import s390utils-2.22.0-2.el9

This commit is contained in:
CentOS Sources 2022-11-15 02:09:35 -05:00 committed by Stepan Oksanichenko
parent 314681f912
commit cb1557e802
7 changed files with 332 additions and 589 deletions

2
.gitignore vendored
View File

@ -1 +1 @@
SOURCES/s390-tools-2.19.0.tar.gz
SOURCES/s390-tools-2.22.0.tar.gz

View File

@ -1 +1 @@
5b4eeed3868297ca65b7d5720484786172dc11d1 SOURCES/s390-tools-2.19.0.tar.gz
7023dd992d5cb418cb522a62c6f8550bf3d4ec37 SOURCES/s390-tools-2.22.0.tar.gz

View File

@ -1,6 +1,221 @@
diff -up s390-tools-2.9.0/zipl/src/Makefile.blscfg-rpm-nvr-sort s390-tools-2.9.0/zipl/src/Makefile
--- s390-tools-2.9.0/zipl/src/Makefile.blscfg-rpm-nvr-sort 2019-05-22 08:16:17.317273801 -0400
+++ s390-tools-2.9.0/zipl/src/Makefile 2019-05-22 08:18:02.947273801 -0400
From 14119148dabb7f4f633623c00eece44c5771db10 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dan=20Hor=C3=A1k?= <dan@danny.cz>
Date: Mon, 20 Jun 2022 17:43:05 +0200
Subject: [PATCH 1/2] Revert "zipl/src: Implement sorting bls entries by
versions"
This reverts commit a0dba6bfdb50ff373fa710ffe2a307cc0748f18b.
---
zipl/src/scan.c | 139 ++----------------------------------------------
1 file changed, 3 insertions(+), 136 deletions(-)
diff --git a/zipl/src/scan.c b/zipl/src/scan.c
index 0cea1d4..9352f76 100644
--- a/zipl/src/scan.c
+++ b/zipl/src/scan.c
@@ -10,7 +10,6 @@
*
*/
-static const char *VERSION_KEYWORD = "version";
/* Need ISOC99 function isblank() in ctype.h */
#ifndef __USE_ISOC99
@@ -646,7 +645,7 @@ scan_file(const char* filename, struct scan_token** token)
static int
-bls_filter_by_names(const struct dirent *ent)
+bls_filter(const struct dirent *ent)
{
int offset = strlen(ent->d_name) - strlen(".conf");
@@ -656,111 +655,13 @@ bls_filter_by_names(const struct dirent *ent)
return strncmp(ent->d_name + offset, ".conf", strlen(".conf")) == 0;
}
-struct version {
- char *line; /* pointer to a line with version keyword */
- int offset; /* offset of version value in the line */
-};
-
-/*
- * Locate version in bls file represented by ENT
- */
-static void get_version(const struct dirent *ent, struct version *v)
-{
- char *line = NULL;
- size_t len = 0;
- char *d_name;
- FILE *stream;
- ssize_t read;
-
- memset(v, 0, sizeof(*v));
- d_name = misc_make_path((char *)blsdir, (char *)ent->d_name);
- if (!d_name)
- return;
-
- stream = fopen(d_name, "r");
- free(d_name);
- if (!stream)
- return;
-
- while ((read = getline(&line, &len, stream)) != -1) {
- if (line[read - 1] == '\n') {
- line[read - 1] = '\0';
- read--;
- }
- if ((size_t)read <= strlen(VERSION_KEYWORD) + 1)
- continue;
- if (strcmp(VERSION_KEYWORD, line) > 0)
- continue;
- if (!isblank(line[strlen(VERSION_KEYWORD)]))
- continue;
- /* skip blanks */
- v->offset = strlen(VERSION_KEYWORD) + 1;
- while (v->offset < read - 1 && isblank(line[v->offset]))
- v->offset++;
- if (isblank(line[v->offset]))
- /*
- * all characters after the keyword
- * are blanks. Invalid version
- */
- continue;
- v->line = line;
- fclose(stream);
- return;
- }
- free(line);
- fclose(stream);
-}
-
-static void put_version(struct version *v)
-{
- free(v->line);
-}
-
-/**
- * Check version in bls file represented by ENT.
- * Return 1 if version is valid. Otherwise return 0
- */
-static int bls_filter_by_versions(const struct dirent *ent)
-{
- struct version v;
-
- if (bls_filter_by_names(ent) == 0)
- return 0;
-
- get_version(ent, &v);
- if (v.line) {
- put_version(&v);
- return 1;
- }
- return 0;
-}
-
static int
-bls_sort_by_names(const struct dirent **ent_a, const struct dirent **ent_b)
+bls_sort(const struct dirent **ent_a, const struct dirent **ent_b)
{
return strverscmp((*ent_a)->d_name, (*ent_b)->d_name);
}
-static int
-bls_sort_by_versions(const struct dirent **ent_a, const struct dirent **ent_b)
-{
- struct version v1, v2;
- int ret;
-
- get_version(*ent_a, &v1);
- get_version(*ent_b, &v2);
- /*
- * Both versions are valid.
- * It is guaranteed by bls_filter_by_versions()
- */
- ret = strverscmp(v1.line + v1.offset, v2.line + v2.offset);
-
- put_version(&v1);
- put_version(&v2);
-
- return ret;
-}
static int
scan_append_section_heading(struct scan_token* scan, int* index, char* name);
@@ -1110,40 +1011,6 @@ scan_count_target_keywords(char* keyword[])
return num;
}
-static int bls_scandir(struct dirent ***bls_entries)
-{
- struct dirent **entries1;
- struct dirent **entries2;
- int n1, n2;
-
- /* arrange by names */
- n1 = scandir(blsdir, &entries1,
- bls_filter_by_names, bls_sort_by_names);
- if (n1 <= 0)
- return n1;
- /* arrange by versions */
- n2 = scandir(blsdir, &entries2,
- bls_filter_by_versions, bls_sort_by_versions);
-
- if (n2 <= 0 || n2 < n1) {
- /*
- * failed to sort by versions,
- * fall back to sorting by filenames
- */
- *bls_entries = entries1;
- while (n2--)
- free(entries2[n2]);
- free(entries2);
- return n1;
- }
- /* use arrangement by versions */
- *bls_entries = entries2;
- while (n1--)
- free(entries1[n1]);
- free(entries1);
- return n2;
-}
-
int
scan_check_target_data(char* keyword[], int* line)
{
@@ -1464,7 +1331,7 @@ int scan_bls(struct scan_token **token, int scan_size)
if (!(stat(blsdir, &sb) == 0 && S_ISDIR(sb.st_mode)))
return 0;
- n = bls_scandir(&bls_entries);
+ n = scandir(blsdir, &bls_entries, bls_filter, bls_sort);
if (n <= 0)
return n;
--
2.36.1
From 661f143bb0b429c732d0ad9756c745dcb8799bc7 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Mon, 20 Jun 2022 17:46:59 +0200
Subject: [PATCH 2/2] blscfg: sort like rpm nvr, not like a single version
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Peter Jones <pjones@redhat.com>
Signed-off-by: Dan Horák <dan@danny.cz>
---
zipl/src/Makefile | 2 +-
zipl/src/scan.c | 96 ++++++++++++++++++++++++++++++++++++++++++++++-
2 files changed, 95 insertions(+), 3 deletions(-)
diff --git a/zipl/src/Makefile b/zipl/src/Makefile
index 786bb7f..1adc486 100644
--- a/zipl/src/Makefile
+++ b/zipl/src/Makefile
@@ -7,7 +7,7 @@ ALL_CPPFLAGS += -I../include -I../boot \
-D_FILE_OFFSET_BITS=64 $(NO_PIE_CFLAGS)
ALL_LDFLAGS += -Wl,-z,noexecstack $(NO_PIE_LDFLAGS)
@ -10,10 +225,11 @@ diff -up s390-tools-2.9.0/zipl/src/Makefile.blscfg-rpm-nvr-sort s390-tools-2.9.0
objects = misc.o error.o scan.o job.o boot.o bootmap.o fs-map.o disk.o \
bootmap_header.o envblk.o install.o zipl.o $(rootdir)/zipl/boot/data.o
diff -up s390-tools-2.9.0/zipl/src/scan.c.blscfg-rpm-nvr-sort s390-tools-2.9.0/zipl/src/scan.c
--- s390-tools-2.9.0/zipl/src/scan.c.blscfg-rpm-nvr-sort 2019-05-21 09:13:36.000000000 -0400
+++ s390-tools-2.9.0/zipl/src/scan.c 2019-05-22 08:16:17.317273801 -0400
@@ -33,6 +33,8 @@
diff --git a/zipl/src/scan.c b/zipl/src/scan.c
index 9352f76..3327e2d 100644
--- a/zipl/src/scan.c
+++ b/zipl/src/scan.c
@@ -35,6 +35,8 @@
#include "lib/util_base.h"
@ -22,7 +238,7 @@ diff -up s390-tools-2.9.0/zipl/src/scan.c.blscfg-rpm-nvr-sort s390-tools-2.9.0/z
#include "boot.h"
#include "error.h"
#include "misc.h"
@@ -653,13 +655,103 @@ bls_filter(const struct dirent *ent)
@@ -655,13 +657,103 @@ bls_filter(const struct dirent *ent)
return strncmp(ent->d_name + offset, ".conf", strlen(".conf")) == 0;
}
@ -128,3 +344,6 @@ diff -up s390-tools-2.9.0/zipl/src/scan.c.blscfg-rpm-nvr-sort s390-tools-2.9.0/z
static int
scan_append_section_heading(struct scan_token* scan, int* index, char* name);
--
2.36.1

