import CS s390utils-2.38.0-2.el9

.gitignore

@@ -1,2 +1,2 @@
-SOURCES/s390-tools-2.36.0-rust-vendor.tar.xz
+SOURCES/s390-tools-2.38.0-rust-vendor.tar.xz
-SOURCES/s390-tools-2.36.0.tar.gz
+SOURCES/s390-tools-2.38.0.tar.gz

.s390utils.metadata

@@ -1,2 +1,2 @@
-0d9c47df20772a8973ee868c68d02e95871c2de2 SOURCES/s390-tools-2.36.0-rust-vendor.tar.xz
+f496e357bdbdf1e9546dd07138b5c12325d7584c SOURCES/s390-tools-2.38.0-rust-vendor.tar.xz
-8fc35ffa5dd6d4235c9894a1368e9592ad34c1ff SOURCES/s390-tools-2.36.0.tar.gz
+351614a3dbd4803691f54a1bd7622d4768703d2e SOURCES/s390-tools-2.38.0.tar.gz

SOURCES/s390utils-2.38.0-rhel.patch

@@ -0,0 +1,167 @@
+From 022b0c3bbe1d55a4d4fe65438d5b7c647f799e74 Mon Sep 17 00:00:00 2001
+From: Shalini Chellathurai Saroja <shalini@linux.ibm.com>
+Date: Fri, 16 May 2025 16:47:24 +0200
+Subject: [PATCH] cpi: Disable CPI for SEL guests by default (RHEL-76931)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The cpictl utility sends control-program identification data
+from protected virtualization guests to hosts by default.
+This behaviour leaks the below potentially sensitive
+information to untrusted hosts.
+- system_type
+- system_level
+- sysplex_name
+- system_name
+
+To prevent this behaviour, enhance the cpictl utility to stop
+setting CPI information on protected virtualization guests by
+default. If the user chooses to set the CPI information, it
+could be set by one of the below options
+- use the command line option --permit-cpi
+- set the environment variable CPI_PERMIT_ON_PVGUEST to 1 to
+control the CPI service behaviour during boot
+
+Signed-off-by: Hendrik Brueckner <brueckner@linux.ibm.com>
+Signed-off-by: Shalini Chellathurai Saroja <shalini@linux.ibm.com>
+Reviewed-by: Jan Höppner <hoeppner@linux.ibm.com>
+Reviewed-by: Peter Oberparleiter <oberpar@linux.ibm.com>
+Reviewed-by: Hendrik Brueckner <brueckner@linux.ibm.com>
+Signed-off-by: Jan Höppner <hoeppner@linux.ibm.com>
+(cherry picked from commit ce9c518b977925cc4c9eb92a3e508762fd57f551)
+---
+ etc/sysconfig/cpi      | 14 ++++++++++++++
+ scripts/cpictl         | 39 +++++++++++++++++++++++++++++++++++++--
+ systemd/cpi.service.in |  1 +
+ 3 files changed, 52 insertions(+), 2 deletions(-)
+
+diff --git a/etc/sysconfig/cpi b/etc/sysconfig/cpi
+index 866b589..78eb632 100644
+--- a/etc/sysconfig/cpi
++++ b/etc/sysconfig/cpi
+@@ -18,3 +18,17 @@ CPI_SYSTEM_NAME=""
+ # CPI sysplex name
+ #
+ CPI_SYSPLEX_NAME=""
++
++#
++# CPI permit on protected virtualization guests
++#
++# Important: Set CPI_PERMIT_ON_PVGUEST=1 only if you trust the host system.
++# Enabling these options allows the host to receive potentially sensitive
++# Control-Program Identification (CPI) data from the protected virtualization
++# guest, including:
++# - system_type
++# - system_level
++# - sysplex_name
++# - system_name
++#
++CPI_PERMIT_ON_PVGUEST=
+diff --git a/scripts/cpictl b/scripts/cpictl
+index 16cadde..6096a67 100755
+--- a/scripts/cpictl
++++ b/scripts/cpictl
+@@ -32,6 +32,9 @@ declare TYPE
+ declare NAME
+ declare SYSPLEX
+ 
++declare PV_GUEST
++declare -i CPI_PERMIT="$CPI_PERMIT_ON_PVGUEST"
++
+ declare -i DRYRUN=0
+ 
+ # Exit codes
+@@ -40,6 +43,7 @@ readonly EXIT_FAILURE=1
+ readonly EXIT_ARG_TOO_LONG=3
+ readonly EXIT_INVALID_CHARS=4
+ readonly EXIT_INVALID_ARGS=5
++readonly EXIT_NO_PERMIT_CPI=6
+ 
+ # Distro-IDs as supported by SE/HMC firmware
