IBM Support

IBM AIX: How to check skeyctl setting

How To


Summary

The skeyctl command is a privileged command used on a system that supports storage protection keys. The skeyctl command can change the number of user-space storage keys, disable user-space storage keys, enable or disable the kernel storage key state, and display the default, current, and next-boot storage key attributes. This document shows how to use skeyctl to view and change settings related to storage keys.

Objective

1. Show "skeyctl" command usage.
2. Check Storage Key attributes for the current and next boot sessions.
3. Check "skey_kmode" in memory and in the ODM.
4. Change the storage_key_kmode value in the ODM.

Steps

We can use skeyctl to view and change settings related to storage keys.
a) Command usage
# skeyctl -? or skeyctl -help
Usage: skeyctl [-D] 
       skeyctl [-h <nhkeys>] [-u <nukeys>/off] [-k on/off/default] [-x kkey ]
       skeyctl [-v [now|default|boot]
               where:
                       -h <nhkeys>   # number of hardware keys (0, 2-31)
                       -u <nukeys>   # number of user keys (2 - max. no. of hardware keys)
                       -u off        # disable user keys
                       -k on/off     # enable/disable kernel keys
                       -k default    # set default kernel key state
                       -x <kkey>     # kernel key mapped exclusively
                                       to a hardware key
                       -D            # use defaults
                       -v now        # view current settings
                       -v default    # view defaults
                       -v boot       # view settings for next boot
b) Check the current settings for "skeyctl"
> skeyctl -v now
Storage Key attributes for current boot session:
        Max. number of hardware keys         = 8
        Number of hardware keys enabled      = 8
        Number of user keys                  = 2
        Kernel keys state                    = enabled     <==
        Exclusive kernel key value           = disabled
 
c) Check the "skey_kmode" value in memory
"skeyctl -v now" reads the "skey_kmode" value from memory:
(0)> dw skey_kmode
skey_kmode+000000: 00000001       <== "1" means Kernel keys state is enabled.  
  
d) Next boot session "skeyctl" settings
>skeyctl -v boot
Storage Key attributes for next boot session:
        Max. number of hardware keys         = default
        Number of hardware keys enabled      = default
        Number of user keys                  = default
        Kernel keys state                    = disabled <==
        Exclusive kernel key value           = disabled    
 
e) Check the "storage_key_kmode" value in the ODM
"skeyctl -v boot" reads its value from the ODM:
> odmget -q "attribute = storage_key_kmode" SWservAt
SWservAt:
        attribute = "storage_key_kmode"
        deflt = "-1"
        value = "0"                 
 
f) How to change the "storage_key_kmode" attribute value in the ODM
"skeyctl -k" writes the value to the ODM:
> skeyctl -k on
 
g) Verify the "storage_key_kmode" value in ODM
> odmget -q "attribute = storage_key_kmode" SWservAt
SWservAt:
        attribute = "storage_key_kmode"
        deflt = "-1"
        value = "1"      <==  The value has been changed from "0" to "1"
 
h) Make sure the changes for the "Storage Key attributes" are set for the next boot session
> skeyctl -v boot
Storage Key attributes for next boot session:
        Max. number of hardware keys         = default
        Number of hardware keys enabled      = default
        Number of user keys                  = default
        Kernel keys state                    = enabled  <==
        Exclusive kernel key value           = disabled

i) Run bosboot and reboot
After using "skeyctl -k", we must run bosboot before rebooting so that the value is saved in the kernel image.
The following line appears in /usr/sbin/bosboot:
    zap_var $kmode $sk_kmode $kmode_sz
 
$kmode is skey_kmode, and $sk_kmode is the storage_key_kmode value in SWservAt,
so bosboot uses zap_var to change the skey_kmode variable in the kernel image.
The offset that bosboot uses for this is computed by the following line in bosboot:
     integer -i10 byte_offset=$nm_offset-$vtr_int+$raw_int
 
> nm -X64 /unix | grep skey_kmode
skey_kmode           D    45767764           4
nm prints the address in decimal; 45767764 is 0x2BA5C54, so $nm_offset is 0x2BA5C54.
 
> dump -X64 -h /unix 
/unix:
                        ***Section Header Information***          
                         Section Header for .data   
PHYaddr      VTRaddr     SCTsiz      RAWptr      RELptr
0x02000000  0x02000000  0x00bad9b8  0x009f0288  0x01919ec4
 
So $vtr_int is 0x02000000 (VTRaddr) and $raw_int is 0x009f0288 (RAWptr).
Thus byte_offset is 0x2BA5C54 - 0x02000000 + 0x009f0288 = 0x1595EDC.
 
k) Check the "skey_kmode" value in kernel image
We can check the skey_kmode value in the kernel image:
> lquerypv -h /unix 0x1595EDC 4
01595ED0   00000000 00000000 FFFFFFFF FFFFFFFF  <== default value is -1 
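
The offset arithmetic from steps i) and k) as an added example, not taken from this technote's commands or from bosboot itself. It parses the nm, dump and lquerypv output quoted above (embedded as sample text), checks that skey_kmode lies inside .data before applying the formula, and decodes the stored word; the function names are hypothetical, the lquerypv row layout is assumed from the sample, and the 1/0/-1 meanings are the ones shown in steps c), e) and k).

```sh
#!/bin/sh
# Added example. Sample text is the nm, dump and lquerypv output quoted above.
NM_SAMPLE='skey_kmode           D    45767764           4'
DUMP_SAMPLE='                         Section Header for .data
PHYaddr      VTRaddr     SCTsiz      RAWptr      RELptr
0x02000000  0x02000000  0x00bad9b8  0x009f0288  0x01919ec4'
LQ_SAMPLE='01595ED0   00000000 00000000 FFFFFFFF FFFFFFFF'

# Print "VTRaddr SCTsiz RAWptr" for .data from `dump -X64 -h` text on stdin.
data_section() {
    awk '/Section Header for \.data/ { hit = 1; next }
         hit && $1 ~ /^0x/ { print $2, $3, $4; ok = 1; exit }
         END { if (!ok) exit 1 }'
}

# kmode_offset NM_TEXT DUMP_TEXT: file offset of skey_kmode, in hex.
kmode_offset() {
    addr=$(printf '%s\n' "$1" | awk '$1 == "skey_kmode" { print $3; exit }')
    [ -n "$addr" ] || return 1
    set -- $(printf '%s\n' "$2" | data_section)
    [ $# -eq 3 ] || return 1
    # byte_offset = nm_offset - VTRaddr + RAWptr only holds inside .data.
    [ "$addr" -ge $(($1)) ] && [ "$addr" -lt $(($1 + $2)) ] || return 2
    printf '0x%X\n' $(($addr - $1 + $3))
}

# kmode_word OFFSET LQ_ROW: the 32-bit word at OFFSET in one lquerypv -h row
# (assumed layout, as in the sample: row address, then four words).
kmode_word() {
    row=$(printf '%s\n' "$2" | awk '{ print $1; exit }')
    diff=$(( $1 - 0x$row ))
    [ "$diff" -ge 0 ] && [ "$diff" -lt 16 ] || return 1
    printf '%s\n' "$2" | awk -v f=$((diff / 4 + 2)) '{ print $f; exit }'
}

# kmode_state WORD: meaning of the stored value, per steps c), e) and k).
kmode_state() {
    case $1 in
        FFFFFFFF) echo default ;;
        00000001) echo enabled ;;
        00000000) echo disabled ;;
        *) echo unknown; return 1 ;;
    esac
}

off=$(kmode_offset "$NM_SAMPLE" "$DUMP_SAMPLE") &&
    echo "skey_kmode at $off: $(kmode_state "$(kmode_word "$off" "$LQ_SAMPLE")")"
```

On a live system the three sample strings would be replaced by the output of the nm, dump and lquerypv commands shown above.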

Additional Information

SUPPORT:

If additional assistance is required after completing all of the instructions provided in this document, please follow the step-by-step instructions below to contact IBM to open a case for software under warranty or with an active and valid support contract.  The technical support specialist assigned to your case will confirm that you have completed these steps.

a.  Document and/or take screen shots of all symptoms, errors, and/or messages that might have occurred

b.  Capture any logs or data relevant to the situation.

c.  Contact IBM to open a case:

   -For electronic support, please visit the IBM Support Community:
     https://www.ibm.com/mysupport
   -If you require telephone support, please visit the web page:
      https://www.ibm.com/planetwide/

d.  Provide a good description of your issue and reference this technote

e.  Upload all of the details and data to your case

   -You can attach files to your case in the IBM Support Community
   -Or Upload data to IBM testcase server analysis:

    http://www.ibm.com/support/docview.wss?uid=ibm10733581


Product Synonym

skctl

Document Information

Modified date:
31 May 2019

UID

ibm10886035