SHA256
1
0
forked from pool/s390-tools

Compare commits

..

246 Commits

Author SHA256 Message Date
Ana Guerrero
201c253b02 Accepting request 1236146 from Base:System
OBS-URL: https://build.opensuse.org/request/show/1236146
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/s390-tools?expand=0&rev=88
2025-01-12 10:14:00 +00:00
Nikolay Gueorguiev
a45e3d9c5b - Applied backport patches from s390-tools 2.37 to 2.36 ( jsc#PED-11870 )
( jsc#IBM-1447, jsc#IBM-1062 )
  * s390-tools-General-update-01.patch
  * s390-tools-General-update-02.patch
  * s390-tools-General-update-03.patch
  * s390-tools-General-update-04.patch
  * s390-tools-General-update-05.patch
  * s390-tools-General-update-06.patch
  * s390-tools-General-update-07.patch
  * s390-tools-General-update-08.patch
  * s390-tools-General-update-09.patch
  * s390-tools-General-update-10.patch
  * s390-tools-General-update-11.patch
  * s390-tools-General-update-12.patch
  * s390-tools-Additional-update-01.patch
  * s390-tools-Additional-update-02.patch
    ( jsc#IBM-1570, jsc#IBM-1571 )
  * s390-tools-Support-unencrypted-SE-images-01.patch
    ( jsc#IBM-1572, jsc#IBM-1573 )
  * s390-tools-pvimg-info-command-01.patch
  * s390-tools-pvimg-info-command-02.patch
  * s390-tools-pvimg-info-command-03.patch
  * s390-tools-pvimg-info-command-04.patch
    ( jsc#IBM-1576, jsc#IBM-1577 )
  * s390-tools-pvimg-additional-01.patch
- Renamed patches from - to
  * s390-tools-01-opticsmon-Fix-runaway-loop-in-on_link_change.patch 
      to
      s390-tools-Additional-update-01.patch
  * s390-tools-02-libzpci-opticsmon-Refactor-on_link_change-using-new.patch
      to
      s390-tools-Additional-update-02.patch
  * s390-tools-03-rust-pvimg-Add-enable-disable-image-encryption-flags-to-pvimg-create.patch
      to
      s390-tools-Support-unencrypted-SE-images-01.patch
- Revendored vendor.tar.gz

OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=243
2025-01-09 11:12:54 +00:00
Ana Guerrero
f40487aa79 Accepting request 1235532 from Base:System
OBS-URL: https://build.opensuse.org/request/show/1235532
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/s390-tools?expand=0&rev=87
2025-01-07 19:54:01 +00:00
Nikolay Gueorguiev
263ba1bd7b - Applied a patch for '--(enable|disable)-image-encryption' flags for 'pvimg create' (jsc#PED-11870)
* s390-tools-03-rust-pvimg-Add-enable-disable-image-encryption-flags-to-pvimg-create.patch

OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=241
2025-01-07 09:33:50 +00:00
Ana Guerrero
1aca340a15 Accepting request 1234126 from Base:System
OBS-URL: https://build.opensuse.org/request/show/1234126
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/s390-tools?expand=0&rev=86
2025-01-01 22:07:53 +00:00
Nikolay Gueorguiev
51403030c6 - Applied patches (jsc#PED-9591, jsc#PED-10303)
* s390-tools-01-opticsmon-Fix-runaway-loop-in-on_link_change.patch 
  * s390-tools-02-libzpci-opticsmon-Refactor-on_link_change-using-new.patch

OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=239
2024-12-31 10:13:14 +00:00
Ana Guerrero
f226d43bc0 Accepting request 1229339 from Base:System
OBS-URL: https://build.opensuse.org/request/show/1229339
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/s390-tools?expand=0&rev=85
2024-12-09 20:12:51 +00:00
Nikolay Gueorguiev
e553b3bcf0 - Upgrade s390-tools to version 2.36 (jsc#PED-10303, jsc#PED-9591)
* s390-tools: Define Rust MSRV as 1.75.0
  * Add new tools / libraries:
    - cpacfinfo: Tool to provide CPACF information
    - opticsmon: Tools to monitor optical modules for directly attached PCI based NICs
    - pvimg: Rust rewrite of genprotimg
  * Changes of existing tools:
    - chpstat: Add data bandwidth utilization column
    - chpstat: Add support for full CMCB
    - chpstat: Add support for new CMG types
    - dbginfo.sh: add overview commands and crypto update
    - hyptop: Support for structured output (json, json-seq, csv)
    - lszfcp: Add missing fallback marker for non-good fc_host port_state
    - lszfcp: Improve speed with many SCSI devices
    - pvattest: Add attestation policy check command
    - zipl: Add support of partitions of mirror md-devices
  * Bug Fixes:
    - lszcrypt: Fix wrong state showing up for removed AP queue within SE guest
    - lszfcp: Show device names line for zfcp_units without SCSI device
- Revendored vendor.tar.gz
- Applied additional patch (bsc#1233889, bsc#1233079)
  * s390-tools-02-zipl-src-fix-imprecise-check-that-file-is-on-specifi.patch
- Applied a patch (bsc#1233889)
  * s390-tools-01-zipl_helper.device-mapper-add-missed-step-in-logical.patch
- Amended the /usr/lib/modules-load.d/pkey.conf (bsc#1233233). Added
  * pkey_cca
  * pkey_ep11
  * pkey_pckmo

OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=237
2024-12-09 12:14:57 +00:00
Nikolay Gueorguiev
1aa732b1b1 Upgrade to version 2.36
OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=236
2024-12-09 11:03:58 +00:00
Nikolay Gueorguiev
989dd03b90 Upgrade to 2.36
OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=235
2024-12-09 10:57:39 +00:00
Nikolay Gueorguiev
a05add60ad Upgrade to 2.36
OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=234
2024-12-09 10:50:09 +00:00
Nikolay Gueorguiev
549859fb33 Upgrade to version 2.36
OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=233
2024-12-09 10:35:11 +00:00
Nikolay Gueorguiev
37e471ec3d - Upgrade s390-tools to version 2.36 (jsc#PED-10303, jsc#PED-9591)
* s390-tools: Define Rust MSRV as 1.75.0
  * Add new tools / libraries:
    - cpacfinfo: Tool to provide CPACF information
    - opticsmon: Tools to monitor optical modules for directly attached PCI based NICs
    - pvimg: Rust rewrite of genprotimg
  * Changes of existing tools:
    - chpstat: Add data bandwidth utilization column
    - chpstat: Add support for full CMCB
    - chpstat: Add support for new CMG types
    - dbginfo.sh: add overview commands and crypto update
    - hyptop: Support for structured output (json, json-seq, csv)
    - lszfcp: Add missing fallback marker for non-good fc_host port_state
    - lszfcp: Improve speed with many SCSI devices
    - pvattest: Add attestation policy check command
    - zipl: Add support of partitions of mirror md-devices
  * Bug Fixes:
    - lszcrypt: Fix wrong state showing up for removed AP queue within SE guest
    - lszfcp: Show device names line for zfcp_units without SCSI device
- Revendored vendor.tar.gz

OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=232
2024-12-09 10:05:08 +00:00
Ana Guerrero
88b4cf9a55 Accepting request 1228553 from Base:System
OBS-URL: https://build.opensuse.org/request/show/1228553
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/s390-tools?expand=0&rev=84
2024-12-06 13:25:31 +00:00
Nikolay Gueorguiev
d2403fb3d3 - Applied a patch (bsc#1233889)
* s390-tools-01-zipl_helper.device-mapper-add-missed-step-in-logical.patch
- Amended the /usr/lib/modules-load.d/pkey.conf (bsc#1233233). Added
  * pkey_cca
  * pkey_ep11
  * pkey_pckmo

OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=230
2024-12-05 15:15:36 +00:00
Ana Guerrero
512d2a1762 Accepting request 1221334 from Base:System
OBS-URL: https://build.opensuse.org/request/show/1221334
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/s390-tools?expand=0&rev=83
2024-11-05 14:41:44 +00:00
Nikolay Gueorguiev
e0449582f8 - Amended the *_configure scripts to update again the SUSE's specific file
'/boot/zipl/active_devices.txt' (bsc#1232474, bsc#1216257)
  * ctc_configure
  * dasd_configure
  * qeth_configure
  * zfcp_host_configure

OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=228
2024-11-05 08:08:43 +00:00
Ana Guerrero
9e3bfc4f53 Accepting request 1206300 from Base:System
OBS-URL: https://build.opensuse.org/request/show/1206300
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/s390-tools?expand=0&rev=82
2024-10-08 15:25:14 +00:00
Nikolay Gueorguiev
5f5c63d1e2 * Upgrade s390-tools to version 2.35 (jsc#PED-9591, jsc#PED-10303)
* Changes of existing tools:
  - cpacfstats: Add support for FULL XTS (MSA 10) and HMAC (MSA 11) PAI counter
  - cpuplugd: Make cpuplugd compatible with hiperdispatch
  - dbginfo.sh: Add network sockstat info
  - pvapconfig: s390x exclusive build
  - zdev: Add option to select IPL device
  - zdump/dfo_s390: Support s390 DFO for vr-kernel dumps
  - zipl: Add support of mirror devices
* Bug Fixes:
  - (genprotimg|zipl)/boot: discard .note.package ELF section to save memory
  - netboot/mk-s390image: Fix size when argument is a symlink
  - ziorep_config: Fix warning message when multipath device is not there.
  - zipl: Fix problems when target parameters are specified by user
  - zipl: Fix segfault when creating device-based dumps with '--dry-run'
* Removed obsolete patches
  - s390-tools-2.34-Fix-Rust-compilation-errors.patch
  - s390-tools-01-zipl-src-add-basic-support-for-multiple-target-base-disks.patch
  - s390-tools-02-zipl-src-add-basic-support-for-multiple-target-base-disks.patch
* Revendored vendor.tar.gz

OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=226
2024-10-08 10:45:41 +00:00
Ana Guerrero
f85aac9036 Accepting request 1201422 from Base:System
* Applied patches (bsc#1230345)
  - zipl/src: add basic support for multiple target base disks
  - s390-tools-01-zipl-src-add-basic-support-for-multiple-target-base-disks.patch
  - s390-tools-02-zipl-src-add-basic-support-for-multiple-target-base-disks.patch

OBS-URL: https://build.opensuse.org/request/show/1201422
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/s390-tools?expand=0&rev=81
2024-09-16 15:46:06 +00:00
Nikolay Gueorguiev
e47d5e3f02 * Applied patches (bsc#1230345)
- zipl/src: add basic support for multiple target base disks
  - s390-tools-01-zipl-src-add-basic-support-for-multiple-target-base-disks.patch
  - s390-tools-02-zipl-src-add-basic-support-for-multiple-target-base-disks.patch

OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=224
2024-09-16 12:53:06 +00:00
Nikolay Gueorguiev
a5e2fe96bd Restore
OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=223
2024-09-10 14:51:22 +00:00
Nikolay Gueorguiev
aaa3221da7 - Applied a patch to fix 'zdev warning about failed ATTR writes by udev'
(bsc#1224211)
 * s390-tools-zdev-fix-warning-about-failed-ATTR-writes-by-udev.patch

OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=222
2024-09-10 14:11:05 +00:00
Ana Guerrero
fe7c5e5c26 Accepting request 1196040 from Base:System
* Applied a patch to fix Rust compilation errors (bsc#1229461)
  - s390-tools-2.34-Fix-Rust-compilation-errors.patch
  - Fix: s390-tools: Rust compilation errors (s390_pv_core), build fails with
    "error: unnecessary qualification"
* Added BuildRequieres in the .spec file
  - perl-Bootloader >= 0.4.15 
* Upgrade s390-tools to version 2.34 (jsc#PED-3223,jsc#PED-9591)
*** v2.34.0
* Changes of existing tools:
  - ap_tools/ap-check: Add support for vfio-ap dynamic configuration
  - dbginfo.sh: Update/Add additional DASD data collection
  - dumpconf: Add new parameter 'SCP_DATA' for SCSI/NVMe/ECKD dump devices
  - libutil: Make formatted meta-data configurable
  - s390-tools: Replace 'which' with built-in 'command -v'
  - zdump/dfi_elf: Support core dumps of vr-kernels
* Bug Fixes:
  - chzdev: Fix warning about failed ATTR writes by udev
  - rust/pv: Try again if first CRL-URI is invalid
  - rust/pvattest: Add short option for --arpk
  - zdump: Fix 'zgetdump -i' ioctl error on s390 formatted dump file
*** v2.33.1
* Bug Fixes:
  - s390-tools: Fix formatting and typos in README.md
  - s390-tools: Fix release string
*** v2.33.0
* Add new tools / libraries:
  - chpstat: New tool for displaying channel path statistics
  - libutil: Add output format helpers(util_fmt: JSON, JSON-SEQ, CSV, text pairs)
* Changes of existing tools / libraries:
  - chzdev: Add --is-owner to identify files created by zdev
  - dasdfmt: Change default mode to always use full-format (Note: affects ESE DASD)
  - libap: Significantly reduce delay time between file lock retries
  - pvattest: Rewrite from C to Rust
  - pvattest: Support additional data & user-data
  - rust/pv: Support for Attestation
* Bug Fixes:
  - chreipl: Improve disk type detection when running under QEMU
  - dbginfo.sh: Use POSIX option with uname
  - s390-tools: Fix missing hyphen escapes in the man page for many tools
  - zipl/src: Fix bugs in disk_get_info() reproducible in corner cases
 *** v2.32.0
* Changes of existing tools:
  - cpumf/lscpumf: add support for machine type 3932
  - genprotimg, pvattest, and pvsecret accept IBM signing key with Armonk as
    subject locality
  - zdump/zipl: Support for List-Directed dump from ECKD DASD
  - zkey: Detect FIPS mode and generate PBKDF for luksFormat according to it
* Bug Fixes:
  - dbginfo.sh: dash compatible copy sequence
  - rust/pv_core: Fix UvDeviceInfo::get() method
  - zipl/src: Fix leak of files if run with a broken configuration
  - zkey: Fix convert command to accept only keys of type CCA-AESDATA
* Revendored vendor.tar.gz
* Removed obsolete patches
  - s390-tools-sles15sp5-01-rust-pv-support-Armonk-in-IBM-signing-key-subject.patch
  - s390-tools-sles15sp6-02-genprotimg-support-Armonk-in-IBM-signing-key-subject.patch
  - s390-tools-sles15sp6-03-libpv-support-Armonk-in-IBM-signing-key-subject.patch
  - s390-tools-sles15sp6-04-pvattest-Fix-root-ca-parsing.patch
  - s390-tools-sles15sp6-genprotimg-makefile.patch

OBS-URL: https://build.opensuse.org/request/show/1196040
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/s390-tools?expand=0&rev=80
2024-08-26 20:10:53 +00:00
Ana Guerrero
773b6c2834 Accepting request 1186905 from Base:System
OBS-URL: https://build.opensuse.org/request/show/1186905
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/s390-tools?expand=0&rev=79
2024-07-11 18:33:57 +00:00
Nikolay Gueorguiev
b60bd99df6 - Applied a new patch (bsc#1227602)
* s390-tools-slfo-01-parse-ipl-device-for-activation.patch 
- Removed the old 'initial' patch 
  * s390-tools-sles15sp6-01-parse-ipl-device-for-activation.patch

OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=217
2024-07-11 15:31:35 +00:00
Ana Guerrero
a5cee92c1b Accepting request 1181962 from Base:System
OBS-URL: https://build.opensuse.org/request/show/1181962
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/s390-tools?expand=0&rev=78
2024-06-20 14:49:19 +00:00
Nikolay Gueorguiev
b90e23c312 - Amended read_values.c (bsc#1226609)
* Added print for 'qc_type_name', amended the layers 
- Updated %description in the .spec file

OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=215
2024-06-20 14:05:02 +00:00
Ana Guerrero
1d78b13c14 Accepting request 1170172 from Base:System
OBS-URL: https://build.opensuse.org/request/show/1170172
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/s390-tools?expand=0&rev=77
2024-04-25 18:50:43 +00:00
Nikolay Gueorguiev
d297fda326 Accepting request 1170170 from home:dimstar:Factory
- s390-tools-genprotimg-data needs to require filesystem in order
  to ensure we are not installed before potential UsrMerge
  migration code was running (boo#1223090).

OBS-URL: https://build.opensuse.org/request/show/1170170
OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=213
2024-04-25 15:05:56 +00:00
Ana Guerrero
5bd7cf33fd Accepting request 1168819 from Base:System
OBS-URL: https://build.opensuse.org/request/show/1168819
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/s390-tools?expand=0&rev=76
2024-04-18 20:13:24 +00:00
Nikolay Gueorguiev
bc30f4c040 Accepting request 1168818 from home:ngueorguiev:branches:Base:System
- Applied an updated patch (bsc#1220949,bsc#1221873)
  * s390-tools-sles15sp6-01-parse-ipl-device-for-activation.patch

OBS-URL: https://build.opensuse.org/request/show/1168818
OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=211
2024-04-18 11:22:24 +00:00
Dominique Leuenberger
5bcb4ee0b4 Accepting request 1168394 from Base:System
Amended the .spec file for x86_64. Recommends: s390-tools-genprotimg-data

OBS-URL: https://build.opensuse.org/request/show/1168394
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/s390-tools?expand=0&rev=75
2024-04-17 12:45:28 +00:00
Nikolay Gueorguiev
3ab90cf26b Accepting request 1168392 from home:ngueorguiev:branches:Base:System
- Amended the .spec file for x86_64
  * Recommends: s390-tools-genprotimg-data

OBS-URL: https://build.opensuse.org/request/show/1168392
OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=209
2024-04-16 16:59:31 +00:00
Nikolay Gueorguiev
3dbfffe91f Accepting request 1168007 from home:ngueorguiev:branches:Base:System
Amended the .spec file

OBS-URL: https://build.opensuse.org/request/show/1168007
OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=208
2024-04-16 10:39:22 +00:00
Nikolay Gueorguiev
6dbc844406 Accepting request 1167955 from home:ngueorguiev:branches:Base:System
- Amended the .spec file for s390-tools-genprotimg-data-*.noarch.rpm
  * Removed the dependency on it on x86_64 platform
  * Updated the Summary and Description of the *.noarch.rpm (bsc#1222675)

OBS-URL: https://build.opensuse.org/request/show/1167955
OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=207
2024-04-16 08:24:54 +00:00
Nikolay Gueorguiev
6e6243123d Accepting request 1167136 from home:ngueorguiev:branches:Base:System
- Updated the .spec file to enable Secure Execution in the Cloud (bsc#1222675)
  * Creates a s390-tools-genprotimg-data-*.noarch.rpm package which includes
    s390x bootload binaries for x86_64: 
    - /lib/s390-tools/stage3.bin
    - /usr/share/s390-tools/genprotimg/stage3a.bin
    - /usr/share/s390-tools/genprotimg/stage3b_reloc.bin
  * Excludes the above binaries from the (main) s390-tools-*.s390x.rpm
  * Requires: s390-tools-genprotimg-data 
- SE-tooling: New IBM host-key subject locality (s390-tools) (bsc#1222282)
  * s390-tools-sles15sp5-01-rust-pv-support-Armonk-in-IBM-signing-key-subject.patch
  * s390-tools-sles15sp6-02-genprotimg-support-Armonk-in-IBM-signing-key-subject.patch
  * s390-tools-sles15sp6-03-libpv-support-Armonk-in-IBM-signing-key-subject.patch
  * s390-tools-sles15sp6-04-pvattest-Fix-root-ca-parsing.patch 
- Apllied a patch(bsc#1220949,bsc#1221873)
  * s390-tools-sles15sp6-01-parse-ipl-device-for-activation.patch
- Applied a patch (bsc#1221072) 
  * s390-tools-sles15sp6-genprotimg-makefile.patch

OBS-URL: https://build.opensuse.org/request/show/1167136
OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=206
2024-04-12 16:00:17 +00:00
Nikolay Gueorguiev
2f3aa4d874 Accepting request 1167028 from home:ngueorguiev:branches:Base:System
- Updated the .spec file to enable Secure Execution in the Cloud (bsc#1222675)
  * Creates a s390-tools-genprotimg-data-*.noarch.rpm package which includes
    s390x bootload binaries for x86_64: 
    - stage3a.bin and 
    - stage3b_reloc.bin 
    - plus check_hostkeydoc script

OBS-URL: https://build.opensuse.org/request/show/1167028
OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=205
2024-04-12 09:50:38 +00:00
Ana Guerrero
5f5d153391 Accepting request 1164464 from Base:System
OBS-URL: https://build.opensuse.org/request/show/1164464
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/s390-tools?expand=0&rev=74
2024-04-04 20:26:15 +00:00
Nikolay Gueorguiev
90cb01f5d3 Accepting request 1164463 from home:ngueorguiev:branches:Base:System
- SE-tooling: New IBM host-key subject locality (s390-tools) (bsc#1222282)
  * s390-tools-sles15sp5-01-rust-pv-support-Armonk-in-IBM-signing-key-subject.patch
  * s390-tools-sles15sp6-02-genprotimg-support-Armonk-in-IBM-signing-key-subject.patch
  * s390-tools-sles15sp6-03-libpv-support-Armonk-in-IBM-signing-key-subject.patch
  * s390-tools-sles15sp6-04-pvattest-Fix-root-ca-parsing.patch

OBS-URL: https://build.opensuse.org/request/show/1164463
OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=203
2024-04-04 05:49:32 +00:00
Ana Guerrero
c663be0a92 Accepting request 1164031 from Base:System
OBS-URL: https://build.opensuse.org/request/show/1164031
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/s390-tools?expand=0&rev=73
2024-04-02 14:43:48 +00:00
Nikolay Gueorguiev
1be3bd9ce3 Accepting request 1164030 from home:ngueorguiev:branches:Base:System
- Apllied a patch(bsc#1220949,bsc#1221873)
  * s390-tools-sles15sp6-01-parse-ipl-device-for-activation.patch

OBS-URL: https://build.opensuse.org/request/show/1164030
OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=201
2024-04-02 06:06:40 +00:00
Ana Guerrero
8fef2acc25 Accepting request 1158287 from Base:System
OBS-URL: https://build.opensuse.org/request/show/1158287
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/s390-tools?expand=0&rev=72
2024-03-15 19:32:31 +00:00
Nikolay Gueorguiev
a20ad4f579 Accepting request 1158286 from home:ngueorguiev:branches:Base:System
- Applied a patch (bsc#1221072) 
  * s390-tools-sles15sp6-genprotimg-makefile.patch

OBS-URL: https://build.opensuse.org/request/show/1158286
OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=199
2024-03-15 17:23:15 +00:00
Ana Guerrero
b950cba805 Accepting request 1157137 from Base:System
OBS-URL: https://build.opensuse.org/request/show/1157137
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/s390-tools?expand=0&rev=71
2024-03-13 21:18:21 +00:00
Nikolay Gueorguiev
54cec27eb2 Accepting request 1157136 from home:ngueorguiev:branches:Base:System
- Amended the .spec file for x86_64 (jsc#PED-7135, jsc#IBM-1309)

OBS-URL: https://build.opensuse.org/request/show/1157136
OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=197
2024-03-12 09:22:28 +00:00
Ana Guerrero
25240a2147 Accepting request 1148820 from Base:System
OBS-URL: https://build.opensuse.org/request/show/1148820
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/s390-tools?expand=0&rev=70
2024-02-22 19:56:35 +00:00
Nikolay Gueorguiev
0d94837b97 Accepting request 1148818 from home:ngueorguiev:branches:Base:System
- Applied a patch for kdump initrd (bsc#1219471) 
  * s390-tools-sles15sp6-kdump-initrd-59-zfcp-compat-rules.patch

OBS-URL: https://build.opensuse.org/request/show/1148818
OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=195
2024-02-21 17:20:17 +00:00
Nikolay Gueorguiev
51c2776a32 Accepting request 1148512 from home:oertel:branches:Base:System
- Provide groups as required by RPM 4.19

OBS-URL: https://build.opensuse.org/request/show/1148512
OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=194
2024-02-21 16:55:23 +00:00
Ana Guerrero
31a31c15c4 Accepting request 1145132 from Base:System
- Upgrade s390-tools to version 2.31 (jsc#PED-3275, jsc#PED-3223) 
- General:
  * common.mak: Set default C/C++ standard to gnu11/gnu++11
- Add new tools / libraries:
  * pvapconfig: Tool to automatically configure APQNs in SE KVM guests
  * s390-tools: Provide pre-commit configuration
- Changes of existing tools:
  * cpuplugd: Adjust to CPU 0 being no longer hotpluggable
  * dbginfo.sh: Check for Dynamic Partition Mode
  * dbginfo.sh: Update man page and copyright
  * rust/pv: Add user-data signing and verifying
  * rust/pvsecret: Add user defined signatures and verifications
  * zdev/dracut: Consolidate device configuration
- Bug Fixes:
  * dbginfo.sh: Fix relative path on script copy
  * libkmipclient: Fix build with libxml2-2.12.0
  * pvsecret: Fix panic if empty file is used as host key document
  * rust/pv: Fix 'elided_lifetimes_in_associated_constant' warning

OBS-URL: https://build.opensuse.org/request/show/1145132
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/s390-tools?expand=0&rev=69
2024-02-08 18:03:46 +00:00
Nikolay Gueorguiev
7696098655 Accepting request 1145079 from home:ngueorguiev:branches:Base:System
- Upgrade s390-tools to version 2.31 (jsc#PED-3275, jsc#PED-3223) 
- General:
  * common.mak: Set default C/C++ standard to gnu11/gnu++11
- Add new tools / libraries:
  * pvapconfig: Tool to automatically configure APQNs in SE KVM guests
  * s390-tools: Provide pre-commit configuration
- Changes of existing tools:
  * cpuplugd: Adjust to CPU 0 being no longer hotpluggable
  * dbginfo.sh: Check for Dynamic Partition Mode
  * dbginfo.sh: Update man page and copyright
  * rust/pv: Add user-data signing and verifying
  * rust/pvsecret: Add user defined signatures and verifications
  * zdev/dracut: Consolidate device configuration
- Bug Fixes:
  * dbginfo.sh: Fix relative path on script copy
  * libkmipclient: Fix build with libxml2-2.12.0
  * pvsecret: Fix panic if empty file is used as host key document
  * rust/pv: Fix 'elided_lifetimes_in_associated_constant' warning

OBS-URL: https://build.opensuse.org/request/show/1145079
OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=192
2024-02-08 09:00:36 +00:00
Ana Guerrero
56e4b5a7ae Accepting request 1143269 from Base:System
OBS-URL: https://build.opensuse.org/request/show/1143269
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/s390-tools?expand=0&rev=68
2024-02-01 17:05:55 +00:00
Nikolay Gueorguiev
548f90083d Accepting request 1143268 from home:ngueorguiev:branches:Base:System
- Updated read_values.c (bsc#1219227)

OBS-URL: https://build.opensuse.org/request/show/1143268
OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=190
2024-02-01 09:52:13 +00:00
Ana Guerrero
c578730eb1 Accepting request 1141278 from Base:System
Resubmitting the upgrade s390-tools to version 2.30 (jsc#PED-5783, jsc#PED-6785, jsc#PED-7136, jsc#PED-6539, jsc#PED-4604, jsc#PED-6649, jsc#PED-7138)

- Updated the .spec file
  * Explicitly specified 'ExclusiveArch: s390x x86_64'

Build succeeded on IBS (in a home project).

OBS-URL: https://build.opensuse.org/request/show/1141278
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/s390-tools?expand=0&rev=67
2024-01-25 17:41:01 +00:00
Nikolay Gueorguiev
c3329ac036 Accepting request 1141270 from home:ngueorguiev:branches:Base:System
- Updated the .spec file
  * Explicitly specified 'ExclusiveArch: s390x x86_64'

OBS-URL: https://build.opensuse.org/request/show/1141270
OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=188
2024-01-24 14:41:07 +00:00
Ana Guerrero
c43bec7f6f Accepting request 1133718 from Base:System
OBS-URL: https://build.opensuse.org/request/show/1133718
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/s390-tools?expand=0&rev=66
2023-12-17 20:33:37 +00:00
Nikolay Gueorguiev
2b4fe82638 Accepting request 1133716 from home:ngueorguiev:branches:Base:System
- Updated the .spec file to use gcc13 (bsc#1217838) 
- Amended read_values for '-S' option (bsc#1217923)
- Upgrade s390-tools to version 2.30
    (jsc#PED-5783, jsc#PED-6785, jsc#PED-7136, jsc#PED-6539, jsc#PED-4604, 
     jsc#PED-6649, jsc#PED-7138 )

OBS-URL: https://build.opensuse.org/request/show/1133716
OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=186
2023-12-17 06:44:35 +00:00
Nikolay Gueorguiev
8d7553371c Accepting request 1133714 from home:ngueorguiev:branches:Base:System
- Updated the .spec file to use gcc13 (bsc#1217838) 
- Amended read_values for '-S' option (bsc#1217923)
- Upgrade s390-tools to version 2.30
    (jsc#PED-5783, jsc#PED-6785, jsc#PED-7136, jsc#PED-6539, jsc#PED-4604, 
     jsc#PED-6649, jsc#PED-7138 )
- Amended the SUSE patches for version 2.30
- Revendored vendor.tar.gz
- Provide s390-tools on x86_64 to enable Secure Execution in the Cloud
    (jsc#PED-578, jsc#PED-7136, and jsc#PED-7138)
  * Selected tools from the s390-tools package need to be made available on x86_64.

OBS-URL: https://build.opensuse.org/request/show/1133714
OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=185
2023-12-17 06:32:28 +00:00
Ana Guerrero
9065b637d9 Accepting request 1126535 from Base:System
Reworked: Upgrade s390-tools (directly) from version 2.25.0 to version 2.29.0

OBS-URL: https://build.opensuse.org/request/show/1126535
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/s390-tools?expand=0&rev=65
2023-11-27 21:42:44 +00:00
Nikolay Gueorguiev
37aa81f763 Accepting request 1126534 from home:ngueorguiev:branches:Base:System
- Fixed a logic error in read_values.c

OBS-URL: https://build.opensuse.org/request/show/1126534
OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=183
2023-11-15 08:00:18 +00:00
Nikolay Gueorguiev
ff04561a05 Accepting request 1125589 from home:ngueorguiev:branches:Base:System
Upgrade s390-tools from version 2.25.0 to version 2.29.0 (Updated)

OBS-URL: https://build.opensuse.org/request/show/1125589
OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=182
2023-11-13 13:50:17 +00:00
Ana Guerrero
183732819a Accepting request 1116618 from Base:System
OBS-URL: https://build.opensuse.org/request/show/1116618
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/s390-tools?expand=0&rev=64
2023-10-10 19:00:50 +00:00
Nikolay Gueorguiev
d48f194e6b Accepting request 1116617 from home:ngueorguiev:branches:Base:System
Applied a patch (jsc#PED-6373)

OBS-URL: https://build.opensuse.org/request/show/1116617
OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=180
2023-10-10 08:22:26 +00:00
Ana Guerrero
e193ad1d58 Accepting request 1107201 from Base:System
- Amended read_value.c for newer z16 models (bsc#1214534) 
- Upgrade to version 2.29.0 (jsc#PED-3275)
  * s390-tools now supports tools written in Rust.
  * Add compdb Makefile target to create 'compile_commands.json' to support LSP
    backends in IDEs and editors
- Add new tools / libraries:
  * rust/pv: Library for pv tools written in rust
  * rust/pvsecret: Tool to manage UV-secrets
- Changes of existing tools:
  * dbginfo.sh: Global IFS variable
  * genprotimg: Add support for add-secret requests
  * genprotimg: Build debuginfo files for bootloader
  * hyptop: Add real SMT utilization field
  * hyptop: Allow users to set speedup factor
  * pvattest: Add yaml-output for verify command
  * zipl: Build debuginfo files for bootloader
- Bug Fixes:
  * dump2tar: Fix truncated paths
  * zdev/dracut: fix kdump build to integrate with site support
- Amended .spec for version 2.29.0, including Rust integration
- The patches were updated by quilt

OBS-URL: https://build.opensuse.org/request/show/1107201
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/s390-tools?expand=0&rev=63
2023-08-28 15:18:04 +00:00
Nikolay Gueorguiev
16326310fb Accepting request 1107184 from home:ngueorguiev:branches:Base:System
- Amended read_value.c for newer z16 models (bsc#1214534), the patches were updated by quilt.

OBS-URL: https://build.opensuse.org/request/show/1107184
OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=178
2023-08-28 12:27:50 +00:00
Nikolay Gueorguiev
ba8d894e4e Accepting request 1103339 from home:ngueorguiev:branches:Base:System
Version upgrade to 2.29.0, plus Rust integration, nee features, and bug fixes

OBS-URL: https://build.opensuse.org/request/show/1103339
OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=177
2023-08-10 13:58:59 +00:00
Nikolay Gueorguiev
1191853280 Accepting request 1102845 from home:ngueorguiev:branches:Base:System
- Upgrade to version 2.29.0 (jsc#PED-3275)
  * s390-tools now supports tools written in Rust.
  * Add compdb Makefile target to create 'compile_commands.json' to support LSP
    backends in IDEs and editors
- Add new tools / libraries:
  * rust/pv: Library for pv tools written in rust
  * rust/pvsecret: Tool to manage UV-secrets
- Changes of existing tools:
  * dbginfo.sh: Global IFS variable
  * genprotimg: Add support for add-secret requests
  * genprotimg: Build debuginfo files for bootloader
  * hyptop: Add real SMT utilization field
  * hyptop: Allow users to set speedup factor
  * pvattest: Add yaml-output for verify command
  * zipl: Build debuginfo files for bootloader
- Bug Fixes:
  * dump2tar: Fix truncated paths
  * zdev/dracut: fix kdump build to integrate with site support
- Amended .spec for version 2.29.0, including Rust integration

OBS-URL: https://build.opensuse.org/request/show/1102845
OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=176
2023-08-08 09:15:57 +00:00
Dominique Leuenberger
472fa20cc8 Accepting request 1093106 from Base:System
OBS-URL: https://build.opensuse.org/request/show/1093106
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/s390-tools?expand=0&rev=62
2023-06-14 14:31:33 +00:00
Nikolay Gueorguiev
089c94ca65 Accepting request 1093105 from home:ngueorguiev:branches:Base:System
- Upgrade to version 2.27.0 (jsc#PED-3275)
- Changes of existing tools:
  * s390-tools cross-compile and non-s390x support:
    - pkg-config is now mandatory for the build process
    - Add PKG_CONFIG Makefile variable to select pkg-config program;
      default pkg-config or $(CROSS_COMPILE)pkg-config if
      CROSS_COMPILE is set
    - Rename Makefile variable ARCH to HOST_ARCH. HOST_ARCH is the
      architecture that will run the produced (executable) objects
    - Add the Makefile variable BUILD_ARCH. BUILD_ARCH is the
      architecture of the build system. For each Makefile variable like
      CC, LINK, CPP, ... there is a suffixed version of it - e.g.
      CC_FOR_BUILD. This is useful for cross compiling, and this naming
      convention is very similar to the Meson convention (see
      https://mesonbuild.com/Reference-tables.html#environment-variables-per-machine).
    - Limit build targets for non-s390x architectures (pvattest)
  * dasdfmt: Fall back to full format if space release fails
  * dbginfo.sh: Add nstat for network and SNMP stats
  * dbginfo.sh: Rework crypto data collection
  * hyptop: Show thread util by default
  * zipl: Add support for list-directed IPL dump from ECKD DASD
- Bug Fixes:
  * lszcrypt: Fix argument parsing
  * zdev/dracut: Fix out-of-memory (OOM) situations in the kdump crashkernel environment
  * ziomon/ziorep_config: Fix for SCSI devices of type disk without block dev
  * pvextract-hdr: Fix parsing issues on little-endian systems
- Amended the .patches to fit the 2.27 version
- Removed obsolete patches (the fixes are included in this version)
  * s390-tools-sles15sp5-zipl-boot-disable-Warray-bounds-for-now.patch
  * s390-tools-sles15sp5-zkey-Support-EP11-host-library-version-4.patch
  * s390-tools-sles15sp5-01-zipl-boot-discard-.eh_frame-and-.interp-input-sectio.patch
  * s390-tools-sles15sp5-02-zipl-boot-declare-that-no-executable-stack-is-requir.patch
  * s390-tools-sles15sp5-03-zipl-boot-use-no-warn-rwx-segments-linker-flag.patch
  * s390-tools-sles15sp5-04-zipl-boot-disable-build-id.patch
  * s390-tools-sles15sp5-05-zipl-boot-simplify-objcopy-commands.patch
  * s390-tools-sles15sp5-06-zipl-move-STAGE2_MAX_SIZE-and-STAGE1B_LOAD_ADDR-to-l.patch
  * s390-tools-sles15sp5-07-zipl-boot-use-linker-scripts-for-all-bootloaders.patch
  * s390-tools-sles15sp5-08-genprotimg-boot-declare-that-no-executable-stack-is-.patch
  * s390-tools-sles15sp5-09-genprotimg-boot-use-no-warn-rwx-segments-linker-flag.patch
  * s390-tools-sles15sp5-10-genprotimg-boot-disable-build-id.patch
  * s390-tools-sles15sp5-11-genprotimg-boot-Makefile-simplify-objcopy-command.patch
  * s390-tools-sles15sp5-12-genprotimg-boot-improve-linker-scripts.patch
  * s390-tools-sles15sp5-13-genprotimg-boot-stage3b-add-size-check-to-the-linker.patch
  * s390-tools-sles15sp5-14-genprotimg-boot-stage3b_reloc.bin-add-linker-script.patch
  * s390-tools-sles15sp5-15-zipl-Embed-loader-data-directly-into-boot-object.patch
  * s390-tools-sles15sp5-lszcrypt-use-separate-index-for-inner-sub-device-loo.patch
  * s390-tools-sles15sp5-01-ziomon-ziorep_config-fix-missing-SG-major-minor-for-.patch
  * s390-tools-sles15sp5-02-ziomon-ziorep_config-fix-for-SCSI-devices-of-type-di.patch
  * s390-tools-sles15sp5-fix-chown-commands-syntax.patch

OBS-URL: https://build.opensuse.org/request/show/1093105
OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=174
2023-06-14 11:34:58 +00:00
Dominique Leuenberger
8b289ba900 Accepting request 1084723 from Base:System
OBS-URL: https://build.opensuse.org/request/show/1084723
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/s390-tools?expand=0&rev=61
2023-05-04 15:11:07 +00:00
Nikolay Gueorguiev
7c95b541d5 Accepting request 1084721 from home:ngueorguiev:branches:Base:System
Amended the .spec and .changes files

OBS-URL: https://build.opensuse.org/request/show/1084721
OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=172
2023-05-04 13:51:14 +00:00
Nikolay Gueorguiev
218a82336b Accepting request 1084572 from home:ngueorguiev:branches:Base:System
-  Applied patches for ziomon: fix for SCSI devices of type disk without block dev
    (bsc#1211008)
  * s390-tools-sles15sp5-01-ziomon-ziorep_config-fix-missing-SG-major-minor-for-.patch
  * s390-tools-sles15sp5-02-ziomon-ziorep_config-fix-for-SCSI-devices-of-type-di.patch

OBS-URL: https://build.opensuse.org/request/show/1084572
OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=171
2023-05-04 09:04:23 +00:00
Dominique Leuenberger
330df351c2 Accepting request 1084026 from Base:System
OBS-URL: https://build.opensuse.org/request/show/1084026
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/s390-tools?expand=0&rev=60
2023-05-02 14:19:36 +00:00
Nikolay Gueorguiev
0d293958ac Accepting request 1084025 from home:ngueorguiev:branches:Base:System
- Applies a fix, splitting of rd.zdev-parameters, in 
  * s390-tools-ALP-zdev-live.patch

OBS-URL: https://build.opensuse.org/request/show/1084025
OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=169
2023-05-02 12:18:49 +00:00
Dominique Leuenberger
fe225ae107 Accepting request 1082966 from Base:System
OBS-URL: https://build.opensuse.org/request/show/1082966
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/s390-tools?expand=0&rev=59
2023-04-26 15:26:44 +00:00
Nikolay Gueorguiev
a83d3a599a Accepting request 1082965 from home:ngueorguiev:branches:Base:System
- Tailored the .spec, added a patch 
  * s390-tools-ALP-zdev-live.patch

OBS-URL: https://build.opensuse.org/request/show/1082965
OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=167
2023-04-26 10:36:10 +00:00
Dominique Leuenberger
54c5e4bde3 Accepting request 1073983 from Base:System
OBS-URL: https://build.opensuse.org/request/show/1073983
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/s390-tools?expand=0&rev=58
2023-03-24 14:21:13 +00:00
Nikolay Gueorguiev
79397b8727 Accepting request 1073981 from home:ngueorguiev:branches:Base:System
Added scripts for activation of devices at boot via kernel command line for live installation (jsc#PED-2975)

OBS-URL: https://build.opensuse.org/request/show/1073981
OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=165
2023-03-23 14:03:20 +00:00
Dominique Leuenberger
34753922d8 Accepting request 1073791 from Base:System
OBS-URL: https://build.opensuse.org/request/show/1073791
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/s390-tools?expand=0&rev=57
2023-03-22 21:31:42 +00:00
Nikolay Gueorguiev
a50c71baff Accepting request 1073790 from home:ngueorguiev:branches:Base:System
- Added SUSE scripts
  * module-setup.sh
  * parse-zdev-suse.sh
  * write-udev-live-suse.sh

OBS-URL: https://build.opensuse.org/request/show/1073790
OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=163
2023-03-22 13:16:35 +00:00
Dominique Leuenberger
6b197d5195 Accepting request 1071822 from Base:System
OBS-URL: https://build.opensuse.org/request/show/1071822
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/s390-tools?expand=0&rev=56
2023-03-15 17:54:23 +00:00
Nikolay Gueorguiev
bff974e0d7 Accepting request 1071819 from home:ngueorguiev:branches:Base:System
- Applied a patch (bsc#1209196)
  * s390-tools-sles15sp5-lszcrypt-use-separate-index-for-inner-sub-device-loo.patch

OBS-URL: https://build.opensuse.org/request/show/1071819
OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=161
2023-03-14 15:59:31 +00:00
Dominique Leuenberger
45a637bb05 Accepting request 1070179 from Base:System
OBS-URL: https://build.opensuse.org/request/show/1070179
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/s390-tools?expand=0&rev=55
2023-03-08 13:54:23 +00:00
Nikolay Gueorguiev
943f9cc9ee Accepting request 1070178 from home:ngueorguiev:branches:Base:System
Updated s390-tools, cputype script (bsc#1208983)

OBS-URL: https://build.opensuse.org/request/show/1070178
OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=159
2023-03-08 12:55:05 +00:00
Dominique Leuenberger
ffb7bc260c Accepting request 1067102 from Base:System
OBS-URL: https://build.opensuse.org/request/show/1067102
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/s390-tools?expand=0&rev=54
2023-02-22 14:21:41 +00:00
Nikolay Gueorguiev
121bd3e056 Accepting request 1067101 from home:ngueorguiev:branches:Base:System
- Apllied the following patches (bsc#1208527, bsc#1206173) 
  * s390-tools-sles15sp5-01-zipl-boot-discard-.eh_frame-and-.interp-input-sectio.patch
  * s390-tools-sles15sp5-02-zipl-boot-declare-that-no-executable-stack-is-requir.patch
  * s390-tools-sles15sp5-03-zipl-boot-use-no-warn-rwx-segments-linker-flag.patch
  * s390-tools-sles15sp5-04-zipl-boot-disable-build-id.patch
  * s390-tools-sles15sp5-05-zipl-boot-simplify-objcopy-commands.patch
  * s390-tools-sles15sp5-06-zipl-move-STAGE2_MAX_SIZE-and-STAGE1B_LOAD_ADDR-to-l.patch
  * s390-tools-sles15sp5-07-zipl-boot-use-linker-scripts-for-all-bootloaders.patch
  * s390-tools-sles15sp5-08-genprotimg-boot-declare-that-no-executable-stack-is-.patch
  * s390-tools-sles15sp5-09-genprotimg-boot-use-no-warn-rwx-segments-linker-flag.patch
  * s390-tools-sles15sp5-10-genprotimg-boot-disable-build-id.patch
  * s390-tools-sles15sp5-11-genprotimg-boot-Makefile-simplify-objcopy-command.patch
  * s390-tools-sles15sp5-12-genprotimg-boot-improve-linker-scripts.patch
  * s390-tools-sles15sp5-13-genprotimg-boot-stage3b-add-size-check-to-the-linker.patch
  * s390-tools-sles15sp5-14-genprotimg-boot-stage3b_reloc.bin-add-linker-script.patch
  * s390-tools-sles15sp5-15-zipl-Embed-loader-data-directly-into-boot-object.patch

OBS-URL: https://build.opensuse.org/request/show/1067101
OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=157
2023-02-22 08:12:19 +00:00
Dominique Leuenberger
2928d2c820 Accepting request 1066409 from Base:System
OBS-URL: https://build.opensuse.org/request/show/1066409
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/s390-tools?expand=0&rev=53
2023-02-18 16:10:18 +00:00
Nikolay Gueorguiev
ac49185342 Accepting request 1066403 from home:josegomezr:branches:Base:System
- Implemented read_values -u. The result of -u is a unique identifier composed of:
  * Machine Serial Number.
  * LPAR Name.
  * VM Name (can be optional).

OBS-URL: https://build.opensuse.org/request/show/1066403
OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=155
2023-02-17 15:49:52 +00:00
Dominique Leuenberger
2f1b611155 Accepting request 1063869 from Base:System
- Added patch (bsc#1207947) 
  * s390-tools-sles15sp5-zkey-Support-EP11-host

OBS-URL: https://build.opensuse.org/request/show/1063869
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/s390-tools?expand=0&rev=52
2023-02-08 16:28:56 +00:00
Mark Post
6d93276945 OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=153 2023-02-08 15:35:07 +00:00
Mark Post
c754c8653a Accepting request 1063866 from home:ngueorguiev:branches:Base:System
Update package bsc#1207947

OBS-URL: https://build.opensuse.org/request/show/1063866
OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=152
2023-02-08 15:34:33 +00:00
Dominique Leuenberger
1ed27f1466 Accepting request 1057829 from Base:System
- Updated read_values.c for z16 machine type (bsc#1206832)
  * Added the IBM LinuxONE Emperor 4 machine type
- Updated read_values.c for z16 machine type (bsc#1206832) 
- Replace transitional %usrmerged macro with regular version check (boo#1206798)

OBS-URL: https://build.opensuse.org/request/show/1057829
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/s390-tools?expand=0&rev=51
2023-01-12 21:44:36 +00:00
Mark Post
6db70f138f OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=150 2023-01-11 16:01:09 +00:00
Mark Post
470141458c OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=149 2023-01-11 15:53:37 +00:00
Mark Post
03e16a4f71 OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=148 2023-01-11 15:50:55 +00:00
Mark Post
9781536900 Accepting request 1057822 from home:ngueorguiev:branches:Base:System
Updated package for bsc#1206832

OBS-URL: https://build.opensuse.org/request/show/1057822
OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=147
2023-01-11 15:50:20 +00:00
Dominique Leuenberger
4aaa81d091 Accepting request 1057742 from Base:System
OBS-URL: https://build.opensuse.org/request/show/1057742
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/s390-tools?expand=0&rev=50
2023-01-11 13:35:57 +00:00
Nikolay Gueorguiev
c2ff54d62c Accepting request 1057649 from home:ngueorguiev:branches:Base:System
Updated package for bsc#1206832

OBS-URL: https://build.opensuse.org/request/show/1057649
OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=145
2023-01-11 09:45:11 +00:00
Dominique Leuenberger
c528bace6e Accepting request 1043348 from Base:System
- Updated to version 2.25.0 (jsc#PED-627)
  * __v2.25.0 (2022-12-12)__
  For Linux kernel version: 6.1
  Changes of existing tools:
  - ap_tools: Use new mdevctl installation location
  - lsdasd/tunedasd/zdev: Add support to handle copy pair relations presented by the DASD driver
  - zdev: Add --shell command line switch to generate output suitable for shell environments
  - zipl: Add List-Directed IPL from ECKD DASD to support secure boot
  Bug Fixes:
  - ipl_tools: Fix chreipl node for NVMes with CONFIG_NVME_MULTIPATH
  - libdasd: Fix bug that prevented positive ioctl return codes
- Updated s390-tools-sles15sp5-fix-chown-commands-syntax.patch to fit the current version
- Removed obsolete Patch002, and Patch003
  # Patch002:       s390-tools-sles15sp5-util_lockfile-fix-includes.patch
  # Patch003:       s390-tools-sles15sp5-ap_tools-ap-check-use-new-mdevctl-install-location.patch

OBS-URL: https://build.opensuse.org/request/show/1043348
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/s390-tools?expand=0&rev=49
2022-12-16 16:52:24 +00:00
Mark Post
41107f03e2 OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=143 2022-12-12 15:18:51 +00:00
Mark Post
9f5dfc9a1c OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=142 2022-12-12 15:18:11 +00:00
Mark Post
f1cde68d53 Accepting request 1042407 from home:ngueorguiev:branches:Base:System
- Updated to version 2.25.0 (jsc#PED-627)
  * __v2.25.0 (2022-12-12)__
  For Linux kernel version: 6.1
  Changes of existing tools:
  - ap_tools: Use new mdevctl installation location
  - lsdasd/tunedasd/zdev: Add support to handle copy pair relations presented by the DASD driver
  - zdev: Add --shell command line switch to generate output suitable for shell environments
  - zipl: Add List-Directed IPL from ECKD DASD to support secure boot
  Bug Fixes:
  - ipl_tools: Fix chreipl node for NVMes with CONFIG_NVME_MULTIPATH
  - libdasd: Fix bug that prevented positive ioctl return codes
- Updated s390-tools-sles15sp5-fix-chown-commands-syntax.patch to fit the current version
- Removed obsolete Patch002, and Patch003
  # Patch002:       s390-tools-sles15sp5-util_lockfile-fix-includes.patch
  # Patch003:       s390-tools-sles15sp5-ap_tools-ap-check-use-new-mdevctl-install-location.patch

OBS-URL: https://build.opensuse.org/request/show/1042407
OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=141
2022-12-12 15:17:09 +00:00
Dominique Leuenberger
b578ec1859 Accepting request 1041154 from Base:System
OBS-URL: https://build.opensuse.org/request/show/1041154
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/s390-tools?expand=0&rev=48
2022-12-07 16:35:52 +00:00
Mark Post
cab6866186 Accepting request 1041153 from home:markkp:branches:Base:System
- Made extensive changes to the spec file to accomodate building
  this package on both openSUSE, which has implemented the
  "usrmerge" project, and SLES, which has not. This was accomplished
  by checking the usrmerged variable, and setting the value of the
  _mysbindir variable, accordingly. The files identified in the
  
  two versions. One for SLES, and one for openSUSE, with either
  ".suse" or ".opensuse" appended to the file name. The appropriate
  SOURCE variable is selected based on the usrmerged variable, and
  installed with the ".suse" or ".opensuse" suffix stripped from
  the name.
  *  59-graf.rules
  *  dasd_configure
  *  dasd_reload
  *  detach_disks.sh
  *  iucv_configure
  *  killcdl
  *  mkdump.pl
  *  README.SUSE
  *  s390-tools-sles12-update-by_id-links-on-change-and-add-action.patch
  *  virtsetup.sh
  *  vmlogrdr.service
- Updated to version 2.24.0 (jsc#PED-627)
  * __v2.24.0 (2022-11-09)__
    For Linux kernel version: 6.0
    Add new tools / libraries:
    - Provide config files for checkpatch, codespell, and clang-format
    Changes of existing tools:
    - dbginfo.sh: Collect log from various distro tools (YaST, DNF, Anaconda)
    - dbginfo.sh: add Kubernetes data collection
    - libutil: Introduce util_lockfile
    - zdev: Add site-aware device configuration
    - zdump: Add support to read Protected Virtualization dumps
    - zipl/boot: Add secure boot trailer
    Bug Fixes:
    - ap_tools/ap-check: Reject start for control domains without usage
    - cpumf/lshwc: Fix incremented counter output
    - cpumf/pai: Fix core dump when summary flag set
    - dbginfo.sh: Ensure compatibility with /bin/dash shell
    - dbginfo.sh: Save dbginfo.sh version to dbginfo.log
    - zipl/src/zipl_helper.device-mapper: Fix bug in error path
  * __v2.23.0 (2022-08-18)__
    For Linux kernel version: 5.19
    Changes of existing tools:
    - Makefile: use common Make definition for DRACUTDIR
    - Makefile: use common Make definition for UDEVDIR and UDEVRULESDIR
    - cpacfstats: Add PAI and hotplug support
    - cpumf/pai: Omit file write progress information
    - dbginfo.sh: Get more details on lspci command
    - dumpconf: Prevent running the service in containers
    - libcpumf: Detect PMU named pai_ext
    - pvattest: Improve error reporting and logging
    - zdev: Add some --type ap examples to manpages
    - zkey: Use default benchmarked Argon2i with LUKS2
    Bug Fixes:
    - dbginfo.sh: Fix accidental ftrace buffer shrinkage/free
    - genprotimg: Fix BIO_reset() returncode handling
    - libpv: Fix dependency checking
    - pvattest: Fix dependency checking
    - zipl: Fix segmentation fault when no parmline is provided
  * __v2.22.0 (2022-06-20)__
    For Linux kernel version: 5.18
    Add new tools / libraries:
    - ap_tools: Introduce ap_tools and the ap-check tool
    - cpumf/pai: Add Processor Activity Instrumentation tool
    - libpv: New library for PV tools
    - pvattest: Add new tool to create, perform, and verify attestation measurements
    - zipl/zdump: Add Next Gen Dump (NGDump) support
    Changes of existing tools:
    - Move man pages to System commands section (lscpumf, lshwc, pai, dbginfo.sh, zfcpdbf, zipl-switch-to-blscfg)
    - README.md: Add 70-chreipl-fcp-mpath.rules to the list of udev rule descriptions
    - Remove SysV related daemon scripts (cpacfstatsd, cpuplugd, mon_statd)
    - genprotimg: Move man page to section 1 for user commands
    - hyptop: increase initial update interval
    - libseckey: Adapt keymgmt_match() implementation to OpenSSL
    - libutil: Add util_exit_code
    - libutil: Introduce util_udev
    - zdev: Introduce the ap device type
    - zipl-editenv: Add zIPL multienvironment support
    - zipl: Implement sorting BLS entries by versions
    - zkey: Add initramfs hook
    Bug Fixes:
    - cmsfs-fuse: Fix enabling of hard_remove option
    - s390-tools: Fix typos that were detected by lintian as 'typo-in-manual-page'
    - zkey-kmip: Fix possible use after free
    - zkey: Fix EP11 host library version checking
    - zkey_kmip: Setup ext-lib once the APQNs have been configured
  * __v2.21.0 (2022-04-20)__
    For Linux kernel version: 5.17
    Add new tools / libraries:
    - libcpumf: Create library libcpumf for CPU Measurement functions
    Changes of existing tools:
    - chreipl-fcp-mpath: bundle a pre-cooked version of the manpage for build
                         environments without access to `pandoc`
    - dbginfo.sh: Add multipath info to map paths to FC addressing and prio group
    - dbginfo.sh: Collect config files of systemd-modules-load.service
    - dbginfo.sh: Sort list of environment variables for readability
    - dbginfo.sh: Replace "which" by builtin command "type"
    - dbginfo.sh: Rework script formatting (indents, order)
    - dbginfo.sh: Update sysfs collection (excludes, messages)
    - genprotimg: Add Protected Virtualization (PV) dump support
    - genprotimg: Remove DigiCert root CA pinning
    - lszcrypt: Add CEX8S support
    - zcryptctl: Add control domain handling
    - zcryptstats: Add CEX8 support
    - zipl: Allow optional entries that are left out when files are missing
    - zipl: make IPL sections defined with BLS to inherit a target field
    - zpcictl: Add option to trigger firmware reset
    Bug Fixes:
    - cpictl: Handle excessive kernel version numbers
    - dbginfo.sh: Collect all places where modprobe.d config files could exist
    - fdasd: Fix endless menu loop on EOF
    - zdump/dfi: Fix segfault due to double free
    - zdump: Fix /dev/mem reading
    - zpcictl: Fix race of SCLP reset and Linux recovery
  * __v2.20.0 (2022-02-04)__
    For Linux kernel version: 5.16
    Add new tools / libraries:
    - Add EditorConfig configuration
    Changes of existing tools:
    - s390-tools switches to Fuse 3 as Fuse 2 is deprecated.
          Affected tools: cmsfs, hmcdrvfs, hsavmcore, zdsfs, zdump
    - chreipl-fcp-mpath: don't compress the manpage before installing it
    - cpictl: Report extended version information
    - genprotimg: Add extended kernel command line support
    - zdev: modify the lsblk output parser in lszdev
    - zipl: Add support for longer kernel command lines (now supports up to 64k length)
    Bug Fixes:
    - cpictl: Suppress messages for unwritable sysfs files
    - dbginfo.sh: Fix missing syslog for step create_package
    - lshwc: Fix CPU list parameter setup for device driver
    - zdev: Check for errors when removing a devtype setting
    - zdev: Fix path resolution for multi-mount point file systems
- Updated s390-tools-sles15sp3-remove-no-pie-link-arguments.patch
  to fit the new version, and renamed it to
  s390-tools-sles15sp5-remove-no-pie-link-arguments.patch.
- Added s390-tools-sles15sp5-util_lockfile-fix-includes.patch to fix a
  compilation problem. One source file was missing an include statement
  for unistd.h.
- Added s390-tools-sles15sp5-ap_tools-ap-check-use-new-mdevctl-install-location.patch
  An executable binary was being installed under /etc, which is
  an FHS violation.
- Modified spec file to
  * Change BuildRequires for fuse-devel to fuse3-devel.
  * Remove obsolete BuildRequires for libpfm-devel
  * Add a BuildRequires for mdevctl and systemd-devel
  * Added a %files entry for dir %{_prefix}/lib/dracut/modules.d/99ngdump  
  * Added %config(noreplace) for the new file %{_sysconfdir}/ziplenv
  * Uncomment the %files entry for %{_mandir}/man7/chreipl-fcp-mpath.7%{?ext_man}
    Specifying ENABLE_DOC=1 is no longer needed for it to be generated.
  * Add %dir entries for
      %{_prefix}/lib/mdevctl,
      %{_prefix}/lib/mdevctl/scripts.d, and 
      %{_prefix}/lib/mdevctl/scripts.d/callouts
    NOTE that these directories do not belong to this package, but
    the mdevctl package has yet to be updated to claim them. So,
    until that happens, we have to temporarily claim ownership of
    them for the s390-tools package to build.
- Updated the s390-tools-rpmlintrc file to suppress two warnings about
  the /boot/zipl/active_devices.txt file.
- Removed the following obsolete patches:
  * s390-tools-sles15sp4-chreipl-fcp-mpath-don-t-compress-the-manpage-before-.patch
  * s390-tools-sles15sp4-chreipl-fcp-mpath-remove-shebang-from-chreipl-fcp-mp.patch
  * s390-tools-sles15sp4-zdev-modify-the-lsblk-output-parser-in-lszdev.patch
  * s390-tools-sles15sp4-zdev-Fix-path-resolution-for-multi-mount-point-file-.patch
  * s390-tools-sles15sp4-01-genprotimg-remove-DigiCert-root-CA-pinning.patch
  * s390-tools-sles15sp4-02-genprotimg-check_hostkeydoc-relax-default-issuer-che.patch
  * s390-tools-sles15sp4-libseckey-Fix-re-enciphering-of-EP11-secure-key.patch
  * s390-tools-sles15sp4-zdump-fix-segfault-due-to-double-free.patch
  * s390-tools-sles15sp4-libseckey-Adapt-keymgmt_match-implementation-to-Open.patch
  * s390-tools-sles15sp4-genprotimg-boot-disable-Warray-bounds-for-now.patch
  * s390-tools-sles15sp4-hyptop-increase-initial-update-interval.patch
  * s390-tools-sles15sp4-zipl-boot-add-secure-boot-trailer.patch
- Added s390-tools-sles15sp5-zipl-boot-disable-Warray-bounds-for-now.patch
  With this version, the same false positive of "array subscript 0
  is outside array bounds" that was previously seen in the
  genprotimage/boot directory is now happening in zipl/boot.
- Added s390-tools-sles15sp5-fix-chown-commands-syntax.patch to
  eliminate a bunch of warnings. The new version of chown complains
  if the deprecated 'owner.group' syntax is used instead of the
  'owner:group' syntax.
- Added s390-tools-sles15sp4-zipl-boot-add-secure-boot-trailer.patch
  for bsc#1204965. New IBM Z firmware requires all signed boot
  images to contain a trailing data block with a specific format.
- Added s390-tools-sles15sp4-hyptop-increase-initial-update-interval.patch
  for bsc#1201412. Initial iteration of hyptop can produce bloated values
  independent from the update delay set by the user.
- Added s390-tools-sles15sp4-genprotimg-boot-disable-Warray-bounds-for-now.patch
  to fix a build failure with gcc12. With gcc12, a "false positive"
  of "array subscript 0 is outside array bounds" is seen in
  genprotimg/boot/stage3a.c (bsc#1200131).

