[Bug 1959548] Re: [22.04 FEAT] zcrypt DD: Exploitation Support of new IBM Z Crypto Hardware (s390-tools part)
Frank Heimes
1959548 at bugs.launchpad.net
Mon Jul 4 10:33:10 UTC 2022
Many thx Harald for the verification.
(I'm adjusting the tags accordingly...)
** Tags removed: verification-needed verification-needed-jammy
** Tags added: verification-done verification-done-jammy
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to s390-tools-signed in Ubuntu.
https://bugs.launchpad.net/bugs/1959548
Title:
[22.04 FEAT] zcrypt DD: Exploitation Support of new IBM Z Crypto
Hardware (s390-tools part)
Status in Ubuntu on IBM z Systems:
Fix Committed
Status in s390-tools package in Ubuntu:
Fix Released
Status in s390-tools-signed package in Ubuntu:
Fix Committed
Status in s390-tools source package in Jammy:
Fix Committed
Status in s390-tools-signed source package in Jammy:
Fix Committed
Status in s390-tools source package in Kinetic:
Fix Released
Status in s390-tools-signed source package in Kinetic:
Fix Committed
Bug description:
SRU Justification:
==================
[Impact]
* This in a hardware enablement SRU,
and mainly adds support for CryptoExpress 8S adapters
to the s390-tools package.
* With that the new options 'show_serialnumbers',
'--accelonly', '--ccaonly' and '--ep11only'
are introduced to the lszcrypt tool.
* In addition lszcrypt now supports the checkstop state
of a crypto card, that is provided by the 'chkstop'
attribute in the sysfs of newer kernels.
* And lszcrypt now shows the AP bus msg size limit capability,
which is needed for new adapter cards.
* New codes for zcryptstats are needed as well.
[Test Plan]
* Prepare an IBM z16 LPAR with Ubuntu 22.04 (incl. this patch)
that has an CryptoExpress 8S adapter attached to it
and at least one crypto domain online and available.
* Call 'lszcrypt -V' and check the 2nd column called 'type'
and the last column called 'driver'.
* If both have entries that start with "cex8..." then the new
CryptoExpress 8S driver is active and the new card is detected
and can be used (and the new features exploited).
* If the driver listed there is older than 'cex8',
than the new card is probably detected as an older type
and it runs in toleration mode only.
* Try and test the new options.
* Run zcryptstats and with that make use of the new codes
(which actually means add CEX8S support for zcryptstats).
* And finally extending lszcrypt's capabilities and
make it aware of CEX8S.
[Where problems could occur]
* The new declarations, initializations or the scan for the serial numbers
of the devices could fail, which would lead to a non-working
or even erroneous new '-s' option.
* The new filter mechanism could be broken and now incorrect
resources, but this would be limited to the new options
'--cardonly' and '--queueonly'.
* The same applies to the new options
'--accelonly', '--ccaonly' and '--ep11only'.
* The handling of the new chkstop state can be confusing or might be
broken, which may lead to wrong state representations.
* The new AP bus msg size limit mights be incorrectly calculated,
which leads to a wrong size and with that certain feature not to work.
* The new zcryptstats might come with wrong or mixed codes,
which would lead to wrong and misleading statistics,
or even break zcryptstats.
* Regarding the lszcrypt capability extension there is no danger
since an existing case statement is extended and the case content
reused unchanged.
* All this is s390x specific, and only affects the handling for
CryptoExpress 8S adapters. It won't have an impact on CPACF.
__________
zcrypt DD: Exploitation Support of new IBM Z Crypto Hardware -
s390-tools part
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-z-systems/+bug/1959548/+subscriptions
More information about the foundations-bugs
mailing list