Using panel.exe to query the adapter compliance state

Using the --qcomp --vsig parameters, the panel.exe utility allows you to query the compliance state of a specified cryptographic coprocessor.

This command returns the status of a specified domain and parses all of the data fields to display the information on the console. Figure 1 and Figure 2 show a successful run - with added explanations - for a domain that is not in compliance mode, with the additional --vsig option which requests that the output be signed by the card, and that the signature be verified by panel.exe.

Figure 1. Querying an adapter's compliance mode (part 1)
panel.exe --qcomp --vsig
---------------------------------------------------------------
------------- ------------- ------------- for domain [42]...
------------- Compliance Data for this card --[0x96 bytes]--
CARD PN [01KU719]                  <--- CARD PART NUMBER
CARD EC [0N37513]                  <--- CARD EC level (hardware sub-version)
CARD SN [YH10DV731308]             <--- CARD Serial Number
rsvd1/2 [0x00 0x00]                <--- EMPTY fields
CCA vs [6.0.8z ]                   <--- Segment 3 firmware level (CCA version)
UDX vs1 [NONE ]                    <--- UDX version first field
UDX vs2 [NONE ]                    <--- UDX version second field
CCA CARD TIME NOW [20180131185938] <--- Current timestamp according to card internal clock
CCA BUILD TIME [20171108150441]    <--- Timestamp for build of Segment 3 firmware
CCA COMPLIANCE ]                   <--- Detailed flags fields, see below 

   cardact[0x00000000] cmp iss[0x00000000
             CARD ACTIONS on:
             <NONE>
   slogmax[0x00000200] slgevsz[0x00D2] kdf/rsvd [0x0000]
   dom act[0x00000000]
            DOM ACTIONS:
            <NONE>
   dom cmp[0x00000000]
            DOM COMPLIANCE FLAGS:
            <NONE>
   slogcnt [0x00000000]

CARD Seg2 ownerID [0x0002]         <--- Owner ID code for Segment 2 firmware
CARD Seg3 ownerID [0x0002]         <--- Owner ID code for Segment 3 firmware
CARD AdapterID [0x00000008]        <--- Adapter ID code for internal work
CARD MiniBoot-0 Ver [0x00]         <--- Miniboot 0 version (unused)
CARD MiniBoot-0 Rel [0x00]         <--- Miniboot 0 release (unused)
CARD MiniBoot-1 Ver [0x48]         <--- Miniboot 1 version (unused)
CARD MiniBoot-1 Rel [0x00]         <--- Miniboot 1 release (unused)

---> Following output is added because of --vsig option --->
               Getting Epoch Cert to verify Sig
Epoch Cert Subject Name:
      [07C8F43AD7854F599EB21EE9DC3651CAAC44DF745886CF3D83A6487F4616E455] 32
Signer Name:
      [55EB692CE3368F3DD1CCCA9115B6B50B51EDCF0BCB6B21F69734E44438DF991A] 32
------------- Compliance Data for this card Signature Verified.--

Figure 2. Querying an adapter's compliance mode (part 2)
COMPLIANCE Fields detail:
Note: all unused bits are reserved

cardact[0x00000000]   <--- (bitfield) Card state or actions in force now
          0x80000000, "CARDZEROSTRT" -- the card is in the middle of a whole card zeroize
          0x40000000, "CARDCLOCKSET" -- the card has had the internal clock set
cmp iss[0x00000000    <--- (bitfield) Bits representing reasons this domain cannot go into 
                      compliance mode, if any
          0x80000000, -- Card Firmware is a UDX, cannot enter compliance mode
          0x40000000, -- CCA responding is from a simulator or debug image, cannot enter compliance mode
          0x20000000, -- Outbound Authentication certificate chain is not valid, cannot enter compliance 
                         mode (contact IBM service if this occurs)
slogmax[0x00000200]   <--- Maximum count of secure audit log entries
slgevsz[0x00D2]       <--- Size of each secure audit log entry
kdf/rsvd [0x0000]     <--- Current KDF for compliance level
dom act[0x00000000]   <--- (bitfield) Domain compliance / restart actions in force now
          0x80000000, "DOM_ZEROSTRT" -- the domain is in the middle of a domain-scope zeroize
          0x40000000, "DOM_IMPRSTRT" -- the domain internal state is transitioning to imprint mode
          0x20000000, "DOM_IMPR_ACT" -- the domain is now in imprint mode, a configuration state before
                      compliance mode
          0x10000000, "DOM_COMP_ACT" -- the domain is now in compliance mode
          0x08000000, "DOM_COMPRMST" -- the domain internal state is transitioning out of compliance mode
          0x04000000, "DOM_COMP_MIG" -- the domain is now in migration mode, a sub-state of
                      compliance mode
          0x00008000, "DOM_SLOGENAB" -- the domain secure audit log is enabled (required for imprint and
                      compliance modes)
          0x00004000, "DOM_SLOGNOWR" -- the domain secure audit log is enabled for no-wrap mode:
                      secure read/clear is required
dom cmp[0x00000000]   <--- (bitfield) Domain compliance configuration (if in compliance mode)
          0x80000000, "CMP_PCIH2016"
slogcnt [0x00000000]  <--- Current count of secure audit log entries
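
Added example (not IBM code and not part of panel.exe): a Python parser that reads the console text shown in Figure 1 and decodes the four bitfields with the flag values listed in Figure 2, reporting any reserved bits that are set. It assumes the field labels and the "Signature Verified" line appear exactly as in the figures; the function names, the short descriptions used for the cmp iss bits, and the sample input are constructed for illustration.

```python
import re

# Flag values copied from the "COMPLIANCE Fields detail" listing (Figure 2).
FLAGS = {
    "cardact": {0x80000000: "CARDZEROSTRT", 0x40000000: "CARDCLOCKSET"},
    "cmp iss": {0x80000000: "card firmware is a UDX",
                0x40000000: "simulator or debug image",
                0x20000000: "Outbound Authentication cert chain not valid"},
    "dom act": {0x80000000: "DOM_ZEROSTRT", 0x40000000: "DOM_IMPRSTRT",
                0x20000000: "DOM_IMPR_ACT", 0x10000000: "DOM_COMP_ACT",
                0x08000000: "DOM_COMPRMST", 0x04000000: "DOM_COMP_MIG",
                0x00008000: "DOM_SLOGENAB", 0x00004000: "DOM_SLOGNOWR"},
    "dom cmp": {0x80000000: "CMP_PCIH2016"},
}

# No closing "]" is required: the figures print "cmp iss[0x00000000" without one.
FIELD_RE = re.compile(r"(cardact|cmp iss|dom act|dom cmp)\s*\[0x([0-9A-Fa-f]{8})")

def decode(name, value):
    """Return (names of the flags set, mask of reserved bits that are set)."""
    names = [label for bit, label in FLAGS[name].items() if value & bit]
    known = sum(FLAGS[name])  # the bits are distinct, so the sum equals their OR
    return names, value & ~known & 0xFFFFFFFF

def parse_qcomp(text):
    """Parse `panel.exe --qcomp [--vsig]` console output into a report dict."""
    # Assumption: output without the "Signature Verified" line is treated as unverified.
    report = {"signature_verified": "Signature Verified" in text, "reserved": {}}
    for name, hexval in FIELD_RE.findall(text):
        names, reserved = decode(name, int(hexval, 16))
        report[name] = names
        if reserved:
            report["reserved"][name] = hex(reserved)
    report["in_compliance_mode"] = "DOM_COMP_ACT" in report.get("dom act", [])
    return report

# Constructed sample: Figure 1's field layout with non-zero values filled in.
SAMPLE = """\
   cardact[0x40000000] cmp iss[0x00000000
   slogmax[0x00000200] slgevsz[0x00D2] kdf/rsvd [0x0000]
   dom act[0x10008000]
   dom cmp[0x80000001]
------------- Compliance Data for this card Signature Verified.--
"""

if __name__ == "__main__":
    print(parse_qcomp(SAMPLE))
```
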