Dynamically adding and removing cryptographic adapters

Edit online

Red Hat Enterprise Linux 9.2 LPAR mode z/VM guest KVM guest

You can add or remove cryptographic adapters from a running Linux® instance.

Before you begin

For z/VM® or KVM guests, your hypervisor version must support dynamic adding and removing of cryptographic adapters.

About this task

Linux attempts to detect new cryptographic adapters and set them online every time a configuration timer expires. Read or modify the expiration time with the lszcrypt and chzcrypt commands.

Adding or removing of cryptographic adapters to or from an LPAR is transparent to applications that use clear key functions. If a cryptographic adapter is removed while cryptographic requests are being processed, the device driver automatically resubmits lost requests to the remaining adapters. Special handling is required for secure key.

Secure key requests are submitted to a dedicated cryptographic coprocessor. If this coprocessor is removed or lost, new requests cannot be submitted to a different coprocessor. Therefore, dynamically adding and removing adapters with a secure key application requires support within the application. For more information about secure key cryptography, see Secure Key Solution with the Common Cryptographic Architecture Application Programmer's Guide, SC33-8294. You can obtain this publication at 
https://www.ibm.com/docs/linuxonibm/liaaf/lnz_r_ccacnt.html

Alternatively, you can read or set the configuration timer through the config_time sysfs attribute. This read-write attribute can be found at the AP bus level. Valid values for the config_time sysfs attribute are in the range 5 - 120 seconds.

For the secure key cryptographic functions on EP11 coprocessors, see Exploiting Enterprise PKCS #11 using openCryptoki, SC34-2713. You can obtain it at ibm.com/docs/en/linux-on-systems?topic=overview-exploiting-enterprise-pkcs-11-using-opencryptoki

Procedure

You can work with cryptographic adapters in the following ways:
  • Add or remove cryptographic adapters by using the SE or HMC.
    After the configuration timer expires, the cryptographic adapter is added to or removed from Linux, and the corresponding sysfs entries are created or deleted.
  • Enable or disable a cryptographic adapter by using the chzcrypt command.
    The cryptographic adapter is only set online or offline in sysfs. The sysfs entries for the cryptographic adapter are retained. Use the lszcrypt command to check the results of the chzcrypt command.

Examples

  • To use the lszcrypt and chzcrypt commands to find out the current configuration timer setting, issue: 
    # lszcrypt -b
...
config_time=30 (seconds)
...
    In the example, the timer is set to 30 seconds.
  • To set the configuration timer to 60 seconds, issue: 
    # chzcrypt -c 60
To use sysfs to find out the current configuration timer setting, issue:
  • To read the configuration timer setting, issue: 
    # cat  /sys/bus/ap/config_time
  • To set the configuration timer to 60 seconds, issue: 
    # echo 60 > /sys/bus/ap/config_time