SHA256
1
0
forked from pool/s390-tools

Accepting request 648783 from home:markkp:branches:Base:System

Lots of features implemented for SLES15 SP1.

OBS-URL: https://build.opensuse.org/request/show/648783
OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=57
This commit is contained in:
Mark Post 2018-11-13 20:02:51 +00:00 committed by Git OBS Bridge
parent 9528578d29
commit a7f8ed0265
42 changed files with 16695 additions and 19 deletions

View File

@ -1,3 +1,4 @@
addFilter("statically-linked-binary /usr/lib/s390-tools/.*") addFilter("statically-linked-binary /usr/lib/s390-tools/.*")
addFilter("statically-linked-binary /usr/bin/read_values") addFilter("statically-linked-binary /usr/bin/read_values")
addFilter("systemd-service-without-service_.* *@.service") addFilter("systemd-service-without-service_.* *@.service")
addFilter("position-independent-executable-suggested ")

View File

@ -0,0 +1,506 @@
Subject: zkey: Add properties file handling routines
From: Philipp Rudo <prudo@linux.ibm.com>
Summary: zkey: Add support of protected key crypto for dm-crypt.
Description: Support the usage of protected key crypto for dm-crypt disks in
plain format by providing a tool to manage a key repository
allowing to associate secure keys with disk partitions or logical
volumes.
Upstream-ID: 340da73bb7f06a9fc2aecfe4e33f1f3a17b3568d
Problem-ID: SEC1800
Upstream-Description:
zkey: Add properties file handling routines
In preparation for a new feature, introduce property file
handling routines. A property file stores key value pairs
in a text file. Optionally a hash of all keys and values
contained in the properties file can be generated to
ensure integrity of the properties file and to detect
manual modifications.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
Reviewed-by: Hendrik Brueckner <brueckner@linux.ibm.com>
Signed-off-by: Jan Höppner <hoeppner@linux.ibm.com>
Signed-off-by: Philipp Rudo <prudo@linux.ibm.com>
---
zkey/Makefile | 5
zkey/properties.c | 409 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
zkey/properties.h | 36 ++++
3 files changed, 448 insertions(+), 2 deletions(-)
--- a/zkey/Makefile
+++ b/zkey/Makefile
@@ -1,15 +1,16 @@
include ../common.mak
CPPFLAGS += -I../include
-LDLIBS += -ldl
+LDLIBS += -ldl -lcrypto
all: zkey
libs = $(rootdir)/libutil/libutil.a
zkey.o: zkey.c pkey.h misc.h
+properties.o: properties.c properties.h
-zkey: zkey.o $(libs)
+zkey: zkey.o properties.o $(libs)
install: all
$(INSTALL) -d -m 755 $(DESTDIR)$(USRBINDIR)
--- /dev/null
+++ b/zkey/properties.c
@@ -0,0 +1,409 @@
+/*
+ * zkey - Generate, re-encipher, and validate secure keys
+ *
+ * Properties file handling functions
+ *
+ * Copyright IBM Corp. 2018
+ *
+ * s390-tools is free software; you can redistribute it and/or modify
+ * it under the terms of the MIT license. See LICENSE for details.
+ */
+
+#include <errno.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <openssl/evp.h>
+
+#include "lib/util_libc.h"
+#include "lib/util_list.h"
+#include "lib/util_panic.h"
+
+#include "properties.h"
+
+struct properties {
+ struct util_list list;
+};
+
+struct property {
+ struct util_list_node node;
+ char *name;
+ char *value;
+};
+
+#define SHA256_DIGEST_LEN 32
+#define INTEGRITY_KEY_NAME "__hash__"
+
+#define RESTRICTED_PROPERTY_NAME_CHARS "=\n"
+#define RESTRICTED_PROPERTY_VALUE_CHARS "\n"
+
+static int openssl_initialized;
+
+/**
+ * Allocate and initialize a SHA-256 context
+ *
+ * @returns a SHA context
+ */
+static EVP_MD_CTX *sha256_init(void)
+{
+ EVP_MD_CTX *ctx;
+ int rc;
+
+ if (!openssl_initialized) {
+ OpenSSL_add_all_algorithms();
+ openssl_initialized = 1;
+ }
+
+ ctx = EVP_MD_CTX_create();
+ util_assert(ctx != NULL,
+ "Internal error: OpenSSL MD context allocation failed");
+
+ rc = EVP_DigestInit_ex(ctx, EVP_sha256(), NULL);
+ util_assert(rc == 1, "Internal error: SHA-256 digest init failed");
+
+ return ctx;
+}
+
+/**
+ * Add data to the SHA-256 context
+ *
+ * @parm[in] ctx the SHA context
+ * @parm[in] data the data to be hashed
+ * @parm[in] data_len the length of the data
+ */
+static void sha256_update(EVP_MD_CTX *ctx,
+ const char *data, unsigned int data_len)
+{
+ int rc;
+
+ util_assert(ctx != NULL, "Internal error: OpenSSL MD context is NULL");
+ util_assert(data != NULL || data_len == 0,
+ "Internal error: data is NULL");
+
+ rc = EVP_DigestUpdate(ctx, data, data_len);
+
+ util_assert(rc == 1, "Internal error: SHA-256 digest udpdate failed");
+}
+
+/**
+ * Produce the digest for the SHA-256 context and free the context
+ *
+ * @parm[in] ctx the SHA context
+ * @parm[out] digest a buffer where the digest is stored
+ * @parm[in/out] digest_len on entry, *digest_len contains the size of the
+ * digest buffer, which must be large enough to hold
+ * a SHA-256 digest (32 bytes),
+ * on exit it contains the size of the digest
+ * returned in the buffer.
+ */
+static void sha256_final(EVP_MD_CTX *ctx,
+ unsigned char *digest, unsigned int *digest_len)
+{
+ int rc;
+
+ util_assert(ctx != NULL, "Internal error: OpenSSL MD context is NULL");
+
+ if (digest != NULL && digest_len != NULL) {
+ util_assert(*digest_len >= (unsigned int)EVP_MD_CTX_size(ctx),
+ "Internal error: digest_len is too small");
+
+ rc = EVP_DigestFinal_ex(ctx, digest, digest_len);
+ util_assert(rc == 1,
+ "Internal error: SHA-256 digest final failed");
+ }
+
+ EVP_MD_CTX_destroy(ctx);
+}
+
+/**
+ * Allocates a new properties object
+ *
+ * @returns the properties object
+ */
+struct properties *properties_new(void)
+{
+ struct properties *properties;
+
+ properties = util_zalloc(sizeof(struct properties));
+
+ util_list_init_offset(&properties->list,
+ offsetof(struct property, node));
+ return properties;
+}
+
+/**
+ * Frees a properties object with all its properties
+ *
+ * @param[in] properties the properties object
+ */
+void properties_free(struct properties *properties)
+{
+ struct property *property;
+
+ util_assert(properties != NULL, "Internal error: properties is NULL");
+
+ while ((property = util_list_start(&properties->list)) != NULL) {
+ free(property->name);
+ free(property->value);
+ util_list_remove(&properties->list, property);
+ }
+
+ free(properties);
+}
+
+/**
+ * Find a property by its name in the list iof properties
+ *
+ * @param[in] properties the properties object
+ * @param[in] name the name of the property to find
+ *
+ * @returns a pointer to the proerty when it has been found, or NULL if not
+ */
+static struct property *properties_find(struct properties *properties,
+ const char *name)
+{
+ struct property *property;
+
+ property = util_list_start(&properties->list);
+ while (property != NULL) {
+ if (strcmp(property->name, name) == 0)
+ return property;
+ property = util_list_next(&properties->list, property);
+ }
+ return NULL;
+}
+
+/**
+ * Adds or updates a property
+ *
+ * @param[in] properties the properties object
+ * @param[in] name the name of the property
+ * @param[in] value the value of the property
+ *
+ * @returns 0 on success,
+ * -EINVAL if the name or value contains invalid characters
+ */
+int properties_set(struct properties *properties,
+ const char *name, const char *value)
+{
+ struct property *property;
+
+ util_assert(properties != NULL, "Internal error: properties is NULL");
+ util_assert(name != NULL, "Internal error: name is NULL");
+ util_assert(value != NULL, "Internal error: value is NULL");
+
+ if (strpbrk(name, RESTRICTED_PROPERTY_NAME_CHARS) != NULL)
+ return -EINVAL;
+ if (strpbrk(value, RESTRICTED_PROPERTY_VALUE_CHARS) != NULL)
+ return -EINVAL;
+
+ property = properties_find(properties, name);
+ if (property != NULL) {
+ free(property->value);
+ property->value = util_strdup(value);
+ } else {
+ property = util_zalloc(sizeof(struct property));
+ property->name = util_strdup(name);
+ property->value = util_strdup(value);
+ util_list_add_tail(&properties->list, property);
+ }
+ return 0;
+}
+
+/**
+ * Gets a property
+ *
+ * @param[in] properties the properties object
+ * @param[in] name the name of the property
+ *
+ * @returns a string containing the property value, or NULL if the property
+ * was not found.
+ * Note: The returned string must be freed via free() by the caller.
+ */
+char *properties_get(struct properties *properties, const char *name)
+{
+ struct property *property;
+
+ util_assert(properties != NULL, "Internal error: properties is NULL");
+ util_assert(name != NULL, "Internal error: name is NULL");
+
+ property = properties_find(properties, name);
+ if (property == NULL)
+ return NULL;
+
+ return util_strdup(property->value);
+}
+
+/**
+ * Removes a property
+ *
+ * @param[in] properties the properties object
+ * @param[in] name the name of the property
+ *
+ * @returns 0 on success, -ENOENT if the property was not found.
+ */
+int properties_remove(struct properties *properties, const char *name)
+{
+ struct property *property;
+
+ util_assert(properties != NULL, "Internal error: properties is NULL");
+ util_assert(name != NULL, "Internal error: name is NULL");
+
+ property = properties_find(properties, name);
+ if (property == NULL)
+ return -ENOENT;
+
+ free(property->name);
+ free(property->value);
+ util_list_remove(&properties->list, property);
+ return 0;
+}
+
+/**
+ * Saves the properties to a file
+ *
+ * @param[in] properties the properties object
+ * @param[in] filename the file name
+ * @param[in] check_integrity if TRUE, an hash of the key and values is
+ * stored as part of the file.
+ *
+ * @returns 0 on success, -EIO the file could not be created
+ */
+int properties_save(struct properties *properties, const char *filename,
+ bool check_integrity)
+{
+ char digest_hex[SHA256_DIGEST_LEN * 2 + 1];
+ unsigned char digest[SHA256_DIGEST_LEN];
+ unsigned int digest_len = sizeof(digest);
+ struct property *property;
+ EVP_MD_CTX *ctx = NULL;
+ unsigned int i;
+ FILE *fp;
+
+ util_assert(properties != NULL, "Internal error: properties is NULL");
+ util_assert(filename != NULL, "Internal error: filename is NULL");
+
+ fp = fopen(filename, "w");
+ if (fp == NULL)
+ return -EIO;
+
+ if (check_integrity)
+ ctx = sha256_init();
+
+ property = util_list_start(&properties->list);
+ while (property != NULL) {
+ fprintf(fp, "%s=%s\n", property->name, property->value);
+
+ if (check_integrity) {
+ sha256_update(ctx, property->name,
+ strlen(property->name));
+ sha256_update(ctx, property->value,
+ strlen(property->value));
+ }
+
+ property = util_list_next(&properties->list, property);
+ }
+
+ if (check_integrity) {
+ sha256_final(ctx, digest, &digest_len);
+ util_assert(digest_len <= SHA256_DIGEST_LEN,
+ "Internal error: digest length too long");
+
+ for (i = 0; i < digest_len; i++)
+ sprintf(&digest_hex[i * 2], "%02x", digest[i]);
+ digest_hex[digest_len * 2] = '\0';
+
+ fprintf(fp, "%s=%s\n", INTEGRITY_KEY_NAME, digest_hex);
+ }
+
+ fclose(fp);
+ return 0;
+}
+
+/**
+ * Loads the properties from a file
+ *
+ * @param[in] properties the properties object
+ * @param[in] filename the file name
+ * @param[in] check_integrity if TRUE, an hash of the key and values is
+ * compared with the hash stored as part of the file.
+ *
+ * @returns 0 on success, -EIO the file could not be created,
+ * -EPERM in case of a syntax error or an integrity error
+ */
+int properties_load(struct properties *properties, const char *filename,
+ bool check_integrity)
+{
+ char digest_hex[SHA256_DIGEST_LEN * 2 + 1];
+ unsigned char digest[SHA256_DIGEST_LEN];
+ unsigned int digest_len = sizeof(digest);
+ char *digest_read = NULL;
+ EVP_MD_CTX *ctx = NULL;
+ char line[4096];
+ unsigned int len, i;
+ int rc = 0;
+ char *ch;
+ FILE *fp;
+
+ util_assert(properties != NULL, "Internal error: properties is NULL");
+ util_assert(filename != NULL, "Internal error: filename is NULL");
+
+ fp = fopen(filename, "r");
+ if (fp == NULL)
+ return -EIO;
+
+ if (check_integrity)
+ ctx = sha256_init();
+
+ while (fgets(line, sizeof(line), fp) != NULL) {
+ len = strlen(line);
+ if (line[len-1] == '\n')
+ line[len-1] = '\0';
+ ch = strchr(line, '=');
+ if (ch == NULL) {
+ rc = -EPERM;
+ goto out;
+ }
+
+ *ch = '\0';
+ ch++;
+
+ if (check_integrity) {
+ if (strcmp(line, INTEGRITY_KEY_NAME) == 0) {
+ digest_read = util_strdup(ch);
+ continue;
+ }
+
+ sha256_update(ctx, line, strlen(line));
+ sha256_update(ctx, ch, strlen(ch));
+ }
+
+ properties_set(properties, line, ch);
+ }
+
+ if (check_integrity) {
+ sha256_final(ctx, digest, &digest_len);
+ ctx = NULL;
+ util_assert(digest_len <= SHA256_DIGEST_LEN,
+ "Internal error: digest length too long");
+
+ for (i = 0; i < digest_len; i++)
+ sprintf(&digest_hex[i * 2], "%02x", digest[i]);
+ digest_hex[digest_len * 2] = '\0';
+
+ if (digest_read == NULL ||
+ strcmp(digest_hex, digest_read) != 0) {
+ rc = -EPERM;
+ goto out;
+ }
+ }
+
+out:
+ if (ctx != NULL)
+ sha256_final(ctx, NULL, NULL);
+ if (digest_read != NULL)
+ free(digest_read);
+ fclose(fp);
+ return rc;
+}
--- /dev/null
+++ b/zkey/properties.h
@@ -0,0 +1,36 @@
+/*
+ * zkey - Generate, re-encipher, and validate secure keys
+ *
+ * Properties file handling functions
+ *
+ * Copyright IBM Corp. 2018
+ *
+ * s390-tools is free software; you can redistribute it and/or modify
+ * it under the terms of the MIT license. See LICENSE for details.
+ */
+
+#ifndef PROPFILE_H
+#define PROPFILE_H
+
+#include <stdbool.h>
+
+struct properties;
+
+struct properties *properties_new(void);
+
+void properties_free(struct properties *properties);
+
+int properties_set(struct properties *properties,
+ const char *name, const char *value);
+
+char *properties_get(struct properties *properties, const char *name);
+
+int properties_remove(struct properties *properties, const char *name);
+
+int properties_save(struct properties *properties, const char *filename,
+ bool check_integrity);
+
+int properties_load(struct properties *properties, const char *filename,
+ bool check_integrity);
+
+#endif

View File

@ -0,0 +1,89 @@
Subject: zkey: Add build dependency to OpenSSL (libcrypto)
From: Philipp Rudo <prudo@linux.ibm.com>
Summary: zkey: Add support of protected key crypto for dm-crypt.
Description: Support the usage of protected key crypto for dm-crypt disks in
plain format by providing a tool to manage a key repository
allowing to associate secure keys with disk partitions or logical
volumes.
Upstream-ID: 5e24f74fdefc5fe7d315df080832f1b059485f0f
Problem-ID: SEC1800
Upstream-Description:
zkey: Add build dependency to OpenSSL (libcrypto)
The integrity support for the properties file routines use
SHA-256 to build a hash of the keys and values of a property file.
The codes uses the EVP_DigestInit_ex, EVP_DigestUpdate, and
EVP_DigestFinal from the libcrypto library (OpenSSL).
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
Reviewed-by: Hendrik Brueckner <brueckner@linux.ibm.com>
Signed-off-by: Jan Höppner <hoeppner@linux.ibm.com>
Signed-off-by: Philipp Rudo <prudo@linux.ibm.com>
---
README.md | 6 ++++++
zkey/Makefile | 21 ++++++++++++++++++++-
2 files changed, 26 insertions(+), 1 deletion(-)
--- a/README.md
+++ b/README.md
@@ -263,6 +263,7 @@ build options:
| ncurses | `HAVE_NCURSES` | hyptop |
| pfm | `HAVE_PFM` | cpacfstats |
| net-snmp | `HAVE_SNMP` | osasnmpd |
+| openssl | `HAVE_OPENSSL` | zkey |
This table lists additional build or install options:
@@ -365,3 +366,8 @@ the different tools are provided:
For running znetconf these programs are required:
- modprobe (kmod)
- vmcp (s390-tools)
+
+* zkey:
+ For building the zkey tools you need openssl version 0.9.7 or newer installed
+ (openssl-devel.rpm). Tip: you may skip the zkey build by adding
+ `HAVE_OPENSSL=0` to the make invocation.
--- a/zkey/Makefile
+++ b/zkey/Makefile
@@ -1,9 +1,26 @@
include ../common.mak
+ifeq (${HAVE_OPENSSL},0)
+
+all:
+ $(SKIP) HAVE_OPENSSL=0
+
+install:
+ $(SKIP) HAVE_OPENSSL=0
+
+else
+
+check_dep:
+ $(call check_dep, \
+ "zkey", \
+ "openssl/evp.h", \
+ "openssl-devel", \
+ "HAVE_OPENSSL=0")
+
CPPFLAGS += -I../include
LDLIBS += -ldl -lcrypto
-all: zkey
+all: check_dep zkey
libs = $(rootdir)/libutil/libutil.a
@@ -18,6 +35,8 @@ install: all
$(INSTALL) -d -m 755 $(DESTDIR)$(MANDIR)/man1
$(INSTALL) -m 644 -c zkey.1 $(DESTDIR)$(MANDIR)/man1
+endif
+
clean:
rm -f *.o zkey

View File

@ -0,0 +1,276 @@
Subject: zkey: Add helper functions for comma separated string handling
From: Philipp Rudo <prudo@linux.ibm.com>
Summary: zkey: Add support of protected key crypto for dm-crypt.
Description: Support the usage of protected key crypto for dm-crypt disks in
plain format by providing a tool to manage a key repository
allowing to associate secure keys with disk partitions or logical
volumes.
Upstream-ID: a090a1ffe8bc780059ebed99f19d32a2a6a3426d
Problem-ID: SEC1800
Upstream-Description:
zkey: Add helper functions for comma separated string handling
Comma separated strings are used in property values to store
multiple values in one property. These helper functions allow to
work with such comma separated strings.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
Reviewed-by: Hendrik Brueckner <brueckner@linux.ibm.com>
Signed-off-by: Jan Höppner <hoeppner@linux.ibm.com>
Signed-off-by: Philipp Rudo <prudo@linux.ibm.com>
---
zkey/properties.c | 214 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
zkey/properties.h | 12 +++
2 files changed, 226 insertions(+)
--- a/zkey/properties.c
+++ b/zkey/properties.c
@@ -38,6 +38,8 @@ struct property {
#define RESTRICTED_PROPERTY_NAME_CHARS "=\n"
#define RESTRICTED_PROPERTY_VALUE_CHARS "\n"
+#define RESTRICTED_STR_LIST_CHARS ",\n"
+
static int openssl_initialized;
/**
@@ -407,3 +409,215 @@ out:
fclose(fp);
return rc;
}
+
+/**
+ * Combines a list of strings into one comma separated string
+ *
+ * @param[in] strings zero terminated array of pointers to C-strings
+ *
+ * @returns a new string. This must be freed by the caller when no longer used.
+ * returns NULL if a string contains an invalid character.
+ */
+char *str_list_combine(const char **strings)
+{
+ unsigned int i, size;
+ char *str;
+
+ util_assert(strings != NULL, "Internal error: strings is NULL");
+
+ for (i = 0, size = 0; strings[i] != NULL; i++) {
+ if (strpbrk(strings[i], RESTRICTED_STR_LIST_CHARS) != NULL)
+ return NULL;
+
+ if (i > 0)
+ size += 1;
+ size += strlen(strings[i]);
+ }
+
+ str = util_zalloc(size + 1);
+ for (i = 0, size = 0; strings[i] != NULL; i++) {
+ if (i > 0)
+ strcat(str, ",");
+ strcat(str, strings[i]);
+ }
+
+ return str;
+}
+
+/**
+ * Splits a comma separated string into its parts
+ *
+ * @param[in] str_list the comma separated string
+ *
+ * @returns a zero terminated array of pointers to C-strings. This array
+ * and all individual C-Strings need to be freed bay the caller when
+ * no longer used. This can be done using str_list_free_string_array().
+ */
+char **str_list_split(const char *str_list)
+{
+ unsigned int i, count;
+ char **list;
+ char *copy;
+ char *tok;
+
+ util_assert(str_list != NULL, "Internal error: str_list is NULL");
+
+ count = str_list_count(str_list);
+ list = util_zalloc((count + 1) * sizeof(char *));
+
+ copy = util_strdup(str_list);
+ tok = strtok(copy, ",");
+ i = 0;
+ while (tok != NULL) {
+ list[i] = util_strdup(tok);
+ i++;
+ tok = strtok(NULL, ",");
+ }
+
+ free(copy);
+ return list;
+}
+
+/**
+ * Count the number of parts a comma separated string contains
+ *
+ * param[in] str_list the comma separated string
+ *
+ * @returns the number of parts
+ */
+unsigned int str_list_count(const char *str_list)
+{
+ unsigned int i, count;
+
+ util_assert(str_list != NULL, "Internal error: str_list is NULL");
+
+ if (strlen(str_list) == 0)
+ return 0;
+
+ for (i = 0, count = 1; str_list[i] != '\0'; i++)
+ if (str_list[i] == ',')
+ count++;
+ return count;
+}
+
+/**
+ * Find a string in a comma separated string
+ *
+ * @param str_list the comma separated string.
+ * @param str the string to find
+ *
+ * @returns a pointer to the string within the comma separated string,
+ * or NULL if the string was not found
+ *
+ */
+static char *str_list_find(const char *str_list, const char *str)
+{
+ char *before;
+ char *after;
+ char *ch;
+
+ ch = strstr(str_list, str);
+ if (ch == NULL)
+ return NULL;
+
+ if (ch != str_list) {
+ before = ch - 1;
+ if (*before != ',')
+ return NULL;
+ }
+
+ after = ch + strlen(str);
+ if (*after != ',' && *after != '\0')
+ return NULL;
+
+ return ch;
+}
+
+/**
+ * Appends a string to a comma separated string
+ *
+ * @param str_list the comma separated string.
+ * @param str the string to add
+ *
+ * @returns a new comma separated string. This must be freed by the caller when
+ * no longer used. If the string to add is already contained in the
+ * comma separated list, it is not added and NULL is returned.
+ * If the string to be added contains a comma, NULL is returned.
+ */
+char *str_list_add(const char *str_list, const char *str)
+{
+ char *ret;
+
+ util_assert(str_list != NULL, "Internal error: str_list is NULL");
+ util_assert(str != NULL, "Internal error: str is NULL");
+
+ if (strpbrk(str, RESTRICTED_STR_LIST_CHARS) != NULL)
+ return NULL;
+
+ if (str_list_find(str_list, str))
+ return NULL;
+
+ ret = util_zalloc(strlen(str_list) + 1 + strlen(str) + 1);
+ strcpy(ret, str_list);
+ if (strlen(str_list) > 0)
+ strcat(ret, ",");
+ strcat(ret, str);
+
+ return ret;
+}
+
+/**
+ * Removes a string from a comma separated string
+ *
+ * @param str_list the comma separated string.
+ * @param str the string to remove
+ *
+ * @returns a new comma separated string. This must be freed by the caller when
+ * no longer used. If the string to remove is not found in the
+ * comma separated string, NULL is returned
+ */
+char *str_list_remove(const char *str_list, const char *str)
+{
+ char *after;
+ char *ret;
+ char *ch;
+
+ util_assert(str_list != NULL, "Internal error: str_list is NULL");
+ util_assert(str != NULL, "Internal error: str is NULL");
+
+ ch = str_list_find(str_list, str);
+ if (ch == NULL)
+ return NULL;
+
+ after = ch + strlen(str);
+ if (*after == ',') {
+ /* there are more parts after the one to remove */
+ ret = util_zalloc(strlen(str_list) - strlen(str) - 1 + 1);
+ strncpy(ret, str_list, ch - str_list);
+ strcat(ret, after + 1);
+ } else if (ch == str_list) {
+ /* removing the one and only part -> empty string */
+ ret = util_zalloc(1);
+ } else {
+ /* there are no more parts after the one to remove */
+ ret = util_zalloc(strlen(str_list) - strlen(str) - 1 + 1);
+ strncpy(ret, str_list, ch - 1 - str_list);
+ }
+
+ return ret;
+}
+
+/**
+ * Frees a string array (as produced by str_list_split())
+ *
+ * @param strings a NULL terminated array of pointers to C-Strings.
+ */
+void str_list_free_string_array(char **strings)
+{
+ util_assert(strings != NULL, "Internal error: strings is NULL");
+
+ while (*strings != NULL) {
+ free((void *)*strings);
+ strings++;
+ }
+}
--- a/zkey/properties.h
+++ b/zkey/properties.h
@@ -33,4 +33,16 @@ int properties_save(struct properties *p
int properties_load(struct properties *properties, const char *filename,
bool check_integrity);
+char *str_list_combine(const char **strings);
+
+char **str_list_split(const char *str_list);
+
+unsigned int str_list_count(const char *str_list);
+
+char *str_list_add(const char *str_list, const char *str);
+
+char *str_list_remove(const char *str_list, const char *str);
+
+void str_list_free_string_array(char **strings);
+
#endif

File diff suppressed because it is too large Load Diff

File diff suppressed because it is too large Load Diff

File diff suppressed because it is too large Load Diff

View File

@ -0,0 +1,40 @@
Subject: zkey: Create key repository and group during make install
From: Philipp Rudo <prudo@linux.ibm.com>
Summary: zkey: Add support of protected key crypto for dm-crypt.
Description: Support the usage of protected key crypto for dm-crypt disks in
plain format by providing a tool to manage a key repository
allowing to associate secure keys with disk partitions or logical
volumes.
Upstream-ID: 6a2f4fd3760420e11b23db13f8b736f87764d409
Problem-ID: SEC1800
Upstream-Description:
zkey: Create key repository and group during make install
Create the default keystore directory '/etc/zkey/repository'
and the user group 'zkeyadm' during make install.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
Reviewed-by: Hendrik Brueckner <brueckner@linux.ibm.com>
Signed-off-by: Jan Höppner <hoeppner@linux.ibm.com>
Signed-off-by: Philipp Rudo <prudo@linux.ibm.com>
---
zkey/Makefile | 3 +++
1 file changed, 3 insertions(+)
--- a/zkey/Makefile
+++ b/zkey/Makefile
@@ -36,6 +36,9 @@ install: all
$(INSTALL) -g $(GROUP) -o $(OWNER) -m 755 zkey $(DESTDIR)$(USRBINDIR)
$(INSTALL) -d -m 755 $(DESTDIR)$(MANDIR)/man1
$(INSTALL) -m 644 -c zkey.1 $(DESTDIR)$(MANDIR)/man1
+ getent group zkeyadm >/dev/null || groupadd -r zkeyadm
+ $(INSTALL) -d -g zkeyadm -m 770 $(DESTDIR)$(SYSCONFDIR)/zkey
+ $(INSTALL) -d -g zkeyadm -m 770 $(DESTDIR)$(SYSCONFDIR)/zkey/repository
endif

File diff suppressed because it is too large Load Diff

View File

@ -0,0 +1,38 @@
Subject: zkey: let packaging create the zkeyadm group and permission setup
From: Philipp Rudo <prudo@linux.ibm.com>
Summary: zkey: Add support of protected key crypto for dm-crypt.
Description: Support the usage of protected key crypto for dm-crypt disks in
plain format by providing a tool to manage a key repository
allowing to associate secure keys with disk partitions or logical
volumes.
Upstream-ID: 3eb9af9c97c98e9f9665af1c5e671266400aaafc
Problem-ID: SEC1800
Upstream-Description:
zkey: let packaging create the zkeyadm group and permission setup
Signed-off-by: Hendrik Brueckner <brueckner@linux.ibm.com>
Signed-off-by: Jan Höppner <hoeppner@linux.ibm.com>
Signed-off-by: Philipp Rudo <prudo@linux.ibm.com>
---
zkey/Makefile | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
--- a/zkey/Makefile
+++ b/zkey/Makefile
@@ -36,9 +36,8 @@ install: all
$(INSTALL) -g $(GROUP) -o $(OWNER) -m 755 zkey $(DESTDIR)$(USRBINDIR)
$(INSTALL) -d -m 755 $(DESTDIR)$(MANDIR)/man1
$(INSTALL) -m 644 -c zkey.1 $(DESTDIR)$(MANDIR)/man1
- getent group zkeyadm >/dev/null || groupadd -r zkeyadm
- $(INSTALL) -d -g zkeyadm -m 770 $(DESTDIR)$(SYSCONFDIR)/zkey
- $(INSTALL) -d -g zkeyadm -m 770 $(DESTDIR)$(SYSCONFDIR)/zkey/repository
+ $(INSTALL) -d -m 770 $(DESTDIR)$(SYSCONFDIR)/zkey
+ $(INSTALL) -d -m 770 $(DESTDIR)$(SYSCONFDIR)/zkey/repository
endif

View File

@ -0,0 +1,34 @@
Subject: zkey: Update README to add info about packaging requirements
From: Philipp Rudo <prudo@linux.ibm.com>
Summary: zkey: Add support of protected key crypto for dm-crypt.
Description: Support the usage of protected key crypto for dm-crypt disks in
plain format by providing a tool to manage a key repository
allowing to associate secure keys with disk partitions or logical
volumes.
Upstream-ID: 80b66da1d81793232646d2504c4d4c0ec94170f1
Problem-ID: SEC1800
Upstream-Description:
zkey: Update README to add info about packaging requirements
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
Signed-off-by: Jan Höppner <hoeppner@linux.ibm.com>
Signed-off-by: Philipp Rudo <prudo@linux.ibm.com>
---
README.md | 4 ++++
1 file changed, 4 insertions(+)
--- a/README.md
+++ b/README.md
@@ -371,3 +371,7 @@ the different tools are provided:
For building the zkey tools you need openssl version 0.9.7 or newer installed
(openssl-devel.rpm). Tip: you may skip the zkey build by adding
`HAVE_OPENSSL=0` to the make invocation.
+ A new group 'zkeyadm' needs to be created and all users intending to use the
+ tool must be added to this group. The owner of the default key repository
+ '/etc/zkey/repository' must be set to group 'zkeyadm' with write permission
+ for this group.

View File

@ -0,0 +1,34 @@
Subject: zkey: Typo in message
From: Ingo Franzki <ifranzki@linux.ibm.com>
Summary: zkey: Support CCA master key change with LUKS2 volumes using paes
Description: Support the usage of protected key crypto for dm-crypt disks in
LUKS2 format by providing a tool allowing to re-encipher a
secure LUKS2 volume key when the CCA master key is changed
Upstream-ID: dec58c349e794f6333771457d9dcb9c0768fe28e
Problem-ID: SEC1424.1
Upstream-Description:
zkey: Typo in message
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
Signed-off-by: Jan Höppner <hoeppner@linux.ibm.com>
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
---
zkey/keystore.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/zkey/keystore.c
+++ b/zkey/keystore.c
@@ -2319,7 +2319,7 @@ static int _keystore_process_reencipher(
if (params.complete) {
if (!_keystore_reencipher_key_exists(file_names)) {
- warnx("Staged re-enciphering in not pending for key "
+ warnx("Staged re-enciphering is not pending for key "
"'%s', skipping",
name);
info->num_skipped++;

View File

@ -0,0 +1,102 @@
Subject: zkey: Fix memory leak
From: Ingo Franzki <ifranzki@linux.ibm.com>
Summary: zkey: Support CCA master key change with LUKS2 volumes using paes
Description: Support the usage of protected key crypto for dm-crypt disks in
LUKS2 format by providing a tool allowing to re-encipher a
secure LUKS2 volume key when the CCA master key is changed
Upstream-ID: d6a96f07c1a0ba9b1a559561698f82f5a19829ff
Problem-ID: SEC1424.1
Upstream-Description:
zkey: Fix memory leak
The APQN check routine as well as the properties helper functions
do not free all memory that they allocated.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
Signed-off-by: Jan Höppner <hoeppner@linux.ibm.com>
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
---
zkey/keystore.c | 22 +++++++++++++++-------
zkey/properties.c | 5 +++++
2 files changed, 20 insertions(+), 7 deletions(-)
--- a/zkey/keystore.c
+++ b/zkey/keystore.c
@@ -981,25 +981,33 @@ static int _keystore_apqn_check(const ch
rc = regexec(&reg_buf, apqn, (size_t) 1, pmatch, 0);
if (rc != 0) {
warnx("the APQN '%s' is not valid", apqn);
- return -EINVAL;
+ rc = -EINVAL;
+ goto out;
}
- if (sscanf(apqn, "%x.%x", &card, &domain) != 2)
- return -EINVAL;
+ if (sscanf(apqn, "%x.%x", &card, &domain) != 2) {
+ rc = -EINVAL;
+ goto out;
+ }
util_asprintf(normalized, "%02x.%04x", card, domain);
- if (remove)
- return 0;
+ if (remove) {
+ rc = 0;
+ goto out;
+ }
rc = _keystore_is_apqn_online(card, domain);
if (rc != 1) {
warnx("The APQN %02x.%04x is %s", card, domain,
rc == -1 ? "not a CCA card" : "not online");
- return -EIO;
+ rc = -EIO;
+ goto out;
}
- return 0;
+out:
+ regfree(&reg_buf);
+ return rc;
}
--- a/zkey/properties.c
+++ b/zkey/properties.c
@@ -149,6 +149,7 @@ void properties_free(struct properties *
free(property->name);
free(property->value);
util_list_remove(&properties->list, property);
+ free(property);
}
free(properties);
@@ -259,6 +260,7 @@ int properties_remove(struct properties
free(property->name);
free(property->value);
util_list_remove(&properties->list, property);
+ free(property);
return 0;
}
@@ -614,10 +616,13 @@ char *str_list_remove(const char *str_li
*/
void str_list_free_string_array(char **strings)
{
+ char **list = strings;
+
util_assert(strings != NULL, "Internal error: strings is NULL");
while (*strings != NULL) {
free((void *)*strings);
strings++;
}
+ free(list);
}

View File

@ -0,0 +1,47 @@
Subject: zkey: Fix APQN validation routine
From: Ingo Franzki <ifranzki@linux.ibm.com>
Summary: zkey: Support CCA master key change with LUKS2 volumes using paes
Description: Support the usage of protected key crypto for dm-crypt disks in
LUKS2 format by providing a tool allowing to re-encipher a
secure LUKS2 volume key when the CCA master key is changed
Upstream-ID: 344965bd296f434ccbd9ad5b16427590b988d480
Problem-ID: SEC1424.1
Upstream-Description:
zkey: Fix APQN validation routine
When a zkey generate or change command is used to associate one
or multiple APQNs the command succeeds, but no key is generated
and no APQNs are associated, because the return code returned by
_keystore_apqn_check() is wrong.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
Signed-off-by: Jan Höppner <hoeppner@linux.ibm.com>
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
---
zkey/keystore.c | 3 +++
1 file changed, 3 insertions(+)
--- a/zkey/keystore.c
+++ b/zkey/keystore.c
@@ -986,6 +986,7 @@ static int _keystore_apqn_check(const ch
}
if (sscanf(apqn, "%x.%x", &card, &domain) != 2) {
+ warnx("the APQN '%s' is not valid", apqn);
rc = -EINVAL;
goto out;
}
@@ -1003,6 +1004,8 @@ static int _keystore_apqn_check(const ch
rc == -1 ? "not a CCA card" : "not online");
rc = -EIO;
goto out;
+ } else {
+ rc = 0;
}
out:

View File

@ -0,0 +1,47 @@
Subject: zkey: Fix generate and import leaving key in an inconsistent state
From: Ingo Franzki <ifranzki@linux.ibm.com>
Summary: zkey: Support CCA master key change with LUKS2 volumes using paes
Description: Support the usage of protected key crypto for dm-crypt disks in
LUKS2 format by providing a tool allowing to re-encipher a
secure LUKS2 volume key when the CCA master key is changed
Upstream-ID: 672548ce30f61e94c8465a560a54a4a8fe568c06
Problem-ID: SEC1424.1
Upstream-Description:
zkey: Fix generate and import leaving key in an inconsistent state
When a volume or APQN association is made while generating or
importing a key, and a duplicate association is detected, then
this may leave the key in an inconsistent state.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
Signed-off-by: Jan Höppner <hoeppner@linux.ibm.com>
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
---
zkey/keystore.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/zkey/keystore.c
+++ b/zkey/keystore.c
@@ -1534,7 +1534,7 @@ int keystore_generate_key(struct keystor
out_free_props:
if (key_props != NULL)
properties_free(key_props);
- if (rc != 0 && rc != -EEXIST)
+ if (rc != 0)
remove(file_names.skey_filename);
out_free_key_filenames:
_keystore_free_key_filenames(&file_names);
@@ -1617,7 +1617,7 @@ int keystore_import_key(struct keystore
out_free_props:
if (key_props != NULL)
properties_free(key_props);
- if (rc != 0 && rc != -EEXIST)
+ if (rc != 0)
remove(file_names.skey_filename);
out_free_key_filenames:
_keystore_free_key_filenames(&file_names);

File diff suppressed because it is too large Load Diff

View File

@ -0,0 +1,443 @@
Subject: zkey: Add man page for zkey-cryptsetup
From: Ingo Franzki <ifranzki@linux.ibm.com>
Summary: zkey: Support CCA master key change with LUKS2 volumes using paes
Description: Support the usage of protected key crypto for dm-crypt disks in
LUKS2 format by providing a tool allowing to re-encipher a
secure LUKS2 volume key when the CCA master key is changed
Upstream-ID: 5e65df7375aec81d9348a57cdcbccb89a65422c3
Problem-ID: SEC1424.1
Upstream-Description:
zkey: Add man page for zkey-cryptsetup
Add documentation for the new zkey-cryptsetup tool
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
Reviewed-by: Hendrik Brueckner <brueckner@linux.ibm.com>
Signed-off-by: Jan Höppner <hoeppner@linux.ibm.com>
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
---
zkey/Makefile | 1
zkey/zkey-cryptsetup.1 | 403 +++++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 404 insertions(+)
--- a/zkey/Makefile
+++ b/zkey/Makefile
@@ -42,6 +42,7 @@ install: all
$(INSTALL) -g $(GROUP) -o $(OWNER) -m 755 zkey-cryptsetup $(DESTDIR)$(USRBINDIR)
$(INSTALL) -d -m 755 $(DESTDIR)$(MANDIR)/man1
$(INSTALL) -m 644 -c zkey.1 $(DESTDIR)$(MANDIR)/man1
+ $(INSTALL) -m 644 -c zkey-cryptsetup.1 $(DESTDIR)$(MANDIR)/man1
$(INSTALL) -d -m 770 $(DESTDIR)$(SYSCONFDIR)/zkey
$(INSTALL) -d -m 770 $(DESTDIR)$(SYSCONFDIR)/zkey/repository
--- /dev/null
+++ b/zkey/zkey-cryptsetup.1
@@ -0,0 +1,403 @@
+.\" Copyright IBM Corp. 2018
+.\" s390-tools is free software; you can redistribute it and/or modify
+.\" it under the terms of the MIT license. See LICENSE for details.
+.\"
+.TH ZKEY\-CRYPTSETUP 1 "May 2018" "s390-tools"
+.SH NAME
+zkey\-cryptsetup \- Manage secure AES volume keys of volumes encrypted with
+\fBLUKS2\fP and the \fBpaes\fP cipher
+.
+.
+.SH SYNOPSIS
+.B zkey\-cryptsetup
+.I command
+.I device
+.RI [ OPTIONS ]
+.
+.PP
+.B zkey\-cryptsetup
+.RI [ command ]
+.BR \-\-help | \-h
+.br
+.B zkey\-cryptsetup
+.BR \-\-version | \-v
+.
+.
+.
+.SH DESCRIPTION
+Use \fBzkey\-cryptsetup\fP to validate and re-encipher secure AES
+volume keys of volumes encrypted with \fBLUKS2\fP and the \fBpaes\fP cipher.
+These secure AES volume keys are enciphered with a master key of an IBM
+cryptographic adapter in CCA coprocessor mode.
+.PP
+To encrypt a volume using \fBLUKS2\fP and the \fBpaes\fP cipher, generate a
+secure AES key using \fBzkey\fP: \fB'zkey generate luks.key --xts'\fP.
+Then format the device with \fBcryptsetup\fP using the just generated secure
+AES key from file luks.key: \fB'cryptsetup luksFormat <device> --type luks2
+--cipher paes-xts-plain64 --master-key-file luks.key --key-size 1024'\fP. For
+more details about \fBzkey\fP or \fBcryptsetup\fP see the
+corresponding man pages.
+.
+.
+.
+.SH COMMANDS
+.
+.
+.SS "Validate secure AES volume keys"
+.
+.B zkey\-cryptsetup
+.BR validate | val
+.I device
+.RB [ \-\-key\-file | \-d
+.IR file-name ]
+.RB [ \-\-keyfile\-offset | \-o
+.IR bytes ]
+.RB [ \-\-keyfile\-size | \-l
+.IR bytes ]
+.RB [ \-\-tries | \-T
+.IR number ]
+.RB [ \-\-verbose | \-V ]
+.RB [ \-\-debug | \-D ]
+.PP
+Use the
+.B validate
+command to validate a secure AES volume key of a volume encrypted with
+\fBLUKS2\fP and the \fBpaes\fP cipher.
+It checks if the LUKS2 header of the volume contains a valid secure key.
+It also displays the attributes of the secure key, such as key size, whether
+it is a secure key that can be used for the XTS cipher mode, and the master key
+register (CURRENT or OLD) with which the secure key is enciphered.
+For further information about master key registers, see the
+\fBreencipher\fP command.
+.PP
+To open a key slot contained in the LUKS2 header of the volume, a passphrase is
+required. You are prompted for the passphrase, unless option
+.B \-\-key\-file
+is specified. Option
+.B \-\-tries
+specifies how often a passphrase can be re-entered. When option
+.B \-\-key\-file
+is specified, the passphrase is read from the specified file. You can specify
+options
+.B \-\-keyfile\-offset
+and
+.B \-\-keyfile\-size
+to control which part of the key file is used as passphrase. These options
+behave in the same way as with \fBcryptsetup\fP.
+.
+.SS "Re-encipher secure AES volume keys"
+.
+.PP
+.B zkey\-cryptsetup
+.BR reencipher | re
+.I device
+.RB [ \-\-staged | \-s ]
+.RB [ \-\-in\-place | \-i ]
+.RB [ \-\-complete | \-c ]
+.RB [ \-\-key\-file | \-d
+.IR file-name ]
+.RB [ \-\-keyfile\-offset | \-o
+.IR bytes ]
+.RB [ \-\-keyfile\-size | \-l
+.IR bytes ]
+.RB [ \-\-tries | \-T
+.IR number ]
+.RB [ \-\-verbose | \-V ]
+.RB [ \-\-debug | \-D ]
+.PP
+Use the
+.B reencipher
+command to re-encipher a secure AES volume key of a volume encrypted with
+\fBLUKS2\fP and the \fBpaes\fP cipher. A secure AES volume key must be
+re-enciphered when the master key of the cryptographic adapter in CCA
+coprocessor mode changes.
+.PP
+The cryptographic adapter in CCA coprocessor mode has three different registers
+to store master keys:
+.RS 2
+.IP "\(bu" 2
+The \fBCURRENT\fP register contains the current master key.
+.
+.IP "\(bu" 2
+The \fBOLD\fP register contains the previously used master key.
+Secure keys enciphered with the master key contained in the \fBOLD\fP
+register can still be used until the master key is changed again.
+.
+.IP "\(bu" 2
+The \fBNEW\fP register contains the new master key to be set.
+The master key in the \fBNEW\fP register cannot be used until it is made
+the current master key. You can pro-actively re-encipher a secure key with the
+\fBNEW\fP master key before this key is made the \fBCURRENT\fP key.
+.RE
+.PP
+\fBzkey\-cryptsetup\fP automatically detects whether the secure volume key
+is currently enciphered with the master key in the \fBOLD\fP register or with
+the master key in the \fBCURRENT\fP register. If currently enciphered with the
+master key in the \fBOLD\fP register, it is re-enciphered with the master key
+in the \fBCURRENT\fP register. If it is currently enciphered with the master
+key in the \fBCURRENT\fP register, it is re-enciphered with the master key in
+the \fBNEW\fP register. If for this case the \fBNEW\fP register does not
+contain a valid master key, then the re-encipher operation fails.
+.PP
+Re-enciphering a secure volume key of a volume encrypted with
+\fBLUKS2\fP and the \fBpaes\fP cipher can be performed \fBin-place\fP, or in
+\fBstaged\fP mode.
+.PP
+\fB"In-place"\fP immediately replaces the secure volume key in the LUKS2
+header of the encrypted volume with the re-enciphered secure volume key.
+Re-enciphering from \fBOLD\fP to \fBCURRENT\fP is performed in-place per
+default. You can use option \fB--in-place\fP to force an in-place
+re-enciphering for the \fBCURRENT\fP to \fBNEW\fP case. Be aware that
+an encrypted volume with a secure volume key that was re-enciphered in-place
+from \fBCURRENT\fP to \fBNEW\fP is no longer usable, until the new CCA master
+key has been made the current one.
+.PP
+\fBStaged\fP mode means that the re-enciphered secure volume key is stored in a
+separate (unbound) key slot in the LUKS2 header of the encrypted volume. Thus
+all key slots containing the current secure volume key are still valid at this
+point. Once the new CCA master key has been set (made active), you must rerun
+the reencipher command with option \fB--complete\fP to complete the staged
+re-enciphering. When completing the staged re-enciphering, the (unbound) key
+slot containing the re-enciphered secure volume key becomes the active
+key slot and, optionally, all key slots containing the old secure volume key
+are removed.
+Re-enciphering from \fBCURRENT\fP to \fBNEW\fP is performed in staged mode per
+default. You can use option \fB--staged\fP to force a staged re-enciphering for
+the \fBOLD\fP to \fBCURRENT\fP case.
+.PP
+To open a key slot contained in the LUKS2 header of the volume, a passphrase is
+required. You are prompted for the passphrase, unless option
+.B \-\-key\-file
+is specified. Option
+.B \-\-tries
+specifies how often a passphrase can be re-entered. When option
+.B \-\-key\-file
+is specified, the passphrase is read from the specified file. You can specify
+options
+.B \-\-keyfile\-offset
+and
+.B \-\-keyfile\-size
+to control which part of the key file is used as passphrase. These options
+behave in the same way as with \fBcryptsetup\fP.
+.PP
+.B Note:
+The \fBreencipher\fP command requires the CCA host library (libcsulcca.so)
+to be installed.
+.
+.
+.
+.SS "Set a verification pattern of the secure AES volume key"
+.
+.B zkey\-cryptsetup
+.BR setvp | setv
+.I device
+.RB [ \-\-key\-file | \-d
+.IR file-name ]
+.RB [ \-\-keyfile\-offset | \-o
+.IR bytes ]
+.RB [ \-\-keyfile\-size | \-l
+.IR bytes ]
+.RB [ \-\-tries | \-T
+.IR number ]
+.RB [ \-\-verbose | \-V ]
+.RB [ \-\-debug | \-D ]
+.PP
+Use the
+.B setvp
+command to set a verification pattern of the secure AES volume key of a volume
+encrypted with \fBLUKS2\fP and the \fBpaes\fP cipher. The verification pattern
+identifies the effective key used to encrypt the volume's data.
+The verification pattern is stored in a token named
+\fBpaes-verification-pattern\fP in the LUKS2 header.
+.PP
+.B Note:
+Set the verification pattern right after formatting the volume using
+\fB'cryptsetup luksFormat'\fP.
+.PP
+To open a key slot contained in the LUKS2 header of the volume, a passphrase is
+required. You are prompted for the passphrase, unless option
+.B \-\-key\-file
+is specified. Option
+.B \-\-tries
+specifies how often a passphrase can be re-entered. When option
+.B \-\-key\-file
+is specified, the passphrase is read from the specified file. You can specify
+options
+.B \-\-keyfile\-offset
+and
+.B \-\-keyfile\-size
+to control which part of the key file is used as passphrase. These options
+behave in the same way as with \fBcryptsetup\fP.
+.
+.
+.
+.SS "Set a new secure AES volume key for a volume"
+.
+.B zkey\-cryptsetup
+.BR setkey | setk
+.I device
+.BR \-\-master\-key\-file | \-m
+.IR file-name
+.RB [ \-\-key\-file | \-d
+.IR file-name ]
+.RB [ \-\-keyfile\-offset | \-o
+.IR bytes ]
+.RB [ \-\-keyfile\-size | \-l
+.IR bytes ]
+.RB [ \-\-tries | \-T
+.IR number ]
+.RB [ \-\-verbose | \-V ]
+.RB [ \-\-debug | \-D ]
+.PP
+Use the
+.B setkey
+command to set a new secure AES volume key for a volume encrypted with
+\fBLUKS2\fP and the \fBpaes\fP cipher. Use this command to recover from an
+invalid secure AES volume key contained in the LUKS2 header.
+A secure AES volume key contained in the LUKS2 header can become invalid when
+the CCA master key is changed without re-enciphering the secure volume key.
+.PP
+You can recover the secure volume key only if you have a copy of the secure key
+in a file, and this copy was re-enciphered when the CCA master key has been
+changed. Thus, the copy of the secure key must be currently enciphered with the
+CCA master key in the CURRENT or OLD master key register.
+Specify the secure key file with option
+.B \-\-master\-key\-file
+to set this secure key as the new volume key.
+.PP
+In case the LUKS2 header of the volume contains a verification pattern token,
+it is used to ensure that the new volume key contains the same effective key.
+If no verification pattern token is available, then you are prompted to confirm
+that the specified secure key is the correct one.
+.B ATTENTION:
+If you set a wrong secure key you will loose all the data on the encrypted
+volume!
+.PP
+To open a key slot contained in the LUKS2 header of the volume, a passphrase is
+required. You are prompted for the passphrase, unless option
+.B \-\-key\-file
+is specified. Option
+.B \-\-tries
+specifies how often a passphrase can be re-entered. When option
+.B \-\-key\-file
+is specified, the passphrase is read from the specified file. You can specify
+options
+.B \-\-keyfile\-offset
+and
+.B \-\-keyfile\-size
+to control which part of the key file is used as passphrase. These options
+behave in the same way the same as with \fBcryptsetup\fP.
+.
+.
+.
+.
+.SH OPTIONS
+.
+.SS "Options for the reencipher command"
+.TP
+.BR \-i ", " \-\-in-place
+Forces an in-place re-enciphering of a secure volume key in the LUKS2
+header. This option immediately replaces the secure volume key in the LUKS2
+header of the encrypted volume with the re-enciphered secure volume key.
+Re-enciphering from \fBOLD\fP to \fBCURRENT\fP is performed in-place per
+default.
+.TP
+.BR \-s ", " \-\-staged
+Forces that the re-enciphering of a secure volume key in the LUKS2
+header is performed in staged mode. Staged mode means that the re-enciphered
+secure volume key is stored in a separate (unbound) key slot in the LUKS2
+header of the encrypted volume. Thus all key slots containing the current
+secure volume key are still valid at this point. Once the new CCA master key
+has been set (made active), you must rerun the reencipher command with option
+\fB--complete\fP to complete the staged re-enciphering. Re-enciphering from
+\fBCURRENT\fP to \fBNEW\fP is performed in staged mode per default.
+.TP
+.BR \-p ", " \-\-complete
+Completes a staged re-enciphering. Use this option after the new CCA master key
+has been set (made active). When completing the staged re-enciphering, the
+(unbound) key slot containing the re-enciphered secure volume key becomes
+the active key slot and, optionally, all key slots containing the old secure
+volume key are removed.
+.
+.
+.
+.SS "Options for the setkey command"
+.TP
+.BR \-m ", " \-\-master\-key\-file\~\fIfile\-name\fP
+Specifies the name of a file containing the secure AES key that is set as the
+new volume key.
+.
+.
+.
+.SS "Options for supplying the passphrase"
+.TP
+.BR \-d ", " \-\-key\-file\~\fIfile\-name\fP
+Reads the passphrase from the specified file. If this option is omitted,
+or if the file\-name is \fI-\fP (a dash), then you are prompted to enter the
+passphrase interactively.
+.TP
+.BR \-o ", " \-\-keyfile\-offset\~\fIbytes\fP
+Specifies the number of bytes to skip before starting to read in the file
+specified with option \fB\-\-key\-file\fP. If omitted, the file is read
+from the beginning. When option \fB\-\-key\-file\fP is not specified, this
+option is ignored.
+.TP
+.BR \-l ", " \-\-keyfile\-size\~\fIbytes\fP
+Specifies the number of bytes to be read from the beginning of the file
+specified with option \fB\-\-key\-file\fP. If omitted, the file is read
+until the end. When \fB\-\-keyfile\-offset\fP is also specified, reading starts
+at the offset. When option \fB\-\-key\-file\fP is not specified, this option is
+ignored.
+.TP
+.BR \-T ", " \-\-tries\~\fInumber\fP
+Specifies how often the interactive input of the passphrase can be re-entered.
+The default is 3 times. When option \fB\-\-key\-file\fP is specified, this
+option is ignored, and the passphrase is read only once from the file.
+.
+.
+.
+.SS "General options"
+.TP
+.BR \-V ", " \-\-verbose
+Displays additional information messages during processing.
+.TP
+.BR \-D ", " \-\-debug
+Displays additional debugging messages during processing. This option also
+implies \fB\-\-verbose\fP.
+.TP
+.BR \-h ", " \-\-help
+Displays help text and exits.
+.TP
+.BR \-v ", " \-\-version
+Displays version information and exits.
+.
+.
+.
+.SH EXAMPLES
+.TP
+.B zkey-cryptsetup reencipher /dev/dasdd1
+Re-enciphers the secure volume key of the encrypted volume /dev/dasdd1.
+.TP
+.B zkey-cryptsetup reencipher /dev/dasdd1 \-\-staged
+Re-enciphers the secure volume key of the encrypted volume /dev/dasdd1 in
+staged mode.
+.TP
+.B zkey-cryptsetup reencipher /dev/dasdd1 \-\-complete
+Completes re-enciphers the secure volume key of the encrypted
+volume /dev/dasdd1.
+.TP
+.B zkey-cryptsetup reencipher /dev/dasdd1 \-\-in\-place
+Re-enciphers the secure volume key of the encrypted volume /dev/dasdd1 in
+in-place mode.
+.TP
+.B zkey-cryptsetup validate /dev/dasdd1
+Validates the secure volume key of the encrypted volume /dev/dasdd1 and
+displays its attributes.
+.TP
+.B zkey-cryptsetup setvp /dev/dasdd1
+Sets the verification pattern of the secure volume key of the encrypted
+volume /dev/dasdd1.
+.TP
+.B zkey-cryptsetup setkey /dev/dasdd1 --master-key-file seckey.key
+Sets the secure key contained in file seckey.key as the new volume key
+for the encrypted volume /dev/dasdd1.

