.gitignore

@@ -1 +1,4 @@
-SOURCES/s390-tools-2.19.0.tar.gz
+SOURCES/cmsfs-1.1.8c.tar.gz
+SOURCES/s390-tools-2.29.0-rust-vendor.tar.xz
+SOURCES/s390-tools-2.29.0.tar.gz
+SOURCES/src_vipa-2.1.0.tar.gz

.s390utils.metadata

@@ -1 +0,0 @@
-5b4eeed3868297ca65b7d5720484786172dc11d1 SOURCES/s390-tools-2.19.0.tar.gz

SOURCES/00-zipl-prepare.install

@@ -0,0 +1,9 @@
+#!/bin/bash
+
+COMMAND="$1"
+KERNEL_VERSION="$2"
+BOOT_DIR_ABS="$3"
+KERNEL_IMAGE="$4"
+
+# Remove it, since for zipl the images are always installed in /boot
+rm -rf "${BOOT_DIR_ABS%/*}"

SOURCES/ccw.udev

@@ -1,4 +1,13 @@
-ACTION!="add|bind|change", GOTO="ccw_end"
+ACTION!="add|change", GOTO="ccw_end"
 SUBSYSTEM!="ccw", GOTO="ccw_end"
-DRIVER=="ctcm|lcs|qeth", RUN+="ccw_init"
+ATTRS{cutype}=="1731/01", RUN+="ccw_init"
+ATTRS{cutype}=="1731/02", RUN+="ccw_init"
+ATTRS{cutype}=="1731/05", RUN+="ccw_init"
+ATTRS{cutype}=="1731/06", RUN+="ccw_init"
+ATTRS{cutype}=="3088/01", RUN+="ccw_init"
+ATTRS{cutype}=="3088/08", RUN+="ccw_init"
+ATTRS{cutype}=="3088/60", RUN+="ccw_init"
+ATTRS{cutype}=="3088/61", RUN+="ccw_init"
+ATTRS{cutype}=="3088/1e", RUN+="ccw_init"
+ATTRS{cutype}=="3088/1f", RUN+="ccw_init"
 LABEL="ccw_end"

SOURCES/cmsfs-1.1.8-args.patch

@@ -0,0 +1,12 @@
+diff -up cmsfs-1.1.8c/cmsfslst.c.orig cmsfs-1.1.8c/cmsfslst.c
+--- cmsfs-1.1.8c/cmsfslst.c.orig	2020-08-19 09:47:36.459063820 +0000
++++ cmsfs-1.1.8c/cmsfslst.c	2020-08-19 09:47:45.619063820 +0000
+@@ -49,7 +49,7 @@ int main(int argc,unsigned char *argv[])
+       }
+ 
+     /*  sanity check  */
+-    if (*devname == 0x00)
++    if ((devname == NULL) || (*devname == 0x00))
+       {
+         (void) fprintf(stderr,"Please specify a CMS volume.\n");
+         (void) fprintf(stderr,USAGE,argv[0]);

SOURCES/cmsfs-1.1.8-kernel26.patch

@@ -0,0 +1,12 @@
+diff -aruN cmsfs-1.1.8c/cmsfssed.sh cmsfs-1.1.8c.alma/cmsfssed.sh
+--- cmsfs-1.1.8c/cmsfssed.sh	2006-01-29 07:04:32
++++ cmsfs-1.1.8c.alma/cmsfssed.sh	2023-11-01 10:57:10
+@@ -85,7 +85,7 @@
+         DRIVER_SOURCE="cmsfs22x.c"
+         MODULES_DIRECTORY="/lib/modules/`uname -r`/fs"
+         ;;
+-    2.4*|2.5*)
++    2.4*|2.5*|2.6*|3.*|4.*|5.*)
+         LINUX_RELEASE="2.4"
+ #       ln -s cmsfs24x.c cmsfsvfs.c
+         INCLUDES="-I/lib/modules/`uname -r`/build/include"

SOURCES/cmsfs-1.1.8-use-detected-filesystem-block-size-on-FBA-devices.patch

@@ -0,0 +1,31 @@
+From 25442f958a12b428b7d063b927ac48965dcd8164 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Dan=20Hor=C3=A1k?= <dan@danny.cz>
+Date: Fri, 28 Jan 2011 16:11:19 +0100
+Subject: [PATCH] use detected filesystem block size on FBA devices
+
+If a FBA device is not properly formated, then the CMS file system can
+have a different block size. The cmsfs tools were able to detect the file
+system block size, but in fact they still used default 512 instead. And
+using the default was causing crashes. Now the detected value is used.
+
+https://bugzilla.redhat.com/show_bug.cgi?id=651012
+---
+ cmsfsany.c |    2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/cmsfsany.c b/cmsfsany.c
+index 55bcfdc..18efffb 100644
+--- a/cmsfsany.c
++++ b/cmsfsany.c
+@@ -102,7 +102,7 @@ int cmsfs_find_label(struct CMSSUPER *vol,struct CMSFSADT *adt)
+             cmsfs_error(cmsfs_ermsg);
+           }
+         vol->flags = CMSFSFBA;
+-        vol->blksz = 512;
++        vol->blksz = blksz;
+         return vol->blksz;
+       } }
+ 
+-- 
+1.7.3.5
+

SOURCES/cmsfs-1.1.8-warnings.patch

@@ -0,0 +1,11 @@
+--- cmsfs-1.1.8/cmsfsvol.c.warnings	2003-07-18 01:38:57.000000000 +0200
++++ cmsfs-1.1.8/cmsfsvol.c	2005-09-06 16:57:15.000000000 +0200
+@@ -52,7 +52,7 @@
+ 
+     /*  print a header;  looks like CMS  */
+     (void) printf("LABEL  VDEV M  STAT   CYL TYPE \
+-BLKSZ   FILES  BLKS USED-(%) BLKS LEFT  BLK TOTAL\n");
++BLKSZ   FILES  BLKS USED-(%%) BLKS LEFT  BLK TOTAL\n");
+ 
+     for (      ; i < argc ; i++)
+       {

SOURCES/device_cio_free.service

@@ -7,6 +7,7 @@ Before=sysinit.target systemd-udev-trigger.service
 Type=oneshot
 RemainAfterExit=yes
 ExecStart=/usr/sbin/device_cio_free
+StandardOutput=syslog
 
 [Install]
 WantedBy=sysinit.target

SOURCES/s390-tools-zipl-blscfg-rpm-nvr-sort.patch

@@ -1,19 +1,234 @@
-diff -up s390-tools-2.9.0/zipl/src/Makefile.blscfg-rpm-nvr-sort s390-tools-2.9.0/zipl/src/Makefile
---- s390-tools-2.9.0/zipl/src/Makefile.blscfg-rpm-nvr-sort	2019-05-22 08:16:17.317273801 -0400
-+++ s390-tools-2.9.0/zipl/src/Makefile	2019-05-22 08:18:02.947273801 -0400
-@@ -7,7 +7,7 @@ ALL_CPPFLAGS += -I../include -I../boot \
- 	    -D_FILE_OFFSET_BITS=64 $(NO_PIE_CFLAGS)
- ALL_LDFLAGS += -Wl,-z,noexecstack $(NO_PIE_LDFLAGS)
+From b2daaa34776ba6afec879e362378f6f7563590a6 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Dan=20Hor=C3=A1k?= <dan@danny.cz>
+Date: Mon, 20 Jun 2022 17:43:05 +0200
+Subject: [PATCH 1/2] Revert "zipl/src: Implement sorting bls entries by
+ versions"
+
+This reverts commit a0dba6bfdb50ff373fa710ffe2a307cc0748f18b.
+---
+ zipl/src/scan.c | 139 ++----------------------------------------------
+ 1 file changed, 3 insertions(+), 136 deletions(-)
+
+diff --git a/zipl/src/scan.c b/zipl/src/scan.c
+index 0cea1d4..9352f76 100644
+--- a/zipl/src/scan.c
++++ b/zipl/src/scan.c
+@@ -10,7 +10,6 @@
+  *
+  */
  
