Enabling a cryptographic coprocessor for EP11 firmware exploitation

You must have an IBM® 4765 Crypto Express4 feature or higher that is configured as an EP11 coprocessor, and that is initialized and personalized in your z/VM® guest or LPAR. Read this topic to learn how to check for the existence of a suitably configured CEX*P adapter (CEX4P or higher), and how to configure such an adapter if none is present yet.

About this task

A CEX*S Crypto Express card configured in Enterprise PKCS #11 coprocessor mode (EP11 coprocessor mode for short) is also called a Crypto Express EP11 coprocessor (CEX*P). Such a coprocessor, installed in your z/VM guest or LPAR, is a prerequisite for using the functions of the EP11 library. This procedure shows you how to turn a CEX*S Crypto Express adapter into a CEX*P adapter by enabling the installed EP11 firmware from the Support Element.

Procedure

  1. Check whether your CEX*S Crypto Express card is already plugged in and enabled, and validate its model and type configuration (accelerator or coprocessor).

    To check, enter the lszcrypt command and check the output:

    # lszcrypt
    CARD.DOMAIN TYPE  MODE        STATUS  REQUESTS
    ----------------------------------------------
    00          CEX5A Accelerator online         0
    00.001a     CEX5A Accelerator online         0
    01          CEX5C CCA-Coproc  online        50
    01.001a     CEX5C CCA-Coproc  offline       50
    02          CEX6C CCA-Coproc  online        55
    02.001a     CEX6C CCA-Coproc  offline       55
    03          CEX6P EP11-Coproc online         8
    03.001a     CEX6P EP11-Coproc online         8
    05          CEX7P EP11-Coproc online       104
    05.001a     CEX7P EP11-Coproc online       104
    If you see output like the one shown, with a line similar to
    xx.xxxx     CEX6P EP11-Coproc online
    then a CEX6P adapter is available and ready for use with EP11, and the task is completed.
  2. If the following error message is displayed, the zcrypt device driver module must be installed:

    error - cryptographic device driver zcrypt is not loaded!

    For installation information, refer to Installing and loading the cryptographic device driver.

  3. If the output from the lszcrypt command in step 1 does not show a CEX<n>P adapter (where <n> is 4 or higher), determine why. If a CEX*S card is correctly assigned to the LPAR or z/VM guest in which Linux is running, but no CEX<n>P is shown, you must activate the EP11 firmware on the CEX*S adapter.
    To do this, log on to the Support Element with a user ID that has the required access rights. You can either use the Support Element directly or use its web interface.
  4. In the System Management window, select the CPC that holds the CEX*S adapter that you want to configure.
    In the sample screen in Figure 1, the selected CPC is M35.
    Figure 1. System Management in the Support Element
  5. Select Cryptos from the navigation area on the left of the dialog to get a list of installed adapters, as shown in Figure 2.
    Figure 2. System Management - installed crypto adapters
  6. Select the crypto card to be changed - in our scenario, a CEX6 coprocessor with PCHID 01DC and ID 11 - and also select Configure On/Off from the Crypto Service Operations to reach the view shown in Figure 3.
    Figure 3. System Management - configure LPARs off
  7. Select all LPARs in which this adapter is configured online (if any), as shown in Figure 3.
    The Crypto Express adapter must be configured offline in all LPARs before you can change its configuration type. To do this, select Toggle from the Select Action pull-down menu to switch to the desired state, and then press OK to apply the change. In the next dialog, you must confirm the action, because it can be disruptive for processes in the affected LPARs.

    Finally, you return to the view shown in Figure 2, where the selected adapter is now shown as stopped.

  8. Navigate back to the System Management window (Figure 1). Scroll down and select Cryptographic Configuration from the Configuration menu on the right-hand side.
    This opens the dialog shown in Figure 4.
    Figure 4. System Management - Cryptographic Configuration
  9. Select the desired adapter again (see step 4).
    Now press Crypto Type Configuration in the dialog shown in Figure 4. This opens the dialog shown in Figure 5.
    Figure 5. System Management - Crypto Type Configuration
  10. Select EP11 Coprocessor and press OK.
    This action turns the adapter into a CEX*P adapter running the EP11 firmware. Also note that TKE commands are always permitted for a CEX*P adapter, so that it can communicate with the TKE daemon ep11TKEd.
  11. You must now select the LPARs that you want to allow to access and use the reconfigured adapter. For these LPARs, you need to configure the reconfigured adapter back online.
    To do this, return to the dialog shown in Figure 3 and toggle the status of the adapter for each such LPAR back to online.
  12. A restart of z/VM or the LPAR is required to activate the reconfiguration.
    For z/VM, check beforehand that the correct definitions have been applied to the EP11 coprocessor card. For the LPARs, both on z/VM and on Linux, you must also add the reconfigured adapter to the activation profile. Then deactivate and activate the LPAR. Afterwards, perform an IPL of Linux on that LPAR, or perform an IPL of z/VM and then start the guests that use the reconfigured adapter.
  13. Optionally, you can use the chzcrypt command to enable (online state) and disable (offline state) the IBM crypto adapter:
    $ chzcrypt -e 0x06    # set card 06 online
    $ chzcrypt -d 0x06    # set card 06 offline
    For more information about the IBM crypto adapter, see Device Drivers, Features, and Commands, SC33-8411 available at
    www.ibm.com/developerworks/linux/linux390/documentation_dev.html
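The decision made in steps 1 to 3 (suitable CEX*P online, zcrypt driver missing, or EP11 firmware still to be enabled) can be scripted against the lszcrypt output. The following is an added example, not code from the IBM documentation; the function and variable names are assumptions, and the sample listings are constructed after the output shown in step 1.

```shell
#!/bin/sh
# Added example (not from the IBM page): classifies lszcrypt output as in steps 1-3.
# Return codes of check_ep11_output:
#   0 = an online CEX<n>P EP11 coprocessor with n >= 4 is present (task done)
#   1 = the zcrypt device driver is not loaded (step 2 applies)
#   2 = no suitable EP11 coprocessor is visible (step 3: activate EP11 firmware)
check_ep11_output() {
    # $1 holds the text lszcrypt printed; passing it in keeps the logic testable offline
    printf '%s\n' "$1" | awk '
        /cryptographic device driver zcrypt is not loaded/ { notloaded = 1; exit }
        # card-level lines only (no ".domain" suffix), type CEX<n>P, EP11 mode, online
        $1 !~ /\./ && $2 ~ /^CEX[0-9]+P$/ && $3 == "EP11-Coproc" && $4 == "online" {
            gen = substr($2, 4, length($2) - 4) + 0   # the <n> in CEX<n>P
            if (gen >= 4) found = 1
        }
        END { if (notloaded) exit 1; if (found) exit 0; exit 2 }'
}

# Constructed sample outputs modelled on the lszcrypt listing shown in step 1.
SAMPLE_EP11_ONLINE='CARD.DOMAIN TYPE  MODE        STATUS  REQUESTS
----------------------------------------------
01          CEX5C CCA-Coproc  online        50
03          CEX6P EP11-Coproc online         8
03.001a     CEX6P EP11-Coproc online         8'

SAMPLE_NO_EP11='CARD.DOMAIN TYPE  MODE        STATUS  REQUESTS
----------------------------------------------
00          CEX5A Accelerator online         0
02          CEX6C CCA-Coproc  online        55
04          CEX7P EP11-Coproc offline       12'

SAMPLE_NOT_LOADED='error - cryptographic device driver zcrypt is not loaded!'

# Live use on the Linux guest or LPAR:  ep11_next_step "$(lszcrypt 2>&1)"
ep11_next_step() {
    rc=0
    check_ep11_output "$1" || rc=$?
    case $rc in
        0) echo "CEX*P EP11 coprocessor online: nothing to configure" ;;
        1) echo "zcrypt not loaded: install and load the device driver (step 2)" ;;
        *) echo "no online CEX<n>P with n >= 4: enable EP11 firmware on the Support Element (step 3)" ;;
    esac
    return $rc
}
```

The offline sample (card 04) is deliberately excluded: an EP11 coprocessor that is not configured online in this LPAR does not satisfy the check.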

Results

Now that the EP11 firmware has been enabled on your cryptographic coprocessor, the card has become a so-called CEX*P coprocessor, which can take advantage of the Linux on Z EP11 enablement. To check the capabilities of a configured adapter, use the lszcrypt -c <card-number> command:
    $ lszcrypt -c 03
    card03 provides capability for:
    EP11 Secure Key
Notes:
  1. If you work with one of the available session modes (strict session mode or virtual HSM mode) as described in Controlling access to cryptographic objects, a unique EP11 session ID is generated for each session and stored as a pin-blob (binary large object) on the coprocessor domain. A Crypto Express EP11 coprocessor offers storage for up to 1024 nonces or pin-blobs, shared among all defined domains on the coprocessor.
  2. If multiple EP11 cryptographic coprocessors in your environment run different levels of the EP11 firmware (the module part of the EP11 library), then the EP11 token provides only those features that the CEX*P EP11 coprocessor with the lowest firmware level provides.