File s390-tools-sles15sp2-11-zkey-Cross-check-APQNs-... of Package s390-tools.17983

Overview Repositories Revisions Requests Users Attributes Meta

File s390-tools-sles15sp2-11-zkey-Cross-check-APQNs-when-validating-secure-keys.patch of Package s390-tools.17983

Subject: zkey: Cross check APQNs when validating secure keys
From: Ingo Franzki <ifranzki@linux.ibm.com>

Summary:     zkey: check master key consistency
Description: Enhances the zkey tool to perform a cross check whether the
             APQNs associated with a secure key have the same master key.
             Display the master key verification pattern of a secure key
             during the zkey validate command. This helps to better identify
             which master key is the correct one, in case of master key 
             inconsistencies.
             Select an appropriate APQN when re-enciphering a secure key.
             Re-enciphering is done using the CCA host library. Special
             handling is required to select an appropriate APQN for use with
             the CCA host library.
Upstream-ID: 7f8e31e8619b32297b432a4882d78af79de37a58
Problem-ID:  SEC1916

Upstream-Description:

zkey: Cross check APQNs when validating secure keys

Perform a cross check of the APQNs when a secure AES key is validated.
             When a set of APQNs are associated to a secure key, these APQNs are
             cross checked. If a secure key is validated outside of the key repository,
             or no APQNs are associated to a secure key inside the key repository,
             then all currently available APQNs are cross checked. If a master key
             mismatch is detected, then an error message is issued.

Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
             Reviewed-by: Harald Freudenberger <freude@linux.ibm.com>
             Signed-off-by: Jan Hoeppner <hoeppner@linux.ibm.com>

Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
---
 zkey/keystore.c |   34 ++++++++++++----------------------
 zkey/zkey.c     |    9 +++++++++
 2 files changed, 21 insertions(+), 22 deletions(-)

--- a/zkey/keystore.c
+++ b/zkey/keystore.c
@@ -2252,43 +2252,32 @@ struct validate_info {
 /**
  * Displays the status of the associated APQNs.
  *
+ * @param[in] keystore the key store
  * @param[in] properties  the properties of the key
- * @param[in] name        the name of the key
+ * @param[in] mkvp        the master key verification pattern of the key
  *
  * @returns 0 in case of success, 1 if at least one of the APQNs is not
- *          available
+ *          available or has a master key mismatch
  */
-static int _keystore_display_apqn_status(struct properties *properties,
-					 const char *name)
+static int _keystore_display_apqn_status(struct keystore *keystore,
+					 struct properties *properties,
+					 u64 mkvp)
 {
-	int i, rc, card, domain, warning = 0;
-	char **apqn_list;
+	int rc, warning = 0;
 	char *apqns;
 
 	apqns = properties_get(properties, PROP_NAME_APQNS);
 	if (apqns == NULL)
 		return 0;
-	apqn_list = str_list_split(apqns);
-
-	for (i = 0; apqn_list[i] != NULL; i++) {
-
-		if (sscanf(apqn_list[i], "%x.%x", &card, &domain) != 2)
-			continue;
 
-		rc = sysfs_is_apqn_online(card, domain);
-		if (rc != 1) {
-			printf("WARNING: The APQN %02x.%04x associated with "
-			       "key '%s' is %s\n", card, domain, name,
-			       rc == -1 ? "not a CCA card" : "not online");
-			warning = 1;
-		}
-	}
+	rc = cross_check_apqns(apqns, mkvp, true, keystore->verbose);
+	if (rc != 0 && rc != -ENOTSUP)
+		warning = 1;
 
 	if (warning)
 		printf("\n");
 
 	free(apqns);
-	str_list_free_string_array(apqn_list);
 	return warning;
 }
 /**
@@ -2405,7 +2394,8 @@ static int _keystore_process_validate(st
 		info->num_warnings++;
 	}
 	if (info->noapqncheck == 0)
-		if (_keystore_display_apqn_status(properties, name) != 0)
+		if (_keystore_display_apqn_status(keystore, properties,
+						  mkvp) != 0)
 			info->num_warnings++;
 	if (_keystore_display_volume_status(properties, name) != 0)
 		info->num_warnings++;
--- a/zkey/zkey.c
+++ b/zkey/zkey.c
@@ -1380,6 +1380,15 @@ static int command_validate_file(void)
 	printf("                         %.*s\n", VERIFICATION_PATTERN_LEN / 2,
 	       &vp[VERIFICATION_PATTERN_LEN / 2]);
 
+	rc = cross_check_apqns(NULL, mkvp, true, g.verbose);
+	if (rc == -EINVAL)
+		return EXIT_FAILURE;
+	if (rc != 0 && rc != -ENOTSUP) {
+		warnx("Your master key setup is improper");
+		rc = EXIT_FAILURE;
+		goto out;
+	}
+
 out:
 	free(secure_key);
 	return rc;

Places

File s390-tools-sles15sp2-11-zkey-Cross-check-APQNs-when-validating-secure-keys.patch of Package s390-tools.17983

Places