View File

@ -0,0 +1,188 @@
Subject: zkey: Add build dependency for libcryptsetup and json-c
From: Ingo Franzki <ifranzki@linux.ibm.com>
Summary: zkey: Support CCA master key change with LUKS2 volumes using paes
Description: Support the usage of protected key crypto for dm-crypt disks in
LUKS2 format by providing a tool allowing to re-encipher a
secure LUKS2 volume key when the CCA master key is changed
Upstream-ID: 818ffbc4b05783851cc12682d3d8ad6b99312d63
Problem-ID: SEC1424.1
Upstream-Description:
zkey: Add build dependency for libcryptsetup and json-c
The zkey-cryptsetup tool has a build dependency to
libcryptsetup version 2.0.3 or later, and json-c.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
Reviewed-by: Hendrik Brueckner <brueckner@linux.ibm.com>
Signed-off-by: Jan Höppner <hoeppner@linux.ibm.com>
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
---
README.md | 9 ++++--
common.mak | 3 +-
zkey/Makefile | 84 +++++++++++++++++++++++++++++++++++++++++++---------------
3 files changed, 72 insertions(+), 24 deletions(-)
--- a/README.md
+++ b/README.md
@@ -264,6 +264,8 @@ build options:
| pfm | `HAVE_PFM` | cpacfstats |
| net-snmp | `HAVE_SNMP` | osasnmpd |
| openssl | `HAVE_OPENSSL` | zkey |
+| cryptsetup | `HAVE_CRYPTSETUP2` | zkey-cryptsetup |
+| json-c | `HAVE_JSONC` | zkey-cryptsetup |
This table lists additional build or install options:
@@ -369,8 +371,11 @@ the different tools are provided:
* zkey:
For building the zkey tools you need openssl version 0.9.7 or newer installed
- (openssl-devel.rpm). Tip: you may skip the zkey build by adding
- `HAVE_OPENSSL=0` to the make invocation.
+ (openssl-devel.rpm). Also required are cryptsetup version 2.0.3 or newer
+ (cryptsetup-devel.rpm), and json-c version 0.12 or newer (json-c-devel.rpm).
+ Tip: you may skip the zkey build by adding `HAVE_OPENSSL=0`, and you may
+ may skip the zkey-cryptsetup build by adding `HAVE_CRYPTSETUP2=0`, or
+ `HAVE_JSONC=0` to the make invocation.
A new group 'zkeyadm' needs to be created and all users intending to use the
tool must be added to this group. The owner of the default key repository
'/etc/zkey/repository' must be set to group 'zkeyadm' with write permission
--- a/common.mak
+++ b/common.mak
@@ -113,9 +113,10 @@ DEFAULT_LDFLAGS = -rdynamic
# $2: Name of include file to check
# $3: Name of required devel package
# $4: Option to skip build (e.g. HAVE_FUSE=0)
+# $5: Additional compiler & linker options (optional)
#
check_dep=\
-printf "\#include <%s>" $2 | ( $(CC) $(filter-out --coverage, $(ALL_CFLAGS)) $(ALL_CPPFLAGS) -c -o /dev/null -xc - ) > /dev/null 2>&1; \
+printf "\#include <%s>\n int main(void) {return 0;}" $2 | ( $(CC) $(filter-out --coverage, $(ALL_CFLAGS)) $(ALL_CPPFLAGS) $5 -o /dev/null -xc - ) > /dev/null 2>&1; \
if [ $$? != 0 ]; \
then \
printf " REQCHK %s (%s)\n" $1 $2; \
--- a/zkey/Makefile
+++ b/zkey/Makefile
@@ -1,54 +1,96 @@
include ../common.mak
-ifeq (${HAVE_OPENSSL},0)
+ifneq (${HAVE_OPENSSL},0)
+ BUILD_TARGETS += zkey
+ INSTALL_TARGETS += install-zkey
+else
+ BUILD_TARGETS += zkey-skip
+ INSTALL_TARGETS += zkey-skip
+endif
-all:
- $(SKIP) HAVE_OPENSSL=0
+ifneq (${HAVE_CRYPTSETUP2},0)
+ ifneq (${HAVE_JSONC},0)
+ BUILD_TARGETS += zkey-cryptsetup
+ INSTALL_TARGETS += install-zkey-cryptsetup
+ else
+ BUILD_TARGETS += zkey-cryptsetup-skip-jsonc
+ INSTALL_TARGETS += zkey-cryptsetup-skip-jsonc
+ endif
+else
+ BUILD_TARGETS += zkey-cryptsetup-skip-cryptsetup2
+ INSTALL_TARGETS += zkey-cryptsetup-skip-cryptsetup2
+endif
-install:
- $(SKIP) HAVE_OPENSSL=0
+CPPFLAGS += -I../include
+LIBS = $(rootdir)/libutil/libutil.a
-else
+detect-libcryptsetup.h:
+ echo "#include <libcryptsetup.h>" > detect-libcryptsetup.h
+ echo "#ifndef CRYPT_LUKS2" >> detect-libcryptsetup.h
+ echo " #error libcryptsetup version 2.0.3 is required" >> detect-libcryptsetup.h
+ echo "#endif" >> detect-libcryptsetup.h
+ echo "int i = CRYPT_SLOT_UNBOUND;" >> detect-libcryptsetup.h
-check_dep:
+check-dep-zkey:
$(call check_dep, \
"zkey", \
"openssl/evp.h", \
"openssl-devel", \
"HAVE_OPENSSL=0")
-CPPFLAGS += -I../include
+check-dep-zkey-cryptsetup: detect-libcryptsetup.h
+ $(call check_dep, \
+ "zkey-cryptsetup", \
+ "detect-libcryptsetup.h", \
+ "cryptsetup-devel version 2.0.3", \
+ "HAVE_CRYPTSETUP2=0", \
+ "-I.")
+ $(call check_dep, \
+ "zkey-cryptsetup", \
+ "json-c/json.h", \
+ "json-c-devel", \
+ "HAVE_JSONC=0")
+
+zkey-skip:
+ echo " SKIP zkey due to HAVE_OPENSSL=0"
+
+zkey-cryptsetup-skip-cryptsetup2:
+ echo " SKIP zkey-cryptsetup due to HAVE_CRYPTSETUP2=0"
-all: check_dep zkey zkey-cryptsetup
+zkey-cryptsetup-skip-jsonc:
+ echo " SKIP zkey-cryptsetup due to HAVE_JSONC=0"
-libs = $(rootdir)/libutil/libutil.a
+all: $(BUILD_TARGETS)
zkey.o: zkey.c pkey.h misc.h
pkey.o: pkey.c pkey.h
-properties.o: properties.c properties.h
+properties.o: check-dep-zkey properties.c properties.h
keystore.o: keystore.c keystore.h properties.h
-zkey-cryptsetup.o: zkey-cryptsetup.c pkey.h misc.h
+zkey-cryptsetup.o: check-dep-zkey-cryptsetup zkey-cryptsetup.c pkey.h misc.h
zkey: LDLIBS = -ldl -lcrypto
-zkey: zkey.o pkey.o properties.o keystore.o $(libs)
+zkey: zkey.o pkey.o properties.o keystore.o $(LIBS)
zkey-cryptsetup: LDLIBS = -ldl -lcryptsetup -ljson-c
-zkey-cryptsetup: zkey-cryptsetup.o pkey.o $(libs)
+zkey-cryptsetup: zkey-cryptsetup.o pkey.o $(LIBS)
-
-install: all
+install-common:
$(INSTALL) -d -m 755 $(DESTDIR)$(USRBINDIR)
- $(INSTALL) -g $(GROUP) -o $(OWNER) -m 755 zkey $(DESTDIR)$(USRBINDIR)
- $(INSTALL) -g $(GROUP) -o $(OWNER) -m 755 zkey-cryptsetup $(DESTDIR)$(USRBINDIR)
$(INSTALL) -d -m 755 $(DESTDIR)$(MANDIR)/man1
+
+install-zkey:
+ $(INSTALL) -g $(GROUP) -o $(OWNER) -m 755 zkey $(DESTDIR)$(USRBINDIR)
$(INSTALL) -m 644 -c zkey.1 $(DESTDIR)$(MANDIR)/man1
- $(INSTALL) -m 644 -c zkey-cryptsetup.1 $(DESTDIR)$(MANDIR)/man1
$(INSTALL) -d -m 770 $(DESTDIR)$(SYSCONFDIR)/zkey
$(INSTALL) -d -m 770 $(DESTDIR)$(SYSCONFDIR)/zkey/repository
-endif
+install-zkey-cryptsetup:
+ $(INSTALL) -g $(GROUP) -o $(OWNER) -m 755 zkey-cryptsetup $(DESTDIR)$(USRBINDIR)
+ $(INSTALL) -m 644 -c zkey-cryptsetup.1 $(DESTDIR)$(MANDIR)/man1
+
+install: all install-common $(INSTALL_TARGETS)
clean:
- rm -f *.o zkey zkey-cryptsetup
+ rm -f *.o zkey zkey-cryptsetup detect-libcryptsetup.h
.PHONY: all install clean

View File

@ -0,0 +1,349 @@
Subject: zkey: Add key verification pattern property
From: Ingo Franzki <ifranzki@linux.ibm.com>
Summary: zkey: Support CCA master key change with LUKS2 volumes using paes
Description: Support the usage of protected key crypto for dm-crypt disks in
LUKS2 format by providing a tool allowing to re-encipher a
secure LUKS2 volume key when the CCA master key is changed
Upstream-ID: 512b47c0042a3cdedafce8d46dcc76053298116c
Problem-ID: SEC1424.1
Upstream-Description:
zkey: Add key verification pattern property
Store a verification pattern in the properties file along
with the secure key. The verification pattern allows to identify
the inner key even when the secure key is no longer valid.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
Reviewed-by: Hendrik Brueckner <brueckner@linux.ibm.com>
Signed-off-by: Jan Höppner <hoeppner@linux.ibm.com>
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
---
zkey/keystore.c | 132 +++++++++++++++++++++++++++++++++++++++++++++++++++-----
zkey/zkey.1 | 4 -
zkey/zkey.c | 27 +++++++++--
3 files changed, 145 insertions(+), 18 deletions(-)
--- a/zkey/keystore.c
+++ b/zkey/keystore.c
@@ -58,6 +58,7 @@ struct key_filenames {
#define PROP_NAME_CREATION_TIME "creation-time"
#define PROP_NAME_CHANGE_TIME "update-time"
#define PROP_NAME_REENC_TIME "reencipher-time"
+#define PROP_NAME_KEY_VP "verification-pattern"
#define IS_XTS(secure_key_size) (secure_key_size > SECURE_KEY_SIZE ? 1 : 0)
@@ -75,6 +76,7 @@ struct key_filenames {
#define REC_CREATION_TIME "Created"
#define REC_CHANGE_TIME "Changed"
#define REC_REENC_TIME "Re-enciphered"
+#define REC_KEY_VP "Verification pattern"
#define pr_verbose(keystore, fmt...) do { \
if (keystore->verbose) \
@@ -1270,6 +1272,77 @@ struct keystore *keystore_new(const char
}
/**
+ * Generate the key verification pattern from the specified secure key file
+ *
+ * @param[in] keystore the key store
+ * @param[in} keyfile the key file
+ * @param[in] vp buffer filled with the verification pattern
+ * @param[in] vp_len length of the buffer. Must be at
+ * least VERIFICATION_PATTERN_LEN bytes in size.
+ *
+ * @returns 0 for success or a negative errno in case of an error
+ */
+static int _keystore_generate_verification_pattern(struct keystore *keystore,
+ const char *keyfile,
+ char *vp, size_t vp_len)
+{
+ size_t key_size;
+ u8 *key;
+ int rc;
+
+ util_assert(keystore != NULL, "Internal error: keystore is NULL");
+ util_assert(keyfile != NULL, "Internal error: keyfile is NULL");
+ util_assert(vp != NULL, "Internal error: vp is NULL");
+
+ key = read_secure_key(keyfile, &key_size, keystore->verbose);
+ if (key == NULL)
+ return -EIO;
+
+ rc = generate_key_verification_pattern((const char *)key, key_size,
+ vp, vp_len, keystore->verbose);
+
+ free(key);
+ return rc;
+}
+
+/**
+ * Checks if the key verification pattern property exists. If not, then it is
+ * created from the secure key.
+ *
+ * @param[in] keystore the key store
+ * @param[in] file_names the file names of the key
+ * @param[in] key_props the properties of the key
+ *
+ * @returns 0 for success or a negative errno in case of an error
+ */
+static int _keystore_ensure_vp_exists(struct keystore *keystore,
+ const struct key_filenames *file_names,
+ struct properties *key_props)
+{
+ char vp[VERIFICATION_PATTERN_LEN];
+ char *temp;
+ int rc;
+
+ temp = properties_get(key_props, PROP_NAME_KEY_VP);
+ if (temp != NULL) {
+ free(temp);
+ return 0;
+ }
+
+ rc = _keystore_generate_verification_pattern(keystore,
+ file_names->skey_filename,
+ vp, sizeof(vp));
+ if (rc != 0)
+ return rc;
+
+ rc = properties_set(key_props, PROP_NAME_KEY_VP, vp);
+ if (rc != 0)
+ return rc;
+
+ return 0;
+}
+
+/**
* Sets a timestamp to be used as creation/update/reencipher time into
* the specified property
*
@@ -1348,7 +1421,7 @@ static int _keystore_set_default_propert
*/
static int _keystore_create_info_file(struct keystore *keystore,
const char *name,
- const char *info_filename,
+ const struct key_filenames *filenames,
const char *description,
const char *volumes, const char *apqns,
size_t sector_size)
@@ -1396,17 +1469,26 @@ static int _keystore_create_info_file(st
goto out;
}
- rc = properties_save(key_props, info_filename, 1);
+ rc = _keystore_ensure_vp_exists(keystore, filenames, key_props);
+ if (rc != 0) {
+ warnx("Failed to generate the key verification pattern: %s",
+ strerror(-rc));
+ warnx("Make sure that kernel module 'paes_s390' is loaded and "
+ "that the 'paes' cipher is available");
+ return rc;
+ }
+
+ rc = properties_save(key_props, filenames->info_filename, 1);
if (rc != 0) {
pr_verbose(keystore,
"Key info file '%s' could not be written: %s",
- info_filename, strerror(-rc));
+ filenames->info_filename, strerror(-rc));
goto out;
}
- rc = _keystore_set_file_permission(keystore, info_filename);
+ rc = _keystore_set_file_permission(keystore, filenames->info_filename);
if (rc != 0) {
- remove(info_filename);
+ remove(filenames->info_filename);
goto out;
}
@@ -1519,8 +1601,7 @@ int keystore_generate_key(struct keystor
if (rc != 0)
goto out_free_props;
- rc = _keystore_create_info_file(keystore, name,
- file_names.info_filename,
+ rc = _keystore_create_info_file(keystore, name, &file_names,
description, volumes, apqns,
sector_size);
if (rc != 0)
@@ -1603,8 +1684,7 @@ int keystore_import_key(struct keystore
if (rc != 0)
goto out_free_props;
- rc = _keystore_create_info_file(keystore, name,
- file_names.info_filename,
+ rc = _keystore_create_info_file(keystore, name, &file_names,
description, volumes, apqns,
sector_size);
if (rc != 0)
@@ -1723,6 +1803,9 @@ int keystore_change_key(struct keystore
}
}
+ rc = _keystore_ensure_vp_exists(keystore, &file_names, key_props);
+ /* ignore return code, vp generation might fail if key is not valid */
+
rc = _keystore_set_timestamp_property(key_props, PROP_NAME_CHANGE_TIME);
if (rc != 0)
goto out;
@@ -1838,7 +1921,7 @@ static struct util_rec *_keystore_setup_
{
struct util_rec *rec;
- rec = util_rec_new_long("-", ":", REC_KEY, 23, 54);
+ rec = util_rec_new_long("-", ":", REC_KEY, 28, 54);
util_rec_def(rec, REC_KEY, UTIL_REC_ALIGN_LEFT, 54, REC_KEY);
if (validation)
util_rec_def(rec, REC_STATUS, UTIL_REC_ALIGN_LEFT, 54,
@@ -1858,6 +1941,7 @@ static struct util_rec *_keystore_setup_
util_rec_def(rec, REC_KEY_FILE, UTIL_REC_ALIGN_LEFT, 54, REC_KEY_FILE);
util_rec_def(rec, REC_SECTOR_SIZE, UTIL_REC_ALIGN_LEFT, 54,
REC_SECTOR_SIZE);
+ util_rec_def(rec, REC_KEY_VP, UTIL_REC_ALIGN_LEFT, 54, REC_KEY_VP);
util_rec_def(rec, REC_CREATION_TIME, UTIL_REC_ALIGN_LEFT, 54,
REC_CREATION_TIME);
util_rec_def(rec, REC_CHANGE_TIME, UTIL_REC_ALIGN_LEFT, 54,
@@ -1876,6 +1960,7 @@ static void _keystore_print_record(struc
size_t clear_key_bitsize, bool valid,
bool is_old_mk, bool reenc_pending)
{
+ char temp_vp[VERIFICATION_PATTERN_LEN + 2];
char *volumes_argz = NULL;
size_t volumes_argz_len;
char *apqns_argz = NULL;
@@ -1888,6 +1973,8 @@ static void _keystore_print_record(struc
char *change;
char *apqns;
char *temp;
+ char *vp;
+ int len;
description = properties_get(properties, PROP_NAME_DESCRIPTION);
volumes = properties_get(properties, PROP_NAME_VOLUMES);
@@ -1913,6 +2000,7 @@ static void _keystore_print_record(struc
creation = properties_get(properties, PROP_NAME_CREATION_TIME);
change = properties_get(properties, PROP_NAME_CHANGE_TIME);
reencipher = properties_get(properties, PROP_NAME_REENC_TIME);
+ vp = properties_get(properties, PROP_NAME_KEY_VP);
util_rec_set(rec, REC_KEY, name);
if (validation)
@@ -1951,6 +2039,15 @@ static void _keystore_print_record(struc
else
util_rec_set(rec, REC_SECTOR_SIZE, "%lu bytes",
sector_size);
+ if (vp != NULL) {
+ len = sprintf(temp_vp, "%.*s%c%.*s",
+ VERIFICATION_PATTERN_LEN / 2, vp,
+ '\0', VERIFICATION_PATTERN_LEN / 2,
+ &vp[VERIFICATION_PATTERN_LEN / 2]);
+ util_rec_set_argz(rec, REC_KEY_VP, temp_vp, len + 1);
+ } else {
+ util_rec_set(rec, REC_KEY_VP, "(not available)");
+ }
util_rec_set(rec, REC_CREATION_TIME, creation);
util_rec_set(rec, REC_CHANGE_TIME,
change != NULL ? change : "(never)");
@@ -1976,6 +2073,8 @@ static void _keystore_print_record(struc
free(change);
if (reencipher != NULL)
free(reencipher);
+ if (vp != NULL)
+ free(vp);
}
struct validate_info {
@@ -2404,6 +2503,17 @@ static int _keystore_process_reencipher(
if (rc != 0)
goto out;
+ rc = _keystore_ensure_vp_exists(keystore, file_names,
+ properties);
+ if (rc != 0) {
+ warnx("Failed to generate the key verification pattern "
+ "for key '%s': %s", file_names->skey_filename,
+ strerror(-rc));
+ warnx("Make sure that kernel module 'paes_s390' is loaded and "
+ "that the 'paes' cipher is available");
+ goto out;
+ }
+
rc = properties_save(properties, file_names->info_filename, 1);
if (rc != 0) {
pr_verbose(keystore,
@@ -3040,7 +3150,7 @@ static int _keystore_process_crypttab(st
"At the time this utility was developed, systemd's "
"support of crypttab did not support to specify a "
"sector size with plain dm-crypt devices. The generated "
- "crypttab entry may or may not work, and may need "
+ "crypttab entry might or might not work, and might need "
"manual adoptions.", volume, sector_size);
util_print_indented(temp, 0);
}
--- a/zkey/zkey.1
+++ b/zkey/zkey.1
@@ -361,8 +361,8 @@ The
command displays the attributes of the secure keys, such as key sizes,
whether it is a secure key that can be used for the XTS cipher mode, the textual
description, associated cryptographic adapters (APQNs) and volumes, the
-sector size, and timestamps for key creation, last modification and last
-re-encipherment.
+sector size, the key verification pattern, and timestamps for key creation, last
+modification and last re-encipherment.
.
.SS "Remove existing AES secure keys from the secure key repository"
.
--- a/zkey/zkey.c
+++ b/zkey/zkey.c
@@ -1057,6 +1057,7 @@ static int command_reencipher(void)
*/
static int command_validate_file(void)
{
+ char vp[VERIFICATION_PATTERN_LEN];
size_t secure_key_size;
size_t clear_key_size;
u8 *secure_key;
@@ -1089,14 +1090,30 @@ static int command_validate_file(void)
goto out;
}
+ rc = generate_key_verification_pattern((char *)secure_key,
+ secure_key_size, vp, sizeof(vp),
+ g.verbose);
+ if (rc != 0) {
+ warnx("Failed to generate the verification pattern: %s",
+ strerror(-rc));
+ warnx("Make sure that kernel module 'paes_s390' is loaded and "
+ "that the 'paes' cipher is available");
+ rc = EXIT_FAILURE;
+ goto out;
+ }
+
printf("Validation of secure key in file '%s':\n", g.pos_arg);
- printf(" Status: Valid\n");
- printf(" Secure key size: %lu bytes\n", secure_key_size);
- printf(" Clear key size: %lu bits\n", clear_key_size);
- printf(" XTS type key: %s\n",
+ printf(" Status: Valid\n");
+ printf(" Secure key size: %lu bytes\n", secure_key_size);
+ printf(" Clear key size: %lu bits\n", clear_key_size);
+ printf(" XTS type key: %s\n",
secure_key_size > SECURE_KEY_SIZE ? "Yes" : "No");
- printf(" Encrypted with: %s CCA master key\n",
+ printf(" Enciphered with: %s CCA master key\n",
is_old_mk ? "OLD" : "CURRENT");
+ printf(" Verification pattern: %.*s\n", VERIFICATION_PATTERN_LEN / 2,
+ vp);
+ printf(" %.*s\n", VERIFICATION_PATTERN_LEN / 2,
+ &vp[VERIFICATION_PATTERN_LEN / 2]);
out:
free(secure_key);

View File

@ -0,0 +1,361 @@
Subject: cpumf: Add extended counter defintion files for IBM z14
From: Hendrik Brueckner <brueckner@linux.ibm.com>
Summary: cpumf: Add CPU-MF hardware counters for z14
Description: Add hardware counter definitions for IBM z14.
Upstream-ID: 57f18c5f59766832822a74cc029a8d3b60e3ba0f
Problem-ID: KRN1608
Upstream-Description:
cpumf: Add extended counter defintion files for IBM z14
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
[brueckner: Prefer plural for counter names]
Signed-off-by: Hendrik Brueckner <brueckner@linux.vnet.ibm.com>
Signed-off-by: Stefan Haberland <sth@linux.vnet.ibm.com>
Signed-off-by: Hendrik Brueckner <brueckner@linux.ibm.com>
---
cpumf/Makefile | 2
cpumf/bin/cpumf_helper.in | 1
cpumf/data/cpum-cf-extended-z14.ctr | 303 ++++++++++++++++++++++++++++++++++++
cpumf/data/cpum-cf-hw-counter.map | 1
4 files changed, 306 insertions(+), 1 deletion(-)
--- a/cpumf/Makefile
+++ b/cpumf/Makefile
@@ -7,7 +7,7 @@ CPUMF_DATADIR = $(TOOLS_DATADIR)/cpumf
DATA_FILES = cpum-cf-hw-counter.map cpum-cf-generic.ctr \
cpum-cf-extended-z10.ctr cpum-cf-extended-z196.ctr \
cpum-cf-extended-zEC12.ctr cpum-sf-modes.ctr \
- cpum-cf-extended-z13.ctr
+ cpum-cf-extended-z13.ctr cpum-cf-extended-z14.ctr
LIB_FILES = bin/cpumf_helper
USRBIN_SCRIPTS = bin/lscpumf
USRSBIN_SCRIPTS = bin/chcpumf
--- a/cpumf/bin/cpumf_helper.in
+++ b/cpumf/bin/cpumf_helper.in
@@ -210,6 +210,7 @@ my $system_z_hwtype_map = {
2828 => 'IBM zEnterprise BC12',
2964 => 'IBM z13',
2965 => 'IBM z13s',
+ 3906 => 'IBM z14',
};
sub get_hardware_type()
--- /dev/null
+++ b/cpumf/data/cpum-cf-extended-z14.ctr
@@ -0,0 +1,303 @@
+# Counter decriptions for the
+# IBM z14 extended counter and MT-diagnostic counter set
+#
+# Notes for transactional-execution mode symbolic names:
+# TX .. transactional-execution mode
+# NC .. nonconstrained
+# C .. constrained
+#
+# Undefined counters in the extended counter set:
+# 142
+# 158-161
+# 176-223
+# 227-231
+# 233-242
+# 246-255
+# Undefined counters in the MT-diagnostic counter set:
+# 450-495
+#
+#
+# Extended Counter Set
+# ---------------------------------------------------------------------
+Counter:128 Name:L1D_WRITES_RO_EXCL
+A directory write to the Level-1 Data cache where the line was
+originally in a Read-Only state in the cache but has been updated
+to be in the Exclusive state that allows stores to the cache line
+.
+Counter:129 Name:DTLB2_WRITES
+Description:
+A translation has been written into The Translation Lookaside
+Buffer 2 (TLB2) and the request was made by the data cache
+.
+Counter:130 Name:DTLB2_MISSES
+Description:
+A TLB2 miss is in progress for a request made by the data cache.
+Incremented by one for every TLB2 miss in progress for the Level-1
+Data cache on this cycle
+.
+Counter:131 Name:DTLB2_HPAGE_WRITES
+Description:
+A translation entry was written into the Combined Region and Segment
+Table Entry array in the Level-2 TLB for a one-megabyte page or a
+Last Host Translation was done
+.
+Counter:132 Name:DTLB2_GPAGE_WRITES
+Description:
+A translation entry for a two-gigabyte page was written into the
+Level-2 TLB
+.
+Counter:133 Name:L1D_L2D_SOURCED_WRITES
+Description:
+A directory write to the Level-1 Data cache directory where the
+returned cache line was sourced from the Level-2 Data cache
+.
+Counter:134 Name:ITLB2_WRITES
+Description:
+A translation entry has been written into the Translation Lookaside
+Buffer 2 (TLB2) and the request was made by the instruction cache
+.
+Counter:135 Name:ITLB2_MISSES
+Description:
+A TLB2 miss is in progress for a request made by the instruction cache.
+Incremented by one for every TLB2 miss in progress for the Level-1
+Instruction cache in a cycle
+.
+Counter:136 Name:L1I_L2I_SOURCED_WRITES
+Description:
+A directory write to the Level-1 Instruction cache directory where the
+returned cache line was sourced from the Level-2 Instruction cache
+.
+Counter:137 Name:TLB2_PTE_WRITES
+Description:
+A translation entry was written into the Page Table Entry array in the
+Level-2 TLB
+.
+Counter:138 Name:TLB2_CRSTE_WRITES
+Description:
+Translation entries were written into the Combined Region and Segment
+Table Entry array and the Page Table Entry array in the Level-2 TLB
+.
+Counter:139 Name:TLB2_ENGINES_BUSY
+Description:
+The number of Level-2 TLB translation engines busy in a cycle
+.
+Counter:140 Name:TX_C_TEND
+Description:
+A TEND instruction has completed in a constrained transactional-execution
+mode
+.
+Counter:141 Name:TX_NC_TEND
+Description:
+A TEND instruction has completed in a non-constrained
+transactional-execution mode
+.
+Counter:143 Name:L1C_TLB2_MISSES
+Description:
+Increments by one for any cycle where a level-1 cache or level-2 TLB miss
+is in progress
+.
+Counter:144 Name:L1D_ONCHIP_L3_SOURCED_WRITES
+Description:
+A directory write to the Level-1 Data cache directory where the returned
+cache line was sourced from an On-Chip Level-3 cache without intervention
+.
+Counter:145 Name:L1D_ONCHIP_MEMORY_SOURCED_WRITES
+Description:
+A directory write to the Level-1 Data cache directory where the returned
+cache line was sourced from On-Chip memory
+.
+Counter:146 Name:L1D_ONCHIP_L3_SOURCED_WRITES_IV
+Description:
+A directory write to the Level-1 Data cache directory where the returned
+cache line was sourced from an On-Chip Level-3 cache with intervention
+.
+Counter:147 Name:L1D_ONCLUSTER_L3_SOURCED_WRITES
+Description:
+A directory write to the Level-1 Data cache directory where the returned
+cache line was sourced from On-Cluster Level-3 cache withountervention
+.
+Counter:148 Name:L1D_ONCLUSTER_MEMORY_SOURCED_WRITES
+Description:
+A directory write to the Level-1 Data cache directory where the returned
+cache line was sourced from an On-Cluster memory
+.
+Counter:149 Name:L1D_ONCLUSTER_L3_SOURCED_WRITES_IV
+Description:
+A directory write to the Level-1 Data cache directory where the returned
+cache line was sourced from an On-Cluster Level-3 cache with intervention
+.
+Counter:150 Name:L1D_OFFCLUSTER_L3_SOURCED_WRITES
+Description:
+A directory write to the Level-1 Data cache directory where the returned
+cache line was sourced from an Off-Cluster Level-3 cache without
+intervention
+.
+Counter:151 Name:L1D_OFFCLUSTER_MEMORY_SOURCED_WRITES
+Description:
+A directory write to the Level-1 Data cache directory where the returned
+cache line was sourced from Off-Cluster memory
+.
+Counter:152 Name:L1D_OFFCLUSTER_L3_SOURCED_WRITES_IV
+Description:
+A directory write to the Level-1 Data cache directory where the returned
+cache line was sourced from an Off-Cluster Level-3 cache with intervention
+.
+Counter:153 Name:L1D_OFFDRAWER_L3_SOURCED_WRITES
+Description:
+A directory write to the Level-1 Data cache directory where the returned
+cache line was sourced from an Off-Drawer Level-3 cache without
+intervention
+.
+Counter:154 Name:L1D_OFFDRAWER_MEMORY_SOURCED_WRITES
+Description:
+A directory write to the Level-1 Data cache directory where the returned
+cache line was sourced from Off-Drawer memory
+.
+Counter:155 Name:L1D_OFFDRAWER_L3_SOURCED_WRITES_IV
+Description:
+A directory write to the Level-1 Data cache directory where the returned
+cache line was sourced from an Off-Drawer Level-3 cache with intervention
+.
+Counter:156 Name:L1D_ONDRAWER_L4_SOURCED_WRITES
+Description:
+A directory write to the Level-1 Data cache directory where the returned
+cache line was sourced from On-Drawer Level-4 cache
+.
+Counter:157 Name:L1D_OFFDRAWER_L4_SOURCED_WRITES
+Description:
+A directory write to the Level-1 Data cache directory where the returned
+cache line was sourced from Off-Drawer Level-4 cache
+.
+Counter:158 Name:L1D_ONCHIP_L3_SOURCED_WRITES_RO
+Description:
+A directory write to the Level-1 Data cache directory where the returned
+cache line was sourced from On-Chip L3 but a read-only invalidate was
+done to remove other copies of the cache line
+.
+Counter:162 Name:L1I_ONCHIP_L3_SOURCED_WRITES
+Description:
+A directory write to the Level-1 Instruction cache directory where the
+returned cache ine was sourced from an On-Chip Level-3 cache without
+intervention
+.
+Counter:163 Name:L1I_ONCHIP_MEMORY_SOURCED_WRITES
+Description:
+A directory write to the Level-1 Instruction cache directory where the
+returned cache ine was sourced from On-Chip memory
+.
+Counter:164 Name:L1I_ONCHIP_L3_SOURCED_WRITES_IV
+Description:
+A directory write to the Level-1 Instruction cache directory where the
+returned cache ine was sourced from an On-Chip Level-3 cache with
+intervention
+.
+Counter:165 Name:L1I_ONCLUSTER_L3_SOURCED_WRITES
+Description:
+A directory write to the Level-1 Instruction cache directory where the
+returned cache line was sourced from an On-Cluster Level-3 cache without
+intervention
+.
+Counter:166 Name:L1I_ONCLUSTER_MEMORY_SOURCED_WRITES
+Description:
+A directory write to the Level-1 Instruction cache directory where the
+returned cache line was sourced from an On-Cluster memory
+.
+Counter:167 Name:L1I_ONCLUSTER_L3_SOURCED_WRITES_IV
+Description:
+A directory write to the Level-1 Instruction cache directory where the
+returned cache line was sourced from On-Cluster Level-3 cache with
+intervention
+.
+Counter:168 Name:L1I_OFFCLUSTER_L3_SOURCED_WRITES
+Description:
+A directory write to the Level-1 Instruction cache directory where the
+returned cache line was sourced from an Off-Cluster Level-3 cache without
+intervention
+.
+Counter:169 Name:L1I_OFFCLUSTER_MEMORY_SOURCED_WRITES
+Description:
+A directory write to the Level-1 Instruction cache directory where the
+returned cache line was sourced from Off-Cluster memory
+.
+Counter:170 Name:L1I_OFFCLUSTER_L3_SOURCED_WRITES_IV
+Description:
+A directory write to the Level-1 Instruction cache directory where the
+returned cache line was sourced from an Off-Cluster Level-3 cache with
+intervention
+.
+Counter:171 Name:L1I_OFFDRAWER_L3_SOURCED_WRITES
+Description:
+A directory write to the Level-1 Instruction cache directory where the
+returned cache line was sourced from an Off-Drawer Level-3 cache without
+intervention
+.
+Counter:172 Name:L1I_OFFDRAWER_MEMORY_SOURCED_WRITES
+Description:
+A directory write to the Level-1 Instruction cache directory where the
+returned cache line was sourced from Off-Drawer memory
+.
+Counter:173 Name:L1I_OFFDRAWER_L3_SOURCED_WRITES_IV
+Description:
+A directory write to the Level-1 Instruction cache directory where the
+returned cache line was sourced from an Off-Drawer Level-3 cache with
+intervention
+.
+Counter:174 Name:L1I_ONDRAWER_L4_SOURCED_WRITES
+Description:
+A directory write to the Level-1 Instruction cache directory where the
+returned cache line was sourced from On-Drawer Level-4 cache
+.
+Counter:175 Name:L1I_OFFDRAWER_L4_SOURCED_WRITES
+Description:
+A directory write to the Level-1 Instruction cache directory where the
+returned cache line was sourced from Off-Drawer Level-4 cache
+.
+Counter:224 Name:BCD_DFP_EXECUTION_SLOTS
+Description:
+Count of floating point execution slots used for finished Binary Coded
+Decimal to Decimal Floating Point conversions. Instructions: CDZT,
+CXZT, CZDT, CZXT
+.
+Counter:225 Name:VX_BCD_EXECUTION_SLOTS
+Description:
+Count of floating point execution slots used for finished vector arithmetic
+Binary Coded Decimal instructions. Instructions: VAP, VSP, VMPVMSP, VDP,
+VSDP, VRP, VLIP, VSRP, VPSOPVCP, VTP, VPKZ, VUPKZ, VCVB, VCVBG, VCVDVCVDG
+.
+Counter:226 Name:DECIMAL_INSTRUCTIONS
+Description:
+Decimal instructions dispatched. Instructions: CVB, CVD, AP, CP, DP, ED,
+EDMK, MP, SRP, SP, ZAP
+.
+Counter:233 Name:LAST_HOST_TRANSLATIONS
+Description:
+Last Host Translation done
+.
+Counter:243 Name:TX_NC_TABORT
+Description:
+A transaction abort has occurred in a non-constrained
+transactional-execution mode
+.
+Counter:244 Name:TX_C_TABORT_NO_SPECIAL
+Description:
+A transaction abort has occurred in a constrained transactional-execution
+mode and the CPU is not using any special logic to allow the transaction
+to complete
+.
+Counter:245 Name:TX_C_TABORT_SPECIAL
+Description:
+A transaction abort has occurred in a constrained transactional-execution
+mode and the CPU is using special logic to allow the transaction to
+complete
+.
+#
+# MT-diagnostic counter set
+# ---------------------------------------------------------------------
+Counter:448 Name:MT_DIAG_CYCLES_ONE_THR_ACTIVE
+Description:
+Cycle count with one thread active
+.
+Counter:449 Name:MT_DIAG_CYCLES_TWO_THR_ACTIVE
+Description:
+Cycle count with two threads active
+.
--- a/cpumf/data/cpum-cf-hw-counter.map
+++ b/cpumf/data/cpum-cf-hw-counter.map
@@ -14,4 +14,5 @@
2828 => 'cpum-cf-extended-zEC12.ctr',
2964 => 'cpum-cf-extended-z13.ctr',
2965 => 'cpum-cf-extended-z13.ctr',
+ 3906 => 'cpum-cf-extended-z14.ctr',
};

View File

@ -0,0 +1,124 @@
Subject: lszcrypt: CEX6S exploitation
From: Harald Freudenberger <freude@linux.vnet.ibm.com>
Summary: s390-tools: Exploitation Support for CEX6S
Description: Exploitation Support for CEX6S
Upstream-ID: 31866fbfa4bd89606af2a313427ca06d230e20dc
Problem-ID: SEC1519
Upstream-Description:
lszcrypt: CEX6S exploitation
With z14 there comes a new crypto card 'CEX6S'.
This patch introduces the s390-tools changes needed
to list the new card and show the capabilities correctly.
Signed-off-by: Harald Freudenberger <freude@linux.vnet.ibm.com>
Signed-off-by: Michael Holzheu <holzheu@linux.vnet.ibm.com>
Signed-off-by: Harald Freudenberger <freude@linux.vnet.ibm.com>
---
zconf/zcrypt/lszcrypt.8 | 6 ++++++
zconf/zcrypt/lszcrypt.c | 37 ++++++++++++++++++++++++++++---------
2 files changed, 34 insertions(+), 9 deletions(-)
--- a/zconf/zcrypt/lszcrypt.8
+++ b/zconf/zcrypt/lszcrypt.8
@@ -85,6 +85,12 @@ EP11 Secure Key
.IP "o"
Long RNG
.RE
+
+.RS 8
+The CCA Secure Key capability may be limited by a hypervisor
+layer. The remarks 'full function set' or 'restricted function set' may
+reflect this. For details about these limitations please check the
+hypervisor documentation.
.TP 8
.B -d, --domains
Shows the usage and control domains of the cryptographic devices.
--- a/zconf/zcrypt/lszcrypt.c
+++ b/zconf/zcrypt/lszcrypt.c
@@ -42,11 +42,19 @@ struct lszcrypt_l *lszcrypt_l = &l;
/*
* Card types
*/
-#define MASK_APSC 0x80000000
-#define MASK_RSA4K 0x60000000
-#define MASK_COPRO 0x10000000
-#define MASK_ACCEL 0x08000000
-#define MASK_EP11 0x04000000
+#define MASK_APSC 0x80000000
+#define MASK_RSA4K 0x60000000
+#define MASK_COPRO 0x10000000
+#define MASK_ACCEL 0x08000000
+#define MASK_EP11 0x04000000
+
+/*
+ * Classification
+ */
+#define MASK_CLASS_FULL 0x00800000
+#define CLASS_FULL "full function set"
+#define MASK_CLASS_STATELESS 0x00400000
+#define CLASS_STATELESS "restricted function set"
/*
* Program configuration
@@ -226,7 +234,7 @@ static void show_capability(const char *
{
unsigned long func_val;
long hwtype, id;
- char *p, *ap, *dev, card[16];
+ char *p, *ap, *dev, card[16], cbuf[256];
/* check if ap driver is available */
ap = util_path_sysfs("bus/ap");
@@ -250,6 +258,11 @@ static void show_capability(const char *
printf("Detailed capability information for %s (hardware type %ld) is not available.\n", card, hwtype);
return;
}
+ cbuf[0] = '\0';
+ if (func_val & MASK_CLASS_FULL)
+ snprintf(cbuf, sizeof(cbuf), "%s", CLASS_FULL);
+ else if (func_val & MASK_CLASS_STATELESS)
+ snprintf(cbuf, sizeof(cbuf), "%s", CLASS_STATELESS);
printf("%s provides capability for:\n", card);
switch (hwtype) {
case 6:
@@ -262,11 +275,15 @@ static void show_capability(const char *
case 7:
case 9:
printf("%s\n", CAP_RSA4K);
- printf("%s\n", CAP_CCA);
+ if (cbuf[0])
+ printf("%s (%s)\n", CAP_CCA, cbuf);
+ else
+ printf("%s\n", CAP_CCA);
printf("%s", CAP_RNG);
break;
case 10:
case 11:
+ case 12:
if (func_val & MASK_ACCEL) {
if (func_val & MASK_RSA4K)
printf("%s", CAP_RSA4K);
@@ -274,12 +291,14 @@ static void show_capability(const char *
printf("%s", CAP_RSA2K);
} else if (func_val & MASK_COPRO) {
printf("%s\n", CAP_RSA4K);
- printf("%s\n", CAP_CCA);
+ if (cbuf[0])
+ printf("%s (%s)\n", CAP_CCA, cbuf);
+ else
+ printf("%s\n", CAP_CCA);
printf("%s", CAP_RNG);
} else if (func_val & MASK_EP11) {
printf("%s", CAP_EP11);
} else {
-
printf("Detailed capability information for %s (hardware type %ld) is not available.", card, hwtype);
}
break;

View File

@ -0,0 +1,55 @@
Subject: util_path: add function to check if a path exists
From: Jan Hoeppner <jan.hoeppner@de.ibm.com>
Summary: zpcictl: Add tool to manage PCI devices
Description: Use the zpcictl tool to manage PCI devices on the IBM Z
platform. Initial functions include generating firmware
error logs, resetting PCI devices, and preparing a device
for further repair actions.
Upstream-ID: df133846b5889a7698ac09f00284c1be54926b59
Problem-ID: RAS1703
Upstream-Description:
util_path: add function to check if a path exists
GitHub-ID: #20
Signed-off-by: Rafael Fonseca <r4f4rfs@gmail.com>
Acked-by: Michael Holzheu <holzheu@linux.vnet.ibm.com>
Signed-off-by: Michael Holzheu <holzheu@linux.vnet.ibm.com>
Signed-off-by: Jan Hoeppner <jan.hoeppner@de.ibm.com>
---
include/lib/util_path.h | 1 +
libutil/util_path.c | 12 ++++++++++++
2 files changed, 13 insertions(+)
--- a/include/lib/util_path.h
+++ b/include/lib/util_path.h
@@ -20,5 +20,6 @@ bool util_path_is_readable(const char *f
bool util_path_is_writable(const char *fmt, ...);
bool util_path_is_dir(const char *fmt, ...);
bool util_path_is_reg_file(const char *fmt, ...);
+bool util_path_exists(const char *fmt, ...);
#endif /** LIB_UTIL_PATH_H @} */
--- a/libutil/util_path.c
+++ b/libutil/util_path.c
@@ -194,3 +194,15 @@ free_str:
free(path);
return rc;
}
+
+bool util_path_exists(const char *fmt, ...)
+{
+ va_list ap;
+ char *path;
+ bool rc;
+
+ UTIL_VASPRINTF(&path, fmt, ap);
+ rc = access(path, F_OK) == 0;
+ free(path);
+ return rc;
+}

View File

@ -0,0 +1,382 @@
Subject: cpumf/z14: split counter sets according to CFVN/CSVN (part 1/2)
From: Hendrik Brueckner <brueckner@linux.ibm.com>
Summary: cpumf: Add CPU-MF hardware counters for z14
Description: Add hardware counter definitions for IBM z14.
Upstream-ID: d121ffa3f01e08d2cc53140444dfcab830319012
Problem-ID: KRN1608
Upstream-Description:
cpumf/z14: split counter sets according to CFVN/CSVN (part 1/2)
With z14, the counters in the problem-state are reduced resulting
in an increased first version number of the CPUM CF. To adapt to
this change, split the counter sets according to their counter
first and second version number. The second version number controls
the crypto-activity and extended counter set. Treat the crypto-activity
counter set as generic, as the extended counter set is already handled
based on hardware models.
Signed-off-by: Hendrik Brueckner <brueckner@linux.vnet.ibm.com>
Signed-off-by: Stefan Haberland <sth@linux.vnet.ibm.com>
Signed-off-by: Hendrik Brueckner <brueckner@linux.ibm.com>
---
cpumf/Makefile | 4 -
cpumf/data/cpum-cf-cfvn-1.ctr | 48 +++++++++++++
cpumf/data/cpum-cf-cfvn-3.ctr | 32 ++++++++
cpumf/data/cpum-cf-csvn-generic.ctr | 84 ++++++++++++++++++++++
cpumf/data/cpum-cf-generic.ctr | 132 ------------------------------------
cpumf/data/cpum-cf-hw-counter.map | 15 +++-
6 files changed, 180 insertions(+), 135 deletions(-)
--- a/cpumf/Makefile
+++ b/cpumf/Makefile
@@ -4,7 +4,9 @@ include ../common.mak
CPUMF_DATADIR = $(TOOLS_DATADIR)/cpumf
-DATA_FILES = cpum-cf-hw-counter.map cpum-cf-generic.ctr \
+DATA_FILES = cpum-cf-hw-counter.map \
+ cpum-cf-cfvn-1.ctr cpum-cf-cfvn-3.ctr \
+ cpum-cf-csvn-generic.ctr \
cpum-cf-extended-z10.ctr cpum-cf-extended-z196.ctr \
cpum-cf-extended-zEC12.ctr cpum-sf-modes.ctr \
cpum-cf-extended-z13.ctr cpum-cf-extended-z14.ctr
--- /dev/null
+++ b/cpumf/data/cpum-cf-cfvn-1.ctr
@@ -0,0 +1,48 @@
+Counter: 0 Name:CPU_CYCLES
+Description:
+Cycle Count
+.
+Counter: 1 Name:INSTRUCTIONS
+Description:
+Instruction Count
+.
+Counter: 2 Name:L1I_DIR_WRITES
+Description:
+Level-1 I-Cache Directory Write Count
+.
+Counter: 3 Name:L1I_PENALTY_CYCLES
+Description:
+Level-1 I-Cache Penalty Cycle Count
+.
+Counter: 4 Name:L1D_DIR_WRITES
+Description:
+Level-1 D-Cache Directory Write Count
+.
+Counter: 5 Name:L1D_PENALTY_CYCLES
+Description:
+Level-1 D-Cache Penalty Cycle Count
+.
+Counter: 32 Name:PROBLEM_STATE_CPU_CYCLES
+Description:
+Problem-State Cycle Count
+.
+Counter: 33 Name:PROBLEM_STATE_INSTRUCTIONS
+Description:
+Problem-State Instruction Count
+.
+Counter: 34 Name:PROBLEM_STATE_L1I_DIR_WRITES
+Description:
+Problem-State Level-1 I-Cache Directory Write Count
+.
+Counter: 35 Name:PROBLEM_STATE_L1I_PENALTY_CYCLES
+Description:
+Problem-State Level-1 I-Cache Penalty Cycle Count
+.
+Counter: 36 Name:PROBLEM_STATE_L1D_DIR_WRITES
+Description:
+Problem-State Level-1 D-Cache Directory Write Count
+.
+Counter: 37 Name:PROBLEM_STATE_L1D_PENALTY_CYCLES
+Description:
+Problem-State Level-1 D-Cache Penalty Cycle Count
+.
--- /dev/null
+++ b/cpumf/data/cpum-cf-cfvn-3.ctr
@@ -0,0 +1,32 @@
+Counter: 0 Name:CPU_CYCLES
+Description:
+Cycle Count
+.
+Counter: 1 Name:INSTRUCTIONS
+Description:
+Instruction Count
+.
+Counter: 2 Name:L1I_DIR_WRITES
+Description:
+Level-1 I-Cache Directory Write Count
+.
+Counter: 3 Name:L1I_PENALTY_CYCLES
+Description:
+Level-1 I-Cache Penalty Cycle Count
+.
+Counter: 4 Name:L1D_DIR_WRITES
+Description:
+Level-1 D-Cache Directory Write Count
+.
+Counter: 5 Name:L1D_PENALTY_CYCLES
+Description:
+Level-1 D-Cache Penalty Cycle Count
+.
+Counter: 32 Name:PROBLEM_STATE_CPU_CYCLES
+Description:
+Problem-State Cycle Count
+.
+Counter: 33 Name:PROBLEM_STATE_INSTRUCTIONS
+Description:
+Problem-State Instruction Count
+.
--- /dev/null
+++ b/cpumf/data/cpum-cf-csvn-generic.ctr
@@ -0,0 +1,84 @@
+Counter: 64 Name:PRNG_FUNCTIONS
+Description:
+Total number of the PRNG functions issued by the CPU
+.
+Counter: 65 Name:PRNG_CYCLES
+Description:
+Total number of CPU cycles when the DEA/AES coprocessor is busy
+performing PRNG functions issued by the CPU
+.
+Counter: 66 Name:PRNG_BLOCKED_FUNCTIONS
+Description:
+Total number of the PRNG functions that are issued by the CPU and are
+blocked because the DEA/AES coprocessor is busy performing a function
+issued by another CPU
+.
+Counter: 67 Name:PRNG_BLOCKED_CYCLES
+Description:
+Total number of CPU cycles blocked for the PRNG functions issued by
+the CPU because the DEA/AES coprocessor is busy performing a function
+issued by another CPU
+.
+Counter: 68 Name:SHA_FUNCTIONS
+Description:
+Total number of SHA functions issued by the CPU
+.
+Counter: 69 Name:SHA_CYCLES
+Description:
+Total number of CPU cycles when the SHA coprocessor is busy performing
+the SHA functions issued by the CPU
+.
+Counter: 70 Name:SHA_BLOCKED_FUNCTIONS
+Description:
+Total number of the SHA functions that are issued by the CPU and are
+blocked because the SHA coprocessor is busy performing a function issued
+by another CPU
+.
+Counter: 71 Name:SHA_BLOCKED_CYCLES
+Description:
+Total number of CPU cycles blocked for the SHA functions issued by the
+CPU because the SHA coprocessor is busy performing a function issued
+by another CPU
+.
+Counter: 72 Name:DEA_FUNCTIONS
+Description:
+Total number of the DEA functions issued by the CPU
+.
+Counter: 73 Name:DEA_CYCLES
+Description:
+Total number of CPU cycles when the DEA/AES coprocessor is busy
+performing the DEA functions issued by the CPU
+.
+Counter: 74 Name:DEA_BLOCKED_FUNCTIONS
+Description:
+Total number of the DEA functions that are issued by the CPU and are
+blocked because the DEA/AES coprocessor is busy performing a function
+issued by another CPU
+.
+Counter: 75 Name:DEA_BLOCKED_CYCLES
+Description:
+Total number of CPU cycles blocked for the DEA functions issued by the
+CPU because the DEA/AES coprocessor is busy performing a function issued
+by another CPU
+.
+Counter: 76 Name:AES_FUNCTIONS
+Description:
+Total number of AES functions issued by the CPU
+.
+Counter: 77 Name:AES_CYCLES
+Description:
+Total number of CPU cycles when the DEA/AES coprocessor is busy
+performing the AES functions issued by the CPU
+.
+Counter: 78 Name:AES_BLOCKED_FUNCTIONS
+Description:
+Total number of AES functions that are issued by the CPU and are blocked
+because the DEA/AES coprocessor is busy performing a function issued
+by another CPU
+.
+Counter: 79 Name:AES_BLOCKED_CYCLES
+Description:
+Total number of CPU cycles blocked for the AES functions issued by the
+CPU because the DEA/AES coprocessor is busy performing a function issued
+by another CPU
+.
--- a/cpumf/data/cpum-cf-generic.ctr
+++ /dev/null
@@ -1,132 +0,0 @@
-Counter: 0 Name:CPU_CYCLES
-Description:
-Cycle Count
-.
-Counter: 1 Name:INSTRUCTIONS
-Description:
-Instruction Count
-.
-Counter: 2 Name:L1I_DIR_WRITES
-Description:
-Level-1 I-Cache Directory Write Count
-.
-Counter: 3 Name:L1I_PENALTY_CYCLES
-Description:
-Level-1 I-Cache Penalty Cycle Count
-.
-Counter: 4 Name:L1D_DIR_WRITES
-Description:
-Level-1 D-Cache Directory Write Count
-.
-Counter: 5 Name:L1D_PENALTY_CYCLES
-Description:
-Level-1 D-Cache Penalty Cycle Count
-.
-Counter: 32 Name:PROBLEM_STATE_CPU_CYCLES
-Description:
-Problem-State Cycle Count
-.
-Counter: 33 Name:PROBLEM_STATE_INSTRUCTIONS
-Description:
-Problem-State Instruction Count
-.
-Counter: 34 Name:PROBLEM_STATE_L1I_DIR_WRITES
-Description:
-Problem-State Level-1 I-Cache Directory Write Count
-.
-Counter: 35 Name:PROBLEM_STATE_L1I_PENALTY_CYCLES
-Description:
-Problem-State Level-1 I-Cache Penalty Cycle Count
-.
-Counter: 36 Name:PROBLEM_STATE_L1D_DIR_WRITES
-Description:
-Problem-State Level-1 D-Cache Directory Write Count
-.
-Counter: 37 Name:PROBLEM_STATE_L1D_PENALTY_CYCLES
-Description:
-Problem-State Level-1 D-Cache Penalty Cycle Count
-.
-Counter: 64 Name:PRNG_FUNCTIONS
-Description:
-Total number of the PRNG functions issued by the CPU
-.
-Counter: 65 Name:PRNG_CYCLES
-Description:
-Total number of CPU cycles when the DEA/AES coprocessor is busy
-performing PRNG functions issued by the CPU
-.
-Counter: 66 Name:PRNG_BLOCKED_FUNCTIONS
-Description:
-Total number of the PRNG functions that are issued by the CPU and are
-blocked because the DEA/AES coprocessor is busy performing a function
-issued by another CPU
-.
-Counter: 67 Name:PRNG_BLOCKED_CYCLES
-Description:
-Total number of CPU cycles blocked for the PRNG functions issued by
-the CPU because the DEA/AES coprocessor is busy performing a function
-issued by another CPU
-.
-Counter: 68 Name:SHA_FUNCTIONS
-Description:
-Total number of SHA functions issued by the CPU
-.
-Counter: 69 Name:SHA_CYCLES
-Description:
-Total number of CPU cycles when the SHA coprocessor is busy performing
-the SHA functions issued by the CPU
-.
-Counter: 70 Name:SHA_BLOCKED_FUNCTIONS
-Description:
-Total number of the SHA functions that are issued by the CPU and are
-blocked because the SHA coprocessor is busy performing a function issued
-by another CPU
-.
-Counter: 71 Name:SHA_BLOCKED_CYCLES
-Description:
-Total number of CPU cycles blocked for the SHA functions issued by the
-CPU because the SHA coprocessor is busy performing a function issued
-by another CPU
-.
-Counter: 72 Name:DEA_FUNCTIONS
-Description:
-Total number of the DEA functions issued by the CPU
-.
-Counter: 73 Name:DEA_CYCLES
-Description:
-Total number of CPU cycles when the DEA/AES coprocessor is busy
-performing the DEA functions issued by the CPU
-.
-Counter: 74 Name:DEA_BLOCKED_FUNCTIONS
-Description:
-Total number of the DEA functions that are issued by the CPU and are
-blocked because the DEA/AES coprocessor is busy performing a function
-issued by another CPU
-.
-Counter: 75 Name:DEA_BLOCKED_CYCLES
-Description:
-Total number of CPU cycles blocked for the DEA functions issued by the
-CPU because the DEA/AES coprocessor is busy performing a function issued
-by another CPU
-.
-Counter: 76 Name:AES_FUNCTIONS
-Description:
-Total number of AES functions issued by the CPU
-.
-Counter: 77 Name:AES_CYCLES
-Description:
-Total number of CPU cycles when the DEA/AES coprocessor is busy
-performing the AES functions issued by the CPU
-.
-Counter: 78 Name:AES_BLOCKED_FUNCTIONS
-Description:
-Total number of AES functions that are issued by the CPU and are blocked
-because the DEA/AES coprocessor is busy performing a function issued
-by another CPU
-.
-Counter: 79 Name:AES_BLOCKED_CYCLES
-Description:
-Total number of CPU cycles blocked for the AES functions issued by the
-CPU because the DEA/AES coprocessor is busy performing a function issued
-by another CPU
-.
--- a/cpumf/data/cpum-cf-hw-counter.map
+++ b/cpumf/data/cpum-cf-hw-counter.map
@@ -1,11 +1,22 @@
# CPU-measurement facilities
#
-# Mapping of IBM System z hardware types to extended counter set defintions
+# Mapping of:
+# 1. CPU-MF counter first/second version numbers to "generic" counter
+# definitions
+# 2. IBM z Systems hardware to respective extended counter set definitions
#
#
{
# Definition # File name
- 0 => 'cpum-cf-generic.ctr',
+
+ # CFVN
+ 'cfvn-1' => 'cpum-cf-cfvn-1.ctr',
+ 'cfvn-3' => 'cpum-cf-cfvn-3.ctr',
+
+ # CSVN
+ 'csvn-generic' => 'cpum-cf-csvn-generic.ctr',
+
+ # Extended counters
2097 => 'cpum-cf-extended-z10.ctr',
2098 => 'cpum-cf-extended-z10.ctr',
2817 => 'cpum-cf-extended-z196.ctr',

View File

@ -0,0 +1,56 @@
Subject: lszcrypt: fix date and wrong indentation
From: Harald Freudenberger <freude@linux.vnet.ibm.com>
Summary: s390-tools: Exploitation Support for CEX6S
Description: Exploitation Support for CEX6S
Upstream-ID: 4ad5e29f2f02e02c772ca4707b9f10253b1e5692
Problem-ID: SEC1519
Upstream-Description:
lszcrypt: fix date and wrong indentation
The man page date was AUG 2008. Changed to OCT 2017.
A previous commit had a wrong indentation on following
options text for lszcrypt. Fixed.
Signed-off-by: Harald Freudenberger <freude@linux.vnet.ibm.com>
Signed-off-by: Stefan Haberland <sth@linux.vnet.ibm.com>
Signed-off-by: Harald Freudenberger <freude@linux.vnet.ibm.com>
---
zconf/zcrypt/chzcrypt.8 | 2 +-
zconf/zcrypt/lszcrypt.8 | 3 ++-
2 files changed, 3 insertions(+), 2 deletions(-)
--- a/zconf/zcrypt/chzcrypt.8
+++ b/zconf/zcrypt/chzcrypt.8
@@ -2,7 +2,7 @@
.\" s390-tools is free software; you can redistribute it and/or modify
.\" it under the terms of the MIT license. See LICENSE for details.
.\"
-.TH CHZCRYPT 8 "AUG 2008" "s390-tools"
+.TH CHZCRYPT 8 "OCT 2017" "s390-tools"
.SH NAME
chzcrypt \- modify zcrypt configuration
.SH SYNOPSIS
--- a/zconf/zcrypt/lszcrypt.8
+++ b/zconf/zcrypt/lszcrypt.8
@@ -10,7 +10,7 @@
.\" nroff -man lszcrypt.8
.\" to process this source
.\"
-.TH LSZCRYPT 8 "AUG 2008" "s390-tools"
+.TH LSZCRYPT 8 "OCT 2017" "s390-tools"
.SH NAME
lszcrypt \- display zcrypt device and configuration information
.SH SYNOPSIS
@@ -91,6 +91,7 @@ The CCA Secure Key capability may be lim
layer. The remarks 'full function set' or 'restricted function set' may
reflect this. For details about these limitations please check the
hypervisor documentation.
+.RE
.TP 8
.B -d, --domains
Shows the usage and control domains of the cryptographic devices.

View File

@ -0,0 +1,43 @@
Subject: util_path: Add description for util_path_exists()
From: Jan Hoeppner <jan.hoeppner@de.ibm.com>
Summary: zpcictl: Add tool to manage PCI devices
Description: Use the zpcictl tool to manage PCI devices on the IBM Z
platform. Initial functions include generating firmware
error logs, resetting PCI devices, and preparing a device
for further repair actions.
Upstream-ID: d0e2caf0ffb195568bba89a95549a5a4f026a4e6
Problem-ID: RAS1703
Upstream-Description:
util_path: Add description for util_path_exists()
Signed-off-by: Michael Holzheu <holzheu@linux.vnet.ibm.com>
Signed-off-by: Jan Hoeppner <jan.hoeppner@de.ibm.com>
---
libutil/util_path.c | 11 +++++++++++
1 file changed, 11 insertions(+)
--- a/libutil/util_path.c
+++ b/libutil/util_path.c
@@ -195,6 +195,17 @@ free_str:
return rc;
}
+/**
+ * Test if path to directory or file exists
+ *
+ * This function has the same semantics as "-e path" in bash.
+ *
+ * @param[in] fmt Format string for path to test
+ * @param[in] ... Variable arguments for format string
+ *
+ * @returns true Path exists
+ * false Otherwise
+ */
bool util_path_exists(const char *fmt, ...)
{
va_list ap;

View File

@ -0,0 +1,107 @@
Subject: cpumf/cpumf_helper: read split counter sets (part 2/2)
From: Hendrik Brueckner <brueckner@linux.ibm.com>
Summary: cpumf: Add CPU-MF hardware counters for z14
Description: Add hardware counter definitions for IBM z14.
Upstream-ID: 1064e5b9cc3bdeb5731c2e152ce146dfdad27e6f
Problem-ID: KRN1608
Upstream-Description:
cpumf/cpumf_helper: read split counter sets (part 2/2)
Update the cpumf helper program to read the split counter set
definition files. Changes to higher-level program like lscpumf
are not necessary.
Signed-off-by: Hendrik Brueckner <brueckner@linux.vnet.ibm.com>
Signed-off-by: Stefan Haberland <sth@linux.vnet.ibm.com>
Signed-off-by: Hendrik Brueckner <brueckner@linux.ibm.com>
---
cpumf/bin/cpumf_helper.in | 50 ++++++++++++++++++++++++++++++++++++++--------
1 file changed, 42 insertions(+), 8 deletions(-)
--- a/cpumf/bin/cpumf_helper.in
+++ b/cpumf/bin/cpumf_helper.in
@@ -229,6 +229,28 @@ sub get_hardware_type()
return $type;
}
+sub get_cpum_cf_version()
+{
+ my $SL;
+
+ my $v = {
+ cfvn => 0,
+ csvn => 0,
+ };
+
+ return $v unless open($SL, '<', $SERVICE_LEVELS);
+ while (my $line = <$SL>) {
+ # CPU-MF: Counter facility: version=3.5
+ if ($line =~ m/^CPU-MF: Counter facility: version=(\d+)\.(\d+)/) {
+ $v->{cfvn} = $1; # Counter First Version Number
+ $v->{csvn} = $2; # Counter Second Version Number
+ last;
+ }
+ }
+ close($SL);
+ return $v
+}
+
sub cpumf_load_ctrdef($;$)
{
my $hw_type = shift();
@@ -237,10 +259,20 @@ sub cpumf_load_ctrdef($;$)
my $ctrmap = cpumf_hardware_counter_map();
return unless $ctrmap;
+ # Obtain CPU-MF counter facility versions
+ my $version = get_cpum_cf_version();
+
+ # List of "generic" counter sets
+ my @def = ();
+ push @def, "cfvn-" . $version->{cfvn};
+ push @def, "csvn-generic";
+
my $h = {};
- # Load generic counter sets
- cpumf_parse_ctrdef($ctrmap->{0}, $h) or
- croak "Failed to read generic counter definition: $!\n";
+ # Load counter set definition
+ foreach my $ent (@def) {
+ cpumf_parse_ctrdef($ctrmap->{$ent}, $h) or
+ croak "Failed to read counter definition for $ent: $!\n";
+ }
# Load hardware model specific counter set(s)
if ($hw_type && $ctrmap->{$hw_type}) {
# Hardware-model specific counter sets are:
@@ -323,7 +355,7 @@ sub cpumf_helper_main()
GetOptions(
"i|info" => \$conf->{opt_info},
"c|counter=i" => \$conf->{opt_ctr},
- "ctr-def=i" => \$conf->{opt_ctrdef},
+ "ctr-def=s" => \$conf->{opt_ctrdef},
"hardware-type" => \$conf->{opt_hwtype},
"ctr-set-names" => \$conf->{opt_ctrset_names},
"ctr-set-ids" => \$conf->{opt_ctrset_ids},
@@ -428,11 +460,13 @@ B<--ctr-def> option and specify the Syst
Displays the System z hardware type.
-=item B<--ctr-def> I<hardware_type>
+=item B<--ctr-def> I<ctr-definition>
-Displays detailed information about a particular counter set for the specified
-System z hardware type, I<hardware_type>. If you specify zero for
-I<hardware_type>, type-independent counter sets are displayed.
+Displays detailed information about the specified counter definition.
+Valid counter definitions start with C<cfvn-> or <csvn-> followed by
+the counter first/second version number of the CPU-Measurement Counter
+Facility. To display counter information of model-specific counter
+sets, specify the System z hardware type for I<ctr-definition>.
=item B<--ctr-set-names>

