Good catch! I'll tell our ID department to have this corrected.

-Reinhard

On 16.01.20 03:03, Marcy Cortes wrote:
Hi Ingo.   Looking at this page... If it's 85, why 00-5d in hex?   Isn't 5d = 93?

Marcy

On 1/13/20, 8:52 AM, "Linux on 390 Port on behalf of Ingo Adlung" 
<LINUX-390@VM.MARIST.EDU on behalf of adl...@de.ibm.com> wrote:

     Hey Marcy,
     I'm not the crypto expert (Reinhard please jump in) but aren't we talking
     about crypto domain dedication? I.e. not dedicating complete cards ...
     don't know about z14/z15 but with z13 we supported up to 85 domains per
     LPAR per single adapter like described here:
     https://www.ibm.com/support/knowledgecenter/linuxonibm/com.ibm.linux.z.lgdd/lgdd_c_crypto_virtual.html

     Best regards
     Ingo

     Linux on 390 Port <LINUX-390@VM.MARIST.EDU> wrote on 13/01/2020 17:34:43:

     > From: Marcy Cortes <marcy.d.cor...@wellsfargo.com>
     > To: LINUX-390@VM.MARIST.EDU
     > Date: 13/01/2020 17:35
     > Subject: [EXTERNAL] Re: [LINUX-390] Pervasive disk encryption questions
     > Sent by: Linux on 390 Port <LINUX-390@VM.MARIST.EDU>
     >
     > Thanks!  Was hoping you'd respond.
     >
     > So essentially to do the disk encryption stuff documented here
     > https://www.ibm.com/support/knowledgecenter/en/linuxonibm/com.ibm.linux.z.lxdc/lxdc_linuxonz.html
     > one has to dedicate to the guest.
     >
     > If I can put 16 cards on a z15, I'm essentially limited to 8 guests
     > per LPAR with the ability to do this.
     > (need redundancy so two per guest).    Correct?    There's not a
     > way to dedicate, put master key on, then make it apvirt after that,
     > correct?
     >
     > Marcy
     >
     >
     > -----Original Message-----
     > From: Linux on 390 Port <LINUX-390@VM.MARIST.EDU> On Behalf Of
     > Reinhard Buendgen
     > Sent: Monday, January 13, 2020 7:19 AM
     > To: LINUX-390@VM.MARIST.EDU
     > Subject: Re: [LINUX-390] Pervasive disk encryption questions
     >
     > Hi,
     >
     > crypto adapter domains defined for z/VM guests with APVIRT are
     > restricted to perform clear key crypto operations (possibly including
     > random number generations). Regardless of whether the backing adapters are
     > in accelerator mode or in CCA mode (AP-virt does not support adapters in
     > EP11 mode).
     > And if there are multiple backing adapters of different modes z/VM gives
     > priority to accelerator mode when choosing the type of the shared
     > virtual adapter.
     >
     > When you want to use secure key crypto you must define your crypto
     > adapter domain in the guest as dedicated adapter (APDED for z/VM guests,
     > for KVM guests currently only dedicated adapter domains are supported).
     > Dedicated adapter domains can be of any type: accelerator, CCA or EP11.
     > Only the CCA and EP11 types provide support for clear key crypto.
     >
     > To set/manage the master key of a dedicated CCA adapter domain assigned
     > to a guest there are multiple options
     > — connect the TKE to the catcher.exe daemon (part of the CCA host
     > package)  running on the Linux system and use the TKE to manage the
     > master key of the adapter domain belonging to the Linux guest (option
     > recommended for production use)
     > — use the panel.exe tool (part of the CCA host package) on the Linux
     > guest to set/manage the master key of the adapter domain belonging to
     > the Linux guest (this option is not recommended for production use, due
     > to some security limitations -- I like this option )
     > — use a z/OS System on the same CEC (or other Linux System) that has an
     > appropriate control domain setting. Using the z/OS system can go via
     > ICSF functions (which I guess are similar in function and security to
     > what the panel.exe tool provides) or a TKE connected to the z/OS system.
     > — use another Linux system on the same CEC that has an appropriate
     > control domain setting and do the management either via panel.exe or TKE
     > (again TKE being recommended for production use).
     > There is no need for a special system to set master keys. Each system
     > can manage its own master keys. But if you choose to do so, say because
     > you want to use ICSF or panel.exe from a particularly secured system
     > then all you need is a system that has an arbitrary usage domain and
     > control domains configured to the domains you want to manage.
     > Unfortunately control domains cannot be freely configured for z/VM
     > guests. (z/VM sets the control domain to be equal to the usage domain).
     > So this option works only for LPARs and KVM guests. For z/VM guests you
     > may have to switch the adapter domains from the key management guest to
     > the actual working guests.
     >
     >
     > Reinhard
     >
     Ingo Adlung
     IBM Distinguished Engineer
     Chief Architect, and CTO
     IBM Z and LinuxONE Virtualization
     & Linux
     mail: adl...@de.ibm.com
     phone: +49-7031-16-4263

     IBM Deutschland Research & Development GmbH
     Chairman of the Supervisory Board: Matthias Hartmann
     Management: Dirk Wittkopp
     Registered office: Böblingen
     Court of registration: Amtsgericht Stuttgart, HRB 243294
     ----------------------------------------------------------------------
     For LINUX-390 subscribe / signoff / archive access instructions,
     send email to lists...@vm.marist.edu with the message: INFO LINUX-390 or visit
     http://www2.marist.edu/htbin/wlvindex?LINUX-390