Investigating master key states and verification patterns
For information about the master keys on an AP queue and the keys' verification patterns, read the queue's mkvps sysfs attribute.
In sysfs, AP queues are represented as subdirectories of the cryptographic adapter to
which they belong. The paths to the mkvps sysfs attribute with the master key
states and verification patterns have the following format:
/sys/bus/ap/devices/card<XX>/<XX>.<YYYY>/mkvps
where <XX> is the adapter ID of the cryptographic device and
<YYYY> is the domain ID. For example, the mkvps attribute
for an AP queue 01.002a is at
/sys/bus/ap/devices/card01/01.002a/mkvps.
The read-only mkvps attribute holds multiple lines of information about the master key states and verification patterns. If no valid state information is available, dashes (-) are shown instead of both the state and the verification pattern.
CCA coprocessors
For CCA coprocessors, the mkvps attribute shows the state of the AES and
APKA key registers (see Secure Key Solution with the Common Cryptographic Architecture
Application Programmer's Guide, SC33-8294). The information has this
format:
AES NEW: <new_aes_mk_state> <new_aes_mkvp>
AES CUR: <cur_aes_mk_state> <cur_aes_mkvp>
AES OLD: <old_aes_mk_state> <old_aes_mkvp>
APKA NEW: <new_apka_mk_state> <new_apka_mkvp>
APKA CUR: <cur_apka_mk_state> <cur_apka_mkvp>
APKA OLD: <old_apka_mk_state> <old_apka_mkvp>
Where:
- <new_aes_mk_state>
  is the key state of the new AES master key, which can be one of the following values: empty, partial, or full.
- <cur_aes_mk_state> and <old_aes_mk_state>
  are the key states of the current and old AES master key, which can be one of the following values: valid or invalid.
- <new_apka_mk_state>
  is the key state of the new APKA master key, which can be one of the following values: empty, partial, or full.
- <cur_apka_mk_state> and <old_apka_mk_state>
  are the key states of the current and old APKA master key, which can be one of the following values: valid or invalid.
- <*_*_mkvp>
  <new_aes_mkvp>, <cur_aes_mkvp>, <old_aes_mkvp>, <new_apka_mkvp>, <cur_apka_mkvp>, and <old_apka_mkvp> are all 8-byte hexadecimal master key verification patterns, with a leading 0x. Useful verification patterns are present only for key states full and valid. For other states, 0x0000000000000000 is shown instead.
The following example shows the information for an AP queue
in CCA coprocessor mode:
# cat /sys/devices/ap/card01/01.002a/mkvps
AES NEW: empty 0x0000000000000000
AES CUR: valid 0x7d10d17bc8a409c4
AES OLD: invalid 0x0000000000000000
APKA NEW: empty 0x0000000000000000
APKA CUR: valid 0x82a5e2cd5030d5ec
APKA OLD: invalid 0x0000000000000000
EP11 coprocessors
For EP11 coprocessors, the information has this
format:
MK CUR: <cur_mk_state> <cur_mkvp>
MK NEW: <new_mk_state> <new_mkvp>
Where:
- <new_mk_state>
  is the key state of the new master key, which can be one of the following values: empty, uncommitted, or committed.
- <cur_mk_state>
  is the key state of the current master key, which can be one of the following values: valid or invalid.
- <new_mkvp> and <cur_mkvp>
  are 32-byte hexadecimal master key verification patterns with a 0x prefix. Useful verification patterns are present only for key states committed and valid.
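A check an administrator could run over this attribute, as an added example that is not part of the original documentation: it parses mkvps content in either the CCA or the EP11 format, handles the dash placeholders, and compares the current master key verification patterns against pinned values. The function names, the pinning policy, and the reporting of non-empty NEW registers are assumptions of this example; the sample text is the CCA output shown on this page.

```python
import re

# Added example: function names and the pinning policy are assumptions.
# Key states for which the page says a useful verification pattern is shown.
USEFUL_STATES = {"full", "valid", "committed"}
# One mkvps line: "<LABEL>: <state> <mkvp>", e.g. "AES CUR: valid 0x7d10...".
LINE_RE = re.compile(r"^([A-Z]+(?: [A-Z]+)*):\s+(\S+)(?:\s+(\S+))?$")
# 8-byte (CCA) or 32-byte (EP11) pattern with a leading 0x.
MKVP_RE = re.compile(r"^0x(?:[0-9a-f]{16}|[0-9a-f]{64})$")

def parse_mkvps(text):
    """Map each register label to (state, mkvp); either may be None."""
    regs = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        label, state, mkvp = m.groups()
        if state == "-":                      # no valid state information
            regs[label] = (None, None)
        elif state in USEFUL_STATES and mkvp and MKVP_RE.match(mkvp.lower()):
            regs[label] = (state, mkvp.lower())
        else:                                 # pattern not meaningful here
            regs[label] = (state, None)
    return regs

def audit_queue(text, expected):
    """Return findings for one queue; expected maps label -> pinned MKVP."""
    regs, findings = parse_mkvps(text), []
    for label, want in expected.items():
        state, mkvp = regs.get(label, (None, None))
        if state != "valid":
            findings.append(f"{label}: state is {state or 'unavailable'}")
        elif mkvp != want.lower():
            findings.append(f"{label}: MKVP {mkvp} differs from pinned {want}")
    for label, (state, _) in regs.items():
        if label.endswith("NEW") and state not in (None, "empty"):
            findings.append(f"{label}: register is {state}")
    return findings

# Sample taken from the CCA example output on this page.
SAMPLE_CCA = """\
AES NEW: empty 0x0000000000000000
AES CUR: valid 0x7d10d17bc8a409c4
AES OLD: invalid 0x0000000000000000
APKA NEW: empty 0x0000000000000000
APKA CUR: valid 0x82a5e2cd5030d5ec
APKA OLD: invalid 0x0000000000000000
"""
```

An empty list from audit_queue means every pinned register is valid with the expected pattern and no NEW register is loaded.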