My understanding of the cards is that they're more of a trust anchor than an accelerator. What I mean is ... differentiate symmetric crypto from asymmetric crypto. Symmetric crypto (think AES) is handled by the main processor, right? (This is where Brian or Alan will chime in, and please do.) So why shuttle the work to a co-processor? Symmetric crypto is faster (much!) than asymmetric.
Who uses AES as a master key? The concept of "master" should be asymmetric, not symmetric. Symmetric keys are the kind you create for a session and then discard. But ... this is pervasive ... okay ... keys ... and store them. Where? On the card? Okay, but still, doesn't mean the *processing* of symmetric gets done there. Last I knew (haven't read the PoOp for z15), the CPU didn't have asymmetric instructions (think RSA). Asymmetric crypto is slower (much!) than symmetric, so one could conceivably shuttle that work to a daughter card and get a win (or at least parity!). But there's another point: "trust" is all about asymmetric keys, where you have a PUBLIC half and a PRIVATE half to the pair. So the card can hold the private half (and prove itself against the public half, like for an SSL cert) or can hold the public half (and serve to confirm a third party, like a remote web site SSL cert). Not sure I'm splainin it well. Solly. But this could be old news. IBMers? What's new? -- R; <>< On 1/10/20 8:24 PM, marcy cortes wrote: > Cross posted to Linux-390 and IBMVM > > > First, my understand of virtualizing crypto is that if any of the cards are > defined as accelerators then CRYPTO APVIRT in the directory will give linux > an accelerator. If you want linux to have a coprocessor, you’d have to > dedicate one. If you want a lot of servers to have coprocessors (more > than the HW cards to dedicate), you’d get rid of the accelerators and make > them all coprocessors. Is my understanding correct? > > And to do the AES master key load, it has generally been done from z/OS > here. It looks like for my z/vm only boxes TKE is required, but I could > use the CCA package to generate some for a test only scenario. > > If I do want to try that CCA key load on a non prod box, I’m thinking I > would have to dedicate all of the coprocessors to a Linux guest and create > them there. Then undedicate and then any guest with an APVIRT would find > valid master keys and would then be able to “zkey generate” a secure key > for use in each disk. > > Am I on the right track? > > Marcy > -- -- R; <>< ---------------------------------------------------------------------- For LINUX-390 subscribe / signoff / archive access instructions, send email to lists...@vm.marist.edu with the message: INFO LINUX-390 or visit http://www2.marist.edu/htbin/wlvindex?LINUX-390