View File

@ -0,0 +1,34 @@
Subject: util_path: Make true/false handling consistent with other functions
From: Jan Hoeppner <jan.hoeppner@de.ibm.com>
Summary: zpcictl: Add tool to manage PCI devices
Description: Use the zpcictl tool to manage PCI devices on the IBM Z
platform. Initial functions include generating firmware
error logs, resetting PCI devices, and preparing a device
for further repair actions.
Upstream-ID: 2b92bc4c087fd7a2275ba8fd5608cf3c86cdcc98
Problem-ID: RAS1703
Upstream-Description:
util_path: Make true/false handling consistent with other functions
Signed-off-by: Michael Holzheu <holzheu@linux.vnet.ibm.com>
Signed-off-by: Jan Hoeppner <jan.hoeppner@de.ibm.com>
---
libutil/util_path.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/libutil/util_path.c
+++ b/libutil/util_path.c
@@ -213,7 +213,7 @@ bool util_path_exists(const char *fmt, .
bool rc;
UTIL_VASPRINTF(&path, fmt, ap);
- rc = access(path, F_OK) == 0;
+ rc = access(path, F_OK) == 0 ? true : false;
free(path);
return rc;
}

View File

@ -0,0 +1,32 @@
Subject: cpumf: correct z14 counter number
From: Hendrik Brueckner <brueckner@linux.ibm.com>
Summary: cpumf: Add CPU-MF hardware counters for z14
Description: Add hardware counter definitions for IBM z14.
Upstream-ID: 144bddbf5bce749549a289acbeb49337edaaea45
Problem-ID: KRN1608
Upstream-Description:
cpumf: correct z14 counter number
Signed-off-by: Hendrik Brueckner <brueckner@linux.vnet.ibm.com>
Signed-off-by: Stefan Haberland <sth@linux.vnet.ibm.com>
Signed-off-by: Hendrik Brueckner <brueckner@linux.ibm.com>
---
cpumf/data/cpum-cf-extended-z14.ctr | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/cpumf/data/cpum-cf-extended-z14.ctr
+++ b/cpumf/data/cpum-cf-extended-z14.ctr
@@ -269,7 +269,7 @@ Description:
Decimal instructions dispatched. Instructions: CVB, CVD, AP, CP, DP, ED,
EDMK, MP, SRP, SP, ZAP
.
-Counter:233 Name:LAST_HOST_TRANSLATIONS
+Counter:232 Name:LAST_HOST_TRANSLATIONS
Description:
Last Host Translation done
.

View File

@ -0,0 +1,603 @@
Subject: zpcictl: Introduce new tool zpcictl
From: Jan Hoeppner <jan.hoeppner@de.ibm.com>
Summary: zpcictl: Add tool to manage PCI devices
Description: Use the zpcictl tool to manage PCI devices on the IBM Z
platform. Initial functions include generating firmware
error logs, resetting PCI devices, and preparing a device
for further repair actions.
Upstream-ID: 177cf8cfeb83f85bc164c462b5534f93be3bd979
Problem-ID: RAS1703
Upstream-Description:
zpcictl: Introduce new tool zpcictl
zpcictl is used to manage PCI devices on z Systems. In this first
version it is mainly used to handle erroneous PCI devices by changing
their state and make those changes known to the SE. Log data, such as
S.M.A.R.T. data for NVMe devices, is sent alongside those state changes.
The state change is issued by sending data via the PCI 'report_error'
sysfs attribute. It's a binary attribute which will cause the host to
send an Adapter Notification Event.
Signed-off-by: Jan Höppner <hoeppner@linux.ibm.com>
Signed-off-by: Jan Hoeppner <jan.hoeppner@de.ibm.com>
---
.gitignore | 1
Makefile | 2
zpcictl/Makefile | 18 ++
zpcictl/zpcictl.8 | 80 +++++++++++
zpcictl/zpcictl.c | 378 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
zpcictl/zpcictl.h | 60 ++++++++
6 files changed, 538 insertions(+), 1 deletion(-)
--- a/.gitignore
+++ b/.gitignore
@@ -87,3 +87,4 @@ zipl/boot/data.h
zipl/src/chreipl_helper.device-mapper
zipl/src/zipl
zkey/zkey
+zpcictl/zpcictl
--- a/Makefile
+++ b/Makefile
@@ -8,7 +8,7 @@ TOOL_DIRS = zipl zdump fdasd dasdfmt das
tape390 osasnmpd qetharp ip_watcher qethconf scripts zconf \
vmconvert vmcp man mon_tools dasdinfo vmur cpuplugd ipl_tools \
ziomon iucvterm hyptop cmsfs-fuse qethqoat zfcpdump zdsfs cpumf \
- systemd hmcdrvfs cpacfstats zdev dump2tar zkey netboot
+ systemd hmcdrvfs cpacfstats zdev dump2tar zkey netboot zpcictl
SUB_DIRS = $(LIB_DIRS) $(TOOL_DIRS)
all: $(TOOL_DIRS)
--- /dev/null
+++ b/zpcictl/Makefile
@@ -0,0 +1,18 @@
+include ../common.mak
+
+all: zpcictl
+
+libs = $(rootdir)/libutil/libutil.a
+
+zpcictl: zpcictl.o $(libs)
+
+install: all
+ $(INSTALL) -d -m 755 $(DESTDIR)$(BINDIR) $(DESTDIR)$(MANDIR)/man8
+ $(INSTALL) -g $(GROUP) -o $(OWNER) -m 755 zpcictl $(DESTDIR)$(BINDIR)
+ $(INSTALL) -g $(GROUP) -o $(OWNER) -m 644 zpcictl.8 \
+ $(DESTDIR)$(MANDIR)/man8
+
+clean:
+ rm -f *.o *~ zpcictl core
+
+.PHONY: all install clean
--- /dev/null
+++ b/zpcictl/zpcictl.8
@@ -0,0 +1,80 @@
+.\" Copyright 2017 IBM Corp.
+.\" s390-tools is free software; you can redistribute it and/or modify
+.\" it under the terms of the MIT license. See LICENSE for details.
+.\"
+.\" Macro for inserting an option description prologue.
+.\" .OD <long> [<short>] [args]
+.de OD
+. ds args "
+. if !'\\$3'' .as args \fI\\$3\fP
+. if !'\\$4'' .as args \\$4
+. if !'\\$5'' .as args \fI\\$5\fP
+. if !'\\$6'' .as args \\$6
+. if !'\\$7'' .as args \fI\\$7\fP
+. PD 0
+. if !'\\$2'' .IP "\fB\-\\$2\fP \\*[args]" 4
+. if !'\\$1'' .IP "\fB\-\-\\$1\fP \\*[args]" 4
+. PD
+..
+.
+.TH zpcictl 8 "Oct 2018" s390-tools zpcictl
+.
+.SH NAME
+zpcictl - Manage PCI devices on z Systems
+.
+.
+.SH SYNOPSIS
+.B "zpcictl"
+.I "OPTIONS"
+.I "DEVICE"
+.
+.
+.SH DESCRIPTION
+.B zpcictl
+is a tool for managing PCI devices on the IBM z Systems platform. It is
+especially used for reporting errorneous PCI devices to the service element.
+
+.B Note:
+For NVMe devices additional data (such as S.M.A.R.T. data) is collected and sent
+with any error handling action. The smartmontools are required to be installed
+for this to work.
+.PP
+.
+.
+.SH DEVICE
+.B DEVICE
+can be either the PCI slot address (e.g. 0000:00:00.0) or the main device node
+of an NVMe device (e.g. /dev/nvme0).
+.
+.
+.SH OPTIONS
+.SS Error Handling
+.OD reset "" "DEVICE"
+Reset
+.I DEVICE
+and initiate a re-initialisation of the adapter.
+.PP
+.
+.OD deconfigure "" "DEVICE"
+De-configure
+.I DEVICE
+and prepare for any repair action. This action will move the
+PCI device from a configured to a reserved state.
+.PP
+.
+.OD report-error "" "DEVICE"
+Report any device error for
+.IR DEVICE .
+The
+.I DEVICE
+is marked as erroneous and no further action is initiated on it.
+.PP
+.
+.SS Misc
+.OD help "h" ""
+Print usage information, then exit.
+.PP
+.
+.OD version "v" ""
+Print version information, then exit.
+.PP
--- /dev/null
+++ b/zpcictl/zpcictl.c
@@ -0,0 +1,378 @@
+/*
+ * zpcictl - Manage PCI devices on z Systems
+ *
+ * Copyright IBM Corp. 2018
+ *
+ * s390-tools is free software; you can redistribute it and/or modify
+ * it under the terms of the MIT license. See LICENSE for details.
+ */
+
+#include <errno.h>
+#include <fcntl.h>
+#include <sys/stat.h>
+#include <time.h>
+
+#include "lib/util_base.h"
+#include "lib/util_libc.h"
+#include "lib/util_opt.h"
+#include "lib/util_path.h"
+#include "lib/util_prg.h"
+#include "lib/util_proc.h"
+#include "lib/util_rec.h"
+#include "lib/util_scandir.h"
+
+#include "zpcictl.h"
+
+#define SMARTCTL_CMDLINE "smartctl -x %s 2>/dev/null"
+
+static const struct util_prg prg = {
+ .desc = "Use zpcictl to manage PCI devices on s390\n"
+ "DEVICE is the slot id or node of the device (e.g. /dev/nvme0)",
+ .args = "DEVICE",
+ .copyright_vec = {
+ {
+ .owner = "IBM Corp.",
+ .pub_first = 2018,
+ .pub_last = 2018,
+ },
+ UTIL_PRG_COPYRIGHT_END
+ }
+};
+
+/* Defines for options with no short command */
+#define OPT_RESET 128
+#define OPT_DECONF 129
+#define OPT_REPORT_ERR 130
+
+static struct util_opt opt_vec[] = {
+ UTIL_OPT_SECTION("ERROR HANDLING"),
+ {
+ .option = { "reset", no_argument, NULL, OPT_RESET },
+ .desc = "Reset device",
+ .flags = UTIL_OPT_FLAG_NOSHORT,
+ },
+ {
+ .option = { "deconfigure", no_argument, NULL, OPT_DECONF },
+ .desc = "De-configure device and prepare for any repair action",
+ .flags = UTIL_OPT_FLAG_NOSHORT,
+ },
+ {
+ .option = { "report-error", no_argument, NULL, OPT_REPORT_ERR },
+ .desc = "Report device error to service element (SE)",
+ .flags = UTIL_OPT_FLAG_NOSHORT,
+ },
+ UTIL_OPT_SECTION("MISC"),
+ UTIL_OPT_HELP,
+ UTIL_OPT_VERSION,
+ UTIL_OPT_END
+};
+
+static int is_char_dev(const char *dev)
+{
+ struct stat s;
+
+ if (stat(dev, &s))
+ return 0;
+
+ return S_ISCHR(s.st_mode);
+}
+
+static int is_blk_dev(const char *dev)
+{
+ struct stat s;
+
+ if (stat(dev, &s))
+ return 0;
+
+ return S_ISBLK(s.st_mode);
+}
+
+static void fopen_err(char *path)
+{
+ warnx("Could not open file %s: %s", path, strerror(errno));
+ free(path);
+ exit(EXIT_FAILURE);
+}
+
+#define READ_CHUNK_SIZE 512
+
+static char *collect_smart_data(struct zpci_device *pdev)
+{
+ char *buffer = NULL;
+ size_t count = 0;
+ char *cmd;
+ FILE *fd;
+
+ util_asprintf(&cmd, SMARTCTL_CMDLINE, pdev->device);
+ fd = popen(cmd, "r");
+ if (!fd)
+ goto out;
+
+ while (!feof(fd)) {
+ buffer = realloc(buffer, count + READ_CHUNK_SIZE);
+ if (!buffer) {
+ warnx("Could not collect S.M.A.R.T. data");
+ goto out;
+ }
+ count += fread(&buffer[count], 1, READ_CHUNK_SIZE, fd);
+ if (ferror(fd)) {
+ free(buffer);
+ buffer = NULL;
+ goto out;
+ }
+ }
+
+ buffer = realloc(buffer, count);
+ if (!buffer && count > 0)
+ warnx("Could not collect S.M.A.R.T. data");
+ if (buffer)
+ buffer[count] = '\0';
+
+out:
+ pclose(fd);
+ free(cmd);
+
+ return buffer;
+}
+
+static unsigned int sysfs_read_value(struct zpci_device *pdev, const char *attr)
+{
+ unsigned int val;
+ char *path;
+ FILE *fp;
+
+ path = util_path_sysfs("bus/pci/devices/%s/%s", pdev->slot, attr);
+ fp = fopen(path, "r");
+ if (!fp)
+ fopen_err(path);
+ fscanf(fp, "%x", &val);
+ fclose(fp);
+ free(path);
+
+ return val;
+}
+
+static void sysfs_write_data(struct zpci_report_error *report, char *slot)
+{
+ char *path;
+ int fd, rc;
+
+ path = util_path_sysfs("bus/pci/devices/%s/report_error", slot);
+ fd = open(path, O_WRONLY);
+ if (!fd)
+ fopen_err(path);
+ rc = write(fd, report, sizeof(*report));
+ if (rc == -1)
+ warnx("Could not write to file: %s: %s", path, strerror(errno));
+ if (close(fd))
+ warnx("Could not close file: %s: %s", path, strerror(errno));
+ free(path);
+}
+
+static void sysfs_get_slot_addr(const char *dev, char *slot)
+{
+ unsigned int major, minor;
+ struct stat dev_stat;
+ char addr[13];
+ char *path;
+ FILE *fp;
+
+ if (stat(dev, &dev_stat) != 0) {
+ errx(EXIT_FAILURE, "Could not get stat information for %s: %s",
+ dev, strerror(errno));
+ }
+ major = major(dev_stat.st_rdev);
+ minor = minor(dev_stat.st_rdev);
+
+ path = util_path_sysfs("dev/char/%u:%u/address", major, minor);
+ fp = fopen(path, "r");
+ if (!fp)
+ fopen_err(path);
+ fscanf(fp, "%s", addr);
+ fclose(fp);
+ free(path);
+
+ strcpy(slot, addr);
+}
+
+static void get_device_node(struct zpci_device *pdev)
+{
+ struct dirent **de_vec;
+ char *path, *dev;
+ char slot[13];
+ int count, i;
+
+ path = util_path_sysfs("bus/pci/devices/%s/nvme", pdev->slot);
+ count = util_scandir(&de_vec, alphasort, path, "nvme*");
+ if (count == -1) {
+ warnx("Could not read directory %s: %s", path, strerror(errno));
+ free(path);
+ exit(EXIT_FAILURE);
+ }
+
+ for (i = 0; i < count; i++) {
+ util_asprintf(&dev, "/dev/%s", de_vec[i]->d_name);
+ sysfs_get_slot_addr(dev, slot);
+ if (strcmp(slot, pdev->slot) == 0) {
+ pdev->device = dev;
+ break;
+ }
+ }
+
+ util_scandir_free(de_vec, count);
+ free(path);
+}
+
+static int device_exists(char *dev)
+{
+ char *path;
+ int rc = 0;
+
+ path = util_path_sysfs("bus/pci/devices/%s", dev);
+ if (util_path_exists(path) || util_path_exists(dev))
+ rc = 1;
+ free(path);
+
+ return rc;
+}
+
+static void get_device_info(struct zpci_device *pdev, char *dev)
+{
+ if (!device_exists(dev))
+ errx(EXIT_FAILURE, "Device %s not found", dev);
+ if (is_blk_dev(dev))
+ errx(EXIT_FAILURE, "Unsupported device type %s", dev);
+ if (is_char_dev(dev)) {
+ sysfs_get_slot_addr(dev, pdev->slot);
+ pdev->device = dev;
+ } else {
+ strcpy(pdev->slot, dev);
+ }
+
+ pdev->class = sysfs_read_value(pdev, "class");
+ pdev->fid = sysfs_read_value(pdev, "function_id");
+ pdev->pchid = sysfs_read_value(pdev, "pchid");
+
+ /* In case a slot address was specified, we still need to figure out
+ * the device node for NVMe devices. Otherwise we won't be able to
+ * collect S.M.A.R.T. data at a later point.
+ */
+ if (!pdev->device && pdev->class == PCI_CLASS_NVME)
+ get_device_node(pdev);
+}
+
+/*
+ * Issue an SCLP Adapter Error Notification event with a specific action
+ * qualifier.
+ *
+ * Collect additional information when possible (e.g. S.M.A.R.T. data for NVMe
+ * devices).
+ */
+static void sclp_issue_action(struct zpci_device *pdev, int action)
+{
+ struct zpci_report_error report = {
+ .header = { 0 },
+ .data = { 0 }
+ };
+ char *sdata = NULL;
+
+ report.header.version = 1;
+ report.header.action = action;
+ report.header.length = sizeof(report.data);
+ report.data.timestamp = (__u64)time(NULL);
+ report.data.err_log_id = 0x4713;
+
+ if (pdev->class == PCI_CLASS_NVME)
+ sdata = collect_smart_data(pdev);
+ if (sdata) {
+ strncpy(report.data.log_data, sdata, sizeof(report.data.log_data));
+ free(sdata);
+ }
+ sysfs_write_data(&report, pdev->slot);
+}
+
+/*
+ * Reset the PCI device and initiate a re-initialization.
+ */
+static void sclp_reset_device(struct zpci_device *pdev)
+{
+ sclp_issue_action(pdev, SCLP_ERRNOTIFY_AQ_RESET);
+}
+
+/*
+ * De-Configure/repair PCI device. Moves the device from configured
+ * to reserved state.
+ */
+static void sclp_deconfigure(struct zpci_device *pdev)
+{
+ sclp_issue_action(pdev, SCLP_ERRNOTIFY_AQ_DECONF);
+}
+
+/*
+ * Report an error to the SE.
+ */
+static void sclp_report_error(struct zpci_device *pdev)
+{
+ sclp_issue_action(pdev, SCLP_ERRNOTIFY_AQ_REPORT_ERR);
+}
+
+static void parse_cmdline(int argc, char *argv[], struct options *opts)
+{
+ int cmd;
+
+ util_prg_init(&prg);
+ util_opt_init(opt_vec, NULL);
+
+ do {
+ cmd = util_opt_getopt_long(argc, argv);
+
+ switch (cmd) {
+ case OPT_RESET:
+ opts->reset = 1;
+ break;
+ case OPT_DECONF:
+ opts->deconfigure = 1;
+ break;
+ case OPT_REPORT_ERR:
+ opts->report = 1;
+ break;
+ case 'h':
+ util_prg_print_help();
+ util_opt_print_help();
+ exit(EXIT_SUCCESS);
+ case 'v':
+ util_prg_print_version();
+ exit(EXIT_SUCCESS);
+ case -1:
+ /* End of options string */
+ if (argc == 1) {
+ errx(EXIT_FAILURE,
+ "Use '%s --help' for more information",
+ argv[0]);
+ }
+ break;
+ }
+ } while (cmd != -1);
+}
+
+int main(int argc, char *argv[])
+{
+ struct zpci_device pdev = { 0 };
+ struct options opts = { 0 };
+
+ parse_cmdline(argc, argv, &opts);
+
+ if (optind >= argc)
+ errx(EXIT_FAILURE, "No device specified");
+
+ get_device_info(&pdev, argv[optind]);
+
+ if (opts.reset)
+ sclp_reset_device(&pdev);
+ else if (opts.deconfigure)
+ sclp_deconfigure(&pdev);
+ else if (opts.report)
+ sclp_report_error(&pdev);
+
+ return 0;
+}
--- /dev/null
+++ b/zpcictl/zpcictl.h
@@ -0,0 +1,60 @@
+/*
+ * zpcictl - Manage PCI devices on z Systems
+ *
+ * Copyright IBM Corp. 2018
+ *
+ * s390-tools is free software; you can redistribute it and/or modify
+ * it under the terms of the MIT license. See LICENSE for details.
+ */
+
+#ifndef ZPCICTL_H
+#define ZPCICTL_H
+
+#include <linux/types.h>
+#include "lib/zt_common.h"
+
+#define SCLP_ERRNOTIFY_AQ_RESET 0
+#define SCLP_ERRNOTIFY_AQ_DECONF 1
+#define SCLP_ERRNOTIFY_AQ_REPORT_ERR 2
+
+#define PCI_CLASS_UNCLASSIFIED 0x000000U
+#define PCI_CLASS_NVME 0x010802U
+#define PCI_CLASS_NETWORK 0x020000U
+
+struct options {
+ unsigned int reset;
+ unsigned int deconfigure;
+ unsigned int report;
+};
+
+struct zpci_device {
+ u16 fid;
+ u16 pchid;
+ u32 class;
+ char slot[13];
+ char *device;
+};
+
+struct zpci_report_error_header {
+ __u8 version; /* Interface version byte */
+ __u8 action; /* Action qualifier byte
+ * 0: Adapter Reset Request
+ * 1: Deconfigure and repair action requested
+ * 2: Informational Report
+ */
+ __u16 length; /* Length of Subsequent Data (up to 4K SCLP header) */
+ __u8 data[0]; /* Subsequent Data passed verbatim to SCLP ET 24 */
+};
+
+struct zpci_report_error_data {
+ __u64 timestamp;
+ __u64 err_log_id;
+ char log_data[4054]; /* We cannot exceed a total of 4074 bytes (header + data) */
+};
+
+struct zpci_report_error {
+ struct zpci_report_error_header header;
+ struct zpci_report_error_data data;
+} __packed;
+
+#endif /* ZPCICTL_H */

View File

@ -0,0 +1,42 @@
Subject: cpumf: add missing Description: tag for z13/z14/ctr:128
From: Hendrik Brueckner <brueckner@linux.ibm.com>
Summary: cpumf: Add CPU-MF hardware counters for z14
Description: Add hardware counter definitions for IBM z14.
Upstream-ID: a3c746846d86ebcee6cbf36505598b7da367665b
Problem-ID: KRN1608
Upstream-Description:
cpumf: add missing Description: tag for z13/z14/ctr:128
Signed-off-by: Thomas Richter <tmricht@linux.vnet.ibm.com>
Signed-off-by: Jan Höppner <hoeppner@linux.ibm.com>
Signed-off-by: Hendrik Brueckner <brueckner@linux.ibm.com>
---
cpumf/data/cpum-cf-extended-z13.ctr | 1 +
cpumf/data/cpum-cf-extended-z14.ctr | 1 +
2 files changed, 2 insertions(+)
--- a/cpumf/data/cpum-cf-extended-z13.ctr
+++ b/cpumf/data/cpum-cf-extended-z13.ctr
@@ -17,6 +17,7 @@
# Extended Counter Set
# ---------------------------------------------------------------------
Counter:128 Name:L1D_WRITES_RO_EXCL
+Description:
A directory write to the Level-1 Data cache where the line was
originally in a Read-Only state in the cache but has been updated
to be in the Exclusive state that allows stores to the cache line.
--- a/cpumf/data/cpum-cf-extended-z14.ctr
+++ b/cpumf/data/cpum-cf-extended-z14.ctr
@@ -20,6 +20,7 @@
# Extended Counter Set
# ---------------------------------------------------------------------
Counter:128 Name:L1D_WRITES_RO_EXCL
+Description:
A directory write to the Level-1 Data cache where the line was
originally in a Read-Only state in the cache but has been updated
to be in the Exclusive state that allows stores to the cache line

View File

@ -0,0 +1,48 @@
Subject: zpcictl: include sys/sysmacros.h to avoid minor/major glibc warnings
From: Jan Hoeppner <jan.hoeppner@de.ibm.com>
Summary: zpcictl: Add tool to manage PCI devices
Description: Use the zpcictl tool to manage PCI devices on the IBM Z
platform. Initial functions include generating firmware
error logs, resetting PCI devices, and preparing a device
for further repair actions.
Upstream-ID: f35c5d01fd04ecf019f31c58edc0c5165ad276ad
Problem-ID: RAS1703
Upstream-Description:
zpcictl: include sys/sysmacros.h to avoid minor/major glibc warnings
The minor()/major() function definitions are moved to sys/sysmacros.h
and will be removed from sys/types.h. To correct below warning, simply
include sys/sysmacros.h.
zpcictl.c: In function sysfs_get_slot_addr:
zpcictl.c:184:13: warning: In the GNU C Library, "major" is defined
by <sys/sysmacros.h>. For historical compatibility, it is
currently defined by <sys/types.h> as well, but we plan to
remove this soon. To use "major", include <sys/sysmacros.h>
directly. If you did not intend to use a system-defined macro
"major", you should undefine it after including <sys/types.h>.
major = major(dev_stat.st_rdev);
^~~~~~~~~~~~~~~~~~~~~
Signed-off-by: Hendrik Brueckner <brueckner@linux.ibm.com>
Signed-off-by: Stefan Haberland <sth@linux.ibm.com>
Signed-off-by: Jan Hoeppner <jan.hoeppner@de.ibm.com>
---
zpcictl/zpcictl.c | 1 +
1 file changed, 1 insertion(+)
--- a/zpcictl/zpcictl.c
+++ b/zpcictl/zpcictl.c
@@ -10,6 +10,7 @@
#include <errno.h>
#include <fcntl.h>
#include <sys/stat.h>
+#include <sys/sysmacros.h>
#include <time.h>
#include "lib/util_base.h"

View File

@ -0,0 +1,44 @@
Subject: cpumf: correct counter name for z13 and z14
From: Hendrik Brueckner <brueckner@linux.ibm.com>
Summary: cpumf: Add CPU-MF hardware counters for z14
Description: Add hardware counter definitions for IBM z14.
Upstream-ID: 9745e4678adf18869e661d13f2b666a929450fa1
Problem-ID: KRN1608
Upstream-Description:
cpumf: correct counter name for z13 and z14
Signed-off-by: Hendrik Brueckner <brueckner@linux.vnet.ibm.com>
Signed-off-by: Jan Höppner <hoeppner@linux.ibm.com>
Signed-off-by: Hendrik Brueckner <brueckner@linux.ibm.com>
---
cpumf/data/cpum-cf-extended-z13.ctr | 2 +-
cpumf/data/cpum-cf-extended-z14.ctr | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
--- a/cpumf/data/cpum-cf-extended-z13.ctr
+++ b/cpumf/data/cpum-cf-extended-z13.ctr
@@ -16,7 +16,7 @@
#
# Extended Counter Set
# ---------------------------------------------------------------------
-Counter:128 Name:L1D_WRITES_RO_EXCL
+Counter:128 Name:L1D_RO_EXCL_WRITES
Description:
A directory write to the Level-1 Data cache where the line was
originally in a Read-Only state in the cache but has been updated
--- a/cpumf/data/cpum-cf-extended-z14.ctr
+++ b/cpumf/data/cpum-cf-extended-z14.ctr
@@ -19,7 +19,7 @@
#
# Extended Counter Set
# ---------------------------------------------------------------------
-Counter:128 Name:L1D_WRITES_RO_EXCL
+Counter:128 Name:L1D_RO_EXCL_WRITES
Description:
A directory write to the Level-1 Data cache where the line was
originally in a Read-Only state in the cache but has been updated

View File

@ -0,0 +1,91 @@
Subject: zpcictl: Rephrase man page entries and tool output
From: Jan Hoeppner <jan.hoeppner@de.ibm.com>
Summary: zpcictl: Add tool to manage PCI devices
Description: Use the zpcictl tool to manage PCI devices on the IBM Z
platform. Initial functions include generating firmware
error logs, resetting PCI devices, and preparing a device
for further repair actions.
Upstream-ID: d03be735366de57be0c642f6f21b06b1f2df6a6e
Problem-ID: RAS1703
Upstream-Description:
zpcictl: Rephrase man page entries and tool output
Reviewed-by: Hendrik Brueckner <brueckner@linux.ibm.com>
Signed-off-by: Jan Höppner <hoeppner@linux.ibm.com>
Signed-off-by: Jan Hoeppner <jan.hoeppner@de.ibm.com>
---
zpcictl/zpcictl.8 | 13 ++++++++-----
zpcictl/zpcictl.c | 9 +++++----
2 files changed, 13 insertions(+), 9 deletions(-)
--- a/zpcictl/zpcictl.8
+++ b/zpcictl/zpcictl.8
@@ -1,4 +1,4 @@
-.\" Copyright 2017 IBM Corp.
+.\" Copyright IBM Corp. 2018
.\" s390-tools is free software; you can redistribute it and/or modify
.\" it under the terms of the MIT license. See LICENSE for details.
.\"
@@ -30,9 +30,10 @@ zpcictl - Manage PCI devices on z System
.
.
.SH DESCRIPTION
+With
.B zpcictl
-is a tool for managing PCI devices on the IBM z Systems platform. It is
-especially used for reporting errorneous PCI devices to the service element.
+, you can manage PCI devices on the IBM z Systems platform. It is especially
+used for reporting erroneous PCI devices to the service element.
.B Note:
For NVMe devices additional data (such as S.M.A.R.T. data) is collected and sent
@@ -44,7 +45,9 @@ for this to work.
.SH DEVICE
.B DEVICE
can be either the PCI slot address (e.g. 0000:00:00.0) or the main device node
-of an NVMe device (e.g. /dev/nvme0).
+of an NVMe device (e.g.
+.I /dev/nvme0
+).
.
.
.SH OPTIONS
@@ -52,7 +55,7 @@ of an NVMe device (e.g. /dev/nvme0).
.OD reset "" "DEVICE"
Reset
.I DEVICE
-and initiate a re-initialisation of the adapter.
+and initiate a re-initialization of the PCI device.
.PP
.
.OD deconfigure "" "DEVICE"
--- a/zpcictl/zpcictl.c
+++ b/zpcictl/zpcictl.c
@@ -240,7 +240,7 @@ static int device_exists(char *dev)
static void get_device_info(struct zpci_device *pdev, char *dev)
{
if (!device_exists(dev))
- errx(EXIT_FAILURE, "Device %s not found", dev);
+ errx(EXIT_FAILURE, "Could not find device %s", dev);
if (is_blk_dev(dev))
errx(EXIT_FAILURE, "Unsupported device type %s", dev);
if (is_char_dev(dev)) {
@@ -254,9 +254,10 @@ static void get_device_info(struct zpci_
pdev->fid = sysfs_read_value(pdev, "function_id");
pdev->pchid = sysfs_read_value(pdev, "pchid");
- /* In case a slot address was specified, we still need to figure out
- * the device node for NVMe devices. Otherwise we won't be able to
- * collect S.M.A.R.T. data at a later point.
+ /*
+ * In case a slot address was specified, the device node for NVMe
+ * devices is still needed. Otherwise it won't be possible to collect
+ * S.M.A.R.T. data at a later point.
*/
if (!pdev->device && pdev->class == PCI_CLASS_NVME)
get_device_node(pdev);

View File

@ -0,0 +1,41 @@
Subject: cpumf: Add IBM z14 ZR1 to the CPU Measurement Facility model list
From: Hendrik Brueckner <brueckner@linux.ibm.com>
Summary: cpumf: Add CPU-MF hardware counters for z14
Description: Add hardware counter definitions for IBM z14.
Upstream-ID: f642019bcc17370231666e772c7e4cec19f1dfdc
Problem-ID: KRN1608
Upstream-Description:
cpumf: Add IBM z14 ZR1 to the CPU Measurement Facility model list
Signed-off-by: Thomas Richter <tmricht@linux.ibm.com>
Reviewed-by: Hendrik Brueckner <brueckner@linux.vnet.ibm.com>
Signed-off-by: Jan Höppner <hoeppner@linux.ibm.com>
Signed-off-by: Hendrik Brueckner <brueckner@linux.ibm.com>
---
cpumf/bin/cpumf_helper.in | 1 +
cpumf/data/cpum-cf-hw-counter.map | 1 +
2 files changed, 2 insertions(+)
--- a/cpumf/bin/cpumf_helper.in
+++ b/cpumf/bin/cpumf_helper.in
@@ -211,6 +211,7 @@ my $system_z_hwtype_map = {
2964 => 'IBM z13',
2965 => 'IBM z13s',
3906 => 'IBM z14',
+ 3907 => 'IBM z14 ZR1',
};
sub get_hardware_type()
--- a/cpumf/data/cpum-cf-hw-counter.map
+++ b/cpumf/data/cpum-cf-hw-counter.map
@@ -26,4 +26,5 @@
2964 => 'cpum-cf-extended-z13.ctr',
2965 => 'cpum-cf-extended-z13.ctr',
3906 => 'cpum-cf-extended-z14.ctr',
+ 3907 => 'cpum-cf-extended-z14.ctr',
};

View File

@ -0,0 +1,55 @@
Subject: zpcictl: Use fopen() instead of open() for writes
From: Jan Hoeppner <jan.hoeppner@de.ibm.com>
Summary: zpcictl: Add tool to manage PCI devices
Description: Use the zpcictl tool to manage PCI devices on the IBM Z
platform. Initial functions include generating firmware
error logs, resetting PCI devices, and preparing a device
for further repair actions.
Upstream-ID: 8f0496b26aae88e206ac9a95b317043e78d147b8
Problem-ID: RAS1703
Upstream-Description:
zpcictl: Use fopen() instead of open() for writes
Be consistent with the rest of the code and use fopen() rather than
open().
Reviewed-by: Hendrik Brueckner <brueckner@linux.ibm.com>
Signed-off-by: Jan Höppner <hoeppner@linux.ibm.com>
Signed-off-by: Jan Hoeppner <jan.hoeppner@de.ibm.com>
---
zpcictl/zpcictl.c | 14 ++++++++------
1 file changed, 8 insertions(+), 6 deletions(-)
--- a/zpcictl/zpcictl.c
+++ b/zpcictl/zpcictl.c
@@ -155,17 +155,19 @@ static unsigned int sysfs_read_value(str
static void sysfs_write_data(struct zpci_report_error *report, char *slot)
{
+ size_t r_size;
char *path;
- int fd, rc;
+ FILE *fp;
+
+ r_size = sizeof(*report);
path = util_path_sysfs("bus/pci/devices/%s/report_error", slot);
- fd = open(path, O_WRONLY);
- if (!fd)
+ fp = fopen(path, "w");
+ if (!fp)
fopen_err(path);
- rc = write(fd, report, sizeof(*report));
- if (rc == -1)
+ if (fwrite(report, 1, r_size, fp) != r_size)
warnx("Could not write to file: %s: %s", path, strerror(errno));
- if (close(fd))
+ if (fclose(fp))
warnx("Could not close file: %s: %s", path, strerror(errno));
free(path);
}

View File

@ -0,0 +1,77 @@
Subject: zpcictl: Read device link to obtain device address
From: Jan Hoeppner <jan.hoeppner@de.ibm.com>
Summary: zpcictl: Add tool to manage PCI devices
Description: Use the zpcictl tool to manage PCI devices on the IBM Z
platform. Initial functions include generating firmware
error logs, resetting PCI devices, and preparing a device
for further repair actions.
Upstream-ID: e2a8d85916fb77d2a9b41253446973cd97107c42
Problem-ID: RAS1703
Upstream-Description:
zpcictl: Read device link to obtain device address
The address sysfs attribute might not be present on some older kernel
levels. Read the device link instead using readlink() to obtain the
address.
Signed-off-by: Jan Höppner <hoeppner@linux.ibm.com>
Signed-off-by: Jan Hoeppner <jan.hoeppner@de.ibm.com>
---
zpcictl/zpcictl.c | 27 ++++++++++++++++++---------
1 file changed, 18 insertions(+), 9 deletions(-)
--- a/zpcictl/zpcictl.c
+++ b/zpcictl/zpcictl.c
@@ -172,13 +172,16 @@ static void sysfs_write_data(struct zpci
free(path);
}
+/* lstat() doesn't work for sysfs files, so we have to work with a fixed size */
+#define READLINK_SIZE 256
+
static void sysfs_get_slot_addr(const char *dev, char *slot)
{
+ char device[READLINK_SIZE], *result;
unsigned int major, minor;
struct stat dev_stat;
- char addr[13];
+ ssize_t len;
char *path;
- FILE *fp;
if (stat(dev, &dev_stat) != 0) {
errx(EXIT_FAILURE, "Could not get stat information for %s: %s",
@@ -187,15 +190,21 @@ static void sysfs_get_slot_addr(const ch
major = major(dev_stat.st_rdev);
minor = minor(dev_stat.st_rdev);
- path = util_path_sysfs("dev/char/%u:%u/address", major, minor);
- fp = fopen(path, "r");
- if (!fp)
- fopen_err(path);
- fscanf(fp, "%s", addr);
- fclose(fp);
+ path = util_path_sysfs("dev/char/%u:%u/device", major, minor);
+ len = readlink(path, device, READLINK_SIZE - 1);
free(path);
+ if (len != -1)
+ device[len] = '\0';
+ else
+ errx(EXIT_FAILURE, "Could not read device link for %s", dev);
+
+ result = strrchr(device, '/');
+ if (result)
+ result++;
+ else
+ result = device;
- strcpy(slot, addr);
+ strcpy(slot, result);
}
static void get_device_node(struct zpci_device *pdev)

View File

@ -0,0 +1,124 @@
Subject: zpcictl: Make device node for NVMe optional
From: Jan Hoeppner <jan.hoeppner@de.ibm.com>
Summary: zpcictl: Add tool to manage PCI devices
Description: Use the zpcictl tool to manage PCI devices on the IBM Z
platform. Initial functions include generating firmware
error logs, resetting PCI devices, and preparing a device
for further repair actions.
Upstream-ID: 342c6a3707315514f0f886fabb532f6c8b59b694
Problem-ID: RAS1703
Upstream-Description:
zpcictl: Make device node for NVMe optional
At the moment, if we specify the slot address of an NVMe device but
can't find the corresponding device node, the execution is terminated.
This is a bit harsh as the device node is rather optional and only
necessary to collect S.M.A.R.T. data. We should still be able to issue
the error reporting, even if we couldn't determine the device node.
Therefore, make sure the device node for NVMe devices is optional by
changing various error messages to warnings.
Change sysfs_get_slot_addr() to have a return value and work with that
accordingly.
Also make sure, that execution is terminated when a valid device node
was specified but no matching slot address was determined. The slot
address is necessary to issue the error reporting commands.
Signed-off-by: Jan Höppner <hoeppner@linux.ibm.com>
Signed-off-by: Jan Hoeppner <jan.hoeppner@de.ibm.com>
---
zpcictl/zpcictl.c | 30 ++++++++++++++++++++----------
1 file changed, 20 insertions(+), 10 deletions(-)
--- a/zpcictl/zpcictl.c
+++ b/zpcictl/zpcictl.c
@@ -104,6 +104,9 @@ static char *collect_smart_data(struct z
char *cmd;
FILE *fd;
+ if (!pdev->device)
+ return NULL;
+
util_asprintf(&cmd, SMARTCTL_CMDLINE, pdev->device);
fd = popen(cmd, "r");
if (!fd)
@@ -175,7 +178,7 @@ static void sysfs_write_data(struct zpci
/* lstat() doesn't work for sysfs files, so we have to work with a fixed size */
#define READLINK_SIZE 256
-static void sysfs_get_slot_addr(const char *dev, char *slot)
+static int sysfs_get_slot_addr(const char *dev, char *slot)
{
char device[READLINK_SIZE], *result;
unsigned int major, minor;
@@ -184,8 +187,9 @@ static void sysfs_get_slot_addr(const ch
char *path;
if (stat(dev, &dev_stat) != 0) {
- errx(EXIT_FAILURE, "Could not get stat information for %s: %s",
- dev, strerror(errno));
+ warnx("Could not get stat information for %s: %s",
+ dev, strerror(errno));
+ return 0;
}
major = major(dev_stat.st_rdev);
minor = minor(dev_stat.st_rdev);
@@ -193,18 +197,21 @@ static void sysfs_get_slot_addr(const ch
path = util_path_sysfs("dev/char/%u:%u/device", major, minor);
len = readlink(path, device, READLINK_SIZE - 1);
free(path);
- if (len != -1)
+ if (len != -1) {
device[len] = '\0';
- else
- errx(EXIT_FAILURE, "Could not read device link for %s", dev);
+ } else {
+ warnx("Could not read device link for %s", dev);
+ return 0;
+ }
result = strrchr(device, '/');
if (result)
result++;
else
result = device;
-
strcpy(slot, result);
+
+ return 1;
}
static void get_device_node(struct zpci_device *pdev)
@@ -219,12 +226,13 @@ static void get_device_node(struct zpci_
if (count == -1) {
warnx("Could not read directory %s: %s", path, strerror(errno));
free(path);
- exit(EXIT_FAILURE);
+ return;
}
for (i = 0; i < count; i++) {
util_asprintf(&dev, "/dev/%s", de_vec[i]->d_name);
- sysfs_get_slot_addr(dev, slot);
+ if (!sysfs_get_slot_addr(dev, slot))
+ continue;
if (strcmp(slot, pdev->slot) == 0) {
pdev->device = dev;
break;
@@ -255,7 +263,9 @@ static void get_device_info(struct zpci_
if (is_blk_dev(dev))
errx(EXIT_FAILURE, "Unsupported device type %s", dev);
if (is_char_dev(dev)) {
- sysfs_get_slot_addr(dev, pdev->slot);
+ if (!sysfs_get_slot_addr(dev, pdev->slot))
+ errx(EXIT_FAILURE,
+ "Could not determine slot address for %s", dev);
pdev->device = dev;
} else {
strcpy(pdev->slot, dev);

View File

@ -0,0 +1,143 @@
Subject: zpcictl: Change wording of man-page and help output
From: Jan Hoeppner <jan.hoeppner@de.ibm.com>
Summary: zpcictl: Add tool to manage PCI devices
Description: Use the zpcictl tool to manage PCI devices on the IBM Z
platform. Initial functions include generating firmware
error logs, resetting PCI devices, and preparing a device
for further repair actions.
Upstream-ID: aaaebb2030c80151ecac528f22cb9a52752b868c
Problem-ID: RAS1703
Upstream-Description:
zpcictl: Change wording of man-page and help output
Signed-off-by: Jan Höppner <hoeppner@linux.ibm.com>
Signed-off-by: Jan Hoeppner <jan.hoeppner@de.ibm.com>
---
zpcictl/zpcictl.8 | 38 +++++++++++++++-----------------------
zpcictl/zpcictl.c | 15 ++++++++-------
2 files changed, 23 insertions(+), 30 deletions(-)
--- a/zpcictl/zpcictl.8
+++ b/zpcictl/zpcictl.8
@@ -20,7 +20,7 @@
.TH zpcictl 8 "Oct 2018" s390-tools zpcictl
.
.SH NAME
-zpcictl - Manage PCI devices on z Systems
+zpcictl - Manage PCI devices on IBM Z
.
.
.SH SYNOPSIS
@@ -30,50 +30,42 @@ zpcictl - Manage PCI devices on z System
.
.
.SH DESCRIPTION
-With
+Use
.B zpcictl
-, you can manage PCI devices on the IBM z Systems platform. It is especially
-used for reporting erroneous PCI devices to the service element.
+to manage PCI devices on the IBM Z platform. In particular,
+use this command to report defective PCI devices to the service element.
.B Note:
For NVMe devices additional data (such as S.M.A.R.T. data) is collected and sent
-with any error handling action. The smartmontools are required to be installed
-for this to work.
+with any error handling action. For this extendend data collection, the
+smartmontools must be installed.
.PP
.
.
.SH DEVICE
-.B DEVICE
-can be either the PCI slot address (e.g. 0000:00:00.0) or the main device node
-of an NVMe device (e.g.
+A PCI slot address (e.g. 0000:00:00.0) or the main device node of an NVMe
+device (e.g.
.I /dev/nvme0
).
.
.
.SH OPTIONS
-.SS Error Handling
+.SS Error Handling Options
.OD reset "" "DEVICE"
-Reset
-.I DEVICE
-and initiate a re-initialization of the PCI device.
+Reset and re-initialize the PCI device.
.PP
.
.OD deconfigure "" "DEVICE"
-De-configure
-.I DEVICE
-and prepare for any repair action. This action will move the
-PCI device from a configured to a reserved state.
+Deconfigure the PCI device and prepare for any repair action. This action
+changes the status of the PCI device from configured to reserved.
.PP
.
.OD report-error "" "DEVICE"
-Report any device error for
-.IR DEVICE .
-The
-.I DEVICE
-is marked as erroneous and no further action is initiated on it.
+Report any device error for the PCI device.
+The device is marked as defective but no further action is taken.
.PP
.
-.SS Misc
+.SS General Options
.OD help "h" ""
Print usage information, then exit.
.PP
--- a/zpcictl/zpcictl.c
+++ b/zpcictl/zpcictl.c
@@ -27,8 +27,9 @@
#define SMARTCTL_CMDLINE "smartctl -x %s 2>/dev/null"
static const struct util_prg prg = {
- .desc = "Use zpcictl to manage PCI devices on s390\n"
- "DEVICE is the slot id or node of the device (e.g. /dev/nvme0)",
+ .desc = "Use zpcictl to manage PCI devices on IBM Z\n"
+ "DEVICE is the slot ID or node of the device "
+ "(e.g. 0000:00:00.0 or /dev/nvme0)",
.args = "DEVICE",
.copyright_vec = {
{
@@ -46,23 +47,23 @@ static const struct util_prg prg = {
#define OPT_REPORT_ERR 130
static struct util_opt opt_vec[] = {
- UTIL_OPT_SECTION("ERROR HANDLING"),
+ UTIL_OPT_SECTION("ERROR HANDLING OPTIONS"),
{
.option = { "reset", no_argument, NULL, OPT_RESET },
- .desc = "Reset device",
+ .desc = "Reset the device",
.flags = UTIL_OPT_FLAG_NOSHORT,
},
{
.option = { "deconfigure", no_argument, NULL, OPT_DECONF },
- .desc = "De-configure device and prepare for any repair action",
+ .desc = "Deconfigure the device to prepare for any repair action",
.flags = UTIL_OPT_FLAG_NOSHORT,
},
{
.option = { "report-error", no_argument, NULL, OPT_REPORT_ERR },
- .desc = "Report device error to service element (SE)",
+ .desc = "Report a device error to the service element (SE)",
.flags = UTIL_OPT_FLAG_NOSHORT,
},
- UTIL_OPT_SECTION("MISC"),
+ UTIL_OPT_SECTION("GENERAL OPTIONS"),
UTIL_OPT_HELP,
UTIL_OPT_VERSION,
UTIL_OPT_END

View File

@ -0,0 +1,75 @@
Subject: dbginfo: gather nvme related data
From: Sebastian Ott <sebott@linux.ibm.com>
Summary: s390-tools/dbginfo: Collect NVMe-related debug data
Description: Collect SMART (Self-Monitoring, Analysis and Reporting Technology)
data in dbginfo.sh .
Upstream-ID: b9e47e356bbfc92e41b758e74606baacbab33ee4
Problem-ID: RAS1702
Upstream-Description:
dbginfo: gather nvme related data
Signed-off-by: Sebastian Ott <sebott@linux.vnet.ibm.com>
Signed-off-by: Stefan Haberland <sth@linux.vnet.ibm.com>
Signed-off-by: Sebastian Ott <sebott@linux.ibm.com>
---
scripts/dbginfo.sh | 26 +++++++++++++++++++++++++-
1 file changed, 25 insertions(+), 1 deletion(-)
--- a/scripts/dbginfo.sh
+++ b/scripts/dbginfo.sh
@@ -182,11 +182,14 @@ readonly OUTPUT_FILE_XML="${WORKPATH}dom
# File that includes the docker inspect output
readonly OUTPUT_FILE_DOCKER="${WORKPATH}docker_inspect.out"
+# File that includes nvme related information
+readonly OUTPUT_FILE_NVME="${WORKPATH}nvme.out"
+
# Mount point of the debug file system
readonly MOUNT_POINT_DEBUGFS="/sys/kernel/debug"
# The amount of steps running the whole collections
-readonly COLLECTION_COUNT=11
+readonly COLLECTION_COUNT=12
# The kernel version (e.g. '2' from 2.6.32 or '3' from 3.2.1)
readonly KERNEL_VERSION=$(uname -r 2>/dev/null | cut -d'.' -f1)
@@ -829,6 +832,25 @@ collect_docker() {
}
########################################
+collect_nvme() {
+ local NVME
+
+ pr_syslog_stdout "11 of ${COLLECTION_COUNT}: Collecting nvme output"
+ call_run_command "nvme list" "${OUTPUT_FILE_NVME}"
+
+ for NVME in /dev/nvme[0-9]*; do
+ if [ -c $NVME ]; then
+ call_run_command "smartctl -x $NVME" "${OUTPUT_FILE_NVME}"
+ call_run_command "nvme fw-log $NVME" "${OUTPUT_FILE_NVME}"
+ call_run_command "nvme smart-log $NVME" "${OUTPUT_FILE_NVME}"
+ call_run_command "nvme error-log $NVME" "${OUTPUT_FILE_NVME}"
+ fi
+ done
+
+ pr_log_stdout " "
+}
+
+########################################
post_processing() {
local file_mtime
local file_mtime_epoche
@@ -1120,6 +1142,8 @@ collect_domain_xml
collect_docker
+collect_nvme
+
post_processing
create_package

View File

@ -1,19 +1,76 @@
------------------------------------------------------------------- -------------------------------------------------------------------
Mon Oct 22 19:44:05 UTC 2018 - mpost@suse.com Tue Nov 13 19:22:01 UTC 2018 - mpost@suse.com
- Added s390-tools-sles15-zdev-fix-qeth-BridgePort-and-VNICC-conflict-checking.patch - Added s390-tools-sles15-zdev-fix-qeth-BridgePort-and-VNICC-conflict-checking.patch
zdev: qeth BridgePort and VNICC attribute conflict (bsc#1112536) (bsc#1112536)
zdev: qeth BridgePort and VNICC attribute conflict
- Added the following patches for Fate#326376 (bsc#1113321)
* s390-tools-sles15sp1-01-util_path-add-function-to-check-if-a-path-exists.patch
* s390-tools-sles15sp1-02-util_path-Add-description-for-util_path_exists.patch
* s390-tools-sles15sp1-03-util_path-Make-true-false-handling-consistent-with-o.patch
* s390-tools-sles15sp1-04-zpcictl-Introduce-new-tool-zpcictl.patch
* s390-tools-sles15sp1-05-zpcictl-include-sys-sysmacros.h-to-avoid-minor-major.patch
* s390-tools-sles15sp1-06-zpcictl-Rephrase-man-page-entries-and-tool-output.patch
* s390-tools-sles15sp1-07-zpcictl-Use-fopen-instead-of-open-for-writes.patch
* s390-tools-sles15sp1-08-zpcictl-Read-device-link-to-obtain-device-address.patch
* s390-tools-sles15sp1-09-zpcictl-Make-device-node-for-NVMe-optional.patch
* s390-tools-sles15sp1-10-zpcictl-Change-wording-of-man-page-and-help-output.patch
- Added the following patches for Fate#325684 (bsc#1113323)
* s390-tools-sles15sp1-0001-zkey-Add-properties-file-handling-routines.patch
* s390-tools-sles15sp1-0002-zkey-Add-build-dependency-to-OpenSSL-libcrypto.patch
* s390-tools-sles15sp1-0003-zkey-Add-helper-functions-for-comma-separated-string.patch
* s390-tools-sles15sp1-0004-zkey-Externalize-secure-key-back-end-functions.patch
* s390-tools-sles15sp1-0005-zkey-Add-keystore-implementation.patch
* s390-tools-sles15sp1-0006-zkey-Add-keystore-related-commands.patch
* s390-tools-sles15sp1-0007-zkey-Create-key-repository-and-group-during-make-ins.patch
* s390-tools-sles15sp1-0008-zkey-Man-page-updates.patch
* s390-tools-sles15sp1-0009-zkey-let-packaging-create-the-zkeyadm-group-and-perm.patch
* s390-tools-sles15sp1-0010-zkey-Update-README-to-add-info-about-packaging-requi.patch
- Added the following patches for Fate#326390 (bsc#1113353)
* s390-tools-sles15sp1-0011-zkey-Typo-in-message.patch
* s390-tools-sles15sp1-0012-zkey-Fix-memory-leak.patch
* s390-tools-sles15sp1-0013-zkey-Fix-APQN-validation-routine.patch
* s390-tools-sles15sp1-0014-zkey-Fix-generate-and-import-leaving-key-in-an-incon.patch
* s390-tools-sles15sp1-0015-zkey-Add-zkey-cryptsetup-tool.patch
* s390-tools-sles15sp1-0016-zkey-Add-man-page-for-zkey-cryptsetup.patch
* s390-tools-sles15sp1-0017-zkey-Add-build-dependency-for-libcryptsetup-and-json.patch
* s390-tools-sles15sp1-0018-zkey-Add-key-verification-pattern-property.patch
* s390-tools-sles15sp1-0019-zkey-Add-volume-type-property-to-support-LUKS2-volum.patch
- Added the following patches for Fate#325691 (bsc#1113324)
* s390-tools-sles15sp1-01-lszcrypt-CEX6S-exploitation.patch
* s390-tools-sles15sp1-02-lszcrypt-fix-date-and-wrong-indentation.patch
- Added the following patches for Fate#326388 (bsc#1113331)
* s390-tools-sles15sp1-01-cpumf-Add-extended-counter-defintion-files-for-IBM-z.patch
* s390-tools-sles15sp1-02-cpumf-z14-split-counter-sets-according-to-CFVN-CSVN-.patch
* s390-tools-sles15sp1-03-cpumf-cpumf_helper-read-split-counter-sets-part-2-2.patch
* s390-tools-sles15sp1-04-cpumf-correct-z14-counter-number.patch
* s390-tools-sles15sp1-05-cpumf-add-missing-Description-tag-for-z13-z14-ctr-12.patch
* s390-tools-sles15sp1-06-cpumf-correct-counter-name-for-z13-and-z14.patch
* s390-tools-sles15sp1-07-cpumf-Add-IBM-z14-ZR1-to-the-CPU-Measurement-Facilit.patch
- Added the following patch for Fate#326361 (bsc#1113333)
* s390-tools-sles15sp1-dbginfo-gather-nvme-related-data.patch
- Temporarily added "HAVE_CRYPTSETUP2=0" to the make and make install
commands, because a couple of Fate requests have not been approved
yet, resulting in build failure.
- Added "Recommends: blktrace" to the spec file (bsc#1112855)
- Changed remaining insserv references to systemd entries.
- Changed the Group from the obsolete "System Environment/Base" to
"System/Base."
------------------------------------------------------------------- -------------------------------------------------------------------
Fri Aug 31 18:57:54 UTC 2018 - mpost@suse.com Fri Aug 31 18:57:54 UTC 2018 - mpost@suse.com
- Added the following patch for bsc#1094354 - Added the following patch to remove the call to zipl for bsc#1094354
* customize-zdev-root-update-script.patch * customize-zdev-root-update-script.patch
- Modified ctc_configure to not pass a "protcol=" parameter when - Modified ctc_configure to not pass a "protcol=" parameter when
configuring LCS devices. (bsc#1096520) configuring LCS devices. (bsc#1096520)
- Added the following patches for bsc#1098069 - Added the following two patches for bsc#1098069
* s390-tools-sles15-dbginfo-add-data-for-ps-cpprot.patch * dbginfo.sh: Extend data collection
* s390-tools-sles15-mon_procd-fix-parsing-of-proc-pid-stat.patch s390-tools-sles15-dbginfo-add-data-for-ps-cpprot.patch
* mon_procd: fix parsing of /proc/<pid>/stat
s390-tools-sles15-mon_procd-fix-parsing-of-proc-pid-stat.patch
- Added the following patches for "lstape, lsluns: handle non-zfcp;
lin_tape multiple paths" (bsc#1098069)
* s390-tools-sles15-1-lstape-fix-output-with-SCSI-lin_tape-and-multiple-pa.patch * s390-tools-sles15-1-lstape-fix-output-with-SCSI-lin_tape-and-multiple-pa.patch
* s390-tools-sles15-2-lstape-fix-to-prefer-sysfs-to-find-lin_tape-device-n.patch * s390-tools-sles15-2-lstape-fix-to-prefer-sysfs-to-find-lin_tape-device-n.patch
* s390-tools-sles15-3-lstape-fix-output-without-SCSI-generic-sg.patch * s390-tools-sles15-3-lstape-fix-output-without-SCSI-generic-sg.patch

View File

@ -40,7 +40,7 @@ BuildRequires: net-snmp-devel
BuildRequires: qclib-devel-static BuildRequires: qclib-devel-static
BuildRequires: tcpd-devel BuildRequires: tcpd-devel
BuildRequires: zlib-devel-static BuildRequires: zlib-devel-static
PreReq: shadow %insserv_prereq %fillup_prereq dracut permissions PreReq: shadow %fillup_prereq dracut permissions
Requires: coreutils Requires: coreutils
Requires: gawk Requires: gawk
Requires: perl-base Requires: perl-base
@ -49,6 +49,7 @@ Requires: rsync
Requires: tar Requires: tar
Requires: util-linux Requires: util-linux
Provides: s390utils:/sbin/dasdfmt Provides: s390utils:/sbin/dasdfmt
Recommends: blktrace
# Don't build with pie to avoid problems with zipl # Don't build with pie to avoid problems with zipl
#!BuildIgnore: gcc-PIE #!BuildIgnore: gcc-PIE
Source: s390-tools-%{version}.tar.gz Source: s390-tools-%{version}.tar.gz
@ -152,6 +153,45 @@ Patch41: s390-tools-sles15-6-lstape-fix-description-of-type-and-devbusid-
Patch42: s390-tools-sles15-7-lstape-fix-SCSI-output-description-in-man-page.patch Patch42: s390-tools-sles15-7-lstape-fix-SCSI-output-description-in-man-page.patch
Patch43: s390-tools-sles15-8-lstape-fix-SCSI-HBA-CCW-device-bus-ID-e.g.-for-virti.patch Patch43: s390-tools-sles15-8-lstape-fix-SCSI-HBA-CCW-device-bus-ID-e.g.-for-virti.patch
Patch44: s390-tools-sles15-zdev-fix-qeth-BridgePort-and-VNICC-conflict-checking.patch Patch44: s390-tools-sles15-zdev-fix-qeth-BridgePort-and-VNICC-conflict-checking.patch
Patch45: s390-tools-sles15sp1-01-util_path-add-function-to-check-if-a-path-exists.patch
Patch46: s390-tools-sles15sp1-02-util_path-Add-description-for-util_path_exists.patch
Patch47: s390-tools-sles15sp1-03-util_path-Make-true-false-handling-consistent-with-o.patch
Patch48: s390-tools-sles15sp1-04-zpcictl-Introduce-new-tool-zpcictl.patch
Patch49: s390-tools-sles15sp1-05-zpcictl-include-sys-sysmacros.h-to-avoid-minor-major.patch
Patch50: s390-tools-sles15sp1-06-zpcictl-Rephrase-man-page-entries-and-tool-output.patch
Patch51: s390-tools-sles15sp1-07-zpcictl-Use-fopen-instead-of-open-for-writes.patch
Patch52: s390-tools-sles15sp1-08-zpcictl-Read-device-link-to-obtain-device-address.patch
Patch53: s390-tools-sles15sp1-09-zpcictl-Make-device-node-for-NVMe-optional.patch
Patch54: s390-tools-sles15sp1-10-zpcictl-Change-wording-of-man-page-and-help-output.patch
Patch55: s390-tools-sles15sp1-0001-zkey-Add-properties-file-handling-routines.patch
Patch56: s390-tools-sles15sp1-0002-zkey-Add-build-dependency-to-OpenSSL-libcrypto.patch
Patch57: s390-tools-sles15sp1-0003-zkey-Add-helper-functions-for-comma-separated-string.patch
Patch58: s390-tools-sles15sp1-0004-zkey-Externalize-secure-key-back-end-functions.patch
Patch59: s390-tools-sles15sp1-0005-zkey-Add-keystore-implementation.patch
Patch60: s390-tools-sles15sp1-0006-zkey-Add-keystore-related-commands.patch
Patch61: s390-tools-sles15sp1-0007-zkey-Create-key-repository-and-group-during-make-ins.patch
Patch62: s390-tools-sles15sp1-0008-zkey-Man-page-updates.patch
Patch63: s390-tools-sles15sp1-0009-zkey-let-packaging-create-the-zkeyadm-group-and-perm.patch
Patch64: s390-tools-sles15sp1-0010-zkey-Update-README-to-add-info-about-packaging-requi.patch
Patch65: s390-tools-sles15sp1-0011-zkey-Typo-in-message.patch
Patch66: s390-tools-sles15sp1-0012-zkey-Fix-memory-leak.patch
Patch67: s390-tools-sles15sp1-0013-zkey-Fix-APQN-validation-routine.patch
Patch68: s390-tools-sles15sp1-0014-zkey-Fix-generate-and-import-leaving-key-in-an-incon.patch
Patch69: s390-tools-sles15sp1-0015-zkey-Add-zkey-cryptsetup-tool.patch
Patch70: s390-tools-sles15sp1-0016-zkey-Add-man-page-for-zkey-cryptsetup.patch
Patch71: s390-tools-sles15sp1-0017-zkey-Add-build-dependency-for-libcryptsetup-and-json.patch
Patch72: s390-tools-sles15sp1-0018-zkey-Add-key-verification-pattern-property.patch
Patch73: s390-tools-sles15sp1-0019-zkey-Add-volume-type-property-to-support-LUKS2-volum.patch
Patch74: s390-tools-sles15sp1-01-lszcrypt-CEX6S-exploitation.patch
Patch75: s390-tools-sles15sp1-02-lszcrypt-fix-date-and-wrong-indentation.patch
Patch76: s390-tools-sles15sp1-01-cpumf-Add-extended-counter-defintion-files-for-IBM-z.patch
Patch77: s390-tools-sles15sp1-02-cpumf-z14-split-counter-sets-according-to-CFVN-CSVN-.patch
Patch78: s390-tools-sles15sp1-03-cpumf-cpumf_helper-read-split-counter-sets-part-2-2.patch
Patch79: s390-tools-sles15sp1-04-cpumf-correct-z14-counter-number.patch
Patch80: s390-tools-sles15sp1-05-cpumf-add-missing-Description-tag-for-z13-z14-ctr-12.patch
Patch81: s390-tools-sles15sp1-06-cpumf-correct-counter-name-for-z13-and-z14.patch
Patch82: s390-tools-sles15sp1-07-cpumf-Add-IBM-z14-ZR1-to-the-CPU-Measurement-Facilit.patch
Patch83: s390-tools-sles15sp1-dbginfo-gather-nvme-related-data.patch
Patch999: customize-zdev-root-update-script.patch Patch999: customize-zdev-root-update-script.patch
@ -199,7 +239,7 @@ represented as a file in that directory.
%package hmcdrvfs %package hmcdrvfs
Summary: HMC drive file system based on FUSE Summary: HMC drive file system based on FUSE
License: GPL-2.0 License: GPL-2.0
Group: System Environment/Base Group: System/Base
Requires: fuse Requires: fuse
%description hmcdrvfs %description hmcdrvfs
@ -254,6 +294,45 @@ to list files and directories.
%patch42 -p1 %patch42 -p1
%patch43 -p1 %patch43 -p1
%patch44 -p1 %patch44 -p1
%patch45 -p1
%patch46 -p1
%patch47 -p1
%patch48 -p1
%patch49 -p1
%patch50 -p1
%patch51 -p1
%patch52 -p1
%patch53 -p1
%patch54 -p1
%patch55 -p1
%patch56 -p1
%patch57 -p1
%patch58 -p1
%patch59 -p1
%patch60 -p1
%patch61 -p1
%patch62 -p1
%patch63 -p1
%patch64 -p1
%patch65 -p1
%patch66 -p1
%patch67 -p1
%patch68 -p1
%patch69 -p1
%patch70 -p1
%patch71 -p1
%patch72 -p1
%patch73 -p1
%patch74 -p1
%patch75 -p1
%patch76 -p1
%patch77 -p1
%patch78 -p1
%patch79 -p1
%patch80 -p1
%patch81 -p1
%patch82 -p1
%patch83 -p1
%patch999 -p1 %patch999 -p1
@ -267,12 +346,12 @@ cp -vi %{S:22} CAUTION
export OPT_FLAGS="%{optflags}" export OPT_FLAGS="%{optflags}"
export KERNELIMAGE_MAKEFLAGS="%%{?_smp_mflags}" export KERNELIMAGE_MAKEFLAGS="%%{?_smp_mflags}"
make ZFCPDUMP_DIR=/usr/lib/s390-tools/zfcpdump DISTRELEASE=%{release} make ZFCPDUMP_DIR=/usr/lib/s390-tools/zfcpdump DISTRELEASE=%{release} HAVE_CRYPTSETUP2=0
gcc -static -o read_values ${OPT_FLAGS} %{S:86} -lqc gcc -static -o read_values ${OPT_FLAGS} %{S:86} -lqc
%install %install
mkdir -p %{buildroot}/boot/zipl mkdir -p %{buildroot}/boot/zipl
%make_install \ %make_install HAVE_CRYPTSETUP2=0 \
ZFCPDUMP_DIR=/usr/lib/s390-tools/zfcpdump \ ZFCPDUMP_DIR=/usr/lib/s390-tools/zfcpdump \
DISTRELEASE=%{release} \ DISTRELEASE=%{release} \
SYSTEMDSYSTEMUNITDIR=%{_unitdir} \ SYSTEMDSYSTEMUNITDIR=%{_unitdir} \
@ -396,14 +475,18 @@ chmod 755 osasnmpd
%pre %pre
# check for ts-shell group or create it # check for ts-shell group or create it
getent group ts-shell >/dev/null 2>&1 || groupadd -r ts-shell getent group ts-shell >/dev/null 2>&1 || groupadd -r ts-shell
%service_add_pre appldata.service
%service_add_pre cio_ignore.service %service_add_pre cio_ignore.service
%service_add_pre cpacfstatsd.service %service_add_pre cpacfstatsd.service
%service_add_pre cpi.service %service_add_pre cpi.service
%service_add_pre cpuplugd.service %service_add_pre cpuplugd.service
%service_add_pre dumpconf.service %service_add_pre dumpconf.service
%service_add_pre hsnc.service
%service_add_pre mon_fsstatd.service %service_add_pre mon_fsstatd.service
%service_add_pre mon_procd.service %service_add_pre mon_procd.service
%service_add_pre virtsetup.service %service_add_pre virtsetup.service
%service_add_pre vmlogrdr.service
%service_add_pre xpram.service
%post %post
read INITPGM < /proc/1/comm read INITPGM < /proc/1/comm
@ -415,14 +498,18 @@ fi
%set_permissions /var/log/ts-shell %set_permissions /var/log/ts-shell
# Create symbolic links to the scripts from setup and boot directories # Create symbolic links to the scripts from setup and boot directories
%service_add_post appldata.service
%service_add_post cio_ignore.service %service_add_post cio_ignore.service
%service_add_post cpacfstatsd.service %service_add_post cpacfstatsd.service
%service_add_post cpi.service %service_add_post cpi.service
%service_add_post cpuplugd.service %service_add_post cpuplugd.service
%service_add_post dumpconf.service %service_add_post dumpconf.service
%service_add_post hsnc.service
%service_add_post mon_fsstatd.service %service_add_post mon_fsstatd.service
%service_add_post mon_procd.service %service_add_post mon_procd.service
%service_add_post virtsetup.service %service_add_post virtsetup.service
%service_add_post vmlogrdr.service
%service_add_post xpram.service
# Create the initial versions of the sysconfig files: # Create the initial versions of the sysconfig files:
%{fillup_only -n appldata} %{fillup_only -n appldata}
@ -443,33 +530,36 @@ grep -q '^/usr/bin/ts-shell$' /etc/shells \
%{fillup_only -n osasnmpd} %{fillup_only -n osasnmpd}
%preun %preun
%{stop_on_removal appldata} %service_del_preun appldata.service
%{stop_on_removal hsnc}
%{stop_on_removal vmlogrdr}
%{stop_on_removal xpram}
%service_del_preun cio_ignore.service %service_del_preun cio_ignore.service
%service_del_preun cpacfstatsd.service %service_del_preun cpacfstatsd.service
%service_del_preun cpi.service %service_del_preun cpi.service
%service_del_preun cpuplugd.service %service_del_preun cpuplugd.service
%service_del_preun dumpconf.service %service_del_preun dumpconf.service
%service_del_preun hsnc.service
%service_del_preun mon_fsstatd.service %service_del_preun mon_fsstatd.service
%service_del_preun mon_procd.service %service_del_preun mon_procd.service
%service_del_preun virtsetup.service %service_del_preun virtsetup.service
%service_del_preun vmlogrdr.service
%service_del_preun xpram.service
%postun %postun
%{restart_on_update appldata} %service_del_postun appldata.service
%{restart_on_update hsnc}
%{restart_on_update vmlogrdr}
%{restart_on_update xpram}
%service_del_postun cio_ignore.service %service_del_postun cio_ignore.service
%service_del_postun cpacfstatsd.service %service_del_postun cpacfstatsd.service
%service_del_postun cpi.service %service_del_postun cpi.service
%service_del_postun cpuplugd.service %service_del_postun cpuplugd.service
%service_del_postun dumpconf.service %service_del_postun dumpconf.service
%service_del_postun hsnc.service
%service_del_postun mon_fsstatd.service %service_del_postun mon_fsstatd.service
%service_del_postun mon_procd.service %service_del_postun mon_procd.service
%service_del_postun virtsetup.service %service_del_postun virtsetup.service
%service_del_postun vmlogrdr.service
%service_del_postun xpram.service
# Even though SLES15+ is systemd based, the build service doesn't
# run it, so we have to make sure we can safely issue the
# systemctl command.
read INITPGM < /proc/1/comm read INITPGM < /proc/1/comm
if [ "${INITPGM}" == "systemd" ]; then if [ "${INITPGM}" == "systemd" ]; then
echo "Running systemctl daemon-reload." echo "Running systemctl daemon-reload."
@ -480,7 +570,7 @@ if [ ! -x /boot/zipl ]; then
echo "Attention, after uninstalling this package," echo "Attention, after uninstalling this package,"
echo "you will NOT be able to IPL from DASD anymore!!!" echo "you will NOT be able to IPL from DASD anymore!!!"
fi fi
%{insserv_cleanup}
if test x$1 = x0; then if test x$1 = x0; then
# remove ts-shell from /etc/shells # remove ts-shell from /etc/shells
grep -v '^/usr/bin/ts-shell$' /etc/shells > /etc/shells.ts-new grep -v '^/usr/bin/ts-shell$' /etc/shells > /etc/shells.ts-new