Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
Please login to access the resource
SUSE:SLE-15-SP2:Update
s390-tools.15932
s390-tools-sles15sp2-12-zkey-Cross-check-APQNs-...
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File s390-tools-sles15sp2-12-zkey-Cross-check-APQNs-when-importing-secure-keys.patch of Package s390-tools.15932
Subject: zkey: Cross check APQNs when importing secure keys From: Ingo Franzki <ifranzki@linux.ibm.com> Summary: zkey: check master key consistency Description: Enhances the zkey tool to perform a cross check whether the APQNs associated with a secure key have the same master key. Display the master key verification pattern of a secure key during the zkey validate command. This helps to better identify which master key is the correct one, in case of master key inconsistencies. Select an appropriate APQN when re-enciphering a secure key. Re-enciphering is done using the CCA host library. Special handling is required to select an appropriate APQN for use with the CCA host library. Upstream-ID: d854aed4b8154e7420def8749db2106a049dd80a Problem-ID: SEC1916 Upstream-Description: zkey: Cross check APQNs when importing secure keys Perform a cross check of the APQNs when an existing secure AES key is imported into the key repository. When a set of APQNs are associated to the imported secure key, these APQNs are cross checked. If no APQNs are associated to imported secure key, then all currently available APQNs are cross checked. If a master key mismatch is detected, then the key import is rejected. Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com> Reviewed-by: Harald Freudenberger <freude@linux.ibm.com> Signed-off-by: Jan Hoeppner <hoeppner@linux.ibm.com> Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com> --- zkey/keystore.c | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) --- a/zkey/keystore.c +++ b/zkey/keystore.c @@ -1770,6 +1770,7 @@ int keystore_import_key(struct keystore struct properties *key_props = NULL; size_t secure_key_size; u8 *secure_key; + u64 mkvp; int rc; util_assert(keystore != NULL, "Internal error: keystore is NULL"); @@ -1791,9 +1792,26 @@ int keystore_import_key(struct keystore goto out_free_key_filenames; } + rc = get_master_key_verification_pattern(secure_key, secure_key_size, + &mkvp, keystore->verbose); + if (rc != 0) { + warnx("Failed to get the master key verification pattern: %s", + strerror(-rc)); + goto out_free_key; + } + + rc = cross_check_apqns(apqns, mkvp, true, keystore->verbose); + if (rc == -EINVAL) + goto out_free_key; + if (rc != 0 && rc != -ENOTSUP && noapqncheck == 0) { + warnx("Your master key setup is improper"); + goto out_free_key; + } + rc = write_secure_key(file_names.skey_filename, secure_key, secure_key_size, keystore->verbose); free(secure_key); + secure_key = NULL; if (rc != 0) goto out_free_props; @@ -1811,6 +1829,9 @@ int keystore_import_key(struct keystore "Successfully imported a secure key in '%s' and key info in '%s'", file_names.skey_filename, file_names.info_filename); +out_free_key: + if (secure_key != NULL) + free(secure_key); out_free_props: if (key_props != NULL) properties_free(key_props);
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor