rpms/s390utils
6
0
Fork 0
Code Issues Pull Requests Releases Activity
b84c0f81db
s390utils/s390utils-2.38.0-rhel.patch
Dan Horák b84c0f81db - cpi: Disable CPI for SEL guests by default (RHEL-76930) 
- Resolves: RHEL-76930
2025-08-13 13:42:33 +02:00

168 lines
5.8 KiB
Diff
Raw Blame History

From 070317ddb8613243ab284aa3c861f6374fc016ec Mon Sep 17 00:00:00 2001
From: Shalini Chellathurai Saroja <shalini@linux.ibm.com>
Date: Fri, 16 May 2025 16:47:24 +0200
Subject: [PATCH] cpi: Disable CPI for SEL guests by default (RHEL-76930)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The cpictl utility sends control-program identification data
from protected virtualization guests to hosts by default.
This behaviour leaks the below potentially sensitive
information to untrusted hosts.
- system_type
- system_level
- sysplex_name
- system_name
To prevent this behaviour, enhance the cpictl utility to stop
setting CPI information on protected virtualization guests by
default. If the user chooses to set the CPI information, it
could be set by one of the below options
- use the command line option --permit-cpi
- set the environment variable CPI_PERMIT_ON_PVGUEST to 1 to
control the CPI service behaviour during boot
Signed-off-by: Hendrik Brueckner <brueckner@linux.ibm.com>
Signed-off-by: Shalini Chellathurai Saroja <shalini@linux.ibm.com>
Reviewed-by: Jan Höppner <hoeppner@linux.ibm.com>
Reviewed-by: Peter Oberparleiter <oberpar@linux.ibm.com>
Reviewed-by: Hendrik Brueckner <brueckner@linux.ibm.com>
Signed-off-by: Jan Höppner <hoeppner@linux.ibm.com>
(cherry picked from commit ce9c518b977925cc4c9eb92a3e508762fd57f551)
---
etc/sysconfig/cpi | 14 ++++++++++++++
scripts/cpictl | 39 +++++++++++++++++++++++++++++++++++++--
systemd/cpi.service.in | 1 +
3 files changed, 52 insertions(+), 2 deletions(-)
diff --git a/etc/sysconfig/cpi b/etc/sysconfig/cpi
index 866b589..78eb632 100644
--- a/etc/sysconfig/cpi
+++ b/etc/sysconfig/cpi
@@ -18,3 +18,17 @@ CPI_SYSTEM_NAME=""
# CPI sysplex name
#
CPI_SYSPLEX_NAME=""
+
+#
+# CPI permit on protected virtualization guests
+#
+# Important: Set CPI_PERMIT_ON_PVGUEST=1 only if you trust the host system.
+# Enabling these options allows the host to receive potentially sensitive
+# Control-Program Identification (CPI) data from the protected virtualization
+# guest, including:
+# - system_type
+# - system_level
+# - sysplex_name
+# - system_name
+#
+CPI_PERMIT_ON_PVGUEST=
diff --git a/scripts/cpictl b/scripts/cpictl
index 16cadde..6096a67 100755
--- a/scripts/cpictl
+++ b/scripts/cpictl
@@ -32,6 +32,9 @@ declare TYPE
declare NAME
declare SYSPLEX
+declare PV_GUEST
+declare -i CPI_PERMIT="$CPI_PERMIT_ON_PVGUEST"
+
declare -i DRYRUN=0
# Exit codes
@@ -40,6 +43,7 @@ readonly EXIT_FAILURE=1
readonly EXIT_ARG_TOO_LONG=3
readonly EXIT_INVALID_CHARS=4
readonly EXIT_INVALID_ARGS=5
+readonly EXIT_NO_PERMIT_CPI=6
# Distro-IDs as supported by SE/HMC firmware
readonly DISTRO_GENERIC=0
@@ -69,6 +73,10 @@ Configure the Control-Program-Information (CPI) settings.
