[22.04 FEAT] zcrypt DD: Exploitation Support of new IBM Z Crypto Hardware (s390-tools part)
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Ubuntu on IBM z Systems |
Fix Released
|
High
|
Skipper Bug Screeners | ||
s390-tools (Ubuntu) |
Fix Released
|
High
|
Unassigned | ||
Jammy |
Fix Released
|
High
|
Unassigned | ||
Kinetic |
Fix Released
|
High
|
Unassigned | ||
s390-tools-signed (Ubuntu) |
Fix Released
|
High
|
Unassigned | ||
Jammy |
Fix Released
|
High
|
Unassigned | ||
Kinetic |
Fix Released
|
High
|
Unassigned |
Bug Description
SRU Justification:
==================
[Impact]
* This in a hardware enablement SRU,
and mainly adds support for CryptoExpress 8S adapters
to the s390-tools package.
* With that the new options 'show_serialnum
'--accelonly', '--ccaonly' and '--ep11only'
are introduced to the lszcrypt tool.
* In addition lszcrypt now supports the checkstop state
of a crypto card, that is provided by the 'chkstop'
attribute in the sysfs of newer kernels.
* And lszcrypt now shows the AP bus msg size limit capability,
which is needed for new adapter cards.
* New codes for zcryptstats are needed as well.
[Test Plan]
* Prepare an IBM z16 LPAR with Ubuntu 22.04 (incl. this patch)
that has an CryptoExpress 8S adapter attached to it
and at least one crypto domain online and available.
* Call 'lszcrypt -V' and check the 2nd column called 'type'
and the last column called 'driver'.
* If both have entries that start with "cex8..." then the new
CryptoExpress 8S driver is active and the new card is detected
and can be used (and the new features exploited).
* If the driver listed there is older than 'cex8',
than the new card is probably detected as an older type
and it runs in toleration mode only.
* Try and test the new options.
* Run zcryptstats and with that make use of the new codes
(which actually means add CEX8S support for zcryptstats).
* And finally extending lszcrypt's capabilities and
make it aware of CEX8S.
[Where problems could occur]
* The new declarations, initializations or the scan for the serial numbers
of the devices could fail, which would lead to a non-working
or even erroneous new '-s' option.
* The new filter mechanism could be broken and now incorrect
resources, but this would be limited to the new options
'--cardonly' and '--queueonly'.
* The same applies to the new options
'--accelonly', '--ccaonly' and '--ep11only'.
* The handling of the new chkstop state can be confusing or might be
broken, which may lead to wrong state representations.
* The new AP bus msg size limit mights be incorrectly calculated,
which leads to a wrong size and with that certain feature not to work.
* The new zcryptstats might come with wrong or mixed codes,
which would lead to wrong and misleading statistics,
or even break zcryptstats.
* Regarding the lszcrypt capability extension there is no danger
since an existing case statement is extended and the case content
reused unchanged.
* All this is s390x specific, and only affects the handling for
CryptoExpress 8S adapters. It won't have an impact on CPACF.
__________
zcrypt DD: Exploitation Support of new IBM Z Crypto Hardware - s390-tools part
affects: | linux (Ubuntu) → s390-tools (Ubuntu) |
Changed in ubuntu-z-systems: | |
assignee: | nobody → Skipper Bug Screeners (skipper-screen-team) |
Changed in s390-tools (Ubuntu): | |
importance: | Undecided → High |
Changed in ubuntu-z-systems: | |
importance: | Undecided → High |
Changed in ubuntu-z-systems: | |
status: | New → Incomplete |
Changed in s390-tools (Ubuntu): | |
status: | New → Incomplete |
Changed in s390-tools-signed (Ubuntu): | |
status: | New → Incomplete |
description: | updated |
Changed in s390-tools (Ubuntu): | |
assignee: | Skipper Bug Screeners (skipper-screen-team) → Frank Heimes (fheimes) |
information type: | Private → Public |
description: | updated |
Changed in s390-tools-signed (Ubuntu): | |
status: | Incomplete → In Progress |
assignee: | nobody → Frank Heimes (fheimes) |
importance: | Undecided → High |
Changed in s390-tools-signed (Ubuntu Kinetic): | |
assignee: | Frank Heimes (fheimes) → nobody |
Changed in s390-tools (Ubuntu Kinetic): | |
assignee: | Frank Heimes (fheimes) → nobody |
Changed in s390-tools-signed (Ubuntu Kinetic): | |
status: | In Progress → Fix Committed |
Changed in s390-tools-signed (Ubuntu Jammy): | |
status: | New → In Progress |
Changed in s390-tools (Ubuntu Kinetic): | |
status: | In Progress → Fix Committed |
Changed in s390-tools (Ubuntu Jammy): | |
status: | New → In Progress |
Changed in ubuntu-z-systems: | |
status: | In Progress → Fix Committed |
Changed in s390-tools (Ubuntu Jammy): | |
importance: | Undecided → High |
Changed in s390-tools-signed (Ubuntu Jammy): | |
importance: | Undecided → High |
Changed in s390-tools-signed (Ubuntu Jammy): | |
status: | In Progress → Fix Committed |
Changed in s390-tools-signed (Ubuntu Kinetic): | |
status: | Fix Committed → Fix Released |
Changed in s390-tools-signed (Ubuntu Jammy): | |
status: | Fix Committed → Fix Released |
Changed in ubuntu-z-systems: | |
status: | Fix Committed → Fix Released |
------- Comment From <email address hidden> 2022-01-30 22:55 EDT-------
This also has a kernel part:
Canonical LP#1959547 - IBM BZ#196080[22.04 FEAT] zcrypt DD: Exploitation Support of new IBM Z Crypto Hardware - kernel part