From d15780f78dd7bf217ceddd10362b8720685a0f0a Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Tue, 8 Nov 2022 01:58:11 -0500
Subject: [PATCH] import s390utils-2.22.0-2.el8
---
 .gitignore | 2 +-
 .s390utils.metadata | 2 +-
 .../s390-tools-zipl-blscfg-rpm-nvr-sort.patch | 235 ++++++++-
 ...390-tools-zipl-invert-script-options.patch | 6 +-
 SOURCES/s390utils-2.19.0-rhel.patch | 478 ------------------
 SOURCES/s390utils-2.22.0-rhel.patch | 32 ++
 SPECS/s390utils.spec | 89 +++-
 7 files changed, 327 insertions(+), 517 deletions(-)
 delete mode 100644 SOURCES/s390utils-2.19.0-rhel.patch
 create mode 100644 SOURCES/s390utils-2.22.0-rhel.patch
diff --git a/.gitignore b/.gitignore
index 77f3f66..4eb33e6 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,3 @@
 SOURCES/cmsfs-1.1.8c.tar.gz
-SOURCES/s390-tools-2.19.0.tar.gz
+SOURCES/s390-tools-2.22.0.tar.gz
 SOURCES/src_vipa-2.1.0.tar.gz
diff --git a/.s390utils.metadata b/.s390utils.metadata
index db21295..00bf6c1 100644
--- a/.s390utils.metadata
+++ b/.s390utils.metadata
@@ -1,3 +1,3 @@
 9c9a4e89bddb2b4e6e09ef6fc7c2e6f2ad6316de SOURCES/cmsfs-1.1.8c.tar.gz
-5b4eeed3868297ca65b7d5720484786172dc11d1 SOURCES/s390-tools-2.19.0.tar.gz
+7023dd992d5cb418cb522a62c6f8550bf3d4ec37 SOURCES/s390-tools-2.22.0.tar.gz
 8ed8592a0a9370ce8422df9231ccb17f6cf49bed SOURCES/src_vipa-2.1.0.tar.gz
diff --git a/SOURCES/s390-tools-zipl-blscfg-rpm-nvr-sort.patch b/SOURCES/s390-tools-zipl-blscfg-rpm-nvr-sort.patch
index 93e5566..54e357d 100644
--- a/SOURCES/s390-tools-zipl-blscfg-rpm-nvr-sort.patch
+++ b/SOURCES/s390-tools-zipl-blscfg-rpm-nvr-sort.patch
@@ -1,6 +1,221 @@ -diff -up s390-tools-2.9.0/zipl/src/Makefile.blscfg-rpm-nvr-sort s390-tools-2.9.0/zipl/src/Makefile ---- s390-tools-2.9.0/zipl/src/Makefile.blscfg-rpm-nvr-sort 2019-05-22 08:16:17.317273801 -0400 -+++ s390-tools-2.9.0/zipl/src/Makefile 2019-05-22 08:18:02.947273801 -0400 +From 14119148dabb7f4f633623c00eece44c5771db10 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Dan=20Hor=C3=A1k?= +Date: Mon, 20 Jun 2022 17:43:05 +0200 +Subject: [PATCH 1/2] Revert "zipl/src: Implement sorting bls entries by + versions" + +This reverts commit a0dba6bfdb50ff373fa710ffe2a307cc0748f18b. +--- + zipl/src/scan.c | 139 ++---------------------------------------------- + 1 file changed, 3 insertions(+), 136 deletions(-) + +diff --git a/zipl/src/scan.c b/zipl/src/scan.c +index 0cea1d4..9352f76 100644 +--- a/zipl/src/scan.c ++++ b/zipl/src/scan.c +@@ -10,7 +10,6 @@ + * + */ + +-static const char *VERSION_KEYWORD = "version"; + + /* Need ISOC99 function isblank() in ctype.h */ + #ifndef __USE_ISOC99 +@@ -646,7 +645,7 @@ scan_file(const char* filename, struct scan_token** token) + + + static int +-bls_filter_by_names(const struct dirent *ent) ++bls_filter(const struct dirent *ent) + { + int offset = strlen(ent->d_name) - strlen(".conf"); + +@@ -656,111 +655,13 @@ bls_filter_by_names(const struct dirent *ent) + return strncmp(ent->d_name + offset, ".conf", strlen(".conf")) == 0; + } + +-struct version { +- char *line; /* pointer to a line with version keyword */ +- int offset; /* offset of version value in the line */ +-}; +- +-/* +- * Locate version in bls file represented by ENT +- */ +-static void get_version(const struct dirent *ent, struct version *v) +-{ +- char *line = NULL; +- size_t len = 0; +- char *d_name; +- FILE *stream; +- ssize_t read; +- +- memset(v, 0, sizeof(*v)); +- d_name = misc_make_path((char *)blsdir, (char *)ent->d_name); +- if (!d_name) +- return; +- +- stream = fopen(d_name, "r"); +- free(d_name); +- if (!stream) +- return; +- +- while ((read = 
getline(&line, &len, stream)) != -1) { +- if (line[read - 1] == '\n') { +- line[read - 1] = '\0'; +- read--; +- } +- if ((size_t)read <= strlen(VERSION_KEYWORD) + 1) +- continue; +- if (strcmp(VERSION_KEYWORD, line) > 0) +- continue; +- if (!isblank(line[strlen(VERSION_KEYWORD)])) +- continue; +- /* skip blanks */ +- v->offset = strlen(VERSION_KEYWORD) + 1; +- while (v->offset < read - 1 && isblank(line[v->offset])) +- v->offset++; +- if (isblank(line[v->offset])) +- /* +- * all characters after the keyword +- * are blanks. Invalid version +- */ +- continue; +- v->line = line; +- fclose(stream); +- return; +- } +- free(line); +- fclose(stream); +-} +- +-static void put_version(struct version *v) +-{ +- free(v->line); +-} +- +-/** +- * Check version in bls file represented by ENT. +- * Return 1 if version is valid. Otherwise return 0 +- */ +-static int bls_filter_by_versions(const struct dirent *ent) +-{ +- struct version v; +- +- if (bls_filter_by_names(ent) == 0) +- return 0; +- +- get_version(ent, &v); +- if (v.line) { +- put_version(&v); +- return 1; +- } +- return 0; +-} +- + + static int +-bls_sort_by_names(const struct dirent **ent_a, const struct dirent **ent_b) ++bls_sort(const struct dirent **ent_a, const struct dirent **ent_b) + { + return strverscmp((*ent_a)->d_name, (*ent_b)->d_name); + } + +-static int +-bls_sort_by_versions(const struct dirent **ent_a, const struct dirent **ent_b) +-{ +- struct version v1, v2; +- int ret; +- +- get_version(*ent_a, &v1); +- get_version(*ent_b, &v2); +- /* +- * Both versions are valid. 
+- * It is guaranteed by bls_filter_by_versions() +- */ +- ret = strverscmp(v1.line + v1.offset, v2.line + v2.offset); +- +- put_version(&v1); +- put_version(&v2); +- +- return ret; +-} + + static int + scan_append_section_heading(struct scan_token* scan, int* index, char* name); +@@ -1110,40 +1011,6 @@ scan_count_target_keywords(char* keyword[]) + return num; + } + +-static int bls_scandir(struct dirent ***bls_entries) +-{ +- struct dirent **entries1; +- struct dirent **entries2; +- int n1, n2; +- +- /* arrange by names */ +- n1 = scandir(blsdir, &entries1, +- bls_filter_by_names, bls_sort_by_names); +- if (n1 <= 0) +- return n1; +- /* arrange by versions */ +- n2 = scandir(blsdir, &entries2, +- bls_filter_by_versions, bls_sort_by_versions); +- +- if (n2 <= 0 || n2 < n1) { +- /* +- * failed to sort by versions, +- * fall back to sorting by filenames +- */ +- *bls_entries = entries1; +- while (n2--) +- free(entries2[n2]); +- free(entries2); +- return n1; +- } +- /* use arrangement by versions */ +- *bls_entries = entries2; +- while (n1--) +- free(entries1[n1]); +- free(entries1); +- return n2; +-} +- + int + scan_check_target_data(char* keyword[], int* line) + { +@@ -1464,7 +1331,7 @@ int scan_bls(struct scan_token **token, int scan_size) + if (!(stat(blsdir, &sb) == 0 && S_ISDIR(sb.st_mode))) + return 0; + +- n = bls_scandir(&bls_entries); ++ n = scandir(blsdir, &bls_entries, bls_filter, bls_sort); + if (n <= 0) + return n; + +-- +2.36.1 + + +From 661f143bb0b429c732d0ad9756c745dcb8799bc7 Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Mon, 20 Jun 2022 17:46:59 +0200 +Subject: [PATCH 2/2] blscfg: sort like rpm nvr, not like a single version +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Signed-off-by: Peter Jones +Signed-off-by: Dan Horák +--- + zipl/src/Makefile | 2 +- + zipl/src/scan.c | 96 ++++++++++++++++++++++++++++++++++++++++++++++- + 2 files changed, 95 insertions(+), 3 deletions(-) + +diff --git 
a/zipl/src/Makefile b/zipl/src/Makefile +index 786bb7f..1adc486 100644 +--- a/zipl/src/Makefile ++++ b/zipl/src/Makefile @@ -7,7 +7,7 @@ ALL_CPPFLAGS += -I../include -I../boot \ -D_FILE_OFFSET_BITS=64 $(NO_PIE_CFLAGS) ALL_LDFLAGS += -Wl,-z,noexecstack $(NO_PIE_LDFLAGS) @@ -10,10 +225,11 @@ diff -up s390-tools-2.9.0/zipl/src/Makefile.blscfg-rpm-nvr-sort s390-tools-2.9.0 objects = misc.o error.o scan.o job.o boot.o bootmap.o fs-map.o disk.o \ bootmap_header.o envblk.o install.o zipl.o $(rootdir)/zipl/boot/data.o -diff -up s390-tools-2.9.0/zipl/src/scan.c.blscfg-rpm-nvr-sort s390-tools-2.9.0/zipl/src/scan.c ---- s390-tools-2.9.0/zipl/src/scan.c.blscfg-rpm-nvr-sort 2019-05-21 09:13:36.000000000 -0400 -+++ s390-tools-2.9.0/zipl/src/scan.c 2019-05-22 08:16:17.317273801 -0400 -@@ -33,6 +33,8 @@ +diff --git a/zipl/src/scan.c b/zipl/src/scan.c +index 9352f76..3327e2d 100644 +--- a/zipl/src/scan.c ++++ b/zipl/src/scan.c +@@ -35,6 +35,8 @@ #include "lib/util_base.h" @@ -22,7 +238,7 @@ diff -up s390-tools-2.9.0/zipl/src/scan.c.blscfg-rpm-nvr-sort s390-tools-2.9.0/z #include "boot.h" #include "error.h" #include "misc.h" -@@ -653,13 +655,103 @@ bls_filter(const struct dirent *ent) +@@ -655,13 +657,103 @@ bls_filter(const struct dirent *ent) return strncmp(ent->d_name + offset, ".conf", strlen(".conf")) == 0; } @@ -128,3 +344,6 @@ diff -up s390-tools-2.9.0/zipl/src/scan.c.blscfg-rpm-nvr-sort s390-tools-2.9.0/z static int scan_append_section_heading(struct scan_token* scan, int* index, char* name); +-- +2.36.1 + diff --git a/SOURCES/s390-tools-zipl-invert-script-options.patch b/SOURCES/s390-tools-zipl-invert-script-options.patch index 93d5cc7..d7d936f 100644 --- a/SOURCES/s390-tools-zipl-invert-script-options.patch +++ b/SOURCES/s390-tools-zipl-invert-script-options.patch 
@@ -61,10 +61,10 @@ index 871935c783f..d8d5eca5867 100755 ;; --) shift -diff --git a/scripts/zipl-switch-to-blscfg.1 b/scripts/zipl-switch-to-blscfg.1 +diff --git a/scripts/zipl-switch-to-blscfg.8 b/scripts/zipl-switch-to-blscfg.8 index 6bd14d00d14..71b904ffd1c 100644 ---- a/scripts/zipl-switch-to-blscfg.1 -+++ b/scripts/zipl-switch-to-blscfg.1 +--- a/scripts/zipl-switch-to-blscfg.8 ++++ b/scripts/zipl-switch-to-blscfg.8 @@ -37,9 +37,9 @@ The DIRECTORY where the BLS fragments will be generated. The directory is create The FILE used for zipl configuration file, defaults to /etc/zipl.conf. diff --git a/SOURCES/s390utils-2.19.0-rhel.patch b/SOURCES/s390utils-2.19.0-rhel.patch deleted file mode 100644 index 0b9d230..0000000 --- a/SOURCES/s390utils-2.19.0-rhel.patch +++ /dev/null 
@@ -1,478 +0,0 @@ -From b6be5a1f038f07c0908d2929551831a228c48705 Mon Sep 17 00:00:00 2001 -From: Marc Hartmayer -Date: Thu, 31 Mar 2022 14:00:31 +0000 -Subject: [PATCH 1/4] genprotimg: remove DigiCert root CA pinning -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Remove the DigiCert root CA pinning. The root CA used for the chain of trust can -change in the future therefore let's remove this check. If someone wants to -enforce the usage of a specific root CA it can be selected by the genprotimg -command line option `--root-ca $CA`. Make it transparent to the user which root -CA is actually being used by printing the subject name of the root CA to stdout -in verbose mode. - -Signed-off-by: Marc Hartmayer -Acked-by: Viktor Mihajlovski -Reviewed-and-tested-by: Nico Boehr -Signed-off-by: Jan Höppner -(cherry picked from commit 78b053326c504c0535b5ec1c244ad7bb5a1df29d) ---- - genprotimg/man/genprotimg.8 | 2 +- - genprotimg/src/include/pv_crypto_def.h | 3 -- - genprotimg/src/pv/pv_args.c | 2 +- - genprotimg/src/pv/pv_image.c | 27 ++++++--------- - genprotimg/src/utils/crypto.c | 48 +++++++++++--------------- - genprotimg/src/utils/crypto.h | 4 +-- - 6 files changed, 35 insertions(+), 51 deletions(-) - -diff --git a/genprotimg/man/genprotimg.8 b/genprotimg/man/genprotimg.8 -index 8a481c4..6f14052 100644 ---- a/genprotimg/man/genprotimg.8 -+++ b/genprotimg/man/genprotimg.8 -@@ -87,7 +87,7 @@ CRLs. Optional. - .TP - \fB\-\-root\-ca\fR=\fI\,FILE\/\fR - Specifies the root CA certificate for the verification. If omitted, --the DigiCert root CA certificate installed on the system is used. Use -+the system wide root CAs installed on the system is used. Use - this only if you trust the specified certificate. Optional. 
- .TP - \fB\-\-no-verify\fR -diff --git a/genprotimg/src/include/pv_crypto_def.h b/genprotimg/src/include/pv_crypto_def.h -index 53984a3..3635433 100644 ---- a/genprotimg/src/include/pv_crypto_def.h -+++ b/genprotimg/src/include/pv_crypto_def.h -@@ -29,9 +29,6 @@ - */ - #define PV_CERTS_SECURITY_LEVEL 2 - --/* SKID for DigiCert Assured ID Root CA */ --#define DIGICERT_ASSURED_ID_ROOT_CA_SKID "45EBA2AFF492CB82312D518BA7A7219DF36DC80F" -- - union ecdh_pub_key { - struct { - uint8_t x[80]; -diff --git a/genprotimg/src/pv/pv_args.c b/genprotimg/src/pv/pv_args.c -index e644ae7..bcc3784 100644 ---- a/genprotimg/src/pv/pv_args.c -+++ b/genprotimg/src/pv/pv_args.c -@@ -111,7 +111,7 @@ static gint pv_args_validate_options(PvArgs *args, GError **err) - g_strv_length(args->untrusted_cert_paths) == 0)) { - g_set_error( - err, PV_PARSE_ERROR, PR_PARSE_ERROR_MISSING_ARGUMENT, -- _("Either specify the IBM Z signing key and (DigiCert) intermediate CA certificate\n" -+ _("Either specify the IBM Z signing key and intermediate CA certificate\n" - "by using the '--cert' option, or use the '--no-verify' flag to disable the\n" - "host-key document verification completely (at your own risk).")); - return -1; -diff --git a/genprotimg/src/pv/pv_image.c b/genprotimg/src/pv/pv_image.c -index 7359240..a5f07b8 100644 ---- a/genprotimg/src/pv/pv_image.c -+++ b/genprotimg/src/pv/pv_image.c -@@ -304,9 +304,10 @@ static gint pv_img_hostkey_verify(GSList *host_key_certs, - } - - /* Load all untrusted certificates (e.g. IBM Z signing key and -- * DigiCert intermediate CA) that are required to establish a chain of -- * trust starting from the host-key document up to the root CA (if not -- * otherwise specified that's the DigiCert Assured ID Root CA). -+ * intermediate CA) that are required to establish a chain of trust -+ * starting from the host-key document up to the root CA (if not -+ * otherwise specified that can be one of the system wide installed -+ * root CAs, e.g. DigiCert). 
- */ - untrusted_certs_with_path = load_certificates(untrusted_cert_paths, err); - if (!untrusted_certs_with_path) -@@ -341,9 +342,8 @@ static gint pv_img_hostkey_verify(GSList *host_key_certs, - * For this we must check: - * - * 1. Can a chain of trust be established ending in a root CA -- * 2. Is the correct root CA ued? It has either to be the -- * 'DigiCert Assured ID Root CA' or the root CA specified via -- * command line. -+ * 2. Is the correct root CA used? It has either to be a system CA -+ * or the root CA specified via command line. - */ - for (gint i = 0; i < sk_X509_num(ibm_signing_certs); ++i) { - X509 *ibm_signing_cert = sk_X509_value(ibm_signing_certs, i); -@@ -364,17 +364,12 @@ static gint pv_img_hostkey_verify(GSList *host_key_certs, - if (verify_cert(ibm_signing_cert, ctx, err) < 0) - goto error; - -- /* Verify the build chain of trust chain. If the user passes a -- * trusted root CA on the command line then the check for the -- * Subject Key Identifier (SKID) is skipped, otherwise let's -- * check if the SKID meets our expectation. -+ /* If there is a chain of trust using either the provided root -+ * CA on the command line or a system wide trusted root CA. - */ -- if (!root_ca_path && -- check_chain_parameters(X509_STORE_CTX_get0_chain(ctx), -- get_digicert_assured_id_root_ca_skid(), -- err) < 0) { -+ if (check_chain_parameters(X509_STORE_CTX_get0_chain(ctx), -+ err) < 0) - goto error; -- } - - ibm_signing_crls = store_ctx_find_valid_crls(ctx, ibm_signing_cert, err); - if (!ibm_signing_crls) { -@@ -588,7 +583,7 @@ PvImage *pv_img_new(PvArgs *args, const gchar *stage3a_path, GError **err) - g_warning(_("host-key document verification is disabled. Your workload is not secured.")); - - if (args->root_ca_path) -- g_warning(_("A different root CA than the default DigiCert root CA is selected. Ensure that this root CA is trusted.")); -+ g_warning(_("The root CA is selected through the command line. 
Ensure that this root CA is trusted.")); - - ret->comps = pv_img_comps_new(EVP_sha512(), EVP_sha512(), EVP_sha512(), err); - if (!ret->comps) -diff --git a/genprotimg/src/utils/crypto.c b/genprotimg/src/utils/crypto.c -index 087de37..9d1fdb0 100644 ---- a/genprotimg/src/utils/crypto.c -+++ b/genprotimg/src/utils/crypto.c -@@ -1079,8 +1079,8 @@ int store_set_verify_param(X509_STORE *store, GError **err) - g_abort(); - - /* The maximum depth level of the chain of trust for the verification of -- * the IBM Z signing key is 2, i.e. IBM Z signing key -> (DigiCert) -- * intermediate CA -> (DigiCert) root CA -+ * the IBM Z signing key is 2, i.e. IBM Z signing key -> intermediate CA -+ * -> root CA - */ - X509_VERIFY_PARAM_set_depth(param, 2); - -@@ -1267,46 +1267,38 @@ static int security_level_to_bits(int level) - return security_bits[level]; - } - --static ASN1_OCTET_STRING *digicert_assured_id_root_ca; -- --const ASN1_OCTET_STRING *get_digicert_assured_id_root_ca_skid(void) --{ -- pv_crypto_init(); -- return digicert_assured_id_root_ca; --} -- - /* Used for the caching of the downloaded CRLs */ - static GHashTable *cached_crls; - - void pv_crypto_init(void) - { -- if (digicert_assured_id_root_ca) -+ if (cached_crls) - return; -- - cached_crls = g_hash_table_new_full(g_str_hash, g_str_equal, g_free, - (GDestroyNotify)X509_CRL_free); -- digicert_assured_id_root_ca = s2i_ASN1_OCTET_STRING( -- NULL, NULL, DIGICERT_ASSURED_ID_ROOT_CA_SKID); - } - - void pv_crypto_cleanup(void) - { -- if (!digicert_assured_id_root_ca) -+ if (!cached_crls) - return; - g_clear_pointer(&cached_crls, g_hash_table_destroy); -- g_clear_pointer(&digicert_assured_id_root_ca, ASN1_OCTET_STRING_free); - } - - gint check_chain_parameters(const STACK_OF_X509 *chain, -- const ASN1_OCTET_STRING *skid, GError **err) -+ GError **err) - { -- const ASN1_OCTET_STRING *ca_skid = NULL; -+ const X509_NAME *ca_x509_subject = NULL; -+ g_autofree gchar *ca_subject = NULL; - gint len = sk_X509_num(chain); - X509 *ca 
= NULL; - -- g_assert(skid); - /* at least one root and one leaf certificate must be defined */ -- g_assert(len >= 2); -+ if (len < 2) { -+ g_set_error(err, PV_CRYPTO_ERROR, PV_CRYPTO_ERROR_INTERNAL, -+ _("there must be at least on root and one leaf certificate in the chain of trust")); -+ return -1; -+ } - - /* get the root certificate of the chain of trust */ - ca = sk_X509_value(chain, len - 1); -@@ -1316,19 +1308,21 @@ gint check_chain_parameters(const STACK_OF_X509 *chain, - return -1; - } - -- ca_skid = X509_get0_subject_key_id(ca); -- if (!ca_skid) { -- g_set_error(err, PV_CRYPTO_ERROR, PV_CRYPTO_ERROR_MALFORMED_ROOT_CA, -- _("malformed root certificate")); -+ ca_x509_subject = X509_get_subject_name(ca); -+ if (!ca_x509_subject) { -+ g_set_error(err, PV_CRYPTO_ERROR, PV_CRYPTO_ERROR_INTERNAL, -+ _("subject of the root CA cannot be retrieved")); - return -1; - } - -- if (ASN1_STRING_cmp(ca_skid, skid) != 0) { -- g_set_error(err, PV_CRYPTO_ERROR, PV_CRYPTO_ERROR_WRONG_CA_USED, -- _("expecting DigiCert root CA to be used")); -+ ca_subject = X509_NAME_oneline(ca_x509_subject, NULL, 0); -+ if (!ca_subject) { -+ g_set_error(err, PV_CRYPTO_ERROR, PV_CRYPTO_ERROR_INTERNAL, -+ _("subject name of the root CA cannot be retrieved")); - return -1; - } - -+ g_info("Root CA used: '%s'", ca_subject); - return 0; - } - -diff --git a/genprotimg/src/utils/crypto.h b/genprotimg/src/utils/crypto.h -index 3cda450..fdf66de 100644 ---- a/genprotimg/src/utils/crypto.h -+++ b/genprotimg/src/utils/crypto.h -@@ -125,7 +125,6 @@ int check_crl_valid_for_cert(X509_CRL *crl, X509 *cert, - gint verify_flags, GError **err); - void pv_crypto_init(void); - void pv_crypto_cleanup(void); --const ASN1_OCTET_STRING *get_digicert_assured_id_root_ca_skid(void); - gint verify_host_key(X509 *host_key, GSList *issuer_pairs, - gint verify_flags, int level, GError **err); - X509 *load_cert_from_file(const char *path, GError **err); -@@ -138,8 +137,7 @@ X509_STORE *store_setup(const gchar *root_ca_path, - 
int store_set_verify_param(X509_STORE *store, GError **err); - X509_CRL *load_crl_by_cert(X509 *cert, GError **err); - STACK_OF_X509_CRL *try_load_crls_by_certs(GSList *certs_with_path); --gint check_chain_parameters(const STACK_OF_X509 *chain, -- const ASN1_OCTET_STRING *skid, GError **err); -+gint check_chain_parameters(const STACK_OF_X509 *chain, GError **err); - X509_NAME *c2b_name(const X509_NAME *name); - - STACK_OF_X509 *delete_ibm_signing_certs(STACK_OF_X509 *certs); --- -2.36.1 - - -From ea6a6c04a263eca7f9e3dd9922344d4843b739ec Mon Sep 17 00:00:00 2001 -From: Viktor Mihajlovski -Date: Tue, 15 Mar 2022 12:55:02 +0100 -Subject: [PATCH 2/4] genprotimg/check_hostkeydoc: relax default issuer check -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -While the original default issuer's organizationalUnitName (OU) -was defined as "IBM Z Host Key Signing Service", any OU ending -with "Key Signing Service" is considered legal. - -Let's relax the default issuer check by stripping off characters -preceding "Key Signing Service". 
- -Signed-off-by: Viktor Mihajlovski -Reviewed-by: Marc Hartmayer -Signed-off-by: Jan Höppner -(cherry picked from commit 673ff375d939d3cde674f8f99a62d456f8b1673d) ---- - genprotimg/samples/check_hostkeydoc | 20 ++++++++++++++++---- - 1 file changed, 16 insertions(+), 4 deletions(-) - -diff --git a/genprotimg/samples/check_hostkeydoc b/genprotimg/samples/check_hostkeydoc -index a96576f..6a83739 100755 ---- a/genprotimg/samples/check_hostkeydoc -+++ b/genprotimg/samples/check_hostkeydoc -@@ -23,6 +23,7 @@ BODY_FILE=$(mktemp) - ISSUER_DN_FILE=$(mktemp) - SUBJECT_DN_FILE=$(mktemp) - DEF_ISSUER_DN_FILE=$(mktemp) -+CANONICAL_ISSUER_DN_FILE=$(mktemp) - CRL_SERIAL_FILE=$(mktemp) - - # Cleanup on exit -@@ -30,7 +31,7 @@ cleanup() - { - rm -f $ISSUER_PUBKEY_FILE $SIGNATURE_FILE $BODY_FILE \ - $ISSUER_DN_FILE $SUBJECT_DN_FILE $DEF_ISSUER_DN_FILE \ -- $CRL_SERIAL_FILE -+ $CANONICAL_ISSUER_DN_FILE $CRL_SERIAL_FILE - } - trap cleanup EXIT - -@@ -121,20 +122,31 @@ default_issuer() - commonName = International Business Machines Corporation - countryName = US - localityName = Poughkeepsie -- organizationalUnitName = IBM Z Host Key Signing Service -+ organizationalUnitName = Key Signing Service - organizationName = International Business Machines Corporation - stateOrProvinceName = New York - EOF - } - --verify_issuer_files() -+# As organizationalUnitName can have an arbitrary prefix but must -+# end with "Key Signing Service" let's normalize the OU name by -+# stripping off the prefix -+verify_default_issuer() - { - default_issuer > $DEF_ISSUER_DN_FILE - -- if ! diff $ISSUER_DN_FILE $DEF_ISSUER_DN_FILE -+ sed "s/\(^[ ]*organizationalUnitName[ ]*=[ ]*\).*\(Key Signing Service$\)/\1\2/" \ -+ $ISSUER_DN_FILE > $CANONICAL_ISSUER_DN_FILE -+ -+ if ! 
diff $CANONICAL_ISSUER_DN_FILE $DEF_ISSUER_DN_FILE - then - echo Incorrect default issuer >&2 && exit 1 - fi -+} -+ -+verify_issuer_files() -+{ -+ verify_default_issuer - - if diff $ISSUER_DN_FILE $SUBJECT_DN_FILE - then --- -2.36.1 - - -From f24295fbb9b254ec808ac558d6ac8e62f55e19f9 Mon Sep 17 00:00:00 2001 -From: Ingo Franzki -Date: Mon, 4 Apr 2022 16:38:41 +0200 -Subject: [PATCH 3/4] libseckey: Fix re-enciphering of EP11 secure key -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The re-enciphering of EP11 asymmetric secure keys does not work. -First, the result of the re-encipher operation of the private key -part must be copied back into the user supplied key token buffer. -Second, the public key part, i.e. the MACed SubjectPublicKeyInfo -(SPKI) structure must also be re-enciphered (i.e. re-MACed), since -the MAC is calculated with the EP11 master key. - -Signed-off-by: Ingo Franzki -Signed-off-by: Jan Höppner -(cherry picked from commit 4e2ebe0370d9fb036b7554d5ac5df4418dbe0397) ---- - libseckey/sk_ep11.c | 53 +++++++++++++++++++++++++++++++++++++++++++++ - 1 file changed, 53 insertions(+) - -diff --git a/libseckey/sk_ep11.c b/libseckey/sk_ep11.c -index b867626..e3bd3c9 100644 ---- a/libseckey/sk_ep11.c -+++ b/libseckey/sk_ep11.c -@@ -1549,6 +1549,59 @@ int SK_EP11_reencipher_key(const struct sk_ext_ep11_lib *ep11_lib, - return -EIO; - } - -+ memcpy(blob, lrb.payload, lrb.pllen); -+ -+ /* re-encipher MACed SPKI */ -+ rb.domain = domain; -+ lrb.domain = domain; -+ -+ resp_len = sizeof(resp); -+ req_len = ep11.dll_xcpa_cmdblock(req, sizeof(req), XCP_ADM_REENCRYPT, -+ &rb, NULL, key_token + hdr->len, -+ key_token_length - hdr->len); -+ if (req_len < 0) { -+ sk_debug(debug, "Failed to build XCP command block"); -+ return -EIO; -+ } -+ -+ rv = ep11.dll_m_admin(resp, &resp_len, NULL, NULL, req, req_len, NULL, -+ 0, ep11_lib->target); -+ if (rv != CKR_OK || resp_len == 0) { -+ sk_debug(debug, "Command XCP_ADM_REENCRYPT 
failed. " -+ "rc = 0x%lx, resp_len = %ld", rv, resp_len); -+ return -EIO; -+ } -+ -+ rc = ep11.dll_xcpa_internal_rv(resp, resp_len, &lrb, &rv); -+ if (rc != 0) { -+ sk_debug(debug, "Failed to parse response. rc = %d", rc); -+ return -EIO; -+ } -+ -+ if (rv != CKR_OK) { -+ sk_debug(debug, "Failed to re-encrypt the EP11 secure key. " -+ "rc = 0x%lx", rv); -+ switch (rv) { -+ case CKR_IBM_WKID_MISMATCH: -+ sk_debug(debug, "The EP11 secure key is currently " -+ "encrypted under a different master that does " -+ "not match the master key in the CURRENT " -+ "master key register of APQN %02X.%04X", -+ card, domain); -+ break; -+ } -+ return -EIO; -+ } -+ -+ if (key_token_length - hdr->len != lrb.pllen) { -+ sk_debug(debug, "Re-encrypted EP11 secure key size has " -+ "changed: org-len: %lu, new-len: %lu", -+ hdr->len - sizeof(*hdr), lrb.pllen); -+ return -EIO; -+ } -+ -+ memcpy(key_token + hdr->len, lrb.payload, lrb.pllen); -+ - return 0; - } - --- -2.36.1 - - -From 5085236986b1c99d16f376273d4c710002abcb4e Mon Sep 17 00:00:00 2001 -From: Mete Durlu -Date: Fri, 10 Jun 2022 10:13:33 +0200 -Subject: [PATCH 4/4] hyptop: increase initial update interval -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Increase initial update interval from 200ms to 1 seconds to avoid -fluctuations on the initial data output. 
-
-Signed-off-by: Mete Durlu
-Signed-off-by: Jan Höppner
-(cherry picked from commit 80e54ac888d6232d99a485c74071fc2173f3dfbf)
----
- hyptop/sd.h | 2 +-
- hyptop/sd_core.c | 2 +-
- 2 files changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/hyptop/sd.h b/hyptop/sd.h
-index 9ba3192..1aed707 100644
---- a/hyptop/sd.h
-+++ b/hyptop/sd.h
-@@ -17,7 +17,7 @@
- #include "helper.h"
- #include "table.h"
-
--#define SD_DG_INIT_INTERVAL_MS 200
-+#define SD_DG_INIT_INTERVAL_SEC 1
- #define SD_SYS_ID_SIZE 9
-
- /*
-diff --git a/hyptop/sd_core.c b/hyptop/sd_core.c
-index f1cb631..47b5b59 100644
---- a/hyptop/sd_core.c
-+++ b/hyptop/sd_core.c
-@@ -150,7 +150,7 @@ void sd_update(void)
- */
- void sd_dg_register(struct sd_dg *dg, int has_core_data)
- {
-- struct timespec ts = {0, SD_DG_INIT_INTERVAL_MS * 1000000};
-+ struct timespec ts = {SD_DG_INIT_INTERVAL_SEC, 0};
- struct sd_sys_item *sys_item;
- struct sd_cpu_item *cpu_item;
- unsigned int i;
---
-2.36.1
-
diff --git a/SOURCES/s390utils-2.22.0-rhel.patch b/SOURCES/s390utils-2.22.0-rhel.patch
new file mode 100644
index 0000000..82e7c10
--- /dev/null
+++ b/SOURCES/s390utils-2.22.0-rhel.patch
@@ -0,0 +1,32 @@
+From ce0ae3c869dccaff3ed976d58b2d63ce461507e6 Mon Sep 17 00:00:00 2001
+From: Steffen Eiden
+Date: Mon, 25 Jul 2022 12:57:53 +0200
+Subject: [PATCH] zipl: Add missing check for a nullpointer.
+
+Fixes a bug that leads to a segmentation fault when no parmline is
+provided.
+
+Fixes: 11b401b5 ("zipl: move and make check for maximum command line length dynamic")
+Signed-off-by: Steffen Eiden
+Reviewed-by: Marc Hartmayer
+Reviewed-by: Stefan Haberland
+---
+ zipl/src/job.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/zipl/src/job.c b/zipl/src/job.c
+index ffdc297..b5bf5b2 100644
+--- a/zipl/src/job.c
++++ b/zipl/src/job.c
+@@ -790,7 +790,7 @@ check_common_ipl_data(struct job_common_ipl_data *common, const char *section,
+ if (!max_parm_size)
+ max_parm_size = LEGACY_MAXIMUM_PARMLINE_SIZE;
+
+- len = strlen(common->parmline);
++ len = common->parmline ? strlen(common->parmline) : 0;
+ if (len > max_parm_size) {
+ error_text("The length of the parameters line "
+ "(%d bytes) exceeds the allowed maximum "
+--
+2.37.1
+
diff --git a/SPECS/s390utils.spec b/SPECS/s390utils.spec
index dc1857e..eda59fa 100644
--- a/SPECS/s390utils.spec
+++ b/SPECS/s390utils.spec
@@ -6,10 +6,14 @@ %global signzipl 1 %endif +%if 0%{?fedora} +%global with_pandoc 1 +%endif + Name: s390utils Summary: Utilities and daemons for IBM z Systems -Version: 2.19.0 -Release: 1%{?dist}.2 +Version: 2.22.0 +Release: 2%{?dist} Epoch: 2 License: MIT ExclusiveArch: s390 s390x @@ -43,7 +47,7 @@ Patch0: s390-tools-zipl-invert-script-options.patch Patch1: s390-tools-zipl-blscfg-rpm-nvr-sort.patch # backported fixes -Patch100: s390utils-2.19.0-rhel.patch +Patch100: s390utils-%{version}-rhel.patch Patch1000: cmsfs-1.1.8-warnings.patch Patch1001: cmsfs-1.1.8-kernel26.patch
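Review bot: The replacement line in check_common_ipl_data maps a missing parmline to length 0 without saying that a NULL `common->parmline` is an expected state rather than a caller error; a comment on the added line would make that explicit, e.g. `/* parmline is optional: no parmline means an empty parameter line */`. The rest of the function, including the declaration of `len`, lies outside the hunk; the `%d` in the error_text() format on the context lines below only matches if `len` is an int, so if it is a `size_t` that call deserves a look while this code is being touched. On the visible lines the zero-length path is safe, since `len` is only compared against `max_parm_size` afterwards.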
@@ -123,6 +127,10 @@ popd make \ CFLAGS="%{build_cflags}" CXXFLAGS="%{build_cxxflags}" LDFLAGS="%{build_ldflags}" \ HAVE_DRACUT=1 \ +%if 0%{?with_pandoc} + ENABLE_DOC=1 \ +%endif + NO_PIE_LDFLAGS="" \ BINDIR=/usr/sbin \ UDEVRUNDIR=/run/udev \ DISTRELEASE=%{release} \ @@ -141,6 +149,9 @@ popd %install make install \ HAVE_DRACUT=1 \ +%if 0%{?with_pandoc} + ENABLE_DOC=1 \ +%endif DESTDIR=%{buildroot} \ BINDIR=/usr/sbin \ SYSTEMDSYSTEMUNITDIR=%{_unitdir} \ @@ -220,10 +231,6 @@ install -p -m 644 %{SOURCE17} %{buildroot}%{_udevrulesdir}/81-ccw.rules # zipl.conf to be ghosted touch %{buildroot}%{_sysconfdir}/zipl.conf -# fixups -# https://bugzilla.redhat.com/show_bug.cgi?id=2024102 -chmod 755 %{buildroot}/lib/s390-tools/cpictl - %files %doc README.md @@ -279,6 +286,7 @@ systemctl --no-reload preset device_cio_free.service >/dev/null 2>&1 || : /lib/s390-tools/zdev-root-update /lib/s390-tools/zipl.conf %ghost %config(noreplace) %{_sysconfdir}/zipl.conf +%config(noreplace) %{_sysconfdir}/ziplenv %{_unitdir}/cpi.service %config(noreplace) %{_sysconfdir}/sysconfig/cpi /usr/lib/dracut/modules.d/95zdev/ @@ -345,6 +353,7 @@ BuildRequires: json-c-devel BuildRequires: rpm-devel BuildRequires: glib2-devel BuildRequires: libxml2-devel +BuildRequires: liblockfile-devel %description base @@ -522,6 +531,7 @@ getent group zkeyadm > /dev/null || groupadd -r zkeyadm %{_sbindir}/lstape %{_sbindir}/lszcrypt %{_sbindir}/lszfcp +%{_sbindir}/pai %{_sbindir}/qetharp %{_sbindir}/qethconf %{_sbindir}/qethqoat 
@@ -544,12 +554,16 @@ getent group zkeyadm > /dev/null || groupadd -r zkeyadm %{_bindir}/dump2tar %{_bindir}/genprotimg %{_bindir}/mk-s390image +%{_bindir}/pvattest +%{_bindir}/pvextract-hdr %{_bindir}/vmconvert %{_bindir}/zkey %{_bindir}/zkey-cryptsetup %{_unitdir}/dumpconf.service %ghost %config(noreplace) %{_sysconfdir}/zipl.conf %config(noreplace) %{_sysconfdir}/sysconfig/dumpconf +%{_sysconfdir}/mdevctl.d/* +/usr/lib/dracut/modules.d/99ngdump/ /lib/s390-tools/dumpconf /lib/s390-tools/lsznet.raw %dir /lib/s390-tools/zfcpdump @@ -560,13 +574,13 @@ getent group zkeyadm > /dev/null || groupadd -r zkeyadm %dir %{_libdir}/zkey %{_libdir}/zkey/zkey-ekmfweb.so %{_libdir}/zkey/zkey-kmip.so -%{_mandir}/man1/dbginfo.sh.1* %{_mandir}/man1/dump2tar.1* -%{_mandir}/man1/lscpumf.1* -%{_mandir}/man1/lshwc.1* +%{_mandir}/man1/genprotimg.1* +%{_mandir}/man1/pvattest.1* +%{_mandir}/man1/pvattest-create.1* +%{_mandir}/man1/pvattest-perform.1* +%{_mandir}/man1/pvattest-verify.1* %{_mandir}/man1/vmconvert.1* -%{_mandir}/man1/zfcpdbf.1* -%{_mandir}/man1/zipl-switch-to-blscfg.1* %{_mandir}/man1/zkey.1* %{_mandir}/man1/zkey-cryptsetup.1* %{_mandir}/man1/zkey-ekmfweb.1* @@ -581,14 +595,16 @@ getent group zkeyadm > /dev/null || groupadd -r zkeyadm %{_mandir}/man8/chzcrypt.8* %{_mandir}/man8/dasdstat.8* %{_mandir}/man8/dasdview.8* +%{_mandir}/man8/dbginfo.sh.8* %{_mandir}/man8/dumpconf.8* -%{_mandir}/man8/genprotimg.8.* %{_mandir}/man8/hsavmcore.8* %{_mandir}/man8/hsci.8* %{_mandir}/man8/hyptop.8* %{_mandir}/man8/lschp.8* +%{_mandir}/man8/lscpumf.8* %{_mandir}/man8/lscss.8* %{_mandir}/man8/lsdasd.8* +%{_mandir}/man8/lshwc.8* %{_mandir}/man8/lsluns.8* %{_mandir}/man8/lsqeth.8* %{_mandir}/man8/lsreipl.8* @@ -598,6 +614,7 @@ getent group zkeyadm > /dev/null || groupadd -r zkeyadm %{_mandir}/man8/lstape.8* %{_mandir}/man8/lszcrypt.8* %{_mandir}/man8/lszfcp.8* +%{_mandir}/man8/pai.8* %{_mandir}/man8/qetharp.8* %{_mandir}/man8/qethconf.8* %{_mandir}/man8/qethqoat.8* 
@@ -608,7 +625,9 @@ getent group zkeyadm > /dev/null || groupadd -r zkeyadm %{_mandir}/man8/vmur.8* %{_mandir}/man8/zcryptctl.8* %{_mandir}/man8/zcryptstats.8* +%{_mandir}/man8/zfcpdbf.8* %{_mandir}/man8/zgetdump.8* +%{_mandir}/man8/zipl-switch-to-blscfg.8* %{_mandir}/man8/znetconf.8* %{_mandir}/man8/zpcictl.8* %dir %{_datadir}/s390-tools @@ -844,8 +863,8 @@ This package contains the CMS file system tools. # %package cmsfs-fuse Summary: CMS file system based on FUSE -BuildRequires: fuse-devel -Requires: fuse +BuildRequires: fuse3-devel +Requires: fuse3 %description cmsfs-fuse This package contains the CMS file system based on FUSE. @@ -861,9 +880,9 @@ This package contains the CMS file system based on FUSE. # %package zdsfs Summary: z/OS data set access based on FUSE -BuildRequires: fuse-devel +BuildRequires: fuse3-devel BuildRequires: libcurl-devel -Requires: fuse +Requires: fuse3 %description zdsfs This package contains the z/OS data set access based on FUSE. @@ -877,8 +896,8 @@ This package contains the z/OS data set access based on FUSE. # %package hmcdrvfs Summary: HMC drive file system based on FUSE -BuildRequires: fuse-devel -Requires: fuse +BuildRequires: fuse3-devel +Requires: fuse3 %description hmcdrvfs This package contains a HMC drive file system based on FUSE and a tool @@ -932,6 +951,9 @@ Summary: Use multipath information for re-IPL path failover BuildRequires: make BuildRequires: bash BuildRequires: coreutils +%if 0%{?with_pandoc} +BuildRequires: pandoc +%endif BuildRequires: gawk BuildRequires: gzip BuildRequires: sed @@ -950,6 +972,9 @@ reconfigures the FCP re-IPL settings to use an operational path. %files chreipl-fcp-mpath %doc chreipl-fcp-mpath/README.md +%if 0%{?with_pandoc} +%doc chreipl-fcp-mpath/README.html +%endif %dir %{_prefix}/lib/chreipl-fcp-mpath/ %{_prefix}/lib/chreipl-fcp-mpath/* %{_prefix}/lib/dracut/dracut.conf.d/70-chreipl-fcp-mpath.conf 
@@ -959,6 +984,7 @@ reconfigures the FCP re-IPL settings to use an operational path. %{_prefix}/lib/udev/chreipl-fcp-mpath-record-volume-identifier %{_prefix}/lib/udev/chreipl-fcp-mpath-try-change-ipl-path %{_udevrulesdir}/70-chreipl-fcp-mpath.rules +%{_mandir}/man7/chreipl-fcp-mpath.7* # # *********************** devel package *********************** @@ -980,14 +1006,25 @@ User-space development files for the s390/s390x architecture. %changelog -* Tue Jul 12 2022 Dan Horák - 2:2.19.0-1.2 -- hyptop: observable value fluctuations on initial iteration (#2101809) -- Resolves: #2101809 +* Fri Aug 05 2022 Dan Horák - 2:2.22.0-2 +- zipl: Add missing check for a nullpointer (#2113976) +- Resolves: #2113976 -* Thu Jun 09 2022 Dan Horák - 2:2.19.0-1.1 -- genprotimg: certificate verification is too strict (#2081311) -- zkey: fix re-enciphering of EP11 identity key of KMIP plugin (#2081310) -- Resolves: #2081311 #2081310 +* Tue Jul 12 2022 Dan Horák - 2:2.22.0-1 +- rebased to 2.22.0 (#2043846) +- add tool to persistently configure vfio-ap devices (#1660911) +- NVMe stand-alone dump support (#1847462) +- KVM: Secure Execution Attestation Userspace Tool (#1984908) +- KVM: Allow long kernel command lines for Secure Execution guests (#2043831) +- KVM: Secure Execution guest dump encryption with customer keys (#2043833) +- zcrypt DD: Exploitation Support of new IBM Z Crypto Hardware (#2043857) +- zipl: Site-aware environment block (#2043913) +- Add additional information to SCLP CPI (#2046681) +- Add new CPU-MF Counters for IBM z16 Hardware (#2047727) +- Long Kernel Commmand Line for s390x (#2060829) +- zkey: Fix re-enciphering of EP11 identity key of KMIP plugin (#2075011) +- genprotimg/check_hostkeydoc: cert. verification is too strict (#2075013) +- Resolves: #2043846 #1660911 #1847462 #1984908 #2043831 #2043833 #2043857 #2043913 #2046681 #2047727 #2060829 #2075011 #2075013 * Thu Nov 18 2021 Dan Horák - 2:2.19.0-1 - rebased to 2.19.0 (#1984976)
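Review bot: The %install hunk drops the `chmod 755 %{buildroot}/lib/s390-tools/cpictl` workaround for bug 2024102, but neither the spec nor the new changelog entries record that 2.22.0 installs cpictl with the executable bit on its own. If the upstream install target was fixed, a one-line changelog entry or a comment at the former fixup site would explain why the workaround is retired; if it was not, the installed file silently regresses to the old mode. The rest of the %install section is outside the hunk.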