Installing and loading the cryptographic device driver

You need an installed Linux kernel that includes the cryptographic device driver. This cryptographic device driver is normally included in the regular kernel package shipped with your Linux® distribution. Loading the cryptographic device driver is only required for earlier installations as described in this topic.

About this task

In earlier Linux distributions, the cryptographic device driver is shipped as a single module called z90crypt. In more recent distributions, the cryptographic device driver is shipped as a set of modules, with the ap module being the main module that triggers loading of all required sub-modules. There is, however, an alias name z90crypt that links to the ap main module.

Some distributions that use kernel levels starting with 4.10 have basic cryptographic device driver support as part of the kernel (that is, the ap module is already compiled into the kernel). In this case, you no longer need to load the ap main module with the modprobe command. In addition, the domain and poll_thread parameters are no longer module parameters, but kernel parameters. You can change their values directly through sysfs, or set them as kernel parameters. For further information, refer to Device Drivers, Features, and Commands for kernel 4.12 or later on the developerWorks website.

Procedure

  1. For installations with a loadable cryptographic device driver, use the lsmod command to find out if either the z90crypt or the ap module is already loaded.
  2. If required, use the modprobe command to load the z90crypt or ap module. When loading the z90crypt or ap module, you can use the following optional module parameters:
    domain=
    Use an integer that identifies the default cryptographic domain for the Linux instance. You define cryptographic domains in the LPAR activation profile on the HMC or SE. The default value (domain=autoselect) causes the device driver to choose one of the available domains automatically.
    Important: Be sure to enter an existing domain. The Trusted Key Entry workstation does not find the cryptographic adapters if a non-existing domain is entered here.

    After loading the device driver, use the lszcrypt command with the -b option to confirm that the correct domain is used. If your distribution does not include this command, see the version of Device Drivers, Features, and Commands that applies to your distribution about how to use the sysfs interface to find out the domain.

    If the cryptographic device driver is part of the kernel, you cannot unload it. In this case, you can directly edit domain settings via sysfs.

    poll_thread=
    Enables the polling thread for instances of Linux on z/VM® and for Linux instances that run in LPAR mode on an IBM® mainframe earlier than z10.

    For Linux instances that run in LPAR mode on a z10 or later mainframe, this setting is ignored and AP interrupts are used instead.

    For more information about these module parameters, the polling thread, and AP interrupts, see the version of Device Drivers, Features, and Commands that applies to your distribution.
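
The checks in this procedure as a dry-run script, added here as an example and not IBM's code: it reports whether the driver is a loaded module, compiled in, or absent, and prints the next step for a requested domain without running it. The function names, the optional root prefix, and the /sys/bus/ap/ap_domain path are assumptions that do not appear on this page.

```shell
#!/bin/sh
# Added example, not IBM code. Paths are read under an optional root prefix
# so the checks can be exercised against a constructed directory tree.

# ap_driver_state [root]
# Prints "module" (loadable driver loaded), "builtin" (compiled into the
# kernel) or "absent" (driver not available yet).
ap_driver_state() {
    root=${1:-}
    # lsmod reads /proc/modules; a compiled-in driver never appears there.
    if grep -Eq '^(ap|z90crypt) ' "$root/proc/modules" 2>/dev/null; then
        echo module
    elif [ -d "$root/sys/bus/ap" ]; then
        echo builtin
    else
        echo absent
    fi
}

# ap_plan domain [root]
# Prints the next step for the requested default domain. Runs nothing.
ap_plan() {
    want=$1
    root=${2:-}
    case $want in
        ''|*[!0-9]*) echo "error: domain must be an integer"; return 2 ;;
    esac
    state=$(ap_driver_state "$root")
    if [ "$state" = absent ]; then
        echo "modprobe ap domain=$want"
        return 0
    fi
    # Assumption: the default domain is exposed as /sys/bus/ap/ap_domain.
    have=$(cat "$root/sys/bus/ap/ap_domain" 2>/dev/null) || have=unknown
    if [ "$have" = "$want" ]; then
        echo "ok: $state driver uses domain $have"
    elif [ "$state" = builtin ]; then
        echo "mismatch: domain is $have, set $want through sysfs"
    else
        echo "mismatch: domain is $have, reload the module with domain=$want"
    fi
}

# Stand-alone use on a live system: sh ap_check.sh <domain>
if [ $# -ge 1 ]; then ap_plan "$1"; fi
```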

Results

The zcrypt device driver that contains the EP11 extension is loaded and lszcrypt displays the cryptographic adapters available to the Linux system.