Support modules
A udev rule ensures that any separately compiled modules for which the hardware prerequisites are fulfilled are loaded automatically for you.
The following support modules for hardware-accelerated cryptographic operations can be compiled
separately from the kernel. None of these modules have module parameters.
- sha1_s390
- enables hardware-acceleration for SHA-1 operations.
sha1_s390
requires thesha_common
module. - sha256_s390
- enables hardware-acceleration for SHA-224 and SHA-256 operations.
sha256_s390
requires thesha_common
module. - sha512_s390
- enables hardware-acceleration for SHA-384 and SHA-512 operations.
sha512_s390
requires thesha_common
module. - sha3_256_s390
- enables hardware-acceleration for SHA3-224 and SHA3-256 operations.
sha3_256_s390
requires thesha_common
module. - sha3_512_s390
- enables hardware-acceleration for SHA3-384 and SHA3-512 operations.
sha3_512_s390
requires thesha_common
module. - chacha_s390
- enables hardware-acceleration for the ChaCha20 stream cipher (RFC 7539).
- ghash_s390
- enables hardware-acceleration for Galois hashes.
- aes_s390
- enables hardware-acceleration for AES encryption and decryption for the following modes of operation:
- ECB, CBC, and CTR for key lengths 128, 192, and 256 bits
- XTS for key lengths 128 and 256 bits
- GCM for key lengths 128, 192, and 256 bits
- des_s390
- enables hardware-acceleration for DES and TDES for the following modes of operation: ECB, CBC, and CTR.
- crc32-vx_s390
- enables hardware-acceleration for CRC-32 (IEEE 802.3 Ethernet) and CRC-32C (Castagnoli).
- paes_s390
- enables protected key AES encryption and decryption for the following modes of operation:
- ECB, CBC, and CTR for key lengths 128, 192, and 256 bits
- XTS for key lengths 128 and 256 bits
Thepaes_s390
kernel module includes a self test for each cypher that it provides. These self tests run for Linux® in FIPS mode or if the kernel is compiled to enable crypto self tests. As a prerequisite for a successful self test, at least one of the following conditions must be met:- The PCKMO instruction is enabled in the profile of the LPAR on which the Linux instance or its hosting hypervisor runs. To enable the PCKMO instruction, select the Permit AES Key import functions option in the CPACF Key Management Operations section.
- The Linux instance can access a cryptographic adapter in CCA coprocessor mode.
- The Linux instance can access a cryptographic adapter in EP11 coprocessor mode.
The
paes_s390
module requires the pkey device driver, see Protected key device driver.The module also requires a cryptographic adapter for creating and handling secure and protected keys:- To use CCA AES data or CCA AES cipher secure keys, the module requires a cryptographic adapter in CCA coprocessor mode.
- To use EP11 secure keys, the module requires a cryptographic adapter in EP11 coprocessor mode.
The ciphers in the
paes_s390
module can work with CCA secure data or cipher keys and with EP11 secure keys, for example, keys that are generated by the pkey device driver. XTS requires two secure keys.Before the
paes_s390
module uses secure keys in a cypher, it transforms them into protected keys. If a protected key becomes invalid, thepaes_s390
module re-generates the protected key from the secure key.
Mainframe hardware prior to z14: To use CPACF for AES-GCM operations,
you must load both the
aes_s390
and ghash_s390
module.Tip: Load the modules with modprobe. modprobe
handles dependencies on other modules for you.
Example:
# modprobe sha512_s390