Hardware dependencies and restrictions
The cryptographic operations that can be accelerated by hardware implementations depend on your IBM Z® hardware and mode of operating the kernel.
Algorithms for | Hardware-acceleration available as of |
---|---|
SHA-1 | Available for all supported hardware |
SHA-256 | Available for all supported hardware |
SHA-512 | Available for all supported hardware |
DES and TDES | Available for all supported hardware: ECB and CBC
modes z196 for the CTR mode |
AES | Available for all supported hardware: ECB and CBC modes with 128-bit
keys Available for all supported hardware: ECB and CBC modes for all AES key sizes z196 for the CTR mode for all AES key sizes z196 for XTS mode for 256-bit and 512-bit keys z14 for GCM for 128-bit, 192-bit, and 256-bit keys |
GHASH | z196 |
PAES | z196 (AES with protected key) modes ECB, CBC, CTR, and XTS |
CRC32 | z13® for CRC-32 (IEEE 802.3 Ethernet) and CRC-32C (Castagnoli) |
ChaCha20 | z13 |
SHA3-256 and SHA3-512 | z14 |
Edwards-curve DSA (Ed25519, Ed448), Elliptic Curve DSA (P-256, P-384, P-521) | z15® |
CPACF dependencies
Hardware-acceleration for DES, TDES, AES, GHASH, PAES, and SHA requires the Central Processor Assist for Cryptographic Function (CPACF). For information about enabling CPACF, see the documentation for your IBM Z hardware.
Vector Extension Facility dependencies
Hardware-acceleration for CRC32 algorithms and for the ChaCha20 stream cipher
requires the Vector Extension Facility. Read the
features
line from /proc/cpuinfo to find out whether this
facility is available on your hardware.
# grep features /proc/cpuinfo
features : esan3 zarch stfle msa ldisp eimm dfp edat etf3eh highgprs te vx sie
In the output line, vx
indicates that the Vector Extension Facility is
available.
FIPS restrictions of the hardware capabilities
If the kernel runs in Federal Information Processing Standard (FIPS) mode, only FIPS 140-2 approved algorithms are available. DES, for example, is not approved by FIPS 140-2.
# cat /proc/sys/crypto/fips_enabled
1
1
, the kernel does not run in FIPS mode.You control the FIPS mode with the
fips
kernel parameter.
For more information about FIPS, see csrc.nist.gov/publications/detail/fips/140/2/final.