diff --git a/.gitignore b/.gitignore index 9c1cd55..35f0cd5 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/s390-tools-2.19.0.tar.gz +SOURCES/s390-tools-2.22.0.tar.gz diff --git a/.s390utils.metadata b/.s390utils.metadata index d3afc55..9162b5d 100644 --- a/.s390utils.metadata +++ b/.s390utils.metadata @@ -1 +1 @@ -5b4eeed3868297ca65b7d5720484786172dc11d1 SOURCES/s390-tools-2.19.0.tar.gz +7023dd992d5cb418cb522a62c6f8550bf3d4ec37 SOURCES/s390-tools-2.22.0.tar.gz diff --git a/SOURCES/s390-tools-zipl-blscfg-rpm-nvr-sort.patch b/SOURCES/s390-tools-zipl-blscfg-rpm-nvr-sort.patch index 2278c3f..90866f8 100644 --- a/SOURCES/s390-tools-zipl-blscfg-rpm-nvr-sort.patch +++ b/SOURCES/s390-tools-zipl-blscfg-rpm-nvr-sort.patch @@ -1,6 +1,221 @@ -diff -up s390-tools-2.9.0/zipl/src/Makefile.blscfg-rpm-nvr-sort s390-tools-2.9.0/zipl/src/Makefile ---- s390-tools-2.9.0/zipl/src/Makefile.blscfg-rpm-nvr-sort 2019-05-22 08:16:17.317273801 -0400 -+++ s390-tools-2.9.0/zipl/src/Makefile 2019-05-22 08:18:02.947273801 -0400 +From 14119148dabb7f4f633623c00eece44c5771db10 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Dan=20Hor=C3=A1k?= +Date: Mon, 20 Jun 2022 17:43:05 +0200 +Subject: [PATCH 1/2] Revert "zipl/src: Implement sorting bls entries by + versions" + +This reverts commit a0dba6bfdb50ff373fa710ffe2a307cc0748f18b. +--- + zipl/src/scan.c | 139 ++---------------------------------------------- + 1 file changed, 3 insertions(+), 136 deletions(-) + +diff --git a/zipl/src/scan.c b/zipl/src/scan.c +index 0cea1d4..9352f76 100644 +--- a/zipl/src/scan.c ++++ b/zipl/src/scan.c +@@ -10,7 +10,6 @@ + * + */ + +-static const char *VERSION_KEYWORD = "version"; + + /* Need ISOC99 function isblank() in ctype.h */ + #ifndef __USE_ISOC99 +@@ -646,7 +645,7 @@ scan_file(const char* filename, struct scan_token** token) + + + static int +-bls_filter_by_names(const struct dirent *ent) ++bls_filter(const struct dirent *ent) + { + int offset = strlen(ent->d_name) - strlen(".conf"); + +@@ -656,111 +655,13 @@ bls_filter_by_names(const struct dirent *ent) + return strncmp(ent->d_name + offset, ".conf", strlen(".conf")) == 0; + } + +-struct version { +- char *line; /* pointer to a line with version keyword */ +- int offset; /* offset of version value in the line */ +-}; +- +-/* +- * Locate version in bls file represented by ENT +- */ +-static void get_version(const struct dirent *ent, struct version *v) +-{ +- char *line = NULL; +- size_t len = 0; +- char *d_name; +- FILE *stream; +- ssize_t read; +- +- memset(v, 0, sizeof(*v)); +- d_name = misc_make_path((char *)blsdir, (char *)ent->d_name); +- if (!d_name) +- return; +- +- stream = fopen(d_name, "r"); +- free(d_name); +- if (!stream) +- return; +- +- while ((read = getline(&line, &len, stream)) != -1) { +- if (line[read - 1] == '\n') { +- line[read - 1] = '\0'; +- read--; +- } +- if ((size_t)read <= strlen(VERSION_KEYWORD) + 1) +- continue; +- if (strcmp(VERSION_KEYWORD, line) > 0) +- continue; +- if (!isblank(line[strlen(VERSION_KEYWORD)])) +- continue; +- /* skip blanks */ +- v->offset = strlen(VERSION_KEYWORD) + 1; +- while (v->offset < read - 1 && isblank(line[v->offset])) +- v->offset++; +- if (isblank(line[v->offset])) +- /* +- * all characters after the keyword +- * are blanks. Invalid version +- */ +- continue; +- v->line = line; +- fclose(stream); +- return; +- } +- free(line); +- fclose(stream); +-} +- +-static void put_version(struct version *v) +-{ +- free(v->line); +-} +- +-/** +- * Check version in bls file represented by ENT. +- * Return 1 if version is valid. Otherwise return 0 +- */ +-static int bls_filter_by_versions(const struct dirent *ent) +-{ +- struct version v; +- +- if (bls_filter_by_names(ent) == 0) +- return 0; +- +- get_version(ent, &v); +- if (v.line) { +- put_version(&v); +- return 1; +- } +- return 0; +-} +- + + static int +-bls_sort_by_names(const struct dirent **ent_a, const struct dirent **ent_b) ++bls_sort(const struct dirent **ent_a, const struct dirent **ent_b) + { + return strverscmp((*ent_a)->d_name, (*ent_b)->d_name); + } + +-static int +-bls_sort_by_versions(const struct dirent **ent_a, const struct dirent **ent_b) +-{ +- struct version v1, v2; +- int ret; +- +- get_version(*ent_a, &v1); +- get_version(*ent_b, &v2); +- /* +- * Both versions are valid. +- * It is guaranteed by bls_filter_by_versions() +- */ +- ret = strverscmp(v1.line + v1.offset, v2.line + v2.offset); +- +- put_version(&v1); +- put_version(&v2); +- +- return ret; +-} + + static int + scan_append_section_heading(struct scan_token* scan, int* index, char* name); +@@ -1110,40 +1011,6 @@ scan_count_target_keywords(char* keyword[]) + return num; + } + +-static int bls_scandir(struct dirent ***bls_entries) +-{ +- struct dirent **entries1; +- struct dirent **entries2; +- int n1, n2; +- +- /* arrange by names */ +- n1 = scandir(blsdir, &entries1, +- bls_filter_by_names, bls_sort_by_names); +- if (n1 <= 0) +- return n1; +- /* arrange by versions */ +- n2 = scandir(blsdir, &entries2, +- bls_filter_by_versions, bls_sort_by_versions); +- +- if (n2 <= 0 || n2 < n1) { +- /* +- * failed to sort by versions, +- * fall back to sorting by filenames +- */ +- *bls_entries = entries1; +- while (n2--) +- free(entries2[n2]); +- free(entries2); +- return n1; +- } +- /* use arrangement by versions */ +- *bls_entries = entries2; +- while (n1--) +- free(entries1[n1]); +- free(entries1); +- return n2; +-} +- + int + scan_check_target_data(char* keyword[], int* line) + { +@@ -1464,7 +1331,7 @@ int scan_bls(struct scan_token **token, int scan_size) + if (!(stat(blsdir, &sb) == 0 && S_ISDIR(sb.st_mode))) + return 0; + +- n = bls_scandir(&bls_entries); ++ n = scandir(blsdir, &bls_entries, bls_filter, bls_sort); + if (n <= 0) + return n; + +-- +2.36.1 + + +From 661f143bb0b429c732d0ad9756c745dcb8799bc7 Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Mon, 20 Jun 2022 17:46:59 +0200 +Subject: [PATCH 2/2] blscfg: sort like rpm nvr, not like a single version +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Signed-off-by: Peter Jones +Signed-off-by: Dan Horák +--- + zipl/src/Makefile | 2 +- + zipl/src/scan.c | 96 ++++++++++++++++++++++++++++++++++++++++++++++- + 2 files changed, 95 insertions(+), 3 deletions(-) + +diff --git a/zipl/src/Makefile b/zipl/src/Makefile +index 786bb7f..1adc486 100644 +--- a/zipl/src/Makefile ++++ b/zipl/src/Makefile @@ -7,7 +7,7 @@ ALL_CPPFLAGS += -I../include -I../boot \ -D_FILE_OFFSET_BITS=64 $(NO_PIE_CFLAGS) ALL_LDFLAGS += -Wl,-z,noexecstack $(NO_PIE_LDFLAGS) @@ -10,10 +225,11 @@ diff -up s390-tools-2.9.0/zipl/src/Makefile.blscfg-rpm-nvr-sort s390-tools-2.9.0 objects = misc.o error.o scan.o job.o boot.o bootmap.o fs-map.o disk.o \ bootmap_header.o envblk.o install.o zipl.o $(rootdir)/zipl/boot/data.o -diff -up s390-tools-2.9.0/zipl/src/scan.c.blscfg-rpm-nvr-sort s390-tools-2.9.0/zipl/src/scan.c ---- s390-tools-2.9.0/zipl/src/scan.c.blscfg-rpm-nvr-sort 2019-05-21 09:13:36.000000000 -0400 -+++ s390-tools-2.9.0/zipl/src/scan.c 2019-05-22 08:16:17.317273801 -0400 -@@ -33,6 +33,8 @@ +diff --git a/zipl/src/scan.c b/zipl/src/scan.c +index 9352f76..3327e2d 100644 +--- a/zipl/src/scan.c ++++ b/zipl/src/scan.c +@@ -35,6 +35,8 @@ #include "lib/util_base.h" @@ -22,7 +238,7 @@ diff -up s390-tools-2.9.0/zipl/src/scan.c.blscfg-rpm-nvr-sort s390-tools-2.9.0/z #include "boot.h" #include "error.h" #include "misc.h" -@@ -653,13 +655,103 @@ bls_filter(const struct dirent *ent) +@@ -655,13 +657,103 @@ bls_filter(const struct dirent *ent) return strncmp(ent->d_name + offset, ".conf", strlen(".conf")) == 0; } @@ -128,3 +344,6 @@ diff -up s390-tools-2.9.0/zipl/src/scan.c.blscfg-rpm-nvr-sort s390-tools-2.9.0/z static int scan_append_section_heading(struct scan_token* scan, int* index, char* name); +-- +2.36.1 + diff --git a/SOURCES/s390-tools-zipl-invert-script-options.patch b/SOURCES/s390-tools-zipl-invert-script-options.patch index 93d5cc7..d7d936f 100644 --- a/SOURCES/s390-tools-zipl-invert-script-options.patch +++ b/SOURCES/s390-tools-zipl-invert-script-options.patch @@ -61,10 +61,10 @@ index 871935c783f..d8d5eca5867 100755 ;; --) shift -diff --git a/scripts/zipl-switch-to-blscfg.1 b/scripts/zipl-switch-to-blscfg.1 +diff --git a/scripts/zipl-switch-to-blscfg.8 b/scripts/zipl-switch-to-blscfg.8 index 6bd14d00d14..71b904ffd1c 100644 ---- a/scripts/zipl-switch-to-blscfg.1 -+++ b/scripts/zipl-switch-to-blscfg.1 +--- a/scripts/zipl-switch-to-blscfg.8 ++++ b/scripts/zipl-switch-to-blscfg.8 @@ -37,9 +37,9 @@ The DIRECTORY where the BLS fragments will be generated. The directory is create The FILE used for zipl configuration file, defaults to /etc/zipl.conf. diff --git a/SOURCES/s390utils-2.19.0-rhel.patch b/SOURCES/s390utils-2.19.0-rhel.patch deleted file mode 100644 index dcf40b0..0000000 --- a/SOURCES/s390utils-2.19.0-rhel.patch +++ /dev/null @@ -1,547 +0,0 @@ -From 55e2f3991a8f55d49d7e381dbd8d3fe347c3fc9e Mon Sep 17 00:00:00 2001 -From: Marc Hartmayer -Date: Thu, 31 Mar 2022 14:00:31 +0000 -Subject: [PATCH 1/5] genprotimg: remove DigiCert root CA pinning -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Remove the DigiCert root CA pinning. The root CA used for the chain of trust can -change in the future therefore let's remove this check. If someone wants to -enforce the usage of a specific root CA it can be selected by the genprotimg -command line option `--root-ca $CA`. Make it transparent to the user which root -CA is actually being used by printing the subject name of the root CA