Do not be so sure that the crypto cards will help with CPU over CPACF. It depends upon what the vendor is doing.
For SSL and communications things, the crypto cards help. For symmetric ciphering, CPACF is an order of magnitude faster. Go check the white papers at IBM for details. Remember the crypto cards are on the I/O bus and not directly part of the CPU like CPACF. So they have slightly higher overhead to get to them. In addition, IBM has never documented how to access the crypto cards directly so the only way there is through ICSF. That also slows things down. A program can access CPACF directly to do ciphering. The program does need to protect the keys itself instead of relying on the crypto cards/ICSF/trusted key workstation to protect them. Lloyd --- On Wed, 12/9/09, Gentry, Stephen <stephen.gen...@lafayettelife.com> wrote: > From: Gentry, Stephen <stephen.gen...@lafayettelife.com> > Subject: Re: CPACF and z/VM > To: IBMVM@LISTSERV.UARK.EDU > Date: Wednesday, December 9, 2009, 8:40 AM > Alan, thanks for the clarifications, > the code and enduring my questions. > With regards to the Q CRYPTO: One of the IBM manual alludes > to the > result not always being consistent if no crypto card is > installed and > CPACF is installed. (I don't remember which manual, I've > looked at quite > a few regarding this over the past few days). > After all of this I can comfortably say that, yes, CPACF is > activated. > Now, it's back to the vendor to work out the run times. I > also realize > that a crypto card would help this job run faster. > The CPACF less so. > However 13 hours for a normal 30 minute job . . . > Again, thanks. > Steve > > -----Original Message----- > From: The IBM z/VM Operating System [mailto:ib...@listserv.uark.edu] > On > Behalf Of Alan Altmark > Sent: Tuesday, December 08, 2009 5:06 PM > To: IBMVM@LISTSERV.UARK.EDU > Subject: Re: CPACF and z/VM > > On Monday, 12/07/2009 at 02:19 EST, "Gentry, Stephen" > <stephen.gen...@lafayettelife.com> > wrote: > > Hmm, interesting comment, have I re-IPL'd. The > z9 was shipped with > the > > feature code. We've had it for quite a while and have > IPL'd numerous > > times. This then leads me to believe that I have > to do something in > the > > LPAR definition on the HMC? I have looked at the > activation profile > for > > our LPAR and there is a CRYPTO link. Clicking on that, > I see that no > > boxes are checked. This is where the doc get's > confusing. Am I > > supposed to check mark some boxes if I have CPACF? The > way the doc > > reads, leads me to think you only use these options if > you have the > full > > blown crypto card installed in the box. That > being said, where can I > > find some doc. etc. that more or less gives a step by > step walk > through > > of what to do? > > Ignore what I said before. I did more research: > > - If the CPC Details window shows "CP Assist for Crypto > Functions > [CPACF]: > Installed" then CPACF is installed. I believe POR is > required if the > feature is installed after delivery, so if the machine is > up, the > instructions are available. > > - If CPACF is not installed, QUERY CRYPTO will display "No > CAM or DAC > Crypto Facilities are installed". [Don't ask.] > > - Any other response to QUERY CRYPTO indicates CPACF is > installed. > > > > The results I get when I issue a QUERY CRYPTO > command: > > > q crypto > > > Crypto Adjunct Processor Instructions are not > installed > > > Ready; > > So you have CPACF installed and this jives with the guest's > report. > > > The guest reports that CRYPTO hardware assist is > available. But I > don't > > know how/what it is checking. Is it checking for > the feature? Yes, > > that's installed. Is it active for the LPAR? I > don't know, I don't > > think so (depends on your reply to the LPAR question > above.) > > So now you have to figure out why the guest is taking so > long. "What > changed?" > > Here is a program to tell you if CPACF is installed. > Note that the > instructions are part of an architectural group called > "Message Security > > Assist". CPACF is the name given to implementation, > not the > architecture. > > * a) VMFHLASM QCPACF DMSVM > * b) LOAD QCPACF (RLDSAVE > * c) GENMOD > QCPACF CSECT > USING *,R12 > LR > R12,R15 > LR > R10,R14 > > LHI R0,1 > # dwords > XC > STFLEBUF,STFLEBUF > STFLE STFLEBUF > TM > STFLEBUF+2,X'40' MSA? > BZ > NOMSA > APPLMSG TEXT='CPACF > is installed' > > SLR R15,R15 > BR R10 > NOMSA DS 0H > APPLMSG TEXT='CPACF > is not installed' > > LHI R15,1 > BR R10 > > STFLEBUF DS D > REGEQU > > END QCPACF > > > Alan Altmark > z/VM Development > IBM Endicott >
