner@de.ibm.com>
+
+Summary:     zpcictl: Add tool to manage PCI devices
+Description: Use the zpcictl tool to manage PCI devices on the IBM Z
+             platform.  Initial functions include generating firmware
+             error logs, resetting PCI devices, and preparing a device
+             for further repair actions.
+Upstream-ID: 342c6a3707315514f0f886fabb532f6c8b59b694
+Problem-ID:  RAS1703
+
+Upstream-Description:
+
+             zpcictl: Make device node for NVMe optional
+
+             At the moment, if we specify the slot address of an NVMe device but
+             can't find the corresponding device node, the execution is terminated.
+
+             This is a bit harsh as the device node is rather optional and only
+             necessary to collect S.M.A.R.T. data. We should still be able to issue
+             the error reporting, even if we couldn't determine the device node.
+
+             Therefore, make sure the device node for NVMe devices is optional by
+             changing various error messages to warnings.
+             Change sysfs_get_slot_addr() to have a return value and work with that
+             accordingly.
+             Also make sure, that execution is terminated when a valid device node
+             was specified but no matching slot address was determined. The slot
+             address is necessary to issue the error reporting commands.
+
+             Signed-off-by: Jan Höppner <hoeppner@linux.ibm.com>
+
+
+Signed-off-by: Jan Hoeppner <jan.hoeppner@de.ibm.com>
+---
+ zpcictl/zpcictl.c |   30 ++++++++++++++++++++----------
+ 1 file changed, 20 insertions(+), 10 deletions(-)
+
+--- a/zpcictl/zpcictl.c
++++ b/zpcictl/zpcictl.c
+@@ -104,6 +104,9 @@ static char *collect_smart_data(struct z
+ 	char *cmd;
+ 	FILE *fd;
+ 
++	if (!pdev->device)
++		return NULL;
++
+ 	util_asprintf(&cmd, SMARTCTL_CMDLINE, pdev->device);
+ 	fd = popen(cmd, "r");
+ 	if (!fd)
+@@ -175,7 +178,7 @@ static void sysfs_write_data(struct zpci
+ /* lstat() doesn't work for sysfs files, so we have to work with a fixed size */
+ #define READLINK_SIZE	256
+ 
+-static void sysfs_get_slot_addr(const char *dev, char *slot)
++static int sysfs_get_slot_addr(const char *dev, char *slot)
+ {
+ 	char device[READLINK_SIZE], *result;
+ 	unsigned int major, minor;
+@@ -184,8 +187,9 @@ static void sysfs_get_slot_addr(const ch
+ 	char *path;
+ 
+ 	if (stat(dev, &dev_stat) != 0) {
+-		errx(EXIT_FAILURE, "Could not get stat information for %s: %s",
+-		     dev, strerror(errno));
++		warnx("Could not get stat information for %s: %s",
++		      dev, strerror(errno));
++		return 0;
+ 	}
+ 	major = major(dev_stat.st_rdev);
+ 	minor = minor(dev_stat.st_rdev);
+@@ -193,18 +197,21 @@ static void sysfs_get_slot_addr(const ch
+ 	path = util_path_sysfs("dev/char/%u:%u/device", major, minor);
+ 	len = readlink(path, device, READLINK_SIZE - 1);
+ 	free(path);
+-	if (len != -1)
++	if (len != -1) {
+ 		device[len] = '\0';
+-	else
+-		errx(EXIT_FAILURE, "Could not read device link for %s", dev);
++	} else {
++		warnx("Could not read device link for %s", dev);
++		return 0;
++	}
+ 
+ 	result = strrchr(device, '/');
+ 	if (result)
+ 		result++;
+ 	else
+ 		result = device;
+-
+ 	strcpy(slot, result);
++
++	return 1;
+ }
+ 
+ static void get_device_node(struct zpci_device *pdev)
+@@ -219,12 +226,13 @@ static void get_device_node(struct zpci_
+ 	if (count == -1) {
+ 		warnx("Could not read directory %s: %s", path, strerror(errno));
+ 		free(path);
+-		exit(EXIT_FAILURE);
++		return;
+ 	}
+ 
+ 	for (i = 0; i < count; i++) {
+ 		util_asprintf(&dev, "/dev/%s", de_vec[i]->d_name);
+-		sysfs_get_slot_addr(dev, slot);
++		if (!sysfs_get_slot_addr(dev, slot))
++			continue;
+ 		if (strcmp(slot, pdev->slot) == 0) {
+ 			pdev->device = dev;
+ 			break;
+@@ -255,7 +263,9 @@ static void get_device_info(struct zpci_
+ 	if (is_blk_dev(dev))
+ 		errx(EXIT_FAILURE, "Unsupported device type %s", dev);
+ 	if (is_char_dev(dev)) {
+-		sysfs_get_slot_addr(dev, pdev->slot);
++		if (!sysfs_get_slot_addr(dev, pdev->slot))
++			errx(EXIT_FAILURE,
++			     "Could not determine slot address for %s", dev);
+ 		pdev->device = dev;
+ 	} else {
+ 		strcpy(pdev->slot, dev);

