import CS s390utils-2.40.0-1.el9

2026-04-20 03:43:31 -04:00 · 2026-04-20 03:43:31 -04:00 · 5674a8d3cd
commit 5674a8d3cd
parent 9fad6b652b
4 changed files with 36 additions and 176 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,2 +1,2 @@
-SOURCES/s390-tools-2.38.0-rust-vendor.tar.xz
-SOURCES/s390-tools-2.38.0.tar.gz
+SOURCES/s390-tools-2.40.0-rust-vendor.tar.xz
+SOURCES/s390-tools-2.40.0.tar.gz
--- a/.s390utils.metadata
+++ b/.s390utils.metadata
@ -1,2 +1,2 @@
-f496e357bdbdf1e9546dd07138b5c12325d7584c SOURCES/s390-tools-2.38.0-rust-vendor.tar.xz
-351614a3dbd4803691f54a1bd7622d4768703d2e SOURCES/s390-tools-2.38.0.tar.gz
+f894148be7a423a5745eb631125d455c8ca87d85 SOURCES/s390-tools-2.40.0-rust-vendor.tar.xz
+a383748d6e953b8024bd425cfeed7859e2faaa22 SOURCES/s390-tools-2.40.0.tar.gz
--- a/SOURCES/s390utils-2.38.0-rhel.patch
+++ b/SOURCES/s390utils-2.38.0-rhel.patch
@ -1,167 +0,0 @@
-From 022b0c3bbe1d55a4d4fe65438d5b7c647f799e74 Mon Sep 17 00:00:00 2001
-From: Shalini Chellathurai Saroja <shalini@linux.ibm.com>
-Date: Fri, 16 May 2025 16:47:24 +0200
-Subject: [PATCH] cpi: Disable CPI for SEL guests by default (RHEL-76931)
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The cpictl utility sends control-program identification data
-from protected virtualization guests to hosts by default.
-This behaviour leaks the below potentially sensitive
-information to untrusted hosts.
- system_type
- system_level
- sysplex_name
- system_name
-
-To prevent this behaviour, enhance the cpictl utility to stop
-setting CPI information on protected virtualization guests by
-default. If the user chooses to set the CPI information, it
-could be set by one of the below options
- use the command line option --permit-cpi
- set the environment variable CPI_PERMIT_ON_PVGUEST to 1 to
-control the CPI service behaviour during boot
-
-Signed-off-by: Hendrik Brueckner <brueckner@linux.ibm.com>
-Signed-off-by: Shalini Chellathurai Saroja <shalini@linux.ibm.com>
-Reviewed-by: Jan Höppner <hoeppner@linux.ibm.com>
-Reviewed-by: Peter Oberparleiter <oberpar@linux.ibm.com>
-Reviewed-by: Hendrik Brueckner <brueckner@linux.ibm.com>
-Signed-off-by: Jan Höppner <hoeppner@linux.ibm.com>
-(cherry picked from commit ce9c518b977925cc4c9eb92a3e508762fd57f551)
---
- etc/sysconfig/cpi      | 14 ++++++++++++++
- scripts/cpictl         | 39 +++++++++++++++++++++++++++++++++++++--
- systemd/cpi.service.in |  1 +
- 3 files changed, 52 insertions(+), 2 deletions(-)
-
-diff --git a/etc/sysconfig/cpi b/etc/sysconfig/cpi
-index 866b589..78eb632 100644
--- a/etc/sysconfig/cpi
-+++ b/etc/sysconfig/cpi
-@@ -18,3 +18,17 @@ CPI_SYSTEM_NAME=""
- # CPI sysplex name
- #
- CPI_SYSPLEX_NAME=""
-+
-+#
-+# CPI permit on protected virtualization guests
-+#
-+# Important: Set CPI_PERMIT_ON_PVGUEST=1 only if you trust the host system.
-+# Enabling these options allows the host to receive potentially sensitive
-+# Control-Program Identification (CPI) data from the protected virtualization
-+# guest, including:
-+# - system_type
-+# - system_level
-+# - sysplex_name
-+# - system_name
-+#
-+CPI_PERMIT_ON_PVGUEST=
-diff --git a/scripts/cpictl b/scripts/cpictl
-index 16cadde..6096a67 100755
--- a/scripts/cpictl
-+++ b/scripts/cpictl
-@@ -32,6 +32,9 @@ declare TYPE
- declare NAME
- declare SYSPLEX
- 
-+declare PV_GUEST
-+declare -i CPI_PERMIT="$CPI_PERMIT_ON_PVGUEST"
-+
- declare -i DRYRUN=0
- 
- # Exit codes
-@@ -40,6 +43,7 @@ readonly EXIT_FAILURE=1
- readonly EXIT_ARG_TOO_LONG=3
- readonly EXIT_INVALID_CHARS=4
