The coprocessor has three segments: segment 1, segment 2,
and segment 3. Each segment has a status and holds software and a validation
public key. Each segment except segment 1 also has an owner identifier.
See Table 1 for information
about the segments of the coprocessor.
Table 1. Software segment contents

Segment   Content
1         Miniboot contains diagnostics and code loading controls
2         Embedded control program
3         CCA or another application

You determine the current content and status of the coprocessor
segments by using the ST command. Figure 1 shows a typical ST response.

Figure 1. Typical CLU status response
----------------------------------------------------------------------
Coprocessor Load Utility (CLU) version 5.2.19
----------------------------------------------------------------------
Invocation : csufclu -c st -a 0 -l log.out
Log File : log.out
Started : Tue Apr 12 11:30:22 2016
----------------------------------------------------------------------
Value of ListInfo.num: 1
Vital Product Data
Part Number : 00LU365
Secure Part Number : 00LU348
EC Number : 0N36944
Serial Number : DV53H383
Description : IBM 4767-002 PCI-e Cryptographic Coprocessor
Manufacturing Site : 91
POST-0 Version : 1
POST-0 Release : 16
MiniBoot-0 Version : 1
MiniBoot-0 Release : 2
ROM Status
Page 1 Certified : YES
Segment-1 State : INITIALIZED
Segment-2 State : RUNNABLE
Segment-2 Owner ID : 2
Segment-3 State : RUNNABLE
Segment-3 Owner ID : 2
Segment-1 Information
Segment-1 Image : 5.2.20 P0123 M0121 P0123 F0D01 201601141340502A000022000000000000
Segment-1 Revision : 50220
Segment-1 Hash : 47DE D8EE BB79 CF98 2250 DDBB 1CE9 45C4 6CAB 4243 BD11 E4B0 D742 664C 978C 1702 C201 EF4E 4C97 A21A 73D1 F227 BAFD B5FE 5125 421C EEBC A9C3 4A12 7E32 645F 1588
Segment-2 Information
Segment-2 Image : 5.2.20 1.0-lnx-2015-06-16-20 201602021548502A000000000220022000
Segment-2 Revision : 50220
Segment-2 Hash : 5B4C 5496 012A 8E74 8D51 22A3 39E9 89E7 BC8D 1A43 C946 E267 0BC4 87CD F436 AFDB 515E 167A 32AC E16D 6F99 BB75 C8AF E531 B0F7 9AF0 AC72 09F7 B8C4 4B45 037B 4583
Segment-3 Information
Segment-3 Image : 5.2.20 CCA 201602021548502A000000000000000000
Segment-3 Revision : 50220
Segment-3 Hash : BF98 5EEB 74BF D622 2FB4 157D 8080 D385 8DCC F010 1B57 33CB D828 0EDE D7B6 2EF6 FD62 D0D9 3FF4 FB44 6FC0 64E4 66D8 36A3 D7F7 EF61 1CF7 5D07 448A 0A39 D7FE A9C5
----------------------------------------------------------------------
Obtain Status ended successfully at Tue Apr 12 11:31:03 2016
Finished : Tue Apr 12 11:31:03 2016
----------------------------------------------------------------------
Definitions of the fields on the ST response follow:
Field
Description
PartNum
The part number (P/N) of the coprocessor.
EC Num
The engineering change number of the coprocessor.
Ser Num
The manufacturer's serial number of the coprocessor. This number
is not the IBM tracking serial number that is used for warranty verification
and download authorization.
Description
A statement that describes the type of coprocessor in general
terms. Auditors must review this and other status information to confirm
that an appropriate coprocessor is in use.
ROM Status
The coprocessor must always be in an INITIALIZED state. If the status is ZEROIZED, the
coprocessor detected a possible tamper event and is in an unrecoverable, nonfunctional state.
(Unintended tamper events are created if the coprocessor is not handled properly. Replace the
batteries only by following the recommended battery-replacement procedure, maintain the
coprocessor in the safe temperature range, and follow the instructions.)
ROM Status SEG2 / SEG3
Several status conditions exist for Segment 2 and Segment 3,
including:
UNOWNED: Currently not in use, no content
RUNNABLE: Contains code and is in a usable state
Owner identifiers are also shown. The standard CCA Support
Program is assigned identifier 2 for both Segment 2 and Segment 3. Any
other owner identifier indicates that the software is not the
standard IBM® CCA product code. In all cases, ensure that
the proper software is loaded in your coprocessor. Unauthorized or unknown
software can represent a security risk to your installation.
Segment 1 Image
The name and description of the software content of Segment 1.
For a factory shipped coprocessor, the name includes Factory.
This image and the associated validation key must be changed.
For a previously loaded coprocessor, the Segment 1 name probably includes
CCA. Ensure that you observe the revision level.
Segment 2 and Segment 3 Images
If these segments have Owned status, observe the image name and
the revision level. IBM incorporates CCA in the image
name to indicate that the image is provided as part of the CCA Support
Program. Be sure to observe the revision level.
Segment Hash values
The hash values for each segment must match the values that are
shown in Figure 1.
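
The checks described in the field definitions above can be run automatically against a saved CLU log. The following is an added example, not IBM code: the function names, the constructed sample log, the placeholder hash values, and the pass/fail policy (a coprocessor loaded with the standard CCA Support Program) are assumptions made for illustration.

```python
# SAMPLE_LOG is constructed and abridged in the layout of Figure 1; its hash
# values are short placeholders, not real segment hashes.
SAMPLE_LOG = """\
Segment-1 State : INITIALIZED
Segment-2 State : RUNNABLE
Segment-2 Owner ID : 2
Segment-3 State : RUNNABLE
Segment-3 Owner ID : 2
Segment-1 Hash : AAAA 1111
Segment-2 Hash : BBBB 2222
Segment-3 Hash : CCCC 3333
"""
# Baseline from a known-good load (placeholders matching the sample).
EXPECTED_HASHES = {"1": "AAAA1111", "2": "bbbb 2222", "3": "CCCC 3333"}

def parse_status(text):
    """Map each 'Field : value' line of a CLU log to {field: value}."""
    fields = {}
    for line in text.splitlines():
        name, sep, value = line.partition(" : ")
        if sep:
            fields[name.strip()] = value.strip()
    return fields

def _hex(value):  # normalize a hash: drop spacing, ignore case
    return "".join(value.split()).upper()

def audit(text, expected_hashes, owner_id="2"):
    """Return a list of findings; an empty list means all checks passed."""
    fields = parse_status(text)
    findings = []
    # ZEROIZED means a tamper response; anything but INITIALIZED fails.
    if fields.get("Segment-1 State") != "INITIALIZED":
        findings.append(f"Segment-1 State is {fields.get('Segment-1 State')}")
    for seg in ("2", "3"):
        # Assumed policy: standard CCA load, so RUNNABLE and owner ID 2.
        state = fields.get(f"Segment-{seg} State")
        owner = fields.get(f"Segment-{seg} Owner ID")
        if state != "RUNNABLE":
            findings.append(f"Segment-{seg} State is {state}")
        if owner != owner_id:
            findings.append(f"Segment-{seg} Owner ID is {owner}")
    for seg, want in expected_hashes.items():
        got = fields.get(f"Segment-{seg} Hash")
        if got is None or _hex(got) != _hex(want):
            findings.append(f"Segment-{seg} Hash does not match baseline")
    return findings
```

To audit a real log, pass the contents of the file written by the -l option to audit() together with the hash values expected for your software release.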