29 changed files with 7325 additions and 537 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,2 +1,4 @@
-/s390-tools-*.tar.gz
+SOURCES/cmsfs-1.1.8c.tar.gz
-/s390-tools-*-rust-vendor.tar.xz
+SOURCES/s390-tools-2.29.0-rust-vendor.tar.xz
 SOURCES/s390-tools-2.29.0.tar.gz
 SOURCES/src_vipa-2.1.0.tar.gz
--- a/.s390utils.metadata
+++ b/.s390utils.metadata
@ -0,0 +1,4 @@
 9c9a4e89bddb2b4e6e09ef6fc7c2e6f2ad6316de SOURCES/cmsfs-1.1.8c.tar.gz
 1dcae3e55c2d4d945d0b5c61a12671468aa5f7ef SOURCES/s390-tools-2.29.0-rust-vendor.tar.xz
 e10ffbde7f3fcf4438fdfdd83051ad68518e7be5 SOURCES/s390-tools-2.29.0.tar.gz
 8ed8592a0a9370ce8422df9231ccb17f6cf49bed SOURCES/src_vipa-2.1.0.tar.gz
--- a/SOURCES/00-zipl-prepare.install
+++ b/SOURCES/00-zipl-prepare.install
@ -0,0 +1,9 @@
 #!/bin/bash
 COMMAND="$1"
 KERNEL_VERSION="$2"
 BOOT_DIR_ABS="$3"
 KERNEL_IMAGE="$4"
 # Remove it, since for zipl the images are always installed in /boot
 rm -rf "${BOOT_DIR_ABS%/*}"
--- a/SOURCES/20-zipl-kernel.install
+++ b/SOURCES/20-zipl-kernel.install
--- a/SOURCES/52-zipl-rescue.install
+++ b/SOURCES/52-zipl-rescue.install
--- a/SOURCES/91-zipl.install
+++ b/SOURCES/91-zipl.install
--- a/SOURCES/ccw.udev
+++ b/SOURCES/ccw.udev
@ -0,0 +1,13 @@
 ACTION!="add|change", GOTO="ccw_end"
 SUBSYSTEM!="ccw", GOTO="ccw_end"
 ATTRS{cutype}=="1731/01", RUN+="ccw_init"
 ATTRS{cutype}=="1731/02", RUN+="ccw_init"
 ATTRS{cutype}=="1731/05", RUN+="ccw_init"
 ATTRS{cutype}=="1731/06", RUN+="ccw_init"
 ATTRS{cutype}=="3088/01", RUN+="ccw_init"
 ATTRS{cutype}=="3088/08", RUN+="ccw_init"
 ATTRS{cutype}=="3088/60", RUN+="ccw_init"
 ATTRS{cutype}=="3088/61", RUN+="ccw_init"
 ATTRS{cutype}=="3088/1e", RUN+="ccw_init"
 ATTRS{cutype}=="3088/1f", RUN+="ccw_init"
 LABEL="ccw_end"
--- a/SOURCES/ccw_init
+++ b/SOURCES/ccw_init
--- a/SOURCES/cmsfs-1.1.8-args.patch
+++ b/SOURCES/cmsfs-1.1.8-args.patch
@ -0,0 +1,12 @@
 diff -up cmsfs-1.1.8c/cmsfslst.c.orig cmsfs-1.1.8c/cmsfslst.c
 --- cmsfs-1.1.8c/cmsfslst.c.orig	2020-08-19 09:47:36.459063820 +0000
 +++ cmsfs-1.1.8c/cmsfslst.c	2020-08-19 09:47:45.619063820 +0000
@@ -49,7 +49,7 @@ int main(int argc,unsigned char *argv[])
       }
     /*  sanity check  */
 -    if (*devname == 0x00)
 +    if ((devname == NULL) || (*devname == 0x00))
       {
         (void) fprintf(stderr,"Please specify a CMS volume.\n");
         (void) fprintf(stderr,USAGE,argv[0]);
--- a/SOURCES/cmsfs-1.1.8-kernel26.patch
+++ b/SOURCES/cmsfs-1.1.8-kernel26.patch
@ -0,0 +1,12 @@
 diff -urN cmsfs-1.1.8/cmsfssed.sh cmsfs-1.1.8_/cmsfssed.sh
