Merge branch 'c8' into a8
This commit is contained in:
commit
eafb5d65ac
2
.gitignore
vendored
2
.gitignore
vendored
@ -1,3 +1,3 @@
|
|||||||
SOURCES/cmsfs-1.1.8c.tar.gz
|
SOURCES/cmsfs-1.1.8c.tar.gz
|
||||||
SOURCES/s390-tools-2.19.0.tar.gz
|
SOURCES/s390-tools-2.22.0.tar.gz
|
||||||
SOURCES/src_vipa-2.1.0.tar.gz
|
SOURCES/src_vipa-2.1.0.tar.gz
|
||||||
|
@ -1,3 +1,3 @@
|
|||||||
9c9a4e89bddb2b4e6e09ef6fc7c2e6f2ad6316de SOURCES/cmsfs-1.1.8c.tar.gz
|
9c9a4e89bddb2b4e6e09ef6fc7c2e6f2ad6316de SOURCES/cmsfs-1.1.8c.tar.gz
|
||||||
5b4eeed3868297ca65b7d5720484786172dc11d1 SOURCES/s390-tools-2.19.0.tar.gz
|
7023dd992d5cb418cb522a62c6f8550bf3d4ec37 SOURCES/s390-tools-2.22.0.tar.gz
|
||||||
8ed8592a0a9370ce8422df9231ccb17f6cf49bed SOURCES/src_vipa-2.1.0.tar.gz
|
8ed8592a0a9370ce8422df9231ccb17f6cf49bed SOURCES/src_vipa-2.1.0.tar.gz
|
||||||
|
@ -1,6 +1,221 @@
|
|||||||
diff -up s390-tools-2.9.0/zipl/src/Makefile.blscfg-rpm-nvr-sort s390-tools-2.9.0/zipl/src/Makefile
|
From 14119148dabb7f4f633623c00eece44c5771db10 Mon Sep 17 00:00:00 2001
|
||||||
--- s390-tools-2.9.0/zipl/src/Makefile.blscfg-rpm-nvr-sort 2019-05-22 08:16:17.317273801 -0400
|
From: =?UTF-8?q?Dan=20Hor=C3=A1k?= <dan@danny.cz>
|
||||||
+++ s390-tools-2.9.0/zipl/src/Makefile 2019-05-22 08:18:02.947273801 -0400
|
Date: Mon, 20 Jun 2022 17:43:05 +0200
|
||||||
|
Subject: [PATCH 1/2] Revert "zipl/src: Implement sorting bls entries by
|
||||||
|
versions"
|
||||||
|
|
||||||
|
This reverts commit a0dba6bfdb50ff373fa710ffe2a307cc0748f18b.
|
||||||
|
---
|
||||||
|
zipl/src/scan.c | 139 ++----------------------------------------------
|
||||||
|
1 file changed, 3 insertions(+), 136 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/zipl/src/scan.c b/zipl/src/scan.c
|
||||||
|
index 0cea1d4..9352f76 100644
|
||||||
|
--- a/zipl/src/scan.c
|
||||||
|
+++ b/zipl/src/scan.c
|
||||||
|
@@ -10,7 +10,6 @@
|
||||||
|
*
|
||||||
|
*/
|
||||||
|
|
||||||
|
-static const char *VERSION_KEYWORD = "version";
|
||||||
|
|
||||||
|
/* Need ISOC99 function isblank() in ctype.h */
|
||||||
|
#ifndef __USE_ISOC99
|
||||||
|
@@ -646,7 +645,7 @@ scan_file(const char* filename, struct scan_token** token)
|
||||||
|
|
||||||
|
|
||||||
|
static int
|
||||||
|
-bls_filter_by_names(const struct dirent *ent)
|
||||||
|
+bls_filter(const struct dirent *ent)
|
||||||
|
{
|
||||||
|
int offset = strlen(ent->d_name) - strlen(".conf");
|
||||||
|
|
||||||
|
@@ -656,111 +655,13 @@ bls_filter_by_names(const struct dirent *ent)
|
||||||
|
return strncmp(ent->d_name + offset, ".conf", strlen(".conf")) == 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
-struct version {
|
||||||
|
- char *line; /* pointer to a line with version keyword */
|
||||||
|
- int offset; /* offset of version value in the line */
|
||||||
|
-};
|
||||||
|
-
|
||||||
|
-/*
|
||||||
|
- * Locate version in bls file represented by ENT
|
||||||
|
- */
|
||||||
|
-static void get_version(const struct dirent *ent, struct version *v)
|
||||||
|
-{
|
||||||
|
- char *line = NULL;
|
||||||
|
- size_t len = 0;
|
||||||
|
- char *d_name;
|
||||||
|
- FILE *stream;
|
||||||
|
- ssize_t read;
|
||||||
|
-
|
||||||
|
- memset(v, 0, sizeof(*v));
|
||||||
|
- d_name = misc_make_path((char *)blsdir, (char *)ent->d_name);
|
||||||
|
- if (!d_name)
|
||||||
|
- return;
|
||||||
|
-
|
||||||
|
- stream = fopen(d_name, "r");
|
||||||
|
- free(d_name);
|
||||||
|
- if (!stream)
|
||||||
|
- return;
|
||||||
|
-
|
||||||
|
- while ((read = getline(&line, &len, stream)) != -1) {
|
||||||
|
- if (line[read - 1] == '\n') {
|
||||||
|
- line[read - 1] = '\0';
|
||||||
|
- read--;
|
||||||
|
- }
|
||||||
|
- if ((size_t)read <= strlen(VERSION_KEYWORD) + 1)
|
||||||
|
- continue;
|
||||||
|
- if (strcmp(VERSION_KEYWORD, line) > 0)
|
||||||
|
- continue;
|
||||||
|
- if (!isblank(line[strlen(VERSION_KEYWORD)]))
|
||||||
|
- continue;
|
||||||
|
- /* skip blanks */
|
||||||
|
- v->offset = strlen(VERSION_KEYWORD) + 1;
|
||||||
|
- while (v->offset < read - 1 && isblank(line[v->offset]))
|
||||||
|
- v->offset++;
|
||||||
|
- if (isblank(line[v->offset]))
|
||||||
|
- /*
|
||||||
|
- * all characters after the keyword
|
||||||
|
- * are blanks. Invalid version
|
||||||
|
- */
|
||||||
|
- continue;
|
||||||
|
- v->line = line;
|
||||||
|
- fclose(stream);
|
||||||
|
- return;
|
||||||
|
- }
|
||||||
|
- free(line);
|
||||||
|
- fclose(stream);
|
||||||
|
-}
|
||||||
|
-
|
||||||
|
-static void put_version(struct version *v)
|
||||||
|
-{
|
||||||
|
- free(v->line);
|
||||||
|
-}
|
||||||
|
-
|
||||||
|
-/**
|
||||||
|
- * Check version in bls file represented by ENT.
|
||||||
|
- * Return 1 if version is valid. Otherwise return 0
|
||||||
|
- */
|
||||||
|
-static int bls_filter_by_versions(const struct dirent *ent)
|
||||||
|
-{
|
||||||
|
- struct version v;
|
||||||
|
-
|
||||||
|
- if (bls_filter_by_names(ent) == 0)
|
||||||
|
- return 0;
|
||||||
|
-
|
||||||
|
- get_version(ent, &v);
|
||||||
|
- if (v.line) {
|
||||||
|
- put_version(&v);
|
||||||
|
- return 1;
|
||||||
|
- }
|
||||||
|
- return 0;
|
||||||
|
-}
|
||||||
|
-
|
||||||
|
|
||||||
|
static int
|
||||||
|
-bls_sort_by_names(const struct dirent **ent_a, const struct dirent **ent_b)
|
||||||
|
+bls_sort(const struct dirent **ent_a, const struct dirent **ent_b)
|
||||||
|
{
|
||||||
|
return strverscmp((*ent_a)->d_name, (*ent_b)->d_name);
|
||||||
|
}
|
||||||
|
|
||||||
|
-static int
|
||||||
|
-bls_sort_by_versions(const struct dirent **ent_a, const struct dirent **ent_b)
|
||||||
|
-{
|
||||||
|
- struct version v1, v2;
|
||||||
|
- int ret;
|
||||||
|
-
|
||||||
|
- get_version(*ent_a, &v1);
|
||||||
|
- get_version(*ent_b, &v2);
|
||||||
|
- /*
|
||||||
|
- * Both versions are valid.