s390-tools-sles15sp1-10-zpcictl-Change-wording-of-man-page-and-help-output.patch

@@ -0,0 +1,143 @@
+Subject: zpcictl: Change wording of man-page and help output
+From: Jan Hoeppner <jan.hoeppner@de.ibm.com>
+
+Summary:     zpcictl: Add tool to manage PCI devices
+Description: Use the zpcictl tool to manage PCI devices on the IBM Z
+             platform.  Initial functions include generating firmware
+             error logs, resetting PCI devices, and preparing a device
+             for further repair actions.
+Upstream-ID: aaaebb2030c80151ecac528f22cb9a52752b868c
+Problem-ID:  RAS1703
+
+Upstream-Description:
+
+             zpcictl: Change wording of man-page and help output
+
+             Signed-off-by: Jan Höppner <hoeppner@linux.ibm.com>
+
+
+Signed-off-by: Jan Hoeppner <jan.hoeppner@de.ibm.com>
+---
+ zpcictl/zpcictl.8 |   38 +++++++++++++++-----------------------
+ zpcictl/zpcictl.c |   15 ++++++++-------
+ 2 files changed, 23 insertions(+), 30 deletions(-)
+
+--- a/zpcictl/zpcictl.8
++++ b/zpcictl/zpcictl.8
+@@ -20,7 +20,7 @@
+ .TH zpcictl 8 "Oct 2018" s390-tools zpcictl
+ .
+ .SH NAME
+-zpcictl - Manage PCI devices on z Systems
++zpcictl - Manage PCI devices on IBM Z
+ .
+ .
+ .SH SYNOPSIS
+@@ -30,50 +30,42 @@ zpcictl - Manage PCI devices on z System
+ .
+ .
+ .SH DESCRIPTION
+-With
++Use
+ .B zpcictl
+-, you can manage PCI devices on the IBM z Systems platform. It is especially
+-used for reporting erroneous PCI devices to the service element.
++to manage PCI devices on the IBM Z platform. In particular,
++use this command to report defective PCI devices to the service element.
+ 
+ .B Note:
+ For NVMe devices additional data (such as S.M.A.R.T. data) is collected and sent
+-with any error handling action. The smartmontools are required to be installed
+-for this to work.
++with any error handling action. For this extendend data collection, the
++smartmontools must be installed.
+ .PP
+ .
+ .
+ .SH DEVICE
+-.B DEVICE
+-can be either the PCI slot address (e.g. 0000:00:00.0) or the main device node
+-of an NVMe device (e.g.
++A PCI slot address (e.g. 0000:00:00.0) or the main device node of an NVMe
++device (e.g.
+ .I /dev/nvme0
+ ).
+ .
+ .
+ .SH OPTIONS
+-.SS Error Handling
++.SS Error Handling Options
+ .OD reset "" "DEVICE"
+-Reset
+-.I DEVICE
+-and initiate a re-initialization of the PCI device.
++Reset and re-initialize the PCI device.
+ .PP
+ .
+ .OD deconfigure "" "DEVICE"
+-De-configure
+-.I DEVICE
+-and prepare for any repair action. This action will move the
+-PCI device from a configured to a reserved state.
++Deconfigure the PCI device and prepare for any repair action. This action
++changes the status of the PCI device from configured to reserved.
+ .PP
+ .
+ .OD report-error "" "DEVICE"
+-Report any device error for
+-.IR DEVICE .
+-The
+-.I DEVICE
+-is marked as erroneous and no further action is initiated on it.
++Report any device error for the PCI device.
++The device is marked as defective but no further action is taken.
+ .PP
+ .
+-.SS Misc
++.SS General Options
+ .OD help "h" ""
+ Print usage information, then exit.
+ .PP
+--- a/zpcictl/zpcictl.c
++++ b/zpcictl/zpcictl.c
+@@ -27,8 +27,9 @@
+ #define SMARTCTL_CMDLINE "smartctl -x %s 2>/dev/null"
+ 
+ static const struct util_prg prg = {
+-	.desc = "Use zpcictl to manage PCI devices on s390\n"
+-		"DEVICE is the slot id or node of the device (e.g. /dev/nvme0)",
++	.desc = "Use zpcictl to manage PCI devices on IBM Z\n"
++		"DEVICE is the slot ID or node of the device "
++		"(e.g. 0000:00:00.0 or /dev/nvme0)",
+ 	.args = "DEVICE",
+ 	.copyright_vec = {
+ 		{
+@@ -46,23 +47,23 @@ static const struct util_prg prg = {
+ #define OPT_REPORT_ERR	130
+ 
+ static struct util_opt opt_vec[] = {
+-	UTIL_OPT_SECTION("ERROR HANDLING"),
++	UTIL_OPT_SECTION("ERROR HANDLING OPTIONS"),
+ 	{
+ 		.option = { "reset", no_argument, NULL, OPT_RESET },
+-		.desc = "Reset device",
++		.desc = "Reset the device",
+ 		.flags = UTIL_OPT_FLAG_NOSHORT,
+ 	},
+ 	{
+ 		.option = { "deconfigure", no_argument, NULL, OPT_DECONF },
+-		.desc = "De-configure device and prepare for any repair action",
++		.desc = "Deconfigure the device to prepare for any repair action",
+ 		.flags = UTIL_OPT_FLAG_NOSHORT,
+ 	},
+ 	{
+ 		.option = { "report-error", no_argument, NULL, OPT_REPORT_ERR },
+-		.desc = "Report device error to service element (SE)",
++		.desc = "Report a device error to the service element (SE)",
+ 		.flags = UTIL_OPT_FLAG_NOSHORT,
+ 	},
+-	UTIL_OPT_SECTION("MISC"),
++	UTIL_OPT_SECTION("GENERAL OPTIONS"),
+ 	UTIL_OPT_HELP,
+ 	UTIL_OPT_VERSION,
+ 	UTIL_OPT_END