+ readonly DISTRO_GENERIC=0
+@@ -69,6 +73,10 @@ Configure the Control-Program-Information (CPI) settings.
+   -S, --sysplex SYSPLEX  Set and commit the sysplex name to SYSPLEX
+   -T, --type TYPE        Set and commit OS type to TYPE
+   -v, --version          Print version information, then exit
++  --permit-cpi           Permit to send Control-Program Identification data of
++                         protected virtualization guest to the host (must be
++                         specified before any commit option). See also the
++                         important note.
+   --commit               Ignore all other options and commit any uncommitted
+                          values
+   --dry-run              Do not actually set or commit anything, but show what
+@@ -77,7 +85,17 @@ Configure the Control-Program-Information (CPI) settings.
+                          uncommitted) values
+ 
+ Environment variables used for the --defaults option:
+-  CPI_SYSTEM_TYPE, CPI_SYSTEM_LEVEL, CPI_SYSTEM_NAME, CPI_SYSPLEX_NAME
++  CPI_SYSTEM_TYPE, CPI_SYSTEM_LEVEL, CPI_SYSTEM_NAME, CPI_SYSPLEX_NAME,
++  CPI_PERMIT_ON_PVGUEST (See also the important note.)
++
++Important: Set CPI_PERMIT_ON_PVGUEST=1 or use --permit_cpi option only if you
++trust the host system. Enabling these options allows the host to receive
++potentially sensitive Control-Program Identification (CPI) data from the
++protected virtualization guest, including:
++- system_type
++- system_level
++- sysplex_name
++- system_name
+ 
+ Available bits for the --set-bit option:
+   kvm: Indicate that system is a KVM host
+@@ -124,6 +142,19 @@ fail_with()
+ 
+ cpi_commit()
+ {
++	# Commit Control-Program Identification changes on protected
++	# virtualization guests only if it is permitted by the guest. This
++	# prevents leakage of potentially sensitive information to untrusted
++	# hosts.
++	if [[ -f "/sys/firmware/uv/prot_virt_guest" ]]; then
++		read -r PV_GUEST < "/sys/firmware/uv/prot_virt_guest"
++		if [[ "$PV_GUEST" -eq 1 ]]; then
++			if [[ -z "$CPI_PERMIT" ]] || [[ "$CPI_PERMIT" -ne 1 ]]; then
++				echo "Sending CPI data from secure execution Linux guests is disabled. Use --permit-cpi to enable CPI data." >&2
++				exit "$EXIT_NO_PERMIT_CPI"
++			fi
++		fi
++	fi
+ 	echo 1 > "$CPI_SET" 2> /dev/null
+ }
+ 
+@@ -404,7 +435,7 @@ if [ $# -le 0 ]; then
+ 	print_parse_error_and_exit
+ fi
+ 
+-opts=$(getopt -o b:ehL:N:S:T:v -l set-bit:,environment,help,level:,name:,sysplex:,type:,commit,dry-run,show,version -n $PRG -- "$@")
++opts=$(getopt -o b:ehL:N:S:T:v -l set-bit:,environment,help,level:,name:,sysplex:,type:,commit,dry-run,permit-cpi,show,version -n "$PRG" -- "$@")
+ if [ $? -ne 0 ]; then
+ 	print_parse_error_and_exit
+ fi
+@@ -473,6 +504,10 @@ while [ -n $1 ]; do
+ 		cpi_show
+ 		exit $EXIT_SUCCESS
+ 		;;
++	--permit-cpi)
++		CPI_PERMIT=1
++		shift
++		;;
+ 	--commit)
+ 		cpi_commit
+ 		exit $EXIT_SUCCESS
+diff --git a/systemd/cpi.service.in b/systemd/cpi.service.in
+index 3976f68..ca21a8b 100644
+--- a/systemd/cpi.service.in
++++ b/systemd/cpi.service.in
+@@ -37,6 +37,7 @@ EnvironmentFile=@sysconf_path@/sysconfig/cpi
+ # Environment=CPI_SYSPLEX_NAME=
+ # Environment=CPI_SYSTEM_LEVEL=
+ # Environment=CPI_SYSTEM_TYPE=LINUX
++# Environment=CPI_PERMIT_ON_PVGUEST=
+ 
+ #
+ # Sending data to the HMC/SE
+-- 
+2.50.1
+

