EP11 Token

==========

The EP11 token is a token that uses the IBM Crypto Express adapters (starting

with Crypto Express 4S adapters) configured with Enterprise PKCS#11 (EP11)

firmware. By convention, Crypto Express n adapters with that firmware load are

also called CEXnP adapters for n >= 4.

The EP11 token is only supported on the System z architecture and requires a

Crypto Express adapter with EP11 firmware load, a zcrypt/ap device driver loaded

into the kernel and the availability of EP11 library libep11.

The token directory of the EP11 token is opencryptoki/ep11tok typically located

in /var/lib.

There is a new possibility to configure multiple EP11 tokens.

Thus dedicated adapter/domains can be assigned to different tokens respectively

applications. That ensures data isolation between multiple applications.

Configuration

-------------

To use the EP11 token a slot entry must be defined in the general openCryptoki

configuration file that sets the stdll attribute to libpkcs11_ep11.so.

A EP11 token specific configuration file must be set up to define the target

adapters and target adapter domains. The name of the configuration file must be

defined in the global openCryptoki configuration opencryptoki.conf file as part

of the token specification using the confname attribute. In case of using

multiple ep11 tokens a token directory name must be specified for each token

using the tokname attribute.

E.g.

slot 4

{

stdll = libpkcs11_ep11.so

confname = ep11tok01.conf

tokname = ep11token01

}

slot 5

{

stdll = libpkcs11_ep11.so

confname = ep11tok02.conf

tokname = ep11token02

}

The sample entry define the name of the configuration files of the EP11 token

to be e.g. ep11tok01.conf. Per default this file is searched in the directory

where openCryptoki searches its global configuration file. This default path

can be overriden using the OCK_EP11_TOKEN_DIR environment variable.

The tokname attribute specifies the name of the individual token directory.

Typically it's located in /var/lib/opencryptoki/. Each token directory contain

it's own token individual objects that are separated from other ep11 tokens.

EP11 token configuration files defines a list of adapter/domain pairs to which

the EP11 token sends its cryptographic requests. This list can be specified as a

white list starting with a line containing the key word APQN_WHITELIST followed

by one or more lines containing each two integers (in the range of 0 - 255)

separated by a white space. The white list is ended with a line containing the

key word END. In each of lines of the white list the first integer denotes the

adapter number and the second integer denotes the domain id. Alternatively the

keyword APQN_ANY can be used to define that all adapter/domain pairs with EP11

firmware load that are available to the system shall be used as target adapters.

An adapter number corresponds to the numerical part xx of an adapter id of the

form cardxx as displayed by the lszcrypt tool or in the sys file system (e.g. in

/sys/bus/ap/devices).  Currently Linux on z only supports a single domain. That

domain number can be displayed with lszcrypt -b (see the value of ap_domain) or

alternatively as contents of /sys/bus/ap/ap_domain.

Crypto Express Adapter EP11 Master Key Management

-------------------------------------------------

If master keys are changed on an EP11 adapter all key objects in the token

object repository (in the TOK_OBJ directory within the EP11 token directory)

become invalid.

The key migration tool pkcsep11_migrate can be used to perform the migration of

the current EP11 master keys to new master keys. Therefore the following steps

must be performed:

1) On the Trusted Key Entry console (TKE): Submit and commit new master keys on

the EP11 adapter(s).

2) On Linux: Stop all processes using openCryptoki with the EP11 token.

3) On Linux: Back up the token object repository of the EP11 token.

4) On Linux: Migrate keys of object repository of EP11 token with migration

tool. If a failure occurs restore the backed up token repository and retry step

4.

5) On the TKE: Activate new master keys on the EP11 adapter(s).

6) On Linux: Restart applications using openCryptoki with the EP11 token.

Token specifics

---------------

The EP11 token only supports secure keys (i.e. key wrapped by a master key of

the Crypto Express adapter). Therefore all keys must have the attribute

CKA_SENSITIVE set to CK_TRUE. Since the PKCS#11 standard does not define a

(token specific) default for secret keys the attribute must be explicitly

provided whenever a secret key is generated, unwrapped or build with

C_CreateObject. In addition all keys used with the EP11 token are extractable.

i.e. they must have the attribute CKA_EXTRACTABLE set to CK_TRUE.

When creating keys the default values of the attributes CKA_ENCRYPT,

CKA_DECRYPT, CKA_VERYFY, CKA_SIGN, CKA_WRAP and CKA_UNWRAP are CK_TRUE. Note, no

EP11 mechanism supports the Sign/Recover or Verify/Recover functions.

All RSA key must have a public exponent (CKA_PUBLIC_EXPONENT) greater than or

equal to 17.

The CryptoExpress EP11 coprocessor restricts RSA keys (primes and moduli)

according to ANSI X9.31. Therefore in the EP11 token the lengths of the RSA

primes (p or q) must be a multiple of 128 bits and the length of the modulus

(CKA_MODULUS_BITS) must be a multiple of 256.

The mechanisms CKM_DES3_CBC and CKM_AES_CBC can only wrap keys which have a

length that is a multiple of the block size of DES3 or AES respectively.

See the mechanism list and mechanism info (pkcsconf -m) for supported mechanisms

together with supported functions and key sizes. Note the supported mechanism

list is currently fix and matches the most stringent setting of the Crypto

Express adapter.

Note, the EP11 coprocessor adapter can be configured to restrict the

cryptographic capabilities in order for the adapter to comply with specific

security requirements and regulations. Such restrictions on the adapter impact

the capabilitiy of the EP11 token.