Cryptographic features
This appendix briefly describes the optional Peripheral Component Interconnect Express (PCIe) cryptographic features of IBM Z platforms. It includes the following topics:
Overview
Public-Key Cryptography Standards (PKCS) #11¹ and the IBM Common Cryptographic Architecture (CCA) define various cryptographic functions, external interfaces, and a set of key cryptographic algorithms. These specifications provide a consistent, end-to-end cryptographic architecture across the IBM z/OS, IBM AIX®, and IBM i (formerly i5/OS) operating systems and other platforms, including Linux and Microsoft Windows.
The following cryptographic external interfaces are part of the IBM Z environment:
Central Processor Assist for Cryptographic Function (CPACF, also called CP Assist). CPACF offers a set of symmetric cryptographic functions for high-performance encryption and decryption with clear keys, that is, keys that are present in host memory and visible to the operating system. This interface is intended for Secure Sockets Layer/Transport Layer Security (SSL/TLS), VPN, and data storage applications that do not require US Federal Information Processing Standard (FIPS²) 140-2 Level 4 security. The CP Assist for Cryptographic Function is integrated with the compression unit in the coprocessor in the core of the IBM Z processor.
Each coprocessor in an IBM Z platform consists of one compression (and expansion) unit, one cryptographic cipher engine, and one cryptographic hash engine. The cryptographic engine is embedded in each processing unit (PU core) of the IBM Z PU chip. On IBM Z platforms before the zEC12, this duty was shared between two processing units (cores).
For z13 and z13s, the coprocessor (COP) was redesigned to support simultaneous multithreading (SMT) operation. To increase throughput, the z14 COP was further developed so that the coprocessor results are now stored directly in the L1 cache of the core. Figure A-1 compares the logical flow of the coprocessor on the chip for z13, z13s, z14, and z14 ZR1.
Figure A-1 Compression and cryptography accelerators on a core in the chip
Crypto Express features are optional and available in different generations. All Crypto Express features can be configured during installation as either a secure coprocessor or an accelerator. The type of the Crypto Express feature can be changed after installation from the initial mode in a disruptive process.
The support of the different generations of Crypto Express features depends on the IBM Z server generation.
Crypto Express features provide a secure hardware and programming environment for cryptographic processes. Each cryptographic coprocessor includes a general-purpose processor, non-volatile storage, and specialized cryptographic electronics.
The cryptographic coprocessor functions are supported by the Integrated Cryptographic Service Facility, a component of the z/OS operating system, and by the IBM Common Cryptographic Architecture Support Program for Linux on IBM Z.
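The distinction drawn above, clear-key CPACF in the core versus secure-key Crypto Express adapters whose mode (CCA coprocessor, EP11 coprocessor, or accelerator) decides which functions are available, can be checked from Linux on IBM Z. The following POSIX shell script is an added example, not code from the Redbook or from IBM; it assumes that /proc/cpuinfo on s390x carries a "features" line in which the msa flag (Message-Security-Assist) means CPACF is present, and that the lszcrypt tool from s390-tools prints one row per adapter or adapter.domain with the columns CARD.DOMAIN TYPE MODE STATUS and a MODE value of CCA-Coproc, EP11-Coproc, or Accelerator. The sample texts embedded in the script are constructed for the example so that it runs offline.

```shell
#!/bin/sh
# Added example (not from the Redbook): classify the crypto hardware that a
# Linux on IBM Z system exposes, using only text the kernel and s390-tools
# already print. Feed real data with:
#   cpacf_available < /proc/cpuinfo
#   lszcrypt | crypto_mode_summary
# Assumptions, not stated on the page: the "msa" flag in the cpuinfo features
# line means CPACF is present; lszcrypt rows are "CARD[.DOMAIN] TYPE MODE
# STATUS ..." with MODE in {CCA-Coproc, EP11-Coproc, Accelerator}.

# cpacf_available: read cpuinfo text on stdin; print "yes" when the msa flag
# is present (clear-key symmetric functions usable in the core), else "no".
cpacf_available() {
    awk '
        $1 == "features" { for (i = 3; i <= NF; i++) if ($i == "msa") found = 1 }
        END { print (found ? "yes" : "no") }'
}

# crypto_mode_summary: read lszcrypt output on stdin and count card-level
# rows (CARD only, no ".DOMAIN" suffix) per configured mode. Offline cards
# are counted separately because they serve no requests regardless of mode.
crypto_mode_summary() {
    awk '
        $1 ~ /^[0-9A-Fa-f]+$/ {
            if ($4 != "online")             offline++
            else if ($3 == "CCA-Coproc")    cca++
            else if ($3 == "EP11-Coproc")   ep11++
            else if ($3 == "Accelerator")   acc++
        }
        END { printf "cca=%d ep11=%d accel=%d offline=%d\n", cca, ep11, acc, offline }'
}

# secure_key_ready: print "yes" if at least one online adapter runs in a
# coprocessor mode (CCA or EP11). Only those modes keep key material inside
# the tamper-responding module; an accelerator-only machine can still do
# clear-key RSA/TLS offload but no secure-key operations.
secure_key_ready() {
    awk '
        $1 ~ /^[0-9A-Fa-f]+$/ && $4 == "online" &&
        ($3 == "CCA-Coproc" || $3 == "EP11-Coproc") { n++ }
        END { print (n ? "yes" : "no") }'
}

# Constructed sample input (shape of s390x /proc/cpuinfo; values invented).
SAMPLE_CPUINFO='vendor_id       : IBM/S390
# processors    : 4
bogomips per cpu: 3241.00
max thread id   : 1
features        : esan3 zarch stfle msa ldisp eimm dfp edat etf3eh highgprs te vx sie
'

# Constructed sample input in the assumed lszcrypt layout: one CEX6C, one
# CEX6P, one CEX6A online, and one carried-forward CEX5C taken offline.
SAMPLE_LSZCRYPT='CARD.DOMAIN TYPE  MODE        STATUS  REQUESTS
----------------------------------------------
00          CEX6C CCA-Coproc  online  128
00.0013     CEX6C CCA-Coproc  online  128
01          CEX6P EP11-Coproc online  0
01.0013     CEX6P EP11-Coproc online  0
02          CEX6A Accelerator online  40211
02.0013     CEX6A Accelerator online  40211
03          CEX5C CCA-Coproc  offline 0
'

# Stand-alone demonstration on the constructed samples.
printf 'CPACF available: %s\n' "$(printf '%s\n' "$SAMPLE_CPUINFO" | cpacf_available)"
printf 'Crypto Express:  %s\n' "$(printf '%s\n' "$SAMPLE_LSZCRYPT" | crypto_mode_summary)"
printf 'Secure key ready: %s\n' "$(printf '%s\n' "$SAMPLE_LSZCRYPT" | secure_key_ready)"
```

The card-level filter matters: lszcrypt lists every adapter.domain pair assigned to the partition, so counting all rows would multiply each adapter by the number of domains it is exposed to. On a real system, compare the summary with the mode expected from the Support Element configuration; a coprocessor that is unexpectedly reported as an accelerator has lost its secure-key role.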
Crypto Express6S
The Crypto Express6S feature is supported only on the z14. It has the following characteristics:
It occupies one I/O slot in the PCIe I/O drawer.
It has one PCIe adapter, with one PCHID assigned to it according to its physical location in the PCIe I/O drawer.
On a z14 each Crypto Express6S PCIe adapter can be configured in one of the following modes:
 – Secure IBM CCA coprocessor (CEX6C), designed for FIPS 140-2 Level 4 certification. This mode includes secure key functions. The Crypto Express6S supports user-defined extensions (UDX), which you can use to define and load customized cryptographic functions.
 – Secure IBM Enterprise PKCS #11 (EP11) coprocessor (CEX6P) implements an industry-standardized set of services that adhere to the PKCS #11 specification v2.20.
This cryptographic coprocessor mode introduced the PKCS #11 secure key function.
A Trusted Key Entry (TKE) workstation is required to support the administration of the Crypto Express6S when it is configured in EP11 mode.
 – Accelerator (CEX6A) for acceleration of public key and private key cryptographic operations that are used with SSL/TLS processing.
These modes can be configured by using the Support Element. The PCIe adapter must be configured offline to change the mode.
 
Note: When the Crypto Express6S PCIe adapter is configured as a secure IBM CCA coprocessor, it still provides accelerator functions. However, you can achieve up to three times better performance for those functions if the Crypto Express6S PCIe adapter is configured as an accelerator.
Up to 16 Crypto Express6S features are supported (16 PCIe adapters per z14).
The Crypto Express6S adapters support up to 85 domains for logical partitions on z14 and up to 40 domains on z14 ZR1.
Under z/VM, the same limits apply to logical partitions or z/VM guests: up to 85 domains on z14 and up to 40 domains on z14 ZR1. This enhancement is based on the Adjunct Processor Extended Addressing (APXA) facility, which enables the z/Architecture to support up to 256 domains in an Adjunct Processor (AP).
Crypto Express5S
The Crypto Express5S feature is supported on the z14 and z14 ZR1 (carry forward only), and also z13 and z13s. It has the following characteristics:
It occupies one I/O slot in the PCIe I/O drawer.
It has one PCIe adapter, with one PCHID assigned to it according to its physical location in the PCIe I/O drawer.
On a z14 and z14 ZR1 (carry forward only), and also z13 or z13s, each Crypto Express5S PCIe adapter can be configured in one of the following modes:
 – Secure IBM CCA coprocessor (CEX5C), designed for FIPS 140-2 Level 4 certification. This mode includes secure key functions. The Crypto Express5S supports UDX, which you can use to define and load customized cryptographic functions.
 – Secure IBM Enterprise PKCS #11 (EP11) coprocessor (CEX5P) implements an industry-standardized set of services that adhere to the PKCS #11 specification v2.20.
This cryptographic coprocessor mode introduced the PKCS #11 secure key function.
A TKE workstation is required to support the administration of the Crypto Express5S when it is configured in EP11 mode.
 – Accelerator (CEX5A) for acceleration of public key and private key cryptographic operations that are used with SSL/TLS processing.
These modes can be configured by using the Support Element. The PCIe adapter must be configured offline to change the mode.
 
Note: When the Crypto Express5S PCIe adapter is configured as a secure IBM CCA coprocessor, it still provides accelerator functions. However, you can achieve up to three times better performance for those functions if the Crypto Express5S PCIe adapter is configured as an accelerator.
Up to 16 Crypto Express5S features are supported per z14, z14 ZR1, z13, or z13s.
The Crypto Express5S adapters support up to 85 domains on z14 and z13, and 40 domains on z14 ZR1 and z13s.
Starting with z13, up to 85 domains (up to 40 for z13s) for logical partitions or z/VM guests are supported. This enhancement is based on the APXA facility, which enables the z/Architecture to support up to 256 domains in an AP.
Crypto Express4S
The Crypto Express4S feature is supported on the zEC12 and zBC12. It has the following characteristics:
It occupies one I/O slot in the PCIe I/O drawer.
It has one PCIe adapter, with one PCHID assigned to it according to its physical location in the PCIe I/O drawer.
On the zEC12 and zBC12, each Crypto Express4S PCIe adapter can be configured in one of the following modes:
 – Secure IBM CCA coprocessor (CEX4C), designed for FIPS 140-2 Level 4 certification. This mode includes secure key functions. The Crypto Express4S supports UDX, which you can use to define and load customized cryptographic functions.
 – Secure IBM Enterprise PKCS #11 (EP11) coprocessor (CEX4P) implements an industry-standardized set of services that adhere to the PKCS #11 specification v2.20 and more recent amendments. It was designed for extended FIPS and Common Criteria evaluations to meet public sector requirements.
This new cryptographic coprocessor mode introduced the PKCS #11 secure key function.
A TKE workstation is required to support the administration of the Crypto Express4S when it is configured in EP11 mode.
 – Accelerator (CEX4A) for acceleration of public key and private key cryptographic operations that are used with SSL/TLS processing.
These modes can be configured by using the Support Element. The PCIe adapter must be configured offline to change the mode.
 
Note: When the Crypto Express4S PCIe adapter is configured as a secure IBM CCA coprocessor, it still provides accelerator functions. However, you can achieve up to three times better performance for those functions if the Crypto Express4S PCIe adapter is configured as an accelerator.
Up to 16 Crypto Express4S features are supported.
Crypto Express3
The Crypto Express3 feature is supported on zEC12 and zBC12 servers. It is available on a carry-forward only basis when you are upgrading from earlier generations to zEC12 and zBC12. Crypto Express3 has the following characteristics:
The Crypto Express3 feature occupies one I/O slot in an I/O cage or in an I/O drawer.
The Crypto Express3 feature has two PCIe adapters³, with two PCHIDs assigned to it according to its physical location in the I/O cage or I/O drawer.
There is no need to define a CHPID for the Crypto Express3 feature in the HCD/IOCP.
Do not allow a Crypto Express3-associated PCHID to be used by another device in the HCD/IOCP definition.
On IBM Z platforms, each Crypto Express3 PCIe adapter can be configured in one of the following modes:
 – Secure coprocessor, designed for FIPS 140-2 Level 4 certification. This mode includes secure key functions. You have the option to program it to deploy additional functions and algorithms by using a UDX.
 – Accelerator for public key and private key cryptographic operations that are used with SSL/TLS processing.
These modes can be configured by using the Support Element. The PCIe adapter must be configured offline to change the mode.
 
Note: When the Crypto Express3 PCIe adapter is configured as a secure coprocessor, it still provides accelerator functions. However, you can achieve up to three times better performance for those functions if the Crypto Express3 PCIe adapter is configured as an accelerator.
Up to eight Crypto Express3 features (16 PCIe adapters) are supported for zEC12 or zBC12 CPCs.
Up to eight Crypto Express3-1P features (eight PCIe adapters) are supported for each IBM zEnterprise BC12 (zBC12).
 
Note: The Crypto Express3-1P feature is exclusive to the zBC12, and the features can be ordered only through a Miscellaneous Equipment Specification (MES) upgrade.
References
For more information, see the following publications:
IBM z14 Technical Introduction, SG24-8450
IBM z14 Configuration Setup, SG24-8460
IBM z13 and IBM z13s Technical Introduction, SG24-8250
IBM z13 Technical Guide, SG24-8251
IBM z13s Technical Guide, SG24-8294
IBM z13 Configuration Setup, SG24-8260
IBM zEnterprise System Technical Introduction, SG24-8050
IBM zEnterprise EC12 Technical Guide, SG24-8049
IBM zEnterprise BC12 Technical Guide, SG24-8138
IBM zEnterprise EC12 Configuration Setup, SG24-8034

1 One of the industry-accepted Public-Key Cryptography Standards (PKCS) originally published by RSA Laboratories, the security division of RSA (now part of Dell EMC Corporation).
2 Federal Information Processing Standard (FIPS) 140-2, Security Requirements for Cryptographic Modules.
3 The Crypto Express3-1P feature has one PCIe adapter and just one associated physical channel ID (PCHID).