SPECS/s390utils.spec

@@ -14,7 +14,7 @@
 
 Name:           s390utils
 Summary:        Utilities and daemons for IBM z Systems
-Version:        2.36.0
+Version:        2.38.0
 Release:        2%{?dist}
 Epoch:          2
 License:        MIT
@@ -157,6 +157,7 @@ make \
 
 %install
 make install \
+        CFLAGS="%{build_cflags}" CXXFLAGS="%{build_cxxflags}" LDFLAGS="%{build_ldflags}" \
         RUSTFLAGS="%{build_rustflags}" \
 %if %{without rust}
         HAVE_CARGO=0 \
@@ -273,6 +274,7 @@ touch %{buildroot}%{_sysconfdir}/zipl.conf
 %{_mandir}/man1/pvsecret-create-association.1*
 %{_mandir}/man1/pvsecret-create-meta.1*
 %{_mandir}/man1/pvsecret-create-retrievable.1*
+%{_mandir}/man1/pvsecret-create-update-cck.1*
 %{_mandir}/man1/pvsecret-create.1*
 %{_mandir}/man1/pvsecret-list.1*
 %{_mandir}/man1/pvsecret-lock.1*
@@ -282,6 +284,8 @@ touch %{buildroot}%{_sysconfdir}/zipl.conf
 %endif
 %dir %{_datadir}/s390-tools
 %{_datadir}/s390-tools/pvimg/
+%{_datadir}/bash-completion/completions/*.bash
+%{_datadir}/zsh/site-functions/_*
 
 #
 # enf of multi-arch section
@@ -378,6 +382,8 @@ This package provides minimal set of tools needed to system to boot.
 %{_udevrulesdir}/81-ccw.rules
 %{_udevrulesdir}/81-dpm.rules
 %{_udevrulesdir}/90-cpi.rules
+# rule provided by systemd-udev
+%exclude %{_udevrulesdir}/80-hotplug-cpu.rules
 %{_sysconfdir}/kernel/install.d/20-grubby.install
 %{_prefix}/lib/kernel/install.d/10-zfcpdump.install
 %{_prefix}/lib/kernel/install.d/20-zipl-kernel.install
@@ -485,9 +491,6 @@ s390 base tools. This collection provides the following utilities:
      feature. Those traces are filtered with the zfcpdbf script, i.e. merge
      several traces, make it more readable etc.
 
