Loading the support modules
Load support modules to enable hardware-acceleration for specific cryptographic operations. None of these modules have module parameters.
- sha512_s390
- enables hardware-acceleration for SHA-384 and SHA-512 operations.
sha512_s390
requires thesha_common
module. - sha3_256_s390
- enables hardware-acceleration for SHA3-224 and SHA3-256 operations.
sha3_256_s390
requires thesha_common
module. - sha3_512_s390
- enables hardware-acceleration for SHA3-384 and SHA3-512 operations.
sha3_512_s390
requires thesha_common
module. - chacha_s390
- enables hardware-acceleration for the ChaCha20 stream cipher (RFC 7539).
- ghash_s390
- enables hardware-acceleration for Galois hashes.
- aes_s390
- enables hardware-acceleration for AES encryption and decryption for the following modes of operation:
- ECB, CBC, and CTR for key lengths 128, 192, and 256 bits
- XTS for key lengths 128 and 256 bits
- des_s390
- enables hardware-acceleration for DES and TDES for the following modes of operation: ECB, CBC, and CTR.
- crc32-vx_s390
- enables hardware-acceleration for CRC-32 (IEEE 802.3 Ethernet) and CRC-32C (Castagnoli).
- paes_s390
- enables protected key AES encryption and decryption for the following modes of operation:
- ECB, CBC, and CTR for key lengths 128, 192, and 256 bits
- XTS for key lengths 128 and 256 bits
TheThepaes_s390
kernel module includes a self test for each cipher that it provides. These self tests run by default. As a prerequisite for a successful self test, at least one of the following conditions must be met:- The PCKMO instruction is enabled in the profile of the LPAR on which the Linux® instance or its hosting hypervisor runs. To enable the PCKMO instruction, select the Permit AES Key import functions option in the CPACF Key Management Operations section.
- The Linux instance can access a cryptographic adapter in CCA coprocessor mode.
- The Linux instance can access a cryptographic adapter in EP11 coprocessor mode.
paes_s390
module requires the pkey device driver, see Protected key device driver.The module also requires a cryptographic adapter for creating and handling secure and protected keys:- To use CCA AES data or CCA AES cipher secure keys, the module requires a cryptographic adapter in CCA coprocessor mode.
- To use EP11 secure keys, the module requires a cryptographic adapter in EP11 coprocessor mode.
The ciphers in the
paes_s390
module can work with CCA secure data keys and CCA secure cipher keys, for example, keys that are generated by the pkey device driver. XTS requires two secure keys.Before the
paes_s390
module uses secure keys in a cipher, it transforms them into protected keys. If a protected key becomes invalid, thepaes_s390
module re-generates the protected key from the secure key.
Mainframe hardware prior to z14: To use CPACF for AES-GCM
operations, you must load both the
aes_s390
and ghash_s390
module.Tip: Load the modules with modprobe. modprobe
handles dependencies on other modules for you.
Example:
# modprobe sha512_s390