diff --git a/.gitignore b/.gitignore index 2e735dc..49aaa1c 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,3 @@ SOURCES/cmsfs-1.1.8c.tar.gz -SOURCES/s390-tools-2.25.0.tar.gz +SOURCES/s390-tools-2.27.0.tar.gz SOURCES/src_vipa-2.1.0.tar.gz diff --git a/.s390utils.metadata b/.s390utils.metadata index 3c07f8b..ca41b06 100644 --- a/.s390utils.metadata +++ b/.s390utils.metadata @@ -1,3 +1,3 @@ 9c9a4e89bddb2b4e6e09ef6fc7c2e6f2ad6316de SOURCES/cmsfs-1.1.8c.tar.gz -e8e0d3f651179fd14dc4a40d53a1e4ef6edaae7d SOURCES/s390-tools-2.25.0.tar.gz +ebfc228d39c55586d6b5af08682896adda6b0068 SOURCES/s390-tools-2.27.0.tar.gz 8ed8592a0a9370ce8422df9231ccb17f6cf49bed SOURCES/src_vipa-2.1.0.tar.gz diff --git a/SOURCES/cmsfs-1.1.8-kernel26.patch b/SOURCES/cmsfs-1.1.8-kernel26.patch index c045827..8147ac6 100644 --- a/SOURCES/cmsfs-1.1.8-kernel26.patch +++ b/SOURCES/cmsfs-1.1.8-kernel26.patch @@ -6,7 +6,7 @@ diff -urN cmsfs-1.1.8/cmsfssed.sh cmsfs-1.1.8_/cmsfssed.sh MODULES_DIRECTORY="/lib/modules/`uname -r`/fs" ;; - 2.4*|2.5*) -+ 2.4*|2.5*|2.6*|3.*|4.*) ++ 2.4*|2.5*|2.6*|3.*|4.*|5.*) LINUX_RELEASE="2.4" # ln -s cmsfs24x.c cmsfsvfs.c INCLUDES="-I/lib/modules/`uname -r`/build/include" diff --git a/SOURCES/s390-tools-zipl-blscfg-rpm-nvr-sort.patch b/SOURCES/s390-tools-zipl-blscfg-rpm-nvr-sort.patch index 4c55e19..59066c4 100644 --- a/SOURCES/s390-tools-zipl-blscfg-rpm-nvr-sort.patch +++ b/SOURCES/s390-tools-zipl-blscfg-rpm-nvr-sort.patch @@ -223,7 +223,7 @@ index 64eabe4..7043005 100644 + -lrpmio -lrpm objects = misc.o error.o scan.o job.o boot.o bootmap.o fs-map.o disk.o \ - bootmap_header.o envblk.o install.o zipl.o $(rootdir)/zipl/boot/data.o + bootmap_header.o envblk.o install.o zipl.o diff --git a/zipl/src/scan.c b/zipl/src/scan.c index 9352f76..3327e2d 100644 --- a/zipl/src/scan.c diff --git a/SOURCES/s390utils-2.25.0-rhel.patch b/SOURCES/s390utils-2.25.0-rhel.patch deleted file mode 100644 index 8bc5883..0000000 --- a/SOURCES/s390utils-2.25.0-rhel.patch +++ /dev/null @@ -1,205 +0,0 @@ -From 48324b579e825a30110abac0369e9d544350ead1 Mon Sep 17 00:00:00 2001 -From: Steffen Eiden -Date: Wed, 14 Dec 2022 14:25:21 +0100 -Subject: [PATCH 1/4] zdump: replace atomic refcount with atomic int - -(Atomic) refcounting was introduced in glib2.58. -We want to support v2.56 as well, so replace it with int and the atomic -operations introduced in glib 2.4. - -Fixes: https://github.com/ibm-s390-linux/s390-tools/issues/146 -Reviewed-by: Jan Hoeppner -Signed-off-by: Steffen Eiden ---- - zdump/pv_utils.c | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - -diff --git a/zdump/pv_utils.c b/zdump/pv_utils.c -index 6d9f0bb..a39bfc5 100644 ---- a/zdump/pv_utils.c -+++ b/zdump/pv_utils.c -@@ -674,7 +674,7 @@ struct _storage_state_mmap { - size_t mapped_size; - pv_tweak_component_t *tweak_components; - size_t num_tweaks; -- gatomicrefcount ref_count; -+ int ref_count; - }; - - storage_state_mmap_t *storage_state_mmap_new(const int fd, const size_t file_size, const u64 offset, -@@ -733,14 +733,14 @@ storage_state_mmap_t *storage_state_mmap_new(const int fd, const size_t file_siz - ret->tweak_components = (pv_tweak_component_t *)(ptr + in_page_offset); - ret->num_tweaks = tweak_components_cnt; - ret->mapped_size = mmapped_size; -- g_atomic_ref_count_init(&ret->ref_count); -+ ret->ref_count = 1; - return g_steal_pointer(&ret); - } - - storage_state_mmap_t *storage_state_mmap_ref(storage_state_mmap_t *storage_state) - { - g_assert(storage_state); -- g_atomic_ref_count_inc(&storage_state->ref_count); -+ g_atomic_int_inc(&storage_state->ref_count); - return storage_state; - } - -@@ -748,7 +748,7 @@ void storage_state_mmap_unref(storage_state_mmap_t *storage_state) - { - if (!storage_state) - return; -- if (storage_state->ref_count && !g_atomic_ref_count_dec(&storage_state->ref_count)) -+ if (storage_state->ref_count && !g_atomic_int_dec_and_test(&storage_state->ref_count)) - return; - if (storage_state->first_page_ptr) { - int rc = munmap(storage_state->first_page_ptr, storage_state->mapped_size); --- -2.39.1 - - -From 4007220d35a9e33186fdfe3a4b5c22cd2eea9bb9 Mon Sep 17 00:00:00 2001 -From: Steffen Eiden -Date: Wed, 14 Dec 2022 13:53:29 +0100 -Subject: [PATCH 2/4] libpv: disallow glib features from after 2.56 - -Enforce that the first glib.h include is done via glib-helper.h for libpv -so that glib version checks are in place. - -Change zdump and pvattest such that they never include glibstuff before -libpv/glib-helper.h - -Reviewed-by: Jan Hoeppner -Signed-off-by: Steffen Eiden ---- - include/libpv/glib-helper.h | 6 ++++++ - pvattest/src/common.h | 2 +- - zdump/dfi_pv_elf.c | 1 - - 3 files changed, 7 insertions(+), 2 deletions(-) - -diff --git a/include/libpv/glib-helper.h b/include/libpv/glib-helper.h -index 5d3df50..9f90b28 100644 ---- a/include/libpv/glib-helper.h -+++ b/include/libpv/glib-helper.h -@@ -18,6 +18,12 @@ - #define GLIB_VERSION_MIN_REQUIRED GLIB_VERSION_2_56 - #endif - -+#define GLIB_VERSION_MAX_ALLOWED GLIB_VERSION_2_56 -+ -+#ifdef __G_LIB_H__ -+#error "glib.h must be included via libpv/glib-helper.h" -+#endif -+ - #include - #include - #include -diff --git a/pvattest/src/common.h b/pvattest/src/common.h -index e2e3ef1..43d2ab9 100644 ---- a/pvattest/src/common.h -+++ b/pvattest/src/common.h -@@ -11,10 +11,10 @@ - /* Must be included before any other header */ - #include "config.h" - --#include - #include - - #include "libpv/glib-helper.h" -+#include - #include "libpv/macros.h" - #include "lib/zt_common.h" - -diff --git a/zdump/dfi_pv_elf.c b/zdump/dfi_pv_elf.c -index 8d1021e..9d33e8f 100644 ---- a/zdump/dfi_pv_elf.c -+++ b/zdump/dfi_pv_elf.c -@@ -21,7 +21,6 @@ - #include - #include - --#include - #include - #include - --- -2.39.1 - - -From fb01fb45bb6a9e62313e9cdb79ad5ed39471cfe7 Mon Sep 17 00:00:00 2001 -From: Marc Hartmayer -Date: Mon, 19 Dec 2022 09:51:51 +0000 -Subject: [PATCH 3/4] zgetdump/Makefile: don't use `.check_dep_zgetdump` as - linker input - -The `.check_dep_zgetdump` file is used to cache the result of the -dependency checks and should not be used as input for linking or -anything else. Let's add it as dependency for the objects file. This -shouldn't cause any problems since the Makefile rule for object files is -defined in `common.mak` as follows: - -%.o: %.c - $(CC) $(ALL_CPPFLAGS) $(ALL_CFLAGS) -c $< -o $@ - -Fixes: https://github.com/ibm-s390-linux/s390-tools/issues/147 -Fixes: 8d8d5e9746a4 ("zdump: Fix Makefile dependencies") -Signed-off-by: Marc Hartmayer -Reviewed-by: Jan Hoeppner -Signed-off-by: Jan Hoeppner ---- - zdump/Makefile | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/zdump/Makefile b/zdump/Makefile -index ca8aadc..934dc47 100644 ---- a/zdump/Makefile -+++ b/zdump/Makefile -@@ -119,7 +119,9 @@ libs = $(rootdir)/libutil/libutil.a $(LIBPV) - - all: $(BUILD_TARGETS) - --zgetdump: .check_dep_zgetdump $(OBJECTS) $(libs) -+$(OBJECTS): .check_dep_zgetdump -+ -+zgetdump: $(OBJECTS) $(libs) - - skip-zgetdump: - echo " SKIP zgetdump due to unresolved dependencies" --- -2.39.1 - - -From 1ad208c17a0edc65e6abd47b68a7d9c206faf2a6 Mon Sep 17 00:00:00 2001 -From: Ingo Franzki -Date: Fri, 20 Jan 2023 11:04:18 +0100 -Subject: [PATCH 4/4] zkey: Support EP11 host library version 4 (#2165811) -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Try to load libep11.so.4 if available, but fallback to older -library versions if not. - -Reviewed-by: Jörg Schmidbauer -Signed-off-by: Ingo Franzki -Signed-off-by: Steffen Eiden -(cherry picked from commit 6222c384958729bc4b5bad61ad38967647cc3248) ---- - zkey/ep11.