--libs = $(rootdir)/libutil/libutil.a
-+libs = $(rootdir)/libutil/libutil.a -lrpmio -lrpm
+-static const char *VERSION_KEYWORD = "version";
+ 
+ /* Need ISOC99 function isblank() in ctype.h */
+ #ifndef __USE_ISOC99
+@@ -646,7 +645,7 @@ scan_file(const char* filename, struct scan_token** token)
+ 
+ 
+ static int
+-bls_filter_by_names(const struct dirent *ent)
++bls_filter(const struct dirent *ent)
+ {
+ 	int offset = strlen(ent->d_name) - strlen(".conf");
+ 
+@@ -656,111 +655,13 @@ bls_filter_by_names(const struct dirent *ent)
+ 	return strncmp(ent->d_name + offset, ".conf", strlen(".conf")) == 0;
+ }
+ 
+-struct version {
+-	char *line; /* pointer to a line with version keyword */
+-	int offset; /* offset of version value in the line */
+-};
+-
+-/*
+- * Locate version in bls file represented by ENT
+- */
+-static void get_version(const struct dirent *ent, struct version *v)
+-{
+-	char *line = NULL;
+-	size_t len = 0;
+-	char *d_name;
+-	FILE *stream;
+-	ssize_t read;
+-
+-	memset(v, 0, sizeof(*v));
+-	d_name = misc_make_path((char *)blsdir, (char *)ent->d_name);
+-	if (!d_name)
+-		return;
+-
+-	stream = fopen(d_name, "r");
+-	free(d_name);
+-	if (!stream)
+-		return;
+-
+-	while ((read = getline(&line, &len, stream)) != -1) {
+-		if (line[read - 1] == '\n') {
+-			line[read - 1] = '\0';
+-			read--;
+-		}
+-		if ((size_t)read <= strlen(VERSION_KEYWORD) + 1)
+-			continue;
+-		if (strcmp(VERSION_KEYWORD, line) > 0)
+-			continue;
+-		if (!isblank(line[strlen(VERSION_KEYWORD)]))
+-			continue;
+-		/* skip blanks */
+-		v->offset = strlen(VERSION_KEYWORD) + 1;
+-		while (v->offset < read - 1 && isblank(line[v->offset]))
+-			v->offset++;
+-		if (isblank(line[v->offset]))
+-			/*
+-			 * all characters after the keyword
+-			 * are blanks. Invalid version
+-			 */
+-			continue;
+-		v->line = line;
+-		fclose(stream);
+-		return;
+-	}
+-	free(line);
+-	fclose(stream);
+-}
+-
+-static void put_version(struct version *v)
+-{
+-	free(v->line);
+-}
+-
+-/**
+- * Check version in bls file represented by ENT.
+- * Return 1 if version is valid. Otherwise return 0
+- */
+-static int bls_filter_by_versions(const struct dirent *ent)
+-{
+-	struct version v;
+-
+-	if (bls_filter_by_names(ent) == 0)
+-		return 0;
+-
+-	get_version(ent, &v);
+-	if (v.line) {
+-		put_version(&v);
+-		return 1;
+-	}
+-	return 0;
+-}
+-
+ 
+ static int
+-bls_sort_by_names(const struct dirent **ent_a, const struct dirent **ent_b)
++bls_sort(const struct dirent **ent_a, const struct dirent **ent_b)
+ {
+ 	return strverscmp((*ent_a)->d_name, (*ent_b)->d_name);
+ }
+ 
+-static int
+-bls_sort_by_versions(const struct dirent **ent_a, const struct dirent **ent_b)
+-{
+-	struct version v1, v2;
+-	int ret;
+-
+-	get_version(*ent_a, &v1);
+-	get_version(*ent_b, &v2);
+-	/*
+-	 * Both versions are valid.
+-	 * It is guaranteed by bls_filter_by_versions()
+-	 */
+-	ret = strverscmp(v1.line + v1.offset, v2.line + v2.offset);
+-
+-	put_version(&v1);
+-	put_version(&v2);
+-
+-	return ret;
+-}
+ 
+ static int
+ scan_append_section_heading(struct scan_token* scan, int* index, char* name);
+@@ -1110,40 +1011,6 @@ scan_count_target_keywords(char* keyword[])
+ 	return num;
+ }
+ 
+-static int bls_scandir(struct dirent ***bls_entries)
+-{
+-	struct dirent **entries1;
+-	struct dirent **entries2;
+-	int n1, n2;
+-
+-	/* arrange by names */
+-	n1 = scandir(blsdir, &entries1,
+-		     bls_filter_by_names, bls_sort_by_names);
+-	if (n1 <= 0)
+-		return n1;
+-	/* arrange by versions */
+-	n2 = scandir(blsdir, &entries2,
+-		     bls_filter_by_versions, bls_sort_by_versions);
+-
+-	if (n2 <= 0 || n2 < n1) {
+-		/*
+-		 * failed to sort by versions,
+-		 * fall back to sorting by filenames
+-		 */
+-		*bls_entries = entries1;
+-		while (n2--)
+-			free(entries2[n2]);
+-		free(entries2);
+-		return n1;
+-	}
+-	/* use arrangement by versions */
+-	*bls_entries = entries2;
+-	while (n1--)
+-		free(entries1[n1]);
+-	free(entries1);
+-	return n2;
+-}
+-
+ int
+ scan_check_target_data(char* keyword[], int* line)
+ {
+@@ -1464,7 +1331,7 @@ int scan_bls(struct scan_token **token, int scan_size)
+ 	if (!(stat(blsdir, &sb) == 0 && S_ISDIR(sb.st_mode)))
+ 		return 0;
+ 
+-	n = bls_scandir(&bls_entries);
++	n = scandir(blsdir, &bls_entries, bls_filter, bls_sort);
+ 	if (n <= 0)
+ 		return n;
+ 
+-- 
+2.39.2
+
+
+From 692e70bcfc32a05e30146bd7077c41e0eaceff03 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Mon, 20 Jun 2022 17:46:59 +0200
+Subject: [PATCH 2/2] blscfg: sort like rpm nvr, not like a single version
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+Signed-off-by: Dan Horák <dan@danny.cz>
+---
+ zipl/src/Makefile |  1 +
+ zipl/src/scan.c   | 96 ++++++++++++++++++++++++++++++++++++++++++++++-
+ 2 files changed, 95 insertions(+), 2 deletions(-)
+
+diff --git a/zipl/src/Makefile b/zipl/src/Makefile
+index cab5655..7ec215d 100644
+--- a/zipl/src/Makefile
++++ b/zipl/src/Makefile
+@@ -9,6 +9,7 @@ ALL_LDFLAGS += -Wl,-z,noexecstack $(NO_PIE_LDFLAGS)
+ 
+ libs =  $(rootdir)/libutil/libutil.a \
+ 	$(rootdir)/libvtoc/libvtoc.a \
++	-lrpmio -lrpm
  
  objects = misc.o error.o scan.o job.o boot.o bootmap.o fs-map.o disk.o \
- 	  bootmap_header.o envblk.o install.o zipl.o $(rootdir)/zipl/boot/data.o
-diff -up s390-tools-2.9.0/zipl/src/scan.c.blscfg-rpm-nvr-sort s390-tools-2.9.0/zipl/src/scan.c
---- s390-tools-2.9.0/zipl/src/scan.c.blscfg-rpm-nvr-sort	2019-05-21 09:13:36.000000000 -0400
-+++ s390-tools-2.9.0/zipl/src/scan.c	2019-05-22 08:16:17.317273801 -0400
-@@ -33,6 +33,8 @@
+ 	  bootmap_header.o envblk.o install.o zipl.o
+diff --git a/zipl/src/scan.c b/zipl/src/scan.c
+index 9352f76..3327e2d 100644
+--- a/zipl/src/scan.c
++++ b/zipl/src/scan.c
+@@ -35,6 +35,8 @@
  
  #include "lib/util_base.h"
  
@@ -22,7 +237,7 @@ diff -up s390-tools-2.9.0/zipl/src/scan.c.blscfg-rpm-nvr-sort s390-tools-2.9.0/z
  #include "boot.h"
  #include "error.h"
  #include "misc.h"
-@@ -653,13 +655,103 @@ bls_filter(const struct dirent *ent)
+@@ -655,13 +657,103 @@ bls_filter(const struct dirent *ent)
  	return strncmp(ent->d_name + offset, ".conf", strlen(".conf")) == 0;
  }
  
@@ -128,3 +343,6 @@ diff -up s390-tools-2.9.0/zipl/src/scan.c.blscfg-rpm-nvr-sort s390-tools-2.9.0/z
  
  static int
  scan_append_section_heading(struct scan_token* scan, int* index, char* name);
+-- 
+2.39.2
+

SOURCES/s390-tools-zipl-invert-script-options.patch

@@ -61,10 +61,10 @@ index 871935c783f..d8d5eca5867 100755
  	    ;;
  	--)
  	    shift
-diff --git a/scripts/zipl-switch-to-blscfg.1 b/scripts/zipl-switch-to-blscfg.1
+diff --git a/scripts/zipl-switch-to-blscfg.8 b/scripts/zipl-switch-to-blscfg.8
 index 6bd14d00d14..71b904ffd1c 100644
---- a/scripts/zipl-switch-to-blscfg.1
-+++ b/scripts/zipl-switch-to-blscfg.1
+--- a/scripts/zipl-switch-to-blscfg.8
++++ b/scripts/zipl-switch-to-blscfg.8
 @@ -37,9 +37,9 @@ The DIRECTORY where the BLS fragments will be generated. The directory is create
  The FILE used for zipl configuration file, defaults to /etc/zipl.conf.
  

