From cef705e9ff987063d67267866aaab8ad3782979b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dan=20Hor=C3=A1k?=
Date: Wed, 19 Nov 2025 12:41:55 +0100
Subject: [PATCH] - rebased to 2.39.0 (RHEL-100438) - udev/rules.d: Set default io scheduler to 'none' for virtio-blk (RHEL-126748) - udev/rules.d: make virtio-blk devices non-rotational (RHEL-126744) - zipl: makedumpfile is required for ngdump support (RHEL-114661) - libekmfweb: Fix gen of cert or CSR to use RSA not RSA-PSS (RHEL-114884) - chpstat: Fix DPU utilization scaling in reports (RHEL-109214) - Resolves: RHEL-100438 RHEL-126748 RHEL-126744 RHEL-114661 RHEL-114884 RHEL-109214
---
 s390utils-2.38.0-rhel.patch | 167 ------------------------------------
 s390utils-2.39.0-rhel.patch | 64 ++++++++++++++
 s390utils.spec | 20 ++++-
 sources | 4 +-
 4 files changed, 83 insertions(+), 172 deletions(-)
 delete mode 100644 s390utils-2.38.0-rhel.patch
 create mode 100644 s390utils-2.39.0-rhel.patch
diff --git a/s390utils-2.38.0-rhel.patch b/s390utils-2.38.0-rhel.patch
deleted file mode 100644
index c8c24fc..0000000
--- a/s390utils-2.38.0-rhel.patch
+++ /dev/null
@@ -1,167 +0,0 @@ -From 070317ddb8613243ab284aa3c861f6374fc016ec Mon Sep 17 00:00:00 2001 -From: Shalini Chellathurai Saroja -Date: Fri, 16 May 2025 16:47:24 +0200 -Subject: [PATCH] cpi: Disable CPI for SEL guests by default (RHEL-76930) -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The cpictl utility sends control-program identification data -from protected virtualization guests to hosts by default. -This behaviour leaks the below potentially sensitive -information to untrusted hosts. -- system_type -- system_level -- sysplex_name -- system_name - -To prevent this behaviour, enhance the cpictl utility to stop -setting CPI information on protected virtualization guests by -default. If the user chooses to set the CPI information, it -could be set by one of the below options -- use the command line option --permit-cpi -- set the environment variable CPI_PERMIT_ON_PVGUEST to 1 to -control the CPI service behaviour during boot - -Signed-off-by: Hendrik Brueckner -Signed-off-by: Shalini Chellathurai Saroja -Reviewed-by: Jan Höppner -Reviewed-by: Peter Oberparleiter -Reviewed-by: Hendrik Brueckner -Signed-off-by: Jan Höppner -(cherry picked from commit ce9c518b977925cc4c9eb92a3e508762fd57f551) ---- - etc/sysconfig/cpi | 14 ++++++++++++++ - scripts/cpictl | 39 +++++++++++++++++++++++++++++++++++++-- - systemd/cpi.service.in | 1 + - 3 files changed, 52 insertions(+), 2 deletions(-) - -diff --git a/etc/sysconfig/cpi b/etc/sysconfig/cpi -index 866b589..78eb632 100644 ---- a/etc/sysconfig/cpi -+++ b/etc/sysconfig/cpi -@@ -18,3 +18,17 @@ CPI_SYSTEM_NAME="" - # CPI sysplex name - # - CPI_SYSPLEX_NAME="" -+ -+# -+# CPI permit on protected virtualization guests -+# -+# Important: Set CPI_PERMIT_ON_PVGUEST=1 only if you trust the host system. 
-+# Enabling these options allows the host to receive potentially sensitive -+# Control-Program Identification (CPI) data from the protected virtualization -+# guest, including: -+# - system_type -+# - system_level -+# - sysplex_name -+# - system_name -+# -+CPI_PERMIT_ON_PVGUEST= -diff --git a/scripts/cpictl b/scripts/cpictl -index 16cadde..6096a67 100755 ---- a/scripts/cpictl -+++ b/scripts/cpictl -@@ -32,6 +32,9 @@ declare TYPE - declare NAME - declare SYSPLEX - -+declare PV_GUEST -+declare -i CPI_PERMIT="$CPI_PERMIT_ON_PVGUEST" -+ - declare -i DRYRUN=0 - - # Exit codes -@@ -40,6 +43,7 @@ readonly EXIT_FAILURE=1 - readonly EXIT_ARG_TOO_LONG=3 - readonly EXIT_INVALID_CHARS=4 - readonly EXIT_INVALID_ARGS=5 -+readonly EXIT_NO_PERMIT_CPI=6 - - # Distro-IDs as supported by SE/HMC firmware - readonly DISTRO_GENERIC=0 -@@ -69,6 +73,10 @@ Configure the Control-Program-Information (CPI) settings. - -S, --sysplex SYSPLEX Set and commit the sysplex name to SYSPLEX - -T, --type TYPE Set and commit OS type to TYPE - -v, --version Print version information, then exit -+ --permit-cpi Permit to send Control-Program Identification data of -+ protected virtualization guest to the host (must be -+ specified before any commit option). See also the -+ important note. - --commit Ignore all other options and commit any uncommitted - values - --dry-run Do not actually set or commit anything, but show what -@@ -77,7 +85,17 @@ Configure the Control-Program-Information (CPI) settings. - uncommitted) values - - Environment variables used for the --defaults option: -- CPI_SYSTEM_TYPE, CPI_SYSTEM_LEVEL, CPI_SYSTEM_NAME, CPI_SYSPLEX_NAME -+ CPI_SYSTEM_TYPE, CPI_SYSTEM_LEVEL, CPI_SYSTEM_NAME, CPI_SYSPLEX_NAME, -+ CPI_PERMIT_ON_PVGUEST (See also the important note.) -+ -+Important: Set CPI_PERMIT_ON_PVGUEST=1 or use --permit_cpi option only if you -+trust the host system. 
Enabling these options allows the host to receive -+potentially sensitive Control-Program Identification (CPI) data from the -+protected virtualization guest, including: -+- system_type -+- system_level -+- sysplex_name -+- system_name - - Available bits for the --set-bit option: - kvm: Indicate that system is a KVM host -@@ -124,6 +142,19 @@ fail_with() - - cpi_commit() - { -+ # Commit Control-Program Identification changes on protected -+ # virtualization guests only if it is permitted by the guest. This -+ # prevents leakage of potentially sensitive information to untrusted -+ # hosts. -+ if [[ -f "/sys/firmware/uv/prot_virt_guest" ]]; then -+ read -r PV_GUEST < "/sys/firmware/uv/prot_virt_guest" -+ if [[ "$PV_GUEST" -eq 1 ]]; then -+ if [[ -z "$CPI_PERMIT" ]] || [[ "$CPI_PERMIT" -ne 1 ]]; then -+ echo "Sending CPI data from secure execution Linux guests is disabled. Use --permit-cpi to enable CPI data." >&2 -+ exit "$EXIT_NO_PERMIT_CPI" -+ fi -+ fi -+ fi - echo 1 > "$CPI_SET" 2> /dev/null - } - -@@ -404,7 +435,7 @@ if [ $# -le 0 ]; then - print_parse_error_and_exit - fi - --opts=$(getopt -o b:ehL:N:S:T:v -l set-bit:,environment,help,level:,name:,sysplex:,type:,commit,dry-run,show,version -n $PRG -- "$@") -+opts=$(getopt -o b:ehL:N:S:T:v -l set-bit:,environment,help,level:,name:,sysplex:,type:,commit,dry-run,permit-cpi,show,version -n "$PRG" -- "$@") - if [ $? 
-ne 0 ]; then - print_parse_error_and_exit - fi -@@ -473,6 +504,10 @@ while [ -n $1 ]; do - cpi_show - exit $EXIT_SUCCESS - ;; -+ --permit-cpi) -+ CPI_PERMIT=1 -+ shift -+ ;; - --commit) - cpi_commit - exit $EXIT_SUCCESS -diff --git a/systemd/cpi.service.in b/systemd/cpi.service.in -index 3976f68..ca21a8b 100644 ---- a/systemd/cpi.service.in -+++ b/systemd/cpi.service.in -@@ -37,6 +37,7 @@ EnvironmentFile=@sysconf_path@/sysconfig/cpi - # Environment=CPI_SYSPLEX_NAME= - # Environment=CPI_SYSTEM_LEVEL= - # Environment=CPI_SYSTEM_TYPE=LINUX -+# Environment=CPI_PERMIT_ON_PVGUEST= - - # - # Sending data to the HMC/SE --- -2.50.1 - diff --git a/s390utils-2.39.0-rhel.patch b/s390utils-2.39.0-rhel.patch new file mode 100644 index 0000000..f55beaa --- /dev/null +++ b/s390utils-2.39.0-rhel.patch 
@@ -0,0 +1,64 @@
+From 5c52438d3551222bf0df7c63a223b28b35f5bbef Mon Sep 17 00:00:00 2001
+From: Peter Jin
+Date: Wed, 1 Oct 2025 15:02:10 -0400
+Subject: [PATCH 1/2] udev/rules.d: make virtio-blk devices non-rotational
+ (RHEL-126744)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Performance measurements turned out that in certain situations the
+paging/swap logic turns on the rotational feature for block devices. In the
+past, this feature has been disabled for DASD devices. FCP and NVMe devices
+are considered non-rotational by default (or exposed by the storage server).
+Because those are the backing devices on Linux on Z/LinuxONE instances,
+ensure that virtio-blk devices are always non-rotational.
+
+Signed-off-by: Peter Jin
+Signed-off-by: Jan Höppner
+(cherry picked from commit 82f8c137e1881577d89309223f6d459361c671dd)
+---
+ etc/udev/rules.d/59-virtio-blk.rules | 1 +
+ 1 file changed, 1 insertion(+)
+ create mode 100644 etc/udev/rules.d/59-virtio-blk.rules
+
+diff --git a/etc/udev/rules.d/59-virtio-blk.rules b/etc/udev/rules.d/59-virtio-blk.rules
+new file mode 100644
+index 00000000..2e3c13f7
+--- /dev/null
++++ b/etc/udev/rules.d/59-virtio-blk.rules
+@@ -0,0 +1 @@
++SUBSYSTEM=="block", ACTION=="add", KERNEL=="vd*[!0-9]", TEST=="queue/rotational", ATTR{queue/rotational}="0"
+--
+2.51.1
+
+
+From b55b683fb400fba6f76ce67fada8b90bb09ab118 Mon Sep 17 00:00:00 2001
+From: Peter Jin
+Date: Wed, 1 Oct 2025 15:09:49 -0400
+Subject: [PATCH 2/2] udev/rules.d: Set default io scheduler to 'none' for
+ virtio-blk (RHEL-126748)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Use 'none' as default io scheduler for virtio-blk devices. Performance
+improvements for multi-queue setups and to reduce CPU consumption.
+ +Signed-off-by: Peter Jin +Signed-off-by: Jan Höppner +(cherry picked from commit 6ee5ffef91cb4157079fecb89bf42aa41e81e801) +--- + etc/udev/rules.d/59-virtio-blk.rules | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/etc/udev/rules.d/59-virtio-blk.rules b/etc/udev/rules.d/59-virtio-blk.rules +index 2e3c13f7..ca6e1c4d 100644 +--- a/etc/udev/rules.d/59-virtio-blk.rules ++++ b/etc/udev/rules.d/59-virtio-blk.rules +@@ -1 +1,2 @@ + SUBSYSTEM=="block", ACTION=="add", KERNEL=="vd*[!0-9]", TEST=="queue/rotational", ATTR{queue/rotational}="0" ++SUBSYSTEM=="block", ACTION=="add", KERNEL=="vd*[!0-9]", TEST=="queue/scheduler", ATTR{queue/scheduler}="none" +-- +2.51.1 + diff --git a/s390utils.spec b/s390utils.spec index 435d153..d2192bc 100644 --- a/s390utils.spec +++ b/s390utils.spec @@ -13,8 +13,8 @@ Name: s390utils Summary: Utilities and daemons for IBM z Systems -Version: 2.38.0 -Release: 2%{?dist} +Version: 2.39.0 +Release: 1%{?dist} Epoch: 2 # MIT covers nearly all the files, except init files License: MIT AND LGPL-2.1-or-later @@ -181,6 +181,7 @@ fi # move tools to searchable dir mv %{buildroot}%{_datadir}/s390-tools/netboot/mk-s390image %{buildroot}%{_bindir} +mv %{buildroot}%{_datadir}/s390-tools/netboot/mk-s390image.1 %{buildroot}%{_mandir}/man1 mkdir -p %{buildroot}{/boot,%{_udevrulesdir},%{_sysconfdir}/{profile.d,sysconfig},%{_prefix}/lib/modules-load.d} install -p -m 644 zipl/boot/tape0.bin %{buildroot}/boot/tape0 @@ -295,6 +296,7 @@ License: MIT Summary: S390 core tools Provides: s390-tools-core = %{epoch}:%{version}-%{release} Requires: coreutils +Requires: makedumpfile %{?systemd_requires} # BRs are covered via the base package @@ -370,6 +372,7 @@ This package provides minimal set of tools needed to system to boot. %{_udevrulesdir}/56-dasd.rules %{_udevrulesdir}/56-zfcp.rules %{_udevrulesdir}/59-dasd.rules +%{_udevrulesdir}/59-virtio-blk.rules %{_udevrulesdir}/60-readahead.rules %{_udevrulesdir}/81-ccw.rules %{_udevrulesdir}/81-dpm.rules 
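Review bot: The replacement downstream patch carries only the two virtio-blk udev commits (PATCH 1/2 and 2/2), so the default-off CPI behaviour for protected virtualization guests that the deleted s390utils-2.38.0-rhel.patch supplied now rests entirely on the 2.39.0 tarball. That patch was a cherry-pick of upstream commit ce9c518b977925cc4c9eb92a3e508762fd57f551, so it is presumably part of 2.39.0, but nothing in this commit shows that. It is worth confirming that `scripts/cpictl` in the new tarball still refuses to commit when `/sys/firmware/uv/prot_virt_guest` reads 1 and `--permit-cpi` / `CPI_PERMIT_ON_PVGUEST=1` is absent. Once confirmed, the changelog should record the drop, for example `- dropped CPI patch for SEL guests, now upstream (RHEL-76930)`.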
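Review bot: `Requires: makedumpfile` in the `@@ -295,6 +296,7 @@` hunk is added to what appears to be the core subpackage (`Summary: S390 core tools`), which the following hunk's header describes as the minimal set of tools needed to boot. Every install of that subpackage, including minimal images, will now pull in makedumpfile, although the changelog ties the need to zipl's ngdump support only. If the hard dependency is intended, a comment above the line would keep it from being trimmed later, e.g. `# zipl ngdump support needs makedumpfile (RHEL-114661)`. The subpackage definition starts and continues outside the hunk.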
@@ -608,9 +611,9 @@ getent group zkeyadm > /dev/null || groupadd -r zkeyadm %{_bindir}/cpacfinfo %{_bindir}/dump2tar %{_bindir}/genprotimg +%{_bindir}/mk-s390image %{_bindir}/pvapconfig %{_bindir}/pvimg -%{_bindir}/mk-s390image %{_bindir}/pvattest %{_bindir}/pvextract-hdr %{_bindir}/pvsecret @@ -642,6 +645,7 @@ getent group zkeyadm > /dev/null || groupadd -r zkeyadm %{_mandir}/man1/cpacfinfo.1* %{_mandir}/man1/dump2tar.1* %{_mandir}/man1/genprotimg.1* +%{_mandir}/man1/mk-s390image.1* %{_mandir}/man1/pvapconfig.1* %{_mandir}/man1/pvattest.1* %{_mandir}/man1/pvattest-check.1* @@ -930,6 +934,7 @@ fi %{_mandir}/man1/ts-shell.1* %{_mandir}/man7/af_iucv.7* %{_mandir}/man8/chiucvallow.8* +%{_mandir}/man8/lsiucvallow.8* %{_mandir}/man9/hvc_iucv.9* %{_unitdir}/iucvtty-login@.service %{_unitdir}/ttyrun-getty@.service @@ -1096,6 +1101,15 @@ User-space development files for the s390/s390x architecture. %changelog +* Wed Nov 19 2025 Dan Horák - 2:2.39.0-1 +- rebased to 2.39.0 (RHEL-100438) +- udev/rules.d: Set default io scheduler to 'none' for virtio-blk (RHEL-126748) +- udev/rules.d: make virtio-blk devices non-rotational (RHEL-126744) +- zipl: makedumpfile is required for ngdump support (RHEL-114661) +- libekmfweb: Fix gen of cert or CSR to use RSA not RSA-PSS (RHEL-114884) +- chpstat: Fix DPU utilization scaling in reports (RHEL-109214) +- Resolves: RHEL-100438 RHEL-126748 RHEL-126744 RHEL-114661 RHEL-114884 RHEL-109214 + * Wed Aug 13 2025 Dan Horák - 2:2.38.0-2 - cpi: Disable CPI for SEL guests by default (RHEL-76930) - Resolves: RHEL-76930 diff --git a/sources b/sources index 16b71cb..17deb64 100644 --- a/sources +++ b/sources 
@@ -1,2 +1,2 @@
-SHA512 (s390-tools-2.38.0.tar.gz) = 9ca9393e9deeab5c1df5e9eaa3c12e340917ffd5fe07d9a09087d6488d8e2ec0a136805650830d128595854b818a1da94151003e15954e556ba373b226a7369e
-SHA512 (s390-tools-2.38.0-rust-vendor.tar.xz) = c55d2870ad9f90333de2536e7921951185746f0972d5d488bf317b56e754525e4dbd0f63d547229197199b51d41b7032172b6ba7ffacd9a96a01dbd13b9c4d9e
+SHA512 (s390-tools-2.39.0.tar.gz) = ee9447f28f0cc43b4eba8110879174372a4ed85e2e53c3500e02723275c0aee01fd4913558ef3eaa62be40a0f5e634c3eb59587150e809fe14e8b4794e340ac7
+SHA512 (s390-tools-2.39.0-rust-vendor.tar.xz) = eb0cd352e8d3721ba52f79968494e72fc99b5655bbd34c359dfb98d81748a367d87854c799e5d7e88d9fef5209ce0cc5e91286a8259e3fef90e0e53a7b195a20