Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
openSUSE:Step:FrontRunner
s390-tools.19914
s390-tools-sles15sp2-09-zkey-Display-MKVP-when-...
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File s390-tools-sles15sp2-09-zkey-Display-MKVP-when-validating-a-secure-key.patch of Package s390-tools.19914
Subject: zkey: Display MKVP when validating a secure key From: Ingo Franzki <ifranzki@linux.ibm.com> Summary: zkey: check master key consistency Description: Enhances the zkey tool to perform a cross check whether the APQNs associated with a secure key have the same master key. Display the master key verification pattern of a secure key during the zkey validate command. This helps to better identify which master key is the correct one, in case of master key inconsistencies. Select an appropriate APQN when re-enciphering a secure key. Re-enciphering is done using the CCA host library. Special handling is required to select an appropriate APQN for use with the CCA host library. Upstream-ID: c2244a57950f4eb35e3209151dcf48de66828df1 Problem-ID: SEC1916 Upstream-Description: zkey: Display MKVP when validating a secure key Display the master key verification pattern of a secure key while 'zkey validate' and 'zkey-cryptsetup validate' Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com> Reviewed-by: Harald Freudenberger <freude@linux.ibm.com> Signed-off-by: Jan Hoeppner <hoeppner@linux.ibm.com> Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com> --- zkey/keystore.c | 20 ++++++++++++++------ zkey/zkey-cryptsetup.c | 16 +++++++++++++--- zkey/zkey.c | 14 ++++++++++++-- 3 files changed, 39 insertions(+), 11 deletions(-) --- a/zkey/keystore.c +++ b/zkey/keystore.c @@ -2107,7 +2107,7 @@ static void _keystore_print_record(struc bool validation, const char *skey_filename, size_t secure_key_size, size_t clear_key_bitsize, bool valid, - bool is_old_mk, bool reenc_pending) + bool is_old_mk, bool reenc_pending, u64 mkvp) { char temp_vp[VERIFICATION_PATTERN_LEN + 2]; char *volumes_argz = NULL; @@ -2169,10 +2169,11 @@ static void _keystore_print_record(struc if (validation) { if (valid) util_rec_set(rec, REC_MASTERKEY, - is_old_mk ? "OLD CCA master key" : - "CURRENT CCA master key"); + "%s CCA master key (MKVP: %016llx)", + is_old_mk ? "OLD" : "CURRENT", mkvp); else - util_rec_set(rec, REC_MASTERKEY, "(unknown)"); + util_rec_set(rec, REC_MASTERKEY, + "(unknown, MKVP: %016llx)", mkvp); } if (volumes_argz != NULL) util_rec_set_argz(rec, REC_VOLUMES, volumes_argz, @@ -2350,6 +2351,7 @@ static int _keystore_process_validate(st u8 *secure_key; int is_old_mk; int rc, valid; + u64 mkvp; rc = _keystore_ensure_keyfiles_exist(file_names, name); if (rc != 0) @@ -2373,12 +2375,18 @@ static int _keystore_process_validate(st info->num_valid++; valid = 1; } + + rc = get_master_key_verification_pattern(secure_key, secure_key_size, + &mkvp, keystore->verbose); free(secure_key); + if (rc) + goto out; _keystore_print_record(info->rec, name, properties, 1, file_names->skey_filename, secure_key_size, clear_key_bitsize, valid, is_old_mk, - _keystore_reencipher_key_exists(file_names)); + _keystore_reencipher_key_exists(file_names), + mkvp); if (valid && is_old_mk) { util_print_indented("WARNING: The secure key is currently " @@ -3131,7 +3139,7 @@ static int _keystore_display_key(struct IS_XTS(secure_key_size) ? secure_key->bitsize * 2 : secure_key->bitsize, 0, 0, - _keystore_reencipher_key_exists(file_names)); + _keystore_reencipher_key_exists(file_names), 0); out: free(secure_key); --- a/zkey/zkey-cryptsetup.c +++ b/zkey/zkey-cryptsetup.c @@ -1834,6 +1834,7 @@ static int command_validate(void) char *prompt; char *msg; int token; + u64 mkvp; int rc; util_asprintf(&prompt, "Enter passphrase for '%s': ", g.pos_arg); @@ -1864,6 +1865,14 @@ static int command_validate(void) vp_tok_avail = 1; } + rc = get_master_key_verification_pattern((u8 *)key, keysize, + &mkvp, g.verbose); + if (rc != 0) { + warnx("Failed to get the master key verification pattern: %s", + strerror(-rc)); + goto out; + } + printf("Validation of secure volume key of device '%s':\n", g.pos_arg); printf(" Status: %s\n", is_valid ? "Valid" : "Invalid"); printf(" Secure key size: %lu bytes\n", keysize); @@ -1871,11 +1880,12 @@ static int command_validate(void) keysize > SECURE_KEY_SIZE ? "Yes" : "No"); if (is_valid) { printf(" Clear key size: %lu bits\n", clear_keysize); - printf(" Enciphered with: %s CCA master key\n", - is_old_mk ? "OLD" : "CURRENT"); + printf(" Enciphered with: %s CCA master key (MKVP: " + "%016llx)\n", is_old_mk ? "OLD" : "CURRENT", mkvp); } else { printf(" Clear key size: (unknown)\n"); - printf(" Enciphered with: (unknown)\n"); + printf(" Enciphered with: (unknown, MKVP: %016llx)\n", + mkvp); } if (vp_tok_avail) print_verification_pattern(vp_tok.verification_pattern); --- a/zkey/zkey.c +++ b/zkey/zkey.c @@ -1300,6 +1300,7 @@ static int command_validate_file(void) size_t clear_key_size; u8 *secure_key; int is_old_mk; + u64 mkvp; int rc; if (g.name != NULL) { @@ -1346,14 +1347,23 @@ static int command_validate_file(void) goto out; } + rc = get_master_key_verification_pattern(secure_key, secure_key_size, + &mkvp, g.verbose); + if (rc != 0) { + warnx("Failed to get the master key verification pattern: %s", + strerror(-rc)); + rc = EXIT_FAILURE; + goto out; + } + printf("Validation of secure key in file '%s':\n", g.pos_arg); printf(" Status: Valid\n"); printf(" Secure key size: %lu bytes\n", secure_key_size); printf(" Clear key size: %lu bits\n", clear_key_size); printf(" XTS type key: %s\n", secure_key_size > SECURE_KEY_SIZE ? "Yes" : "No"); - printf(" Enciphered with: %s CCA master key\n", - is_old_mk ? "OLD" : "CURRENT"); + printf(" Enciphered with: %s CCA master key (MKVP: %016llx)\n", + is_old_mk ? "OLD" : "CURRENT", mkvp); printf(" Verification pattern: %.*s\n", VERIFICATION_PATTERN_LEN / 2, vp); printf(" %.*s\n", VERIFICATION_PATTERN_LEN / 2,
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor