Table of Contents
Advertisement
SCSI Commands: 44BSECURITY PROTOCOL OUT
3.32.2.1
If the Encryption Mode is ENCRYPT, then the Key-Associated Data Descriptors list
may contain one descriptor with twelve bytes of authenticated key-associated data
(A-KAD). It may also contain one descriptor with sixteen bytes of unauthenticated
key-associated data (U-KAD).
Host-supplied nonces are not supported. If the encryption mode is ENCRYPT and a
nonce value descriptor is present, then the device server shall terminate the
command with CHECK CONDITION status, with the sense key set to ILLEGAL
REQUEST, and the additional sense code set to INVALID FIELD IN PARAMETER
DATA.
Set Data Encryption Field Descriptions
Field
Bytes
LOCK
4
SCOPE
4
Clear Key on
5
Reservation
Loss (CKORL)
Clear Key on
5
Reservation
Preemption
(CKORP)
Clear Key on
5
De-mount
(CKOD)
SDK
5
Bits
Description
0
0 = Not locked.
1 = The I_T nexus that issued the SECURITY PROTOCOL OUT
command is locked to the set of data encryption parameters
established at the completion of the processing of the
command. (See SSC-3.)
5-7
0 = PUBLIC (All fields other than the scope field and LOCK bit
shall be ignored. The I_T nexus shall use data encryption
parameters that are shared by other I_T nexuses. If no I_T
nexuses are sharing data encryption parameters, the device
server shall use default data encryption parameters.)
1 = LOCAL (The data encryption parameters are unique to the I_T
nexus associated with the SECURITY PROTOCOL OUT
command and shall not be shared with other I_T nexuses.)
2 = ALL I_T NEXUS (The data encryption parameters shall be
shared with all I_T nexuses.)
0
0 = Key is not cleared on reservation loss.
1 = Key is cleared on reservation loss. If the CKORL bit is set to
one and there is no reservation in effect for the I_T nexus
associated with the SECURITY PROTOCOL OUT command,
the device server shall terminate the command with CHECK
CONDITION status, with the sense key set to ILLEGAL
REQUEST, and the additional sense code set to INVALID
FIELD IN PARAMETER DATA.
1
0 = Key is not cleared on preemption of a persistent reservation.
1 = Key is cleared on preemption of a persistent reservation. If the
CKORP bit is set to one and there is no persistent reservation
in effect for the I_T nexus associated with the SECURITY
PROTOCOL OUT command, the device server shall terminate
the command with CHECK CONDITION status, with the sense
key set to ILLEGAL REQUEST, and the additional sense code
set to INVALID FIELD IN PARAMETER DATA.
2
0 = Key is not cleared on completion of a volume de-mount.
1 = Key is cleared on completion of a volume de-mount. If the
CKOD bit is set to one and there is no volume mounted in the
device, the device server shall terminate the command with
CHECK CONDITION status, with the sense key set to
ILLEGAL REQUEST, and the additional sense code set to
INVALID FIELD IN PARAMETER DATA.
3
0 = The key is not a supplemental decryption key. If the SDK bit is
set to one, the device server shall terminate the command with
CHECK CONDITION status, with the sense key set to
ILLEGAL REQUEST, and the additional sense code set to
INVALID FIELD IN PARAMETER LIST.
Page 197
Advertisement
Table of Contents