to stdout -in verbose mode. - -Signed-off-by: Marc Hartmayer -Acked-by: Viktor Mihajlovski -Reviewed-and-tested-by: Nico Boehr -Signed-off-by: Jan Höppner -(cherry picked from commit 78b053326c504c0535b5ec1c244ad7bb5a1df29d) ---- - genprotimg/man/genprotimg.8 | 2 +- - genprotimg/src/include/pv_crypto_def.h | 3 -- - genprotimg/src/pv/pv_args.c | 2 +- - genprotimg/src/pv/pv_image.c | 27 ++++++--------- - genprotimg/src/utils/crypto.c | 48 +++++++++++--------------- - genprotimg/src/utils/crypto.h | 4 +-- - 6 files changed, 35 insertions(+), 51 deletions(-) - -diff --git a/genprotimg/man/genprotimg.8 b/genprotimg/man/genprotimg.8 -index 8a481c4..6f14052 100644 ---- a/genprotimg/man/genprotimg.8 -+++ b/genprotimg/man/genprotimg.8 -@@ -87,7 +87,7 @@ CRLs. Optional. - .TP - \fB\-\-root\-ca\fR=\fI\,FILE\/\fR - Specifies the root CA certificate for the verification. If omitted, --the DigiCert root CA certificate installed on the system is used. Use -+the system wide root CAs installed on the system is used. Use - this only if you trust the specified certificate. Optional. - .TP - \fB\-\-no-verify\fR -diff --git a/genprotimg/src/include/pv_crypto_def.h b/genprotimg/src/include/pv_crypto_def.h -index 53984a3..3635433 100644 ---- a/genprotimg/src/include/pv_crypto_def.h -+++ b/genprotimg/src/include/pv_crypto_def.h -@@ -29,9 +29,6 @@ - */ - #define PV_CERTS_SECURITY_LEVEL 2 - --/* SKID for DigiCert Assured ID Root CA */ --#define DIGICERT_ASSURED_ID_ROOT_CA_SKID "45EBA2AFF492CB82312D518BA7A7219DF36DC80F" -- - union ecdh_pub_key { - struct { - uint8_t x[80]; -diff --git a/genprotimg/src/pv/pv_args.c b/genprotimg/src/pv/pv_args.c -index e644ae7..bcc3784 100644 ---- a/genprotimg/src/pv/pv_args.c -+++ b/genprotimg/src/pv/pv_args.c -@@ -111,7 +111,7 @@ static gint pv_args_validate_options(PvArgs *args, GError **err) - g_strv_length(args->untrusted_cert_paths) == 0)) { - g_set_error( - err, PV_PARSE_ERROR, PR_PARSE_ERROR_MISSING_ARGUMENT, -- _("Either specify the IBM Z signing key and (DigiCert) intermediate CA certificate\n" -+ _("Either specify the IBM Z signing key and intermediate CA certificate\n" - "by using the '--cert' option, or use the '--no-verify' flag to disable the\n" - "host-key document verification completely (at your own risk).")); - return -1; -diff --git a/genprotimg/src/pv/pv_image.c b/genprotimg/src/pv/pv_image.c -index 7359240..a5f07b8 100644 ---- a/genprotimg/src/pv/pv_image.c -+++ b/genprotimg/src/pv/pv_image.c -@@ -304,9 +304,10 @@ static gint pv_img_hostkey_verify(GSList *host_key_certs, - } - - /* Load all untrusted certificates (e.g. IBM Z signing key and -- * DigiCert intermediate CA) that are required to establish a chain of -- * trust starting from the host-key document up to the root CA (if not -- * otherwise specified that's the DigiCert Assured ID Root CA). -+ * intermediate CA) that are required to establish a chain of trust -+ * starting from the host-key document up to the root CA (if not -+ * otherwise specified that can be one of the system wide installed -+ * root CAs, e.g. DigiCert). - */ - untrusted_certs_with_path = load_certificates(untrusted_cert_paths, err); - if (!untrusted_certs_with_path) -@@ -341,9 +342,8 @@ static gint pv_img_hostkey_verify(GSList *host_key_certs, - * For this we must check: - * - * 1. Can a chain of trust be established ending in a root CA -- * 2. Is the correct root CA ued? It has either to be the -- * 'DigiCert Assured ID Root CA' or the root CA specified via -- * command line. -+ * 2. Is the correct root CA used? It has either to be a system CA -+ * or the root CA specified via command line. - */ - for (gint i = 0; i < sk_X509_num(ibm_signing_certs); ++i) { - X509 *ibm_signing_cert = sk_X509_value(ibm_signing_certs, i); -@@ -364,17 +364,12 @@ static gint pv_img_hostkey_verify(GSList *host_key_certs, - if (verify_cert(ibm_signing_cert, ctx, err) < 0) - goto error; - -- /* Verify the build chain of trust chain. If the user passes a -- * trusted root CA on the command line then the check for the -- * Subject Key Identifier (SKID) is skipped, otherwise let's -- * check if the SKID meets our expectation. -+ /* If there is a chain of trust using either the provided root -+ * CA on the command line or a system wide trusted root CA. - */ -- if (!root_ca_path && -- check_chain_parameters(X509_STORE_CTX_get0_chain(ctx), -- get_digicert_assured_id_root_ca_skid(), -- err) < 0) { -+ if (check_chain_parameters(X509_STORE_CTX_get0_chain(ctx), -+ err) < 0) - goto error; -- } - - ibm_signing_crls = store_ctx_find_valid_crls(ctx, ibm_signing_cert, err); - if (!ibm_signing_crls) { -@@ -588,7 +583,7 @@ PvImage *pv_img_new(PvArgs *args, const gchar *stage3a_path, GError **err) - g_warning(_("host-key document