|
||||||
|
- * It is guaranteed by bls_filter_by_versions()
|
||||||
|
- */
|
||||||
|
- ret = strverscmp(v1.line + v1.offset, v2.line + v2.offset);
|
||||||
|
-
|
||||||
|
- put_version(&v1);
|
||||||
|
- put_version(&v2);
|
||||||
|
-
|
||||||
|
- return ret;
|
||||||
|
-}
|
||||||
|
|
||||||
|
static int
|
||||||
|
scan_append_section_heading(struct scan_token* scan, int* index, char* name);
|
||||||
|
@@ -1110,40 +1011,6 @@ scan_count_target_keywords(char* keyword[])
|
||||||
|
return num;
|
||||||
|
}
|
||||||
|
|
||||||
|
-static int bls_scandir(struct dirent ***bls_entries)
|
||||||
|
-{
|
||||||
|
- struct dirent **entries1;
|
||||||
|
- struct dirent **entries2;
|
||||||
|
- int n1, n2;
|
||||||
|
-
|
||||||
|
- /* arrange by names */
|
||||||
|
- n1 = scandir(blsdir, &entries1,
|
||||||
|
- bls_filter_by_names, bls_sort_by_names);
|
||||||
|
- if (n1 <= 0)
|
||||||
|
- return n1;
|
||||||
|
- /* arrange by versions */
|
||||||
|
- n2 = scandir(blsdir, &entries2,
|
||||||
|
- bls_filter_by_versions, bls_sort_by_versions);
|
||||||
|
-
|
||||||
|
- if (n2 <= 0 || n2 < n1) {
|
||||||
|
- /*
|
||||||
|
- * failed to sort by versions,
|
||||||
|
- * fall back to sorting by filenames
|
||||||
|
- */
|
||||||
|
- *bls_entries = entries1;
|
||||||
|
- while (n2--)
|
||||||
|
- free(entries2[n2]);
|
||||||
|
- free(entries2);
|
||||||
|
- return n1;
|
||||||
|
- }
|
||||||
|
- /* use arrangement by versions */
|
||||||
|
- *bls_entries = entries2;
|
||||||
|
- while (n1--)
|
||||||
|
- free(entries1[n1]);
|
||||||
|
- free(entries1);
|
||||||
|
- return n2;
|
||||||
|
-}
|
||||||
|
-
|
||||||
|
int
|
||||||
|
scan_check_target_data(char* keyword[], int* line)
|
||||||
|
{
|
||||||
|
@@ -1464,7 +1331,7 @@ int scan_bls(struct scan_token **token, int scan_size)
|
||||||
|
if (!(stat(blsdir, &sb) == 0 && S_ISDIR(sb.st_mode)))
|
||||||
|
return 0;
|
||||||
|
|
||||||
|
- n = bls_scandir(&bls_entries);
|
||||||
|
+ n = scandir(blsdir, &bls_entries, bls_filter, bls_sort);
|
||||||
|
if (n <= 0)
|
||||||
|
return n;
|
||||||
|
|
||||||
|
--
|
||||||
|
2.36.1
|
||||||
|
|
||||||
|
|
||||||
|
From 661f143bb0b429c732d0ad9756c745dcb8799bc7 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Peter Jones <pjones@redhat.com>
|
||||||
|
Date: Mon, 20 Jun 2022 17:46:59 +0200
|
||||||
|
Subject: [PATCH 2/2] blscfg: sort like rpm nvr, not like a single version
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
|
||||||
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||||
|
Signed-off-by: Dan Horák <dan@danny.cz>
|
||||||
|
---
|
||||||
|
zipl/src/Makefile | 2 +-
|
||||||
|
zipl/src/scan.c | 96 ++++++++++++++++++++++++++++++++++++++++++++++-
|
||||||
|
2 files changed, 95 insertions(+), 3 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/zipl/src/Makefile b/zipl/src/Makefile
|
||||||
|
index 786bb7f..1adc486 100644
|
||||||
|
--- a/zipl/src/Makefile
|
||||||
|
+++ b/zipl/src/Makefile
|
||||||
@@ -7,7 +7,7 @@ ALL_CPPFLAGS += -I../include -I../boot \
|
@@ -7,7 +7,7 @@ ALL_CPPFLAGS += -I../include -I../boot \
|
||||||
-D_FILE_OFFSET_BITS=64 $(NO_PIE_CFLAGS)
|
-D_FILE_OFFSET_BITS=64 $(NO_PIE_CFLAGS)
|
||||||
ALL_LDFLAGS += -Wl,-z,noexecstack $(NO_PIE_LDFLAGS)
|
ALL_LDFLAGS += -Wl,-z,noexecstack $(NO_PIE_LDFLAGS)
|
||||||
@ -10,10 +225,11 @@ diff -up s390-tools-2.9.0/zipl/src/Makefile.blscfg-rpm-nvr-sort s390-tools-2.9.0
|
|||||||
|
|
||||||
objects = misc.o error.o scan.o job.o boot.o bootmap.o fs-map.o disk.o \
|
objects = misc.o error.o scan.o job.o boot.o bootmap.o fs-map.o disk.o \
|
||||||
bootmap_header.o envblk.o install.o zipl.o $(rootdir)/zipl/boot/data.o
|
bootmap_header.o envblk.o install.o zipl.o $(rootdir)/zipl/boot/data.o
|
||||||
diff -up s390-tools-2.9.0/zipl/src/scan.c.blscfg-rpm-nvr-sort s390-tools-2.9.0/zipl/src/scan.c
|
diff --git a/zipl/src/scan.c b/zipl/src/scan.c
|
||||||
--- s390-tools-2.9.0/zipl/src/scan.c.blscfg-rpm-nvr-sort 2019-05-21 09:13:36.000000000 -0400
|
index 9352f76..3327e2d 100644
|
||||||
+++ s390-tools-2.9.0/zipl/src/scan.c 2019-05-22 08:16:17.317273801 -0400
|
--- a/zipl/src/scan.c
|
||||||
@@ -33,6 +33,8 @@
|
+++ b/zipl/src/scan.c
|
||||||
|
@@ -35,6 +35,8 @@
|
||||||
|
|
||||||
#include "lib/util_base.h"
|
#include "lib/util_base.h"
|
||||||
|
|
||||||
@ -22,7 +238,7 @@ diff -up s390-tools-2.9.0/zipl/src/scan.c.blscfg-rpm-nvr-sort s390-tools-2.9.0/z
|
|||||||
#include "boot.h"
|
#include "boot.h"
|
||||||
#include "error.h"
|
#include "error.h"
|
||||||
#include "misc.h"
|
#include "misc.h"
|
||||||
@@ -653,13 +655,103 @@ bls_filter(const struct dirent *ent)
|
@@ -655,13 +657,103 @@ bls_filter(const struct dirent *ent)
|
||||||
return strncmp(ent->d_name + offset, ".conf", strlen(".conf")) == 0;
|
return strncmp(ent->d_name + offset, ".conf", strlen(".conf")) == 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -128,3 +344,6 @@ diff -up s390-tools-2.9.0/zipl/src/scan.c.blscfg-rpm-nvr-sort s390-tools-2.9.0/z
|
|||||||
|
|
||||||
static int
|
static int
|
||||||
scan_append_section_heading(struct scan_token* scan, int* index, char* name);
|
scan_append_section_heading(struct scan_token* scan, int* index, char* name);
|
||||||
|
--
|
||||||
|
2.36.1
|
||||||
|
|
||||||
|
@ -61,10 +61,10 @@ index 871935c783f..d8d5eca5867 100755
|
|||||||
;;
|
;;
|
||||||
--)
|
--)
|
||||||
shift
|
shift
|
||||||
diff --git a/scripts/zipl-switch-to-blscfg.1 b/scripts/zipl-switch-to-blscfg.1
|
diff --git a/scripts/zipl-switch-to-blscfg.8 b/scripts/zipl-switch-to-blscfg.8
|
||||||
index 6bd14d00d14..71b904ffd1c 100644
|
index 6bd14d00d14..71b904ffd1c 100644
|
||||||
--- a/scripts/zipl-switch-to-blscfg.1
|
--- a/scripts/zipl-switch-to-blscfg.8
|
||||||
+++ b/scripts/zipl-switch-to-blscfg.1
|
+++ b/scripts/zipl-switch-to-blscfg.8
|
||||||
@@ -37,9 +37,9 @@ The DIRECTORY where the BLS fragments will be generated. The directory is create
|
@@ -37,9 +37,9 @@ The DIRECTORY where the BLS fragments will be generated. The directory is create
|
||||||
The FILE used for zipl configuration file, defaults to /etc/zipl.conf.
|
The FILE used for zipl configuration file, defaults to /etc/zipl.conf.
|
||||||
|
|
||||||
|
@ -1,478 +0,0 @@
|
|||||||
From b6be5a1f038f07c0908d2929551831a228c48705 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Marc Hartmayer <mhartmay@linux.ibm.com>
|
|
||||||
Date: Thu, 31 Mar 2022 14:00:31 +0000
|
|
||||||
Subject: [PATCH 1/4] genprotimg: remove DigiCert root CA pinning
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
Remove the DigiCert root CA pinning. The root CA used for the chain of trust can
|
|
||||||
change in the future therefore let's remove this check. If someone wants to
|
|
||||||
enforce the usage of a specific root CA it can be selected by the genprotimg
|
|
||||||
command line option `--root-ca $CA`. Make it transparent to the user which root
|
|
||||||
CA is actually being used by printing the subject name of the root CA to stdout
|
|
||||||
in verbose mode.