SOURCES/s390utils-2.19.0-rhel.patch

@@ -1,547 +0,0 @@
-From 55e2f3991a8f55d49d7e381dbd8d3fe347c3fc9e Mon Sep 17 00:00:00 2001
-From: Marc Hartmayer <mhartmay@linux.ibm.com>
-Date: Thu, 31 Mar 2022 14:00:31 +0000
-Subject: [PATCH 1/5] genprotimg: remove DigiCert root CA pinning
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Remove the DigiCert root CA pinning. The root CA used for the chain of trust can
-change in the future therefore let's remove this check. If someone wants to
-enforce the usage of a specific root CA it can be selected by the genprotimg
-command line option `--root-ca $CA`. Make it transparent to the user which root
-CA is actually being used by printing the subject name of the root CA to stdout
-in verbose mode.
-
-Signed-off-by: Marc Hartmayer <mhartmay@linux.ibm.com>
-Acked-by: Viktor Mihajlovski <mihajlov@linux.ibm.com>
-Reviewed-and-tested-by: Nico Boehr <nrb@linux.ibm.com>
-Signed-off-by: Jan Höppner <hoeppner@linux.ibm.com>
-(cherry picked from commit 78b053326c504c0535b5ec1c244ad7bb5a1df29d)
----
- genprotimg/man/genprotimg.8            |  2 +-
- genprotimg/src/include/pv_crypto_def.h |  3 --
- genprotimg/src/pv/pv_args.c            |  2 +-
- genprotimg/src/pv/pv_image.c           | 27 ++++++---------
- genprotimg/src/utils/crypto.c          | 48 +++++++++++---------------
- genprotimg/src/utils/crypto.h          |  4 +--
- 6 files changed, 35 insertions(+), 51 deletions(-)
-
-diff --git a/genprotimg/man/genprotimg.8 b/genprotimg/man/genprotimg.8
-index 8a481c4..6f14052 100644
---- a/genprotimg/man/genprotimg.8
-+++ b/genprotimg/man/genprotimg.8
-@@ -87,7 +87,7 @@ CRLs. Optional.
- .TP
- \fB\-\-root\-ca\fR=\fI\,FILE\/\fR
- Specifies the root CA certificate for the verification. If omitted,
--the DigiCert root CA certificate installed on the system is used. Use
-+the system wide root CAs installed on the system is used. Use
- this only if you trust the specified certificate. Optional.
- .TP
- \fB\-\-no-verify\fR
-diff --git a/genprotimg/src/include/pv_crypto_def.h b/genprotimg/src/include/pv_crypto_def.h
-index 53984a3..3635433 100644
---- a/genprotimg/src/include/pv_crypto_def.h
-+++ b/genprotimg/src/include/pv_crypto_def.h
-@@ -29,9 +29,6 @@
-  */
- #define PV_CERTS_SECURITY_LEVEL 2
- 
--/* SKID for DigiCert Assured ID Root CA */
--#define DIGICERT_ASSURED_ID_ROOT_CA_SKID "45EBA2AFF492CB82312D518BA7A7219DF36DC80F"
--
- union ecdh_pub_key {
- 	struct {
- 		uint8_t x[80];
-diff --git a/genprotimg/src/pv/pv_args.c b/genprotimg/src/pv/pv_args.c
-index e644ae7..bcc3784 100644
---- a/genprotimg/src/pv/pv_args.c
-+++ b/genprotimg/src/pv/pv_args.c
-@@ -111,7 +111,7 @@ static gint pv_args_validate_options(PvArgs *args, GError **err)
- 	     g_strv_length(args->untrusted_cert_paths) == 0)) {
- 		g_set_error(
- 			err, PV_PARSE_ERROR, PR_PARSE_ERROR_MISSING_ARGUMENT,
--			_("Either specify the IBM Z signing key and (DigiCert) intermediate CA certificate\n"
-+			_("Either specify the IBM Z signing key and intermediate CA certificate\n"
- 			  "by using the '--cert' option, or use the '--no-verify' flag to disable the\n"
- 			  "host-key document verification completely (at your own risk)."));
- 		return -1;
-diff --git a/genprotimg/src/pv/pv_image.c b/genprotimg/src/pv/pv_image.c
-index 7359240..a5f07b8 100644
---- a/genprotimg/src/pv/pv_image.c
-+++ b/genprotimg/src/pv/pv_image.c
-@@ -304,9 +304,10 @@ static gint pv_img_hostkey_verify(GSList *host_key_certs,
- 	}
- 
- 	/* Load all untrusted certificates (e.g. IBM Z signing key and
--	 * DigiCert intermediate CA) that are required to establish a chain of
--	 * trust starting from the host-key document up to the root CA (if not
--	 * otherwise specified that's the DigiCert Assured ID Root CA).
-+	 * intermediate CA) that are required to establish a chain of trust
-+	 * starting from the host-key document up to the root CA (if not
-+	 * otherwise specified that can be one of the system wide installed
-+	 * root CAs, e.g. DigiCert).
- 	 */
- 	untrusted_certs_with_path = load_certificates(untrusted_cert_paths, err);
- 	if (!untrusted_certs_with_path)
-@@ -341,9 +342,8 @@ static gint pv_img_hostkey_verify(GSList *host_key_certs,
- 	 * For this we must check:
- 	 *