View File

@ -61,10 +61,10 @@ index 871935c783f..d8d5eca5867 100755
;;
--)
shift
diff --git a/scripts/zipl-switch-to-blscfg.1 b/scripts/zipl-switch-to-blscfg.1
diff --git a/scripts/zipl-switch-to-blscfg.8 b/scripts/zipl-switch-to-blscfg.8
index 6bd14d00d14..71b904ffd1c 100644
--- a/scripts/zipl-switch-to-blscfg.1
+++ b/scripts/zipl-switch-to-blscfg.1
--- a/scripts/zipl-switch-to-blscfg.8
+++ b/scripts/zipl-switch-to-blscfg.8
@@ -37,9 +37,9 @@ The DIRECTORY where the BLS fragments will be generated. The directory is create
The FILE used for zipl configuration file, defaults to /etc/zipl.conf.

View File

@ -1,547 +0,0 @@
From 55e2f3991a8f55d49d7e381dbd8d3fe347c3fc9e Mon Sep 17 00:00:00 2001
From: Marc Hartmayer <mhartmay@linux.ibm.com>
Date: Thu, 31 Mar 2022 14:00:31 +0000
Subject: [PATCH 1/5] genprotimg: remove DigiCert root CA pinning
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Remove the DigiCert root CA pinning. The root CA used for the chain of trust can
change in the future therefore let's remove this check. If someone wants to
enforce the usage of a specific root CA it can be selected by the genprotimg
command line option `--root-ca $CA`. Make it transparent to the user which root
CA is actually being used by printing the subject name of the root CA to stdout
in verbose mode.
Signed-off-by: Marc Hartmayer <mhartmay@linux.ibm.com>
Acked-by: Viktor Mihajlovski <mihajlov@linux.ibm.com>
Reviewed-and-tested-by: Nico Boehr <nrb@linux.ibm.com>
Signed-off-by: Jan Höppner <hoeppner@linux.ibm.com>
(cherry picked from commit 78b053326c504c0535b5ec1c244ad7bb5a1df29d)
---
genprotimg/man/genprotimg.8 | 2 +-
genprotimg/src/include/pv_crypto_def.h | 3 --
genprotimg/src/pv/pv_args.c | 2 +-
genprotimg/src/pv/pv_image.c | 27 ++++++---------
genprotimg/src/utils/crypto.c | 48 +++++++++++---------------
genprotimg/src/utils/crypto.h | 4 +--
6 files changed, 35 insertions(+), 51 deletions(-)
diff --git a/genprotimg/man/genprotimg.8 b/genprotimg/man/genprotimg.8
index 8a481c4..6f14052 100644
--- a/genprotimg/man/genprotimg.8
+++ b/genprotimg/man/genprotimg.8
@@ -87,7 +87,7 @@ CRLs. Optional.
.TP
\fB\-\-root\-ca\fR=\fI\,FILE\/\fR
Specifies the root CA certificate for the verification. If omitted,
-the DigiCert root CA certificate installed on the system is used. Use
+the system wide root CAs installed on the system is used. Use
this only if you trust the specified certificate. Optional.
.TP
\fB\-\-no-verify\fR
diff --git a/genprotimg/src/include/pv_crypto_def.h b/genprotimg/src/include/pv_crypto_def.h
index 53984a3..3635433 100644
--- a/genprotimg/src/include/pv_crypto_def.h
+++ b/genprotimg/src/include/pv_crypto_def.h
@@ -29,9 +29,6 @@
*/
#define PV_CERTS_SECURITY_LEVEL 2
-/* SKID for DigiCert Assured ID Root CA */
-#define DIGICERT_ASSURED_ID_ROOT_CA_SKID "45EBA2AFF492CB82312D518BA7A7219DF36DC80F"
-
union ecdh_pub_key {
struct {
uint8_t x[80];
diff --git a/genprotimg/src/pv/pv_args.c b/genprotimg/src/pv/pv_args.c
index e644ae7..bcc3784 100644
--- a/genprotimg/src/pv/pv_args.c
+++ b/genprotimg/src/pv/pv_args.c
@@ -111,7 +111,7 @@ static gint pv_args_validate_options(PvArgs *args, GError **err)
g_strv_length(args->untrusted_cert_paths) == 0)) {
g_set_error(
err, PV_PARSE_ERROR, PR_PARSE_ERROR_MISSING_ARGUMENT,
- _("Either specify the IBM Z signing key and (DigiCert) intermediate CA certificate\n"
+ _("Either specify the IBM Z signing key and intermediate CA certificate\n"
"by using the '--cert' option, or use the '--no-verify' flag to disable the\n"
"host-key document verification completely (at your own risk)."));
return -1;
diff --git a/genprotimg/src/pv/pv_image.c b/genprotimg/src/pv/pv_image.c
index 7359240..a5f07b8 100644
--- a/genprotimg/src/pv/pv_image.c
+++ b/genprotimg/src/pv/pv_image.c
@@ -304,9 +304,10 @@ static gint pv_img_hostkey_verify(GSList *host_key_certs,
}
/* Load all untrusted certificates (e.g. IBM Z signing key and
- * DigiCert intermediate CA) that are required to establish a chain of
- * trust starting from the host-key document up to the root CA (if not
- * otherwise specified that's the DigiCert Assured ID Root CA).
+ * intermediate CA) that are required to establish a chain of trust
+ * starting from the host-key document up to the root CA (if not
+ * otherwise specified that can be one of the system wide installed
+ * root CAs, e.g. DigiCert).
*/
untrusted_certs_with_path = load_certificates(untrusted_cert_paths, err);
if (!untrusted_certs_with_path)
@@ -341,9 +342,8 @@ static gint pv_img_hostkey_verify(GSList *host_key_certs,
* For this we must check:
*
* 1. Can a chain of trust be established ending in a root CA
- * 2. Is the correct root CA ued? It has either to be the
- * 'DigiCert Assured ID Root CA' or the root CA specified via
- * command line.
+ * 2. Is the correct root CA used? It has either to be a system CA
+ * or the root CA specified via command line.
