diff --git a/s390utils-2.38.0-rhel.patch b/s390utils-2.38.0-rhel.patch
deleted file mode 100644
index 8325acf..0000000
--- a/s390utils-2.38.0-rhel.patch
+++ /dev/null
@@ -1,167 +0,0 @@ -From 022b0c3bbe1d55a4d4fe65438d5b7c647f799e74 Mon Sep 17 00:00:00 2001 -From: Shalini Chellathurai Saroja -Date: Fri, 16 May 2025 16:47:24 +0200 -Subject: [PATCH] cpi: Disable CPI for SEL guests by default (RHEL-76931) -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The cpictl utility sends control-program identification data -from protected virtualization guests to hosts by default. -This behaviour leaks the below potentially sensitive -information to untrusted hosts. -- system_type -- system_level -- sysplex_name -- system_name - -To prevent this behaviour, enhance the cpictl utility to stop -setting CPI information on protected virtualization guests by -default. If the user chooses to set the CPI information, it -could be set by one of the below options -- use the command line option --permit-cpi -- set the environment variable CPI_PERMIT_ON_PVGUEST to 1 to -control the CPI service behaviour during boot - -Signed-off-by: Hendrik Brueckner -Signed-off-by: Shalini Chellathurai Saroja -Reviewed-by: Jan Höppner -Reviewed-by: Peter Oberparleiter -Reviewed-by: Hendrik Brueckner -Signed-off-by: Jan Höppner -(cherry picked from commit ce9c518b977925cc4c9eb92a3e508762fd57f551) ---- - etc/sysconfig/cpi | 14 ++++++++++++++ - scripts/cpictl | 39 +++++++++++++++++++++++++++++++++++++-- - systemd/cpi.service.in | 1 + - 3 files changed, 52 insertions(+), 2 deletions(-) - -diff --git a/etc/sysconfig/cpi b/etc/sysconfig/cpi -index 866b589..78eb632 100644 ---- a/etc/sysconfig/cpi -+++ b/etc/sysconfig/cpi -@@ -18,3 +18,17 @@ CPI_SYSTEM_NAME="" - # CPI sysplex name - # - CPI_SYSPLEX_NAME="" -+ -+# -+# CPI permit on protected virtualization guests -+# -+# Important: Set CPI_PERMIT_ON_PVGUEST=1 only if you trust the host system. 
-+# Enabling these options allows the host to receive potentially sensitive -+# Control-Program Identification (CPI) data from the protected virtualization -+# guest, including: -+# - system_type -+# - system_level -+# - sysplex_name -+# - system_name -+# -+CPI_PERMIT_ON_PVGUEST= -diff --git a/scripts/cpictl b/scripts/cpictl -index 16cadde..6096a67 100755 ---- a/scripts/cpictl -+++ b/scripts/cpictl -@@ -32,6 +32,9 @@ declare TYPE - declare NAME - declare SYSPLEX - -+declare PV_GUEST -+declare -i CPI_PERMIT="$CPI_PERMIT_ON_PVGUEST" -+ - declare -i DRYRUN=0 - - # Exit codes -@@ -40,6 +43,7 @@ readonly EXIT_FAILURE=1 - readonly EXIT_ARG_TOO_LONG=3 - readonly EXIT_INVALID_CHARS=4 - readonly EXIT_INVALID_ARGS=5 -+readonly EXIT_NO_PERMIT_CPI=6 - - # Distro-IDs as supported by SE/HMC firmware - readonly DISTRO_GENERIC=0 -@@ -69,6 +73,10 @@ Configure the Control-Program-Information (CPI) settings. - -S, --sysplex SYSPLEX Set and commit the sysplex name to SYSPLEX - -T, --type TYPE Set and commit OS type to TYPE - -v, --version Print version information, then exit -+ --permit-cpi Permit to send Control-Program Identification data of -+ protected virtualization guest to the host (must be -+ specified before any commit option). See also the -+ important note. - --commit Ignore all other options and commit any uncommitted - values - --dry-run Do not actually set or commit anything, but show what -@@ -77,7 +85,17 @@ Configure the Control-Program-Information (CPI) settings. - uncommitted) values - - Environment variables used for the --defaults option: -- CPI_SYSTEM_TYPE, CPI_SYSTEM_LEVEL, CPI_SYSTEM_NAME, CPI_SYSPLEX_NAME -+ CPI_SYSTEM_TYPE, CPI_SYSTEM_LEVEL, CPI_SYSTEM_NAME, CPI_SYSPLEX_NAME, -+ CPI_PERMIT_ON_PVGUEST (See also the important note.) -+ -+Important: Set CPI_PERMIT_ON_PVGUEST=1 or use --permit_cpi option only if you -+trust the host system. 
Enabling these options allows the host to receive -+potentially sensitive Control-Program Identification (CPI) data from the -+protected virtualization guest, including: -+- system_type -+- system_level -+- sysplex_name -+- system_name - - Available bits for the --set-bit option: - kvm: Indicate that system is a KVM host -@@ -124,6 +142,19 @@ fail_with() - - cpi_commit() - { -+ # Commit Control-Program Identification changes on protected -+ # virtualization guests only if it is permitted by the guest. This -+ # prevents leakage of potentially sensitive information to untrusted -+ # hosts. -+ if [[ -f "/sys/firmware/uv/prot_virt_guest" ]]; then -+ read -r PV_GUEST < "/sys/firmware/uv/prot_virt_guest" -+ if [[ "$PV_GUEST" -eq 1 ]]; then -+ if [[ -z "$CPI_PERMIT" ]] || [[ "$CPI_PERMIT" -ne 1 ]]; then -+ echo "Sending CPI data from secure execution Linux guests is disabled. Use --permit-cpi to enable CPI data." >&2 -+ exit "$EXIT_NO_PERMIT_CPI" -+ fi -+ fi -+ fi - echo 1 > "$CPI_SET" 2> /dev/null - } - -@@ -404,7 +435,7 @@ if [ $# -le 0 ]; then - print_parse_error_and_exit - fi - --opts=$(getopt -o b:ehL:N:S:T:v -l set-bit:,environment,help,level:,name:,sysplex:,type:,commit,dry-run,show,version -n $PRG -- "$@") -+opts=$(getopt -o b:ehL:N:S:T:v -l set-bit:,environment,help,level:,name:,sysplex:,type:,commit,dry-run,permit-cpi,show,version -n "$PRG" -- "$@") - if [ $? 
-ne 0 ]; then - print_parse_error_and_exit - fi -@@ -473,6 +504,10 @@ while [ -n $1 ]; do - cpi_show - exit $EXIT_SUCCESS - ;; -+ --permit-cpi) -+ CPI_PERMIT=1 -+ shift -+ ;; - --commit) - cpi_commit - exit $EXIT_SUCCESS -diff --git a/systemd/cpi.service.in b/systemd/cpi.service.in -index 3976f68..ca21a8b 100644 ---- a/systemd/cpi.service.in -+++ b/systemd/cpi.service.in -@@ -37,6 +37,7 @@ EnvironmentFile=@sysconf_path@/sysconfig/cpi - # Environment=CPI_SYSPLEX_NAME= - # Environment=CPI_SYSTEM_LEVEL= - # Environment=CPI_SYSTEM_TYPE=LINUX -+# Environment=CPI_PERMIT_ON_PVGUEST= - - # - # Sending data to the HMC/SE --- -2.50.1 - diff --git a/s390utils-2.39.0-rhel.patch b/s390utils-2.39.0-rhel.patch new file mode 100644 index 0000000..8515640 --- /dev/null +++ b/s390utils-2.39.0-rhel.patch 
@@ -0,0 +1,64 @@
+From daf4c2f581dee9602e325f80cb5425d352e9dd2d Mon Sep 17 00:00:00 2001
+From: Peter Jin
+Date: Wed, 1 Oct 2025 15:02:10 -0400
+Subject: [PATCH 1/2] udev/rules.d: make virtio-blk devices non-rotational
+ (RHEL-126745)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Performance measurements turned out that in certain situations the
+paging/swap logic turns on the rotational feature for block devices. In the
+past, this feature has been disabled for DASD devices. FCP and NVMe devices
+are considered non-rotational by default (or exposed by the storage server).
+Because those are the backing devices on Linux on Z/LinuxONE instances,
+ensure that virtio-blk devices are always non-rotational.
+
+Signed-off-by: Peter Jin
+Signed-off-by: Jan Höppner
+(cherry picked from commit 82f8c137e1881577d89309223f6d459361c671dd)
+---
+ etc/udev/rules.d/59-virtio-blk.rules | 1 +
+ 1 file changed, 1 insertion(+)
+ create mode 100644 etc/udev/rules.d/59-virtio-blk.rules
+
+diff --git a/etc/udev/rules.d/59-virtio-blk.rules b/etc/udev/rules.d/59-virtio-blk.rules
+new file mode 100644
+index 00000000..2e3c13f7
+--- /dev/null
++++ b/etc/udev/rules.d/59-virtio-blk.rules
+@@ -0,0 +1 @@
++SUBSYSTEM=="block", ACTION=="add", KERNEL=="vd*[!0-9]", TEST=="queue/rotational", ATTR{queue/rotational}="0"
+--
+2.52.0
+
+
+From 6ddd22a0972c3e931780b4a4e61f884aedb3a4ff Mon Sep 17 00:00:00 2001
+From: Peter Jin
+Date: Wed, 1 Oct 2025 15:09:49 -0400
+Subject: [PATCH 2/2] udev/rules.d: Set default io scheduler to 'none' for
+ virtio-blk (RHEL-126743)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Use 'none' as default io scheduler for virtio-blk devices. Performance
+improvements for multi-queue setups and to reduce CPU consumption.
+
+Signed-off-by: Peter Jin
+Signed-off-by: Jan Höppner
+(cherry picked from commit 6ee5ffef91cb4157079fecb89bf42aa41e81e801)
+---
+ etc/udev/rules.d/59-virtio-blk.rules | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/etc/udev/rules.d/59-virtio-blk.rules b/etc/udev/rules.d/59-virtio-blk.rules
+index 2e3c13f7..ca6e1c4d 100644
+--- a/etc/udev/rules.d/59-virtio-blk.rules
++++ b/etc/udev/rules.d/59-virtio-blk.rules
+@@ -1 +1,2 @@
+ SUBSYSTEM=="block", ACTION=="add", KERNEL=="vd*[!0-9]", TEST=="queue/rotational", ATTR{queue/rotational}="0"
++SUBSYSTEM=="block", ACTION=="add", KERNEL=="vd*[!0-9]", TEST=="queue/scheduler", ATTR{queue/scheduler}="none"
+--
+2.52.0
+
diff --git a/s390utils.spec b/s390utils.spec
index 54fbc03..68892dd 100644
--- a/s390utils.spec
+++ b/s390utils.spec
@@ -14,8 +14,8 @@
 Name: s390utils
 Summary: Utilities and daemons for IBM z Systems
-Version: 2.38.0
-Release: 2%{?dist}
+Version: 2.39.0
+Release: 1%{?dist}
 Epoch: 2
 License: MIT
 URL: https://github.com/ibm-s390-linux/s390-tools
@@ -190,6 +190,7 @@ fi
 # move tools to searchable dir
 mv %{buildroot}%{_datadir}/s390-tools/netboot/mk-s390image %{buildroot}%{_bindir}
+mv %{buildroot}%{_datadir}/s390-tools/netboot/mk-s390image.1 %{buildroot}%{_mandir}/man1
 mkdir -p %{buildroot}{/boot,%{_udevrulesdir},%{_sysconfdir}/{profile.d,sysconfig},%{_prefix}/lib/modules-load.d}
 install -p -m 644 zipl/boot/tape0.bin %{buildroot}/boot/tape0
@@ -303,6 +304,8 @@ touch %{buildroot}%{_sysconfdir}/zipl.conf
 License: MIT
 Summary: S390 core tools
 Requires: coreutils
+# for /usr/sbin/makedumpfile (RHEL-114663)
+Requires: kexec-tools
 %{?systemd_requires}
 # BRs are covered via the base package
@@ -378,6 +381,7 @@ This package provides minimal set of tools needed to system to boot.
 %{_udevrulesdir}/56-dasd.rules
 %{_udevrulesdir}/56-zfcp.rules
 %{_udevrulesdir}/59-dasd.rules
+%{_udevrulesdir}/59-virtio-blk.rules
 %{_udevrulesdir}/60-readahead.rules
 %{_udevrulesdir}/81-ccw.rules
 %{_udevrulesdir}/81-dpm.rules
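Review bot: The added `mv` in the `-190,6 +190,7` hunk gives its destination as `%{buildroot}%{_mandir}/man1` with no trailing slash, so if that directory does not exist at this point in %install the man page is renamed to a plain file called `man1` instead of the step failing. Writing the destination as `%{buildroot}%{_mandir}/man1/` makes `mv` stop right here with a clear error. The existing `mk-s390image` line above it has the same shape with `%{_bindir}`. The %install section starts and ends outside the hunk, so whether the directory is always created earlier cannot be confirmed from these lines.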
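Review bot: The new `Requires: kexec-tools` in the `-303,6 +304,8` hunk is a hard package-name dependency, although the comment above it says only one binary is needed. A file dependency, `Requires: /usr/sbin/makedumpfile`, states that need directly and keeps working if the binary ever moves to another package. This subpackage appears to be the one later described as the minimal set of tools needed to boot, so it is worth confirming that every minimal install should pull in the extra package. If ngdump support is optional there, `Recommends:` would keep the footprint smaller. The subpackage header continues outside the hunk.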
@@ -609,9 +613,9 @@ getent group zkeyadm > /dev/null || groupadd -r zkeyadm
 %{_bindir}/cpacfinfo
 %{_bindir}/dump2tar
 %{_bindir}/genprotimg
+%{_bindir}/mk-s390image
 %{_bindir}/pvapconfig
 %{_bindir}/pvimg
-%{_bindir}/mk-s390image
 %if %{with rust}
 %{_bindir}/pvapconfig
 %endif
@@ -648,6 +652,7 @@ getent group zkeyadm > /dev/null || groupadd -r zkeyadm
 %{_mandir}/man1/cpacfinfo.1*
 %{_mandir}/man1/dump2tar.1*
 %{_mandir}/man1/genprotimg.1*
+%{_mandir}/man1/mk-s390image.1*
 %if %{with rust}
 %{_mandir}/man1/pvapconfig.1*
 %endif
@@ -934,6 +939,7 @@ fi
 %{_mandir}/man1/ts-shell.1*
 %{_mandir}/man7/af_iucv.7*
 %{_mandir}/man8/chiucvallow.8*
+%{_mandir}/man8/lsiucvallow.8*
 %{_mandir}/man9/hvc_iucv.9*
 %{_unitdir}/iucvtty-login@.service
 %{_unitdir}/ttyrun-getty@.service
@@ -1095,6 +1101,15 @@ User-space development files for the s390/s390x architecture.
 %changelog
+* Mon Nov 24 2025 Dan Horák - 2:2.39.0-1
+- rebased to 2.39.0 (RHEL-100439)
+- udev/rules.d: Set default io scheduler to 'none' for virtio-blk (RHEL-126743)
+- udev/rules.d: make virtio-blk devices non-rotational (RHEL-126745)
+- zipl: makedumpfile is required for ngdump support (RHEL-114663)
+- libekmfweb: Fix gen of cert or CSR to use RSA not RSA-PSS (RHEL-114885)
+- chpstat: Fix DPU utilization scaling in reports (RHEL-109215)
+- Resolves: RHEL-100439 RHEL-126743 RHEL-126745 RHEL-114663 RHEL-114885 RHEL-109215
+
 * Wed Aug 13 2025 Dan Horák - 2:2.38.0-2
 - cpi: Disable CPI for SEL guests by default (RHEL-76931)
 - Resolves: RHEL-76931
diff --git a/sources b/sources
index 16b71cb..17deb64 100644
--- a/sources
+++ b/sources
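Review bot: `%{_bindir}/pvapconfig` appears twice on the new side of the `-609,9 +613,9` hunk, once unconditionally right after the moved `%{_bindir}/mk-s390image` line and once inside `%if %{with rust}`. rpmbuild warns about a file listed twice, and if pvapconfig is only produced by the Rust build (not visible here), a build without that conditional would fail on the unguarded entry. Since this hunk already reorders the list, dropping the unconditional line would leave only the guarded one, matching how `pvapconfig.1*` is handled in the man page list. The %files section begins and ends outside the hunk.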
@@ -1,2 +1,2 @@
-SHA512 (s390-tools-2.38.0.tar.gz) = 9ca9393e9deeab5c1df5e9eaa3c12e340917ffd5fe07d9a09087d6488d8e2ec0a136805650830d128595854b818a1da94151003e15954e556ba373b226a7369e
-SHA512 (s390-tools-2.38.0-rust-vendor.tar.xz) = c55d2870ad9f90333de2536e7921951185746f0972d5d488bf317b56e754525e4dbd0f63d547229197199b51d41b7032172b6ba7ffacd9a96a01dbd13b9c4d9e
+SHA512 (s390-tools-2.39.0.tar.gz) = ee9447f28f0cc43b4eba8110879174372a4ed85e2e53c3500e02723275c0aee01fd4913558ef3eaa62be40a0f5e634c3eb59587150e809fe14e8b4794e340ac7
+SHA512 (s390-tools-2.39.0-rust-vendor.tar.xz) = eb0cd352e8d3721ba52f79968494e72fc99b5655bbd34c359dfb98d81748a367d87854c799e5d7e88d9fef5209ce0cc5e91286a8259e3fef90e0e53a7b195a20