Installing and loading the cryptographic device driver

The cryptographic device driver is included in the regular kernel package shipped with your Linux® distribution.

To check, enter the lszcrypt command:
# lszcrypt
CARD.DOMAIN TYPE  MODE        STATUS  REQUESTS
----------------------------------------------
00          CEX5A Accelerator online         0
00.001a     CEX5A Accelerator online         0
01          CEX5C CCA-Coproc  online        55
01.001a     CEX5C CCA-Coproc  online        55
03          CEX5P EP11-Coproc online        50
03.001a     CEX5P EP11-Coproc online        50
04          CEX6A Accelerator online         0
04.001a     CEX6A Accelerator online         0
05          CEX6C CCA-Coproc  online       104
05.001a     CEX6C CCA-Coproc  online       104
06          CEX7P EP11-Coproc online         8
06.001a     CEX7P EP11-Coproc online         8

If the following error message is displayed, load the zcrypt device driver main module:

error - cryptographic device driver zcrypt is not loaded!

In earlier Linux distributions, the cryptographic device driver is shipped as a single module called z90crypt. In more recent distributions, the cryptographic device driver is shipped as a set of modules, with the ap module being the main module that triggers loading all required sub-modules. There is, however, an alias name z90crypt that links to the ap main module.

Some distributions that use kernel levels starting with 4.10 might have basic cryptographic device driver support as part of the kernel (that is, the ap module is already compiled into the kernel). In this case, the lsmod and modprobe commands mentioned below do not work as described. In addition, the domain and poll_thread parameters are no longer module parameters, but kernel parameters. You can then change the values directly via sysfs, or set them as kernel parameters. Refer to Device Drivers, Features, and Commands for upstream kernels for further information.

For installations with a loadable cryptographic device driver, use the lsmod command to find out if either the z90crypt or the ap module is already loaded.

If required, use the modprobe command to load the z90crypt or ap module. When loading the z90crypt or ap module, you can use the following optional module parameters:
domain=
specifies a particular cryptographic domain. By default, the device driver attempts to use the domain with the maximum number of devices.

After loading the device driver, use the lszcrypt command with the -b option to confirm that the correct domain is used. If your distribution does not include this command, see the version of Device Drivers, Features, and Commands that applies to your distribution about how to use the sysfs interface to find out the domain. This publication also provides more information about loading and configuring the cryptographic device driver.

If the cryptographic device driver is part of the kernel, you cannot unload it. In this case, you can directly edit domain settings via sysfs.

poll_thread=
enables the polling thread for instances of Linux on z/VM® and for Linux instances that run in LPAR mode on an IBM Z® platform earlier than z10™.

For Linux instances that run in LPAR mode on a z10 or later, this setting is ignored and AP interrupts are used instead.

For more information about these module parameters, the polling thread, and AP interrupts, see the version of Device Drivers, Features, and Commands that applies to your distribution.

See your Linux distribution documentation for how to load the module persistently.

Checking the cryptographic adapter availability

Check whether you have plugged in and enabled your IBM® cryptographic adapter and validate your model and type configuration (accelerator or coprocessor).

Use the lszcrypt -V command to display detailed information about the cryptographic coprocessors:

# lszcrypt -V

CARD.DOMAIN TYPE  MODE        STATUS  REQUESTS  PENDING HWTYPE QDEPTH FUNCTIONS  DRIVER
--------------------------------------------------------------------------------------------
0c          CEX7A Accelerator online        46        0     13     08 -MC-A-NF-  cex4card
0c.004c     CEX7A Accelerator online        46        0     13     08 -MC-A-NF-  cex4queue
0f          CEX7C CCA-Coproc  online         4        0     13     08 S--D--NF-  cex4card
0f.004c     CEX7C CCA-Coproc  online         4        0     13     08 S--D--NF-  cex4queue
10          CEX7P EP11-Coproc online         0        0     13     08 -----XNF-  cex4card
10.004c     CEX7P EP11-Coproc online         0        0     13     08 -----XNF-  cex4queue

Use the chzcrypt command to enable (online state) or disable (offline state) an IBM cryptographic adapter:

$ chzcrypt -e 0x06    # set card 06 online
$ chzcrypt -d 0x06    # set card 06 offline

For more information about IBM cryptographic coprocessors with Linux on IBM Z and IBM LinuxONE, see Drivers, Features, and Commands, SC33-8411.
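
The availability check described above can be scripted so that a workload that depends on a CCA or EP11 coprocessor is started only when a queue of that mode is online. The following is an added example, not part of the original publication: the function names and the sample listing (with card 05 shown offline) are constructed, and the column layout is assumed to match the lszcrypt listings on this page.

```shell
#!/bin/sh
# Added example: evaluates an lszcrypt listing read from standard input.
# Assumed column layout (from the listings on this page):
#   CARD.DOMAIN TYPE MODE STATUS REQUESTS ...
# On a live system, pipe the real command in, for example:
#   lszcrypt | zcrypt_require_mode CCA-Coproc

# Constructed sample listing; card 05 and its queue are offline.
SAMPLE='CARD.DOMAIN TYPE  MODE        STATUS  REQUESTS
----------------------------------------------
00          CEX5A Accelerator online         0
00.001a     CEX5A Accelerator online         0
01          CEX5C CCA-Coproc  online        55
01.001a     CEX5C CCA-Coproc  online        55
03          CEX5P EP11-Coproc online        50
03.001a     CEX5P EP11-Coproc online        50
05          CEX6C CCA-Coproc  offline      104
05.001a     CEX6C CCA-Coproc  offline      104'

# Print id, mode and status of every card or queue that is not online.
# Header and separator lines are skipped by requiring a hex id in column 1.
zcrypt_not_online() {
    awk '$1 ~ /^[0-9a-f][0-9a-f](\.[0-9a-f]+)?$/ && $4 != "online" { print $1, $3, $4 }'
}

# Count online queues (CARD.DOMAIN entries, not bare cards) of one MODE,
# for example Accelerator, CCA-Coproc or EP11-Coproc.
zcrypt_online_queues() {
    awk -v mode="$1" '$1 ~ /^[0-9a-f][0-9a-f]\.[0-9a-f]+$/ && $3 == mode && $4 == "online" { n++ } END { print n + 0 }'
}

# Succeed only if at least one queue of the required MODE is online.
zcrypt_require_mode() {
    [ "$(zcrypt_online_queues "$1")" -ge 1 ]
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE" | zcrypt_not_online
```
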