verification is disabled. Your workload is not secured.")); - - if (args->root_ca_path) -- g_warning(_("A different root CA than the default DigiCert root CA is selected. Ensure that this root CA is trusted.")); -+ g_warning(_("The root CA is selected through the command line. Ensure that this root CA is trusted.")); - - ret->comps = pv_img_comps_new(EVP_sha512(), EVP_sha512(), EVP_sha512(), err); - if (!ret->comps) -diff --git a/genprotimg/src/utils/crypto.c b/genprotimg/src/utils/crypto.c -index 087de37..9d1fdb0 100644 ---- a/genprotimg/src/utils/crypto.c -+++ b/genprotimg/src/utils/crypto.c -@@ -1079,8 +1079,8 @@ int store_set_verify_param(X509_STORE *store, GError **err) - g_abort(); - - /* The maximum depth level of the chain of trust for the verification of -- * the IBM Z signing key is 2, i.e. IBM Z signing key -> (DigiCert) -- * intermediate CA -> (DigiCert) root CA -+ * the IBM Z signing key is 2, i.e. IBM Z signing key -> intermediate CA -+ * -> root CA - */ - X509_VERIFY_PARAM_set_depth(param, 2); - -@@ -1267,46 +1267,38 @@ static int security_level_to_bits(int level) - return security_bits[level]; - } - --static ASN1_OCTET_STRING *digicert_assured_id_root_ca; -- --const ASN1_OCTET_STRING *get_digicert_assured_id_root_ca_skid(void) --{ -- pv_crypto_init(); -- return digicert_assured_id_root_ca; --} -- - /* Used for the caching of the downloaded CRLs */ - static GHashTable *cached_crls; - - void pv_crypto_init(void) - { -- if (digicert_assured_id_root_ca) -+ if (cached_crls) - return; -- - cached_crls = g_hash_table_new_full(g_str_hash, g_str_equal, g_free, - (GDestroyNotify)X509_CRL_free); -- digicert_assured_id_root_ca = s2i_ASN1_OCTET_STRING( -- NULL, NULL, DIGICERT_ASSURED_ID_ROOT_CA_SKID); - } - - void pv_crypto_cleanup(void) - { -- if (!digicert_assured_id_root_ca) -+ if (!cached_crls) - return; - g_clear_pointer(&cached_crls, g_hash_table_destroy); -- g_clear_pointer(&digicert_assured_id_root_ca, ASN1_OCTET_STRING_free); - } - - gint check_chain_parameters(const STACK_OF_X509 *chain, -- const ASN1_OCTET_STRING *skid, GError **err) -+ GError **err) - { -- const ASN1_OCTET_STRING *ca_skid = NULL; -+ const X509_NAME *ca_x509_subject = NULL; -+ g_autofree gchar *ca_subject = NULL; - gint len = sk_X509_num(chain); - X509 *ca = NULL; - -- g_assert(skid); - /* at least one root and one leaf certificate must be defined */ -- g_assert(len >= 2); -+ if (len < 2) { -+ g_set_error(err, PV_CRYPTO_ERROR, PV_CRYPTO_ERROR_INTERNAL, -+ _("there must be at least on root and one leaf certificate in the chain of trust")); -+ return -1; -+ } - - /* get the root certificate of the chain of trust */ - ca = sk_X509_value(chain, len - 1); -@@ -1316,19 +1308,21 @@ gint check_chain_parameters(const STACK_OF_X509 *chain, - return -1; - } - -- ca_skid = X509_get0_subject_key_id(ca); -- if (!ca_skid) { -- g_set_error(err, PV_CRYPTO_ERROR, PV_CRYPTO_ERROR_MALFORMED_ROOT_CA, -- _("malformed root certificate")); -+ ca_x509_subject = X509_get_subject_name(ca); -+ if (!ca_x509_subject) { -+ g_set_error(err, PV_CRYPTO_ERROR, PV_CRYPTO_ERROR_INTERNAL, -+ _("subject of the root CA cannot be retrieved")); - return -1; - } - -- if (ASN1_STRING_cmp(ca_skid, skid) != 0) { -- g_set_error(err, PV_CRYPTO_ERROR, PV_CRYPTO_ERROR_WRONG_CA_USED, -- _("expecting DigiCert root CA to be used")); -+ ca_subject = X509_NAME_oneline(ca_x509_subject, NULL, 0); -+ if (!ca_subject) { -+ g_set_error(err, PV_CRYPTO_ERROR, PV_CRYPTO_ERROR_INTERNAL, -+ _("subject name of the root CA cannot be retrieved")); - return -1; - } - -+ g_info("Root CA used: '%s'", ca_subject); - return 0; - } - -diff --git a/genprotimg/src/utils/crypto.h b/genprotimg/src/utils/crypto.h -index 3cda450..fdf66de 100644 ---- a/genprotimg/src/utils/crypto.h -+++ b/genprotimg/src/utils/crypto.h -@@ -125,7 +125,6 @@ int check_crl_valid_for_cert(X509_CRL *crl, X509 *cert, - gint verify_flags, GError **err); - void pv_crypto_init(void); - void pv_crypto_cleanup(void); --const ASN1_OCTET_STRING *get_digicert_assured_id_root_ca_skid(void); - gint verify_host_key(X509 *host_key, GSList *issuer_pairs, - gint verify_flags, int level, GError **err); - X509 *load_cert_from_file(const char *path, GError **err); -@@ -138,8 +137,7 @@ X509_STORE *store_setup(const gchar *root_ca_path, - int store_set_verify_param(X509_STORE *store, GError **err); - X509_CRL *load_crl_by_cert(X509 *cert, GError **err); - STACK_OF_X509_CRL *try_load_crls_by_certs(GSList *certs_with_path); --gint check_chain_parameters(const STACK_OF_X509 *chain, -- const ASN1_OCTET_STRING *skid, GError **err); -+gint check_chain_parameters(const STACK_OF_X509 *chain, GError **err); - X509_NAME *c2b_name(const X509_NAME *name); - - STACK_OF_X509 *delete_ibm_signing_certs(STACK_OF_X509 *certs); --- -2.37.1 - - -From 666cd637519efad9b9c4ca68a5d99b86e92d48ff Mon Sep 17 00:00:00 2001 -From: Viktor Mihajlovski -Date: Tue, 15 Mar 2022 12:55:02 +0100 -Subject: [PATCH 2/5] genprotimg/check_hostkeydoc: relax default issuer check -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -While the original default issuer's organizationalUnitName (OU) -was defined as "IBM Z Host Key Signing Service", any OU ending -with "Key Signing Service" is considered legal. - -Let's relax the default issuer check by stripping off characters -preceding "Key Signing Service". - -Signed-off-by: Viktor Mihajlovski -Reviewed-by: Marc Hartmayer -Signed-off-by: Jan Höppner -(cherry picked from commit 673ff375d939d3cde674f8f99a62d456f8b1673d) ---- - genprotimg/samples/check_hostkeydoc | 20 ++++++++++++++++---- - 1 file changed, 16 insertions(+), 4 deletions(-) - -diff --git a/genprotimg/samples/check_hostkeydoc b/genprotimg/samples/check_hostkeydoc -index a96576f..6a83739 100755 ---- a/genprotimg/samples/check_hostkeydoc -+++ b/genprotimg/samples/check_hostkeydoc -@@ -23,6 +23,7 @@ BODY_FILE=$(mktemp) - ISSUER_DN_FILE=$(mktemp) - SUBJECT_DN_FILE=$(mktemp) - DEF_ISSUER_DN_FILE=$(mktemp) -+CANONICAL_ISSUER_DN_FILE=$(mktemp) - CRL_SERIAL_FILE=$(mktemp) - - # Cleanup on exit -@@ -30,7 +31,7 @@ cleanup() - { - rm -f $ISSUER_PUBKEY_FILE $SIGNATURE_FILE $BODY_FILE \ - $ISSUER_DN_FILE $SUBJECT_DN_FILE $DEF_ISSUER_DN_FILE \ -- $CRL_SERIAL_FILE -+ $CANONICAL_ISSUER_DN_FILE $CRL_SERIAL_FILE - } - trap cleanup EXIT - -@@ -121,20 +122,31 @@ default_issuer() - commonName = International Business Machines Corporation - countryName = US - localityName = Poughkeepsie -- organizationalUnitName = IBM Z Host Key Signing Service -+ organizationalUnitName = Key Signing Service - organizationName = International Business Machines Corporation - stateOrProvinceName = New York - EOF - } - --verify_issuer_files() -+# As organizationalUnitName can have an arbitrary prefix but must -+# end with "Key Signing Service" let's normalize the OU name by -+# stripping off the prefix -+verify_default_issuer() - { - default_issuer > $DEF_ISSUER_DN_FILE - -- if ! diff $ISSUER_DN_FILE $DEF_ISSUER_DN_FILE -+ sed "s/\(^[ ]*organizationalUnitName[ ]*=[ ]*\).*\(Key Signing Service$\)/\1\2/" \ -+ $ISSUER_DN_FILE > $CANONICAL_ISSUER_DN_FILE -+ -+ if ! diff $CANONICAL_ISSUER_DN_FILE $DEF_ISSUER_DN_FILE - then - echo Incorrect default issuer >&2 && exit 1 - fi -+} -+ -+verify_issuer_files() -+{ -+ verify_default_issuer - - if diff $ISSUER_DN_FILE $SUBJECT_DN_FILE - then --- -2.37.1 - - -From b4dc45d6f3fff7c57fd5a97cdab357a842ef021e Mon Sep 17 00:00:00 2001 -From: Ingo Franzki -Date: Mon, 4 Apr 2022 16:38:41 +0200 -Subject: [PATCH 3/5] libseckey: Fix re-enciphering of EP11 secure key -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The re-enciphering of EP11 asymmetric secure keys does not work. -First, the result of the re-encipher operation of the private key -part must be copied back into the user supplied key token buffer. -Second, the public key part, i.e. the MACed SubjectPublicKeyInfo -(SPKI) structure must also be re-enciphered (i.e. re-MACed), since -the MAC is calculated with the EP11 master key. - -Signed-off-by: Ingo Franzki -Signed-off-by: Jan Höppner -(cherry picked from commit 4e2ebe0370d9fb036b7554d5ac5df4418dbe0397) ---- - libseckey/sk_ep11.c | 53 +++++++++++++++++++++++++++++++++++++++++++++ - 1 file changed, 53 insertions(+) - -diff --git a/libseckey/sk_ep11.c b/libseckey/sk_ep11.c -index b867626..e3bd3c9 100644 ---- a/libseckey/sk_ep11.c -+++ b/libseckey/sk_ep11.c -@@ -1549,6 +1549,59 @@ int SK_EP11_reencipher_key(const struct sk_ext_ep11_lib *ep11_lib, - return -EIO; - } - -+ memcpy(blob, lrb.payload, lrb.pllen); -+ -+ /* re-encipher MACed SPKI */ -+ rb.domain = domain; -+ lrb.domain = domain; -+ -+ resp_len = sizeof(resp); -+ req_len = ep11.dll_xcpa_cmdblock(req, sizeof(req), XCP_ADM_REENCRYPT, -+ &rb, NULL, key_token + hdr->len, -+ key_token_length - hdr->len); -+ if (req_len < 0) { -+ sk_debug(debug, "Failed to build XCP command block"); -+ return -EIO; -+ } -+ -+ rv = ep11.dll_m_admin(resp, &resp_len, NULL, NULL, req, req_len, NULL, -+ 0, ep11_lib->target); -+ if (rv != CKR_OK || resp_len == 0) { -+ sk_debug(debug, "Command XCP_ADM_REENCRYPT failed. " -+ "rc = 0x%lx, resp_len = %ld", rv, resp_len); -+ return -EIO; -+ } -+ -+ rc = ep11.dll_xcpa_internal_rv(resp, resp_len, &lrb, &rv); -+ if (rc != 0) { -+ sk_debug(debug, "Failed to parse response. rc = %d", rc); -+ return -EIO; -+ } -+ -+ if (rv != CKR_OK) { -+ sk_debug(debug, "Failed to re-encrypt the EP11 secure key. " -+ "rc = 0x%lx", rv); -+ switch (rv) { -+ case CKR_IBM_WKID_MISMATCH: -+ sk_debug(debug, "The EP11 secure key is currently " -+ "encrypted under a different master that does " -+ "not match the master key in the CURRENT " -+ "master key register of APQN %02X.%04X", -+ card, domain); -+ break; -+ } -+ return -EIO; -+ } -+ -+ if (key_token_length - hdr->len != lrb.pllen) { -+ sk_debug(debug, "Re-encrypted EP11 secure key size has " -+ "changed: org-len: %lu, new-len: %lu", -+ hdr->len - sizeof(*hdr), lrb.pllen); -+ return -EIO; -+ } -+ -+ memcpy(key_token + hdr->len, lrb.payload, lrb.pllen); -+ - return 0; - } - --- -2.37.1 - - -From bf4d971adb286fc42f6f5bcb45b6fb484eb9519b Mon Sep 17 00:00:00 2001 -From: Mete Durlu -Date: Fri, 10 Jun 2022 10:13:33 +0200 -Subject: [PATCH 4/5] hyptop: increase initial update interval -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Increase initial update interval from 200ms to 1 seconds to avoid -fluctuations on the initial data output. - -Signed-off-by: Mete Durlu -Signed-off-by: Jan Höppner -(cherry picked from commit 80e54ac888d6232d99a485c74071fc2173f3dfbf) ---- - hyptop/sd.h | 2 +- - hyptop/sd_core.c | 2 +- - 2 files changed, 2 insertions(+), 2 deletions(-) - -diff --git a/hyptop/sd.h b/hyptop/sd.h -index 9ba3192..1aed707 100644 ---- a/hyptop/sd.h -+++ b/hyptop/sd.h -@@ -17,7 +17,7 @@ - #include "helper.h" - #include "table.h" - --#define SD_DG_INIT_INTERVAL_MS 200 -+#define SD_DG_INIT_INTERVAL_SEC 1 - #define SD_SYS_ID_SIZE 9 - - /* -diff --git a/hyptop/sd_core.c b/hyptop/sd_core.c -index f1cb631..47b5b59 100644 ---- a/hyptop/sd_core.c -+++ b/hyptop/sd_core.c -@@ -150,7 +150,7 @@ void sd_update(void) - */ - void sd_dg_register(struct sd_dg *dg, int has_core_data) - { -- struct timespec ts = {0, SD_DG_INIT_INTERVAL_MS * 1000000}; -+ struct timespec ts = {SD_DG_INIT_INTERVAL_SEC, 0}; - struct sd_sys_item *sys_item; - struct sd_cpu_item *cpu_item; - unsigned int i; --- -2.37.1 - - -From 0c7fa7ed53e0187ea9d89f05299f17378daf046e Mon Sep 17 00:00:00 2001 -From: Ingo Franzki -Date: Thu, 12 May 2022 11:06:16 +0200 -Subject: [PATCH 5/5] libseckey: Adapt keymgmt_match() implementation to - OpenSSL -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -OpenSSL commit ee22a3741e3fc27c981e7f7e9bcb8d3342b0c65a changed the -OpenSSL provider's keymgmt_match() function to be not so strict with -the selector bits in regards to matching different key parts. - -Adapt the secure key provider's match function accordingly. -This means, that if the public key is selected to be matched, and -the public key matches (together with any also selected parameters), -then the private key is no longer checked, although it may also be -selected to be matched. This is according to how the OpenSSL function -EVP_PKEY_eq() is supposed to behave. - -OpenSSL function SSL_CTX_use_PrivateKey() calls the providers match -function to check if the private key specified matches the public key -of the certificate using EVP_PKEY_eq(). EVP_PKEY_eq() includes the -private key into the selector bits here, although the certificate -only contains the public key part. - -Signed-off-by: Ingo Franzki -Signed-off-by: Jan Höppner -(cherry picked from commit 6c5c5f7e558c114ddaa475e96c9ec708049aa423) ---- - libseckey/sk_provider.c | 18 ++++++++++++++---- - 1 file changed, 14 insertions(+), 4 deletions(-) - -diff --git a/libseckey/sk_provider.c b/libseckey/sk_provider.c -index 10f56c0..0abe99d 100644 ---- a/libseckey/sk_provider.c -+++ b/libseckey/sk_provider.c -@@ -2216,13 +2216,23 @@ static int sk_prov_keymgmt_match(const struct sk_prov_key *key1, - - if (key1->type != key2->type) - return 0; -+ -+ if (selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) { -+ /* match everything except private key */ -+ return default_match_fn(key1->default_key, key2->default_key, -+ selection & -+ (~OSSL_KEYMGMT_SELECT_PRIVATE_KEY)); -+ } -+ - if (selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) { - if (key1->secure_key_size != key2->secure_key_size) - return 0; -- if (key1->secure_key_size > 0 && -- memcmp(key1->secure_key, key2->secure_key, -- key1->secure_key_size) != 0) -- return 0; -+ if (key1->secure_key_size > 0) { -+ if (memcmp(key1->secure_key, key2->secure_key, -+ key1->secure_key_size) != 0) -+ return 0; -+ selection &= (~OSSL_KEYMGMT_SELECT_PRIVATE_KEY); -+ } - } - - return default_match_fn(key1->default_key, key2->default_key, --- -2.37.1 - diff --git a/SOURCES/s390utils-2.22.0-rhel.patch b/SOURCES/s390utils-2.22.0-rhel.patch new file mode 100644 index 0000000..623ce0e --- /dev/null +++ b/SOURCES/s390utils-2.22.0-rhel.patch @@ -0,0 +1,32 @@ +From 2844d07e4bba2301fef66f56574c92054bac7cac Mon Sep 17 00:00:00 2001 +From: Steffen Eiden +Date: Mon, 25 Jul 2022 12:57:53 +0200 +Subject: [PATCH] zipl: Add missing check for a nullpointer. + +Fixes a bug that leads to a segmentation fault when no parmline is +provided. + +Fixes: 11b401b5 ("zipl: move and make check for maximum command line length dynamic") +Signed-off-by: Steffen Eiden +Reviewed-by: Marc Hartmayer +Reviewed-by: Stefan Haberland +--- + zipl/src/job.