OBS-URL: https://build.opensuse.org/request/show/1041153
OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=139
2022-12-07 15:36:05 +00:00
Dominique Leuenberger
bfaab82b9c Accepting request 980530 from Base:System
OBS-URL: https://build.opensuse.org/request/show/980530
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/s390-tools?expand=0&rev=47
2022-06-02 19:54:55 +00:00
Mark Post
944f52c5bb Accepting request 980529 from home:markkp:branches:Base:System
- Modifed the spec file to install all binaires in /usr/sbin instead of /sbin
  to align with the "usrmerge" initiative in openSUSE. (bsc#1195914) Also
  modified the following files that SUSE provides that need to reflect this
  change:
  *  59-graf.rules
  *  dasd_configure
  *  dasd_reload
  *  detach_disks.sh
  *  iucv_configure
  *  killcdl
  *  mkdump.pl
  *  README.SUSE
  *  s390-tools-sles12-update-by_id-links-on-change-and-add-action.patch
  *  virtsetup.sh
  *  vmlogrdr.service
- Added s390-tools-sles15sp4-libseckey-Adapt-keymgmt_match-implementation-to-Open.patch
  for bsc#1199649. zkey: KMIP plugin fails to connection to KMIP server
  When a zkey key repository is bound to the KMIP plugin, and the
  connection to the KMIP server is to be configired using command 
  'zkey kms configure --kmip-server <server>', it fails to connect
  to the specified KMIP server. 
- Added s390-tools-sles15sp4-genprotimg-boot-disable-Warray-bounds-for-now.patch
  to fix a build failure with gcc12. With gcc12, a "false positive"
  of "array subscript 0 is outside array bounds" is seen in
  genprotimg/boot/stage3a.c (bsc#1200131).

OBS-URL: https://build.opensuse.org/request/show/980529
OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=137
2022-06-02 16:42:42 +00:00
Dominique Leuenberger
e780a71f2a Accepting request 974770 from Base:System
OBS-URL: https://build.opensuse.org/request/show/974770
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/s390-tools?expand=0&rev=46
2022-05-03 19:19:41 +00:00
Mark Post
26778d88f7 Accepting request 974769 from home:markkp:branches:Base:System
- Added s390-tools-sles15sp4-zdump-fix-segfault-due-to-double-free.patch
  for bsc#1199128. zgetdump --info may lead to a core dump when
  issued for the device node (not a partition) right after
  installing multi-volume dump tool (without taking actual dump).

OBS-URL: https://build.opensuse.org/request/show/974769
OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=135
2022-05-03 18:31:04 +00:00
Dominique Leuenberger
5b55f946cd Accepting request 970181 from Base:System
- Updated the cputype script to include the model number of IBM's
  recently announced z16 processor.
- Added the following patches for bsc#1198285:
  s390-tools-sles15sp4-01-genprotimg-remove-DigiCert-root-CA-pinning.patch
  s390-tools-sles15sp4-02-genprotimg-check_hostkeydoc-relax-default-issuer-che.patch
  The certificate verification of check_hostkeydoc is too strict and
  doesn't match the checking performed by genprotimg.
- Added the following patch for bsc#1198284:
  s390-tools-sles15sp4-libseckey-Fix-re-enciphering-of-EP11-secure-key.patch
  When re-enciphering the identity key and/or wrapping key of the
  zkey KMIP plugin via 'zkey kms reencipher', the operation
  completes without an error, but the secure keys are left 
  un-reenciphered.

OBS-URL: https://build.opensuse.org/request/show/970181
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/s390-tools?expand=0&rev=45
2022-04-14 15:26:04 +00:00
Mark Post
e797d2291b OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=133 2022-04-14 13:58:59 +00:00
Mark Post
9b20ffa361 - Updated the cputype script to include the model number of IBM's
recently announced z16 processor.

OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=132
2022-04-14 13:58:10 +00:00
Mark Post
efbf0ee8b4 Accepting request 970173 from home:markkp:branches:Base:System
- Added the following patches for bsc#1198285:
  s390-tools-sles15sp4-01-genprotimg-remove-DigiCert-root-CA-pinning.patch
  s390-tools-sles15sp4-02-genprotimg-check_hostkeydoc-relax-default-issuer-che.patch
  The certificate verification of check_hostkeydoc is too strict and
  doesn't match the checking performed by genprotimg.
- Added the following patch for bsc#1198284:
  s390-tools-sles15sp4-libseckey-Fix-re-enciphering-of-EP11-secure-key.patch
  When re-enciphering the identity key and/or wrapping key of the
  zkey KMIP plugin via 'zkey kms reencipher', the operation
  completes without an error, but the secure keys are left 
  un-reenciphered.

OBS-URL: https://build.opensuse.org/request/show/970173
OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=131
2022-04-14 13:51:10 +00:00
Dominique Leuenberger
deeeae98d6 Accepting request 961137 from Base:System
- install modprobe.conf files into %_modprobedir (bsc#1196275, jsc#SLE-20639)

OBS-URL: https://build.opensuse.org/request/show/961137
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/s390-tools?expand=0&rev=44
2022-03-11 20:54:16 +00:00
Mark Post
d545b2adf4 OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=129 2022-03-11 20:01:09 +00:00
Mark Post
bf9057d3fe Accepting request 960056 from home:mwilck:modprobe.d
- install modprobe.conf files into %_modprobedir (bsc#1196275, jsc#SLE-20639)

OBS-URL: https://build.opensuse.org/request/show/960056
OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=128
2022-03-10 20:23:58 +00:00
Dominique Leuenberger
6d956224a4 Accepting request 956862 from Base:System
OBS-URL: https://build.opensuse.org/request/show/956862
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/s390-tools?expand=0&rev=43
2022-02-23 15:26:01 +00:00
Mark Post
87107bff8d Accepting request 956861 from home:markkp:branches:Base:System
- Added s390-tools-sles15sp4-zdev-modify-the-lsblk-output-parser-in-lszdev.patch
  for bsc#1196255. Version 2.37+ of util-linux modified the output
  characters of lsblk,which breaks the parser function. 
- Added s390-tools-sles15sp4-zdev-Fix-path-resolution-for-multi-mount-point-file-.patch
  for bsc#1196254. Path resolution fails when a device provides
  multiple mount points such as, for example, when using btrfs
  subvolumes, or when mounting the same file system at multiple
  mount points.

OBS-URL: https://build.opensuse.org/request/show/956861
OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=127
2022-02-22 20:26:49 +00:00
Dominique Leuenberger
12e4c6c263 Accepting request 947319 from Base:System
OBS-URL: https://build.opensuse.org/request/show/947319
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/s390-tools?expand=0&rev=42
2022-01-21 00:25:05 +00:00
Mark Post
3a47b63b15 Accepting request 947318 from home:markkp:branches:Base:System
- Upgraded to version 2.19.0 (jsc#SLE-18324)
  * v2.19.0 (2021-11-10)__
    Add new tools / libraries:
    - chreipl-fcp-mpath: New toolset that uses multipath information to change
      the configured FCP re-IPL path on detecting issues with the current path
    Changes of existing tools:
    - dbginfo.sh: Add retry timeout and remove possible blocking "blockdev --report"
    - dbginfo.sh: Collect config- and debug-data for chreipl-fcp-mpath
    - hsci: Add support for multiple MAC addresses
    Bug Fixes:
    - lshwc: Fix compile error for gcc <8.1
    - zdump: Various clean-ups and fixes
    - ziomon: Correct throughput calculation in ziorep_printers
    - zipl: Fix segmentation fault when setting stage3_parms
  * v2.18.0 (2021-10-01)__
    Add new tools:
    - scripts: Add tool for parsing sclp s390dbf logs
    - zdev: Add udev rule helper tool
    - zipl-editenv: Add tool to operate with zIPL environment installed in the boot record
    Changes of existing tools:
    - Makefile: Fix order of build of libraries for parallel builds
    - dbginfo.sh: Add collection in area of timedate, coredump and --check option
    - dbginfo.sh: Add exception on dump2tar for /sys/kernel/mm/page_idle/bitmap
    - dbginfo.sh: Cleanup of outdated sections and general code rework
    - dbginfo.sh: Collect zipl boot menu entries from boot loader specification
    - lszcrypt: Add support for vfio-ap status field
    - lszcrypt: Improved output for deconfig cards and queues
    - lszfcp: Add linkdown case to host marker of extended output
    - zdev: Add auto-config for PCI and crypto devices
    - zdump: Introduce multi-level message logging
    - zipl: Add support for environment block interpretation
    - zkey-cryptsetup: Support LUKS2 volumes with integrity support enabled
    Bug Fixes:
    - hsavmcore: Avoid recompilation of overlay during install step
    - libkmipclient: Fix parsing of hex values for XML and JSON encoding
    - vmur/vmur.cpp: Fix error handling on transfer failure
    - zdump: Lots of smaller fixes across the board
  * v2.17.0 (2021-07-07)__
    Add new tools / libraries:
    - hsavmcore: New utility to make the dump process with kdump more efficient
    - libkmipclient: Add KMIP client shared library
    - libseckey: Add a secure key library
    - lshwc: New tool to extract and list complete counter sets
    Changes of existing tools:
    - genprotimg: Add '--(enable|disable)-pckmo' options
    - genprotimg: Add OpenSSL 3.0 support
    - genprotimg: Change plaintext control flags defaults so PCKMO functions are allowed
    - libutil: Introduce multi-level message logging (util_log)
    - libutil: Introduce util_arch module
    - udev/dasd: Change DASD udev-rule to set none scheduler
    - zdsfs: Add transparent codepage conversion
    - zkey: Add support for KMIP-based key management systems
    Bug Fixes:
    - ttyrun-getty: Avoid conflicts with serial-getty@
    - dbginfo: add /proc/kallsyms - refresh zVM, lscpu - fix WORKARCHIVE handling
    - dbginfo: add KVM data collection for server and guest - fix lszdev
    - genprotimg: Add missing return values in error paths
    - zkey: Fix conversion of CCA DATA keys to CCA CIPHER keys
    - znetconf: avoid conflict with "chzdev -e"
  * v2.16.0 (2021-02-19)__
    Add new tool:
    - hsci: New tool to manage HSCI (HiperSockets Converged Interfaces)
    Changes of existing tools:
    - genprotimg: Add host-key document verification support
    - genprotimg: boot: Make boot loader -march=z900 compatible
    - libekmfweb: Make install directory for shared libraries configurable
    - lsdasd: Add FC Endpoint Security information
    - make: Add address sanitizer support
    - netboot: Add version information to scripts
    - netboot: Bump busybox version in pxelinux.0 build
    - zdev: Add FC Endpoint Security information for DASD devices
    - zdev: Add build option to update initial RAM-disk by default
    - zkey-ekmfweb: Avoid sequence number clash when generating keys
    - zkey/zkey-ekmfweb: Install KMS plugins into configurable location
    - zkey: Add support to store LUKS2 dummy passphrase in key repository
    Bug Fixes:
    - dasdfmt: Fix segfault when an incorrect option is specified
    - genprotimg: Fix several build issues
    - genprotimg: Require argument for 'ramdisk' and 'parmfile' options
    - zcryptstats: Fix handling of partial results with many domains
    - zfcpdbf: Deal with crash 7.2.9 change in caller name formatting
    - zipl/boot: Fix memory use after free in stage2
    - zipl/boot: Fix potential heap overflow in stage2
    - zipl: Fix reading 4k disk's geometry
- Added the following two IBM patches:
  * s390-tools-sles15sp4-chreipl-fcp-mpath-don-t-compress-the-manpage-before-.patch
  * s390-tools-sles15sp4-chreipl-fcp-mpath-remove-shebang-from-chreipl-fcp-mp.patch
- Removed the following obsolete patches
  * s390-tools-sles15sp3-dasdfmt-Fix-segfault-when-an-incorrect-option-is-spe.patch
  * s390-tools-sles15sp3-libutil-Compare-proc-entries-to-vfstype.patch
  * s390-tools-sles15sp3-01-zdev-Add-FC-Endpoint-Security-information-for-DASD-d.patch
  * s390-tools-sles15sp3-02-lsdasd-Add-FC-Endpoint-Security-information.patch
  * s390-tools-sles15sp3-hsci-Add-new-tool-to-control-HiperSockets-Converged-.patch
  * s390-tools-sles15sp3-zcryptstats-Fix-handling-of-partial-results-with-man.patch
  * s390-tools-sles15sp3-01-genprotimg-abort-if-one-of-the-recursive-targets-is-.patch
  * s390-tools-sles15sp3-02-genprotimg-fix-two-memory-leaks.patch
  * s390-tools-sles15sp3-03-genprotimg-require-argument-for-ramdisk-and-parmfile.patch
  * s390-tools-sles15sp3-04-genprotimg-add-host-key-document-verification-suppor.patch
  * s390-tools-sles15sp3-zkey-Fix-APQN-property-names.patch
  * s390-tools-sles15sp3-zipl-fix-4k-scsi-ipl.patch
  * s390-tools-sles15sp3-dasd-change-DASD-udev-rule-to-set-none-scheduler.patch
  * s390-tools-sles15sp3-check-return-code-from-util_file_read_l.patch
  * s390-tools-sles15sp3-dbginfo.sh-exclude-page_idle-bitmap.patch
- Removed an obsolete "export ROOT_BUILD_DIR" statement from the spec file.
- Removed unnecessary defattr statements in the files section.

OBS-URL: https://build.opensuse.org/request/show/947318
OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=126
2022-01-19 01:59:23 +00:00
Dominique Leuenberger
cb493329ea Accepting request 931286 from Base:System
- Upgraded to version 2.19.0 (jsc#SLE-18324)
  * v2.19.0 (2021-11-10)__
    Add new tools / libraries:
    - chreipl-fcp-mpath: New toolset that uses multipath information to change
      the configured FCP re-IPL path on detecting issues with the current path
    Changes of existing tools:
    - dbginfo.sh: Add retry timeout and remove possible blocking "blockdev --report"
    - dbginfo.sh: Collect config- and debug-data for chreipl-fcp-mpath
    - hsci: Add support for multiple MAC addresses
    Bug Fixes:
    - lshwc: Fix compile error for gcc <8.1
    - zdump: Various clean-ups and fixes
    - ziomon: Correct throughput calculation in ziorep_printers
    - zipl: Fix segmentation fault when setting stage3_parms
  * v2.18.0 (2021-10-01)__
    Add new tools:
    - scripts: Add tool for parsing sclp s390dbf logs
    - zdev: Add udev rule helper tool
    - zipl-editenv: Add tool to operate with zIPL environment installed in the boot record
    Changes of existing tools:
    - Makefile: Fix order of build of libraries for parallel builds
    - dbginfo.sh: Add collection in area of timedate, coredump and --check option
    - dbginfo.sh: Add exception on dump2tar for /sys/kernel/mm/page_idle/bitmap
    - dbginfo.sh: Cleanup of outdated sections and general code rework
    - dbginfo.sh: Collect zipl boot menu entries from boot loader specification
    - lszcrypt: Add support for vfio-ap status field
    - lszcrypt: Improved output for deconfig cards and queues
    - lszfcp: Add linkdown case to host marker of extended output
    - zdev: Add auto-config for PCI and crypto devices
    - zdump: Introduce multi-level message logging
    - zipl: Add support for environment block interpretation
    - zkey-cryptsetup: Support LUKS2 volumes with integrity support enabled
    Bug Fixes:
    - hsavmcore: Avoid recompilation of overlay during install step
    - libkmipclient: Fix parsing of hex values for XML and JSON encoding
    - vmur/vmur.cpp: Fix error handling on transfer failure
    - zdump: Lots of smaller fixes across the board
  * v2.17.0 (2021-07-07)__
    Add new tools / libraries:
    - hsavmcore: New utility to make the dump process with kdump more efficient
    - libkmipclient: Add KMIP client shared library
    - libseckey: Add a secure key library
    - lshwc: New tool to extract and list complete counter sets
    Changes of existing tools:
    - genprotimg: Add '--(enable|disable)-pckmo' options
    - genprotimg: Add OpenSSL 3.0 support
    - genprotimg: Change plaintext control flags defaults so PCKMO functions are allowed
    - libutil: Introduce multi-level message logging (util_log)
    - libutil: Introduce util_arch module
    - udev/dasd: Change DASD udev-rule to set none scheduler
    - zdsfs: Add transparent codepage conversion
    - zkey: Add support for KMIP-based key management systems
    Bug Fixes:
    - ttyrun-getty: Avoid conflicts with serial-getty@
    - dbginfo: add /proc/kallsyms - refresh zVM, lscpu - fix WORKARCHIVE handling
    - dbginfo: add KVM data collection for server and guest - fix lszdev
    - genprotimg: Add missing return values in error paths
    - zkey: Fix conversion of CCA DATA keys to CCA CIPHER keys
    - znetconf: avoid conflict with "chzdev -e"
  * v2.16.0 (2021-02-19)__
    Add new tool:
    - hsci: New tool to manage HSCI (HiperSockets Converged Interfaces)
    Changes of existing tools:
    - genprotimg: Add host-key document verification support
    - genprotimg: boot: Make boot loader -march=z900 compatible
    - libekmfweb: Make install directory for shared libraries configurable
    - lsdasd: Add FC Endpoint Security information
    - make: Add address sanitizer support
    - netboot: Add version information to scripts
    - netboot: Bump busybox version in pxelinux.0 build
    - zdev: Add FC Endpoint Security information for DASD devices
    - zdev: Add build option to update initial RAM-disk by default
    - zkey-ekmfweb: Avoid sequence number clash when generating keys
    - zkey/zkey-ekmfweb: Install KMS plugins into configurable location
    - zkey: Add support to store LUKS2 dummy passphrase in key repository
    Bug Fixes:
    - dasdfmt: Fix segfault when an incorrect option is specified
    - genprotimg: Fix several build issues
    - genprotimg: Require argument for 'ramdisk' and 'parmfile' options
    - zcryptstats: Fix handling of partial results with many domains
    - zfcpdbf: Deal with crash 7.2.9 change in caller name formatting
    - zipl/boot: Fix memory use after free in stage2
    - zipl/boot: Fix potential heap overflow in stage2
    - zipl: Fix reading 4k disk's geometry
- Removed the following obsolete patches
  * s390-tools-sles15sp3-dasdfmt-Fix-segfault-when-an-incorrect-option-is-spe.patch
  * s390-tools-sles15sp3-libutil-Compare-proc-entries-to-vfstype.patch
  * s390-tools-sles15sp3-01-zdev-Add-FC-Endpoint-Security-information-for-DASD-d.patch
  * s390-tools-sles15sp3-02-lsdasd-Add-FC-Endpoint-Security-information.patch
  * s390-tools-sles15sp3-hsci-Add-new-tool-to-control-HiperSockets-Converged-.patch
  * s390-tools-sles15sp3-zcryptstats-Fix-handling-of-partial-results-with-man.patch
  * s390-tools-sles15sp3-01-genprotimg-abort-if-one-of-the-recursive-targets-is-.patch
  * s390-tools-sles15sp3-02-genprotimg-fix-two-memory-leaks.patch
  * s390-tools-sles15sp3-03-genprotimg-require-argument-for-ramdisk-and-parmfile.patch
  * s390-tools-sles15sp3-04-genprotimg-add-host-key-document-verification-suppor.patch
  * s390-tools-sles15sp3-zkey-Fix-APQN-property-names.patch
  * s390-tools-sles15sp3-zipl-fix-4k-scsi-ipl.patch
  * s390-tools-sles15sp3-dasd-change-DASD-udev-rule-to-set-none-scheduler.patch
  * s390-tools-sles15sp3-check-return-code-from-util_file_read_l.patch  
- Removed an obsolete "export ROOT_BUILD_DIR" statement from the spec file.
- Removed unnecessary defattr statements in the files section.
- Updated the spec file to correspond to the changes made to the
  location and name of the kernel image in the kernel-zfcpdump
  package (bsc#1189841)
- Did some spec file cleanup based on the recommendations from
  spec-cleaner.

OBS-URL: https://build.opensuse.org/request/show/931286
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/s390-tools?expand=0&rev=41
2021-11-15 14:26:19 +00:00
Mark Post
cfd1a1864b OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=125 2021-11-13 20:15:37 +00:00
Mark Post
1df1badd32 Accepting request 931282 from home:markkp:branches:Base:System
- Upgraded to version 2.19.0 (jsc#SLE-18324)
  * v2.19.0 (2021-11-10)__
    Add new tools / libraries:
    - chreipl-fcp-mpath: New toolset that uses multipath information to change
      the configured FCP re-IPL path on detecting issues with the current path
    Changes of existing tools:
    - dbginfo.sh: Add retry timeout and remove possible blocking "blockdev --report"
    - dbginfo.sh: Collect config- and debug-data for chreipl-fcp-mpath
    - hsci: Add support for multiple MAC addresses
    Bug Fixes:
    - lshwc: Fix compile error for gcc <8.1
    - zdump: Various clean-ups and fixes
    - ziomon: Correct throughput calculation in ziorep_printers
    - zipl: Fix segmentation fault when setting stage3_parms
  * v2.18.0 (2021-10-01)__
    Add new tools:
    - scripts: Add tool for parsing sclp s390dbf logs
    - zdev: Add udev rule helper tool
    - zipl-editenv: Add tool to operate with zIPL environment installed in the boot record
    Changes of existing tools:
    - Makefile: Fix order of build of libraries for parallel builds
    - dbginfo.sh: Add collection in area of timedate, coredump and --check option
    - dbginfo.sh: Add exception on dump2tar for /sys/kernel/mm/page_idle/bitmap
    - dbginfo.sh: Cleanup of outdated sections and general code rework
    - dbginfo.sh: Collect zipl boot menu entries from boot loader specification
    - lszcrypt: Add support for vfio-ap status field
    - lszcrypt: Improved output for deconfig cards and queues
    - lszfcp: Add linkdown case to host marker of extended output
    - zdev: Add auto-config for PCI and crypto devices
    - zdump: Introduce multi-level message logging
    - zipl: Add support for environment block interpretation
    - zkey-cryptsetup: Support LUKS2 volumes with integrity support enabled
    Bug Fixes:
    - hsavmcore: Avoid recompilation of overlay during install step
    - libkmipclient: Fix parsing of hex values for XML and JSON encoding
    - vmur/vmur.cpp: Fix error handling on transfer failure
    - zdump: Lots of smaller fixes across the board
  * v2.17.0 (2021-07-07)__
    Add new tools / libraries:
    - hsavmcore: New utility to make the dump process with kdump more efficient
    - libkmipclient: Add KMIP client shared library
    - libseckey: Add a secure key library
    - lshwc: New tool to extract and list complete counter sets
    Changes of existing tools:
    - genprotimg: Add '--(enable|disable)-pckmo' options
    - genprotimg: Add OpenSSL 3.0 support
    - genprotimg: Change plaintext control flags defaults so PCKMO functions are allowed
    - libutil: Introduce multi-level message logging (util_log)
    - libutil: Introduce util_arch module
    - udev/dasd: Change DASD udev-rule to set none scheduler
    - zdsfs: Add transparent codepage conversion
    - zkey: Add support for KMIP-based key management systems
    Bug Fixes:
    - ttyrun-getty: Avoid conflicts with serial-getty@
    - dbginfo: add /proc/kallsyms - refresh zVM, lscpu - fix WORKARCHIVE handling
    - dbginfo: add KVM data collection for server and guest - fix lszdev
    - genprotimg: Add missing return values in error paths
    - zkey: Fix conversion of CCA DATA keys to CCA CIPHER keys
    - znetconf: avoid conflict with "chzdev -e"
  * v2.16.0 (2021-02-19)__
    Add new tool:
    - hsci: New tool to manage HSCI (HiperSockets Converged Interfaces)
    Changes of existing tools:
    - genprotimg: Add host-key document verification support
    - genprotimg: boot: Make boot loader -march=z900 compatible
    - libekmfweb: Make install directory for shared libraries configurable
    - lsdasd: Add FC Endpoint Security information
    - make: Add address sanitizer support
    - netboot: Add version information to scripts
    - netboot: Bump busybox version in pxelinux.0 build
    - zdev: Add FC Endpoint Security information for DASD devices
    - zdev: Add build option to update initial RAM-disk by default
    - zkey-ekmfweb: Avoid sequence number clash when generating keys
    - zkey/zkey-ekmfweb: Install KMS plugins into configurable location
    - zkey: Add support to store LUKS2 dummy passphrase in key repository
    Bug Fixes:
    - dasdfmt: Fix segfault when an incorrect option is specified
    - genprotimg: Fix several build issues
    - genprotimg: Require argument for 'ramdisk' and 'parmfile' options
    - zcryptstats: Fix handling of partial results with many domains
    - zfcpdbf: Deal with crash 7.2.9 change in caller name formatting
    - zipl/boot: Fix memory use after free in stage2
    - zipl/boot: Fix potential heap overflow in stage2
    - zipl: Fix reading 4k disk's geometry
- Removed the following obsolete patches
  * s390-tools-sles15sp3-dasdfmt-Fix-segfault-when-an-incorrect-option-is-spe.patch
  * s390-tools-sles15sp3-libutil-Compare-proc-entries-to-vfstype.patch
  * s390-tools-sles15sp3-01-zdev-Add-FC-Endpoint-Security-information-for-DASD-d.patch
  * s390-tools-sles15sp3-02-lsdasd-Add-FC-Endpoint-Security-information.patch
  * s390-tools-sles15sp3-hsci-Add-new-tool-to-control-HiperSockets-Converged-.patch
  * s390-tools-sles15sp3-zcryptstats-Fix-handling-of-partial-results-with-man.patch
  * s390-tools-sles15sp3-01-genprotimg-abort-if-one-of-the-recursive-targets-is-.patch
  * s390-tools-sles15sp3-02-genprotimg-fix-two-memory-leaks.patch
  * s390-tools-sles15sp3-03-genprotimg-require-argument-for-ramdisk-and-parmfile.patch
  * s390-tools-sles15sp3-04-genprotimg-add-host-key-document-verification-suppor.patch
  * s390-tools-sles15sp3-zkey-Fix-APQN-property-names.patch
  * s390-tools-sles15sp3-zipl-fix-4k-scsi-ipl.patch
  * s390-tools-sles15sp3-dasd-change-DASD-udev-rule-to-set-none-scheduler.patch
  * s390-tools-sles15sp3-check-return-code-from-util_file_read_l.patch  
- Removed an obsolete "export ROOT_BUILD_DIR" statement from the spec file.
- Removed unnecessary defattr statements in the files section.
- Updated the spec file to correspond to the changes made to the
  location and name of the kernel image in the kernel-zfcpdump
  package (bsc#1189841)
- Did some spec file cleanup based on the recommendations from
  spec-cleaner.

OBS-URL: https://build.opensuse.org/request/show/931282
OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=124
2021-11-13 20:06:12 +00:00
Dominique Leuenberger
80e016489e Accepting request 926073 from Base:System
- Updated the spec file to correspond to the changes made to the
  location and name of the kernel image in the kernel-zfcpdump
  package (bsc#1189841)
- Did some spec file cleanup based on the recommendations from
  spec-cleaner.

OBS-URL: https://build.opensuse.org/request/show/926073
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/s390-tools?expand=0&rev=40
2021-10-20 18:22:56 +00:00
Mark Post
612a854c4f OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=123 2021-10-18 18:39:05 +00:00
Mark Post
8256a6e1e4 Accepting request 926071 from home:markkp:branches:Base:System
- Updated the spec file to correspond to the changes made to the
  location and name of the kernel image in the kernel-zfcpdump
  package (bsc#1189841)
- Did some spec file cleanup based on the recommendations from
  spec-cleaner.

OBS-URL: https://build.opensuse.org/request/show/926071
OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=122
2021-10-18 18:36:45 +00:00
Dominique Leuenberger
860f5c26c9 Accepting request 891062 from Base:System
OBS-URL: https://build.opensuse.org/request/show/891062
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/s390-tools?expand=0&rev=39
2021-05-10 13:36:48 +00:00
Mark Post
7b865daa57 Accepting request 891061 from home:markkp:branches:Base:System
- Modified s390-tools-sles15-Implement-Y-yast_mode.patch by adding
  a fflush(stdout) statement so that the dasdfmt command would
  produce the  correct output for YaST. (bsc#1182816, bsc#1182820)
- Modified s390-tools-sles15-Implement-f-for-backwards-compability.patch
  to have the correct offset for hunk #2 to apply without warnings.

OBS-URL: https://build.opensuse.org/request/show/891061
OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=120
2021-05-06 14:40:53 +00:00
Dominique Leuenberger
f5a81c6bd0 Accepting request 885470 from Base:System
- Added s390-tools-sles15sp3-dasd-change-DASD-udev-rule-to-set-none-scheduler.patch
  dasd: change default scheduler to reduce CPU consumption (bsc#1183810)
- Modified s390-tools-sles12-create-filesystem-links.patch to fit after
  applying s390-tools-sles15sp3-dasd-change-DASD-udev-rule-to-set-none-scheduler.patch
- Removed 59-dasd.rules-wait_for.patch obsoleted by bsc#1183810.

OBS-URL: https://build.opensuse.org/request/show/885470
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/s390-tools?expand=0&rev=38
2021-04-18 19:44:19 +00:00
Mark Post
8a9ea5c870 OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=118 2021-04-14 20:14:48 +00:00
Mark Post
fb236d4d48 OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=117 2021-04-14 20:14:28 +00:00
Mark Post
02084eb837 Accepting request 885467 from home:markkp:branches:Base:System
- Added s390-tools-sles15sp3-dasd-change-DASD-udev-rule-to-set-none-scheduler.patch
  dasd: change default scheduler to reduce CPU consumption (bsc#1183810)
- Modified s390-tools-sles12-create-filesystem-links.patch to fit after
  applying s390-tools-sles15sp3-dasd-change-DASD-udev-rule-to-set-none-scheduler.patch
- Removed 59-dasd.rules-wait_for.patch obsoleted by bsc#1183810.

OBS-URL: https://build.opensuse.org/request/show/885467
OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=116
2021-04-14 20:07:00 +00:00
Dominique Leuenberger
7298355cb2 Accepting request 877835 from Base:System
- Added s390-tools-sles15sp3-zipl-fix-4k-scsi-ipl.patch (bsc#1183039)
  IPL is not working when bootloader is installed on a SCSI disk
  with 4k physical blocksize without using a devicemapper target.
- Added s390-tools-sles15sp3-remove-no-pie-link-arguments.patch so
  that we can build on systems with binutils 2.36 and higher. Without
  this, the build fails because that version of the ld command
  doesn't recognize "-no-pie" an acceptable argument.
- Updated the mkdump.pl script to make the name of the temporary
  configuration file in /tmp/ unpredictable. (bsc#1182876)
- Updated detach_disks.sh to not use predictable temporary file
  names. (bsc#1182777, CVE-2021-25316)
- Made for the following changes for bsc#1182816:
  * Updated s390-tools-sles15sp3-Format-devices-in-parallel.patch to
    change all instances of the progress bar from printing "#" to
    printing the process number of the DASD volume being formatted.
  * Updated s390-tools-sles15sp3-Implement-Y-yast_mode.patch to print
    out the numbder of cylinders in a device, as was done in the
    prior versions of this patch, but was missed when modifying it
    for SLES15 SP3.
  * Added s390-tools-sles15sp3-check-return-code-from-util_file_read_l.patch
    because otherwise a warning message from dasdfmt is being generated
    that could interfere with YaST properly processing the progress
    of the formatting process.

OBS-URL: https://build.opensuse.org/request/show/877835
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/s390-tools?expand=0&rev=37
2021-03-10 07:49:32 +00:00
Mark Post
9901451234 Accepting request 877833 from home:markkp:branches:Base:System
- Added s390-tools-sles15sp3-zipl-fix-4k-scsi-ipl.patch (bsc#1183039)
  IPL is not working when bootloader is installed on a SCSI disk
  with 4k physical blocksize without using a devicemapper target.
- Added s390-tools-sles15sp3-remove-no-pie-link-arguments.patch so
  that we can build on systems with binutils 2.36 and higher. Without
  this, the build fails because that version of the ld command
  doesn't recognize "-no-pie" an acceptable argument.
- Updated the mkdump.pl script to make the name of the temporary
  configuration file in /tmp/ unpredictable. (bsc#1182876)

OBS-URL: https://build.opensuse.org/request/show/877833
OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=114
2021-03-08 22:40:53 +00:00
Mark Post
afd6f8a764 OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=113 2021-03-01 16:10:09 +00:00
Mark Post
fb4c942b4b - Renamed iucvtty@hvc0.service to iucvtty@.service following the
`systemctl enable iucvtty@lxterm1.service`

OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=112
2021-03-01 16:09:48 +00:00
Mark Post
6de0ac7584 OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=111 2021-03-01 16:06:58 +00:00
Mark Post
07db5929d4 Accepting request 875841 from home:markkp:branches:Base:System
Corrected a syntax error in detach_disks.sh

OBS-URL: https://build.opensuse.org/request/show/875841
OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=110
2021-02-28 23:36:46 +00:00
Mark Post
ff846aaceb Accepting request 875687 from home:markkp:branches:Base:System
Removed a debugging flag.

OBS-URL: https://build.opensuse.org/request/show/875687
OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=109
2021-02-28 00:11:53 +00:00
Mark Post
a4a57474bc Accepting request 875686 from home:markkp:branches:Base:System
- Updated detach_disks.sh to not use predictable temporary file
  names. (bsc#1182777)
- Made for the following changes for bsc#1182816:
  * Updated s390-tools-sles15sp3-Format-devices-in-parallel.patch to
    change all instances of the progress bar from printing "#" to
    printing the process number of the DASD volume being formatted.
  * Updated s390-tools-sles15sp3-Implement-Y-yast_mode.patch to print
    out the numbder of cylinders in a device, as was done in the
    prior versions of this patch, but was missed when modifying it
    for SLES15 SP3.
  * Added s390-tools-sles15sp3-check-return-code-from-util_file_read_l.patch
    because otherwise a warning message from dasdfmt is being generated
    that could interfere with YaST properly processing the progress
    of the formatting process.

OBS-URL: https://build.opensuse.org/request/show/875686
OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=108
2021-02-28 00:10:38 +00:00
Richard Brown
dd0d15825b Accepting request 873225 from Base:System
OBS-URL: https://build.opensuse.org/request/show/873225
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/s390-tools?expand=0&rev=36
2021-02-22 13:58:08 +00:00
Mark Post
66c3c71c82 Accepting request 873224 from home:markkp:branches:Base:System
- Added s390-tools-sles15sp3-zkey-Fix-APQN-property-names.patch
  (bsc#1182113)
  Problem:  The KMS configuration property names to store the CCA and
            EP11 APQNs are incorrect, i.e. swapped.
  Solution: Correct the KMS configuration property names.

OBS-URL: https://build.opensuse.org/request/show/873224
OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=106
2021-02-17 20:58:11 +00:00
Dominique Leuenberger
ad713c51e5 Accepting request 867584 from Base:System
OBS-URL: https://build.opensuse.org/request/show/867584
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/s390-tools?expand=0&rev=35
2021-02-01 13:41:31 +00:00
Mark Post
27bb40f3fd Accepting request 867582 from home:markkp:branches:Base:System
- Moved %dir %{_libdir}/zkey and %{_libdir}/zkey/zkey-ekmfweb.so
  from the libekfmweb1 package to the main package since it is a
  plugin for the zkey command, and not a shared library.
  (bsc#1180534)

OBS-URL: https://build.opensuse.org/request/show/867582
OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=104
2021-01-28 22:00:24 +00:00
Dominique Leuenberger
26a26a5a1d Accepting request 854129 from Base:System
OBS-URL: https://build.opensuse.org/request/show/854129
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/s390-tools?expand=0&rev=34
2020-12-10 14:56:57 +00:00
Mark Post
6d6e14484a Accepting request 854128 from home:markkp:branches:Base:System
- Upgraded to version 2.15.1. (bsc#1178250, jsc#SLE-13663)
- Added s390-tools-sles15sp3-dasdfmt-Fix-segfault-when-an-incorrect-option-is-spe.patch
  (bsc#1178313). When specifying an incorrect program option, dasdfmt segfaults
  as the format string for the corresponding error message has no parameter.
- Added s390-tools-sles15sp3-libutil-Compare-proc-entries-to-vfstype.patch
  (bsc#1178315). The fdasd command was failing if sysfs was mounted this way:
  mount -t sysfs none /sys
  To make sure that the mount point of the sysfs is still found when mounted
  with a device keyword specified other than 'sysfs', check for the filesystem
  type instead, which is more specific.
- Added the following patches for bsc#1178427, and jsc#SLE-13768,
  Log DASD info for endpoint security
  * s390-tools-sles15sp3-01-zdev-Add-FC-Endpoint-Security-information-for-DASD-d.patch
  * s390-tools-sles15sp3-02-lsdasd-Add-FC-Endpoint-Security-information.patch
- Added the following patch for bsc#1178628 and jsc#SLE-13765, Converged
  HiperSockets/Ethernet Interface
  * s390-tools-sles15sp3-hsci-Add-new-tool-to-control-HiperSockets-Converged-.patch
- Added the following patches for bsc#1178992 and jsc#SLE-13772, Add host-key
  document verification support to genprotimg.
  * s390-tools-sles15sp3-01-genprotimg-abort-if-one-of-the-recursive-targets-is-.patch
  * s390-tools-sles15sp3-02-genprotimg-fix-two-memory-leaks.patch
  * s390-tools-sles15sp3-03-genprotimg-require-argument-for-ramdisk-and-parmfile.patch
  * s390-tools-sles15sp3-04-genprotimg-add-host-key-document-verification-suppor.patch
- Added the following patch for bsc#1178734. Running zcryptstats when many domains
  are available per cryto card does not produce any output, and is hanging in a loop.
  * s390-tools-sles15sp3-zcryptstats-Fix-handling-of-partial-results-with-man.patch
- Reworked and renamed the following patches to accommodate changes made by IBM
  to the structure of the dasdfmt command.
  * s390-tools-sles15-Allow-multiple-device-arguments.patch renamed to
    s390-tools-sles15sp3-Allow-multiple-device-arguments.patch.
  * s390-tools-sles15-Format-devices-in-parallel.patch renamed to
    s390-tools-sles15sp3-Format-devices-in-parallel.patch
  * dasdfmt-retry-BIODASDINFO-if-device-is-busy.patch renamed to
    s390-tools-sles15sp3-dasdfmt-retry-BIODASDINFO-if-device-is-busy.patch
  * s390-tools-sles15-Implement-f-for-backwards-compability.patch renamed to
    s390-tools-sles15sp3-Implement-f-for-backwards-compability.patch renamed to
  * s390-tools-sles15-Implement-Y-yast_mode.patch
    s390-tools-sles15sp3-Implement-Y-yast_mode.patch
- Upgraded to version 2.15.0 (jsc#SLE-13662, jsc#SLE-13663,
  jsc#SLE-13667, jsc#SLE-13724, jsc#SLE-13728, jsc#SLE-13730,
  jsc#SLE-13739, jsc#SLE-13744, jsc#SLE-13751, jsc#SLE-13755,
  jsc#SLE-13765, jsc#SLE-13768, jsc#SLE-13777, jsc#SLE-13814,
  jsc#SLE-13819, jsc#SLE-13820)
- Reworked s390-tools-sles12-sysconfig-compatible-dumpconf.patch to fit the
  current version and renamed it to s390-tools-sles15-sysconfig-compatible-dumpconf.patch
- Removed the following obsolete patches:
  * s390-tools-sles15sp2-01-zkey-Separate-and-rework-CCA-host-library-loading.patch
  * s390-tools-sles15sp2-02-zkey-Move-utility-functions-into-separate-source-fil.patch
  * s390-tools-sles15sp2-03-zkey-Add-utility-function-to-get-the-serial-number-o.patch
  * s390-tools-sles15sp2-04-zkey-Add-utility-function-to-get-the-mkvp-of-a-crypt.patch
  * s390-tools-sles15sp2-05-zkey-add-function-to-iterate-over-all-available-CCA-.patch
  * s390-tools-sles15sp2-06-zkey-Add-function-to-print-the-MKVPs-of-APQNs.patch
  * s390-tools-sles15sp2-07-zkey-Add-function-to-cross-check-APQNs-for-valid-mas.patch
  * s390-tools-sles15sp2-08-zkey-Add-function-to-obtain-the-mkvp-of-a-secure-key.patch
  * s390-tools-sles15sp2-09-zkey-Display-MKVP-when-validating-a-secure-key.patch
  * s390-tools-sles15sp2-10-zkey-Cross-check-APQNs-when-generating-secure-keys.patch
  * s390-tools-sles15sp2-11-zkey-Cross-check-APQNs-when-validating-secure-keys.patch
  * s390-tools-sles15sp2-12-zkey-Cross-check-APQNs-when-importing-secure-keys.patch
  * s390-tools-sles15sp2-13-zkey-Cross-check-APQNs-when-changing-APQN-associatio.patch
  * s390-tools-sles15sp2-14-zkey-Add-function-to-select-a-specific-CCA-adapter.patch
  * s390-tools-sles15sp2-15-zkey-Add-function-to-select-a-CCA-adapter-by-mkvp.patch
  * s390-tools-sles15sp2-16-zkey-Select-CCA-adapter-when-re-enciphering.patch
  * s390-tools-sles15sp2-17-zkey-cryptsetup-Add-to-new-and-from-old-options.patch
  * s390-tools-sles15sp2-18-zkey-Display-key-type-with-list-and-validate-command.patch
  * s390-tools-sles15sp2-19-zkey-Allow-to-filter-list-output-by-key-type.patch
  * s390-tools-sles15sp2-20-zkey-Allow-to-specify-the-key-type-with-the-generate.patch
  * s390-tools-sles15sp2-21-zkey-Preparations-for-introducing-a-new-key-type.patch
  * s390-tools-sles15sp2-22-zkey-Introduce-the-CCA-AESCIPHER-key-type.patch
  * s390-tools-sles15sp2-23-zkey-Add-wrappers-for-the-new-IOCTLs-with-fallback-t.patch
  * s390-tools-sles15sp2-24-zkey-Add-helper-functions-to-build-lists-of-APQNs.patch
  * s390-tools-sles15sp2-25-zkey-Add-support-for-generating-AES-CIPHER-keys.patch
  * s390-tools-sles15sp2-26-zkey-Add-support-for-validating-AES-CIPHER-keys.patch
  * s390-tools-sles15sp2-27-zkey-Add-support-for-re-enciphering-AES-CIPHER-keys.patch
  * s390-tools-sles15sp2-28-zkey-Check-crypto-card-level-during-APQN-cross-check.patch
  * s390-tools-sles15sp2-29-zkey-Add-helper-function-to-query-the-CCA-firmware-v.patch
  * s390-tools-sles15sp2-30-zkey-Add-helper-function-to-convert-secure-keys-betw.patch
  * s390-tools-sles15sp2-31-zkey-Add-helper-function-to-restrict-export-of-secur.patch
  * s390-tools-sles15sp2-32-zkey-Add-helper-function-to-check-an-AES-CIPHER-key.patch
  * s390-tools-sles15sp2-33-zkey-Add-key-checks-when-importing-a-CCA-AESCIPHER-k.patch
  * s390-tools-sles15sp2-34-zkey-Add-convert-command-to-convert-keys-from-one-ty.patch
  * s390-tools-sles15sp2-35-zkey-Allow-zkey-cryptsetup-setkey-to-set-different-k.patch
  * s390-tools-sles15sp2-zcrypt-CEX7S-exploitation-support.patch
  * s390-tools-sles15sp2-zcryptstats-Add-support-for-CEX7.patch
  * s390-tools-sles15sp2-zkey-Fix-listing-of-keys-on-file-systems-reporting-D.patch
  * s390-tools-sles15sp2-zkey-Fix-display-of-clear-key-size-for-XTS-keys.patch
  * s390-tools-sles15sp2-zkey-Fix-display-of-XTS-attribute-for-validate-comma.patch
  * s390-tools-sles15sp2-zkey-Fix-display-of-clear-key-size-for-CCA-AESCIPHER.patch
  * s390-tools-sles15sp2-01-zipl-libc-Introduce-vsnprintf.patch
  * s390-tools-sles15sp2-02-zipl-libc-Fix-potential-buffer-overflow-in-printf.patch
  * s390-tools-sles15sp2-03-zipl-libc-Replace-sprintf-with-snprintf.patch
  * s390-tools-sles15sp2-04-zipl-libc-Indicate-truncated-lines-in-printf-with.patch
  * s390-tools-sles15sp2-01-zpcictl-Initiate-recover-after-reset.patch
  * s390-tools-sles15sp2-02-zpcictl-Rename-misleading-sysfs_write_data.patch
  * s390-tools-sles15sp2-03-zpcitctl-Exit-on-error-in-sysfs_report_error.patch
  * s390-tools-sles15sp2-01-zipl-fix-Wdiscarded-qualifiers.patch
  * s390-tools-sles15sp2-02-zipl-fix-Waddress-of-packed-member.patch
  * s390-tools-sles15sp2-03-zipl-remove-some-useless-__packed___-attributes.patch
  * s390-tools-sles15sp2-04-zipl-Fix-entry-point-for-stand-alone-kdump.patch
  * s390-tools-sles15sp2-05-zipl-Fix-dependency-generation-in-zipl-boot.patch
  * s390-tools-sles15sp2-06-zipl-Make-use-of-__packed-macro.patch
  * s390-tools-sles15sp2-07-zipl-define-__section-macro-and-make-use-of-it.patch
  * s390-tools-sles15sp2-08-zipl-Make-use-of-__noreturn-macro.patch
  * s390-tools-sles15sp2-09-zipl-Define-__noinline-macro-and-make-use-of-it.patch
  * s390-tools-sles15sp2-10-zipl-stage3-Mark-start_kernel-__noreturn.patch
  * s390-tools-sles15sp2-11-zipl-sclp-Remove-duplicate-macros.patch
  * s390-tools-sles15sp2-12-zipl-Make-address-size-mask-macros-UL.patch
  * s390-tools-sles15sp2-13-zipl-libc-Use-stdint.h-instead-of-self-defined-macro.patch
  * s390-tools-sles15sp2-14-zipl-Consolidate-IMAGE-macros.patch
  * s390-tools-sles15sp2-15-zipl-Consolidate-STAGE-2-3-macros.patch
  * s390-tools-sles15sp2-16-zipl-stfle-use-uint64_t-instead-of-u64.patch
  * s390-tools-sles15sp2-17-zipl-boot-fix-comment-in-stage3.lds.patch
  * s390-tools-sles15sp2-18-lib-zt_common-add-STATIC_ASSERT-macro.patch
  * s390-tools-sles15sp2-19-zipl-use-STATIC_ASSERT-macro-for-no-padding-verifica.patch
  * s390-tools-sles15sp2-20-Support-lib-zt_common.h-to-be-used-in-assembler-and-.patch
  * s390-tools-sles15sp2-21-zipl-move-IPL-related-definitions-into-separate-head.patch
  * s390-tools-sles15sp2-22-zipl-move-SIGP-related-functions-and-definitions-int.patch
  * s390-tools-sles15sp2-23-zipl-add-SIGP_SET_ARCHITECTURE-to-sigp.h-and-use-it.patch
  * s390-tools-sles15sp2-24-zipl-stage3-make-IPL_DEVICE-definition-consistent-wi.patch
  * s390-tools-sles15sp2-25-zipl-move-Linux-layout-definitions-into-separate-hea.patch
  * s390-tools-sles15sp2-26-zipl-tape0-use-constants-defined-in-linux_layout.h.patch
  * s390-tools-sles15sp2-27-zipl-use-STAGE3_ENTRY-for-STAGE3_LOAD_ADDRESS.patch
  * s390-tools-sles15sp2-28-zipl-move-loaders-layout-definitions-into-separate-h.patch
  * s390-tools-sles15sp2-29-zipl-s390.h-rename-inline-macro-into-__always_inline.patch
  * s390-tools-sles15sp2-30-zipl-move-__always_inline-barrier-__pa32-pa-to-zt_co.patch
  * s390-tools-sles15sp2-31-zipl-make-BLK_PWRT-unsigned-int.patch
  * s390-tools-sles15sp2-32-Consolidate-MIN-and-MAX-macros.patch
  * s390-tools-sles15sp2-33-zipl-remove-libc.h-include-in-s390.h.patch
  * s390-tools-sles15sp2-34-zipl-move-s390.h-to-include-boot-s390.h.patch
  * s390-tools-sles15sp2-35-zipl-libc-include-s390.h.patch
  * s390-tools-sles15sp2-36-include-boot-s390.h-move-panic-and-panic_notify-to-l.patch
  * s390-tools-sles15sp2-37-include-boot-s390.h-fixes-for-Werror-sign-conversion.patch
  * s390-tools-sles15sp2-38-zipl-refactor-all-EBCDIC-code-into-separate-files.patch
  * s390-tools-sles15sp2-39-zipl-sclp-add-macros-for-the-control-program-masks.patch
  * s390-tools-sles15sp2-40-zipl-sclp-add-sclp_print_ascii.patch
  * s390-tools-sles15sp2-41-zipl-libc-printf-print-on-linemode-and-ASCII-console.patch
  * s390-tools-sles15sp2-42-Consolidate-ALIGN-__ALIGN_MASK-ARRAY_SIZE-macros.patch
  * s390-tools-sles15sp2-43-genprotimg-boot-initial-bootloader-support.patch
  * s390-tools-sles15sp2-44-genprotimg-boot-use-C-pre-processor-for-linker-scrip.patch
  * s390-tools-sles15sp2-45-genprotimg-add-relocator-for-stage3b.patch
  * s390-tools-sles15sp2-46-README.md-remove-useless-empty-line.patch
  * s390-tools-sles15sp2-47-include-boot-s390.h-add-guard-for-struct-__vector128.patch
  * s390-tools-sles15sp2-48-genprotimg-introduce-new-tool-for-the-creation-of-PV.patch
  * s390-tools-sles15sp2-01-zipl-Add-missing-options-to-help-output.patch
  * s390-tools-sles15sp2-02-zipl-allow-stand-alone-secure-option-on-command-l.patch
  * s390-tools-sles15sp2-03-zipl-correct-secure-boot-config-handling.patch
  * s390-tools-sles15sp2-04-zipl-fix-zipl.conf-man-page-example-for-secure-boot.patch
  * s390-tools-sles15sp2-01-cpumf-add-new-deflate-counters-for-z15.patch
  * s390-tools-sles15sp2-vmcp-exit-code.patch
  * s390-tools-sles15sp2-zipl-prevent-endless-loop-during-IPL.patch
  * s390-tools-sles15sp2-zipl-check-for-valid-ipl-parmblock-lowcore-pointer.patch
  * s390-tools-sles15sp2-01-zipl-libc-libc_stop-move-noreturn-to-declaration.patch
  * s390-tools-sles15sp2-02-zipl-stage3-correctly-handle-diag308-response-code.patch
  * s390-tools-sles15sp2-lsluns-try-harder-to-find-udevadm.patch
  * s390-tools-sles15sp2-znetconf-introduce-better-ways-to-locate-udevadm.patch
  * s390-tools-sles15sp2-mon_tools-update-udevadm-location.patch
  * s390-tools-sles15sp2-lscpumf-change-dflt-ccerror-counter-name.patch
  * s390-tools-sles15sp2-01-zdev-Introduce-read-only-attributes.patch
  * s390-tools-sles15sp2-02-zdev-Handle-special-case-in-if-case.patch
  * s390-tools-sles15sp2-03-zdev-Report-FC-Endpoint-Security-of-zfcp-devices.patch
  * s390-tools-sles15sp2-04-zfcpdbf-print-HBA-FC-Endpoint-Security-trace-records.patch
  * s390-tools-sles15sp1-zdev-Also-include-the-ctc-driver-in-the-initrd.patch not in spec file
  * s390-tools-sles15sp2-Close-file-descriptor-when-checking-for-read-only.patch not in spec file
- Added s390-tools-sles15sp2-lscpumf-change-dflt-ccerror-counter-name.patch
  (bsc#1176508)
  lscpumf displays counter number 265 as DFLT_CCERROR. This is wrong
  and differs from the counter name as defined in the Linux kernel
  version 5.8 and later.
- Added the following patches to implement the post-GA feature jsc#ECO-2636
  Log FCP link info for endpoint security (bsc#1175477)

OBS-URL: https://build.opensuse.org/request/show/854128
OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=102
2020-12-08 19:59:20 +00:00
Mark Post
7e8b34210d Accepting request 854117 from home:markkp:branches:Base:System
- Upgraded to version 2.15.1. (bsc#1178250, jsc#SLE-13663)
- Added s390-tools-sles15sp3-dasdfmt-Fix-segfault-when-an-incorrect-option-is-spe.patch
  (bsc#1178313). When specifying an incorrect program option, dasdfmt segfaults
  as the format string for the corresponding error message has no parameter.
- Added s390-tools-sles15sp3-libutil-Compare-proc-entries-to-vfstype.patch
  (bsc#1178315). The fdasd command was failing if sysfs was mounted this way:
  mount -t sysfs none /sys
  To make sure that the mount point of the sysfs is still found when mounted
  with a device keyword specified other than 'sysfs', check for the filesystem
  type instead, which is more specific.
- Added the following patches for bsc#1178427, and jsc#SLE-13768,
  Log DASD info for endpoint security
  * s390-tools-sles15sp3-01-zdev-Add-FC-Endpoint-Security-information-for-DASD-d.patch
  * s390-tools-sles15sp3-02-lsdasd-Add-FC-Endpoint-Security-information.patch
- Added the following patch for bsc#1178628 and jsc#SLE-13765, Converged
  HiperSockets/Ethernet Interface
  * s390-tools-sles15sp3-hsci-Add-new-tool-to-control-HiperSockets-Converged-.patch
- Added the following patches for bsc#1178992 and jsc#SLE-13772, Add host-key
  document verification support to genprotimg.
  * s390-tools-sles15sp3-01-genprotimg-abort-if-one-of-the-recursive-targets-is-.patch
  * s390-tools-sles15sp3-02-genprotimg-fix-two-memory-leaks.patch
  * s390-tools-sles15sp3-03-genprotimg-require-argument-for-ramdisk-and-parmfile.patch
  * s390-tools-sles15sp3-04-genprotimg-add-host-key-document-verification-suppor.patch
- Added the following patch for bsc#1178734. Running zcryptstats when many domains
  are available per cryto card does not produce any output, and is hanging in a loop.
  * s390-tools-sles15sp3-zcryptstats-Fix-handling-of-partial-results-with-man.patch
- Reworked and renamed the following patches to accommodate changes made by IBM
  to the structure of the dasdfmt command.
  * s390-tools-sles15-Allow-multiple-device-arguments.patch renamed to
    s390-tools-sles15sp3-Allow-multiple-device-arguments.patch.
  * s390-tools-sles15-Format-devices-in-parallel.patch renamed to
    s390-tools-sles15sp3-Format-devices-in-parallel.patch
  * dasdfmt-retry-BIODASDINFO-if-device-is-busy.patch renamed to
    s390-tools-sles15sp3-dasdfmt-retry-BIODASDINFO-if-device-is-busy.patch
  * s390-tools-sles15-Implement-f-for-backwards-compability.patch renamed to
    s390-tools-sles15-Implement-Y-yast_mode.patch
- Upgraded to version 2.15.0 (jsc#SLE-13662, jsc#SLE-13663,
  jsc#SLE-13667, jsc#SLE-13724, jsc#SLE-13728, jsc#SLE-13730,
  jsc#SLE-13739, jsc#SLE-13744, jsc#SLE-13751, jsc#SLE-13755,
  jsc#SLE-13765, jsc#SLE-13768, jsc#SLE-13777, jsc#SLE-13814,
  jsc#SLE-13819, jsc#SLE-13820)
- Reworked s390-tools-sles12-sysconfig-compatible-dumpconf.patch to fit the
  current version and renamed it to s390-tools-sles15-sysconfig-compatible-dumpconf.patch
- Removed the following obsolete patches:
  * s390-tools-sles15sp2-01-zkey-Separate-and-rework-CCA-host-library-loading.patch
  * s390-tools-sles15sp2-02-zkey-Move-utility-functions-into-separate-source-fil.patch
  * s390-tools-sles15sp2-03-zkey-Add-utility-function-to-get-the-serial-number-o.patch
  * s390-tools-sles15sp2-04-zkey-Add-utility-function-to-get-the-mkvp-of-a-crypt.patch
  * s390-tools-sles15sp2-05-zkey-add-function-to-iterate-over-all-available-CCA-.patch
  * s390-tools-sles15sp2-06-zkey-Add-function-to-print-the-MKVPs-of-APQNs.patch
  * s390-tools-sles15sp2-07-zkey-Add-function-to-cross-check-APQNs-for-valid-mas.patch
  * s390-tools-sles15sp2-08-zkey-Add-function-to-obtain-the-mkvp-of-a-secure-key.patch
  * s390-tools-sles15sp2-09-zkey-Display-MKVP-when-validating-a-secure-key.patch
  * s390-tools-sles15sp2-10-zkey-Cross-check-APQNs-when-generating-secure-keys.patch
  * s390-tools-sles15sp2-11-zkey-Cross-check-APQNs-when-validating-secure-keys.patch
  * s390-tools-sles15sp2-12-zkey-Cross-check-APQNs-when-importing-secure-keys.patch
  * s390-tools-sles15sp2-13-zkey-Cross-check-APQNs-when-changing-APQN-associatio.patch
  * s390-tools-sles15sp2-14-zkey-Add-function-to-select-a-specific-CCA-adapter.patch
  * s390-tools-sles15sp2-15-zkey-Add-function-to-select-a-CCA-adapter-by-mkvp.patch
  * s390-tools-sles15sp2-16-zkey-Select-CCA-adapter-when-re-enciphering.patch
  * s390-tools-sles15sp2-17-zkey-cryptsetup-Add-to-new-and-from-old-options.patch
  * s390-tools-sles15sp2-18-zkey-Display-key-type-with-list-and-validate-command.patch
  * s390-tools-sles15sp2-19-zkey-Allow-to-filter-list-output-by-key-type.patch
  * s390-tools-sles15sp2-20-zkey-Allow-to-specify-the-key-type-with-the-generate.patch
  * s390-tools-sles15sp2-21-zkey-Preparations-for-introducing-a-new-key-type.patch
  * s390-tools-sles15sp2-22-zkey-Introduce-the-CCA-AESCIPHER-key-type.patch
  * s390-tools-sles15sp2-23-zkey-Add-wrappers-for-the-new-IOCTLs-with-fallback-t.patch
  * s390-tools-sles15sp2-24-zkey-Add-helper-functions-to-build-lists-of-APQNs.patch
  * s390-tools-sles15sp2-25-zkey-Add-support-for-generating-AES-CIPHER-keys.patch
  * s390-tools-sles15sp2-26-zkey-Add-support-for-validating-AES-CIPHER-keys.patch
  * s390-tools-sles15sp2-27-zkey-Add-support-for-re-enciphering-AES-CIPHER-keys.patch
  * s390-tools-sles15sp2-28-zkey-Check-crypto-card-level-during-APQN-cross-check.patch
  * s390-tools-sles15sp2-29-zkey-Add-helper-function-to-query-the-CCA-firmware-v.patch
  * s390-tools-sles15sp2-30-zkey-Add-helper-function-to-convert-secure-keys-betw.patch
  * s390-tools-sles15sp2-31-zkey-Add-helper-function-to-restrict-export-of-secur.patch
  * s390-tools-sles15sp2-32-zkey-Add-helper-function-to-check-an-AES-CIPHER-key.patch
  * s390-tools-sles15sp2-33-zkey-Add-key-checks-when-importing-a-CCA-AESCIPHER-k.patch
  * s390-tools-sles15sp2-34-zkey-Add-convert-command-to-convert-keys-from-one-ty.patch
  * s390-tools-sles15sp2-35-zkey-Allow-zkey-cryptsetup-setkey-to-set-different-k.patch
  * s390-tools-sles15sp2-zcrypt-CEX7S-exploitation-support.patch
  * s390-tools-sles15sp2-zcryptstats-Add-support-for-CEX7.patch
  * s390-tools-sles15sp2-zkey-Fix-listing-of-keys-on-file-systems-reporting-D.patch
  * s390-tools-sles15sp2-zkey-Fix-display-of-clear-key-size-for-XTS-keys.patch
  * s390-tools-sles15sp2-zkey-Fix-display-of-XTS-attribute-for-validate-comma.patch
  * s390-tools-sles15sp2-zkey-Fix-display-of-clear-key-size-for-CCA-AESCIPHER.patch
  * s390-tools-sles15sp2-01-zipl-libc-Introduce-vsnprintf.patch
  * s390-tools-sles15sp2-02-zipl-libc-Fix-potential-buffer-overflow-in-printf.patch
  * s390-tools-sles15sp2-03-zipl-libc-Replace-sprintf-with-snprintf.patch
  * s390-tools-sles15sp2-04-zipl-libc-Indicate-truncated-lines-in-printf-with.patch
  * s390-tools-sles15sp2-01-zpcictl-Initiate-recover-after-reset.patch
  * s390-tools-sles15sp2-02-zpcictl-Rename-misleading-sysfs_write_data.patch
  * s390-tools-sles15sp2-03-zpcitctl-Exit-on-error-in-sysfs_report_error.patch
  * s390-tools-sles15sp2-01-zipl-fix-Wdiscarded-qualifiers.patch
  * s390-tools-sles15sp2-02-zipl-fix-Waddress-of-packed-member.patch
  * s390-tools-sles15sp2-03-zipl-remove-some-useless-__packed___-attributes.patch
  * s390-tools-sles15sp2-04-zipl-Fix-entry-point-for-stand-alone-kdump.patch
  * s390-tools-sles15sp2-05-zipl-Fix-dependency-generation-in-zipl-boot.patch
  * s390-tools-sles15sp2-06-zipl-Make-use-of-__packed-macro.patch
  * s390-tools-sles15sp2-07-zipl-define-__section-macro-and-make-use-of-it.patch
  * s390-tools-sles15sp2-08-zipl-Make-use-of-__noreturn-macro.patch
  * s390-tools-sles15sp2-09-zipl-Define-__noinline-macro-and-make-use-of-it.patch
  * s390-tools-sles15sp2-10-zipl-stage3-Mark-start_kernel-__noreturn.patch
  * s390-tools-sles15sp2-11-zipl-sclp-Remove-duplicate-macros.patch
  * s390-tools-sles15sp2-12-zipl-Make-address-size-mask-macros-UL.patch
  * s390-tools-sles15sp2-13-zipl-libc-Use-stdint.h-instead-of-self-defined-macro.patch
  * s390-tools-sles15sp2-14-zipl-Consolidate-IMAGE-macros.patch
  * s390-tools-sles15sp2-15-zipl-Consolidate-STAGE-2-3-macros.patch
  * s390-tools-sles15sp2-16-zipl-stfle-use-uint64_t-instead-of-u64.patch
  * s390-tools-sles15sp2-17-zipl-boot-fix-comment-in-stage3.lds.patch
  * s390-tools-sles15sp2-18-lib-zt_common-add-STATIC_ASSERT-macro.patch
  * s390-tools-sles15sp2-19-zipl-use-STATIC_ASSERT-macro-for-no-padding-verifica.patch
  * s390-tools-sles15sp2-20-Support-lib-zt_common.h-to-be-used-in-assembler-and-.patch
  * s390-tools-sles15sp2-21-zipl-move-IPL-related-definitions-into-separate-head.patch
  * s390-tools-sles15sp2-22-zipl-move-SIGP-related-functions-and-definitions-int.patch
  * s390-tools-sles15sp2-23-zipl-add-SIGP_SET_ARCHITECTURE-to-sigp.h-and-use-it.patch
  * s390-tools-sles15sp2-24-zipl-stage3-make-IPL_DEVICE-definition-consistent-wi.patch
  * s390-tools-sles15sp2-25-zipl-move-Linux-layout-definitions-into-separate-hea.patch
  * s390-tools-sles15sp2-26-zipl-tape0-use-constants-defined-in-linux_layout.h.patch
  * s390-tools-sles15sp2-27-zipl-use-STAGE3_ENTRY-for-STAGE3_LOAD_ADDRESS.patch
  * s390-tools-sles15sp2-28-zipl-move-loaders-layout-definitions-into-separate-h.patch
  * s390-tools-sles15sp2-29-zipl-s390.h-rename-inline-macro-into-__always_inline.patch
  * s390-tools-sles15sp2-30-zipl-move-__always_inline-barrier-__pa32-pa-to-zt_co.patch
  * s390-tools-sles15sp2-31-zipl-make-BLK_PWRT-unsigned-int.patch
  * s390-tools-sles15sp2-32-Consolidate-MIN-and-MAX-macros.patch
  * s390-tools-sles15sp2-33-zipl-remove-libc.h-include-in-s390.h.patch
  * s390-tools-sles15sp2-34-zipl-move-s390.h-to-include-boot-s390.h.patch
  * s390-tools-sles15sp2-35-zipl-libc-include-s390.h.patch
  * s390-tools-sles15sp2-36-include-boot-s390.h-move-panic-and-panic_notify-to-l.patch
  * s390-tools-sles15sp2-37-include-boot-s390.h-fixes-for-Werror-sign-conversion.patch
  * s390-tools-sles15sp2-38-zipl-refactor-all-EBCDIC-code-into-separate-files.patch
  * s390-tools-sles15sp2-39-zipl-sclp-add-macros-for-the-control-program-masks.patch
  * s390-tools-sles15sp2-40-zipl-sclp-add-sclp_print_ascii.patch
  * s390-tools-sles15sp2-41-zipl-libc-printf-print-on-linemode-and-ASCII-console.patch
  * s390-tools-sles15sp2-42-Consolidate-ALIGN-__ALIGN_MASK-ARRAY_SIZE-macros.patch
  * s390-tools-sles15sp2-43-genprotimg-boot-initial-bootloader-support.patch
  * s390-tools-sles15sp2-44-genprotimg-boot-use-C-pre-processor-for-linker-scrip.patch
  * s390-tools-sles15sp2-45-genprotimg-add-relocator-for-stage3b.patch
  * s390-tools-sles15sp2-46-README.md-remove-useless-empty-line.patch
  * s390-tools-sles15sp2-47-include-boot-s390.h-add-guard-for-struct-__vector128.patch
  * s390-tools-sles15sp2-48-genprotimg-introduce-new-tool-for-the-creation-of-PV.patch
  * s390-tools-sles15sp2-01-zipl-Add-missing-options-to-help-output.patch
  * s390-tools-sles15sp2-02-zipl-allow-stand-alone-secure-option-on-command-l.patch
  * s390-tools-sles15sp2-03-zipl-correct-secure-boot-config-handling.patch
  * s390-tools-sles15sp2-04-zipl-fix-zipl.conf-man-page-example-for-secure-boot.patch
  * s390-tools-sles15sp2-01-cpumf-add-new-deflate-counters-for-z15.patch
  * s390-tools-sles15sp2-vmcp-exit-code.patch
  * s390-tools-sles15sp2-zipl-prevent-endless-loop-during-IPL.patch
  * s390-tools-sles15sp2-zipl-check-for-valid-ipl-parmblock-lowcore-pointer.patch
  * s390-tools-sles15sp2-01-zipl-libc-libc_stop-move-noreturn-to-declaration.patch
  * s390-tools-sles15sp2-02-zipl-stage3-correctly-handle-diag308-response-code.patch
  * s390-tools-sles15sp2-lsluns-try-harder-to-find-udevadm.patch
  * s390-tools-sles15sp2-znetconf-introduce-better-ways-to-locate-udevadm.patch
  * s390-tools-sles15sp2-mon_tools-update-udevadm-location.patch
  * s390-tools-sles15sp2-lscpumf-change-dflt-ccerror-counter-name.patch
  * s390-tools-sles15sp2-01-zdev-Introduce-read-only-attributes.patch
  * s390-tools-sles15sp2-02-zdev-Handle-special-case-in-if-case.patch
  * s390-tools-sles15sp2-03-zdev-Report-FC-Endpoint-Security-of-zfcp-devices.patch
  * s390-tools-sles15sp2-04-zfcpdbf-print-HBA-FC-Endpoint-Security-trace-records.patch
  * s390-tools-sles15sp1-zdev-Also-include-the-ctc-driver-in-the-initrd.patch not in spec file
  * s390-tools-sles15sp2-Close-file-descriptor-when-checking-for-read-only.patch not in spec file
- Added s390-tools-sles15sp2-lscpumf-change-dflt-ccerror-counter-name.patch
  (bsc#1176508)
  lscpumf displays counter number 265 as DFLT_CCERROR. This is wrong
  and differs from the counter name as defined in the Linux kernel
  version 5.8 and later.
- Added the following patches to implement the post-GA feature jsc#ECO-2636
  Log FCP link info for endpoint security (bsc#1175477)
  * s390-tools-sles15sp2-01-zdev-Introduce-read-only-attributes.patch
  * s390-tools-sles15sp2-02-zdev-Handle-special-case-in-if-case.patch
  * s390-tools-sles15sp2-03-zdev-Report-FC-Endpoint-Security-of-zfcp-devices.patch
  * s390-tools-sles15sp2-04-zfcpdbf-print-HBA-FC-Endpoint-Security-trace-records.patch

OBS-URL: https://build.opensuse.org/request/show/854117
OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=101
2020-12-08 19:29:12 +00:00
Dominique Leuenberger
afe66573c4 Accepting request 834889 from Base:System
- use libexecdir for net-snmp agent config (forwarded request 834723 from oertel)

OBS-URL: https://build.opensuse.org/request/show/834889
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/s390-tools?expand=0&rev=33
2020-09-18 12:30:10 +00:00
Ruediger Oertel
5f87a54d2f Accepting request 834723 from home:oertel:branches:Base:System
- use libexecdir for net-snmp agent config

OBS-URL: https://build.opensuse.org/request/show/834723
OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=99
2020-09-16 11:25:27 +00:00
Dominique Leuenberger
ddc65e5249 Accepting request 823201 from Base:System
OBS-URL: https://build.opensuse.org/request/show/823201
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/s390-tools?expand=0&rev=32
2020-07-30 07:55:55 +00:00
Mark Post
58e312617d Accepting request 823200 from home:markkp:branches:Base:System
- The location of the udevadm binary was changed from /sbin/ to /usr/bin
  a while back. A symbolic link was added for compatibility. In the latest
  versions, that symbolic link has been removed, requiring changes to scripts
  that were depending on that.
  Added the following patches for bsc#1171587
  * s390-tools-sles15sp2-lsluns-try-harder-to-find-udevadm.patch
  * s390-tools-sles15sp2-znetconf-introduce-better-ways-to-locate-udevadm.patch
  *s390-tools-sles15sp2-mon_tools-update-udevadm-location.patch
- Added s390-tools-sles15sp2-zipl-prevent-endless-loop-during-IPL.patch
  (bsc#1174309) zipl: prevent endless loop during secure IPL
- Added s390-tools-sles15sp2-zipl-check-for-valid-ipl-parmblock-lowcore-pointer.patch
  (bsc#1174310) zipl: check for valid ipl parmblock lowcore pointer
- Added s390-tools-sles15sp2-01-zipl-libc-libc_stop-move-noreturn-to-declaration.patch
        s390-tools-sles15sp2-02-zipl-stage3-correctly-handle-diag308-response-code.patch
  (bsc1174311) zipl: Fix KVM IPL without bootindex
- Updated cputype and read_values to recognize the new z15 models.
- Added s390-tools-sles15sp2-zipl-prevent-endless-loop-during-IPL.patch
  (bsc#1174309) zipl: prevent endless loop during secure IPL
- Added s390-tools-sles15sp2-zipl-check-for-valid-ipl-parmblock-lowcore-pointer.patch
  (bsc#1174310) zipl: check for valid ipl parmblock lowcore pointer
- Added s390-tools-sles15sp2-01-zipl-libc-libc_stop-move-noreturn-to-declaration.patch
        s390-tools-sles15sp2-02-zipl-stage3-correctly-handle-diag308-response-code.patch
  (bsc1174311) zipl: Fix KVM IPL without bootindex
- Updated cputype and read_values to recognize the new z15 models.
- Added s390-tools-sles15sp2-vmcp-exit-code.patch (bsc#1173481)
  Change the vmcp exit code and return 'CP command failed' when both
  "CP command failed" and "response buffer is too small" error
  conditions are true.

OBS-URL: https://build.opensuse.org/request/show/823200
OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=97
2020-07-28 16:49:48 +00:00
Dominique Leuenberger
a804c82051 Accepting request 792037 from Base:System
OBS-URL: https://build.opensuse.org/request/show/792037
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/s390-tools?expand=0&rev=31
2020-04-13 10:49:47 +00:00
Mark Post
ce4e84587f Accepting request 792036 from home:markkp:branches:Base:System
- Added s390-tools-sles15sp2-01-cpumf-add-new-deflate-counters-for-z15.patch
  (bsc#1167853)
  lscpumf: New z15 CPU-MF counters not available, so add the
  definition for the new deflate counters.
- Updated read_values (bsc#1167815, jsc#SLE-10675)
  * Differentiate between IBM Z and IBM LinuxONE machines
  * Query and print the status of secure boot for the LPAR.

OBS-URL: https://build.opensuse.org/request/show/792036
OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=95
2020-04-07 19:32:33 +00:00
Mark Post
ec45615fc4 OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=94 2020-04-06 16:06:04 +00:00
Dominique Leuenberger
4a2ded890d Accepting request 786615 from Base:System
OBS-URL: https://build.opensuse.org/request/show/786615
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/s390-tools?expand=0&rev=30
2020-03-23 11:49:12 +00:00
Mark Post
30232e2023 Accepting request 786614 from home:markkp:branches:Base:System
- Added the following patches for bsc#1166850
  zipl: fix secure boot config handling:
  * s390-tools-sles15sp2-01-zipl-Add-missing-options-to-help-output.patch
  * s390-tools-sles15sp2-02-zipl-allow-stand-alone-secure-option-on-command-l.patch
  * s390-tools-sles15sp2-03-zipl-correct-secure-boot-config-handling.patch
  * s390-tools-sles15sp2-04-zipl-fix-zipl.conf-man-page-example-for-secure-boot.patch
- Modified the spec file so that the kernel used for the SCSI dump
  tool is named zfcpdump-image instead of zfcpdump_part.image. This
  is to match the new version of zipl that expects this new file name.
  (bsc#1166851)
- Added the following patches to implement jsc#SLE-7471, Enhanced
  tooling for kvm guest images (bsc#1165549):
  * s390-tools-sles15sp2-01-zipl-fix-Wdiscarded-qualifiers.patch
  * s390-tools-sles15sp2-02-zipl-fix-Waddress-of-packed-member.patch
  * s390-tools-sles15sp2-03-zipl-remove-some-useless-__packed___-attributes.patch
  * s390-tools-sles15sp2-04-zipl-Fix-entry-point-for-stand-alone-kdump.patch
  * s390-tools-sles15sp2-05-zipl-Fix-dependency-generation-in-zipl-boot.patch
  * s390-tools-sles15sp2-06-zipl-Make-use-of-__packed-macro.patch
  * s390-tools-sles15sp2-07-zipl-define-__section-macro-and-make-use-of-it.patch
  * s390-tools-sles15sp2-08-zipl-Make-use-of-__noreturn-macro.patch
  * s390-tools-sles15sp2-09-zipl-Define-__noinline-macro-and-make-use-of-it.patch
  * s390-tools-sles15sp2-10-zipl-stage3-Mark-start_kernel-__noreturn.patch
  * s390-tools-sles15sp2-11-zipl-sclp-Remove-duplicate-macros.patch
  * s390-tools-sles15sp2-12-zipl-Make-address-size-mask-macros-UL.patch
  * s390-tools-sles15sp2-13-zipl-libc-Use-stdint.h-instead-of-self-defined-macro.patch
  * s390-tools-sles15sp2-14-zipl-Consolidate-IMAGE-macros.patch
  * s390-tools-sles15sp2-15-zipl-Consolidate-STAGE-2-3-macros.patch
  * s390-tools-sles15sp2-16-zipl-stfle-use-uint64_t-instead-of-u64.patch
  * s390-tools-sles15sp2-17-zipl-boot-fix-comment-in-stage3.lds.patch
  * s390-tools-sles15sp2-18-lib-zt_common-add-STATIC_ASSERT-macro.patch
  * s390-tools-sles15sp2-19-zipl-use-STATIC_ASSERT-macro-for-no-padding-verifica.patch
  * s390-tools-sles15sp2-20-Support-lib-zt_common.h-to-be-used-in-assembler-and-.patch
  * s390-tools-sles15sp2-21-zipl-move-IPL-related-definitions-into-separate-head.patch
  * s390-tools-sles15sp2-22-zipl-move-SIGP-related-functions-and-definitions-int.patch
  * s390-tools-sles15sp2-23-zipl-add-SIGP_SET_ARCHITECTURE-to-sigp.h-and-use-it.patch
  * s390-tools-sles15sp2-24-zipl-stage3-make-IPL_DEVICE-definition-consistent-wi.patch
  * s390-tools-sles15sp2-25-zipl-move-Linux-layout-definitions-into-separate-hea.patch
  * s390-tools-sles15sp2-26-zipl-tape0-use-constants-defined-in-linux_layout.h.patch
  * s390-tools-sles15sp2-27-zipl-use-STAGE3_ENTRY-for-STAGE3_LOAD_ADDRESS.patch
  * s390-tools-sles15sp2-28-zipl-move-loaders-layout-definitions-into-separate-h.patch
  * s390-tools-sles15sp2-29-zipl-s390.h-rename-inline-macro-into-__always_inline.patch
  * s390-tools-sles15sp2-30-zipl-move-__always_inline-barrier-__pa32-pa-to-zt_co.patch
  * s390-tools-sles15sp2-31-zipl-make-BLK_PWRT-unsigned-int.patch
  * s390-tools-sles15sp2-32-Consolidate-MIN-and-MAX-macros.patch
  * s390-tools-sles15sp2-33-zipl-remove-libc.h-include-in-s390.h.patch
  * s390-tools-sles15sp2-34-zipl-move-s390.h-to-include-boot-s390.h.patch
  * s390-tools-sles15sp2-35-zipl-libc-include-s390.h.patch
  * s390-tools-sles15sp2-36-include-boot-s390.h-move-panic-and-panic_notify-to-l.patch
  * s390-tools-sles15sp2-37-include-boot-s390.h-fixes-for-Werror-sign-conversion.patch
  * s390-tools-sles15sp2-38-zipl-refactor-all-EBCDIC-code-into-separate-files.patch
  * s390-tools-sles15sp2-39-zipl-sclp-add-macros-for-the-control-program-masks.patch
  * s390-tools-sles15sp2-40-zipl-sclp-add-sclp_print_ascii.patch
  * s390-tools-sles15sp2-41-zipl-libc-printf-print-on-linemode-and-ASCII-console.patch
  * s390-tools-sles15sp2-42-Consolidate-ALIGN-__ALIGN_MASK-ARRAY_SIZE-macros.patch
  * s390-tools-sles15sp2-43-genprotimg-boot-initial-bootloader-support.patch
  * s390-tools-sles15sp2-44-genprotimg-boot-use-C-pre-processor-for-linker-scrip.patch
  * s390-tools-sles15sp2-45-genprotimg-add-relocator-for-stage3b.patch
  * s390-tools-sles15sp2-46-README.md-remove-useless-empty-line.patch
  * s390-tools-sles15sp2-47-include-boot-s390.h-add-guard-for-struct-__vector128.patch
  * s390-tools-sles15sp2-48-genprotimg-introduce-new-tool-for-the-creation-of-PV.patch
- Added a BuildRequires for glib2-devel to support the new feature.
- Added a %dir entry for /usr/share/s390-tools/genprotimg

OBS-URL: https://build.opensuse.org/request/show/786614
OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=92
2020-03-19 22:52:46 +00:00
Dominique Leuenberger
a27685791a Accepting request 783520 from Base:System
OBS-URL: https://build.opensuse.org/request/show/783520
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/s390-tools?expand=0&rev=29
2020-03-12 21:58:52 +00:00
Mark Post
7230df2ed5 Accepting request 783519 from home:markkp:branches:Base:System
- Added the following patches for bsc#1165978.
  zpcictl --reset only issues a SCLP reset and leaves the PCI function
  in an error state.
  Initiate an OS level recovery by calling /sys/bus/devices/<dev>/recover
  after the SCLP reset.
  * s390-tools-sles15sp2-01-zpcictl-Initiate-recover-after-reset.patch
  * s390-tools-sles15sp2-02-zpcictl-Rename-misleading-sysfs_write_data.patch
  * s390-tools-sles15sp2-03-zpcitctl-Exit-on-error-in-sysfs_report_error.patch
- The zipl boot loader may crash during boot. The solution is to
  implement vsnprintf and make use of it. (bsc#1165317)
  * s390-tools-sles15sp2-01-zipl-libc-Introduce-vsnprintf.patch
  * s390-tools-sles15sp2-02-zipl-libc-Fix-potential-buffer-overflow-in-printf.patch
  * s390-tools-sles15sp2-03-zipl-libc-Replace-sprintf-with-snprintf.patch
  * s390-tools-sles15sp2-04-zipl-libc-Indicate-truncated-lines-in-printf-with.patch

OBS-URL: https://build.opensuse.org/request/show/783519
OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=90
2020-03-10 19:03:33 +00:00
Dominique Leuenberger
9bde674903 Accepting request 777412 from Base:System
OBS-URL: https://build.opensuse.org/request/show/777412
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/s390-tools?expand=0&rev=28
2020-02-22 18:03:27 +00:00
Mark Post
9d48c28fee Accepting request 777411 from home:markkp:branches:Base:System
- Added s390-tools-sles15sp2-zkey-Fix-display-of-XTS-attribute-for-validate-comma.patch
  (bsc#1163002).
- Added s390-tools-sles15sp2-zkey-Fix-display-of-clear-key-size-for-CCA-AESCIPHER.patch
  (bsc#1163570).
- Re-categorized s390-tools-sles15sp1-11-zdev-Do-not-call-zipl-on-initrd-update.patch
  from an IBM patch to a SUSE-maintained patch. (bsc#1162840)
- sign the stage3.bin bootloader stage (bsc#1163524)
- Added s390-tools-sles15sp1-zdev-Also-include-the-ctc-driver-in-the-initrd.patch
  (bsc#1160373).
- Added s390-tools-sles15sp1-11-zdev-Do-not-call-zipl-on-initrd-update.patch
  (bsc#1162840).
- Added s390-tools-sles15sp2-zkey-Fix-listing-of-keys-on-file-systems-reporting-D.patch
  (bsc#1162996).
- Added s390-tools-sles15sp2-zkey-Fix-display-of-clear-key-size-for-XTS-keys.patch
  (bsc#1163003).

OBS-URL: https://build.opensuse.org/request/show/777411
OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=88
2020-02-19 19:16:44 +00:00
5838e20ccc Accepting request 776211 from home:msmeissn:branches:Base:System
- sign the stage3.bin bootloader stage (bsc#1163524)

OBS-URL: https://build.opensuse.org/request/show/776211
OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=87
2020-02-19 08:12:16 +00:00
Dominique Leuenberger
0f065998ca Accepting request 772274 from Base:System
OBS-URL: https://build.opensuse.org/request/show/772274
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/s390-tools?expand=0&rev=27
2020-02-15 21:23:48 +00:00
Mark Post
fae628f0c4 Accepting request 772273 from home:markkp:branches:Base:System
- Added s390-tools-sles15sp1-zdev-Also-include-the-ctc-driver-in-the-initrd.patch
  (bsc#1160373).
- Added s390-tools-sles15sp1-11-zdev-Do-not-call-zipl-on-initrd-update.patch
  (bsc#1162840).
- Added s390-tools-sles15sp2-zkey-Fix-listing-of-keys-on-file-systems-reporting-D.patch
  (bsc#1162996).
- Added s390-tools-sles15sp2-zkey-Fix-display-of-clear-key-size-for-XTS-keys.patch
  (bsc#1163002).

OBS-URL: https://build.opensuse.org/request/show/772273
OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=85
2020-02-08 03:21:31 +00:00
Dominique Leuenberger
9060e7acff Accepting request 750976 from Base:System
OBS-URL: https://build.opensuse.org/request/show/750976
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/s390-tools?expand=0&rev=26
2019-11-28 09:12:37 +00:00
Mark Post
50eb270fbf Accepting request 750974 from home:markkp:branches:Base:System
- Upgraded to version 2.11.0 (jsc#7831)
- Updated the cputype script and read_values program to recognize
  machine types up through the new z15.
- Added the following patches (bsc#1151859)
  * s390-tools-sles15sp2-01-zkey-Separate-and-rework-CCA-host-library-loading.patch
  * s390-tools-sles15sp2-02-zkey-Move-utility-functions-into-separate-source-fil.patch
  * s390-tools-sles15sp2-03-zkey-Add-utility-function-to-get-the-serial-number-o.patch
  * s390-tools-sles15sp2-04-zkey-Add-utility-function-to-get-the-mkvp-of-a-crypt.patch
  * s390-tools-sles15sp2-05-zkey-add-function-to-iterate-over-all-available-CCA-.patch
  * s390-tools-sles15sp2-06-zkey-Add-function-to-print-the-MKVPs-of-APQNs.patch
  * s390-tools-sles15sp2-07-zkey-Add-function-to-cross-check-APQNs-for-valid-mas.patch
  * s390-tools-sles15sp2-08-zkey-Add-function-to-obtain-the-mkvp-of-a-secure-key.patch
  * s390-tools-sles15sp2-09-zkey-Display-MKVP-when-validating-a-secure-key.patch
  * s390-tools-sles15sp2-10-zkey-Cross-check-APQNs-when-generating-secure-keys.patch
  * s390-tools-sles15sp2-11-zkey-Cross-check-APQNs-when-validating-secure-keys.patch
  * s390-tools-sles15sp2-12-zkey-Cross-check-APQNs-when-importing-secure-keys.patch
  * s390-tools-sles15sp2-13-zkey-Cross-check-APQNs-when-changing-APQN-associatio.patch
  * s390-tools-sles15sp2-14-zkey-Add-function-to-select-a-specific-CCA-adapter.patch
  * s390-tools-sles15sp2-15-zkey-Add-function-to-select-a-CCA-adapter-by-mkvp.patch
  * s390-tools-sles15sp2-16-zkey-Select-CCA-adapter-when-re-enciphering.patch
  * s390-tools-sles15sp2-17-zkey-cryptsetup-Add-to-new-and-from-old-options.patch
- Added the following patches (bsc#1151858)
  * s390-tools-sles15sp2-18-zkey-Display-key-type-with-list-and-validate-command.patch
  * s390-tools-sles15sp2-19-zkey-Allow-to-filter-list-output-by-key-type.patch
  * s390-tools-sles15sp2-20-zkey-Allow-to-specify-the-key-type-with-the-generate.patch
  * s390-tools-sles15sp2-21-zkey-Preparations-for-introducing-a-new-key-type.patch
  * s390-tools-sles15sp2-22-zkey-Introduce-the-CCA-AESCIPHER-key-type.patch
  * s390-tools-sles15sp2-23-zkey-Add-wrappers-for-the-new-IOCTLs-with-fallback-t.patch
  * s390-tools-sles15sp2-24-zkey-Add-helper-functions-to-build-lists-of-APQNs.patch
  * s390-tools-sles15sp2-25-zkey-Add-support-for-generating-AES-CIPHER-keys.patch
  * s390-tools-sles15sp2-26-zkey-Add-support-for-validating-AES-CIPHER-keys.patch
  * s390-tools-sles15sp2-27-zkey-Add-support-for-re-enciphering-AES-CIPHER-keys.patch
  * s390-tools-sles15sp2-28-zkey-Check-crypto-card-level-during-APQN-cross-check.patch
  * s390-tools-sles15sp2-29-zkey-Add-helper-function-to-query-the-CCA-firmware-v.patch
  * s390-tools-sles15sp2-30-zkey-Add-helper-function-to-convert-secure-keys-betw.patch
  * s390-tools-sles15sp2-31-zkey-Add-helper-function-to-restrict-export-of-secur.patch
  * s390-tools-sles15sp2-32-zkey-Add-helper-function-to-check-an-AES-CIPHER-key.patch
  * s390-tools-sles15sp2-33-zkey-Add-key-checks-when-importing-a-CCA-AESCIPHER-k.patch
  * s390-tools-sles15sp2-34-zkey-Add-convert-command-to-convert-keys-from-one-ty.patch
  * s390-tools-sles15sp2-35-zkey-Allow-zkey-cryptsetup-setkey-to-set-different-k.patch
- Added the following patches (bsc#1153757)
  * s390-tools-sles15sp2-zcrypt-CEX7S-exploitation-support.patch
  * s390-tools-sles15sp2-zcryptstats-Add-support-for-CEX7.patch
- Added s390-tools-sles15sp2-Close-file-descriptor-when-checking-for-read-only.patch
- Forward-ported the following patches to work with the restructuring IBM did for
  this version
  * dasdfmt-retry-BIODASDINFO-if-device-is-busy.patch
  * s390-tools-sles12-fdasd-skip-partition-check-and-BLKRRPART-ioctl.patch
  * s390-tools-sles15-Allow-multiple-device-arguments.patch 
  * s390-tools-sles15-Format-devices-in-parallel.patch
  * s390-tools-sles15-Implement-f-for-backwards-compability.patch
  * s390-tools-sles15-Implement-Y-yast_mode.patch
- Removed the following obsolete patches:
  * s390-tools-sles15-1-lstape-fix-output-with-SCSI-lin_tape-and-multiple-pa.patch
  * s390-tools-sles15-2-lstape-fix-to-prefer-sysfs-to-find-lin_tape-device-n.patch
  * s390-tools-sles15-3-lstape-fix-output-without-SCSI-generic-sg.patch
  * s390-tools-sles15-4-lsluns-fix-to-prevent-error-messages-if-there-are-no.patch
  * s390-tools-sles15-5-lstape-fix-to-prevent-error-messages-if-there-are-no.patch
  * s390-tools-sles15-6-lstape-fix-description-of-type-and-devbusid-filter-f.patch
  * s390-tools-sles15-7-lstape-fix-SCSI-output-description-in-man-page.patch
  * s390-tools-sles15-8-lstape-fix-SCSI-HBA-CCW-device-bus-ID-e.g.-for-virti.patch
  * s390-tools-sles15-cpi-add-unit-install-section.patch
  * s390-tools-sles15-cpuplugd-Improve-systemctl-start-error-handling.patch
  * s390-tools-sles15-dbginfo-add-data-for-ps-cpprot.patch
  * s390-tools-sles15-Drop-device_id-parameter.patch
  * s390-tools-sles15-Fix-truncation-warning.patch
  * s390-tools-sles15-Fixup-dasdfmt_get_volser.patch
  * s390-tools-sles15-Fixup-device-name-handling.patch
  * s390-tools-sles15-hmcdrvfs-fix-parsing-of-link-count.patch
  * s390-tools-sles15-iucvterm-include-ctype-for-toupper.patch
  * s390-tools-sles15-lsluns-clarify-discovery-use-case-relation-to-NPIV-a.patch
  * s390-tools-sles15-lsluns-complement-alternative-tools-with-lszdev.patch
  * s390-tools-sles15-lsluns-document-restriction-to-zfcp-only-systems.patch
  * s390-tools-sles15-lsluns-do-not-print-confusing-messages-when-a-filter.patch
  * s390-tools-sles15-lsluns-do-not-scan-all-if-filters-match-nothing.patch
  * s390-tools-sles15-lsluns-enhance-usage-statement-and-man-page.patch
  * s390-tools-sles15-lsluns-fix-flawed-formatting-of-man-page.patch
  * s390-tools-sles15-lsluns-point-out-IBM-Storwize-configuration-requirem.patch
  * s390-tools-sles15-mon_procd-fix-parsing-of-proc-pid-stat.patch
  * s390-tools-sles15-mon_tools-Improve-systemctl-start-error-handling.patch
  * s390-tools-sles15sp1-0001-zkey-Add-properties-file-handling-routines.patch
  * s390-tools-sles15sp1-0002-zkey-Add-build-dependency-to-OpenSSL-libcrypto.patch
  * s390-tools-sles15sp1-0003-zkey-Add-helper-functions-for-comma-separated-string.patch
  * s390-tools-sles15sp1-0004-zkey-Externalize-secure-key-back-end-functions.patch
  * s390-tools-sles15sp1-0005-zkey-Add-keystore-implementation.patch
  * s390-tools-sles15sp1-0006-zkey-Add-keystore-related-commands.patch
  * s390-tools-sles15sp1-0007-zkey-Create-key-repository-and-group-during-make-ins.patch
  * s390-tools-sles15sp1-0008-zkey-Man-page-updates.patch
  * s390-tools-sles15sp1-0009-zkey-let-packaging-create-the-zkeyadm-group-and-perm.patch
  * s390-tools-sles15sp1-0010-zkey-Update-README-to-add-info-about-packaging-requi.patch
  * s390-tools-sles15sp1-0011-zkey-Typo-in-message.patch
  * s390-tools-sles15sp1-0012-zkey-Fix-memory-leak.patch
  * s390-tools-sles15sp1-0013-zkey-Fix-APQN-validation-routine.patch
  * s390-tools-sles15sp1-0014-zkey-Fix-generate-and-import-leaving-key-in-an-incon.patch
  * s390-tools-sles15sp1-0015-zkey-Add-zkey-cryptsetup-tool.patch
  * s390-tools-sles15sp1-0016-zkey-Add-man-page-for-zkey-cryptsetup.patch
  * s390-tools-sles15sp1-0017-zkey-Add-build-dependency-for-libcryptsetup-and-json.patch
  * s390-tools-sles15sp1-0018-zkey-Add-key-verification-pattern-property.patch
  * s390-tools-sles15sp1-0019-zkey-Add-volume-type-property-to-support-LUKS2-volum.patch
  * s390-tools-sles15sp1-01-chzcrypt-Corrections-at-the-chzcrypt-man-page.patch
  * s390-tools-sles15sp1-01-cpumf-Add-extended-counter-defintion-files-for-IBM-z.patch
  * s390-tools-sles15sp1-01-lszcrypt-CEX6S-exploitation.patch
  * s390-tools-sles15sp1-01-util_path-add-function-to-check-if-a-path-exists.patch
  * s390-tools-sles15sp1-01-zcryptctl-new-tool-zcryptctl-for-multiple-zcrypt-node.patch
  * s390-tools-sles15sp1-01-zdev-use-libutil-provided-path-functions.patch
  * s390-tools-sles15sp1-01-zkey-Include-sbin-into-PATH-when-executing-commands.patch
  * s390-tools-sles15sp1-02-cpumf-z14-split-counter-sets-according-to-CFVN-CSVN-.patch
  * s390-tools-sles15sp1-02-lszcrypt-fix-date-and-wrong-indentation.patch
  * s390-tools-sles15sp1-02-lszcrypt-support-for-alternate-zcrypt-device-drivers.patch
  * s390-tools-sles15sp1-02-util_path-Add-description-for-util_path_exists.patch
  * s390-tools-sles15sp1-02-zdev-Prepare-for-firmware-configuration-file-support.patch
  * s390-tools-sles15sp1-03-cpumf-cpumf_helper-read-split-counter-sets-part-2-2.patch
  * s390-tools-sles15sp1-03-util_path-Make-true-false-handling-consistent-with-o.patch
  * s390-tools-sles15sp1-03-zdev-Add-support-for-reading-firmware-configuration-.patch
  * s390-tools-sles15sp1-04-cpumf-correct-z14-counter-number.patch
  * s390-tools-sles15sp1-04-zdev-Implement-no-settle.patch
  * s390-tools-sles15sp1-04-zpcictl-Introduce-new-tool-zpcictl.patch
  * s390-tools-sles15sp1-05-cpumf-add-missing-Description-tag-for-z13-z14-ctr-12.patch
  * s390-tools-sles15sp1-05-zdev-Write-zfcp-lun-udev-rules-to-separate-files.patch
  * s390-tools-sles15sp1-05-zpcictl-include-sys-sysmacros.h-to-avoid-minor-major.patch
  * s390-tools-sles15sp1-06-cpumf-correct-counter-name-for-z13-and-z14.patch
  * s390-tools-sles15sp1-06-zdev-Add-support-for-handling-auto-configuration-dat.patch
  * s390-tools-sles15sp1-06-zpcictl-Rephrase-man-page-entries-and-tool-output.patch
  * s390-tools-sles15sp1-07-cpumf-Add-IBM-z14-ZR1-to-the-CPU-Measurement-Facilit.patch
  * s390-tools-sles15sp1-07-zdev-Integrate-firmware-auto-configuration-with-drac.patch
  * s390-tools-sles15sp1-07-zpcictl-Use-fopen-instead-of-open-for-writes.patch
  * s390-tools-sles15sp1-08-zdev-Integrate-firmware-auto-configuration-with-init.patch
  * s390-tools-sles15sp1-08-zpcictl-Read-device-link-to-obtain-device-address.patch
  * s390-tools-sles15sp1-09-zdev-Implement-internal-device-attributes.patch
  * s390-tools-sles15sp1-09-zpcictl-Make-device-node-for-NVMe-optional.patch
  * s390-tools-sles15sp1-10-zdev-Implement-support-for-early-device-configuratio.patch
  * s390-tools-sles15sp1-10-zpcictl-Change-wording-of-man-page-and-help-output.patch
  * s390-tools-sles15sp1-11-zdev-Do-not-call-zipl-on-initrd-update.patch
  * s390-tools-sles15sp1-dbginfo-gather-nvme-related-data.patch
  * s390-tools-sles15sp1-qethqoat-add-OSA-Express7S-support.patch
  * s390-tools-sles15sp1-zcrypt-refine-lszcrypt-man-page.patch
  * s390-tools-sles15sp1-zdev-Also-include-the-ctc-driver-in-the-initrd.patch
  * s390-tools-sles15sp1-zdev-fix-qeth-BridgePort-and-VNICC-conflict-checking.patch
  * s390-tools-sles15sp1-zkey-Enhance-error-message-about-missing-CCA-library.patch
  * s390-tools-sles15-zdev-Enable-running-chzdev-from-unknown-root-devices.patch
  * s390-tools-sles15-zdev-Fix-zdev-dracut-module-aborting-on-unknown-root.patch
  * s390-tools-sles15-zdev-Use-correct-path-to-vmcp-binary.patch
  * s390-tools-sles15-ziomon-re-add-missing-line.patch
  * s390-tools-sles15-zipl-remove-invalid-dasdview-command-line-option.patch
- Added s390-tools-sles15sp1-ziomon-fix-utilization-data-recording-with-multi-dig.patch
  ziomon: fix utilization recording with multi-digit scsi hosts
  (bsc#1141876)

OBS-URL: https://build.opensuse.org/request/show/750974
OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=83
2019-11-26 09:42:09 +00:00
Mark Post
0414295c92 Accepting request 695825 from Base:System
Revert back to revision # 79.

OBS-URL: https://build.opensuse.org/request/show/695825
OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=82
2019-04-18 18:16:03 +00:00
Andreas Jaeger
e6494dc003 Accepting request 678101 from home:jengelh:branches:Base:System
- Make sure that *ALL* scripts are either sh compatible or have
  been properly tagged as #!/bin/bash, not just the specfile.
- Drop BuildRequires: dracut, because it is not required to build
  or install the source. Installation of the dracut module files
  depends on the HAVE_DRACUT make variable only.
- Remove invisible trailing whitespaces.

OBS-URL: https://build.opensuse.org/request/show/678101
OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=81
2019-04-18 06:18:45 +00:00
Dominique Leuenberger
d2c53afb8d Accepting request 678097 from Base:System
- Now that IBM has the package on github, use a full source URL.
- Change Pre-Req to Requires(pre) and (post), and remove dracut.
- Changed the group for the hmcdrvfs package from Base:System to
  Base/Filesystems
- Institute the %autosetup macro.
- Remove erroneous %dir entry for %_unitdir
- Change bash-specific "==" tests in scriptlets with a more
  generic "=".
- Modified the spec file to add a group named cpacfstats
  (bsc#1123730)

OBS-URL: https://build.opensuse.org/request/show/678097
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/s390-tools?expand=0&rev=25
2019-02-26 21:13:46 +00:00
Mark Post
df32ae2dc8 OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=79 2019-02-21 21:14:33 +00:00
Mark Post
abab0f4351 OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=78 2019-02-21 21:13:40 +00:00
Mark Post
8b3799a6c8 Accepting request 678085 from home:markkp:branches:Base:System
- Now that IBM has the package on github, use a full source URL.
- Change Pre-Req to Requires(pre) and (post), and remove dracut.
- Institute the %autosetup macro.
- Remove erroneous %dir entry for %_unitdir
- Change bash-specific "==" tests in scriptlets with a more
  generic "=".

OBS-URL: https://build.opensuse.org/request/show/678085
OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=77
2019-02-21 20:22:30 +00:00
Mark Post
0ab3f07ba3 OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=76 2019-02-15 09:32:36 +00:00
Mark Post
b76a19aa36 OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=75 2019-02-15 09:32:09 +00:00
Mark Post
f7fd775620 Accepting request 676267 from home:markkp:branches:Base:System
- Reverted the previous change to use the "new and shiny" system RPM method of adding groups that doesn't apply to this package.
- Modified the spec file to add a group named cpacfstats
  (bsc#1123730)

OBS-URL: https://build.opensuse.org/request/show/676267
OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=74
2019-02-15 00:37:21 +00:00
6761090444 Accepting request 670592 from home:michals:s390
OBS-URL: https://build.opensuse.org/request/show/670592
OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=73
2019-02-03 18:25:11 +00:00
Dominique Leuenberger
479bd37946 Accepting request 669358 from Base:System
OBS-URL: https://build.opensuse.org/request/show/669358
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/s390-tools?expand=0&rev=24
2019-01-29 13:45:54 +00:00
Mark Post
1e480d4bdd Accepting request 669357 from home:markkp:branches:Base:System
- Added s390-tools-sles15sp1-zcrypt-refine-lszcrypt-man-page.patch
  Added some explanations about the columns shown with the lszcrypt
  verbose output.  (bsc#1123041)

OBS-URL: https://build.opensuse.org/request/show/669357
OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=71
2019-01-28 18:27:05 +00:00
Mark Post
0e5ab6cb16 Accepting request 668209 from home:markkp:branches:Base:System
- Updated the spec file to regenerate the initrd in the post, postun,
  and poststrans scriptlets. (bsc#1112018)

OBS-URL: https://build.opensuse.org/request/show/668209
OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=70
2019-01-24 04:52:52 +00:00
Mark Post
a3eb83fa88 Accepting request 666551 from home:markkp:branches:Base:System
- Enable cryptsetup now that version 2 is included in SLES15 SP1.
  (Fate#325684)

OBS-URL: https://build.opensuse.org/request/show/666551
OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=69
2019-01-16 21:38:23 +00:00
Mark Post
3a20173448 Accepting request 666037 from home:markkp:branches:Base:System
- Added the following two patches from IBM (bsc#1121719):
  * s390-tools-sles15sp1-01-zkey-Include-sbin-into-PATH-when-executing-commands.patch
  * s390-tools-sles15sp1-zkey-Enhance-error-message-about-missing-CCA-library.patch
- Added the following patch to correct a problem with CTC network
  interfaces not coming up after a reboot (bsc#1119102)
  * s390-tools-sles15sp1-zdev-Also-include-the-ctc-driver-in-the-initrd.patch

OBS-URL: https://build.opensuse.org/request/show/666037
OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=68
2019-01-14 18:51:09 +00:00
Mark Post
714bda41fe Accepting request 666019 from home:markkp:branches:Base:System
- Added the following two patches from IBM (bsc#1121719):
  * s390-tools-sles15sp1-01-zkey-Include-sbin-into-PATH-when-executing-commands.patch
  * s390-tools-sles15sp1-zkey-Enhance-error-message-about-missing-CCA-library.patch

OBS-URL: https://build.opensuse.org/request/show/666019
OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=67
2019-01-14 17:16:03 +00:00
Mark Post
da00c9b14c Accepting request 664262 from home:markkp:branches:Base:System
- Added s390-tools-sles15sp1-qethqoat-add-OSA-Express7S-support.patch
  qethqoat: add OSA-Express7S support
  (Fate#326805, bsc#1121222)
- Modified the spec file to: (bsc#1119966)
  * Add a group named zkeyadm
  * Create directory /etc/zkey/repository
  * Set the permissions on /etc/zkey and /etc/zkey/repository
  * Added /usr/lib/modules-load.d/pkey.conf 
- Made numerous changes to the spec file based on the output from
  spec-cleaner.

OBS-URL: https://build.opensuse.org/request/show/664262
OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=66
2019-01-10 06:15:49 +00:00
Mark Post
2ffa16183f Accepting request 664200 from home:markkp:branches:Base:System
- Added s390-tools-sles15sp1-qethqoat-add-OSA-Express7S-support.patch
  qethqoat: add OSA-Express7S support
  (Fate#326805, bsc#1121222)

OBS-URL: https://build.opensuse.org/request/show/664200
OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=65
2019-01-09 23:44:56 +00:00
Dominique Leuenberger
7f9a95e4ae Accepting request 655912 from Base:System
- Added the following patches for Fate#326825 (bsc#1113329)
  I/O device pre-configuration
  * s390-tools-sles15sp1-01-zdev-use-libutil-provided-path-functions.patch
  * s390-tools-sles15sp1-02-zdev-Prepare-for-firmware-configuration-file-support.patch
  * s390-tools-sles15sp1-03-zdev-Add-support-for-reading-firmware-configuration-.patch
  * s390-tools-sles15sp1-04-zdev-Implement-no-settle.patch
  * s390-tools-sles15sp1-05-zdev-Write-zfcp-lun-udev-rules-to-separate-files.patch
  * s390-tools-sles15sp1-06-zdev-Add-support-for-handling-auto-configuration-dat.patch
  * s390-tools-sles15sp1-07-zdev-Integrate-firmware-auto-configuration-with-drac.patch
  * s390-tools-sles15sp1-08-zdev-Integrate-firmware-auto-configuration-with-init.patch
  * s390-tools-sles15sp1-09-zdev-Implement-internal-device-attributes.patch
  * s390-tools-sles15sp1-10-zdev-Implement-support-for-early-device-configuratio.patch
  * s390-tools-sles15sp1-11-zdev-Do-not-call-zipl-on-initrd-update.patch
- Removed the obsolete customize-zdev-root-update-script.patch
- Replaced s390-tools-sles15-zdev-fix-qeth-BridgePort-and-VNICC-conflict-checking.patch
  with s390-tools-sles15sp1-zdev-fix-qeth-BridgePort-and-VNICC-conflict-checking.patch
  to fit the current version (bsc#1118618).

OBS-URL: https://build.opensuse.org/request/show/655912
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/s390-tools?expand=0&rev=23
2018-12-10 11:22:47 +00:00
Mark Post
abb3f04920 OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=63 2018-12-06 22:36:39 +00:00
Mark Post
d596eac230 Accepting request 655908 from home:markkp:branches:Base:System
Removed obsolete script.

OBS-URL: https://build.opensuse.org/request/show/655908
OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=62
2018-12-06 22:30:51 +00:00
Mark Post
5500b3a5bc Accepting request 655900 from home:markkp:branches:Base:System
- Added the following patches for Fate#326825 (bsc#1113329)
  I/O device pre-configuration
  * s390-tools-sles15sp1-01-zdev-use-libutil-provided-path-functions.patch
  * s390-tools-sles15sp1-02-zdev-Prepare-for-firmware-configuration-file-support.patch
  * s390-tools-sles15sp1-03-zdev-Add-support-for-reading-firmware-configuration-.patch
  * s390-tools-sles15sp1-04-zdev-Implement-no-settle.patch
  * s390-tools-sles15sp1-05-zdev-Write-zfcp-lun-udev-rules-to-separate-files.patch
  * s390-tools-sles15sp1-06-zdev-Add-support-for-handling-auto-configuration-dat.patch
  * s390-tools-sles15sp1-07-zdev-Integrate-firmware-auto-configuration-with-drac.patch
  * s390-tools-sles15sp1-08-zdev-Integrate-firmware-auto-configuration-with-init.patch
  * s390-tools-sles15sp1-09-zdev-Implement-internal-device-attributes.patch
  * s390-tools-sles15sp1-10-zdev-Implement-support-for-early-device-configuratio.patch
  * s390-tools-sles15sp1-11-zdev-Do-not-call-zipl-on-initrd-update.patch
- Removed the obsolete customize-zdev-root-update-script.patch
- Replaced s390-tools-sles15-zdev-fix-qeth-BridgePort-and-VNICC-conflict-checking.patch
  with s390-tools-sles15sp1-zdev-fix-qeth-BridgePort-and-VNICC-conflict-checking.patch
  to fit the current version.

OBS-URL: https://build.opensuse.org/request/show/655900
OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=61
2018-12-06 21:23:28 +00:00
Dominique Leuenberger
8c79fe2f2f Accepting request 653162 from Base:System
Re-ordered the patch numbers to match IBM's recommendation.

- Added the following patches for Fate#326862 (bsc#1113328)
  zcrypt DD: introduce APQN tags to support deterministic driver binding
  * s390-tools-sles15sp1-01-chzcrypt-Corrections-at-the-chzcrypt-man-page.patch
  * s390-tools-sles15sp1-02-lszcrypt-support-for-alternate-zcrypt-device-drivers.patch
- Added the following patches for Fate#326804 (bsc#1113330)
  Extended access controls for AP queue
  * s390-tools-sles15sp1-01-zcryptctl-new-tool-zcryptctl-for-multiple-zcrypt-node.patch

OBS-URL: https://build.opensuse.org/request/show/653162
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/s390-tools?expand=0&rev=22
2018-12-03 09:07:03 +00:00
Mark Post
6f83d79828 Accepting request 653160 from home:markkp:branches:Base:System
- Added the following patches for Fate#326862 (bsc#1113328)
  zcrypt DD: introduce APQN tags to support deterministic driver binding
  * s390-tools-sles15sp1-01-chzcrypt-Corrections-at-the-chzcrypt-man-page.patch
  * s390-tools-sles15sp1-02-lszcrypt-support-for-alternate-zcrypt-device-drivers.patch
- Added the following patches for Fate#326804 (bsc#1113330)
  Extended access controls for AP queue
  * s390-tools-sles15sp1-01-zcryptctl-new-tool-zcryptctl-for-multiple-zcrypt-node.patch

OBS-URL: https://build.opensuse.org/request/show/653160
OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=59
2018-11-30 23:25:09 +00:00
Dominique Leuenberger
57fd3077e4 Accepting request 648784 from Base:System
OBS-URL: https://build.opensuse.org/request/show/648784
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/s390-tools?expand=0&rev=21
2018-11-18 22:22:32 +00:00
Mark Post
a7f8ed0265 Accepting request 648783 from home:markkp:branches:Base:System
Lots of features implemented for SLES15 SP1.

OBS-URL: https://build.opensuse.org/request/show/648783
OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=57
2018-11-13 20:02:51 +00:00
Mark Post
9528578d29 Accepting request 643829 from home:markkp:branches:Base:System
- Added s390-tools-sles15-zdev-fix-qeth-BridgePort-and-VNICC-conflict-checking.patch
  zdev: qeth BridgePort and VNICC attribute conflict (bsc#1112536)

OBS-URL: https://build.opensuse.org/request/show/643829
OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=56
2018-10-22 22:02:59 +00:00
Yuchen Lin
352be82c0a Accepting request 635597 from Base:System
- Added the following patch for bsc#1094354
  * customize-zdev-root-update-script.patch
- Modified ctc_configure to not pass a "protcol=" parameter when
  configuring LCS devices. (bsc#1096520)
- Added the following patches for bsc#1098069
  * s390-tools-sles15-dbginfo-add-data-for-ps-cpprot.patch
  * s390-tools-sles15-mon_procd-fix-parsing-of-proc-pid-stat.patch
  * s390-tools-sles15-1-lstape-fix-output-with-SCSI-lin_tape-and-multiple-pa.patch
  * s390-tools-sles15-2-lstape-fix-to-prefer-sysfs-to-find-lin_tape-device-n.patch
  * s390-tools-sles15-3-lstape-fix-output-without-SCSI-generic-sg.patch
  * s390-tools-sles15-4-lsluns-fix-to-prevent-error-messages-if-there-are-no.patch
  * s390-tools-sles15-5-lstape-fix-to-prevent-error-messages-if-there-are-no.patch
  * s390-tools-sles15-6-lstape-fix-description-of-type-and-devbusid-filter-f.patch
  * s390-tools-sles15-7-lstape-fix-SCSI-output-description-in-man-page.patch
  * s390-tools-sles15-8-lstape-fix-SCSI-HBA-CCW-device-bus-ID-e.g.-for-virti.patch
- dasd_reload: Fixed several syntax errors. Changed the script to
  ensure that the DASD volume are actually activated in device
  number order. If an old 51-dasd-<ccw>.rules file is found,
  rename it to obsolete-51-dasd-<ccw>.rules, and use chzdev to
  generate a new rules file. (bsc#1103407)
- dasd_reload: Check for 41-dasd-<type>-<ccw>.rules in addition
  to the original 51-dasd-<ccw>.rules (bsc#1103407)
- Removed s390 from the ExclusiveArch parameter (bsc#1102906)

OBS-URL: https://build.opensuse.org/request/show/635597
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/s390-tools?expand=0&rev=20
2018-09-20 09:37:11 +00:00
Mark Post
cd557016ed - Added the following patch for bsc#1094354
- Added the following patches for bsc#1098069
  * s390-tools-sles15-dbginfo-add-data-for-ps-cpprot.patch
  * s390-tools-sles15-mon_procd-fix-parsing-of-proc-pid-stat.patch
  * s390-tools-sles15-1-lstape-fix-output-with-SCSI-lin_tape-and-multiple-pa.patch
  * s390-tools-sles15-2-lstape-fix-to-prefer-sysfs-to-find-lin_tape-device-n.patch
  * s390-tools-sles15-3-lstape-fix-output-without-SCSI-generic-sg.patch
  * s390-tools-sles15-4-lsluns-fix-to-prevent-error-messages-if-there-are-no.patch
  * s390-tools-sles15-5-lstape-fix-to-prevent-error-messages-if-there-are-no.patch
  * s390-tools-sles15-6-lstape-fix-description-of-type-and-devbusid-filter-f.patch
  * s390-tools-sles15-7-lstape-fix-SCSI-output-description-in-man-page.patch
  * s390-tools-sles15-8-lstape-fix-SCSI-HBA-CCW-device-bus-ID-e.g.-for-virti.patch

- dasd_reload: Fixed several syntax errors. Changed the script to
  ensure that the DASD volume are actually activated in device
  number order. If an old 51-dasd-<ccw>.rules file is found,
  rename it to obsolete-51-dasd-<ccw>.rules, and use chzdev to
  generate a new rules file. (bsc#1103407)

- dasd_reload: Check for 41-dasd-<type>-<ccw>.rules in addition
  to the original 51-dasd-<ccw>.rules (bsc#1103407)

- Removed s390 from the ExclusiveArch parameter (bsc#1102906)

OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=54
2018-08-31 21:13:20 +00:00
Mark Post
7a618d686a OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=53 2018-08-24 18:55:57 +00:00
Mark Post
0e0d01b0a0 - dasd_reload:
* Fixed several syntax errors.
  * Changed the script to ensure that the DASD volume are actually
    activated in device number order.
  * Check for 41-dasd-<type>-<ccw>.rules in addition to the
    original 51-dasd-<ccw>.rules. If an old 51-dasd-<ccw>.rules
    file is found, rename it to obsolete-51-dasd-<ccw>.rules, and
    use chzdev to generate a new rules file. (bsc#1103407)
- Added the following patches for bsc#1098069:
  * s390-tools-sles15-dbginfo-add-data-for-ps-cpprot.patch
  * s390-tools-sles15-mon_procd-fix-parsing-of-proc-pid-stat.patch
- Added the following patch (bsc#1094354)
  * customize-zdev-root-update-script.patch
- Modified ctc_configure to not pass a "protcol=" parameter when
  configuring LCS devices. (bsc#1096520)

OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=52
2018-08-24 18:54:31 +00:00
Dominique Leuenberger
53be671404 Accepting request 621201 from Base:System
OBS-URL: https://build.opensuse.org/request/show/621201
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/s390-tools?expand=0&rev=19
2018-07-13 08:15:33 +00:00
Mark Post
d4760b840e Accepting request 621200 from home:markkp:branches:Base:System
- mark active_devices.txt as %config(noreplace) (bsc#1090213)

OBS-URL: https://build.opensuse.org/request/show/621200
OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=50
2018-07-05 19:19:14 +00:00
Yuchen Lin
6735555ff1 Accepting request 594083 from Base:System
- Added s390-tools-sles15-hmcdrvfs-fix-parsing-of-link-count.patch
  (bsc#1087452)
  * hmcdrvfs: fix parsing of link count >= 1000

OBS-URL: https://build.opensuse.org/request/show/594083
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/s390-tools?expand=0&rev=18
2018-04-10 07:52:57 +00:00
Mark Post
4577a4484a Accepting request 594082 from home:markkp:branches:Base:System
- Added s390-tools-sles15-hmcdrvfs-fix-parsing-of-link-count.patch
  (bsc#1087452)
  * hmcdrvfs: fix parsing of link count >= 1000

OBS-URL: https://build.opensuse.org/request/show/594082
OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=48
2018-04-06 18:59:03 +00:00
Mark Post
cfa910daff Accepting request 594078 from home:markkp:branches:Base:System
- Added s390-tools-sles12sp3-hmcdrvfs-fix-parsing-of-link-count.patch
  (bsc#1087452)
  * hmcdrvfs: fix parsing of link count >= 1000

OBS-URL: https://build.opensuse.org/request/show/594078
OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=47
2018-04-06 18:50:16 +00:00
Dominique Leuenberger
93f8946142 Accepting request 590431 from Base:System
OBS-URL: https://build.opensuse.org/request/show/590431
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/s390-tools?expand=0&rev=17
2018-03-26 10:32:26 +00:00
Mark Post
cedfeed3a5 Accepting request 590430 from home:markkp:branches:Base:System
- Modified dasd_configure script to set a return code of 8 if a
  DASD volume being brought online is not formatted. (bsc#1084503)

OBS-URL: https://build.opensuse.org/request/show/590430
OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=45
2018-03-22 21:23:35 +00:00
Dominique Leuenberger
c324b42414 Accepting request 563490 from Base:System
OBS-URL: https://build.opensuse.org/request/show/563490
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/s390-tools?expand=0&rev=16
2018-01-16 08:39:44 +00:00
Mark Post
f675d71be2 Accepting request 563489 from home:markkp:branches:Base:System
- Converted the following SysV init scripts to systemd unit files
  and scripts (bsc#1050786):
  * appldata
  * hsnc
  * vmlogrdr
  * xpram

OBS-URL: https://build.opensuse.org/request/show/563489
OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=43
2018-01-11 00:30:11 +00:00
Dominique Leuenberger
cfaef81101 Accepting request 555142 from Base:System
OBS-URL: https://build.opensuse.org/request/show/555142
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/s390-tools?expand=0&rev=15
2017-12-12 20:19:08 +00:00
Mark Post
b12140c3aa Accepting request 555141 from home:markkp:branches:Base:System
- Added the following two patches (bsc#1071166):
  s390-tools-sles15-zdev-Enable-running-chzdev-from-unknown-root-devices.patch
  s390-tools-sles15-zdev-Fix-zdev-dracut-module-aborting-on-unknown-root.patch

OBS-URL: https://build.opensuse.org/request/show/555141
OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=41
2017-12-07 23:24:33 +00:00
Mark Post
d3b5067da2 Accepting request 554611 from home:markkp:branches:Base:System
- Added the following patches (bsc#1070836):
  s390-tools-sles15-cpuplugd-Improve-systemctl-start-error-handling.patch
  s390-tools-sles15-mon_tools-Improve-systemctl-start-error-handling.patch
  s390-tools-sles15-lsluns-do-not-scan-all-if-filters-match-nothing.patch
  s390-tools-sles15-lsluns-do-not-print-confusing-messages-when-a-filter.patch
  s390-tools-sles15-lsluns-fix-flawed-formatting-of-man-page.patch
  s390-tools-sles15-lsluns-enhance-usage-statement-and-man-page.patch
  s390-tools-sles15-lsluns-clarify-discovery-use-case-relation-to-NPIV-a.patch
  s390-tools-sles15-lsluns-point-out-IBM-Storwize-configuration-requirem.patch
  s390-tools-sles15-lsluns-document-restriction-to-zfcp-only-systems.patch
  s390-tools-sles15-lsluns-complement-alternative-tools-with-lszdev.patch

OBS-URL: https://build.opensuse.org/request/show/554611
OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=40
2017-12-05 19:04:03 +00:00
Mark Post
119b4cab84 Accepting request 554557 from home:markkp:branches:Base:System
- Added "--no-root-update" to all the chzdev calls in the following
  scripts for bsc#1071165:
  ctc_configure
  dasd_configure
  qeth_configure
  zfcp_disk_configure
  zfcp_host_configure

OBS-URL: https://build.opensuse.org/request/show/554557
OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=39
2017-12-05 15:58:29 +00:00
Mark Post
2fb5028b0b Accepting request 546824 from home:markkp:branches:Base:System
- Added the following patches (bsc#1068538)
  * s390-tools-sles15-cpi-add-unit-install-section.patch
  * s390-tools-sles15-zipl-remove-invalid-dasdview-command-line-option.patch
  * s390-tools-sles15-ziomon-re-add-missing-line.patch
- Modified s390-tools-sles15-zdev-Use-correct-path-to-vmcp-binary.patch to
  point to the correct line in the common.mk file.

OBS-URL: https://build.opensuse.org/request/show/546824
OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=38
2017-11-30 21:03:10 +00:00
Dominique Leuenberger
bb8810e1c4 Accepting request 545112 from Base:System
OBS-URL: https://build.opensuse.org/request/show/545112
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/s390-tools?expand=0&rev=14
2017-11-29 09:51:38 +00:00
43a99763d5 Accepting request 544694 from home:RBrownSUSE:branches:Base:System
Replace references to /var/adm/fillup-templates with new %_fillupdir macro (boo#1069468)

OBS-URL: https://build.opensuse.org/request/show/544694
OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=36
2017-11-24 10:17:06 +00:00
Dominique Leuenberger
9797d484a7 Accepting request 541904 from Base:System
OBS-URL: https://build.opensuse.org/request/show/541904
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/s390-tools?expand=0&rev=13
2017-11-16 12:59:52 +00:00
Mark Post
1abb2ddd03 Accepting request 541903 from home:markkp:branches:Base:System
- Added "HAVE_DRACUT=1" to the make install command. This will
  include the new dracut support module. (bsc#1068040)

OBS-URL: https://build.opensuse.org/request/show/541903
OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=34
2017-11-14 22:16:21 +00:00
Dominique Leuenberger
6377a678b5 Accepting request 541729 from Base:System
OBS-URL: https://build.opensuse.org/request/show/541729
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/s390-tools?expand=0&rev=12
2017-11-14 11:42:03 +00:00
Mark Post
2730a444e5 Accepting request 541728 from home:markkp:branches:Base:System
- Added s390-tools-sles15-zdev-Use-correct-path-to-vmcp-binary.patch
  zdev: Use correct path to vmcp binary (bsc#1055909)
- Modified the spec file to also install /etc/cpuplugd.conf
  (bsc#1066328)
- Dropped installation of obsolete /etc/sysconfig/mon_statd.
- Removed "-i" option from "fillup_only" macro for osasnmpd to get
  rid of a warning message from RPM.

OBS-URL: https://build.opensuse.org/request/show/541728
OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=32
2017-11-14 03:34:41 +00:00
Mark Post
224f6e131f - Added s390-tools-sles15-zdev-Use-correct-path-to-vmcp-binary.patch
OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=31
2017-11-14 00:59:21 +00:00
Mark Post
abb5f3f721 Accepting request 541709 from home:markkp:branches:Base:System
- Added s390-tools-sles12sp3-zdev-Use-correct-path-to-vmcp-binary.patch
  zdev: Use correct path to vmcp binary (bsc#1055909)

OBS-URL: https://build.opensuse.org/request/show/541709
OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=30
2017-11-14 00:51:10 +00:00
Mark Post
4c67ea0039 Accepting request 540339 from home:markkp:branches:Base:System
- Updated the cputype script to recognize the new IBM z14
  processor (bsc#1049843).
- Re-instated the new versions of ctc_configure, dasd_configure,
  qeth_configure, zfcp_disk_configure, zfcp_host_configure.

OBS-URL: https://build.opensuse.org/request/show/540339
OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=29
2017-11-09 20:49:43 +00:00
Dominique Leuenberger
df1944a1a5 Accepting request 537235 from Base:System
- Modified s390-tools-sles15-Format-devices-in-parallel.patch to
  reset the rc variable before using it again (bsc#1063393).
- Reverted the changes to the *_configure scripts until
  bsc#1064791 is fixed.

OBS-URL: https://build.opensuse.org/request/show/537235
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/s390-tools?expand=0&rev=11
2017-11-03 15:21:40 +00:00
Mark Post
d718dd8e55 Accepting request 537233 from home:markkp:branches:Base:System
- Reverted the changes to the *_configure scripts until
  bsc#1064791 is fixed.
- Replaced the following SUSE-written scripts with wrappers that
  call the IBM-provided chzdev command in s390-tools. (Fate#322268)
  * ctc_configure
  * dasd_configure
  * qeth_configure
  * zfcp_disk_configure
  * zfcp_host_configure

OBS-URL: https://build.opensuse.org/request/show/537233
OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=27
2017-10-27 17:37:30 +00:00
Mark Post
c4a452042f Accepting request 536602 from home:markkp:branches:Base:System
Fixing bsc#1063393 and temporarily reverting changes to *_configure scripts.

OBS-URL: https://build.opensuse.org/request/show/536602
OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=26
2017-10-25 17:52:12 +00:00
Dominique Leuenberger
ef37effb44 Accepting request 536228 from Base:System
1

OBS-URL: https://build.opensuse.org/request/show/536228
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/s390-tools?expand=0&rev=10
2017-10-25 15:44:27 +00:00
Mark Post
9730c21a90 Accepting request 536227 from home:markkp:branches:Base:System
- Replaced the following SUSE-written scripts with wrappers that
  call the IBM-provided chzdev command in s390-tools. (Fate#322268)
  * ctc_configure
  * dasd_configure
  * qeth_configure
  * zfcp_disk_configure
  * zfcp_host_configure

OBS-URL: https://build.opensuse.org/request/show/536227
OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=24
2017-10-24 00:01:47 +00:00
Dominique Leuenberger
19dd1da4b7 Accepting request 535009 from Base:System
1

OBS-URL: https://build.opensuse.org/request/show/535009
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/s390-tools?expand=0&rev=9
2017-10-20 12:39:10 +00:00
Mark Post
b5ca2618dd Accepting request 535008 from home:markkp:branches:Base:System
Implemented parallel formatting patches, other misc. changes

OBS-URL: https://build.opensuse.org/request/show/535008
OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=22
2017-10-18 17:18:18 +00:00
Dominique Leuenberger
24761c730a Accepting request 531962 from Base:System
Upgrade to version 2.1.0 per Fate#323291.

OBS-URL: https://build.opensuse.org/request/show/531962
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/s390-tools?expand=0&rev=8
2017-10-13 12:03:14 +00:00
Mark Post
2cfb6d9dfa Accepting request 531960 from home:markkp:branches:Base:System
Upgrade to version 2.1.0 per Fate#323291.

OBS-URL: https://build.opensuse.org/request/show/531960
OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=20
2017-10-05 23:01:07 +00:00
Mark Post
0975e08340 Accepting request 531958 from home:markkp:branches:Base:System
- Modified mkdump perl script to work with the updated version
  of the IBM tools dasdview, zipl and zgetdump. (bsc#1020336).
- Upgraded to version 2.1.0 (Fate#323291).
  Changes from 2.0.0 to 2.1.0
  * Added the following tools:
    netboot: Scripts for building a PXE-style netboot image for KVM
    90-cpi.rules/cpictl: New udev rule to update CPI when KVM is used
  * Modified lsqeth/zdev to add VNIC Characteristics support
  Bug fixes
  * chzcrypt: Corrected handling of insufficient permissions
  * cpacfstats: Add size setting to perf event
  * fdasd: Skip partition check with the force option
  * ttyrun: Fix deprecated BindTo usage in ttyrun-getty@.service.in
  * lszcrypt: Fix core dump caused by stack overwrite
  * lszcrypt: Fix random domain printout when no config available
  * zdev: Fix segfault with unknown qeth attribute
  * zdev: Fix IPv6 NDP proxy description
  * zdev: Fix zdev dracut module temp file location
  * zkey: Correctly detect abbreviated commands
  * zkey: Validate XTS key: ignore domain and card
  * zkey: Use octal values instead of S_IRWX* constants
  * zkey: Properly set umask to prohibit permissions to group and others
  * zkey: Add -ldl to LDLIBS (not LDFLAGS)
  * znetconf: Re-add missing line in lsznet.raw
  * Fix several gcc 7 warnings
- Modified s390-tools-sles12-fdasd-skip-partition-check-and-BLKRRPART-ioctl.patch
  to apply cleanly to this version.
- Removed the following obsolete patches:
  * s390-tools-sles15-zgetdump-Fix-gcc-7-warning.patch
  * s390-tools-sles15-lscss-Get-rid-of-gcc-7-buffer-truncation-warnings.patch
  * s390-tools-sles15-Get-rid-of-gcc-7-fall-through-warnings.patch
  * s390-tools-sles15-lszcrypt-Fix-core-dump-caused-by-stack-overwrite.patch
  * s390-tools-sles15-dasdinfo-Fix-GCC-7-overflow-warning.patch
- Added the following patches (bsc#1056498)
  - s390-tools-sles15-zgetdump-Fix-gcc-7-warning.patch
  - s390-tools-sles15-lscss-Get-rid-of-gcc-7-buffer-truncation-warnings.patch
  - s390-tools-sles15-Get-rid-of-gcc-7-fall-through-warnings.patch
  - s390-tools-sles15-lszcrypt-Fix-core-dump-caused-by-stack-overwrite.patch
  - s390-tools-sles15-dasdinfo-Fix-GCC-7-overflow-warning.patch
- Upgraded to version 2.0.0 (Fate#323291).
  - Changes from 1.34.0 to 1.35.0
    - cpuplugd: Make default config file location more distribution agnostic
                Add systemd service unit to start/stop the cpuplug daemon
                Add force-reload action to init script for LSB-compliance
    - mon_statd: Add force-reload action to init script for LSB-compliance
    - chiucvallow: corrected verification return code
    - lczdev/chzdev: Add support for resolving iSCSI block devices
    Bug fixes
    - chzdev, lszdev: Fix incorrect zfcp module parameter name
    - chreipl: Fix chreipl node for virtio devices
    - libus2s: Fix busid parsing
    - zipl/boot: Fix failed start subchannel in FBA loader
  - Changes from 1.35.0 to 1.36.0
    - chzdev/lszdev: Add device resolution for vlan and bonding devices
    - dasdfmt: Add quick format support
    - lsdasd/fdasd/dasdfmt/zdsfs: Add query host access to volume support
    - zfcpdbf: Make timestamp the first field in record output
               Exclude Payload hex field from log message record output
               Add Area field to record output
               Add missing header fields to area record output
               Print the Record id field for Area area class records
               Mark oldest and newest trace area records
               Mark oldest and newest def_err pseudo area records
               Mark oldest and newest foreign area records
               Mark oldest and newest log message records
               Add a warning about low resolution timestamps
               Add Trace Area Statistics table to script output
               Add time zone command line option
               Add collection of domain xml files
    Bug fixes
    - zfcpdbf: Move and fix CPU id field output to print_header function
               Include microseconds in warning threshold calculation
               Fix parsing of precise syslog timestamps
               Fix labels for REC ERP action status and ERP step fields
  - Changes from 1.36.0 to 1.36.1
    - zfcpdbf: Support basic HBA record type without warning
               Restore tracing of handle for port and LUN with HBA records
               Print full payload for all SAN traces (req, resp, iels)
               Print payload length everywhere applicable
               Disambiguate printing of payload record content
    Bug fixes
    - fdasd: Prevent buffer overflow
    - znetconf: Fix detection of chpids as OSX instead of OSM
  - Changes from 1.36.1 to 1.37.0
     - Added dump2tar: sysfs collection helper for dbginfo.sh
     - qethconf: Remove check for OSN-device
     - znetconf: Remove OSN-support
     - lsdasd/tunedasd: Add channel path aware erp
     - zcrypt: Add multi domain support for zcrypt device driver
     - scm: Reimplement lsscm in C
     - chp: Reimplement chchp and lschp in C
     - dbginfo.sh: Make use of sysinfo collection helper
    Bug fixes
    - zfcpdbf: Only cap SAN short payload if pl_len exists
    - chzdev: Fix bug when configuring QETH devices
    - libu2s: Prevent buffer overflow
    - ziomon: No blktrace kill which can corrupt kernel blktrace state
  - Changes from 1.37.0 to 1.37.1
    - dbginfo.sh: Add Docker debug data
    Bug fixes
    - lsdasd: Replace continue with return
    - lscss: Allow to specify devices from subchannel set 3
    - mon_fsstatd: Only use physical filesystems
                   Fix double free in error path
    - mon_procd: Fix segmentation fault
  - Changes from 1.37.1 to 1.38.0
    - systemd: Add new units for cpi, dumpconf, mon_fsstatd, and mon_procd
    - fdasd: Add new command action 'l' to list known partition types
    - chmem: Try to online memory to zone movable
             Starting with kernel 4.13 (commit f1dd2cd1), the default zone for
             hotplug memory is changed from zone movable to zone normal. In order
             to preserve the previous default behaviour, chmem will now always try
             to set memory online to the zone movable, before trying to set it
             online to the default zone.
    - zfcpdbf: Print high part of "new" 64 bit SCSI LUN
               Print payload with full FCP_RSP IU in SCSI trace records
    - util_opt: Add command specific command line parsing
    - util_rec: Implement util_rec_iterate() function
    - util_rec: Record field values can be stored and processed in argz format
    Bug fixes
    - zipl/zgetdump: Add missing SCSI multipath dump information to man pages
    - lsqeth: Fix attributes name: ipa -> ipa_takeover and parp -> rxip
              Fix lsqeth output of ipa/vipa/rxip addresses of interfaces
    - zfcpdbf: Fix payload length for zfcp_dbf_hba_bit_err
    - chzdev: Add implicit qeth layer settings handling
    - qethqoat: Fix OSA 6S detection
  - Changes from 1.38.0 to 2.0.0 (also known as 1.39.0)
    - IBM changed the license to MIT.
    - Added zkey: Generate, re-encipher, and validate secure AES keys
    - cpumf: Add hardware counters for z13 and z13s
    - lscss: Reimplement lscss script in C
    - lsqeth: Reimplement lsqeth script in C
    Bug fixes
    - lscpumf: Fix Perl warnings
  - Removed the following obsolete patches:
    s390-tools-sles12sp2-chiucvallow-verify.patch
    s390-tools-sles12sp2-chreipl-virtio.patch
    s390-tools-sles12sp2-chzdev-disable-root-update.patch
    s390-tools-sles12sp2-lscss-allow-to-specify-devices-from-ssid-3.patch
    s390-tools-sles12sp2-zipl-fix-failed-start-subchannel.patch
    s390-tools-sles12sp3-chmem-try-to-online-zone-movable.patch
    s390-tools-sles12sp3-dasdfmt-01-Fix-behaviour-of-t-combined-with-y.patch
    s390-tools-sles12sp3-dasdfmt-02-Fix-trailing-whitespace.patch
    s390-tools-sles12sp3-dasdfmt-03-Apply-coding-convention.patch
    s390-tools-sles12sp3-dasdfmt-04-Use-enhanced-DASD-information.patch
    s390-tools-sles12sp3-dasdfmt-05-Refactor-do_format_dasd.patch
    s390-tools-sles12sp3-dasdfmt-06-Make-the-IOCTL-BLKSSZGET-reusable.patch
    s390-tools-sles12sp3-dasdfmt-07-Add-quick-format-support.patch
    s390-tools-sles12sp3-dasdfmt-08-Make-progress-output-reusable-and-add-ETR.patch
    s390-tools-sles12sp3-dasdfmt-09-Add-command-line-argument-check.patch
    s390-tools-sles12sp3-dasdfmt-10-Add-expand-format-mode.patch
    s390-tools-sles12sp3-dbginfo-01-libutil-Add-utility-functions.patch
    s390-tools-sles12sp3-dbginfo-02-dump2tar-Add-sysfs-collection-helper-for-dbginfo.sh-v2.patch
    s390-tools-sles12sp3-dbginfo-03-dbginfo.sh-Make-use-of-sysinfo-collection-helper.patch
    s390-tools-sles12sp3-dbginfo-Collect-docker-debug-data.patch
    s390-tools-sles12sp3-lsdasd-tunedasd-Add-channel-path-aware-erp.patch
    s390-tools-sles12sp3-mon_fsstatd-fix-double-free-in-error-path-and-skip-virtual-fs.patch
    s390-tools-sles12sp3-util_proc-fix-memory-allocation-error-messages.patch
    s390-tools-sles12sp3-ziomon-no-blktrace-kill-which-can-corrupt-kernel-blk.patch
- Added s390-tools-sles15-add--ldl-to-LDLIBS.patch to fix a problem with zkey/Makefile.

OBS-URL: https://build.opensuse.org/request/show/531958
OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=19
2017-10-05 22:49:30 +00:00
Dominique Leuenberger
32d11d674a Accepting request 522151 from Base:System
Bug fixes for SLE15

OBS-URL: https://build.opensuse.org/request/show/522151
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/s390-tools?expand=0&rev=7
2017-09-12 17:39:36 +00:00
Mark Post
d9456cfc0f - Remove lsmem and chmem and their manpages from the package,
both tools have been added to util-linux-2.30

OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=17
2017-09-07 19:52:06 +00:00
Mark Post
61d7da7911 - Temporarily added BuildIgnore: gcc-PIE to the spec file to
avoid a problem with zipl not working. (bsc#1055343)

OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=16
2017-09-07 19:42:38 +00:00
Mark Post
cfbb64749f - Added s390-tools-sles12sp3-chmem-try-to-online-zone-movable.patch
(bsc#1048363).

OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=15
2017-07-12 18:32:43 +00:00
Dominique Leuenberger
9c3abf4a56 Accepting request 507931 from Base:System
1

OBS-URL: https://build.opensuse.org/request/show/507931
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/s390-tools?expand=0&rev=6
2017-07-11 06:32:59 +00:00
0b033348ca Accepting request 507903 from home:oertel:branches:Base:System
- remove lsmem and chmem and their manpages from the package,
  both tools have been added to util-linux-2.30

OBS-URL: https://build.opensuse.org/request/show/507903
OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=13
2017-07-03 20:29:54 +00:00
Dominique Leuenberger
c6adf975fa Accepting request 500277 from Base:System
Fix for bsc#1038255 and general improvements to the zpxe.rexx script.

OBS-URL: https://build.opensuse.org/request/show/500277
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/s390-tools?expand=0&rev=5
2017-06-03 23:48:21 +00:00
Mark Post
d36b87680e OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=11 2017-05-31 22:25:25 +00:00
Mark Post
ddabd5b0e5 - Made a number of modification to zpxe.rexx to
- Made several hard-coded values variables.
  - Make it more obvious which default values can be modified
  - Increased the default size of the FFFF VDISK.
  - Don't execute the wait if "debug" was specified as a parm.
  - Change nodebug variable name to debug for clarity, updated
    logic as needed.

OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=10
2017-05-31 22:21:08 +00:00
Dominique Leuenberger
50eb3ac5cd Accepting request 495132 from Base:System
1

OBS-URL: https://build.opensuse.org/request/show/495132
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/s390-tools?expand=0&rev=4
2017-05-20 12:29:34 +00:00
Mark Post
a416fd0dcd Accepting request 495131 from openSUSE:Factory:zSystems
Bug fix from Beta testing.

OBS-URL: https://build.opensuse.org/request/show/495131
OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=8
2017-05-16 01:32:01 +00:00
Dominique Leuenberger
149f2f9832 Accepting request 489189 from Base:System
Due to the change to qclib packaging, change BuildRequires from qclib-devel to qclib-devel-static.

OBS-URL: https://build.opensuse.org/request/show/489189
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/s390-tools?expand=0&rev=3
2017-05-03 13:51:35 +00:00
Mark Post
9130ff8ac6 - Due to the change to qclib packaging, change BuildRequires
from qclib-devel to qclib-devel-static.

OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=6
2017-04-18 22:26:07 +00:00
Mark Post
fece9b1b1b Accepting request 489187 from openSUSE:Factory:zSystems
Due to the change to qclib packaging, change BuildRequires from qclib-devel to qclib-devel-static.

OBS-URL: https://build.opensuse.org/request/show/489187
OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=5
2017-04-18 22:20:08 +00:00
Yuchen Lin
603b55f0c2 Accepting request 478024 from Base:System
Automatic submission by obs-autosubmit

OBS-URL: https://build.opensuse.org/request/show/478024
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/s390-tools?expand=0&rev=2
2017-03-29 11:19:59 +00:00
Dominique Leuenberger
e6c7f5a26e Accepting request 459568 from Base:System
Initial package creation.

OBS-URL: https://build.opensuse.org/request/show/459568
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/s390-tools?expand=0&rev=1
2017-03-02 18:28:31 +00:00
Mark Post
f7a512ba31 Accepting request 459916 from openSUSE:Factory:zSystems
New fixes from IBM

OBS-URL: https://build.opensuse.org/request/show/459916
OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=2
2017-02-22 23:40:55 +00:00
9b729e2acc Accepting request 459343 from openSUSE:Factory:zSystems
New package per "Factory first" policy. Please list me as bug owner and maintainer, if possible.

OBS-URL: https://build.opensuse.org/request/show/459343
OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=1
2017-02-21 11:14:26 +00:00
41 changed files with 6628 additions and 1115 deletions

View File

@ -44,6 +44,14 @@ debug_mesg () {
esac esac
} }
add_cio_channel() {
echo "$* # ${DATE}" >> /boot/zipl/active_devices.txt
}
remove_cio_channel() {
[ -w /boot/zipl/active_devices.txt ] && sed -i -e "/^${1}/d" /boot/zipl/active_devices.txt
}
usage(){ usage(){
echo "Usage: ${0} <read channel> <write channel> <online> [<protocol>]" echo "Usage: ${0} <read channel> <write channel> <online> [<protocol>]"
echo " read/write channel = x.y.ssss where" echo " read/write channel = x.y.ssss where"
@ -112,3 +120,9 @@ RC=${?}
if [ ${RC} -ne 0 ]; then if [ ${RC} -ne 0 ]; then
exit ${RC} exit ${RC}
fi fi
if [ ${ON_OFF} == 1 ]; then
add_cio_channel "${CTC_READ_CHAN},${CTC_WRITE_CHAN}"
else remove_cio_channel "${CTC_READ_CHAN}"
remove_cio_channel "${CTC_WRITE_CHAN}"
fi

View File

@ -43,6 +43,14 @@ debug_mesg () {
esac esac
} }
add_cio_channel() {
echo "$* # ${DATE}" >> /boot/zipl/active_devices.txt
}
remove_cio_channel() {
[ -w /boot/zipl/active_devices.txt ] && sed -i -e "/^${1}/d" /boot/zipl/active_devices.txt
}
usage(){ usage(){
echo "Usage: ${0} [-f -t <dasd_type> ] <ccwid> <online> [use_diag]" echo "Usage: ${0} [-f -t <dasd_type> ] <ccwid> <online> [use_diag]"
echo echo
@ -157,4 +165,9 @@ elif [ ${ON_OFF} == 1 ]; then
fi fi
fi fi
if [ ${ON_OFF} == 1 ]; then
add_cio_channel "${CCW_CHAN_ID}"
else remove_cio_channel "${CCW_CHAN_ID}"
fi
exit ${exitcode} exit ${exitcode}

View File

@ -43,6 +43,14 @@ debug_mesg () {
esac esac
} }
add_cio_channel() {
echo "$* # ${DATE}" >> /boot/zipl/active_devices.txt
}
remove_cio_channel() {
[ -w /boot/zipl/active_devices.txt ] && sed -i -e "/^${1}/d" /boot/zipl/active_devices.txt
}
usage(){ usage(){
echo "Usage: ${0} [-f -t <dasd_type> ] <ccwid> <online> [use_diag]" echo "Usage: ${0} [-f -t <dasd_type> ] <ccwid> <online> [use_diag]"
echo echo
@ -157,4 +165,9 @@ elif [ ${ON_OFF} == 1 ]; then
fi fi
fi fi
if [ ${ON_OFF} == 1 ]; then
add_cio_channel "${CCW_CHAN_ID}"
else remove_cio_channel "${CCW_CHAN_ID}"
fi
exit ${exitcode} exit ${exitcode}

View File

@ -1,7 +1,10 @@
# #
# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. # Copyright (c) 2018-2024 SUSE LINUX GmbH, Nuernberg, Germany.
# All rights reserved. # All rights reserved.
# #
# load pkey module at boot time # load pkey module at boot time
pkey pkey
pkey_cca
pkey_ep11
pkey_pckmo

View File

@ -48,6 +48,14 @@ debug_mesg () {
esac esac
} }
add_cio_channel() {
echo "$* # ${DATE}" >> /boot/zipl/active_devices.txt
}
remove_cio_channel() {
[ -w /boot/zipl/active_devices.txt ] && sed -i -e "/^${1}/d" /boot/zipl/active_devices.txt
}
usage(){ usage(){
echo "Usage: ${0} [options] <read chan> <write chan> <data chan> <online>" echo "Usage: ${0} [options] <read chan> <write chan> <data chan> <online>"
echo " -i Configure IP takeover" echo " -i Configure IP takeover"
@ -157,3 +165,10 @@ RC=${?}
if [ ${RC} -ne 0 ]; then if [ ${RC} -ne 0 ]; then
exit ${RC} exit ${RC}
fi fi
if [ ${ON_OFF} == 1 ]; then
add_cio_channel "${QETH_READ_CHAN},${QETH_WRITE_CHAN},${QETH_DATA_CHAN}"
else remove_cio_channel "${QETH_READ_CHAN}"
remove_cio_channel "${QETH_WRITE_CHAN}"
remove_cio_channel "${QETH_DATA_CHAN}"
fi

View File

@ -0,0 +1,67 @@
From 2d26a63806d2847f549c06276070a636a61bcb80 Mon Sep 17 00:00:00 2001
From: Eduard Shishkin <edward6@linux.ibm.com>
Date: Wed, 4 Dec 2024 13:37:46 +0100
Subject: [PATCH s390-tools] zipl_helper.device-mapper: add missed step in
logical device resolution
This fixes 670bf3e
Preparing a loop device for IPL by zipl tool, using its partition as
zipl target, leads to inconsistent installation setup. The problem is in
a missed step in the procedure of logical device resolution performed
by the script zipl_helper.device-mapper:
\# lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
loop0 7:0 0 5G 0 loop
|-loop0p1 253:15 0 128M 0 part
`-loop0p2 253:16 0 4.9G 0 part /mnt
\# ./zipl_helper.device-mapper 253:16
Expected result:
targetbase=7:0
targettype=SCSI
targetblocksize=4096
targetoffset=32784
Actual result:
targetbase=253:16
targettype=SCSI
targetblocksize=4096
targetoffset=32784
The fixup adds a missed resolution step.
Reference-ID: LTC210771
Signed-off-by: Eduard Shishkin <edward6@linux.ibm.com>
---
zipl/src/zipl_helper.device-mapper.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/zipl/src/zipl_helper.device-mapper.c b/zipl/src/zipl_helper.device-mapper.c
index aca52be1..918c5aba 100644
--- a/zipl/src/zipl_helper.device-mapper.c
+++ b/zipl/src/zipl_helper.device-mapper.c
@@ -1306,13 +1306,13 @@ static int complete_physical_device(struct physical_device *pd, dev_t *base_dev)
*base_dev = base_entry->dev.dev;
} else {
/*
- * In this case base device is the uppermost logical
+ * In this case base device is the uppermost
* device which provides access to boot sectors
*/
base_entry = find_base_entry(pd->dmpath, dc->bootsectors);
if (!base_entry)
return -1;
- *base_dev = base_entry->dev.dev;
+ *base_dev = first_device_by_target_data(base_entry->target);
}
/* Check for valid offset of filesystem */
if ((pd->offset % (dc->blocksize / SECTOR_SIZE)) != 0) {
--
2.39.0

View File

@ -0,0 +1,63 @@
From 592a016a1095fa9813f0bae8256433ba5af4ab9b Mon Sep 17 00:00:00 2001
From: Eduard Shishkin <edward6@linux.ibm.com>
Date: Sat, 7 Dec 2024 12:48:12 +0100
Subject: [PATCH s390-tools 2/2] zipl/src: fix imprecise check that file is on
specified device
This fixes c0f02d2
The check that file is on specified disk is imprecise: In case when
target parameters are specified by user, the check compares a logical
device with a base disk, which is incorrect.
The fixup makes the check compare base disks (a specified one with
the base disk determined by disk_get_info() procedure).
Signed-off-by: Eduard Shishkin <edward6@linux.ibm.com>
---
zipl/src/bootmap.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/zipl/src/bootmap.c b/zipl/src/bootmap.c
index 7d340156..880b93ce 100644
--- a/zipl/src/bootmap.c
+++ b/zipl/src/bootmap.c
@@ -299,14 +299,15 @@ create_component_header(void* buffer, component_header_type type)
}
/*
- * Not precise check that the file FILENAME locates on specified physical DISK.
+ * Not precise check that the file FILENAME locates on the physical
+ * disk specified by WHERE.
*
* Try to auto-detect parameters of the disk which the file locates on
* and compare found device-ID with DISK.
* Return 0, if auto-detection succeeded, and it is proven that the
* file does NOT locate on DISK. Otherwise, return 1.
*/
-static int file_is_on_disk(const char *filename, dev_t disk)
+static int file_is_on_disk(const char *filename, struct disk_info *where)
{
/*
* Retrieve info of the underlying disk without any user hints
@@ -331,7 +332,7 @@ static int file_is_on_disk(const char *filename, dev_t disk)
"Warning: Preparing a logical device for boot might fail\n");
return 1;
}
- if (info->device != disk) {
+ if (info->basedisks[0] != where->basedisks[0]) {
disk_free_info(info);
return 0;
}
@@ -378,7 +379,7 @@ static int add_component_file_range(struct install_set *bis,
return -1;
}
} else {
- if (!file_is_on_disk(filename, bis->info->device)) {
+ if (!file_is_on_disk(filename, bis->info)) {
error_reason("File is not on target device");
return -1;
}
--
2.39.0

BIN
s390-tools-2.31.0.tar.gz (Stored with Git LFS)

Binary file not shown.

View File

@ -1,51 +0,0 @@
From 6a55d0c2e57952600164822dd100e8247b4b010f Mon Sep 17 00:00:00 2001
From: Steffen Eiden <seiden@linux.ibm.com>
Date: Fri, 23 Aug 2024 09:16:26 +0200
Subject: [PATCH] rust/pv: Lower most lints to warn
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Lower the lint level to warn for the styling lints.
This avoids compile issues during packaging for newer tooling with
potential more lint findings.
Still deny compiling if a public symbol has no documentation.
Fixes: https://github.com/ibm-s390-linux/s390-tools/issues/173
Reviewed-by: Jan Höppner <hoeppner@linux.ibm.com>
Signed-off-by: Steffen Eiden <seiden@linux.ibm.com>
---
rust/pv/src/lib.rs | 4 ++--
rust/pv_core/src/lib.rs | 4 ++--
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/rust/pv/src/lib.rs b/rust/pv/src/lib.rs
index 9a647617..1084f8e8 100644
--- a/rust/pv/src/lib.rs
+++ b/rust/pv/src/lib.rs
@@ -2,8 +2,8 @@
//
// Copyright IBM Corp. 2023, 2024
-#![deny(
- missing_docs,
+#![deny(missing_docs)]
+#![warn(
missing_debug_implementations,
trivial_numeric_casts,
unstable_features,
diff --git a/rust/pv_core/src/lib.rs b/rust/pv_core/src/lib.rs
index 1356c1b7..b617b8f9 100644
--- a/rust/pv_core/src/lib.rs
+++ b/rust/pv_core/src/lib.rs
@@ -1,8 +1,8 @@
// SPDX-License-Identifier: MIT
//
// Copyright IBM Corp. 2023, 2024
-#![deny(
- missing_docs,
+#![deny(missing_docs)]
+#![warn(
missing_debug_implementations,
trivial_numeric_casts,
unstable_features,

View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:ea4758c4e460d7f7e040e6aedf68b1be32d63fecb733358b08182f6b9b7440a2
size 2114507

BIN
s390-tools-2.36.0.tar.gz (Stored with Git LFS) Normal file

Binary file not shown.

View File

@ -0,0 +1,64 @@
From dff965465ca9d9c4edaf0f90eadd9a6de335b354 Mon Sep 17 00:00:00 2001
From: Niklas Schnelle <schnelle@linux.ibm.com>
Date: Fri, 6 Dec 2024 15:28:08 +0100
Subject: [PATCH] opticsmon: Fix runaway loop in on_link_change()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
When on_link_change() gets called with a netdev that would be monitored
but hasn't entered zpci_list yet, reloads is 1 after the loops and
a reload occurs. Then the netdev is found in the list and reloads
becomes -1 which incorrectly triggers more reloads until underflow.
Fix this by returning once the device is found. Also just check for
reloads being larger than zero.
Fixes: c34adb9cabee ("opticsmon: Introduce opticsmon tool")
Reviewed-by: Halil Pasic <pasic@linux.ibm.com>
Signed-off-by: Niklas Schnelle <schnelle@linux.ibm.com>
Signed-off-by: Jan Höppner <hoeppner@linux.ibm.com>
---
opticsmon/opticsmon.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/opticsmon/opticsmon.c b/opticsmon/opticsmon.c
index c2f355e2..50dd8d7f 100644
--- a/opticsmon/opticsmon.c
+++ b/opticsmon/opticsmon.c
@@ -280,16 +280,15 @@ void on_link_change(struct zpci_netdev *netdev, void *arg)
if (!ctx->zpci_list || util_list_is_empty(ctx->zpci_list))
zpci_list_reload(&ctx->zpci_list);
-reload:
+find:
util_list_iterate(ctx->zpci_list, zdev) {
for (i = 0; i < zdev->num_netdevs; i++) {
if (!strcmp(zdev->netdevs[i].name, netdev->name)) {
- reloads--;
/* Skip data collection if operational state is
* unchanged
*/
if (zdev->netdevs[i].operstate == netdev->operstate)
- continue;
+ return;
/* Update operation state for VFs even though
* they are skipped just for a consistent view
*/
@@ -297,14 +296,15 @@ void on_link_change(struct zpci_netdev *netdev, void *arg)
/* Only collect optics data for PFs */
if (!zpci_is_vf(zdev))
dump_adapter_data(ctx, zdev);
+ return;
}
}
}
/* Might be a new device, reload list of devices and retry */
- if (reloads) {
+ if (reloads > 0) {
zpci_list_reload(&ctx->zpci_list);
reloads--;
- goto reload;
+ goto find;
}
}

View File

@ -0,0 +1,129 @@
From cf5560a100b5552e2eeeaac9c60a88ae77233530 Mon Sep 17 00:00:00 2001
From: Niklas Schnelle <schnelle@linux.ibm.com>
Date: Mon, 9 Dec 2024 15:08:03 +0100
Subject: [PATCH] libzpci: opticsmon: Refactor on_link_change() using new
zpci_find_by_netdev()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Finding a PCI device given the name of a netdev seems generally useful
so pull this out into a new zpci_find_by_netdev() function in libzpci
and use this to simplify on_link_change() removing the need for
backwards goto.
Reviewed-by: Halil Pasic <pasic@linux.ibm.com>
Reviewed-by: Jan Höppner <hoeppner@linux.ibm.com>
Signed-off-by: Niklas Schnelle <schnelle@linux.ibm.com>
Signed-off-by: Jan Höppner <hoeppner@linux.ibm.com>
---
include/lib/pci_list.h | 3 +++
libzpci/pci_list.c | 31 +++++++++++++++++++++++++++++++
opticsmon/opticsmon.c | 27 +++++++++++----------------
3 files changed, 45 insertions(+), 16 deletions(-)
diff --git a/include/lib/pci_list.h b/include/lib/pci_list.h
index 829ec244..5b2918bc 100644
--- a/include/lib/pci_list.h
+++ b/include/lib/pci_list.h
@@ -93,4 +93,7 @@ const char *zpci_pft_str(struct zpci_dev *zdev);
const char *zpci_operstate_str(operstate_t state);
operstate_t zpci_operstate_from_str(const char *oper_str);
+struct zpci_dev *zpci_find_by_netdev(struct util_list *zpci_list, char *netdev_name,
+ struct zpci_netdev **netdev);
+
#endif /* LIB_ZPCI_PCI_LIST_H */
diff --git a/libzpci/pci_list.c b/libzpci/pci_list.c
index 10f64e89..e0d56e44 100644
--- a/libzpci/pci_list.c
+++ b/libzpci/pci_list.c
@@ -356,3 +356,34 @@ void zpci_free_dev_list(struct util_list *zpci_list)
}
util_list_free(zpci_list);
}
+
+/**
+ * Find a PCI device given the name of a netdev
+ *
+ * This function allows finding a PCI device when only the name of one
+ * of its netdevs is known.
+ *
+ * @param[in] zpci_list The device list to search
+ * @param[in] netdev_name The name of the netdev
+ * @param[out] netdev Pointer to store the netdev or NULL if
+ * only the PCI device is needed
+ *
+ * @return The PCI device if one is found NULL otherwise
+ */
+struct zpci_dev *zpci_find_by_netdev(struct util_list *zpci_list, char *netdev_name,
+ struct zpci_netdev **netdev)
+{
+ struct zpci_dev *zdev = NULL;
+ int i;
+
+ util_list_iterate(zpci_list, zdev) {
+ for (i = 0; i < zdev->num_netdevs; i++) {
+ if (!strcmp(zdev->netdevs[i].name, netdev_name)) {
+ if (netdev)
+ *netdev = &zdev->netdevs[i];
+ return zdev;
+ }
+ }
+ }
+ return NULL;
+}
diff --git a/opticsmon/opticsmon.c b/opticsmon/opticsmon.c
index 50dd8d7f..7ecaa125 100644
--- a/opticsmon/opticsmon.c
+++ b/opticsmon/opticsmon.c
@@ -274,38 +274,33 @@ static int oneshot_mode(struct opticsmon_ctx *ctx)
void on_link_change(struct zpci_netdev *netdev, void *arg)
{
struct opticsmon_ctx *ctx = arg;
- struct zpci_dev *zdev;
- int i, reloads = 1;
-
- if (!ctx->zpci_list || util_list_is_empty(ctx->zpci_list))
- zpci_list_reload(&ctx->zpci_list);
+ struct zpci_netdev *found_netdev;
+ struct zpci_dev *zdev = NULL;
+ int reloads = 1;
-find:
- util_list_iterate(ctx->zpci_list, zdev) {
- for (i = 0; i < zdev->num_netdevs; i++) {
- if (!strcmp(zdev->netdevs[i].name, netdev->name)) {
+ do {
+ if (ctx->zpci_list) {
+ zdev = zpci_find_by_netdev(ctx->zpci_list, netdev->name, &found_netdev);
+ if (zdev) {
/* Skip data collection if operational state is
* unchanged
*/
- if (zdev->netdevs[i].operstate == netdev->operstate)
+ if (found_netdev->operstate == netdev->operstate)
return;
/* Update operation state for VFs even though
* they are skipped just for a consistent view
*/
- zdev->netdevs[i].operstate = netdev->operstate;
+ found_netdev->operstate = netdev->operstate;
/* Only collect optics data for PFs */
if (!zpci_is_vf(zdev))
dump_adapter_data(ctx, zdev);
return;
}
}
- }
- /* Might be a new device, reload list of devices and retry */
- if (reloads > 0) {
+ /* Could be uninitalized list or a new device, retry after reload */
zpci_list_reload(&ctx->zpci_list);
reloads--;
- goto find;
- }
+ } while (reloads > 0);
}
#define MAX_EVENTS 8

View File

@ -0,0 +1,147 @@
From 1e44ace41de3cbd744b22a8f9835473b091186e0 Mon Sep 17 00:00:00 2001
From: Steffen Eiden <seiden@linux.ibm.com>
Date: Thu, 18 Jul 2024 10:55:45 +0200
Subject: [PATCH] rust/pvsecret: Refactor writing secret
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Refactor the writing of secret-type dependent output files to ease
extensions.
Reviewed-by: Marc Hartmayer <marc@linux.ibm.com>
Reviewed-by: Christoph Schlameuss <schlameuss@linux.ibm.com>
Signed-off-by: Steffen Eiden <seiden@linux.ibm.com>
Signed-off-by: Jan Höppner <hoeppner@linux.ibm.com>
---
rust/pv/src/uvsecret/guest_secret.rs | 2 +-
rust/pvsecret/src/cmd/create.rs | 89 +++++++++++++++-------------
2 files changed, 48 insertions(+), 43 deletions(-)
diff --git a/rust/pv/src/uvsecret/guest_secret.rs b/rust/pv/src/uvsecret/guest_secret.rs
index 509691fa..4f1db31c 100644
--- a/rust/pv/src/uvsecret/guest_secret.rs
+++ b/rust/pv/src/uvsecret/guest_secret.rs
@@ -68,7 +68,7 @@ impl GuestSecret {
}
/// Reference to the confidential data
- pub(crate) fn confidential(&self) -> &[u8] {
+ pub fn confidential(&self) -> &[u8] {
match &self {
Self::Null => &[],
Self::Association { secret, .. } => secret.value().as_slice(),
diff --git a/rust/pvsecret/src/cmd/create.rs b/rust/pvsecret/src/cmd/create.rs
index 808b29e1..9251c38c 100644
--- a/rust/pvsecret/src/cmd/create.rs
+++ b/rust/pvsecret/src/cmd/create.rs
@@ -62,7 +62,7 @@ pub fn create(opt: &CreateSecretOpt) -> Result<()> {
write_out(&opt.output, ser_asrbc, "add-secret request")?;
info!("Successfully wrote the request to '{}'", &opt.output);
- write_secret(&opt.secret, &asrcb, &opt.output)
+ write_secret(&opt.secret, asrcb.guest_secret(), &opt.output)
}
/// Read+parse the first key from the buffer.
@@ -206,54 +206,59 @@ fn read_cuid(asrcb: &mut AddSecretRequest, opt: &CreateSecretOpt) -> Result<()>
Ok(())
}
+// Write non confidential data (=name+id) to a yaml stdout
+fn write_yaml<P: AsRef<Path>>(
+ name: &str,
+ guest_secret: &GuestSecret,
+ stdout: &bool,
+ outp_path: P,
+) -> Result<()> {
+ debug!("Non-confidential secret information: {guest_secret:x?}");
+
+ let secret_info = serde_yaml::to_string(guest_secret)?;
+ if stdout.to_owned() {
+ println!("{secret_info}");
+ return Ok(());
+ }
+
+ let gen_name: String = name
+ .chars()
+ .map(|c| if c.is_whitespace() { '_' } else { c })
+ .collect();
+ let mut yaml_path = outp_path
+ .as_ref()
+ .parent()
+ .with_context(|| format!("Cannot open directory of {:?}", outp_path.as_ref()))?
+ .to_owned();
+ yaml_path.push(gen_name);
+ yaml_path.set_extension("yaml");
+ write_out(&yaml_path, secret_info, "secret information")?;
+ warn!(
+ "Successfully wrote secret info to '{}'",
+ yaml_path.display().to_string()
+ );
+ Ok(())
+}
+
/// Write the generated secret (if any) to the specified output stream
fn write_secret<P: AsRef<Path>>(
secret: &AddSecretType,
- asrcb: &AddSecretRequest,
+ guest_secret: &GuestSecret,
outp_path: P,
) -> Result<()> {
- if let AddSecretType::Association {
- name,
- stdout,
- output_secret: secret_out,
- ..
- } = secret
- {
- let gen_name: String = name
- .chars()
- .map(|c| if c.is_whitespace() { '_' } else { c })
- .collect();
- let mut gen_path = outp_path
- .as_ref()
- .parent()
- .with_context(|| format!("Cannot open directory of {:?}", outp_path.as_ref()))?
- .to_owned();
- gen_path.push(format!("{gen_name}.yaml"));
-
- // write non confidential data (=name+id) to a yaml
- let secret_info = serde_yaml::to_string(asrcb.guest_secret())?;
- if stdout.to_owned() {
- println!("{secret_info}");
- } else {
- write_out(&gen_path, secret_info, "association secret info")?;
- debug!(
- "Non-confidential secret information: {:x?}",
- asrcb.guest_secret()
- );
- warn!(
- "Successfully wrote association info to '{}'",
- gen_path.display()
- );
- }
-
- if let Some(path) = secret_out {
- if let GuestSecret::Association { secret, .. } = asrcb.guest_secret() {
- write_out(path, secret.value(), "Association secret")?
- } else {
- unreachable!("The secret type has to be `association` at this point (bug)!")
+ match secret {
+ AddSecretType::Association {
+ name,
+ stdout,
+ output_secret,
+ ..
+ } => {
+ write_yaml(name, guest_secret, stdout, outp_path)?;
+ if let Some(path) = output_secret {
+ write_out(path, guest_secret.confidential(), "Association secret")?
}
- info!("Successfully wrote generated association secret to '{path}'");
}
+ _ => (),
};
Ok(())
}

View File

@ -0,0 +1,467 @@
From d1636168b26cc842bc0766235c8a4f2da9663f20 Mon Sep 17 00:00:00 2001
From: Steffen Eiden <seiden@linux.ibm.com>
Date: Tue, 5 Mar 2024 10:46:29 +0100
Subject: [PATCH] rust/pv: Support for writing data in PEM format
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Use existing OpenSSL functionalities to create PEM files containing
arbitrary data.
Acked-by: Marc Hartmayer <marc@linux.ibm.com>
Acked-by: Christoph Schlameuss <schlameuss@linux.ibm.com>
Signed-off-by: Steffen Eiden <seiden@linux.ibm.com>
Signed-off-by: Jan Höppner <hoeppner@linux.ibm.com>
---
rust/pv/src/error.rs | 3 +
rust/pv/src/lib.rs | 6 +
rust/pv/src/openssl_extensions/bio.rs | 85 +++++++
rust/pv/src/openssl_extensions/mod.rs | 2 +
.../src/openssl_extensions/stackable_crl.rs | 41 +---
rust/pv/src/pem_utils.rs | 222 ++++++++++++++++++
6 files changed, 321 insertions(+), 38 deletions(-)
create mode 100644 rust/pv/src/openssl_extensions/bio.rs
create mode 100644 rust/pv/src/pem_utils.rs
diff --git a/rust/pv/src/error.rs b/rust/pv/src/error.rs
index af85e93e..3ba808f2 100644
--- a/rust/pv/src/error.rs
+++ b/rust/pv/src/error.rs
@@ -106,6 +106,9 @@ pub enum Error {
)]
AddDataMissing(&'static str),
+ #[error("An ASCII string was expected, but non-ASCII characters were received.")]
+ NonAscii,
+
// errors from other crates
#[error(transparent)]
PvCore(#[from] pv_core::Error),
diff --git a/rust/pv/src/lib.rs b/rust/pv/src/lib.rs
index 7a33210c..ec31b9a4 100644
--- a/rust/pv/src/lib.rs
+++ b/rust/pv/src/lib.rs
@@ -37,6 +37,7 @@ mod brcb;
mod crypto;
mod error;
mod openssl_extensions;
+mod pem_utils;
mod req;
mod utils;
mod uvattest;
@@ -71,6 +72,11 @@ pub mod attest {
};
}
+/// Definitions and functions to write objects in PEM format
+pub mod pem {
+ pub use crate::pem_utils::Pem;
+}
+
/// Miscellaneous functions and definitions
pub mod misc {
pub use pv_core::misc::*;
diff --git a/rust/pv/src/openssl_extensions/bio.rs b/rust/pv/src/openssl_extensions/bio.rs
new file mode 100644
index 00000000..73528eed
--- /dev/null
+++ b/rust/pv/src/openssl_extensions/bio.rs
@@ -0,0 +1,85 @@
+// SPDX-License-Identifier: MIT
+//
+// Copyright IBM Corp. 2024
+
+use core::slice;
+use openssl::error::ErrorStack;
+use openssl_sys::BIO_new_mem_buf;
+use std::ffi::c_int;
+use std::{marker::PhantomData, ptr};
+
+pub struct BioMem(*mut openssl_sys::BIO);
+
+impl Drop for BioMem {
+ fn drop(&mut self) {
+ // SAFETY: Pointer is valid. The pointer value is dropped after the free.
+ unsafe {
+ openssl_sys::BIO_free_all(self.0);
+ }
+ }
+}
+
+impl BioMem {
+ pub fn new() -> Result<Self, ErrorStack> {
+ openssl_sys::init();
+
+ // SAFETY: Returns a valid pointer or null. null-case is tested right after this.
+ let bio = unsafe { openssl_sys::BIO_new(openssl_sys::BIO_s_mem()) };
+ match bio.is_null() {
+ true => Err(ErrorStack::get()),
+ false => Ok(Self(bio)),
+ }
+ }
+
+ pub fn as_ptr(&self) -> *mut openssl_sys::BIO {
+ self.0
+ }
+
+ /// Copies the content of this slice into a Vec
+ pub fn to_vec(&self) -> Vec<u8> {
+ let buf;
+ // SAFTEY: BIO provides a continuous memory that can be used to build a slice.
+ unsafe {
+ let mut ptr = ptr::null_mut();
+ let len = openssl_sys::BIO_get_mem_data(self.0, &mut ptr);
+ buf = slice::from_raw_parts(ptr as *const _ as *const _, len as usize)
+ }
+ buf.to_vec()
+ }
+}
+
+pub struct BioMemSlice<'a>(*mut openssl_sys::BIO, PhantomData<&'a [u8]>);
+impl Drop for BioMemSlice<'_> {
+ fn drop(&mut self) {
+ // SAFETY: Pointer is valid. The pointer value is dropped after the free.
+ unsafe {
+ openssl_sys::BIO_free_all(self.0);
+ }
+ }
+}
+
+impl<'a> BioMemSlice<'a> {
+ pub fn new(buf: &'a [u8]) -> Result<BioMemSlice<'a>, ErrorStack> {
+ openssl_sys::init();
+
+ // SAFETY: `buf` is a slice (i.e. pointer+size) pointing to a valid memory region.
+ // So the resulting bio is valid. Lifetime of the slice is connected by this Rust
+ // structure.
+ assert!(buf.len() <= c_int::MAX as usize);
+ let bio = unsafe {
+ {
+ let r = BIO_new_mem_buf(buf.as_ptr() as *const _, buf.len() as c_int);
+ match r.is_null() {
+ true => Err(ErrorStack::get()),
+ false => Ok(r),
+ }
+ }?
+ };
+
+ Ok(BioMemSlice(bio, PhantomData))
+ }
+
+ pub fn as_ptr(&self) -> *mut openssl_sys::BIO {
+ self.0
+ }
+}
diff --git a/rust/pv/src/openssl_extensions/mod.rs b/rust/pv/src/openssl_extensions/mod.rs
index fab26638..f6234e5d 100644
--- a/rust/pv/src/openssl_extensions/mod.rs
+++ b/rust/pv/src/openssl_extensions/mod.rs
@@ -6,8 +6,10 @@
/// Extensions to the rust-openssl crate
mod akid;
+mod bio;
mod crl;
mod stackable_crl;
pub use akid::*;
+pub use bio::*;
pub use crl::*;
diff --git a/rust/pv/src/openssl_extensions/stackable_crl.rs b/rust/pv/src/openssl_extensions/stackable_crl.rs
index aef7cf86..12a9f9de 100644
--- a/rust/pv/src/openssl_extensions/stackable_crl.rs
+++ b/rust/pv/src/openssl_extensions/stackable_crl.rs
@@ -2,16 +2,14 @@
//
// Copyright IBM Corp. 2023
-use std::{marker::PhantomData, ptr};
-
+use crate::openssl_extensions::bio::BioMemSlice;
use foreign_types::{ForeignType, ForeignTypeRef};
use openssl::{
error::ErrorStack,
stack::Stackable,
x509::{X509Crl, X509CrlRef},
};
-use openssl_sys::BIO_new_mem_buf;
-use std::ffi::c_int;
+use std::ptr;
#[derive(Debug)]
pub struct StackableX509Crl(*mut openssl_sys::X509_CRL);
@@ -62,44 +60,11 @@ impl Stackable for StackableX509Crl {
type StackType = openssl_sys::stack_st_X509_CRL;
}
-pub struct MemBioSlice<'a>(*mut openssl_sys::BIO, PhantomData<&'a [u8]>);
-impl Drop for MemBioSlice<'_> {
- fn drop(&mut self) {
- unsafe {
- openssl_sys::BIO_free_all(self.0);
- }
- }
-}
-
-impl<'a> MemBioSlice<'a> {
- pub fn new(buf: &'a [u8]) -> Result<MemBioSlice<'a>, ErrorStack> {
- openssl_sys::init();
-
- assert!(buf.len() <= c_int::MAX as usize);
- let bio = unsafe {
- {
- let r = BIO_new_mem_buf(buf.as_ptr() as *const _, buf.len() as c_int);
- if r.is_null() {
- Err(ErrorStack::get())
- } else {
- Ok(r)
- }
- }?
- };
-
- Ok(MemBioSlice(bio, PhantomData))
- }
-
- pub fn as_ptr(&self) -> *mut openssl_sys::BIO {
- self.0
- }
-}
-
impl StackableX509Crl {
pub fn stack_from_pem(pem: &[u8]) -> Result<Vec<X509Crl>, ErrorStack> {
unsafe {
openssl_sys::init();
- let bio = MemBioSlice::new(pem)?;
+ let bio = BioMemSlice::new(pem)?;
let mut crls = vec![];
loop {
diff --git a/rust/pv/src/pem_utils.rs b/rust/pv/src/pem_utils.rs
new file mode 100644
index 00000000..e6462519
--- /dev/null
+++ b/rust/pv/src/pem_utils.rs
@@ -0,0 +1,222 @@
+// SPDX-License-Identifier: MIT
+//
+// Copyright IBM Corp. 2024
+
+use crate::Result;
+use crate::{openssl_extensions::BioMem, Error};
+use openssl::error::ErrorStack;
+use pv_core::request::Confidential;
+use std::{
+ ffi::{c_char, CString},
+ fmt::Display,
+};
+
+mod ffi {
+ use openssl_sys::BIO;
+ use std::ffi::{c_char, c_int, c_long, c_uchar};
+ extern "C" {
+ pub fn PEM_write_bio(
+ bio: *mut BIO,
+ name: *const c_char,
+ header: *const c_char,
+ data: *const c_uchar,
+ len: c_long,
+ ) -> c_int;
+ }
+}
+
+/// Thin wrapper around [`CString`] only containing ASCII chars.
+#[derive(Debug)]
+struct AsciiCString(CString);
+
+impl AsciiCString {
+ /// Convert from string
+ ///
+ /// # Returns
+ /// Error if string is not ASCII or contains null chars
+ pub(crate) fn from_str(s: &str) -> Result<Self> {
+ match s.is_ascii() {
+ true => Ok(Self(CString::new(s).map_err(|_| Error::NonAscii)?)),
+ false => Err(Error::NonAscii),
+ }
+ }
+
+ fn as_ptr(&self) -> *const c_char {
+ self.0.as_ptr()
+ }
+}
+
+/// Helper struct to construct the PEM format
+#[derive(Debug)]
+struct InnerPem<'d> {
+ name: AsciiCString,
+ header: Option<AsciiCString>,
+ data: &'d [u8],
+}
+
+impl<'d> InnerPem<'d> {
+ fn new(name: &str, header: Option<String>, data: &'d [u8]) -> Result<Self> {
+ Ok(Self {
+ name: AsciiCString::from_str(name)?,
+ header: match header {
+ Some(h) => Some(AsciiCString::from_str(&h)?),
+ None => None,
+ },
+ data,
+ })
+ }
+
+ /// Generate PEM representation of the data
+ fn to_pem(&self) -> Result<Vec<u8>> {
+ let bio = BioMem::new()?;
+ let hdr_ptr = match self.header {
+ // avoid moving variable -> use reference
+ Some(ref h) => h.as_ptr(),
+ None => std::ptr::null(),
+ };
+
+ // SAFETY:
+ // All pointers point to valid C strings or memory regions
+ let rc = unsafe {
+ ffi::PEM_write_bio(
+ bio.as_ptr(),
+ self.name.as_ptr(),
+ hdr_ptr,
+ self.data.as_ptr(),
+ self.data.len() as std::ffi::c_long,
+ )
+ };
+
+ match rc {
+ 1 => Err(Error::InternalSsl("Could not write PEM", ErrorStack::get())),
+ _ => Ok(bio.to_vec()),
+ }
+ }
+}
+
+/// Data in PEM format
+///
+/// Displays into a printable PEM structure.
+/// Must be constructed from another structure in this library.
+///
+/// ```rust,ignore
+/// let pem: Pem = ...;
+/// println!("PEM {pem}");
+/// ```
+/// ```PEM
+///-----BEGIN <name>-----
+///<header>
+///
+///<Base64 formatted binary data>
+///-----END <name>-----
+
+#[derive(Debug)]
+pub struct Pem {
+ pem: Confidential<String>,
+}
+
+#[allow(unused)]
+impl Pem {
+ /// Create a new PEM structure.
+ ///
+ /// # Errors
+ ///
+ /// This function will return an error if name or header contain non-ASCII chars, or OpenSSL
+ /// could not generate the PEM (very likely due to OOM).
+ pub(crate) fn new<D, H>(name: &str, header: H, data: D) -> Result<Self>
+ where
+ D: AsRef<[u8]>,
+ H: Into<Option<String>>,
+ {
+ let mut header = header.into();
+ let header = match header {
+ Some(h) if h.ends_with('\n') => Some(h),
+ Some(h) if h.is_empty() => None,
+ Some(mut h) => {
+ h.push('\n');
+ Some(h)
+ }
+ None => None,
+ };
+
+ let inner_pem = InnerPem::new(name, header, data.as_ref())?;
+
+ // Create the PEM format eagerly so that to_string/display cannot fail because of ASCII or OpenSSL Errors
+ // Both error should be very unlikely
+ // OpenSSL should be able to create PEM if there is enough memory and produce a non-null
+ // terminated ASCII-string
+ // Unwrap succeeds it's all ASCII
+ // Std lib implements all the conversations without a copy
+ let pem = CString::new(inner_pem.to_pem()?)
+ .map_err(|_| Error::NonAscii)?
+ .into_string()
+ .unwrap()
+ .into();
+
+ Ok(Self { pem })
+ }
+
+ /// Converts the PEM-data into a byte vector.
+ ///
+ /// This consumes the `PEM`.
+ #[inline]
+ #[must_use = "`self` will be dropped if the result is not used"]
+ pub fn into_bytes(self) -> Confidential<Vec<u8>> {
+ self.pem.into_inner().into_bytes().into()
+ }
+}
+
+impl Display for Pem {
+ fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+ self.pem.value().fmt(f)
+ }
+}
+
+#[cfg(test)]
+mod test {
+ use super::*;
+
+ #[test]
+ fn no_data() {
+ const EXP: &str =
+ "-----BEGIN PEM test-----\ntest hdr value: 17\n\n-----END PEM test-----\n";
+ let test_pem = Pem::new("PEM test", "test hdr value: 17".to_string(), []).unwrap();
+ let pem_str = test_pem.to_string();
+ assert_eq!(pem_str, EXP);
+ }
+
+ #[test]
+ fn no_hdr() {
+ const EXP: &str =
+ "-----BEGIN PEM test-----\ndmVyeSBzZWNyZXQga2V5\n-----END PEM test-----\n";
+ let test_pem = Pem::new("PEM test", None, "very secret key").unwrap();
+ let pem_str = test_pem.to_string();
+ assert_eq!(pem_str, EXP);
+ }
+
+ #[test]
+ fn some_data() {
+ const EXP: &str= "-----BEGIN PEM test-----\ntest hdr value: 17\n\ndmVyeSBzZWNyZXQga2V5\n-----END PEM test-----\n";
+ let test_pem = Pem::new(
+ "PEM test",
+ "test hdr value: 17".to_string(),
+ "very secret key",
+ )
+ .unwrap();
+ let pem_str = test_pem.to_string();
+ assert_eq!(pem_str, EXP);
+ }
+
+ #[test]
+ fn data_linebreak() {
+ const EXP: &str= "-----BEGIN PEM test-----\ntest hdr value: 17\n\ndmVyeSBzZWNyZXQga2V5\n-----END PEM test-----\n";
+ let test_pem = Pem::new(
+ "PEM test",
+ "test hdr value: 17\n".to_string(),
+ "very secret key",
+ )
+ .unwrap();
+ let pem_str = test_pem.to_string();
+ assert_eq!(pem_str, EXP);
+ }
+}