|
|
||||||
|
|
||||||
Signed-off-by: Marc Hartmayer <mhartmay@linux.ibm.com>
|
|
||||||
Acked-by: Viktor Mihajlovski <mihajlov@linux.ibm.com>
|
|
||||||
Reviewed-and-tested-by: Nico Boehr <nrb@linux.ibm.com>
|
|
||||||
Signed-off-by: Jan Höppner <hoeppner@linux.ibm.com>
|
|
||||||
(cherry picked from commit 78b053326c504c0535b5ec1c244ad7bb5a1df29d)
|
|
||||||
---
|
|
||||||
genprotimg/man/genprotimg.8 | 2 +-
|
|
||||||
genprotimg/src/include/pv_crypto_def.h | 3 --
|
|
||||||
genprotimg/src/pv/pv_args.c | 2 +-
|
|
||||||
genprotimg/src/pv/pv_image.c | 27 ++++++---------
|
|
||||||
genprotimg/src/utils/crypto.c | 48 +++++++++++---------------
|
|
||||||
genprotimg/src/utils/crypto.h | 4 +--
|
|
||||||
6 files changed, 35 insertions(+), 51 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/genprotimg/man/genprotimg.8 b/genprotimg/man/genprotimg.8
|
|
||||||
index 8a481c4..6f14052 100644
|
|
||||||
--- a/genprotimg/man/genprotimg.8
|
|
||||||
+++ b/genprotimg/man/genprotimg.8
|
|
||||||
@@ -87,7 +87,7 @@ CRLs. Optional.
|
|
||||||
.TP
|
|
||||||
\fB\-\-root\-ca\fR=\fI\,FILE\/\fR
|
|
||||||
Specifies the root CA certificate for the verification. If omitted,
|
|
||||||
-the DigiCert root CA certificate installed on the system is used. Use
|
|
||||||
+the system wide root CAs installed on the system is used. Use
|
|
||||||
this only if you trust the specified certificate. Optional.
|
|
||||||
.TP
|
|
||||||
\fB\-\-no-verify\fR
|
|
||||||
diff --git a/genprotimg/src/include/pv_crypto_def.h b/genprotimg/src/include/pv_crypto_def.h
|
|
||||||
index 53984a3..3635433 100644
|
|
||||||
--- a/genprotimg/src/include/pv_crypto_def.h
|
|
||||||
+++ b/genprotimg/src/include/pv_crypto_def.h
|
|
||||||
@@ -29,9 +29,6 @@
|
|
||||||
*/
|
|
||||||
#define PV_CERTS_SECURITY_LEVEL 2
|
|
||||||
|
|
||||||
-/* SKID for DigiCert Assured ID Root CA */
|
|
||||||
-#define DIGICERT_ASSURED_ID_ROOT_CA_SKID "45EBA2AFF492CB82312D518BA7A7219DF36DC80F"
|
|
||||||
-
|
|
||||||
union ecdh_pub_key {
|
|
||||||
struct {
|
|
||||||
uint8_t x[80];
|
|
||||||
diff --git a/genprotimg/src/pv/pv_args.c b/genprotimg/src/pv/pv_args.c
|
|
||||||
index e644ae7..bcc3784 100644
|
|
||||||
--- a/genprotimg/src/pv/pv_args.c
|
|
||||||
+++ b/genprotimg/src/pv/pv_args.c
|
|
||||||
@@ -111,7 +111,7 @@ static gint pv_args_validate_options(PvArgs *args, GError **err)
|
|
||||||
g_strv_length(args->untrusted_cert_paths) == 0)) {
|
|
||||||
g_set_error(
|
|
||||||
err, PV_PARSE_ERROR, PR_PARSE_ERROR_MISSING_ARGUMENT,
|
|
||||||
- _("Either specify the IBM Z signing key and (DigiCert) intermediate CA certificate\n"
|
|
||||||
+ _("Either specify the IBM Z signing key and intermediate CA certificate\n"
|
|
||||||
"by using the '--cert' option, or use the '--no-verify' flag to disable the\n"
|
|
||||||
"host-key document verification completely (at your own risk)."));
|
|
||||||
return -1;
|
|
||||||
diff --git a/genprotimg/src/pv/pv_image.c b/genprotimg/src/pv/pv_image.c
|
|
||||||
index 7359240..a5f07b8 100644
|
|
||||||
--- a/genprotimg/src/pv/pv_image.c
|
|
||||||
+++ b/genprotimg/src/pv/pv_image.c
|
|
||||||
@@ -304,9 +304,10 @@ static gint pv_img_hostkey_verify(GSList *host_key_certs,
|
|
||||||
}
|
|
||||||
|
|
||||||
/* Load all untrusted certificates (e.g. IBM Z signing key and
|
|
||||||
- * DigiCert intermediate CA) that are required to establish a chain of
|
|
||||||
- * trust starting from the host-key document up to the root CA (if not
|
|
||||||
- * otherwise specified that's the DigiCert Assured ID Root CA).
|
|
||||||
+ * intermediate CA) that are required to establish a chain of trust
|
|
||||||
+ * starting from the host-key document up to the root CA (if not
|
|
||||||
+ * otherwise specified that can be one of the system wide installed
|
|
||||||
+ * root CAs, e.g. DigiCert).
|
|
||||||
*/
|
|
||||||
untrusted_certs_with_path = load_certificates(untrusted_cert_paths, err);
|
|
||||||
if (!untrusted_certs_with_path)
|
|
||||||
@@ -341,9 +342,8 @@ static gint pv_img_hostkey_verify(GSList *host_key_certs,
|
|
||||||
* For this we must check:
|
|
||||||
*
|
|
||||||
* 1. Can a chain of trust be established ending in a root CA
|
|
||||||
- * 2. Is the correct root CA ued? It has either to be the
|
|
||||||
- * 'DigiCert Assured ID Root CA' or the root CA specified via
|
|
||||||
- * command line.
|
|
||||||
+ * 2. Is the correct root CA used? It has either to be a system CA
|
|
||||||
+ * or the root CA specified via command line.
|
|
||||||
*/
|
|
||||||
for (gint i = 0; i < sk_X509_num(ibm_signing_certs); ++i) {
|
|
||||||
X509 *ibm_signing_cert = sk_X509_value(ibm_signing_certs, i);
|
|
||||||
@@ -364,17 +364,12 @@ static gint pv_img_hostkey_verify(GSList *host_key_certs,
|
|
||||||
if (verify_cert(ibm_signing_cert, ctx, err) < 0)
|
|
||||||
goto error;
|
|
||||||
|
|
||||||
- /* Verify the build chain of trust chain. If the user passes a
|
|
||||||
- * trusted root CA on the command line then the check for the
|
|
||||||
- * Subject Key Identifier (SKID) is skipped, otherwise let's
|
|
||||||
- * check if the SKID meets our expectation.
|
|
||||||
+ /* If there is a chain of trust using either the provided root
|
|
||||||
+ * CA on the command line or a system wide trusted root CA.
