On 22/08/2018 11:42, Cornelia Huck wrote:
On Wed, 22 Aug 2018 01:18:20 +0200
Halil Pasic <pasic@xxxxxxxxxxxxx> wrote:
On 08/21/2018 07:07 PM, Tony Krowiak wrote:
This convention has been enforced by the kernel since v1. This is also
enforced by both the LPAR as well as in z/VM. The following is from the
PR/SM Planning Guide:
Control Domain
A logical partition's control domains are those cryptographic domains for which remote secure
administration functions can be established and administered from this logical partition. This
logical partition’s control domains must include its usage domains. For each index selected in the
usage domain index list, you must select the same index in the control domain index list
That's interesting.
IMHO this quote is quite a half-full half-empty cup one:
* it mandates the set of usage domains is a subset of the set
of the control domains, but
* it speaks of independent controls, namely about the 'usage domain index'
and the 'control domain index list' and makes the enforcement of the rule
a job of the administrator (instead of codifying it in the controls).
I'm wondering if a configuration with a usage domain that is not also a
control domain is rejected outright? Anybody tried that? :)
Yes, and no it is not.
We can use a queue (usage domain) to a AP card for SHA-512 or RSA without
having to define the queue as a control domain.
Regards,
Pierre
--
Pierre Morel
Linux/KVM/QEMU in Böblingen - Germany