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/zipl/src/job.c b/zipl/src/job.c +index ffdc297..b5bf5b2 100644 +--- a/zipl/src/job.c ++++ b/zipl/src/job.c +@@ -790,7 +790,7 @@ check_common_ipl_data(struct job_common_ipl_data *common, const char *section, + if (!max_parm_size) + max_parm_size = LEGACY_MAXIMUM_PARMLINE_SIZE; + +- len = strlen(common->parmline); ++ len = common->parmline ? strlen(common->parmline) : 0; + if (len > max_parm_size) { + error_text("The length of the parameters line " + "(%d bytes) exceeds the allowed maximum " +-- +2.37.1 + diff --git a/SPECS/s390utils.spec b/SPECS/s390utils.spec index afb366c..21f1c36 100644 --- a/SPECS/s390utils.spec +++ b/SPECS/s390utils.spec @@ -3,10 +3,14 @@ %global signzipl 1 %endif +%if 0%{?fedora} +%global with_pandoc 1 +%endif + Name: s390utils Summary: Utilities and daemons for IBM z Systems -Version: 2.19.0 -Release: 2%{?dist}.3 +Version: 2.22.0 +Release: 2%{?dist} Epoch: 2 License: MIT ExclusiveArch: s390 s390x @@ -34,7 +38,7 @@ Patch0: s390-tools-zipl-invert-script-options.patch Patch1: s390-tools-zipl-blscfg-rpm-nvr-sort.patch # backported fixes -Patch100: s390utils-2.19.0-rhel.patch +Patch100: s390utils-%{version}-rhel.patch Requires: s390utils-core = %{epoch}:%{version}-%{release} Requires: s390utils-base = %{epoch}:%{version}-%{release} @@ -64,6 +68,9 @@ be used together with the zSeries (s390) Linux kernel and device drivers. %patch100 -p1 +# drop -Werror from genprotimg to allow building with GCC 12 +sed -i.bak -e 's/-Werror//g' genprotimg/src/Makefile genprotimg/boot/Makefile + # remove --strip from install find . -name Makefile | xargs sed -i 's/$(INSTALL) -s/$(INSTALL)/g' @@ -72,6 +79,9 @@ find . -name Makefile | xargs sed -i 's/$(INSTALL) -s/$(INSTALL)/g' make \ CFLAGS="%{build_cflags}" CXXFLAGS="%{build_cxxflags}" LDFLAGS="%{build_ldflags}" \ HAVE_DRACUT=1 \ +%if 0%{?with_pandoc} + ENABLE_DOC=1 \ +%endif NO_PIE_LDFLAGS="" \ BINDIR=/usr/sbin \ UDEVRUNDIR=/run/udev \ @@ -82,6 +92,9 @@ make \ %install make install \ HAVE_DRACUT=1 \ +%if 0%{?with_pandoc} + ENABLE_DOC=1 \ +%endif DESTDIR=%{buildroot} \ BINDIR=/usr/sbin \ SYSTEMDSYSTEMUNITDIR=%{_unitdir} \ @@ -149,10 +162,6 @@ install -p -m 644 %{SOURCE17} %{buildroot}%{_udevrulesdir}/81-ccw.rules # zipl.conf to be ghosted touch %{buildroot}%{_sysconfdir}/zipl.conf -# fixups -# https://bugzilla.redhat.com/show_bug.cgi?id=2024102 -chmod 755 %{buildroot}/lib/s390-tools/cpictl - %files %doc README.md @@ -203,6 +212,7 @@ This package provides minimal set of tools needed to system to boot. /lib/s390-tools/zdev-root-update /lib/s390-tools/zipl.conf %ghost %config(noreplace) %{_sysconfdir}/zipl.conf +%config(noreplace) %{_sysconfdir}/ziplenv %{_unitdir}/cpi.service %config(noreplace) %{_sysconfdir}/sysconfig/cpi /usr/lib/dracut/modules.d/95zdev/ @@ -267,6 +277,7 @@ BuildRequires: json-c-devel BuildRequires: rpm-devel BuildRequires: glib2-devel BuildRequires: libxml2-devel +BuildRequires: liblockfile-devel %description base @@ -444,6 +455,7 @@ getent group zkeyadm > /dev/null || groupadd -r zkeyadm %{_sbindir}/lstape %{_sbindir}/lszcrypt %{_sbindir}/lszfcp +%{_sbindir}/pai %{_sbindir}/qetharp %{_sbindir}/qethconf %{_sbindir}/qethqoat @@ -466,12 +478,16 @@ getent group zkeyadm > /dev/null || groupadd -r zkeyadm %{_bindir}/dump2tar %{_bindir}/genprotimg %{_bindir}/mk-s390image +%{_bindir}/pvattest +%{_bindir}/pvextract-hdr %{_bindir}/vmconvert %{_bindir}/zkey %{_bindir}/zkey-cryptsetup %{_unitdir}/dumpconf.service %ghost %config(noreplace) %{_sysconfdir}/zipl.conf %config(noreplace) %{_sysconfdir}/sysconfig/dumpconf +%{_sysconfdir}/mdevctl.d/* +/usr/lib/dracut/modules.d/99ngdump/ /lib/s390-tools/dumpconf /lib/s390-tools/lsznet.raw %dir /lib/s390-tools/zfcpdump @@ -482,13 +498,13 @@ getent group zkeyadm > /dev/null || groupadd -r zkeyadm %dir %{_libdir}/zkey %{_libdir}/zkey/zkey-ekmfweb.so %{_libdir}/zkey/zkey-kmip.so -%{_mandir}/man1/dbginfo.sh.1* %{_mandir}/man1/dump2tar.1* -%{_mandir}/man1/lscpumf.1* -%{_mandir}/man1/lshwc.1* +%{_mandir}/man1/genprotimg.1* +%{_mandir}/man1/pvattest.1* +%{_mandir}/man1/pvattest-create.1* +%{_mandir}/man1/pvattest-perform.1* +%{_mandir}/man1/pvattest-verify.1* %{_mandir}/man1/vmconvert.1* -%{_mandir}/man1/zfcpdbf.1* -%{_mandir}/man1/zipl-switch-to-blscfg.1* %{_mandir}/man1/zkey.1* %{_mandir}/man1/zkey-cryptsetup.1* %{_mandir}/man1/zkey-ekmfweb.1* @@ -502,14 +518,16 @@ getent group zkeyadm > /dev/null || groupadd -r zkeyadm %{_mandir}/man8/chzcrypt.8* %{_mandir}/man8/dasdstat.8* %{_mandir}/man8/dasdview.8* +%{_mandir}/man8/dbginfo.sh.8* %{_mandir}/man8/dumpconf.8* -%{_mandir}/man8/genprotimg.8.