diff --git a/SOURCES/0007-backport-GH2694-secure-execution-enablement-s390x.patch b/SOURCES/0007-backport-GH2694-secure-execution-enablement-s390x.patch
new file mode 100644
index 0000000..3bf792d
--- /dev/null
+++ b/SOURCES/0007-backport-GH2694-secure-execution-enablement-s390x.patch
@@ -0,0 +1,298 @@
+From 00697be199c08242e54c02e4557e20834030aaf3 Mon Sep 17 00:00:00 2001
+From: Nikita Dubrovskii <nikita@linux.ibm.com>
+Date: Mon, 4 Apr 2022 16:09:50 +0200
+Subject: [PATCH 1/5] s390x: generate sd-boot at its own partition
+
+Signed-off-by: Nikita Dubrovskii <nikita@linux.ibm.com>
+---
+ src/libostree/ostree-bootloader-zipl.c | 36 ++++++++++++++++++++++----
+ src/libostree/s390x-se-luks-gencpio | 4 +--
+ 2 files changed, 33 insertions(+), 7 deletions(-)
+
+diff --git a/src/libostree/ostree-bootloader-zipl.c b/src/libostree/ostree-bootloader-zipl.c
+index 02c10826c3..fe024d8046 100644
+--- a/src/libostree/ostree-bootloader-zipl.c
++++ b/src/libostree/ostree-bootloader-zipl.c
+@@ -21,12 +21,17 @@
+ #include "ostree-bootloader-zipl.h"
+ #include "ostree-deployment-private.h"
+ #include "otutil.h"
++#include <sys/mount.h>
++#include <sys/stat.h>
+ #include <string.h>
+
+-#define SECURE_EXECUTION_BOOT_IMAGE "/boot/sd-boot"
++#define SECURE_EXECUTION_PARTITION "/dev/disk/by-label/se"
++#define SECURE_EXECUTION_MOUNTPOINT "/sysroot/se"
++#define SECURE_EXECUTION_BOOT_IMAGE SECURE_EXECUTION_MOUNTPOINT "/sd-boot"
+ #define SECURE_EXECUTION_HOSTKEY_PATH "/etc/se-hostkeys/"
+ #define SECURE_EXECUTION_HOSTKEY_PREFIX "ibm-z-hostkey"
+ #define SECURE_EXECUTION_LUKS_ROOT_KEY "/etc/luks/root"
++#define SECURE_EXECUTION_LUKS_BOOT_KEY "/etc/luks/boot"
+ #define SECURE_EXECUTION_LUKS_CONFIG "/etc/crypttab"
+ #define SECURE_EXECUTION_RAMDISK_TOOL PKGLIBEXECDIR "/s390x-se-luks-gencpio"
+
+@@ -67,6 +72,25 @@ _ostree_bootloader_zipl_get_name (OstreeBootloader *bootloader)
+ return "zipl";
+ }
+
++static gboolean
++_ostree_secure_execution_mount(GError **error)
++{
++ const char *device = realpath (SECURE_EXECUTION_PARTITION, NULL);
++ if (device == NULL)
++ return glnx_throw_errno_prefix(error, "s390x SE: resolving %s", SECURE_EXECUTION_PARTITION);
++ if (mount (device, SECURE_EXECUTION_MOUNTPOINT, "ext4", 0, NULL) < 0)
++ return glnx_throw_errno_prefix (error, "s390x SE: Mounting %s", device);
++ return TRUE;
++}
++
++static gboolean
++_ostree_secure_execution_umount(GError **error)
++{
++ if (umount (SECURE_EXECUTION_MOUNTPOINT) < 0)
++ return glnx_throw_errno_prefix (error, "s390x SE: Unmounting %s", SECURE_EXECUTION_MOUNTPOINT);
++ return TRUE;
++}
++
+ static gboolean
+ _ostree_bootloader_zipl_write_config (OstreeBootloader *bootloader,
+ int bootversion,
+@@ -152,8 +176,8 @@ _ostree_secure_execution_get_bls_config (OstreeBootloaderZipl *self,
+ static gboolean
+ _ostree_secure_execution_luks_key_exists (void)
+ {
+- return (access(SECURE_EXECUTION_LUKS_ROOT_KEY, F_OK) == 0 &&
+- access(SECURE_EXECUTION_LUKS_CONFIG, F_OK) == 0);
++ return (access(SECURE_EXECUTION_LUKS_CONFIG, F_OK) == 0 &&
++ (access(SECURE_EXECUTION_LUKS_ROOT_KEY, F_OK) == 0 || access(SECURE_EXECUTION_LUKS_BOOT_KEY, F_OK) == 0));
+ }
+
+ static gboolean
+@@ -250,7 +274,7 @@ static gboolean
+ _ostree_secure_execution_call_zipl (GError **error)
+ {
+ int status = 0;
+- const char *const zipl_argv[] = {"zipl", "-V", "-t", "/boot", "-i", SECURE_EXECUTION_BOOT_IMAGE, NULL};
++ const char *const zipl_argv[] = {"zipl", "-V", "-t", SECURE_EXECUTION_MOUNTPOINT, "-i", SECURE_EXECUTION_BOOT_IMAGE, NULL};
+ if (!g_spawn_sync (NULL, (char**)zipl_argv, NULL, G_SPAWN_SEARCH_PATH,
+ NULL, NULL, NULL, NULL, &status, error))
+ return glnx_prefix_error(error, "s390x SE: spawning zipl");
+@@ -274,9 +298,11 @@ _ostree_secure_execution_enable (OstreeBootloaderZipl *self,
+ g_autofree gchar* options = NULL;
+
+ gboolean rc =
++ _ostree_secure_execution_mount (error) &&
+ _ostree_secure_execution_get_bls_config (self, bootversion, &vmlinuz, &initramfs, &options, cancellable, error) &&
+ _ostree_secure_execution_generate_sdboot (vmlinuz, initramfs, options, keys, error) &&
+- _ostree_secure_execution_call_zipl (error);
++ _ostree_secure_execution_call_zipl (error) &&
++ _ostree_secure_execution_umount (error);
+
+ return rc;
+ }
+diff --git a/src/libostree/s390x-se-luks-gencpio b/src/libostree/s390x-se-luks-gencpio
+index f0ad24eb32..7d62258a31 100755
+--- a/src/libostree/s390x-se-luks-gencpio
++++ b/src/libostree/s390x-se-luks-gencpio
+@@ -12,11 +12,11 @@ gzip -cd ${old_initrd} | cpio -imd --quiet
+
+ # Adding LUKS root key and crypttab config
+ mkdir -p etc/luks
+-cp -f /etc/luks/root etc/luks/
++cp -f /etc/luks/* etc/luks/
+ cp -f /etc/crypttab etc/
+
+ # Creating new initramdisk image
+-find . | cpio --quiet -H newc -o | gzip -9 -n >> ${new_initrd}
++find . -mindepth 1 | cpio --quiet -H newc -o | gzip -9 -n >> ${new_initrd}
+
+ # Cleanup
+ rm -rf ${workdir}
+
+From 91e71022ebc2422f278c285e55f4c88d7f572eeb Mon Sep 17 00:00:00 2001
+From: Nikita Dubrovskii <nikita@linux.ibm.com>
+Date: Mon, 23 May 2022 17:28:54 +0200
+Subject: [PATCH 2/5] s390x: ensure SecureExecution is enabled before sd-boot
+ generation
+
+Signed-off-by: Nikita Dubrovskii <nikita@linux.ibm.com>
+---
+ src/libostree/ostree-bootloader-zipl.c | 24 ++++++++++++++++++------
+ 1 file changed, 18 insertions(+), 6 deletions(-)
+
+diff --git a/src/libostree/ostree-bootloader-zipl.c b/src/libostree/ostree-bootloader-zipl.c
+index fe024d8046..348dfe036d 100644
+--- a/src/libostree/ostree-bootloader-zipl.c
++++ b/src/libostree/ostree-bootloader-zipl.c
+@@ -25,6 +25,7 @@
+ #include <sys/stat.h>
+ #include <string.h>
+
++#define SECURE_EXECUTION_SYSFS_FLAG "/sys/firmware/uv/prot_virt_guest"
+ #define SECURE_EXECUTION_PARTITION "/dev/disk/by-label/se"
+ #define SECURE_EXECUTION_MOUNTPOINT "/sysroot/se"
+ #define SECURE_EXECUTION_BOOT_IMAGE SECURE_EXECUTION_MOUNTPOINT "/sd-boot"
+@@ -109,6 +110,14 @@ _ostree_bootloader_zipl_write_config (OstreeBootloader *bootloader,
+ return TRUE;
+ }
+
++static gboolean _ostree_secure_execution_is_enabled (GCancellable *cancellable) {
++ gsize len = 0;
++ g_autofree char *data = glnx_file_get_contents_utf8_at (-1, SECURE_EXECUTION_SYSFS_FLAG, &len, cancellable, NULL);
++ if (!data)
++ return FALSE;
++ return strstr (data, "1") != NULL;
