Dynamically adding and removing cryptographic adapters
You can add or remove cryptographic adapters from a running Linux® instance.
Before you begin
About this task
By default, the device driver scans the cryptographic configuration every 30 seconds. Newly detected cryptographic adapters are set online. If an adapter has disappeared, its associated cryptographic device is removed. Read or modify the expiration time of this rescan interval with the lszcrypt and chzcrypt commands.
Adding or removing of cryptographic adapters to or from an LPAR is transparent to applications that use clear key functions. If a cryptographic adapter is removed while cryptographic requests are being processed, zcrypt automatically resubmits lost requests to the remaining adapters. Special handling is required for secure key.
Secure key requests are submitted to a dedicated cryptographic coprocessor. If this coprocessor is removed or lost, new requests cannot be submitted to a different coprocessor. Therefore, dynamically adding and removing adapters with a secure key application requires support within the application. For more information about secure key cryptography, see Secure Key Solution with the Common Cryptographic Architecture Application Programmer's Guide, SC33-8294. You can obtain this book at https://www.ibm.com/docs/linuxonibm/liaaf/lnz_r_ccacnt.html.
Alternatively, you can read or set the configuration timer through the config_time
sysfs attribute. This read-write attribute can be found at the AP bus level. Valid
values for the config_time
sysfs attribute are in the range 5 - 120
seconds.
Procedure
You can work with cryptographic adapters in the following ways:
- Add or remove cryptographic adapters by using the SE or
HMC. After the configuration timer expires, the cryptographic adapter is added to or removed from Linux, and the corresponding sysfs entries are created or deleted.
- Enable or disable a cryptographic adapter by using the chzcrypt command.
The cryptographic adapter is only set online or offline in sysfs. The sysfs entries for the cryptographic adapter are retained. Use the lszcrypt command to check the results of the chzcrypt command.
Examples
- To use the lszcrypt and chzcrypt commands
to find out the current configuration timer setting, issue:
In the example, the timer is set to 30 seconds.# lszcrypt -b ... config_time=30 (seconds) ...
- To set the configuration timer to 60 seconds, issue:
# chzcrypt -c 60
- To read the configuration timer setting, issue:
# cat /sys/bus/ap/config_time
- To set the configuration timer to 60 seconds, issue:
# echo 60 > /sys/bus/ap/config_time