* %{_mandir}/man8/hsavmcore.8* %{_mandir}/man8/hsci.8* %{_mandir}/man8/hyptop.8* %{_mandir}/man8/lschp.8* +%{_mandir}/man8/lscpumf.8* %{_mandir}/man8/lscss.8* %{_mandir}/man8/lsdasd.8* +%{_mandir}/man8/lshwc.8* %{_mandir}/man8/lsluns.8* %{_mandir}/man8/lsqeth.8* %{_mandir}/man8/lsreipl.8* @@ -519,6 +537,7 @@ getent group zkeyadm > /dev/null || groupadd -r zkeyadm %{_mandir}/man8/lstape.8* %{_mandir}/man8/lszcrypt.8* %{_mandir}/man8/lszfcp.8* +%{_mandir}/man8/pai.8* %{_mandir}/man8/qetharp.8* %{_mandir}/man8/qethconf.8* %{_mandir}/man8/qethqoat.8* @@ -529,7 +548,9 @@ getent group zkeyadm > /dev/null || groupadd -r zkeyadm %{_mandir}/man8/vmur.8* %{_mandir}/man8/zcryptctl.8* %{_mandir}/man8/zcryptstats.8* +%{_mandir}/man8/zfcpdbf.8* %{_mandir}/man8/zgetdump.8* +%{_mandir}/man8/zipl-switch-to-blscfg.8* %{_mandir}/man8/znetconf.8* %{_mandir}/man8/zpcictl.8* %dir %{_datadir}/s390-tools @@ -737,8 +758,8 @@ fi # %package cmsfs-fuse Summary: CMS file system based on FUSE -BuildRequires: fuse-devel -Requires: fuse +BuildRequires: fuse3-devel +Requires: fuse3 Requires: glibc-gconv-extra Obsoletes: %{name}-cmsfs < 2:2.7.0-3 @@ -756,9 +777,9 @@ This package contains the CMS file system based on FUSE. # %package zdsfs Summary: z/OS data set access based on FUSE -BuildRequires: fuse-devel +BuildRequires: fuse3-devel BuildRequires: libcurl-devel -Requires: fuse +Requires: fuse3 %description zdsfs This package contains the z/OS data set access based on FUSE. @@ -772,8 +793,8 @@ This package contains the z/OS data set access based on FUSE. # %package hmcdrvfs Summary: HMC drive file system based on FUSE -BuildRequires: fuse-devel -Requires: fuse +BuildRequires: fuse3-devel +Requires: fuse3 %description hmcdrvfs This package contains a HMC drive file system based on FUSE and a tool @@ -827,6 +848,9 @@ Summary: Use multipath information for re-IPL path failover BuildRequires: make BuildRequires: bash BuildRequires: coreutils +%if 0%{?with_pandoc} +BuildRequires: pandoc +%endif BuildRequires: gawk BuildRequires: gzip BuildRequires: sed @@ -845,6 +869,9 @@ reconfigures the FCP re-IPL settings to use an operational path. %files chreipl-fcp-mpath %doc chreipl-fcp-mpath/README.md +%if 0%{?with_pandoc} +%doc chreipl-fcp-mpath/README.html +%endif %dir %{_prefix}/lib/chreipl-fcp-mpath/ %{_prefix}/lib/chreipl-fcp-mpath/* %{_prefix}/lib/dracut/dracut.conf.d/70-chreipl-fcp-mpath.conf @@ -854,6 +881,7 @@ reconfigures the FCP re-IPL settings to use an operational path. %{_prefix}/lib/udev/chreipl-fcp-mpath-record-volume-identifier %{_prefix}/lib/udev/chreipl-fcp-mpath-try-change-ipl-path %{_udevrulesdir}/70-chreipl-fcp-mpath.rules +%{_mandir}/man7/chreipl-fcp-mpath.7* # # *********************** devel package *********************** @@ -875,18 +903,29 @@ User-space development files for the s390/s390x architecture. %changelog -* Wed Jul 20 2022 Dan Horák - 2:2.19.0-2.3 -- zkey: KMIP plugin fails to connection to KMIP server (#2109102) -- Resolves: #2109102 +* Thu Aug 04 2022 Dan Horák - 2:2.22.0-2 +- zipl: Add missing check for a nullpointer (#2113884) +- Resolves: #2113884 -* Tue Jul 12 2022 Dan Horák - 2:2.19.0-2.2 -- hyptop: observable value fluctuations on initial iteration (#2101808) -- Resolves: #2101808 +* Mon Jul 11 2022 Dan Horák - 2:2.22.0-1 +- rebased to 2.22.0 (#2044205) +- add tool to persistently configure vfio-ap devices (#1870699) +- NVMe stand-alone dump support (#1878081) +- zipl: Site-aware environment block (#2044199) +- KVM: Secure Execution Attestation Userspace Tool (#2044203) +- Add new CPU-MF Counters for IBM z16 Hardware (#2047722) +- Resolves: #2044205 #1870699 #1878081 #2044199 #2044203 #2047722 -* Tue May 03 2022 Dan Horák - 2:2.19.0-2.1 -- genprotimg: certificate verification is too strict (#2081271) -- zkey: fix re-enciphering of EP11 identity key of KMIP plugin (#2081272) -- Resolves: #2081271 #2081272 +* Tue Apr 26 2022 Dan Horák - 2:2.21.0-1 +- rebased to 2.21.0 (#2044205) +- cpictl: Suppress messages for unwritable sysfs files (#1985745) +- KVM: Secure Execution guest dump encryption with customer keys (#2044204) +- KVM: Allow long kernel command lines for Secure Execution guests (#2044197) +- zcrypt DD: Exploitation Support of new IBM Z Crypto Hardware (#2044206) +- Long Kernel Commmand Line for s390x (#2060826) +- zcryptctl support for control domains (#2076920) +- Add additional information to SCLP CPI (#2046680) +- Resolves: #2044205 #1985745 #2044204 #2044197 #2044206 #2060826 #2076920 #2046680 * Tue Dec 14 2021 Dan Horák - 2:2.19.0-2 - update ccw udev rules for synthetic events (#2027357)