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/zkey/ep11.c b/zkey/ep11.c -index 58dc3c5..8359929 100644 ---- a/zkey/ep11.c -+++ b/zkey/ep11.c -@@ -35,7 +35,7 @@ - * Definitions for the EP11 library - */ - #define EP11_LIBRARY_NAME "libep11.so" --#define EP11_LIBRARY_VERSION 3 -+#define EP11_LIBRARY_VERSION 4 - #define EP11_WEB_PAGE "http://www.ibm.com/security/cryptocards" - - /** --- -2.39.1 - diff --git a/SOURCES/s390utils-2.27.0-rhel.patch b/SOURCES/s390utils-2.27.0-rhel.patch new file mode 100644 index 0000000..ed1c8b3 --- /dev/null +++ b/SOURCES/s390utils-2.27.0-rhel.patch @@ -0,0 +1,1392 @@ +From 26251ccda8351529b8f1e8cb2aa5e73a8e9c4685 Mon Sep 17 00:00:00 2001 +From: Stefan Haberland +Date: Mon, 8 May 2023 14:52:54 +0200 +Subject: [PATCH 1/4] zdev: add support for autoquiesce related sysfs + attributes (#2196510) + +Autoquiesce is a mechanism that tells Linux to stop issuing I/Os to a +specific DASD after certain events. + +Add support for configuring related DASD device attributes +that govern the following aspects of autoquiesce: + +aq_mask - Configure which events lead to autoquiesce. +aq_requeue - Configure if autoquiesce will requeue all I/O to blocklayer. +aq_timeouts - Configure the number of timeouts before autoquiesce. + +Signed-off-by: Stefan Haberland +Reviewed-by: Peter Oberparleiter +Signed-off-by: Steffen Eiden +(cherry picked from commit 493af760ed47454f5719f05a6e6316f43a3be98a) +--- + zdev/src/dasd.c | 65 +++++++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 65 insertions(+) + +diff --git a/zdev/src/dasd.c b/zdev/src/dasd.c +index f9fd231..4330229 100644 +--- a/zdev/src/dasd.c ++++ b/zdev/src/dasd.c +@@ -344,6 +344,68 @@ static struct attrib dasd_attr_fc_security = { + .readonly = 1, + }; + ++static struct attrib dasd_attr_aq_mask = { ++ .name = "aq_mask", ++ .title = "Specify autoquiesce triggers", ++ .desc = ++ "Use the aq_mask attribute to automatically quiesce a device and block\n" ++ "new I/O after certain events.\n" ++ "\n" ++ "The value is a bitmask in decimal or hexadecimal format where each set bit\n" ++ "indicates that the associated event shown in the table below triggers an\n" ++ "autoquiesce.\n" ++ " Bit 0 is not used.\n" ++ " 1 - 0x02 - A terminal I/O error occurred\n" ++ " 2 - 0x04 - No active channel paths remain for the device\n" ++ " 3 - 0x08 - A state change interrupt occurred\n" ++ " 4 - 0x10 - The device is PPRC suspended\n" ++ " 5 - 0x20 - No space is left on an ESE device\n" ++ " 6 - 0x40 – The number of timeouts specified in aq_timeouts is reached\n" ++ " 7 - 0x80 - I/O was not started because of an error in the start function\n" ++ "\n" ++ "For example bits 1,3 and 5 set (0010 1010) lead to an integer value of 42\n" ++ "or 0x2A.\n" ++ "An integer value of 0 turns off the autoquiesce function.\n", ++ .order_cmp = ccw_online_only_order_cmp, ++ .check = ccw_online_only_check, ++ .defval = "0", ++ /* ++ * Currently only 8 bits are defined and the max value is 255. ++ * This needs to be adjusted if more bits are defined. ++ */ ++ .accept = ACCEPT_ARRAY(ACCEPT_RANGE(0, 255)), ++}; ++ ++static struct attrib dasd_attr_aq_requeue = { ++ .name = "aq_requeue", ++ .title = "Control I/O requeing during autoquiesce", ++ .desc = ++ "Use the aq_requeue attribute to control whether outstanding I/O\n" ++ "operations to the blocklayer should be automatically requeued after\n" ++ "an autoquiesce event.\n" ++ "Valid values are 1 for requeuing, or 0 for no requeueing.\n" ++ "Requeing the I/O requests to the blocklayer might benefit I/O\n" ++ "in case of a copy_pair swap operation.\n", ++ .order_cmp = ccw_online_only_order_cmp, ++ .check = ccw_online_only_check, ++ .defval = "0", ++ .accept = ACCEPT_ARRAY(ACCEPT_RANGE(0, 1)), ++}; ++ ++static struct attrib dasd_attr_aq_timeouts = { ++ .name = "aq_timeouts", ++ .title = "Specify timeout retry threshold", ++ .desc = ++ "Specify the number of sequential timeout events for an I/O operation\n" ++ "before an autoquiesce is triggered on a device.\n" ++ "This requires that the corresponding trigger bit 6 is set\n" ++ "in the aq_mask attribute.\n", ++ .order_cmp = ccw_online_only_order_cmp, ++ .check = ccw_online_only_check, ++ .defval = "32768", ++ .accept = ACCEPT_ARRAY(ACCEPT_RANGE(0, 32768)), ++}; ++ + /* + * DASD subtype methods. + */ +@@ -725,6 +787,9 @@ struct subtype dasd_subtype_eckd = { + &dasd_attr_safe_offline, + &dasd_attr_fc_security, + &dasd_attr_copy_pair, ++ &dasd_attr_aq_mask, ++ &dasd_attr_aq_requeue, ++ &dasd_attr_aq_timeouts, + &internal_attr_early, + ), + .unknown_dev_attribs = 1, +-- +2.41.0 + + +From d26696e5bfbc0c95b9ca70c3bd4b8fff0e36e38f Mon Sep 17 00:00:00 2001 +From: Harald Freudenberger +Date: Wed, 17 May 2023 11:43:08 +0200 +Subject: [PATCH 2/4] lszcrypt: Support for SE AP pass-through support + (#2110510) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This patch adds support for Secure Execution with AP pass-through +support for lszcrypt. + +lszcrypt details: +* extension to -b: list AP bus features +* extension to -c: now also valid for queue devices, shows + bind and assoicate state in SE environment; + shows MK states (only for current MKs). +* extension to -V: new column SESTAT within an SE guest, shows text + for the BS bits within an SE environment: + "usable", "bond", "avail", "unuse". + +Signed-off-by: Harald Freudenberger +Reviewed-by: Holger Dengler +Signed-off-by: Jan Höppner +(cherry picked from commit f821f31a51e395c0d0b048413360eeff92eaee9c) +--- + zconf/zcrypt/lszcrypt.8 | 195 +++++++++++++++++++++++++--------------- + zconf/zcrypt/lszcrypt.c | 136 ++++++++++++++++++++++++---- + zconf/zcrypt/misc.c | 38 +++++++- + zconf/zcrypt/misc.h | 3 +- + 4 files changed, 278 insertions(+), 94 deletions(-) + +diff --git a/zconf/zcrypt/lszcrypt.8 b/zconf/zcrypt/lszcrypt.8 +index e1de2e9..536a3e3 100644 +--- a/zconf/zcrypt/lszcrypt.8 ++++ b/zconf/zcrypt/lszcrypt.8 +@@ -1,6 +1,6 @@ + .\" lszcrypt.8 + .\" +-.\" Copyright IBM Corp. 2019, 2022 ++.\" Copyright IBM Corp. 2019, 2023 + .\" s390-tools is free software; you can redistribute it and/or modify + .\" it under the terms of the MIT license. See LICENSE for details. + .\" +@@ -10,7 +10,7 @@ + .\" nroff -man lszcrypt.8 + .\" to process this source + .