 --- cmsfs-1.1.8/cmsfssed.sh	2003-02-28 17:52:59.000000000 -0500
 +++ cmsfs-1.1.8_/cmsfssed.sh	2004-05-28 16:36:22.000000000 -0400
@@ -85,7 +85,7 @@
         DRIVER_SOURCE="cmsfs22x.c"
         MODULES_DIRECTORY="/lib/modules/`uname -r`/fs"
         ;;
 -    2.4*|2.5*)
 +    2.4*|2.5*|2.6*|3.*|4.*)
         LINUX_RELEASE="2.4"
 #       ln -s cmsfs24x.c cmsfsvfs.c
         INCLUDES="-I/lib/modules/`uname -r`/build/include"
--- a/SOURCES/cmsfs-1.1.8-use-detected-filesystem-block-size-on-FBA-devices.patch
+++ b/SOURCES/cmsfs-1.1.8-use-detected-filesystem-block-size-on-FBA-devices.patch
@ -0,0 +1,31 @@
 From 25442f958a12b428b7d063b927ac48965dcd8164 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Dan=20Hor=C3=A1k?= <dan@danny.cz>
 Date: Fri, 28 Jan 2011 16:11:19 +0100
 Subject: [PATCH] use detected filesystem block size on FBA devices
 If a FBA device is not properly formated, then the CMS file system can
 have a different block size. The cmsfs tools were able to detect the file
 system block size, but in fact they still used default 512 instead. And
 using the default was causing crashes. Now the detected value is used.
 https://bugzilla.redhat.com/show_bug.cgi?id=651012
 ---
 cmsfsany.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)
 diff --git a/cmsfsany.c b/cmsfsany.c
 index 55bcfdc..18efffb 100644
 --- a/cmsfsany.c
 +++ b/cmsfsany.c
@@ -102,7 +102,7 @@ int cmsfs_find_label(struct CMSSUPER *vol,struct CMSFSADT *adt)
             cmsfs_error(cmsfs_ermsg);
           }
         vol->flags = CMSFSFBA;
 -        vol->blksz = 512;
 +        vol->blksz = blksz;
         return vol->blksz;
       } }
 -- 
 1.7.3.5
--- a/SOURCES/cmsfs-1.1.8-warnings.patch
+++ b/SOURCES/cmsfs-1.1.8-warnings.patch
@ -0,0 +1,11 @@
 --- cmsfs-1.1.8/cmsfsvol.c.warnings	2003-07-18 01:38:57.000000000 +0200
 +++ cmsfs-1.1.8/cmsfsvol.c	2005-09-06 16:57:15.000000000 +0200
@@ -52,7 +52,7 @@
     /*  print a header;  looks like CMS  */
     (void) printf("LABEL  VDEV M  STAT   CYL TYPE \
 -BLKSZ   FILES  BLKS USED-(%) BLKS LEFT  BLK TOTAL\n");
 +BLKSZ   FILES  BLKS USED-(%%) BLKS LEFT  BLK TOTAL\n");
     for (      ; i < argc ; i++)
       {
--- a/SOURCES/dasd.udev
+++ b/SOURCES/dasd.udev
--- a/SOURCES/dasdconf.sh
+++ b/SOURCES/dasdconf.sh
--- a/SOURCES/device_cio_free
+++ b/SOURCES/device_cio_free
--- a/SOURCES/device_cio_free.service
+++ b/SOURCES/device_cio_free.service
@ -7,6 +7,7 @@ Before=sysinit.target systemd-udev-trigger.service
 Type=oneshot
 RemainAfterExit=yes
 ExecStart=/usr/sbin/device_cio_free
 StandardOutput=syslog
 [Install]
 WantedBy=sysinit.target
