good catch! I'll tell our ID department to have this corrected.
-Reinhard
On 16.01.20 03:03, Marcy Cortes wrote:
Hi Ingo. Looking at this page... If it's 85, why 00-5d in hex? Isn't 5d = 93?
Marcy
On 1/13/20, 8:52 AM, "Linux on 390 Port on behalf of Ingo Adlung" <LINUX-390@VM.MARIST.EDU on behalf of adl...@de.ibm.com> wrote:
Hey Marcy,
I'm not the crypto expert (Reinhard please jump in) but aren't we talking
about crypto domain dedication? I.e. not dedicating complete cards ...
don't know about z14/z15 but with z13 we supported up to 85 domains per
LPAR per single adapter as described here:
https://www.ibm.com/support/knowledgecenter/linuxonibm/com.ibm.linux.z.lgdd/lgdd_c_crypto_virtual.html
Best regards
Ingo
Linux on 390 Port <LINUX-390@VM.MARIST.EDU> wrote on 13/01/2020 17:34:43:
> From: Marcy Cortes <marcy.d.cor...@wellsfargo.com>
> To: LINUX-390@VM.MARIST.EDU
> Date: 13/01/2020 17:35
> Subject: [EXTERNAL] Re: [LINUX-390] Pervasive disk encryption questions
> Sent by: Linux on 390 Port <LINUX-390@VM.MARIST.EDU>
>
> Thanks! Was hoping you'd respond.
>
> So essentially to do the disk encryption stuff documented here
> https://www.ibm.com/support/knowledgecenter/en/linuxonibm/
> com.ibm.linux.z.lxdc/lxdc_linuxonz.html
> one has to dedicate to the guest.
>
> If I can put 16 cards on a z15, I'm essentially limited to 8 guests
> per LPAR with the ability to do this.
> (need redundancy so two per guest). Correct ? There's not a
> way to dedicate, put master key on, then make it apvirt after that, correct?
>
> Marcy
>
>
> -----Original Message-----
> From: Linux on 390 Port <LINUX-390@VM.MARIST.EDU> On Behalf Of
> Reinhard Buendgen
> Sent: Monday, January 13, 2020 7:19 AM
> To: LINUX-390@VM.MARIST.EDU
> Subject: Re: [LINUX-390] Pervasive disk encryption questions
>
> Hi,
>
> crypto adapter domains defined for z/VM guests with APVIRT are
> restricted to perform clear key crypto operations (possibly including
> random number generation), regardless of whether the backing adapters are
> in accelerator mode or in CCA mode (AP-virt does not support adapters in
> EP11 mode).
> And if there are multiple backing adapters of different modes z/VM gives
> priority to accelerator mode when choosing the type of the shared
> virtual adapter.
>
> When you want to use secure key crypto you must define your crypto
> adapter domain in the guest as dedicated adapter (APDED for z/VM guests,
> for KVM guests currently only dedicated adapter domains are supported).
> Dedicated adapter domains can be of any type: accelerator, CCA or EP11.
> Only the CCA and EP11 types provide support for clear key crypto.
>
> To set/manage the master key of a dedicated CCA adapter domain assigned
> to a guest there are multiple options
> — connect the TKE to the catcher.exe daemon (part of the CCA host
> package) running on the Linux system and use the TKE to manage the
> master key of the adapter domain belonging to the Linux guest (option
> recommended for production use)
> — use the panel.exe tool (part of the CCA host package) on the Linux
> guest to set/manage the master key of the adapter domain belonging to
> the Linux guest (this option is not recommended for production use, due
> to some security limitations -- I like this option )
> — use a z/OS System on the same CEC (or other Linux System) that has an
> appropriate control domain setting. Using the z/OS system can go via
> ICSF functions (which I guess are similar in function and security to
> what the panel.exe tool provides) or a TKE connected to the z/OS system.
> — use another Linux system on the same CEC that has an appropriate
> control domain setting and do the management either via panel.exe or TKE
> (again TKE being recommended for production use).
> There is no need for a special system to set master keys. Each system
> can manage its own master keys. But if you choose to do so, say because
> you want to use ICSF or panel.exe from a particularly secured system
> then all you need is a system that has an arbitrary usage domain and
> control domains configured to the domains you want to manage.
> Unfortunately control domains cannot be freely configured for z/VM
> guests. (z/VM sets the control domain to be equal to the usage domain).
> So this option works only for LPARs and KVM guests. For z/VM guests you
> may have to switch the adapter domains from the key management guest to
> the actual working guests.
>
>
> Reinhard
>
> ----------------------------------------------------------------------
> For LINUX-390 subscribe / signoff / archive access instructions,
> send email to lists...@vm.marist.edu with the message: INFO LINUX-390 or
> visit http://www2.marist.edu/htbin/wlvindex?LINUX-390
>
Ingo Adlung
IBM Distinguished Engineer
Chief Architect, and CTO IBM Z and LinuxONE Virtualization & Linux
mail: adl...@de.ibm.com
phone: +49-7031-16-4263

IBM Deutschland Research & Development GmbH
Chairman of the Supervisory Board: Matthias Hartmann
Management: Dirk Wittkopp
Registered office: Böblingen
Register court: Amtsgericht Stuttgart, HRB 243294