Cross posted to Linux-390 and IBMVM
First, my understand of virtualizing crypto is that if any of the cards are defined as accelerators then CRYPTO APVIRT in the directory will give linux an accelerator. If you want linux to have a coprocessor, you’d have to dedicate one. If you want a lot of servers to have coprocessors (more than the HW cards to dedicate), you’d get rid of the accelerators and make them all coprocessors. Is my understanding correct? And to do the AES master key load, it has generally been done from z/OS here. It looks like for my z/vm only boxes TKE is required, but I could use the CCA package to generate some for a test only scenario. If I do want to try that CCA key load on a non prod box, I’m thinking I would have to dedicate all of the coprocessors to a Linux guest and create them there. Then undedicate and then any guest with an APVIRT would find valid master keys and would then be able to “zkey generate” a secure key for use in each disk. Am I on the right track? Marcy -- Marcy ---------------------------------------------------------------------- For LINUX-390 subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO LINUX-390 or visit http://www2.marist.edu/htbin/wlvindex?LINUX-390
