What's new in Linux information for IBM systems

Check here for the latest updates to Linux® information for IBM® systems, as of June 2026.

libica version 4.4.2

libica version 4.4.2 provides FIPS 140-3 certification updates, for example, higher RSA key lengths.

Using the Dump Tools - Kernel 7.1

This edition adds two examples: one that shows how to initiate a list-directed dump from a z/VM guest to an ECKD DASD device, and one that demonstrates how to use zgetdump to verify that DASD device /dev/dasdb is a valid dump device.

Crypto Express Support for IBM Secure Execution for Linux

A new white paper explains how the Crypto Express support of IBM Secure Execution for Linux allows a Secure Execution guest to securely use a Crypto Express adapter both in accelerator mode and as an EP11 Hardware Security Module.

MongoDB on IBM Z Performance Tuning Guide

MongoDB is a widely used NoSQL database. While smaller installations can fully utilize available compute resources, enterprise-scale deployments often leave significant compute capacity unused. This performance tuning guide provides practical guidance for optimizing MongoDB at the hardware, operating system, and application levels to maximize utilization of IBM Z infrastructure.

libzpc - A Protected-Key Cryptographic Library 1.5

The libzpc library now reacts to a verification pattern mismatch caused by live guest relocation or migration by re-creating the protected key from the key material it was derived from.

Pervasive Encryption for Data Volumes (January 2026)

The main enhancements described by the January 2026 edition of this document are the support for retrievable secrets on IBM Secure Execution for Linux® guests, the ease of use of passphrases, and the improved handling of EP11 extractable and CCA exportable keys.

IBM Secure Execution for Linux

The 2025 edition introduces retrievable secrets, with which you can pass secrets as protected keys to a running SEL guest. You can also create generic SEL guests and personalize them at boot time using retrievable secrets. Using the new pvimg test command, you can check if an IBM SEL boot image can be decrypted by a given host. You can now update the customer communication key, if the image allows this. Links to the programming interfaces for creating and managing IBM SEL guests are added.

openCryptoki - An Open Source Implementation of PKCS #11, version 3.23 - 3.25

Multiple enhancements are implemented with versions 3.23 to 3.25 of openCryptoki for all tokens provided by IBM for Linux on IBM Z and IBM LinuxONE. Additionally, there is a new tool to configure user access to the token directories, and a new tool for importing and exporting AES secret keys between a token in a PKCS #11 slot and a KMIP server.

Troubleshooting Guide

The update adds IBM z17® and LinuxONE 5 references, nftables for firewall diagnostics, and detailed Linux data collection steps. Enhancements include dbginfo.sh examples, refreshed outputs, ECuRep download, and new accessibility contacts. Obsolete tools, version-specific notes, and outdated Linux distribution details were removed.

Secure Key Solution with the Common Cryptographic Architecture: Application Programmer's Guide 8.4

With CCA releases 7.6 and 8.4, several verbs now support RSA key sizes in the range 4097 - 8192 bits. There is also enhanced support for verb CSNBT31X for translation of CCA AES PINPROT tokens to TR-31 P0 tokens. CCA Release 8.4 additionally offers enhanced post-quantum computing support for ML-KEM, pure ML-DSA, and pre-hash ML-DSA algorithms.

OpenSSL support for Linux on IBM Z® and LinuxONE

This publication shows how OpenSSL benefits from the performance acceleration and high security of IBM Z and LinuxONE cryptographic hardware. Among other things, this edition introduces a tool for obtaining CPACF information and provides a use case for connecting OpenSSL with PKCS#11 using a PKCS#11 provider.

Managing Crypto Express adapters with a Trusted Key Entry workstation

Find the assembled information for CCA and EP11 applications on how to configure your environment to use a Trusted Key Entry (TKE) workstation to manage domains on IBM Crypto Express adapters.

Enriching Linux on IBM Z Workloads with AI

This IBM Redpaper publication discusses the technical intricacies of AI and Machine Learning (ML) within the robust IBM Z ecosystem, exploring the synergy between Linux-based systems and the transformative potential of AI. It extends into the technical intricacies of integrating AI-enhanced workloads, shedding light on security concerns, and projecting the impact of AI across industries.

Important note on verifying Secure Execution host key documents

This note is obsolete for all distribution releases that have picked up pvimg (genprotimg), pvattest, and pvsecret from s390-tools version 2.32.0.

The certificates of the host key signing keys that are needed to verify host key documents will expire on
  • April 24, 2024 for IBM z15® and IBM LinuxONE III
  • March 29, 2024 for IBM z16™ and IBM LinuxONE 4.

Due to a requirement from the Certificate Authority (DigiCert), the renewed certificates are equipped with a new Locality value (“Armonk” instead of “Poughkeepsie”). These renewed certificates cause the current versions of the genprotimg, pvattest, and pvsecret tools to fail the verification of host key documents.

The IBM Z team is preparing updates of the genprotimg, pvattest, and pvsecret tools to accept the new certificates and is working with Linux distribution partners to release the updated tools.

To build new Secure Execution images, attestation requests, or add-secret requests before the updated tools are available in Linux distributions, follow these steps:

Step 1:

Obtain the host key document, the host key signing key certificate, the intermediate certificate from the Certificate Authority, and the list of revoked host keys (CRL):

Step 2:

Download the script check_hostkeydoc from

https://github.com/ibm-s390-linux/s390-tools/blob/master/genprotimg/samples/check_hostkeydoc

Step 3:

Verify each host key document using the check_hostkeydoc script. For example, issue:
# ./check_hostkeydoc HKD1234.crt ibm-z-host-key-signing.crt \
    -c DigiCertCA.crt -r ibm-z-host-key.crl

This example verifies the host key document HKD1234.crt using the host key signing key certificate ibm-z-host-key-signing.crt, and the intermediate certificate of the Certificate Authority DigiCertCA.crt, as well as the list of revoked host keys ibm-z-host-key.crl.

After the host key documents are verified using the check_hostkeydoc script, you can safely call genprotimg, pvattest, or pvsecret with the --no-verify option.
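Because --no-verify switches off the tools' own checks, the manual verification has to act as the gate. The following shell function is an added example, not part of the original note or of s390-tools: it runs check_hostkeydoc over every host key document and succeeds only if all of them pass. The function name verify_hkds and the environment variable names are assumptions, the default file names are those of the sample command above, and the function assumes check_hostkeydoc exits non-zero when verification fails.

```shell
#!/bin/sh
# Added example: fail-closed gate in front of genprotimg/pvattest/pvsecret
# --no-verify. Defaults mirror the sample command; override via environment.
CHECK="${CHECK:-./check_hostkeydoc}"
SIGN_CERT="${SIGN_CERT:-ibm-z-host-key-signing.crt}"
CA_CERT="${CA_CERT:-DigiCertCA.crt}"
CRL="${CRL:-ibm-z-host-key.crl}"

# verify_hkds HKD...
# Returns 0 only if every host key document passes check_hostkeydoc,
# 1 if at least one is rejected, 2 if inputs are missing.
verify_hkds() {
    if [ "$#" -eq 0 ]; then
        echo "usage: verify_hkds HKD.crt [HKD.crt ...]" >&2
        return 2
    fi
    # A missing CRL or certificate must stop the run, not skip a check.
    for f in "$SIGN_CERT" "$CA_CERT" "$CRL"; do
        if [ ! -r "$f" ]; then
            echo "missing input: $f" >&2
            return 2
        fi
    done
    if [ ! -x "$CHECK" ]; then
        echo "not executable: $CHECK" >&2
        return 2
    fi

    failed=0
    for hkd in "$@"; do
        # Assumption: check_hostkeydoc exits non-zero on any failure.
        if [ -r "$hkd" ] &&
           "$CHECK" "$hkd" "$SIGN_CERT" -c "$CA_CERT" -r "$CRL" >/dev/null 2>&1
        then
            echo "verified: $hkd"
        else
            echo "REJECTED: $hkd" >&2
            failed=1
        fi
    done
    # Keep checking after a failure so every bad document is reported,
    # but never report success unless all documents passed.
    return "$failed"
}

# Typical use (remaining genprotimg arguments elided):
#   verify_hkds HKD1234.crt HKD5678.crt && genprotimg ... --no-verify
```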

For a description of how to manually verify host key documents, see:

https://www.ibm.com/docs/en/linux-on-z?topic=execution-verify-host-key-document
