- rebased to 2.39.0 (RHEL-100439)

- udev/rules.d: Set default io scheduler to 'none' for virtio-blk (RHEL-126743) - udev/rules.d: make virtio-blk devices non-rotational (RHEL-126745) - zipl: makedumpfile is required for ngdump support (RHEL-114663) - libekmfweb: Fix gen of cert or CSR to use RSA not RSA-PSS (RHEL-114885) - chpstat: Fix DPU utilization scaling in reports (RHEL-109215) - Resolves: RHEL-100439 RHEL-126743 RHEL-126745 RHEL-114663 RHEL-114885 RHEL-109215
2025-11-19 12:41:55 +01:00 · 2025-11-19 12:41:55 +01:00 · eb7ec72f4e
commit eb7ec72f4e
parent ee1fce7063
4 changed files with 84 additions and 172 deletions
--- a/s390utils-2.38.0-rhel.patch
+++ b/s390utils-2.38.0-rhel.patch
@ -1,167 +0,0 @@
-From 022b0c3bbe1d55a4d4fe65438d5b7c647f799e74 Mon Sep 17 00:00:00 2001
-From: Shalini Chellathurai Saroja <shalini@linux.ibm.com>
-Date: Fri, 16 May 2025 16:47:24 +0200
-Subject: [PATCH] cpi: Disable CPI for SEL guests by default (RHEL-76931)
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The cpictl utility sends control-program identification data
-from protected virtualization guests to hosts by default.
-This behaviour leaks the below potentially sensitive
-information to untrusted hosts.
- system_type
- system_level
- sysplex_name
- system_name
-
-To prevent this behaviour, enhance the cpictl utility to stop
-setting CPI information on protected virtualization guests by
-default. If the user chooses to set the CPI information, it
-could be set by one of the below options
- use the command line option --permit-cpi
- set the environment variable CPI_PERMIT_ON_PVGUEST to 1 to
-control the CPI service behaviour during boot
-
-Signed-off-by: Hendrik Brueckner <brueckner@linux.ibm.com>
-Signed-off-by: Shalini Chellathurai Saroja <shalini@linux.ibm.com>
-Reviewed-by: Jan Höppner <hoeppner@linux.ibm.com>
-Reviewed-by: Peter Oberparleiter <oberpar@linux.ibm.com>
-Reviewed-by: Hendrik Brueckner <brueckner@linux.ibm.com>
-Signed-off-by: Jan Höppner <hoeppner@linux.ibm.com>
-(cherry picked from commit ce9c518b977925cc4c9eb92a3e508762fd57f551)
---
- etc/sysconfig/cpi      | 14 ++++++++++++++
- scripts/cpictl         | 39 +++++++++++++++++++++++++++++++++++++--
- systemd/cpi.service.in |  1 +
- 3 files changed, 52 insertions(+), 2 deletions(-)
-
-diff --git a/etc/sysconfig/cpi b/etc/sysconfig/cpi
-index 866b589..78eb632 100644
--- a/etc/sysconfig/cpi
-+++ b/etc/sysconfig/cpi
-@@ -18,3 +18,17 @@ CPI_SYSTEM_NAME=""
- # CPI sysplex name
- #
- CPI_SYSPLEX_NAME=""
-+
-+#
-+# CPI permit on protected virtualization guests
-+#
-+# Important: Set CPI_PERMIT_ON_PVGUEST=1 only if you trust the host system.
-+# Enabling these options allows the host to receive potentially sensitive
-+# Control-Program Identification (CPI) data from the protected virtualization
-+# guest, including:
-+# - system_type
-+# - system_level
-+# - sysplex_name
-+# - system_name
-+#
-+CPI_PERMIT_ON_PVGUEST=
-diff --git a/scripts/cpictl b/scripts/cpictl
-index 16cadde..6096a67 100755
--- a/scripts/cpictl
-+++ b/scripts/cpictl
-@@ -32,6 +32,9 @@ declare TYPE
- declare NAME
- declare SYSPLEX
- 
-+declare PV_GUEST
-+declare -i CPI_PERMIT="$CPI_PERMIT_ON_PVGUEST"
-+
- declare -i DRYRUN=0
- 
- # Exit codes
-@@ -40,6 +43,7 @@ readonly EXIT_FAILURE=1
- readonly EXIT_ARG_TOO_LONG=3
- readonly EXIT_INVALID_CHARS=4
- readonly EXIT_INVALID_ARGS=5
-+readonly EXIT_NO_PERMIT_CPI=6
- 
- # Distro-IDs as supported by SE/HMC firmware
- readonly DISTRO_GENERIC=0
-@@ -69,6 +73,10 @@ Configure the Control-Program-Information (CPI) settings.
-   -S, --sysplex SYSPLEX  Set and commit the sysplex name to SYSPLEX
-   -T, --type TYPE        Set and commit OS type to TYPE
-   -v, --version          Print version information, then exit
-+  --permit-cpi           Permit to send Control-Program Identification data of
-+                         protected virtualization guest to the host (must be
-+                         specified before any commit option). See also the
-+                         important note.
-   --commit               Ignore all other options and commit any uncommitted
-                          values
-   --dry-run              Do not actually set or commit anything, but show what
-@@ -77,7 +85,17 @@ Configure the Control-Program-Information (CPI) settings.
-                          uncommitted) values
- 
- Environment variables used for the --defaults option:
-  CPI_SYSTEM_TYPE, CPI_SYSTEM_LEVEL, CPI_SYSTEM_NAME, CPI_SYSPLEX_NAME
-+  CPI_SYSTEM_TYPE, CPI_SYSTEM_LEVEL, CPI_SYSTEM_NAME, CPI_SYSPLEX_NAME,
-+  CPI_PERMIT_ON_PVGUEST (See also the important note.)
-+
-+Important: Set CPI_PERMIT_ON_PVGUEST=1 or use --permit_cpi option only if you
-+trust the host system. Enabling these options allows the host to receive
-+potentially sensitive Control-Program Identification (CPI) data from the
-+protected virtualization guest, including:
-+- system_type
-+- system_level
-+- sysplex_name
-+- system_name
- 
- Available bits for the --set-bit option:
-   kvm: Indicate that system is a KVM host
-@@ -124,6 +142,19 @@ fail_with()
- 
- cpi_commit()
- {
-+	# Commit Control-Program Identification changes on protected
-+	# virtualization guests only if it is permitted by the guest. This
-+	# prevents leakage of potentially sensitive information to untrusted
-+	# hosts.
-+	if [[ -f "/sys/firmware/uv/prot_virt_guest" ]]; then
-+		read -r PV_GUEST < "/sys/firmware/uv/prot_virt_guest"
-+		if [[ "$PV_GUEST" -eq 1 ]]; then
-+			if [[ -z "$CPI_PERMIT" ]] || [[ "$CPI_PERMIT" -ne 1 ]]; then
-+				echo "Sending CPI data from secure execution Linux guests is disabled. Use --permit-cpi to enable CPI data." >&2
-+				exit "$EXIT_NO_PERMIT_CPI"
-+			fi
-+		fi
-+	fi
- 	echo 1 > "$CPI_SET" 2> /dev/null
- }
- 
-@@ -404,7 +435,7 @@ if [ $# -le 0 ]; then
- 	print_parse_error_and_exit
- fi
- 
-opts=$(getopt -o b:ehL:N:S:T:v -l set-bit:,environment,help,level:,name:,sysplex:,type:,commit,dry-run,show,version -n $PRG -- "$@")
-+opts=$(getopt -o b:ehL:N:S:T:v -l set-bit:,environment,help,level:,name:,sysplex:,type:,commit,dry-run,permit-cpi,show,version -n "$PRG" -- "$@")
- if [ $? -ne 0 ]; then
- 	print_parse_error_and_exit
- fi
-@@ -473,6 +504,10 @@ while [ -n $1 ]; do
- 		cpi_show
- 		exit $EXIT_SUCCESS
- 		;;
-+	--permit-cpi)
-+		CPI_PERMIT=1
-+		shift
-+		;;
- 	--commit)
- 		cpi_commit
- 		exit $EXIT_SUCCESS
-diff --git a/systemd/cpi.service.in b/systemd/cpi.service.in
-index 3976f68..ca21a8b 100644
--- a/systemd/cpi.service.in
-+++ b/systemd/cpi.service.in
-@@ -37,6 +37,7 @@ EnvironmentFile=@sysconf_path@/sysconfig/cpi
- # Environment=CPI_SYSPLEX_NAME=
- # Environment=CPI_SYSTEM_LEVEL=
- # Environment=CPI_SYSTEM_TYPE=LINUX
-+# Environment=CPI_PERMIT_ON_PVGUEST=
- 
- #
- # Sending data to the HMC/SE
-- 
-2.50.1
-
--- a/s390utils-2.39.0-rhel.patch
+++ b/s390utils-2.39.0-rhel.patch
@ -0,0 +1,64 @@
+From daf4c2f581dee9602e325f80cb5425d352e9dd2d Mon Sep 17 00:00:00 2001
+From: Peter Jin <pjin@linux.ibm.com>
+Date: Wed, 1 Oct 2025 15:02:10 -0400
+Subject: [PATCH 1/2] udev/rules.d: make virtio-blk devices non-rotational
+ (RHEL-126745)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Performance measurements turned out that in certain situations the
+paging/swap logic turns on the rotational feature for block devices. In the
+past, this feature has been disabled for DASD devices. FCP and NVMe devices
+are considered non-rotational by default (or exposed by the storage server).
