No commits in common. "c8" and "imports/c9/s390utils-2.19.0-2.el9_0.3" have entirely different histories.
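--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1 @@
-SOURCES/cmsfs-1.1.8c.tar.gz
-SOURCES/s390-tools-2.29.0-rust-vendor.tar.xz
-SOURCES/s390-tools-2.29.0.tar.gz
-SOURCES/src_vipa-2.1.0.tar.gz
+SOURCES/s390-tools-2.19.0.tar.gz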
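--- /dev/null
+++ b/.s390utils.metadata
@@ -0,0 +1 @@
+5b4eeed3868297ca65b7d5720484786172dc11d1 SOURCES/s390-tools-2.19.0.tar.gz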
@ -1,9 +0,0 @@
|
|||||||
#!/bin/bash
|
|
||||||
|
|
||||||
COMMAND="$1"
|
|
||||||
KERNEL_VERSION="$2"
|
|
||||||
BOOT_DIR_ABS="$3"
|
|
||||||
KERNEL_IMAGE="$4"
|
|
||||||
|
|
||||||
# Remove it, since for zipl the images are always installed in /boot
|
|
||||||
rm -rf "${BOOT_DIR_ABS%/*}"
|
|
@ -1,13 +1,4 @@
|
|||||||
ACTION!="add|change", GOTO="ccw_end"
|
ACTION!="add|bind|change", GOTO="ccw_end"
|
||||||
SUBSYSTEM!="ccw", GOTO="ccw_end"
|
SUBSYSTEM!="ccw", GOTO="ccw_end"
|
||||||
ATTRS{cutype}=="1731/01", RUN+="ccw_init"
|
DRIVER=="ctcm|lcs|qeth", RUN+="ccw_init"
|
||||||
ATTRS{cutype}=="1731/02", RUN+="ccw_init"
|
|
||||||
ATTRS{cutype}=="1731/05", RUN+="ccw_init"
|
|
||||||
ATTRS{cutype}=="1731/06", RUN+="ccw_init"
|
|
||||||
ATTRS{cutype}=="3088/01", RUN+="ccw_init"
|
|
||||||
ATTRS{cutype}=="3088/08", RUN+="ccw_init"
|
|
||||||
ATTRS{cutype}=="3088/60", RUN+="ccw_init"
|
|
||||||
ATTRS{cutype}=="3088/61", RUN+="ccw_init"
|
|
||||||
ATTRS{cutype}=="3088/1e", RUN+="ccw_init"
|
|
||||||
ATTRS{cutype}=="3088/1f", RUN+="ccw_init"
|
|
||||||
LABEL="ccw_end"
|
LABEL="ccw_end"
|
||||||
|
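Review bot: The rewritten rule on the new side, `DRIVER=="ctcm|lcs|qeth", RUN+="ccw_init"`, now matches on a bound driver instead of the `ATTRS{cutype}` list, and the reason `bind` was added to the `ACTION!="add|bind|change"` guard is not recorded anywhere in the file. Presumably DRIVER is still empty at the initial add event of a ccw device and only becomes set once a driver claims it, so the bind event is what makes the new match fire at all — confirm against the ccw bus behaviour of the kernels this package targets. Since the removed cutype list also documented which hardware the rule covered, a comment above the DRIVER line would preserve that knowledge, e.g. `# Run ccw_init for network ccw devices once a driver (ctcm/lcs/qeth) is bound; DRIVER is not set on the initial add event, hence "bind" in ACTION above`. The rules file's name is not visible in this rendering.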
@ -1,12 +0,0 @@
|
|||||||
diff -up cmsfs-1.1.8c/cmsfslst.c.orig cmsfs-1.1.8c/cmsfslst.c
|
|
||||||
--- cmsfs-1.1.8c/cmsfslst.c.orig 2020-08-19 09:47:36.459063820 +0000
|
|
||||||
+++ cmsfs-1.1.8c/cmsfslst.c 2020-08-19 09:47:45.619063820 +0000
|
|
||||||
@@ -49,7 +49,7 @@ int main(int argc,unsigned char *argv[])
|
|
||||||
}
|
|
||||||
|
|
||||||
/* sanity check */
|
|
||||||
- if (*devname == 0x00)
|
|
||||||
+ if ((devname == NULL) || (*devname == 0x00))
|
|
||||||
{
|
|
||||||
(void) fprintf(stderr,"Please specify a CMS volume.\n");
|
|
||||||
(void) fprintf(stderr,USAGE,argv[0]);
|
|
@ -1,12 +0,0 @@
|
|||||||
diff -aruN cmsfs-1.1.8c/cmsfssed.sh cmsfs-1.1.8c.alma/cmsfssed.sh
|
|
||||||
--- cmsfs-1.1.8c/cmsfssed.sh 2006-01-29 07:04:32
|
|
||||||
+++ cmsfs-1.1.8c.alma/cmsfssed.sh 2023-11-01 10:57:10
|
|
||||||
@@ -85,7 +85,7 @@
|
|
||||||
DRIVER_SOURCE="cmsfs22x.c"
|
|
||||||
MODULES_DIRECTORY="/lib/modules/`uname -r`/fs"
|
|
||||||
;;
|
|
||||||
- 2.4*|2.5*)
|
|
||||||
+ 2.4*|2.5*|2.6*|3.*|4.*|5.*)
|
|
||||||
LINUX_RELEASE="2.4"
|
|
||||||
# ln -s cmsfs24x.c cmsfsvfs.c
|
|
||||||
INCLUDES="-I/lib/modules/`uname -r`/build/include"
|
|
@ -1,31 +0,0 @@
|
|||||||
From 25442f958a12b428b7d063b927ac48965dcd8164 Mon Sep 17 00:00:00 2001
|
|
||||||
From: =?UTF-8?q?Dan=20Hor=C3=A1k?= <dan@danny.cz>
|
|
||||||
Date: Fri, 28 Jan 2011 16:11:19 +0100
|
|
||||||
Subject: [PATCH] use detected filesystem block size on FBA devices
|
|
||||||
|
|
||||||
If a FBA device is not properly formated, then the CMS file system can
|
|
||||||
have a different block size. The cmsfs tools were able to detect the file
|
|
||||||
system block size, but in fact they still used default 512 instead. And
|
|
||||||
using the default was causing crashes. Now the detected value is used.
|
|
||||||
|
|
||||||
https://bugzilla.redhat.com/show_bug.cgi?id=651012
|
|
||||||
---
|
|
||||||
cmsfsany.c | 2 +-
|
|
||||||
1 files changed, 1 insertions(+), 1 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/cmsfsany.c b/cmsfsany.c
|
|
||||||
index 55bcfdc..18efffb 100644
|
|
||||||
--- a/cmsfsany.c
|
|
||||||
+++ b/cmsfsany.c
|
|
||||||
@@ -102,7 +102,7 @@ int cmsfs_find_label(struct CMSSUPER *vol,struct CMSFSADT *adt)
|
|
||||||
cmsfs_error(cmsfs_ermsg);
|
|
||||||
}
|
|
||||||
vol->flags = CMSFSFBA;
|
|
||||||
- vol->blksz = 512;
|
|
||||||
+ vol->blksz = blksz;
|
|
||||||
return vol->blksz;
|
|
||||||
} }
|
|
||||||
|
|
||||||
--
|
|
||||||
1.7.3.5
|
|
||||||
|
|
@ -1,11 +0,0 @@
|
|||||||
--- cmsfs-1.1.8/cmsfsvol.c.warnings 2003-07-18 01:38:57.000000000 +0200
|
|
||||||
+++ cmsfs-1.1.8/cmsfsvol.c 2005-09-06 16:57:15.000000000 +0200
|
|
||||||
@@ -52,7 +52,7 @@
|
|
||||||
|
|
||||||
/* print a header; looks like CMS */
|
|
||||||
(void) printf("LABEL VDEV M STAT CYL TYPE \
|
|
||||||
-BLKSZ FILES BLKS USED-(%) BLKS LEFT BLK TOTAL\n");
|
|
||||||
+BLKSZ FILES BLKS USED-(%%) BLKS LEFT BLK TOTAL\n");
|
|
||||||
|
|
||||||
for ( ; i < argc ; i++)
|
|
||||||
{
|
|
@ -7,7 +7,6 @@ Before=sysinit.target systemd-udev-trigger.service
|
|||||||
Type=oneshot
|
Type=oneshot
|
||||||
RemainAfterExit=yes
|
RemainAfterExit=yes
|
||||||
ExecStart=/usr/sbin/device_cio_free
|
ExecStart=/usr/sbin/device_cio_free
|
||||||
StandardOutput=syslog
|
|
||||||
|
|
||||||
[Install]
|
[Install]
|
||||||
WantedBy=sysinit.target
|
WantedBy=sysinit.target
|
||||||
|
@ -1,234 +1,19 @@
|
|||||||
From b2daaa34776ba6afec879e362378f6f7563590a6 Mon Sep 17 00:00:00 2001
|
diff -up s390-tools-2.9.0/zipl/src/Makefile.blscfg-rpm-nvr-sort s390-tools-2.9.0/zipl/src/Makefile
|
||||||
From: =?UTF-8?q?Dan=20Hor=C3=A1k?= <dan@danny.cz>
|
--- s390-tools-2.9.0/zipl/src/Makefile.blscfg-rpm-nvr-sort 2019-05-22 08:16:17.317273801 -0400
|
||||||
Date: Mon, 20 Jun 2022 17:43:05 +0200
|
+++ s390-tools-2.9.0/zipl/src/Makefile 2019-05-22 08:18:02.947273801 -0400
|
||||||
Subject: [PATCH 1/2] Revert "zipl/src: Implement sorting bls entries by
|
@@ -7,7 +7,7 @@ ALL_CPPFLAGS += -I../include -I../boot \
|
||||||
versions"
|
-D_FILE_OFFSET_BITS=64 $(NO_PIE_CFLAGS)
|
||||||
|
ALL_LDFLAGS += -Wl,-z,noexecstack $(NO_PIE_LDFLAGS)
|
||||||
|
|
||||||
This reverts commit a0dba6bfdb50ff373fa710ffe2a307cc0748f18b.
|
-libs = $(rootdir)/libutil/libutil.a
|
||||||
---
|
+libs = $(rootdir)/libutil/libutil.a -lrpmio -lrpm
|
||||||
zipl/src/scan.c | 139 ++----------------------------------------------
|
|
||||||
1 file changed, 3 insertions(+), 136 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/zipl/src/scan.c b/zipl/src/scan.c
|
|
||||||
index 0cea1d4..9352f76 100644
|
|
||||||
--- a/zipl/src/scan.c
|
|
||||||
+++ b/zipl/src/scan.c
|
|
||||||
@@ -10,7 +10,6 @@
|
|
||||||
*
|
|
||||||
*/
|
|
||||||
|
|
||||||
-static const char *VERSION_KEYWORD = "version";
|
|
||||||
|
|
||||||
/* Need ISOC99 function isblank() in ctype.h */
|
|
||||||
#ifndef __USE_ISOC99
|
|
||||||
@@ -646,7 +645,7 @@ scan_file(const char* filename, struct scan_token** token)
|
|
||||||
|
|
||||||
|
|
||||||
static int
|
|
||||||
-bls_filter_by_names(const struct dirent *ent)
|
|
||||||
+bls_filter(const struct dirent *ent)
|
|
||||||
{
|
|
||||||
int offset = strlen(ent->d_name) - strlen(".conf");
|
|
||||||
|
|
||||||
@@ -656,111 +655,13 @@ bls_filter_by_names(const struct dirent *ent)
|
|
||||||
return strncmp(ent->d_name + offset, ".conf", strlen(".conf")) == 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
-struct version {
|
|
||||||
- char *line; /* pointer to a line with version keyword */
|
|
||||||
- int offset; /* offset of version value in the line */
|
|
||||||
-};
|
|
||||||
-
|
|
||||||
-/*
|
|
||||||
- * Locate version in bls file represented by ENT
|
|
||||||
- */
|
|
||||||
-static void get_version(const struct dirent *ent, struct version *v)
|
|
||||||
-{
|
|
||||||
- char *line = NULL;
|
|
||||||
- size_t len = 0;
|
|
||||||
- char *d_name;
|
|
||||||
- FILE *stream;
|
|
||||||
- ssize_t read;
|
|
||||||
-
|
|
||||||
- memset(v, 0, sizeof(*v));
|
|
||||||
- d_name = misc_make_path((char *)blsdir, (char *)ent->d_name);
|
|
||||||
- if (!d_name)
|
|
||||||
- return;
|
|
||||||
-
|
|
||||||
- stream = fopen(d_name, "r");
|
|
||||||
- free(d_name);
|
|
||||||
- if (!stream)
|
|
||||||
- return;
|
|
||||||
-
|
|
||||||
- while ((read = getline(&line, &len, stream)) != -1) {
|
|
||||||
- if (line[read - 1] == '\n') {
|
|
||||||
- line[read - 1] = '\0';
|
|
||||||
- read--;
|
|
||||||
- }
|
|
||||||
- if ((size_t)read <= strlen(VERSION_KEYWORD) + 1)
|
|
||||||
- continue;
|
|
||||||
- if (strcmp(VERSION_KEYWORD, line) > 0)
|
|
||||||
- continue;
|
|
||||||
- if (!isblank(line[strlen(VERSION_KEYWORD)]))
|
|
||||||
- continue;
|
|
||||||
- /* skip blanks */
|
|
||||||
- v->offset = strlen(VERSION_KEYWORD) + 1;
|
|
||||||
- while (v->offset < read - 1 && isblank(line[v->offset]))
|
|
||||||
- v->offset++;
|
|
||||||
- if (isblank(line[v->offset]))
|
|
||||||
- /*
|
|
||||||
- * all characters after the keyword
|
|
||||||
- * are blanks. Invalid version
|
|
||||||
- */
|
|
||||||
- continue;
|
|
||||||
- v->line = line;
|
|
||||||
- fclose(stream);
|
|
||||||
- return;
|
|
||||||
- }
|
|
||||||
- free(line);
|
|
||||||
- fclose(stream);
|
|
||||||
-}
|
|
||||||
-
|
|
||||||
-static void put_version(struct version *v)
|
|
||||||
-{
|
|
||||||
- free(v->line);
|
|
||||||
-}
|
|
||||||
-
|
|
||||||
-/**
|
|
||||||
- * Check version in bls file represented by ENT.
|
|
||||||
- * Return 1 if version is valid. Otherwise return 0
|
|
||||||
- */
|
|
||||||
-static int bls_filter_by_versions(const struct dirent *ent)
|
|
||||||
-{
|
|
||||||
- struct version v;
|
|
||||||
-
|
|
||||||
- if (bls_filter_by_names(ent) == 0)
|
|
||||||
- return 0;
|
|
||||||
-
|
|
||||||
- get_version(ent, &v);
|
|
||||||
- if (v.line) {
|
|
||||||
- put_version(&v);
|
|
||||||
- return 1;
|
|
||||||
- }
|
|
||||||
- return 0;
|
|
||||||
-}
|
|
||||||
-
|
|
||||||
|
|
||||||
static int
|
|
||||||
-bls_sort_by_names(const struct dirent **ent_a, const struct dirent **ent_b)
|
|
||||||
+bls_sort(const struct dirent **ent_a, const struct dirent **ent_b)
|
|
||||||
{
|
|
||||||
return strverscmp((*ent_a)->d_name, (*ent_b)->d_name);
|
|
||||||
}
|
|
||||||
|
|
||||||
-static int
|
|
||||||
-bls_sort_by_versions(const struct dirent **ent_a, const struct dirent **ent_b)
|
|
||||||
-{
|
|
||||||
- struct version v1, v2;
|
|
||||||
- int ret;
|
|
||||||
-
|
|
||||||
- get_version(*ent_a, &v1);
|
|
||||||
- get_version(*ent_b, &v2);
|
|
||||||
- /*
|
|
||||||
- * Both versions are valid.
|
|
||||||
- * It is guaranteed by bls_filter_by_versions()
|
|
||||||
- */
|
|
||||||
- ret = strverscmp(v1.line + v1.offset, v2.line + v2.offset);
|
|
||||||
-
|
|
||||||
- put_version(&v1);
|
|
||||||
- put_version(&v2);
|
|
||||||
-
|
|
||||||
- return ret;
|
|
||||||
-}
|
|
||||||
|
|
||||||
static int
|
|
||||||
scan_append_section_heading(struct scan_token* scan, int* index, char* name);
|
|
||||||
@@ -1110,40 +1011,6 @@ scan_count_target_keywords(char* keyword[])
|
|
||||||
return num;
|
|
||||||
}
|
|
||||||
|
|
||||||
-static int bls_scandir(struct dirent ***bls_entries)
|
|
||||||
-{
|
|
||||||
- struct dirent **entries1;
|
|
||||||
- struct dirent **entries2;
|
|
||||||
- int n1, n2;
|
|
||||||
-
|
|
||||||
- /* arrange by names */
|
|
||||||
- n1 = scandir(blsdir, &entries1,
|
|
||||||
- bls_filter_by_names, bls_sort_by_names);
|
|
||||||
- if (n1 <= 0)
|
|
||||||
- return n1;
|
|
||||||
- /* arrange by versions */
|
|
||||||
- n2 = scandir(blsdir, &entries2,
|
|
||||||
- bls_filter_by_versions, bls_sort_by_versions);
|
|
||||||
-
|
|
||||||
- if (n2 <= 0 || n2 < n1) {
|
|
||||||
- /*
|
|
||||||
- * failed to sort by versions,
|
|
||||||
- * fall back to sorting by filenames
|
|
||||||
- */
|
|
||||||
- *bls_entries = entries1;
|
|
||||||
- while (n2--)
|
|
||||||
- free(entries2[n2]);
|
|
||||||
- free(entries2);
|
|
||||||
- return n1;
|
|
||||||
- }
|
|
||||||
- /* use arrangement by versions */
|
|
||||||
- *bls_entries = entries2;
|
|
||||||
- while (n1--)
|
|
||||||
- free(entries1[n1]);
|
|
||||||
- free(entries1);
|
|
||||||
- return n2;
|
|
||||||
-}
|
|
||||||
-
|
|
||||||
int
|
|
||||||
scan_check_target_data(char* keyword[], int* line)
|
|
||||||
{
|
|
||||||
@@ -1464,7 +1331,7 @@ int scan_bls(struct scan_token **token, int scan_size)
|
|
||||||
if (!(stat(blsdir, &sb) == 0 && S_ISDIR(sb.st_mode)))
|
|
||||||
return 0;
|
|
||||||
|
|
||||||
- n = bls_scandir(&bls_entries);
|
|
||||||
+ n = scandir(blsdir, &bls_entries, bls_filter, bls_sort);
|
|
||||||
if (n <= 0)
|
|
||||||
return n;
|
|
||||||
|
|
||||||
--
|
|
||||||
2.39.2
|
|
||||||
|
|
||||||
|
|
||||||
From 692e70bcfc32a05e30146bd7077c41e0eaceff03 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Peter Jones <pjones@redhat.com>
|
|
||||||
Date: Mon, 20 Jun 2022 17:46:59 +0200
|
|
||||||
Subject: [PATCH 2/2] blscfg: sort like rpm nvr, not like a single version
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
||||||
Signed-off-by: Dan Horák <dan@danny.cz>
|
|
||||||
---
|
|
||||||
zipl/src/Makefile | 1 +
|
|
||||||
zipl/src/scan.c | 96 ++++++++++++++++++++++++++++++++++++++++++++++-
|
|
||||||
2 files changed, 95 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/zipl/src/Makefile b/zipl/src/Makefile
|
|
||||||
index cab5655..7ec215d 100644
|
|
||||||
--- a/zipl/src/Makefile
|
|
||||||
+++ b/zipl/src/Makefile
|
|
||||||
@@ -9,6 +9,7 @@ ALL_LDFLAGS += -Wl,-z,noexecstack $(NO_PIE_LDFLAGS)
|
|
||||||
|
|
||||||
libs = $(rootdir)/libutil/libutil.a \
|
|
||||||
$(rootdir)/libvtoc/libvtoc.a \
|
|
||||||
+ -lrpmio -lrpm
|
|
||||||
|
|
||||||
objects = misc.o error.o scan.o job.o boot.o bootmap.o fs-map.o disk.o \
|
objects = misc.o error.o scan.o job.o boot.o bootmap.o fs-map.o disk.o \
|
||||||
bootmap_header.o envblk.o install.o zipl.o
|
bootmap_header.o envblk.o install.o zipl.o $(rootdir)/zipl/boot/data.o
|
||||||
diff --git a/zipl/src/scan.c b/zipl/src/scan.c
|
diff -up s390-tools-2.9.0/zipl/src/scan.c.blscfg-rpm-nvr-sort s390-tools-2.9.0/zipl/src/scan.c
|
||||||
index 9352f76..3327e2d 100644
|
--- s390-tools-2.9.0/zipl/src/scan.c.blscfg-rpm-nvr-sort 2019-05-21 09:13:36.000000000 -0400
|
||||||
--- a/zipl/src/scan.c
|
+++ s390-tools-2.9.0/zipl/src/scan.c 2019-05-22 08:16:17.317273801 -0400
|
||||||
+++ b/zipl/src/scan.c
|
@@ -33,6 +33,8 @@
|
||||||
@@ -35,6 +35,8 @@
|
|
||||||
|
|
||||||
#include "lib/util_base.h"
|
#include "lib/util_base.h"
|
||||||
|
|
||||||
@ -237,7 +22,7 @@ index 9352f76..3327e2d 100644
|
|||||||
#include "boot.h"
|
#include "boot.h"
|
||||||
#include "error.h"
|
#include "error.h"
|
||||||
#include "misc.h"
|
#include "misc.h"
|
||||||
@@ -655,13 +657,103 @@ bls_filter(const struct dirent *ent)
|
@@ -653,13 +655,103 @@ bls_filter(const struct dirent *ent)
|
||||||
return strncmp(ent->d_name + offset, ".conf", strlen(".conf")) == 0;
|
return strncmp(ent->d_name + offset, ".conf", strlen(".conf")) == 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -343,6 +128,3 @@ index 9352f76..3327e2d 100644
|
|||||||
|
|
||||||
static int
|
static int
|
||||||
scan_append_section_heading(struct scan_token* scan, int* index, char* name);
|
scan_append_section_heading(struct scan_token* scan, int* index, char* name);
|
||||||
--
|
|
||||||
2.39.2
|
|
||||||
|
|
||||||
|
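Review bot: The replacement blscfg patch on the new side (`diff -up s390-tools-2.9.0/zipl/src/Makefile.blscfg-rpm-nvr-sort …` and the scan.c hunk anchored at `@@ -653,13 +655,103 @@ bls_filter(const struct dirent *ent)`) was generated against s390-tools-2.9.0, while this import ships SOURCES/s390-tools-2.19.0.tar.gz according to the new .gitignore and .s390utils.metadata. The removed side carried an explicit revert of upstream's bls version sorting (the one that renames `bls_filter` to `bls_filter_by_names` and adds `bls_scandir`); if 2.19.0 already contains that upstream code, the new patch's `bls_filter` anchor will not apply cleanly and the resulting sort order of BLS entries will differ from what the rpm-nvr patch intends — worth confirming with a scratch build rather than relying on patch fuzz and offsets. A one-line free-text header at the top of the patch file naming the exact tarball it was rebased against, e.g. `Rebased against s390-tools-2.19.0 (zipl/src/Makefile, zipl/src/scan.c)`, would make this checkable at the next rebase. The section's second and third hunks (`@ -237,7 +22,7 @@`, `@ -343,6 +128,3 @@`) only strip the git-format-patch framing and raise nothing further.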
@ -61,10 +61,10 @@ index 871935c783f..d8d5eca5867 100755
|
|||||||
;;
|
;;
|
||||||
--)
|
--)
|
||||||
shift
|
shift
|
||||||
diff --git a/scripts/zipl-switch-to-blscfg.8 b/scripts/zipl-switch-to-blscfg.8
|
diff --git a/scripts/zipl-switch-to-blscfg.1 b/scripts/zipl-switch-to-blscfg.1
|
||||||
index 6bd14d00d14..71b904ffd1c 100644
|
index 6bd14d00d14..71b904ffd1c 100644
|
||||||
--- a/scripts/zipl-switch-to-blscfg.8
|
--- a/scripts/zipl-switch-to-blscfg.1
|
||||||
+++ b/scripts/zipl-switch-to-blscfg.8
|
+++ b/scripts/zipl-switch-to-blscfg.1
|
||||||
@@ -37,9 +37,9 @@ The DIRECTORY where the BLS fragments will be generated. The directory is create
|
@@ -37,9 +37,9 @@ The DIRECTORY where the BLS fragments will be generated. The directory is create
|
||||||
The FILE used for zipl configuration file, defaults to /etc/zipl.conf.
|
The FILE used for zipl configuration file, defaults to /etc/zipl.conf.
|
||||||
|
|
||||||
|
547
SOURCES/s390utils-2.19.0-rhel.patch
@ -0,0 +1,547 @@
|
|||||||
|
From 55e2f3991a8f55d49d7e381dbd8d3fe347c3fc9e Mon Sep 17 00:00:00 2001
|
||||||
|
From: Marc Hartmayer <mhartmay@linux.ibm.com>
|
||||||
|
Date: Thu, 31 Mar 2022 14:00:31 +0000
|
||||||
|
Subject: [PATCH 1/5] genprotimg: remove DigiCert root CA pinning
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
|
||||||
|
Remove the DigiCert root CA pinning. The root CA used for the chain of trust can
|
||||||
|
change in the future therefore let's remove this check. If someone wants to
|
||||||
|
enforce the usage of a specific root CA it can be selected by the genprotimg
|
||||||
|
command line option `--root-ca $CA`. Make it transparent to the user which root
|
||||||
|
CA is actually being used by printing the subject name of the root CA to stdout
|
||||||
|
in verbose mode.
|
||||||
|
|
||||||
|
Signed-off-by: Marc Hartmayer <mhartmay@linux.ibm.com>
|
||||||
|
Acked-by: Viktor Mihajlovski <mihajlov@linux.ibm.com>
|
||||||
|
Reviewed-and-tested-by: Nico Boehr <nrb@linux.ibm.com>
|
||||||
|
Signed-off-by: Jan Höppner <hoeppner@linux.ibm.com>
|
||||||
|
(cherry picked from commit 78b053326c504c0535b5ec1c244ad7bb5a1df29d)
|
||||||
|
---
|
||||||
|
genprotimg/man/genprotimg.8 | 2 +-
|
||||||
|
genprotimg/src/include/pv_crypto_def.h | 3 --
|
||||||
|
genprotimg/src/pv/pv_args.c | 2 +-
|
||||||
|
genprotimg/src/pv/pv_image.c | 27 ++++++---------
|
||||||
|
genprotimg/src/utils/crypto.c | 48 +++++++++++---------------
|
||||||
|
genprotimg/src/utils/crypto.h | 4 +--
|
||||||
|
6 files changed, 35 insertions(+), 51 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/genprotimg/man/genprotimg.8 b/genprotimg/man/genprotimg.8
|
||||||
|
index 8a481c4..6f14052 100644
|
||||||
|
--- a/genprotimg/man/genprotimg.8
|
||||||
|
+++ b/genprotimg/man/genprotimg.8
|
||||||
|
@@ -87,7 +87,7 @@ CRLs. Optional.
|
||||||
|
.TP
|
||||||
|
\fB\-\-root\-ca\fR=\fI\,FILE\/\fR
|
||||||
|
Specifies the root CA certificate for the verification. If omitted,
|
||||||
|
-the DigiCert root CA certificate installed on the system is used. Use
|
||||||
|
+the system wide root CAs installed on the system is used. Use
|
||||||
|
this only if you trust the specified certificate. Optional.
|
||||||
|
.TP
|
||||||
|
\fB\-\-no-verify\fR
|
||||||
|
diff --git a/genprotimg/src/include/pv_crypto_def.h b/genprotimg/src/include/pv_crypto_def.h
|
||||||
|
index 53984a3..3635433 100644
|
||||||
|
--- a/genprotimg/src/include/pv_crypto_def.h
|
||||||
|
+++ b/genprotimg/src/include/pv_crypto_def.h
|
||||||
|
@@ -29,9 +29,6 @@
|
||||||
|
*/
|
||||||
|
#define PV_CERTS_SECURITY_LEVEL 2
|
||||||
|
|
||||||
|
-/* SKID for DigiCert Assured ID Root CA */
|
||||||
|
-#define DIGICERT_ASSURED_ID_ROOT_CA_SKID "45EBA2AFF492CB82312D518BA7A7219DF36DC80F"
|
||||||
|
-
|
||||||
|
union ecdh_pub_key {
|
||||||
|
struct {
|
||||||
|
uint8_t x[80];
|
||||||
|
diff --git a/genprotimg/src/pv/pv_args.c b/genprotimg/src/pv/pv_args.c
|
||||||
|
index e644ae7..bcc3784 100644
|
||||||
|
--- a/genprotimg/src/pv/pv_args.c
|
||||||
|
+++ b/genprotimg/src/pv/pv_args.c
|
||||||
|
@@ -111,7 +111,7 @@ static gint pv_args_validate_options(PvArgs *args, GError **err)
|
||||||
|
g_strv_length(args->untrusted_cert_paths) == 0)) {
|
||||||
|
g_set_error(
|
||||||
|
err, PV_PARSE_ERROR, PR_PARSE_ERROR_MISSING_ARGUMENT,
|
||||||
|
- _("Either specify the IBM Z signing key and (DigiCert) intermediate CA certificate\n"
|
||||||
|
+ _("Either specify the IBM Z signing key and intermediate CA certificate\n"
|
||||||
|
"by using the '--cert' option, or use the '--no-verify' flag to disable the\n"
|
||||||
|
"host-key document verification completely (at your own risk)."));
|
||||||
|
return -1;
|
||||||
|
diff --git a/genprotimg/src/pv/pv_image.c b/genprotimg/src/pv/pv_image.c
|
||||||
|
index 7359240..a5f07b8 100644
|
||||||
|
--- a/genprotimg/src/pv/pv_image.c
|
||||||
|
+++ b/genprotimg/src/pv/pv_image.c
|
||||||
|
@@ -304,9 +304,10 @@ static gint pv_img_hostkey_verify(GSList *host_key_certs,
|
||||||
|
}
|
||||||
|
|
||||||
|
/* Load all untrusted certificates (e.g. IBM Z signing key and
|
||||||
|
- * DigiCert intermediate CA) that are required to establish a chain of
|
||||||
|
- * trust starting from the host-key document up to the root CA (if not
|
||||||
|
- * otherwise specified that's the DigiCert Assured ID Root CA).
|
||||||
|
+ * intermediate CA) that are required to establish a chain of trust
|
||||||
|
+ * starting from the host-key document up to the root CA (if not
|
||||||
|
+ * otherwise specified that can be one of the system wide installed
|
||||||
|
+ * root CAs, e.g. DigiCert).
|
||||||
|
*/
|
||||||
|
untrusted_certs_with_path = load_certificates(untrusted_cert_paths, err);
|
||||||
|
if (!untrusted_certs_with_path)
|
||||||
|
@@ -341,9 +342,8 @@ static gint pv_img_hostkey_verify(GSList *host_key_certs,
|
||||||
|
* For this we must check:
|
||||||
|
*
|
||||||
|
* 1. Can a chain of trust be established ending in a root CA
|
||||||
|
- * 2. Is the correct root CA ued? It has either to be the
|
||||||
|
- * 'DigiCert Assured ID Root CA' or the root CA specified via
|
||||||
|
- * command line.
|
||||||
|
+ * 2. Is the correct root CA used? It has either to be a system CA
|
||||||
|
+ * or the root CA specified via command line.
|
||||||
|
*/
|
||||||
|
for (gint i = 0; i < sk_X509_num(ibm_signing_certs); ++i) {
|
||||||
|
X509 *ibm_signing_cert = sk_X509_value(ibm_signing_certs, i);
|
||||||
|
@@ -364,17 +364,12 @@ static gint pv_img_hostkey_verify(GSList *host_key_certs,
|
||||||
|
if (verify_cert(ibm_signing_cert, ctx, err) < 0)
|
||||||
|
goto error;
|
||||||
|
|
||||||
|
- /* Verify the build chain of trust chain. If the user passes a
|
||||||
|
- * trusted root CA on the command line then the check for the
|
||||||
|
- * Subject Key Identifier (SKID) is skipped, otherwise let's
|
||||||
|
- * check if the SKID meets our expectation.
|
||||||
|
+ /* If there is a chain of trust using either the provided root
|
||||||
|
+ * CA on the command line or a system wide trusted root CA.
|
||||||
|
*/
|
||||||
|
- if (!root_ca_path &&
|
||||||
|
- check_chain_parameters(X509_STORE_CTX_get0_chain(ctx),
|
||||||
|
- get_digicert_assured_id_root_ca_skid(),
|
||||||
|
- err) < 0) {
|
||||||
|
+ if (check_chain_parameters(X509_STORE_CTX_get0_chain(ctx),
|
||||||
|
+ err) < 0)
|
||||||
|
goto error;
|
||||||
|
- }
|
||||||
|
|
||||||
|
ibm_signing_crls = store_ctx_find_valid_crls(ctx, ibm_signing_cert, err);
|
||||||
|
if (!ibm_signing_crls) {
|
||||||
|
@@ -588,7 +583,7 @@ PvImage *pv_img_new(PvArgs *args, const gchar *stage3a_path, GError **err)
|
||||||
|
g_warning(_("host-key document verification is disabled. Your workload is not secured."));
|
||||||
|
|
||||||
|
if (args->root_ca_path)
|
||||||
|
- g_warning(_("A different root CA than the default DigiCert root CA is selected. Ensure that this root CA is trusted."));
|
||||||
|
+ g_warning(_("The root CA is selected through the command line. Ensure that this root CA is trusted."));
|
||||||
|
|
||||||
|
ret->comps = pv_img_comps_new(EVP_sha512(), EVP_sha512(), EVP_sha512(), err);
|
||||||
|
if (!ret->comps)
|
||||||
|
diff --git a/genprotimg/src/utils/crypto.c b/genprotimg/src/utils/crypto.c
|
||||||
|
index 087de37..9d1fdb0 100644
|
||||||
|
--- a/genprotimg/src/utils/crypto.c
|
||||||
|
+++ b/genprotimg/src/utils/crypto.c
|
||||||
|
@@ -1079,8 +1079,8 @@ int store_set_verify_param(X509_STORE *store, GError **err)
|
||||||
|
g_abort();
|
||||||
|
|
||||||
|
/* The maximum depth level of the chain of trust for the verification of
|
||||||
|
- * the IBM Z signing key is 2, i.e. IBM Z signing key -> (DigiCert)
|
||||||
|
- * intermediate CA -> (DigiCert) root CA
|
||||||
|
+ * the IBM Z signing key is 2, i.e. IBM Z signing key -> intermediate CA
|
||||||
|
+ * -> root CA
|
||||||
|
*/
|
||||||
|
X509_VERIFY_PARAM_set_depth(param, 2);
|
||||||
|
|
||||||
|
@@ -1267,46 +1267,38 @@ static int security_level_to_bits(int level)
|
||||||
|
return security_bits[level];
|
||||||
|
}
|
||||||
|
|
||||||
|
-static ASN1_OCTET_STRING *digicert_assured_id_root_ca;
|
||||||
|
-
|
||||||
|
-const ASN1_OCTET_STRING *get_digicert_assured_id_root_ca_skid(void)
|
||||||
|
-{
|
||||||
|
- pv_crypto_init();
|
||||||
|
- return digicert_assured_id_root_ca;
|
||||||
|
-}
|
||||||
|
-
|
||||||
|
/* Used for the caching of the downloaded CRLs */
|
||||||
|
static GHashTable *cached_crls;
|
||||||
|
|
||||||
|
void pv_crypto_init(void)
|
||||||
|
{
|
||||||
|
- if (digicert_assured_id_root_ca)
|
||||||
|
+ if (cached_crls)
|
||||||
|
return;
|
||||||
|
-
|
||||||
|
cached_crls = g_hash_table_new_full(g_str_hash, g_str_equal, g_free,
|
||||||
|
(GDestroyNotify)X509_CRL_free);
|
||||||
|
- digicert_assured_id_root_ca = s2i_ASN1_OCTET_STRING(
|
||||||
|
- NULL, NULL, DIGICERT_ASSURED_ID_ROOT_CA_SKID);
|
||||||
|
}
|
||||||
|
|
||||||
|
void pv_crypto_cleanup(void)
|
||||||
|
{
|
||||||
|
- if (!digicert_assured_id_root_ca)
|
||||||
|
+ if (!cached_crls)
|
||||||
|
return;
|
||||||
|
g_clear_pointer(&cached_crls, g_hash_table_destroy);
|
||||||
|
- g_clear_pointer(&digicert_assured_id_root_ca, ASN1_OCTET_STRING_free);
|
||||||
|
}
|
||||||
|
|
||||||
|
gint check_chain_parameters(const STACK_OF_X509 *chain,
|
||||||
|
- const ASN1_OCTET_STRING *skid, GError **err)
|
||||||
|
+ GError **err)
|
||||||
|
{
|
||||||
|
- const ASN1_OCTET_STRING *ca_skid = NULL;
|
||||||
|
+ const X509_NAME *ca_x509_subject = NULL;
|
||||||
|
+ g_autofree gchar *ca_subject = NULL;
|
||||||
|
gint len = sk_X509_num(chain);
|
||||||
|
X509 *ca = NULL;
|
||||||
|
|
||||||
|
- g_assert(skid);
|
||||||
|
/* at least one root and one leaf certificate must be defined */
|
||||||
|
- g_assert(len >= 2);
|
||||||
|
+ if (len < 2) {
|
||||||
|
+ g_set_error(err, PV_CRYPTO_ERROR, PV_CRYPTO_ERROR_INTERNAL,
|
||||||
|
+ _("there must be at least on root and one leaf certificate in the chain of trust"));
|
||||||
|
+ return -1;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
/* get the root certificate of the chain of trust */
|
||||||
|
ca = sk_X509_value(chain, len - 1);
|
||||||
|
@@ -1316,19 +1308,21 @@ gint check_chain_parameters(const STACK_OF_X509 *chain,
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
|
||||||
|
- ca_skid = X509_get0_subject_key_id(ca);
|
||||||
|
- if (!ca_skid) {
|
||||||
|
- g_set_error(err, PV_CRYPTO_ERROR, PV_CRYPTO_ERROR_MALFORMED_ROOT_CA,
|
||||||
|
- _("malformed root certificate"));
|
||||||
|
+ ca_x509_subject = X509_get_subject_name(ca);
|
||||||
|
+ if (!ca_x509_subject) {
|
||||||
|
+ g_set_error(err, PV_CRYPTO_ERROR, PV_CRYPTO_ERROR_INTERNAL,
|
||||||
|
+ _("subject of the root CA cannot be retrieved"));
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
|
||||||
|
- if (ASN1_STRING_cmp(ca_skid, skid) != 0) {
|
||||||
|
- g_set_error(err, PV_CRYPTO_ERROR, PV_CRYPTO_ERROR_WRONG_CA_USED,
|
||||||
|
- _("expecting DigiCert root CA to be used"));
|
||||||
|
+ ca_subject = X509_NAME_oneline(ca_x509_subject, NULL, 0);
|
||||||
|
+ if (!ca_subject) {
|
||||||
|
+ g_set_error(err, PV_CRYPTO_ERROR, PV_CRYPTO_ERROR_INTERNAL,
|
||||||
|
+ _("subject name of the root CA cannot be retrieved"));
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ g_info("Root CA used: '%s'", ca_subject);
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
diff --git a/genprotimg/src/utils/crypto.h b/genprotimg/src/utils/crypto.h
|
||||||
|
index 3cda450..fdf66de 100644
|
||||||
|
--- a/genprotimg/src/utils/crypto.h
|
||||||
|
+++ b/genprotimg/src/utils/crypto.h
|
||||||
|
@@ -125,7 +125,6 @@ int check_crl_valid_for_cert(X509_CRL *crl, X509 *cert,
|
||||||
|
gint verify_flags, GError **err);
|
||||||
|
void pv_crypto_init(void);
|
||||||
|
void pv_crypto_cleanup(void);
|
||||||
|
-const ASN1_OCTET_STRING *get_digicert_assured_id_root_ca_skid(void);
|
||||||
|
gint verify_host_key(X509 *host_key, GSList *issuer_pairs,
|
||||||
|
gint verify_flags, int level, GError **err);
|
||||||
|
X509 *load_cert_from_file(const char *path, GError **err);
|
||||||
|
@@ -138,8 +137,7 @@ X509_STORE *store_setup(const gchar *root_ca_path,
|
||||||
|
int store_set_verify_param(X509_STORE *store, GError **err);
|
||||||
|
X509_CRL *load_crl_by_cert(X509 *cert, GError **err);
|
||||||
|
STACK_OF_X509_CRL *try_load_crls_by_certs(GSList *certs_with_path);
|
||||||
|
-gint check_chain_parameters(const STACK_OF_X509 *chain,
|
||||||
|
- const ASN1_OCTET_STRING *skid, GError **err);
|
||||||
|
+gint check_chain_parameters(const STACK_OF_X509 *chain, GError **err);
|
||||||
|
X509_NAME *c2b_name(const X509_NAME *name);
|
||||||
|
|
||||||
|
STACK_OF_X509 *delete_ibm_signing_certs(STACK_OF_X509 *certs);
|
||||||
|
--
|
||||||
|
2.37.1
|
||||||
|
|
||||||
|
|
||||||
|
From 666cd637519efad9b9c4ca68a5d99b86e92d48ff Mon Sep 17 00:00:00 2001
|
||||||
|
From: Viktor Mihajlovski <mihajlov@linux.ibm.com>
|
||||||
|
Date: Tue, 15 Mar 2022 12:55:02 +0100
|
||||||
|
Subject: [PATCH 2/5] genprotimg/check_hostkeydoc: relax default issuer check
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
|
||||||
|
While the original default issuer's organizationalUnitName (OU)
|
||||||
|
was defined as "IBM Z Host Key Signing Service", any OU ending
|
||||||
|
with "Key Signing Service" is considered legal.
|
||||||
|
|
||||||
|
Let's relax the default issuer check by stripping off characters
|
||||||
|
preceding "Key Signing Service".
|
||||||
|
|
||||||
|
Signed-off-by: Viktor Mihajlovski <mihajlov@linux.ibm.com>
|
||||||
|
Reviewed-by: Marc Hartmayer <mhartmay@linux.ibm.com>
|
||||||
|
Signed-off-by: Jan Höppner <hoeppner@linux.ibm.com>
|
||||||
|
(cherry picked from commit 673ff375d939d3cde674f8f99a62d456f8b1673d)
|
||||||
|
---
|
||||||
|
genprotimg/samples/check_hostkeydoc | 20 ++++++++++++++++----
|
||||||
|
1 file changed, 16 insertions(+), 4 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/genprotimg/samples/check_hostkeydoc b/genprotimg/samples/check_hostkeydoc
|
||||||
|
index a96576f..6a83739 100755
|
||||||
|
--- a/genprotimg/samples/check_hostkeydoc
|
||||||
|
+++ b/genprotimg/samples/check_hostkeydoc
|
||||||
|
@@ -23,6 +23,7 @@ BODY_FILE=$(mktemp)
|
||||||
|
ISSUER_DN_FILE=$(mktemp)
|
||||||
|
SUBJECT_DN_FILE=$(mktemp)
|
||||||
|
DEF_ISSUER_DN_FILE=$(mktemp)
|
||||||
|
+CANONICAL_ISSUER_DN_FILE=$(mktemp)
|
||||||
|
CRL_SERIAL_FILE=$(mktemp)
|
||||||
|
|
||||||
|
# Cleanup on exit
|
||||||
|
@@ -30,7 +31,7 @@ cleanup()
|
||||||
|
{
|
||||||
|
rm -f $ISSUER_PUBKEY_FILE $SIGNATURE_FILE $BODY_FILE \
|
||||||
|
$ISSUER_DN_FILE $SUBJECT_DN_FILE $DEF_ISSUER_DN_FILE \
|
||||||
|
- $CRL_SERIAL_FILE
|
||||||
|
+ $CANONICAL_ISSUER_DN_FILE $CRL_SERIAL_FILE
|
||||||
|
}
|
||||||
|
trap cleanup EXIT
|
||||||
|
|
||||||
|
@@ -121,20 +122,31 @@ default_issuer()
|
||||||
|
commonName = International Business Machines Corporation
|
||||||
|
countryName = US
|
||||||
|
localityName = Poughkeepsie
|
||||||
|
- organizationalUnitName = IBM Z Host Key Signing Service
|
||||||
|
+ organizationalUnitName = Key Signing Service
|
||||||
|
organizationName = International Business Machines Corporation
|
||||||
|
stateOrProvinceName = New York
|
||||||
|
EOF
|
||||||
|
}
|
||||||
|
|
||||||
|
-verify_issuer_files()
|
||||||
|
+# As organizationalUnitName can have an arbitrary prefix but must
|
||||||
|
+# end with "Key Signing Service" let's normalize the OU name by
|
||||||
|
+# stripping off the prefix
|
||||||
|
+verify_default_issuer()
|
||||||
|
{
|
||||||
|
default_issuer > $DEF_ISSUER_DN_FILE
|
||||||
|
|
||||||
|
- if ! diff $ISSUER_DN_FILE $DEF_ISSUER_DN_FILE
|
||||||
|
+ sed "s/\(^[ ]*organizationalUnitName[ ]*=[ ]*\).*\(Key Signing Service$\)/\1\2/" \
|
||||||
|
+ $ISSUER_DN_FILE > $CANONICAL_ISSUER_DN_FILE
|
||||||
|
+
|
||||||
|
+ if ! diff $CANONICAL_ISSUER_DN_FILE $DEF_ISSUER_DN_FILE
|
||||||
|
then
|
||||||
|
echo Incorrect default issuer >&2 && exit 1
|
||||||
|
fi
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+verify_issuer_files()
|
||||||
|
+{
|
||||||
|
+ verify_default_issuer
|
||||||
|
|
||||||
|
if diff $ISSUER_DN_FILE $SUBJECT_DN_FILE
|
||||||
|
then
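Review bot: After the `sed` normalisation in the new `verify_default_issuer`, the OU attribute no longer pins the issuer at all: any prefix before `Key Signing Service` is accepted, so only the remaining DN attributes (CN, O, C, L, ST) compared by the `diff` and whatever signature verification the rest of the script performs identify the issuer, and the comment above the function should state that explicitly, e.g. `# Note: after normalisation the OU no longer distinguishes issuers; CN/O/C/L/ST must still match the default issuer exactly.` The pattern's `[ ]*` matches only spaces and `Key Signing Service$` is anchored to end of line, so a tab-indented attribute or an OU with trailing whitespace would not be normalised and would fail the comparison; that is acceptable only if `$ISSUER_DN_FILE` is always produced by the script's own tooling, which is not visible in this hunk. `verify_issuer_files` continues past the end of the hunk.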
|
||||||
|
--
|
||||||
|
2.37.1
|
||||||
|
|
||||||
|
|
||||||
|
From b4dc45d6f3fff7c57fd5a97cdab357a842ef021e Mon Sep 17 00:00:00 2001
|
||||||
|
From: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||||
|
Date: Mon, 4 Apr 2022 16:38:41 +0200
|
||||||
|
Subject: [PATCH 3/5] libseckey: Fix re-enciphering of EP11 secure key
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
|
||||||
|
The re-enciphering of EP11 asymmetric secure keys does not work.
|
||||||
|
First, the result of the re-encipher operation of the private key
|
||||||
|
part must be copied back into the user supplied key token buffer.
|
||||||
|
Second, the public key part, i.e. the MACed SubjectPublicKeyInfo
|
||||||
|
(SPKI) structure must also be re-enciphered (i.e. re-MACed), since
|
||||||
|
the MAC is calculated with the EP11 master key.
|
||||||
|
|
||||||
|
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||||
|
Signed-off-by: Jan Höppner <hoeppner@linux.ibm.com>
|
||||||
|
(cherry picked from commit 4e2ebe0370d9fb036b7554d5ac5df4418dbe0397)
|
||||||
|
---
|
||||||
|
libseckey/sk_ep11.c | 53 +++++++++++++++++++++++++++++++++++++++++++++
|
||||||
|
1 file changed, 53 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/libseckey/sk_ep11.c b/libseckey/sk_ep11.c
|
||||||
|
index b867626..e3bd3c9 100644
|
||||||
|
--- a/libseckey/sk_ep11.c
|
||||||
|
+++ b/libseckey/sk_ep11.c
|
||||||
|
@@ -1549,6 +1549,59 @@ int SK_EP11_reencipher_key(const struct sk_ext_ep11_lib *ep11_lib,
|
||||||
|
return -EIO;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ memcpy(blob, lrb.payload, lrb.pllen);
|
||||||
|
+
|
||||||
|
+ /* re-encipher MACed SPKI */
|
||||||
|
+ rb.domain = domain;
|
||||||
|
+ lrb.domain = domain;
|
||||||
|
+
|
||||||
|
+ resp_len = sizeof(resp);
|
||||||
|
+ req_len = ep11.dll_xcpa_cmdblock(req, sizeof(req), XCP_ADM_REENCRYPT,
|
||||||
|
+ &rb, NULL, key_token + hdr->len,
|
||||||
|
+ key_token_length - hdr->len);
|
||||||
|
+ if (req_len < 0) {
|
||||||
|
+ sk_debug(debug, "Failed to build XCP command block");
|
||||||
|
+ return -EIO;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ rv = ep11.dll_m_admin(resp, &resp_len, NULL, NULL, req, req_len, NULL,
|
||||||
|
+ 0, ep11_lib->target);
|
||||||
|
+ if (rv != CKR_OK || resp_len == 0) {
|
||||||
|
+ sk_debug(debug, "Command XCP_ADM_REENCRYPT failed. "
|
||||||
|
+ "rc = 0x%lx, resp_len = %ld", rv, resp_len);
|
||||||
|
+ return -EIO;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ rc = ep11.dll_xcpa_internal_rv(resp, resp_len, &lrb, &rv);
|
||||||
|
+ if (rc != 0) {
|
||||||
|
+ sk_debug(debug, "Failed to parse response. rc = %d", rc);
|
||||||
|
+ return -EIO;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (rv != CKR_OK) {
|
||||||
|
+ sk_debug(debug, "Failed to re-encrypt the EP11 secure key. "
|
||||||
|
+ "rc = 0x%lx", rv);
|
||||||
|
+ switch (rv) {
|
||||||
|
+ case CKR_IBM_WKID_MISMATCH:
|
||||||
|
+ sk_debug(debug, "The EP11 secure key is currently "
|
||||||
|
+ "encrypted under a different master that does "
|
||||||
|
+ "not match the master key in the CURRENT "
|
||||||
|
+ "master key register of APQN %02X.%04X",
|
||||||
|
+ card, domain);
|
||||||
|
+ break;
|
||||||
|
+ }
|
||||||
|
+ return -EIO;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (key_token_length - hdr->len != lrb.pllen) {
|
||||||
|
+ sk_debug(debug, "Re-encrypted EP11 secure key size has "
|
||||||
|
+ "changed: org-len: %lu, new-len: %lu",
|
||||||
|
+ hdr->len - sizeof(*hdr), lrb.pllen);
|
||||||
|
+ return -EIO;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ memcpy(key_token + hdr->len, lrb.payload, lrb.pllen);
|
||||||
|
+
|
||||||
|
return 0;
|
||||||
|
}
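Review bot: The size-mismatch path introduced for the SPKI step compares `key_token_length - hdr->len` with `lrb.pllen` but logs `hdr->len - sizeof(*hdr)` as org-len, which is a different quantity (apparently the private-key part's length); the message should print what was actually checked, `key_token_length - hdr->len, lrb.pllen`, so the diagnostic is not misleading. A second concern is that `memcpy(blob, lrb.payload, lrb.pllen)` writes the re-enciphered private part into what appears to be the caller's token before the SPKI re-MAC is even attempted, so every `return -EIO` after it leaves a token whose private part is wrapped under the new master key while its SPKI is still MACed under the old one; either keep the first payload in a local buffer and copy both parts only once the SPKI step has succeeded, or document in the function's header comment that a failure may leave the token partially re-enciphered. Whether `hdr->len <= key_token_length` has been validated earlier is not visible here because `SK_EP11_reencipher_key` starts before the hunk; if it has not, the subtraction can underflow and the command block would be built from a bogus length.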
|
||||||
|
|
||||||
|
--
|
||||||
|
2.37.1
|
||||||
|
|
||||||
|
|
||||||
|
From bf4d971adb286fc42f6f5bcb45b6fb484eb9519b Mon Sep 17 00:00:00 2001
|
||||||
|
From: Mete Durlu <meted@linux.ibm.com>
|
||||||
|
Date: Fri, 10 Jun 2022 10:13:33 +0200
|
||||||
|
Subject: [PATCH 4/5] hyptop: increase initial update interval
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
|
||||||
|
Increase initial update interval from 200ms to 1 seconds to avoid
|
||||||
|
fluctuations on the initial data output.
|
||||||
|
|
||||||
|
Signed-off-by: Mete Durlu <meted@linux.ibm.com>
|
||||||
|
Signed-off-by: Jan Höppner <hoeppner@linux.ibm.com>
|
||||||
|
(cherry picked from commit 80e54ac888d6232d99a485c74071fc2173f3dfbf)
|
||||||
|
---
|
||||||
|
hyptop/sd.h | 2 +-
|
||||||
|
hyptop/sd_core.c | 2 +-
|
||||||
|
2 files changed, 2 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/hyptop/sd.h b/hyptop/sd.h
|
||||||
|
index 9ba3192..1aed707 100644
|
||||||
|
--- a/hyptop/sd.h
|
||||||
|
+++ b/hyptop/sd.h
|
||||||
|
@@ -17,7 +17,7 @@
|
||||||
|
#include "helper.h"
|
||||||
|
#include "table.h"
|
||||||
|
|
||||||
|
-#define SD_DG_INIT_INTERVAL_MS 200
|
||||||
|
+#define SD_DG_INIT_INTERVAL_SEC 1
|
||||||
|
#define SD_SYS_ID_SIZE 9
|
||||||
|
|
||||||
|
/*
|
||||||
|
diff --git a/hyptop/sd_core.c b/hyptop/sd_core.c
|
||||||
|
index f1cb631..47b5b59 100644
|
||||||
|
--- a/hyptop/sd_core.c
|
||||||
|
+++ b/hyptop/sd_core.c
|
||||||
|
@@ -150,7 +150,7 @@ void sd_update(void)
|
||||||
|
*/
|
||||||
|
void sd_dg_register(struct sd_dg *dg, int has_core_data)
|
||||||
|
{
|
||||||
|
- struct timespec ts = {0, SD_DG_INIT_INTERVAL_MS * 1000000};
|
||||||
|
+ struct timespec ts = {SD_DG_INIT_INTERVAL_SEC, 0};
|
||||||
|
struct sd_sys_item *sys_item;
|
||||||
|
struct sd_cpu_item *cpu_item;
|
||||||
|
unsigned int i;
|
||||||
|
--
|
||||||
|
2.37.1
|
||||||
|
|
||||||
|
|
||||||
|
From 0c7fa7ed53e0187ea9d89f05299f17378daf046e Mon Sep 17 00:00:00 2001
|
||||||
|
From: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||||
|
Date: Thu, 12 May 2022 11:06:16 +0200
|
||||||
|
Subject: [PATCH 5/5] libseckey: Adapt keymgmt_match() implementation to
|
||||||
|
OpenSSL
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
|
||||||
|
OpenSSL commit ee22a3741e3fc27c981e7f7e9bcb8d3342b0c65a changed the
|
||||||
|
OpenSSL provider's keymgmt_match() function to be not so strict with
|
||||||
|
the selector bits in regards to matching different key parts.
|
||||||
|
|
||||||
|
Adapt the secure key provider's match function accordingly.
|
||||||
|
This means, that if the public key is selected to be matched, and
|
||||||
|
the public key matches (together with any also selected parameters),
|
||||||
|
then the private key is no longer checked, although it may also be
|
||||||
|
selected to be matched. This is according to how the OpenSSL function
|
||||||
|
EVP_PKEY_eq() is supposed to behave.
|
||||||
|
|
||||||
|
OpenSSL function SSL_CTX_use_PrivateKey() calls the providers match
|
||||||
|
function to check if the private key specified matches the public key
|
||||||
|
of the certificate using EVP_PKEY_eq(). EVP_PKEY_eq() includes the
|
||||||
|
private key into the selector bits here, although the certificate
|
||||||
|
only contains the public key part.
|
||||||
|
|
||||||
|
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
||||||
|
Signed-off-by: Jan Höppner <hoeppner@linux.ibm.com>
|
||||||
|
(cherry picked from commit 6c5c5f7e558c114ddaa475e96c9ec708049aa423)
|
||||||
|
---
|
||||||
|
libseckey/sk_provider.c | 18 ++++++++++++++----
|
||||||
|
1 file changed, 14 insertions(+), 4 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/libseckey/sk_provider.c b/libseckey/sk_provider.c
|
||||||
|
index 10f56c0..0abe99d 100644
|
||||||
|
--- a/libseckey/sk_provider.c
|
||||||
|
+++ b/libseckey/sk_provider.c
|
||||||
|
@@ -2216,13 +2216,23 @@ static int sk_prov_keymgmt_match(const struct sk_prov_key *key1,
|
||||||
|
|
||||||
|
if (key1->type != key2->type)
|
||||||
|
return 0;
|
||||||
|
+
|
||||||
|
+ if (selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) {
|
||||||
|
+ /* match everything except private key */
|
||||||
|
+ return default_match_fn(key1->default_key, key2->default_key,
|
||||||
|
+ selection &
|
||||||
|
+ (~OSSL_KEYMGMT_SELECT_PRIVATE_KEY));
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
if (selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) {
|
||||||
|
if (key1->secure_key_size != key2->secure_key_size)
|
||||||
|
return 0;
|
||||||
|
- if (key1->secure_key_size > 0 &&
|
||||||
|
- memcmp(key1->secure_key, key2->secure_key,
|
||||||
|
- key1->secure_key_size) != 0)
|
||||||
|
- return 0;
|
||||||
|
+ if (key1->secure_key_size > 0) {
|
||||||
|
+ if (memcmp(key1->secure_key, key2->secure_key,
|
||||||
|
+ key1->secure_key_size) != 0)
|
||||||
|
+ return 0;
|
||||||
|
+ selection &= (~OSSL_KEYMGMT_SELECT_PRIVATE_KEY);
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
|
||||||
|
return default_match_fn(key1->default_key, key2->default_key,
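Review bot: The early return in the new `if (selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY)` branch silently skips the secure-key `memcmp` even when the caller also selected the private key, and the only record of why is the commit message; the one-line comment should carry the rationale, e.g. `/* Per OpenSSL's EVP_PKEY_eq() semantics a matching public key (plus selected params) is sufficient; the secure key blob is deliberately not compared even if PRIVATE_KEY is also selected. */`. Worth stating there too is the consequence that, if `default_match_fn` compares only the public part, two tokens wrapping the same key under different master keys now match when the public key is selected, which is what `SSL_CTX_use_PrivateKey()` needs but may surprise callers that relied on the blob comparison. The function's trailing `return default_match_fn(...)` continues outside the hunk.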
|
||||||
|
--
|
||||||
|
2.37.1
|
||||||
|
|
@ -1,12 +0,0 @@
|
|||||||
diff -up s390-tools-2.2.0/src_vipa-2.1.0/Makefile.orig s390-tools-2.2.0/src_vipa-2.1.0/Makefile
|
|
||||||
--- s390-tools-2.2.0/src_vipa-2.1.0/Makefile.orig 2020-02-21 13:51:23.502305796 +0100
|
|
||||||
+++ s390-tools-2.2.0/src_vipa-2.1.0/Makefile 2020-02-21 13:53:51.353817181 +0100
|
|
||||||
@@ -44,6 +44,8 @@ src_vipa.sh:
|
|
||||||
echo '#!/bin/bash' > src_vipa.sh
|
|
||||||
echo 'export LD_LIBRARY_PATH=$(LIBDIR):$$LD_LIBRARY_PATH' >> src_vipa.sh
|
|
||||||
echo 'export LD_PRELOAD=$(LIBDIR)/src_vipa.so' >> src_vipa.sh
|
|
||||||
+ echo 'echo "WARNING: The src_vipa (flexible source address selection) feature is DEPRECATED"' >> src_vipa.sh
|
|
||||||
+ echo 'echo "WARNING: It will be removed in the future."' >> src_vipa.sh
|
|
||||||
echo 'exec $$@' >> src_vipa.sh
|
|
||||||
chmod 755 src_vipa.sh
|
|
||||||
|
|