File s390-tools-sles15sp2-06-zkey-Add-function-to-print-the-MKVPs-of-APQNs.patch of Package s390-tools.15932
Subject: zkey: Add function to print the MKVPs of APQNs
From: Ingo Franzki <ifranzki@linux.ibm.com>
Summary: zkey: check master key consistency
Description: Enhances the zkey tool to perform a cross check whether the
APQNs associated with a secure key have the same master key.
Display the master key verification pattern of a secure key
during the zkey validate command. This helps to better identify
which master key is the correct one, in case of master key
inconsistencies.
Select an appropriate APQN when re-enciphering a secure key.
Re-enciphering is done using the CCA host library. Special
handling is required to select an appropriate APQN for use with
the CCA host library.
Upstream-ID: bfc3dd018c4f0cc17f8463d8bd6be16aab8de4a4
Problem-ID: SEC1916
Upstream-Description:
zkey: Add function to print the MKVPs of APQNs
Add a utility function to print the master key verification patterns
of a set of APQNs. This allows the user to visually check which
master keys are set on which APQNs.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
Reviewed-by: Harald Freudenberger <freude@linux.ibm.com>
Signed-off-by: Jan Hoeppner <hoeppner@linux.ibm.com>
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
---
zkey/utils.c | 80 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
zkey/utils.h | 2 +
2 files changed, 82 insertions(+)
--- a/zkey/utils.c
+++ b/zkey/utils.c
@@ -426,3 +426,83 @@ int handle_apqns(const char *apqns, apqn
return rc;
}
+
+struct print_apqn_info {
+ struct util_rec *rec;
+ bool verbose;
+};
+
+static int print_apqn_mk_info(int card, int domain, void *handler_data)
+{
+ struct print_apqn_info *info = (struct print_apqn_info *)handler_data;
+ struct mk_info mk_info;
+ int rc;
+
+ rc = sysfs_get_mkvps(card, domain, &mk_info, info->verbose);
+ if (rc == -ENOTSUP)
+ return rc;
+
+ util_rec_set(info->rec, "APQN", "%02x.%04x", card, domain);
+
+ if (rc == 0) {
+ if (mk_info.new_mk.mk_state == MK_STATE_FULL)
+ util_rec_set(info->rec, "NEW", "%016llx",
+ mk_info.new_mk.mkvp);
+ else if (mk_info.new_mk.mk_state == MK_STATE_PARTIAL)
+ util_rec_set(info->rec, "NEW", "partially loaded");
+ else
+ util_rec_set(info->rec, "NEW", "-");
+
+ if (mk_info.cur_mk.mk_state == MK_STATE_VALID)
+ util_rec_set(info->rec, "CUR", "%016llx",
+ mk_info.cur_mk.mkvp);
+ else
+ util_rec_set(info->rec, "CUR", "-");
+
+ if (mk_info.old_mk.mk_state == MK_STATE_VALID)
+ util_rec_set(info->rec, "OLD", "%016llx",
+ mk_info.old_mk.mkvp);
+ else
+ util_rec_set(info->rec, "OLD", "-");
+ } else {
+ util_rec_set(info->rec, "NEW", "?");
+ util_rec_set(info->rec, "CUR", "?");
+ util_rec_set(info->rec, "OLD", "?");
+ }
+
+ util_rec_print(info->rec);
+
+ return 0;
+}
+
+/**
+ * Prints master key information for all specified APQNs
+ *
+ * @param[in] apqns a comma separated list of APQNs. If NULL is specified,
+ * or an empty string, then all online CCA APQNs are
+ * printed.
+ * @param[in] verbose if true, verbose messages are printed
+ *
+ * @returns 0 for success or a negative errno in case of an error. -ENOTSUP is
+ * returned when the mkvps sysfs attribute is not available, because
+ * the zcrypt kernel module is on an older level.
+ */
+int print_mk_info(const char *apqns, bool verbose)
+{
+ struct print_apqn_info info;
+ int rc;
+
+ info.verbose = verbose;
+ info.rec = util_rec_new_wide("-");
+
+ util_rec_def(info.rec, "APQN", UTIL_REC_ALIGN_LEFT, 11, "CARD.DOMAIN");
+ util_rec_def(info.rec, "NEW", UTIL_REC_ALIGN_LEFT, 16, "NEW MK");
+ util_rec_def(info.rec, "CUR", UTIL_REC_ALIGN_LEFT, 16, "CURRENT MK");
+ util_rec_def(info.rec, "OLD", UTIL_REC_ALIGN_LEFT, 16, "OLD MK");
+ util_rec_print_hdr(info.rec);
+
+ rc = handle_apqns(apqns, print_apqn_mk_info, &info, verbose);
+
+ util_rec_free(info.rec);
+ return rc;
+}
--- a/zkey/utils.h
+++ b/zkey/utils.h
@@ -46,4 +46,6 @@ typedef int(*apqn_handler_t) (int card,
int handle_apqns(const char *apqns, apqn_handler_t handler, void *handler_data,
bool verbose);
+int print_mk_info(const char *apqns, bool verbose);
+
#endif