OpenSSL on IBM Z - out of the box

OpenSSL implicitly offers features to accelerate cryptographic operations on IBM Z and IBM LinuxONE cryptographic hardware by a built-in use of CPACF or optimized IBM Z assembler code. No specific OpenSSL configuration is required for exploiting these features.

Hardware acceleration with OpenSSL out of the box

With the default configuration, all cryptographic operations are executed inside of OpenSSL, with built-in support mainly for symmetric ciphers and hash functions. These algorithms are executed using one of the acceleration methods mentioned in Table 1, for example, the CPACF feature. CPACF requires specific microcode to be installed, which you can order as a no-charge feature code (LIC #3863), unless you are in an embargoed geography. The CPACF built-in support has been implemented, for example, for the AES and SHA algorithms inside of OpenSSL. This means that the supported algorithms will always execute faster than pure C code, due to the automatic use of the OpenSSL built-in CPACF support.
Table 1 lists all algorithms that are implicitly accelerated by OpenSSL. The table is valid for OpenSSL versions 1.1.1 or later. It is also only valid for builds that are configured without the option no-asm, which explicitly disables the usage of all CPACF processing. Also, if the required hardware is not available for any of the mentioned algorithms, the processing is conducted transparently for the requestor with the OpenSSL software implementation.
Table 1. IBM Z specific features of OpenSSL

| Algorithm or function | Method of acceleration | HW generation or MSA version | Available with OpenSSL version |
|---|---|---|---|
| AES-CBC | CPACF | MSA 4 - since IBM z114 | ≥ 1.1.1 |
| AES-CCM | CPACF | MSA 4 - since IBM z114 | ≥ 1.1.1 |
| AES-CFB (only CFB8 and CFB128) | CPACF | MSA 4 - since IBM z114 | ≥ 1.1.1 |
| AES-ECB | CPACF | MSA 4 - since IBM z114 | ≥ 1.1.1 |
| AES-GCM | CPACF | MSA 8 - since IBM z14®. If MSA 8 (KMA) is not available, an alternative CPACF based implementation requiring MSA 4 (KIMD and KM) is used. | ≥ 1.1.1 |
| AES-OFB | CPACF | MSA 4 - since IBM z114 | ≥ 1.1.1 |
| AES-XTS | CPACF | MSA 4 - since IBM z114 | ≥ 1.1.1 |
| AES-XTS | CPACF | MSA 10 - since IBM z17 | ≥ 3.5.0 |
| HMAC | CPACF | MSA 11 - since IBM z17 | ≥ 3.4.0 |
| SHA-1 | CPACF | since 06/2003 | ≥ 1.1.1 |
| SHA-2 | CPACF | since 09/2005 | ≥ 1.1.1 |
| SHA-3 | CPACF | MSA 6 - since IBM z14 | ≥ 1.1.1 |
| SHA-3 | CPACF | MSA 12 - since IBM z17 | ≥ 3.4.0 |
| SHAKE | CPACF | MSA 6 - since IBM z14 | ≥ 1.1.1 |
| SHAKE | CPACF | MSA 12 - since IBM z17 | ≥ 3.4.0 |
| GHASH | CPACF | MSA 4 - since IBM z114 | ≥ 1.1.1 |
| Poly1305 | SIMD | IBM z13® | ≥ 1.1.1 |
| Keccak-1600 | CPACF | MSA 6 - since IBM z14 | ≥ 1.1.1 |
| ChaCha20 | SIMD | IBM z13 | ≥ 1.1.1 |
| ECDSA/ECDH (for curves P-256, P-384, P-521) | CPACF | MSA 9 - since IBM z15 | ≥ 3.0.0 |
| EdDSA and EdDH (for curves Curve25519, Curve448) | CPACF | MSA 9 - since IBM z15 | ≥ 3.0.0 |
| BN GF2m | Assembler | independent from MSA | ≥ 1.1.1 |
| BN Montgomery Multiplication | Assembler | independent from MSA | ≥ 1.1.1 |
| Modular exponentiation and CRT operations (used by RSA and DH) | Crypto Express adapter in CCA coprocessor mode or in accelerator mode. | independent from MSA | ≥ 3.2.0 |

Note: OpenSSL version 3.2.0 added a new multi-squeeze API called EVP_DigestSqueeze() for the SHA-3 and SHAKE algorithms. This API is also supported on Linux on IBM Z and IBM LinuxONE (s390x). The enhanced acceleration for these algorithms is available with MSA 12 (on IBM z17) and OpenSSL version 3.4.0.

You can use cpacfinfo -m or cpacfinfo --msa to find out which MSA levels are available. Combining the options --msa and --functions, as in cpacfinfo --msa --functions (or short: cpacfinfo -mf), shows you which functions are available for which MSA level (see Using the cpacfinfo utility).

For testing or debugging purposes, you can define the set of z/Architecture® algorithms and functions available to an application using the OPENSSL_s390xcap environment variable.

For details on selectively disabling further features, see the OpenSSL web site:

OPENSSL_s390xcap
Note: This environment variable may not be available in all OpenSSL versions or Linux distributions. Also, use of this variable almost certainly reduces your OpenSSL performance.
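
A pre-flight check for the software-side conditions named on this page (s390x architecture, the OpenSSL version gates from Table 1, and an OPENSSL_s390xcap override left set in the environment), given as an added example that is not IBM's or OpenSSL's code. The function names are hypothetical, and the hardware MSA level still has to be read from cpacfinfo.

```shell
#!/bin/sh
# Added example, not IBM or OpenSSL code. Checks software-side conditions only;
# hardware MSA levels still have to be read with `cpacfinfo -m`.

# Extract the numeric version from an `openssl version` line ("1.1.1w" -> "1.1.1").
openssl_ver() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*\).*/\1/p'
}

# ver_ge A B: succeed when dotted version A is greater than or equal to B.
ver_ge() {
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$lowest" = "$2" ]
}

# Print the Table 1 version gates that OpenSSL version $1 passes, one per line.
table1_gates() {
    while IFS='|' read -r min what; do
        if ver_ge "$1" "$min"; then printf '>= %s: %s\n' "$min" "$what"; fi
    done <<'EOF'
1.1.1|AES modes, SHA-1/2/3, SHAKE, GHASH, Poly1305, ChaCha20, Keccak-1600, BN assembler
3.0.0|ECDSA/ECDH (P-256, P-384, P-521), EdDSA/EdDH (Curve25519, Curve448)
3.2.0|Modular exponentiation and CRT via Crypto Express adapter
3.4.0|HMAC (MSA 11), SHA-3 and SHAKE (MSA 12)
3.5.0|AES-XTS (MSA 10)
EOF
}

# preflight ARCH VERSION_LINE CAP: print findings; return 1 when Table 1 cannot
# apply or when OPENSSL_s390xcap is restricting capabilities, 0 otherwise.
preflight() {
    ver=$(openssl_ver "$2")
    if [ "$1" != "s390x" ]; then echo "FAIL: architecture is $1, not s390x"; return 1; fi
    if [ -z "$ver" ] || ! ver_ge "$ver" 1.1.1; then
        echo "FAIL: Table 1 applies to OpenSSL 1.1.1 or later (got: $2)"; return 1
    fi
    table1_gates "$ver"
    if [ -n "$3" ]; then
        echo "WARN: OPENSSL_s390xcap is set ($3); capabilities are being restricted"
        return 1
    fi
    return 0
}

# On a live system:
#   preflight "$(uname -m)" "$(openssl version)" "${OPENSSL_s390xcap:-}"
```

A passing version gate only means the OpenSSL build can use the feature; whether it does depends on the MSA level of the machine and on the build not being configured with no-asm.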