From 5674a8d3cd93810f1c359efea1ec74b50df8e920 Mon Sep 17 00:00:00 2001
From: AlmaLinux RelEng Bot
Date: Mon, 20 Apr 2026 03:43:31 -0400
Subject: [PATCH] import CS s390utils-2.40.0-1.el9
---
 .gitignore | 4 +-
 .s390utils.metadata | 4 +-
 SOURCES/s390utils-2.38.0-rhel.patch | 167 ----------------------------
 SPECS/s390utils.spec | 37 +++++-
 4 files changed, 36 insertions(+), 176 deletions(-)
 delete mode 100644 SOURCES/s390utils-2.38.0-rhel.patch
diff --git a/.gitignore b/.gitignore
index c4bd0b0..642e18f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,2 @@
-SOURCES/s390-tools-2.38.0-rust-vendor.tar.xz
-SOURCES/s390-tools-2.38.0.tar.gz
+SOURCES/s390-tools-2.40.0-rust-vendor.tar.xz
+SOURCES/s390-tools-2.40.0.tar.gz
diff --git a/.s390utils.metadata b/.s390utils.metadata
index 2990de9..676728d 100644
--- a/.s390utils.metadata
+++ b/.s390utils.metadata
@@ -1,2 +1,2 @@
-f496e357bdbdf1e9546dd07138b5c12325d7584c SOURCES/s390-tools-2.38.0-rust-vendor.tar.xz
-351614a3dbd4803691f54a1bd7622d4768703d2e SOURCES/s390-tools-2.38.0.tar.gz
+f894148be7a423a5745eb631125d455c8ca87d85 SOURCES/s390-tools-2.40.0-rust-vendor.tar.xz
+a383748d6e953b8024bd425cfeed7859e2faaa22 SOURCES/s390-tools-2.40.0.tar.gz
diff --git a/SOURCES/s390utils-2.38.0-rhel.patch b/SOURCES/s390utils-2.38.0-rhel.patch
deleted file mode 100644
index 8325acf..0000000
--- a/SOURCES/s390utils-2.38.0-rhel.patch
+++ /dev/null
@@ -1,167 +0,0 @@
-From 022b0c3bbe1d55a4d4fe65438d5b7c647f799e74 Mon Sep 17 00:00:00 2001
-From: Shalini Chellathurai Saroja
-Date: Fri, 16 May 2025 16:47:24 +0200
-Subject: [PATCH] cpi: Disable CPI for SEL guests by default (RHEL-76931)
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The cpictl utility sends control-program identification data
-from protected virtualization guests to hosts by default.
-This behaviour leaks the below potentially sensitive
-information to untrusted hosts.
-- system_type
-- system_level
-- sysplex_name
-- system_name
-
-To prevent this behaviour, enhance the cpictl utility to stop
-setting CPI information on protected virtualization guests by
-default. If the user chooses to set the CPI information, it
-could be set by one of the below options
-- use the command line option --permit-cpi
-- set the environment variable CPI_PERMIT_ON_PVGUEST to 1 to
-control the CPI service behaviour during boot
-
-Signed-off-by: Hendrik Brueckner
-Signed-off-by: Shalini Chellathurai Saroja
-Reviewed-by: Jan Höppner
-Reviewed-by: Peter Oberparleiter
-Reviewed-by: Hendrik Brueckner
-Signed-off-by: Jan Höppner
-(cherry picked from commit ce9c518b977925cc4c9eb92a3e508762fd57f551)
----
- etc/sysconfig/cpi | 14 ++++++++++++++
- scripts/cpictl | 39 +++++++++++++++++++++++++++++++++++++--
- systemd/cpi.service.in | 1 +
- 3 files changed, 52 insertions(+), 2 deletions(-)
-
-diff --git a/etc/sysconfig/cpi b/etc/sysconfig/cpi
-index 866b589..78eb632 100644
---- a/etc/sysconfig/cpi
-+++ b/etc/sysconfig/cpi
-@@ -18,3 +18,17 @@ CPI_SYSTEM_NAME=""
- # CPI sysplex name
- #
- CPI_SYSPLEX_NAME=""
-+
-+#
-+# CPI permit on protected virtualization guests
-+#
-+# Important: Set CPI_PERMIT_ON_PVGUEST=1 only if you trust the host system.
-+# Enabling these options allows the host to receive potentially sensitive
-+# Control-Program Identification (CPI) data from the protected virtualization
-+# guest, including:
-+# - system_type
-+# - system_level
-+# - sysplex_name
-+# - system_name
-+#
-+CPI_PERMIT_ON_PVGUEST=
-diff --git a/scripts/cpictl b/scripts/cpictl
-index 16cadde..6096a67 100755
---- a/scripts/cpictl
-+++ b/scripts/cpictl
-@@ -32,6 +32,9 @@ declare TYPE
- declare NAME
- declare SYSPLEX
-
-+declare PV_GUEST
-+declare -i CPI_PERMIT="$CPI_PERMIT_ON_PVGUEST"
-+
- declare -i DRYRUN=0
-
- # Exit codes
-@@ -40,6 +43,7 @@ readonly EXIT_FAILURE=1
- readonly EXIT_ARG_TOO_LONG=3
- readonly EXIT_INVALID_CHARS=4
- readonly EXIT_INVALID_ARGS=5
-+readonly EXIT_NO_PERMIT_CPI=6
-
- # Distro-IDs as supported by SE/HMC firmware
- readonly DISTRO_GENERIC=0
-@@ -69,6 +73,10 @@ Configure the Control-Program-Information (CPI) settings.
- -S, --sysplex SYSPLEX Set and commit the sysplex name to SYSPLEX
- -T, --type TYPE Set and commit OS type to TYPE
- -v, --version Print version information, then exit
-+ --permit-cpi Permit to send Control-Program Identification data of
-+ protected virtualization guest to the host (must be
-+ specified before any commit option). See also the
-+ important note.
- --commit Ignore all other options and commit any uncommitted
- values
- --dry-run Do not actually set or commit anything, but show what
-@@ -77,7 +85,17 @@ Configure the Control-Program-Information (CPI) settings.
- uncommitted) values
-
- Environment variables used for the --defaults option:
-- CPI_SYSTEM_TYPE, CPI_SYSTEM_LEVEL, CPI_SYSTEM_NAME, CPI_SYSPLEX_NAME
-+ CPI_SYSTEM_TYPE, CPI_SYSTEM_LEVEL, CPI_SYSTEM_NAME, CPI_SYSPLEX_NAME,
-+ CPI_PERMIT_ON_PVGUEST (See also the important note.)
-+
-+Important: Set CPI_PERMIT_ON_PVGUEST=1 or use --permit_cpi option only if you
-+trust the host system. Enabling these options allows the host to receive
-+potentially sensitive Control-Program Identification (CPI) data from the
-+protected virtualization guest, including:
-+- system_type
-+- system_level
-+- sysplex_name
-+- system_name
-
- Available bits for the --set-bit option:
- kvm: Indicate that system is a KVM host
-@@ -124,6 +142,19 @@ fail_with()
-
- cpi_commit()
- {
-+ # Commit Control-Program Identification changes on protected
-+ # virtualization guests only if it is permitted by the guest. This
-+ # prevents leakage of potentially sensitive information to untrusted
-+ # hosts.
-+ if [[ -f "/sys/firmware/uv/prot_virt_guest" ]]; then
-+ read -r PV_GUEST < "/sys/firmware/uv/prot_virt_guest"
-+ if [[ "$PV_GUEST" -eq 1 ]]; then
-+ if [[ -z "$CPI_PERMIT" ]] || [[ "$CPI_PERMIT" -ne 1 ]]; then
-+ echo "Sending CPI data from secure execution Linux guests is disabled. Use --permit-cpi to enable CPI data." >&2
-+ exit "$EXIT_NO_PERMIT_CPI"
-+ fi
-+ fi
-+ fi
- echo 1 > "$CPI_SET" 2> /dev/null
- }
-
-@@ -404,7 +435,7 @@ if [ $# -le 0 ]; then
- print_parse_error_and_exit
- fi
-
--opts=$(getopt -o b:ehL:N:S:T:v -l set-bit:,environment,help,level:,name:,sysplex:,type:,commit,dry-run,show,version -n $PRG -- "$@")
-+opts=$(getopt -o b:ehL:N:S:T:v -l set-bit:,environment,help,level:,name:,sysplex:,type:,commit,dry-run,permit-cpi,show,version -n "$PRG" -- "$@")
- if [ $? -ne 0 ]; then
- print_parse_error_and_exit
- fi
-@@ -473,6 +504,10 @@ while [ -n $1 ]; do
- cpi_show
- exit $EXIT_SUCCESS
- ;;
-+ --permit-cpi)
-+ CPI_PERMIT=1
-+ shift
-+ ;;
- --commit)
- cpi_commit
- exit $EXIT_SUCCESS
-diff --git a/systemd/cpi.service.in b/systemd/cpi.service.in
-index 3976f68..ca21a8b 100644
---- a/systemd/cpi.service.in
-+++ b/systemd/cpi.service.in
-@@ -37,6 +37,7 @@ EnvironmentFile=@sysconf_path@/sysconfig/cpi
- # Environment=CPI_SYSPLEX_NAME=
- # Environment=CPI_SYSTEM_LEVEL=
- # Environment=CPI_SYSTEM_TYPE=LINUX
-+# Environment=CPI_PERMIT_ON_PVGUEST=
-
- #
- # Sending data to the HMC/SE
---
-2.50.1
-
diff --git a/SPECS/s390utils.spec b/SPECS/s390utils.spec
index 54fbc03..a5551c0 100644
--- a/SPECS/s390utils.spec
+++ b/SPECS/s390utils.spec
@@ -14,8 +14,8 @@ Name: s390utils
 Summary: Utilities and daemons for IBM z Systems
-Version: 2.38.0
-Release: 2%{?dist}
+Version: 2.40.0
+Release: 1%{?dist}
 Epoch: 2
 License: MIT
 URL: https://github.com/ibm-s390-linux/s390-tools
@@ -47,7 +47,7 @@ Patch0: s390-tools-zipl-invert-script-options.patch
 Patch1: s390-tools-zipl-blscfg-rpm-nvr-sort.patch
 # upstream fixes/updates
-Patch100: s390utils-%{version}-rhel.patch
+#Patch100: s390utils-%%{version}-rhel.patch
 # https://fedoraproject.org/wiki/Changes/EncourageI686LeafRemoval
 ExcludeArch: %{ix86}
@@ -121,7 +121,7 @@ be used together with the zSeries (s390) Linux kernel and device drivers.
 %patch -P 1 -p1 -b .blscfg-rpm-nvr-sort
 # upstream fixes/updates
-%patch -P 100 -p1
+#%%patch -P 100 -p1
 # remove --strip from install
 find . -name Makefile | xargs sed -i 's/$(INSTALL) -s/$(INSTALL)/g'
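Review bot: Commenting out `Patch100` in the `@@ -47,7 +47,7 @@` hunk (and the matching `%patch -P 100 -p1` in the `@@ -121,7 +121,7 @@` hunk) removes the downstream change that kept cpictl from sending CPI data out of protected-virtualization guests unless `--permit-cpi` or `CPI_PERMIT_ON_PVGUEST=1` is set, and nothing in the commit records that the 2.40.0 tarball carries that behaviour. The deleted patch says it was cherry-picked from upstream commit ce9c518b977925cc4c9eb92a3e508762fd57f551, so it is presumably included in the rebase, but that should be checked against the new sources (for example that `cpi_commit` in `scripts/cpictl` still reads `/sys/firmware/uv/prot_virt_guest`) so the guest-to-host disclosure default does not change unnoticed. Once confirmed, I would replace the commented-out reference to a file this commit deletes with a plain statement, e.g. `# no downstream fixes at present; CPI default for SEL guests (RHEL-76931) comes from upstream`.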
@@ -190,6 +190,7 @@ fi
 # move tools to searchable dir
 mv %{buildroot}%{_datadir}/s390-tools/netboot/mk-s390image %{buildroot}%{_bindir}
+mv %{buildroot}%{_datadir}/s390-tools/netboot/mk-s390image.1 %{buildroot}%{_mandir}/man1
 mkdir -p %{buildroot}{/boot,%{_udevrulesdir},%{_sysconfdir}/{profile.d,sysconfig},%{_prefix}/lib/modules-load.d}
 install -p -m 644 zipl/boot/tape0.bin %{buildroot}/boot/tape0
@@ -258,6 +259,7 @@ touch %{buildroot}%{_sysconfdir}/zipl.conf
 %if %{with rust}
 %{_bindir}/pvimg
 %{_bindir}/pvsecret
+%{_bindir}/pvverify
 %endif
 %{_mandir}/man1/genprotimg.1*
 %{_mandir}/man1/pvattest.1*
@@ -281,6 +283,8 @@ touch %{buildroot}%{_sysconfdir}/zipl.conf
 %{_mandir}/man1/pvsecret-retrieve.1*
 %{_mandir}/man1/pvsecret-verify.1*
 %{_mandir}/man1/pvsecret.1*
+%{_mandir}/man1/pvverify.1*
 %endif
 %dir %{_datadir}/s390-tools
+%{_datadir}/s390-tools/netboot/
 %{_datadir}/s390-tools/pvimg/
 %{_datadir}/bash-completion/completions/*.bash
 %{_datadir}/zsh/site-functions/_*
@@ -303,6 +307,8 @@ touch %{buildroot}%{_sysconfdir}/zipl.conf
 License: MIT
 Summary: S390 core tools
 Requires: coreutils
+# for /usr/sbin/makedumpfile (RHEL-114663)
+Requires: kexec-tools
 %{?systemd_requires}
 # BRs are covered via the base package
@@ -378,6 +384,7 @@ This package provides minimal set of tools needed to system to boot.
 %{_udevrulesdir}/56-dasd.rules
 %{_udevrulesdir}/56-zfcp.rules
 %{_udevrulesdir}/59-dasd.rules
+%{_udevrulesdir}/59-virtio-blk.rules
 %{_udevrulesdir}/60-readahead.rules
 %{_udevrulesdir}/81-ccw.rules
 %{_udevrulesdir}/81-dpm.rules
@@ -609,16 +616,18 @@ getent group zkeyadm > /dev/null || groupadd -r zkeyadm
 %{_bindir}/cpacfinfo
 %{_bindir}/dump2tar
 %{_bindir}/genprotimg
+%{_bindir}/mk-s390image
 %{_bindir}/pvapconfig
 %{_bindir}/pvimg
-%{_bindir}/mk-s390image
 %if %{with rust}
 %{_bindir}/pvapconfig
+%{_bindir}/pvinfo
 %endif
 %{_bindir}/pvattest
 %{_bindir}/pvextract-hdr
 %if %{with rust}
 %{_bindir}/pvsecret
+%{_bindir}/pvverify
 %endif
 %{_bindir}/zkey
 %{_bindir}/zkey-cryptsetup
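Review bot: The added `mv` in the `@@ -190,6 +190,7 @@` hunk names its destination as `%{buildroot}%{_mandir}/man1` without a trailing slash, so if that directory does not exist when the line runs, the man page is renamed to a file called `man1` instead of the build failing. The directory is presumably created by the upstream install step, since other man1 pages are packaged, but the line can make the assumption explicit: `mv %{buildroot}%{_datadir}/s390-tools/netboot/mk-s390image.1 %{buildroot}%{_mandir}/man1/`. The existing `mv` into `%{_bindir}` on the line above has the same shape; the %install section continues outside this hunk.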
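Review bot: `Requires: kexec-tools` in the `@@ -303,6 +307,8 @@` hunk adds a hard dependency on the whole kexec-tools package to the `S390 core tools` subpackage, although the comment above it says only `/usr/sbin/makedumpfile` is needed. A file dependency, `Requires: /usr/sbin/makedumpfile`, would state exactly what is required and keep working if makedumpfile is ever packaged separately. If ngdump support is optional for most installs, `Recommends:` is worth considering so minimal images do not pull in more than they use; whether that fits RHEL-114663 cannot be judged from this page.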
@@ -648,6 +657,7 @@ getent group zkeyadm > /dev/null || groupadd -r zkeyadm
 %{_mandir}/man1/cpacfinfo.1*
 %{_mandir}/man1/dump2tar.1*
 %{_mandir}/man1/genprotimg.1*
+%{_mandir}/man1/mk-s390image.1*
 %if %{with rust}
 %{_mandir}/man1/pvapconfig.1*
 %endif
@@ -672,6 +682,7 @@ getent group zkeyadm > /dev/null || groupadd -r zkeyadm
 %{_mandir}/man1/pvsecret-retrieve.1*
 %{_mandir}/man1/pvsecret-verify.1*
 %{_mandir}/man1/pvsecret.1*
+%{_mandir}/man1/pvverify.1*
 %endif
 %{_mandir}/man1/zkey.1*
 %{_mandir}/man1/zkey-cryptsetup.1*
@@ -934,6 +945,7 @@ fi
 %{_mandir}/man1/ts-shell.1*
 %{_mandir}/man7/af_iucv.7*
 %{_mandir}/man8/chiucvallow.8*
+%{_mandir}/man8/lsiucvallow.8*
 %{_mandir}/man9/hvc_iucv.9*
 %{_unitdir}/iucvtty-login@.service
 %{_unitdir}/ttyrun-getty@.service
@@ -1095,6 +1107,21 @@ User-space development files for the s390/s390x architecture.
 %changelog
+* Mon Jan 12 2026 Dan Horák - 2:2.40.0-1
+- rebased to 2.40.0 (RHEL-100439)
+- zipl/boot: Fix unused loadparm when SCLP line-mode console is absent
+- Secure Execution: Add tool to verify host-key documents (RHEL-136796)
+- Resolves: RHEL-100439 RHEL-136796
+
+* Mon Nov 24 2025 Dan Horák - 2:2.39.0-1
+- rebased to 2.39.0 (RHEL-100439)
+- udev/rules.d: Set default io scheduler to 'none' for virtio-blk (RHEL-126743)
+- udev/rules.d: make virtio-blk devices non-rotational (RHEL-126745)
+- zipl: makedumpfile is required for ngdump support (RHEL-114663)
+- libekmfweb: Fix gen of cert or CSR to use RSA not RSA-PSS (RHEL-114885)
+- chpstat: Fix DPU utilization scaling in reports (RHEL-109215)
+- Resolves: RHEL-100439 RHEL-126743 RHEL-126745 RHEL-114663 RHEL-114885 RHEL-109215
+
 * Wed Aug 13 2025 Dan Horák - 2:2.38.0-2
 - cpi: Disable CPI for SEL guests by default (RHEL-76931)
 - Resolves: RHEL-76931