+Because those are the backing devices on Linux on Z/LinuxONE instances,
+ensure that virtio-blk devices are always non-rotational.
+
+Signed-off-by: Peter Jin <pjin@linux.ibm.com>
+Signed-off-by: Jan Höppner <hoeppner@linux.ibm.com>
+(cherry picked from commit 82f8c137e1881577d89309223f6d459361c671dd)
+---
+ etc/udev/rules.d/59-virtio-blk.rules | 1 +
+ 1 file changed, 1 insertion(+)
+ create mode 100644 etc/udev/rules.d/59-virtio-blk.rules
+
+diff --git a/etc/udev/rules.d/59-virtio-blk.rules b/etc/udev/rules.d/59-virtio-blk.rules
+new file mode 100644
+index 00000000..2e3c13f7
+--- /dev/null
+++ b/etc/udev/rules.d/59-virtio-blk.rules
+@@ -0,0 +1 @@
+SUBSYSTEM=="block", ACTION=="add", KERNEL=="vd*[!0-9]", TEST=="queue/rotational", ATTR{queue/rotational}="0"
+-- 
+2.52.0
+
+
+From 6ddd22a0972c3e931780b4a4e61f884aedb3a4ff Mon Sep 17 00:00:00 2001
+From: Peter Jin <pjin@linux.ibm.com>
+Date: Wed, 1 Oct 2025 15:09:49 -0400
+Subject: [PATCH 2/2] udev/rules.d: Set default io scheduler to 'none' for
+ virtio-blk (RHEL-126743)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Use 'none' as default io scheduler for virtio-blk devices. Performance
+improvements for multi-queue setups and to reduce CPU consumption.
+
+Signed-off-by: Peter Jin <pjin@linux.ibm.com>
+Signed-off-by: Jan Höppner <hoeppner@linux.ibm.com>
+(cherry picked from commit 6ee5ffef91cb4157079fecb89bf42aa41e81e801)
+---
+ etc/udev/rules.d/59-virtio-blk.rules | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/etc/udev/rules.d/59-virtio-blk.rules b/etc/udev/rules.d/59-virtio-blk.rules
+index 2e3c13f7..ca6e1c4d 100644
+--- a/etc/udev/rules.d/59-virtio-blk.rules
+++ b/etc/udev/rules.d/59-virtio-blk.rules
+@@ -1 +1,2 @@
+ SUBSYSTEM=="block", ACTION=="add", KERNEL=="vd*[!0-9]", TEST=="queue/rotational", ATTR{queue/rotational}="0"
+SUBSYSTEM=="block", ACTION=="add", KERNEL=="vd*[!0-9]", TEST=="queue/scheduler", ATTR{queue/scheduler}="none"
+-- 
+2.52.0
+
--- a/s390utils.spec
+++ b/s390utils.spec
@ -14,8 +14,8 @@

 Name:           s390utils
 Summary:        Utilities and daemons for IBM z Systems
-Version:        2.38.0
-Release:        2%{?dist}
+Version:        2.39.0
+Release:        1%{?dist}
 Epoch:          2
 License:        MIT
 URL:            https://github.com/ibm-s390-linux/s390-tools
@ -190,6 +190,7 @@ fi

 # move tools to searchable dir
 mv %{buildroot}%{_datadir}/s390-tools/netboot/mk-s390image %{buildroot}%{_bindir}
+mv %{buildroot}%{_datadir}/s390-tools/netboot/mk-s390image.1 %{buildroot}%{_mandir}/man1

 mkdir -p %{buildroot}{/boot,%{_udevrulesdir},%{_sysconfdir}/{profile.d,sysconfig},%{_prefix}/lib/modules-load.d}
 install -p -m 644 zipl/boot/tape0.bin %{buildroot}/boot/tape0
@ -303,6 +304,8 @@ touch %{buildroot}%{_sysconfdir}/zipl.conf
 License:        MIT
 Summary:        S390 core tools
 Requires:       coreutils
+# for /usr/sbin/makedumpfile (RHEL-114663)
+Requires:       kexec-tools
 %{?systemd_requires}
 # BRs are covered via the base package

@ -378,6 +381,7 @@ This package provides minimal set of tools needed to system to boot.
 %{_udevrulesdir}/56-dasd.rules
 %{_udevrulesdir}/56-zfcp.rules
 %{_udevrulesdir}/59-dasd.rules
+%{_udevrulesdir}/59-virtio-blk.rules
 %{_udevrulesdir}/60-readahead.rules
 %{_udevrulesdir}/81-ccw.rules
 %{_udevrulesdir}/81-dpm.rules
@ -609,9 +613,9 @@ getent group zkeyadm > /dev/null || groupadd -r zkeyadm
 %{_bindir}/cpacfinfo
 %{_bindir}/dump2tar
 %{_bindir}/genprotimg
+%{_bindir}/mk-s390image
 %{_bindir}/pvapconfig
 %{_bindir}/pvimg
-%{_bindir}/mk-s390image
 %if %{with rust}
 %{_bindir}/pvapconfig
 %endif
@ -648,6 +652,7 @@ getent group zkeyadm > /dev/null || groupadd -r zkeyadm
 %{_mandir}/man1/cpacfinfo.1*
 %{_mandir}/man1/dump2tar.1*
 %{_mandir}/man1/genprotimg.1*
+%{_mandir}/man1/mk-s390image.1*
 %if %{with rust}
 %{_mandir}/man1/pvapconfig.1*
 %endif
@ -934,6 +939,7 @@ fi
 %{_mandir}/man1/ts-shell.1*
 %{_mandir}/man7/af_iucv.7*
 %{_mandir}/man8/chiucvallow.8*
+%{_mandir}/man8/lsiucvallow.8*
 %{_mandir}/man9/hvc_iucv.9*
 %{_unitdir}/iucvtty-login@.service
 %{_unitdir}/ttyrun-getty@.service
@ -1095,6 +1101,15 @@ User-space development files for the s390/s390x architecture.


 %changelog
+* Mon Nov 24 2025 Dan Horák <dhorak@redhat.com> - 2:2.39.0-1
+- rebased to 2.39.0 (RHEL-100439)
+- udev/rules.d: Set default io scheduler to 'none' for virtio-blk (RHEL-126743)
+- udev/rules.d: make virtio-blk devices non-rotational (RHEL-126745)
+- zipl: makedumpfile is required for ngdump support (RHEL-114663)
+- libekmfweb: Fix gen of cert or CSR to use RSA not RSA-PSS (RHEL-114885)
+- chpstat: Fix DPU utilization scaling in reports (RHEL-109215)
+- Resolves: RHEL-100439 RHEL-126743 RHEL-126745 RHEL-114663 RHEL-114885 RHEL-109215
+
 * Wed Aug 13 2025 Dan Horák <dhorak@redhat.com> - 2:2.38.0-2
 - cpi: Disable CPI for SEL guests by default (RHEL-76931)
 - Resolves: RHEL-76931
--- a/4
+++ b/4
@ -1,2 +1,2 @@
-SHA512 (s390-tools-2.38.0.tar.gz) = 9ca9393e9deeab5c1df5e9eaa3c12e340917ffd5fe07d9a09087d6488d8e2ec0a136805650830d128595854b818a1da94151003e15954e556ba373b226a7369e
-SHA512 (s390-tools-2.38.0-rust-vendor.tar.xz) = c55d2870ad9f90333de2536e7921951185746f0972d5d488bf317b56e754525e4dbd0f63d547229197199b51d41b7032172b6ba7ffacd9a96a01dbd13b9c4d9e
+SHA512 (s390-tools-2.39.0.tar.gz) = ee9447f28f0cc43b4eba8110879174372a4ed85e2e53c3500e02723275c0aee01fd4913558ef3eaa62be40a0f5e634c3eb59587150e809fe14e8b4794e340ac7
+SHA512 (s390-tools-2.39.0-rust-vendor.tar.xz) = eb0cd352e8d3721ba52f79968494e72fc99b5655bbd34c359dfb98d81748a367d87854c799e5d7e88d9fef5209ce0cc5e91286a8259e3fef90e0e53a7b195a20