View File

@ -0,0 +1,57 @@
From 69eb06f39e5134565babfe96c66a3786c0a571cf Mon Sep 17 00:00:00 2001
From: Steffen Eiden <seiden@linux.ibm.com>
Date: Tue, 20 Feb 2024 14:50:47 +0100
Subject: [PATCH] rust/pv_core: Update ffi.rs to linux/uvdevice.h v6.13
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
While at it, add a file global #[allow(dead_code)].
The file is a rustified copy of linux/arch/s390/include/uapi/asm/uvdevice.h
and there might be things that are not needed here but are defined in that header.
Acked-by: Marc Hartmayer <marc@linux.ibm.com>
Reviewed-by: Christoph Schlameuss <schlameuss@linux.ibm.com>
Signed-off-by: Steffen Eiden <seiden@linux.ibm.com>
Signed-off-by: Jan Höppner <hoeppner@linux.ibm.com>
---
rust/pv_core/src/uvdevice/ffi.rs | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/rust/pv_core/src/uvdevice/ffi.rs b/rust/pv_core/src/uvdevice/ffi.rs
index bbcc5867..3d9998db 100644
--- a/rust/pv_core/src/uvdevice/ffi.rs
+++ b/rust/pv_core/src/uvdevice/ffi.rs
@@ -2,6 +2,13 @@
//
// Copyright IBM Corp. 2023
+// This file is a rustified copy of linux/arch/s390/include/uapi/asm/uvdevice.h
+// There might be things that are not needed here but nontheless defined in that header.
+// Those two files should be in sync -> there might be unused/dead code.
+//
+// The `UVIO_IOCTL_*` and `UVIO_SUPP_*` macros
+#![allow(dead_code)]
+
use std::mem::size_of;
use crate::{assert_size, static_assert};
@@ -11,9 +18,8 @@ pub const UVIO_ATT_ARCB_MAX_LEN: usize = 0x100000;
pub const UVIO_ATT_MEASUREMENT_MAX_LEN: usize = 0x8000;
pub const UVIO_ATT_ADDITIONAL_MAX_LEN: usize = 0x8000;
pub const UVIO_ADD_SECRET_MAX_LEN: usize = 0x100000;
-#[allow(unused)]
-// here for completeness
pub const UVIO_LIST_SECRETS_LEN: usize = 0x1000;
+pub const UVIO_RETR_SECRET_MAX_LEN: usize = 0x2000;
// equal to ascii 'u'
pub const UVIO_TYPE_UVC: u8 = 117u8;
@@ -23,6 +29,7 @@ pub const UVIO_IOCTL_ATT_NR: u8 = 1;
pub const UVIO_IOCTL_ADD_SECRET_NR: u8 = 2;
pub const UVIO_IOCTL_LIST_SECRETS_NR: u8 = 3;
pub const UVIO_IOCTL_LOCK_SECRETS_NR: u8 = 4;
+pub const UVIO_IOCTL_RETR_SECRET_NR: u8 = 5;
/// Uvdevice IOCTL control block
/// Programs can use this struct to communicate with the uvdevice via IOCTLs

View File

@ -0,0 +1,204 @@
From 01cd81ecf5d1a7e1e504ae1b67692cf63cd4b51d Mon Sep 17 00:00:00 2001
From: Steffen Eiden <seiden@linux.ibm.com>
Date: Tue, 5 Mar 2024 11:56:57 +0100
Subject: [PATCH] rust/pv_core: Retrieve Secret UVC
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Create the uvdevice-IOCTL functionality for the new Retrieve Secret UVC.
Reviewed-by: Christoph Schlameuss <schlameuss@linux.ibm.com>
Acked-by: Marc Hartmayer <marc@linux.ibm.com>
Signed-off-by: Steffen Eiden <seiden@linux.ibm.com>
Signed-off-by: Jan Höppner <hoeppner@linux.ibm.com>
---
rust/pv_core/src/error.rs | 7 ++
rust/pv_core/src/lib.rs | 2 +-
rust/pv_core/src/uvdevice/secret.rs | 97 +++++++++++++++++++++++-
rust/pv_core/src/uvdevice/secret_list.rs | 15 ++++
4 files changed, 118 insertions(+), 3 deletions(-)
diff --git a/rust/pv_core/src/error.rs b/rust/pv_core/src/error.rs
index 20fca24d..ba7b7e26 100644
--- a/rust/pv_core/src/error.rs
+++ b/rust/pv_core/src/error.rs
@@ -4,6 +4,8 @@
use std::path::PathBuf;
+use crate::uv::SecretId;
+
/// Result type for this crate
pub type Result<T, E = Error> = std::result::Result<T, E>;
@@ -70,6 +72,11 @@ pub enum Error {
#[error("The attestation request does not specify a measurement size or measurement data.")]
BinArcbNoMeasurement,
+ #[error(
+ "The secret with the ID {id} cannot be retrieved. The requested size is too large ({size})"
+ )]
+ InvalidRetrievableSecretType { id: SecretId, size: usize },
+
// errors from other crates
#[error(transparent)]
Io(#[from] std::io::Error),
diff --git a/rust/pv_core/src/lib.rs b/rust/pv_core/src/lib.rs
index 349c0b28..5922211f 100644
--- a/rust/pv_core/src/lib.rs
+++ b/rust/pv_core/src/lib.rs
@@ -32,7 +32,7 @@ pub mod misc {
/// [`crate::uv::UvCmd`]
pub mod uv {
pub use crate::uvdevice::attest::AttestationCmd;
- pub use crate::uvdevice::secret::{AddCmd, ListCmd, LockCmd};
+ pub use crate::uvdevice::secret::{AddCmd, ListCmd, LockCmd, RetrieveCmd};
pub use crate::uvdevice::secret_list::{ListableSecretType, SecretEntry, SecretId, SecretList};
pub use crate::uvdevice::{ConfigUid, UvCmd, UvDevice, UvDeviceInfo, UvFlags, UvcSuccess};
}
diff --git a/rust/pv_core/src/uvdevice/secret.rs b/rust/pv_core/src/uvdevice/secret.rs
index 6c22b6ed..263f17d5 100644
--- a/rust/pv_core/src/uvdevice/secret.rs
+++ b/rust/pv_core/src/uvdevice/secret.rs
@@ -3,8 +3,15 @@
// Copyright IBM Corp. 2023
use super::ffi;
-use crate::{request::MagicValue, uv::UvCmd, uvsecret::AddSecretMagic, Error, Result, PAGESIZE};
-use std::io::Read;
+use crate::{
+ request::{Confidential, MagicValue},
+ uv::{SecretEntry, UvCmd},
+ uvsecret::AddSecretMagic,
+ Error, Result, PAGESIZE,
+};
+use log::debug;
+use std::{io::Read, mem::size_of_val};
+use zerocopy::AsBytes;
/// _List Secrets_ Ultravisor command.
///
@@ -116,3 +123,89 @@ impl UvCmd for LockCmd {
}
}
}
+
+/// Retrieve a secret value from UV store
+#[derive(Debug)]
+pub struct RetrieveCmd {
+ entry: SecretEntry,
+ key: Confidential<Vec<u8>>,
+}
+
+impl RetrieveCmd {
+ /// Maximum size of a retrieved key (=2 pages)
+ pub const MAX_SIZE: usize = ffi::UVIO_RETR_SECRET_MAX_LEN;
+
+ /// Create a retrieve-secret UVC from a [`SecretEntry`].
+ ///
+ /// This uses the index of the secret entry for the UVC.
+ pub fn from_entry(entry: SecretEntry) -> Result<Self> {
+ entry.try_into()
+ }
+
+ /// Transform a [`RetrieveCmd`] into a key-vector.
+ ///
+ /// Only makes sense to call after a successful UVC execution.
+ pub fn into_key(self) -> Confidential<Vec<u8>> {
+ self.key
+ }
+
+ /// Get the secret entry
+ ///
+ /// Get the secret entry that is used as metadata to retrieve the secret
+ pub fn meta_data(&self) -> &SecretEntry {
+ &self.entry
+ }
+}
+
+impl TryFrom<SecretEntry> for RetrieveCmd {
+ type Error = Error;
+
+ fn try_from(entry: SecretEntry) -> Result<Self> {
+ let len = entry.secret_size() as usize;
+
+ // Next to impossible if the secret entry is a valid response from UV
+ if len > Self::MAX_SIZE {
+ return Err(Error::InvalidRetrievableSecretType {
+ id: entry.secret_id().to_owned(),
+ size: len,
+ });
+ }
+
+ // Ensure that an u16 fits into the buffer.
+ let size = std::cmp::max(size_of_val(&entry.index()), len);
+ debug!("Create a buf with {} elements", size);
+ let mut buf = vec![0; size];
+ // The IOCTL expects the secret index in the first two bytes of the buffer. They will be
+ // overwritten in the response
+ entry.index_be().write_to_prefix(&mut buf).unwrap();
+ Ok(Self {
+ entry,
+ key: buf.into(),
+ })
+ }
+}
+
+impl UvCmd for RetrieveCmd {
+ const UV_IOCTL_NR: u8 = ffi::UVIO_IOCTL_RETR_SECRET_NR;
+
+ fn rc_fmt(&self, rc: u16, _: u16) -> Option<&'static str> {
+ match rc {
+ // should not appear (TM), software creates request from a list item
+ 0x0009 => Some("the allocated buffer is to small to store the secret"),
+ // should not appear (TM), kernel allocates the memory
+ 0x0102 => {
+ Some("access exception recognized when accessing retrieved secret storage area")
+ }
+ // should not appear (TM), software creates request from a list item
+ 0x010f => Some("the Secret Store is empty"),
+ // should not appear (TM), software creates request from a list item
+ 0x0110 => Some("the Secret Store does not contain a secret with the specified index"),
+ 0x0111 => Some("the secret is not retrievable"),
+ _ => None,
+ }
+ }
+
+ fn data(&mut self) -> Option<&mut [u8]> {
+ Some(self.key.value_mut())
+ }
+}
diff --git a/rust/pv_core/src/uvdevice/secret_list.rs b/rust/pv_core/src/uvdevice/secret_list.rs
index d20928b5..0a8af504 100644
--- a/rust/pv_core/src/uvdevice/secret_list.rs
+++ b/rust/pv_core/src/uvdevice/secret_list.rs
@@ -110,6 +110,11 @@ impl SecretEntry {
self.index.get()
}
+ /// Returns the index of this [`SecretEntry`] in BE.
+ pub(crate) fn index_be(&self) -> &U16<BigEndian> {
+ &self.index
+ }
+
/// Returns the secret type of this [`SecretEntry`].
pub fn stype(&self) -> ListableSecretType {
self.stype.into()
@@ -127,6 +132,16 @@ impl SecretEntry {
pub fn id(&self) -> &[u8] {
self.id.as_ref()
}
+
+ /// Get the id as [`SecretId`] reference
+ pub(crate) fn secret_id(&self) -> &SecretId {
+ &self.id
+ }
+
+ /// Returns the secret size of this [`SecretEntry`].
+ pub fn secret_size(&self) -> u32 {
+ self.len.get()
+ }
}
impl Display for SecretEntry {

View File

@ -0,0 +1,710 @@
From 4af137f4fad8638169ccf0ddcb6dc4b0fe8fb1c1 Mon Sep 17 00:00:00 2001
From: Steffen Eiden <seiden@linux.ibm.com>
Date: Tue, 5 Mar 2024 12:16:44 +0100
Subject: [PATCH] rust/pv_core: Support for listing Retrievable Secrets
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Add support for listing retrievable secrets in the List Secrets UVC.
Acked-by: Marc Hartmayer <marc@linux.ibm.com>
Reviewed-by: Christoph Schlameuss <schlameuss@linux.ibm.com>
Signed-off-by: Steffen Eiden <seiden@linux.ibm.com>
Signed-off-by: Jan Höppner <hoeppner@linux.ibm.com>
---
rust/pv_core/src/lib.rs | 2 +
rust/pv_core/src/uvdevice.rs | 1 +
rust/pv_core/src/uvdevice/retr_secret.rs | 399 +++++++++++++++++++++++
rust/pv_core/src/uvdevice/secret_list.rs | 157 +++++++--
4 files changed, 536 insertions(+), 23 deletions(-)
create mode 100644 rust/pv_core/src/uvdevice/retr_secret.rs
diff --git a/rust/pv_core/src/lib.rs b/rust/pv_core/src/lib.rs
index 5922211f..caebfcea 100644
--- a/rust/pv_core/src/lib.rs
+++ b/rust/pv_core/src/lib.rs
@@ -32,6 +32,8 @@ pub mod misc {
/// [`crate::uv::UvCmd`]
pub mod uv {
pub use crate::uvdevice::attest::AttestationCmd;
+ pub use crate::uvdevice::retr_secret::RetrievableSecret;
+ pub use crate::uvdevice::retr_secret::{AesSizes, AesXtsSizes, EcCurves, HmacShaSizes};
pub use crate::uvdevice::secret::{AddCmd, ListCmd, LockCmd, RetrieveCmd};
pub use crate::uvdevice::secret_list::{ListableSecretType, SecretEntry, SecretId, SecretList};
pub use crate::uvdevice::{ConfigUid, UvCmd, UvDevice, UvDeviceInfo, UvFlags, UvcSuccess};
diff --git a/rust/pv_core/src/uvdevice.rs b/rust/pv_core/src/uvdevice.rs
index d4176815..e9848243 100644
--- a/rust/pv_core/src/uvdevice.rs
+++ b/rust/pv_core/src/uvdevice.rs
@@ -25,6 +25,7 @@ mod info;
mod test;
pub(crate) use ffi::uv_ioctl;
pub mod attest;
+pub mod retr_secret;
pub mod secret;
pub mod secret_list;
diff --git a/rust/pv_core/src/uvdevice/retr_secret.rs b/rust/pv_core/src/uvdevice/retr_secret.rs
new file mode 100644
index 00000000..490152b4
--- /dev/null
+++ b/rust/pv_core/src/uvdevice/retr_secret.rs
@@ -0,0 +1,399 @@
+// SPDX-License-Identifier: MIT
+//
+// Copyright IBM Corp. 2024
+
+use crate::uv::{ListableSecretType, RetrieveCmd};
+use serde::{Deserialize, Serialize, Serializer};
+use std::fmt::Display;
+
+/// Allowed sizes for AES keys
+#[non_exhaustive]
+#[derive(PartialEq, Eq, Debug)]
+pub enum AesSizes {
+ /// 128 bit key
+ Bits128,
+ /// 192 bit key
+ Bits192,
+ /// 256 bit key
+ Bits256,
+}
+
+impl AesSizes {
+ /// Construct the key-size from the bit-size.
+ ///
+ /// Returns [`None`] if the bit-size is not supported.
+ pub fn from_bits(bits: u32) -> Option<Self> {
+ match bits {
+ 128 => Some(Self::Bits128),
+ 192 => Some(Self::Bits192),
+ 256 => Some(Self::Bits256),
+ _ => None,
+ }
+ }
+
+ /// Returns the bit-size for the key-type
+ const fn bit_size(&self) -> u32 {
+ match self {
+ Self::Bits128 => 128,
+ Self::Bits192 => 192,
+ Self::Bits256 => 256,
+ }
+ }
+}
+
+impl Display for AesSizes {
+ fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+ write!(f, "{}", self.bit_size())
+ }
+}
+
+/// Allowed sizes for AES-XTS keys
+#[non_exhaustive]
+#[derive(PartialEq, Eq, Debug)]
+pub enum AesXtsSizes {
+ /// Two AES 128 bit keys
+ Bits128,
+ /// Two AES 256 bit keys
+ Bits256,
+}
+
+impl AesXtsSizes {
+ /// Construct the key-size from the bit-size.
+ ///
+ /// It's a key containing two keys; bit-size is half the number of bits it has
+ /// Returns [`None`] if the bit-size is not supported.
+ pub fn from_bits(bits: u32) -> Option<Self> {
+ match bits {
+ 128 => Some(Self::Bits128),
+ 256 => Some(Self::Bits256),
+ _ => None,
+ }
+ }
+
+ /// Returns the bit-size for the key-type
+ ///
+ /// It's a key containing two keys: bit-size is half the number of bits it has
+ const fn bit_size(&self) -> u32 {
+ match self {
+ Self::Bits128 => 128,
+ Self::Bits256 => 256,
+ }
+ }
+}
+
+impl Display for AesXtsSizes {
+ fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+ write!(f, "{}", self.bit_size())
+ }
+}
+
+/// Allowed sizes for HMAC-SHA keys
+#[non_exhaustive]
+#[derive(PartialEq, Eq, Debug)]
+pub enum HmacShaSizes {
+ /// SHA 256 bit
+ Sha256,
+ /// SHA 512 bit
+ Sha512,
+}
+
+impl HmacShaSizes {
+ /// Construct the key-size from the sha-size.
+ ///
+ /// FW expects maximum resistance keys (double the SHA size).
+ /// The `sha_size` is half of the number of bits in the key
+ /// Returns [`None`] if the `sha_size` is not supported.
+ pub fn from_sha_size(sha_size: u32) -> Option<Self> {
+ match sha_size {
+ 256 => Some(Self::Sha256),
+ 512 => Some(Self::Sha512),
+ _ => None,
+ }
+ }
+
+ /// Returns the sha-size for the key-type
+ ///
+ /// FW expects maximum resistance keys (double the SHA size).
+ /// The `sha_size` is half of the number of bits in the key
+ const fn sha_size(&self) -> u32 {
+ match self {
+ Self::Sha256 => 256,
+ Self::Sha512 => 512,
+ }
+ }
+}
+
+impl Display for HmacShaSizes {
+ fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+ write!(f, "{}", self.sha_size())
+ }
+}
+
+/// Allowed curves for EC private keys
+#[non_exhaustive]
+#[derive(PartialEq, Eq, Debug)]
+pub enum EcCurves {
+ /// secp256r1 or prime256v1 curve
+ Secp256R1,
+ /// secp384p1 curve
+ Secp384R1,
+ /// secp521r1 curve
+ Secp521R1,
+ /// ed25519 curve
+ Ed25519,
+ /// ed448 curve
+ Ed448,
+}
+
+impl EcCurves {
+ const fn exp_size(&self) -> usize {
+ match self {
+ Self::Secp256R1 => 32,
+ Self::Secp384R1 => 48,
+ Self::Secp521R1 => 80,
+ Self::Ed25519 => 32,
+ Self::Ed448 => 64,
+ }
+ }
+
+ /// Resizes the raw key to the expected size.
+ ///
+ /// See [`Vec::resize`]
+ pub fn resize_raw_key(&self, mut raw: Vec<u8>) -> Vec<u8> {
+ raw.resize(self.exp_size(), 0);
+ raw
+ }
+}
+
+// The names have to stay constant, otherwise the PEM contains invalid types
+impl Display for EcCurves {
+ fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+ match self {
+ Self::Secp256R1 => write!(f, "SECP256R1"),
+ Self::Secp384R1 => write!(f, "SECP384R1"),
+ Self::Secp521R1 => write!(f, "SECP521R1"),
+ Self::Ed25519 => write!(f, "ED25519"),
+ Self::Ed448 => write!(f, "ED448"),
+ }
+ }
+}
+
+/// Retrievable Secret types
+#[non_exhaustive]
+#[derive(PartialEq, Eq, Debug)]
+pub enum RetrievableSecret {
+ /// Plain-text secret
+ PlainText,
+ /// Protected AES key
+ Aes(AesSizes),
+ /// Protected AES-XTS key
+ AesXts(AesXtsSizes),
+ /// Protected HMAC-SHA key
+ HmacSha(HmacShaSizes),
+ /// Protected EC-private key
+ Ec(EcCurves),
+}
+
+// The names have to stay constant, otherwise the PEM contains invalid/unknown types
+impl Display for RetrievableSecret {
+ fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+ // Alternate representation: Omit sizes/curves
+ if f.alternate() {
+ match self {
+ Self::PlainText => write!(f, "PLAINTEXT"),
+ Self::Aes(_) => write!(f, "AES-KEY"),
+ Self::AesXts(_) => write!(f, "AES-XTS-KEY"),
+ Self::HmacSha(_) => write!(f, "HMAC-SHA-KEY"),
+ Self::Ec(_) => write!(f, "EC-PRIVATE-KEY"),
+ }
+ } else {
+ match self {
+ Self::PlainText => write!(f, "PLAINTEXT"),
+ Self::Aes(s) => write!(f, "AES-{s}-KEY"),
+ Self::AesXts(s) => write!(f, "AES-XTS-{s}-KEY"),
+ Self::HmacSha(s) => write!(f, "HMAC-SHA-{s}-KEY"),
+ Self::Ec(c) => write!(f, "EC-{c}-PRIVATE-KEY"),
+ }
+ }
+ }
+}
+
+impl RetrievableSecret {
+ /// Report expected input types
+ pub fn expected(&self) -> String {
+ match self {
+ Self::PlainText => format!("less than {}", RetrieveCmd::MAX_SIZE),
+ Self::Aes(_) => "128, 192, or 256".to_string(),
+ Self::AesXts(_) => "128 or 256".to_string(),
+ Self::HmacSha(_) => "256 or 512".to_string(),
+ Self::Ec(_) => "secp256r1, secp384r1, secp521r1, ed25519, or ed448".to_string(),
+ }
+ }
+}
+
+impl From<&RetrievableSecret> for u16 {
+ fn from(value: &RetrievableSecret) -> Self {
+ match value {
+ RetrievableSecret::PlainText => ListableSecretType::PLAINTEXT,
+ RetrievableSecret::Aes(AesSizes::Bits128) => ListableSecretType::AES_128_KEY,
+ RetrievableSecret::Aes(AesSizes::Bits192) => ListableSecretType::AES_192_KEY,
+ RetrievableSecret::Aes(AesSizes::Bits256) => ListableSecretType::AES_256_KEY,
+ RetrievableSecret::AesXts(AesXtsSizes::Bits128) => ListableSecretType::AES_128_XTS_KEY,
+ RetrievableSecret::AesXts(AesXtsSizes::Bits256) => ListableSecretType::AES_256_XTS_KEY,
+ RetrievableSecret::HmacSha(HmacShaSizes::Sha256) => {
+ ListableSecretType::HMAC_SHA_256_KEY
+ }
+ RetrievableSecret::HmacSha(HmacShaSizes::Sha512) => {
+ ListableSecretType::HMAC_SHA_512_KEY
+ }
+ RetrievableSecret::Ec(EcCurves::Secp256R1) => ListableSecretType::ECDSA_P256_KEY,
+ RetrievableSecret::Ec(EcCurves::Secp384R1) => ListableSecretType::ECDSA_P384_KEY,
+ RetrievableSecret::Ec(EcCurves::Secp521R1) => ListableSecretType::ECDSA_P521_KEY,
+ RetrievableSecret::Ec(EcCurves::Ed25519) => ListableSecretType::ECDSA_ED25519_KEY,
+ RetrievableSecret::Ec(EcCurves::Ed448) => ListableSecretType::ECDSA_ED448_KEY,
+ }
+ }
+}
+
+// serializes to: <secret type nb> (String name)
+impl Serialize for RetrievableSecret {
+ fn serialize<S>(&self, serializer: S) -> Result<S::Ok, S::Error>
+ where
+ S: Serializer,
+ {
+ let id: u16 = self.into();
+ serializer.serialize_str(&format!("{id} ({self})"))
+ }
+}
+
+/// deserializes from the secret type nb only
+impl<'de> Deserialize<'de> for RetrievableSecret {
+ fn deserialize<D>(de: D) -> Result<Self, D::Error>
+ where
+ D: serde::Deserializer<'de>,
+ {
+ struct RetrSecretVisitor;
+ impl<'de> serde::de::Visitor<'de> for RetrSecretVisitor {
+ type Value = RetrievableSecret;
+
+ fn expecting(&self, fmt: &mut std::fmt::Formatter) -> std::fmt::Result {
+ fmt.write_str(
+ "a retrievable secret type: `<number> (String name)` number in [3,10]|[17,21]",
+ )
+ }
+ fn visit_str<E>(self, s: &str) -> Result<Self::Value, E>
+ where
+ E: serde::de::Error,
+ {
+ let (n, _) = s.split_once(' ').ok_or(serde::de::Error::invalid_value(
+ serde::de::Unexpected::Str(s),
+ &self,
+ ))?;
+ let id: u16 = n.parse().map_err(|_| {
+ serde::de::Error::invalid_value(serde::de::Unexpected::Str(n), &self)
+ })?;
+ let listable: ListableSecretType = id.into();
+ match listable {
+ ListableSecretType::Retrievable(r) => Ok(r),
+ _ => Err(serde::de::Error::invalid_value(
+ serde::de::Unexpected::Unsigned(id.into()),
+ &self,
+ )),
+ }
+ }
+ }
+ de.deserialize_str(RetrSecretVisitor)
+ }
+}
+
+#[cfg(test)]
+mod test {
+ use serde_test::{assert_tokens, Token};
+
+ use super::*;
+
+ #[test]
+ fn retr_serde_plain() {
+ let retr = RetrievableSecret::PlainText;
+ assert_tokens(&retr, &[Token::Str("3 (PLAINTEXT)")]);
+ }
+
+ #[test]
+ fn retr_serde_aes() {
+ let retr = RetrievableSecret::Aes(AesSizes::Bits192);
+ assert_tokens(&retr, &[Token::Str("5 (AES-192-KEY)")]);
+ }
+
+ #[test]
+ fn retr_serde_aes_xts() {
+ let retr = RetrievableSecret::AesXts(AesXtsSizes::Bits128);
+ assert_tokens(&retr, &[Token::Str("7 (AES-XTS-128-KEY)")]);
+ }
+
+ #[test]
+ fn retr_serde_hmac() {
+ let retr = RetrievableSecret::HmacSha(HmacShaSizes::Sha256);
+ assert_tokens(&retr, &[Token::Str("9 (HMAC-SHA-256-KEY)")]);
+ }
+
+ #[test]
+ fn retr_serde_es() {
+ let retr = RetrievableSecret::Ec(EcCurves::Secp521R1);
+ assert_tokens(&retr, &[Token::Str("19 (EC-SECP521R1-PRIVATE-KEY)")]);
+ }
+
+ // Ensure that the string representation of the retrievable types stay constant, or PEM will have
+ // different, incompatible types
+ #[test]
+ fn stable_type_names() {
+ assert_eq!("PLAINTEXT", RetrievableSecret::PlainText.to_string());
+ assert_eq!(
+ "AES-128-KEY",
+ RetrievableSecret::Aes(AesSizes::Bits128).to_string()
+ );
+ assert_eq!(
+ "AES-192-KEY",
+ RetrievableSecret::Aes(AesSizes::Bits192).to_string()
+ );
+ assert_eq!(
+ "AES-256-KEY",
+ RetrievableSecret::Aes(AesSizes::Bits256).to_string()
+ );
+ assert_eq!(
+ "AES-XTS-128-KEY",
+ RetrievableSecret::AesXts(AesXtsSizes::Bits128).to_string()
+ );
+ assert_eq!(
+ "AES-XTS-256-KEY",
+ RetrievableSecret::AesXts(AesXtsSizes::Bits256).to_string()
+ );
+ assert_eq!(
+ "HMAC-SHA-256-KEY",
+ RetrievableSecret::HmacSha(HmacShaSizes::Sha256).to_string()
+ );
+ assert_eq!(
+ "HMAC-SHA-512-KEY",
+ RetrievableSecret::HmacSha(HmacShaSizes::Sha512).to_string()
+ );
+ assert_eq!(
+ "EC-SECP256R1-PRIVATE-KEY",
+ RetrievableSecret::Ec(EcCurves::Secp256R1).to_string()
+ );
+ assert_eq!(
+ "EC-SECP384R1-PRIVATE-KEY",
+ RetrievableSecret::Ec(EcCurves::Secp384R1).to_string()
+ );
+ assert_eq!(
+ "EC-SECP521R1-PRIVATE-KEY",
+ RetrievableSecret::Ec(EcCurves::Secp521R1).to_string()
+ );
+ assert_eq!(
+ "EC-ED25519-PRIVATE-KEY",
+ RetrievableSecret::Ec(EcCurves::Ed25519).to_string()
+ );
+ assert_eq!(
+ "EC-ED448-PRIVATE-KEY",
+ RetrievableSecret::Ec(EcCurves::Ed448).to_string()
+ );
+ }
+}
diff --git a/rust/pv_core/src/uvdevice/secret_list.rs b/rust/pv_core/src/uvdevice/secret_list.rs
index 0a8af504..4e955010 100644
--- a/rust/pv_core/src/uvdevice/secret_list.rs
+++ b/rust/pv_core/src/uvdevice/secret_list.rs
@@ -2,9 +2,14 @@
//
// Copyright IBM Corp. 2024
-use crate::assert_size;
-use crate::{misc::to_u16, uv::ListCmd, uvdevice::UvCmd, Error, Result};
-use byteorder::{BigEndian, ReadBytesExt, WriteBytesExt};
+use crate::{
+ assert_size,
+ misc::to_u16,
+ uv::{AesSizes, AesXtsSizes, EcCurves, HmacShaSizes, ListCmd, RetrievableSecret},
+ uvdevice::UvCmd,
+ Error, Result,
+};
+use byteorder::{BigEndian, ByteOrder, ReadBytesExt, WriteBytesExt};
use serde::{Deserialize, Serialize, Serializer};
use std::{
fmt::Display,
@@ -18,7 +23,7 @@ use zerocopy::{AsBytes, FromBytes, FromZeroes, U16, U32};
///
/// (de)serializes itself in/from a hex-string
#[repr(C)]
-#[derive(PartialEq, Eq, AsBytes, FromZeroes, FromBytes, Debug, Clone)]
+#[derive(PartialEq, Eq, AsBytes, FromZeroes, FromBytes, Debug, Clone, Default)]
pub struct SecretId([u8; Self::ID_SIZE]);
assert_size!(SecretId, SecretId::ID_SIZE);
@@ -94,11 +99,11 @@ impl SecretEntry {
/// Create a new entry for a [`SecretList`].
///
/// The content of this entry will very likely not represent the status of the guest in the
- /// Ultravisor. Use of [`SecretList::decode`] in any non-test environments is encuraged.
+ /// Ultravisor. Use of [`SecretList::decode`] in any non-test environments is encouraged.
pub fn new(index: u16, stype: ListableSecretType, id: SecretId, secret_len: u32) -> Self {
Self {
index: index.into(),
- stype: stype.into(),
+ stype: U16::new(stype.into()),
len: secret_len.into(),
res_8: 0,
id,
@@ -117,7 +122,7 @@ impl SecretEntry {
/// Returns the secret type of this [`SecretEntry`].
pub fn stype(&self) -> ListableSecretType {
- self.stype.into()
+ self.stype.get().into()
}
/// Returns a reference to the id of this [`SecretEntry`].
@@ -146,7 +151,7 @@ impl SecretEntry {
impl Display for SecretEntry {
fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
- let stype: ListableSecretType = self.stype.into();
+ let stype: ListableSecretType = self.stype.get().into();
writeln!(f, "{} {}:", self.index, stype)?;
write!(f, " ")?;
for b in self.id.as_ref() {
@@ -298,51 +303,115 @@ fn ser_u16<S: Serializer>(v: &U16<BigEndian>, ser: S) -> Result<S::Ok, S::Error>
pub enum ListableSecretType {
/// Association Secret
Association,
+ /// Retrievable key
+ Retrievable(RetrievableSecret),
+
/// Invalid secret type, that should never appear in a list
///
/// 0 is reserved
- /// 1 is Null secret, with no id and not listable
+ /// 1 is Null secret, with no id and not list-able
Invalid(u16),
/// Unknown secret type
Unknown(u16),
}
impl ListableSecretType {
- /// UV type id for an association secret
- pub const ASSOCIATION: u16 = 0x0002;
- /// UV type id for a null secret
- pub const NULL: u16 = 0x0001;
const RESERVED_0: u16 = 0x0000;
+ /// UV secret-type id for a null secret
+ pub const NULL: u16 = 0x0001;
+ /// UV secret-type id for an association secret
+ pub const ASSOCIATION: u16 = 0x0002;
+ /// UV secret-type id for a plain text secret
+ pub const PLAINTEXT: u16 = 0x0003;
+ /// UV secret-type id for an aes-128-key secret
+ pub const AES_128_KEY: u16 = 0x0004;
+ /// UV secret-type id for an aes-192-key secret
+ pub const AES_192_KEY: u16 = 0x0005;
+ /// UV secret-type id for an aes-256-key secret
+ pub const AES_256_KEY: u16 = 0x0006;
+ /// UV secret-type id for an aes-xts-128-key secret
+ pub const AES_128_XTS_KEY: u16 = 0x0007;
+ /// UV secret-type id for an aes-xts-256-key secret
+ pub const AES_256_XTS_KEY: u16 = 0x0008;
+ /// UV secret-type id for an hmac-sha-256-key secret
+ pub const HMAC_SHA_256_KEY: u16 = 0x0009;
+ /// UV secret-type id for an hmac-sha-512-key secret
+ pub const HMAC_SHA_512_KEY: u16 = 0x000a;
+ // 0x000b - 0x0010 reserved
+ /// UV secret-type id for an ecdsa-p256-private-key secret
+ pub const ECDSA_P256_KEY: u16 = 0x0011;
+ /// UV secret-type id for an ecdsa-p384-private-key secret
+ pub const ECDSA_P384_KEY: u16 = 0x0012;
+ /// UV secret-type id for an ecdsa-p521-private-key secret
+ pub const ECDSA_P521_KEY: u16 = 0x0013;
+ /// UV secret-type id for an ed25519-private-key secret
+ pub const ECDSA_ED25519_KEY: u16 = 0x0014;
+ /// UV secret-type id for an ed448-private-key secret
+ pub const ECDSA_ED448_KEY: u16 = 0x0015;
}
impl Display for ListableSecretType {
fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
match self {
Self::Association => write!(f, "Association"),
- Self::Invalid(n) => write!(f, "Invalid({n})"),
- Self::Unknown(n) => write!(f, "Unknown({n})"),
+ Self::Invalid(n) => write!(f, "Invalid(0x{n:04x})"),
+ Self::Unknown(n) => write!(f, "Unknown(0x{n:04x})"),
+ Self::Retrievable(r) => write!(f, "{r}"),
}
}
}
-impl From<U16<BigEndian>> for ListableSecretType {
- fn from(value: U16<BigEndian>) -> Self {
- match value.get() {
+impl<O: ByteOrder> From<U16<O>> for ListableSecretType {
+ fn from(value: U16<O>) -> Self {
+ value.get().into()
+ }
+}
+
+impl From<u16> for ListableSecretType {
+ fn from(value: u16) -> Self {
+ match value {
Self::RESERVED_0 => Self::Invalid(Self::RESERVED_0),
Self::NULL => Self::Invalid(Self::NULL),
Self::ASSOCIATION => Self::Association,
+ Self::PLAINTEXT => Self::Retrievable(RetrievableSecret::PlainText),
+ Self::AES_128_KEY => Self::Retrievable(RetrievableSecret::Aes(AesSizes::Bits128)),
+ Self::AES_192_KEY => Self::Retrievable(RetrievableSecret::Aes(AesSizes::Bits192)),
+ Self::AES_256_KEY => Self::Retrievable(RetrievableSecret::Aes(AesSizes::Bits256)),
+ Self::AES_128_XTS_KEY => {
+ Self::Retrievable(RetrievableSecret::AesXts(AesXtsSizes::Bits128))
+ }
+ Self::AES_256_XTS_KEY => {
+ Self::Retrievable(RetrievableSecret::AesXts(AesXtsSizes::Bits256))
+ }
+ Self::HMAC_SHA_256_KEY => {
+ Self::Retrievable(RetrievableSecret::HmacSha(HmacShaSizes::Sha256))
+ }
+ Self::HMAC_SHA_512_KEY => {
+ Self::Retrievable(RetrievableSecret::HmacSha(HmacShaSizes::Sha512))
+ }
+ Self::ECDSA_P256_KEY => Self::Retrievable(RetrievableSecret::Ec(EcCurves::Secp256R1)),
+ Self::ECDSA_P384_KEY => Self::Retrievable(RetrievableSecret::Ec(EcCurves::Secp384R1)),
+ Self::ECDSA_P521_KEY => Self::Retrievable(RetrievableSecret::Ec(EcCurves::Secp521R1)),
+ Self::ECDSA_ED25519_KEY => Self::Retrievable(RetrievableSecret::Ec(EcCurves::Ed25519)),
+ Self::ECDSA_ED448_KEY => Self::Retrievable(RetrievableSecret::Ec(EcCurves::Ed448)),
n => Self::Unknown(n),
}
}
}
-impl From<ListableSecretType> for U16<BigEndian> {
+impl<O: ByteOrder> From<ListableSecretType> for U16<O> {
+ fn from(value: ListableSecretType) -> Self {
+ Self::new(value.into())
+ }
+}
+
+impl From<ListableSecretType> for u16 {
fn from(value: ListableSecretType) -> Self {
match value {
ListableSecretType::Association => ListableSecretType::ASSOCIATION,
ListableSecretType::Invalid(n) | ListableSecretType::Unknown(n) => n,
+ ListableSecretType::Retrievable(r) => (&r).into(),
}
- .into()
}
}
@@ -363,8 +432,8 @@ where
where
E: serde::de::Error,
{
- if s.len() != SecretId::ID_SIZE * 2 + 2 {
- return Err(serde::de::Error::invalid_length(s.len(), &self));
+ if s.len() != SecretId::ID_SIZE * 2 + "0x".len() {
+ return Err(serde::de::Error::invalid_length(s.len() - 2, &self));
}
let nb = s.strip_prefix("0x").ok_or_else(|| {
serde::de::Error::invalid_value(serde::de::Unexpected::Str(s), &self)
@@ -385,7 +454,6 @@ mod test {
use super::*;
use std::io::{BufReader, BufWriter, Cursor};
-
#[test]
fn dump_secret_entry() {
const EXP: &[u8] = &[
@@ -516,4 +584,47 @@ mod test {
)],
)
}
+
+ #[test]
+ fn secret_list_ser() {
+ let list = SecretList {
+ total_num_secrets: 0x112,
+ secrets: vec![SecretEntry {
+ index: 1.into(),
+ stype: 2.into(),
+ len: 32.into(),
+ res_8: 0,
+ id: SecretId::from([0; 32]),
+ }],
+ };
+
+ assert_ser_tokens(
+ &list,
+ &[
+ Token::Struct {
+ name: "SecretList",
+ len: 2,
+ },
+ Token::String("total_num_secrets"),
+ Token::U64(0x112),
+ Token::String("secrets"),
+ Token::Seq { len: Some(1) },
+ Token::Struct {
+ name: "SecretEntry",
+ len: (4),
+ },
+ Token::String("index"),
+ Token::U16(1),
+ Token::String("stype"),
+ Token::U16(2),
+ Token::String("len"),
+ Token::U32(32),
+ Token::String("id"),
+ Token::String("0x0000000000000000000000000000000000000000000000000000000000000000"),
+ Token::StructEnd,
+ Token::SeqEnd,
+ Token::StructEnd,
+ ],
+ )
+ }
}

View File

@ -0,0 +1,877 @@
From fd024387d710887bd2016658c44d4762a08c791c Mon Sep 17 00:00:00 2001
From: Steffen Eiden <seiden@linux.ibm.com>
Date: Tue, 5 Mar 2024 12:19:22 +0100
Subject: [PATCH] rust/pv: Retrievable secrets support
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Support retrievable secret for Add-Secret requests.
Acked-by: Marc Hartmayer <marc@linux.ibm.com>
Reviewed-by: Christoph Schlameuss <schlameuss@linux.ibm.com>
Signed-off-by: Steffen Eiden <seiden@linux.ibm.com>
Signed-off-by: Jan Höppner <hoeppner@linux.ibm.com>
---
rust/pv/src/crypto.rs | 3 +-
rust/pv/src/error.rs | 8 +
rust/pv/src/lib.rs | 8 +-
rust/pv/src/uvsecret.rs | 1 +
rust/pv/src/uvsecret/guest_secret.rs | 399 +++++++++++++++++++++++++--
rust/pv/src/uvsecret/retr_secret.rs | 234 ++++++++++++++++
6 files changed, 631 insertions(+), 22 deletions(-)
create mode 100644 rust/pv/src/uvsecret/retr_secret.rs
diff --git a/rust/pv/src/crypto.rs b/rust/pv/src/crypto.rs
index 8f11d2b4..ebc85f72 100644
--- a/rust/pv/src/crypto.rs
+++ b/rust/pv/src/crypto.rs
@@ -29,7 +29,6 @@ pub type Aes256XtsKey = Confidential<[u8; SymKeyType::AES_256_XTS_KEY_LEN]>;
/// SHA-512 digest length (in bytes)
pub const SHA_512_HASH_LEN: usize = 64;
-
#[allow(dead_code)]
pub(crate) const SHA_256_HASH_LEN: u32 = 32;
#[allow(dead_code)]
@@ -60,6 +59,8 @@ impl SymKeyType {
pub const AES_256_XTS_KEY_LEN: usize = 64;
/// AES256-XTS tweak length (in bytes)
pub const AES_256_XTS_TWEAK_LEN: usize = 16;
+ /// AES256 GCM Block length
+ pub const AES_256_GCM_BLOCK_LEN: usize = 16;
/// Returns the tag length of the [`SymKeyType`] if it is an AEAD key
pub const fn tag_len(&self) -> Option<usize> {
diff --git a/rust/pv/src/error.rs b/rust/pv/src/error.rs
index 3ba808f2..601b40f0 100644
--- a/rust/pv/src/error.rs
+++ b/rust/pv/src/error.rs
@@ -109,6 +109,14 @@ pub enum Error {
#[error("An ASCII string was expected, but non-ASCII characters were received.")]
NonAscii,
+ #[error("Incorrect {what} for a {kind}. Is: {value}; expected: {exp}")]
+ RetrInvKey {
+ what: &'static str,
+ kind: String,
+ value: String,
+ exp: String,
+ },
+
// errors from other crates
#[error(transparent)]
PvCore(#[from] pv_core::Error),
diff --git a/rust/pv/src/lib.rs b/rust/pv/src/lib.rs
index ec31b9a4..43375669 100644
--- a/rust/pv/src/lib.rs
+++ b/rust/pv/src/lib.rs
@@ -104,7 +104,12 @@ pub mod request {
/// Reexports some useful OpenSSL symbols
pub mod openssl {
- pub use openssl::{error::ErrorStack, hash::DigestBytes, pkey, x509};
+ pub use openssl::{error::ErrorStack, hash::DigestBytes, nid::Nid, pkey, x509};
+ // rust-OpenSSL does not define these NIDs
+ #[allow(missing_docs)]
+ pub const NID_ED25519: Nid = Nid::from_raw(openssl_sys::NID_ED25519);
+ #[allow(missing_docs)]
+ pub const NID_ED448: Nid = Nid::from_raw(openssl_sys::NID_ED448);
}
pub use pv_core::request::*;
@@ -118,6 +123,7 @@ pub mod secret {
asrcb::{AddSecretFlags, AddSecretRequest, AddSecretVersion},
ext_secret::ExtSecret,
guest_secret::GuestSecret,
+ retr_secret::{IbmProtectedKey, RetrievedSecret},
user_data::verify_asrcb_and_get_user_data,
};
}
diff --git a/rust/pv/src/uvsecret.rs b/rust/pv/src/uvsecret.rs
index 343e4b05..c3b43bba 100644
--- a/rust/pv/src/uvsecret.rs
+++ b/rust/pv/src/uvsecret.rs
@@ -10,4 +10,5 @@
pub mod asrcb;
pub mod ext_secret;
pub mod guest_secret;
+pub mod retr_secret;
pub mod user_data;
diff --git a/rust/pv/src/uvsecret/guest_secret.rs b/rust/pv/src/uvsecret/guest_secret.rs
index 4f1db31c..3bad6d3c 100644
--- a/rust/pv/src/uvsecret/guest_secret.rs
+++ b/rust/pv/src/uvsecret/guest_secret.rs
@@ -4,20 +4,34 @@
#[allow(unused_imports)] // used for more convenient docstring
use super::asrcb::AddSecretRequest;
-use crate::assert_size;
use crate::{
- crypto::{hash, random_array},
- request::Confidential,
- Result,
+ assert_size,
+ crypto::{hash, random_array, SymKeyType},
+ request::{
+ openssl::{NID_ED25519, NID_ED448},
+ Confidential,
+ },
+ uv::{
+ AesSizes, AesXtsSizes, EcCurves, HmacShaSizes, ListableSecretType, RetrievableSecret,
+ RetrieveCmd, SecretId,
+ },
+ Error, Result,
};
use byteorder::BigEndian;
-use openssl::hash::MessageDigest;
-use pv_core::uv::{ListableSecretType, SecretId};
+use openssl::{
+ hash::MessageDigest,
+ nid::Nid,
+ pkey::{Id, PKey, Private},
+};
+use pv_core::static_assert;
use serde::{Deserialize, Serialize};
-use std::{convert::TryInto, fmt::Display};
+use std::fmt::Display;
use zerocopy::{AsBytes, U16, U32};
const ASSOC_SECRET_SIZE: usize = 32;
+/// Maximum size of a plain-text secret payload (8190)
+pub(crate) const MAX_SIZE_PLAIN_PAYLOAD: usize = RetrieveCmd::MAX_SIZE - 2;
+static_assert!(MAX_SIZE_PLAIN_PAYLOAD == 8190);
/// A Secret to be added in [`AddSecretRequest`]
#[derive(Debug, Serialize, Deserialize, PartialEq, Eq)]
@@ -36,13 +50,60 @@ pub enum GuestSecret {
#[serde(skip)]
secret: Confidential<[u8; ASSOC_SECRET_SIZE]>,
},
+ /// Retrievable key
+ ///
+ /// Create Retrievables using [`GuestSecret::retrievable`]
+ /// Secret size is always valid for the type/kind
+ Retrievable {
+ /// Retrievable secret type
+ kind: RetrievableSecret,
+ /// Name of the secret
+ name: String,
+ /// SHA256 hash of [`GuestSecret::RetrievableKey::name`]
+ id: SecretId,
+ /// Confidential actual retrievable secret (32 bytes)
+ #[serde(skip)]
+ secret: Confidential<Vec<u8>>,
+ },
+}
+
+macro_rules! retr_constructor {
+ ($(#[$err:meta])* | $(#[$kind:meta])* => $type: ty, $func: ident) => {
+ /// Create a new
+ $(#[$kind])*
+ /// [`GuestSecret::Retrievable`] secret.
+ ///
+ /// * `name` - Name of the secret. Will be hashed into a 32 byte id
+ /// * `secret` - the secret value
+ ///
+ /// # Errors
+ ///
+ $(#[$err])*
+ pub fn $func(name: &str, secret: $type) -> Result<Self> {
+ let (kind, secret) = $func(secret)?;
+ Ok(Self::Retrievable {
+ kind,
+ name: name.to_string(),
+ id: Self::name_to_id(name)?,
+ secret,
+ })
+ }
+ };
}
impl GuestSecret {
+ fn name_to_id(name: &str) -> Result<SecretId> {
+ let id: [u8; SecretId::ID_SIZE] = hash(MessageDigest::sha256(), name.as_bytes())?
+ .to_vec()
+ .try_into()
+ .unwrap();
+ Ok(id.into())
+ }
+
/// Create a new [`GuestSecret::Association`].
///
/// * `name` - Name of the secret. Will be hashed into a 32 byte id
- /// * `secret` - Value of the secret. Ranom if [`Option::None`]
+ /// * `secret` - Value of the secret. Random if [`Option::None`]
///
/// # Errors
///
@@ -51,10 +112,6 @@ impl GuestSecret {
where
O: Into<Option<[u8; ASSOC_SECRET_SIZE]>>,
{
- let id: [u8; SecretId::ID_SIZE] = hash(MessageDigest::sha256(), name.as_bytes())?
- .to_vec()
- .try_into()
- .unwrap();
let secret = match secret.into() {
Some(s) => s,
None => random_array()?,
@@ -62,16 +119,28 @@ impl GuestSecret {
Ok(Self::Association {
name: name.to_string(),
- id: id.into(),
+ id: Self::name_to_id(name)?,
secret: secret.into(),
})
}
+ retr_constructor!(#[doc = r"This function will return an error if the secret is larger than 8 pages"]
+ | #[doc = r"plaintext"] => Confidential<Vec<u8>>, plaintext);
+ retr_constructor!(#[doc = r"This function will return an error if OpenSSL cannot create a hash or the secret size is invalid"]
+ | #[doc = r"AES Key"] => Confidential<Vec<u8>>, aes);
+ retr_constructor!(#[doc = r"This function will return an error if OpenSSL cannot create a hash or the secret size is invalid"]
+ | #[doc = r"AES-XTS Key"] => Confidential<Vec<u8>>, aes_xts);
+ retr_constructor!(#[doc = r"This function will return an error if OpenSSL cannot create a hash or the secret size is invalid"]
+ | #[doc = r"HMAC-SHA Key"] => Confidential<Vec<u8>>, hmac_sha);
+ retr_constructor!(#[doc = r"This function will return an error if OpenSSL cannot create a hash or the curve is invalid"]
+ | #[doc = r"EC PRIVATE Key"] => PKey<Private>, ec);
+
/// Reference to the confidential data
pub fn confidential(&self) -> &[u8] {
match &self {
Self::Null => &[],
Self::Association { secret, .. } => secret.value().as_slice(),
+ Self::Retrievable { secret, .. } => secret.value(),
}
}
@@ -79,7 +148,7 @@ impl GuestSecret {
pub(crate) fn auth(&self) -> SecretAuth {
match &self {
Self::Null => SecretAuth::Null,
- // Panic: every non null secret type is listable -> no panic
+ // Panic: every non null secret type is list-able -> no panic
listable => {
SecretAuth::Listable(ListableSecretHdr::from_guest_secret(listable).unwrap())
}
@@ -92,6 +161,7 @@ impl GuestSecret {
// Null is not listable, but the ListableSecretType provides the type constant (1)
Self::Null => ListableSecretType::NULL,
Self::Association { .. } => ListableSecretType::ASSOCIATION,
+ Self::Retrievable { kind, .. } => kind.into(),
}
}
@@ -100,6 +170,7 @@ impl GuestSecret {
match self {
Self::Null => 0,
Self::Association { secret, .. } => secret.value().len() as u32,
+ Self::Retrievable { secret, .. } => secret.value().len() as u32,
}
}
@@ -107,18 +178,157 @@ impl GuestSecret {
fn id(&self) -> Option<SecretId> {
match self {
Self::Null => None,
- Self::Association { id, .. } => Some(id.to_owned()),
+ Self::Association { id, .. } | Self::Retrievable { id, .. } => Some(id.to_owned()),
}
}
}
+type RetrKeyInfo = (RetrievableSecret, Confidential<Vec<u8>>);
+
+fn extend_to_multiple(mut key: Vec<u8>, multiple: usize) -> Confidential<Vec<u8>> {
+ match key.len().checked_rem(multiple) {
+ Some(0) | None => key,
+ Some(m) => {
+ key.resize(key.len() + multiple - m, 0);
+ key
+ }
+ }
+ .into()
+}
+
+/// Get a plain-text key
+///
+/// ```none
+/// size U16<BigEndian> | payload (0-8190) bytes
+/// ```
+fn plaintext(inp: Confidential<Vec<u8>>) -> Result<RetrKeyInfo> {
+ let key_len = inp.value().len();
+ if key_len > RetrieveCmd::MAX_SIZE {
+ return Err(Error::RetrInvKey {
+ what: "key size",
+ value: key_len.to_string(),
+ kind: RetrievableSecret::PlainText.to_string(),
+ exp: RetrievableSecret::PlainText.expected(),
+ });
+ }
+ let mut key = Vec::with_capacity(2 + inp.value().len());
+ let key_len: U16<BigEndian> = (key_len as u16).into();
+ key.extend_from_slice(key_len.as_bytes());
+ key.extend_from_slice(inp.value());
+ let key = extend_to_multiple(key, SymKeyType::AES_256_GCM_BLOCK_LEN);
+
+ Ok((RetrievableSecret::PlainText, key))
+}
+
+/// Get an AES-key
+fn aes(key: Confidential<Vec<u8>>) -> Result<RetrKeyInfo> {
+ let key_len = key.value().len() as u32;
+ let bit_size = bitsize(key_len);
+ match AesSizes::from_bits(bit_size) {
+ Some(size) => Ok((RetrievableSecret::Aes(size), key)),
+ None => {
+ // Use some AES type to get exp sizes and name
+ let kind = RetrievableSecret::Aes(AesSizes::Bits128);
+ Err(Error::RetrInvKey {
+ what: "key size",
+ value: bit_size.to_string(),
+ kind: format!("{kind:#}"),
+ exp: kind.expected(),
+ })
+ }
+ }
+}
+
+/// Get an AES-XTS-key
+fn aes_xts(key: Confidential<Vec<u8>>) -> Result<RetrKeyInfo> {
+ let key_len = key.value().len() as u32;
+ let bit_size = bitsize(key_len / 2);
+ match AesXtsSizes::from_bits(bit_size) {
+ Some(size) => Ok((RetrievableSecret::AesXts(size), key)),
+ None => {
+ // Use some AES-XTS type to get exp sizes and name
+ let kind = RetrievableSecret::AesXts(AesXtsSizes::Bits128);
+ Err(Error::RetrInvKey {
+ what: "key size",
+ value: bit_size.to_string(),
+ kind: format!("{kind:#}"),
+ exp: kind.expected(),
+ })
+ }
+ }
+}
+
+/// Get an HMAC-SHA-key
+fn hmac_sha(key: Confidential<Vec<u8>>) -> Result<RetrKeyInfo> {
+ let key_len = key.value().len() as u32;
+ let size = bitsize(key_len / 2);
+ match HmacShaSizes::from_sha_size(size) {
+ Some(size) => Ok((RetrievableSecret::HmacSha(size), key)),
+ None => {
+ // Use some HMAC type to get exp sizes and name
+ let kind = RetrievableSecret::HmacSha(HmacShaSizes::Sha256);
+ Err(Error::RetrInvKey {
+ what: "key size",
+ value: size.to_string(),
+ kind: format!("{kind:#}"),
+ exp: kind.expected(),
+ })
+ }
+ }
+}
+
+/// Get an EC-private-key
+fn ec(key: PKey<Private>) -> Result<RetrKeyInfo> {
+ let (key, nid) = match key.id() {
+ Id::EC => {
+ let ec_key = key.ec_key()?;
+ let key = ec_key.private_key().to_vec();
+ let nid = ec_key.group().curve_name().unwrap_or(Nid::UNDEF);
+ (key, nid)
+ }
+ // ED keys are not handled via the EC struct in OpenSSL.
+ id @ (Id::ED25519 | Id::ED448) => {
+ let key = key.raw_private_key()?;
+ let nid = Nid::from_raw(id.as_raw());
+ (key, nid)
+ }
+ _ => (vec![], Nid::UNDEF),
+ };
+
+ let kind = match nid {
+ Nid::X9_62_PRIME256V1 => EcCurves::Secp256R1,
+ Nid::SECP384R1 => EcCurves::Secp384R1,
+ Nid::SECP521R1 => EcCurves::Secp521R1,
+ NID_ED25519 => EcCurves::Ed25519,
+ NID_ED448 => EcCurves::Ed448,
+ nid => {
+ // Use some EC type to get exp sizes and name
+ let ec = RetrievableSecret::Ec(EcCurves::Secp521R1);
+ return Err(Error::RetrInvKey {
+ what: "curve or format",
+ kind: format!("{ec:#}"),
+ value: nid.long_name()?.to_string(),
+ exp: ec.expected(),
+ });
+ }
+ };
+
+ let key = kind.resize_raw_key(key);
+ Ok((RetrievableSecret::Ec(kind), key.into()))
+}
+
+#[inline(always)]
+const fn bitsize(bytesize: u32) -> u32 {
+ bytesize * 8
+}
+
impl Display for GuestSecret {
fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
match self {
Self::Null => write!(f, "Meta"),
gs => {
let kind: U16<BigEndian> = gs.kind().into();
- let st: ListableSecretType = kind.into();
+ let st: ListableSecretType = kind.get().into();
write!(f, "{st}")
}
}
@@ -153,20 +363,24 @@ assert_size!(ListableSecretHdr, 0x30);
impl ListableSecretHdr {
fn from_guest_secret(gs: &GuestSecret) -> Option<Self> {
- let id = gs.id()?;
Some(Self {
res0: 0,
kind: gs.kind().into(),
secret_len: gs.secret_len().into(),
res8: 0,
- id,
+ id: gs.id()?,
})
}
}
#[cfg(test)]
mod test {
+
+ use super::HmacShaSizes as HmacSizes;
+ use super::RetrievableSecret::*;
use super::*;
+ use openssl::ec::{EcGroup, EcKey};
+ use pv_core::uv::AesSizes;
use serde_test::{assert_tokens, Token};
#[test]
@@ -187,8 +401,103 @@ mod test {
assert_eq!(secret, exp);
}
+ macro_rules! retr_test {
+ ($name: ident, $func: ident, $size: expr, $exp_kind: expr) => {
+ #[test]
+ fn $name() {
+ let secret_value = vec![0x11; $size];
+ let name = "test retr secret".to_string();
+ let secret = GuestSecret::$func(&name, secret_value.clone().into()).unwrap();
+ let exp_id = [
+ 0x61, 0x2c, 0xd6, 0x3e, 0xa8, 0xf2, 0xc1, 0x15, 0xc1, 0xe, 0x15, 0xb8, 0x8a,
+ 0x90, 0x16, 0xc1, 0x55, 0xef, 0x9c, 0x7c, 0x2c, 0x8e, 0x56, 0xd0, 0x78, 0x4c,
+ 0x8a, 0x1d, 0xc9, 0x3a, 0x80, 0xba,
+ ];
+ let exp = GuestSecret::Retrievable {
+ kind: $exp_kind,
+ name,
+ id: exp_id.into(),
+ secret: secret_value.into(),
+ };
+ assert_eq!(exp, secret);
+ }
+ };
+ }
+
+ retr_test!(retr_aes_128, aes, 16, Aes(AesSizes::Bits128));
+ retr_test!(retr_aes_192, aes, 24, Aes(AesSizes::Bits192));
+ retr_test!(retr_aes_256, aes, 32, Aes(AesSizes::Bits256));
+ retr_test!(retr_aes_xts_128, aes_xts, 32, AesXts(AesXtsSizes::Bits128));
+ retr_test!(retr_aes_xts_256, aes_xts, 64, AesXts(AesXtsSizes::Bits256));
+ retr_test!(retr_aes_hmac_256, hmac_sha, 64, HmacSha(HmacSizes::Sha256));
+ retr_test!(retr_aes_hmac_512, hmac_sha, 128, HmacSha(HmacSizes::Sha512));
+
+ #[test]
+ fn plaintext_no_pad() {
+ let key = vec![0, 14, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7];
+ let name = "PLAINTEXT_PAD".to_string();
+ let secret = GuestSecret::plaintext(&name, key[2..].to_vec().into()).unwrap();
+ let exp_id = [
+ 15, 123, 176, 210, 135, 231, 220, 232, 148, 93, 198, 195, 165, 212, 214, 129, 45, 1,
+ 94, 11, 167, 18, 151, 15, 120, 254, 13, 109, 173, 186, 37, 74,
+ ];
+ let exp = GuestSecret::Retrievable {
+ kind: PlainText,
+ name,
+ id: exp_id.into(),
+ secret: key.into(),
+ };
+
+ assert_eq!(secret, exp);
+ }
+
#[test]
- fn ap_asc_parse() {
+ fn plaintext_pad() {
+ let key = vec![0, 10, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 0, 0, 0, 0];
+ let name = "PLAINTEXT_PAD".to_string();
+ let secret = GuestSecret::plaintext(&name, key[2..12].to_vec().into()).unwrap();
+ let exp_id = [
+ 15, 123, 176, 210, 135, 231, 220, 232, 148, 93, 198, 195, 165, 212, 214, 129, 45, 1,
+ 94, 11, 167, 18, 151, 15, 120, 254, 13, 109, 173, 186, 37, 74,
+ ];
+ let exp = GuestSecret::Retrievable {
+ kind: PlainText,
+ name,
+ id: exp_id.into(),
+ secret: key.into(),
+ };
+
+ assert_eq!(secret, exp);
+ }
+
+ #[track_caller]
+ fn test_ec(grp: Nid, exp_kind: EcCurves, exp_len: usize) {
+ let key = match grp {
+ NID_ED25519 => PKey::generate_ed25519().unwrap(),
+ NID_ED448 => PKey::generate_ed448().unwrap(),
+ nid => {
+ let group = EcGroup::from_curve_name(nid).unwrap();
+ let key = EcKey::generate(&group).unwrap();
+ PKey::from_ec_key(key).unwrap()
+ }
+ };
+ let (kind, key) = ec(key).unwrap();
+
+ assert_eq!(kind, Ec(exp_kind));
+ assert_eq!(key.value().len(), exp_len);
+ }
+
+ #[test]
+ fn retr_ec() {
+ test_ec(Nid::X9_62_PRIME256V1, EcCurves::Secp256R1, 32);
+ test_ec(Nid::SECP384R1, EcCurves::Secp384R1, 48);
+ test_ec(Nid::SECP521R1, EcCurves::Secp521R1, 80);
+ test_ec(NID_ED25519, EcCurves::Ed25519, 32);
+ test_ec(NID_ED448, EcCurves::Ed448, 64);
+ }
+
+ #[test]
+ fn asc_parse() {
let id = [
0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 0x01, 0x23, 0x45, 0x67, 0x89, 0xab,
0xcd, 0xef, 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 0x01, 0x23, 0x45, 0x67,
@@ -217,6 +526,39 @@ mod test {
);
}
+ #[test]
+ fn retrievable_parse() {
+ let id = [
+ 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 0x01, 0x23, 0x45, 0x67, 0x89, 0xab,
+ 0xcd, 0xef, 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef, 0x01, 0x23, 0x45, 0x67,
+ 0x89, 0xab, 0xcd, 0xef,
+ ];
+ let asc = GuestSecret::Retrievable {
+ kind: PlainText,
+ name: "test123".to_string(),
+ id: id.into(),
+ secret: vec![].into(),
+ };
+
+ assert_tokens(
+ &asc,
+ &[
+ Token::StructVariant {
+ name: "GuestSecret",
+ variant: "Retrievable",
+ len: 3,
+ },
+ Token::String("kind"),
+ Token::String("3 (PLAINTEXT)"),
+ Token::String("name"),
+ Token::String("test123"),
+ Token::String("id"),
+ Token::String("0x0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"),
+ Token::StructVariantEnd,
+ ],
+ );
+ }
+
#[test]
fn guest_secret_bin_null() {
let gs = GuestSecret::Null;
@@ -228,7 +570,7 @@ mod test {
}
#[test]
- fn guest_secret_bin_ap() {
+ fn guest_secret_bin_asoc() {
let gs = GuestSecret::Association {
name: "test".to_string(),
id: [1; 32].into(),
@@ -241,4 +583,21 @@ mod test {
assert_eq!(exp, gs_bytes_auth.get());
assert_eq!(&[2; 32], gs.confidential());
}
+
+ #[test]
+ fn guest_secret_bin_retr() {
+ let gs = GuestSecret::Retrievable {
+ kind: PlainText,
+ name: "test".to_string(),
+ id: [1; 32].into(),
+ secret: vec![2; 32].into(),
+ };
+ let auth = gs.auth();
+ let gs_bytes_auth = auth.get();
+ let mut exp = vec![0u8, 0, 0, 3, 0, 0, 0, 0x20, 0, 0, 0, 0, 0, 0, 0, 0];
+ exp.extend([1; 32]);
+
+ assert_eq!(exp, gs_bytes_auth);
+ assert_eq!(&[2; 32], gs.confidential());
+ }
}
diff --git a/rust/pv/src/uvsecret/retr_secret.rs b/rust/pv/src/uvsecret/retr_secret.rs
new file mode 100644
index 00000000..5fad016f
--- /dev/null
+++ b/rust/pv/src/uvsecret/retr_secret.rs
@@ -0,0 +1,234 @@
+// SPDX-License-Identifier: MIT
+//
+// Copyright IBM Corp. 2024
+
+use crate::{pem::Pem, uvsecret::guest_secret::MAX_SIZE_PLAIN_PAYLOAD, Result};
+
+use byteorder::BigEndian;
+use log::warn;
+use pv_core::{
+ request::Confidential,
+ uv::{ListableSecretType, RetrievableSecret, RetrieveCmd},
+};
+use zerocopy::{FromBytes, U16};
+
+/// An IBM Protected Key
+///
+/// A protected key, writeable as pem.
+///
+/// Will convert into PEM as:
+/// ```PEM
+///-----BEGIN IBM PROTECTED KEY-----
+///kind: <name>
+///
+///<protected key in base64>
+///-----END IBM PROTECTED KEY-----
+/// ```
+#[derive(Debug, PartialEq, Eq)]
+pub struct IbmProtectedKey {
+ kind: ListableSecretType,
+ key: Confidential<Vec<u8>>,
+}
+
+impl IbmProtectedKey {
+ /// Get the binary representation of the key.
+ pub fn data(&self) -> &[u8] {
+ self.key.value()
+ }
+
+ /// Converts a [`IbmProtectedKey`] into a vector.
+ pub fn into_bytes(self) -> Confidential<Vec<u8>> {
+ self.key
+ }
+
+ /// Get the data in PEM format.
+ ///
+ /// # Errors
+ ///
+ /// This function will return an error if the PEM conversion failed (very unlikely).
+ pub fn to_pem(&self) -> Result<Pem> {
+ Pem::new(
+ "IBM PROTECTED KEY",
+ format!("kind: {}", self.kind),
+ self.key.value(),
+ )
+ }
+
+ fn new<K>(kind: ListableSecretType, key: K) -> Self
+ where
+ K: Into<Confidential<Vec<u8>>>,
+ {
+ Self {
+ kind,
+ key: key.into(),
+ }
+ }
+}
+
+impl From<RetrieveCmd> for RetrievedSecret {
+ fn from(value: RetrieveCmd) -> Self {
+ let kind = value.meta_data().stype();
+ let key = value.into_key();
+
+ match kind {
+ ListableSecretType::Retrievable(RetrievableSecret::PlainText) => {
+ // Will not run into default, retrieve has a granularity of 16 bytes and 16 bytes is the
+ // minimum size
+ let len = U16::<BigEndian>::read_from_prefix(key.value())
+ .unwrap_or_default()
+ .get() as usize;
+
+ // Test if the plain text secret has a size:
+ // 1. len <= 8190
+ // 2. first two bytes are max 15 less than buffer-size+2
+ // 3. bytes after len + 2 are zero
+ match len <= MAX_SIZE_PLAIN_PAYLOAD
+ && key.value().len() - (len + 2) < 15
+ && key.value()[len + 2..].iter().all(|c| *c == 0)
+ {
+ false => Self::Plaintext(key),
+ true => Self::Plaintext(key.value()[2..len + 2].to_vec().into()),
+ }
+ }
+ kind => {
+ match kind {
+ ListableSecretType::Retrievable(_) => (),
+ _ => warn!("Retrieved an unretrievable Secret! Will continue; interpreting it as a protected key."),
+ }
+ Self::ProtectedKey(IbmProtectedKey::new(kind, key))
+ }
+ }
+ }
+}
+
+/// A retrieved Secret.
+#[derive(Debug, PartialEq, Eq)]
+pub enum RetrievedSecret {
+ /// A plaintext secret
+ Plaintext(Confidential<Vec<u8>>),
+ /// An [`IbmProtectedKey`]
+ ProtectedKey(IbmProtectedKey),
+}
+
+impl RetrievedSecret {
+ /// Create a new IBM PROTECTED KEY object
+ pub fn from_cmd(cmd: RetrieveCmd) -> Self {
+ cmd.into()
+ }
+
+ /// Get the binary representation of the key.
+ pub fn data(&self) -> &[u8] {
+ match self {
+ RetrievedSecret::Plaintext(p) => p.value(),
+ RetrievedSecret::ProtectedKey(p) => p.data(),
+ }
+ }
+
+ /// Converts a [`IbmProtectedKey`] into a vector.
+ pub fn into_bytes(self) -> Confidential<Vec<u8>> {
+ match self {
+ RetrievedSecret::Plaintext(p) => p,
+ RetrievedSecret::ProtectedKey(p) => p.into_bytes(),
+ }
+ }
+ /// Get the data in PEM format.
+ ///
+ /// # Errors
+ ///
+ /// This function will return an error if the PEM conversion failed (very unlikely).
+ pub fn to_pem(&self) -> Result<Pem> {
+ match self {
+ RetrievedSecret::Plaintext(p) => Pem::new("PLAINTEXT SECRET", None, p.value()),
+ RetrievedSecret::ProtectedKey(p) => p.to_pem(),
+ }
+ }
+}
+
+#[cfg(test)]
+mod test {
+ use super::*;
+ use pv_core::uv::*;
+
+ fn mk_retr(secret: &[u8]) -> RetrievedSecret {
+ let entry = SecretEntry::new(
+ 0,
+ ListableSecretType::Retrievable(RetrievableSecret::PlainText),
+ SecretId::default(),
+ secret.len() as u32,
+ );
+ let mut cmd = RetrieveCmd::from_entry(entry).unwrap();
+ cmd.data().unwrap().copy_from_slice(secret);
+ RetrievedSecret::from_cmd(cmd)
+ }
+
+ #[test]
+ fn from_retr_cmd() {
+ let secret = vec![0, 10, 1, 2, 3, 4, 5, 6, 7, 8, 9, 0xa, 0, 0, 0, 0];
+ let prot_key = mk_retr(&secret);
+ let exp = RetrievedSecret::Plaintext(secret[2..12].to_vec().into());
+ assert_eq!(prot_key, exp);
+ }
+
+ #[test]
+ fn from_retr_inv_size() {
+ let secret = vec![0x20; 32];
+ let prot_key = mk_retr(&secret);
+ let exp = RetrievedSecret::Plaintext(secret.into());
+ assert_eq!(prot_key, exp);
+ }
+
+ #[test]
+ fn from_retr_inv_no_zero_after_end() {
+ let secret = vec![0, 10, 1, 2, 3, 4, 5, 6, 7, 8, 9, 0xa, 1, 0, 0, 0];
+ let prot_key = mk_retr(&secret);
+ let exp = RetrievedSecret::Plaintext(secret.into());
+ assert_eq!(prot_key, exp);
+ }
+
+ #[test]
+ fn from_retr_inv_to_much_padding() {
+ let secret = vec![
+ 0, 10, 1, 2, 3, 4, 5, 6, 7, 8, 9, 0xa, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+ 0, 0, 0, 0,
+ ];
+ let prot_key = mk_retr(&secret);
+ let exp = RetrievedSecret::Plaintext(secret.into());
+ assert_eq!(prot_key, exp);
+ }
+
+ #[test]
+ fn from_retr_0_size() {
+ let secret = vec![0x00; 32];
+ let prot_key = mk_retr(&secret);
+ let exp = RetrievedSecret::Plaintext(secret.into());
+ assert_eq!(prot_key, exp);
+ }
+
+ #[test]
+ fn plain_text_pem() {
+ let exp = "\
+ -----BEGIN PLAINTEXT SECRET-----\n\
+ ERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERER\n\
+ -----END PLAINTEXT SECRET-----\n";
+ let prot = RetrievedSecret::Plaintext(vec![17; 48].into());
+ let pem = prot.to_pem().unwrap();
+ let pem_str = pem.to_string();
+ assert_eq!(pem_str, exp);
+ }
+
+ #[test]
+ fn prot_key_pem() {
+ let exp = "\
+ -----BEGIN IBM PROTECTED KEY-----\n\
+ kind: AES-128-KEY\n\n\
+ ERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERERER\n\
+ -----END IBM PROTECTED KEY-----\n";
+ let prot = IbmProtectedKey::new(
+ ListableSecretType::Retrievable(RetrievableSecret::Aes(AesSizes::Bits128)),
+ vec![17; 48],
+ );
+ let pem = prot.to_pem().unwrap();
+ let pem_str = pem.to_string();
+ assert_eq!(pem_str, exp);
+ }
+}

