Secure usage requirements for Crypto Express adapters in EP11 mode
Trust in the TKE administrators for the domains and the adapter is essential when you use Crypto Express® adapters in Enterprise PKCS #11 coprocessor mode.
Secure usage of AP queues in Enterprise PKCS #11 coprocessor mode requires careful assignment of master keys to adapter domains and equally careful association of association secrets with these domains. Trust in the TKE administrators of your Crypto Express® adapter domains is paramount: if you cannot trust your TKE domain administrator, you cannot use AP queues securely. This is a general requirement and is not specific to IBM® Secure Execution for Linux®.
Requirement 1: TKE domain administrators of your adapter domains
The TKE domain administrators must provide the administrators of your secure-execution guest with necessary information, such as:
- The adapters (by serial number, SN) and the domains that are configured for your use, including, where applicable, the certificates that are installed in those domains.
- The master key verification patterns of the HSM master keys (also known as EP11 wrapping keys) that are installed in your adapter domains.
- Timely communication of any changes to HSM master keys in the adapter domains, such as master key rolls.
- Timely communication of zeroization of adapter domains.
Further, TKE domain administrators must ensure that master keys are unique across the domains of the same Crypto Express adapter. That is, a master key must not be configured in a domain if it was, is, or will be configured in another domain of the same adapter. This precludes any domain from using a master key that is assigned to another domain of the same adapter. Consequently, domains of the same adapter that are allocated to the same guest must not share master keys. For redundancy, you can configure the same master key in domains that are located on separate adapters.
Requirement 2: Protection against adapter zeroization
A TKE adapter administrator holds the power to zeroize a whole Crypto Express adapter and thus zeroize all domains in that adapter. Unless the TKE adapter administrator reliably announces each adapter zeroization, this action can result in a loss of control over domains previously owned by trusted domain administrators.
To maintain control and trust, applications in your secure-execution guest must verify the master key verification pattern of every secure key that an adapter domain generates against the patterns communicated by the trusted TKE domain administrator. A pattern that matches neither the current master key nor, during an announced master key roll, the previous one indicates that the domain's master key changed without your knowledge, for example after an unannounced adapter zeroization, and the key must not be used.
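The following is an added example and not code from the IBM documentation. It shows the verification described above on the guest side: a secure key blob's wrapping-key verification pattern (the EP11 form of the master key verification pattern) is compared against the patterns that the TKE domain administrator communicated out of band, accepting the previous pattern only while a master key roll is in progress. The blob layout (a 32-byte session/header field followed by a 16-byte WKVP, as used by the Linux zcrypt and pkey drivers), the constant names, and all sample patterns and serial numbers are assumptions made for this illustration.

```python
"""Added example (not IBM code): verify the WKVP of an EP11 secure key blob
against the patterns reported by the trusted TKE domain administrator."""

import struct
from dataclasses import dataclass
from typing import Optional

# Assumed EP11 AES secure key blob layout (Linux zcrypt/pkey drivers): the first
# bytes of the 32-byte session field carry type, reserved byte, 16-bit total
# length and version; the 16-byte WKVP follows at offset 32. Constant names are
# hypothetical; the values are the ones assumed for this layout.
WKVP_OFFSET = 32
WKVP_LEN = 16
TOKTYPE_NON_CCA = 0x00
TOKVER_EP11_AES = 0x03


class UntrustedKeyError(Exception):
    """The secure key is wrapped under a master key that we do not trust."""


@dataclass
class DomainTrust:
    """Patterns communicated out of band by the TKE domain administrator for one
    (adapter SN, domain). `previous` is set only while a master key roll is in
    progress and must be cleared as soon as the roll is complete."""
    adapter_sn: str
    domain: int
    current: bytes
    previous: Optional[bytes] = None


def extract_wkvp(blob: bytes) -> bytes:
    """Return the 16-byte WKVP of an EP11 secure key blob after header checks."""
    if len(blob) < WKVP_OFFSET + WKVP_LEN:
        raise ValueError("blob too short to be an EP11 secure key")
    tok_type, _res, length, version = struct.unpack_from(">BBHB", blob, 0)
    if tok_type != TOKTYPE_NON_CCA or version != TOKVER_EP11_AES:
        raise ValueError(f"not an EP11 AES key blob (type={tok_type:#x}, version={version:#x})")
    if length > len(blob):
        raise ValueError("header length exceeds blob length")
    return bytes(blob[WKVP_OFFSET:WKVP_OFFSET + WKVP_LEN])


def verify_secure_key(blob: bytes, trust: DomainTrust) -> str:
    """Classify the key as wrapped under the 'current' or the 'previous' (pre-roll)
    master key of the domain, or raise UntrustedKeyError. A key that matches
    neither pattern means the domain's master key changed without the TKE domain
    administrator telling us, e.g. after an unannounced adapter zeroization."""
    wkvp = extract_wkvp(blob)
    if wkvp == trust.current:
        return "current"
    if trust.previous is not None and wkvp == trust.previous:
        return "previous"  # still usable, but re-wrap it before the roll completes
    raise UntrustedKeyError(
        f"adapter {trust.adapter_sn} domain {trust.domain}: WKVP {wkvp.hex()} "
        "matches no trusted master key verification pattern")


def is_trusted(blob: bytes, trust: DomainTrust) -> bool:
    """Boolean form of verify_secure_key for callers that only gate on the result."""
    try:
        verify_secure_key(blob, trust)
        return True
    except (UntrustedKeyError, ValueError):
        return False


def make_test_blob(wkvp: bytes, total_len: int = 256) -> bytes:
    """Build a constructed (not real) EP11-shaped blob carrying the given WKVP."""
    assert len(wkvp) == WKVP_LEN
    head = struct.pack(">BBHB", TOKTYPE_NON_CCA, 0, total_len, TOKVER_EP11_AES)
    body = head + bytes(WKVP_OFFSET - len(head)) + wkvp
    return body + bytes(total_len - len(body))


# Constructed sample patterns; real ones come from the TKE domain administrator.
TRUSTED_OLD = bytes.fromhex("0123456789abcdef0123456789abcdef")
TRUSTED_NEW = bytes.fromhex("fedcba9876543210fedcba9876543210")
ROGUE = bytes.fromhex("9f9f9f9f9f9f9f9f9f9f9f9f9f9f9f9f")  # e.g. new key after zeroization

if __name__ == "__main__":
    trust = DomainTrust("93AABBCC", 17, current=TRUSTED_NEW, previous=TRUSTED_OLD)
    print(verify_secure_key(make_test_blob(TRUSTED_NEW), trust))  # current
    print(verify_secure_key(make_test_blob(TRUSTED_OLD), trust))  # previous
    try:
        verify_secure_key(make_test_blob(ROGUE), trust)
    except UntrustedKeyError as err:
        print("rejected:", err)
```

The check compares only the verification pattern, which is what the TKE domain administrator can communicate; it does not attempt to use the key. Keep the trusted patterns in the guest's own configuration, updated only on an announced master key roll, and drop `previous` once the roll has finished so that keys wrapped under the retired master key stop verifying.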
Restriction: Policies for association keys
The owner of a secure-execution guest must refrain from associating an association secret with different master key verification patterns, unless these patterns are sequentially related through master key roll operations. That is, if two domains serve distinct purposes, they must not share the same association secret.
Restriction: Never reuse the same association secret for two AP queues of the same adapter
Current IBM Z® and IBM® LinuxONE firmware does not allow the same association secret to be used with two AP queues of the same adapter. This restriction prevents unexpected side effects that are associated with resetting an EP11 AP queue.
Planning for redundancy
It is secure to use the same master key and the same association secret in two domains that are located on different adapters. Therefore, for redundancy or backup purposes, place the redundant or backup domain on a separate adapter from the primary domain. This practice satisfies the uniqueness requirements above and also provides hardware redundancy for the redundant or backup domains.
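As an added example (not IBM's code), the checker below applies the rules from Requirement 1, the two restrictions, and the redundancy guidance to a planned domain layout before any AP queues are bound: a master key must be unique across the domains of one adapter, an association secret must not be used for two AP queues of the same adapter, an association secret must be bound to only one master key lineage, and the same master key and secret on different adapters is accepted as redundancy. The data model, the field names, and all sample serial numbers, patterns and secret labels are assumptions for this illustration; association secrets are referred to by label only.

```python
"""Added example (not IBM code): static check of a planned EP11 domain layout
against the master key and association secret rules on this page."""

from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class DomainPlan:
    """One AP queue the guest intends to bind. Fields are hypothetical."""
    adapter_sn: str
    domain: int
    mkvp: bytes                     # master key verification pattern now installed
    older_mkvps: Tuple[bytes, ...]  # earlier patterns of the same lineage (master key rolls)
    assoc_secret_id: str            # label of the association secret, never the secret itself

    @property
    def lineage(self) -> frozenset:
        return frozenset((self.mkvp,) + self.older_mkvps)


def check_plan(plans: Iterable[DomainPlan]) -> List[str]:
    """Return findings tagged R1/R2/R3; an empty list means the plan is acceptable."""
    plans = list(plans)
    findings: List[str] = []

    # R1 (Requirement 1): a master key, past or present, belongs to at most one
    # domain per adapter. The same pattern on another adapter is fine (redundancy).
    owner: Dict[Tuple[str, bytes], int] = {}
    for p in plans:
        for pattern in p.lineage:
            key = (p.adapter_sn, pattern)
            if key in owner and owner[key] != p.domain:
                findings.append(f"R1: adapter {p.adapter_sn}: MKVP {pattern.hex()} is used by "
                                f"domains {owner[key]} and {p.domain}")
            else:
                owner.setdefault(key, p.domain)

    # R2 (firmware restriction): one association secret per AP queue on an adapter.
    per_adapter: Dict[Tuple[str, str], List[int]] = defaultdict(list)
    for p in plans:
        per_adapter[(p.adapter_sn, p.assoc_secret_id)].append(p.domain)
    for (sn, secret), domains in per_adapter.items():
        if len(domains) > 1:
            findings.append(f"R2: adapter {sn}: association secret {secret} bound to "
                            f"domains {sorted(domains)}")

    # R3 (association key policy): everything bound with one association secret
    # must sit on a single master key lineage; two patterns are related if one
    # of them appears in the other's roll history.
    by_secret: Dict[str, List[DomainPlan]] = defaultdict(list)
    for p in plans:
        by_secret[p.assoc_secret_id].append(p)
    for secret, group in by_secret.items():
        for i, a in enumerate(group):
            for b in group[i + 1:]:
                if a.mkvp not in b.lineage and b.mkvp not in a.lineage:
                    findings.append(f"R3: association secret {secret} spans unrelated master keys "
                                    f"on {a.adapter_sn}/{a.domain} and {b.adapter_sn}/{b.domain}")
    return findings


# Constructed sample patterns and layouts.
K1, K2, K3 = b"\x11" * 16, b"\x22" * 16, b"\x33" * 16

# Primary domain on adapter A1 mirrored on adapter A2 for redundancy, plus an
# unrelated domain with its own secret on A1: no findings expected.
GOOD_PLAN = [
    DomainPlan("A1", 5, K1, (), "secret-hr"),
    DomainPlan("A2", 5, K1, (), "secret-hr"),
    DomainPlan("A1", 6, K2, (), "secret-finance"),
]

# A1 has already rolled from K1 to K2 while its mirror on A2 still runs K1.
ROLL_PLAN = [
    DomainPlan("A1", 5, K2, (K1,), "secret-hr"),
    DomainPlan("A2", 5, K1, (), "secret-hr"),
]

# Same master key and same secret on two domains of A1, and the secret reused
# for an unrelated master key on A2.
BAD_PLAN = [
    DomainPlan("A1", 5, K1, (), "secret-hr"),
    DomainPlan("A1", 6, K1, (), "secret-hr"),
    DomainPlan("A2", 7, K3, (), "secret-hr"),
]

if __name__ == "__main__":
    for name, plan in (("good", GOOD_PLAN), ("roll", ROLL_PLAN), ("bad", BAD_PLAN)):
        print(name, check_plan(plan) or "ok")
```

Run the check whenever the TKE domain administrator announces a master key roll or a new domain assignment, feeding it the patterns they communicated; a roll is accepted only because the new pattern lists the old one in `older_mkvps`, which is exactly the "sequentially related" exception of the association key policy.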
Moving master keys
When your TKE domain administrator needs to move a master key from one domain to another domain on the same adapter, ensure that none of your secure-execution guests have AP queues bound to either domain for the duration of the migration.