- 	 * 1. Can a chain of trust be established ending in a root CA
--	 * 2. Is the correct root CA ued? It has either to be the
--	 *    'DigiCert Assured ID Root CA' or the root CA specified via
--	 *    command line.
-+	 * 2. Is the correct root CA used? It has either to be a system CA
-+	 *    or the root CA specified via command line.
- 	 */
- 	for (gint i = 0; i < sk_X509_num(ibm_signing_certs); ++i) {
- 		X509 *ibm_signing_cert = sk_X509_value(ibm_signing_certs, i);
-@@ -364,17 +364,12 @@ static gint pv_img_hostkey_verify(GSList *host_key_certs,
- 		if (verify_cert(ibm_signing_cert, ctx, err) < 0)
- 			goto error;
- 
--		/* Verify the build chain of trust chain. If the user passes a
--		 * trusted root CA on the command line then the check for the
--		 * Subject Key Identifier (SKID) is skipped, otherwise let's
--		 * check if the SKID meets our expectation.
-+		/* If there is a chain of trust using either the provided root
-+		 * CA on the command line or a system wide trusted root CA.
- 		 */
--		if (!root_ca_path &&
--		    check_chain_parameters(X509_STORE_CTX_get0_chain(ctx),
--					   get_digicert_assured_id_root_ca_skid(),
--					   err) < 0) {
-+		if (check_chain_parameters(X509_STORE_CTX_get0_chain(ctx),
-+					   err) < 0)
- 			goto error;
--		}
- 
- 		ibm_signing_crls = store_ctx_find_valid_crls(ctx, ibm_signing_cert, err);
- 		if (!ibm_signing_crls) {
-@@ -588,7 +583,7 @@ PvImage *pv_img_new(PvArgs *args, const gchar *stage3a_path, GError **err)
- 		g_warning(_("host-key document verification is disabled. Your workload is not secured."));
- 
- 	if (args->root_ca_path)
--		g_warning(_("A different root CA than the default DigiCert root CA is selected. Ensure that this root CA is trusted."));
-+		g_warning(_("The root CA is selected through the command line. Ensure that this root CA is trusted."));
- 
- 	ret->comps = pv_img_comps_new(EVP_sha512(), EVP_sha512(), EVP_sha512(), err);
- 	if (!ret->comps)
-diff --git a/genprotimg/src/utils/crypto.c b/genprotimg/src/utils/crypto.c
-index 087de37..9d1fdb0 100644
---- a/genprotimg/src/utils/crypto.c
-+++ b/genprotimg/src/utils/crypto.c
-@@ -1079,8 +1079,8 @@ int store_set_verify_param(X509_STORE *store, GError **err)
- 		g_abort();
- 
- 	/* The maximum depth level of the chain of trust for the verification of
--	 * the IBM Z signing key is 2, i.e. IBM Z signing key -> (DigiCert)
--	 * intermediate CA -> (DigiCert) root CA
-+	 * the IBM Z signing key is 2, i.e. IBM Z signing key -> intermediate CA
-+	 * -> root CA
- 	 */
- 	X509_VERIFY_PARAM_set_depth(param, 2);
- 
-@@ -1267,46 +1267,38 @@ static int security_level_to_bits(int level)
- 	return security_bits[level];
- }
- 
--static ASN1_OCTET_STRING *digicert_assured_id_root_ca;
--
--const ASN1_OCTET_STRING *get_digicert_assured_id_root_ca_skid(void)
--{
--	pv_crypto_init();
--	return digicert_assured_id_root_ca;
--}
--
- /* Used for the caching of the downloaded CRLs */
- static GHashTable *cached_crls;
- 
- void pv_crypto_init(void)
- {
--	if (digicert_assured_id_root_ca)
-+	if (cached_crls)
- 		return;
--
- 	cached_crls = g_hash_table_new_full(g_str_hash, g_str_equal, g_free,
- 					    (GDestroyNotify)X509_CRL_free);
--	digicert_assured_id_root_ca = s2i_ASN1_OCTET_STRING(
--		NULL, NULL, DIGICERT_ASSURED_ID_ROOT_CA_SKID);
- }
- 
- void pv_crypto_cleanup(void)
- {
--	if (!digicert_assured_id_root_ca)
-+	if (!cached_crls)
- 		return;
- 	g_clear_pointer(&cached_crls, g_hash_table_destroy);
--	g_clear_pointer(&digicert_assured_id_root_ca, ASN1_OCTET_STRING_free);
- }
- 
- gint check_chain_parameters(const STACK_OF_X509 *chain,
--			    const ASN1_OCTET_STRING *skid, GError **err)
-+			    GError **err)
- {
--	const ASN1_OCTET_STRING *ca_skid = NULL;
-+	const X509_NAME *ca_x509_subject = NULL;
-+	g_autofree gchar *ca_subject = NULL;
- 	gint len = sk_X509_num(chain);
- 	X509 *ca = NULL;
- 
--	g_assert(skid);
- 	/* at least one root and one leaf certificate must be defined */
--	g_assert(len >= 2);
-+	if (len < 2) {
-+		g_set_error(err, PV_CRYPTO_ERROR, PV_CRYPTO_ERROR_INTERNAL,
-+			    _("there must be at least on root and one leaf certificate in the chain of trust"));
-+		return -1;
-+	}
- 
- 	/* get the root certificate of the chain of trust */
- 	ca = sk_X509_value(chain, len - 1);
-@@ -1316,19 +1308,21 @@ gint check_chain_parameters(const STACK_OF_X509 *chain,
- 		return -1;
- 	}
- 
--	ca_skid = X509_get0_subject_key_id(ca);
--	if (!ca_skid) {
--		g_set_error(err, PV_CRYPTO_ERROR, PV_CRYPTO_ERROR_MALFORMED_ROOT_CA,
--			    _("malformed root certificate"));
-+	ca_x509_subject = X509_get_subject_name(ca);
-+	if (!ca_x509_subject) {
-+		g_set_error(err, PV_CRYPTO_ERROR, PV_CRYPTO_ERROR_INTERNAL,
-+			    _("subject of the root CA cannot be retrieved"));
- 		return -1;
- 	}
- 
--	if (ASN1_STRING_cmp(ca_skid, skid) != 0) {
--		g_set_error(err, PV_CRYPTO_ERROR, PV_CRYPTO_ERROR_WRONG_CA_USED,
--			    _("expecting DigiCert root CA to be used"));
-+	ca_subject = X509_NAME_oneline(ca_x509_subject, NULL, 0);
-+	if (!ca_subject) {
-+		g_set_error(err, PV_CRYPTO_ERROR, PV_CRYPTO_ERROR_INTERNAL,
-+			    _("subject name of the root CA cannot be retrieved"));
- 		return -1;
- 	}
- 
-+	g_info("Root CA used: '%s'", ca_subject);
- 	return 0;
- }
- 
-diff --git a/genprotimg/src/utils/crypto.h b/genprotimg/src/utils/crypto.h
-index 3cda450..fdf66de 100644
---- a/genprotimg/src/utils/crypto.h
-+++ b/genprotimg/src/utils/crypto.h
-@@ -125,7 +125,6 @@ int check_crl_valid_for_cert(X509_CRL *crl, X509 *cert,
- 			     gint verify_flags, GError **err);
- void pv_crypto_init(void);
- void pv_crypto_cleanup(void);
--const ASN1_OCTET_STRING *get_digicert_assured_id_root_ca_skid(void);
- gint verify_host_key(X509 *host_key, GSList *issuer_pairs,
- 		     gint verify_flags, int level, GError **err);
- X509 *load_cert_from_file(const char *path, GError **err);
-@@ -138,8 +137,7 @@ X509_STORE *store_setup(const gchar *root_ca_path,
- int store_set_verify_param(X509_STORE *store, GError **err);
- X509_CRL *load_crl_by_cert(X509 *cert, GError **err);
- STACK_OF_X509_CRL *try_load_crls_by_certs(GSList *certs_with_path);
--gint check_chain_parameters(const STACK_OF_X509 *chain,
--			    const ASN1_OCTET_STRING *skid, GError **err);
-+gint check_chain_parameters(const STACK_OF_X509 *chain, GError **err);
- X509_NAME *c2b_name(const X509_NAME *name);
- 
- STACK_OF_X509 *delete_ibm_signing_certs(STACK_OF_X509 *certs);
--- 
-2.37.1
-
-
-From 666cd637519efad9b9c4ca68a5d99b86e92d48ff Mon Sep 17 00:00:00 2001
-From: Viktor Mihajlovski <mihajlov@linux.ibm.com>
-Date: Tue, 15 Mar 2022 12:55:02 +0100
-Subject: [PATCH 2/5] genprotimg/check_hostkeydoc: relax default issuer check
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-While the original default issuer's organizationalUnitName (OU)
-was defined as "IBM Z Host Key Signing Service", any OU ending
-with "Key Signing Service" is considered legal.
-
-Let's relax the default issuer check by stripping off characters
-preceding "Key Signing Service".
-
-Signed-off-by: Viktor Mihajlovski <mihajlov@linux.ibm.com>
-Reviewed-by: Marc Hartmayer <mhartmay@linux.ibm.com>
-Signed-off-by: Jan Höppner <hoeppner@linux.ibm.com>
-(cherry picked from commit 673ff375d939d3cde674f8f99a62d456f8b1673d)
----
- genprotimg/samples/check_hostkeydoc | 20 ++++++++++++++++----
- 1 file changed, 16 insertions(+), 4 deletions(-)
-
-diff --git a/genprotimg/samples/check_hostkeydoc b/genprotimg/samples/check_hostkeydoc
-index a96576f..6a83739 100755
---- a/genprotimg/samples/check_hostkeydoc
-+++ b/genprotimg/samples/check_hostkeydoc
-@@ -23,6 +23,7 @@ BODY_FILE=$(mktemp)
- ISSUER_DN_FILE=$(mktemp)
- SUBJECT_DN_FILE=$(mktemp)
- DEF_ISSUER_DN_FILE=$(mktemp)
-+CANONICAL_ISSUER_DN_FILE=$(mktemp)
- CRL_SERIAL_FILE=$(mktemp)
- 
- # Cleanup on exit
-@@ -30,7 +31,7 @@ cleanup()
- {
-     rm -f $ISSUER_PUBKEY_FILE $SIGNATURE_FILE $BODY_FILE \
-         $ISSUER_DN_FILE $SUBJECT_DN_FILE $DEF_ISSUER_DN_FILE \
--        $CRL_SERIAL_FILE
-+        $CANONICAL_ISSUER_DN_FILE $CRL_SERIAL_FILE
- }
- trap cleanup EXIT
- 
-@@ -121,20 +122,31 @@ default_issuer()
-     commonName                = International Business Machines Corporation
-     countryName               = US
-     localityName              = Poughkeepsie
--    organizationalUnitName    = IBM Z Host Key Signing Service
-+    organizationalUnitName    = Key Signing Service
-     organizationName          = International Business Machines Corporation
