File s390-tools-sles15sp2-11-zkey-Cross-check-APQNs-when-validating-secure-keys.patch of Package s390-tools.16701
Subject: zkey: Cross check APQNs when validating secure keys
From: Ingo Franzki <ifranzki@linux.ibm.com>
Summary: zkey: check master key consistency
Description: Enhances the zkey tool to perform a cross check whether the
APQNs associated with a secure key have the same master key.
Display the master key verification pattern of a secure key
during the zkey validate command. This helps to better identify
which master key is the correct one, in case of master key
inconsistencies.
Select an appropriate APQN when re-enciphering a secure key.
Re-enciphering is done using the CCA host library. Special
handling is required to select an appropriate APQN for use with
the CCA host library.
Upstream-ID: 7f8e31e8619b32297b432a4882d78af79de37a58
Problem-ID: SEC1916
Upstream-Description:
zkey: Cross check APQNs when validating secure keys
Perform a cross check of the APQNs when a secure AES key is validated.
When a set of APQNs are associated to a secure key, these APQNs are
cross checked. If a secure key is validated outside of the key repository,
or no APQNs are associated to a secure key inside the key repository,
then all currently available APQNs are cross checked. If a master key
mismatch is detected, then an error message is issued.
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
Reviewed-by: Harald Freudenberger <freude@linux.ibm.com>
Signed-off-by: Jan Hoeppner <hoeppner@linux.ibm.com>
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
---
zkey/keystore.c | 34 ++++++++++++----------------------
zkey/zkey.c | 9 +++++++++
2 files changed, 21 insertions(+), 22 deletions(-)
--- a/zkey/keystore.c
+++ b/zkey/keystore.c
@@ -2252,43 +2252,32 @@ struct validate_info {
/**
* Displays the status of the associated APQNs.
*
+ * @param[in] keystore the key store
* @param[in] properties the properties of the key
- * @param[in] name the name of the key
+ * @param[in] mkvp the master key verification pattern of the key
*
* @returns 0 in case of success, 1 if at least one of the APQNs is not
- * available
+ * available or has a master key mismatch
*/
-static int _keystore_display_apqn_status(struct properties *properties,
- const char *name)
+static int _keystore_display_apqn_status(struct keystore *keystore,
+ struct properties *properties,
+ u64 mkvp)
{
- int i, rc, card, domain, warning = 0;
- char **apqn_list;
+ int rc, warning = 0;
char *apqns;
apqns = properties_get(properties, PROP_NAME_APQNS);
if (apqns == NULL)
return 0;
- apqn_list = str_list_split(apqns);
-
- for (i = 0; apqn_list[i] != NULL; i++) {
-
- if (sscanf(apqn_list[i], "%x.%x", &card, &domain) != 2)
- continue;
- rc = sysfs_is_apqn_online(card, domain);
- if (rc != 1) {
- printf("WARNING: The APQN %02x.%04x associated with "
- "key '%s' is %s\n", card, domain, name,
- rc == -1 ? "not a CCA card" : "not online");
- warning = 1;
- }
- }
+ rc = cross_check_apqns(apqns, mkvp, true, keystore->verbose);
+ if (rc != 0 && rc != -ENOTSUP)
+ warning = 1;
if (warning)
printf("\n");
free(apqns);
- str_list_free_string_array(apqn_list);
return warning;
}
/**
@@ -2405,7 +2394,8 @@ static int _keystore_process_validate(st
info->num_warnings++;
}
if (info->noapqncheck == 0)
- if (_keystore_display_apqn_status(properties, name) != 0)
+ if (_keystore_display_apqn_status(keystore, properties,
+ mkvp) != 0)
info->num_warnings++;
if (_keystore_display_volume_status(properties, name) != 0)
info->num_warnings++;
--- a/zkey/zkey.c
+++ b/zkey/zkey.c
@@ -1380,6 +1380,15 @@ static int command_validate_file(void)
printf(" %.*s\n", VERIFICATION_PATTERN_LEN / 2,
&vp[VERIFICATION_PATTERN_LEN / 2]);
+ rc = cross_check_apqns(NULL, mkvp, true, g.verbose);
+ if (rc == -EINVAL)
+ return EXIT_FAILURE;
+ if (rc != 0 && rc != -ENOTSUP) {
+ warnx("Your master key setup is improper");
+ rc = EXIT_FAILURE;
+ goto out;
+ }
+
out:
free(secure_key);
return rc;