- readonly EXIT_INVALID_ARGS=5
-+readonly EXIT_NO_PERMIT_CPI=6
- 
- # Distro-IDs as supported by SE/HMC firmware
- readonly DISTRO_GENERIC=0
-@@ -69,6 +73,10 @@ Configure the Control-Program-Information (CPI) settings.
-   -S, --sysplex SYSPLEX  Set and commit the sysplex name to SYSPLEX
-   -T, --type TYPE        Set and commit OS type to TYPE
-   -v, --version          Print version information, then exit
-+  --permit-cpi           Permit to send Control-Program Identification data of
-+                         protected virtualization guest to the host (must be
-+                         specified before any commit option). See also the
-+                         important note.
-   --commit               Ignore all other options and commit any uncommitted
-                          values
-   --dry-run              Do not actually set or commit anything, but show what
-@@ -77,7 +85,17 @@ Configure the Control-Program-Information (CPI) settings.
-                          uncommitted) values
- 
- Environment variables used for the --defaults option:
-  CPI_SYSTEM_TYPE, CPI_SYSTEM_LEVEL, CPI_SYSTEM_NAME, CPI_SYSPLEX_NAME
-+  CPI_SYSTEM_TYPE, CPI_SYSTEM_LEVEL, CPI_SYSTEM_NAME, CPI_SYSPLEX_NAME,
-+  CPI_PERMIT_ON_PVGUEST (See also the important note.)
-+
-+Important: Set CPI_PERMIT_ON_PVGUEST=1 or use --permit_cpi option only if you
-+trust the host system. Enabling these options allows the host to receive
-+potentially sensitive Control-Program Identification (CPI) data from the
-+protected virtualization guest, including:
-+- system_type
-+- system_level
-+- sysplex_name
-+- system_name
- 
- Available bits for the --set-bit option:
-   kvm: Indicate that system is a KVM host
-@@ -124,6 +142,19 @@ fail_with()
- 
- cpi_commit()
- {
-+	# Commit Control-Program Identification changes on protected
-+	# virtualization guests only if it is permitted by the guest. This
-+	# prevents leakage of potentially sensitive information to untrusted
-+	# hosts.
-+	if [[ -f "/sys/firmware/uv/prot_virt_guest" ]]; then
-+		read -r PV_GUEST < "/sys/firmware/uv/prot_virt_guest"
-+		if [[ "$PV_GUEST" -eq 1 ]]; then
-+			if [[ -z "$CPI_PERMIT" ]] || [[ "$CPI_PERMIT" -ne 1 ]]; then
-+				echo "Sending CPI data from secure execution Linux guests is disabled. Use --permit-cpi to enable CPI data." >&2
-+				exit "$EXIT_NO_PERMIT_CPI"
-+			fi
-+		fi
-+	fi
- 	echo 1 > "$CPI_SET" 2> /dev/null
- }
- 
-@@ -404,7 +435,7 @@ if [ $# -le 0 ]; then
- 	print_parse_error_and_exit
- fi
- 
-opts=$(getopt -o b:ehL:N:S:T:v -l set-bit:,environment,help,level:,name:,sysplex:,type:,commit,dry-run,show,version -n $PRG -- "$@")
-+opts=$(getopt -o b:ehL:N:S:T:v -l set-bit:,environment,help,level:,name:,sysplex:,type:,commit,dry-run,permit-cpi,show,version -n "$PRG" -- "$@")
- if [ $? -ne 0 ]; then
- 	print_parse_error_and_exit
- fi
-@@ -473,6 +504,10 @@ while [ -n $1 ]; do
- 		cpi_show
- 		exit $EXIT_SUCCESS
- 		;;
-+	--permit-cpi)
-+		CPI_PERMIT=1
-+		shift
-+		;;
- 	--commit)
- 		cpi_commit
- 		exit $EXIT_SUCCESS
-diff --git a/systemd/cpi.service.in b/systemd/cpi.service.in
-index 3976f68..ca21a8b 100644
--- a/systemd/cpi.service.in
-+++ b/systemd/cpi.service.in
-@@ -37,6 +37,7 @@ EnvironmentFile=@sysconf_path@/sysconfig/cpi
- # Environment=CPI_SYSPLEX_NAME=
- # Environment=CPI_SYSTEM_LEVEL=
- # Environment=CPI_SYSTEM_TYPE=LINUX
-+# Environment=CPI_PERMIT_ON_PVGUEST=
- 
- #
- # Sending data to the HMC/SE
-- 
-2.50.1
-
--- a/SPECS/s390utils.spec
+++ b/SPECS/s390utils.spec
@ -14,8 +14,8 @@

 Name:           s390utils
 Summary:        Utilities and daemons for IBM z Systems
-Version:        2.38.0
-Release:        2%{?dist}
+Version:        2.40.0
+Release:        1%{?dist}
 Epoch:          2
 License:        MIT
 URL:            https://github.com/ibm-s390-linux/s390-tools
@ -47,7 +47,7 @@ Patch0:         s390-tools-zipl-invert-script-options.patch
 Patch1:         s390-tools-zipl-blscfg-rpm-nvr-sort.patch

 # upstream fixes/updates
-Patch100:       s390utils-%{version}-rhel.patch
+#Patch100:       s390utils-%%{version}-rhel.patch

 # https://fedoraproject.org/wiki/Changes/EncourageI686LeafRemoval
 ExcludeArch:    %{ix86}
@ -121,7 +121,7 @@ be used together with the zSeries (s390) Linux kernel and device drivers.
 %patch -P 1 -p1 -b .blscfg-rpm-nvr-sort

 # upstream fixes/updates
-%patch -P 100 -p1
+#%%patch -P 100 -p1

 # remove --strip from install
 find . -name Makefile | xargs sed -i 's/$(INSTALL) -s/$(INSTALL)/g'
@ -190,6 +190,7 @@ fi

 # move tools to searchable dir
 mv %{buildroot}%{_datadir}/s390-tools/netboot/mk-s390image %{buildroot}%{_bindir}
+mv %{buildroot}%{_datadir}/s390-tools/netboot/mk-s390image.1 %{buildroot}%{_mandir}/man1

 mkdir -p %{buildroot}{/boot,%{_udevrulesdir},%{_sysconfdir}/{profile.d,sysconfig},%{_prefix}/lib/modules-load.d}
 install -p -m 644 zipl/boot/tape0.bin %{buildroot}/boot/tape0
@ -258,6 +259,7 @@ touch %{buildroot}%{_sysconfdir}/zipl.conf
 %if %{with rust}
 %{_bindir}/pvimg
 %{_bindir}/pvsecret
+%{_bindir}/pvverify
 %endif
 %{_mandir}/man1/genprotimg.1*
 %{_mandir}/man1/pvattest.1*
@ -281,8 +283,10 @@ touch %{buildroot}%{_sysconfdir}/zipl.conf
 %{_mandir}/man1/pvsecret-retrieve.1*
 %{_mandir}/man1/pvsecret-verify.1*
 %{_mandir}/man1/pvsecret.1*
+%{_mandir}/man1/pvverify.1*
 %endif
 %dir %{_datadir}/s390-tools
+%{_datadir}/s390-tools/netboot/
 %{_datadir}/s390-tools/pvimg/
 %{_datadir}/bash-completion/completions/*.bash
 %{_datadir}/zsh/site-functions/_*
@ -303,6 +307,8 @@ touch %{buildroot}%{_sysconfdir}/zipl.conf
 License:        MIT
 Summary:        S390 core tools
 Requires:       coreutils
+# for /usr/sbin/makedumpfile (RHEL-114663)
+Requires:       kexec-tools
 %{?systemd_requires}
 # BRs are covered via the base package