View File

@ -0,0 +1,95 @@
From a14f9d4edcc5db0d54e4fbe3ec3d98c7c270bf8e Mon Sep 17 00:00:00 2001
From: Steffen Eiden <seiden@linux.ibm.com>
Date: Fri, 13 Dec 2024 15:04:02 +0100
Subject: [PATCH] rust/pvsecret: Improve CLI
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Improve the wording of the help/man text/
Acked-by: Marc Hartmayer <marc@linux.ibm.com>
Reviewed-by: Christoph Schlameuss <schlameuss@linux.ibm.com>
Signed-off-by: Steffen Eiden <seiden@linux.ibm.com>
Signed-off-by: Jan Höppner <hoeppner@linux.ibm.com>
---
rust/pvsecret/src/cli.rs | 26 +++++++++++++-------------
1 file changed, 13 insertions(+), 13 deletions(-)
diff --git a/rust/pvsecret/src/cli.rs b/rust/pvsecret/src/cli.rs
index 6deaaebd..c4b9f2b3 100644
--- a/rust/pvsecret/src/cli.rs
+++ b/rust/pvsecret/src/cli.rs
@@ -37,8 +37,8 @@ pub struct CreateSecretOpt {
/// Specifies the header of the guest image.
///
- /// Can be an IBM Secure Execution image created by genprotimg or an extracted IBM Secure
- /// Execution header. The header must start at a page boundary.
+ /// Can be an IBM Secure Execution image created by 'pvimg/genprotimg' or an
+ /// extracted IBM Secure Execution header.
#[arg(long, value_name = "FILE", value_hint = ValueHint::FilePath)]
pub hdr: String,
@@ -150,12 +150,12 @@ pub enum AddSecretType {
/// Create an association secret.
///
- /// Use an association secret to connect a trusted I/O device to a guest. The `pvapconfig` tool
+ /// Use an association secret to connect a trusted I/O device to a guest. The 'pvapconfig' tool
/// provides more information about association secrets.
Association {
- /// String to identify the new secret.
+ /// String that identifies the new secret.
///
- /// The actual secret is set with --input-secret. The name is saved in `NAME.yaml` with
+ /// The actual secret is set with '--input-secret'. The name is saved in `NAME.yaml` with
/// white-spaces mapped to `_`.
name: String,
@@ -166,15 +166,15 @@ pub enum AddSecretType {
stdout: bool,
/// Path from which to read the plaintext secret. Uses a random secret if not specified.
- #[arg(long, value_name = "FILE", value_hint = ValueHint::FilePath, conflicts_with("output_secret"))]
+ #[arg(long, value_name = "SECRET-FILE", value_hint = ValueHint::FilePath, conflicts_with("output_secret"))]
input_secret: Option<String>,
- /// Save the generated secret as plaintext in FILE.
+ /// Save the generated secret as plaintext in SECRET-FILE.
///
/// The generated secret can be used to generate add-secret requests for a different guest
- /// with the same secret using --input-secret. Destroy the secret when it is not used
+ /// with the same secret using '--input-secret'. Destroy the secret when it is not used
/// anymore.
- #[arg(long, value_name = "FILE", value_hint = ValueHint::FilePath,)]
+ #[arg(long, value_name = "SECRET-FILE", value_hint = ValueHint::FilePath,)]
output_secret: Option<String>,
},
}
@@ -243,13 +243,13 @@ pub enum Command {
/// Create a new add-secret request.
///
/// Create add-secret requests for IBM Secure Execution guests. Only create these requests in a
- /// trusted environment, such as your workstation. The `pvattest create` command creates a
+ /// trusted environment, such as your workstation. The 'pvattest create' command creates a
/// randomly generated key to protect the request. The generated requests can then be added on
- /// an IBM Secure Execution guest using `pvsecret add`. The guest can then use the secrets with
+ /// an IBM Secure Execution guest using 'pvsecret add'. The guest can then use the secrets with
/// the use case depending on the secret type.
Create(Box<CreateSecretOpt>),
- /// Perform an add-secret request (s390x only).
+ /// Submit an add-secret request to the Ultravisor (s390x only).
///
/// Perform an add-secret request using a previously generated add-secret request. Only
/// available on s390x.
@@ -258,7 +258,7 @@ pub enum Command {
/// Lock the secret-store (s390x only).
///
/// Lock the secret store (s390x only). After this command executed successfully, all
- /// add-secret requests will fail. Only available on s390x.
+ /// subsequent add-secret requests will fail. Only available on s390x.
Lock,
/// List all ultravisor secrets (s390x only).

View File

@ -0,0 +1,423 @@
From 93da795520ca2f0a73cfbfc951a9b16437a1b95b Mon Sep 17 00:00:00 2001
From: Steffen Eiden <seiden@linux.ibm.com>
Date: Mon, 19 Feb 2024 15:15:16 +0100
Subject: [PATCH] rust/pvsecret: Add support for retrievable secrets
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Support for creating and retrieving retrievable secrets.
Acked-by: Marc Hartmayer <marc@linux.ibm.com>
Reviewed-by: Christoph Schlameuss <schlameuss@linux.ibm.com>
Signed-off-by: Steffen Eiden <seiden@linux.ibm.com>
Signed-off-by: Jan Höppner <hoeppner@linux.ibm.com>
---
rust/pvsecret/src/cli.rs | 129 +++++++++++++++++++++++++++++++-
rust/pvsecret/src/cmd.rs | 6 +-
rust/pvsecret/src/cmd/create.rs | 30 +++++++-
rust/pvsecret/src/cmd/list.rs | 12 ++-
rust/pvsecret/src/cmd/retr.rs | 62 +++++++++++++++
rust/pvsecret/src/main.rs | 1 +
6 files changed, 230 insertions(+), 10 deletions(-)
create mode 100644 rust/pvsecret/src/cmd/retr.rs
diff --git a/rust/pvsecret/src/cli.rs b/rust/pvsecret/src/cli.rs
index c4b9f2b3..4e747682 100644
--- a/rust/pvsecret/src/cli.rs
+++ b/rust/pvsecret/src/cli.rs
@@ -1,7 +1,10 @@
// SPDX-License-Identifier: MIT
//
-// Copyright IBM Corp. 2023
+// Copyright IBM Corp. 2023, 2024
+use std::fmt::Display;
+
+use clap::error::ErrorKind::ValueValidation;
use clap::{ArgGroup, Args, CommandFactory, Parser, Subcommand, ValueEnum, ValueHint};
use utils::{CertificateOptions, DeprecatedVerbosityOptions, STDOUT};
@@ -177,6 +180,72 @@ pub enum AddSecretType {
#[arg(long, value_name = "SECRET-FILE", value_hint = ValueHint::FilePath,)]
output_secret: Option<String>,
},
+
+ /// Create a retrievable secret.
+ ///
+ /// A retrievable secret is stored in the per-guest storage of the Ultravisor. A SE-guest can
+ /// retrieve the secret at runtime and use it. All retrievable secrets, but the plaintext
+ /// secret, are retrieved as wrapped/protected key objects and only usable inside the current,
+ /// running SE-guest instance.
+ #[command(visible_alias = "retr")]
+ Retrievable {
+ /// String that identifies the new secret.
+ ///
+ /// The actual secret is set with '--secret'. The name is saved in `NAME.yaml` with
+ /// white-spaces mapped to `_`.
+ name: String,
+
+ /// Print the hashed name to stdout.
+ ///
+ /// The hashed name is not written to `NAME.yaml`
+ #[arg(long)]
+ stdout: bool,
+
+ /// Use SECRET-FILE as retrievable secret
+ #[arg(long, value_name = "SECRET-FILE", value_hint = ValueHint::FilePath)]
+ secret: String,
+
+ /// Specify the secret type.
+ ///
+ /// Limitations to the input data apply depending on the secret type.
+ #[arg(long = "type", value_name = "TYPE")]
+ kind: RetrieveableSecretInpKind,
+ },
+}
+
+#[derive(Copy, Clone, PartialEq, Eq, PartialOrd, Ord, ValueEnum, Debug)]
+pub enum RetrieveableSecretInpKind {
+ /// A plaintext secret.
+ /// Can be any file up to 8190 bytes long
+ Plain,
+ /// An AES key.
+ /// Must be a plain byte file 128, 192, or 256 bit long.
+ Aes,
+ /// An AES-XTS key.
+ /// Must be a plain byte file 512, or 1024 bit long.
+ AesXts,
+ /// A HMAC-SHA key.
+ /// Must be a plain byte file 512, or 1024 bit long.
+ HmacSha,
+ /// An elliptic curve private key.
+ /// Must be a PEM or DER file.
+ Ec,
+}
+
+impl Display for RetrieveableSecretInpKind {
+ fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+ write!(
+ f,
+ "{}",
+ match self {
+ Self::Plain => "PLAINTEXT",
+ Self::Aes => "AES KEY",
+ Self::AesXts => "AES-XTS KEY",
+ Self::HmacSha => "HMAC-SHA KEY",
+ Self::Ec => "EC PRIVATE KEY",
+ }
+ )
+ }
}
// all members s390x only
@@ -238,6 +307,56 @@ pub struct VerifyOpt {
pub output: String,
}
+// all members s390x only
+#[derive(Args, Debug)]
+pub struct RetrSecretOptions {
+ /// Specify the secret ID to be retrieved.
+ ///
+ /// Input type depends on '--inform'. If `yaml` (default) is specified, it must be a yaml
+ /// created by the create subcommand of this tool. If `hex` is specified, it must be a hex
+ /// 32-byte unsigned big endian number string. Leading zeros are required.
+ #[cfg(target_arch = "s390x")]
+ #[arg(value_name = "ID", value_hint = ValueHint::FilePath)]
+ pub input: String,
+
+ /// Specify the output path to place the secret value
+ #[cfg(target_arch = "s390x")]
+ #[arg(short, long, value_name = "FILE", default_value = STDOUT, value_hint = ValueHint::FilePath)]
+ pub output: String,
+
+ /// Define input type for the Secret ID
+ #[cfg(target_arch = "s390x")]
+ #[arg(long, value_enum, default_value_t)]
+ pub inform: RetrInpFmt,
+
+ /// Define the output format for the retrieved secret
+ #[cfg(target_arch = "s390x")]
+ #[arg(long, value_enum, default_value_t)]
+ pub outform: RetrOutFmt,
+}
+
+#[derive(Copy, Clone, PartialEq, Eq, PartialOrd, Ord, ValueEnum, Debug, Default)]
+pub enum RetrInpFmt {
+ /// Use a yaml file
+ #[default]
+ Yaml,
+ /// Use a hex string.
+ Hex,
+}
+
+#[derive(Copy, Clone, PartialEq, Eq, PartialOrd, Ord, ValueEnum, Debug, Default)]
+pub enum RetrOutFmt {
+ /// Write the secret as PEM.
+ ///
+ /// File starts with `-----BEGIN IBM PROTECTED KEY----` and `-----BEGIN
+ /// PLAINTEXT SECRET-----` for plaintext secrets it contains one header
+ /// line with the type information and the base64 protected key
+ #[default]
+ Pem,
+ /// Write the secret in binary.
+ Bin,
+}
+
#[derive(Subcommand, Debug)]
pub enum Command {
/// Create a new add-secret request.
@@ -274,6 +393,10 @@ pub enum Command {
/// provided key. Outputs the arbitrary user-data.
Verify(VerifyOpt),
+ /// Retrieve a secret from the UV secret store (s390x only).
+ #[command(visible_alias = "retr")]
+ Retrieve(RetrSecretOptions),
+
/// Print version information and exit.
#[command(aliases(["--version"]), hide(true))]
Version,
@@ -294,13 +417,13 @@ pub fn validate_cli(cli: &CliOptions) -> Result<(), clap::Error> {
}
if secret_out == &Some(format!("{name}.yaml")) {
return Err(CliOptions::command().error(
- clap::error::ErrorKind::ValueValidation,
+ ValueValidation,
format!("Secret output file and the secret name '{name}.yaml' are the same."),
));
}
if format!("{name}.yaml") == opt.output {
return Err(CliOptions::command().error(
- clap::error::ErrorKind::ValueValidation,
+ ValueValidation,
format!(
"output file and the secret name '{}' are the same.",
&opt.output
diff --git a/rust/pvsecret/src/cmd.rs b/rust/pvsecret/src/cmd.rs
index a826fb31..10d99a5b 100644
--- a/rust/pvsecret/src/cmd.rs
+++ b/rust/pvsecret/src/cmd.rs
@@ -16,6 +16,8 @@ mod add;
mod list;
#[cfg(target_arch = "s390x")]
mod lock;
+#[cfg(target_arch = "s390x")]
+mod retr;
// Commands (directly) related to UVCs are only available on s389x
#[cfg(target_arch = "s390x")]
@@ -24,12 +26,13 @@ mod uv_cmd {
pub use add::add;
pub use list::list;
pub use lock::lock;
+ pub use retr::retr;
pub const UV_CMD_FN: &[&str] = &["+add", "+lock", "+list"];
}
#[cfg(not(target_arch = "s390x"))]
mod uv_cmd {
- use crate::cli::{AddSecretOpt, ListSecretOpt};
+ use crate::cli::{AddSecretOpt, ListSecretOpt, RetrSecretOptions};
use anyhow::{bail, Result};
macro_rules! not_supp {
($name: ident $( ,$opt: ty )?) => {
@@ -40,6 +43,7 @@ mod uv_cmd {
}
not_supp!(add, AddSecretOpt);
not_supp!(list, ListSecretOpt);
+ not_supp!(retr, RetrSecretOptions);
not_supp!(lock);
pub const UV_CMD_FN: &[&str] = &[];
}
diff --git a/rust/pvsecret/src/cmd/create.rs b/rust/pvsecret/src/cmd/create.rs
index 9251c38c..73089a12 100644
--- a/rust/pvsecret/src/cmd/create.rs
+++ b/rust/pvsecret/src/cmd/create.rs
@@ -4,7 +4,6 @@
use std::path::Path;
-use crate::cli::{AddSecretType, CreateSecretFlags, CreateSecretOpt};
use anyhow::{anyhow, bail, Context, Error, Result};
use log::{debug, info, trace, warn};
use pv::{
@@ -22,6 +21,8 @@ use pv::{
use serde_yaml::Value;
use utils::get_writer_from_cli_file_arg;
+use crate::cli::{AddSecretType, CreateSecretFlags, CreateSecretOpt, RetrieveableSecretInpKind};
+
fn write_out<P, D>(path: &P, data: D, ctx: &str) -> pv::Result<()>
where
P: AsRef<Path>,
@@ -32,6 +33,23 @@ where
Ok(())
}
+fn retrievable(name: &str, secret: &str, kind: &RetrieveableSecretInpKind) -> Result<GuestSecret> {
+ let secret_data = read_file(secret, &format!("retrievable {kind}"))?.into();
+
+ match kind {
+ RetrieveableSecretInpKind::Plain => GuestSecret::plaintext(name, secret_data),
+ RetrieveableSecretInpKind::Aes => GuestSecret::aes(name, secret_data),
+ RetrieveableSecretInpKind::AesXts => GuestSecret::aes_xts(name, secret_data),
+ RetrieveableSecretInpKind::HmacSha => GuestSecret::hmac_sha(name, secret_data),
+ RetrieveableSecretInpKind::Ec => GuestSecret::ec(
+ name,
+ read_private_key(secret_data.value())
+ .with_context(|| format!("Cannot read {secret} as {kind} from PEM or DER"))?,
+ ),
+ }
+ .map_err(Error::from)
+}
+
/// Prepare an add-secret request
pub fn create(opt: &CreateSecretOpt) -> Result<()> {
if pv_guest_bit_set() {
@@ -88,6 +106,9 @@ fn build_asrcb(opt: &CreateSecretOpt) -> Result<AddSecretRequest> {
input_secret: None,
..
} => GuestSecret::association(name, None)?,
+ AddSecretType::Retrievable {
+ name, secret, kind, ..
+ } => retrievable(name, secret, kind)?,
};
trace!("AddSecret: {secret:x?}");
@@ -136,7 +157,9 @@ fn build_asrcb(opt: &CreateSecretOpt) -> Result<AddSecretRequest> {
.as_ref()
.map(|p| read_file(p, "User-signing key"))
.transpose()?
- .map(|buf| read_private_key(&buf))
+ .map(|buf| {
+ read_private_key(&buf).context("Cannot read {secret} as private key from PEM or DER")
+ })
.transpose()?;
if user_data.is_some() || user_key.is_some() {
@@ -258,6 +281,9 @@ fn write_secret<P: AsRef<Path>>(
write_out(path, guest_secret.confidential(), "Association secret")?
}
}
+ AddSecretType::Retrievable { name, stdout, .. } => {
+ write_yaml(name, guest_secret, stdout, outp_path)?
+ }
_ => (),
};
Ok(())
diff --git a/rust/pvsecret/src/cmd/list.rs b/rust/pvsecret/src/cmd/list.rs
index f7e3a72b..0bd9eca4 100644
--- a/rust/pvsecret/src/cmd/list.rs
+++ b/rust/pvsecret/src/cmd/list.rs
@@ -3,21 +3,25 @@
// Copyright IBM Corp. 2023
use crate::cli::{ListSecretOpt, ListSecretOutputType};
-use anyhow::{Context, Result};
+use anyhow::{Context, Error, Result};
use log::warn;
use pv::uv::{ListCmd, SecretList, UvDevice, UvcSuccess};
use utils::{get_writer_from_cli_file_arg, STDOUT};
/// Do a List Secrets UVC
-pub fn list(opt: &ListSecretOpt) -> Result<()> {
- let uv = UvDevice::open()?;
+pub fn list_uvc(uv: &UvDevice) -> Result<SecretList> {
let mut cmd = ListCmd::default();
match uv.send_cmd(&mut cmd)? {
UvcSuccess::RC_SUCCESS => (),
UvcSuccess::RC_MORE_DATA => warn!("There is more data available than expected"),
};
+ cmd.try_into().map_err(Error::new)
+}
- let secret_list: SecretList = cmd.try_into()?;
+/// Do a List Secrets UVC and output the list in the requested format
+pub fn list(opt: &ListSecretOpt) -> Result<()> {
+ let uv = UvDevice::open()?;
+ let secret_list = list_uvc(&uv)?;
let mut wr_out = get_writer_from_cli_file_arg(&opt.output)?;
match &opt.format {
diff --git a/rust/pvsecret/src/cmd/retr.rs b/rust/pvsecret/src/cmd/retr.rs
new file mode 100644
index 00000000..7f7704cc
--- /dev/null
+++ b/rust/pvsecret/src/cmd/retr.rs
@@ -0,0 +1,62 @@
+// SPDX-License-Identifier: MIT
+//
+// Copyright IBM Corp. 2024
+
+use super::list::list_uvc;
+use crate::cli::{RetrInpFmt, RetrOutFmt, RetrSecretOptions};
+use anyhow::{anyhow, bail, Context, Result};
+use log::{debug, info};
+use pv::{
+ misc::open_file,
+ misc::write,
+ secret::{GuestSecret, RetrievedSecret},
+ uv::{RetrieveCmd, SecretId, UvDevice},
+};
+use utils::get_writer_from_cli_file_arg;
+
+fn retrieve(id: &SecretId) -> Result<RetrievedSecret> {
+ let uv = UvDevice::open()?;
+ let secrets = list_uvc(&uv)?;
+ let secret = secrets
+ .into_iter()
+ .find(|s| s.id() == id.as_ref())
+ .ok_or(anyhow!(
+ "The UV secret-store has no secret with the ID {id}"
+ ))?;
+
+ info!("Try to retrieve secret at index: {}", secret.index());
+ debug!("Try to retrieve: {secret:?}");
+
+ let mut uv_cmd = RetrieveCmd::from_entry(secret)?;
+ uv.send_cmd(&mut uv_cmd)?;
+
+ Ok(RetrievedSecret::from_cmd(uv_cmd))
+}
+
+pub fn retr(opt: &RetrSecretOptions) -> Result<()> {
+ let mut output = get_writer_from_cli_file_arg(&opt.output)?;
+ let id = match &opt.inform {
+ RetrInpFmt::Yaml => match serde_yaml::from_reader(&mut open_file(&opt.input)?)? {
+ GuestSecret::Retrievable { id, .. } => id,
+ gs => bail!("The file contains a {gs}-secret, which is not retrievable."),
+ },
+ RetrInpFmt::Hex => {
+ serde_yaml::from_str(&opt.input).context("Cannot parse SecretId information")?
+ }
+ };
+
+ let retr_secret =
+ retrieve(&id).context("Could not retrieve the secret from the UV secret store.")?;
+
+ let out_data = match opt.outform {
+ RetrOutFmt::Bin => retr_secret.into_bytes(),
+ RetrOutFmt::Pem => retr_secret.to_pem()?.into_bytes(),
+ };
+ write(
+ &mut output,
+ out_data.value(),
+ &opt.output,
+ "IBM Protected Key",
+ )?;
+ Ok(())
+}
diff --git a/rust/pvsecret/src/main.rs b/rust/pvsecret/src/main.rs
index 502a6ea0..883a3ee2 100644
--- a/rust/pvsecret/src/main.rs
+++ b/rust/pvsecret/src/main.rs
@@ -45,6 +45,7 @@ fn main() -> ExitCode {
Command::Create(opt) => cmd::create(opt),
Command::Version => Ok(print_version!("2024", log_level; FEATURES.concat())),
Command::Verify(opt) => cmd::verify(opt),
+ Command::Retrieve(opt) => cmd::retr(opt),
};
match res {

View File

@ -0,0 +1,313 @@
From 256289a30aa5d3f6a4d2631dea69d1dc47205150 Mon Sep 17 00:00:00 2001
From: Steffen Eiden <seiden@linux.ibm.com>
Date: Wed, 12 Jun 2024 16:23:31 +0200
Subject: [PATCH] rust/pv_core: Refactor secret list
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Improve the secret list implementation. Use structs+{As,From}Bytes
instead of arbitrary seeks and reads/writes to parse the secret list.
Acked-by: Marc Hartmayer <marc@linux.ibm.com>
Reviewed-by: Christoph Schlameuss <schlameuss@linux.ibm.com>
Signed-off-by: Steffen Eiden <seiden@linux.ibm.com>
Signed-off-by: Jan Höppner <hoeppner@linux.ibm.com>
---
rust/pv_core/src/uvdevice.rs | 10 ++
rust/pv_core/src/uvdevice/secret_list.rs | 124 ++++++++++++++---------
2 files changed, 86 insertions(+), 48 deletions(-)
diff --git a/rust/pv_core/src/uvdevice.rs b/rust/pv_core/src/uvdevice.rs
index e9848243..e701366d 100644
--- a/rust/pv_core/src/uvdevice.rs
+++ b/rust/pv_core/src/uvdevice.rs
@@ -163,6 +163,16 @@ pub enum UvcSuccess {
RC_MORE_DATA = UvDevice::RC_MORE_DATA,
}
+impl UvcSuccess {
+ /// Returns true if there is more data available
+ pub fn more_data(&self) -> bool {
+ match self {
+ Self::RC_SUCCESS => false,
+ Self::RC_MORE_DATA => true,
+ }
+ }
+}
+
/// The `UvDevice` is a (virtual) device on s390 machines to send Ultravisor commands(UVCs) from
/// userspace.
///
diff --git a/rust/pv_core/src/uvdevice/secret_list.rs b/rust/pv_core/src/uvdevice/secret_list.rs
index 4e955010..d7c268c9 100644
--- a/rust/pv_core/src/uvdevice/secret_list.rs
+++ b/rust/pv_core/src/uvdevice/secret_list.rs
@@ -4,16 +4,16 @@
use crate::{
assert_size,
- misc::to_u16,
uv::{AesSizes, AesXtsSizes, EcCurves, HmacShaSizes, ListCmd, RetrievableSecret},
uvdevice::UvCmd,
Error, Result,
};
-use byteorder::{BigEndian, ByteOrder, ReadBytesExt, WriteBytesExt};
+use byteorder::{BigEndian, ByteOrder};
use serde::{Deserialize, Serialize, Serializer};
use std::{
fmt::Display,
io::{Cursor, Read, Seek, Write},
+ mem::size_of,
slice::Iter,
vec::IntoIter,
};
@@ -31,7 +31,7 @@ impl SecretId {
/// Size in bytes of the [`SecretId`]
pub const ID_SIZE: usize = 32;
- /// Create a [`SecretId`] forom a buffer.
+ /// Create a [`SecretId`] from a buffer.
pub fn from(buf: [u8; Self::ID_SIZE]) -> Self {
buf.into()
}
@@ -120,7 +120,7 @@ impl SecretEntry {
&self.index
}
- /// Returns the secret type of this [`SecretEntry`].
+ /// Returns the secret type of this [`SecretEntry`]
pub fn stype(&self) -> ListableSecretType {
self.stype.get().into()
}
@@ -161,12 +161,45 @@ impl Display for SecretEntry {
}
}
+#[repr(C)]
+#[derive(Debug, FromBytes, AsBytes, FromZeroes, Clone, PartialEq, Eq, Default, Serialize)]
+struct SecretListHdr {
+ #[serde(skip)]
+ num_secrets_stored: U16<BigEndian>,
+ #[serde(serialize_with = "ser_u16")]
+ total_num_secrets: U16<BigEndian>,
+ #[serde(skip)]
+ next_secret_idx: U16<BigEndian>,
+ #[serde(skip)]
+ reserved_06: u16,
+ #[serde(skip)]
+ reserved_08: u64,
+}
+
+impl SecretListHdr {
+ fn new(num_secrets_stored: u16, total_num_secrets: u16, next_secret_idx: u16) -> Self {
+ Self {
+ num_secrets_stored: num_secrets_stored.into(),
+ total_num_secrets: total_num_secrets.into(),
+ next_secret_idx: next_secret_idx.into(),
+ reserved_06: 0,
+ reserved_08: 0,
+ }
+ }
+}
+assert_size!(SecretListHdr, 16);
+
/// List of secrets used to parse the [`crate::uv::ListCmd`] result.
///
-/// The list should not hold more than 0xffffffff elements
-#[derive(Debug, PartialEq, Eq, Serialize)]
+/// The list should ONLY be created from an UV-Call result using either:
+/// - [`TryInto::try_into`] from [`ListCmd`]
+/// - [`SecretList::decode`]
+/// Any other ways can create invalid lists that do not represent the UV secret store.
+/// The list must not hold more than [`u32::MAX`] elements
+#[derive(Debug, PartialEq, Eq, Serialize, Default)]
pub struct SecretList {
- total_num_secrets: usize,
+ #[serde(flatten)]
+ hdr: SecretListHdr,
secrets: Vec<SecretEntry>,
}
@@ -202,10 +235,14 @@ impl SecretList {
/// The content of this list will very likely not represent the status of the guest in the
/// Ultravisor. Use of [`SecretList::decode`] in any non-test environments is encuraged.
pub fn new(total_num_secrets: u16, secrets: Vec<SecretEntry>) -> Self {
- Self {
- total_num_secrets: total_num_secrets as usize,
+ Self::new_with_hdr(
+ SecretListHdr::new(total_num_secrets, total_num_secrets, 0),
secrets,
- }
+ )
+ }
+
+ fn new_with_hdr(hdr: SecretListHdr, secrets: Vec<SecretEntry>) -> Self {
+ Self { hdr, secrets }
}
/// Returns an iterator over the slice.
@@ -229,19 +266,12 @@ impl SecretList {
///
/// This number may be not equal to the provided number of [`SecretEntry`]
pub fn total_num_secrets(&self) -> usize {
- self.total_num_secrets
+ self.hdr.total_num_secrets.get() as usize
}
/// Encodes the list in the same binary format the UV would do
pub fn encode<T: Write>(&self, w: &mut T) -> Result<()> {
- let num_s = to_u16(self.secrets.len()).ok_or(Error::ManySecrets)?;
- w.write_u16::<BigEndian>(num_s)?;
- w.write_u16::<BigEndian>(
- self.total_num_secrets
- .try_into()
- .map_err(|_| Error::ManySecrets)?,
- )?;
- w.write_all(&[0u8; 12])?;
+ w.write_all(self.hdr.as_bytes())?;
for secret in &self.secrets {
w.write_all(secret.as_bytes())?;
}
@@ -250,19 +280,20 @@ impl SecretList {
/// Decodes the list from the binary format of the UV into this internal representation
pub fn decode<R: Read + Seek>(r: &mut R) -> std::io::Result<Self> {
- let num_s = r.read_u16::<BigEndian>()?;
- let total_num_secrets = r.read_u16::<BigEndian>()? as usize;
- let mut v: Vec<SecretEntry> = Vec::with_capacity(num_s as usize);
- r.seek(std::io::SeekFrom::Current(12))?; // skip reserved bytes
+ let mut buf = [0u8; size_of::<SecretListHdr>()];
+ r.read_exact(&mut buf)?;
+ let hdr = SecretListHdr::ref_from(&buf).unwrap();
+
let mut buf = [0u8; SecretEntry::STRUCT_SIZE];
- for _ in 0..num_s {
+ let mut v = Vec::with_capacity(hdr.num_secrets_stored.get() as usize);
+ for _ in 0..hdr.num_secrets_stored.get() {
r.read_exact(&mut buf)?;
// cannot fail. buffer has the same size as the secret entry
let secr = SecretEntry::read_from(buf.as_slice()).unwrap();
v.push(secr);
}
Ok(Self {
- total_num_secrets,
+ hdr: hdr.clone(),
secrets: v,
})
}
@@ -278,7 +309,7 @@ impl TryFrom<ListCmd> for SecretList {
impl Display for SecretList {
fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
- writeln!(f, "Total number of secrets: {}", self.total_num_secrets)?;
+ writeln!(f, "Total number of secrets: {}", self.total_num_secrets())?;
if !self.secrets.is_empty() {
writeln!(f)?;
}
@@ -481,8 +512,8 @@ mod test {
let buf = [
0x00u8, 0x01, // num secr stored
0x01, 0x12, // total num secrets
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, // reserved
+ 0x01, 0x01, // next valid idx
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, // reserved
// secret
0x00, 0x01, 0x00, 0x02, // idx + type
0x00, 0x00, 0x00, 0x20, // len
@@ -493,16 +524,16 @@ mod test {
0x00, 0x00, 0x00, 0x00,
];
- let exp = SecretList {
- total_num_secrets: 0x112,
- secrets: vec![SecretEntry {
+ let exp = SecretList::new_with_hdr(
+ SecretListHdr::new(0x001, 0x112, 0x101),
+ vec![SecretEntry {
index: 1.into(),
stype: 2.into(),
len: 32.into(),
res_8: 0,
id: SecretId::from([0; 32]),
}],
- };
+ );
let mut br = BufReader::new(Cursor::new(buf));
let sl = SecretList::decode(&mut br).unwrap();
@@ -514,8 +545,8 @@ mod test {
const EXP: &[u8] = &[
0x00, 0x01, // num secr stored
0x01, 0x12, // total num secrets
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x00, // reserved
+ 0x01, 0x01, // next valid idx
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, // reserved
// secret
0x00, 0x01, 0x00, 0x02, // idx + type
0x00, 0x00, 0x00, 0x20, // len
@@ -526,16 +557,16 @@ mod test {
0x00, 0x00, 0x00, 0x00,
];
- let sl = SecretList {
- total_num_secrets: 0x112,
- secrets: vec![SecretEntry {
+ let sl = SecretList::new_with_hdr(
+ SecretListHdr::new(0x001, 0x112, 0x101),
+ vec![SecretEntry {
index: 1.into(),
stype: 2.into(),
len: 32.into(),
res_8: 0,
id: SecretId::from([0; 32]),
}],
- };
+ );
let mut buf = [0u8; 0x40];
{
@@ -587,26 +618,23 @@ mod test {
#[test]
fn secret_list_ser() {
- let list = SecretList {
- total_num_secrets: 0x112,
- secrets: vec![SecretEntry {
+ let list = SecretList::new_with_hdr(
+ SecretListHdr::new(0x001, 0x112, 0x101),
+ vec![SecretEntry {
index: 1.into(),
stype: 2.into(),
len: 32.into(),
res_8: 0,
id: SecretId::from([0; 32]),
}],
- };
+ );
assert_ser_tokens(
&list,
&[
- Token::Struct {
- name: "SecretList",
- len: 2,
- },
+ Token::Map { len: None },
Token::String("total_num_secrets"),
- Token::U64(0x112),
+ Token::U16(0x112),
Token::String("secrets"),
Token::Seq { len: Some(1) },
Token::Struct {
@@ -623,7 +651,7 @@ mod test {
Token::String("0x0000000000000000000000000000000000000000000000000000000000000000"),
Token::StructEnd,
Token::SeqEnd,
- Token::StructEnd,
+ Token::MapEnd,
],
)
}

View File

@ -0,0 +1,111 @@
From 93216d916c479ee1292aa1d598ac9c0e7f585bd8 Mon Sep 17 00:00:00 2001
From: Steffen Eiden <seiden@linux.ibm.com>
Date: Wed, 12 Jun 2024 16:35:15 +0200
Subject: [PATCH] rust/pv*: Support longer secret lists
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Make use of the enhanced list secrets UAPI for the uvdevice in the latest kernel
version. This allows fetching secret lists with more than 85 entries via
reserving more userspace memory in the IOCTL argument.
While at it, move the errno readout next to the ioctl-syscall.
Acked-by: Marc Hartmayer <marc@linux.ibm.com>
Reviewed-by: Christoph Schlameuss <schlameuss@linux.ibm.com>
Signed-off-by: Steffen Eiden <seiden@linux.ibm.com>
Signed-off-by: Jan Höppner <hoeppner@linux.ibm.com>
---
rust/pv_core/src/uvdevice.rs | 6 ++++--
rust/pv_core/src/uvdevice/secret.rs | 11 +++++++++++
rust/pvsecret/src/cmd/list.rs | 28 +++++++++++++++++++++-------
3 files changed, 36 insertions(+), 9 deletions(-)
diff --git a/rust/pv_core/src/uvdevice.rs b/rust/pv_core/src/uvdevice.rs
index e701366d..689748a1 100644
--- a/rust/pv_core/src/uvdevice.rs
+++ b/rust/pv_core/src/uvdevice.rs
@@ -59,11 +59,13 @@ fn ioctl_raw(raw_fd: RawFd, cmd: c_ulong, cb: &mut IoctlCb) -> Result<()> {
rc = ioctl(raw_fd, cmd, cb.as_ptr_mut());
}
+ // NOTE io::Error handles all errnos ioctl uses
+ let errno = std::io::Error::last_os_error();
+
debug!("ioctl resulted with {cb:?}");
match rc {
0 => Ok(()),
- // NOTE io::Error handles all errnos ioctl uses
- _ => Err(std::io::Error::last_os_error().into()),
+ _ => Err(errno.into()),
}
}
diff --git a/rust/pv_core/src/uvdevice/secret.rs b/rust/pv_core/src/uvdevice/secret.rs
index 263f17d5..cb5b7233 100644
--- a/rust/pv_core/src/uvdevice/secret.rs
+++ b/rust/pv_core/src/uvdevice/secret.rs
@@ -24,6 +24,17 @@ impl ListCmd {
Self(vec![0; size])
}
+ /// Create a new list secrets command with `pages` capacity.
+ ///
+ /// * `pages` - number pf pages to allocate for this IOCTL
+ ///
+ /// # Panic
+ /// This function will trigger a panic if the allocation size is larger than [`usize::MAX`].
+ /// Very likely an OOM situation occurs way before this!
+ pub fn with_pages(pages: usize) -> Self {
+ Self::with_size(pages * PAGESIZE)
+ }
+
/// Create a new list secrets command with a one page capacity
pub fn new() -> Self {
Self::with_size(PAGESIZE)
diff --git a/rust/pvsecret/src/cmd/list.rs b/rust/pvsecret/src/cmd/list.rs
index 0bd9eca4..56294cac 100644
--- a/rust/pvsecret/src/cmd/list.rs
+++ b/rust/pvsecret/src/cmd/list.rs
@@ -2,19 +2,33 @@
//
// Copyright IBM Corp. 2023
+use std::io::ErrorKind;
+
use crate::cli::{ListSecretOpt, ListSecretOutputType};
use anyhow::{Context, Error, Result};
-use log::warn;
-use pv::uv::{ListCmd, SecretList, UvDevice, UvcSuccess};
+use log::{info, warn};
+use pv::uv::{ListCmd, SecretList, UvDevice};
use utils::{get_writer_from_cli_file_arg, STDOUT};
+const SECRET_LIST_BUF_SIZE: usize = 4;
+
/// Do a List Secrets UVC
pub fn list_uvc(uv: &UvDevice) -> Result<SecretList> {
- let mut cmd = ListCmd::default();
- match uv.send_cmd(&mut cmd)? {
- UvcSuccess::RC_SUCCESS => (),
- UvcSuccess::RC_MORE_DATA => warn!("There is more data available than expected"),
- };
+ let mut cmd = ListCmd::with_pages(SECRET_LIST_BUF_SIZE);
+ let more_data = match uv.send_cmd(&mut cmd) {
+ Ok(v) => Ok(v),
+ Err(pv::PvCoreError::Io(e)) if e.kind() == ErrorKind::InvalidInput => {
+ info!("Uvdevice does not suport longer list. Fallback to one page list.");
+ cmd = ListCmd::default();
+ uv.send_cmd(&mut cmd)
+ }
+ Err(e) => Err(e),
+ }?
+ .more_data();
+ if more_data {
+ warn!("The secret list contains more data but the uvdevice cannot show all.");
+ }
+
cmd.try_into().map_err(Error::new)
}

View File

@ -0,0 +1,387 @@
From ff04f76257791593c8f92374f295a0c478e3b0f7 Mon Sep 17 00:00:00 2001
From: Steffen Eiden <seiden@linux.ibm.com>
Date: Mon, 5 Aug 2024 09:34:47 +0200
Subject: [PATCH] rust/pv*: Allow the use of non-hashes secret IDs
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Secret IDs identify a secret in the store. Tooling (pvsecret) calculates
them by hashing a user-defined string. With this patch it is now
possible to skip the hash step and directly use the input string as the
ID. Up to the first 31 bytes of the input ASCII-string are used. The last byte
is the NUL char. During list pvsecret tries to interpret the secret
as ASCII string and if possible displays the ASCII characters alongside
the hex number.
Also, use the Upper/Lower Hex formatters for the hexstring formatting of
SecretId. Display will, additionally show the ASCII representation if
applicable.
While at it, use Self wherever possible.
Acked-by: Marc Hartmayer <marc@linux.ibm.com>
Reviewed-by: Christoph Schlameuss <schlameuss@linux.ibm.com>
Signed-off-by: Steffen Eiden <seiden@linux.ibm.com>
Signed-off-by: Jan Höppner <hoeppner@linux.ibm.com>
---
rust/pv/src/uvsecret/guest_secret.rs | 16 ++-
rust/pv_core/src/uvdevice/secret_list.rs | 163 ++++++++++++++++++++---
rust/pvsecret/src/cli.rs | 8 ++
rust/pvsecret/src/cmd/create.rs | 4 +-
rust/pvsecret/src/cmd/retr.rs | 14 +-
5 files changed, 184 insertions(+), 21 deletions(-)
diff --git a/rust/pv/src/uvsecret/guest_secret.rs b/rust/pv/src/uvsecret/guest_secret.rs
index 3bad6d3c..87b58bb8 100644
--- a/rust/pv/src/uvsecret/guest_secret.rs
+++ b/rust/pv/src/uvsecret/guest_secret.rs
@@ -92,7 +92,8 @@ macro_rules! retr_constructor {
}
impl GuestSecret {
- fn name_to_id(name: &str) -> Result<SecretId> {
+ /// Hashes the name with sha256
+ pub fn name_to_id(name: &str) -> Result<SecretId> {
let id: [u8; SecretId::ID_SIZE] = hash(MessageDigest::sha256(), name.as_bytes())?
.to_vec()
.try_into()
@@ -135,6 +136,19 @@ impl GuestSecret {
retr_constructor!(#[doc = r"This function will return an error if OpenSSL cannot create a hash or the curve is invalid"]
| #[doc = r"EC PRIVATE Key"] => PKey<Private>, ec);
+ /// Use the name as ID, do not hash it
+ pub fn no_hash_name(&mut self) {
+ match self {
+ Self::Null => (),
+ Self::Association {
+ name, ref mut id, ..
+ }
+ | Self::Retrievable {
+ name, ref mut id, ..
+ } => id.clone_from(&SecretId::from_string(name)),
+ }
+ }
+
/// Reference to the confidential data
pub fn confidential(&self) -> &[u8] {
match &self {
diff --git a/rust/pv_core/src/uvdevice/secret_list.rs b/rust/pv_core/src/uvdevice/secret_list.rs
index d7c268c9..7c7e63b5 100644
--- a/rust/pv_core/src/uvdevice/secret_list.rs
+++ b/rust/pv_core/src/uvdevice/secret_list.rs
@@ -11,7 +11,9 @@ use crate::{
use byteorder::{BigEndian, ByteOrder};
use serde::{Deserialize, Serialize, Serializer};
use std::{
- fmt::Display,
+ cmp::min,
+ ffi::CStr,
+ fmt::{Debug, Display, LowerHex, UpperHex},
io::{Cursor, Read, Seek, Write},
mem::size_of,
slice::Iter,
@@ -35,6 +37,33 @@ impl SecretId {
pub fn from(buf: [u8; Self::ID_SIZE]) -> Self {
buf.into()
}
+
+ /// Create a Id from a string
+ ///
+ /// Uses the first 31 bytes from `name` as id
+ /// Does not hash anything. Byte 32 is the NUL char
+ pub fn from_string(name: &str) -> Self {
+ let len = min(name.len(), Self::ID_SIZE - 1);
+ let mut res = Self::default();
+ res.0[0..len].copy_from_slice(&name.as_bytes()[0..len]);
+ res
+ }
+
+ /// Tries to represent the Id as printable-ASCII string
+ pub fn as_ascii(&self) -> Option<&str> {
+ if let Ok(t) = CStr::from_bytes_until_nul(&self.0) {
+ if let Ok(t) = t.to_str() {
+ if !t.is_empty()
+ && t.chars()
+ .all(|c| c.is_ascii_whitespace() | c.is_ascii_graphic())
+ && self.0[t.len()..].iter().all(|b| *b == 0)
+ {
+ return Some(t);
+ }
+ }
+ };
+ None
+ }
}
impl Serialize for SecretId {
@@ -42,8 +71,8 @@ impl Serialize for SecretId {
where
S: Serializer,
{
- // calls Display at one point
- ser.serialize_str(&self.to_string())
+ // calls LowerHex at one point
+ ser.serialize_str(&format!("{self:#x}"))
}
}
@@ -56,12 +85,36 @@ impl<'de> Deserialize<'de> for SecretId {
}
}
+impl UpperHex for SecretId {
+ fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+ if f.alternate() {
+ write!(f, "0x")?;
+ }
+ for b in self.0 {
+ write!(f, "{b:02X}")?;
+ }
+ Ok(())
+ }
+}
+
+impl LowerHex for SecretId {
+ fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+ if f.alternate() {
+ write!(f, "0x")?;
+ }
+ for b in self.0 {
+ write!(f, "{b:02x}")?;
+ }
+ Ok(())
+ }
+}
+
impl Display for SecretId {
fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
- let mut s = String::with_capacity(32 * 2 + 2);
- s.push_str("0x");
- let s = self.0.iter().fold(s, |acc, e| acc + &format!("{e:02x}"));
- write!(f, "{s}")
+ if let Some(s) = self.as_ascii() {
+ write!(f, "{s} | ")?;
+ }
+ write!(f, "{self:#x}")
}
}
@@ -79,7 +132,7 @@ impl AsRef<[u8]> for SecretId {
/// A secret in a [`SecretList`]
#[repr(C)]
-#[derive(Debug, PartialEq, Eq, AsBytes, FromZeroes, FromBytes, Serialize)]
+#[derive(Debug, Clone, PartialEq, Eq, AsBytes, FromZeroes, FromBytes, Serialize)]
pub struct SecretEntry {
#[serde(serialize_with = "ser_u16")]
index: U16<BigEndian>,
@@ -153,11 +206,7 @@ impl Display for SecretEntry {
fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
let stype: ListableSecretType = self.stype.get().into();
writeln!(f, "{} {}:", self.index, stype)?;
- write!(f, " ")?;
- for b in self.id.as_ref() {
- write!(f, "{b:02x}")?;
- }
- Ok(())
+ write!(f, " {}", self.id)
}
}
@@ -269,6 +318,11 @@ impl SecretList {
self.hdr.total_num_secrets.get() as usize
}
+ /// Find the first [`SecretEntry`] that has the provided [`SecretId`]
+ pub fn find(&self, id: &SecretId) -> Option<SecretEntry> {
+ self.iter().find(|e| e.id() == id.as_ref()).cloned()
+ }
+
/// Encodes the list in the same binary format the UV would do
pub fn encode<T: Write>(&self, w: &mut T) -> Result<()> {
w.write_all(self.hdr.as_bytes())?;
@@ -456,7 +510,7 @@ where
type Value = [u8; SecretId::ID_SIZE];
fn expecting(&self, formatter: &mut std::fmt::Formatter) -> std::fmt::Result {
- formatter.write_str("a `32 bytes long hexstring` prepended with 0x")
+ formatter.write_str("a `32 bytes (=64 character) long hexstring` prepended with 0x")
}
fn visit_str<E>(self, s: &str) -> Result<Self::Value, E>
@@ -464,7 +518,10 @@ where
E: serde::de::Error,
{
if s.len() != SecretId::ID_SIZE * 2 + "0x".len() {
- return Err(serde::de::Error::invalid_length(s.len() - 2, &self));
+ return Err(serde::de::Error::invalid_length(
+ s.len().saturating_sub("0x".len()),
+ &self,
+ ));
}
let nb = s.strip_prefix("0x").ok_or_else(|| {
serde::de::Error::invalid_value(serde::de::Unexpected::Str(s), &self)
@@ -655,4 +712,80 @@ mod test {
],
)
}
+
+ #[test]
+ fn secret_id_display() {
+ let text = "Fancy secret ID";
+ let id = SecretId::from_string(text);
+
+ let exp =
+ "Fancy secret ID | 0x46616e6379207365637265742049440000000000000000000000000000000000";
+ assert_eq!(id.to_string(), exp);
+ }
+
+ #[test]
+ fn secret_id_long_name() {
+ let text = "the most fanciest secret ID you ever seen in the time the universe exists";
+ let id = SecretId::from_string(text);
+ let exp =
+ "the most fanciest secret ID you | 0x746865206d6f73742066616e63696573742073656372657420494420796f7500";
+ assert_eq!(id.to_string(), exp);
+ }
+
+ #[test]
+ fn secret_id_no_ascii_name() {
+ let text = [0; 32];
+ let id = SecretId::from(text);
+
+ let exp = "0x0000000000000000000000000000000000000000000000000000000000000000";
+ assert_eq!(id.to_string(), exp);
+ }
+
+ #[test]
+ fn secret_id_no_ascii_name2() {
+ let text = [
+ 0x25, 0x55, 3, 4, 50, 0, 6, 0, 8, 0, 0, 0, 0, 0, 0, 0, 90, 0, 0xa, 0, 0, 0, 0, 0xf, 0,
+ 0, 0, 0, 0, 0, 0, 0,
+ ];
+ let id = SecretId::from(text);
+ assert_eq!(id.as_ascii(), None);
+ }
+
+ #[test]
+ fn secret_id_no_ascii_name3() {
+ let text = [
+ 0x25, 0x55, 0, 4, 50, 0, 6, 0, 8, 0, 0, 0, 0, 0, 0, 0, 90, 0, 0xa, 0, 0, 0, 0, 0xf, 0,
+ 0, 0, 0, 0, 0, 0, 0,
+ ];
+ let id = SecretId::from(text);
+ assert_eq!(id.as_ascii(), None);
+ }
+
+ #[test]
+ fn secret_id_hex() {
+ let id_str = "Nice Test 123";
+ let id = SecretId::from_string(id_str);
+
+ let s = format!("{id:#x}");
+ assert_eq!(
+ s,
+ "0x4e69636520546573742031323300000000000000000000000000000000000000"
+ );
+ let s = format!("{id:x}");
+ assert_eq!(
+ s,
+ "4e69636520546573742031323300000000000000000000000000000000000000"
+ );
+ let s = format!("{id:#X}");
+ assert_eq!(
+ s,
+ "0x4E69636520546573742031323300000000000000000000000000000000000000"
+ );
+
+ let s = format!("{id:X}");
+ assert_eq!(
+ s,
+ "4E69636520546573742031323300000000000000000000000000000000000000"
+ );
+ }
}
diff --git a/rust/pvsecret/src/cli.rs b/rust/pvsecret/src/cli.rs
index 4e747682..d858fc29 100644
--- a/rust/pvsecret/src/cli.rs
+++ b/rust/pvsecret/src/cli.rs
@@ -141,6 +141,12 @@ pub struct CreateSecretOpt {
/// by default.
#[arg(long, value_name = "FILE", value_hint = ValueHint::FilePath,)]
pub user_sign_key: Option<String>,
+
+ /// Do not hash the name, use it directly as secret ID.
+ ///
+ /// Ignored for meta-secrets.
+ #[arg(long)]
+ pub use_name: bool,
}
#[derive(Subcommand, Debug)]
@@ -342,6 +348,8 @@ pub enum RetrInpFmt {
Yaml,
/// Use a hex string.
Hex,
+ /// Use a name-string. Will hash it if no secret with the name found.
+ Name,
}
#[derive(Copy, Clone, PartialEq, Eq, PartialOrd, Ord, ValueEnum, Debug, Default)]
diff --git a/rust/pvsecret/src/cmd/create.rs b/rust/pvsecret/src/cmd/create.rs
index 73089a12..fab37e67 100644
--- a/rust/pvsecret/src/cmd/create.rs
+++ b/rust/pvsecret/src/cmd/create.rs
@@ -94,7 +94,7 @@ fn read_private_key(buf: &[u8]) -> Result<PKey<Private>> {
fn build_asrcb(opt: &CreateSecretOpt) -> Result<AddSecretRequest> {
debug!("Build add-secret request");
- let secret = match &opt.secret {
+ let mut secret = match &opt.secret {
AddSecretType::Meta => GuestSecret::Null,
AddSecretType::Association {
name,
@@ -112,6 +112,8 @@ fn build_asrcb(opt: &CreateSecretOpt) -> Result<AddSecretRequest> {
};
trace!("AddSecret: {secret:x?}");
+ opt.use_name.then(|| secret.no_hash_name());
+
let mut flags = match &opt.pcf {
Some(v) => (&try_parse_u64(v, "pcf")?).into(),
None => AddSecretFlags::default(),
diff --git a/rust/pvsecret/src/cmd/retr.rs b/rust/pvsecret/src/cmd/retr.rs
index 7f7704cc..ad3e91c3 100644
--- a/rust/pvsecret/src/cmd/retr.rs
+++ b/rust/pvsecret/src/cmd/retr.rs
@@ -17,12 +17,17 @@ use utils::get_writer_from_cli_file_arg;
fn retrieve(id: &SecretId) -> Result<RetrievedSecret> {
let uv = UvDevice::open()?;
let secrets = list_uvc(&uv)?;
- let secret = secrets
- .into_iter()
- .find(|s| s.id() == id.as_ref())
+ let secret = match secrets.find(id) {
+ Some(s) => s,
+ // hash it + try again if it is ASCII-representable
+ None => match id.as_ascii() {
+ Some(s) => secrets.find(&GuestSecret::name_to_id(s)?),
+ None => None,
+ }
.ok_or(anyhow!(
"The UV secret-store has no secret with the ID {id}"
- ))?;
+ ))?,
+ };
info!("Try to retrieve secret at index: {}", secret.index());
debug!("Try to retrieve: {secret:?}");
@@ -43,6 +48,7 @@ pub fn retr(opt: &RetrSecretOptions) -> Result<()> {
RetrInpFmt::Hex => {
serde_yaml::from_str(&opt.input).context("Cannot parse SecretId information")?
}
+ RetrInpFmt::Name => SecretId::from_string(&opt.input),
};
let retr_secret =