s390-tools-sles15sp1-dbginfo-gather-nvme-related-data.patch

@@ -0,0 +1,75 @@
+Subject: dbginfo: gather nvme related data
+From: Sebastian Ott <sebott@linux.ibm.com>
+
+Summary:     s390-tools/dbginfo: Collect NVMe-related debug data
+Description: Collect SMART (Self-Monitoring, Analysis and Reporting Technology)
+             data in dbginfo.sh .
+Upstream-ID: b9e47e356bbfc92e41b758e74606baacbab33ee4
+Problem-ID:  RAS1702
+
+Upstream-Description:
+
+             dbginfo: gather nvme related data
+
+             Signed-off-by: Sebastian Ott <sebott@linux.vnet.ibm.com>
+             Signed-off-by: Stefan Haberland <sth@linux.vnet.ibm.com>
+
+
+Signed-off-by: Sebastian Ott <sebott@linux.ibm.com>
+---
+ scripts/dbginfo.sh |   26 +++++++++++++++++++++++++-
+ 1 file changed, 25 insertions(+), 1 deletion(-)
+
+--- a/scripts/dbginfo.sh
++++ b/scripts/dbginfo.sh
+@@ -182,11 +182,14 @@ readonly OUTPUT_FILE_XML="${WORKPATH}dom
+ # File that includes the docker inspect output
+ readonly OUTPUT_FILE_DOCKER="${WORKPATH}docker_inspect.out"
+ 
++# File that includes nvme related information
++readonly OUTPUT_FILE_NVME="${WORKPATH}nvme.out"
++
+ # Mount point of the debug file system
+ readonly MOUNT_POINT_DEBUGFS="/sys/kernel/debug"
+ 
+ # The amount of steps running the whole collections
+-readonly COLLECTION_COUNT=11
++readonly COLLECTION_COUNT=12
+ 
+ # The kernel version (e.g. '2' from 2.6.32 or '3' from 3.2.1)
+ readonly KERNEL_VERSION=$(uname -r 2>/dev/null | cut -d'.' -f1)
+@@ -829,6 +832,25 @@ collect_docker() {
+ }
+ 
+ ########################################
++collect_nvme() {
++    local NVME
++
++    pr_syslog_stdout "11 of ${COLLECTION_COUNT}: Collecting nvme output"
++    call_run_command "nvme list" "${OUTPUT_FILE_NVME}"
++
++    for NVME in /dev/nvme[0-9]*; do
++	if [ -c $NVME ]; then
++	    call_run_command "smartctl -x $NVME" "${OUTPUT_FILE_NVME}"
++	    call_run_command "nvme fw-log $NVME" "${OUTPUT_FILE_NVME}"
++	    call_run_command "nvme smart-log $NVME" "${OUTPUT_FILE_NVME}"
++	    call_run_command "nvme error-log $NVME" "${OUTPUT_FILE_NVME}"
++	fi
++    done
++
++    pr_log_stdout " "
++}
++
++########################################
+ post_processing() {
+     local file_mtime
+     local file_mtime_epoche
+@@ -1120,6 +1142,8 @@ collect_domain_xml
+ 
+ collect_docker
+ 
++collect_nvme
++
+ post_processing
+ 
+ create_package

s390-tools.changes

@@ -1,19 +1,76 @@
 -------------------------------------------------------------------
-Mon Oct 22 19:44:05 UTC 2018 - mpost@suse.com
+Tue Nov 13 19:22:01 UTC 2018 - mpost@suse.com
 
