IBM Linux on System z zcrypt device driver

The IBM® Linux™ on System z® generic cryptographic device driver (zcrypt) is required when one or more System z Crypto Express® (CEX) features are accessible in an LPAR.

Coprocessors and accelerators supported by current zcrypt versions:

  • PCI Cryptographic Coprocessor (PCICC)
  • PCI Cryptographic Accelerator (PCICA)
  • PCI-X Cryptographic Coprocessor (PCIXCC)
  • Crypto Express2 Coprocessor (CEX2C)
  • Crypto Express2 Accelerator (CEX2A)
  • Crypto Express3 Coprocessor (CEX3C) *
  • Crypto Express3 Accelerator (CEX3A) *

* Used for the System Under Test (SUT) cryptographic scenario outlined in this paper

Linux kernel device driver modules are usually loaded with the modprobe command. The following command loads the zcrypt device driver, whose kernel module is named z90crypt.

Sample command: load the zcrypt device driver

# modprobe z90crypt 

On Novell SUSE Linux Enterprise Server 11 SP2 there is also a wrapper script that can be used to start the zcrypt device driver and query its status.

Sample command: zcrypt device driver start and status query

# rcz90crypt start
Loading z90crypt module                 done
# rcz90crypt status
Checking for module z90crypt:           running

The activity and status of the devices supported by zcrypt can be monitored with the lszcrypt command. Use the maximum verbose level of lszcrypt to get more detailed output, including the request count and status of each cryptographic device:

Sample command: lszcrypt in verbose mode

# lszcrypt -VV
card00: CEX3C  online  hwtype=9  depth=8  request_count=11
card01: CEX3A  online  hwtype=8  depth=8  request_count=0
card02: CEX3C  online  hwtype=9  depth=8  request_count=10
card03: CEX3A  online  hwtype=8  depth=8  request_count=0

The command output above lists four CEX3 adapters (two Accelerators and two Coprocessors).

All four devices are reported as online after loading the zcrypt device driver. The devices can be selectively turned on or off using the chzcrypt command:

Sample command: using chzcrypt to set adapter 00 offline

# chzcrypt -d 00
# lszcrypt -V
card00: CEX3C  offline
card01: CEX3A  online
card02: CEX3C  online
card03: CEX3A  online
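
The lszcrypt listings above can be turned into a scripted health check that flags adapters that have gone offline and totals request_count per adapter type, which shows whether work is actually reaching the hardware. The following is an added example, not part of the original paper or of the zcrypt tools; the function names, the expected adapter count and the embedded sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: health check over `lszcrypt -V` / `lszcrypt -VV` output,
# read from stdin in the layout shown in the samples above.

# Constructed sample (not captured from a real system): the -VV listing
# from above, with card00 set offline as in the chzcrypt sample.
zcrypt_sample() {
    cat <<'EOF'
card00: CEX3C offline hwtype=9 depth=8 request_count=11
card01: CEX3A online  hwtype=8 depth=8 request_count=0
card02: CEX3C online  hwtype=9 depth=8 request_count=10
card03: CEX3A online  hwtype=8 depth=8 request_count=0
EOF
}

# Print the names of adapters whose status column is not "online".
zcrypt_offline_cards() {
    awk '$1 ~ /^card[0-9a-f]+:$/ && $3 != "online" { sub(/:$/, "", $1); print $1 }'
}

# Sum request_count per adapter type; the field exists only in -VV output,
# so types seen without it are reported as 0.
zcrypt_requests_by_type() {
    awk '$1 ~ /^card[0-9a-f]+:$/ {
             seen[$2] = 1
             for (i = 4; i <= NF; i++)
                 if ($i ~ /^request_count=/) { split($i, kv, "="); total[$2] += kv[2] }
         }
         END { for (t in seen) printf "%s=%d\n", t, total[t] }' | sort
}

# Return 0 only if at least $1 adapters are online and none is offline.
# $1 (expected adapter count) is an operator-supplied assumption.
zcrypt_check() {
    expected=$1
    input=$(cat)
    online=$(printf '%s\n' "$input" |
        awk '$1 ~ /^card[0-9a-f]+:$/ && $3 == "online" { n++ } END { print n + 0 }')
    offline=$(printf '%s\n' "$input" | zcrypt_offline_cards | tr '\n' ' ')
    if [ "$online" -lt "$expected" ] || [ -n "$offline" ]; then
        echo "WARN online=$online expected=$expected offline=${offline% }"
        return 1
    fi
    echo "OK online=$online"
}

# Live use would be: lszcrypt -VV | zcrypt_check 4
zcrypt_sample | zcrypt_check 4 || true
```

A non-zero exit status from zcrypt_check makes it usable from cron or a monitoring agent.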

The chkconfig command can be used to enable startup of the service at system boot time.

# chkconfig -s z90crypt <runlevel> 

For more information on the zcrypt device driver, see:

Linux on System z - Device Drivers, Features, and Commands, SC33-8411-13

https://www.ibm.com/resources/publications/OutputPubsDetails?PubID=SC33841113