forked from pool/s390-tools
Accepting request 648783 from home:markkp:branches:Base:System
Lots of features implemented for SLES15 SP1. OBS-URL: https://build.opensuse.org/request/show/648783 OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=57
This commit is contained in:
parent
9528578d29
commit
a7f8ed0265
@ -1,3 +1,4 @@
|
|||||||
addFilter("statically-linked-binary /usr/lib/s390-tools/.*")
|
addFilter("statically-linked-binary /usr/lib/s390-tools/.*")
|
||||||
addFilter("statically-linked-binary /usr/bin/read_values")
|
addFilter("statically-linked-binary /usr/bin/read_values")
|
||||||
addFilter("systemd-service-without-service_.* *@.service")
|
addFilter("systemd-service-without-service_.* *@.service")
|
||||||
|
addFilter("position-independent-executable-suggested ")
|
||||||
|
@ -0,0 +1,506 @@
|
|||||||
|
Subject: zkey: Add properties file handling routines
|
||||||
|
From: Philipp Rudo <prudo@linux.ibm.com>
|
||||||
|
|
||||||
|
Summary: zkey: Add support of protected key crypto for dm-crypt.
|
||||||
|
Description: Support the usage of protected key crypto for dm-crypt disks in
|
||||||
|
plain format by providing a tool to manage a key repository
|
||||||
|
allowing to associate secure keys with disk partitions or logical
|
||||||
|
volumes.
|
||||||
|
Upstream-ID: 340da73bb7f06a9fc2aecfe4e33f1f3a17b3568d
|
||||||
|
Problem-ID: SEC1800
|
||||||
|
|
||||||
|
Upstream-Description:
|
||||||
|
|
||||||
|
zkey: Add properties file handling routines
|
||||||
|
|
||||||
|
In preparation for a new feature, introduce property file
|
||||||
|
handling routines. A property file stores key value pairs
|
||||||
|
in a text file. Optionally a hash of all keys and values
|
||||||
|
contained in the properties file can be generated to
|
||||||
|
ensure integrity of the properties file and to detect
|
||||||
|
manual modifications.
|
||||||
|
|
||||||
|
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||||
|
Reviewed-by: Hendrik Brueckner <brueckner@linux.ibm.com>
|
||||||
|
Signed-off-by: Jan Höppner <hoeppner@linux.ibm.com>
|
||||||
|
|
||||||
|
|
||||||
|
Signed-off-by: Philipp Rudo <prudo@linux.ibm.com>
|
||||||
|
---
|
||||||
|
zkey/Makefile | 5
|
||||||
|
zkey/properties.c | 409 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
|
||||||
|
zkey/properties.h | 36 ++++
|
||||||
|
3 files changed, 448 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
--- a/zkey/Makefile
|
||||||
|
+++ b/zkey/Makefile
|
||||||
|
@@ -1,15 +1,16 @@
|
||||||
|
include ../common.mak
|
||||||
|
|
||||||
|
CPPFLAGS += -I../include
|
||||||
|
-LDLIBS += -ldl
|
||||||
|
+LDLIBS += -ldl -lcrypto
|
||||||
|
|
||||||
|
all: zkey
|
||||||
|
|
||||||
|
libs = $(rootdir)/libutil/libutil.a
|
||||||
|
|
||||||
|
zkey.o: zkey.c pkey.h misc.h
|
||||||
|
+properties.o: properties.c properties.h
|
||||||
|
|
||||||
|
-zkey: zkey.o $(libs)
|
||||||
|
+zkey: zkey.o properties.o $(libs)
|
||||||
|
|
||||||
|
install: all
|
||||||
|
$(INSTALL) -d -m 755 $(DESTDIR)$(USRBINDIR)
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/zkey/properties.c
|
||||||
|
@@ -0,0 +1,409 @@
|
||||||
|
+/*
|
||||||
|
+ * zkey - Generate, re-encipher, and validate secure keys
|
||||||
|
+ *
|
||||||
|
+ * Properties file handling functions
|
||||||
|
+ *
|
||||||
|
+ * Copyright IBM Corp. 2018
|
||||||
|
+ *
|
||||||
|
+ * s390-tools is free software; you can redistribute it and/or modify
|
||||||
|
+ * it under the terms of the MIT license. See LICENSE for details.
|
||||||
|
+ */
|
||||||
|
+
|
||||||
|
+#include <errno.h>
|
||||||
|
+#include <stdio.h>
|
||||||
|
+#include <stdlib.h>
|
||||||
|
+#include <string.h>
|
||||||
|
+
|
||||||
|
+#include <openssl/evp.h>
|
||||||
|
+
|
||||||
|
+#include "lib/util_libc.h"
|
||||||
|
+#include "lib/util_list.h"
|
||||||
|
+#include "lib/util_panic.h"
|
||||||
|
+
|
||||||
|
+#include "properties.h"
|
||||||
|
+
|
||||||
|
+struct properties {
|
||||||
|
+ struct util_list list;
|
||||||
|
+};
|
||||||
|
+
|
||||||
|
+struct property {
|
||||||
|
+ struct util_list_node node;
|
||||||
|
+ char *name;
|
||||||
|
+ char *value;
|
||||||
|
+};
|
||||||
|
+
|
||||||
|
+#define SHA256_DIGEST_LEN 32
|
||||||
|
+#define INTEGRITY_KEY_NAME "__hash__"
|
||||||
|
+
|
||||||
|
+#define RESTRICTED_PROPERTY_NAME_CHARS "=\n"
|
||||||
|
+#define RESTRICTED_PROPERTY_VALUE_CHARS "\n"
|
||||||
|
+
|
||||||
|
+static int openssl_initialized;
|
||||||
|
+
|
||||||
|
+/**
|
||||||
|
+ * Allocate and initialize a SHA-256 context
|
||||||
|
+ *
|
||||||
|
+ * @returns a SHA context
|
||||||
|
+ */
|
||||||
|
+static EVP_MD_CTX *sha256_init(void)
|
||||||
|
+{
|
||||||
|
+ EVP_MD_CTX *ctx;
|
||||||
|
+ int rc;
|
||||||
|
+
|
||||||
|
+ if (!openssl_initialized) {
|
||||||
|
+ OpenSSL_add_all_algorithms();
|
||||||
|
+ openssl_initialized = 1;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ ctx = EVP_MD_CTX_create();
|
||||||
|
+ util_assert(ctx != NULL,
|
||||||
|
+ "Internal error: OpenSSL MD context allocation failed");
|
||||||
|
+
|
||||||
|
+ rc = EVP_DigestInit_ex(ctx, EVP_sha256(), NULL);
|
||||||
|
+ util_assert(rc == 1, "Internal error: SHA-256 digest init failed");
|
||||||
|
+
|
||||||
|
+ return ctx;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+/**
|
||||||
|
+ * Add data to the SHA-256 context
|
||||||
|
+ *
|
||||||
|
+ * @parm[in] ctx the SHA context
|
||||||
|
+ * @parm[in] data the data to be hashed
|
||||||
|
+ * @parm[in] data_len the length of the data
|
||||||
|
+ */
|
||||||
|
+static void sha256_update(EVP_MD_CTX *ctx,
|
||||||
|
+ const char *data, unsigned int data_len)
|
||||||
|
+{
|
||||||
|
+ int rc;
|
||||||
|
+
|
||||||
|
+ util_assert(ctx != NULL, "Internal error: OpenSSL MD context is NULL");
|
||||||
|
+ util_assert(data != NULL || data_len == 0,
|
||||||
|
+ "Internal error: data is NULL");
|
||||||
|
+
|
||||||
|
+ rc = EVP_DigestUpdate(ctx, data, data_len);
|
||||||
|
+
|
||||||
|
+ util_assert(rc == 1, "Internal error: SHA-256 digest udpdate failed");
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+/**
|
||||||
|
+ * Produce the digest for the SHA-256 context and free the context
|
||||||
|
+ *
|
||||||
|
+ * @parm[in] ctx the SHA context
|
||||||
|
+ * @parm[out] digest a buffer where the digest is stored
|
||||||
|
+ * @parm[in/out] digest_len on entry, *digest_len contains the size of the
|
||||||
|
+ * digest buffer, which must be large enough to hold
|
||||||
|
+ * a SHA-256 digest (32 bytes),
|
||||||
|
+ * on exit it contains the size of the digest
|
||||||
|
+ * returned in the buffer.
|
||||||
|
+ */
|
||||||
|
+static void sha256_final(EVP_MD_CTX *ctx,
|
||||||
|
+ unsigned char *digest, unsigned int *digest_len)
|
||||||
|
+{
|
||||||
|
+ int rc;
|
||||||
|
+
|
||||||
|
+ util_assert(ctx != NULL, "Internal error: OpenSSL MD context is NULL");
|
||||||
|
+
|
||||||
|
+ if (digest != NULL && digest_len != NULL) {
|
||||||
|
+ util_assert(*digest_len >= (unsigned int)EVP_MD_CTX_size(ctx),
|
||||||
|
+ "Internal error: digest_len is too small");
|
||||||
|
+
|
||||||
|
+ rc = EVP_DigestFinal_ex(ctx, digest, digest_len);
|
||||||
|
+ util_assert(rc == 1,
|
||||||
|
+ "Internal error: SHA-256 digest final failed");
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ EVP_MD_CTX_destroy(ctx);
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+/**
|
||||||
|
+ * Allocates a new properties object
|
||||||
|
+ *
|
||||||
|
+ * @returns the properties object
|
||||||
|
+ */
|
||||||
|
+struct properties *properties_new(void)
|
||||||
|
+{
|
||||||
|
+ struct properties *properties;
|
||||||
|
+
|
||||||
|
+ properties = util_zalloc(sizeof(struct properties));
|
||||||
|
+
|
||||||
|
+ util_list_init_offset(&properties->list,
|
||||||
|
+ offsetof(struct property, node));
|
||||||
|
+ return properties;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+/**
|
||||||
|
+ * Frees a properties object with all its properties
|
||||||
|
+ *
|
||||||
|
+ * @param[in] properties the properties object
|
||||||
|
+ */
|
||||||
|
+void properties_free(struct properties *properties)
|
||||||
|
+{
|
||||||
|
+ struct property *property;
|
||||||
|
+
|
||||||
|
+ util_assert(properties != NULL, "Internal error: properties is NULL");
|
||||||
|
+
|
||||||
|
+ while ((property = util_list_start(&properties->list)) != NULL) {
|
||||||
|
+ free(property->name);
|
||||||
|
+ free(property->value);
|
||||||
|
+ util_list_remove(&properties->list, property);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ free(properties);
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+/**
|
||||||
|
+ * Find a property by its name in the list iof properties
|
||||||
|
+ *
|
||||||
|
+ * @param[in] properties the properties object
|
||||||
|
+ * @param[in] name the name of the property to find
|
||||||
|
+ *
|
||||||
|
+ * @returns a pointer to the proerty when it has been found, or NULL if not
|
||||||
|
+ */
|
||||||
|
+static struct property *properties_find(struct properties *properties,
|
||||||
|
+ const char *name)
|
||||||
|
+{
|
||||||
|
+ struct property *property;
|
||||||
|
+
|
||||||
|
+ property = util_list_start(&properties->list);
|
||||||
|
+ while (property != NULL) {
|
||||||
|
+ if (strcmp(property->name, name) == 0)
|
||||||
|
+ return property;
|
||||||
|
+ property = util_list_next(&properties->list, property);
|
||||||
|
+ }
|
||||||
|
+ return NULL;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+/**
|
||||||
|
+ * Adds or updates a property
|
||||||
|
+ *
|
||||||
|
+ * @param[in] properties the properties object
|
||||||
|
+ * @param[in] name the name of the property
|
||||||
|
+ * @param[in] value the value of the property
|
||||||
|
+ *
|
||||||
|
+ * @returns 0 on success,
|
||||||
|
+ * -EINVAL if the name or value contains invalid characters
|
||||||
|
+ */
|
||||||
|
+int properties_set(struct properties *properties,
|
||||||
|
+ const char *name, const char *value)
|
||||||
|
+{
|
||||||
|
+ struct property *property;
|
||||||
|
+
|
||||||
|
+ util_assert(properties != NULL, "Internal error: properties is NULL");
|
||||||
|
+ util_assert(name != NULL, "Internal error: name is NULL");
|
||||||
|
+ util_assert(value != NULL, "Internal error: value is NULL");
|
||||||
|
+
|
||||||
|
+ if (strpbrk(name, RESTRICTED_PROPERTY_NAME_CHARS) != NULL)
|
||||||
|
+ return -EINVAL;
|
||||||
|
+ if (strpbrk(value, RESTRICTED_PROPERTY_VALUE_CHARS) != NULL)
|
||||||
|
+ return -EINVAL;
|
||||||
|
+
|
||||||
|
+ property = properties_find(properties, name);
|
||||||
|
+ if (property != NULL) {
|
||||||
|
+ free(property->value);
|
||||||
|
+ property->value = util_strdup(value);
|
||||||
|
+ } else {
|
||||||
|
+ property = util_zalloc(sizeof(struct property));
|
||||||
|
+ property->name = util_strdup(name);
|
||||||
|
+ property->value = util_strdup(value);
|
||||||
|
+ util_list_add_tail(&properties->list, property);
|
||||||
|
+ }
|
||||||
|
+ return 0;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+/**
|
||||||
|
+ * Gets a property
|
||||||
|
+ *
|
||||||
|
+ * @param[in] properties the properties object
|
||||||
|
+ * @param[in] name the name of the property
|
||||||
|
+ *
|
||||||
|
+ * @returns a string containing the property value, or NULL if the property
|
||||||
|
+ * was not found.
|
||||||
|
+ * Note: The returned string must be freed via free() by the caller.
|
||||||
|
+ */
|
||||||
|
+char *properties_get(struct properties *properties, const char *name)
|
||||||
|
+{
|
||||||
|
+ struct property *property;
|
||||||
|
+
|
||||||
|
+ util_assert(properties != NULL, "Internal error: properties is NULL");
|
||||||
|
+ util_assert(name != NULL, "Internal error: name is NULL");
|
||||||
|
+
|
||||||
|
+ property = properties_find(properties, name);
|
||||||
|
+ if (property == NULL)
|
||||||
|
+ return NULL;
|
||||||
|
+
|
||||||
|
+ return util_strdup(property->value);
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+/**
|
||||||
|
+ * Removes a property
|
||||||
|
+ *
|
||||||
|
+ * @param[in] properties the properties object
|
||||||
|
+ * @param[in] name the name of the property
|
||||||
|
+ *
|
||||||
|
+ * @returns 0 on success, -ENOENT if the property was not found.
|
||||||
|
+ */
|
||||||
|
+int properties_remove(struct properties *properties, const char *name)
|
||||||
|
+{
|
||||||
|
+ struct property *property;
|
||||||
|
+
|
||||||
|
+ util_assert(properties != NULL, "Internal error: properties is NULL");
|
||||||
|
+ util_assert(name != NULL, "Internal error: name is NULL");
|
||||||
|
+
|
||||||
|
+ property = properties_find(properties, name);
|
||||||
|
+ if (property == NULL)
|
||||||
|
+ return -ENOENT;
|
||||||
|
+
|
||||||
|
+ free(property->name);
|
||||||
|
+ free(property->value);
|
||||||
|
+ util_list_remove(&properties->list, property);
|
||||||
|
+ return 0;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+/**
|
||||||
|
+ * Saves the properties to a file
|
||||||
|
+ *
|
||||||
|
+ * @param[in] properties the properties object
|
||||||
|
+ * @param[in] filename the file name
|
||||||
|
+ * @param[in] check_integrity if TRUE, an hash of the key and values is
|
||||||
|
+ * stored as part of the file.
|
||||||
|
+ *
|
||||||
|
+ * @returns 0 on success, -EIO the file could not be created
|
||||||
|
+ */
|
||||||
|
+int properties_save(struct properties *properties, const char *filename,
|
||||||
|
+ bool check_integrity)
|
||||||
|
+{
|
||||||
|
+ char digest_hex[SHA256_DIGEST_LEN * 2 + 1];
|
||||||
|
+ unsigned char digest[SHA256_DIGEST_LEN];
|
||||||
|
+ unsigned int digest_len = sizeof(digest);
|
||||||
|
+ struct property *property;
|
||||||
|
+ EVP_MD_CTX *ctx = NULL;
|
||||||
|
+ unsigned int i;
|
||||||
|
+ FILE *fp;
|
||||||
|
+
|
||||||
|
+ util_assert(properties != NULL, "Internal error: properties is NULL");
|
||||||
|
+ util_assert(filename != NULL, "Internal error: filename is NULL");
|
||||||
|
+
|
||||||
|
+ fp = fopen(filename, "w");
|
||||||
|
+ if (fp == NULL)
|
||||||
|
+ return -EIO;
|
||||||
|
+
|
||||||
|
+ if (check_integrity)
|
||||||
|
+ ctx = sha256_init();
|
||||||
|
+
|
||||||
|
+ property = util_list_start(&properties->list);
|
||||||
|
+ while (property != NULL) {
|
||||||
|
+ fprintf(fp, "%s=%s\n", property->name, property->value);
|
||||||
|
+
|
||||||
|
+ if (check_integrity) {
|
||||||
|
+ sha256_update(ctx, property->name,
|
||||||
|
+ strlen(property->name));
|
||||||
|
+ sha256_update(ctx, property->value,
|
||||||
|
+ strlen(property->value));
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ property = util_list_next(&properties->list, property);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (check_integrity) {
|
||||||
|
+ sha256_final(ctx, digest, &digest_len);
|
||||||
|
+ util_assert(digest_len <= SHA256_DIGEST_LEN,
|
||||||
|
+ "Internal error: digest length too long");
|
||||||
|
+
|
||||||
|
+ for (i = 0; i < digest_len; i++)
|
||||||
|
+ sprintf(&digest_hex[i * 2], "%02x", digest[i]);
|
||||||
|
+ digest_hex[digest_len * 2] = '\0';
|
||||||
|
+
|
||||||
|
+ fprintf(fp, "%s=%s\n", INTEGRITY_KEY_NAME, digest_hex);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ fclose(fp);
|
||||||
|
+ return 0;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+/**
|
||||||
|
+ * Loads the properties from a file
|
||||||
|
+ *
|
||||||
|
+ * @param[in] properties the properties object
|
||||||
|
+ * @param[in] filename the file name
|
||||||
|
+ * @param[in] check_integrity if TRUE, an hash of the key and values is
|
||||||
|
+ * compared with the hash stored as part of the file.
|
||||||
|
+ *
|
||||||
|
+ * @returns 0 on success, -EIO the file could not be created,
|
||||||
|
+ * -EPERM in case of a syntax error or an integrity error
|
||||||
|
+ */
|
||||||
|
+int properties_load(struct properties *properties, const char *filename,
|
||||||
|
+ bool check_integrity)
|
||||||
|
+{
|
||||||
|
+ char digest_hex[SHA256_DIGEST_LEN * 2 + 1];
|
||||||
|
+ unsigned char digest[SHA256_DIGEST_LEN];
|
||||||
|
+ unsigned int digest_len = sizeof(digest);
|
||||||
|
+ char *digest_read = NULL;
|
||||||
|
+ EVP_MD_CTX *ctx = NULL;
|
||||||
|
+ char line[4096];
|
||||||
|
+ unsigned int len, i;
|
||||||
|
+ int rc = 0;
|
||||||
|
+ char *ch;
|
||||||
|
+ FILE *fp;
|
||||||
|
+
|
||||||
|
+ util_assert(properties != NULL, "Internal error: properties is NULL");
|
||||||
|
+ util_assert(filename != NULL, "Internal error: filename is NULL");
|
||||||
|
+
|
||||||
|
+ fp = fopen(filename, "r");
|
||||||
|
+ if (fp == NULL)
|
||||||
|
+ return -EIO;
|
||||||
|
+
|
||||||
|
+ if (check_integrity)
|
||||||
|
+ ctx = sha256_init();
|
||||||
|
+
|
||||||
|
+ while (fgets(line, sizeof(line), fp) != NULL) {
|
||||||
|
+ len = strlen(line);
|
||||||
|
+ if (line[len-1] == '\n')
|
||||||
|
+ line[len-1] = '\0';
|
||||||
|
+ ch = strchr(line, '=');
|
||||||
|
+ if (ch == NULL) {
|
||||||
|
+ rc = -EPERM;
|
||||||
|
+ goto out;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ *ch = '\0';
|
||||||
|
+ ch++;
|
||||||
|
+
|
||||||
|
+ if (check_integrity) {
|
||||||
|
+ if (strcmp(line, INTEGRITY_KEY_NAME) == 0) {
|
||||||
|
+ digest_read = util_strdup(ch);
|
||||||
|
+ continue;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ sha256_update(ctx, line, strlen(line));
|
||||||
|
+ sha256_update(ctx, ch, strlen(ch));
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ properties_set(properties, line, ch);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (check_integrity) {
|
||||||
|
+ sha256_final(ctx, digest, &digest_len);
|
||||||
|
+ ctx = NULL;
|
||||||
|
+ util_assert(digest_len <= SHA256_DIGEST_LEN,
|
||||||
|
+ "Internal error: digest length too long");
|
||||||
|
+
|
||||||
|
+ for (i = 0; i < digest_len; i++)
|
||||||
|
+ sprintf(&digest_hex[i * 2], "%02x", digest[i]);
|
||||||
|
+ digest_hex[digest_len * 2] = '\0';
|
||||||
|
+
|
||||||
|
+ if (digest_read == NULL ||
|
||||||
|
+ strcmp(digest_hex, digest_read) != 0) {
|
||||||
|
+ rc = -EPERM;
|
||||||
|
+ goto out;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+out:
|
||||||
|
+ if (ctx != NULL)
|
||||||
|
+ sha256_final(ctx, NULL, NULL);
|
||||||
|
+ if (digest_read != NULL)
|
||||||
|
+ free(digest_read);
|
||||||
|
+ fclose(fp);
|
||||||
|
+ return rc;
|
||||||
|
+}
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/zkey/properties.h
|
||||||
|
@@ -0,0 +1,36 @@
|
||||||
|
+/*
|
||||||
|
+ * zkey - Generate, re-encipher, and validate secure keys
|
||||||
|
+ *
|
||||||
|
+ * Properties file handling functions
|
||||||
|
+ *
|
||||||
|
+ * Copyright IBM Corp. 2018
|
||||||
|
+ *
|
||||||
|
+ * s390-tools is free software; you can redistribute it and/or modify
|
||||||
|
+ * it under the terms of the MIT license. See LICENSE for details.
|
||||||
|
+ */
|
||||||
|
+
|
||||||
|
+#ifndef PROPFILE_H
|
||||||
|
+#define PROPFILE_H
|
||||||
|
+
|
||||||
|
+#include <stdbool.h>
|
||||||
|
+
|
||||||
|
+struct properties;
|
||||||
|
+
|
||||||
|
+struct properties *properties_new(void);
|
||||||
|
+
|
||||||
|
+void properties_free(struct properties *properties);
|
||||||
|
+
|
||||||
|
+int properties_set(struct properties *properties,
|
||||||
|
+ const char *name, const char *value);
|
||||||
|
+
|
||||||
|
+char *properties_get(struct properties *properties, const char *name);
|
||||||
|
+
|
||||||
|
+int properties_remove(struct properties *properties, const char *name);
|
||||||
|
+
|
||||||
|
+int properties_save(struct properties *properties, const char *filename,
|
||||||
|
+ bool check_integrity);
|
||||||
|
+
|
||||||
|
+int properties_load(struct properties *properties, const char *filename,
|
||||||
|
+ bool check_integrity);
|
||||||
|
+
|
||||||
|
+#endif
|
@ -0,0 +1,89 @@
|
|||||||
|
Subject: zkey: Add build dependency to OpenSSL (libcrypto)
|
||||||
|
From: Philipp Rudo <prudo@linux.ibm.com>
|
||||||
|
|
||||||
|
Summary: zkey: Add support of protected key crypto for dm-crypt.
|
||||||
|
Description: Support the usage of protected key crypto for dm-crypt disks in
|
||||||
|
plain format by providing a tool to manage a key repository
|
||||||
|
allowing to associate secure keys with disk partitions or logical
|
||||||
|
volumes.
|
||||||
|
Upstream-ID: 5e24f74fdefc5fe7d315df080832f1b059485f0f
|
||||||
|
Problem-ID: SEC1800
|
||||||
|
|
||||||
|
Upstream-Description:
|
||||||
|
|
||||||
|
zkey: Add build dependency to OpenSSL (libcrypto)
|
||||||
|
|
||||||
|
The integrity support for the properties file routines use
|
||||||
|
SHA-256 to build a hash of the keys and values of a property file.
|
||||||
|
The codes uses the EVP_DigestInit_ex, EVP_DigestUpdate, and
|
||||||
|
EVP_DigestFinal from the libcrypto library (OpenSSL).
|
||||||
|
|
||||||
|
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||||
|
Reviewed-by: Hendrik Brueckner <brueckner@linux.ibm.com>
|
||||||
|
Signed-off-by: Jan Höppner <hoeppner@linux.ibm.com>
|
||||||
|
|
||||||
|
|
||||||
|
Signed-off-by: Philipp Rudo <prudo@linux.ibm.com>
|
||||||
|
---
|
||||||
|
README.md | 6 ++++++
|
||||||
|
zkey/Makefile | 21 ++++++++++++++++++++-
|
||||||
|
2 files changed, 26 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
--- a/README.md
|
||||||
|
+++ b/README.md
|
||||||
|
@@ -263,6 +263,7 @@ build options:
|
||||||
|
| ncurses | `HAVE_NCURSES` | hyptop |
|
||||||
|
| pfm | `HAVE_PFM` | cpacfstats |
|
||||||
|
| net-snmp | `HAVE_SNMP` | osasnmpd |
|
||||||
|
+| openssl | `HAVE_OPENSSL` | zkey |
|
||||||
|
|
||||||
|
This table lists additional build or install options:
|
||||||
|
|
||||||
|
@@ -365,3 +366,8 @@ the different tools are provided:
|
||||||
|
For running znetconf these programs are required:
|
||||||
|
- modprobe (kmod)
|
||||||
|
- vmcp (s390-tools)
|
||||||
|
+
|
||||||
|
+* zkey:
|
||||||
|
+ For building the zkey tools you need openssl version 0.9.7 or newer installed
|
||||||
|
+ (openssl-devel.rpm). Tip: you may skip the zkey build by adding
|
||||||
|
+ `HAVE_OPENSSL=0` to the make invocation.
|
||||||
|
--- a/zkey/Makefile
|
||||||
|
+++ b/zkey/Makefile
|
||||||
|
@@ -1,9 +1,26 @@
|
||||||
|
include ../common.mak
|
||||||
|
|
||||||
|
+ifeq (${HAVE_OPENSSL},0)
|
||||||
|
+
|
||||||
|
+all:
|
||||||
|
+ $(SKIP) HAVE_OPENSSL=0
|
||||||
|
+
|
||||||
|
+install:
|
||||||
|
+ $(SKIP) HAVE_OPENSSL=0
|
||||||
|
+
|
||||||
|
+else
|
||||||
|
+
|
||||||
|
+check_dep:
|
||||||
|
+ $(call check_dep, \
|
||||||
|
+ "zkey", \
|
||||||
|
+ "openssl/evp.h", \
|
||||||
|
+ "openssl-devel", \
|
||||||
|
+ "HAVE_OPENSSL=0")
|
||||||
|
+
|
||||||
|
CPPFLAGS += -I../include
|
||||||
|
LDLIBS += -ldl -lcrypto
|
||||||
|
|
||||||
|
-all: zkey
|
||||||
|
+all: check_dep zkey
|
||||||
|
|
||||||
|
libs = $(rootdir)/libutil/libutil.a
|
||||||
|
|
||||||
|
@@ -18,6 +35,8 @@ install: all
|
||||||
|
$(INSTALL) -d -m 755 $(DESTDIR)$(MANDIR)/man1
|
||||||
|
$(INSTALL) -m 644 -c zkey.1 $(DESTDIR)$(MANDIR)/man1
|
||||||
|
|
||||||
|
+endif
|
||||||
|
+
|
||||||
|
clean:
|
||||||
|
rm -f *.o zkey
|
||||||
|
|
@ -0,0 +1,276 @@
|
|||||||
|
Subject: zkey: Add helper functions for comma separated string handling
|
||||||
|
From: Philipp Rudo <prudo@linux.ibm.com>
|
||||||
|
|
||||||
|
Summary: zkey: Add support of protected key crypto for dm-crypt.
|
||||||
|
Description: Support the usage of protected key crypto for dm-crypt disks in
|
||||||
|
plain format by providing a tool to manage a key repository
|
||||||
|
allowing to associate secure keys with disk partitions or logical
|
||||||
|
volumes.
|
||||||
|
Upstream-ID: a090a1ffe8bc780059ebed99f19d32a2a6a3426d
|
||||||
|
Problem-ID: SEC1800
|
||||||
|
|
||||||
|
Upstream-Description:
|
||||||
|
|
||||||
|
zkey: Add helper functions for comma separated string handling
|
||||||
|
|
||||||
|
Comma separated strings are used in property values to store
|
||||||
|
multiple values in one property. These helper functions allow to
|
||||||
|
work with such comma separated strings.
|
||||||
|
|
||||||
|
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||||
|
Reviewed-by: Hendrik Brueckner <brueckner@linux.ibm.com>
|
||||||
|
Signed-off-by: Jan Höppner <hoeppner@linux.ibm.com>
|
||||||
|
|
||||||
|
|
||||||
|
Signed-off-by: Philipp Rudo <prudo@linux.ibm.com>
|
||||||
|
---
|
||||||
|
zkey/properties.c | 214 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
|
||||||
|
zkey/properties.h | 12 +++
|
||||||
|
2 files changed, 226 insertions(+)
|
||||||
|
|
||||||
|
--- a/zkey/properties.c
|
||||||
|
+++ b/zkey/properties.c
|
||||||
|
@@ -38,6 +38,8 @@ struct property {
|
||||||
|
#define RESTRICTED_PROPERTY_NAME_CHARS "=\n"
|
||||||
|
#define RESTRICTED_PROPERTY_VALUE_CHARS "\n"
|
||||||
|
|
||||||
|
+#define RESTRICTED_STR_LIST_CHARS ",\n"
|
||||||
|
+
|
||||||
|
static int openssl_initialized;
|
||||||
|
|
||||||
|
/**
|
||||||
|
@@ -407,3 +409,215 @@ out:
|
||||||
|
fclose(fp);
|
||||||
|
return rc;
|
||||||
|
}
|
||||||
|
+
|
||||||
|
+/**
|
||||||
|
+ * Combines a list of strings into one comma separated string
|
||||||
|
+ *
|
||||||
|
+ * @param[in] strings zero terminated array of pointers to C-strings
|
||||||
|
+ *
|
||||||
|
+ * @returns a new string. This must be freed by the caller when no longer used.
|
||||||
|
+ * returns NULL if a string contains an invalid character.
|
||||||
|
+ */
|
||||||
|
+char *str_list_combine(const char **strings)
|
||||||
|
+{
|
||||||
|
+ unsigned int i, size;
|
||||||
|
+ char *str;
|
||||||
|
+
|
||||||
|
+ util_assert(strings != NULL, "Internal error: strings is NULL");
|
||||||
|
+
|
||||||
|
+ for (i = 0, size = 0; strings[i] != NULL; i++) {
|
||||||
|
+ if (strpbrk(strings[i], RESTRICTED_STR_LIST_CHARS) != NULL)
|
||||||
|
+ return NULL;
|
||||||
|
+
|
||||||
|
+ if (i > 0)
|
||||||
|
+ size += 1;
|
||||||
|
+ size += strlen(strings[i]);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ str = util_zalloc(size + 1);
|
||||||
|
+ for (i = 0, size = 0; strings[i] != NULL; i++) {
|
||||||
|
+ if (i > 0)
|
||||||
|
+ strcat(str, ",");
|
||||||
|
+ strcat(str, strings[i]);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ return str;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+/**
|
||||||
|
+ * Splits a comma separated string into its parts
|
||||||
|
+ *
|
||||||
|
+ * @param[in] str_list the comma separated string
|
||||||
|
+ *
|
||||||
|
+ * @returns a zero terminated array of pointers to C-strings. This array
|
||||||
|
+ * and all individual C-Strings need to be freed bay the caller when
|
||||||
|
+ * no longer used. This can be done using str_list_free_string_array().
|
||||||
|
+ */
|
||||||
|
+char **str_list_split(const char *str_list)
|
||||||
|
+{
|
||||||
|
+ unsigned int i, count;
|
||||||
|
+ char **list;
|
||||||
|
+ char *copy;
|
||||||
|
+ char *tok;
|
||||||
|
+
|
||||||
|
+ util_assert(str_list != NULL, "Internal error: str_list is NULL");
|
||||||
|
+
|
||||||
|
+ count = str_list_count(str_list);
|
||||||
|
+ list = util_zalloc((count + 1) * sizeof(char *));
|
||||||
|
+
|
||||||
|
+ copy = util_strdup(str_list);
|
||||||
|
+ tok = strtok(copy, ",");
|
||||||
|
+ i = 0;
|
||||||
|
+ while (tok != NULL) {
|
||||||
|
+ list[i] = util_strdup(tok);
|
||||||
|
+ i++;
|
||||||
|
+ tok = strtok(NULL, ",");
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ free(copy);
|
||||||
|
+ return list;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+/**
|
||||||
|
+ * Count the number of parts a comma separated string contains
|
||||||
|
+ *
|
||||||
|
+ * param[in] str_list the comma separated string
|
||||||
|
+ *
|
||||||
|
+ * @returns the number of parts
|
||||||
|
+ */
|
||||||
|
+unsigned int str_list_count(const char *str_list)
|
||||||
|
+{
|
||||||
|
+ unsigned int i, count;
|
||||||
|
+
|
||||||
|
+ util_assert(str_list != NULL, "Internal error: str_list is NULL");
|
||||||
|
+
|
||||||
|
+ if (strlen(str_list) == 0)
|
||||||
|
+ return 0;
|
||||||
|
+
|
||||||
|
+ for (i = 0, count = 1; str_list[i] != '\0'; i++)
|
||||||
|
+ if (str_list[i] == ',')
|
||||||
|
+ count++;
|
||||||
|
+ return count;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+/**
|
||||||
|
+ * Find a string in a comma separated string
|
||||||
|
+ *
|
||||||
|
+ * @param str_list the comma separated string.
|
||||||
|
+ * @param str the string to find
|
||||||
|
+ *
|
||||||
|
+ * @returns a pointer to the string within the comma separated string,
|
||||||
|
+ * or NULL if the string was not found
|
||||||
|
+ *
|
||||||
|
+ */
|
||||||
|
+static char *str_list_find(const char *str_list, const char *str)
|
||||||
|
+{
|
||||||
|
+ char *before;
|
||||||
|
+ char *after;
|
||||||
|
+ char *ch;
|
||||||
|
+
|
||||||
|
+ ch = strstr(str_list, str);
|
||||||
|
+ if (ch == NULL)
|
||||||
|
+ return NULL;
|
||||||
|
+
|
||||||
|
+ if (ch != str_list) {
|
||||||
|
+ before = ch - 1;
|
||||||
|
+ if (*before != ',')
|
||||||
|
+ return NULL;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ after = ch + strlen(str);
|
||||||
|
+ if (*after != ',' && *after != '\0')
|
||||||
|
+ return NULL;
|
||||||
|
+
|
||||||
|
+ return ch;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+/**
|
||||||
|
+ * Appends a string to a comma separated string
|
||||||
|
+ *
|
||||||
|
+ * @param str_list the comma separated string.
