Ingo is correct. Each domain on an adapter functions as a separate HSM. So you have 85 times 16 HSMs on an enterprise class machine and 40 times 16 HSMs on a business class machine. Each of these HSMs can be configured with a different master key. Having as many domains as LPARs is just coincidental, so no LPAR-domain association is required.

If you like redundancy, then for each guest you should dedicate two adapter domains (distributed over two adapters) and configure both domains with the same master key.

-Reinhard

On 13.01.20 17:51, Ingo Adlung wrote:
Hey Marcy,
I'm not the crypto expert (Reinhard, please jump in), but aren't we talking
about crypto domain dedication? I.e. not dedicating complete cards ...
I don't know about z14/z15, but with z13 we supported up to 85 domains per
LPAR per single adapter, like described here:

https://www.ibm.com/support/knowledgecenter/linuxonibm/com.ibm.linux.z.lgdd/lgdd_c_crypto_virtual.html

Best regards
Ingo

Linux on 390 Port <[email protected]> wrote on 13/01/2020 17:34:43:

From: Marcy Cortes <[email protected]>
To: [email protected]
Date: 13/01/2020 17:35
Subject: [EXTERNAL] Re: [LINUX-390] Pervasive disk encryption questions
Sent by: Linux on 390 Port <[email protected]>

Thanks!  Was hoping you'd respond.

So essentially to do the disk encryption stuff documented here
https://www.ibm.com/support/knowledgecenter/en/linuxonibm/com.ibm.linux.z.lxdc/lxdc_linuxonz.html
one has to dedicate to the guest.

If I can put 16 cards on a z15, I'm essentially limited to 8 guests
per LPAR with the ability to do this
(need redundancy, so two per guest). Correct? There's not a
way to dedicate, put the master key on, then make it APVIRT after that,
correct?
Marcy


-----Original Message-----
From: Linux on 390 Port <[email protected]> On Behalf Of
Reinhard Buendgen
Sent: Monday, January 13, 2020 7:19 AM
To: [email protected]
Subject: Re: [LINUX-390] Pervasive disk encryption questions

Hi,

crypto adapter domains defined for z/VM guests with APVIRT are
restricted to performing clear key crypto operations (possibly including
random number generation), regardless of whether the backing adapters are
in accelerator mode or in CCA mode (APVIRT does not support adapters in
EP11 mode).
And if there are multiple backing adapters of different modes, z/VM gives
priority to accelerator mode when choosing the type of the shared
virtual adapter.

When you want to use secure key crypto you must define your crypto
adapter domain in the guest as dedicated adapter (APDED for z/VM guests,
for KVM guests currently only dedicated adapter domains are supported).
Dedicated adapter domains can be of any type: accelerator, CCA or EP11.
Only the CCA and EP11 types provide support for clear key crypto.

To set/manage the master key of a dedicated CCA adapter domain assigned
to a guest there are multiple options:
— connect the TKE to the catcher.exe daemon (part of the CCA host
package) running on the Linux system and use the TKE to manage the
master key of the adapter domain belonging to the Linux guest (option
recommended for production use)
— use the panel.exe tool (part of the CCA host package) on the Linux
guest to set/manage the master key of the adapter domain belonging to
the Linux guest (this option is not recommended for production use, due
to some security limitations -- I like this option)
— use a z/OS system on the same CEC (or other Linux system) that has an
appropriate control domain setting. Using the z/OS system can go via
ICSF functions (which I guess are similar in function and security to
what the panel.exe tool provides) or a TKE connected to the z/OS system.
— use another Linux system on the same CEC that has an appropriate
control domain setting and do the management either via panel.exe or TKE
(again, TKE being recommended for production use).
There is no need for a special system to set master keys. Each system
can manage its own master keys. But if you choose to do so, say because
you want to use ICSF or panel.exe from a particularly secured system,
then all you need is a system that has an arbitrary usage domain and
control domains configured to the domains you want to manage.
Unfortunately control domains cannot be freely configured for z/VM
guests (z/VM sets the control domain to be equal to the usage domain).
So this option works only for LPARs and KVM guests. For z/VM guests you
may have to switch the adapter domains from the key management guest to
the actual working guests.


Reinhard

----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO LINUX-390 or visit
http://www2.marist.edu/htbin/wlvindex?LINUX-390


Ingo Adlung
IBM Distinguished Engineer
Chief Architect, and CTO
IBM Z and LinuxONE Virtualization & Linux
mail: [email protected]
phone: +49-7031-16-4263

IBM Deutschland Research & Development GmbH
Chairman of the Supervisory Board: Matthias Hartmann
Managing Director: Dirk Wittkopp
Registered office: Böblingen
Register court: Amtsgericht Stuttgart, HRB 243294
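Reinhard's redundancy advice at the top of this thread (two dedicated domains on two adapters, both loaded with the same master key) only holds if the two master keys really are identical: a secure key such as a zkey/paes volume key is wrapped by the master key, so an APQN loaded with a different master key cannot use it and is not a backup at all. The script below is an added example, not code from the thread or from IBM; it checks a candidate pair of APQNs (written card.domain) for that property. It assumes that on a live system the master key verification patterns (MKVPs) are read from a per-queue sysfs attribute such as /sys/bus/ap/devices/card00/00.0005/mkvps with lines of the form "AES CUR: valid 0x<16 hex digits>"; the APQN numbers and the sysfs contents here are constructed inline so the check runs offline. The zkey tool can also validate a secure key against the master keys of the APQNs it can see; this script only illustrates the check itself.

```shell
#!/bin/sh
# Added example, not from the thread: verify that two dedicated CCA
# adapter domains (APQNs, written card.domain) chosen for redundancy
# sit on different adapters and carry the same current AES master key.
#
# Assumption: on a live system the master key verification patterns
# would be read from the sysfs attribute of each queue, e.g.
#   /sys/bus/ap/devices/card00/00.0005/mkvps
# with lines assumed to look like "AES CUR: valid 0x<16 hex digits>".
# Here the contents are constructed inline so the script runs offline.

# Constructed sysfs contents for three queues: 00.0005 and 01.0005 were
# loaded with the same master key, 02.0005 with a different one.
mkvps_for() {
    case "$1" in
        00.0005|01.0005)
            printf 'AES NEW: empty 0x0000000000000000\n'
            printf 'AES CUR: valid 0x9ac1c5b7e2a4d3f0\n'
            printf 'AES OLD: invalid 0x0000000000000000\n' ;;
        02.0005)
            printf 'AES NEW: empty 0x0000000000000000\n'
            printf 'AES CUR: valid 0x1111222233334444\n'
            printf 'AES OLD: invalid 0x0000000000000000\n' ;;
        *)  return 1 ;;   # APQN not accessible to this guest
    esac
}

# Print the current AES master key verification pattern of one APQN.
# Fails when the queue is unknown or no valid current AES key is loaded
# (a freshly dedicated domain without a master key looks like that).
cur_aes_mkvp() {
    mkvp=$(mkvps_for "$1" | awk '$1 == "AES" && $2 == "CUR:" && $3 == "valid" { print $4 }')
    [ -n "$mkvp" ] || return 1
    printf '%s\n' "$mkvp"
}

# Check that two APQNs form a usable redundant pair: different adapters
# (losing one card leaves the other usable) and the same current AES
# master key (otherwise only one of them can unwrap the secure key).
redundant_pair_ok() {
    a=$1; b=$2
    if [ "${a%%.*}" = "${b%%.*}" ]; then
        echo "$a and $b are on the same adapter: no adapter redundancy" >&2
        return 1
    fi
    ka=$(cur_aes_mkvp "$a") || { echo "$a: no valid current AES master key" >&2; return 1; }
    kb=$(cur_aes_mkvp "$b") || { echo "$b: no valid current AES master key" >&2; return 1; }
    if [ "$ka" != "$kb" ]; then
        echo "master keys differ: $a has $ka, $b has $kb" >&2
        return 1
    fi
    echo "$a and $b share current AES master key $ka"
}

# Usage: sh mkvp-check.sh 00.0005 01.0005
if [ $# -eq 2 ]; then
    redundant_pair_ok "$1" "$2"
fi
```

Run this from the guest that owns the dedicated domains, before handing the APQN list to zkey; a non-zero exit means the pair is not redundant yet, either because the second domain still has no master key loaded or because the two domains were loaded with different keys and one of them needs to be redone via the TKE or panel.exe.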



