Support modules

6.10 LPAR mode z/VM guest KVM guest

A udev rule ensures that any separately compiled modules for which the hardware prerequisites are fulfilled are loaded automatically for you.

The following support modules for hardware-accelerated cryptographic operations can be compiled separately from the kernel. None of these modules have module parameters.
sha1_s390
enables hardware-acceleration for SHA-1 operations. sha1_s390 requires the sha_common module.
sha256_s390
enables hardware-acceleration for SHA-224 and SHA-256 operations. sha256_s390 requires the sha_common module.
sha512_s390
enables hardware-acceleration for SHA-384 and SHA-512 operations. sha512_s390 requires the sha_common module.
sha3_256_s390
enables hardware-acceleration for SHA3-224 and SHA3-256 operations. sha3_256_s390 requires the sha_common module.
sha3_512_s390
enables hardware-acceleration for SHA3-384 and SHA3-512 operations. sha3_512_s390 requires the sha_common module.
chacha_s390
enables hardware-acceleration for the ChaCha20 stream cipher (RFC 7539).
ghash_s390
enables hardware-acceleration for Galois hashes.
aes_s390
enables hardware-acceleration for AES encryption and decryption for the following modes of operation:
  • ECB, CBC, and CTR for key lengths 128, 192, and 256 bits
  • XTS for key lengths 128 and 256 bits
  • GCM for key lengths 128, 192, and 256 bits
des_s390
enables hardware-acceleration for DES and TDES for the following modes of operation: ECB, CBC, and CTR.
crc32-vx_s390
enables hardware-acceleration for CRC-32 (IEEE 802.3 Ethernet) and CRC-32C (Castagnoli).
paes_s390
enables protected key AES encryption and decryption for the following modes of operation:
  • ECB, CBC, and CTR for key lengths 128, 192, and 256 bits
  • XTS for key lengths 128 and 256 bits
The paes_s390 kernel module includes a self test for each cypher that it provides. These self tests run for Linux® in FIPS mode or if the kernel is compiled to enable crypto self tests. As a prerequisite for a successful self test, at least one of the following conditions must be met:
  • The PCKMO instruction is enabled in the profile of the LPAR on which the Linux instance or its hosting hypervisor runs. To enable the PCKMO instruction, select the Permit AES Key import functions option in the CPACF Key Management Operations section.
  • The Linux instance can access a cryptographic adapter in CCA coprocessor mode.
  • The Linux instance can access a cryptographic adapter in EP11 coprocessor mode.

The paes_s390 module requires the pkey device driver, see Protected key device driver.

The module also requires a cryptographic adapter for creating and handling secure and protected keys:
  • To use CCA AES data or CCA AES cipher secure keys, the module requires a cryptographic adapter in CCA coprocessor mode.
  • To use EP11 secure keys, the module requires a cryptographic adapter in EP11 coprocessor mode.

The ciphers in the paes_s390 module can work with CCA secure data or cipher keys and with EP11 secure keys, for example, keys that are generated by the pkey device driver. XTS requires two secure keys.

Before the paes_s390 module uses secure keys in a cypher, it transforms them into protected keys. If a protected key becomes invalid, the paes_s390 module re-generates the protected key from the secure key.

Mainframe hardware prior to z14: To use CPACF for AES-GCM operations, you must load both the aes_s390 and ghash_s390 module.
Tip: Load the modules with modprobe. modprobe handles dependencies on other modules for you.
Example:
# modprobe sha512_s390