What's new in Linux information for IBM systems
Check here for the latest updates to Linux® information for IBM® systems, as of December 2025.
IBM Secure Execution for Linux
The 2025 edition introduces retrievable secrets, with which you can pass secrets as protected
keys to a running SEL guest. You can also create generic SEL guests and personalize them at boot
time using retrievable secrets. Using the new pvimg test command, you can check if an IBM SEL boot
image can be decrypted by a given host. You can now update the customer communication key, if the
image allows this. Links to the programming interfaces for creating and managing IBM SEL guests are
added. Learn
more...
Troubleshooting Guide
The update adds IBM z17® and LinuxONE 5 references, nftables for firewall diagnostics, and detailed Linux data collection steps. Enhancements include dbginfo.sh examples, refreshed outputs, ECuRep download, and new accessibility contacts. Obsolete tools, version-specific notes, and outdated Linux distribution details were removed.
Secure Key Solution with the Common Cryptographic Architecture: Application Programmer's Guide 8.4
With CCA releases 7.6 and 8.4, several verbs now support RSA key sizes in the range 4097 - 8192 bits. There is also enhanced support for verb CSNBT31X for translation of CCA AES PINPROT tokens to TR-31 P0 tokens. CCA Release 8.4 additionally offers enhanced post-quantum computing support for ML-KEM, pure ML-DSA, and pre-hash ML-DSA algorithms.
libzpc - A Protected-Key Cryptographic Library 1.3 and 1.4
libzpc version 1.3 introduces a new protected key origin called ultravisor retrievable secret. You can use protected keys derived from retrievable secrets for encryption and decryption (AES), and for sign and verify operations (ECC) on an IBM z17™.
libzpc version 1.4 supports new types of protected keys from origin retrievable secrets: full-XTS and HMAC protected keys. New groups of function APIs are provided to run on an IBM z17 to perform operations with these new key types.
OpenSSL support for Linux on IBM Z® and LinuxONE
This publication shows how OpenSSL benefits from the performance acceleration and high security of IBM Z and LinuxONE cryptographic hardware. Among other things, this edition introduces a tool for obtaining CPACF information and provides a use case for connecting OpenSSL with PKCS#11 using a PKCS#11 provider.
libica 4.4
libica version 4.4 provides updates on FIPS 140-3 compliance. Specifically, if the API is used in
a non-FIPS-compliant way, it indicates the non-compliant usage by setting errno to EPERM.
Learn more...
Managing Crypto Express adapters with a Trusted Key Entry workstation
Find the assembled information for CCA and EP11 applications on how to configure your environment to use a Trusted Key Entry (TKE) workstation to manage domains on IBM Crypto Express adapters.
Red Hat® OpenShift® on IBM Z and IBM LinuxONE
The Red Hat OpenShift on IBM Z and IBM LinuxONE content has moved to this new location: https://www.ibm.com/docs/en/rhocp-ibm-z
Enriching Linux on IBM Z Workloads with AI
This IBM Redpaper publication discusses
the technical intricacies of AI and Machine Learning (ML) within the robust IBM Z ecosystem,
exploring the synergy between Linux-based systems and the
transformative potential of AI. It extends into the technical intricacies of integrating AI-enhanced
workloads, shedding light on security concerns, and projecting the impact of AI across industries.
Learn more...
IBM Secure Execution for Linux
A KVM guest running in secure execution mode can now use Crypto Express adapters in Enterprise
PKCS #11 coprocessor mode or accelerator mode. To protect EP11 secure keys, these keys can be
associated with an association secret that is maintained by the ultravisor on behalf of the secure
guest. To facilitate this protection, you can now submit secrets to the ultravisor.
Learn more...
Important note on verifying Secure Execution host key documents
- April 24, 2024 for IBM z15® and IBM LinuxONE III
- March 29, 2024 for IBM z16™ and IBM LinuxONE 4.
Due to a requirement from the Certificate Authority (DigiCert), the renewed certificates are equipped with a new Locality value (“Armonk” instead of “Poughkeepsie”). These renewed certificates cause the current versions of the genprotimg, pvattest, and pvsecret tools to fail the verification of host key documents.
The IBM Z team is preparing updates of the genprotimg, pvattest, and pvsecret tools to accept the new certificates and is working with Linux distribution partners to release the updated tools.
To build new Secure Execution images, attestation requests, or add-secret requests before the updated tools are available in Linux distributions, follow these steps:
Step 1:
Obtain the host key document, the host key signing key certificate, the intermediate certificate from the Certificate Authority, and the list of revoked host keys (CRL):
- For IBM z15 and IBM LinuxONE III, see:
https://www.ibm.com/support/resourcelink/api/content/public/secure-execution-gen1.html
- For IBM z16 and IBM LinuxONE 4, see:
https://www.ibm.com/support/resourcelink/api/content/public/secure-execution-gen2.html
Step 2:
Download the script check_hostkeydoc from
https://github.com/ibm-s390-linux/s390-tools/blob/master/genprotimg/samples/check_hostkeydoc
Step 3:
# ./check_hostkeydoc HKD1234.crt ibm-z-host-key-signing.crt \
    -c DigiCertCA.crt -r ibm-z-host-key.crl
This example verifies the host key document HKD1234.crt using the host key signing key certificate ibm-z-host-key-signing.crt, and the intermediate certificate of the Certificate Authority DigiCertCA.crt, as well as the list of revoked host keys ibm-z-host-key.crl.
After the host key documents are verified using the check_hostkeydoc script, you can safely call genprotimg, pvattest, or pvsecret with the --no-verify option.
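A fail-closed wrapper for the procedure above, as an added example that is not part of the IBM documentation or s390-tools: genprotimg is called with --no-verify only after check_hostkeydoc has accepted every host key document. The function names, the CHECK_HKD and GENPROTIMG variables, and the reliance on check_hostkeydoc exiting non-zero on a failed verification are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from s390-tools. Assumption: check_hostkeydoc exits
# non-zero when a host key document fails verification.
CHECK_HKD=${CHECK_HKD:-./check_hostkeydoc}   # script downloaded in Step 2
GENPROTIMG=${GENPROTIMG:-genprotimg}

# verify_hkds SIGNING_CERT CA_CERT CRL HKD...
# Returns 0 only if every HKD verifies, 1 on a rejected HKD, 2 on bad input.
verify_hkds() {
    [ "$#" -ge 4 ] || { echo "usage: verify_hkds SIGN CA CRL HKD..." >&2; return 2; }
    signing=$1; ca=$2; crl=$3; shift 3
    for f in "$signing" "$ca" "$crl" "$@"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 2; }
    done
    for hkd in "$@"; do
        # Same invocation as Step 3, once per host key document.
        if ! "$CHECK_HKD" "$hkd" "$signing" -c "$ca" -r "$crl"; then
            echo "REJECTED: $hkd (image not built)" >&2
            return 1
        fi
    done
    return 0
}

# build_se_image IMAGE RAMDISK PARMFILE OUTPUT SIGNING_CERT CA_CERT CRL HKD...
# Calls genprotimg --no-verify only after verify_hkds accepted every HKD.
build_se_image() {
    [ "$#" -ge 8 ] || { echo "usage: build_se_image IMG RD PARM OUT SIGN CA CRL HKD..." >&2; return 2; }
    image=$1; ramdisk=$2; parm=$3; out=$4; shift 4
    verify_hkds "$@" || return 1
    shift 3                       # drop SIGN, CA, CRL; only HKDs remain
    n=$#
    for hkd in "$@"; do set -- "$@" -k "$hkd"; done
    shift "$n"                    # keep just the "-k HKD" pairs
    "$GENPROTIMG" -i "$image" -r "$ramdisk" -p "$parm" -o "$out" \
        --no-verify "$@"
}
```

Because --no-verify switches off the tool's own check, the build is exactly as trustworthy as the preceding check_hostkeydoc run; keeping both in one function prevents a rejected document from reaching genprotimg.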
For a description of how to manually verify host key documents, see:
https://www.ibm.com/docs/en/linux-on-z?topic=execution-verify-host-key-document
You can view and print a PDF of this information.
Linux kernel 6.6 - Using the Dump Tools
You can now use ECKD DASDs for list-directed dumps of the memory of an LPAR. The standalone DASD
dump tool now automatically compresses a CCW-type DASD dump. Learn more...
How to set up IBM Event Streams with MongoDB on IBM Z
This guide provides detailed information on how to set up IBM Event Streams by using IBM Cloud® Pak for Integration, and it also walks through a real-time scenario that transfers data between two MongoDB databases using Kafka Connect and connectors.