VCM features
Handling of VCM features
Features applicable to a VCM may be specified when the VCM is created by using the --features option of vcmadmin create.
If the --features option is omitted when creating the VCM, the VCM features default to the same as those at platform level.
VCM features can be altered by first stopping the VCM with command vcmadmin stop and then altering the features with vcmadmin properties set. You will require a request file signed by the tenant to alter the properties.
| It is important that the clock on the tenant’s machine is synchronized with the clock on your machine. You will need to contact the tenant to confirm this. It is also important that the module clock is synchronized with your host machine. Refer to Setting the system clock for how to set the system clock, as any error messages received will refer to the module clock. |
In all cases the features set at VCM level must be equal to, or a subset of, the features at platform level. It is not possible to set a feature for a VCM that does not exist at platform level. If you wish to set a feature for a VCM that does not exist at platform level you must first purchase a license for the HSM and apply that license at platform level.
Built-in features
A number of features that were optional on earlier versions of firmware are now built in to the firmware and are always available for use regardless of whether they are specified in any commands or not. These are:
- StandardKM
- EllipticCurve
- ECCMQV
- AcceleratedECC
- PostQuantum
Specifying, or not specifying, these features in any commands will have no effect on the tenant’s ability to use these features.
Specification of VCM features
The features option can be specified in one of two ways as described below.
Specification of VCM features as feature names
Features may be specified as a list of feature names, as specified in the table below, separated by the | character.
To protect the | character from the command line interpreter it must be enclosed in double quotes.
For example if the required features are:
- FTO commands available
- Korean Algorithms available
- ECC mechanisms available
This would be written as
"ForeignTokenOpen|KISAAlgorithms|EllipticCurve"
Specification of VCM features as a 32-bit word
Features may be specified as a 32-bit hexadecimal word, calculated by adding the hexadecimal values of the features listed in the table below.
For example if the required features are:
- FTO commands available
- ReceiveShare command available
- Any SEE machine may be loaded
- Korean Algorithms available
- Standard key management commands available
- ECC mechanisms available
- ECC-MQV key agreement protocol is available
- ECC point multiplications are accelerated where available
- High Speed HSM
The calculation would be:
00000001 + 00000002 + 00000004 + 00000010 + 00000020 + 00000200 + 00000800 + 00001000 + 00008000 = 9A37
VCM feature values and feature names
| Value (Hexadecimal) | Feature | Feature name |
|---|---|---|
| 00000001 | FTO commands available | ForeignTokenOpen |
| 00000002 | ReceiveShare command available | RemoteShare |
| 00000004 | Any SEE machine may be loaded (Not applicable to nShield 5) | GeneralSEE |
| 00000008 | CodeSafe 5 activation | ExportCGEA |
| 00000010 | Korean algorithms available | KISAAlgorithms |
| 00000020 | Standard key management commands available | StandardKM |
| 00000200 | ECC mechanisms available | EllipticCurve |
| 00000400 | Base Speed HSM | HSMSpeed0 |
| 00000800 | ECC-MQV key agreement protocol is available | ECCMQV |
| 00001000 | ECC point multiplications are accelerated where available | AcceleratedECC |
| 00004000 | Mid Speed HSM | HSMSpeed1 |
| 00008000 | High Speed HSM | HSMSpeed2 |
| 00100000 | Enable high-speed but non-certified random number source for ECDSA operations | FastRandom |
Any bits not appearing in the table above are reserved or obsolete and will have no effect on operation.
Output of VCM features
The features set on a VCM can be displayed with vcmadmin show and are always displayed as a list of feature names regardless of which option was used to set the features.
An example vcmadmin show output would be:
FEATURES : ForeignTokenOpen|RemoteShare|StandardKM|EllipticCurve|ECCMQV|AcceleratedECC|HSMSpeed2
The 32-bit word representing the features can be seen by using the --json option with either vcmadmin list or vcmadmin show.
An example vcmadmin show --json output would be:
"features": 39459,
Due to the internal format used, this JSON formatted output will appear as a decimal number and must be converted to hexadecimal if you wish to use this as an input parameter. For example, 39459 in decimal is 9A23 in hexadecimal.
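The following Python helper is an added example, not part of this page and not code from the vcmadmin tool or the nShield software. It reproduces the arithmetic the page describes so that a feature list can be checked before it is handed to vcmadmin create --features: it converts a "|"-separated name list to the 32-bit word, converts the decimal value printed by vcmadmin show --json back to hex and to names, flags any reserved or obsolete bits, and applies the rule that a VCM's features must be a subset of the platform's. The bit values are copied from the table above; the function names and the platform word used in the subset check are the example's own.

```python
"""Helpers for the VCM feature word described on this page.

Added example; not part of the original page and not code from the vcmadmin
tool or the nShield software. It only reproduces the arithmetic the text
describes: names <-> 32-bit word, the decimal value that `vcmadmin show --json`
prints, and the rule that a VCM's features must be a subset of the platform's.
"""

# Bit values from the "VCM feature values and feature names" table.
FEATURES = {
    "ForeignTokenOpen": 0x00000001,
    "RemoteShare":      0x00000002,
    "GeneralSEE":       0x00000004,
    "ExportCGEA":       0x00000008,
    "KISAAlgorithms":   0x00000010,
    "StandardKM":       0x00000020,
    "EllipticCurve":    0x00000200,
    "HSMSpeed0":        0x00000400,
    "ECCMQV":           0x00000800,
    "AcceleratedECC":   0x00001000,
    "HSMSpeed1":        0x00004000,
    "HSMSpeed2":        0x00008000,
    "FastRandom":       0x00100000,
}

# Built-in features: always available to the tenant whether or not their bit
# is set. PostQuantum is also built in but has no bit in the table.
BUILT_IN = frozenset({"StandardKM", "EllipticCurve", "ECCMQV", "AcceleratedECC"})

KNOWN_MASK = 0
for _bit in FEATURES.values():
    KNOWN_MASK |= _bit


def encode(names):
    """'A|B|C' (or a list of names) -> 32-bit feature word.

    Unknown names raise rather than silently dropping a feature, which is
    what a typo such as 'ForeignTokenpen' would otherwise do.
    """
    if isinstance(names, str):
        names = [n for n in names.split("|") if n]
    word = 0
    for name in names:
        if name not in FEATURES:
            raise ValueError(f"unknown feature name: {name!r}")
        word |= FEATURES[name]
    return word


def decode(word):
    """Feature word (hex, or the decimal from --json) -> names in table order."""
    return [name for name, bit in FEATURES.items() if word & bit]


def to_hex(word):
    """Decimal from --json -> the hexadecimal form used as --features input."""
    return f"{word & 0xFFFFFFFF:X}"


def reserved_bits(word):
    """Bits set that are not in the table: reserved or obsolete, no effect."""
    return word & ~KNOWN_MASK & 0xFFFFFFFF


def not_on_platform(vcm_word, platform_word):
    """Names requested for the VCM whose bit the platform word does not have.

    Non-empty means the request cannot succeed: a VCM cannot have a feature
    that does not exist at platform level (a licence must be applied first).
    """
    return decode(vcm_word & ~platform_word)


def effective_features(vcm_word):
    """What the tenant can actually use: the set bits plus the built-ins."""
    return set(decode(vcm_word)) | BUILT_IN


if __name__ == "__main__":
    # The worked example from the page: nine features -> 9A37.
    req = ["ForeignTokenOpen", "RemoteShare", "GeneralSEE", "KISAAlgorithms",
           "StandardKM", "EllipticCurve", "ECCMQV", "AcceleratedECC", "HSMSpeed2"]
    word = encode(req)
    print("--features", to_hex(word))                   # 9A37
    # The --json value from the page, back to hex and to names.
    print(to_hex(39459), "|".join(decode(39459)))        # 9A23 ForeignTokenOpen|...
    # Subset check against a platform word (39459, assumed here) that lacks
    # GeneralSEE and KISAAlgorithms.
    print(not_on_platform(word, 39459))                  # ['GeneralSEE', 'KISAAlgorithms']
```

Run the subset check with the platform's own --json value as platform_word before submitting a request file for signature; a non-empty result means the request will fail for a feature the HSM is not licensed for, and the built-ins can be left out of the list entirely since they are available regardless.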
| The tenant will have access to all built-in features regardless of these settings. See Built-in features |
VCM speed rating
You can control the relative proportion of the HSM's available processing capacity that is allocated to an individual VCM using the following speed bits:
- HSMSpeed0
- HSMSpeed1
- HSMSpeed2
This does not provide total control, because the exact allocation of resources depends upon a number of factors, including the number of active VCMs, the total load of the HSM, and the individual cryptographic operations being performed by each VCM. This means that the VCM speed rating is only an approximation of actual performance.
You cannot set the speed rating of a VCM higher than the speed rating of the HSM on which it is hosted.
This means that you cannot use HSMSpeed3 because it is never set on an HSM.
When hosting VCMs on an nShield 5s Mid-speed HSM, you cannot create a VCM with the HSMSpeed1 bit set.
Requests for VCMs with an HSMSpeed1 speed bit are automatically converted to HSMSpeed0 when hosted on a Mid-speed HSM.