 - Added s390-tools-sles15-zdev-fix-qeth-BridgePort-and-VNICC-conflict-checking.patch
-  zdev: qeth BridgePort and VNICC attribute conflict (bsc#1112536)
+  (bsc#1112536)
+  zdev: qeth BridgePort and VNICC attribute conflict
+- Added the following patches for Fate#326376 (bsc#1113321)
+  * s390-tools-sles15sp1-01-util_path-add-function-to-check-if-a-path-exists.patch
+  * s390-tools-sles15sp1-02-util_path-Add-description-for-util_path_exists.patch
+  * s390-tools-sles15sp1-03-util_path-Make-true-false-handling-consistent-with-o.patch
+  * s390-tools-sles15sp1-04-zpcictl-Introduce-new-tool-zpcictl.patch
+  * s390-tools-sles15sp1-05-zpcictl-include-sys-sysmacros.h-to-avoid-minor-major.patch
+  * s390-tools-sles15sp1-06-zpcictl-Rephrase-man-page-entries-and-tool-output.patch
+  * s390-tools-sles15sp1-07-zpcictl-Use-fopen-instead-of-open-for-writes.patch
+  * s390-tools-sles15sp1-08-zpcictl-Read-device-link-to-obtain-device-address.patch
+  * s390-tools-sles15sp1-09-zpcictl-Make-device-node-for-NVMe-optional.patch
+  * s390-tools-sles15sp1-10-zpcictl-Change-wording-of-man-page-and-help-output.patch
+- Added the following patches for Fate#325684 (bsc#1113323)
+  * s390-tools-sles15sp1-0001-zkey-Add-properties-file-handling-routines.patch
+  * s390-tools-sles15sp1-0002-zkey-Add-build-dependency-to-OpenSSL-libcrypto.patch
+  * s390-tools-sles15sp1-0003-zkey-Add-helper-functions-for-comma-separated-string.patch
+  * s390-tools-sles15sp1-0004-zkey-Externalize-secure-key-back-end-functions.patch
+  * s390-tools-sles15sp1-0005-zkey-Add-keystore-implementation.patch
+  * s390-tools-sles15sp1-0006-zkey-Add-keystore-related-commands.patch
+  * s390-tools-sles15sp1-0007-zkey-Create-key-repository-and-group-during-make-ins.patch
+  * s390-tools-sles15sp1-0008-zkey-Man-page-updates.patch
+  * s390-tools-sles15sp1-0009-zkey-let-packaging-create-the-zkeyadm-group-and-perm.patch
+  * s390-tools-sles15sp1-0010-zkey-Update-README-to-add-info-about-packaging-requi.patch
+- Added the following patches for Fate#326390 (bsc#1113353)
+  * s390-tools-sles15sp1-0011-zkey-Typo-in-message.patch
+  * s390-tools-sles15sp1-0012-zkey-Fix-memory-leak.patch
+  * s390-tools-sles15sp1-0013-zkey-Fix-APQN-validation-routine.patch
+  * s390-tools-sles15sp1-0014-zkey-Fix-generate-and-import-leaving-key-in-an-incon.patch
+  * s390-tools-sles15sp1-0015-zkey-Add-zkey-cryptsetup-tool.patch
+  * s390-tools-sles15sp1-0016-zkey-Add-man-page-for-zkey-cryptsetup.patch
+  * s390-tools-sles15sp1-0017-zkey-Add-build-dependency-for-libcryptsetup-and-json.patch
+  * s390-tools-sles15sp1-0018-zkey-Add-key-verification-pattern-property.patch
