Binding an accelerator AP queue using the chzcrypt command

To use a Crypto Express adapter in accelerator mode, you must bind an AP queue to the secure-execution guest. You can use the chzcrypt command with the --se-bind option to bind an accelerator AP queue to a secure-execution guest.

Alternatively you can use the pvapconfig command to bind AP queues.

About this task

This example uses the chzcrypt and lszcrypt commands to bind an AP queue. For an alternative, see pvapconfig - Implement an AP queue configuration.

Procedure

  1. Optionally, on the secure-execution guest, list the available AP queues.
    Use the lszcrypt command with the -V option to see AP queues listed under SESTAT.
    For example:
    [secguest]: lszcrypt -V
    CARD.DOMAIN  TYPE   MODE        STATUS   REQ... PENDING HWTYPE QDEPTH FUNCTIONS   DRIVER    SESTAT
    ------------------------------------------------------------------------------------------------------
    0f           CEX8A  Accelerator online        0       0     14     08 -MC-A-NF-   cex4card  -
    0f.0014      CEX8A  Accelerator online        0       0     14     08 -MC-A-NF-   cex4queue unbound
    
    AP queues that are available for binding are marked unbound.
    SESTAT can show the following states:
    • usable - the AP queue can be used for cryptographic requests.
    • bound - the AP queue is bound but not associated.
    • unbound - the AP queue is unbound and must be bound to this secure-execution guest before it can be used.
    • illicit - the AP queue is not available for this secure-execution guest.
  2. To bind an AP queue to the guest, issue a command of the following form:
    [secguest]: chzcrypt --se-bind <aa.dddd>
    where <aa> is the adapter ID of the cryptographic device and <dddd> is the domain.
    For example, to bind the unbound AP queue 0f.0014 to the secure-execution guest, issue:
    [secguest]: chzcrypt --se-bind 0f.0014
  3. Optionally confirm that the AP queue is now bound and usable.
    Use the lszcrypt command again to check that the status of the AP queue is now usable.
    For example:
    [secguest]: lszcrypt -V
    CARD.DOMAIN  TYPE   MODE        STATUS   REQ... PENDING HWTYPE QDEPTH FUNCTIONS   DRIVER    SESTAT
    --------------------------------------------------------------------------------------------------------
    0f           CEX8A  Accelerator online        0       0     14     08 -MC-A-N-F-  cex4card  -
    0f.0014      CEX8A  Accelerator online        0       0     14     08 -MC-A-N-F-  cex4queue usable

Results

After successfully binding an accelerator AP queue, you can use it to send requests and receive replies for clear key cryptography. The AP queue is now exclusively available to the secure guest. Other operating systems, including that of the KVM host, cannot access the AP queue. However, the KVM host can, when needed, reset the cryptographic resource. If that happens, the AP queue becomes unbound in the secure guest, and any further cryptographic requests from the secure guest fail until the queue is bound again.
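The following health check is an added example and is not part of this documentation or of the s390-tools package. It parses lszcrypt -V output in the format shown in the procedure above, maps the SESTAT states from step 1 to exit codes, and so lets a secure guest detect the situation described under Results, where a host reset has left the queue unbound. The environment variable LSZCRYPT_OUTPUT and the sample output are assumptions of the example; the sample is constructed, not captured from a system.

```shell
#!/bin/sh
# Health check for a bound accelerator AP queue on a secure-execution guest.
# Added example; not from the documentation or from s390-tools.

# queue_sestat QUEUE: read "lszcrypt -V" output on stdin and print the SESTAT
# column (last field) of the line for QUEUE, or "missing" if there is none.
queue_sestat() {
    awk -v q="$1" '$1 == q { print $NF; found = 1 }
                   END { if (!found) print "missing" }'
}

# sestat_rc STATE: exit status for monitoring. 0 = usable, 1 = the queue exists
# but must (re)bind (bound/unbound), 2 = not available here (illicit/missing).
sestat_rc() {
    case "$1" in
        usable)        return 0 ;;
        bound|unbound) return 1 ;;
        *)             return 2 ;;
    esac
}

# check_queue QUEUE: run lszcrypt -V, or parse $LSZCRYPT_OUTPUT when that
# variable is set (assumed name, so the check runs without a Crypto Express
# adapter), print a one-line verdict and return the sestat_rc status.
check_queue() {
    if [ -n "${LSZCRYPT_OUTPUT:-}" ]; then
        st=$(printf '%s\n' "$LSZCRYPT_OUTPUT" | queue_sestat "$1")
    else
        st=$(lszcrypt -V | queue_sestat "$1")
    fi
    case "$st" in
        usable)  echo "$1: usable" ;;
        unbound) echo "$1: unbound - rebind with: chzcrypt --se-bind $1" ;;
        bound)   echo "$1: bound but not yet usable" ;;
        *)       echo "$1: $st - not available to this secure guest" ;;
    esac
    sestat_rc "$st"
}

# Constructed sample in the lszcrypt -V format (not captured from a system).
SAMPLE_UNBOUND='CARD.DOMAIN  TYPE   MODE        STATUS   REQ... PENDING HWTYPE QDEPTH FUNCTIONS   DRIVER    SESTAT
0f           CEX8A  Accelerator online        0       0     14     08 -MC-A-NF-   cex4card  -
0f.0014      CEX8A  Accelerator online        0       0     14     08 -MC-A-NF-   cex4queue unbound'

# Stand-alone run: use the real lszcrypt if present, otherwise the sample.
command -v lszcrypt >/dev/null 2>&1 || LSZCRYPT_OUTPUT="$SAMPLE_UNBOUND"
check_queue 0f.0014 || true
```

Run it from cron or a monitoring agent on the secure guest; exit status 1 means the queue needs chzcrypt --se-bind again, 2 means it is not available to this guest at all.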

What to do next

You can unbind the AP queue from the guest by using the chzcrypt command with the --se-unbind option.
For example, to unbind AP queue 0f.0014, issue:
[secguest]: chzcrypt --se-unbind 0f.0014