OpenSSL on IBM Z - out of the box

OpenSSL implicitly offers features to accelerate cryptographic operations on IBM Z® and IBM® LinuxONE cryptographic hardware by a built-in use of CPACF or optimized IBM Z assembler code. No specific OpenSSL configuration is required for exploiting these features.

Hardware acceleration with OpenSSL out of the box

With the default configuration, all cryptographic operations are executed inside OpenSSL, which has built-in support mainly for symmetric ciphers and hash functions. These algorithms are executed using one of the acceleration methods listed in Table 1, for example, the CPACF feature. CPACF requires specific microcode to be installed, which you can order as a no-charge feature code (LIC #3863), unless you are in an embargoed geography. The CPACF built-in support has been implemented, for example, for the AES and SHA algorithms inside OpenSSL. This means that the supported algorithms will always execute faster than pure C code, due to the automatic use of the OpenSSL built-in CPACF support.
Table 1 lists all algorithms that are implicitly accelerated by OpenSSL. The table is valid for OpenSSL versions 1.1.1 or later. It is also valid only for builds that are configured without the option no-asm, which explicitly disables the usage of all CPACF processing. If the required hardware is not available for any of the listed algorithms, the processing falls back to the OpenSSL software implementation, transparently for the requestor.
Draft comment: hartig@de.ibm.com
OpenSSL versions: are they the upstream versions or versions available in Distros ?

===> Mail from Ingo:

The OpenSSL versions in the table are upstream versions. Distro-specific situations are almost impossible to describe cleanly for OpenSSL, so we prefer to leave that out entirely.

Table 1. IBM Z specific features of OpenSSL

| Algorithm or function | Method of acceleration | HW generation or MSA version | Available with OpenSSL version |
|---|---|---|---|
| AES-CBC | CPACF | MSA 4 on IBM z114 | ≥ 1.1.1 |
| AES-CCM | CPACF | MSA 4 on IBM z114 | ≥ 1.1.1 |
| AES-CFB (only CFB8 and CFB128) | CPACF | MSA 4 on IBM z114 | ≥ 1.1.1 |
| AES-ECB | CPACF | MSA 4 on IBM z114 | ≥ 1.1.1 |
| AES-GCM | CPACF | MSA 8 on IBM z14® and IBM LinuxONE II. If MSA 8 (KMA) is not available, an alternative CPACF based implementation requiring MSA 4 (KIMD and KM) is used. | ≥ 1.1.1 |
| AES-OFB | CPACF | MSA 4 on IBM z114 | ≥ 1.1.1 |
| AES-XTS | CPACF | MSA 4 on IBM z114 | ≥ 1.1.1 |
| | | MSA 10 on IBM z17™ and IBM LinuxONE 5 | ≥ 3.5.0 |
| HMAC | CPACF | MSA 11 on IBM z17 and IBM LinuxONE 5 | ≥ 3.4.0 |
| SHA-1 | CPACF | since 06/2003 | ≥ 1.1.1 |
| SHA-2 | CPACF | since 09/2005 | ≥ 1.1.1 |
| SHA-3 | CPACF | MSA 6 on IBM z14 and IBM LinuxONE II | ≥ 1.1.1 |
| | | MSA 12 on IBM z17 and IBM LinuxONE 5 | ≥ 3.4.0 |
| SHAKE | CPACF | MSA 6 on IBM z14 and IBM LinuxONE II | ≥ 1.1.1 |
| | | MSA 12 on IBM z17 and IBM LinuxONE 5 | ≥ 3.4.0 |
| GHASH | CPACF | MSA 4 on IBM z114 | ≥ 1.1.1 |
| Poly1305 | SIMD | IBM z13® and IBM LinuxONE | ≥ 1.1.1 |
| Keccak-1600 | CPACF | MSA 6 on IBM z14 and IBM LinuxONE II | ≥ 1.1.1 |
| ChaCha20 | SIMD | IBM z13 and IBM LinuxONE | ≥ 1.1.1 |
| ECDSA/ECDH (for curves P-256, P-384, P-521) | CPACF | MSA 9 on IBM z15® and IBM LinuxONE III | ≥ 3.0.0 |
| EdDSA and EdDH (for curves Curve25519, Curve448) | CPACF | MSA 9 on IBM z15 and IBM LinuxONE III | ≥ 3.0.0 |
| BN GF2m | Assembler | independent from MSA | ≥ 1.1.1 |
| BN Montgomery Multiplication | Assembler | independent from MSA | ≥ 1.1.1 |
| Modular exponentiation and CRT operations (used by RSA and DH) | Crypto Express adapter in CCA coprocessor mode or in accelerator mode | independent from MSA | ≥ 3.2.0 |

Note: The OpenSSL version 3.2.0 added a new multi-squeeze API called EVP_DigestSqueeze() for the SHA-3 and SHAKE algorithms. This API is also supported on Linux® on IBM Z and IBM LinuxONE (s390x). The enhanced acceleration for these algorithms is available with MSA 12 (on IBM z17 and IBM LinuxONE 5) and OpenSSL version 3.4.0.
You can use cpacfinfo -m or cpacfinfo --msa to find out which MSA levels are available. Combining the options --msa and --functions with the cpacfinfo command, as in:

cpacfinfo --msa --functions

(or short: cpacfinfo -mf), shows you which functions are available for which MSA level (see Using the cpacfinfo utility).

For testing or debugging purposes, you can define the set of z/Architecture® algorithms and functions available to an application using the OPENSSL_s390xcap environment variable.

For further options to selectively disable features, see the description of OPENSSL_s390xcap on the OpenSSL web site.
Note: This environment variable may not be available in all OpenSSL versions or Linux distributions. Also, use of this variable almost certainly reduces your OpenSSL performance.
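
The following shell script is an added example, not part of the original page or of OpenSSL: it uses OPENSSL_s390xcap for the testing purpose described above, checking that the accelerated path and the restricted path return identical results for some algorithms from Table 1. The token z900 (a processor generation name taken from the OpenSSL manual page for OPENSSL_s390xcap, assumed here to leave no CPACF functions enabled), the function names, the sample input, the key and the IV are assumptions of this example.

```shell
#!/bin/sh
# Added example: compare OpenSSL results with the default capability vector
# and with a restricted one set through OPENSSL_s390xcap.
# Assumption: "z900" is a valid processor generation token (see the OpenSSL
# manual page for OPENSSL_s390xcap) and leaves no CPACF functions enabled.
RESTRICT_CAPS="${RESTRICT_CAPS:-z900}"

# Constructed sample input and key material (test values only).
SAMPLE="abc"
KEY="000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f"
IV="000102030405060708090a0b0c0d0e0f"

# run_alg CAPS ALG: print the hex result of ALG applied to SAMPLE.
# An empty CAPS leaves OPENSSL_s390xcap unset (default behaviour).
run_alg() {
    caps=$1; alg=$2
    (
        if [ -n "$caps" ]; then
            OPENSSL_s390xcap=$caps; export OPENSSL_s390xcap
        else
            unset OPENSSL_s390xcap
        fi
        case $alg in
            aes-*) printf '%s' "$SAMPLE" |
                       openssl enc -"$alg" -K "$KEY" -iv "$IV" |
                       od -An -tx1 | tr -d ' \n' ;;
            *)     printf '%s' "$SAMPLE" | openssl dgst -"$alg" |
                       awk '{print $NF}' ;;
        esac
    )
}

# compare_paths: return 0 only if every algorithm yields the same,
# non-empty result with and without the restriction.
compare_paths() {
    rc=0
    for alg in sha256 sha512 sha3-256 aes-256-cbc; do
        dflt=$(run_alg "" "$alg")
        restr=$(run_alg "$RESTRICT_CAPS" "$alg")
        if [ -z "$dflt" ] || [ "$dflt" != "$restr" ]; then
            echo "MISMATCH for $alg: default=$dflt restricted=$restr" >&2
            rc=1
        fi
    done
    return $rc
}

compare_paths && echo "default and restricted results are identical"
```

On platforms other than s390x the variable has no effect, so both runs use the same code path.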