--- a/SOURCES/normalize_dasd_arg
+++ b/SOURCES/normalize_dasd_arg
--- a/SOURCES/s390-tools-zipl-blscfg-rpm-nvr-sort.patch
+++ b/SOURCES/s390-tools-zipl-blscfg-rpm-nvr-sort.patch
--- a/SOURCES/s390-tools-zipl-invert-script-options.patch
+++ b/SOURCES/s390-tools-zipl-invert-script-options.patch
--- a/SOURCES/s390utils-2.29.0-rhel.patch
+++ b/SOURCES/s390utils-2.29.0-rhel.patch
--- a/SOURCES/src_vipa-2.1.0-deprecate.patch
+++ b/SOURCES/src_vipa-2.1.0-deprecate.patch
@ -0,0 +1,12 @@
 diff -up s390-tools-2.2.0/src_vipa-2.1.0/Makefile.orig s390-tools-2.2.0/src_vipa-2.1.0/Makefile
 --- s390-tools-2.2.0/src_vipa-2.1.0/Makefile.orig	2020-02-21 13:51:23.502305796 +0100
 +++ s390-tools-2.2.0/src_vipa-2.1.0/Makefile	2020-02-21 13:53:51.353817181 +0100
@@ -44,6 +44,8 @@ src_vipa.sh:
 	echo '#!/bin/bash' > src_vipa.sh
 	echo 'export LD_LIBRARY_PATH=$(LIBDIR):$$LD_LIBRARY_PATH' >> src_vipa.sh
 	echo 'export LD_PRELOAD=$(LIBDIR)/src_vipa.so' >> src_vipa.sh
 +	echo 'echo "WARNING: The src_vipa (flexible source address selection) feature is DEPRECATED"' >> src_vipa.sh
 +	echo 'echo "WARNING: It will be removed in the future."' >> src_vipa.sh
 	echo 'exec $$@' >> src_vipa.sh
 	chmod 755 src_vipa.sh
--- a/SOURCES/zfcp.udev
+++ b/SOURCES/zfcp.udev
--- a/SOURCES/zfcpconf.sh
+++ b/SOURCES/zfcpconf.sh
--- a/SPECS/s390utils.spec
+++ b/SPECS/s390utils.spec
--- a/ccw.udev
+++ b/ccw.udev
@ -1,4 +0,0 @@
 ACTION!="add|bind|change", GOTO="ccw_end"
 SUBSYSTEM!="ccw", GOTO="ccw_end"
 DRIVER=="ctcm|lcs|qeth", RUN+="ccw_init"
 LABEL="ccw_end"
--- a/gating.yaml
+++ b/gating.yaml
@ -1,6 +0,0 @@
 --- !Policy
 product_versions:
  - rhel-9
 decision_context: osci_compose_gate
 rules:
  - !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier1.functional}
--- a/rpminspect.yaml
+++ b/rpminspect.yaml
@ -1,9 +0,0 @@
 ---
 pathmigration:
    excluded_paths:
        - /lib/s390-tools
 badfuncs:
    allowed:
        /usr/sbin/qethqoat:
            - inet_ntoa
--- a/s390utils-2.38.0-rhel.patch
+++ b/s390utils-2.38.0-rhel.patch
@ -1,167 +0,0 @@
 From 022b0c3bbe1d55a4d4fe65438d5b7c647f799e74 Mon Sep 17 00:00:00 2001
 From: Shalini Chellathurai Saroja <shalini@linux.ibm.com>
 Date: Fri, 16 May 2025 16:47:24 +0200
 Subject: [PATCH] cpi: Disable CPI for SEL guests by default (RHEL-76931)
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 The cpictl utility sends control-program identification data
 from protected virtualization guests to hosts by default.
 This behaviour leaks the below potentially sensitive
 information to untrusted hosts.