-S, --sysplex SYSPLEX Set and commit the sysplex name to SYSPLEX
-T, --type TYPE Set and commit OS type to TYPE
-v, --version Print version information, then exit
+ --permit-cpi Permit to send Control-Program Identification data of
+ protected virtualization guest to the host (must be
+ specified before any commit option). See also the
+ important note.
--commit Ignore all other options and commit any uncommitted
values
--dry-run Do not actually set or commit anything, but show what
@@ -77,7 +85,17 @@ Configure the Control-Program-Information (CPI) settings.
uncommitted) values
Environment variables used for the --defaults option:
- CPI_SYSTEM_TYPE, CPI_SYSTEM_LEVEL, CPI_SYSTEM_NAME, CPI_SYSPLEX_NAME
+ CPI_SYSTEM_TYPE, CPI_SYSTEM_LEVEL, CPI_SYSTEM_NAME, CPI_SYSPLEX_NAME,
+ CPI_PERMIT_ON_PVGUEST (See also the important note.)
+
+Important: Set CPI_PERMIT_ON_PVGUEST=1 or use --permit_cpi option only if you
+trust the host system. Enabling these options allows the host to receive
+potentially sensitive Control-Program Identification (CPI) data from the
+protected virtualization guest, including:
+- system_type
+- system_level
+- sysplex_name
+- system_name
Available bits for the --set-bit option:
kvm: Indicate that system is a KVM host
@@ -124,6 +142,19 @@ fail_with()
cpi_commit()
{
+ # Commit Control-Program Identification changes on protected
+ # virtualization guests only if it is permitted by the guest. This
+ # prevents leakage of potentially sensitive information to untrusted
+ # hosts.
+ if [[ -f "/sys/firmware/uv/prot_virt_guest" ]]; then
+ read -r PV_GUEST < "/sys/firmware/uv/prot_virt_guest"
+ if [[ "$PV_GUEST" -eq 1 ]]; then
+ if [[ -z "$CPI_PERMIT" ]] || [[ "$CPI_PERMIT" -ne 1 ]]; then
+ echo "Sending CPI data from secure execution Linux guests is disabled. Use --permit-cpi to enable CPI data." >&2
+ exit "$EXIT_NO_PERMIT_CPI"
+ fi
+ fi
+ fi
echo 1 > "$CPI_SET" 2> /dev/null
}
@@ -404,7 +435,7 @@ if [ $# -le 0 ]; then
print_parse_error_and_exit
fi
-opts=$(getopt -o b:ehL:N:S:T:v -l set-bit:,environment,help,level:,name:,sysplex:,type:,commit,dry-run,show,version -n $PRG -- "$@")
+opts=$(getopt -o b:ehL:N:S:T:v -l set-bit:,environment,help,level:,name:,sysplex:,type:,commit,dry-run,permit-cpi,show,version -n "$PRG" -- "$@")
if [ $? -ne 0 ]; then
print_parse_error_and_exit
fi
@@ -473,6 +504,10 @@ while [ -n $1 ]; do
cpi_show
exit $EXIT_SUCCESS
;;
+ --permit-cpi)
+ CPI_PERMIT=1
+ shift
+ ;;
--commit)
cpi_commit
exit $EXIT_SUCCESS
diff --git a/systemd/cpi.service.in b/systemd/cpi.service.in
index 3976f68..ca21a8b 100644
--- a/systemd/cpi.service.in
+++ b/systemd/cpi.service.in
@@ -37,6 +37,7 @@ EnvironmentFile=@sysconf_path@/sysconfig/cpi
# Environment=CPI_SYSPLEX_NAME=
# Environment=CPI_SYSTEM_LEVEL=
# Environment=CPI_SYSTEM_TYPE=LINUX
+# Environment=CPI_PERMIT_ON_PVGUEST=
#
# Sending data to the HMC/SE
--
2.50.1
Reference in New Issue View Git Blame Copy Permalink