Investigating master key states and verification patterns

6.10 LPAR mode z/VM guest KVM guest

For information about the master keys on an AP queue and the keys' verification patterns, read the queue's mkvps sysfs attribute.

In sysfs, AP queues are represented as subdirectories of the cryptographic adapter to which they belong. The paths to the mkvps sysfs attribute with the master key states and verification patterns have the following format:
/sys/bus/ap/devices/card<XX>/<XX>.<YYYY>/mkvps
where <XX> is the adapter ID of the cryptographic device and <YYYY> is the domain ID. For example, the mkvps attribute for AP queue 01.002a is at /sys/bus/ap/devices/card01/01.002a/mkvps.

The read-only mkvps attribute holds multiple lines of information about the master key states and verification patterns. If no valid state information is available, dashes (-) are shown instead of both the state and the verification pattern.

CCA coprocessors

For CCA coprocessors, the mkvps attribute shows the state of the AES and APKA key registers (see Secure Key Solution with the Common Cryptographic Architecture Application Programmer's Guide, SC33-8294). The information has this format:
AES NEW: <new_aes_mk_state> <new_aes_mkvp>
AES CUR: <cur_aes_mk_state> <cur_aes_mkvp>
AES OLD: <old_aes_mk_state> <old_aes_mkvp>
APKA NEW: <new_apka_mk_state> <new_apka_mkvp>
APKA CUR: <cur_apka_mk_state> <cur_apka_mkvp>
APKA OLD: <old_apka_mk_state> <old_apka_mkvp>
Where:
<new_aes_mk_state>
is the key state of the new AES master key, which can be one of the following values: empty, partial, or full.
<cur_aes_mk_state> and <old_aes_mk_state>
are the key states of the current and old AES master key, which can be one of the following values: valid or invalid.
<new_apka_mk_state>
is the key state of the new APKA master key, which can be one of the following values: empty, partial, or full.
<cur_apka_mk_state> and <old_apka_mk_state>
are the key states of the current and old APKA master key, which can be one of the following values: valid or invalid.
<*_*_mkvp>
<new_aes_mkvp>, <cur_aes_mkvp>, <old_aes_mkvp>, <new_apka_mkvp>, <cur_apka_mkvp>, and <old_apka_mkvp> are all 8-byte hexadecimal master key verification patterns, with a leading 0x.

Useful verification patterns are present only for key states full and valid. For other states, 0x0000000000000000 is shown instead.

The following example shows the information for an AP queue in CCA coprocessor mode:
# cat /sys/devices/ap/card01/01.002a/mkvps
AES NEW: empty 0x0000000000000000
AES CUR: valid 0x7d10d17bc8a409c4
AES OLD: invalid 0x0000000000000000
APKA NEW: empty 0x0000000000000000
APKA CUR: valid 0x82a5e2cd5030d5ec
APKA OLD: invalid 0x0000000000000000

EP11 coprocessors

For EP11 coprocessors, the information has this format:
MK CUR: <cur_mk_state> <cur_mkvp>
MK NEW: <new_mk_state> <new_mkvp>
Where:
<new_mk_state>
is the key state of the new master key, which can be one of the following values: empty, uncommitted, or committed.
<cur_mk_state>
is the key state of the current master key, which can be one of the following values: valid or invalid.
<new_mkvp> and <cur_mkvp>
are 32-byte hexadecimal master key verification patterns with a 0x prefix.

Useful verification patterns are present only for key states committed and valid.
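
The following Python sketch is an added example, not part of the original documentation. It parses mkvps content in both the CCA and the EP11 format described above and lists registers that need attention. The function names, the findings text, and the optional expected_cur argument are assumptions made for this example, and the EP11 sample is constructed.

```python
import re
from pathlib import Path

# One register per line: "<type> <register>: <state> <mkvp>".
LINE_RE = re.compile(r"^(AES|APKA|MK) (NEW|CUR|OLD): (\S+)(?: (\S+))?$")
USEFUL_STATES = {"full", "valid", "committed"}  # states with a meaningful pattern
MKVP_BYTES = {"AES": 8, "APKA": 8, "MK": 32}    # CCA: 8 bytes, EP11: 32 bytes
# Constructed EP11 sample; the pattern bytes are made up.
EP11_SAMPLE = "MK CUR: valid 0x" + "ab" * 32 + "\nMK NEW: empty 0x" + "00" * 32 + "\n"

def parse_mkvps(text):
    """Return {(key_type, register): (state, mkvp)}; both None when dashes are shown."""
    registers = {}
    for line in filter(None, map(str.strip, text.splitlines())):
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognized mkvps line: {line!r}")
        key_type, register, state, mkvp = m.groups()
        if state == "-":  # no valid state information available
            state = mkvp = None
        elif state in USEFUL_STATES:
            if not re.fullmatch(r"0x[0-9a-fA-F]{%d}" % (2 * MKVP_BYTES[key_type]), mkvp or ""):
                raise ValueError(f"bad verification pattern: {line!r}")
            mkvp = mkvp.lower()
        else:
            mkvp = None  # pattern is not meaningful in this state
        registers[(key_type, register)] = (state, mkvp)
    return registers

def audit(registers, expected_cur=None):
    """List findings. expected_cur (hypothetical input) maps key type to the expected MKVP."""
    findings = []
    for (key_type, register), (state, mkvp) in sorted(registers.items()):
        want = (expected_cur or {}).get(key_type)
        if state is None:
            findings.append(f"{key_type} {register}: no state information")
        elif register == "CUR" and state != "valid":
            findings.append(f"{key_type} CUR: state is {state}")
        elif register == "NEW" and state != "empty":
            findings.append(f"{key_type} NEW: register holds a {state} key")
        elif register == "CUR" and want and mkvp != want.lower():
            findings.append(f"{key_type} CUR: pattern differs from expected")
    return findings

if __name__ == "__main__":
    # Walk every AP queue that exposes an mkvps attribute.
    for path in sorted(Path("/sys/bus/ap/devices").glob("card*/*/mkvps")):
        print(path, audit(parse_mkvps(path.read_text())))
```

Patterns for registers in states other than full, valid, or committed are returned as None, so that an all-zero placeholder is never compared against an expected value.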