*/
for (gint i = 0; i < sk_X509_num(ibm_signing_certs); ++i) {
X509 *ibm_signing_cert = sk_X509_value(ibm_signing_certs, i);
@@ -364,17 +364,12 @@ static gint pv_img_hostkey_verify(GSList *host_key_certs,
if (verify_cert(ibm_signing_cert, ctx, err) < 0)
goto error;
- /* Verify the build chain of trust chain. If the user passes a
- * trusted root CA on the command line then the check for the
- * Subject Key Identifier (SKID) is skipped, otherwise let's
- * check if the SKID meets our expectation.
+ /* If there is a chain of trust using either the provided root
+ * CA on the command line or a system wide trusted root CA.
*/
- if (!root_ca_path &&
- check_chain_parameters(X509_STORE_CTX_get0_chain(ctx),
- get_digicert_assured_id_root_ca_skid(),
- err) < 0) {
+ if (check_chain_parameters(X509_STORE_CTX_get0_chain(ctx),
+ err) < 0)
goto error;
- }
ibm_signing_crls = store_ctx_find_valid_crls(ctx, ibm_signing_cert, err);
if (!ibm_signing_crls) {
@@ -588,7 +583,7 @@ PvImage *pv_img_new(PvArgs *args, const gchar *stage3a_path, GError **err)
g_warning(_("host-key document verification is disabled. Your workload is not secured."));
if (args->root_ca_path)
- g_warning(_("A different root CA than the default DigiCert root CA is selected. Ensure that this root CA is trusted."));
+ g_warning(_("The root CA is selected through the command line. Ensure that this root CA is trusted."));
ret->comps = pv_img_comps_new(EVP_sha512(), EVP_sha512(), EVP_sha512(), err);
if (!ret->comps)
diff --git a/genprotimg/src/utils/crypto.c b/genprotimg/src/utils/crypto.c
index 087de37..9d1fdb0 100644
--- a/genprotimg/src/utils/crypto.c
+++ b/genprotimg/src/utils/crypto.c
@@ -1079,8 +1079,8 @@ int store_set_verify_param(X509_STORE *store, GError **err)
g_abort();
/* The maximum depth level of the chain of trust for the verification of
- * the IBM Z signing key is 2, i.e. IBM Z signing key -> (DigiCert)
- * intermediate CA -> (DigiCert) root CA
+ * the IBM Z signing key is 2, i.e. IBM Z signing key -> intermediate CA
+ * -> root CA
*/
X509_VERIFY_PARAM_set_depth(param, 2);
@@ -1267,46 +1267,38 @@ static int security_level_to_bits(int level)
return security_bits[level];
}
-static ASN1_OCTET_STRING *digicert_assured_id_root_ca;
-
-const ASN1_OCTET_STRING *get_digicert_assured_id_root_ca_skid(void)
-{
- pv_crypto_init();
- return digicert_assured_id_root_ca;
-}
-
/* Used for the caching of the downloaded CRLs */
static GHashTable *cached_crls;
void pv_crypto_init(void)
{
- if (digicert_assured_id_root_ca)
+ if (cached_crls)
return;
-
cached_crls = g_hash_table_new_full(g_str_hash, g_str_equal, g_free,
(GDestroyNotify)X509_CRL_free);
- digicert_assured_id_root_ca = s2i_ASN1_OCTET_STRING(
- NULL, NULL, DIGICERT_ASSURED_ID_ROOT_CA_SKID);
}
void pv_crypto_cleanup(void)
{
- if (!digicert_assured_id_root_ca)
+ if (!cached_crls)
return;
g_clear_pointer(&cached_crls, g_hash_table_destroy);
- g_clear_pointer(&digicert_assured_id_root_ca, ASN1_OCTET_STRING_free);
}
gint check_chain_parameters(const STACK_OF_X509 *chain,
- const ASN1_OCTET_STRING *skid, GError **err)
+ GError **err)
{
- const ASN1_OCTET_STRING *ca_skid = NULL;
+ const X509_NAME *ca_x509_subject = NULL;
+ g_autofree gchar *ca_subject = NULL;
gint len = sk_X509_num(chain);
X509 *ca = NULL;
- g_assert(skid);
/* at least one root and one leaf certificate must be defined */
- g_assert(len >= 2);
+ if (len < 2) {
+ g_set_error(err, PV_CRYPTO_ERROR, PV_CRYPTO_ERROR_INTERNAL,
+ _("there must be at least on root and one leaf certificate in the chain of trust"));
+ return -1;
+ }
/* get the root certificate of the chain of trust */
ca = sk_X509_value(chain, len - 1);
@@ -1316,19 +1308,21 @@ gint check_chain_parameters(const STACK_OF_X509 *chain,
return -1;
}
- ca_skid = X509_get0_subject_key_id(ca);
- if (!ca_skid) {
- g_set_error(err, PV_CRYPTO_ERROR, PV_CRYPTO_ERROR_MALFORMED_ROOT_CA,
- _("malformed root certificate"));
+ ca_x509_subject = X509_get_subject_name(ca);
+ if (!ca_x509_subject) {
+ g_set_error(err, PV_CRYPTO_ERROR, PV_CRYPTO_ERROR_INTERNAL,
+ _("subject of the root CA cannot be retrieved"));
return -1;
}
- if (ASN1_STRING_cmp(ca_skid, skid) != 0) {
- g_set_error(err, PV_CRYPTO_ERROR, PV_CRYPTO_ERROR_WRONG_CA_USED,
- _("expecting DigiCert root CA to be used"));
+ ca_subject = X509_NAME_oneline(ca_x509_subject, NULL, 0);
+ if (!ca_subject) {
+ g_set_error(err, PV_CRYPTO_ERROR, PV_CRYPTO_ERROR_INTERNAL,
+ _("subject name of the root CA cannot be retrieved"));
return -1;
}
+ g_info("Root CA used: '%s'", ca_subject);
return 0;
}
diff --git a/genprotimg/src/utils/crypto.h b/genprotimg/src/utils/crypto.h
index 3cda450..fdf66de 100644
--- a/genprotimg/src/utils/crypto.h
+++ b/genprotimg/src/utils/crypto.h
@@ -125,7 +125,6 @@ int check_crl_valid_for_cert(X509_CRL *crl, X509 *cert,
gint verify_flags, GError **err);
void pv_crypto_init(void);
void pv_crypto_cleanup(void);