|
|
||||||
*/
|
|
||||||
- if (!root_ca_path &&
|
|
||||||
- check_chain_parameters(X509_STORE_CTX_get0_chain(ctx),
|
|
||||||
- get_digicert_assured_id_root_ca_skid(),
|
|
||||||
- err) < 0) {
|
|
||||||
+ if (check_chain_parameters(X509_STORE_CTX_get0_chain(ctx),
|
|
||||||
+ err) < 0)
|
|
||||||
goto error;
|
|
||||||
- }
|
|
||||||
|
|
||||||
ibm_signing_crls = store_ctx_find_valid_crls(ctx, ibm_signing_cert, err);
|
|
||||||
if (!ibm_signing_crls) {
|
|
||||||
@@ -588,7 +583,7 @@ PvImage *pv_img_new(PvArgs *args, const gchar *stage3a_path, GError **err)
|
|
||||||
g_warning(_("host-key document verification is disabled. Your workload is not secured."));
|
|
||||||
|
|
||||||
if (args->root_ca_path)
|
|
||||||
- g_warning(_("A different root CA than the default DigiCert root CA is selected. Ensure that this root CA is trusted."));
|
|
||||||
+ g_warning(_("The root CA is selected through the command line. Ensure that this root CA is trusted."));
|
|
||||||
|
|
||||||
ret->comps = pv_img_comps_new(EVP_sha512(), EVP_sha512(), EVP_sha512(), err);
|
|
||||||
if (!ret->comps)
|
|
||||||
diff --git a/genprotimg/src/utils/crypto.c b/genprotimg/src/utils/crypto.c
|
|
||||||
index 087de37..9d1fdb0 100644
|
|
||||||
--- a/genprotimg/src/utils/crypto.c
|
|
||||||
+++ b/genprotimg/src/utils/crypto.c
|
|
||||||
@@ -1079,8 +1079,8 @@ int store_set_verify_param(X509_STORE *store, GError **err)
|
|
||||||
g_abort();
|
|
||||||
|
|
||||||
/* The maximum depth level of the chain of trust for the verification of
|
|
||||||
- * the IBM Z signing key is 2, i.e. IBM Z signing key -> (DigiCert)
|
|
||||||
- * intermediate CA -> (DigiCert) root CA
|
|
||||||
+ * the IBM Z signing key is 2, i.e. IBM Z signing key -> intermediate CA
|
|
||||||
+ * -> root CA
|
|
||||||
*/
|
|
||||||
X509_VERIFY_PARAM_set_depth(param, 2);
|
|
||||||
|
|
||||||
@@ -1267,46 +1267,38 @@ static int security_level_to_bits(int level)
|
|
||||||
return security_bits[level];
|
|
||||||
}
|
|
||||||
|
|
||||||
-static ASN1_OCTET_STRING *digicert_assured_id_root_ca;
|
|
||||||
-
|
|
||||||
-const ASN1_OCTET_STRING *get_digicert_assured_id_root_ca_skid(void)
|
|
||||||
-{
|
|
||||||
- pv_crypto_init();
|
|
||||||
- return digicert_assured_id_root_ca;
|
|
||||||
-}
|
|
||||||
-
|
|
||||||
/* Used for the caching of the downloaded CRLs */
|
|
||||||
static GHashTable *cached_crls;
|
|
||||||
|
|
||||||
void pv_crypto_init(void)
|
|
||||||
{
|
|
||||||
- if (digicert_assured_id_root_ca)
|
|
||||||
+ if (cached_crls)
|
|
||||||
return;
|
|
||||||
-
|
|
||||||
cached_crls = g_hash_table_new_full(g_str_hash, g_str_equal, g_free,
|
|
||||||
(GDestroyNotify)X509_CRL_free);
|
|
||||||
- digicert_assured_id_root_ca = s2i_ASN1_OCTET_STRING(
|
|
||||||
- NULL, NULL, DIGICERT_ASSURED_ID_ROOT_CA_SKID);
|
|
||||||
}
|
|
||||||
|
|
||||||
void pv_crypto_cleanup(void)
|
|
||||||
{
|
|
||||||
- if (!digicert_assured_id_root_ca)
|
|
||||||
+ if (!cached_crls)
|
|
||||||
return;
|
|
||||||
g_clear_pointer(&cached_crls, g_hash_table_destroy);
|
|
||||||
- g_clear_pointer(&digicert_assured_id_root_ca, ASN1_OCTET_STRING_free);
|
|
||||||
}
|
|
||||||
|
|
||||||
gint check_chain_parameters(const STACK_OF_X509 *chain,
|
|
||||||
- const ASN1_OCTET_STRING *skid, GError **err)
|
|
||||||
+ GError **err)
|
|
||||||
{
|
|
||||||
- const ASN1_OCTET_STRING *ca_skid = NULL;
|
|
||||||
+ const X509_NAME *ca_x509_subject = NULL;
|
|
||||||
+ g_autofree gchar *ca_subject = NULL;
|
|
||||||
gint len = sk_X509_num(chain);
|
|
||||||
X509 *ca = NULL;
|
|
||||||
|
|
||||||
- g_assert(skid);
|
|
||||||
/* at least one root and one leaf certificate must be defined */
|
|
||||||
- g_assert(len >= 2);
|
|
||||||
+ if (len < 2) {
|
|
||||||
+ g_set_error(err, PV_CRYPTO_ERROR, PV_CRYPTO_ERROR_INTERNAL,
|
|
||||||
+ _("there must be at least on root and one leaf certificate in the chain of trust"));
|
|
||||||
+ return -1;
|
|
||||||
+ }
|
|
||||||
|
|
||||||
/* get the root certificate of the chain of trust */
|
|
||||||
ca = sk_X509_value(chain, len - 1);
|
|
||||||
@@ -1316,19 +1308,21 @@ gint check_chain_parameters(const STACK_OF_X509 *chain,
|
|
||||||
return -1;
|
|
||||||
}
|
|
||||||
|
|
||||||
- ca_skid = X509_get0_subject_key_id(ca);
|
|
||||||
- if (!ca_skid) {
|
|
||||||
- g_set_error(err, PV_CRYPTO_ERROR, PV_CRYPTO_ERROR_MALFORMED_ROOT_CA,
|
|
||||||
- _("malformed root certificate"));
|
|
||||||
+ ca_x509_subject = X509_get_subject_name(ca);
|
|
||||||
+ if (!ca_x509_subject) {
|
|
||||||
+ g_set_error(err, PV_CRYPTO_ERROR, PV_CRYPTO_ERROR_INTERNAL,
|
|
||||||
+ _("subject of the root CA cannot be retrieved"));
|
|
||||||
return -1;
|
|
||||||
}
|
|
||||||
|
|
||||||
- if (ASN1_STRING_cmp(ca_skid, skid) != 0) {
|
|
||||||
- g_set_error(err, PV_CRYPTO_ERROR, PV_CRYPTO_ERROR_WRONG_CA_USED,
|
|
||||||
- _("expecting DigiCert root CA to be used"));
|
|
||||||
+ ca_subject = X509_NAME_oneline(ca_x509_subject, NULL, 0);
|
|
||||||
+ if (!ca_subject) {
|
|
||||||
+ g_set_error(err, PV_CRYPTO_ERROR, PV_CRYPTO_ERROR_INTERNAL,
|
|
||||||
+ _("subject name of the root CA cannot be retrieved"));
|
|
||||||
return -1;
|
|
||||||
}
|
|
||||||
|
|
||||||
+ g_info("Root CA used: '%s'", ca_subject);
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
diff --git a/genprotimg/src/utils/crypto.h b/genprotimg/src/utils/crypto.h
|
|
||||||
index 3cda450..fdf66de 100644
|
|
||||||
--- a/genprotimg/src/utils/crypto.h
|
|
||||||
+++ b/genprotimg/src/utils/crypto.h
|
|
||||||
@@ -125,7 +125,6 @@ int check_crl_valid_for_cert(X509_CRL *crl, X509 *cert,
|
|
||||||
gint verify_flags, GError **err);
|
|
||||||
void pv_crypto_init(void);
|
|
||||||
void pv_crypto_cleanup(void);
|
|
||||||
-const ASN1_OCTET_STRING *get_digicert_assured_id_root_ca_skid(void);
|
|
||||||
gint verify_host_key(X509 *host_key, GSList *issuer_pairs,
|
|
||||||
gint verify_flags, int level, GError **err);
|
|
||||||
X509 *load_cert_from_file(const char *path, GError **err);
|
|
||||||
@@ -138,8 +137,7 @@ X509_STORE *store_setup(const gchar *root_ca_path,
|
|
||||||
int store_set_verify_param(X509_STORE *store, GError **err);
|
|
||||||
X509_CRL *load_crl_by_cert(X509 *cert, GError **err);
|
|
||||||
STACK_OF_X509_CRL *try_load_crls_by_certs(GSList *certs_with_path);
|
|
||||||
-gint check_chain_parameters(const STACK_OF_X509 *chain,
|
|
||||||
- const ASN1_OCTET_STRING *skid, GError **err);
|
|
||||||
+gint check_chain_parameters(const STACK_OF_X509 *chain, GError **err);
|
|
||||||
X509_NAME *c2b_name(const X509_NAME *name);
|
|
||||||
|
|
||||||
STACK_OF_X509 *delete_ibm_signing_certs(STACK_OF_X509 *certs);
|
|
||||||
--
|
|
||||||
2.36.1
|
|
||||||
|
|
||||||
|
|
||||||
From ea6a6c04a263eca7f9e3dd9922344d4843b739ec Mon Sep 17 00:00:00 2001
|
|
||||||
From: Viktor Mihajlovski <mihajlov@linux.ibm.com>
|
|
||||||
Date: Tue, 15 Mar 2022 12:55:02 +0100
|
|
||||||
Subject: [PATCH 2/4] genprotimg/check_hostkeydoc: relax default issuer check
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
While the original default issuer's organizationalUnitName (OU)
|
|
||||||
was defined as "IBM Z Host Key Signing Service", any OU ending
|
|
||||||
with "Key Signing Service" is considered legal.
|
|
||||||
|
|
||||||
Let's relax the default issuer check by stripping off characters
|
|
||||||
preceding "Key Signing Service".
