Hardware dependencies and restrictions
The cryptographic operations that can be accelerated by hardware implementations depend on your IBM Z hardware and mode of operating Ubuntu Server.
- AES for GCM for 128-bit, 192-bit, and 256-bit keys
- SHA3-256 and SHA3-512
IBM z15 provides CPACF MSA9, including Edwards-curve DSA (Ed25519, Ed448), and Elliptic Curve DSA (P-256, P-384, P-521).
CPACF dependencies
Hardware-acceleration for DES, TDES, AES, GHASH, PAES, and SHA requires the Central Processor Assist for Cryptographic Function (CPACF). For information about enabling CPACF, see the documentation for your IBM Z hardware.
Vector Extension Facility dependencies
Hardware-acceleration for CRC32 algorithms requires the Vector Extension Facility. Read the
features line from /proc/cpuinfo to find out whether this
facility is available on your hardware.
# grep features /proc/cpuinfo
features : esan3 zarch stfle msa ldisp eimm dfp edat etf3eh highgprs te vx sieIn the output line, vx indicates that the Vector Extension Facility is
available.
FIPS restrictions of the hardware capabilities
If the kernel runs in Federal Information Processing Standard (FIPS) mode, only FIPS 140-2 approved algorithms are available. DES, for example, is not approved by FIPS 140-2.
# cat /proc/sys/crypto/fips_enabled
0The kernel of the example does not run in FIPS mode. Also, if the
/proc/sys/crypto/fips_enabled file does not exist, the kernel does not run in
FIPS mode. For kernels that run in FIPS mode, the file exists and the output of the command is
1.
You control the FIPS mode with the fips kernel parameter.
For more information about FIPS, see csrc.nist.gov/publications/detail/fips/140/2/final.
https://docs.ubuntu.com/security-certs/en