Supported facilities

7.1 LPAR mode z/VM guest KVM guest

The cryptographic device driver supports several cryptographic accelerators as well as CCA and EP11 coprocessors.

Cryptographic accelerators support clear key cryptographic algorithms. In particular, they provide fast RSA encryption and decryption for any key size in the range 57 - 4096 bit.

Cryptographic coprocessors act as a hardware security module (HSM) and provide secure key cryptographic operations for the IBM® Common Cryptographic Architecture (CCA) and the Enterprise PKCS#11 feature (EP11).

Cryptographic CCA coprocessors also provide clear key RSA operations for any key size in the range 57 - 4096 bit, and a random number generator for /dev/hwrng. They also provide clear key ECC operations for ECDSA sign and verify, and ECDH key derivation for selected elliptic curves. The EP11 coprocessor supports only secure key operations.

For more information about CCA, see Secure Key Solution with the Common Cryptographic Architecture Application Programmer's Guide, SC33-8294. You can obtain this publication at https://www.ibm.com/docs/linuxonibm/liaaf/lnz_r_ccacnt.html.

For more information about EP11, see Exploiting Enterprise PKCS #11 using openCryptoki, SC34-2713 and openCryptoki - An Open Source Implementation of PKCS #11, SC34-7730. You can obtain these publications at ibm.com/docs/en/linux-on-systems?topic=security-cryptographic-hardware-support.