|
||||||
|
+ * @param str the string to add
|
||||||
|
+ *
|
||||||
|
+ * @returns a new comma separated string. This must be freed by the caller when
|
||||||
|
+ * no longer used. If the string to add is already contained in the
|
||||||
|
+ * comma separated list, it is not added and NULL is returned.
|
||||||
|
+ * If the string to be added contains a comma, NULL is returned.
|
||||||
|
+ */
|
||||||
|
+char *str_list_add(const char *str_list, const char *str)
|
||||||
|
+{
|
||||||
|
+ char *ret;
|
||||||
|
+
|
||||||
|
+ util_assert(str_list != NULL, "Internal error: str_list is NULL");
|
||||||
|
+ util_assert(str != NULL, "Internal error: str is NULL");
|
||||||
|
+
|
||||||
|
+ if (strpbrk(str, RESTRICTED_STR_LIST_CHARS) != NULL)
|
||||||
|
+ return NULL;
|
||||||
|
+
|
||||||
|
+ if (str_list_find(str_list, str))
|
||||||
|
+ return NULL;
|
||||||
|
+
|
||||||
|
+ ret = util_zalloc(strlen(str_list) + 1 + strlen(str) + 1);
|
||||||
|
+ strcpy(ret, str_list);
|
||||||
|
+ if (strlen(str_list) > 0)
|
||||||
|
+ strcat(ret, ",");
|
||||||
|
+ strcat(ret, str);
|
||||||
|
+
|
||||||
|
+ return ret;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+/**
|
||||||
|
+ * Removes a string from a comma separated string
|
||||||
|
+ *
|
||||||
|
+ * @param str_list the comma separated string.
|
||||||
|
+ * @param str the string to remove
|
||||||
|
+ *
|
||||||
|
+ * @returns a new comma separated string. This must be freed by the caller when
|
||||||
|
+ * no longer used. If the string to remove is not found in the
|
||||||
|
+ * comma separated string, NULL is returned
|
||||||
|
+ */
|
||||||
|
+char *str_list_remove(const char *str_list, const char *str)
|
||||||
|
+{
|
||||||
|
+ char *after;
|
||||||
|
+ char *ret;
|
||||||
|
+ char *ch;
|
||||||
|
+
|
||||||
|
+ util_assert(str_list != NULL, "Internal error: str_list is NULL");
|
||||||
|
+ util_assert(str != NULL, "Internal error: str is NULL");
|
||||||
|
+
|
||||||
|
+ ch = str_list_find(str_list, str);
|
||||||
|
+ if (ch == NULL)
|
||||||
|
+ return NULL;
|
||||||
|
+
|
||||||
|
+ after = ch + strlen(str);
|
||||||
|
+ if (*after == ',') {
|
||||||
|
+ /* there are more parts after the one to remove */
|
||||||
|
+ ret = util_zalloc(strlen(str_list) - strlen(str) - 1 + 1);
|
||||||
|
+ strncpy(ret, str_list, ch - str_list);
|
||||||
|
+ strcat(ret, after + 1);
|
||||||
|
+ } else if (ch == str_list) {
|
||||||
|
+ /* removing the one and only part -> empty string */
|
||||||
|
+ ret = util_zalloc(1);
|
||||||
|
+ } else {
|
||||||
|
+ /* there are no more parts after the one to remove */
|
||||||
|
+ ret = util_zalloc(strlen(str_list) - strlen(str) - 1 + 1);
|
||||||
|
+ strncpy(ret, str_list, ch - 1 - str_list);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ return ret;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+/**
|
||||||
|
+ * Frees a string array (as produced by str_list_split())
|
||||||
|
+ *
|
||||||
|
+ * @param strings a NULL terminated array of pointers to C-Strings.
|
||||||
|
+ */
|
||||||
|
+void str_list_free_string_array(char **strings)
|
||||||
|
+{
|
||||||
|
+ util_assert(strings != NULL, "Internal error: strings is NULL");
|
||||||
|
+
|
||||||
|
+ while (*strings != NULL) {
|
||||||
|
+ free((void *)*strings);
|
||||||
|
+ strings++;
|
||||||
|
+ }
|
||||||
|
+}
|
||||||
|
--- a/zkey/properties.h
|
||||||
|
+++ b/zkey/properties.h
|
||||||
|
@@ -33,4 +33,16 @@ int properties_save(struct properties *p
|
||||||
|
int properties_load(struct properties *properties, const char *filename,
|
||||||
|
bool check_integrity);
|
||||||
|
|
||||||
|
+char *str_list_combine(const char **strings);
|
||||||
|
+
|
||||||
|
+char **str_list_split(const char *str_list);
|
||||||
|
+
|
||||||
|
+unsigned int str_list_count(const char *str_list);
|
||||||
|
+
|
||||||
|
+char *str_list_add(const char *str_list, const char *str);
|
||||||
|
+
|
||||||
|
+char *str_list_remove(const char *str_list, const char *str);
|
||||||
|
+
|
||||||
|
+void str_list_free_string_array(char **strings);
|
||||||
|
+
|
||||||
|
#endif
|
File diff suppressed because it is too large
Load Diff
3427
s390-tools-sles15sp1-0005-zkey-Add-keystore-implementation.patch
Normal file
3427
s390-tools-sles15sp1-0005-zkey-Add-keystore-implementation.patch
Normal file
File diff suppressed because it is too large
Load Diff
1418
s390-tools-sles15sp1-0006-zkey-Add-keystore-related-commands.patch
Normal file
1418
s390-tools-sles15sp1-0006-zkey-Add-keystore-related-commands.patch
Normal file
File diff suppressed because it is too large
Load Diff
@ -0,0 +1,40 @@
|
|||||||
|
Subject: zkey: Create key repository and group during make install
|
||||||
|
From: Philipp Rudo <prudo@linux.ibm.com>
|
||||||
|
|
||||||
|
Summary: zkey: Add support of protected key crypto for dm-crypt.
|
||||||
|
Description: Support the usage of protected key crypto for dm-crypt disks in
|
||||||
|
plain format by providing a tool to manage a key repository
|
||||||
|
allowing to associate secure keys with disk partitions or logical
|
||||||
|
volumes.
|
||||||
|
Upstream-ID: 6a2f4fd3760420e11b23db13f8b736f87764d409
|
||||||
|
Problem-ID: SEC1800
|
||||||
|
|
||||||
|
Upstream-Description:
|
||||||
|
|
||||||
|
zkey: Create key repository and group during make install
|
||||||
|
|
||||||
|
Create the default keystore directory '/etc/zkey/repository'
|
||||||
|
and the user group 'zkeyadm' during make install.
|
||||||
|
|
||||||
|
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||||
|
Reviewed-by: Hendrik Brueckner <brueckner@linux.ibm.com>
|
||||||
|
Signed-off-by: Jan Höppner <hoeppner@linux.ibm.com>
|
||||||
|
|
||||||
|
|
||||||
|
Signed-off-by: Philipp Rudo <prudo@linux.ibm.com>
|
||||||
|
---
|
||||||
|
zkey/Makefile | 3 +++
|
||||||
|
1 file changed, 3 insertions(+)
|
||||||
|
|
||||||
|
--- a/zkey/Makefile
|
||||||
|
+++ b/zkey/Makefile
|
||||||
|
@@ -36,6 +36,9 @@ install: all
|
||||||
|
$(INSTALL) -g $(GROUP) -o $(OWNER) -m 755 zkey $(DESTDIR)$(USRBINDIR)
|
||||||
|
$(INSTALL) -d -m 755 $(DESTDIR)$(MANDIR)/man1
|
||||||
|
$(INSTALL) -m 644 -c zkey.1 $(DESTDIR)$(MANDIR)/man1
|
||||||
|
+ getent group zkeyadm >/dev/null || groupadd -r zkeyadm
|
||||||
|
+ $(INSTALL) -d -g zkeyadm -m 770 $(DESTDIR)$(SYSCONFDIR)/zkey
|
||||||
|
+ $(INSTALL) -d -g zkeyadm -m 770 $(DESTDIR)$(SYSCONFDIR)/zkey/repository
|
||||||
|
|
||||||
|
endif
|
||||||
|
|
1023
s390-tools-sles15sp1-0008-zkey-Man-page-updates.patch
Normal file
1023
s390-tools-sles15sp1-0008-zkey-Man-page-updates.patch
Normal file
File diff suppressed because it is too large
Load Diff
@ -0,0 +1,38 @@
|
|||||||
|
Subject: zkey: let packaging create the zkeyadm group and permission setup
|
||||||
|
From: Philipp Rudo <prudo@linux.ibm.com>
|
||||||
|
|
||||||
|
Summary: zkey: Add support of protected key crypto for dm-crypt.
|
||||||
|
Description: Support the usage of protected key crypto for dm-crypt disks in
|
||||||
|
plain format by providing a tool to manage a key repository
|
||||||
|
allowing to associate secure keys with disk partitions or logical
|
||||||
|
volumes.
|
||||||
|
Upstream-ID: 3eb9af9c97c98e9f9665af1c5e671266400aaafc
|
||||||
|
Problem-ID: SEC1800
|
||||||
|
|
||||||
|
Upstream-Description:
|
||||||
|
|
||||||
|
zkey: let packaging create the zkeyadm group and permission setup
|
||||||
|
|
||||||
|
Signed-off-by: Hendrik Brueckner <brueckner@linux.ibm.com>
|
||||||
|
Signed-off-by: Jan Höppner <hoeppner@linux.ibm.com>
|
||||||
|
|
||||||
|
|
||||||
|
Signed-off-by: Philipp Rudo <prudo@linux.ibm.com>
|
||||||
|
---
|
||||||
|
zkey/Makefile | 5 ++---
|
||||||
|
1 file changed, 2 insertions(+), 3 deletions(-)
|
||||||
|
|
||||||
|
--- a/zkey/Makefile
|
||||||
|
+++ b/zkey/Makefile
|
||||||
|
@@ -36,9 +36,8 @@ install: all
|
||||||
|
$(INSTALL) -g $(GROUP) -o $(OWNER) -m 755 zkey $(DESTDIR)$(USRBINDIR)
|
||||||
|
$(INSTALL) -d -m 755 $(DESTDIR)$(MANDIR)/man1
|
||||||
|
$(INSTALL) -m 644 -c zkey.1 $(DESTDIR)$(MANDIR)/man1
|
||||||
|
- getent group zkeyadm >/dev/null || groupadd -r zkeyadm
|
||||||
|
- $(INSTALL) -d -g zkeyadm -m 770 $(DESTDIR)$(SYSCONFDIR)/zkey
|
||||||
|
- $(INSTALL) -d -g zkeyadm -m 770 $(DESTDIR)$(SYSCONFDIR)/zkey/repository
|
||||||
|
+ $(INSTALL) -d -m 770 $(DESTDIR)$(SYSCONFDIR)/zkey
|
||||||
|
+ $(INSTALL) -d -m 770 $(DESTDIR)$(SYSCONFDIR)/zkey/repository
|
||||||
|
|
||||||
|
endif
|
||||||
|
|
@ -0,0 +1,34 @@
|
|||||||
|
Subject: zkey: Update README to add info about packaging requirements
|
||||||
|
From: Philipp Rudo <prudo@linux.ibm.com>
|
||||||
|
|
||||||
|
Summary: zkey: Add support of protected key crypto for dm-crypt.
|
||||||
|
Description: Support the usage of protected key crypto for dm-crypt disks in
|
||||||
|
plain format by providing a tool to manage a key repository
|
||||||
|
allowing to associate secure keys with disk partitions or logical
|
||||||
|
volumes.
|
||||||
|
Upstream-ID: 80b66da1d81793232646d2504c4d4c0ec94170f1
|
||||||
|
Problem-ID: SEC1800
|
||||||
|
|
||||||
|
Upstream-Description:
|
||||||
|
|
||||||
|
zkey: Update README to add info about packaging requirements
|
||||||
|
|
||||||
|
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||||
|
Signed-off-by: Jan Höppner <hoeppner@linux.ibm.com>
|
||||||
|
|
||||||
|
|
||||||
|
Signed-off-by: Philipp Rudo <prudo@linux.ibm.com>
|
||||||
|
---
|
||||||
|
README.md | 4 ++++
|
||||||
|
1 file changed, 4 insertions(+)
|
||||||
|
|
||||||
|
--- a/README.md
|
||||||
|
+++ b/README.md
|
||||||
|
@@ -371,3 +371,7 @@ the different tools are provided:
|
||||||
|
For building the zkey tools you need openssl version 0.9.7 or newer installed
|
||||||
|
(openssl-devel.rpm). Tip: you may skip the zkey build by adding
|
||||||
|
`HAVE_OPENSSL=0` to the make invocation.
|
||||||
|
+ A new group 'zkeyadm' needs to be created and all users intending to use the
|
||||||
|
+ tool must be added to this group. The owner of the default key repository
|
||||||
|
+ '/etc/zkey/repository' must be set to group 'zkeyadm' with write permission
|
||||||
|
+ for this group.
|
34
s390-tools-sles15sp1-0011-zkey-Typo-in-message.patch
Normal file
34
s390-tools-sles15sp1-0011-zkey-Typo-in-message.patch
Normal file
@ -0,0 +1,34 @@
|
|||||||
|
Subject: zkey: Typo in message
|
||||||
|
From: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||||
|
|
||||||
|
Summary: zkey: Support CCA master key change with LUKS2 volumes using paes
|
||||||
|
Description: Support the usage of protected key crypto for dm-crypt disks in
|
||||||
|
LUKS2 format by providing a tool allowing to re-encipher a
|
||||||
|
secure LUKS2 volume key when the CCA master key is changed
|
||||||
|
Upstream-ID: dec58c349e794f6333771457d9dcb9c0768fe28e
|
||||||
|
Problem-ID: SEC1424.1
|
||||||
|
|
||||||
|
Upstream-Description:
|
||||||
|
|
||||||
|
zkey: Typo in message
|
||||||
|
|
||||||
|
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||||
|
Signed-off-by: Jan Höppner <hoeppner@linux.ibm.com>
|
||||||
|
|
||||||
|
|
||||||
|
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||||
|
---
|
||||||
|
zkey/keystore.c | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
--- a/zkey/keystore.c
|
||||||
|
+++ b/zkey/keystore.c
|
||||||
|
@@ -2319,7 +2319,7 @@ static int _keystore_process_reencipher(
|
||||||
|
|
||||||
|
if (params.complete) {
|
||||||
|
if (!_keystore_reencipher_key_exists(file_names)) {
|
||||||
|
- warnx("Staged re-enciphering in not pending for key "
|
||||||
|
+ warnx("Staged re-enciphering is not pending for key "
|
||||||
|
"'%s', skipping",
|
||||||
|
name);
|
||||||
|
info->num_skipped++;
|
102
s390-tools-sles15sp1-0012-zkey-Fix-memory-leak.patch
Normal file
102
s390-tools-sles15sp1-0012-zkey-Fix-memory-leak.patch
Normal file
@ -0,0 +1,102 @@
|
|||||||
|
Subject: zkey: Fix memory leak
|
||||||
|
From: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||||
|
|
||||||
|
Summary: zkey: Support CCA master key change with LUKS2 volumes using paes
|
||||||
|
Description: Support the usage of protected key crypto for dm-crypt disks in
|
||||||
|
LUKS2 format by providing a tool allowing to re-encipher a
|
||||||
|
secure LUKS2 volume key when the CCA master key is changed
|
||||||
|
Upstream-ID: d6a96f07c1a0ba9b1a559561698f82f5a19829ff
|
||||||
|
Problem-ID: SEC1424.1
|
||||||
|
|
||||||
|
Upstream-Description:
|
||||||
|
|
||||||
|
zkey: Fix memory leak
|
||||||
|
|
||||||
|
The APQN check routine as well as the properties helper functions
|
||||||
|
do not free all memory that they allocated.
|
||||||
|
|
||||||
|
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||||
|
Signed-off-by: Jan Höppner <hoeppner@linux.ibm.com>
|
||||||
|
|
||||||
|
|
||||||
|
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||||
|
---
|
||||||
|
zkey/keystore.c | 22 +++++++++++++++-------
|
||||||
|
zkey/properties.c | 5 +++++
|
||||||
|
2 files changed, 20 insertions(+), 7 deletions(-)
|
||||||
|
|
||||||
|
--- a/zkey/keystore.c
|
||||||
|
+++ b/zkey/keystore.c
|
||||||
|
@@ -981,25 +981,33 @@ static int _keystore_apqn_check(const ch
|
||||||
|
rc = regexec(®_buf, apqn, (size_t) 1, pmatch, 0);
|
||||||
|
if (rc != 0) {
|
||||||
|
warnx("the APQN '%s' is not valid", apqn);
|
||||||
|
- return -EINVAL;
|
||||||
|
+ rc = -EINVAL;
|
||||||
|
+ goto out;
|
||||||
|
}
|
||||||
|
|
||||||
|
- if (sscanf(apqn, "%x.%x", &card, &domain) != 2)
|
||||||
|
- return -EINVAL;
|
||||||
|
+ if (sscanf(apqn, "%x.%x", &card, &domain) != 2) {
|
||||||
|
+ rc = -EINVAL;
|
||||||
|
+ goto out;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
util_asprintf(normalized, "%02x.%04x", card, domain);
|
||||||
|
|
||||||
|
- if (remove)
|
||||||
|
- return 0;
|
||||||
|
+ if (remove) {
|
||||||
|
+ rc = 0;
|
||||||
|
+ goto out;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
rc = _keystore_is_apqn_online(card, domain);
|
||||||
|
if (rc != 1) {
|
||||||
|
warnx("The APQN %02x.%04x is %s", card, domain,
|
||||||
|
rc == -1 ? "not a CCA card" : "not online");
|
||||||
|
- return -EIO;
|
||||||
|
+ rc = -EIO;
|
||||||
|
+ goto out;
|
||||||
|
}
|
||||||
|
|
||||||
|
- return 0;
|
||||||
|
+out:
|
||||||
|
+ regfree(®_buf);
|
||||||
|
+ return rc;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
--- a/zkey/properties.c
|
||||||
|
+++ b/zkey/properties.c
|
||||||
|
@@ -149,6 +149,7 @@ void properties_free(struct properties *
|
||||||
|
free(property->name);
|
||||||
|
free(property->value);
|
||||||
|
util_list_remove(&properties->list, property);
|
||||||
|
+ free(property);
|
||||||
|
}
|
||||||
|
|
||||||
|
free(properties);
|
||||||
|
@@ -259,6 +260,7 @@ int properties_remove(struct properties
|
||||||
|
free(property->name);
|
||||||
|
free(property->value);
|
||||||
|
util_list_remove(&properties->list, property);
|
||||||
|
+ free(property);
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -614,10 +616,13 @@ char *str_list_remove(const char *str_li
|
||||||
|
*/
|
||||||
|
void str_list_free_string_array(char **strings)
|
||||||
|
{
|
||||||
|
+ char **list = strings;
|
||||||
|
+
|
||||||
|
util_assert(strings != NULL, "Internal error: strings is NULL");
|
||||||
|
|
||||||
|
while (*strings != NULL) {
|
||||||
|
free((void *)*strings);
|
||||||
|
strings++;
|
||||||
|
}
|
||||||
|
+ free(list);
|
||||||
|
}
|
@ -0,0 +1,47 @@
|
|||||||
|
Subject: zkey: Fix APQN validation routine
|
||||||
|
From: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||||
|
|
||||||
|
Summary: zkey: Support CCA master key change with LUKS2 volumes using paes
|
||||||
|
Description: Support the usage of protected key crypto for dm-crypt disks in
|
||||||
|
LUKS2 format by providing a tool allowing to re-encipher a
|
||||||
|
secure LUKS2 volume key when the CCA master key is changed
|
||||||
|
Upstream-ID: 344965bd296f434ccbd9ad5b16427590b988d480
|
||||||
|
Problem-ID: SEC1424.1
|
||||||
|
|
||||||
|
Upstream-Description:
|
||||||
|
|
||||||
|
zkey: Fix APQN validation routine
|
||||||
|
|
||||||
|
When a zkey generate or change command is used to associate one
|
||||||
|
or multiple APQNs the command succeeds, but no key is generated
|
||||||
|
and no APQNs are associated, because the return code returned by
|
||||||
|
_keystore_apqn_check() is wrong.
|
||||||
|
|
||||||
|
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||||
|
Signed-off-by: Jan Höppner <hoeppner@linux.ibm.com>
|
||||||
|
|
||||||
|
|
||||||
|
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||||
|
---
|
||||||
|
zkey/keystore.c | 3 +++
|
||||||
|
1 file changed, 3 insertions(+)
|
||||||
|
|
||||||
|
--- a/zkey/keystore.c
|
||||||
|
+++ b/zkey/keystore.c
|
||||||
|
@@ -986,6 +986,7 @@ static int _keystore_apqn_check(const ch
|
||||||
|
}
|
||||||
|
|
||||||
|
if (sscanf(apqn, "%x.%x", &card, &domain) != 2) {
|
||||||
|
+ warnx("the APQN '%s' is not valid", apqn);
|
||||||
|
rc = -EINVAL;
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
@@ -1003,6 +1004,8 @@ static int _keystore_apqn_check(const ch
|
||||||
|
rc == -1 ? "not a CCA card" : "not online");
|
||||||
|
rc = -EIO;
|
||||||
|
goto out;
|
||||||
|
+ } else {
|
||||||
|
+ rc = 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
out:
|
@ -0,0 +1,47 @@
|
|||||||
|
Subject: zkey: Fix generate and import leaving key in an inconsistent state
|
||||||
|
From: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||||
|
|
||||||
|
Summary: zkey: Support CCA master key change with LUKS2 volumes using paes
|
||||||
|
Description: Support the usage of protected key crypto for dm-crypt disks in
|
||||||
|
LUKS2 format by providing a tool allowing to re-encipher a
|
||||||
|
secure LUKS2 volume key when the CCA master key is changed
|
||||||
|
Upstream-ID: 672548ce30f61e94c8465a560a54a4a8fe568c06
|
||||||
|
Problem-ID: SEC1424.1
|
||||||
|
|
||||||
|
Upstream-Description:
|
||||||
|
|
||||||
|
zkey: Fix generate and import leaving key in an inconsistent state
|
||||||
|
|
||||||
|
When a volume or APQN association is made while generating or
|
||||||
|
importing a key, and a duplicate association is detected, then
|
||||||
|
this may leave the key in an inconsistent state.
|
||||||
|
|
||||||
|
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||||
|
Signed-off-by: Jan Höppner <hoeppner@linux.ibm.com>
|
||||||
|
|
||||||
|
|
||||||
|
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||||
|
---
|
||||||
|
zkey/keystore.c | 4 ++--
|
||||||
|
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
--- a/zkey/keystore.c
|
||||||
|
+++ b/zkey/keystore.c
|
||||||
|
@@ -1534,7 +1534,7 @@ int keystore_generate_key(struct keystor
|
||||||
|
out_free_props:
|
||||||
|
if (key_props != NULL)
|
||||||
|
properties_free(key_props);
|
||||||
|
- if (rc != 0 && rc != -EEXIST)
|
||||||
|
+ if (rc != 0)
|
||||||
|
remove(file_names.skey_filename);
|
||||||
|
out_free_key_filenames:
|
||||||
|
_keystore_free_key_filenames(&file_names);
|
||||||
|
@@ -1617,7 +1617,7 @@ int keystore_import_key(struct keystore
|
||||||
|
out_free_props:
|
||||||
|
if (key_props != NULL)
|
||||||
|
properties_free(key_props);
|
||||||
|
- if (rc != 0 && rc != -EEXIST)
|
||||||
|
+ if (rc != 0)
|
||||||
|
remove(file_names.skey_filename);
|
||||||
|
out_free_key_filenames:
|
||||||
|
_keystore_free_key_filenames(&file_names);
|
2584
s390-tools-sles15sp1-0015-zkey-Add-zkey-cryptsetup-tool.patch
Normal file
2584
s390-tools-sles15sp1-0015-zkey-Add-zkey-cryptsetup-tool.patch
Normal file
File diff suppressed because it is too large
Load Diff
@ -0,0 +1,443 @@
|
|||||||
|
Subject: zkey: Add man page for zkey-cryptsetup
|
||||||
|
From: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||||
|
|
||||||
|
Summary: zkey: Support CCA master key change with LUKS2 volumes using paes
|
||||||
|
Description: Support the usage of protected key crypto for dm-crypt disks in
|
||||||
|
LUKS2 format by providing a tool allowing to re-encipher a
|
||||||
|
secure LUKS2 volume key when the CCA master key is changed
|
||||||
|
Upstream-ID: 5e65df7375aec81d9348a57cdcbccb89a65422c3
|
||||||
|
Problem-ID: SEC1424.1
|
||||||
|
|
||||||
|
Upstream-Description:
|
||||||
|
|
||||||
|
zkey: Add man page for zkey-cryptsetup
|
||||||
|
|
||||||
|
Add documentation for the new zkey-cryptsetup tool
|
||||||
|
|
||||||
|
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||||
|
Reviewed-by: Hendrik Brueckner <brueckner@linux.ibm.com>
|
||||||
|
Signed-off-by: Jan Höppner <hoeppner@linux.ibm.com>
|
||||||
|
|
||||||
|
|
||||||
|
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||||
|
---
|
||||||
|
zkey/Makefile | 1
|
||||||
|
zkey/zkey-cryptsetup.1 | 403 +++++++++++++++++++++++++++++++++++++++++++++++++
|
||||||
|
2 files changed, 404 insertions(+)
|
||||||
|
|
||||||
|
--- a/zkey/Makefile
|
||||||
|
+++ b/zkey/Makefile
|
||||||
|
@@ -42,6 +42,7 @@ install: all
|
||||||
|
$(INSTALL) -g $(GROUP) -o $(OWNER) -m 755 zkey-cryptsetup $(DESTDIR)$(USRBINDIR)
|
||||||
|
$(INSTALL) -d -m 755 $(DESTDIR)$(MANDIR)/man1
|
||||||
|
$(INSTALL) -m 644 -c zkey.1 $(DESTDIR)$(MANDIR)/man1
|
||||||
|
+ $(INSTALL) -m 644 -c zkey-cryptsetup.1 $(DESTDIR)$(MANDIR)/man1
|
||||||
|
$(INSTALL) -d -m 770 $(DESTDIR)$(SYSCONFDIR)/zkey
|
||||||
|
$(INSTALL) -d -m 770 $(DESTDIR)$(SYSCONFDIR)/zkey/repository
|
||||||
|
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/zkey/zkey-cryptsetup.1
|
||||||
|
@@ -0,0 +1,403 @@
|
||||||
|
+.\" Copyright IBM Corp. 2018
|
||||||
|
+.\" s390-tools is free software; you can redistribute it and/or modify
|
||||||
|
+.\" it under the terms of the MIT license. See LICENSE for details.
|
||||||
|
+.\"
|
||||||
|
+.TH ZKEY\-CRYPTSETUP 1 "May 2018" "s390-tools"
|
||||||
|
+.SH NAME
|
||||||
|
+zkey\-cryptsetup \- Manage secure AES volume keys of volumes encrypted with
|
||||||
|
+\fBLUKS2\fP and the \fBpaes\fP cipher
|
||||||
|
+.
|
||||||
|
+.
|
||||||
|
+.SH SYNOPSIS
|
||||||
|
+.B zkey\-cryptsetup
|
||||||
|
+.I command
|
||||||
|
+.I device
|
||||||
|
+.RI [ OPTIONS ]
|
||||||
|
+.
|
||||||
|
+.PP
|
||||||
|
+.B zkey\-cryptsetup
|
||||||
|
+.RI [ command ]
|
||||||
|
+.BR \-\-help | \-h
|
||||||
|
+.br
|
||||||
|
+.B zkey\-cryptsetup
|
||||||
|
+.BR \-\-version | \-v
|
||||||
|
+.
|
||||||
|
+.
|
||||||
|
+.
|
||||||
|
+.SH DESCRIPTION
|
||||||
|
+Use \fBzkey\-cryptsetup\fP to validate and re-encipher secure AES
|
||||||
|
+volume keys of volumes encrypted with \fBLUKS2\fP and the \fBpaes\fP cipher.
|
||||||
|
+These secure AES volume keys are enciphered with a master key of an IBM
|
||||||
|
+cryptographic adapter in CCA coprocessor mode.
|
||||||
|
+.PP
|
||||||
|
+To encrypt a volume using \fBLUKS2\fP and the \fBpaes\fP cipher, generate a
|
||||||
|
+secure AES key using \fBzkey\fP: \fB'zkey generate luks.key --xts'\fP.
|
||||||
|
+Then format the device with \fBcryptsetup\fP using the just generated secure
|
||||||
|
+AES key from file luks.key: \fB'cryptsetup luksFormat <device> --type luks2
|
||||||
|
+--cipher paes-xts-plain64 --master-key-file luks.key --key-size 1024'\fP. For
|
||||||
|
+more details about \fBzkey\fP or \fBcryptsetup\fP see the
|
||||||
|
+corresponding man pages.
|
||||||
|
+.
|
||||||
|
+.
|
||||||
|
+.
|
||||||
|
+.SH COMMANDS
|
||||||
|
+.
|
||||||
|
+.
|
||||||
|
+.SS "Validate secure AES volume keys"
|
||||||
|
+.
|
||||||
|
+.B zkey\-cryptsetup
|
||||||
|
+.BR validate | val
|
||||||
|
+.I device
|
||||||
|
+.RB [ \-\-key\-file | \-d
|
||||||
|
+.IR file-name ]
|
||||||
|
+.RB [ \-\-keyfile\-offset | \-o
|
||||||
|
+.IR bytes ]
|
||||||
|
+.RB [ \-\-keyfile\-size | \-l
|
||||||
|
+.IR bytes ]
|
||||||
|
+.RB [ \-\-tries | \-T
|
||||||
|
+.IR number ]
|
||||||
|
+.RB [ \-\-verbose | \-V ]
|
||||||
|
+.RB [ \-\-debug | \-D ]
|
||||||
|
+.PP
|
||||||
|
+Use the
|
||||||
|
+.B validate
|
||||||
|
+command to validate a secure AES volume key of a volume encrypted with
|
||||||
|
+\fBLUKS2\fP and the \fBpaes\fP cipher.
|
||||||
|
+It checks if the LUKS2 header of the volume contains a valid secure key.
|
||||||
|
+It also displays the attributes of the secure key, such as key size, whether
|
||||||
|
+it is a secure key that can be used for the XTS cipher mode, and the master key
|
||||||
|
+register (CURRENT or OLD) with which the secure key is enciphered.
|
||||||
|
+For further information about master key registers, see the
|
||||||
|
+\fBreencipher\fP command.
|
||||||
|
+.PP
|
||||||
|
+To open a key slot contained in the LUKS2 header of the volume, a passphrase is
|
||||||
|
+required. You are prompted for the passphrase, unless option
|
||||||
|
+.B \-\-key\-file
|
||||||
|
+is specified. Option
|
||||||
|
+.B \-\-tries
|
||||||
|
+specifies how often a passphrase can be re-entered. When option
|
||||||
|
+.B \-\-key\-file
|
||||||
|
+is specified, the passphrase is read from the specified file. You can specify
|
||||||
|
+options
|
||||||
|
+.B \-\-keyfile\-offset
|
||||||
|
+and
|
||||||
|
+.B \-\-keyfile\-size
|
||||||
|
+to control which part of the key file is used as passphrase. These options
|
||||||
|
+behave in the same way as with \fBcryptsetup\fP.
|
||||||
|
+.
|
||||||
|
+.SS "Re-encipher secure AES volume keys"
|
||||||
|
+.
|
||||||
|
+.PP
|
||||||
|
+.B zkey\-cryptsetup
|
||||||
|
+.BR reencipher | re
|
||||||
|
+.I device
|
||||||
|
+.RB [ \-\-staged | \-s ]
|
||||||
|
+.RB [ \-\-in\-place | \-i ]
|
||||||
|
+.RB [ \-\-complete | \-c ]
|
||||||
|
+.RB [ \-\-key\-file | \-d
|
||||||
|
+.IR file-name ]
|
||||||
|
+.RB [ \-\-keyfile\-offset | \-o
|
||||||
|
+.IR bytes ]
|
||||||
|
+.RB [ \-\-keyfile\-size | \-l
|
||||||
|
+.IR bytes ]
|
||||||
|
+.RB [ \-\-tries | \-T
|
||||||
|
+.IR number ]
|
||||||
|
+.RB [ \-\-verbose | \-V ]
|
||||||
|
+.RB [ \-\-debug | \-D ]
|
||||||
|
+.PP
|
||||||
|
+Use the
|
||||||
|
+.B reencipher
|
||||||
|
+command to re-encipher a secure AES volume key of a volume encrypted with
|
||||||
|
+\fBLUKS2\fP and the \fBpaes\fP cipher. A secure AES volume key must be
|
||||||
|
+re-enciphered when the master key of the cryptographic adapter in CCA
|
||||||
|
+coprocessor mode changes.
|
||||||
|
+.PP
|
||||||
|
+The cryptographic adapter in CCA coprocessor mode has three different registers
|
||||||
|
+to store master keys:
|
||||||
|
+.RS 2
|
||||||
|
+.IP "\(bu" 2
|
||||||
|
+The \fBCURRENT\fP register contains the current master key.
|
||||||
|
+.
|
||||||
|
+.IP "\(bu" 2
|
||||||
|
+The \fBOLD\fP register contains the previously used master key.
|
||||||
|
+Secure keys enciphered with the master key contained in the \fBOLD\fP
|
||||||
|
+register can still be used until the master key is changed again.
|
||||||
|
+.
|
||||||
|
+.IP "\(bu" 2
|
||||||
|
+The \fBNEW\fP register contains the new master key to be set.
|
||||||
|
+The master key in the \fBNEW\fP register cannot be used until it is made
|
||||||
|
+the current master key. You can pro-actively re-encipher a secure key with the
|
||||||
|
+\fBNEW\fP master key before this key is made the \fBCURRENT\fP key.
|
||||||
|
+.RE
|
||||||
|
+.PP
|
||||||
|
+\fBzkey\-cryptsetup\fP automatically detects whether the secure volume key
|
||||||
|
+is currently enciphered with the master key in the \fBOLD\fP register or with
|
||||||
|
+the master key in the \fBCURRENT\fP register. If currently enciphered with the
|
||||||
|
+master key in the \fBOLD\fP register, it is re-enciphered with the master key
|
||||||
|
+in the \fBCURRENT\fP register. If it is currently enciphered with the master
|
||||||
|
+key in the \fBCURRENT\fP register, it is re-enciphered with the master key in
|
||||||
|
+the \fBNEW\fP register. If for this case the \fBNEW\fP register does not
|
||||||
|
+contain a valid master key, then the re-encipher operation fails.
|
||||||
|
+.PP
|
||||||
|
+Re-enciphering a secure volume key of a volume encrypted with
|
||||||
|
+\fBLUKS2\fP and the \fBpaes\fP cipher can be performed \fBin-place\fP, or in
|
||||||
|
+\fBstaged\fP mode.
|
||||||
|
+.PP
|
||||||
|
+\fB"In-place"\fP immediately replaces the secure volume key in the LUKS2
|
||||||
|
+header of the encrypted volume with the re-enciphered secure volume key.
