EP11 Token
==========

The EP11 token is a token that uses the IBM Crypto Express adapters (starting
with Crypto Express 4S adapters) configured with Enterprise PKCS#11 (EP11)
firmware. By convention, Crypto Express n adapters with that firmware load are
also called CEXnP adapters for n >= 4.

The EP11 token is only supported on the System z architecture and requires a
Crypto Express adapter with EP11 firmware load, a zcrypt/ap device driver loaded
into the kernel and the availability of EP11 library libep11.

The token directory of the EP11 token is opencryptoki/ep11tok typically located
in /var/lib.

There is a new possibility to configure multiple EP11 tokens.
Thus dedicated adapter/domains can be assigned to different tokens respectively
applications. That ensures data isolation between multiple applications.

Configuration
-------------

To use the EP11 token a slot entry must be defined in the general openCryptoki
configuration file that sets the stdll attribute to libpkcs11_ep11.so.

A EP11 token specific configuration file must be set up to define the target
adapters and target adapter domains. The name of the configuration file must be
defined in the global openCryptoki configuration opencryptoki.conf file as part
of the token specification using the confname attribute. In case of using
multiple ep11 tokens a token directory name must be specified for each token
using the tokname attribute.
E.g.

slot 4
{
stdll = libpkcs11_ep11.so
confname = ep11tok01.conf
tokname = ep11token01
}

slot 5
{
stdll = libpkcs11_ep11.so
confname = ep11tok02.conf
tokname = ep11token02
}

The sample entry define the name of the configuration files of the EP11 token
to be e.g. ep11tok01.conf. Per default this file is searched in the directory
where openCryptoki searches its global configuration file. This default path
can be overriden using the OCK_EP11_TOKEN_DIR environment variable.

The tokname attribute specifies the name of the individual token directory.
Typically it's located in /var/lib/opencryptoki/. Each token directory contain
it's own token individual objects that are separated from other ep11 tokens.

EP11 token configuration files defines a list of adapter/domain pairs to which
the EP11 token sends its cryptographic requests. This list can be specified as a
white list starting with a line containing the key word APQN_WHITELIST followed
by one or more lines containing each two integers (in the range of 0 - 255)
separated by a white space. The white list is ended with a line containing the
key word END. In each of lines of the white list the first integer denotes the
adapter number and the second integer denotes the domain id. Alternatively the
keyword APQN_ANY can be used to define that all adapter/domain pairs with EP11
firmware load that are available to the system shall be used as target adapters.
An adapter number corresponds to the numerical part xx of an adapter id of the
form cardxx as displayed by the lszcrypt tool or in the sys file system (e.g. in
/sys/bus/ap/devices).  Currently Linux on z only supports a single domain. That
domain number can be displayed with lszcrypt -b (see the value of ap_domain) or
alternatively as contents of /sys/bus/ap/ap_domain.

Crypto Express Adapter EP11 Master Key Management
-------------------------------------------------

If master keys are changed on an EP11 adapter all key objects in the token
object repository (in the TOK_OBJ directory within the EP11 token directory)
become invalid.

The key migration tool pkcsep11_migrate can be used to perform the migration of
the current EP11 master keys to new master keys. Therefore the following steps
must be performed:
1) On the Trusted Key Entry console (TKE): Submit and commit new master keys on
the EP11 adapter(s).
2) On Linux: Stop all processes using openCryptoki with the EP11 token.
3) On Linux: Back up the token object repository of the EP11 token.
4) On Linux: Migrate keys of object repository of EP11 token with migration
tool. If a failure occurs restore the backed up token repository and retry step
4.
5) On the TKE: Activate new master keys on the EP11 adapter(s).
6) On Linux: Restart applications using openCryptoki with the EP11 token.

Token specifics
---------------

The EP11 token only supports secure keys (i.e. key wrapped by a master key of
the Crypto Express adapter). Therefore all keys must have the attribute
CKA_SENSITIVE set to CK_TRUE. Since the PKCS#11 standard does not define a
(token specific) default for secret keys the attribute must be explicitly
provided whenever a secret key is generated, unwrapped or build with
C_CreateObject. In addition all keys used with the EP11 token are extractable.
i.e. they must have the attribute CKA_EXTRACTABLE set to CK_TRUE.

When creating keys the default values of the attributes CKA_ENCRYPT,
CKA_DECRYPT, CKA_VERYFY, CKA_SIGN, CKA_WRAP and CKA_UNWRAP are CK_TRUE. Note, no
EP11 mechanism supports the Sign/Recover or Verify/Recover functions.

All RSA key must have a public exponent (CKA_PUBLIC_EXPONENT) greater than or
equal to 17.

The CryptoExpress EP11 coprocessor restricts RSA keys (primes and moduli)
according to ANSI X9.31. Therefore in the EP11 token the lengths of the RSA
primes (p or q) must be a multiple of 128 bits and the length of the modulus
(CKA_MODULUS_BITS) must be a multiple of 256.

The mechanisms CKM_DES3_CBC and CKM_AES_CBC can only wrap keys which have a
length that is a multiple of the block size of DES3 or AES respectively.

See the mechanism list and mechanism info (pkcsconf -m) for supported mechanisms
together with supported functions and key sizes. Note the supported mechanism
list is currently fix and matches the most stringent setting of the Crypto
Express adapter.

Note, the EP11 coprocessor adapter can be configured to restrict the
cryptographic capabilities in order for the adapter to comply with specific
security requirements and regulations. Such restrictions on the adapter impact
the capabilitiy of the EP11 token.