++}
++
+ static gboolean
+ _ostree_secure_execution_get_keys (GPtrArray **keys,
+ GCancellable *cancellable,
+@@ -329,12 +338,15 @@ _ostree_bootloader_zipl_post_bls_sync (OstreeBootloader *bootloader,
+ return TRUE;
+
+ /* Try with Secure Execution */
+- g_autoptr(GPtrArray) keys = NULL;
+- if (!_ostree_secure_execution_get_keys (&keys, cancellable, error))
+- return FALSE;
+- if (keys && keys->len)
+- return _ostree_secure_execution_enable (self, bootversion, keys, cancellable, error);
+-
++ if ( _ostree_secure_execution_is_enabled (cancellable) )
++ {
++ g_autoptr(GPtrArray) keys = NULL;
++ if (!_ostree_secure_execution_get_keys (&keys, cancellable, error))
++ return FALSE;
++ if (!keys || keys->len == 0)
++ return glnx_throw (error, "s390x SE: no keys");
++ return _ostree_secure_execution_enable (self, bootversion, keys, cancellable, error);
++ }
+ /* Fallback to non-SE setup */
+ const char *const zipl_argv[] = {"zipl", NULL};
+ int estatus;
+
+From 2e2854239189044cc1ffd100959b7c7bfe92b0f9 Mon Sep 17 00:00:00 2001
+From: Nikita Dubrovskii <nikita@linux.ibm.com>
+Date: Tue, 24 May 2022 19:30:35 +0200
+Subject: [PATCH 3/5] s390x: fail on error during reading of SecureExecution
+ sysfs flag
+
+---
+ src/libostree/ostree-bootloader-zipl.c | 24 ++++++++++++++++++------
+ 1 file changed, 18 insertions(+), 6 deletions(-)
+
+diff --git a/src/libostree/ostree-bootloader-zipl.c b/src/libostree/ostree-bootloader-zipl.c
+index 348dfe036d..87b9b67aec 100644
+--- a/src/libostree/ostree-bootloader-zipl.c
++++ b/src/libostree/ostree-bootloader-zipl.c
+@@ -110,12 +110,21 @@ _ostree_bootloader_zipl_write_config (OstreeBootloader *bootloader,
+ return TRUE;
+ }
+
+-static gboolean _ostree_secure_execution_is_enabled (GCancellable *cancellable) {
+- gsize len = 0;
+- g_autofree char *data = glnx_file_get_contents_utf8_at (-1, SECURE_EXECUTION_SYSFS_FLAG, &len, cancellable, NULL);
++static gboolean _ostree_secure_execution_is_enabled (gboolean *out_enabled,
++ GCancellable *cancellable,
++ GError **error)
++{
++ *out_enabled = FALSE;
++ glnx_autofd int fd = -1;
++ if (!ot_openat_ignore_enoent (AT_FDCWD, SECURE_EXECUTION_SYSFS_FLAG, &fd, error))
++ return FALSE;
++ if (fd == -1)
++ return TRUE; //ENOENT --> SecureExecution is disabled
++ g_autofree char *data = glnx_fd_readall_utf8 (fd, NULL, cancellable, error);
+ if (!data)
+ return FALSE;
+- return strstr (data, "1") != NULL;
++ *out_enabled = strstr (data, "1") != NULL;
++ return TRUE;
+ }
+
+ static gboolean
+@@ -338,13 +347,16 @@ _ostree_bootloader_zipl_post_bls_sync (OstreeBootloader *bootloader,
+ return TRUE;
+
+ /* Try with Secure Execution */
+- if ( _ostree_secure_execution_is_enabled (cancellable) )
++ gboolean se_enabled = FALSE;
++ if ( !_ostree_secure_execution_is_enabled (&se_enabled, cancellable, error))
++ return FALSE;
++ if (se_enabled)
+ {
+ g_autoptr(GPtrArray) keys = NULL;
+ if (!_ostree_secure_execution_get_keys (&keys, cancellable, error))
+ return FALSE;
+ if (!keys || keys->len == 0)
+- return glnx_throw (error, "s390x SE: no keys");
++ return glnx_throw (error, "s390x SE: no keys");
