From efbf0ee8b47277517b158355e54df2835dfb3dfbd28fa3ab6bd3f2ee95825955 Mon Sep 17 00:00:00 2001 From: Mark Post Date: Thu, 14 Apr 2022 13:51:10 +0000 Subject: [PATCH] Accepting request 970173 from home:markkp:branches:Base:System - Added the following patches for bsc#1198285: s390-tools-sles15sp4-01-genprotimg-remove-DigiCert-root-CA-pinning.patch s390-tools-sles15sp4-02-genprotimg-check_hostkeydoc-relax-default-issuer-che.patch The certificate verification of check_hostkeydoc is too strict and doesn't match the checking performed by genprotimg. - Added the following patch for bsc#1198284: s390-tools-sles15sp4-libseckey-Fix-re-enciphering-of-EP11-secure-key.patch When re-enciphering the identity key and/or wrapping key of the zkey KMIP plugin via 'zkey kms reencipher', the operation completes without an error, but the secure keys are left un-reenciphered. OBS-URL: https://build.opensuse.org/request/show/970173 OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=131 --- ...timg-remove-DigiCert-root-CA-pinning.patch | 271 ++++++++++++++++++ ..._hostkeydoc-relax-default-issuer-che.patch | 102 +++++++ ...ix-re-enciphering-of-EP11-secure-key.patch | 103 +++++++ s390-tools.changes | 15 + s390-tools.spec | 3 + 5 files changed, 494 insertions(+) create mode 100644 s390-tools-sles15sp4-01-genprotimg-remove-DigiCert-root-CA-pinning.patch create mode 100644 s390-tools-sles15sp4-02-genprotimg-check_hostkeydoc-relax-default-issuer-che.patch create mode 100644 s390-tools-sles15sp4-libseckey-Fix-re-enciphering-of-EP11-secure-key.patch diff --git a/s390-tools-sles15sp4-01-genprotimg-remove-DigiCert-root-CA-pinning.patch b/s390-tools-sles15sp4-01-genprotimg-remove-DigiCert-root-CA-pinning.patch new file mode 100644 index 0000000..5733fda --- /dev/null +++ b/s390-tools-sles15sp4-01-genprotimg-remove-DigiCert-root-CA-pinning.patch 
@@ -0,0 +1,271 @@ +Subject: [PATCH] [BZ 197604] genprotimg: remove DigiCert root CA pinning +From: Marc Hartmayer + +Description: genprotimg/check_hostkeydoc: cert. verification is too strict +Symptom: Verification failures will occur for newer host key documents +Problem: The certificate verification of check_hostkeydoc is too strict + and doesn't match the checking performed by genprotimg. This + applies to the OU field in the issuer DN of the host key + document. As a consequence verification failures will occur for + host key documents issued for hardware generations newer than + IBM z15. + + DigiCert is the CA issuing the signing certificate for Secure + Execution host key documents. This certificate is used for the + verification of the host key document validity. Recently, + DigiCert has changed the root CA certificate used for issuance + of the signing certificates. As genprotimg is checking the CA + serial, the verification of the chain of trust will fail. As a + workaround, it is possible to disable certificate verification, + but this is not recommended because it makes it easier to + provide a fake host key document. Since the previously issued + host key documents are expiring in April 2022, it is necessary + to fix genprotimg to accept the newly issued host key + documents. +Solution: Relax the certificate verification +Reproduction: Use a new host key document +Upstream-ID: 78b053326c504c0535b5ec1c244ad7bb5a1df29d +Problem-ID: 197604 + +Upstream-Description: + + genprotimg: remove DigiCert root CA pinning + + Remove the DigiCert root CA pinning. The root CA used for the chain of trust can + change in the future therefore let's remove this check. If someone wants to + enforce the usage of a specific root CA it can be selected by the genprotimg + command line option `--root-ca $CA`. Make it transparent to the user which root + CA is actually being used by printing the subject name of the root CA to stdout + in verbose mode. + + 
Signed-off-by: Marc Hartmayer + Acked-by: Viktor Mihajlovski + Reviewed-and-tested-by: Nico Boehr + 
Signed-off-by: Jan Hoeppner + + +Signed-off-by: Marc Hartmayer +Index: s390-tools-service/genprotimg/man/genprotimg.8 +=================================================================== +--- s390-tools-service.orig/genprotimg/man/genprotimg.8 ++++ s390-tools-service/genprotimg/man/genprotimg.8 +@@ -87,7 +87,7 @@ CRLs. Optional. + .TP + \fB\-\-root\-ca\fR=\fI\,FILE\/\fR + Specifies the root CA certificate for the verification. If omitted, +-the DigiCert root CA certificate installed on the system is used. Use ++the system wide root CAs installed on the system is used. Use + this only if you trust the specified certificate. Optional. + .TP + \fB\-\-no-verify\fR +Index: s390-tools-service/genprotimg/src/include/pv_crypto_def.h +=================================================================== +--- s390-tools-service.orig/genprotimg/src/include/pv_crypto_def.h ++++ s390-tools-service/genprotimg/src/include/pv_crypto_def.h +@@ -29,9 +29,6 @@ + */ + #define PV_CERTS_SECURITY_LEVEL 2 + +-/* SKID for DigiCert Assured ID Root CA */ +-#define DIGICERT_ASSURED_ID_ROOT_CA_SKID "45EBA2AFF492CB82312D518BA7A7219DF36DC80F" +- + union ecdh_pub_key { + struct { + uint8_t x[80]; +Index: s390-tools-service/genprotimg/src/pv/pv_args.c +=================================================================== +--- s390-tools-service.orig/genprotimg/src/pv/pv_args.c ++++ s390-tools-service/genprotimg/src/pv/pv_args.c +@@ -111,7 +111,7 @@ static gint pv_args_validate_options(PvA + g_strv_length(args->untrusted_cert_paths) == 0)) { + g_set_error( + err, PV_PARSE_ERROR, PR_PARSE_ERROR_MISSING_ARGUMENT, +- _("Either specify the IBM Z signing key and (DigiCert) intermediate CA certificate\n" ++ _("Either specify the IBM Z signing key and intermediate CA certificate\n" + "by using the '--cert' option, or use the '--no-verify' flag to disable the\n" + "host-key document verification completely (at your own risk).")); + return -1; +Index: s390-tools-service/genprotimg/src/pv/pv_image.c 
+=================================================================== +--- s390-tools-service.orig/genprotimg/src/pv/pv_image.c ++++ s390-tools-service/genprotimg/src/pv/pv_image.c +@@ -304,9 +304,10 @@ static gint pv_img_hostkey_verify(GSList + } + + /* Load all untrusted certificates (e.g. IBM Z signing key and +- * DigiCert intermediate CA) that are required to establish a chain of +- * trust starting from the host-key document up to the root CA (if not +- * otherwise specified that's the DigiCert Assured ID Root CA). ++ * intermediate CA) that are required to establish a chain of trust ++ * starting from the host-key document up to the root CA (if not ++ * otherwise specified that can be one of the system wide installed ++ * root CAs, e.g. DigiCert). + */ + untrusted_certs_with_path = load_certificates(untrusted_cert_paths, err); + if (!untrusted_certs_with_path) +@@ -341,9 +342,8 @@ static gint pv_img_hostkey_verify(GSList + * For this we must check: + * + * 1. Can a chain of trust be established ending in a root CA +- * 2. Is the correct root CA ued? It has either to be the +- * 'DigiCert Assured ID Root CA' or the root CA specified via +- * command line. ++ * 2. Is the correct root CA used? It has either to be a system CA ++ * or the root CA specified via command line. + */ + for (gint i = 0; i < sk_X509_num(ibm_signing_certs); ++i) { + X509 *ibm_signing_cert = sk_X509_value(ibm_signing_certs, i); +@@ -364,17 +364,12 @@ static gint pv_img_hostkey_verify(GSList + if (verify_cert(ibm_signing_cert, ctx, err) < 0) + goto error; + +- /* Verify the build chain of trust chain. If the user passes a +- * trusted root CA on the command line then the check for the +- * Subject Key Identifier (SKID) is skipped, otherwise let's +- * check if the SKID meets our expectation. ++ /* If there is a chain of trust using either the provided root ++ * CA on the command line or a system wide trusted root CA. 
+ */ +- if (!root_ca_path && +- check_chain_parameters(X509_STORE_CTX_get0_chain(ctx), +- get_digicert_assured_id_root_ca_skid(), +- err) < 0) { ++ if (check_chain_parameters(X509_STORE_CTX_get0_chain(ctx), ++ err) < 0) + goto error; +- } + + ibm_signing_crls = store_ctx_find_valid_crls(ctx, ibm_signing_cert, err); + if (!ibm_signing_crls) { +@@ -588,7 +583,7 @@ PvImage *pv_img_new(PvArgs *args, const + g_warning(_("host-key document verification is disabled. Your workload is not secured.")); + + if (args->root_ca_path) +- g_warning(_("A different root CA than the default DigiCert root CA is selected. Ensure that this root CA is trusted.")); ++ g_warning(_("The root CA is selected through the command line. Ensure that this root CA is trusted.")); + + ret->comps = pv_img_comps_new(EVP_sha512(), EVP_sha512(), EVP_sha512(), err); + if (!ret->comps) +Index: s390-tools-service/genprotimg/src/utils/crypto.c +=================================================================== +--- s390-tools-service.orig/genprotimg/src/utils/crypto.c ++++ s390-tools-service/genprotimg/src/utils/crypto.c +@@ -1079,8 +1079,8 @@ int store_set_verify_param(X509_STORE *s + g_abort(); + + /* The maximum depth level of the chain of trust for the verification of +- * the IBM Z signing key is 2, i.e. IBM Z signing key -> (DigiCert) +- * intermediate CA -> (DigiCert) root CA ++ * the IBM Z signing key is 2, i.e. 
IBM Z signing key -> intermediate CA ++ * -> root CA + */ + X509_VERIFY_PARAM_set_depth(param, 2); + +@@ -1267,46 +1267,38 @@ static int security_level_to_bits(int le + return security_bits[level]; + } + +-static ASN1_OCTET_STRING *digicert_assured_id_root_ca; +- +-const ASN1_OCTET_STRING *get_digicert_assured_id_root_ca_skid(void) +-{ +- pv_crypto_init(); +- return digicert_assured_id_root_ca; +-} +- + /* Used for the caching of the downloaded CRLs */ + static GHashTable *cached_crls; + + void pv_crypto_init(void) + { +- if (digicert_assured_id_root_ca) ++ if (cached_crls) + return; +- + cached_crls = g_hash_table_new_full(g_str_hash, g_str_equal, g_free, + (GDestroyNotify)X509_CRL_free); +- digicert_assured_id_root_ca = s2i_ASN1_OCTET_STRING( +- NULL, NULL, DIGICERT_ASSURED_ID_ROOT_CA_SKID); + } + + void pv_crypto_cleanup(void) + { +- if (!digicert_assured_id_root_ca) ++ if (!cached_crls) + return; + g_clear_pointer(&cached_crls, g_hash_table_destroy); +- g_clear_pointer(&digicert_assured_id_root_ca, ASN1_OCTET_STRING_free); + } + + gint check_chain_parameters(const STACK_OF_X509 *chain, +- const ASN1_OCTET_STRING *skid, GError **err) ++ GError **err) + { +- const ASN1_OCTET_STRING *ca_skid = NULL; ++ const X509_NAME *ca_x509_subject = NULL; ++ g_autofree gchar *ca_subject = NULL; + gint len = sk_X509_num(chain); + X509 *ca = NULL; + +- g_assert(skid); + /* at least one root and one leaf certificate must be defined */ +- g_assert(len >= 2); ++ if (len < 2) { ++ g_set_error(err, PV_CRYPTO_ERROR, PV_CRYPTO_ERROR_INTERNAL, ++ _("there must be at least on root and one leaf certificate in the chain of trust")); ++ return -1; ++ } + + /* get the root certificate of the chain of trust */ + ca = sk_X509_value(chain, len - 1); +@@ -1316,19 +1308,21 @@ gint check_chain_parameters(const STACK_ + return -1; + } + +- ca_skid = X509_get0_subject_key_id(ca); +- if (!ca_skid) { +- g_set_error(err, PV_CRYPTO_ERROR, PV_CRYPTO_ERROR_MALFORMED_ROOT_CA, +- _("malformed root 
certificate")); ++ ca_x509_subject = X509_get_subject_name(ca); ++ if (!ca_x509_subject) { ++ g_set_error(err, PV_CRYPTO_ERROR, PV_CRYPTO_ERROR_INTERNAL, ++ _("subject of the root CA cannot be retrieved")); + return -1; + } + +- if (ASN1_STRING_cmp(ca_skid, skid) != 0) { +- g_set_error(err, PV_CRYPTO_ERROR, PV_CRYPTO_ERROR_WRONG_CA_USED, +- _("expecting DigiCert root CA to be used")); ++ ca_subject = X509_NAME_oneline(ca_x509_subject, NULL, 0); ++ if (!ca_subject) { ++ g_set_error(err, PV_CRYPTO_ERROR, PV_CRYPTO_ERROR_INTERNAL, ++ _("subject name of the root CA cannot be retrieved")); + return -1; + } + ++ g_info("Root CA used: '%s'", ca_subject); + return 0; + } + +Index: s390-tools-service/genprotimg/src/utils/crypto.h +=================================================================== +--- s390-tools-service.orig/genprotimg/src/utils/crypto.h ++++ s390-tools-service/genprotimg/src/utils/crypto.h +@@ -125,7 +125,6 @@ int check_crl_valid_for_cert(X509_CRL *c + gint verify_flags, GError **err); + void pv_crypto_init(void); + void pv_crypto_cleanup(void); +-const ASN1_OCTET_STRING *get_digicert_assured_id_root_ca_skid(void); + gint verify_host_key(X509 *host_key, GSList *issuer_pairs, + gint verify_flags, int level, GError **err); + X509 *load_cert_from_file(const char *path, GError **err); +@@ -138,8 +137,7 @@ X509_STORE *store_setup(const gchar *roo + int store_set_verify_param(X509_STORE *store, GError **err); + X509_CRL *load_crl_by_cert(X509 *cert, GError **err); + STACK_OF_X509_CRL *try_load_crls_by_certs(GSList *certs_with_path); +-gint check_chain_parameters(const STACK_OF_X509 *chain, +- const ASN1_OCTET_STRING *skid, GError **err); ++gint check_chain_parameters(const STACK_OF_X509 *chain, GError **err); + X509_NAME *c2b_name(const X509_NAME *name); + + STACK_OF_X509 *delete_ibm_signing_certs(STACK_OF_X509 *certs); 
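Review bot: In the rewritten `check_chain_parameters`, `ca_subject` comes from `X509_NAME_oneline(ca_x509_subject, NULL, 0)`, which returns an OPENSSL_malloc'd buffer, yet it is declared `g_autofree gchar *` and so released with g_free(); unless genprotimg installs GLib's allocator via CRYPTO_set_mem_functions (not visible here) it should be a plain `char *ca_subject = NULL;` and released with `OPENSSL_free(ca_subject);` just before `return 0;`. The new error string also reads `at least on root and one leaf certificate` and should say `one root`. With the DigiCert SKID pin gone, any CA in the system store can now anchor the IBM Z signing-key chain, so step 2 of the comment in `pv_img_hostkey_verify` is no longer a check at all but a log line that only appears in verbose mode; the man page sentence `the system wide root CAs installed on the system is used` should read `the system-wide root CAs installed on the system are used` and state that `--root-ca` is the way to re-pin a specific root. The inner hunks cut through `pv_img_hostkey_verify` and `store_set_verify_param`, whose bodies continue outside this view.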
diff --git a/s390-tools-sles15sp4-02-genprotimg-check_hostkeydoc-relax-default-issuer-che.patch b/s390-tools-sles15sp4-02-genprotimg-check_hostkeydoc-relax-default-issuer-che.patch new file mode 100644 index 0000000..22dcd26 --- /dev/null +++ b/s390-tools-sles15sp4-02-genprotimg-check_hostkeydoc-relax-default-issuer-che.patch 
@@ -0,0 +1,102 @@ +Subject: [PATCH] [BZ 197604] genprotimg/check_hostkeydoc: relax default issuer check +From: Marc Hartmayer + +Description: genprotimg/check_hostkeydoc: cert. verification is too strict +Symptom: Verification failures will occur for newer host key documents +Problem: The certificate verification of check_hostkeydoc is too strict + and doesn't match the checking performed by genprotimg. This + applies to the OU field in the issuer DN of the host key + document. As a consequence verification failures will occur for + host key documents issued for hardware generations newer than + IBM z15. + + DigiCert is the CA issuing the signing certificate for Secure + Execution host key documents. This certificate is used for the + verification of the host key document validity. Recently, + DigiCert has changed the root CA certificate used for issuance + of the signing certificates. As genprotimg is checking the CA + serial, the verification of the chain of trust will fail. As a + workaround, it is possible to disable certificate verification, + but this is not recommended because it makes it easier to + provide a fake host key document. Since the previously issued + host key documents are expiring in April 2022, it is necessary + to fix genprotimg to accept the newly issued host key + documents. +Solution: Relax the certificate verification +Reproduction: Use a new host key document +Upstream-ID: 673ff375d939d3cde674f8f99a62d456f8b1673d +Problem-ID: 197604 + +Upstream-Description: + + genprotimg/check_hostkeydoc: relax default issuer check + + While the original default issuer's organizationalUnitName (OU) + was defined as "IBM Z Host Key Signing Service", any OU ending + with "Key Signing Service" is considered legal. + + Let's relax the default issuer check by stripping off characters + preceding "Key Signing Service". + + Signed-off-by: Viktor Mihajlovski + Reviewed-by: Marc Hartmayer + 
Signed-off-by: Jan Hoeppner + + +Signed-off-by: Marc Hartmayer +Index: s390-tools-service/genprotimg/samples/check_hostkeydoc +=================================================================== +--- s390-tools-service.orig/genprotimg/samples/check_hostkeydoc ++++ s390-tools-service/genprotimg/samples/check_hostkeydoc +@@ -23,6 +23,7 @@ BODY_FILE=$(mktemp) + ISSUER_DN_FILE=$(mktemp) + SUBJECT_DN_FILE=$(mktemp) + DEF_ISSUER_DN_FILE=$(mktemp) ++CANONICAL_ISSUER_DN_FILE=$(mktemp) + CRL_SERIAL_FILE=$(mktemp) + + # Cleanup on exit +@@ -30,7 +31,7 @@ cleanup() + { + rm -f $ISSUER_PUBKEY_FILE $SIGNATURE_FILE $BODY_FILE \ + $ISSUER_DN_FILE $SUBJECT_DN_FILE $DEF_ISSUER_DN_FILE \ +- $CRL_SERIAL_FILE ++ $CANONICAL_ISSUER_DN_FILE $CRL_SERIAL_FILE + } + trap cleanup EXIT + +@@ -121,20 +122,31 @@ default_issuer() + commonName = International Business Machines Corporation + countryName = US + localityName = Poughkeepsie +- organizationalUnitName = IBM Z Host Key Signing Service ++ organizationalUnitName = Key Signing Service + organizationName = International Business Machines Corporation + stateOrProvinceName = New York + EOF + } + +-verify_issuer_files() ++# As organizationalUnitName can have an arbitrary prefix but must ++# end with "Key Signing Service" let's normalize the OU name by ++# stripping off the prefix ++verify_default_issuer() + { + default_issuer > $DEF_ISSUER_DN_FILE + +- if ! diff $ISSUER_DN_FILE $DEF_ISSUER_DN_FILE ++ sed "s/\(^[ ]*organizationalUnitName[ ]*=[ ]*\).*\(Key Signing Service$\)/\1\2/" \ ++ $ISSUER_DN_FILE > $CANONICAL_ISSUER_DN_FILE ++ ++ if ! diff $CANONICAL_ISSUER_DN_FILE $DEF_ISSUER_DN_FILE + then + echo Incorrect default issuer >&2 && exit 1 + fi ++} ++ ++verify_issuer_files() ++{ ++ verify_default_issuer + + if diff $ISSUER_DN_FILE $SUBJECT_DN_FILE + then 
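Review bot: The new `verify_default_issuer` sed only requires the issuer OU to end in `Key Signing Service`, so the `.*` accepts any prefix (an unrelated "Test Key Signing Service" would pass); the OU is therefore no longer a discriminating check and the script's trust rests entirely on the issuer-certificate chain and signature verification done elsewhere in check_hostkeydoc, which is not in this hunk — a comment saying so explicitly would help, e.g. `# NOTE: the OU prefix is deliberately ignored; trust comes from the issuer cert chain and signature checks, not from this DN compare`. The failure path still prints only `Incorrect default issuer`; emitting the offending line, e.g. `grep organizationalUnitName $ISSUER_DN_FILE >&2`, would make a mismatch on a newer hardware generation diagnosable. Also `[ ]*` skips spaces only, so a tab-indented DN dump would not be normalized — harmless if the DN file always comes from openssl's default `-nameopt`, but worth a comment. `verify_issuer_files` continues past the end of the hunk.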
diff --git a/s390-tools-sles15sp4-libseckey-Fix-re-enciphering-of-EP11-secure-key.patch b/s390-tools-sles15sp4-libseckey-Fix-re-enciphering-of-EP11-secure-key.patch new file mode 100644 index 0000000..7b328eb --- /dev/null +++ b/s390-tools-sles15sp4-libseckey-Fix-re-enciphering-of-EP11-secure-key.patch @@ -0,0 +1,103 @@ +Subject: [PATCH] [BZ 197605] libseckey: Fix re-enciphering of EP11 secure key +From: Ingo Franzki + +Description: zkey: Fix re-enciphering of EP11 identity key of KMIP plugin +Symptom: When re-enciphering the identity key and/or wrapping key of the + zkey KMIP plugin via 'zkey kms reencipher', the operation + completes without an error, but the secure keys are left + un-reenciphered. A subsequent connection attempt with the KMIP + server will fail because the identity key is no longer valid. +Problem: The re-enciphered secure key is not copied back into the + key token buffer. Also, the the public key part, i.e. the MACed + SubjectPublicKeyInfo (SPKI) structure must also be re- + enciphered (i.e. re-MACed), since the MAC is calculated with + the EP11 master key. +Solution: Copy the re-enciphered secure key back into the key toke + buffer, and also re-encipher the public key part. +Reproduction: Perform a master key change on the EP11 APQNs used with the + KMIP plugin. +Upstream-ID: 4e2ebe0370d9fb036b7554d5ac5df4418dbe0397 +Problem-ID: 197605 + +Upstream-Description: + + libseckey: Fix re-enciphering of EP11 secure key + + The re-enciphering of EP11 asymmetric secure keys does not work. + First, the result of the re-encipher operation of the private key + part must be copied back into the user supplied key token buffer. + Second, the public key part, i.e. the MACed SubjectPublicKeyInfo + (SPKI) structure must also be re-enciphered (i.e. re-MACed), since + the MAC is calculated with the EP11 master key. + + Signed-off-by: Ingo Franzki + 
Signed-off-by: Jan Hoeppner + + +Signed-off-by: Ingo Franzki +--- + libseckey/sk_ep11.c | 53 ++++++++++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 53 insertions(+) + +--- a/libseckey/sk_ep11.c ++++ b/libseckey/sk_ep11.c +@@ -1549,6 +1549,59 @@ int SK_EP11_reencipher_key(const struct + return -EIO; + } + ++ memcpy(blob, lrb.payload, lrb.pllen); ++ ++ /* re-encipher MACed SPKI */ ++ rb.domain = domain; ++ lrb.domain = domain; ++ ++ resp_len = sizeof(resp); ++ req_len = ep11.dll_xcpa_cmdblock(req, sizeof(req), XCP_ADM_REENCRYPT, ++ &rb, NULL, key_token + hdr->len, ++ key_token_length - hdr->len); ++ if (req_len < 0) { ++ sk_debug(debug, "Failed to build XCP command block"); ++ return -EIO; ++ } ++ ++ rv = ep11.dll_m_admin(resp, &resp_len, NULL, NULL, req, req_len, NULL, ++ 0, ep11_lib->target); ++ if (rv != CKR_OK || resp_len == 0) { ++ sk_debug(debug, "Command XCP_ADM_REENCRYPT failed. " ++ "rc = 0x%lx, resp_len = %ld", rv, resp_len); ++ return -EIO; ++ } ++ ++ rc = ep11.dll_xcpa_internal_rv(resp, resp_len, &lrb, &rv); ++ if (rc != 0) { ++ sk_debug(debug, "Failed to parse response. rc = %d", rc); ++ return -EIO; ++ } ++ ++ if (rv != CKR_OK) { ++ sk_debug(debug, "Failed to re-encrypt the EP11 secure key. " ++ "rc = 0x%lx", rv); ++ switch (rv) { ++ case CKR_IBM_WKID_MISMATCH: ++ sk_debug(debug, "The EP11 secure key is currently " ++ "encrypted under a different master that does " ++ "not match the master key in the CURRENT " ++ "master key register of APQN %02X.%04X", ++ card, domain); ++ break; ++ } ++ return -EIO; ++ } ++ ++ if (key_token_length - hdr->len != lrb.pllen) { ++ sk_debug(debug, "Re-encrypted EP11 secure key size has " ++ "changed: org-len: %lu, new-len: %lu", ++ hdr->len - sizeof(*hdr), lrb.pllen); ++ return -EIO; ++ } ++ ++ memcpy(key_token + hdr->len, lrb.payload, lrb.pllen); ++ + return 0; + } + diff --git a/s390-tools.changes b/s390-tools.changes index 36fca34..bf41438 100644 --- a/s390-tools.changes +++ b/s390-tools.changes 
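Review bot: The function now writes the re-enciphered private part back with `memcpy(blob, lrb.payload, lrb.pllen)` before issuing the second XCP_ADM_REENCRYPT for the MACed SPKI, and every failure path after that returns -EIO without undoing it; if `blob` points into the caller's `key_token` (as the name suggests — the start of `SK_EP11_reencipher_key` is outside the hunk), a failed SPKI re-MAC leaves a token whose private half is under the new master key while its SPKI MAC is still under the old one. Either re-encipher both parts into a scratch buffer and copy both back only after the second call succeeds, or document in the function comment that on error the token contents are undefined and must be discarded by the caller. Separately, the size-mismatch debug message reports the wrong original length: it prints `hdr->len - sizeof(*hdr)` (the private-key part) while the comparison is on the SPKI, so the arguments should be `key_token_length - hdr->len, lrb.pllen`. The `switch (rv)` with a single case and no `default` could simply be `if (rv == CKR_IBM_WKID_MISMATCH)`.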
@@ -1,3 +1,18 @@ +------------------------------------------------------------------- +Mon Apr 11 21:11:48 UTC 2022 - Mark Post + +- Added the following patches for bsc#1198285: + s390-tools-sles15sp4-01-genprotimg-remove-DigiCert-root-CA-pinning.patch + s390-tools-sles15sp4-02-genprotimg-check_hostkeydoc-relax-default-issuer-che.patch + The certificate verification of check_hostkeydoc is too strict and + doesn't match the checking performed by genprotimg. +- Added the following patch for bsc#1198284: + s390-tools-sles15sp4-libseckey-Fix-re-enciphering-of-EP11-secure-key.patch + When re-enciphering the identity key and/or wrapping key of the + zkey KMIP plugin via 'zkey kms reencipher', the operation + completes without an error, but the secure keys are left + un-reenciphered. + ------------------------------------------------------------------- Fri Mar 4 13:55:43 UTC 2022 - Martin Wilck diff --git a/s390-tools.spec b/s390-tools.spec index 0a3a0de..8048369 100644 --- a/s390-tools.spec +++ b/s390-tools.spec @@ -97,6 +97,9 @@ Patch001: s390-tools-sles15sp4-chreipl-fcp-mpath-don-t-compress-the-manpag Patch002: s390-tools-sles15sp4-chreipl-fcp-mpath-remove-shebang-from-chreipl-fcp-mp.patch Patch003: s390-tools-sles15sp4-zdev-modify-the-lsblk-output-parser-in-lszdev.patch Patch004: s390-tools-sles15sp4-zdev-Fix-path-resolution-for-multi-mount-point-file-.patch +Patch005: s390-tools-sles15sp4-01-genprotimg-remove-DigiCert-root-CA-pinning.patch +Patch006: s390-tools-sles15sp4-02-genprotimg-check_hostkeydoc-relax-default-issuer-che.patch +Patch007: s390-tools-sles15sp4-libseckey-Fix-re-enciphering-of-EP11-secure-key.patch # SUSE patches Patch900: s390-tools-sles12-zipl_boot_msg.patch
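Review bot: Patch005–Patch007 are only declared here; the hunk shows no matching `%patch5 -p1` / `%patch6 -p1` / `%patch7 -p1` lines in `%prep`, and unless the spec uses `%autosetup`/`%autopatch` (not visible in this view) the three patches — including the certificate-verification fix — would ship in the SRPM but never be applied to the build. Please confirm `%prep` applies them, and consider annotating the declarations with their bug references, e.g. `# bsc#1198285` above Patch005/Patch006 and `# bsc#1198284` above Patch007, so the spec is self-describing.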