-const ASN1_OCTET_STRING *get_digicert_assured_id_root_ca_skid(void);
gint verify_host_key(X509 *host_key, GSList *issuer_pairs,
gint verify_flags, int level, GError **err);
X509 *load_cert_from_file(const char *path, GError **err);
@@ -138,8 +137,7 @@ X509_STORE *store_setup(const gchar *root_ca_path,
int store_set_verify_param(X509_STORE *store, GError **err);
X509_CRL *load_crl_by_cert(X509 *cert, GError **err);
STACK_OF_X509_CRL *try_load_crls_by_certs(GSList *certs_with_path);
-gint check_chain_parameters(const STACK_OF_X509 *chain,
- const ASN1_OCTET_STRING *skid, GError **err);
+gint check_chain_parameters(const STACK_OF_X509 *chain, GError **err);
X509_NAME *c2b_name(const X509_NAME *name);
STACK_OF_X509 *delete_ibm_signing_certs(STACK_OF_X509 *certs);
--
2.37.1
From 666cd637519efad9b9c4ca68a5d99b86e92d48ff Mon Sep 17 00:00:00 2001
From: Viktor Mihajlovski <mihajlov@linux.ibm.com>
Date: Tue, 15 Mar 2022 12:55:02 +0100
Subject: [PATCH 2/5] genprotimg/check_hostkeydoc: relax default issuer check
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
While the original default issuer's organizationalUnitName (OU)
was defined as "IBM Z Host Key Signing Service", any OU ending
with "Key Signing Service" is considered legal.
Let's relax the default issuer check by stripping off characters
preceding "Key Signing Service".
Signed-off-by: Viktor Mihajlovski <mihajlov@linux.ibm.com>
Reviewed-by: Marc Hartmayer <mhartmay@linux.ibm.com>
Signed-off-by: Jan Höppner <hoeppner@linux.ibm.com>
(cherry picked from commit 673ff375d939d3cde674f8f99a62d456f8b1673d)
---
genprotimg/samples/check_hostkeydoc | 20 ++++++++++++++++----
1 file changed, 16 insertions(+), 4 deletions(-)
diff --git a/genprotimg/samples/check_hostkeydoc b/genprotimg/samples/check_hostkeydoc
index a96576f..6a83739 100755
--- a/genprotimg/samples/check_hostkeydoc
+++ b/genprotimg/samples/check_hostkeydoc
@@ -23,6 +23,7 @@ BODY_FILE=$(mktemp)
ISSUER_DN_FILE=$(mktemp)
SUBJECT_DN_FILE=$(mktemp)
DEF_ISSUER_DN_FILE=$(mktemp)
+CANONICAL_ISSUER_DN_FILE=$(mktemp)
CRL_SERIAL_FILE=$(mktemp)
# Cleanup on exit
@@ -30,7 +31,7 @@ cleanup()
{
rm -f $ISSUER_PUBKEY_FILE $SIGNATURE_FILE $BODY_FILE \
$ISSUER_DN_FILE $SUBJECT_DN_FILE $DEF_ISSUER_DN_FILE \
- $CRL_SERIAL_FILE
+ $CANONICAL_ISSUER_DN_FILE $CRL_SERIAL_FILE
}
trap cleanup EXIT
@@ -121,20 +122,31 @@ default_issuer()
commonName = International Business Machines Corporation
countryName = US
localityName = Poughkeepsie
- organizationalUnitName = IBM Z Host Key Signing Service
+ organizationalUnitName = Key Signing Service
organizationName = International Business Machines Corporation
stateOrProvinceName = New York
EOF
}
-verify_issuer_files()
+# As organizationalUnitName can have an arbitrary prefix but must
+# end with "Key Signing Service" let's normalize the OU name by
+# stripping off the prefix
+verify_default_issuer()
{
default_issuer > $DEF_ISSUER_DN_FILE
- if ! diff $ISSUER_DN_FILE $DEF_ISSUER_DN_FILE
+ sed "s/\(^[ ]*organizationalUnitName[ ]*=[ ]*\).*\(Key Signing Service$\)/\1\2/" \
+ $ISSUER_DN_FILE > $CANONICAL_ISSUER_DN_FILE
+
+ if ! diff $CANONICAL_ISSUER_DN_FILE $DEF_ISSUER_DN_FILE
then
echo Incorrect default issuer >&2 && exit 1
fi
+}
+
+verify_issuer_files()
+{
+ verify_default_issuer
if diff $ISSUER_DN_FILE $SUBJECT_DN_FILE
then
--
2.37.1
From b4dc45d6f3fff7c57fd5a97cdab357a842ef021e Mon Sep 17 00:00:00 2001
From: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Mon, 4 Apr 2022 16:38:41 +0200
Subject: [PATCH 3/5] libseckey: Fix re-enciphering of EP11 secure key
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The re-enciphering of EP11 asymmetric secure keys does not work.
First, the result of the re-encipher operation of the private key
part must be copied back into the user supplied key token buffer.
Second, the public key part, i.e. the MACed SubjectPublicKeyInfo
(SPKI) structure must also be re-enciphered (i.e. re-MACed), since
the MAC is calculated with the EP11 master key.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
Signed-off-by: Jan Höppner <hoeppner@linux.ibm.com>
(cherry picked from commit 4e2ebe0370d9fb036b7554d5ac5df4418dbe0397)
---
libseckey/sk_ep11.c | 53 +++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 53 insertions(+)
diff --git a/libseckey/sk_ep11.c b/libseckey/sk_ep11.c
index b867626..e3bd3c9 100644
--- a/libseckey/sk_ep11.c
+++ b/libseckey/sk_ep11.c
@@ -1549,6 +1549,59 @@ int SK_EP11_reencipher_key(const struct sk_ext_ep11_lib *ep11_lib,
return -EIO;
}
+ memcpy(blob, lrb.payload, lrb.pllen);
+
+ /* re-encipher MACed SPKI */
+ rb.domain = domain;
+ lrb.domain = domain;
+
+ resp_len = sizeof(resp);
+ req_len = ep11.dll_xcpa_cmdblock(req, sizeof(req), XCP_ADM_REENCRYPT,
+ &rb, NULL, key_token + hdr->len,
+ key_token_length - hdr->len);
+ if (req_len < 0) {
+ sk_debug(debug, "Failed to build XCP command block");
+ return -EIO;
+ }
+