+ return _ostree_secure_execution_enable (self, bootversion, keys, cancellable, error);
+ }
+ /* Fallback to non-SE setup */
+
+From 89ed46e8a9f584e2a6c1966fbf4c99f0fe51424e Mon Sep 17 00:00:00 2001
+From: Nikita Dubrovskii <nikita@linux.ibm.com>
+Date: Fri, 27 May 2022 09:13:18 +0200
+Subject: [PATCH 4/5] s390x: do not unpack existing initrd, just append LUKS
+ keys to its copy
+
+Signed-off-by: Nikita Dubrovskii <nikita@linux.ibm.com>
+---
+ src/libostree/s390x-se-luks-gencpio | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/src/libostree/s390x-se-luks-gencpio b/src/libostree/s390x-se-luks-gencpio
+index 7d62258a31..f444198a40 100755
+--- a/src/libostree/s390x-se-luks-gencpio
++++ b/src/libostree/s390x-se-luks-gencpio
+@@ -4,19 +4,19 @@ set -euo pipefail
+
+ old_initrd=$1
+ new_initrd=$2
++currdir=$PWD
+
+-# Unpacking existing initramdisk
++# Copying existing initramdisk
++cp ${old_initrd} ${new_initrd}
++
++# Appending LUKS root keys and crypttab config to the end of initrd
+ workdir=$(mktemp -d -p /tmp se-initramfs-XXXXXX)
+ cd ${workdir}
+-gzip -cd ${old_initrd} | cpio -imd --quiet
+-
+-# Adding LUKS root key and crypttab config
+ mkdir -p etc/luks
+ cp -f /etc/luks/* etc/luks/
+ cp -f /etc/crypttab etc/
+-
+-# Creating new initramdisk image
+ find . -mindepth 1 | cpio --quiet -H newc -o | gzip -9 -n >> ${new_initrd}
+
+ # Cleanup
++cd ${currdir}
+ rm -rf ${workdir}
+
+From 2c8d5b95c7f2fee90e73bdd9222e002c44e797b7 Mon Sep 17 00:00:00 2001
+From: Nikita Dubrovskii <nikita@linux.ibm.com>
+Date: Thu, 23 Jun 2022 15:54:04 +0200
+Subject: [PATCH 5/5] s390x: rename sd-boot to sdboot
+
+Signed-off-by: Nikita Dubrovskii <nikita@linux.ibm.com>
+---
+ src/libostree/ostree-bootloader-zipl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/libostree/ostree-bootloader-zipl.c b/src/libostree/ostree-bootloader-zipl.c
+index 87b9b67aec..0ff350f942 100644
+--- a/src/libostree/ostree-bootloader-zipl.c
++++ b/src/libostree/ostree-bootloader-zipl.c
+@@ -28,7 +28,7 @@
+ #define SECURE_EXECUTION_SYSFS_FLAG "/sys/firmware/uv/prot_virt_guest"
+ #define SECURE_EXECUTION_PARTITION "/dev/disk/by-label/se"
+ #define SECURE_EXECUTION_MOUNTPOINT "/sysroot/se"
+-#define SECURE_EXECUTION_BOOT_IMAGE SECURE_EXECUTION_MOUNTPOINT "/sd-boot"
++#define SECURE_EXECUTION_BOOT_IMAGE SECURE_EXECUTION_MOUNTPOINT "/sdboot"
+ #define SECURE_EXECUTION_HOSTKEY_PATH "/etc/se-hostkeys/"
+ #define SECURE_EXECUTION_HOSTKEY_PREFIX "ibm-z-hostkey"
+ #define SECURE_EXECUTION_LUKS_ROOT_KEY "/etc/luks/root"
diff --git a/SOURCES/0008-backport-GH2696-ed25519-verify-signatures-minimum-length.patch b/SOURCES/0008-backport-GH2696-ed25519-verify-signatures-minimum-length.patch
new file mode 100644
index 0000000..041e33d
--- /dev/null
+++ b/SOURCES/0008-backport-GH2696-ed25519-verify-signatures-minimum-length.patch
@@ -0,0 +1,32 @@
+From 56820e54392efc5dd59032f8872aaf219190ad4f Mon Sep 17 00:00:00 2001
+From: Colin Walters <walters@verbum.org>
+Date: Thu, 14 Jul 2022 14:42:19 -0400
+Subject: [PATCH] sign/ed25519: Verify signatures are minimum length
+
+The ed25519 signature verification code does not
+check that the signature is a minimum/correct length.