-   * scsi_logging_level:
-     Create, get or set the logging level for the SCSI logging facility.
-
    * zconf:
      Set of scripts to configure and list status information of Linux for
      zSeries IO devices.
@@ -587,7 +590,6 @@ getent group zkeyadm > /dev/null || groupadd -r zkeyadm
 %{_sbindir}/qetharp
 %{_sbindir}/qethconf
 %{_sbindir}/qethqoat
-%{_sbindir}/scsi_logging_level
 %{_sbindir}/sclpdbf
 %{_sbindir}/start_hsnc.sh
 %{_sbindir}/tape390_crypt
@@ -601,6 +603,7 @@ getent group zkeyadm > /dev/null || groupadd -r zkeyadm
 %{_sbindir}/zfcpdbf
 %{_sbindir}/zgetdump
 %{_sbindir}/zipl-switch-to-blscfg
+%{_sbindir}/zmemtopo
 %{_sbindir}/znetconf
 %{_sbindir}/zpcictl
 %{_bindir}/cpacfinfo
@@ -619,12 +622,14 @@ getent group zkeyadm > /dev/null || groupadd -r zkeyadm
 %endif
 %{_bindir}/zkey
 %{_bindir}/zkey-cryptsetup
+%{_bindir}/zpwr
 %{_unitdir}/dumpconf.service
 %{_unitdir}/opticsmon.service
 %ghost %config(noreplace) %{_sysconfdir}/zipl.conf
 %config(noreplace) %{_sysconfdir}/sysconfig/dumpconf
 %{_sysconfdir}/mdevctl.d/*
 /usr/lib/dracut/modules.d/99ngdump/
+/usr/lib/dracut/dracut.conf.d/99-pkey.conf
 # own the mdevctl dirs until new release is available
 %dir /usr/lib/mdevctl
 %dir /usr/lib/mdevctl/scripts.d
@@ -660,6 +665,7 @@ getent group zkeyadm > /dev/null || groupadd -r zkeyadm
 %{_mandir}/man1/pvsecret-create-association.1*
 %{_mandir}/man1/pvsecret-create-meta.1*
 %{_mandir}/man1/pvsecret-create-retrievable.1*
+%{_mandir}/man1/pvsecret-create-update-cck.1*
 %{_mandir}/man1/pvsecret-create.1*
 %{_mandir}/man1/pvsecret-list.1*
 %{_mandir}/man1/pvsecret-lock.1*
@@ -671,6 +677,7 @@ getent group zkeyadm > /dev/null || groupadd -r zkeyadm
 %{_mandir}/man1/zkey-cryptsetup.1*
 %{_mandir}/man1/zkey-ekmfweb.1*
 %{_mandir}/man1/zkey-kmip.1*
+%{_mandir}/man1/zpwr.1*
 %{_mandir}/man4/prandom.4*
 %{_mandir}/man5/hsavmcore.conf.5*
 %{_mandir}/man8/chccwdev.8*
@@ -716,10 +723,13 @@ getent group zkeyadm > /dev/null || groupadd -r zkeyadm
 %{_mandir}/man8/zfcpdbf.8*
 %{_mandir}/man8/zgetdump.8*
 %{_mandir}/man8/zipl-switch-to-blscfg.8*
+%{_mandir}/man8/zmemtopo.8*
 %{_mandir}/man8/znetconf.8*
 %{_mandir}/man8/zpcictl.8*
 %dir %{_datadir}/s390-tools
 %{_datadir}/s390-tools/netboot/
+%{_datadir}/bash-completion/completions/*.bash
+%{_datadir}/zsh/site-functions/_*
 %dir %attr(0770,root,zkeyadm) %{_sysconfdir}/zkey
 %dir %attr(0770,root,zkeyadm) %{_sysconfdir}/zkey/kmip
 %dir %attr(0770,root,zkeyadm) %{_sysconfdir}/zkey/kmip/profiles
@@ -1085,6 +1095,18 @@ User-space development files for the s390/s390x architecture.
 
 
 %changelog
+* Wed Aug 13 2025 Dan Horák <dhorak@redhat.com> - 2:2.38.0-2
+- cpi: Disable CPI for SEL guests by default (RHEL-76931)
+- Resolves: RHEL-76931
+
+* Mon Jul 14 2025 Dan Horák <dhorak@redhat.com> - 2:2.38.0-1
+- rebased to 2.38.0 (RHEL-73342)
+- LPAR level power consumption reporting (RHEL-72675)
+- Provide Topology-Map information to userspace (RHEL-72682)
+- Add CCK secret type for updating the Customer Communication Key (RHEL-73021)
+- Convert LUKS2 volume from AES keys to retrievable PAES keys (RHEL-85390)
+- Resolves: RHEL-73342 RHEL-72675 RHEL-72682 RHEL-73021 RHEL-85390
+
 * Thu Jan 30 2025 Dan Horák <dhorak@redhat.com> - 2:2.36.0-2
 - pvimg/genprotimg: Fix confidential dump support (RHEL-76912)
 - Resolves: RHEL-76912