acfo Command
Purpose
Manages the tunable parameters of the Advanced Crypto Facility (ACF).
Syntax
acfo [-d] | [-d -t tunable_name]
acfo -R
acfo -r tunable_name
acfo -p [-R | -r -t tunable_name] | [-t tunable_name=value]
acfo -t tunable_name=value
acfo [-h] | [-h -t tunable_name]
Description
The acfo command can display or modify current and persistent tunable parameters of ACF. The ACF tunable parameters determine if the nest (NX) acceleration or in-core cryptographic acceleration must be used in kernel-crypto APIs that are provided by Public Key Cryptography Standards (PKCS) #11.
Currently, the NX and in-core crypto acceleration supports only the Advanced Encryption Standard (AES) for the PKCS #11 subsystem.
The NX cryptographic acceleration is supported on POWER7®+ processor-based servers, and later. The in-core cryptographic acceleration is supported on POWER8® processor-based servers, and later. You cannot turn on the in-core cryptographic acceleration if the server does not support it.
The kernel crypto APIs are used by Encrypting File System (EFS), IP security (IPSec), logical volume encryption, kernel extensions, and the user-space applications that use the AIX® PKCS #11 API object, /usr/lib/pkcs11/ibm_pks11.so.
The PKCS #11 device driver must be active when you run the acfo command.
Persistent tunable parameter values are values that are retained by the tunable parameters across the reboot operation. Persistent tunable parameter values are stored in the ODM database. These values are used by the PKCS #11 device drivers when the CFG_INIT command is run to initialize the tunable parameters.
Flags
- -a
- Displays the values of all the ACF tunable parameters, one per line.
- -d
- Displays all ACF tunable parameter names and current values. When you use the -d flag with the -t flag, the acfo command displays the current values of the specified tunable parameters.
- -h
- Displays help information about the command and its arguments. When you use the -t flag with the -h flag, the command displays help information for the specific tunable parameters.
- -p
- Modifies the current values and next boot values of the tunable parameters permanently. If you do not specify the -p flag, only the current values of the tunable parameters are changed; the changes are not persistent across the next boot operation.
- -R
- Resets all tunable parameters to their default values.
- -r tunable
- Resets the specified tunable parameter to its default value.
- -t tunable [=new_value]
- Displays the current value of the specified tunable parameter or sets the tunable parameter to the specified value.
Tunable parameters
For the default values and the range of values of the ACF tunable parameters, run the acfo -h -t tunable_name command. The valid tunable parameter names follow:
- nx_enabled
- Specifies NX crypto acceleration. A value of 1 enables NX crypto acceleration and a value of 0 disables NX crypto acceleration.
- min_sz
- Specifies the minimum data size (in bytes) that is suitable for NX crypto acceleration. If the acceleration request requires less data than the specified minimum value, the acceleration request uses the software implementation such as cryptographic software methods that are executed by the general-purpose CPU. This tunable parameter is applicable only for NX crypto acceleration.
- in_core_enabled
- Specifies in-core crypto acceleration. A value of 1 enables in-core crypto acceleration and a value of 0 disables in-core crypto acceleration. This tunable parameter takes precedence over the nx_enabled tunable parameter.
Security
Examples
- To display all ACF tunable parameter names and the corresponding current values, run the following command:
acfo -d
The command displays output similar to the following:
nx_enabled : 1.
min_sz : 1024.
in_core_enabled : 0.
- To set the minimum data size of ACF NX crypto acceleration to a non-persistent value of 1024 bytes, run the following command:
acfo -t min_sz=1024
- To turn off NX crypto acceleration permanently, run the following command:
acfo -p -t nx_enabled=0
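The selection rules described under Tunable parameters, as an added example that is not part of the original page or of IBM's code: a POSIX shell script that parses acfo -d output in the format shown above and reports which AES path those rules select for a request of a given size. The function names acf_get and acf_path and the sample text are constructed for illustration, and the script models only the documented description, not the PKCS #11 device driver.

```shell
#!/bin/sh
# Constructed sample in the `acfo -d` output format shown in the Examples section.
SAMPLE_OUTPUT='nx_enabled : 1.
min_sz : 1024.
in_core_enabled : 0.'

# acf_get NAME: read `acfo -d` text on stdin and print the value of NAME.
# Exits non-zero if the tunable is not present. (Hypothetical helper.)
acf_get() {
    awk -v want="$1" -F':' '
        {
            name = $1; val = $2
            gsub(/[ \t]/, "", name)      # strip padding around the name
            gsub(/[ \t.]/, "", val)      # strip padding and the trailing period
            if (name == want) { print val; found = 1; exit }
        }
        END { if (!found) exit 1 }'
}

# acf_path SIZE: read `acfo -d` text on stdin and print the path the documented
# rules select for a SIZE-byte AES request: in-core, nx, or software.
# Returns 2 if a tunable is missing. (Hypothetical helper; an assumption-based
# model of the page text, not the kernel logic.)
acf_path() {
    acf_text=$(cat)
    in_core=$(printf '%s\n' "$acf_text" | acf_get in_core_enabled) || return 2
    nx=$(printf '%s\n' "$acf_text" | acf_get nx_enabled) || return 2
    min_sz=$(printf '%s\n' "$acf_text" | acf_get min_sz) || return 2
    if [ "$in_core" -eq 1 ]; then
        echo in-core     # in_core_enabled takes precedence over nx_enabled
    elif [ "$nx" -eq 1 ] && [ "$1" -ge "$min_sz" ]; then
        echo nx          # min_sz applies only to NX acceleration
    else
        echo software    # below min_sz, or both accelerators disabled
    fi
}

# Demonstration on the constructed sample; on AIX use: acfo -d | acf_path 4096
for size in 16 1023 1024 65536; do
    printf '%6s bytes -> %s\n' "$size" "$(printf '%s\n' "$SAMPLE_OUTPUT" | acf_path "$size")"
done
```

A result of software for sizes that an EFS, IPSec or logical volume encryption workload commonly uses means those requests run on the general-purpose CPU even though nx_enabled is 1.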