 - system_type
 - system_level
 - sysplex_name
 - system_name
 To prevent this behaviour, enhance the cpictl utility to stop
 setting CPI information on protected virtualization guests by
 default. If the user chooses to set the CPI information, it
 could be set by one of the below options
 - use the command line option --permit-cpi
 - set the environment variable CPI_PERMIT_ON_PVGUEST to 1 to
 control the CPI service behaviour during boot
 Signed-off-by: Hendrik Brueckner <brueckner@linux.ibm.com>
 Signed-off-by: Shalini Chellathurai Saroja <shalini@linux.ibm.com>
 Reviewed-by: Jan Höppner <hoeppner@linux.ibm.com>
 Reviewed-by: Peter Oberparleiter <oberpar@linux.ibm.com>
 Reviewed-by: Hendrik Brueckner <brueckner@linux.ibm.com>
 Signed-off-by: Jan Höppner <hoeppner@linux.ibm.com>
 (cherry picked from commit ce9c518b977925cc4c9eb92a3e508762fd57f551)
 ---
 etc/sysconfig/cpi      | 14 ++++++++++++++
 scripts/cpictl         | 39 +++++++++++++++++++++++++++++++++++++--
 systemd/cpi.service.in |  1 +
 3 files changed, 52 insertions(+), 2 deletions(-)
 diff --git a/etc/sysconfig/cpi b/etc/sysconfig/cpi
 index 866b589..78eb632 100644
 --- a/etc/sysconfig/cpi
 +++ b/etc/sysconfig/cpi
@@ -18,3 +18,17 @@ CPI_SYSTEM_NAME=""
 # CPI sysplex name
 #
 CPI_SYSPLEX_NAME=""
 +
 +#
 +# CPI permit on protected virtualization guests
 +#
 +# Important: Set CPI_PERMIT_ON_PVGUEST=1 only if you trust the host system.
 +# Enabling these options allows the host to receive potentially sensitive
 +# Control-Program Identification (CPI) data from the protected virtualization
 +# guest, including:
 +# - system_type
 +# - system_level
 +# - sysplex_name
 +# - system_name
 +#
 +CPI_PERMIT_ON_PVGUEST=
 diff --git a/scripts/cpictl b/scripts/cpictl
 index 16cadde..6096a67 100755
 --- a/scripts/cpictl
 +++ b/scripts/cpictl
@@ -32,6 +32,9 @@ declare TYPE
 declare NAME
 declare SYSPLEX
 +declare PV_GUEST
 +declare -i CPI_PERMIT="$CPI_PERMIT_ON_PVGUEST"
 +
 declare -i DRYRUN=0
 # Exit codes
@@ -40,6 +43,7 @@ readonly EXIT_FAILURE=1
 readonly EXIT_ARG_TOO_LONG=3
 readonly EXIT_INVALID_CHARS=4
 readonly EXIT_INVALID_ARGS=5
 +readonly EXIT_NO_PERMIT_CPI=6
 # Distro-IDs as supported by SE/HMC firmware
 readonly DISTRO_GENERIC=0
@@ -69,6 +73,10 @@ Configure the Control-Program-Information (CPI) settings.
   -S, --sysplex SYSPLEX  Set and commit the sysplex name to SYSPLEX
   -T, --type TYPE        Set and commit OS type to TYPE
   -v, --version          Print version information, then exit
 +  --permit-cpi           Permit to send Control-Program Identification data of
 +                         protected virtualization guest to the host (must be
 +                         specified before any commit option). See also the
 +                         important note.
   --commit               Ignore all other options and commit any uncommitted
                          values
   --dry-run              Do not actually set or commit anything, but show what
@@ -77,7 +85,17 @@ Configure the Control-Program-Information (CPI) settings.
                          uncommitted) values
 Environment variables used for the --defaults option:
 -  CPI_SYSTEM_TYPE, CPI_SYSTEM_LEVEL, CPI_SYSTEM_NAME, CPI_SYSPLEX_NAME
 +  CPI_SYSTEM_TYPE, CPI_SYSTEM_LEVEL, CPI_SYSTEM_NAME, CPI_SYSPLEX_NAME,
 +  CPI_PERMIT_ON_PVGUEST (See also the important note.)