\" +-.TH LSZCRYPT 8 "FEB 2022" "s390-tools" ++.TH LSZCRYPT 8 "MAY 2023" "s390-tools" + .SH NAME + lszcrypt \- display zcrypt device and configuration information + .SH SYNOPSIS +@@ -24,7 +24,7 @@ lszcrypt \- display zcrypt device and configuration information + .TP + .B lszcrypt + .B -c +- ++ + .TP + .B lszcrypt -b + .TP +@@ -41,43 +41,60 @@ lszcrypt \- display zcrypt device and configuration information + .SH DESCRIPTION + The + .B lszcrypt +-command is used to display information about cryptographic devices managed by +-zcrypt and the AP bus attributes of zcrypt. Displayed information depends on the +-kernel version. ++command is used to display information about cryptographic devices ++managed by zcrypt and the AP bus attributes of zcrypt. Displayed ++information depends on the kernel version. + .B lszcrypt + requires that sysfs is mounted. + .P + The following information can be displayed for each cryptographic + device: card ID, domain ID, card type (symbolic), mode, online status, +-hardware card type (numeric), installed function facilities, card capability, +-hardware queue depth, request count, number of requests in hardware queue, and +-the number of outstanding requests. +-The following AP bus attributes can be displayed: AP domain, Max AP domain, +-configuration timer, poll thread status, poll timeout, and AP interrupt +-status. ++hardware card type (numeric), installed function facilities, card ++capability, hardware queue depth, request count, number of requests in ++hardware queue, and the number of outstanding requests. The following ++AP bus attributes can be displayed: AP domain, Max AP domain, ++configuration timer, poll thread status, poll timeout, and AP ++interrupt status. + .SH OPTIONS + .TP 8 + .B -V, --verbose +-The verbose level for cryptographic device information. +-With this verbose level additional information like hardware card type, +-hardware queue depth, pending requests count, installed function +-facilities and driver binding is displayed. ++The verbose level for cryptographic device information. With this ++verbose level additional information like hardware card type, hardware ++queue depth, pending requests count, installed function facilities and ++driver binding is displayed. + .TP 8 + .B +-Specifies a cryptographic device to display. A cryptographic device can be +-either a card device or a queue device. If no devices are specified information +-about all available devices is displayed. ++Specifies a cryptographic device to display. A cryptographic device ++can be either a card device or a queue device. If no devices are ++specified information about all available devices is displayed. + Please note that the card device representation and the queue device + are both in hexadecimal notation. + .TP 8 + .B -b, --bus + Displays the AP bus attributes and exits. ++ ++There is also a list of AP bus features shown here: ++.RS ++.IP "o" 3 ++APSC - Extended TAPQ (Test AP Queue) support. ++.IP "o" ++APXA - Support for more than 16 domains per card. ++.IP "o" ++QACT - QACT support for toleration of new unknown crypto cards. ++.IP "o" ++RC8A - Firmware reports 0x8A instead of 0x42 on some error conditions. ++.IP "o" ++APSB - AP bus has Secure Execution AP pass-through support. ++.RE + .TP 8 +-.B -c, --capability +-Shows the capabilities of a cryptographic card device of hardware type 6 or +-higher. The card device id value may be given as decimal or hex value (with +-a leading 0x). The capabilities of a cryptographic card device depend on +-the card type and the installed function facilities. A cryptographic card ++.B -c, --capability ++Shows the capabilities of a cryptographic card or queue device of ++hardware type 6 or higher. A card device id value may be given as ++decimal or hex value (with a leading 0x), a queue device needs to be ++given as xy.abcd (as it is displayed by lszcrypt). ++ ++The capabilities of a cryptographic card device depend on the card ++type and the installed function facilities. A cryptographic card + device can provide one or more of the following capabilities: + .RS + .IP "o" 3 +@@ -94,14 +111,25 @@ Long RNG + + .RS 8 + The CCA Secure Key capability may be limited by a hypervisor +-layer. The remarks 'full function set' or 'restricted function set' may +-reflect this. For details about these limitations please check the ++layer. The remarks 'full function set' or 'restricted function set' ++may reflect this. For details about these limitations please check the + hypervisor documentation. + .RE ++ ++.RS 8 ++The capabilities of a cryptographic queue device may vary depending ++on some state or environment. However if a queue device is given here, ++and the runtime environment is a KVM guest in Secure Execution mode ++with AP pass-through support, then the AP queue bind state and AP ++queue association state is shown here. Furthermore the state(s) and ++mkvp(s) (Master Key Verification Pattern) of the current master WK ++(Wrapping Key - EP11 mode) or current master AES, APKA and ASYM (CCA ++mode) are shown here. ++.RE + .TP 8 + .B -d, --domains +-Shows the usage and control domains of the cryptographic devices. +-The displayed domains of the cryptographic device depends on the initial ++Shows the usage and control domains of the cryptographic devices. The ++displayed domains of the cryptographic device depends on the initial + cryptographic configuration. + .RS + .IP "o" 3 +@@ -140,18 +168,20 @@ Here is an explanation of the columns displayed. Please note that some + of the columns show up in verbose mode only. + .TP + .B CARD.DOM +-The crypto card number in hexadecimal for a crypto card line or +-the crypto card number and the domain id both in hex separated by a single ++The crypto card number in hexadecimal for a crypto card line or the ++crypto card number and the domain id both in hex separated by a single + dot for a queue line. + .TP + .B TYPE and HWTYPE +-The HWTYPE is a numeric value showing which type of hardware the zcrypt +-device driver presumes that this crypto card is. The currently known values +-are 7=CEX3C, 8=CEX3A, 10=CEX4, 11=CEX5, 12=CEX6, 13=CEX7 and 14=CEX8. ++The HWTYPE is a numeric value showing which type of hardware the ++zcrypt device driver presumes that this crypto card is. The currently ++known values are 7=CEX3C, 8=CEX3A, 10=CEX4, 11=CEX5, 12=CEX6, 13=CEX7 ++and 14=CEX8. + .br +-The TYPE is a human readable value showing the hardware type and the basic +-function type (A=Accelerator, C=CCA Coprocessor, P=EP11 Coprocessor). So +-for example CEX6P means a CEX6 card in EP11 Coprocessor mode. ++The TYPE is a human readable value showing the hardware type and the ++basic function type (A=Accelerator, C=CCA Coprocessor, P=EP11 ++Coprocessor). So for example CEX6P means a CEX6 card in EP11 ++Coprocessor mode. + .TP + .B MODE + A crypto card can be configured to run into one of 3 modes: +@@ -170,13 +200,13 @@ online/offline state is kept by the zcrypt device driver and can be + switched on or off with the help of the chzcrypt application. + .br + A crypto card can also be 'configured' or 'deconfigured'. This state +-may be adjusted on the HMC or SE. The chzcrypt application can also +-trigger this state with the --config-on and --config-off options. ++may be adjusted on the HMC. The chzcrypt application can also trigger ++this state with the --config-on and --config-off options. + .br + lszcrypt shows 'online' when a card or queue is available for + cryptographic operations. 'offline' is displayed when a card or queue + is switched to (software) offline. If a card is 'deconfigured' via +-HMC, SE or chzcrypt the field shows 'deconfig'. ++HMC or chzcrypt the field shows 'deconfig'. + .br + A crypto card may also reach a 'checkstopped' state. lszcrypt shows + this as 'chkstop'. +@@ -184,21 +214,22 @@ this as 'chkstop'. + If a queue is not bound to a device driver there is no detailed + information available and thus the status shows only '-'. + .br +-If a queue is bound to the vfio-ap device driver it is up to this driver +-to give some status information and what exactly this means. So lszcrypt +-shows the text retrieved from the underlying sysfs attribute here. ++If a queue is bound to the vfio-ap device driver it is up to this ++driver to give some status information and what exactly this means. So ++lszcrypt shows the text retrieved from the underlying sysfs attribute ++here. + .TP + .B REQUESTS +-This is the counter value of successful processed requests on card or queue +-level. Successful here means the request was processed without any failure +-in the whole processing chain. ++This is the counter value of successful processed requests on card or ++queue level. Successful here means the request was processed without ++any failure in the whole processing chain. + .TP + .B PENDING +-The underlying firmware and hardware layer usually provide some queuing +-space for requests. When this queue is already filled up, the zcrypt device +-driver maintains a software queue of pending requests. The sum of these +-both values is displayed here and shows the amount of requests waiting for +-processing on card or queue level. ++The underlying firmware and hardware layer usually provide some ++queuing space for requests. When this queue is already filled up, the ++zcrypt device driver maintains a software queue of pending ++requests. The sum of these both values is displayed here and shows the ++amount of requests waiting for processing on card or queue level. + .TP + .B FUNCTIONS + This column shows firmware and hardware function details: +@@ -224,48 +255,64 @@ F - Full function support (opposed to restricted function support, see below). + .br + R - Restricted function support. The F and R flag both reflect if a + hypervisor is somehow restricting this crypto resource in a virtual +-environment. Dependent on the hypervisor configuration the crypto requests +-may be filtered by the hypervisor to allow only a subset of functions +-within the virtual runtime environment. For example a shared CCA +-Coprocessor may be restricted by the hypervisor to allow only clear key +-operations within the guests. ++environment. Dependent on the hypervisor configuration the crypto ++requests may be filtered by the hypervisor to allow only a subset of ++functions within the virtual runtime environment. For example a shared ++CCA Coprocessor may be restricted by the hypervisor to allow only ++clear key operations within the guests. + .TP + .B DRIVER + .br + Shows which card or queue device driver currently handles this crypto + resource. Currently known drivers are cex4card/cex4queue (CEX4-CEX8 + hardware), cex2card/cex2cqueue (CEX2C and CEX3C hardware), +-cex2acard/cex2aqueue (CEX2A and CEX3A hardware) and vfio_ap (queue reserved +-for use by kvm hypervisor for kvm guests and not accessible to host +-applications). It is also valid to have no driver handling a queue which is +-shown as a -no-driver- entry. ++cex2acard/cex2aqueue (CEX2A and CEX3A hardware) and vfio_ap (queue ++reserved for use by KVM hypervisor for KVM guests and not accessible ++to host applications). It is also valid to have no driver handling a ++queue which is shown as a -no-driver- entry. ++.TP ++.B SESTAT ++.br ++Shows the state of the BS bits associated with every AP queue within a ++Secure Execution guest when AP Pass-through support is available: ++.br ++usable - AP queue is usable for crypto load. ++.br ++bound - AP queue is bound but not yet associated. ++.br ++unbound - AP queue is unbound and needs to get bound to this Secure ++Execution guest. ++.br ++illicit - AP queue is not available for this Secure Execution guest. + .SH NOTES +-Use only one of the mode filtering options --accelonly, --ccaonly, --ep11only. +-Same with card/queue filtering: Use only one of --cardonly, --queueonly. +-However, one of the mode filtering options and one of the card/queue filtering +-can be combined. ++Use only one of the mode filtering options --accelonly, --ccaonly, ++--ep11only. Same with card/queue filtering: Use only one of ++--cardonly, --queueonly. However, one of the mode filtering options ++and one of the card/queue filtering can be combined. + .SH EXAMPLES + .TP + .B lszcrypt +-Displays the card/domain ID, card type (short name), mode (long name), online +-status and request count of all available cryptographic devices. ++Displays the card/domain ID, card type (short name), mode (long name), ++online status and request count of all available cryptographic ++devices. + .TP + .B lszcrypt 1 3 5 +-Displays the card/domain ID, card type, mode, online status and request count +-for cryptographic devices 1, 3, and 5. ++Displays the card/domain ID, card type, mode, online status and ++request count for cryptographic devices 1, 3, and 5. + .TP + .B lszcrypt -V 3 7 11 +-Displays the card/domain ID, card type, mode, online status, request count, +-number of requests in the hardware queue, number of outstanding requests and +-installed function facilities for cryptographic devices 3, 7 and 17 (0x11). ++Displays the card/domain ID, card type, mode, online status, request ++count, number of requests in the hardware queue, number of outstanding ++requests and installed function facilities for cryptographic devices ++3, 7 and 17 (0x11). + .TP + .B lszcrypt 10.0038 +-Displays information of the cryptographic device '10.0038' respectively card +-id 16 (0x10) with domain 56 (0x38). ++Displays information of the cryptographic device '10.0038' ++respectively card id 16 (0x10) with domain 56 (0x38). + .TP + .B lszcrypt .0038 +-Displays information of all available queue devices (potentially multiple +-adapters) with domain 56 (0x38). ++Displays information of all available queue devices (potentially ++multiple adapters) with domain 56 (0x38). + .TP + .B lszcrypt -b + Displays AP bus information. +diff --git a/zconf/zcrypt/lszcrypt.c b/zconf/zcrypt/lszcrypt.c +index 43a3c39..09de77e 100644 +--- a/zconf/zcrypt/lszcrypt.c ++++ b/zconf/zcrypt/lszcrypt.c +@@ -1,7 +1,7 @@ + /** + * lszcrypt - Display zcrypt devices and configuration settings + * +- * Copyright IBM Corp. 2008, 2022 ++ * Copyright IBM Corp. 2008, 2023 + * + * s390-tools is free software; you can redistribute it and/or modify + * it under the terms of the MIT license. See LICENSE for details. +@@ -55,7 +55,7 @@ static struct lszcrypt_l { + #define MASK_COPRO 0x10000000 + #define MASK_ACCEL 0x08000000 + #define MASK_EP11 0x04000000 +-#define MASK_HSL 0x01000000 ++#define MASK_HSL 0x01000000 + + /* + * Classification +@@ -85,6 +85,8 @@ static struct fac_bits_s { + { 0x00400000, 'R' }, /* bit 9, restricted function set */ + }; + ++#define EXTRACT_BS_BITS(f) (((f) & 0x0000c000UL) >> 14) ++ + /* + * Program configuration + */ +@@ -95,7 +97,7 @@ static const struct util_prg prg = { + { + .owner = "IBM Corp.", + .pub_first = 2008, +- .pub_last = 2020, ++ .pub_last = 2023, + }, + UTIL_PRG_COPYRIGHT_END + } +@@ -169,8 +171,9 @@ static struct util_opt opt_vec[] = { + static void show_bus(void) + { + long domain, max_domain, config_time, value; +- unsigned long long poll_timeout; + const char *poll_thread, *ap_interrupts; ++ unsigned long long poll_timeout; ++ char features[256]; + char *ap; + + /* check if ap driver is available */ +@@ -178,6 +181,10 @@ static void show_bus(void) + if (!util_path_is_dir(ap)) + errx(EXIT_FAILURE, "Crypto device driver not available."); + ++ if (util_path_is_readable("%s/features", ap)) ++ util_file_read_line(features, sizeof(features), "%s/features", ap); ++ else ++ features[0] = '\0'; + util_file_read_l(&domain, 