From 541e8e05c0bfa6eb93d324bb4b5f7dbad0648ec3 Mon Sep 17 00:00:00 2001 From: eabdullin Date: Mon, 9 Oct 2023 11:18:06 +0000 Subject: [PATCH] import CS s390utils-2.27.0-4.el9 --- .gitignore | 2 +- .s390utils.metadata | 2 +- .../s390-tools-zipl-blscfg-rpm-nvr-sort.patch | 12 +- SOURCES/s390utils-2.25.0-rhel.patch | 35 - SOURCES/s390utils-2.27.0-rhel.patch | 1578 +++++++++++++++++ SPECS/s390utils.spec | 38 +- 6 files changed, 1612 insertions(+), 55 deletions(-) delete mode 100644 SOURCES/s390utils-2.25.0-rhel.patch create mode 100644 SOURCES/s390utils-2.27.0-rhel.patch diff --git a/.gitignore b/.gitignore index 60549f6..dee9e30 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/s390-tools-2.25.0.tar.gz +SOURCES/s390-tools-2.27.0.tar.gz diff --git a/.s390utils.metadata b/.s390utils.metadata index dba08ad..e0bea3f 100644 --- a/.s390utils.metadata +++ b/.s390utils.metadata @@ -1 +1 @@ -e8e0d3f651179fd14dc4a40d53a1e4ef6edaae7d SOURCES/s390-tools-2.25.0.tar.gz +ebfc228d39c55586d6b5af08682896adda6b0068 SOURCES/s390-tools-2.27.0.tar.gz diff --git a/SOURCES/s390-tools-zipl-blscfg-rpm-nvr-sort.patch b/SOURCES/s390-tools-zipl-blscfg-rpm-nvr-sort.patch index 3960de1..366efba 100644 --- a/SOURCES/s390-tools-zipl-blscfg-rpm-nvr-sort.patch +++ b/SOURCES/s390-tools-zipl-blscfg-rpm-nvr-sort.patch @@ -1,4 +1,4 @@ -From a17c57bf2b7b6d64a509cb5fb02fe46849bc550c Mon Sep 17 00:00:00 2001 +From b2daaa34776ba6afec879e362378f6f7563590a6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dan=20Hor=C3=A1k?= Date: Mon, 20 Jun 2022 17:43:05 +0200 Subject: [PATCH 1/2] Revert "zipl/src: Implement sorting bls entries by @@ -194,10 +194,10 @@ index 0cea1d4..9352f76 100644 return n; -- -2.37.3 +2.39.2 -From 7a51cfc15b870d90bffe1e24a1da922663ffe1d7 Mon Sep 17 00:00:00 2001 +From 692e70bcfc32a05e30146bd7077c41e0eaceff03 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Mon, 20 Jun 2022 17:46:59 +0200 Subject: [PATCH 2/2] blscfg: sort like rpm nvr, not like a single version @@ -213,7 +213,7 @@ 
Signed-off-by: Dan Horák 2 files changed, 95 insertions(+), 2 deletions(-) diff --git a/zipl/src/Makefile b/zipl/src/Makefile -index 64eabe4..7043005 100644 +index cab5655..7ec215d 100644 --- a/zipl/src/Makefile +++ b/zipl/src/Makefile @@ -9,6 +9,7 @@ ALL_LDFLAGS += -Wl,-z,noexecstack $(NO_PIE_LDFLAGS) @@ -223,7 +223,7 @@ index 64eabe4..7043005 100644 + -lrpmio -lrpm objects = misc.o error.o scan.o job.o boot.o bootmap.o fs-map.o disk.o \ - bootmap_header.o envblk.o install.o zipl.o $(rootdir)/zipl/boot/data.o + bootmap_header.o envblk.o install.o zipl.o diff --git a/zipl/src/scan.c b/zipl/src/scan.c index 9352f76..3327e2d 100644 --- a/zipl/src/scan.c @@ -344,5 +344,5 @@ index 9352f76..3327e2d 100644 static int scan_append_section_heading(struct scan_token* scan, int* index, char* name); -- -2.37.3 +2.39.2 diff --git a/SOURCES/s390utils-2.25.0-rhel.patch b/SOURCES/s390utils-2.25.0-rhel.patch deleted file mode 100644 index 94453de..0000000 --- a/SOURCES/s390utils-2.25.0-rhel.patch +++ /dev/null 
@@ -1,35 +0,0 @@ -From a9fed51fbf159a98fcd4a9dddf4fef243bb433af Mon Sep 17 00:00:00 2001 -From: Ingo Franzki -Date: Fri, 20 Jan 2023 11:04:18 +0100 -Subject: [PATCH] zkey: Support EP11 host library version 4 (#2165812) -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Try to load libep11.so.4 if available, but fallback to older -library versions if not. - -Reviewed-by: Jörg Schmidbauer -Signed-off-by: Ingo Franzki -Signed-off-by: Steffen Eiden -(cherry picked from commit 6222c384958729bc4b5bad61ad38967647cc3248) ---- - zkey/ep11.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/zkey/ep11.c b/zkey/ep11.c -index 58dc3c5..8359929 100644 ---- a/zkey/ep11.c -+++ b/zkey/ep11.c -@@ -35,7 +35,7 @@ - * Definitions for the EP11 library - */ - #define EP11_LIBRARY_NAME "libep11.so" --#define EP11_LIBRARY_VERSION 3 -+#define EP11_LIBRARY_VERSION 4 - #define EP11_WEB_PAGE "http://www.ibm.com/security/cryptocards" - - /** --- -2.39.1 - diff --git a/SOURCES/s390utils-2.27.0-rhel.patch b/SOURCES/s390utils-2.27.0-rhel.patch new file mode 100644 index 0000000..0ab3339 --- /dev/null +++ b/SOURCES/s390utils-2.27.0-rhel.patch 
@@ -0,0 +1,1578 @@ +From 368c5581b8e7f9f796764c3f697babd63d637767 Mon Sep 17 00:00:00 2001 +From: Stefan Haberland +Date: Mon, 8 May 2023 14:52:54 +0200 +Subject: [PATCH 1/7] zdev: add support for autoquiesce related sysfs + attributes (#2196517) + +Autoquiesce is a mechanism that tells Linux to stop issuing I/Os to a +specific DASD after certain events. + +Add support for configuring related DASD device attributes +that govern the following aspects of autoquiesce: + +aq_mask - Configure which events lead to autoquiesce. +aq_requeue - Configure if autoquiesce will requeue all I/O to blocklayer. +aq_timeouts - Configure the number of timeouts before autoquiesce. + +Signed-off-by: Stefan Haberland +Reviewed-by: Peter Oberparleiter +Signed-off-by: Steffen Eiden +(cherry picked from commit 493af760ed47454f5719f05a6e6316f43a3be98a) +--- + zdev/src/dasd.c | 65 +++++++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 65 insertions(+) + +diff --git a/zdev/src/dasd.c b/zdev/src/dasd.c +index f9fd231..4330229 100644 +--- a/zdev/src/dasd.c ++++ b/zdev/src/dasd.c +@@ -344,6 +344,68 @@ static struct attrib dasd_attr_fc_security = { + .readonly = 1, + }; + ++static struct attrib dasd_attr_aq_mask = { ++ .name = "aq_mask", ++ .title = "Specify autoquiesce triggers", ++ .desc = ++ "Use the aq_mask attribute to automatically quiesce a device and block\n" ++ "new I/O after certain events.\n" ++ "\n" ++ "The value is a bitmask in decimal or hexadecimal format where each set bit\n" ++ "indicates that the associated event shown in the table below triggers an\n" ++ "autoquiesce.\n" ++ " Bit 0 is not used.\n" ++ " 1 - 0x02 - A terminal I/O error occurred\n" ++ " 2 - 0x04 - No active channel paths remain for the device\n" ++ " 3 - 0x08 - A state change interrupt occurred\n" ++ " 4 - 0x10 - The device is PPRC suspended\n" ++ " 5 - 0x20 - No space is left on an ESE device\n" ++ " 6 - 0x40 – The number of timeouts specified in aq_timeouts is reached\n" ++ " 7 - 0x80 - I/O was not 
started because of an error in the start function\n" ++ "\n" ++ "For example bits 1,3 and 5 set (0010 1010) lead to an integer value of 42\n" ++ "or 0x2A.\n" ++ "An integer value of 0 turns off the autoquiesce function.\n", ++ .order_cmp = ccw_online_only_order_cmp, ++ .check = ccw_online_only_check, ++ .defval = "0", ++ /* ++ * Currently only 8 bits are defined and the max value is 255. ++ * This needs to be adjusted if more bits are defined. ++ */ ++ .accept = ACCEPT_ARRAY(ACCEPT_RANGE(0, 255)), ++}; ++ ++static struct attrib dasd_attr_aq_requeue = { ++ .name = "aq_requeue", ++ .title = "Control I/O requeing during autoquiesce", ++ .desc = ++ "Use the aq_requeue attribute to control whether outstanding I/O\n" ++ "operations to the blocklayer should be automatically requeued after\n" ++ "an autoquiesce event.\n" ++ "Valid values are 1 for requeuing, or 0 for no requeueing.\n" ++ "Requeing the I/O requests to the blocklayer might benefit I/O\n" ++ "in case of a copy_pair swap operation.\n", ++ .order_cmp = ccw_online_only_order_cmp, ++ .check = ccw_online_only_check, ++ .defval = "0", ++ .accept = ACCEPT_ARRAY(ACCEPT_RANGE(0, 1)), ++}; ++ ++static struct attrib dasd_attr_aq_timeouts = { ++ .name = "aq_timeouts", ++ .title = "Specify timeout retry threshold", ++ .desc = ++ "Specify the number of sequential timeout events for an I/O operation\n" ++ "before an autoquiesce is triggered on a device.\n" ++ "This requires that the corresponding trigger bit 6 is set\n" ++ "in the aq_mask attribute.\n", ++ .order_cmp = ccw_online_only_order_cmp, ++ .check = ccw_online_only_check, ++ .defval = "32768", ++ .accept = ACCEPT_ARRAY(ACCEPT_RANGE(0, 32768)), ++}; ++ + /* + * DASD subtype methods. 
+ */ +@@ -725,6 +787,9 @@ struct subtype dasd_subtype_eckd = { + &dasd_attr_safe_offline, + &dasd_attr_fc_security, + &dasd_attr_copy_pair, ++ &dasd_attr_aq_mask, ++ &dasd_attr_aq_requeue, ++ &dasd_attr_aq_timeouts, + &internal_attr_early, + ), + .unknown_dev_attribs = 1, +-- +2.41.0 + + +From 21a9e00ffeb5ef885ad52b73f2724cef6d1ae73d Mon Sep 17 00:00:00 2001 +From: Vineeth Vijayan +Date: Wed, 7 Jun 2023 14:10:56 +0200 +Subject: [PATCH 2/7] zdev: add proper value input for the ZDEV_SITE_ID key + (#2223304) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +udev does not allow an empty value for keys when importing output +from an external program. Providing an empty value for any key +invokes a warning during the parsing. Currently, ZDEV_SITE_ID for +fallback sites are not assigned any value. Add an empty double +quotes as the value in case of failover sites. + +This modification is tested on udevadm version 253 on fedora38. + +Also verify that the ZDEV_SITE_ID is properly written, if not log +the error. 
+ +Fixes: c8ad5f57d0fc ("zdev: modify zdev_id to read the site_id from loadparm") +Reported-by: Alexander Egorenkov +Signed-off-by: Vineeth Vijayan +Reviewed-by: Peter Oberparleiter +Signed-off-by: Jan Höppner +(cherry picked from commit 27902c91064f5900fa0ae8116d3e1d0bcd9477bc) +--- + zdev/src/zdev_id.c | 22 +++++++++++++++++----- + 1 file changed, 17 insertions(+), 5 deletions(-) + +diff --git a/zdev/src/zdev_id.c b/zdev/src/zdev_id.c +index c341d31..9ad9961 100644 +--- a/zdev/src/zdev_id.c ++++ b/zdev/src/zdev_id.c +@@ -213,16 +213,28 @@ out: + static void write_zdev_site_id(int site_id) + { + FILE *fd; ++ int rc; + + fd = fopen(ZDEV_SITE_ID_FILE, "w"); + if (!fd) +- err(1, "Could not write to zdev_site_id file"); ++ goto err; ++ + if (site_id == SITE_FALLBACK) +- fprintf(fd, "ZDEV_SITE_ID=\n"); ++ rc = fprintf(fd, "ZDEV_SITE_ID=\"\"\n"); + else +- fprintf(fd, "ZDEV_SITE_ID=%d\n", site_id); ++ rc = fprintf(fd, "ZDEV_SITE_ID=%d\n", site_id); + +- fclose(fd); ++ if (rc < 0) { ++ fclose(fd); ++ goto err; ++ } ++ ++ if (fclose(fd)) ++ goto err; ++ ++ return; ++err: ++ err(1, "Could not write to zdev_site_id file"); + } + + /* Read the loadparm and extract the current site_id. +@@ -265,7 +277,7 @@ static void process_loadparm(const char *filename) + out: + write_zdev_site_id(site_id); + if (site_id == SITE_FALLBACK) +- printf("ZDEV_SITE_ID=\n"); ++ printf("ZDEV_SITE_ID=\"\"\n"); + else + printf("ZDEV_SITE_ID=%d\n", site_id); + } +-- +2.41.0 + + +From 90bab830c617cbecdc51ef9f6f2a19d14e6445c5 Mon Sep 17 00:00:00 2001 +From: Vineeth Vijayan +Date: Wed, 7 Jun 2023 14:10:57 +0200 +Subject: [PATCH 3/7] zdev: use rename-file to avoid any symlinks created + (#2223304) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +During the boot, the ZDEV_SITE_ID is derived with the help +of loadparm and will be saved in ZDEV_SITE_ID_FILE, which +will be the used by the udev-rules. 
+ +ZDEV_SITE_ID_FILE creation can have a surface of symlink attack +as we are directly using the fopen and fprintf on it. To avoid +this, make sure that we are writing the ZDEV_SITE_ID to a temporary +file, which will then be renamed to ZDEV_SITE_ID_FILE, which will +remove all the existing symlinks associated with the target file. + +Reported-by: Marc Hartmayer +Signed-off-by: Vineeth Vijayan +Reviewed-by: Peter Oberparleiter +Signed-off-by: Jan Höppner +(cherry picked from commit 09c01e580abc519976c8e20c5d867b3d1a31e062) +--- + zdev/src/zdev_id.c | 17 +++++++++++++++-- + 1 file changed, 15 insertions(+), 2 deletions(-) + +diff --git a/zdev/src/zdev_id.c b/zdev/src/zdev_id.c +index 9ad9961..2464b16 100644 +--- a/zdev/src/zdev_id.c ++++ b/zdev/src/zdev_id.c +@@ -213,9 +213,16 @@ out: + static void write_zdev_site_id(int site_id) + { + FILE *fd; +- int rc; ++ int tmpfd, rc; ++ const char zdev_id_file[] = ZDEV_SITE_ID_FILE; ++ char zdev_id_tmpfile[] = ZDEV_SITE_ID_FILE "-XXXXXX"; + +- fd = fopen(ZDEV_SITE_ID_FILE, "w"); ++ tmpfd = mkstemp(zdev_id_tmpfile); ++ if (tmpfd == -1) ++ goto err; ++ ++ /* Open the temp file to use with fprintf */ ++ fd = fdopen(tmpfd, "w"); + if (!fd) + goto err; + +@@ -232,6 +239,12 @@ static void write_zdev_site_id(int site_id) + if (fclose(fd)) + goto err; + ++ /* Rename the temporary file to ZDEV_SITE_ID_FILE*/ ++ if (rename(zdev_id_tmpfile, zdev_id_file) == -1) { ++ remove(zdev_id_tmpfile); ++ goto err; ++ } ++ + return; + err: + err(1, "Could not write to zdev_site_id file"); +-- +2.41.0 + + +From 5e9a117d1da306ad13b46612b709d769c792baae Mon Sep 17 00:00:00 2001 +From: Vineeth Vijayan +Date: Mon, 19 Jun 2023 11:32:15 +0200 +Subject: [PATCH 4/7] zdev: add missing label in the udev-rules (#2222900) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The udev-rules generated with the current version of chzdev command +is missing the configuration label, incase of auto configuration, +resulting 
in an ineffective configuration logic. +Add the missing configuration start label for autoconfig. + +Fixes: 2e89722ef0ec ("zdev: make site specific udev-rule for ccw") +Signed-off-by: Vineeth Vijayan +Reviewed-by: Peter Oberparleiter +Signed-off-by: Jan Höppner +(cherry picked from commit 2a1a821bb3941ddd341b52068d5c05e06d907355) +--- + zdev/src/udev_ccw.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/zdev/src/udev_ccw.c b/zdev/src/udev_ccw.c +index 3375a5e..1881337 100644 +--- a/zdev/src/udev_ccw.c ++++ b/zdev/src/udev_ccw.c +@@ -295,6 +295,7 @@ static exit_code_t udev_ccw_write_device_legacy(struct device *dev, bool autocon + } + fprintf(fd, "GOTO=\"%s\"\n", end_label); + fprintf(fd, "\n"); ++ fprintf(fd, "LABEL=\"%s\"\n", cfg_label); + + write_attr_to_file(fd, state, id); + +-- +2.41.0 + + +From 17d87f75f0e461429962f312fe3bf73ecd7d353a Mon Sep 17 00:00:00 2001 +From: Harald Freudenberger +Date: Wed, 17 May 2023 11:43:08 +0200 +Subject: [PATCH 5/7] lszcrypt: Support for SE AP pass-through support + (#2110521) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This patch adds support for Secure Execution with AP pass-through +support for lszcrypt. + +lszcrypt details: +* extension to -b: list AP bus features +* extension to -c: now also valid for queue devices, shows + bind and assoicate state in SE environment; + shows MK states (only for current MKs). +* extension to -V: new column SESTAT within an SE guest, shows text + for the BS bits within an SE environment: + "usable", "bond", "avail", "unuse". 
+ +Signed-off-by: Harald Freudenberger +Reviewed-by: Holger Dengler +Signed-off-by: Jan Höppner +(cherry picked from commit f821f31a51e395c0d0b048413360eeff92eaee9c) +--- + zconf/zcrypt/lszcrypt.8 | 195 +++++++++++++++++++++++++--------------- + zconf/zcrypt/lszcrypt.c | 136 ++++++++++++++++++++++++---- + zconf/zcrypt/misc.c | 38 +++++++- + zconf/zcrypt/misc.h | 3 +- + 4 files changed, 278 insertions(+), 94 deletions(-) + +diff --git a/zconf/zcrypt/lszcrypt.8 b/zconf/zcrypt/lszcrypt.8 +index e1de2e9..536a3e3 100644 +--- a/zconf/zcrypt/lszcrypt.8 ++++ b/zconf/zcrypt/lszcrypt.8 +@@ -1,6 +1,6 @@ + .\" lszcrypt.8 + .\" +-.\" Copyright IBM Corp. 2019, 2022 ++.\" Copyright IBM Corp. 2019, 2023 + .\" s390-tools is free software; you can redistribute it and/or modify + .\" it under the terms of the MIT license. See LICENSE for details. + .\" +@@ -10,7 +10,7 @@ + .\" nroff -man lszcrypt.8 + .\" to process this source + .\" +-.TH LSZCRYPT 8 "FEB 2022" "s390-tools" ++.TH LSZCRYPT 8 "MAY 2023" "s390-tools" + .SH NAME + lszcrypt \- display zcrypt device and configuration information + .SH SYNOPSIS +@@ -24,7 +24,7 @@ lszcrypt \- display zcrypt device and configuration information + .TP + .B lszcrypt + .B -c +- ++ + .TP + .B lszcrypt -b + .TP +@@ -41,43 +41,60 @@ lszcrypt \- display zcrypt device and configuration information + .SH DESCRIPTION + The + .B lszcrypt +-command is used to display information about cryptographic devices managed by +-zcrypt and the AP bus attributes of zcrypt. Displayed information depends on the +-kernel version. ++command is used to display information about cryptographic devices ++managed by zcrypt and the AP bus attributes of zcrypt. Displayed ++information depends on the kernel version. + .B lszcrypt + requires that sysfs is mounted. 
+ .P + The following information can be displayed for each cryptographic + device: card ID, domain ID, card type (symbolic), mode, online status, +-hardware card type (numeric), installed function facilities, card capability, +-hardware queue depth, request count, number of requests in hardware queue, and +-the number of outstanding requests. +-The following AP bus attributes can be displayed: AP domain, Max AP domain, +-configuration timer, poll thread status, poll timeout, and AP interrupt +-status. ++hardware card type (numeric), installed function facilities, card ++capability, hardware queue depth, request count, number of requests in ++hardware queue, and the number of outstanding requests. The following ++AP bus attributes can be displayed: AP domain, Max AP domain, ++configuration timer, poll thread status, poll timeout, and AP ++interrupt status. + .SH OPTIONS + .TP 8 + .B -V, --verbose +-The verbose level for cryptographic device information. +-With this verbose level additional information like hardware card type, +-hardware queue depth, pending requests count, installed function +-facilities and driver binding is displayed. ++The verbose level for cryptographic device information. With this ++verbose level additional information like hardware card type, hardware ++queue depth, pending requests count, installed function facilities and ++driver binding is displayed. + .TP 8 + .B +-Specifies a cryptographic device to display. A cryptographic device can be +-either a card device or a queue device. If no devices are specified information +-about all available devices is displayed. ++Specifies a cryptographic device to display. A cryptographic device ++can be either a card device or a queue device. If no devices are ++specified information about all available devices is displayed. + Please note that the card device representation and the queue device + are both in hexadecimal notation. + .TP 8 + .B -b, --bus + Displays the AP bus attributes and exits. 
++ ++There is also a list of AP bus features shown here: ++.RS ++.IP "o" 3 ++APSC - Extended TAPQ (Test AP Queue) support. ++.IP "o" ++APXA - Support for more than 16 domains per card. ++.IP "o" ++QACT - QACT support for toleration of new unknown crypto cards. ++.IP "o" ++RC8A - Firmware reports 0x8A instead of 0x42 on some error conditions. ++.IP "o" ++APSB - AP bus has Secure Execution AP pass-through support. ++.RE + .TP 8 +-.B -c, --capability +-Shows the capabilities of a cryptographic card device of hardware type 6 or +-higher. The card device id value may be given as decimal or hex value (with +-a leading 0x). The capabilities of a cryptographic card device depend on +-the card type and the installed function facilities. A cryptographic card ++.B -c, --capability ++Shows the capabilities of a cryptographic card or queue device of ++hardware type 6 or higher. A card device id value may be given as ++decimal or hex value (with a leading 0x), a queue device needs to be ++given as xy.abcd (as it is displayed by lszcrypt). ++ ++The capabilities of a cryptographic card device depend on the card ++type and the installed function facilities. A cryptographic card + device can provide one or more of the following capabilities: + .RS + .IP "o" 3 +@@ -94,14 +111,25 @@ Long RNG + + .RS 8 + The CCA Secure Key capability may be limited by a hypervisor +-layer. The remarks 'full function set' or 'restricted function set' may +-reflect this. For details about these limitations please check the ++layer. The remarks 'full function set' or 'restricted function set' ++may reflect this. For details about these limitations please check the + hypervisor documentation. + .RE ++ ++.RS 8 ++The capabilities of a cryptographic queue device may vary depending ++on some state or environment. 
However if a queue device is given here, ++and the runtime environment is a KVM guest in Secure Execution mode ++with AP pass-through support, then the AP queue bind state and AP ++queue association state is shown here. Furthermore the state(s) and ++mkvp(s) (Master Key Verification Pattern) of the current master WK ++(Wrapping Key - EP11 mode) or current master AES, APKA and ASYM (CCA ++mode) are shown here. ++.RE + .TP 8 + .B -d, --domains +-Shows the usage and control domains of the cryptographic devices. +-The displayed domains of the cryptographic device depends on the initial ++Shows the usage and control domains of the cryptographic devices. The ++displayed domains of the cryptographic device depends on the initial + cryptographic configuration. + .RS + .IP "o" 3 +@@ -140,18 +168,20 @@ Here is an explanation of the columns displayed. Please note that some + of the columns show up in verbose mode only. + .TP + .B CARD.DOM +-The crypto card number in hexadecimal for a crypto card line or +-the crypto card number and the domain id both in hex separated by a single ++The crypto card number in hexadecimal for a crypto card line or the ++crypto card number and the domain id both in hex separated by a single + dot for a queue line. + .TP + .B TYPE and HWTYPE +-The HWTYPE is a numeric value showing which type of hardware the zcrypt +-device driver presumes that this crypto card is. The currently known values +-are 7=CEX3C, 8=CEX3A, 10=CEX4, 11=CEX5, 12=CEX6, 13=CEX7 and 14=CEX8. ++The HWTYPE is a numeric value showing which type of hardware the ++zcrypt device driver presumes that this crypto card is. The currently ++known values are 7=CEX3C, 8=CEX3A, 10=CEX4, 11=CEX5, 12=CEX6, 13=CEX7 ++and 14=CEX8. + .br +-The TYPE is a human readable value showing the hardware type and the basic +-function type (A=Accelerator, C=CCA Coprocessor, P=EP11 Coprocessor). So +-for example CEX6P means a CEX6 card in EP11 Coprocessor mode. 
++The TYPE is a human readable value showing the hardware type and the ++basic function type (A=Accelerator, C=CCA Coprocessor, P=EP11 ++Coprocessor). So for example CEX6P means a CEX6 card in EP11 ++Coprocessor mode. + .TP + .B MODE + A crypto card can be configured to run into one of 3 modes: +@@ -170,13 +200,13 @@ online/offline state is kept by the zcrypt device driver and can be + switched on or off with the help of the chzcrypt application. + .br + A crypto card can also be 'configured' or 'deconfigured'. This state +-may be adjusted on the HMC or SE. The chzcrypt application can also +-trigger this state with the --config-on and --config-off options. ++may be adjusted on the HMC. The chzcrypt application can also trigger ++this state with the --config-on and --config-off options. + .br + lszcrypt shows 'online' when a card or queue is available for + cryptographic operations. 'offline' is displayed when a card or queue + is switched to (software) offline. If a card is 'deconfigured' via +-HMC, SE or chzcrypt the field shows 'deconfig'. ++HMC or chzcrypt the field shows 'deconfig'. + .br + A crypto card may also reach a 'checkstopped' state. lszcrypt shows + this as 'chkstop'. +@@ -184,21 +214,22 @@ this as 'chkstop'. + If a queue is not bound to a device driver there is no detailed + information available and thus the status shows only '-'. + .br +-If a queue is bound to the vfio-ap device driver it is up to this driver +-to give some status information and what exactly this means. So lszcrypt +-shows the text retrieved from the underlying sysfs attribute here. ++If a queue is bound to the vfio-ap device driver it is up to this ++driver to give some status information and what exactly this means. So ++lszcrypt shows the text retrieved from the underlying sysfs attribute ++here. + .TP + .B REQUESTS +-This is the counter value of successful processed requests on card or queue +-level. 
Successful here means the request was processed without any failure +-in the whole processing chain. ++This is the counter value of successful processed requests on card or ++queue level. Successful here means the request was processed without ++any failure in the whole processing chain. + .TP + .B PENDING +-The underlying firmware and hardware layer usually provide some queuing +-space for requests. When this queue is already filled up, the zcrypt device +-driver maintains a software queue of pending requests. The sum of these +-both values is displayed here and shows the amount of requests waiting for +-processing on card or queue level. ++The underlying firmware and hardware layer usually provide some ++queuing space for requests. When this queue is already filled up, the ++zcrypt device driver maintains a software queue of pending ++requests. The sum of these both values is displayed here and shows the ++amount of requests waiting for processing on card or queue level. + .TP + .B FUNCTIONS + This column shows firmware and hardware function details: +@@ -224,48 +255,64 @@ F - Full function support (opposed to restricted function support, see below). + .br + R - Restricted function support. The F and R flag both reflect if a + hypervisor is somehow restricting this crypto resource in a virtual +-environment. Dependent on the hypervisor configuration the crypto requests +-may be filtered by the hypervisor to allow only a subset of functions +-within the virtual runtime environment. For example a shared CCA +-Coprocessor may be restricted by the hypervisor to allow only clear key +-operations within the guests. ++environment. Dependent on the hypervisor configuration the crypto ++requests may be filtered by the hypervisor to allow only a subset of ++functions within the virtual runtime environment. For example a shared ++CCA Coprocessor may be restricted by the hypervisor to allow only ++clear key operations within the guests. 
+ .TP + .B DRIVER + .br + Shows which card or queue device driver currently handles this crypto + resource. Currently known drivers are cex4card/cex4queue (CEX4-CEX8 + hardware), cex2card/cex2cqueue (CEX2C and CEX3C hardware), +-cex2acard/cex2aqueue (CEX2A and CEX3A hardware) and vfio_ap (queue reserved +-for use by kvm hypervisor for kvm guests and not accessible to host +-applications). It is also valid to have no driver handling a queue which is +-shown as a -no-driver- entry. ++cex2acard/cex2aqueue (CEX2A and CEX3A hardware) and vfio_ap (queue ++reserved for use by KVM hypervisor for KVM guests and not accessible ++to host applications). It is also valid to have no driver handling a ++queue which is shown as a -no-driver- entry. ++.TP ++.B SESTAT ++.br ++Shows the state of the BS bits associated with every AP queue within a ++Secure Execution guest when AP Pass-through support is available: ++.br ++usable - AP queue is usable for crypto load. ++.br ++bound - AP queue is bound but not yet associated. ++.br ++unbound - AP queue is unbound and needs to get bound to this Secure ++Execution guest. ++.br ++illicit - AP queue is not available for this Secure Execution guest. + .SH NOTES +-Use only one of the mode filtering options --accelonly, --ccaonly, --ep11only. +-Same with card/queue filtering: Use only one of --cardonly, --queueonly. +-However, one of the mode filtering options and one of the card/queue filtering +-can be combined. ++Use only one of the mode filtering options --accelonly, --ccaonly, ++--ep11only. Same with card/queue filtering: Use only one of ++--cardonly, --queueonly. However, one of the mode filtering options ++and one of the card/queue filtering can be combined. + .SH EXAMPLES + .TP + .B lszcrypt +-Displays the card/domain ID, card type (short name), mode (long name), online +-status and request count of all available cryptographic devices. 
++Displays the card/domain ID, card type (short name), mode (long name), ++online status and request count of all available cryptographic ++devices. + .TP + .B lszcrypt 1 3 5 +-Displays the card/domain ID, card type, mode, online status and request count +-for cryptographic devices 1, 3, and 5. ++Displays the card/domain ID, card type, mode, online status and ++request count for cryptographic devices 1, 3, and 5. + .TP + .B lszcrypt -V 3 7 11 +-Displays the card/domain ID, card type, mode, online status, request count, +-number of requests in the hardware queue, number of outstanding requests and +-installed function facilities for cryptographic devices 3, 7 and 17 (0x11). ++Displays the card/domain ID, card type, mode, online status, request ++count, number of requests in the hardware queue, number of outstanding ++requests and installed function facilities for cryptographic devices ++3, 7 and 17 (0x11). + .TP + .B lszcrypt 10.0038 +-Displays information of the cryptographic device '10.0038' respectively card +-id 16 (0x10) with domain 56 (0x38). ++Displays information of the cryptographic device '10.0038' ++respectively card id 16 (0x10) with domain 56 (0x38). + .TP + .B lszcrypt .0038 +-Displays information of all available queue devices (potentially multiple +-adapters) with domain 56 (0x38). ++Displays information of all available queue devices (potentially ++multiple adapters) with domain 56 (0x38). + .TP + .B lszcrypt -b + Displays AP bus information. +diff --git a/zconf/zcrypt/lszcrypt.c b/zconf/zcrypt/lszcrypt.c +index 43a3c39..09de77e 100644 +--- a/zconf/zcrypt/lszcrypt.c ++++ b/zconf/zcrypt/lszcrypt.c +@@ -1,7 +1,7 @@ + /** + * lszcrypt - Display zcrypt devices and configuration settings + * +- * Copyright IBM Corp. 2008, 2022 ++ * Copyright IBM Corp. 2008, 2023 + * + * s390-tools is free software; you can redistribute it and/or modify + * it under the terms of the MIT license. See LICENSE for details. 
+@@ -55,7 +55,7 @@ static struct lszcrypt_l { + #define MASK_COPRO 0x10000000 + #define MASK_ACCEL 0x08000000 + #define MASK_EP11 0x04000000 +-#define MASK_HSL 0x01000000 ++#define MASK_HSL 0x01000000 + + /* + * Classification +@@ -85,6 +85,8 @@ static struct fac_bits_s { + { 0x00400000, 'R' }, /* bit 9, restricted function set */ + }; + ++#define EXTRACT_BS_BITS(f) (((f) & 0x0000c000UL) >> 14) ++ + /* + * Program configuration + */ +@@ -95,7 +97,7 @@ static const struct util_prg prg = { + { + .owner = "IBM Corp.", + .pub_first = 2008, +- .pub_last = 2020, ++ .pub_last = 2023, + }, + UTIL_PRG_COPYRIGHT_END + } +@@ -169,8 +171,9 @@ static struct util_opt opt_vec[] = { + static void show_bus(void) + { + long domain, max_domain, config_time, value; +- unsigned long long poll_timeout; + const char *poll_thread, *ap_interrupts; ++ unsigned long long poll_timeout; ++ char features[256]; + char *ap; + + /* check if ap driver is available */ +@@ -178,6 +181,10 @@ static void show_bus(void) + if (!util_path_is_dir(ap)) + errx(EXIT_FAILURE, "Crypto device driver not available."); + ++ if (util_path_is_readable("%s/features", ap)) ++ util_file_read_line(features, sizeof(features), "%s/features", ap); ++ else ++ features[0] = '\0'; + util_file_read_l(&domain, 10, "%s/ap_domain", ap); + util_file_read_l(&max_domain, 10, "%s/ap_max_domain_id", ap); + util_file_read_l(&config_time, 10, "%s/config_time", ap); +@@ -192,6 +199,8 @@ static void show_bus(void) + ap_interrupts = "enabled"; + else + ap_interrupts = "disabled"; ++ if (features[0]) ++ printf("features: %s\n", features); + printf("ap_domain=0x%lx\n", domain); + printf("ap_max_domain_id=0x%lx\n", max_domain); + if (util_path_is_reg_file("%s/ap_interrupts", ap)) +@@ -374,23 +383,15 @@ next: + } + + /* +- * Show capability ++ * Show card capability + */ +-static void show_capability(const char *id_str) ++static void show_card_capability(int id) + { + unsigned long func_val; +- long hwtype, id, max_msg_size; +- char *p, *ap, 
*dev, card[16], cbuf[256]; +- +- /* check if ap driver is available */ +- ap = util_path_sysfs("bus/ap"); +- if (!util_path_is_dir(ap)) +- errx(EXIT_FAILURE, "Crypto device driver not available."); ++ long hwtype, max_msg_size; ++ char *dev, card[16], cbuf[256]; + +- id = strtol(id_str, &p, 0); +- if (id < 0 || id > 255 || p == id_str || *p != '\0') +- errx(EXIT_FAILURE, "Error - '%s' is an invalid cryptographic device id.", id_str); +- snprintf(card, sizeof(card), "card%02lx", id); ++ snprintf(card, sizeof(card), "card%02x", id); + dev = util_path_sysfs("devices/ap/%s", card); + if (!util_path_is_dir(dev)) + errx(EXIT_FAILURE, "Error - cryptographic device %s does not exist.", card); +@@ -464,6 +465,78 @@ static void show_capability(const char *id_str) + card, hwtype); + break; + } ++ ++ free(dev); ++} ++ ++/* ++ * Show queue capability ++ */ ++static void show_queue_capability(int id, int dom) ++{ ++ char *dev, card[16], queue[16], buf[256]; ++ ++ snprintf(card, sizeof(card), "card%02x", id); ++ snprintf(queue, sizeof(queue), "%02x.%04x", id, dom); ++ dev = util_path_sysfs("devices/ap/%s/%s", card, queue); ++ if (!util_path_is_dir(dev)) ++ errx(EXIT_FAILURE, "Error - cryptographic queue device %02x.%04x does not exist.", ++ id, dom); ++ ++ printf("queue %02x.%04x capabilities:\n", id, dom); ++ ++ if (util_path_is_reg_file("%s/se_bind", dev)) { ++ util_file_read_line(buf, sizeof(buf), "%s/se_bind", dev); ++ printf("SE bind state: %s\n", buf); ++ } ++ if (util_path_is_reg_file("%s/se_associate", dev)) { ++ util_file_read_line(buf, sizeof(buf), "%s/se_associate", dev); ++ printf("SE association state: %s\n", buf); ++ } ++ if (util_path_is_reg_file("%s/mkvps", dev)) { ++ char *mkvps = util_path_sysfs("devices/ap/%s/%s/mkvps", card, queue); ++ FILE *f = fopen(mkvps, "r"); ++ ++ if (!f) ++ errx(EXIT_FAILURE, "Error - failed to open sysfs file %s.", ++ mkvps); ++ while (fgets(buf, sizeof(buf), f)) { ++ if (strstr(buf, "WK CUR") || ++ strstr(buf, "AES CUR") || ++ 
strstr(buf, "APKA CUR") || ++ strstr(buf, "ASYM CUR")) ++ printf("MK %s", buf); /* no newline here */ ++ } ++ fclose(f); ++ free(mkvps); ++ } ++ ++ free(dev); ++} ++ ++/* ++ * Show capability ++ */ ++static void show_capability(const char *id_str) ++{ ++ char *p, *ap; ++ int id, dom; ++ ++ /* check if ap driver is available */ ++ ap = util_path_sysfs("bus/ap"); ++ if (!util_path_is_dir(ap)) ++ errx(EXIT_FAILURE, "Crypto device driver not available."); ++ ++ if (sscanf(id_str, "%x.%x", &id, &dom) == 2) { ++ show_queue_capability(id, dom); ++ } else { ++ id = strtol(id_str, &p, 0); ++ if (id < 0 || id > 255 || p == id_str || *p != '\0') ++ errx(EXIT_FAILURE, ++ "Error - '%s' is an invalid cryptographic device id.", ++ id_str); ++ show_card_capability(id); ++ } + } + + /* +@@ -601,11 +674,33 @@ static void read_subdev_rec_verbose(struct util_rec *rec, const char *grp_dev, + util_file_read_l(&depth, 10, "%s/depth", grp_dev); + util_rec_set(rec, "depth", "%02d", depth + 1); + +- util_file_read_ul(&facility, 16, "%s/ap_functions", grp_dev); ++ if (util_path_is_readable("%s/%s/ap_functions", grp_dev, sub_dev)) ++ util_file_read_ul(&facility, 16, "%s/%s/ap_functions", grp_dev, sub_dev); ++ else ++ util_file_read_ul(&facility, 16, "%s/ap_functions", grp_dev); + for (i = 0; i < MAX_FAC_BITS; i++) + buf[i] = facility & fac_bits[i].mask ? 
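Review bot: In show_capability the new `sscanf(id_str, "%x.%x", &id, &dom) == 2` branch does none of the validation the card path right below it performs: an `id` above 255, a `dom` above 0xffff, a leading minus sign (which `%x` accepts and turns into a huge value) or trailing text after the domain are all accepted and passed to show_queue_capability. There `snprintf(queue, sizeof(queue), "%02x.%04x", id, dom)` into `queue[16]` silently truncates once both fields reach 8 hex digits, and the operator only sees a misleading "queue device does not exist" error instead of an invalid-id message. Suggest tightening the condition to `int n; if (sscanf(id_str, "%x.%x%n", &id, &dom, &n) == 2 && id_str[n] == '\0' && id >= 0 && id <= 255 && dom >= 0 && dom <= 0xffff)` so every other form falls through to the existing strtol check and its "invalid cryptographic device id" error. Alternatively reuse the `"%02x.%04x"` widths that chzcrypt's se_* helpers use for the same APQN syntax so both tools parse it identically.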
fac_bits[i].c : '-'; + buf[i] = '\0'; + util_rec_set(rec, "facility", buf); ++ ++ if (ap_bus_has_SB_support()) { ++ switch (EXTRACT_BS_BITS(facility)) { ++ case 0: ++ util_rec_set(rec, "sestat", "usable"); ++ break; ++ case 1: ++ util_rec_set(rec, "sestat", "bound"); ++ break; ++ case 2: ++ util_rec_set(rec, "sestat", "unbound"); ++ break; ++ case 3: ++ util_rec_set(rec, "sestat", "illicit"); ++ break; ++ default: ++ util_rec_set(rec, "sestat", "-"); ++ } ++ } + } + + /* +@@ -750,6 +845,9 @@ static void read_rec_verbose(struct util_rec *rec, const char *grp_dev) + + i = read_driver(grp_dev, NULL, buf, sizeof(buf)); + util_rec_set(rec, "driver", i > 0 ? buf : "-no-driver-"); ++ ++ if (ap_bus_has_SB_support()) ++ util_rec_set(rec, "sestat", "-"); + } + + /* +@@ -818,6 +916,8 @@ static void define_rec_verbose(struct util_rec *rec) + util_rec_def(rec, "depth", UTIL_REC_ALIGN_RIGHT, 6, "QDEPTH"); + util_rec_def(rec, "facility", UTIL_REC_ALIGN_LEFT, 10, "FUNCTIONS"); + util_rec_def(rec, "driver", UTIL_REC_ALIGN_LEFT, 11, "DRIVER"); ++ if (ap_bus_has_SB_support()) ++ util_rec_def(rec, "sestat", UTIL_REC_ALIGN_LEFT, 11, "SESTAT"); + } + + /* +diff --git a/zconf/zcrypt/misc.c b/zconf/zcrypt/misc.c +index 4296cb1..05913d6 100644 +--- a/zconf/zcrypt/misc.c ++++ b/zconf/zcrypt/misc.c +@@ -1,16 +1,20 @@ + /* + * Misc - Local helper functions + * +- * Copyright IBM Corp. 2016, 2017 ++ * Copyright IBM Corp. 2016, 2023 + * + * s390-tools is free software; you can redistribute it and/or modify + * it under the terms of the MIT license. See LICENSE for details. + */ + + #include ++#include + #include + ++#include "lib/util_base.h" ++#include "lib/util_file.h" + #include "lib/util_panic.h" ++#include "lib/util_path.h" + #include "misc.h" + + /** +@@ -35,3 +39,35 @@ bool misc_regex_match(const char *str, const char *regex) + regfree(&preg); + return rc == 0 ? true : false; + } ++ ++/** ++ * Test if AP bus has SB support available. 
++ * ++ * @returns true Yes, SB support is available ++ * false No ++ */ ++bool ap_bus_has_SB_support(void) ++{ ++ static int sb_support = -1; ++ ++ if (sb_support < 0) { ++ char *ap, buf[256]; ++ ++ ap = util_path_sysfs("bus/ap"); ++ if (!util_path_is_dir(ap)) { ++ sb_support = 0; ++ } else { ++ if (!util_path_is_readable("%s/features", ap)) { ++ sb_support = 0; ++ } else { ++ util_file_read_line(buf, sizeof(buf), ++ "%s/features", ap); ++ if (strstr(buf, "APSB")) ++ sb_support = 1; ++ } ++ } ++ free(ap); ++ } ++ ++ return sb_support > 0 ? true : false; ++} +diff --git a/zconf/zcrypt/misc.h b/zconf/zcrypt/misc.h +index 502a687..92cf453 100644 +--- a/zconf/zcrypt/misc.h ++++ b/zconf/zcrypt/misc.h +@@ -1,7 +1,7 @@ + /* + * misc - Local helper functions + * +- * Copyright IBM Corp. 2016, 2017 ++ * Copyright IBM Corp. 2016, 2023 + * + * s390-tools is free software; you can redistribute it and/or modify + * it under the terms of the MIT license. See LICENSE for details. +@@ -13,5 +13,6 @@ + #include + + bool misc_regex_match(const char *str, const char *regex); ++bool ap_bus_has_SB_support(void); + + #endif /* MISC_H */ +-- +2.41.0 + + +From f5c3fabce59c71fb9fbf2d21ab4bbf909c2653b5 Mon Sep 17 00:00:00 2001 +From: Harald Freudenberger +Date: Wed, 17 May 2023 13:13:09 +0200 +Subject: [PATCH 6/7] chzcrypt: Support for SE bind, unbind and associate + (#2110521) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This patch adds support for Secure Execution with AP pass-through +support for chzcrypt. 
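Review bot: ap_bus_has_SB_support ignores the return value of `util_file_read_line(buf, sizeof(buf), "%s/features", ap)`, so on a failed read `buf` is left uninitialized and `strstr(buf, "APSB")` scans indeterminate stack memory; elsewhere in this patch a non-zero return from that helper is treated as a failure. Additionally `sb_support` is only ever set to 1 in the success path, so on a system whose features line lacks APSB the cached value stays -1 and every call re-reads sysfs, defeating the static cache. Both the chzcrypt SE commands and the lszcrypt SESTAT column gate on this function, so it should give a deterministic answer from a successful read only. Proposed inner branch:
```c
		} else {
			if (!util_path_is_readable("%s/features", ap)) {
				sb_support = 0;
			} else if (util_file_read_line(buf, sizeof(buf),
						       "%s/features", ap)) {
				/* unreadable or empty attribute: treat as no support */
				sb_support = 0;
			} else {
				sb_support = strstr(buf, "APSB") ? 1 : 0;
			}
		}
		/* … unchanged: free(ap) and return … */
```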
+ +chzcrypt details: +* new command: --se-associate +* new command: --se-bind +* new command: --se-unbind + +Signed-off-by: Harald Freudenberger +Reviewed-by: Holger Dengler +Signed-off-by: Jan Höppner +(cherry picked from commit e35e73d2a3f60d43b109168cc37f9c43bc35b0a4) +--- + zconf/zcrypt/chzcrypt.8 | 72 +++++++---- + zconf/zcrypt/chzcrypt.c | 278 +++++++++++++++++++++++++++++++++++++--- + 2 files changed, 310 insertions(+), 40 deletions(-) + +diff --git a/zconf/zcrypt/chzcrypt.8 b/zconf/zcrypt/chzcrypt.8 +index a73ff27..94e32fb 100644 +--- a/zconf/zcrypt/chzcrypt.8 ++++ b/zconf/zcrypt/chzcrypt.8 +@@ -1,10 +1,16 @@ + .\" chzcrypt.8 + .\" +-.\" Copyright 2020 IBM Corp. ++.\" Copyright 2020, 2023 IBM Corp. + .\" s390-tools is free software; you can redistribute it and/or modify + .\" it under the terms of the MIT license. See LICENSE for details. + .\" +-.TH CHZCRYPT 8 "OCT 2020" "s390-tools" ++.\" use ++.\" groff -man -Tutf8 chzcrypt.8 ++.\" or ++.\" nroff -man chzcrypt.8 ++.\" to process this source ++.\" ++.TH CHZCRYPT 8 "MAY 2023" "s390-tools" + .SH NAME + chzcrypt \- modify zcrypt configuration + .SH SYNOPSIS +@@ -46,8 +52,8 @@ chzcrypt \- modify zcrypt configuration + .SH DESCRIPTION + The + .B chzcrypt +-command is used to configure cryptographic devices managed by zcrypt and +-modify zcrypt's AP bus attributes. ++command is used to configure cryptographic devices managed by zcrypt ++and modify zcrypt's AP bus attributes. + + Attributes may vary depending on the kernel + version. +@@ -70,19 +76,6 @@ Set the given cryptographic card device(s) config on ('configured'). + .B --config-off + Set the given cryptographic card device(s) config off ('deconfigured'). + .TP 8 +-.B +-Specifies a cryptographic device which will be set either online or +-offline or configured on or off. For online and offline the device can +-either be a card device or a queue device. A queue device can only get +-switched online when the providing card is online. 
+-.br +-For config on/off the device needs to be a card device. A card or +-queue device cannot get switched online if the card is in deconfigured +-state. +-.br +-Please note that the card device and queue device representation are both +-in hexadecimal notation. +-.TP 8 + .B -p, --poll-thread-enable + Enable zcrypt's poll thread. + .TP 8 +@@ -94,15 +87,28 @@ Set configuration timer for re-scanning the AP bus to + .I + seconds. + .TP 8 ++.B --se-associate ++Associate the given queue device with the given association ++index. This command is only valid within an Secure Execution guest ++with AP pass-through support enabled. ++.TP 8 ++.B --se-bind ++Bind the given queue device. This command is only valid within an ++Secure Execution guest with AP pass-through support enabled. ++.TP 8 ++.B --se-unbind ++Unbind the given queue device. This command is only valid within an ++Secure Execution guest with AP pass-through support enabled. ++.TP 8 + .BI "-t, --poll-timeout" " " + Set poll timer to run poll tasklet all + .I + nanoseconds. + .TP 8 + .BI "-q, --default-domain" " " +-Set the new default domain of the AP bus to . +-The number of available domains can be retrieved with the lszcrypt +-command ('-d' option). ++Set the new default domain of the AP bus to . The number of ++available domains can be retrieved with the lszcrypt command ('-d' ++option). + .TP 8 + .B -V, --verbose + Print verbose messages. +@@ -112,6 +118,22 @@ Print help text and exit. + .TP 8 + .B -v, --version + Print version information and exit. ++.TP 8 ++.B ++Specifies a cryptographic device which will be set either online or ++offline or configured on or off. For online and offline the device can ++either be a card device or a queue device. A queue device can only get ++switched online when the providing card is online. ++.br ++For config on/off the device needs to be a card device. A card or ++queue device cannot get switched online if the card is in deconfigured ++state. 
++.br ++Please note that the card device and queue device representation are ++both in hexadecimal notation. ++.TP 8 ++.B ++An APQN queue device given as xy.abcd as it is listed by lszcrypt -V. + .SH EXAMPLES + .TP + .B chzcrypt -e 0 1 12 +@@ -131,8 +153,8 @@ Set all available crypto cards to config on, be verbose. + Switch the two crypto cards 1 and 3 to deconfigured, be verbose. + .TP + .B chzcrypt -c 60 -n +-Will set configuration timer for re-scanning the AP bus to 60 seconds and +-disable zcrypt's poll thread. ++Will set configuration timer for re-scanning the AP bus to 60 seconds ++and disable zcrypt's poll thread. + .TP + .B chzcrypt -q 67 + Will set the default domain to 67. +@@ -144,5 +166,11 @@ chzcrypt exits with an appropriate message. Even more config on/off + may require support from a hypervisor like KVM or zVM and may fail if + the Linux kernel is unable to perform the SCLP command. Check syslog + on failure. ++.TP ++Bind, associate and unbind command on an queue device are only ++available and valid within an Secure Execution environment with AP ++pass-through enabled and a Linux kernel providing the low level sysfs ++API. If these conditions are not fulfilled, the command will fail with ++an appropriate error messages. + .SH SEE ALSO + \fBlszcrypt\fR(8) +diff --git a/zconf/zcrypt/chzcrypt.c b/zconf/zcrypt/chzcrypt.c +index 68b36a5..b04bcfa 100644 +--- a/zconf/zcrypt/chzcrypt.c ++++ b/zconf/zcrypt/chzcrypt.c +@@ -1,7 +1,7 @@ + /* + * chzcrypt - Tool to modify zcrypt configuration + * +- * Copyright IBM Corp. 2008, 2020 ++ * Copyright IBM Corp. 2008, 2023 + * + * s390-tools is free software; you can redistribute it and/or modify + * it under the terms of the MIT license. See LICENSE for details. 
+@@ -28,6 +28,12 @@ + + #include "misc.h" + ++/* max seconds the se-association command will wait for completion */ ++#define MAX_ASSOC_POLL_TIME_IN_S 30 ++ ++/* max seconds the se-unbind command will wait for unbind complete */ ++#define MAX_UNBIND_POLL_TIME_IN_S 30 ++ + /* + * Private data + */ +@@ -45,7 +51,7 @@ static const struct util_prg prg = { + { + .owner = "IBM Corp.", + .pub_first = 2008, +- .pub_last = 2020, ++ .pub_last = 2023, + }, + UTIL_PRG_COPYRIGHT_END + } +@@ -57,6 +63,9 @@ static const struct util_prg prg = { + + #define OPT_CONFIG_ON 0x80 + #define OPT_CONFIG_OFF 0x81 ++#define OPT_SE_ASSOC 0x82 ++#define OPT_SE_BIND 0x83 ++#define OPT_SE_UNBIND 0x84 + + static struct util_opt opt_vec[] = { + { +@@ -116,6 +125,22 @@ static struct util_opt opt_vec[] = { + .option = { "verbose", no_argument, NULL, 'V'}, + .desc = "Print verbose messages", + }, ++ { ++ .option = { "se-associate", required_argument, NULL, OPT_SE_ASSOC}, ++ .argument = "assoc_idx", ++ .flags = UTIL_OPT_FLAG_NOSHORT, ++ .desc = "SE guest with AP support only: Associate the given queue device", ++ }, ++ { ++ .option = { "se-bind", no_argument, NULL, OPT_SE_BIND}, ++ .flags = UTIL_OPT_FLAG_NOSHORT, ++ .desc = "SE guest with AP support only: Bind the given queue device", ++ }, ++ { ++ .option = { "se-unbind", no_argument, NULL, OPT_SE_UNBIND}, ++ .flags = UTIL_OPT_FLAG_NOSHORT, ++ .desc = "SE guest with AP support only: Unbind the given queue device", ++ }, + UTIL_OPT_HELP, + UTIL_OPT_VERSION, + UTIL_OPT_END +@@ -336,6 +361,186 @@ next: + } + } + ++static void se_assoc(const char *assoc_idx, const char *dev) ++{ ++ int i, idx, rc, ap, dom, loop; ++ char *dev_path, *attr; ++ char buf[256]; ++ ++ if (!ap_bus_has_SB_support()) ++ errx(EXIT_FAILURE, "Error - AP bus: SE bind support is not available."); ++ ++ if (sscanf(dev, "%02x.%04x", &ap, &dom) != 2) ++ errx(EXIT_FAILURE, "Error - Can't parse queue device '%s' as xy.abcd.", ++ dev); ++ dev_path = 
util_path_sysfs("bus/ap/devices/card%02x/%02x.%04x", ++ ap, ap, dom); ++ if (!util_path_is_dir(dev_path)) ++ errx(EXIT_FAILURE, "Error - Queue device %s does not exist.", ++ dev); ++ ++ if (sscanf(assoc_idx, "%i", &idx) != 1) ++ errx(EXIT_FAILURE, "Error - Can't parse association index '%s' as number.", ++ assoc_idx); ++ if (idx < 0 || idx > 0xFFFF) ++ errx(EXIT_FAILURE, "Error - Association index needs to be in range [0...%d].", ++ 0xffff); ++ ++ attr = util_path_sysfs("bus/ap/devices/card%02x/%02x.%04x/se_associate", ++ ap, ap, dom); ++ if (!util_path_is_writable(attr)) ++ errx(EXIT_FAILURE, "Error - Can't write to %s (errno '%s').", ++ attr, strerror(errno)); ++ ++ /* read se_associate attribute and check for 'unassociated' */ ++ rc = util_file_read_line(buf, sizeof(buf), attr); ++ if (rc) ++ errx(EXIT_FAILURE, "Error - Failure reading from %s (errno '%s').", ++ attr, strerror(errno)); ++ if (strcmp(buf, "unassociated")) ++ errx(EXIT_FAILURE, ++ "Error - Queue device %s is NOT in 'unassociated' state (state '%s' found).", ++ dev, buf); ++ ++ /* write assocition index to the se_associate attribute */ ++ rc = util_file_write_l(idx, 10, attr); ++ if (rc) ++ errx(EXIT_FAILURE, "Error - Failure writing to %s (errno '%s').", ++ attr, strerror(errno)); ++ ++ /* loop up to MAX_ASSOC_POLL_TIME_IN_S seconds for completion */ ++ for (loop = 0; loop < 2 * MAX_ASSOC_POLL_TIME_IN_S; usleep(500000), loop++) { ++ rc = util_file_read_line(buf, sizeof(buf), attr); ++ if (rc) ++ errx(EXIT_FAILURE, "Error - Failure reading from %s (errno '%s').", ++ attr, strerror(errno)); ++ if (!strncmp(buf, "associated", strlen("associated"))) ++ break; ++ if (!strcmp(buf, "unassociated")) ++ errx(EXIT_FAILURE, ++ "Error - Failure associating queue device %s (state '%s' found).", ++ dev, buf); ++ } ++ if (loop >= 2 * MAX_ASSOC_POLL_TIME_IN_S) ++ errx(EXIT_FAILURE, ++ "Error - Failure associating queue device %s (timeout after %d s).", ++ dev, MAX_ASSOC_POLL_TIME_IN_S); ++ ++ if (sscanf(buf, 
"associated %d", &i) != 1 || idx != i) ++ errx(EXIT_FAILURE, ++ "Error - Failure associating queue device %s (state '%s' found).", ++ dev, buf); ++ ++ verbose("Queue device %s successful associated with index %d.\n", ++ dev, idx); ++ ++ free(dev_path); ++ free(attr); ++} ++ ++static void se_bind(const char *dev) ++{ ++ char *dev_path, *attr; ++ int rc, ap, dom; ++ char buf[256]; ++ ++ if (!ap_bus_has_SB_support()) ++ errx(EXIT_FAILURE, "Error - AP bus: SE bind support is not available."); ++ ++ if (sscanf(dev, "%02x.%04x", &ap, &dom) != 2) ++ errx(EXIT_FAILURE, "Error - Can't parse queue device '%s' as xy.abcd.", ++ dev); ++ dev_path = util_path_sysfs("bus/ap/devices/card%02x/%02x.%04x", ++ ap, ap, dom); ++ if (!util_path_is_dir(dev_path)) ++ errx(EXIT_FAILURE, "Error - Queue device %s does not exist.", ++ dev); ++ ++ attr = util_path_sysfs("bus/ap/devices/card%02x/%02x.%04x/se_bind", ++ ap, ap, dom); ++ if (!util_path_is_writable(attr)) ++ errx(EXIT_FAILURE, "Error - Can't write to %s (errno '%s').", ++ attr, strerror(errno)); ++ ++ /* read se_bind attribute and check for 'unboud' */ ++ rc = util_file_read_line(buf, sizeof(buf), attr); ++ if (rc) ++ errx(EXIT_FAILURE, "Error - Failure reading from %s (errno '%s').", ++ attr, strerror(errno)); ++ if (strcmp(buf, "unbound")) ++ errx(EXIT_FAILURE, ++ "Error - Queue device %s is NOT in 'unbound' state (state '%s' found).", ++ dev, buf); ++ ++ /* write se_bind attribute, check for 'bound' afterwards */ ++ rc = util_file_write_l(1, 10, attr); ++ if (rc) ++ errx(EXIT_FAILURE, "Error - Failure writing to %s (errno '%s').", ++ attr, strerror(errno)); ++ rc = util_file_read_line(buf, sizeof(buf), attr); ++ if (rc) ++ errx(EXIT_FAILURE, "Error - Failure reading from %s (errno '%s').", ++ attr, strerror(errno)); ++ if (strcmp(buf, "bound")) ++ errx(EXIT_FAILURE, "Error - Failure binding queue device %s (state '%s' found).", ++ dev, buf); ++ ++ verbose("Queue device %s successful bound.\n", dev); ++ ++ free(dev_path); ++ 
free(attr); ++} ++ ++static void se_unbind(const char *dev) ++{ ++ int rc, ap, dom, loop; ++ char *dev_path, *attr; ++ char buf[256]; ++ ++ if (!ap_bus_has_SB_support()) ++ errx(EXIT_FAILURE, "Error - AP bus: SE bind support is not available."); ++ ++ if (sscanf(dev, "%02x.%04x", &ap, &dom) != 2) ++ errx(EXIT_FAILURE, "Error - Can't parse queue device '%s' as xy.abcd.", ++ dev); ++ dev_path = util_path_sysfs("bus/ap/devices/card%02x/%02x.%04x", ++ ap, ap, dom); ++ if (!util_path_is_dir(dev_path)) ++ errx(EXIT_FAILURE, "Error - Queue device %s does not exist.", ++ dev); ++ ++ attr = util_path_sysfs("bus/ap/devices/card%02x/%02x.%04x/se_bind", ++ ap, ap, dom); ++ if (!util_path_is_writable(attr)) ++ errx(EXIT_FAILURE, "Error - Can't write to %s (errno '%s').", ++ attr, strerror(errno)); ++ ++ /* write se_bind attribute */ ++ rc = util_file_write_l(0, 10, attr); ++ if (rc) ++ errx(EXIT_FAILURE, "Error - Failure writing to %s (errno '%s').", ++ attr, strerror(errno)); ++ ++ /* loop up to MAX_UNBIND_POLL_TIME_IN_S seconds for completion */ ++ for (loop = 0; loop < 2 * MAX_UNBIND_POLL_TIME_IN_S; usleep(500000), loop++) { ++ rc = util_file_read_line(buf, sizeof(buf), attr); ++ if (rc) ++ errx(EXIT_FAILURE, "Error - Failure reading from %s (errno '%s').", ++ attr, strerror(errno)); ++ if (!strcmp(buf, "unbound")) ++ break; ++ } ++ if (loop >= 2 * MAX_UNBIND_POLL_TIME_IN_S) ++ errx(EXIT_FAILURE, ++ "Error - Failure unbinding queue device %s (timeout after %d s).", ++ dev, MAX_UNBIND_POLL_TIME_IN_S); ++ ++ verbose("Queue device %s successful unbound.\n", dev); ++ ++ free(dev_path); ++ free(attr); ++} ++ + /* + * Print invalid commandline error message and then exit with error code + */ +@@ -389,10 +594,10 @@ static void print_adapter_id_help(void) + printf("DEVICE_IDS\n"); + printf(" List of cryptographic device ids separated by blanks which will be set\n"); + printf(" online/offline. 
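Review bot: se_assoc parses the association index with `sscanf(assoc_idx, "%i", &idx)`, which accepts trailing characters (`5x` yields 5) and reads a leading zero as octal (`010` yields 8), so a mistyped index silently associates the queue with a different index than the operator intended, and the same leniency applies to the `"%02x.%04x"` device parse that accepts `01.0002junk`. Since the association index is the security-relevant binding of the queue and only an unbind can undo it, the input should be rejected unless it was consumed completely, the way the strtol/end-pointer check in lszcrypt does for card ids. A smaller point: se_unbind, unlike se_bind, does not verify the queue's current `se_bind` state before writing 0, so the operator gets no feedback when unbinding an already unbound queue; whether the kernel tolerates that write cannot be told from this hunk. Proposed replacement for the index parse (errno and strerror are already used in this function):
```c
static void se_assoc(const char *assoc_idx, const char *dev)
{
	char *dev_path, *attr, *end;
	/* … unchanged: SB support check, device parse and existence check … */

	errno = 0;
	idx = (int)strtol(assoc_idx, &end, 0);
	if (end == assoc_idx || *end != '\0' || errno == ERANGE)
		errx(EXIT_FAILURE, "Error - Can't parse association index '%s' as number.",
		     assoc_idx);
	if (idx < 0 || idx > 0xFFFF)
		errx(EXIT_FAILURE, "Error - Association index needs to be in range [0...%d].",
		     0xffff);
	/* … unchanged: attribute write and completion polling … */
```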
Must be used in conjunction with the enable or disable option.\n"); +- + printf(" DEVICE_ID could either be card device id ('') or queue device id\n"); +- printf(" '.').\n"); +- printf(" \n"); ++ printf(" '.').\n\n"); ++ printf("QUEUE_DEVICE:\n"); ++ printf(" An APQN queue device given as xy.abcd as it is listed by lszcrypt -V.\n\n"); + printf("EXAMPLE:\n"); + printf(" Disable the cryptographic device with card id '02' (inclusive all queues).\n"); + printf(" #>chzcrypt -d 02\n"); +@@ -407,13 +612,14 @@ static void print_adapter_id_help(void) + */ + int main(int argc, char *argv[]) + { ++ const char *default_domain = NULL, *config = NULL, *config_text = NULL; + const char *online = NULL, *online_text = NULL, *poll_thread = NULL; + const char *config_time = NULL, *poll_timeout = NULL; +- const char *default_domain = NULL, *config = NULL, *config_text = NULL; ++ const char *queue_device = NULL, *assoc_idx = NULL; ++ int c, i, j, action = 0; + char *path, *dev_list; +- bool all = false, actionset = false; ++ bool all = false; + size_t len; +- int c, i, j; + + for (i=0; i < argc; i++) + for (j=2; j < (int) strlen(argv[i]); j++) +@@ -428,12 +634,12 @@ int main(int argc, char *argv[]) + break; + switch (c) { + case 'e': +- actionset = true; ++ action = c; + online = "1"; + online_text = "online"; + break; + case 'd': +- actionset = true; ++ action = c; + online = "0"; + online_text = "offline"; + break; +@@ -441,23 +647,23 @@ int main(int argc, char *argv[]) + all = true; + break; + case 'p': +- actionset = true; ++ action = c; + poll_thread = "1"; + break; + case 'n': +- actionset = true; ++ action = c; + poll_thread = "0"; + break; + case 'c': +- actionset = true; ++ action = c; + config_time = optarg; + break; + case 't': +- actionset = true; ++ action = c; + poll_timeout = optarg; + break; + case 'q': +- actionset = true; ++ action = c; + default_domain = optarg; + break; + case 'V': +@@ -472,21 +678,31 @@ int main(int argc, char *argv[]) + util_prg_print_version(); + 
return EXIT_SUCCESS; + case OPT_CONFIG_ON: +- actionset = true; ++ action = c; + config = "1"; + config_text = "config on"; + break; + case OPT_CONFIG_OFF: +- actionset = true; ++ action = c; + config = "0"; + config_text = "config off"; + break; ++ case OPT_SE_ASSOC: ++ action = c; ++ assoc_idx = optarg; ++ break; ++ case OPT_SE_BIND: ++ action = c; ++ break; ++ case OPT_SE_UNBIND: ++ action = c; ++ break; + default: + util_opt_print_parse_error(c, argv); + return EXIT_FAILURE; + } + } +- if (!actionset) ++ if (!action) + invalid_cmdline_exit("Error - missing argument.\n"); + path = util_path_sysfs("bus/ap"); + if (!util_path_is_dir(path)) +@@ -508,6 +724,32 @@ int main(int argc, char *argv[]) + default_domain_set(default_domain); + return EXIT_SUCCESS; + } ++ ++ if (action == OPT_SE_ASSOC) { ++ if (optind >= argc) ++ errx(EXIT_FAILURE, ++ "Error - The --se-associate needs a queue device given."); ++ queue_device = argv[optind]; ++ se_assoc(assoc_idx, queue_device); ++ return EXIT_SUCCESS; ++ } ++ if (action == OPT_SE_BIND) { ++ if (optind >= argc) ++ errx(EXIT_FAILURE, ++ "Error - The --se-bind needs a queue device given."); ++ queue_device = argv[optind]; ++ se_bind(queue_device); ++ return EXIT_SUCCESS; ++ } ++ if (action == OPT_SE_UNBIND) { ++ if (optind >= argc) ++ errx(EXIT_FAILURE, ++ "Error - The --se-unbind needs a queue device given."); ++ queue_device = argv[optind]; ++ se_unbind(queue_device); ++ return EXIT_SUCCESS; ++ } ++ + if (all) + dev_list_all(&dev_list, &len); + else +-- +2.41.0 + + +From a2a364b456185eebca87f43b280c4f25b323f65b Mon Sep 17 00:00:00 2001 +From: Steffen Maier +Date: Tue, 1 Aug 2023 18:58:45 +0200 +Subject: [PATCH 7/7] zdev/dracut: fix kdump build to integrate with site + support (#2229177) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This complements v2.27.0 commit 73c46a30563d ("zdev/dracut: fix kdump by +only activating required devices"). 
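Review bot: The three new SE branches in main take `argv[optind]` as the queue device but check only `optind >= argc`, so extra positional arguments (`chzcrypt --se-bind 01.0002 01.0003`) are silently dropped and only the first queue is acted on, and an `-a`/`--all` given on the same command line is ignored without a message. Because the old `actionset` boolean was replaced by `action = c`, combining two actions (for example `--se-bind --se-unbind`) now silently runs whichever came last, which the previous code did not distinguish either but is worth a guard now that actions carry different argument shapes. Suggest `if (optind + 1 != argc || all) errx(EXIT_FAILURE, "Error - The --se-bind needs exactly one queue device given.");` (and the same for the other two branches) so that a stray argument is an error rather than being ignored. main starts outside this hunk.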
On older distributions, the absence of +zdev_id can cause the following harmless error messages for each udev +event: + +(spawn)[387]: failed to execute '/lib/s390-tools/zdev_id' \ +'/lib/s390-tools/zdev_id': No such file or directory + +Kdump is still functional nonetheless. + +As of v2.24.0 commit 2e89722ef0ec ("zdev: make site specific udev-rule for +ccw"), the invocations of chzdev within +zdev/dracut/95zdev-kdump/module-setup.sh generate +/etc/udev/rules.d/40-zdev-id.rules. And so even though zdev-kdump +intentionally does not install zdev_id and its previous singular user +zdev/udev/81-dpm.rules into the kdump initrd, because DPM device auto +configuration is not desired in the kdump environment, zdev_id meanwhile +has an additional functionality for site-support and the generated +40-zdev-id.rules calls /lib/s390-tools/zdev_id. By installing zdev_id into +the kdump initrd, 40-zdev-id.rules can work without error. + +Fixes: 73c46a30563d ("zdev/dracut: fix kdump by only activating required devices") +Reviewed-by: Alexander Egorenkov +Reviewed-by: Vineeth Vijayan +Signed-off-by: Steffen Maier +Signed-off-by: Jan Höppner +(cherry picked from commit 4b486e87cc2875f532784bd69ee680e714508059) +--- + zdev/dracut/95zdev-kdump/module-setup.sh | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/zdev/dracut/95zdev-kdump/module-setup.sh b/zdev/dracut/95zdev-kdump/module-setup.sh +index ad8e309..4ce2fc6 100755 +--- a/zdev/dracut/95zdev-kdump/module-setup.sh ++++ b/zdev/dracut/95zdev-kdump/module-setup.sh +@@ -46,6 +46,10 @@ installkernel() { + install() { + local _tempfile + ++ # zdev_id is not functionally required for kdump but optionally ++ # installing avoids error messages from zdev site udev rule processing ++ inst_multiple -o /lib/s390-tools/zdev_id ++ + # Obtain kdump target device configuration + + _tempfile=$(mktemp --tmpdir dracut-zdev.XXXXXX) +-- +2.41.0 + diff --git a/SPECS/s390utils.spec b/SPECS/s390utils.spec index 37b7894..5395d5a 100644 
--- a/SPECS/s390utils.spec +++ b/SPECS/s390utils.spec @@ -9,7 +9,7 @@ Name: s390utils Summary: Utilities and daemons for IBM z Systems -Version: 2.25.0 +Version: 2.27.0 Release: 4%{?dist} Epoch: 2 License: MIT @@ -38,7 +38,7 @@ Patch0: s390-tools-zipl-invert-script-options.patch Patch1: s390-tools-zipl-blscfg-rpm-nvr-sort.patch # upstream fixes/updates -Patch100: s390utils-%%{version}-rhel.patch +Patch100: s390utils-%{version}-rhel.patch Requires: s390utils-core = %{epoch}:%{version}-%{release} Requires: s390utils-base = %{epoch}:%{version}-%{release} @@ -69,9 +69,6 @@ be used together with the zSeries (s390) Linux kernel and device drivers. # upstream fixes/updates %patch100 -p1 -# drop -Werror from genprotimg to allow building with GCC 12 -sed -i.bak -e 's/-Werror//g' genprotimg/src/Makefile genprotimg/boot/Makefile - # remove --strip from install find . -name Makefile | xargs sed -i 's/$(INSTALL) -s/$(INSTALL)/g' @@ -215,6 +212,7 @@ This package provides minimal set of tools needed to system to boot. %{_unitdir}/cpi.service %config(noreplace) %{_sysconfdir}/sysconfig/cpi /usr/lib/dracut/modules.d/95zdev/ +/usr/lib/dracut/modules.d/95zdev-kdump/ %{_mandir}/man5/zipl.conf.5* %{_mandir}/man8/chreipl.8* %{_mandir}/man8/chzdev.8* @@ -340,11 +338,6 @@ s390 base tools. This collection provides the following utilities: * tunedasd: Adjust tunable parameters on DASD devices. - * vmconvert: - Convert system dumps created by the z/VM VMDUMP command into dumps with - LKCD format. These LKCD dumps can then be analyzed with the dump analysis - tool lcrash. - * vmcp: Allows Linux users to send commands to the z/VM control program (CP). The normal usage is to invoke vmcp with the command you want to @@ -478,7 +471,6 @@ getent group zkeyadm > /dev/null || groupadd -r zkeyadm %{_bindir}/mk-s390image %{_bindir}/pvattest %{_bindir}/pvextract-hdr -%{_bindir}/vmconvert %{_bindir}/zkey %{_bindir}/zkey-cryptsetup %{_unitdir}/dumpconf.service 
@@ -507,7 +499,6 @@ getent group zkeyadm > /dev/null || groupadd -r zkeyadm %{_mandir}/man1/pvattest-create.1* %{_mandir}/man1/pvattest-perform.1* %{_mandir}/man1/pvattest-verify.1* -%{_mandir}/man1/vmconvert.1* %{_mandir}/man1/zkey.1* %{_mandir}/man1/zkey-cryptsetup.1* %{_mandir}/man1/zkey-ekmfweb.1* @@ -907,6 +898,29 @@ User-space development files for the s390/s390x architecture. %changelog +* Mon Aug 7 2023 Dan Horák - 2:2.27.0-4 +- zdev/dracut: fix kdump build to integrate with site support (#2229177) +- Resolves: #2229177 + +* Thu Jul 20 2023 Dan Horák - 2:2.27.0-3 +- Secure Execution APQN binding and IBK association (#2110521) +- Resolves: #2110521 + +* Mon Jul 17 2023 Dan Horák - 2:2.27.0-2 +- zdev: cleanup patches to fix warnings (#2223304) +- zdev: add missing label in the udev-rules (#2222900) +- Resolves: #2223304 #2222900 + +* Wed May 31 2023 Dan Horák - 2:2.27.0-1 +- rebased to 2.27.0 (#2160062) +- lszcrypt fails when querying a specific domain (#2177612) +- DASD autoquiesce support (#2196517) +- zcrypt DD: AP command filtering (#2170360) +- vmconvert and zgetdump consolidation (#2173924) +- Support for List-Directed dump from ECKD DASD (#2160052) +- Support for List-Directed IPL and re-IPL from ECKD DASD (#2160040) +- Resolves: #2160062 #2177612 #2196517 #2170360 #2173924 #2160052 #2160040 + * Thu Feb 02 2023 Dan Horák - 2:2.25.0-4 - zkey: Support EP11 host library version 4 (#2165812) - Resolves: #2165812