|
||||||
|
+Re-enciphering from \fBOLD\fP to \fBCURRENT\fP is performed in-place per
|
||||||
|
+default. You can use option \fB--in-place\fP to force an in-place
|
||||||
|
+re-enciphering for the \fBCURRENT\fP to \fBNEW\fP case. Be aware that
|
||||||
|
+an encrypted volume with a secure volume key that was re-enciphered in-place
|
||||||
|
+from \fBCURRENT\fP to \fBNEW\fP is no longer usable, until the new CCA master
|
||||||
|
+key has been made the current one.
|
||||||
|
+.PP
|
||||||
|
+\fBStaged\fP mode means that the re-enciphered secure volume key is stored in a
|
||||||
|
+separate (unbound) key slot in the LUKS2 header of the encrypted volume. Thus
|
||||||
|
+all key slots containing the current secure volume key are still valid at this
|
||||||
|
+point. Once the new CCA master key has been set (made active), you must rerun
|
||||||
|
+the reencipher command with option \fB--complete\fP to complete the staged
|
||||||
|
+re-enciphering. When completing the staged re-enciphering, the (unbound) key
|
||||||
|
+slot containing the re-enciphered secure volume key becomes the active
|
||||||
|
+key slot and, optionally, all key slots containing the old secure volume key
|
||||||
|
+are removed.
|
||||||
|
+Re-enciphering from \fBCURRENT\fP to \fBNEW\fP is performed in staged mode per
|
||||||
|
+default. You can use option \fB--staged\fP to force a staged re-enciphering for
|
||||||
|
+the \fBOLD\fP to \fBCURRENT\fP case.
|
||||||
|
+.PP
|
||||||
|
+To open a key slot contained in the LUKS2 header of the volume, a passphrase is
|
||||||
|
+required. You are prompted for the passphrase, unless option
|
||||||
|
+.B \-\-key\-file
|
||||||
|
+is specified. Option
|
||||||
|
+.B \-\-tries
|
||||||
|
+specifies how often a passphrase can be re-entered. When option
|
||||||
|
+.B \-\-key\-file
|
||||||
|
+is specified, the passphrase is read from the specified file. You can specify
|
||||||
|
+options
|
||||||
|
+.B \-\-keyfile\-offset
|
||||||
|
+and
|
||||||
|
+.B \-\-keyfile\-size
|
||||||
|
+to control which part of the key file is used as passphrase. These options
|
||||||
|
+behave in the same way as with \fBcryptsetup\fP.
|
||||||
|
+.PP
|
||||||
|
+.B Note:
|
||||||
|
+The \fBreencipher\fP command requires the CCA host library (libcsulcca.so)
|
||||||
|
+to be installed.
|
||||||
|
+.
|
||||||
|
+.
|
||||||
|
+.
|
||||||
|
+.SS "Set a verification pattern of the secure AES volume key"
|
||||||
|
+.
|
||||||
|
+.B zkey\-cryptsetup
|
||||||
|
+.BR setvp | setv
|
||||||
|
+.I device
|
||||||
|
+.RB [ \-\-key\-file | \-d
|
||||||
|
+.IR file-name ]
|
||||||
|
+.RB [ \-\-keyfile\-offset | \-o
|
||||||
|
+.IR bytes ]
|
||||||
|
+.RB [ \-\-keyfile\-size | \-l
|
||||||
|
+.IR bytes ]
|
||||||
|
+.RB [ \-\-tries | \-T
|
||||||
|
+.IR number ]
|
||||||
|
+.RB [ \-\-verbose | \-V ]
|
||||||
|
+.RB [ \-\-debug | \-D ]
|
||||||
|
+.PP
|
||||||
|
+Use the
|
||||||
|
+.B setvp
|
||||||
|
+command to set a verification pattern of the secure AES volume key of a volume
|
||||||
|
+encrypted with \fBLUKS2\fP and the \fBpaes\fP cipher. The verification pattern
|
||||||
|
+identifies the effective key used to encrypt the volume's data.
|
||||||
|
+The verification pattern is stored in a token named
|
||||||
|
+\fBpaes-verification-pattern\fP in the LUKS2 header.
|
||||||
|
+.PP
|
||||||
|
+.B Note:
|
||||||
|
+Set the verification pattern right after formatting the volume using
|
||||||
|
+\fB'cryptsetup luksFormat'\fP.
|
||||||
|
+.PP
|
||||||
|
+To open a key slot contained in the LUKS2 header of the volume, a passphrase is
|
||||||
|
+required. You are prompted for the passphrase, unless option
|
||||||
|
+.B \-\-key\-file
|
||||||
|
+is specified. Option
|
||||||
|
+.B \-\-tries
|
||||||
|
+specifies how often a passphrase can be re-entered. When option
|
||||||
|
+.B \-\-key\-file
|
||||||
|
+is specified, the passphrase is read from the specified file. You can specify
|
||||||
|
+options
|
||||||
|
+.B \-\-keyfile\-offset
|
||||||
|
+and
|
||||||
|
+.B \-\-keyfile\-size
|
||||||
|
+to control which part of the key file is used as passphrase. These options
|
||||||
|
+behave in the same way as with \fBcryptsetup\fP.
|
||||||
|
+.
|
||||||
|
+.
|
||||||
|
+.
|
||||||
|
+.SS "Set a new secure AES volume key for a volume"
|
||||||
|
+.
|
||||||
|
+.B zkey\-cryptsetup
|
||||||
|
+.BR setkey | setk
|
||||||
|
+.I device
|
||||||
|
+.BR \-\-master\-key\-file | \-m
|
||||||
|
+.IR file-name
|
||||||
|
+.RB [ \-\-key\-file | \-d
|
||||||
|
+.IR file-name ]
|
||||||
|
+.RB [ \-\-keyfile\-offset | \-o
|
||||||
|
+.IR bytes ]
|
||||||
|
+.RB [ \-\-keyfile\-size | \-l
|
||||||
|
+.IR bytes ]
|
||||||
|
+.RB [ \-\-tries | \-T
|
||||||
|
+.IR number ]
|
||||||
|
+.RB [ \-\-verbose | \-V ]
|
||||||
|
+.RB [ \-\-debug | \-D ]
|
||||||
|
+.PP
|
||||||
|
+Use the
|
||||||
|
+.B setkey
|
||||||
|
+command to set a new secure AES volume key for a volume encrypted with
|
||||||
|
+\fBLUKS2\fP and the \fBpaes\fP cipher. Use this command to recover from an
|
||||||
|
+invalid secure AES volume key contained in the LUKS2 header.
|
||||||
|
+A secure AES volume key contained in the LUKS2 header can become invalid when
|
||||||
|
+the CCA master key is changed without re-enciphering the secure volume key.
|
||||||
|
+.PP
|
||||||
|
+You can recover the secure volume key only if you have a copy of the secure key
|
||||||
|
+in a file, and this copy was re-enciphered when the CCA master key has been
|
||||||
|
+changed. Thus, the copy of the secure key must be currently enciphered with the
|
||||||
|
+CCA master key in the CURRENT or OLD master key register.
|
||||||
|
+Specify the secure key file with option
|
||||||
|
+.B \-\-master\-key\-file
|
||||||
|
+to set this secure key as the new volume key.
|
||||||
|
+.PP
|
||||||
|
+In case the LUKS2 header of the volume contains a verification pattern token,
|
||||||
|
+it is used to ensure that the new volume key contains the same effective key.
|
||||||
|
+If no verification pattern token is available, then you are prompted to confirm
|
||||||
|
+that the specified secure key is the correct one.
|
||||||
|
+.B ATTENTION:
|
||||||
|
+If you set a wrong secure key you will loose all the data on the encrypted
|
||||||
|
+volume!
|
||||||
|
+.PP
|
||||||
|
+To open a key slot contained in the LUKS2 header of the volume, a passphrase is
|
||||||
|
+required. You are prompted for the passphrase, unless option
|
||||||
|
+.B \-\-key\-file
|
||||||
|
+is specified. Option
|
||||||
|
+.B \-\-tries
|
||||||
|
+specifies how often a passphrase can be re-entered. When option
|
||||||
|
+.B \-\-key\-file
|
||||||
|
+is specified, the passphrase is read from the specified file. You can specify
|
||||||
|
+options
|
||||||
|
+.B \-\-keyfile\-offset
|
||||||
|
+and
|
||||||
|
+.B \-\-keyfile\-size
|
||||||
|
+to control which part of the key file is used as passphrase. These options
|
||||||
|
+behave in the same way the same as with \fBcryptsetup\fP.
|
||||||
|
+.
|
||||||
|
+.
|
||||||
|
+.
|
||||||
|
+.
|
||||||
|
+.SH OPTIONS
|
||||||
|
+.
|
||||||
|
+.SS "Options for the reencipher command"
|
||||||
|
+.TP
|
||||||
|
+.BR \-i ", " \-\-in-place
|
||||||
|
+Forces an in-place re-enciphering of a secure volume key in the LUKS2
|
||||||
|
+header. This option immediately replaces the secure volume key in the LUKS2
|
||||||
|
+header of the encrypted volume with the re-enciphered secure volume key.
|
||||||
|
+Re-enciphering from \fBOLD\fP to \fBCURRENT\fP is performed in-place per
|
||||||
|
+default.
|
||||||
|
+.TP
|
||||||
|
+.BR \-s ", " \-\-staged
|
||||||
|
+Forces that the re-enciphering of a secure volume key in the LUKS2
|
||||||
|
+header is performed in staged mode. Staged mode means that the re-enciphered
|
||||||
|
+secure volume key is stored in a separate (unbound) key slot in the LUKS2
|
||||||
|
+header of the encrypted volume. Thus all key slots containing the current
|
||||||
|
+secure volume key are still valid at this point. Once the new CCA master key
|
||||||
|
+has been set (made active), you must rerun the reencipher command with option
|
||||||
|
+\fB--complete\fP to complete the staged re-enciphering. Re-enciphering from
|
||||||
|
+\fBCURRENT\fP to \fBNEW\fP is performed in staged mode per default.
|
||||||
|
+.TP
|
||||||
|
+.BR \-p ", " \-\-complete
|
||||||
|
+Completes a staged re-enciphering. Use this option after the new CCA master key
|
||||||
|
+has been set (made active). When completing the staged re-enciphering, the
|
||||||
|
+(unbound) key slot containing the re-enciphered secure volume key becomes
|
||||||
|
+the active key slot and, optionally, all key slots containing the old secure
|
||||||
|
+volume key are removed.
|
||||||
|
+.
|
||||||
|
+.
|
||||||
|
+.
|
||||||
|
+.SS "Options for the setkey command"
|
||||||
|
+.TP
|
||||||
|
+.BR \-m ", " \-\-master\-key\-file\~\fIfile\-name\fP
|
||||||
|
+Specifies the name of a file containing the secure AES key that is set as the
|
||||||
|
+new volume key.
|
||||||
|
+.
|
||||||
|
+.
|
||||||
|
+.
|
||||||
|
+.SS "Options for supplying the passphrase"
|
||||||
|
+.TP
|
||||||
|
+.BR \-d ", " \-\-key\-file\~\fIfile\-name\fP
|
||||||
|
+Reads the passphrase from the specified file. If this option is omitted,
|
||||||
|
+or if the file\-name is \fI-\fP (a dash), then you are prompted to enter the
|
||||||
|
+passphrase interactively.
|
||||||
|
+.TP
|
||||||
|
+.BR \-o ", " \-\-keyfile\-offset\~\fIbytes\fP
|
||||||
|
+Specifies the number of bytes to skip before starting to read in the file
|
||||||
|
+specified with option \fB\-\-key\-file\fP. If omitted, the file is read
|
||||||
|
+from the beginning. When option \fB\-\-key\-file\fP is not specified, this
|
||||||
|
+option is ignored.
|
||||||
|
+.TP
|
||||||
|
+.BR \-l ", " \-\-keyfile\-size\~\fIbytes\fP
|
||||||
|
+Specifies the number of bytes to be read from the beginning of the file
|
||||||
|
+specified with option \fB\-\-key\-file\fP. If omitted, the file is read
|
||||||
|
+until the end. When \fB\-\-keyfile\-offset\fP is also specified, reading starts
|
||||||
|
+at the offset. When option \fB\-\-key\-file\fP is not specified, this option is
|
||||||
|
+ignored.
|
||||||
|
+.TP
|
||||||
|
+.BR \-T ", " \-\-tries\~\fInumber\fP
|
||||||
|
+Specifies how often the interactive input of the passphrase can be re-entered.
|
||||||
|
+The default is 3 times. When option \fB\-\-key\-file\fP is specified, this
|
||||||
|
+option is ignored, and the passphrase is read only once from the file.
|
||||||
|
+.
|
||||||
|
+.
|
||||||
|
+.
|
||||||
|
+.SS "General options"
|
||||||
|
+.TP
|
||||||
|
+.BR \-V ", " \-\-verbose
|
||||||
|
+Displays additional information messages during processing.
|
||||||
|
+.TP
|
||||||
|
+.BR \-D ", " \-\-debug
|
||||||
|
+Displays additional debugging messages during processing. This option also
|
||||||
|
+implies \fB\-\-verbose\fP.
|
||||||
|
+.TP
|
||||||
|
+.BR \-h ", " \-\-help
|
||||||
|
+Displays help text and exits.
|
||||||
|
+.TP
|
||||||
|
+.BR \-v ", " \-\-version
|
||||||
|
+Displays version information and exits.
|
||||||
|
+.
|
||||||
|
+.
|
||||||
|
+.
|
||||||
|
+.SH EXAMPLES
|
||||||
|
+.TP
|
||||||
|
+.B zkey-cryptsetup reencipher /dev/dasdd1
|
||||||
|
+Re-enciphers the secure volume key of the encrypted volume /dev/dasdd1.
|
||||||
|
+.TP
|
||||||
|
+.B zkey-cryptsetup reencipher /dev/dasdd1 \-\-staged
|
||||||
|
+Re-enciphers the secure volume key of the encrypted volume /dev/dasdd1 in
|
||||||
|
+staged mode.
|
||||||
|
+.TP
|
||||||
|
+.B zkey-cryptsetup reencipher /dev/dasdd1 \-\-complete
|
||||||
|
+Completes re-enciphers the secure volume key of the encrypted
|
||||||
|
+volume /dev/dasdd1.
|
||||||
|
+.TP
|
||||||
|
+.B zkey-cryptsetup reencipher /dev/dasdd1 \-\-in\-place
|
||||||
|
+Re-enciphers the secure volume key of the encrypted volume /dev/dasdd1 in
|
||||||
|
+in-place mode.
|
||||||
|
+.TP
|
||||||
|
+.B zkey-cryptsetup validate /dev/dasdd1
|
||||||
|
+Validates the secure volume key of the encrypted volume /dev/dasdd1 and
|
||||||
|
+displays its attributes.
|
||||||
|
+.TP
|
||||||
|
+.B zkey-cryptsetup setvp /dev/dasdd1
|
||||||
|
+Sets the verification pattern of the secure volume key of the encrypted
|
||||||
|
+volume /dev/dasdd1.
|
||||||
|
+.TP
|
||||||
|
+.B zkey-cryptsetup setkey /dev/dasdd1 --master-key-file seckey.key
|
||||||
|
+Sets the secure key contained in file seckey.key as the new volume key
|
||||||
|
+for the encrypted volume /dev/dasdd1.
|
@ -0,0 +1,188 @@
|
|||||||
|
Subject: zkey: Add build dependency for libcryptsetup and json-c
|
||||||
|
From: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||||
|
|
||||||
|
Summary: zkey: Support CCA master key change with LUKS2 volumes using paes
|
||||||
|
Description: Support the usage of protected key crypto for dm-crypt disks in
|
||||||
|
LUKS2 format by providing a tool allowing to re-encipher a
|
||||||
|
secure LUKS2 volume key when the CCA master key is changed
|
||||||
|
Upstream-ID: 818ffbc4b05783851cc12682d3d8ad6b99312d63
|
||||||
|
Problem-ID: SEC1424.1
|
||||||
|
|
||||||
|
Upstream-Description:
|
||||||
|
|
||||||
|
zkey: Add build dependency for libcryptsetup and json-c
|
||||||
|
|
||||||
|
The zkey-cryptsetup tool has a build dependency to
|
||||||
|
libcryptsetup version 2.0.3 or later, and json-c.
|
||||||
|
|
||||||
|
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||||
|
Reviewed-by: Hendrik Brueckner <brueckner@linux.ibm.com>
|
||||||
|
Signed-off-by: Jan Höppner <hoeppner@linux.ibm.com>
|
||||||
|
|
||||||
|
|
||||||
|
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||||
|
---
|
||||||
|
README.md | 9 ++++--
|
||||||
|
common.mak | 3 +-
|
||||||
|
zkey/Makefile | 84 +++++++++++++++++++++++++++++++++++++++++++---------------
|
||||||
|
3 files changed, 72 insertions(+), 24 deletions(-)
|
||||||
|
|
||||||
|
--- a/README.md
|
||||||
|
+++ b/README.md
|
||||||
|
@@ -264,6 +264,8 @@ build options:
|
||||||
|
| pfm | `HAVE_PFM` | cpacfstats |
|
||||||
|
| net-snmp | `HAVE_SNMP` | osasnmpd |
|
||||||
|
| openssl | `HAVE_OPENSSL` | zkey |
|
||||||
|
+| cryptsetup | `HAVE_CRYPTSETUP2` | zkey-cryptsetup |
|
||||||
|
+| json-c | `HAVE_JSONC` | zkey-cryptsetup |
|
||||||
|
|
||||||
|
This table lists additional build or install options:
|
||||||
|
|
||||||
|
@@ -369,8 +371,11 @@ the different tools are provided:
|
||||||
|
|
||||||
|
* zkey:
|
||||||
|
For building the zkey tools you need openssl version 0.9.7 or newer installed
|
||||||
|
- (openssl-devel.rpm). Tip: you may skip the zkey build by adding
|
||||||
|
- `HAVE_OPENSSL=0` to the make invocation.
|
||||||
|
+ (openssl-devel.rpm). Also required are cryptsetup version 2.0.3 or newer
|
||||||
|
+ (cryptsetup-devel.rpm), and json-c version 0.12 or newer (json-c-devel.rpm).
|
||||||
|
+ Tip: you may skip the zkey build by adding `HAVE_OPENSSL=0`, and you may
|
||||||
|
+ may skip the zkey-cryptsetup build by adding `HAVE_CRYPTSETUP2=0`, or
|
||||||
|
+ `HAVE_JSONC=0` to the make invocation.
|
||||||
|
A new group 'zkeyadm' needs to be created and all users intending to use the
|
||||||
|
tool must be added to this group. The owner of the default key repository
|
||||||
|
'/etc/zkey/repository' must be set to group 'zkeyadm' with write permission
|
||||||
|
--- a/common.mak
|
||||||
|
+++ b/common.mak
|
||||||
|
@@ -113,9 +113,10 @@ DEFAULT_LDFLAGS = -rdynamic
|
||||||
|
# $2: Name of include file to check
|
||||||
|
# $3: Name of required devel package
|
||||||
|
# $4: Option to skip build (e.g. HAVE_FUSE=0)
|
||||||
|
+# $5: Additional compiler & linker options (optional)
|
||||||
|
#
|
||||||
|
check_dep=\
|
||||||
|
-printf "\#include <%s>" $2 | ( $(CC) $(filter-out --coverage, $(ALL_CFLAGS)) $(ALL_CPPFLAGS) -c -o /dev/null -xc - ) > /dev/null 2>&1; \
|
||||||
|
+printf "\#include <%s>\n int main(void) {return 0;}" $2 | ( $(CC) $(filter-out --coverage, $(ALL_CFLAGS)) $(ALL_CPPFLAGS) $5 -o /dev/null -xc - ) > /dev/null 2>&1; \
|
||||||
|
if [ $$? != 0 ]; \
|
||||||
|
then \
|
||||||
|
printf " REQCHK %s (%s)\n" $1 $2; \
|
||||||
|
--- a/zkey/Makefile
|
||||||
|
+++ b/zkey/Makefile
|
||||||
|
@@ -1,54 +1,96 @@
|
||||||
|
include ../common.mak
|
||||||
|
|
||||||
|
-ifeq (${HAVE_OPENSSL},0)
|
||||||
|
+ifneq (${HAVE_OPENSSL},0)
|
||||||
|
+ BUILD_TARGETS += zkey
|
||||||
|
+ INSTALL_TARGETS += install-zkey
|
||||||
|
+else
|
||||||
|
+ BUILD_TARGETS += zkey-skip
|
||||||
|
+ INSTALL_TARGETS += zkey-skip
|
||||||
|
+endif
|
||||||
|
|
||||||
|
-all:
|
||||||
|
- $(SKIP) HAVE_OPENSSL=0
|
||||||
|
+ifneq (${HAVE_CRYPTSETUP2},0)
|
||||||
|
+ ifneq (${HAVE_JSONC},0)
|
||||||
|
+ BUILD_TARGETS += zkey-cryptsetup
|
||||||
|
+ INSTALL_TARGETS += install-zkey-cryptsetup
|
||||||
|
+ else
|
||||||
|
+ BUILD_TARGETS += zkey-cryptsetup-skip-jsonc
|
||||||
|
+ INSTALL_TARGETS += zkey-cryptsetup-skip-jsonc
|
||||||
|
+ endif
|
||||||
|
+else
|
||||||
|
+ BUILD_TARGETS += zkey-cryptsetup-skip-cryptsetup2
|
||||||
|
+ INSTALL_TARGETS += zkey-cryptsetup-skip-cryptsetup2
|
||||||
|
+endif
|
||||||
|
|
||||||
|
-install:
|
||||||
|
- $(SKIP) HAVE_OPENSSL=0
|
||||||
|
+CPPFLAGS += -I../include
|
||||||
|
+LIBS = $(rootdir)/libutil/libutil.a
|
||||||
|
|
||||||
|
-else
|
||||||
|
+detect-libcryptsetup.h:
|
||||||
|
+ echo "#include <libcryptsetup.h>" > detect-libcryptsetup.h
|
||||||
|
+ echo "#ifndef CRYPT_LUKS2" >> detect-libcryptsetup.h
|
||||||
|
+ echo " #error libcryptsetup version 2.0.3 is required" >> detect-libcryptsetup.h
|
||||||
|
+ echo "#endif" >> detect-libcryptsetup.h
|
||||||
|
+ echo "int i = CRYPT_SLOT_UNBOUND;" >> detect-libcryptsetup.h
|
||||||
|
|
||||||
|
-check_dep:
|
||||||
|
+check-dep-zkey:
|
||||||
|
$(call check_dep, \
|
||||||
|
"zkey", \
|
||||||
|
"openssl/evp.h", \
|
||||||
|
"openssl-devel", \
|
||||||
|
"HAVE_OPENSSL=0")
|
||||||
|
|
||||||
|
-CPPFLAGS += -I../include
|
||||||
|
+check-dep-zkey-cryptsetup: detect-libcryptsetup.h
|
||||||
|
+ $(call check_dep, \
|
||||||
|
+ "zkey-cryptsetup", \
|
||||||
|
+ "detect-libcryptsetup.h", \
|
||||||
|
+ "cryptsetup-devel version 2.0.3", \
|
||||||
|
+ "HAVE_CRYPTSETUP2=0", \
|
||||||
|
+ "-I.")
|
||||||
|
+ $(call check_dep, \
|
||||||
|
+ "zkey-cryptsetup", \
|
||||||
|
+ "json-c/json.h", \
|
||||||
|
+ "json-c-devel", \
|
||||||
|
+ "HAVE_JSONC=0")
|
||||||
|
+
|
||||||
|
+zkey-skip:
|
||||||
|
+ echo " SKIP zkey due to HAVE_OPENSSL=0"
|
||||||
|
+
|
||||||
|
+zkey-cryptsetup-skip-cryptsetup2:
|
||||||
|
+ echo " SKIP zkey-cryptsetup due to HAVE_CRYPTSETUP2=0"
|
||||||
|
|
||||||
|
-all: check_dep zkey zkey-cryptsetup
|
||||||
|
+zkey-cryptsetup-skip-jsonc:
|
||||||
|
+ echo " SKIP zkey-cryptsetup due to HAVE_JSONC=0"
|
||||||
|
|
||||||
|
-libs = $(rootdir)/libutil/libutil.a
|
||||||
|
+all: $(BUILD_TARGETS)
|
||||||
|
|
||||||
|
zkey.o: zkey.c pkey.h misc.h
|
||||||
|
pkey.o: pkey.c pkey.h
|
||||||
|
-properties.o: properties.c properties.h
|
||||||
|
+properties.o: check-dep-zkey properties.c properties.h
|
||||||
|
keystore.o: keystore.c keystore.h properties.h
|
||||||
|
-zkey-cryptsetup.o: zkey-cryptsetup.c pkey.h misc.h
|
||||||
|
+zkey-cryptsetup.o: check-dep-zkey-cryptsetup zkey-cryptsetup.c pkey.h misc.h
|
||||||
|
|
||||||
|
zkey: LDLIBS = -ldl -lcrypto
|
||||||
|
-zkey: zkey.o pkey.o properties.o keystore.o $(libs)
|
||||||
|
+zkey: zkey.o pkey.o properties.o keystore.o $(LIBS)
|
||||||
|
|
||||||
|
zkey-cryptsetup: LDLIBS = -ldl -lcryptsetup -ljson-c
|
||||||
|
-zkey-cryptsetup: zkey-cryptsetup.o pkey.o $(libs)
|
||||||
|
+zkey-cryptsetup: zkey-cryptsetup.o pkey.o $(LIBS)
|
||||||
|
|
||||||
|
-
|
||||||
|
-install: all
|
||||||
|
+install-common:
|
||||||
|
$(INSTALL) -d -m 755 $(DESTDIR)$(USRBINDIR)
|
||||||
|
- $(INSTALL) -g $(GROUP) -o $(OWNER) -m 755 zkey $(DESTDIR)$(USRBINDIR)
|
||||||
|
- $(INSTALL) -g $(GROUP) -o $(OWNER) -m 755 zkey-cryptsetup $(DESTDIR)$(USRBINDIR)
|
||||||
|
$(INSTALL) -d -m 755 $(DESTDIR)$(MANDIR)/man1
|
||||||
|
+
|
||||||
|
+install-zkey:
|
||||||
|
+ $(INSTALL) -g $(GROUP) -o $(OWNER) -m 755 zkey $(DESTDIR)$(USRBINDIR)
|
||||||
|
$(INSTALL) -m 644 -c zkey.1 $(DESTDIR)$(MANDIR)/man1
|
||||||
|
- $(INSTALL) -m 644 -c zkey-cryptsetup.1 $(DESTDIR)$(MANDIR)/man1
|
||||||
|
$(INSTALL) -d -m 770 $(DESTDIR)$(SYSCONFDIR)/zkey
|
||||||
|
$(INSTALL) -d -m 770 $(DESTDIR)$(SYSCONFDIR)/zkey/repository
|
||||||
|
|
||||||
|
-endif
|
||||||
|
+install-zkey-cryptsetup:
|
||||||
|
+ $(INSTALL) -g $(GROUP) -o $(OWNER) -m 755 zkey-cryptsetup $(DESTDIR)$(USRBINDIR)
|
||||||
|
+ $(INSTALL) -m 644 -c zkey-cryptsetup.1 $(DESTDIR)$(MANDIR)/man1
|
||||||
|
+
|
||||||
|
+install: all install-common $(INSTALL_TARGETS)
|
||||||
|
|
||||||
|
clean:
|
||||||
|
- rm -f *.o zkey zkey-cryptsetup
|
||||||
|
+ rm -f *.o zkey zkey-cryptsetup detect-libcryptsetup.h
|
||||||
|
|
||||||
|
.PHONY: all install clean
|
@ -0,0 +1,349 @@
|
|||||||
|
Subject: zkey: Add key verification pattern property
|
||||||
|
From: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||||
|
|
||||||
|
Summary: zkey: Support CCA master key change with LUKS2 volumes using paes
|
||||||
|
Description: Support the usage of protected key crypto for dm-crypt disks in
|
||||||
|
LUKS2 format by providing a tool allowing to re-encipher a
|
||||||
|
secure LUKS2 volume key when the CCA master key is changed
|
||||||
|
Upstream-ID: 512b47c0042a3cdedafce8d46dcc76053298116c
|
||||||
|
Problem-ID: SEC1424.1
|
||||||
|
|
||||||
|
Upstream-Description:
|
||||||
|
|
||||||
|
zkey: Add key verification pattern property
|
||||||
|
|
||||||
|
Store a verification pattern in the properties file along
|
||||||
|
with the secure key. The verification pattern allows to identify
|
||||||
|
the inner key even when the secure key is no longer valid.
|
||||||
|
|
||||||
|
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||||
|
Reviewed-by: Hendrik Brueckner <brueckner@linux.ibm.com>
|
||||||
|
Signed-off-by: Jan Höppner <hoeppner@linux.ibm.com>
|
||||||
|
|
||||||
|
|
||||||
|
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||||
|
---
|
||||||
|
zkey/keystore.c | 132 +++++++++++++++++++++++++++++++++++++++++++++++++++-----
|
||||||
|
zkey/zkey.1 | 4 -
|
||||||
|
zkey/zkey.c | 27 +++++++++--
|
||||||
|
3 files changed, 145 insertions(+), 18 deletions(-)
|
||||||
|
|
||||||
|
--- a/zkey/keystore.c
|
||||||
|
+++ b/zkey/keystore.c
|
||||||
|
@@ -58,6 +58,7 @@ struct key_filenames {
|
||||||
|
#define PROP_NAME_CREATION_TIME "creation-time"
|
||||||
|
#define PROP_NAME_CHANGE_TIME "update-time"
|
||||||
|
#define PROP_NAME_REENC_TIME "reencipher-time"
|
||||||
|
+#define PROP_NAME_KEY_VP "verification-pattern"
|
||||||
|
|
||||||
|
#define IS_XTS(secure_key_size) (secure_key_size > SECURE_KEY_SIZE ? 1 : 0)
|
||||||
|
|
||||||
|
@@ -75,6 +76,7 @@ struct key_filenames {
|
||||||
|
#define REC_CREATION_TIME "Created"
|
||||||
|
#define REC_CHANGE_TIME "Changed"
|
||||||
|
#define REC_REENC_TIME "Re-enciphered"
|
||||||
|
+#define REC_KEY_VP "Verification pattern"
|
||||||
|
|
||||||
|
#define pr_verbose(keystore, fmt...) do { \
|
||||||
|
if (keystore->verbose) \
|
||||||
|
@@ -1270,6 +1272,77 @@ struct keystore *keystore_new(const char
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
+ * Generate the key verification pattern from the specified secure key file
|
||||||
|
+ *
|
||||||
|
+ * @param[in] keystore the key store
|
||||||
|
+ * @param[in} keyfile the key file
|
||||||
|
+ * @param[in] vp buffer filled with the verification pattern
|
||||||
|
+ * @param[in] vp_len length of the buffer. Must be at
|
||||||
|
+ * least VERIFICATION_PATTERN_LEN bytes in size.
|
||||||
|
+ *
|
||||||
|
+ * @returns 0 for success or a negative errno in case of an error
|
||||||
|
+ */
|
||||||
|
+static int _keystore_generate_verification_pattern(struct keystore *keystore,
|
||||||
|
+ const char *keyfile,
|
||||||
|
+ char *vp, size_t vp_len)
|
||||||
|
+{
|
||||||
|
+ size_t key_size;
|
||||||
|
+ u8 *key;
|
||||||
|
+ int rc;
|
||||||
|
+
|
||||||
|
+ util_assert(keystore != NULL, "Internal error: keystore is NULL");
|
||||||
|
+ util_assert(keyfile != NULL, "Internal error: keyfile is NULL");
|
||||||
|
+ util_assert(vp != NULL, "Internal error: vp is NULL");
|
||||||
|
+
|
||||||
|
+ key = read_secure_key(keyfile, &key_size, keystore->verbose);
|
||||||
|
+ if (key == NULL)
|
||||||
|
+ return -EIO;
|
||||||
|
+
|
||||||
|
+ rc = generate_key_verification_pattern((const char *)key, key_size,
|
||||||
|
+ vp, vp_len, keystore->verbose);
|
||||||
|
+
|
||||||
|
+ free(key);
|
||||||
|
+ return rc;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+/**
|
||||||
|
+ * Checks if the key verification pattern property exists. If not, then it is
|
||||||
|
+ * created from the secure key.
|
||||||
|
+ *
|
||||||
|
+ * @param[in] keystore the key store
|
||||||
|
+ * @param[in] file_names the file names of the key
|
||||||
|
+ * @param[in] key_props the properties of the key
|
||||||
|
+ *
|
||||||
|
+ * @returns 0 for success or a negative errno in case of an error
|
||||||
|
+ */
|
||||||
|
+static int _keystore_ensure_vp_exists(struct keystore *keystore,
|
||||||
|
+ const struct key_filenames *file_names,
|
||||||
|
+ struct properties *key_props)
|
||||||
|
+{
|
||||||
|
+ char vp[VERIFICATION_PATTERN_LEN];
|
||||||
|
+ char *temp;
|
||||||
|
+ int rc;
|
||||||
|
+
|
||||||
|
+ temp = properties_get(key_props, PROP_NAME_KEY_VP);
|
||||||
|
+ if (temp != NULL) {
|
||||||
|
+ free(temp);
|
||||||
|
+ return 0;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ rc = _keystore_generate_verification_pattern(keystore,
|
||||||
|
+ file_names->skey_filename,
|
||||||
|
+ vp, sizeof(vp));
|
||||||
|
+ if (rc != 0)
|
||||||
|
+ return rc;
|
||||||
|
+
|
||||||
|
+ rc = properties_set(key_props, PROP_NAME_KEY_VP, vp);
|
||||||
|
+ if (rc != 0)
|
||||||
|
+ return rc;
|
||||||
|
+
|
||||||
|
+ return 0;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+/**
|
||||||
|
* Sets a timestamp to be used as creation/update/reencipher time into
|
||||||
|
* the specified property
|
||||||
|
*
|
||||||
|
@@ -1348,7 +1421,7 @@ static int _keystore_set_default_propert
|
||||||
|
*/
|
||||||
|
static int _keystore_create_info_file(struct keystore *keystore,
|
||||||
|
const char *name,
|
||||||
|
- const char *info_filename,
|
||||||
|
+ const struct key_filenames *filenames,
|
||||||
|
const char *description,
|
||||||
|
const char *volumes, const char *apqns,
|
||||||
|
size_t sector_size)
|
||||||
|
@@ -1396,17 +1469,26 @@ static int _keystore_create_info_file(st
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
|
||||||
|
- rc = properties_save(key_props, info_filename, 1);
|
||||||
|
+ rc = _keystore_ensure_vp_exists(keystore, filenames, key_props);
|
||||||
|
+ if (rc != 0) {
|
||||||
|
+ warnx("Failed to generate the key verification pattern: %s",
|
||||||
|
+ strerror(-rc));
|
||||||
|
+ warnx("Make sure that kernel module 'paes_s390' is loaded and "
|
||||||
|
+ "that the 'paes' cipher is available");
|
||||||
|
+ return rc;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ rc = properties_save(key_props, filenames->info_filename, 1);
|
||||||
|
if (rc != 0) {
|
||||||
|
pr_verbose(keystore,
|
||||||
|
"Key info file '%s' could not be written: %s",
|
||||||
|
- info_filename, strerror(-rc));
|
||||||
|
+ filenames->info_filename, strerror(-rc));
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
|
||||||
|
- rc = _keystore_set_file_permission(keystore, info_filename);
|
||||||
|
+ rc = _keystore_set_file_permission(keystore, filenames->info_filename);
|
||||||
|
if (rc != 0) {
|
||||||
|
- remove(info_filename);
|
||||||
|
+ remove(filenames->info_filename);
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -1519,8 +1601,7 @@ int keystore_generate_key(struct keystor
|
||||||
|
if (rc != 0)
|
||||||
|
goto out_free_props;
|
||||||
|
|
||||||
|
- rc = _keystore_create_info_file(keystore, name,
|
||||||
|
- file_names.info_filename,
|
||||||
|
+ rc = _keystore_create_info_file(keystore, name, &file_names,
|
||||||
|
description, volumes, apqns,
|
||||||
|
sector_size);
|
||||||
|
if (rc != 0)
|
||||||
|
@@ -1603,8 +1684,7 @@ int keystore_import_key(struct keystore
|
||||||
|
if (rc != 0)
|
||||||
|
goto out_free_props;
|
||||||
|
|
||||||
|
- rc = _keystore_create_info_file(keystore, name,
|
||||||
|
- file_names.info_filename,
|
||||||
|
+ rc = _keystore_create_info_file(keystore, name, &file_names,
|
||||||
|
description, volumes, apqns,
|
||||||
|
sector_size);
|
||||||
|
if (rc != 0)
|
||||||
|
@@ -1723,6 +1803,9 @@ int keystore_change_key(struct keystore
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
+ rc = _keystore_ensure_vp_exists(keystore, &file_names, key_props);
|
||||||
|
+ /* ignore return code, vp generation might fail if key is not valid */
|
||||||
|
+
|
||||||
|
rc = _keystore_set_timestamp_property(key_props, PROP_NAME_CHANGE_TIME);
|
||||||
|
if (rc != 0)
|
||||||
|
goto out;
|
||||||
|
@@ -1838,7 +1921,7 @@ static struct util_rec *_keystore_setup_
|
||||||
|
{
|
||||||
|
struct util_rec *rec;
|
||||||
|
|
||||||
|
- rec = util_rec_new_long("-", ":", REC_KEY, 23, 54);
|
||||||
|
+ rec = util_rec_new_long("-", ":", REC_KEY, 28, 54);
|
||||||
|
util_rec_def(rec, REC_KEY, UTIL_REC_ALIGN_LEFT, 54, REC_KEY);
|
||||||
|
if (validation)
|
||||||
|
util_rec_def(rec, REC_STATUS, UTIL_REC_ALIGN_LEFT, 54,
|
||||||
|
@@ -1858,6 +1941,7 @@ static struct util_rec *_keystore_setup_
|
||||||
|
util_rec_def(rec, REC_KEY_FILE, UTIL_REC_ALIGN_LEFT, 54, REC_KEY_FILE);
|
||||||
|
util_rec_def(rec, REC_SECTOR_SIZE, UTIL_REC_ALIGN_LEFT, 54,
|
||||||
|
REC_SECTOR_SIZE);
|
||||||
|
+ util_rec_def(rec, REC_KEY_VP, UTIL_REC_ALIGN_LEFT, 54, REC_KEY_VP);
|
||||||
|
util_rec_def(rec, REC_CREATION_TIME, UTIL_REC_ALIGN_LEFT, 54,
|
||||||
|
REC_CREATION_TIME);
|
||||||
|
util_rec_def(rec, REC_CHANGE_TIME, UTIL_REC_ALIGN_LEFT, 54,
|
||||||
|
@@ -1876,6 +1960,7 @@ static void _keystore_print_record(struc
|
||||||
|
size_t clear_key_bitsize, bool valid,
|
||||||
|
bool is_old_mk, bool reenc_pending)
|
||||||
|
{
|
||||||
|
+ char temp_vp[VERIFICATION_PATTERN_LEN + 2];
|
||||||
|
char *volumes_argz = NULL;
|
||||||
|
size_t volumes_argz_len;
|
||||||
|
char *apqns_argz = NULL;
|
||||||
|
@@ -1888,6 +1973,8 @@ static void _keystore_print_record(struc
|
||||||
|
char *change;
|
||||||
|
char *apqns;
|
||||||
|
char *temp;
|
||||||
|
+ char *vp;
|
||||||
|
+ int len;
|
||||||
|
|
||||||
|
description = properties_get(properties, PROP_NAME_DESCRIPTION);
|
||||||
|
volumes = properties_get(properties, PROP_NAME_VOLUMES);
|
||||||
|
@@ -1913,6 +2000,7 @@ static void _keystore_print_record(struc
|
||||||
|
creation = properties_get(properties, PROP_NAME_CREATION_TIME);
|
||||||
|
change = properties_get(properties, PROP_NAME_CHANGE_TIME);
|
||||||
|
reencipher = properties_get(properties, PROP_NAME_REENC_TIME);
|
||||||
|
+ vp = properties_get(properties, PROP_NAME_KEY_VP);
|
||||||
|
|
||||||
|
util_rec_set(rec, REC_KEY, name);
|
||||||
|
if (validation)
|
||||||
|
@@ -1951,6 +2039,15 @@ static void _keystore_print_record(struc
|
||||||
|
else
|
||||||
|
util_rec_set(rec, REC_SECTOR_SIZE, "%lu bytes",
|
||||||
|
sector_size);
|
||||||
|
+ if (vp != NULL) {
|
||||||
|
+ len = sprintf(temp_vp, "%.*s%c%.*s",
|
||||||
|
+ VERIFICATION_PATTERN_LEN / 2, vp,
|
||||||
|
+ '\0', VERIFICATION_PATTERN_LEN / 2,
|
||||||
|
+ &vp[VERIFICATION_PATTERN_LEN / 2]);
|
||||||
|
+ util_rec_set_argz(rec, REC_KEY_VP, temp_vp, len + 1);
|
||||||
|
+ } else {
|
||||||
|
+ util_rec_set(rec, REC_KEY_VP, "(not available)");
|
||||||
|
+ }
|
||||||
|
util_rec_set(rec, REC_CREATION_TIME, creation);
|
||||||
|
util_rec_set(rec, REC_CHANGE_TIME,
|
||||||
|
change != NULL ? change : "(never)");
|
||||||
|
@@ -1976,6 +2073,8 @@ static void _keystore_print_record(struc
|
||||||
|
free(change);
|
||||||
|
if (reencipher != NULL)
|
||||||
|
free(reencipher);
|
||||||
|
+ if (vp != NULL)
|
||||||
|
+ free(vp);
|
||||||
|
}
|
||||||
|
|
||||||
|
struct validate_info {
|
||||||
|
@@ -2404,6 +2503,17 @@ static int _keystore_process_reencipher(
|
||||||
|
if (rc != 0)
|
||||||
|
goto out;
|
||||||
|
|
||||||
|
+ rc = _keystore_ensure_vp_exists(keystore, file_names,
|
||||||
|
+ properties);
|
||||||
|
+ if (rc != 0) {
|
||||||
|
+ warnx("Failed to generate the key verification pattern "
|
||||||
|
+ "for key '%s': %s", file_names->skey_filename,
|
||||||
|
+ strerror(-rc));
|
||||||
|
+ warnx("Make sure that kernel module 'paes_s390' is loaded and "
|
||||||
|
+ "that the 'paes' cipher is available");
|
||||||
|
+ goto out;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
rc = properties_save(properties, file_names->info_filename, 1);
|
||||||
|
if (rc != 0) {
|
||||||
|
pr_verbose(keystore,
|
||||||
|
@@ -3040,7 +3150,7 @@ static int _keystore_process_crypttab(st
|
||||||
|
"At the time this utility was developed, systemd's "
|
||||||
|
"support of crypttab did not support to specify a "
|
||||||
|
"sector size with plain dm-crypt devices. The generated "
|
||||||
|
- "crypttab entry may or may not work, and may need "
|
||||||
|
+ "crypttab entry might or might not work, and might need "
|
||||||
|
"manual adoptions.", volume, sector_size);
|
||||||
|
util_print_indented(temp, 0);
|
||||||
|
}
|
||||||
|
--- a/zkey/zkey.1
|
||||||
|
+++ b/zkey/zkey.1
|
||||||
|
@@ -361,8 +361,8 @@ The
|
||||||
|
command displays the attributes of the secure keys, such as key sizes,
|
||||||
|
whether it is a secure key that can be used for the XTS cipher mode, the textual
|
||||||
|
description, associated cryptographic adapters (APQNs) and volumes, the
|
||||||
|
-sector size, and timestamps for key creation, last modification and last
|
||||||
|
-re-encipherment.
|
||||||
|
+sector size, the key verification pattern, and timestamps for key creation, last
|
||||||
|
+modification and last re-encipherment.
|
||||||
|
.
|
||||||
|
.SS "Remove existing AES secure keys from the secure key repository"
|
||||||
|
.
|
||||||
|
--- a/zkey/zkey.c
|
||||||
|
+++ b/zkey/zkey.c
|
||||||
|
@@ -1057,6 +1057,7 @@ static int command_reencipher(void)
|
||||||
|
*/
|
||||||
|
static int command_validate_file(void)
|
||||||
|
{
|
||||||
|
+ char vp[VERIFICATION_PATTERN_LEN];
|
||||||
|
size_t secure_key_size;
|
||||||
|
size_t clear_key_size;
|
||||||
|
u8 *secure_key;
|
||||||
|
@@ -1089,14 +1090,30 @@ static int command_validate_file(void)
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ rc = generate_key_verification_pattern((char *)secure_key,
|
||||||
|
+ secure_key_size, vp, sizeof(vp),
|
||||||
|
+ g.verbose);
|
||||||
|
+ if (rc != 0) {
|
||||||
|
+ warnx("Failed to generate the verification pattern: %s",
|
||||||
|
+ strerror(-rc));
|
||||||
|
+ warnx("Make sure that kernel module 'paes_s390' is loaded and "
|
||||||
|
+ "that the 'paes' cipher is available");
|
||||||
|
+ rc = EXIT_FAILURE;
|
||||||
|
+ goto out;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
printf("Validation of secure key in file '%s':\n", g.pos_arg);
|
||||||
|
- printf(" Status: Valid\n");
|
||||||
|
- printf(" Secure key size: %lu bytes\n", secure_key_size);
|
||||||
|
- printf(" Clear key size: %lu bits\n", clear_key_size);
|
||||||
|
- printf(" XTS type key: %s\n",
|
||||||
|
+ printf(" Status: Valid\n");
|
||||||
|
+ printf(" Secure key size: %lu bytes\n", secure_key_size);
|
||||||
|
+ printf(" Clear key size: %lu bits\n", clear_key_size);
|
||||||
|
+ printf(" XTS type key: %s\n",
|
||||||
|
secure_key_size > SECURE_KEY_SIZE ? "Yes" : "No");
|
||||||
|
- printf(" Encrypted with: %s CCA master key\n",
|
||||||
|
+ printf(" Enciphered with: %s CCA master key\n",
|
||||||
|
is_old_mk ? "OLD" : "CURRENT");
|
||||||
|
+ printf(" Verification pattern: %.*s\n", VERIFICATION_PATTERN_LEN / 2,
|
||||||
|
+ vp);
|
||||||
|
+ printf(" %.*s\n", VERIFICATION_PATTERN_LEN / 2,
|
||||||
|
+ &vp[VERIFICATION_PATTERN_LEN / 2]);
|
||||||
|
|
||||||
|
out:
|
||||||
|
free(secure_key);
|
File diff suppressed because it is too large
Load Diff
@ -0,0 +1,361 @@
|
|||||||
|
Subject: cpumf: Add extended counter defintion files for IBM z14
|
||||||
|
From: Hendrik Brueckner <brueckner@linux.ibm.com>
|
||||||
|
|
||||||
|
Summary: cpumf: Add CPU-MF hardware counters for z14
|
||||||
|
Description: Add hardware counter definitions for IBM z14.
|
||||||
|
Upstream-ID: 57f18c5f59766832822a74cc029a8d3b60e3ba0f
|
||||||
|
Problem-ID: KRN1608
|
||||||
|
|
||||||
|
Upstream-Description:
|
||||||
|
|
||||||
|
cpumf: Add extended counter defintion files for IBM z14
|
||||||
|
|
||||||
|
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
|
||||||
|
[brueckner: Prefer plural for counter names]
|
||||||
|
Signed-off-by: Hendrik Brueckner <brueckner@linux.vnet.ibm.com>
|
||||||
|
Signed-off-by: Stefan Haberland <sth@linux.vnet.ibm.com>
|
||||||
|
|
||||||
|
|
||||||
|
Signed-off-by: Hendrik Brueckner <brueckner@linux.ibm.com>
|
||||||
|
---
|
||||||
|
cpumf/Makefile | 2
|
||||||
|
cpumf/bin/cpumf_helper.in | 1
|
||||||
|
cpumf/data/cpum-cf-extended-z14.ctr | 303 ++++++++++++++++++++++++++++++++++++
|
||||||
|
cpumf/data/cpum-cf-hw-counter.map | 1
|
||||||
|
4 files changed, 306 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
--- a/cpumf/Makefile
|
||||||
|
+++ b/cpumf/Makefile
|
||||||
|
@@ -7,7 +7,7 @@ CPUMF_DATADIR = $(TOOLS_DATADIR)/cpumf
|
||||||
|
DATA_FILES = cpum-cf-hw-counter.map cpum-cf-generic.ctr \
|
||||||
|
cpum-cf-extended-z10.ctr cpum-cf-extended-z196.ctr \
|
||||||
|
cpum-cf-extended-zEC12.ctr cpum-sf-modes.ctr \
|
||||||
|
- cpum-cf-extended-z13.ctr
|
||||||
|
+ cpum-cf-extended-z13.ctr cpum-cf-extended-z14.ctr
|
||||||
|
LIB_FILES = bin/cpumf_helper
|
||||||
|
USRBIN_SCRIPTS = bin/lscpumf
|
||||||
|
USRSBIN_SCRIPTS = bin/chcpumf
|
||||||
|
--- a/cpumf/bin/cpumf_helper.in
|
||||||
|
+++ b/cpumf/bin/cpumf_helper.in
|
||||||
|
@@ -210,6 +210,7 @@ my $system_z_hwtype_map = {
|
||||||
|
2828 => 'IBM zEnterprise BC12',
|
||||||
|
2964 => 'IBM z13',
|
||||||
|
2965 => 'IBM z13s',
|
||||||
|
+ 3906 => 'IBM z14',
|
||||||
|
};
|
||||||
|
|
||||||
|
sub get_hardware_type()
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/cpumf/data/cpum-cf-extended-z14.ctr
|
||||||
|
@@ -0,0 +1,303 @@
|
||||||
|
+# Counter decriptions for the
|
||||||
|
+# IBM z14 extended counter and MT-diagnostic counter set
|
||||||
|
+#
|
||||||
|
+# Notes for transactional-execution mode symbolic names:
|
||||||
|
+# TX .. transactional-execution mode
|
||||||
|
+# NC .. nonconstrained
|
||||||
|
+# C .. constrained
|
||||||
|
+#
|
||||||
|
+# Undefined counters in the extended counter set:
|
||||||
|
+# 142
|
||||||
|
+# 158-161
|
||||||
|
+# 176-223
|
||||||
|
+# 227-231
|
||||||
|
+# 233-242
|
||||||
|
+# 246-255
|
||||||
|
+# Undefined counters in the MT-diagnostic counter set:
|
||||||
|
+# 450-495
|
||||||
|
+#
|
||||||
|
+#
|
||||||
|
+# Extended Counter Set
|
||||||
|
+# ---------------------------------------------------------------------
|
||||||
|
+Counter:128 Name:L1D_WRITES_RO_EXCL
|
||||||
|
+A directory write to the Level-1 Data cache where the line was
|
||||||
|
+originally in a Read-Only state in the cache but has been updated
|
||||||
|
+to be in the Exclusive state that allows stores to the cache line
|
||||||
|
+.
|
||||||
|
+Counter:129 Name:DTLB2_WRITES
|
||||||
|
+Description:
|
||||||
|
+A translation has been written into The Translation Lookaside
|
||||||
|
+Buffer 2 (TLB2) and the request was made by the data cache
|
||||||
|
+.
|
||||||
|
+Counter:130 Name:DTLB2_MISSES
|
||||||
|
+Description:
|
||||||
|
+A TLB2 miss is in progress for a request made by the data cache.
|
||||||
|
+Incremented by one for every TLB2 miss in progress for the Level-1
|
||||||
|
+Data cache on this cycle
|
||||||
|
+.
|
||||||
|
+Counter:131 Name:DTLB2_HPAGE_WRITES
|
||||||
|
+Description:
|
||||||
|
+A translation entry was written into the Combined Region and Segment
|
||||||
|
+Table Entry array in the Level-2 TLB for a one-megabyte page or a
|
||||||
|
+Last Host Translation was done
|
||||||
|
+.
|
||||||
|
+Counter:132 Name:DTLB2_GPAGE_WRITES
|
||||||
|
+Description:
|
||||||
|
+A translation entry for a two-gigabyte page was written into the
|
||||||
|
+Level-2 TLB
|
||||||
|
+.
|
||||||
|
+Counter:133 Name:L1D_L2D_SOURCED_WRITES
|
||||||
|
+Description:
|
||||||
|
+A directory write to the Level-1 Data cache directory where the
|
||||||
|
+returned cache line was sourced from the Level-2 Data cache
|
||||||
|
+.
|
||||||
|
+Counter:134 Name:ITLB2_WRITES
|
||||||
|
+Description:
|
||||||
|
+A translation entry has been written into the Translation Lookaside
|
||||||
|
+Buffer 2 (TLB2) and the request was made by the instruction cache
|
||||||
|
+.
|
||||||
|
+Counter:135 Name:ITLB2_MISSES
|
||||||
|
+Description:
|
||||||
|
+A TLB2 miss is in progress for a request made by the instruction cache.
|
||||||
|
+Incremented by one for every TLB2 miss in progress for the Level-1
|
||||||
|
+Instruction cache in a cycle
|
||||||
|
+.
|
||||||
|
+Counter:136 Name:L1I_L2I_SOURCED_WRITES
|
||||||
|
+Description:
|
||||||
|
+A directory write to the Level-1 Instruction cache directory where the
|
||||||
|
+returned cache line was sourced from the Level-2 Instruction cache
|
||||||
|
+.
|
||||||
|
+Counter:137 Name:TLB2_PTE_WRITES
|
||||||
|
+Description:
|
||||||
|
+A translation entry was written into the Page Table Entry array in the
|
||||||
|
+Level-2 TLB
|
||||||
|
+.
|
||||||
|
+Counter:138 Name:TLB2_CRSTE_WRITES
|
||||||
|
+Description:
|
||||||
|
+Translation entries were written into the Combined Region and Segment
|
||||||
|
+Table Entry array and the Page Table Entry array in the Level-2 TLB
|
||||||
|
+.
|
||||||
|
+Counter:139 Name:TLB2_ENGINES_BUSY
|
||||||
|
+Description:
|
||||||
|
+The number of Level-2 TLB translation engines busy in a cycle
|
||||||
|
+.
|
||||||
|
+Counter:140 Name:TX_C_TEND
|
||||||
|
+Description:
|
||||||
|
+A TEND instruction has completed in a constrained transactional-execution
|
||||||
|
+mode
|
||||||
|
+.
|
||||||
|
+Counter:141 Name:TX_NC_TEND
|
||||||
|
+Description:
|
||||||
|
+A TEND instruction has completed in a non-constrained
|
||||||
|
+transactional-execution mode
|
||||||
|
+.
|
||||||
|
+Counter:143 Name:L1C_TLB2_MISSES
|
||||||
|
+Description:
|
||||||
|
+Increments by one for any cycle where a level-1 cache or level-2 TLB miss
|
||||||
|
+is in progress
|
||||||
|
+.
|
||||||
|
+Counter:144 Name:L1D_ONCHIP_L3_SOURCED_WRITES
|
||||||
|
+Description:
|
||||||
|
+A directory write to the Level-1 Data cache directory where the returned
|
||||||
|
+cache line was sourced from an On-Chip Level-3 cache without intervention
|
||||||
|
+.
|
||||||
|
+Counter:145 Name:L1D_ONCHIP_MEMORY_SOURCED_WRITES
|
||||||
|
+Description:
|
||||||
|
+A directory write to the Level-1 Data cache directory where the returned
|
||||||
|
+cache line was sourced from On-Chip memory
|
||||||
|
+.
|
||||||
|
+Counter:146 Name:L1D_ONCHIP_L3_SOURCED_WRITES_IV
|
||||||
|
+Description:
|
||||||
|
+A directory write to the Level-1 Data cache directory where the returned
|
||||||
|
+cache line was sourced from an On-Chip Level-3 cache with intervention
|
||||||
|
+.
|
||||||
|
+Counter:147 Name:L1D_ONCLUSTER_L3_SOURCED_WRITES
|
||||||
|
+Description:
|
||||||
|
+A directory write to the Level-1 Data cache directory where the returned
|
||||||
|
+cache line was sourced from On-Cluster Level-3 cache withountervention
|
||||||
|
+.
|
||||||
|
+Counter:148 Name:L1D_ONCLUSTER_MEMORY_SOURCED_WRITES
|
||||||
|
+Description:
|
||||||
|
+A directory write to the Level-1 Data cache directory where the returned
|
||||||
|
+cache line was sourced from an On-Cluster memory
|
||||||
|
+.
|
||||||
|
+Counter:149 Name:L1D_ONCLUSTER_L3_SOURCED_WRITES_IV
|
||||||
|
+Description:
|
||||||
|
+A directory write to the Level-1 Data cache directory where the returned
|
||||||
|
+cache line was sourced from an On-Cluster Level-3 cache with intervention
|
||||||
|
+.
|
||||||
|
+Counter:150 Name:L1D_OFFCLUSTER_L3_SOURCED_WRITES
|
||||||
|
+Description:
|
||||||
|
+A directory write to the Level-1 Data cache directory where the returned
|
||||||
|
+cache line was sourced from an Off-Cluster Level-3 cache without
|
||||||
|
+intervention
|
||||||
|
+.
|
||||||
|
+Counter:151 Name:L1D_OFFCLUSTER_MEMORY_SOURCED_WRITES
|
||||||
|
+Description:
|
||||||
|
+A directory write to the Level-1 Data cache directory where the returned
|
||||||
|
+cache line was sourced from Off-Cluster memory
|
||||||
|
+.
|
||||||
|
+Counter:152 Name:L1D_OFFCLUSTER_L3_SOURCED_WRITES_IV
|
||||||
|
+Description:
|
||||||
|
+A directory write to the Level-1 Data cache directory where the returned
|
||||||
|
+cache line was sourced from an Off-Cluster Level-3 cache with intervention
|
||||||
|
+.
|
||||||
|
+Counter:153 Name:L1D_OFFDRAWER_L3_SOURCED_WRITES
|
||||||
|
+Description:
|
||||||
|
+A directory write to the Level-1 Data cache directory where the returned
|
||||||
|
+cache line was sourced from an Off-Drawer Level-3 cache without
|
||||||
|
+intervention
|
||||||
|
+.
|
||||||
|
+Counter:154 Name:L1D_OFFDRAWER_MEMORY_SOURCED_WRITES
|
||||||
|
+Description:
|
||||||
|
+A directory write to the Level-1 Data cache directory where the returned
|
||||||
|
+cache line was sourced from Off-Drawer memory
|
||||||
|
+.
|
||||||
|
+Counter:155 Name:L1D_OFFDRAWER_L3_SOURCED_WRITES_IV
|
||||||
|
+Description:
|
||||||
|
+A directory write to the Level-1 Data cache directory where the returned
|
||||||
|
+cache line was sourced from an Off-Drawer Level-3 cache with intervention
|
||||||
|
+.
|
||||||
|
+Counter:156 Name:L1D_ONDRAWER_L4_SOURCED_WRITES
|
||||||
|
+Description:
|
||||||
|
+A directory write to the Level-1 Data cache directory where the returned
|
||||||
|
+cache line was sourced from On-Drawer Level-4 cache
|
||||||
|
+.
|
||||||
|
+Counter:157 Name:L1D_OFFDRAWER_L4_SOURCED_WRITES
|
||||||
|
+Description:
|
||||||
|
+A directory write to the Level-1 Data cache directory where the returned
|
||||||
|
+cache line was sourced from Off-Drawer Level-4 cache
|
||||||
|
+.
|
||||||
|
+Counter:158 Name:L1D_ONCHIP_L3_SOURCED_WRITES_RO
|
||||||
|
+Description:
|
||||||
|
+A directory write to the Level-1 Data cache directory where the returned
|
||||||
|
+cache line was sourced from On-Chip L3 but a read-only invalidate was
|
||||||
|
+done to remove other copies of the cache line
|
||||||
|
+.
|
||||||
|
+Counter:162 Name:L1I_ONCHIP_L3_SOURCED_WRITES
|
||||||
|
+Description:
|
||||||
|
+A directory write to the Level-1 Instruction cache directory where the
|
||||||
|
+returned cache ine was sourced from an On-Chip Level-3 cache without
|
||||||
|
+intervention
|
||||||
|
+.
|
||||||
|
+Counter:163 Name:L1I_ONCHIP_MEMORY_SOURCED_WRITES
|
||||||
|
+Description:
|
||||||
|
+A directory write to the Level-1 Instruction cache directory where the
|
||||||
|
+returned cache ine was sourced from On-Chip memory
|
||||||
|
+.
|
||||||
|
+Counter:164 Name:L1I_ONCHIP_L3_SOURCED_WRITES_IV
|
||||||
|
+Description:
|
||||||
|
+A directory write to the Level-1 Instruction cache directory where the
|
||||||
|
+returned cache ine was sourced from an On-Chip Level-3 cache with
|
||||||
|
+intervention
|
||||||
|
+.
|
||||||
|
+Counter:165 Name:L1I_ONCLUSTER_L3_SOURCED_WRITES
|
||||||
|
+Description:
|
||||||
|
+A directory write to the Level-1 Instruction cache directory where the
|
||||||
|
+returned cache line was sourced from an On-Cluster Level-3 cache without
|
||||||
|
+intervention
|
||||||
|
+.
|
||||||
|
+Counter:166 Name:L1I_ONCLUSTER_MEMORY_SOURCED_WRITES
|
||||||
|
+Description:
|
||||||
|
+A directory write to the Level-1 Instruction cache directory where the
|
||||||
|
+returned cache line was sourced from an On-Cluster memory
|
||||||
|
+.
|
||||||
|
+Counter:167 Name:L1I_ONCLUSTER_L3_SOURCED_WRITES_IV
|
||||||
|
+Description:
|
||||||
|
+A directory write to the Level-1 Instruction cache directory where the
|
||||||
|
+returned cache line was sourced from On-Cluster Level-3 cache with
|
||||||
|
+intervention
|
||||||
|
+.
|
||||||
|
+Counter:168 Name:L1I_OFFCLUSTER_L3_SOURCED_WRITES
|
||||||
|
+Description:
|
||||||
|
+A directory write to the Level-1 Instruction cache directory where the
|
||||||
|
+returned cache line was sourced from an Off-Cluster Level-3 cache without
|
||||||
|
+intervention
|
||||||
|
+.
|
||||||
|
+Counter:169 Name:L1I_OFFCLUSTER_MEMORY_SOURCED_WRITES
|
||||||
|
+Description:
|
||||||
|
+A directory write to the Level-1 Instruction cache directory where the
|
||||||
|
+returned cache line was sourced from Off-Cluster memory
|
||||||
|
+.
|
||||||
|
+Counter:170 Name:L1I_OFFCLUSTER_L3_SOURCED_WRITES_IV
|
||||||
|
+Description:
|
||||||
|
+A directory write to the Level-1 Instruction cache directory where the
|
||||||
|
+returned cache line was sourced from an Off-Cluster Level-3 cache with
|
||||||
|
+intervention
|
||||||
|
+.
|
||||||
|
+Counter:171 Name:L1I_OFFDRAWER_L3_SOURCED_WRITES
|
||||||
|
+Description:
|
||||||
|
+A directory write to the Level-1 Instruction cache directory where the
|
||||||
|
+returned cache line was sourced from an Off-Drawer Level-3 cache without
|
||||||
|
+intervention
|
||||||
|
+.
|
||||||
|
+Counter:172 Name:L1I_OFFDRAWER_MEMORY_SOURCED_WRITES
|
||||||
|
+Description:
|
||||||
|
+A directory write to the Level-1 Instruction cache directory where the
|
||||||
|
+returned cache line was sourced from Off-Drawer memory
|
||||||
|
+.
|
||||||
|
+Counter:173 Name:L1I_OFFDRAWER_L3_SOURCED_WRITES_IV
|
||||||
|
+Description:
|
||||||
|
+A directory write to the Level-1 Instruction cache directory where the
|
||||||
|
+returned cache line was sourced from an Off-Drawer Level-3 cache with
|
||||||
|
+intervention
|
||||||
|
+.
|
||||||
|
+Counter:174 Name:L1I_ONDRAWER_L4_SOURCED_WRITES
|
||||||
|
+Description:
|
||||||
|
+A directory write to the Level-1 Instruction cache directory where the
|
||||||
|
+returned cache line was sourced from On-Drawer Level-4 cache
|
||||||
|
+.
|
||||||
|
+Counter:175 Name:L1I_OFFDRAWER_L4_SOURCED_WRITES
|
||||||
|
+Description:
|
||||||
|
+A directory write to the Level-1 Instruction cache directory where the
|
||||||
|
+returned cache line was sourced from Off-Drawer Level-4 cache
|
||||||
|
+.
|
||||||
|
+Counter:224 Name:BCD_DFP_EXECUTION_SLOTS
|
||||||
|
+Description:
|
||||||
|
+Count of floating point execution slots used for finished Binary Coded
|
||||||
|
+Decimal to Decimal Floating Point conversions. Instructions: CDZT,
|
||||||
|
+CXZT, CZDT, CZXT
|
||||||
|
+.
|
||||||
|
+Counter:225 Name:VX_BCD_EXECUTION_SLOTS
|
||||||
|
+Description:
|
||||||
|
+Count of floating point execution slots used for finished vector arithmetic
|
||||||
|
+Binary Coded Decimal instructions. Instructions: VAP, VSP, VMPVMSP, VDP,
|
||||||
|
+VSDP, VRP, VLIP, VSRP, VPSOPVCP, VTP, VPKZ, VUPKZ, VCVB, VCVBG, VCVDVCVDG
|
||||||
|
+.
|
||||||
|
+Counter:226 Name:DECIMAL_INSTRUCTIONS
|
||||||
|
+Description:
|
||||||
|
+Decimal instructions dispatched. Instructions: CVB, CVD, AP, CP, DP, ED,
|
||||||
|
+EDMK, MP, SRP, SP, ZAP
|
||||||
|
+.
|
||||||
|
+Counter:233 Name:LAST_HOST_TRANSLATIONS
|
||||||
|
+Description:
|
||||||
|
+Last Host Translation done
|
||||||
|
+.
|
||||||
|
+Counter:243 Name:TX_NC_TABORT
|
||||||
|
+Description:
|
||||||
|
+A transaction abort has occurred in a non-constrained
|
||||||
|
+transactional-execution mode
|
||||||
|
+.
|
||||||
|
+Counter:244 Name:TX_C_TABORT_NO_SPECIAL
|
||||||
|
+Description:
|
||||||
|
+A transaction abort has occurred in a constrained transactional-execution
|
||||||
|
+mode and the CPU is not using any special logic to allow the transaction
|
||||||
|
+to complete
|
||||||
|
+.
|
||||||
|
+Counter:245 Name:TX_C_TABORT_SPECIAL
|
||||||
|
+Description:
|
||||||
|
+A transaction abort has occurred in a constrained transactional-execution
|
||||||
|
+mode and the CPU is using special logic to allow the transaction to
|
||||||
|
+complete
|
||||||
|
+.
|
||||||
|
+#
|
||||||
|
+# MT-diagnostic counter set
|
||||||
|
+# ---------------------------------------------------------------------
|
||||||
|
+Counter:448 Name:MT_DIAG_CYCLES_ONE_THR_ACTIVE
|
||||||
|
+Description:
|
||||||
|
+Cycle count with one thread active
|
||||||
|
+.
|
||||||
|
+Counter:449 Name:MT_DIAG_CYCLES_TWO_THR_ACTIVE
|
||||||
|
+Description:
|
||||||
|
+Cycle count with two threads active
|
||||||
|
+.
|
||||||
|
--- a/cpumf/data/cpum-cf-hw-counter.map
|
||||||
|
+++ b/cpumf/data/cpum-cf-hw-counter.map
|
||||||
|
@@ -14,4 +14,5 @@
|
||||||
|
2828 => 'cpum-cf-extended-zEC12.ctr',
|
||||||
|
2964 => 'cpum-cf-extended-z13.ctr',
|
||||||
|
2965 => 'cpum-cf-extended-z13.ctr',
|
||||||
|
+ 3906 => 'cpum-cf-extended-z14.ctr',
|
||||||
|
};
|
124
s390-tools-sles15sp1-01-lszcrypt-CEX6S-exploitation.patch
Normal file
124
s390-tools-sles15sp1-01-lszcrypt-CEX6S-exploitation.patch
Normal file
@ -0,0 +1,124 @@
|
|||||||
|
Subject: lszcrypt: CEX6S exploitation
|
||||||
|
From: Harald Freudenberger <freude@linux.vnet.ibm.com>
|
||||||
|
|
||||||
|
Summary: s390-tools: Exploitation Support for CEX6S
|
||||||
|
Description: Exploitation Support for CEX6S
|
||||||
|
Upstream-ID: 31866fbfa4bd89606af2a313427ca06d230e20dc
|
||||||
|
Problem-ID: SEC1519
|
||||||
|
|
||||||
|
Upstream-Description:
|
||||||
|
|
||||||
|
lszcrypt: CEX6S exploitation
|
||||||
|
|
||||||
|
With z14 there comes a new crypto card 'CEX6S'.
|
||||||
|
|
||||||
|
This patch introduces the s390-tools changes needed
|
||||||
|
to list the new card and show the capabilities correctly.
|
||||||
|
|
||||||
|
Signed-off-by: Harald Freudenberger <freude@linux.vnet.ibm.com>
|
||||||
|
Signed-off-by: Michael Holzheu <holzheu@linux.vnet.ibm.com>
|
||||||
|
|
||||||
|
|
||||||
|
Signed-off-by: Harald Freudenberger <freude@linux.vnet.ibm.com>
|
||||||
|
---
|
||||||
|
zconf/zcrypt/lszcrypt.8 | 6 ++++++
|
||||||
|
zconf/zcrypt/lszcrypt.c | 37 ++++++++++++++++++++++++++++---------
|
||||||
|
2 files changed, 34 insertions(+), 9 deletions(-)
|
||||||
|
|
||||||
|
--- a/zconf/zcrypt/lszcrypt.8
|
||||||
|
+++ b/zconf/zcrypt/lszcrypt.8
|
||||||
|
@@ -85,6 +85,12 @@ EP11 Secure Key
|
||||||
|
.IP "o"
|
||||||
|
Long RNG
|
||||||
|
.RE
|
||||||
|
+
|
||||||
|
+.RS 8
|
||||||
|
+The CCA Secure Key capability may be limited by a hypervisor
|
||||||
|
+layer. The remarks 'full function set' or 'restricted function set' may
|
||||||
|
+reflect this. For details about these limitations please check the
|
||||||
|
+hypervisor documentation.
|
||||||
|
.TP 8
|
||||||
|
.B -d, --domains
|
||||||
|
Shows the usage and control domains of the cryptographic devices.