|
|
||||||
|
|
||||||
Signed-off-by: Viktor Mihajlovski <mihajlov@linux.ibm.com>
|
|
||||||
Reviewed-by: Marc Hartmayer <mhartmay@linux.ibm.com>
|
|
||||||
Signed-off-by: Jan Höppner <hoeppner@linux.ibm.com>
|
|
||||||
(cherry picked from commit 673ff375d939d3cde674f8f99a62d456f8b1673d)
|
|
||||||
---
|
|
||||||
genprotimg/samples/check_hostkeydoc | 20 ++++++++++++++++----
|
|
||||||
1 file changed, 16 insertions(+), 4 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/genprotimg/samples/check_hostkeydoc b/genprotimg/samples/check_hostkeydoc
|
|
||||||
index a96576f..6a83739 100755
|
|
||||||
--- a/genprotimg/samples/check_hostkeydoc
|
|
||||||
+++ b/genprotimg/samples/check_hostkeydoc
|
|
||||||
@@ -23,6 +23,7 @@ BODY_FILE=$(mktemp)
|
|
||||||
ISSUER_DN_FILE=$(mktemp)
|
|
||||||
SUBJECT_DN_FILE=$(mktemp)
|
|
||||||
DEF_ISSUER_DN_FILE=$(mktemp)
|
|
||||||
+CANONICAL_ISSUER_DN_FILE=$(mktemp)
|
|
||||||
CRL_SERIAL_FILE=$(mktemp)
|
|
||||||
|
|
||||||
# Cleanup on exit
|
|
||||||
@@ -30,7 +31,7 @@ cleanup()
|
|
||||||
{
|
|
||||||
rm -f $ISSUER_PUBKEY_FILE $SIGNATURE_FILE $BODY_FILE \
|
|
||||||
$ISSUER_DN_FILE $SUBJECT_DN_FILE $DEF_ISSUER_DN_FILE \
|
|
||||||
- $CRL_SERIAL_FILE
|
|
||||||
+ $CANONICAL_ISSUER_DN_FILE $CRL_SERIAL_FILE
|
|
||||||
}
|
|
||||||
trap cleanup EXIT
|
|
||||||
|
|
||||||
@@ -121,20 +122,31 @@ default_issuer()
|
|
||||||
commonName = International Business Machines Corporation
|
|
||||||
countryName = US
|
|
||||||
localityName = Poughkeepsie
|
|
||||||
- organizationalUnitName = IBM Z Host Key Signing Service
|
|
||||||
+ organizationalUnitName = Key Signing Service
|
|
||||||
organizationName = International Business Machines Corporation
|
|
||||||
stateOrProvinceName = New York
|
|
||||||
EOF
|
|
||||||
}
|
|
||||||
|
|
||||||
-verify_issuer_files()
|
|
||||||
+# As organizationalUnitName can have an arbitrary prefix but must
|
|
||||||
+# end with "Key Signing Service" let's normalize the OU name by
|
|
||||||
+# stripping off the prefix
|
|
||||||
+verify_default_issuer()
|
|
||||||
{
|
|
||||||
default_issuer > $DEF_ISSUER_DN_FILE
|
|
||||||
|
|
||||||
- if ! diff $ISSUER_DN_FILE $DEF_ISSUER_DN_FILE
|
|
||||||
+ sed "s/\(^[ ]*organizationalUnitName[ ]*=[ ]*\).*\(Key Signing Service$\)/\1\2/" \
|
|
||||||
+ $ISSUER_DN_FILE > $CANONICAL_ISSUER_DN_FILE
|
|
||||||
+
|
|
||||||
+ if ! diff $CANONICAL_ISSUER_DN_FILE $DEF_ISSUER_DN_FILE
|
|
||||||
then
|
|
||||||
echo Incorrect default issuer >&2 && exit 1
|
|
||||||
fi
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+verify_issuer_files()
|
|
||||||
+{
|
|
||||||
+ verify_default_issuer
|
|
||||||
|
|
||||||
if diff $ISSUER_DN_FILE $SUBJECT_DN_FILE
|
|
||||||
then
|
|
||||||
--
|
|
||||||
2.36.1
|
|
||||||
|
|
||||||
|
|
||||||
From f24295fbb9b254ec808ac558d6ac8e62f55e19f9 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Ingo Franzki <ifranzki@linux.ibm.com>
|
|
||||||
Date: Mon, 4 Apr 2022 16:38:41 +0200
|
|
||||||
Subject: [PATCH 3/4] libseckey: Fix re-enciphering of EP11 secure key
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
The re-enciphering of EP11 asymmetric secure keys does not work.
|
|
||||||
First, the result of the re-encipher operation of the private key
|
|
||||||
part must be copied back into the user supplied key token buffer.
|
|
||||||
Second, the public key part, i.e. the MACed SubjectPublicKeyInfo
|
|
||||||
(SPKI) structure must also be re-enciphered (i.e. re-MACed), since
|
|
||||||
the MAC is calculated with the EP11 master key.
|
|
||||||
|
|
||||||
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
|
||||||
Signed-off-by: Jan Höppner <hoeppner@linux.ibm.com>
|
|
||||||
(cherry picked from commit 4e2ebe0370d9fb036b7554d5ac5df4418dbe0397)
|
|
||||||
---
|
|
||||||
libseckey/sk_ep11.c | 53 +++++++++++++++++++++++++++++++++++++++++++++
|
|
||||||
1 file changed, 53 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/libseckey/sk_ep11.c b/libseckey/sk_ep11.c
|
|
||||||
index b867626..e3bd3c9 100644
|
|
||||||
--- a/libseckey/sk_ep11.c
|
|
||||||
+++ b/libseckey/sk_ep11.c
|
|
||||||
@@ -1549,6 +1549,59 @@ int SK_EP11_reencipher_key(const struct sk_ext_ep11_lib *ep11_lib,
|
|
||||||
return -EIO;
|
|
||||||
}
|
|
||||||
|
|
||||||
+ memcpy(blob, lrb.payload, lrb.pllen);
|
|
||||||
+
|
|
||||||
+ /* re-encipher MACed SPKI */
|
|
||||||
+ rb.domain = domain;
|
|
||||||
+ lrb.domain = domain;
|
|
||||||
+
|
|
||||||
+ resp_len = sizeof(resp);
|
|
||||||
+ req_len = ep11.dll_xcpa_cmdblock(req, sizeof(req), XCP_ADM_REENCRYPT,
|
|
||||||
+ &rb, NULL, key_token + hdr->len,
|
|
||||||
+ key_token_length - hdr->len);
|
|
||||||
+ if (req_len < 0) {
|
|
||||||
+ sk_debug(debug, "Failed to build XCP command block");
|
|
||||||
+ return -EIO;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ rv = ep11.dll_m_admin(resp, &resp_len, NULL, NULL, req, req_len, NULL,
|
|
||||||
+ 0, ep11_lib->target);
|
|
||||||
+ if (rv != CKR_OK || resp_len == 0) {
|
|
||||||
+ sk_debug(debug, "Command XCP_ADM_REENCRYPT failed. "
|
|
||||||
+ "rc = 0x%lx, resp_len = %ld", rv, resp_len);
|
|
||||||
+ return -EIO;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ rc = ep11.dll_xcpa_internal_rv(resp, resp_len, &lrb, &rv);
|
|
||||||
+ if (rc != 0) {
|
|
||||||
+ sk_debug(debug, "Failed to parse response. rc = %d", rc);
|
|
||||||
+ return -EIO;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (rv != CKR_OK) {
|
|
||||||
+ sk_debug(debug, "Failed to re-encrypt the EP11 secure key. "
|
|
||||||
+ "rc = 0x%lx", rv);
|
|
||||||
+ switch (rv) {
|
|
||||||
+ case CKR_IBM_WKID_MISMATCH:
|
|
||||||
+ sk_debug(debug, "The EP11 secure key is currently "
|
|
||||||
+ "encrypted under a different master that does "
|
|
||||||
+ "not match the master key in the CURRENT "
|
|
||||||
+ "master key register of APQN %02X.%04X",
|
|
||||||
+ card, domain);
|
|
||||||
+ break;
|
|
||||||
+ }
|
|
||||||
+ return -EIO;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (key_token_length - hdr->len != lrb.pllen) {
|
|
||||||
+ sk_debug(debug, "Re-encrypted EP11 secure key size has "
|
|
||||||
+ "changed: org-len: %lu, new-len: %lu",
|
|
||||||
+ hdr->len - sizeof(*hdr), lrb.pllen);
|
|
||||||
+ return -EIO;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ memcpy(key_token + hdr->len, lrb.payload, lrb.pllen);
|
|
||||||
+
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
--
|
|
||||||
2.36.1
|
|
||||||
|
|
||||||
|
|
||||||
From 5085236986b1c99d16f376273d4c710002abcb4e Mon Sep 17 00:00:00 2001
|
|
||||||
From: Mete Durlu <meted@linux.ibm.com>
|
|
||||||
Date: Fri, 10 Jun 2022 10:13:33 +0200
|
|
||||||
Subject: [PATCH 4/4] hyptop: increase initial update interval
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
Increase initial update interval from 200ms to 1 seconds to avoid
|
|
||||||
fluctuations on the initial data output.
