Just to provide some closure on this, Matt and I continued the investigation offline.
We did confirm that he has the crypto enabling microcode (FC #3863) installed. And we found in IBM's Announcement Letter for the z196, 110-170: "CP Assist for Cryptographic Function (CPACF) enhancements The following are exploitation of Message-Security-Assist Extension 4: New instructions: . Cipher Message with CFB (KMF) . Cipher Message with Counter (KMCTR) . Cipher Message with OFB (KMO) New function codes for existing instructions: . Compute intermediate Message Digest (KIMD) adds KIMD, an extension for GHASH More information on CPACF can be found in "IBM System z10 - Delivering security rich offerings to protect your data," Hardware Announcement 109-678, dated October 20, 2009. This Crypto function is exclusive to z196." I don't always trust announcement letters but our conclusion was that the z10 does not support the new instructions that are available with MSA-4, and the vendor confirmed that the MSA-4 support is a pre-req for the CFB support. Greg Boyd Mainframe Crypto www.mainframecrypto.com On Tue, 29 Sep 2015 14:00:52 -0500, Greg Boyd <[email protected]> wrote: >As I mentioned in the last post, TechDoc Flash10716 does talk about cipher >block chaining support on the CEX3 and I'm pretty sure that support is >available when the CEX3 is installed on z10. But I'm not so sure that the >chaining support that is avaliable on the CPACF hardware on the z196/z114 was >retrofitted to the z10. So in fact it may not be available on your machine. >Additional research is required. Does the vendor product claim to support CFB >mode on a z10? Do they call out a specific microcode level? > >As Rob Schramm points out, you can start ICSF even if you don't have crypto >cards, but if the product does not use the APIs that wouldn't provide any >benefit. It is possible the vendor product could query the configuration and >provide software routines that use the most efficient resources available. >That is, the logic could query the config and if the CFB support is not >available in the hardware, it could invoke the ICSF APIs that would perform >CFB. And in your case, since the APIs aren't available it might fall back on >it's own software routines that do provide CFB support. If this is true, then >starting ICSF might help. And you would not need an exit to provide the CFB >support. (I would not >advocate using an ICSF exit to support CFB.) > >I'm also wondering if they are using System SSL APIs? Does the vendor product >specifically say that they are using the native instructions that are >available on the CPACF hardware? System SSL is very efficient and will query >the environment to determine how best to service the request and as described >above will often provide software routines if the appropriate hardware support >or if ICSF is not available. > >It would be helpful to know which vendor product you are working with. If >you'd like to take this up offline, we can summarize the results for the list >later. Feel free to send me a note. > >Greg Boyd >Mainframe Crypto >www.mainframecrypto.com > >---------------------------------------------------------------------- >For IBM-MAIN subscribe / signoff / archive access instructions, >send email to [email protected] with the message: INFO IBM-MAIN ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