File diff suppressed because it is too large Load Diff

View File

@ -0,0 +1,334 @@
From cf51ac786095f2a1a17d04fea9ee73271438d247 Mon Sep 17 00:00:00 2001
From: Marc Hartmayer <mhartmay@linux.ibm.com>
Date: Wed, 11 Dec 2024 19:25:59 +0100
Subject: [PATCH] rust/pvimg: Add '--(enable|disable)-image-encryption' flags
to 'pvimg create'
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
With runtime attestation it might be useful to have non-encrypted Secure
Execution images. This patch adds the support for this to the 'pvimg
create' and 'genprotimg' commands.
Reviewed-by: Steffen Eiden <seiden@linux.ibm.com>
Acked-by: Hendrik Brueckner <brueckner@linux.ibm.com>
Signed-off-by: Marc Hartmayer <mhartmay@linux.ibm.com>
Signed-off-by: Jan Höppner <hoeppner@linux.ibm.com>
---
rust/pvimg/man/genprotimg.1 | 26 +++++++++++++++++++++-----
rust/pvimg/man/pvimg-create.1 | 26 +++++++++++++++++++++-----
rust/pvimg/man/pvimg-info.1 | 10 +++++-----
rust/pvimg/man/pvimg-test.1 | 10 +++++-----
rust/pvimg/man/pvimg.1 | 10 +++++-----
rust/pvimg/src/cli.rs | 18 ++++++++++++++++++
rust/pvimg/src/cmd/create.rs | 10 ++++++++++
7 files changed, 85 insertions(+), 25 deletions(-)
diff --git a/rust/pvimg/man/genprotimg.1 b/rust/pvimg/man/genprotimg.1
index 46a91aa4..3f4949e9 100644
--- a/rust/pvimg/man/genprotimg.1
+++ b/rust/pvimg/man/genprotimg.1
@@ -3,11 +3,11 @@
.\" it under the terms of the MIT license. See LICENSE for details.
.\"
-.TH genprotimg 1 "2024-12-05" "s390-tools" "Genprotimg Manual"
+.TH genprotimg 1 "2024-12-11" "s390-tools" "Genprotimg Manual"
.nh
.ad l
.SH NAME
-\fBgenprotimg\fP - Create an IBM Secure Execution image
+\fBgenprotimg\fP \- Create an IBM Secure Execution image
\fB
.SH SYNOPSIS
.nf
@@ -196,6 +196,22 @@ Disable the support for backup target keys (default).
.RE
.RE
.PP
+\-\-enable\-image\-encryption
+.RS 4
+Enable encryption of the image components (default). The image components are:
+the kernel, ramdisk, and kernel command line.
+.RE
+.RE
+.PP
+\-\-disable\-image\-encryption
+.RS 4
+Disable encryption of the image components. The image components are: the
+kernel, ramdisk, and kernel command line. Use only if the components used do not
+contain any confidential content (for example, secrets like non\-public
+cryptographic keys).
+.RE
+.RE
+.PP
\-v, \-\-verbose
.RS 4
Provide more detailed output.
@@ -222,16 +238,16 @@ Print help (see a summary with \fB\-h\fR).
.SH EXIT STATUS
.TP 8
-.B 0 - Program finished successfully
+.B 0 \- Program finished successfully
The command was executed successfully.
.RE
.TP 8
-.B 1 - Generic error
+.B 1 \- Generic error
Something went wrong during the operation. Refer to the error
message.
.RE
.TP 8
-.B 2 - Usage error
+.B 2 \- Usage error
The command was used incorrectly, for example: unsupported command
line flag, or wrong number of arguments.
.RE
diff --git a/rust/pvimg/man/pvimg-create.1 b/rust/pvimg/man/pvimg-create.1
index aba197fa..dae1cf18 100644
--- a/rust/pvimg/man/pvimg-create.1
+++ b/rust/pvimg/man/pvimg-create.1
@@ -3,11 +3,11 @@
.\" it under the terms of the MIT license. See LICENSE for details.
.\"
-.TH pvimg-create 1 "2024-12-05" "s390-tools" "Pvimg Manual"
+.TH pvimg-create 1 "2024-12-11" "s390-tools" "Pvimg Manual"
.nh
.ad l
.SH NAME
-\fBpvimg create\fP - Create an IBM Secure Execution image
+\fBpvimg create\fP \- Create an IBM Secure Execution image
\fB
.SH SYNOPSIS
.nf
@@ -195,6 +195,22 @@ Disable the support for backup target keys (default).
.RE
.RE
.PP
+\-\-enable\-image\-encryption
+.RS 4
+Enable encryption of the image components (default). The image components are:
+the kernel, ramdisk, and kernel command line.
+.RE
+.RE
+.PP
+\-\-disable\-image\-encryption
+.RS 4
+Disable encryption of the image components. The image components are: the
+kernel, ramdisk, and kernel command line. Use only if the components used do not
+contain any confidential content (for example, secrets like non\-public
+cryptographic keys).
+.RE
+.RE
+.PP
\-h, \-\-help
.RS 4
Print help (see a summary with \fB\-h\fR).
@@ -203,16 +219,16 @@ Print help (see a summary with \fB\-h\fR).
.SH EXIT STATUS
.TP 8
-.B 0 - Program finished successfully
+.B 0 \- Program finished successfully
The command was executed successfully.
.RE
.TP 8
-.B 1 - Generic error
+.B 1 \- Generic error
Something went wrong during the operation. Refer to the error
message.
.RE
.TP 8
-.B 2 - Usage error
+.B 2 \- Usage error
The command was used incorrectly, for example: unsupported command
line flag, or wrong number of arguments.
.RE
diff --git a/rust/pvimg/man/pvimg-info.1 b/rust/pvimg/man/pvimg-info.1
index e88cbe49..d2726c35 100644
--- a/rust/pvimg/man/pvimg-info.1
+++ b/rust/pvimg/man/pvimg-info.1
@@ -3,11 +3,11 @@
.\" it under the terms of the MIT license. See LICENSE for details.
.\"
-.TH pvimg-info 1 "2024-12-05" "s390-tools" "Pvimg Manual"
+.TH pvimg-info 1 "2024-12-11" "s390-tools" "Pvimg Manual"
.nh
.ad l
.SH NAME
-\fBpvimg info\fP - Print information about the IBM Secure Execution image
+\fBpvimg info\fP \- Print information about the IBM Secure Execution image
\fB
.SH SYNOPSIS
.nf
@@ -51,16 +51,16 @@ Print help (see a summary with \fB\-h\fR).
.SH EXIT STATUS
.TP 8
-.B 0 - Program finished successfully
+.B 0 \- Program finished successfully
The command was executed successfully.
.RE
.TP 8
-.B 1 - Generic error
+.B 1 \- Generic error
Something went wrong during the operation. Refer to the error
message.
.RE
.TP 8
-.B 2 - Usage error
+.B 2 \- Usage error
The command was used incorrectly, for example: unsupported command
line flag, or wrong number of arguments.
.RE
diff --git a/rust/pvimg/man/pvimg-test.1 b/rust/pvimg/man/pvimg-test.1
index 901c7edb..4fb7d73f 100644
--- a/rust/pvimg/man/pvimg-test.1
+++ b/rust/pvimg/man/pvimg-test.1
@@ -3,11 +3,11 @@
.\" it under the terms of the MIT license. See LICENSE for details.
.\"
-.TH pvimg-test 1 "2024-12-05" "s390-tools" "Pvimg Manual"
+.TH pvimg-test 1 "2024-12-11" "s390-tools" "Pvimg Manual"
.nh
.ad l
.SH NAME
-\fBpvimg test\fP - Test different aspects of an existing IBM Secure Execution image
+\fBpvimg test\fP \- Test different aspects of an existing IBM Secure Execution image
\fB
.SH SYNOPSIS
.nf
@@ -54,16 +54,16 @@ Print help (see a summary with \fB\-h\fR).
.SH EXIT STATUS
.TP 8
-.B 0 - Program finished successfully
+.B 0 \- Program finished successfully
The command was executed successfully.
.RE
.TP 8
-.B 1 - Generic error
+.B 1 \- Generic error
Something went wrong during the operation. Refer to the error
message.
.RE
.TP 8
-.B 2 - Usage error
+.B 2 \- Usage error
The command was used incorrectly, for example: unsupported command
line flag, or wrong number of arguments.
.RE
diff --git a/rust/pvimg/man/pvimg.1 b/rust/pvimg/man/pvimg.1
index 37c8e978..5676b61d 100644
--- a/rust/pvimg/man/pvimg.1
+++ b/rust/pvimg/man/pvimg.1
@@ -3,11 +3,11 @@
.\" it under the terms of the MIT license. See LICENSE for details.
.\"
-.TH pvimg 1 "2024-12-05" "s390-tools" "Pvimg Manual"
+.TH pvimg 1 "2024-12-11" "s390-tools" "Pvimg Manual"
.nh
.ad l
.SH NAME
-\fBpvimg\fP - Create and inspect IBM Secure Execution images
+\fBpvimg\fP \- Create and inspect IBM Secure Execution images
\fB
.SH SYNOPSIS
.nf
@@ -69,16 +69,16 @@ Print help (see a summary with \fB\-h\fR).
.SH EXIT STATUS
.TP 8
-.B 0 - Program finished successfully
+.B 0 \- Program finished successfully
The command was executed successfully.
.RE
.TP 8
-.B 1 - Generic error
+.B 1 \- Generic error
Something went wrong during the operation. Refer to the error
message.
.RE
.TP 8
-.B 2 - Usage error
+.B 2 \- Usage error
The command was used incorrectly, for example: unsupported command
line flag, or wrong number of arguments.
.RE
diff --git a/rust/pvimg/src/cli.rs b/rust/pvimg/src/cli.rs
index 2ca4e901..12f0b764 100644
--- a/rust/pvimg/src/cli.rs
+++ b/rust/pvimg/src/cli.rs
@@ -140,6 +140,20 @@ pub struct CreateBootImageLegacyFlags {
/// Disable the support for backup target keys (default).
#[arg(long, action = clap::ArgAction::SetTrue, conflicts_with="enable_backup_keys", group="header-flags")]
pub disable_backup_keys: Option<bool>,
+
+ /// Enable encryption of the image components (default).
+ ///
+ /// The image components are: the kernel, ramdisk, and kernel command line.
+ #[arg(long, action = clap::ArgAction::SetTrue, group="header-flags")]
+ pub enable_image_encryption: Option<bool>,
+
+ /// Disable encryption of the image components.
+ ///
+ /// The image components are: the kernel, ramdisk, and kernel command line.
+ /// Use only if the components used do not contain any confidential content
+ /// (for example, secrets like non-public cryptographic keys).
+ #[arg(long, action = clap::ArgAction::SetTrue, conflicts_with="enable_image_encryption", group="header-flags")]
+ pub disable_image_encryption: Option<bool>,
}
#[non_exhaustive]
@@ -476,6 +490,8 @@ mod test {
flat_map_collect(insert(mvca.clone(), vec![CliOption::new("enable-pckmo", ["--enable-pckmo"])])),
flat_map_collect(insert(mvca.clone(), vec![CliOption::new("enable-pckmo-hmac", ["--enable-pckmo-hmac"])])),
flat_map_collect(insert(mvca.clone(), vec![CliOption::new("enable-backup-keys", ["--enable-backup-keys"])])),
+ flat_map_collect(insert(mvca.clone(), vec![CliOption::new("disable-image-encryption", ["--disable-image-encryption"])])),
+ flat_map_collect(insert(mvca.clone(), vec![CliOption::new("enable-image-encryption", ["--enable-image-encryption"])])),
];
let invalid_create_args = [
flat_map_collect(remove(mvcanv.clone(), "no-verify")),
@@ -501,6 +517,8 @@ mod test {
CliOption::new("x-pcf2", ["--x-pcf", "0x0"])])),
flat_map_collect(insert(mvca.clone(), vec![CliOption::new("enable-pckmo", ["--enable-pckmo"]),
CliOption::new("disable-pckmo", ["--disable-pckmo"])])),
+ flat_map_collect(insert(mvca.clone(), vec![CliOption::new("enable-image-encryption", ["--enable-image-encryption"]),
+ CliOption::new("disable-image-encryption", ["--disable-image-encryption"])])),
];
let mut genprotimg_valid_args = vec![
diff --git a/rust/pvimg/src/cmd/create.rs b/rust/pvimg/src/cmd/create.rs
index b696d790..475d3523 100644
--- a/rust/pvimg/src/cmd/create.rs
+++ b/rust/pvimg/src/cmd/create.rs
@@ -80,6 +80,12 @@ fn parse_flags(
lf.enable_backup_keys
.filter(|x| *x)
.and(Some(PcfV1::all_enabled([PcfV1::BackupTargetKeys]))),
+ lf.disable_image_encryption
+ .filter(|x| *x)
+ .and(Some(PcfV1::all_enabled([PcfV1::NoComponentEncryption]))),
+ lf.enable_image_encryption
+ .filter(|x| *x)
+ .and(Some(PcfV1::all_disabled([PcfV1::NoComponentEncryption]))),
]
.into_iter()
.flatten()
@@ -135,6 +141,10 @@ pub fn create(opt: &CreateBootImageArgs) -> Result<OwnExitCode> {
read_user_provided_keys(opt.comm_key.as_deref(), &opt.experimental_args)?;
let (plaintext_flags, secret_flags) = parse_flags(opt)?;
+ if plaintext_flags.is_set(PcfV1::NoComponentEncryption) {
+ warn!("The components encryption is disabled, make sure that the components do not contain any confidential content.");
+ }
+
let mut components = components(&opt.component_paths)?;
if opt.no_component_check {
warn!("The component check is turned off!");

View File

@ -0,0 +1,167 @@
From 5b6d7a467dc342c9c25a0af72b2d5546798cdc94 Mon Sep 17 00:00:00 2001
From: Marc Hartmayer <mhartmay@linux.ibm.com>
Date: Thu, 12 Dec 2024 20:19:56 +0100
Subject: [PATCH] rust/pvimg: Add '--cck <FILE>' command line option and make
'--comm-key' an alias
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Add '--cck <FILE>' as an command line option and make '--comm-key' an
alias of it. This makes the command line more similar to the other
Secure Execution related PV-tools (e.g. pvattest and pvsecret).
Suggested-by: Reinhard Bündgen <buendgen@de.ibm.com>
Reviewed-by: Steffen Eiden <seiden@linux.ibm.com>
Signed-off-by: Marc Hartmayer <mhartmay@linux.ibm.com>
Signed-off-by: Jan Höppner <hoeppner@linux.ibm.com>
---
rust/pvimg/man/genprotimg.1 | 11 +++++------
rust/pvimg/man/pvimg-create.1 | 11 +++++------
rust/pvimg/src/cli.rs | 14 ++++++++------
rust/pvimg/src/cmd/create.rs | 3 +--
4 files changed, 19 insertions(+), 20 deletions(-)
Index: s390-tools-2.36.0/rust/pvimg/man/genprotimg.1
===================================================================
--- s390-tools-2.36.0.orig/rust/pvimg/man/genprotimg.1
+++ s390-tools-2.36.0/rust/pvimg/man/genprotimg.1
@@ -123,7 +123,7 @@ Overwrite an existing Secure Execution b
.RE
.RE
.PP
-\-\-comm\-key <FILE>
+\-\-cck, \-\-comm\-key <FILE>
.RS 4
Use the content of FILE as the customer\-communication key (CCK). The file must
contain exactly 32 bytes of data.
@@ -133,7 +133,7 @@ contain exactly 32 bytes of data.
\-\-enable\-dump
.RS 4
Enable Secure Execution guest dump support. This option requires the
-\fB\-\-comm\-key\fR option.
+\fB\-\-cck\fR option.
.RE
.RE
.PP
@@ -146,8 +146,7 @@ Disable Secure Execution guest dump supp
\-\-enable\-cck\-extension\-secret
.RS 4
Add\-secret requests must provide an extension secret that matches the
-CCK\-derived extension secret. This option requires the \fB\-\-comm\-key\fR
-option.
+CCK\-derived extension secret. This option requires the \fB\-\-cck\fR option.
.RE
.RE
.PP
@@ -268,7 +267,7 @@ Generate an IBM Secure Execution image:
Generate an IBM Secure Execution image with Secure Execution guest dump support:
.PP
-.B genprotimg \-i \fI\,/boot/vmlinuz\/\fR \-r \fI\,/boot/initrd.img\/\fR \-p \fI\,parmfile\/\fR \-k \fI\,host_key.crt\/\fR \-C \fI\,ibm-z-host-key-signing.crt\/\fR \-C \fI\,DigiCertCA.crt\fR \-o \fI\,/boot/secure-linux\/\fR \-\-enable\-dump \-\-comm\-key \fI\,comm-key\fR
+.B genprotimg \-i \fI\,/boot/vmlinuz\/\fR \-r \fI\,/boot/initrd.img\/\fR \-p \fI\,parmfile\/\fR \-k \fI\,host_key.crt\/\fR \-C \fI\,ibm-z-host-key-signing.crt\/\fR \-C \fI\,DigiCertCA.crt\fR \-o \fI\,/boot/secure-linux\/\fR \-\-enable\-dump \-\-cck \fI\,comm-key\fR
.SH NOTES
.IP "1." 4
The \fBgenprotimg\fR(1) command is a symbolic link to the \fBpvimg-create\fR(1) command.
Index: s390-tools-2.36.0/rust/pvimg/man/pvimg-create.1
===================================================================
--- s390-tools-2.36.0.orig/rust/pvimg/man/pvimg-create.1
+++ s390-tools-2.36.0/rust/pvimg/man/pvimg-create.1
@@ -122,7 +122,7 @@ Overwrite an existing Secure Execution b
.RE
.RE
.PP
-\-\-comm\-key <FILE>
+\-\-cck, \-\-comm\-key <FILE>
.RS 4
Use the content of FILE as the customer\-communication key (CCK). The file must
contain exactly 32 bytes of data.
@@ -132,7 +132,7 @@ contain exactly 32 bytes of data.
\-\-enable\-dump
.RS 4
Enable Secure Execution guest dump support. This option requires the
-\fB\-\-comm\-key\fR option.
+\fB\-\-cck\fR option.
.RE
.RE
.PP
@@ -145,8 +145,7 @@ Disable Secure Execution guest dump supp
\-\-enable\-cck\-extension\-secret
.RS 4
Add\-secret requests must provide an extension secret that matches the
-CCK\-derived extension secret. This option requires the \fB\-\-comm\-key\fR
-option.
+CCK\-derived extension secret. This option requires the \fB\-\-cck\fR option.
.RE
.RE
.PP
@@ -249,7 +248,7 @@ Generate an IBM Secure Execution image:
Generate an IBM Secure Execution image with Secure Execution guest dump support:
.PP
-.B pvimg create \-i \fI\,/boot/vmlinuz\/\fR \-r \fI\,/boot/initrd.img\/\fR \-p \fI\,parmfile\/\fR \-k \fI\,host_key.crt\/\fR \-C \fI\,ibm-z-host-key-signing.crt\/\fR \-C \fI\,DigiCertCA.crt\fR \-o \fI\,/boot/secure-linux\/\fR \-\-enable\-dump \-\-comm\-key \fI\,comm-key\fR
+.B pvimg create \-i \fI\,/boot/vmlinuz\/\fR \-r \fI\,/boot/initrd.img\/\fR \-p \fI\,parmfile\/\fR \-k \fI\,host_key.crt\/\fR \-C \fI\,ibm-z-host-key-signing.crt\/\fR \-C \fI\,DigiCertCA.crt\fR \-o \fI\,/boot/secure-linux\/\fR \-\-enable\-dump \-\-cck \fI\,comm-key\fR
.SH NOTES
.IP "1." 4
The \fBgenprotimg\fR(1) command is a symbolic link to the \fBpvimg-create\fR(1) command.
Index: s390-tools-2.36.0/rust/pvimg/src/cli.rs
===================================================================
--- s390-tools-2.36.0.orig/rust/pvimg/src/cli.rs
+++ s390-tools-2.36.0/rust/pvimg/src/cli.rs
@@ -96,8 +96,8 @@ pub struct ComponentPaths {
#[command(group(ArgGroup::new("header-flags").multiple(true).conflicts_with_all(["x_pcf", "x_scf"])))]
pub struct CreateBootImageLegacyFlags {
/// Enable Secure Execution guest dump support. This option requires the
- /// '--comm-key' option.
- #[arg(long, action = clap::ArgAction::SetTrue, requires="comm_key", group="header-flags")]
+ /// '--cck' option.
+ #[arg(long, action = clap::ArgAction::SetTrue, requires="cck", group="header-flags")]
pub enable_dump: Option<bool>,
/// Disable Secure Execution guest dump support (default).
@@ -105,9 +105,9 @@ pub struct CreateBootImageLegacyFlags {
pub disable_dump: Option<bool>,
/// Add-secret requests must provide an extension secret that matches the
- /// CCK-derived extension secret. This option requires the '--comm-key'
+ /// CCK-derived extension secret. This option requires the '--cck'
/// option.
- #[arg(long, action = clap::ArgAction::SetTrue, requires="comm_key", group="header-flags")]
+ #[arg(long, action = clap::ArgAction::SetTrue, requires="cck", group="header-flags")]
pub enable_cck_extension_secret: Option<bool>,
/// Add-secret requests don't have to provide the CCK-derived extension
@@ -328,8 +328,8 @@ pub struct CreateBootImageArgs {
/// Use the content of FILE as the customer-communication key (CCK).
///
/// The file must contain exactly 32 bytes of data.
- #[arg(long, value_name = "FILE")]
- pub comm_key: Option<PathBuf>,
+ #[arg(long, value_name = "FILE", visible_alias = "comm-key")]
+ pub cck: Option<PathBuf>,
#[clap(flatten)]
pub legacy_flags: CreateBootImageLegacyFlags,
@@ -482,6 +482,8 @@ mod test {
flat_map_collect(insert(mvca.clone(), vec![CliOption::new("enable-dump", ["--enable-dump"]),
CliOption::new("comm-key", ["--comm-key", "/dev/null"])])),
flat_map_collect(insert(mvca.clone(), vec![CliOption::new("enable-dump", ["--enable-dump"]),
+ CliOption::new("comm-key", ["--cck", "/dev/null"])])),
+ flat_map_collect(insert(mvca.clone(), vec![CliOption::new("enable-dump", ["--enable-dump"]),
CliOption::new("comm-key", ["--comm-key", "/dev/null"])])),
flat_map_collect(insert(mvca.clone(), vec![CliOption::new("x-pcf", ["--x-pcf", "0x0"]),
CliOption::new("x-scf", ["--x-scf", "0x0"])])),
Index: s390-tools-2.36.0/rust/pvimg/src/cmd/create.rs
===================================================================
--- s390-tools-2.36.0.orig/rust/pvimg/src/cmd/create.rs
+++ s390-tools-2.36.0/rust/pvimg/src/cmd/create.rs
@@ -137,8 +137,7 @@ pub fn create(opt: &CreateBootImageArgs)
let verified_host_keys = opt
.certificate_args
.get_verified_hkds("Secure Execution image")?;
- let user_provided_keys =
- read_user_provided_keys(opt.comm_key.as_deref(), &opt.experimental_args)?;
+ let user_provided_keys = read_user_provided_keys(opt.cck.as_deref(), &opt.experimental_args)?;
let (plaintext_flags, secret_flags) = parse_flags(opt)?;
if plaintext_flags.is_set(PcfV1::NoComponentEncryption) {

View File

@ -0,0 +1,58 @@
From 560b276f7e9938475af921c8ebd4cd05910dbf31 Mon Sep 17 00:00:00 2001
From: Marc Hartmayer <mhartmay@linux.ibm.com>
Date: Fri, 6 Dec 2024 20:45:36 +0100
Subject: [PATCH] rust/pvimg: Fix possible 'range start index out of range for
slice' error
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Fix possible 'range start index 16 out of range for slice of length 0'
error by adding a check of the slice data length.
Fixes: f4cf4ae6ebb1 ("rust: Add a new tool called 'pvimg'")
Reviewed-by: Steffen Eiden <seiden@linux.ibm.com>
Signed-off-by: Marc Hartmayer <mhartmay@linux.ibm.com>
Signed-off-by: Jan Höppner <hoeppner@linux.ibm.com>
---
rust/pvimg/src/pv_utils/se_hdr/brb.rs | 23 +++++++++++++++++++++++
1 file changed, 23 insertions(+)
diff --git a/rust/pvimg/src/pv_utils/se_hdr/brb.rs b/rust/pvimg/src/pv_utils/se_hdr/brb.rs
index f7ae1bc9..ac3a2e6e 100644
--- a/rust/pvimg/src/pv_utils/se_hdr/brb.rs
+++ b/rust/pvimg/src/pv_utils/se_hdr/brb.rs
@@ -259,6 +259,10 @@ impl SeHdr {
return Err(Error::InvalidSeHdr);
}
+ if sehs <= common_size {
+ return Err(Error::InvalidSeHdr);
+ }
+
data.resize(sehs, 0);
reader.read_exact(&mut data[common_size..])?;
Self::try_from_data(&data)
@@ -366,3 +370,22 @@ impl AeadCipherTrait for SeHdrPlain {
self.data.aead_tag_size()
}
}
+
+#[cfg(test)]
+mod tests {
+ use std::io::Cursor;
+
+ use super::SeHdr;
+ use crate::error::Error;
+
+ #[test]
+ fn test_sehdr_try_from_io() {
+ // Invalid SeHdr as `sehs` is set to 0
+ assert!(matches!(
+ SeHdr::try_from_io(Cursor::new([
+ 73, 66, 77, 83, 101, 99, 69, 120, 0, 0, 1, 0, 0, 0, 0, 0, 2, 0, 8
+ ])),
+ Err(Error::InvalidSeHdr)
+ ));
+ }
+}

View File

@ -0,0 +1,51 @@
From 3f6572e901ddcc654021c4302cb2a99999acb87a Mon Sep 17 00:00:00 2001
From: Marc Hartmayer <mhartmay@linux.ibm.com>
Date: Wed, 18 Dec 2024 13:41:13 +0100
Subject: [PATCH] rust/utils: mkdtemp: fix memory leak
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Fix memory leak of @template_raw. The documentation of CString::into_raw
reads:
"Consumes the CString and transfers ownership of the string to a C
caller.
...
Failure to call CString::from_raw will lead to a memory leak." [1]
Let's fix the memory leak by always calling `CString::from_raw` and
therefore reclaim the ownership.
[1] https://doc.rust-lang.org/std/ffi/struct.CString.html#method.into_raw
Fixes: e56acf4f14b0 ("pv_core: add `TemporaryDirectory`")
Reviewed-by: Steffen Eiden <seiden@linux.ibm.com>
Signed-off-by: Marc Hartmayer <mhartmay@linux.ibm.com>
Signed-off-by: Jan Höppner <hoeppner@linux.ibm.com>
---
rust/utils/src/tmpfile.rs | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/rust/utils/src/tmpfile.rs b/rust/utils/src/tmpfile.rs
index 07acdba8..883d5586 100644
--- a/rust/utils/src/tmpfile.rs
+++ b/rust/utils/src/tmpfile.rs
@@ -16,13 +16,14 @@ fn mkdtemp<P: AsRef<Path>>(template: P) -> Result<PathBuf, std::io::Error> {
// SAFETY: template_raw is a valid CString because it was generated by
// the `CString::new`.
let ret = libc::mkdtemp(template_raw);
+ // SAFETY: `template_raw` is still a valid CString because it was
+ // generated by `CString::new` and modified by `libc::mkdtemp`.
+ let path_cstr = std::ffi::CString::from_raw(template_raw);
if ret.is_null() {
+ drop(path_cstr);
Err(std::io::Error::last_os_error())
} else {
- // SAFETY: `template_raw` is still a valid CString because it was
- // generated by `CString::new` and modified by `libc::mkdtemp`.
- let path_cstr = std::ffi::CString::from_raw(template_raw);
let path = OsStr::from_bytes(path_cstr.as_bytes());
let path = std::path::PathBuf::from(path);

View File

@ -0,0 +1,334 @@
From 944581eaefe4c6887790f2b8ed39c9ee76146c55 Mon Sep 17 00:00:00 2001
From: Marc Hartmayer <mhartmay@linux.ibm.com>
Date: Tue, 17 Dec 2024 11:58:01 +0100
Subject: [PATCH] rust/pvimg: Add upper estimates for the Secure Execution
header
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
A Secure Execution header V1 can be at maximum two pages large, optional
items are not supported, and the size of the encrypted part cannot be
larger than the total size of the Secure Execution header add this as
Deku assertions and additional conditions to the code. In addition, add
a check for the number of key slots.
Fixes: f4cf4ae6ebb1 ("rust: Add a new tool called 'pvimg'")
Reviewed-by: Steffen Eiden <seiden@linux.ibm.com>
Signed-off-by: Marc Hartmayer <mhartmay@linux.ibm.com>
Signed-off-by: Jan Höppner <hoeppner@linux.ibm.com>
---
rust/pvimg/src/pv_utils/error.rs | 3 +
rust/pvimg/src/pv_utils/se_hdr/brb.rs | 50 +++++++++++++---
rust/pvimg/src/pv_utils/se_hdr/builder.rs | 10 +++-
rust/pvimg/src/pv_utils/se_hdr/hdr_v1.rs | 71 ++++++++++++++++++++---
rust/pvimg/src/pv_utils/uvdata.rs | 18 ++++--
5 files changed, 130 insertions(+), 22 deletions(-)
diff --git a/rust/pvimg/src/pv_utils/error.rs b/rust/pvimg/src/pv_utils/error.rs
index 2a176276..a12c4a22 100644
--- a/rust/pvimg/src/pv_utils/error.rs
+++ b/rust/pvimg/src/pv_utils/error.rs
@@ -30,6 +30,9 @@ pub enum Error {
#[error("Invalid Secure Execution header")]
InvalidSeHdr,
+ #[error("Secure Execution header size {given} is larger than the maximum of {maximum} bytes")]
+ InvalidSeHdrTooLarge { given: usize, maximum: usize },
+
#[error("Invalid component metadata.")]
InvalidComponentMetadata,
diff --git a/rust/pvimg/src/pv_utils/se_hdr/brb.rs b/rust/pvimg/src/pv_utils/se_hdr/brb.rs
index ac3a2e6e..b8dadba1 100644
--- a/rust/pvimg/src/pv_utils/se_hdr/brb.rs
+++ b/rust/pvimg/src/pv_utils/se_hdr/brb.rs
@@ -171,8 +171,8 @@ impl AeadCipherTrait for SeHdr {
}
impl AeadDataTrait for SeHdr {
- fn aad(&self) -> Vec<u8> {
- [serialize_to_bytes(&self.common).unwrap(), self.data.aad()].concat()
+ fn aad(&self) -> Result<Vec<u8>> {
+ Ok([serialize_to_bytes(&self.common)?, self.data.aad()?].concat())
}
fn data(&self) -> Vec<u8> {
@@ -265,7 +265,7 @@ impl SeHdr {
data.resize(sehs, 0);
reader.read_exact(&mut data[common_size..])?;
- Self::try_from_data(&data)
+ Self::try_from_data(&data).map_err(|_| Error::InvalidSeHdr)
}
}
@@ -342,13 +342,13 @@ impl UvDataPlainTrait for SeHdrPlain {
}
impl AeadPlainDataTrait for SeHdrPlain {
- fn aad(&self) -> Vec<u8> {
- let data_aad = self.data.aad();
+ fn aad(&self) -> Result<Vec<u8>> {
+ let data_aad = self.data.aad()?;
- [serialize_to_bytes(&self.common).unwrap(), data_aad].concat()
+ Ok([serialize_to_bytes(&self.common)?, data_aad].concat())
}
- fn data(&self) -> Confidential<Vec<u8>> {
+ fn data(&self) -> Result<Confidential<Vec<u8>>> {
self.data.data()
}
@@ -387,5 +387,41 @@ mod tests {
])),
Err(Error::InvalidSeHdr)
));
+
+ // Invalid SeHdr as the `sehs` is too large.
+ assert!(matches!(
+ SeHdr::try_from_io(Cursor::new([
+ 73, 66, 77, 83, 101, 99, 69, 120, 0, 0, 1, 0, 0, 0, 1, 255, 65, 65, 65, 65, 67, 0,
+ 65, 17, 65, 0, 65, 65, 65, 65, 65, 65, 91, 91, 180, 91, 91, 91, 91, 91, 91, 91, 91,
+ 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255,
+ 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255,
+ 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255,
+ 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 241, 241,
+ 241, 241, 241, 91, 91, 91, 112, 112, 112, 112, 112, 112, 112, 112, 112, 112, 112,
+ 112, 112, 112, 112, 112, 112, 112, 112, 112, 112, 112, 112, 112, 112, 112, 112, 80,
+ 112, 112, 112, 112, 112, 112, 112, 112, 112, 112, 112, 112, 112, 112, 112, 112,
+ 112, 112, 112, 112, 91, 112, 112, 112, 112, 112, 112, 112, 112, 112, 112, 112, 112,
+ 112, 112, 112, 112, 112, 112, 112, 0, 0, 0, 0, 101, 99, 255, 255, 255, 255, 255,
+ 255, 255, 255, 255, 255, 255, 65, 65, 65, 65, 67, 0, 65, 17, 65, 0, 65, 65, 65, 65,
+ 65, 65, 91, 91, 180, 91, 91, 91, 91, 91, 91, 91, 91, 255, 255, 255, 255, 255, 255,
+ 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255,
+ 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255,
+ 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255,
+ 255, 255, 255, 255, 255, 255, 255, 255, 241, 241, 241, 241, 241, 91, 91, 91, 112,
+ 112, 112, 112, 112, 112, 112, 112, 112, 112, 112, 112, 112, 112, 112, 112, 112,
+ 112, 112, 112, 112, 112, 112, 112, 112, 112, 112, 80, 112, 112, 112, 112, 112, 112,
+ 112, 112, 112, 112, 112, 112, 112, 112, 112, 112, 112, 112, 112, 112, 91, 112, 112,
+ 112, 112, 112, 112, 112, 112, 112, 112, 112, 112, 73, 66, 77, 83, 101, 99, 69, 120,
+ 0, 112, 112, 0, 1, 0, 0, 0, 0, 101, 99, 255, 255, 255, 255, 255, 255, 255, 255,
+ 255, 255, 255, 65, 65, 65, 65, 67, 0, 65, 17, 65, 0, 65, 65, 65, 65, 65, 65, 91,
+ 91, 180, 91, 91, 91, 91, 91, 91, 91, 91, 91, 91, 91, 91, 91, 91, 91, 91, 91, 91,
+ 91, 91, 112, 112, 112, 112, 112, 73, 66, 77, 83, 101, 99, 69, 120, 0, 0, 1, 0, 0,
+ 0, 0, 48, 53, 53, 53, 53, 53, 53, 53, 91, 91, 91, 241, 241, 46, 49, 49, 0, 49, 49,
+ 0, 0, 112, 112, 112, 91, 0, 0, 0, 0, 9, 0, 49, 50, 22, 241, 241, 241, 241, 241,
+ 241, 241, 241, 241, 241, 241, 91, 91, 91, 91, 91, 255, 251, 0, 0, 91, 91, 91, 91,
+ 91, 91, 91, 91, 91, 91, 91, 0, 0, 91, 0, 0, 10, 91, 91, 91, 65, 65, 65, 65
+ ])),
+ Err(Error::InvalidSeHdr)
+ ));
}
}
diff --git a/rust/pvimg/src/pv_utils/se_hdr/builder.rs b/rust/pvimg/src/pv_utils/se_hdr/builder.rs
index ba6de898..93bcc7af 100644
--- a/rust/pvimg/src/pv_utils/se_hdr/builder.rs
+++ b/rust/pvimg/src/pv_utils/se_hdr/builder.rs
@@ -230,8 +230,14 @@ mod tests {
let decrypted = bin.decrypt(&prot_key).expect("BUG");
assert_eq!(bin.common, decrypted.common);
- assert_eq!(bin.aad(), decrypted.aad());
- assert_ne!(&bin.data(), decrypted.data().value());
+ assert_eq!(
+ bin.aad().expect("should not fail"),
+ decrypted.aad().expect("should not fail")
+ );
+ assert_ne!(
+ &bin.data(),
+ decrypted.data().expect("should not fail").value()
+ );
let _decrypted_hdrv1: SeHdrDataV1 = decrypted.data.try_into().expect("BUG");
}
diff --git a/rust/pvimg/src/pv_utils/se_hdr/hdr_v1.rs b/rust/pvimg/src/pv_utils/se_hdr/hdr_v1.rs
index a7f2f609..b179d50d 100644
--- a/rust/pvimg/src/pv_utils/se_hdr/hdr_v1.rs
+++ b/rust/pvimg/src/pv_utils/se_hdr/hdr_v1.rs
@@ -19,6 +19,7 @@ use serde::{Serialize, Serializer};
use super::keys::phkh_v1;
use crate::{
error::Error,
+ misc::PAGESIZE,
pv_utils::{
error::Result,
se_hdr::{
@@ -51,11 +52,14 @@ struct HdrSizesV1 {
#[derive(Debug, Clone, PartialEq, Eq, DekuRead, DekuWrite, Serialize)]
#[deku(endian = "endian", ctx = "endian: Endian", ctx_default = "Endian::Big")]
struct SeHdrAadV1 {
+ #[deku(assert = "*sehs <= SeHdrDataV1::MAX_SIZE.try_into().unwrap()")]
sehs: u32,
#[serde(serialize_with = "ser_hex")]
iv: [u8; SymKeyType::AES_256_GCM_IV_LEN],
res1: u32,
+ #[deku(assert = "*nks <= (*sehs).into()", update = "self.keyslots.len()")]
nks: u64,
+ #[deku(assert = "*sea <= (*sehs).into()")]
sea: u64,
nep: u64,
#[serde(serialize_with = "ser_lower_hex")]
@@ -118,6 +122,7 @@ pub struct SeHdrConfV1 {
psw: PSW,
#[serde(serialize_with = "ser_lower_hex")]
scf: u64,
+ #[deku(assert_eq = "0")]
noi: u32,
res2: u32,
#[deku(count = "noi")]
@@ -200,6 +205,7 @@ where
}
impl SeHdrDataV1 {
+ const MAX_SIZE: usize = 2 * PAGESIZE;
const PCF_DEFAULT: u64 = 0x0;
const SCF_DEFAULT: u64 = 0x0;
@@ -241,7 +247,14 @@ impl SeHdrDataV1 {
tag: SeHdrTagV1::default(),
};
let hdr_size = ret.size()?;
- ret.aad.sehs = hdr_size.phs.try_into()?;
+ let phs = hdr_size.phs.try_into()?;
+ if phs > Self::MAX_SIZE {
+ return Err(Error::InvalidSeHdrTooLarge {
+ given: phs,
+ maximum: Self::MAX_SIZE,
+ });
+ }
+ ret.aad.sehs = phs.try_into()?;
ret.aad.sea = hdr_size.sea;
Ok(ret)
}
@@ -494,8 +507,8 @@ impl KeyExchangeTrait for SeHdrBinV1 {
}
impl AeadDataTrait for SeHdrBinV1 {
- fn aad(&self) -> Vec<u8> {
- serialize_to_bytes(&self.aad).unwrap()
+ fn aad(&self) -> Result<Vec<u8>> {
+ serialize_to_bytes(&self.aad)
}
fn data(&self) -> Vec<u8> {
@@ -508,12 +521,12 @@ impl AeadDataTrait for SeHdrBinV1 {
}
impl AeadPlainDataTrait for SeHdrDataV1 {
- fn aad(&self) -> Vec<u8> {
- serialize_to_bytes(&self.aad).unwrap()
+ fn aad(&self) -> Result<Vec<u8>> {
+ serialize_to_bytes(&self.aad)
}
- fn data(&self) -> Confidential<Vec<u8>> {
- serialize_to_bytes(self.data.value()).unwrap().into()
+ fn data(&self) -> Result<Confidential<Vec<u8>>> {
+ Ok(serialize_to_bytes(self.data.value())?.into())
}
fn tag(&self) -> Vec<u8> {
@@ -610,4 +623,48 @@ mod tests {
assert_eq!(psw, hdr_data_v1.data.value().psw);
assert_eq!(cck.value(), hdr_data_v1.data.value().cck.value());
}
+
+ #[test]
+ fn max_size_sehdr_test() {
+ const MAX_HOST_KEYS: usize = 95;
+
+ let (_, host_key) = get_test_key_and_cert();
+ let pub_key = host_key.public_key().unwrap();
+ let host_keys_max: Vec<_> = (0..MAX_HOST_KEYS).map(|_| pub_key.clone()).collect();
+ let too_many_host_keys: Vec<_> = (0..MAX_HOST_KEYS + 1).map(|_| pub_key.clone()).collect();
+ let xts_key = Confidential::new([0x3; SymKeyType::AES_256_XTS_KEY_LEN]);
+ let meta = ComponentMetadataV1 {
+ ald: [0x1; SHA_512_HASH_LEN],
+ pld: [0x2; SHA_512_HASH_LEN],
+ tld: [0x3; SHA_512_HASH_LEN],
+ nep: 3,
+ key: xts_key,
+ };
+ let psw = PSW {
+ addr: 1234,
+ mask: 5678,
+ };
+
+ let mut builder = SeHdrBuilder::new(SeHdrVersion::V1, psw.clone(), meta.clone())
+ .expect("should not fail");
+ builder
+ .add_hostkeys(&host_keys_max)
+ .expect("should not fail")
+ .with_components(meta.clone())
+ .expect("should not fail");
+ let bin = builder.build().expect("should not fail");
+ assert_eq!(bin.common.version, SeHdrVersion::V1);
+ let hdr_v1: SeHdrBinV1 = bin.data.try_into().expect("should not fail");
+ assert_eq!(hdr_v1.aad.sehs, 8160);
+
+ let mut builder = SeHdrBuilder::new(SeHdrVersion::V1, psw.clone(), meta.clone())
+ .expect("should not fail");
+
+ builder
+ .add_hostkeys(&too_many_host_keys)
+ .expect("should not fail")
+ .with_components(meta)
+ .expect("should not fail");
+ assert!(matches!(builder.build(), Err(Error::InvalidSeHdr)));
+ }
}
diff --git a/rust/pvimg/src/pv_utils/uvdata.rs b/rust/pvimg/src/pv_utils/uvdata.rs
index b0ec355a..c6ed9567 100644
--- a/rust/pvimg/src/pv_utils/uvdata.rs
+++ b/rust/pvimg/src/pv_utils/uvdata.rs
@@ -34,7 +34,7 @@ pub trait AeadCipherTrait {
#[enum_dispatch]
pub trait AeadDataTrait {
/// Returns the authenticated associated data.
- fn aad(&self) -> Vec<u8>;
+ fn aad(&self) -> Result<Vec<u8>>;
/// Returns the encrypted data.
fn data(&self) -> Vec<u8>;
@@ -47,10 +47,10 @@ pub trait AeadDataTrait {
#[enum_dispatch]
pub trait AeadPlainDataTrait {
/// Returns the authenticated associated data.
- fn aad(&self) -> Vec<u8>;
+ fn aad(&self) -> Result<Vec<u8>>;
/// Returns the unencrypted data.
- fn data(&self) -> Confidential<Vec<u8>>;
+ fn data(&self) -> Result<Confidential<Vec<u8>>>;
/// Returns the tag data.
fn tag(&self) -> Vec<u8>;
@@ -124,8 +124,14 @@ pub trait UvDataPlainTrait:
expected: self.aead_key_type().to_string(),
});
}
- let aad = self.aad();
- let unecrypted_data = self.data();
+ let aad = self.aad().map_err(|err| match err {
+ Error::Deku(_) => Error::InvalidSeHdr,
+ err => err,
+ })?;
+ let unecrypted_data = self.data().map_err(|err| match err {
+ Error::Deku(_) => Error::InvalidSeHdr,
+ err => err,
+ })?;
let iv = self.iv();
let result = encrypt_aead(key, iv, &aad, unecrypted_data.value())?;
Self::C::try_from_data(&result.into_buf())
@@ -169,7 +175,7 @@ pub trait UvDataTrait: AeadDataTrait + AeadCipherTrait + KeyExchangeTrait + Clon
}
let tag_size = self.aead_tag_size();
- let aad = self.aad();
+ let aad = self.aad()?;
let unecrypted_data = self.data();
let iv = self.iv();
let tag = self.tag();

View File

@ -0,0 +1,101 @@
From 6e48c5ebaa26c6bd2a1bc33ccf36ed8bd6946358 Mon Sep 17 00:00:00 2001
From: Marc Hartmayer <mhartmay@linux.ibm.com>
Date: Tue, 17 Dec 2024 18:13:31 +0100
Subject: [PATCH] pvimg: info: Rename '--key' into '--hdr-key' and use '--key'
as an alias
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Rename '--key' into '--hdr-key' and use '--key' as an (non-visible)
alias for '--hdr-key' in order to keep the command line backwards
compatible. The chances of someone using '--key' are very low, as this
version has not yet been released by any OS distribution.
This change makes the command line options for the different subcommands
more consistent and therefore easier to use.
Suggested-by: Reinhard Bündgen <buendgen@de.ibm.com>
Acked-by: Hendrik Brueckner <brueckner@linux.ibm.com>
Reviewed-by: Steffen Eiden <seiden@linux.ibm.com>
Signed-off-by: Marc Hartmayer <mhartmay@linux.ibm.com>
Signed-off-by: Jan Höppner <hoeppner@linux.ibm.com>
---
rust/pvimg/man/pvimg-info.1 | 2 +-
rust/pvimg/src/cli.rs | 22 +++++++++++++++++++---
rust/pvimg/src/cmd/info.rs | 2 +-
3 files changed, 21 insertions(+), 5 deletions(-)
Index: s390-tools-2.36.0/rust/pvimg/man/pvimg-info.1
===================================================================
--- s390-tools-2.36.0.orig/rust/pvimg/man/pvimg-info.1
+++ s390-tools-2.36.0/rust/pvimg/man/pvimg-info.1
@@ -37,7 +37,7 @@ Possible values:
.RE
.RE
.PP
-\-\-key <FILE>
+\-\-hdr\-key <FILE>
.RS 4
Use the key in FILE to decrypt the Secure Execution header.
.RE
Index: s390-tools-2.36.0/rust/pvimg/src/cli.rs
===================================================================
--- s390-tools-2.36.0.orig/rust/pvimg/src/cli.rs
+++ s390-tools-2.36.0/rust/pvimg/src/cli.rs
@@ -192,8 +192,8 @@ pub struct InfoArgs {
pub format: OutputFormat,
/// Use the key in FILE to decrypt the Secure Execution header.
- #[arg(long, value_name = "FILE", value_hint = ValueHint::FilePath,)]
- pub key: Option<PathBuf>,
+ #[arg(long, value_name = "FILE", value_hint = ValueHint::FilePath, alias = "key")]
+ pub hdr_key: Option<PathBuf>,
}
#[derive(Args, Debug)]
@@ -710,6 +710,22 @@ mod test {
CliOption::new("image", ["/dev/null"]),
],
)),
+ flat_map_collect(insert(
+ args.clone(),
+ vec![
+ CliOption::new("hdr-key", ["--hdr-key", "/dev/null"]),
+ CliOption::new("format", ["--format=json"]),
+ CliOption::new("image", ["/dev/null"]),
+ ],
+ )),
+ flat_map_collect(insert(
+ args.clone(),
+ vec![
+ CliOption::new("hdr-key", ["--key", "/dev/null"]),
+ CliOption::new("format", ["--format=json"]),
+ CliOption::new("image", ["/dev/null"]),
+ ],
+ )),
// separation between keyword and positional args works
flat_map_collect(insert(
args.clone(),
@@ -750,7 +766,7 @@ mod test {
// Test for invalid combinations
// Input is missing
- let mut pvimg_invalid_args = vec![vec!["pvimg", "test"]];
+ let mut pvimg_invalid_args = vec![vec!["pvimg", "info"]];
for create_args in &valid_test_args {
pvimg_valid_args.push(
Index: s390-tools-2.36.0/rust/pvimg/src/cmd/info.rs
===================================================================
--- s390-tools-2.36.0.orig/rust/pvimg/src/cmd/info.rs
+++ s390-tools-2.36.0/rust/pvimg/src/cmd/info.rs
@@ -27,7 +27,7 @@ pub fn info(opt: &InfoArgs) -> Result<Ow
SeHdr::seek_sehdr(&mut input, None)?;
let hdr = SeHdr::try_from_io(input)?;
- if let Some(key_path) = &opt.key {
+ if let Some(key_path) = &opt.hdr_key {
let key =
SymKey::try_from_data(hdr.key_type(), read_file(key_path, "Reading key")?.into())?;
serde_json::to_writer_pretty(&mut output, &hdr.decrypt(&key)?)?;

View File

@ -1,286 +0,0 @@
Index: s390-tools-service/rust/pv/src/verify.rs
===================================================================
--- s390-tools-service.orig/rust/pv/src/verify.rs
+++ s390-tools-service/rust/pv/src/verify.rs
@@ -3,10 +3,11 @@
// Copyright IBM Corp. 2023
use core::slice;
-use log::debug;
+use log::{debug, trace};
+use openssl::error::ErrorStack;
use openssl::stack::Stack;
use openssl::x509::store::X509Store;
-use openssl::x509::{CrlStatus, X509Ref, X509StoreContext, X509};
+use openssl::x509::{CrlStatus, X509NameRef, X509Ref, X509StoreContext, X509StoreContextRef, X509};
use openssl_extensions::crl::StackableX509Crl;
use openssl_extensions::crl::X509StoreContextExtension;
@@ -82,8 +83,8 @@ impl HkdVerifier for CertVerifier {
if verified_crls.is_empty() {
bail_hkd_verify!(NoCrl);
}
- for crl in &verified_crls {
- match crl.get_by_cert(&hkd.to_owned()) {
+ for crl in verified_crls {
+ match crl.get_by_serial(hkd.serial_number()) {
CrlStatus::NotRevoked => (),
_ => bail_hkd_verify!(HdkRevoked),
}
@@ -94,21 +95,54 @@ impl HkdVerifier for CertVerifier {
}
impl CertVerifier {
+ fn quirk_crls(
+ ctx: &mut X509StoreContextRef,
+ subject: &X509NameRef,
+ ) -> Result<Stack<StackableX509Crl>, ErrorStack> {
+ match ctx.crls(subject) {
+ Ok(ret) if !ret.is_empty() => return Ok(ret),
+ _ => (),
+ }
+
+ // Armonk/Poughkeepsie fixup
+ trace!("quirk_crls: Try Locality");
+ if let Some(locality_subject) = helper::armonk_locality_fixup(subject) {
+ match ctx.crls(&locality_subject) {
+ Ok(ret) if !ret.is_empty() => return Ok(ret),
+ _ => (),
+ }
+
+ // reorder
+ trace!("quirk_crls: Try Locality+Reorder");
+ if let Ok(locality_ordered_subject) = helper::reorder_x509_names(&locality_subject) {
+ match ctx.crls(&locality_ordered_subject) {
+ Ok(ret) if !ret.is_empty() => return Ok(ret),
+ _ => (),
+ }
+ }
+ }
+
+ // reorder unchanged loaciliy subject
+ trace!("quirk_crls: Try Reorder");
+ if let Ok(ordered_subject) = helper::reorder_x509_names(subject) {
+ match ctx.crls(&ordered_subject) {
+ Ok(ret) if !ret.is_empty() => return Ok(ret),
+ _ => (),
+ }
+ }
+ // nothing found, return empty stack
+ Stack::new()
+ }
+
///Download the CLRs that a HKD refers to.
pub fn hkd_crls(&self, hkd: &X509Ref) -> Result<Stack<StackableX509Crl>> {
let mut ctx = X509StoreContext::new()?;
// Unfortunately we cannot use a dedicated function here and have to use a closure (E0434)
// Otherwise, we cannot refer to self
+ // Search for local CRLs
let mut crls = ctx.init_opt(&self.store, None, None, |ctx| {
let subject = self.ibm_z_sign_key.subject_name();
- match ctx.crls(subject) {
- Ok(crls) => Ok(crls),
- _ => {
- // reorder the name and try again
- let broken_subj = helper::reorder_x509_names(subject)?;
- ctx.crls(&broken_subj).or_else(helper::stack_err_hlp)
- }
- }
+ Self::quirk_crls(ctx, subject)
})?;
if !self.offline {
Index: s390-tools-service/rust/pv/src/verify/helper.rs
===================================================================
--- s390-tools-service.orig/rust/pv/src/verify/helper.rs
+++ s390-tools-service/rust/pv/src/verify/helper.rs
@@ -13,7 +13,7 @@ use openssl::{
error::ErrorStack,
nid::Nid,
ssl::SslFiletype,
- stack::{Stack, Stackable},
+ stack::Stack,
x509::{
store::{File, X509Lookup, X509StoreBuilder, X509StoreBuilderRef, X509StoreRef},
verify::{X509VerifyFlags, X509VerifyParam},
@@ -25,6 +25,7 @@ use openssl_extensions::{
akid::{AkidCheckResult, AkidExtension},
crl::X509StoreExtension,
};
+use std::str::from_utf8;
use std::{cmp::Ordering, ffi::c_int, time::Duration, usize};
/// Minimum security level for the keys/certificates used to establish a chain of
@@ -39,7 +40,6 @@ const SECURITY_CHAIN_MAX_LEN: c_int = 2;
/// verifies that the HKD
/// * has enough security bits
/// * is inside its validity period
-/// * issuer name is the subject name of the [`sign_key`]
/// * the Authority Key ID matches the Signing Key ID of the [`sign_key`]
pub fn verify_hkd_options(hkd: &X509Ref, sign_key: &X509Ref) -> Result<()> {
let hk_pkey = hkd.public_key()?;
@@ -53,9 +53,6 @@ pub fn verify_hkd_options(hkd: &X509Ref,
// verify that the hkd is still valid
check_validity_period(hkd.not_before(), hkd.not_after())?;
- // check if hkd.issuer_name == issuer.subject
- check_x509_name_equal(sign_key.subject_name(), hkd.issuer_name())?;
-
// verify that the AKID of the hkd matches the SKID of the issuer
if let Some(akid) = hkd.akid() {
if akid.check(sign_key) != AkidCheckResult::OK {
@@ -75,9 +72,6 @@ pub fn verify_crl(crl: &X509CrlRef, issu
return None;
}
}
-
- check_x509_name_equal(crl.issuer_name(), issuer.subject_name()).ok()?;
-
match crl.verify(issuer.public_key().ok()?.as_ref()).ok()? {
true => Some(()),
false => None,
@@ -207,7 +201,8 @@ pub fn download_crls_into_store(store: &
//Asn1StringRef::as_slice aka ASN1_STRING_get0_data gives a string without \0 delimiter
const IBM_Z_COMMON_NAME: &[u8; 43usize] = b"International Business Machines Corporation";
const IBM_Z_COUNTRY_NAME: &[u8; 2usize] = b"US";
-const IBM_Z_LOCALITY_NAME: &[u8; 12usize] = b"Poughkeepsie";
+const IBM_Z_LOCALITY_NAME_POUGHKEEPSIE: &[u8; 12usize] = b"Poughkeepsie";
+const IBM_Z_LOCALITY_NAME_ARMONK: &[u8; 6usize] = b"Armonk";
const IBM_Z_ORGANIZATIONAL_UNIT_NAME_SUFFIX: &str = "Key Signing Service";
const IBM_Z_ORGANIZATION_NAME: &[u8; 43usize] = b"International Business Machines Corporation";
const IBM_Z_STATE: &[u8; 8usize] = b"New York";
@@ -226,7 +221,8 @@ fn is_ibm_signing_cert(cert: &X509) -> b
if subj.entries().count() != IMB_Z_ENTRY_COUNT
|| !name_data_eq(subj, Nid::COUNTRYNAME, IBM_Z_COUNTRY_NAME)
|| !name_data_eq(subj, Nid::STATEORPROVINCENAME, IBM_Z_STATE)
- || !name_data_eq(subj, Nid::LOCALITYNAME, IBM_Z_LOCALITY_NAME)
+ || !(name_data_eq(subj, Nid::LOCALITYNAME, IBM_Z_LOCALITY_NAME_POUGHKEEPSIE)
+ || name_data_eq(subj, Nid::LOCALITYNAME, IBM_Z_LOCALITY_NAME_ARMONK))
|| !name_data_eq(subj, Nid::ORGANIZATIONNAME, IBM_Z_ORGANIZATION_NAME)
|| !name_data_eq(subj, Nid::COMMONNAME, IBM_Z_COMMON_NAME)
{
@@ -367,24 +363,6 @@ fn check_validity_period(not_before: &As
}
}
-fn check_x509_name_equal(lhs: &X509NameRef, rhs: &X509NameRef) -> Result<()> {
- if lhs.entries().count() != rhs.entries().count() {
- bail_hkd_verify!(IssuerMismatch);
- }
-
- for l in lhs.entries() {
- // search for the matching value in the rhs names
- // found none? -> names are not equal
- if !rhs
- .entries()
- .any(|r| l.data().as_slice() == r.data().as_slice())
- {
- bail_hkd_verify!(IssuerMismatch);
- }
- }
- Ok(())
-}
-
const NIDS_CORRECT_ORDER: [Nid; 6] = [
Nid::COUNTRYNAME,
Nid::ORGANIZATIONNAME,
@@ -407,13 +385,28 @@ pub fn reorder_x509_names(subject: &X509
Ok(correct_subj.build())
}
-pub fn stack_err_hlp<T: Stackable>(
- e: ErrorStack,
-) -> std::result::Result<Stack<T>, openssl::error::ErrorStack> {
- match e.errors().len() {
- 0 => Stack::<T>::new(),
- _ => Err(e),
+/**
+* Workaround for potential locality mismatches between CRLs and Certs
+* # Return
+* fixed subject or none if locality was not Armonk or any OpenSSL error
+*/
+pub fn armonk_locality_fixup(subject: &X509NameRef) -> Option<X509Name> {
+ if !name_data_eq(subject, Nid::LOCALITYNAME, IBM_Z_LOCALITY_NAME_ARMONK) {
+ return None;
+ }
+
+ let mut ret = X509Name::builder().ok()?;
+ for entry in subject.entries() {
+ match entry.object().nid() {
+ nid @ Nid::LOCALITYNAME => ret
+ .append_entry_by_nid(nid, from_utf8(IBM_Z_LOCALITY_NAME_POUGHKEEPSIE).ok()?)
+ .ok()?,
+ _ => {
+ ret.append_entry(entry).ok()?;
+ }
+ }
}
+ Some(ret.build())
}
#[cfg(test)]
@@ -451,20 +444,6 @@ mod test {
));
}
- #[test]
- fn x509_name_equal() {
- let sign_crt = load_gen_cert("ibm.crt");
- let hkd = load_gen_cert("host.crt");
- let other = load_gen_cert("inter_ca.crt");
-
- assert!(super::check_x509_name_equal(sign_crt.subject_name(), hkd.issuer_name()).is_ok(),);
-
- assert!(matches!(
- super::check_x509_name_equal(other.subject_name(), hkd.subject_name()),
- Err(Error::HkdVerify(IssuerMismatch))
- ));
- }
-
#[test]
fn is_ibm_z_sign_key() {
let ibm_crt = load_gen_cert("ibm.crt");
Index: s390-tools-service/rust/pv/src/verify/test.rs
===================================================================
--- s390-tools-service.orig/rust/pv/src/verify/test.rs
+++ s390-tools-service/rust/pv/src/verify/test.rs
@@ -84,7 +84,6 @@ fn verify_online() {
let inter_crt = get_cert_asset_path_string("inter_ca.crt");
let ibm_crt = get_cert_asset_path_string("ibm.crt");
let hkd_revoked = load_gen_cert("host_rev.crt");
- let hkd_inv = load_gen_cert("host_invalid_signing_key.crt");
let hkd_exp = load_gen_cert("host_crt_expired.crt");
let hkd = load_gen_cert("host.crt");
@@ -112,11 +111,6 @@ fn verify_online() {
));
assert!(matches!(
- verifier.verify(&hkd_inv),
- Err(Error::HkdVerify(IssuerMismatch))
- ));
-
- assert!(matches!(
verifier.verify(&hkd_exp),
Err(Error::HkdVerify(AfterValidity))
));
@@ -130,7 +124,6 @@ fn verify_offline() {
let ibm_crt = get_cert_asset_path_string("ibm.crt");
let ibm_crl = get_cert_asset_path_string("ibm.crl");
let hkd_revoked = load_gen_cert("host_rev.crt");
- let hkd_inv = load_gen_cert("host_invalid_signing_key.crt");
let hkd_exp = load_gen_cert("host_crt_expired.crt");
let hkd = load_gen_cert("host.crt");
@@ -149,11 +142,6 @@ fn verify_offline() {
));
assert!(matches!(
- verifier.verify(&hkd_inv),
- Err(Error::HkdVerify(IssuerMismatch))
- ));
-
- assert!(matches!(
verifier.verify(&hkd_exp),
Err(Error::HkdVerify(AfterValidity))
));