+  * s390-tools-sles15sp1-0019-zkey-Add-volume-type-property-to-support-LUKS2-volum.patch
+- Added the following patches for Fate#325691 (bsc#1113324)
+  * s390-tools-sles15sp1-01-lszcrypt-CEX6S-exploitation.patch
+  * s390-tools-sles15sp1-02-lszcrypt-fix-date-and-wrong-indentation.patch
+- Added the following patches for Fate#326388 (bsc#1113331)
+  * s390-tools-sles15sp1-01-cpumf-Add-extended-counter-defintion-files-for-IBM-z.patch
+  * s390-tools-sles15sp1-02-cpumf-z14-split-counter-sets-according-to-CFVN-CSVN-.patch
+  * s390-tools-sles15sp1-03-cpumf-cpumf_helper-read-split-counter-sets-part-2-2.patch
+  * s390-tools-sles15sp1-04-cpumf-correct-z14-counter-number.patch
+  * s390-tools-sles15sp1-05-cpumf-add-missing-Description-tag-for-z13-z14-ctr-12.patch
+  * s390-tools-sles15sp1-06-cpumf-correct-counter-name-for-z13-and-z14.patch
+  * s390-tools-sles15sp1-07-cpumf-Add-IBM-z14-ZR1-to-the-CPU-Measurement-Facilit.patch
+- Added the following patch for Fate#326361 (bsc#1113333)
+  * s390-tools-sles15sp1-dbginfo-gather-nvme-related-data.patch
+- Temporarily added "HAVE_CRYPTSETUP2=0" to the make and make install
+  commands, because a couple of Fate requests have not been approved
+  yet, resulting in build failure.
+- Added "Recommends: blktrace" to the spec file (bsc#1112855)
+- Changed remaining insserv references to systemd entries.
+- Changed the Group from the obsolete "System Environment/Base" to
+  "System/Base."
 
 -------------------------------------------------------------------
 Fri Aug 31 18:57:54 UTC 2018 - mpost@suse.com
 
-- Added the following patch for bsc#1094354
+- Added the following patch to remove the call to zipl for bsc#1094354
   * customize-zdev-root-update-script.patch
 - Modified ctc_configure to not pass a "protcol=" parameter when
   configuring LCS devices. (bsc#1096520)
-- Added the following patches for bsc#1098069
-  * s390-tools-sles15-dbginfo-add-data-for-ps-cpprot.patch
-  * s390-tools-sles15-mon_procd-fix-parsing-of-proc-pid-stat.patch
+- Added the following two patches for bsc#1098069
+  * dbginfo.sh: Extend data collection
+    s390-tools-sles15-dbginfo-add-data-for-ps-cpprot.patch
+  * mon_procd: fix parsing of /proc/<pid>/stat
+    s390-tools-sles15-mon_procd-fix-parsing-of-proc-pid-stat.patch
+- Added the following patches for "lstape, lsluns: handle non-zfcp;
+  lin_tape multiple paths" (bsc#1098069)
   * s390-tools-sles15-1-lstape-fix-output-with-SCSI-lin_tape-and-multiple-pa.patch
   * s390-tools-sles15-2-lstape-fix-to-prefer-sysfs-to-find-lin_tape-device-n.patch
   * s390-tools-sles15-3-lstape-fix-output-without-SCSI-generic-sg.patch