+ rv = ep11.dll_m_admin(resp, &resp_len, NULL, NULL, req, req_len, NULL,
+ 0, ep11_lib->target);
+ if (rv != CKR_OK || resp_len == 0) {
+ sk_debug(debug, "Command XCP_ADM_REENCRYPT failed. "
+ "rc = 0x%lx, resp_len = %ld", rv, resp_len);
+ return -EIO;
+ }
+
+ rc = ep11.dll_xcpa_internal_rv(resp, resp_len, &lrb, &rv);
+ if (rc != 0) {
+ sk_debug(debug, "Failed to parse response. rc = %d", rc);
+ return -EIO;
+ }
+
+ if (rv != CKR_OK) {
+ sk_debug(debug, "Failed to re-encrypt the EP11 secure key. "
+ "rc = 0x%lx", rv);
+ switch (rv) {
+ case CKR_IBM_WKID_MISMATCH:
+ sk_debug(debug, "The EP11 secure key is currently "
+ "encrypted under a different master that does "
+ "not match the master key in the CURRENT "
+ "master key register of APQN %02X.%04X",
+ card, domain);
+ break;
+ }
+ return -EIO;
+ }
+
+ if (key_token_length - hdr->len != lrb.pllen) {
+ sk_debug(debug, "Re-encrypted EP11 secure key size has "
+ "changed: org-len: %lu, new-len: %lu",
+ hdr->len - sizeof(*hdr), lrb.pllen);
+ return -EIO;
+ }
+
+ memcpy(key_token + hdr->len, lrb.payload, lrb.pllen);
+
return 0;
}
--
2.37.1
From bf4d971adb286fc42f6f5bcb45b6fb484eb9519b Mon Sep 17 00:00:00 2001
From: Mete Durlu <meted@linux.ibm.com>
Date: Fri, 10 Jun 2022 10:13:33 +0200
Subject: [PATCH 4/5] hyptop: increase initial update interval
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Increase initial update interval from 200ms to 1 seconds to avoid
fluctuations on the initial data output.
Signed-off-by: Mete Durlu <meted@linux.ibm.com>
Signed-off-by: Jan Höppner <hoeppner@linux.ibm.com>
(cherry picked from commit 80e54ac888d6232d99a485c74071fc2173f3dfbf)
---
hyptop/sd.h | 2 +-
hyptop/sd_core.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/hyptop/sd.h b/hyptop/sd.h
index 9ba3192..1aed707 100644
--- a/hyptop/sd.h
+++ b/hyptop/sd.h
@@ -17,7 +17,7 @@
#include "helper.h"
#include "table.h"
-#define SD_DG_INIT_INTERVAL_MS 200
+#define SD_DG_INIT_INTERVAL_SEC 1
#define SD_SYS_ID_SIZE 9
/*
diff --git a/hyptop/sd_core.c b/hyptop/sd_core.c
index f1cb631..47b5b59 100644
--- a/hyptop/sd_core.c
+++ b/hyptop/sd_core.c
@@ -150,7 +150,7 @@ void sd_update(void)
*/
void sd_dg_register(struct sd_dg *dg, int has_core_data)
{
- struct timespec ts = {0, SD_DG_INIT_INTERVAL_MS * 1000000};
+ struct timespec ts = {SD_DG_INIT_INTERVAL_SEC, 0};
struct sd_sys_item *sys_item;
struct sd_cpu_item *cpu_item;
unsigned int i;
--
2.37.1
From 0c7fa7ed53e0187ea9d89f05299f17378daf046e Mon Sep 17 00:00:00 2001
From: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Thu, 12 May 2022 11:06:16 +0200
Subject: [PATCH 5/5] libseckey: Adapt keymgmt_match() implementation to
OpenSSL
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
OpenSSL commit ee22a3741e3fc27c981e7f7e9bcb8d3342b0c65a changed the
OpenSSL provider's keymgmt_match() function to be not so strict with
the selector bits in regards to matching different key parts.
Adapt the secure key provider's match function accordingly.
This means, that if the public key is selected to be matched, and
the public key matches (together with any also selected parameters),
then the private key is no longer checked, although it may also be
selected to be matched. This is according to how the OpenSSL function
EVP_PKEY_eq() is supposed to behave.
OpenSSL function SSL_CTX_use_PrivateKey() calls the providers match
function to check if the private key specified matches the public key
of the certificate using EVP_PKEY_eq(). EVP_PKEY_eq() includes the
private key into the selector bits here, although the certificate
only contains the public key part.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
Signed-off-by: Jan Höppner <hoeppner@linux.ibm.com>
(cherry picked from commit 6c5c5f7e558c114ddaa475e96c9ec708049aa423)
---
libseckey/sk_provider.c | 18 ++++++++++++++----
1 file changed, 14 insertions(+), 4 deletions(-)
diff --git a/libseckey/sk_provider.c b/libseckey/sk_provider.c
index 10f56c0..0abe99d 100644
--- a/libseckey/sk_provider.c
+++ b/libseckey/sk_provider.c
@@ -2216,13 +2216,23 @@ static int sk_prov_keymgmt_match(const struct sk_prov_key *key1,
if (key1->type != key2->type)
return 0;
+
+ if (selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) {
+ /* match everything except private key */
+ return default_match_fn(key1->default_key, key2->default_key,
+ selection &
+ (~OSSL_KEYMGMT_SELECT_PRIVATE_KEY));
+ }
+
if (selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) {
if (key1->secure_key_size != key2->secure_key_size)
return 0;
- if (key1->secure_key_size > 0 &&
- memcmp(key1->secure_key, key2->secure_key,
- key1->secure_key_size) != 0)
- return 0;
+ if (key1->secure_key_size > 0) {
+ if (memcmp(key1->secure_key, key2->secure_key,
+ key1->secure_key_size) != 0)
+ return 0;
+ selection &= (~OSSL_KEYMGMT_SELECT_PRIVATE_KEY);
+ }
}
return default_match_fn(key1->default_key, key2->default_key,
--
2.37.1

View File

@ -0,0 +1,32 @@
From 2844d07e4bba2301fef66f56574c92054bac7cac Mon Sep 17 00:00:00 2001
From: Steffen Eiden <seiden@linux.ibm.com>
Date: Mon, 25 Jul 2022 12:57:53 +0200
Subject: [PATCH] zipl: Add missing check for a nullpointer.
Fixes a bug that leads to a segmentation fault when no parmline is
provided.
Fixes: 11b401b5 ("zipl: move and make check for maximum command line length dynamic")
Signed-off-by: Steffen Eiden <seiden@linux.ibm.com>
Reviewed-by: Marc Hartmayer <mhartmay@linux.ibm.com>
Reviewed-by: Stefan Haberland <sth@linux.ibm.com>
---
zipl/src/job.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/zipl/src/job.c b/zipl/src/job.c
index ffdc297..b5bf5b2 100644
--- a/zipl/src/job.c
+++ b/zipl/src/job.c
@@ -790,7 +790,7 @@ check_common_ipl_data(struct job_common_ipl_data *common, const char *section,
if (!max_parm_size)
max_parm_size = LEGACY_MAXIMUM_PARMLINE_SIZE;
- len = strlen(common->parmline);
+ len = common->parmline ? strlen(common->parmline) : 0;
if (len > max_parm_size) {
error_text("The length of the parameters line "
"(%d bytes) exceeds the allowed maximum "
--
2.37.1