10, "%s/ap_domain", ap); + util_file_read_l(&max_domain, 10, "%s/ap_max_domain_id", ap); + util_file_read_l(&config_time, 10, "%s/config_time", ap); +@@ -192,6 +199,8 @@ static void show_bus(void) + ap_interrupts = "enabled"; + else + ap_interrupts = "disabled"; ++ if (features[0]) ++ printf("features: %s\n", features); + printf("ap_domain=0x%lx\n", domain); + printf("ap_max_domain_id=0x%lx\n", max_domain); + if (util_path_is_reg_file("%s/ap_interrupts", ap)) +@@ -374,23 +383,15 @@ next: + } + + /* +- * Show capability ++ * Show card capability + */ +-static void show_capability(const char *id_str) ++static void show_card_capability(int id) + { + unsigned long func_val; +- long hwtype, id, max_msg_size; +- char *p, *ap, *dev, card[16], cbuf[256]; +- +- /* check if ap driver is available */ +- ap = util_path_sysfs("bus/ap"); +- if (!util_path_is_dir(ap)) +- errx(EXIT_FAILURE, "Crypto device driver not available."); ++ long hwtype, max_msg_size; ++ char *dev, card[16], cbuf[256]; + +- id = strtol(id_str, &p, 0); +- if (id < 0 || id > 255 || p == id_str || *p != '\0') +- errx(EXIT_FAILURE, "Error - '%s' is an invalid cryptographic device id.", id_str); +- snprintf(card, sizeof(card), "card%02lx", id); ++ snprintf(card, sizeof(card), "card%02x", id); + dev = util_path_sysfs("devices/ap/%s", card); + if (!util_path_is_dir(dev)) + errx(EXIT_FAILURE, "Error - cryptographic device %s does not exist.", card); +@@ -464,6 +465,78 @@ static void show_capability(const char *id_str) + card, hwtype); + break; + } ++ ++ free(dev); ++} ++ ++/* ++ * Show queue capability ++ */ ++static void show_queue_capability(int id, int dom) ++{ ++ char *dev, card[16], queue[16], buf[256]; ++ ++ snprintf(card, sizeof(card), "card%02x", id); ++ snprintf(queue, sizeof(queue), "%02x.%04x", id, dom); ++ dev = util_path_sysfs("devices/ap/%s/%s", card, queue); ++ if (!util_path_is_dir(dev)) ++ errx(EXIT_FAILURE, "Error - cryptographic queue device %02x.%04x does not exist.", ++ id, dom); ++ ++ printf("queue %02x.%04x capabilities:\n", id, dom); ++ ++ if (util_path_is_reg_file("%s/se_bind", dev)) { ++ util_file_read_line(buf, sizeof(buf), "%s/se_bind", dev); ++ printf("SE bind state: %s\n", buf); ++ } ++ if (util_path_is_reg_file("%s/se_associate", dev)) { ++ util_file_read_line(buf, sizeof(buf), "%s/se_associate", dev); ++ printf("SE association state: %s\n", buf); ++ } ++ if (util_path_is_reg_file("%s/mkvps", dev)) { ++ char *mkvps = util_path_sysfs("devices/ap/%s/%s/mkvps", card, queue); ++ FILE *f = fopen(mkvps, "r"); ++ ++ if (!f) ++ errx(EXIT_FAILURE, "Error - failed to open sysfs file %s.", ++ mkvps); ++ while (fgets(buf, sizeof(buf), f)) { ++ if (strstr(buf, "WK CUR") || ++ strstr(buf, "AES CUR") || ++ strstr(buf, "APKA CUR") || ++ strstr(buf, "ASYM CUR")) ++ printf("MK %s", buf); /* no newline here */ ++ } ++ fclose(f); ++ free(mkvps); ++ } ++ ++ free(dev); ++} ++ ++/* ++ * Show capability ++ */ ++static void show_capability(const char *id_str) ++{ ++ char *p, *ap; ++ int id, dom; ++ ++ /* check if ap driver is available */ ++ ap = util_path_sysfs("bus/ap"); ++ if (!util_path_is_dir(ap)) ++ errx(EXIT_FAILURE, "Crypto device driver not available."); ++ ++ if (sscanf(id_str, "%x.%x", &id, &dom) == 2) { ++ show_queue_capability(id, dom); ++ } else { ++ id = strtol(id_str, &p, 0); ++ if (id < 0 || id > 255 || p == id_str || *p != '\0') ++ errx(EXIT_FAILURE, ++ "Error - '%s' is an invalid cryptographic device id.", ++ id_str); ++ show_card_capability(id); ++ } + } + + /* +@@ -601,11 +674,33 @@ static void read_subdev_rec_verbose(struct util_rec *rec, const char *grp_dev, + util_file_read_l(&depth, 10, "%s/depth", grp_dev); + util_rec_set(rec, "depth", "%02d", depth + 1); + +- util_file_read_ul(&facility, 16, "%s/ap_functions", grp_dev); ++ if (util_path_is_readable("%s/%s/ap_functions", grp_dev, sub_dev)) ++ util_file_read_ul(&facility, 16, "%s/%s/ap_functions", grp_dev, sub_dev); ++ else ++ util_file_read_ul(&facility, 16, "%s/ap_functions", grp_dev); + for (i = 0; i < MAX_FAC_BITS; i++) + buf[i] = facility & fac_bits[i].mask ? fac_bits[i].c : '-'; + buf[i] = '\0'; + util_rec_set(rec, "facility", buf); ++ ++ if (ap_bus_has_SB_support()) { ++ switch (EXTRACT_BS_BITS(facility)) { ++ case 0: ++ util_rec_set(rec, "sestat", "usable"); ++ break; ++ case 1: ++ util_rec_set(rec, "sestat", "bound"); ++ break; ++ case 2: ++ util_rec_set(rec, "sestat", "unbound"); ++ break; ++ case 3: ++ util_rec_set(rec, "sestat", "illicit"); ++ break; ++ default: ++ util_rec_set(rec, "sestat", "-"); ++ } ++ } + } + + /* +@@ -750,6 +845,9 @@ static void read_rec_verbose(struct util_rec *rec, const char *grp_dev) + + i = read_driver(grp_dev, NULL, buf, sizeof(buf)); + util_rec_set(rec, "driver", i > 0 ? buf : "-no-driver-"); ++ ++ if (ap_bus_has_SB_support()) ++ util_rec_set(rec, "sestat", "-"); + } + + /* +@@ -818,6 +916,8 @@ static void define_rec_verbose(struct util_rec *rec) + util_rec_def(rec, "depth", UTIL_REC_ALIGN_RIGHT, 6, "QDEPTH"); + util_rec_def(rec, "facility", UTIL_REC_ALIGN_LEFT, 10, "FUNCTIONS"); + util_rec_def(rec, "driver", UTIL_REC_ALIGN_LEFT, 11, "DRIVER"); ++ if (ap_bus_has_SB_support()) ++ util_rec_def(rec, "sestat", UTIL_REC_ALIGN_LEFT, 11, "SESTAT"); + } + + /* +diff --git a/zconf/zcrypt/misc.c b/zconf/zcrypt/misc.c +index 4296cb1..05913d6 100644 +--- a/zconf/zcrypt/misc.c ++++ b/zconf/zcrypt/misc.c +@@ -1,16 +1,20 @@ + /* + * Misc - Local helper functions + * +- * Copyright IBM Corp. 2016, 2017 ++ * Copyright IBM Corp. 2016, 2023 + * + * s390-tools is free software; you can redistribute it and/or modify + * it under the terms of the MIT license. See LICENSE for details. + */ + + #include ++#include + #include + ++#include "lib/util_base.h" ++#include "lib/util_file.h" + #include "lib/util_panic.h" ++#include "lib/util_path.h" + #include "misc.h" + + /** +@@ -35,3 +39,35 @@ bool misc_regex_match(const char *str, const char *regex) + regfree(&preg); + return rc == 0 ? true : false; + } ++ ++/** ++ * Test if AP bus has SB support available. ++ * ++ * @returns true Yes, SB support is available ++ * false No ++ */ ++bool ap_bus_has_SB_support(void) ++{ ++ static int sb_support = -1; ++ ++ if (sb_support < 0) { ++ char *ap, buf[256]; ++ ++ ap = util_path_sysfs("bus/ap"); ++ if (!util_path_is_dir(ap)) { ++ sb_support = 0; ++ } else { ++ if (!util_path_is_readable("%s/features", ap)) { ++ sb_support = 0; ++ } else { ++ util_file_read_line(buf, sizeof(buf), ++ "%s/features", ap); ++ if (strstr(buf, "APSB")) ++ sb_support = 1; ++ } ++ } ++ free(ap); ++ } ++ ++ return sb_support > 0 ? true : false; ++} +diff --git a/zconf/zcrypt/misc.h b/zconf/zcrypt/misc.h +index 502a687..92cf453 100644 +--- a/zconf/zcrypt/misc.h ++++ b/zconf/zcrypt/misc.h +@@ -1,7 +1,7 @@ + /* + * misc - Local helper functions + * +- * Copyright IBM Corp. 2016, 2017 ++ * Copyright IBM Corp. 2016, 2023 + * + * s390-tools is free software; you can redistribute it and/or modify + * it under the terms of the MIT license. See LICENSE for details. +@@ -13,5 +13,6 @@ + #include + + bool misc_regex_match(const char *str, const char *regex); ++bool ap_bus_has_SB_support(void); + + #endif /* MISC_H */ +-- +2.41.0 + + +From 4b8726135731ee039d8eb33566bfa051b66b7bfb Mon Sep 17 00:00:00 2001 +From: Harald Freudenberger +Date: Wed, 17 May 2023 13:13:09 +0200 +Subject: [PATCH 3/4] chzcrypt: Support for SE bind, unbind and associate + (#2110510) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This patch adds support for Secure Execution with AP pass-through +support for chzcrypt. + +chzcrypt details: +* new command: --se-associate +* new command: --se-bind +* new command: --se-unbind + +Signed-off-by: Harald Freudenberger +Reviewed-by: Holger Dengler +Signed-off-by: Jan Höppner +(cherry picked from commit e35e73d2a3f60d43b109168cc37f9c43bc35b0a4) +--- + zconf/zcrypt/chzcrypt.8 | 72 +++++++---- + zconf/zcrypt/chzcrypt.c | 278 +++++++++++++++++++++++++++++++++++++--- + 2 files changed, 310 insertions(+), 40 deletions(-) + +diff --git a/zconf/zcrypt/chzcrypt.8 b/zconf/zcrypt/chzcrypt.8 +index a73ff27..94e32fb 100644 +--- a/zconf/zcrypt/chzcrypt.8 ++++ b/zconf/zcrypt/chzcrypt.8 +@@ -1,10 +1,16 @@ + .