Binding and associating an EP11 adapter AP queue using the pvapconfig command
You can use the pvapconfig command to implement AP queue device configurations that are defined in a configuration YAML file to bind and associate an AP queue from a Crypto Express adapter configured as an Enterprise PKCS#11 coprocessor.
Use the pvapconfig command to automate the mapping of AP queues to association secrets. The command is also useful if many AP queues need to be configured.
About this task
IBM Secure Execution for Linux uses a special secret to associate a secure guest to an AP queue. The untrusted provider of the host environment configures the AP queue for the KVM guest, but cannot use it once it is associated with the secure guest.
For details of how to enhance the security of an add-secret request, see Preventing the misuse of add-secret requests.
For Crypto Express8S adapters in Enterprise PKCS #11 coprocessor mode, you need to bind and associate an AP queue with a secret.
The procedure that follows presents a simple example of binding an EP11 AP queue and associating it with a specific HSM master key, thus making it usable for the secure guest.