a Subchannel-Set Identifier/Subchannel Number has a set of Channel-Path 
Identifiers (CHPIDs), each of which has an associated Physical-Channel-Path 
Identifier (PCHID). The unit and control unit are part of the Device Identifier.


--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3

________________________________________
From: IBM Mainframe Discussion List [IBM-MAIN@LISTSERV.UA.EDU] on behalf of 
kekronbekron [000002dee3fcae33-dmarc-requ...@listserv.ua.edu]
Sent: Tuesday, June 14, 2022 10:38 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Risks of sharing FICON adapters between LPARs on the same host

Somebody mixing up the IODF is a far bigger problem for the LPARs operationally 
first... let alone security.
If a CHPID is shared between the 2 LPARs, then yes, the pipe is shared.

But is it a security "gotcha"? Unlikely to hell and back.
I think this goes down to microcode and I would bet that IBM test these things 
out for 'leaks' thoroughly.

Anyway, if you do let your security know that the CHPID is shared, be prepared 
for many months and years of isolated CHPID talk, etc.

Do correct me if I'm wrong:

LPAR <-> unit <-> control unit <-> chpid <-> pchid <-> FC switch

I don't believe there's room for a "whoopsie, I sent to this LPAR instead".
Can't quite explain it clearly.
Someone like Timothy Sipples can do that magic!

- KB

------- Original Message -------
On Wednesday, June 15th, 2022 at 7:36 AM, Laurence Chiu <lch...@gmail.com> 
wrote:


> We had an interesting question raised recently in my work place by our
> security team.
>
> They said, if you have multiple LPARs on a Z box and you share FICON
> adapters going to the same DS8K is there any data leak issue that could
> occur? That is, could LPAR1 inadvertently see traffic to the SAN that is
> defined for LPAR2 but sharing the same FICON adapter. Maybe somebody mixed
> up the IODF or something like that?
>
> I thought not and said, isn't that how VMware and Hyper-V work? The
> hypervisors share out FC cards etc. to the various VMs and it doesn't seem
> to be an issue and z/OS (or is it PR/SM) is likely to be a much hardier OS
> security-wise.
>
> Anyway I would get the view of the experts on the forum.
>
> Thanks
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