\" chzcrypt.8 + .\" +-.\" Copyright 2020 IBM Corp. ++.\" Copyright 2020, 2023 IBM Corp. + .\" s390-tools is free software; you can redistribute it and/or modify + .\" it under the terms of the MIT license. See LICENSE for details. + .\" +-.TH CHZCRYPT 8 "OCT 2020" "s390-tools" ++.\" use ++.\" groff -man -Tutf8 chzcrypt.8 ++.\" or ++.\" nroff -man chzcrypt.8 ++.\" to process this source ++.\" ++.TH CHZCRYPT 8 "MAY 2023" "s390-tools" + .SH NAME + chzcrypt \- modify zcrypt configuration + .SH SYNOPSIS +@@ -46,8 +52,8 @@ chzcrypt \- modify zcrypt configuration + .SH DESCRIPTION + The + .B chzcrypt +-command is used to configure cryptographic devices managed by zcrypt and +-modify zcrypt's AP bus attributes. ++command is used to configure cryptographic devices managed by zcrypt ++and modify zcrypt's AP bus attributes. + + Attributes may vary depending on the kernel + version. +@@ -70,19 +76,6 @@ Set the given cryptographic card device(s) config on ('configured'). + .B --config-off + Set the given cryptographic card device(s) config off ('deconfigured'). + .TP 8 +-.B +-Specifies a cryptographic device which will be set either online or +-offline or configured on or off. For online and offline the device can +-either be a card device or a queue device. A queue device can only get +-switched online when the providing card is online. +-.br +-For config on/off the device needs to be a card device. A card or +-queue device cannot get switched online if the card is in deconfigured +-state. +-.br +-Please note that the card device and queue device representation are both +-in hexadecimal notation. +-.TP 8 + .B -p, --poll-thread-enable + Enable zcrypt's poll thread. + .TP 8 +@@ -94,15 +87,28 @@ Set configuration timer for re-scanning the AP bus to + .I + seconds. + .TP 8 ++.B --se-associate ++Associate the given queue device with the given association ++index. This command is only valid within an Secure Execution guest ++with AP pass-through support enabled. ++.TP 8 ++.B --se-bind ++Bind the given queue device. This command is only valid within an ++Secure Execution guest with AP pass-through support enabled. ++.TP 8 ++.B --se-unbind ++Unbind the given queue device. This command is only valid within an ++Secure Execution guest with AP pass-through support enabled. ++.TP 8 + .BI "-t, --poll-timeout" " " + Set poll timer to run poll tasklet all + .I + nanoseconds. + .TP 8 + .BI "-q, --default-domain" " " +-Set the new default domain of the AP bus to . +-The number of available domains can be retrieved with the lszcrypt +-command ('-d' option). ++Set the new default domain of the AP bus to . The number of ++available domains can be retrieved with the lszcrypt command ('-d' ++option). + .TP 8 + .B -V, --verbose + Print verbose messages. +@@ -112,6 +118,22 @@ Print help text and exit. + .TP 8 + .B -v, --version + Print version information and exit. ++.TP 8 ++.B ++Specifies a cryptographic device which will be set either online or ++offline or configured on or off. For online and offline the device can ++either be a card device or a queue device. A queue device can only get ++switched online when the providing card is online. ++.br ++For config on/off the device needs to be a card device. A card or ++queue device cannot get switched online if the card is in deconfigured ++state. ++.br ++Please note that the card device and queue device representation are ++both in hexadecimal notation. ++.TP 8 ++.B ++An APQN queue device given as xy.abcd as it is listed by lszcrypt -V. + .SH EXAMPLES + .TP + .B chzcrypt -e 0 1 12 +@@ -131,8 +153,8 @@ Set all available crypto cards to config on, be verbose. + Switch the two crypto cards 1 and 3 to deconfigured, be verbose. + .TP + .B chzcrypt -c 60 -n +-Will set configuration timer for re-scanning the AP bus to 60 seconds and +-disable zcrypt's poll thread. ++Will set configuration timer for re-scanning the AP bus to 60 seconds ++and disable zcrypt's poll thread. + .TP + .B chzcrypt -q 67 + Will set the default domain to 67. +@@ -144,5 +166,11 @@ chzcrypt exits with an appropriate message. Even more config on/off + may require support from a hypervisor like KVM or zVM and may fail if + the Linux kernel is unable to perform the SCLP command. Check syslog + on failure. ++.TP ++Bind, associate and unbind command on an queue device are only ++available and valid within an Secure Execution environment with AP ++pass-through enabled and a Linux kernel providing the low level sysfs ++API. If these conditions are not fulfilled, the command will fail with ++an appropriate error messages. + .SH SEE ALSO + \fBlszcrypt\fR(8) +diff --git a/zconf/zcrypt/chzcrypt.c b/zconf/zcrypt/chzcrypt.c +index 68b36a5..b04bcfa 100644 +--- a/zconf/zcrypt/chzcrypt.c ++++ b/zconf/zcrypt/chzcrypt.c +@@ -1,7 +1,7 @@ + /* + * chzcrypt - Tool to modify zcrypt configuration + * +- * Copyright IBM Corp. 2008, 2020 ++ * Copyright IBM Corp. 2008, 2023 + * + * s390-tools is free software; you can redistribute it and/or modify + * it under the terms of the MIT license. See LICENSE for details. +@@ -28,6 +28,12 @@ + + #include "misc.h" + ++/* max seconds the se-association command will wait for completion */ ++#define MAX_ASSOC_POLL_TIME_IN_S 30 ++ ++/* max seconds the se-unbind command will wait for unbind complete */ ++#define MAX_UNBIND_POLL_TIME_IN_S 30 ++ + /* + * Private data + */ +@@ -45,7 +51,7 @@ static const struct util_prg prg = { + { + .owner = "IBM Corp.", + .pub_first = 2008, +- .pub_last = 2020, ++ .pub_last = 2023, + }, + UTIL_PRG_COPYRIGHT_END + } +@@ -57,6 +63,9 @@ static const struct util_prg prg = { + + #define OPT_CONFIG_ON 0x80 + #define OPT_CONFIG_OFF 0x81 ++#define OPT_SE_ASSOC 0x82 ++#define OPT_SE_BIND 0x83 ++#define OPT_SE_UNBIND 0x84 + + static struct util_opt opt_vec[] = { + { +@@ -116,6 +125,22 @@ static struct util_opt opt_vec[] = { + .option = { "verbose", no_argument, NULL, 'V'}, + .desc = "Print verbose messages", + }, ++ { ++ .option = { "se-associate", required_argument, NULL, OPT_SE_ASSOC}, ++ .argument = "assoc_idx", ++ .flags = UTIL_OPT_FLAG_NOSHORT, ++ .desc = "SE guest with AP support only: Associate the given queue device", ++ }, ++ { ++ .option = { "se-bind", no_argument, NULL, OPT_SE_BIND}, ++ .flags = UTIL_OPT_FLAG_NOSHORT, ++ .desc = "SE guest with AP support only: Bind the given queue device", ++ }, ++ { ++ .option = { "se-unbind", no_argument, NULL, OPT_SE_UNBIND}, ++ .flags = UTIL_OPT_FLAG_NOSHORT, ++ .desc = "SE guest with AP support only: Unbind the given queue device", ++ }, + UTIL_OPT_HELP, + UTIL_OPT_VERSION, + UTIL_OPT_END +@@ -336,6 +361,186 @@ next: + } + } + ++static void se_assoc(const char *assoc_idx, const char *dev) ++{ ++ int i, idx, rc, ap, dom, loop; ++ char *dev_path, *attr; ++ char buf[256]; ++ ++ if (!ap_bus_has_SB_support()) ++ errx(EXIT_FAILURE, "Error - AP bus: SE bind support is not available."); ++ ++ if (sscanf(dev, "%02x.