zcryptctl - display information about and administer zcrypt multiple device nodes
The zcryptctl command displays information about, and maintains, the
multi device node extension of the zcrypt device driver.
With the multi device node extension you can create and configure
additional zcrypt device nodes that act as alternate entry points to the
crypto hardware provided by the zcrypt device driver. Each such node carries
its own filter that restricts which crypto cards (adapters), domains and
ioctls are reachable through it. A restricted node can therefore serve as the
basis for container solutions such as Docker: the container is handed only
that node, and with it only the crypto resources its filter allows.
- zcryptctl list
  Show all the additional device nodes that are currently active.
- zcryptctl create [node-name]
  Create a new zcrypt device node. The node-name is optional; if given, it
  must be unique and not already in use. If no name is provided, the zcrypt
  device driver picks one of the form zcrypt_x, with x being the next free
  number. Up to 256 additional device nodes can be created. The new device
  node appears in /dev with read and write permission for root only, so a
  non-root workload can open it only after you explicitly grant access.
  All adapters, domains and ioctls are disabled on a new node: it grants
  nothing until they are added with the addap, adddom and addioctl
  commands (or a config file).
- zcryptctl destroy node-name
  Destroy an additional zcrypt device node. The node is only marked for
  disposal and is actually removed once it is no longer in use, i.e. after
  its last user has closed it.
- zcryptctl addap | delap node-name adapter-nr
  Update the filter of the specified zcrypt device node and add or delete a
  crypto adapter (card) that may be accessed through this node. The symbol
  ALL enables or disables all adapters.
- zcryptctl adddom | deldom node-name domain-nr
  Update the filter of the specified zcrypt device node and add or delete a
  domain that may be accessed through this node. The symbol ALL enables or
  disables all domains.
- zcryptctl addioctl | delioctl node-name ioctl-term
  Update the filter of the specified zcrypt device node and add or delete an
  ioctl. The ioctl can be given as a symbolic name (one of ICARSAMODEXPO,
  ICARSACRT, ZSECSENDCPRB, ZSENDEP11CPRB, ZCRYPT_DEVICE_STATUS,
  ZCRYPT_STATUS_MASK, ZCRYPT_QDEPTH_MASK, ZCRYPT_PERDEV_REQCNT) or as a
  numeric ioctl number in the range 0-255; the symbol ALL selects all
  ioctls.
- zcryptctl config config-file
  Process a configuration file. The file is read line by line and each
  setting is applied as it is read. The syntax is simple:
  - node=<node-name>
  - aps=<list of adapter numbers separated by space, tab or ','>
  - doms=<list of domain numbers separated by space, tab or ','>
  - ioctls=<list of ioctls, numeric or symbolic, separated by space, tab or ','>
  Empty lines are ignored and '#' marks the rest of a line as a comment.
  A node= line creates a new zcrypt device node; the aps=, doms= and
  ioctls= lines customize the most recently created node. The symbol ALL is
  also recognized for aps, doms and ioctls.
  Each action must fit on one line; spreading an action over multiple lines
  is not supported. You can, however, use more than one aps=, doms= or
  ioctls= line for the same node.
  Processing stops at the first line that cannot be parsed or whose action
  fails. The exit status is then non-zero, but the actions that succeeded
  before the failure are not rolled back: the nodes and filter entries
  created up to that point remain in place. Check the exit status and
  review the result with listconfig before handing a node to a workload.
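The config format described above, as an added example that is not part of s390-tools or the zcrypt driver: a small Python validator that applies the man page's parsing rules (comments, empty lines, one action per line, node= followed by aps=/doms=/ioctls= lines for that node, ALL, stop at the first bad line with no rollback) and expands a file into the equivalent sequence of zcryptctl create/addap/adddom/addioctl commands, so you can see exactly what a config run would do, and what would be left behind if it stopped midway. The two sample configs are constructed. Beyond what the man page states, it assumes that a filter line before any node= line is an error, that ALL subsumes individually listed entries, and that adapter and domain numbers share the 0-255 bound given for ioctl numbers.

```python
"""Offline validator for zcryptctl config files.

Added example, not code from s390-tools. It mirrors only the rules the man
page states; everything else is an assumption and marked as such below.
"""
import re
from dataclasses import dataclass, field

# Symbolic ioctl names listed in the man page for addioctl/delioctl.
IOCTL_NAMES = frozenset({
    "ICARSAMODEXPO", "ICARSACRT", "ZSECSENDCPRB", "ZSENDEP11CPRB",
    "ZCRYPT_DEVICE_STATUS", "ZCRYPT_STATUS_MASK",
    "ZCRYPT_QDEPTH_MASK", "ZCRYPT_PERDEV_REQCNT",
})
MAX_NODES = 256                 # man page: up to 256 additional nodes
SEP = re.compile(r"[ \t,]+")    # list separators: space, tab or ','


class ConfigError(ValueError):
    def __init__(self, lineno, msg):
        super().__init__(f"line {lineno}: {msg}")
        self.lineno = lineno


@dataclass
class Node:
    name: str
    aps: set = field(default_factory=set)     # ints, or {"ALL"}
    doms: set = field(default_factory=set)    # ints, or {"ALL"}
    ioctls: set = field(default_factory=set)  # ints and/or names, or {"ALL"}


def _parse_list(value, lineno, key, names=frozenset()):
    """Parse one aps=/doms=/ioctls= value into a set of selections."""
    items = [t for t in SEP.split(value.strip()) if t]
    if not items:
        raise ConfigError(lineno, f"{key}= needs at least one value")
    if "ALL" in items:            # assumption: ALL subsumes other entries
        return {"ALL"}
    out = set()
    for tok in items:
        if tok in names:
            out.add(tok)
        # 0-255 is what the man page states for ioctl numbers; applying the
        # same bound to adapters and domains is an assumption of this example.
        elif tok.isdigit() and int(tok) <= 255:
            out.add(int(tok))
        else:
            raise ConfigError(lineno, f"bad {key} value {tok!r}")
    return out


def parse_config(text):
    """Return (nodes, error). error is None on success; on failure the nodes
    and filter entries parsed before the bad line are still returned, which
    mirrors zcryptctl's no-rollback behaviour."""
    nodes, current = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()    # drop comment and whitespace
        if not line:
            continue
        key, eq, value = line.partition("=")
        key = key.strip()
        try:
            if not eq:
                raise ConfigError(lineno, "expected key=value")
            if key == "node":
                name = value.strip()
                if not name or any(n.name == name for n in nodes):
                    raise ConfigError(lineno, "node name missing or duplicate")
                if len(nodes) >= MAX_NODES:
                    raise ConfigError(lineno, f"more than {MAX_NODES} nodes")
                current = Node(name)
                nodes.append(current)
            elif key in ("aps", "doms", "ioctls"):
                if current is None:   # assumption: filter lines need a node first
                    raise ConfigError(lineno, f"{key}= before any node= line")
                names = IOCTL_NAMES if key == "ioctls" else frozenset()
                target = getattr(current, key)
                target |= _parse_list(value, lineno, key, names)
                if "ALL" in target:
                    target.clear()
                    target.add("ALL")
            else:
                raise ConfigError(lineno, f"unknown key {key!r}")
        except ConfigError as err:
            return nodes, err
    return nodes, None


def to_commands(nodes):
    """Expand parsed nodes into the equivalent zcryptctl subcommand sequence."""
    cmds = []
    for n in nodes:
        cmds.append(f"zcryptctl create {n.name}")
        for verb, sel in (("addap", n.aps), ("adddom", n.doms),
                          ("addioctl", n.ioctls)):
            for item in sorted(sel, key=str):
                cmds.append(f"zcryptctl {verb} {n.name} {item}")
    return cmds


# Constructed sample: one node for one container, limited to a single
# card/domain pair and to the CCA/EP11 request ioctls only.
GOOD_CONFIG = """\
# container 1: card 3, domain 10, CCA and EP11 requests only
node=zcrypt_ctr1
aps=3
doms=10
ioctls=ZSECSENDCPRB ZSENDEP11CPRB
"""

# Constructed sample with a bad token on line 4: lines 1-3 are still applied.
BAD_CONFIG = """\
node=zcrypt_ctr2
aps=ALL
doms=1, 2,3
ioctls=ZSECSENDCPRB BOGUS_IOCTL
"""

if __name__ == "__main__":
    for text in (GOOD_CONFIG, BAD_CONFIG):
        nodes, err = parse_config(text)
        print("\n".join(to_commands(nodes)))
        print("error:", err if err else "none (exit status 0)")
```

Run it as-is to see both samples expanded. The second sample illustrates the no-rollback rule: zcrypt_ctr2 would exist with all adapters and domains 1-3 enabled but no ioctls. Such a half-configured node lets no ioctl through, since ioctls are disabled by default, but it should be completed or destroyed rather than handed to a container.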
- zcryptctl listconfig
  List the current configuration in a form suitable as input for the
  zcryptctl config command.
On successful completion the exit status is 0. A non-zero exit status
(together with a failure message) is returned if processing could not be
completed successfully.