-     stateOrProvinceName       = New York
- EOF
- }
- 
--verify_issuer_files()
-+# As organizationalUnitName can have an arbitrary prefix but must
-+# end with "Key Signing Service" let's normalize the OU name by
-+# stripping off the prefix
-+verify_default_issuer()
- {
-     default_issuer > $DEF_ISSUER_DN_FILE
- 
--    if ! diff $ISSUER_DN_FILE $DEF_ISSUER_DN_FILE
-+    sed "s/\(^[ ]*organizationalUnitName[ ]*=[ ]*\).*\(Key Signing Service$\)/\1\2/" \
-+	$ISSUER_DN_FILE > $CANONICAL_ISSUER_DN_FILE
-+
-+    if ! diff $CANONICAL_ISSUER_DN_FILE $DEF_ISSUER_DN_FILE
-     then
-         echo Incorrect default issuer >&2 && exit 1
-     fi
-+}
-+
-+verify_issuer_files()
-+{
-+    verify_default_issuer
- 
-     if diff $ISSUER_DN_FILE $SUBJECT_DN_FILE
-     then
--- 
-2.37.1
-
-
-From b4dc45d6f3fff7c57fd5a97cdab357a842ef021e Mon Sep 17 00:00:00 2001
-From: Ingo Franzki <ifranzki@linux.ibm.com>
-Date: Mon, 4 Apr 2022 16:38:41 +0200
-Subject: [PATCH 3/5] libseckey: Fix re-enciphering of EP11 secure key
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The re-enciphering of EP11 asymmetric secure keys does not work.
-First, the result of the re-encipher operation of the private key
-part must be copied back into the user supplied key token buffer.
-Second, the public key part, i.e. the MACed SubjectPublicKeyInfo
-(SPKI) structure must also be re-enciphered (i.e. re-MACed), since
-the MAC is calculated with the EP11 master key.
-
-Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
-Signed-off-by: Jan Höppner <hoeppner@linux.ibm.com>
-(cherry picked from commit 4e2ebe0370d9fb036b7554d5ac5df4418dbe0397)
----
- libseckey/sk_ep11.c | 53 +++++++++++++++++++++++++++++++++++++++++++++
- 1 file changed, 53 insertions(+)
-
-diff --git a/libseckey/sk_ep11.c b/libseckey/sk_ep11.c
-index b867626..e3bd3c9 100644
---- a/libseckey/sk_ep11.c
-+++ b/libseckey/sk_ep11.c
-@@ -1549,6 +1549,59 @@ int SK_EP11_reencipher_key(const struct sk_ext_ep11_lib *ep11_lib,
- 		return -EIO;
- 	}
- 
-+	memcpy(blob, lrb.payload, lrb.pllen);
-+
-+	/* re-encipher MACed SPKI */
-+	rb.domain = domain;
-+	lrb.domain = domain;
-+
-+	resp_len = sizeof(resp);
-+	req_len = ep11.dll_xcpa_cmdblock(req, sizeof(req), XCP_ADM_REENCRYPT,
-+					 &rb, NULL, key_token + hdr->len,
-+					 key_token_length - hdr->len);
-+	if (req_len < 0) {
-+		sk_debug(debug, "Failed to build XCP command block");
-+		return -EIO;
-+	}
-+
-+	rv = ep11.dll_m_admin(resp, &resp_len, NULL, NULL, req, req_len, NULL,
-+			      0, ep11_lib->target);
-+	if (rv != CKR_OK || resp_len == 0) {
-+		sk_debug(debug, "Command XCP_ADM_REENCRYPT failed. "
-+			 "rc = 0x%lx, resp_len = %ld", rv, resp_len);
-+		return -EIO;
-+	}
-+
-+	rc = ep11.dll_xcpa_internal_rv(resp, resp_len, &lrb, &rv);
-+	if (rc != 0) {
-+		sk_debug(debug, "Failed to parse response. rc = %d", rc);
-+		return -EIO;
-+	}
-+
-+	if (rv != CKR_OK) {
-+		sk_debug(debug, "Failed to re-encrypt the EP11 secure key. "
-+			 "rc = 0x%lx", rv);
-+		switch (rv) {
-+		case CKR_IBM_WKID_MISMATCH:
-+			sk_debug(debug, "The EP11 secure key is currently "
-+				 "encrypted under a different master that does "
-+				 "not match the master key in the CURRENT "
-+				 "master key register of APQN %02X.%04X",
-+				 card, domain);
-+			break;
-+		}
-+		return -EIO;
-+	}
-+
-+	if (key_token_length - hdr->len != lrb.pllen) {
-+		sk_debug(debug, "Re-encrypted EP11 secure key size has "
-+			 "changed: org-len: %lu, new-len: %lu",
-+			 hdr->len - sizeof(*hdr), lrb.pllen);
-+		return -EIO;
-+	}
-+
-+	memcpy(key_token + hdr->len, lrb.payload, lrb.pllen);
-+
- 	return 0;
- }
- 
--- 
-2.37.1
-
-
-From bf4d971adb286fc42f6f5bcb45b6fb484eb9519b Mon Sep 17 00:00:00 2001
-From: Mete Durlu <meted@linux.ibm.com>
-Date: Fri, 10 Jun 2022 10:13:33 +0200
-Subject: [PATCH 4/5] hyptop: increase initial update interval
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Increase initial update interval from 200ms to 1 seconds to avoid
-fluctuations on the initial data output.
-
-Signed-off-by: Mete Durlu <meted@linux.ibm.com>
-Signed-off-by: Jan Höppner <hoeppner@linux.ibm.com>
-(cherry picked from commit 80e54ac888d6232d99a485c74071fc2173f3dfbf)
----
- hyptop/sd.h      | 2 +-