s390-tools.spec

@@ -40,7 +40,7 @@ BuildRequires:  net-snmp-devel
 BuildRequires:  qclib-devel-static
 BuildRequires:  tcpd-devel
 BuildRequires:  zlib-devel-static
-PreReq:         shadow %insserv_prereq %fillup_prereq dracut permissions
+PreReq:         shadow %fillup_prereq dracut permissions
 Requires:       coreutils
 Requires:       gawk
 Requires:       perl-base
@@ -49,6 +49,7 @@ Requires:       rsync
 Requires:       tar
 Requires:       util-linux
 Provides:       s390utils:/sbin/dasdfmt
+Recommends:     blktrace
 # Don't build with pie to avoid problems with zipl
 #!BuildIgnore: gcc-PIE
 Source:         s390-tools-%{version}.tar.gz
@@ -152,6 +153,45 @@ Patch41:        s390-tools-sles15-6-lstape-fix-description-of-type-and-devbusid-
 Patch42:        s390-tools-sles15-7-lstape-fix-SCSI-output-description-in-man-page.patch
 Patch43:        s390-tools-sles15-8-lstape-fix-SCSI-HBA-CCW-device-bus-ID-e.g.-for-virti.patch
 Patch44:        s390-tools-sles15-zdev-fix-qeth-BridgePort-and-VNICC-conflict-checking.patch
+Patch45:        s390-tools-sles15sp1-01-util_path-add-function-to-check-if-a-path-exists.patch
+Patch46:        s390-tools-sles15sp1-02-util_path-Add-description-for-util_path_exists.patch
+Patch47:        s390-tools-sles15sp1-03-util_path-Make-true-false-handling-consistent-with-o.patch
+Patch48:        s390-tools-sles15sp1-04-zpcictl-Introduce-new-tool-zpcictl.patch
+Patch49:        s390-tools-sles15sp1-05-zpcictl-include-sys-sysmacros.h-to-avoid-minor-major.patch
+Patch50:        s390-tools-sles15sp1-06-zpcictl-Rephrase-man-page-entries-and-tool-output.patch
+Patch51:        s390-tools-sles15sp1-07-zpcictl-Use-fopen-instead-of-open-for-writes.patch
+Patch52:        s390-tools-sles15sp1-08-zpcictl-Read-device-link-to-obtain-device-address.patch
+Patch53:        s390-tools-sles15sp1-09-zpcictl-Make-device-node-for-NVMe-optional.patch
+Patch54:        s390-tools-sles15sp1-10-zpcictl-Change-wording-of-man-page-and-help-output.patch
+Patch55:        s390-tools-sles15sp1-0001-zkey-Add-properties-file-handling-routines.patch
+Patch56:        s390-tools-sles15sp1-0002-zkey-Add-build-dependency-to-OpenSSL-libcrypto.patch
+Patch57:        s390-tools-sles15sp1-0003-zkey-Add-helper-functions-for-comma-separated-string.patch
+Patch58:        s390-tools-sles15sp1-0004-zkey-Externalize-secure-key-back-end-functions.patch
+Patch59:        s390-tools-sles15sp1-0005-zkey-Add-keystore-implementation.patch
+Patch60:        s390-tools-sles15sp1-0006-zkey-Add-keystore-related-commands.patch
+Patch61:        s390-tools-sles15sp1-0007-zkey-Create-key-repository-and-group-during-make-ins.patch
+Patch62:        s390-tools-sles15sp1-0008-zkey-Man-page-updates.patch
+Patch63:        s390-tools-sles15sp1-0009-zkey-let-packaging-create-the-zkeyadm-group-and-perm.patch
+Patch64:        s390-tools-sles15sp1-0010-zkey-Update-README-to-add-info-about-packaging-requi.patch
+Patch65:        s390-tools-sles15sp1-0011-zkey-Typo-in-message.patch
+Patch66:        s390-tools-sles15sp1-0012-zkey-Fix-memory-leak.patch
+Patch67:        s390-tools-sles15sp1-0013-zkey-Fix-APQN-validation-routine.patch
+Patch68:        s390-tools-sles15sp1-0014-zkey-Fix-generate-and-import-leaving-key-in-an-incon.patch
+Patch69:        s390-tools-sles15sp1-0015-zkey-Add-zkey-cryptsetup-tool.patch
+Patch70:        s390-tools-sles15sp1-0016-zkey-Add-man-page-for-zkey-cryptsetup.patch
+Patch71:        s390-tools-sles15sp1-0017-zkey-Add-build-dependency-for-libcryptsetup-and-json.patch
+Patch72:        s390-tools-sles15sp1-0018-zkey-Add-key-verification-pattern-property.patch
+Patch73:        s390-tools-sles15sp1-0019-zkey-Add-volume-type-property-to-support-LUKS2-volum.patch
+Patch74:        s390-tools-sles15sp1-01-lszcrypt-CEX6S-exploitation.patch
+Patch75:        s390-tools-sles15sp1-02-lszcrypt-fix-date-and-wrong-indentation.patch
+Patch76:        s390-tools-sles15sp1-01-cpumf-Add-extended-counter-defintion-files-for-IBM-z.patch
+Patch77:        s390-tools-sles15sp1-02-cpumf-z14-split-counter-sets-according-to-CFVN-CSVN-.patch
+Patch78:        s390-tools-sles15sp1-03-cpumf-cpumf_helper-read-split-counter-sets-part-2-2.patch
+Patch79:        s390-tools-sles15sp1-04-cpumf-correct-z14-counter-number.patch
+Patch80:        s390-tools-sles15sp1-05-cpumf-add-missing-Description-tag-for-z13-z14-ctr-12.patch
+Patch81:        s390-tools-sles15sp1-06-cpumf-correct-counter-name-for-z13-and-z14.patch
+Patch82:        s390-tools-sles15sp1-07-cpumf-Add-IBM-z14-ZR1-to-the-CPU-Measurement-Facilit.patch
+Patch83:        s390-tools-sles15sp1-dbginfo-gather-nvme-related-data.patch
 