+As a result, if the signature is too short, libsodium will end up
+reading a few bytes out of bounds.
+
+Reported-by: Demi Marie Obenour <demi@invisiblethingslab.com>
+Co-authored-by: Demi Marie Obenour <demi@invisiblethingslab.com>
+
+Closes: https://github.com/ostreedev/ostree/security/advisories/GHSA-gqf4-p3gv-g8vw
+---
+ src/libostree/ostree-sign-ed25519.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/libostree/ostree-sign-ed25519.c b/src/libostree/ostree-sign-ed25519.c
+index 809ffe8790..f271fd49e0 100644
+--- a/src/libostree/ostree-sign-ed25519.c
++++ b/src/libostree/ostree-sign-ed25519.c
+@@ -209,6 +209,9 @@ gboolean ostree_sign_ed25519_data_verify (OstreeSign *self,
+ g_autoptr (GVariant) child = g_variant_get_child_value (signatures, i);
+ g_autoptr (GBytes) signature = g_variant_get_data_as_bytes(child);
+
++ if (g_bytes_get_size (signature) != crypto_sign_BYTES)
++ return glnx_throw (error, "Invalid signature length of %" G_GSIZE_FORMAT " bytes, expected %" G_GSIZE_FORMAT, (gsize) g_bytes_get_size (signature), (gsize) crypto_sign_BYTES);
++
+ g_autofree char * hex = g_malloc0 (crypto_sign_PUBLICKEYBYTES*2 + 1);
+
+ g_debug("Read signature %d: %s", (gint)i, g_variant_print(child, TRUE));
diff --git a/SPECS/ostree.spec b/SPECS/ostree.spec
index a86168e..9919712 100644
--- a/SPECS/ostree.spec
+++ b/SPECS/ostree.spec
@@ -8,7 +8,7 @@
Summary: Tool for managing bootable, immutable filesystem trees
Name: ostree
Version: 2022.2
-Release: 4%{?dist}
+Release: 5%{?dist}
Source0: https://github.com/ostreedev/%{name}/releases/download/v%{version}/libostree-%{version}.tar.xz
License: LGPLv2+
URL: https://ostree.readthedocs.io/en/latest/
@@ -21,6 +21,8 @@ Patch2: 0003-repo-Factor-out-_ostree_repo_auto_transaction_new.patch
Patch3: 0004-repo-Correctly-initialize-refcount-of-temporary-tran.patch
Patch4: 0005-deploy-Try-to-rebuild-policy-in-new-deployment-if-ne.patch
Patch5: 0006-deploy-Be-a-bit-more-verbose-about-SELinux-bits.patch
+Patch6: 0007-backport-GH2694-secure-execution-enablement-s390x.patch
+Patch7: 0008-backport-GH2696-ed25519-verify-signatures-minimum-length.patch
BuildRequires: make
BuildRequires: git
@@ -172,6 +174,14 @@ find %{buildroot} -name '*.la' -delete
%endif
%changelog
+* Tue Aug 23 2022 Luca BRUNO <lucab@redhat.com> - 2022.2-5
+- Backport enablement patches for Secure Execution on s390x
+ https://github.com/ostreedev/ostree/pull/2694
+ Resolves: rhbz#2120522
+- Backport security fix to verify signatures are minimum length (advisory GHSA-gqf4-p3gv-g8vw)
+ https://github.com/ostreedev/ostree/pull/2696
+ Resolves: rhbz#2119444
+
* Wed May 04 2022 Colin Walters <walters@verbum.org> - 2022.2-4
- Backport patches from 2022.3, particularly SELinux
Resolves: rhbz#2057497