Building a kernel with hardware-accelerated cryptographic operations
Control the build options for hardware-accelerated in-kernel cryptographic operations through the kernel configuration menu.
Cryptographic API ---> (common code option CONFIG_CRYPTO)
   ...
   Accelerated Cryptographic Algorithms for CPU (s390) --->
      CRC32c and CRC32 (CONFIG_CRYPTO_CRC32_S390)
      Hash functions: SHA-384 and SHA-512 (CONFIG_CRYPTO_SHA512_S390)
      Hash functions: SHA-1 (CONFIG_CRYPTO_SHA1_S390)
      Hash functions: SHA-224 and SHA-256 (CONFIG_CRYPTO_SHA256_S390)
      Hash functions: SHA3-224 and SHA3-256 (CONFIG_CRYPTO_SHA3_256_S390)
      Hash functions: SHA3-384 and SHA3-512 (CONFIG_CRYPTO_SHA3_512_S390)
      Hash functions: GHASH (CONFIG_CRYPTO_GHASH_S390)
      Ciphers: AES, modes: ECB, CBC, CTR, XTS, GCM (CONFIG_CRYPTO_AES_S390)
      Ciphers: DES and Triple DES EDE, modes: ECB, CBC, CTR (CONFIG_CRYPTO_DES_S390)
      Ciphers: ChaCha20 (CONFIG_CRYPTO_CHACHA_S390)
   Hardware crypto devices ---> (common code option CONFIG_CRYPTO_HW)
      Support for s390 cryptographic adapters (CONFIG_ZCRYPT)
      ...
      └─ Kernel API for protected key handling (CONFIG_PKEY)
         └─ PKEY CCA (CONFIG_PKEY_CCA)
         └─ PKEY EP11 (CONFIG_PKEY_EP11)
         └─ PKEY PCKMO (CONFIG_PKEY_PCKMO)
         └─ PKEY UV (CONFIG_PKEY_UV)
         └─ PAES cipher algorithms (CONFIG_CRYPTO_PAES_S390)
- CONFIG_PKEY
- This option provides an API for creation and handling of protected keys.
- CONFIG_PKEY_CCA
- This is the CCA support handler for deriving protected keys from CCA (secure) keys. The handler also provides an alternate way to make protected keys from clear key values. The PKEY CCA support handler needs a Crypto Express card (CEX) in CCA mode.
- CONFIG_PKEY_EP11
- This is the EP11 support handler for deriving protected keys from EP11 (secure) keys. The handler also provides an alternate way to make protected keys from clear key values. The PKEY EP11 support handler needs a Crypto Express card (CEX) in EP11 mode.
- CONFIG_PKEY_PCKMO
- This is the PCKMO support handler for deriving protected keys from clear key values by invoking the PCKMO instruction. The PCKMO instruction can be enabled and disabled in the crypto settings of the LPAR profile. Deriving protected keys from clear key material through PCKMO is used especially during the self-test of protected key ciphers such as PAES; the CCA and EP11 handlers provide alternate ways to generate protected keys from clear key values.
- CONFIG_PKEY_UV
- This is the PKEY Ultravisor support handler for deriving protected keys from secrets stored within the Ultravisor (UV). This module works together with the UV device and supports the retrieval of protected keys from secrets stored within the UV firmware layer. This service is only available within a protected execution guest.
- CONFIG_CRYPTO_PAES_S390
- This option provides support for hardware-acceleration of the AES cipher algorithms for use with protected key. The support can be compiled into the kernel or as a separate module, paes_s390.
- CONFIG_CRYPTO_SHA1_S390
- This option provides support for hardware-acceleration of the SHA-1 secure hash standard (FIPS 180-1/DFIPS 180-2). The support can be compiled into the kernel or as a separate module, sha1_s390.
- CONFIG_CRYPTO_SHA256_S390
- This option provides support for hardware-acceleration of the SHA2-224 and SHA2-256 secure hash standards (DFIPS 180-2). The support can be compiled into the kernel or as a separate module, sha256_s390.
- CONFIG_CRYPTO_SHA512_S390
- This option provides support for hardware-acceleration of the SHA2-384 and SHA2-512 secure hash standards. The support can be compiled into the kernel or as a separate module, sha512_s390.
- CONFIG_CRYPTO_SHA3_256_S390
- This option provides support for hardware-acceleration of the SHA3-224 and SHA3-256 secure hash standards. The support can be compiled into the kernel or as a separate module, sha3_256_s390.
- CONFIG_CRYPTO_SHA3_512_S390
- This option provides support for hardware-acceleration of the SHA3-384 and SHA3-512 secure hash standards. The support can be compiled into the kernel or as a separate module, sha3_512_s390.
- CONFIG_CRYPTO_DES_S390
- This option provides support for hardware-acceleration, through CPACF, of the DES cipher algorithm (FIPS 46-2), and Triple DES EDE (FIPS 46-3). The support can be compiled into the kernel or as a separate module, des_s390.
- CONFIG_CRYPTO_AES_S390
- This option provides support for hardware-acceleration, through CPACF, of the AES cipher algorithms (FIPS-197). The support can be compiled into the kernel or as a separate module, aes_s390.
- CONFIG_CRYPTO_CHACHA_S390
- This option provides support for the s390 SIMD implementation of the ChaCha20 stream cipher (RFC 7539). The support can be compiled into the kernel or as a separate module, chacha_s390.
- CONFIG_CRYPTO_GHASH_S390
- This option provides support for hardware-acceleration, through CPACF, of the GHASH message digest algorithm for GCM (Galois/Counter Mode). The support can be compiled into the kernel or as a separate module, ghash_s390.
- CONFIG_CRYPTO_CRC32_S390
- This option provides support for hardware-accelerated implementations of CRC algorithms. With this option, you can optimize the computation of CRC-32 (IEEE 802.3 Ethernet) and CRC-32C (Castagnoli). The support can be compiled into the kernel or as a separate module, crc32-vx_s390.
- CONFIG_CRYPTO_HMAC_S390
- s390 specific HMAC hardware support for SHA224, SHA256, SHA384 and SHA512.
PAES does not have a separate kernel configuration option, but it depends on the protected key device driver.
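To check how a given kernel was built against the options listed above, the following added example (not part of the original page and not vendor tooling) parses a kernel .config file and reports each option as built in, module, or not set. The function names, the constructed sample file, and the rule that protected keys count as usable only when CONFIG_PKEY and at least one of its four handlers are enabled are assumptions of this example.

```sh
# Added example, not kernel or vendor code. States: y = built in, m = module,
# n = not set or absent from the file.
S390_CRYPTO_OPTS="CRYPTO_CRC32_S390 CRYPTO_SHA1_S390 CRYPTO_SHA256_S390
CRYPTO_SHA512_S390 CRYPTO_SHA3_256_S390 CRYPTO_SHA3_512_S390 CRYPTO_GHASH_S390
CRYPTO_AES_S390 CRYPTO_DES_S390 CRYPTO_CHACHA_S390 CRYPTO_HMAC_S390 ZCRYPT PKEY
PKEY_CCA PKEY_EP11 PKEY_PCKMO PKEY_UV CRYPTO_PAES_S390"

# opt_state FILE NAME: print y, m or n for CONFIG_<NAME> in FILE.
opt_state() {
    state=$(sed -n "s/^CONFIG_$2=\([ym]\)\$/\1/p" "$1" | head -n 1)
    echo "${state:-n}"
}

# report FILE: one "CONFIG_<NAME>=<state>" line per option from this page.
report() {
    for opt in $S390_CRYPTO_OPTS; do
        echo "CONFIG_$opt=$(opt_state "$1" "$opt")"
    done
}

# pkey_handlers FILE: print the enabled protected-key handlers, space separated.
pkey_handlers() {
    found=""
    for h in PKEY_CCA PKEY_EP11 PKEY_PCKMO PKEY_UV; do
        if [ "$(opt_state "$1" "$h")" != n ]; then found="$found $h"; fi
    done
    echo "${found# }"
}

# pkey_usable FILE: succeed only if CONFIG_PKEY is on and at least one handler
# is enabled (this example's own rule, see lead-in).
pkey_usable() {
    [ "$(opt_state "$1" PKEY)" != n ] && [ -n "$(pkey_handlers "$1")" ]
}

# Constructed sample .config fragment (not taken from a real system).
sample=$(mktemp)
cat > "$sample" <<'EOF'
CONFIG_CRYPTO_AES_S390=m
CONFIG_CRYPTO_SHA512_S390=y
# CONFIG_CRYPTO_DES_S390 is not set
CONFIG_ZCRYPT=m
CONFIG_PKEY=m
CONFIG_PKEY_PCKMO=m
# CONFIG_PKEY_CCA is not set
CONFIG_CRYPTO_PAES_S390=m
EOF
report "$sample"
pkey_usable "$sample" && echo "protected-key handlers: $(pkey_handlers "$sample")"
```

On a running system the same functions can be pointed at the distribution's kernel config file, which is commonly installed as /boot/config-$(uname -r).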