 Patch999:       customize-zdev-root-update-script.patch
 
@@ -199,7 +239,7 @@ represented as a file in that directory.
 %package hmcdrvfs
 Summary:        HMC drive file system based on FUSE
 License:        GPL-2.0
-Group:          System Environment/Base
+Group:          System/Base
 Requires:       fuse
 
 %description hmcdrvfs
@@ -254,6 +294,45 @@ to list files and directories.
 %patch42 -p1
 %patch43 -p1
 %patch44 -p1
+%patch45 -p1
+%patch46 -p1
+%patch47 -p1
+%patch48 -p1
+%patch49 -p1
+%patch50 -p1
+%patch51 -p1
+%patch52 -p1
+%patch53 -p1
+%patch54 -p1
+%patch55 -p1
+%patch56 -p1
+%patch57 -p1
+%patch58 -p1
+%patch59 -p1
+%patch60 -p1
+%patch61 -p1
+%patch62 -p1
+%patch63 -p1
+%patch64 -p1
+%patch65 -p1
+%patch66 -p1
+%patch67 -p1
+%patch68 -p1
+%patch69 -p1
+%patch70 -p1
+%patch71 -p1
+%patch72 -p1
+%patch73 -p1
+%patch74 -p1
+%patch75 -p1
+%patch76 -p1
+%patch77 -p1
+%patch78 -p1
+%patch79 -p1
+%patch80 -p1
+%patch81 -p1
+%patch82 -p1
+%patch83 -p1
 
 %patch999 -p1
 
@@ -267,12 +346,12 @@ cp -vi %{S:22} CAUTION
 
 export OPT_FLAGS="%{optflags}"
 export KERNELIMAGE_MAKEFLAGS="%%{?_smp_mflags}"
-make ZFCPDUMP_DIR=/usr/lib/s390-tools/zfcpdump DISTRELEASE=%{release}
+make ZFCPDUMP_DIR=/usr/lib/s390-tools/zfcpdump DISTRELEASE=%{release} HAVE_CRYPTSETUP2=0
 gcc -static -o read_values ${OPT_FLAGS} %{S:86} -lqc
 