|
||||||
|
--- a/zconf/zcrypt/lszcrypt.c
|
||||||
|
+++ b/zconf/zcrypt/lszcrypt.c
|
||||||
|
@@ -42,11 +42,19 @@ struct lszcrypt_l *lszcrypt_l = &l;
|
||||||
|
/*
|
||||||
|
* Card types
|
||||||
|
*/
|
||||||
|
-#define MASK_APSC 0x80000000
|
||||||
|
-#define MASK_RSA4K 0x60000000
|
||||||
|
-#define MASK_COPRO 0x10000000
|
||||||
|
-#define MASK_ACCEL 0x08000000
|
||||||
|
-#define MASK_EP11 0x04000000
|
||||||
|
+#define MASK_APSC 0x80000000
|
||||||
|
+#define MASK_RSA4K 0x60000000
|
||||||
|
+#define MASK_COPRO 0x10000000
|
||||||
|
+#define MASK_ACCEL 0x08000000
|
||||||
|
+#define MASK_EP11 0x04000000
|
||||||
|
+
|
||||||
|
+/*
|
||||||
|
+ * Classification
|
||||||
|
+ */
|
||||||
|
+#define MASK_CLASS_FULL 0x00800000
|
||||||
|
+#define CLASS_FULL "full function set"
|
||||||
|
+#define MASK_CLASS_STATELESS 0x00400000
|
||||||
|
+#define CLASS_STATELESS "restricted function set"
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Program configuration
|
||||||
|
@@ -226,7 +234,7 @@ static void show_capability(const char *
|
||||||
|
{
|
||||||
|
unsigned long func_val;
|
||||||
|
long hwtype, id;
|
||||||
|
- char *p, *ap, *dev, card[16];
|
||||||
|
+ char *p, *ap, *dev, card[16], cbuf[256];
|
||||||
|
|
||||||
|
/* check if ap driver is available */
|
||||||
|
ap = util_path_sysfs("bus/ap");
|
||||||
|
@@ -250,6 +258,11 @@ static void show_capability(const char *
|
||||||
|
printf("Detailed capability information for %s (hardware type %ld) is not available.\n", card, hwtype);
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
+ cbuf[0] = '\0';
|
||||||
|
+ if (func_val & MASK_CLASS_FULL)
|
||||||
|
+ snprintf(cbuf, sizeof(cbuf), "%s", CLASS_FULL);
|
||||||
|
+ else if (func_val & MASK_CLASS_STATELESS)
|
||||||
|
+ snprintf(cbuf, sizeof(cbuf), "%s", CLASS_STATELESS);
|
||||||
|
printf("%s provides capability for:\n", card);
|
||||||
|
switch (hwtype) {
|
||||||
|
case 6:
|
||||||
|
@@ -262,11 +275,15 @@ static void show_capability(const char *
|
||||||
|
case 7:
|
||||||
|
case 9:
|
||||||
|
printf("%s\n", CAP_RSA4K);
|
||||||
|
- printf("%s\n", CAP_CCA);
|
||||||
|
+ if (cbuf[0])
|
||||||
|
+ printf("%s (%s)\n", CAP_CCA, cbuf);
|
||||||
|
+ else
|
||||||
|
+ printf("%s\n", CAP_CCA);
|
||||||
|
printf("%s", CAP_RNG);
|
||||||
|
break;
|
||||||
|
case 10:
|
||||||
|
case 11:
|
||||||
|
+ case 12:
|
||||||
|
if (func_val & MASK_ACCEL) {
|
||||||
|
if (func_val & MASK_RSA4K)
|
||||||
|
printf("%s", CAP_RSA4K);
|
||||||
|
@@ -274,12 +291,14 @@ static void show_capability(const char *
|
||||||
|
printf("%s", CAP_RSA2K);
|
||||||
|
} else if (func_val & MASK_COPRO) {
|
||||||
|
printf("%s\n", CAP_RSA4K);
|
||||||
|
- printf("%s\n", CAP_CCA);
|
||||||
|
+ if (cbuf[0])
|
||||||
|
+ printf("%s (%s)\n", CAP_CCA, cbuf);
|
||||||
|
+ else
|
||||||
|
+ printf("%s\n", CAP_CCA);
|
||||||
|
printf("%s", CAP_RNG);
|
||||||
|
} else if (func_val & MASK_EP11) {
|
||||||
|
printf("%s", CAP_EP11);
|
||||||
|
} else {
|
||||||
|
-
|
||||||
|
printf("Detailed capability information for %s (hardware type %ld) is not available.", card, hwtype);
|
||||||
|
}
|
||||||
|
break;
|
@ -0,0 +1,55 @@
|
|||||||
|
Subject: util_path: add function to check if a path exists
|
||||||
|
From: Jan Hoeppner <jan.hoeppner@de.ibm.com>
|
||||||
|
|
||||||
|
Summary: zpcictl: Add tool to manage PCI devices
|
||||||
|
Description: Use the zpcictl tool to manage PCI devices on the IBM Z
|
||||||
|
platform. Initial functions include generating firmware
|
||||||
|
error logs, resetting PCI devices, and preparing a device
|
||||||
|
for further repair actions.
|
||||||
|
Upstream-ID: df133846b5889a7698ac09f00284c1be54926b59
|
||||||
|
Problem-ID: RAS1703
|
||||||
|
|
||||||
|
Upstream-Description:
|
||||||
|
|
||||||
|
util_path: add function to check if a path exists
|
||||||
|
|
||||||
|
GitHub-ID: #20
|
||||||
|
|
||||||
|
Signed-off-by: Rafael Fonseca <r4f4rfs@gmail.com>
|
||||||
|
Acked-by: Michael Holzheu <holzheu@linux.vnet.ibm.com>
|
||||||
|
Signed-off-by: Michael Holzheu <holzheu@linux.vnet.ibm.com>
|
||||||
|
|
||||||
|
|
||||||
|
Signed-off-by: Jan Hoeppner <jan.hoeppner@de.ibm.com>
|
||||||
|
---
|
||||||
|
include/lib/util_path.h | 1 +
|
||||||
|
libutil/util_path.c | 12 ++++++++++++
|
||||||
|
2 files changed, 13 insertions(+)
|
||||||
|
|
||||||
|
--- a/include/lib/util_path.h
|
||||||
|
+++ b/include/lib/util_path.h
|
||||||
|
@@ -20,5 +20,6 @@ bool util_path_is_readable(const char *f
|
||||||
|
bool util_path_is_writable(const char *fmt, ...);
|
||||||
|
bool util_path_is_dir(const char *fmt, ...);
|
||||||
|
bool util_path_is_reg_file(const char *fmt, ...);
|
||||||
|
+bool util_path_exists(const char *fmt, ...);
|
||||||
|
|
||||||
|
#endif /** LIB_UTIL_PATH_H @} */
|
||||||
|
--- a/libutil/util_path.c
|
||||||
|
+++ b/libutil/util_path.c
|
||||||
|
@@ -194,3 +194,15 @@ free_str:
|
||||||
|
free(path);
|
||||||
|
return rc;
|
||||||
|
}
|
||||||
|
+
|
||||||
|
+bool util_path_exists(const char *fmt, ...)
|
||||||
|
+{
|
||||||
|
+ va_list ap;
|
||||||
|
+ char *path;
|
||||||
|
+ bool rc;
|
||||||
|
+
|
||||||
|
+ UTIL_VASPRINTF(&path, fmt, ap);
|
||||||
|
+ rc = access(path, F_OK) == 0;
|
||||||
|
+ free(path);
|
||||||
|
+ return rc;
|
||||||
|
+}
|
@ -0,0 +1,382 @@
|
|||||||
|
Subject: cpumf/z14: split counter sets according to CFVN/CSVN (part 1/2)
|
||||||
|
From: Hendrik Brueckner <brueckner@linux.ibm.com>
|
||||||
|
|
||||||
|
Summary: cpumf: Add CPU-MF hardware counters for z14
|
||||||
|
Description: Add hardware counter definitions for IBM z14.
|
||||||
|
Upstream-ID: d121ffa3f01e08d2cc53140444dfcab830319012
|
||||||
|
Problem-ID: KRN1608
|
||||||
|
|
||||||
|
Upstream-Description:
|
||||||
|
|
||||||
|
cpumf/z14: split counter sets according to CFVN/CSVN (part 1/2)
|
||||||
|
|
||||||
|
With z14, the counters in the problem-state are reduced resulting
|
||||||
|
in an increased first version number of the CPUM CF. To adapt to
|
||||||
|
this change, split the counter sets according to their counter
|
||||||
|
first and second version number. The second version number controls
|
||||||
|
the crypto-activity and extended counter set. Treat the crypto-activity
|
||||||
|
counter set as generic, as the extended counter set is already handled
|
||||||
|
based on hardware models.
|
||||||
|
|
||||||
|
Signed-off-by: Hendrik Brueckner <brueckner@linux.vnet.ibm.com>
|
||||||
|
Signed-off-by: Stefan Haberland <sth@linux.vnet.ibm.com>
|
||||||
|
|
||||||
|
|
||||||
|
Signed-off-by: Hendrik Brueckner <brueckner@linux.ibm.com>
|
||||||
|
---
|
||||||
|
cpumf/Makefile | 4 -
|
||||||
|
cpumf/data/cpum-cf-cfvn-1.ctr | 48 +++++++++++++
|
||||||
|
cpumf/data/cpum-cf-cfvn-3.ctr | 32 ++++++++
|
||||||
|
cpumf/data/cpum-cf-csvn-generic.ctr | 84 ++++++++++++++++++++++
|
||||||
|
cpumf/data/cpum-cf-generic.ctr | 132 ------------------------------------
|
||||||
|
cpumf/data/cpum-cf-hw-counter.map | 15 +++-
|
||||||
|
6 files changed, 180 insertions(+), 135 deletions(-)
|
||||||
|
|
||||||
|
--- a/cpumf/Makefile
|
||||||
|
+++ b/cpumf/Makefile
|
||||||
|
@@ -4,7 +4,9 @@ include ../common.mak
|
||||||
|
|
||||||
|
|
||||||
|
CPUMF_DATADIR = $(TOOLS_DATADIR)/cpumf
|
||||||
|
-DATA_FILES = cpum-cf-hw-counter.map cpum-cf-generic.ctr \
|
||||||
|
+DATA_FILES = cpum-cf-hw-counter.map \
|
||||||
|
+ cpum-cf-cfvn-1.ctr cpum-cf-cfvn-3.ctr \
|
||||||
|
+ cpum-cf-csvn-generic.ctr \
|
||||||
|
cpum-cf-extended-z10.ctr cpum-cf-extended-z196.ctr \
|
||||||
|
cpum-cf-extended-zEC12.ctr cpum-sf-modes.ctr \
|
||||||
|
cpum-cf-extended-z13.ctr cpum-cf-extended-z14.ctr
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/cpumf/data/cpum-cf-cfvn-1.ctr
|
||||||
|
@@ -0,0 +1,48 @@
|
||||||
|
+Counter: 0 Name:CPU_CYCLES
|
||||||
|
+Description:
|
||||||
|
+Cycle Count
|
||||||
|
+.
|
||||||
|
+Counter: 1 Name:INSTRUCTIONS
|
||||||
|
+Description:
|
||||||
|
+Instruction Count
|
||||||
|
+.
|
||||||
|
+Counter: 2 Name:L1I_DIR_WRITES
|
||||||
|
+Description:
|
||||||
|
+Level-1 I-Cache Directory Write Count
|
||||||
|
+.
|
||||||
|
+Counter: 3 Name:L1I_PENALTY_CYCLES
|
||||||
|
+Description:
|
||||||
|
+Level-1 I-Cache Penalty Cycle Count
|
||||||
|
+.
|
||||||
|
+Counter: 4 Name:L1D_DIR_WRITES
|
||||||
|
+Description:
|
||||||
|
+Level-1 D-Cache Directory Write Count
|
||||||
|
+.
|
||||||
|
+Counter: 5 Name:L1D_PENALTY_CYCLES
|
||||||
|
+Description:
|
||||||
|
+Level-1 D-Cache Penalty Cycle Count
|
||||||
|
+.
|
||||||
|
+Counter: 32 Name:PROBLEM_STATE_CPU_CYCLES
|
||||||
|
+Description:
|
||||||
|
+Problem-State Cycle Count
|
||||||
|
+.
|
||||||
|
+Counter: 33 Name:PROBLEM_STATE_INSTRUCTIONS
|
||||||
|
+Description:
|
||||||
|
+Problem-State Instruction Count
|
||||||
|
+.
|
||||||
|
+Counter: 34 Name:PROBLEM_STATE_L1I_DIR_WRITES
|
||||||
|
+Description:
|
||||||
|
+Problem-State Level-1 I-Cache Directory Write Count
|
||||||
|
+.
|
||||||
|
+Counter: 35 Name:PROBLEM_STATE_L1I_PENALTY_CYCLES
|
||||||
|
+Description:
|
||||||
|
+Problem-State Level-1 I-Cache Penalty Cycle Count
|
||||||
|
+.
|
||||||
|
+Counter: 36 Name:PROBLEM_STATE_L1D_DIR_WRITES
|
||||||
|
+Description:
|
||||||
|
+Problem-State Level-1 D-Cache Directory Write Count
|
||||||
|
+.
|
||||||
|
+Counter: 37 Name:PROBLEM_STATE_L1D_PENALTY_CYCLES
|
||||||
|
+Description:
|
||||||
|
+Problem-State Level-1 D-Cache Penalty Cycle Count
|
||||||
|
+.
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/cpumf/data/cpum-cf-cfvn-3.ctr
|
||||||
|
@@ -0,0 +1,32 @@
|
||||||
|
+Counter: 0 Name:CPU_CYCLES
|
||||||
|
+Description:
|
||||||
|
+Cycle Count
|
||||||
|
+.
|
||||||
|
+Counter: 1 Name:INSTRUCTIONS
|
||||||
|
+Description:
|
||||||
|
+Instruction Count
|
||||||
|
+.
|
||||||
|
+Counter: 2 Name:L1I_DIR_WRITES
|
||||||
|
+Description:
|
||||||
|
+Level-1 I-Cache Directory Write Count
|
||||||
|
+.
|
||||||
|
+Counter: 3 Name:L1I_PENALTY_CYCLES
|
||||||
|
+Description:
|
||||||
|
+Level-1 I-Cache Penalty Cycle Count
|
||||||
|
+.
|
||||||
|
+Counter: 4 Name:L1D_DIR_WRITES
|
||||||
|
+Description:
|
||||||
|
+Level-1 D-Cache Directory Write Count
|
||||||
|
+.
|
||||||
|
+Counter: 5 Name:L1D_PENALTY_CYCLES
|
||||||
|
+Description:
|
||||||
|
+Level-1 D-Cache Penalty Cycle Count
|
||||||
|
+.
|
||||||
|
+Counter: 32 Name:PROBLEM_STATE_CPU_CYCLES
|
||||||
|
+Description:
|
||||||
|
+Problem-State Cycle Count
|
||||||
|
+.
|
||||||
|
+Counter: 33 Name:PROBLEM_STATE_INSTRUCTIONS
|
||||||
|
+Description:
|
||||||
|
+Problem-State Instruction Count
|
||||||
|
+.
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/cpumf/data/cpum-cf-csvn-generic.ctr
|
||||||
|
@@ -0,0 +1,84 @@
|
||||||
|
+Counter: 64 Name:PRNG_FUNCTIONS
|
||||||
|
+Description:
|
||||||
|
+Total number of the PRNG functions issued by the CPU
|
||||||
|
+.
|
||||||
|
+Counter: 65 Name:PRNG_CYCLES
|
||||||
|
+Description:
|
||||||
|
+Total number of CPU cycles when the DEA/AES coprocessor is busy
|
||||||
|
+performing PRNG functions issued by the CPU
|
||||||
|
+.
|
||||||
|
+Counter: 66 Name:PRNG_BLOCKED_FUNCTIONS
|
||||||
|
+Description:
|
||||||
|
+Total number of the PRNG functions that are issued by the CPU and are
|
||||||
|
+blocked because the DEA/AES coprocessor is busy performing a function
|
||||||
|
+issued by another CPU
|
||||||
|
+.
|
||||||
|
+Counter: 67 Name:PRNG_BLOCKED_CYCLES
|
||||||
|
+Description:
|
||||||
|
+Total number of CPU cycles blocked for the PRNG functions issued by
|
||||||
|
+the CPU because the DEA/AES coprocessor is busy performing a function
|
||||||
|
+issued by another CPU
|
||||||
|
+.
|
||||||
|
+Counter: 68 Name:SHA_FUNCTIONS
|
||||||
|
+Description:
|
||||||
|
+Total number of SHA functions issued by the CPU
|
||||||
|
+.
|
||||||
|
+Counter: 69 Name:SHA_CYCLES
|
||||||
|
+Description:
|
||||||
|
+Total number of CPU cycles when the SHA coprocessor is busy performing
|
||||||
|
+the SHA functions issued by the CPU
|
||||||
|
+.
|
||||||
|
+Counter: 70 Name:SHA_BLOCKED_FUNCTIONS
|
||||||
|
+Description:
|
||||||
|
+Total number of the SHA functions that are issued by the CPU and are
|
||||||
|
+blocked because the SHA coprocessor is busy performing a function issued
|
||||||
|
+by another CPU
|
||||||
|
+.
|
||||||
|
+Counter: 71 Name:SHA_BLOCKED_CYCLES
|
||||||
|
+Description:
|
||||||
|
+Total number of CPU cycles blocked for the SHA functions issued by the
|
||||||
|
+CPU because the SHA coprocessor is busy performing a function issued
|
||||||
|
+by another CPU
|
||||||
|
+.
|
||||||
|
+Counter: 72 Name:DEA_FUNCTIONS
|
||||||
|
+Description:
|
||||||
|
+Total number of the DEA functions issued by the CPU
|
||||||
|
+.
|
||||||
|
+Counter: 73 Name:DEA_CYCLES
|
||||||
|
+Description:
|
||||||
|
+Total number of CPU cycles when the DEA/AES coprocessor is busy
|
||||||
|
+performing the DEA functions issued by the CPU
|
||||||
|
+.
|
||||||
|
+Counter: 74 Name:DEA_BLOCKED_FUNCTIONS
|
||||||
|
+Description:
|
||||||
|
+Total number of the DEA functions that are issued by the CPU and are
|
||||||
|
+blocked because the DEA/AES coprocessor is busy performing a function
|
||||||
|
+issued by another CPU
|
||||||
|
+.
|
||||||
|
+Counter: 75 Name:DEA_BLOCKED_CYCLES
|
||||||
|
+Description:
|
||||||
|
+Total number of CPU cycles blocked for the DEA functions issued by the
|
||||||
|
+CPU because the DEA/AES coprocessor is busy performing a function issued
|
||||||
|
+by another CPU
|
||||||
|
+.
|
||||||
|
+Counter: 76 Name:AES_FUNCTIONS
|
||||||
|
+Description:
|
||||||
|
+Total number of AES functions issued by the CPU
|
||||||
|
+.
|
||||||
|
+Counter: 77 Name:AES_CYCLES
|
||||||
|
+Description:
|
||||||
|
+Total number of CPU cycles when the DEA/AES coprocessor is busy
|
||||||
|
+performing the AES functions issued by the CPU
|
||||||
|
+.
|
||||||
|
+Counter: 78 Name:AES_BLOCKED_FUNCTIONS
|
||||||
|
+Description:
|
||||||
|
+Total number of AES functions that are issued by the CPU and are blocked
|
||||||
|
+because the DEA/AES coprocessor is busy performing a function issued
|
||||||
|
+by another CPU
|
||||||
|
+.
|
||||||
|
+Counter: 79 Name:AES_BLOCKED_CYCLES
|
||||||
|
+Description:
|
||||||
|
+Total number of CPU cycles blocked for the AES functions issued by the
|
||||||
|
+CPU because the DEA/AES coprocessor is busy performing a function issued
|
||||||
|
+by another CPU
|
||||||
|
+.
|
||||||
|
--- a/cpumf/data/cpum-cf-generic.ctr
|
||||||
|
+++ /dev/null
|
||||||
|
@@ -1,132 +0,0 @@
|
||||||
|
-Counter: 0 Name:CPU_CYCLES
|
||||||
|
-Description:
|
||||||
|
-Cycle Count
|
||||||
|
-.
|
||||||
|
-Counter: 1 Name:INSTRUCTIONS
|
||||||
|
-Description:
|
||||||
|
-Instruction Count
|
||||||
|
-.
|
||||||
|
-Counter: 2 Name:L1I_DIR_WRITES
|
||||||
|
-Description:
|
||||||
|
-Level-1 I-Cache Directory Write Count
|
||||||
|
-.
|
||||||
|
-Counter: 3 Name:L1I_PENALTY_CYCLES
|
||||||
|
-Description:
|
||||||
|
-Level-1 I-Cache Penalty Cycle Count
|
||||||
|
-.
|
||||||
|
-Counter: 4 Name:L1D_DIR_WRITES
|
||||||
|
-Description:
|
||||||
|
-Level-1 D-Cache Directory Write Count
|
||||||
|
-.
|
||||||
|
-Counter: 5 Name:L1D_PENALTY_CYCLES
|
||||||
|
-Description:
|
||||||
|
-Level-1 D-Cache Penalty Cycle Count
|
||||||
|
-.
|
||||||
|
-Counter: 32 Name:PROBLEM_STATE_CPU_CYCLES
|
||||||
|
-Description:
|
||||||
|
-Problem-State Cycle Count
|
||||||
|
-.
|
||||||
|
-Counter: 33 Name:PROBLEM_STATE_INSTRUCTIONS
|
||||||
|
-Description:
|
||||||
|
-Problem-State Instruction Count
|
||||||
|
-.
|
||||||
|
-Counter: 34 Name:PROBLEM_STATE_L1I_DIR_WRITES
|
||||||
|
-Description:
|
||||||
|
-Problem-State Level-1 I-Cache Directory Write Count
|
||||||
|
-.
|
||||||
|
-Counter: 35 Name:PROBLEM_STATE_L1I_PENALTY_CYCLES
|
||||||
|
-Description:
|
||||||
|
-Problem-State Level-1 I-Cache Penalty Cycle Count
|
||||||
|
-.
|
||||||
|
-Counter: 36 Name:PROBLEM_STATE_L1D_DIR_WRITES
|
||||||
|
-Description:
|
||||||
|
-Problem-State Level-1 D-Cache Directory Write Count
|
||||||
|
-.
|
||||||
|
-Counter: 37 Name:PROBLEM_STATE_L1D_PENALTY_CYCLES
|
||||||
|
-Description:
|
||||||
|
-Problem-State Level-1 D-Cache Penalty Cycle Count
|
||||||
|
-.
|
||||||
|
-Counter: 64 Name:PRNG_FUNCTIONS
|
||||||
|
-Description:
|
||||||
|
-Total number of the PRNG functions issued by the CPU
|
||||||
|
-.
|
||||||
|
-Counter: 65 Name:PRNG_CYCLES
|
||||||
|
-Description:
|
||||||
|
-Total number of CPU cycles when the DEA/AES coprocessor is busy
|
||||||
|
-performing PRNG functions issued by the CPU
|
||||||
|
-.
|
||||||
|
-Counter: 66 Name:PRNG_BLOCKED_FUNCTIONS
|
||||||
|
-Description:
|
||||||
|
-Total number of the PRNG functions that are issued by the CPU and are
|
||||||
|
-blocked because the DEA/AES coprocessor is busy performing a function
|
||||||
|
-issued by another CPU
|
||||||
|
-.
|
||||||
|
-Counter: 67 Name:PRNG_BLOCKED_CYCLES
|
||||||
|
-Description:
|
||||||
|
-Total number of CPU cycles blocked for the PRNG functions issued by
|
||||||
|
-the CPU because the DEA/AES coprocessor is busy performing a function
|
||||||
|
-issued by another CPU
|
||||||
|
-.
|
||||||
|
-Counter: 68 Name:SHA_FUNCTIONS
|
||||||
|
-Description:
|
||||||
|
-Total number of SHA functions issued by the CPU
|
||||||
|
-.
|
||||||
|
-Counter: 69 Name:SHA_CYCLES
|
||||||
|
-Description:
|
||||||
|
-Total number of CPU cycles when the SHA coprocessor is busy performing
|
||||||
|
-the SHA functions issued by the CPU
|
||||||
|
-.
|
||||||
|
-Counter: 70 Name:SHA_BLOCKED_FUNCTIONS
|
||||||
|
-Description:
|
||||||
|
-Total number of the SHA functions that are issued by the CPU and are
|
||||||
|
-blocked because the SHA coprocessor is busy performing a function issued
|
||||||
|
-by another CPU
|
||||||
|
-.
|
||||||
|
-Counter: 71 Name:SHA_BLOCKED_CYCLES
|
||||||
|
-Description:
|
||||||
|
-Total number of CPU cycles blocked for the SHA functions issued by the
|
||||||
|
-CPU because the SHA coprocessor is busy performing a function issued
|
||||||
|
-by another CPU
|
||||||
|
-.
|
||||||
|
-Counter: 72 Name:DEA_FUNCTIONS
|
||||||
|
-Description:
|
||||||
|
-Total number of the DEA functions issued by the CPU
|
||||||
|
-.
|
||||||
|
-Counter: 73 Name:DEA_CYCLES
|
||||||
|
-Description:
|
||||||
|
-Total number of CPU cycles when the DEA/AES coprocessor is busy
|
||||||
|
-performing the DEA functions issued by the CPU
|
||||||
|
-.
|
||||||
|
-Counter: 74 Name:DEA_BLOCKED_FUNCTIONS
|
||||||
|
-Description:
|
||||||
|
-Total number of the DEA functions that are issued by the CPU and are
|
||||||
|
-blocked because the DEA/AES coprocessor is busy performing a function
|
||||||
|
-issued by another CPU
|
||||||
|
-.
|
||||||
|
-Counter: 75 Name:DEA_BLOCKED_CYCLES
|
||||||
|
-Description:
|
||||||
|
-Total number of CPU cycles blocked for the DEA functions issued by the
|
||||||
|
-CPU because the DEA/AES coprocessor is busy performing a function issued
|
||||||
|
-by another CPU
|
||||||
|
-.
|
||||||
|
-Counter: 76 Name:AES_FUNCTIONS
|
||||||
|
-Description:
|
||||||
|
-Total number of AES functions issued by the CPU
|
||||||
|
-.
|
||||||
|
-Counter: 77 Name:AES_CYCLES
|
||||||
|
-Description:
|
||||||
|
-Total number of CPU cycles when the DEA/AES coprocessor is busy
|
||||||
|
-performing the AES functions issued by the CPU
|
||||||
|
-.
|
||||||
|
-Counter: 78 Name:AES_BLOCKED_FUNCTIONS
|
||||||
|
-Description:
|
||||||
|
-Total number of AES functions that are issued by the CPU and are blocked
|
||||||
|
-because the DEA/AES coprocessor is busy performing a function issued
|
||||||
|
-by another CPU
|
||||||
|
-.
|
||||||
|
-Counter: 79 Name:AES_BLOCKED_CYCLES
|
||||||
|
-Description:
|
||||||
|
-Total number of CPU cycles blocked for the AES functions issued by the
|
||||||
|
-CPU because the DEA/AES coprocessor is busy performing a function issued
|
||||||
|
-by another CPU
|
||||||
|
-.
|
||||||
|
--- a/cpumf/data/cpum-cf-hw-counter.map
|
||||||
|
+++ b/cpumf/data/cpum-cf-hw-counter.map
|
||||||
|
@@ -1,11 +1,22 @@
|
||||||
|
# CPU-measurement facilities
|
||||||
|
#
|
||||||
|
-# Mapping of IBM System z hardware types to extended counter set defintions
|
||||||
|
+# Mapping of:
|
||||||
|
+# 1. CPU-MF counter first/second version numbers to "generic" counter
|
||||||
|
+# definitions
|
||||||
|
+# 2. IBM z Systems hardware to respective extended counter set definitions
|
||||||
|
#
|
||||||
|
#
|
||||||
|
{
|
||||||
|
# Definition # File name
|
||||||
|
- 0 => 'cpum-cf-generic.ctr',
|
||||||
|
+
|
||||||
|
+ # CFVN
|
||||||
|
+ 'cfvn-1' => 'cpum-cf-cfvn-1.ctr',
|
||||||
|
+ 'cfvn-3' => 'cpum-cf-cfvn-3.ctr',
|
||||||
|
+
|
||||||
|
+ # CSVN
|
||||||
|
+ 'csvn-generic' => 'cpum-cf-csvn-generic.ctr',
|
||||||
|
+
|
||||||
|
+ # Extended counters
|
||||||
|
2097 => 'cpum-cf-extended-z10.ctr',
|
||||||
|
2098 => 'cpum-cf-extended-z10.ctr',
|
||||||
|
2817 => 'cpum-cf-extended-z196.ctr',
|
@ -0,0 +1,56 @@
|
|||||||
|
Subject: lszcrypt: fix date and wrong indentation
|
||||||
|
From: Harald Freudenberger <freude@linux.vnet.ibm.com>
|
||||||
|
|
||||||
|
Summary: s390-tools: Exploitation Support for CEX6S
|
||||||
|
Description: Exploitation Support for CEX6S
|
||||||
|
Upstream-ID: 4ad5e29f2f02e02c772ca4707b9f10253b1e5692
|
||||||
|
Problem-ID: SEC1519
|
||||||
|
|
||||||
|
Upstream-Description:
|
||||||
|
|
||||||
|
lszcrypt: fix date and wrong indentation
|
||||||
|
|
||||||
|
The man page date was AUG 2008. Changed to OCT 2017.
|
||||||
|
A previous commit had a wrong indentation on following
|
||||||
|
options text for lszcrypt. Fixed.
|
||||||
|
|
||||||
|
Signed-off-by: Harald Freudenberger <freude@linux.vnet.ibm.com>
|
||||||
|
Signed-off-by: Stefan Haberland <sth@linux.vnet.ibm.com>
|
||||||
|
|
||||||
|
|
||||||
|
Signed-off-by: Harald Freudenberger <freude@linux.vnet.ibm.com>
|
||||||
|
---
|
||||||
|
zconf/zcrypt/chzcrypt.8 | 2 +-
|
||||||
|
zconf/zcrypt/lszcrypt.8 | 3 ++-
|
||||||
|
2 files changed, 3 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
--- a/zconf/zcrypt/chzcrypt.8
|
||||||
|
+++ b/zconf/zcrypt/chzcrypt.8
|
||||||
|
@@ -2,7 +2,7 @@
|
||||||
|
.\" s390-tools is free software; you can redistribute it and/or modify
|
||||||
|
.\" it under the terms of the MIT license. See LICENSE for details.
|
||||||
|
.\"
|
||||||
|
-.TH CHZCRYPT 8 "AUG 2008" "s390-tools"
|
||||||
|
+.TH CHZCRYPT 8 "OCT 2017" "s390-tools"
|
||||||
|
.SH NAME
|
||||||
|
chzcrypt \- modify zcrypt configuration
|
||||||
|
.SH SYNOPSIS
|
||||||
|
--- a/zconf/zcrypt/lszcrypt.8
|
||||||
|
+++ b/zconf/zcrypt/lszcrypt.8
|
||||||
|
@@ -10,7 +10,7 @@
|
||||||
|
.\" nroff -man lszcrypt.8
|
||||||
|
.\" to process this source
|
||||||
|
.\"
|
||||||
|
-.TH LSZCRYPT 8 "AUG 2008" "s390-tools"
|
||||||
|
+.TH LSZCRYPT 8 "OCT 2017" "s390-tools"
|
||||||
|
.SH NAME
|
||||||
|
lszcrypt \- display zcrypt device and configuration information
|
||||||
|
.SH SYNOPSIS
|
||||||
|
@@ -91,6 +91,7 @@ The CCA Secure Key capability may be lim
|
||||||
|
layer. The remarks 'full function set' or 'restricted function set' may
|
||||||
|
reflect this. For details about these limitations please check the
|
||||||
|
hypervisor documentation.
|
||||||
|
+.RE
|
||||||
|
.TP 8
|
||||||
|
.B -d, --domains
|
||||||
|
Shows the usage and control domains of the cryptographic devices.
|
@ -0,0 +1,43 @@
|
|||||||
|
Subject: util_path: Add description for util_path_exists()
|
||||||
|
From: Jan Hoeppner <jan.hoeppner@de.ibm.com>
|
||||||
|
|
||||||
|
Summary: zpcictl: Add tool to manage PCI devices
|
||||||
|
Description: Use the zpcictl tool to manage PCI devices on the IBM Z
|
||||||
|
platform. Initial functions include generating firmware
|
||||||
|
error logs, resetting PCI devices, and preparing a device
|
||||||
|
for further repair actions.
|
||||||
|
Upstream-ID: d0e2caf0ffb195568bba89a95549a5a4f026a4e6
|
||||||
|
Problem-ID: RAS1703
|
||||||
|
|
||||||
|
Upstream-Description:
|
||||||
|
|
||||||
|
util_path: Add description for util_path_exists()
|
||||||
|
|
||||||
|
Signed-off-by: Michael Holzheu <holzheu@linux.vnet.ibm.com>
|
||||||
|
|
||||||
|
|
||||||
|
Signed-off-by: Jan Hoeppner <jan.hoeppner@de.ibm.com>
|
||||||
|
---
|
||||||
|
libutil/util_path.c | 11 +++++++++++
|
||||||
|
1 file changed, 11 insertions(+)
|
||||||
|
|
||||||
|
--- a/libutil/util_path.c
|
||||||
|
+++ b/libutil/util_path.c
|
||||||
|
@@ -195,6 +195,17 @@ free_str:
|
||||||
|
return rc;
|
||||||
|
}
|
||||||
|
|
||||||
|
+/**
|
||||||
|
+ * Test if path to directory or file exists
|
||||||
|
+ *
|
||||||
|
+ * This function has the same semantics as "-e path" in bash.
|
||||||
|
+ *
|
||||||
|
+ * @param[in] fmt Format string for path to test
|
||||||
|
+ * @param[in] ... Variable arguments for format string
|
||||||
|
+ *
|
||||||
|
+ * @returns true Path exists
|
||||||
|
+ * false Otherwise
|
||||||
|
+ */
|
||||||
|
bool util_path_exists(const char *fmt, ...)
|
||||||
|
{
|
||||||
|
va_list ap;
|
@ -0,0 +1,107 @@
|
|||||||
|
Subject: cpumf/cpumf_helper: read split counter sets (part 2/2)
|
||||||
|
From: Hendrik Brueckner <brueckner@linux.ibm.com>
|
||||||
|
|
||||||
|
Summary: cpumf: Add CPU-MF hardware counters for z14
|
||||||
|
Description: Add hardware counter definitions for IBM z14.
|
||||||
|
Upstream-ID: 1064e5b9cc3bdeb5731c2e152ce146dfdad27e6f
|
||||||
|
Problem-ID: KRN1608
|
||||||
|
|
||||||
|
Upstream-Description:
|
||||||
|
|
||||||
|
cpumf/cpumf_helper: read split counter sets (part 2/2)
|
||||||
|
|
||||||
|
Update the cpumf helper program to read the split counter set
|
||||||
|
definition files. Changes to higher-level program like lscpumf
|
||||||
|
are not necessary.
|
||||||
|
|
||||||
|
Signed-off-by: Hendrik Brueckner <brueckner@linux.vnet.ibm.com>
|
||||||
|
Signed-off-by: Stefan Haberland <sth@linux.vnet.ibm.com>
|
||||||
|
|
||||||
|
|
||||||
|
Signed-off-by: Hendrik Brueckner <brueckner@linux.ibm.com>
|
||||||
|
---
|
||||||
|
cpumf/bin/cpumf_helper.in | 50 ++++++++++++++++++++++++++++++++++++++--------
|
||||||
|
1 file changed, 42 insertions(+), 8 deletions(-)
|
||||||
|
|
||||||
|
--- a/cpumf/bin/cpumf_helper.in
|
||||||
|
+++ b/cpumf/bin/cpumf_helper.in
|
||||||
|
@@ -229,6 +229,28 @@ sub get_hardware_type()
|
||||||
|
return $type;
|
||||||
|
}
|
||||||
|
|
||||||
|
+sub get_cpum_cf_version()
|
||||||
|
+{
|
||||||
|
+ my $SL;
|
||||||
|
+
|
||||||
|
+ my $v = {
|
||||||
|
+ cfvn => 0,
|
||||||
|
+ csvn => 0,
|
||||||
|
+ };
|
||||||
|
+
|
||||||
|
+ return $v unless open($SL, '<', $SERVICE_LEVELS);
|
||||||
|
+ while (my $line = <$SL>) {
|
||||||
|
+ # CPU-MF: Counter facility: version=3.5
|
||||||
|
+ if ($line =~ m/^CPU-MF: Counter facility: version=(\d+)\.(\d+)/) {
|
||||||
|
+ $v->{cfvn} = $1; # Counter First Version Number
|
||||||
|
+ $v->{csvn} = $2; # Counter Second Version Number
|
||||||
|
+ last;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ close($SL);
|
||||||
|
+ return $v
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
sub cpumf_load_ctrdef($;$)
|
||||||
|
{
|
||||||
|
my $hw_type = shift();
|
||||||
|
@@ -237,10 +259,20 @@ sub cpumf_load_ctrdef($;$)
|
||||||
|
my $ctrmap = cpumf_hardware_counter_map();
|
||||||
|
return unless $ctrmap;
|
||||||
|
|
||||||
|
+ # Obtain CPU-MF counter facility versions
|
||||||
|
+ my $version = get_cpum_cf_version();
|
||||||
|
+
|
||||||
|
+ # List of "generic" counter sets
|
||||||
|
+ my @def = ();
|
||||||
|
+ push @def, "cfvn-" . $version->{cfvn};
|
||||||
|
+ push @def, "csvn-generic";
|
||||||
|
+
|
||||||
|
my $h = {};
|
||||||
|
- # Load generic counter sets
|
||||||
|
- cpumf_parse_ctrdef($ctrmap->{0}, $h) or
|
||||||
|
- croak "Failed to read generic counter definition: $!\n";
|
||||||
|
+ # Load counter set definition
|
||||||
|
+ foreach my $ent (@def) {
|
||||||
|
+ cpumf_parse_ctrdef($ctrmap->{$ent}, $h) or
|
||||||
|
+ croak "Failed to read counter definition for $ent: $!\n";
|
||||||
|
+ }
|
||||||
|
# Load hardware model specific counter set(s)
|
||||||
|
if ($hw_type && $ctrmap->{$hw_type}) {
|
||||||
|
# Hardware-model specific counter sets are:
|
||||||
|
@@ -323,7 +355,7 @@ sub cpumf_helper_main()
|
||||||
|
GetOptions(
|
||||||
|
"i|info" => \$conf->{opt_info},
|
||||||
|
"c|counter=i" => \$conf->{opt_ctr},
|
||||||
|
- "ctr-def=i" => \$conf->{opt_ctrdef},
|
||||||
|
+ "ctr-def=s" => \$conf->{opt_ctrdef},
|
||||||
|
"hardware-type" => \$conf->{opt_hwtype},
|
||||||
|
"ctr-set-names" => \$conf->{opt_ctrset_names},
|
||||||
|
"ctr-set-ids" => \$conf->{opt_ctrset_ids},
|
||||||
|
@@ -428,11 +460,13 @@ B<--ctr-def> option and specify the Syst
|
||||||
|
|
||||||
|
Displays the System z hardware type.
|
||||||
|
|
||||||
|
-=item B<--ctr-def> I<hardware_type>
|
||||||
|
+=item B<--ctr-def> I<ctr-definition>
|
||||||
|
|
||||||
|
-Displays detailed information about a particular counter set for the specified
|
||||||
|
-System z hardware type, I<hardware_type>. If you specify zero for
|
||||||
|
-I<hardware_type>, type-independent counter sets are displayed.
|
||||||
|
+Displays detailed information about the specified counter definition.
|
||||||
|
+Valid counter definitions start with C<cfvn-> or <csvn-> followed by
|
||||||
|
+the counter first/second version number of the CPU-Measurement Counter
|
||||||
|
+Facility. To display counter information of model-specific counter
|
||||||
|
+sets, specify the System z hardware type for I<ctr-definition>.
|
||||||
|
|
||||||
|
=item B<--ctr-set-names>
|
||||||
|
|
@ -0,0 +1,34 @@
|
|||||||
|
Subject: util_path: Make true/false handling consistent with other functions
|
||||||
|
From: Jan Hoeppner <jan.hoeppner@de.ibm.com>
|
||||||
|
|
||||||
|
Summary: zpcictl: Add tool to manage PCI devices
|
||||||
|
Description: Use the zpcictl tool to manage PCI devices on the IBM Z
|
||||||
|
platform. Initial functions include generating firmware
|
||||||
|
error logs, resetting PCI devices, and preparing a device
|
||||||
|
for further repair actions.
|
||||||
|
Upstream-ID: 2b92bc4c087fd7a2275ba8fd5608cf3c86cdcc98
|
||||||
|
Problem-ID: RAS1703
|
||||||
|
|
||||||
|
Upstream-Description:
|
||||||
|
|
||||||
|
util_path: Make true/false handling consistent with other functions
|
||||||
|
|
||||||
|
Signed-off-by: Michael Holzheu <holzheu@linux.vnet.ibm.com>
|
||||||
|
|
||||||
|
|
||||||
|
Signed-off-by: Jan Hoeppner <jan.hoeppner@de.ibm.com>
|
||||||
|
---
|
||||||
|
libutil/util_path.c | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
--- a/libutil/util_path.c
|
||||||
|
+++ b/libutil/util_path.c
|
||||||
|
@@ -213,7 +213,7 @@ bool util_path_exists(const char *fmt, .
|
||||||
|
bool rc;
|
||||||
|
|
||||||
|
UTIL_VASPRINTF(&path, fmt, ap);
|
||||||
|
- rc = access(path, F_OK) == 0;
|
||||||
|
+ rc = access(path, F_OK) == 0 ? true : false;
|
||||||
|
free(path);
|
||||||
|
return rc;
|
||||||
|
}
|
@ -0,0 +1,32 @@
|
|||||||
|
Subject: cpumf: correct z14 counter number
|
||||||
|
From: Hendrik Brueckner <brueckner@linux.ibm.com>
|
||||||
|
|
||||||
|
Summary: cpumf: Add CPU-MF hardware counters for z14
|
||||||
|
Description: Add hardware counter definitions for IBM z14.
|
||||||
|
Upstream-ID: 144bddbf5bce749549a289acbeb49337edaaea45
|
||||||
|
Problem-ID: KRN1608
|
||||||
|
|
||||||
|
Upstream-Description:
|
||||||
|
|
||||||
|
cpumf: correct z14 counter number
|
||||||
|
|
||||||
|
Signed-off-by: Hendrik Brueckner <brueckner@linux.vnet.ibm.com>
|
||||||
|
Signed-off-by: Stefan Haberland <sth@linux.vnet.ibm.com>
|
||||||
|
|
||||||
|
|
||||||
|
Signed-off-by: Hendrik Brueckner <brueckner@linux.ibm.com>
|
||||||
|
---
|
||||||
|
cpumf/data/cpum-cf-extended-z14.ctr | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
--- a/cpumf/data/cpum-cf-extended-z14.ctr
|
||||||
|
+++ b/cpumf/data/cpum-cf-extended-z14.ctr
|
||||||
|
@@ -269,7 +269,7 @@ Description:
|
||||||
|
Decimal instructions dispatched. Instructions: CVB, CVD, AP, CP, DP, ED,
|
||||||
|
EDMK, MP, SRP, SP, ZAP
|
||||||
|
.
|
||||||
|
-Counter:233 Name:LAST_HOST_TRANSLATIONS
|
||||||
|
+Counter:232 Name:LAST_HOST_TRANSLATIONS
|
||||||
|
Description:
|
||||||
|
Last Host Translation done
|
||||||
|
.
|
603
s390-tools-sles15sp1-04-zpcictl-Introduce-new-tool-zpcictl.patch
Normal file
603
s390-tools-sles15sp1-04-zpcictl-Introduce-new-tool-zpcictl.patch
Normal file
@ -0,0 +1,603 @@
|
|||||||
|
Subject: zpcictl: Introduce new tool zpcictl
|
||||||
|
From: Jan Hoeppner <jan.hoeppner@de.ibm.com>
|
||||||
|
|
||||||
|
Summary: zpcictl: Add tool to manage PCI devices
|
||||||
|
Description: Use the zpcictl tool to manage PCI devices on the IBM Z
|
||||||
|
platform. Initial functions include generating firmware
|
||||||
|
error logs, resetting PCI devices, and preparing a device
|
||||||
|
for further repair actions.
|
||||||
|
Upstream-ID: 177cf8cfeb83f85bc164c462b5534f93be3bd979
|
||||||
|
Problem-ID: RAS1703
|
||||||
|
|
||||||
|
Upstream-Description:
|
||||||
|
|
||||||
|
zpcictl: Introduce new tool zpcictl
|
||||||
|
|
||||||
|
zpcictl is used to manage PCI devices on z Systems. In this first
|
||||||
|
version it is mainly used to handle erroneous PCI devices by changing
|
||||||
|
their state and make those changes known to the SE. Log data, such as
|
||||||
|
S.M.A.R.T. data for NVMe devices, is sent alongside those state changes.
|
||||||
|
|
||||||
|
The state change is issued by sending data via the PCI 'report_error'
|
||||||
|
sysfs attribute. It's a binary attribute which will cause the host to
|
||||||
|
send an Adapter Notification Event.
|
||||||
|
|
||||||
|
Signed-off-by: Jan Höppner <hoeppner@linux.ibm.com>
|
||||||
|
|
||||||
|
|
||||||
|
Signed-off-by: Jan Hoeppner <jan.hoeppner@de.ibm.com>
|
||||||
|
---
|
||||||
|
.gitignore | 1
|
||||||
|
Makefile | 2
|
||||||
|
zpcictl/Makefile | 18 ++
|
||||||
|
zpcictl/zpcictl.8 | 80 +++++++++++
|
||||||
|
zpcictl/zpcictl.c | 378 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
|
||||||
|
zpcictl/zpcictl.h | 60 ++++++++
|
||||||
|
6 files changed, 538 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
--- a/.gitignore
|
||||||
|
+++ b/.gitignore
|
||||||
|
@@ -87,3 +87,4 @@ zipl/boot/data.h
|
||||||
|
zipl/src/chreipl_helper.device-mapper
|
||||||
|
zipl/src/zipl
|
||||||
|
zkey/zkey
|
||||||
|
+zpcictl/zpcictl
|
||||||
|
--- a/Makefile
|
||||||
|
+++ b/Makefile
|
||||||
|
@@ -8,7 +8,7 @@ TOOL_DIRS = zipl zdump fdasd dasdfmt das
|
||||||
|
tape390 osasnmpd qetharp ip_watcher qethconf scripts zconf \
|
||||||
|
vmconvert vmcp man mon_tools dasdinfo vmur cpuplugd ipl_tools \
|
||||||
|
ziomon iucvterm hyptop cmsfs-fuse qethqoat zfcpdump zdsfs cpumf \
|
||||||
|
- systemd hmcdrvfs cpacfstats zdev dump2tar zkey netboot
|
||||||
|
+ systemd hmcdrvfs cpacfstats zdev dump2tar zkey netboot zpcictl
|
||||||
|
SUB_DIRS = $(LIB_DIRS) $(TOOL_DIRS)
|
||||||
|
|
||||||
|
all: $(TOOL_DIRS)
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/zpcictl/Makefile
|
||||||
|
@@ -0,0 +1,18 @@
|
||||||
|
+include ../common.mak
|
||||||
|
+
|
||||||
|
+all: zpcictl
|
||||||
|
+
|
||||||
|
+libs = $(rootdir)/libutil/libutil.a
|
||||||
|
+
|
||||||
|
+zpcictl: zpcictl.o $(libs)
|
||||||
|
+
|
||||||
|
+install: all
|
||||||
|
+ $(INSTALL) -d -m 755 $(DESTDIR)$(BINDIR) $(DESTDIR)$(MANDIR)/man8
|
||||||
|
+ $(INSTALL) -g $(GROUP) -o $(OWNER) -m 755 zpcictl $(DESTDIR)$(BINDIR)
|
||||||
|
+ $(INSTALL) -g $(GROUP) -o $(OWNER) -m 644 zpcictl.8 \
|
||||||
|
+ $(DESTDIR)$(MANDIR)/man8
|
||||||
|
+
|
||||||
|
+clean:
|
||||||
|
+ rm -f *.o *~ zpcictl core
|
||||||
|
+
|
||||||
|
+.PHONY: all install clean
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/zpcictl/zpcictl.8
|
||||||
|
@@ -0,0 +1,80 @@
|
||||||
|
+.\" Copyright 2017 IBM Corp.
|
||||||
|
+.\" s390-tools is free software; you can redistribute it and/or modify
|
||||||
|
+.\" it under the terms of the MIT license. See LICENSE for details.
|
||||||
|
+.\"
|
||||||
|
+.\" Macro for inserting an option description prologue.
|
||||||
|
+.\" .OD <long> [<short>] [args]
|
||||||
|
+.de OD
|
||||||
|
+. ds args "
|
||||||
|
+. if !'\\$3'' .as args \fI\\$3\fP
|
||||||
|
+. if !'\\$4'' .as args \\$4
|
||||||
|
+. if !'\\$5'' .as args \fI\\$5\fP
|
||||||
|
+. if !'\\$6'' .as args \\$6
|
||||||
|
+. if !'\\$7'' .as args \fI\\$7\fP
|
||||||
|
+. PD 0
|
||||||
|
+. if !'\\$2'' .IP "\fB\-\\$2\fP \\*[args]" 4
|
||||||
|
+. if !'\\$1'' .IP "\fB\-\-\\$1\fP \\*[args]" 4
|
||||||
|
+. PD
|
||||||
|
+..
|
||||||
|
+.
|
||||||
|
+.TH zpcictl 8 "Oct 2018" s390-tools zpcictl
|
||||||
|
+.
|
||||||
|
+.SH NAME
|
||||||
|
+zpcictl - Manage PCI devices on z Systems
|
||||||
|
+.
|
||||||
|
+.
|
||||||
|
+.SH SYNOPSIS
|
||||||
|
+.B "zpcictl"
|
||||||
|
+.I "OPTIONS"
|
||||||
|
+.I "DEVICE"
|
||||||
|
+.
|
||||||
|
+.
|
||||||
|
+.SH DESCRIPTION
|
||||||
|
+.B zpcictl
|
||||||
|
+is a tool for managing PCI devices on the IBM z Systems platform. It is
|
||||||
|
+especially used for reporting errorneous PCI devices to the service element.
|
||||||
|
+
|
||||||
|
+.B Note:
|
||||||
|
+For NVMe devices additional data (such as S.M.A.R.T. data) is collected and sent
|
||||||
|
+with any error handling action. The smartmontools are required to be installed
|
||||||
|
+for this to work.
|
||||||
|
+.PP
|
||||||
|
+.
|
||||||
|
+.
|
||||||
|
+.SH DEVICE
|
||||||
|
+.B DEVICE
|
||||||
|
+can be either the PCI slot address (e.g. 0000:00:00.0) or the main device node
|
||||||
|
+of an NVMe device (e.g. /dev/nvme0).
|
||||||
|
+.
|
||||||
|
+.
|
||||||
|
+.SH OPTIONS
|
||||||
|
+.SS Error Handling
|
||||||
|
+.OD reset "" "DEVICE"
|
||||||
|
+Reset
|
||||||
|
+.I DEVICE
|
||||||
|
+and initiate a re-initialisation of the adapter.
|
||||||
|
+.PP
|
||||||
|
+.
|
||||||
|
+.OD deconfigure "" "DEVICE"
|
||||||
|
+De-configure
|
||||||
|
+.I DEVICE
|
||||||
|
+and prepare for any repair action. This action will move the
|
||||||
|
+PCI device from a configured to a reserved state.
|
||||||
|
+.PP
|
||||||
|
+.
|
||||||
|
+.OD report-error "" "DEVICE"
|
||||||
|
+Report any device error for
|
||||||
|
+.IR DEVICE .
|
||||||
|
+The
|
||||||
|
+.I DEVICE
|
||||||
|
+is marked as erroneous and no further action is initiated on it.
|
||||||
|
+.PP
|
||||||
|
+.
|
||||||
|
+.SS Misc
|
||||||
|
+.OD help "h" ""
|
||||||
|
+Print usage information, then exit.
|
||||||
|
+.PP
|
||||||
|
+.
|
||||||
|
+.OD version "v" ""
|
||||||
|
+Print version information, then exit.
|
||||||
|
+.PP
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/zpcictl/zpcictl.c
|
||||||
|
@@ -0,0 +1,378 @@
|
||||||
|
+/*
|
||||||
|
+ * zpcictl - Manage PCI devices on z Systems
|
||||||
|
+ *
|
||||||
|
+ * Copyright IBM Corp. 2018
|
||||||
|
+ *
|
||||||
|
+ * s390-tools is free software; you can redistribute it and/or modify
|
||||||
|
+ * it under the terms of the MIT license. See LICENSE for details.
|
||||||
|
+ */
|
||||||
|
+
|
||||||
|
+#include <errno.h>
|
||||||
|
+#include <fcntl.h>
|
||||||
|
+#include <sys/stat.h>
|
||||||
|
+#include <time.h>
|
||||||
|
+
|
||||||
|
+#include "lib/util_base.h"
|
||||||
|
+#include "lib/util_libc.h"
|
||||||
|
+#include "lib/util_opt.h"
|
||||||
|
+#include "lib/util_path.h"
|
||||||
|
+#include "lib/util_prg.h"
|
||||||
|
+#include "lib/util_proc.h"
|
||||||
|
+#include "lib/util_rec.h"
|
||||||
|
+#include "lib/util_scandir.h"
|
||||||
|
+
|
||||||
|
+#include "zpcictl.h"
|
||||||
|
+
|
||||||
|
+#define SMARTCTL_CMDLINE "smartctl -x %s 2>/dev/null"
|
||||||
|
+
|
||||||
|
+static const struct util_prg prg = {
|
||||||
|
+ .desc = "Use zpcictl to manage PCI devices on s390\n"
|
||||||
|
+ "DEVICE is the slot id or node of the device (e.g. /dev/nvme0)",
|
||||||
|
+ .args = "DEVICE",
|
||||||
|
+ .copyright_vec = {
|
||||||
|
+ {
|
||||||
|
+ .owner = "IBM Corp.",
|
||||||
|
+ .pub_first = 2018,
|
||||||
|
+ .pub_last = 2018,
|
||||||
|
+ },
|
||||||
|
+ UTIL_PRG_COPYRIGHT_END
|
||||||
|
+ }
|
||||||
|
+};
|
||||||
|
+
|
||||||
|
+/* Defines for options with no short command */
|
||||||
|
+#define OPT_RESET 128
|
||||||
|
+#define OPT_DECONF 129
|
||||||
|
+#define OPT_REPORT_ERR 130
|
||||||
|
+
|
||||||
|
+static struct util_opt opt_vec[] = {
|
||||||
|
+ UTIL_OPT_SECTION("ERROR HANDLING"),
|
||||||
|
+ {
|
||||||
|
+ .option = { "reset", no_argument, NULL, OPT_RESET },
|
||||||
|
+ .desc = "Reset device",
|
||||||
|
+ .flags = UTIL_OPT_FLAG_NOSHORT,
|
||||||
|
+ },
|
||||||
|
+ {
|
||||||
|
+ .option = { "deconfigure", no_argument, NULL, OPT_DECONF },
|
||||||
|
+ .desc = "De-configure device and prepare for any repair action",
|
||||||
|
+ .flags = UTIL_OPT_FLAG_NOSHORT,
|
||||||
|
+ },
|
||||||
|
+ {
|
||||||
|
+ .option = { "report-error", no_argument, NULL, OPT_REPORT_ERR },
|
||||||
|
+ .desc = "Report device error to service element (SE)",
|
||||||
|
+ .flags = UTIL_OPT_FLAG_NOSHORT,
|
||||||
|
+ },
|
||||||
|
+ UTIL_OPT_SECTION("MISC"),
|
||||||
|
+ UTIL_OPT_HELP,
|
||||||
|
+ UTIL_OPT_VERSION,
|
||||||
|
+ UTIL_OPT_END
|
||||||
|
+};
|
||||||
|
+
|
||||||
|
+static int is_char_dev(const char *dev)
|
||||||
|
+{
|
||||||
|
+ struct stat s;
|
||||||
|
+
|
||||||
|
+ if (stat(dev, &s))
|
||||||
|
+ return 0;
|
||||||
|
+
|
||||||
|
+ return S_ISCHR(s.st_mode);
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static int is_blk_dev(const char *dev)
|
||||||
|
+{
|
||||||
|
+ struct stat s;
|
||||||
|
+
|
||||||
|
+ if (stat(dev, &s))
|
||||||
|
+ return 0;
|
||||||
|
+
|
||||||
|
+ return S_ISBLK(s.st_mode);
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static void fopen_err(char *path)
|
||||||
|
+{
|
||||||
|
+ warnx("Could not open file %s: %s", path, strerror(errno));
|
||||||
|
+ free(path);
|
||||||
|
+ exit(EXIT_FAILURE);
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+#define READ_CHUNK_SIZE 512
|
||||||
|
+
|
||||||
|
+static char *collect_smart_data(struct zpci_device *pdev)
|
||||||
|
+{
|
||||||
|
+ char *buffer = NULL;
|
||||||
|
+ size_t count = 0;
|
||||||
|
+ char *cmd;
|
||||||
|
+ FILE *fd;
|
||||||
|
+
|
||||||
|
+ util_asprintf(&cmd, SMARTCTL_CMDLINE, pdev->device);
|
||||||
|
+ fd = popen(cmd, "r");
|
||||||
|
+ if (!fd)
|
||||||
|
+ goto out;
|
||||||
|
+
|
||||||
|
+ while (!feof(fd)) {
|
||||||
|
+ buffer = realloc(buffer, count + READ_CHUNK_SIZE);
|
||||||
|
+ if (!buffer) {
|
||||||
|
+ warnx("Could not collect S.M.A.R.T. data");
|
||||||
|
+ goto out;
|
||||||
|
+ }
|
||||||
|
+ count += fread(&buffer[count], 1, READ_CHUNK_SIZE, fd);
|
||||||
|
+ if (ferror(fd)) {
|
||||||
|
+ free(buffer);
|
||||||
|
+ buffer = NULL;
|
||||||
|
+ goto out;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ buffer = realloc(buffer, count);
|
||||||
|
+ if (!buffer && count > 0)
|
||||||
|
+ warnx("Could not collect S.M.A.R.T. data");
|
||||||
|
+ if (buffer)
|
||||||
|
+ buffer[count] = '\0';
|
||||||
|
+
|
||||||
|
+out:
|
||||||
|
+ pclose(fd);
|
||||||
|
+ free(cmd);
|
||||||
|
+
|
||||||
|
+ return buffer;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static unsigned int sysfs_read_value(struct zpci_device *pdev, const char *attr)
|
||||||
|
+{
|
||||||
|
+ unsigned int val;
|
||||||
|
+ char *path;
|
||||||
|
+ FILE *fp;
|
||||||
|
+
|
||||||
|
+ path = util_path_sysfs("bus/pci/devices/%s/%s", pdev->slot, attr);
|
||||||
|
+ fp = fopen(path, "r");
|
||||||
|
+ if (!fp)
|
||||||
|
+ fopen_err(path);
|
||||||
|
+ fscanf(fp, "%x", &val);
|
||||||
|
+ fclose(fp);
|
||||||
|
+ free(path);
|
||||||
|
+
|
||||||
|
+ return val;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static void sysfs_write_data(struct zpci_report_error *report, char *slot)
|
||||||
|
+{
|
||||||
|
+ char *path;
|
||||||
|
+ int fd, rc;
|
||||||
|
+
|
||||||
|
+ path = util_path_sysfs("bus/pci/devices/%s/report_error", slot);
|
||||||
|
+ fd = open(path, O_WRONLY);
|
||||||
|
+ if (!fd)
|
||||||
|
+ fopen_err(path);
|
||||||
|
+ rc = write(fd, report, sizeof(*report));
|
||||||
|
+ if (rc == -1)
|
||||||
|
+ warnx("Could not write to file: %s: %s", path, strerror(errno));
|
||||||
|
+ if (close(fd))
|
||||||
|
+ warnx("Could not close file: %s: %s", path, strerror(errno));
|
||||||
|
+ free(path);
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static void sysfs_get_slot_addr(const char *dev, char *slot)
|
||||||
|
+{
|
||||||
|
+ unsigned int major, minor;
|
||||||
|
+ struct stat dev_stat;
|
||||||
|
+ char addr[13];
|
||||||
|
+ char *path;
|
||||||
|
+ FILE *fp;
|
||||||
|
+
|
||||||
|
+ if (stat(dev, &dev_stat) != 0) {
|
||||||
|
+ errx(EXIT_FAILURE, "Could not get stat information for %s: %s",
|
||||||
|
+ dev, strerror(errno));
|
||||||
|
+ }
|
||||||
|
+ major = major(dev_stat.st_rdev);
|
||||||
|
+ minor = minor(dev_stat.st_rdev);
|
||||||
|
+
|
||||||
|
+ path = util_path_sysfs("dev/char/%u:%u/address", major, minor);
|
||||||
|
+ fp = fopen(path, "r");
|
||||||
|
+ if (!fp)
|
||||||
|
+ fopen_err(path);
|
||||||
|
+ fscanf(fp, "%s", addr);
|
||||||
|
+ fclose(fp);
|
||||||
|
+ free(path);
|
||||||
|
+
|
||||||
|
+ strcpy(slot, addr);
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static void get_device_node(struct zpci_device *pdev)
|
||||||
|
+{
|
||||||
|
+ struct dirent **de_vec;
|
||||||
|
+ char *path, *dev;
|
||||||
|
+ char slot[13];
|
||||||
|
+ int count, i;
|
||||||
|
+
|
||||||
|
+ path = util_path_sysfs("bus/pci/devices/%s/nvme", pdev->slot);
|
||||||
|
+ count = util_scandir(&de_vec, alphasort, path, "nvme*");
|
||||||
|
+ if (count == -1) {
|
||||||
|
+ warnx("Could not read directory %s: %s", path, strerror(errno));
|
||||||
|
+ free(path);
|
||||||
|
+ exit(EXIT_FAILURE);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ for (i = 0; i < count; i++) {
|
||||||
|
+ util_asprintf(&dev, "/dev/%s", de_vec[i]->d_name);
|
||||||
|
+ sysfs_get_slot_addr(dev, slot);
|
||||||
|
+ if (strcmp(slot, pdev->slot) == 0) {
|
||||||
|
+ pdev->device = dev;
|
||||||
|
+ break;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ util_scandir_free(de_vec, count);
|
||||||
|
+ free(path);
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static int device_exists(char *dev)
|
||||||
|
+{
|
||||||
|
+ char *path;
|
||||||
|
+ int rc = 0;
|
||||||
|
+
|
||||||
|
+ path = util_path_sysfs("bus/pci/devices/%s", dev);
|
||||||
|
+ if (util_path_exists(path) || util_path_exists(dev))
|
||||||
|
+ rc = 1;
|
||||||
|
+ free(path);
|
||||||
|
+
|
||||||
|
+ return rc;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static void get_device_info(struct zpci_device *pdev, char *dev)
|
||||||
|
+{
|
||||||
|
+ if (!device_exists(dev))
|
||||||
|
+ errx(EXIT_FAILURE, "Device %s not found", dev);
|
||||||
|
+ if (is_blk_dev(dev))
|
||||||
|
+ errx(EXIT_FAILURE, "Unsupported device type %s", dev);
|
||||||
|
+ if (is_char_dev(dev)) {
|
||||||
|
+ sysfs_get_slot_addr(dev, pdev->slot);
|
||||||
|
+ pdev->device = dev;
|
||||||
|
+ } else {
|
||||||
|
+ strcpy(pdev->slot, dev);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ pdev->class = sysfs_read_value(pdev, "class");
|
||||||
|
+ pdev->fid = sysfs_read_value(pdev, "function_id");
|
||||||
|
+ pdev->pchid = sysfs_read_value(pdev, "pchid");
|
||||||
|
+
|
||||||
|
+ /* In case a slot address was specified, we still need to figure out
|
||||||
|
+ * the device node for NVMe devices. Otherwise we won't be able to
|
||||||
|
+ * collect S.M.A.R.T. data at a later point.
|
||||||
|
+ */
|
||||||
|
+ if (!pdev->device && pdev->class == PCI_CLASS_NVME)
|
||||||
|
+ get_device_node(pdev);
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+/*
|
||||||
|
+ * Issue an SCLP Adapter Error Notification event with a specific action
|
||||||
|
+ * qualifier.
|
||||||
|
+ *
|
||||||
|
+ * Collect additional information when possible (e.g. S.M.A.R.T. data for NVMe
|
||||||
|
+ * devices).
|
||||||
|
+ */
|
||||||
|
+static void sclp_issue_action(struct zpci_device *pdev, int action)
|
||||||
|
+{
|
||||||
|
+ struct zpci_report_error report = {
|
||||||
|
+ .header = { 0 },
|
||||||
|
+ .data = { 0 }
|
||||||
|
+ };
|
||||||
|
+ char *sdata = NULL;
|
||||||
|
+
|
||||||
|
+ report.header.version = 1;
|
||||||
|
+ report.header.action = action;
|
||||||
|
+ report.header.length = sizeof(report.data);
|
||||||
|
+ report.data.timestamp = (__u64)time(NULL);
|
||||||
|
+ report.data.err_log_id = 0x4713;
|
||||||
|
+
|
||||||
|
+ if (pdev->class == PCI_CLASS_NVME)
|
||||||
|
+ sdata = collect_smart_data(pdev);
|
||||||
|
+ if (sdata) {
|
||||||
|
+ strncpy(report.data.log_data, sdata, sizeof(report.data.log_data));
|
||||||
|
+ free(sdata);
|
||||||
|
+ }
|
||||||
|
+ sysfs_write_data(&report, pdev->slot);
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+/*
|
||||||
|
+ * Reset the PCI device and initiate a re-initialization.
|
||||||
|
+ */
|
||||||
|
+static void sclp_reset_device(struct zpci_device *pdev)
|
||||||
|
+{
|
||||||
|
+ sclp_issue_action(pdev, SCLP_ERRNOTIFY_AQ_RESET);
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+/*
|
||||||
|
+ * De-Configure/repair PCI device. Moves the device from configured
|
||||||
|
+ * to reserved state.
|
||||||
|
+ */
|
||||||
|
+static void sclp_deconfigure(struct zpci_device *pdev)
|
||||||
|
+{
|
||||||
|
+ sclp_issue_action(pdev, SCLP_ERRNOTIFY_AQ_DECONF);
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+/*
|
||||||
|
+ * Report an error to the SE.
|
||||||
|
+ */
|
||||||
|
+static void sclp_report_error(struct zpci_device *pdev)
|
||||||
|
+{
|
||||||
|
+ sclp_issue_action(pdev, SCLP_ERRNOTIFY_AQ_REPORT_ERR);
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static void parse_cmdline(int argc, char *argv[], struct options *opts)
|
||||||
|
+{
|
||||||
|
+ int cmd;
|
||||||
|
+
|
||||||
|
+ util_prg_init(&prg);
|
||||||
|
+ util_opt_init(opt_vec, NULL);
|
||||||
|
+
|
||||||
|
+ do {
|
||||||
|
+ cmd = util_opt_getopt_long(argc, argv);
|
||||||
|
+
|
||||||
|
+ switch (cmd) {
|
||||||
|
+ case OPT_RESET:
|
||||||
|
+ opts->reset = 1;
|
||||||
|
+ break;
|
||||||
|
+ case OPT_DECONF:
|
||||||
|
+ opts->deconfigure = 1;
|
||||||
|
+ break;
|
||||||
|
+ case OPT_REPORT_ERR:
|
||||||
|
+ opts->report = 1;
|
||||||
|
+ break;
|
||||||
|
+ case 'h':
|
||||||
|
+ util_prg_print_help();
|
||||||
|
+ util_opt_print_help();
|
||||||
|
+ exit(EXIT_SUCCESS);
|
||||||
|
+ case 'v':
|
||||||
|
+ util_prg_print_version();
|
||||||
|
+ exit(EXIT_SUCCESS);
|
||||||
|
+ case -1:
|
||||||
|
+ /* End of options string */
|
||||||
|
+ if (argc == 1) {
|
||||||
|
+ errx(EXIT_FAILURE,
|
||||||
|
+ "Use '%s --help' for more information",
|
||||||
|
+ argv[0]);
|
||||||
|
+ }
|
||||||
|
+ break;
|
||||||
|
+ }
|
||||||
|
+ } while (cmd != -1);
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+int main(int argc, char *argv[])
|
||||||
|
+{
|
||||||
|
+ struct zpci_device pdev = { 0 };
|
||||||
|
+ struct options opts = { 0 };
|
||||||
|
+
|
||||||
|
+ parse_cmdline(argc, argv, &opts);
|
||||||
|
+
|
||||||
|
+ if (optind >= argc)
|
||||||
|
+ errx(EXIT_FAILURE, "No device specified");
|
||||||
|
+
|
||||||
|
+ get_device_info(&pdev, argv[optind]);
|
||||||
|
+
|
||||||
|
+ if (opts.reset)
|
||||||
|
+ sclp_reset_device(&pdev);
|
||||||
|
+ else if (opts.deconfigure)
|
||||||
|
+ sclp_deconfigure(&pdev);
|
||||||
|
+ else if (opts.report)
|
||||||
|
+ sclp_report_error(&pdev);
|
||||||
|
+
|
||||||
|
+ return 0;
|
||||||
|
+}
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/zpcictl/zpcictl.h
|
||||||
|
@@ -0,0 +1,60 @@
|
||||||
|
+/*
|
||||||
|
+ * zpcictl - Manage PCI devices on z Systems
|
||||||
|
+ *
|
||||||
|
+ * Copyright IBM Corp. 2018
|
||||||
|
+ *
|
||||||
|
+ * s390-tools is free software; you can redistribute it and/or modify
|
||||||
|
+ * it under the terms of the MIT license. See LICENSE for details.
|
||||||
|
+ */
|
||||||
|
+
|
||||||
|
+#ifndef ZPCICTL_H
|
||||||
|
+#define ZPCICTL_H
|
||||||
|
+
|
||||||
|
+#include <linux/types.h>
|
||||||
|
+#include "lib/zt_common.h"
|
||||||
|
+
|
||||||
|
+#define SCLP_ERRNOTIFY_AQ_RESET 0
|
||||||
|
+#define SCLP_ERRNOTIFY_AQ_DECONF 1
|
||||||
|
+#define SCLP_ERRNOTIFY_AQ_REPORT_ERR 2
|
||||||
|
+
|
||||||
|
+#define PCI_CLASS_UNCLASSIFIED 0x000000U
|
||||||
|
+#define PCI_CLASS_NVME 0x010802U
|
||||||
|
+#define PCI_CLASS_NETWORK 0x020000U
|
||||||
|
+
|
||||||
|
+struct options {
|
||||||
|
+ unsigned int reset;
|
||||||
|
+ unsigned int deconfigure;
|
||||||
|
+ unsigned int report;
|
||||||
|
+};
|
||||||
|
+
|
||||||
|
+struct zpci_device {
|
||||||
|
+ u16 fid;
|
||||||
|
+ u16 pchid;
|
||||||
|
+ u32 class;
|
||||||
|
+ char slot[13];
|
||||||
|
+ char *device;
|
||||||
|
+};
|
||||||
|
+
|
||||||
|
+struct zpci_report_error_header {
|
||||||
|
+ __u8 version; /* Interface version byte */
|
||||||
|
+ __u8 action; /* Action qualifier byte
|
||||||
|
+ * 0: Adapter Reset Request
|
||||||
|
+ * 1: Deconfigure and repair action requested
|
||||||
|
+ * 2: Informational Report
|
||||||
|
+ */
|
||||||
|
+ __u16 length; /* Length of Subsequent Data (up to 4K – SCLP header) */
|
||||||
|
+ __u8 data[0]; /* Subsequent Data passed verbatim to SCLP ET 24 */
|
||||||
|
+};
|
||||||
|
+
|
||||||
|
+struct zpci_report_error_data {
|
||||||
|
+ __u64 timestamp;
|
||||||
|
+ __u64 err_log_id;
|
||||||
|
+ char log_data[4054]; /* We cannot exceed a total of 4074 bytes (header + data) */
|
||||||
|
+};
|
||||||
|
+
|
||||||
|
+struct zpci_report_error {
|
||||||
|
+ struct zpci_report_error_header header;
|
||||||
|
+ struct zpci_report_error_data data;
|
||||||
|
+} __packed;
|
||||||
|
+
|
||||||
|
+#endif /* ZPCICTL_H */
|
@ -0,0 +1,42 @@
|
|||||||
|
Subject: cpumf: add missing Description: tag for z13/z14/ctr:128
|
||||||
|
From: Hendrik Brueckner <brueckner@linux.ibm.com>
|
||||||
|
|
||||||
|
Summary: cpumf: Add CPU-MF hardware counters for z14
|
||||||
|
Description: Add hardware counter definitions for IBM z14.
|
||||||
|
Upstream-ID: a3c746846d86ebcee6cbf36505598b7da367665b
|
||||||
|
Problem-ID: KRN1608
|
||||||
|
|
||||||
|
Upstream-Description:
|
||||||
|
|
||||||
|
cpumf: add missing Description: tag for z13/z14/ctr:128
|
||||||
|
|
||||||
|
Signed-off-by: Thomas Richter <tmricht@linux.vnet.ibm.com>
|
||||||
|
Signed-off-by: Jan Höppner <hoeppner@linux.ibm.com>
|
||||||
|
|
||||||
|
|
||||||
|
Signed-off-by: Hendrik Brueckner <brueckner@linux.ibm.com>
|
||||||
|
---
|
||||||
|
cpumf/data/cpum-cf-extended-z13.ctr | 1 +
|
||||||
|
cpumf/data/cpum-cf-extended-z14.ctr | 1 +
|
||||||
|
2 files changed, 2 insertions(+)
|
||||||
|
|
||||||
|
--- a/cpumf/data/cpum-cf-extended-z13.ctr
|
||||||
|
+++ b/cpumf/data/cpum-cf-extended-z13.ctr
|
||||||
|
@@ -17,6 +17,7 @@
|
||||||
|
# Extended Counter Set
|
||||||
|
# ---------------------------------------------------------------------
|
||||||
|
Counter:128 Name:L1D_WRITES_RO_EXCL
|
||||||
|
+Description:
|
||||||
|
A directory write to the Level-1 Data cache where the line was
|
||||||
|
originally in a Read-Only state in the cache but has been updated
|
||||||
|
to be in the Exclusive state that allows stores to the cache line.
|
||||||
|
--- a/cpumf/data/cpum-cf-extended-z14.ctr
|
||||||
|
+++ b/cpumf/data/cpum-cf-extended-z14.ctr
|
||||||
|
@@ -20,6 +20,7 @@
|
||||||
|
# Extended Counter Set
|
||||||
|
# ---------------------------------------------------------------------
|
||||||
|
Counter:128 Name:L1D_WRITES_RO_EXCL
|
||||||
|
+Description:
|
||||||
|
A directory write to the Level-1 Data cache where the line was
|
||||||
|
originally in a Read-Only state in the cache but has been updated
|
||||||
|
to be in the Exclusive state that allows stores to the cache line
|
@ -0,0 +1,48 @@
|
|||||||
|
Subject: zpcictl: include sys/sysmacros.h to avoid minor/major glibc warnings
|
||||||
|
From: Jan Hoeppner <jan.hoeppner@de.ibm.com>
|
||||||
|
|
||||||
|
Summary: zpcictl: Add tool to manage PCI devices
|
||||||
|
Description: Use the zpcictl tool to manage PCI devices on the IBM Z
|
||||||
|
platform. Initial functions include generating firmware
|
||||||
|
error logs, resetting PCI devices, and preparing a device
|
||||||
|
for further repair actions.
|
||||||
|
Upstream-ID: f35c5d01fd04ecf019f31c58edc0c5165ad276ad
|
||||||
|
Problem-ID: RAS1703
|
||||||
|
|
||||||
|
Upstream-Description:
|
||||||
|
|
||||||
|
zpcictl: include sys/sysmacros.h to avoid minor/major glibc warnings
|
||||||
|
|
||||||
|
The minor()/major() function definitions are moved to sys/sysmacros.h
|
||||||
|
and will be removed from sys/types.h. To correct below warning, simply
|
||||||
|
include sys/sysmacros.h.
|
||||||
|
|
||||||
|
zpcictl.c: In function ‘sysfs_get_slot_addr’:
|
||||||
|
zpcictl.c:184:13: warning: In the GNU C Library, "major" is defined
|
||||||
|
by <sys/sysmacros.h>. For historical compatibility, it is
|
||||||
|
currently defined by <sys/types.h> as well, but we plan to
|
||||||
|
remove this soon. To use "major", include <sys/sysmacros.h>
|
||||||
|
directly. If you did not intend to use a system-defined macro
|
||||||
|
"major", you should undefine it after including <sys/types.h>.
|
||||||
|
major = major(dev_stat.st_rdev);
|
||||||
|
^~~~~~~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
|
Signed-off-by: Hendrik Brueckner <brueckner@linux.ibm.com>
|
||||||
|
Signed-off-by: Stefan Haberland <sth@linux.ibm.com>
|
||||||
|
|
||||||
|
|
||||||
|
Signed-off-by: Jan Hoeppner <jan.hoeppner@de.ibm.com>
|
||||||
|
---
|
||||||
|
zpcictl/zpcictl.c | 1 +
|
||||||
|
1 file changed, 1 insertion(+)
|
||||||
|
|
||||||
|
--- a/zpcictl/zpcictl.c
|
||||||
|
+++ b/zpcictl/zpcictl.c
|
||||||
|
@@ -10,6 +10,7 @@
|
||||||
|
#include <errno.h>
|
||||||
|
#include <fcntl.h>
|
||||||
|
#include <sys/stat.h>
|
||||||
|
+#include <sys/sysmacros.h>
|
||||||
|
#include <time.h>
|
||||||
|
|
||||||
|
#include "lib/util_base.h"
|
@ -0,0 +1,44 @@
|
|||||||
|
Subject: cpumf: correct counter name for z13 and z14
|
||||||
|
From: Hendrik Brueckner <brueckner@linux.ibm.com>
|
||||||
|
|
||||||
|
Summary: cpumf: Add CPU-MF hardware counters for z14
|
||||||
|
Description: Add hardware counter definitions for IBM z14.
|
||||||
|
Upstream-ID: 9745e4678adf18869e661d13f2b666a929450fa1
|
||||||
|
Problem-ID: KRN1608
|
||||||
|
|
||||||
|
Upstream-Description:
|
||||||
|
|
||||||
|
cpumf: correct counter name for z13 and z14
|
||||||
|
|
||||||
|
Signed-off-by: Hendrik Brueckner <brueckner@linux.vnet.ibm.com>
|
||||||
|
Signed-off-by: Jan Höppner <hoeppner@linux.ibm.com>
|
||||||
|
|
||||||
|
|
||||||
|
Signed-off-by: Hendrik Brueckner <brueckner@linux.ibm.com>
|
||||||
|
---
|
||||||
|
cpumf/data/cpum-cf-extended-z13.ctr | 2 +-
|
||||||
|
cpumf/data/cpum-cf-extended-z14.ctr | 2 +-
|
||||||
|
2 files changed, 2 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
--- a/cpumf/data/cpum-cf-extended-z13.ctr
|
||||||
|
+++ b/cpumf/data/cpum-cf-extended-z13.ctr
|
||||||
|
@@ -16,7 +16,7 @@
|
||||||
|
#
|
||||||
|
# Extended Counter Set
|
||||||
|
# ---------------------------------------------------------------------
|
||||||
|
-Counter:128 Name:L1D_WRITES_RO_EXCL
|
||||||
|
+Counter:128 Name:L1D_RO_EXCL_WRITES
|
||||||
|
Description:
|
||||||
|
A directory write to the Level-1 Data cache where the line was
|
||||||
|
originally in a Read-Only state in the cache but has been updated
|
||||||
|
--- a/cpumf/data/cpum-cf-extended-z14.ctr
|
||||||
|
+++ b/cpumf/data/cpum-cf-extended-z14.ctr
|
||||||
|
@@ -19,7 +19,7 @@
|
||||||
|
#
|
||||||
|
# Extended Counter Set
|
||||||
|
# ---------------------------------------------------------------------
|
||||||
|
-Counter:128 Name:L1D_WRITES_RO_EXCL
|
||||||
|
+Counter:128 Name:L1D_RO_EXCL_WRITES
|
||||||
|
Description:
|
||||||
|
A directory write to the Level-1 Data cache where the line was
|
||||||
|
originally in a Read-Only state in the cache but has been updated
|
@ -0,0 +1,91 @@
|
|||||||
|
Subject: zpcictl: Rephrase man page entries and tool output
|
||||||
|
From: Jan Hoeppner <jan.hoeppner@de.ibm.com>
|
||||||
|
|
||||||
|
Summary: zpcictl: Add tool to manage PCI devices
|
||||||
|
Description: Use the zpcictl tool to manage PCI devices on the IBM Z
|
||||||
|
platform. Initial functions include generating firmware
|
||||||
|
error logs, resetting PCI devices, and preparing a device
|
||||||
|
for further repair actions.
|
||||||
|
Upstream-ID: d03be735366de57be0c642f6f21b06b1f2df6a6e
|
||||||
|
Problem-ID: RAS1703
|
||||||
|
|
||||||
|
Upstream-Description:
|
||||||
|
|
||||||
|
zpcictl: Rephrase man page entries and tool output
|
||||||
|
|
||||||
|
Reviewed-by: Hendrik Brueckner <brueckner@linux.ibm.com>
|
||||||
|
Signed-off-by: Jan Höppner <hoeppner@linux.ibm.com>
|
||||||
|
|
||||||
|
|
||||||
|
Signed-off-by: Jan Hoeppner <jan.hoeppner@de.ibm.com>
|
||||||
|
---
|
||||||
|
zpcictl/zpcictl.8 | 13 ++++++++-----
|
||||||
|
zpcictl/zpcictl.c | 9 +++++----
|
||||||
|
2 files changed, 13 insertions(+), 9 deletions(-)
|
||||||
|
|
||||||
|
--- a/zpcictl/zpcictl.8
|
||||||
|
+++ b/zpcictl/zpcictl.8
|
||||||
|
@@ -1,4 +1,4 @@
|
||||||
|
-.\" Copyright 2017 IBM Corp.
|
||||||
|
+.\" Copyright IBM Corp. 2018
|
||||||
|
.\" s390-tools is free software; you can redistribute it and/or modify
|
||||||
|
.\" it under the terms of the MIT license. See LICENSE for details.
|
||||||
|
.\"
|
||||||
|
@@ -30,9 +30,10 @@ zpcictl - Manage PCI devices on z System
|
||||||
|
.
|
||||||
|
.
|
||||||
|
.SH DESCRIPTION
|
||||||
|
+With
|
||||||
|
.B zpcictl
|
||||||
|
-is a tool for managing PCI devices on the IBM z Systems platform. It is
|
||||||
|
-especially used for reporting errorneous PCI devices to the service element.
|
||||||
|
+, you can manage PCI devices on the IBM z Systems platform. It is especially
|
||||||
|
+used for reporting erroneous PCI devices to the service element.
|
||||||
|
|
||||||
|
.B Note:
|
||||||
|
For NVMe devices additional data (such as S.M.A.R.T. data) is collected and sent
|
||||||
|
@@ -44,7 +45,9 @@ for this to work.
|
||||||
|
.SH DEVICE
|
||||||
|
.B DEVICE
|
||||||
|
can be either the PCI slot address (e.g. 0000:00:00.0) or the main device node
|
||||||
|
-of an NVMe device (e.g. /dev/nvme0).
|
||||||
|
+of an NVMe device (e.g.
|
||||||
|
+.I /dev/nvme0
|
||||||
|
+).
|
||||||
|
.
|
||||||
|
.
|
||||||
|
.SH OPTIONS
|
||||||
|
@@ -52,7 +55,7 @@ of an NVMe device (e.g. /dev/nvme0).
|
||||||
|
.OD reset "" "DEVICE"
|
||||||
|
Reset
|
||||||
|
.I DEVICE
|
||||||
|
-and initiate a re-initialisation of the adapter.
|
||||||
|
+and initiate a re-initialization of the PCI device.
|
||||||
|
.PP
|
||||||
|
.
|
||||||
|
.OD deconfigure "" "DEVICE"
|
||||||
|
--- a/zpcictl/zpcictl.c
|
||||||
|
+++ b/zpcictl/zpcictl.c
|
||||||
|
@@ -240,7 +240,7 @@ static int device_exists(char *dev)
|
||||||
|
static void get_device_info(struct zpci_device *pdev, char *dev)
|
||||||
|
{
|
||||||
|
if (!device_exists(dev))
|
||||||
|
- errx(EXIT_FAILURE, "Device %s not found", dev);
|
||||||
|
+ errx(EXIT_FAILURE, "Could not find device %s", dev);
|
||||||
|
if (is_blk_dev(dev))
|
||||||
|
errx(EXIT_FAILURE, "Unsupported device type %s", dev);
|
||||||
|
if (is_char_dev(dev)) {
|
||||||
|
@@ -254,9 +254,10 @@ static void get_device_info(struct zpci_
|
||||||
|
pdev->fid = sysfs_read_value(pdev, "function_id");
|
||||||
|
pdev->pchid = sysfs_read_value(pdev, "pchid");
|
||||||
|
|
||||||
|
- /* In case a slot address was specified, we still need to figure out
|
||||||
|
- * the device node for NVMe devices. Otherwise we won't be able to
|
||||||
|
- * collect S.M.A.R.T. data at a later point.
|
||||||
|
+ /*
|
||||||
|
+ * In case a slot address was specified, the device node for NVMe
|
||||||
|
+ * devices is still needed. Otherwise it won't be possible to collect
|
||||||
|
+ * S.M.A.R.T. data at a later point.
|
||||||
|
*/
|
||||||
|
if (!pdev->device && pdev->class == PCI_CLASS_NVME)
|
||||||
|
get_device_node(pdev);
|
@ -0,0 +1,41 @@
|
|||||||
|
Subject: cpumf: Add IBM z14 ZR1 to the CPU Measurement Facility model list
|
||||||
|
From: Hendrik Brueckner <brueckner@linux.ibm.com>
|
||||||
|
|
||||||
|
Summary: cpumf: Add CPU-MF hardware counters for z14
|
||||||
|
Description: Add hardware counter definitions for IBM z14.
|
||||||
|
Upstream-ID: f642019bcc17370231666e772c7e4cec19f1dfdc
|
||||||
|
Problem-ID: KRN1608
|
||||||
|
|
||||||
|
Upstream-Description:
|
||||||
|
|
||||||
|
cpumf: Add IBM z14 ZR1 to the CPU Measurement Facility model list
|
||||||
|
|
||||||
|
Signed-off-by: Thomas Richter <tmricht@linux.ibm.com>
|
||||||
|
Reviewed-by: Hendrik Brueckner <brueckner@linux.vnet.ibm.com>
|
||||||
|
Signed-off-by: Jan Höppner <hoeppner@linux.ibm.com>
|
||||||
|
|
||||||
|
|
||||||
|
Signed-off-by: Hendrik Brueckner <brueckner@linux.ibm.com>
|
||||||
|
---
|
||||||
|
cpumf/bin/cpumf_helper.in | 1 +
|
||||||
|
cpumf/data/cpum-cf-hw-counter.map | 1 +
|
||||||
|
2 files changed, 2 insertions(+)
|
||||||
|
|
||||||
|
--- a/cpumf/bin/cpumf_helper.in
|
||||||
|
+++ b/cpumf/bin/cpumf_helper.in
|
||||||
|
@@ -211,6 +211,7 @@ my $system_z_hwtype_map = {
|
||||||
|
2964 => 'IBM z13',
|
||||||
|
2965 => 'IBM z13s',
|
||||||
|
3906 => 'IBM z14',
|
||||||
|
+ 3907 => 'IBM z14 ZR1',
|
||||||
|
};
|
||||||
|
|
||||||
|
sub get_hardware_type()
|
||||||
|
--- a/cpumf/data/cpum-cf-hw-counter.map
|
||||||
|
+++ b/cpumf/data/cpum-cf-hw-counter.map
|
||||||
|
@@ -26,4 +26,5 @@
|
||||||
|
2964 => 'cpum-cf-extended-z13.ctr',
|
||||||
|
2965 => 'cpum-cf-extended-z13.ctr',
|
||||||
|
3906 => 'cpum-cf-extended-z14.ctr',
|
||||||
|
+ 3907 => 'cpum-cf-extended-z14.ctr',
|
||||||
|
};
|
@ -0,0 +1,55 @@
|
|||||||
|
Subject: zpcictl: Use fopen() instead of open() for writes
|
||||||
|
From: Jan Hoeppner <jan.hoeppner@de.ibm.com>
|
||||||
|
|
||||||
|
Summary: zpcictl: Add tool to manage PCI devices
|
||||||
|
Description: Use the zpcictl tool to manage PCI devices on the IBM Z
|
||||||
|
platform. Initial functions include generating firmware
|
||||||
|
error logs, resetting PCI devices, and preparing a device
|
||||||
|
for further repair actions.
|
||||||
|
Upstream-ID: 8f0496b26aae88e206ac9a95b317043e78d147b8
|
||||||
|
Problem-ID: RAS1703
|
||||||
|
|
||||||
|
Upstream-Description:
|
||||||
|
|
||||||
|
zpcictl: Use fopen() instead of open() for writes
|
||||||
|
|
||||||
|
Be consistent with the rest of the code and use fopen() rather than
|
||||||
|
open().
|
||||||
|
|
||||||
|
Reviewed-by: Hendrik Brueckner <brueckner@linux.ibm.com>
|
||||||
|
Signed-off-by: Jan Höppner <hoeppner@linux.ibm.com>
|
||||||
|
|
||||||
|
|
||||||
|
Signed-off-by: Jan Hoeppner <jan.hoeppner@de.ibm.com>
|
||||||
|
---
|
||||||
|
zpcictl/zpcictl.c | 14 ++++++++------
|
||||||
|
1 file changed, 8 insertions(+), 6 deletions(-)
|
||||||
|
|
||||||
|
--- a/zpcictl/zpcictl.c
|
||||||
|
+++ b/zpcictl/zpcictl.c
|
||||||
|
@@ -155,17 +155,19 @@ static unsigned int sysfs_read_value(str
|
||||||
|
|
||||||
|
static void sysfs_write_data(struct zpci_report_error *report, char *slot)
|
||||||
|
{
|
||||||
|
+ size_t r_size;
|
||||||
|
char *path;
|
||||||
|
- int fd, rc;
|
||||||
|
+ FILE *fp;
|
||||||
|
+
|
||||||
|
+ r_size = sizeof(*report);
|
||||||
|
|
||||||
|
path = util_path_sysfs("bus/pci/devices/%s/report_error", slot);
|
||||||
|
- fd = open(path, O_WRONLY);
|
||||||
|
- if (!fd)
|
||||||
|
+ fp = fopen(path, "w");
|
||||||
|
+ if (!fp)
|
||||||
|
fopen_err(path);
|
||||||
|
- rc = write(fd, report, sizeof(*report));
|
||||||
|
- if (rc == -1)
|
||||||
|
+ if (fwrite(report, 1, r_size, fp) != r_size)
|
||||||
|
warnx("Could not write to file: %s: %s", path, strerror(errno));
|
||||||
|
- if (close(fd))
|
||||||
|
+ if (fclose(fp))
|
||||||
|
warnx("Could not close file: %s: %s", path, strerror(errno));
|
||||||
|
free(path);
|
||||||
|
}
|
@ -0,0 +1,77 @@
|
|||||||
|
Subject: zpcictl: Read device link to obtain device address
|
||||||
|
From: Jan Hoeppner <jan.hoeppner@de.ibm.com>
|
||||||
|
|
||||||
|
Summary: zpcictl: Add tool to manage PCI devices
|
||||||
|
Description: Use the zpcictl tool to manage PCI devices on the IBM Z
|
||||||
|
platform. Initial functions include generating firmware
|
||||||
|
error logs, resetting PCI devices, and preparing a device
|
||||||
|
for further repair actions.
|
||||||
|
Upstream-ID: e2a8d85916fb77d2a9b41253446973cd97107c42
|
||||||
|
Problem-ID: RAS1703
|
||||||
|
|
||||||
|
Upstream-Description:
|
||||||
|
|
||||||
|
zpcictl: Read device link to obtain device address
|
||||||
|
|
||||||
|
The address sysfs attribute might not be present on some older kernel
|
||||||
|
levels. Read the device link instead using readlink() to obtain the
|
||||||
|
address.
|
||||||
|
|
||||||
|
Signed-off-by: Jan Höppner <hoeppner@linux.ibm.com>
|
||||||
|
|
||||||
|
|
||||||
|
Signed-off-by: Jan Hoeppner <jan.hoeppner@de.ibm.com>
|
||||||
|
---
|
||||||
|
zpcictl/zpcictl.c | 27 ++++++++++++++++++---------
|
||||||
|
1 file changed, 18 insertions(+), 9 deletions(-)
|
||||||
|
|
||||||
|
--- a/zpcictl/zpcictl.c
|
||||||
|
+++ b/zpcictl/zpcictl.c
|
||||||
|
@@ -172,13 +172,16 @@ static void sysfs_write_data(struct zpci
|
||||||
|
free(path);
|
||||||
|
}
|
||||||
|
|
||||||
|
+/* lstat() doesn't work for sysfs files, so we have to work with a fixed size */
|
||||||
|
+#define READLINK_SIZE 256
|
||||||
|
+
|
||||||
|
static void sysfs_get_slot_addr(const char *dev, char *slot)
|
||||||
|
{
|
||||||
|
+ char device[READLINK_SIZE], *result;
|
||||||
|
unsigned int major, minor;
|
||||||
|
struct stat dev_stat;
|
||||||
|
- char addr[13];
|
||||||
|
+ ssize_t len;
|
||||||
|
char *path;
|
||||||
|
- FILE *fp;
|
||||||
|
|
||||||
|
if (stat(dev, &dev_stat) != 0) {
|
||||||
|
errx(EXIT_FAILURE, "Could not get stat information for %s: %s",
|
||||||
|
@@ -187,15 +190,21 @@ static void sysfs_get_slot_addr(const ch
|
||||||
|
major = major(dev_stat.st_rdev);
|
||||||
|
minor = minor(dev_stat.st_rdev);
|
||||||
|
|
||||||
|
- path = util_path_sysfs("dev/char/%u:%u/address", major, minor);
|
||||||
|
- fp = fopen(path, "r");
|
||||||
|
- if (!fp)
|
||||||
|
- fopen_err(path);
|
||||||
|
- fscanf(fp, "%s", addr);
|
||||||
|
- fclose(fp);
|
||||||
|
+ path = util_path_sysfs("dev/char/%u:%u/device", major, minor);
|
||||||
|
+ len = readlink(path, device, READLINK_SIZE - 1);
|
||||||
|
free(path);
|
||||||
|
+ if (len != -1)
|
||||||
|
+ device[len] = '\0';
|
||||||
|
+ else
|
||||||
|
+ errx(EXIT_FAILURE, "Could not read device link for %s", dev);
|
||||||
|
+
|
||||||
|
+ result = strrchr(device, '/');
|
||||||
|
+ if (result)
|
||||||
|
+ result++;
|
||||||
|
+ else
|
||||||
|
+ result = device;
|
||||||
|
|
||||||
|
- strcpy(slot, addr);
|
||||||
|
+ strcpy(slot, result);
|
||||||
|
}
|
||||||
|
|
||||||
|
static void get_device_node(struct zpci_device *pdev)
|
@ -0,0 +1,124 @@
|
|||||||
|
Subject: zpcictl: Make device node for NVMe optional
|
||||||
|
From: Jan Hoeppner <jan.hoeppner@de.ibm.com>
|
||||||
|
|
||||||
|
Summary: zpcictl: Add tool to manage PCI devices
|
||||||
|
Description: Use the zpcictl tool to manage PCI devices on the IBM Z
|
||||||
|
platform. Initial functions include generating firmware
|
||||||
|
error logs, resetting PCI devices, and preparing a device
|
||||||
|
for further repair actions.
|
||||||
|
Upstream-ID: 342c6a3707315514f0f886fabb532f6c8b59b694
|
||||||
|
Problem-ID: RAS1703
|
||||||
|
|
||||||
|
Upstream-Description:
|
||||||
|
|
||||||
|
zpcictl: Make device node for NVMe optional
|
||||||
|
|
||||||
|
At the moment, if we specify the slot address of an NVMe device but
|
||||||
|
can't find the corresponding device node, the execution is terminated.
|
||||||
|
|
||||||
|
This is a bit harsh as the device node is rather optional and only
|
||||||
|
necessary to collect S.M.A.R.T. data. We should still be able to issue
|
||||||
|
the error reporting, even if we couldn't determine the device node.
|
||||||
|
|
||||||
|
Therefore, make sure the device node for NVMe devices is optional by
|
||||||
|
changing various error messages to warnings.
|
||||||
|
Change sysfs_get_slot_addr() to have a return value and work with that
|
||||||
|
accordingly.
|
||||||
|
Also make sure, that execution is terminated when a valid device node
|
||||||
|
was specified but no matching slot address was determined. The slot
|
||||||
|
address is necessary to issue the error reporting commands.
|
||||||
|
|
||||||
|
Signed-off-by: Jan Höppner <hoeppner@linux.ibm.com>
|
||||||
|
|
||||||
|
|
||||||
|
Signed-off-by: Jan Hoeppner <jan.hoeppner@de.ibm.com>
|
||||||
|
---
|
||||||
|
zpcictl/zpcictl.c | 30 ++++++++++++++++++++----------
|
||||||
|
1 file changed, 20 insertions(+), 10 deletions(-)
|
||||||
|
|
||||||
|
--- a/zpcictl/zpcictl.c
|
||||||
|
+++ b/zpcictl/zpcictl.c
|
||||||
|
@@ -104,6 +104,9 @@ static char *collect_smart_data(struct z
|
||||||
|
char *cmd;
|
||||||
|
FILE *fd;
|
||||||
|
|
||||||
|
+ if (!pdev->device)
|
||||||
|
+ return NULL;
|
||||||
|
+
|
||||||
|
util_asprintf(&cmd, SMARTCTL_CMDLINE, pdev->device);
|
||||||
|
fd = popen(cmd, "r");
|
||||||
|
if (!fd)
|
||||||
|
@@ -175,7 +178,7 @@ static void sysfs_write_data(struct zpci
|
||||||
|
/* lstat() doesn't work for sysfs files, so we have to work with a fixed size */
|
||||||
|
#define READLINK_SIZE 256
|
||||||
|
|
||||||
|
-static void sysfs_get_slot_addr(const char *dev, char *slot)
|
||||||
|
+static int sysfs_get_slot_addr(const char *dev, char *slot)
|
||||||
|
{
|
||||||
|
char device[READLINK_SIZE], *result;
|
||||||
|
unsigned int major, minor;
|
||||||
|
@@ -184,8 +187,9 @@ static void sysfs_get_slot_addr(const ch
|
||||||
|
char *path;
|
||||||
|
|
||||||
|
if (stat(dev, &dev_stat) != 0) {
|
||||||
|
- errx(EXIT_FAILURE, "Could not get stat information for %s: %s",
|
||||||
|
- dev, strerror(errno));
|
||||||
|
+ warnx("Could not get stat information for %s: %s",
|
||||||
|
+ dev, strerror(errno));
|
||||||
|
+ return 0;
|
||||||
|
}
|
||||||
|
major = major(dev_stat.st_rdev);
|
||||||
|
minor = minor(dev_stat.st_rdev);
|
||||||
|
@@ -193,18 +197,21 @@ static void sysfs_get_slot_addr(const ch
|
||||||
|
path = util_path_sysfs("dev/char/%u:%u/device", major, minor);
|
||||||
|
len = readlink(path, device, READLINK_SIZE - 1);
|
||||||
|
free(path);
|
||||||
|
- if (len != -1)
|
||||||
|
+ if (len != -1) {
|
||||||
|
device[len] = '\0';
|
||||||
|
- else
|
||||||
|
- errx(EXIT_FAILURE, "Could not read device link for %s", dev);
|
||||||
|
+ } else {
|
||||||
|
+ warnx("Could not read device link for %s", dev);
|
||||||
|
+ return 0;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
result = strrchr(device, '/');
|
||||||
|
if (result)
|
||||||
|
result++;
|
||||||
|
else
|
||||||
|
result = device;
|
||||||
|
-
|
||||||
|
strcpy(slot, result);
|
||||||
|
+
|
||||||
|
+ return 1;
|
||||||
|
}
|
||||||
|
|
||||||
|
static void get_device_node(struct zpci_device *pdev)
|
||||||
|
@@ -219,12 +226,13 @@ static void get_device_node(struct zpci_
|
||||||
|
if (count == -1) {
|
||||||
|
warnx("Could not read directory %s: %s", path, strerror(errno));
|
||||||
|
free(path);
|
||||||
|
- exit(EXIT_FAILURE);
|
||||||
|
+ return;
|
||||||
|
}
|
||||||
|
|
||||||
|
for (i = 0; i < count; i++) {
|
||||||
|
util_asprintf(&dev, "/dev/%s", de_vec[i]->d_name);
|
||||||
|
- sysfs_get_slot_addr(dev, slot);
|
||||||
|
+ if (!sysfs_get_slot_addr(dev, slot))
|
||||||
|
+ continue;
|
||||||
|
if (strcmp(slot, pdev->slot) == 0) {
|
||||||
|
pdev->device = dev;
|
||||||
|
break;
|
||||||
|
@@ -255,7 +263,9 @@ static void get_device_info(struct zpci_
|
||||||
|
if (is_blk_dev(dev))
|
||||||
|
errx(EXIT_FAILURE, "Unsupported device type %s", dev);
|
||||||
|
if (is_char_dev(dev)) {
|
||||||
|
- sysfs_get_slot_addr(dev, pdev->slot);
|
||||||
|
+ if (!sysfs_get_slot_addr(dev, pdev->slot))
|
||||||
|
+ errx(EXIT_FAILURE,
|
||||||
|
+ "Could not determine slot address for %s", dev);
|
||||||
|
pdev->device = dev;
|
||||||
|
} else {
|
||||||
|
strcpy(pdev->slot, dev);
|
@ -0,0 +1,143 @@
|
|||||||
|
Subject: zpcictl: Change wording of man-page and help output
|
||||||
|
From: Jan Hoeppner <jan.hoeppner@de.ibm.com>
|
||||||
|
|
||||||
|
Summary: zpcictl: Add tool to manage PCI devices
|
||||||
|
Description: Use the zpcictl tool to manage PCI devices on the IBM Z
|
||||||
|
platform. Initial functions include generating firmware
|
||||||
|
error logs, resetting PCI devices, and preparing a device
|
||||||
|
for further repair actions.
|
||||||
|
Upstream-ID: aaaebb2030c80151ecac528f22cb9a52752b868c
|
||||||
|
Problem-ID: RAS1703
|
||||||
|
|
||||||
|
Upstream-Description:
|
||||||
|
|
||||||
|
zpcictl: Change wording of man-page and help output
|
||||||
|
|
||||||
|
Signed-off-by: Jan Höppner <hoeppner@linux.ibm.com>
|
||||||
|
|
||||||
|
|
||||||
|
Signed-off-by: Jan Hoeppner <jan.hoeppner@de.ibm.com>
|
||||||
|
---
|
||||||
|
zpcictl/zpcictl.8 | 38 +++++++++++++++-----------------------
|
||||||
|
zpcictl/zpcictl.c | 15 ++++++++-------
|
||||||
|
2 files changed, 23 insertions(+), 30 deletions(-)
|
||||||
|
|
||||||
|
--- a/zpcictl/zpcictl.8
|
||||||
|
+++ b/zpcictl/zpcictl.8
|
||||||
|
@@ -20,7 +20,7 @@
|
||||||
|
.TH zpcictl 8 "Oct 2018" s390-tools zpcictl
|
||||||
|
.
|
||||||
|
.SH NAME
|
||||||
|
-zpcictl - Manage PCI devices on z Systems
|
||||||
|
+zpcictl - Manage PCI devices on IBM Z
|
||||||
|
.
|
||||||
|
.
|
||||||
|
.SH SYNOPSIS
|
||||||
|
@@ -30,50 +30,42 @@ zpcictl - Manage PCI devices on z System
|
||||||
|
.
|
||||||
|
.
|
||||||
|
.SH DESCRIPTION
|
||||||
|
-With
|
||||||
|
+Use
|
||||||
|
.B zpcictl
|
||||||
|
-, you can manage PCI devices on the IBM z Systems platform. It is especially
|
||||||
|
-used for reporting erroneous PCI devices to the service element.
|
||||||
|
+to manage PCI devices on the IBM Z platform. In particular,
|
||||||
|
+use this command to report defective PCI devices to the service element.
|
||||||
|
|
||||||
|
.B Note:
|
||||||
|
For NVMe devices additional data (such as S.M.A.R.T. data) is collected and sent
|
||||||
|
-with any error handling action. The smartmontools are required to be installed
|
||||||
|
-for this to work.
|
||||||
|
+with any error handling action. For this extendend data collection, the
|
||||||
|
+smartmontools must be installed.
|
||||||
|
.PP
|
||||||
|
.
|
||||||
|
.
|
||||||
|
.SH DEVICE
|
||||||
|
-.B DEVICE
|
||||||
|
-can be either the PCI slot address (e.g. 0000:00:00.0) or the main device node
|
||||||
|
-of an NVMe device (e.g.
|
||||||
|
+A PCI slot address (e.g. 0000:00:00.0) or the main device node of an NVMe
|
||||||
|
+device (e.g.
|
||||||
|
.I /dev/nvme0
|
||||||
|
).
|
||||||
|
.
|
||||||
|
.
|
||||||
|
.SH OPTIONS
|
||||||
|
-.SS Error Handling
|
||||||
|
+.SS Error Handling Options
|
||||||
|
.OD reset "" "DEVICE"
|
||||||
|
-Reset
|
||||||
|
-.I DEVICE
|
||||||
|
-and initiate a re-initialization of the PCI device.