%04x", &ap, &dom) != 2) ++ errx(EXIT_FAILURE, "Error - Can't parse queue device '%s' as xy.abcd.", ++ dev); ++ dev_path = util_path_sysfs("bus/ap/devices/card%02x/%02x.%04x", ++ ap, ap, dom); ++ if (!util_path_is_dir(dev_path)) ++ errx(EXIT_FAILURE, "Error - Queue device %s does not exist.", ++ dev); ++ ++ if (sscanf(assoc_idx, "%i", &idx) != 1) ++ errx(EXIT_FAILURE, "Error - Can't parse association index '%s' as number.", ++ assoc_idx); ++ if (idx < 0 || idx > 0xFFFF) ++ errx(EXIT_FAILURE, "Error - Association index needs to be in range [0...%d].", ++ 0xffff); ++ ++ attr = util_path_sysfs("bus/ap/devices/card%02x/%02x.%04x/se_associate", ++ ap, ap, dom); ++ if (!util_path_is_writable(attr)) ++ errx(EXIT_FAILURE, "Error - Can't write to %s (errno '%s').", ++ attr, strerror(errno)); ++ ++ /* read se_associate attribute and check for 'unassociated' */ ++ rc = util_file_read_line(buf, sizeof(buf), attr); ++ if (rc) ++ errx(EXIT_FAILURE, "Error - Failure reading from %s (errno '%s').", ++ attr, strerror(errno)); ++ if (strcmp(buf, "unassociated")) ++ errx(EXIT_FAILURE, ++ "Error - Queue device %s is NOT in 'unassociated' state (state '%s' found).", ++ dev, buf); ++ ++ /* write assocition index to the se_associate attribute */ ++ rc = util_file_write_l(idx, 10, attr); ++ if (rc) ++ errx(EXIT_FAILURE, "Error - Failure writing to %s (errno '%s').", ++ attr, strerror(errno)); ++ ++ /* loop up to MAX_ASSOC_POLL_TIME_IN_S seconds for completion */ ++ for (loop = 0; loop < 2 * MAX_ASSOC_POLL_TIME_IN_S; usleep(500000), loop++) { ++ rc = util_file_read_line(buf, sizeof(buf), attr); ++ if (rc) ++ errx(EXIT_FAILURE, "Error - Failure reading from %s (errno '%s').", ++ attr, strerror(errno)); ++ if (!strncmp(buf, "associated", strlen("associated"))) ++ break; ++ if (!strcmp(buf, "unassociated")) ++ errx(EXIT_FAILURE, ++ "Error - Failure associating queue device %s (state '%s' found).", ++ dev, buf); ++ } ++ if (loop >= 2 * MAX_ASSOC_POLL_TIME_IN_S) ++ errx(EXIT_FAILURE, ++ "Error - Failure associating queue device %s (timeout after %d s).", ++ dev, MAX_ASSOC_POLL_TIME_IN_S); ++ ++ if (sscanf(buf, "associated %d", &i) != 1 || idx != i) ++ errx(EXIT_FAILURE, ++ "Error - Failure associating queue device %s (state '%s' found).", ++ dev, buf); ++ ++ verbose("Queue device %s successful associated with index %d.\n", ++ dev, idx); ++ ++ free(dev_path); ++ free(attr); ++} ++ ++static void se_bind(const char *dev) ++{ ++ char *dev_path, *attr; ++ int rc, ap, dom; ++ char buf[256]; ++ ++ if (!ap_bus_has_SB_support()) ++ errx(EXIT_FAILURE, "Error - AP bus: SE bind support is not available."); ++ ++ if (sscanf(dev, "%02x.%04x", &ap, &dom) != 2) ++ errx(EXIT_FAILURE, "Error - Can't parse queue device '%s' as xy.abcd.", ++ dev); ++ dev_path = util_path_sysfs("bus/ap/devices/card%02x/%02x.%04x", ++ ap, ap, dom); ++ if (!util_path_is_dir(dev_path)) ++ errx(EXIT_FAILURE, "Error - Queue device %s does not exist.", ++ dev); ++ ++ attr = util_path_sysfs("bus/ap/devices/card%02x/%02x.%04x/se_bind", ++ ap, ap, dom); ++ if (!util_path_is_writable(attr)) ++ errx(EXIT_FAILURE, "Error - Can't write to %s (errno '%s').", ++ attr, strerror(errno)); ++ ++ /* read se_bind attribute and check for 'unboud' */ ++ rc = util_file_read_line(buf, sizeof(buf), attr); ++ if (rc) ++ errx(EXIT_FAILURE, "Error - Failure reading from %s (errno '%s').", ++ attr, strerror(errno)); ++ if (strcmp(buf, "unbound")) ++ errx(EXIT_FAILURE, ++ "Error - Queue device %s is NOT in 'unbound' state (state '%s' found).", ++ dev, buf); ++ ++ /* write se_bind attribute, check for 'bound' afterwards */ ++ rc = util_file_write_l(1, 10, attr); ++ if (rc) ++ errx(EXIT_FAILURE, "Error - Failure writing to %s (errno '%s').", ++ attr, strerror(errno)); ++ rc = util_file_read_line(buf, sizeof(buf), attr); ++ if (rc) ++ errx(EXIT_FAILURE, "Error - Failure reading from %s (errno '%s').", ++ attr, strerror(errno)); ++ if (strcmp(buf, "bound")) ++ errx(EXIT_FAILURE, "Error - Failure binding queue device %s (state '%s' found).", ++ dev, buf); ++ ++ verbose("Queue device %s successful bound.\n", dev); ++ ++ free(dev_path); ++ free(attr); ++} ++ ++static void se_unbind(const char *dev) ++{ ++ int rc, ap, dom, loop; ++ char *dev_path, *attr; ++ char buf[256]; ++ ++ if (!ap_bus_has_SB_support()) ++ errx(EXIT_FAILURE, "Error - AP bus: SE bind support is not available."); ++ ++ if (sscanf(dev, "%02x.%04x", &ap, &dom) != 2) ++ errx(EXIT_FAILURE, "Error - Can't parse queue device '%s' as xy.abcd.", ++ dev); ++ dev_path = util_path_sysfs("bus/ap/devices/card%02x/%02x.%04x", ++ ap, ap, dom); ++ if (!util_path_is_dir(dev_path)) ++ errx(EXIT_FAILURE, "Error - Queue device %s does not exist.", ++ dev); ++ ++ attr = util_path_sysfs("bus/ap/devices/card%02x/%02x.%04x/se_bind", ++ ap, ap, dom); ++ if (!util_path_is_writable(attr)) ++ errx(EXIT_FAILURE, "Error - Can't write to %s (errno '%s').", ++ attr, strerror(errno)); ++ ++ /* write se_bind attribute */ ++ rc = util_file_write_l(0, 10, attr); ++ if (rc) ++ errx(EXIT_FAILURE, "Error - Failure writing to %s (errno '%s').", ++ attr, strerror(errno)); ++ ++ /* loop up to MAX_UNBIND_POLL_TIME_IN_S seconds for completion */ ++ for (loop = 0; loop < 2 * MAX_UNBIND_POLL_TIME_IN_S; usleep(500000), loop++) { ++ rc = util_file_read_line(buf, sizeof(buf), attr); ++ if (rc) ++ errx(EXIT_FAILURE, "Error - Failure reading from %s (errno '%s').", ++ attr, strerror(errno)); ++ if (!strcmp(buf, "unbound")) ++ break; ++ } ++ if (loop >= 2 * MAX_UNBIND_POLL_TIME_IN_S) ++ errx(EXIT_FAILURE, ++ "Error - Failure unbinding queue device %s (timeout after %d s).", ++ dev, MAX_UNBIND_POLL_TIME_IN_S); ++ ++ verbose("Queue device %s successful unbound.\n", dev); ++ ++ free(dev_path); ++ free(attr); ++} ++ + /* + * Print invalid commandline error message and then exit with error code + */ +@@ -389,10 +594,10 @@ static void print_adapter_id_help(void) + printf("DEVICE_IDS\n"); + printf(" List of cryptographic device ids separated by blanks which will be set\n"); + printf(" online/offline. Must be used in conjunction with the enable or disable option.\n"); +- + printf(" DEVICE_ID could either be card device id ('') or queue device id\n"); +- printf(" '.').\n"); +- printf(" \n"); ++ printf(" '.').\n\n"); ++ printf("QUEUE_DEVICE:\n"); ++ printf(" An APQN queue device given as xy.abcd as it is listed by lszcrypt -V.\n\n"); + printf("EXAMPLE:\n"); + printf(" Disable the cryptographic device with card id '02' (inclusive all queues).