View File

@ -3,10 +3,14 @@
%global signzipl 1
%endif
%if 0%{?fedora}
%global with_pandoc 1
%endif
Name: s390utils
Summary: Utilities and daemons for IBM z Systems
Version: 2.19.0
Release: 2%{?dist}.3
Version: 2.22.0
Release: 2%{?dist}
Epoch: 2
License: MIT
ExclusiveArch: s390 s390x
@ -34,7 +38,7 @@ Patch0: s390-tools-zipl-invert-script-options.patch
Patch1: s390-tools-zipl-blscfg-rpm-nvr-sort.patch
# backported fixes
Patch100: s390utils-2.19.0-rhel.patch
Patch100: s390utils-%{version}-rhel.patch
Requires: s390utils-core = %{epoch}:%{version}-%{release}
Requires: s390utils-base = %{epoch}:%{version}-%{release}
@ -64,6 +68,9 @@ be used together with the zSeries (s390) Linux kernel and device drivers.
%patch100 -p1
# drop -Werror from genprotimg to allow building with GCC 12
sed -i.bak -e 's/-Werror//g' genprotimg/src/Makefile genprotimg/boot/Makefile
# remove --strip from install
find . -name Makefile | xargs sed -i 's/$(INSTALL) -s/$(INSTALL)/g'
@ -72,6 +79,9 @@ find . -name Makefile | xargs sed -i 's/$(INSTALL) -s/$(INSTALL)/g'
make \
CFLAGS="%{build_cflags}" CXXFLAGS="%{build_cxxflags}" LDFLAGS="%{build_ldflags}" \
HAVE_DRACUT=1 \
%if 0%{?with_pandoc}
ENABLE_DOC=1 \
%endif
NO_PIE_LDFLAGS="" \
BINDIR=/usr/sbin \
UDEVRUNDIR=/run/udev \
@ -82,6 +92,9 @@ make \
%install
make install \
HAVE_DRACUT=1 \
%if 0%{?with_pandoc}
ENABLE_DOC=1 \
%endif
DESTDIR=%{buildroot} \
BINDIR=/usr/sbin \
SYSTEMDSYSTEMUNITDIR=%{_unitdir} \
@ -149,10 +162,6 @@ install -p -m 644 %{SOURCE17} %{buildroot}%{_udevrulesdir}/81-ccw.rules
# zipl.conf to be ghosted
touch %{buildroot}%{_sysconfdir}/zipl.conf
# fixups
# https://bugzilla.redhat.com/show_bug.cgi?id=2024102
chmod 755 %{buildroot}/lib/s390-tools/cpictl
%files
%doc README.md
@ -203,6 +212,7 @@ This package provides minimal set of tools needed to system to boot.
/lib/s390-tools/zdev-root-update
/lib/s390-tools/zipl.conf
%ghost %config(noreplace) %{_sysconfdir}/zipl.conf
%config(noreplace) %{_sysconfdir}/ziplenv
%{_unitdir}/cpi.service
%config(noreplace) %{_sysconfdir}/sysconfig/cpi
/usr/lib/dracut/modules.d/95zdev/
@ -267,6 +277,7 @@ BuildRequires: json-c-devel
BuildRequires: rpm-devel
BuildRequires: glib2-devel
BuildRequires: libxml2-devel
BuildRequires: liblockfile-devel
%description base
@ -444,6 +455,7 @@ getent group zkeyadm > /dev/null || groupadd -r zkeyadm
%{_sbindir}/lstape
%{_sbindir}/lszcrypt
%{_sbindir}/lszfcp
%{_sbindir}/pai
%{_sbindir}/qetharp
%{_sbindir}/qethconf
%{_sbindir}/qethqoat
@ -466,12 +478,16 @@ getent group zkeyadm > /dev/null || groupadd -r zkeyadm
%{_bindir}/dump2tar
%{_bindir}/genprotimg
%{_bindir}/mk-s390image
%{_bindir}/pvattest
%{_bindir}/pvextract-hdr
%{_bindir}/vmconvert
%{_bindir}/zkey
%{_bindir}/zkey-cryptsetup
%{_unitdir}/dumpconf.service
%ghost %config(noreplace) %{_sysconfdir}/zipl.conf
%config(noreplace) %{_sysconfdir}/sysconfig/dumpconf
%{_sysconfdir}/mdevctl.d/*
/usr/lib/dracut/modules.d/99ngdump/
/lib/s390-tools/dumpconf
/lib/s390-tools/lsznet.raw
%dir /lib/s390-tools/zfcpdump
@ -482,13 +498,13 @@ getent group zkeyadm > /dev/null || groupadd -r zkeyadm
%dir %{_libdir}/zkey
%{_libdir}/zkey/zkey-ekmfweb.so
%{_libdir}/zkey/zkey-kmip.so
%{_mandir}/man1/dbginfo.sh.1*
%{_mandir}/man1/dump2tar.1*
%{_mandir}/man1/lscpumf.1*
%{_mandir}/man1/lshwc.1*
%{_mandir}/man1/genprotimg.1*
%{_mandir}/man1/pvattest.1*
%{_mandir}/man1/pvattest-create.1*
%{_mandir}/man1/pvattest-perform.1*
%{_mandir}/man1/pvattest-verify.1*
%{_mandir}/man1/vmconvert.1*
%{_mandir}/man1/zfcpdbf.1*
%{_mandir}/man1/zipl-switch-to-blscfg.1*
%{_mandir}/man1/zkey.1*
%{_mandir}/man1/zkey-cryptsetup.1*
%{_mandir}/man1/zkey-ekmfweb.1*
@ -502,14 +518,16 @@ getent group zkeyadm > /dev/null || groupadd -r zkeyadm
%{_mandir}/man8/chzcrypt.8*
%{_mandir}/man8/dasdstat.8*
%{_mandir}/man8/dasdview.8*
%{_mandir}/man8/dbginfo.sh.8*
%{_mandir}/man8/dumpconf.8*
%{_mandir}/man8/genprotimg.8.*
%{_mandir}/man8/hsavmcore.8*
%{_mandir}/man8/hsci.8*
%{_mandir}/man8/hyptop.8*
%{_mandir}/man8/lschp.8*
%{_mandir}/man8/lscpumf.8*
%{_mandir}/man8/lscss.8*
%{_mandir}/man8/lsdasd.8*
%{_mandir}/man8/lshwc.8*
%{_mandir}/man8/lsluns.8*
%{_mandir}/man8/lsqeth.8*
%{_mandir}/man8/lsreipl.8*
@ -519,6 +537,7 @@ getent group zkeyadm > /dev/null || groupadd -r zkeyadm
%{_mandir}/man8/lstape.8*