View File

@ -1,97 +0,0 @@
From 3ea6d6dfd2eb120ffee4c44ff51b7e9e7a9097a6 Mon Sep 17 00:00:00 2001
From: Thomas Blume <Thomas.Blume@suse.com>
Date: Thu, 28 Mar 2024 13:32:46 +0100
Subject: [PATCH] parse ipl device for activation
ported from dracut modules
---
zdev/dracut/95zdev/parse-dasd.sh | 15 ++++++++---
zdev/dracut/95zdev/parse-zfcp.sh | 46 +++++++++++++++++++-------------
2 files changed, 39 insertions(+), 22 deletions(-)
diff --git a/zdev/dracut/95zdev/parse-dasd.sh b/zdev/dracut/95zdev/parse-dasd.sh
index a97801f..eb2fa64 100644
--- a/zdev/dracut/95zdev/parse-dasd.sh
+++ b/zdev/dracut/95zdev/parse-dasd.sh
@@ -27,9 +27,18 @@ zdev_vinfo() {
zdev_parse_rd_dasd() {
local _zdev_dasd _zdev_dasd_list
- for _zdev_dasd in $(getargs rd.dasd -d 'rd_DASD='); do
- _zdev_dasd_list="${_zdev_dasd_list:+${_zdev_dasd_list},}$_zdev_dasd"
- done
+ # autodetect active bootdev from zipl device
+ if ! getargbool 0 'rd.dasd' \
+ && [[ -f /sys/firmware/ipl/ipl_type ]] \
+ && [[ $(< /sys/firmware/ipl/ipl_type) == "ccw" ]]; then
+ read -r _ccw < /sys/firmware/ipl/device
+
+ chzdev --offline --existing --enable --active dasd "$_ccw"
+ else
+ for _zdev_dasd in $(getargs rd.dasd -d 'rd_DASD='); do
+ _zdev_dasd_list="${_zdev_dasd_list:+${_zdev_dasd_list},}$_zdev_dasd"
+ done
+ fi
echo "$_zdev_dasd_list"
}
diff --git a/zdev/dracut/95zdev/parse-zfcp.sh b/zdev/dracut/95zdev/parse-zfcp.sh
index 715aa00..6279beb 100644
--- a/zdev/dracut/95zdev/parse-zfcp.sh
+++ b/zdev/dracut/95zdev/parse-zfcp.sh
@@ -12,25 +12,33 @@
zdev_zfcp_base_args="--no-settle --yes --no-root-update --force"
-for zdev_zfcp_arg in $(getargs rd.zfcp -d 'rd_ZFCP='); do
- (
- IFS_SAVED="$IFS"
- IFS="," # did not work in front of built-in set command below
- # shellcheck disable=SC2086
- set -- $zdev_zfcp_arg
- IFS=":" args="$*"
- IFS="$IFS_SAVED"
- echo "rd.zfcp ${zdev_zfcp_arg} :" | zdev_vinfo
- if [ "$#" -eq 1 ]; then
+# autodetect active bootdev from zipl device
+if ! getargbool 0 'rd.zfcp' \
+ && [[ -f /sys/firmware/ipl/ipl_type ]] \
+ && [[ $(< /sys/firmware/ipl/ipl_type) == "fcp" ]]; then
+ chzdev --offline --existing --enable --active zfcp-host 2>&1 | zdev_vinfo
+else
+ for zdev_zfcp_arg in $(getargs rd.zfcp -d 'rd_ZFCP='); do
+ (
+ IFS_SAVED="$IFS"
+ IFS="," # did not work in front of built-in set command below
# shellcheck disable=SC2086
- chzdev --enable --persistent $zdev_zfcp_base_args \
- zfcp-host "$args" 2>&1 | zdev_vinfo
- else
- # shellcheck disable=SC2086
- chzdev --enable --persistent $zdev_zfcp_base_args \
- zfcp-lun "$args" 2>&1 | zdev_vinfo
- fi
- )
-done
+ set -- $zdev_zfcp_arg
+ IFS=":" args="$*"
+ IFS="$IFS_SAVED"
+ echo "rd.zfcp ${zdev_zfcp_arg} :" | zdev_vinfo
+ if [ "$#" -eq 1 ]; then
+ # shellcheck disable=SC2086
+ chzdev --enable --persistent $zdev_zfcp_base_args \
+ zfcp-host "$args" 2>&1 | zdev_vinfo
+ else
+ # shellcheck disable=SC2086
+ chzdev --enable --persistent $zdev_zfcp_base_args \
+ zfcp-lun "$args" 2>&1 | zdev_vinfo
+ fi
+ )
+ done
+fi
+
unset zdev_zfcp_arg
unset zdev_zfcp_base_args
--
2.44.0

View File

@ -1,304 +0,0 @@
Index: s390-tools-service/genprotimg/src/include/pv_crypto_def.h
===================================================================
--- s390-tools-service.orig/genprotimg/src/include/pv_crypto_def.h
+++ s390-tools-service/genprotimg/src/include/pv_crypto_def.h
@@ -17,7 +17,8 @@
/* IBM signing key subject */
#define PV_IBM_Z_SUBJECT_COMMON_NAME "International Business Machines Corporation"
#define PV_IBM_Z_SUBJECT_COUNTRY_NAME "US"
-#define PV_IBM_Z_SUBJECT_LOCALITY_NAME "Poughkeepsie"
+#define PV_IBM_Z_SUBJECT_LOCALITY_NAME_POUGHKEEPSIE "Poughkeepsie"
+#define PV_IBM_Z_SUBJECT_LOCALITY_NAME_ARMONK "Armonk"
#define PV_IBM_Z_SUBJECT_ORGANIZATIONONAL_UNIT_NAME_SUFFIX "Key Signing Service"
#define PV_IBM_Z_SUBJECT_ORGANIZATION_NAME "International Business Machines Corporation"
#define PV_IBM_Z_SUBJECT_STATE "New York"
Index: s390-tools-service/genprotimg/src/utils/crypto.c
===================================================================
--- s390-tools-service.orig/genprotimg/src/utils/crypto.c
+++ s390-tools-service/genprotimg/src/utils/crypto.c
@@ -664,62 +664,9 @@ static gboolean x509_name_data_by_nid_eq
return memcmp(data, y, data_len) == 0;
}
-static gboolean own_X509_NAME_ENTRY_equal(const X509_NAME_ENTRY *x,
- const X509_NAME_ENTRY *y)
-{
- const ASN1_OBJECT *x_obj = X509_NAME_ENTRY_get_object(x);
- const ASN1_STRING *x_data = X509_NAME_ENTRY_get_data(x);
- const ASN1_OBJECT *y_obj = X509_NAME_ENTRY_get_object(y);
- const ASN1_STRING *y_data = X509_NAME_ENTRY_get_data(y);
- gint x_len = ASN1_STRING_length(x_data);
- gint y_len = ASN1_STRING_length(y_data);
-
- if (x_len < 0 || x_len != y_len)
- return FALSE;
-
- /* ASN1_STRING_cmp(x_data, y_data) == 0 doesn't work because it also
- * compares the type, which is sometimes different.
- */
- return OBJ_cmp(x_obj, y_obj) == 0 &&
- memcmp(ASN1_STRING_get0_data(x_data),
- ASN1_STRING_get0_data(y_data),
- (unsigned long)x_len) == 0;
-}
-
-static gboolean own_X509_NAME_equal(const X509_NAME *x, const X509_NAME *y)
-{
- gint x_count = X509_NAME_entry_count(x);
- gint y_count = X509_NAME_entry_count(y);
-
- if (x != y && (!x || !y))
- return FALSE;
-
- if (x_count != y_count)
- return FALSE;
-
- for (gint i = 0; i < x_count; i++) {
- const X509_NAME_ENTRY *entry_i = X509_NAME_get_entry(x, i);
- gboolean entry_found = FALSE;
-
- for (gint j = 0; j < y_count; j++) {
- const X509_NAME_ENTRY *entry_j =
- X509_NAME_get_entry(y, j);
-
- if (own_X509_NAME_ENTRY_equal(entry_i, entry_j)) {
- entry_found = TRUE;
- break;
- }
- }
-
- if (!entry_found)
- return FALSE;
- }
- return TRUE;
-}
-
/* Checks whether the subject of @cert is a IBM signing key subject. For this we
* must check that the subject is equal to: 'C = US, ST = New York, L =
- * Poughkeepsie, O = International Business Machines Corporation, CN =
+ * Poughkeepsie or Armonk, O = International Business Machines Corporation, CN =
* International Business Machines Corporation' and the organization unit (OUT)
* must end with the suffix ' Key Signing Service'.
*/
@@ -743,8 +690,10 @@ static gboolean has_ibm_signing_subject(
PV_IBM_Z_SUBJECT_STATE))
return FALSE;
- if (!x509_name_data_by_nid_equal(subject, NID_localityName,
- PV_IBM_Z_SUBJECT_LOCALITY_NAME))
+ if (!(x509_name_data_by_nid_equal(subject, NID_localityName,
+ PV_IBM_Z_SUBJECT_LOCALITY_NAME_POUGHKEEPSIE) ||
+ x509_name_data_by_nid_equal(subject, NID_localityName,
+ PV_IBM_Z_SUBJECT_LOCALITY_NAME_ARMONK)))
return FALSE;
if (!x509_name_data_by_nid_equal(subject, NID_organizationName,
@@ -806,6 +755,39 @@ static X509_NAME *x509_name_reorder_attr
return g_steal_pointer(&ret);
}
+/** Replace locality 'Armonk' with 'Pougkeepsie'. If Armonk was not set return
+ * `NULL`.
+ */
+static X509_NAME *x509_armonk_locality_fixup(const X509_NAME *name)
+{
+ g_autoptr(X509_NAME) ret = NULL;
+ int pos;
+
+ /* Check if ``L=Armonk`` */
+ if (!x509_name_data_by_nid_equal((X509_NAME *)name, NID_localityName,
+ PV_IBM_Z_SUBJECT_LOCALITY_NAME_ARMONK))
+ return NULL;
+
+ ret = X509_NAME_dup(name);
+ if (!ret)
+ g_abort();
+
+ pos = X509_NAME_get_index_by_NID(ret, NID_localityName, -1);
+ if (pos == -1)
+ return NULL;
+
+ X509_NAME_ENTRY_free(X509_NAME_delete_entry(ret, pos));
+
+ /* Create a new name entry at the same position as before */
+ if (X509_NAME_add_entry_by_NID(
+ ret, NID_localityName, MBSTRING_UTF8,
+ (const unsigned char *)&PV_IBM_Z_SUBJECT_LOCALITY_NAME_POUGHKEEPSIE,
+ sizeof(PV_IBM_Z_SUBJECT_LOCALITY_NAME_POUGHKEEPSIE) - 1, pos, 0) != 1)
+ return NULL;
+
+ return g_steal_pointer(&ret);
+}
+
/* In RFC 5280 the attributes of a (subject/issuer) name is not mandatory
* ordered. The problem is that our certificates are not consistent in the order
* (see https://tools.ietf.org/html/rfc5280#section-4.1.2.4 for details).
@@ -828,24 +810,10 @@ X509_NAME *c2b_name(const X509_NAME *nam
return X509_NAME_dup((X509_NAME *)name);
}
-/* Verify that: subject(issuer) == issuer(crl) and SKID(issuer) == AKID(crl) */
+/* Verify that SKID(issuer) == AKID(crl) if available */
static gint check_crl_issuer(X509_CRL *crl, X509 *issuer, GError **err)
{
- const X509_NAME *crl_issuer = X509_CRL_get_issuer(crl);
- const X509_NAME *issuer_subject = X509_get_subject_name(issuer);
- AUTHORITY_KEYID *akid = NULL;
-
- if (!own_X509_NAME_equal(issuer_subject, crl_issuer)) {
- g_autofree char *issuer_subject_str = X509_NAME_oneline(issuer_subject,
- NULL, 0);
- g_autofree char *crl_issuer_str = X509_NAME_oneline(crl_issuer, NULL, 0);
-
- g_set_error(err, PV_CRYPTO_ERROR,
- PV_CRYPTO_ERROR_CRL_SUBJECT_ISSUER_MISMATCH,
- _("issuer mismatch:\n%s\n%s"),
- issuer_subject_str, crl_issuer_str);
- return -1;
- }
+ g_autoptr(AUTHORITY_KEYID) akid = NULL;
/* If AKID(@crl) is specified it must match with SKID(@issuer) */
akid = X509_CRL_get_ext_d2i(crl, NID_authority_key_identifier, NULL, NULL);
@@ -881,7 +849,6 @@ gint check_crl_valid_for_cert(X509_CRL *
return -1;
}
- /* check that the @crl issuer matches with the subject name of @cert*/
if (check_crl_issuer(crl, cert, err) < 0)
return -1;
@@ -910,6 +877,60 @@ gint check_crl_valid_for_cert(X509_CRL *
return 0;
}
+/* This function contains work-arounds for some known subject(CRT)<->issuer(CRL)
+ * issues.
+ */
+static STACK_OF_X509_CRL *quirk_X509_STORE_ctx_get1_crls(X509_STORE_CTX *ctx,
+ const X509_NAME *subject, GError **err)
+{
+ g_autoptr(X509_NAME) fixed_subject = NULL;
+ g_autoptr(STACK_OF_X509_CRL) ret = NULL;
+
+ ret = Pv_X509_STORE_CTX_get1_crls(ctx, subject);
+ if (ret && sk_X509_CRL_num(ret) > 0)
+ return g_steal_pointer(&ret);
+
+ /* Workaround to fix the mismatch between issuer name of the * IBM
+ * signing CRLs and the IBM signing key subject name. Locality name has
+ * changed from Poughkeepsie to Armonk.
+ */
+ fixed_subject = x509_armonk_locality_fixup(subject);
+ /* Was the locality replaced? */
+ if (fixed_subject) {
+ X509_NAME *tmp;
+
+ sk_X509_CRL_free(ret);
+ ret = Pv_X509_STORE_CTX_get1_crls(ctx, fixed_subject);
+ if (ret && sk_X509_CRL_num(ret) > 0)
+ return g_steal_pointer(&ret);
+
+ /* Workaround to fix the ordering mismatch between issuer name
+ * of the IBM signing CRLs and the IBM signing key subject name.
+ */
+ tmp = fixed_subject;
+ fixed_subject = c2b_name(fixed_subject);
+ X509_NAME_free(tmp);
+ sk_X509_CRL_free(ret);
+ ret = Pv_X509_STORE_CTX_get1_crls(ctx, fixed_subject);
+ if (ret && sk_X509_CRL_num(ret) > 0)
+ return g_steal_pointer(&ret);
+ X509_NAME_free(fixed_subject);
+ fixed_subject = NULL;
+ }
+
+ /* Workaround to fix the ordering mismatch between issuer name of the
+ * IBM signing CRLs and the IBM signing key subject name.
+ */
+ fixed_subject = c2b_name(subject);
+ sk_X509_CRL_free(ret);
+ ret = Pv_X509_STORE_CTX_get1_crls(ctx, fixed_subject);
+ if (ret && sk_X509_CRL_num(ret) > 0)
+ return g_steal_pointer(&ret);
+
+ g_set_error(err, PV_CRYPTO_ERROR, PV_CRYPTO_ERROR_NO_CRL, _("no CRL found"));
+ return NULL;
+}
+
/* Given a certificate @cert try to find valid revocation lists in @ctx. If no
* valid CRL was found NULL is returned.
*/
@@ -927,20 +948,9 @@ STACK_OF_X509_CRL *store_ctx_find_valid_
return NULL;
}
- ret = X509_STORE_CTX_get1_crls(ctx, subject);
- if (!ret) {
- /* Workaround to fix the mismatch between issuer name of the
- * IBM Z signing CRLs and the IBM Z signing key subject name.
- */
- g_autoptr(X509_NAME) broken_subject = c2b_name(subject);
-
- ret = X509_STORE_CTX_get1_crls(ctx, broken_subject);
- if (!ret) {
- g_set_error(err, PV_CRYPTO_ERROR, PV_CRYPTO_ERROR_NO_CRL,
- _("no CRL found"));
- return NULL;
- }
- }
+ ret = quirk_X509_STORE_ctx_get1_crls(ctx, subject, err);
+ if (!ret)
+ return NULL;
/* Filter out non-valid CRLs for @cert */
for (gint i = 0; i < sk_X509_CRL_num(ret); i++) {
@@ -1328,32 +1338,14 @@ gint check_chain_parameters(const STACK_
/* It's almost the same as X509_check_issed from OpenSSL does except that we
* don't check the key usage of the potential issuer. This means we check:
- * 1. issuer_name(cert) == subject_name(issuer)
- * 2. Check whether the akid(cert) (if available) matches the issuer skid
- * 3. Check that the cert algrithm matches the subject algorithm
- * 4. Verify the signature of certificate @cert is using the public key of
+ * 1. Check whether the akid(cert) (if available) matches the issuer skid
+ * 2. Check that the cert algrithm matches the subject algorithm
+ * 3. Verify the signature of certificate @cert is using the public key of
* @issuer.
*/
static gint check_host_key_issued(X509 *cert, X509 *issuer, GError **err)
{
- const X509_NAME *issuer_subject = X509_get_subject_name(issuer);
- const X509_NAME *cert_issuer = X509_get_issuer_name(cert);
- AUTHORITY_KEYID *akid = NULL;
-
- /* We cannot use X509_NAME_cmp() because it considers the order of the
- * X509_NAME_Entries.
- */
- if (!own_X509_NAME_equal(issuer_subject, cert_issuer)) {
- g_autofree char *issuer_subject_str =
- X509_NAME_oneline(issuer_subject, NULL, 0);
- g_autofree char *cert_issuer_str =
- X509_NAME_oneline(cert_issuer, NULL, 0);
- g_set_error(err, PV_CRYPTO_ERROR,
- PV_CRYPTO_ERROR_CERT_SUBJECT_ISSUER_MISMATCH,
- _("Subject issuer mismatch:\n'%s'\n'%s'"),
- issuer_subject_str, cert_issuer_str);
- return -1;
- }
+ g_autoptr(AUTHORITY_KEYID) akid = NULL;
akid = X509_get_ext_d2i(cert, NID_authority_key_identifier, NULL, NULL);
if (akid && X509_check_akid(issuer, akid) != X509_V_OK) {
Index: s390-tools-service/genprotimg/src/utils/crypto.h
===================================================================
--- s390-tools-service.orig/genprotimg/src/utils/crypto.h
+++ s390-tools-service/genprotimg/src/utils/crypto.h
@@ -75,6 +75,7 @@ void x509_pair_free(x509_pair *pair);
/* Register auto cleanup functions */
WRAPPED_G_DEFINE_AUTOPTR_CLEANUP_FUNC(ASN1_INTEGER, ASN1_INTEGER_free)
WRAPPED_G_DEFINE_AUTOPTR_CLEANUP_FUNC(ASN1_OCTET_STRING, ASN1_OCTET_STRING_free)
+WRAPPED_G_DEFINE_AUTOPTR_CLEANUP_FUNC(AUTHORITY_KEYID, AUTHORITY_KEYID_free)
WRAPPED_G_DEFINE_AUTOPTR_CLEANUP_FUNC(BIGNUM, BN_free)
WRAPPED_G_DEFINE_AUTOPTR_CLEANUP_FUNC(BIO, BIO_free_all)
WRAPPED_G_DEFINE_AUTOPTR_CLEANUP_FUNC(BN_CTX, BN_CTX_free)

View File

@ -1,224 +0,0 @@
Index: s390-tools-service/include/libpv/cert.h
===================================================================
--- s390-tools-service.orig/include/libpv/cert.h
+++ s390-tools-service/include/libpv/cert.h
@@ -16,7 +16,8 @@
#define PV_IBM_Z_SUBJECT_COMMON_NAME "International Business Machines Corporation"
#define PV_IBM_Z_SUBJECT_COUNTRY_NAME "US"
-#define PV_IBM_Z_SUBJECT_LOCALITY_NAME "Poughkeepsie"
+#define PV_IBM_Z_SUBJECT_LOCALITY_NAME_POUGHKEEPSIE "Poughkeepsie"
+#define PV_IBM_Z_SUBJECT_LOCALITY_NAME_ARMONK "Armonk"
#define PV_IBM_Z_SUBJECT_ORGANIZATIONAL_UNIT_NAME_SUFFIX "Key Signing Service"
#define PV_IBM_Z_SUBJECT_ORGANIZATION_NAME "International Business Machines Corporation"
#define PV_IBM_Z_SUBJECT_STATE "New York"
Index: s390-tools-service/libpv/cert.c
===================================================================
--- s390-tools-service.orig/libpv/cert.c
+++ s390-tools-service/libpv/cert.c
@@ -857,7 +857,7 @@ static gboolean x509_name_data_by_nid_eq
/* Checks whether the subject of @cert is a IBM signing key subject. For this we
* must check that the subject is equal to: 'C = US, ST = New York, L =
- * Poughkeepsie, O = International Business Machines Corporation, CN =
+ * Poughkeepsie or Armonk, O = International Business Machines Corporation, CN =
* International Business Machines Corporation' and the organization unit (OUT)
* must end with the suffix ' Key Signing Service'.
*/
@@ -879,7 +879,10 @@ static gboolean has_ibm_signing_subject(
if (!x509_name_data_by_nid_equal(subject, NID_stateOrProvinceName, PV_IBM_Z_SUBJECT_STATE))
return FALSE;
- if (!x509_name_data_by_nid_equal(subject, NID_localityName, PV_IBM_Z_SUBJECT_LOCALITY_NAME))
+ if (!(x509_name_data_by_nid_equal(subject, NID_localityName,
+ PV_IBM_Z_SUBJECT_LOCALITY_NAME_POUGHKEEPSIE) ||
+ x509_name_data_by_nid_equal(subject, NID_localityName,
+ PV_IBM_Z_SUBJECT_LOCALITY_NAME_ARMONK)))
return FALSE;
if (!x509_name_data_by_nid_equal(subject, NID_organizationName,
@@ -1085,10 +1088,9 @@ static int check_signature_algo_match(co
/* It's almost the same as X509_check_issed from OpenSSL does except that we
* don't check the key usage of the potential issuer. This means we check:
- * 1. issuer_name(cert) == subject_name(issuer)
- * 2. Check whether the akid(cert) (if available) matches the issuer skid
- * 3. Check that the cert algrithm matches the subject algorithm
- * 4. Verify the signature of certificate @cert is using the public key of
+ * 1. Check whether the akid(cert) (if available) matches the issuer skid
+ * 2. Check that the cert algrithm matches the subject algorithm
+ * 3. Verify the signature of certificate @cert is using the public key of
* @issuer.
*/
static int check_host_key_issued(X509 *cert, X509 *issuer, GError **error)
@@ -1097,19 +1099,6 @@ static int check_host_key_issued(X509 *c
const X509_NAME *cert_issuer = X509_get_issuer_name(cert);
g_autoptr(AUTHORITY_KEYID) akid = NULL;
- /* We cannot use X509_NAME_cmp() because it considers the order of the
- * X509_NAME_Entries.
- */
- if (!own_X509_NAME_equal(issuer_subject, cert_issuer)) {
- g_autofree char *issuer_subject_str = pv_X509_NAME_oneline(issuer_subject);
- g_autofree char *cert_issuer_str = pv_X509_NAME_oneline(cert_issuer);
-
- g_set_error(error, PV_CERT_ERROR, PV_CERT_ERROR_CERT_SUBJECT_ISSUER_MISMATCH,
- _("Subject issuer mismatch:\n'%s'\n'%s'"), issuer_subject_str,
- cert_issuer_str);
- return -1;
- }
-
akid = X509_get_ext_d2i(cert, NID_authority_key_identifier, NULL, NULL);
if (akid && X509_check_akid(issuer, akid) != X509_V_OK) {
g_set_error(error, PV_CERT_ERROR, PV_CERT_ERROR_SKID_AKID_MISMATCH,
@@ -1286,21 +1275,10 @@ int pv_verify_cert(X509_STORE_CTX *ctx,
return 0;
}
-/* Verify that: subject(issuer) == issuer(crl) and SKID(issuer) == AKID(crl) */
+/* Verify that SKID(issuer) == AKID(crl) */
static int check_crl_issuer(X509_CRL *crl, X509 *issuer, GError **error)
{
- const X509_NAME *crl_issuer = X509_CRL_get_issuer(crl);
- const X509_NAME *issuer_subject = X509_get_subject_name(issuer);
- AUTHORITY_KEYID *akid = NULL;
-
- if (!own_X509_NAME_equal(issuer_subject, crl_issuer)) {
- g_autofree char *issuer_subject_str = pv_X509_NAME_oneline(issuer_subject);
- g_autofree char *crl_issuer_str = pv_X509_NAME_oneline(crl_issuer);
-
- g_set_error(error, PV_CERT_ERROR, PV_CERT_ERROR_CRL_SUBJECT_ISSUER_MISMATCH,
- _("issuer mismatch:\n%s\n%s"), issuer_subject_str, crl_issuer_str);
- return -1;
- }
+ g_autoptr(AUTHORITY_KEYID) akid = NULL;
/* If AKID(@crl) is specified it must match with SKID(@issuer) */
akid = X509_CRL_get_ext_d2i(crl, NID_authority_key_identifier, NULL, NULL);
@@ -1325,7 +1303,6 @@ int pv_verify_crl(X509_CRL *crl, X509 *c
return -1;
}
- /* check that the @crl issuer matches with the subject name of @cert*/
if (check_crl_issuer(crl, cert, error) < 0)
return -1;
@@ -1393,6 +1370,93 @@ int pv_check_chain_parameters(const STAC
return 0;
}
+/** Replace locality 'Armonk' with 'Pougkeepsie'. If Armonk was not set return
+ * `NULL`.
+ */
+static X509_NAME *x509_armonk_locality_fixup(const X509_NAME *name)
+{
+ g_autoptr(X509_NAME) ret = NULL;
+ int pos;
+
+ /* Check if ``L=Armonk`` */
+ if (!x509_name_data_by_nid_equal((X509_NAME *)name, NID_localityName,
+ PV_IBM_Z_SUBJECT_LOCALITY_NAME_ARMONK))
+ return NULL;
+
+ ret = X509_NAME_dup(name);
+ if (!ret)
+ g_abort();
+
+ pos = X509_NAME_get_index_by_NID(ret, NID_localityName, -1);
+ if (pos == -1)
+ return NULL;
+
+ X509_NAME_ENTRY_free(X509_NAME_delete_entry(ret, pos));
+
+ /* Create a new name entry at the same position as before */
+ if (X509_NAME_add_entry_by_NID(
+ ret, NID_localityName, MBSTRING_UTF8,
+ (const unsigned char *)&PV_IBM_Z_SUBJECT_LOCALITY_NAME_POUGHKEEPSIE,
+ sizeof(PV_IBM_Z_SUBJECT_LOCALITY_NAME_POUGHKEEPSIE) - 1, pos, 0) != 1)
+ return NULL;
+
+ return g_steal_pointer(&ret);
+}
+
+/* This function contains work-arounds for some known subject(CRT)<->issuer(CRL)
+ * issues.
+ */
+static STACK_OF_X509_CRL *quirk_X509_STORE_ctx_get1_crls(X509_STORE_CTX *ctx,
+ const X509_NAME *subject, GError **err)
+{
+ g_autoptr(X509_NAME) fixed_subject = NULL;
+ g_autoptr(STACK_OF_X509_CRL) ret = NULL;
+
+ ret = pv_X509_STORE_CTX_get1_crls(ctx, subject);
+ if (ret && sk_X509_CRL_num(ret) > 0)
+ return g_steal_pointer(&ret);
+
+ /* Workaround to fix the mismatch between issuer name of the * IBM
+ * signing CRLs and the IBM signing key subject name. Locality name has
+ * changed from Poughkeepsie to Armonk.
+ */
+ fixed_subject = x509_armonk_locality_fixup(subject);
+ /* Was the locality replaced? */
+ if (fixed_subject) {
+ X509_NAME *tmp;
+
+ sk_X509_CRL_free(ret);
+ ret = pv_X509_STORE_CTX_get1_crls(ctx, fixed_subject);
+ if (ret && sk_X509_CRL_num(ret) > 0)
+ return g_steal_pointer(&ret);
+
+ /* Workaround to fix the ordering mismatch between issuer name
+ * of the IBM signing CRLs and the IBM signing key subject name.
+ */
+ tmp = fixed_subject;
+ fixed_subject = pv_c2b_name(fixed_subject);
+ X509_NAME_free(tmp);
+ sk_X509_CRL_free(ret);
+ ret = pv_X509_STORE_CTX_get1_crls(ctx, fixed_subject);
+ if (ret && sk_X509_CRL_num(ret) > 0)
+ return g_steal_pointer(&ret);
+ X509_NAME_free(fixed_subject);
+ fixed_subject = NULL;
+ }
+
+ /* Workaround to fix the ordering mismatch between issuer name of the
+ * IBM signing CRLs and the IBM signing key subject name.
+ */
+ fixed_subject = pv_c2b_name(subject);
+ sk_X509_CRL_free(ret);
+ ret = pv_X509_STORE_CTX_get1_crls(ctx, fixed_subject);
+ if (ret && sk_X509_CRL_num(ret) > 0)
+ return g_steal_pointer(&ret);
+
+ g_set_error(err, PV_CERT_ERROR, PV_CERT_ERROR_NO_CRL, _("no CRL found"));
+ return NULL;
+}
+
/* Given a certificate @cert try to find valid revocation lists in @ctx. If no
* valid CRL was found NULL is returned.
*/
@@ -1412,21 +1476,9 @@ STACK_OF_X509_CRL *pv_store_ctx_find_val
return NULL;
}
- ret = pv_X509_STORE_CTX_get1_crls(ctx, subject);
- if (!ret) {
- /* Workaround to fix the mismatch between issuer name of the
- * IBM Z signing CRLs and the IBM Z signing key subject name.
- */
- g_autoptr(X509_NAME) broken_subject = pv_c2b_name(subject);
-
- ret = pv_X509_STORE_CTX_get1_crls(ctx, broken_subject);
- if (!ret) {
- g_set_error(error, PV_CERT_ERROR, PV_CERT_ERROR_NO_CRL, _("no CRL found"));
- g_info("ERROR: %s", (*error)->message);
- return NULL;
- }
- }
-
+ ret = quirk_X509_STORE_ctx_get1_crls(ctx, subject, error);
+ if (!ret)
+ return NULL;
/* Filter out non-valid CRLs for @cert */
for (int i = 0; i < sk_X509_CRL_num(ret); i++) {
X509_CRL *crl = sk_X509_CRL_value(ret, i);

View File

@ -1,25 +0,0 @@
Index: s390-tools-service/pvattest/src/argparse.c
===================================================================
--- s390-tools-service.orig/pvattest/src/argparse.c
+++ s390-tools-service/pvattest/src/argparse.c
@@ -190,13 +190,13 @@ static gboolean hex_str_toull(const char
}
/* NOTE REQUIRED */
-#define _entry_root_ca(__arg_data, __indent) \
- { \
- .long_name = "root-ca", .short_name = 0, .flags = G_OPTION_FLAG_NONE, \
- .arg = G_OPTION_ARG_FILENAME_ARRAY, .arg_data = __arg_data, \
- .description = "Use FILE as the trusted root CA instead the\n" __indent \
- "root CAs that are installed on the system (optional).\n", \
- .arg_description = "FILE", \
+#define _entry_root_ca(__arg_data, __indent) \
+ { \
+ .long_name = "root-ca", .short_name = 0, .flags = G_OPTION_FLAG_NONE, \
+ .arg = G_OPTION_ARG_FILENAME, .arg_data = __arg_data, \
+ .description = "Use FILE as the trusted root CA instead the\n" __indent \
+ "root CAs that are installed on the system (optional).\n", \
+ .arg_description = "FILE", \
}
/* NOTE REQUIRED */

View File

@ -1,92 +0,0 @@
From 0748d365a60477c96cb9f6a12e9dbe547d549e1f Mon Sep 17 00:00:00 2001
From: Marc Hartmayer <mhartmay@linux.ibm.com>
Date: Tue, 12 Mar 2024 09:33:19 +0000
Subject: [PATCH] genprotimg/**/Makefile: Fix staged installs
Fix the support for staged installs. The Makefile variable `PKGDATADIR`
uses `DESTDIR` for all Makefile target, but actually it should only be
used for the `install*` and `uninstall*` targets. [1] Fix this by using
`DESTDIR` only for `install*` targets - uninstall* targets are not
supported by s390-tools.
Before this change, if `DESTDIR` was set for staged installs,
`genprotimg` has tried to find the bootloader binaries at the temporary
installation path `$DESTDIR$(TOOLS_DATADIR)/genprotimg/` instead of
`$(TOOLS_DATADIR)/genprotimg`.
[1] https://www.gnu.org/prep/standards/html_node/DESTDIR.html
Fixes: 65b9fc442c1a ("genprotimg: introduce new tool for the creation of PV images")
Reviewed-by: Steffen Eiden <seiden@linux.ibm.com>
Signed-off-by: Marc Hartmayer <mhartmay@linux.ibm.com>
Signed-off-by: Steffen Eiden <seiden@linux.ibm.com>
---
genprotimg/Makefile | 6 +++---
genprotimg/boot/Makefile | 8 ++++----
genprotimg/src/Makefile | 2 +-
3 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/genprotimg/Makefile b/genprotimg/Makefile
index 8c9f7048..6a2e37e4 100644
--- a/genprotimg/Makefile
+++ b/genprotimg/Makefile
@@ -3,7 +3,7 @@ include ../common.mak
.DEFAULT_GOAL := all
-PKGDATADIR := "$(DESTDIR)$(TOOLS_DATADIR)/genprotimg"
+PKGDATADIR := "$(TOOLS_DATADIR)/genprotimg"
TESTS :=
SUBDIRS := boot src man
RECURSIVE_TARGETS := all-recursive install-recursive clean-recursive
@@ -11,8 +11,8 @@ RECURSIVE_TARGETS := all-recursive install-recursive clean-recursive
all: all-recursive
install: install-recursive
- $(INSTALL) -d -m 755 "$(PKGDATADIR)"
- $(INSTALL) -g $(GROUP) -o $(OWNER) -m 755 samples/check_hostkeydoc "$(PKGDATADIR)"
+ $(INSTALL) -d -m 755 "$(DESTDIR)$(PKGDATADIR)"
+ $(INSTALL) -g $(GROUP) -o $(OWNER) -m 755 samples/check_hostkeydoc "$(DESTDIR)$(PKGDATADIR)"
clean: clean-recursive
diff --git a/genprotimg/boot/Makefile b/genprotimg/boot/Makefile
index 799df9cc..73f3c9a8 100644
--- a/genprotimg/boot/Makefile
+++ b/genprotimg/boot/Makefile
@@ -7,7 +7,7 @@ DEBUG_FILES := $(addsuffix .debug,$(FILES))
ifeq ($(HOST_ARCH),s390x)
ZIPL_DIR := $(rootdir)/zipl
ZIPL_BOOT_DIR := $(ZIPL_DIR)/boot
-PKGDATADIR := $(DESTDIR)$(TOOLS_DATADIR)/genprotimg
+PKGDATADIR := $(TOOLS_DATADIR)/genprotimg
INCLUDE_PATHS := $(ZIPL_BOOT_DIR) $(ZIPL_DIR)/include $(rootdir)/include
INCLUDE_PARMS := $(addprefix -I,$(INCLUDE_PATHS))
@@ -86,9 +86,9 @@ stage3b.elf: head.o $(ZIPL_OBJS)
@chmod a-x $@
install: stage3a.bin stage3b_reloc.bin
- $(INSTALL) -d -m 755 "$(PKGDATADIR)"
- $(INSTALL) -g $(GROUP) -o $(OWNER) -m 644 stage3a.bin "$(PKGDATADIR)"
- $(INSTALL) -g $(GROUP) -o $(OWNER) -m 644 stage3b_reloc.bin "$(PKGDATADIR)"
+ $(INSTALL) -d -m 755 "$(DESTDIR)$(PKGDATADIR)"
+ $(INSTALL) -g $(GROUP) -o $(OWNER) -m 644 stage3a.bin "$(DESTDIR)$(PKGDATADIR)"
+ $(INSTALL) -g $(GROUP) -o $(OWNER) -m 644 stage3b_reloc.bin "$(DESTDIR)$(PKGDATADIR)"
else
# Don't generate the dependency files (see `common.mak` for the
diff --git a/genprotimg/src/Makefile b/genprotimg/src/Makefile
index 08734bff..d447e6cf 100644
--- a/genprotimg/src/Makefile
+++ b/genprotimg/src/Makefile
@@ -3,7 +3,7 @@ include ../../common.mak
bin_PROGRAM = genprotimg
-PKGDATADIR ?= "$(DESTDIR)$(TOOLS_DATADIR)/genprotimg"
+PKGDATADIR ?= "$(TOOLS_DATADIR)/genprotimg"
SRC_DIR := $(dir $(realpath $(firstword $(MAKEFILE_LIST))))
TOP_SRCDIR := $(SRC_DIR)/../
ROOT_DIR = $(TOP_SRC_DIR)/../../

View File

@ -1,3 +1,134 @@
-------------------------------------------------------------------
Thu Jan 9 07:05:53 UTC 2025 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
- Applied backport patches from s390-tools 2.37 to 2.36 ( jsc#PED-11870 )
( jsc#IBM-1447, jsc#IBM-1062 )
* s390-tools-General-update-01.patch
* s390-tools-General-update-02.patch
* s390-tools-General-update-03.patch
* s390-tools-General-update-04.patch
* s390-tools-General-update-05.patch
* s390-tools-General-update-06.patch
* s390-tools-General-update-07.patch
* s390-tools-General-update-08.patch
* s390-tools-General-update-09.patch
* s390-tools-General-update-10.patch
* s390-tools-General-update-11.patch
* s390-tools-General-update-12.patch
* s390-tools-Additional-update-01.patch
* s390-tools-Additional-update-02.patch
( jsc#IBM-1570, jsc#IBM-1571 )
* s390-tools-Support-unencrypted-SE-images-01.patch
( jsc#IBM-1572, jsc#IBM-1573 )
* s390-tools-pvimg-info-command-01.patch
* s390-tools-pvimg-info-command-02.patch
* s390-tools-pvimg-info-command-03.patch
* s390-tools-pvimg-info-command-04.patch
( jsc#IBM-1576, jsc#IBM-1577 )
* s390-tools-pvimg-additional-01.patch
- Renamed patches from - to
* s390-tools-01-opticsmon-Fix-runaway-loop-in-on_link_change.patch
to
s390-tools-Additional-update-01.patch
* s390-tools-02-libzpci-opticsmon-Refactor-on_link_change-using-new.patch
to
s390-tools-Additional-update-02.patch
* s390-tools-03-rust-pvimg-Add-enable-disable-image-encryption-flags-to-pvimg-create.patch
to
s390-tools-Support-unencrypted-SE-images-01.patch
- Revendored vendor.tar.gz
-------------------------------------------------------------------
Tue Jan 7 08:59:16 UTC 2025 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
- Applied a patch for '--(enable|disable)-image-encryption' flags for 'pvimg create' (jsc#PED-11870)
* s390-tools-03-rust-pvimg-Add-enable-disable-image-encryption-flags-to-pvimg-create.patch
-------------------------------------------------------------------
Tue Dec 31 09:59:27 UTC 2024 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
- Applied patches (jsc#PED-9591, jsc#PED-10303)
* s390-tools-01-opticsmon-Fix-runaway-loop-in-on_link_change.patch
* s390-tools-02-libzpci-opticsmon-Refactor-on_link_change-using-new.patch
-------------------------------------------------------------------
Mon Dec 9 09:49:52 UTC 2024 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
- Upgrade s390-tools to version 2.36 (jsc#PED-10303, jsc#PED-9591)
* s390-tools: Define Rust MSRV as 1.75.0
* Add new tools / libraries:
- cpacfinfo: Tool to provide CPACF information
- opticsmon: Tools to monitor optical modules for directly attached PCI based NICs
- pvimg: Rust rewrite of genprotimg
* Changes of existing tools:
- chpstat: Add data bandwidth utilization column
- chpstat: Add support for full CMCB
- chpstat: Add support for new CMG types
- dbginfo.sh: add overview commands and crypto update
- hyptop: Support for structured output (json, json-seq, csv)
- lszfcp: Add missing fallback marker for non-good fc_host port_state
- lszfcp: Improve speed with many SCSI devices
- pvattest: Add attestation policy check command
- zipl: Add support of partitions of mirror md-devices
* Bug Fixes:
- lszcrypt: Fix wrong state showing up for removed AP queue within SE guest
- lszfcp: Show device names line for zfcp_units without SCSI device
- Revendored vendor.tar.gz
- Applied additional patch (bsc#1233889, bsc#1233079)
* s390-tools-02-zipl-src-fix-imprecise-check-that-file-is-on-specifi.patch
-------------------------------------------------------------------
Thu Dec 5 15:13:49 UTC 2024 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
- Applied a patch (bsc#1233889)
* s390-tools-01-zipl_helper.device-mapper-add-missed-step-in-logical.patch
- Amended the /usr/lib/modules-load.d/pkey.conf (bsc#1233233). Added
* pkey_cca
* pkey_ep11
* pkey_pckmo
-------------------------------------------------------------------
Tue Nov 5 07:39:58 UTC 2024 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
- Amended the *_configure scripts to update again the SUSE's specific file
'/boot/zipl/active_devices.txt' (bsc#1232474, bsc#1216257)
* ctc_configure
* dasd_configure
* qeth_configure
* zfcp_host_configure
-------------------------------------------------------------------
Tue Oct 8 10:35:04 UTC 2024 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
* Upgrade s390-tools to version 2.35 (jsc#PED-9591, jsc#PED-10303)
* Changes of existing tools:
- cpacfstats: Add support for FULL XTS (MSA 10) and HMAC (MSA 11) PAI counter
- cpuplugd: Make cpuplugd compatible with hiperdispatch
- dbginfo.sh: Add network sockstat info
- pvapconfig: s390x exclusive build
- zdev: Add option to select IPL device
- zdump/dfo_s390: Support s390 DFO for vr-kernel dumps
- zipl: Add support of mirror devices
* Bug Fixes:
- (genprotimg|zipl)/boot: discard .note.package ELF section to save memory
- netboot/mk-s390image: Fix size when argument is a symlink
- ziorep_config: Fix warning message when multipath device is not there.
- zipl: Fix problems when target parameters are specified by user
- zipl: Fix segfault when creating device-based dumps with '--dry-run'
* Removed obsolete patches
- s390-tools-2.34-Fix-Rust-compilation-errors.patch
- s390-tools-01-zipl-src-add-basic-support-for-multiple-target-base-disks.patch
- s390-tools-02-zipl-src-add-basic-support-for-multiple-target-base-disks.patch
* Revendored vendor.tar.gz
-------------------------------------------------------------------
Mon Sep 16 12:49:55 UTC 2024 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
* Applied patches (bsc#1230345)
- zipl/src: add basic support for multiple target base disks
- s390-tools-01-zipl-src-add-basic-support-for-multiple-target-base-disks.patch
- s390-tools-02-zipl-src-add-basic-support-for-multiple-target-base-disks.patch
------------------------------------------------------------------- -------------------------------------------------------------------
Mon Aug 26 09:17:17 UTC 2024 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com> Mon Aug 26 09:17:17 UTC 2024 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>

View File

@ -1,7 +1,7 @@
# #
# spec file for package s390-tools # spec file for package s390-tools
# #
# Copyright (c) 2024 SUSE LLC # Copyright (c) 2025 SUSE LLC
# #
# All modifications and additions to the file contributed by third parties # All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed # remain the property of their copyright owners, unless otherwise agreed
@ -33,7 +33,7 @@
%endif %endif
Name: s390-tools Name: s390-tools
Version: 2.34.0 Version: 2.36.0
Release: 0 Release: 0
Summary: S/390 tools like zipl and dasdfmt for s390x (plus selected tools for x86_64) Summary: S/390 tools like zipl and dasdfmt for s390x (plus selected tools for x86_64)
License: MIT License: MIT
@ -153,20 +153,48 @@ Patch910: s390-tools-sles15sp1-11-zdev-Do-not-call-zipl-on-initrd-update.p
Patch911: s390-tools-sles15sp5-remove-no-pie-link-arguments.patch Patch911: s390-tools-sles15sp5-remove-no-pie-link-arguments.patch
Patch912: s390-tools-ALP-zdev-live.patch Patch912: s390-tools-ALP-zdev-live.patch
Patch913: s390-tools-sles15sp6-kdump-initrd-59-zfcp-compat-rules.patch Patch913: s390-tools-sles15sp6-kdump-initrd-59-zfcp-compat-rules.patch
Patch914: s390-tools-slfo-01-parse-ipl-device-for-activation.patch ###
Patch915: s390-tools-2.34-Fix-Rust-compilation-errors.patch Patch914: s390-tools-01-zipl_helper.device-mapper-add-missed-step-in-logical.patch
Patch915: s390-tools-02-zipl-src-fix-imprecise-check-that-file-is-on-specifi.patch
###
Patch920: s390-tools-General-update-01.patch
Patch921: s390-tools-General-update-02.patch
Patch922: s390-tools-General-update-03.patch
Patch923: s390-tools-General-update-04.patch
Patch924: s390-tools-General-update-05.patch
Patch925: s390-tools-General-update-06.patch
Patch926: s390-tools-General-update-07.patch
Patch927: s390-tools-General-update-08.patch
Patch928: s390-tools-General-update-09.patch
Patch929: s390-tools-General-update-10.patch
Patch930: s390-tools-General-update-11.patch
Patch931: s390-tools-General-update-12.patch
###
Patch935: s390-tools-Additional-update-01.patch
Patch936: s390-tools-Additional-update-02.patch
###
Patch950: s390-tools-pvimg-info-command-01.patch
Patch951: s390-tools-pvimg-info-command-02.patch
Patch952: s390-tools-pvimg-info-command-03.patch
###
Patch960: s390-tools-Support-unencrypted-SE-images-01.patch
Patch961: s390-tools-pvimg-info-command-04.patch
Patch962: s390-tools-pvimg-additional-01.patch
###
Patch990: s390-tools-slfo-01-parse-ipl-device-for-activation.patch
### ###
BuildRequires: curl-devel BuildRequires: curl-devel
BuildRequires: dracut BuildRequires: dracut
BuildRequires: fuse3-devel BuildRequires: fuse3-devel
BuildRequires: gcc13 BuildRequires: gcc
BuildRequires: gcc13-c++ BuildRequires: gcc-c++
BuildRequires: gettext-tools BuildRequires: gettext-tools
BuildRequires: glib2-devel BuildRequires: glib2-devel
BuildRequires: glibc-devel-static BuildRequires: glibc-devel-static
BuildRequires: libcryptsetup-devel > 2.0.3 BuildRequires: libcryptsetup-devel > 2.0.3
BuildRequires: libjson-c-devel BuildRequires: libjson-c-devel
BuildRequires: libnl3-devel
BuildRequires: libxml2-devel BuildRequires: libxml2-devel
BuildRequires: mdevctl BuildRequires: mdevctl
BuildRequires: ncurses-devel BuildRequires: ncurses-devel
@ -225,12 +253,13 @@ zipl - boot loader and dump DASD initializer
zgetdump - tool to get linux system dumps from DASD zgetdump - tool to get linux system dumps from DASD
- x86_64 - x86_64
genprotimg - create a protected virtualization image pvimg - create a protected virtualization image (genprotimg)
pvattest - create, perform, and verify protected virtualization attestation measurements pvattest - create, perform, and verify protected virtualization attestation measurements
pvsecret - manage secrets for IBM Secure Execution guests. pvsecret - manage secrets for IBM Secure Execution guests.
pvapconfig - used to automatically set up the AP configuration within an IBM Secure Execution guest.
Note: Auxiliary data package - s390-tools-genprotimg-data Warning: There is an auxiliary data package - s390-tools-genprotimg-data.
To install s390-tools properly, please use:
'sudo zypper install s390-tools s390-tools-genprotimg-data'
%package -n osasnmpd %package -n osasnmpd
Summary: OSA-Express SNMP subagent Summary: OSA-Express SNMP subagent
@ -349,11 +378,11 @@ BuildArch: noarch
Requires(pre): filesystem Requires(pre): filesystem
%description genprotimg-data %description genprotimg-data
The genprotimg allows preparing and analyzing boot images The pvimg (genprotimg) allows preparing and analyzing boot images
in the realm of IBM Secure Execution on a trusted environment, in the realm of IBM Secure Execution on a trusted environment,
such as the laptop of an admin by limiting the build targets such as the laptop of an admin by limiting the build targets
depending on the defined or detected host architecture. depending on the defined or detected host architecture.
This package provides auxiliary data used by genprotimg. This package provides auxiliary data used by pvimg(genprotimg).
### *** s390x ************************************************************************* ### ### *** s390x ************************************************************************* ###
%ifarch s390x %ifarch s390x
@ -363,7 +392,7 @@ This package provides auxiliary data used by genprotimg.
cp -vi %{SOURCE22} CAUTION cp -vi %{SOURCE22} CAUTION
install -D -m 0644 %{SOURCE200} .cargo/config install -D -m 0644 %{SOURCE200} .cargo/config.toml
tar -xzf %{SOURCE201} tar -xzf %{SOURCE201}
%build %build
@ -380,11 +409,9 @@ export KERNELIMAGE_MAKEFLAGS="%%{?_smp_mflags}"
DISTRELEASE=%{release} \ DISTRELEASE=%{release} \
UDEVRUNDIR=/run/udev \ UDEVRUNDIR=/run/udev \
HAVE_CARGO=1 \ HAVE_CARGO=1 \
HAVE_DRACUT=1 \ HAVE_DRACUT=1
CC=gcc-13 \
CXX=g++-13
### all ### all
gcc-13 -static -o read_values ${OPT_FLAGS} %{SOURCE86} -lqc gcc -static -o read_values ${OPT_FLAGS} %{SOURCE86} -lqc
%install %install
mkdir -p %{buildroot}/boot/zipl mkdir -p %{buildroot}/boot/zipl
@ -395,9 +422,7 @@ mkdir -p %{buildroot}%{_sysconfdir}/zkey/repository
SYSTEMDSYSTEMUNITDIR=%{_unitdir} \ SYSTEMDSYSTEMUNITDIR=%{_unitdir} \
UDEVRUNDIR=/run/udev \ UDEVRUNDIR=/run/udev \
HAVE_CARGO=1 \ HAVE_CARGO=1 \
HAVE_DRACUT=1 \ HAVE_DRACUT=1
CC=gcc-13 \
CXX=g++-13
### all ### all
# The make install command puts things in /etc/sysconfig and not the # The make install command puts things in /etc/sysconfig and not the
@ -719,7 +744,6 @@ done
%dir %{_prefix}/lib/systemd/scripts %dir %{_prefix}/lib/systemd/scripts
%dir %{_datadir}/s390-tools %dir %{_datadir}/s390-tools
%dir %{_datadir}/s390-tools/netboot %dir %{_datadir}/s390-tools/netboot
%dir %{_datadir}/s390-tools/genprotimg
%dir %{_prefix}/lib/dracut/modules.d/95zdev %dir %{_prefix}/lib/dracut/modules.d/95zdev
%dir %{_prefix}/lib/dracut/modules.d/95zdev-kdump %dir %{_prefix}/lib/dracut/modules.d/95zdev-kdump
%dir %{_prefix}/lib/dracut/modules.d/96zdev-live %dir %{_prefix}/lib/dracut/modules.d/96zdev-live
@ -742,8 +766,8 @@ done
%dir /etc/mdevctl.d/scripts.d/callouts/ %dir /etc/mdevctl.d/scripts.d/callouts/
### ###
%exclude /lib/s390-tools/stage3.bin %exclude /lib/s390-tools/stage3.bin
%exclude %{_datadir}/s390-tools/genprotimg/stage3a.bin %exclude %{_datadir}/s390-tools/pvimg/stage3a.bin
%exclude %{_datadir}/s390-tools/genprotimg/stage3b_reloc.bin %exclude %{_datadir}/s390-tools/pvimg/stage3b_reloc.bin
### ###
%files -n osasnmpd -f %{_builddir}/%{name}.osasnmp %files -n osasnmpd -f %{_builddir}/%{name}.osasnmp
@ -794,8 +818,9 @@ done
### genprotimg ### genprotimg
%files genprotimg-data %files genprotimg-data
/lib/s390-tools/stage3.bin /lib/s390-tools/stage3.bin
%{_datadir}/s390-tools/genprotimg/stage3a.bin %dir %{_datadir}/s390-tools/pvimg
%{_datadir}/s390-tools/genprotimg/stage3b_reloc.bin %{_datadir}/s390-tools/pvimg/stage3a.bin
%{_datadir}/s390-tools/pvimg/stage3b_reloc.bin
### _endif ### _endif
### *** !s390x ************************************************************************* ### ### *** !s390x ************************************************************************* ###
@ -805,12 +830,13 @@ done
%prep %prep
%autosetup -p1 %autosetup -p1
install -D -m 0644 %{SOURCE200} .cargo/config install -D -m 0644 %{SOURCE200} .cargo/config.toml
tar -xzf %{SOURCE201} tar -xzf %{SOURCE201}
%build %build
export OPT_FLAGS="%{optflags}" export OPT_FLAGS="%{optflags}"
export KERNELIMAGE_MAKEFLAGS="%%{?_smp_mflags}" export KERNELIMAGE_MAKEFLAGS="%%{?_smp_mflags}"
%make_build \ %make_build \
DISTRELEASE=%{release} \ DISTRELEASE=%{release} \
UDEVRUNDIR=/run/udev \ UDEVRUNDIR=/run/udev \
@ -818,6 +844,7 @@ export KERNELIMAGE_MAKEFLAGS="%%{?_smp_mflags}"
HAVE_DRACUT=1 HAVE_DRACUT=1
%install %install
%make_install \ %make_install \
DISTRELEASE=%{release} \ DISTRELEASE=%{release} \
SYSTEMDSYSTEMUNITDIR=%{_unitdir} \ SYSTEMDSYSTEMUNITDIR=%{_unitdir} \
@ -828,8 +855,8 @@ export KERNELIMAGE_MAKEFLAGS="%%{?_smp_mflags}"
%files %files
%{_prefix}/bin/* %{_prefix}/bin/*
%dir %{_datadir}/s390-tools %dir %{_datadir}/s390-tools
%dir %{_datadir}/s390-tools/genprotimg %dir %{_datadir}/s390-tools/pvimg
%{_datadir}/s390-tools/genprotimg/check_hostkeydoc %{_datadir}/s390-tools/pvimg/check_hostkeydoc
%{_mandir}/man1/* %{_mandir}/man1/*
%endif %endif

BIN
vendor.tar.gz (Stored with Git LFS)

Binary file not shown.

View File

@ -38,6 +38,14 @@ debug_mesg () {
esac esac
} }
add_cio_channel() {
echo "$* # ${DATE}" >> /boot/zipl/active_devices.txt
}
remove_cio_channel() {
[ -w /boot/zipl/active_devices.txt ] && sed -i -e "/^${1}/d" /boot/zipl/active_devices.txt
}
usage(){ usage(){
echo "Usage: ${0} <ccwid> <online>" echo "Usage: ${0} <ccwid> <online>"
echo " ccwid = x.y.ssss where" echo " ccwid = x.y.ssss where"
@ -80,3 +88,8 @@ RC=${?}
if [ ${RC} -ne 0 ]; then if [ ${RC} -ne 0 ]; then
exit ${RC} exit ${RC}
fi fi
if [ ${ON_OFF} == 1 ]; then
add_cio_channel "${CCW_CHAN_ID}"
else remove_cio_channel "${CCW_CHAN_ID}"
fi