diff --git a/debian/changelog b/debian/changelog index a19e3a4..53535ab 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,13 @@ +s390-tools (2.12.0-0ubuntu3.5) focal; urgency=medium + + * d/p/78b0533-genprotimg-remove-DigiCert-root-CA-pinning.patch + Fix for genprotimg failing to process z15 host key documents + after April 2022. + (LP: #1968260) + * refreshed in total 14 patches in d/p to fix offset issues + + -- Frank Heimes Tue, 12 Apr 2022 08:26:57 +0200 + s390-tools (2.12.0-0ubuntu3.4) focal; urgency=medium * Fixing zKVM: Host Key Document Verification diff --git a/debian/patches/0001-zdev-Add-build-option-to-update-initial-RAM-disk-by-default.patch b/debian/patches/0001-zdev-Add-build-option-to-update-initial-RAM-disk-by-default.patch index a9baf57..0629b70 100644 --- a/debian/patches/0001-zdev-Add-build-option-to-update-initial-RAM-disk-by-default.patch +++ b/debian/patches/0001-zdev-Add-build-option-to-update-initial-RAM-disk-by-default.patch @@ -41,11 +41,9 @@ Last-Update: 2021-03-11 zdev/src/root.c | 76 +++++++++++++++++++++++++++++++++++++++------ 5 files changed, 95 insertions(+), 15 deletions(-) -diff --git a/README.md b/README.md -index 5a2153c9..44a90d72 100644 --- a/README.md +++ b/README.md -@@ -284,10 +284,11 @@ build options: +@@ -274,10 +274,11 @@ This table lists additional build or install options: @@ -61,7 +59,7 @@ index 5a2153c9..44a90d72 100644 The s390-tools build process uses "pkg-config" if available and hard-coded compiler and linker options otherwise. -@@ -378,6 +379,17 @@ the different tools are provided: +@@ -360,6 +361,17 @@ Distributors with different boot or RAM-disk mechanisms should provide a custom zdev-root-update helper script. @@ -79,8 +77,6 @@ index 5a2153c9..44a90d72 100644 Some functions of zdev require that the following programs are available: - modprobe (kmod) -diff --git a/zdev/include/root.h b/zdev/include/root.h -index 6fd78e7e..d15d3934 100644 --- a/zdev/include/root.h +++ b/zdev/include/root.h 
@@ -12,6 +12,6 @@ @@ -91,11 +87,9 @@ index 6fd78e7e..d15d3934 100644 +exit_code_t initrd_check(bool all_pers); #endif /* ROOT_H */ -diff --git a/zdev/src/Makefile b/zdev/src/Makefile -index e9be1e2e..40a18792 100644 --- a/zdev/src/Makefile +++ b/zdev/src/Makefile -@@ -4,6 +4,16 @@ include ../../common.mak +@@ -4,6 +4,16 @@ ALL_CPPFLAGS += -I ../include -std=gnu99 -Wno-unused-parameter \ -Wno-missing-field-initializers @@ -112,11 +106,9 @@ index e9be1e2e..40a18792 100644 # Core chzdev_objects += attrib.o chzdev.o device.o devnode.o devtype.o exit_code.o \ export.o hash.o inuse.o misc.o namespace.o opts.o path.o \ -diff --git a/zdev/src/chzdev.c b/zdev/src/chzdev.c -index 4e453335..76f7309d 100644 --- a/zdev/src/chzdev.c +++ b/zdev/src/chzdev.c -@@ -3027,7 +3027,7 @@ int main(int argc, char *argv[]) +@@ -3027,7 +3027,7 @@ !dryrun) { /* If the root device/device type or early devices have been * modified, additional work might be necessary. */ @@ -125,11 +117,9 @@ index 4e453335..76f7309d 100644 if (rc && !drc) drc = rc; } -diff --git a/zdev/src/root.c b/zdev/src/root.c -index a6d9e0cc..385b7787 100644 --- a/zdev/src/root.c +++ b/zdev/src/root.c -@@ -58,11 +58,50 @@ static void add_early_removed(struct util_list *selected) +@@ -58,11 +58,50 @@ } } @@ -182,7 +172,7 @@ index a6d9e0cc..385b7787 100644 struct selected_dev_node *sel; struct device *dev; char *params_str; -@@ -76,6 +115,20 @@ exit_code_t root_check(void) +@@ -76,6 +115,20 @@ /* Get list of devices that provide the root device or require * early configuration. */ selected = selected_dev_list_new(); @@ -203,7 +193,7 @@ index a6d9e0cc..385b7787 100644 /* First add devices that had zdev:early removed or changed to 0. * The subsequent call to select_devices() will filter out any * duplicates. */ -@@ -95,8 +148,8 @@ exit_code_t root_check(void) +@@ -95,8 +148,8 @@ err_ignore); select_opts_free(select); 
@@ -213,7 +203,7 @@ index a6d9e0cc..385b7787 100644 util_list_iterate(selected, sel) { dt = sel->st->devtype; -@@ -127,17 +180,22 @@ exit_code_t root_check(void) +@@ -127,17 +180,22 @@ goto out; } @@ -242,6 +232,3 @@ index a6d9e0cc..385b7787 100644 } params_str = strlist_flatten(params, " "); strlist_free(params); --- -2.25.1 - diff --git a/debian/patches/0001-zkey-add-initramfs-hook.patch b/debian/patches/0001-zkey-add-initramfs-hook.patch index 435c18b..ed3cc7a 100644 --- a/debian/patches/0001-zkey-add-initramfs-hook.patch +++ b/debian/patches/0001-zkey-add-initramfs-hook.patch @@ -12,11 +12,9 @@ Signed-off-by: Dimitri John Ledkov create mode 100644 zkey/initramfs/Makefile create mode 100644 zkey/initramfs/hooks/s390-tools-zkey -diff --git a/zkey/Makefile b/zkey/Makefile -index 901ddd4..48ec5ed 100644 --- a/zkey/Makefile +++ b/zkey/Makefile -@@ -79,6 +79,7 @@ zkey-cryptsetup: zkey-cryptsetup.o pkey.o $(libs) +@@ -83,6 +83,7 @@ install-common: $(INSTALL) -d -m 755 $(DESTDIR)$(USRBINDIR) $(INSTALL) -d -m 755 $(DESTDIR)$(MANDIR)/man1 @@ -24,9 +22,6 @@ index 901ddd4..48ec5ed 100644 install-zkey: $(INSTALL) -g $(GROUP) -o $(OWNER) -m 755 zkey $(DESTDIR)$(USRBINDIR) -diff --git a/zkey/initramfs/Makefile b/zkey/initramfs/Makefile -new file mode 100644 -index 0000000..7038a63 --- /dev/null +++ b/zkey/initramfs/Makefile @@ -0,0 +1,21 @@ @@ -51,9 +46,6 @@ index 0000000..7038a63 + $(INSTALL) -m 755 -d $(DESTDIR)/$(HOOKDIR) $(DESTDIR)/$(INITTOP) + $(INSTALL) -m 755 hooks/s390-tools-zkey $(DESTDIR)/$(HOOKDIR) +endif -diff --git a/zkey/initramfs/hooks/s390-tools-zkey b/zkey/initramfs/hooks/s390-tools-zkey -new file mode 100644 -index 0000000..0e7fd0f --- /dev/null +++ b/zkey/initramfs/hooks/s390-tools-zkey @@ -0,0 +1,45 @@ @@ -102,6 +94,3 @@ index 0000000..0e7fd0f + +mkdir -p "${DESTDIR}/etc" +cp -a /etc/zkey "${DESTDIR}/etc/" --- -2.17.1 - 
diff --git a/debian/patches/0001-zkey-on-Ubuntu-use-default-benchmarked-Argon2i-with-.patch b/debian/patches/0001-zkey-on-Ubuntu-use-default-benchmarked-Argon2i-with-.patch index f343c8e..9eadf07 100644 --- a/debian/patches/0001-zkey-on-Ubuntu-use-default-benchmarked-Argon2i-with-.patch +++ b/debian/patches/0001-zkey-on-Ubuntu-use-default-benchmarked-Argon2i-with-.patch @@ -9,11 +9,9 @@ LP: #1820049 zkey/zkey.1 | 9 --------- 2 files changed, 1 insertion(+), 16 deletions(-) -Index: s390-tools-2.8.0/zkey/keystore.c -=================================================================== ---- s390-tools-2.8.0.orig/zkey/keystore.c -+++ s390-tools-2.8.0/zkey/keystore.c -@@ -3365,16 +3365,10 @@ static int _keystore_process_cryptsetup( +--- a/zkey/keystore.c ++++ b/zkey/keystore.c +@@ -3569,16 +3569,10 @@ printf("%s\n", cmd); } } else { @@ -31,11 +29,9 @@ Index: s390-tools-2.8.0/zkey/keystore.c info->batch_mode ? "-q " : "", keystore->verbose ? "-v " : "", key_file_name, key_file_size * 8, -Index: s390-tools-2.8.0/zkey/zkey.1 -=================================================================== ---- s390-tools-2.8.0.orig/zkey/zkey.1 -+++ s390-tools-2.8.0/zkey/zkey.1 -@@ -610,15 +610,6 @@ option to generate \fBcryptsetup luksFor +--- a/zkey/zkey.1 ++++ b/zkey/zkey.1 +@@ -651,15 +651,6 @@ type, this is the default. If specified for the plain volume type, then no command is generated. .P @@ -51,7 +47,7 @@ Index: s390-tools-2.8.0/zkey/zkey.1 For LUKS2 volumes, a passphrase is required. You are prompted for the passphrase when running the generated commands, unless option .B \-\-key\-file -@@ -1219,4 +1210,4 @@ If +@@ -1393,4 +1384,4 @@ .B $ZKEY_REPOSITORY is set, it specifies the location of the secure key repository. If it is not set, then the the default location of the secure key diff --git a/debian/patches/27a6409a4acfa3ab413dc3ff013ad761f6bf5e95.patch b/debian/patches/27a6409a4acfa3ab413dc3ff013ad761f6bf5e95.patch index 68d007b..de9bc47 100644 
--- a/debian/patches/27a6409a4acfa3ab413dc3ff013ad761f6bf5e95.patch +++ b/debian/patches/27a6409a4acfa3ab413dc3ff013ad761f6bf5e95.patch @@ -18,11 +18,9 @@ Signed-off-by: Jan Höppner zipl/src/misc.c | 10 ++++++++++ 3 files changed, 14 insertions(+), 3 deletions(-) -diff --git a/zipl/include/misc.h b/zipl/include/misc.h -index 5a349a7b..f222d01e 100644 --- a/zipl/include/misc.h +++ b/zipl/include/misc.h -@@ -46,6 +46,7 @@ char* misc_make_path(char* dirname, char* filename); +@@ -46,6 +46,7 @@ int misc_temp_dev(dev_t dev, int blockdev, char** devno); int misc_temp_dev_from_file(char* file, char** devno); void misc_free_temp_dev(char* device); @@ -30,11 +28,9 @@ index 5a349a7b..f222d01e 100644 int misc_check_writable_directory(const char* directory); int misc_check_readable_file(const char* filename); int misc_check_writable_device(const char* devno, int blockdev, int chardev); -diff --git a/zipl/src/bootmap.c b/zipl/src/bootmap.c -index f5cb37c6..fd54a5c6 100644 --- a/zipl/src/bootmap.c +++ b/zipl/src/bootmap.c -@@ -1286,9 +1286,7 @@ bootmap_create(struct job_data *job, disk_blockptr_t *program_table, +@@ -1292,9 +1292,7 @@ break; } if (dry_run) { @@ -45,7 +41,7 @@ index f5cb37c6..fd54a5c6 100644 } else if (job->id != job_dump_partition) { /* Rename to final bootmap name */ mapname = misc_make_path(job->target.bootmap_dir, -@@ -1315,6 +1313,8 @@ bootmap_create(struct job_data *job, disk_blockptr_t *program_table, +@@ -1321,6 +1319,8 @@ disk_free_info(info); out_close_fd: close(fd); @@ -54,11 +50,9 @@ index f5cb37c6..fd54a5c6 100644 out_free_filename: free(filename); return -1; -diff --git a/zipl/src/misc.c b/zipl/src/misc.c -index 057c9a0b..dff5c218 100644 --- a/zipl/src/misc.c +++ b/zipl/src/misc.c -@@ -366,6 +366,16 @@ misc_free_temp_dev(char* device) +@@ -366,6 +366,16 @@ free(device); } diff --git a/debian/patches/27f6c0a167da8d08f7f3343360528528f85d661f.patch b/debian/patches/27f6c0a167da8d08f7f3343360528528f85d661f.patch index f1989e3..aaba85a 100644 
--- a/debian/patches/27f6c0a167da8d08f7f3343360528528f85d661f.patch +++ b/debian/patches/27f6c0a167da8d08f7f3343360528528f85d661f.patch @@ -19,11 +19,9 @@ Signed-off-by: Jan Höppner zipl/src/job.c | 52 ++++++++++++++++++++++------------------------ 2 files changed, 31 insertions(+), 27 deletions(-) -diff --git a/zipl/src/bootmap.c b/zipl/src/bootmap.c -index 06c2c58a..efce0d00 100644 --- a/zipl/src/bootmap.c +++ b/zipl/src/bootmap.c -@@ -1134,6 +1134,12 @@ bootmap_create(struct job_data *job, disk_blockptr_t *program_table, +@@ -1140,6 +1140,12 @@ disk_get_type_name(info->type)); goto out_disk_free_info; } @@ -36,11 +34,9 @@ index 06c2c58a..efce0d00 100644 if (verbose) { printf("Target device information\n"); disk_print_info(info); -diff --git a/zipl/src/job.c b/zipl/src/job.c -index 2d3cf39b..db4315fa 100644 --- a/zipl/src/job.c +++ b/zipl/src/job.c -@@ -81,6 +81,7 @@ struct command_line { +@@ -81,6 +81,7 @@ int add_files; int dry_run; int force; @@ -48,7 +44,7 @@ index 2d3cf39b..db4315fa 100644 enum scan_section_type type; }; -@@ -98,6 +99,22 @@ store_option(struct command_line* cmdline, enum scan_keyword_id keyword, +@@ -98,6 +99,22 @@ return 0; } @@ -71,7 +67,7 @@ index 2d3cf39b..db4315fa 100644 static int get_command_line(int argc, char* argv[], struct command_line* line) -@@ -226,9 +243,7 @@ get_command_line(int argc, char* argv[], struct command_line* line) +@@ -226,9 +243,7 @@ cmdline.menu = optarg; break; case 'S': @@ -82,11 +78,10 @@ index 2d3cf39b..db4315fa 100644 break; case 'h': cmdline.help = 1; -@@ -1278,27 +1293,6 @@ type_from_target(char *target, disk_type_t *type) - } +@@ -1295,27 +1310,6 @@ } --static int + static int -set_secure_ipl(char *keyword, struct job_data *job) -{ - if (strcmp(keyword, "auto") == 0) { 
@@ -107,10 +102,11 @@ index 2d3cf39b..db4315fa 100644 - return 0; -} - - static int +-static int get_job_from_section_data(char* data[], struct job_data* job, char* section) { -@@ -1383,7 +1377,7 @@ get_job_from_section_data(char* data[], struct job_data* job, char* section) + int rc; +@@ -1399,7 +1393,7 @@ /* Fill in secure boot */ if (data[(int) scan_keyword_secure] != NULL) { rc = set_secure_ipl(data[(int) scan_keyword_secure], @@ -119,7 +115,7 @@ index 2d3cf39b..db4315fa 100644 if (rc) return rc; } -@@ -1547,7 +1541,7 @@ get_menu_job(struct scan_token* scan, char* menu, struct job_data* job) +@@ -1565,7 +1559,7 @@ case scan_keyword_secure: rc = set_secure_ipl( scan[i].content.keyword.value, @@ -128,7 +124,7 @@ index 2d3cf39b..db4315fa 100644 if (rc) return rc; break; -@@ -1904,7 +1898,6 @@ job_get(int argc, char* argv[], struct job_data** data) +@@ -1922,7 +1916,6 @@ job->add_files = cmdline.add_files; job->data.mvdump.force = cmdline.force; job->dry_run = cmdline.dry_run; @@ -136,7 +132,7 @@ index 2d3cf39b..db4315fa 100644 /* Get job data from user input */ if (cmdline.help) { job->command_line = 1; -@@ -1923,6 +1916,11 @@ job_get(int argc, char* argv[], struct job_data** data) +@@ -1941,6 +1934,11 @@ job_free(job); return rc; } diff --git a/debian/patches/299fd2b7729f35c6fe3be18964f7e5e6a365f94d.patch b/debian/patches/299fd2b7729f35c6fe3be18964f7e5e6a365f94d.patch index 26b1e62..f1335d2 100644 --- a/debian/patches/299fd2b7729f35c6fe3be18964f7e5e6a365f94d.patch +++ b/debian/patches/299fd2b7729f35c6fe3be18964f7e5e6a365f94d.patch @@ -15,11 +15,9 @@ Signed-off-by: Jan Höppner zipl/man/zipl.conf.5.in | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) -diff --git a/zipl/man/zipl.conf.5.in b/zipl/man/zipl.conf.5.in -index 37e1307e..41bf9765 100644 --- a/zipl/man/zipl.conf.5.in +++ b/zipl/man/zipl.conf.5.in -@@ -87,8 +87,6 @@ below). +@@ -87,8 +87,6 @@ .br defaultmenu = menu1 .br 
@@ -28,7 +26,7 @@ index 37e1307e..41bf9765 100644 [linux] .br -@@ -122,6 +120,8 @@ prompt = 1 +@@ -122,6 +120,8 @@ .br timeout = 0 .br @@ -37,7 +35,7 @@ index 37e1307e..41bf9765 100644 .PP .B BootLoaderSpec configuration files -@@ -533,7 +533,7 @@ non-default memory location. +@@ -549,7 +549,7 @@ .B secure = .IR auto / 1 / 0 diff --git a/debian/patches/6f9337d1016e00f360cf4a81d39a42df5184b3a2.patch b/debian/patches/6f9337d1016e00f360cf4a81d39a42df5184b3a2.patch index 4e11a30..fb52e38 100644 --- a/debian/patches/6f9337d1016e00f360cf4a81d39a42df5184b3a2.patch +++ b/debian/patches/6f9337d1016e00f360cf4a81d39a42df5184b3a2.patch @@ -23,11 +23,9 @@ Signed-off-by: Jan Höppner zipl/src/job.c | 29 ++++++++++++++++++++++++++--- 4 files changed, 35 insertions(+), 4 deletions(-) -diff --git a/zipl/include/job.h b/zipl/include/job.h -index fce811ce..e04a7c1e 100644 --- a/zipl/include/job.h +++ b/zipl/include/job.h -@@ -94,6 +94,7 @@ struct job_menu_entry { +@@ -98,6 +98,7 @@ char* name; enum job_id id; union job_menu_entry_data data; @@ -35,8 +33,6 @@ index fce811ce..e04a7c1e 100644 }; struct job_menu_data { -diff --git a/zipl/include/zipl.h b/zipl/include/zipl.h -index b7721d4e..acfc738e 100644 --- a/zipl/include/zipl.h +++ b/zipl/include/zipl.h @@ -61,6 +61,7 @@ @@ -47,11 +43,9 @@ index b7721d4e..acfc738e 100644 #define SECURE_BOOT_DISABLED 0 #define SECURE_BOOT_ENABLED 1 #define SECURE_BOOT_AUTO 2 -diff --git a/zipl/src/bootmap.c b/zipl/src/bootmap.c -index efce0d00..f5cb37c6 100644 --- a/zipl/src/bootmap.c +++ b/zipl/src/bootmap.c -@@ -946,6 +946,7 @@ build_program_table(int fd, struct job_data* job, disk_blockptr_t* pointer, +@@ -946,6 +946,7 @@ { disk_blockptr_t* table; int entries, component_header; @@ -59,7 +53,7 @@ index efce0d00..f5cb37c6 100644 int i; int rc; -@@ -1017,13 +1018,18 @@ build_program_table(int fd, struct job_data* job, disk_blockptr_t* pointer, +@@ -1023,13 +1024,18 @@ component_header_ipl; printf("\n"); } 
@@ -79,11 +73,9 @@ index efce0d00..f5cb37c6 100644 break; case job_print_usage: case job_print_version: -diff --git a/zipl/src/job.c b/zipl/src/job.c -index db4315fa..2c9cef83 100644 --- a/zipl/src/job.c +++ b/zipl/src/job.c -@@ -128,6 +128,7 @@ get_command_line(int argc, char* argv[], struct command_line* line) +@@ -128,6 +128,7 @@ memset((void *) &cmdline, 0, sizeof(struct command_line)); cmdline.type = section_invalid; is_keyword = 0; @@ -91,7 +83,7 @@ index db4315fa..2c9cef83 100644 /* Process options */ do { opt = getopt_long(argc, argv, option_string, options, NULL); -@@ -1064,6 +1065,21 @@ check_job_mvdump_data(struct job_mvdump_data* dump, char* name) +@@ -1080,6 +1081,21 @@ return 0; } @@ -113,7 +105,7 @@ index db4315fa..2c9cef83 100644 static int check_job_data(struct job_data* job) -@@ -1108,6 +1124,8 @@ check_job_data(struct job_data* job) +@@ -1124,6 +1140,8 @@ case job_mvdump: rc = check_job_mvdump_data(&job->data.mvdump, job->name); } @@ -122,7 +114,7 @@ index db4315fa..2c9cef83 100644 return rc; } -@@ -1603,6 +1621,7 @@ get_menu_job(struct scan_token* scan, char* menu, struct job_data* job) +@@ -1621,6 +1639,7 @@ sizeof(struct job_menu_entry) * job->data.menu.num); /* Fill in data */ current = 0; @@ -130,7 +122,7 @@ index db4315fa..2c9cef83 100644 for (i=index+1; (scan[i].id != scan_id_empty) && (scan[i].id != scan_id_section_heading) && (scan[i].id != scan_id_menu_heading); i++) { -@@ -1634,6 +1653,7 @@ get_menu_job(struct scan_token* scan, char* menu, struct job_data* job) +@@ -1652,6 +1671,7 @@ if (temp_job == NULL) return -1; memset((void *) temp_job, 0, sizeof(struct job_data)); @@ -138,7 +130,7 @@ index db4315fa..2c9cef83 100644 rc = get_job_from_section_data(data, temp_job, job->data.menu.entry[current].name); if (rc) { -@@ -1646,6 +1666,8 @@ get_menu_job(struct scan_token* scan, char* menu, struct job_data* job) +@@ -1664,6 +1684,8 @@ job->data.menu.entry[current].id = job_ipl; job->data.menu.entry[current].data.ipl = temp_job->data.ipl; 
@@ -147,7 +139,7 @@ index db4315fa..2c9cef83 100644 memset((void *) &temp_job->data.ipl, 0, sizeof(struct job_ipl_data)); break; -@@ -1898,6 +1920,7 @@ job_get(int argc, char* argv[], struct job_data** data) +@@ -1916,6 +1938,7 @@ job->add_files = cmdline.add_files; job->data.mvdump.force = cmdline.force; job->dry_run = cmdline.dry_run; @@ -155,7 +147,7 @@ index db4315fa..2c9cef83 100644 /* Get job data from user input */ if (cmdline.help) { job->command_line = 1; -@@ -1916,10 +1939,10 @@ job_get(int argc, char* argv[], struct job_data** data) +@@ -1934,10 +1957,10 @@ job_free(job); return rc; } diff --git a/debian/patches/729a98fcb30330273e1d05d0f170e4567b8fb67c.patch b/debian/patches/729a98fcb30330273e1d05d0f170e4567b8fb67c.patch index 96a2f75..e72b9af 100644 --- a/debian/patches/729a98fcb30330273e1d05d0f170e4567b8fb67c.patch +++ b/debian/patches/729a98fcb30330273e1d05d0f170e4567b8fb67c.patch @@ -14,11 +14,9 @@ Signed-off-by: Jan Höppner zkey/zkey.1 | 98 ++++++++++++++++++++++++------------------ 2 files changed, 87 insertions(+), 64 deletions(-) -diff --git a/zkey/zkey-cryptsetup.1 b/zkey/zkey-cryptsetup.1 -index 3f097c2a..9655f27c 100644 --- a/zkey/zkey-cryptsetup.1 +++ b/zkey/zkey-cryptsetup.1 -@@ -28,7 +28,7 @@ zkey\-cryptsetup \- Manage secure AES volume keys of volumes encrypted with +@@ -28,7 +28,7 @@ Use \fBzkey\-cryptsetup\fP to validate and re-encipher secure AES volume keys of volumes encrypted with \fBLUKS2\fP and the \fBpaes\fP cipher. These secure AES volume keys are enciphered with a master key of an IBM @@ -27,7 +25,7 @@ index 3f097c2a..9655f27c 100644 .PP To encrypt a volume using \fBLUKS2\fP and the \fBpaes\fP cipher, generate a secure AES key using \fBzkey\fP: \fB'zkey generate luks.key --xts'\fP. -@@ -112,7 +112,7 @@ Use the +@@ -112,7 +112,7 @@ .B reencipher command to re-encipher a secure AES volume key of a volume encrypted with \fBLUKS2\fP and the \fBpaes\fP cipher. A secure AES volume key must be 
@@ -36,7 +34,7 @@ index 3f097c2a..9655f27c 100644 coprocessor mode changes. .PP The cryptographic adapter in CCA coprocessor mode has three different registers -@@ -135,11 +135,15 @@ the current master key. You can pro-actively re-encipher a secure key with the +@@ -135,11 +135,15 @@ option to do this. .RE .PP @@ -53,7 +51,7 @@ index 3f097c2a..9655f27c 100644 .PP .PP If both the -@@ -171,14 +175,14 @@ Re-enciphering from \fBOLD\fP to \fBCURRENT\fP is performed in-place per +@@ -171,14 +175,14 @@ default. You can use option \fB--in-place\fP to force an in-place re-enciphering for the \fBCURRENT\fP to \fBNEW\fP case. Be aware that an encrypted volume with a secure volume key that was re-enciphered in-place @@ -72,7 +70,7 @@ index 3f097c2a..9655f27c 100644 re-enciphering. When completing the staged re-enciphering, the (unbound) key slot containing the re-enciphered secure volume key becomes the active key slot and, optionally, all key slots containing the old secure volume key -@@ -217,9 +221,11 @@ function used to encrypt the volume key in the LUKS key slots is of less +@@ -217,9 +221,11 @@ relevance. .PP .B Note: @@ -87,7 +85,7 @@ index 3f097c2a..9655f27c 100644 . . . -@@ -293,12 +299,13 @@ command to set a new secure AES volume key for a volume encrypted with +@@ -293,12 +299,13 @@ \fBLUKS2\fP and the \fBpaes\fP cipher. Use this command to recover from an invalid secure AES volume key contained in the LUKS2 header. A secure AES volume key contained in the LUKS2 header can become invalid when 
@@ -105,7 +103,7 @@ index 3f097c2a..9655f27c 100644 Specify the secure key file with option .B \-\-master\-key\-file to set this secure key as the new volume key. -@@ -369,17 +376,17 @@ Forces that the re-enciphering of a secure volume key in the LUKS2 +@@ -369,17 +376,17 @@ header is performed in staged mode. Staged mode means that the re-enciphered secure volume key is stored in a separate (unbound) key slot in the LUKS2 header of the encrypted volume. Thus all key slots containing the current @@ -132,11 +130,9 @@ index 3f097c2a..9655f27c 100644 .TP .BR \-q ", " \-\-batch\-mode Suppresses all confirmation questions. Use with care! -diff --git a/zkey/zkey.1 b/zkey/zkey.1 -index 777f7e52..4a0ec208 100644 --- a/zkey/zkey.1 +++ b/zkey/zkey.1 -@@ -24,9 +24,9 @@ zkey \- Manage secure AES keys +@@ -24,9 +24,9 @@ . .SH DESCRIPTION Use the \fBzkey\fP tool to generate and manage secure AES keys that are @@ -149,7 +145,7 @@ index 777f7e52..4a0ec208 100644 .PP The secure keys can either be stored in a file in the file system, or in the secure key repository. The default location of the secure key repository -@@ -43,7 +43,7 @@ group \fBzkeyadm\fP. +@@ -43,7 +43,7 @@ When storing the secure key in a key repository, additional information, such as a textual description of the key, can be associated with a secure key. You can associate a secure key with one or multiple cryptographic adapters @@ -158,7 +154,7 @@ index 777f7e52..4a0ec208 100644 You can also associate a secure key with one or multiple volumes (block devices), which are encrypted using dm-crypt with the secure key. The volume association also contains the device-mapper name, separated by a colon, -@@ -52,7 +52,7 @@ key. +@@ -52,7 +52,7 @@ .PP The generated secure key is saved in a file with a size of 64 or 128 bytes. The file contains an AES key with a length of 128, 192, or 256 bits. The key is 
@@ -167,7 +163,7 @@ index 777f7e52..4a0ec208 100644 Secure keys that are used for the XTS cipher mode can be 128 or 256 bits in size. . -@@ -111,13 +111,13 @@ key repository. +@@ -111,13 +111,13 @@ .PP Use the .B generate @@ -184,7 +180,7 @@ index 777f7e52..4a0ec208 100644 .PP The generated secure key can either be stored in a file in the file system, or in the secure key repository. To store the generated secure key in a -@@ -135,14 +135,17 @@ additional information can be associated with a secure key using the +@@ -135,14 +135,17 @@ .B \-\-sector-size options. .PP @@ -204,7 +200,7 @@ index 777f7e52..4a0ec208 100644 . .SS "Validating secure AES keys" . -@@ -223,7 +226,7 @@ are validated. +@@ -223,7 +226,7 @@ Use the .B reencipher command to re-encipher an existing secure key with a new master key. @@ -213,7 +209,7 @@ index 777f7e52..4a0ec208 100644 cryptographic adapter changes. .PP The CCA cryptographic adapter has three different registers to store -@@ -246,11 +249,15 @@ the current master key. You can pro-actively re-encipher a secure key with the +@@ -246,11 +249,15 @@ option to do this. .RE .PP @@ -230,7 +226,7 @@ index 777f7e52..4a0ec208 100644 .PP .PP If both the -@@ -301,19 +308,23 @@ the re-enciphered secure key. Re-enciphering from \fBOLD\fP to \fBCURRENT\fP is +@@ -301,19 +308,23 @@ performed in-place per default. You can use option \fB\-\-in-place\fP to force an in-place re-enciphering for the \fBCURRENT\fP to \fBNEW\fP case. Be aware that a secure key that was re-enciphered in-place from \fBCURRENT\fP to \fBNEW\fP @@ -262,7 +258,7 @@ index 777f7e52..4a0ec208 100644 \fIhttp://www.ibm.com/security/cryptocards\fP . .SS "Import existing AES secure keys into the secure key repository" -@@ -490,8 +501,8 @@ associations with one command. +@@ -490,8 +501,8 @@ .B Note: The secure key itself cannot be changed, only information about the secure key is changed. To rename a secure key, use the \fBrename\fP command. 
@@ -273,7 +269,7 @@ index 777f7e52..4a0ec208 100644 . .SS "Rename existing AES secure keys in the secure key repository" . -@@ -788,7 +799,7 @@ A specific volume can only be associated with a single secure key. +@@ -779,7 +790,7 @@ This option is only used for secure keys contained in the secure key repository. .TP .BR \-a ", " \-\-apqns\~\fIcard1.domain1[,card2.domain2[,...]]\fP @@ -282,7 +278,7 @@ index 777f7e52..4a0ec208 100644 coprocessor mode (APQN) which are associated with the secure AES key in the repository. Each APQN association specifies a card and domain number separated by a period (like lszcrypt displays it). When at least one APQN is specified, -@@ -818,11 +829,13 @@ the default volume type is \fBplain\fP. +@@ -809,11 +820,13 @@ This option is only used for secure keys contained in the secure key repository. .TP .BR \-K ", " \-\-key-type\~\fItype\fP @@ -301,7 +297,7 @@ index 777f7e52..4a0ec208 100644 . . . -@@ -835,7 +848,7 @@ When wildcards are used you must quote the value. +@@ -826,7 +839,7 @@ This option is only used for secure keys contained in the secure key repository. .TP .BR \-a ", " \-\-apqns\~\fIcard1.domain1[,card2.domain2[,...]]\fP @@ -310,7 +306,7 @@ index 777f7e52..4a0ec208 100644 coprocessor mode (APQNs). You can use wildcards in the APQN specification. All secure keys contained in the secure key repository which are associated with the specified APQNs are validated. -@@ -858,6 +871,8 @@ master key in the CURRENT register with the master key in the NEW register. +@@ -849,6 +862,8 @@ .BR \-o ", " \-\-from\-old Re-enciphers a secure AES key that is currently enciphered with the master key in the OLD register with the master key in the CURRENT register. 
@@ -319,7 +315,7 @@ index 777f7e52..4a0ec208 100644 .TP .BR \-f ", " \-\-output\~\fIoutput\-file\fP Specifies the name of the output file to which the re-enciphered secure key -@@ -873,7 +888,7 @@ When wildcards are used you must quote the value. +@@ -864,7 +879,7 @@ This option is only used for secure keys contained in the secure key repository. .TP .BR \-a ", " \-\-apqns\~\fIcard1.domain1[,card2.domain2[,...]]\fP @@ -328,7 +324,7 @@ index 777f7e52..4a0ec208 100644 coprocessor mode (APQNs). You can use wildcards in the APQN specification. All secure keys contained in the secure key repository which are associated with the specified APQNs are re-enciphered. -@@ -892,16 +907,16 @@ This option is only used for secure keys contained in the secure key repository. +@@ -883,16 +898,16 @@ Forces that the re-enciphering of a secure AES key contained in the secure key repository is performed in staged mode. Staged mode means that the re-enciphered secure key is stored in a separate file in the secure key repository. Thus the @@ -351,7 +347,7 @@ index 777f7e52..4a0ec208 100644 This option is only used for secure keys contained in the secure key repository. . . -@@ -926,7 +941,7 @@ A specific volume can only be associated with a single secure key. +@@ -917,7 +932,7 @@ This option is only used for secure keys contained in the secure key repository. .TP .BR \-a ", " \-\-apqns\~\fIcard1.domain1[,card2.domain2[,...]]\fP @@ -360,7 +356,7 @@ index 777f7e52..4a0ec208 100644 coprocessor mode (APQN) which are associated with the secure AES key in the repository. Each APQN association specifies a card and domain number separated by a period (like lszcrypt displays it). All specified APQNs must be online, -@@ -986,7 +1001,7 @@ When wildcards are used you must quote the value. +@@ -977,7 +992,7 @@ This option is only used for secure keys contained in the secure key repository. .TP .BR \-a ", " \-\-apqns\~\fIcard1.domain1[,card2.domain2[,...]]\fP 
@@ -369,7 +365,7 @@ index 777f7e52..4a0ec208 100644 coprocessor mode (APQN) which are associated with the secure AES key in the repository. Only those keys are listed, which are associated with the specified APQNs. Each APQN association specifies a card and domain number separated -@@ -1004,8 +1019,9 @@ has been compiled with LUKS2 support enabled. +@@ -995,8 +1010,9 @@ This option is only used for secure keys contained in the secure key repository. .TP .BR \-K ", " \-\-key-type\~\fItype\fP @@ -381,7 +377,7 @@ index 777f7e52..4a0ec208 100644 This option is only used for secure keys contained in the secure key repository. . . -@@ -1050,7 +1066,7 @@ A specific volume can only be associated with a single secure key. +@@ -1041,7 +1057,7 @@ This option is only used for secure keys contained in the secure key repository. .TP .BR \-a ", " \-\-apqns\~\fI[+|-]card1.domain1[,card2.domain2[,...]]\fP diff --git a/debian/patches/78b0533-genprotimg-remove-DigiCert-root-CA-pinning.patch b/debian/patches/78b0533-genprotimg-remove-DigiCert-root-CA-pinning.patch new file mode 100644 index 0000000..99d5cdd --- /dev/null +++ b/debian/patches/78b0533-genprotimg-remove-DigiCert-root-CA-pinning.patch 
@@ -0,0 +1,245 @@ +From 78b053326c504c0535b5ec1c244ad7bb5a1df29d Mon Sep 17 00:00:00 2001 +From: Marc Hartmayer +Date: Thu, 31 Mar 2022 14:00:31 +0000 +Subject: [PATCH] genprotimg: remove DigiCert root CA pinning +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Remove the DigiCert root CA pinning. The root CA used for the chain of trust can +change in the future therefore let's remove this check. If someone wants to +enforce the usage of a specific root CA it can be selected by the genprotimg +command line option `--root-ca $CA`. Make it transparent to the user which root +CA is actually being used by printing the subject name of the root CA to stdout +in verbose mode. + +Signed-off-by: Marc Hartmayer +Acked-by: Viktor Mihajlovski +Reviewed-and-tested-by: Nico Boehr +Signed-off-by: Jan Höppner + +Origin: upstream, https://github.com/ibm-s390-tools/s390-tools78b0533 +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1968260 +Last-Update: 2022-04-08 + +--- + genprotimg/man/genprotimg.8 | 2 +- + genprotimg/src/include/pv_crypto_def.h | 3 -- + genprotimg/src/pv/pv_args.c | 2 +- + genprotimg/src/pv/pv_image.c | 27 ++++++--------- + genprotimg/src/utils/crypto.c | 48 +++++++++++--------------- + genprotimg/src/utils/crypto.h | 4 +-- + 6 files changed, 35 insertions(+), 51 deletions(-) + +--- a/genprotimg/man/genprotimg.8 ++++ b/genprotimg/man/genprotimg.8 +@@ -87,7 +87,7 @@ + .TP + \fB\-\-root\-ca\fR=\fI\,FILE\/\fR + Specifies the root CA certificate for the verification. If omitted, +-the DigiCert root CA certificate installed on the system is used. Use ++the system wide root CAs installed on the system is used. Use + this only if you trust the specified certificate. Optional. 
+ .TP + \fB\-\-no-verify\fR +--- a/genprotimg/src/include/pv_crypto_def.h ++++ b/genprotimg/src/include/pv_crypto_def.h +@@ -29,9 +29,6 @@ + */ + #define PV_CERTS_SECURITY_LEVEL 2 + +-/* SKID for DigiCert Assured ID Root CA */ +-#define DIGICERT_ASSURED_ID_ROOT_CA_SKID "45EBA2AFF492CB82312D518BA7A7219DF36DC80F" +- + union ecdh_pub_key { + struct { + uint8_t x[80]; +--- a/genprotimg/src/pv/pv_args.c ++++ b/genprotimg/src/pv/pv_args.c +@@ -104,7 +104,7 @@ + g_strv_length(args->untrusted_cert_paths) == 0)) { + g_set_error( + err, PV_PARSE_ERROR, PR_PARSE_ERROR_MISSING_ARGUMENT, +- _("Either specify the IBM Z signing key and (DigiCert) intermediate CA certificate\n" ++ _("Either specify the IBM Z signing key and intermediate CA certificate\n" + "by using the '--cert' option, or use the '--no-verify' flag to disable the\n" + "host-key document verification completely (at your own risk).")); + return -1; +--- a/genprotimg/src/pv/pv_image.c ++++ b/genprotimg/src/pv/pv_image.c +@@ -299,9 +299,10 @@ + } + + /* Load all untrusted certificates (e.g. IBM Z signing key and +- * DigiCert intermediate CA) that are required to establish a chain of +- * trust starting from the host-key document up to the root CA (if not +- * otherwise specified that's the DigiCert Assured ID Root CA). ++ * intermediate CA) that are required to establish a chain of trust ++ * starting from the host-key document up to the root CA (if not ++ * otherwise specified that can be one of the system wide installed ++ * root CAs, e.g. DigiCert). + */ + untrusted_certs_with_path = load_certificates(untrusted_cert_paths, err); + if (!untrusted_certs_with_path) +@@ -336,9 +337,8 @@ + * For this we must check: + * + * 1. Can a chain of trust be established ending in a root CA +- * 2. Is the correct root CA ued? It has either to be the +- * 'DigiCert Assured ID Root CA' or the root CA specified via +- * command line. ++ * 2. Is the correct root CA used? 
It has either to be a system CA ++ * or the root CA specified via command line. + */ + for (gint i = 0; i < sk_X509_num(ibm_signing_certs); ++i) { + X509 *ibm_signing_cert = sk_X509_value(ibm_signing_certs, i); +@@ -359,17 +359,12 @@ + if (verify_cert(ibm_signing_cert, ctx, err) < 0) + goto error; + +- /* Verify the build chain of trust chain. If the user passes a +- * trusted root CA on the command line then the check for the +- * Subject Key Identifier (SKID) is skipped, otherwise let's +- * check if the SKID meets our expectation. ++ /* If there is a chain of trust using either the provided root ++ * CA on the command line or a system wide trusted root CA. + */ +- if (!root_ca_path && +- check_chain_parameters(X509_STORE_CTX_get0_chain(ctx), +- get_digicert_assured_id_root_ca_skid(), +- err) < 0) { ++ if (check_chain_parameters(X509_STORE_CTX_get0_chain(ctx), ++ err) < 0) + goto error; +- } + + ibm_signing_crls = store_ctx_find_valid_crls(ctx, ibm_signing_cert, err); + if (!ibm_signing_crls) { +@@ -583,7 +578,7 @@ + g_warning(_("host-key document verification is disabled. Your workload is not secured.")); + + if (args->root_ca_path) +- g_warning(_("A different root CA than the default DigiCert root CA is selected. Ensure that this root CA is trusted.")); ++ g_warning(_("The root CA is selected through the command line. Ensure that this root CA is trusted.")); + + ret->comps = pv_img_comps_new(EVP_sha512(), EVP_sha512(), EVP_sha512(), err); + if (!ret->comps) +--- a/genprotimg/src/utils/crypto.c ++++ b/genprotimg/src/utils/crypto.c +@@ -1078,8 +1078,8 @@ + g_abort(); + + /* The maximum depth level of the chain of trust for the verification of +- * the IBM Z signing key is 2, i.e. IBM Z signing key -> (DigiCert) +- * intermediate CA -> (DigiCert) root CA ++ * the IBM Z signing key is 2, i.e. 
IBM Z signing key -> intermediate CA ++ * -> root CA + */ + X509_VERIFY_PARAM_set_depth(param, 2); + +@@ -1266,46 +1266,38 @@ + return security_bits[level]; + } + +-static ASN1_OCTET_STRING *digicert_assured_id_root_ca; +- +-const ASN1_OCTET_STRING *get_digicert_assured_id_root_ca_skid(void) +-{ +- pv_crypto_init(); +- return digicert_assured_id_root_ca; +-} +- + /* Used for the caching of the downloaded CRLs */ + static GHashTable *cached_crls; + + void pv_crypto_init(void) + { +- if (digicert_assured_id_root_ca) ++ if (cached_crls) + return; +- + cached_crls = g_hash_table_new_full(g_str_hash, g_str_equal, g_free, + (GDestroyNotify)X509_CRL_free); +- digicert_assured_id_root_ca = s2i_ASN1_OCTET_STRING( +- NULL, NULL, DIGICERT_ASSURED_ID_ROOT_CA_SKID); + } + + void pv_crypto_cleanup(void) + { +- if (!digicert_assured_id_root_ca) ++ if (!cached_crls) + return; + g_clear_pointer(&cached_crls, g_hash_table_destroy); +- g_clear_pointer(&digicert_assured_id_root_ca, ASN1_OCTET_STRING_free); + } + + gint check_chain_parameters(const STACK_OF_X509 *chain, +- const ASN1_OCTET_STRING *skid, GError **err) ++ GError **err) + { +- const ASN1_OCTET_STRING *ca_skid = NULL; ++ const X509_NAME *ca_x509_subject = NULL; ++ g_autofree gchar *ca_subject = NULL; + gint len = sk_X509_num(chain); + X509 *ca = NULL; + +- g_assert(skid); + /* at least one root and one leaf certificate must be defined */ +- g_assert(len >= 2); ++ if (len < 2) { ++ g_set_error(err, PV_CRYPTO_ERROR, PV_CRYPTO_ERROR_INTERNAL, ++ _("there must be at least on root and one leaf certificate in the chain of trust")); ++ return -1; ++ } + + /* get the root certificate of the chain of trust */ + ca = sk_X509_value(chain, len - 1); +@@ -1315,19 +1307,21 @@ + return -1; + } + +- ca_skid = X509_get0_subject_key_id(ca); +- if (!ca_skid) { +- g_set_error(err, PV_CRYPTO_ERROR, PV_CRYPTO_ERROR_MALFORMED_ROOT_CA, +- _("malformed root certificate")); ++ ca_x509_subject = X509_get_subject_name(ca); ++ if (!ca_x509_subject) { 
++ g_set_error(err, PV_CRYPTO_ERROR, PV_CRYPTO_ERROR_INTERNAL, ++ _("subject of the root CA cannot be retrieved")); + return -1; + } + +- if (ASN1_STRING_cmp(ca_skid, skid) != 0) { +- g_set_error(err, PV_CRYPTO_ERROR, PV_CRYPTO_ERROR_WRONG_CA_USED, +- _("expecting DigiCert root CA to be used")); ++ ca_subject = X509_NAME_oneline(ca_x509_subject, NULL, 0); ++ if (!ca_subject) { ++ g_set_error(err, PV_CRYPTO_ERROR, PV_CRYPTO_ERROR_INTERNAL, ++ _("subject name of the root CA cannot be retrieved")); + return -1; + } + ++ g_info("Root CA used: '%s'", ca_subject); + return 0; + } + +--- a/genprotimg/src/utils/crypto.h ++++ b/genprotimg/src/utils/crypto.h +@@ -125,7 +125,6 @@ + gint verify_flags, GError **err); + void pv_crypto_init(void); + void pv_crypto_cleanup(void); +-const ASN1_OCTET_STRING *get_digicert_assured_id_root_ca_skid(void); + gint verify_host_key(X509 *host_key, GSList *issuer_pairs, + gint verify_flags, int level, GError **err); + X509 *load_cert_from_file(const char *path, GError **err); +@@ -138,8 +137,7 @@ + int store_set_verify_param(X509_STORE *store, GError **err); + X509_CRL *load_crl_by_cert(X509 *cert, GError **err); + STACK_OF_X509_CRL *try_load_crls_by_certs(GSList *certs_with_path); +-gint check_chain_parameters(const STACK_OF_X509 *chain, +- const ASN1_OCTET_STRING *skid, GError **err); ++gint check_chain_parameters(const STACK_OF_X509 *chain, GError **err); + X509_NAME *c2b_name(const X509_NAME *name); + + STACK_OF_X509 *delete_ibm_signing_certs(STACK_OF_X509 *certs); diff --git a/debian/patches/82c86fa8bd1108dcca77e6610d9e42a29c7584b1.patch b/debian/patches/82c86fa8bd1108dcca77e6610d9e42a29c7584b1.patch index 8476b91..b68d00a 100644 --- a/debian/patches/82c86fa8bd1108dcca77e6610d9e42a29c7584b1.patch +++ b/debian/patches/82c86fa8bd1108dcca77e6610d9e42a29c7584b1.patch @@ -23,11 +23,9 @@ 
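Review bot: With the SKID comparison removed, `check_chain_parameters()` in genprotimg/src/utils/crypto.c no longer restricts which root CA anchors the chain. It checks the chain length and logs the root subject through `g_info`, so when `--root-ca` is not given any system-wide trusted root is accepted, and the one actually used is shown only in verbose mode. I would say so in a comment above the function, e.g. `/* Reports the root CA of the chain; does not restrict it. Use --root-ca to pin a specific root. */`, and add the same caveat to the `--root-ca` paragraph in genprotimg.8. In the same function `ca_subject` is declared `g_autofree` but holds the buffer returned by `X509_NAME_oneline(ca_x509_subject, NULL, 0)`, which is OpenSSL-allocated memory and should be released with `OPENSSL_free(ca_subject);` after the `g_info` call rather than with `g_free`. The new error string also reads "at least on root" where "one" is meant; the function is shown only through the embedded hunks, so any further checks on the signing certificate are not visible here.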
Signed-off-by: Jan Höppner zkey/zkey.c | 15 +++-- 8 files changed, 182 insertions(+), 70 deletions(-) -diff --git a/zkey/Makefile b/zkey/Makefile -index f92de4ff..e712313c 100644 --- a/zkey/Makefile +++ b/zkey/Makefile -@@ -67,7 +67,7 @@ all: $(BUILD_TARGETS) +@@ -67,7 +67,7 @@ zkey.o: zkey.c pkey.h cca.h misc.h pkey.o: pkey.c pkey.h cca.o: cca.c cca.h pkey.h utils.h @@ -36,11 +34,9 @@ index f92de4ff..e712313c 100644 properties.o: check-dep-zkey properties.c properties.h keystore.o: keystore.c keystore.h properties.h pkey.h cca.h utils.h zkey-cryptsetup.o: check-dep-zkey-cryptsetup zkey-cryptsetup.c pkey.h cca.h misc.h -diff --git a/zkey/cca.c b/zkey/cca.c -index 01f7bfd7..aa958930 100644 --- a/zkey/cca.c +++ b/zkey/cca.c -@@ -718,7 +718,7 @@ int select_cca_adapter_by_mkvp(struct cca_lib *cca, u64 mkvp, const char *apqns, +@@ -718,7 +718,7 @@ info.domain = 0; info.verbose = verbose; @@ -49,11 +45,9 @@ index 01f7bfd7..aa958930 100644 if (rc < 0) return rc; -diff --git a/zkey/keystore.c b/zkey/keystore.c -index 8ded144e..8e2f6469 100644 --- a/zkey/keystore.c +++ b/zkey/keystore.c -@@ -1085,6 +1085,7 @@ static int _keystore_process_filtered(struct keystore *keystore, +@@ -1085,6 +1085,7 @@ struct apqn_check { bool noonlinecheck; bool nomsg; @@ -61,7 +55,7 @@ index 8ded144e..8e2f6469 100644 }; /** -@@ -1136,11 +1137,11 @@ static int _keystore_apqn_check(const char *apqn, bool remove, bool UNUSED(set), +@@ -1136,11 +1137,11 @@ goto out; } @@ -75,7 +69,7 @@ index 8ded144e..8e2f6469 100644 rc = -EIO; goto out; } else { -@@ -1577,7 +1578,9 @@ static int _keystore_create_info_file(struct keystore *keystore, +@@ -1577,7 +1578,9 @@ struct volume_check vol_check = { .keystore = keystore, .name = name, .set = 0 }; struct apqn_check apqn_check = { .noonlinecheck = noapqncheck, 
@@ -86,7 +80,7 @@ index 8ded144e..8e2f6469 100644 struct properties *key_props; char temp[10]; int rc; -@@ -1726,7 +1729,8 @@ int keystore_generate_key(struct keystore *keystore, const char *name, +@@ -1726,7 +1729,8 @@ goto out_free_key_filenames; rc = cross_check_apqns(apqns, 0, @@ -96,7 +90,7 @@ index 8ded144e..8e2f6469 100644 keystore->verbose); if (rc == -EINVAL) goto out_free_key_filenames; -@@ -1859,7 +1863,8 @@ int keystore_import_key(struct keystore *keystore, const char *name, +@@ -1859,7 +1863,8 @@ } rc = cross_check_apqns(apqns, mkvp, @@ -106,7 +100,7 @@ index 8ded144e..8e2f6469 100644 keystore->verbose); if (rc == -EINVAL) goto out_free_key; -@@ -2063,6 +2068,7 @@ int keystore_change_key(struct keystore *keystore, const char *name, +@@ -2063,6 +2068,7 @@ key_type = properties_get(key_props, PROP_NAME_KEY_TYPE); rc = cross_check_apqns(apqns_prop, mkvp, get_min_card_level_for_keytype(key_type), @@ -114,7 +108,7 @@ index 8ded144e..8e2f6469 100644 true, keystore->verbose); free(apqns_prop); free(key_type); -@@ -2440,7 +2446,8 @@ static int _keystore_display_apqn_status(struct keystore *keystore, +@@ -2440,7 +2446,8 @@ apqns = properties_get(properties, PROP_NAME_APQNS); key_type = properties_get(properties, PROP_NAME_KEY_TYPE); rc = cross_check_apqns(apqns, mkvp, @@ -124,7 +118,7 @@ index 8ded144e..8e2f6469 100644 keystore->verbose); if (rc != 0 && rc != -ENOTSUP) warning = 1; -@@ -4030,7 +4037,9 @@ int keystore_convert_key(struct keystore *keystore, const char *name, +@@ -4024,7 +4031,9 @@ if (apqns != NULL) apqn_list = str_list_split(apqns); @@ -135,15 +129,12 @@ index 8ded144e..8e2f6469 100644 if (rc == -EINVAL) goto out; if (rc != 0 && rc != -ENOTSUP && !noapqncheck) { -diff --git a/zkey/pkey.c b/zkey/pkey.c -index 640ff866..8fcd639b 100644 --- a/zkey/pkey.c 
+++ b/zkey/pkey.c -@@ -1651,6 +1651,26 @@ int get_min_card_level_for_keytype(const char *key_type) - return -1; +@@ -1652,6 +1652,26 @@ } -+/** + /** + * Returns the card type required for a specific key type + * + * @param[in] key_type the type of the key @@ -163,14 +154,13 @@ index 640ff866..8fcd639b 100644 + return CARD_TYPE_ANY; +} + - /** ++/** * Performs extended checks on an AES CIPHER key. It checks the key usage * fields (KUFs) and key management fields (KMFs) of the key. The function -diff --git a/zkey/pkey.h b/zkey/pkey.h -index 3dfd588f..38efdbe2 100644 + * returns -EINVAL and issues warning messages if a mismatch is detected. --- a/zkey/pkey.h +++ b/zkey/pkey.h -@@ -231,6 +231,12 @@ struct pkey_apqns4keytype { +@@ -231,6 +231,12 @@ #define ENC_ZERO_LEN (2 * PAES_BLOCK_SIZE) #define VERIFICATION_PATTERN_LEN (2 * ENC_ZERO_LEN + 1) @@ -183,7 +173,7 @@ index 3dfd588f..38efdbe2 100644 int open_pkey_device(bool verbose); int generate_secure_key_random(int pkey_fd, const char *keyfile, -@@ -265,6 +271,7 @@ bool is_xts_key(const u8 *key, size_t key_size); +@@ -265,6 +271,7 @@ int get_key_bit_size(const u8 *key, size_t key_size, size_t *bitsize); const char *get_key_type(const u8 *key, size_t key_size); int get_min_card_level_for_keytype(const char *key_type); @@ -191,8 +181,6 @@ index 3dfd588f..38efdbe2 100644 int check_aes_cipher_key(const u8 *key, size_t key_size); #endif -diff --git a/zkey/utils.c b/zkey/utils.c -index e70ebcd7..9b010a6e 100644 --- a/zkey/utils.c +++ b/zkey/utils.c @@ -34,14 +34,16 @@ @@ -216,7 +204,7 @@ index e70ebcd7..9b010a6e 100644 { long int online; char *dev_path; -@@ -69,9 +71,21 @@ int sysfs_is_card_online(int card) +@@ -69,9 +71,21 @@ rc = 0; goto out; } @@ -241,7 +229,7 @@ index e70ebcd7..9b010a6e 100644 } out: -@@ -80,21 +94,22 @@ int sysfs_is_card_online(int card) +@@ -80,21 +94,22 @@ } /** 
@@ -269,7 +257,7 @@ index e70ebcd7..9b010a6e 100644 if (rc != 1) return rc; -@@ -145,7 +160,7 @@ int sysfs_get_card_level(int card) +@@ -145,7 +160,7 @@ rc = -1; goto out; } @@ -278,11 +266,10 @@ index e70ebcd7..9b010a6e 100644 rc = -1; goto out; } -@@ -161,6 +176,50 @@ int sysfs_get_card_level(int card) - return rc; +@@ -162,6 +177,50 @@ } -+/** + /** + * Returns the type of the card. For a CEXnC CARD_TYPE_CCA is returned, + * for a CEXnP CARD_TYPE_EP11. + * @@ -326,10 +313,11 @@ index e70ebcd7..9b010a6e 100644 + return cardtype; +} + - /** ++/** * Gets the 8 character ASCII serial number string of an card from the sysfs. * -@@ -169,9 +228,9 @@ int sysfs_get_card_level(int card) + * @param[in] card card number +@@ -169,9 +228,9 @@ * @param[in] verbose if true, verbose messages are printed * * @returns 0 if the serial number was returned. -ENODEV if the APQN is not @@ -342,7 +330,7 @@ index e70ebcd7..9b010a6e 100644 */ int sysfs_get_serialnr(int card, char serialnr[9], bool verbose) { -@@ -181,7 +240,7 @@ int sysfs_get_serialnr(int card, char serialnr[9], bool verbose) +@@ -181,7 +240,7 @@ if (serialnr == NULL) return -EINVAL; @@ -351,7 +339,7 @@ index e70ebcd7..9b010a6e 100644 return -ENODEV; dev_path = util_path_sysfs("bus/ap/devices/card%02x", card); -@@ -272,9 +331,9 @@ static int parse_mk_info(char *line, struct mk_info *mk_info) +@@ -272,9 +331,9 @@ * @param[in] verbose if true, verbose messages are printed * * @returns 0 if the master key info was returned. -ENODEV if the APQN is not @@ -364,7 +352,7 @@ index e70ebcd7..9b010a6e 100644 */ int sysfs_get_mkvps(int card, int domain, struct mk_info *mk_info, bool verbose) { -@@ -292,7 +351,7 @@ int sysfs_get_mkvps(int card, int domain, struct mk_info *mk_info, bool verbose) +@@ -292,7 +351,7 @@ mk_info->cur_mk.mk_state = MK_STATE_UNKNOWN; mk_info->old_mk.mk_state = MK_STATE_UNKNOWN; 
@@ -373,7 +361,7 @@ index e70ebcd7..9b010a6e 100644 return -ENODEV; dev_path = util_path_sysfs("bus/ap/devices/card%02x/%02x.%04x/mkvps", -@@ -349,8 +408,9 @@ int sysfs_get_mkvps(int card, int domain, struct mk_info *mk_info, bool verbose) +@@ -349,8 +408,9 @@ return rc; } @@ -385,7 +373,7 @@ index e70ebcd7..9b010a6e 100644 { struct dirent **namelist; char fname[290]; -@@ -369,9 +429,9 @@ static int scan_for_domains(int card, apqn_handler_t handler, +@@ -369,9 +429,9 @@ pr_verbose(verbose, "Found %02x.%04x", card, domain); @@ -397,7 +385,7 @@ index e70ebcd7..9b010a6e 100644 continue; } -@@ -385,8 +445,8 @@ static int scan_for_domains(int card, apqn_handler_t handler, +@@ -385,8 +445,8 @@ } @@ -408,7 +396,7 @@ index e70ebcd7..9b010a6e 100644 { struct dirent **namelist; int i, n, card, rc = 0; -@@ -405,13 +465,14 @@ static int scan_for_apqns(apqn_handler_t handler, void *handler_data, +@@ -405,13 +465,14 @@ pr_verbose(verbose, "Found card %02x", card); @@ -427,7 +415,7 @@ index e70ebcd7..9b010a6e 100644 if (rc != 0) break; } -@@ -421,21 +482,22 @@ static int scan_for_apqns(apqn_handler_t handler, void *handler_data, +@@ -421,21 +482,22 @@ } /** @@ -457,7 +445,7 @@ index e70ebcd7..9b010a6e 100644 { int card, domain; char *copy, *tok; -@@ -443,7 +505,7 @@ int handle_apqns(const char *apqns, apqn_handler_t handler, void *handler_data, +@@ -443,7 +505,7 @@ int rc = 0; if (apqns == NULL || (apqns != NULL && strlen(apqns) == 0)) { @@ -466,7 +454,7 @@ index e70ebcd7..9b010a6e 100644 } else { copy = util_strdup(apqns); tok = strtok_r(copy, ",", &save); -@@ -480,12 +542,14 @@ static int print_apqn_mk_info(int card, int domain, void *handler_data) +@@ -480,12 +542,14 @@ struct print_apqn_info *info = (struct print_apqn_info *)handler_data; struct mk_info mk_info; int rc, level; 
@@ -481,7 +469,7 @@ index e70ebcd7..9b010a6e 100644 util_rec_set(info->rec, "APQN", "%02x.%04x", card, domain); -@@ -515,8 +579,9 @@ static int print_apqn_mk_info(int card, int domain, void *handler_data) +@@ -515,8 +579,9 @@ util_rec_set(info->rec, "OLD", "?"); } @@ -493,7 +481,7 @@ index e70ebcd7..9b010a6e 100644 else util_rec_set(info->rec, "TYPE", "?"); -@@ -529,15 +594,16 @@ static int print_apqn_mk_info(int card, int domain, void *handler_data) +@@ -529,15 +594,16 @@ * Prints master key information for all specified APQNs * * @param[in] apqns a comma separated list of APQNs. If NULL is specified, @@ -513,7 +501,7 @@ index e70ebcd7..9b010a6e 100644 { struct print_apqn_info info; int rc; -@@ -552,7 +618,7 @@ int print_mk_info(const char *apqns, bool verbose) +@@ -552,7 +618,7 @@ util_rec_def(info.rec, "TYPE", UTIL_REC_ALIGN_LEFT, 6, "TYPE"); util_rec_print_hdr(info.rec); @@ -522,7 +510,7 @@ index e70ebcd7..9b010a6e 100644 util_rec_free(info.rec); return rc; -@@ -583,7 +649,7 @@ static int cross_check_mk_info(int card, int domain, void *handler_data) +@@ -583,7 +649,7 @@ if (rc == -ENODEV) { info->print_mks = 1; printf("WARNING: APQN %02x.%04x: Not available or not of " @@ -531,7 +519,7 @@ index e70ebcd7..9b010a6e 100644 return 0; } if (rc != 0) -@@ -729,6 +795,7 @@ static int cross_check_mk_info(int card, int domain, void *handler_data) +@@ -729,6 +795,7 @@ * matched against it. * @param[in] min_level The minimum card level required. If min_level is -1 then * the card level is not checked. 
@@ -539,7 +527,7 @@ index e70ebcd7..9b010a6e 100644 * @param[in] print_mks if true, then a the full master key info of all * specified APQns is printed, in case of a mismatch. * @param[in] verbose if true, verbose messages are printed -@@ -739,7 +806,7 @@ static int cross_check_mk_info(int card, int domain, void *handler_data) +@@ -739,7 +806,7 @@ * available, because the zcrypt kernel module is on an older level. */ int cross_check_apqns(const char *apqns, u64 mkvp, int min_level, @@ -548,7 +536,7 @@ index e70ebcd7..9b010a6e 100644 { struct cross_check_info info; char temp[200]; -@@ -755,7 +822,7 @@ int cross_check_apqns(const char *apqns, u64 mkvp, int min_level, +@@ -755,7 +822,7 @@ "min-level %d: %s", mkvp, min_level, apqns != NULL ? apqns : "ANY"); @@ -557,7 +545,7 @@ index e70ebcd7..9b010a6e 100644 if (rc != 0) return rc; -@@ -771,7 +838,7 @@ int cross_check_apqns(const char *apqns, u64 mkvp, int min_level, +@@ -771,7 +838,7 @@ } if (info.num_checked == 0) { printf("WARNING: None of the APQNs is available or of " @@ -566,7 +554,7 @@ index e70ebcd7..9b010a6e 100644 rc = -ENODEV; } if (info.num_old_match > 0 && info.num_new_match > 0) { -@@ -787,7 +854,7 @@ int cross_check_apqns(const char *apqns, u64 mkvp, int min_level, +@@ -787,7 +854,7 @@ if (print_mks && info.print_mks) { printf("\n"); @@ -575,8 +563,6 @@ index e70ebcd7..9b010a6e 100644 printf("\n"); } -diff --git a/zkey/utils.h b/zkey/utils.h -index 2a915eb3..236e9d84 100644 --- a/zkey/utils.h +++ b/zkey/utils.h @@ -14,12 +14,16 @@ @@ -598,7 +584,7 @@ index 2a915eb3..236e9d84 100644 int sysfs_get_serialnr(int card, char serialnr[9], bool verbose); #define MK_STATE_EMPTY 0 -@@ -45,13 +49,13 @@ int sysfs_get_mkvps(int card, int domain, struct mk_info *mk_info, +@@ -45,13 +49,13 @@ typedef int(*apqn_handler_t) (int card, int domain, void *handler_data); 
@@ -616,11 +602,9 @@ index 2a915eb3..236e9d84 100644 bool prompt_for_yes(bool verbose); -diff --git a/zkey/zkey.c b/zkey/zkey.c -index 8adbba28..a2509afc 100644 --- a/zkey/zkey.c +++ b/zkey/zkey.c -@@ -1173,6 +1173,7 @@ static int command_generate(void) +@@ -1173,6 +1173,7 @@ rc = cross_check_apqns(NULL, 0, get_min_card_level_for_keytype(g.key_type), @@ -628,7 +612,7 @@ index 8adbba28..a2509afc 100644 true, g.verbose); if (rc == -EINVAL) return EXIT_FAILURE; -@@ -1425,6 +1426,7 @@ static int command_validate_file(void) +@@ -1425,6 +1426,7 @@ char vp[VERIFICATION_PATTERN_LEN]; size_t secure_key_size; size_t clear_key_size; @@ -636,7 +620,7 @@ index 8adbba28..a2509afc 100644 u8 *secure_key; int is_old_mk; u64 mkvp; -@@ -1483,11 +1485,12 @@ static int command_validate_file(void) +@@ -1483,11 +1485,12 @@ goto out; } @@ -651,7 +635,7 @@ index 8adbba28..a2509afc 100644 printf(" Clear key size: %lu bits\n", clear_key_size); printf(" XTS type key: %s\n", is_xts_key(secure_key, secure_key_size) ? "Yes" : "No"); -@@ -1499,8 +1502,8 @@ static int command_validate_file(void) +@@ -1499,8 +1502,8 @@ &vp[VERIFICATION_PATTERN_LEN / 2]); rc = cross_check_apqns(NULL, mkvp, @@ -662,7 +646,7 @@ index 8adbba28..a2509afc 100644 true, g.verbose); if (rc == -EINVAL) return EXIT_FAILURE; -@@ -1775,7 +1778,9 @@ static int command_convert_file(void) +@@ -1775,7 +1778,9 @@ return EXIT_FAILURE; } diff --git a/debian/patches/88e6a18f960c8cfe0abd67ae7bc454fc37f222ef.patch b/debian/patches/88e6a18f960c8cfe0abd67ae7bc454fc37f222ef.patch index 858faa7..63db17f 100644 --- a/debian/patches/88e6a18f960c8cfe0abd67ae7bc454fc37f222ef.patch +++ b/debian/patches/88e6a18f960c8cfe0abd67ae7bc454fc37f222ef.patch @@ -23,11 +23,9 @@ Signed-off-by: Jan Höppner zkey/zkey.c | 7 +++++-- 7 files changed, 79 insertions(+), 14 deletions(-) -diff --git a/zkey/Makefile b/zkey/Makefile -index 4e65da10..100e4087 100644 --- a/zkey/Makefile 
+++ b/zkey/Makefile -@@ -65,7 +65,7 @@ zkey-cryptsetup-skip-jsonc: +@@ -65,7 +65,7 @@ all: $(BUILD_TARGETS) zkey.o: zkey.c pkey.h cca.h ep11.h misc.h @@ -36,11 +34,9 @@ index 4e65da10..100e4087 100644 cca.o: cca.c cca.h pkey.h ep11.h utils.h ep11.o: ep11.c ep11.h pkey.h cca.h utils.h utils.o: utils.h pkey.h cca.h ep11.h -diff --git a/zkey/keystore.c b/zkey/keystore.c -index f02cc6f4..da87d8fa 100644 --- a/zkey/keystore.c +++ b/zkey/keystore.c -@@ -1732,8 +1732,9 @@ int keystore_generate_key(struct keystore *keystore, const char *name, +@@ -1732,8 +1732,9 @@ rc = cross_check_apqns(apqns, NULL, get_min_card_level_for_keytype(key_type), @@ -52,7 +48,7 @@ index f02cc6f4..da87d8fa 100644 if (rc == -EINVAL) goto out_free_key_filenames; if (rc != 0 && rc != -ENOTSUP && noapqncheck == 0) { -@@ -1866,8 +1867,9 @@ int keystore_import_key(struct keystore *keystore, const char *name, +@@ -1866,8 +1867,9 @@ rc = cross_check_apqns(apqns, mkvp, get_min_card_level_for_keytype(key_type), @@ -64,7 +60,7 @@ index f02cc6f4..da87d8fa 100644 if (rc == -EINVAL) goto out_free_key; if (rc != 0 && rc != -ENOTSUP && noapqncheck == 0) { -@@ -2070,6 +2072,7 @@ int keystore_change_key(struct keystore *keystore, const char *name, +@@ -2070,6 +2072,7 @@ key_type = properties_get(key_props, PROP_NAME_KEY_TYPE); rc = cross_check_apqns(apqns_prop, mkvp, get_min_card_level_for_keytype(key_type), @@ -72,7 +68,7 @@ index f02cc6f4..da87d8fa 100644 get_card_type_for_keytype(key_type), true, keystore->verbose); free(apqns_prop); -@@ -2455,6 +2458,7 @@ static int _keystore_display_apqn_status(struct keystore *keystore, +@@ -2455,6 +2458,7 @@ key_type = properties_get(properties, PROP_NAME_KEY_TYPE); rc = cross_check_apqns(apqns, mkvp, get_min_card_level_for_keytype(key_type), 
@@ -80,7 +76,7 @@ index f02cc6f4..da87d8fa 100644 get_card_type_for_keytype(key_type), true, keystore->verbose); if (rc != 0 && rc != -ENOTSUP) -@@ -4046,8 +4050,9 @@ int keystore_convert_key(struct keystore *keystore, const char *name, +@@ -4040,8 +4044,9 @@ apqn_list = str_list_split(apqns); rc = cross_check_apqns(apqns, NULL, min_level, @@ -92,8 +88,6 @@ index f02cc6f4..da87d8fa 100644 if (rc == -EINVAL) goto out; if (rc != 0 && rc != -ENOTSUP && !noapqncheck) { -diff --git a/zkey/pkey.c b/zkey/pkey.c -index 837ebfec..578a65a8 100644 --- a/zkey/pkey.c +++ b/zkey/pkey.c @@ -26,6 +26,7 @@ @@ -104,7 +98,7 @@ index 837ebfec..578a65a8 100644 #ifndef AF_ALG #define AF_ALG 38 -@@ -1708,6 +1709,20 @@ int get_min_card_level_for_keytype(const char *key_type) +@@ -1708,6 +1709,20 @@ return -1; } @@ -125,11 +119,9 @@ index 837ebfec..578a65a8 100644 /** * Returns the card type required for a specific key type * -diff --git a/zkey/pkey.h b/zkey/pkey.h -index ad1517c9..253cba24 100644 --- a/zkey/pkey.h +++ b/zkey/pkey.h -@@ -320,6 +320,7 @@ bool is_xts_key(const u8 *key, size_t key_size); +@@ -320,6 +320,7 @@ int get_key_bit_size(const u8 *key, size_t key_size, size_t *bitsize); const char *get_key_type(const u8 *key, size_t key_size); int get_min_card_level_for_keytype(const char *key_type); @@ -137,11 +129,9 @@ index ad1517c9..253cba24 100644 enum card_type get_card_type_for_keytype(const char *key_type); int check_aes_cipher_key(const u8 *key, size_t key_size); -diff --git a/zkey/utils.c b/zkey/utils.c -index f0050f28..a2d1c376 100644 --- a/zkey/utils.c +++ b/zkey/utils.c -@@ -809,6 +809,7 @@ struct cross_check_info { +@@ -809,6 +809,7 @@ bool key_mkvp; enum card_type cardtype; int min_level; 
@@ -149,7 +139,7 @@ index f0050f28..a2d1c376 100644 u32 num_cur_match; u32 num_old_match; u32 num_new_match; -@@ -821,10 +822,11 @@ struct cross_check_info { +@@ -821,10 +822,11 @@ static int cross_check_mk_info(int card, int domain, void *handler_data) { struct cross_check_info *info = (struct cross_check_info *)handler_data; @@ -162,7 +152,7 @@ index f0050f28..a2d1c376 100644 rc = sysfs_get_mkvps(card, domain, &mk_info, info->verbose); if (rc == -ENODEV) { -@@ -864,6 +866,35 @@ static int cross_check_mk_info(int card, int domain, void *handler_data) +@@ -864,6 +866,35 @@ } } @@ -198,7 +188,7 @@ index f0050f28..a2d1c376 100644 if (mk_info.new_mk.mk_state == MK_STATE_PARTIAL) { info->print_mks = 1; sprintf(temp, "INFO: APQN %02x.%04x: The NEW master key " -@@ -1002,6 +1033,8 @@ static int cross_check_mk_info(int card, int domain, void *handler_data) +@@ -1002,6 +1033,8 @@ * not matched against it. * @param[in] min_level The minimum card level required. If min_level is -1 then * the card level is not checked. @@ -207,7 +197,7 @@ index f0050f28..a2d1c376 100644 * @param[in] cardtype card type (CCA, EP11 or ANY) * @param[in] print_mks if true, then a the full master key info of all * specified APQns is printed, in case of a mismatch. -@@ -1013,6 +1046,7 @@ static int cross_check_mk_info(int card, int domain, void *handler_data) +@@ -1013,6 +1046,7 @@ * available, because the zcrypt kernel module is on an older level. */ int cross_check_apqns(const char *apqns, u8 *mkvp, int min_level, @@ -215,7 +205,7 @@ index f0050f28..a2d1c376 100644 enum card_type cardtype, bool print_mks, bool verbose) { struct cross_check_info info; -@@ -1025,11 +1059,17 @@ int cross_check_apqns(const char *apqns, u8 *mkvp, int min_level, +@@ -1025,11 +1059,17 @@ memcpy(info.mkvp, mkvp, sizeof(info.mkvp)); info.cardtype = cardtype; info.min_level = min_level; 
@@ -236,11 +226,9 @@ index f0050f28..a2d1c376 100644 rc = handle_apqns(apqns, cardtype, cross_check_mk_info, &info, verbose); if (rc != 0) -diff --git a/zkey/utils.h b/zkey/utils.h -index 87bb104f..dd743f61 100644 --- a/zkey/utils.h +++ b/zkey/utils.h -@@ -68,7 +68,8 @@ int handle_apqns(const char *apqns, enum card_type cardtype, +@@ -68,7 +68,8 @@ int print_mk_info(const char *apqns, enum card_type cardtype, bool verbose); int cross_check_apqns(const char *apqns, u8 *mkvp, int min_level, @@ -250,11 +238,9 @@ index 87bb104f..dd743f61 100644 bool prompt_for_yes(bool verbose); -diff --git a/zkey/zkey.c b/zkey/zkey.c -index 39ee3789..d0fad71b 100644 --- a/zkey/zkey.c +++ b/zkey/zkey.c -@@ -1179,6 +1179,7 @@ static int command_generate(void) +@@ -1179,6 +1179,7 @@ rc = cross_check_apqns(NULL, NULL, get_min_card_level_for_keytype(g.key_type), @@ -262,7 +248,7 @@ index 39ee3789..d0fad71b 100644 get_card_type_for_keytype(g.key_type), true, g.verbose); if (rc == -EINVAL) -@@ -1510,6 +1511,7 @@ static int command_validate_file(void) +@@ -1510,6 +1511,7 @@ rc = cross_check_apqns(NULL, mkvp, get_min_card_level_for_keytype(key_type), @@ -270,7 +256,7 @@ index 39ee3789..d0fad71b 100644 get_card_type_for_keytype(key_type), true, g.verbose); if (rc == -EINVAL) -@@ -1786,8 +1788,9 @@ static int command_convert_file(void) +@@ -1786,8 +1788,9 @@ } rc = cross_check_apqns(NULL, NULL, min_level, diff --git a/debian/patches/b48aa5f4355c4547012bb60620ed4fa52e241e9d.patch b/debian/patches/b48aa5f4355c4547012bb60620ed4fa52e241e9d.patch index a2141e5..b7d5b34 100644 --- a/debian/patches/b48aa5f4355c4547012bb60620ed4fa52e241e9d.patch +++ b/debian/patches/b48aa5f4355c4547012bb60620ed4fa52e241e9d.patch @@ -25,11 +25,9 @@ Signed-off-by: Jan Höppner create mode 100644 zkey/ep11.c create mode 100644 zkey/ep11.h -diff --git a/zkey/Makefile b/zkey/Makefile -index d09762d3..4e65da10 100644 --- a/zkey/Makefile 
+++ b/zkey/Makefile -@@ -64,21 +64,22 @@ zkey-cryptsetup-skip-jsonc: +@@ -64,21 +64,22 @@ all: $(BUILD_TARGETS) @@ -60,9 +58,6 @@ index d09762d3..4e65da10 100644 $(LINK) $(ALL_LDFLAGS) $^ $(LDLIBS) -o $@ install-common: -diff --git a/zkey/ep11.c b/zkey/ep11.c -new file mode 100644 -index 00000000..e6ef1957 --- /dev/null +++ b/zkey/ep11.c @@ -0,0 +1,339 @@ @@ -405,9 +400,6 @@ index 00000000..e6ef1957 + + return 0; +} -diff --git a/zkey/ep11.h b/zkey/ep11.h -new file mode 100644 -index 00000000..212c9f9f --- /dev/null +++ b/zkey/ep11.h @@ -0,0 +1,119 @@ @@ -530,11 +522,9 @@ index 00000000..212c9f9f + bool verbose); + +#endif -diff --git a/zkey/keystore.c b/zkey/keystore.c -index 2ccc71ef..eda2339c 100644 --- a/zkey/keystore.c +++ b/zkey/keystore.c -@@ -1808,7 +1808,7 @@ int keystore_generate_key(struct keystore *keystore, const char *name, +@@ -1808,7 +1808,7 @@ * default is used. * @param[in] import_file The name of a secure key containing the key to import * @param[in] volume_type the type of volume @@ -543,7 +533,7 @@ index 2ccc71ef..eda2339c 100644 * * @returns 0 for success or a negative errno in case of an error */ -@@ -1816,7 +1816,7 @@ int keystore_import_key(struct keystore *keystore, const char *name, +@@ -1816,7 +1816,7 @@ const char *description, const char *volumes, const char *apqns, bool noapqncheck, size_t sector_size, const char *import_file, const char *volume_type, @@ -552,7 +542,7 @@ index 2ccc71ef..eda2339c 100644 { struct key_filenames file_names = { NULL, NULL, NULL }; struct properties *key_props = NULL; -@@ -1874,13 +1874,13 @@ int keystore_import_key(struct keystore *keystore, const char *name, +@@ -1874,13 +1874,13 @@ } if (is_cca_aes_cipher_key(secure_key, secure_key_size)) { @@ -569,7 +559,7 @@ index 2ccc71ef..eda2339c 100644 FLAG_SEL_CCA_MATCH_CUR_MKVP | FLAG_SEL_CCA_MATCH_OLD_MKVP, keystore->verbose); -@@ -1895,7 +1895,7 @@ int keystore_import_key(struct keystore *keystore, const char *name, +@@ -1895,7 +1895,7 @@ goto out_free_key; } 
@@ -578,7 +568,7 @@ index 2ccc71ef..eda2339c 100644 keystore->verbose); if (rc != 0) { warnx("Failed to export-restrict the imported secure " -@@ -2662,7 +2662,7 @@ struct reencipher_params { +@@ -2662,7 +2662,7 @@ struct reencipher_info { struct reencipher_params params; int pkey_fd; @@ -587,7 +577,7 @@ index 2ccc71ef..eda2339c 100644 unsigned long num_reenciphered; unsigned long num_failed; unsigned long num_skipped; -@@ -2673,7 +2673,7 @@ struct reencipher_info { +@@ -2673,7 +2673,7 @@ * * @param[in] keystore the keystore * @param[in] name the name of the key @@ -596,7 +586,7 @@ index 2ccc71ef..eda2339c 100644 * @param[in] params reenciphering parameters * @param[in] secure_key a buffer containing the secure key * @param[in] secure_key_size the size of the secure key -@@ -2685,7 +2685,7 @@ struct reencipher_info { +@@ -2685,7 +2685,7 @@ */ static int _keystore_perform_reencipher(struct keystore *keystore, const char *name, @@ -605,7 +595,7 @@ index 2ccc71ef..eda2339c 100644 struct reencipher_params *params, u8 *secure_key, size_t secure_key_size, bool is_old_mk, const char *apqns) -@@ -2728,7 +2728,7 @@ static int _keystore_perform_reencipher(struct keystore *keystore, +@@ -2728,7 +2728,7 @@ "Secure key '%s' will be re-enciphered from OLD " "to the CURRENT master key", name); @@ -614,7 +604,7 @@ index 2ccc71ef..eda2339c 100644 FLAG_SEL_CCA_MATCH_OLD_MKVP, keystore->verbose); if (rc == -ENOTSUP) { -@@ -2741,7 +2741,7 @@ static int _keystore_perform_reencipher(struct keystore *keystore, +@@ -2741,7 +2741,7 @@ return rc; } @@ -623,7 +613,7 @@ index 2ccc71ef..eda2339c 100644 METHOD_OLD_TO_CURRENT, keystore->verbose); if (rc != 0) { -@@ -2760,7 +2760,7 @@ static int _keystore_perform_reencipher(struct keystore *keystore, +@@ -2760,7 +2760,7 @@ if (params->inplace == -1) params->inplace = 0; 
@@ -632,7 +622,7 @@ index 2ccc71ef..eda2339c 100644 FLAG_SEL_CCA_MATCH_CUR_MKVP | FLAG_SEL_CCA_NEW_MUST_BE_SET, keystore->verbose); -@@ -2776,7 +2776,7 @@ static int _keystore_perform_reencipher(struct keystore *keystore, +@@ -2776,7 +2776,7 @@ return rc; } @@ -641,7 +631,7 @@ index 2ccc71ef..eda2339c 100644 METHOD_CURRENT_TO_NEW, keystore->verbose); if (rc != 0) { -@@ -2877,7 +2877,7 @@ static int _keystore_process_reencipher(struct keystore *keystore, +@@ -2877,7 +2877,7 @@ if (!params.complete) { printf("Re-enciphering key '%s'\n", name); @@ -650,7 +640,7 @@ index 2ccc71ef..eda2339c 100644 ¶ms, secure_key, secure_key_size, is_old_mk, properties_get(properties, -@@ -2989,7 +2989,7 @@ static int _keystore_process_reencipher(struct keystore *keystore, +@@ -2989,7 +2989,7 @@ * @param[in] staged if true, the key will be re-enciphere not in-place * @param[in] complete if true, a pending re-encipherment is completed * @param[in] pkey_fd the file descriptor of /dev/pkey @@ -659,7 +649,7 @@ index 2ccc71ef..eda2339c 100644 * Note: if both fromOld and toNew are FALSE, then the reencipherement mode is * detected automatically. If both are TRUE then the key is reenciphered * from the OLD to the NEW master key. -@@ -3002,7 +3002,7 @@ int keystore_reencipher_key(struct keystore *keystore, const char *name_filter, +@@ -3002,7 +3002,7 @@ const char *apqn_filter, bool from_old, bool to_new, bool inplace, bool staged, bool complete, int pkey_fd, @@ -668,7 +658,7 @@ index 2ccc71ef..eda2339c 100644 { struct reencipher_info info; int rc; -@@ -3018,7 +3018,7 @@ int keystore_reencipher_key(struct keystore *keystore, const char *name_filter, +@@ -3018,7 +3018,7 @@ info.params.inplace = 0; info.params.complete = complete; info.pkey_fd = pkey_fd; 
@@ -677,7 +667,7 @@ index 2ccc71ef..eda2339c 100644 info.num_failed = 0; info.num_reenciphered = 0; info.num_skipped = 0; -@@ -3971,13 +3971,13 @@ int keystore_crypttab(struct keystore *keystore, const char *volume_filter, +@@ -3965,13 +3965,13 @@ * @param[in] noapqncheck if true, the specified APQN(s) are not checked for * existence and type. * @param[in] pkey_fd the file descriptor of /dev/pkey @@ -693,7 +683,7 @@ index 2ccc71ef..eda2339c 100644 { struct key_filenames file_names = { NULL, NULL, NULL }; u8 output_key[2 * MAX_SECURE_KEY_SIZE]; -@@ -4065,7 +4065,7 @@ int keystore_convert_key(struct keystore *keystore, const char *name, +@@ -4059,7 +4059,7 @@ if (rc) goto out; @@ -702,7 +692,7 @@ index 2ccc71ef..eda2339c 100644 FLAG_SEL_CCA_MATCH_CUR_MKVP, keystore->verbose); if (rc == -ENOTSUP) { -@@ -4095,7 +4095,7 @@ int keystore_convert_key(struct keystore *keystore, const char *name, +@@ -4089,7 +4089,7 @@ memset(output_key, 0, sizeof(output_key)); output_key_size = sizeof(output_key); @@ -711,7 +701,7 @@ index 2ccc71ef..eda2339c 100644 secure_key_size, output_key, &output_key_size, keystore->verbose); -@@ -4107,7 +4107,7 @@ int keystore_convert_key(struct keystore *keystore, const char *name, +@@ -4101,7 +4101,7 @@ goto out; } @@ -720,8 +710,6 @@ index 2ccc71ef..eda2339c 100644 keystore->verbose); if (rc != 0) { warnx("Export restricting the converted secure key '%s' has " -diff --git a/zkey/keystore.h b/zkey/keystore.h -index b17a575b..d9528144 100644 --- a/zkey/keystore.h +++ b/zkey/keystore.h @@ -14,7 +14,6 @@ @@ -732,7 +720,7 @@ index b17a575b..d9528144 100644 #include "pkey.h" struct keystore { -@@ -38,7 +37,7 @@ int keystore_import_key(struct keystore *keystore, const char *name, +@@ -38,7 +37,7 @@ const char *description, const char *volumes, const char *apqns, bool noapqncheck, size_t sector_size, const char *import_file, const char *volume_type, 
@@ -741,7 +729,7 @@ index b17a575b..d9528144 100644 int keystore_change_key(struct keystore *keystore, const char *name, const char *description, const char *volumes, -@@ -56,7 +55,7 @@ int keystore_reencipher_key(struct keystore *keystore, const char *name_filter, +@@ -56,7 +55,7 @@ const char *apqn_filter, bool from_old, bool to_new, bool inplace, bool staged, bool complete, int pkey_fd, @@ -750,7 +738,7 @@ index b17a575b..d9528144 100644 int keystore_copy_key(struct keystore *keystore, const char *name, const char *newname, const char *volumes); -@@ -83,7 +82,7 @@ int keystore_crypttab(struct keystore *keystore, const char *volume_filter, +@@ -83,7 +82,7 @@ int keystore_convert_key(struct keystore *keystore, const char *name, const char *key_type, bool noapqncheck, bool quiet, @@ -759,8 +747,6 @@ index b17a575b..d9528144 100644 void keystore_free(struct keystore *keystore); -diff --git a/zkey/pkey.h b/zkey/pkey.h -index d06f3cf0..71845c7f 100644 --- a/zkey/pkey.h +++ b/zkey/pkey.h @@ -15,6 +15,9 @@ @@ -773,7 +759,7 @@ index d06f3cf0..71845c7f 100644 /* * Definitions for the /dev/pkey kernel module interface */ -@@ -244,6 +247,11 @@ enum card_type { +@@ -244,6 +247,11 @@ CARD_TYPE_EP11 = 2, }; @@ -785,8 +771,6 @@ index d06f3cf0..71845c7f 100644 int open_pkey_device(bool verbose); int generate_secure_key_random(int pkey_fd, const char *keyfile, -diff --git a/zkey/zkey-cryptsetup.c b/zkey/zkey-cryptsetup.c -index 74bc5687..e72d3c6c 100644 --- a/zkey/zkey-cryptsetup.c +++ b/zkey/zkey-cryptsetup.c @@ -35,6 +35,7 @@ @@ -797,7 +781,7 @@ index 74bc5687..e72d3c6c 100644 #include "utils.h" /* Detect if cryptsetup 2.1 or later is available */ -@@ -105,12 +106,16 @@ static struct zkey_cryptsetup_globals { +@@ -105,12 +106,16 @@ bool batch_mode; bool debug; bool verbose; @@ -814,7 +798,7 @@ index 74bc5687..e72d3c6c 100644 }; /* -@@ -269,6 +274,7 @@ struct zkey_cryptsetup_command { +@@ -269,6 +274,7 @@ unsigned int abbrev_len; int (*function)(void); int need_cca_library; 
@@ -822,22 +806,20 @@ index 74bc5687..e72d3c6c 100644 int need_pkey_device; char *short_desc; char *long_desc; -@@ -2435,6 +2441,13 @@ int main(int argc, char *argv[]) +@@ -2433,6 +2439,13 @@ + if (rc != 0) { + rc = EXIT_FAILURE; goto out; - } - } ++ } ++ } + if (command->need_ep11_library) { + rc = load_ep11_library(&g.ep11, g.verbose); + if (rc != 0) { + rc = EXIT_FAILURE; + goto out; -+ } -+ } + } + } if (command->need_pkey_device) { - g.pkey_fd = open_pkey_device(g.verbose); - if (g.pkey_fd == -1) { -diff --git a/zkey/zkey.c b/zkey/zkey.c -index ab0e0149..22f66ce9 100644 --- a/zkey/zkey.c +++ b/zkey/zkey.c @@ -28,6 +28,7 @@ @@ -848,7 +830,7 @@ index ab0e0149..22f66ce9 100644 #include "keystore.h" #include "misc.h" #include "pkey.h" -@@ -83,12 +84,16 @@ static struct zkey_globals { +@@ -83,12 +84,16 @@ bool force; bool open; bool format; @@ -865,7 +847,7 @@ index ab0e0149..22f66ce9 100644 }; /* -@@ -822,6 +827,7 @@ struct zkey_command { +@@ -822,6 +827,7 @@ unsigned int abbrev_len; int (*function)(void); int need_cca_library; @@ -873,7 +855,7 @@ index ab0e0149..22f66ce9 100644 int need_pkey_device; char *short_desc; char *long_desc; -@@ -1396,7 +1402,7 @@ static int command_reencipher_repository(void) +@@ -1396,7 +1402,7 @@ rc = keystore_reencipher_key(g.keystore, g.name, g.apqns, g.fromold, g.tonew, g.inplace, g.staged, g.complete, @@ -882,7 +864,7 @@ index ab0e0149..22f66ce9 100644 return rc != 0 ? EXIT_FAILURE : EXIT_SUCCESS; } -@@ -1575,7 +1581,7 @@ static int command_import(void) +@@ -1575,7 +1581,7 @@ rc = keystore_import_key(g.keystore, g.name, g.description, g.volumes, g.apqns, g.noapqncheck, g.sector_size, @@ -891,7 +873,7 @@ index ab0e0149..22f66ce9 100644 return rc != 0 ? EXIT_FAILURE : EXIT_SUCCESS; } -@@ -1916,7 +1922,7 @@ static int command_convert_repository(void) +@@ -1916,7 +1922,7 @@ } rc = keystore_convert_key(g.keystore, g.name, g.key_type, g.noapqncheck, 
@@ -900,7 +882,7 @@ index ab0e0149..22f66ce9 100644 return rc != 0 ? EXIT_FAILURE : EXIT_SUCCESS; } -@@ -2231,6 +2237,13 @@ int main(int argc, char *argv[]) +@@ -2231,6 +2237,13 @@ goto out; } } @@ -914,7 +896,7 @@ index ab0e0149..22f66ce9 100644 if (command->need_pkey_device) { g.pkey_fd = open_pkey_device(g.verbose); if (g.pkey_fd == -1) { -@@ -2246,6 +2259,8 @@ int main(int argc, char *argv[]) +@@ -2246,6 +2259,8 @@ out: if (g.cca.lib_csulcca) dlclose(g.cca.lib_csulcca); diff --git a/debian/patches/ce4704f36537828d9378ea7640777f5b1275dfe8.patch b/debian/patches/ce4704f36537828d9378ea7640777f5b1275dfe8.patch index eabd609..5d822d2 100644 --- a/debian/patches/ce4704f36537828d9378ea7640777f5b1275dfe8.patch +++ b/debian/patches/ce4704f36537828d9378ea7640777f5b1275dfe8.patch @@ -29,11 +29,9 @@ Signed-off-by: Jan Höppner zkey/zkey.c | 47 +++---- 10 files changed, 371 insertions(+), 174 deletions(-) -diff --git a/zkey/Makefile b/zkey/Makefile -index e712313c..d09762d3 100644 --- a/zkey/Makefile +++ b/zkey/Makefile -@@ -70,13 +70,14 @@ cca.o: cca.c cca.h pkey.h utils.h +@@ -70,13 +70,14 @@ utils.o: utils.h pkey.h properties.o: check-dep-zkey properties.c properties.h keystore.o: keystore.c keystore.h properties.h pkey.h cca.h utils.h @@ -50,11 +48,9 @@ index e712313c..d09762d3 100644 zkey-cryptsetup: zkey-cryptsetup.o pkey.o cca.o utils.o $(libs) $(LINK) $(ALL_LDFLAGS) $^ $(LDLIBS) -o $@ -diff --git a/zkey/cca.c b/zkey/cca.c -index aa958930..f8c2c670 100644 --- a/zkey/cca.c +++ b/zkey/cca.c -@@ -630,7 +630,7 @@ int select_cca_adapter(struct cca_lib *cca, int card, int domain, bool verbose) +@@ -630,7 +630,7 @@ } struct find_mkvp_info { @@ -63,7 +59,7 @@ index aa958930..f8c2c670 100644 unsigned int flags; bool found; int card; -@@ -653,12 +653,12 @@ static int find_mkvp(int card, int domain, void *handler_data) +@@ -653,12 +653,12 @@ if (info->flags & FLAG_SEL_CCA_MATCH_CUR_MKVP) if (mk_info.cur_mk.mk_state == MK_STATE_VALID && 
@@ -78,7 +74,7 @@ index aa958930..f8c2c670 100644 found = true; if (info->flags & FLAG_SEL_CCA_NEW_MUST_BE_SET) -@@ -700,18 +700,20 @@ static int find_mkvp(int card, int domain, void *handler_data) +@@ -700,18 +700,20 @@ * because the zcrypt kernel module is on an older level. -ENODEV is * returned if no APQN is available with the desired mkvp. */ @@ -103,11 +99,9 @@ index aa958930..f8c2c670 100644 info.flags = flags; info.found = false; info.card = 0; -diff --git a/zkey/cca.h b/zkey/cca.h -index 2b248ec2..c4761d58 100644 --- a/zkey/cca.h +++ b/zkey/cca.h -@@ -129,7 +129,7 @@ int select_cca_adapter(struct cca_lib *cca, int card, int domain, bool verbose); +@@ -129,7 +129,7 @@ #define FLAG_SEL_CCA_MATCH_OLD_MKVP 0x02 #define FLAG_SEL_CCA_NEW_MUST_BE_SET 0x80 @@ -116,11 +110,9 @@ index 2b248ec2..c4761d58 100644 unsigned int flags, bool verbose); void print_msg_for_cca_envvars(const char *key_name); -diff --git a/zkey/keystore.c b/zkey/keystore.c -index 8e2f6469..2ccc71ef 100644 --- a/zkey/keystore.c +++ b/zkey/keystore.c -@@ -1728,7 +1728,7 @@ int keystore_generate_key(struct keystore *keystore, const char *name, +@@ -1728,7 +1728,7 @@ if (rc != 0) goto out_free_key_filenames; @@ -129,7 +121,7 @@ index 8e2f6469..2ccc71ef 100644 get_min_card_level_for_keytype(key_type), get_card_type_for_keytype(key_type), true, keystore->verbose); -@@ -1822,9 +1822,9 @@ int keystore_import_key(struct keystore *keystore, const char *name, +@@ -1822,9 +1822,9 @@ struct properties *key_props = NULL; size_t secure_key_size; const char *key_type; @@ -140,7 +132,7 @@ index 8e2f6469..2ccc71ef 100644 int rc; util_assert(keystore != NULL, "Internal error: keystore is NULL"); -@@ -1855,7 +1855,7 @@ int keystore_import_key(struct keystore *keystore, const char *name, +@@ -1855,7 +1855,7 @@ } rc = get_master_key_verification_pattern(secure_key, secure_key_size, 
@@ -149,7 +141,7 @@ index 8e2f6469..2ccc71ef 100644 if (rc != 0) { warnx("Failed to get the master key verification pattern: %s", strerror(-rc)); -@@ -1999,9 +1999,9 @@ int keystore_change_key(struct keystore *keystore, const char *name, +@@ -1999,9 +1999,9 @@ struct properties *key_props = NULL; char *apqns_prop, *key_type; size_t secure_key_size; @@ -160,7 +152,7 @@ index 8e2f6469..2ccc71ef 100644 int rc; util_assert(keystore != NULL, "Internal error: keystore is NULL"); -@@ -2058,7 +2058,7 @@ int keystore_change_key(struct keystore *keystore, const char *name, +@@ -2058,7 +2058,7 @@ rc = get_master_key_verification_pattern(secure_key, secure_key_size, @@ -169,7 +161,7 @@ index 8e2f6469..2ccc71ef 100644 keystore->verbose); free(secure_key); if (rc) -@@ -2283,7 +2283,7 @@ static void _keystore_print_record(struct util_rec *rec, +@@ -2283,7 +2283,7 @@ bool validation, const char *skey_filename, size_t secure_key_size, bool is_xts, size_t clear_key_bitsize, bool valid, @@ -178,7 +170,7 @@ index 8e2f6469..2ccc71ef 100644 { char temp_vp[VERIFICATION_PATTERN_LEN + 2]; char *volumes_argz = NULL; -@@ -2347,11 +2347,17 @@ static void _keystore_print_record(struct util_rec *rec, +@@ -2347,11 +2347,17 @@ if (validation) { if (valid) util_rec_set(rec, REC_MASTERKEY, @@ -199,7 +191,7 @@ index 8e2f6469..2ccc71ef 100644 } if (volumes_argz != NULL) util_rec_set_argz(rec, REC_VOLUMES, volumes_argz, -@@ -2433,7 +2439,7 @@ struct validate_info { +@@ -2433,7 +2439,7 @@ */ static int _keystore_display_apqn_status(struct keystore *keystore, struct properties *properties, @@ -208,7 +200,7 @@ index 8e2f6469..2ccc71ef 100644 { int rc, warning = 0; char *apqns; -@@ -2525,11 +2531,11 @@ static int _keystore_process_validate(struct keystore *keystore, +@@ -2525,11 +2531,11 @@ char **apqn_list = NULL; size_t clear_key_bitsize; size_t secure_key_size; 
@@ -221,7 +213,7 @@ index 8e2f6469..2ccc71ef 100644 rc = _keystore_ensure_keyfiles_exist(file_names, name); if (rc != 0) -@@ -2559,7 +2565,7 @@ static int _keystore_process_validate(struct keystore *keystore, +@@ -2559,7 +2565,7 @@ } rc = get_master_key_verification_pattern(secure_key, secure_key_size, @@ -230,7 +222,7 @@ index 8e2f6469..2ccc71ef 100644 free(secure_key); if (rc) goto out; -@@ -2573,9 +2579,9 @@ static int _keystore_process_validate(struct keystore *keystore, +@@ -2573,9 +2579,9 @@ if (valid && is_old_mk) { util_print_indented("WARNING: The secure key is currently " @@ -242,7 +234,7 @@ index 8e2f6469..2ccc71ef 100644 "master key\n", 0); info->num_warnings++; } -@@ -2685,10 +2691,10 @@ static int _keystore_perform_reencipher(struct keystore *keystore, +@@ -2685,10 +2691,10 @@ bool is_old_mk, const char *apqns) { int rc, selected = 1; @@ -255,7 +247,7 @@ index 8e2f6469..2ccc71ef 100644 if (rc != 0) { warnx("Failed to get the master key verification pattern: %s", strerror(-rc)); -@@ -2700,16 +2706,16 @@ static int _keystore_perform_reencipher(struct keystore *keystore, +@@ -2700,16 +2706,16 @@ if (is_old_mk) { params->from_old = 1; util_print_indented("The secure key is currently " @@ -276,7 +268,7 @@ index 8e2f6469..2ccc71ef 100644 "master key\n", 0); } } -@@ -2720,7 +2726,7 @@ static int _keystore_perform_reencipher(struct keystore *keystore, +@@ -2720,7 +2726,7 @@ pr_verbose(keystore, "Secure key '%s' will be re-enciphered from OLD " @@ -285,7 +277,7 @@ index 8e2f6469..2ccc71ef 100644 rc = select_cca_adapter_by_mkvp(cca, mkvp, apqns, FLAG_SEL_CCA_MATCH_OLD_MKVP, -@@ -2740,7 +2746,7 @@ static int _keystore_perform_reencipher(struct keystore *keystore, +@@ -2740,7 +2746,7 @@ keystore->verbose); if (rc != 0) { warnx("Failed to re-encipher '%s' from OLD to " 
@@ -294,7 +286,7 @@ index 8e2f6469..2ccc71ef 100644 if (!selected) print_msg_for_cca_envvars("secure AES key"); return rc; -@@ -2749,7 +2755,7 @@ static int _keystore_perform_reencipher(struct keystore *keystore, +@@ -2749,7 +2755,7 @@ if (params->to_new) { pr_verbose(keystore, "Secure key '%s' will be re-enciphered from " @@ -303,7 +295,7 @@ index 8e2f6469..2ccc71ef 100644 if (params->inplace == -1) params->inplace = 0; -@@ -2775,7 +2781,7 @@ static int _keystore_perform_reencipher(struct keystore *keystore, +@@ -2775,7 +2781,7 @@ keystore->verbose); if (rc != 0) { warnx("Failed to re-encipher '%s' from CURRENT to " @@ -312,7 +304,7 @@ index 8e2f6469..2ccc71ef 100644 if (!selected) print_msg_for_cca_envvars("secure AES key"); return rc; -@@ -2857,7 +2863,7 @@ static int _keystore_process_reencipher(struct keystore *keystore, +@@ -2857,7 +2863,7 @@ if (params.complete) { warnx("Key '%s' is not valid, re-enciphering is not " "completed", name); @@ -321,7 +313,7 @@ index 8e2f6469..2ccc71ef 100644 "as the CURRENT master key."); } else { warnx("Key '%s' is not valid, it is not re-enciphered", -@@ -2940,7 +2946,7 @@ static int _keystore_process_reencipher(struct keystore *keystore, +@@ -2940,7 +2946,7 @@ if (params.inplace != 1) { util_asprintf(&temp, "Staged re-enciphering is initiated for " @@ -330,7 +322,7 @@ index 8e2f6469..2ccc71ef 100644 "set to become the CURRENT master key run " "'zkey reencipher' with option '--complete' to " "complete the re-enciphering process", name); -@@ -2976,17 +2982,17 @@ static int _keystore_process_reencipher(struct keystore *keystore, +@@ -2976,17 +2982,17 @@ * @param[in] name_filter the name filter to select the key (can be NULL) * @param[in] apqn_filter the APQN filter to seletc the key (can be NULL) * @param[in] from_old If true the key is reenciphered from the OLD to the 
@@ -352,7 +344,7 @@ index 8e2f6469..2ccc71ef 100644 * Note: if both inplace and staged are FLASE, then the key is re-enciphered * inplace when for OLD-to-CURRENT, and is reenciphered staged for * CURRENT-to-NEW. -@@ -3982,9 +3988,9 @@ int keystore_convert_key(struct keystore *keystore, const char *name, +@@ -3976,9 +3982,9 @@ char **apqn_list = NULL; size_t secure_key_size; u8 *secure_key = NULL; @@ -363,7 +355,7 @@ index 8e2f6469..2ccc71ef 100644 util_assert(keystore != NULL, "Internal error: keystore is NULL"); util_assert(name != NULL, "Internal error: name is NULL"); -@@ -4037,7 +4043,7 @@ int keystore_convert_key(struct keystore *keystore, const char *name, +@@ -4031,7 +4037,7 @@ if (apqns != NULL) apqn_list = str_list_split(apqns); @@ -372,7 +364,7 @@ index 8e2f6469..2ccc71ef 100644 get_card_type_for_keytype(key_type), true, keystore->verbose); if (rc == -EINVAL) -@@ -4055,7 +4061,7 @@ int keystore_convert_key(struct keystore *keystore, const char *name, +@@ -4049,7 +4055,7 @@ goto out; rc = get_master_key_verification_pattern(secure_key, secure_key_size, @@ -381,11 +373,9 @@ index 8e2f6469..2ccc71ef 100644 if (rc) goto out; -diff --git a/zkey/pkey.c b/zkey/pkey.c -index 8fcd639b..591152da 100644 --- a/zkey/pkey.c +++ b/zkey/pkey.c -@@ -753,7 +753,6 @@ static int build_apqn_list_for_key(int pkey_fd, u8 *key, u32 keylen, u32 flags, +@@ -753,7 +753,6 @@ u32 *apqn_entries, bool verbose) { struct pkey_apqns4key apqns4key; @@ -393,7 +383,7 @@ index 8fcd639b..591152da 100644 int rc; util_assert(pkey_fd != -1, "Internal error: pkey_fd is -1"); -@@ -796,12 +795,6 @@ static int build_apqn_list_for_key(int pkey_fd, u8 *key, u32 keylen, u32 flags, +@@ -796,12 +795,6 @@ if (!is_cca_aes_data_key(key, keylen)) return -ENOTSUP; 
@@ -406,7 +396,7 @@ index 8fcd639b..591152da 100644 rc = build_apqn_list_for_aes_data(apqn_list, apqns, apqn_entries, verbose); -@@ -1218,7 +1211,7 @@ static int validate_secure_xts_key(int pkey_fd, struct pkey_apqn *apqn, +@@ -1218,7 +1211,7 @@ * @param[out] clear_key_bitsize on return , the cryptographic size of the * clear key * @param[out] is_old_mk in return set to 1 to indicate if the secure key @@ -415,7 +405,7 @@ index 8fcd639b..591152da 100644 * @param[in] apqns a zero terminated array of pointers to APQN-strings, * or NULL for AUTOSELECT * @param[in] verbose if true, verbose messages are printed -@@ -1454,7 +1447,7 @@ int generate_key_verification_pattern(const u8 *key, size_t key_size, +@@ -1454,7 +1447,7 @@ } int get_master_key_verification_pattern(const u8 *key, size_t key_size, @@ -424,7 +414,7 @@ index 8fcd639b..591152da 100644 { struct aesdatakeytoken *datakey = (struct aesdatakeytoken *)key; struct aescipherkeytoken *cipherkey = (struct aescipherkeytoken *)key; -@@ -1462,10 +1455,11 @@ int get_master_key_verification_pattern(const u8 *key, size_t key_size, +@@ -1462,10 +1455,11 @@ util_assert(key != NULL, "Internal error: secure_key is NULL"); util_assert(mkvp != NULL, "Internal error: mkvp is NULL"); @@ -438,11 +428,9 @@ index 8fcd639b..591152da 100644 else return -EINVAL; -diff --git a/zkey/pkey.h b/zkey/pkey.h -index 38efdbe2..d06f3cf0 100644 --- a/zkey/pkey.h +++ b/zkey/pkey.h -@@ -231,6 +231,13 @@ struct pkey_apqns4keytype { +@@ -231,6 +231,13 @@ #define ENC_ZERO_LEN (2 * PAES_BLOCK_SIZE) #define VERIFICATION_PATTERN_LEN (2 * ENC_ZERO_LEN + 1) @@ -456,7 +444,7 @@ index 38efdbe2..d06f3cf0 100644 enum card_type { CARD_TYPE_ANY = -1, CARD_TYPE_CCA = 1, -@@ -263,7 +270,7 @@ int generate_key_verification_pattern(const u8 *key, size_t key_size, +@@ -263,7 +270,7 @@ char *vp, size_t vp_len, bool verbose); int get_master_key_verification_pattern(const u8 *key, size_t key_size, 
@@ -465,8 +453,6 @@ index 38efdbe2..d06f3cf0 100644 bool is_cca_aes_data_key(const u8 *key, size_t key_size); bool is_cca_aes_cipher_key(const u8 *key, size_t key_size); -diff --git a/zkey/utils.c b/zkey/utils.c -index 2384da3d..4abc312b 100644 --- a/zkey/utils.c +++ b/zkey/utils.c @@ -25,6 +25,8 @@ @@ -478,7 +464,7 @@ index 2384da3d..4abc312b 100644 #include "utils.h" #include "properties.h" -@@ -98,6 +100,7 @@ int sysfs_is_card_online(int card, enum card_type cardtype) +@@ -98,6 +100,7 @@ * * @param[in] card card number * @param[in] domain the domain @@ -486,7 +472,7 @@ index 2384da3d..4abc312b 100644 * * @returns 1 if its card of the specified type and is online, * 0 if offline, -@@ -335,11 +338,12 @@ int sysfs_get_firmware_version(int card, struct fw_version *fw_version, +@@ -335,11 +338,12 @@ return rc; } @@ -500,14 +486,14 @@ index 2384da3d..4abc312b 100644 tok = strtok_r(line, " ", &save); if (tok == NULL) -@@ -382,9 +386,79 @@ static int parse_mk_info(char *line, struct mk_info *mk_info) +@@ -382,9 +386,79 @@ if (tok == NULL) return -EIO; - if (sscanf(tok, "%llx", &mk_reg->mkvp) != 1) + if (sscanf(tok, "%llx", &mkvp) != 1) - return -EIO; - ++ return -EIO; ++ + memcpy(mk_reg->mkvp, &mkvp, sizeof(mkvp)); + + return 0; @@ -541,8 +527,8 @@ index 2384da3d..4abc312b 100644 + + tok = strtok_r(NULL, " ", &save); + if (tok == NULL) -+ return -EIO; -+ + return -EIO; + + if (strcasecmp(tok, "valid") == 0) + mk_reg->mk_state = MK_STATE_VALID; + else if (strcasecmp(tok, "invalid") == 0) @@ -581,7 +567,7 @@ index 2384da3d..4abc312b 100644 return 0; } -@@ -404,6 +478,7 @@ static int parse_mk_info(char *line, struct mk_info *mk_info) +@@ -404,6 +478,7 @@ */ int sysfs_get_mkvps(int card, int domain, struct mk_info *mk_info, bool verbose) { 
@@ -589,7 +575,7 @@ index 2384da3d..4abc312b 100644 char *dev_path; char *p, *end; char buf[100]; -@@ -421,6 +496,8 @@ int sysfs_get_mkvps(int card, int domain, struct mk_info *mk_info, bool verbose) +@@ -421,6 +496,8 @@ if (sysfs_is_apqn_online(card, domain, CARD_TYPE_ANY) != 1) return -ENODEV; @@ -598,7 +584,7 @@ index 2384da3d..4abc312b 100644 dev_path = util_path_sysfs("bus/ap/devices/card%02x/%02x.%04x/mkvps", card, card, domain); if (!util_path_is_reg_file(dev_path)) { -@@ -436,14 +513,22 @@ int sysfs_get_mkvps(int card, int domain, struct mk_info *mk_info, bool verbose) +@@ -436,14 +513,22 @@ /* * Expected contents: @@ -629,7 +615,7 @@ index 2384da3d..4abc312b 100644 */ while ((p = fgets(buf, sizeof(buf), fp)) != NULL) { end = memchr(buf, '\n', sizeof(buf)); -@@ -455,7 +540,17 @@ int sysfs_get_mkvps(int card, int domain, struct mk_info *mk_info, bool verbose) +@@ -455,7 +540,17 @@ pr_verbose(verbose, "mkvp for %02x.%04x: %s", card, domain, buf); @@ -648,7 +634,7 @@ index 2384da3d..4abc312b 100644 if (rc != 0) break; } -@@ -464,7 +559,8 @@ int sysfs_get_mkvps(int card, int domain, struct mk_info *mk_info, bool verbose) +@@ -464,7 +559,8 @@ if (mk_info->new_mk.mk_state == MK_STATE_UNKNOWN && mk_info->cur_mk.mk_state == MK_STATE_UNKNOWN && @@ -658,7 +644,7 @@ index 2384da3d..4abc312b 100644 rc = -EIO; out: if (rc != 0) -@@ -601,6 +697,7 @@ int handle_apqns(const char *apqns, enum card_type cardtype, +@@ -601,6 +697,7 @@ struct print_apqn_info { struct util_rec *rec; @@ -666,7 +652,7 @@ index 2384da3d..4abc312b 100644 bool verbose; }; -@@ -620,24 +717,30 @@ static int print_apqn_mk_info(int card, int domain, void *handler_data) +@@ -620,24 +717,30 @@ util_rec_set(info->rec, "APQN", "%02x.%04x", card, domain); 
@@ -704,7 +690,7 @@ index 2384da3d..4abc312b 100644 else util_rec_set(info->rec, "OLD", "-"); } else { -@@ -673,15 +776,23 @@ static int print_apqn_mk_info(int card, int domain, void *handler_data) +@@ -673,15 +776,23 @@ int print_mk_info(const char *apqns, enum card_type cardtype, bool verbose) { struct print_apqn_info info; @@ -732,7 +718,7 @@ index 2384da3d..4abc312b 100644 util_rec_def(info.rec, "TYPE", UTIL_REC_ALIGN_LEFT, 6, "TYPE"); util_rec_print_hdr(info.rec); -@@ -692,9 +803,10 @@ int print_mk_info(const char *apqns, enum card_type cardtype, bool verbose) +@@ -692,9 +803,10 @@ } struct cross_check_info { @@ -745,7 +731,7 @@ index 2384da3d..4abc312b 100644 int min_level; u32 num_cur_match; u32 num_old_match; -@@ -708,6 +820,7 @@ struct cross_check_info { +@@ -708,6 +820,7 @@ static int cross_check_mk_info(int card, int domain, void *handler_data) { struct cross_check_info *info = (struct cross_check_info *)handler_data; @@ -753,7 +739,7 @@ index 2384da3d..4abc312b 100644 struct mk_info mk_info; char temp[200]; int rc, level; -@@ -724,6 +837,19 @@ static int cross_check_mk_info(int card, int domain, void *handler_data) +@@ -724,6 +837,19 @@ info->num_checked++; @@ -773,7 +759,7 @@ index 2384da3d..4abc312b 100644 if (info->min_level >= 0) { level = sysfs_get_card_level(card); -@@ -731,7 +857,7 @@ static int cross_check_mk_info(int card, int domain, void *handler_data) +@@ -731,7 +857,7 @@ info->print_mks = 1; info->mismatch = 1; sprintf(temp, "WARNING: APQN %02x.%04x: The card level " @@ -782,7 +768,7 @@ index 2384da3d..4abc312b 100644 info->min_level); util_print_indented(temp, 0); } -@@ -743,13 +869,22 @@ static int cross_check_mk_info(int card, int domain, void *handler_data) +@@ -743,13 +869,22 @@ "register is only partially loaded.", card, domain); util_print_indented(temp, 0); } 
@@ -796,21 +782,22 @@ index 2384da3d..4abc312b 100644 - if (info->new_mkvp == 0 && - mk_info.new_mk.mk_state == MK_STATE_FULL) - info->new_mkvp = mk_info.new_mk.mkvp; +- +- if (mk_info.new_mk.mk_state == MK_STATE_FULL && +- mk_info.new_mk.mkvp != info->new_mkvp) { + if (MKVP_ZERO(info->new_mkvp) && + (mk_info.new_mk.mk_state == MK_STATE_FULL || + mk_info.new_mk.mk_state == MK_STATE_COMMITTED)) + memcpy(info->new_mkvp, mk_info.new_mk.mkvp, + sizeof(info->new_mkvp)); - -- if (mk_info.new_mk.mk_state == MK_STATE_FULL && -- mk_info.new_mk.mkvp != info->new_mkvp) { ++ + if ((mk_info.new_mk.mk_state == MK_STATE_FULL || + mk_info.new_mk.mk_state == MK_STATE_COMMITTED) && + !MKVP_EQ(mk_info.new_mk.mkvp, info->new_mkvp)) { info->print_mks = 1; sprintf(temp, "WARNING: APQN %02x.%04x: The NEW master key " "register contains a different master key than " -@@ -767,15 +902,16 @@ static int cross_check_mk_info(int card, int domain, void *handler_data) +@@ -767,15 +902,16 @@ } if (mk_info.old_mk.mk_state == MK_STATE_VALID && @@ -830,7 +817,7 @@ index 2384da3d..4abc312b 100644 info->print_mks = 1; sprintf(temp, "INFO: APQN %02x.%04x: The NEW master key " "register contains the same master key as the CURRENT " -@@ -784,7 +920,7 @@ static int cross_check_mk_info(int card, int domain, void *handler_data) +@@ -784,7 +920,7 @@ } if (mk_info.new_mk.mk_state == MK_STATE_FULL && mk_info.old_mk.mk_state == MK_STATE_VALID && @@ -839,7 +826,7 @@ index 2384da3d..4abc312b 100644 info->print_mks = 1; sprintf(temp, "INFO: APQN %02x.%04x: The NEW master key " "register contains the same master key as the OLD " -@@ -792,28 +928,29 @@ static int cross_check_mk_info(int card, int domain, void *handler_data) +@@ -792,28 +928,29 @@ util_print_indented(temp, 0); } 
@@ -877,7 +864,7 @@ index 2384da3d..4abc312b 100644 info->print_mks = 1; sprintf(temp, "INFO: APQN %02x.%04x: The master" " key has been changed to a new " -@@ -821,8 +958,10 @@ static int cross_check_mk_info(int card, int domain, void *handler_data) +@@ -821,8 +958,10 @@ "not yet been re-enciphered.", card, domain); util_print_indented(temp, 0); @@ -890,7 +877,7 @@ index 2384da3d..4abc312b 100644 info->print_mks = 1; sprintf(temp, "INFO: APQN %02x.%04x: The master" " key has been changed but is not " -@@ -855,11 +994,11 @@ static int cross_check_mk_info(int card, int domain, void *handler_data) +@@ -855,11 +994,11 @@ * out an information message about the APQNs that have a different master key. * * @param[in] apqns a comma separated list of APQNs. If NULL is specified, @@ -905,7 +892,7 @@ index 2384da3d..4abc312b 100644 * @param[in] min_level The minimum card level required. If min_level is -1 then * the card level is not checked. * @param[in] cardtype card type (CCA, EP11 or ANY) -@@ -872,7 +1011,7 @@ static int cross_check_mk_info(int card, int domain, void *handler_data) +@@ -872,7 +1011,7 @@ * -ENOTSUP is returned when the mkvps sysfs attribute is not * available, because the zcrypt kernel module is on an older level. */ @@ -914,7 +901,7 @@ index 2384da3d..4abc312b 100644 enum card_type cardtype, bool print_mks, bool verbose) { struct cross_check_info info; -@@ -880,14 +1019,16 @@ int cross_check_apqns(const char *apqns, u64 mkvp, int min_level, +@@ -880,14 +1019,16 @@ int rc; memset(&info, 0, sizeof(info)); @@ -936,7 +923,7 @@ index 2384da3d..4abc312b 100644 rc = handle_apqns(apqns, cardtype, cross_check_mk_info, &info, verbose); if (rc != 0) -@@ -896,11 +1037,11 @@ int cross_check_apqns(const char *apqns, u64 mkvp, int min_level, +@@ -896,11 +1037,11 @@ if (info.mismatch) { if (info.key_mkvp) printf("WARNING: Not all APQNs have the correct master " 
@@ -951,7 +938,7 @@ index 2384da3d..4abc312b 100644 rc = -ENODEV; } if (info.num_checked == 0) { -@@ -951,3 +1092,38 @@ bool prompt_for_yes(bool verbose) +@@ -951,3 +1092,38 @@ return false; } @@ -990,11 +977,9 @@ index 2384da3d..4abc312b 100644 + + return mkvp_print_buf; +} -diff --git a/zkey/utils.h b/zkey/utils.h -index 98865643..f361b21d 100644 --- a/zkey/utils.h +++ b/zkey/utils.h -@@ -36,21 +36,23 @@ int sysfs_get_firmware_version(int card, struct fw_version *fw_version, +@@ -36,21 +36,23 @@ bool verbose); #define MK_STATE_EMPTY 0 @@ -1022,7 +1007,7 @@ index 98865643..f361b21d 100644 }; int sysfs_get_mkvps(int card, int domain, struct mk_info *mk_info, -@@ -63,9 +65,11 @@ int handle_apqns(const char *apqns, enum card_type cardtype, +@@ -63,9 +65,11 @@ int print_mk_info(const char *apqns, enum card_type cardtype, bool verbose); @@ -1035,8 +1020,6 @@ index 98865643..f361b21d 100644 +char *printable_mkvp(enum card_type cardtype, u8 *mkvp); + #endif -diff --git a/zkey/zkey-cryptsetup.c b/zkey/zkey-cryptsetup.c -index 938cf729..74bc5687 100644 --- a/zkey/zkey-cryptsetup.c +++ b/zkey/zkey-cryptsetup.c @@ -35,6 +35,7 @@ @@ -1047,7 +1030,7 @@ index 938cf729..74bc5687 100644 /* Detect if cryptsetup 2.1 or later is available */ #ifdef CRYPT_LOG_DEBUG_JSON -@@ -195,7 +196,7 @@ static struct util_opt opt_vec[] = { +@@ -195,7 +196,7 @@ { .option = {"complete", 0, NULL, 'c'}, .desc = "Completes a staged re-enciphering. Use this option " @@ -1056,7 +1039,7 @@ index 938cf729..74bc5687 100644 "active)", .command = COMMAND_REENCIPHER, }, -@@ -1198,7 +1199,7 @@ static int open_device(const char *device, struct crypt_device **cd) +@@ -1198,7 +1199,7 @@ /* * Prompts for yes or no. Returns true if 'y' or 'yes' was entered. */ 
@@ -1065,7 +1048,7 @@ index 938cf729..74bc5687 100644 { char str[20]; -@@ -1295,7 +1296,7 @@ static int activate_unbound_keyslot(int token, int keyslot, const char *key, +@@ -1295,7 +1296,7 @@ "now in unbound state. Do you want to remove " "these key slots [y/N]?", 0); @@ -1074,7 +1057,7 @@ index 938cf729..74bc5687 100644 return 0; for (i = 0, n = 0; ; i++) { -@@ -1533,6 +1534,7 @@ static int reencipher_prepare(int token) +@@ -1533,6 +1534,7 @@ struct reencipher_token reenc_tok; struct vp_token vp_tok; char *password = NULL; @@ -1082,7 +1065,7 @@ index 938cf729..74bc5687 100644 size_t password_len; char *key = NULL; int selected = 1; -@@ -1540,7 +1542,6 @@ static int reencipher_prepare(int token) +@@ -1540,7 +1542,6 @@ int is_old_mk; char *prompt; char *msg; @@ -1090,7 +1073,7 @@ index 938cf729..74bc5687 100644 int rc; if (token >= 0) { -@@ -1551,7 +1552,7 @@ static int reencipher_prepare(int token) +@@ -1551,7 +1552,7 @@ util_print_indented(msg, 0); free(msg); @@ -1099,7 +1082,7 @@ index 938cf729..74bc5687 100644 warnx("Device '%s' is left unchanged", g.pos_arg); return -ECANCELED; } -@@ -1598,25 +1599,25 @@ static int reencipher_prepare(int token) +@@ -1598,25 +1599,25 @@ if (is_old_mk) { g.fromold = 1; util_asprintf(&msg, "The secure volume key of device " @@ -1130,7 +1113,7 @@ index 938cf729..74bc5687 100644 g.verbose); if (rc != 0) { warnx("Failed to get the master key verification pattern: %s", -@@ -1636,7 +1637,7 @@ static int reencipher_prepare(int token) +@@ -1636,7 +1637,7 @@ util_print_indented("No APQN found that is suitable " "for re-enciphering the secure AES " "volume key from the OLD to the " @@ -1139,7 +1122,7 @@ index 938cf729..74bc5687 100644 goto out; } -@@ -1666,7 +1667,7 @@ static int reencipher_prepare(int token) +@@ -1666,7 +1667,7 @@ util_print_indented("No APQN found that is suitable " "for re-enciphering the secure AES " "volume key from the CURRENT to " 
@@ -1148,7 +1131,7 @@ index 938cf729..74bc5687 100644 goto out; } -@@ -1721,7 +1722,7 @@ static int reencipher_prepare(int token) +@@ -1721,7 +1722,7 @@ rc = 0; util_asprintf(&msg, "Staged re-enciphering is initiated for " @@ -1157,7 +1140,7 @@ index 938cf729..74bc5687 100644 "to become the CURRENT master key, run 'zkey-cryptsetup " "reencipher' with option '--complete' to complete the " "re-enciphering process.", g.pos_arg, -@@ -1744,6 +1745,7 @@ static int reencipher_complete(int token) +@@ -1744,6 +1745,7 @@ char vp[VERIFICATION_PATTERN_LEN]; struct reencipher_token tok; char *password = NULL; @@ -1165,7 +1148,7 @@ index 938cf729..74bc5687 100644 size_t password_len; char *key = NULL; int selected = 1; -@@ -1751,7 +1753,6 @@ static int reencipher_complete(int token) +@@ -1751,7 +1753,6 @@ int is_old_mk; char *prompt; char *msg; @@ -1173,7 +1156,7 @@ index 938cf729..74bc5687 100644 int rc; rc = get_reencipher_token(g.cd, token, &tok, true); -@@ -1762,7 +1763,7 @@ static int reencipher_complete(int token) +@@ -1762,7 +1763,7 @@ } util_asprintf(&msg, "The re-enciphered secure volume key for " @@ -1182,7 +1165,7 @@ index 938cf729..74bc5687 100644 "yet have to be set as the CURRENT master key.", g.pos_arg); util_asprintf(&prompt, "Enter passphrase for key slot %d of '%s': ", -@@ -1780,25 +1781,25 @@ static int reencipher_complete(int token) +@@ -1780,25 +1781,25 @@ if (is_old_mk) { util_asprintf(&msg, "The re-enciphered secure volume key " @@ -1213,7 +1196,7 @@ index 938cf729..74bc5687 100644 if (rc != 0) { warnx("Failed to get the master key verification " "pattern: %s", -@@ -1817,7 +1818,7 @@ static int reencipher_complete(int token) +@@ -1817,7 +1818,7 @@ util_print_indented("No APQN found that is suitable " "for re-enciphering the secure AES " "volume key from the OLD to the " 
@@ -1222,7 +1205,7 @@ index 938cf729..74bc5687 100644 goto out; } -@@ -1952,13 +1953,14 @@ static int command_validate(void) +@@ -1952,13 +1953,14 @@ int reenc_pending = 0, vp_tok_avail = 0, is_valid = 0, is_old_mk = 0; struct reencipher_token reenc_tok; struct vp_token vp_tok; @@ -1238,7 +1221,7 @@ index 938cf729..74bc5687 100644 int rc; util_asprintf(&prompt, "Enter passphrase for '%s': ", g.pos_arg); -@@ -1990,28 +1992,32 @@ static int command_validate(void) +@@ -1990,28 +1992,32 @@ } rc = get_master_key_verification_pattern((u8 *)key, keysize, @@ -1278,7 +1261,7 @@ index 938cf729..74bc5687 100644 } if (vp_tok_avail) print_verification_pattern(vp_tok.verification_pattern); -@@ -2029,10 +2035,10 @@ static int command_validate(void) +@@ -2029,10 +2035,10 @@ if (is_old_mk) util_print_indented("\nWARNING: The secure volume key is " @@ -1291,7 +1274,7 @@ index 938cf729..74bc5687 100644 if (is_valid && !vp_tok_avail) { util_asprintf(&msg, "\nWARNING: The volume key cannot be " -@@ -2148,14 +2154,14 @@ static int command_setkey(void) +@@ -2148,14 +2154,14 @@ if (is_old_mk) { util_asprintf(&msg, "The secure key in file '%s' is " @@ -1308,7 +1291,7 @@ index 938cf729..74bc5687 100644 warnx("Device '%s' is left unchanged", g.pos_arg); rc = -EINVAL; goto out; -@@ -2213,7 +2219,7 @@ static int command_setkey(void) +@@ -2213,7 +2219,7 @@ util_print_indented(msg, 0); free(msg); @@ -1317,11 +1300,9 @@ index 938cf729..74bc5687 100644 warnx("Device '%s' is left unchanged", g.pos_arg); rc = -EINVAL; goto out; -diff --git a/zkey/zkey.c b/zkey/zkey.c -index a2509afc..ab0e0149 100644 --- a/zkey/zkey.c +++ b/zkey/zkey.c -@@ -259,7 +259,7 @@ static struct util_opt opt_vec[] = { +@@ -259,7 +259,7 @@ { .option = {"complete", 0, NULL, 'p'}, .desc = "Completes a staged re-enciphering. Use this option " 
@@ -1330,7 +1311,7 @@ index a2509afc..ab0e0149 100644 "active)", .command = COMMAND_REENCIPHER, }, -@@ -874,7 +874,7 @@ static struct zkey_command zkey_commands[] = { +@@ -874,7 +874,7 @@ .long_desc = "Re-encipher an existing secure AES " "key that is either contained in SECURE-KEY-FILE " "or is stored in the repository with another " @@ -1339,7 +1320,7 @@ index a2509afc..ab0e0149 100644 .has_options = 1, .pos_arg = "[SECURE-KEY-FILE]", .pos_arg_optional = 1, -@@ -1171,7 +1171,7 @@ static int command_generate(void) +@@ -1171,7 +1171,7 @@ return EXIT_FAILURE; } @@ -1348,7 +1329,7 @@ index a2509afc..ab0e0149 100644 get_min_card_level_for_keytype(g.key_type), get_card_type_for_keytype(g.key_type), true, g.verbose); -@@ -1198,10 +1198,10 @@ static int command_generate(void) +@@ -1198,10 +1198,10 @@ static int command_reencipher_file(void) { size_t secure_key_size; @@ -1360,7 +1341,7 @@ index a2509afc..ab0e0149 100644 if (g.name != NULL) { warnx("Option '--name|-N' is not valid for " -@@ -1248,7 +1248,7 @@ static int command_reencipher_file(void) +@@ -1248,7 +1248,7 @@ } rc = get_master_key_verification_pattern(secure_key, secure_key_size, @@ -1369,7 +1350,7 @@ index a2509afc..ab0e0149 100644 if (rc != 0) { warnx("Failed to get the master key verification pattern: %s", strerror(-rc)); -@@ -1261,16 +1261,16 @@ static int command_reencipher_file(void) +@@ -1261,16 +1261,16 @@ if (is_old_mk) { g.fromold = 1; util_print_indented("The secure key is currently " @@ -1390,7 +1371,7 @@ index a2509afc..ab0e0149 100644 "master key\n", 0); } } -@@ -1279,13 +1279,13 @@ static int command_reencipher_file(void) +@@ -1279,13 +1279,13 @@ if (g.fromold) { if (!is_old_mk) { warnx("The secure key is already enciphered " @@ -1406,7 +1387,7 @@ index a2509afc..ab0e0149 100644 rc = select_cca_adapter_by_mkvp(&g.cca, mkvp, NULL, FLAG_SEL_CCA_MATCH_OLD_MKVP, -@@ -1305,7 +1305,7 @@ static int command_reencipher_file(void) +@@ -1305,7 +1305,7 @@ METHOD_OLD_TO_CURRENT, g.verbose); if (rc != 0) { 
@@ -1415,7 +1396,7 @@ index a2509afc..ab0e0149 100644 "master key has failed\n"); if (!selected) print_msg_for_cca_envvars("secure AES key"); -@@ -1315,7 +1315,7 @@ static int command_reencipher_file(void) +@@ -1315,7 +1315,7 @@ } if (g.tonew) { pr_verbose("Secure key will be re-enciphered from CURRENT " @@ -1424,7 +1405,7 @@ index a2509afc..ab0e0149 100644 rc = select_cca_adapter_by_mkvp(&g.cca, mkvp, NULL, FLAG_SEL_CCA_MATCH_CUR_MKVP | -@@ -1337,7 +1337,7 @@ static int command_reencipher_file(void) +@@ -1337,7 +1337,7 @@ rc = key_token_change(&g.cca, secure_key, secure_key_size, METHOD_CURRENT_TO_NEW, g.verbose); if (rc != 0) { @@ -1433,7 +1414,7 @@ index a2509afc..ab0e0149 100644 "master key has failed\n"); if (!selected) print_msg_for_cca_envvars("secure AES key"); -@@ -1361,7 +1361,7 @@ static int command_reencipher_file(void) +@@ -1361,7 +1361,7 @@ /* * Command handler for 'reencipher in repository'. * @@ -1442,7 +1423,7 @@ index a2509afc..ab0e0149 100644 */ static int command_reencipher_repository(void) { -@@ -1404,7 +1404,7 @@ static int command_reencipher_repository(void) +@@ -1404,7 +1404,7 @@ /* * Command handler for 'reencipher'. * @@ -1451,7 +1432,7 @@ index a2509afc..ab0e0149 100644 */ static int command_reencipher(void) { -@@ -1427,9 +1427,9 @@ static int command_validate_file(void) +@@ -1427,9 +1427,9 @@ size_t secure_key_size; size_t clear_key_size; const char *key_type; @@ -1462,7 +1443,7 @@ index a2509afc..ab0e0149 100644 int rc; if (g.name != NULL) { -@@ -1477,7 +1477,7 @@ static int command_validate_file(void) +@@ -1477,7 +1477,7 @@ } rc = get_master_key_verification_pattern(secure_key, secure_key_size, 
@@ -1471,7 +1452,7 @@ index a2509afc..ab0e0149 100644 if (rc != 0) { warnx("Failed to get the master key verification pattern: %s", strerror(-rc)); -@@ -1494,8 +1494,9 @@ static int command_validate_file(void) +@@ -1494,8 +1494,9 @@ printf(" Clear key size: %lu bits\n", clear_key_size); printf(" XTS type key: %s\n", is_xts_key(secure_key, secure_key_size) ? "Yes" : "No"); @@ -1483,7 +1464,7 @@ index a2509afc..ab0e0149 100644 printf(" Verification pattern: %.*s\n", VERIFICATION_PATTERN_LEN / 2, vp); printf(" %.*s\n", VERIFICATION_PATTERN_LEN / 2, -@@ -1753,11 +1754,11 @@ static int command_convert_file(void) +@@ -1753,11 +1754,11 @@ u8 output_key[2 * MAX_SECURE_KEY_SIZE]; unsigned int output_key_size; size_t secure_key_size; @@ -1496,7 +1477,7 @@ index a2509afc..ab0e0149 100644 if (g.name != NULL) { warnx("Option '--name|-N' is not valid for " -@@ -1778,7 +1779,7 @@ static int command_convert_file(void) +@@ -1778,7 +1779,7 @@ return EXIT_FAILURE; } @@ -1505,7 +1486,7 @@ index a2509afc..ab0e0149 100644 get_card_type_for_keytype(g.key_type), true, g.verbose); if (rc == -EINVAL) -@@ -1802,7 +1803,7 @@ static int command_convert_file(void) +@@ -1802,7 +1803,7 @@ } rc = get_master_key_verification_pattern(secure_key, secure_key_size, diff --git a/debian/patches/series b/debian/patches/series index f24af1a..309dc13 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -117,3 +117,4 @@ s390-tools-sru-lp1902179-focal.patch 0001-genprotimg-add-host-key-document-verification.patch 0002-genprotimg-add-missing-return.patch 0003-genprotimg-check-return-value-of-BIO_reset.patch +78b0533-genprotimg-remove-DigiCert-root-CA-pinning.patch diff --git a/debian/patches/sg3-utils.patch b/debian/patches/sg3-utils.patch index 7b7bcc0..ea63f2f 100644 --- a/debian/patches/sg3-utils.patch +++ b/debian/patches/sg3-utils.patch 
@@ -4,11 +4,9 @@ Forwarded: no Last-Update: 2015-12-08 --- This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ -Index: s390-tools-1.32.0/zconf/lsluns -=================================================================== ---- s390-tools-1.32.0.orig/zconf/lsluns -+++ s390-tools-1.32.0/zconf/lsluns -@@ -321,7 +321,7 @@ push @port, map { @{$res_hash{$_}} } key +--- a/zconf/lsluns ++++ b/zconf/lsluns +@@ -333,7 +333,7 @@ # checking for helper progs diff --git a/debian/patches/zipl-optional.patch b/debian/patches/zipl-optional.patch index f45e0ea..c18d4dc 100644 --- a/debian/patches/zipl-optional.patch +++ b/debian/patches/zipl-optional.patch @@ -1,8 +1,6 @@ -Index: s390-tools-2.8.0/zipl/src/bootmap.c -=================================================================== ---- s390-tools-2.8.0.orig/zipl/src/bootmap.c -+++ s390-tools-2.8.0/zipl/src/bootmap.c -@@ -998,6 +998,12 @@ build_program_table(int fd, struct job_d +--- a/zipl/src/bootmap.c ++++ b/zipl/src/bootmap.c +@@ -1002,6 +1002,12 @@ for (i=0; i < job->data.menu.num; i++) { switch (job->data.menu.entry[i].id) { case job_ipl: @@ -15,11 +13,9 @@ Index: s390-tools-2.8.0/zipl/src/bootmap.c printf("Adding #%d: IPL section '%s'%s", job->data.menu.entry[i].pos, job->data.menu.entry[i].name, -Index: s390-tools-2.8.0/zipl/src/scan.c -=================================================================== ---- s390-tools-2.8.0.orig/zipl/src/scan.c -+++ s390-tools-2.8.0/zipl/src/scan.c -@@ -45,45 +45,45 @@ enum scan_key_state scan_key_table[SCAN_ +--- a/zipl/src/scan.c ++++ b/zipl/src/scan.c +@@ -45,45 +45,45 @@ * ult to tofs e mete file isk ent et pt out ultm dump * rs enu * @@ -77,7 +73,7 @@ Index: s390-tools-2.8.0/zipl/src/scan.c }; /* Mapping of keyword IDs to strings */ -@@ -112,6 +112,7 @@ static const struct { +@@ -112,6 +112,7 @@ { "tape", scan_keyword_tape}, { "kdump", scan_keyword_kdump}, { "secure", scan_keyword_secure}, 
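Review bot: The refreshed debian/patches/zipl-optional.patch still begins directly with `--- a/zipl/src/bootmap.c` (first hunk, `@@ -1,8 +1,6 @@`), so it carries no DEP-3 header, whereas sg3-utils.patch, refreshed in the same commit, declares one. Judging by the file name and the zipl job and scan sources it touches, the patch appears to change how zipl treats boot sections, so its origin and upstream status are worth recording for anyone auditing the boot path. I would add a header above the first `---` line with at least `Description: <one-line summary>`, `Author: <name and address>` and `Forwarded: <no|URL>`, plus a `Last-Update:` date.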
@@ -85,10 +81,8 @@ Index: s390-tools-2.8.0/zipl/src/scan.c }; /* List of keywords that are used without an assignment */ -Index: s390-tools-2.8.0/zipl/include/job.h -=================================================================== ---- s390-tools-2.8.0.orig/zipl/include/job.h -+++ s390-tools-2.8.0/zipl/include/job.h +--- a/zipl/include/job.h ++++ b/zipl/include/job.h @@ -13,6 +13,8 @@ #ifndef JOB_H #define JOB_H @@ -98,7 +92,7 @@ Index: s390-tools-2.8.0/zipl/include/job.h #include "disk.h" #include "zipl.h" -@@ -47,6 +49,8 @@ struct job_ipl_data { +@@ -47,6 +49,8 @@ address_t parm_addr; address_t ramdisk_addr; int is_kdump; @@ -107,11 +101,9 @@ Index: s390-tools-2.8.0/zipl/include/job.h }; struct job_segment_data { -Index: s390-tools-2.8.0/zipl/src/job.c -=================================================================== ---- s390-tools-2.8.0.orig/zipl/src/job.c -+++ s390-tools-2.8.0/zipl/src/job.c -@@ -800,14 +800,20 @@ out_free: +--- a/zipl/src/job.c ++++ b/zipl/src/job.c +@@ -809,14 +809,20 @@ static int @@ -134,7 +126,7 @@ Index: s390-tools-2.8.0/zipl/src/job.c error_text("Image file '%s'", ipl->image); } else { error_text("Image file '%s' in section '%s'", -@@ -819,7 +825,13 @@ check_job_ipl_data(struct job_ipl_data * +@@ -828,7 +834,13 @@ if (ipl->ramdisk != NULL) { rc = misc_check_readable_file(ipl->ramdisk); if (rc) { @@ -149,7 +141,7 @@ Index: s390-tools-2.8.0/zipl/src/job.c error_text("Ramdisk file '%s'", ipl->ramdisk); } else { error_text("Ramdisk file '%s' in section '%s'", -@@ -916,9 +928,13 @@ check_job_menu_data(struct job_menu_data +@@ -925,9 +937,13 @@ switch (menu->entry[i].id) { case job_ipl: rc = check_job_ipl_data(&menu->entry[i].data.ipl, @@ -164,7 +156,7 @@ Index: s390-tools-2.8.0/zipl/src/job.c break; case job_print_usage: case job_print_version: -@@ -1067,7 +1083,7 @@ check_job_data(struct job_data* job) +@@ -1076,7 +1092,7 @@ rc = 0; break; case job_ipl: 
@@ -173,7 +165,7 @@ Index: s390-tools-2.8.0/zipl/src/job.c break; case job_menu: rc = check_job_menu_data(&job->data.menu); -@@ -1378,6 +1394,8 @@ get_job_from_section_data(char* data[], +@@ -1387,6 +1403,8 @@ if (rc) return rc; } @@ -182,11 +174,9 @@ Index: s390-tools-2.8.0/zipl/src/job.c break; case section_ipl_tape: /* Tape IPL job */ -Index: s390-tools-2.8.0/zipl/man/zipl.conf.5.in -=================================================================== ---- s390-tools-2.8.0.orig/zipl/man/zipl.conf.5.in -+++ s390-tools-2.8.0/zipl/man/zipl.conf.5.in -@@ -436,6 +436,22 @@ This option cannot be used together with +--- a/zipl/man/zipl.conf.5.in ++++ b/zipl/man/zipl.conf.5.in +@@ -447,6 +447,22 @@ .BR 'segment' . .PP @@ -209,10 +199,8 @@ Index: s390-tools-2.8.0/zipl/man/zipl.conf.5.in .B parameters = .I kernel\-parameters -Index: s390-tools-2.8.0/zipl/include/scan.h -=================================================================== ---- s390-tools-2.8.0.orig/zipl/include/scan.h -+++ s390-tools-2.8.0/zipl/include/scan.h +--- a/zipl/include/scan.h ++++ b/zipl/include/scan.h @@ -16,7 +16,7 @@ @@ -222,7 +210,7 @@ Index: s390-tools-2.8.0/zipl/include/scan.h #define SCAN_KEYWORD_ONLY_NUM 1 #define SCAN_AUTOMENU_NAME "zipl-automatic-menu" -@@ -52,6 +52,7 @@ enum scan_keyword_id { +@@ -52,6 +52,7 @@ scan_keyword_defaultauto = 19, scan_keyword_kdump = 20, scan_keyword_secure = 21,