@ -378,6 +384,7 @@ This package provides minimal set of tools needed to system to boot.
 %{_udevrulesdir}/56-dasd.rules
 %{_udevrulesdir}/56-zfcp.rules
 %{_udevrulesdir}/59-dasd.rules
+%{_udevrulesdir}/59-virtio-blk.rules
 %{_udevrulesdir}/60-readahead.rules
 %{_udevrulesdir}/81-ccw.rules
 %{_udevrulesdir}/81-dpm.rules
@ -609,16 +616,18 @@ getent group zkeyadm > /dev/null || groupadd -r zkeyadm
 %{_bindir}/cpacfinfo
 %{_bindir}/dump2tar
 %{_bindir}/genprotimg
+%{_bindir}/mk-s390image
 %{_bindir}/pvapconfig
 %{_bindir}/pvimg
-%{_bindir}/mk-s390image
 %if %{with rust}
 %{_bindir}/pvapconfig
+%{_bindir}/pvinfo
 %endif
 %{_bindir}/pvattest
 %{_bindir}/pvextract-hdr
 %if %{with rust}
 %{_bindir}/pvsecret
+%{_bindir}/pvverify
 %endif
 %{_bindir}/zkey
 %{_bindir}/zkey-cryptsetup
@ -648,6 +657,7 @@ getent group zkeyadm > /dev/null || groupadd -r zkeyadm
 %{_mandir}/man1/cpacfinfo.1*
 %{_mandir}/man1/dump2tar.1*
 %{_mandir}/man1/genprotimg.1*
+%{_mandir}/man1/mk-s390image.1*
 %if %{with rust}
 %{_mandir}/man1/pvapconfig.1*
 %endif
@ -672,6 +682,7 @@ getent group zkeyadm > /dev/null || groupadd -r zkeyadm
 %{_mandir}/man1/pvsecret-retrieve.1*
 %{_mandir}/man1/pvsecret-verify.1*
 %{_mandir}/man1/pvsecret.1*
+%{_mandir}/man1/pvverify.1*
 %endif
 %{_mandir}/man1/zkey.1*
 %{_mandir}/man1/zkey-cryptsetup.1*
@ -934,6 +945,7 @@ fi
 %{_mandir}/man1/ts-shell.1*
 %{_mandir}/man7/af_iucv.7*
 %{_mandir}/man8/chiucvallow.8*
+%{_mandir}/man8/lsiucvallow.8*
 %{_mandir}/man9/hvc_iucv.9*
 %{_unitdir}/iucvtty-login@.service
 %{_unitdir}/ttyrun-getty@.service
@ -1095,6 +1107,21 @@ User-space development files for the s390/s390x architecture.


 %changelog
+* Mon Jan 12 2026 Dan Horák <dhorak@redhat.com> - 2:2.40.0-1
+- rebased to 2.40.0 (RHEL-100439)
+- zipl/boot: Fix unused loadparm when SCLP line-mode console is absent
+- Secure Execution: Add tool to verify host-key documents (RHEL-136796)
+- Resolves: RHEL-100439 RHEL-136796
+
+* Mon Nov 24 2025 Dan Horák <dhorak@redhat.com> - 2:2.39.0-1
+- rebased to 2.39.0 (RHEL-100439)
+- udev/rules.d: Set default io scheduler to 'none' for virtio-blk (RHEL-126743)
+- udev/rules.d: make virtio-blk devices non-rotational (RHEL-126745)
+- zipl: makedumpfile is required for ngdump support (RHEL-114663)
+- libekmfweb: Fix gen of cert or CSR to use RSA not RSA-PSS (RHEL-114885)
+- chpstat: Fix DPU utilization scaling in reports (RHEL-109215)
+- Resolves: RHEL-100439 RHEL-126743 RHEL-126745 RHEL-114663 RHEL-114885 RHEL-109215
+
 * Wed Aug 13 2025 Dan Horák <dhorak@redhat.com> - 2:2.38.0-2
 - cpi: Disable CPI for SEL guests by default (RHEL-76931)
 - Resolves: RHEL-76931