Installing and loading the cryptographic device driver

Edit online

The cryptographic device driver is included in the regular kernel package shipped with your Linux® distribution.

In earlier Linux distributions, the cryptographic device driver is shipped as a single module called z90crypt. In more recent distributions, the cryptographic device driver is shipped as set of modules with the ap module being the main module that triggers loading all required sub-modules. There is, however, an alias name z90crypt that links to the ap main module.

There might be distributions using kernel levels starting with 4.10, that have basic cryptographic device driver support as part of the kernel (that is, the ap module is already compiled in the kernel). In this case, the subsequently mentioned lsmod and modprobe commands do not work as described. In addition, the domain and poll_thread parameters are no longer module parameters, but kernel parameters. In this case, you can change the values directly via sysfs, or change as kernel parameters. Refer to the Device Drivers, Features, and Commands website for further information.

For installations with a loadable cryptographic device driver, use the lsmod command to find out if either the z90crypt or the ap module is already loaded.

If required, use the modprobe command to load the z90crypt or ap module. When loading the z90crypt or ap module, you can use the following optional module parameters:
domain=
specifies a particular cryptographic domain. By default, the device driver attempts to use the domain with the maximum number of devices. To use all CCA 6.0 functions, the domain must include at least one CEX6C feature.

After loading the device driver, use the lszcrypt command with the -b option to confirm that the correct domain is used. If your distribution does not include this command, see the version of Device Drivers, Features, and Commands that applies to your distribution about how to use the sysfs interface to find out the domain. This publication also provides more information about loading and configuring the cryptographic device driver.

To change the domain, you must unload the z90crypt or ap module (see Unloading the cryptographic device driver) and reload it.

You should also read the information presented in Domain selection capabilities.

poll_thread=
enables the polling thread for instances of Linux on z/VM® and for Linux instances that run in LPAR mode on an IBM® mainframe earlier than z10™.

For Linux instances that run in LPAR mode on a z10 or later mainframe, this setting is ignored and AP interrupts are used instead.

For more information about these module parameters, the polling thread, and AP interrupts, see the version of Device Drivers, Features, and Commands that applies to your distribution.