 %install
 mkdir -p %{buildroot}/boot/zipl
-%make_install \
+%make_install HAVE_CRYPTSETUP2=0 \
      ZFCPDUMP_DIR=/usr/lib/s390-tools/zfcpdump \
      DISTRELEASE=%{release} \
      SYSTEMDSYSTEMUNITDIR=%{_unitdir} \
@@ -396,14 +475,18 @@ chmod 755 osasnmpd
 %pre
 # check for ts-shell group or create it
 getent group ts-shell >/dev/null 2>&1 || groupadd -r ts-shell
+%service_add_pre appldata.service
 %service_add_pre cio_ignore.service
 %service_add_pre cpacfstatsd.service
 %service_add_pre cpi.service
 %service_add_pre cpuplugd.service
 %service_add_pre dumpconf.service
+%service_add_pre hsnc.service
 %service_add_pre mon_fsstatd.service
 %service_add_pre mon_procd.service
 %service_add_pre virtsetup.service
+%service_add_pre vmlogrdr.service
+%service_add_pre xpram.service
 
 %post
 read INITPGM < /proc/1/comm
@@ -415,14 +498,18 @@ fi
 %set_permissions /var/log/ts-shell
 
 # Create symbolic links to the scripts from setup and boot directories
+%service_add_post appldata.service
 %service_add_post cio_ignore.service
 %service_add_post cpacfstatsd.service
 %service_add_post cpi.service
 %service_add_post cpuplugd.service
 %service_add_post dumpconf.service
+%service_add_post hsnc.service
 %service_add_post mon_fsstatd.service
 %service_add_post mon_procd.service
 %service_add_post virtsetup.service
+%service_add_post vmlogrdr.service
+%service_add_post xpram.service
 
 # Create the initial versions of the sysconfig files:
 %{fillup_only -n appldata}
@@ -443,33 +530,36 @@ grep -q '^/usr/bin/ts-shell$' /etc/shells \
 %{fillup_only -n osasnmpd}
 
 %preun
-%{stop_on_removal appldata}
-%{stop_on_removal hsnc}
-%{stop_on_removal vmlogrdr}
-%{stop_on_removal xpram}
+%service_del_preun appldata.service
 %service_del_preun cio_ignore.service
 %service_del_preun cpacfstatsd.service
 %service_del_preun cpi.service
 %service_del_preun cpuplugd.service
 %service_del_preun dumpconf.service
+%service_del_preun hsnc.service
 %service_del_preun mon_fsstatd.service
 %service_del_preun mon_procd.service
 %service_del_preun virtsetup.service
+%service_del_preun vmlogrdr.service
+%service_del_preun xpram.service
 
 %postun
-%{restart_on_update appldata}
-%{restart_on_update hsnc}
-%{restart_on_update vmlogrdr}
-%{restart_on_update xpram}
+%service_del_postun appldata.service
 %service_del_postun cio_ignore.service
 %service_del_postun cpacfstatsd.service
 %service_del_postun cpi.service
 %service_del_postun cpuplugd.service
 %service_del_postun dumpconf.service
+%service_del_postun hsnc.service
 %service_del_postun mon_fsstatd.service
 %service_del_postun mon_procd.service
 %service_del_postun virtsetup.service
+%service_del_postun vmlogrdr.service
+%service_del_postun xpram.service
 
+# Even though SLES15+ is systemd based, the build service doesn't
+# run it, so we have to make sure we can safely issue the
+# systemctl command.
 read INITPGM < /proc/1/comm
 if [ "${INITPGM}" == "systemd" ]; then
   echo "Running systemctl daemon-reload."
@@ -480,7 +570,7 @@ if [ ! -x /boot/zipl ]; then
 	echo "Attention, after uninstalling this package,"
 	echo "you will NOT be able to IPL from DASD anymore!!!"
 fi
-%{insserv_cleanup}
+
 if test x$1 = x0; then
 	# remove ts-shell from /etc/shells
 	grep -v '^/usr/bin/ts-shell$' /etc/shells > /etc/shells.ts-new