External programming interfaces

6.10: applies to LPAR mode, z/VM guest, and KVM guest.

Applications can directly access the zcrypt device driver through an API.

Programmers: This information is intended for those who want to program against the cryptographic device driver or against the available cryptographic libraries.
For information about the library APIs, see the following files in the Linux® source tree:
  • The libica library /usr/include/ica_api.h
  • The openCryptoki library /usr/include/opencryptoki/pkcs11.h
  • The CCA library /opt/IBM/CCA/include/csulincl.h
  • The EP11 library /usr/include/ep11/ep11.h and /usr/include/ep11/ep11adm.h

ep11.h and ep11adm.h are included in the EP11 devel package. pkcs11.h is included in the opencryptoki devel package. ica_api.h and csulincl.h are present after their libraries are installed.

Clear key cryptographic functions

The libica library provides a C API to clear-key cryptographic functions that are supported by IBM Z® hardware. You can configure both openCryptoki (by using the icatoken) and openssl (by using the ibmca engine) to use IBM Z clear-key cryptographic hardware support through libica. See libica Programmer's Reference, SC34-2602 for details about the libica functions.

If you must circumvent libica and access the zcrypt device driver directly, your user space program must open the z90crypt device node and submit the cryptographic request with an IOCTL. The IOCTL subfunction ICARSAMODEXPO performs RSA modular exponentiation (encryption and decryption). The IOCTL ICARSACRT performs RSA decryption in CRT form. See the cryptographic device driver header file in the Linux source tree:
/usr/include/asm/zcrypt.h
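As an added example (not code from the page or from the zcrypt driver project), the following C program shows the direct-access path just described: it opens /dev/z90crypt, fills in `struct ica_rsa_modexpo` from asm/zcrypt.h, and submits it with ICARSAMODEXPO. The driver expects every operand (input, exponent, modulus) as a big-endian byte string of exactly `inputdatalength` bytes and an output buffer at least that long, so the helpers below build such buffers and a small software modular exponentiation is kept as a cross-check. Assumptions: the structure field names (`inputdata`, `inputdatalength`, `outputdata`, `outputdatalength`, `b_key`, `n_modulus`) are those of the kernel's uapi header; the hardware path compiles only on s390x and returns -ENOSYS elsewhere; the 4^13 mod 497 test vector is constructed for illustration, whereas real requests carry 512- to 4096-bit moduli.

```c
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <unistd.h>
#ifdef __s390x__
#include <asm/zcrypt.h>   /* struct ica_rsa_modexpo, ICARSAMODEXPO */
#endif

/* Encode v as a big-endian, zero-padded operand of len bytes, as the
 * zcrypt driver expects. Returns -1 if v does not fit in len bytes. */
int encode_be(uint64_t v, uint8_t *buf, size_t len)
{
    if (len < sizeof v && (v >> (8 * len)) != 0)
        return -1;
    memset(buf, 0, len);
    for (size_t i = 0; i < len && i < sizeof v; i++)
        buf[len - 1 - i] = (uint8_t)(v >> (8 * i));
    return 0;
}

/* Decode the low 8 bytes of a big-endian operand (enough for the demo). */
uint64_t decode_be(const uint8_t *buf, size_t len)
{
    uint64_t v = 0;
    size_t start = len > sizeof v ? len - sizeof v : 0;
    for (size_t i = start; i < len; i++)
        v = (v << 8) | buf[i];
    return v;
}

/* Software reference for small operands (mod < 2^63), used to cross-check
 * what the adapter returns. Not a replacement for the hardware path. */
uint64_t sw_modexp(uint64_t base, uint64_t exp, uint64_t mod)
{
    unsigned __int128 result = 1, b = base % mod;
    while (exp) {
        if (exp & 1)
            result = (result * b) % mod;
        b = (b * b) % mod;
        exp >>= 1;
    }
    return (uint64_t)result;
}

/* Submit one RSA modular exponentiation to the zcrypt driver.
 * in, exp and mod are each len bytes; out must hold at least len bytes.
 * Returns 0 on success and -errno on failure (-ENOSYS off s390x). */
int zcrypt_modexpo(const uint8_t *in, const uint8_t *exp, const uint8_t *mod,
                   uint8_t *out, size_t len)
{
#ifdef __s390x__
    struct ica_rsa_modexpo req;
    memset(&req, 0, sizeof req);
    req.inputdata        = (void *)in;
    req.inputdatalength  = (unsigned int)len;
    req.outputdata       = out;
    req.outputdatalength = (unsigned int)len;   /* must be >= inputdatalength */
    req.b_key            = (void *)exp;          /* exponent, len bytes */
    req.n_modulus        = (void *)mod;          /* modulus, len bytes */

    int fd = open("/dev/z90crypt", O_RDWR);     /* zcrypt device node */
    if (fd < 0)
        return -errno;
    int rc = ioctl(fd, ICARSAMODEXPO, &req);
    int err = errno;
    close(fd);
    return rc < 0 ? -err : 0;
#else
    (void)in; (void)exp; (void)mod; (void)out; (void)len;
    return -ENOSYS;
#endif
}

int main(void)
{
    /* Constructed demo vector: 4^13 mod 497 = 445. */
    uint8_t in[8], exp[8], mod[8], out[8];
    encode_be(4, in, sizeof in);
    encode_be(13, exp, sizeof exp);
    encode_be(497, mod, sizeof mod);

    int rc = zcrypt_modexpo(in, exp, mod, out, sizeof out);
    if (rc == 0)
        printf("adapter result: %llu\n", (unsigned long long)decode_be(out, sizeof out));
    else
        printf("zcrypt request failed: %s\n", strerror(-rc));
    printf("software cross-check: %llu\n", (unsigned long long)sw_modexp(4, 13, 497));
    return 0;
}
```

A program that relies on this path should treat a non-zero return from the ioctl as a hard failure rather than silently falling back to software, since the whole point of routing through the adapter is that the private exponent is processed by the hardware.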

Secure key cryptographic functions

To use secure key cryptographic functions in your user space program by accessing a CCA coprocessor adapter, see Secure Key Solution with the Common Cryptographic Architecture Application Programmer's Guide, SC33-8294. You can obtain this publication at https://www.ibm.com/docs/linuxonibm/liaaf/lnz_r_ccacnt.html.

To use secure key cryptographic functions in your user space program by accessing an EP11 coprocessor adapter, see Exploiting Enterprise PKCS #11 using openCryptoki, SC34-2713. You can obtain it at ibm.com/docs/en/linux-on-systems?topic=overview-exploiting-enterprise-pkcs-11-using-opencryptoki.

Reading true random numbers

To read true random numbers, a user space program must open the hwrng device and read as many bytes as needed from the device.
Tip: Using the output of the hwrng device to periodically reseed a pseudo-random number generator might be an efficient use of the random numbers.