%{_mandir}/man8/lszcrypt.8*
%{_mandir}/man8/lszfcp.8*
%{_mandir}/man8/pai.8*
%{_mandir}/man8/qetharp.8*
%{_mandir}/man8/qethconf.8*
%{_mandir}/man8/qethqoat.8*
@ -529,7 +548,9 @@ getent group zkeyadm > /dev/null || groupadd -r zkeyadm
%{_mandir}/man8/vmur.8*
%{_mandir}/man8/zcryptctl.8*
%{_mandir}/man8/zcryptstats.8*
%{_mandir}/man8/zfcpdbf.8*
%{_mandir}/man8/zgetdump.8*
%{_mandir}/man8/zipl-switch-to-blscfg.8*
%{_mandir}/man8/znetconf.8*
%{_mandir}/man8/zpcictl.8*
%dir %{_datadir}/s390-tools
@ -737,8 +758,8 @@ fi
#
%package cmsfs-fuse
Summary: CMS file system based on FUSE
BuildRequires: fuse-devel
Requires: fuse
BuildRequires: fuse3-devel
Requires: fuse3
Requires: glibc-gconv-extra
Obsoletes: %{name}-cmsfs < 2:2.7.0-3
@ -756,9 +777,9 @@ This package contains the CMS file system based on FUSE.
#
%package zdsfs
Summary: z/OS data set access based on FUSE
BuildRequires: fuse-devel
BuildRequires: fuse3-devel
BuildRequires: libcurl-devel
Requires: fuse
Requires: fuse3
%description zdsfs
This package contains the z/OS data set access based on FUSE.
@ -772,8 +793,8 @@ This package contains the z/OS data set access based on FUSE.
#
%package hmcdrvfs
Summary: HMC drive file system based on FUSE
BuildRequires: fuse-devel
Requires: fuse
BuildRequires: fuse3-devel
Requires: fuse3
%description hmcdrvfs
This package contains a HMC drive file system based on FUSE and a tool
@ -827,6 +848,9 @@ Summary: Use multipath information for re-IPL path failover
BuildRequires: make
BuildRequires: bash
BuildRequires: coreutils
%if 0%{?with_pandoc}
BuildRequires: pandoc
%endif
BuildRequires: gawk
BuildRequires: gzip
BuildRequires: sed
@ -845,6 +869,9 @@ reconfigures the FCP re-IPL settings to use an operational path.
%files chreipl-fcp-mpath
%doc chreipl-fcp-mpath/README.md
%if 0%{?with_pandoc}
%doc chreipl-fcp-mpath/README.html
%endif
%dir %{_prefix}/lib/chreipl-fcp-mpath/
%{_prefix}/lib/chreipl-fcp-mpath/*
%{_prefix}/lib/dracut/dracut.conf.d/70-chreipl-fcp-mpath.conf
@ -854,6 +881,7 @@ reconfigures the FCP re-IPL settings to use an operational path.
%{_prefix}/lib/udev/chreipl-fcp-mpath-record-volume-identifier
%{_prefix}/lib/udev/chreipl-fcp-mpath-try-change-ipl-path
%{_udevrulesdir}/70-chreipl-fcp-mpath.rules
%{_mandir}/man7/chreipl-fcp-mpath.7*
#
# *********************** devel package ***********************
@ -875,18 +903,29 @@ User-space development files for the s390/s390x architecture.
%changelog
* Wed Jul 20 2022 Dan Horák <dhorak@redhat.com> - 2:2.19.0-2.3
- zkey: KMIP plugin fails to connection to KMIP server (#2109102)
- Resolves: #2109102
* Thu Aug 04 2022 Dan Horák <dhorak@redhat.com> - 2:2.22.0-2
- zipl: Add missing check for a nullpointer (#2113884)
- Resolves: #2113884
* Tue Jul 12 2022 Dan Horák <dhorak@redhat.com> - 2:2.19.0-2.2
- hyptop: observable value fluctuations on initial iteration (#2101808)
- Resolves: #2101808
* Mon Jul 11 2022 Dan Horák <dhorak@redhat.com> - 2:2.22.0-1
- rebased to 2.22.0 (#2044205)
- add tool to persistently configure vfio-ap devices (#1870699)
- NVMe stand-alone dump support (#1878081)
- zipl: Site-aware environment block (#2044199)
- KVM: Secure Execution Attestation Userspace Tool (#2044203)
- Add new CPU-MF Counters for IBM z16 Hardware (#2047722)
- Resolves: #2044205 #1870699 #1878081 #2044199 #2044203 #2047722
* Tue May 03 2022 Dan Horák <dhorak@redhat.com> - 2:2.19.0-2.1
- genprotimg: certificate verification is too strict (#2081271)
- zkey: fix re-enciphering of EP11 identity key of KMIP plugin (#2081272)
- Resolves: #2081271 #2081272
* Tue Apr 26 2022 Dan Horák <dhorak@redhat.com> - 2:2.21.0-1
- rebased to 2.21.0 (#2044205)
- cpictl: Suppress messages for unwritable sysfs files (#1985745)
- KVM: Secure Execution guest dump encryption with customer keys (#2044204)
- KVM: Allow long kernel command lines for Secure Execution guests (#2044197)
- zcrypt DD: Exploitation Support of new IBM Z Crypto Hardware (#2044206)
- Long Kernel Commmand Line for s390x (#2060826)
- zcryptctl support for control domains (#2076920)
- Add additional information to SCLP CPI (#2046680)
- Resolves: #2044205 #1985745 #2044204 #2044197 #2044206 #2060826 #2076920 #2046680
* Tue Dec 14 2021 Dan Horák <dan[at]danny.cz> - 2:2.19.0-2
- update ccw udev rules for synthetic events (#2027357)