|
|
||||||
|
|
||||||
Signed-off-by: Mete Durlu <meted@linux.ibm.com>
|
|
||||||
Signed-off-by: Jan Höppner <hoeppner@linux.ibm.com>
|
|
||||||
(cherry picked from commit 80e54ac888d6232d99a485c74071fc2173f3dfbf)
|
|
||||||
---
|
|
||||||
hyptop/sd.h | 2 +-
|
|
||||||
hyptop/sd_core.c | 2 +-
|
|
||||||
2 files changed, 2 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/hyptop/sd.h b/hyptop/sd.h
|
|
||||||
index 9ba3192..1aed707 100644
|
|
||||||
--- a/hyptop/sd.h
|
|
||||||
+++ b/hyptop/sd.h
|
|
||||||
@@ -17,7 +17,7 @@
|
|
||||||
#include "helper.h"
|
|
||||||
#include "table.h"
|
|
||||||
|
|
||||||
-#define SD_DG_INIT_INTERVAL_MS 200
|
|
||||||
+#define SD_DG_INIT_INTERVAL_SEC 1
|
|
||||||
#define SD_SYS_ID_SIZE 9
|
|
||||||
|
|
||||||
/*
|
|
||||||
diff --git a/hyptop/sd_core.c b/hyptop/sd_core.c
|
|
||||||
index f1cb631..47b5b59 100644
|
|
||||||
--- a/hyptop/sd_core.c
|
|
||||||
+++ b/hyptop/sd_core.c
|
|
||||||
@@ -150,7 +150,7 @@ void sd_update(void)
|
|
||||||
*/
|
|
||||||
void sd_dg_register(struct sd_dg *dg, int has_core_data)
|
|
||||||
{
|
|
||||||
- struct timespec ts = {0, SD_DG_INIT_INTERVAL_MS * 1000000};
|
|
||||||
+ struct timespec ts = {SD_DG_INIT_INTERVAL_SEC, 0};
|
|
||||||
struct sd_sys_item *sys_item;
|
|
||||||
struct sd_cpu_item *cpu_item;
|
|
||||||
unsigned int i;
|
|
||||||
--
|
|
||||||
2.36.1
|
|
||||||
|
|
32
SOURCES/s390utils-2.22.0-rhel.patch
Normal file
32
SOURCES/s390utils-2.22.0-rhel.patch
Normal file
@ -0,0 +1,32 @@
|
|||||||
|
From ce0ae3c869dccaff3ed976d58b2d63ce461507e6 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Steffen Eiden <seiden@linux.ibm.com>
|
||||||
|
Date: Mon, 25 Jul 2022 12:57:53 +0200
|
||||||
|
Subject: [PATCH] zipl: Add missing check for a nullpointer.
|
||||||
|
|
||||||
|
Fixes a bug that leads to a segmentation fault when no parmline is
|
||||||
|
provided.
|
||||||
|
|
||||||
|
Fixes: 11b401b5 ("zipl: move and make check for maximum command line length dynamic")
|
||||||
|
Signed-off-by: Steffen Eiden <seiden@linux.ibm.com>
|
||||||
|
Reviewed-by: Marc Hartmayer <mhartmay@linux.ibm.com>
|
||||||
|
Reviewed-by: Stefan Haberland <sth@linux.ibm.com>
|
||||||
|
---
|
||||||
|
zipl/src/job.c | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/zipl/src/job.c b/zipl/src/job.c
|
||||||
|
index ffdc297..b5bf5b2 100644
|
||||||
|
--- a/zipl/src/job.c
|
||||||
|
+++ b/zipl/src/job.c
|
||||||
|
@@ -790,7 +790,7 @@ check_common_ipl_data(struct job_common_ipl_data *common, const char *section,
|
||||||
|
if (!max_parm_size)
|
||||||
|
max_parm_size = LEGACY_MAXIMUM_PARMLINE_SIZE;
|
||||||
|
|
||||||
|
- len = strlen(common->parmline);
|
||||||
|
+ len = common->parmline ? strlen(common->parmline) : 0;
|
||||||
|
if (len > max_parm_size) {
|
||||||
|
error_text("The length of the parameters line "
|
||||||
|
"(%d bytes) exceeds the allowed maximum "
|
||||||
|
--
|
||||||
|
2.37.1
|
||||||
|
|
@ -6,10 +6,14 @@
|
|||||||
%global signzipl 1
|
%global signzipl 1
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
|
%if 0%{?fedora}
|
||||||
|
%global with_pandoc 1
|
||||||
|
%endif
|
||||||
|
|
||||||
Name: s390utils
|
Name: s390utils
|
||||||
Summary: Utilities and daemons for IBM z Systems
|
Summary: Utilities and daemons for IBM z Systems
|
||||||
Version: 2.19.0
|
Version: 2.22.0
|
||||||
Release: 1%{?dist}.2.alma
|
Release: 2%{?dist}.alma
|
||||||
Epoch: 2
|
Epoch: 2
|
||||||
License: MIT
|
License: MIT
|
||||||
ExclusiveArch: s390 s390x
|
ExclusiveArch: s390 s390x
|
||||||
@ -43,7 +47,7 @@ Patch0: s390-tools-zipl-invert-script-options.patch
|
|||||||
Patch1: s390-tools-zipl-blscfg-rpm-nvr-sort.patch
|
Patch1: s390-tools-zipl-blscfg-rpm-nvr-sort.patch
|
||||||
|
|
||||||
# backported fixes
|
# backported fixes
|
||||||
Patch100: s390utils-2.19.0-rhel.patch
|
Patch100: s390utils-%{version}-rhel.patch
|
||||||
|
|
||||||
Patch1000: cmsfs-1.1.8-warnings.patch
|
Patch1000: cmsfs-1.1.8-warnings.patch
|
||||||
Patch1001: cmsfs-1.1.8-kernel26.patch
|
Patch1001: cmsfs-1.1.8-kernel26.patch
|
||||||
@ -123,6 +127,10 @@ popd
|
|||||||
make \
|
make \
|
||||||
CFLAGS="%{build_cflags}" CXXFLAGS="%{build_cxxflags}" LDFLAGS="%{build_ldflags}" \
|
CFLAGS="%{build_cflags}" CXXFLAGS="%{build_cxxflags}" LDFLAGS="%{build_ldflags}" \
|
||||||
HAVE_DRACUT=1 \
|
HAVE_DRACUT=1 \
|
||||||
|
%if 0%{?with_pandoc}
|
||||||
|
ENABLE_DOC=1 \
|
||||||
|
%endif
|
||||||
|
NO_PIE_LDFLAGS="" \
|
||||||
BINDIR=/usr/sbin \
|
BINDIR=/usr/sbin \
|
||||||
UDEVRUNDIR=/run/udev \
|
UDEVRUNDIR=/run/udev \
|
||||||
DISTRELEASE=%{release} \
|
DISTRELEASE=%{release} \
|
||||||
@ -141,6 +149,9 @@ popd
|
|||||||
%install
|
%install
|
||||||
make install \
|
make install \
|
||||||
HAVE_DRACUT=1 \
|
HAVE_DRACUT=1 \
|
||||||
|
%if 0%{?with_pandoc}
|
||||||
|
ENABLE_DOC=1 \
|
||||||
|
%endif
|
||||||
DESTDIR=%{buildroot} \
|
DESTDIR=%{buildroot} \
|
||||||
BINDIR=/usr/sbin \
|
BINDIR=/usr/sbin \
|
||||||
SYSTEMDSYSTEMUNITDIR=%{_unitdir} \
|
SYSTEMDSYSTEMUNITDIR=%{_unitdir} \
|
||||||
@ -220,10 +231,6 @@ install -p -m 644 %{SOURCE17} %{buildroot}%{_udevrulesdir}/81-ccw.rules
|
|||||||
# zipl.conf to be ghosted
|
# zipl.conf to be ghosted
|
||||||
touch %{buildroot}%{_sysconfdir}/zipl.conf
|
touch %{buildroot}%{_sysconfdir}/zipl.conf
|
||||||
|
|
||||||
# fixups
|
|
||||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2024102
|
|
||||||
chmod 755 %{buildroot}/lib/s390-tools/cpictl
|
|
||||||
|
|
||||||
|
|
||||||
%files
|
%files
|
||||||
%doc README.md
|
%doc README.md
|
||||||
@ -279,6 +286,7 @@ systemctl --no-reload preset device_cio_free.service >/dev/null 2>&1 || :
|
|||||||
/lib/s390-tools/zdev-root-update
|
/lib/s390-tools/zdev-root-update
|
||||||
/lib/s390-tools/zipl.conf
|
/lib/s390-tools/zipl.conf
|
||||||
%ghost %config(noreplace) %{_sysconfdir}/zipl.conf
|
%ghost %config(noreplace) %{_sysconfdir}/zipl.conf
|
||||||
|
%config(noreplace) %{_sysconfdir}/ziplenv
|
||||||
%{_unitdir}/cpi.service
|
%{_unitdir}/cpi.service
|
||||||
%config(noreplace) %{_sysconfdir}/sysconfig/cpi
|
%config(noreplace) %{_sysconfdir}/sysconfig/cpi
|
||||||
/usr/lib/dracut/modules.d/95zdev/
|
/usr/lib/dracut/modules.d/95zdev/
|
||||||
@ -345,6 +353,7 @@ BuildRequires: json-c-devel
|
|||||||
BuildRequires: rpm-devel
|
BuildRequires: rpm-devel
|
||||||
BuildRequires: glib2-devel
|
BuildRequires: glib2-devel
|
||||||
BuildRequires: libxml2-devel
|
BuildRequires: libxml2-devel
|
||||||
|
BuildRequires: liblockfile-devel
|
||||||
|
|
||||||
|
|
||||||
%description base
|
%description base
|
||||||
@ -522,6 +531,7 @@ getent group zkeyadm > /dev/null || groupadd -r zkeyadm
|
|||||||
%{_sbindir}/lstape
|
%{_sbindir}/lstape
|
||||||
%{_sbindir}/lszcrypt
|
%{_sbindir}/lszcrypt
|
||||||
%{_sbindir}/lszfcp
|
%{_sbindir}/lszfcp
|
||||||
|
%{_sbindir}/pai
|
||||||
%{_sbindir}/qetharp
|
%{_sbindir}/qetharp
|
||||||
%{_sbindir}/qethconf
|
%{_sbindir}/qethconf
|
||||||
%{_sbindir}/qethqoat
|
%{_sbindir}/qethqoat
|
||||||
@ -544,12 +554,16 @@ getent group zkeyadm > /dev/null || groupadd -r zkeyadm
|
|||||||
%{_bindir}/dump2tar
|
%{_bindir}/dump2tar
|
||||||
%{_bindir}/genprotimg
|
%{_bindir}/genprotimg
|
||||||
%{_bindir}/mk-s390image
|
%{_bindir}/mk-s390image
|
||||||
|
%{_bindir}/pvattest
|
||||||
|
%{_bindir}/pvextract-hdr
|
||||||
%{_bindir}/vmconvert
|
%{_bindir}/vmconvert
|
||||||
%{_bindir}/zkey
|
%{_bindir}/zkey
|
||||||
%{_bindir}/zkey-cryptsetup
|
%{_bindir}/zkey-cryptsetup
|
||||||
%{_unitdir}/dumpconf.service
|
%{_unitdir}/dumpconf.service
|
||||||
%ghost %config(noreplace) %{_sysconfdir}/zipl.conf
|
%ghost %config(noreplace) %{_sysconfdir}/zipl.conf
|
||||||
%config(noreplace) %{_sysconfdir}/sysconfig/dumpconf
|
%config(noreplace) %{_sysconfdir}/sysconfig/dumpconf
|
||||||
|
%{_sysconfdir}/mdevctl.d/*
|
||||||
|
/usr/lib/dracut/modules.d/99ngdump/
|
||||||
/lib/s390-tools/dumpconf
|
/lib/s390-tools/dumpconf
|
||||||
/lib/s390-tools/lsznet.raw
|
/lib/s390-tools/lsznet.raw
|
||||||
%dir /lib/s390-tools/zfcpdump
|
%dir /lib/s390-tools/zfcpdump
|
||||||
@ -560,13 +574,13 @@ getent group zkeyadm > /dev/null || groupadd -r zkeyadm
|
|||||||
%dir %{_libdir}/zkey
|
%dir %{_libdir}/zkey
|
||||||
%{_libdir}/zkey/zkey-ekmfweb.so
|
%{_libdir}/zkey/zkey-ekmfweb.so
|
||||||
%{_libdir}/zkey/zkey-kmip.so
|
%{_libdir}/zkey/zkey-kmip.so
|
||||||
%{_mandir}/man1/dbginfo.sh.1*
|
|
||||||
%{_mandir}/man1/dump2tar.1*
|
%{_mandir}/man1/dump2tar.1*
|
||||||
%{_mandir}/man1/lscpumf.1*
|
%{_mandir}/man1/genprotimg.1*
|
||||||
%{_mandir}/man1/lshwc.1*
|
%{_mandir}/man1/pvattest.1*
|
||||||
|
%{_mandir}/man1/pvattest-create.1*
|
||||||
|
%{_mandir}/man1/pvattest-perform.1*
|
||||||
|
%{_mandir}/man1/pvattest-verify.1*
|
||||||
%{_mandir}/man1/vmconvert.1*
|
%{_mandir}/man1/vmconvert.1*
|
||||||
%{_mandir}/man1/zfcpdbf.1*
|
|
||||||
%{_mandir}/man1/zipl-switch-to-blscfg.1*
|
|
||||||
%{_mandir}/man1/zkey.1*
|
%{_mandir}/man1/zkey.1*
|
||||||
%{_mandir}/man1/zkey-cryptsetup.1*
|
%{_mandir}/man1/zkey-cryptsetup.1*
|
||||||
%{_mandir}/man1/zkey-ekmfweb.1*
|
%{_mandir}/man1/zkey-ekmfweb.1*
|
||||||
@ -581,14 +595,16 @@ getent group zkeyadm > /dev/null || groupadd -r zkeyadm
|
|||||||
%{_mandir}/man8/chzcrypt.8*
|
%{_mandir}/man8/chzcrypt.8*
|
||||||
%{_mandir}/man8/dasdstat.8*
|
%{_mandir}/man8/dasdstat.8*
|
||||||
%{_mandir}/man8/dasdview.8*
|
%{_mandir}/man8/dasdview.8*
|
||||||
|
%{_mandir}/man8/dbginfo.sh.8*
|
||||||
%{_mandir}/man8/dumpconf.8*
|
%{_mandir}/man8/dumpconf.8*
|
||||||
%{_mandir}/man8/genprotimg.8.*
|
|
||||||
%{_mandir}/man8/hsavmcore.8*
|
%{_mandir}/man8/hsavmcore.8*
|
||||||
%{_mandir}/man8/hsci.8*
|
%{_mandir}/man8/hsci.8*
|
||||||
%{_mandir}/man8/hyptop.8*
|
%{_mandir}/man8/hyptop.8*
|
||||||
%{_mandir}/man8/lschp.8*
|
%{_mandir}/man8/lschp.8*
|
||||||
|
%{_mandir}/man8/lscpumf.8*
|
||||||
%{_mandir}/man8/lscss.8*
|
%{_mandir}/man8/lscss.8*
|
||||||
%{_mandir}/man8/lsdasd.8*
|
%{_mandir}/man8/lsdasd.8*
|
||||||
|
%{_mandir}/man8/lshwc.8*
|
||||||
%{_mandir}/man8/lsluns.8*
|
%{_mandir}/man8/lsluns.8*
|
||||||
%{_mandir}/man8/lsqeth.8*
|
%{_mandir}/man8/lsqeth.8*
|
||||||
%{_mandir}/man8/lsreipl.8*
|
%{_mandir}/man8/lsreipl.8*
|
||||||
@ -598,6 +614,7 @@ getent group zkeyadm > /dev/null || groupadd -r zkeyadm
|
|||||||
%{_mandir}/man8/lstape.8*
|
%{_mandir}/man8/lstape.8*
|
||||||
%{_mandir}/man8/lszcrypt.8*
|
%{_mandir}/man8/lszcrypt.8*
|
||||||
%{_mandir}/man8/lszfcp.8*
|
%{_mandir}/man8/lszfcp.8*
|
||||||
|
%{_mandir}/man8/pai.8*
|
||||||
%{_mandir}/man8/qetharp.8*
|
%{_mandir}/man8/qetharp.8*
|
||||||
%{_mandir}/man8/qethconf.8*
|
%{_mandir}/man8/qethconf.8*
|
||||||
%{_mandir}/man8/qethqoat.8*
|
%{_mandir}/man8/qethqoat.8*
|
||||||
@ -608,7 +625,9 @@ getent group zkeyadm > /dev/null || groupadd -r zkeyadm
|
|||||||
%{_mandir}/man8/vmur.8*
|
%{_mandir}/man8/vmur.8*
|
||||||
%{_mandir}/man8/zcryptctl.8*
|
%{_mandir}/man8/zcryptctl.8*
|
||||||
%{_mandir}/man8/zcryptstats.8*
|
%{_mandir}/man8/zcryptstats.8*
|
||||||
|
%{_mandir}/man8/zfcpdbf.8*
|
||||||
%{_mandir}/man8/zgetdump.8*
|
%{_mandir}/man8/zgetdump.8*
|
||||||
|
%{_mandir}/man8/zipl-switch-to-blscfg.8*
|
||||||
%{_mandir}/man8/znetconf.8*
|
%{_mandir}/man8/znetconf.8*
|
||||||
%{_mandir}/man8/zpcictl.8*
|
%{_mandir}/man8/zpcictl.8*
|
||||||
%dir %{_datadir}/s390-tools
|
%dir %{_datadir}/s390-tools
|
||||||
@ -844,8 +863,8 @@ This package contains the CMS file system tools.
|
|||||||
#
|
#
|
||||||
%package cmsfs-fuse
|
%package cmsfs-fuse
|
||||||
Summary: CMS file system based on FUSE
|
Summary: CMS file system based on FUSE
|
||||||
BuildRequires: fuse-devel
|
BuildRequires: fuse3-devel
|
||||||
Requires: fuse
|
Requires: fuse3
|
||||||
|
|
||||||
%description cmsfs-fuse
|
%description cmsfs-fuse
|
||||||
This package contains the CMS file system based on FUSE.
|
This package contains the CMS file system based on FUSE.
|
||||||
@ -861,9 +880,9 @@ This package contains the CMS file system based on FUSE.
|
|||||||
#
|
#
|
||||||
%package zdsfs
|
%package zdsfs
|
||||||
Summary: z/OS data set access based on FUSE
|
Summary: z/OS data set access based on FUSE
|
||||||
BuildRequires: fuse-devel
|
BuildRequires: fuse3-devel
|
||||||
BuildRequires: libcurl-devel
|
BuildRequires: libcurl-devel
|
||||||
Requires: fuse
|
Requires: fuse3
|
||||||
|
|
||||||
%description zdsfs
|
%description zdsfs
|
||||||
This package contains the z/OS data set access based on FUSE.
|
This package contains the z/OS data set access based on FUSE.
|
||||||
@ -877,8 +896,8 @@ This package contains the z/OS data set access based on FUSE.
|
|||||||
#
|
#
|
||||||
%package hmcdrvfs
|
%package hmcdrvfs
|
||||||
Summary: HMC drive file system based on FUSE
|
Summary: HMC drive file system based on FUSE
|
||||||
BuildRequires: fuse-devel
|
BuildRequires: fuse3-devel
|
||||||
Requires: fuse
|
Requires: fuse3
|
||||||
|
|
||||||
%description hmcdrvfs
|
%description hmcdrvfs
|
||||||
This package contains a HMC drive file system based on FUSE and a tool
|
This package contains a HMC drive file system based on FUSE and a tool
|
||||||
@ -932,6 +951,9 @@ Summary: Use multipath information for re-IPL path failover
|
|||||||
BuildRequires: make
|
BuildRequires: make
|
||||||
BuildRequires: bash
|
BuildRequires: bash
|
||||||
BuildRequires: coreutils
|
BuildRequires: coreutils
|
||||||
|
%if 0%{?with_pandoc}
|
||||||
|
BuildRequires: pandoc
|
||||||
|
%endif
|
||||||
BuildRequires: gawk
|
BuildRequires: gawk
|
||||||
BuildRequires: gzip
|
BuildRequires: gzip
|
||||||
BuildRequires: sed
|
BuildRequires: sed
|
||||||
@ -950,6 +972,9 @@ reconfigures the FCP re-IPL settings to use an operational path.
|
|||||||
|
|
||||||
%files chreipl-fcp-mpath
|
%files chreipl-fcp-mpath
|
||||||
%doc chreipl-fcp-mpath/README.md
|
%doc chreipl-fcp-mpath/README.md
|
||||||
|
%if 0%{?with_pandoc}
|
||||||
|
%doc chreipl-fcp-mpath/README.html
|
||||||
|
%endif
|
||||||
%dir %{_prefix}/lib/chreipl-fcp-mpath/
|
%dir %{_prefix}/lib/chreipl-fcp-mpath/
|
||||||
%{_prefix}/lib/chreipl-fcp-mpath/*
|
%{_prefix}/lib/chreipl-fcp-mpath/*
|
||||||
%{_prefix}/lib/dracut/dracut.conf.d/70-chreipl-fcp-mpath.conf
|
%{_prefix}/lib/dracut/dracut.conf.d/70-chreipl-fcp-mpath.conf
|
||||||
@ -959,6 +984,7 @@ reconfigures the FCP re-IPL settings to use an operational path.
|
|||||||
%{_prefix}/lib/udev/chreipl-fcp-mpath-record-volume-identifier
|
%{_prefix}/lib/udev/chreipl-fcp-mpath-record-volume-identifier
|
||||||
%{_prefix}/lib/udev/chreipl-fcp-mpath-try-change-ipl-path
|
%{_prefix}/lib/udev/chreipl-fcp-mpath-try-change-ipl-path
|
||||||
%{_udevrulesdir}/70-chreipl-fcp-mpath.rules
|
%{_udevrulesdir}/70-chreipl-fcp-mpath.rules
|
||||||
|
%{_mandir}/man7/chreipl-fcp-mpath.7*
|
||||||
|
|
||||||
#
|
#
|
||||||
# *********************** devel package ***********************
|
# *********************** devel package ***********************
|
||||||
@ -980,16 +1006,28 @@ User-space development files for the s390/s390x architecture.
|
|||||||
|
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
* Wed Oct 26 2022 Eduard Abdullin <eabdullin@almalinux.org> - 2:2.19.0-1.2.alma
|
* Tue Nov 08 2022 Eduard Abdullin <eabdullin@almalinux.org> - 2:2.22.0-2.alma
|
||||||
- Fix detection 5* kernel
|
- Fix detection 5* kernel
|
||||||
|
|
||||||
* Tue Jul 12 2022 Dan Horák <dhorak@redhat.com> - 2:2.19.0-1.2
|
* Fri Aug 05 2022 Dan Horák <dhorak@redhat.com> - 2:2.22.0-2
|
||||||
- hyptop: observable value fluctuations on initial iteration (#2101809)
|
- zipl: Add missing check for a nullpointer (#2113976)
|
||||||
- Resolves: #2101809
|
- Resolves: #2113976
|
||||||
* Thu Jun 09 2022 Dan Horák <dhorak@redhat.com> - 2:2.19.0-1.1
|
|
||||||
- genprotimg: certificate verification is too strict (#2081311)
|
* Tue Jul 12 2022 Dan Horák <dhorak@redhat.com> - 2:2.22.0-1
|
||||||
- zkey: fix re-enciphering of EP11 identity key of KMIP plugin (#2081310)
|
- rebased to 2.22.0 (#2043846)
|
||||||
- Resolves: #2081311 #2081310
|
- add tool to persistently configure vfio-ap devices (#1660911)
|
||||||
|
- NVMe stand-alone dump support (#1847462)
|
||||||
|
- KVM: Secure Execution Attestation Userspace Tool (#1984908)
|
||||||
|
- KVM: Allow long kernel command lines for Secure Execution guests (#2043831)
|
||||||
|
- KVM: Secure Execution guest dump encryption with customer keys (#2043833)
|
||||||
|
- zcrypt DD: Exploitation Support of new IBM Z Crypto Hardware (#2043857)
|
||||||
|
- zipl: Site-aware environment block (#2043913)
|
||||||
|
- Add additional information to SCLP CPI (#2046681)
|
||||||
|
- Add new CPU-MF Counters for IBM z16 Hardware (#2047727)
|
||||||
|
- Long Kernel Commmand Line for s390x (#2060829)
|
||||||
|
- zkey: Fix re-enciphering of EP11 identity key of KMIP plugin (#2075011)
|
||||||
|
- genprotimg/check_hostkeydoc: cert. verification is too strict (#2075013)
|
||||||
|
- Resolves: #2043846 #1660911 #1847462 #1984908 #2043831 #2043833 #2043857 #2043913 #2046681 #2047727 #2060829 #2075011 #2075013
|
||||||
|
|
||||||
* Thu Nov 18 2021 Dan Horák <dhorak@redhat.com> - 2:2.19.0-1
|
* Thu Nov 18 2021 Dan Horák <dhorak@redhat.com> - 2:2.19.0-1
|
||||||
- rebased to 2.19.0 (#1984976)
|
- rebased to 2.19.0 (#1984976)
|
||||||
|
Loading…
Reference in New Issue
Block a user