Cryptographic domains
Crypto Express hardware adapters are divided into multiple domains, also called cryptographic domains or AP domains.
Each domain acts as an independent cryptographic device with its own state, including its own master key. Two domains in the same Crypto Express adapter are completely isolated and cannot access each other's states. The maximum number of domains depends on the mainframe model and is the same for all Crypto Express adapters in that mainframe. For example, a z13® supports up to 85 domains (with hexadecimal domain IDs 0000 to 0054).
Cryptographic devices on LPARs
When you assign adapters and domains to an LPAR on the HMC or SE, you indirectly assign virtual cryptographic devices.
For example, assigning adapter ID 00 and 02 as well as domains 0002, 0003, and 0005 to an LPAR implicitly assigns six virtual cryptographic devices to the LPAR: (00,0002), (00,0003), (00,0005), (02,0002), (02,0003), and (02,0005).
You can choose between two types of access to a cryptographic domain:
- To use cryptographic functions.
- A domain that is assigned to an LPAR for usage access is called a usage domain of that LPAR on the HMC or SE.
- To manage or control the domain, including the management of the master keys.
- A domain that is assigned to an LPAR for management (control) access is called a control domain of that LPAR on the HMC or SE.
Every usage domain of an LPAR must also be a control domain of that LPAR.
The list of usage domains and the list of adapter IDs define the list of virtual cryptographic devices that are assigned to an LPAR. For example, if 00 is an adapter ID and 0002 is a usage domain ID, then the virtual cryptographic device (00,0002) is assigned to the LPAR.
Cryptographic devices on z/VM
CRYPTO
directory statement:- The
CRYPTO APDEDICATE
statement assigns domain IDs and adapter IDs to the guest. This assignment implicitly defines a list of dedicated virtual cryptographic devices. All virtual cryptographic devices that are determined by an ID from the adapter list of that guest and an ID from the domain list of that guest are assigned to the guest. - The
CRYPTO APVIRT
statement assigns one virtual cryptographic device that can be shared among multiple guests with a guest-specific virtualized adapter ID and a virtualized domain ID.
Linux® on z/VM with access to a shared cryptographic accelerator can either observe an accelerator or a CCA coprocessor.
- Random number functions
- Clear-key RSA functions
- If APAR VM65942 has been installed: Clear-key ECC functions
Cryptographic devices on Linux
/sys/devices/ap/card00/00.0002
/sys/devices/ap/card00/00.0003
/sys/devices/ap/card00/00.0005
/sys/devices/ap/card02/02.0002
/sys/devices/ap/card02/02.0003
/sys/devices/ap/card02/02.0005
Cryptographic devices and KVM
- The AP queue must be freed from control of the zcrypt device driver.
- The AP queue must be configured for a VFIO mediated device that is controlled by the vfio_ap device driver.