- hyptop/sd_core.c | 2 +-
- 2 files changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/hyptop/sd.h b/hyptop/sd.h
-index 9ba3192..1aed707 100644
---- a/hyptop/sd.h
-+++ b/hyptop/sd.h
-@@ -17,7 +17,7 @@
- #include "helper.h"
- #include "table.h"
- 
--#define SD_DG_INIT_INTERVAL_MS	200
-+#define SD_DG_INIT_INTERVAL_SEC	1
- #define SD_SYS_ID_SIZE		9
- 
- /*
-diff --git a/hyptop/sd_core.c b/hyptop/sd_core.c
-index f1cb631..47b5b59 100644
---- a/hyptop/sd_core.c
-+++ b/hyptop/sd_core.c
-@@ -150,7 +150,7 @@ void sd_update(void)
-  */
- void sd_dg_register(struct sd_dg *dg, int has_core_data)
- {
--	struct timespec ts = {0, SD_DG_INIT_INTERVAL_MS * 1000000};
-+	struct timespec ts = {SD_DG_INIT_INTERVAL_SEC, 0};
- 	struct sd_sys_item *sys_item;
- 	struct sd_cpu_item *cpu_item;
- 	unsigned int i;
--- 
-2.37.1
-
-
-From 0c7fa7ed53e0187ea9d89f05299f17378daf046e Mon Sep 17 00:00:00 2001
-From: Ingo Franzki <ifranzki@linux.ibm.com>
-Date: Thu, 12 May 2022 11:06:16 +0200
-Subject: [PATCH 5/5] libseckey: Adapt keymgmt_match() implementation to
- OpenSSL
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-OpenSSL commit ee22a3741e3fc27c981e7f7e9bcb8d3342b0c65a changed the
-OpenSSL provider's keymgmt_match() function to be not so strict with
-the selector bits in regards to matching different key parts.
-
-Adapt the secure key provider's match function accordingly.
-This means, that if the public key is selected to be matched, and
-the public key matches (together with any also selected parameters),
-then the private key is no longer checked, although it may also be
-selected to be matched. This is according to how the OpenSSL function
-EVP_PKEY_eq() is supposed to behave.
-
-OpenSSL function SSL_CTX_use_PrivateKey() calls the providers match
-function to check if the private key specified matches the public key
-of the certificate using EVP_PKEY_eq(). EVP_PKEY_eq() includes the
-private key into the selector bits here, although the certificate
-only contains the public key part.
-
-Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
-Signed-off-by: Jan Höppner <hoeppner@linux.ibm.com>
-(cherry picked from commit 6c5c5f7e558c114ddaa475e96c9ec708049aa423)
----
- libseckey/sk_provider.c | 18 ++++++++++++++----
- 1 file changed, 14 insertions(+), 4 deletions(-)
-
-diff --git a/libseckey/sk_provider.c b/libseckey/sk_provider.c
-index 10f56c0..0abe99d 100644
---- a/libseckey/sk_provider.c
-+++ b/libseckey/sk_provider.c
-@@ -2216,13 +2216,23 @@ static int sk_prov_keymgmt_match(const struct sk_prov_key *key1,
- 
- 	if (key1->type != key2->type)
- 		return 0;
-+
-+	if (selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) {
-+		/* match everything except private key */
-+		return default_match_fn(key1->default_key, key2->default_key,
-+					selection &
-+					    (~OSSL_KEYMGMT_SELECT_PRIVATE_KEY));
-+	}
-+
- 	if (selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) {
- 		if (key1->secure_key_size != key2->secure_key_size)
- 			return 0;
--		if (key1->secure_key_size > 0 &&
--		    memcmp(key1->secure_key, key2->secure_key,
--			    key1->secure_key_size) != 0)
--			return 0;
-+		if (key1->secure_key_size > 0) {
-+			if (memcmp(key1->secure_key, key2->secure_key,
-+				   key1->secure_key_size) != 0)
-+				return 0;
-+			selection &= (~OSSL_KEYMGMT_SELECT_PRIVATE_KEY);
-+		}
- 	}
- 
- 	return default_match_fn(key1->default_key, key2->default_key,
--- 
-2.37.1
-

SOURCES/src_vipa-2.1.0-deprecate.patch

@@ -0,0 +1,12 @@
+diff -up s390-tools-2.2.0/src_vipa-2.1.0/Makefile.orig s390-tools-2.2.0/src_vipa-2.1.0/Makefile
+--- s390-tools-2.2.0/src_vipa-2.1.0/Makefile.orig	2020-02-21 13:51:23.502305796 +0100
++++ s390-tools-2.2.0/src_vipa-2.1.0/Makefile	2020-02-21 13:53:51.353817181 +0100
+@@ -44,6 +44,8 @@ src_vipa.sh:
+ 	echo '#!/bin/bash' > src_vipa.sh
+ 	echo 'export LD_LIBRARY_PATH=$(LIBDIR):$$LD_LIBRARY_PATH' >> src_vipa.sh
+ 	echo 'export LD_PRELOAD=$(LIBDIR)/src_vipa.so' >> src_vipa.sh
++	echo 'echo "WARNING: The src_vipa (flexible source address selection) feature is DEPRECATED"' >> src_vipa.sh
++	echo 'echo "WARNING: It will be removed in the future."' >> src_vipa.sh
+ 	echo 'exec $$@' >> src_vipa.sh
+ 	chmod 755 src_vipa.sh
+