I'd like to comment on the 680 number for a moment. I don't think 680 is the correct number of Linux guests that can use protected key dm-crypt/LUKS2 encrypted volumes. I'd like to argue the case for why the current maximum number is 1,360 guests per machine that can use this particular feature. (It's a security feature that doesn't exist on any other platform, we should note, so it's either 680 or 1,360 more Linux guests than any other machine.)
The number 680 is derived by taking the current maximum number of physical Crypto Express features per machine (16), configuring them all in CCA mode, multiplying by the current maximum number of domains per feature (85)(*), then dividing in half, with the idea being that each Linux guest would benefit from the services of two CCA domains spread across two physical Crypto Express features. I think this last assumption is fairly arbitrary. A single Linux guest is one kernel running within only one instance of the hypervisor (which may or may not be nested). It's a singleton, inherently. In a production environment you'd presumably have something more than singleton Linux guests running particular workloads, at least if they're important workloads. You pick up redundancy there. If a particular Linux guest is offline for whatever reason, there's another handling the workload (or ready to handle it), with its own Crypto Express domain. You certainly could decide to add Crypto Express redundancy on a per guest basis in addition to whole Linux guest redundancy, but if you're going to measure the outer bound maximum number I don't think you ought to assume "redundancy squared." It seems rather arbitrary to me that that's where you draw that particular line. There is no intrinsic limit to the number of Linux guests using dm-crypt/LUKS2 encrypted volumes with clear keys. You can also decide on a guest-by-guest basis whether to double up on Crypto Express CCA domains or not, which would mean a current upper bound limit somewhere between 680 and 1,360 Linux guests using CCA domains. And/or you can decide how many Crypto Express features you want to configure in another mode, notably EP11. If for example you configure two Crypto Express features in EP11 mode, then there are up to 14 available for CCA mode, supporting up to 1,190 Linux guests using protected key dm-crypt/LUKS2 (up to 595 if you decide to double them all up, or somewhere in between if you double up some of them). Anyway, this is an interesting discussion! If you're pushing these limits or at least forecast you will, let IBM know, officially. (*) This particular number is 40 on IBM z14 ZR1, LinuxONE Rockhopper II, and their predecessor models. Adjust the rest of the math accordingly for these machine models. -------------------------------------------------------------------------------------------------------- Timothy Sipples IT Architect Executive, Digital Asset & Other Industry Solutions, IBM Z & LinuxONE -------------------------------------------------------------------------------------------------------- E-Mail: [email protected] ---------------------------------------------------------------------- For LINUX-390 subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO LINUX-390 or visit http://www2.marist.edu/htbin/wlvindex?LINUX-390