 +
 +Important: Set CPI_PERMIT_ON_PVGUEST=1 or use --permit_cpi option only if you
 +trust the host system. Enabling these options allows the host to receive
 +potentially sensitive Control-Program Identification (CPI) data from the
 +protected virtualization guest, including:
 +- system_type
 +- system_level
 +- sysplex_name
 +- system_name
 Available bits for the --set-bit option:
   kvm: Indicate that system is a KVM host
@@ -124,6 +142,19 @@ fail_with()
 cpi_commit()
 {
 +	# Commit Control-Program Identification changes on protected
 +	# virtualization guests only if it is permitted by the guest. This
 +	# prevents leakage of potentially sensitive information to untrusted
 +	# hosts.
 +	if [[ -f "/sys/firmware/uv/prot_virt_guest" ]]; then
 +		read -r PV_GUEST < "/sys/firmware/uv/prot_virt_guest"
 +		if [[ "$PV_GUEST" -eq 1 ]]; then
 +			if [[ -z "$CPI_PERMIT" ]] || [[ "$CPI_PERMIT" -ne 1 ]]; then
 +				echo "Sending CPI data from secure execution Linux guests is disabled. Use --permit-cpi to enable CPI data." >&2
 +				exit "$EXIT_NO_PERMIT_CPI"
 +			fi
 +		fi
 +	fi
 	echo 1 > "$CPI_SET" 2> /dev/null
 }
@@ -404,7 +435,7 @@ if [ $# -le 0 ]; then
 	print_parse_error_and_exit
 fi
 -opts=$(getopt -o b:ehL:N:S:T:v -l set-bit:,environment,help,level:,name:,sysplex:,type:,commit,dry-run,show,version -n $PRG -- "$@")
 +opts=$(getopt -o b:ehL:N:S:T:v -l set-bit:,environment,help,level:,name:,sysplex:,type:,commit,dry-run,permit-cpi,show,version -n "$PRG" -- "$@")
 if [ $? -ne 0 ]; then
 	print_parse_error_and_exit
 fi
@@ -473,6 +504,10 @@ while [ -n $1 ]; do
 		cpi_show
 		exit $EXIT_SUCCESS
 		;;
 +	--permit-cpi)
 +		CPI_PERMIT=1
 +		shift
 +		;;
 	--commit)
 		cpi_commit
 		exit $EXIT_SUCCESS
 diff --git a/systemd/cpi.service.in b/systemd/cpi.service.in
 index 3976f68..ca21a8b 100644
 --- a/systemd/cpi.service.in
 +++ b/systemd/cpi.service.in
@@ -37,6 +37,7 @@ EnvironmentFile=@sysconf_path@/sysconfig/cpi
 # Environment=CPI_SYSPLEX_NAME=
 # Environment=CPI_SYSTEM_LEVEL=
 # Environment=CPI_SYSTEM_TYPE=LINUX
 +# Environment=CPI_PERMIT_ON_PVGUEST=
 #
 # Sending data to the HMC/SE
 -- 
 2.50.1
--- a/2
+++ b/2
@ -1,2 +0,0 @@
 SHA512 (s390-tools-2.38.0.tar.gz) = 9ca9393e9deeab5c1df5e9eaa3c12e340917ffd5fe07d9a09087d6488d8e2ec0a136805650830d128595854b818a1da94151003e15954e556ba373b226a7369e
 SHA512 (s390-tools-2.38.0-rust-vendor.tar.xz) = c55d2870ad9f90333de2536e7921951185746f0972d5d488bf317b56e754525e4dbd0f63d547229197199b51d41b7032172b6ba7ffacd9a96a01dbd13b9c4d9e
		`@ -1,2 +0,0 @@`
			`SHA512 (s390-tools-2.38.0.tar.gz) = 9ca9393e9deeab5c1df5e9eaa3c12e340917ffd5fe07d9a09087d6488d8e2ec0a136805650830d128595854b818a1da94151003e15954e556ba373b226a7369e`
			`SHA512 (s390-tools-2.38.0-rust-vendor.tar.xz) = c55d2870ad9f90333de2536e7921951185746f0972d5d488bf317b56e754525e4dbd0f63d547229197199b51d41b7032172b6ba7ffacd9a96a01dbd13b9c4d9e`