| From 022b0c3bbe1d55a4d4fe65438d5b7c647f799e74 Mon Sep 17 00:00:00 2001
 | |
| From: Shalini Chellathurai Saroja <shalini@linux.ibm.com>
 | |
| Date: Fri, 16 May 2025 16:47:24 +0200
 | |
| Subject: [PATCH] cpi: Disable CPI for SEL guests by default (RHEL-76931)
 | |
| MIME-Version: 1.0
 | |
| Content-Type: text/plain; charset=UTF-8
 | |
| Content-Transfer-Encoding: 8bit
 | |
| 
 | |
| The cpictl utility sends control-program identification data
 | |
| from protected virtualization guests to hosts by default.
 | |
| This behaviour leaks the below potentially sensitive
 | |
| information to untrusted hosts.
 | |
| - system_type
 | |
| - system_level
 | |
| - sysplex_name
 | |
| - system_name
 | |
| 
 | |
| To prevent this behaviour, enhance the cpictl utility to stop
 | |
| setting CPI information on protected virtualization guests by
 | |
| default. If the user chooses to set the CPI information, it
 | |
| could be set by one of the below options
 | |
| - use the command line option --permit-cpi
 | |
| - set the environment variable CPI_PERMIT_ON_PVGUEST to 1 to
 | |
| control the CPI service behaviour during boot
 | |
| 
 | |
| Signed-off-by: Hendrik Brueckner <brueckner@linux.ibm.com>
 | |
| Signed-off-by: Shalini Chellathurai Saroja <shalini@linux.ibm.com>
 | |
| Reviewed-by: Jan Höppner <hoeppner@linux.ibm.com>
 | |
| Reviewed-by: Peter Oberparleiter <oberpar@linux.ibm.com>
 | |
| Reviewed-by: Hendrik Brueckner <brueckner@linux.ibm.com>
 | |
| Signed-off-by: Jan Höppner <hoeppner@linux.ibm.com>
 | |
| (cherry picked from commit ce9c518b977925cc4c9eb92a3e508762fd57f551)
 | |
| ---
 | |
|  etc/sysconfig/cpi      | 14 ++++++++++++++
 | |
|  scripts/cpictl         | 39 +++++++++++++++++++++++++++++++++++++--
 | |
|  systemd/cpi.service.in |  1 +
 | |
|  3 files changed, 52 insertions(+), 2 deletions(-)
 | |
| 
 | |
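diff --git a/etc/sysconfig/cpi b/etc/sysconfig/cpi
index 866b589..78eb632 100644
--- a/etc/sysconfig/cpi
+++ b/etc/sysconfig/cpi
@@ -18,3 +18,17 @@ CPI_SYSTEM_NAME=""
 # CPI sysplex name
 #
 CPI_SYSPLEX_NAME=""
+
+#
+# CPI permit on protected virtualization guests
+#
+# Important: Set CPI_PERMIT_ON_PVGUEST=1 only if you trust the host system.
+# Enabling these options allows the host to receive potentially sensitive
+# Control-Program Identification (CPI) data from the protected virtualization
+# guest, including:
+# - system_type
+# - system_level
+# - sysplex_name
+# - system_name
+#
+CPI_PERMIT_ON_PVGUEST=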
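diff --git a/scripts/cpictl b/scripts/cpictl
index 16cadde..6096a67 100755
--- a/scripts/cpictl
+++ b/scripts/cpictl
@@ -32,6 +32,9 @@ declare TYPE
 declare NAME
 declare SYSPLEX
 
+declare PV_GUEST
+declare -i CPI_PERMIT="$CPI_PERMIT_ON_PVGUEST"
+
 declare -i DRYRUN=0
 
 # Exit codes
@@ -40,6 +43,7 @@ readonly EXIT_FAILURE=1
 readonly EXIT_ARG_TOO_LONG=3
 readonly EXIT_INVALID_CHARS=4
 readonly EXIT_INVALID_ARGS=5
+readonly EXIT_NO_PERMIT_CPI=6
 
 # Distro-IDs as supported by SE/HMC firmware
 readonly DISTRO_GENERIC=0
@@ -69,6 +73,10 @@ Configure the Control-Program-Information (CPI) settings.
   -S, --sysplex SYSPLEX  Set and commit the sysplex name to SYSPLEX
   -T, --type TYPE        Set and commit OS type to TYPE
   -v, --version          Print version information, then exit
+  --permit-cpi           Permit to send Control-Program Identification data of
+                         protected virtualization guest to the host (must be
+                         specified before any commit option). See also the
+                         important note.
   --commit               Ignore all other options and commit any uncommitted
                          values
   --dry-run              Do not actually set or commit anything, but show what
@@ -77,7 +85,17 @@ Configure the Control-Program-Information (CPI) settings.
                          uncommitted) values
 
 Environment variables used for the --defaults option:
-  CPI_SYSTEM_TYPE, CPI_SYSTEM_LEVEL, CPI_SYSTEM_NAME, CPI_SYSPLEX_NAME
+  CPI_SYSTEM_TYPE, CPI_SYSTEM_LEVEL, CPI_SYSTEM_NAME, CPI_SYSPLEX_NAME,
+  CPI_PERMIT_ON_PVGUEST (See also the important note.)
+
+Important: Set CPI_PERMIT_ON_PVGUEST=1 or use --permit_cpi option only if you
+trust the host system. Enabling these options allows the host to receive
+potentially sensitive Control-Program Identification (CPI) data from the
+protected virtualization guest, including:
+- system_type
+- system_level
+- sysplex_name
+- system_name
 
 Available bits for the --set-bit option:
   kvm: Indicate that system is a KVM host
@@ -124,6 +142,19 @@ fail_with()
 
 cpi_commit()
 {
+	# Commit Control-Program Identification changes on protected
+	# virtualization guests only if it is permitted by the guest. This
+	# prevents leakage of potentially sensitive information to untrusted
+	# hosts.
+	if [[ -f "/sys/firmware/uv/prot_virt_guest" ]]; then
+		read -r PV_GUEST < "/sys/firmware/uv/prot_virt_guest"
+		if [[ "$PV_GUEST" -eq 1 ]]; then
+			if [[ -z "$CPI_PERMIT" ]] || [[ "$CPI_PERMIT" -ne 1 ]]; then
+				echo "Sending CPI data from secure execution Linux guests is disabled. Use --permit-cpi to enable CPI data." >&2
+				exit "$EXIT_NO_PERMIT_CPI"
+			fi
+		fi
+	fi
 	echo 1 > "$CPI_SET" 2> /dev/null
 }
 
@@ -404,7 +435,7 @@ if [ $# -le 0 ]; then
 	print_parse_error_and_exit
 fi
 
-opts=$(getopt -o b:ehL:N:S:T:v -l set-bit:,environment,help,level:,name:,sysplex:,type:,commit,dry-run,show,version -n $PRG -- "$@")
+opts=$(getopt -o b:ehL:N:S:T:v -l set-bit:,environment,help,level:,name:,sysplex:,type:,commit,dry-run,permit-cpi,show,version -n "$PRG" -- "$@")
 if [ $? -ne 0 ]; then
 	print_parse_error_and_exit
 fi
@@ -473,6 +504,10 @@ while [ -n $1 ]; do
 		cpi_show
 		exit $EXIT_SUCCESS
 		;;
+	--permit-cpi)
+		CPI_PERMIT=1
+		shift
+		;;
 	--commit)
 		cpi_commit
 		exit $EXIT_SUCCESS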
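Review bot: `declare -i CPI_PERMIT="$CPI_PERMIT_ON_PVGUEST"` in the first hunk arithmetically evaluates whatever value the environment supplies, so a setting such as `yes` or `true` silently becomes 0 and any other string is evaluated as a shell arithmetic expression rather than compared; a plain string test such as `[[ "$CPI_PERMIT_ON_PVGUEST" == 1 ]]`, with `CPI_PERMIT=1` otherwise set only by `--permit-cpi`, keeps the gate a strict opt-in with no evaluation of the input. Because of `declare -i`, the `[[ -z "$CPI_PERMIT" ]]` half of the test in cpi_commit can never be true and can be dropped. The usage text in the fourth hunk spells the option `--permit_cpi`, which the getopt definition does not accept; it should read `--permit-cpi`. The error message in cpi_commit only points at `--permit-cpi`, but in the cpi.service path the operator can only set the environment variable, so the message should name both, e.g. `Use --permit-cpi or CPI_PERMIT_ON_PVGUEST=1 to enable CPI data.`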
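diff --git a/systemd/cpi.service.in b/systemd/cpi.service.in
index 3976f68..ca21a8b 100644
--- a/systemd/cpi.service.in
+++ b/systemd/cpi.service.in
@@ -37,6 +37,7 @@ EnvironmentFile=@sysconf_path@/sysconfig/cpi
 # Environment=CPI_SYSPLEX_NAME=
 # Environment=CPI_SYSTEM_LEVEL=
 # Environment=CPI_SYSTEM_TYPE=LINUX
+# Environment=CPI_PERMIT_ON_PVGUEST=
 
 #
 # Sending data to the HMC/SE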
| -- 
 | |
| 2.50.1
 | |
| 
 |