Running secure key under a z/VM guest

In order to use the CEX*C feature under z/VM®, you need to apply specific APAR fixes.

These fixes are described in Hardware requirements.

Also, to run secure key under a z/VM guest, the directory entry for that guest must contain a directory control statement (CRYPTO APDED). This requires that the APs with this domain are owned by the LPAR. There is no virtualization done by z/VM.

For secure key, z/VM does not virtualize the APs. The APs need to be dedicated, which is done by the user statement:

CRYPTO DOMAIN 12 APDED 5 7

This statement dedicates APs 5 and 7 for domain 12 to one Linux guest.
Note: Shared crypto adapters, as defined with the z/VM user directory statement CRYPTO APVIRT, cannot be used for secure key cryptographic operations. Because dedicated and shared cryptographic adapters cannot be mixed in a z/VM guest virtual machine, additional crypto adapters for use with clear key cryptography, coprocessors or accelerators, must be defined as dedicated adapters.
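
The rules above can be checked before a guest is started. The following Python lint is an added example, not part of the original page or of any IBM tool: it reads one guest's directory entry and reports why secure key would not work. It assumes only the two statement forms shown on this page (space-separated numbers after DOMAIN and APDED, and APVIRT); the guest names and sample entries are constructed.

```python
# Added example: lint one z/VM guest directory entry for secure key use.
# Assumption: only the statement forms shown on this page are recognized.

def _numbers_after(tokens, keyword):
    """Return the numbers that follow keyword, up to the next non-number."""
    numbers = []
    if keyword in tokens:
        for token in tokens[tokens.index(keyword) + 1:]:
            if not token.isdigit():
                break
            numbers.append(int(token))
    return numbers

def parse_crypto(entry):
    """Return (dedicated, shared): {domain: set of APs} and an APVIRT flag."""
    dedicated, shared = {}, False
    for line in entry.splitlines():
        tokens = line.upper().split()
        if not tokens or tokens[0] != "CRYPTO":
            continue  # other statements and comment lines are ignored
        if "APVIRT" in tokens:
            shared = True
        aps = _numbers_after(tokens, "APDED")
        for domain in _numbers_after(tokens, "DOMAIN"):
            dedicated.setdefault(domain, set()).update(aps)
    return dedicated, shared

def secure_key_findings(entry):
    """List the reasons this entry cannot run secure key (empty if none)."""
    dedicated, shared = parse_crypto(entry)
    has_dedicated = any(dedicated.values())
    findings = []
    if shared and has_dedicated:
        findings.append("APVIRT and APDED are mixed in one guest")
    elif shared:
        findings.append("only shared (APVIRT) adapters are defined")
    elif not has_dedicated:
        findings.append("no CRYPTO DOMAIN ... APDED statement found")
    return findings

# Constructed sample entries (guest names are hypothetical).
GOOD = "USER LNXSK1\nCRYPTO DOMAIN 12 APDED 5 7\n"
SHARED = "USER LNXCK1\nCRYPTO APVIRT\n"
MIXED = GOOD + "CRYPTO APVIRT\n"

if __name__ == "__main__":
    for name, entry in (("GOOD", GOOD), ("SHARED", SHARED), ("MIXED", MIXED)):
        print(name, parse_crypto(entry)[0], secure_key_findings(entry) or "ok")
```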