|
||||||
|
+Reset and re-initialize the PCI device.
|
||||||
|
.PP
|
||||||
|
.
|
||||||
|
.OD deconfigure "" "DEVICE"
|
||||||
|
-De-configure
|
||||||
|
-.I DEVICE
|
||||||
|
-and prepare for any repair action. This action will move the
|
||||||
|
-PCI device from a configured to a reserved state.
|
||||||
|
+Deconfigure the PCI device and prepare for any repair action. This action
|
||||||
|
+changes the status of the PCI device from configured to reserved.
|
||||||
|
.PP
|
||||||
|
.
|
||||||
|
.OD report-error "" "DEVICE"
|
||||||
|
-Report any device error for
|
||||||
|
-.IR DEVICE .
|
||||||
|
-The
|
||||||
|
-.I DEVICE
|
||||||
|
-is marked as erroneous and no further action is initiated on it.
|
||||||
|
+Report any device error for the PCI device.
|
||||||
|
+The device is marked as defective but no further action is taken.
|
||||||
|
.PP
|
||||||
|
.
|
||||||
|
-.SS Misc
|
||||||
|
+.SS General Options
|
||||||
|
.OD help "h" ""
|
||||||
|
Print usage information, then exit.
|
||||||
|
.PP
|
||||||
|
--- a/zpcictl/zpcictl.c
|
||||||
|
+++ b/zpcictl/zpcictl.c
|
||||||
|
@@ -27,8 +27,9 @@
|
||||||
|
#define SMARTCTL_CMDLINE "smartctl -x %s 2>/dev/null"
|
||||||
|
|
||||||
|
static const struct util_prg prg = {
|
||||||
|
- .desc = "Use zpcictl to manage PCI devices on s390\n"
|
||||||
|
- "DEVICE is the slot id or node of the device (e.g. /dev/nvme0)",
|
||||||
|
+ .desc = "Use zpcictl to manage PCI devices on IBM Z\n"
|
||||||
|
+ "DEVICE is the slot ID or node of the device "
|
||||||
|
+ "(e.g. 0000:00:00.0 or /dev/nvme0)",
|
||||||
|
.args = "DEVICE",
|
||||||
|
.copyright_vec = {
|
||||||
|
{
|
||||||
|
@@ -46,23 +47,23 @@ static const struct util_prg prg = {
|
||||||
|
#define OPT_REPORT_ERR 130
|
||||||
|
|
||||||
|
static struct util_opt opt_vec[] = {
|
||||||
|
- UTIL_OPT_SECTION("ERROR HANDLING"),
|
||||||
|
+ UTIL_OPT_SECTION("ERROR HANDLING OPTIONS"),
|
||||||
|
{
|
||||||
|
.option = { "reset", no_argument, NULL, OPT_RESET },
|
||||||
|
- .desc = "Reset device",
|
||||||
|
+ .desc = "Reset the device",
|
||||||
|
.flags = UTIL_OPT_FLAG_NOSHORT,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
.option = { "deconfigure", no_argument, NULL, OPT_DECONF },
|
||||||
|
- .desc = "De-configure device and prepare for any repair action",
|
||||||
|
+ .desc = "Deconfigure the device to prepare for any repair action",
|
||||||
|
.flags = UTIL_OPT_FLAG_NOSHORT,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
.option = { "report-error", no_argument, NULL, OPT_REPORT_ERR },
|
||||||
|
- .desc = "Report device error to service element (SE)",
|
||||||
|
+ .desc = "Report a device error to the service element (SE)",
|
||||||
|
.flags = UTIL_OPT_FLAG_NOSHORT,
|
||||||
|
},
|
||||||
|
- UTIL_OPT_SECTION("MISC"),
|
||||||
|
+ UTIL_OPT_SECTION("GENERAL OPTIONS"),
|
||||||
|
UTIL_OPT_HELP,
|
||||||
|
UTIL_OPT_VERSION,
|
||||||
|
UTIL_OPT_END
|
75
s390-tools-sles15sp1-dbginfo-gather-nvme-related-data.patch
Normal file
75
s390-tools-sles15sp1-dbginfo-gather-nvme-related-data.patch
Normal file
@ -0,0 +1,75 @@
|
|||||||
|
Subject: dbginfo: gather nvme related data
|
||||||
|
From: Sebastian Ott <sebott@linux.ibm.com>
|
||||||
|
|
||||||
|
Summary: s390-tools/dbginfo: Collect NVMe-related debug data
|
||||||
|
Description: Collect SMART (Self-Monitoring, Analysis and Reporting Technology)
|
||||||
|
data in dbginfo.sh .
|
||||||
|
Upstream-ID: b9e47e356bbfc92e41b758e74606baacbab33ee4
|
||||||
|
Problem-ID: RAS1702
|
||||||
|
|
||||||
|
Upstream-Description:
|
||||||
|
|
||||||
|
dbginfo: gather nvme related data
|
||||||
|
|
||||||
|
Signed-off-by: Sebastian Ott <sebott@linux.vnet.ibm.com>
|
||||||
|
Signed-off-by: Stefan Haberland <sth@linux.vnet.ibm.com>
|
||||||
|
|
||||||
|
|
||||||
|
Signed-off-by: Sebastian Ott <sebott@linux.ibm.com>
|
||||||
|
---
|
||||||
|
scripts/dbginfo.sh | 26 +++++++++++++++++++++++++-
|
||||||
|
1 file changed, 25 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
--- a/scripts/dbginfo.sh
|
||||||
|
+++ b/scripts/dbginfo.sh
|
||||||
|
@@ -182,11 +182,14 @@ readonly OUTPUT_FILE_XML="${WORKPATH}dom
|
||||||
|
# File that includes the docker inspect output
|
||||||
|
readonly OUTPUT_FILE_DOCKER="${WORKPATH}docker_inspect.out"
|
||||||
|
|
||||||
|
+# File that includes nvme related information
|
||||||
|
+readonly OUTPUT_FILE_NVME="${WORKPATH}nvme.out"
|
||||||
|
+
|
||||||
|
# Mount point of the debug file system
|
||||||
|
readonly MOUNT_POINT_DEBUGFS="/sys/kernel/debug"
|
||||||
|
|
||||||
|
# The amount of steps running the whole collections
|
||||||
|
-readonly COLLECTION_COUNT=11
|
||||||
|
+readonly COLLECTION_COUNT=12
|
||||||
|
|
||||||
|
# The kernel version (e.g. '2' from 2.6.32 or '3' from 3.2.1)
|
||||||
|
readonly KERNEL_VERSION=$(uname -r 2>/dev/null | cut -d'.' -f1)
|
||||||
|
@@ -829,6 +832,25 @@ collect_docker() {
|
||||||
|
}
|
||||||
|
|
||||||
|
########################################
|
||||||
|
+collect_nvme() {
|
||||||
|
+ local NVME
|
||||||
|
+
|
||||||
|
+ pr_syslog_stdout "11 of ${COLLECTION_COUNT}: Collecting nvme output"
|
||||||
|
+ call_run_command "nvme list" "${OUTPUT_FILE_NVME}"
|
||||||
|
+
|
||||||
|
+ for NVME in /dev/nvme[0-9]*; do
|
||||||
|
+ if [ -c $NVME ]; then
|
||||||
|
+ call_run_command "smartctl -x $NVME" "${OUTPUT_FILE_NVME}"
|
||||||
|
+ call_run_command "nvme fw-log $NVME" "${OUTPUT_FILE_NVME}"
|
||||||
|
+ call_run_command "nvme smart-log $NVME" "${OUTPUT_FILE_NVME}"
|
||||||
|
+ call_run_command "nvme error-log $NVME" "${OUTPUT_FILE_NVME}"
|
||||||
|
+ fi
|
||||||
|
+ done
|
||||||
|
+
|
||||||
|
+ pr_log_stdout " "
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+########################################
|
||||||
|
post_processing() {
|
||||||
|
local file_mtime
|
||||||
|
local file_mtime_epoche
|
||||||
|
@@ -1120,6 +1142,8 @@ collect_domain_xml
|
||||||
|
|
||||||
|
collect_docker
|
||||||
|
|
||||||
|
+collect_nvme
|
||||||
|
+
|
||||||
|
post_processing
|
||||||
|
|
||||||
|
create_package
|
@ -1,19 +1,76 @@
|
|||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Mon Oct 22 19:44:05 UTC 2018 - mpost@suse.com
|
Tue Nov 13 19:22:01 UTC 2018 - mpost@suse.com
|
||||||
|
|
||||||
- Added s390-tools-sles15-zdev-fix-qeth-BridgePort-and-VNICC-conflict-checking.patch
|
- Added s390-tools-sles15-zdev-fix-qeth-BridgePort-and-VNICC-conflict-checking.patch
|
||||||
zdev: qeth BridgePort and VNICC attribute conflict (bsc#1112536)
|
(bsc#1112536)
|
||||||
|
zdev: qeth BridgePort and VNICC attribute conflict
|
||||||
|
- Added the following patches for Fate#326376 (bsc#1113321)
|
||||||
|
* s390-tools-sles15sp1-01-util_path-add-function-to-check-if-a-path-exists.patch
|
||||||
|
* s390-tools-sles15sp1-02-util_path-Add-description-for-util_path_exists.patch
|
||||||
|
* s390-tools-sles15sp1-03-util_path-Make-true-false-handling-consistent-with-o.patch
|
||||||
|
* s390-tools-sles15sp1-04-zpcictl-Introduce-new-tool-zpcictl.patch
|
||||||
|
* s390-tools-sles15sp1-05-zpcictl-include-sys-sysmacros.h-to-avoid-minor-major.patch
|
||||||
|
* s390-tools-sles15sp1-06-zpcictl-Rephrase-man-page-entries-and-tool-output.patch
|
||||||
|
* s390-tools-sles15sp1-07-zpcictl-Use-fopen-instead-of-open-for-writes.patch
|
||||||
|
* s390-tools-sles15sp1-08-zpcictl-Read-device-link-to-obtain-device-address.patch
|
||||||
|
* s390-tools-sles15sp1-09-zpcictl-Make-device-node-for-NVMe-optional.patch
|
||||||
|
* s390-tools-sles15sp1-10-zpcictl-Change-wording-of-man-page-and-help-output.patch
|
||||||
|
- Added the following patches for Fate#325684 (bsc#1113323)
|
||||||
|
* s390-tools-sles15sp1-0001-zkey-Add-properties-file-handling-routines.patch
|
||||||
|
* s390-tools-sles15sp1-0002-zkey-Add-build-dependency-to-OpenSSL-libcrypto.patch
|
||||||
|
* s390-tools-sles15sp1-0003-zkey-Add-helper-functions-for-comma-separated-string.patch
|
||||||
|
* s390-tools-sles15sp1-0004-zkey-Externalize-secure-key-back-end-functions.patch
|
||||||
|
* s390-tools-sles15sp1-0005-zkey-Add-keystore-implementation.patch
|
||||||
|
* s390-tools-sles15sp1-0006-zkey-Add-keystore-related-commands.patch
|
||||||
|
* s390-tools-sles15sp1-0007-zkey-Create-key-repository-and-group-during-make-ins.patch
|
||||||
|
* s390-tools-sles15sp1-0008-zkey-Man-page-updates.patch
|
||||||
|
* s390-tools-sles15sp1-0009-zkey-let-packaging-create-the-zkeyadm-group-and-perm.patch
|
||||||
|
* s390-tools-sles15sp1-0010-zkey-Update-README-to-add-info-about-packaging-requi.patch
|
||||||
|
- Added the following patches for Fate#326390 (bsc#1113353)
|
||||||
|
* s390-tools-sles15sp1-0011-zkey-Typo-in-message.patch
|
||||||
|
* s390-tools-sles15sp1-0012-zkey-Fix-memory-leak.patch
|
||||||
|
* s390-tools-sles15sp1-0013-zkey-Fix-APQN-validation-routine.patch
|
||||||
|
* s390-tools-sles15sp1-0014-zkey-Fix-generate-and-import-leaving-key-in-an-incon.patch
|
||||||
|
* s390-tools-sles15sp1-0015-zkey-Add-zkey-cryptsetup-tool.patch
|
||||||
|
* s390-tools-sles15sp1-0016-zkey-Add-man-page-for-zkey-cryptsetup.patch
|
||||||
|
* s390-tools-sles15sp1-0017-zkey-Add-build-dependency-for-libcryptsetup-and-json.patch
|
||||||
|
* s390-tools-sles15sp1-0018-zkey-Add-key-verification-pattern-property.patch
|
||||||
|
* s390-tools-sles15sp1-0019-zkey-Add-volume-type-property-to-support-LUKS2-volum.patch
|
||||||
|
- Added the following patches for Fate#325691 (bsc#1113324)
|
||||||
|
* s390-tools-sles15sp1-01-lszcrypt-CEX6S-exploitation.patch
|
||||||
|
* s390-tools-sles15sp1-02-lszcrypt-fix-date-and-wrong-indentation.patch
|
||||||
|
- Added the following patches for Fate#326388 (bsc#1113331)
|
||||||
|
* s390-tools-sles15sp1-01-cpumf-Add-extended-counter-defintion-files-for-IBM-z.patch
|
||||||
|
* s390-tools-sles15sp1-02-cpumf-z14-split-counter-sets-according-to-CFVN-CSVN-.patch
|
||||||
|
* s390-tools-sles15sp1-03-cpumf-cpumf_helper-read-split-counter-sets-part-2-2.patch
|
||||||
|
* s390-tools-sles15sp1-04-cpumf-correct-z14-counter-number.patch
|
||||||
|
* s390-tools-sles15sp1-05-cpumf-add-missing-Description-tag-for-z13-z14-ctr-12.patch
|
||||||
|
* s390-tools-sles15sp1-06-cpumf-correct-counter-name-for-z13-and-z14.patch
|
||||||
|
* s390-tools-sles15sp1-07-cpumf-Add-IBM-z14-ZR1-to-the-CPU-Measurement-Facilit.patch
|
||||||
|
- Added the following patch for Fate#326361 (bsc#1113333)
|
||||||
|
* s390-tools-sles15sp1-dbginfo-gather-nvme-related-data.patch
|
||||||
|
- Temporarily added "HAVE_CRYPTSETUP2=0" to the make and make install
|
||||||
|
commands, because a couple of Fate requests have not been approved
|
||||||
|
yet, resulting in build failure.
|
||||||
|
- Added "Recommends: blktrace" to the spec file (bsc#1112855)
|
||||||
|
- Changed remaining insserv references to systemd entries.
|
||||||
|
- Changed the Group from the obsolete "System Environment/Base" to
|
||||||
|
"System/Base."
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Fri Aug 31 18:57:54 UTC 2018 - mpost@suse.com
|
Fri Aug 31 18:57:54 UTC 2018 - mpost@suse.com
|
||||||
|
|
||||||
- Added the following patch for bsc#1094354
|
- Added the following patch to remove the call to zipl for bsc#1094354
|
||||||
* customize-zdev-root-update-script.patch
|
* customize-zdev-root-update-script.patch
|
||||||
- Modified ctc_configure to not pass a "protcol=" parameter when
|
- Modified ctc_configure to not pass a "protcol=" parameter when
|
||||||
configuring LCS devices. (bsc#1096520)
|
configuring LCS devices. (bsc#1096520)
|
||||||
- Added the following patches for bsc#1098069
|
- Added the following two patches for bsc#1098069
|
||||||
* s390-tools-sles15-dbginfo-add-data-for-ps-cpprot.patch
|
* dbginfo.sh: Extend data collection
|
||||||
* s390-tools-sles15-mon_procd-fix-parsing-of-proc-pid-stat.patch
|
s390-tools-sles15-dbginfo-add-data-for-ps-cpprot.patch
|
||||||
|
* mon_procd: fix parsing of /proc/<pid>/stat
|
||||||
|
s390-tools-sles15-mon_procd-fix-parsing-of-proc-pid-stat.patch
|
||||||
|
- Added the following patches for "lstape, lsluns: handle non-zfcp;
|
||||||
|
lin_tape multiple paths" (bsc#1098069)
|
||||||
* s390-tools-sles15-1-lstape-fix-output-with-SCSI-lin_tape-and-multiple-pa.patch
|
* s390-tools-sles15-1-lstape-fix-output-with-SCSI-lin_tape-and-multiple-pa.patch
|
||||||
* s390-tools-sles15-2-lstape-fix-to-prefer-sysfs-to-find-lin_tape-device-n.patch
|
* s390-tools-sles15-2-lstape-fix-to-prefer-sysfs-to-find-lin_tape-device-n.patch
|
||||||
* s390-tools-sles15-3-lstape-fix-output-without-SCSI-generic-sg.patch
|
* s390-tools-sles15-3-lstape-fix-output-without-SCSI-generic-sg.patch
|
||||||
|
116
s390-tools.spec
116
s390-tools.spec
@ -40,7 +40,7 @@ BuildRequires: net-snmp-devel
|
|||||||
BuildRequires: qclib-devel-static
|
BuildRequires: qclib-devel-static
|
||||||
BuildRequires: tcpd-devel
|
BuildRequires: tcpd-devel
|
||||||
BuildRequires: zlib-devel-static
|
BuildRequires: zlib-devel-static
|
||||||
PreReq: shadow %insserv_prereq %fillup_prereq dracut permissions
|
PreReq: shadow %fillup_prereq dracut permissions
|
||||||
Requires: coreutils
|
Requires: coreutils
|
||||||
Requires: gawk
|
Requires: gawk
|
||||||
Requires: perl-base
|
Requires: perl-base
|
||||||
@ -49,6 +49,7 @@ Requires: rsync
|
|||||||
Requires: tar
|
Requires: tar
|
||||||
Requires: util-linux
|
Requires: util-linux
|
||||||
Provides: s390utils:/sbin/dasdfmt
|
Provides: s390utils:/sbin/dasdfmt
|
||||||
|
Recommends: blktrace
|
||||||
# Don't build with pie to avoid problems with zipl
|
# Don't build with pie to avoid problems with zipl
|
||||||
#!BuildIgnore: gcc-PIE
|
#!BuildIgnore: gcc-PIE
|
||||||
Source: s390-tools-%{version}.tar.gz
|
Source: s390-tools-%{version}.tar.gz
|
||||||
@ -152,6 +153,45 @@ Patch41: s390-tools-sles15-6-lstape-fix-description-of-type-and-devbusid-
|
|||||||
Patch42: s390-tools-sles15-7-lstape-fix-SCSI-output-description-in-man-page.patch
|
Patch42: s390-tools-sles15-7-lstape-fix-SCSI-output-description-in-man-page.patch
|
||||||
Patch43: s390-tools-sles15-8-lstape-fix-SCSI-HBA-CCW-device-bus-ID-e.g.-for-virti.patch
|
Patch43: s390-tools-sles15-8-lstape-fix-SCSI-HBA-CCW-device-bus-ID-e.g.-for-virti.patch
|
||||||
Patch44: s390-tools-sles15-zdev-fix-qeth-BridgePort-and-VNICC-conflict-checking.patch
|
Patch44: s390-tools-sles15-zdev-fix-qeth-BridgePort-and-VNICC-conflict-checking.patch
|
||||||
|
Patch45: s390-tools-sles15sp1-01-util_path-add-function-to-check-if-a-path-exists.patch
|
||||||
|
Patch46: s390-tools-sles15sp1-02-util_path-Add-description-for-util_path_exists.patch
|
||||||
|
Patch47: s390-tools-sles15sp1-03-util_path-Make-true-false-handling-consistent-with-o.patch
|
||||||
|
Patch48: s390-tools-sles15sp1-04-zpcictl-Introduce-new-tool-zpcictl.patch
|
||||||
|
Patch49: s390-tools-sles15sp1-05-zpcictl-include-sys-sysmacros.h-to-avoid-minor-major.patch
|
||||||
|
Patch50: s390-tools-sles15sp1-06-zpcictl-Rephrase-man-page-entries-and-tool-output.patch
|
||||||
|
Patch51: s390-tools-sles15sp1-07-zpcictl-Use-fopen-instead-of-open-for-writes.patch
|
||||||
|
Patch52: s390-tools-sles15sp1-08-zpcictl-Read-device-link-to-obtain-device-address.patch
|
||||||
|
Patch53: s390-tools-sles15sp1-09-zpcictl-Make-device-node-for-NVMe-optional.patch
|
||||||
|
Patch54: s390-tools-sles15sp1-10-zpcictl-Change-wording-of-man-page-and-help-output.patch
|
||||||
|
Patch55: s390-tools-sles15sp1-0001-zkey-Add-properties-file-handling-routines.patch
|
||||||
|
Patch56: s390-tools-sles15sp1-0002-zkey-Add-build-dependency-to-OpenSSL-libcrypto.patch
|
||||||
|
Patch57: s390-tools-sles15sp1-0003-zkey-Add-helper-functions-for-comma-separated-string.patch
|
||||||
|
Patch58: s390-tools-sles15sp1-0004-zkey-Externalize-secure-key-back-end-functions.patch
|
||||||
|
Patch59: s390-tools-sles15sp1-0005-zkey-Add-keystore-implementation.patch
|
||||||
|
Patch60: s390-tools-sles15sp1-0006-zkey-Add-keystore-related-commands.patch
|
||||||
|
Patch61: s390-tools-sles15sp1-0007-zkey-Create-key-repository-and-group-during-make-ins.patch
|
||||||
|
Patch62: s390-tools-sles15sp1-0008-zkey-Man-page-updates.patch
|
||||||
|
Patch63: s390-tools-sles15sp1-0009-zkey-let-packaging-create-the-zkeyadm-group-and-perm.patch
|
||||||
|
Patch64: s390-tools-sles15sp1-0010-zkey-Update-README-to-add-info-about-packaging-requi.patch
|
||||||
|
Patch65: s390-tools-sles15sp1-0011-zkey-Typo-in-message.patch
|
||||||
|
Patch66: s390-tools-sles15sp1-0012-zkey-Fix-memory-leak.patch
|
||||||
|
Patch67: s390-tools-sles15sp1-0013-zkey-Fix-APQN-validation-routine.patch
|
||||||
|
Patch68: s390-tools-sles15sp1-0014-zkey-Fix-generate-and-import-leaving-key-in-an-incon.patch
|
||||||
|
Patch69: s390-tools-sles15sp1-0015-zkey-Add-zkey-cryptsetup-tool.patch
|
||||||
|
Patch70: s390-tools-sles15sp1-0016-zkey-Add-man-page-for-zkey-cryptsetup.patch
|
||||||
|
Patch71: s390-tools-sles15sp1-0017-zkey-Add-build-dependency-for-libcryptsetup-and-json.patch
|
||||||
|
Patch72: s390-tools-sles15sp1-0018-zkey-Add-key-verification-pattern-property.patch
|
||||||
|
Patch73: s390-tools-sles15sp1-0019-zkey-Add-volume-type-property-to-support-LUKS2-volum.patch
|
||||||
|
Patch74: s390-tools-sles15sp1-01-lszcrypt-CEX6S-exploitation.patch
|
||||||
|
Patch75: s390-tools-sles15sp1-02-lszcrypt-fix-date-and-wrong-indentation.patch
|
||||||
|
Patch76: s390-tools-sles15sp1-01-cpumf-Add-extended-counter-defintion-files-for-IBM-z.patch
|
||||||
|
Patch77: s390-tools-sles15sp1-02-cpumf-z14-split-counter-sets-according-to-CFVN-CSVN-.patch
|
||||||
|
Patch78: s390-tools-sles15sp1-03-cpumf-cpumf_helper-read-split-counter-sets-part-2-2.patch
|
||||||
|
Patch79: s390-tools-sles15sp1-04-cpumf-correct-z14-counter-number.patch
|
||||||
|
Patch80: s390-tools-sles15sp1-05-cpumf-add-missing-Description-tag-for-z13-z14-ctr-12.patch
|
||||||
|
Patch81: s390-tools-sles15sp1-06-cpumf-correct-counter-name-for-z13-and-z14.patch
|
||||||
|
Patch82: s390-tools-sles15sp1-07-cpumf-Add-IBM-z14-ZR1-to-the-CPU-Measurement-Facilit.patch
|
||||||
|
Patch83: s390-tools-sles15sp1-dbginfo-gather-nvme-related-data.patch
|
||||||
|
|
||||||
Patch999: customize-zdev-root-update-script.patch
|
Patch999: customize-zdev-root-update-script.patch
|
||||||
|
|
||||||
@ -199,7 +239,7 @@ represented as a file in that directory.
|
|||||||
%package hmcdrvfs
|
%package hmcdrvfs
|
||||||
Summary: HMC drive file system based on FUSE
|
Summary: HMC drive file system based on FUSE
|
||||||
License: GPL-2.0
|
License: GPL-2.0
|
||||||
Group: System Environment/Base
|
Group: System/Base
|
||||||
Requires: fuse
|
Requires: fuse
|
||||||
|
|
||||||
%description hmcdrvfs
|
%description hmcdrvfs
|
||||||
@ -254,6 +294,45 @@ to list files and directories.
|
|||||||
%patch42 -p1
|
%patch42 -p1
|
||||||
%patch43 -p1
|
%patch43 -p1
|
||||||
%patch44 -p1
|
%patch44 -p1
|
||||||
|
%patch45 -p1
|
||||||
|
%patch46 -p1
|
||||||
|
%patch47 -p1
|
||||||
|
%patch48 -p1
|
||||||
|
%patch49 -p1
|
||||||
|
%patch50 -p1
|
||||||
|
%patch51 -p1
|
||||||
|
%patch52 -p1
|
||||||
|
%patch53 -p1
|
||||||
|
%patch54 -p1
|
||||||
|
%patch55 -p1
|
||||||
|
%patch56 -p1
|
||||||
|
%patch57 -p1
|
||||||
|
%patch58 -p1
|
||||||
|
%patch59 -p1
|
||||||
|
%patch60 -p1
|
||||||
|
%patch61 -p1
|
||||||
|
%patch62 -p1
|
||||||
|
%patch63 -p1
|
||||||
|
%patch64 -p1
|
||||||
|
%patch65 -p1
|
||||||
|
%patch66 -p1
|
||||||
|
%patch67 -p1
|
||||||
|
%patch68 -p1
|
||||||
|
%patch69 -p1
|
||||||
|
%patch70 -p1
|
||||||
|
%patch71 -p1
|
||||||
|
%patch72 -p1
|
||||||
|
%patch73 -p1
|
||||||
|
%patch74 -p1
|
||||||
|
%patch75 -p1
|
||||||
|
%patch76 -p1
|
||||||
|
%patch77 -p1
|
||||||
|
%patch78 -p1
|
||||||
|
%patch79 -p1
|
||||||
|
%patch80 -p1
|
||||||
|
%patch81 -p1
|
||||||
|
%patch82 -p1
|
||||||
|
%patch83 -p1
|
||||||
|
|
||||||
%patch999 -p1
|
%patch999 -p1
|
||||||
|
|
||||||
@ -267,12 +346,12 @@ cp -vi %{S:22} CAUTION
|
|||||||
|
|
||||||
export OPT_FLAGS="%{optflags}"
|
export OPT_FLAGS="%{optflags}"
|
||||||
export KERNELIMAGE_MAKEFLAGS="%%{?_smp_mflags}"
|
export KERNELIMAGE_MAKEFLAGS="%%{?_smp_mflags}"
|
||||||
make ZFCPDUMP_DIR=/usr/lib/s390-tools/zfcpdump DISTRELEASE=%{release}
|
make ZFCPDUMP_DIR=/usr/lib/s390-tools/zfcpdump DISTRELEASE=%{release} HAVE_CRYPTSETUP2=0
|
||||||
gcc -static -o read_values ${OPT_FLAGS} %{S:86} -lqc
|
gcc -static -o read_values ${OPT_FLAGS} %{S:86} -lqc
|
||||||
|
|
||||||
%install
|
%install
|
||||||
mkdir -p %{buildroot}/boot/zipl
|
mkdir -p %{buildroot}/boot/zipl
|
||||||
%make_install \
|
%make_install HAVE_CRYPTSETUP2=0 \
|
||||||
ZFCPDUMP_DIR=/usr/lib/s390-tools/zfcpdump \
|
ZFCPDUMP_DIR=/usr/lib/s390-tools/zfcpdump \
|
||||||
DISTRELEASE=%{release} \
|
DISTRELEASE=%{release} \
|
||||||
SYSTEMDSYSTEMUNITDIR=%{_unitdir} \
|
SYSTEMDSYSTEMUNITDIR=%{_unitdir} \
|
||||||
@ -396,14 +475,18 @@ chmod 755 osasnmpd
|
|||||||
%pre
|
%pre
|
||||||
# check for ts-shell group or create it
|
# check for ts-shell group or create it
|
||||||
getent group ts-shell >/dev/null 2>&1 || groupadd -r ts-shell
|
getent group ts-shell >/dev/null 2>&1 || groupadd -r ts-shell
|
||||||
|
%service_add_pre appldata.service
|
||||||
%service_add_pre cio_ignore.service
|
%service_add_pre cio_ignore.service
|
||||||
%service_add_pre cpacfstatsd.service
|
%service_add_pre cpacfstatsd.service
|
||||||
%service_add_pre cpi.service
|
%service_add_pre cpi.service
|
||||||
%service_add_pre cpuplugd.service
|
%service_add_pre cpuplugd.service
|
||||||
%service_add_pre dumpconf.service
|
%service_add_pre dumpconf.service
|
||||||
|
%service_add_pre hsnc.service
|
||||||
%service_add_pre mon_fsstatd.service
|
%service_add_pre mon_fsstatd.service
|
||||||
%service_add_pre mon_procd.service
|
%service_add_pre mon_procd.service
|
||||||
%service_add_pre virtsetup.service
|
%service_add_pre virtsetup.service
|
||||||
|
%service_add_pre vmlogrdr.service
|
||||||
|
%service_add_pre xpram.service
|
||||||
|
|
||||||
%post
|
%post
|
||||||
read INITPGM < /proc/1/comm
|
read INITPGM < /proc/1/comm
|
||||||
@ -415,14 +498,18 @@ fi
|
|||||||
%set_permissions /var/log/ts-shell
|
%set_permissions /var/log/ts-shell
|
||||||
|
|
||||||
# Create symbolic links to the scripts from setup and boot directories
|
# Create symbolic links to the scripts from setup and boot directories
|
||||||
|
%service_add_post appldata.service
|
||||||
%service_add_post cio_ignore.service
|
%service_add_post cio_ignore.service
|
||||||
%service_add_post cpacfstatsd.service
|
%service_add_post cpacfstatsd.service
|
||||||
%service_add_post cpi.service
|
%service_add_post cpi.service
|
||||||
%service_add_post cpuplugd.service
|
%service_add_post cpuplugd.service
|
||||||
%service_add_post dumpconf.service
|
%service_add_post dumpconf.service
|
||||||
|
%service_add_post hsnc.service
|
||||||
%service_add_post mon_fsstatd.service
|
%service_add_post mon_fsstatd.service
|
||||||
%service_add_post mon_procd.service
|
%service_add_post mon_procd.service
|
||||||
%service_add_post virtsetup.service
|
%service_add_post virtsetup.service
|
||||||
|
%service_add_post vmlogrdr.service
|
||||||
|
%service_add_post xpram.service
|
||||||
|
|
||||||
# Create the initial versions of the sysconfig files:
|
# Create the initial versions of the sysconfig files:
|
||||||
%{fillup_only -n appldata}
|
%{fillup_only -n appldata}
|
||||||
@ -443,33 +530,36 @@ grep -q '^/usr/bin/ts-shell$' /etc/shells \
|
|||||||
%{fillup_only -n osasnmpd}
|
%{fillup_only -n osasnmpd}
|
||||||
|
|
||||||
%preun
|
%preun
|
||||||
%{stop_on_removal appldata}
|
%service_del_preun appldata.service
|
||||||
%{stop_on_removal hsnc}
|
|
||||||
%{stop_on_removal vmlogrdr}
|
|
||||||
%{stop_on_removal xpram}
|
|
||||||
%service_del_preun cio_ignore.service
|
%service_del_preun cio_ignore.service
|
||||||
%service_del_preun cpacfstatsd.service
|
%service_del_preun cpacfstatsd.service
|
||||||
%service_del_preun cpi.service
|
%service_del_preun cpi.service
|
||||||
%service_del_preun cpuplugd.service
|
%service_del_preun cpuplugd.service
|
||||||
%service_del_preun dumpconf.service
|
%service_del_preun dumpconf.service
|
||||||
|
%service_del_preun hsnc.service
|
||||||
%service_del_preun mon_fsstatd.service
|
%service_del_preun mon_fsstatd.service
|
||||||
%service_del_preun mon_procd.service
|
%service_del_preun mon_procd.service
|
||||||
%service_del_preun virtsetup.service
|
%service_del_preun virtsetup.service
|
||||||
|
%service_del_preun vmlogrdr.service
|
||||||
|
%service_del_preun xpram.service
|
||||||
|
|
||||||
%postun
|
%postun
|
||||||
%{restart_on_update appldata}
|
%service_del_postun appldata.service
|
||||||
%{restart_on_update hsnc}
|
|
||||||
%{restart_on_update vmlogrdr}
|
|
||||||
%{restart_on_update xpram}
|
|
||||||
%service_del_postun cio_ignore.service
|
%service_del_postun cio_ignore.service
|
||||||
%service_del_postun cpacfstatsd.service
|
%service_del_postun cpacfstatsd.service
|
||||||
%service_del_postun cpi.service
|
%service_del_postun cpi.service
|
||||||
%service_del_postun cpuplugd.service
|
%service_del_postun cpuplugd.service
|
||||||
%service_del_postun dumpconf.service
|
%service_del_postun dumpconf.service
|
||||||
|
%service_del_postun hsnc.service
|
||||||
%service_del_postun mon_fsstatd.service
|
%service_del_postun mon_fsstatd.service
|
||||||
%service_del_postun mon_procd.service
|
%service_del_postun mon_procd.service
|
||||||
%service_del_postun virtsetup.service
|
%service_del_postun virtsetup.service
|
||||||
|
%service_del_postun vmlogrdr.service
|
||||||
|
%service_del_postun xpram.service
|
||||||
|
|
||||||
|
# Even though SLES15+ is systemd based, the build service doesn't
|
||||||
|
# run it, so we have to make sure we can safely issue the
|
||||||
|
# systemctl command.
|
||||||
read INITPGM < /proc/1/comm
|
read INITPGM < /proc/1/comm
|
||||||
if [ "${INITPGM}" == "systemd" ]; then
|
if [ "${INITPGM}" == "systemd" ]; then
|
||||||
echo "Running systemctl daemon-reload."
|
echo "Running systemctl daemon-reload."
|
||||||
@ -480,7 +570,7 @@ if [ ! -x /boot/zipl ]; then
|
|||||||
echo "Attention, after uninstalling this package,"
|
echo "Attention, after uninstalling this package,"
|
||||||
echo "you will NOT be able to IPL from DASD anymore!!!"
|
echo "you will NOT be able to IPL from DASD anymore!!!"
|
||||||
fi
|
fi
|
||||||
%{insserv_cleanup}
|
|
||||||
if test x$1 = x0; then
|
if test x$1 = x0; then
|
||||||
# remove ts-shell from /etc/shells
|
# remove ts-shell from /etc/shells
|
||||||
grep -v '^/usr/bin/ts-shell$' /etc/shells > /etc/shells.ts-new
|
grep -v '^/usr/bin/ts-shell$' /etc/shells > /etc/shells.ts-new
|
||||||
|
Loading…
Reference in New Issue
Block a user