\n"); + printf(" #>chzcrypt -d 02\n"); +@@ -407,13 +612,14 @@ static void print_adapter_id_help(void) + */ + int main(int argc, char *argv[]) + { ++ const char *default_domain = NULL, *config = NULL, *config_text = NULL; + const char *online = NULL, *online_text = NULL, *poll_thread = NULL; + const char *config_time = NULL, *poll_timeout = NULL; +- const char *default_domain = NULL, *config = NULL, *config_text = NULL; ++ const char *queue_device = NULL, *assoc_idx = NULL; ++ int c, i, j, action = 0; + char *path, *dev_list; +- bool all = false, actionset = false; ++ bool all = false; + size_t len; +- int c, i, j; + + for (i=0; i < argc; i++) + for (j=2; j < (int) strlen(argv[i]); j++) +@@ -428,12 +634,12 @@ int main(int argc, char *argv[]) + break; + switch (c) { + case 'e': +- actionset = true; ++ action = c; + online = "1"; + online_text = "online"; + break; + case 'd': +- actionset = true; ++ action = c; + online = "0"; + online_text = "offline"; + break; +@@ -441,23 +647,23 @@ int main(int argc, char *argv[]) + all = true; + break; + case 'p': +- actionset = true; ++ action = c; + poll_thread = "1"; + break; + case 'n': +- actionset = true; ++ action = c; + poll_thread = "0"; + break; + case 'c': +- actionset = true; ++ action = c; + config_time = optarg; + break; + case 't': +- actionset = true; ++ action = c; + poll_timeout = optarg; + break; + case 'q': +- actionset = true; ++ action = c; + default_domain = optarg; + break; + case 'V': +@@ -472,21 +678,31 @@ int main(int argc, char *argv[]) + util_prg_print_version(); + return EXIT_SUCCESS; + case OPT_CONFIG_ON: +- actionset = true; ++ action = c; + config = "1"; + config_text = "config on"; + break; + case OPT_CONFIG_OFF: +- actionset = true; ++ action = c; + config = "0"; + config_text = "config off"; + break; ++ case OPT_SE_ASSOC: ++ action = c; ++ assoc_idx = optarg; ++ break; ++ case OPT_SE_BIND: ++ action = c; ++ break; ++ case OPT_SE_UNBIND: ++ action = c; ++ break; + default: + util_opt_print_parse_error(c, argv); + return EXIT_FAILURE; + } + } +- if (!actionset) ++ if (!action) + invalid_cmdline_exit("Error - missing argument.\n"); + path = util_path_sysfs("bus/ap"); + if (!util_path_is_dir(path)) +@@ -508,6 +724,32 @@ int main(int argc, char *argv[]) + default_domain_set(default_domain); + return EXIT_SUCCESS; + } ++ ++ if (action == OPT_SE_ASSOC) { ++ if (optind >= argc) ++ errx(EXIT_FAILURE, ++ "Error - The --se-associate needs a queue device given."); ++ queue_device = argv[optind]; ++ se_assoc(assoc_idx, queue_device); ++ return EXIT_SUCCESS; ++ } ++ if (action == OPT_SE_BIND) { ++ if (optind >= argc) ++ errx(EXIT_FAILURE, ++ "Error - The --se-bind needs a queue device given."); ++ queue_device = argv[optind]; ++ se_bind(queue_device); ++ return EXIT_SUCCESS; ++ } ++ if (action == OPT_SE_UNBIND) { ++ if (optind >= argc) ++ errx(EXIT_FAILURE, ++ "Error - The --se-unbind needs a queue device given."); ++ queue_device = argv[optind]; ++ se_unbind(queue_device); ++ return EXIT_SUCCESS; ++ } ++ + if (all) + dev_list_all(&dev_list, &len); + else +-- +2.41.0 + + +From 8212d3474c84309adb5955dcc3820a375f76c7ad Mon Sep 17 00:00:00 2001 +From: Steffen Maier +Date: Tue, 1 Aug 2023 18:58:45 +0200 +Subject: [PATCH 4/4] zdev/dracut: fix kdump build to integrate with site + support (#2229178) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This complements v2.27.0 commit 73c46a30563d ("zdev/dracut: fix kdump by +only activating required devices"). On older distributions, the absence of +zdev_id can cause the following harmless error messages for each udev +event: + +(spawn)[387]: failed to execute '/lib/s390-tools/zdev_id' \ +'/lib/s390-tools/zdev_id': No such file or directory + +Kdump is still functional nonetheless. + +As of v2.24.0 commit 2e89722ef0ec ("zdev: make site specific udev-rule for +ccw"), the invocations of chzdev within +zdev/dracut/95zdev-kdump/module-setup.sh generate +/etc/udev/rules.d/40-zdev-id.rules. And so even though zdev-kdump +intentionally does not install zdev_id and its previous singular user +zdev/udev/81-dpm.rules into the kdump initrd, because DPM device auto +configuration is not desired in the kdump environment, zdev_id meanwhile +has an additional functionality for site-support and the generated +40-zdev-id.rules calls /lib/s390-tools/zdev_id. By installing zdev_id into +the kdump initrd, 40-zdev-id.rules can work without error. + +Fixes: 73c46a30563d ("zdev/dracut: fix kdump by only activating required devices") +Reviewed-by: Alexander Egorenkov +Reviewed-by: Vineeth Vijayan +Signed-off-by: Steffen Maier +Signed-off-by: Jan Höppner +(cherry picked from commit 4b486e87cc2875f532784bd69ee680e714508059) +--- + zdev/dracut/95zdev-kdump/module-setup.sh | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/zdev/dracut/95zdev-kdump/module-setup.sh b/zdev/dracut/95zdev-kdump/module-setup.sh +index ad8e309..4ce2fc6 100755 +--- a/zdev/dracut/95zdev-kdump/module-setup.sh ++++ b/zdev/dracut/95zdev-kdump/module-setup.sh +@@ -46,6 +46,10 @@ installkernel() { + install() { + local _tempfile + ++ # zdev_id is not functionally required for kdump but optionally ++ # installing avoids error messages from zdev site udev rule processing ++ inst_multiple -o /lib/s390-tools/zdev_id ++ + # Obtain kdump target device configuration + + _tempfile=$(mktemp --tmpdir dracut-zdev.XXXXXX) +-- +2.41.0 + diff --git a/SPECS/s390utils.spec b/SPECS/s390utils.spec index 29b7fd3..ea8224d 100644 --- a/SPECS/s390utils.spec +++ b/SPECS/s390utils.spec @@ -12,8 +12,8 @@ Name: s390utils Summary: Utilities and daemons for IBM z Systems -Version: 2.25.0 -Release: 2%{?dist} +Version: 2.27.0 +Release: 3%{?dist}.alma.1 Epoch: 2 License: MIT ExclusiveArch: s390 s390x @@ -47,7 +47,7 @@ Patch0: s390-tools-zipl-invert-script-options.patch Patch1: s390-tools-zipl-blscfg-rpm-nvr-sort.patch # upstream fixes/updates -Patch100: s390utils-%%{version}-rhel.patch +Patch100: s390utils-%{version}-rhel.patch Patch1000: cmsfs-1.1.8-warnings.patch Patch1001: cmsfs-1.1.8-kernel26.patch @@ -83,7 +83,7 @@ be used together with the zSeries (s390) Linux kernel and device drivers. %patch1 -p1 -b .blscfg-rpm-nvr-sort # upstream fixes/updates -%%patch100 -p1 +%patch100 -p1 # # cmsfs @@ -289,6 +289,7 @@ systemctl --no-reload preset device_cio_free.service >/dev/null 2>&1 || : %{_unitdir}/cpi.service %config(noreplace) %{_sysconfdir}/sysconfig/cpi /usr/lib/dracut/modules.d/95zdev/ +/usr/lib/dracut/modules.d/95zdev-kdump/ %{_mandir}/man5/zipl.conf.5* %{_mandir}/man8/chreipl.8* %{_mandir}/man8/chzdev.8* @@ -416,11 +417,6 @@ s390 base tools. This collection provides the following utilities: * tunedasd: Adjust tunable parameters on DASD devices. - * vmconvert: - Convert system dumps created by the z/VM VMDUMP command into dumps with - LKCD format. These LKCD dumps can then be analyzed with the dump analysis - tool lcrash. - * vmcp: Allows Linux users to send commands to the z/VM control program (CP). The normal usage is to invoke vmcp with the command you want to @@ -554,7 +550,6 @@ getent group zkeyadm > /dev/null || groupadd -r zkeyadm %{_bindir}/mk-s390image %{_bindir}/pvattest %{_bindir}/pvextract-hdr -%{_bindir}/vmconvert %{_bindir}/zkey %{_bindir}/zkey-cryptsetup %{_unitdir}/dumpconf.service @@ -583,7 +578,6 @@ getent group zkeyadm > /dev/null || groupadd -r zkeyadm %{_mandir}/man1/pvattest-create.1* %{_mandir}/man1/pvattest-perform.1* %{_mandir}/man1/pvattest-verify.1* -%{_mandir}/man1/vmconvert.1* %{_mandir}/man1/zkey.1* %{_mandir}/man1/zkey-cryptsetup.1* %{_mandir}/man1/zkey-ekmfweb.1* @@ -1010,6 +1004,9 @@ User-space development files for the s390/s390x architecture. %changelog +* Wed Nov 01 2023 Eduard Abdullin - 2:2.27.0-3.alma.1 +- Update to 2.27.0 + * Fri Feb 03 2023 Dan Horák - 2:2.25.0-2 - zkey: Support EP11 host library version 4 (#2165811) - Resolves: #2165811