Reinhard Buendgen wrote:
>As for the recommendation, I am not sure where it is written. But I
>remember that there was a time where IBM would only sell at least two to
>enforce/encourage redundancy. But I am not sure whether this is still
>true for small systems.
I believe it's possible to order e
Hi,
as for error indications adapter domain failures lead to the AP queue
being set to the offline state in the kernel, a state that can be
displayed with lszcrypt.
Further, depending on the type of error, an error will be logged in the
syslog. More information on errors can be found in
/sys/
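As an added example (not part of any message in this thread, and not IBM's code): a small POSIX shell check that parses the lszcrypt output the mail above refers to, lists APQNs whose status is anything other than online, and reports domains that no longer have at least two online APQNs behind them, which is the redundancy point raised elsewhere in the thread. The column layout it assumes is the one s390-tools lszcrypt prints (CARD.DOMAIN, TYPE, MODE, STATUS, REQUEST_CNT); the sample output embedded in the script is constructed, not captured from a real machine, and the threshold of two is the assumed redundancy target.

```shell
#!/bin/sh
# Added example: redundancy check over lszcrypt output (not code from the thread).
# Assumed column layout (s390-tools lszcrypt):
#   CARD.DOMAIN TYPE MODE STATUS REQUEST_CNT
# Rows whose first field is "NN" are adapters; rows "NN.DDDD" are APQNs (queues).

# Constructed sample, not captured from a real system: two CCA coprocessors,
# domain 0002 backed by both cards (but queue 01.0002 offline), domain 0003
# backed by card 01 only.
SAMPLE_LSZCRYPT='CARD.DOMAIN TYPE  MODE        STATUS  REQUEST_CNT
-------------------------------------------------
00          CEX6C CCA-Coproc  online        16264
00.0002     CEX6C CCA-Coproc  online        16264
01          CEX6C CCA-Coproc  online         9031
01.0002     CEX6C CCA-Coproc  offline           0
01.0003     CEX6C CCA-Coproc  online         9031'

# Print "APQN STATUS" for every queue whose status is not "online".
# Reads lszcrypt output on stdin. Adapter rows and the header are skipped.
offline_apqns() {
    awk '$1 ~ /^[0-9a-fA-F]+\.[0-9a-fA-F]+$/ && $4 != "online" { print $1, $4 }'
}

# Print "DOMAIN ONLINE_COUNT" for every domain that has fewer than $1
# online APQNs (default 2, the assumed redundancy target). Reads stdin.
under_redundant_domains() {
    min=${1:-2}
    awk -v min="$min" '
        $1 ~ /^[0-9a-fA-F]+\.[0-9a-fA-F]+$/ {
            split($1, p, ".")          # p[1] = card, p[2] = domain
            seen[p[2]] = 1
            if ($4 == "online") online[p[2]]++
        }
        END {
            for (d in seen) if (online[d] + 0 < min) print d, online[d] + 0
        }' | sort
}

# Exit 0 when every domain has at least $1 online APQNs, 1 otherwise,
# printing the offending domains on stderr. Reads lszcrypt output on stdin.
check_apqn_redundancy() {
    input=$(cat)
    bad=$(printf '%s\n' "$input" | under_redundant_domains "$1")
    if [ -n "$bad" ]; then
        printf 'domains below redundancy threshold (domain online_count):\n%s\n' "$bad" >&2
        return 1
    fi
    return 0
}

# Stand-alone run against the constructed sample. On a real system:
#   lszcrypt | check_apqn_redundancy 2
printf '%s\n' "$SAMPLE_LSZCRYPT" | offline_apqns
printf '%s\n' "$SAMPLE_LSZCRYPT" | check_apqn_redundancy 2 || echo "redundancy check FAILED"
```

Run periodically (or from a monitoring agent) it turns the "queue went offline" kernel state into an alert before the second card fails. Any status other than "online" is flagged, so the check does not depend on the exact wording lszcrypt uses for the failure it saw. The sysfs path in the mail above is truncated, so the example sticks to the lszcrypt output rather than reading the per-queue attributes under /sys/bus/ap/devices directly.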
Marcy, in answer to your question on error messages from VM:
it depends on whether the Linux guest is APVIRT or APDED.
With APDED guests, VM plays a minimal role - basically a configuration
role that assigns a subset of its crypto resources to the guest.
Thereafter the guest has direct access
As for the recommendation, I am not sure where it is written. But I
remember that there was a time where IBM would only sell at least two to
enforce/encourage redundancy. But I am not sure whether this is still
true for small systems. Anyway, one reason to have redundancy within your
system is th
Reinhard Buendgen wrote:
>The number 680 just reflects the recommendation to achieve
>crypto redundancy per configuration (once configured properly
>the Linux kernel will do the rest).
Where is that recommendation coming from? Is there any nuance to it, and
does it still make sense?
>As for the l
This brings up another set of questions from me :)
Under the assumption that hardware eventually fails and I could lose a card...
If there's two on a guest I assume things seamlessly continue on if one card
fails? Do I get messages on Linux, VM, or the HW if that should happen?
If there's on
Tim,
I fully agree. Yet the Z platform is designed for RAS where
the "R"eliability translates to redundancy of the available resources,
either within the system for built-in resources or as a configuration
option for external resources. The number 680 just reflects the
recommendation to achieve
I'd like to comment on the 680 number for a moment. I don't think 680 is
the correct number of Linux guests that can use protected key
dm-crypt/LUKS2 encrypted volumes. I'd like to argue the case for why the
current maximum number is 1,360 guests per machine that can use this
particular feature. (I
Marcy,
within one CEC you cannot share an APQN (a specific domain in a
specific adapter) in two active LPARs or guests, regardless of the
location of the two guests.
Are 680 guests too few? How much would you like to have?
As for letting the hypervisor do the disk encryption, this is easily
I was talking about the CCA rpm package needed on Linux
From: Alan Altmark <alan_altm...@us.ibm.com>
Date: Saturday, Jan 18, 2020, 2:01 AM
To: LINUX-390@VM.MARIST.EDU
Subject: Re: [LINUX-390] Pervasive disk
To be clear, a CCA is a crypto in Coprocessor mode. It is the only mode
that allows Linux or z/OS to load master keys without TKE, so keeping it
out of the picture isn’t going to work if you want to use ICSF to load
keys.
A (crypto, domain) pair can be online to only one LPAR at a time, but in
an
680 guests I mean - can't type!
-Original Message-
From: Linux on 390 Port On Behalf Of Marcy Cortes
Sent: Friday, January 17, 2020 5:00 PM
To: LINUX-390@VM.MARIST.EDU
Subject: Re: [LINUX-390] Pervasive disk encryption questions
One more question I have and it's probably more VM orienta
One more question I have and it's probably more VM orientated.
Say we decide z/OS ICSF loads all the master keys for us (keeping CCA out of
the pic). Can a guest on VM1 use the same card/domain as a guest on VM2 in
another LPAR provided they use the same MK? Trying to figure out HW
require
Hi,
a few comments on what was in an earlier Mail by Alan:
to set a master key in an EP11 adapter you always need a TKE, even if
you want to do it via z/OS, in which case a TKE must be connected to a
z/OS image.
Unless a domain of an adapter has been configured by the TKE to be only
manageable
Hi,
a few comments on what was said below:
to set a master key in an EP11 adapter you always need a TKE, even if
you want to do it via z/OS, in which case a TKE must be connected to a
z/OS image.
Unless a domain of an adapter has been configured by the TKE to be only
manageable using signed
good catch! I'll tell our ID department to have this corrected.
-Reinhard
On 16.01.20 03:03, Marcy Cortes wrote:
Hi Ingo. Looking at this page... If it's 85, why 00-5d in hex? Isn't 5d = 93?
Marcy
On 1/13/20, 8:52 AM, "Linux on 390 Port on behalf of Ingo Adlung"
wrote:
Hey Marcy
Hi Ingo. Looking at this page... If it's 85, why 00-5d in hex? Isn't 5d = 93?
Marcy
On 1/13/20, 8:52 AM, "Linux on 390 Port on behalf of Ingo Adlung"
wrote:
Hey Marcy,
I'm not the crypto expert (Reinhard please jump in) but aren't we talking
about crypto domain dedication? I.
On Saturday, 01/11/2020 at 01:25 GMT, marcy cortes
wrote:
> First, my understanding of virtualizing crypto is that if any of the cards are
> defined as accelerators then CRYPTO APVIRT in the directory will give Linux an
> accelerator. If you want Linux to have a coprocessor, you'd have to dedic
Thanks for catching this: I wanted to say
Only the CCA and EP11 types provide support for secure key crypto.
... and support to transform secure keys into protected keys.
-Reinhard
On 13.01.20 18:22, R. J. Moore wrote:
Reinhard, one correction I think:
>> When you want to use secure key cryp
Reinhard, one correction I think:
>> When you want to use secure key crypto you must define your crypto
adapter domain in the guest as dedicated adapter (APDED for z/VM guests,
for KVM guests currently only dedicated adapter domains are supported).
>> Dedicated adapter domains can be of any typ
Ingo is correct. Each domain on an adapter functions as a separate HSM.
So you have 85 times 16 HSMs on an enterprise class machine and 40 times
16 HSMs on business class machine. Each of these HSM can be configured
with a different master key. - Having as many domains as LPARs is just
coinci
Hey Marcy,
I'm not the crypto expert (Reinhard please jump in) but aren't we talking
about crypto domain dedication? I.e. not dedicating complete cards ...
don't know about z14/z15 but with z13 we supported up to 85 domains per
LPAR per single adapter as described here:
https://www.ibm.com/suppo
Hi,
with our Crypto HW we distinguish from a security dimension
- clear key crypto (keys reside in plain text in memory)
- secure key crypto (keys are wrapped by (master) keys hidden in a
Crypto adapter aka HSM)
- protected key crypto (keys are wrapped by keys hidden in firmware not
accessible
Thanks! Was hoping you'd respond.
So essentially to do the disk encryption stuff documented here
https://www.ibm.com/support/knowledgecenter/en/linuxonibm/com.ibm.linux.z.lxdc/lxdc_linuxonz.html
one has to dedicate to the guest.
If I can put 16 cards on a z15, I'm essentially limited to 8 gue
Hi,
crypto adapter domains defined for z/VM guests with APVIRT are
restricted to perform clear key crypto operations (possibly including
random number generation), regardless of whether the backing adapters are
in accelerator mode or in CCA mode (AP-virt does not support adapters in
EP11 mode)
> Sent: Friday, January 10, 2020 8:52 PM
> To: LINUX-390@VM.MARIST.EDU
> Subject: Re: Pervasive disk encryption questions
the usage
on the Linux on Z builds operates the same way.
Regards,
Peter
-Original Message-
From: Linux on 390 Port On Behalf Of Rick Troth
Sent: Friday, January 10, 2020 8:52 PM
To: LINUX-390@VM.MARIST.EDU
Subject: Re: Pervasive disk encryption questions
My understanding of the cards is that they're more of a trust anchor
than an accelerator. What I mean is ... differentiate symmetric crypto
from asymmetric crypto. Symmetric crypto (think AES) is handled by the
main processor, right? (This is where Brian or Alan will chime in, and
please do.) So wh